From 98186eb4e4aef6262ed6b0f499348defa2c26893 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 4 Jan 2016 23:00:33 -0500 Subject: [PATCH] Backwards-compatibility subject to OPENSSL_API_COMPAT Provide backwards-compatiblity for functions, macros and include files if OPENSSL_API_COMPAT is either not defined or defined less than the version number of the release in which the feature was deprecated. Reviewed-by: Richard Levitte --- CHANGES | 29 +++++++++++++++ Configure | 49 +++++++++++++++++++++----- NEWS | 5 +++ crypto/bn/bn_blind.c | 5 +-- crypto/bn/bn_depr.c | 3 +- crypto/bn/bn_lib.c | 5 +-- crypto/dh/dh_depr.c | 3 +- crypto/dsa/dsa_depr.c | 3 +- crypto/err/err.c | 3 +- crypto/evp/e_old.c | 4 ++- crypto/hmac/hmac.c | 3 +- crypto/opensslconf.h.in | 44 +++++++++++++++++------ crypto/rand/md_rand.c | 7 ++-- crypto/rand/rand_lib.c | 3 +- crypto/rsa/rsa_depr.c | 3 +- crypto/thr_id.c | 7 ++-- doc/crypto/BN_BLINDING_new.pod | 11 +++--- doc/crypto/BN_generate_prime.pod | 2 ++ doc/crypto/BN_zero.pod | 12 +++++-- doc/crypto/DH_generate_parameters.pod | 2 ++ doc/crypto/DSA_generate_parameters.pod | 2 ++ doc/crypto/ERR_remove_state.pod | 2 ++ doc/crypto/RAND_bytes.pod | 2 ++ doc/crypto/RSA_generate_key.pod | 2 ++ doc/crypto/err.pod | 13 ++++--- doc/crypto/hmac.pod | 9 +++-- include/openssl/asn1.h | 3 +- include/openssl/bn.h | 43 +++++++++------------- include/openssl/crypto.h | 26 +++++++++++--- include/openssl/dh.h | 9 +++-- include/openssl/dsa.h | 9 +++-- include/openssl/ec.h | 2 +- include/openssl/engine.h | 2 +- include/openssl/err.h | 6 ++-- include/openssl/hmac.h | 8 ++--- include/openssl/rand.h | 4 +-- include/openssl/rsa.h | 13 ++++--- include/openssl/ssl.h | 3 +- include/openssl/store.h | 2 +- include/openssl/ui.h | 3 +- include/openssl/x509.h | 3 +- 41 files changed, 253 insertions(+), 116 deletions(-) diff --git a/CHANGES b/CHANGES index 31fe88a9ab..b5a9e1e967 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,35 @@ Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL + continues to support deprecated interfaces in default builds. + However, applications are strongly advised to compile their + source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides + the declarations of all interfaces deprecated in 0.9.8, 1.0.0 + or the 1.1.0 releases. + + In environments in which all applications have been ported to + not use any deprecated interfaces OpenSSL's Configure script + should be used with the --api=1.1.0 option to entirely remove + support for the deprecated features from the library and + unconditionally disable them in the installed headers. + Essentially the same effect can be achieved with the "no-deprecated" + argument to Configure, except that this will always restrict + the build to just the latest API, rather than a fixed API + version. + + As applications are ported to future revisions of the API, + they should update their compile-time OPENSSL_API_COMPAT define + accordingly, but in most cases should be able to continue to + compile with later releases. + + The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are + 0x10000000L and 0x00908000L, respectively. However those + versions did not support the OPENSSL_API_COMPAT feature, and + so applications are not typically tested for explicit support + of just the undeprecated features of either release. + [Viktor Dukhovni] + *) Add support for setting the minimum and maximum supported protocol. It can bet set via the SSL_set_min_proto_version() and SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and diff --git a/Configure b/Configure index 07bb98be0a..fb4593e977 100755 --- a/Configure +++ b/Configure @@ -35,6 +35,9 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta # # --cross-compile-prefix Add specified prefix to binutils components. # +# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for +# interfaces deprecated as of the specified OpenSSL version. +# # no-hw-xxx do not compile support for specific crypto hardware. # Generic OpenSSL-style methods relating to this support # are always compiled but return NULL if the hardware @@ -137,6 +140,16 @@ my $bits2="SIXTY_FOUR_BIT "; # seems to be sufficient? my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT"; +# +# API compability name to version number mapping. +# +my $maxapi = "1.1.0"; # API for "no-deprecated" builds +my $apitable = { + "1.1.0" => "0x10100000L", + "1.0.0" => "0x10000000L", + "0.9.8" => "0x00908000L", +}; + # table