author: Rich Salz <rsalz@akamai.com> 2020-06-29 12:20:41 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2020-06-29 12:20:41 +1000
commit: 31214258309251aff297da67a60a6b60bf4ef27e
tree: aee548533bd6a7fe25c3c6ebf06b46287dfccb6c /INSTALL.md
parent: 9afbb681ecd433623fb39db2a110ec3351d271c7
Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and -mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)

Diffstat (limited to 'INSTALL.md')
-rw-r--r-- INSTALL.md 14
1 files changed, 14 insertions, 0 deletions
diff --git a/INSTALL.md b/INSTALL.md
index 85cc1bee40..3b993585d2 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -21,6 +21,7 @@ Table of Contents
- [Compiler Warnings](#compiler-warnings)
- [ZLib Flags](#zlib-flags)
- [Seeding the Random Generator](#seeding-the-random-generator)
+ - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key)
- [Enable and Disable Features](#enable-and-disable-features)
- [Displaying configuration data](#displaying-configuration-data)
- [Installation Steps in Detail](#installation-steps-in-detail)
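Review bot: The new table-of-contents entry links to `#setting-the-FIPS-HMAC-key` with upper-case letters, while every neighbouring entry uses an all-lowercase fragment (`#seeding-the-random-generator`, `#enable-and-disable-features`). Renderers that derive heading anchors by lowercasing the title will not resolve the mixed-case fragment, so the link should read `#setting-the-fips-hmac-key` to match the other entries.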
@@ -465,6 +466,19 @@ at the end of this document.
[rng]: #notes-on-random-number-generation
+Setting the FIPS HMAC key
+-------------------------
+
+ --fips-key=value
+
+As part of its self-test validation, the FIPS module must verify itself
+by performing a SHA-256 HMAC computation on itself. The default key is
+the SHA256 value of "the holy handgrenade of antioch" and is sufficient
+for meeting the FIPS requirements.
+
+To change the key to a different value, use this flag. The value should
+be a hex string no more than 64 characters.
+
Enable and Disable Features
---------------------------
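Review bot: The last added paragraph ("The value should be a hex string no more than 64 characters") gives only an upper bound and leaves the input contract underspecified. It should state whether shorter or odd-length hex strings are accepted and how they are handled, since a silently truncated or padded key would make the module's stored HMAC impossible to reproduce. The commit message says fipsinstall falls back to the default FIPSKEY when no `-macopt` is given, so the section should also say that a module built with a non-default `--fips-key` has to be installed and verified with that same key. Minor: the first paragraph writes both "SHA-256" and "SHA256"; pick one spelling.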