Add FIPS related configuration data to the default openssl application configuration file

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12333)

apps/openssl-vms.cnf

@@ -1,7 +1,9 @@
 #
 # OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
+# See doc/man5/config.pod for more info.
 #
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
 
 # Note that you can include other files from the main configuration
 # file using the .include directive.
@@ -11,6 +13,9 @@
 # defined.
 HOME			= .
 
+ # Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
 # Extra OBJECT IDENTIFIER info:
 # oid_file       = $ENV::HOME/.oid
 oid_section = new_oids
@@ -23,7 +28,6 @@ oid_section		= new_oids
 # X.509v3 extensions in its main [= default] section.)
 
 [ new_oids ]
-
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
@@ -35,6 +39,28 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g. [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+[default_sect]
+# activate = 1
+
+
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section

apps/openssl.cnf

@@ -1,7 +1,9 @@
 #
 # OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
+# See doc/man5/config.pod for more info.
 #
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
 
 # Note that you can include other files from the main configuration
 # file using the .include directive.
@@ -11,6 +13,9 @@
 # defined.
 HOME			= .
 
+ # Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
 # Extra OBJECT IDENTIFIER info:
 # oid_file       = $ENV::HOME/.oid
 oid_section = new_oids
@@ -23,7 +28,6 @@ oid_section		= new_oids
 # X.509v3 extensions in its main [= default] section.)
 
 [ new_oids ]
-
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
@@ -35,6 +39,28 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g. [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+[default_sect]
+# activate = 1
+
+
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section

doc/man5/config.pod

@@ -474,6 +474,7 @@ configuration files using that syntax will have to be modified.
 =head1 SEE ALSO
 
 L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
+L<openssl-fipsinstall(1)>,
 L<ASN1_generate_nconf(3)>,
 L<EVP_set_default_properties(3)>,
 L<CONF_modules_load_file(3)>,