openssl3/contribs10/0034.fipsinstall_disable.patch

diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
--- openssl-3.0.0/apps/fipsinstall.c.xxx        2021-11-22 13:09:28.232560235 +0100
+++ openssl-3.0.0/apps/fipsinstall.c    2021-11-22 13:12:22.272058910 +0100
@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
     EVP_MAC *mac = NULL;
     CONF *conf = NULL;
 
+    BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
+    return 1;
+
     if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
         goto end;
 
diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
--- openssl-3.0.0/doc/man1/openssl.pod.xxx      2021-11-22 13:18:51.081406990 +0100
+++ openssl-3.0.0/doc/man1/openssl.pod  2021-11-22 13:19:02.897508738 +0100
@@ -158,10 +158,6 @@ Engine (loadable module) information and
 
 Error Number to Error String Conversion.
 
-=item B<fipsinstall>
-
-FIPS configuration installation.
-
 =item B<gendsa>
 
 Generation of DSA Private Key from Parameters. Superseded by
diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
--- openssl-3.0.0/doc/man5/config.pod.xxx       2021-11-22 13:24:51.359509501 +0100
+++ openssl-3.0.0/doc/man5/config.pod   2021-11-22 13:26:02.360121820 +0100
@@ -573,7 +573,6 @@ configuration files using that syntax wi
 =head1 SEE ALSO
 
 L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
-L<openssl-fipsinstall(1)>,
 L<ASN1_generate_nconf(3)>,
 L<EVP_set_default_properties(3)>,
 L<CONF_modules_load(3)>,
diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
--- openssl-3.0.0/doc/man5/fips_config.pod.xxx  2021-11-22 13:21:13.812636065 +0100
+++ openssl-3.0.0/doc/man5/fips_config.pod      2021-11-22 13:24:12.278172847 +0100
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
 
 =head1 DESCRIPTION
 
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
-is used to hold information about the FIPS module. This includes a digest
-of the shared library file, and status about the self-testing.
-This data is used automatically by the module itself for two
-purposes:
-
-=over 4
-
-=item - Run the startup FIPS self-test known answer tests (KATS).
-
-This is normally done once, at installation time, but may also be set up to
-run each time the module is used.
-
-=item - Verify the module's checksum.
-
-This is done each time the module is used.
-
-=back
-
-This file is generated by the L<openssl-fipsinstall(1)> program, and
-used internally by the FIPS module during its initialization.
-
-The following options are supported. They should all appear in a section
-whose name is identified by the B<fips> option in the B<providers>
-section, as described in L<config(5)/Provider Configuration Module>.
-
-=over 4
-
-=item B<activate>
-
-If present, the module is activated. The value assigned to this name is not
-significant.
-
-=item B<install-version>
-
-A version number for the fips install process. Should be 1.
-
-=item B<conditional-errors>
-
-The FIPS module normally enters an internal error mode if any self test fails.
-Once this error mode is active, no services or cryptographic algorithms are
-accessible from this point on.
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
-generation, or the CRNG output test).
-Setting this value to C<0> allows the error mode to not be triggered if any
-continuous test fails. The default value of C<1> will trigger the error mode.
-Regardless of the value, the operation (e.g., key generation) that called the
-continuous test will return an error code if its continuous test fails. The
-operation may then be retried if the error mode has not been triggered.
-
-=item B<security-checks>
-
-This indicates if run-time checks related to enforcement of security parameters
-such as minimum security strength of keys and approved curve names are used.
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
-are not performed and FIPS compliance must be done by procedures documented in
-the relevant Security Policy.
-
-=item B<module-mac>
-
-The calculated MAC of the FIPS provider file.
-
-=item B<install-status>
-
-An indicator that the self-tests were successfully run.
-This should only be written after the module has
-successfully passed its self tests during installation.
-If this field is not present, then the self tests will run when the module
-loads.
-
-=item B<install-mac>
-
-A MAC of the value of the B<install-status> option, to prevent accidental
-changes to that value.
-It is written-to at the same time as B<install-status> is updated.
-
-=back
-
-For example:
-
- [fips_sect]
- activate = 1
- install-version = 1
- conditional-errors = 1
- security-checks = 1
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
- install-status = INSTALL_SELF_TEST_KATS_RUN
-
-=head1 NOTES
-
-When using the FIPS provider, it is recommended that the
-B<config_diagnostics> option is enabled to prevent accidental use of
-non-FIPS validated algorithms via broken or mistaken configuration.
-See L<config(5)>.
-
-=head1 SEE ALSO
-
-L<config(5)>
-L<openssl-fipsinstall(1)>
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
+automatically loaded when the system is booted in FIPS mode, or when the
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
+for more information.
 
 =head1 COPYRIGHT
 
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx   2021-11-22 13:18:13.850086386 +0100
+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod       2021-11-22 13:18:24.607179038 +0100
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
 
 =head1 SEE ALSO
 
-L<openssl-fipsinstall(1)>,
 L<fips_config(5)>,
 L<OSSL_SELF_TEST_set_callback(3)>,
 L<OSSL_SELF_TEST_new(3)>,
diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac        2022-01-11 13:26:33.279906225 +0100
+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in   2022-01-11 13:33:18.757994419 +0100
@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
 =head1 SYNOPSIS
 
 B<openssl fipsinstall>
-[B<-help>]
-[B<-in> I<configfilename>]
-[B<-out> I<configfilename>]
-[B<-module> I<modulefilename>]
-[B<-provider_name> I<providername>]
-[B<-section_name> I<sectionname>]
-[B<-verify>]
-[B<-mac_name> I<macname>]
-[B<-macopt> I<nm>:I<v>]
-[B<-noout>]
-[B<-quiet>]
-[B<-no_conditional_errors>]
-[B<-no_security_checks>]
-[B<-self_test_onload>]
-[B<-corrupt_desc> I<selftest_description>]
-[B<-corrupt_type> I<selftest_type>]
-[B<-config> I<parent_config>]
 
 =head1 DESCRIPTION
-
-This command is used to generate a FIPS module configuration file.
-This configuration file can be used each time a FIPS module is loaded
-in order to pass data to the FIPS module self tests. The FIPS module always
-verifies its MAC, but optionally only needs to run the KAT's once,
-at installation.
-
-The generated configuration file consists of:
-
-=over 4
-
-=item - A MAC of the FIPS module file.
-
-=item - A test status indicator.
-
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
-
-=item - A MAC of the status indicator.
-
-=item - A control for conditional self tests errors.
-
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
-will enter an error state, and no services or cryptographic algorithms will be
-able to be accessed after this point.
-The default value of '1' will cause the fips module error state to be entered.
-If the value is '0' then the module error state will not be entered.
-Regardless of whether the error state is entered or not, the current operation
-(e.g. key generation) will return an error. The user is responsible for retrying
-the operation if the module error state is not entered.
-
-=item - A control to indicate whether run-time security checks are done.
-
-This indicates if run-time checks related to enforcement of security parameters
-such as minimum security strength of keys and approved curve names are used.
-The default value of '1' will perform the checks.
-If the value is '0' the checks are not performed and FIPS compliance must
-be done by procedures documented in the relevant Security Policy.
-
-=back
-
-This file is described in L<fips_config(5)>.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print a usage message.
-
-=item B<-module> I<filename>
-
-Filename of the FIPS module to perform an integrity check on.
-The path provided in the filename is used to load the module when it is
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
-
-=item B<-out> I<configfilename>
-
-Filename to output the configuration data to; the default is standard output.
-
-=item B<-in> I<configfilename>
-
-Input filename to load configuration data from.
-Must be used if the B<-verify> option is specified.
-
-=item B<-verify>
-
-Verify that the input configuration file contains the correct information.
-
-=item B<-provider_name> I<providername>
-
-Name of the provider inside the configuration file.
-The default value is C<fips>.
-
-=item B<-section_name> I<sectionname>
-
-Name of the section inside the configuration file.
-The default value is C<fips_sect>.
-
-=item B<-mac_name> I<name>
-
-Specifies the name of a supported MAC algorithm which will be used.
-The MAC mechanisms that are available will depend on the options
-used when building OpenSSL.
-To see the list of supported MAC's use the command
-C<openssl list -mac-algorithms>.  The default is B<HMAC>.
-
-=item B<-macopt> I<nm>:I<v>
-
-Passes options to the MAC algorithm.
-A comprehensive list of controls can be found in the EVP_MAC implementation
-documentation.
-Common control strings used for this command are:
-
-=over 4
-
-=item B<key>:I<string>
-
-Specifies the MAC key as an alphanumeric string (use if the key contains
-printable characters only).
-The string length must conform to any restrictions of the MAC algorithm.
-A key must be specified for every MAC algorithm.
-If no key is provided, the default that was specified when OpenSSL was
-configured is used.
-
-=item B<hexkey>:I<string>
-
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
-The key length must conform to any restrictions of the MAC algorithm.
-A key must be specified for every MAC algorithm.
-If no key is provided, the default that was specified when OpenSSL was
-configured is used.
-
-=item B<digest>:I<string>
-
-Used by HMAC as an alphanumeric string (use if the key contains printable
-characters only).
-The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command
-C<openssl list -digest-commands>.
-The default digest is SHA-256.
-
-=back
-
-=item B<-noout>
-
-Disable logging of the self tests.
-
-=item B<-no_conditional_errors>
-
-Configure the module to not enter an error state if a conditional self test
-fails as described above.
-
-=item B<-no_security_checks>
-
-Configure the module to not perform run-time security checks as described above.
-
-=item B<-self_test_onload>
-
-Do not write the two fields related to the "test status indicator" and
-"MAC status indicator" to the output configuration file. Without these fields
-the self tests KATS will run each time the module is loaded. This option could be
-used for cross compiling, since the self tests need to run at least once on each
-target machine. Once the self tests have run on the target machine the user
-could possibly then add the 2 fields into the configuration using some other
-mechanism.
-
-=item B<-quiet>
-
-Do not output pass/fail messages. Implies B<-noout>.
-
-=item B<-corrupt_desc> I<selftest_description>,
-B<-corrupt_type> I<selftest_type>
-
-The corrupt options can be used to test failure of one or more self tests by
-name.
-Either option or both may be used to select the tests to corrupt.
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
-values that can be used.
-
-=item B<-config> I<parent_config>
-
-Test that a FIPS provider can be loaded from the specified configuration file.
-A previous call to this application needs to generate the extra configuration
-data that is included by the base C<parent_config> configuration file.
-See L<config(5)> for further information on how to set up a provider section.
-All other options are ignored if '-config' is used.
-
-=back
-
-=head1 NOTES
-
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
-are not specified, or if either of the options B<-corrupt_desc> or
-B<-corrupt_type> are used.
-If the base configuration file is set up to autoload the fips module, then the
-fips module will be loaded and self tested BEFORE the fipsinstall application
-has a chance to set up its own self test callback. As a result of this the self
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
-For normal usage the base configuration file should use the default provider
-when generating the fips configuration file.
-
-=head1 EXAMPLES
-
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
-for the module, and save the F<fips.cnf> configuration file:
-
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
-
-Verify that the configuration file F<fips.cnf> contains the correct info:
-
- openssl fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips -verify
-
-Corrupt any self tests which have the description C<SHA1>:
-
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
-         -corrupt_desc 'SHA1'
-
-Validate that the fips module can be loaded from a base configuration file:
-
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
- export OPENSSL_MODULES=<provider-path>
- openssl fipsinstall -config' 'default.cnf'
-
-
-=head1 SEE ALSO
-
-L<config(5)>,
-L<fips_config(5)>,
-L<OSSL_PROVIDER-FIPS(7)>,
-L<EVP_MAC(3)>
+This command is disabled.
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
+enable FIPS mode on Red Hat Enterprise
 
