diff options
| author | Matt Caswell <matt@openssl.org> | 2019-12-05 17:09:49 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2020-01-06 15:09:57 +0000 |
| commit | c72fa2554f5adc03bcc3c6e4ebcd1929e70efed4 (patch) | |
| tree | 181157c82b41fb40f46ada0f30d33468df50aefb | |
| parent | 2852c672a8ecb02a74d0adeeb93c661b7d2d7511 (diff) | |
Deprecate the low level AES functions
Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)
36 files changed, 327 insertions, 72 deletions
@@ -363,7 +363,17 @@ for scripting purposes. [Richard Levitte] - *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been + *) All of the low level AES functions have been deprecated including: + AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt, + AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt, + AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt, AES_wrap_key and + AES_unwrap_key + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use the high level EVP APIs, e.g. + EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the + equivalently named decrypt functions. + + The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have also been deprecated. These undocumented functions were never integrated into the EVP layer and implement the AES Infinite Garble Extension (IGE) mode and AES Bi-directional IGE mode. These modes were never formally standardised and @@ -559,6 +559,11 @@ my @disable_cascades = ( "legacy" => [ "md2" ], "cmp" => [ "crmf" ], + + # Padlock engine uses low-level AES APIs which are deprecated + sub { $disabled{"deprecated"} + && (!defined $config{"api"} || $config{"api"} >= 30000) } + => [ "padlockeng" ] ); # Avoid protocol support holes. Also disable all versions below N, if version diff --git a/apps/speed.c b/apps/speed.c index 9eed4f2083..3e09d8ddcb 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -44,7 +44,9 @@ #ifndef OPENSSL_NO_DES # include <openssl/des.h> #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 #include <openssl/aes.h> +#endif #ifndef OPENSSL_NO_CAMELLIA # include <openssl/camellia.h> #endif @@ -358,10 +360,10 @@ static const OPT_PAIR doit_choices[] = { {"des-cbc", D_CBC_DES}, {"des-ede3", D_EDE3_DES}, #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 {"aes-128-cbc", D_CBC_128_AES}, {"aes-192-cbc", D_CBC_192_AES}, {"aes-256-cbc", D_CBC_256_AES}, -#ifndef OPENSSL_NO_DEPRECATED_3_0 {"aes-128-ige", D_IGE_128_AES}, {"aes-192-ige", D_IGE_192_AES}, {"aes-256-ige", D_IGE_256_AES}, @@ -752,6 +754,8 @@ static int DES_ede3_cbc_encrypt_loop(void *args) #define MAX_BLOCK_SIZE 128 static unsigned char iv[2 * MAX_BLOCK_SIZE / 8]; + +#ifndef OPENSSL_NO_DEPRECATED_3_0 static AES_KEY aes_ks1, aes_ks2, aes_ks3; static int AES_cbc_128_encrypt_loop(void *args) { @@ -786,7 +790,6 @@ static int AES_cbc_256_encrypt_loop(void *args) return count; } -#ifndef OPENSSL_NO_DEPRECATED_3_0 static int AES_ige_128_encrypt_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; @@ -822,7 +825,6 @@ static int AES_ige_256_encrypt_loop(void *args) (size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT); return count; } -#endif static int CRYPTO_gcm128_aad_loop(void *args) { @@ -834,6 +836,7 @@ static int CRYPTO_gcm128_aad_loop(void *args) CRYPTO_gcm128_aad(gcm_ctx, buf, lengths[testnum]); return count; } +#endif static int RAND_bytes_loop(void *args) { @@ -1749,10 +1752,12 @@ int speed_main(int argc, char **argv) } } #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 if (strcmp(algo, "aes") == 0) { doit[D_CBC_128_AES] = doit[D_CBC_192_AES] = doit[D_CBC_256_AES] = 1; continue; } +#endif #ifndef OPENSSL_NO_CAMELLIA if (strcmp(algo, "camellia") == 0) { doit[D_CBC_128_CML] = doit[D_CBC_192_CML] = doit[D_CBC_256_CML] = 1; @@ -1946,9 +1951,11 @@ int speed_main(int argc, char **argv) DES_set_key_unchecked(&keys[2], &sch[2]); } #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 AES_set_encrypt_key(key16, 128, &aes_ks1); AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); +#endif #ifndef OPENSSL_NO_CAMELLIA if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { Camellia_set_key(key16, 128, &camellia_ks[0]); @@ -2407,6 +2414,7 @@ int speed_main(int argc, char **argv) } #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 if (doit[D_CBC_128_AES]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][testnum], @@ -2441,7 +2449,7 @@ int speed_main(int argc, char **argv) } } -#ifndef OPENSSL_NO_DEPRECATED_3_0 + if (doit[D_IGE_128_AES]) { for (testnum = 0; testnum < size_num; testnum++) { print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][testnum], @@ -2475,7 +2483,6 @@ int speed_main(int argc, char **argv) print_result(D_IGE_256_AES, testnum, count, d); } } -#endif if (doit[D_GHASH]) { for (i = 0; i < loopargs_len; i++) { loopargs[i].gcm_ctx = @@ -2495,6 +2502,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) CRYPTO_gcm128_release(loopargs[i].gcm_ctx); } +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ #ifndef OPENSSL_NO_CAMELLIA if (doit[D_CBC_128_CML]) { if (async_jobs > 0) { @@ -3488,7 +3496,9 @@ int speed_main(int argc, char **argv) #ifndef OPENSSL_NO_DES printf("%s ", DES_options()); #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 printf("%s ", AES_options()); +#endif #ifndef OPENSSL_NO_IDEA printf("%s ", IDEA_options()); #endif diff --git a/crypto/aes/aes_cbc.c b/crypto/aes/aes_cbc.c index d4e309195f..9017cc132c 100644 --- a/crypto/aes/aes_cbc.c +++ b/crypto/aes/aes_cbc.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include <openssl/aes.h> #include <openssl/modes.h> diff --git a/crypto/aes/aes_cfb.c b/crypto/aes/aes_cfb.c index 096280171f..f0442f61e8 100644 --- a/crypto/aes/aes_cfb.c +++ b/crypto/aes/aes_cfb.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * AES_encrypt is deprecated - but we need to use it to implement these other + * deprecated APIs. + */ +#include "internal/deprecated.h" + #include <openssl/aes.h> #include <openssl/modes.h> diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c index a094a9adeb..d7e4bf1635 100644 --- a/crypto/aes/aes_core.c +++ b/crypto/aes/aes_core.c @@ -36,6 +36,13 @@ /* Note: rewritten a little bit to provide error control and an OpenSSL- compatible API */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include <assert.h> #include <stdlib.h> diff --git a/crypto/aes/aes_ecb.c b/crypto/aes/aes_ecb.c index f4a75f133b..7270fc31e8 100644 --- a/crypto/aes/aes_ecb.c +++ b/crypto/aes/aes_ecb.c @@ -9,6 +9,12 @@ #include <assert.h> +/* + * AES_encrypt/AES_decrypt are deprecated - but we need to use them to implement + * AES_ecb_encrypt + */ +#include "internal/deprecated.h" + #include <openssl/aes.h> #include "aes_local.h" diff --git a/crypto/aes/aes_ige.c b/crypto/aes/aes_ige.c index 3300e518d2..b40f4e53a6 100644 --- a/crypto/aes/aes_ige.c +++ b/crypto/aes/aes_ige.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * AES_encrypt/AES_decrypt are deprecated - but we need to use them to implement + * these functions + */ +#include "internal/deprecated.h" + #include "internal/cryptlib.h" #ifdef OPENSSL_NO_DEPRECATED_3_0 diff --git a/crypto/aes/aes_misc.c b/crypto/aes/aes_misc.c index 35be71d1c7..e706f5135f 100644 --- a/crypto/aes/aes_misc.c +++ b/crypto/aes/aes_misc.c @@ -11,11 +11,13 @@ #include <openssl/aes.h> #include "aes_local.h" +#ifndef OPENSSL_NO_DEPRECATED_3_0 const char *AES_options(void) { -#ifdef FULL_UNROLL +# ifdef FULL_UNROLL return "aes(full)"; -#else +# else return "aes(partial)"; -#endif +# endif } +#endif diff --git a/crypto/aes/aes_ofb.c b/crypto/aes/aes_ofb.c index e77546c89f..20f9814f69 100644 --- a/crypto/aes/aes_ofb.c +++ b/crypto/aes/aes_ofb.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * AES_encrypt is deprecated - but we need to use it to implement + * AES_ofb128_encrypt + */ +#include "internal/deprecated.h" + #include <openssl/aes.h> #include <openssl/modes.h> diff --git a/crypto/aes/aes_wrap.c b/crypto/aes/aes_wrap.c index b869b265cd..82bf6dbfb6 100644 --- a/crypto/aes/aes_wrap.c +++ b/crypto/aes/aes_wrap.