
Searched refs:FIPS (Results 1 – 25 of 177) sorted by relevance


/src/crypto/openssl/
README-FIPS.md
1 OpenSSL FIPS support
5 FIPS validated. The module is implemented as an OpenSSL provider.
10 A cryptographic module is only FIPS validated after it has gone through the complex
11 FIPS 140 validation process. As this process takes a very long time, it is not
13 If you need a FIPS validated module then you must ONLY generate a FIPS provider
14 using OpenSSL versions that have valid FIPS certificates. A FIPS certificate
16 in the Security Policy in order to be FIPS compliant.
18 FIPS certificates and Security Policies.
22 legacy providers) without any restrictions, but the FIPS provider must be built
26 The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or
README-PROVIDERS.md
7 - [The FIPS Provider](#the-fips-provider)
54 The FIPS Provider
57 The FIPS provider contains a sub-set of the algorithm implementations available
58 from the default provider, consisting of algorithms conforming to FIPS standards.
63 default provider. This is typically in order to conform to FIPS standards.
72 you are using the FIPS provider).
/src/crypto/openssl/doc/man7/
fips_module.pod
14 with the FIPS module. Which is the correct approach to use will depend on your
17 For information related to installing the FIPS module see
18 L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
23 Applications written to use the OpenSSL 3.0 FIPS module should not use any
24 legacy APIs or features that avoid the FIPS module. Specifically this includes:
48 =head2 Making all applications use the FIPS module by default
51 use the FIPS module for cryptographic algorithms by default.
56 FIPS module without the need for any further code changes.
99 FIPS module config file that you installed earlier.
100 See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
OSSL_PROVIDER-FIPS.pod
5 OSSL_PROVIDER-FIPS - OpenSSL FIPS provider
9 The OpenSSL FIPS provider is a special provider that conforms to the Federal
10 Information Processing Standards (FIPS) specified in FIPS 140-3. This 'module'
32 To be FIPS compliant, it is mandatory to include C<fips=yes> as
33 part of all property queries. This ensures that only FIPS approved
36 are not in the FIPS provider, such as asymmetric key encoders, see
41 that the OpenSSL FIPS provider is used for cryptographic operations
42 rather than other FIPS capable providers.
47 conditions are not met. See L<fips_module(7)/FIPS indicators> for additional
53 The OpenSSL FIPS provider also handles FIPS indicator related parameters as
EVP_ASYM_CIPHER-RSA.pod
28 This padding mode is no longer supported by the FIPS provider for key
30 (This is a FIPS 140-3 requirement).
45 This padding mode is no longer supported by the FIPS provider for key
47 (This is a FIPS 140-3 requirement)
81 The OpenSSL FIPS provider also supports the following parameters:
97 This option breaks FIPS compliance if it causes the approved "fips-indicator"
109 L<OSSL_PROVIDER-FIPS(7)>
EVP_PKEY-DSA.pod
9 For B<DSA> the FIPS 186-4 standard specifies that the values used for FFC
16 As part of FIPS 140-3 DSA is not longer FIPS approved for key generation and
50 The OpenSSL FIPS provider conforms to the rules within the FIPS186-4
60 L<EVP_PKEY_pairwise_check(3)> the OpenSSL default and FIPS providers conform to
127 L<OSSL_PROVIDER-FIPS(7)>
131 DSA Key generation and signature generation are no longer FIPS approved in
132 OpenSSL 3.4. See L<fips_module(7)/FIPS indicators> for more information.
EVP_PKEY-ML-KEM.pod
18 in OpenSSL's default and FIPS providers.
31 the concatenation of the 32-byte I<d> and I<z> parameters described in FIPS 203.
45 key files will contain only the private key in FIPS 203 C<dk> format.
76 The key length and content is that of the FIPS 203 (Algorithm 16:
86 The key length and content is that of the FIPS 203 (Algorithm 16:
93 The key format is that of B<ek> in FIPS 203, Algorithm 16:
113 When an B<ML-KEM> key is imported as an explicit FIPS 203 B<dk> decapsulation
128 only the FIPS 203 C<dk> key.
