Deprecate the low level RC4 functions
authorPauli <paul.dale@oracle.com>
Mon, 13 Jan 2020 23:38:09 +0000 (09:38 +1000)
committerPauli <paul.dale@oracle.com>
Wed, 15 Jan 2020 21:07:27 +0000 (07:07 +1000)
Use of the low level RC4 functions has been informally discouraged for a long
time.  We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex and the equivalently named decrypt
functions.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10834)

15 files changed:
apps/speed.c
apps/version.c
crypto/engine/eng_openssl.c
crypto/evp/e_rc4.c
crypto/evp/e_rc4_hmac_md5.c
crypto/rc4/rc4_enc.c
crypto/rc4/rc4_skey.c
include/openssl/rc4.h
providers/implementations/ciphers/cipher_rc4.c
providers/implementations/ciphers/cipher_rc4_hmac_md5.c
providers/implementations/ciphers/cipher_rc4_hmac_md5_hw.c
providers/implementations/ciphers/cipher_rc4_hw.c
test/build.info
test/rc4test.c
util/libcrypto.num

index ae02393dd1c8a1ce10c348703942a27f19c672c8..f567b48d2e561574de456beb994e62ac93bdf5f3 100644 (file)
@@ -353,7 +353,7 @@ static const OPT_PAIR doit_choices[] = {
     {"rmd160", D_RMD160},
     {"ripemd160", D_RMD160},
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"rc4", D_RC4},
 #endif
 #ifndef OPENSSL_NO_DES
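Review bot: With `OPENSSL_NO_DEPRECATED_3_0` defined, the `{"rc4", D_RC4}` entry drops out of `doit_choices`, so the `rc4` algorithm name is no longer accepted by the speed tool even when `OPENSSL_NO_RC4` is not set, and nothing next to the guard says so. A comment on the new `#if`, for example `/* low-level RC4 benchmark only; in a no-deprecated build use -evp rc4 */`, would tell users where the measurement went. The same compound condition is repeated in the hunks at -712, -1973, -2379 and -3492. Any later change must touch all five guards together, or the table, the key setup and the timing loop will disagree about whether `D_RC4` is live.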
@@ -712,7 +712,7 @@ static int EVP_Digest_RMD160_loop(void *args)
 }
 #endif
 
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 static RC4_KEY rc4_ks;
 static int RC4_loop(void *args)
 {
@@ -1973,7 +1973,7 @@ int speed_main(int argc, char **argv)
     if (doit[D_CBC_SEED])
         SEED_set_key(key16, &seed_ks);
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_RC4])
         RC4_set_key(&rc4_ks, 16, key16);
 #endif
@@ -2379,7 +2379,7 @@ int speed_main(int argc, char **argv)
         }
     }
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_RC4]) {
         for (testnum = 0; testnum < size_num; testnum++) {
             print_message(names[D_RC4], c[D_RC4][testnum], lengths[testnum],
@@ -3492,7 +3492,7 @@ int speed_main(int argc, char **argv)
 #if !defined(OPENSSL_NO_MD2) && !defined(OPENSSL_NO_DEPRECATED_3_0)
         printf("%s ", MD2_options());
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
         printf("%s ", RC4_options());
 #endif
 #ifndef OPENSSL_NO_DES
index 09d903d8442fd5928d257f72b7449755c69eefa7..deb91338553a6ca98235cb790f02fde3a5bcc940 100644 (file)
@@ -18,9 +18,6 @@
 #ifndef OPENSSL_NO_MD2
 # include <openssl/md2.h>
 #endif
-#ifndef OPENSSL_NO_RC4
-# include <openssl/rc4.h>
-#endif
 #ifndef OPENSSL_NO_DES
 # include <openssl/des.h>
 #endif
@@ -129,9 +126,6 @@ opthelp:
     if (options) {
         printf("options: ");
         printf(" %s", BN_options());
-#ifndef OPENSSL_NO_RC4
-        printf(" %s", RC4_options());
-#endif
 #ifndef OPENSSL_NO_DES
         printf(" %s", DES_options());
 #endif
index b5c087830c0081b27366c15246cefd1e01ba541e..704268ad970b8f8b8fffc40501d769febf20b5e5 100644 (file)
@@ -8,6 +8,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
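Review bot: Including `internal/deprecated.h` at the top of the file appears to lift the deprecation guard for the whole translation unit rather than only for RC4, so any other deprecated low-level call added here later would compile without a warning. The added comment gives RC4 as the reason but does not say that the include has to stay ahead of every `<openssl/...>` header to take effect. I would extend it to something like `/* Needed for the low-level RC4 calls below; must precede all OpenSSL headers. Do not rely on it for other deprecated APIs. */`. The same include-and-comment pair is added unchanged in the nine other file sections that follow (the EVP, rc4, provider and test sources), and the remark applies to each of them. The file bodies are outside the hunks, so which RC4 calls each file actually makes should be confirmed there.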
index 092d6cf1dba38a98763393c5e316a70e0b4c5930..f75e2d716e4270472bc627266a4d266b66df6792 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 
index f0168219f12b53c88245c4e59fa3c328ef541eff..fa838bf4b2468c16d0769d6ab9e25e255c0debc5 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <internal/cryptlib.h>
 #include <openssl/opensslconf.h>
 
index c4753d93e00671bc74d941f431809e68ad5cedbb..8479091c6c4098f1a978e7a663bc2f344d204b37 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/rc4.h>
 #include "rc4_local.h"
 
index 42c4a20860d489be470ecb55add0ff03bcc16ded..e9d60ca03a547502d45f4615f86d5e2eca3b4b34 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/rc4.h>
 #include "rc4_local.h"
 #include <openssl/opensslv.h>
index 22c76863e7d69b6f7d29fd62121974e96ec7d516..98ba8d8a2bdd4c409fb4b9fa669d1953e1ffe522 100644 (file)
 extern "C" {
 #  endif
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct rc4_key_st {
     RC4_INT x, y;
     RC4_INT data[256];
 } RC4_KEY;
+#  endif
 
-const char *RC4_options(void);
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
-void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
-         unsigned char *outdata);
+DEPRECATEDIN_3_0(const char *RC4_options(void))
+DEPRECATEDIN_3_0(void RC4_set_key(RC4_KEY *key, int len,
+                                  const unsigned char *data))
+DEPRECATEDIN_3_0(void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
+                          unsigned char *outdata))
 
 #  ifdef  __cplusplus
 }
index baf34f7b9393cf400631e9169d2ea096410cad3a..5e6112894f2d7a0fc38347783ed4e5903a053a68 100644 (file)
@@ -9,6 +9,12 @@
 
 /* Dispatch functions for RC4 ciphers */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4.h"
 #include "prov/implementations.h"
 
index e7736bb0f33831c8b4344f722f41fdf64d3b5ec0..876c81d34dc5186b16fc608daee4fb78843bd6b6 100644 (file)
@@ -9,6 +9,12 @@
 
 /* Dispatch functions for RC4_HMAC_MD5 cipher */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4_hmac_md5.h"
 #include "prov/implementations.h"
 #include "prov/providercommonerr.h"
index d3098b1b3c18bd42747ade83329b20d65e5510e0..767a1e3e6bdc8f334b940994c873f9e2eba025d2 100644 (file)
@@ -9,6 +9,12 @@
 
 /* RC4_HMAC_MD5 cipher implementation */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4_hmac_md5.h"
 
 #define NO_PAYLOAD_LENGTH ((size_t)-1)
index 503a6189144d356eee88d5bde26304a31352d09c..865b0aaedb1dc09c935d4f8bd122c5db16668ea4 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4.h"
 
 static int cipher_hw_rc4_initkey(PROV_CIPHER_CTX *ctx,
index 9b3122b74f8aadfee5a2f6f04c13e1a89cf8ae50..c5040718a28ce751eae06613ba9712c5056055bc 100644 (file)
@@ -119,10 +119,6 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[hmactest]=../include ../apps/include
   DEPEND[hmactest]=../libcrypto libtestutil.a
 
-  SOURCE[rc4test]=rc4test.c
-  INCLUDE[rc4test]=../include ../apps/include
-  DEPEND[rc4test]=../libcrypto libtestutil.a
-
   SOURCE[rc5test]=rc5test.c
   INCLUDE[rc5test]=../include ../apps/include
   DEPEND[rc5test]=../libcrypto libtestutil.a
@@ -593,6 +589,10 @@ IF[{- !$disabled{tests} -}]
     INCLUDE[rc2test]=../include ../apps/include
     DEPEND[rc2test]=../libcrypto.a libtestutil.a
 
+    SOURCE[rc4test]=rc4test.c
+    INCLUDE[rc4test]=../include ../apps/include
+    DEPEND[rc4test]=../libcrypto.a libtestutil.a
+
     SOURCE[ec_internal_test]=ec_internal_test.c
     INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include ../crypto/include
     DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
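Review bot: The reason rc4test moves from the `../libcrypto` group to the `../libcrypto.a` group is not recorded beside the new lines. Presumably the test still calls the deprecated low-level RC4 functions and so needs the static library, where those symbols remain available. A one-line comment such as `# rc4test uses the deprecated low-level RC4 API, so it links against the static libcrypto` would stop someone moving it back. The enclosing IF condition and the PROGRAMS lists are outside both hunks, so please confirm that rc4test is still named in a PROGRAMS list that is built under the same condition as this block. Otherwise the RC4 test would silently stop being built and run.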
index 34ec2e016ebabb9e28358ee0b09c1e430972a684..ed0bef50064076a0092826268d08119fa61ca21a 100644 (file)
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 
 #include "internal/nelem.h"
index 827ce5eb15bc21212a3a73baea24910841348b6b..926ab06eaab5fe27b5de1e985e9eeb3a4c521944 100644 (file)
@@ -341,7 +341,7 @@ OPENSSL_sk_sort                         346 3_0_0   EXIST::FUNCTION:
 CTLOG_STORE_load_file                   347    3_0_0   EXIST::FUNCTION:CT
 ASN1_SEQUENCE_it                        348    3_0_0   EXIST::FUNCTION:
 TS_RESP_CTX_get_tst_info                349    3_0_0   EXIST::FUNCTION:TS
-RC4                                     350    3_0_0   EXIST::FUNCTION:RC4
+RC4                                     350    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 PKCS7_stream                            352    3_0_0   EXIST::FUNCTION:
 i2t_ASN1_OBJECT                         353    3_0_0   EXIST::FUNCTION:
 EC_GROUP_get0_generator                 354    3_0_0   EXIST::FUNCTION:EC
@@ -778,7 +778,7 @@ PKCS7_dataInit                          797 3_0_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_set_app_data               798    3_0_0   EXIST::FUNCTION:
 a2i_GENERAL_NAME                        799    3_0_0   EXIST::FUNCTION:
 SXNETID_new                             800    3_0_0   EXIST::FUNCTION:
-RC4_options                             801    3_0_0   EXIST::FUNCTION:RC4
+RC4_options                             801    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 BIO_f_null                              802    3_0_0   EXIST::FUNCTION:
 EC_GROUP_set_curve_name                 803    3_0_0   EXIST::FUNCTION:EC
 d2i_PBE2PARAM                           804    3_0_0   EXIST::FUNCTION:
@@ -2960,7 +2960,7 @@ ASN1_TYPE_unpack_sequence               3024      3_0_0   EXIST::FUNCTION:
 X509_CRL_sign_ctx                       3025   3_0_0   EXIST::FUNCTION:
 X509_STORE_add_crl                      3026   3_0_0   EXIST::FUNCTION:
 PEM_write_RSAPrivateKey                 3027   3_0_0   EXIST::FUNCTION:RSA,STDIO
-RC4_set_key                             3028   3_0_0   EXIST::FUNCTION:RC4
+RC4_set_key                             3028   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 EVP_CIPHER_CTX_cipher                   3029   3_0_0   EXIST::FUNCTION:
 PEM_write_bio_PKCS8PrivateKey_nid       3030   3_0_0   EXIST::FUNCTION:
 BN_MONT_CTX_new                         3031   3_0_0   EXIST::FUNCTION: