RHEL8: FIPS Object Module (fipscanister) existing?

I am confused by RHEL8. It reports:

# openssl
OpenSSL> version
OpenSSL 1.1.1g FIPS  21 Apr 2020
OpenSSL> exit
# find / -name fipscanister*.*

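My system reports that it is running a FIPS-compliant OpenSSL, but I did not find the FIPS canister on the system... I checked the ISO (rhel-8.4-x86_64-dvd.iso); in BaseOS/Packages there is openssl-devel-1.1.1g-15.el8_3.x86_64.rpm, but this does not contain the FIPS canister either...

What needs to be done to get the fipscanister library installed on the system?

BR, René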

I assume you mean fipscanister.o (the object file containing the compiled FIPS algorithms). You won't find it, because it is already linked into libcrypto.so*.

According to [OpenSSL]: UserGuide-2.0.pdf - User Guide for the OpenSSL FIPS Object Module v2.0 (emphasis is mine):

Note that except in the most unusual circumstances the FIPS Object Module itself (fipscanister.o) is not linked directly with application code. Instead the FIPS Object Module is embedded in the OpenSSL libcrypto library (libcrypto.a/libcrypto.so) which is then referenced in the usual way by the application code. That combination is known as a "FIPS capable" OpenSSL library and is discussed in more detail in section 2.5.

Check for (some interesting) details.

Here is some sample output (in the environment left over from [SO]: How to compile python3 on RHEL with SSL? SSL cannot be imported (@CristiFati's answer)):

[root@cfati-5510-0:/work/q069539286]> python
Python 2.7.5 (default, Nov 16 2020, 22:23:17) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes as ct
>>> 
>>> lcr = ct.CDLL("openssl-1.1.1g/lib/libcrypto.so")  # Load a library
>>> lcr.FIPS_mode()  # Call a function exported by it (for demo purposes only, not use (like this) in production)
0
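The ctypes check from the answer above, extended into a small probe that also covers OpenSSL 3.x, where `FIPS_mode()` is no longer exported. This is an added example, not code from the original answer; the function names `probe_libcrypto` and `kernel_fips_flag` are hypothetical, and reading `/proc/sys/crypto/fips_enabled` assumes a Linux kernel that exposes that switch.

```python
import ctypes as ct
import ctypes.util

OPENSSL_VERSION = 0  # selector for OpenSSL_version(), from <openssl/crypto.h>


def probe_libcrypto(lib):
    """Ask an already loaded libcrypto (a ctypes.CDLL) about its FIPS state."""
    report = {"version": None, "api": None, "fips_enabled": None}

    ver = getattr(lib, "OpenSSL_version", None)  # exported since OpenSSL 1.1.0
    if ver is not None:
        ver.restype, ver.argtypes = ct.c_char_p, [ct.c_int]
        report["version"] = ver(OPENSSL_VERSION).decode("ascii", "replace")

    # OpenSSL 1.0.x / 1.1.1 export FIPS_mode(); OpenSSL 3.x dropped it in
    # favour of EVP_default_properties_is_fips_enabled(libctx).
    fn = getattr(lib, "FIPS_mode", None)
    if fn is not None:
        fn.restype, fn.argtypes = ct.c_int, []
        report["api"], report["fips_enabled"] = "FIPS_mode", fn() != 0
        return report
    fn = getattr(lib, "EVP_default_properties_is_fips_enabled", None)
    if fn is not None:
        fn.restype, fn.argtypes = ct.c_int, [ct.c_void_p]
        report["api"] = "EVP_default_properties_is_fips_enabled"
        report["fips_enabled"] = fn(None) == 1  # NULL = default library context
    return report


def kernel_fips_flag(path="/proc/sys/crypto/fips_enabled"):
    """Return the kernel-wide FIPS switch as a bool, or None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    name = ctypes.util.find_library("crypto")  # or pass an explicit .so path
    if name is None:
        raise SystemExit("libcrypto not found")
    print(probe_libcrypto(ct.CDLL(name)))
    print("kernel fips_enabled:", kernel_fips_flag())
```

A `fips_enabled` value of `False` with `api` set to `FIPS_mode` matches the `0` in the session above: the FIPS code is inside libcrypto, but FIPS mode is not switched on.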