author | Matt Caswell <matt@openssl.org> | 2020-10-23 12:35:00 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-11-18 14:54:18 +0000 |
commit | f1d6670840b08104646713f464a6ef42e2cf1c2a (patch) | |
tree | 5548329237ea84a4a4f67dfce768b708f2d62056 /doc | |
parent | c2bd8d27835186b9fc4c7e4e12a3f6d81bac0544 (diff) |
Swap to FIPS186-2 DSA generation outside of the FIPS module
Inside the FIPS module we continue to use FIPS186-4. We prefer FIPS186-2
in the default provider for backwards compatibility reasons.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13228)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/EVP_PKEY_CTX_ctrl.pod | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 8b06a49d06..1de332c3b3 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -455,9 +455,10 @@ Uses a safe prime generator g (PKCS#3 format). =back -The default is B<DH_PARAMGEN_TYPE_GENERATOR> in the default provider for the -"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_4> in the FIPS provider and for -the "DHX" keytype in the default provider. +The default in the default provider is B<DH_PARAMGEN_TYPE_GENERATOR> for the +"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_2> for the "DHX" keytype. In the +FIPS provider the default value is B<DH_PARAMGEN_TYPE_GROUP> for the "DH" +keytype and <B<DH_PARAMGEN_TYPE_FIPS_186_4> for the "DHX" keytype. EVP_PKEY_CTX_set_dh_paramgen_gindex() sets the I<gindex> used by the generator G. The default value is -1 which uses unverifiable g, otherwise a positive value |
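Review bot: The last added line has a stray `<` in front of the POD code, `<B<DH_PARAMGEN_TYPE_FIPS_186_4>`, which will leave a literal `<` in the rendered man page; it should read `B<DH_PARAMGEN_TYPE_FIPS_186_4>`. Separately, the new text makes B<DH_PARAMGEN_TYPE_GROUP> the documented FIPS-provider default for the "DH" keytype, where the removed text gave B<DH_PARAMGEN_TYPE_FIPS_186_4> for the FIPS provider. The commit message only mentions swapping to FIPS186-2 outside the FIPS module, so please confirm that this FIPS-side default is intended and mention it in the message. Since callers who rely on defaults for "DHX" now get FIPS186-2 parameters in the default provider, it would also help to say in this paragraph how to request B<DH_PARAMGEN_TYPE_FIPS_186_4> explicitly.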