ossl-guide-migration.pod - OpenGrok cross reference for /freebsd/crypto/openssl/doc/man7/ossl-guide-migration.pod

Lines Matching +full:3 +full:l
16 L<https://github.com/openssl/openssl/blob/master/CHANGES.md>.
18 L<crypto(7)>.
57 In previous versions, OpenSSL was licensed under the L<dual OpenSSL and SSLeay
60 L<Apache License v2|https://www.openssl.org/source/apache-license-2.0.txt>.
72 be accessed using the L</Low Level APIs>.
86 the application should verify the result of the L<EVP_EncryptInit(3)>,
87 L<EVP_EncryptInit_ex(3)>, and L<EVP_DigestInit(3)> functions. In case when
90 See also L</Legacy Algorithms> for information on the legacy provider.
92 See also L</Completing the installation of the FIPS Module> and
93 L</Using the FIPS Module in applications>.
101 For example, the EVP APIs provide the functions L<EVP_EncryptInit_ex(3)>,
102 L<EVP_EncryptUpdate(3)> and L<EVP_EncryptFinal(3)> to perform symmetric
103 encryption. Those functions can be used with the algorithms AES, CHACHA, 3DES etc.
105 to call AES specific functions such as L<AES_set_encrypt_key(3)>,
106 L<AES_encrypt(3)>, and so on. The functions for 3DES are different.
115 This is described in more detail in L</Deprecation of Low Level Functions>
124 See L<OSSL_PROVIDER-legacy(7)> for a complete list of algorithms.
128 either programmatically or via configuration. See L<crypto(7)> man page for
135 modifies custom "METHODS" (for example L<EVP_MD_meth_new(3)>,
136 L<EVP_CIPHER_meth_new(3)>, L<EVP_PKEY_meth_new(3)>, L<RSA_meth_new(3)>,
137 L<EC_KEY_METHOD_new(3)>, etc.). These functions are being deprecated in
153 In this case the B<EVP_PKEY> objects created via L<ENGINE_load_private_key(3)>
165 B<EVP_PKEY>s L<EVP_PKEY_set1_RSA(3)>, L<EVP_PKEY_set1_EC_KEY(3)> or similar
182 For more information, see L<OpenSSL_version(3)>.
189 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_certreq(3)> as starting points.
205 All new applications should use the new L<EVP_KDF(3)> interface.
206 See also L<OSSL_PROVIDER-default(7)/Key Derivation Function (KDF)> and
207 L<OSSL_PROVIDER-FIPS(7)/Key Derivation Function (KDF)>.
215 L<EVP_DigestSign(3)> and L<EVP_DigestVerify(3)>.
217 All new applications should use the new L<EVP_MAC(3)> interface.
218 See also L<OSSL_PROVIDER-default(7)/Message Authentication Code (MAC)>
219 and L<OSSL_PROVIDER-FIPS(7)/Message Authentication Code (MAC)>.
228 See L<crypto(7)/Performance>, L<crypto(7)/Explicit fetching> and L<crypto(7)/Implicit fetching>.
244 See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>
250 See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.
256 See L<EVP_KEM-RSA(7)>.
262 See L<EVP_EncryptInit(3)/SIV Mode>.
305 L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.
323 L<PKCS12_add_key_ex(3)>, L<PKCS12_add_safe_ex(3)>, L<PKCS12_add_safes_ex(3)>,
324 L<PKCS12_create_ex(3)>, L<PKCS12_decrypt_skey_ex(3)>, L<PKCS12_init_ex(3)>,
325 L<PKCS12_item_decrypt_d2i_ex(3)>, L<PKCS12_item_i2d_encrypt_ex(3)>,
326 L<PKCS12_key_gen_asc_ex(3)>, L<PKCS12_key_gen_uni_ex(3)>, L<PKCS12_key_gen_utf8_ex(3)>,
327 L<PKCS12_pack_p7encdata_ex(3)>, L<PKCS12_pbe_crypt_ex(3)>, L<PKCS12_PBE_keyivgen_ex(3)>,
328 L<PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(3)>, L<PKCS5_pbe2_set_iv_ex(3)>,
329 L<PKCS5_pbe_set0_algor_ex(3)>, L<PKCS5_pbe_set_ex(3)>, L<PKCS5_pbkdf2_set_ex(3)>,
330 L<PKCS5_v2_PBE_keyivgen_ex(3)>, L<PKCS5_v2_scrypt_keyivgen_ex(3)>,
331 L<PKCS8_decrypt_ex(3)>, L<PKCS8_encrypt_ex(3)>, L<PKCS8_set0_pbe_ex(3)>.
336 L<EVP_PBE_CipherInit_ex(3)>, L<EVP_PBE_find_ex(3)> and L<EVP_PBE_scrypt_ex(3)>.
344 See L<EVP_KDF-PKCS12KDF(7)>, L<PKCS12_create(3)>, L<openssl-pkcs12(1)>,
345 L<OSSL_PROVIDER-FIPS(7)>.
361 categories. See L<OSSL_trace_enabled(3)>.
365 L<EVP_PKEY_public_check(3)> and L<EVP_PKEY_param_check(3)> now work for
368 parameters L<EVP_PKEY_param_check(3)> will always return 1.
379 See L<DEFINE_STACK_OF(3)> and L<DEFINE_LHASH_OF_EX(3)>.
383 The new L<EVP_RAND(3)> is a partial replacement: the DRBG callback framework is
391 L<EVP_default_properties_is_fips_enabled(3)> and
392 L<EVP_default_properties_enable_fips(3)>.
412 L<EVP_KDF-PBKDF2(7)>. The parameter can be set using L<EVP_KDF_derive(3)>.
446 Functions such as L<EVP_PKEY_get0_RSA(3)> behave slightly differently in
451 example using a function or macro such as L<EVP_PKEY_assign_RSA(3)>,
452 L<EVP_PKEY_set1_RSA(3)>, etc.
461 L<EVP_PKEY_get0_RSA(3)>, L<EVP_PKEY_get0_DSA(3)>, L<EVP_PKEY_get0_EC_KEY(3)> and
462 L<EVP_PKEY_get0_DH(3)> have been made const. This may break some existing code.
466 The L<EVP_PKEY_get1_RSA(3)>, L<EVP_PKEY_get1_DSA(3)>, L<EVP_PKEY_get1_EC_KEY(3)>
467 and L<EVP_PKEY_get1_DH(3)> functions continue to return a non-const pointer to
472 This may mean result in an error in L<EVP_PKEY_derive_set_peer(3)> rather than
473 during L<EVP_PKEY_derive(3)>.
478 The output from numerous "printing" functions such as L<X509_signature_print(3)>,
479 L<X509_print_ex(3)>, L<X509_CRL_print_ex(3)>, and other similar functions has been
496 result in errors. See L<EVP_PKEY-DH(7)> for further details. This affects the
497 behaviour of L<openssl-genpkey(1)> for DH parameter generation.
503 See L<EVP_EncryptInit(3)/FLAGS> for more information.
542 application. If this happens you have 3 options:
554 =item 3.
576 L</Upgrading from OpenSSL 1.1.1>, the main things to be aware of are:
615 =item 3.
