=pod

=head1 NAME

migration_guide - OpenSSL migration guide

=head1 SYNOPSIS

See the individual manual pages for details.

=head1 DESCRIPTION

This guide details the changes required to migrate to new versions of OpenSSL.
Currently this covers OpenSSL 3.0. For earlier versions refer to
L<https://github.com/openssl/openssl/blob/master/CHANGES.md>.
For an overview of some of the key concepts introduced in OpenSSL 3.0 see
L<crypto(7)>.

=head1 OPENSSL 3.0

=head2 Main Changes from OpenSSL 1.1.1

=head3 Major Release

OpenSSL 3.0 is a major release and consequently any application that currently
uses an older version of OpenSSL will at the very least need to be recompiled in
order to work with the new version. It is the intention that the large majority
of applications will work unchanged with OpenSSL 3.0 if those applications
previously worked with OpenSSL 1.1.1. However this is not guaranteed and some
changes may be required in some cases.
Changes may also be required if
applications need to take advantage of some of the new features available in
OpenSSL 3.0 such as the availability of the FIPS module.

=head3 License Change

In previous versions, OpenSSL was licensed under the L<dual OpenSSL and SSLeay
licenses|https://www.openssl.org/source/license-openssl-ssleay.txt>
(both licenses apply). From OpenSSL 3.0 this is replaced by the
L<Apache License v2|https://www.openssl.org/source/apache-license-2.0.txt>.

=head3 Providers and FIPS support

One of the key changes from OpenSSL 1.1.1 is the introduction of the Provider
concept. Providers collect together and make available algorithm implementations.
With OpenSSL 3.0 it is possible to specify, either programmatically or via a
config file, which providers you want to use for any given application.
OpenSSL 3.0 comes with 5 different providers as standard. Over time third
parties may distribute additional providers that can be plugged into OpenSSL.
All algorithm implementations available via providers are accessed through the
"high level" APIs (for example those functions prefixed with C<EVP>). They cannot
be accessed using the L</Low Level APIs>.

One of the standard providers available is the FIPS provider. This makes
available FIPS validated cryptographic algorithms.
The FIPS provider is disabled by default and needs to be enabled explicitly
at configuration time using the C<enable-fips> option. If it is enabled,
the FIPS provider gets built and installed in addition to the other standard
providers. No separate installation procedure is necessary.
There is however a dedicated C<install_fips> make target, which serves the
special purpose of installing only the FIPS provider into an existing
OpenSSL installation.

Not all algorithms may be available for the application at a particular moment.
If the application code uses any digest or cipher algorithm via the EVP interface,
the application should verify the result of the L<EVP_EncryptInit(3)>,
L<EVP_EncryptInit_ex(3)>, and L<EVP_DigestInit(3)> functions. If
the requested algorithm is not available, these functions will fail.

See also L</Legacy Algorithms> for information on the legacy provider.

See also L</Completing the installation of the FIPS Module> and
L</Using the FIPS Module in applications>.

=head3 Low Level APIs

OpenSSL has historically provided two sets of APIs for invoking cryptographic
algorithms: the "high level" APIs (such as the C<EVP> APIs) and the "low level"
APIs. The high level APIs are typically designed to work across all algorithm
types.
The "low level" APIs are targeted at a specific algorithm implementation.
For example, the EVP APIs provide the functions L<EVP_EncryptInit_ex(3)>,
L<EVP_EncryptUpdate(3)> and L<EVP_EncryptFinal(3)> to perform symmetric
encryption. Those functions can be used with the algorithms AES, CHACHA, 3DES etc.
On the other hand, to do AES encryption using the low level APIs you would have
to call AES specific functions such as L<AES_set_encrypt_key(3)>,
L<AES_encrypt(3)>, and so on. The functions for 3DES are different.
Use of the low level APIs has been informally discouraged by the OpenSSL
development team for a long time. However in OpenSSL 3.0 this is made more
formal. All such low level APIs have been deprecated. You may still use them in
your applications, but you may start to see deprecation warnings during
compilation (dependent on compiler support for this). Deprecated APIs may be
removed from future versions of OpenSSL so you are strongly encouraged to update
your code to use the high level APIs instead.

This is described in more detail in L</Deprecation of Low Level Functions>.

=head3 Legacy Algorithms

Some cryptographic algorithms such as B<MD2> and B<DES> that were available via
the EVP APIs are now considered legacy and their use is strongly discouraged.
These legacy EVP algorithms are still available in OpenSSL 3.0 but not by
default.
If you want to use them then you must load the legacy provider.
This can be as simple as a config file change, or can be done programmatically.
See L<OSSL_PROVIDER-legacy(7)> for a complete list of algorithms.
Applications using the EVP APIs to access these algorithms should instead use
more modern algorithms. If that is not possible then these applications
should ensure that the legacy provider has been loaded. This can be achieved
either programmatically or via configuration. See the L<crypto(7)> man page for
more information about providers.

=head3 Engines and "METHOD" APIs

The refactoring to support Providers conflicts internally with the APIs used to
support engines, including the ENGINE API and any function that creates or
modifies custom "METHODS" (for example L<EVP_MD_meth_new(3)>,
L<EVP_CIPHER_meth_new(3)>, L<EVP_PKEY_meth_new(3)>, L<RSA_meth_new(3)>,
L<EC_KEY_METHOD_new(3)>, etc.). These functions are being deprecated in
OpenSSL 3.0, and users of these APIs should know that their use can likely
bypass provider selection and configuration, with unintended consequences.
This is particularly relevant for applications written to use the OpenSSL 3.0
FIPS module, as detailed below. Authors and maintainers of external engines are
strongly encouraged to refactor their code, transforming engines into providers
using the new Provider API and avoiding deprecated methods.

=head3 Support of legacy engines

If OpenSSL is built with both engine support and deprecated API support, engines
will still work. However, their applicability will be limited.

New algorithms provided via engines will still work.

Engine-backed keys can be loaded via a custom B<OSSL_STORE> implementation.
In this case the B<EVP_PKEY> objects created via L<ENGINE_load_private_key(3)>
will be considered legacy and will continue to work.

To ensure future compatibility, engines should be converted to providers.
To prefer the provider-based hardware offload, you can specify the default
properties to prefer your provider.

=head3 Versioning Scheme

The OpenSSL versioning scheme has changed with the OpenSSL 3.0 release. The new
versioning scheme has this format:

MAJOR.MINOR.PATCH

For OpenSSL 1.1.1 and below, different patch levels were indicated by a letter
at the end of the release version number. This will no longer be used and
instead the patch level is indicated by the final number in the version. A
change in the second (MINOR) number indicates that new features may have been
added. OpenSSL versions with the same major number are API and ABI compatible.
If the major number changes then API and ABI compatibility is not guaranteed.

For more information, see L<OpenSSL_version(3)>.

=head3 Other major new features

=head4 Certificate Management Protocol (CMP, RFC 4210)

This also covers CRMF (RFC 4211) and HTTP transfer (RFC 6712).
See L<openssl-cmp(1)> and L<OSSL_CMP_exec_certreq(3)> as starting points.

=head4 HTTP(S) client

A proper HTTP(S) client that supports GET and POST, redirection, plain and
ASN.1-encoded contents, proxies, and timeouts.

=head4 Key Derivation Function API (EVP_KDF)

This simplifies the process of adding new KDF and PRF implementations.

Previously KDF algorithms had been shoe-horned into using the EVP_PKEY object
which was not a logical mapping.
Existing applications that use KDF algorithms using EVP_PKEY
(scrypt, TLS1 PRF and HKDF) may be slower as they use an EVP_KDF bridge
internally.
All new applications should use the new L<EVP_KDF(3)> interface.
See also L<OSSL_PROVIDER-default(7)/Key Derivation Function (KDF)> and
L<OSSL_PROVIDER-FIPS(7)/Key Derivation Function (KDF)>.

=head4 Message Authentication Code API (EVP_MAC)

This simplifies the process of adding MAC implementations.

This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued
use of MACs through raw private keys in functionality such as
L<EVP_DigestSign(3)> and L<EVP_DigestVerify(3)>.

All new applications should use the new L<EVP_MAC(3)> interface.
See also L<OSSL_PROVIDER-default(7)/Message Authentication Code (MAC)>
and L<OSSL_PROVIDER-FIPS(7)/Message Authentication Code (MAC)>.

=head4 Algorithm Fetching

Using calls to convenience functions such as EVP_sha256() and EVP_aes_256_gcm() may
incur a performance penalty when using providers.
Retrieving algorithms from providers involves searching for an algorithm by name.
This is much slower than directly accessing a method table.
It is recommended to prefetch algorithms if an algorithm is used many times.
See L<crypto(7)/Performance>, L<crypto(7)/Explicit fetching> and L<crypto(7)/Implicit fetching>.

=head4 Support for Linux Kernel TLS

In order to use KTLS, support for it must be compiled in using the
C<enable-ktls> configuration option. It must also be enabled at run time using
the B<SSL_OP_ENABLE_KTLS> option.

=head4 New Algorithms

=over 4

=item *

KDF algorithms "SINGLE STEP" and "SSH"

See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>.

=item *

MAC Algorithms "GMAC" and "KMAC"

See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.

=item *

KEM Algorithm "RSASVE"

See L<EVP_KEM-RSA(7)>.

=item *

Cipher Algorithm "AES-SIV"

See L<EVP_EncryptInit(3)/SIV Mode>.

=item *

AES Key Wrap inverse ciphers supported by EVP layer.

The inverse ciphers use AES decryption for wrapping, and AES encryption for
unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
"AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and
"AES-256-WRAP-PAD-INV".

=item *

CTS ciphers added to EVP layer.

The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
CS1, CS2 and CS3 variants are supported.

=back

=head4 CMS and PKCS#7 updates

=over 4

=item *

Added CAdES-BES signature verification support.

=item *

Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.

=item *

Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM.

This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
Its purpose is to support encryption and decryption of a digital envelope that
is both authenticated and encrypted using AES GCM mode.

=item *

L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.

=back

=head4 PKCS#12 API updates

The default algorithms for pkcs12 creation with the PKCS12_create() function
were changed to more modern PBKDF2 and AES based algorithms. The default
MAC iteration count was changed to PKCS12_DEFAULT_ITER to make it equal
with the password-based encryption iteration count. The default digest
algorithm for the MAC computation was changed to SHA-256. The pkcs12
application now supports the -legacy option that restores the previous
default algorithms to support interoperability with legacy systems.

