Diffstat (limited to 'doc/man7')
-rw-r--r--doc/man7/EVP_CIPHER-NULL.pod72
-rw-r--r--doc/man7/EVP_MD-NULL.pod42
-rw-r--r--doc/man7/EVP_PKEY-EC.pod4
-rw-r--r--doc/man7/OSSL_PROVIDER-FIPS.pod18
-rw-r--r--doc/man7/OSSL_PROVIDER-default.pod22
-rw-r--r--doc/man7/crypto.pod72
-rw-r--r--doc/man7/migration_guide.pod31
-rw-r--r--doc/man7/provider-asym_cipher.pod7
-rw-r--r--doc/man7/provider-base.pod6
-rw-r--r--doc/man7/provider-cipher.pod4
-rw-r--r--doc/man7/provider-decoder.pod6
-rw-r--r--doc/man7/provider-digest.pod3
-rw-r--r--doc/man7/provider-keymgmt.pod32
-rw-r--r--doc/man7/provider-signature.pod6
14 files changed, 301 insertions, 24 deletions
diff --git a/doc/man7/EVP_CIPHER-NULL.pod b/doc/man7/EVP_CIPHER-NULL.pod
new file mode 100644
index 000000000000..44e07dcf1b05
--- /dev/null
+++ b/doc/man7/EVP_CIPHER-NULL.pod
@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+EVP_CIPHER-NULL - The NULL EVP_CIPHER implementation
+
+=head1 DESCRIPTION
+
+Support for a NULL symmetric encryption using the B<EVP_CIPHER> API.
+This is used when the TLS cipher suite is TLS_NULL_WITH_NULL_NULL.
+This does no encryption (just copies the data) and has a mac size of zero.
+
+=head2 Algorithm Name
+
+The following algorithm is available in the default provider:
+
+=over 4
+
+=item "NULL"
+
+=back
+
+=head2 Parameters
+
+This implementation supports the following parameters:
+
+=head3 Gettable EVP_CIPHER parameters
+
+See L<EVP_EncryptInit(3)/Gettable EVP_CIPHER parameters>
+
+=head3 Gettable EVP_CIPHER_CTX parameters
+
+=over 4
+
+=item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
+
+=item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer>
+
+=item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr>
+
+=back
+
+See L<EVP_EncryptInit(3)/PARAMETERS> for further information.
+
+=head3 Settable EVP_CIPHER_CTX parameters
+
+=over 4
+
+=item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer>
+
+=back
+
+See L<EVP_EncryptInit(3)/PARAMETERS> for further information.
+
+=head1 CONFORMING TO
+
+RFC 5246 section-6.2.3.1
+
+=head1 SEE ALSO
+
+L<provider-cipher(7)>, L<OSSL_PROVIDER-default(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
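Review bot: the "ivlen" item has a stray angle bracket, `(B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>)` should read `(B<OSSL_CIPHER_PARAM_IVLEN> and B<OSSL_CIPHER_PARAM_AEAD_IVLEN>)`, otherwise pod renders a literal "<" and the podchecker pass will flag it. Two smaller doc points in the same file: the DESCRIPTION could spell out "MAC size of zero" (MAC, not "mac") and say plainly that the NULL cipher provides no confidentiality and is only meaningful as the TLS_NULL_WITH_NULL_NULL state the text already names, so readers do not fetch "NULL" for anything else; and the CONFORMING TO reference would be clearer as "RFC 5246, section 6.2.3.1".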
diff --git a/doc/man7/EVP_MD-NULL.pod b/doc/man7/EVP_MD-NULL.pod
new file mode 100644
index 000000000000..bce399a1e121
--- /dev/null
+++ b/doc/man7/EVP_MD-NULL.pod
@@ -0,0 +1,42 @@
+=pod
+
+=head1 NAME
+
+EVP_MD-NULL - The NULL EVP_MD implementation
+
+=head1 DESCRIPTION
+
+Support for a NULL digest through the B<EVP_MD> API.
+This algorithm does nothing and returns 1 for its init,
+update and final methods.
+
+=head2 Algorithm Name
+
+The following algorithm is available in the default provider:
+
+=over 4
+
+=item "NULL"
+
+=back
+
+=head2 Gettable Parameters
+
+This implementation supports the common gettable parameters described
+in L<EVP_MD-common(7)>.
+
+=head1 SEE ALSO
+
+L<EVP_MD_CTX_set_params(3)>, L<provider-digest(7)>,
+L<OSSL_PROVIDER-default(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
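Review bot: the DESCRIPTION says the digest "does nothing and returns 1 for its init, update and final methods" but never states what the final method leaves in the caller's output buffer or what size EVP_MD_get_size() reports for "NULL"; please document the digest size explicitly so that callers sizing buffers from the EVP_MD do not have to infer it from the implementation. Also, SEE ALSO links L<EVP_MD_CTX_set_params(3)> while the page lists only common gettable parameters and no settable ones; either drop that link or add the settable section it implies.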
diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod
index 668a024014b4..4b6dec35862c 100644
--- a/doc/man7/EVP_PKEY-EC.pod
+++ b/doc/man7/EVP_PKEY-EC.pod
@@ -142,7 +142,7 @@ Used for getting the EC public key X component.
Used for getting the EC public key Y component.
-=item (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string>
+=item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string>
Getter that returns the default digest name.
(Currently returns "SHA256" as of OpenSSL 3.0).
@@ -272,7 +272,7 @@ L<EVP_KEYEXCH-ECDH(7)>
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 58008ae59f19..2f34866d998b 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -172,6 +172,22 @@ The OpenSSL FIPS provider supports these operations and algorithms:
=back
+=head2 Random Number Generation
+
+=over 4
+
+=item CTR-DRBG, see L<EVP_RAND-CTR-DRBG(7)>
+
+=item HASH-DRBG, see L<EVP_RAND-HASH-DRBG(7)>
+
+=item HMAC-DRBG, see L<EVP_RAND-HMAC-DRBG(7)>
+
+=item TEST-RAND, see L<EVP_RAND-TEST-RAND(7)>
+
+TEST-RAND is an unapproved algorithm.
+
+=back
+
=head1 SELF TESTING
One of the requirements for the FIPS module is self testing. An optional callback
@@ -409,7 +425,7 @@ This functionality was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod
index 43ba0ef02d52..e39d76abdbb8 100644
--- a/doc/man7/OSSL_PROVIDER-default.pod
+++ b/doc/man7/OSSL_PROVIDER-default.pod
@@ -71,6 +71,8 @@ The OpenSSL default provider supports these operations and algorithms:
=item RIPEMD160, see L<EVP_MD-RIPEMD160(7)>
+=item NULL, see L<EVP_MD-NULL(7)>
+
=back
=head2 Symmetric Ciphers
@@ -93,6 +95,8 @@ The OpenSSL default provider supports these operations and algorithms:
=item ChaCha20-Poly1305, see L<EVP_CIPHER-CHACHA(7)>
+=item NULL, see L<EVP_CIPHER-NULL(7)>
+
=back
=head2 Message Authentication Code (MAC)
@@ -216,6 +220,22 @@ The OpenSSL default provider supports these operations and algorithms:
=back
+=head2 Random Number Generation
+
+=over 4
+
+=item CTR-DRBG, see L<EVP_RAND-CTR-DRBG(7)>
+
+=item HASH-DRBG, see L<EVP_RAND-HASH-DRBG(7)>
+
+=item HMAC-DRBG, see L<EVP_RAND-HMAC-DRBG(7)>
+
+=item SEED-SRC, see L<EVP_RAND-SEED-SRC(7)>
+
+=item TEST-RAND, see L<EVP_RAND-TEST-RAND(7)>
+
+=back
+
=head2 Asymmetric Key Encoder
The default provider also includes all of the encoding algorithms
@@ -251,7 +271,7 @@ All other functionality was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/crypto.pod b/doc/man7/crypto.pod
index 59c60e4b5f92..ea81c91d3aff 100644
--- a/doc/man7/crypto.pod
+++ b/doc/man7/crypto.pod
@@ -116,7 +116,8 @@ algorithm implementations in the default provider.
Property query strings can be specified explicitly as an argument to a function.
It is also possible to specify a default property query string for the whole
-library context using the L<EVP_set_default_properties(3)> function. Where both
+library context using the L<EVP_set_default_properties(3)> or
+L<EVP_default_properties_enable_fips(3)> functions. Where both
default properties and function specific properties are specified then they are
combined. Function specific properties will override default properties where
there is a conflict.
@@ -164,7 +165,7 @@ functions that use them. For example the L<EVP_DigestInit_ex(3)> function takes
as a parameter an B<EVP_MD> object which may have been returned from an earlier
call to L<EVP_MD_fetch(3)>.
-=head2 Implicit fetch
+=head2 Implicit fetching
OpenSSL has a number of functions that return an algorithm object with no
associated implementation, such as L<EVP_sha256(3)>, L<EVP_aes_128_cbc(3)>,
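Review bot: renaming the section from "Implicit fetch" to "Implicit fetching" changes a pod anchor, so any existing `L<crypto(7)/Implicit fetch>` link elsewhere in the tree (or in external documentation) breaks; this patch adds new links to the new name in migration_guide.pod, but it should also be checked that no remaining reference to the old anchor is left behind (the doc link checker in the test suite will catch in-tree ones).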
@@ -210,6 +211,69 @@ propery string from the B<EVP_PKEY_CTX>.
=back
+=head2 Performance
+
+If you perform the same operation many times then it is recommended to use
+L</Explicit fetching> to prefetch an algorithm once initially,
+and then pass this created object to any operations that are currently
+using L</Implicit fetching>.
+See an example of Explicit fetching in L</USING ALGORITHMS IN APPLICATIONS>.
+
+Prior to OpenSSL 3.0, constant method tables (such as EVP_sha256()) were used
+directly to access methods. If you pass one of these convenience functions
+to an operation the fixed methods are ignored, and only the name is used to
+internally fetch methods from a provider.
+
+If the prefetched object is not passed to operations, then any implicit
+fetch will use the internally cached prefetched object, but it will
+still be slower than passing the prefetched object directly.
+
+Fetching via a provider offers more flexibility, but it is slower than the
+old method, since it must search for the algorithm in all loaded providers,
+and then populate the method table using provider supplied methods.
+Internally OpenSSL caches similar algorithms on the first fetch
+(so loading a digest caches all digests).
+
+The following methods can be used for prefetching:
+
+=over 4
+
+=item L<EVP_MD_fetch(3)>
+
+=item L<EVP_CIPHER_fetch(3)>
+
+=item L<EVP_KDF_fetch(3)>
+
+=item L<EVP_MAC_fetch(3)>
+
+=item L<EVP_KEM_fetch(3)>
+
+=item L<OSSL_ENCODER_fetch(3)>
+
+=item L<OSSL_DECODER_fetch(3)>
+
+=item L<EVP_RAND_fetch(3)>
+
+=back
+
+The following methods are used internally when performing operations:
+
+=over 4
+
+=item L<EVP_KEYMGMT_fetch(3)>
+
+=item L<EVP_KEYEXCH_fetch(3)>
+
+=item L<EVP_SIGNATURE_fetch(3)>
+
+=item L<OSSL_STORE_LOADER_fetch(3)>
+
+=back
+
+See L<OSSL_PROVIDER-default(7)>, <OSSL_PROVIDER-fips(7)> and
+<OSSL_PROVIDER-legacy(7)>for a list of algorithm names that
+can be fetched.
+
=head1 FETCHING EXAMPLES
The following section provides a series of examples of fetching algorithm
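Review bot: the two links at the end of the new Performance section are malformed, `<OSSL_PROVIDER-fips(7)>` and `<OSSL_PROVIDER-legacy(7)>` are missing the `L` prefix, there is no space before "for", and the FIPS page is called OSSL_PROVIDER-FIPS(7) everywhere else in this patch; the last paragraph should read `See L<OSSL_PROVIDER-default(7)>, L<OSSL_PROVIDER-FIPS(7)> and L<OSSL_PROVIDER-legacy(7)> for a list of algorithm names that can be fetched.` On wording: "constant method tables (such as EVP_sha256())" mixes the table with the accessor; "constant method tables returned by functions such as EVP_sha256()" is more accurate, and "propery" in the hunk header context is a pre-existing typo worth fixing while touching this file.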
@@ -404,6 +468,8 @@ encryption/decryption, signatures, message authentication codes, etc.
* we're not supplying any particular search criteria for our SHA256
* implementation (second NULL parameter). Any SHA256 implementation will
* do.
+ * In a larger application this fetch would just be done once, and could
+ * be used for multiple calls to other operations such as EVP_DigestInit_ex().
*/
sha256 = EVP_MD_fetch(NULL, "SHA256", NULL);
if (sha256 == NULL)
@@ -504,7 +570,7 @@ L<openssl-glossary(7)>, L<provider(7)>
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index a234147f46a0..9eb4a031aa32 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -189,6 +189,15 @@ All new applications should use the new L<EVP_MAC(3)> interface.
See also L<OSSL_PROVIDER-default(7)/Message Authentication Code (MAC)>
and L<OSSL_PROVIDER-FIPS(7)/Message Authentication Code (MAC)>.
+=head4 Algorithm Fetching
+
+Using calls to convenience functions such as EVP_sha256() and EVP_aes_256_gcm() may
+incur a performance penalty when using providers.
+Retrieving algorithms from providers involves searching for an algorithm by name.
+This is much slower than directly accessing a method table.
+It is recommended to prefetch algorithms if an algorithm is used many times.
+See L<crypto(7)/Performance>, L<crypto(7)/Explicit fetching> and L<crypto(7)/Implicit fetching>.
+
=head4 Support for Linux Kernel TLS
In order to use KTLS, support for it must be compiled in using the
@@ -2213,6 +2222,28 @@ Use L<X509_load_http(3)> and L<X509_CRL_load_http(3)> instead.
=back
+=head3 NID handling for provided keys and algorithms
+
+The following functions for NID (numeric id) handling have changed semantics.
+
+=over 4
+
+=item *
+
+EVP_PKEY_id(), EVP_PKEY_get_id()
+
+This function was previously used to reliably return the NID of
+an EVP_PKEY object, e.g., to look up the name of the algorithm of
+such EVP_PKEY by calling L<OBJ_nid2sn(3)>. With the introduction
+of L<provider(7)>s EVP_PKEY_id() or its new equivalent
+L<EVP_PKEY_get_id(3)> might now also return the value -1
+(B<EVP_PKEY_KEYMGMT>) indicating the use of a provider to
+implement the EVP_PKEY object. Therefore, the use of
+L<EVP_PKEY_get0_type_name(3)> is recommended for retrieving
+the name of the EVP_PKEY algorithm.
+
+=back
+
=head2 Using the FIPS Module in applications
See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.
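Review bot: the item lists two functions, "EVP_PKEY_id(), EVP_PKEY_get_id()", but the paragraph then begins "This function was previously used", and "With the introduction of L<provider(7)>s EVP_PKEY_id() or its new equivalent L<EVP_PKEY_get_id(3)> might now also return" runs two clauses together; suggest "These functions were previously used ..." and "Since the introduction of L<provider(7)>s, EVP_PKEY_id() or its new equivalent L<EVP_PKEY_get_id(3)> may also return the value -1 (B<EVP_PKEY_KEYMGMT>), indicating that a provider implements the EVP_PKEY object." Worth adding to the item that callers which still switch on the NID should treat B<EVP_PKEY_KEYMGMT> as "unknown" rather than falling into a default branch, since that is the case the new text is warning about.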
diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
index ac3f6271969d..0976a263a883 100644
--- a/doc/man7/provider-asym_cipher.pod
+++ b/doc/man7/provider-asym_cipher.pod
@@ -127,8 +127,7 @@ pointer to a provider key object in the I<provkey> parameter.
The I<params>, if not NULL, should be set on the context in a manner similar to
using OSSL_FUNC_asym_cipher_set_ctx_params().
The key object should have been previously generated, loaded or imported into
-the provider using the key management (OSSL_OP_KEYMGMT) operation (see
-provider-keymgmt(7)>.
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see L<provider-keymgmt(7)>).
OSSL_FUNC_asym_cipher_encrypt() performs the actual encryption itself.
A previously initialised asymmetric cipher context is passed in the I<ctx>
parameter.
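Review bot: the fix is correct (the old text was missing the `L<` opener), but the replacement joins the two lines into one that is longer than the 80-column wrapping used throughout the file, and the second hunk of this same file fixes the identical sentence while keeping the wrap; for consistency, keep "(see" on the first line and put `L<provider-keymgmt(7)>).` on the next, as the decrypt hunk does.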
@@ -150,7 +149,7 @@ The I<params>, if not NULL, should be set on the context in a manner similar to
using OSSL_FUNC_asym_cipher_set_ctx_params().
The key object should have been previously generated, loaded or imported into
the provider using the key management (OSSL_OP_KEYMGMT) operation (see
-provider-keymgmt(7)>.
+L<provider-keymgmt(7)>).
OSSL_FUNC_asym_cipher_decrypt() performs the actual decryption itself.
A previously initialised asymmetric cipher context is passed in the I<ctx>
@@ -259,7 +258,7 @@ The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod
index c587e0e529b6..2fd803bb96b6 100644
--- a/doc/man7/provider-base.pod
+++ b/doc/man7/provider-base.pod
@@ -312,7 +312,7 @@ get_nonce() retrieves a nonce using the passed I<salt> parameter
of length I<salt_len> and operating system specific information.
The I<salt> should contain uniquely identifying information and this is
included, in an unspecified manner, as part of the output.
-The output is stored in a buffer which contrains at least I<min_len> and at
+The output is stored in a buffer which contains at least I<min_len> and at
most I<max_len> bytes. The buffer address is stored in I<*pout> and the
buffer length returned to the caller. On error, zero is returned.
@@ -779,7 +779,7 @@ This relies on a few things existing in F<openssl/core_dispatch.h>:
#define OSSL_FUNC_BAR_FREECTX 2
typedef void (OSSL_FUNC_bar_freectx_fn)(void *ctx);
- static ossl_inline OSSL_FUNC_bar_newctx(const OSSL_DISPATCH *opf)
+ static ossl_inline OSSL_FUNC_bar_freectx(const OSSL_DISPATCH *opf)
{ return (OSSL_FUNC_bar_freectx_fn *)opf->function; }
#define OSSL_FUNC_BAR_INIT 3
@@ -809,7 +809,7 @@ introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod
index 1faf698107be..14ff581c72c4 100644
--- a/doc/man7/provider-cipher.pod
+++ b/doc/man7/provider-cipher.pod
@@ -228,7 +228,7 @@ L<EVP_CIPHER-AES(7)>, L<EVP_CIPHER-ARIA(7)>, L<EVP_CIPHER-BLOWFISH(7)>,
L<EVP_CIPHER-CAMELLIA(7)>, L<EVP_CIPHER-CAST(7)>, L<EVP_CIPHER-CHACHA(7)>,
L<EVP_CIPHER-DES(7)>, L<EVP_CIPHER-IDEA(7)>, L<EVP_CIPHER-RC2(7)>,
L<EVP_CIPHER-RC4(7)>, L<EVP_CIPHER-RC5(7)>, L<EVP_CIPHER-SEED(7)>,
-L<EVP_CIPHER-SM4(7)>,
+L<EVP_CIPHER-SM4(7)>, L<EVP_CIPHER-NULL(7)>,
L<life_cycle-cipher(7)>, L<EVP_EncryptInit(3)>
=head1 HISTORY
@@ -237,7 +237,7 @@ The provider CIPHER interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-decoder.pod b/doc/man7/provider-decoder.pod
index f279955a6088..e968e661f7cf 100644
--- a/doc/man7/provider-decoder.pod
+++ b/doc/man7/provider-decoder.pod
@@ -34,7 +34,7 @@ provider-decoder - The OSSL_DECODER library E<lt>-E<gt> provider functions
OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg);
/* Functions to export a decoded object */
- void *OSSL_FUNC_decoder_export_object(void *ctx,
+ int OSSL_FUNC_decoder_export_object(void *ctx,
const void *objref, size_t objref_sz,
OSSL_CALLBACK *export_cb,
void *export_cbarg);
@@ -83,7 +83,7 @@ For example, the "function" OSSL_FUNC_decoder_decode() has these:
int selection,
OSSL_CALLBACK *data_cb, void *data_cbarg,
OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg);
- static ossl_inline OSSL_FUNC_decoder_decode_fn
+ static ossl_inline OSSL_FUNC_decoder_decode_fn*
OSSL_FUNC_decoder_decode(const OSSL_DISPATCH *opf);
L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as
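Review bot: the added pointer star is right, but `OSSL_FUNC_decoder_decode_fn*` puts the star against the type, whereas the prototypes in F<openssl/core_dispatch.h> and the rest of this page (e.g. the `OSSL_FUNC_bar_freectx_fn *` example in provider-base.pod in this same patch) write `OSSL_FUNC_decoder_decode_fn *`; suggest matching that spacing.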
@@ -302,7 +302,7 @@ The DECODER interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod
index c96dfe396676..cac53ac291fe 100644
--- a/doc/man7/provider-digest.pod
+++ b/doc/man7/provider-digest.pod
@@ -268,6 +268,7 @@ L<EVP_MD-MD4(7)>, L<EVP_MD-MD5(7)>, L<EVP_MD-MD5-SHA1(7)>,
L<EVP_MD-MDC2(7)>, L<EVP_MD-RIPEMD160(7)>, L<EVP_MD-SHA1(7)>,
L<EVP_MD-SHA2(7)>, L<EVP_MD-SHA3(7)>, L<EVP_MD-SHAKE(7)>,
L<EVP_MD-SM3(7)>, L<EVP_MD-WHIRLPOOL(7)>,
+L<EVP_MD-NULL(7)>,
L<life_cycle-digest(7)>, L<EVP_DigestInit(3)>
=head1 HISTORY
@@ -276,7 +277,7 @@ The provider DIGEST interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod
index be3a65e31978..c6399b8373b9 100644
--- a/doc/man7/provider-keymgmt.pod
+++ b/doc/man7/provider-keymgmt.pod
@@ -374,6 +374,36 @@ dimensions handled in the rest of the same provider.
The value should be the number of security bits of the given key.
Bits of security is defined in SP800-57.
+=item "mandatory-digest" (B<OSSL_PKEY_PARAM_MANDATORY_DIGEST>) <UTF8 string>
+
+If there is a mandatory digest for performing a signature operation with
+keys from this keymgmt, this parameter should get its name as value.
+
+When EVP_PKEY_get_default_digest_name() queries this parameter and it's
+filled in by the implementation, its return value will be 2.
+
+If the keymgmt implementation fills in the value C<""> or C<"UNDEF">,
+L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into
+its argument I<mdname>. This signifies that no digest should be specified
+with the corresponding signature operation.
+
+=item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string>
+
+If there is a default digest for performing a signature operation with
+keys from this keymgmt, this parameter should get its name as value.
+
+When L<EVP_PKEY_get_default_digest_name(3)> queries this parameter and it's
+filled in by the implementation, its return value will be 1. Note that if
+B<OSSL_PKEY_PARAM_MANDATORY_DIGEST> is responded to as well,
+L<EVP_PKEY_get_default_digest_name(3)> ignores the response to this
+parameter.
+
+If the keymgmt implementation fills in the value C<""> or C<"UNDEF">,
+L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into
+its argument I<mdname>. This signifies that no digest has to be specified
+with the corresponding signature operation, but may be specified as an
+option.
+
=back
=head1 RETURN VALUES
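Review bot: the first mention, "When EVP_PKEY_get_default_digest_name() queries this parameter", is unlinked while every other mention in the two items uses `L<EVP_PKEY_get_default_digest_name(3)>`; please link it too, and expand "it's" to "it is" in both items to match the formal register of the rest of the page. The return-value description is also split across the two items (2 for mandatory, 1 for default, mandatory wins); a single sentence under "default-digest" that mandatory takes precedence is there, but a matching pointer under "mandatory-digest" would save readers from having to read both items to learn the precedence rule.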
@@ -412,7 +442,7 @@ The KEYMGMT interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod
index fa38be1b16da..1a9859eac367 100644
--- a/doc/man7/provider-signature.pod
+++ b/doc/man7/provider-signature.pod
@@ -155,7 +155,7 @@ set of "signature" functions, i.e. at least one of:
=item OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify
-=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_init
+=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover
=item OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final
@@ -411,7 +411,7 @@ respectively.
=head1 RETURN VALUES
OSSL_FUNC_signature_newctx() and OSSL_FUNC_signature_dupctx() should return the newly created
-provider side signature, or NULL on failure.
+provider side signature context, or NULL on failure.
OSSL_FUNC_signature_gettable_ctx_params(), OSSL_FUNC_signature_settable_ctx_params(),
OSSL_FUNC_signature_gettable_md_ctx_params() and OSSL_FUNC_signature_settable_md_ctx_params(),
@@ -429,7 +429,7 @@ The provider SIGNATURE interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy