Lines Matching +full:run +full:- +full:control
1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-FIPSINSTALL 1ossl"
58 .TH OPENSSL-FIPSINSTALL 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-fipsinstall \- perform FIPS configuration installation
68 [\fB\-help\fR]
69 [\fB\-in\fR \fIconfigfilename\fR]
70 [\fB\-out\fR \fIconfigfilename\fR]
71 [\fB\-module\fR \fImodulefilename\fR]
72 [\fB\-provider_name\fR \fIprovidername\fR]
73 [\fB\-section_name\fR \fIsectionname\fR]
74 [\fB\-verify\fR]
75 [\fB\-mac_name\fR \fImacname\fR]
76 [\fB\-macopt\fR \fInm\fR:\fIv\fR]
77 [\fB\-noout\fR]
78 [\fB\-quiet\fR]
79 [\fB\-pedantic\fR]
80 [\fB\-no_conditional_errors\fR]
81 [\fB\-no_security_checks\fR]
82 [\fB\-hmac_key_check\fR]
83 [\fB\-kmac_key_check\fR]
84 [\fB\-ems_check\fR]
85 [\fB\-no_drbg_truncated_digests\fR]
86 [\fB\-signature_digest_check\fR]
87 [\fB\-hkdf_digest_check\fR]
88 [\fB\-tls13_kdf_digest_check\fR]
89 [\fB\-tls1_prf_digest_check\fR]
90 [\fB\-sshkdf_digest_check\fR]
91 [\fB\-sskdf_digest_check\fR]
92 [\fB\-x963kdf_digest_check\fR]
93 [\fB\-dsa_sign_disabled\fR]
94 [\fB\-no_pbkdf2_lower_bound_check\fR]
95 [\fB\-no_short_mac\fR]
96 [\fB\-tdes_encrypt_disabled\fR]
97 [\fB\-rsa_pkcs15_padding_disabled\fR]
98 [\fB\-rsa_pss_saltlen_check\fR]
99 [\fB\-rsa_sign_x931_disabled\fR]
100 [\fB\-hkdf_key_check\fR]
101 [\fB\-kbkdf_key_check\fR]
102 [\fB\-tls13_kdf_key_check\fR]
103 [\fB\-tls1_prf_key_check\fR]
104 [\fB\-sshkdf_key_check\fR]
105 [\fB\-sskdf_key_check\fR]
106 [\fB\-x963kdf_key_check\fR]
107 [\fB\-x942kdf_key_check\fR]
108 [\fB\-ecdh_cofactor_check\fR]
109 [\fB\-self_test_onload\fR]
110 [\fB\-self_test_oninstall\fR]
111 [\fB\-corrupt_desc\fR \fIselftest_description\fR]
112 [\fB\-corrupt_type\fR \fIselftest_type\fR]
113 [\fB\-config\fR \fIparent_config\fR]
119 verifies its MAC, but optionally only needs to run the KATs once,
123 .IP "\- A MAC of the FIPS module file." 4
124 .IX Item "- A MAC of the FIPS module file."
126 .IP "\- A test status indicator." 4
127 .IX Item "- A test status indicator."
129 This indicates if the Known Answer Self Tests (KATs) have successfully run.
130 .IP "\- A MAC of the status indicator." 4
131 .IX Item "- A MAC of the status indicator."
133 .IP "\- A control for conditional self test errors." 4
134 .IX Item "- A control for conditional self test errors."
144 .IP "\- A control to indicate whether run-time security checks are done." 4
145 .IX Item "- A control to indicate whether run-time security checks are done."
146 This indicates if run-time checks related to enforcement of security parameters
155 .IP \fB\-help\fR 4
156 .IX Item "-help"
158 .IP "\fB\-module\fR \fIfilename\fR" 4
159 .IX Item "-module filename"
163 .IP "\fB\-out\fR \fIconfigfilename\fR" 4
164 .IX Item "-out configfilename"
166 .IP "\fB\-in\fR \fIconfigfilename\fR" 4
167 .IX Item "-in configfilename"
169 Must be used if the \fB\-verify\fR option is specified.
170 .IP \fB\-verify\fR 4
171 .IX Item "-verify"
173 .IP "\fB\-provider_name\fR \fIprovidername\fR" 4
174 .IX Item "-provider_name providername"
177 .IP "\fB\-section_name\fR \fIsectionname\fR" 4
178 .IX Item "-section_name sectionname"
181 .IP "\fB\-mac_name\fR \fIname\fR" 4
182 .IX Item "-mac_name name"
187 \&\f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR. The default is \fBHMAC\fR.
