
OpenSSL FIPS on Fedora

Detailed information about the OpenSSL RPM

$ rpm -q openssl
openssl-3.0.8-1.fc37.x86_64
$ which openssl
/bin/openssl

You can check the compiler and the flags used to build it.

$ openssl version -a
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
built on: Thu Feb  9 00:00:00 2023 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3ffffebffff:0x29c67af

Differences of OpenSSL FIPS between the upstream and Fedora

There are many downstream-specific patch files in the openssl RPM package of Fedora.

OPENSSL_FORCE_FIPS_MODE environment variable

One Fedora downstream-specific feature is the environment variable OPENSSL_FORCE_FIPS_MODE, which enables FIPS mode in a non-FIPS environment. The feature is managed in this patch. According to this Bugzilla ticket, the environment variable may work with the openssl RPM package >= openssl-3.0.5-3.fc38 in Fedora 38.

In a non-FIPS environment, you can see the result with the command below.

# fips-mode-setup --check
FIPS mode is disabled.
Initramfs fips module is disabled.
The current crypto policy (DEFAULT) neither is the FIPS policy nor is based on the FIPS policy.

You can test it by running the test program fips_mode.c from https://github.com/junaruga/openssl-test.

$ git clone https://github.com/junaruga/openssl-test.git

$ cd openssl-test

$ gcc -lcrypto -o fips_mode fips_mode.c
$ ./fips_mode
Loaded providers:
  default
FIPS mode enabled: 0

$ OPENSSL_FORCE_FIPS_MODE=1 ./fips_mode
Loaded providers:
  default
  fips
  base
FIPS mode enabled: 1