From 31214258309251aff297da67a60a6b60bf4ef27e Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Mon, 29 Jun 2020 12:20:41 +1000 Subject: Add --fips-key configuration parameter to fipsinstall application. Change default FIPS HMAC KEY from all-zero's Use default FIPSKEY if not given on command line. Make all -macopt in fipsinstall optional Make all tests, except fipsinstall, use the default -macopt and -mac_name flags. Define and use FIPSDIR variable on VMS/MMS. Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP. Reviewed-by: Matthias St. Pierre Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12235) --- INSTALL.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'INSTALL.md') diff --git a/INSTALL.md b/INSTALL.md index 85cc1bee40..3b993585d2 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -21,6 +21,7 @@ Table of Contents - [Compiler Warnings](#compiler-warnings) - [ZLib Flags](#zlib-flags) - [Seeding the Random Generator](#seeding-the-random-generator) + - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key) - [Enable and Disable Features](#enable-and-disable-features) - [Displaying configuration data](#displaying-configuration-data) - [Installation Steps in Detail](#installation-steps-in-detail) @@ -465,6 +466,19 @@ at the end of this document. [rng]: #notes-on-random-number-generation +Setting the FIPS HMAC key +------------------------- + + --fips-key=value + +As part of its self-test validation, the FIPS module must verify itself +by performing a SHA-256 HMAC computation on itself. The default key is +the SHA256 value of "the holy handgrenade of antioch" and is sufficient +for meeting the FIPS requirements. + +To change the key to a different value, use this flag. The value should +be a hex string no more than 64 characters. + Enable and Disable Features --------------------------- -- cgit v1.2.1
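Review bot: In the Table of Contents hunk, the new entry links to `#setting-the-FIPS-HMAC-key` with upper-case letters, while every neighbouring entry uses an all-lower-case fragment (`#compiler-warnings`, `#seeding-the-random-generator`). Renderers that generate heading anchors in lower case will not resolve the mixed-case fragment, so the link can silently go nowhere. Suggest `[Setting the FIPS HMAC key](#setting-the-fips-hmac-key)` to match the rest of the list.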
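Review bot: In the new "Setting the FIPS HMAC key" section, the sentence "The value should be a hex string no more than 64 characters" leaves the accepted input underspecified. It gives an upper bound but no minimum length, and it does not say whether an odd number of hex digits is accepted or what happens when the value is too long or not hex at all. Please state the exact constraints and the failure behaviour, so that a mistyped key is not mistaken for a valid one. The paragraph above it also mixes "SHA-256 HMAC" with "SHA256 value"; use one spelling. Since the default key is derived from a phrase printed in this document, it would also help to say whether the key is meant to be secret at all, so readers do not treat `--fips-key` as a confidentiality control.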