Lines Matching +full:fips +full:- +full:provider +full:- +full:validation
5 EVP_PKEY-DH, EVP_PKEY-DHX, EVP_KEYMGMT-DH, EVP_KEYMGMT-DHX
6 - EVP_PKEY DH and DHX keytype and algorithm support
11 "safe" domain parameters that are associated with approved named safe-prime
12 groups, and a class of "FIPS186-type" domain parameters. FIPS186-type domain
14 applications that cannot be upgraded to use the approved safe-prime groups.
16 See L<EVP_PKEY-FFC(7)> for more information about FFC keys.
21 must be used for FIPS186-4. If key validation is required, users should be aware
22 of the nuances associated with FIPS186-4 style parameters as discussed in
23 L</DH key validation>.
28 (see L<EVP_PKEY-FFC(7)/FFC parameters>) the B<DHX> and B<DH> keytype
38 The following values can be used by OpenSSL's default and FIPS providers:
42 The following additional values can also be used by OpenSSL's default provider:
55 =item "encoded-pub-key" (B<OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY>) <octet string>
67 =item "safeprime-generator" (B<OSSL_PKEY_PARAM_DH_GENERATOR>) <integer>
72 validation is required.
74 Randomly generated safe primes are not allowed by FIPS, so setting this value
75 for the OpenSSL FIPS provider will instead choose a named safe prime group
83 should support (see L<EVP_PKEY-FFC(7)/FFC key generation parameters>) the
100 These are described in L<EVP_PKEY-FFC(7)/FFC key generation parameters>
109 A safe prime generator. See the "safeprime-generator" type above.
132 =head2 DH key validation
134 For B<DHX> that is not a named group the FIPS186-4 standard specifies that the
136 validation. This means that optional FFC domain parameter values for
138 validation purposes.
144 The OpenSSL FIPS provider tests whether the parameters are either an approved safe
145 prime group or FFC parameters that conform to FIPS186-4 as defined in
146 SP800-56Ar3 I<Assurances of Domain-Parameter Validity>.
147 The OpenSSL default provider uses simpler checks that allow there to be no I<q>
154 SP800-56Ar3 I<FFC Full Public-Key Validation>.
157 SP800-56Ar3 I<FFC Partial Public-Key Validation> when the
162 correct range according to SP800-56Ar3. The OpenSSL FIPS provider requires the
164 For backwards compatibility the OpenSSL default provider only requires I<p> to
168 SP800-56Ar3 I<Owner Assurance of Pair-wise Consistency>.
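The distinction this section draws between full and partial public-key validation, and between the FIPS provider insisting on I<q> and the default provider accepting parameters without it, is easiest to see on numbers small enough to check by hand. The Python below is an added example, not OpenSSL code and not how the providers are implemented: it re-implements the SP800-56Ar3 checks the page names (domain-parameter validity, full and partial public-key validation, pair-wise consistency) on constructed toy parameters (p=67, q=11, g=64; hopelessly insecure, illustration only). It shows a public key in a small subgroup that passes partial validation but fails full validation, and a generator of the wrong order that only the q-aware check can reject.

```python
"""Toy re-implementation of the SP800-56Ar3 FFC checks named in the
"DH key validation" section.  Added example, not OpenSSL code; the
parameters are constructed and tiny so the checks can be followed by hand."""
from dataclasses import dataclass
from typing import Optional, Tuple

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases, deterministic for n < 3.3e24 (plenty here)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class FFCParams:
    p: int
    g: int
    q: Optional[int] = None  # PKCS#3-style DH params carry no q; DHX params do


def validate_domain_params(params: FFCParams, require_q: bool) -> Tuple[bool, str]:
    """Assurances of Domain-Parameter Validity for explicit (non named-group) params.
    require_q=True mirrors the FIPS-provider rule that q must be present;
    require_q=False mirrors the default provider's relaxed check of p and g only."""
    p, g, q = params.p, params.g, params.q
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not 1 < g < p - 1:
        return False, "g out of range"
    if q is None:
        if require_q:
            return False, "q missing: FIPS186-4 validation cannot run"
        return True, "p prime and g in range (q not checked)"
    if not is_probable_prime(q):
        return False, "q is not prime"
    if (p - 1) % q != 0:
        return False, "q does not divide p-1"
    if pow(g, q, p) != 1:
        return False, "g does not generate the order-q subgroup"
    return True, "FIPS186-4 style parameters valid"


def partial_public_key_check(params: FFCParams, y: int) -> bool:
    """FFC Partial Public-Key Validation: only the range check 2 <= y <= p-2."""
    return 2 <= y <= params.p - 2


def full_public_key_check(params: FFCParams, y: int) -> bool:
    """FFC Full Public-Key Validation: range check plus y^q mod p == 1 (needs q)."""
    if params.q is None:
        raise ValueError("full public-key validation requires q")
    return partial_public_key_check(params, y) and pow(y, params.q, params.p) == 1


def pairwise_consistency_check(params: FFCParams, x: int, y: int) -> bool:
    """Owner Assurance of Pair-wise Consistency: x in [1, q-1] and g^x mod p == y."""
    if params.q is not None and not 1 <= x <= params.q - 1:
        return False
    return pow(params.g, x, params.p) == y


# Constructed toy parameters (insecure, illustration only):
# p = 67 is prime, p-1 = 66 = 2*3*11, q = 11, and g = 64 (= -3 mod 67) has order 11.
TOY_DHX = FFCParams(p=67, g=64, q=11)
TOY_DH = FFCParams(p=67, g=64)               # same group with q stripped
BAD_GEN_DHX = FFCParams(p=67, g=37, q=11)    # 37 has order 3, not 11
BAD_GEN_DH = FFCParams(p=67, g=37)           # same wrong generator, q stripped


def demo() -> dict:
    x = 5
    y = pow(TOY_DHX.g, x, TOY_DHX.p)  # honest public key, equals 25
    y_small_subgroup = 37             # in range, but sits in the order-3 subgroup
    return {
        "dhx_params_fips_rule": validate_domain_params(TOY_DHX, True)[0],
        "dh_params_default_rule": validate_domain_params(TOY_DH, False)[0],
        "dh_params_fips_rule": validate_domain_params(TOY_DH, True)[0],
        "bad_gen_fips_rule": validate_domain_params(BAD_GEN_DHX, True)[0],
        "bad_gen_default_rule": validate_domain_params(BAD_GEN_DH, False)[0],
        "honest_y_partial": partial_public_key_check(TOY_DHX, y),
        "honest_y_full": full_public_key_check(TOY_DHX, y),
        "small_subgroup_y_partial": partial_public_key_check(TOY_DHX, y_small_subgroup),
        "small_subgroup_y_full": full_public_key_check(TOY_DHX, y_small_subgroup),
        "pairwise": pairwise_consistency_check(TOY_DHX, x, y),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

The two "bad_gen" rows are the point of the section: without I<q> the relaxed check has nothing to test the generator's order against and accepts it, while the q-aware check rejects it; likewise the order-3 public key 37 is accepted by the partial check and rejected only once y^q mod p is computed.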
195 B<DHX> domain parameters can be generated according to B<FIPS186-4> by calling:
234 To validate B<FIPS186-4> B<DHX> domain parameters decoded from B<PEM> or
240 the actual validation. In production code the return values should be checked.
245 int gindex = ...; /* for the validation */
296 The following sections of SP800-56Ar3:
302 =item Appendix D: FFC Safe-prime Groups
306 The following sections of FIPS186-4:
320 L<EVP_PKEY-FFC(7)>,
321 L<EVP_KEYEXCH-DH(7)>
323 L<provider-keymgmt(7)>,
325 L<OSSL_PROVIDER-default(7)>,
326 L<OSSL_PROVIDER-FIPS(7)>
330 Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.