Utilities from the general purpose cryptography library with TLS implementation
Go to file
Tomas Mraz 0376d8368c new upstream release 1.0.1g
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
- fail on hmac integrity check if the .hmac file is empty
2014-05-07 11:42:32 +02:00
.gitignore new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
ec_curve.c add back support for secp521r1 EC curve 2013-11-08 18:16:49 +01:00
ectest.c add back support for secp521r1 EC curve 2013-11-08 18:23:00 +01:00
fixpatch New upstream release from the 1.0.1 branch, ABI compatible 2012-02-07 13:46:42 +01:00
hobble-openssl only ECC NIST Suite B curves support 2013-10-16 14:37:51 +02:00
make-dummy-cert - abort if selftests failed and random number generator is polled 2009-06-30 11:17:45 +00:00
Makefile.certificate make expiration and key length changeable by DAYS and KEYLEN 2014-02-06 18:07:59 +01:00
openssl-0.9.6-x509.patch auto-import openssl-0.9.6b-18 from openssl-0.9.6b-18.src.rpm 2004-09-09 09:41:24 +00:00
openssl-0.9.8a-no-rpath.patch - don't set -rpath for openssl binary 2005-11-16 21:45:59 +00:00
openssl-0.9.8b-test-use-localhost.patch - use localhost in testsuite, hopefully fixes slow build in koji 2007-08-03 12:16:54 +00:00
openssl-0.9.8j-version-add-engines.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-1.0.0-beta4-ca-dir.patch - update to new upstream version, no soname bump needed 2009-11-12 15:51:40 +00:00
openssl-1.0.0-beta5-enginesdir.patch - new upstream release 2010-01-21 08:12:12 +00:00
openssl-1.0.0-beta5-readme-warning.patch - new upstream release 2010-01-21 08:12:12 +00:00
openssl-1.0.0-timezone.patch - set UTC timezone on pod2man run (#578842) 2010-04-06 14:35:57 +00:00
openssl-1.0.0c-fips-md5-allow.patch - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 2011-02-04 15:14:18 +01:00
openssl-1.0.0c-rsa-x931.patch - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 2011-02-04 15:14:18 +01:00
openssl-1.0.0d-apps-dgst.patch clarify apps help texts for available digest algorithms (#693858) 2011-04-05 21:24:01 +02:00
openssl-1.0.0d-xmpp-starttls.patch correct openssl cms help output (#636266) 2011-07-26 13:02:17 +02:00
openssl-1.0.0e-chil-fixes.patch fix missing initialization of variable in CHIL engine 2011-09-21 17:34:13 +02:00
openssl-1.0.0e-doc-noeof.patch New upstream release from the 1.0.1 branch, ABI compatible 2012-02-07 13:46:42 +01:00
openssl-1.0.1-beta2-dtls1-abi.patch New upstream release from the 1.0.1 branch, ABI compatible 2012-02-07 13:46:42 +01:00
openssl-1.0.1-beta2-fips-md5-allow.patch New upstream release from the 1.0.1 branch, ABI compatible 2012-02-07 13:46:42 +01:00
openssl-1.0.1-beta2-padlock64.patch New upstream release from the 1.0.1 branch, ABI compatible 2012-02-07 13:46:42 +01:00
openssl-1.0.1-beta2-rpmbuild.patch add back support for secp521r1 EC curve 2013-11-08 18:16:49 +01:00
openssl-1.0.1-pkgconfig-krb5.patch add Kerberos 5 libraries to pkgconfig for static linking (#807050) 2012-04-11 16:33:03 +02:00
openssl-1.0.1a-algo-doc.patch new upstream version fixing CVE-2012-2110 2012-04-20 12:24:39 +02:00
openssl-1.0.1c-aliasing.patch do not move libcrypto to /lib 2012-07-13 14:23:34 +02:00
openssl-1.0.1c-default-paths.patch s_time uses tm_ctx. 2012-12-07 10:01:17 +01:00
openssl-1.0.1c-dh-1024.patch use 1024 bit DH parameters in s_server as 512 bit is not allowed 2012-11-15 21:11:36 +01:00
openssl-1.0.1c-ipv6-apps.patch fix s_server with new glibc when no global IPv6 address (#839031) 2012-07-12 00:05:11 +02:00
openssl-1.0.1c-perlfind.patch Make it build with new Perl 2012-07-12 00:35:57 +02:00
openssl-1.0.1e-arm-use-elf-auxv-caps.patch arm: use auxv to figure out armcap.c instead of using signals (#1006474) 2013-09-11 10:36:42 -04:00
openssl-1.0.1e-compat-symbols.patch drop weak ciphers from the default TLS ciphersuite list 2013-12-18 15:55:26 +01:00
openssl-1.0.1e-defaults.patch make expiration and key length changeable by DAYS and KEYLEN 2014-02-06 18:07:59 +01:00
openssl-1.0.1e-ecc-suiteb.patch add back support for secp521r1 EC curve 2013-11-08 18:16:49 +01:00
openssl-1.0.1e-enc-fail.patch properly detect encryption failure in BIO 2014-03-17 17:22:08 +01:00
openssl-1.0.1e-env-zlib.patch disable ZLIB loading by default (due to CRIME attack) 2013-02-19 16:41:14 +01:00
openssl-1.0.1e-ephemeral-key-size.patch print ephemeral key size negotiated in TLS handshake (#1057715) 2014-02-12 16:20:03 +01:00
openssl-1.0.1e-fips-ctor.patch only ECC NIST Suite B curves support 2013-10-16 14:37:51 +02:00
openssl-1.0.1e-fips-ec.patch add back support for secp521r1 EC curve 2013-11-08 18:16:49 +01:00
openssl-1.0.1e-issuer-hash.patch new upstream version 2013-02-19 13:57:39 +01:00
openssl-1.0.1e-manfix.patch Add documentation of -attime to verify manpage 2013-09-12 11:26:07 +02:00
openssl-1.0.1e-no-md5-verify.patch disable verification of certificate, CRL, and OCSP signatures using MD5 2013-11-13 20:06:28 +01:00
openssl-1.0.1e-ppc64le-target.patch add support for ppc64le architecture (#1072633) 2014-04-03 16:24:35 +02:00
openssl-1.0.1e-secure-getenv.patch new upstream version 2013-02-19 13:57:39 +01:00
openssl-1.0.1e-ssl2-no-ec.patch new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
openssl-1.0.1e-trusted-first.patch fix use of rdrand if available 2013-08-16 16:06:51 +02:00
openssl-1.0.1e-version.patch use symbol versioning also for the textual version 2013-07-26 13:16:10 +02:00
openssl-1.0.1e-weak-ciphers.patch drop weak ciphers from the default TLS ciphersuite list 2013-12-18 15:55:26 +01:00
openssl-1.0.1g-3des-strength.patch new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
openssl-1.0.1g-fips.patch new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
openssl-1.0.1g-new-fips-reqs.patch new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
openssl-1.0.1g-ssl-op-all.patch new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
openssl-fips.conf add -fips subpackage that contains the FIPS module files 2013-08-27 16:03:43 +02:00
openssl-thread-test.c - new upstream version 2005-11-08 13:52:29 +00:00
openssl.spec new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00
opensslconf-new-warning.h auto-import openssl-0.9.7a-34 from openssl-0.9.7a-34.src.rpm 2004-09-09 09:49:16 +00:00
opensslconf-new.h add support for ppc64le architecture (#1072633) 2014-04-03 16:24:35 +02:00
README.FIPS Remove obsolete sentence. 2014-02-13 16:17:58 +01:00
renew-dummy-cert add script for renewal of a self-signed cert by Philip Prindeville (#871566) 2012-12-21 17:21:50 +01:00
sources new upstream release 1.0.1g 2014-05-07 11:42:32 +02:00

