README-FIPS.md - OpenGrok cross reference for /freebsd/crypto/openssl/README-FIPS.md

Lines Matching +full:security +full:- +full:module
4 This release of OpenSSL includes a cryptographic module that can be
5 FIPS validated. The module is implemented as an OpenSSL provider.
6 A provider is essentially a dynamically loadable module which implements
7 cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
10 A cryptographic module is only FIPS validated after it has gone through the complex
13 If you need a FIPS validated module then you must ONLY generate a FIPS provider
15 contains a link to a Security Policy, and you MUST follow the instructions
16 in the Security Policy in order to be FIPS compliant.
18 FIPS certificates and Security Policies.
20 Newer OpenSSL Releases that include security or bug fixes can be used to build
23 as specified in the Security Policy (normally with a different version of the
29 the `enable-fips` option.
45 Please read the Security Policy for up to date installation instructions.
60     $ make install_fips     # for `enable-fips` only
68     /usr/local/lib/ossl-modules/fips.so                  on Unix, and
69     C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll   on Windows.
74 - Runs the FIPS module self tests
75 - Generates the so-called FIPS module configuration file containing information
76   about the module such as the module checksum (and for OpenSSL 3.1.2 the
79 The FIPS module must have the self tests run, and the FIPS module config file
81 you must not copy the FIPS module config file output data from one machine to another.
85 …$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.…
89 to a non-standard location, you can execute the `openssl fipsinstall` command manually.
97 --------------------------------------------
102     $ wget https://www.openssl.org/source/openssl-3.1.2.tar.gz
103     $ tar -xf openssl-3.1.2.tar.gz
104     $ cd openssl-3.1.2
105     $ ./Configure enable-fips
110 ------------------------------------------------
114     $ wget https://www.openssl.org/source/openssl-3.5.0.tar.gz
115     $ tar -xf openssl-3.5.0.tar.gz
116     $ cd openssl-3.5.0
117     $ ./Configure enable-fips
121 -----------------------------------------
127     $ cp ../openssl-3.1.2/providers/fips.so providers/.
128     $ cp ../openssl-3.1.2/providers/fipsmodule.cnf providers/.
131     // `install-status`. (Otherwise the self tests would be skipped).
135     $ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
136     -provider fips -providers
142 -------------------------------------------------------------------------------------
144     $ cd ../openssl-3.1.2
148 --------------------------------------------------
150     $ cd ../openssl-3.5.0
151     $./util/wrap.pl -fips apps/openssl list -provider-path providers \
152     -provider fips -providers
165 Using the FIPS Module in applications
168 Documentation about using the FIPS module is available on the [fips_module(7)]
178 enabling the `enable-fips-jitter` option during configuration, an internal
180 the FIPS provider to operate in a non-compliant mode unless an entropy
183 Note that the `enable-fips-jitter` option is only available in OpenSSL
186  [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
187  [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
189 3rd-Party Vendor Builds
193 test it with a Security Laboratory and submit it under their own CMVP