Added enhanced PKCS#12 APIs which accept a library context B<OSSL_LIB_CTX>
and (where relevant) a property query. Other APIs which handle PKCS#7 and
PKCS#8 objects have also been enhanced where required.
This includes:

L<PKCS12_add_key_ex(3)>, L<PKCS12_add_safe_ex(3)>, L<PKCS12_add_safes_ex(3)>,
L<PKCS12_create_ex(3)>, L<PKCS12_decrypt_skey_ex(3)>, L<PKCS12_init_ex(3)>,
L<PKCS12_item_decrypt_d2i_ex(3)>, L<PKCS12_item_i2d_encrypt_ex(3)>,
L<PKCS12_key_gen_asc_ex(3)>, L<PKCS12_key_gen_uni_ex(3)>, L<PKCS12_key_gen_utf8_ex(3)>,
L<PKCS12_pack_p7encdata_ex(3)>, L<PKCS12_pbe_crypt_ex(3)>, L<PKCS12_PBE_keyivgen_ex(3)>,
L<PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(3)>, L<PKCS5_pbe2_set_iv_ex(3)>,
L<PKCS5_pbe_set0_algor_ex(3)>, L<PKCS5_pbe_set_ex(3)>, L<PKCS5_pbkdf2_set_ex(3)>,
L<PKCS5_v2_PBE_keyivgen_ex(3)>, L<PKCS5_v2_scrypt_keyivgen_ex(3)>,
L<PKCS8_decrypt_ex(3)>, L<PKCS8_encrypt_ex(3)>, L<PKCS8_set0_pbe_ex(3)>.

As part of this change the EVP_PBE_xxx APIs can also accept a library
context and property query and will call an extended version of the key/IV
derivation function which supports these parameters. This includes
L<EVP_PBE_CipherInit_ex(3)>, L<EVP_PBE_find_ex(3)> and L<EVP_PBE_scrypt_ex(3)>.

=head4 Windows thread synchronization changes

Windows thread synchronization uses read/write primitives (SRWLock) when
supported by the OS, otherwise CriticalSection continues to be used.

=head4 Trace API

A new generic trace API has been added which provides support for enabling
instrumentation through trace output. This feature is mainly intended as an aid
for developers and is disabled by default. To utilize it, OpenSSL needs to be
configured with the C<enable-trace> option.

If the tracing API is enabled, the application can activate trace output by
registering BIOs as trace channels for a number of tracing and debugging
categories. See L<OSSL_trace_enabled(3)>.

=head4 Key validation updates

L<EVP_PKEY_public_check(3)> and L<EVP_PKEY_param_check(3)> now work for
more key types. This includes RSA, DSA, ED25519, X25519, ED448 and X448.
Previously (in 1.1.1) they would return -2. For key types that do not have
parameters, L<EVP_PKEY_param_check(3)> will always return 1.

=head3 Other notable deprecations and changes

=head4 The function code part of an OpenSSL error code is no longer relevant

This code is now always set to zero. Related functions are deprecated.

=head4 STACK and HASH macros have been cleaned up

The type-safe wrappers are declared everywhere and implemented once.
See L<DEFINE_STACK_OF(3)> and L<DECLARE_LHASH_OF(3)>.

=head4 The RAND_DRBG subsystem has been removed

The new L<EVP_RAND(3)> is a partial replacement: the DRBG callback framework is
absent. The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX.

=head4 Removed FIPS_mode() and FIPS_mode_set()

These functions are legacy APIs that are not applicable to the new provider
model. Applications should instead use
L<EVP_default_properties_is_fips_enabled(3)> and
L<EVP_default_properties_enable_fips(3)>.

=head4 Key generation is slower

The Miller-Rabin test now uses 64 rounds for all prime generation,
including RSA key generation. This affects the time taken for larger key sizes.

The default key generation method for the regular 2-prime RSA keys was changed
to the FIPS186-4 B.3.6 method (Generation of Probable Primes with Conditions
Based on Auxiliary Probable Primes). This method is slower than the original
method.

=head4 Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898

This checks that the salt length is at least 128 bits, the derived key length is
at least 112 bits, and that the iteration count is at least 1000.
For backwards compatibility these checks are disabled by default in the
default provider, but are enabled by default in the FIPS provider.

To enable or disable the checks see B<OSSL_KDF_PARAM_PKCS5> in
L<EVP_KDF-PBKDF2(7)>. The parameter can be set using L<EVP_KDF_derive(3)>.

=head4 Enforce a minimum DH modulus size of 512 bits

Smaller sizes now result in an error.

=head4 SM2 key changes

EC EVP_PKEYs with the SM2 curve have been reworked to automatically become
EVP_PKEY_SM2 rather than EVP_PKEY_EC.

Unlike in previous OpenSSL versions, this means that applications cannot
call C<EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)> to get SM2 computations.

Parameter and key generation is also reworked to make it possible
to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
SM2 keys directly and must not create an EVP_PKEY_EC key first.
It is no longer
possible to import an SM2 key with domain parameters other than the SM2 elliptic
curve ones.

Validation of SM2 keys has been separated from the validation of regular EC
keys, which allows the SM2 validation process to reject loaded private
keys that do not conform to the SM2 ISO standard.
In particular, a private scalar I<k> outside the range I<< 1 <= k < n-1 >> is
now correctly rejected.

=head4 EVP_PKEY_set_alias_type() method has been removed

This function made an B<EVP_PKEY> object mutable after it had been set up. In
OpenSSL 3.0 it was decided that a provided key should not be able to change its
type, so this function has been removed.

=head4 Functions that return an internal key should be treated as read only

Functions such as L<EVP_PKEY_get0_RSA(3)> behave slightly differently in
OpenSSL 3.0. Previously they returned a pointer to the low-level key used
internally by libcrypto. From OpenSSL 3.0 this key may now be held in a
provider. Calling these functions will only return a handle on the internal key
where the EVP_PKEY was constructed using this key in the first place, for
example using a function or macro such as L<EVP_PKEY_assign_RSA(3)>,
L<EVP_PKEY_set1_RSA(3)>, etc.
Where the EVP_PKEY holds a provider managed key, then these functions now return
a cached copy of the key. Changes to the internal provider key that take place
after the first time the cached key is accessed will not be reflected back in
the cached copy. Similarly any changes made to the cached copy by application
code will not be reflected back in the internal provider key.

For the above reasons the keys returned from these functions should typically be
treated as read-only. To emphasise this the values returned from
L<EVP_PKEY_get0_RSA(3)>, L<EVP_PKEY_get0_DSA(3)>, L<EVP_PKEY_get0_EC_KEY(3)> and
L<EVP_PKEY_get0_DH(3)> have been made const. This may break some existing code.
Applications broken by this change should be modified. The preferred solution is
to refactor the code to avoid the use of these deprecated functions. Failing
this the code should be modified to use a const pointer instead.
The L<EVP_PKEY_get1_RSA(3)>, L<EVP_PKEY_get1_DSA(3)>, L<EVP_PKEY_get1_EC_KEY(3)>
and L<EVP_PKEY_get1_DH(3)> functions continue to return a non-const pointer to
enable them to be "freed". However they should also be treated as read-only.

=head4 The public key check has moved from EVP_PKEY_derive() to EVP_PKEY_derive_set_peer()

This may result in an error in L<EVP_PKEY_derive_set_peer(3)> rather than
during L<EVP_PKEY_derive(3)>.
To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0).

=head4 The print format has cosmetic changes for some functions

The output from numerous "printing" functions such as L<X509_signature_print(3)>,
L<X509_print_ex(3)>, L<X509_CRL_print_ex(3)>, and other similar functions has been
amended such that there may be cosmetic differences between the output
observed in 1.1.1 and 3.0. This also applies to the B<-text> output from the
B<openssl x509> and B<openssl crl> applications.

=head4 Interactive mode from the B<openssl> program has been removed

From now on, running it without arguments is equivalent to B<openssl help>.

=head4 The error return values from some control calls (ctrl) have changed

One significant change is that controls which used to return -2 for
invalid inputs now return -1, indicating a generic error condition instead.

=head4 DH and DHX key types have different settable parameters

Previously (in 1.1.1) these conflicting parameters were allowed, but will now
result in errors. See L<EVP_PKEY-DH(7)> for further details. This affects the
behaviour of L<openssl-genpkey(1)> for DH parameter generation.
460*b077aed3SPierre Pronchery 461*b077aed3SPierre Pronchery=head4 EVP_CIPHER_CTX_set_flags() ordering change 462*b077aed3SPierre Pronchery 463*b077aed3SPierre ProncheryIf using a cipher from a provider the B<EVP_CIPH_FLAG_LENGTH_BITS> flag can only 464*b077aed3SPierre Proncherybe set B<after> the cipher has been assigned to the cipher context. 465*b077aed3SPierre ProncherySee L<EVP_EncryptInit(3)/FLAGS> for more information. 466*b077aed3SPierre Pronchery 467*b077aed3SPierre Pronchery=head4 Validation of operation context parameters 468*b077aed3SPierre Pronchery 469*b077aed3SPierre ProncheryDue to move of the implementation of cryptographic operations to the 470*b077aed3SPierre Proncheryproviders, validation of various operation parameters can be postponed until 471*b077aed3SPierre Proncherythe actual operation is executed where previously it happened immediately 472*b077aed3SPierre Proncherywhen an operation parameter was set. 473*b077aed3SPierre Pronchery 474*b077aed3SPierre ProncheryFor example when setting an unsupported curve with 475*b077aed3SPierre ProncheryEVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not fail 476*b077aed3SPierre Proncherybut later keygen operations with the EVP_PKEY_CTX will fail. 477*b077aed3SPierre Pronchery 478*b077aed3SPierre Pronchery=head4 Removal of function code from the error codes 479*b077aed3SPierre Pronchery 480*b077aed3SPierre ProncheryThe function code part of the error code is now always set to 0. For that 481*b077aed3SPierre Proncheryreason the ERR_GET_FUNC() macro was removed. Applications must resolve 482*b077aed3SPierre Proncherythe error codes only using the library number and the reason code. 
483*b077aed3SPierre Pronchery 484*b077aed3SPierre Pronchery=head4 ChaCha20-Poly1305 cipher does not allow a truncated IV length to be used 485*b077aed3SPierre Pronchery 486*b077aed3SPierre ProncheryIn OpenSSL 3.0 setting the IV length to any value other than 12 will result in an 487*b077aed3SPierre Proncheryerror. 488*b077aed3SPierre ProncheryPrior to OpenSSL 3.0 the ivlen could be smaller that the required 12 byte length, 489*b077aed3SPierre Proncheryusing EVP_CIPHER_CTX_ctrl(ctx, EVP_CRTL_AEAD_SET_IVLEN, ivlen, NULL). This resulted 490*b077aed3SPierre Proncheryin an IV that had leading zero padding. 491*b077aed3SPierre Pronchery 492*b077aed3SPierre Pronchery=head2 Installation and Compilation 493*b077aed3SPierre Pronchery 494*b077aed3SPierre ProncheryPlease refer to the INSTALL.md file in the top of the distribution for 495*b077aed3SPierre Proncheryinstructions on how to build and install OpenSSL 3.0. Please also refer to the 496*b077aed3SPierre Proncheryvarious platform specific NOTES files for your specific platform. 497*b077aed3SPierre Pronchery 498*b077aed3SPierre Pronchery=head2 Upgrading from OpenSSL 1.1.1 499*b077aed3SPierre Pronchery 500*b077aed3SPierre ProncheryUpgrading to OpenSSL 3.0 from OpenSSL 1.1.1 should be relatively straight 501*b077aed3SPierre Proncheryforward in most cases. The most likely area where you will encounter problems 502*b077aed3SPierre Proncheryis if you have used low level APIs in your code (as discussed above). In that 503*b077aed3SPierre Proncherycase you are likely to start seeing deprecation warnings when compiling your 504*b077aed3SPierre Proncheryapplication. If this happens you have 3 options: 505*b077aed3SPierre Pronchery 506*b077aed3SPierre Pronchery=over 4 507*b077aed3SPierre Pronchery 508*b077aed3SPierre Pronchery=item 1. 509*b077aed3SPierre Pronchery 510*b077aed3SPierre ProncheryIgnore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. 
However be aware that they may be removed from a future version of OpenSSL.

=item 2.

Suppress the warnings. Refer to your compiler documentation on how to do this.

=item 3.

Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead.

=back

=head3 Error code changes

As OpenSSL 3.0 provides a brand new Encoder/Decoder mechanism for working with
widely used file formats, application code that checks for particular error
reason codes on key loading failures might need an update.

Password-protected keys may deserve special attention. If only some errors
are treated as an indicator that the user should be asked about the password again,
it's worth testing these scenarios and processing the newly relevant codes.

There may be more cases to treat specially, depending on the calling application code.

=head2 Upgrading from OpenSSL 1.0.2

Upgrading to OpenSSL 3.0 from OpenSSL 1.0.2 is likely to be significantly more
difficult.
In addition to the issues discussed above in the section about
L</Upgrading from OpenSSL 1.1.1>, the main things to be aware of are:

=over 4

=item 1.

The build and installation procedure has changed significantly.

Check the file INSTALL.md in the top of the installation for instructions on how
to build and install OpenSSL for your platform. Also read the various NOTES
files in the same directory, as applicable for your platform.

=item 2.

Many structures have been made opaque in OpenSSL 3.0.

The structure definitions have been removed from the public header files and
moved to internal header files. In practice this means that you can no longer
stack allocate some structures. Instead they must be heap allocated through some
function call (typically those function names have a C<_new> suffix to them).
Additionally you must use "setter" or "getter" functions to access the fields
within those structures.

For example code that previously looked like this:

 EVP_MD_CTX md_ctx;

 /* This line will now generate compiler errors */
 EVP_MD_CTX_init(&md_ctx);

The code needs to be amended to look like this:

 EVP_MD_CTX *md_ctx;

 md_ctx = EVP_MD_CTX_new();
 ...
 ...
 EVP_MD_CTX_free(md_ctx);

=item 3.

Support for TLSv1.3 has been added.

This has a number of implications for SSL/TLS applications. See the
L<TLS1.3 page|https://wiki.openssl.org/index.php/TLS1.3> for further details.

=back

More details about the breaking changes between OpenSSL versions 1.0.2 and 1.1.0
can be found on the
L<OpenSSL 1.1.0 Changes page|https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes>.

=head3 Upgrading from the OpenSSL 2.0 FIPS Object Module

The OpenSSL 2.0 FIPS Object Module was a separate download that had to be built
separately and then integrated into your main OpenSSL 1.0.2 build.
In OpenSSL 3.0 the FIPS support is fully integrated into the mainline version of
OpenSSL and is no longer a separate download. For further information see
L</Completing the installation of the FIPS Module>.

The function calls FIPS_mode() and FIPS_mode_set() have been removed
from OpenSSL 3.0. You should rewrite your application to not use them.
See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.

=head2 Completing the installation of the FIPS Module

The FIPS Module will be built and installed automatically if FIPS support has
been configured. The current documentation can be found in the
L<README-FIPS|https://github.com/openssl/openssl/blob/master/README-FIPS.md> file.

=head2 Programming

Applications written to work with OpenSSL 1.1.1 will mostly just work with
OpenSSL 3.0. However changes will be required if you want to take advantage of
some of the new features that OpenSSL 3.0 makes available. In order to do that
you need to understand some new concepts introduced in OpenSSL 3.0.
Read L<crypto(7)/Library contexts> for further information.

=head3 Library Context

A library context allows different components of a complex application to each
use a different library context and have different providers loaded with
different configuration settings.
See L<crypto(7)/Library contexts> for further info.

If the user creates an B<OSSL_LIB_CTX> via L<OSSL_LIB_CTX_new(3)> then many
functions may need to be changed to pass additional parameters to handle the
library context.

=head4 Using a Library Context - Old functions that should be changed

If a library context is needed then all EVP_* digest functions that return a
B<const EVP_MD *> such as EVP_sha256() should be replaced with a call to
L<EVP_MD_fetch(3)>. See L<crypto(7)/ALGORITHM FETCHING>.

If a library context is needed then all EVP_* cipher functions that return a
B<const EVP_CIPHER *> such as EVP_aes_128_cbc() should be replaced with a call to
L<EVP_CIPHER_fetch(3)>. See L<crypto(7)/ALGORITHM FETCHING>.

Some functions can be passed an object that has already been set up with a library
context such as L<d2i_X509(3)>, L<d2i_X509_CRL(3)>, L<d2i_X509_REQ(3)> and
L<d2i_X509_PUBKEY(3)>. If NULL is passed instead then the created object will be
set up with the default library context.
Use L<X509_new_ex(3)>,
L<X509_CRL_new_ex(3)>, L<X509_REQ_new_ex(3)> and L<X509_PUBKEY_new_ex(3)> if a
library context is required.

All functions listed below with a I<NAME> have a replacement function I<NAME_ex>
that takes B<OSSL_LIB_CTX> as an additional argument. Functions that have other
mappings are listed along with the respective name.

=over 4

=item *

L<ASN1_item_new(3)>, L<ASN1_item_d2i(3)>, L<ASN1_item_d2i_fp(3)>,
L<ASN1_item_d2i_bio(3)>, L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>

=item *

L<BIO_new(3)>

=item *

b2i_RSA_PVK_bio() and i2b_PVK_bio()

=item *

L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>

=item *

L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
L<CMS_digest_create(3)>, L<CMS_EncryptedData_encrypt(3)>, L<CMS_encrypt(3)>,
L<CMS_EnvelopedData_create(3)>, L<CMS_ReceiptRequest_create0(3)> and L<CMS_sign(3)>

=item *

L<CONF_modules_load_file(3)>

=item *

L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>

=item *

L<CT_POLICY_EVAL_CTX_new(3)>

=item *

L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>

=item *

L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>

Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>

=item *

L<EC_GROUP_new(3)>

Use L<EC_GROUP_new_by_curve_name_ex(3)> or L<EC_GROUP_new_from_params(3)>.

=item *

L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>

=item *

L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>

=item *

L<PKCS5_PBE_keyivgen(3)>

=item *

L<EVP_PKCS82PKEY(3)>

=item *

L<EVP_PKEY_CTX_new_id(3)>

Use L<EVP_PKEY_CTX_new_from_name(3)>

=item *

L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
and L<EVP_PKEY_new_raw_public_key(3)>

=item *

L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>

=item *

L<NCONF_new(3)>

=item *

L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>

=item *

L<OPENSSL_thread_stop(3)>

=item *

L<OSSL_STORE_open(3)>

=item *

L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
L<PEM_read_PrivateKey(3)> and L<PEM_read_PUBKEY(3)>

=item *

L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
and L<PEM_write_PUBKEY(3)>

=item *

L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>

=item *

L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
L<PKCS12_create(3)>, L<PKCS12_decrypt_skey(3)>, L<PKCS12_init(3)>, L<PKCS12_item_decrypt_d2i(3)>,
L<PKCS12_item_i2d_encrypt(3)>, L<PKCS12_key_gen_asc(3)>, L<PKCS12_key_gen_uni(3)>,
L<PKCS12_key_gen_utf8(3)>, L<PKCS12_pack_p7encdata(3)>, L<PKCS12_pbe_crypt(3)>,
L<PKCS12_PBE_keyivgen(3)>, L<PKCS12_SAFEBAG_create_pkcs8_encrypt(3)>

=item *

L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
L<PKCS5_pbkdf2_set(3)> and L<PKCS5_v2_scrypt_keyivgen(3)>

=item *

L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>

=item *

L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>

=item *

L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>

=item *

L<SMIME_write_ASN1(3)>

=item *

L<SSL_load_client_CA_file(3)>

=item *

L<SSL_CTX_new(3)>

=item *

L<TS_RESP_CTX_new(3)>

=item *

L<X509_CRL_new(3)>

=item *

L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>

=item *

L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>

=item *

L<X509_NAME_hash(3)>

=item *

L<X509_new(3)>

=item *

L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>

=item *

L<X509_STORE_CTX_new(3)>,
L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
L<X509_STORE_load_locations(3)> and L<X509_STORE_load_store(3)>

=back

=head4 New functions that use a Library context

The following functions can be passed a library context if required.
Passing NULL will use the default library context.