User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
=================================================================

This package contains libraries which comprise the FIPS 140-2
Red Hat Enterprise Linux - OPENSSL Module.

The module files
================
/usr/lib[64]/libcrypto.so.1.0.1e
/usr/lib[64]/libssl.so.1.0.1e
/usr/lib[64]/.libcrypto.so.1.0.1e.hmac
/usr/lib[64]/.libssl.so.1.0.1e.hmac

Dependencies
============

The approved mode of operation requires kernel with /dev/urandom RNG running
with properties as defined in the security policy of the module. This is
provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
Crytographic Module.

Installation
============

The RPM package of the module can be installed by standard tools recommended
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
rpm, RHN remote management tool).

For proper operation of the in-module integrity verification the prelink has to
be disabled. This can be done with setting PRELINKING=no in the
/etc/sysconfig/prelink configuration file. If the libraries were already
prelinked the prelink should be undone on all the system files with the
'prelink -u -a' command.

Usage and API
=============

The module respects kernel command line FIPS setting. If the kernel command
line contains option fips=1 the module will initialize in the FIPS approved
mode of operation automatically. To allow for the automatic initialization the
application using the module has to call one of the following API calls:

- void OPENSSL_init_library(void) - this will do only a basic initialization
of the library and does initialization of the FIPS approved mode without setting
up EVP API with supported algorithms.

- void OPENSSL_add_all_algorithms(void) - this API function calls
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
in the approved mode 

- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
adds algorithms which are necessary for TLS protocol support and initializes
the SSL library.

To explicitely put the library to the approved mode the application can call
the following function:

- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
the library from the non-approved to the approved mode. If any of the selftests
and integrity verification tests fail, the library is put into the error state
and 0 is returned. If they succeed the return value is 1.

To query the module whether it is in the approved mode or not:

- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
0 otherwise.

To query whether the module is in the error state:

- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
state, 0 otherwise.

To zeroize the FIPS RNG key and internal state the application calls:

- void RAND_cleanup(void)