Commit | Line | Data |
---|---|---|
25e60144 SL |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1b0d1bf7 | 5 | fips_config - OpenSSL FIPS configuration |
25e60144 SL |
6 | |
7 | =head1 DESCRIPTION | |
8 | ||
ca17a6ec RS |
9 | A separate configuration file, using the OpenSSL L<config(5)> syntax, |
10 | is used to hold information about the FIPS module. This includes a digest | |
11 | of the shared library file, and the status of the self-tests. | |
12 | This data is used automatically by the module itself for two | |
13 | purposes: | |
25e60144 SL |
14 | |
15 | =over 4 | |
16 | ||
ca17a6ec | 17 | =item - Run the startup FIPS self-test known answer tests (KATS). |
25e60144 | 18 | |
ca17a6ec RS |
19 | This is done once, at installation time. |
20 | ||
21 | =item - Verify the module's checksum. | |
22 | ||
23 | This is done each time the module is used. | |
25e60144 SL |
24 | |
25 | =back | |
26 | ||
ca17a6ec RS |
27 | This file is generated by the L<openssl-fipsinstall(1)> program, and |
28 | used internally by the FIPS module during its initialization. | |
29 | ||
30 | The following options are supported. They should all appear in a section | |
31 | whose name is identified by the B<fips> option in the B<providers> | |
bb361a27 | 32 | section, as described in L<config(5)/Provider Configuration Module>. |
25e60144 SL |
33 | |
34 | =over 4 | |
35 | ||
991a6bb5 | 36 | =item B<activate> |
25e60144 | 37 | |
991a6bb5 SL |
38 | If present, the module is activated. The value assigned to this name is not |
39 | significant. | |
25e60144 SL |
40 | |
41 | =item B<install-version> | |
42 | ||
43 | A version number for the FIPS install process. Should be 1. | |
44 | ||
991a6bb5 SL |
45 | =item B<conditional-errors> |
46 | ||
47 | The FIPS module normally enters an internal error mode if any self test fails. | |
48 | Once this error mode is active, no services or cryptographic algorithms are | |
49 | accessible from this point on. | |
50 | Continuous tests are a subset of the self tests (e.g., a key pair test during key | |
51 | generation, or the CRNG output test). | |
52 | Setting this value to C<0> allows the error mode to not be triggered if any | |
53 | continuous test fails. The default value of C<1> will trigger the error mode. | |
54 | Regardless of the value, the operation (e.g., key generation) that called the | |
55 | continuous test will return an error code if its continuous test fails. The | |
56 | operation may then be retried if the error mode has not been triggered. | |
57 | ||
58 | =item B<security-checks> | |
59 | ||
60 | This indicates if run-time checks related to enforcement of security parameters | |
61 | such as minimum security strength of keys and approved curve names are used. | |
62 | A value of '1' performs the checks. If the value is '0', the checks | |
63 | are not performed and FIPS compliance must be ensured by procedures documented in | |
64 | the relevant Security Policy. | |
65 | ||
66 | =item B<module-mac> | |
67 | ||
68 | The calculated MAC of the FIPS provider file. | |
69 | ||
25e60144 SL |
70 | =item B<install-status> |
71 | ||
991a6bb5 | 72 | An indicator that the self-tests were successfully run. |
ca17a6ec | 73 | This should only be written after the module has |
25e60144 | 74 | successfully passed its self tests during installation. |
ca17a6ec RS |
75 | If this field is not present, then the self tests will run when the module |
76 | loads. | |
25e60144 | 77 | |
fb420afc | 78 | =item B<install-mac> |
25e60144 | 79 | |
fb420afc | 80 | A MAC of the value of the B<install-status> option, to prevent accidental |
ca17a6ec RS |
81 | changes to that value. |
82 | It is written at the same time as B<install-status> is updated. | |
25e60144 SL |
83 | |
84 | =back | |
85 | ||
86 | For example: | |
87 | ||
9f7bdcf3 | 88 | [fips_sect] |
991a6bb5 | 89 | activate = 1 |
25e60144 | 90 | install-version = 1 |
991a6bb5 SL |
91 | conditional-errors = 1 |
92 | security-checks = 1 | |
fb420afc RS |
93 | module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC |
94 | install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C | |
25e60144 SL |
95 | install-status = INSTALL_SELF_TEST_KATS_RUN |
96 | ||
97 | =head1 SEE ALSO | |
98 | ||
99 | L<config(5)> | |
991a6bb5 | 100 | L<openssl-fipsinstall(1)> |
25e60144 SL |
101 | |
102 | =head1 COPYRIGHT | |
103 | ||
00c405b3 | 104 | Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. |
25e60144 SL |
105 | |
106 | Licensed under the Apache License 2.0 (the "License"). You may not use | |
107 | this file except in compliance with the License. You can obtain a copy | |
108 | in the file LICENSE in the source distribution or at | |
109 | L<https://www.openssl.org/source/license.html>. | |
110 | ||
111 | =cut |
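
An added example, not part of the OpenSSL documentation or code: a small Python audit of a FIPS section against the options described above. It assumes a plain file with `[section]` headers, `name = value` pairs and `#` comments only; the section name `fips_sect` and the sample MAC value are constructed.

```python
import re

# Constructed sample modelled on the example above; the MAC is a placeholder.
SAMPLE = """\
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 0
security-checks = 0
module-mac = 00:11:22:33
install-status = INSTALL_SELF_TEST_KATS_RUN
"""

def parse_section(text, section):
    """Return the name/value pairs of one [section] (no .include or $var support)."""
    opts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = m.group(1)
        elif current == section and "=" in line:
            name, value = line.split("=", 1)
            opts[name.strip()] = value.strip()
    return opts

def audit_fips_section(text, section="fips_sect"):
    """Return a list of findings for the options documented above."""
    o, findings = parse_section(text, section), []
    if "activate" not in o:
        findings.append("activate missing: module is not activated")
    if o.get("install-version") != "1":
        findings.append("install-version should be 1")
    if o.get("conditional-errors", "1") == "0":
        findings.append("conditional-errors=0: continuous test failure will not trigger error mode")
    if o.get("security-checks") == "0":
        findings.append("security-checks=0: run-time checks off, compliance relies on Security Policy procedures")
    if "module-mac" not in o:
        findings.append("module-mac missing: no MAC of the provider file")
    if "install-status" not in o:
        findings.append("install-status missing: self tests will run when the module loads")
    elif "install-mac" not in o:
        findings.append("install-status present without install-mac")
    return findings

if __name__ == "__main__":
    for finding in audit_fips_section(SAMPLE):
        print("FINDING:", finding)
```

The audit only inspects the option values; it does not recompute or verify either MAC.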