openssl-1.0.2: checking whether FIPS is enabled

Author: CodingCode | Published 2023-09-22 20:41
    1. Command line

    A FIPS-capable build reports a "-fips" suffix in its version string:

    $ openssl version
    OpenSSL 1.0.2k-fips  DD Mon YYYY
    
    2. Check a non-approved algorithm

    MD5 is not a FIPS-approved digest, so with FIPS mode active a call to md5 must fail:

    $ openssl md5 <<< "12345"
    Error setting digest md5
    140127617550224:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
    

    Conversely, if the command succeeds, FIPS mode is not enabled:

    $ openssl md5 <<< "12345"
    (stdin)= d577273ff885c3f84dadb8578bb41399
    

    For example, in my environment:

    $ openssl md5 <<< "12345"
    (stdin)= d577273ff885c3f84dadb8578bb41399
    
    $ OPENSSL_FIPS=1 openssl md5 <<< "12345"
    Error setting digest md5
    140687972132752:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
    

    This shows that the build supports FIPS, but the environment variable OPENSSL_FIPS=1 is needed to enable it.

    3. Inspect the library's symbol table

    Find the libcrypto the openssl binary is linked against, then look for FIPS_-prefixed symbols in it:

    $ ldd $(which openssl)
    ...
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f40c894f000)
    ...
    
    $ readelf --symbols /lib64/libcrypto.so.10 | grep FIPS_
    <many FIPS_-prefixed functions are listed>
    
    4. Check from a program

    FIPS_mode() reports whether FIPS mode is already on; FIPS_mode_set(1) tries to switch it on (running the FIPS module's self-tests). If both fail, the error code tells a build without FIPS support apart from any other failure.

    $ cat check_fips_openssl102.c
    #include <stdio.h>           /* printf */
    #include <string.h>          /* strstr */
    #include <openssl/crypto.h>  /* FIPS_mode, FIPS_mode_set */
    #include <openssl/err.h>     /* ERR_get_error, ERR_error_string */
    
    int main(void) {
      /* already in FIPS mode, or able to switch it on: FIPS support is present */
      if (FIPS_mode() || FIPS_mode_set(1)) {
        printf("Installed library has FIPS support\n");
        return 0;
      }
    
      /* NULL buffer: ERR_error_string returns a static buffer */
      const char* err_str = ERR_error_string(ERR_get_error(), 0);
      printf("Failed to enable FIPS mode, %s\n", err_str);
      /* 0F06D065: ERR_LIB_CRYPTO / FIPS_mode_set / fips mode not supported */
      if (strstr(err_str, "0F06D065")) {
        printf("Installed library does not have FIPS support\n");
      }
    
      return 0;
    }
    
    $ gcc check_fips_openssl102.c -lssl -lcrypto
    $ ./a.out
    Installed library has FIPS support
    
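The two error codes this post relies on (060800A3 from the refused md5 call in section 2, and 0F06D065 that the program in section 4 searches for) are packed OpenSSL error codes, so they can be decoded into library, function and reason fields instead of being matched as strings. The following is an added example, not code from the original post: it re-implements the bit layout of the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros and the relevant OpenSSL 1.0.2 constants (ERR_LIB_EVP=6, ERR_LIB_CRYPTO=15, EVP_F_EVP_DIGESTINIT_EX=128, EVP_R_DISABLED_FOR_FIPS=163, CRYPTO_F_FIPS_MODE_SET=109, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED=101). Those values are assumed from the 1.0.2 headers so that the file builds without OpenSSL installed; the sample lines are constructed, the first copied from the post's output and the second made up to carry the 0F06D065 code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bit layout of a packed OpenSSL 1.0.2 error code, as in the ERR_GET_LIB /
 * ERR_GET_FUNC / ERR_GET_REASON macros of <openssl/err.h>:
 *   bits 31..24 library, bits 23..12 function, bits 11..0 reason.
 * Re-implemented here so this file compiles without the OpenSSL headers.
 */
#define OSSL_ERR_LIB(e)    (((e) >> 24) & 0xffUL)
#define OSSL_ERR_FUNC(e)   (((e) >> 12) & 0xfffUL)
#define OSSL_ERR_REASON(e) ((e) & 0xfffUL)

/* Numeric values assumed from the OpenSSL 1.0.2 headers (see lead-in). */
#define LIB_EVP                     6UL   /* ERR_LIB_EVP */
#define LIB_CRYPTO                 15UL   /* ERR_LIB_CRYPTO */
#define F_EVP_DIGESTINIT_EX       128UL   /* EVP_F_EVP_DIGESTINIT_EX */
#define R_DISABLED_FOR_FIPS       163UL   /* EVP_R_DISABLED_FOR_FIPS */
#define F_FIPS_MODE_SET           109UL   /* CRYPTO_F_FIPS_MODE_SET */
#define R_FIPS_MODE_NOT_SUPPORTED 101UL   /* CRYPTO_R_FIPS_MODE_NOT_SUPPORTED */

enum fips_verdict {
    VERDICT_UNKNOWN = 0,
    VERDICT_FIPS_ENFORCED,    /* a non-approved digest was refused: FIPS mode is active */
    VERDICT_FIPS_UNSUPPORTED  /* FIPS_mode_set(1) failed: this build has no FIPS module */
};

/* Pull the 8-hex-digit code out of a line such as
 * "140127617550224:error:060800A3:digital envelope routines:...".
 * Returns 0 when the line carries no "error:<hex>:" field. */
unsigned long parse_err_code(const char *line) {
    const char *p = strstr(line, ":error:");
    if (p == NULL) return 0;
    p += strlen(":error:");
    char *end = NULL;
    unsigned long code = strtoul(p, &end, 16);
    if (end == p || *end != ':') return 0;
    return code;
}

/* Map the decoded (lib, func, reason) triple to what it says about FIPS. */
enum fips_verdict classify_err_code(unsigned long code) {
    unsigned long lib = OSSL_ERR_LIB(code);
    unsigned long func = OSSL_ERR_FUNC(code);
    unsigned long reason = OSSL_ERR_REASON(code);

    if (lib == LIB_EVP && func == F_EVP_DIGESTINIT_EX && reason == R_DISABLED_FOR_FIPS)
        return VERDICT_FIPS_ENFORCED;
    if (lib == LIB_CRYPTO && func == F_FIPS_MODE_SET && reason == R_FIPS_MODE_NOT_SUPPORTED)
        return VERDICT_FIPS_UNSUPPORTED;
    return VERDICT_UNKNOWN;
}

const char *verdict_text(enum fips_verdict v) {
    switch (v) {
    case VERDICT_FIPS_ENFORCED:    return "FIPS mode is enabled (MD5 refused)";
    case VERDICT_FIPS_UNSUPPORTED: return "library has no FIPS support";
    default:                       return "not a FIPS-related error";
    }
}

int main(void) {
    /* Constructed samples: line 1 is the post's md5 output, line 2 is made up
     * to carry the 0F06D065 code, line 3 is a successful md5 result. */
    const char *samples[] = {
        "140127617550224:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:",
        "1:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:0:",
        "(stdin)= d577273ff885c3f84dadb8578bb41399",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long code = parse_err_code(samples[i]);
        printf("code=%08lX lib=%lu func=%lu reason=%lu -> %s\n",
               code, OSSL_ERR_LIB(code), OSSL_ERR_FUNC(code), OSSL_ERR_REASON(code),
               verdict_text(classify_err_code(code)));
    }
    return 0;
}
```

Decoding the fields is more robust than strstr on the formatted string, because ERR_error_string's text (library and reason names) can differ between builds while the numeric layout does not; in a real program the same comparisons would use ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON on the value returned by ERR_get_error().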
    5. Appendix: finding the location of openssl.cnf

    The directory that holds openssl.cnf is printed by:

    $ openssl version -d
    OPENSSLDIR: "/path/to/somewhere"
    

Source: https://www.haomeiwen.com/subject/jiwtbdtx.html