diff options
| author | slontis <shane.lontis@oracle.com> | 2023-02-08 17:22:43 +1000 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-03-07 18:26:59 +0100 |
| commit | 6a0a3fee222d7687c543bceaf245507674e66c58 (patch) | |
| tree | 102d67e993235d4cb0d8f88ac6b8b40e9a97e30e /doc | |
| parent | 5b2fe0ba65b37950742305684ad54abcba305e13 (diff) | |
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
Fixes #19989
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
(cherry picked from commit 50ea5cdcb735916591e35a04c1f5a659bf253ddc)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man1/openssl-fipsinstall.pod.in | 10 | ||||
| -rw-r--r-- | doc/man7/OSSL_PROVIDER-FIPS.pod | 15 |
2 files changed, 25 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index 2e451f0a41..4d6b4655e6 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -21,6 +21,7 @@ B<openssl fipsinstall> [B<-quiet>] [B<-no_conditional_errors>] [B<-no_security_checks>] +[B<-ems_check>] [B<-self_test_onload>] [B<-self_test_oninstall>] [B<-corrupt_desc> I<selftest_description>] @@ -165,6 +166,15 @@ fails as described above. Configure the module to not perform run-time security checks as described above. +Enabling the configuration option "no-fips-securitychecks" provides another way to +turn off the check at compile time. + +=item B<-ems_check> + +Configure the module to enable a run-time Extended Master Secret (EMS) check +when using the TLS1_PRF KDF algorithm. This check is disabled by default. +See RFC 7627 for information related to EMS. + =item B<-self_test_onload> Do not write the two fields related to the "test status indicator" and diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 691f36a357..063a47af80 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -41,6 +41,21 @@ query. Including C<provider=fips> in your property query guarantees that the OpenSSL FIPS provider is used for cryptographic operations rather than other FIPS capable providers. +=head2 Provider parameters + +See L<provider-base(7)/Provider parameters> for a list of base parameters. +Additionally the OpenSSL FIPS provider also supports the following gettable +parameters: + +=over 4 + +=item "security-checks" (B<OSSL_OSSL_PROV_PARAM_SECURITY_CHECKS>) <unsigned integer> + +For further information refer to the L<openssl-fipsinstall(1)> option +B<-no_security_checks>. + +=back + =head1 OPERATIONS AND ALGORITHMS The OpenSSL FIPS provider supports these operations and algorithms: |