From c5926e930cc9a4bdf0932d14e17f1f122a70205b Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 6 Mar 2020 14:25:42 +0100 Subject: [PATCH] DOCS: Start restructuring our provider and implementation documentation This adds doc/man7/OSSL_PROVIDER-default.pod and OSSL_PROVIDER-legacy.pod, and fills in currently implemented operations and algorithms in them, as well as in doc/man7/OSSL_PROVIDER-FIPS.pod, with links to documentation to come. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11270) --- doc/man7/OSSL_PROVIDER-FIPS.pod | 131 ++++++++++++++++- doc/man7/OSSL_PROVIDER-default.pod | 226 +++++++++++++++++++++++++++++ doc/man7/OSSL_PROVIDER-legacy.pod | 92 ++++++++++++ 3 files changed, 445 insertions(+), 4 deletions(-) create mode 100644 doc/man7/OSSL_PROVIDER-default.pod create mode 100644 doc/man7/OSSL_PROVIDER-legacy.pod diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 1cb75e7c87..56844deeb9 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -2,15 +2,136 @@ =head1 NAME -OSSL_PROVIDER-FIPS - OPENSSL FIPS provider +OSSL_PROVIDER-FIPS - OpenSSL FIPS provider =head1 DESCRIPTION -The OPENSSL FIPS provider is a special provider that conforms to the Federal +The OpenSSL FIPS provider is a special provider that conforms to the Federal Information Processing Standards (FIPS) specified in FIPS 140-2. This 'module' contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. +=head2 Properties + +The implementations in this provider specifically have these properties +defined: + +=over 4 + +"provider=default" + +"fips=yes" + +=back + +It may be used in a property query string with fetching functions such as +L or L, as well as with other +functions that take a property query string, such as +L. + +It isn't mandatory to query for any of these properties, except to +make sure to get implementations of this provider and none other. + +The "fips=yes" property can be use to make sure only FIPS approved +implementations are used for crypto operations. This may also include +other non-crypto support operations that are not in the fips provider, +such as asymmetric key serializers, +see L. + +=head1 OPERATIONS AND ALGORITHMS + +The OpenSSL FIPS provider supports these operations and algorithms: + +=head2 Hashing Algorithms / Message Digests + +=over 4 + +=item SHA1, see L + +=item SHA2, see L + +=item SHA3, see L + +=item KECCAK-KMAC, see L + +=back + +=head2 Symmetric Ciphers + +=over 4 + +=item AES, see L + +=item DES-EDE3 (TrippleDES), see L + +=back + +=head2 Message Authentication Code (MAC) + +=over 4 + +=item CMAC, see L + +=item GMAC, see L + +=item HMAC, see L + +=item KMAC, see L + +=back + +=head2 Key Derivation Function (KDF) + +=over 4 + +=item HKDF, see L + +=item SSKDF, see L + +=item PBKDF2, see L + +=item TLS1-PRF, see L + +=item KBKDF, see L + +=back + +=head2 Key Exchange + +=over 4 + +=item DH, see L + +=back + +=head2 Asymmetric Signature + +=over 4 + +=item DSA, see L + +=back + +=head2 Asymmetric Cipher + +=over 4 + +=item RSA, see L + +=back + +=head2 Asymmetric Key Management + +=over 4 + +=item DH, see L + +=item DSA, see L + +=item RSA, see L + +=back + =head1 SELF TESTING One of the requirements for the FIPS module is self testing. An optional callback @@ -19,7 +140,7 @@ L. The parameters passed to the callback are described in L -The OPENSSL FIPS module uses the following mechanism to provide information +The OpenSSL FIPS module uses the following mechanism to provide information about the self tests as they run. This is useful for debugging if a self test is failing. The callback also allows forcing any self test to fail, in order to check that @@ -196,7 +317,9 @@ L, L, L, L, -L +L, +L, +L =head1 HISTORY diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod new file mode 100644 index 0000000000..acfd4d0e07 --- /dev/null +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -0,0 +1,226 @@ +=pod + +=head1 NAME + +OSSL_PROVIDER-default - OpenSSL default provider + +=head1 DESCRIPTION + +The OpenSSL default provider supplies the majority of OpenSSL's diverse +algorithm implementations. It also acts as a fallback when no other +provider has been loaded. + +=head2 Properties + +The implementations in this provider specifically have this property +defined: + +=over 4 + +"provider=default" + +=back + +It may be used in a property query string with fetching functions such as +L or L, as well as with other +functions that take a property query string, such as +L. + +It isn't mandatory to query for this property, except to make sure to get +implementations of this provider and none other. + +Some implementations may define additional properties. Exact information is +listed below + +=head1 OPERATIONS AND ALGORITHMS + +The OpenSSL default provider supports these operations and algorithms: + +=head2 Hashing Algorithms / Message Digests + +=over 4 + +=item SHA1, see L + +=item SHA2, see L + +=item SHA3, see L + +=item KECCAK-KMAC, see L + +=item SHAKE, see L + +=item BLAKE2, see L + +=item SM3, see L + +=item MD5, see L + +=item MD5-SHA1, see L + +=back + +=head2 Symmetric Ciphers + +=over 4 + +=item AES, see L + +=item ARIA, see L + +=item CAMELLIA, see L + +=item DES, see L + +=item BF, see L + +=item IDEA, see L + +=item CAST5, see L + +=item SEED, see L + +=item SM4, see L + +=item RC2, see L + +=item RC4, see L + +=item RC5, see L + +=item ChaCha20, see L + +=item ChaCha20-Poly1305, see L + +=back + +=head2 Message Authentication Code (MAC) + +=over 4 + +=item BLAKE2, see L + +=item CMAC, see L + +=item GMAC, see L + +=item HMAC, see L + +=item KMAC, see L + +=item SIPHASH, see L + +=item POLY1305, see L + +=back + +=head2 Key Derivation Function (KDF) + +=over 4 + +=item HKDF, see L + +=item SSKDF, see L + +=item PBKDF2, see L + +=item SSHKDF, see L + +=item TLS1-PRF, see L + +=item KBKDF, see L + +=item X942KDF, see L + +=item SCRYPT, see L + +=item KRB5KDF, see L + +=back + +=head2 Key Exchange + +=over 4 + +=item DH, see L + +=item ECDH, see L + +=item X25519, see L + +=item X448, see L + +=back + +=head2 Asymmetric Signature + +=over 4 + +=item DSA, see L + +=item RSA, see L + +=back + +=head2 Asymmetric Cipher + +=over 4 + +=item RSA, see L + +=back + +=head2 Asymmetric Key Management + +=over 4 + +=item DH, see L + +=item DSA, see L + +=item RSA, see L + +=item EC, see L + +=item X25519, see L + +=item X448, see L + +=back + +=head2 Asymmetric Key Serializer + +In addition to "provider=default", this set of implementations define the +property "fips=yes", to allow them to be used together with the FIPS +provider. + +=over 4 + +=item RSA, see L + +=item DH, see L + +=item DSA, see L + +=item EC, see L + +=item X25519, see L + +=item X448, see L + +=back + +=head1 SEE ALSO + +L, L, L + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/OSSL_PROVIDER-legacy.pod b/doc/man7/OSSL_PROVIDER-legacy.pod new file mode 100644 index 0000000000..27ed3080bf --- /dev/null +++ b/doc/man7/OSSL_PROVIDER-legacy.pod @@ -0,0 +1,92 @@ +=pod + +=head1 NAME + +OSSL_PROVIDER-legacy - OpenSSL legacy provider + +=head1 DESCRIPTION + +The OpenSSL legacy provider supplies OpenSSL implementations of algorithms +that have been deemed legacy. Such algorithms have commonly fallen out of +use, have been deemed insecure by the cryptography community, or something +similar. + +We can consider this the retirement home of cryptographic algorithms. + +=head2 Properties + +The implementations in this provider specifically have these property +defined: + +=over 4 + +"provider=legacy" + +=back + +It may be used in a property query string with fetching functions such as +L or L, as well as with other +functions that take a property query string, such as +L. + +It isn't mandatory to query for any of these properties, except to +make sure to get implementations of this provider and none other. + +=head1 OPERATIONS AND ALGORITHMS + +The OpenSSL legacy provider supports these operations and algorithms: + +=head2 Hashing Algorithms / Message Digests + +=over 4 + +=item MD2, see L + +=item MD4, see L + +=item MDC2, see L + +=item WHIRLPOOL, see L + +=item RIPEMD160, see L + +=back + +=begin comment + +When algorithms for other operations start appearing, the +following =head2 titles are appropriate to use: + +- Symmetric Ciphers + +- Message Authentication Code (MAC) + +- Key Derivation Function (KDF) + +- Key Exchange + +- Signature + +- Asymmetric Cipher + +- Asymmetric Key Management + +=end comment + +=head1 SEE ALSO + +L, +L, +L, +L + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut -- 2.25.1