Created wolfSSL FIPS FAQ #198
Please make sure you can generate the HTML and PDF of this document, and use that to verify everything looks OK formatting wise.
To generate the document, you will need to add a section to the "documentation/Makefile" file. At the bottom, you can add a section similar to:
```
.PHONY: fips-faq
fips-faq: MANPATH=wolfSSL-FIPS-FAQ
fips-faq: PDFFILE=wolfSSL-FIPS-FAQ.pdf
fips-faq: build
```
You will need to install Docker (https://www.docker.com/) and have that running on your computer, then you can build the output by running the following in a terminal from the "documentation" directory:
```
make fips-faq
```
.DS_Store
Outdated
Please remove all `.DS_Store` files that are added in this pull request. These are auto-generated files generated by macOS.
@@ -0,0 +1,14 @@ | |||
# Introduction | |||
|
|||
This page lists some of the most common issues and questions that are recieved by our wolfSSL security experts, along with their responses. This FAQ is useful for solving general questions that pertain to building/implementing wolfSSL FIPS. If this page does not provide an answer toyour question, please feel free to check the wolfSSL Manual, or contact us at [email protected]. |
`toyour` should be `to your`
1. [Why did I receive wolfSSL_X.X.X_commercial-fips-OE-v2.7z when we validated with Y.Y.Y?](./section02.md#why-did-i-receive-wolfssl-xxx-xommercial-fips-oe-v27z-when-we=validated-with-yyy) | ||
2. [How do I know if I am using the FIPS module?](./section02.md#how-do-i-if-i-am-using-the-fips-module) | ||
3. [Does the Power On Self Test (POST) really have to run every time?](./section02.md#does-the-power-on-self-test-post-really-have-to-run-every-teime) | ||
4. [Followup POST Q: What about this feature NO_Followup POST Q: What about this feature NO_ATTRIBUTE_CONSTRUCTOR? Can I use that to by-pass the POST by not running it in the constructor?](./section02.md#followup-post-q-what-about-this-feature-no-attribute-constructor-can-i-use-that-to-by-pass-the-post-by-not-running-it-in-the-constructor) |
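Review bot: The anchor fragments in items 1-3 do not match their link text, so these links are unlikely to resolve: item 1 has `xommercial` and `we=validated`, item 2 drops `know` (`#how-do-i-if-i-am-using-the-fips-module`), and item 3 ends in `every-teime`. Regenerate the fragments from the final headings in section02.md. Also, `recieved` in the introduction paragraph should be `received`.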
Remove duplicate `Followup POST Q: What about this feature NO_`.
Also, questions 4-7 are sub-items of number 3. I don't think 4-7 should be listed here, and just be inside the text section for 3.
5. [Followup POST Q: Why is the feature NO_ATTRIBUTE_CONSTRUCTOR there then if I can not use it?](./section02.md#followup-post-q-why-is-the-feature-no-attribute-constructor-there-then-if-i-can-not-use-it) | ||
6. [Followup POST Q: Who can determine when NO_ATTRIBUTE_CONSTRUCTOR is allowed?](./section02.md#followup-post-q-who-can-determine-when-no-attribute-constructor-is-allowed) | ||
7. [Followup POST Q: What about with fips-ready, can I use NO_ATTRIBUTE_CONSTRUCTOR with fips-ready?](./section02.md#followup-post-q-what-about-with-fips-ready-can-i-use-no-attribute-constructor-with-fips-ready) | ||
8. [WhatWhat can go wrong for the end user after basic testing?](./section02.md#what-can-go-wrong-for-the-end-user-after-basic-testing) |
Remove duplicate `What` at beginning of list item
@@ -0,0 +1,323 @@ | |||
# Frequently Aked Questions |
`Aked` should be `Asked`
``` | ||
|
||
the key access can optionally be unlocked* only once on startup and locked again prior to shutdown** or... If the application wishes to be very strict, these can be called immediately before and after each call that involves a private key load or use. | ||
*Be aware that LOCK and UNLOCK are thread-local. Aas this is a semaphore, each UNLOCK must be paired with a corresponding LOCK at the same scope to properly decrement the lock count. Alternatively doing a "true lock" (example provided below) may be the best approach for proper lock management. |
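Review bot: The footnote says LOCK and UNLOCK are thread-local, but the sentence above it says key access can be unlocked "only once on startup"; state explicitly whether that means once in each thread that loads or uses a private key, since a reader could take it to mean once per process. In the same footnote, `Aas this is a semaphore` should read `As this is a semaphore`, and the `or...` before "If the application wishes to be very strict" reads as an unfinished sentence.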
Asterisks used here and in the line below do not show up correctly in generated output, please fix.
|
||
``` | ||
/* true_lock will always decrement the lock counter to 0 regardless of scope */ | ||
static inline int true_lock(void) |
Please fix the formatting of the code in this block. See original document for expected spacing/formatting.
|
||
g. To support an application that can link to both a wolfSSL FIPS library version and a wolfSSL non-FIPS library version users can implement NO-OP versions of the macros at the application level for the non-FIPS cases like so: | ||
|
||
... |
"..." should be "```"
|
||
API's that require UNLOCK before first use (should also be re-LOCKED after use): | ||
|
||
... |
"..." should be "```"
● wc_ed448_export_key | ||
● wc_PBKDF2_ex | ||
● wc_PBKDF2 | ||
... |
"..." should be "```"
Closing this PR since #202 has replaced it. |
Created the wolfSSL FIPS FAQ folder with header.txt, Makefile, mkdocs.yml, and .md files.