From da2d32f6db1c9fb33478af660daddcd1df369716 Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 13 Jan 2020 13:02:45 +1000 Subject: [PATCH] Deprecate the low level IDEA functions. Use of the low level IDEA functions has been informally discouraged for a long time. We now formally deprecate them. Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt functions. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10819) --- apps/speed.c | 10 ++-- apps/version.c | 12 ----- crypto/evp/e_idea.c | 7 +++ crypto/idea/i_cbc.c | 7 +++ crypto/idea/i_cfb64.c | 7 +++ crypto/idea/i_ecb.c | 7 +++ crypto/idea/i_ofb64.c | 7 +++ crypto/idea/i_skey.c | 7 +++ include/openssl/idea.h | 49 +++++++++++-------- .../implementations/ciphers/cipher_idea.c | 7 +++ .../implementations/ciphers/cipher_idea_hw.c | 7 +++ test/build.info | 12 ++--- test/ideatest.c | 7 +++ util/libcrypto.num | 16 +++--- 14 files changed, 111 insertions(+), 51 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index dd07527cde..4883fe0936 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -378,7 +378,7 @@ static const OPT_PAIR doit_choices[] = { {"rc5-cbc", D_CBC_RC5}, {"rc5", D_CBC_RC5}, #endif -#ifndef OPENSSL_NO_IDEA +#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"idea-cbc", D_CBC_IDEA}, {"idea", D_CBC_IDEA}, #endif @@ -1459,7 +1459,7 @@ int speed_main(int argc, char **argv) #if !defined(OPENSSL_NO_RC2) && !defined(OPENSSL_NO_DEPRECATED_3_0) RC2_KEY rc2_ks; #endif -#ifndef OPENSSL_NO_IDEA +#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) IDEA_KEY_SCHEDULE idea_ks; #endif #if !defined(OPENSSL_NO_SEED) && !defined(OPENSSL_NO_DEPRECATED_3_0) 
@@ -1969,7 +1969,7 @@ int speed_main(int argc, char **argv) Camellia_set_key(key32, 256, &camellia_ks[2]); } #endif -#ifndef OPENSSL_NO_IDEA +#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_CBC_IDEA]) IDEA_set_encrypt_key(key16, &idea_ks); #endif @@ -2571,7 +2571,7 @@ int speed_main(int argc, char **argv) } } #endif -#ifndef OPENSSL_NO_IDEA +#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_CBC_IDEA]) { if (async_jobs > 0) { BIO_printf(bio_err, "Async mode is not supported with %s\n", @@ -3507,7 +3507,7 @@ int speed_main(int argc, char **argv) #ifndef OPENSSL_NO_DEPRECATED_3_0 printf("%s ", AES_options()); #endif -#ifndef OPENSSL_NO_IDEA +#if !defined(OPENSSL_NO_IDEA) && !defined(OPENSSL_NO_DEPRECATED_3_0) printf("%s ", IDEA_options()); #endif #if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0) diff --git a/apps/version.c b/apps/version.c index deb9133855..513bbc81af 100644 --- a/apps/version.c +++ b/apps/version.c @@ -15,18 +15,9 @@ #include #include #include -#ifndef OPENSSL_NO_MD2 -# include -#endif #ifndef OPENSSL_NO_DES # include #endif -#ifndef OPENSSL_NO_IDEA -# include -#endif -#ifndef OPENSSL_NO_BF -# include -#endif typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -128,9 +119,6 @@ opthelp: printf(" %s", BN_options()); #ifndef OPENSSL_NO_DES printf(" %s", DES_options()); -#endif -#ifndef OPENSSL_NO_IDEA - printf(" %s", IDEA_options()); #endif printf("\n"); } diff --git a/crypto/evp/e_idea.c b/crypto/evp/e_idea.c index 8c3a554108..97170200a3 100644 --- a/crypto/evp/e_idea.c +++ b/crypto/evp/e_idea.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "internal/cryptlib.h" 
diff --git a/crypto/idea/i_cbc.c b/crypto/idea/i_cbc.c index a78841fcfc..987ba05ea1 100644 --- a/crypto/idea/i_cbc.c +++ b/crypto/idea/i_cbc.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "idea_local.h" diff --git a/crypto/idea/i_cfb64.c b/crypto/idea/i_cfb64.c index 45c15b9474..50784f9027 100644 --- a/crypto/idea/i_cfb64.c +++ b/crypto/idea/i_cfb64.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "idea_local.h" diff --git a/crypto/idea/i_ecb.c b/crypto/idea/i_ecb.c index 9fee121893..74cb35ae11 100644 --- a/crypto/idea/i_ecb.c +++ b/crypto/idea/i_ecb.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "idea_local.h" #include diff --git a/crypto/idea/i_ofb64.c b/crypto/idea/i_ofb64.c index 517ded7bd6..bca1999ef9 100644 --- a/crypto/idea/i_ofb64.c +++ b/crypto/idea/i_ofb64.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "idea_local.h" diff --git a/crypto/idea/i_skey.c b/crypto/idea/i_skey.c index 0b0221bd81..36bc2c9b1b 100644 
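Review bot: The comment added above `#include "internal/deprecated.h"` in crypto/idea/i_cbc.c gives a reason that does not fit the file: it says the low level APIs are used "to implement the higher level EVP interface, as is the case here", but this file is part of the low level IDEA implementation itself. The same copied text is added in the i_cfb64.c, i_ecb.c, i_ofb64.c and i_skey.c hunks, and in test/ideatest.c, which is a test program rather than EVP glue. For the crypto/idea files I would write `/* IDEA low level APIs are deprecated for public use; this file provides their implementation. */`, and for the test `/* IDEA low level APIs are deprecated for public use, but still ok for internal use where we're testing them directly, as is the case here. */`. The original wording appears accurate in e_idea.c, cipher_idea.c and cipher_idea_hw.c, judging by their paths and the dispatch comment visible in cipher_idea.c.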
--- a/crypto/idea/i_skey.c +++ b/crypto/idea/i_skey.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "idea_local.h" diff --git a/include/openssl/idea.h b/include/openssl/idea.h index a0a0ceeb7e..a651ee2e72 100644 --- a/include/openssl/idea.h +++ b/include/openssl/idea.h 
@@ -23,33 +23,42 @@ extern "C" { # endif -typedef unsigned int IDEA_INT; - -# define IDEA_ENCRYPT 1 -# define IDEA_DECRYPT 0 - # define IDEA_BLOCK 8 # define IDEA_KEY_LENGTH 16 +# ifndef OPENSSL_NO_DEPRECATED_3_0 + +typedef unsigned int IDEA_INT; + +# define IDEA_ENCRYPT 1 +# define IDEA_DECRYPT 0 + typedef struct idea_key_st { IDEA_INT data[9][6]; } IDEA_KEY_SCHEDULE; +#endif -const char *IDEA_options(void); -void IDEA_ecb_encrypt(const unsigned char *in, unsigned char *out, - IDEA_KEY_SCHEDULE *ks); -void IDEA_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); -void IDEA_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); -void IDEA_cbc_encrypt(const unsigned char *in, unsigned char *out, - long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, - int enc); -void IDEA_cfb64_encrypt(const unsigned char *in, unsigned char *out, - long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, - int *num, int enc); -void IDEA_ofb64_encrypt(const unsigned char *in, unsigned char *out, - long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, - int *num); -void IDEA_encrypt(unsigned long *in, IDEA_KEY_SCHEDULE *ks); +DEPRECATEDIN_3_0(const char *IDEA_options(void)) +DEPRECATEDIN_3_0(void IDEA_ecb_encrypt(const unsigned char *in, + unsigned char *out, + IDEA_KEY_SCHEDULE *ks)) +DEPRECATEDIN_3_0(void IDEA_set_encrypt_key(const unsigned char *key, + IDEA_KEY_SCHEDULE *ks)) +DEPRECATEDIN_3_0(void IDEA_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, + IDEA_KEY_SCHEDULE *dk)) +DEPRECATEDIN_3_0(void IDEA_cbc_encrypt(const unsigned char *in, + unsigned char *out, long length, + IDEA_KEY_SCHEDULE *ks, + unsigned char *iv, int enc)) +DEPRECATEDIN_3_0(void IDEA_cfb64_encrypt(const unsigned char *in, + unsigned char *out, long length, + IDEA_KEY_SCHEDULE *ks, + unsigned char *iv, int *num, int enc)) +DEPRECATEDIN_3_0(void IDEA_ofb64_encrypt(const unsigned char *in, + unsigned char *out, long length, + IDEA_KEY_SCHEDULE *ks, + unsigned char *iv, int *num)) 
+DEPRECATEDIN_3_0(void IDEA_encrypt(unsigned long *in, IDEA_KEY_SCHEDULE *ks)) # ifndef OPENSSL_NO_DEPRECATED_1_1_0 # define idea_options IDEA_options diff --git a/providers/implementations/ciphers/cipher_idea.c b/providers/implementations/ciphers/cipher_idea.c index 5602655f76..2c089634a4 100644 --- a/providers/implementations/ciphers/cipher_idea.c +++ b/providers/implementations/ciphers/cipher_idea.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + /* Dispatch functions for Idea cipher modes ecb, cbc, ofb, cfb */ #include "cipher_idea.h" diff --git a/providers/implementations/ciphers/cipher_idea_hw.c b/providers/implementations/ciphers/cipher_idea_hw.c index d722cc7a27..7718791b08 100644 --- a/providers/implementations/ciphers/cipher_idea_hw.c +++ b/providers/implementations/ciphers/cipher_idea_hw.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include "cipher_idea.h" static int cipher_hw_idea_initkey(PROV_CIPHER_CTX *ctx, diff --git a/test/build.info b/test/build.info index 837dbba934..cf03ce4c1a 100644 --- a/test/build.info +++ b/test/build.info @@ -32,7 +32,7 @@ IF[{- !$disabled{tests} -}] versions \ aborttest test_test \ sanitytest rsa_complex exdatatest bntest \ - ectest ecstresstest ecdsatest gmdifftest pbelutest ideatest \ + ectest ecstresstest ecdsatest gmdifftest pbelutest \ hmactest \ destest mdc2test \ dhtest enginetest \ 
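Review bot: In include/openssl/idea.h the new `# ifndef OPENSSL_NO_DEPRECATED_3_0` block is closed immediately after the `IDEA_KEY_SCHEDULE` typedef, leaving the `DEPRECATEDIN_3_0(...)` declarations that take `IDEA_KEY_SCHEDULE *` outside the guard. They only compile in a no-deprecated build if that macro expands to nothing; its definition is not in this hunk, so that is presumably the case. Moving the closing directive below the `IDEA_encrypt` declaration would keep the type and every declaration that uses it under one guard and make the dependency explicit. The closing line is also written `#endif` at column 0, while the rest of the header nests directives as `# ifndef` / `# define`; `# endif /* OPENSSL_NO_DEPRECATED_3_0 */` would match. The header continues outside the hunk.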
@@ -110,10 +110,6 @@ IF[{- !$disabled{tests} -}] INCLUDE[pbelutest]=../include ../apps/include DEPEND[pbelutest]=../libcrypto libtestutil.a - SOURCE[ideatest]=ideatest.c - INCLUDE[ideatest]=../include ../apps/include - DEPEND[ideatest]=../libcrypto libtestutil.a - SOURCE[hmactest]=hmactest.c INCLUDE[hmactest]=../include ../apps/include DEPEND[hmactest]=../libcrypto libtestutil.a @@ -505,7 +501,7 @@ IF[{- !$disabled{tests} -}] IF[1] PROGRAMS{noinst}=asn1_internal_test modes_internal_test x509_internal_test \ tls13encryptiontest wpackettest ctype_internal_test \ - rdrand_sanitytest property_test \ + rdrand_sanitytest property_test ideatest \ rsa_sp800_56b_test bn_internal_test \ rc2test rc4test rc5test \ asn1_dsa_internal_test @@ -553,6 +549,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[tls13encryptiontest]=.. ../include ../apps/include DEPEND[tls13encryptiontest]=../libcrypto ../libssl.a libtestutil.a + SOURCE[ideatest]=ideatest.c + INCLUDE[ideatest]=../include ../apps/include + DEPEND[ideatest]=../libcrypto.a libtestutil.a + SOURCE[wpackettest]=wpackettest.c INCLUDE[wpackettest]=../include ../apps/include DEPEND[wpackettest]=../libcrypto ../libssl.a libtestutil.a diff --git a/test/ideatest.c b/test/ideatest.c index e572984c4f..2ef5a49ce7 100644 --- a/test/ideatest.c +++ b/test/ideatest.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * IDEA low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include #include "internal/nelem.h" diff --git a/util/libcrypto.num b/util/libcrypto.num index 2d034afaa4..c1f3978fbc 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -140,7 +140,7 @@ PKCS12_BAGS_new 142 3_0_0 EXIST::FUNCTION: CMAC_CTX_new 143 3_0_0 EXIST::FUNCTION:CMAC ASIdentifierChoice_new 144 3_0_0 EXIST::FUNCTION:RFC3779 EVP_PKEY_asn1_set_public 145 3_0_0 EXIST::FUNCTION: -IDEA_set_decrypt_key 146 3_0_0 EXIST::FUNCTION:IDEA +IDEA_set_decrypt_key 146 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA X509_STORE_CTX_set_flags 147 3_0_0 EXIST::FUNCTION: BIO_ADDR_rawmake 148 3_0_0 EXIST::FUNCTION:SOCK EVP_PKEY_asn1_set_ctrl 149 3_0_0 EXIST::FUNCTION: @@ -642,7 +642,7 @@ PEM_SignInit 658 3_0_0 EXIST::FUNCTION: EVP_CIPHER_CTX_set_key_length 659 3_0_0 EXIST::FUNCTION: X509_delete_ext 660 3_0_0 EXIST::FUNCTION: OCSP_resp_get0_produced_at 661 3_0_0 EXIST::FUNCTION:OCSP -IDEA_encrypt 662 3_0_0 EXIST::FUNCTION:IDEA +IDEA_encrypt 662 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA CRYPTO_nistcts128_encrypt_block 663 3_0_0 EXIST::FUNCTION: EVP_MD_do_all 664 3_0_0 EXIST::FUNCTION: EC_KEY_oct2priv 665 3_0_0 EXIST::FUNCTION:EC @@ -954,7 +954,7 @@ BN_is_bit_set 978 3_0_0 EXIST::FUNCTION: AES_ofb128_encrypt 979 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_STORE_add_lookup 980 3_0_0 EXIST::FUNCTION: ASN1_GENERALSTRING_new 981 3_0_0 EXIST::FUNCTION: -IDEA_options 982 3_0_0 EXIST::FUNCTION:IDEA +IDEA_options 982 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA d2i_X509_REQ 983 3_0_0 EXIST::FUNCTION: i2d_TS_STATUS_INFO 984 3_0_0 EXIST::FUNCTION:TS X509_PURPOSE_get_by_id 985 3_0_0 EXIST::FUNCTION: @@ -1844,7 +1844,7 @@ X509_STORE_CTX_set0_trusted_stack 1886 3_0_0 EXIST::FUNCTION: BIO_ADDR_service_string 1887 3_0_0 EXIST::FUNCTION:SOCK ASN1_BOOLEAN_it 1888 3_0_0 EXIST::FUNCTION: TS_RESP_CTX_set_time_cb 1889 3_0_0 EXIST::FUNCTION:TS -IDEA_cbc_encrypt 1890 3_0_0 EXIST::FUNCTION:IDEA +IDEA_cbc_encrypt 1890 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA BN_CTX_secure_new 1891 3_0_0 EXIST::FUNCTION: OCSP_ONEREQ_add_ext 1892 3_0_0 EXIST::FUNCTION:OCSP CMS_uncompress 1893 3_0_0 EXIST::FUNCTION:CMS 
@@ -2448,7 +2448,7 @@ BIO_f_zlib 2498 3_0_0 EXIST::FUNCTION:COMP,ZLIB AES_cfb128_encrypt 2499 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ENGINE_set_EC 2500 3_0_0 EXIST::FUNCTION:ENGINE d2i_ECPKParameters 2501 3_0_0 EXIST::FUNCTION:EC -IDEA_ofb64_encrypt 2502 3_0_0 EXIST::FUNCTION:IDEA +IDEA_ofb64_encrypt 2502 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA CAST_decrypt 2503 3_0_0 EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0 TS_STATUS_INFO_get0_failure_info 2504 3_0_0 EXIST::FUNCTION:TS ENGINE_unregister_pkey_meths 2506 3_0_0 EXIST::FUNCTION:ENGINE @@ -2531,7 +2531,7 @@ ENGINE_load_ssl_client_cert 2584 3_0_0 EXIST::FUNCTION:ENGINE X509_STORE_CTX_set_verify_cb 2585 3_0_0 EXIST::FUNCTION: CRYPTO_clear_realloc 2586 3_0_0 EXIST::FUNCTION: OPENSSL_strnlen 2587 3_0_0 EXIST::FUNCTION: -IDEA_ecb_encrypt 2588 3_0_0 EXIST::FUNCTION:IDEA +IDEA_ecb_encrypt 2588 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA ASN1_STRING_set_default_mask 2589 3_0_0 EXIST::FUNCTION: TS_VERIFY_CTX_add_flags 2590 3_0_0 EXIST::FUNCTION:TS FIPS_mode 2591 3_0_0 EXIST::FUNCTION: @@ -3102,7 +3102,7 @@ a2i_ASN1_INTEGER 3166 3_0_0 EXIST::FUNCTION: OCSP_sendreq_bio 3167 3_0_0 EXIST::FUNCTION:OCSP PKCS12_SAFEBAG_create_crl 3168 3_0_0 EXIST::FUNCTION: d2i_X509_NAME 3169 3_0_0 EXIST::FUNCTION: -IDEA_cfb64_encrypt 3170 3_0_0 EXIST::FUNCTION:IDEA +IDEA_cfb64_encrypt 3170 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA BN_mod_sub 3171 3_0_0 EXIST::FUNCTION: ASN1_NULL_new 3172 3_0_0 EXIST::FUNCTION: HMAC_Init 3173 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0 
@@ -3129,7 +3129,7 @@ OCSP_request_verify 3194 3_0_0 EXIST::FUNCTION:OCSP CRYPTO_THREAD_run_once 3195 3_0_0 EXIST::FUNCTION: TS_REQ_print_bio 3196 3_0_0 EXIST::FUNCTION:TS SCT_get_version 3197 3_0_0 EXIST::FUNCTION:CT -IDEA_set_encrypt_key 3198 3_0_0 EXIST::FUNCTION:IDEA +IDEA_set_encrypt_key 3198 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA ENGINE_get_DH 3199 3_0_0 EXIST::FUNCTION:ENGINE i2d_ASIdentifierChoice 3200 3_0_0 EXIST::FUNCTION:RFC3779 SRP_Calc_A 3201 3_0_0 EXIST::FUNCTION:SRP -- 2.34.1