617 Support for TLSv1.3 has been added.
620 L<TLS1.3 page|https://github.com/openssl/openssl/wiki/TLS1.3> for further details.
626 L<OpenSSL 1.1.0 Changes page|https://github.com/openssl/openssl/wiki/OpenSSL_1.1.0_Changes>.
634 L</Completing the installation of the FIPS Module>.
638 See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.
644 L<README-FIPS|https://github.com/openssl/openssl/blob/master/README-FIPS.md> file.
652 Read L<crypto(7)/Library contexts> for further information.
659 See L<crypto(7)/Library contexts> for further info.
661 If the user creates an B<OSSL_LIB_CTX> via L<OSSL_LIB_CTX_new(3)> then many
669 L<EVP_MD_fetch(3)>. See L<crypto(7)/ALGORITHM FETCHING>.
673 L<EVP_CIPHER_fetch(3)>. See L<crypto(7)/ALGORITHM FETCHING>.
676 context such as L<d2i_X509(3)>, L<d2i_X509_CRL(3)>, L<d2i_X509_REQ(3)> and
677 L<d2i_X509_PUBKEY(3)>. If NULL is passed instead then the created object will be
678 set up with the default library context. Use L<X509_new_ex(3)>,
679 L<X509_CRL_new_ex(3)>, L<X509_REQ_new_ex(3)> and L<X509_PUBKEY_new_ex(3)> if a
690 L<ASN1_item_new(3)>, L<ASN1_item_d2i(3)>, L<ASN1_item_d2i_fp(3)>,
691 L<ASN1_item_d2i_bio(3)>, L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>
695 L<BIO_new(3)>
703 L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>
707 L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
708 L<CMS_digest_create(3)>, L<CMS_EncryptedData_encrypt(3)>, L<CMS_encrypt(3)>,
709 L<CMS_EnvelopedData_create(3)>, L<CMS_ReceiptRequest_create0(3)> and L<CMS_sign(3)>
713 L<CONF_modules_load_file(3)>
717 L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>
721 L<CT_POLICY_EVAL_CTX_new(3)>
725 L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>
729 L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>
731 Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>
735 L<EC_GROUP_new(3)>
737 Use L<EC_GROUP_new_by_curve_name_ex(3)> or L<EC_GROUP_new_from_params(3)>.
741 L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>
745 L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>
749 L<PKCS5_PBE_keyivgen(3)>
753 L<EVP_PKCS82PKEY(3)>
757 L<EVP_PKEY_CTX_new_id(3)>
759 Use L<EVP_PKEY_CTX_new_from_name(3)>
763 L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
764 and L<EVP_PKEY_new_raw_public_key(3)>
768 L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>
772 L<NCONF_new(3)>
776 L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>
780 L<OPENSSL_thread_stop(3)>
784 L<OSSL_STORE_open(3)>
788 L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
789 L<PEM_read_PrivateKey(3)> and L<PEM_read_PUBKEY(3)>
793 L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
794 and L<PEM_write_PUBKEY(3)>
798 L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>
802 L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
803 L<PKCS12_create(3)>, L<PKCS12_decrypt_skey(3)>, L<PKCS12_init(3)>, L<PKCS12_item_decrypt_d2i(3)>,
804 L<PKCS12_item_i2d_encrypt(3)>, L<PKCS12_key_gen_asc(3)>, L<PKCS12_key_gen_uni(3)>,
805 L<PKCS12_key_gen_utf8(3)>, L<PKCS12_pack_p7encdata(3)>, L<PKCS12_pbe_crypt(3)>,
806 L<PKCS12_PBE_keyivgen(3)>, L<PKCS12_SAFEBAG_create_pkcs8_encrypt(3)>
810 L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
811 L<PKCS5_pbkdf2_set(3)> and L<PKCS5_v2_scrypt_keyivgen(3)>
815 L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>
819 L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>
823 L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>
827 L<SMIME_write_ASN1(3)>
831 L<SSL_load_client_CA_file(3)>
835 L<SSL_CTX_new(3)>
839 L<TS_RESP_CTX_new(3)>
843 L<X509_CRL_new(3)>
847 L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>
851 L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>
855 L<X509_NAME_hash(3)>
859 L<X509_new(3)>
863 L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>
867 L<X509_STORE_CTX_new(3)>, L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
868 L<X509_STORE_load_locations(3)> and L<X509_STORE_load_store(3)>
881 L<BIO_new_from_core_bio(3)>
885 L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>
