summaryrefslogtreecommitdiff
path: root/openssl-freefilesync/README.FIPS
diff options
context:
space:
mode:
Diffstat (limited to 'openssl-freefilesync/README.FIPS')
-rw-r--r--openssl-freefilesync/README.FIPS72
1 files changed, 72 insertions, 0 deletions
diff --git a/openssl-freefilesync/README.FIPS b/openssl-freefilesync/README.FIPS
new file mode 100644
index 0000000..a36c547
--- /dev/null
+++ b/openssl-freefilesync/README.FIPS
@@ -0,0 +1,72 @@
+User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
+=================================================================
+
+This package contains libraries which comprise the FIPS 140-2
+Red Hat Enterprise Linux - OPENSSL Module.
+
+The module files
+================
+/usr/lib[64]/libcrypto.so.1.1.0
+/usr/lib[64]/libssl.so.1.1.0
+/usr/lib[64]/.libcrypto.so.1.1.0.hmac
+/usr/lib[64]/.libssl.so.1.1.0.hmac
+
+Dependencies
+============
+
+The approved mode of operation requires kernel with /dev/urandom RNG running
+with properties as defined in the security policy of the module. This is
+provided by kernel packages with validated Red Hat Enterprise Linux Kernel
+Crytographic Module.
+
+Installation
+============
+
+The RPM package of the module can be installed by standard tools recommended
+for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
+rpm, RHN remote management tool).
+
+The RPM package dracut-fips must be installed for the approved mode of
+operation.
+
+Usage and API
+=============
+
+The module respects kernel command line FIPS setting. If the kernel command
+line contains option fips=1 the module will initialize in the FIPS approved
+mode of operation automatically. To allow for the automatic initialization the
+application using the module has to call one of the following API calls:
+
+- void OPENSSL_init_library(void) - this will do only a basic initialization
+of the library and does initialization of the FIPS approved mode without setting
+up EVP API with supported algorithms.
+
+- void OPENSSL_add_all_algorithms(void) - this API function calls
+OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
+in the approved mode
+
+- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
+adds algorithms which are necessary for TLS protocol support and initializes
+the SSL library.
+
+To explicitely put the library to the approved mode the application can call
+the following function:
+
+- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
+the library from the non-approved to the approved mode. If any of the selftests
+and integrity verification tests fail, the library is put into the error state
+and 0 is returned. If they succeed the return value is 1.
+
+To query the module whether it is in the approved mode or not:
+
+- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
+0 otherwise.
+
+To query whether the module is in the error state:
+
+- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
+state, 0 otherwise.
+
+To zeroize the FIPS RNG key and internal state the application calls:
+
+- void RAND_cleanup(void)
bgstack15