From: Pauli
Date: Mon, 5 Aug 2024 05:52:07 +0000 (+1000)
Subject: doc: document key-check param for kbkdf
X-Git-Tag: openssl-3.4.0-alpha1~185
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57fb8841dc80e6bff89a47d912fd1d4998ac7afc;p=thirdparty%2Fopenssl.git

doc: document key-check param for kbkdf

Reviewed-by: Tomas Mraz
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/25095)
---
diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod index 1b9342f6911..e6981759413 100644 --- a/doc/man7/EVP_KDF-KB.pod +++ b/doc/man7/EVP_KDF-KB.pod @@ -65,6 +65,23 @@ Set the fixed value 'r', indicating the length of the counter in bits. Supported values are B<8>, B<16>, B<24>, and B<32>. The default value of B<32> will be used if unspecified. +=item "fips-indicator" (B) + +A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. +This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check" +related parameter is set to 0 and the check fails. +This option is used by the OpenSSL FIPS provider. + +=item "key-check" (B) + +The default value of 1 causes an error during EVP_KDF_CTX_set_params() if the +length of used key-derivation key (B) is shorter than 112 +bits. +Setting this to zero will ignore the error and set the approved +"fips-indicator" to 0. +This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if +set to 0.
+ =back Depending on whether mac is CMAC or HMAC, either digest or cipher is required
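Review bot: The new "key-check" item names only EVP_KDF_CTX_set_params() as the place where a key-derivation key shorter than 112 bits is rejected, so a reader cannot tell whether the check also applies when the key is supplied through the params argument of EVP_KDF_derive(). Please state that explicitly, since callers who pass all parameters at derive time need to know where the error surfaces. Both new items also say only that the option "is used by the OpenSSL FIPS provider" without saying what other providers do with it; a short sentence on that would help. Wording nits in the same hunk: the "fips-indicator" item writes "EVP_KDF_derive" without the "()" used for EVP_KDF_CTX_set_params() a few lines later, "the length of used key-derivation key" is missing an article, and "set the approved "fips-indicator" to 0" would read more clearly as "set the "fips-indicator" to 0 (not approved)". The subject line mentions only key-check, while the hunk documents "fips-indicator" as well; consider mentioning both in the commit message.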