889 L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>
893 L<EVP_default_properties_enable_fips(3)> and
894 L<EVP_default_properties_is_fips_enabled(3)>
898 L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>
902 L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>
906 L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>
910 L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>
914 L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>
918 L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>
922 L<EVP_PKEY_CTX_new_from_pkey(3)>
926 L<EVP_PKEY_Q_keygen(3)>
930 L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>
934 L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>
938 L<EVP_set_default_properties(3)>
942 L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>
946 L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>
950 L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>
954 L<OSSL_CRMF_MSG_create_popo(3)> and L<OSSL_CRMF_MSGS_verify_popo(3)>
958 L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>
962 L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>
966 L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>
970 L<OSSL_ENCODER_CTX_add_extra(3)>
974 L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>
978 L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>
982 L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
983 L<OSSL_PROVIDER_do_all(3)>, L<OSSL_PROVIDER_load(3)>,
984 L<OSSL_PROVIDER_set_default_search_path(3)> and L<OSSL_PROVIDER_try_load(3)>
988 L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>
992 L<OSSL_STORE_attach(3)>
996 L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>
1000 L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
1001 L<RAND_set_DRBG_type(3)> and L<RAND_set_seed_source_type(3)>
1007 Providers are described in detail here L<crypto(7)/Providers>.
1008 See also L<crypto(7)/OPENSSL PROVIDERS>.
1013 L<crypto(7)/ALGORITHM FETCHING>.
1015 =head3 Mapping EVP controls and flags to provider L<OSSL_PARAM(3)> parameters
1017 The existing functions for controls (such as L<EVP_CIPHER_CTX_ctrl(3)>) and
1018 manipulating flags (such as L<EVP_MD_CTX_set_flags(3)>)internally use
1020 See L<OSSL_PARAM(3)> for additional information related to parameters.
1022 For ciphers see L<EVP_EncryptInit(3)/CONTROLS>, L<EVP_EncryptInit(3)/FLAGS> and
1023 L<EVP_EncryptInit(3)/PARAMETERS>.
1025 For digests see L<EVP_DigestInit(3)/CONTROLS>, L<EVP_DigestInit(3)/FLAGS> and
1026 L<EVP_DigestInit(3)/PARAMETERS>.
1032 See L</Deprecated function mappings> for the list of deprecated functions
1047 have been deprecated. Applications should instead use the L<OSSL_DECODER(3)> and
1048 L<OSSL_ENCODER(3)> APIs to read and write files.
1049 See L<d2i_RSAPrivateKey(3)/Migration> for further details.
1055 (See L<OSSL_ENCODER_to_bio(3)>) or OSSL_DECODER (See L<OSSL_DECODER_from_bio(3)>)
1056 APIs, or alternatively use L<EVP_PKEY_fromdata(3)> or L<EVP_PKEY_todata(3)>.
1060 Functions that access low-level objects directly such as L<RSA_get0_n(3)> are now
1062 L<EVP_PKEY_get_bn_param(3)>,
1063 L<EVP_PKEY_get_int_param(3)>,
1064 L<EVP_PKEY_get_size_t_param(3)>,
1065 L<EVP_PKEY_get_utf8_string_param(3)>,
1066 L<EVP_PKEY_get_octet_string_param(3)>, or
1067 L<EVP_PKEY_get_params(3)>,
1070 L<EVP_PKEY-RSA(7)/Common RSA parameters>,
1071 L<EVP_PKEY-EC(7)/Common EC parameters>,
1072 L<EVP_PKEY-DSA(7)/DSA parameters>,
1073 L<EVP_PKEY-DH(7)/DH parameters>,
1074 L<EVP_PKEY-FFC(7)/FFC parameters>,
1075 L<EVP_PKEY-X25519(7)/Common X25519, X448, ED25519 and ED448 parameters>,
1076 L<EVP_PKEY-ML-DSA(7)/Common parameters>,
1078 L<EVP_PKEY-ML-KEM(7)/Common parameters>.
1079 Applications may also use L<EVP_PKEY_todata(3)> to return all fields.
1083 Functions that access low-level objects directly such as L<RSA_set0_crt_params(3)>
1084 are now deprecated. Applications should use L<EVP_PKEY_fromdata(3)> to create
1086 created, so if required the user may use L<EVP_PKEY_todata(3)>, L<OSSL_PARAM_merge(3)>,
1087 and L<EVP_PKEY_fromdata(3)> to create a modified key.
1088 See L<EVP_PKEY-DH(7)/Examples> for more information.
1089 See L</Deprecated low-level key generation functions> for information on
1094 Low-level objects were created using methods such as L<RSA_new(3)>,
1095 L<RSA_up_ref(3)> and L<RSA_free(3)>. Applications should instead use the
1096 high-level EVP_PKEY APIs, e.g. L<EVP_PKEY_new(3)>, L<EVP_PKEY_up_ref(3)> and
1097 L<EVP_PKEY_free(3)>.
1098 See also L<EVP_PKEY_CTX_new_from_name(3)> and L<EVP_PKEY_CTX_new_from_pkey(3)>.
1101 See also L</Deprecated low-level key generation functions>,
1102 L</Deprecated low-level key reading and writing functions> and
1103 L</Deprecated low-level key parameter setters>.
1107 Low-level encryption functions such as L<AES_encrypt(3)> and L<AES_decrypt(3)>
1109 instead use the high level EVP APIs L<EVP_EncryptInit_ex(3)>,
1110 L<EVP_EncryptUpdate(3)>, and L<EVP_EncryptFinal_ex(3)> or
1111 L<EVP_DecryptInit_ex(3)>, L<EVP_DecryptUpdate(3)> and L<EVP_DecryptFinal_ex(3)>.
1115 Use of low-level digest functions such as L<SHA1_Init(3)> have been
1117 use the high level EVP APIs L<EVP_DigestInit_ex(3)>, L<EVP_DigestUpdate(3)>
1118 and L<EVP_DigestFinal_ex(3)>, or the quick one-shot L<EVP_Q_digest(3)>.
1120 Note that the functions L<SHA1(3)>, L<SHA224(3)>, L<SHA256(3)>, L<SHA384(3)>
1121 and L<SHA512(3)> have changed to macros that use L<EVP_Q_digest(3)>.
1125 Use of low-level signing functions such as L<DSA_sign(3)> have been
1127 L<EVP_DigestSign(3)> and L<EVP_DigestVerify(3)>.
1128 See also L<EVP_SIGNATURE-RSA(7)>, L<EVP_SIGNATURE-DSA(7)>,
1129 L<EVP_SIGNATURE-ECDSA(7)> and L<EVP_SIGNATURE-ED25519(7)>.
1133 Low-level mac functions such as L<CMAC_Init(3)> are deprecated.
1134 Applications should instead use the new L<EVP_MAC(3)> interface, using
1135 L<EVP_MAC_CTX_new(3)>, L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>,
1136 L<EVP_MAC_update(3)> and L<EVP_MAC_final(3)> or the single-shot MAC function
1137 L<EVP_Q_mac(3)>.
1138 See L<EVP_MAC(3)>, L<EVP_MAC-HMAC(7)>, L<EVP_MAC-CMAC(7)>, L<EVP_MAC-GMAC(7)>,
1139 L<EVP_MAC-KMAC(7)>, L<EVP_MAC-BLAKE2(7)>, L<EVP_MAC-Poly1305(7)> and
1140 L<EVP_MAC-Siphash(7)> for additional information.
1147 Low-level validation functions such as L<DH_check(3)> have been informally
1149 EVP_PKEY APIs such as L<EVP_PKEY_check(3)>, L<EVP_PKEY_param_check(3)>,
1150 L<EVP_PKEY_param_check_quick(3)>, L<EVP_PKEY_public_check(3)>,
1151 L<EVP_PKEY_public_check_quick(3)>, L<EVP_PKEY_private_check(3)>,
1152 and L<EVP_PKEY_pairwise_check(3)>.
1157 time. Applications should instead use L<EVP_PKEY_derive(3)>.
1158 See L<EVP_KEYEXCH-DH(7)>, L<EVP_KEYEXCH-ECDH(7)> and L<EVP_KEYEXCH-X25519(7)>.
1163 time. Applications should instead use L<EVP_PKEY_keygen_init(3)> and
1164 L<EVP_PKEY_generate(3)> as described in L<EVP_PKEY-DSA(7)>, L<EVP_PKEY-DH(7)>,
1165 L<EVP_PKEY-RSA(7)>, L<EVP_PKEY-EC(7)> and L<EVP_PKEY-X25519(7)>.
1166 The 'quick' one-shot function L<EVP_PKEY_Q_keygen(3)> and macros for the most
1167 common cases: <EVP_RSA_gen(3)> and L<EVP_EC_gen(3)> may also be used.
