Lines Matching +full:3 +full:a

82 want to operate in a FIPS approved manner.  The algorithms are:
100 OpenSSL 3.0 is a major release and consequently any application that currently
122 With OpenSSL 3.0 it is possible to specify, either programmatically or via a
136 There is however a dedicated \f(CW\*(C`install_fips\*(C'\fR make target, which serves the
140 Not all algorithms may be available for the application at a particular moment.
142 the application should verify the result of the \fBEVP_EncryptInit\fR\|(3),
143 \&\fBEVP_EncryptInit_ex\fR\|(3), and \fBEVP_DigestInit\fR\|(3) functions. In case when
157 types. The "low level" APIs are targeted at a specific algorithm implementation.
158 For example, the EVP APIs provide the functions \fBEVP_EncryptInit_ex\fR\|(3),
159 \&\fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_EncryptFinal\fR\|(3) to perform symmetric
160 encryption. Those functions can be used with the algorithms AES, CHACHA, 3DES etc.
162 to call AES specific functions such as \fBAES_set_encrypt_key\fR\|(3),
163 \&\fBAES_encrypt\fR\|(3), and so on. The functions for 3DES are different.
165 development team for a long time. However in OpenSSL 3.0 this is made more
181 This can be as simple as a config file change, or can be done programmatically.
182 See \fBOSSL_PROVIDER\-legacy\fR\|(7) for a complete list of algorithms.
194 modifies custom "METHODS" (for example \fBEVP_MD_meth_new\fR\|(3),
195 \&\fBEVP_CIPHER_meth_new\fR\|(3), \fBEVP_PKEY_meth_new\fR\|(3), \fBRSA_meth_new\fR\|(3),
196 \&\fBEC_KEY_METHOD_new\fR\|(3), etc.). These functions are being deprecated in
213 In this case the \fBEVP_PKEY\fR objects created via \fBENGINE_load_private_key\fR\|(3)
224 \&\fBPEM_\fR or \fBd2i_\fR APIs will be provider-based. To create a fully legacy
225 \&\fBEVP_PKEY\fRs \fBEVP_PKEY_set1_RSA\fR\|(3), \fBEVP_PKEY_set1_EC_KEY\fR\|(3) or similar
236 For OpenSSL 1.1.1 and below, different patch levels were indicated by a letter
238 instead the patch level is indicated by the final number in the version. A
243 For more information, see \fBOpenSSL_version\fR\|(3).
252 See \fBopenssl\-cmp\fR\|(1) and \fBOSSL_CMP_exec_certreq\fR\|(3) as starting points.
257 A proper HTTP(S) client that supports GET and POST, redirection, plain and
266 which was not a logical mapping.
270 All new applications should use the new \fBEVP_KDF\fR\|(3) interface.
279 This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued
281 \&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3).
283 All new applications should use the new \fBEVP_MAC\fR\|(3) interface.
291 incur a performance penalty when using providers.
293 This is much slower than directly accessing a method table.
321 See "SIV Mode" in \fBEVP_EncryptInit\fR\|(3).
346 Its purpose is to support encryption and decryption of a digital envelope that
349 \&\fBPKCS7_get_octet_string\fR\|(3) and \fBPKCS7_type_is_other\fR\|(3) were made public.
362 Added enhanced PKCS#12 APIs which accept a library context \fBOSSL_LIB_CTX\fR
363 and (where relevant) a property query. Other APIs which handle PKCS#7 and
366 \&\fBPKCS12_add_key_ex\fR\|(3), \fBPKCS12_add_safe_ex\fR\|(3), \fBPKCS12_add_safes_ex\fR\|(3),
367 \&\fBPKCS12_create_ex\fR\|(3), \fBPKCS12_decrypt_skey_ex\fR\|(3), \fBPKCS12_init_ex\fR\|(3),
368 \&\fBPKCS12_item_decrypt_d2i_ex\fR\|(3), \fBPKCS12_item_i2d_encrypt_ex\fR\|(3),
369 \&\fBPKCS12_key_gen_asc_ex\fR\|(3), \fBPKCS12_key_gen_uni_ex\fR\|(3), \fBPKCS12_key_gen_utf8_ex\fR\…
370 \&\fBPKCS12_pack_p7encdata_ex\fR\|(3), \fBPKCS12_pbe_crypt_ex\fR\|(3), \fBPKCS12_PBE_keyivgen_ex\fR…
371 \&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt_ex\fR\|(3), \fBPKCS5_pbe2_set_iv_ex\fR\|(3),
372 \&\fBPKCS5_pbe_set0_algor_ex\fR\|(3), \fBPKCS5_pbe_set_ex\fR\|(3), \fBPKCS5_pbkdf2_set_ex\fR\|(3),
373 \&\fBPKCS5_v2_PBE_keyivgen_ex\fR\|(3), \fBPKCS5_v2_scrypt_keyivgen_ex\fR\|(3),
374 \&\fBPKCS8_decrypt_ex\fR\|(3), \fBPKCS8_encrypt_ex\fR\|(3), \fBPKCS8_set0_pbe_ex\fR\|(3).
376 As part of this change the EVP_PBE_xxx APIs can also accept a library
379 \&\fBEVP_PBE_CipherInit_ex\fR\|(3), \fBEVP_PBE_find_ex\fR\|(3) and \fBEVP_PBE_scrypt_ex\fR\|(3).
384 Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure
385 is created with a MAC that does not work with the FIPS provider as the PKCS12KDF
386 is not a FIPS approvable mechanism.
388 See \fBEVP_KDF\-PKCS12KDF\fR\|(7), \fBPKCS12_create\fR\|(3), \fBopenssl\-pkcs12\fR\|(1),
400 A new generic trace API has been added which provides support for enabling
406 registering BIOs as trace channels for a number of tracing and debugging
407 categories. See \fBOSSL_trace_enabled\fR\|(3).
412 \&\fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_param_check\fR\|(3) now work for
415 parameters \fBEVP_PKEY_param_check\fR\|(3) will always return 1.
429 See \fBDEFINE_STACK_OF\fR\|(3) and \fBDEFINE_LHASH_OF_EX\fR\|(3).
434 The new \fBEVP_RAND\fR\|(3) is a partial replacement: the DRBG callback framework is
443 \&\fBEVP_default_properties_is_fips_enabled\fR\|(3) and
444 \&\fBEVP_default_properties_enable_fips\fR\|(3).
466 \&\fBEVP_KDF\-PBKDF2\fR\|(7). The parameter can be set using \fBEVP_KDF_derive\fR\|(3).
468 Enforce a minimum DH modulus size of 512 bits
469 .IX Subsection "Enforce a minimum DH modulus size of 512 bits"
491 In particular, a private scalar \fIk\fR outside the range \fI1 <= k < n\-1\fR is
497 This function made a \fBEVP_PKEY\fR object mutable after it had been set up. In
498 OpenSSL 3.0 it was decided that a provided key should not be able to change its
504 Functions such as \fBEVP_PKEY_get0_RSA\fR\|(3) behave slightly differently in
505 OpenSSL 3.0. Previously they returned a pointer to the low-level key used
506 internally by libcrypto. From OpenSSL 3.0 this key may now be held in a
507 provider. Calling these functions will only return a handle on the internal key
509 example using a function or macro such as \fBEVP_PKEY_assign_RSA\fR\|(3),
510 \&\fBEVP_PKEY_set1_RSA\fR\|(3), etc.
511 Where the EVP_PKEY holds a provider managed key, then these functions now return
512 a cached copy of the key. Changes to the internal provider key that take place
519 \&\fBEVP_PKEY_get0_RSA\fR\|(3), \fBEVP_PKEY_get0_DSA\fR\|(3), \fBEVP_PKEY_get0_EC_KEY\fR\|(3) and
520 \&\fBEVP_PKEY_get0_DH\fR\|(3) have been made const. This may break some existing code.
523 this the code should be modified to use a const pointer instead.
524 The \fBEVP_PKEY_get1_RSA\fR\|(3), \fBEVP_PKEY_get1_DSA\fR\|(3), \fBEVP_PKEY_get1_EC_KEY\fR\|(3)
525 and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non-const pointer to
531 This may result in an error in \fBEVP_PKEY_derive_set_peer\fR\|(3) rather than
532 during \fBEVP_PKEY_derive\fR\|(3).
538 The output from numerous "printing" functions such as \fBX509_signature_print\fR\|(3),
539 \&\fBX509_print_ex\fR\|(3), \fBX509_CRL_print_ex\fR\|(3), and other similar functions has been
553 invalid inputs, now return \-1 indicating a generic error condition instead.
565 If using a cipher from a provider the \fBEVP_CIPH_FLAG_LENGTH_BITS\fR flag can only
567 See "FLAGS" in \fBEVP_EncryptInit\fR\|(3) for more information.
588 ChaCha20\-Poly1305 cipher does not allow a truncated IV length to be used
589 .IX Subsection "ChaCha20-Poly1305 cipher does not allow a truncated IV length to be used"
607 application. If this happens you have 3 options:
609 … and you may still use them. However be aware that they may be removed from a future version of Op…
612 .IP 3. 4
618 As OpenSSL 3.0 provides a brand new Encoder/Decoder mechanism for working with
644 function call (typically those function names have a \f(CW\*(C`_new\*(C'\fR suffix to them).
667 .IP 3. 4
668 Support for TLSv1.3 has been added.
670 This has a number of implications for SSL/TLS applications. See the
671 TLS1.3 page <https://github.com/openssl/openssl/wiki/TLS1.3> for further details.
680 The OpenSSL 2.0 FIPS Object Module was a separate download that had to be built
683 OpenSSL and is no longer a separate download. For further information see
705 A library context allows different components of a complex application to each
706 use a different library context and have different providers loaded with
710 If the user creates an \fBOSSL_LIB_CTX\fR via \fBOSSL_LIB_CTX_new\fR\|(3) then many
714 Using a Library Context \- Old functions that should be changed
715 .IX Subsection "Using a Library Context - Old functions that should be changed"
717 If a library context is needed then all EVP_* digest functions that return a
718 \&\fBconst EVP_MD *\fR such as \fBEVP_sha256()\fR should be replaced with a call to
719 \&\fBEVP_MD_fetch\fR\|(3). See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
721 If a library context is needed then all EVP_* cipher functions that return a
722 \&\fBconst EVP_CIPHER *\fR such as \fBEVP_aes_128_cbc()\fR should be replaced with a call to
723 \&\fBEVP_CIPHER_fetch\fR\|(3). See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
725 Some functions can be passed an object that has already been set up with a library
726 context such as \fBd2i_X509\fR\|(3), \fBd2i_X509_CRL\fR\|(3), \fBd2i_X509_REQ\fR\|(3) and
727 \&\fBd2i_X509_PUBKEY\fR\|(3). If NULL is passed instead then the created object will be
728 set up with the default library context. Use \fBX509_new_ex\fR\|(3),
729 \&\fBX509_CRL_new_ex\fR\|(3), \fBX509_REQ_new_ex\fR\|(3) and \fBX509_PUBKEY_new_ex\fR\|(3) if a
732 All functions listed below with a \fINAME\fR have a replacement function \fINAME_ex\fR
736 \&\fBASN1_item_new\fR\|(3), \fBASN1_item_d2i\fR\|(3), \fBASN1_item_d2i_fp\fR\|(3),
737 \&\fBASN1_item_d2i_bio\fR\|(3), \fBASN1_item_sign\fR\|(3) and \fBASN1_item_verify\fR\|(3)
739 \&\fBBIO_new\fR\|(3)
743 \&\fBBN_CTX_new\fR\|(3) and \fBBN_CTX_secure_new\fR\|(3)
745 \&\fBCMS_AuthEnvelopedData_create\fR\|(3), \fBCMS_ContentInfo_new\fR\|(3), \fBCMS_data_create\fR\|(
746 \&\fBCMS_digest_create\fR\|(3), \fBCMS_EncryptedData_encrypt\fR\|(3), \fBCMS_encrypt\fR\|(3),
747 \&\fBCMS_EnvelopedData_create\fR\|(3), \fBCMS_ReceiptRequest_create0\fR\|(3) and \fBCMS_sign\fR\|(3)
749 \&\fBCONF_modules_load_file\fR\|(3)
751 \&\fBCTLOG_new\fR\|(3), \fBCTLOG_new_from_base64\fR\|(3) and \fBCTLOG_STORE_new\fR\|(3)
753 \&\fBCT_POLICY_EVAL_CTX_new\fR\|(3)
755 \&\fBd2i_AutoPrivateKey\fR\|(3), \fBd2i_PrivateKey\fR\|(3) and \fBd2i_PUBKEY\fR\|(3)
757 \&\fBd2i_PrivateKey_bio\fR\|(3) and \fBd2i_PrivateKey_fp\fR\|(3)
759 Use \fBd2i_PrivateKey_ex_bio\fR\|(3) and \fBd2i_PrivateKey_ex_fp\fR\|(3)
761 \&\fBEC_GROUP_new\fR\|(3)
