sgallagh / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone
Source Code
GIT

Files

eln f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f7 f8 f9 fix_strcasecmp main rawhide seclevel2 sha1patch
  1.   seclevel2
tests
.gitignore
0001-Aarch64-and-ppc64le-use-lib64.patch
0002-Use-more-general-default-values-in-openssl.cnf.patch
0003-Do-not-install-html-docs.patch
0004-Override-default-paths-for-the-CA-directory-tree.patch
0005-apps-ca-fix-md-option-help-text.patch
0006-Disable-signature-verification-with-totally-unsafe-h.patch
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
0008-Add-FIPS_mode-compatibility-macro.patch
0009-Add-Kernel-FIPS-mode-flag-support.patch
0011-Remove-EC-curves.patch
0012-Disable-explicit-ec.patch
0024-load-legacy-prov.patch
0025-for-tests.patch
0031-tmp-Fix-test-names.patch
0032-Force-fips.patch
0033-FIPS-embed-hmac.patch
0034.fipsinstall_disable.patch
0035-speed-skip-unavailable-dgst.patch
0044-FIPS-140-3-keychecks.patch
0045-FIPS-services-minimize.patch
0047-FIPS-early-KATS.patch
0049-Allow-disabling-of-SHA1-signatures.patch
0049-Selectively-disallow-SHA1-signatures.patch
0051-Support-different-R_BITS-lengths-for-KBKDF.patch
0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
0053-Add-SHA1-probes.patch
0056-strcasecmp.patch
0058-FIPS-limit-rsa-encrypt.patch
0060-FIPS-KAT-signature-tests.patch
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
0062-fips-Expose-a-FIPS-indicator.patch
0071-AES-GCM-performance-optimization.patch
0072-ChaCha20-performance-optimizations-for-ppc64le.patch
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
0074-FIPS-Use-digest_sign-digest_verify-in-self-test-eln.patch
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
0075-FIPS-Use-FFDHE2048-in-self-test.patch
0076-FIPS-140-3-DRBG.patch
0077-FIPS-140-3-zeroization.patch
0078-Add-FIPS-indicator-parameter-to-HKDF.patch
0079-Fix-AES-GCM-on-Power-8-CPUs.patch
0100-RSA-PKCS15-implicit-rejection.patch
Makefile.certificate
README.FIPS
configuration-prefix.h
configuration-switch.h
ec_curve.c
ectest.c
openssl.rpmlintrc
openssl.spec
opensslconf-new-warning.h
opensslconf-new.h
sources
fixpatch
genpatches
hobble-openssl
make-dummy-cert
renew-dummy-cert
README.FIPS
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module ================================================================= This package contains libraries which comprise the FIPS 140-2 Red Hat Enterprise Linux - OPENSSL Module. The module files ================ /usr/lib[64]/libcrypto.so.1.1.0 /usr/lib[64]/libssl.so.1.1.0 /usr/lib[64]/.libcrypto.so.1.1.0.hmac /usr/lib[64]/.libssl.so.1.1.0.hmac Dependencies ============ The approved mode of operation requires kernel with /dev/urandom RNG running with properties as defined in the security policy of the module. This is provided by kernel packages with validated Red Hat Enterprise Linux Kernel Crytographic Module. Installation ============ The RPM package of the module can be installed by standard tools recommended for installation of RPM packages on the Red Hat Enterprise Linux system (yum, rpm, RHN remote management tool). The RPM package dracut-fips must be installed for the approved mode of operation. Usage and API ============= The module respects kernel command line FIPS setting. If the kernel command line contains option fips=1 the module will initialize in the FIPS approved mode of operation automatically. To allow for the automatic initialization the application using the module has to call one of the following API calls: - void OPENSSL_init_library(void) - this will do only a basic initialization of the library and does initialization of the FIPS approved mode without setting up EVP API with supported algorithms. - void OPENSSL_add_all_algorithms(void) - this API function calls OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API in the approved mode - void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also adds algorithms which are necessary for TLS protocol support and initializes the SSL library. To explicitely put the library to the approved mode the application can call the following function: - int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch the library from the non-approved to the approved mode. If any of the selftests and integrity verification tests fail, the library is put into the error state and 0 is returned. If they succeed the return value is 1. To query the module whether it is in the approved mode or not: - int FIPS_mode(void) - returns 1 if the module is in the approved mode, 0 otherwise. To query whether the module is in the error state: - int FIPS_selftest_failed(void) - returns 1 if the module is in the error state, 0 otherwise. To zeroize the FIPS RNG key and internal state the application calls: - void RAND_cleanup(void)
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.