User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
=================================================================

This package contains the libraries which comprise the FIPS 140-2
Red Hat Enterprise Linux - OpenSSL Module.
Note that the openssl-fips subpackage needs to be installed for the
OpenSSL FIPS module installation to be complete.

The module files
================

/usr/lib[64]/libcrypto.so.1.0.1e
/usr/lib[64]/libssl.so.1.0.1e
/usr/lib[64]/.libcrypto.so.1.0.1e.hmac
/usr/lib[64]/.libssl.so.1.0.1e.hmac

Dependencies
============

The approved mode of operation requires a kernel with the /dev/urandom RNG
running with the properties defined in the security policy of the module. This
is provided by the kernel packages containing the validated Red Hat Enterprise
Linux - IPSec Cryptographic Module.

Installation
============

The RPM package of the module can be installed with the standard tools
recommended for installing RPM packages on a Red Hat Enterprise Linux system
(yum, rpm, the RHN remote management tool).

For proper operation of the in-module integrity verification, prelink has to
be disabled, because prelink rewrites the library files on disk and a
rewritten library no longer matches its integrity check value. Prelink is
disabled by setting PRELINKING=no in the /etc/sysconfig/prelink configuration
file. If the libraries were already prelinked, the prelinking must be undone
on all the system files with the 'prelink -u -a' command.
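The installation prerequisites above, checked from a script. This is an added
example and not part of the Red Hat package; it assumes the library directory
is /usr/lib64 (or /usr/lib) as listed under "The module files", and it treats
the presence of the .gnu.prelink_undo section, which prelink adds to every
object it rewrites so that 'prelink -u' can restore it, as the marker of a
prelinked library.

```shell
#!/bin/sh
# fips_preflight.sh: added example, not part of the Red Hat openssl package.
# Checks what this guide requires before the module's integrity verification
# can be relied on: PRELINKING=no in /etc/sysconfig/prelink, the libraries and
# their .hmac files present, and no library still prelinked.

# Effective PRELINKING value from a /etc/sysconfig/prelink style file.  The
# file is sourced as shell, so the last uncommented assignment wins; double
# quotes, whitespace and trailing comments are tolerated.  Prints the value.
prelinking_setting() {
    awk -F= '
        /^[ \t]*PRELINKING[ \t]*=/ {
            v = $2
            sub(/[ \t]+#.*$/, "", v)            # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # surrounding whitespace/quotes
            last = v
        }
        END { print last }' "$1"
}

# Exit 0 only when the effective setting is exactly "no".
prelink_disabled() {
    [ "$(prelinking_setting "$1")" = "no" ]
}

# A prelinked ELF object carries a .gnu.prelink_undo section; its name sits in
# the section header string table, so a binary-safe grep finds it without
# needing readelf.
is_prelinked() {
    grep -q -a '\.gnu\.prelink_undo' "$1"
}

# The module is complete only when each library has its HMAC file beside it.
# $1 is the library directory (/usr/lib or /usr/lib64).
module_files_present() {
    _dir=$1 _missing=0
    for _lib in libcrypto.so.1.0.1e libssl.so.1.0.1e; do
        for _f in "$_dir/$_lib" "$_dir/.$_lib.hmac"; do
            [ -f "$_f" ] || { echo "missing: $_f" >&2; _missing=1; }
        done
    done
    return $_missing
}

# Run every check; exit 0 only if all pass.
# $1: library directory (default /usr/lib64), $2: prelink config file.
preflight() {
    _libdir=${1:-/usr/lib64} _cfg=${2:-/etc/sysconfig/prelink} _rc=0
    if [ -f "$_cfg" ] && prelink_disabled "$_cfg"; then
        echo "ok: PRELINKING=no in $_cfg"
    else
        echo "FAIL: set PRELINKING=no in $_cfg" >&2; _rc=1
    fi
    if module_files_present "$_libdir"; then
        echo "ok: module libraries and .hmac files present in $_libdir"
    else
        _rc=1
    fi
    for _lib in "$_libdir"/libcrypto.so.1.0.1e "$_libdir"/libssl.so.1.0.1e; do
        if [ -f "$_lib" ] && is_prelinked "$_lib"; then
            echo "FAIL: $_lib is prelinked; run 'prelink -u -a'" >&2; _rc=1
        fi
    done
    return $_rc
}

# Invoke as:  sh fips_preflight.sh --run [libdir] [prelink-config]
case "${1-}" in
    --run) preflight "${2-}" "${3-}" ;;
esac
```

Run it after installing the RPMs and again after 'prelink -u -a'; a non-zero
exit means the module's integrity verification cannot be expected to pass yet.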

Usage and API
=============

The module respects the kernel command line FIPS setting. If the kernel
command line contains the option fips=1, the module will initialize in the
FIPS approved mode of operation automatically. To allow for the automatic
initialization the application using the module has to call one of the
following API functions:

- void OPENSSL_init_library(void) - this does only a basic initialization of
the library, including the initialization of the FIPS approved mode, without
setting up the EVP API with the supported algorithms.

- void OpenSSL_add_all_algorithms(void) - this function calls
OPENSSL_init_library() implicitly and also adds all approved algorithms to the
EVP API when in the approved mode.

- int SSL_library_init(void) - it calls OPENSSL_init_library() implicitly,
adds the algorithms which are necessary for TLS protocol support and
initializes the SSL library.

To explicitly put the library into the approved mode the application can call
the following function:

- int FIPS_mode_set(int on) - if called with 1 as the parameter it will switch
the library from the non-approved to the approved mode. If any of the
self-tests or the integrity verification fails, the library is put into the
error state and 0 is returned. If they succeed the return value is 1.

To query whether the module is in the approved mode:

- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
0 otherwise.

To query whether the module is in the error state:

- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
state, 0 otherwise.

To zeroize the FIPS RNG key and internal state the application calls:

- void RAND_cleanup(void)
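The API sequence described in this section, from basic initialization through
switching on and querying the approved mode to zeroizing the RNG state, as a
small probe program. This is an added example and not code from the Red Hat
package. It assumes the libcrypto soname listed under "The module files"
(overridable on the command line) and resolves the documented functions with
dlopen()/dlsym() instead of linking against them, so it also builds on a host
that does not have the FIPS module and reports that case. The token check on
the kernel command line is the example's own reading of "fips=1".

```c
/* fips_probe.c: added example, not part of the Red Hat openssl package.
 * Walks the documented API (OPENSSL_init_library, FIPS_mode, FIPS_mode_set,
 * FIPS_selftest_failed, RAND_cleanup) against the installed libcrypto and
 * reports the state the module ends up in.  The entry points are resolved
 * with dlopen()/dlsym() rather than linked, so the probe also builds on a
 * host without the FIPS module and reports that case instead of failing to
 * link.   Build: cc -o fips_probe fips_probe.c -ldl    Run: ./fips_probe [so] */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SONAME "libcrypto.so.1.0.1e"   /* from "The module files" above */

enum probe_result {
    PROBE_NO_LIBRARY = -1,   /* dlopen() failed */
    PROBE_NOT_FIPS_CAPABLE,  /* loaded, but the FIPS_* entry points are absent */
    PROBE_FIPS_OFF,          /* not in approved mode; FIPS_mode_set(1) refused */
    PROBE_FIPS_ERROR_STATE,  /* a self-test or the integrity check failed */
    PROBE_FIPS_ON            /* approved mode active */
};

/* Does a kernel command line ask for the approved mode?  Only the whole
 * token "fips=1" counts, so "nofips=1" or "fips=10" do not. */
int cmdline_requests_fips(const char *cmdline)
{
    const char *p = cmdline;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        const char *end = p;
        while (*end && *end != ' ' && *end != '\t' && *end != '\n') end++;
        if (end - p == 6 && memcmp(p, "fips=1", 6) == 0) return 1;
        p = end;
    }
    return 0;
}

/* Same check on the running kernel; 0 if /proc/cmdline cannot be read. */
int kernel_requests_fips(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/cmdline", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cmdline_requests_fips(buf);
}

typedef void (*void_fn)(void);
typedef int (*int_fn)(void);
typedef int (*int_int_fn)(int);

/* dlsym() yields a void *, which ISO C will not convert to a function
 * pointer; memcpy() into the pointer sidesteps the cast. */
#define RESOLVE(h, fn, name) \
    do { void *p_ = dlsym((h), (name)); memcpy(&(fn), &p_, sizeof (fn)); } while (0)

int fips_probe(const char *soname, int try_switch_on)
{
    void *h = dlopen(soname, RTLD_NOW);
    if (!h) return PROBE_NO_LIBRARY;

    void_fn init_library = NULL, rand_cleanup = NULL;
    int_fn fips_mode = NULL, selftest_failed = NULL;
    int_int_fn fips_mode_set = NULL;
    RESOLVE(h, init_library, "OPENSSL_init_library");
    RESOLVE(h, fips_mode, "FIPS_mode");
    RESOLVE(h, fips_mode_set, "FIPS_mode_set");
    RESOLVE(h, selftest_failed, "FIPS_selftest_failed");
    RESOLVE(h, rand_cleanup, "RAND_cleanup");
    if (!fips_mode || !fips_mode_set || !selftest_failed) return PROBE_NOT_FIPS_CAPABLE;

    /* Basic initialization; with fips=1 on the kernel command line this is
     * where the module switches itself into the approved mode. */
    if (init_library) init_library();

    int result;
    if (fips_mode())                            result = PROBE_FIPS_ON;          /* automatic */
    else if (try_switch_on && fips_mode_set(1)) result = PROBE_FIPS_ON;          /* explicit, tests passed */
    else if (selftest_failed())                 result = PROBE_FIPS_ERROR_STATE; /* tests failed */
    else                                        result = PROBE_FIPS_OFF;

    /* Zeroize the FIPS RNG key and internal state, as the guide describes. */
    if (rand_cleanup) rand_cleanup();
    /* The handle is left open on purpose: libcrypto 1.1 and later register an
     * atexit() cleanup, and unloading the library first crashes at exit. */
    return result;
}

int main(int argc, char **argv)
{
    const char *soname = argc > 1 ? argv[1] : MODULE_SONAME;
    printf("kernel command line requests fips=1: %s\n", kernel_requests_fips() ? "yes" : "no");
    switch (fips_probe(soname, 1)) {
    case PROBE_NO_LIBRARY:       printf("%s: cannot load: %s\n", soname, dlerror()); return 2;
    case PROBE_NOT_FIPS_CAPABLE: printf("%s: no FIPS_mode_set(); not the FIPS module\n", soname); return 2;
    case PROBE_FIPS_ERROR_STATE: printf("%s: error state (self-test/integrity failure)\n", soname); return 1;
    case PROBE_FIPS_OFF:         printf("%s: FIPS_mode_set(1) refused; non-approved mode\n", soname); return 1;
    case PROBE_FIPS_ON:          printf("%s: approved mode active\n", soname); return 0;
    }
    return 1;
}
```

On a system booted with fips=1 the probe should report the approved mode
without needing the explicit FIPS_mode_set(1); without fips=1 it shows whether
the explicit switch succeeds or leaves the module in the error state, which is
the distinction an application has to make before using any cryptography.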