### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Add ".pragma abspath:true" to prevent relative file inclusion in
+ config files.
+
+ * Rich Salz *
+
* OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
validated. The module is implemented as an OpenSSL provider, the so-called
FIPS provider. A list of all changes related to the FIPS provider would go
*Shane Lontis*
+ * Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX`
+ and (where relevant) a property query. Other APIs which handle PKCS#7 and
+ PKCS#8 objects have also been enhanced where required. This includes:
+
+ PKCS12_add_key_ex(), PKCS12_add_safe_ex(), PKCS12_add_safes_ex(),
+ PKCS12_create_ex(), PKCS12_decrypt_skey_ex(), PKCS12_init_ex(),
+ PKCS12_item_decrypt_d2i_ex(), PKCS12_item_i2d_encrypt_ex(),
+ PKCS12_key_gen_asc_ex(), PKCS12_key_gen_uni_ex(), PKCS12_key_gen_utf8_ex(),
+ PKCS12_pack_p7encdata_ex(), PKCS12_pbe_crypt_ex(), PKCS12_PBE_keyivgen_ex(),
+ PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(), PKCS5_pbe2_set_iv_ex(),
+ PKCS5_pbe_set0_algor_ex(), PKCS5_pbe_set_ex(), PKCS5_pbkdf2_set_ex(),
+ PKCS5_v2_PBE_keyivgen_ex(), PKCS5_v2_scrypt_keyivgen_ex(),
+ PKCS8_decrypt_ex(), PKCS8_encrypt_ex(), PKCS8_set0_pbe_ex().
+
+ As part of this change the EVP_PBE_xxx APIs can also accept a library
+ context and property query and will call an extended version of the key/IV
+ derivation function which supports these parameters. This includes
+ EVP_PBE_CipherInit_ex(), EVP_PBE_find_ex() and EVP_PBE_scrypt_ex().
+
+ *Jon Spillett*
+
* The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
*Matt Caswell*
*Boris Pismenny, John Baldwin and Andrew Gallatin*
+ * The signature of the `copy` functional parameter of the
+ EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
+ now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
+ the signature of the `pub_decode` functional parameter of the
+ EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
+ now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
+
+ *David von Oheimb*
+
* The error return values from some control calls (ctrl) have changed.
One significant change is that controls which used to return -2 for
invalid inputs, now return -1 indicating a generic error condition instead.
* Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
- OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
+ OCSP_REQ_CTX_i2d() and its special form OCSP_REQ_CTX_set1_req(),
+ OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These
were used to collect all necessary data to form a HTTP request, and to
perform the HTTP transfer with that request. With OpenSSL 3.0, the
type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced
with OSSL_HTTP_REQ_CTX_new(), OSSL_HTTP_REQ_CTX_free(),
OSSL_HTTP_REQ_CTX_set_request_line(), OSSL_HTTP_REQ_CTX_add1_header(),
- OSSL_HTTP_REQ_CTX_set1_req(), OSSL_HTTP_REQ_CTX_nbio(),
+ OSSL_HTTP_REQ_CTX_i2d(), OSSL_HTTP_REQ_CTX_nbio(),
OSSL_HTTP_REQ_CTX_sendreq_d2i(), OSSL_HTTP_REQ_CTX_get0_mem_bio() and
OSSL_HTTP_REQ_CTX_set_max_response_length().