doc: document no_short_mac option to fipsinstall

author Pauli <ppzgs1@gmail.com>

Wed, 17 Jul 2024 00:35:56 +0000 (10:35 +1000)

committer Pauli <ppzgs1@gmail.com>

Fri, 26 Jul 2024 00:09:29 +0000 (10:09 +1000)
author Pauli <ppzgs1@gmail.com>
Wed, 17 Jul 2024 00:35:56 +0000 (10:35 +1000)
committer Pauli <ppzgs1@gmail.com>
Fri, 26 Jul 2024 00:09:29 +0000 (10:09 +1000)
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in

index cb98598904177b2f0664269204028e66b6373dc8..0524c0fef12906778ba7566fd61194bcf60897a7 100644 (file)
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -31,6 +31,7 @@ B<openssl fipsinstall>
  [B<-sskdf_digest_check>]
  [B<-x963kdf_digest_check>]
  [B<-dsa_sign_disabled>]
+[B<-no_short_mac>]
  [B<-self_test_onload>]
  [B<-self_test_oninstall>]
  [B<-corrupt_desc> I<selftest_description>]
@@ -192,6 +193,11 @@ Configure the module to enable a run-time Extended Master Secret (EMS) check
  when using the TLS1_PRF KDF algorithm. This check is disabled by default.
  See RFC 7627 for information related to EMS.
  
+=item B<-no_short_mac>
+
+Configure the module to not allow short MAC outputs.
+See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details.
+
  =item B<-no_drbg_truncated_digests>
  
  Configure the module to not allow truncated digests to be used with Hash and
author	Pauli <ppzgs1@gmail.com>
	Wed, 17 Jul 2024 00:35:56 +0000 (10:35 +1000)
committer	Pauli <ppzgs1@gmail.com>
	Fri, 26 Jul 2024 00:09:29 +0000 (10:09 +1000)