1174 L<OSSL_ENCODER_to_bio(3)> and L<OSSL_DECODER_from_bio(3)>.
1181 Application should use one of L<EVP_PKEY_print_public(3)>,
1182 L<EVP_PKEY_print_private(3)>, L<EVP_PKEY_print_params(3)>,
1183 L<EVP_PKEY_print_public_fp(3)>, L<EVP_PKEY_print_private_fp(3)> or
1184 L<EVP_PKEY_print_params_fp(3)>. Note that internally these use
1185 L<OSSL_ENCODER_to_bio(3)> and L<OSSL_DECODER_from_bio(3)>.
1216 See L</Deprecated low-level encryption functions>
1235 Use L<ASN1_STRING_set(3)> or L<ASN1_STRING_set0(3)> instead.
1244 See L</Deprecated low-level encryption functions>.
1245 The Blowfish algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
1263 Use L<BN_check_prime(3)> which avoids possible misuse and always uses at least
1270 Use L<BN_rand(3)> and L<BN_rand_range(3)>.
1278 Use L<EVP_PKEY_keygen(3)> instead.
1287 See L</Deprecated low-level encryption functions>.
1294 See L</Deprecated low-level encryption functions>.
1295 The CAST algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
1302 See L</Deprecated low-level MAC functions>.
1308 See L</Deprecated low-level MAC functions>.
1330 L<EVP_EncryptInit(3)/Gettable and Settable EVP_CIPHER_CTX parameters>.
1331 See L<EVP_EncryptInit(3)/EXAMPLES> for a AES-256-CBC-CTS example.
1345 See L</Deprecated i2d and d2i functions for low-level key types>
1351 Use L<EVP_PKEY_set1_encoded_public_key(3)>.
1352 See L</Deprecated low-level key parameter setters>
1366 See L</Deprecated low-level encryption functions>.
1368 "DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
1374 Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
1375 L<EVP_PKEY_get_size(3)>.
1382 See L</Deprecated low-level validation functions>
1397 See L</Deprecated low-level key exchange functions>.
1403 See L</Deprecated low-level object creation>
1409 See L</Deprecated low-level key generation functions>.
1416 See L</Deprecated low-level key parameter getters>
1423 L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
1430 Applications should use L<EVP_PKEY_CTX_set_dh_kdf_type(3)> instead.
1438 See L</Providers are a replacement for engines and low-level method overrides>
1444 See L</Deprecated low-level key printing functions>
1450 See L</Deprecated low-level key parameter setters>
1456 Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
1457 L<EVP_PKEY_get_size(3)>.
1463 There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
1464 and L<EVP_PKEY_dup(3)> instead.
1470 See L</Deprecated low-level key generation functions>.
1478 See L</Providers are a replacement for engines and low-level method overrides>.
1485 See L</Deprecated low-level key parameter getters>.
1491 See L</Deprecated low-level object creation>
1497 There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
1498 and L<EVP_PKEY_dup(3)> instead.
1504 See L</Deprecated low-level key printing functions>
1510 See L</Deprecated low-level key parameter setters>
1522 See L</Deprecated low-level signing functions>.
1528 See L</Deprecated low-level key exchange functions>.
1535 L<EVP_PKEY_CTX_set_ecdh_kdf_type(3)> or by setting an L<OSSL_PARAM(3)> using the
1536 "kdf-type" as shown in L<EVP_KEYEXCH-ECDH(7)/EXAMPLES>
1543 See L</Deprecated low-level signing functions>.
1549 Applications should use L<EVP_PKEY_get_size(3)>.
1565 Use L<EC_GROUP_free(3)> instead.
1572 Applications should use L<EC_GROUP_get_curve(3)> and L<EC_GROUP_set_curve(3)>.
1594 Applications should use L<EVP_PKEY_can_sign(3)> instead.
1600 See L</Deprecated low-level validation functions>
1606 See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as separate
1611 See also L<EVP_PKEY-EC(7)/EXAMPLES>
1617 There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
1618 and L<EVP_PKEY_dup(3)> instead.
