[thirdparty/openssl.git] / doc / man5 / fips_config.pod

=pod

=head1 NAME

fips_config - OpenSSL FIPS configuration

=head1 DESCRIPTION

A separate configuration file, using the OpenSSL L<config(5)> syntax,
is used to hold information about the FIPS module. This includes a digest
of the shared library file, and status about the self-testing.
This data is used automatically by the module itself for two
purposes:

=over 4

=item - Run the startup FIPS self-test known answer tests (KATS).

This is done once, at installation time.

=item - Verify the module's checksum.

This is done each time the module is used.

=back

This file is generated by the L<openssl-fipsinstall(1)> program, and
used internally by the FIPS module during its initialization.

The following options are supported. They should all appear in a section
whose name is identified by the B<fips> option in the B<providers>
section, as described in L<config(5)/Provider Configuration Module>.

=over 4

=item B<activate>

If present, the module is activated. The value assigned to this name is not
significant.

=item B<install-version>

A version number for the fips install process. Should be 1.

=item B<conditional-errors>

The FIPS module normally enters an internal error mode if any self test fails.
Once this error mode is active, no services or cryptographic algorithms are
accessible from this point on.
Continuous tests are a subset of the self tests (e.g., a key pair test during key
generation, or the CRNG output test).
Setting this value to C<0> allows the error mode to not be triggered if any
continuous test fails. The default value of C<1> will trigger the error mode.
Regardless of the value, the operation (e.g., key generation) that called the
continuous test will return an error code if its continuous test fails. The
operation may then be retried if the error mode has not been triggered.

=item B<security-checks>

This indicates if run-time checks related to enforcement of security parameters
such as minimum security strength of keys and approved curve names are used.
A value of '1' will perform the checks, otherwise if the value is '0' the checks
are not performed and FIPS compliance must be done by procedures documented in
the relevant Security Policy.

=item B<module-mac>

The calculated MAC of the FIPS provider file.

=item B<install-status>

An indicator that the self-tests were successfully run.
This should only be written after the module has
successfully passed its self tests during installation.
If this field is not present, then the self tests will run when the module
loads.

=item B<install-mac>

A MAC of the value of the B<install-status> option, to prevent accidental
changes to that value.
It is written-to at the same time as B<install-status> is updated.

=back

For example:

 [fips_sect]
 activate = 1
 install-version = 1
 conditional-errors = 1
 security-checks = 1
 module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
 install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
 install-status = INSTALL_SELF_TEST_KATS_RUN

=head1 SEE ALSO

L<config(5)>
L<openssl-fipsinstall(1)>

=head1 COPYRIGHT

Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
25e60144 SL	1	=pod
	2
	3	=head1 NAME
	4
1b0d1bf7	5	fips_config - OpenSSL FIPS configuration
25e60144 SL	6
	7	=head1 DESCRIPTION
	8
ca17a6ec RS	9	A separate configuration file, using the OpenSSL L<config(5)> syntax,
	10	is used to hold information about the FIPS module. This includes a digest
	11	of the shared library file, and status about the self-testing.
	12	This data is used automatically by the module itself for two
	13	purposes:
25e60144 SL	14
	15	=over 4
	16
ca17a6ec	17	=item - Run the startup FIPS self-test known answer tests (KATS).
25e60144	18
ca17a6ec RS	19	This is done once, at installation time.
	20
	21	=item - Verify the module's checksum.
	22
	23	This is done each time the module is used.
25e60144 SL	24
	25	=back
	26
ca17a6ec RS	27	This file is generated by the L<openssl-fipsinstall(1)> program, and
	28	used internally by the FIPS module during its initialization.
	29
	30	The following options are supported. They should all appear in a section
	31	whose name is identified by the B<fips> option in the B<providers>
bb361a27	32	section, as described in L<config(5)/Provider Configuration Module>.
25e60144 SL	33
	34	=over 4
	35
991a6bb5	36	=item B<activate>
25e60144	37
991a6bb5 SL	38	If present, the module is activated. The value assigned to this name is not
991a6bb5 SL	39	significant.
25e60144 SL	40
	41	=item B<install-version>
	42
	43	A version number for the fips install process. Should be 1.
	44
991a6bb5 SL	45	=item B<conditional-errors>
	46
	47	The FIPS module normally enters an internal error mode if any self test fails.
	48	Once this error mode is active, no services or cryptographic algorithms are
	49	accessible from this point on.
	50	Continuous tests are a subset of the self tests (e.g., a key pair test during key
	51	generation, or the CRNG output test).
	52	Setting this value to C<0> allows the error mode to not be triggered if any
	53	continuous test fails. The default value of C<1> will trigger the error mode.
	54	Regardless of the value, the operation (e.g., key generation) that called the
	55	continuous test will return an error code if its continuous test fails. The
	56	operation may then be retried if the error mode has not been triggered.
	57
	58	=item B<security-checks>
	59
	60	This indicates if run-time checks related to enforcement of security parameters
	61	such as minimum security strength of keys and approved curve names are used.
	62	A value of '1' will perform the checks, otherwise if the value is '0' the checks
	63	are not performed and FIPS compliance must be done by procedures documented in
	64	the relevant Security Policy.
	65
	66	=item B<module-mac>
	67
	68	The calculated MAC of the FIPS provider file.
	69
25e60144 SL	70	=item B<install-status>
25e60144 SL	71
991a6bb5	72	An indicator that the self-tests were successfully run.
ca17a6ec	73	This should only be written after the module has
25e60144	74	successfully passed its self tests during installation.
ca17a6ec RS	75	If this field is not present, then the self tests will run when the module
ca17a6ec RS	76	loads.
25e60144	77
fb420afc	78	=item B<install-mac>
25e60144	79
fb420afc	80	A MAC of the value of the B<install-status> option, to prevent accidental
ca17a6ec RS	81	changes to that value.
ca17a6ec RS	82	It is written-to at the same time as B<install-status> is updated.
25e60144 SL	83
	84	=back
	85
	86	For example:
	87
9f7bdcf3	88	[fips_sect]
991a6bb5	89	activate = 1
25e60144	90	install-version = 1
991a6bb5 SL	91	conditional-errors = 1
991a6bb5 SL	92	security-checks = 1
fb420afc RS	93	module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
fb420afc RS	94	install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
25e60144 SL	95	install-status = INSTALL_SELF_TEST_KATS_RUN
	96
	97	=head1 SEE ALSO
	98
	99	L<config(5)>
991a6bb5	100	L<openssl-fipsinstall(1)>
25e60144 SL	101
	102	=head1 COPYRIGHT
	103
00c405b3	104	Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
25e60144 SL	105
	106	Licensed under the Apache License 2.0 (the "License"). You may not use
	107	this file except in compliance with the License. You can obtain a copy
	108	in the file LICENSE in the source distribution or at
	109	L<https://www.openssl.org/source/license.html>.
	110
	111	=cut