of known configurations, read in from files # # The content of each entry can take one of two forms: @@ -890,7 +903,6 @@ my @disablables = ( # All of the following is disabled by default (RC5 was enabled before 0.9.8): my %disabled = ( # "what" => "comment" [or special keyword "experimental"] - "deprecated" => "default", "ec_nistp_64_gcc_128" => "default", "jpake" => "experimental", "md2" => "default", @@ -932,6 +944,7 @@ my $openssl_other_defines; my $libs; my $target; my $options; +my $api; my $make_depend=0; my %withargs=(); my $build_prefix = "release_"; @@ -1086,6 +1099,10 @@ PROCESS_ARGS: { $prefix=$1; } + elsif (/^--api=(.*)$/) + { + $api=$1; + } elsif (/^--libdir=(.*)$/) { $libdir=$1; @@ -1157,6 +1174,10 @@ PROCESS_ARGS: } } + if (defined($api) && !exists $apitable->{$api}) { + die "***** Unsupported api compatibility level: $api\n", + } + if (keys %unsupported_options) { die "***** Unsupported options: ", @@ -1542,11 +1563,10 @@ if ($zlib) } } -#Build the library with OPENSSL_USE_DEPRECATED if deprecation is not disabled -if(!defined($disabled{"deprecated"})) - { - $cflags = "-DOPENSSL_USE_DEPRECATED $cflags"; - } +# With "deprecated" disable all deprecated features. +if (defined($disabled{"deprecated"})) { + $api = $maxapi; +} # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org my $shared_mark = ""; @@ -1744,7 +1764,7 @@ open(IN,') { $version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /; - $version_num=$1 if /OPENSSL.VERSION.NUMBER.*0x(\S+)/; + $version_num=$1 if /OPENSSL.VERSION.NUMBER.*(0x\S+)/; $shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/; $shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/; } @@ -1763,6 +1783,12 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/) $shlib_minor=$2; } +if (defined($api)) { + my $apiflag = sprintf("-DOPENSSL_API_COMPAT=%s", $apitable->{$api}); + $default_depflags .= " $apiflag"; + $cflags .= " $apiflag"; +} + my $ecc = $cc; $ecc = "clang" if `$cc --version 2>&1` =~ /clang/; @@ -1991,6 +2017,11 @@ print OUT "#ifdef __cplusplus\n"; print OUT "extern \"C\" {\n"; print OUT "#endif\n"; print OUT "/* OpenSSL was configured with the following options: */\n"; + +my $openssl_api_defines = ""; +if (defined($api)) { + $openssl_api_defines = sprintf "#define OPENSSL_MIN_API %s\n", $apitable->{$api}; +} my $openssl_algorithm_defines_trans = $openssl_algorithm_defines; $openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n# define OPENSSL_NO_$1\n# endif\n#endif/mg; $openssl_algorithm_defines_trans =~ s/^\s*#\s*define\s+OPENSSL_(.*)/# if defined(OPENSSL_$1) \&\& !defined($1)\n# define $1\n# endif/mg; @@ -1999,9 +2030,11 @@ $openssl_algorithm_defines = " /* no ciphers excluded */\n" if $openssl_algori $openssl_thread_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; $openssl_sys_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; $openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; + print OUT $openssl_sys_defines; print OUT "#ifndef OPENSSL_DOING_MAKEDEPEND\n\n"; print OUT $openssl_experimental_defines; +print OUT $openssl_api_defines; print OUT "\n"; print OUT $openssl_algorithm_defines; print OUT "\n#endif /* OPENSSL_DOING_MAKEDEPEND */\n\n"; @@ -2162,7 +2195,7 @@ EOF # create the ms/version32.rc file if needed if ($IsMK1MF && ($target !~ /^netware/)) { my ($v1, $v2, $v3, $v4); - if ($version_num =~ /(^[0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) { + if ($version_num =~ /^0x([0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})L$/i) { $v1=hex $1; $v2=hex $2; $v3=hex $3; diff --git a/NEWS b/NEWS index ab7b2af10d..13e1a91c3f 100644 --- a/NEWS +++ b/NEWS @@ -23,6 +23,11 @@ o EC revision: now operations use new EC_KEY_METHOD. o Support for OCB mode added to libcrypto o Support for asynchronous crypto operations added to libcrypto and libssl + o Deprecated interfaces can now be disabled at build time either + relative to the latest relate via the "no-deprecated" Configure + argument, or via the "--api=1.1.0|1.0.0|0.9.8" option. + o Application software can be compiled with -DOPENSSL_API_COMPAT=version + to ensure that features deprecated before that version are not exposed. Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 7ca13bb31e..bc2918e99b 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -109,6 +109,7 @@ * [including the GNU Public Licence.] */ +#include #include "internal/cryptlib.h" #include "bn_lcl.h" @@ -119,7 +120,7 @@ struct bn_blinding_st { BIGNUM *Ai; BIGNUM *e; BIGNUM *mod; /* just a reference */ -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10000000L unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; used * only by crypto/rsa/rsa_eay.c, rsa_lib.c */ #endif @@ -271,7 +272,7 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, return (ret); } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10000000L unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b) { return b->thread_id; diff --git a/crypto/bn/bn_depr.c b/crypto/bn/bn_depr.c index c4a5c820d0..b64aa5fb29 100644 --- a/crypto/bn/bn_depr.c +++ b/crypto/bn/bn_depr.c @@ -62,11 +62,12 @@ #include #include "internal/cryptlib.h" #include "bn_lcl.h" +#include #include static void *dummy = &dummy; -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x00908000L BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, void (*callback) (int, int, void *), void *cb_arg) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index b9e96b553e..6393a34f8a 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -65,9 +65,10 @@ #include #include "internal/cryptlib.h" #include "bn_lcl.h" +#include /* This stuff appears to be completely unused, so is deprecated */ -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x00908000L /*- * For a 32 bit machine * 2 - 4 == 128 @@ -258,7 +259,7 @@ void BN_free(BIGNUM *a) if (a->flags & BN_FLG_MALLOCED) OPENSSL_free(a); else { -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x00908000L a->flags |= BN_FLG_FREE; #endif a->d = NULL; diff --git a/crypto/dh/dh_depr.c b/crypto/dh/dh_depr.c index de93472189..78875fbc6b 100644 --- a/crypto/dh/dh_depr.c +++ b/crypto/dh/dh_depr.c @@ -59,10 +59,11 @@ #include "internal/cryptlib.h" #include #include +#include static void *dummy = &dummy; -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x00908000L DH *DH_generate_parameters(int prime_len, int generator, void (*callback) (int, int, void *), void *cb_arg) { diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c index 0b18776845..90dbd8d18e 100644 --- a/crypto/dsa/dsa_depr.c +++ b/crypto/dsa/dsa_depr.c @@ -75,8 +75,9 @@ static void *dummy = &dummy; #include #include #include +#include -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x00908000L DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, diff --git a/crypto/err/err.c b/crypto/err/err.c index 9f81768ecc..77e8223de4 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -118,6 +118,7 @@ #include #include #include +#include DECLARE_LHASH_OF(ERR_STRING_DATA); DECLARE_LHASH_OF(ERR_STATE); @@ -861,7 +862,7 @@ void ERR_remove_thread_state(const CRYPTO_THREADID *id) int_thread_del_item(&tmp); } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10000000L void ERR_remove_state(unsigned long pid) { ERR_remove_thread_state(NULL); diff --git a/crypto/evp/e_old.c b/crypto/evp/e_old.c index a23d143b7f..d5c4b4e09d 100644 --- a/crypto/evp/e_old.c +++ b/crypto/evp/e_old.c @@ -57,7 +57,9 @@ * */ -#ifdef OPENSSL_NO_DEPRECATED +#include + +#if OPENSSL_API_COMPAT >= 0x00908000L static void *dummy = &dummy; #else diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c index 3bc93a8841..72daed13dd 100644 --- a/crypto/hmac/hmac.c +++ b/crypto/hmac/hmac.c @@ -61,6 +61,7 @@ #include #include "internal/cryptlib.h" #include +#include #include "hmac_lcl.h" int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, @@ -127,7 +128,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return 0; } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10100000L int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md) { if (key && md) diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in index f12117963f..20a420fa7b 100644 --- a/crypto/opensslconf.h.in +++ b/crypto/opensslconf.h.in @@ -1,20 +1,44 @@ /* crypto/opensslconf.h.in */ /* - * Applications should use -DOPENSSL_USE_DEPRECATED to enable access to - * deprecated functions. But if the library has been built to disable - * deprecated functions then this will not work + * Applications should use -DOPENSSL_API_COMPAT= to suppress the + * declarations of functions deprecated in or before . Otherwise, they + * still won't see them if the library has been built to disable deprecated + * functions. */ -#if defined(OPENSSL_NO_DEPRECATED) && defined(OPENSSL_USE_DEPRECATED) -#error "OPENSSL_USE_DEPRECATED has been defined, but OpenSSL has been built without support for deprecated functions" +#if defined(OPENSSL_NO_DEPRECATED) +# define DECLARE_DEPRECATED(f) +#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +#else +# define DECLARE_DEPRECATED(f) f; +#endif + +#ifndef OPENSSL_MIN_API +#define OPENSSL_MIN_API 0 +#endif + +#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API +#undef OPENSSL_API_COMPAT +#define OPENSSL_API_COMPAT OPENSSL_MIN_API +#endif + +#if OPENSSL_API_COMPAT < 0x10100000L +# define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f) +#else +# define DEPRECATEDIN_1_1_0(f) +#endif + +#if OPENSSL_API_COMPAT < 0x10000000L +# define DEPRECATEDIN_1_0_0(f) DECLARE_DEPRECATED(f) +#else +# define DEPRECATEDIN_1_0_0(f) #endif -/* Test for support for deprecated attribute */ -#if __GNUC__ > 3 || \ - (__GNUC__ == 3 && __GNUC_MINOR__ > 0) -#define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)) +#if OPENSSL_API_COMPAT < 0x00908000L +# define DEPRECATEDIN_0_9_8(f) DECLARE_DEPRECATED(f) #else -#define DECLARE_DEPRECATED(f) f +# define DEPRECATEDIN_0_9_8(f) #endif /* Generate 80386 code? */ diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index c2dfce419a..13ad774d8a 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -128,6 +128,7 @@ # include #endif +#include #include #include #include @@ -172,7 +173,7 @@ static int rand_seed(const void *buf, int num); static int rand_add(const void *buf, int num, double add_entropy); static int rand_bytes(unsigned char *buf, int num, int pseudo); static int rand_nopseudo_bytes(unsigned char *buf, int num); -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10100000L static int rand_pseudo_bytes(unsigned char *buf, int num); #endif static int rand_status(void); @@ -182,7 +183,7 @@ static RAND_METHOD rand_meth = { rand_nopseudo_bytes, rand_cleanup, rand_add, -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10100000L rand_pseudo_bytes, #else NULL, @@ -627,7 +628,7 @@ static int rand_nopseudo_bytes(unsigned char *buf, int num) return rand_bytes(buf, num, 0); } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10100000L /* * pseudo-random bytes that are guaranteed to be unique but not unpredictable */ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 308b9e2c30..4a425d7e58 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -59,6 +59,7 @@ #include #include #include "internal/cryptlib.h" +#include #include #ifndef OPENSSL_NO_ENGINE @@ -159,7 +160,7 @@ int RAND_bytes(unsigned char *buf, int num) return (-1); } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10100000L int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); diff --git a/crypto/rsa/rsa_depr.c b/crypto/rsa/rsa_depr.c index 5bd0275856..59e1e7b38e 100644 --- a/crypto/rsa/rsa_depr.c +++ b/crypto/rsa/rsa_depr.c @@ -61,10 +61,11 @@ #include #include #include "internal/cryptlib.h" +#include #include #include -#ifdef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT >= 0x00908000L static void *dummy = &dummy; diff --git a/crypto/thr_id.c b/crypto/thr_id.c index 51088e4fb5..73711d89e3 100644 --- a/crypto/thr_id.c +++ b/crypto/thr_id.c @@ -115,8 +115,9 @@ */ #include "internal/cryptlib.h" +#include -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10000000L static unsigned long (*id_callback) (void) = 0; #endif static void (*threadid_callback) (CRYPTO_THREADID *) = 0; @@ -189,7 +190,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id) threadid_callback(id); return; } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10000000L /* If the deprecated callback was set, fall back to that */ if (id_callback) { CRYPTO_THREADID_set_numeric(id, id_callback()); @@ -220,7 +221,7 @@ unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id) return id->val; } -#ifndef OPENSSL_NO_DEPRECATED +#if OPENSSL_API_COMPAT < 0x10000000L unsigned long (*CRYPTO_get_id_callback(void)) (void) { return (id_callback); } diff --git a/doc/crypto/BN_BLINDING_new.pod b/doc/crypto/BN_BLINDING_new.pod index 2e575c6d37..8688e48722 100644 --- a/doc/crypto/BN_BLINDING_new.pod +++ b/doc/crypto/BN_BLINDING_new.pod @@ -22,10 +22,6 @@ functions. BN_CTX *ctx); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx); - #ifndef OPENSSL_NO_DEPRECATED - unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); - void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); - #endif CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); @@ -35,6 +31,13 @@ functions. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx); +Deprecated: + + #if OPENSSL_API_COMPAT < 0x10000000L + unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); + void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); + #endif + =head1 DESCRIPTION BN_BLINDING_new() allocates a new B structure and copies diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index 90f399dea6..8ea3d0bf3c 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -35,6 +35,7 @@ for primality Deprecated: + #if OPENSSL_API_COMPAT < 0x00908000L BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); @@ -44,6 +45,7 @@ Deprecated: int BN_is_prime_fasttest(const BIGNUM *a, int checks, void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg, int do_trial_division); + #endif =head1 DESCRIPTION diff --git a/doc/crypto/BN_zero.pod b/doc/crypto/BN_zero.pod index e0f653f81e..5334aaa41a 100644 --- a/doc/crypto/BN_zero.pod +++ b/doc/crypto/BN_zero.pod @@ -9,7 +9,7 @@ operations #include - int BN_zero(BIGNUM *a); + void BN_zero(BIGNUM *a); int BN_one(BIGNUM *a); const BIGNUM *BN_value_one(void); @@ -17,6 +17,12 @@ operations int BN_set_word(BIGNUM *a, unsigned long w); unsigned long BN_get_word(BIGNUM *a); +Deprecated: + + #if OPENSSL_API_COMPAT < 0x00908000L + int BN_zero(BIGNUM *a); + #endif + =head1 DESCRIPTION BN_zero(), BN_one() and BN_set_word() set B to the values 0, 1 and @@ -33,8 +39,10 @@ long. BN_get_word() returns the value B, and 0xffffffffL if B cannot be represented as an unsigned long. -BN_zero(), BN_one() and BN_set_word() return 1 on success, 0 otherwise. +BN_one(), BN_set_word() and the deprecated version of BN_zero() +return 1 on success, 0 otherwise. BN_value_one() returns the constant. +The preferred version of BN_zer() never fails and returns no value. =head1 BUGS diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod index 1491d9f679..93d7b9c3b4 100644 --- a/doc/crypto/DH_generate_parameters.pod +++ b/doc/crypto/DH_generate_parameters.pod @@ -16,8 +16,10 @@ DH_check - generate and check Diffie-Hellman parameters Deprecated: + #if OPENSSL_API_COMPAT < 0x00908000L DH *DH_generate_parameters(int prime_len, int generator, void (*callback)(int, int, void *), void *cb_arg); + #endif =head1 DESCRIPTION diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod index efe46eb734..b639db6d84 100644 --- a/doc/crypto/DSA_generate_parameters.pod +++ b/doc/crypto/DSA_generate_parameters.pod @@ -14,9 +14,11 @@ DSA_generate_parameters_ex, DSA_generate_parameters - generate DSA parameters Deprecated: + #if OPENSSL_API_COMPAT < 0x00908000L DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, int *counter_ret, unsigned long *h_ret, void (*callback)(int, int, void *), void *cb_arg); + #endif =head1 DESCRIPTION diff --git a/doc/crypto/ERR_remove_state.pod b/doc/crypto/ERR_remove_state.pod index 1d20fc2dc2..55ded84c48 100644 --- a/doc/crypto/ERR_remove_state.pod +++ b/doc/crypto/ERR_remove_state.pod @@ -12,7 +12,9 @@ ERR_remove_thread_state, ERR_remove_state - free a thread's error queue Deprecated: + #if OPENSSL_API_COMPAT < 0x10000000L void ERR_remove_state(unsigned long pid); + #endif =head1 DESCRIPTION diff --git a/doc/crypto/RAND_bytes.pod b/doc/crypto/RAND_bytes.pod index d57618de4b..03c6e7f22d 100644 --- a/doc/crypto/RAND_bytes.pod +++ b/doc/crypto/RAND_bytes.pod @@ -12,7 +12,9 @@ RAND_bytes, RAND_pseudo_bytes - generate random data Deprecated: + #if OPENSSL_API_COMPAT < 0x10100000L int RAND_pseudo_bytes(unsigned char *buf, int num); + #endif =head1 DESCRIPTION diff --git a/doc/crypto/RSA_generate_key.pod b/doc/crypto/RSA_generate_key.pod index 7f6a157178..380bf123e0 100644 --- a/doc/crypto/RSA_generate_key.pod +++ b/doc/crypto/RSA_generate_key.pod @@ -12,8 +12,10 @@ RSA_generate_key_ex, RSA_generate_key - generate RSA key pair Deprecated: + #if OPENSSL_API_COMPAT < 0x00908000L RSA *RSA_generate_key(int num, unsigned long e, void (*callback)(int,int,void *), void *cb_arg); + #endif =head1 DESCRIPTION diff --git a/doc/crypto/err.pod b/doc/crypto/err.pod index 1a3c223526..4f512e6db0 100644 --- a/doc/crypto/err.pod +++ b/doc/crypto/err.pod @@ -22,6 +22,7 @@ err - error codes int ERR_GET_REASON(unsigned long e); void ERR_clear_error(void); + void ERR_remove_thread_state(const CRYPTO_THREADID *tid); char *ERR_error_string(unsigned long e, char *buf); const char *ERR_lib_error_string(unsigned long e); @@ -34,8 +35,6 @@ err - error codes void