Lines Matching +full:allow +full:- +full:set +full:- +full:time

2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-fipsinstall - perform FIPS configuration installation
11 [B<-help>]
12 [B<-in> I<configfilename>]
13 [B<-out> I<configfilename>]
14 [B<-module> I<modulefilename>]
15 [B<-provider_name> I<providername>]
16 [B<-section_name> I<sectionname>]
17 [B<-verify>]
18 [B<-mac_name> I<macname>]
19 [B<-macopt> I<nm>:I<v>]
20 [B<-noout>]
21 [B<-quiet>]
22 [B<-pedantic>]
23 [B<-no_conditional_errors>]
24 [B<-no_security_checks>]
25 [B<-hmac_key_check>]
26 [B<-kmac_key_check>]
27 [B<-ems_check>]
28 [B<-no_drbg_truncated_digests>]
29 [B<-signature_digest_check>]
30 [B<-hkdf_digest_check>]
31 [B<-tls13_kdf_digest_check>]
32 [B<-tls1_prf_digest_check>]
33 [B<-sshkdf_digest_check>]
34 [B<-sskdf_digest_check>]
35 [B<-x963kdf_digest_check>]
36 [B<-dsa_sign_disabled>]
37 [B<-no_pbkdf2_lower_bound_check>]
38 [B<-no_short_mac>]
39 [B<-tdes_encrypt_disabled>]
40 [B<-rsa_pkcs15_padding_disabled>]
41 [B<-rsa_pss_saltlen_check>]
42 [B<-rsa_sign_x931_disabled>]
43 [B<-hkdf_key_check>]
44 [B<-kbkdf_key_check>]
45 [B<-tls13_kdf_key_check>]
46 [B<-tls1_prf_key_check>]
47 [B<-sshkdf_key_check>]
48 [B<-sskdf_key_check>]
49 [B<-x963kdf_key_check>]
50 [B<-x942kdf_key_check>]
51 [B<-ecdh_cofactor_check>]
52 [B<-self_test_onload>]
53 [B<-self_test_oninstall>]
54 [B<-corrupt_desc> I<selftest_description>]
55 [B<-corrupt_type> I<selftest_type>]
56 [B<-config> I<parent_config>]
61 This configuration file can be used each time a FIPS module is loaded
70 =item - A MAC of the FIPS module file.
72 =item - A test status indicator.
76 =item - A MAC of the status indicator.
78 =item - A control for conditional self test errors.
89 =item - A control to indicate whether run-time security checks are done.
91 This indicates if run-time checks related to enforcement of security parameters
105 =item B<-help>
109 =item B<-module> I<filename>
115 =item B<-out> I<configfilename>
119 =item B<-in> I<configfilename>
122 Must be used if the B<-verify> option is specified.
124 =item B<-verify>
128 =item B<-provider_name> I<providername>
133 =item B<-section_name> I<sectionname>
138 =item B<-mac_name> I<name>
144 C<openssl list -mac-algorithms>. The default is B<HMAC>.
146 =item B<-macopt> I<nm>:I<v>
178 C<openssl list -digest-commands>.
179 The default digest is SHA-256.
183 =item B<-noout>
187 =item B<-pedantic>
195 =item B<-no_conditional_errors>
200 =item B<-no_security_checks>
202 Configure the module to not perform run-time security checks as described above.
204 Enabling the configuration option "no-fips-securitychecks" provides another way to
205 turn off the check at compile time.
207 =item B<-ems_check>
209 Configure the module to enable a run-time Extended Master Secret (EMS) check
213 =item B<-no_short_mac>
215 Configure the module to not allow short MAC outputs.
216 See SP 800-185 8.4.2 and FIPS 140-3 IG C.D for details.
218 =item B<-hmac_key_check>
220 Configure the module to not allow small key sizes when using HMAC.
221 See SP 800-131Ar2 for details.
223 =item B<-kmac_key_check>
225 Configure the module to not allow small key sizes when using KMAC.
226 See SP 800-131Ar2 for details.
228 =item B<-no_drbg_truncated_digests>
230 Configure the module to not allow truncated digests to be used with Hash and
231 HMAC DRBGs. See FIPS 140-3 IG D.R for details.
233 =item B<-signature_digest_check>
238 =item B<-hkdf_digest_check>
242 =item B<-tls13_kdf_digest_check>
244 Configure the module to enable a run-time digest check when deriving a key by
248 =item B<-tls1_prf_digest_check>
250 Configure the module to enable a run-time digest check when deriving a key by
252 See NIST SP 800-135r1 for details.
254 =item B<-sshkdf_digest_check>
256 Configure the module to enable a run-time digest check when deriving a key by
258 See NIST SP 800-135r1 for details.
260 =item B<-sskdf_digest_check>
264 =item B<-x963kdf_digest_check>
266 Configure the module to enable a run-time digest check when deriving a key by
268 See NIST SP 800-131Ar2 for details.
270 =item B<-dsa_sign_disabled>
272 Configure the module to not allow DSA signing (DSA signature verification is
273 still allowed). See FIPS 140-3 IG C.K for details.