188 .IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
189 .IX Item "-macopt nm:v"
193 Common control strings used for this command are:
216 \&\f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
217 The default digest is SHA\-256.
221 .IP \fB\-noout\fR 4
222 .IX Item "-noout"
224 .IP \fB\-pedantic\fR 4
225 .IX Item "-pedantic"
231 .IP \fB\-no_conditional_errors\fR 4
232 .IX Item "-no_conditional_errors"
235 .IP \fB\-no_security_checks\fR 4
236 .IX Item "-no_security_checks"
237 Configure the module to not perform run-time security checks as described above.
239 Enabling the configuration option "no-fips-securitychecks" provides another way to
241 .IP \fB\-ems_check\fR 4
242 .IX Item "-ems_check"
243 Configure the module to enable a run-time Extended Master Secret (EMS) check
246 .IP \fB\-no_short_mac\fR 4
247 .IX Item "-no_short_mac"
249 See SP 800\-185 8.4.2 and FIPS 140\-3 IG C.D for details.
250 .IP \fB\-hmac_key_check\fR 4
251 .IX Item "-hmac_key_check"
253 See SP 800\-131Ar2 for details.
254 .IP \fB\-kmac_key_check\fR 4
255 .IX Item "-kmac_key_check"
257 See SP 800\-131Ar2 for details.
258 .IP \fB\-no_drbg_truncated_digests\fR 4
259 .IX Item "-no_drbg_truncated_digests"
261 HMAC DRBGs. See FIPS 140\-3 IG D.R for details.
262 .IP \fB\-signature_digest_check\fR 4
263 .IX Item "-signature_digest_check"
266 .IP \fB\-hkdf_digest_check\fR 4
267 .IX Item "-hkdf_digest_check"
269 .IP \fB\-tls13_kdf_digest_check\fR 4
270 .IX Item "-tls13_kdf_digest_check"
271 Configure the module to enable a run-time digest check when deriving a key by
274 .IP \fB\-tls1_prf_digest_check\fR 4
275 .IX Item "-tls1_prf_digest_check"
276 Configure the module to enable a run-time digest check when deriving a key by
278 See NIST SP 800\-135r1 for details.
279 .IP \fB\-sshkdf_digest_check\fR 4
280 .IX Item "-sshkdf_digest_check"
281 Configure the module to enable a run-time digest check when deriving a key by
283 See NIST SP 800\-135r1 for details.
284 .IP \fB\-sskdf_digest_check\fR 4
285 .IX Item "-sskdf_digest_check"
287 .IP \fB\-x963kdf_digest_check\fR 4
288 .IX Item "-x963kdf_digest_check"
289 Configure the module to enable a run-time digest check when deriving a key by
291 See NIST SP 800\-131Ar2 for details.
292 .IP \fB\-dsa_sign_disabled\fR 4
293 .IX Item "-dsa_sign_disabled"
295 still allowed). See FIPS 140\-3 IG C.K for details.
296 .IP \fB\-tdes_encrypt_disabled\fR 4
297 .IX Item "-tdes_encrypt_disabled"
298 Configure the module to not allow Triple-DES encryption.
299 Triple-DES decryption is still allowed for legacy purposes.
300 See SP 800\-131Ar2 for details.
301 .IP \fB\-rsa_pkcs15_padding_disabled\fR 4
302 .IX Item "-rsa_pkcs15_padding_disabled"
304 RSA for key transport and key agreement. See NIST's SP 800\-131A Revision 2
306 .IP \fB\-rsa_pss_saltlen_check\fR 4
307 .IX Item "-rsa_pss_saltlen_check"
308 Configure the module to enable a run-time salt length check when generating or
309 verifying an RSA-PSS signature.
310 See FIPS 186\-5 5.4 (g) for details.
311 .IP \fB\-rsa_sign_x931_disabled\fR 4
312 .IX Item "-rsa_sign_x931_disabled"
314 RSA. See FIPS 140\-3 IG C.K for details.
315 .IP \fB\-hkdf_key_check\fR 4
316 .IX Item "-hkdf_key_check"
317 Configure the module to enable a run-time short key-derivation key check when
319 See NIST SP 800\-131Ar2 for details.
320 .IP \fB\-kbkdf_key_check\fR 4
321 .IX Item "-kbkdf_key_check"
322 Configure the module to enable a run-time short key-derivation key check when
324 See NIST SP 800\-131Ar2 for details.
325 .IP \fB\-tls13_kdf_key_check\fR 4
326 .IX Item "-tls13_kdf_key_check"
327 Configure the module to enable a run-time short key-derivation key check when
329 See NIST SP 800\-131Ar2 for details.
330 .IP \fB\-tls1_prf_key_check\fR 4
331 .IX Item "-tls1_prf_key_check"
332 Configure the module to enable a run-time short key-derivation key check when
334 See NIST SP 800\-131Ar2 for details.
335 .IP \fB\-sshkdf_key_check\fR 4
336 .IX Item "-sshkdf_key_check"
337 Configure the module to enable a run-time short key-derivation key check when
339 See NIST SP 800\-131Ar2 for details.
340 .IP \fB\-sskdf_key_check\fR 4
341 .IX Item "-sskdf_key_check"
342 Configure the module to enable a run-time short key-derivation key check when
344 See NIST SP 800\-131Ar2 for details.
345 .IP \fB\-x963kdf_key_check\fR 4
346 .IX Item "-x963kdf_key_check"
347 Configure the module to enable a run-time short key-derivation key check when
349 See NIST SP 800\-131Ar2 for details.
350 .IP \fB\-x942kdf_key_check\fR 4
351 .IX Item "-x942kdf_key_check"
