A local copy of OpenSSL from GitHub

OpenSSL FIPS support
====================

This release of OpenSSL includes a cryptographic module that is intended to be
FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
A provider is essentially a dynamically loadable module which implements
cryptographic algorithms; see the [README-PROVIDERS](README-PROVIDERS.md) file
for further details.

The OpenSSL FIPS provider comes as a shared library called `fips.so` (on Unix)
or `fips.dll` (on Windows). The FIPS provider does not get built and
installed automatically. To enable it, you need to configure OpenSSL using
the `enable-fips` option.

Installing the FIPS module
==========================

If the FIPS provider is enabled, it gets installed automatically during the
normal installation process. Simply follow the normal procedure (configure,
make, make test, make install) as described in the [INSTALL](INSTALL.md) file.

For example, on Unix the final command

    $ make install

effectively executes the following install targets

    $ make install_sw
    $ make install_ssldirs
    $ make install_docs
    $ make install_fips     # for `enable-fips` only

The `install_fips` make target can also be invoked explicitly to install
the FIPS provider independently, without installing the rest of OpenSSL.

The installation of the FIPS provider consists of two steps. In the first step,
the shared library is copied to its installed location, which by default is

    /usr/local/lib/ossl-modules/fips.so                  on Unix, and
    C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll   on Windows.

In the second step, the `openssl fipsinstall` command is executed, which completes
the installation by doing the following two things:

- Runs the FIPS module self tests
- Generates the so-called FIPS module configuration file containing information
  about the module such as the self test status, and the module checksum.

The FIPS module must have the self tests run, and the FIPS module config file
output generated on every machine that it is to be used on. You must not copy
the FIPS module config file output data from one machine to another.

On Unix the `openssl fipsinstall` command will be invoked as follows by default:

    $ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so

If you configured OpenSSL to be installed to a different location, the paths will
vary accordingly. In the rare case that you need to install the fipsmodule.cnf
to a non-standard location, you can execute the `openssl fipsinstall` command manually.

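A post-install check for the procedure above, as an added example that is not part of the OpenSSL README: it uses the `-in` and `-verify` options of `openssl fipsinstall` to confirm that the configuration file matches the installed module. The function name, exit codes and the `FIPS_MODULE`/`FIPS_CONF` variables are assumptions of this example; the default paths are the Unix ones quoted above.

```shell
# Added example (not from the OpenSSL README): post-install check of the FIPS provider.
# Defaults are the Unix paths quoted in this README; override them for other prefixes.
FIPS_MODULE="${FIPS_MODULE:-/usr/local/lib/ossl-modules/fips.so}"
FIPS_CONF="${FIPS_CONF:-/usr/local/ssl/fipsmodule.cnf}"

# check_fips_install MODULE CONF   (hypothetical helper name)
# Exit codes (chosen for this example):
#   0  the config file verifies against the module
#   2  the module or the config file is missing or empty
#   3  verification failed, so the config must be regenerated on this machine
check_fips_install() {
    module="$1"
    conf="$2"

    [ -r "$module" ] || { echo "missing FIPS module: $module" >&2; return 2; }
    [ -s "$conf" ]   || { echo "missing or empty config: $conf" >&2; return 2; }

    # With -verify, fipsinstall checks that the input config file contains the
    # correct information for this module instead of writing a new file.
    if openssl fipsinstall -in "$conf" -module "$module" -verify >/dev/null 2>&1; then
        return 0
    fi

    echo "FIPS config does not verify against $module" >&2
    echo "regenerate it locally, do not copy it from another machine:" >&2
    echo "  openssl fipsinstall -out $conf -module $module" >&2
    return 3
}

# Usage: check_fips_install "$FIPS_MODULE" "$FIPS_CONF"
```
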
Using the FIPS Module in applications
=====================================

Documentation about using the FIPS module is available on the [fips_module(7)]
manual page.

[fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html