author | Shane Lontis <shane.lontis@oracle.com> | 2020-01-15 10:48:01 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2020-01-15 10:48:01 +1000 |
commit | 36fc5fc6bd5ca53fb30aabc38e3fefbab0005b2c (patch) | |
tree | 16e416a148ab7e40d416977ab971e315f7b034f1 /doc/man1 | |
parent | 76123661a1db136b9ef368dc296a628818e7a4cc (diff) |
Add FIPS Self test kats for digests
Added an API to optionally set a self test callback.
The callback has the following 2 purposes
(1) Output information about the KAT tests.
(2) Allow the ability to corrupt one of the KAT's
The fipsinstall program uses the API.
Some KATS are not included in this PR since the required functionality did not yet exist in the provider.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10374)
Diffstat (limited to 'doc/man1')
-rw-r--r-- | doc/man1/openssl-fipsinstall.pod | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod b/doc/man1/openssl-fipsinstall.pod index 44f6e0e410..7cad6091e1 100644 --- a/doc/man1/openssl-fipsinstall.pod +++ b/doc/man1/openssl-fipsinstall.pod @@ -16,6 +16,9 @@ B<openssl fipsinstall> [B<-verify>] [B<-mac_name> I<macname>] [B<-macopt> I<nm>:I<v>] +[B<-noout>] +[B<-corrupt_desc> I<selftest_description>] +[B<-corrupt_type> I<selftest_type>] =head1 DESCRIPTION @@ -106,6 +109,20 @@ C<openssl list -digest-commands>. =back +=item B<-noout> + +Disable logging of the self tests. + +=item B<-corrupt_desc> I<selftest_description> + +=item B<-corrupt_type> I<selftest_type> + +The corrupt options can be used to test failure of one or more self test(s) by +name. +Either option or both may be used to select the self test(s) to corrupt. +Refer to the entries for "st-desc" and "st-type" in L<OSSL_PROVIDER-FIPS(7)> for +values that can be used. + =back =head1 EXAMPLES @@ -123,6 +140,13 @@ Verify that the configuration file F<fips.conf> contains the correct info: -section_name fips_install -mac_name HMAC -macopt digest:SHA256 \ -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 -verify +Corrupt any self tests which have the description 'SHA1': + + openssl fipsinstall -module ./fips.so -out fips.conf -provider_name fips \ + -section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \ + -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \ + -corrupt_desc', 'SHA1' + =head1 NOTES The MAC mechanisms that are available will depend on the options @@ -132,6 +156,7 @@ The command C<openssl list -mac-algorithms> command can be used to list them. =head1 SEE ALSO L<fips_config(5)>, +L<OSSL_PROVIDER-FIPS(7)>, L<EVP_MAC(3)> =head1 COPYRIGHT |
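Review bot: In the OPTIONS hunk (@@ -106,6 +109,20 @@), the shared text for B<-corrupt_desc> and B<-corrupt_type> says self tests are selected "by name" and that "Either option or both may be used", but it never says how the two combine when both are given (must a test match both, or either one?), and "by name" does not describe selection by type. Suggest stating the matching rule explicitly and adding one sentence on what the command does once a selected test has been corrupted (exit status, and whether the output file is still written), so a reader can interpret the result of a run.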
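Review bot: In the EXAMPLES hunk (@@ -123,6 +140,13 @@), the last line of the new command reads "-corrupt_desc', 'SHA1'", which carries a stray quote and comma and is not a valid shell command line as written; it should be "-corrupt_desc SHA1". The same example also passes "-section_name fipsinstall", while the verify example visible in the context just above it uses "-section_name fips_install"; use one section name in both so the examples can be run against the same F<fips.conf>.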