Checking whether FIPS mode is enabled in openssl-1.0.2
2023-09-22
CodingCode
- Command line
$ openssl version
OpenSSL 1.0.2k-fips DD Mon YYYY
- Checking a digest algorithm
MD5 is not a FIPS-approved algorithm, so with FIPS mode enabled a call to md5 should fail with an error.
$ openssl md5 <<< "12345"
Error setting digest md5
140127617550224:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
Conversely, if the command runs successfully, FIPS mode is not enabled.
$ openssl md5 <<< "12345"
(stdin)= d577273ff885c3f84dadb8578bb41399
For example, in my environment:
$ openssl md5 <<< "12345"
(stdin)= d577273ff885c3f84dadb8578bb41399
$ OPENSSL_FIPS=1 openssl md5 <<< "12345"
Error setting digest md5
140687972132752:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
This shows that the library supports FIPS, but it has to be enabled with OPENSSL_FIPS=1.
- Inspecting the library's symbol table
$ ldd $(which openssl)
...
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f40c894f000)
...
$ readelf --symbols /lib64/libcrypto.so.10 | grep FIPS_
<many FIPS_-related functions are listed>
- Checking from a program
$ cat check_fips_openssl102.c
#include <stdio.h>
#include <string.h>
#include <openssl/crypto.h>   /* FIPS_mode(), FIPS_mode_set() */
#include <openssl/err.h>

int main(void) {
    /* Either FIPS mode is already on, or we can switch it on: both mean the
     * installed libcrypto was built with FIPS support. */
    if (FIPS_mode() || FIPS_mode_set(1)) {
        printf("Installed library has FIPS support\n");
        return 0;
    }
    const char *err_str = ERR_error_string(ERR_get_error(), 0);
    printf("Failed to enable FIPS mode, %s\n", err_str);
    /* 0F06D065 is the packed code for CRYPTO_R_FIPS_MODE_NOT_SUPPORTED,
     * i.e. FIPS_mode_set failed because the library is not FIPS-capable. */
    if (strstr(err_str, "0F06D065")) {
        printf("Installed library does not have FIPS support\n");
    }
    return 0;
}
$ gcc check_fips_openssl102.c -lssl -lcrypto
$ ./a.out
Installed library has FIPS support
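The check above recognises the failure by substring-matching the hex code 0F06D065. The following is an added example (not the author's code) that decodes the two error codes seen in this article into their library, function and reason fields using the same bit layout as OpenSSL 1.0.2's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros, so the classification works on the fields rather than the printed hex. It assumes the numeric constants from the OpenSSL 1.0.2 headers and needs no OpenSSL installation to compile; the two input lines are constructed from the outputs shown above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit layout of a packed OpenSSL 1.0.2 error code (as in <openssl/err.h>):
 * bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason. */
#define ERR_GET_LIB(l)    ((int)(((l) >> 24L) & 0xffL))
#define ERR_GET_FUNC(l)   ((int)(((l) >> 12L) & 0xfffL))
#define ERR_GET_REASON(l) ((int)((l) & 0xfffL))

/* Numeric values as defined in the OpenSSL 1.0.2 headers (assumed here). */
#define ERR_LIB_EVP                        6
#define ERR_LIB_CRYPTO                    15
#define EVP_R_DISABLED_FOR_FIPS          163
#define CRYPTO_R_FIPS_MODE_NOT_SUPPORTED 101

/* Pull the hex code out of a line such as
 * "140127617550224:error:060800A3:digital envelope routines:..."; 0 if none. */
unsigned long parse_openssl_error_code(const char *line)
{
    const char *p = strstr(line, "error:");
    return p ? strtoul(p + strlen("error:"), NULL, 16) : 0;
}

/* Hypothetical classifier: decide what a failure means for FIPS status by
 * comparing the library and reason fields instead of the printed hex. */
const char *classify_fips_error(unsigned long err)
{
    int lib = ERR_GET_LIB(err), reason = ERR_GET_REASON(err);
    if (lib == ERR_LIB_EVP && reason == EVP_R_DISABLED_FOR_FIPS)
        return "FIPS mode is enabled: non-approved algorithm blocked";
    if (lib == ERR_LIB_CRYPTO && reason == CRYPTO_R_FIPS_MODE_NOT_SUPPORTED)
        return "library built without FIPS support";
    return "unrelated error";
}

int main(void)
{
    /* Constructed sample lines modelled on the outputs shown in this article. */
    const char *samples[] = {
        "140127617550224:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:",
        "Failed to enable FIPS mode, error:0F06D065:lib(15):func(109):reason(101)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long err = parse_openssl_error_code(samples[i]);
        printf("%08lX lib=%d func=%d reason=%d -> %s\n", err, ERR_GET_LIB(err),
               ERR_GET_FUNC(err), ERR_GET_REASON(err), classify_fips_error(err));
    }
    return 0;
}
```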
- Appendix: how to find the location of openssl.cnf
$ openssl version -d
OPENSSLDIR: "/path/to/somewhere"