From 28c690cb7dd80c15c9fa45df518c555c66ad67f8 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 14 Jan 2020 08:35:12 +1000 Subject: [PATCH] Deprecate the low level SEED functions Use of the low level SEED functions has been informally discouraged for a long time. We now formally deprecate them. Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt functions. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10833) --- apps/speed.c | 8 +-- crypto/evp/e_seed.c | 6 ++ crypto/seed/seed.c | 6 ++ crypto/seed/seed_cbc.c | 6 ++ crypto/seed/seed_cfb.c | 6 ++ crypto/seed/seed_ecb.c | 6 ++ crypto/seed/seed_ofb.c | 6 ++ include/openssl/seed.h | 70 +++++++++++-------- .../implementations/ciphers/cipher_seed.c | 6 ++ .../implementations/ciphers/cipher_seed_hw.c | 6 ++ util/libcrypto.num | 14 ++-- 11 files changed, 98 insertions(+), 42 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 67bf650ec2..ef14ad6380 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -380,7 +380,7 @@ static const OPT_PAIR doit_choices[] = { {"idea-cbc", D_CBC_IDEA}, {"idea", D_CBC_IDEA}, #endif -#ifndef OPENSSL_NO_SEED +#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"seed-cbc", D_CBC_SEED}, {"seed", D_CBC_SEED}, #endif @@ -1458,7 +1458,7 @@ int speed_main(int argc, char **argv) #ifndef OPENSSL_NO_IDEA IDEA_KEY_SCHEDULE idea_ks; #endif -#ifndef OPENSSL_NO_SEED +#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) SEED_KEY_SCHEDULE seed_ks; #endif #if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) @@ -1969,7 +1969,7 @@ int speed_main(int argc, char **argv) if (doit[D_CBC_IDEA]) IDEA_set_encrypt_key(key16, &idea_ks); #endif -#ifndef OPENSSL_NO_SEED +#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_CBC_SEED]) SEED_set_key(key16, &seed_ks); #endif @@ -2585,7 +2585,7 @@ int speed_main(int argc, char **argv) } } #endif -#ifndef OPENSSL_NO_SEED +#if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_CBC_SEED]) { if (async_jobs > 0) { BIO_printf(bio_err, "Async mode is not supported with %s\n", diff --git a/crypto/evp/e_seed.c b/crypto/evp/e_seed.c index 9a9938deaf..224003d9dd 100644 --- a/crypto/evp/e_seed.c +++ b/crypto/evp/e_seed.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #ifdef OPENSSL_NO_SEED NON_EMPTY_TRANSLATION_UNIT diff --git a/crypto/seed/seed.c b/crypto/seed/seed.c index 224fb1f8af..492853d5c8 100644 --- a/crypto/seed/seed.c +++ b/crypto/seed/seed.c @@ -34,6 +34,12 @@ */ #ifndef OPENSSL_NO_SEED +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + # include # include # include diff --git a/crypto/seed/seed_cbc.c b/crypto/seed/seed_cbc.c index 26116ab727..59ebbeef58 100644 --- a/crypto/seed/seed_cbc.c +++ b/crypto/seed/seed_cbc.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include diff --git a/crypto/seed/seed_cfb.c b/crypto/seed/seed_cfb.c index b8ee9e9151..0e86e1696c 100644 --- a/crypto/seed/seed_cfb.c +++ b/crypto/seed/seed_cfb.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include diff --git a/crypto/seed/seed_ecb.c b/crypto/seed/seed_ecb.c index d7f34ec99a..b7ea0d4349 100644 --- a/crypto/seed/seed_ecb.c +++ b/crypto/seed/seed_ecb.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, diff --git a/crypto/seed/seed_ofb.c b/crypto/seed/seed_ofb.c index e556c440ea..3bc6c17d4d 100644 --- a/crypto/seed/seed_ofb.c +++ b/crypto/seed/seed_ofb.