summaryrefslogtreecommitdiffstats
path: root/doc/man7
diff options
context:
space:
mode:
authorBeat Bolli <dev@drbeat.li>2021-07-30 18:39:51 +0200
committerPauli <pauli@openssl.org>2021-08-04 15:02:27 +1000
commit2fc02378ffcd9a266077eeea224890c534b7aaef (patch)
tree257bb9c5ffd11e27ffcf6f7e0126b833c66aef03 /doc/man7
parent92c03668c0cd77434006b613e3429888a0a8ecfe (diff)
doc: use the documented =item markers
The generated lists[1] look weird when using a dash as the list item character. Perlpod documents[2] '*' for unordered lists and '1.' (note the period) for ordered lists. Use these characters instead. [1] e.g. https://www.openssl.org/docs/manmaster/man7/migration_guide.html#New-Algorithms [2] https://perldoc.perl.org/perlpod Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16190)
Diffstat (limited to 'doc/man7')
-rw-r--r--doc/man7/fips_module.pod14
-rw-r--r--doc/man7/migration_guide.pod487
2 files changed, 252 insertions, 249 deletions
diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod
index b47ed279f6..e374651fa5 100644
--- a/doc/man7/fips_module.pod
+++ b/doc/man7/fips_module.pod
@@ -22,15 +22,15 @@ legacy APIs or features that avoid the FIPS module. Specifically this includes:
=over 4
-=item -
+=item *
Low level cryptographic APIs (use the high level APIs, such as EVP, instead)
-=item -
+=item *
Engines
-=item -
+=item *
Any functions that create or modify custom "METHODS" (for example
EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(),
@@ -110,21 +110,21 @@ some disadvantages to this approach:
=over 4
-=item -
+=item *
You may not want all applications to use the FIPS module.
It may be the case that some applications should and some should not use the
FIPS module.
-=item -
+=item *
If applications take explicit steps to not load the default config file or
set different settings.
This method will not work for these cases.
-=item -
+=item *
The algorithms available in the FIPS module are a subset of the algorithms
that are available in the default OpenSSL Provider.
@@ -132,7 +132,7 @@ that are available in the default OpenSSL Provider.
If any applications attempt to use any algorithms that are not present,
then they will fail.
-=item -
+=item *
Usage of certain deprecated APIs avoids the use of the FIPS module.
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index 8cc9bd5fc8..8f1fd1b1ad 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -184,31 +184,31 @@ the B<SSL_OP_ENABLE_KTLS> option.
=over 4
-=item -
+=item *
KDF algorithms "SINGLE STEP" and "SSH"
See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>
-=item -
+=item *
MAC Algorithms "GMAC" and "KMAC"
See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.
-=item -
+=item *
KEM Algorithm "RSASVE"
See L<EVP_KEM-RSA(7)>.
-=item -
+=item *
Cipher Algorithm "AES-SIV"
See L<EVP_EncryptInit(3)/SIV Mode>.
-=item -
+=item *
AES Key Wrap inverse ciphers supported by EVP layer.
@@ -217,7 +217,9 @@ unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
"AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and
"AES-256-WRAP-PAD-INV".
-=item AES CTS cipher added to EVP layer.
+=item *
+
+AES CTS cipher added to EVP layer.
The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
CS1, CS2 and CS3 variants are supported.
@@ -228,15 +230,15 @@ CS1, CS2 and CS3 variants are supported.
=over 4
-=item -
+=item *
Added CAdES-BES signature verification support.
-=item -
+=item *
Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
-=item -
+=item *
Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM
@@ -244,7 +246,7 @@ This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
Its purpose is to support encryption and decryption of a digital envelope that
is both authenticated and encrypted using AES GCM mode.
-=item -
+=item *
L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.
@@ -453,15 +455,15 @@ application. If this happens you have 3 options:
=over 4
-=item 1)
+=item 1.
Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL.
-=item 2)
+=item 2.
Suppress the warnings. Refer to your compiler documentation on how to do this.
-=item 3)
+=item 3.
Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead
@@ -475,7 +477,7 @@ L</Upgrading from OpenSSL 1.1.1>, the main things to be aware of are:
=over 4
-=item 1)
+=item 1.
The build and installation procedure has changed significantly.
@@ -483,7 +485,7 @@ Check the file INSTALL.md in the top of the installation for instructions on how
to build and install OpenSSL for your platform. Also read the various NOTES
files in the same directory, as applicable for your platform.
