author | Pauli <pauli@openssl.org> | 2023-02-27 00:14:43 +0100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-02-28 23:16:45 +0100 |
commit | 0a81220a01e888c3ee4ab18dfdcab6472d9e214c (patch) | |
tree | 6279965ff23de6e49bd93e92edb410e9b9a9edad /doc/man7 | |
parent | Fix incomplete error check on RSA_public_decrypt() (diff) | |
Update FIPS provider documentation to note that fips=yes is mandatory
This was in the notes section but an earlier comment about it not being
mandatory was missed.
Fixes #20376
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20382)
Diffstat (limited to 'doc/man7')
-rw-r--r-- | doc/man7/OSSL_PROVIDER-FIPS.pod | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 9396b5e431..1e1601cef1 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -29,14 +29,17 @@ L<EVP_MD_fetch(3)> or L<EVP_CIPHER_fetch(3)>, as well as with other functions that take a property query string, such as L<EVP_PKEY_CTX_new_from_name(3)>. -It isn't mandatory to query for any of these properties, except to -make sure to get implementations of this provider and none other. - -The C<fips=yes> property can be use to make sure only FIPS approved -implementations are used for crypto operations. This may also include -other non-crypto support operations that are not in the FIPS provider, -such as asymmetric key encoders, -see L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>. +To be FIPS compliant, it is mandatory to include C<fips=yes> as +part of all property queries. This ensures that only FIPS approved +implementations are used for cryptographic operations. The C<fips=yes> +query may also include other non-crypto support operations that +are not in the FIPS provider, such as asymmetric key encoders, see +L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>. + +It is not mandatory to include C<provider=fips> as part of your property +query. Including C<provider=fips> in your property query guarantees +that the OpenSSL FIPS provider is used for cryptographic operations +rather than other FIPS capable providers. =head1 OPERATIONS AND ALGORITHMS |
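Review bot: In the first added paragraph, the sentence "The C<fips=yes> query may also include other non-crypto support operations that are not in the FIPS provider" says that the query includes operations, where it presumably means that the implementations matching C<fips=yes> can include ones from outside the FIPS provider. That distinction carries the whole change, because the second added paragraph depends on it to explain why C<provider=fips> is a separate and stronger guarantee. Suggest something like "Implementations matching C<fips=yes> may also include non-crypto support operations that are not in the FIPS provider, such as asymmetric key encoders; see L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>", which also removes the comma splice before "see". Since the text now says C<fips=yes> is mandatory in "all property queries", it would help to say in the same paragraph whether that means every individual fetch call or whether a default property query satisfies it. Minor style point: "FIPS approved" and "FIPS capable" read better hyphenated when used as modifiers.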