7.4.2 Using the OpenSSL FIPS Object Module

The software described in this documentation is either in Extended Support or Sustaining Support. See http://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information. Oracle recommends that you upgrade the software described by this documentation as soon as possible.

If the kernel command line specifies a fips=1 entry, the value of /proc/sys/crypto/fips_enabled is set to 1, which causes the OpenSSL library module to initialize the FIPS-approved mode of operation automatically. To support automatic initialization, an application that uses the module must call one of the following routines; an application that calls none of them is not switched into approved mode by the kernel setting:

void OPENSSL_add_all_algorithms(void)
Calls OPENSSL_init() implicitly and adds all approved algorithms to the EVP API in FIPS-approved mode.

void OPENSSL_init_library(void)
Performs basic initialization of the library and initializes FIPS-approved mode without setting up the EVP API with the supported algorithms.

void SSL_library_init(void)
Calls OPENSSL_init() implicitly, adds the algorithms that are required for TLS protocol support, and initializes the SSL library.

To put the library into FIPS-approved mode explicitly, an application can call the int FIPS_mode_set(int on) function. If the value of on is 1, the library switches from non-approved to approved mode. If any self test or integrity verification test fails, the library is put into the error state and the function returns 0; in the error state the module refuses all further cryptographic operations, and the reason for the failure is left on the OpenSSL error queue (for example, retrieve it with ERR_get_error()). If the tests succeed, the function returns 1. If the value of on is 0, the library switches to non-approved mode. Alternatively, the application can call OPENSSL_config(const char *config_name) to enable FIPS mode by reading the alg_section that is defined for the config_name entry in the standard configuration file (openssl.cnf), for example:

[ config_name ]
alg_section = algsec
...
[ algsec ]
fips_mode = yes

OPENSSL_config() does not return a value. If there is an error in the configuration, the function writes a message to standard error and forces the application to exit. To retain control over error handling, an application can call the CONF_modules_load_file() function instead; it returns 1 on success and zero or a negative value on failure, leaving the details on the OpenSSL error queue.

An application can use the following functions to query the OpenSSL library module:

int FIPS_mode(void)
Returns 1 if the module is in FIPS-approved mode; otherwise it returns 0.

int FIPS_selftest_failed(void)
Returns 1 if the module is in the error state; otherwise it returns 0.

To set the FIPS random number generator key and internal state to zero, an application can call the void RAND_cleanup(void) function.
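
The following program is an added example; it is not part of the Oracle documentation or of the OpenSSL distribution. It drives the calls described above in the order an application would use them: FIPS_mode() to see whether the fips=1 path already put the module into approved mode, FIPS_mode_set(1) to enter it explicitly, and FIPS_selftest_failed() to tell a module in the error state apart from a plain refusal, reading the reason from the OpenSSL error queue. libcrypto is loaded with dlopen() rather than linked at build time, so the same binary also reports cleanly on a host whose libcrypto is not FIPS-capable or no longer exports these functions (OpenSSL 3 removed FIPS_mode() and FIPS_mode_set()). The enum, the struct and the list of candidate sonames are this example's own; only the function names are OpenSSL's.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Outcome of probing one libcrypto for the OpenSSL 1.0.x FIPS Object Module API. */
enum fips_probe_result {
    FIPS_PROBE_NO_LIBRARY = 0, /* none of the candidate libcrypto names could be loaded */
    FIPS_PROBE_NO_FIPS_API,    /* loaded, but FIPS_mode()/FIPS_mode_set() are not exported */
    FIPS_PROBE_ERROR_STATE,    /* FIPS_mode_set(1) failed and FIPS_selftest_failed() is 1 */
    FIPS_PROBE_NOT_APPROVED,   /* FIPS_mode_set(1) refused without entering the error state */
    FIPS_PROBE_APPROVED        /* module is in FIPS-approved mode */
};

struct fips_probe {
    enum fips_probe_result result;
    int already_enabled; /* FIPS_mode() was already 1 before this program touched it (fips=1 path) */
    char detail[256];    /* library that was loaded, dlopen error, or first OpenSSL error string */
};

typedef int (*int_fn)(void);
typedef int (*set_fn)(int);
typedef unsigned long (*err_get_fn)(void);
typedef void (*err_str_fn)(unsigned long, char *, size_t);
typedef void (*void_fn)(void);

/* Candidate sonames (this example's own list): OpenSSL 1.0.x on Oracle Linux 6/7
 * ships libcrypto.so.10; the others cover other distributions and versions. */
static const char *const default_libcrypto_names[] = {
    "libcrypto.so.10", "libcrypto.so.1.0.0", "libcrypto.so.1.1", "libcrypto.so.3",
    "libcrypto.so", NULL
};

int fips_probe_libcrypto(const char *const names[], struct fips_probe *p)
{
    void *h = NULL;
    memset(p, 0, sizeof *p);

    for (size_t i = 0; names[i] && !h; i++) {
        h = dlopen(names[i], RTLD_NOW | RTLD_LOCAL);
        if (h)
            snprintf(p->detail, sizeof p->detail, "loaded %s", names[i]);
    }
    if (!h) {
        const char *e = dlerror();
        snprintf(p->detail, sizeof p->detail, "%s", e ? e : "dlopen failed");
        return p->result = FIPS_PROBE_NO_LIBRARY;
    }

    int_fn     fips_mode       = (int_fn)dlsym(h, "FIPS_mode");
    set_fn     fips_mode_set   = (set_fn)dlsym(h, "FIPS_mode_set");
    int_fn     selftest_failed = (int_fn)dlsym(h, "FIPS_selftest_failed");
    err_get_fn err_get         = (err_get_fn)dlsym(h, "ERR_get_error");
    err_str_fn err_str         = (err_str_fn)dlsym(h, "ERR_error_string_n");
    void_fn    load_strings    = (void_fn)dlsym(h, "ERR_load_crypto_strings");

    if (!fips_mode || !fips_mode_set) {
        /* A libcrypto without the 1.0.x FIPS API (OpenSSL 3.x dropped both functions). */
        p->result = FIPS_PROBE_NO_FIPS_API;
    } else if ((p->already_enabled = fips_mode()) || fips_mode_set(1)) {
        /* Either kernel fips=1 plus OPENSSL_init() already did it, or the self tests passed now. */
        p->result = FIPS_PROBE_APPROVED;
    } else {
        /* FIPS_mode_set(1) returned 0: distinguish a module in the error state (self-test
         * or integrity failure; all cryptographic calls now fail) from a plain refusal. */
        p->result = (selftest_failed && selftest_failed()) ? FIPS_PROBE_ERROR_STATE
                                                           : FIPS_PROBE_NOT_APPROVED;
        if (err_get && err_str) {
            if (load_strings)
                load_strings(); /* human-readable reason instead of a bare error code */
            unsigned long e = err_get();
            if (e)
                err_str(e, p->detail, sizeof p->detail);
        }
    }
    dlclose(h);
    return p->result;
}

const char *fips_probe_result_name(enum fips_probe_result r)
{
    static const char *const names[] = {
        "no libcrypto found", "libcrypto has no FIPS API",
        "FIPS module in error state", "FIPS mode not enabled", "FIPS-approved mode"
    };
    return (unsigned)r <= FIPS_PROBE_APPROVED ? names[r] : "?";
}

/* Probe a single library name; convenient for scripting and for the checks below. */
int fips_probe_result_for(const char *libname)
{
    const char *const names[] = { libname, NULL };
    struct fips_probe p;
    return fips_probe_libcrypto(names, &p);
}

int main(void)
{
    struct fips_probe p;
    int r = fips_probe_libcrypto(default_libcrypto_names, &p);
    printf("%s (already enabled before this run: %s)\n  %s\n",
           fips_probe_result_name(p.result), p.already_enabled ? "yes" : "no", p.detail);
    return r == FIPS_PROBE_APPROVED ? 0 : 1;
}
```

Build with cc -o fips_probe fips_probe.c (add -ldl on glibc older than 2.34) and run it on the host whose FIPS state you want to confirm. A result of "FIPS module in error state" means the self tests or the integrity check of the module failed, and no application on that host should be trusted to perform approved cryptography until the cause (typically a missing or mismatched .hmac fingerprint file or a corrupted library) is fixed.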

Note: If you set the value of the OPENSSL_FIPS environment variable to 1, the openssl binary that is included in the openssl-fips-1.0.1* package, and which has been built using the FIPS-compliant OpenSSL library, uses only FIPS 140-2 approved algorithms. The value of OPENSSL_FIPS has no effect on the FIPS mode of the system. Do not assume that the value of OPENSSL_FIPS has any effect on other applications that use the FIPS-compliant OpenSSL library. For more information about using the OpenSSL library with FIPS, see http://www.openssl.org/docs/fips/UserGuide-2.0.pdf.
