From 05a8f32a5ea3c12e2408757bd383145576465d97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Tue, 30 Jun 2009 14:20:37 +0000 Subject: [PATCH] - abort if selftests failed and random number generator is polled - mention EVP_aes and EVP_sha2xx routines in the manpages - add README.FIPS - make CA dir absolute path (#445344) - change default length for RSA key generation to 2048 (#484101) --- README.FIPS | 71 +++++++++++++++++++++++++++++++++++ openssl-0.9.8a-defaults.patch | 3 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 README.FIPS diff --git a/README.FIPS b/README.FIPS new file mode 100644 index 0000000..5933f94 --- /dev/null +++ b/README.FIPS @@ -0,0 +1,71 @@ +User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module +================================================================= + +This package contains libraries which comprise the FIPS 140-2 +Red Hat Enterprise Linux - OPENSSL Module. + +The module files +================ +/lib[64]/libcrypto.so.0.9.8e +/lib[64]/libssl.so.0.9.8e +/lib[64]/.libcrypto.so.0.9.8e.hmac +/lib[64]/.libssl.so.0.9.8e.hmac + +Dependencies +============ + +The approved mode of operation requires kernel with /dev/urandom RNG running +with properties as defined in the security policy of the module. This is +provided by kernel packages with validated Red Hat Enterprise Linux - IPSec +Crytographic Module. + +Installation +============ + +The RPM package of the module can be installed by standard tools recommended +for installation of RPM packages on the Red Hat Enterprise Linux system (yum, +rpm, RHN remote management tool). + +For proper operation of the in-module integrity verification the prelink has to +be disabled. This can be done with setting PRELINKING=no in the +/etc/sysconfig/prelink configuration file. If the libraries were already +prelinked the prelink should be undone on all the system files with the +'prelink -u -a' command. + +Usage and API +============= + +The module respects kernel command line FIPS setting. If the kernel command +line contains option fips=1 the module will initialize in the FIPS approved +mode of operation automatically. To allow for the automatic initialization the +application using the module has to call one of the following API calls: + +- void OPENSSL_init(void) - this will do only a basic initialization of the +library and does initialization of the FIPS approved mode without setting up +EVP API with supported algorithms. + +- void OPENSSL_add_all_algorithms(void) - this API function calls +OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API +in the approved mode + +- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also +adds algorithms which are necessary for TLS protocol support and initializes +the SSL library. + +To explicitely put the library to the approved mode the application can call +the following function: + +- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch +the library from the non-approved to the approved mode. If any of the selftests +and integrity verification tests fail, the library is put into the error state +and 0 is returned. If they succeed the return value is 1. + +To query the module whether it is in the approved mode or not: + +- int FIPS_mode(void) - returns 1 if the module is in the approved mode, +0 otherwise. + +To query whether the module is in the error state: + +- int FIPS_selftest_failed(void) - returns 1 if the module is in the error +state, 0 otherwise. diff --git a/openssl-0.9.8a-defaults.patch b/openssl-0.9.8a-defaults.patch index 391d117..6c9d5a4 100644 --- a/openssl-0.9.8a-defaults.patch +++ b/openssl-0.9.8a-defaults.patch @@ -1,6 +1,7 @@ --- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200 +++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100 -@@ -99,7 +99,8 @@ +@@ -98,7 +98,8 @@ + #################################################################### [ req ] -default_bits = 1024