275 =item B<-tdes_encrypt_disabled>
277 Configure the module to not allow Triple-DES encryption.
278 Triple-DES decryption is still allowed for legacy purposes.
279 See SP 800-131Ar2 for details.
281 =item B<-rsa_pkcs15_padding_disabled>
283 Configure the module to not allow PKCS#1 version 1.5 padding to be used with
284 RSA for key transport and key agreement. See NIST's SP 800-131A Revision 2
287 =item B<-rsa_pss_saltlen_check>
289 Configure the module to enable a run-time salt length check when generating or
290 verifying an RSA-PSS signature.
291 See FIPS 186-5 5.4 (g) for details.
293 =item B<-rsa_sign_x931_disabled>
295 Configure the module to not allow X9.31 padding to be used when signing with
296 RSA. See FIPS 140-3 IG C.K for details.
298 =item B<-hkdf_key_check>
300 Configure the module to enable a run-time short key-derivation key check when
302 See NIST SP 800-131Ar2 for details.
304 =item B<-kbkdf_key_check>
306 Configure the module to enable a run-time short key-derivation key check when
308 See NIST SP 800-131Ar2 for details.
310 =item B<-tls13_kdf_key_check>
312 Configure the module to enable a run-time short key-derivation key check when
314 See NIST SP 800-131Ar2 for details.
316 =item B<-tls1_prf_key_check>
318 Configure the module to enable a run-time short key-derivation key check when
320 See NIST SP 800-131Ar2 for details.
322 =item B<-sshkdf_key_check>
324 Configure the module to enable a run-time short key-derivation key check when
326 See NIST SP 800-131Ar2 for details.
328 =item B<-sskdf_key_check>
330 Configure the module to enable a run-time short key-derivation key check when
332 See NIST SP 800-131Ar2 for details.
334 =item B<-x963kdf_key_check>
336 Configure the module to enable a run-time short key-derivation key check when
338 See NIST SP 800-131Ar2 for details.
340 =item B<-x942kdf_key_check>
342 Configure the module to enable a run-time short key-derivation key check when
344 See NIST SP 800-131Ar2 for details.
346 =item B<-no_pbkdf2_lower_bound_check>
348 Configure the module to not perform run-time lower bound check for PBKDF2.
349 See NIST SP 800-132 for details.
351 =item B<-ecdh_cofactor_check>
353 Configure the module to enable a run-time check that ECDH uses the EC curves
355 See SP 800-56A r3 Section 5.7.1.2 for details.
357 =item B<-self_test_onload>
361 the self test KATs will run each time the module is loaded. This option could be
366 This option defaults to 0 for any OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X)
367 and is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
370 =item B<-self_test_oninstall>
372 The converse of B<-self_test_onload>. The two fields related to the
375 This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
378 =item B<-quiet>
380 Do not output pass/fail messages. Implies B<-noout>.
382 =item B<-corrupt_desc> I<selftest_description>,
383 B<-corrupt_type> I<selftest_type>
388 Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
391 =item B<-config> I<parent_config>
396 See L<config(5)> for further information on how to set up a provider section.
397 All other options are ignored if '-config' is used.
403 Self test results are logged by default if the options B<-quiet> and B<-noout>
404 are not specified, or if either of the options B<-corrupt_desc> or
405 B<-corrupt_type> is used.
406 If the base configuration file is set up to autoload the fips module, then the
408 has a chance to set up its own self test callback. As a result of this the self
409 test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
413 The B<-self_test_oninstall> option was added and the
414 B<-self_test_onload> option was made the default in OpenSSL 3.1.
423 openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
427 openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
431 openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
432 -corrupt_desc 'SHA1'
437 export OPENSSL_MODULES=<provider-path>
438 openssl fipsinstall -config default.cnf
445 L<OSSL_PROVIDER-FIPS(7)>,
450 The B<openssl-fipsinstall> application was added in OpenSSL 3.0.
454 B<-ems_check>,
455 B<-self_test_oninstall>
459 B<-pedantic>,
460 B<-no_drbg_truncated_digests>
464 B<-hmac_key_check>,
465 B<-kmac_key_check>,
466 B<-signature_digest_check>,
467 B<-hkdf_digest_check>,
468 B<-tls13_kdf_digest_check>,
469 B<-tls1_prf_digest_check>,
470 B<-sshkdf_digest_check>,
471 B<-sskdf_digest_check>,
472 B<-x963kdf_digest_check>,
473 B<-dsa_sign_disabled>,
474 B<-no_pbkdf2_lower_bound_check>,
475 B<-no_short_mac>,
476 B<-tdes_encrypt_disabled>,
477 B<-rsa_pkcs15_padding_disabled>,
478 B<-rsa_pss_saltlen_check>,
479 B<-rsa_sign_x931_disabled>,
480 B<-hkdf_key_check>,
481 B<-kbkdf_key_check>,
482 B<-tls13_kdf_key_check>,
483 B<-tls1_prf_key_check>,
484 B<-sshkdf_key_check>,
485 B<-sskdf_key_check>,
486 B<-x963kdf_key_check>,
487 B<-x942kdf_key_check>,
488 B<-ecdh_cofactor_check>
492 Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.