isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/README.FIPS

a5ef24
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
a5ef24
=================================================================
a5ef24
a5ef24
This package contains libraries which comprise the FIPS 140-2
a5ef24
Red Hat Enterprise Linux - OPENSSL Module.
a5ef24
a5ef24
The module files
a5ef24
================
cfec1a
/usr/lib[64]/libcrypto.so.1.0.2j
cfec1a
/usr/lib[64]/libssl.so.1.0.2j
cfec1a
/usr/lib[64]/.libcrypto.so.1.0.2j.hmac
cfec1a
/usr/lib[64]/.libssl.so.1.0.2j.hmac
a5ef24
a5ef24
Dependencies
a5ef24
============
a5ef24
a5ef24
The approved mode of operation requires kernel with /dev/urandom RNG running
a5ef24
with properties as defined in the security policy of the module. This is
a5ef24
provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
a5ef24
Crytographic Module.
a5ef24
a5ef24
Installation
a5ef24
============
a5ef24
a5ef24
The RPM package of the module can be installed by standard tools recommended
a5ef24
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
a5ef24
rpm, RHN remote management tool).
a5ef24
a5ef24
For proper operation of the in-module integrity verification the prelink has to
a5ef24
be disabled. This can be done with setting PRELINKING=no in the
a5ef24
/etc/sysconfig/prelink configuration file. If the libraries were already
a5ef24
prelinked the prelink should be undone on all the system files with the
a5ef24
'prelink -u -a' command.
a5ef24
a5ef24
Usage and API
a5ef24
=============
a5ef24
a5ef24
The module respects kernel command line FIPS setting. If the kernel command
a5ef24
line contains option fips=1 the module will initialize in the FIPS approved
a5ef24
mode of operation automatically. To allow for the automatic initialization the
a5ef24
application using the module has to call one of the following API calls:
a5ef24
a5ef24
- void OPENSSL_init_library(void) - this will do only a basic initialization
a5ef24
of the library and does initialization of the FIPS approved mode without setting
a5ef24
up EVP API with supported algorithms.
a5ef24
a5ef24
- void OPENSSL_add_all_algorithms(void) - this API function calls
a5ef24
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
a5ef24
in the approved mode 
a5ef24
a5ef24
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
a5ef24
adds algorithms which are necessary for TLS protocol support and initializes
a5ef24
the SSL library.
a5ef24
a5ef24
To explicitely put the library to the approved mode the application can call
a5ef24
the following function:
a5ef24
a5ef24
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
a5ef24
the library from the non-approved to the approved mode. If any of the selftests
a5ef24
and integrity verification tests fail, the library is put into the error state
a5ef24
and 0 is returned. If they succeed the return value is 1.
a5ef24
a5ef24
To query the module whether it is in the approved mode or not:
a5ef24
a5ef24
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
a5ef24
0 otherwise.
a5ef24
a5ef24
To query whether the module is in the error state:
a5ef24
a5ef24
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
a5ef24
state, 0 otherwise.
a5ef24
a5ef24
To zeroize the FIPS RNG key and internal state the application calls:
a5ef24
a5ef24
- void RAND_cleanup(void)