summaryrefslogtreecommitdiffstats
path: root/doc/man7/EVP_KDF-HKDF.pod
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man7/EVP_KDF-HKDF.pod')
-rw-r--r--doc/man7/EVP_KDF-HKDF.pod15
1 files changed, 10 insertions, 5 deletions
diff --git a/doc/man7/EVP_KDF-HKDF.pod b/doc/man7/EVP_KDF-HKDF.pod
index 15171e8299..0778ba04f9 100644
--- a/doc/man7/EVP_KDF-HKDF.pod
+++ b/doc/man7/EVP_KDF-HKDF.pod
@@ -80,12 +80,17 @@ an error will occur.
=back
+=back
+
+The OpenSSL FIPS provider also supports the following parameters:
+
+=over 4
+
=item "fips-indicator" (B<OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
-This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check"
-related parameter is set to 0 and the check fails.
-This option is used by the OpenSSL FIPS provider.
+This may be used after calling EVP_KDF_derive. It returns 0 if "key-check"
+is set to 0 and the check fails.
=item "key-check" (B<OSSL_KDF_PARAM_FIPS_KEY_CHECK>) <integer>
@@ -94,8 +99,8 @@ length of used key-derivation key (B<OSSL_KDF_PARAM_KEY>) is shorter than 112
bits.
Setting this to zero will ignore the error and set the approved
"fips-indicator" to 0.
-This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
-set to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
=back
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-03 22:26:05 +0100