[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Wed Aug 4 05:02:57 UTC 2021
The branch master has been updated
via da496bc159361b0bc22df2432fb07b1cd7491ac2 (commit)
via 2fc02378ffcd9a266077eeea224890c534b7aaef (commit)
from 92c03668c0cd77434006b613e3429888a0a8ecfe (commit)
- Log -----------------------------------------------------------------
commit da496bc159361b0bc22df2432fb07b1cd7491ac2
Author: Beat Bolli <dev at drbeat.li>
Date: Fri Jul 30 18:40:27 2021 +0200
doc: replace markdown backticks with perlpod syntax
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16190)
commit 2fc02378ffcd9a266077eeea224890c534b7aaef
Author: Beat Bolli <dev at drbeat.li>
Date: Fri Jul 30 18:39:51 2021 +0200
doc: use the documented =item markers
The generated lists[1] look weird when using a dash as the list item
character. Perlpod documents[2] '*' for unordered lists and '1.' (note
the period) for ordered lists. Use these characters instead.
[1] e.g. https://www.openssl.org/docs/manmaster/man7/migration_guide.html#New-Algorithms
[2] https://perldoc.perl.org/perlpod
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16190)
-----------------------------------------------------------------------
Summary of changes:
doc/internal/man7/deprecation.pod | 4 +-
doc/man1/openssl-ocsp.pod.in | 2 +-
doc/man1/openssl-verification-options.pod | 22 +-
doc/man3/OSSL_STORE_INFO.pod | 2 +-
doc/man7/fips_module.pod | 14 +-
doc/man7/migration_guide.pod | 493 +++++++++++++++---------------
doc/man7/passphrase-encoding.pod | 2 +-
util/perl/OpenSSL/Template.pm | 4 +-
8 files changed, 273 insertions(+), 270 deletions(-)
diff --git a/doc/internal/man7/deprecation.pod b/doc/internal/man7/deprecation.pod
index 15e1c7aef1..e0efa75ce4 100644
--- a/doc/internal/man7/deprecation.pod
+++ b/doc/internal/man7/deprecation.pod
@@ -21,10 +21,10 @@ Removal of a symbol is not the same thing as deprecation, as it actually
explicitly removes the symbol from public view.
OpenSSL configuration supports deprecation as well as simulating removal of
-symbols from public view (with the configuration option `no-deprecated`, or
+symbols from public view (with the configuration option C<no-deprecated>, or
if the user chooses to do so, with L<OPENSSL_NO_DEPRECATED(7)>), and also
supports doing this in terms of a specified OpenSSL version (with the
-configuration option `--api`, or if the user chooses to do so, with
+configuration option C<--api>, or if the user chooses to do so, with
L<OPENSSL_API_COMPAT(7)>).
Deprecation is done using attribute macros named
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 0ef1e1a002..fbad5079af 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -371,7 +371,7 @@ subject name.
Port to listen for OCSP requests on. The port may also be specified
using the B<url> option.
-A `0` argument indicates that any available port shall be chosen automatically.
+A C<0> argument indicates that any available port shall be chosen automatically.
=item B<-ignore_err>
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index c634ccae15..70daa986b8 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -274,50 +274,50 @@ among others, the following certificate well-formedness conditions are checked:
=over 4
-=item -
+=item *
The basicConstraints of CA certificates must be marked critical.
-=item -
+=item *
CA certificates must explicitly include the keyUsage extension.
-=item -
+=item *
If a pathlenConstraint is given the key usage keyCertSign must be allowed.
-=item -
+=item *
The pathlenConstraint must not be given for non-CA certificates.
-=item -
+=item *
The issuer name of any certificate must not be empty.
-=item -
+=item *
The subject name of CA certs, certs with keyUsage crlSign, and certs
without subjectAlternativeName must not be empty.
-=item -
+=item *
If a subjectAlternativeName extension is given it must not be empty.
-=item -
+=item *
The signatureAlgorithm field and the cert signature must be consistent.
-=item -
+=item *
Any given authorityKeyIdentifier and any given subjectKeyIdentifier
must not be marked critical.
-=item -
+=item *
The authorityKeyIdentifier must be given for X.509v3 certs unless they
are self-signed.
-=item -
+=item *
The subjectKeyIdentifier must be given for all X.509v3 CA certs.
diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod
index 299249ceb1..39bb93fbf5 100644
--- a/doc/man3/OSSL_STORE_INFO.pod
+++ b/doc/man3/OSSL_STORE_INFO.pod
@@ -108,7 +108,7 @@ OSSL_STORE_INFO_new_CERT() and OSSL_STORE_INFO_new_CRL()
create a B<OSSL_STORE_INFO> object to hold the given input object.
On success the input object is consumed.
-Additionally, for B<OSSL_STORE_INFO_NAME>` objects,
+Additionally, for B<OSSL_STORE_INFO_NAME> objects,
OSSL_STORE_INFO_set0_NAME_description() can be used to add an extra
description.
This description is meant to be human readable and should be used for
diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod
index b47ed279f6..e374651fa5 100644
--- a/doc/man7/fips_module.pod
+++ b/doc/man7/fips_module.pod
@@ -22,15 +22,15 @@ legacy APIs or features that avoid the FIPS module. Specifically this includes:
=over 4
-=item -
+=item *
Low level cryptographic APIs (use the high level APIs, such as EVP, instead)
-=item -
+=item *
Engines
-=item -
+=item *
Any functions that create or modify custom "METHODS" (for example
EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(),
@@ -110,21 +110,21 @@ some disadvantages to this approach:
=over 4
-=item -
+=item *
You may not want all applications to use the FIPS module.
It may be the case that some applications should and some should not use the
FIPS module.
-=item -
+=item *
If applications take explicit steps to not load the default config file or
set different settings.
This method will not work for these cases.
-=item -
+=item *
The algorithms available in the FIPS module are a subset of the algorithms
that are available in the default OpenSSL Provider.
@@ -132,7 +132,7 @@ that are available in the default OpenSSL Provider.
If any applications attempt to use any algorithms that are not present,
then they will fail.
-=item -
+=item *
Usage of certain deprecated APIs avoids the use of the FIPS module.
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index 8cc9bd5fc8..462ef9f122 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -184,31 +184,31 @@ the B<SSL_OP_ENABLE_KTLS> option.
=over 4
-=item -
+=item *
KDF algorithms "SINGLE STEP" and "SSH"
See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>
-=item -
+=item *
MAC Algorithms "GMAC" and "KMAC"
See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.
-=item -
+=item *
KEM Algorithm "RSASVE"
See L<EVP_KEM-RSA(7)>.
-=item -
+=item *
Cipher Algorithm "AES-SIV"
See L<EVP_EncryptInit(3)/SIV Mode>.
-=item -
+=item *
AES Key Wrap inverse ciphers supported by EVP layer.
@@ -217,7 +217,9 @@ unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
"AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and
"AES-256-WRAP-PAD-INV".
-=item AES CTS cipher added to EVP layer.
+=item *
+
+AES CTS cipher added to EVP layer.
The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
CS1, CS2 and CS3 variants are supported.
@@ -228,15 +230,15 @@ CS1, CS2 and CS3 variants are supported.
=over 4
-=item -
+=item *
Added CAdES-BES signature verification support.
-=item -
+=item *
Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
-=item -
+=item *
Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM
@@ -244,7 +246,7 @@ This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
Its purpose is to support encryption and decryption of a digital envelope that
is both authenticated and encrypted using AES GCM mode.
-=item -
+=item *
L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.
@@ -367,8 +369,8 @@ curve ones.
Validation of SM2 keys has been separated from the validation of regular EC
keys, allowing to improve the SM2 validation process to reject loaded private
keys that are not conforming to the SM2 ISO standard.
-In particular, a private scalar `k` outside the range `1 <= k < n-1` is now
-correctly rejected.
+In particular, a private scalar I<k> outside the range I<< 1 <= k < n-1 >> is
+now correctly rejected.
=head4 EVP_PKEY_set_alias_type() method has been removed
@@ -453,15 +455,15 @@ application. If this happens you have 3 options:
=over 4
-=item 1)
+=item 1.
Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL.
-=item 2)
+=item 2.
Suppress the warnings. Refer to your compiler documentation on how to do this.
-=item 3)
+=item 3.
Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead
@@ -475,7 +477,7 @@ L</Upgrading from OpenSSL 1.1.1>, the main things to be aware of are:
=over 4
-=item 1)
+=item 1.
The build and installation procedure has changed significantly.
@@ -483,7 +485,7 @@ Check the file INSTALL.md in the top of the installation for instructions on how
to build and install OpenSSL for your platform. Also read the various NOTES
files in the same directory, as applicable for your platform.
-=item 2)
+=item 2.
Many structures have been made opaque in OpenSSL 3.0.
@@ -501,7 +503,8 @@ For example code that previously looked like this:
/* This line will now generate compiler errors */
EVP_MD_CTX_init(&md_ctx);
- The code needs to be amended to look like this:
+The code needs to be amended to look like this:
+
EVP_MD_CTX *md_ctx;
md_ctx = EVP_MD_CTX_new();
@@ -509,7 +512,7 @@ For example code that previously looked like this:
...
EVP_MD_CTX_free(md_ctx);
-=item 3)
+=item 3.
Support for TLSv1.3 has been added.
@@ -582,119 +585,119 @@ mappings are listed along with the respective name.
=over 4
-=item -
+=item *
L<ASN1_item_new(3)>, L<ASN1_item_d2i(3)>, L<ASN1_item_d2i_fp(3)>,
L<ASN1_item_d2i_bio(3)>, L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>
-=item -
+=item *
L<BIO_new(3)>
-=item -
+=item *
b2i_RSA_PVK_bio() and i2b_PVK_bio()
-=item -
+=item *
L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>
-=item -
+=item *
L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
L<CMS_digest_create(3)>, L<CMS_EncryptedData_encrypt(3)>, L<CMS_encrypt(3)>,
L<CMS_EnvelopedData_create(3)>, L<CMS_ReceiptRequest_create0(3)> and L<CMS_sign(3)>
-=item -
+=item *
L<CONF_modules_load_file(3)>
-=item -
+=item *
L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>
-=item -
+=item *
L<CT_POLICY_EVAL_CTX_new(3)>
-=item -
+=item *
L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>
-=item -
+=item *
L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>
Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>
-=item -
+=item *
L<EC_GROUP_new(3)>
Use L<EC_GROUP_new_by_curve_name_ex(3)> or L<EC_GROUP_new_from_params(3)>.