ERR_load_crypto_strings(void); void ERR_free_strings(void); - void ERR_remove_state(unsigned long pid); - void ERR_put_error(int lib, int func, int reason, const char *file, int line); void ERR_add_error_data(int num, ...); @@ -44,6 +43,12 @@ err - error codes unsigned long ERR_PACK(int lib, int func, int reason); int ERR_get_next_error_library(void); +Deprecated: + + #if OPENSSL_API_COMPAT < 0x10000000L + void ERR_remove_state(unsigned long pid); + #endif + =head1 DESCRIPTION When a call to the OpenSSL library fails, this is usually signaled @@ -62,7 +67,7 @@ messages is described in L. L can be used to clear the error queue. -Note that L should be used to +Note that L should be used to avoid memory leaks when threads are terminated. =head1 ADDING NEW ERROR CODES TO OPENSSL @@ -178,7 +183,7 @@ L, L, L, L, -L, +L, L, L, L diff --git a/doc/crypto/hmac.pod b/doc/crypto/hmac.pod index d8e2498abc..57c274cbfe 100644 --- a/doc/crypto/hmac.pod +++ b/doc/crypto/hmac.pod @@ -15,8 +15,6 @@ HMAC, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, HMAC_Init, HMAC_Init_ex, HMAC HMAC_CTX *HMAC_CTX_new(void); int HMAC_CTX_reset(HMAC_CTX *ctx); - int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, - const EVP_MD *md); int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md, ENGINE *impl); int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len); @@ -24,6 +22,13 @@ HMAC, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, HMAC_Init, HMAC_Init_ex, HMAC void HMAC_CTX_free(HMAC_CTX *ctx); +Deprecated: + + #if OPENSSL_API_COMPAT < 0x10100000L + int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, + const EVP_MD *md); + #endif + =head1 DESCRIPTION HMAC is a MAC (message authentication code), i.e. a keyed hash diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index e80b376e01..627f725ac0 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h @@ -61,6 +61,7 @@ # include # include +# include # include # include # include @@ -68,7 +69,7 @@ # include # include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # endif diff --git a/include/openssl/bn.h b/include/openssl/bn.h index b052c41991..84111b507f 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -129,6 +129,7 @@ # ifndef OPENSSL_NO_STDIO # include /* FILE */ # endif +# include # include # include @@ -270,14 +271,10 @@ extern "C" { # define BN_FLG_CONSTTIME 0x04 # define BN_FLG_SECURE 0x08 -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x00908000L /* deprecated name for the flag */ # define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME -# endif - -# ifdef OPENSSL_USE_DEPRECATED -# define BN_FLG_FREE 0x8000 - /* used for debuging */ +# define BN_FLG_FREE 0x8000 /* used for debuging */ # endif void BN_set_flags(BIGNUM *b, int n); @@ -343,7 +340,7 @@ int BN_is_odd(const BIGNUM *a); void BN_zero_ex(BIGNUM *a); -# ifndef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT >= 0x00908000L # define BN_zero(a) BN_zero_ex(a) # else # define BN_zero(a) (BN_set_word((a),0)) @@ -475,23 +472,21 @@ BIGNUM *BN_mod_sqrt(BIGNUM *ret, void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); /* Deprecated versions */ -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, +DEPRECATEDIN_0_9_8(BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, void (*callback) (int, int, void *), - void *cb_arg)); -DECLARE_DEPRECATED(int + void *cb_arg)) +DEPRECATEDIN_0_9_8(int BN_is_prime(const BIGNUM *p, int nchecks, void (*callback) (int, int, void *), - BN_CTX *ctx, void *cb_arg)); -DECLARE_DEPRECATED(int + BN_CTX *ctx, void *cb_arg)) +DEPRECATEDIN_0_9_8(int BN_is_prime_fasttest(const BIGNUM *p, int nchecks, void (*callback) (int, int, void *), BN_CTX *ctx, void *cb_arg, - int do_trial_division)); -# endif /* defined(OPENSSL_USE_DEPRECATED) */ + int do_trial_division)) /* Newer versions */ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, @@ -535,12 +530,10 @@ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *); -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(unsigned long - BN_BLINDING_get_thread_id(const BN_BLINDING *)); -DECLARE_DEPRECATED(void - BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long)); -# endif +DEPRECATEDIN_1_0_0(unsigned long + BN_BLINDING_get_thread_id(const BN_BLINDING *)) +DEPRECATEDIN_1_0_0(void + BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long)) CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); @@ -554,11 +547,9 