xref: /openssl/doc/man5/fips_config.pod (revision 7ed6de99) 
1=pod
2
3=head1 NAME
4
5fips_config - OpenSSL FIPS configuration
6
7=head1 DESCRIPTION
8
9A separate configuration file, using the OpenSSL L<config(5)> syntax,
10is used to hold information about the FIPS module. This includes a digest
11of the shared library file, and status about the self-testing.
12This data is used automatically by the module itself for two
13purposes:
14
15=over 4
16
17=item - Run the startup FIPS self-test known answer tests (KATS).
18
19This is normally done once, at installation time, but may also be set up to
20run each time the module is used.
21
22=item - Verify the module's checksum.
23
24This is done each time the module is used.
25
26=back
27
28This file is generated by the L<openssl-fipsinstall(1)> program, and
29used internally by the FIPS module during its initialization.
30
31The following options are supported. They should all appear in a section
32whose name is identified by the B<fips> option in the B<providers>
33section, as described in L<config(5)/Provider Configuration Module>.
34
35=over 4
36
37=item B<activate>
38
39If present, the module is activated. The value assigned to this name is not
40significant.
41
42=item B<conditional-errors>
43
44The FIPS module normally enters an internal error mode if any self test fails.
45Once this error mode is active, no services or cryptographic algorithms are
46accessible from this point on.
47Continuous tests are a subset of the self tests (e.g., a key pair test during key
48generation, or the CRNG output test).
49Setting this value to C<0> allows the error mode to not be triggered if any
50continuous test fails. The default value of C<1> will trigger the error mode.
51Regardless of the value, the operation (e.g., key generation) that called the
52continuous test will return an error code if its continuous test fails. The
53operation may then be retried if the error mode has not been triggered.
54
55=item B<module-mac>
56
57The calculated MAC of the FIPS provider file.
58
59=item B<install-version>
60
61A version number for the fips install process. Should be 1.
62
63=item B<install-status>
64
65An indicator that the self-tests were successfully run.
66This should only be written after the module has
67successfully passed its self tests during installation.
68If this field is not present, then the self tests will run when the module
69loads.
70
71=item B<install-mac>
72
73A MAC of the value of the B<install-status> option, to prevent accidental
74changes to that value.
75It is written-to at the same time as B<install-status> is updated.
76
77=back
78
79=head2 FIPS indicator options
80
81The following FIPS configuration options indicate if run-time checks related to
82enforcement of FIPS security parameters such as minimum security strength of
83keys and approved curve names are used.
84A value of '1' will perform the checks, otherwise if the value is '0' the checks
85are not performed and FIPS compliance must be done by procedures documented in
86the relevant Security Policy.
87
88See L<openssl-fipsinstall(1)/OPTIONS> for further information related to these
89options.
90
91=over 4
92
93=item B<security-checks>
94
95See L<openssl-fipsinstall(1)/OPTIONS> B<-no_security_checks>
96
97=item B<tls1-prf-ems-check>
98
99See L<openssl-fipsinstall(1)/OPTIONS> B<-ems_check>
100
101=item B<no-short-mac>
102
103See L<openssl-fipsinstall(1)/OPTIONS> B<-no_short_mac>
104
105=item B<drbg-no-trunc-md>
106
107See L<openssl-fipsinstall(1)/OPTIONS> B<-no_drbg_truncated_digests>
108
109=item B<signature-digest-check>
110
111See L<openssl-fipsinstall(1)/OPTIONS> B<-signature_digest_check>
112
113=item B<hkdf-digest-check>
114
115See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check>
116
117=item B<tls13-kdf-digest-check>
118
119See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_digest_check>
120
121=item B<tls1-prf-digest-check>
122
123See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_digest_check>
124
125=item B<sshkdf-digest-check>
126
127See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_digest_check>
128
129=item B<sskdf-digest-check>
130
131See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check>
132
133=item B<x963kdf-digest-check>
134
135See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_digest_check>
136
137=item B<dsa-sign-disabled>
138
139See L<openssl-fipsinstall(1)/OPTIONS> B<-dsa_sign_disabled>
140
141=item B<tdes-encrypt-disabled>
142
143See L<openssl-fipsinstall(1)/OPTIONS> B<-tdes_encrypt_disabled>
144
145=item B<rsa-pkcs15-pad-disabled>
146
147See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pkcs15_pad_disabled>
148
149=item B<rsa-pss-saltlen-check>
150
151See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pss_saltlen_check>
152
153=item B<rsa-sign-x931-pad-disabled>
154
155See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_sign_x931_disabled>
156
157=item B<hkdf-key-check>
158
159See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_key_check>
160
161=item B<kbkdf-key-check>
162
163See L<openssl-fipsinstall(1)/OPTIONS> B<-kbkdf_key_check>
164
165=item B<tls13-kdf-key-check>
166
167See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_key_check>
168
169=item B<tls1-prf-key-check>
170
171See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_key_check>
172
173=item B<sshkdf-key-check>
174
175See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_key_check>
176
177=item B<sskdf-key-check>
178
179See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_key_check>
180
181=item B<x963kdf-key-check>
182
183See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_key_check>
184
185=item B<pbkdf2-lower-bound-check>
186
187See L<openssl-fipsinstall(1)/OPTIONS> B<-no_pbkdf2_lower_bound_check>
188
189=item B<ecdh-cofactor-check>
190
191See L<openssl-fipsinstall(1)/OPTIONS> B<-ecdh_cofactor_check>
192
193=item B<hmac-key-check>
194
195See L<openssl-fipsinstall(1)/OPTIONS> B<-hmac_key_check>
196
197=item B<kmac-key-check>
198
199See L<openssl-fipsinstall(1)/OPTIONS> B<-kmac_key_check>
200
201=back
202
203For example:
204
205 [fips_sect]
206 activate = 1
207 install-version = 1
208 conditional-errors = 1
209 security-checks = 1
210 module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
211 install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
212 install-status = INSTALL_SELF_TEST_KATS_RUN
213
214=head1 NOTES
215
216When using the FIPS provider, it is recommended that the
217B<config_diagnostics> option is enabled to prevent accidental use of
218non-FIPS validated algorithms via broken or mistaken configuration.
219See L<config(5)>.
220
221=head1 SEE ALSO
222
223L<config(5)>
224L<openssl-fipsinstall(1)>
225
226=head1 HISTORY
227
228This functionality was added in OpenSSL 3.0.
229
230=head1 COPYRIGHT
231
232Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
233
234Licensed under the Apache License 2.0 (the "License").  You may not use
235this file except in compliance with the License.  You can obtain a copy
236in the file LICENSE in the source distribution or at
237L<https://www.openssl.org/source/license.html>.
238
239=cut
240