path: root/static/freebsd/man5/fips_config.5
Diffstat (limited to 'static/freebsd/man5/fips_config.5')
-rw-r--r--  static/freebsd/man5/fips_config.5  245
1 files changed, 245 insertions, 0 deletions
diff --git a/static/freebsd/man5/fips_config.5 b/static/freebsd/man5/fips_config.5
new file mode 100644
index 00000000..dbedf848
--- /dev/null
+++ b/static/freebsd/man5/fips_config.5
@@ -0,0 +1,245 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
+.\" ========================================================================
+.\"
+.IX Title "FIPS_CONFIG 5ossl"
+.TH FIPS_CONFIG 5ossl 2026-04-07 3.5.6 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+fips_config \- OpenSSL FIPS configuration
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+A separate configuration file, using the OpenSSL \fBconfig\fR\|(5) syntax,
+is used to hold information about the FIPS module. This includes a digest
+of the shared library file, and status about the self\-testing.
+This data is used automatically by the module itself for two
+purposes:
+.IP "\- Run the startup FIPS self\-test known answer tests (KATS)." 4
+.IX Item "- Run the startup FIPS self-test known answer tests (KATS)."
+This is normally done once, at installation time, but may also be set up to
+run each time the module is used.
+.IP "\- Verify the module\*(Aqs checksum." 4
+.IX Item "- Verify the module's checksum."
+This is done each time the module is used.
+.PP
+This file is generated by the \fBopenssl\-fipsinstall\fR\|(1) program, and
+used internally by the FIPS module during its initialization.
+.PP
+The following options are supported. They should all appear in a section
+whose name is identified by the \fBfips\fR option in the \fBproviders\fR
+section, as described in "Provider Configuration Module" in \fBconfig\fR\|(5).
+.IP \fBactivate\fR 4
+.IX Item "activate"
+If present, the module is activated. The value assigned to this name is not
+significant.
+.IP \fBconditional\-errors\fR 4
+.IX Item "conditional-errors"
+The FIPS module normally enters an internal error mode if any self test fails.
+Once this error mode is active, no services or cryptographic algorithms are
+accessible from this point on.
+Continuous tests are a subset of the self tests (e.g., a key pair test during key
+generation, or the CRNG output test).
+Setting this value to \f(CW0\fR allows the error mode to not be triggered if any
+continuous test fails. The default value of \f(CW1\fR will trigger the error mode.
+Regardless of the value, the operation (e.g., key generation) that called the
+continuous test will return an error code if its continuous test fails. The
+operation may then be retried if the error mode has not been triggered.
+.IP \fBmodule\-mac\fR 4
+.IX Item "module-mac"
+The calculated MAC of the FIPS provider file.
+.IP \fBinstall\-version\fR 4
+.IX Item "install-version"
+A version number for the fips install process. Should be 1.
+.IP \fBinstall\-status\fR 4
+.IX Item "install-status"
+This field is deprecated and is no longer used.
+.IP \fBinstall\-mac\fR 4
+.IX Item "install-mac"
+This field is deprecated and is no longer used.
+.SS "FIPS indicator options"
+.IX Subsection "FIPS indicator options"
+The following FIPS configuration options indicate if run\-time checks related to
+enforcement of FIPS security parameters such as minimum security strength of
+keys and approved curve names are used.
+A value of \*(Aq1\*(Aq will perform the checks, otherwise if the value is \*(Aq0\*(Aq the checks
+are not performed and FIPS compliance must be done by procedures documented in
+the relevant Security Policy.
+.PP
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) for further information related to these
+options.
+.IP \fBsecurity\-checks\fR 4
+.IX Item "security-checks"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_security_checks\fR
+.IP \fBtls1\-prf\-ems\-check\fR 4
+.IX Item "tls1-prf-ems-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ems_check\fR
+.IP \fBno\-short\-mac\fR 4
+.IX Item "no-short-mac"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_short_mac\fR
+.IP \fBdrbg\-no\-trunc\-md\fR 4
+.IX Item "drbg-no-trunc-md"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_drbg_truncated_digests\fR
+.IP \fBsignature\-digest\-check\fR 4
+.IX Item "signature-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-signature_digest_check\fR
+.IP \fBhkdf\-digest\-check\fR 4
+.IX Item "hkdf-digest-check"
+This option is deprecated.
+.IP \fBtls13\-kdf\-digest\-check\fR 4
+.IX Item "tls13-kdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_digest_check\fR
+.IP \fBtls1\-prf\-digest\-check\fR 4
+.IX Item "tls1-prf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_digest_check\fR
+.IP \fBsshkdf\-digest\-check\fR 4
+.IX Item "sshkdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_digest_check\fR
+.IP \fBsskdf\-digest\-check\fR 4
+.IX Item "sskdf-digest-check"
+This option is deprecated.
+.IP \fBx963kdf\-digest\-check\fR 4
+.IX Item "x963kdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x963kdf_digest_check\fR
+.IP \fBdsa\-sign\-disabled\fR 4
+.IX Item "dsa-sign-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-dsa_sign_disabled\fR
+.IP \fBtdes\-encrypt\-disabled\fR 4
+.IX Item "tdes-encrypt-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tdes_encrypt_disabled\fR
+.IP \fBrsa\-pkcs15\-pad\-disabled\fR 4
+.IX Item "rsa-pkcs15-pad-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pkcs15_pad_disabled\fR
+.IP \fBrsa\-pss\-saltlen\-check\fR 4
+.IX Item "rsa-pss-saltlen-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pss_saltlen_check\fR
+.IP \fBrsa\-sign\-x931\-pad\-disabled\fR 4
+.IX Item "rsa-sign-x931-pad-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_sign_x931_disabled\fR
+.IP \fBhkdf\-key\-check\fR 4
+.IX Item "hkdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hkdf_key_check\fR
+.IP \fBkbkdf\-key\-check\fR 4
+.IX Item "kbkdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kbkdf_key_check\fR
+.IP \fBtls13\-kdf\-key\-check\fR 4
+.IX Item "tls13-kdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_key_check\fR
+.IP \fBtls1\-prf\-key\-check\fR 4
+.IX Item "tls1-prf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_key_check\fR
+.IP \fBsshkdf\-key\-check\fR 4
+.IX Item "sshkdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_key_check\fR
+.IP \fBsskdf\-key\-check\fR 4
+.IX Item "sskdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sskdf_key_check\fR
+.IP \fBx963kdf\-key\-check\fR 4
+.IX Item "x963kdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x963kdf_key_check\fR
+.IP \fBx942kdf\-key\-check\fR 4
+.IX Item "x942kdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x942kdf_key_check\fR
+.IP \fBpbkdf2\-lower\-bound\-check\fR 4
+.IX Item "pbkdf2-lower-bound-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_pbkdf2_lower_bound_check\fR
+.IP \fBecdh\-cofactor\-check\fR 4
+.IX Item "ecdh-cofactor-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ecdh_cofactor_check\fR
+.IP \fBhmac\-key\-check\fR 4
+.IX Item "hmac-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hmac_key_check\fR
+.IP \fBkmac\-key\-check\fR 4
+.IX Item "kmac-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kmac_key_check\fR
+.PP
+For example:
+.PP
+.Vb 8
+\& [fips_sect]
+\& activate = 1
+\& install\-version = 1
+\& conditional\-errors = 1
+\& security\-checks = 1
+\& module\-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
+\& install\-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
+\& install\-status = INSTALL_SELF_TEST_KATS_RUN
+.Ve
+.SH NOTES
+.IX Header "NOTES"
+When using the FIPS provider, it is recommended that the
+\&\fBconfig_diagnostics\fR option is enabled to prevent accidental use of
+non\-FIPS validated algorithms via broken or mistaken configuration.
+See \fBconfig\fR\|(5).
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBconfig\fR\|(5)
+\&\fBopenssl\-fipsinstall\fR\|(1)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.0.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
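Review bot: the `[fips_sect]` example at the end of DESCRIPTION contradicts the option list just above it: `install-mac` and `install-status` are described a few lines earlier as "deprecated and is no longer used", yet the example still sets
 install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
 install-status = INSTALL_SELF_TEST_KATS_RUN
Suggest dropping those two lines from the example, or labelling them as legacy output of older openssl-fipsinstall runs, so a reader who copies the block as a template does not carry dead fields into a fresh install. Two smaller points in the same file: under "FIPS indicator options" the text says a value of '1' performs the checks, but the mappings `security-checks` -> `-no_security_checks` and `pbkdf2-lower-bound-check` -> `-no_pbkdf2_lower_bound_check` have the opposite polarity from every other entry (key `= 1` means the check runs, while the flag's presence turns it off), and the `-disabled` keys (`dsa-sign-disabled`, `tdes-encrypt-disabled`, `rsa-pkcs15-pad-disabled`, `rsa-sign-x931-pad-disabled`) do not fit the "performs the checks" framing either, since '1' there disables an algorithm or padding mode rather than enabling a check. One sentence in that subsection noting both exceptions would prevent an operator from setting the wrong value and silently weakening the module.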