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx); -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(void BN_set_params(int mul, int high, int low, int mont)); -DECLARE_DEPRECATED(int BN_get_params(int which)); /* 0, mul, 1 high, 2 low, 3 - * mont */ -# endif +DEPRECATEDIN_0_9_8(void BN_set_params(int mul, int high, int low, int mont)) +DEPRECATEDIN_0_9_8(int BN_get_params(int which)) /* 0, mul, 1 high, 2 low, 3 + * mont */ BN_RECP_CTX *BN_RECP_CTX_new(void); void BN_RECP_CTX_free(BN_RECP_CTX *recp); diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index cf98b2cf24..a85b021253 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -130,6 +130,7 @@ # include # include # include +# include # ifdef CHARSET_EBCDIC # include @@ -141,10 +142,25 @@ */ # include +# if OPENSSL_API_COMPAT < 0x10100000L +# include +# endif + #ifdef __cplusplus extern "C" { #endif +# if OPENSSL_API_COMPAT < 0x10100000L +# define SSLeay OpenSSL_version_num +# define SSLeay_version OpenSSL_version +# define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER +# define SSLEAY_VERSION OPENSSL_VERSION +# define SSLEAY_CFLAGS OPENSSL_CFLAGS +# define SSLEAY_BUILT_ON OPENSSL_BUILT_ON +# define SSLEAY_PLATFORM OPENSSL_PLATFORM +# define SSLEAY_DIR OPENSSL_DIR +# endif /* OPENSSL_API_COMPAT */ + /* * When changing the CRYPTO_LOCK_* list, be sure to maintin the text lock * names in cryptlib.c @@ -414,15 +430,15 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id); int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b); void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src); unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id); -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(void CRYPTO_set_id_callback(unsigned long (*func) (void))); +DEPRECATEDIN_1_0_0(void CRYPTO_set_id_callback(unsigned long (*func) (void))) /* - * mkdef.pl cannot handle this next one so not inside DECLARE_DEPRECATED, - * but still inside OPENSSL_USE_DEPRECATED + * mkdef.pl cannot handle this next one so not inside DEPRECATEDIN_1_0_0, + * but still conditional on a lower or unknown source API version. */ +# if OPENSSL_API_COMPAT < 0x10000000L unsigned long (*CRYPTO_get_id_callback(void)) (void); -DECLARE_DEPRECATED(unsigned long CRYPTO_thread_id(void)); # endif +DEPRECATEDIN_1_0_0(unsigned long CRYPTO_thread_id(void)) const char *CRYPTO_get_lock_name(int type); int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file, diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 816b1eb218..b1192a387f 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -60,6 +60,7 @@ # define HEADER_DH_H # include +# include # ifdef OPENSSL_NO_DH # error DH is disabled. @@ -67,7 +68,7 @@ # include # include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # endif @@ -209,12 +210,10 @@ int DH_set_ex_data(DH *d, int idx, void *arg); void *DH_get_ex_data(DH *d, int idx); /* Deprecated version */ -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(DH *DH_generate_parameters(int prime_len, int generator, +DEPRECATEDIN_0_9_8(DH *DH_generate_parameters(int prime_len, int generator, void (*callback) (int, int, void *), - void *cb_arg)); -# endif /* defined(OPENSSL_USE_DEPRECATED) */ + void *cb_arg)) /* New version */ int DH_generate_parameters_ex(DH *dh, int prime_len, int generator, diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 824faae099..14b06ecff6 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -73,8 +73,9 @@ # include # include # include +# include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # ifndef OPENSSL_NO_DH # include @@ -222,16 +223,14 @@ DSA *d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length); DSA *d2i_DSAparams(DSA **a, const unsigned char **pp, long length); /* Deprecated version */ -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(DSA *DSA_generate_parameters(int bits, +DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, int *counter_ret, unsigned long *h_ret, void (*callback) (int, int, void *), - void *cb_arg)); -# endif /* defined(OPENSSL_USE_DEPRECATED) */ + void *cb_arg)) /* New version */ int DSA_generate_parameters_ex(DSA *dsa, int bits, diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 1dc2db18cc..3926907401 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -85,7 +85,7 @@ # include # include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # endif diff --git a/include/openssl/engine.h b/include/openssl/engine.h index 