=over 4

=item *

L<BIO_new_from_core_bio(3)>

=item *

L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>

=item *

L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>

=item *

L<EVP_default_properties_enable_fips(3)> and
L<EVP_default_properties_is_fips_enabled(3)>

=item *

L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>

=item *

L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>

=item *

L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>

=item *

L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>

=item *

L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>

=item *

L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>

=item *

L<EVP_PKEY_CTX_new_from_pkey(3)>

=item *

L<EVP_PKEY_Q_keygen(3)>

=item *

L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>

=item *

L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>

=item *

L<EVP_set_default_properties(3)>

=item *

L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>

=item *

L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>

=item *

L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>

=item *

L<OSSL_CRMF_MSG_create_popo(3)> and
L<OSSL_CRMF_MSGS_verify_popo(3)>

=item *

L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>

=item *

L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>

=item *

L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>

=item *

L<OSSL_ENCODER_CTX_add_extra(3)>

=item *

L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>

=item *

L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>

=item *

L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
L<OSSL_PROVIDER_do_all(3)>, L<OSSL_PROVIDER_load(3)>,
L<OSSL_PROVIDER_set_default_search_path(3)> and L<OSSL_PROVIDER_try_load(3)>

=item *

L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>

=item *

L<OSSL_STORE_attach(3)>

=item *

L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>

=item *

L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
L<RAND_set_DRBG_type(3)> and L<RAND_set_seed_source_type(3)>

=back

=head3 Providers

Providers are described in detail here L<crypto(7)/Providers>.
See also L<crypto(7)/OPENSSL PROVIDERS>.

=head3 Fetching algorithms and property queries

Implicit and Explicit Fetching is described in detail here
L<crypto(7)/ALGORITHM FETCHING>.

=head3 Mapping EVP controls and flags to provider L<OSSL_PARAM(3)> parameters

The existing functions for controls (such as L<EVP_CIPHER_CTX_ctrl(3)>) and
manipulating flags (such as L<EVP_MD_CTX_set_flags(3)>) internally use
B<OSSL_PARAMS> to pass information to/from provider objects.
See L<OSSL_PARAM(3)> for additional information related to parameters.

For ciphers see L<EVP_EncryptInit(3)/CONTROLS>, L<EVP_EncryptInit(3)/FLAGS> and
L<EVP_EncryptInit(3)/PARAMETERS>.

For digests see L<EVP_DigestInit(3)/CONTROLS>, L<EVP_DigestInit(3)/FLAGS> and
L<EVP_DigestInit(3)/PARAMETERS>.

=head3 Deprecation of Low Level Functions

A significant number of APIs have been deprecated in OpenSSL 3.0.
This section describes some common categories of deprecations.
See L</Deprecated function mappings> for the list of deprecated functions
that refer to these categories.

=head4 Providers are a replacement for engines and low-level method overrides

Any accessor that uses an ENGINE is deprecated (such as EVP_PKEY_set1_engine()).
Applications using engines should instead use providers.

Before providers were added, algorithms were overridden by changing the methods
used by algorithms. All these methods such as RSA_new_method() and RSA_meth_new()
are now deprecated and can be replaced by using providers instead.

=head4 Deprecated i2d and d2i functions for low-level key types

Any i2d and d2i functions such as d2i_DHparams() that take a low-level key type
have been deprecated. Applications should instead use the L<OSSL_DECODER(3)> and
L<OSSL_ENCODER(3)> APIs to read and write files.
See L<d2i_RSAPrivateKey(3)/Migration> for further details.

=head4 Deprecated low-level key object getters and setters

Applications that set or get low-level key objects (such as EVP_PKEY_set1_DH()
or EVP_PKEY_get0()) should instead use the OSSL_ENCODER
(See L<OSSL_ENCODER_to_bio(3)>) or OSSL_DECODER (See L<OSSL_DECODER_from_bio(3)>)
APIs, or alternatively use L<EVP_PKEY_fromdata(3)> or L<EVP_PKEY_todata(3)>.

=head4 Deprecated low-level key parameter getters

Functions that access low-level objects directly such as L<RSA_get0_n(3)> are now
deprecated. Applications should use one of L<EVP_PKEY_get_bn_param(3)>,
L<EVP_PKEY_get_int_param(3)>, L<EVP_PKEY_get_size_t_param(3)>,
L<EVP_PKEY_get_utf8_string_param(3)>, L<EVP_PKEY_get_octet_string_param(3)> or
L<EVP_PKEY_get_params(3)> to access fields from an EVP_PKEY.
Gettable parameters are listed in L<EVP_PKEY-RSA(7)/Common RSA parameters>,
L<EVP_PKEY-DH(7)/DH parameters>, L<EVP_PKEY-DSA(7)/DSA parameters>,
L<EVP_PKEY-FFC(7)/FFC parameters>, L<EVP_PKEY-EC(7)/Common EC parameters> and
L<EVP_PKEY-X25519(7)/Common X25519, X448, ED25519 and ED448 parameters>.
Applications may also use L<EVP_PKEY_todata(3)> to return all fields.

=head4 Deprecated low-level key parameter setters

Functions that access low-level objects directly such as L<RSA_set0_crt_params(3)>
are now deprecated. Applications should use L<EVP_PKEY_fromdata(3)> to create
new keys from user-provided key data. Keys should be immutable once they are
created, so if required the user may use L<EVP_PKEY_todata(3)>, L<OSSL_PARAM_merge(3)>,
and L<EVP_PKEY_fromdata(3)> to create a modified key.
See L<EVP_PKEY-DH(7)/Examples> for more information.
See L</Deprecated low-level key generation functions> for information on
generating a key using parameters.

=head4 Deprecated low-level object creation

Low-level objects were created using methods such as L<RSA_new(3)>,
L<RSA_up_ref(3)> and L<RSA_free(3)>. Applications should instead use the
high-level EVP_PKEY APIs, e.g. L<EVP_PKEY_new(3)>, L<EVP_PKEY_up_ref(3)> and
L<EVP_PKEY_free(3)>.
See also L<EVP_PKEY_CTX_new_from_name(3)> and L<EVP_PKEY_CTX_new_from_pkey(3)>.

EVP_PKEYs may be created in a variety of ways; see
L</Deprecated low-level key generation functions>,
L</Deprecated low-level key reading and writing functions> and
L</Deprecated low-level key parameter setters>.

=head4 Deprecated low-level encryption functions

Low-level encryption functions such as L<AES_encrypt(3)> and L<AES_decrypt(3)>
have been informally discouraged from use for a long time. Applications should
instead use the high level EVP APIs L<EVP_EncryptInit_ex(3)>,
L<EVP_EncryptUpdate(3)>, and L<EVP_EncryptFinal_ex(3)> or
L<EVP_DecryptInit_ex(3)>, L<EVP_DecryptUpdate(3)> and L<EVP_DecryptFinal_ex(3)>.

=head4 Deprecated low-level digest functions

Use of low-level digest functions such as L<SHA1_Init(3)> has been
informally discouraged for a long time. Applications should instead
use the high level EVP APIs L<EVP_DigestInit_ex(3)>, L<EVP_DigestUpdate(3)>
and L<EVP_DigestFinal_ex(3)>, or the quick one-shot L<EVP_Q_digest(3)>.

Note that the functions L<SHA1(3)>, L<SHA224(3)>, L<SHA256(3)>, L<SHA384(3)>
and L<SHA512(3)> have changed to macros that use L<EVP_Q_digest(3)>.

=head4 Deprecated low-level signing functions

Use of low-level signing functions such as L<DSA_sign(3)> has been
informally discouraged for a long time. Instead applications should use
L<EVP_DigestSign(3)> and L<EVP_DigestVerify(3)>.
See also L<EVP_SIGNATURE-RSA(7)>, L<EVP_SIGNATURE-DSA(7)>,
L<EVP_SIGNATURE-ECDSA(7)> and L<EVP_SIGNATURE-ED25519(7)>.

=head4 Deprecated low-level MAC functions

Low-level MAC functions such as L<CMAC_Init(3)> are deprecated.
Applications should instead use the new L<EVP_MAC(3)> interface, using
L<EVP_MAC_CTX_new(3)>, L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>,
L<EVP_MAC_update(3)> and L<EVP_MAC_final(3)> or the single-shot MAC function
L<EVP_Q_mac(3)>.
See L<EVP_MAC(3)>, L<EVP_MAC-HMAC(7)>, L<EVP_MAC-CMAC(7)>, L<EVP_MAC-GMAC(7)>,
L<EVP_MAC-KMAC(7)>, L<EVP_MAC-BLAKE2(7)>, L<EVP_MAC-Poly1305(7)> and
L<EVP_MAC-Siphash(7)> for additional information.

Note that the one-shot method HMAC() is still available for compatibility purposes,
but this can also be replaced by using L<EVP_Q_mac(3)> if a library context is required.

=head4 Deprecated low-level validation functions

Low-level validation functions such as L<DH_check(3)> have been informally
discouraged from use for a long time.
Applications should instead use the high-level
EVP_PKEY APIs such as L<EVP_PKEY_check(3)>, L<EVP_PKEY_param_check(3)>,
L<EVP_PKEY_param_check_quick(3)>, L<EVP_PKEY_public_check(3)>,
L<EVP_PKEY_public_check_quick(3)>, L<EVP_PKEY_private_check(3)>,
and L<EVP_PKEY_pairwise_check(3)>.

=head4 Deprecated low-level key exchange functions

Many low-level functions have been informally discouraged from use for a long
time. Applications should instead use L<EVP_PKEY_derive(3)>.
See L<EVP_KEYEXCH-DH(7)>, L<EVP_KEYEXCH-ECDH(7)> and L<EVP_KEYEXCH-X25519(7)>.

=head4 Deprecated low-level key generation functions

Many low-level functions have been informally discouraged from use for a long
time. Applications should instead use L<EVP_PKEY_keygen_init(3)> and
L<EVP_PKEY_generate(3)> as described in L<EVP_PKEY-DSA(7)>, L<EVP_PKEY-DH(7)>,
L<EVP_PKEY-RSA(7)>, L<EVP_PKEY-EC(7)> and L<EVP_PKEY-X25519(7)>.
The 'quick' one-shot function L<EVP_PKEY_Q_keygen(3)> and macros for the most
common cases: L<EVP_RSA_gen(3)> and L<EVP_EC_gen(3)> may also be used.

=head4 Deprecated low-level key reading and writing functions

Use of low-level objects (such as DSA) has been informally discouraged
for a long time.
Functions to read and write these low-level objects (such as
PEM_read_DSA_PUBKEY()) should be replaced. Applications should instead use
L<OSSL_ENCODER_to_bio(3)> and L<OSSL_DECODER_from_bio(3)>.

