From 6a0a3fee222d7687c543bceaf245507674e66c58 Mon Sep 17 00:00:00 2001 From: slontis Date: Wed, 8 Feb 2023 17:22:43 +1000 Subject: Add option to FIPS module to enforce EMS check during KDF TLS1_PRF. Fixes #19989 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/20241) (cherry picked from commit 50ea5cdcb735916591e35a04c1f5a659bf253ddc) --- CHANGES.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index 6586989ec1..24b7ca0e4d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,13 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1.0 [xx XXX xxxx] + * Add FIPS provider configuration option to enforce the + Extended Master Secret (EMS) check during the TLS1_PRF KDF. + The option '-ems-check' can optionally be supplied to + 'openssl fipsinstall'. + + *Shane Lontis* + * The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the "fips=yes" property query must be used for all algorithm fetches to ensure FIPS compliance. -- cgit v1.2.3
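Review bot: The new CHANGES.md entry under "Changes between 3.0 and 3.1.0" names the '-ems-check' option but does not say what an operator gets without it or what changes with it. "can optionally be supplied" implies the check is off by default, and a FIPS deployment reading this entry needs that stated outright, along with the visible effect when the check is enabled (what the TLS1_PRF KDF does when the Extended Master Secret is not in use). Suggest adding one sentence such as "The check is disabled unless this option is given" plus a short statement of the resulting behaviour. Also, since this view is limited to CHANGES.md and the option definition is not shown, please confirm the spelling '-ems-check' matches the option exactly as 'openssl fipsinstall' accepts it, because a changelog entry is often copied straight into install scripts. Minor wording: "can optionally be supplied" is redundant; "can be supplied" is enough.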