Utilities from the general purpose cryptography library with TLS implementation
Go to file
2024-12-06 16:37:58 +03:00
.fmf Add TMT interoperability tests & rewrite python STI test to TMT 2023-05-23 17:51:57 +02:00
plans configure basic gating on RHEL-10 2024-07-01 14:15:53 +00:00
.gitignore Rebase to OpenSSL 3.2.2. 2024-06-05 18:56:27 +02:00
0001-Aarch64-and-ppc64le-use-lib64.patch Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
0002-Use-more-general-default-values-in-openssl.cnf.patch Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
0003-Do-not-install-html-docs.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0004-Override-default-paths-for-the-CA-directory-tree.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0005-apps-ca-fix-md-option-help-text.patch Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
0006-Disable-signature-verification-with-totally-unsafe-h.patch Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Resolve SAST package scan results 2024-08-14 19:25:12 +02:00
0008-Add-FIPS_mode-compatibility-macro.patch Adding changes to patch files from source-git sync 2023-07-31 10:04:55 +02:00
0009-Add-Kernel-FIPS-mode-flag-support.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0010-Add-changes-to-ectest-and-eccurve.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0011-Remove-EC-curves.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0012-Disable-explicit-ec.patch Adding changes to patch files from source-git sync 2023-07-31 10:04:55 +02:00
0013-skipped-tests-EC-curves.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0024-load-legacy-prov.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0025-for-tests.patch Sync with RHEL - applying patches 2022-09-02 16:20:26 +02:00
0032-Force-fips.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0033-FIPS-embed-hmac.patch Rebase to OpenSSL 3.2.2. 2024-06-05 18:56:27 +02:00
0034.fipsinstall_disable.patch Adding changes to patch files from source-git sync 2023-07-31 10:04:55 +02:00
0035-speed-skip-unavailable-dgst.patch Adding changes to patch files from source-git sync 2023-07-31 10:04:55 +02:00
0044-FIPS-140-3-keychecks.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0045-FIPS-services-minimize.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0047-FIPS-early-KATS.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0049-Allow-disabling-of-SHA1-signatures.patch SHA-1 signature shouldn't work in normal mode 2024-07-10 11:43:37 +02:00
0056-strcasecmp.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0058-FIPS-limit-rsa-encrypt.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Rebase to upstream release 3.1.1 2023-07-28 15:26:00 +02:00
0062-fips-Expose-a-FIPS-indicator.patch Rebase to upstream release 3.1.1 2023-07-28 15:26:00 +02:00
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0075-FIPS-Use-FFDHE2048-in-self-test.patch Sync with RHEL - applying patches 2022-09-02 16:20:26 +02:00
0076-FIPS-140-3-DRBG.patch Rebase to OpenSSL 3.2.2. 2024-06-05 18:56:27 +02:00
0077-FIPS-140-3-zeroization.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0078-KDF-Add-FIPS-indicators.patch Rebase to OpenSSL 3.2.2. 2024-06-05 18:56:27 +02:00
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0085-FIPS-RSA-disable-shake.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0088-signature-Add-indicator-for-PSS-salt-length.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0091-FIPS-RSA-encapsulate.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0114-FIPS-enforce-EMS-support.patch Rebase to new upstream release 3.2.1 2024-02-08 13:42:51 +01:00
0115-skip-quic-pairwise.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0116-version-aliasing.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0117-ignore-unknown-sigalgorithms-groups.patch Rebase to OpenSSL 3.2.2. 2024-06-05 18:56:27 +02:00
0121-FIPS-cms-defaults.patch Synchronize patches from c9s and Fedora 2024-06-05 09:32:43 +02:00
0122-TMP-KTLS-test-skip.patch Enable KTLS, temporary disable KTLS tests 2024-08-14 13:03:42 +02:00
0123-kdf-Preserve-backward-compatibility-with-older-provi.patch Replace HKDF backward compatibility patch with the official one 2024-07-01 09:36:26 +09:00
0124-PBMAC1-PKCS12-FIPS-support.patch An interface to create PKCS #12 files in FIPS compliant way 2024-08-09 13:27:18 +00:00
0125-PBMAC1-PKCS12-FIPS-default.patch Use PBMAC1 by default when creating PKCS#12 files in FIPS mode 2024-08-14 11:36:06 +02:00
0126-pkeyutl-encap.patch Support key encapsulation/decapsulation in openssl pkeyutl command 2024-08-14 11:43:38 +02:00
0127-speedup-SSL_add_cert_subjects_to_stack.patch Speedup SSL_add_{file,dir}_cert_subjects_to_stack 2024-08-14 13:03:42 +02:00
0128-SAST-findings.patch Resolve SAST package scan results 2024-08-14 19:25:12 +02:00
0129-Fix-SSL_select_next_proto.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0131-Use-correctly-formatted-ALPN-data-in-tserver.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0132-Clarify-the-SSL_select_next_proto-documentation.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0133-Add-a-test-for-SSL_select_next_proto.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0136-Add-ALPN-validation-in-the-client.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0138-Add-a-test-for-an-empty-NextProto-message.patch Fix CVE-2024-5535 2024-08-21 17:09:28 +02:00
0139-CVE-2024-6119.patch Fix CVE-2024-6119: Possible denial of service in X.509 name checks 2024-09-04 11:47:44 +02:00
ci.fmf Add TMT interoperability tests & rewrite python STI test to TMT 2023-05-23 17:51:57 +02:00
configuration-prefix.h Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
configuration-switch.h Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
fixpatch New upstream release from the 1.0.1 branch, ABI compatible 2012-02-07 13:46:42 +01:00
gating.yaml Fix the gating test names 2024-08-07 15:40:45 +02:00
genpatches Rebase to upstream version 3.0.0 2021-09-09 17:27:21 +02:00
make-dummy-cert - abort if selftests failed and random number generator is polled 2009-06-30 11:17:45 +00:00
Makefile.certificate Makefile.certificate should not set serial to 0 by default 2015-12-04 14:36:15 +01:00
openssl.rpmlintrc Silence rpmlint false positives 2022-04-07 18:14:35 +02:00
openssl.spec Merge branch 'c10s' into a10s 2024-12-06 16:37:58 +03:00
opensslconf-new-warning.h auto-import openssl-0.9.7a-34 from openssl-0.9.7a-34.src.rpm 2004-09-09 09:49:16 +00:00
opensslconf-new.h minor upstream release 1.0.2f fixing security issues 2016-01-28 17:12:09 +01:00
README.FIPS update to upstream version 1.1.0b 2016-10-11 10:31:54 +02:00
renew-dummy-cert renew-dummy-cert: Fix long serial number renewal problem. 2018-05-04 09:17:27 +02:00
sources Rebase to OpenSSL 3.2.2. 2024-06-05 18:56:27 +02:00

