summaryrefslogtreecommitdiffstats
path: root/INSTALL.md
diff options
context:
space:
mode:
authorRich Salz <rsalz@akamai.com>2020-06-29 04:20:41 +0200
committerShane Lontis <shane.lontis@oracle.com>2020-06-29 04:20:41 +0200
commit31214258309251aff297da67a60a6b60bf4ef27e (patch)
treeaee548533bd6a7fe25c3c6ebf06b46287dfccb6c /INSTALL.md
parentINSTALL.md and NOTES.VALGRIND: Further cleanup of references and code/symbol ... (diff)
downloadopenssl-31214258309251aff297da67a60a6b60bf4ef27e.tar.xz
openssl-31214258309251aff297da67a60a6b60bf4ef27e.zip
Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's Use default FIPSKEY if not given on command line. Make all -macopt in fipsinstall optional Make all tests, except fipsinstall, use the default -macopt and -mac_name flags. Define and use FIPSDIR variable on VMS/MMS. Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12235)
Diffstat (limited to 'INSTALL.md')
-rw-r--r--INSTALL.md14
1 files changed, 14 insertions, 0 deletions
diff --git a/INSTALL.md b/INSTALL.md
index 85cc1bee40..3b993585d2 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -21,6 +21,7 @@ Table of Contents
- [Compiler Warnings](#compiler-warnings)
- [ZLib Flags](#zlib-flags)
- [Seeding the Random Generator](#seeding-the-random-generator)
+ - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key)
- [Enable and Disable Features](#enable-and-disable-features)
- [Displaying configuration data](#displaying-configuration-data)
- [Installation Steps in Detail](#installation-steps-in-detail)
@@ -465,6 +466,19 @@ at the end of this document.
[rng]: #notes-on-random-number-generation
+Setting the FIPS HMAC key
+-------------------------
+
+ --fips-key=value
+
+As part of its self-test validation, the FIPS module must verify itself
+by performing a SHA-256 HMAC computation on itself. The default key is
+the SHA256 value of "the holy handgrenade of antioch" and is sufficient
+for meeting the FIPS requirements.
+
+To change the key to a different value, use this flag. The value should
+be a hex string no more than 64 characters.
+
Enable and Disable Features
---------------------------