diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2017-01-27 02:19:54 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-01-30 13:00:17 +0000 |
commit | a593cffe48e923f9db9c1eb5540d0851fa165ad6 (patch) | |
tree | 248693828ad68c48f7085954ec289052961df33d /doc | |
parent | 377c5e98cb98f2d4588efc8a78ac37701be0add2 (diff) | |
download | openssl-a593cffe48e923f9db9c1eb5540d0851fa165ad6.tar.gz |
Update documentation
Add details of the use of PSS for signature algorithms.
Document SSL_get_peer_signature_nid() and SSL_get_peer_signature_type_nid().
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_CTX_set1_sigalgs.pod | 7 | ||||
-rw-r--r-- | doc/man3/SSL_get_peer_signature_nid.pod | 45 |
2 files changed, 50 insertions, 2 deletions
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod index f828c02821..7795388295 100644 --- a/doc/man3/SSL_CTX_set1_sigalgs.pod +++ b/doc/man3/SSL_CTX_set1_sigalgs.pod @@ -70,11 +70,14 @@ prohibits them (for example SHA1 if the security level is 4 or more). Currently the NID_md5, NID_sha1, NID_sha224, NID_sha256, NID_sha384 and NID_sha512 digest NIDs are supported and the public key algorithm NIDs -EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. +EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA and EVP_PKEY_EC. The short or long name values for digests can be used in a string (for example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and -the public key algorithm strings "RSA", "DSA" or "ECDSA". +the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA". + +The TLS 1.3 signature scheme names (such as "rsa_pss_sha256") can also +be used. The use of MD5 as a digest is strongly discouraged due to security weaknesses. diff --git a/doc/man3/SSL_get_peer_signature_nid.pod b/doc/man3/SSL_get_peer_signature_nid.pod new file mode 100644 index 0000000000..492b13fc37 --- /dev/null +++ b/doc/man3/SSL_get_peer_signature_nid.pod @@ -0,0 +1,45 @@ +=pod + +=head1 NAME + +SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid - get TLS +message signing types + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid); + int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid); + +=head1 DESCRIPTION + +SSL_get_peer_signature_nid() sets B<*psig_nid> to the NID of the digest used +by the peer to sign TLS messages. It is implemented as a macro. + +SSL_get_peer_signature_type_nid() sets B<*psigtype_nid> to the signature +type used by the peer to sign TLS messages. Currently the signature type +is the NID of the public key type used for signing except for PSS signing +where it is B<EVP_PKEY_RSA_PSS>. + +=head1 RETURN VALUES + +These functions return 1 for success and 0 for failure. There are several +possible reasons for failure: the ciphersuite has no signature (e.g. it +uses RSA key exchange or is anonymous), the TLS version is below 1.2 or +the functions were called before the peer signed a message. + +=head1 SEE ALSO + +L<ssl(7)>, L<SSL_get_peer_certificate(3)>, + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut |