Utilities from the general purpose cryptography library with TLS implementation
2009-08-20 14:18:42 +00:00
.cvsignore - update to new upstream release (minor bug fixes, security fixes and 2009-03-25 21:12:41 +00:00
hobble-openssl - new upstream version 2005-11-08 13:52:29 +00:00
make-dummy-cert - abort if selftests failed and random number generator is polled 2009-06-30 11:17:45 +00:00
Makefile makefile update to properly grab makefile.common 2007-10-15 19:12:21 +00:00
Makefile.certificate - abort if selftests failed and random number generator is polled 2009-06-30 11:17:45 +00:00
openssl-0.9.6-x509.patch auto-import openssl-0.9.6b-18 from openssl-0.9.6b-18.src.rpm 2004-09-09 09:41:24 +00:00
openssl-0.9.8a-defaults.patch - abort if selftests failed and random number generator is polled 2009-06-30 14:20:37 +00:00
openssl-0.9.8a-enginesdir.patch - new upstream version 2005-11-08 13:52:29 +00:00
openssl-0.9.8a-link-krb5.patch - new upstream version 2005-11-08 13:52:29 +00:00
openssl-0.9.8a-no-rpath.patch - don't set -rpath for openssl binary 2005-11-16 21:45:59 +00:00
openssl-0.9.8a-reuse-cipher-change.patch - don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG in SSL_OP_ALL 2005-12-15 10:45:33 +00:00
openssl-0.9.8b-aliasing-bug.patch - aliasing bug in engine loading, patch by IBM (#213216) 2006-11-02 21:16:00 +00:00
openssl-0.9.8b-test-use-localhost.patch - use localhost in testsuite, hopefully fixes slow build in koji 2007-08-03 12:16:54 +00:00
openssl-0.9.8g-default-paths.patch - set default paths when no explicit paths are set (#418771) 2007-12-13 17:16:43 +00:00
openssl-0.9.8g-ia64.patch - rediff for no fuzz 2008-08-10 20:36:12 +00:00
openssl-0.9.8g-ipv6-apps.patch - update to latest upstream release, SONAME bumped to 7 2007-12-03 14:24:08 +00:00
openssl-0.9.8g-no-extssl.patch - do not add tls extensions to server hello for SSLv3 either 2008-08-10 19:45:27 +00:00
openssl-0.9.8j-bad-mime.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-ca-dir.patch - abort if selftests failed and random number generator is polled 2009-06-30 11:17:45 +00:00
openssl-0.9.8j-eap-fast.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-enginesdir.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-env-nozlib.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-fips-no-pairwise.patch - no pairwise key tests in non-fips mode (#479817) 2009-01-17 19:31:29 +00:00
openssl-0.9.8j-nocanister.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-readme-warning.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-redhat.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-soversion.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8j-version-add-engines.patch - new upstream version with necessary soname bump (#455753) 2009-01-15 09:10:25 +00:00
openssl-0.9.8k-algo-doc.patch - abort if selftests failed and random number generator is polled 2009-07-01 09:52:07 +00:00
openssl-0.9.8k-dtls-compat.patch - support compatibility DTLS mode for CISCO AnyConnect (#464629) 2009-04-21 10:05:11 +00:00
openssl-0.9.8k-dtls-dos.patch - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 (DTLS DoS problems) 2009-05-21 16:30:42 +00:00
openssl-0.9.8k-fips-rng-seed.patch - abort if selftests failed and random number generator is polled 2009-06-30 11:17:45 +00:00
openssl-0.9.8k-fipscheck-hmac.patch - update to new upstream release (minor bug fixes, security fixes and 2009-03-25 21:12:41 +00:00
openssl-0.9.8k-kernel-fipsmode.patch - add support for multiple CRLs with same subject 2009-04-15 14:36:54 +00:00
openssl-0.9.8k-multi-crl.patch - add support for multiple CRLs with same subject 2009-04-15 14:36:54 +00:00
openssl-0.9.8k-shlib-version.patch - correct the SHLIB_VERSION define 2009-04-17 16:13:51 +00:00
openssl-0.9.8k-use-fipscheck.patch - update to new upstream release (minor bug fixes, security fixes and 2009-03-25 21:12:41 +00:00
openssl-0.9.8k-x509-name-cmp.patch - update to new upstream release (minor bug fixes, security fixes and 2009-03-25 21:12:41 +00:00
openssl-thread-test.c - new upstream version 2005-11-08 13:52:29 +00:00
openssl.spec - update to new major upstream release 2009-08-20 14:18:42 +00:00
opensslconf-new-warning.h auto-import openssl-0.9.7a-34 from openssl-0.9.7a-34.src.rpm 2004-09-09 09:49:16 +00:00
opensslconf-new.h sparc handling 2008-05-20 15:16:15 +00:00
README.FIPS - abort if selftests failed and random number generator is polled 2009-06-30 14:20:37 +00:00
sources - update to new upstream release (minor bug fixes, security fixes and 2009-03-25 21:12:41 +00:00

User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
=================================================================

This package contains libraries which comprise the FIPS 140-2
Red Hat Enterprise Linux - OPENSSL Module.

The module files
================
/lib[64]/libcrypto.so.0.9.8e
/lib[64]/libssl.so.0.9.8e
/lib[64]/.libcrypto.so.0.9.8e.hmac
/lib[64]/.libssl.so.0.9.8e.hmac

Dependencies
============

The approved mode of operation requires a kernel with a /dev/urandom RNG running
with the properties defined in the security policy of the module. This is
provided by kernel packages with the validated Red Hat Enterprise Linux - IPSec
Cryptographic Module.

Installation
============

The RPM package of the module can be installed with the standard tools
recommended for installing RPM packages on a Red Hat Enterprise Linux system
(yum, rpm, the RHN remote management tool).

For the in-module integrity verification to work, prelink has to be disabled.
This is done by setting PRELINKING=no in the /etc/sysconfig/prelink
configuration file. If the libraries were already prelinked, prelinking should
be undone on all system files with the 'prelink -u -a' command.

Usage and API
=============

The module respects the kernel command line FIPS setting. If the kernel command
line contains the option fips=1, the module initializes in the FIPS approved
mode of operation automatically. For this automatic initialization to happen,
the application using the module has to call one of the following API calls:

- void OPENSSL_init(void) - performs only a basic initialization of the
library and initializes the FIPS approved mode without adding the supported
algorithms to the EVP API.

- void OPENSSL_add_all_algorithms(void) - calls OPENSSL_init() implicitly and
also adds all approved algorithms to the EVP API when in the approved mode.

- void SSL_library_init(void) - calls OPENSSL_init() implicitly, adds the
algorithms necessary for TLS protocol support and initializes the SSL
library.

To explicitly put the library into the approved mode the application can call
the following function:

- int FIPS_mode_set(int on) - if called with 1 as the parameter it switches
the library from the non-approved to the approved mode. If any of the selftests
or the integrity verification fails, the library is put into the error state
and 0 is returned. If they succeed, the return value is 1.

To query whether the module is in the approved mode:

- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
0 otherwise.

To query whether the module is in the error state:

- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
state, 0 otherwise.
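The initialization sequence described above, as an added example that is not
part of the package or of this README (the helper names classify_fips and
require_fips_mode are this example's own): an application requests the approved
mode with FIPS_mode_set(1), then confirms the outcome with FIPS_mode() and
FIPS_selftest_failed() before using the library for any cryptography, and
treats the error state as fatal. The three entry points are resolved from
libcrypto with dlsym; that is an assumption made here so the program builds
even where the FIPS-capable headers are not installed. The default library name
is the module file listed at the top of this guide.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Outcome of an attempt to bring the module into the approved mode. */
enum fips_status {
    FIPS_STATUS_APPROVED,     /* FIPS_mode_set(1) returned 1 and FIPS_mode() reports 1 */
    FIPS_STATUS_ERROR_STATE,  /* selftests or integrity verification failed */
    FIPS_STATUS_NOT_APPROVED, /* library usable, but the approved mode was not entered */
    FIPS_STATUS_UNAVAILABLE   /* libcrypto or its FIPS entry points could not be found */
};

/* Signatures of the three API calls documented in README.FIPS. */
typedef int (*fips_mode_set_fn)(int on);
typedef int (*fips_mode_fn)(void);
typedef int (*fips_selftest_failed_fn)(void);

/* Pure decision logic, kept apart from the library so it can be checked
 * against the return values the README documents:
 *   set_rc          - what FIPS_mode_set(1) returned (1 ok, 0 failed)
 *   mode            - what FIPS_mode() returned afterwards
 *   selftest_failed - what FIPS_selftest_failed() returned */
enum fips_status classify_fips(int set_rc, int mode, int selftest_failed)
{
    if (selftest_failed)
        return FIPS_STATUS_ERROR_STATE;   /* module must not be used for crypto */
    if (set_rc == 1 && mode == 1)
        return FIPS_STATUS_APPROVED;
    return FIPS_STATUS_NOT_APPROVED;
}

/* Hypothetical helper (not part of the module): resolve the entry points from
 * libcrypto at run time, then request the approved mode and classify the result.
 * Resolving via dlsym is this example's choice so that it builds even where
 * the FIPS-capable headers are not installed. */
enum fips_status require_fips_mode(const char *libcrypto_path)
{
    void *lib = dlopen(libcrypto_path, RTLD_NOW);
    if (lib == NULL)
        return FIPS_STATUS_UNAVAILABLE;

    fips_mode_set_fn        mode_set        = (fips_mode_set_fn)dlsym(lib, "FIPS_mode_set");
    fips_mode_fn            mode            = (fips_mode_fn)dlsym(lib, "FIPS_mode");
    fips_selftest_failed_fn selftest_failed = (fips_selftest_failed_fn)dlsym(lib, "FIPS_selftest_failed");
    if (mode_set == NULL || mode == NULL || selftest_failed == NULL) {
        dlclose(lib);
        return FIPS_STATUS_UNAVAILABLE;   /* not a FIPS-capable build of libcrypto */
    }

    int set_rc = mode_set(1);             /* runs the selftests and the integrity check */
    /* The library stays mapped: a caller that gets APPROVED keeps using it, and
     * unloading a module that is in the error state changes nothing. */
    return classify_fips(set_rc, mode(), selftest_failed());
}

int main(int argc, char **argv)
{
    /* Default is the module file named in "The module files" above. */
    const char *path = argc > 1 ? argv[1] : "libcrypto.so.0.9.8e";
    static const char *names[] = { "approved", "error state", "not approved", "unavailable" };
    enum fips_status st = require_fips_mode(path);
    printf("%s: %s\n", path, names[st]);
    /* Only the approved outcome is acceptable for an application that must run in FIPS mode. */
    return st == FIPS_STATUS_APPROVED ? 0 : 1;
}
```

Usage: build with the C compiler and run it with the path of the module's
libcrypto as the only argument; the exit status is 0 only when the approved
mode was entered and the module is not in the error state.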