
I am confused by RHEL8. It reports:

# openssl
OpenSSL> version
OpenSSL 1.1.1g FIPS  21 Apr 2020
OpenSSL> exit
# find / -name fipscanister*.*

My system reports to be running a FIPS compliant OpenSSL, but I do not find a FIPS canister on the system ... I inspected the ISO (rhel-8.4-x86_64-dvd.iso), there is in BaseOS/Packages: openssl-devel-1.1.1g-15.el8_3.x86_64.rpm, but also this does not contain a FIPS canister ...

What needs to be done to have a fipscanister lib on the system?

BR, Rene

René Heuven

1 Answer


I assume you mean fipscanister.o (the object file where the FIPS algorithms are compiled in). You won't find it, as it was linked in libcrypto.so*.

According to [OpenSSL]: UserGuide-2.0.pdf - User Guide for the OpenSSL FIPS Object Module v2.0 (emphasis is mine):

Note that except in the most unusual circumstances the FIPS Object Module itself (fipscanister.o) is not linked directly with application code. Instead the FIPS Object Module is embedded in the OpenSSL libcrypto library (libcrypto.a/libcrypto.so) which is then referenced in the usual way by the application code. That combination is known as a "FIPS capable" OpenSSL library and is discussed in more detail in section 2.5.

Check [SO]: OpenSSL FIPS_mode_set not working in Python cryptography library (@CristiFati's answer) for (some interesting) details.

Here's some sample output (environment left from [SO]: How to compile python3 on RHEL with SSL? SSL cannot be imported (@CristiFati's answer)):

[root@cfati-5510-0:/work/q069539286]> python
Python 2.7.5 (default, Nov 16 2020, 22:23:17) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes as ct
>>> 
>>> lcr = ct.CDLL("openssl-1.1.1g/lib/libcrypto.so")  # Load a library
>>> lcr.FIPS_mode()  # Call a function exported by it (for demo purposes only; do not use it like this in production)
0
CristiFati
  • How to know the version of the FIPS Object Module embedded in the OpenSSL libcrypto.so? – René Heuven Nov 10 '21 at 12:46
  • Hmm, unfortunately I am not aware of that info. But depending on where you got the FIPS capable OpenSSL version, they should have it documented. Most likely it's 2.0. – CristiFati Nov 10 '21 at 13:45
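
The check from the answer above, extended into a small probe (an added example, not part of the original question or answer): it loads libcrypto with ctypes as the answer does, reads the build string that showed "FIPS" in the question, and calls FIPS_mode() only if the library exports it. The helper names and the use of the Linux kernel flag /proc/sys/crypto/fips_enabled are assumptions of this example.

```python
import ctypes
import ctypes.util
import re

KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # assumption: Linux kernel FIPS switch


def version_has_fips_tag(version_text):
    """True if the build string carries a 'fips' token, as in the question's output."""
    return re.search(r"\bfips\b", version_text, re.IGNORECASE) is not None


def probe_libcrypto(lib):
    """Report version text, FIPS tag and FIPS_mode() state for a loaded libcrypto."""
    info = {"version": None, "fips_tag": False, "fips_mode": None}
    # OpenSSL_version() exists from 1.1.0 on, SSLeay_version() before that.
    for name in ("OpenSSL_version", "SSLeay_version"):
        fn = getattr(lib, name, None)
        if fn is not None:
            fn.restype = ctypes.c_char_p
            fn.argtypes = [ctypes.c_int]
            info["version"] = fn(0).decode("ascii", "replace")  # 0 selects the version text
            info["fips_tag"] = version_has_fips_tag(info["version"])
            break
    # FIPS_mode is not exported by every libcrypto, so look it up defensively.
    fips_mode = getattr(lib, "FIPS_mode", None)
    if fips_mode is not None:
        fips_mode.restype = ctypes.c_int
        fips_mode.argtypes = []
        info["fips_mode"] = int(fips_mode())
    return info


def kernel_fips_enabled(path=KERNEL_FIPS_FLAG):
    """True/False from the kernel flag, None when the file is missing or unreadable."""
    try:
        with open(path) as handle:
            return handle.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    found = ctypes.util.find_library("crypto")  # system libcrypto, if any
    if found is None:
        print("libcrypto not found")
    else:
        print(probe_libcrypto(ctypes.CDLL(found)))
        print("kernel FIPS flag:", kernel_fips_enabled())
```

A "FIPS" tag in the build string together with FIPS_mode() returning 0, as in both outputs on this page, means the library is FIPS capable but the process is not currently running in FIPS mode.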