34d7fed52e..300ff26b08 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h @@ -71,7 +71,7 @@ # error ENGINE is disabled. # endif -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # ifndef OPENSSL_NO_RSA # include diff --git a/include/openssl/err.h b/include/openssl/err.h index 79bf6a3214..e05552b182 100644 --- a/include/openssl/err.h +++ b/include/openssl/err.h @@ -351,10 +351,8 @@ void ERR_load_crypto_strings(void); void ERR_free_strings(void); void ERR_remove_thread_state(const CRYPTO_THREADID *tid); -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(void ERR_remove_state(unsigned long pid)); /* if zero we - * look it up */ -# endif +DEPRECATEDIN_1_0_0(void ERR_remove_state(unsigned long pid)) /* if zero we + * look it up */ ERR_STATE *ERR_get_state(void); LHASH_OF(ERR_STRING_DATA) *ERR_get_string_table(void); diff --git a/include/openssl/hmac.h b/include/openssl/hmac.h index 071e8b49dc..f9a67b5386 100644 --- a/include/openssl/hmac.h +++ b/include/openssl/hmac.h @@ -73,13 +73,9 @@ HMAC_CTX *HMAC_CTX_new(void); int HMAC_CTX_reset(HMAC_CTX *ctx); void HMAC_CTX_free(HMAC_CTX *ctx); -#ifdef OPENSSL_USE_DEPRECATED +DEPRECATEDIN_1_1_0(__owur int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, + const EVP_MD *md)) -/* deprecated */ -DECLARE_DEPRECATED(__owur int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, - const EVP_MD *md)); - -#endif /*__owur*/ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl); /*__owur*/ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, diff --git a/include/openssl/rand.h b/include/openssl/rand.h index fb5dda1e83..13e3e04f98 100644 --- a/include/openssl/rand.h +++ b/include/openssl/rand.h @@ -95,9 +95,7 @@ int RAND_set_rand_engine(ENGINE *engine); RAND_METHOD *RAND_OpenSSL(void); void RAND_cleanup(void); int RAND_bytes(unsigned char *buf, int num); -#ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(int RAND_pseudo_bytes(unsigned char *buf, int num)); -#endif +DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num)) void RAND_seed(const void *buf, int num); #if defined(__ANDROID__) && defined(__NDK_FPABI__) __NDK_FPABI__ /* __attribute__((pcs("aapcs"))) on ARM */ diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index d47eeb179a..28c851abb5 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -59,12 +59,13 @@ #ifndef HEADER_RSA_H # define HEADER_RSA_H +# include # include # include # include # include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # endif @@ -212,7 +213,7 @@ struct rsa_st { * private key operations. */ # define RSA_FLAG_NO_CONSTTIME 0x0100 -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x00908000L /* deprecated name for the flag*/ /* * new with 0.9.7h; the built-in RSA @@ -316,11 +317,9 @@ int RSA_size(const RSA *rsa); int RSA_security_bits(const RSA *rsa); /* Deprecated version */ -# ifdef OPENSSL_USE_DEPRECATED -DECLARE_DEPRECATED(RSA *RSA_generate_key(int bits, unsigned long e, void - (*callback) (int, int, void *), - void *cb_arg)); -# endif /* defined(OPENSSL_USE_DEPRECATED) */ +DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void + (*callback) (int, int, void *), + void *cb_arg)) /* New version */ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index ee1835a91b..39cb2e7edb 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -144,10 +144,11 @@ # define HEADER_SSL_H # include +# include # include # include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # include # include diff --git a/include/openssl/store.h b/include/openssl/store.h index cc4683e369..38a2d4b58a 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -67,7 +67,7 @@ # endif # include -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # include # include diff --git a/include/openssl/ui.h b/include/openssl/ui.h index 3b4b372d74..93a93a7baa 100644 --- a/include/openssl/ui.h +++ b/include/openssl/ui.h @@ -60,11 +60,12 @@ #ifndef HEADER_UI_H # define HEADER_UI_H -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # include # endif # include # include +# include #ifdef __cplusplus extern "C" { diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 0f66329544..50a5edd27e 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -65,6 +65,7 @@ # define HEADER_X509_H # include +# include # include # include # include @@ -77,7 +78,7 @@ # include # endif -# ifdef OPENSSL_USE_DEPRECATED +# if OPENSSL_API_COMPAT < 0x10100000L # ifndef OPENSSL_NO_RSA # include # endif -- 2.34.1