diff options
author | Tomas Mraz <tomas@openssl.org> | 2021-02-04 18:40:33 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-02-09 13:45:04 +0100 |
commit | 93b39c85c9bbf4b40d3cc2486a0ecac50422b2f3 (patch) | |
tree | 3fd5d784a1ad6f0d75abce67e29fbb2fff1cec6a /CHANGES.md | |
parent | 4d2a6159db1060ca38a3808cfa60bac46737c670 (diff) |
CHANGES.md: Mention RSA key generation slowdown related changes
Fixes #14068
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14073)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md index 318cce84fc..380cd07886 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -52,7 +52,23 @@ OpenSSL 3.0 *Tomáš Mráz* - * Deprecate EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + * The default key generation method for the regular 2-prime RSA keys was + changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with + Conditions Based on Auxiliary Probable Primes). This method is slower + than the original method. + + *Shane Lontis* + + * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. + They are replaced with the BN_check_prime() function that avoids possible + misuse and always uses at least 64 rounds of the Miller-Rabin + primality test. At least 64 rounds of the Miller-Rabin test are now also + used for all prime generation, including RSA key generation. + This increases key generation time, especially for larger keys. + + *Kurt Roeckx* + + * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() as they are not useful with non-deprecated functions. *Rich Salz* |