isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/README.FIPS

450916
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
450916
=================================================================
450916
450916
This package contains libraries which comprise the FIPS 140-2
450916
Red Hat Enterprise Linux - OPENSSL Module.
450916
450916
The module files
450916
================
450916
/usr/lib[64]/libcrypto.so.1.0.2j
450916
/usr/lib[64]/libssl.so.1.0.2j
450916
/usr/lib[64]/.libcrypto.so.1.0.2j.hmac
450916
/usr/lib[64]/.libssl.so.1.0.2j.hmac
450916
450916
Dependencies
450916
============
450916
450916
The approved mode of operation requires kernel with /dev/urandom RNG running
450916
with properties as defined in the security policy of the module. This is
450916
provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
450916
Crytographic Module.
450916
450916
Installation
450916
============
450916
450916
The RPM package of the module can be installed by standard tools recommended
450916
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
450916
rpm, RHN remote management tool).
450916
450916
For proper operation of the in-module integrity verification the prelink has to
450916
be disabled. This can be done with setting PRELINKING=no in the
450916
/etc/sysconfig/prelink configuration file. If the libraries were already
450916
prelinked the prelink should be undone on all the system files with the
450916
'prelink -u -a' command.
450916
450916
Usage and API
450916
=============
450916
450916
The module respects kernel command line FIPS setting. If the kernel command
450916
line contains option fips=1 the module will initialize in the FIPS approved
450916
mode of operation automatically. To allow for the automatic initialization the
450916
application using the module has to call one of the following API calls:
450916
450916
- void OPENSSL_init_library(void) - this will do only a basic initialization
450916
of the library and does initialization of the FIPS approved mode without setting
450916
up EVP API with supported algorithms.
450916
450916
- void OPENSSL_add_all_algorithms(void) - this API function calls
450916
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
450916
in the approved mode 
450916
450916
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
450916
adds algorithms which are necessary for TLS protocol support and initializes
450916
the SSL library.
450916
450916
To explicitely put the library to the approved mode the application can call
450916
the following function:
450916
450916
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
450916
the library from the non-approved to the approved mode. If any of the selftests
450916
and integrity verification tests fail, the library is put into the error state
450916
and 0 is returned. If they succeed the return value is 1.
450916
450916
To query the module whether it is in the approved mode or not:
450916
450916
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
450916
0 otherwise.
450916
450916
To query whether the module is in the error state:
450916
450916
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
450916
state, 0 otherwise.
450916
450916
To zeroize the FIPS RNG key and internal state the application calls:
450916
450916
- void RAND_cleanup(void)