User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
=================================================================

This package contains libraries which comprise the FIPS 140-2
Red Hat Enterprise Linux - OPENSSL Module.

The module files
================
/usr/lib[64]/libcrypto.so.1.1.0
/usr/lib[64]/libssl.so.1.1.0
/usr/lib[64]/.libcrypto.so.1.1.0.hmac
/usr/lib[64]/.libssl.so.1.1.0.hmac

Dependencies
============

The approved mode of operation requires kernel with /dev/urandom RNG running
with properties as defined in the security policy of the module. This is
provided by kernel packages with validated Red Hat Enterprise Linux Kernel
Crytographic Module.

Installation
============

The RPM package of the module can be installed by standard tools recommended
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
rpm, RHN remote management tool).

The RPM package dracut-fips must be installed for the approved mode of
operation.

Usage and API
=============

The module respects kernel command line FIPS setting. If the kernel command
line contains option fips=1 the module will initialize in the FIPS approved
mode of operation automatically. To allow for the automatic initialization the
application using the module has to call one of the following API calls:

- void OPENSSL_init_library(void) - this will do only a basic initialization
of the library and does initialization of the FIPS approved mode without setting
up EVP API with supported algorithms.

- void OPENSSL_add_all_algorithms(void) - this API function calls
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
in the approved mode 

- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
adds algorithms which are necessary for TLS protocol support and initializes
the SSL library.

To explicitely put the library to the approved mode the application can call
the following function:

- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
the library from the non-approved to the approved mode. If any of the selftests
and integrity verification tests fail, the library is put into the error state
and 0 is returned. If they succeed the return value is 1.

To query the module whether it is in the approved mode or not:

- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
0 otherwise.

To query whether the module is in the error state:

- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
state, 0 otherwise.

To zeroize the FIPS RNG key and internal state the application calls:

- void RAND_cleanup(void)