-=item 2)
+=item 2.
Many structures have been made opaque in OpenSSL 3.0.
@@ -501,7 +503,8 @@ For example code that previously looked like this:
/* This line will now generate compiler errors */
EVP_MD_CTX_init(&md_ctx);
- The code needs to be amended to look like this:
+The code needs to be amended to look like this:
+
EVP_MD_CTX *md_ctx;
md_ctx = EVP_MD_CTX_new();
@@ -509,7 +512,7 @@ For example code that previously looked like this:
...
EVP_MD_CTX_free(md_ctx);
-=item 3)
+=item 3.
Support for TLSv1.3 has been added.
@@ -582,119 +585,119 @@ mappings are listed along with the respective name.
=over 4
-=item -
+=item *
L<ASN1_item_new(3)>, L<ASN1_item_d2i(3)>, L<ASN1_item_d2i_fp(3)>,
L<ASN1_item_d2i_bio(3)>, L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>
-=item -
+=item *
L<BIO_new(3)>
-=item -
+=item *
b2i_RSA_PVK_bio() and i2b_PVK_bio()
-=item -
+=item *
L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>
-=item -
+=item *
L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
L<CMS_digest_create(3)>, L<CMS_EncryptedData_encrypt(3)>, L<CMS_encrypt(3)>,
L<CMS_EnvelopedData_create(3)>, L<CMS_ReceiptRequest_create0(3)> and L<CMS_sign(3)>
-=item -
+=item *
L<CONF_modules_load_file(3)>
-=item -
+=item *
L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>
-=item -
+=item *
L<CT_POLICY_EVAL_CTX_new(3)>
-=item -
+=item *
L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>
-=item -
+=item *
L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>
Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>
-=item -
+=item *
L<EC_GROUP_new(3)>
Use L<EC_GROUP_new_by_curve_name_ex(3)> or L<EC_GROUP_new_from_params(3)>.
-=item -
+=item *
L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>
-=item -
+=item *
L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>
-=item -
+=item *
L<PKCS5_PBE_keyivgen(3)>
-=item -
+=item *
L<EVP_PKCS82PKEY(3)>
-=item -
+=item *
L<EVP_PKEY_CTX_new_id(3)>
Use L<EVP_PKEY_CTX_new_from_name(3)>
-=item -
+=item *
L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
and L<EVP_PKEY_new_raw_public_key(3)>
-=item -
+=item *
L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>
-=item -
+=item *
L<NCONF_new(3)>
-=item -
+=item *
L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>
-=item -
+=item *
L<OPENSSL_thread_stop(3)>
-=item -
+=item *
L<OSSL_STORE_open(3)>
-=item -
+=item *
L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
L<PEM_read_PrivateKey(3)> and L<PEM_read_PUBKEY(3)>
-=item -
+=item *
L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
and L<PEM_write_PUBKEY(3)>
-=item -
+=item *
L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>
-=item -
+=item *
L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
L<PKCS12_create(3)>, L<PKCS12_decrypt_skey(3)>, L<PKCS12_init(3)>, L<PKCS12_item_decrypt_d2i(3)>,
@@ -702,64 +705,64 @@ L<PKCS12_item_i2d_encrypt(3)>, L<PKCS12_key_gen_asc(3)>, L<PKCS12_key_gen_uni(3)
L<PKCS12_key_gen_utf8(3)>, L<PKCS12_pack_p7encdata(3)>, L<PKCS12_pbe_crypt(3)>,
L<PKCS12_PBE_keyivgen(3)>, L<PKCS12_SAFEBAG_create_pkcs8_encrypt(3)>
-=item -
+=item *
L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
L<PKCS5_pbkdf2_set(3)> and L<PKCS5_v2_scrypt_keyivgen(3)>
-=item -
+=item *
L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>
-=item -
+=item *
L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>
-=item -
+=item *
L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>
-=item -
+=item *
L<SMIME_write_ASN1(3)>
-=item -
+=item *
L<SSL_load_client_CA_file(3)>
-=item -
+=item *
L<SSL_CTX_new(3)>
-=item -
+=item *
L<TS_RESP_CTX_new(3)>
-=item -
+=item *
L<X509_CRL_new(3)>
-=item -
+=item *
L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>
-=item -
+=item *
L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>
-=item -
+=item *
L<X509_NAME_hash(3)>
-=item -
+=item *
L<X509_new(3)>
-=item -
+=item *
L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>
-=item -
+=item *
L<X509_STORE_CTX_new(3)>, L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
L<X509_STORE_load_locations(3)> and L<X509_STORE_load_store(3)>
@@ -773,126 +776,126 @@ Passing NULL will use the default library context.
