Lines Matching +full:run +full:- +full:time

2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-fipsinstall - perform FIPS configuration installation
11 [B<-help>]
12 [B<-in> I<configfilename>]
13 [B<-out> I<configfilename>]
14 [B<-module> I<modulefilename>]
15 [B<-provider_name> I<providername>]
16 [B<-section_name> I<sectionname>]
17 [B<-verify>]
18 [B<-mac_name> I<macname>]
19 [B<-macopt> I<nm>:I<v>]
20 [B<-noout>]
21 [B<-quiet>]
22 [B<-pedantic>]
23 [B<-no_conditional_errors>]
24 [B<-no_security_checks>]
25 [B<-hmac_key_check>]
26 [B<-kmac_key_check>]
27 [B<-ems_check>]
28 [B<-no_drbg_truncated_digests>]
29 [B<-signature_digest_check>]
30 [B<-hkdf_digest_check>]
31 [B<-tls13_kdf_digest_check>]
32 [B<-tls1_prf_digest_check>]
33 [B<-sshkdf_digest_check>]
34 [B<-sskdf_digest_check>]
35 [B<-x963kdf_digest_check>]
36 [B<-dsa_sign_disabled>]
37 [B<-no_pbkdf2_lower_bound_check>]
38 [B<-no_short_mac>]
39 [B<-tdes_encrypt_disabled>]
40 [B<-rsa_pkcs15_padding_disabled>]
41 [B<-rsa_pss_saltlen_check>]
42 [B<-rsa_sign_x931_disabled>]
43 [B<-hkdf_key_check>]
44 [B<-kbkdf_key_check>]
45 [B<-tls13_kdf_key_check>]
46 [B<-tls1_prf_key_check>]
47 [B<-sshkdf_key_check>]
48 [B<-sskdf_key_check>]
49 [B<-x963kdf_key_check>]
50 [B<-x942kdf_key_check>]
51 [B<-ecdh_cofactor_check>]
52 [B<-self_test_onload>]
53 [B<-self_test_oninstall>]
54 [B<-corrupt_desc> I<selftest_description>]
55 [B<-corrupt_type> I<selftest_type>]
56 [B<-config> I<parent_config>]
61 This configuration file can be used each time a FIPS module is loaded
63 verifies its MAC, but optionally only needs to run the KATs once,
70 =item - A MAC of the FIPS module file.
72 =item - A test status indicator.
74 This indicates if the Known Answer Self Tests (KATs) have successfully run.
76 =item - A MAC of the status indicator.
78 =item - A control for conditional self test errors.
89 =item - A control to indicate whether run-time security checks are done.
91 This indicates if run-time checks related to enforcement of security parameters
105 =item B<-help>
109 =item B<-module> I<filename>
115 =item B<-out> I<configfilename>
119 =item B<-in> I<configfilename>
122 Must be used if the B<-verify> option is specified.
124 =item B<-verify>
128 =item B<-provider_name> I<providername>
133 =item B<-section_name> I<sectionname>
138 =item B<-mac_name> I<name>
144 C<openssl list -mac-algorithms>. The default is B<HMAC>.
146 =item B<-macopt> I<nm>:I<v>
178 C<openssl list -digest-commands>.
179 The default digest is SHA-256.
183 =item B<-noout>
187 =item B<-pedantic>
195 =item B<-no_conditional_errors>
200 =item B<-no_security_checks>
202 Configure the module to not perform run-time security checks as described above.
204 Enabling the configuration option "no-fips-securitychecks" provides another way to
205 turn off the check at compile time.
207 =item B<-ems_check>
209 Configure the module to enable a run-time Extended Master Secret (EMS) check
213 =item B<-no_short_mac>
216 See SP 800-185 8.4.2 and FIPS 140-3 IG C.D for details.
218 =item B<-hmac_key_check>
221 See SP 800-131Ar2 for details.
223 =item B<-kmac_key_check>
226 See SP 800-131Ar2 for details.
228 =item B<-no_drbg_truncated_digests>
231 HMAC DRBGs. See FIPS 140-3 IG D.R for details.
233 =item B<-signature_digest_check>
238 =item B<-hkdf_digest_check>
242 =item B<-tls13_kdf_digest_check>
244 Configure the module to enable a run-time digest check when deriving a key by
248 =item B<-tls1_prf_digest_check>
250 Configure the module to enable a run-time digest check when deriving a key by
252 See NIST SP 800-135r1 for details.
254 =item B<-sshkdf_digest_check>
256 Configure the module to enable a run-time digest check when deriving a key by
258 See NIST SP 800-135r1 for details.
260 =item B<-sskdf_digest_check>
264 =item B<-x963kdf_digest_check>
266 Configure the module to enable a run-time digest check when deriving a key by
268 See NIST SP 800-131Ar2 for details.
270 =item B<-dsa_sign_disabled>
273 still allowed). See FIPS 140-3 IG C.K for details.
