author Pauli <pauli@openssl.org> 2023-02-27 00:14:43 +0100
committer Pauli <pauli@openssl.org> 2023-02-28 23:16:45 +0100
commit 0a81220a01e888c3ee4ab18dfdcab6472d9e214c
tree 6279965ff23de6e49bd93e92edb410e9b9a9edad /doc/man7
parent Fix incomplete error check on RSA_public_decrypt()
Update FIPS provider documentation to note that fips=yes is mandatory
This was in the notes section but an earlier comment about it not being mandatory was missed.

Fixes #20376

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20382)
Diffstat (limited to 'doc/man7')
-rw-r--r-- doc/man7/OSSL_PROVIDER-FIPS.pod 19
1 files changed, 11 insertions, 8 deletions
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 9396b5e431..1e1601cef1 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -29,14 +29,17 @@ L<EVP_MD_fetch(3)> or L<EVP_CIPHER_fetch(3)>, as well as with other
functions that take a property query string, such as
L<EVP_PKEY_CTX_new_from_name(3)>.
-It isn't mandatory to query for any of these properties, except to
-make sure to get implementations of this provider and none other.
-
-The C<fips=yes> property can be use to make sure only FIPS approved
-implementations are used for crypto operations. This may also include
-other non-crypto support operations that are not in the FIPS provider,
-such as asymmetric key encoders,
-see L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>.
+To be FIPS compliant, it is mandatory to include C<fips=yes> as
+part of all property queries. This ensures that only FIPS approved
+implementations are used for cryptographic operations. The C<fips=yes>
+query may also include other non-crypto support operations that
+are not in the FIPS provider, such as asymmetric key encoders, see
+L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>.
+
+It is not mandatory to include C<provider=fips> as part of your property
+query. Including C<provider=fips> in your property query guarantees
+that the OpenSSL FIPS provider is used for cryptographic operations
+rather than other FIPS capable providers.
=head1 OPERATIONS AND ALGORITHMS
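Review bot: The added sentence "The C<fips=yes> query may also include other non-crypto support operations that are not in the FIPS provider" is hard to parse, because a property query does not include operations, it selects implementations. Consider rewording it to say that a C<fips=yes> query can also match support operations implemented outside the FIPS provider, such as the asymmetric key encoders, so that it sits cleanly beside the preceding sentence about only FIPS approved implementations being used and readers do not conclude that C<fips=yes> alone pins the provider. The second new paragraph draws that distinction with C<provider=fips>; it would help to show both properties combined in one query string there. Minor style point: "FIPS approved" and "FIPS capable" read better hyphenated.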