763 Use \fBEC_GROUP_new_by_curve_name_ex\fR\|(3) or \fBEC_GROUP_new_from_params\fR\|(3).
765 \&\fBEVP_DigestSignInit\fR\|(3) and \fBEVP_DigestVerifyInit\fR\|(3)
767 \&\fBEVP_PBE_CipherInit\fR\|(3), \fBEVP_PBE_find\fR\|(3) and \fBEVP_PBE_scrypt\fR\|(3)
769 \&\fBPKCS5_PBE_keyivgen\fR\|(3)
771 \&\fBEVP_PKCS82PKEY\fR\|(3)
773 \&\fBEVP_PKEY_CTX_new_id\fR\|(3)
775 Use \fBEVP_PKEY_CTX_new_from_name\fR\|(3)
777 \&\fBEVP_PKEY_derive_set_peer\fR\|(3), \fBEVP_PKEY_new_raw_private_key\fR\|(3)
778 and \fBEVP_PKEY_new_raw_public_key\fR\|(3)
780 \&\fBEVP_SignFinal\fR\|(3) and \fBEVP_VerifyFinal\fR\|(3)
782 \&\fBNCONF_new\fR\|(3)
784 \&\fBOCSP_RESPID_match\fR\|(3) and \fBOCSP_RESPID_set_by_key\fR\|(3)
786 \&\fBOPENSSL_thread_stop\fR\|(3)
788 \&\fBOSSL_STORE_open\fR\|(3)
790 \&\fBPEM_read_bio_Parameters\fR\|(3), \fBPEM_read_bio_PrivateKey\fR\|(3), \fBPEM_read_bio_PUBKEY\fR…
791 \&\fBPEM_read_PrivateKey\fR\|(3) and \fBPEM_read_PUBKEY\fR\|(3)
793 \&\fBPEM_write_bio_PrivateKey\fR\|(3), \fBPEM_write_bio_PUBKEY\fR\|(3), \fBPEM_write_PrivateKey\fR\…
794 and \fBPEM_write_PUBKEY\fR\|(3)
796 \&\fBPEM_X509_INFO_read_bio\fR\|(3) and \fBPEM_X509_INFO_read\fR\|(3)
798 \&\fBPKCS12_add_key\fR\|(3), \fBPKCS12_add_safe\fR\|(3), \fBPKCS12_add_safes\fR\|(3),
799 \&\fBPKCS12_create\fR\|(3), \fBPKCS12_decrypt_skey\fR\|(3), \fBPKCS12_init\fR\|(3), \fBPKCS12_item_…
800 \&\fBPKCS12_item_i2d_encrypt\fR\|(3), \fBPKCS12_key_gen_asc\fR\|(3), \fBPKCS12_key_gen_uni\fR\|(3),
801 \&\fBPKCS12_key_gen_utf8\fR\|(3), \fBPKCS12_pack_p7encdata\fR\|(3), \fBPKCS12_pbe_crypt\fR\|(3),
802 \&\fBPKCS12_PBE_keyivgen\fR\|(3), \fBPKCS12_SAFEBAG_create_pkcs8_encrypt\fR\|(3)
804 \&\fBPKCS5_pbe_set0_algor\fR\|(3), \fBPKCS5_pbe_set\fR\|(3), \fBPKCS5_pbe2_set_iv\fR\|(3),
805 \&\fBPKCS5_pbkdf2_set\fR\|(3) and \fBPKCS5_v2_scrypt_keyivgen\fR\|(3)
807 \&\fBPKCS7_encrypt\fR\|(3), \fBPKCS7_new\fR\|(3) and \fBPKCS7_sign\fR\|(3)
809 \&\fBPKCS8_decrypt\fR\|(3), \fBPKCS8_encrypt\fR\|(3) and \fBPKCS8_set0_pbe\fR\|(3)
811 \&\fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3)
813 \&\fBSMIME_write_ASN1\fR\|(3)
815 \&\fBSSL_load_client_CA_file\fR\|(3)
817 \&\fBSSL_CTX_new\fR\|(3)
819 \&\fBTS_RESP_CTX_new\fR\|(3)
821 \&\fBX509_CRL_new\fR\|(3)
823 \&\fBX509_load_cert_crl_file\fR\|(3) and \fBX509_load_cert_file\fR\|(3)
825 \&\fBX509_LOOKUP_by_subject\fR\|(3) and \fBX509_LOOKUP_ctrl\fR\|(3)
827 \&\fBX509_NAME_hash\fR\|(3)
829 \&\fBX509_new\fR\|(3)
831 \&\fBX509_REQ_new\fR\|(3) and \fBX509_REQ_verify\fR\|(3)
833 \&\fBX509_STORE_CTX_new\fR\|(3), \fBX509_STORE_set_default_paths\fR\|(3), \fBX509_STORE_load_file\f…
834 \&\fBX509_STORE_load_locations\fR\|(3) and \fBX509_STORE_load_store\fR\|(3)
836 New functions that use a Library context
837 .IX Subsection "New functions that use a Library context"