352 Configure the module to enable a run-time short key-derivation key check when
354 See NIST SP 800\-131Ar2 for details.
355 .IP \fB\-no_pbkdf2_lower_bound_check\fR 4
356 .IX Item "-no_pbkdf2_lower_bound_check"
357 Configure the module to not perform a run-time lower bound check for PBKDF2.
358 See NIST SP 800\-132 for details.
359 .IP \fB\-ecdh_cofactor_check\fR 4
360 .IX Item "-ecdh_cofactor_check"
361 Configure the module to enable a run-time check that ECDH uses the EC curves
363 See SP 800\-56A r3 Section 5.7.1.2 for details.
364 .IP \fB\-self_test_onload\fR 4
365 .IX Item "-self_test_onload"
368 the self test KATs will run each time the module is loaded. This option could be
369 used for cross compiling, since the self tests need to run at least once on each
370 target machine. Once the self tests have run on the target machine the user
373 This option defaults to 0 for any OpenSSL FIPS 140\-2 provider (OpenSSL 3.0.X)
374 and is not relevant for an OpenSSL FIPS 140\-3 provider, since this is no
376 .IP \fB\-self_test_oninstall\fR 4
377 .IX Item "-self_test_oninstall"
378 The converse of \fB\-self_test_onload\fR. The two fields related to the
381 This field is not relevant for an OpenSSL FIPS 140\-3 provider, since this is no
383 .IP \fB\-quiet\fR 4
384 .IX Item "-quiet"
385 Do not output pass/fail messages. Implies \fB\-noout\fR.
386 .IP "\fB\-corrupt_desc\fR \fIselftest_description\fR, \fB\-corrupt_type\fR \fIselftest_type\fR" 4
387 .IX Item "-corrupt_desc selftest_description, -corrupt_type selftest_type"
391 Refer to the entries for \fBst-desc\fR and \fBst-type\fR in \fBOSSL_PROVIDER\-FIPS\fR\|(7) for
393 .IP "\fB\-config\fR \fIparent_config\fR" 4
394 .IX Item "-config parent_config"
399 All other options are ignored if '\-config' is used.
402 Self test results are logged by default if the options \fB\-quiet\fR and \fB\-noout\fR
403 are not specified, or if either of the options \fB\-corrupt_desc\fR or
404 \&\fB\-corrupt_type\fR is used.
408 test output and the options \fB\-corrupt_desc\fR and \fB\-corrupt_type\fR will be ignored.
412 The \fB\-self_test_oninstall\fR option was added and the
413 \&\fB\-self_test_onload\fR option was made the default in OpenSSL 3.1.
418 Calculate the MAC of a FIPS module \fIfips.so\fR and run a FIPS self test
422 \& openssl fipsinstall \-module ./fips.so \-out fips.cnf \-provider_name fips
428 \& openssl fipsinstall \-module ./fips.so \-in fips.cnf \-provider_name fips \-verify
434 \& openssl fipsinstall \-module ./fips.so \-out fips.cnf \-provider_name fips \e
435 \& \-corrupt_desc \*(AqSHA1\*(Aq
442 \& export OPENSSL_MODULES=<provider\-path>
443 \& openssl fipsinstall \-config \*(Aqdefault.cnf\*(Aq
449 \&\fBOSSL_PROVIDER\-FIPS\fR\|(7),
453 The \fBopenssl-fipsinstall\fR application was added in OpenSSL 3.0.
457 \&\fB\-ems_check\fR,
458 \&\fB\-self_test_oninstall\fR
462 \&\fB\-pedantic\fR,
463 \&\fB\-no_drbg_truncated_digests\fR
467 \&\fB\-hmac_key_check\fR,
468 \&\fB\-kmac_key_check\fR,
469 \&\fB\-signature_digest_check\fR,
470 \&\fB\-hkdf_digest_check\fR,
471 \&\fB\-tls13_kdf_digest_check\fR,
472 \&\fB\-tls1_prf_digest_check\fR,
473 \&\fB\-sshkdf_digest_check\fR,
474 \&\fB\-sskdf_digest_check\fR,
475 \&\fB\-x963kdf_digest_check\fR,
476 \&\fB\-dsa_sign_disabled\fR,
477 \&\fB\-no_pbkdf2_lower_bound_check\fR,
478 \&\fB\-no_short_mac\fR,
479 \&\fB\-tdes_encrypt_disabled\fR,
480 \&\fB\-rsa_pkcs15_padding_disabled\fR,
481 \&\fB\-rsa_pss_saltlen_check\fR,
482 \&\fB\-rsa_sign_x931_disabled\fR,
483 \&\fB\-hkdf_key_check\fR,
484 \&\fB\-kbkdf_key_check\fR,
485 \&\fB\-tls13_kdf_key_check\fR,
486 \&\fB\-tls1_prf_key_check\fR,
487 \&\fB\-sshkdf_key_check\fR,
488 \&\fB\-sskdf_key_check\fR,
489 \&\fB\-x963kdf_key_check\fR,
490 \&\fB\-x942kdf_key_check\fR,
491 \&\fB\-ecdh_cofactor_check\fR
494 Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.