-=item -
+=item *
L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>
-=item -
+=item *
L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>
-=item -
+=item *
L<PKCS5_PBE_keyivgen(3)>
-=item -
+=item *
L<EVP_PKCS82PKEY(3)>
-=item -
+=item *
L<EVP_PKEY_CTX_new_id(3)>
Use L<EVP_PKEY_CTX_new_from_name(3)>
-=item -
+=item *
L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
and L<EVP_PKEY_new_raw_public_key(3)>
-=item -
+=item *
L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>
-=item -
+=item *
L<NCONF_new(3)>
-=item -
+=item *
L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>
-=item -
+=item *
L<OPENSSL_thread_stop(3)>
-=item -
+=item *
L<OSSL_STORE_open(3)>
-=item -
+=item *
L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
L<PEM_read_PrivateKey(3)> and L<PEM_read_PUBKEY(3)>
-=item -
+=item *
L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
and L<PEM_write_PUBKEY(3)>
-=item -
+=item *
L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>
-=item -
+=item *
L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
L<PKCS12_create(3)>, L<PKCS12_decrypt_skey(3)>, L<PKCS12_init(3)>, L<PKCS12_item_decrypt_d2i(3)>,
@@ -702,64 +705,64 @@ L<PKCS12_item_i2d_encrypt(3)>, L<PKCS12_key_gen_asc(3)>, L<PKCS12_key_gen_uni(3)
L<PKCS12_key_gen_utf8(3)>, L<PKCS12_pack_p7encdata(3)>, L<PKCS12_pbe_crypt(3)>,
L<PKCS12_PBE_keyivgen(3)>, L<PKCS12_SAFEBAG_create_pkcs8_encrypt(3)>
-=item -
+=item *
L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
L<PKCS5_pbkdf2_set(3)> and L<PKCS5_v2_scrypt_keyivgen(3)>
-=item -
+=item *
L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>
-=item -
+=item *
L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>
-=item -
+=item *
L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>
-=item -
+=item *
L<SMIME_write_ASN1(3)>
-=item -
+=item *
L<SSL_load_client_CA_file(3)>
-=item -
+=item *
L<SSL_CTX_new(3)>
-=item -
+=item *
L<TS_RESP_CTX_new(3)>
-=item -
+=item *
L<X509_CRL_new(3)>
-=item -
+=item *
L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>
-=item -
+=item *
L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>
-=item -
+=item *
L<X509_NAME_hash(3)>
-=item -
+=item *
L<X509_new(3)>
-=item -
+=item *
L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>
-=item -
+=item *
L<X509_STORE_CTX_new(3)>, L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
L<X509_STORE_load_locations(3)> and L<X509_STORE_load_store(3)>
@@ -773,126 +776,126 @@ Passing NULL will use the default library context.
=over 4
-=item -
+=item *
L<BIO_new_from_core_bio(3)>
-=item -
+=item *
L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>
-=item -
+=item *
L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>
-=item -
+=item *
L<EVP_default_properties_enable_fips(3)> and
L<EVP_default_properties_is_fips_enabled(3)>
-=item -
+=item *
L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>
-=item -
+=item *
L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>
-=item -
+=item *
L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>
-=item -
+=item *
L<EVP_PKEY_CTX_new_from_pkey(3)>
-=item -
+=item *
L<EVP_PKEY_Q_keygen(3)>
-=item -
+=item *
L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>
-=item -
+=item *
L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>
-=item -
+=item *
L<EVP_set_default_properties(3)>
-=item -
+=item *
L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>
-=item -
+=item *
L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>
-=item -
+=item *
L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>
-=item -
+=item *
L<OSSL_CRMF_MSG_create_popo(3)> and L<OSSL_CRMF_MSGS_verify_popo(3)>
-=item -
+=item *
L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>
-=item -
+=item *
L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>
-=item -
+=item *
L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>
-=item -
+=item *
L<OSSL_ENCODER_CTX_add_extra(3)>
-=item -
+=item *
L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>
-=item -
+=item *
L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>
-=item -
+=item *
L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
L<OSSL_PROVIDER_do_all(3)>, L<OSSL_PROVIDER_load(3)>,
L<OSSL_PROVIDER_set_default_search_path(3)> and L<OSSL_PROVIDER_try_load(3)>
-=item -
+=item *
L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>
-=item -
+=item *
L<OSSL_STORE_attach(3)>
-=item -
+=item *
L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>
-=item -
+=item *
L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
L<RAND_set_DRBG_type(3)> and L<RAND_set_seed_source_type(3)>
@@ -1076,7 +1079,7 @@ The following functions have been deprecated in 3.0.
=over 4
-=item -
+=item *
AES_bi_ige_encrypt() and AES_ige_encrypt()
@@ -1089,32 +1092,32 @@ AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
is ever used. The security implications are believed to be minimal, but
this issue was never fixed for backwards compatibility reasons.
-=item -
+=item *
AES_encrypt(), AES_decrypt(), AES_set_encrypt_key(), AES_set_decrypt_key(),
AES_cbc_encrypt(), AES_cfb128_encrypt(), AES_cfb1_encrypt(), AES_cfb8_encrypt(),
AES_ecb_encrypt(), AES_ofb128_encrypt()
-=item -
+=item *
AES_unwrap_key(), AES_wrap_key()
See L</Deprecated low-level encryption functions>
-=item -
+=item *
AES_options()
There is no replacement. It returned a string indicating if the AES code was unrolled.
-=item -
+=item *
ASN1_digest(), ASN1_sign(), ASN1_verify()
There are no replacements. These old functions are not used, and could be
disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7.
-=item -
+=item *
ASN1_STRING_length_set()
@@ -1122,7 +1125,7 @@ Use L<ASN1_STRING_set(3)> or L<ASN1_STRING_set0(3)> instead.
This was a potentially unsafe function that could change the bounds of a
previously passed in pointer.
-=item -
+=item *
BF_encrypt(), BF_decrypt(), BF_set_key(), BF_cbc_encrypt(), BF_cfb64_encrypt(),
BF_ecb_encrypt(), BF_ofb64_encrypt()
@@ -1130,32 +1133,32 @@ BF_ecb_encrypt(), BF_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The Blowfish algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
BF_options()
There is no replacement. This option returned a constant string.
-=item -
+=item *
BIO_get_callback(), BIO_set_callback(), BIO_debug_callback()
Use the respective non-deprecated _ex() functions.
-=item -
+=item *
BN_is_prime_ex(), BN_is_prime_fasttest_ex()
Use L<BN_check_prime(3)> which that avoids possible misuse and always uses at least
64 rounds of the Miller-Rabin primality test.
-=item -
+=item *
BN_pseudo_rand(), BN_pseudo_rand_range()
Use L<BN_rand(3)> and L<BN_rand_range(3)>.
-=item -
+=item *
BN_X931_derive_prime_ex(), BN_X931_generate_prime_ex(), BN_X931_generate_Xpq()
@@ -1163,7 +1166,7 @@ There are no replacements for these low-level functions. They were used internal
by RSA_X931_derive_ex() and RSA_X931_generate_key_ex() which are also deprecated.