839 The following functions can be passed a library context if required.
842 \&\fBBIO_new_from_core_bio\fR\|(3)
844 \&\fBEVP_ASYM_CIPHER_fetch\fR\|(3) and \fBEVP_ASYM_CIPHER_do_all_provided\fR\|(3)
846 \&\fBEVP_CIPHER_fetch\fR\|(3) and \fBEVP_CIPHER_do_all_provided\fR\|(3)
848 \&\fBEVP_default_properties_enable_fips\fR\|(3) and
849 \&\fBEVP_default_properties_is_fips_enabled\fR\|(3)
851 \&\fBEVP_KDF_fetch\fR\|(3) and \fBEVP_KDF_do_all_provided\fR\|(3)
853 \&\fBEVP_KEM_fetch\fR\|(3) and \fBEVP_KEM_do_all_provided\fR\|(3)
855 \&\fBEVP_KEYEXCH_fetch\fR\|(3) and \fBEVP_KEYEXCH_do_all_provided\fR\|(3)
857 \&\fBEVP_KEYMGMT_fetch\fR\|(3) and \fBEVP_KEYMGMT_do_all_provided\fR\|(3)
859 \&\fBEVP_MAC_fetch\fR\|(3) and \fBEVP_MAC_do_all_provided\fR\|(3)
861 \&\fBEVP_MD_fetch\fR\|(3) and \fBEVP_MD_do_all_provided\fR\|(3)
863 \&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3)
865 \&\fBEVP_PKEY_Q_keygen\fR\|(3)
867 \&\fBEVP_Q_mac\fR\|(3) and \fBEVP_Q_digest\fR\|(3)
869 \&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND_do_all_provided\fR\|(3)
871 \&\fBEVP_set_default_properties\fR\|(3)
873 \&\fBEVP_SIGNATURE_fetch\fR\|(3) and \fBEVP_SIGNATURE_do_all_provided\fR\|(3)
875 \&\fBOSSL_CMP_CTX_new\fR\|(3) and \fBOSSL_CMP_SRV_CTX_new\fR\|(3)
877 \&\fBOSSL_CRMF_ENCRYPTEDVALUE_get1_encCert\fR\|(3)
879 \&\fBOSSL_CRMF_MSG_create_popo\fR\|(3) and \fBOSSL_CRMF_MSGS_verify_popo\fR\|(3)
881 \&\fBOSSL_CRMF_pbm_new\fR\|(3) and \fBOSSL_CRMF_pbmp_new\fR\|(3)
883 \&\fBOSSL_DECODER_CTX_add_extra\fR\|(3) and \fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3)
885 \&\fBOSSL_DECODER_fetch\fR\|(3) and \fBOSSL_DECODER_do_all_provided\fR\|(3)
887 \&\fBOSSL_ENCODER_CTX_add_extra\fR\|(3)
889 \&\fBOSSL_ENCODER_fetch\fR\|(3) and \fBOSSL_ENCODER_do_all_provided\fR\|(3)
891 \&\fBOSSL_LIB_CTX_free\fR\|(3), \fBOSSL_LIB_CTX_load_config\fR\|(3) and \fBOSSL_LIB_CTX_set0_defaul…
893 \&\fBOSSL_PROVIDER_add_builtin\fR\|(3), \fBOSSL_PROVIDER_available\fR\|(3),
894 \&\fBOSSL_PROVIDER_do_all\fR\|(3), \fBOSSL_PROVIDER_load\fR\|(3),
895 \&\fBOSSL_PROVIDER_set_default_search_path\fR\|(3) and \fBOSSL_PROVIDER_try_load\fR\|(3)
897 \&\fBOSSL_SELF_TEST_get_callback\fR\|(3) and \fBOSSL_SELF_TEST_set_callback\fR\|(3)
899 \&\fBOSSL_STORE_attach\fR\|(3)
901 \&\fBOSSL_STORE_LOADER_fetch\fR\|(3) and \fBOSSL_STORE_LOADER_do_all_provided\fR\|(3)
903 \&\fBRAND_get0_primary\fR\|(3), \fBRAND_get0_private\fR\|(3), \fBRAND_get0_public\fR\|(3),
904 \&\fBRAND_set_DRBG_type\fR\|(3) and \fBRAND_set_seed_source_type\fR\|(3)
918 \fIMapping EVP controls and flags to provider \fR\f(BIOSSL_PARAM\fR\fI\|(3) parameters\fR
921 The existing functions for controls (such as \fBEVP_CIPHER_CTX_ctrl\fR\|(3)) and
922 manipulating flags (such as \fBEVP_MD_CTX_set_flags\fR\|(3)) internally use
924 See \fBOSSL_PARAM\fR\|(3) for additional information related to parameters.
926 For ciphers see "CONTROLS" in \fBEVP_EncryptInit\fR\|(3), "FLAGS" in \fBEVP_EncryptInit\fR\|(3) and
927 "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
929 For digests see "CONTROLS" in \fBEVP_DigestInit\fR\|(3), "FLAGS" in \fBEVP_DigestInit\fR\|(3) and
930 "PARAMETERS" in \fBEVP_DigestInit\fR\|(3).
935 A significant number of APIs have been deprecated in OpenSSL 3.0.
940 Providers are a replacement for engines and low-level method overrides
941 .IX Subsection "Providers are a replacement for engines and low-level method overrides"
953 Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low-level key type
954 have been deprecated. Applications should instead use the \fBOSSL_DECODER\fR\|(3) and
955 \&\fBOSSL_ENCODER\fR\|(3) APIs to read and write files.
956 See "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) for further details.
963 (See \fBOSSL_ENCODER_to_bio\fR\|(3)) or OSSL_DECODER (See \fBOSSL_DECODER_from_bio\fR\|(3))
964 APIs, or alternatively use \fBEVP_PKEY_fromdata\fR\|(3) or \fBEVP_PKEY_todata\fR\|(3).
969 Functions that access low-level objects directly such as \fBRSA_get0_n\fR\|(3) are now
971 \&\fBEVP_PKEY_get_bn_param\fR\|(3),
972 \&\fBEVP_PKEY_get_int_param\fR\|(3),
973 \&\fBEVP_PKEY_get_size_t_param\fR\|(3),
974 \&\fBEVP_PKEY_get_utf8_string_param\fR\|(3),
975 \&\fBEVP_PKEY_get_octet_string_param\fR\|(3), or
976 \&\fBEVP_PKEY_get_params\fR\|(3),
981 "DSA parameters" in \fBEVP_PKEY\-DSA\fR\|(7),
988 Applications may also use \fBEVP_PKEY_todata\fR\|(3) to return all fields.
993 Functions that access low-level objects directly such as \fBRSA_set0_crt_params\fR\|(3)
994 are now deprecated. Applications should use \fBEVP_PKEY_fromdata\fR\|(3) to create
996 created, so if required the user may use \fBEVP_PKEY_todata\fR\|(3), \fBOSSL_PARAM_merge\fR\|(3),
997 and \fBEVP_PKEY_fromdata\fR\|(3) to create a modified key.
1000 generating a key using parameters.
1005 Low-level objects were created using methods such as \fBRSA_new\fR\|(3),
1006 \&\fBRSA_up_ref\fR\|(3) and \fBRSA_free\fR\|(3). Applications should instead use the
1007 high-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and
1008 \&\fBEVP_PKEY_free\fR\|(3).
1009 See also \fBEVP_PKEY_CTX_new_from_name\fR\|(3) and \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
1011 EVP_PKEYs may be created in a variety of ways:
1019 Low-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3)
1020 have been informally discouraged from use for a long time. Applications should
1021 instead use the high level EVP APIs \fBEVP_EncryptInit_ex\fR\|(3),
1022 \&\fBEVP_EncryptUpdate\fR\|(3), and \fBEVP_EncryptFinal_ex\fR\|(3) or
1023 \&\fBEVP_DecryptInit_ex\fR\|(3), \fBEVP_DecryptUpdate\fR\|(3) and \fBEVP_DecryptFinal_ex\fR\|(3).
1028 Use of low-level digest functions such as \fBSHA1_Init\fR\|(3) has been
1029 informally discouraged from use for a long time. Applications should instead
1030 use the high level EVP APIs \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
1031 and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot \fBEVP_Q_digest\fR\|(3).
1033 Note that the functions \fBSHA1\fR\|(3), \fBSHA224\fR\|(3), \fBSHA256\fR\|(3), \fBSHA384\fR\|(3)
1034 and \fBSHA512\fR\|(3) have changed to macros that use \fBEVP_Q_digest\fR\|(3).
1039 Use of low-level signing functions such as \fBDSA_sign\fR\|(3) has been
1040 informally discouraged for a long time. Instead applications should use
1041 \&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3).
1048 Low-level mac functions such as \fBCMAC_Init\fR\|(3) are deprecated.
1049 Applications should instead use the new \fBEVP_MAC\fR\|(3) interface, using
1050 \&\fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \fBEVP_MAC_init\fR\|(3),
1051 \&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single-shot MAC function
1052 \&\fBEVP_Q_mac\fR\|(3).
1053 See \fBEVP_MAC\fR\|(3), \fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-CMAC\fR\|(7), \fBEVP_MAC\-GMAC\fR\|(7…
1058 but this can also be replaced by using EVP_Q_MAC if a library context is required.
1063 Low-level validation functions such as \fBDH_check\fR\|(3) have been informally
1064 discouraged from use for a long time. Applications should instead use the high-level
1065 EVP_PKEY APIs such as \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_param_check\fR\|(3),
1066 \&\fBEVP_PKEY_param_check_quick\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3),
1067 \&\fBEVP_PKEY_public_check_quick\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3),
1068 and \fBEVP_PKEY_pairwise_check\fR\|(3).
1073 Many low-level functions have been informally discouraged from use for a long
1074 time. Applications should instead use \fBEVP_PKEY_derive\fR\|(3).
1080 Many low-level functions have been informally discouraged from use for a long
1081 time. Applications should instead use \fBEVP_PKEY_keygen_init\fR\|(3) and
1082 \&\fBEVP_PKEY_generate\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7), \fBEVP_PKEY\-DH\fR\|(7),
1084 The 'quick' one-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most
1085 common cases: \fBEVP_RSA_gen\fR\|(3) and \fBEVP_EC_gen\fR\|(3) may also be used.
1091 for a long time. Functions to read and write these low-level objects (such as
1093 \&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3).
