Using libica in FIPS mode
To be compliant to the Federal Information Processing Standards (FIPS), an application must adhere to the various data security and computer system requirements outlined in the FIPS standards created by the National Institute of Standards and Technology (NIST).
Out of a multitude of FIPS standards, the FIPS 140 regulations govern the use of cryptographic services. They require that all cryptographic processing performed by US government personnel must be completed using hardware or software that have been independently tested and certified by NIST, to meet the extensive requirements of these FIPS 140 regulations.
Therefore, if you enable the so-called FIPS mode during libica configuration in whatever environment, libica runs according to the highest applied FIPS level, even if not certified in the current environment.
The FIPS 140-1 document was issued in 1994 and withdrawn May 2002. libica version 4.1 is compliant to FIPS 140-3 with documented restrictions. libica versions in the range 3.0 - 4.0 are compliant to FIPS 140-2.
When running in FIPS mode, only cryptographic algorithms approved by the National Institute of Standards and Technology (NIST) can be used.
Also, when running in FIPS mode, an initial integrity check on the libica library file libica.so is performed by calculating an HMAC from that file contents using a HMAC key. This key is specified at two places: in the makefile and in the code (fips.c). At runtime, the HMAC (calculated with the key from fips.c) is then compared with the HMAC (pre-calculated with the key from the makefile) in an existing HMAC file. If the pre-calculated HMAC value is different to the calculated one, an error occurs and any cryptographic operation is blocked. Check your libica installation and ensure that the correct libica.hmac file is installed in the same directory as libica.so. The library and its default distribution location is /usr/lib64/libica.so.
In libica version 3.7, an HMAC file was optional. If no HMAC file was present, libica.so could be used without any integrity check performed. Starting with libica version 3.8, a HMAC file is always provided (by default or by the distribution) and the integrity check is always performed.
For information on how to enable or disable the FIPS mode for libica, see Enabling libica for FIPS mode.
The icainfo output indicates whether libica has built-in FIPS support, whether it is running in FIPS mode, and whether it is in an error state. Algorithms that are not FIPS approved are marked as blocked when running in FIPS mode. All algorithms are marked as blocked when libica is in an error state.
Compile option NO_FIPS_CONFIG_LOAD
The compile option NO_FIPS_CONFIG_LOAD allows to skip the loading and reading of the FIPS configuration of OpenSSL 3.0 or later. Distributions must decide whether to use this compile option to adjust the behavior to their needs.
Environment variable LIBICA_FIPS_FLAG
Use this environment variable to allow to run libica tests in active FIPS mode on systems that are not running in FIPS mode (for example, when the kernel FIPS flag is off). Setting this variable to LIBICA_FIPS_FLAG=1 overrides the kernel’s FIPS indication and puts libica into active FIPS mode. Other values than 1 are ignored. In such cases, the FIPS test is skipped, because it would fail due to this discrepancy.