=pod

=head1 NAME

fips_config - OpenSSL FIPS configuration

=head1 DESCRIPTION

A separate configuration file, using the OpenSSL L<config(5)> syntax,
is used to hold information about the FIPS module. This includes a digest
of the shared library file, and status about the self-testing.
This data is used automatically by the module itself for two
purposes:

=over 4

=item - Run the startup FIPS self-test known answer tests (KATs).

This is normally done once, at installation time, but may also be set up to
run each time the module is used.

=item - Verify the module's checksum.

This is done each time the module is used.

=back

This file is generated by the L<openssl-fipsinstall(1)> program, and
used internally by the FIPS module during its initialization.

The following options are supported. They should all appear in a section
whose name is identified by the B<fips> option in the B<providers>
section, as described in L<config(5)/Provider Configuration Module>.

=over 4

=item B<activate>

If present, the module is activated. The value assigned to this name is not
significant.

=item B<conditional-errors>

The FIPS module normally enters an internal error mode if any self test fails.
Once this error mode is active, no services or cryptographic algorithms are
accessible.
Continuous tests are a subset of the self tests (e.g., a key pair test during key
generation, or the CRNG output test).
Setting this value to C<0> prevents the error mode from being triggered when a
continuous test fails. The default value of C<1> triggers the error mode.
Regardless of the value, the operation (e.g., key generation) that called the
continuous test returns an error code if its continuous test fails. The
operation may then be retried if the error mode has not been triggered.

=item B<module-mac>

The calculated MAC of the FIPS provider file.

=item B<install-version>

A version number for the FIPS install process. It should be 1.

=item B<install-status>

This field is deprecated and is no longer used.

=item B<install-mac>

This field is deprecated and is no longer used.

=back

=head2 FIPS indicator options

The following FIPS configuration options indicate whether run-time checks that
enforce FIPS security parameters, such as the minimum security strength of
keys and the set of approved curve names, are performed.
A value of '1' performs the checks; a value of '0' skips them, and FIPS
compliance must then be ensured by the procedures documented in the relevant
Security Policy.

See L<openssl-fipsinstall(1)/OPTIONS> for further information related to these
options.

=over 4

=item B<security-checks>

See L<openssl-fipsinstall(1)/OPTIONS> B<-no_security_checks>

=item B<tls1-prf-ems-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-ems_check>

=item B<no-short-mac>

See L<openssl-fipsinstall(1)/OPTIONS> B<-no_short_mac>

=item B<drbg-no-trunc-md>

See L<openssl-fipsinstall(1)/OPTIONS> B<-no_drbg_truncated_digests>

=item B<signature-digest-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-signature_digest_check>

=item B<hkdf-digest-check>

This option is deprecated.

=item B<tls13-kdf-digest-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_digest_check>

=item B<tls1-prf-digest-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_digest_check>

=item B<sshkdf-digest-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_digest_check>

=item B<sskdf-digest-check>

This option is deprecated.

=item B<x963kdf-digest-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_digest_check>

=item B<dsa-sign-disabled>

See L<openssl-fipsinstall(1)/OPTIONS> B<-dsa_sign_disabled>

=item B<tdes-encrypt-disabled>

See L<openssl-fipsinstall(1)/OPTIONS> B<-tdes_encrypt_disabled>

=item B<rsa-pkcs15-pad-disabled>

See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pkcs15_pad_disabled>

=item B<rsa-pss-saltlen-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pss_saltlen_check>

=item B<rsa-sign-x931-pad-disabled>

See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_sign_x931_disabled>

=item B<hkdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_key_check>

=item B<kbkdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-kbkdf_key_check>

=item B<tls13-kdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_key_check>

=item B<tls1-prf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_key_check>

=item B<sshkdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_key_check>

=item B<sskdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_key_check>

=item B<x963kdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_key_check>

=item B<x942kdf-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-x942kdf_key_check>

=item B<pbkdf2-lower-bound-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-no_pbkdf2_lower_bound_check>

=item B<ecdh-cofactor-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-ecdh_cofactor_check>

=item B<hmac-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-hmac_key_check>

=item B<kmac-key-check>

See L<openssl-fipsinstall(1)/OPTIONS> B<-kmac_key_check>

=back

For example:

 [fips_sect]
 activate = 1
 install-version = 1
 conditional-errors = 1
 security-checks = 1
 module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
 install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
 install-status = INSTALL_SELF_TEST_KATS_RUN

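As an added example that is not part of the OpenSSL documentation or code base, the following Python audit reads a fips section written in the config(5) syntax above and flags the settings a reviewer would want to see: a missing B<activate>, a wrong B<install-version>, a missing or malformed B<module-mac>, B<conditional-errors> set to 0, any deprecated field still present, and any indicator option set to 0. The section name, the sample values (with two options deliberately set to 0) and the function names are constructed for this example.

```python
import re
# Constructed sample section, modelled on the example in this page (not real install output).
SAMPLE_FIPS_SECTION = """\
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 0
tls1-prf-ems-check = 0
module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
install-status = INSTALL_SELF_TEST_KATS_RUN
"""

DEPRECATED = {"install-status", "install-mac", "hkdf-digest-check", "sskdf-digest-check"}
INDICATOR_OPTIONS = {  # indicator options from this page; a value of 0 turns the check off
    "security-checks", "tls1-prf-ems-check", "no-short-mac", "drbg-no-trunc-md", "signature-digest-check",
    "tls13-kdf-digest-check", "tls1-prf-digest-check", "sshkdf-digest-check", "x963kdf-digest-check",
    "dsa-sign-disabled", "tdes-encrypt-disabled", "rsa-pkcs15-pad-disabled", "rsa-pss-saltlen-check",
    "rsa-sign-x931-pad-disabled", "hkdf-key-check", "kbkdf-key-check", "tls13-kdf-key-check",
    "tls1-prf-key-check", "sshkdf-key-check", "sskdf-key-check", "x963kdf-key-check", "x942kdf-key-check",
    "pbkdf2-lower-bound-check", "ecdh-cofactor-check", "hmac-key-check", "kmac-key-check"}
MAC_RE = r"([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}"

def parse_section(text, name):  # key = value pairs of one [section] in config(5) syntax
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            section = m.group(1)
        elif section == name and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def audit_fips_section(values):  # returns findings; an empty list means nothing to flag
    checks = [
        ("activate" not in values, "activate missing: the module will not be activated"),
        (values.get("install-version") != "1", "install-version should be 1"),
        (not re.fullmatch(MAC_RE, values.get("module-mac", "")), "module-mac missing or malformed"),
        (values.get("conditional-errors") == "0",
         "conditional-errors=0: a failed continuous test will not enter the error mode"),
    ]
    findings = [msg for cond, msg in checks if cond]
    for key in sorted(values):
        if key in DEPRECATED:
            findings.append(f"{key} is deprecated and ignored by the module")
        elif key in INDICATOR_OPTIONS and values[key] == "0":
            findings.append(f"{key}=0: run-time check disabled, compliance must be procedural")
    return findings
```

The audit only inspects the file's contents; whether B<module-mac> actually matches the installed provider is something only L<openssl-fipsinstall(1)> can verify.
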
=head1 NOTES

When using the FIPS provider, it is recommended that the
B<config_diagnostics> option is enabled to prevent accidental use of
non-FIPS validated algorithms via broken or mistaken configuration.
See L<config(5)>.

=head1 SEE ALSO

L<config(5)>
L<openssl-fipsinstall(1)>

=head1 HISTORY

This functionality was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut