author | Rich Salz <rsalz@akamai.com> | 2020-06-29 04:20:41 +0200 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2020-06-29 04:20:41 +0200 |
commit | 31214258309251aff297da67a60a6b60bf4ef27e (patch) | |
tree | aee548533bd6a7fe25c3c6ebf06b46287dfccb6c /INSTALL.md | |
parent | INSTALL.md and NOTES.VALGRIND: Further cleanup of references and code/symbol ... (diff) | |
Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)
Diffstat (limited to 'INSTALL.md')
-rw-r--r-- | INSTALL.md | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/INSTALL.md b/INSTALL.md index 85cc1bee40..3b993585d2 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -21,6 +21,7 @@ Table of Contents - [Compiler Warnings](#compiler-warnings) - [ZLib Flags](#zlib-flags) - [Seeding the Random Generator](#seeding-the-random-generator) + - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key) - [Enable and Disable Features](#enable-and-disable-features) - [Displaying configuration data](#displaying-configuration-data) - [Installation Steps in Detail](#installation-steps-in-detail) @@ -465,6 +466,19 @@ at the end of this document. [rng]: #notes-on-random-number-generation +Setting the FIPS HMAC key +------------------------- + + --fips-key=value + +As part of its self-test validation, the FIPS module must verify itself +by performing a SHA-256 HMAC computation on itself. The default key is +the SHA256 value of "the holy handgrenade of antioch" and is sufficient +for meeting the FIPS requirements. + +To change the key to a different value, use this flag. The value should +be a hex string no more than 64 characters. + Enable and Disable Features --------------------------- |
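Review bot: In the Table of Contents hunk, the new link target `#setting-the-FIPS-HMAC-key` is mixed case while every neighbouring entry uses an all-lowercase slug (`#seeding-the-random-generator`, `#enable-and-disable-features`). Heading anchors generated by GitHub are lowercased, so this entry will likely not jump to the new section; suggest `[Setting the FIPS HMAC key](#setting-the-fips-hmac-key)`.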
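Review bot: In the new "Setting the FIPS HMAC key" section, the last sentence ("The value should be a hex string no more than 64 characters") gives only an upper bound. It should also say whether an empty value or an odd number of hex digits is accepted, and what happens on invalid input (rejected at configure time, or silently truncated or padded). The section also never says that `--fips-key=value` is given at configuration time, and the commit message says fipsinstall falls back to the default FIPSKEY, so a sentence is needed explaining how a custom key relates to the `-macopt` later passed to fipsinstall. Minor: the same paragraph writes both "SHA-256" and "SHA256"; pick one spelling.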