From a9fc8702e072db7c9ec28b50f162dca9580ae89a Mon Sep 17 00:00:00 2001 From: Pauli Date: Fri, 16 Aug 2024 10:21:12 +1000 Subject: [PATCH] doc: document the OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE parameter Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/25211) --- doc/man7/EVP_SIGNATURE-ECDSA.pod | 2 ++ doc/man7/EVP_SIGNATURE-RSA.pod | 2 ++ doc/man7/provider-signature.pod | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod index 49d9dff9497..c6cc23dfa60 100644 --- a/doc/man7/EVP_SIGNATURE-ECDSA.pod +++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod @@ -44,6 +44,8 @@ EVP_PKEY_CTX_get_params(). =item "fips-indicator" (B) +=item "verify-message" (B + The parameters are described in L. =back diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod index 6ae682f7e1d..b33b0728fac 100644 --- a/doc/man7/EVP_SIGNATURE-RSA.pod +++ b/doc/man7/EVP_SIGNATURE-RSA.pod @@ -147,6 +147,8 @@ EVP_PKEY_CTX_get_params(). =item "fips-indicator" (B) +=item "verify-message" (B + These common parameter are described in L. =item "digest" (B) diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index e09f5f31d44..ce14c4c705c 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod 
@@ -395,6 +395,15 @@ This may be used after calling either the sign or verify final functions. It may return 0 if either the "digest-check", "key-check", or "sign-check" are set to 0. This option is used by the OpenSSL FIPS provider. +=item "verify-message" (B + +A getter that returns 1 if a signature verification operation acted on +a raw message, or 0 if it verified a predigested message. A value of 0 +indicates likely non-approved usage of the FIPS provider. This flag is +set when any signature verification initialisation function is called. +It is also set to 1 when any signing operation is performed to signify +compliance. See FIPS 140-3 IG 2.4.B for further information. + =item "key-check" (B) If required this parameter should be set early via an init function -- 2.47.2
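Review bot: In the doc/man7/EVP_SIGNATURE-ECDSA.pod hunk, the added `=item "verify-message" (B` line is shown without a closing parenthesis, while the `=item "fips-indicator" (B)` line directly above it has one. Close the parenthesis so the item header matches its neighbours. The same header line is added in EVP_SIGNATURE-RSA.pod and provider-signature.pod and needs the same fix there.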
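Review bot: In the doc/man7/EVP_SIGNATURE-RSA.pod hunk, the new "verify-message" item is inserted directly above the context sentence `These common parameter are described in`, which should read "These common parameters are described in". Since the patch already touches the adjacent line, it could correct that sentence in the same change so the list the new item joins reads cleanly.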
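Review bot: In the doc/man7/provider-signature.pod hunk, the sentence "This flag is set when any signature verification initialisation function is called" does not say which value the flag takes at that point, and the next sentence uses "set to 1" for signing, so a reader cannot tell whether "set" means 1 or only "assigned". Suggest stating the value for each verification init path (raw message versus predigested message) and saying when the getter may be read, as the preceding "fips-indicator" entry does with "This may be used after calling either the sign or verify final functions". The entry also lacks the "This option is used by the OpenSSL FIPS provider." sentence its neighbour carries, and it would help callers to say how a 0 here relates to the "fips-indicator" result.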