diff --git a/IDE/WIN/README.txt b/IDE/WIN/README.txt index 81695ded9..12e84bdee 100644 --- a/IDE/WIN/README.txt +++ b/IDE/WIN/README.txt @@ -3,10 +3,11 @@ First, if you did not get the FIPS files with your archive, you must contact wolfSSL to obtain them. + # Building the wolfssl-fips project The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It -must be built as a static library. +must be built as a static library, for the moment. The library project is built with Whole Program Optimization disabled. This is required so that necessary components of the library are not optimized away. @@ -20,15 +21,18 @@ section names start with ".fipsB$". Each subsection has a letter to organize them in a secific order. This specific ordering puts marker functions and constants on either end of the boundary so it can be hashed. + # In Core Memory Test The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt FIPS library code and constant data and compares it with a known value in the code. -The Randomized Base Address setting doesn't cause any problems because -(I believe) that the addrsses in the executable are all offsets from the base -rather than absolute addresses. +The Randomized Base Address setting needs to be disabled on the 32-bit builds +but can be enabled on the 64-bit builds. In the 32-bit mode the addresses +being different throws off the in-core memory calculation. It looks like in +64-bit mode the library uses all offsets, so the core hash calculation +is the same every time. The "verifyCore" check value in the source fips_test.c needs to be updated when building the code. The POS performs this check and the default failure callback @@ -36,3 +40,30 @@ will print out the calculated checksum. When developing your code, copy this value and paste it back into your code in the verifyCore initializer then rebuild the code. When statically linking, you may have to recalculate your check value when changing your application. + + +# Build Options + +The default build options should be the proper default set of options: + + * HAVE_FIPS + * HAVE_THREAD_LS + * HAVE_AESGCM + * HAVE_HASHDRBG + * WOLFSSL_SHA384 + * WOLFSSL_SHA512 + * NO_HC128 + * NO_RC4 + * NO_RABBIT + * NO_DSA + * NO_MD4 + +The "NO" options explicitly disable algorithms that are not allowed in +FIPS mode. + +Additionally one may enable: + + * HAVE_ECC + * OPENSSL_EXTRA + * WOLFSSL_KEY_GEN +