[openssl] openssl-3.0 update
tomas at openssl.org
Mon Sep 20 07:33:10 UTC 2021
The branch openssl-3.0 has been updated
via 119062833cc7ac4fc6d67287e3be3e4868f7f389 (commit)
from 814271efcc6e77fefabd616fab381fd168e2bd15 (commit)
- Log -----------------------------------------------------------------
commit 119062833cc7ac4fc6d67287e3be3e4868f7f389
Author: slontis <shane.lontis at oracle.com>
Date: Tue Aug 31 10:59:20 2021 +1000
Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260
If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16475)
(cherry picked from commit 8d257d0dc6ed9d5aeb8366de6be0af01538557ea)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-fipsinstall.pod.in | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index d79e237dba..97e2ae910c 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -197,6 +197,18 @@ All other options are ignored if '-config' is used.
=back
+=head1 NOTES
+
+Self tests results are logged by default if the options B<-quiet> and B<-noout>
+are not specified, or if either of the options B<-corrupt_desc> or
+B<-corrupt_type> are used.
+If the base configuration file is set up to autoload the fips module, then the
+fips module will be loaded and self tested BEFORE the fipsinstall application
+has a chance to set up its own self test callback. As a result of this the self
+test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
+For normal usage the base configuration file should use the default provider
+when generating the fips configuration file.
+
=head1 EXAMPLES
Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
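Review bot: The closing sentence of the new NOTES section ("the base configuration file should use the default provider") does not tell the reader what to look for or what to change. Suggest stating outright that the configuration file in effect when fipsinstall runs must not activate the fips provider, with a pointer to L<config(5)> for how providers get activated. Because the preceding sentence says B<-corrupt_desc> and B<-corrupt_type> are ignored in the autoload case, it would also help to spell out the consequence: a corruption test requested under such a configuration will not induce the failure, and the missing self test output is the only sign of it. Minor wording: "Self tests results" should read "Self test results", "either of the options ... are used" should be "is used", and the all-caps "BEFORE" would be better written as I<before>.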