From: Tomas Mraz Date: Thu, 4 Feb 2021 17:40:33 +0000 (+0100) Subject: CHANGES.md: Mention RSA key generation slowdown related changes X-Git-Tag: openssl-3.0.0-alpha12~99 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93b39c85c9bbf4b40d3cc2486a0ecac50422b2f3;p=thirdparty%2Fopenssl.git CHANGES.md: Mention RSA key generation slowdown related changes Fixes #14068 Reviewed-by: Kurt Roeckx Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14073) --- diff --git a/CHANGES.md b/CHANGES.md index 318cce84fc1..380cd078868 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -52,7 +52,23 @@ OpenSSL 3.0 *Tomáš Mráz* - * Deprecate EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + * The default key generation method for the regular 2-prime RSA keys was + changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with + Conditions Based on Auxiliary Probable Primes). This method is slower + than the original method. + + *Shane Lontis* + + * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. + They are replaced with the BN_check_prime() function that avoids possible + misuse and always uses at least 64 rounds of the Miller-Rabin + primality test. At least 64 rounds of the Miller-Rabin test are now also + used for all prime generation, including RSA key generation. + This increases key generation time, especially for larger keys. + + *Kurt Roeckx* + + * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() as they are not useful with non-deprecated functions. *Rich Salz* diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod index 6b2ca3baab6..288969c5251 100644 --- a/doc/man3/BN_generate_prime.pod +++ b/doc/man3/BN_generate_prime.pod @@ -233,6 +233,9 @@ L =head1 HISTORY +The BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions were +deprecated in OpenSSL 3.0. + The BN_GENCB_new(), BN_GENCB_free(), and BN_GENCB_get_arg() functions were added in OpenSSL 1.1.0.
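Review bot: In the CHANGES.md hunk, both new entries tell the reader that key generation got slower ("This method is slower than the original method", "This increases key generation time, especially for larger keys") but neither says whether the previous behaviour can still be selected. An operator who notices the slowdown will look for exactly that, so each entry should either name the way to get the old behaviour or say plainly that there is none. The second entry also states the 64-round minimum twice in consecutive sentences; the two could be merged into one sentence that covers BN_check_prime() and all prime generation. The change of "Deprecate" to "Deprecated" in the EVP_MD_CTX_set_update_fn() entry is a reasonable tense fix but is unrelated to the subject line, so it deserves a word in the commit message.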
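Review bot: In the doc/man3/BN_generate_prime.pod hunk, the added HISTORY sentence records that BN_is_prime_ex() and BN_is_prime_fasttest_ex() were deprecated in OpenSSL 3.0 but does not name the replacement, whereas the CHANGES.md entry in the same patch does (BN_check_prime()). Readers arriving at the man page from a deprecation warning will not have CHANGES.md open, so consider extending the sentence to point at BN_check_prime(), unless another part of the page outside this hunk already does.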