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * AES_encrypt/AES_decrypt are deprecated - but we need to use them to implement + * these functions + */ +#include "internal/deprecated.h" + #include "internal/cryptlib.h" #include <openssl/aes.h> #include <openssl/modes.h> diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 29836844d4..0d5418b0d3 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * This file uses the low level AES functions (which are deprecated for + * non-internal use) in order to implement the EVP AES ciphers. + */ +#include "internal/deprecated.h" + #include <string.h> #include <assert.h> #include <openssl/opensslconf.h> diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 6b9362a1fe..35b1646385 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include <stdio.h> #include <string.h> #include <openssl/opensslconf.h> diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index 771ef1d6a2..27cc59bd13 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + #include <stdio.h> #include <string.h> #include <openssl/opensslconf.h> diff --git a/engines/e_padlock.c b/engines/e_padlock.c index 78e9c79521..3f86545c53 100644 --- a/engines/e_padlock.c +++ b/engines/e_padlock.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * This file uses the low level AES functions (which are deprecated for + * non-internal use) in order to implement the padlock engine AES ciphers. + */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include <stdio.h> #include <string.h> diff --git a/include/internal/deprecated.h b/include/internal/deprecated.h new file mode 100644 index 0000000000..a4bde883f2 --- /dev/null +++ b/include/internal/deprecated.h @@ -0,0 +1,29 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This header file should be included by internal code that needs to use APIs + * that have been deprecated for public use, but where those symbols will still + * be available internally. For example the EVP and provider code needs to use + * low level APIs that are otherwise deprecated. + * + * This header *must* be the first OpenSSL header included by a source file. + */ + +#ifndef OSSL_INTERNAL_DEPRECATED_H +# define OSSL_INTERNAL_DEPRECATED_H + +# include <openssl/configuration.h> + +# undef OPENSSL_NO_DEPRECATED +# define OPENSSL_SUPPRESS_DEPRECATED + +# include <openssl/macros.h> + +#endif diff --git a/include/openssl/aes.h b/include/openssl/aes.h index 510edce18d..f6e74db9da 100644 --- a/include/openssl/aes.h +++ b/include/openssl/aes.h @@ -23,56 +23,69 @@ extern "C" { # endif -# define AES_ENCRYPT 1 -# define AES_DECRYPT 0 - -/* - * Because array size can't be a const in C, the following two are macros. - * Both sizes are in bytes. - */ -# define AES_MAXNR 14 # define AES_BLOCK_SIZE 16 +# ifndef OPENSSL_NO_DEPRECATED_3_0 + +# define AES_ENCRYPT 1 +# define AES_DECRYPT 0 + +# define AES_MAXNR 14 + + /* This should be a hidden type, but EVP requires that the size be known */ struct aes_key_st { -# ifdef AES_LONG +# ifdef AES_LONG unsigned long rd_key[4 * (AES_MAXNR + 1)]; -# else +# else unsigned int rd_key[4 * (AES_MAXNR + 1)]; -# endif +# endif int rounds; }; typedef struct aes_key_st AES_KEY; -const char *AES_options(void); - -int AES_set_encrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key); -int AES_set_decrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key); - -void AES_encrypt(const unsigned char *in, unsigned char *out, - const AES_KEY *key); -void AES_decrypt(const unsigned char *in, unsigned char *out, - const AES_KEY *key); - -void AES_ecb_encrypt(const unsigned char *in, unsigned char *out, - const AES_KEY *key, const int enc); -void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - unsigned char *ivec, const int enc); -void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - unsigned char *ivec, int *num, const int enc); -void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - unsigned char *ivec, int *num, const int enc); -void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - unsigned char *ivec, int *num, const int enc); -void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - unsigned char *ivec, int *num); +# endif + +DEPRECATEDIN_3_0(const char *AES_options(void)) + +DEPRECATEDIN_3_0(int + AES_set_encrypt_key(const unsigned char *userKey, + const int bits, AES_KEY *key)) +DEPRECATEDIN_3_0(int + AES_set_decrypt_key(const unsigned char *userKey, + const int bits, AES_KEY *key)) + +DEPRECATEDIN_3_0(void + AES_encrypt(const unsigned char *in, unsigned char *out, + const AES_KEY *key)) +DEPRECATEDIN_3_0(void + AES_decrypt(const unsigned char *in, unsigned char *out, + const AES_KEY *key)) + +DEPRECATEDIN_3_0(void + AES_ecb_encrypt(const unsigned char *in, unsigned char *out, + const AES_KEY *key, const int enc)) +DEPRECATEDIN_3_0(void + AES_cbc_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, const