From: Pauli Date: Thu, 25 Jul 2024 23:29:05 +0000 (+1000) Subject: doc: document -signature_digest_check option to fipsinstall X-Git-Tag: openssl-3.4.0-alpha1~161 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d6e692c36d6ecf1427c2a7c5fc37c501a251c03;p=thirdparty%2Fopenssl.git doc: document -signature_digest_check option to fipsinstall Reviewed-by: Dmitry Belyavskiy Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/25020) --- diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index f61d9839923..4b1564e8981 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -25,6 +25,7 @@ B [B<-ems_check>] [B<-eddsa_no_verify_digested>] [B<-no_drbg_truncated_digests>] +[B<-signature_digest_check>] [B<-hkdf_digest_check>] [B<-tls13_kdf_digest_check>] [B<-tls1_prf_digest_check>] @@ -221,6 +222,11 @@ See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details. Configure the module to not allow truncated digests to be used with Hash and HMAC DRBGs. See FIPS 140-3 IG D.R for details. +=item B<-signature_digest_check> + +Configure the module to enforce signature algorithms to use digests that are +explicitly permitted by the various standards. + =item B<-hkdf_digest_check> Configure the module to enable a run-time digest check when deriving a key by
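Review bot: The new =item B<-signature_digest_check> description in the second hunk refers to digests "explicitly permitted by the various standards" without naming any of them, while the neighbouring entries point the reader at a specific reference ("See FIPS 140-3 IG D.R for details."). Please name the standard or implementation guidance section that defines the permitted digests, so an operator can tell which signature and digest combinations the option will reject. The wording "enforce signature algorithms to use digests" is also awkward; something like "enforce that signature algorithms use only digests that are explicitly permitted" reads more clearly. The following -hkdf_digest_check entry describes its behaviour as "a run-time digest check"; if this option is the same kind of check, use the same phrasing so the family of *_digest_check options reads consistently.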