- 命令行
$ openssl version
OpenSSL 1.0.2k-fips DD Mon YYYY
- 检查加密算法
因为MD5已经被FIPS不支持了,所以如果调用md5应该报错。
$ openssl md5 <<< "12345"
Error setting digest md5
140127617550224:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
反之如果正确执行,说明fips没有enable。
$ openssl md5 <<< "12345"
(stdin)= d577273ff885c3f84dadb8578bb41399
例如在我的环境里:
$ openssl md5 <<< "12345"
(stdin)= d577273ff885c3f84dadb8578bb41399
$ OPENSSL_FIPS=1 openssl md5 <<< "12345"
Error setting digest md5
140687972132752:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
说明FIPS是支持的,但是需要OPENSSL_FIPS=1来enable.
- 查看lib的符号表
$ ldd $(which openssl)
...
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f40c894f000)
...
$ readelf --symbols /lib64/libcrypto.so.10 | grep FIPS_
<there are many FIPS_ related functions support>
- 程序判断
$ cat check_fips_openssl102.c
#include <openssl/err.h>
#include <string.h>
int main() {
if (FIPS_mode() || FIPS_mode_set(1)) {
printf("Installed library has FIPS support\n");
return 0;
}
const char* err_str = ERR_error_string(ERR_get_error(), 0);
printf("Failed to enable FIPS mode, %s\n", err_str);
if (strstr(err_str, "0F06D065")) {
printf("Installed library does not have FIPS support\n");
}
return 0;
}
$ gcc check_fips_openssl102.c -lssl -lcrypto
$ ./a.out
Installed library has FIPS support
- 附录,如何查看openssl.conf的位置
$ openssl version -d
OPENSSLDIR: "/path/to/somewhere"
网友评论