Blame SOURCES/README.FIPS

acdedc
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
acdedc
=================================================================
acdedc
acdedc
This package contains libraries which comprise the FIPS 140-2
acdedc
Red Hat Enterprise Linux - OPENSSL Module.
acdedc
acdedc
The module files
acdedc
================
acdedc
/usr/lib[64]/libcrypto.so.1.1.0
acdedc
/usr/lib[64]/libssl.so.1.1.0
acdedc
/usr/lib[64]/.libcrypto.so.1.1.0.hmac
acdedc
/usr/lib[64]/.libssl.so.1.1.0.hmac
acdedc
acdedc
Dependencies
acdedc
============
acdedc
acdedc
The approved mode of operation requires kernel with /dev/urandom RNG running
acdedc
with properties as defined in the security policy of the module. This is
acdedc
provided by kernel packages with validated Red Hat Enterprise Linux Kernel
acdedc
Crytographic Module.
acdedc
acdedc
Installation
acdedc
============
acdedc
acdedc
The RPM package of the module can be installed by standard tools recommended
acdedc
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
acdedc
rpm, RHN remote management tool).
acdedc
acdedc
The RPM package dracut-fips must be installed for the approved mode of
acdedc
operation.
acdedc
acdedc
Usage and API
acdedc
=============
acdedc
acdedc
The module respects kernel command line FIPS setting. If the kernel command
acdedc
line contains option fips=1 the module will initialize in the FIPS approved
acdedc
mode of operation automatically. To allow for the automatic initialization the
acdedc
application using the module has to call one of the following API calls:
acdedc
acdedc
- void OPENSSL_init_library(void) - this will do only a basic initialization
acdedc
of the library and does initialization of the FIPS approved mode without setting
acdedc
up EVP API with supported algorithms.
acdedc
acdedc
- void OPENSSL_add_all_algorithms(void) - this API function calls
acdedc
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
acdedc
in the approved mode 
acdedc
acdedc
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
acdedc
adds algorithms which are necessary for TLS protocol support and initializes
acdedc
the SSL library.
acdedc
acdedc
To explicitely put the library to the approved mode the application can call
acdedc
the following function:
acdedc
acdedc
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
acdedc
the library from the non-approved to the approved mode. If any of the selftests
acdedc
and integrity verification tests fail, the library is put into the error state
acdedc
and 0 is returned. If they succeed the return value is 1.
acdedc
acdedc
To query the module whether it is in the approved mode or not:
acdedc
acdedc
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
acdedc
0 otherwise.
acdedc
acdedc
To query whether the module is in the error state:
acdedc
acdedc
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
acdedc
state, 0 otherwise.
acdedc
acdedc
To zeroize the FIPS RNG key and internal state the application calls:
acdedc
acdedc
- void RAND_cleanup(void)