=head4 Deprecated low-level key printing functions

Use of low-level objects (such as DSA) has been informally discouraged
for a long time. Functions to print these low-level objects such as
DSA_print() should be replaced with the equivalent EVP_PKEY functions.
Applications should use one of L<EVP_PKEY_print_public(3)>,
L<EVP_PKEY_print_private(3)>, L<EVP_PKEY_print_params(3)>,
L<EVP_PKEY_print_public_fp(3)>, L<EVP_PKEY_print_private_fp(3)> or
L<EVP_PKEY_print_params_fp(3)>. Note that internally these use
L<OSSL_ENCODER_to_bio(3)> and L<OSSL_DECODER_from_bio(3)>.

=head3 Deprecated function mappings

The following functions have been deprecated in 3.0.

=over 4

=item *

AES_bi_ige_encrypt() and AES_ige_encrypt()

There is no replacement for the IGE functions. New code should not use these modes.
These undocumented functions were never integrated into the EVP layer.
They implemented the AES Infinite Garble Extension (IGE) mode and AES
Bi-directional IGE mode. These modes were never formally standardised and
usage of these functions is believed to be very small. In particular
AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
is ever used. The security implications are believed to be minimal, but
this issue was never fixed for backwards compatibility reasons.

=item *

AES_encrypt(), AES_decrypt(), AES_set_encrypt_key(), AES_set_decrypt_key(),
AES_cbc_encrypt(), AES_cfb128_encrypt(), AES_cfb1_encrypt(), AES_cfb8_encrypt(),
AES_ecb_encrypt(), AES_ofb128_encrypt()

=item *

AES_unwrap_key(), AES_wrap_key()

See L</Deprecated low-level encryption functions>

=item *

AES_options()

There is no replacement. It returned a string indicating if the AES code was unrolled.

=item *

ASN1_digest(), ASN1_sign(), ASN1_verify()

There are no replacements. These old functions are not used, and could be
disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7.

=item *

ASN1_STRING_length_set()

Use L<ASN1_STRING_set(3)> or L<ASN1_STRING_set0(3)> instead.
This was a potentially unsafe function that could change the bounds of a
previously passed in pointer.

=item *

BF_encrypt(), BF_decrypt(), BF_set_key(), BF_cbc_encrypt(), BF_cfb64_encrypt(),
BF_ecb_encrypt(), BF_ofb64_encrypt()

See L</Deprecated low-level encryption functions>.
The Blowfish algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

BF_options()

There is no replacement. This function returned a constant string.

=item *

BIO_get_callback(), BIO_set_callback(), BIO_debug_callback()

Use the respective non-deprecated _ex() functions.

=item *

BN_is_prime_ex(), BN_is_prime_fasttest_ex()

Use L<BN_check_prime(3)> which avoids possible misuse and always uses at least
64 rounds of the Miller-Rabin primality test.

=item *

BN_pseudo_rand(), BN_pseudo_rand_range()

Use L<BN_rand(3)> and L<BN_rand_range(3)>.

=item *

BN_X931_derive_prime_ex(), BN_X931_generate_prime_ex(), BN_X931_generate_Xpq()

There are no replacements for these low-level functions. They were used internally
by RSA_X931_derive_ex() and RSA_X931_generate_key_ex() which are also deprecated.
Use L<EVP_PKEY_keygen(3)> instead.

=item *

Camellia_encrypt(), Camellia_decrypt(), Camellia_set_key(),
Camellia_cbc_encrypt(), Camellia_cfb128_encrypt(), Camellia_cfb1_encrypt(),
Camellia_cfb8_encrypt(), Camellia_ctr128_encrypt(), Camellia_ecb_encrypt(),
Camellia_ofb128_encrypt()

See L</Deprecated low-level encryption functions>.

=item *

CAST_encrypt(), CAST_decrypt(), CAST_set_key(), CAST_cbc_encrypt(),
CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()

See L</Deprecated low-level encryption functions>.
The CAST algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

CMAC_CTX_new(), CMAC_CTX_cleanup(), CMAC_CTX_copy(), CMAC_CTX_free(),
CMAC_CTX_get0_cipher_ctx()

See L</Deprecated low-level MAC functions>.

=item *

CMAC_Init(), CMAC_Update(), CMAC_Final(), CMAC_resume()

See L</Deprecated low-level MAC functions>.

=item *

CRYPTO_mem_ctrl(), CRYPTO_mem_debug_free(), CRYPTO_mem_debug_malloc(),
CRYPTO_mem_debug_pop(), CRYPTO_mem_debug_push(), CRYPTO_mem_debug_realloc(),
CRYPTO_mem_leaks(), CRYPTO_mem_leaks_cb(), CRYPTO_mem_leaks_fp(),
CRYPTO_set_mem_debug()

Memory-leak checking has been deprecated in favor of more modern development
tools, such as compiler memory and leak sanitizers or Valgrind.

=item *

CRYPTO_cts128_encrypt_block(), CRYPTO_cts128_encrypt(),
CRYPTO_cts128_decrypt_block(), CRYPTO_cts128_decrypt(),
CRYPTO_nistcts128_encrypt_block(), CRYPTO_nistcts128_encrypt(),
CRYPTO_nistcts128_decrypt_block(), CRYPTO_nistcts128_decrypt()

Use the higher level functions EVP_CipherInit_ex2(), EVP_CipherUpdate() and
EVP_CipherFinal_ex() instead.
See the "cts_mode" parameter in
L<EVP_EncryptInit(3)/Gettable and Settable EVP_CIPHER_CTX parameters>.
See L<EVP_EncryptInit(3)/EXAMPLES> for an AES-256-CBC-CTS example.

=item *

d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(),
d2i_ECParameters(), d2i_ECPrivateKey(), d2i_ECPrivateKey_bio(),
d2i_ECPrivateKey_fp(), d2i_EC_PUBKEY(), d2i_EC_PUBKEY_bio(),
d2i_EC_PUBKEY_fp(), o2i_ECPublicKey(), d2i_RSAPrivateKey(),
d2i_RSAPrivateKey_bio(), d2i_RSAPrivateKey_fp(), d2i_RSA_PUBKEY(),
d2i_RSA_PUBKEY_bio(), d2i_RSA_PUBKEY_fp(), d2i_RSAPublicKey(),
d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp()

See L</Deprecated i2d and d2i functions for low-level key types>

=item *

DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
DES_ede3_cfb_encrypt(), DES_ede3_ofb64_encrypt(),
DES_ecb_encrypt(), DES_ecb3_encrypt(), DES_ofb64_encrypt(), DES_ofb_encrypt(),
DES_cfb64_encrypt(), DES_cfb_encrypt(), DES_cbc_encrypt(), DES_ncbc_encrypt(),
DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(),
DES_quad_cksum(),
DES_check_key_parity(), DES_is_weak_key(), DES_key_sched(), DES_options(),
DES_random_key(), DES_set_key(), DES_set_key_checked(), DES_set_key_unchecked(),
DES_set_odd_parity(), DES_string_to_2keys(), DES_string_to_key()

See L</Deprecated low-level encryption functions>.
Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
"DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

DH_bits(), DH_security_bits(), DH_size()

Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.

=item *

DH_check(), DH_check_ex(), DH_check_params(), DH_check_params_ex(),
DH_check_pub_key(), DH_check_pub_key_ex()

See L</Deprecated low-level validation functions>

=item *

DH_clear_flags(), DH_test_flags(), DH_set_flags()

The B<DH_FLAG_CACHE_MONT_P> flag has been deprecated without replacement.
The B<DH_FLAG_TYPE_DH> and B<DH_FLAG_TYPE_DHX> flags have been deprecated.
Use EVP_PKEY_is_a() to determine the type of a key.
There is no replacement for setting these flags.

=item *

DH_compute_key(), DH_compute_key_padded()

See L</Deprecated low-level key exchange functions>.

=item *

DH_new(), DH_new_by_nid(), DH_free(), DH_up_ref()

See L</Deprecated low-level object creation>

=item *

DH_generate_key(), DH_generate_parameters_ex()

See L</Deprecated low-level key generation functions>.

=item *

DH_get0_pqg(), DH_get0_p(), DH_get0_q(), DH_get0_g(), DH_get0_key(),
DH_get0_priv_key(), DH_get0_pub_key(), DH_get_length(), DH_get_nid()

See L</Deprecated low-level key parameter getters>

=item *

DH_get_1024_160(), DH_get_2048_224(), DH_get_2048_256()

Applications should instead set the B<OSSL_PKEY_PARAM_GROUP_NAME> (as specified in
L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
"dh_2048_256" when generating a DH key.

=item *

DH_KDF_X9_42()

Applications should use L<EVP_PKEY_CTX_set_dh_kdf_type(3)> instead.

=item *

DH_get_default_method(), DH_get0_engine(), DH_meth_*(), DH_new_method(),
DH_OpenSSL(), DH_get_ex_data(), DH_set_default_method(), DH_set_method(),
DH_set_ex_data()

See L</Providers are a replacement for engines and low-level method overrides>

=item *

DHparams_print(), DHparams_print_fp()

See L</Deprecated low-level key printing functions>

=item *

DH_set0_key(), DH_set0_pqg(), DH_set_length()

See L</Deprecated low-level key parameter setters>

=item *

DSA_bits(), DSA_security_bits(), DSA_size()

Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.

=item *

DHparams_dup(), DSA_dup_DH()

There is no direct replacement.
Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.

=item *

DSA_generate_key(), DSA_generate_parameters_ex()

See L</Deprecated low-level key generation functions>.

=item *

DSA_get0_engine(), DSA_get_default_method(), DSA_get_ex_data(),
DSA_get_method(), DSA_meth_*(), DSA_new_method(), DSA_OpenSSL(),
DSA_set_default_method(), DSA_set_ex_data(), DSA_set_method()

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pqg(), DSA_get0_key(),
DSA_get0_priv_key(), DSA_get0_pub_key()

See L</Deprecated low-level key parameter getters>.

=item *

DSA_new(), DSA_free(), DSA_up_ref()

See L</Deprecated low-level object creation>

=item *

DSAparams_dup()

There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.

=item *

DSAparams_print(), DSAparams_print_fp(), DSA_print(), DSA_print_fp()

See L</Deprecated low-level key printing functions>

=item *

DSA_set0_key(), DSA_set0_pqg()

See L</Deprecated low-level key parameter setters>

=item *

DSA_set_flags(), DSA_clear_flags(), DSA_test_flags()

The B<DSA_FLAG_CACHE_MONT_P> flag has been deprecated without replacement.