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include diff --git a/include/openssl/seed.h b/include/openssl/seed.h index 7d7b207ac7..2e1ba2a7bc 100644 --- a/include/openssl/seed.h +++ b/include/openssl/seed.h @@ -46,53 +46,61 @@ # ifndef OPENSSL_NO_SEED # include # include +# include # ifdef __cplusplus extern "C" { # endif +# define SEED_BLOCK_SIZE 16 +# define SEED_KEY_LENGTH 16 + +# ifndef OPENSSL_NO_DEPRECATED_3_0 /* look whether we need 'long' to get 32 bits */ -# ifdef AES_LONG -# ifndef SEED_LONG -# define SEED_LONG 1 +# ifdef AES_LONG +# ifndef SEED_LONG +# define SEED_LONG 1 +# endif # endif -# endif -# include - -# define SEED_BLOCK_SIZE 16 -# define SEED_KEY_LENGTH 16 typedef struct seed_key_st { -# ifdef SEED_LONG +# ifdef SEED_LONG unsigned long data[32]; -# else +# else unsigned int data[32]; -# endif +# endif } SEED_KEY_SCHEDULE; +# endif /* OPENSSL_NO_DEPRECATED_3_0 */ -void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], - SEED_KEY_SCHEDULE *ks); +DEPRECATEDIN_3_0(void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], + SEED_KEY_SCHEDULE *ks)) -void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], - unsigned char d[SEED_BLOCK_SIZE], - const SEED_KEY_SCHEDULE *ks); -void SEED_decrypt(const unsigned char s[SEED_BLOCK_SIZE], - unsigned char d[SEED_BLOCK_SIZE], - const SEED_KEY_SCHEDULE *ks); +DEPRECATEDIN_3_0(void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], + unsigned char d[SEED_BLOCK_SIZE], + const SEED_KEY_SCHEDULE *ks)) +DEPRECATEDIN_3_0(void SEED_decrypt(const unsigned char s[SEED_BLOCK_SIZE], + unsigned char d[SEED_BLOCK_SIZE], + const SEED_KEY_SCHEDULE *ks)) -void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, - const SEED_KEY_SCHEDULE *ks, int enc); -void SEED_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, - const SEED_KEY_SCHEDULE *ks, - unsigned char ivec[SEED_BLOCK_SIZE], int enc); -void SEED_cfb128_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const SEED_KEY_SCHEDULE *ks, - unsigned char ivec[SEED_BLOCK_SIZE], int *num, - int enc); -void SEED_ofb128_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const SEED_KEY_SCHEDULE *ks, - unsigned char ivec[SEED_BLOCK_SIZE], int *num); +DEPRECATEDIN_3_0(void SEED_ecb_encrypt(const unsigned char *in, + unsigned char *out, + const SEED_KEY_SCHEDULE *ks, int enc)) +DEPRECATEDIN_3_0(void SEED_cbc_encrypt(const unsigned char *in, + unsigned char *out, size_t len, + const SEED_KEY_SCHEDULE *ks, + unsigned char ivec[SEED_BLOCK_SIZE], + int enc)) +DEPRECATEDIN_3_0(void SEED_cfb128_encrypt(const unsigned char *in, + unsigned char *out, size_t len, + const SEED_KEY_SCHEDULE *ks, + unsigned char ivec[SEED_BLOCK_SIZE], + int *num, int enc)) +DEPRECATEDIN_3_0(void SEED_ofb128_encrypt(const unsigned char *in, + unsigned char *out, size_t len, + const SEED_KEY_SCHEDULE *ks, + unsigned char ivec[SEED_BLOCK_SIZE], + int *num)) # ifdef __cplusplus } diff --git a/providers/implementations/ciphers/cipher_seed.c b/providers/implementations/ciphers/cipher_seed.c index ee90669fda..0c83482d4e 100644 --- a/providers/implementations/ciphers/cipher_seed.c +++ b/providers/implementations/ciphers/cipher_seed.c @@ -9,6 +9,12 @@ /* Dispatch functions for Seed cipher modes ecb, cbc, ofb, cfb */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include "cipher_seed.h" #include "prov/implementations.h" diff --git a/providers/implementations/ciphers/cipher_seed_hw.c b/providers/implementations/ciphers/cipher_seed_hw.c index 3bd3323dc0..c7dee292ea 100644 --- a/providers/implementations/ciphers/cipher_seed_hw.c +++ b/providers/implementations/ciphers/cipher_seed_hw.