diff options
author | Vladimir Kotal <vladimir.kotal@oracle.com> | 2023-09-05 11:13:47 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-09-11 11:00:41 +0200 |
commit | 4ee8c1fb51687ea811fc2abf87e173c70d018bc2 (patch) | |
tree | d6b447f3e62b233c2fed8a3bd7f473afd4bee862 /doc/man7 | |
parent | 0be7510f49e498532708fd03628fc3fc62ee7875 (diff) |
augment man pages with information about PKCS12KDF in FIPS mode
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21965)
Diffstat (limited to 'doc/man7')
-rw-r--r-- | doc/man7/EVP_KDF-PKCS12KDF.pod | 6 | ||||
-rw-r--r-- | doc/man7/ossl-guide-migration.pod | 9 |
2 files changed, 14 insertions, 1 deletions
diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 7edde1dc9b..05d4e902bd 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -46,6 +46,9 @@ RFC 7292 section B.3. =head1 NOTES +This algorithm is not available in the FIPS provider as it is not FIPS +approvable. + A typical application of this algorithm is to derive keying material for an encryption algorithm from a password in the "pass", a salt in "salt", and an iteration count. @@ -68,7 +71,8 @@ L<EVP_KDF_CTX_new(3)>, L<EVP_KDF_CTX_free(3)>, L<EVP_KDF_CTX_set_params(3)>, L<EVP_KDF_derive(3)>, -L<EVP_KDF(3)/PARAMETERS> +L<EVP_KDF(3)/PARAMETERS>, +L<OSSL_PROVIDER-FIPS(7)> =head1 HISTORY diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod index 064ad21789..fc3acef6d9 100644 --- a/doc/man7/ossl-guide-migration.pod +++ b/doc/man7/ossl-guide-migration.pod @@ -327,6 +327,15 @@ context and property query and will call an extended version of the key/IV derivation function which supports these parameters. This includes L<EVP_PBE_CipherInit_ex(3)>, L<EVP_PBE_find_ex(3)> and L<EVP_PBE_scrypt_ex(3)>. +=head4 PKCS#12 KDF versus FIPS + +Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure +is created with a MAC that does not work with the FIPS provider as the PKCS12KDF +is not a FIPS approvable mechanism. + +See L<EVP_KDF-PKCS12KDF(7)>, L<PKCS12_create(3)>, L<openssl-pkcs12(1)>, +L<OSSL_PROVIDER-FIPS(7)>. + =head4 Windows thread synchronization changes Windows thread synchronization uses read/write primitives (SRWLock) when |