=over 4
-=item -
+=item *
L<BIO_new_from_core_bio(3)>
-=item -
+=item *
L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>
-=item -
+=item *
L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>
-=item -
+=item *
L<EVP_default_properties_enable_fips(3)> and
L<EVP_default_properties_is_fips_enabled(3)>
-=item -
+=item *
L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>
-=item -
+=item *
L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>
-=item -
+=item *
L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>
-=item -
+=item *
L<EVP_PKEY_CTX_new_from_pkey(3)>
-=item -
+=item *
L<EVP_PKEY_Q_keygen(3)>
-=item -
+=item *
L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>
-=item -
+=item *
L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>
-=item -
+=item *
L<EVP_set_default_properties(3)>
-=item -
+=item *
L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>
-=item -
+=item *
L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>
-=item -
+=item *
L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>
-=item -
+=item *
L<OSSL_CRMF_MSG_create_popo(3)> and L<OSSL_CRMF_MSGS_verify_popo(3)>
-=item -
+=item *
L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>
-=item -
+=item *
L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>
-=item -
+=item *
L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>
-=item -
+=item *
L<OSSL_ENCODER_CTX_add_extra(3)>
-=item -
+=item *
L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>
-=item -
+=item *
L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>
-=item -
+=item *
L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
L<OSSL_PROVIDER_do_all(3)>, L<OSSL_PROVIDER_load(3)>,
L<OSSL_PROVIDER_set_default_search_path(3)> and L<OSSL_PROVIDER_try_load(3)>
-=item -
+=item *
L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>
-=item -
+=item *
L<OSSL_STORE_attach(3)>
-=item -
+=item *
L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>
-=item -
+=item *
L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
L<RAND_set_DRBG_type(3)> and L<RAND_set_seed_source_type(3)>
@@ -1076,7 +1079,7 @@ The following functions have been deprecated in 3.0.
=over 4
-=item -
+=item *
AES_bi_ige_encrypt() and AES_ige_encrypt()
@@ -1089,32 +1092,32 @@ AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
is ever used. The security implications are believed to be minimal, but
this issue was never fixed for backwards compatibility reasons.
-=item -
+=item *
AES_encrypt(), AES_decrypt(), AES_set_encrypt_key(), AES_set_decrypt_key(),
AES_cbc_encrypt(), AES_cfb128_encrypt(), AES_cfb1_encrypt(), AES_cfb8_encrypt(),
AES_ecb_encrypt(), AES_ofb128_encrypt()
-=item -
+=item *
AES_unwrap_key(), AES_wrap_key()
See L</Deprecated low-level encryption functions>
-=item -
+=item *
AES_options()
There is no replacement. It returned a string indicating if the AES code was unrolled.
-=item -
+=item *
ASN1_digest(), ASN1_sign(), ASN1_verify()
There are no replacements. These old functions are not used, and could be
disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7.
-=item -
+=item *
ASN1_STRING_length_set()
@@ -1122,7 +1125,7 @@ Use L<ASN1_STRING_set(3)> or L<ASN1_STRING_set0(3)> instead.
This was a potentially unsafe function that could change the bounds of a
previously passed in pointer.
-=item -
+=item *
BF_encrypt(), BF_decrypt(), BF_set_key(), BF_cbc_encrypt(), BF_cfb64_encrypt(),
BF_ecb_encrypt(), BF_ofb64_encrypt()
@@ -1130,32 +1133,32 @@ BF_ecb_encrypt(), BF_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The Blowfish algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
BF_options()
There is no replacement. This option returned a constant string.
-=item -
+=item *
BIO_get_callback(), BIO_set_callback(), BIO_debug_callback()
Use the respective non-deprecated _ex() functions.
-=item -
+=item *
BN_is_prime_ex(), BN_is_prime_fasttest_ex()
Use L<BN_check_prime(3)> which that avoids possible misuse and always uses at least
64 rounds of the Miller-Rabin primality test.
-=item -
+=item *
BN_pseudo_rand(), BN_pseudo_rand_range()
Use L<BN_rand(3)> and L<BN_rand_range(3)>.