1099 for a long time. Functions to print these low-level objects such as
1101 Applications should use one of \fBEVP_PKEY_print_public\fR\|(3),
1102 \&\fBEVP_PKEY_print_private\fR\|(3), \fBEVP_PKEY_print_params\fR\|(3),
1103 \&\fBEVP_PKEY_print_public_fp\fR\|(3), \fBEVP_PKEY_print_private_fp\fR\|(3) or
1104 \&\fBEVP_PKEY_print_params_fp\fR\|(3). Note that internally these use
1105 \&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3).
1119 \&\fBAES_bi_ige_encrypt()\fR has a known bug. It accepts 2 AES keys, but only one
1133 There is no replacement. It returned a string indicating if the AES code was unrolled.
1142 Use \fBASN1_STRING_set\fR\|(3) or \fBASN1_STRING_set0\fR\|(3) instead.
1143 This was a potentially unsafe function that could change the bounds of a
1154 There is no replacement. This option returned a constant string.
1162 Use \fBBN_check_prime\fR\|(3) which avoids possible misuse and always uses at least
1167 Use \fBBN_rand\fR\|(3) and \fBBN_rand_range\fR\|(3).
1173 Use \fBEVP_PKEY_keygen\fR\|(3) instead.
1213 "Gettable and Settable EVP_CIPHER_CTX parameters" in \fBEVP_EncryptInit\fR\|(3).
1214 See "EXAMPLES" in \fBEVP_EncryptInit\fR\|(3) for an AES\-256\-CBC\-CTS example.
1230 Use \fBEVP_PKEY_set1_encoded_public_key\fR\|(3).
1249 Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
1250 \&\fBEVP_PKEY_get_size\fR\|(3).
1261 Use \fBEVP_PKEY_is_a()\fR to determine the type of a key.
1285 "dh_2048_256" when generating a DH key.
1289 Applications should use \fBEVP_PKEY_CTX_set_dh_kdf_type\fR\|(3) instead.
1295 See "Providers are a replacement for engines and low-level method overrides"
1307 Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
1308 \&\fBEVP_PKEY_get_size\fR\|(3).
1312 There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
1313 and \fBEVP_PKEY_dup\fR\|(3) instead.
1323 See "Providers are a replacement for engines and low-level method overrides".
1336 There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
1337 and \fBEVP_PKEY_dup\fR\|(3) instead.
1362 \&\fBEVP_PKEY_CTX_set_ecdh_kdf_type\fR\|(3) or by setting an \fBOSSL_PARAM\fR\|(3) using the
1372 Applications should use \fBEVP_PKEY_get_size\fR\|(3).
1379 library automatically assigning a suitable method internally when an EC_GROUP
1384 Use \fBEC_GROUP_free\fR\|(3) instead.
1389 Applications should use \fBEC_GROUP_get_curve\fR\|(3) and \fBEC_GROUP_set_curve\fR\|(3).
1399 EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
1401 Users of \fBEC_GROUP_new()\fR should switch to a different suitable constructor.
1405 Applications should use \fBEVP_PKEY_can_sign\fR\|(3) instead.
1422 There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
1423 and \fBEVP_PKEY_dup\fR\|(3) instead.
1443 See "Providers are a replacement for engines and low-level method overrides"
1447 Use \fBEC_GROUP_get_field_type\fR\|(3) instead.
1448 See "Providers are a replacement for engines and low-level method overrides"
1485 Applications should use \fBEC_POINT_get_affine_coordinates\fR\|(3) and
1486 \&\fBEC_POINT_set_affine_coordinates\fR\|(3) instead.
1491 \&\fBEC_POINT_set_affine_coordinates\fR\|(3) and \fBEC_POINT_get_affine_coordinates\fR\|(3)
1501 Applications should use \fBEC_POINT_set_compressed_coordinates\fR\|(3) instead.
1506 \&\fBEC_POINT_mul\fR\|(3) function.
1510 All engine functions are deprecated. An engine should be rewritten as a provider.
1511 See "Providers are a replacement for engines and low-level method overrides".
1520 The new functions are \fBERR_peek_error_func\fR\|(3), \fBERR_peek_last_error_func\fR\|(3),
1521 \&\fBERR_peek_error_data\fR\|(3), \fBERR_peek_last_error_data\fR\|(3), \fBERR_get_error_all\fR\|(3),
1522 \&\fBERR_peek_error_all\fR\|(3) and \fBERR_peek_last_error_all\fR\|(3).
1523 Applications should use \fBERR_get_error_all\fR\|(3), or pick information
1525 \&\fBERR_get_error\fR\|(3).
