author | Shane Lontis <shane.lontis@oracle.com> | 2019-08-19 09:18:33 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2019-08-19 09:18:33 +1000 |
commit | 25e601445ae244ed623b2f5d6b28788488d87663 (patch) | |
tree | fe5c8cc5d0d9e828de208626a316e922dec258ff /doc/man5 | |
parent | 5e0d9c861bc44070c61b9b109884dc8aa5e2e8d1 (diff) |
Add fips provider code for handling self test data
More PR's related to self test will be derived from this PR.
Note: the code removed in core_get_params() was causing a freeze since the
fips module was being loaded from a config file, which then called core_get_params()
which then tried to init the config file again...
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9596)
Diffstat (limited to 'doc/man5')
-rw-r--r-- | doc/man5/config.pod | 2 | ||||
-rw-r--r-- | doc/man5/fips_config.pod | 71 |
2 files changed, 72 insertions, 1 deletions
diff --git a/doc/man5/config.pod b/doc/man5/config.pod index cac4ef6742..deed6d9e16 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -504,7 +504,7 @@ file. =head1 SEE ALSO -L<x509(1)>, L<req(1)>, L<ca(1)> +L<x509(1)>, L<req(1)>, L<ca(1)>, L<fips_config(5)> =head1 COPYRIGHT diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod new file mode 100644 index 0000000000..7f08fd06ff --- /dev/null +++ b/doc/man5/fips_config.pod 
@@ -0,0 +1,71 @@ +=pod + +=head1 NAME + +OPENSSL FIPS CONFIGURATION + +=head1 DESCRIPTION + +A separate configuration file containing data related to FIPS 'self tests' is +written to during installation time. +This data is used for 2 purposes when the fips module is loaded: + +=over 4 + +=item - Verify the module's checksum each time the fips module loads. + +=item - Run the startup FIPS self test KATS (known answer tests). +This only needs to be run once during installation. + +=back + +The supported options are: + +=over 4 + +=item B<module-checksum> + +The calculated MAC of the module file + +=item B<install-version> + +A version number for the fips install process. Should be 1. + +=item B<install-status> + +The install status indicator description that will be verified. +If this field is not present the FIPS self tests will run when the fips module +loads. +This value should only be written to after the FIPS module has +successfully passed its self tests during installation. + +=item B<install-checksum> + +The calculated MAC of the install status indicator. +It is initially empty and is written to at the same time as the install_status. + +=back + +For example: + + [fips_install] + + install-version = 1 + module-checksum = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC + install-checksum = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C + install-status = INSTALL_SELF_TEST_KATS_RUN + +=head1 SEE ALSO + +L<config(5)> + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut |
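Review bot: In the new doc/man5/fips_config.pod, the B<module-checksum> and B<install-checksum> items say only "The calculated MAC" without naming the MAC algorithm or the key it is computed with, and both example values are 15 bytes long, so a reader cannot tell what a valid value looks like or how to check one. Please state the algorithm and either show full-length values or mark the example as truncated. The page should also say what the module does when either MAC fails to verify on load, since only the case where install-status is absent is described. Smaller points in the same hunk: the B<install-checksum> text refers to "install_status" with an underscore while the option is documented as B<install-status>; the second DESCRIPTION bullet is listed as something done "when the fips module is loaded" but then says it "only needs to be run once during installation", which reads as a contradiction and would be clearer if it said the KATs are skipped on load once a verified install-status is present; and the NAME section does not follow the usual "fips_config - description" form used by other man pages.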