Deprecate the Low Level CAST APIs
authorMatt Caswell <matt@openssl.org>
Thu, 2 Jan 2020 16:15:26 +0000 (16:15 +0000)
committerMatt Caswell <matt@openssl.org>
Mon, 13 Jan 2020 13:44:27 +0000 (13:44 +0000)
Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10742)

15 files changed:
CHANGES
apps/speed.c
crypto/cast/c_cfb64.c
crypto/cast/c_ecb.c
crypto/cast/c_enc.c
crypto/cast/c_ofb64.c
crypto/cast/c_skey.c
crypto/evp/e_cast.c
include/openssl/cast.h
providers/implementations/ciphers/cipher_cast5.c
providers/implementations/ciphers/cipher_cast5_hw.c
test/build.info
test/casttest.c
test/recipes/05-test_cast.t
util/libcrypto.num

diff --git a/CHANGES b/CHANGES
index e47c8ab..215fd13 100644 (file)
--- a/CHANGES
+++ b/CHANGES
      equivalently named decrypt functions.
      [Matt Caswell]
 
+  *) All of the low level CAST functions have been deprecated including:
+     CAST_set_key, CAST_ecb_encrypt, CAST_encrypt, CAST_decrypt,
+     CAST_cbc_encrypt, CAST_cfb64_encrypt and CAST_ofb64_encrypt
+     Use of these low level functions has been informally discouraged for a long
+     time. Instead applications should use the high level EVP APIs, e.g.
+     EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
+     equivalently named decrypt functions.
+     [Matt Caswell]
+
   *) All of the low level Camelllia functions have been deprecated including:
      Camellia_set_key, Camellia_encrypt, Camellia_decrypt, Camellia_ecb_encrypt,
      Camellia_cbc_encrypt, Camellia_cfb128_encrypt, Camellia_cfb1_encrypt,
index bb57da9..67bf650 100644 (file)
@@ -389,7 +389,7 @@ static const OPT_PAIR doit_choices[] = {
     {"blowfish", D_CBC_BF},
     {"bf", D_CBC_BF},
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"cast-cbc", D_CBC_CAST},
     {"cast", D_CBC_CAST},
     {"cast5", D_CBC_CAST},
@@ -1464,7 +1464,7 @@ int speed_main(int argc, char **argv)
 #if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     BF_KEY bf_ks;
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     CAST_KEY cast_ks;
 #endif
     static const unsigned char key16[16] = {
@@ -1992,7 +1992,7 @@ int speed_main(int argc, char **argv)
     if (doit[D_CBC_BF])
         BF_set_key(&bf_ks, 16, key16);
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_CBC_CAST]) 
         CAST_set_key(&cast_ks, 16, key16);
 #endif
@@ -2672,7 +2672,7 @@ int speed_main(int argc, char **argv)
         }
     }
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_CBC_CAST]) {
         if (async_jobs > 0) {
             BIO_printf(bio_err, "Async mode is not supported with %s\n",
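Review bot: In a no-deprecated build the first hunk compiles the names "cast-cbc", "cast" and "cast5" out of doit_choices, so `openssl speed cast` will presumably be rejected as an unknown algorithm with no hint about the replacement. A comment at that guard would record the intended path, e.g. `/* Low-level CAST benchmark only; no-deprecated builds should use -evp cast5-cbc */`. The same compound condition is repeated in all four hunks, and the guards must stay identical because cast_ks is declared under one and used under the others. speed_main starts and ends outside these hunks, so any other CAST-guarded regions in the file are not visible here.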
index 1ae13bc..805a51d 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 
index 2b841ac..cbd0443 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 #include <openssl/opensslv.h>
index 7e2461d..ede9f2e 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 
index bc598d4..6aaa7ed 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 
index c21ecdf..d516e10 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 #include "cast_s.h"
index 4b06717..5703f7f 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 
index 5f81217..f338d41 100644 (file)
 extern "C" {
 # endif
 
-# define CAST_ENCRYPT    1
-# define CAST_DECRYPT    0
-
-# define CAST_LONG unsigned int
-
 # define CAST_BLOCK      8
 # define CAST_KEY_LENGTH 16
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+
+#  define CAST_ENCRYPT    1
+#  define CAST_DECRYPT    0
+
+#  define CAST_LONG unsigned int
+
 typedef struct cast_key_st {
     CAST_LONG data[32];
     int short_key;              /* Use reduced rounds for short key */
 } CAST_KEY;
 
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
-void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
-                      const CAST_KEY *key, int enc);
-void CAST_encrypt(CAST_LONG *data, const CAST_KEY *key);
-void CAST_decrypt(CAST_LONG *data, const CAST_KEY *key);
-void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                      long length, const CAST_KEY *ks, unsigned char *iv,
-                      int enc);
-void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-                        long length, const CAST_KEY *schedule,
-                        unsigned char *ivec, int *num, int enc);
-void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-                        long length, const CAST_KEY *schedule,
-                        unsigned char *ivec, int *num);
+# endif /* OPENSSL_NO_DEPRECATED_3_0 */
+
+DEPRECATEDIN_3_0(void CAST_set_key(CAST_KEY *key, int len,
+                                   const unsigned char *data))
+DEPRECATEDIN_3_0(void CAST_ecb_encrypt(const unsigned char *in,
+                                       unsigned char *out,
+                                       const CAST_KEY *key,
+                                       int enc))
+DEPRECATEDIN_3_0(void CAST_encrypt(CAST_LONG *data,
+                                   const CAST_KEY *key))
+DEPRECATEDIN_3_0(void CAST_decrypt(CAST_LONG *data,
+                                   const CAST_KEY *key))
+DEPRECATEDIN_3_0(void CAST_cbc_encrypt(const unsigned char *in,
+                                       unsigned char *out,
+                                       long length,
+                                       const CAST_KEY *ks,
+                                       unsigned char *iv,
+                                       int enc))
+DEPRECATEDIN_3_0(void CAST_cfb64_encrypt(const unsigned char *in,
+                                         unsigned char *out,
+                                         long length,
+                                         const CAST_KEY *schedule,
+                                         unsigned char *ivec,
+                                         int *num,
+                                         int enc))
+DEPRECATEDIN_3_0(void CAST_ofb64_encrypt(const unsigned char *in,
+                                         unsigned char *out,
+                                         long length,
+                                         const CAST_KEY *schedule,
+                                         unsigned char *ivec,
+                                         int *num))
 
 # ifdef  __cplusplus
 }
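Review bot: The seven DEPRECATEDIN_3_0(...) prototypes now sit after `# endif /* OPENSSL_NO_DEPRECATED_3_0 */`, yet they name CAST_KEY and CAST_LONG, which are declared only inside that `# ifndef` block. They presumably compile in a no-deprecated build only because DEPRECATEDIN_3_0() expands to nothing there; the macro's definition is not in this hunk, so that is worth confirming. Moving the `# endif` below the last prototype, or adding a comment such as `/* These prototypes vanish with OPENSSL_NO_DEPRECATED_3_0, so CAST_KEY/CAST_LONG need not exist */`, would make the dependency explicit. A one-line pointer to the replacement above the prototypes, e.g. `/* Deprecated: use the EVP cipher API with EVP_cast5_cbc() and friends */`, would also help callers who hit the deprecation warning.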
index 473a7f0..24cb59d 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 /* Dispatch functions for cast cipher modes ecb, cbc, ofb, cfb */
 
 #include "cipher_cast.h"
index 227e90d..beeeb59 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_cast.h"
 
 static int cipher_hw_cast5_initkey(PROV_CIPHER_CTX *ctx,
index de618b5..c54b7bc 100644 (file)
@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]
           hmactest \
           rc2test rc4test rc5test \
           destest mdc2test \
-          dhtest enginetest casttest \
+          dhtest enginetest \
           ssltest_old dsatest dsa_no_digest_size_test exptest rsa_test \
           evp_pkey_provided_test evp_test evp_extra_test evp_fetch_prov_test \
           v3nametest v3ext \
@@ -152,10 +152,6 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[enginetest]=../include ../apps/include
   DEPEND[enginetest]=../libcrypto libtestutil.a
 
-  SOURCE[casttest]=casttest.c
-  INCLUDE[casttest]=../include ../apps/include
-  DEPEND[casttest]=../libcrypto libtestutil.a
-
   SOURCE[ssltest_old]=ssltest_old.c
   INCLUDE[ssltest_old]=.. ../include ../apps/include
   DEPEND[ssltest_old]=../libcrypto ../libssl
@@ -212,7 +208,8 @@ IF[{- !$disabled{tests} -}]
 
   IF[{- !$disabled{"deprecated"}
         || (defined $config{"api"} && $config{"api"} < 30000) -}]
-    PROGRAMS{noinst}=igetest bftest
+    PROGRAMS{noinst}=igetest bftest casttest
+
     SOURCE[igetest]=igetest.c
     INCLUDE[igetest]=../include ../apps/include
     DEPEND[igetest]=../libcrypto libtestutil.a
@@ -220,6 +217,10 @@ IF[{- !$disabled{tests} -}]
     SOURCE[bftest]=bftest.c
     INCLUDE[bftest]=../include ../apps/include
     DEPEND[bftest]=../libcrypto libtestutil.a
+
+    SOURCE[casttest]=casttest.c
+    INCLUDE[casttest]=../include ../apps/include
+    DEPEND[casttest]=../libcrypto libtestutil.a
   ENDIF
 
   SOURCE[v3nametest]=v3nametest.c
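Review bot: A no-deprecated build loses the CAST vectors in casttest.c once casttest is built only inside the deprecated-only IF block (last two hunks), while the provider CAST5 sources touched by this commit still appear to be compiled in that configuration. Whether an EVP-level test exercises CAST5 there is not visible in this section. If none does, the cipher would ship without known-answer coverage in exactly the builds that are meant to rely on EVP. A comment next to the casttest entry naming the EVP test that covers CAST5, or adding such vectors, would close the gap.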
index 0d7595c..09435bd 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
index b8b88d0..b1b909d 100644 (file)
@@ -7,6 +7,17 @@
 # https://www.openssl.org/source/license.html
 
 
+use strict;
+use warnings;
+
 use OpenSSL::Test::Simple;
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+
+setup("test_cast");
+
+plan skip_all => "Low-level CAST APIs are disabled in this build"
+    if disabled("deprecated")
+       && (!defined config("api") || config("api") >= 30000);
 
 simple_test("test_cast", "casttest", "cast");
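Review bot: The `plan skip_all` condition is a hand-negated copy of the IF guard that now surrounds casttest in test/build.info, and nothing in either file says the two must change together. If they drift, this recipe would presumably try to run a casttest binary that was never built, or skip one that was. A comment above the plan line, e.g. `# Keep in sync with the IF[] guard around casttest in test/build.info`, would record the coupling.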
index 5092f5d..d18e1a3 100644 (file)
@@ -712,7 +712,7 @@ DSA_sign_setup                          730 3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3
 OPENSSL_sk_new_null                     731    3_0_0   EXIST::FUNCTION:
 PEM_read_PKCS8                          732    3_0_0   EXIST::FUNCTION:STDIO
 BN_mod_sqr                              733    3_0_0   EXIST::FUNCTION:
-CAST_ofb64_encrypt                      734    3_0_0   EXIST::FUNCTION:CAST
+CAST_ofb64_encrypt                      734    3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 TXT_DB_write                            735    3_0_0   EXIST::FUNCTION:
 OCSP_REQUEST_get1_ext_d2i               736    3_0_0   EXIST::FUNCTION:OCSP
 CMS_unsigned_add1_attr_by_NID           737    3_0_0   EXIST::FUNCTION:CMS
@@ -1684,7 +1684,7 @@ EVP_PKEY_type                           1722      3_0_0   EXIST::FUNCTION:
 ENGINE_ctrl                             1723   3_0_0   EXIST::FUNCTION:ENGINE
 EVP_cast5_ecb                           1724   3_0_0   EXIST::FUNCTION:CAST
 BIO_nwrite0                             1725   3_0_0   EXIST::FUNCTION:
-CAST_encrypt                            1726   3_0_0   EXIST::FUNCTION:CAST
+CAST_encrypt                            1726   3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 a2d_ASN1_OBJECT                         1727   3_0_0   EXIST::FUNCTION:
 OCSP_ONEREQ_delete_ext                  1728   3_0_0   EXIST::FUNCTION:OCSP
 UI_method_get_reader                    1729   3_0_0   EXIST::FUNCTION:
@@ -2068,7 +2068,7 @@ X509_REQ_set_version                    2113      3_0_0   EXIST::FUNCTION:
 d2i_ASN1_GENERALSTRING                  2114   3_0_0   EXIST::FUNCTION:
 i2d_ASIdentifiers                       2115   3_0_0   EXIST::FUNCTION:RFC3779
 X509V3_EXT_cleanup                      2116   3_0_0   EXIST::FUNCTION:
-CAST_ecb_encrypt                        2117   3_0_0   EXIST::FUNCTION:CAST
+CAST_ecb_encrypt                        2117   3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 BIO_s_file                              2118   3_0_0   EXIST::FUNCTION:
 RSA_X931_derive_ex                      2119   3_0_0   EXIST::FUNCTION:RSA
 EVP_PKEY_decrypt_init                   2120   3_0_0   EXIST::FUNCTION:
@@ -2449,7 +2449,7 @@ AES_cfb128_encrypt                      2499      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 ENGINE_set_EC                           2500   3_0_0   EXIST::FUNCTION:ENGINE
 d2i_ECPKParameters                      2501   3_0_0   EXIST::FUNCTION:EC
 IDEA_ofb64_encrypt                      2502   3_0_0   EXIST::FUNCTION:IDEA
-CAST_decrypt                            2503   3_0_0   EXIST::FUNCTION:CAST
+CAST_decrypt                            2503   3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 TS_STATUS_INFO_get0_failure_info        2504   3_0_0   EXIST::FUNCTION:TS
 ENGINE_unregister_pkey_meths            2506   3_0_0   EXIST::FUNCTION:ENGINE
 DISPLAYTEXT_new                         2507   3_0_0   EXIST::FUNCTION:
@@ -2862,7 +2862,7 @@ EVP_des_cfb1                            2923      3_0_0   EXIST::FUNCTION:DES
 OBJ_NAME_cleanup                        2924   3_0_0   EXIST::FUNCTION:
 OCSP_BASICRESP_get1_ext_d2i             2925   3_0_0   EXIST::FUNCTION:OCSP
 DES_cfb64_encrypt                       2926   3_0_0   EXIST::FUNCTION:DES
-CAST_cfb64_encrypt                      2927   3_0_0   EXIST::FUNCTION:CAST
+CAST_cfb64_encrypt                      2927   3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 EVP_PKEY_asn1_set_param                 2928   3_0_0   EXIST::FUNCTION:
 BN_RECP_CTX_free                        2929   3_0_0   EXIST::FUNCTION:
 BN_with_flags                           2930   3_0_0   EXIST::FUNCTION:
@@ -2979,7 +2979,7 @@ PKCS12_item_pack_safebag                3043      3_0_0   EXIST::FUNCTION:
 i2d_OCSP_RESPDATA                       3044   3_0_0   EXIST::FUNCTION:OCSP
 i2d_X509_PUBKEY                         3045   3_0_0   EXIST::FUNCTION:
 EVP_DecryptUpdate                       3046   3_0_0   EXIST::FUNCTION:
-CAST_cbc_encrypt                        3047   3_0_0   EXIST::FUNCTION:CAST
+CAST_cbc_encrypt                        3047   3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 BN_BLINDING_invert                      3048   3_0_0   EXIST::FUNCTION:
 SHA512_Update                           3049   3_0_0   EXIST::FUNCTION:
 ESS_ISSUER_SERIAL_new                   3050   3_0_0   EXIST::FUNCTION:
@@ -3588,7 +3588,7 @@ TS_X509_ALGOR_print_bio                 3666      3_0_0   EXIST::FUNCTION:TS
 d2i_PKCS7_ENVELOPE                      3667   3_0_0   EXIST::FUNCTION:
 ESS_CERT_ID_new                         3669   3_0_0   EXIST::FUNCTION:
 EC_POINT_invert                         3670   3_0_0   EXIST::FUNCTION:EC
-CAST_set_key                            3671   3_0_0   EXIST::FUNCTION:CAST
+CAST_set_key                            3671   3_0_0   EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 ENGINE_get_pkey_meth                    3672   3_0_0   EXIST::FUNCTION:ENGINE
 BIO_ADDRINFO_free                       3673   3_0_0   EXIST::FUNCTION:SOCK
 DES_ede3_cbc_encrypt                    3674   3_0_0   EXIST::FUNCTION:DES