From: Pauli Date: Wed, 17 Jul 2024 00:35:56 +0000 (+1000) Subject: doc: document no_short_mac option to fipsinstall X-Git-Tag: openssl-3.4.0-alpha1~283 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc98a2f6ad8f8afe5f0e32d2ae66d09d39b1ff9d;p=thirdparty%2Fopenssl.git doc: document no_short_mac option to fipsinstall Reviewed-by: Shane Lontis Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/24917) --- diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index cb985989041..0524c0fef12 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -31,6 +31,7 @@ B [B<-sskdf_digest_check>] [B<-x963kdf_digest_check>] [B<-dsa_sign_disabled>] +[B<-no_short_mac>] [B<-self_test_onload>] [B<-self_test_oninstall>] [B<-corrupt_desc> I] @@ -192,6 +193,11 @@ Configure the module to enable a run-time Extended Master Secret (EMS) check when using the TLS1_PRF KDF algorithm. This check is disabled by default. See RFC 7627 for information related to EMS. +=item B<-no_short_mac> + +Configure the module to not allow short MAC outputs. +See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details. + =item B<-no_drbg_truncated_digests> Configure the module to not allow truncated digests to be used with Hash and
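Review bot: In the synopsis hunk, `[B<-no_short_mac>]` is placed right after `[B<-dsa_sign_disabled>]`, but the description hunk puts the matching `=item` between the EMS check text and `-no_drbg_truncated_digests`. Please check that the option sits at the same relative position in both lists, so a reader scanning the synopsis can find the description where they expect it.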
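Review bot: The new `=item B<-no_short_mac>` text does not say what counts as a "short" MAC output, which MAC algorithms the restriction applies to, or whether the check is on or off by default. The EMS item just above it ends with "This check is disabled by default.", and this item should carry the equivalent sentence, along with the minimum output length that is enforced, so an operator can tell what will start failing once the option is set. Also, "FIPS 140-3 ID C.D" looks like a typo for "IG C.D" (Implementation Guidance); please confirm the reference.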