diff options
author | Matt Caswell <matt@openssl.org> | 2020-08-27 13:52:17 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-09-03 10:40:52 +0200 |
commit | 820d87bc98c254bb36c46891f3fe4e55bd47f2e7 (patch) | |
tree | 01f3ab78dca0c68fd5b677e95bd2b7dc55352090 /doc | |
parent | Enable PKEY MAC bridge signature algs to take ctx params (diff) | |
download | openssl-820d87bc98c254bb36c46891f3fe4e55bd47f2e7.tar.xz openssl-820d87bc98c254bb36c46891f3fe4e55bd47f2e7.zip |
Update the EVP_PKEY MAC documentation
Include more information about the new HMAC parameter. Also fill in some
missing documentation about the EVP_PKEY MAC bridge.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/EVP_DigestVerifyInit.pod | 2 | ||||
-rw-r--r-- | doc/man3/EVP_MAC.pod | 15 | ||||
-rw-r--r-- | doc/man7/EVP_MAC-HMAC.pod | 2 | ||||
-rw-r--r-- | doc/man7/EVP_MAC-Siphash.pod | 4 | ||||
-rw-r--r-- | doc/man7/EVP_PKEY-HMAC.pod | 10 | ||||
-rw-r--r-- | doc/man7/EVP_SIGNATURE-HMAC.pod | 24 | ||||
-rw-r--r-- | doc/man7/OSSL_PROVIDER-FIPS.pod | 6 | ||||
-rw-r--r-- | doc/man7/OSSL_PROVIDER-default.pod | 8 |
8 files changed, 55 insertions, 16 deletions
diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod index f0061f4548..f90fb2754f 100644 --- a/doc/man3/EVP_DigestVerifyInit.pod +++ b/doc/man3/EVP_DigestVerifyInit.pod @@ -93,7 +93,7 @@ Support no digests (the digest B<type> must be NULL) Supports any digest -=item CMAC, Poly1305 and SipHash +=item CMAC, Poly1305 and Siphash Will ignore any digest provided. diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 9e35d57c17..dc90ee5421 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -248,6 +248,21 @@ EVP_MAC_final() should produce. The allowed sizes vary between MAC implementations, but must never exceed what can be given with a B<size_t>. +=item "tls-data-size" (B<OSSL_MAC_PARAM_TLS_DATA_SIZE>) <unsigned integer> + +This parameter is only supported by HMAC. If set then special handling is +activated for calculating the MAC of a received mac-then-encrypt TLS record +where variable length record padding has been used (as in the case of CBC mode +ciphersuites). The value represents the total length of the record that is +having the MAC calculated including the received MAC and the record padding. + +When used EVP_MAC_update must be called precisely twice. The first time with +the 13 bytes of TLS "header" data, and the second time with the entire record +including the MAC itself and any padding. The entire record length must equal +the value passed in the "tls-data-size" parameter. The length passed in the +B<datalen> parameter to EVP_MAC_update() should be equal to the length of the +record after the MAC and any padding has been removed. + =back All these parameters should be used before the calls to any of diff --git a/doc/man7/EVP_MAC-HMAC.pod b/doc/man7/EVP_MAC-HMAC.pod index 7f0ec35b43..45ccd17211 100644 --- a/doc/man7/EVP_MAC-HMAC.pod +++ b/doc/man7/EVP_MAC-HMAC.pod @@ -36,6 +36,8 @@ The following parameter can be set with EVP_MAC_CTX_set_params(): =item "properties" (B<OSSL_MAC_PARAM_PROPERTIES>) <UTF8 string> +=item "tls-data-size" (B<OSSL_MAC_PARAM_TLS_DATA_SIZE>) <unsigned integer> + =back The "flags" parameter is passed directly to HMAC_CTX_set_flags(). diff --git a/doc/man7/EVP_MAC-Siphash.pod b/doc/man7/EVP_MAC-Siphash.pod index d8013b3369..8b610c4383 100644 --- a/doc/man7/EVP_MAC-Siphash.pod +++ b/doc/man7/EVP_MAC-Siphash.pod @@ -2,11 +2,11 @@ =head1 NAME -EVP_MAC-Siphash - The SipHash EVP_MAC implementation +EVP_MAC-Siphash - The Siphash EVP_MAC implementation =head1 DESCRIPTION -Support for computing SipHash MACs through the B<EVP_MAC> API. +Support for computing Siphash MACs through the B<EVP_MAC> API. =head2 Identity diff --git a/doc/man7/EVP_PKEY-HMAC.pod b/doc/man7/EVP_PKEY-HMAC.pod index 7b6c52bb03..84b647e530 100644 --- a/doc/man7/EVP_PKEY-HMAC.pod +++ b/doc/man7/EVP_PKEY-HMAC.pod @@ -2,22 +2,22 @@ =head1 