 =head1 COPYRIGHT
 
1	diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
2	--- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100
3	+++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100
4	@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
5	EVP_MAC *mac = NULL;
6	CONF *conf = NULL;
7
8	+ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
9	+ return 1;
10	+
11	if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
12	goto end;
13
14	diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
15	--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
16	+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
17	@@ -158,10 +158,6 @@ Engine (loadable module) information and
18
19	Error Number to Error String Conversion.
20
21	-=item B<fipsinstall>
22	-
23	-FIPS configuration installation.
24	-
25	=item B<gendsa>
26
27	Generation of DSA Private Key from Parameters. Superseded by
28	diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
29	--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
30	+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
31	@@ -573,7 +573,6 @@ configuration files using that syntax wi
32	=head1 SEE ALSO
33
34	L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
35	-L<openssl-fipsinstall(1)>,
36	L<ASN1_generate_nconf(3)>,
37	L<EVP_set_default_properties(3)>,
38	L<CONF_modules_load(3)>,
39	diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
40	--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
41	+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
42	@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
43
44	=head1 DESCRIPTION
45
46	-A separate configuration file, using the OpenSSL L<config(5)> syntax,
47	-is used to hold information about the FIPS module. This includes a digest
48	-of the shared library file, and status about the self-testing.
49	-This data is used automatically by the module itself for two
50	-purposes:
51	-
52	-=over 4
53	-
54	-=item - Run the startup FIPS self-test known answer tests (KATS).
55	-
56	-This is normally done once, at installation time, but may also be set up to
57	-run each time the module is used.
58	-
59	-=item - Verify the module's checksum.
60	-
61	-This is done each time the module is used.
62	-
63	-=back
64	-
65	-This file is generated by the L<openssl-fipsinstall(1)> program, and
66	-used internally by the FIPS module during its initialization.
67	-
68	-The following options are supported. They should all appear in a section
69	-whose name is identified by the B<fips> option in the B<providers>
70	-section, as described in L<config(5)/Provider Configuration Module>.
71	-
72	-=over 4
73	-
74	-=item B<activate>
75	-
76	-If present, the module is activated. The value assigned to this name is not
77	-significant.
78	-
79	-=item B<install-version>
80	-
81	-A version number for the fips install process. Should be 1.
82	-
83	-=item B<conditional-errors>
84	-
85	-The FIPS module normally enters an internal error mode if any self test fails.
86	-Once this error mode is active, no services or cryptographic algorithms are
87	-accessible from this point on.
88	-Continuous tests are a subset of the self tests (e.g., a key pair test during key
89	-generation, or the CRNG output test).
90	-Setting this value to C<0> allows the error mode to not be triggered if any
91	-continuous test fails. The default value of C<1> will trigger the error mode.
92	-Regardless of the value, the operation (e.g., key generation) that called the
93	-continuous test will return an error code if its continuous test fails. The
94	-operation may then be retried if the error mode has not been triggered.
95	-
96	-=item B<security-checks>
97	-
98	-This indicates if run-time checks related to enforcement of security parameters
99	-such as minimum security strength of keys and approved curve names are used.
100	-A value of '1' will perform the checks, otherwise if the value is '0' the checks
101	-are not performed and FIPS compliance must be done by procedures documented in
102	-the relevant Security Policy.
103	-
104	-=item B<module-mac>
105	-
106	-The calculated MAC of the FIPS provider file.
107	-
108	-=item B<install-status>
109	-
110	-An indicator that the self-tests were successfully run.
111	-This should only be written after the module has
112	-successfully passed its self tests during installation.
113	-If this field is not present, then the self tests will run when the module
114	-loads.
115	-
116	-=item B<install-mac>
117	-
118	-A MAC of the value of the B<install-status> option, to prevent accidental
119	-changes to that value.
120	-It is written-to at the same time as B<install-status> is updated.
121	-
122	-=back
123	-
124	-For example:
125	-
126	- [fips_sect]
127	- activate = 1
128	- install-version = 1
129	- conditional-errors = 1
130	- security-checks = 1
131	- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
132	- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
133	- install-status = INSTALL_SELF_TEST_KATS_RUN
134	-
