fips: document that the EdDSA algorithms are not-validated

Ed25519 and Ed448 are included in the FIPS 140-3 provider for compatibility purposes but are flagged as "fips=no" to prevent their accidental use. This therefore requires that applications always specify the "fips=yes" property query to enforce FIPS correctness. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20079)
author: Pauli <pauli@openssl.org> 2023-01-19 11:16:40 +1100
committer: Hugo Landau <hlandau@openssl.org> 2023-01-24 12:35:36 +0000
commit: 8353b2dfacd723db5ba8b833b95e68e9600d1cf5 (patch)
tree: 5fb6196f1800c212092537dd168f7a5aa496b593 /doc/man7/migration_guide.pod
parent: bfd5680e6be789fd554acf2ad34428816a644eec (diff)
download: openssl-new-8353b2dfacd723db5ba8b833b95e68e9600d1cf5.tar.gz
1 files changed, 13 insertions, 1 deletions
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index 8bd44a6ce7..e82471370f 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -20,7 +20,19 @@ L<crypto(7)>.
 
 =head2 Main Changes from OpenSSL 3.0
 
-There are no changes requiring additional migration measures since OpenSSL 3.0.
+The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms,
+consequently the property query C<fips=yes> is mandatory for applications that
+want to operate in a FIPS approved manner.  The algorithms are:
+
+=over 4
+
+=item Triple DES
+
+=item EdDSA
+
+=back
+
+There are no other changes requiring additional migration measures since OpenSSL 3.0.
 
 =head1 OPENSSL 3.0
author	Pauli <pauli@openssl.org>	2023-01-19 11:16:40 +1100
committer	Hugo Landau <hlandau@openssl.org>	2023-01-24 12:35:36 +0000
commit	8353b2dfacd723db5ba8b833b95e68e9600d1cf5 (patch)
tree	5fb6196f1800c212092537dd168f7a5aa496b593 /doc/man7/migration_guide.pod
parent	bfd5680e6be789fd554acf2ad34428816a644eec (diff)
download	openssl-new-8353b2dfacd723db5ba8b833b95e68e9600d1cf5.tar.gz