-=item -
+=item *
BN_X931_derive_prime_ex(), BN_X931_generate_prime_ex(), BN_X931_generate_Xpq()
@@ -1163,7 +1166,7 @@ There are no replacements for these low-level functions. They were used internal
by RSA_X931_derive_ex() and RSA_X931_generate_key_ex() which are also deprecated.
Use L<EVP_PKEY_keygen(3)> instead.
-=item -
+=item *
Camellia_encrypt(), Camellia_decrypt(), Camellia_set_key(),
Camellia_cbc_encrypt(), Camellia_cfb128_encrypt(), Camellia_cfb1_encrypt(),
@@ -1172,7 +1175,7 @@ Camellia_ofb128_encrypt()
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
CAST_encrypt(), CAST_decrypt(), CAST_set_key(), CAST_cbc_encrypt(),
CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()
@@ -1180,20 +1183,20 @@ CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The CAST algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
CMAC_CTX_new(), CMAC_CTX_cleanup(), CMAC_CTX_copy(), CMAC_CTX_free(),
CMAC_CTX_get0_cipher_ctx()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
CMAC_Init(), CMAC_Update(), CMAC_Final(), CMAC_resume()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
CRYPTO_mem_ctrl(), CRYPTO_mem_debug_free(), CRYPTO_mem_debug_malloc(),
CRYPTO_mem_debug_pop(), CRYPTO_mem_debug_push(), CRYPTO_mem_debug_realloc(),
@@ -1203,7 +1206,7 @@ CRYPTO_set_mem_debug()
Memory-leak checking has been deprecated in favor of more modern development
tools, such as compiler memory and leak sanitizers or Valgrind.
-=item -
+=item *
d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
@@ -1217,7 +1220,7 @@ d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp()
See L</Deprecated i2d and d2i functions for low-level key types>
-=item -
+=item *
DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
@@ -1233,21 +1236,21 @@ See L</Deprecated low-level encryption functions>.
Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
"DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
DH_bits(), DH_security_bits(), DH_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
DH_check(), DH_check_ex(), DH_check_params(), DH_check_params_ex(),
DH_check_pub_key(), DH_check_pub_key_ex()
See L</Deprecated low-level validation functions>
-=item -
+=item *
DH_clear_flags(), DH_test_flags(), DH_set_flags()
@@ -1256,32 +1259,32 @@ The B<DH_FLAG_TYPE_DH> and B<DH_FLAG_TYPE_DHX> have been deprecated.
Use EVP_PKEY_is_a() to determine the type of a key.
There is no replacement for setting these flags.
-=item -
+=item *
DH_compute_key() DH_compute_key_padded()
See L</Deprecated low-level key exchange functions>.
-=item -
+=item *
DH_new(), DH_new_by_nid(), DH_free(), DH_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
DH_generate_key(), DH_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
DH_get0_pqg(), DH_get0_p(), DH_get0_q(), DH_get0_g(), DH_get0_key(),
DH_get0_priv_key(), DH_get0_pub_key(), DH_get_length(), DH_get_nid()
See L</Deprecated low-level key parameter getters>
-=item -
+=item *
DH_get_1024_160(), DH_get_2048_224(), DH_get_2048_256()
@@ -1289,13 +1292,13 @@ Applications should instead set the B<OSSL_PKEY_PARAM_GROUP_NAME> as specified i
L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
"dh_2048_256" when generating a DH key.
-=item -
+=item *
DH_KDF_X9_42()
Applications should use L<EVP_PKEY_CTX_set_dh_kdf_type(3)> instead.
-=item -
+=item *
DH_get_default_method(), DH_get0_engine(), DH_meth_*(), DH_new_method(),
DH_OpenSSL(), DH_get_ex_data(), DH_set_default_method(), DH_set_method(),
@@ -1303,39 +1306,39 @@ DH_set_ex_data()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
DHparams_print(), DHparams_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
DH_set0_key(), DH_set0_pqg(), DH_set_length()
See L</Deprecated low-level key parameter setters>
-=item -
+=item *
DSA_bits(), DSA_security_bits(), DSA_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
DHparams_dup(), DSA_dup_DH()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
DSA_generate_key(), DSA_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
DSA_get0_engine(), DSA_get_default_method(), DSA_get_ex_data(),
DSA_get_method(), DSA_meth_*(), DSA_new_method(), DSA_OpenSSL(),
@@ -1343,57 +1346,57 @@ DSA_set_default_method(), DSA_set_ex_data(), DSA_set_method()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pqg(), DSA_get0_key(),
DSA_get0_priv_key(), DSA_get0_pub_key()
See L</Deprecated low-level key parameter getters>.
