author | slontis <shane.lontis@oracle.com> | 2024-08-05 07:25:35 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-08-21 15:34:58 +0200 |
commit | ea396c7024dec784c76e05d531db41f98788f1e9 (patch) | |
tree | fdc9ecd6dc19ec4d2c8a5d11e96ce1c1c5504b61 /doc | |
parent | Add HMAC FIPS keysize check. (diff) | |
Add FIPS KMAC key check
This adds a FIPS indicator for KMAC key size.
Note that 112-bit keys are still smaller than the
sizes required to reach 128 bits for KMAC128 and
256 bits for KMAC256.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-fipsinstall.pod.in | 6 |
-rw-r--r-- | doc/man7/EVP_MAC-KMAC.pod | 6 |
-rw-r--r-- | doc/man7/provider-mac.pod | 2 |
3 files changed, 12 insertions, 2 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index 413c490329..cf86c64288 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -23,6 +23,7 @@ B<openssl fipsinstall> [B<-no_conditional_errors>] [B<-no_security_checks>] [B<-hmac_key_check>] +[B<-kmac_key_check>] [B<-ems_check>] [B<-no_drbg_truncated_digests>] [B<-signature_digest_check>] @@ -218,6 +219,11 @@ See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details. Configure the module to not allow small keys sizes when using HMAC. See SP 800-131Ar2 for details. +=item B<-kmac_key_check> + +Configure the module to not allow small keys sizes when using KMAC. +See SP 800-131Ar2 for details. + =item B<-no_drbg_truncated_digests> Configure the module to not allow truncated digests to be used with Hash and diff --git a/doc/man7/EVP_MAC-KMAC.pod b/doc/man7/EVP_MAC-KMAC.pod index 0b3e96b005..76f1a52ae3 100644 --- a/doc/man7/EVP_MAC-KMAC.pod +++ b/doc/man7/EVP_MAC-KMAC.pod @@ -68,12 +68,16 @@ The default value is 0. This settable parameter is described in L<provider-mac(7)>. -=item "no-short-mac" (B<OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC>) <integer> +=item "no-short-mac" (B<OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC>) <integer> This settable parameter is described in L<provider-mac(7)>. It is used by the OpenSSL FIPS provider and the minimum length output for KMAC is defined by NIST's SP 800-185 8.4.2. +=item "key-check" (B<OSSL_MAC_PARAM_FIPS_KEY_CHECK>) <integer> + +This settable parameter is described in L<provider-mac(7)>. + =back The "custom" and "no-short-mac" parameters must be set as part of or before diff --git a/doc/man7/provider-mac.pod b/doc/man7/provider-mac.pod index 15a86f51b4..a7643e7c85 100644 --- a/doc/man7/provider-mac.pod +++ b/doc/man7/provider-mac.pod 
@@ -204,7 +204,7 @@ This option is used by the OpenSSL FIPS provider. =over 4 -=item "no-short-mac" (B<OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC>) <integer> +=item "no-short-mac" (B<OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC>) <integer> If required this parameter should be set early via an init function. The default value of 1 causes an error when too short MAC output is |
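Review bot: the new `=item B<-kmac_key_check>` text in doc/man1/openssl-fipsinstall.pod.in (hunk `@@ -218,6 +219,11`) never says what counts as a small key. The commit message speaks of 112-bit keys and notes that they are still below the 128 bits for KMAC128 and 256 bits for KMAC256. State the enforced minimum in the option description, so an operator deciding whether to enable the check does not have to go to SP 800-131Ar2 to find it. Also, "small keys sizes" should read "small key sizes"; the HMAC item just above, shown as context, has the same wording and could be fixed in the same pass.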
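Review bot: in doc/man7/EVP_MAC-KMAC.pod (hunk `@@ -68,12 +68,16`), the trailing context sentence `The "custom" and "no-short-mac" parameters must be set as part of or before` is left unchanged, so it is unclear whether the new "key-check" parameter has the same ordering requirement. Either add "key-check" to that sentence or say when it may be set. The new item also only defers to provider-mac(7), while the provider-mac.pod hunk shown in this patch only renames the no-short-mac macro, so please confirm that provider-mac(7) already describes "key-check" and its default.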
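Review bot: the change from `B<OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC>` to `B<OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC>` in doc/man7/provider-mac.pod (hunk `@@ -204,7 +204,7`, with the matching line in EVP_MAC-KMAC.pod) is not mentioned in the commit message, which only describes the KMAC key size indicator. Mention the macro name correction in the message or split it into its own commit, so the documented name change can be traced.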