[openssl] master update
matthias.st.pierre at ncp-e.com
Thu Apr 29 09:29:26 UTC 2021
The branch master has been updated
via 3b9e47695f66e83b162d6d78f9a3c20e4464322d (commit)
via f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a (commit)
via b2d8c7b6a380bd93d350526ddd3746f82a76a18f (commit)
via afa0a13c1a61e075eb5949bf370f7b0c58d3b8e2 (commit)
via d9ce268151e5d3de4f15673aa8c0ae60b07eeadd (commit)
via 18da9fc31f050edaf65da162f01c7bea920a5aac (commit)
via 4e282708c5bb82b6caed8e0565b9ac4ac15a7ac3 (commit)
via 5b689181853ca6d240d756cd7d65678124838b11 (commit)
via c3bda8a2e0d51a8be2c2c0afc673048bc9457dcd (commit)
via b6821df0d0713e05af338f5a7dba51a63f2c79b9 (commit)
via 59cf2869199b695cace97869c578d40fafff24c6 (commit)
from f4585aeca99d43ed4cfd7053f8d74a4d816c95e4 (commit)
- Log -----------------------------------------------------------------
commit 3b9e47695f66e83b162d6d78f9a3c20e4464322d
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Mon Apr 26 02:19:35 2021 +0200
CHANGES: document the FIPS provider configuration and installation
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Thu Apr 8 21:06:23 2021 +0200
README-FIPS: document the installation of the FIPS provider
Note that the configuration and installation procedure has changed:
- The FIPS provider is now disabled by default and needs to
be enabled by configuring with `enable-fips`.
- If the FIPS provider is enabled, it gets installed automatically.
There is no extra installation step required anymore.
This is more natural and coincides with the expectation of the
user, namely "what's configured, gets installed".
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit b2d8c7b6a380bd93d350526ddd3746f82a76a18f
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Mon Apr 26 01:04:26 2021 +0200
Configure: disable fips mode by default
Building the fips provider in addition to the default provider
effectively doubles the build time. Since many users will not
need fips support, it is now disabled by default.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit afa0a13c1a61e075eb5949bf370f7b0c58d3b8e2
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Mon Apr 26 01:01:50 2021 +0200
Configure: sort the disablables alphabetically
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit d9ce268151e5d3de4f15673aa8c0ae60b07eeadd
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Wed Apr 14 20:23:43 2021 +0200
build.info: add the Perl wrapper to build generator programs on Windows
Pull request #14320 introduced the ability to use compiled programs
as generators in GENERATE rules of build.info files. Those generator
calls were wrapped by the Perl wrapper (wrap.pl) in the Unix makefile
template, but not on Windows.
This commit adds the missing wrapper for Windows, because for the
`fipsmodule.cnf` target it is essential that the `openssl fipsinstall`
command does not load any preinstalled openssl configuration file.
Fixes #13680
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit 18da9fc31f050edaf65da162f01c7bea920a5aac
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Mon Apr 26 00:14:59 2021 +0200
Configure/Makefile: install the fips provider if it was configured
To follow the principle "what you configure is what you install",
the `make install` target now includes the installation of the
fips provider (`make install_fips`) if (and only if) OpenSSL was
configured with fips support (`enable-fips`).
The `make install_fips` target exists as well and can be used
to install just the fips provider. It requires `enable-fips`
and issues an error message if `no-fips` was configured.
The analogue holds for the 'uninstall_fips' target.
Fixes #13693
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit 4e282708c5bb82b6caed8e0565b9ac4ac15a7ac3
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Wed Apr 14 20:37:37 2021 +0200
Configure/Makefile: don't generate a fresh fipsmodule.cnf when installing it
There is already a `providers/fipsmodule.cnf` target which is required by
the tests. Instead of creating another fipsmodule.cnf, the `install_fips`
target simply copies that configuration file to its final destination.
This commit also restores the minimal dependencies to build the `install_fips`
target immediately after configuring, which was broken after the removal
of the `install_sw` dependency.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit 5b689181853ca6d240d756cd7d65678124838b11
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Thu Jan 7 18:47:01 2021 +0100
Configure/Makefile: separate install of the FIPS module
Fixes #13693
Co-authored-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit c3bda8a2e0d51a8be2c2c0afc673048bc9457dcd
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Tue Dec 15 22:44:32 2020 +0100
Configure/Makefile: correct the FIPS module configuration file path
According to the OpenSSL 3.0 Wiki, the file should be located at
$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
next to the openssl.cnf file.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit b6821df0d0713e05af338f5a7dba51a63f2c79b9
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Tue Dec 15 22:34:41 2020 +0100
Configure/Makefile: use the correct openssl app for FIPS installation
The `openssl` app was previously called without a path, which
would generally invoke the system's copy of the openssl application.
Currently, that's most likely an openssl version 1.1.1 application,
which does not recognize the `fipsinstall` command and terminates
with an error message.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
commit 59cf2869199b695cace97869c578d40fafff24c6
Author: Dr. Matthias St. Pierre <matthias.st.pierre at ncp-e.com>
Date: Tue Dec 15 19:41:58 2020 +0100
Configure/Makefile: fix the `-macopt` argument of the fipsinstall command
The FIPS hmac key is provided as a hexadecimal string, which needs to
be prefixed with `hexkey:`, not `key:`.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 16 ++++++++++
Configurations/descrip.mms.tmpl | 2 +-
Configurations/unix-Makefile.tmpl | 47 ++++++++++++++++++++++-------
Configurations/windows-makefile.tmpl | 45 ++++++++++++++++++++--------
Configure | 13 ++++----
INSTALL.md | 4 +--
README-FIPS.md | 57 +++++++++++++++++++++++++-----------
7 files changed, 135 insertions(+), 49 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index a7420d6d5a..1097c8c749 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,22 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
+ validated. The module is implemented as an OpenSSL provider, the so-called
+ FIPS provider. A list of all changes related to the FIPS provider would go
+ beyond the scope of this CHANGES file, please consult the README-FIPS and
+ README-PROVIDERS files, as well as the migration guide.
+
+ The FIPS provider is disabled by default and needs to be enabled explicitly
+ at configuration time using the `enable-fips` option. If it is enabled,
+ the FIPS provider gets built and installed in addition to the default and
+ the legacy provider. No separate installation procedure is necessary.
+ There is however a dedicated `install_fips` make target, which serves the
+ special purpose of installing only the FIPS provider into an existing
+ OpenSSL installation.
+
+ *OpenSSL team members and many third party contributors*
+
* For the key types DH and DHX the allowed settable parameters are now different.
Previously (in 1.1.1) these conflicting parameters were allowed, but will now
result in errors. See EVP_PKEY-DH(7) for further details. This affects the
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 065854d2ea..920c0abfeb 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -544,7 +544,7 @@ install_fips: install_sw
openssl fipsinstall -
-module ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME) -
-out ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME).cnf -
- -macopt "key:$(FIPSKEY)"
+ -macopt "hexkey:$(FIPSKEY)"
uninstall_fips: uninstall_sw
@ WRITE SYS$OUTPUT "*** Uninstalling FIPS module configuration"
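Review bot: the VMS `install_fips` rule still calls `openssl fipsinstall` without a path and keeps its `install_sw` prerequisite, so only the `-macopt` prefix is corrected here. The commit log for this push points out that an unqualified `openssl` generally resolves to the system copy, which may not know `fipsinstall`, and the Unix and Windows templates now copy a prebuilt `providers/fipsmodule.cnf` instead. The `-out` argument also still writes the `.cnf` next to the module under `[MODULES...]` rather than next to openssl.cnf. Consider bringing this rule in line with the other two templates, or add a comment that the VMS rework is deliberately deferred.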
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index e2df304061..4ace44477d 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -164,12 +164,21 @@ INSTALL_ENGINES={-
&& $unified_info{attributes}->{modules}->{$_}->{engine} }
@{$unified_info{modules}}))
-}
+INSTALL_FIPS={-
+ join(" \\\n" . ' ' x 16,
+ fill_lines(" ", $COLUMNS - 16,
+ map { platform->dso($_) }
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}}))
+-}
INSTALL_MODULES={-
join(" \\\n" . ' ' x 16,
fill_lines(" ", $COLUMNS - 16,
map { platform->dso($_) }
grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && !$unified_info{attributes}->{modules}->{$_}->{engine} }
+ && !$unified_info{attributes}->{modules}->{$_}->{engine}
+ && !$unified_info{attributes}->{modules}->{$_}->{fips} }
@{$unified_info{modules}}))
-}
INSTALL_PROGRAMS={-
@@ -517,9 +526,9 @@ list-tests:
@echo "Tests are not supported with your chosen Configure options"
@ : {- output_on() if !$disabled{tests}; "" -}
-install: install_sw install_ssldirs install_docs
+install: install_sw install_ssldirs install_docs {- $disabled{fips} ? "" : "install_fips" -}
-uninstall: uninstall_docs uninstall_sw
+uninstall: uninstall_docs uninstall_sw {- $disabled{fips} ? "" : "uninstall_fips" -}
libclean:
@set -e; for s in $(SHLIB_INFO); do \
@@ -585,17 +594,33 @@ install_docs: install_man_docs install_html_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r $(DESTDIR)$(DOCDIR)
-install_fips: install_sw
+{- output_off() if $disabled{fips}; "" -}
+install_fips: build_sw providers/fipsmodule.cnf
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
+ @$(ECHO) "*** Installing FIPS module"
+ @$(ECHO) "install $(INSTALL_FIPS) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
+ @cp "$(INSTALL_FIPS)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
+ @chmod 755 $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
+ @mv -f $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new \
+ $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
@$(ECHO) "*** Installing FIPS module configuration"
- @$(ECHO) "fipsinstall $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf"
- @openssl fipsinstall -module $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME) \
- -out $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf \
- -macopt 'key:$(FIPSKEY)'
+ @$(ECHO) "install providers/fipsmodule.cnf -> $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
+ @cp providers/fipsmodule.cnf $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
-uninstall_fips: uninstall_sw
+uninstall_fips:
@$(ECHO) "*** Uninstalling FIPS module configuration"
- @$(ECHO) "$(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf"
- @$(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf
+ $(RM) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
+ @$(ECHO) "*** Uninstalling FIPS module"
+ $(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
+{- if ($disabled{fips}) { output_on(); } else { output_off(); } "" -}
+install_fips:
+ @$(ECHO) "The 'install_fips' target requires the 'enable-fips' option"
+
+uninstall_fips:
+ @$(ECHO) "The 'uninstall_fips' target requires the 'enable-fips' option"
+{- output_on() if !$disabled{fips}; "" -}
+
install_ssldirs:
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
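Review bot: `install_fips` creates only `$(DESTDIR)$(MODULESDIR)` before copying, yet its last step copies to `$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf`. With the `install_sw` prerequisite gone, nothing visible in this rule creates that directory for a stand-alone `make install_fips` into a fresh DESTDIR, so add a `mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)` call before the `cp`. Two smaller points: `cp "$(INSTALL_FIPS)"` quotes as a single word a variable that is assembled with `join`/`fill_lines` as a list, which only works while exactly one module carries the `fips` attribute; and the fallback `install_fips`/`uninstall_fips` targets for `no-fips` builds only echo a message and return success, so a scripted install cannot detect the misconfiguration unless they exit non-zero.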
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 2cd003cf89..4843106de2 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -103,10 +103,17 @@ INSTALL_ENGINEPDBS={-
&& $unified_info{attributes}->{modules}->{$_}->{engine} }
@{$unified_info{modules}})
-}
+INSTALL_FIPS={-
+ join(" ", map { quotify1(platform->dso($_)) }
+ grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
+ && $unified_info{attributes}->{modules}->{$_}->{fips} }
+ @{$unified_info{modules}})
+-}
INSTALL_MODULES={-
- join(" ", map { platform->dso($_) }
+ join(" ", map { quotify1(platform->dso($_)) }
grep { !$unified_info{attributes}->{modules}->{$_}->{noinst}
- && !$unified_info{attributes}->{modules}->{$_}->{engine} }
+ && !$unified_info{attributes}->{modules}->{$_}->{engine}
+ && !$unified_info{attributes}->{modules}->{$_}->{fips} }
@{$unified_info{modules}})
-}
INSTALL_MODULEPDBS={-
@@ -470,17 +477,31 @@ install_docs: install_html_docs
uninstall_docs: uninstall_html_docs
-install_fips: install_sw
+{- output_off() if $disabled{fips}; "" -}
+install_fips: build_sw providers\fipsmodule.cnf
+# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR)
+ @$(ECHO) "*** Installing FIPS module"
+ @$(ECHO) "install $(INSTALL_FIPS) -> $(MODULESDIR)\$(FIPSMODULENAME)"
+ @copy "$(INSTALL_FIPS)" $(MODULESDIR)\$(FIPSMODULENAME).new
+ @move /Y $(MODULESDIR)\$(FIPSMODULENAME).new \
+ $(MODULESDIR)\$(FIPSMODULENAME)
@$(ECHO) "*** Installing FIPS module configuration"
- @$(ECHO) "fipsinstall $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf"
- @openssl fipsinstall -module $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME) \
- -out $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf \
- -macopt "key:$(FIPSKEY)"
+ @$(ECHO) "install providers\fipsmodule.cnf -> $(OPENSSLDIR)\fipsmodule.cnf"
+ @copy providers\fipsmodule.cnf "$(OPENSSLDIR)\fipsmodule.cnf"
-uninstall_fips: uninstall_sw
+uninstall_fips:
@$(ECHO) "*** Uninstalling FIPS module configuration"
- @$(ECHO) "$(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf"
- @$(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).cnf
+ $(RM) "$(OPENSSLDIR)\fipsmodule.cnf"
+ @$(ECHO) "*** Uninstalling FIPS module"
+ $(RM) "$(MODULESDIR)\$(FIPSMODULENAME)"
+{- if ($disabled{fips}) { output_on(); } else { output_off(); } "" -}
+install_fips:
+ @$(ECHO) "The 'install_fips' target requires the 'enable-fips' option"
+
+uninstall_fips:
+ @$(ECHO) "The 'uninstall_fips' target requires the 'enable-fips' option"
+{- output_on() if !$disabled{fips}; "" -}
install_ssldirs:
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)\certs"
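Review bot: path quoting in the new `install_fips` recipe is inconsistent. The `mkdir-p.pl` call, the `copy` destination and both `move /Y` arguments use `$(MODULESDIR)` unquoted, while the `fipsmodule.cnf` copy and the `$(RM)` lines quote their paths and `install_ssldirs` right below quotes everything. The default module directory given in README-FIPS is under `C:\Program Files\`, so the unquoted forms will split on the space. `copy "$(INSTALL_FIPS)"` also wraps in quotes a value that already went through `quotify1` in the variable definition, which is worth checking for doubled quotes. The `INSTALLTOP` guard is left commented out in Unix shell syntax; port it to cmd or drop it. As in the Unix template, nothing here creates `$(OPENSSLDIR)` before the `.cnf` copy, and the fallback targets for `no-fips` builds do not fail.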
@@ -768,8 +789,8 @@ EOF
# Also redo $gen0, to ensure that we have the proper extension.
$gen0 = platform->bin($gen0);
return <<"EOF";
-$args{src}: $gen0 $deps
- $gen0$gen_args > \$@
+$args{src}: $gen0 $deps "\$(BLDDIR)\\util\\wrap.pl"
+ "\$(PERL)" "\$(BLDDIR)\\util\\wrap.pl" $gen0$gen_args > \$@
EOF
} else {
#
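Review bot: the generator rule gains the `wrap.pl` prefix and prerequisite with no comment saying why. The reason given in the commit log (the `fipsmodule.cnf` generator must not load a preinstalled openssl configuration file) is easy to lose in a later cleanup, so a one-line comment above the `return <<"EOF";` would help.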
diff --git a/Configure b/Configure
index b068b60e66..83c9a6f382 100755
--- a/Configure
+++ b/Configure
@@ -414,9 +414,9 @@ my @disablables = (
"dynamic-engine",
"ec",
"ec2m",
+ "ec_nistp_64_gcc_128",
"ecdh",
"ecdsa",
- "ec_nistp_64_gcc_128",
"egd",
"engine",
"err",
@@ -424,8 +424,8 @@ my @disablables = (
"filenames",
"fips",
"fips-securitychecks",
- "fuzz-libfuzzer",
"fuzz-afl",
+ "fuzz-libfuzzer",
"gost",
"idea",
"ktls",
@@ -438,11 +438,11 @@ my @disablables = (
"msan",
"multiblock",
"nextprotoneg",
- "pinshared",
"ocb",
"ocsp",
"padlockeng",
"pic",
+ "pinshared",
"poly1305",
"posix-io",
"psk",
@@ -479,8 +479,8 @@ my @disablables = (
"ui-console",
"unit-test",
"uplink",
- "whirlpool",
"weak-ssl-ciphers",
+ "whirlpool",
"zlib",
"zlib-dynamic",
);
@@ -512,6 +512,7 @@ my %deprecated_disablables = (
# All of the following are disabled by default:
our %disabled = ( # "what" => "comment"
+ "fips" => "default",
"asan" => "default",
"buildtest-c++" => "default",
"crypto-mdebug" => "default",
@@ -520,8 +521,9 @@ our %disabled = ( # "what" => "comment"
"ec_nistp_64_gcc_128" => "default",
"egd" => "default",
"external-tests" => "default",
- "fuzz-libfuzzer" => "default",
"fuzz-afl" => "default",
+ "fuzz-libfuzzer" => "default",
+ "ktls" => "default",
"md2" => "default",
"msan" => "default",
"rc5" => "default",
@@ -535,7 +537,6 @@ our %disabled = ( # "what" => "comment"
"weak-ssl-ciphers" => "default",
"zlib" => "default",
"zlib-dynamic" => "default",
- "ktls" => "default",
);
# Note: => pair form used for aesthetics, not to truly make a hash table
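Review bot: with `ktls` moved into place, the one entry of `%disabled` left out of alphabetical order is the new `"fips" => "default"`, which an earlier hunk of this file inserts at the top ahead of `"asan"`. Since this series sorts the lists, move it between `"external-tests"` and `"fuzz-afl"`.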
diff --git a/INSTALL.md b/INSTALL.md
index 039e1bdf08..f9b065d764 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -705,9 +705,9 @@ for further details.
Don't compile in filename and line number information (e.g. for errors and
memory allocation).
-### no-fips
+### enable-fips
-Don't compile the FIPS provider
+Build (and install) the FIPS provider
### no-fips-securitychecks
diff --git a/README-FIPS.md b/README-FIPS.md
index 0ea41daa46..3dc6c35b89 100644
--- a/README-FIPS.md
+++ b/README-FIPS.md
@@ -2,38 +2,61 @@ OpenSSL FIPS support
====================
This release of OpenSSL includes a cryptographic module that is intended to be
-FIPS 140-2 validated. The module is implemented as an OpenSSL provider. See
-the [README-PROVIDERS](README-PROVIDERS.md) file for further details about
-providers.
+FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
+A provider is essentially a dynamically loadable module which implements
+cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
+for further details.
+
+The OpenSSL FIPS provider comes as shared library called `fips.so` (on Unix)
+resp. `fips.dll` (on Windows). The FIPS provider does not get built and
+installed automatically. To enable it, you need to configure OpenSSL using
+the `enable-fips` option.
Installing the FIPS module
==========================
-Once OpenSSL has been built and installed you will need to take explicit steps
-to complete the installation of the FIPS module (if you wish to use it). The
-OpenSSL 3.0 FIPS support is in the form of the FIPS provider which, on Unix, is
-in a `fips.so` file. On Windows this will be called `fips.dll`. Following
-installation of OpenSSL 3.0 the default location for this file is
-`/usr/local/lib/ossl-modules/fips.so` on Unix or
-`C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll` on Windows.
+If the FIPS provider is enabled, it gets installed automatically during the
+normal installation process. Simply follow the normal procedure (configure,
+make, make test, make install) as described in the [INSTALL](INSTALL.md) file.
+
+For example, on Unix the final command
+
+ $ make install
+
+effectively executes the following install targets
+
+ $ make install_sw
+ $ make install_ssldirs
+ $ make install_docs
+ $ make install_fips # for `enable-fips` only
+
+The `install_fips` make target can also be invoked explicitly to install
+the FIPS provider independently, without installing the rest of OpenSSL.
+
+The Installation of the FIPS provider consists of two steps. In the first step,
+the shared library is copied to its installed location, which by default is
+
+ /usr/local/lib/ossl-modules/fips.so on Unix, and
+ C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll on Windows.
-To complete the installation you need to run the `fipsinstall` command line
-application. This does 2 things:
+In the second step, the `openssl fipsinstall` command is executed, which completes
+the installation by doing the following two things:
- Runs the FIPS module self tests
-- Generates FIPS module config file output containing information about the
-module such as the self test status, and the module checksum.
+- Generates the so-called FIPS module configuration file containing information
+ about the module such as the self test status, and the module checksum.
The FIPS module must have the self tests run, and the FIPS module config file
output generated on every machine that it is to be used on. You must not copy
the FIPS module config file output data from one machine to another.
-For example, to install the FIPS module to its default location on Unix:
+On Unix the `openssl fipsinstall` command will be invoked as follows by default:
$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
-If you installed OpenSSL to a different location, you need to adjust the output
-and module path accordingly.
+If you configured OpenSSL to be installed to a different location, the paths will
+vary accordingly. In the rare case that you need to install the fipsmodule.cnf
+to non-standard location, you can execute the `openssl fipsinstall` command manually.
Using the FIPS Module in applications
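Review bot: the sentence "In the second step, the `openssl fipsinstall` command is executed" no longer matches the makefile changes in this push, where `install_fips` copies the already generated `providers/fipsmodule.cnf` and does not run `fipsinstall` at install time. That matters for the unchanged paragraph just below it, which requires the self tests and config file to be produced on every machine and forbids copying the config between machines: a staged `DESTDIR` install that is packaged and deployed elsewhere would ship a file generated on the build host. State explicitly when a manual `openssl fipsinstall` run on the target machine is required. Wording nits: "comes as shared library" needs an article, "resp." reads better as "or", and "The Installation" should be lower-case.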