1630 See L</Deprecated low-level key generation functions>.
1637 See L</Deprecated low-level key parameter getters>.
1646 See L</Providers are a replacement for engines and low-level method overrides>
1652 Use L<EC_GROUP_get_field_type(3)> instead.
1653 See L</Providers are a replacement for engines and low-level method overrides>
1666 See L</Deprecated low-level object creation>
1672 See L</Deprecated low-level key printing functions>
1678 See L</Deprecated low-level key parameter setters>.
1685 See L</Deprecated low-level key parameter setters>.
1692 See L</Deprecated low-level key printing functions>
1706 Applications should use L<EC_POINT_get_affine_coordinates(3)> and
1707 L<EC_POINT_set_affine_coordinates(3)> instead.
1714 L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)>
1728 Applications should use L<EC_POINT_set_compressed_coordinates(3)> instead.
1735 L<EC_POINT_mul(3)> function.
1742 See L</Providers are a replacement for engines and low-level method overrides>.
1755 The new functions are L<ERR_peek_error_func(3)>, L<ERR_peek_last_error_func(3)>,
1756 L<ERR_peek_error_data(3)>, L<ERR_peek_last_error_data(3)>, L<ERR_get_error_all(3)>,
1757 L<ERR_peek_error_all(3)> and L<ERR_peek_last_error_all(3)>.
1758 Applications should use L<ERR_get_error_all(3)>, or pick information
1760 L<ERR_get_error(3)>.
1766 Applications should instead use L<EVP_CIPHER_CTX_get_updated_iv(3)>,
1767 L<EVP_CIPHER_CTX_get_updated_iv(3)> and L<EVP_CIPHER_CTX_get_original_iv(3)>
1769 See L<EVP_CIPHER_CTX_get_original_iv(3)> for further information.
1776 See L</Providers are a replacement for engines and low-level method overrides>.
1792 See the "kdf-ukm" item in L<EVP_KEYEXCH-DH(7)/DH key exchange parameters> and
1793 L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>.
1800 Applications should use L<EVP_PKEY_CTX_set1_rsa_keygen_pubexp(3)> instead.
1806 Applications should use L<EVP_PKEY_eq(3)> and L<EVP_PKEY_parameters_eq(3)> instead.
1807 See L<EVP_PKEY_copy_parameters(3)> for further details.
1813 Applications should use L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)> or
1814 L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)> instead.
1828 See L</Functions that return an internal key should be treated as read only>.
1834 See L</Providers are a replacement for engines and low-level method overrides>.
1840 See L</Deprecated low-level MAC functions>.
1847 See L</Deprecated low-level key object getters and setters>
1855 generic functions L<EVP_PKEY_set1_encoded_public_key(3)> and
1856 L<EVP_PKEY_get1_encoded_public_key(3)>.
1864 See L</Providers are a replacement for engines and low-level method overrides>.
1871 See L</EVP_PKEY_set_alias_type() method has been removed>
1877 See L</Deprecated low-level MAC functions>.
1884 See L</Deprecated low-level MAC functions>.
1890 See L</Deprecated low-level key reading and writing functions>
1891 and L<d2i_RSAPrivateKey(3)/Migration>
1899 See L</Deprecated low-level key reading and writing functions>
1900 and L<d2i_RSAPrivateKey(3)/Migration>
1908 See L</Deprecated low-level key reading and writing functions>
1909 and L<d2i_RSAPrivateKey(3)/Migration>
1915 Use L<EVP_PKEY_get1_encoded_public_key(3)>.
1916 See L</Deprecated low-level key parameter getters>
1924 See L</Deprecated low-level key reading and writing functions>
1925 and L<d2i_RSAPrivateKey(3)/Migration>
1933 See L</Deprecated low-level encryption functions>.
1934 IDEA has been moved to the L<Legacy Provider|/Legacy Algorithms>.
1946 See L</Deprecated low-level encryption functions>.
1947 MD2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
1959 See L</Deprecated low-level encryption functions>.
1960 MD4 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
1966 See L</Deprecated low-level encryption functions>.
1967 MDC2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
1973 See L</Deprecated low-level encryption functions>.
1980 See L<config(5)/HISTORY> for more details.
1986 Use L<OSSL_HTTP_parse_url(3)> instead.
1995 with B<OSSL_HTTP_REQ_CTX_*()>. See L<OSSL_HTTP_REQ_CTX(3)> for additional
2019 provider implementations, see L<provider-storemgmt(7)>.