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * SEED low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include "cipher_seed.h" static int cipher_hw_seed_initkey(PROV_CIPHER_CTX *ctx, diff --git a/util/libcrypto.num b/util/libcrypto.num index c2eff0edb9..4484b361c3 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -233,7 +233,7 @@ d2i_ASN1_SET_ANY 236 3_0_0 EXIST::FUNCTION: ASN1_item_i2d 238 3_0_0 EXIST::FUNCTION: OCSP_copy_nonce 239 3_0_0 EXIST::FUNCTION:OCSP OBJ_txt2nid 240 3_0_0 EXIST::FUNCTION: -SEED_set_key 241 3_0_0 EXIST::FUNCTION:SEED +SEED_set_key 241 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED EC_KEY_clear_flags 242 3_0_0 EXIST::FUNCTION:EC CMS_RecipientInfo_ktri_get0_algs 243 3_0_0 EXIST::FUNCTION:CMS i2d_EC_PUBKEY 244 3_0_0 EXIST::FUNCTION:EC @@ -360,7 +360,7 @@ CMS_signed_add1_attr_by_txt 366 3_0_0 EXIST::FUNCTION:CMS i2d_NETSCAPE_SPKAC 367 3_0_0 EXIST::FUNCTION: X509V3_add_value_bool_nf 368 3_0_0 EXIST::FUNCTION: ASN1_item_verify 369 3_0_0 EXIST::FUNCTION: -SEED_ecb_encrypt 370 3_0_0 EXIST::FUNCTION:SEED +SEED_ecb_encrypt 370 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED X509_PUBKEY_get0_param 371 3_0_0 EXIST::FUNCTION: ASN1_i2d_fp 372 3_0_0 EXIST::FUNCTION:STDIO BIO_new_mem_buf 373 3_0_0 EXIST::FUNCTION: @@ -971,7 +971,7 @@ BIO_printf 995 3_0_0 EXIST::FUNCTION: a2i_IPADDRESS 996 3_0_0 EXIST::FUNCTION: ERR_peek_error_line_data 997 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ERR_unload_strings 998 3_0_0 EXIST::FUNCTION: -SEED_cfb128_encrypt 999 3_0_0 EXIST::FUNCTION:SEED +SEED_cfb128_encrypt 999 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED ASN1_BIT_STRING_it 1000 3_0_0 EXIST::FUNCTION: PKCS12_decrypt_skey 1001 3_0_0 EXIST::FUNCTION: ENGINE_register_EC 1002 3_0_0 EXIST::FUNCTION:ENGINE @@ -2094,7 +2094,7 @@ ASN1_PRINTABLE_new 2139 3_0_0 EXIST::FUNCTION: OBJ_NAME_new_index 2140 3_0_0 EXIST::FUNCTION: EVP_PKEY_asn1_add_alias 2141 3_0_0 EXIST::FUNCTION: EVP_PKEY_get1_DSA 2142 3_0_0 EXIST::FUNCTION:DSA -SEED_cbc_encrypt 2143 3_0_0 EXIST::FUNCTION:SEED +SEED_cbc_encrypt 2143 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED EVP_rc2_40_cbc 2144 3_0_0 EXIST::FUNCTION:RC2 ECDSA_SIG_new 2145 3_0_0 EXIST::FUNCTION:EC i2d_PKCS8PrivateKey_nid_fp 2146 3_0_0 EXIST::FUNCTION:STDIO @@ -2559,7 +2559,7 @@ OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:STDIO DIRECTORYSTRING_it 2614 3_0_0 EXIST::FUNCTION: BIO_write 2615 3_0_0 EXIST::FUNCTION: OCSP_ONEREQ_get_ext_by_OBJ 2616 3_0_0 EXIST::FUNCTION:OCSP -SEED_encrypt 2617 3_0_0 EXIST::FUNCTION:SEED +SEED_encrypt 2617 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED IPAddressRange_it 2618 3_0_0 EXIST::FUNCTION:RFC3779 PEM_read_bio_DSAPrivateKey 2619 3_0_0 EXIST::FUNCTION:DSA CMS_get0_type 2620 3_0_0 EXIST::FUNCTION:CMS @@ -2663,7 +2663,7 @@ i2d_TS_TST_INFO_bio 2719 3_0_0 EXIST::FUNCTION:TS CMS_sign_receipt 2720 3_0_0 EXIST::FUNCTION:CMS ENGINE_set_RAND 2721 3_0_0 EXIST::FUNCTION:ENGINE X509_REVOKED_get_ext_by_OBJ 2722 3_0_0 EXIST::FUNCTION: -SEED_decrypt 2723 3_0_0 EXIST::FUNCTION:SEED +SEED_decrypt 2723 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED PEM_write_PKCS8PrivateKey 2724 3_0_0 EXIST::FUNCTION:STDIO ENGINE_new 2725 3_0_0 EXIST::FUNCTION:ENGINE X509_check_issued 2726 3_0_0 EXIST::FUNCTION: @@ -2937,7 +2937,7 @@ RSA_padding_add_PKCS1_OAEP_mgf1 2999 3_0_0 EXIST::FUNCTION:RSA COMP_CTX_get_type 3000 3_0_0 EXIST::FUNCTION:COMP TS_RESP_CTX_set_status_info 3001 3_0_0 EXIST::FUNCTION:TS BIO_f_nbio_test 3002 3_0_0 EXIST::FUNCTION: -SEED_ofb128_encrypt 3003 3_0_0 EXIST::FUNCTION:SEED +SEED_ofb128_encrypt 3003 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED d2i_RSAPrivateKey_bio 3004 3_0_0 EXIST::FUNCTION:RSA DH_KDF_X9_42 3005 3_0_0 EXIST::FUNCTION:CMS,DH EVP_PKEY_meth_set_signctx 3006 3_0_0 EXIST::FUNCTION: -- 2.34.1