author Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> 2024-05-10 11:58:18 +0100
committer Pauli <ppzgs1@gmail.com> 2024-08-15 08:33:48 +1000
commit 8945f406a73a01862695a424679f9440f592604b (patch)
tree 7b8a5bea55bce6cd0df1a1d6697262c0165b97ab /README-FIPS.md
parent ca112fccdd34a8538f14ddf8c3569b8331eae357 (diff)
fips: allow to customize provider vendor name

FIPS providers need to specify identifiable names and versions. Allow to
customize the fips provider name prefix, via VERSION.dat which already
allows to customize version & buildinfo. With this patch in-place it
removes the need of patching code to set customized provider name.

E.g. echo FIPS_VENDOR=ACME >> VERSION.dat, results in

```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  fips
    name: ACME FIPS Provider for OpenSSL
    version: 3.4.0
    status: active
    build info: 3.4.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
      security-checks: integer (arbitrary size)
      tls1-prf-ems-check: integer (arbitrary size)
      drbg-no-trunc-md: integer (arbitrary size)
```

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24368)

Diffstat (limited to 'README-FIPS.md')
-rw-r--r-- README-FIPS.md 14
1 files changed, 14 insertions, 0 deletions
diff --git a/README-FIPS.md b/README-FIPS.md
index 66fd18030a..d8ca3c482d 100644
--- a/README-FIPS.md
+++ b/README-FIPS.md
@@ -166,3 +166,17 @@ Documentation about using the FIPS module is available on the [fips_module(7)]
manual page.
[fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html
+
+3rd-Party Vendor Builds
+=====================================
+
+Some Vendors choose to patch/modify/build their own FIPS provider,
+test it with a Security Laboratory and submit it under their own CMVP
+certificate, instead of using OpenSSL Project submissions. When doing
+so, FIPS provider should uniquely identify its own name and version
+number. The build infrastructure allows to customize FIPS provider
+build information via changes to strings in `VERSION.dat`.
+
+Setting "PRE_RELEASE_TAG" (dashed suffix), "BUILD_METADATA" (plus
+suffix), and "FIPS_VENDOR" allow to control reported FIPS provider
+name and build version as required for CMVP submission.
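
Review bot: The new section names "FIPS_VENDOR" but never shows the `VERSION.dat` syntax or the provider name it produces, so a vendor reading only this README cannot tell which string will be reported and has to find the commit message to learn it. Consider adding the one-line example from the commit message (`FIPS_VENDOR=ACME` yielding `ACME FIPS Provider for OpenSSL`) and pointing to `openssl list -providers --verbose` as the way to confirm that the reported name and version match what is being submitted. Wording: "allows to customize" and "allow to control" read better as "allows customizing" and "allows controlling", "FIPS provider should" needs an article, and the `=====` underline is considerably longer than the heading text it sits under.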