2040 See L</Deprecated low-level key reading and writing functions>
2046 See L</Deprecated low-level encryption functions>.
2053 Applications should instead use L<RAND_set_DRBG_type(3)>,
2054 L<EVP_RAND(3)> and L<EVP_RAND(7)>.
2055 See L<RAND_set_rand_method(3)> for more details.
2065 See L</Deprecated low-level encryption functions>.
2066 The Algorithms "RC2", "RC4" and "RC5" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
2073 See L</Deprecated low-level digest functions>.
2074 The RIPE algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
2080 Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
2081 L<EVP_PKEY_get_size(3)>.
2087 See L</Deprecated low-level validation functions>
2104 See L</Deprecated low-level key generation functions>.
2110 See L</Providers are a replacement for engines and low-level method overrides>
2120 See L</Deprecated low-level key parameter getters>
2126 See L</Deprecated low-level object creation>.
2132 See L</Providers are a replacement for engines and low-level method overrides>.
2144 See L</Providers are a replacement for engines and low-level method overrides>.
2150 See L</Deprecated low-level signing functions> and
2151 L</Deprecated low-level encryption functions>.
2157 See L</Deprecated low-level key printing functions>
2163 See L</Deprecated low-level encryption functions>
2170 mode of none). See L</Deprecated low-level signing functions>.
2176 There is no direct replacement. Applications may use L<EVP_PKEY_dup(3)>.
2182 See L</Deprecated low-level key reading and writing functions>
2189 See L</Deprecated low-level key parameter setters>.
2195 See L</Providers are a replacement for engines and low-level method overrides>
2203 See L</Deprecated low-level signing functions>.
2210 X931 padding can be set using L<EVP_SIGNATURE-RSA(7)/Signature Parameters>.
2218 See L</Deprecated low-level encryption functions>.
2219 The SEED algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
2229 See L</Deprecated low-level digest functions>.
2249 the built-in DH parameters that are available by calling L<SSL_CTX_set_dh_auto(3)>
2250 or L<SSL_set_dh_auto(3)>. If custom parameters are necessary then applications can
2251 use the alternative functions L<SSL_CTX_set0_tmp_dh_pkey(3)> and
2252 L<SSL_set0_tmp_dh_pkey(3)>. There is no direct replacement for the "callback"
2262 Use the new L<SSL_CTX_set_tlsext_ticket_key_evp_cb(3)> function instead.
2269 See L</Deprecated low-level digest functions>.
2270 The Whirlpool algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
2276 This was an undocumented function. Applications can use L<X509_get0_pubkey(3)>
2277 and L<X509_get0_signature(3)> instead.
2283 Use L<X509_load_http(3)> and L<X509_CRL_load_http(3)> instead.
2299 such EVP_PKEY by calling L<OBJ_nid2sn(3)>. With the introduction
2300 of L<provider(7)>s EVP_PKEY_id() or its new equivalent
2301 L<EVP_PKEY_get_id(3)> might now also return the value -1
2304 L<EVP_PKEY_get0_type_name(3)> is recommended for retrieving
2311 See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.
2317 L<B<openssl kdf>|openssl-kdf(1)> uses the new L<EVP_KDF(3)> API.
2318 L<B<openssl kdf>|openssl-mac(1)> uses the new L<EVP_MAC(3)> API.
2328 The B<list> app has many new options. See L<openssl-list(1)> for more
2388 Support for fully "pluggable" TLSv1.3 groups.
2405 See L<SSL_CTX_get_options(3)>, L<SSL_CTX_set_options(3)>,
2406 L<SSL_get_options(3)> and L<SSL_set_options(3)>.
2421 (e.g.: data received by L<SSL_read(3)>).
2443 Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
2446 connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
2449 TLS connections in such a build without also disabling TLSv1.3 at run time or
2450 using third party provider groups may result in handshake failures. TLSv1.3
2484 This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
2487 with C<@SECLEVEL>, or calling L<SSL_CTX_set_security_level(3)>. This also means
2499 string with C<@SECLEVEL>, or calling L<SSL_CTX_set_security_level(3)>. If the
2500 leaf certificate is signed with SHA-1, a call to L<SSL_CTX_use_certificate(3)>
2503 be set using L<X509_VERIFY_PARAM_set_auth_level(3)> or using the B<-auth_level>
2510 L<fips_module(7)>
2523 L<https://www.openssl.org/source/license.html>.