Use L<EVP_PKEY_keygen(3)> instead.
-=item -
+=item *
Camellia_encrypt(), Camellia_decrypt(), Camellia_set_key(),
Camellia_cbc_encrypt(), Camellia_cfb128_encrypt(), Camellia_cfb1_encrypt(),
@@ -1172,7 +1175,7 @@ Camellia_ofb128_encrypt()
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
CAST_encrypt(), CAST_decrypt(), CAST_set_key(), CAST_cbc_encrypt(),
CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()
@@ -1180,20 +1183,20 @@ CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The CAST algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
CMAC_CTX_new(), CMAC_CTX_cleanup(), CMAC_CTX_copy(), CMAC_CTX_free(),
CMAC_CTX_get0_cipher_ctx()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
CMAC_Init(), CMAC_Update(), CMAC_Final(), CMAC_resume()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
CRYPTO_mem_ctrl(), CRYPTO_mem_debug_free(), CRYPTO_mem_debug_malloc(),
CRYPTO_mem_debug_pop(), CRYPTO_mem_debug_push(), CRYPTO_mem_debug_realloc(),
@@ -1203,7 +1206,7 @@ CRYPTO_set_mem_debug()
Memory-leak checking has been deprecated in favor of more modern development
tools, such as compiler memory and leak sanitizers or Valgrind.
-=item -
+=item *
d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
@@ -1217,7 +1220,7 @@ d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp()
See L</Deprecated i2d and d2i functions for low-level key types>
-=item -
+=item *
DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
@@ -1233,21 +1236,21 @@ See L</Deprecated low-level encryption functions>.
Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
"DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
DH_bits(), DH_security_bits(), DH_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
DH_check(), DH_check_ex(), DH_check_params(), DH_check_params_ex(),
DH_check_pub_key(), DH_check_pub_key_ex()
See L</Deprecated low-level validation functions>
-=item -
+=item *
DH_clear_flags(), DH_test_flags(), DH_set_flags()
@@ -1256,32 +1259,32 @@ The B<DH_FLAG_TYPE_DH> and B<DH_FLAG_TYPE_DHX> have been deprecated.
Use EVP_PKEY_is_a() to determine the type of a key.
There is no replacement for setting these flags.
-=item -
+=item *
DH_compute_key() DH_compute_key_padded()
See L</Deprecated low-level key exchange functions>.
-=item -
+=item *
DH_new(), DH_new_by_nid(), DH_free(), DH_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
DH_generate_key(), DH_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
DH_get0_pqg(), DH_get0_p(), DH_get0_q(), DH_get0_g(), DH_get0_key(),
DH_get0_priv_key(), DH_get0_pub_key(), DH_get_length(), DH_get_nid()
See L</Deprecated low-level key parameter getters>
-=item -
+=item *
DH_get_1024_160(), DH_get_2048_224(), DH_get_2048_256()
@@ -1289,13 +1292,13 @@ Applications should instead set the B<OSSL_PKEY_PARAM_GROUP_NAME> as specified i
L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
"dh_2048_256" when generating a DH key.
-=item -
+=item *
DH_KDF_X9_42()
Applications should use L<EVP_PKEY_CTX_set_dh_kdf_type(3)> instead.
-=item -
+=item *
DH_get_default_method(), DH_get0_engine(), DH_meth_*(), DH_new_method(),
DH_OpenSSL(), DH_get_ex_data(), DH_set_default_method(), DH_set_method(),
@@ -1303,39 +1306,39 @@ DH_set_ex_data()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
DHparams_print(), DHparams_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
DH_set0_key(), DH_set0_pqg(), DH_set_length()
See L</Deprecated low-level key parameter setters>
-=item -
+=item *
DSA_bits(), DSA_security_bits(), DSA_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
DHparams_dup(), DSA_dup_DH()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
DSA_generate_key(), DSA_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
DSA_get0_engine(), DSA_get_default_method(), DSA_get_ex_data(),
DSA_get_method(), DSA_meth_*(), DSA_new_method(), DSA_OpenSSL(),
@@ -1343,57 +1346,57 @@ DSA_set_default_method(), DSA_set_ex_data(), DSA_set_method()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pqg(), DSA_get0_key(),
DSA_get0_priv_key(), DSA_get0_pub_key()
See L</Deprecated low-level key parameter getters>.
-=item -
+=item *
DSA_new(), DSA_free(), DSA_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
DSAparams_dup()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
DSAparams_print(), DSAparams_print_fp(), DSA_print(), DSA_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
DSA_set0_key(), DSA_set0_pqg()
See L</Deprecated low-level key parameter setters>
-=item -
+=item *
DSA_set_flags(), DSA_clear_flags(), DSA_test_flags()
The B<DSA_FLAG_CACHE_MONT_P> flag has been deprecated without replacement.
-=item -
+=item *
DSA_sign(), DSA_do_sign(), DSA_sign_setup(), DSA_verify(), DSA_do_verify()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
ECDH_compute_key()
See L</Deprecated low-level key exchange functions>.
-=item -
+=item *
ECDH_KDF_X9_62()
@@ -1401,20 +1404,20 @@ Applications may either set this using the helper function
L<EVP_PKEY_CTX_set_ecdh_kdf_type(3)> or by setting an B<OSSL_PARAM> using the
"kdf-type" as shown in L<EVP_KEYEXCH-ECDH(7)/EXAMPLES>
-=item -
+=item *
ECDSA_sign(), ECDSA_sign_ex(), ECDSA_sign_setup(), ECDSA_do_sign(),
ECDSA_do_sign_ex(), ECDSA_verify(), ECDSA_do_verify()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
ECDSA_size()
Applications should use L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
EC_GF2m_simple_method(), EC_GFp_mont_method(), EC_GFp_nist_method(),
EC_GFp_nistp224_method(), EC_GFp_nistp256_method(), EC_GFp_nistp521_method(),
@@ -1424,20 +1427,20 @@ There are no replacements for these functions. Applications should rely on the
library automatically assigning a suitable method internally when an EC_GROUP
is constructed.