132 When decoding PKCS#8 objects that contain both a seed and the FIPS 203 C<dk>
156 This format represents B<PKCS#8> objects in which both the FIPS 203 64-byte
EVP_RAND-HASH-DRBG.pod
63 When the FIPS provider is installed using the B<-no_drbg_truncated_digests>
65 L<FIPS 140-3 IG D.R|https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-progr…
125 fipsinstall which restricts the permitted digests when using the FIPS
127 L<FIPS 140-3 IG D.R|https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-progr…
EVP_RAND-HMAC-DRBG.pod
65 When using the FIPS provider, only these digests are permitted (as per
66 L<FIPS 140-3 IG D.R|https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-progr…
128 fipsinstall which restricts the permitted digests when using the FIPS
130 L<FIPS 140-3 IG D.R|https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-progr…
EVP_PKEY-ML-DSA.pod
15 B<EVP_PKEY_ML_DSA_87> are implemented in OpenSSL's default and FIPS providers.
45 key files will contain only the private key in FIPS 204 C<sk> format.
97 only the FIPS 204 C<sk> key.
101 When decoding PKCS#8 objects that contain both a seed and the FIPS 204 C<sk>
125 This format represents B<PKCS#8> objects in which both the FIPS 204 32-byte
141 This format represents B<PKCS#8> objects in which only the 32-byte FIPS 204
148 This format represents B<PKCS#8> objects in which only the FIPS 204
156 encoding of an octet string containing the concatenaton of the FIPS 204 private
165 the 32-byte FIPS 204 seed B<ξ> without any ASN.1 encapsulation.
172 the FIPS 204 secret key B<sk> without any ASN.1 encapsulation.
EVP_SIGNATURE-ML-DSA.pod
13 signature schemes described in L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final>.
16 L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final> Section 4 Table 1.
28 defined in L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2
59 L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and
77 from L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final> Algorithm 7 step 6 and
81 L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and
126 L<FIPS 204|https://csrc.nist.gov/pubs/fips/204/final>
EVP_KEYEXCH-X25519.pod
21 B<X25519> and B<X448> are not FIPS approved in FIPS 140-3.
44 L<OSSL_PROVIDER-FIPS(7)>,
EVP_CIPHER-DES.pod
13 The following algorithms are available in the FIPS provider as well as the
25 FIPS provider:
66 L<provider-cipher(7)>, L<OSSL_PROVIDER-FIPS(7)>, L<OSSL_PROVIDER-default(7)>,
EVP_MAC-CMAC.pod
52 This option is used by the OpenSSL FIPS provider.
59 This option breaks FIPS compliance if it causes the approved "fips-indicator"
82 This option is used by the OpenSSL FIPS provider.
84 A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
/src/crypto/openssl/doc/designs/
fips_indicator.md
1 OpenSSL FIPS Indicators
4 The following document refers to behaviour required by the OpenSSL FIPS provider,
10 - [1] FIPS 140-3 Standards: <https://csrc.nist.gov/projects/cryptographic-module-validation-program…
14 …[5] FIPS 140-3 Implementation Guidance: <https://csrc.nist.gov/csrc/media/Projects/cryptographic-m…
19 The following information was extracted from the FIPS 140-3 IG [5] “2.4.C Approved Security Service…
22 - A FIPS 140-3 compliant module requires a built-in service indicator capable of indicating the use…
29 Since any new FIPS restrictions added could possibly break existing applications
32 - The FIPS restrictions should be able to be disabled using Configuration file options (This result…
34 - The FIPS restrictions should be able to be enabled/disabled per algorithm context.
