From 73f59aa8ebee4231ef8d4072b474974c571efb96 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 25 May 2023 11:31:36 +1000 Subject: [PATCH] doc: update FIPS provider version information With 3.0.8 validated, we need to note this in the documentation. Reviewed-by: Tomas Mraz Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/21049) --- doc/man7/OSSL_PROVIDER-FIPS.pod | 18 +++++++++++++----- doc/man7/fips_module.pod | 18 +++++++++++++----- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index a18703f568fc5..844c14df9e257 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -426,6 +426,17 @@ A simple self test callback is shown below for illustrative purposes. =head1 NOTES +Some released versions of OpenSSL do not include a validated +FIPS provider. To determine which versions have undergone +the validation process, please refer to the +L. If you +require FIPS-approved functionality, it is essential to build your FIPS +provider using one of the validated versions listed there. Normally, +it is possible to utilize a FIPS provider constructed from one of the +validated versions alongside F and F compiled from any +release within the same major release series. This flexibility enables +you to address bug fixes and CVEs that fall outside the FIPS boundary. + The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, consequently the property query C is mandatory for applications that want to operate in a FIPS approved manner. The algorithms are: @@ -449,16 +460,13 @@ L, L, L, L, -L +L, +L =head1 HISTORY This functionality was added in OpenSSL 3.0. -OpenSSL 3.0 includes a FIPS 140-2 approved FIPS provider. - -OpenSSL 3.1 includes a FIPS 140-3 approved FIPS provider. - =head1 COPYRIGHT Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index c465dca56c6b1..f3fca15c58b4f 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -470,6 +470,17 @@ L. =head1 NOTES +Some released versions of OpenSSL do not include a validated +FIPS provider. To determine which versions have undergone +the validation process, please refer to the +L. If you +require FIPS-approved functionality, it is essential to build your FIPS +provider using one of the validated versions listed there. Normally, +it is possible to utilize a FIPS provider constructed from one of the +validated versions alongside F and F compiled from any +release within the same major release series. This flexibility enables +you to address bug fixes and CVEs that fall outside the FIPS boundary. + The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, consequently the property query C is mandatory for applications that want to operate in a FIPS approved manner. The algorithms are: @@ -486,17 +497,14 @@ want to operate in a FIPS approved manner. The algorithms are: =head1 SEE ALSO -L, L, L +L, L, L, +L =head1 HISTORY The FIPS module guide was created for use with the new FIPS provider in OpenSSL 3.0. -OpenSSL 3.0 includes a FIPS 140-2 approved FIPS provider. - -OpenSSL 3.1 includes a FIPS 140-3 approved FIPS provider. - =head1 COPYRIGHT Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
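Review bot: In the paragraph added under =head1 NOTES in doc/man7/OSSL_PROVIDER-FIPS.pod (hunk @@ -426,6 +426,17 @@), the sentence beginning "Normally, it is possible to utilize a FIPS provider constructed from one of the validated versions" leaves the exception undefined. A reader cannot tell in which cases a validated provider cannot be combined with a later release of the same major series. Suggest either stating the condition under which the combination fails, or dropping "Normally" and saying how the reader can confirm that the combination they built is supported. The same wording is added to doc/man7/fips_module.pod and needs the same change there.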
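Review bot: The HISTORY part of hunk @@ -449,16 +460,13 @@ in doc/man7/OSSL_PROVIDER-FIPS.pod (and the matching hunk in doc/man7/fips_module.pod) deletes "OpenSSL 3.0 includes a FIPS 140-2 approved FIPS provider." and "OpenSSL 3.1 includes a FIPS 140-3 approved FIPS provider." without a replacement, so neither page says any longer which FIPS 140 revision a validation refers to. Suggest a sentence in the new NOTES paragraph saying that the linked page records the standard each validated version was tested against. Also, the unchanged context line "The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms" now directly follows a paragraph warning that some releases have no validated provider; it would help to say whether that remark describes a validated 3.1 provider or only the code shipped in 3.1.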
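Review bot: The paragraph added under =head1 NOTES in doc/man7/fips_module.pod (hunk @@ -470,6 +470,17 @@) is a verbatim copy of the one added to doc/man7/OSSL_PROVIDER-FIPS.pod, so each future validation update has to be made in two places and the two copies can drift apart. Suggest keeping the full text in one of the two pages and reducing the other to a single sentence that points to it.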