int enc)) +DEPRECATEDIN_3_0(void + AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, int *num, + const int enc)) +DEPRECATEDIN_3_0(void + AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc)) +DEPRECATEDIN_3_0(void + AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc)) +DEPRECATEDIN_3_0(void + AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, int *num)) /* NB: the IV is _two_ blocks long */ DEPRECATEDIN_3_0(void @@ -86,12 +99,14 @@ DEPRECATEDIN_3_0(void const AES_KEY *key2, const unsigned char *ivec, const int enc)) -int AES_wrap_key(AES_KEY *key, const unsigned char *iv, - unsigned char *out, - const unsigned char *in, unsigned int inlen); -int AES_unwrap_key(AES_KEY *key, const unsigned char *iv, - unsigned char *out, - const unsigned char *in, unsigned int inlen); +DEPRECATEDIN_3_0(int + AES_wrap_key(AES_KEY *key, const unsigned char *iv, + unsigned char *out, const unsigned char *in, + unsigned int inlen)) +DEPRECATEDIN_3_0(int + AES_unwrap_key(AES_KEY *key, const unsigned char *iv, + unsigned char *out, const unsigned char *in, + unsigned int inlen)) # ifdef __cplusplus diff --git a/include/openssl/macros.h b/include/openssl/macros.h index a38387f131..28e3a3064f 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -25,6 +25,9 @@ /* * Generic deprecation macro + * + * If OPENSSL_SUPPRESS_DEPRECATED is defined, then DECLARE_DEPRECATED + * becomes a no-op */ # ifndef DECLARE_DEPRECATED # define DECLARE_DEPRECATED(f) f; diff --git a/providers/implementations/ciphers/cipher_aes.c b/providers/implementations/ciphers/cipher_aes.c index 561377a27b..2d42f1d8ff 100644 --- a/providers/implementations/ciphers/cipher_aes.c +++ b/providers/implementations/ciphers/cipher_aes.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + /* Dispatch functions for AES cipher modes ecb, cbc, ofb, cfb, ctr */ #include "cipher_aes.h" diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index c800d1284d..ad7f14bf85 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + /* Dispatch functions for AES CCM mode */ #include "cipher_aes_ccm.h" diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw.c b/providers/implementations/ciphers/cipher_aes_ccm_hw.c index 5f4accdb54..f4410ca755 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw.c @@ -9,6 +9,12 @@ /* AES CCM mode */ +/* + * This file uses the low level AES functions (which are deprecated for + * non-internal use) in order to implement provider AES ciphers. + */ +#include "internal/deprecated.h" + #include "cipher_aes_ccm.h" #define AES_HW_CCM_SET_KEY_FN(fn_set_enc_key, fn_blk, fn_ccm_enc, fn_ccm_dec) \ diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index bb0b8debc0..3f3d923a56 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -7,6 +7,13 @@ * https://www.openssl.org/source/license.html */ +/* + * AES low level APIs are deprecated for public use, but still ok for internal + * use where we're using them to implement the higher level EVP interface, as is + * the case here. + */ +#include "internal/deprecated.h" + /* Dispatch functions for AES GCM mode */ #include "cipher_aes_gcm.h" diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c index 08ee34ef1e..0eb799451d 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c @@ -9,6 +9,12 @@ /* Dispatch functions for AES GCM mode */ +/* + * This file uses the low level AES functions (which are deprecated for + * non-internal use) in order to implement provider AES ciphers. + */ +#include "internal/deprecated.h" + #include "cipher_aes_gcm.h" static int generic_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, diff --git a/providers/implementations/ciphers/cipher_aes_hw.c b/providers/implementations/ciphers/cipher_aes_hw.c index e9a7c31f98..835e0b968b 100644 --- a/providers/implementations/ciphers/cipher_aes_hw.c +++ b/providers/implementations/ciphers/cipher_aes_hw.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * This file uses the low level AES functions (which are deprecated for + * non-internal use) in order to implement provider AES ciphers. + */ +#include "internal/deprecated.h" + #include "cipher_aes.h" #include "prov/providercommonerr.h" diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index 03ec70b949..2f85604a87 100644 --- a/p |