author: Richard Levitte <levitte@openssl.org> 2021-05-20 13:32:28 +0200
committer: Richard Levitte <levitte@openssl.org> 2021-05-21 15:01:47 +0200
commit: 0491691342cf8fefb61de14b8edd56a937b458ac
tree: 040592ac77b3a49f44750c892010bb22e8a3dee4 /doc/man7/migration_guide.pod
parent: 819b94c0c0d338fbec0aee828f3b61d7878c3837
DOCS: Fixups of the migration guide and the FIPS module manual
The markup needed a few touch-ups
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15377)
Diffstat (limited to 'doc/man7/migration_guide.pod')
-rw-r--r-- doc/man7/migration_guide.pod 1256
1 files changed, 873 insertions, 383 deletions
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index 58260860de..022ac88207 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -16,7 +16,7 @@ L<https://github.com/openssl/openssl/blob/master/CHANGES.md>.
For an overview of some of the key concepts introduced in OpenSSL 3.0 see
L<crypto(7)>.
-=head1 OPENSSL 3_0
+=head1 OPENSSL 3.0
=head2 Main Changes from OpenSSL 1.1.1
@@ -47,15 +47,16 @@ config file, which providers you want to use for any given application.
OpenSSL 3.0 comes with 5 different providers as standard. Over time third
parties may distribute additional providers that can be plugged into OpenSSL.
All algorithm implementations available via providers are accessed through the
-"high level" APIs (for example those functions prefixed with "EVP"). They cannot
+"high level" APIs (for example those functions prefixed with C<EVP>). They cannot
be accessed using the L</Low Level APIs>.
+
One of the standard providers available is the FIPS provider. This makes
available FIPS validated cryptographic algorithms.
The FIPS provider is disabled by default and needs to be enabled explicitly
-at configuration time using the `enable-fips` option. If it is enabled,
+at configuration time using the C<enable-fips> option. If it is enabled,
the FIPS provider gets built and installed in addition to the other standard
providers. No separate installation procedure is necessary.
-There is however a dedicated `install_fips` make target, which serves the
+There is however a dedicated C<install_fips> make target, which serves the
special purpose of installing only the FIPS provider into an existing
OpenSSL installation.
@@ -67,7 +68,7 @@ L</Using the FIPS Module in applications>.
=head3 Low Level APIs
OpenSSL has historically provided two sets of APIs for invoking cryptographic
-algorithms: the "high level" APIs (such as the "EVP" APIs) and the "low level"
+algorithms: the "high level" APIs (such as the C<EVP> APIs) and the "low level"
APIs. The high level APIs are typically designed to work across all algorithm
types. The "low level" APIs are targeted at a specific algorithm implementation.
For example, the EVP APIs provide the functions L<EVP_EncryptInit_ex(3)>,
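Review bot: the trailing context line "For example, the EVP APIs provide the functions" still has a bare EVP, two lines after the changed line switched to C<EVP>. Since this commit is a markup pass, either mark up that occurrence as well or keep the prefix plain in both places so the paragraph is consistent.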
@@ -128,6 +129,8 @@ change in the second (MINOR) number indicates that new features may have been
added. OpenSSL versions with the same major number are API and ABI compatible.
If the major number changes then API and ABI compatibility is not guaranteed.
+For more information, see L<OpenSSL_version(3)>.
+
=head3 Other major new features
=head4 Certificate Management Protocol (CMP, RFC 4210)
@@ -167,31 +170,41 @@ and L<OSSL_PROVIDER-FIPS(7)/Message Authentication Code (MAC)>.
=head4 Support for Linux Kernel TLS
-In order to use KTLS, support for it must be compiled in using the 'enable-ktls'
-compile time option. It must also be enabled at run time using the
-B<SSL_OP_ENABLE_KTLS> option.
+In order to use KTLS, support for it must be compiled in using the
+C<enable-ktls> configuration option. It must also be enabled at run time using
+the B<SSL_OP_ENABLE_KTLS> option.
=head4 New Algorithms
=over 4
-=item KDF algorithms "SINGLE STEP" and "SSH"
+=item -
+
+KDF algorithms "SINGLE STEP" and "SSH"
See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>
-=item MAC Algorithms "GMAC" and "KMAC"
+=item -
+
+MAC Algorithms "GMAC" and "KMAC"
See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.
-=item KEM Algorithm "RSASVE"
+=item -
+
+KEM Algorithm "RSASVE"
See L<EVP_KEM-RSA(7)>.
-=item Cipher Algorithm "AES-SIV"
+=item -
+
+Cipher Algorithm "AES-SIV"
See L<EVP_EncryptInit(3)/SIV Mode>.
-=item AES Key Wrap inverse ciphers supported by EVP layer.
+=item -
+
+AES Key Wrap inverse ciphers supported by EVP layer.
The inverse ciphers use AES decryption for wrapping, and AES encryption for
unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
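Review bot: the new "=item -" markers in the New Algorithms list are not the bullet form that perlpod documents, which is "=item *"; a formatter may treat the dash as literal item text rather than as a bullet. Suggest "=item *" here and in the other lists this patch converts. In the same list, "See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>" is the only "See" line without a terminating period.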
@@ -209,17 +222,25 @@ CS1, CS2 and CS3 variants are supported.
=over 4
-=item Added CAdES-BES signature verification support.
+=item -
+
+Added CAdES-BES signature verification support.
-=item Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
+=item -
-=item Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM
+Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
+
+=item -
+
+Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM
This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
Its purpose is to support encryption and decryption of a digital envelope that
is both authenticated and encrypted using AES GCM mode.
-=item L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.
+=item -
+
+L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.
=back
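Review bot: the AuthEnvelopedData item spells the mode three ways within four lines: "AES_GCM" on the moved line, "AES-GCM parameter" and "AES GCM mode" in the context below it. Pick one spelling (AES-GCM matches the RFC 5084 reference) and end the first line "using AES_GCM" with a period now that it is body text rather than an item title.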
@@ -233,7 +254,7 @@ algorithm for the MAC computation was changed to SHA-256. The pkcs12
application now supports -legacy option that restores the previous
default algorithms to support interoperability with legacy systems.
-Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX`
+Added enhanced PKCS#12 APIs which accept a library context B<OSSL_LIB_CTX>
and (where relevant) a property query. Other APIs which handle PKCS#7 and
PKCS#8 objects have also been enhanced where required. This includes:
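Review bot: the context at the top of this hunk, "application now supports -legacy option", leaves the option and the command name unmarked, while a later hunk in this same patch changes "-text" to B<-text> and names the commands as B<openssl x509>. Suggest "The B<openssl pkcs12> application now supports the B<-legacy> option" for consistency.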
@@ -262,7 +283,7 @@ supported by the OS, otherwise CriticalSection continues to be used.
A new generic trace API has been added which provides support for enabling
instrumentation through trace output. This feature is mainly intended as an aid
for developers and is disabled by default. To utilize it, OpenSSL needs to be
-configured with the `enable-trace` option.
+configured with the C<enable-trace> option.
If the tracing API is enabled, the application can activate trace output by
registering BIOs as trace channels for a number of tracing and debugging
@@ -281,7 +302,7 @@ parameters then L<EVP_PKEY_param_check(3)> will always return 1.
This code is now always set to zero. Related functions are deprecated.
-=head4 STACK and HASH macro's have been cleaned up
+=head4 STACK and HASH macros have been cleaned up
The type-safe wrappers are declared everywhere and implemented once.
See L<DEFINE_STACK_OF(3)> and L<DECLARE_LHASH_OF(3)>.
@@ -329,7 +350,7 @@ EC EVP_PKEYs with the SM2 curve have been reworked to automatically become
EVP_PKEY_SM2 rather than EVP_PKEY_EC.
Unlike in previous OpenSSL versions, this means that applications cannot
-call `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
+call C<EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)> to get SM2 computations.
Parameter and key generation is also reworked to make it possible
to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
@@ -384,12 +405,12 @@ To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0).
The output from numerous "printing" functions such as L<X509_signature_print(3)>,
L<X509_print_ex(3)>, L<X509_CRL_print_ex(3)>, and other similar functions has been
amended such that there may be cosmetic differences between the output
-observed in 1.1.1 and 3.0. This also applies to the "-text" output from the
-x509 and crl applications.
+observed in 1.1.1 and 3.0. This also applies to the B<-text> output from the
+B<openssl x509> and B<openssl crl> applications.
-=head4 Interactive mode from the `openssl` program has been removed
+=head4 Interactive mode from the B<openssl> program has been removed
-From now on, running it without arguments is equivalent to `openssl help`.
+From now on, running it without arguments is equivalent to B<openssl help>.
=head4 The error return values from some control calls (ctrl) have changed
@@ -418,11 +439,17 @@ application. If this happens you have 3 options:
=over 4
-=item 1) Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL.
+=item 1)
+
+Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL.
-=item 2) Suppress the warnings. Refer to your compiler documentation on how to do this.
+=item 2)
-=item 3) Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead
+Suppress the warnings. Refer to your compiler documentation on how to do this.
+
+=item 3)
+
+Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead
=back
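Review bot: "=item 1)", "=item 2)" and "=item 3)" keep the parenthesis from the old one-line items; perlpod's numbered-list form is "=item 1." and so on, so these may be rendered as text items rather than as an ordered list. The paragraphs moved under items 1 and 3 are also left as single unwrapped lines, unlike the surrounding text, and item 3 ("use the high level APIs instead") has no terminating period.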
@@ -434,18 +461,22 @@ L</Upgrading from OpenSSL 1.1.1>, the main things to be aware of are:
=over 4
-=item 1) The build and installation procedure has changed significantly.
+=item 1)
+
+The build and installation procedure has changed significantly.
Check the file INSTALL.md in the top of the installation for instructions on how
to build and install OpenSSL for your platform. Also read the various NOTES
files in the same directory, as applicable for your platform.
-=item 2) Many structures have been made opaque in OpenSSL 3.0.
+=item 2)
+
+Many structures have been made opaque in OpenSSL 3.0.
The structure definitions have been removed from the public header files and
moved to internal header files. In practice this means that you can no longer
stack allocate some structures. Instead they must be heap allocated through some
-function call (typically those function names have a `_new` suffix to them).
+function call (typically those function names have a C<_new> suffix to them).
Additionally you must use "setter" or "getter" functions to access the fields
within those structures.
@@ -464,7 +495,9 @@ For example code that previously looked like this:
...
EVP_MD_CTX_free(md_ctx);
-=item 3) Support for TLSv1.3 has been added.
+=item 3)
+
+Support for TLSv1.3 has been added.
This has a number of implications for SSL/TLS applications. See the
L<TLS1.3 page|https://wiki.openssl.org/index.php/TLS1.3> for further details.
@@ -483,7 +516,7 @@ In OpenSSL 3.0 the FIPS support is fully integrated into the mainline version of
OpenSSL and is no longer a separate download. For further information see
L</Completing the installation of the FIPS Module>.
-The function calls 'FIPS_mode()' and 'FIPS_mode_set()' have been removed
+The function calls FIPS_mode() and FIPS_mode_set() have been removed
from OpenSSL 3.0. You should rewrite your application to not use them.
See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.
@@ -534,93 +567,165 @@ mappings are listed along with the respective name.
=over 4
-=item L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>
+=item -
+
+L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>
+
+=item -
-=item L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>
+L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>
-=item L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
+=item -
+
+L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
L<CMS_digest_create(3)>, L<CMS_EncryptedData_encrypt(3)>, L<CMS_encrypt(3)>,
L<CMS_EnvelopedData_create(3)>, L<CMS_ReceiptRequest_create0(3)> and L<CMS_sign(3)>
-=item L<CONF_modules_load_file(3)>
+=item -
+
+L<CONF_modules_load_file(3)>
+
+=item -
+
+L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>
-=item L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>
+=item -
-=item L<CT_POLICY_EVAL_CTX_new(3)>
+L<CT_POLICY_EVAL_CTX_new(3)>
-=item L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>
+=item -
-=item L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>
+L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>
+
+=item -
+
+L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>
Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>
-=item L<EC_GROUP_new(3)>
+=item -
+
+L<EC_GROUP_new(3)>
Use L<EC_GROUP_new_by_curve_name_ex(3)> or L<EC_GROUP_new_from_params(3)>.
-=item L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>
+=item -
+
+L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>
+
+=item -
+
+L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>
+
+=item -
-=item L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>
+L<EVP_PKCS82PKEY(3)>
-=item L<EVP_PKCS82PKEY(3)>
+=item -
-=item L<EVP_PKEY_CTX_new_id(3)>
+L<EVP_PKEY_CTX_new_id(3)>
Use L<EVP_PKEY_CTX_new_from_name(3)>
-=item L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
+=item -
+
+L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
and L<EVP_PKEY_new_raw_public_key(3)>
-=item L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>
+=item -
+
+L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>
+
+=item -
+
+L<NCONF_new(3)>
-=item L<NCONF_new(3)>
+=item -
-=item L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>
+L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>
-=item L<OPENSSL_thread_stop(3)>
+=item -
-=item L<OSSL_STORE_open(3)>
+L<OPENSSL_thread_stop(3)>
-=item L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
+=item -
+
+L<OSSL_STORE_open(3)>
+
+=item -
+
+L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
L<PEM_read_PrivateKey(3)> and L<PEM_read_PUBKEY(3)>
-=item L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
+=item -
+
+L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
and L<PEM_write_PUBKEY(3)>
-=item L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>
+=item -
-=item L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
+L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>
+
+=item -
+
+L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
L<PKCS12_create(3)>, L<PKCS12_decrypt_skey(3)>, L<PKCS12_init(3)>, L<PKCS12_item_decrypt_d2i(3)>,
L<PKCS12_item_i2d_encrypt(3)>, L<PKCS12_key_gen_asc(3)>, L<PKCS12_key_gen_uni(3)>,
L<PKCS12_key_gen_utf8(3)>, L<PKCS12_pack_p7encdata(3)>, L<PKCS12_pbe_crypt(3)>,
L<PKCS12_PBE_keyivgen(3)>, L<PKCS12_SAFEBAG_create_pkcs8_encrypt(3)>
-=item L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
+=item -
+
+L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
L<PKCS5_pbkdf2_set(3)> and L<PKCS5_v2_scrypt_keyivgen(3)>
-=item L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>
+=item -
+
+L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>
+
+=item -
+
+L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>
+
+=item -
-=item L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>
+L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>
-=item L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>
+=item -
-=item L<SMIME_write_ASN1(3)>
+L<SMIME_write_ASN1(3)>
-=item L<TS_RESP_CTX_new(3)>
+=item -
-=item L<X509_CRL_new(3)>
+L<TS_RESP_CTX_new(3)>
-=item L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>
+=item -
-=item L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>
+L<X509_CRL_new(3)>
-=item L<X509_NAME_hash(3)>
+=item -
-=item L<X509_new(3)>
+L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>
-=item L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>
+=item -
-=item L<X509_STORE_CTX_new(3)>, L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
+L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>
+
+=item -
+
+L<X509_NAME_hash(3)>
+
+=item -
+
+L<X509_new(3)>
+
+=item -
+
+L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>
+
+=item -
+
+L<X509_STORE_CTX_new(3)>, L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
L<X509_STORE_load_locations(3)> and L<X509_STORE_load_store(3)>
=back
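Review bot: now that the function names are body paragraphs, the replacement hints read as ordinary sentences, and two of them lack a full stop: "Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>" and "Use L<EVP_PKEY_CTX_new_from_name(3)>". The EC_GROUP_new item already ends its hint with a period; the other two should match.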
@@ -632,66 +737,124 @@ Passing NULL will use the default library context.
=over 4
-=item L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>
+=item -
+
+L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>
+
+=item -
+
+L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>
-=item L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>
+=item -
-=item L<EVP_default_properties_enable_fips(3)> and
+L<EVP_default_properties_enable_fips(3)> and
L<EVP_default_properties_is_fips_enabled(3)>
-=item L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>
+=item -
+
+L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>
+
+=item -
+
+L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>
-=item L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>
+=item -
-=item L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>
+L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>
-=item L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>
+=item -
-=item L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>
+L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>
-=item L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>
+=item -
-=item L<EVP_PKEY_CTX_new_from_pkey(3)>
+L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>
-=item L<EVP_PKEY_Q_keygen(3)>
+=item -
-=item L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>
+L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>
-=item L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>
+=item -
-=item L<EVP_set_default_properties(3)>
+L<EVP_PKEY_CTX_new_from_pkey(3)>
-=item L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>
+=item -
-=item L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>
+L<EVP_PKEY_Q_keygen(3)>
-=item L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>
+=item -
-=item L<OSSL_CRMF_MSG_create_popo(3)> and L<OSSL_CRMF_MSGS_verify_popo(3)>
+L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>
-=item L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>
+=item -
-=item L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>
+L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>
-=item L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>
+=item -
-=item L<OSSL_ENCODER_CTX_add_extra(3)>
+L<EVP_set_default_properties(3)>
-=item L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>
+=item -
-=item L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>
+L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>
-=item L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
+=item -
+
+L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>
+
+=item -
+
+L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>
+
+=item -
+
+L<OSSL_CRMF_MSG_create_popo(3)> and L<OSSL_CRMF_MSGS_verify_popo(3)>
+
+=item -
+
+L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>
+
+=item -
+
+L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>
+
+=item -
+
+L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>
+
+=item -
+
+L<OSSL_ENCODER_CTX_add_extra(3)>
+
+=item -
+
+L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>
+
+=item -
+
+L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>
+
+=item -
+
+L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
L<OSSL_PROVIDER_do_all(3)>, L<OSSL_PROVIDER_load(3)>,
L<OSSL_PROVIDER_set_default_search_path(3)> and L<OSSL_PROVIDER_try_load(3)>
-=item L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>
+=item -
+
+L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>
+
+=item -
+
+L<OSSL_STORE_attach(3)>
+
+=item -
-=item L<OSSL_STORE_attach(3)>
+L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>
-=item L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>
+=item -
-=item L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
+L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
L<RAND_set_DRBG_type(3)> and L<RAND_set_seed_source_type(3)>
=back
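Review bot: in the item "L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>" the first link does not follow the pattern of every other algorithm entry in this list, which pair a _fetch function with its _do_all_provided counterpart. Was L<EVP_RAND_fetch(3)> intended? If the link to the page name is deliberate, a short remark in the commit message would help.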
@@ -768,7 +931,7 @@ high-level EVP_PKEY APIs, e.g. L<EVP_PKEY_new(3)>, L<EVP_PKEY_up_ref(3)> and
L<EVP_PKEY_free(3)>.
See also L<EVP_PKEY_CTX_new_from_name(3)> and L<EVP_PKEY_CTX_new_from_pkey(3)>.
-EVP_PKEY's may be created in a variety of ways:
+EVP_PKEYs may be created in a variety of ways:
See also L</Deprecated low-level key generation functions>,
L</Deprecated low-level key reading and writing functions> and
L</Deprecated low-level key parameter setters>.
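Review bot: the corrected sentence "EVP_PKEYs may be created in a variety of ways:" still ends in a colon, yet the next visible line is "See also ..." rather than an enumeration of those ways. Either end the sentence with a period or make sure the list it introduces follows it directly.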
@@ -860,7 +1023,9 @@ The following functions have been deprecated in 3.0.
=over 4
-=item AES_bi_ige_encrypt and AES_ige_encrypt
+=item -
+
+AES_bi_ige_encrypt() and AES_ige_encrypt()
There is no replacement for the IGE functions. New code should not use these modes.
These undocumented functions were never integrated into the EVP layer.
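Review bot: "AES_bi_ige_encrypt() and AES_ige_encrypt()" keeps the "and" joiner, while the items converted in the next hunk drop it and use a plain comma-separated list (for example "AES_unwrap_key(), AES_wrap_key()"). Use one style for all the deprecated-function items.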
@@ -871,270 +1036,377 @@ AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
is ever used. The security implications are believed to be minimal, but
this issue was never fixed for backwards compatibility reasons.
-=item AES_encrypt, AES_decrypt, AES_set_encrypt_key, AES_set_decrypt_key,
-AES_cbc_encrypt, AES_cfb128_encrypt, AES_cfb1_encrypt, AES_cfb8_encrypt,
-AES_ecb_encrypt and AES_ofb128_encrypt
+=item -
+
+AES_encrypt(), AES_decrypt(), AES_set_encrypt_key(), AES_set_decrypt_key(),
+AES_cbc_encrypt(), AES_cfb128_encrypt(), AES_cfb1_encrypt(), AES_cfb8_encrypt(),
+AES_ecb_encrypt(), AES_ofb128_encrypt()
-=item AES_unwrap_key, AES_wrap_key
+=item -
+
+AES_unwrap_key(), AES_wrap_key()
See L</Deprecated low-level encryption functions>
-=item AES_options
+=item -
+
+AES_options()
There is no replacement. It returned a string indicating if the AES code was unrolled.
-=item ASN1_digest, ASN1_sign and ASN1_verify
+=item -
+
+ASN1_digest(), ASN1_sign(), ASN1_verify()
There are no replacements. These old functions are not used, and could be
disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7.
-=item ASN1_STRING_length_set
+=item -
+
+ASN1_STRING_length_set()
Use L<ASN1_STRING_set(3)> or L<ASN1_STRING_set0(3)> instead.
This was a potentially unsafe function that could change the bounds of a
previously passed in pointer.
-=item BF_encrypt, BF_decrypt, BF_set_key, BF_cbc_encrypt, BF_cfb64_encrypt,
-BF_ecb_encrypt and BF_ofb64_encrypt
+=item -
+
+BF_encrypt(), BF_decrypt(), BF_set_key(), BF_cbc_encrypt(), BF_cfb64_encrypt(),
+BF_ecb_encrypt(), BF_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The Blowfish algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item BF_options
+=item -
+
+BF_options()
There is no replacement. This option returned a constant string.
-=item BN_is_prime_ex and BN_is_prime_fasttest_ex
+=item -
+
+BN_is_prime_ex(), BN_is_prime_fasttest_ex()
Use L<BN_check_prime(3)> which that avoids possible misuse and always uses at least
64 rounds of the Miller-Rabin primality test.
-=item BN_pseudo_rand and BN_pseudo_rand_range
+=item -
+
+BN_pseudo_rand(), BN_pseudo_rand_range()
Use L<BN_rand(3)> and L<BN_rand_range(3)>.
-=item BN_X931_derive_prime_ex, BN_X931_generate_prime_ex and BN_X931_generate_Xpq
+=item -
+
+BN_X931_derive_prime_ex(), BN_X931_generate_prime_ex(), BN_X931_generate_Xpq()
There are no replacements for these low-level functions. They were used internally
by RSA_X931_derive_ex() and RSA_X931_generate_key_ex() which are also deprecated.
Use L<EVP_PKEY_keygen(3)> instead.
-=item Camellia_encrypt, Camellia_decrypt, Camellia_set_key,
-Camellia_cbc_encrypt, Camellia_cfb128_encrypt, Camellia_cfb1_encrypt,
-Camellia_cfb8_encrypt, Camellia_ctr128_encrypt, Camellia_ecb_encrypt and
-Camellia_ofb128_encrypt.
+=item -
+
+Camellia_encrypt(), Camellia_decrypt(), Camellia_set_key(),
+Camellia_cbc_encrypt(), Camellia_cfb128_encrypt(), Camellia_cfb1_encrypt(),
+Camellia_cfb8_encrypt(), Camellia_ctr128_encrypt(), Camellia_ecb_encrypt(),
+Camellia_ofb128_encrypt()
See L</Deprecated low-level encryption functions>.
-=item CAST_encrypt, CAST_decrypt, CAST_set_key, CAST_cbc_encrypt,
-CAST_cfb64_encrypt, CAST_ecb_encrypt and CAST_ofb64_encrypt
+=item -
+
+CAST_encrypt(), CAST_decrypt(), CAST_set_key(), CAST_cbc_encrypt(),
+CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The CAST algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_copy, CMAC_CTX_free and
-CMAC_CTX_get0_cipher_ctx
+=item -
+
+CMAC_CTX_new(), CMAC_CTX_cleanup(), CMAC_CTX_copy(), CMAC_CTX_free(),
+CMAC_CTX_get0_cipher_ctx()
See L</Deprecated low-level MAC functions>.
-=item CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
+=item -
+
+CMAC_Init(), CMAC_Update(), CMAC_Final(), CMAC_resume()
See L</Deprecated low-level MAC functions>.
-=item CRYPTO_mem_ctrl, CRYPTO_mem_debug_free, CRYPTO_mem_debug_malloc,
-CRYPTO_mem_debug_pop, CRYPTO_mem_debug_push, CRYPTO_mem_debug_realloc,
-CRYPTO_mem_leaks, CRYPTO_mem_leaks_cb, CRYPTO_mem_leaks_fp and
-CRYPTO_set_mem_debug
+=item -
+
+CRYPTO_mem_ctrl(), CRYPTO_mem_debug_free(), CRYPTO_mem_debug_malloc(),
+CRYPTO_mem_debug_pop(), CRYPTO_mem_debug_push(), CRYPTO_mem_debug_realloc(),
+CRYPTO_mem_leaks(), CRYPTO_mem_leaks_cb(), CRYPTO_mem_leaks_fp(),
+CRYPTO_set_mem_debug()
Memory-leak checking has been deprecated in favor of more modern development
tools, such as compiler memory and leak sanitizers or Valgrind.
-=item d2i_DHparams, d2i_DHxparams, d2i_DSAparams, d2i_DSAPrivateKey,
-d2i_DSAPrivateKey_bio, d2i_DSAPrivateKey_fp, d2i_DSA_PUBKEY, d2i_DSA_PUBKEY_bio,
-d2i_DSA_PUBKEY_fp, d2i_DSAPublicKey,
-d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, d2i_ECPrivateKey_fp,
-d2i_EC_PUBKEY, d2i_EC_PUBKEY_bio, d2i_EC_PUBKEY_fp, o2i_ECPublicKey,
-d2i_RSAPrivateKey, d2i_RSAPrivateKey_bio, d2i_RSAPrivateKey_fp,
-d2i_RSA_PUBKEY, d2i_RSA_PUBKEY_bio, d2i_RSA_PUBKEY_fp, d2i_RSAPublicKey,
-d2i_RSAPublicKey_bio and d2i_RSAPublicKey_fp
+=item -
+
+d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
+d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
+d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(),
+d2i_ECParameters(), d2i_ECPrivateKey(), d2i_ECPrivateKey_bio(),
+d2i_ECPrivateKey_fp(), d2i_EC_PUBKEY(), d2i_EC_PUBKEY_bio(),
+d2i_EC_PUBKEY_fp(), o2i_ECPublicKey(), d2i_RSAPrivateKey(),
+d2i_RSAPrivateKey_bio(), d2i_RSAPrivateKey_fp(), d2i_RSA_PUBKEY(),
+d2i_RSA_PUBKEY_bio(), d2i_RSA_PUBKEY_fp(), d2i_RSAPublicKey(),
+d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp()
See L</Deprecated i2d and d2i functions for low-level key types>
-=item DES_crypt, DES_fcrypt, DES_encrypt1, DES_encrypt2, DES_encrypt3,
-DES_decrypt3, DES_ede3_cbc_encrypt, DES_ede3_cfb64_encrypt,
-DES_ede3_cfb_encrypt,DES_ede3_ofb64_encrypt,
-DES_ecb_encrypt, DES_ecb3_encrypt, DES_ofb64_encrypt, DES_ofb_encrypt,
-DES_cfb64_encrypt DES_cfb_encrypt, DES_cbc_encrypt, DES_ncbc_encrypt,
-DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cbc_cksum, DES_quad_cksum,
-DES_check_key_parity, DES_is_weak_key, DES_key_sched, DES_options,
-DES_random_key, DES_set_key, DES_set_key_checked, DES_set_key_unchecked,
-DES_set_odd_parity, DES_string_to_2keys, DES_string_to_key
+=item -
+
+DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
+DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
+DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(),
+DES_ecb_encrypt(), DES_ecb3_encrypt(), DES_ofb64_encrypt(), DES_ofb_encrypt(),
+DES_cfb64_encrypt DES_cfb_encrypt(), DES_cbc_encrypt(), DES_ncbc_encrypt(),
+DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(),
+DES_check_key_parity(), DES_is_weak_key(), DES_key_sched(), DES_options(),
+DES_random_key(), DES_set_key(), DES_set_key_checked(), DES_set_key_unchecked(),
+DES_set_odd_parity(), DES_string_to_2keys(), DES_string_to_key()
See L</Deprecated low-level encryption functions>.
Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
"DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item DH_bits, DH_security_bits and DH_size
+=item -
+
+DH_bits(), DH_security_bits(), DH_size()
Use L<EVP_PKEY_bits(3)>, L<EVP_PKEY_security_bits(3)> and L<EVP_PKEY_size(3)>.
-=item DH_check, DH_check_ex, DH_check_params, DH_check_params_ex,
-DH_check_pub_key and DH_check_pub_key_ex
+=item -
+
+DH_check(), DH_check_ex(), DH_check_params(), DH_check_params_ex(),
+DH_check_pub_key(), DH_check_pub_key_ex()
See L</Deprecated low-level validation functions>
-=item DH_clear_flags, DH_test_flags and DH_set_flags
+=item -
+
+DH_clear_flags(), DH_test_flags(), DH_set_flags()
-The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
-The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated.
+The B<DH_FLAG_CACHE_MONT_P> flag has been deprecated without replacement.
+The B<DH_FLAG_TYPE_DH> and B<DH_FLAG_TYPE_DHX> have been deprecated.
Use EVP_PKEY_is_a() to determine the type of a key.
There is no replacement for setting these flags.
-=item DH_compute_key and DH_compute_key_padded
+=item -
+
+DH_compute_key() DH_compute_key_padded()
See L</Deprecated low-level key exchange functions>.
-=item DH_new, DH_new_by_nid, DH_free, DH_up_ref
+=item -
+
+DH_new(), DH_new_by_nid(), DH_free(), DH_up_ref()
See L</Deprecated low-level object creation>
-=item DH_generate_key and DH_generate_parameters_ex
+=item -
+
+DH_generate_key(), DH_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item DH_get0_pqg, DH_get0_p, DH_get0_q, DH_get0_g, DH_get0_key,
-DH_get0_priv_key, DH_get0_pub_key, DH_get_length and DH_get_nid
+=item -
+
+DH_get0_pqg(), DH_get0_p(), DH_get0_q(), DH_get0_g(), DH_get0_key(),
+DH_get0_priv_key(), DH_get0_pub_key(), DH_get_length(), DH_get_nid()
See L</Deprecated low-level key parameter getters>
-=item DH_get_1024_160, DH_get_2048_224 and DH_get_2048_256
+=item -
+
+DH_get_1024_160(), DH_get_2048_224(), DH_get_2048_256()
Applications should instead set the B<OSSL_PKEY_PARAM_GROUP_NAME> as specified in
L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
"dh_2048_256" when generating a DH key.
-=item DH_KDF_X9_42
+=item -
+
+DH_KDF_X9_42()
Applications should use L<EVP_PKEY_CTX_set_dh_kdf_type(3)> instead.
-=item DH_get_default_method, DH_get0_engine, DH_meth_*, DH_new_method, DH_OpenSSL,
-DH_get_ex_data, DH_set_default_method, DH_set_method and DH_set_ex_data
+=item -
+
+DH_get_default_method(), DH_get0_engine(), DH_meth_*(), DH_new_method(),
+DH_OpenSSL(), DH_get_ex_data(), DH_set_default_method(), DH_set_method(),
+DH_set_ex_data()
See L</Providers are a replacement for engines and low-level method overrides>
-=item DHparams_print and DHparams_print_fp
+=item -
+
+DHparams_print(), DHparams_print_fp()
See L</Deprecated low-level key printing functions>
-=item DH_set0_key, DH_set0_pqg, DH_set_length
+=item -
+
+DH_set0_key(), DH_set0_pqg(), DH_set_length()
See L</Deprecated low-level key parameter setters>
-=item DSA_bits, DSA_security_bits and DSA_size
+=item -
+
+DSA_bits(), DSA_security_bits(), DSA_size()
Use L<EVP_PKEY_bits(3)>, L<EVP_PKEY_security_bits(3)> and L<EVP_PKEY_size(3)>.
-=item DHparams_dup, DSA_dup_DH
+=item -
+
+DHparams_dup(), DSA_dup_DH()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item DSA_generate_key and DSA_generate_parameters_ex
+=item -
+
+DSA_generate_key(), DSA_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item DSA_get0_engine, DSA_get_default_method, DSA_get_ex_data, DSA_get_method,
-DSA_meth_*, DSA_new_method, DSA_OpenSSL, DSA_set_default_method, DSA_set_ex_data
-and DSA_set_method
+=item -
+
+DSA_get0_engine(), DSA_get_default_method(), DSA_get_ex_data(),
+DSA_get_method(), DSA_meth_*(), DSA_new_method(), DSA_OpenSSL(),
+DSA_set_default_method(), DSA_set_ex_data(), DSA_set_method()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item DSA_get0_p, DSA_get0_q, DSA_get0_g, DSA_get0_pqg, DSA_get0_key,
-DSA_get0_priv_key and DSA_get0_pub_key
+=item -
+
+DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pqg(), DSA_get0_key(),
+DSA_get0_priv_key(), DSA_get0_pub_key()
See L</Deprecated low-level key parameter getters>.
-=item DSA_new, DSA_free, DSA_up_ref
+=item -
+
+DSA_new(), DSA_free(), DSA_up_ref()
See L</Deprecated low-level object creation>
-=item D
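Review bot: two of the rewritten function lists lost a separator. "DH_compute_key() DH_compute_key_padded()" has no comma where the old "and" was removed, and "DES_cfb64_encrypt DES_cfb_encrypt()" is missing both the parentheses and the comma after DES_cfb64_encrypt, a defect carried over from the old line. "DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt()" also needs a space after the comma. While these items are being touched, the context lines "which that avoids" under BN_is_prime_ex() and the unmatched ")" after L<EVP_PKEY-DH(7)/DH parameters> could be fixed in the same pass.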