135	-=head1 NOTES
136	-
137	-When using the FIPS provider, it is recommended that the
138	-B<config_diagnostics> option is enabled to prevent accidental use of
139	-non-FIPS validated algorithms via broken or mistaken configuration.
140	-See L<config(5)>.
141	-
142	-=head1 SEE ALSO
143	-
144	-L<config(5)>
145	-L<openssl-fipsinstall(1)>
146	+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
147	+automatically loaded when the system is booted in FIPS mode, or when the
148	+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
149	+for more information.
150
151	=head1 COPYRIGHT
152
153	diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
154	--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
155	+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
156	@@ -388,7 +388,6 @@ A simple self test callback is shown bel
157
158	=head1 SEE ALSO
159
160	-L<openssl-fipsinstall(1)>,
161	L<fips_config(5)>,
162	L<OSSL_SELF_TEST_set_callback(3)>,
163	L<OSSL_SELF_TEST_new(3)>,
164	diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
165	--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
166	+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
167	@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
168	=head1 SYNOPSIS
169
170	B<openssl fipsinstall>
171	-[B<-help>]
172	-[B<-in> I<configfilename>]
173	-[B<-out> I<configfilename>]
174	-[B<-module> I<modulefilename>]
175	-[B<-provider_name> I<providername>]
176	-[B<-section_name> I<sectionname>]
177	-[B<-verify>]
178	-[B<-mac_name> I<macname>]
179	-[B<-macopt> I<nm>:I<v>]
180	-[B<-noout>]
181	-[B<-quiet>]
182	-[B<-no_conditional_errors>]
183	-[B<-no_security_checks>]
184	-[B<-self_test_onload>]
185	-[B<-corrupt_desc> I<selftest_description>]
186	-[B<-corrupt_type> I<selftest_type>]
187	-[B<-config> I<parent_config>]
188
189	=head1 DESCRIPTION
190	-
191	-This command is used to generate a FIPS module configuration file.
192	-This configuration file can be used each time a FIPS module is loaded
193	-in order to pass data to the FIPS module self tests. The FIPS module always
194	-verifies its MAC, but optionally only needs to run the KAT's once,
195	-at installation.
196	-
197	-The generated configuration file consists of:
198	-
199	-=over 4
200	-
201	-=item - A MAC of the FIPS module file.
202	-
203	-=item - A test status indicator.
204	-
205	-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
206	-
207	-=item - A MAC of the status indicator.
208	-
209	-=item - A control for conditional self tests errors.
210	-
211	-By default if a continuous test (e.g a key pair test) fails then the FIPS module
212	-will enter an error state, and no services or cryptographic algorithms will be
213	-able to be accessed after this point.
214	-The default value of '1' will cause the fips module error state to be entered.
215	-If the value is '0' then the module error state will not be entered.
216	-Regardless of whether the error state is entered or not, the current operation
217	-(e.g. key generation) will return an error. The user is responsible for retrying
218	-the operation if the module error state is not entered.
219	-
220	-=item - A control to indicate whether run-time security checks are done.
221	-
222	-This indicates if run-time checks related to enforcement of security parameters
223	-such as minimum security strength of keys and approved curve names are used.
224	-The default value of '1' will perform the checks.
225	-If the value is '0' the checks are not performed and FIPS compliance must
226	-be done by procedures documented in the relevant Security Policy.
227	-
228	-=back
229	-
230	-This file is described in L<fips_config(5)>.
231	-
232	-=head1 OPTIONS
233	-
234	-=over 4
235	-
236	-=item B<-help>
237	-
238	-Print a usage message.
239	-
240	-=item B<-module> I<filename>
241	-
242	-Filename of the FIPS module to perform an integrity check on.
243	-The path provided in the filename is used to load the module when it is
244	-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
245	-
246	-=item B<-out> I<configfilename>
247	-
248	-Filename to output the configuration data to; the default is standard output.
249	-
250	-=item B<-in> I<configfilename>
251	-
252	-Input filename to load configuration data from.
253	-Must be used if the B<-verify> option is specified.
254	-
255	-=item B<-verify>
256	-
257	-Verify that the input configuration file contains the correct information.
258	-
259	-=item B<-provider_name> I<providername>
260	-
261	-Name of the provider inside the configuration file.
262	-The default value is C<fips>.
263	-
264	-=item B<-section_name> I<sectionname>
265	-
266	-Name of the section inside the configuration file.
267	-The default value is C<fips_sect>.
268	-
269	-=item B<-mac_name> I<name>
270	-
271	-Specifies the name of a supported MAC algorithm which will be used.
272	-The MAC mechanisms that are available will depend on the options
273	-used when building OpenSSL.
274	-To see the list of supported MAC's use the command
275	-C<openssl list -mac-algorithms>. The default is B<HMAC>.
276	-
277	-=item B<-macopt> I<nm>:I<v>
278	-
279	-Passes options to the MAC algorithm.
280	-A comprehensive list of controls can be found in the EVP_MAC implementation
281	-documentation.
282	-Common control strings used for this command are:
283	-
284	-=over 4
285	-
286	-=item B<key>:I<string>
287	-
288	-Specifies the MAC key as an alphanumeric string (use if the key contains
289	-printable characters only).
290	-The string length must conform to any restrictions of the MAC algorithm.
291	-A key must be specified for every MAC algorithm.
292	-If no key is provided, the default that was specified when OpenSSL was
293	-configured is used.
294	-
295	-=item B<hexkey>:I<string>
296	-
297	-Specifies the MAC key in hexadecimal form (two hex digits per byte).
298	-The key length must conform to any restrictions of the MAC algorithm.
299	-A key must be specified for every MAC algorithm.
300	-If no key is provided, the default that was specified when OpenSSL was
301	-configured is used.
302	-
303	-=item B<digest>:I<string>
304	-
305	-Used by HMAC as an alphanumeric string (use if the key contains printable
306	-characters only).
307	-The string length must conform to any restrictions of the MAC algorithm.
308	-To see the list of supported digests, use the command
309	-C<openssl list -digest-commands>.
310	-The default digest is SHA-256.
311	-
312	-=back
313	-
314	-=item B<-noout>
315	-
316	-Disable logging of the self tests.
317	-
318	-=item B<-no_conditional_errors>
319	-
320	-Configure the module to not enter an error state if a conditional self test
321	-fails as described above.
322	-
323	-=item B<-no_security_checks>
324	-
325	-Configure the module to not perform run-time security checks as described above.
326	-
327	-=item B<-self_test_onload>
328	-
329	-Do not write the two fields related to the "test status indicator" and
330	-"MAC status indicator" to the output configuration file. Without these fields
331	-the self tests KATS will run each time the module is loaded. This option could be
332	-used for cross compiling, since the self tests need to run at least once on each
333	-target machine. Once the self tests have run on the target machine the user
334	-could possibly then add the 2 fields into the configuration using some other
335	-mechanism.
336	-
337	-=item B<-quiet>
338	-
339	-Do not output pass/fail messages. Implies B<-noout>.
340	-
341	-=item B<-corrupt_desc> I<selftest_description>,
342	-B<-corrupt_type> I<selftest_type>
343	-
344	-The corrupt options can be used to test failure of one or more self tests by
345	-name.
346	-Either option or both may be used to select the tests to corrupt.
347	-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
348	-values that can be used.
349	-
350	-=item B<-config> I<parent_config>
351	-
352	-Test that a FIPS provider can be loaded from the specified configuration file.
353	-A previous call to this application needs to generate the extra configuration
354	-data that is included by the base C<parent_config> configuration file.
355	-See L<config(5)> for further information on how to set up a provider section.
356	-All other options are ignored if '-config' is used.
357	-
358	-=back
359	-
360	-=head1 NOTES
361	-
362	-Self tests results are logged by default if the options B<-quiet> and B<-noout>
363	-are not specified, or if either of the options B<-corrupt_desc> or
364	-B<-corrupt_type> are used.
365	-If the base configuration file is set up to autoload the fips module, then the
366	-fips module will be loaded and self tested BEFORE the fipsinstall application
367	-has a chance to set up its own self test callback. As a result of this the self
368	-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
369	-For normal usage the base configuration file should use the default provider
370	-when generating the fips configuration file.
371	-
372	-=head1 EXAMPLES
373	-
374	-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
375	-for the module, and save the F<fips.cnf> configuration file:
376	-
377	- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
378	-
379	-Verify that the configuration file F<fips.cnf> contains the correct info:
380	-
381	- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
382	-
383	-Corrupt any self tests which have the description C<SHA1>:
384	-
385	- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
386	- -corrupt_desc 'SHA1'
387	-
388	-Validate that the fips module can be loaded from a base configuration file:
389	-
390	- export OPENSSL_CONF_INCLUDE=<path of configuration files>
391	- export OPENSSL_MODULES=<provider-path>
392	- openssl fipsinstall -config' 'default.cnf'
393	-
394	-
395	-=head1 SEE ALSO
396	-
397	-L<config(5)>,
398	-L<fips_config(5)>,
399	-L<OSSL_PROVIDER-FIPS(7)>,
400	-L<EVP_MAC(3)>
401	+This command is disabled.
402	+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
403	+enable FIPS mode on Red Hat Enterprise
404
405	=head1 COPYRIGHT
406