From 25e601445ae244ed623b2f5d6b28788488d87663 Mon Sep 17 00:00:00 2001
From: Shane Lontis
Date: Mon, 19 Aug 2019 09:18:33 +1000
Subject: Add fips provider code for handling self test data

More PRs related to self test will be derived from this PR.

Note: the code removed in core_get_params() was causing a freeze since the fips module was being loaded from a config file, which then called core_get_params() which then tried to init the config file again...

Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/9596)
---
 doc/man5/config.pod | 2 +-
 doc/man5/fips_config.pod | 71 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 doc/man5/fips_config.pod

(limited to 'doc/man5')

diff --git a/doc/man5/config.pod b/doc/man5/config.pod index cac4ef6742..deed6d9e16 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -504,7 +504,7 @@ file. =head1 SEE ALSO -L, L, L +L, L, L, L =head1 COPYRIGHT diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod new file mode 100644 index 0000000000..7f08fd06ff --- /dev/null +++ b/doc/man5/fips_config.pod 
@@ -0,0 +1,71 @@ +=pod + +=head1 NAME + +OPENSSL FIPS CONFIGURATION + +=head1 DESCRIPTION + +A separate configuration file containing data related to FIPS 'self tests' is +written to during installation time. +This data is used for 2 purposes when the fips module is loaded: + +=over 4 + +=item - Verify the module's checksum each time the fips module loads. + +=item - Run the startup FIPS self test KATS (known answer tests). +This only needs to be run once during installation. + +=back + +The supported options are: + +=over 4 + +=item B + +The calculated MAC of the module file + +=item B + +A version number for the fips install process. Should be 1. + +=item B + +The install status indicator description that will be verified. +If this field is not present the FIPS self tests will run when the fips module +loads. +This value should only be written to after the FIPS module has +successfully passed its self tests during installation. + +=item B + +The calculated MAC of the install status indicator. +It is initially empty and is written to at the same time as the install_status. + +=back + +For example: + + [fips_install] + + install-version = 1 + module-checksum = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC + install-checksum = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C + install-status = INSTALL_SELF_TEST_KATS_RUN + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut -- cgit v1.2.3
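Review bot: in the new doc/man5/fips_config.pod, the option list under "The supported options are:" does not say what the module does when a stored MAC fails to verify, nor which MAC algorithm and key produce module-checksum and install-checksum. The text only covers the case where the install status field is absent ("the FIPS self tests will run when the fips module loads"); please also state the behaviour for a value that is present but does not match its MAC, since this file is what decides whether the KATs are skipped at load. Two smaller points in the same hunk: the install-checksum description refers to "install_status" while the example uses "install-status", and the NAME section holds only a title rather than the usual "name - description" form.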