Deprecate the low level DSA functions.

Use of the low level DSA functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #10977)
openssl · Feb 11, 2020 · f41ac0e · f41ac0e
1 parent 7f6deaf
commit f41ac0e
Show file tree

Hide file tree

Showing 37 changed files with 360 additions and 109 deletions.
diff --git a/CHANGES b/CHANGES
@@ -21,6 +21,32 @@
      options of the apps.
      [Kurt Roeckx]
 
+  *) The command line utilities dhparam, dsa, gendsa and dsaparam have been
+     deprecated.  Instead use the pkeyparam, pkey, genpkey and pkeyparam
+     programs respectively.
+     [Paul Dale]
+
+  *) All of the low level DSA functions have been deprecated including:
+
+     DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method,
+     DSA_get_default_method, DSA_set_method, DSA_get_method, DSA_new_method,
+     DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
+     DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
+     DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
+     DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
+     DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
+     DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
+     DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
+     DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
+     DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
+     DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
+     DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
+
+     Use of these low level functions has been informally discouraged for a long
+     time.  Instead applications should use L<EVP_DigestSignInit_ex(3)>,
+     L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
+     [Paul Dale]
+
   *) Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
      automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
      This means that applications don't have to look at the curve NID and

diff --git a/apps/dsa.c b/apps/dsa.c
@@ -81,6 +81,7 @@ int dsa_main(int argc, char **argv)
     int pvk_encr = 2;
 # endif
     int private = 0;
+    EVP_PKEY *pkey = NULL;
 
     prog = opt_init(argc, argv, dsa_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -160,19 +161,14 @@ int dsa_main(int argc, char **argv)
     }
 
     BIO_printf(bio_err, "read DSA key\n");
-    {
-        EVP_PKEY *pkey;
+    if (pubin)
+        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+    else
+        pkey = load_key(infile, informat, 1, passin, e, "Private Key");
 
-        if (pubin)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
-        else
-            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+    if (pkey != NULL)
+        dsa = EVP_PKEY_get1_DSA(pkey);
 
-        if (pkey != NULL) {
-            dsa = EVP_PKEY_get1_DSA(pkey);
-            EVP_PKEY_free(pkey);
-        }
-    }
     if (dsa == NULL) {
         BIO_printf(bio_err, "unable to load Key\n");
         ERR_print_errors(bio_err);
@@ -185,7 +181,7 @@ int dsa_main(int argc, char **argv)
 
     if (text) {
         assert(pubin || private);
-        if (!DSA_print(out, dsa, 0)) {
+        if (!EVP_PKEY_print_private(out, pkey, 0, NULL)) {
             perror(outfile);
             ERR_print_errors(bio_err);
             goto end;
@@ -261,6 +257,7 @@ int dsa_main(int argc, char **argv)
     }
     ret = 0;
  end:
+    EVP_PKEY_free(pkey);
     BIO_free_all(out);
     DSA_free(dsa);
     release_engine(e);

diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>

diff --git a/crypto/asn1/i2d_pu.c b/crypto/asn1/i2d_pu.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>

diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>

diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>

diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include "dsa_local.h"

diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c
@@ -12,6 +12,12 @@
  * version(s).
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 /*
  * Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
  * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in FIPS PUB

diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/opensslconf.h>
 #include <stdio.h>
 #include "internal/cryptlib.h"

diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <time.h>
 #include "internal/cryptlib.h"

diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include "internal/refcount.h"

diff --git a/crypto/dsa/dsa_meth.c b/crypto/dsa/dsa_meth.c
@@ -19,6 +19,7 @@
 #include <string.h>
 #include <openssl/err.h>
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 DSA_METHOD *DSA_meth_new(const char *name, int flags)
 {
     DSA_METHOD *dsam = OPENSSL_zalloc(sizeof(*dsam));
@@ -222,3 +223,4 @@ int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen) (DSA *))
     dsam->dsa_keygen = keygen;
     return 1;
 }
+#endif
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include "crypto/bn.h"

diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>

diff --git a/crypto/dsa/dsa_prn.c b/crypto/dsa/dsa_prn.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/evp.h>

diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/bn.h>
 #include "internal/cryptlib.h"
 #include "dsa_local.h"

diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "internal/cryptlib.h"
 #include "dsa_local.h"
 

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include "internal/refcount.h"

diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bio.h>

diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/buffer.h>

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
@@ -12,6 +12,12 @@
  * and PRIVATEKEYBLOB).
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "internal/cryptlib.h"
 #include <openssl/pem.h>
 #include <openssl/rand.h>

diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>

diff --git a/doc/man3/DSA_meth_new.pod b/doc/man3/DSA_meth_new.pod
@@ -16,6 +16,10 @@ DSA_meth_set_keygen - Routines to build up DSA methods
 
  #include <openssl/dsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  DSA_METHOD *DSA_meth_new(const char *name, int flags);
 
  void DSA_meth_free(DSA_METHOD *dsam);
@@ -86,6 +90,10 @@ DSA_meth_set_keygen - Routines to build up DSA methods
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications and extension implementations should instead use the
+OSSL_PROVIDER APIs.
+
 The B<DSA_METHOD> type is a structure used for the provision of custom DSA
 implementations. It provides a set of functions used by OpenSSL for the
 implementation of the various DSA capabilities.
@@ -200,11 +208,13 @@ L<DSA_sign(3)>, L<DSA_size(3)>, L<DSA_get0_pqg(3)>
 
 =head1 HISTORY
 
+The functions described here were deprecated in OpenSSL 3.0.
+
 The functions described here were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy