Blame SOURCES/README.FIPS

fd2893
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
fd2893
=================================================================
fd2893
fd2893
This package contains libraries which comprise the FIPS 140-2
fd2893
Red Hat Enterprise Linux - OPENSSL Module.
fd2893
fd2893
The module files
fd2893
================
fd2893
/usr/lib[64]/libcrypto.so.1.0.2j
fd2893
/usr/lib[64]/libssl.so.1.0.2j
fd2893
/usr/lib[64]/.libcrypto.so.1.0.2j.hmac
fd2893
/usr/lib[64]/.libssl.so.1.0.2j.hmac
fd2893
fd2893
Dependencies
fd2893
============
fd2893
fd2893
The approved mode of operation requires kernel with /dev/urandom RNG running
fd2893
with properties as defined in the security policy of the module. This is
fd2893
provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
fd2893
Crytographic Module.
fd2893
fd2893
Installation
fd2893
============
fd2893
fd2893
The RPM package of the module can be installed by standard tools recommended
fd2893
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
fd2893
rpm, RHN remote management tool).
fd2893
fd2893
For proper operation of the in-module integrity verification the prelink has to
fd2893
be disabled. This can be done with setting PRELINKING=no in the
fd2893
/etc/sysconfig/prelink configuration file. If the libraries were already
fd2893
prelinked the prelink should be undone on all the system files with the
fd2893
'prelink -u -a' command.
fd2893
fd2893
Usage and API
fd2893
=============
fd2893
fd2893
The module respects kernel command line FIPS setting. If the kernel command
fd2893
line contains option fips=1 the module will initialize in the FIPS approved
fd2893
mode of operation automatically. To allow for the automatic initialization the
fd2893
application using the module has to call one of the following API calls:
fd2893
fd2893
- void OPENSSL_init_library(void) - this will do only a basic initialization
fd2893
of the library and does initialization of the FIPS approved mode without setting
fd2893
up EVP API with supported algorithms.
fd2893
fd2893
- void OPENSSL_add_all_algorithms(void) - this API function calls
fd2893
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
fd2893
in the approved mode 
fd2893
fd2893
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
fd2893
adds algorithms which are necessary for TLS protocol support and initializes
fd2893
the SSL library.
fd2893
fd2893
To explicitely put the library to the approved mode the application can call
fd2893
the following function:
fd2893
fd2893
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
fd2893
the library from the non-approved to the approved mode. If any of the selftests
fd2893
and integrity verification tests fail, the library is put into the error state
fd2893
and 0 is returned. If they succeed the return value is 1.
fd2893
fd2893
To query the module whether it is in the approved mode or not:
fd2893
fd2893
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
fd2893
0 otherwise.
fd2893
fd2893
To query whether the module is in the error state:
fd2893
fd2893
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
fd2893
state, 0 otherwise.
fd2893
fd2893
To zeroize the FIPS RNG key and internal state the application calls:
fd2893
fd2893
- void RAND_cleanup(void)