=item *

DSA_sign(), DSA_do_sign(), DSA_sign_setup(), DSA_verify(), DSA_do_verify()

See L</Deprecated low-level signing functions>.

=item *

ECDH_compute_key()

See L</Deprecated low-level key exchange functions>.

=item *

ECDH_KDF_X9_62()

Applications may set this either by using the helper function
L<EVP_PKEY_CTX_set_ecdh_kdf_type(3)> or by setting an L<OSSL_PARAM(3)> using the
"kdf-type" as shown in L<EVP_KEYEXCH-ECDH(7)/EXAMPLES>

=item *

ECDSA_sign(), ECDSA_sign_ex(), ECDSA_sign_setup(), ECDSA_do_sign(),
ECDSA_do_sign_ex(), ECDSA_verify(), ECDSA_do_verify()

See L</Deprecated low-level signing functions>.

=item *

ECDSA_size()

Applications should use L<EVP_PKEY_get_size(3)>.

=item *

EC_GF2m_simple_method(), EC_GFp_mont_method(), EC_GFp_nist_method(),
EC_GFp_nistp224_method(), EC_GFp_nistp256_method(), EC_GFp_nistp521_method(),
EC_GFp_simple_method()

There are no replacements for these functions. Applications should rely on the
library automatically assigning a suitable method internally when an EC_GROUP
is constructed.

=item *

EC_GROUP_clear_free()

Use L<EC_GROUP_free(3)> instead.

=item *

EC_GROUP_get_curve_GF2m(), EC_GROUP_get_curve_GFp(), EC_GROUP_set_curve_GF2m(),
EC_GROUP_set_curve_GFp()

Applications should use L<EC_GROUP_get_curve(3)> and L<EC_GROUP_set_curve(3)>.

=item *

EC_GROUP_have_precompute_mult(), EC_GROUP_precompute_mult(),
EC_KEY_precompute_mult()

These functions are not widely used. Applications should instead switch to
named curves which OpenSSL has hardcoded lookup tables for.

=item *

EC_GROUP_new(), EC_GROUP_method_of(), EC_POINT_method_of()

EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
internally without application intervention.
Users of EC_GROUP_new() should switch to a different suitable constructor.

=item *

EC_KEY_can_sign()

Applications should use L<EVP_PKEY_can_sign(3)> instead.

=item *

EC_KEY_check_key()

See L</Deprecated low-level validation functions>

=item *

EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()

See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as separate
parameters for B<OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT>,
B<OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE>, B<OSSL_PKEY_PARAM_EC_ENCODING>,
B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH> and
B<OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC>.
See also L<EVP_PKEY-EC(7)/EXAMPLES>

=item *

EC_KEY_dup(), EC_KEY_copy()

There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.

=item *

EC_KEY_decoded_from_explicit_params()

There is no replacement.

=item *

EC_KEY_generate_key()

See L</Deprecated low-level key generation functions>.

=item *

EC_KEY_get0_group(), EC_KEY_get0_private_key(), EC_KEY_get0_public_key(),
EC_KEY_get_conv_form(), EC_KEY_get_enc_flags()

See L</Deprecated low-level key parameter getters>.

=item *

EC_KEY_get0_engine(), EC_KEY_get_default_method(), EC_KEY_get_method(),
EC_KEY_new_method(), EC_KEY_get_ex_data(), EC_KEY_OpenSSL(),
EC_KEY_set_ex_data(), EC_KEY_set_default_method(), EC_KEY_METHOD_*(),
EC_KEY_set_method()

See L</Providers are a replacement for engines and low-level method overrides>

=item *

EC_METHOD_get_field_type()

Use L<EC_GROUP_get_field_type(3)> instead.
See L</Providers are a replacement for engines and low-level method overrides>

=item *

EC_KEY_key2buf(), EC_KEY_oct2key(), EC_KEY_oct2priv(), EC_KEY_priv2buf(),
EC_KEY_priv2oct()

There are no replacements for these.

=item *

EC_KEY_new(), EC_KEY_new_by_curve_name(), EC_KEY_free(), EC_KEY_up_ref()

See L</Deprecated low-level object creation>

=item *

EC_KEY_print(), EC_KEY_print_fp()

See L</Deprecated low-level key printing functions>

=item *

EC_KEY_set_asn1_flag(), EC_KEY_set_conv_form(), EC_KEY_set_enc_flags()

See L</Deprecated low-level key parameter setters>.

=item *

EC_KEY_set_group(), EC_KEY_set_private_key(), EC_KEY_set_public_key(),
EC_KEY_set_public_key_affine_coordinates()

See L</Deprecated low-level key parameter setters>.

=item *

ECParameters_print(), ECParameters_print_fp(), ECPKParameters_print(),
ECPKParameters_print_fp()

See L</Deprecated low-level key printing functions>

=item *

EC_POINT_bn2point(), EC_POINT_point2bn()

These functions were not particularly useful, since EC point serialization
formats are not individual big-endian integers.

=item *

EC_POINT_get_affine_coordinates_GF2m(), EC_POINT_get_affine_coordinates_GFp(),
EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp()

Applications should use L<EC_POINT_get_affine_coordinates(3)> and
L<EC_POINT_set_affine_coordinates(3)> instead.

=item *

EC_POINT_get_Jprojective_coordinates_GFp(), EC_POINT_set_Jprojective_coordinates_GFp()

These functions are not widely used. Applications should instead use the
L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)>
functions.

=item *

EC_POINT_make_affine(), EC_POINTs_make_affine()

There is no replacement. These functions were not widely used, and OpenSSL
automatically performs this conversion when needed.

=item *

EC_POINT_set_compressed_coordinates_GF2m(), EC_POINT_set_compressed_coordinates_GFp()

Applications should use L<EC_POINT_set_compressed_coordinates(3)> instead.

=item *

EC_POINTs_mul()

This function is not widely used. Applications should instead use the
L<EC_POINT_mul(3)> function.

=item *

B<ENGINE_*()>

All engine functions are deprecated. An engine should be rewritten as a provider.
See L</Providers are a replacement for engines and low-level method overrides>.

=item *

B<ERR_load_*()>, ERR_func_error_string(), ERR_get_error_line(),
ERR_get_error_line_data(), ERR_get_state()

OpenSSL now loads error strings automatically so these functions are not needed.

=item *

ERR_peek_error_line_data(), ERR_peek_last_error_line_data()

The new functions are L<ERR_peek_error_func(3)>, L<ERR_peek_last_error_func(3)>,
L<ERR_peek_error_data(3)>, L<ERR_peek_last_error_data(3)>, L<ERR_get_error_all(3)>,
L<ERR_peek_error_all(3)> and L<ERR_peek_last_error_all(3)>.
Applications should use L<ERR_get_error_all(3)>, or pick information
with ERR_peek functions and finish off with getting the error code by using
L<ERR_get_error(3)>.

=item *

EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_iv_noconst(), EVP_CIPHER_CTX_original_iv()

Applications should instead use L<EVP_CIPHER_CTX_get_updated_iv(3)>,
L<EVP_CIPHER_CTX_get_updated_iv(3)> and L<EVP_CIPHER_CTX_get_original_iv(3)>
respectively.
See L<EVP_CIPHER_CTX_get_original_iv(3)> for further information.

=item *

B<EVP_CIPHER_meth_*()>, EVP_MD_CTX_set_update_fn(), EVP_MD_CTX_update_fn(),
B<EVP_MD_meth_*()>

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

EVP_PKEY_CTRL_PKCS7_ENCRYPT(), EVP_PKEY_CTRL_PKCS7_DECRYPT(),
EVP_PKEY_CTRL_PKCS7_SIGN(), EVP_PKEY_CTRL_CMS_ENCRYPT(),
EVP_PKEY_CTRL_CMS_DECRYPT(), and EVP_PKEY_CTRL_CMS_SIGN()

These control operations are not invoked by the OpenSSL library anymore and
are replaced by direct checks of the key operation against the key type
when the operation is initialized.

=item *

EVP_PKEY_CTX_get0_dh_kdf_ukm(), EVP_PKEY_CTX_get0_ecdh_kdf_ukm()

See the "kdf-ukm" item in L<EVP_KEYEXCH-DH(7)/DH key exchange parameters> and
L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>.
These functions are obsolete and should not be required.

=item *

EVP_PKEY_CTX_set_rsa_keygen_pubexp()

Applications should use L<EVP_PKEY_CTX_set1_rsa_keygen_pubexp(3)> instead.

=item *

EVP_PKEY_cmp(), EVP_PKEY_cmp_parameters()

Applications should use L<EVP_PKEY_eq(3)> and L<EVP_PKEY_parameters_eq(3)> instead.
See L<EVP_PKEY_copy_parameters(3)> for further details.

=item *

EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old()

Applications should use L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)> or
L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)> instead.

=item *

EVP_PKEY_get0()

This function returns NULL if the key comes from a provider.

=item *

EVP_PKEY_get0_DH(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_RSA(),
EVP_PKEY_get1_DH(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_EC_KEY() and EVP_PKEY_get1_RSA(),
EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305(), EVP_PKEY_get0_siphash()

See L</Functions that return an internal key should be treated as read only>.

=item *

B<EVP_PKEY_meth_*()>

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

EVP_PKEY_new_CMAC_key()

See L</Deprecated low-level MAC functions>.

=item *

EVP_PKEY_assign(), EVP_PKEY_set1_DH(), EVP_PKEY_set1_DSA(),
EVP_PKEY_set1_EC_KEY(), EVP_PKEY_set1_RSA()

See L</Deprecated low-level key object getters and setters>.

=item *

EVP_PKEY_set1_tls_encodedpoint(), EVP_PKEY_get1_tls_encodedpoint()

These functions were previously used by libssl to set or get an encoded public
key into/from an EVP_PKEY object. With OpenSSL 3.0 these are replaced by the more
generic functions L<EVP_PKEY_set1_encoded_public_key(3)> and
L<EVP_PKEY_get1_encoded_public_key(3)>.
The old versions have been converted to deprecated macros that just call the
new functions.

=item *

EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine()

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

EVP_PKEY_set_alias_type()

This function has been removed. There is no replacement.
See L</EVP_PKEY_set_alias_type() method has been removed>

=item *

HMAC_Init_ex(), HMAC_Update(), HMAC_Final(), HMAC_size()

See L</Deprecated low-level MAC functions>.

