# OpenSSL FIPS on Fedora

## The detailed info of the OpenSSL RPM

```
$ rpm -q openssl
openssl-3.0.8-1.fc37.x86_64
```

```
$ which openssl
/bin/openssl
```

You can check the compiler and the flags the package was built with.

```
$ openssl version -a
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
built on: Thu Feb 9 00:00:00 2023 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3ffffebffff:0x29c67af
```

## Differences of OpenSSL FIPS between the upstream and Fedora

There are many downstream-specific patch files in the openssl RPM package of Fedora.
### OPENSSL_FORCE_FIPS_MODE environment variable

One Fedora downstream-specific feature is the environment variable `OPENSSL_FORCE_FIPS_MODE`, which enables FIPS mode in a non-FIPS environment. The feature is managed in [this patch](https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch). According to [this Bugzilla ticket](https://bugzilla.redhat.com/show_bug.cgi?id=2196876), the environment variable may work with the openssl RPM package >= openssl-3.0.5-3.fc38 in Fedora 38.

In the non-FIPS environment, you can see the result with the command below.

```
# fips-mode-setup --check
FIPS mode is disabled.
Initramfs fips module is disabled.
The current crypto policy (DEFAULT) neither is the FIPS policy nor is based on the FIPS policy.
```

You can test it by running the test program `fips_mode.c` from <https://github.com/junaruga/openssl-test>.

```
$ git clone https://github.com/junaruga/openssl-test.git
$ cd openssl-test
$ gcc -o fips_mode fips_mode.c -lcrypto
```

```
$ ./fips_mode
Loaded providers: default
FIPS mode enabled: 0
$ OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode
Loaded providers: default fips base
FIPS mode enabled: 1
```