1529 Applications should instead use \fBEVP_CIPHER_CTX_get_updated_iv\fR\|(3),
1530 \&\fBEVP_CIPHER_CTX_get_updated_iv\fR\|(3) and \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3)
1532 See \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3) for further information.
1537 See "Providers are a replacement for engines and low-level method overrides".
1555 Applications should use \fBEVP_PKEY_CTX_set1_rsa_keygen_pubexp\fR\|(3) instead.
1559 Applications should use \fBEVP_PKEY_eq\fR\|(3) and \fBEVP_PKEY_parameters_eq\fR\|(3) instead.
1560 See \fBEVP_PKEY_copy_parameters\fR\|(3) for further details.
1564 Applications should use \fBEVP_PKEY_encrypt_init\fR\|(3) and \fBEVP_PKEY_encrypt\fR\|(3) or
1565 \&\fBEVP_PKEY_decrypt_init\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) instead.
1569 This function returns NULL if the key comes from a provider.
1579 See "Providers are a replacement for engines and low-level method overrides".
1594 generic functions \fBEVP_PKEY_set1_encoded_public_key\fR\|(3) and
1595 \&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3).
1601 See "Providers are a replacement for engines and low-level method overrides".
1620 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1627 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1634 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1638 Use \fBEVP_PKEY_get1_encoded_public_key\fR\|(3).
1646 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1657 There is no replacement. This function returned a constant string.
1666 There is no replacement. This function returned a constant string.
1689 Use \fBOSSL_HTTP_parse_url\fR\|(3) instead.
1693 These methods were used to collect all necessary data to form a HTTP request,
1696 with \fBOSSL_HTTP_REQ_CTX_*()\fR. See \fBOSSL_HTTP_REQ_CTX\fR\|(3) for additional
1744 Applications should instead use \fBRAND_set_DRBG_type\fR\|(3),
1745 \&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND\fR\|(7).
1746 See \fBRAND_set_rand_method\fR\|(3) for more details.
1765 Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
1766 \&\fBEVP_PKEY_get_size\fR\|(3).
1787 See "Providers are a replacement for engines and low-level method overrides"
1803 See "Providers are a replacement for engines and low-level method overrides".
1811 See "Providers are a replacement for engines and low-level method overrides".
1828 This is equivalent to doing sign and verify recover operations (with a padding
1833 There is no direct replacement. Applications may use \fBEVP_PKEY_dup\fR\|(3).
1846 See "Providers are a replacement for engines and low-level method overrides"
1888 the built-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3)
1889 or \fBSSL_set_dh_auto\fR\|(3). If custom parameters are necessary then applications can
1890 use the alternative functions \fBSSL_CTX_set0_tmp_dh_pkey\fR\|(3) and
1891 \&\fBSSL_set0_tmp_dh_pkey\fR\|(3). There is no direct replacement for the "callback"
1899 Use the new \fBSSL_CTX_set_tlsext_ticket_key_evp_cb\fR\|(3) function instead.
1909 This was an undocumented function. Applications can use \fBX509_get0_pubkey\fR\|(3)
1910 and \fBX509_get0_signature\fR\|(3) instead.
1914 Use \fBX509_load_http\fR\|(3) and \fBX509_CRL_load_http\fR\|(3) instead.
1925 such EVP_PKEY by calling \fBOBJ_nid2sn\fR\|(3). With the introduction
1927 \&\fBEVP_PKEY_get_id\fR\|(3) might now also return the value \-1
1928 (\fBEVP_PKEY_KEYMGMT\fR) indicating the use of a provider to
1930 \&\fBEVP_PKEY_get0_type_name\fR\|(3) is recommended for retrieving
1940 \&\fBopenssl kdf\fR uses the new \fBEVP_KDF\fR\|(3) API.
1941 \&\fBopenssl kdf\fR uses the new \fBEVP_MAC\fR\|(3) API.
2010 Support for fully "pluggable" TLSv1.3 groups.
2025 See \fBSSL_CTX_get_options\fR\|(3), \fBSSL_CTX_set_options\fR\|(3),
2026 \&\fBSSL_get_options\fR\|(3) and \fBSSL_set_options\fR\|(3).
2037 (e.g.: data received by \fBSSL_read\fR\|(3)).
2053 Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
2056 connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
2059 TLS connections in such a build without also disabling TLSv1.3 at run time or
2060 using third party provider groups may result in handshake failures. TLSv1.3
2073 security operation and it passed a DH object instead. This is incorrect
2081 is set, an unexpected EOF is ignored, it pretends a close notify was received
2086 This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
2089 with \f(CW@SECLEVEL\fR, or calling \fBSSL_CTX_set_security_level\fR\|(3). This also means
2090 that where the signature algorithms extension is missing from a ClientHello
2093 OpenSSL will fall back to a default set of signature algorithms. This default
2099 string with \f(CW@SECLEVEL\fR, or calling \fBSSL_CTX_set_security_level\fR\|(3). If the
2100 leaf certificate is signed with SHA\-1, a call to \fBSSL_CTX_use_certificate\fR\|(3)
2103 be set using \fBX509_VERIFY_PARAM_set_auth_level\fR\|(3) or using the \fB\-auth_level\fR
2116 this file except in compliance with the License. You can obtain a copy