fipsinstall: add -self_test_oninstall option.

This option runs the self tests at installation time.  It fails for the 3.1
module.

Also changed the default behaviour to that set by the -self_test_onload
option.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)

1 files changed, 14 insertions, 0 deletions

diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 97e2ae910c..af18f361e6 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -22,6 +22,7 @@ B<openssl fipsinstall>
 [B<-no_conditional_errors>]
 [B<-no_security_checks>]
 [B<-self_test_onload>]
+[B<-self_test_oninstall>]
 [B<-corrupt_desc> I<selftest_description>]
 [B<-corrupt_type> I<selftest_type>]
 [B<-config> I<parent_config>]
@@ -174,6 +175,14 @@ target machine. Once the self tests have run on the target machine the user
 could possibly then add the 2 fields into the configuration using some other
 mechanism.
 
+This is the default.
+
+=item B<-self_test_oninstall>
+
+The converse of B<-self_test_oninstall>.  The two fields related to the
+"test status indicator" and "MAC status indicator" are written to the
+output configuration file.
+
 =item B<-quiet>
 
 Do not output pass/fail messages. Implies B<-noout>.
@@ -209,6 +218,11 @@ test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignore
 For normal usage the base configuration file should use the default provider
 when generating the fips configuration file.
 
+The B<-self_test_oninstall> option was added and the
+B<-self_test_onload> option was made the default in OpenSSL 3.1.
+
+The command and all remaining options were added in OpenSSL 3.0.
+
 =head1 EXAMPLES
 
 Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test