NAME -EVP_PKEY-HMAC, EVP_KEYMGMT-HMAC, EVP_PKEY-SIPHASH, EVP_KEYMGMT-SIPHASH, -EVP_PKEY-POLY1305, EVP_KEYMGMT-POLY1305, EVP_PKEY-CMAC, EVP_KEYMGMT-CMAC +EVP_PKEY-HMAC, EVP_KEYMGMT-HMAC, EVP_PKEY-Siphash, EVP_KEYMGMT-Siphash, +EVP_PKEY-Poly1305, EVP_KEYMGMT-Poly1305, EVP_PKEY-CMAC, EVP_KEYMGMT-CMAC - EVP_PKEY legacy MAC keytypes and algorithm support =head1 DESCRIPTION The B<HMAC> and B<CMAC> key types are implemented in OpenSSL's default and FIPS -providers. Additionally the B<SIPHASH> and B<POLY1305> key types are implemented +providers. Additionally the B<Siphash> and B<Poly1305> key types are implemented in the default provider. Performing MAC operations via an EVP_PKEY is considered legacy and are only available for backwards compatibility purposes and for a restricted set of algorithms. The preferred way of performing MAC operations is via the EVP_MAC APIs. See L<EVP_MAC_init(3)>. For further details on using EVP_PKEY based MAC keys see -L<EVP_SIGNATURE-HMAC(7)>, L<EVP_SIGNATURE-SIPHASH(7)>, -L<EVP_SIGNATURE-POLY1305(7)> or L<EVP_SIGNATURE-CMAC(7)>. +L<EVP_SIGNATURE-HMAC(7)>, L<EVP_SIGNATURE-Siphash(7)>, +L<EVP_SIGNATURE-Poly1305(7)> or L<EVP_SIGNATURE-CMAC(7)>. =head2 Common MAC parameters diff --git a/doc/man7/EVP_SIGNATURE-HMAC.pod b/doc/man7/EVP_SIGNATURE-HMAC.pod index dd74fae88c..6628d9ebc2 100644 --- a/doc/man7/EVP_SIGNATURE-HMAC.pod +++ b/doc/man7/EVP_SIGNATURE-HMAC.pod @@ -2,7 +2,7 @@ =head1 NAME -EVP_SIGNATURE-HMAC, EVP_SIGNATURE-SIPHASH, EVP_SIGNATURE-POLY1305, +EVP_SIGNATURE-HMAC, EVP_SIGNATURE-Siphash, EVP_SIGNATURE-Poly1305, EVP_SIGNATURE-CMAC - The legacy B<EVP_PKEY> MAC signature implementations @@ -12,21 +12,29 @@ The algorithms described here have legacy support for creating MACs using L<EVP_DigestSignInit(3)> and related functions. This is not the preferred way of creating MACs. Instead you should use the newer L<EVP_MAC_init(3)> functions. This mechanism is provided for backwards compatibility with older versions of -OpenSSL. +OpenSSL. -There are no parameters supported by the legacy EVP_PKEY MAC signature -algorithms. See L<EVP_PKEY-HMAC(7)>, L<EVP_PKEY-SIPHASH(7)>, -L<EVP_PKEY-POLY1305(7)> or L<EVP_PKEY-CMAC(7)> for details about parameters that -are supported during the creation of an EVP_PKEY. +The same signature parameters can be set using EVP_PKEY_CTX_set_params() as can +be set via EVP_MAC_CTX_set_params() for the underlying EVP_MAC. See +L<EVP_MAC-HMAC(7)>, L<EVP_MAC-Siphash(7)>, L<EVP_MAC-Poly1305(7)> and +L<EVP_MAC-CMAC(7)> for details. + + See L<EVP_PKEY-HMAC(7)>, L<EVP_PKEY-Siphash(7)>, L<EVP_PKEY-Poly1305(7)> or + L<EVP_PKEY-CMAC(7)> for details about parameters that are supported during the + creation of an EVP_PKEY. =head1 SEE ALSO L<EVP_MAC_init(3)>, L<EVP_DigestSignInit(3)>, L<EVP_PKEY-HMAC(7)>, -L<EVP_PKEY-SIPHASH(7)>, -L<EVP_PKEY-POLY1305(7)>, +L<EVP_PKEY-Siphash(7)>, +L<EVP_PKEY-Poly1305(7)>, L<EVP_PKEY-CMAC(7)>, +L<EVP_MAC-HMAC(7)>, +L<EVP_MAC-Siphash(7)>, +L<EVP_MAC-Poly1305(7)>, +L<EVP_MAC-CMAC(7)>, L<provider-signature(7)>, =head1 COPYRIGHT diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index fc9c191855..d404716b23 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -120,6 +120,12 @@ This has the property "provider=fips,fips=no" =item DSA, see L<EVP_KEYEXCH-DSA(7)> +=item RSA, see L<EVP_SIGNATURE-RSA(7)> + +=item HMAC, see L<EVP_SIGNATURE-HMAC(7)> + +=item CMAC, see L<EVP_SIGNATURE-CMAC(7)> + =back =head2 Asymmetric Cipher diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 0b477b56c1..a88c0be6e6 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -164,6 +164,14 @@ The OpenSSL default provider supports these operations and algorithms: =item RSA, see L<EVP_SIGNATURE-RSA(7)> +=item HMAC, see L<EVP_SIGNATURE-HMAC(7)> + +=item SIPHASH, see L<EVP_SIGNATURE-Siphash(7)> + +=item POLY1305, see L<EVP_SIGNATURE-Poly1305(7)> + +=item CMAC, see L<EVP_SIGNATURE-CMAC(7)> + =back =head2 Asymmetric Cipher |