updated FIPS status

author: Dr. Stephen Henson <steve@openssl.org> 2011-04-06 15:40:36 +0200
committer: Dr. Stephen Henson <steve@openssl.org> 2011-04-06 15:40:36 +0200
commit: 161cc82df13b2f491706b77004ba834f35d0cd8c (patch)
tree: c64aaf1c2a2fbaf92c9a61a86b82ad8860a58d86 /README.FIPS
parent: Update fipssyms.h to keep all symbols in FIPS,fips namespace. (diff)
download: openssl-161cc82df13b2f491706b77004ba834f35d0cd8c.tar.xz
openssl-161cc82df13b2f491706b77004ba834f35d0cd8c.zip
1 files changed, 8 insertions, 5 deletions
diff --git a/README.FIPS b/README.FIPS
index 5197276740..5c5fa295ce 100644
--- a/README.FIPS
+++ b/README.FIPS
@@ -44,11 +44,14 @@ Known issues:
 
 Algorithm tests are pre-2011.
 The fipslagtest.pl script wont auto run new algorithm tests such as DSA2.
-Usage of ECDH/DH needs review and adding appropriate self tests.
+Usage of ECDH/DH needs review and whether any KDFs need to be implemented.
 Selftests need updating with larger key sizes in some cases and redundant
 tests pruned.
-SP800-90 DRBG needs more work: health checks, continuous PRNG test,
-entropy gathering, security checks in algorithms, add appropriate RAND method
-for use by rest of OpenSSL.
-No CMAC.
+SP800-90 DRBG needs more work: check for compliance, continuous PRNG test
+when entropy gathering, periodic health tests.
+Some algorithms need to check security strength of PRNG: keygen etc.
 No CCM.
+No XTS.
+The "FIPS capable OpenSSL" is not yet complete: meaning that the rest of
+OpenSSL doesn't always use the correct FIPS module APIs and block others
+in FIPS mode.
author	Dr. Stephen Henson <steve@openssl.org>	2011-04-06 15:40:36 +0200
committer	Dr. Stephen Henson <steve@openssl.org>	2011-04-06 15:40:36 +0200
commit	161cc82df13b2f491706b77004ba834f35d0cd8c (patch)
tree	c64aaf1c2a2fbaf92c9a61a86b82ad8860a58d86 /README.FIPS
parent	Update fipssyms.h to keep all symbols in FIPS,fips namespace. (diff)
download	openssl-161cc82df13b2f491706b77004ba834f35d0cd8c.tar.xz openssl-161cc82df13b2f491706b77004ba834f35d0cd8c.zip