- abort if selftests failed and random number generator is polled

- mention EVP_aes and EVP_sha2xx routines in the manpages
- add README.FIPS
- make CA dir absolute path (#445344)
- change default length for RSA key generation to 2048 (#484101)

README.FIPS

@@ -0,0 +1,71 @@
+User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
+=================================================================
+
+This package contains libraries which comprise the FIPS 140-2
+Red Hat Enterprise Linux - OPENSSL Module.
+
+The module files
+================
+/lib[64]/libcrypto.so.0.9.8e
+/lib[64]/libssl.so.0.9.8e
+/lib[64]/.libcrypto.so.0.9.8e.hmac
+/lib[64]/.libssl.so.0.9.8e.hmac
+
+Dependencies
+============
+
+The approved mode of operation requires kernel with /dev/urandom RNG running
+with properties as defined in the security policy of the module. This is
+provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
+Crytographic Module.
+
+Installation
+============
+
+The RPM package of the module can be installed by standard tools recommended
+for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
+rpm, RHN remote management tool).
+
+For proper operation of the in-module integrity verification the prelink has to
+be disabled. This can be done with setting PRELINKING=no in the
+/etc/sysconfig/prelink configuration file. If the libraries were already
+prelinked the prelink should be undone on all the system files with the
+'prelink -u -a' command.
+
+Usage and API
+=============
+
+The module respects kernel command line FIPS setting. If the kernel command
+line contains option fips=1 the module will initialize in the FIPS approved
+mode of operation automatically. To allow for the automatic initialization the
+application using the module has to call one of the following API calls:
+
+- void OPENSSL_init(void) - this will do only a basic initialization of the
+library and does initialization of the FIPS approved mode without setting up
+EVP API with supported algorithms.
+
+- void OPENSSL_add_all_algorithms(void) - this API function calls
+OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
+in the approved mode 
+
+- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
+adds algorithms which are necessary for TLS protocol support and initializes
+the SSL library.
+
+To explicitely put the library to the approved mode the application can call
+the following function:
+
+- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
+the library from the non-approved to the approved mode. If any of the selftests
+and integrity verification tests fail, the library is put into the error state
+and 0 is returned. If they succeed the return value is 1.
+
+To query the module whether it is in the approved mode or not:
+
+- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
+0 otherwise.
+
+To query whether the module is in the error state:
+
+- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
+state, 0 otherwise.

openssl-0.9.8a-defaults.patch

@@ -1,6 +1,7 @@
 --- openssl-0.9.8a/apps/openssl.cnf.defaults	2005-09-16 14:20:24.000000000 +0200
 +++ openssl-0.9.8a/apps/openssl.cnf	2005-11-04 11:00:37.000000000 +0100
-@@ -99,7 +99,8 @@
+@@ -98,7 +98,8 @@
+ 
  ####################################################################
  [ req ]
 -default_bits		= 1024