-=item -
+=item *
EC_GROUP_clear_free()
Use L<EC_GROUP_free(3)> instead.
-=item -
+=item *
EC_GROUP_get_curve_GF2m(), EC_GROUP_get_curve_GFp(), EC_GROUP_set_curve_GF2m(),
EC_GROUP_set_curve_GFp()
Applications should use L<EC_GROUP_get_curve(3)> and L<EC_GROUP_set_curve(3)>.
-=item -
+=item *
EC_GROUP_have_precompute_mult(), EC_GROUP_precompute_mult(),
EC_KEY_precompute_mult()
@@ -1445,7 +1448,7 @@ EC_KEY_precompute_mult()
These functions are not widely used. Applications should instead switch to
named curves which OpenSSL has hardcoded lookup tables for.
-=item -
+=item *
EC_GROUP_new(), EC_GROUP_method_of(), EC_POINT_method_of()
@@ -1453,19 +1456,19 @@ EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
internally without application intervention.
Users of EC_GROUP_new() should switch to a different suitable constructor.
-=item -
+=item *
EC_KEY_can_sign()
Applications should use L<EVP_PKEY_can_sign(3)> instead.
-=item -
+=item *
EC_KEY_check_key()
See L</Deprecated low-level validation functions>
-=item -
+=item *
EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()
@@ -1476,33 +1479,33 @@ B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH> and
B<OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC>.
See also L<EVP_PKEY-EC(7)/EXAMPLES>
-=item -
+=item *
EC_KEY_dup(), EC_KEY_copy()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
EC_KEY_decoded_from_explicit_params()
There is no replacement.
-=item -
+=item *
EC_KEY_generate_key()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
EC_KEY_get0_group(), EC_KEY_get0_private_key(), EC_KEY_get0_public_key(),
EC_KEY_get_conv_form(), EC_KEY_get_enc_flags()
See L</Deprecated low-level key parameter getters>.
-=item -
+=item *
EC_KEY_get0_engine(), EC_KEY_get_default_method(), EC_KEY_get_method(),
EC_KEY_new_method(), EC_KEY_get_ex_data(), EC_KEY_OpenSSL(),
@@ -1511,60 +1514,60 @@ EC_KEY_set_method()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
EC_METHOD_get_field_type()
Use L<EC_GROUP_get_field_type(3)> instead.
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
EC_KEY_key2buf(), EC_KEY_oct2key(), EC_KEY_oct2priv(), EC_KEY_priv2buf(),
EC_KEY_priv2oct()
There are no replacements for these.
-=item -
+=item *
EC_KEY_new(), EC_KEY_new_by_curve_name(), EC_KEY_free(), EC_KEY_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
EC_KEY_print(), EC_KEY_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
EC_KEY_set_asn1_flag(), EC_KEY_set_conv_form(), EC_KEY_set_enc_flags()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
EC_KEY_set_group(), EC_KEY_set_private_key(), EC_KEY_set_public_key(),
EC_KEY_set_public_key_affine_coordinates()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
ECParameters_print(), ECParameters_print_fp(), ECPKParameters_print(),
ECPKParameters_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
EC_POINT_bn2point(), EC_POINT_point2bn()
These functions were not particularly useful, since EC point serialization
formats are not individual big-endian integers.
-=item -
+=item *
EC_POINT_get_affine_coordinates_GF2m(), EC_POINT_get_affine_coordinates_GFp(),
EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp()
@@ -1572,7 +1575,7 @@ EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp()
Applications should use L<EC_POINT_get_affine_coordinates(3)> and
L<EC_POINT_set_affine_coordinates(3)> instead.
-=item -
+=item *
EC_POINT_get_Jprojective_coordinates_GFp(), EC_POINT_set_Jprojective_coordinates_GFp()
@@ -1580,41 +1583,41 @@ These functions are not widely used. Applications should instead use the
L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)>
functions.
-=item -
+=item *
EC_POINT_make_affine(), EC_POINTs_make_affine()
There is no replacement. These functions were not widely used, and OpenSSL
automatically performs this conversion when needed.
-=item -
+=item *
EC_POINT_set_compressed_coordinates_GF2m(), EC_POINT_set_compressed_coordinates_GFp()
Applications should use L<EC_POINT_set_compressed_coordinates(3)> instead.
-=item -
+=item *
EC_POINTs_mul()
This function is not widely used. Applications should instead use the
L<EC_POINT_mul(3)> function.
-=item -
+=item *
B<ENGINE_*()>
All engine functions are deprecated. An engine should be rewritten as a provider.
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
B<ERR_load_*()>, ERR_func_error_string(), ERR_get_error_line(),
ERR_get_error_line_data(), ERR_get_state()
OpenSSL now loads error strings automatically so these functions are not needed.
-=item -
+=item *
ERR_peek_error_line_data(), ERR_peek_last_error_line_data()
@@ -1625,7 +1628,7 @@ Applications should use L<ERR_get_error_all(3)>, or pick information
with ERR_peek functions and finish off with getting the error code by using
L<ERR_get_error(3)>.
-=item -
+=item *
EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_iv_noconst(), EVP_CIPHER_CTX_original_iv()
@@ -1634,14 +1637,14 @@ L<EVP_CIPHER_CTX_get_updated_iv(3)> and L<EVP_CIPHER_CTX_get_original_iv(3)>
respectively.
See L<EVP_CIPHER_CTX_get_original_iv(3)> for further information.
