author Shane Lontis <shane.lontis@oracle.com> 2020-09-10 06:01:30 +0200
committer Pauli <paul.dale@oracle.com> 2020-09-12 08:46:51 +0200
commit 35e6ea3bdc2741c1818337e75756b45d6a2a6122
tree 5e3220d285fb8cbc899c7e7565475c832c00943e /doc
parent CRNGT: enter FIPS error state if the test fails
keygen: add FIPS error state management to conditional self tests
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man1/openssl-fipsinstall.pod.in 18
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 451e8a775d..7fb6ad5636 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -19,6 +19,7 @@ B<openssl fipsinstall>
[B<-macopt> I<nm>:I<v>]
[B<-noout>]
[B<-quiet>]
+[B<-no_conditional_errors>]
[B<-corrupt_desc> I<selftest_description>]
[B<-corrupt_type> I<selftest_type>]
[B<-config> I<parent_config>]
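Review bot: the synopsis places [B<-no_conditional_errors>] after [B<-quiet>], but the OPTIONS hunk later in this patch adds its =item before B<-quiet>. Keep the two in the same order, for example by moving this line above [B<-quiet>], so the option is found where the synopsis suggests.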
@@ -43,6 +44,17 @@ This indicates if the Known Answer Self Tests (KAT's) have successfully run.
=item - A MAC of the status indicator.
+=item - A control for conditional self tests errors.
+
+By default if a continuous test (e.g a key pair test) fails then the FIPS module
+will enter an error state, and no services or cryptographic algorithms will be
+able to be accessed after this point.
+The default value of '1' will cause the fips module error state to be entered.
+If the value is '0' then the module error state will not be entered.
+Regardless of whether the error state is entered or not, the current operation
+(e.g. key generation) will return an error. The user is responsible for retrying
+the operation if the module error state is not entered.
+
=back
This file is described in L<fips_config(5)>.
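Review bot: the new "=item - A control for conditional self tests errors." never names the configuration field that holds the '1' or '0' value, so a reader auditing the generated file cannot tell which line decides whether a failed test halts the module. Name the field here or point to its entry in L<fips_config(5)>. The text also switches between "continuous test" and "conditional self test" without saying whether they are the same thing, writes "fips module" next to "FIPS module", has "e.g a" where the next paragraph uses "e.g.", and states the default twice ("By default ..." and "The default value of '1' ..."). "conditional self tests errors" should read "conditional self test errors".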
@@ -133,6 +145,12 @@ The default digest is SHA-256.
Disable logging of the self tests.
+=item B<-no_conditional_errors>
+
+Configure the module to not enter an error state if a conditional self test
+fails as described above.
+
+
=item B<-quiet>
Do not output pass/fail messages. Implies B<-noout>.
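Review bot: "as described above" in the B<-no_conditional_errors> entry does not say which section it refers to, and the entry does not state what the option writes to the output file. Say directly that it sets the conditional self test error control to '0', with the consequence given in the earlier item that the failing operation still returns an error but the module stays usable. The hunk also adds two consecutive blank lines before =item B<-quiet>, where one is enough.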