-=item -
+=item *
DSA_new(), DSA_free(), DSA_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
DSAparams_dup()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
DSAparams_print(), DSAparams_print_fp(), DSA_print(), DSA_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
DSA_set0_key(), DSA_set0_pqg()
See L</Deprecated low-level key parameter setters>
-=item -
+=item *
DSA_set_flags(), DSA_clear_flags(), DSA_test_flags()
The B<DSA_FLAG_CACHE_MONT_P> flag has been deprecated without replacement.
-=item -
+=item *
DSA_sign(), DSA_do_sign(), DSA_sign_setup(), DSA_verify(), DSA_do_verify()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
ECDH_compute_key()
See L</Deprecated low-level key exchange functions>.
-=item -
+=item *
ECDH_KDF_X9_62()
@@ -1401,20 +1404,20 @@ Applications may either set this using the helper function
L<EVP_PKEY_CTX_set_ecdh_kdf_type(3)> or by setting an B<OSSL_PARAM> using the
"kdf-type" as shown in L<EVP_KEYEXCH-ECDH(7)/EXAMPLES>
-=item -
+=item *
ECDSA_sign(), ECDSA_sign_ex(), ECDSA_sign_setup(), ECDSA_do_sign(),
ECDSA_do_sign_ex(), ECDSA_verify(), ECDSA_do_verify()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
ECDSA_size()
Applications should use L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
EC_GF2m_simple_method(), EC_GFp_mont_method(), EC_GFp_nist_method(),
EC_GFp_nistp224_method(), EC_GFp_nistp256_method(), EC_GFp_nistp521_method(),
@@ -1424,20 +1427,20 @@ There are no replacements for these functions. Applications should rely on the
library automatically assigning a suitable method internally when an EC_GROUP
is constructed.
-=item -
+=item *
EC_GROUP_clear_free()
Use L<EC_GROUP_free(3)> instead.
-=item -
+=item *
EC_GROUP_get_curve_GF2m(), EC_GROUP_get_curve_GFp(), EC_GROUP_set_curve_GF2m(),
EC_GROUP_set_curve_GFp()
Applications should use L<EC_GROUP_get_curve(3)> and L<EC_GROUP_set_curve(3)>.
-=item -
+=item *
EC_GROUP_have_precompute_mult(), EC_GROUP_precompute_mult(),
EC_KEY_precompute_mult()
@@ -1445,7 +1448,7 @@ EC_KEY_precompute_mult()
These functions are not widely used. Applications should instead switch to
named curves which OpenSSL has hardcoded lookup tables for.
-=item -
+=item *
EC_GROUP_new(), EC_GROUP_method_of(), EC_POINT_method_of()
@@ -1453,19 +1456,19 @@ EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
internally without application intervention.
Users of EC_GROUP_new() should switch to a different suitable constructor.
-=item -
+=item *
EC_KEY_can_sign()
Applications should use L<EVP_PKEY_can_sign(3)> instead.
-=item -
+=item *
EC_KEY_check_key()
See L</Deprecated low-level validation functions>
-=item -
+=item *
EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()
@@ -1476,33 +1479,33 @@ B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH> and
B<OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC>.
See also L<EVP_PKEY-EC(7)/EXAMPLES>
-=item -
+=item *
EC_KEY_dup(), EC_KEY_copy()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
EC_KEY_decoded_from_explicit_params()
There is no replacement.
-=item -
+=item *
EC_KEY_generate_key()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
EC_KEY_get0_group(), EC_KEY_get0_private_key(), EC_KEY_get0_public_key(),
EC_KEY_get_conv_form(), EC_KEY_get_enc_flags()
See L</Deprecated low-level key parameter getters>.
-=item -
+=item *
EC_KEY_get0_engine(), EC_KEY_get_default_method(), EC_KEY_get_method(),
EC_KEY_new_method(), EC_KEY_get_ex_data(), EC_KEY_OpenSSL(),
@@ -1511,60 +1514,60 @@ EC_KEY_set_method()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
EC_METHOD_get_field_type()
Use L<EC_GROUP_get_field_type(3)> instead.
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
EC_KEY_key2buf(), EC_KEY_oct2key(), EC_KEY_oct2priv(), EC_KEY_priv2buf(),
EC_KEY_priv2oct()
There are no replacements for these.
