doc: document the health test EVP_RAND

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25415)

doc/build.info

@@ -4745,6 +4745,10 @@ DEPEND[html/man7/EVP_PKEY-X25519.html]=man7/EVP_PKEY-X25519.pod
 GENERATE[html/man7/EVP_PKEY-X25519.html]=man7/EVP_PKEY-X25519.pod
 DEPEND[man/man7/EVP_PKEY-X25519.7]=man7/EVP_PKEY-X25519.pod
 GENERATE[man/man7/EVP_PKEY-X25519.7]=man7/EVP_PKEY-X25519.pod
+DEPEND[html/man7/EVP_RAND-CRNG-TEST.html]=man7/EVP_RAND-CRNG-TEST.pod
+GENERATE[html/man7/EVP_RAND-CRNG-TEST.html]=man7/EVP_RAND-CRNG-TEST.pod
+DEPEND[man/man7/EVP_RAND-CRNG-TEST.7]=man7/EVP_RAND-CRNG-TEST.pod
+GENERATE[man/man7/EVP_RAND-CRNG-TEST.7]=man7/EVP_RAND-CRNG-TEST.pod
 DEPEND[html/man7/EVP_RAND-CTR-DRBG.html]=man7/EVP_RAND-CTR-DRBG.pod
 GENERATE[html/man7/EVP_RAND-CTR-DRBG.html]=man7/EVP_RAND-CTR-DRBG.pod
 DEPEND[man/man7/EVP_RAND-CTR-DRBG.7]=man7/EVP_RAND-CTR-DRBG.pod
@@ -5127,6 +5131,7 @@ html/man7/EVP_PKEY-HMAC.html \
 html/man7/EVP_PKEY-RSA.html \
 html/man7/EVP_PKEY-SM2.html \
 html/man7/EVP_PKEY-X25519.html \
+html/man7/EVP_RAND-CRNG-TEST.html \
 html/man7/EVP_RAND-CTR-DRBG.html \
 html/man7/EVP_RAND-HASH-DRBG.html \
 html/man7/EVP_RAND-HMAC-DRBG.html \
@@ -5273,6 +5278,7 @@ man/man7/EVP_PKEY-HMAC.7 \
 man/man7/EVP_PKEY-RSA.7 \
 man/man7/EVP_PKEY-SM2.7 \
 man/man7/EVP_PKEY-X25519.7 \
+man/man7/EVP_RAND-CRNG-TEST.7 \
 man/man7/EVP_RAND-CTR-DRBG.7 \
 man/man7/EVP_RAND-HASH-DRBG.7 \
 man/man7/EVP_RAND-HMAC-DRBG.7 \

doc/man7/EVP_RAND-CRNG-TEST.pod

@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+EVP_RAND-CRNG-TEST - The FIPS health testing EVP_RAND filter
+
+=head1 DESCRIPTION
+
+This B<EVP_RAND> object acts a filter between the entropy source
+and its users.  It performs CRNG health tests as defined in
+L<SP 800-90B|https://csrc.nist.gov/pubs/sp/800/90/b/final> Section 4 "Health
+Tests".  Most requests are forwarded to the entropy source, either via
+its parent reference or via the provider entropy upcalls.
+
+=head2 Identity
+
+"CRNG-TEST" is the name for this implementation; it can be used with the
+EVP_RAND_fetch() function.
+
+=head2 Supported parameters
+
+If a parent EVP_RAND is specified on context creation, the parent's
+parameters are supported because the request is forwarded to the parent
+seed source for processing.
+
+If no parent EVP_RAND is specified on context creation, the following parameters
+are supported:
+
+=over 4
+
+=item "state" (B<OSSL_RAND_PARAM_STATE>) <integer>
+
+=item "strength" (B<OSSL_RAND_PARAM_STRENGTH>) <unsigned integer>
+
+=item "max_request" (B<OSSL_RAND_PARAM_MAX_REQUEST>) <unsigned integer>
+
+These parameters work as described in L<EVP_RAND(3)/PARAMETERS>.
+
+=item "fips-indicator" (B<OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
+
+This parameter works as described in L<provider-rand(7)/PARAMETERS>.
+
+=back
+
+=head1 NOTES
+
+This EVP_RAND is only implemented by the OpenSSL FIPS provider.
+
+A context for a health test filter can be obtained by calling:
+
+ EVP_RAND *parent = ...;
+ EVP_RAND *rand = EVP_RAND_fetch(NULL, "CRNG-TEST", NULL);
+ EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, parent);
+
+=head1 SEE ALSO
+
+L<EVP_RAND(3)>, L<OSSL_PROVIDER-FIPS(7)>
+
+=head1 HISTORY
+
+This functionality was added in OpenSSL 3.5.
+
+=head1 COPYRIGHT
+
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man7/OSSL_PROVIDER-FIPS.pod

@@ -232,6 +232,8 @@ This is an unapproved algorithm.
 
 =over 4
 
+=item CRNG-TEST, see L<EVP_RAND-CRNG-TEST(7)>
+
 =item CTR-DRBG, see L<EVP_RAND-CTR-DRBG(7)>
 
 =item HASH-DRBG, see L<EVP_RAND-HASH-DRBG(7)>