|
 |
acdedc |
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
|
|
|
acdedc |
=================================================================
|
|
|
acdedc |
|
|
|
acdedc |
This package contains libraries which comprise the FIPS 140-2
|
|
|
acdedc |
Red Hat Enterprise Linux - OPENSSL Module.
|
|
|
acdedc |
|
|
|
acdedc |
The module files
|
|
|
acdedc |
================
|
|
|
acdedc |
/usr/lib[64]/libcrypto.so.1.1.0
|
|
|
acdedc |
/usr/lib[64]/libssl.so.1.1.0
|
|
|
acdedc |
/usr/lib[64]/.libcrypto.so.1.1.0.hmac
|
|
|
acdedc |
/usr/lib[64]/.libssl.so.1.1.0.hmac
|
|
|
acdedc |
|
|
|
acdedc |
Dependencies
|
|
|
acdedc |
============
|
|
|
acdedc |
|
|
|
acdedc |
The approved mode of operation requires kernel with /dev/urandom RNG running
|
|
|
acdedc |
with properties as defined in the security policy of the module. This is
|
|
|
acdedc |
provided by kernel packages with validated Red Hat Enterprise Linux Kernel
|
|
|
acdedc |
Crytographic Module.
|
|
|
acdedc |
|
|
|
acdedc |
Installation
|
|
|
acdedc |
============
|
|
|
acdedc |
|
|
|
acdedc |
The RPM package of the module can be installed by standard tools recommended
|
|
|
acdedc |
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
|
|
|
acdedc |
rpm, RHN remote management tool).
|
|
|
acdedc |
|
|
|
acdedc |
The RPM package dracut-fips must be installed for the approved mode of
|
|
|
acdedc |
operation.
|
|
|
acdedc |
|
|
|
acdedc |
Usage and API
|
|
|
acdedc |
=============
|
|
|
acdedc |
|
|
|
acdedc |
The module respects kernel command line FIPS setting. If the kernel command
|
|
|
acdedc |
line contains option fips=1 the module will initialize in the FIPS approved
|
|
|
acdedc |
mode of operation automatically. To allow for the automatic initialization the
|
|
|
acdedc |
application using the module has to call one of the following API calls:
|
|
|
acdedc |
|
|
|
acdedc |
- void OPENSSL_init_library(void) - this will do only a basic initialization
|
|
|
acdedc |
of the library and does initialization of the FIPS approved mode without setting
|
|
|
acdedc |
up EVP API with supported algorithms.
|
|
|
acdedc |
|
|
|
acdedc |
- void OPENSSL_add_all_algorithms(void) - this API function calls
|
|
|
acdedc |
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
|
|
|
acdedc |
in the approved mode
|
|
|
acdedc |
|
|
|
acdedc |
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
|
|
|
acdedc |
adds algorithms which are necessary for TLS protocol support and initializes
|
|
|
acdedc |
the SSL library.
|
|
|
acdedc |
|
|
|
acdedc |
To explicitely put the library to the approved mode the application can call
|
|
|
acdedc |
the following function:
|
|
|
acdedc |
|
|
|
acdedc |
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
|
|
|
acdedc |
the library from the non-approved to the approved mode. If any of the selftests
|
|
|
acdedc |
and integrity verification tests fail, the library is put into the error state
|
|
|
acdedc |
and 0 is returned. If they succeed the return value is 1.
|
|
|
acdedc |
|
|
|
acdedc |
To query the module whether it is in the approved mode or not:
|
|
|
acdedc |
|
|
|
acdedc |
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
|
|
|
acdedc |
0 otherwise.
|
|
|
acdedc |
|
|
|
acdedc |
To query whether the module is in the error state:
|
|
|
acdedc |
|
|
|
acdedc |
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
|
|
|
acdedc |
state, 0 otherwise.
|
|
|
acdedc |
|
|
|
acdedc |
To zeroize the FIPS RNG key and internal state the application calls:
|
|
|
acdedc |
|
|
|
acdedc |
- void RAND_cleanup(void)
|