=item *

HMAC_CTX_new(), HMAC_CTX_free(), HMAC_CTX_copy(), HMAC_CTX_reset(),
HMAC_CTX_set_flags(), HMAC_CTX_get_md()

See L</Deprecated low-level MAC functions>.

=item *

i2d_DHparams(), i2d_DHxparams()

See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>

=item *

i2d_DSAparams(), i2d_DSAPrivateKey(), i2d_DSAPrivateKey_bio(),
i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(),
i2d_DSA_PUBKEY_fp(), i2d_DSAPublicKey()

See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>

=item *

i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(),
i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(),
i2d_EC_PUBKEY_fp(), i2o_ECPublicKey()

See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>

=item *

i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(),
i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(),
i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp()

See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>

=item *

IDEA_encrypt(), IDEA_set_decrypt_key(), IDEA_set_encrypt_key(),
IDEA_cbc_encrypt(), IDEA_cfb64_encrypt(), IDEA_ecb_encrypt(),
IDEA_ofb64_encrypt()

See L</Deprecated low-level encryption functions>.
IDEA has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

IDEA_options()

There is no replacement. This function returned a constant string.

=item *

MD2(), MD2_Init(), MD2_Update(), MD2_Final()

See L</Deprecated low-level encryption functions>.
MD2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

MD2_options()

There is no replacement. This function returned a constant string.

=item *

MD4(), MD4_Init(), MD4_Update(), MD4_Final(), MD4_Transform()

See L</Deprecated low-level encryption functions>.
MD4 has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

MDC2(), MDC2_Init(), MDC2_Update(), MDC2_Final()

See L</Deprecated low-level encryption functions>.
MDC2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

MD5(), MD5_Init(), MD5_Update(), MD5_Final(), MD5_Transform()

See L</Deprecated low-level encryption functions>.

=item *

NCONF_WIN32()

This undocumented function has no replacement.
See L<config(5)/HISTORY> for more details.

=item *

OCSP_parse_url()

Use L<OSSL_HTTP_parse_url(3)> instead.

=item *

B<OCSP_REQ_CTX> type and B<OCSP_REQ_CTX_*()> functions

These methods were used to collect all necessary data to form an HTTP request,
and to perform the HTTP transfer with that request. With OpenSSL 3.0, the
type is B<OSSL_HTTP_REQ_CTX>, and the deprecated functions are replaced
with B<OSSL_HTTP_REQ_CTX_*()>. See L<OSSL_HTTP_REQ_CTX(3)> for additional
details.

=item *

OPENSSL_fork_child(), OPENSSL_fork_parent(), OPENSSL_fork_prepare()

There is no replacement for these functions. These pthread fork support methods
were unused by OpenSSL.

=item *

OSSL_STORE_ctrl(), OSSL_STORE_do_all_loaders(), OSSL_STORE_LOADER_get0_engine(),
OSSL_STORE_LOADER_get0_scheme(), OSSL_STORE_LOADER_new(),
OSSL_STORE_LOADER_set_attach(), OSSL_STORE_LOADER_set_close(),
OSSL_STORE_LOADER_set_ctrl(), OSSL_STORE_LOADER_set_eof(),
OSSL_STORE_LOADER_set_error(), OSSL_STORE_LOADER_set_expect(),
OSSL_STORE_LOADER_set_find(), OSSL_STORE_LOADER_set_load(),
OSSL_STORE_LOADER_set_open(), OSSL_STORE_LOADER_set_open_ex(),
OSSL_STORE_register_loader(), OSSL_STORE_unregister_loader(),
OSSL_STORE_vctrl()

These functions helped applications and engines create loaders for
schemes they supported. These are all deprecated and discouraged in favour of
provider implementations, see L<provider-storemgmt(7)>.

=item *

PEM_read_DHparams(), PEM_read_bio_DHparams(),
PEM_read_DSAparams(), PEM_read_bio_DSAparams(),
PEM_read_DSAPrivateKey(), PEM_read_DSA_PUBKEY(),
PEM_read_bio_DSAPrivateKey() and PEM_read_bio_DSA_PUBKEY(),
PEM_read_ECPKParameters(), PEM_read_ECPrivateKey(), PEM_read_EC_PUBKEY(),
PEM_read_bio_ECPKParameters(), PEM_read_bio_ECPrivateKey(), PEM_read_bio_EC_PUBKEY(),
PEM_read_RSAPrivateKey(), PEM_read_RSA_PUBKEY(), PEM_read_RSAPublicKey(),
PEM_read_bio_RSAPrivateKey(), PEM_read_bio_RSA_PUBKEY(), PEM_read_bio_RSAPublicKey(),
PEM_write_bio_DHparams(), PEM_write_bio_DHxparams(), PEM_write_DHparams(), PEM_write_DHxparams(),
PEM_write_DSAparams(), PEM_write_DSAPrivateKey(), PEM_write_DSA_PUBKEY(),
PEM_write_bio_DSAparams(), PEM_write_bio_DSAPrivateKey(), PEM_write_bio_DSA_PUBKEY(),
PEM_write_ECPKParameters(), PEM_write_ECPrivateKey(), PEM_write_EC_PUBKEY(),
PEM_write_bio_ECPKParameters(), PEM_write_bio_ECPrivateKey(), PEM_write_bio_EC_PUBKEY(),
PEM_write_RSAPrivateKey(), PEM_write_RSA_PUBKEY(), PEM_write_RSAPublicKey(),
PEM_write_bio_RSAPrivateKey(), PEM_write_bio_RSA_PUBKEY(),
PEM_write_bio_RSAPublicKey()

See L</Deprecated low-level key reading and writing functions>.

=item *

PKCS1_MGF1()

See L</Deprecated low-level encryption functions>.

=item *

RAND_get_rand_method(), RAND_set_rand_method(), RAND_OpenSSL(),
RAND_set_rand_engine()

Applications should instead use L<RAND_set_DRBG_type(3)>,
L<EVP_RAND(3)> and L<EVP_RAND(7)>.
See L<RAND_set_rand_method(3)> for more details.

=item *

RC2_encrypt(), RC2_decrypt(), RC2_set_key(), RC2_cbc_encrypt(), RC2_cfb64_encrypt(),
RC2_ecb_encrypt(), RC2_ofb64_encrypt(),
RC4(), RC4_set_key(), RC4_options(),
RC5_32_encrypt(), RC5_32_set_key(), RC5_32_decrypt(), RC5_32_cbc_encrypt(),
RC5_32_cfb64_encrypt(), RC5_32_ecb_encrypt(), RC5_32_ofb64_encrypt()

See L</Deprecated low-level encryption functions>.
The algorithms "RC2", "RC4" and "RC5" have been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update(), RIPEMD160_Final(),
RIPEMD160_Transform()

See L</Deprecated low-level digest functions>.
The RIPE algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

RSA_bits(), RSA_security_bits(), RSA_size()

Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.

=item *

RSA_check_key(), RSA_check_key_ex()

See L</Deprecated low-level validation functions>.

=item *

RSA_clear_flags(), RSA_flags(), RSA_set_flags(), RSA_test_flags(),
RSA_setup_blinding(), RSA_blinding_off(), RSA_blinding_on()

All of these RSA flags have been deprecated without replacement:

B<RSA_FLAG_BLINDING>, B<RSA_FLAG_CACHE_PRIVATE>, B<RSA_FLAG_CACHE_PUBLIC>,
B<RSA_FLAG_EXT_PKEY>, B<RSA_FLAG_NO_BLINDING>, B<RSA_FLAG_THREAD_SAFE>,
B<RSA_METHOD_FLAG_NO_CHECK>

=item *

RSA_generate_key_ex(), RSA_generate_multi_prime_key()

See L</Deprecated low-level key generation functions>.

=item *

RSA_get0_engine()

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

RSA_get0_crt_params(), RSA_get0_d(), RSA_get0_dmp1(), RSA_get0_dmq1(),
RSA_get0_e(), RSA_get0_factors(), RSA_get0_iqmp(), RSA_get0_key(),
RSA_get0_multi_prime_crt_params(), RSA_get0_multi_prime_factors(), RSA_get0_n(),
RSA_get0_p(), RSA_get0_pss_params(), RSA_get0_q(),
RSA_get_multi_prime_extra_count()

See L</Deprecated low-level key parameter getters>.

=item *

RSA_new(), RSA_free(), RSA_up_ref()

See L</Deprecated low-level object creation>.

=item *

RSA_get_default_method(), RSA_get_ex_data() and RSA_get_method()

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

RSA_get_version()

There is no replacement.

=item *

B<RSA_meth_*()>, RSA_new_method(), RSA_null_method() and RSA_PKCS1_OpenSSL()

See L</Providers are a replacement for engines and low-level method overrides>.

=item *

B<RSA_padding_add_*()>, B<RSA_padding_check_*()>

See L</Deprecated low-level signing functions> and
L</Deprecated low-level encryption functions>.

=item *

RSA_print(), RSA_print_fp()

See L</Deprecated low-level key printing functions>.

=item *

RSA_public_encrypt(), RSA_private_decrypt()

See L</Deprecated low-level encryption functions>.

=item *

RSA_private_encrypt(), RSA_public_decrypt()

This is equivalent to doing sign and verify recover operations (with a padding
mode of none). See L</Deprecated low-level signing functions>.

=item *

RSAPrivateKey_dup(), RSAPublicKey_dup()

There is no direct replacement. Applications may use L<EVP_PKEY_dup(3)>.

=item *

RSAPublicKey_it(), RSAPrivateKey_it()

See L</Deprecated low-level key reading and writing functions>

=item *

RSA_set0_crt_params(), RSA_set0_factors(), RSA_set0_key(),
RSA_set0_multi_prime_params()

See L</Deprecated low-level key parameter setters>.

=item *

RSA_set_default_method(), RSA_set_method(), RSA_set_ex_data()

See L</Providers are a replacement for engines and low-level method overrides>

=item *

RSA_sign(), RSA_sign_ASN1_OCTET_STRING(), RSA_verify(),
RSA_verify_ASN1_OCTET_STRING(), RSA_verify_PKCS1_PSS(),
RSA_verify_PKCS1_PSS_mgf1()

See L</Deprecated low-level signing functions>.

=item *

RSA_X931_derive_ex(), RSA_X931_generate_key_ex(), RSA_X931_hash_id()

There are no replacements for these functions.
X931 padding can be set using L<EVP_SIGNATURE-RSA(7)/Signature Parameters>.
See B<OSSL_SIGNATURE_PARAM_PAD_MODE>.

