From d20797ee75e25a639db3df954fb2e5fdf9363838 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Thu, 6 Jun 2024 14:52:33 +0200
Subject: [PATCH] RFC 9579 support - documentation

---
 doc/man1/openssl-pkcs12.pod.in | 10 ++++++++++
 doc/man3/PKCS12_gen_mac.pod    | 16 +++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 665b22bb644ac5..bc726e64cfb920 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -62,6 +62,8 @@ PKCS#12 output (export) options:
 [B<-certpbe> I<cipher>]
 [B<-descert>]
 [B<-macalg> I<digest>]
+[B<-pbmac1>]
+[B<-pbmac1_kdf_md> I<digest>]
 [B<-iter> I<count>]
 [B<-noiter>]
 [B<-nomaciter>]
@@ -341,10 +343,18 @@ key and the certificates are encrypted using AES-256-CBC unless
 the '-legacy' option is used. If '-descert' is used with the '-legacy'
 then both, the private key and the certificates are encrypted using triple DES.
 
+=item B<-pbmac1> I<digest>
+
+Use PBMAC1 for MAC protection of the PKCS#12 file.
+
 =item B<-macalg> I<digest>
 
 Specify the MAC digest algorithm. If not included SHA256 will be used.
 
+=item B<-pbmac1_kdf_md> I<digest>
+
+Specify the PBMAC1 KDF digest algorithm. If not included SHA256 will be used.
+
 =item B<-iter> I<count>
 
 This option specifies the iteration count for the encryption key and MAC. The
diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod
index a72df145fedd70..4e0daad6d76957 100644
--- a/doc/man3/PKCS12_gen_mac.pod
+++ b/doc/man3/PKCS12_gen_mac.pod
@@ -15,6 +15,9 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
  int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
                     unsigned char *salt, int saltlen, int iter,
                     const EVP_MD *md_type);
+ int PKCS12_set_pbmac1(PKCS12 *p12, const char *pass, int passlen,
+                   unsigned char *salt, int saltlen, int iter,
+                   const EVP_MD *md_type, const char *prf_md_name);
  int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
                       int saltlen, const EVP_MD *md_type);
 
@@ -31,10 +34,12 @@ PKCS12_setup_mac() sets the MAC part of the PKCS#12 structure with the supplied
 parameters.
 
 PKCS12_set_mac() sets the MAC and MAC parameters into the PKCS#12 object.
+PKCS12_set_pbmac1() sets the MAC and MAC parameters into the PKCS#12 object
+when B<PBMAC1> is used for protection of the PKCS#12 object.
 
 I<pass> is the passphrase to use in the HMAC. I<salt> is the salt value to use,
 I<iter> is the iteration count and I<md_type> is the message digest
-function to use.
+function to use. I<prf_md_name> specifies the digest used for PBMAC1 KDF.
 
 =head1 NOTES
 
@@ -43,9 +48,9 @@ If I<salt> is NULL then a suitable salt will be generated and used.
 If I<iter> is 1 then an iteration count will be omitted from the PKCS#12
 structure.
 
-PKCS12_gen_mac(), PKCS12_verify_mac() and PKCS12_set_mac() make assumptions
-regarding the encoding of the given passphrase. See L<passphrase-encoding(7)>
-for more information.
+PKCS12_gen_mac(), PKCS12_verify_mac(), PKCS12_set_mac() and PKCS12_set_pbmac1()
+make assumptions regarding the encoding of the given passphrase. See
+L<passphrase-encoding(7)> for more information.
 
 =head1 RETURN VALUES
 
@@ -54,6 +59,7 @@ All functions return 1 on success and 0 if an error occurred.
 =head1 CONFORMING TO
 
 IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 9579 (L<https://tools.ietf.org/html/rfc9579>)
 
 =head1 SEE ALSO
 
@@ -64,7 +70,7 @@ L<passphrase-encoding(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy