Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.

Fixes #19989 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20241) (cherry picked from commit 50ea5cdcb735916591e35a04c1f5a659bf253ddc)
author: slontis <shane.lontis@oracle.com> 2023-02-08 17:22:43 +1000
committer: Tomas Mraz <tomas@openssl.org> 2023-03-07 18:26:59 +0100
commit: 6a0a3fee222d7687c543bceaf245507674e66c58 (patch)
tree: 102d67e993235d4cb0d8f88ac6b8b40e9a97e30e /CHANGES.md
parent: 5b2fe0ba65b37950742305684ad54abcba305e13 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 6586989ec1..24b7ca0e4d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,13 @@ OpenSSL 3.1
 
 ### Changes between 3.0 and 3.1.0 [xx XXX xxxx]
 
+ * Add FIPS provider configuration option to enforce the
+   Extended Master Secret (EMS) check during the TLS1_PRF KDF.
+   The option '-ems-check' can optionally be supplied to
+   'openssl fipsinstall'.
+
+   *Shane Lontis*
+
  * The FIPS provider includes a few non-approved algorithms for
    backward compatibility purposes and the "fips=yes" property query
    must be used for all algorithm fetches to ensure FIPS compliance.
author	slontis <shane.lontis@oracle.com>	2023-02-08 17:22:43 +1000
committer	Tomas Mraz <tomas@openssl.org>	2023-03-07 18:26:59 +0100
commit	6a0a3fee222d7687c543bceaf245507674e66c58 (patch)
tree	102d67e993235d4cb0d8f88ac6b8b40e9a97e30e /CHANGES.md
parent	5b2fe0ba65b37950742305684ad54abcba305e13 (diff)