author: slontis <shane.lontis@oracle.com> 2023-02-08 17:22:43 +1000
committer: Tomas Mraz <tomas@openssl.org> 2023-03-07 18:24:45 +0100
commit: 50ea5cdcb735916591e35a04c1f5a659bf253ddc
tree: 8cdfdf314aa83a346256e15dcf36a18c8e931bea /doc/man1/openssl-fipsinstall.pod.in
parent: de13699370183ab565f548267afa57e25a921ca9
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
Fixes #19989

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
Diffstat (limited to 'doc/man1/openssl-fipsinstall.pod.in')
-rw-r--r-- doc/man1/openssl-fipsinstall.pod.in 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index af18f361e6..8b066453f9 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -21,6 +21,7 @@ B<openssl fipsinstall>
[B<-quiet>]
[B<-no_conditional_errors>]
[B<-no_security_checks>]
+[B<-ems_check>]
[B<-self_test_onload>]
[B<-self_test_oninstall>]
[B<-corrupt_desc> I<selftest_description>]
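Review bot: [B<-ems_check>] in the synopsis is an opt-in switch sitting directly beside two opt-out switches (-no_conditional_errors, -no_security_checks), so its polarity is easy to misread from the synopsis alone. The position after -no_security_checks is fine because it matches the order of the =item entries, but the option's description should lead with the fact that the check is off unless this flag is given, rather than leaving that to its second sentence.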
@@ -165,6 +166,15 @@ fails as described above.
Configure the module to not perform run-time security checks as described above.
+Enabling the configuration option "no-fips-securitychecks" provides another way to
+turn off the check at compile time.
+
+=item B<-ems_check>
+
+Configure the module to enable a run-time Extended Master Secret (EMS) check
+when using the TLS1_PRF KDF algorithm. This check is disabled by default.
+See RFC 7627 for information related to EMS.
+
=item B<-self_test_onload>
Do not write the two fields related to the "test status indicator" and
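Review bot: The =item B<-ems_check> text says a run-time EMS check is enabled for the TLS1_PRF KDF, but it does not say what the caller observes when the check fails, nor whether -no_security_checks (documented immediately above it) also turns this check off. Suggest one sentence on the failure behaviour and one on how the two options interact. Separately, the sentence added under -no_security_checks says "turn off the check" (singular) while the line before it speaks of "run-time security checks"; "turn off the checks" would read consistently, and since that paragraph now sits right before the EMS item it would also avoid "the check" being read as the EMS check.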