-=item -
+=item *
B<EVP_CIPHER_meth_*()>, EVP_MD_CTX_set_update_fn(), EVP_MD_CTX_update_fn(),
B<EVP_MD_meth_*()>
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_CTRL_PKCS7_ENCRYPT(), EVP_PKEY_CTRL_PKCS7_DECRYPT(),
EVP_PKEY_CTRL_PKCS7_SIGN(), EVP_PKEY_CTRL_CMS_ENCRYPT(),
@@ -1651,7 +1654,7 @@ These control operations are not invoked by the OpenSSL library anymore and
are replaced by direct checks of the key operation against the key type
when the operation is initialized.
-=item -
+=item *
EVP_PKEY_CTX_get0_dh_kdf_ukm(), EVP_PKEY_CTX_get0_ecdh_kdf_ukm()
@@ -1659,33 +1662,33 @@ See the "kdf-ukm" item in L<EVP_KEYEXCH-DH(7)/DH key exchange parameters> and
L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>.
These functions are obsolete and should not be required.
-=item -
+=item *
EVP_PKEY_CTX_set_rsa_keygen_pubexp()
Applications should use L<EVP_PKEY_CTX_set1_rsa_keygen_pubexp(3)> instead.
-=item -
+=item *
EVP_PKEY_cmp(), EVP_PKEY_cmp_parameters()
Applications should use L<EVP_PKEY_eq(3)> and L<EVP_PKEY_parameters_eq(3)> instead.
See L<EVP_PKEY_copy_parameters(3)> for further details.
-=item -
+=item *
EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(),
Applications should use L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)> or
L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)> instead.
-=item -
+=item *
EVP_PKEY_get0()
This function returns NULL if the key comes from a provider.
-=item -
+=item *
EVP_PKEY_get0_DH(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_RSA(),
EVP_PKEY_get1_DH(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_EC_KEY and EVP_PKEY_get1_RSA(),
@@ -1693,26 +1696,26 @@ EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305(), EVP_PKEY_get0_siphash()
See L</Functions that return an internal key should be treated as read only>.
-=item -
+=item *
B<EVP_PKEY_meth_*()>
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_new_CMAC_key()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
EVP_PKEY_assign(), EVP_PKEY_set1_DH(), EVP_PKEY_set1_DSA(),
EVP_PKEY_set1_EC_KEY(), EVP_PKEY_set1_RSA()
See L</Deprecated low-level key object getters and setters>
-=item -
+=item *
EVP_PKEY_set1_tls_encodedpoint() EVP_PKEY_get1_tls_encodedpoint()
@@ -1723,40 +1726,40 @@ L<EVP_PKEY_get1_encoded_public_key(3)>.
The old versions have been converted to deprecated macros that just call the
new functions.
-=item -
+=item *
EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_set_alias_type()
This function has been removed. There is no replacement.
See L</EVP_PKEY_set_alias_type() method has been removed>
-=item -
+=item *
HMAC_Init_ex(), HMAC_Update(), HMAC_Final(), HMAC_size()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
HMAC_CTX_new(), HMAC_CTX_free(), HMAC_CTX_copy(), HMAC_CTX_reset(),
HMAC_CTX_set_flags(), HMAC_CTX_get_md()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
i2d_DHparams(), i2d_DHxparams()
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
i2d_DSAparams(), i2d_DSAPrivateKey(), i2d_DSAPrivateKey_bio(),
i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(),
@@ -1765,7 +1768,7 @@ i2d_DSA_PUBKEY_fp(), i2d_DSAPublicKey()
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(),
i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(),
@@ -1774,7 +1777,7 @@ i2d_EC_PUBKEY_fp(), i2o_ECPublicKey()
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(),
i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(),
@@ -1783,7 +1786,7 @@ i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp()
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
IDEA_encrypt(), IDEA_set_decrypt_key(), IDEA_set_encrypt_key(),
IDEA_cbc_encrypt(), IDEA_cfb64_encrypt(), IDEA_ecb_encrypt(),
@@ -1792,59 +1795,59 @@ IDEA_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
IDEA has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
IDEA_options()
There is no replacement. This function returned a constant string.
-=item -
+=item *
MD2(), MD2_Init(), MD2_Update(), MD2_Final()
See L</Deprecated low-level encryption functions>.
MD2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
MD2_options()
There is no replacement. This function returned a constant string.
-=item -
+=item *
MD4(), MD4_Init(), MD4_Update(), MD4_Final(), MD4_Transform()
See L</Deprecated low-level encryption functions>.
MD4 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
MDC2(), MDC2_Init(), MDC2_Update(), MDC2_Final()
See L</Deprecated low-level encryption functions>.
MDC2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
MD5(), MD5_Init(), MD5_Update(), MD5_Final(), MD5_Transform()
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
NCONF_WIN32()
This undocumented function has no replacement.
See L<config(5)/HISTORY> for more details.
-=item -
+=item *
OCSP_parse_url()
Use L<OSSL_HTTP_parse_url(3)> instead.
-=item -
+=item *
B<OCSP_REQ_CTX> type and B<OCSP_REQ_CTX_*()> functions
@@ -1854,14 +1857,14 @@ type is B<OSSL_HTTP_REQ_CTX>, and the deprecated functions are replaced
with B<OSSL_HTTP_REQ_CTX_*()>. See L<OSSL_HTTP_REQ_CTX(3)> for additional
details.
-=item -
+=item *
OPENSSL_fork_child(), OPENSSL_fork_parent(), OPENSSL_fork_prepare()
There is no replacement for these functions. These pthread fork support methods
were unused by OpenSSL.
-=item -
+=item *
OSSL_STORE_ctrl(), OSSL_STORE_do_all_loaders(), OSSL_STORE_LOADER_get0_engine(),
OSSL_STORE_LOADER_get0_scheme(), OSSL_STORE_LOADER_new(),
@@ -1877,7 +1880,7 @@ These functions helped applications and engines create loaders for
schemes they supported. These are all deprecated and discouraged in favour of
provider implementations, see L<provider-storemgmt(7)>.
