Blame SOURCES/README.FIPS

3a273b
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
3a273b
=================================================================
3a273b
3a273b
This package contains libraries which comprise the FIPS 140-2
3a273b
Red Hat Enterprise Linux - OPENSSL Module.
3a273b
3a273b
The module files
3a273b
================
3a273b
/usr/lib[64]/libcrypto.so.1.1.0
3a273b
/usr/lib[64]/libssl.so.1.1.0
3a273b
/usr/lib[64]/.libcrypto.so.1.1.0.hmac
3a273b
/usr/lib[64]/.libssl.so.1.1.0.hmac
3a273b
3a273b
Dependencies
3a273b
============
3a273b
3a273b
The approved mode of operation requires kernel with /dev/urandom RNG running
3a273b
with properties as defined in the security policy of the module. This is
3a273b
provided by kernel packages with validated Red Hat Enterprise Linux Kernel
3a273b
Crytographic Module.
3a273b
3a273b
Installation
3a273b
============
3a273b
3a273b
The RPM package of the module can be installed by standard tools recommended
3a273b
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
3a273b
rpm, RHN remote management tool).
3a273b
3a273b
The RPM package dracut-fips must be installed for the approved mode of
3a273b
operation.
3a273b
3a273b
Usage and API
3a273b
=============
3a273b
3a273b
The module respects kernel command line FIPS setting. If the kernel command
3a273b
line contains option fips=1 the module will initialize in the FIPS approved
3a273b
mode of operation automatically. To allow for the automatic initialization the
3a273b
application using the module has to call one of the following API calls:
3a273b
3a273b
- void OPENSSL_init_library(void) - this will do only a basic initialization
3a273b
of the library and does initialization of the FIPS approved mode without setting
3a273b
up EVP API with supported algorithms.
3a273b
3a273b
- void OPENSSL_add_all_algorithms(void) - this API function calls
3a273b
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
3a273b
in the approved mode 
3a273b
3a273b
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
3a273b
adds algorithms which are necessary for TLS protocol support and initializes
3a273b
the SSL library.
3a273b
3a273b
To explicitely put the library to the approved mode the application can call
3a273b
the following function:
3a273b
3a273b
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
3a273b
the library from the non-approved to the approved mode. If any of the selftests
3a273b
and integrity verification tests fail, the library is put into the error state
3a273b
and 0 is returned. If they succeed the return value is 1.
3a273b
3a273b
To query the module whether it is in the approved mode or not:
3a273b
3a273b
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
3a273b
0 otherwise.
3a273b
3a273b
To query whether the module is in the error state:
3a273b
3a273b
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
3a273b
state, 0 otherwise.
3a273b
3a273b
To zeroize the FIPS RNG key and internal state the application calls:
3a273b
3a273b
- void RAND_cleanup(void)