From fc98a2f6ad8f8afe5f0e32d2ae66d09d39b1ff9d Mon Sep 17 00:00:00 2001 From: Pauli Date: Wed, 17 Jul 2024 10:35:56 +1000 Subject: [PATCH] doc: document no_short_mac option to fipsinstall Reviewed-by: Shane Lontis Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/24917) --- doc/man1/openssl-fipsinstall.pod.in | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index cb985989041..0524c0fef12 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -31,6 +31,7 @@ B [B<-sskdf_digest_check>] [B<-x963kdf_digest_check>] [B<-dsa_sign_disabled>] +[B<-no_short_mac>] [B<-self_test_onload>] [B<-self_test_oninstall>] [B<-corrupt_desc> I] @@ -192,6 +193,11 @@ Configure the module to enable a run-time Extended Master Secret (EMS) check when using the TLS1_PRF KDF algorithm. This check is disabled by default. See RFC 7627 for information related to EMS. +=item B<-no_short_mac> + +Configure the module to not allow short MAC outputs. +See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details. + =item B<-no_drbg_truncated_digests> Configure the module to not allow truncated digests to be used with Hash and -- 2.47.2