QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-17 03:49:40 +00:00
Code Issues Projects Releases Wiki Activity

Revise fips_config.pod

Browse Source 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11369)
This commit is contained in:
Rich Salz 2020-03-19 10:19:41 -04:00 committed by Tomas Mraz
parent fe92150d69
commit ca17a6ec56
1 changed files with 25 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
doc/man5/fips_config.pod
View File

@ -6,26 +6,36 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION =head1 DESCRIPTION
A separate configuration file containing data related to FIPS 'self tests' is A separate configuration file, using the OpenSSL L<config(5)> syntax,
written to during installation time. is used to hold information about the FIPS module. This includes a digest
This data is used for 2 purposes when the fips module is loaded: of the shared library file, and status about the self-testing.
This data is used automatically by the module itself for two
purposes:
=over 4 =over 4
=item - Verify the module's checksum each time the fips module loads. =item - Run the startup FIPS self-test known answer tests (KATS).
=item - Run the startup FIPS self test KATS (known answer tests). This is done once, at installation time.
This only needs to be run once during installation.
=item - Verify the module's checksum.
This is done each time the module is used.
=back =back
The supported options are: This file is generated by the L<openssl-fipsinstall(1)> program, and
used internally by the FIPS module during its initialization.
The following options are supported. They should all appear in a section
whose name is identified by the B<fips> option in the B<providers>
section, as desribed in L<config(5)/Provider Configuration Module>.
=over 4 =over 4
=item B<module-checksum> =item B<module-checksum>
The calculated MAC of the module file The calculated digest of the module file.
=item B<install-version> =item B<install-version>
@ -33,23 +43,23 @@ A version number for the fips install process. Should be 1.
=item B<install-status> =item B<install-status>
The install status indicator description that will be verified. An indicator that the self-tests were run.
If this field is not present the FIPS self tests will run when the fips module This should only be written after the module has
loads.
This value should only be written to after the FIPS module has
successfully passed its self tests during installation. successfully passed its self tests during installation.
If this field is not present, then the self tests will run when the module
loads.
=item B<install-checksum> =item B<install-checksum>
The calculated MAC of the install status indicator. A MAC on the value of the B<install-status> option, to prevent accidental
It is initially empty and is written to at the same time as the install_status. changes to that value.
It is written-to at the same time as B<install-status> is updated.
=back =back
For example: For example:
[fips_install] [fips_install]
install-version = 1 install-version = 1
module-checksum = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC module-checksum = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
install-checksum = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C install-checksum = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C