-=item -
+=item *
PEM_read_DHparams(), PEM_read_bio_DHparams(),
PEM_read_DSAparams(), PEM_read_bio_DSAparams(),
@@ -1898,13 +1901,13 @@ PEM_write_bio_RSAPublicKey(),
See L</Deprecated low-level key reading and writing functions>
-=item -
+=item *
PKCS1_MGF1()
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
RAND_get_rand_method(), RAND_set_rand_method(), RAND_OpenSSL(),
RAND_set_rand_engine()
@@ -1913,7 +1916,7 @@ Applications should instead use L<RAND_set_DRBG_type(3)>,
L<EVP_RAND(3)> and L<EVP_RAND(7)>.
See L<RAND_set_rand_method(3)> for more details.
-=item -
+=item *
RC2_encrypt(), RC2_decrypt(), RC2_set_key(), RC2_cbc_encrypt(), RC2_cfb64_encrypt(),
RC2_ecb_encrypt(), RC2_ofb64_encrypt(),
@@ -1924,7 +1927,7 @@ RC5_32_cfb64_encrypt(), RC5_32_ecb_encrypt(), RC5_32_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The Algorithms "RC2", "RC4" and "RC5" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update(), RIPEMD160_Final(),
RIPEMD160_Transform()
@@ -1932,20 +1935,20 @@ RIPEMD160_Transform()
See L</Deprecated low-level digest functions>.
The RIPE algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
RSA_bits(), RSA_security_bits(), RSA_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
RSA_check_key(), RSA_check_key_ex()
See L</Deprecated low-level validation functions>
-=item -
+=item *
RSA_clear_flags(), RSA_flags(), RSA_set_flags(), RSA_test_flags(),
RSA_setup_blinding(), RSA_blinding_off(), RSA_blinding_on()
@@ -1956,19 +1959,19 @@ B<RSA_FLAG_BLINDING>, B<RSA_FLAG_CACHE_PRIVATE>, B<RSA_FLAG_CACHE_PUBLIC>,
B<RSA_FLAG_EXT_PKEY>, B<RSA_FLAG_NO_BLINDING>, B<RSA_FLAG_THREAD_SAFE>
B<RSA_METHOD_FLAG_NO_CHECK>
-=item -
+=item *
RSA_generate_key_ex(), RSA_generate_multi_prime_key()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
RSA_get0_engine()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
RSA_get0_crt_params(), RSA_get0_d(), RSA_get0_dmp1(), RSA_get0_dmq1(),
RSA_get0_e(), RSA_get0_factors(), RSA_get0_iqmp(), RSA_get0_key(),
@@ -1978,82 +1981,82 @@ RSA_get_multi_prime_extra_count()
See L</Deprecated low-level key parameter getters>
-=item -
+=item *
RSA_new(), RSA_free(), RSA_up_ref()
See L</Deprecated low-level object creation>.
-=item -
+=item *
RSA_get_default_method(), RSA_get_ex_data and RSA_get_method()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
RSA_get_version()
There is no replacement.
-=item -
+=item *
B<RSA_meth_*()>, RSA_new_method(), RSA_null_method and RSA_PKCS1_OpenSSL()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
B<RSA_padding_add_*()>, B<RSA_padding_check_*()>
See L</Deprecated low-level signing functions> and
L</Deprecated low-level encryption functions>.
-=item -
+=item *
RSA_print(), RSA_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
RSA_public_encrypt(), RSA_private_decrypt()
See L</Deprecated low-level encryption functions>
-=item -
+=item *
RSA_private_encrypt(), RSA_public_decrypt()
This is equivalent to doing sign and verify recover operations (with a padding
mode of none). See L</Deprecated low-level signing functions>.
-=item -
+=item *
RSAPrivateKey_dup(), RSAPublicKey_dup()
There is no direct replacement. Applications may use L<EVP_PKEY_dup(3)>.
-=item -
+=item *
RSAPublicKey_it(), RSAPrivateKey_it()
See L</Deprecated low-level key reading and writing functions>
-=item -
+=item *
RSA_set0_crt_params(), RSA_set0_factors(), RSA_set0_key(),
RSA_set0_multi_prime_params()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
RSA_set_default_method(), RSA_set_method(), RSA_set_ex_data()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
RSA_sign(), RSA_sign_ASN1_OCTET_STRING(), RSA_verify(),
RSA_verify_ASN1_OCTET_STRING(), RSA_verify_PKCS1_PSS(),
@@ -2061,7 +2064,7 @@ RSA_verify_PKCS1_PSS_mgf1()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
RSA_X931_derive_ex(), RSA_X931_generate_key_ex(), RSA_X931_hash_id()
@@ -2069,7 +2072,7 @@ There are no replacements for these functions.
X931 padding can be set using L<EVP_SIGNATURE-RSA(7)/Signature Parameters>.
See B<OSSL_SIGNATURE_PARAM_PAD_MODE>.
-=item -
+=item *
SEED_encrypt(), SEED_decrypt(), SEED_set_key(), SEED_cbc_encrypt(),
SEED_cfb128_encrypt(), SEED_ecb_encrypt(), SEED_ofb128_encrypt()
@@ -2077,7 +2080,7 @@ SEED_cfb128_encrypt(), SEED_ecb_encrypt(), SEED_ofb128_encrypt()
See L</Deprecated low-level encryption functions>.
The SEED algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
SHA1_Init(), SHA1_Update(), SHA1_Final(), SHA1_Transform(),
SHA224_Init(), SHA224_Update(), SHA224_Final(),
@@ -2087,7 +2090,7 @@ SHA512_Init(), SHA512_Update(), SHA512_Final(), SHA512_Transform()
See L</Deprecated low-level digest functions>.