-=item -
+=item *
EC_KEY_new(), EC_KEY_new_by_curve_name(), EC_KEY_free(), EC_KEY_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
EC_KEY_print(), EC_KEY_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
EC_KEY_set_asn1_flag(), EC_KEY_set_conv_form(), EC_KEY_set_enc_flags()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
EC_KEY_set_group(), EC_KEY_set_private_key(), EC_KEY_set_public_key(),
EC_KEY_set_public_key_affine_coordinates()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
ECParameters_print(), ECParameters_print_fp(), ECPKParameters_print(),
ECPKParameters_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
EC_POINT_bn2point(), EC_POINT_point2bn()
These functions were not particularly useful, since EC point serialization
formats are not individual big-endian integers.
-=item -
+=item *
EC_POINT_get_affine_coordinates_GF2m(), EC_POINT_get_affine_coordinates_GFp(),
EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp()
@@ -1572,7 +1575,7 @@ EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp()
Applications should use L<EC_POINT_get_affine_coordinates(3)> and
L<EC_POINT_set_affine_coordinates(3)> instead.
-=item -
+=item *
EC_POINT_get_Jprojective_coordinates_GFp(), EC_POINT_set_Jprojective_coordinates_GFp()
@@ -1580,41 +1583,41 @@ These functions are not widely used. Applications should instead use the
L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)>
functions.
-=item -
+=item *
EC_POINT_make_affine(), EC_POINTs_make_affine()
There is no replacement. These functions were not widely used, and OpenSSL
automatically performs this conversion when needed.
-=item -
+=item *
EC_POINT_set_compressed_coordinates_GF2m(), EC_POINT_set_compressed_coordinates_GFp()
Applications should use L<EC_POINT_set_compressed_coordinates(3)> instead.
-=item -
+=item *
EC_POINTs_mul()
This function is not widely used. Applications should instead use the
L<EC_POINT_mul(3)> function.
-=item -
+=item *
B<ENGINE_*()>
All engine functions are deprecated. An engine should be rewritten as a provider.
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
B<ERR_load_*()>, ERR_func_error_string(), ERR_get_error_line(),
ERR_get_error_line_data(), ERR_get_state()
OpenSSL now loads error strings automatically so these functions are not needed.
-=item -
+=item *
ERR_peek_error_line_data(), ERR_peek_last_error_line_data()
@@ -1625,7 +1628,7 @@ Applications should use L<ERR_get_error_all(3)>, or pick information
with ERR_peek functions and finish off with getting the error code by using
L<ERR_get_error(3)>.
-=item -
+=item *
EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_iv_noconst(), EVP_CIPHER_CTX_original_iv()
@@ -1634,14 +1637,14 @@ L<EVP_CIPHER_CTX_get_updated_iv(3)> and L<EVP_CIPHER_CTX_get_original_iv(3)>
respectively.
See L<EVP_CIPHER_CTX_get_original_iv(3)> for further information.
-=item -
+=item *
B<EVP_CIPHER_meth_*()>, EVP_MD_CTX_set_update_fn(), EVP_MD_CTX_update_fn(),
B<EVP_MD_meth_*()>
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_CTRL_PKCS7_ENCRYPT(), EVP_PKEY_CTRL_PKCS7_DECRYPT(),
EVP_PKEY_CTRL_PKCS7_SIGN(), EVP_PKEY_CTRL_CMS_ENCRYPT(),
@@ -1651,7 +1654,7 @@ These control operations are not invoked by the OpenSSL library anymore and
are replaced by direct checks of the key operation against the key type
when the operation is initialized.
-=item -
+=item *
EVP_PKEY_CTX_get0_dh_kdf_ukm(), EVP_PKEY_CTX_get0_ecdh_kdf_ukm()
@@ -1659,33 +1662,33 @@ See the "kdf-ukm" item in L<EVP_KEYEXCH-DH(7)/DH key exchange parameters> and
L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>.
These functions are obsolete and should not be required.
-=item -
+=item *
EVP_PKEY_CTX_set_rsa_keygen_pubexp()
Applications should use L<EVP_PKEY_CTX_set1_rsa_keygen_pubexp(3)> instead.
-=item -
+=item *
EVP_PKEY_cmp(), EVP_PKEY_cmp_parameters()
Applications should use L<EVP_PKEY_eq(3)> and L<EVP_PKEY_parameters_eq(3)> instead.
See L<EVP_PKEY_copy_parameters(3)> for further details.
-=item -
+=item *
EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(),