doc: note the restriction on digests used by DRBGs in FIPS mode.

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
author: Pauli <pauli@openssl.org> 2023-03-16 14:21:25 +1100
committer: Pauli <pauli@openssl.org> 2023-03-29 09:25:19 +1100
commit: e14fc22c90ce5a9e6d66d8658fc6bb37f95019da (patch)
tree: 813b61a41d378d0845539c5d223f516b04318313 /doc/man1
parent: f553c0f0dd24f037f31d971a99a1ffe7a11f64e6 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 8b066453f9..e3ceeb481c 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -22,6 +22,7 @@ B<openssl fipsinstall>
 [B<-no_conditional_errors>]
 [B<-no_security_checks>]
 [B<-ems_check>]
+[B<-no_drbg_truncated_digests>]
 [B<-self_test_onload>]
 [B<-self_test_oninstall>]
 [B<-corrupt_desc> I<selftest_description>]
@@ -175,6 +176,11 @@ Configure the module to enable a run-time Extended Master Secret (EMS) check
 when using the TLS1_PRF KDF algorithm. This check is disabled by default.
 See RFC 7627 for information related to EMS.
 
+=item B<-no_drbg_truncated_digests>
+
+Configure the module to not allow truncated digests to be used with Hash and
+HMAC DRBGs.  See FIPS 140-3 IG D.R for details.
+
 =item B<-self_test_onload>
 
 Do not write the two fields related to the "test status indicator" and
author	Pauli <pauli@openssl.org>	2023-03-16 14:21:25 +1100
committer	Pauli <pauli@openssl.org>	2023-03-29 09:25:19 +1100
commit	e14fc22c90ce5a9e6d66d8658fc6bb37f95019da (patch)
tree	813b61a41d378d0845539c5d223f516b04318313 /doc/man1
parent	f553c0f0dd24f037f31d971a99a1ffe7a11f64e6 (diff)