=item *

SEED_encrypt(), SEED_decrypt(), SEED_set_key(), SEED_cbc_encrypt(),
SEED_cfb128_encrypt(), SEED_ecb_encrypt(), SEED_ofb128_encrypt()

See L</Deprecated low-level encryption functions>.
The SEED algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

SHA1_Init(), SHA1_Update(), SHA1_Final(), SHA1_Transform(),
SHA224_Init(), SHA224_Update(), SHA224_Final(),
SHA256_Init(), SHA256_Update(), SHA256_Final(), SHA256_Transform(),
SHA384_Init(), SHA384_Update(), SHA384_Final(),
SHA512_Init(), SHA512_Update(), SHA512_Final(), SHA512_Transform()

See L</Deprecated low-level digest functions>.

=item *

SRP_Calc_A(), SRP_Calc_B(), SRP_Calc_client_key(), SRP_Calc_server_key(),
SRP_Calc_u(), SRP_Calc_x(), SRP_check_known_gN_param(), SRP_create_verifier(),
SRP_create_verifier_BN(), SRP_get_default_gN(), SRP_user_pwd_free(), SRP_user_pwd_new(),
SRP_user_pwd_set0_sv(), SRP_user_pwd_set1_ids(), SRP_user_pwd_set_gN(),
SRP_VBASE_add0_user(), SRP_VBASE_free(), SRP_VBASE_get1_by_user(), SRP_VBASE_init(),
SRP_VBASE_new(), SRP_Verify_A_mod_N(), SRP_Verify_B_mod_N()

There are no replacements for the SRP functions.

=item *

SSL_CTX_set_tmp_dh_callback(), SSL_set_tmp_dh_callback(),
SSL_CTX_set_tmp_dh(), SSL_set_tmp_dh()

These are used to set the Diffie-Hellman (DH) parameters that are to be used by
servers requiring ephemeral DH keys. Instead applications should consider using
the built-in DH parameters that are available by calling L<SSL_CTX_set_dh_auto(3)>
or L<SSL_set_dh_auto(3)>. If custom parameters are necessary then applications can
use the alternative functions L<SSL_CTX_set0_tmp_dh_pkey(3)> and
L<SSL_set0_tmp_dh_pkey(3)>. There is no direct replacement for the "callback"
functions. The callback was originally useful in order to have different
parameters for export and non-export ciphersuites.
Export ciphersuites are no
longer supported by OpenSSL. Use of the callback functions should be replaced
by one of the other methods described above.

=item *

SSL_CTX_set_tlsext_ticket_key_cb()

Use the new L<SSL_CTX_set_tlsext_ticket_key_evp_cb(3)> function instead.

=item *

WHIRLPOOL(), WHIRLPOOL_Init(), WHIRLPOOL_Update(), WHIRLPOOL_Final(),
WHIRLPOOL_BitUpdate()

See L</Deprecated low-level digest functions>.
The Whirlpool algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.

=item *

X509_certificate_type()

This was an undocumented function. Applications can use L<X509_get0_pubkey(3)>
and L<X509_get0_signature(3)> instead.

=item *

X509_http_nbio(), X509_CRL_http_nbio()

Use L<X509_load_http(3)> and L<X509_CRL_load_http(3)> instead.

=back

=head3 NID handling for provided keys and algorithms

The following functions for NID (numeric id) handling have changed semantics.

=over 4

=item *

EVP_PKEY_id(), EVP_PKEY_get_id()

This function was previously used to reliably return the NID of
an EVP_PKEY object, e.g., to look up the name of the algorithm of
such EVP_PKEY by calling L<OBJ_nid2sn(3)>. With the introduction
of L<provider(7)>s, EVP_PKEY_id() or its new equivalent
L<EVP_PKEY_get_id(3)> might now also return the value -1
(B<EVP_PKEY_KEYMGMT>) indicating the use of a provider to
implement the EVP_PKEY object. Therefore, the use of
L<EVP_PKEY_get0_type_name(3)> is recommended for retrieving
the name of the EVP_PKEY algorithm.

=back

=head2 Using the FIPS Module in applications

See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.

=head2 OpenSSL command line application changes

=head3 New applications

L<B<openssl kdf>|openssl-kdf(1)> uses the new L<EVP_KDF(3)> API.
L<B<openssl mac>|openssl-mac(1)> uses the new L<EVP_MAC(3)> API.

=head3 Added options

B<-provider_path> and B<-provider> are available to all apps and can be used
multiple times to load any providers, such as the 'legacy' provider or third
party providers. If used then the 'default' provider would also need to be
specified if required. The B<-provider_path> must be specified before the
B<-provider> option.

The B<list> app has many new options. See L<openssl-list(1)> for more
information.

B<-crl_lastupdate> and B<-crl_nextupdate> used by B<openssl ca> allow
explicit setting of fields in the generated CRL.

=head3 Removed options

Interactive mode is no longer available.

The B<-crypt> option used by B<openssl passwd>.
The B<-c> option used by B<openssl x509>, B<openssl dhparam>,
B<openssl dsaparam>, and B<openssl ecparam>.

=head3 Other Changes

The output of command line applications may have minor changes.
These are primarily changes in capitalisation and white space. However, in some
cases, there are additional differences.
For example, the DH parameters output from B<openssl dhparam> now lists 'P',
'Q', 'G' and 'pcounter' instead of 'prime', 'generator', 'subgroup order' and
'counter' respectively.

The B<openssl> commands that read keys, certificates, and CRLs now
automatically detect the PEM or DER format of the input files so it is not
necessary to explicitly specify the input format anymore. However if the
input format option is used the specified format will be required.

B<openssl speed> no longer uses low-level API calls.
This implies some of the performance numbers might not be comparable with the
previous releases due to higher overhead. This applies particularly to
measuring performance on smaller data chunks.

B<openssl dhparam>, B<openssl dsa>, B<openssl gendsa>, B<openssl dsaparam>,
B<openssl genrsa> and B<openssl rsa> have been modified to use PKEY APIs.
B<openssl genrsa> and B<openssl rsa> now write PKCS #8 keys by default.

=head3 Default settings

"SHA256" is now the default digest for TS query used by B<openssl ts>.

=head3 Deprecated apps

B<openssl rsautl> is deprecated, use B<openssl pkeyutl> instead.
B<openssl dhparam>, B<openssl dsa>, B<openssl gendsa>, B<openssl dsaparam>,
B<openssl genrsa> and B<openssl rsa> are
now in maintenance mode and no new features will be added to them.

=head2 TLS Changes

=over 4

=item *

TLS 1.3 FFDHE key exchange support added

This uses DH safe prime named groups.

=item *

Support for fully "pluggable" TLSv1.3 groups.

This means that providers may supply their own group implementations (using
either the "key exchange" or the "key encapsulation" methods) which will
automatically be detected and used by libssl.

=item *

SSL and SSL_CTX options are now 64 bit instead of 32 bit.

The signatures of the functions to get and set options on SSL and
SSL_CTX objects changed from "unsigned long" to "uint64_t" type.

This may require source code changes. For example it is no longer possible
to use the B<SSL_OP_> macro values in preprocessor C<#if> conditions.
However it is still possible to test whether these macros are defined or not.

See L<SSL_CTX_get_options(3)>, L<SSL_CTX_set_options(3)>,
L<SSL_get_options(3)> and L<SSL_set_options(3)>.

=item *

SSL_set1_host() and SSL_add1_host() Changes

These functions now take IP literal addresses as well as actual hostnames.

=item *

Added SSL option SSL_OP_CLEANSE_PLAINTEXT

If the option is set, openssl cleanses (zeroizes) plaintext bytes from
internal buffers after delivering them to the application. Note,
the application is still responsible for cleansing other copies
(e.g.: data received by L<SSL_read(3)>).

=item *

Client-initiated renegotiation is disabled by default.

To allow it, use the B<-client_renegotiation> option,
the B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION> flag, or the C<ClientRenegotiation>
config parameter as appropriate.

=item *

Secure renegotiation is now required by default for TLS connections

Support for RFC 5746 secure renegotiation is now required by default for
SSL or TLS connections to succeed.
Applications that require the ability
to connect to legacy peers will need to explicitly set
SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
is no longer set as part of SSL_OP_ALL.

=item *

Combining the Configure options no-ec and no-dh no longer disables TLSv1.3

Typically if OpenSSL has no EC or DH algorithms then it cannot support
connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
through providers. Therefore third party providers may supply group
implementations even where there are no built-in ones. Attempting to create
TLS connections in such a build without also disabling TLSv1.3 at run time or
using third party provider groups may result in handshake failures. TLSv1.3
can be disabled at compile time using the "no-tls1_3" Configure option.

=item *

SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() changes.

The methods now ignore unknown ciphers.

=item *

Security callback change.

The security callback, which can be customised by application code, supports
the security operation SSL_SECOP_TMP_DH.
This is defined to take an EVP_PKEY
in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
security operation and it passed a DH object instead. This is incorrect
according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.

=item *

New SSL option SSL_OP_IGNORE_UNEXPECTED_EOF

The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
is set, an unexpected EOF is ignored: OpenSSL behaves as if a close notify had
been received instead, so the returned error becomes SSL_ERROR_ZERO_RETURN.

=item *

The security strength of SHA1 and MD5 based signatures in TLS has been reduced.

This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
working at the default security level of 1 and instead requiring security
level 0. The security level can be changed either using the cipher string
with C<@SECLEVEL>, or calling L<SSL_CTX_set_security_level(3)>. This also means
that where the signature algorithms extension is missing from a ClientHello
then the handshake will fail in TLS 1.2 at security level 1.
This is because,
although this extension is optional, failing to provide one means that
OpenSSL will fall back to a default set of signature algorithms. This default
set requires the availability of SHA1.

=item *

X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.

In TLS/SSL the default security level is 1. It can be set either using the cipher
string with C<@SECLEVEL>, or calling L<SSL_CTX_set_security_level(3)>. If the
leaf certificate is signed with SHA-1, a call to L<SSL_CTX_use_certificate(3)>
will fail if the security level is not lowered first.
Outside TLS/SSL, the default security level is -1 (effectively 0). It can
be set using L<X509_VERIFY_PARAM_set_auth_level(3)> or using the B<-auth_level>
options of the commands.

=back

=head1 SEE ALSO

L<fips_module(7)>

=head1 HISTORY

The migration guide was created for OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").
You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut