From: Beat Bolli Date: Fri, 30 Jul 2021 16:39:51 +0000 (+0200) Subject: doc: use the documented =item markers X-Git-Tag: openssl-3.0.0~167 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2fc02378ffcd9a266077eeea224890c534b7aaef;p=thirdparty%2Fopenssl.git doc: use the documented =item markers The generated lists[1] look weird when using a dash as the list item character. Perlpod documents[2] '*' for unordered lists and '1.' (note the period) for ordered lists. Use these characters instead. [1] e.g. https://www.openssl.org/docs/manmaster/man7/migration_guide.html#New-Algorithms [2] https://perldoc.perl.org/perlpod Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16190) --- diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index c634ccae15b..70daa986b80 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -274,50 +274,50 @@ among others, the following certificate well-formedness conditions are checked: =over 4 -=item - +=item * The basicConstraints of CA certificates must be marked critical. -=item - +=item * CA certificates must explicitly include the keyUsage extension. -=item - +=item * If a pathlenConstraint is given the key usage keyCertSign must be allowed. -=item - +=item * The pathlenConstraint must not be given for non-CA certificates. -=item - +=item * The issuer name of any certificate must not be empty. -=item - +=item * The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty. -=item - +=item * If a subjectAlternativeName extension is given it must not be empty. -=item - +=item * The signatureAlgorithm field and the cert signature must be consistent. -=item - +=item * Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical. -=item - +=item * The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed. -=item - +=item * The subjectKeyIdentifier must be given for all X.509v3 CA certs. diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index b47ed279f60..e374651fa57 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -22,15 +22,15 @@ legacy APIs or features that avoid the FIPS module. Specifically this includes: =over 4 -=item - +=item * Low level cryptographic APIs (use the high level APIs, such as EVP, instead) -=item - +=item * Engines -=item - +=item * Any functions that create or modify custom "METHODS" (for example EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(), @@ -110,21 +110,21 @@ some disadvantages to this approach: =over 4 -=item - +=item * You may not want all applications to use the FIPS module. It may be the case that some applications should and some should not use the FIPS module. -=item - +=item * If applications take explicit steps to not load the default config file or set different settings. This method will not work for these cases. -=item - +=item * The algorithms available in the FIPS module are a subset of the algorithms that are available in the default OpenSSL Provider. @@ -132,7 +132,7 @@ that are available in the default OpenSSL Provider. If any applications attempt to use any algorithms that are not present, then they will fail. -=item - +=item * Usage of certain deprecated APIs avoids the use of the FIPS module. diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 8cc9bd5fc86..8f1fd1b1ade 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -184,31 +184,31 @@ the B option. =over 4 -=item - +=item * KDF algorithms "SINGLE STEP" and "SSH" See L and L -=item - +=item * MAC Algorithms "GMAC" and "KMAC" See L and L. -=item - +=item * KEM Algorithm "RSASVE" See L. -=item - +=item * Cipher Algorithm "AES-SIV" See L. -=item - +=item * AES Key Wrap inverse ciphers supported by EVP layer. @@ -217,7 +217,9 @@ unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV". -=item AES CTS cipher added to EVP layer. +=item * + +AES CTS cipher added to EVP layer. The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS". CS1, CS2 and CS3 variants are supported. @@ -228,15 +230,15 @@ CS1, CS2 and CS3 variants are supported. =over 4 -=item - +=item * Added CAdES-BES signature verification support. -=item - +=item * Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API. -=item - +=item * Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM @@ -244,7 +246,7 @@ This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax. Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode. -=item - +=item * L and L were made public. @@ -453,15 +455,15 @@ application. If this happens you have 3 options: =over 4 -=item 1) +=item 1. Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL. -=item 2) +=item 2. Suppress the warnings. Refer to your compiler documentation on how to do this. -=item 3) +=item 3. Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead @@ -475,7 +477,7 @@ L, the main things to be aware of are: =over 4 -=item 1) +=item 1. The build and installation procedure has changed significantly. @@ -483,7 +485,7 @@ Check the file INSTALL.md in the top of the installation for instructions on how to build and install OpenSSL for your platform. Also read the various NOTES files in the same directory, as applicable for your platform. -=item 2) +=item 2. Many structures have been made opaque in OpenSSL 3.0. @@ -501,7 +503,8 @@ For example code that previously looked like this: /* This line will now generate compiler errors */ EVP_MD_CTX_init(&md_ctx); - The code needs to be amended to look like this: +The code needs to be amended to look like this: + EVP_MD_CTX *md_ctx; md_ctx = EVP_MD_CTX_new(); @@ -509,7 +512,7 @@ For example code that previously looked like this: ... EVP_MD_CTX_free(md_ctx); -=item 3) +=item 3. Support for TLSv1.3 has been added. @@ -582,119 +585,119 @@ mappings are listed along with the respective name. =over 4 -=item - +=item * L, L, L, L, L and L -=item - +=item * L -=item - +=item * b2i_RSA_PVK_bio() and i2b_PVK_bio() -=item - +=item * L and L -=item - +=item * L, L, L, L, L, L, L, L and L -=item - +=item * L -=item - +=item * L, L and L -=item - +=item * L -=item - +=item * L, L and L -=item - +=item * L and L Use L and L -=item - +=item * L Use L or L. -=item - +=item * L and L -=item - +=item * L, L and L -=item - +=item * L -=item - +=item * L -=item - +=item * L Use L -=item - +=item * L, L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L -=item - +=item * L, L, L, L and L -=item - +=item * L, L, L and L -=item - +=item * L and L -=item - +=item * L, L, L, L, L, L, L, @@ -702,64 +705,64 @@ L, L, L, L, L, L, L -=item - +=item * L, L, L, L and L -=item - +=item * L, L and L -=item - +=item * L, L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L -=item - +=item * L -=item - +=item * L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L, L, L, L and L @@ -773,126 +776,126 @@ Passing NULL will use the default library context. =over 4 -=item - +=item * L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L, L and L -=item - +=item * L, L, L, L, L and L -=item - +=item * L and L -=item - +=item * L -=item - +=item * L and L -=item - +=item * L, L, L, L and L @@ -1076,7 +1079,7 @@ The following functions have been deprecated in 3.0. =over 4 -=item - +=item * AES_bi_ige_encrypt() and AES_ige_encrypt() @@ -1089,32 +1092,32 @@ AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but this issue was never fixed for backwards compatibility reasons. -=item - +=item * AES_encrypt(), AES_decrypt(), AES_set_encrypt_key(), AES_set_decrypt_key(), AES_cbc_encrypt(), AES_cfb128_encrypt(), AES_cfb1_encrypt(), AES_cfb8_encrypt(), AES_ecb_encrypt(), AES_ofb128_encrypt() -=item - +=item * AES_unwrap_key(), AES_wrap_key() See L -=item - +=item * AES_options() There is no replacement. It returned a string indicating if the AES code was unrolled. -=item - +=item * ASN1_digest(), ASN1_sign(), ASN1_verify() There are no replacements. These old functions are not used, and could be disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7. -=item - +=item * ASN1_STRING_length_set() @@ -1122,7 +1125,7 @@ Use L or L instead. This was a potentially unsafe function that could change the bounds of a previously passed in pointer. -=item - +=item * BF_encrypt(), BF_decrypt(), BF_set_key(), BF_cbc_encrypt(), BF_cfb64_encrypt(), BF_ecb_encrypt(), BF_ofb64_encrypt() @@ -1130,32 +1133,32 @@ BF_ecb_encrypt(), BF_ofb64_encrypt() See L. The Blowfish algorithm has been moved to the L. -=item - +=item * BF_options() There is no replacement. This option returned a constant string. -=item - +=item * BIO_get_callback(), BIO_set_callback(), BIO_debug_callback() Use the respective non-deprecated _ex() functions. -=item - +=item * BN_is_prime_ex(), BN_is_prime_fasttest_ex() Use L which that avoids possible misuse and always uses at least 64 rounds of the Miller-Rabin primality test. -=item - +=item * BN_pseudo_rand(), BN_pseudo_rand_range() Use L and L. -=item - +=item * BN_X931_derive_prime_ex(), BN_X931_generate_prime_ex(), BN_X931_generate_Xpq() @@ -1163,7 +1166,7 @@ There are no replacements for these low-level functions. They were used internal by RSA_X931_derive_ex() and RSA_X931_generate_key_ex() which are also deprecated. Use L instead. -=item - +=item * Camellia_encrypt(), Camellia_decrypt(), Camellia_set_key(), Camellia_cbc_encrypt(), Camellia_cfb128_encrypt(), Camellia_cfb1_encrypt(), @@ -1172,7 +1175,7 @@ Camellia_ofb128_encrypt() See L. -=item - +=item * CAST_encrypt(), CAST_decrypt(), CAST_set_key(), CAST_cbc_encrypt(), CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt() @@ -1180,20 +1183,20 @@ CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt() See L. The CAST algorithm has been moved to the L. -=item - +=item * CMAC_CTX_new(), CMAC_CTX_cleanup(), CMAC_CTX_copy(), CMAC_CTX_free(), CMAC_CTX_get0_cipher_ctx() See L. -=item - +=item * CMAC_Init(), CMAC_Update(), CMAC_Final(), CMAC_resume() See L. -=item - +=item * CRYPTO_mem_ctrl(), CRYPTO_mem_debug_free(), CRYPTO_mem_debug_malloc(), CRYPTO_mem_debug_pop(), CRYPTO_mem_debug_push(), CRYPTO_mem_debug_realloc(), @@ -1203,7 +1206,7 @@ CRYPTO_set_mem_debug() Memory-leak checking has been deprecated in favor of more modern development tools, such as compiler memory and leak sanitizers or Valgrind. -=item - +=item * d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(), d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(), @@ -1217,7 +1220,7 @@ d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp() See L -=item - +=item * DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(), DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(), @@ -1233,21 +1236,21 @@ See L. Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB", "DES-CFB1" and "DES-CFB8" have been moved to the L. -=item - +=item * DH_bits(), DH_security_bits(), DH_size() Use L, L and L. -=item - +=item * DH_check(), DH_check_ex(), DH_check_params(), DH_check_params_ex(), DH_check_pub_key(), DH_check_pub_key_ex() See L -=item - +=item * DH_clear_flags(), DH_test_flags(), DH_set_flags() @@ -1256,32 +1259,32 @@ The B and B have been deprecated. Use EVP_PKEY_is_a() to determine the type of a key. There is no replacement for setting these flags. -=item - +=item * DH_compute_key() DH_compute_key_padded() See L. -=item - +=item * DH_new(), DH_new_by_nid(), DH_free(), DH_up_ref() See L -=item - +=item * DH_generate_key(), DH_generate_parameters_ex() See L. -=item - +=item * DH_get0_pqg(), DH_get0_p(), DH_get0_q(), DH_get0_g(), DH_get0_key(), DH_get0_priv_key(), DH_get0_pub_key(), DH_get_length(), DH_get_nid() See L -=item - +=item * DH_get_1024_160(), DH_get_2048_224(), DH_get_2048_256() @@ -1289,13 +1292,13 @@ Applications should instead set the B as specified i L) to one of "dh_1024_160", "dh_2048_224" or "dh_2048_256" when generating a DH key. -=item - +=item * DH_KDF_X9_42() Applications should use L instead. -=item - +=item * DH_get_default_method(), DH_get0_engine(), DH_meth_*(), DH_new_method(), DH_OpenSSL(), DH_get_ex_data(), DH_set_default_method(), DH_set_method(), @@ -1303,39 +1306,39 @@ DH_set_ex_data() See L -=item - +=item * DHparams_print(), DHparams_print_fp() See L -=item - +=item * DH_set0_key(), DH_set0_pqg(), DH_set_length() See L -=item - +=item * DSA_bits(), DSA_security_bits(), DSA_size() Use L, L and L. -=item - +=item * DHparams_dup(), DSA_dup_DH() There is no direct replacement. Applications may use L and L instead. -=item - +=item * DSA_generate_key(), DSA_generate_parameters_ex() See L. -=item - +=item * DSA_get0_engine(), DSA_get_default_method(), DSA_get_ex_data(), DSA_get_method(), DSA_meth_*(), DSA_new_method(), DSA_OpenSSL(), @@ -1343,57 +1346,57 @@ DSA_set_default_method(), DSA_set_ex_data(), DSA_set_method() See L. -=item - +=item * DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pqg(), DSA_get0_key(), DSA_get0_priv_key(), DSA_get0_pub_key() See L. -=item - +=item * DSA_new(), DSA_free(), DSA_up_ref() See L -=item - +=item * DSAparams_dup() There is no direct replacement. Applications may use L and L instead. -=item - +=item * DSAparams_print(), DSAparams_print_fp(), DSA_print(), DSA_print_fp() See L -=item - +=item * DSA_set0_key(), DSA_set0_pqg() See L -=item - +=item * DSA_set_flags(), DSA_clear_flags(), DSA_test_flags() The B flag has been deprecated without replacement. -=item - +=item * DSA_sign(), DSA_do_sign(), DSA_sign_setup(), DSA_verify(), DSA_do_verify() See L. -=item - +=item * ECDH_compute_key() See L. -=item - +=item * ECDH_KDF_X9_62() @@ -1401,20 +1404,20 @@ Applications may either set this using the helper function L or by setting an B using the "kdf-type" as shown in L -=item - +=item * ECDSA_sign(), ECDSA_sign_ex(), ECDSA_sign_setup(), ECDSA_do_sign(), ECDSA_do_sign_ex(), ECDSA_verify(), ECDSA_do_verify() See L. -=item - +=item * ECDSA_size() Applications should use L. -=item - +=item * EC_GF2m_simple_method(), EC_GFp_mont_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method(), EC_GFp_nistp256_method(), EC_GFp_nistp521_method(), @@ -1424,20 +1427,20 @@ There are no replacements for these functions. Applications should rely on the library automatically assigning a suitable method internally when an EC_GROUP is constructed. -=item - +=item * EC_GROUP_clear_free() Use L instead. -=item - +=item * EC_GROUP_get_curve_GF2m(), EC_GROUP_get_curve_GFp(), EC_GROUP_set_curve_GF2m(), EC_GROUP_set_curve_GFp() Applications should use L and L. -=item - +=item * EC_GROUP_have_precompute_mult(), EC_GROUP_precompute_mult(), EC_KEY_precompute_mult() @@ -1445,7 +1448,7 @@ EC_KEY_precompute_mult() These functions are not widely used. Applications should instead switch to named curves which OpenSSL has hardcoded lookup tables for. -=item - +=item * EC_GROUP_new(), EC_GROUP_method_of(), EC_POINT_method_of() @@ -1453,19 +1456,19 @@ EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned internally without application intervention. Users of EC_GROUP_new() should switch to a different suitable constructor. -=item - +=item * EC_KEY_can_sign() Applications should use L instead. -=item - +=item * EC_KEY_check_key() See L -=item - +=item * EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags() @@ -1476,33 +1479,33 @@ B and B. See also L -=item - +=item * EC_KEY_dup(), EC_KEY_copy() There is no direct replacement. Applications may use L and L instead. -=item - +=item * EC_KEY_decoded_from_explicit_params() There is no replacement. -=item - +=item * EC_KEY_generate_key() See L. -=item - +=item * EC_KEY_get0_group(), EC_KEY_get0_private_key(), EC_KEY_get0_public_key(), EC_KEY_get_conv_form(), EC_KEY_get_enc_flags() See L. -=item - +=item * EC_KEY_get0_engine(), EC_KEY_get_default_method(), EC_KEY_get_method(), EC_KEY_new_method(), EC_KEY_get_ex_data(), EC_KEY_OpenSSL(), @@ -1511,60 +1514,60 @@ EC_KEY_set_method() See L -=item - +=item * EC_METHOD_get_field_type() Use L instead. See L -=item - +=item * EC_KEY_key2buf(), EC_KEY_oct2key(), EC_KEY_oct2priv(), EC_KEY_priv2buf(), EC_KEY_priv2oct() There are no replacements for these. -=item - +=item * EC_KEY_new(), EC_KEY_new_by_curve_name(), EC_KEY_free(), EC_KEY_up_ref() See L -=item - +=item * EC_KEY_print(), EC_KEY_print_fp() See L -=item - +=item * EC_KEY_set_asn1_flag(), EC_KEY_set_conv_form(), EC_KEY_set_enc_flags() See L. -=item - +=item * EC_KEY_set_group(), EC_KEY_set_private_key(), EC_KEY_set_public_key(), EC_KEY_set_public_key_affine_coordinates() See L. -=item - +=item * ECParameters_print(), ECParameters_print_fp(), ECPKParameters_print(), ECPKParameters_print_fp() See L -=item - +=item * EC_POINT_bn2point(), EC_POINT_point2bn() These functions were not particularly useful, since EC point serialization formats are not individual big-endian integers. -=item - +=item * EC_POINT_get_affine_coordinates_GF2m(), EC_POINT_get_affine_coordinates_GFp(), EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp() @@ -1572,7 +1575,7 @@ EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp() Applications should use L and L instead. -=item - +=item * EC_POINT_get_Jprojective_coordinates_GFp(), EC_POINT_set_Jprojective_coordinates_GFp() @@ -1580,41 +1583,41 @@ These functions are not widely used. Applications should instead use the L and L functions. -=item - +=item * EC_POINT_make_affine(), EC_POINTs_make_affine() There is no replacement. These functions were not widely used, and OpenSSL automatically performs this conversion when needed. -=item - +=item * EC_POINT_set_compressed_coordinates_GF2m(), EC_POINT_set_compressed_coordinates_GFp() Applications should use L instead. -=item - +=item * EC_POINTs_mul() This function is not widely used. Applications should instead use the L function. -=item - +=item * B All engine functions are deprecated. An engine should be rewritten as a provider. See L. -=item - +=item * B, ERR_func_error_string(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_get_state() OpenSSL now loads error strings automatically so these functions are not needed. -=item - +=item * ERR_peek_error_line_data(), ERR_peek_last_error_line_data() @@ -1625,7 +1628,7 @@ Applications should use L, or pick information with ERR_peek functions and finish off with getting the error code by using L. -=item - +=item * EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_iv_noconst(), EVP_CIPHER_CTX_original_iv() @@ -1634,14 +1637,14 @@ L and L respectively. See L for further information. -=item - +=item * B, EVP_MD_CTX_set_update_fn(), EVP_MD_CTX_update_fn(), B See L. -=item - +=item * EVP_PKEY_CTRL_PKCS7_ENCRYPT(), EVP_PKEY_CTRL_PKCS7_DECRYPT(), EVP_PKEY_CTRL_PKCS7_SIGN(), EVP_PKEY_CTRL_CMS_ENCRYPT(), @@ -1651,7 +1654,7 @@ These control operations are not invoked by the OpenSSL library anymore and are replaced by direct checks of the key operation against the key type when the operation is initialized. -=item - +=item * EVP_PKEY_CTX_get0_dh_kdf_ukm(), EVP_PKEY_CTX_get0_ecdh_kdf_ukm() @@ -1659,33 +1662,33 @@ See the "kdf-ukm" item in L and L. These functions are obsolete and should not be required. -=item - +=item * EVP_PKEY_CTX_set_rsa_keygen_pubexp() Applications should use L instead. -=item - +=item * EVP_PKEY_cmp(), EVP_PKEY_cmp_parameters() Applications should use L and L instead. See L for further details. -=item - +=item * EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), Applications should use L and L or L and L instead. -=item - +=item * EVP_PKEY_get0() This function returns NULL if the key comes from a provider. -=item - +=item * EVP_PKEY_get0_DH(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_RSA(), EVP_PKEY_get1_DH(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_EC_KEY and EVP_PKEY_get1_RSA(), @@ -1693,26 +1696,26 @@ EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305(), EVP_PKEY_get0_siphash() See L. -=item - +=item * B See L. -=item - +=item * EVP_PKEY_new_CMAC_key() See L. -=item - +=item * EVP_PKEY_assign(), EVP_PKEY_set1_DH(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_EC_KEY(), EVP_PKEY_set1_RSA() See L -=item - +=item * EVP_PKEY_set1_tls_encodedpoint() EVP_PKEY_get1_tls_encodedpoint() @@ -1723,40 +1726,40 @@ L. The old versions have been converted to deprecated macros that just call the new functions. -=item - +=item * EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine() See L. -=item - +=item * EVP_PKEY_set_alias_type() This function has been removed. There is no replacement. See L -=item - +=item * HMAC_Init_ex(), HMAC_Update(), HMAC_Final(), HMAC_size() See L. -=item - +=item * HMAC_CTX_new(), HMAC_CTX_free(), HMAC_CTX_copy(), HMAC_CTX_reset(), HMAC_CTX_set_flags(), HMAC_CTX_get_md() See L. -=item - +=item * i2d_DHparams(), i2d_DHxparams() See L and L -=item - +=item * i2d_DSAparams(), i2d_DSAPrivateKey(), i2d_DSAPrivateKey_bio(), i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(), @@ -1765,7 +1768,7 @@ i2d_DSA_PUBKEY_fp(), i2d_DSAPublicKey() See L and L -=item - +=item * i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(), i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(), @@ -1774,7 +1777,7 @@ i2d_EC_PUBKEY_fp(), i2o_ECPublicKey() See L and L -=item - +=item * i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(), i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(), @@ -1783,7 +1786,7 @@ i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp() See L and L -=item - +=item * IDEA_encrypt(), IDEA_set_decrypt_key(), IDEA_set_encrypt_key(), IDEA_cbc_encrypt(), IDEA_cfb64_encrypt(), IDEA_ecb_encrypt(), @@ -1792,59 +1795,59 @@ IDEA_ofb64_encrypt() See L. IDEA has been moved to the L. -=item - +=item * IDEA_options() There is no replacement. This function returned a constant string. -=item - +=item * MD2(), MD2_Init(), MD2_Update(), MD2_Final() See L. MD2 has been moved to the L. -=item - +=item * MD2_options() There is no replacement. This function returned a constant string. -=item - +=item * MD4(), MD4_Init(), MD4_Update(), MD4_Final(), MD4_Transform() See L. MD4 has been moved to the L. -=item - +=item * MDC2(), MDC2_Init(), MDC2_Update(), MDC2_Final() See L. MDC2 has been moved to the L. -=item - +=item * MD5(), MD5_Init(), MD5_Update(), MD5_Final(), MD5_Transform() See L. -=item - +=item * NCONF_WIN32() This undocumented function has no replacement. See L for more details. -=item - +=item * OCSP_parse_url() Use L instead. -=item - +=item * B type and B functions @@ -1854,14 +1857,14 @@ type is B, and the deprecated functions are replaced with B. See L for additional details. -=item - +=item * OPENSSL_fork_child(), OPENSSL_fork_parent(), OPENSSL_fork_prepare() There is no replacement for these functions. These pthread fork support methods were unused by OpenSSL. -=item - +=item * OSSL_STORE_ctrl(), OSSL_STORE_do_all_loaders(), OSSL_STORE_LOADER_get0_engine(), OSSL_STORE_LOADER_get0_scheme(), OSSL_STORE_LOADER_new(), @@ -1877,7 +1880,7 @@ These functions helped applications and engines create loaders for schemes they supported. These are all deprecated and discouraged in favour of provider implementations, see L. -=item - +=item * PEM_read_DHparams(), PEM_read_bio_DHparams(), PEM_read_DSAparams(), PEM_read_bio_DSAparams(), @@ -1898,13 +1901,13 @@ PEM_write_bio_RSAPublicKey(), See L -=item - +=item * PKCS1_MGF1() See L. -=item - +=item * RAND_get_rand_method(), RAND_set_rand_method(), RAND_OpenSSL(), RAND_set_rand_engine() @@ -1913,7 +1916,7 @@ Applications should instead use L, L and L. See L for more details. -=item - +=item * RC2_encrypt(), RC2_decrypt(), RC2_set_key(), RC2_cbc_encrypt(), RC2_cfb64_encrypt(), RC2_ecb_encrypt(), RC2_ofb64_encrypt(), @@ -1924,7 +1927,7 @@ RC5_32_cfb64_encrypt(), RC5_32_ecb_encrypt(), RC5_32_ofb64_encrypt() See L. The Algorithms "RC2", "RC4" and "RC5" have been moved to the L. -=item - +=item * RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update(), RIPEMD160_Final(), RIPEMD160_Transform() @@ -1932,20 +1935,20 @@ RIPEMD160_Transform() See L. The RIPE algorithm has been moved to the L. -=item - +=item * RSA_bits(), RSA_security_bits(), RSA_size() Use L, L and L. -=item - +=item * RSA_check_key(), RSA_check_key_ex() See L -=item - +=item * RSA_clear_flags(), RSA_flags(), RSA_set_flags(), RSA_test_flags(), RSA_setup_blinding(), RSA_blinding_off(), RSA_blinding_on() @@ -1956,19 +1959,19 @@ B, B, B, B, B, B B -=item - +=item * RSA_generate_key_ex(), RSA_generate_multi_prime_key() See L. -=item - +=item * RSA_get0_engine() See L -=item - +=item * RSA_get0_crt_params(), RSA_get0_d(), RSA_get0_dmp1(), RSA_get0_dmq1(), RSA_get0_e(), RSA_get0_factors(), RSA_get0_iqmp(), RSA_get0_key(), @@ -1978,82 +1981,82 @@ RSA_get_multi_prime_extra_count() See L -=item - +=item * RSA_new(), RSA_free(), RSA_up_ref() See L. -=item - +=item * RSA_get_default_method(), RSA_get_ex_data and RSA_get_method() See L. -=item - +=item * RSA_get_version() There is no replacement. -=item - +=item * B, RSA_new_method(), RSA_null_method and RSA_PKCS1_OpenSSL() See L. -=item - +=item * B, B See L and L. -=item - +=item * RSA_print(), RSA_print_fp() See L -=item - +=item * RSA_public_encrypt(), RSA_private_decrypt() See L -=item - +=item * RSA_private_encrypt(), RSA_public_decrypt() This is equivalent to doing sign and verify recover operations (with a padding mode of none). See L. -=item - +=item * RSAPrivateKey_dup(), RSAPublicKey_dup() There is no direct replacement. Applications may use L. -=item - +=item * RSAPublicKey_it(), RSAPrivateKey_it() See L -=item - +=item * RSA_set0_crt_params(), RSA_set0_factors(), RSA_set0_key(), RSA_set0_multi_prime_params() See L. -=item - +=item * RSA_set_default_method(), RSA_set_method(), RSA_set_ex_data() See L -=item - +=item * RSA_sign(), RSA_sign_ASN1_OCTET_STRING(), RSA_verify(), RSA_verify_ASN1_OCTET_STRING(), RSA_verify_PKCS1_PSS(), @@ -2061,7 +2064,7 @@ RSA_verify_PKCS1_PSS_mgf1() See L. -=item - +=item * RSA_X931_derive_ex(), RSA_X931_generate_key_ex(), RSA_X931_hash_id() @@ -2069,7 +2072,7 @@ There are no replacements for these functions. X931 padding can be set using L. See B. -=item - +=item * SEED_encrypt(), SEED_decrypt(), SEED_set_key(), SEED_cbc_encrypt(), SEED_cfb128_encrypt(), SEED_ecb_encrypt(), SEED_ofb128_encrypt() @@ -2077,7 +2080,7 @@ SEED_cfb128_encrypt(), SEED_ecb_encrypt(), SEED_ofb128_encrypt() See L. The SEED algorithm has been moved to the L. -=item - +=item * SHA1_Init(), SHA1_Update(), SHA1_Final(), SHA1_Transform(), SHA224_Init(), SHA224_Update(), SHA224_Final(), @@ -2087,7 +2090,7 @@ SHA512_Init(), SHA512_Update(), SHA512_Final(), SHA512_Transform() See L. -=item - +=item * SRP_Calc_A(), SRP_Calc_B(), SRP_Calc_client_key(), SRP_Calc_server_key(), SRP_Calc_u(), SRP_Calc_x(), SRP_check_known_gN_param(), SRP_create_verifier(), @@ -2098,7 +2101,7 @@ SRP_VBASE_new(), SRP_Verify_A_mod_N(), SRP_Verify_B_mod_N() There are no replacements for the SRP functions. -=item - +=item * SSL_CTX_set_tmp_dh_callback(), SSL_set_tmp_dh_callback(), SSL_CTX_set_tmp_dh(), SSL_set_tmp_dh() @@ -2114,13 +2117,13 @@ parameters for export and non-export ciphersuites. Export ciphersuites are no longer supported by OpenSSL. Use of the callback functions should be replaced by one of the other methods described above. -=item - +=item * SSL_CTX_set_tlsext_ticket_key_cb() Use the new L function instead. -=item - +=item * WHIRLPOOL(), WHIRLPOOL_Init(), WHIRLPOOL_Update(), WHIRLPOOL_Final(), WHIRLPOOL_BitUpdate() @@ -2128,14 +2131,14 @@ WHIRLPOOL_BitUpdate() See L. The Whirlpool algorithm has been moved to the L. -=item - +=item * X509_certificate_type() This was an undocumented function. Applications can use L and L instead. -=item - +=item * X509_http_nbio(), X509_CRL_http_nbio() @@ -2214,13 +2217,13 @@ now in maintenance mode and no new features will be added to them. =over 4 -=item - +=item * TLS 1.3 FFDHE key exchange support added This uses DH safe prime named groups. -=item - +=item * Support for fully "pluggable" TLSv1.3 groups. @@ -2228,7 +2231,7 @@ This means that providers may supply their own group implementations (using either the "key exchange" or the "key encapsulation" methods) which will automatically be detected and used by libssl. -=item - +=item * SSL and SSL_CTX options are now 64 bit instead of 32 bit. @@ -2242,13 +2245,13 @@ However it is still possible to test whether these macros are defined or not. See L, L, L and L. -=item - +=item * SSL_set1_host() and SSL_add1_host() Changes These functions now take IP literal addresses as well as actual hostnames. -=item - +=item * Added SSL option SSL_OP_CLEANSE_PLAINTEXT @@ -2257,7 +2260,7 @@ internal buffers after delivering them to the application. Note, the application is still responsible for cleansing other copies (e.g.: data received by L). -=item - +=item * Client-initiated renegotiation is disabled by default. @@ -2265,7 +2268,7 @@ To allow it, use the B<-client_renegotiation> option, the B flag, or the C config parameter as appropriate. -=item - +=item * Secure renegotiation is now required by default for TLS connections @@ -2275,7 +2278,7 @@ to connect to legacy peers will need to explicitly set SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL. -=item - +=item * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3 @@ -2287,13 +2290,13 @@ TLS connections in such a build without also disabling TLSv1.3 at run time or using third party provider groups may result in handshake failures. TLSv1.3 can be disabled at compile time using the "no-tls1_3" Configure option. -=item - +=item * SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() changes. The methods now ignore unknown ciphers. -=item - +=item * Security callback change. @@ -2306,7 +2309,7 @@ according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other locations. Therefore this client side call has been changed to pass an EVP_PKEY instead. -=item - +=item * New SSL option SSL_OP_IGNORE_UNEXPECTED_EOF @@ -2314,7 +2317,7 @@ The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option is set, an unexpected EOF is ignored, it pretends a close notify was received instead and so the returned error becomes SSL_ERROR_ZERO_RETURN. -=item - +=item * The security strength of SHA1 and MD5 based signatures in TLS has been reduced. @@ -2328,7 +2331,7 @@ although this extension is optional, failing to provide one means that OpenSSL will fallback to a default set of signature algorithms. This default set requires the availability of SHA1. -=item - +=item * X509 certificates signed using SHA1 are no longer allowed at security level 1 and above. diff --git a/util/perl/OpenSSL/Template.pm b/util/perl/OpenSSL/Template.pm index 926a6ea5e04..7411dd8ae8d 100644 --- a/util/perl/OpenSSL/Template.pm +++ b/util/perl/OpenSSL/Template.pm @@ -22,12 +22,12 @@ following additions: =over 4 -=item - +=item * The template perl code delimiters (given with the C option) are set to C<{-> and C<-}> by default. -=item - +=item * A few extra functions are offered to be used by the template perl code, see L.