author | Pauli <pauli@openssl.org> | 2023-02-27 10:14:43 +1100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-03-01 09:17:02 +1100 |
commit | 97b926c852ae92b7669e31adc0cc3aef25287c05 (patch) | |
tree | 047797aa147e533471e5db479e6c1f2b2ef7b34f | |
parent | cdcb9c76bddc36ace7d06bf0a97935f2ff1b67a8 (diff) |
Update FIPS provider documentation to note that fips=yes is mandatory
This was in the notes section but an earlier comment about it not being
mandatory was missed.
Fixes #20376
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20382)
(cherry picked from commit 0a81220a01e888c3ee4ab18dfdcab6472d9e214c)
-rw-r--r-- | doc/man7/OSSL_PROVIDER-FIPS.pod | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 4301db657d..691f36a357 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -29,14 +29,17 @@ L<EVP_MD_fetch(3)> or L<EVP_CIPHER_fetch(3)>, as well as with other functions that take a property query string, such as L<EVP_PKEY_CTX_new_from_name(3)>. -It isn't mandatory to query for any of these properties, except to -make sure to get implementations of this provider and none other. - -The C<fips=yes> property can be use to make sure only FIPS approved -implementations are used for crypto operations. This may also include -other non-crypto support operations that are not in the FIPS provider, -such as asymmetric key encoders, -see L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>. +To be FIPS compliant, it is mandatory to include C<fips=yes> as +part of all property queries. This ensures that only FIPS approved +implementations are used for cryptographic operations. The C<fips=yes> +query may also include other non-crypto support operations that +are not in the FIPS provider, such as asymmetric key encoders, see +L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>. + +It is not mandatory to include C<provider=fips> as part of your property +query. Including C<provider=fips> in your property query guarantees +that the OpenSSL FIPS provider is used for cryptographic operations +rather than other FIPS capable providers. =head1 OPERATIONS AND ALGORITHMS |
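Review bot: In the first added paragraph, the sentence "The C<fips=yes> query may also include other non-crypto support operations that are not in the FIPS provider" reads as if the query itself contains operations. The point a reader needs is that a C<fips=yes> query can also match implementations that live outside the FIPS provider, which matters when deciding whether C<fips=yes> alone confines an application to this provider. Suggest something like "A C<fips=yes> query may also match non-cryptographic support operations that are not in the FIPS provider, such as asymmetric key encoders; see L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>", which also removes the comma splice before "see". With that wording the second added paragraph follows directly as the way to restrict fetches to this provider with C<provider=fips>. Minor style: "FIPS approved" and "FIPS capable" are compound modifiers and would read better hyphenated.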