# FIPS Mode on ISA-L Crypto

## Compilation

FIPS mode is disabled in the library by default.
To enable it, compile the library as follows:

- Using autotools:

```
 ./autogen.sh
 ./configure --enable-fips-mode
 make
```

- Standard makefile:

```
 make -f Makefile.unx FIPS_MODE=y
```

- Windows Makefile:

```
 nmake /f Makefile.nmake FIPS_MODE=y
```

## API covered by this mode

Only the "isal_" prefixed API is in the scope of this mode
(e.g. `isal_aes_cbc_enc_128()`).

`isal_crypto.h` or `isal_crypto_api.h` must be included in the application/framework
calling this API.

On the first call to this API, the crypto self tests are run.
If any of the tests fail, no crypto operation is performed
and the API returns `ISAL_CRYPTO_ERR_SELF_TEST`.
Subsequent calls return this error too.

The self tests can also be run at the application level by
explicitly calling `isal_self_tests()`.

The self tests are executed only once, either by invoking
the `isal_self_tests()` function or by invoking a covered crypto function,
such as `isal_aes_cbc_enc_128()`. After the tests have been run once,
they are not executed again, and subsequent API calls use the previous test result.

If an algorithm is not NIST approved (e.g. SM3), calling the
crypto function returns `ISAL_CRYPTO_ERR_FIPS_INVALID_ALGO`.

## Example of usage

```
#include <stdlib.h>          /* exit() */
#include <isal_crypto_api.h>
#include <aes_cbc.h>

...

/* The first covered call also triggers the self tests; any non-zero
 * return (including ISAL_CRYPTO_ERR_SELF_TEST) means no encryption
 * was performed. */
int ret = isal_aes_cbc_enc_128(pt, iv, expkey_enc, ct, pt_len);
if (ret != 0)
        exit(1);

```

## Considerations

- This library does not check for uniqueness of the AES-GCM key/IV pair.
- FIPS mode is supported from ISA-L Crypto version v2.25.
- FIPS mode has only been tested on Intel x86 architecture.
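
Because the library does not check AES-GCM key/IV uniqueness, the caller has to guarantee it. The following is an added example, not part of ISA-L Crypto: a caller-side 96-bit IV generator using the deterministic construction of NIST SP 800-38D (fixed field followed by an invocation counter). The names `gcm_iv_gen`, `gcm_iv_gen_init` and `gcm_iv_gen_next`, and the 32-bit/64-bit field split, are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define GCM_IV_LEN 12 /* 96-bit IV */

/* Hypothetical per-key IV generator state (not an ISA-L Crypto type).
 * Keep exactly one instance per key; if the counter cannot be persisted
 * across restarts, generate a new key on restart instead. */
struct gcm_iv_gen {
        uint8_t fixed[4]; /* identifies this encryptor under the key */
        uint64_t next;    /* invocation counter, never reused for this key */
        int exhausted;    /* set once every counter value has been issued */
};

void gcm_iv_gen_init(struct gcm_iv_gen *g, const uint8_t fixed[4])
{
        memcpy(g->fixed, fixed, 4);
        g->next = 0;
        g->exhausted = 0;
}

/* Writes the next unique IV into iv.
 * Returns 0 on success, -1 when the counter space is used up and the
 * key must be rotated before any further encryption. */
int gcm_iv_gen_next(struct gcm_iv_gen *g, uint8_t iv[GCM_IV_LEN])
{
        if (g->exhausted)
                return -1;

        memcpy(iv, g->fixed, 4);
        for (int i = 0; i < 8; i++) /* big-endian invocation field */
                iv[4 + i] = (uint8_t)(g->next >> (56 - 8 * i));

        /* Fail closed instead of wrapping back to an already-used IV. */
        if (g->next == UINT64_MAX)
                g->exhausted = 1;
        else
                g->next++;
        return 0;
}
```

Pass the resulting 12-byte IV to the GCM call made under the corresponding key, and treat a `-1` return as a hard stop until a new key is installed.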