author | Shane Lontis <shane.lontis@oracle.com> | 2020-09-10 06:01:30 +0200 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-09-12 08:46:51 +0200 |
commit | 35e6ea3bdc2741c1818337e75756b45d6a2a6122 (patch) | |
tree | 5e3220d285fb8cbc899c7e7565475c832c00943e /doc | |
parent | CRNGT: enter FIPS error state if the test fails (diff) | |
keygen: add FIPS error state management to conditional self tests
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-fipsinstall.pod.in | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index 451e8a775d..7fb6ad5636 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -19,6 +19,7 @@ B<openssl fipsinstall> [B<-macopt> I<nm>:I<v>] [B<-noout>] [B<-quiet>] +[B<-no_conditional_errors>] [B<-corrupt_desc> I<selftest_description>] [B<-corrupt_type> I<selftest_type>] [B<-config> I<parent_config>] @@ -43,6 +44,17 @@ This indicates if the Known Answer Self Tests (KAT's) have successfully run. =item - A MAC of the status indicator. +=item - A control for conditional self tests errors. + +By default if a continuous test (e.g a key pair test) fails then the FIPS module +will enter an error state, and no services or cryptographic algorithms will be +able to be accessed after this point. +The default value of '1' will cause the fips module error state to be entered. +If the value is '0' then the module error state will not be entered. +Regardless of whether the error state is entered or not, the current operation +(e.g. key generation) will return an error. The user is responsible for retrying +the operation if the module error state is not entered. + =back This file is described in L<fips_config(5)>. @@ -133,6 +145,12 @@ The default digest is SHA-256. Disable logging of the self tests. +=item B<-no_conditional_errors> + +Configure the module to not enter an error state if a conditional self test +fails as described above. + + =item B<-quiet> Do not output pass/fail messages. Implies B<-noout>. |
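Review bot: In the hunk at @@ -43,6 +44,17 @@, the new "=item - A control for conditional self tests errors." entry gives the values '1' and '0' but never names the configuration parameter that holds them, so someone auditing a generated file cannot tell which line decides whether a failed test stops the module. Name the key here or point at its entry in fips_config(5). The first sentence says "continuous test" while the item title and the option say "conditional self test"; pick one term. "e.g a key pair test" is missing the period that "(e.g. key generation)" has a few lines later, and "fips module" should match the "FIPS module" capitalisation used in the same paragraph.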
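Review bot: In the hunk at @@ -133,6 +145,12 @@, the description of B<-no_conditional_errors> relies on "as described above", which refers to a list item in a different part of the page; the option text should stand alone by saying which value of the control it writes (the earlier text implies '0') and that the failing operation still returns an error while the module keeps serving requests. The hunk also adds two blank lines before "=item B<-quiet>" where one is enough.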