275 =item B<-tdes_encrypt_disabled>
277 Configure the module to not allow Triple-DES encryption.
278 Triple-DES decryption is still allowed for legacy purposes.
279 See SP 800-131Ar2 for details.
281 =item B<-rsa_pkcs15_padding_disabled>
284 RSA for key transport and key agreement. See NIST's SP 800-131A Revision 2
287 =item B<-rsa_pss_saltlen_check>
289 Configure the module to enable a run-time salt length check when generating or
290 verifying an RSA-PSS signature.
291 See FIPS 186-5 5.4 (g) for details.
293 =item B<-rsa_sign_x931_disabled>
296 RSA. See FIPS 140-3 IG C.K for details.
298 =item B<-hkdf_key_check>
300 Configure the module to enable a run-time short key-derivation key check when
302 See NIST SP 800-131Ar2 for details.
304 =item B<-kbkdf_key_check>
306 Configure the module to enable a run-time short key-derivation key check when
308 See NIST SP 800-131Ar2 for details.
310 =item B<-tls13_kdf_key_check>
312 Configure the module to enable a run-time short key-derivation key check when
314 See NIST SP 800-131Ar2 for details.
316 =item B<-tls1_prf_key_check>
318 Configure the module to enable a run-time short key-derivation key check when
320 See NIST SP 800-131Ar2 for details.
322 =item B<-sshkdf_key_check>
324 Configure the module to enable a run-time short key-derivation key check when
326 See NIST SP 800-131Ar2 for details.
328 =item B<-sskdf_key_check>
330 Configure the module to enable a run-time short key-derivation key check when
332 See NIST SP 800-131Ar2 for details.
334 =item B<-x963kdf_key_check>
336 Configure the module to enable a run-time short key-derivation key check when
338 See NIST SP 800-131Ar2 for details.
340 =item B<-x942kdf_key_check>
342 Configure the module to enable a run-time short key-derivation key check when
344 See NIST SP 800-131Ar2 for details.
346 =item B<-no_pbkdf2_lower_bound_check>
348 Configure the module to not perform run-time lower bound check for PBKDF2.
349 See NIST SP 800-132 for details.
351 =item B<-ecdh_cofactor_check>
353 Configure the module to enable a run-time check that ECDH uses the EC curves
355 See SP 800-56A r3 Section 5.7.1.2 for details.
357 =item B<-self_test_onload>
361 the self test KATs will run each time the module is loaded. This option could be
362 used for cross compiling, since the self tests need to run at least once on each
363 target machine. Once the self tests have run on the target machine the user
366 This option defaults to 0 for any OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X)
367 and is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
370 =item B<-self_test_oninstall>
372 The converse of B<-self_test_onload>. The two fields related to the
375 This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
378 =item B<-quiet>
380 Do not output pass/fail messages. Implies B<-noout>.
382 =item B<-corrupt_desc> I<selftest_description>,
383 B<-corrupt_type> I<selftest_type>
388 Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
391 =item B<-config> I<parent_config>
397 All other options are ignored if '-config' is used.
403 Self test results are logged by default if the options B<-quiet> and B<-noout>
404 are not specified, or if either of the options B<-corrupt_desc> or
405 B<-corrupt_type> is used.
409 test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
413 The B<-self_test_oninstall> option was added and the
414 B<-self_test_onload> option was made the default in OpenSSL 3.1.
420 Calculate the MAC of a FIPS module F<fips.so> and run a FIPS self test
423 openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
427 openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
431 openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
432 -corrupt_desc 'SHA1'
437 export OPENSSL_MODULES=<provider-path>
438 openssl fipsinstall -config 'default.cnf'
445 L<OSSL_PROVIDER-FIPS(7)>,
450 The B<openssl-fipsinstall> application was added in OpenSSL 3.0.
454 B<-ems_check>,
455 B<-self_test_oninstall>
459 B<-pedantic>,
460 B<-no_drbg_truncated_digests>
464 B<-hmac_key_check>,
465 B<-kmac_key_check>,
466 B<-signature_digest_check>,
467 B<-hkdf_digest_check>,
468 B<-tls13_kdf_digest_check>,
469 B<-tls1_prf_digest_check>,
470 B<-sshkdf_digest_check>,
471 B<-sskdf_digest_check>,
472 B<-x963kdf_digest_check>,
473 B<-dsa_sign_disabled>,
474 B<-no_pbkdf2_lower_bound_check>,
475 B<-no_short_mac>,
476 B<-tdes_encrypt_disabled>,
477 B<-rsa_pkcs15_padding_disabled>,
478 B<-rsa_pss_saltlen_check>,
479 B<-rsa_sign_x931_disabled>,
480 B<-hkdf_key_check>,
481 B<-kbkdf_key_check>,
482 B<-tls13_kdf_key_check>,
483 B<-tls1_prf_key_check>,
484 B<-sshkdf_key_check>,
485 B<-sskdf_key_check>,
486 B<-x963kdf_key_check>,
487 B<-x942kdf_key_check>,
488 B<-ecdh_cofactor_check>
492 Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.