40 In OpenSSL most of the existing code in the FIPS provider is using
ML-KEM.md
5 **ML-KEM** is specified in [FIPS 203], which includes comprehensive pseudo-code
11 There are 3 different parameter sets in FIPS 203 (see Section 8).
67 fully describe the algorithms) FIPS 203 documents a format that is commonly
73 Recovery of the key from the seed (*d*, *z* pair) is supported by the [FIPS
79 [FIPS 203] format, but it will be possible to use the "seed-based" private key
155 [FIPS 203]:
156 <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf>
/src/crypto/openssl/test/recipes/30-test_evp_data/
evpciph_des3_common.txt
26 # FIPS(3.0.0): has a bug in the IV length #17591
43 # Test that DES3 CBC mode encryption fails because it is not FIPS approved
53 # Test that DES3 EBC mode encryption fails because it is not FIPS approved
62 Title = DES3 FIPS Indicator Tests
64 # Test that DES3 CBC mode encryption is not FIPS approved
76 # Test that DES3 ECB mode encryption is not FIPS approved
evppkey_rsa_common.txt
256 # The old FIPS provider doesn't include the workaround (#13817)
264 # The old FIPS provider doesn't include the workaround (#13817)
272 # The old FIPS provider doesn't include the workaround (#13817)
413 # The old FIPS provider doesn't include the workaround (#13817)
420 # The old FIPS provider doesn't include the workaround (#13817)
427 # The old FIPS provider doesn't include the workaround (#13817)
434 # The old FIPS provider doesn't include the workaround (#13817)
476 # The old FIPS provider doesn't include the workaround (#13817)
483 # The old FIPS provider doesn't include the workaround (#13817)
491 # The old FIPS provider doesn't include the workaround (#13817)
evppkey_rsa_kem.txt
55 # testing the FIPS provider's ability to detect short keys. If a
86 # Test small RSA keys are not allowed for Encapsulation in FIPS mode
94 # Test small RSA keys are not allowed for Decapsulation in FIPS mode
103 # Test FIPS indicator callback is triggered
/src/crypto/openssl/doc/man5/
fips_config.pod
5 fips_config - OpenSSL FIPS configuration
10 is used to hold information about the FIPS module. This includes a digest
17 =item - Run the startup FIPS self-test known answer tests (KATS).
29 used internally by the FIPS module during its initialization.
44 The FIPS module normally enters an internal error mode if any self test fails.
57 The calculated MAC of the FIPS provider file.
73 =head2 FIPS indicator options
75 The following FIPS configuration options indicate if run-time checks related to
76 enforcement of FIPS security parameters such as minimum security strength of
79 are not performed and FIPS compliance must be done by procedures documented in
/src/crypto/openssl/doc/man1/
openssl-fipsinstall.pod.in
6 openssl-fipsinstall - perform FIPS configuration installation
60 This command is used to generate a FIPS module configuration file.
61 This configuration file can be used each time a FIPS module is loaded
62 in order to pass data to the FIPS module self tests. The FIPS module always
70 =item - A MAC of the FIPS module file.
80 By default if a continuous test (e.g a key pair test) fails then the FIPS module
94 If the value is '0' the checks are not performed and FIPS compliance must
111 Filename of the FIPS module to perform an integrity check on.
189 Configure the module so that it is strictly FIPS compliant rather
193 FIPS compliance will result in an error.
/src/crypto/openssl/doc/man3/
OSSL_INDICATOR_set_callback.pod
6 OSSL_INDICATOR_get_callback - specify a callback for FIPS indicators
23 I<libctx> that will be called when a non approved FIPS operation is detected.
29 so (either by setting a global FIPS configuration option or via an option in an
47 A simple indicator callback to log non approved FIPS operations
65 L<OSSL_PROVIDER-FIPS(7)>
/src/crypto/openssl/include/openssl/
fipskey.h.in
21 * The FIPS validation HMAC key, usable as an array initializer.
29 * The FIPS validation key, as a string.
36 * The FIPS provider vendor name, as a string.
/src/crypto/openssl/test/
fips-alt.cnf
10 # Ensure FIPS non-approved algorithms in the FIPS module are suppressed (e.g.
fips.cnf
13 # Ensure FIPS non-approved algorithms in the FIPS module are suppressed (e.g.