-=item -
+=item *
SRP_Calc_A(), SRP_Calc_B(), SRP_Calc_client_key(), SRP_Calc_server_key(),
SRP_Calc_u(), SRP_Calc_x(), SRP_check_known_gN_param(), SRP_create_verifier(),
@@ -2098,7 +2101,7 @@ SRP_VBASE_new(), SRP_Verify_A_mod_N(), SRP_Verify_B_mod_N()
There are no replacements for the SRP functions.
-=item -
+=item *
SSL_CTX_set_tmp_dh_callback(), SSL_set_tmp_dh_callback(),
SSL_CTX_set_tmp_dh(), SSL_set_tmp_dh()
@@ -2114,13 +2117,13 @@ parameters for export and non-export ciphersuites. Export ciphersuites are no
longer supported by OpenSSL. Use of the callback functions should be replaced
by one of the other methods described above.
-=item -
+=item *
SSL_CTX_set_tlsext_ticket_key_cb()
Use the new L<SSL_CTX_set_tlsext_ticket_key_evp_cb(3)> function instead.
-=item -
+=item *
WHIRLPOOL(), WHIRLPOOL_Init(), WHIRLPOOL_Update(), WHIRLPOOL_Final(),
WHIRLPOOL_BitUpdate()
@@ -2128,14 +2131,14 @@ WHIRLPOOL_BitUpdate()
See L</Deprecated low-level digest functions>.
The Whirlpool algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
X509_certificate_type()
This was an undocumented function. Applications can use L<X509_get0_pubkey(3)>
and L<X509_get0_signature(3)> instead.
-=item -
+=item *
X509_http_nbio(), X509_CRL_http_nbio()
@@ -2214,13 +2217,13 @@ now in maintenance mode and no new features will be added to them.
=over 4
-=item -
+=item *
TLS 1.3 FFDHE key exchange support added
This uses DH safe prime named groups.
-=item -
+=item *
Support for fully "pluggable" TLSv1.3 groups.
@@ -2228,7 +2231,7 @@ This means that providers may supply their own group implementations (using
either the "key exchange" or the "key encapsulation" methods) which will
automatically be detected and used by libssl.
-=item -
+=item *
SSL and SSL_CTX options are now 64 bit instead of 32 bit.
@@ -2242,13 +2245,13 @@ However it is still possible to test whether these macros are defined or not.
See L<SSL_CTX_get_options(3)>, L<SSL_CTX_set_options(3)>,
L<SSL_get_options(3)> and L<SSL_set_options(3)>.
-=item -
+=item *
SSL_set1_host() and SSL_add1_host() Changes
These functions now take IP literal addresses as well as actual hostnames.
-=item -
+=item *
Added SSL option SSL_OP_CLEANSE_PLAINTEXT
@@ -2257,7 +2260,7 @@ internal buffers after delivering them to the application. Note,
the application is still responsible for cleansing other copies
(e.g.: data received by L<SSL_read(3)>).
-=item -
+=item *
Client-initiated renegotiation is disabled by default.
@@ -2265,7 +2268,7 @@ To allow it, use the B<-client_renegotiation> option,
the B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION> flag, or the C<ClientRenegotiation>
config parameter as appropriate.
-=item -
+=item *
Secure renegotiation is now required by default for TLS connections
@@ -2275,7 +2278,7 @@ to connect to legacy peers will need to explicitly set
SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
is no longer set as part of SSL_OP_ALL.
-=item -
+=item *
Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
@@ -2287,13 +2290,13 @@ TLS connections in such a build without also disabling TLSv1.3 at run time or
using third party provider groups may result in handshake failures. TLSv1.3
can be disabled at compile time using the "no-tls1_3" Configure option.
-=item -
+=item *
SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() changes.
The methods now ignore unknown ciphers.
-=item -
+=item *
Security callback change.
@@ -2306,7 +2309,7 @@ according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
-=item -
+=item *
New SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
@@ -2314,21 +2317,21 @@ The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
is set, an unexpected EOF is ignored, it pretends a close notify was received
instead and so the returned error becomes SSL_ERROR_ZERO_RETURN.
-=item -
+=item *
The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
working at the default security level of 1 and instead requires security
level 0. The security level can be changed either using the cipher string
-with `C<@SECLEVEL>, or calling L<SSL_CTX_set_security_level(3)>. This also means
+with C<@SECLEVEL>, or calling L<SSL_CTX_set_security_level(3)>. This also means
that where the signature algorithms extension is missing from a ClientHello
then the handshake will fail in TLS 1.2 at security level 1. This is because,
although this extension is optional, failing to provide one means that
OpenSSL will fallback to a default set of signature algorithms. This default
set requires the availability of SHA1.
-=item -
+=item *
X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
diff --git a/doc/man7/passphrase-encoding.pod b/doc/man7/passphrase-encoding.pod
index aabf9a5a9f..ed580fecac 100644
--- a/doc/man7/passphrase-encoding.pod
+++ b/doc/man7/passphrase-encoding.pod
@@ -105,7 +105,7 @@ Also note that the sub-sections below discuss human readable pass phrases.
This is particularly relevant for PKCS#12 objects, where human readable pass
phrases are assumed.
For other objects, it's as legitimate to use any byte sequence (such as a
-sequence of bytes from `/dev/urandom` that's been saved away), which makes any
+sequence of bytes from F</dev/urandom> that's been saved away), which makes any
character encoding discussion irrelevant; in such cases, simply use the same
byte sequence as it is.
diff --git a/util/perl/OpenSSL/Template.pm b/util/perl/OpenSSL/Template.pm
index 926a6ea5e0..7411dd8ae8 100644
--- a/util/perl/OpenSSL/Template.pm
+++ b/util/perl/OpenSSL/Template.pm
@@ -22,12 +22,12 @@ following additions:
=over 4
-=item -
+=item *
The template perl code delimiters (given with the C<DELIMITER> option)
are set to C<{-> and C<-}> by default.
-=item -
+=item *
A few extra functions are offered to be used by the template perl code, see
L</Functions>.
More information about the openssl-commits
mailing list