40 files changed, 442 insertions, 186 deletions
@@ -22,6 +22,30 @@ However, code that does the latter will still work as before. [Richard Levitte] + *) Deprecated low level ECDH and ECDSA functions. These include: + + ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify, + ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and + ECDSA_size. + + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use the EVP_PKEY_derive(3), + EVP_DigestSign(3) and EVP_DigestVerify(3) functions. + [Paul Dale] + + *) Deprecated the EC_KEY_METHOD functions. These include: + + EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init, + EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key, + EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify, + EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen, + EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and + EC_KEY_METHOD_get_verify. + + Instead applications and extension writers should use the OSSL_PROVIDER + APIs. + [Paul Dale] + *) Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init() and EVP_PKEY_decrypt() instead. Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init() 
@@ -60,21 +84,21 @@ *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512 and Whirlpool digest functions have been deprecated. These include: - MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init, - MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update, - MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final, - RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final, - RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, - SHA1_Transform, SHA224_Init, SHA224_Update, SHA224_Final, - SHA224_Transform, SHA256_Init, SHA256_Update, SHA256_Final, - SHA256_Transform, SHA384, SHA384_Init, SHA384_Update, SHA384_Final, - SHA512, SHA512_Init, SHA512_Update, SHA512_Final, SHA512_Transform, - WHIRLPOOL, WHIRLPOOL_Init, WHIRLPOOL_Update, WHIRLPOOL_BitUpdate - and WHIRLPOOL_Final. - Use of these low level functions has been informally discouraged for a long - time. Instead applications should instead use the EVP_DigestInit_ex, - EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions. + MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init, + MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update, + MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final, + RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final, + RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform, + SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init, + SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init, + SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update, + SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init, + WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final. + + Use of these low level functions has been informally discouraged + for a long time. Applications should use the EVP_DigestInit_ex(3), + EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead. 
[Paul Dale] *) Corrected the documentation of the return values from the EVP_DigestSign* @@ -87,6 +111,7 @@ [Richard Levitte] *) All of the low level cipher functions have been deprecated including: + AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt, AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt, AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt, @@ -117,10 +142,10 @@ SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt, SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt. - Use of these low level functions has been informally discouraged for a long - time. Instead applications should use the high level EVP APIs, e.g. + Use of these low level functions has been informally discouraged for + a long time. Applications should use the high level EVP APIs, e.g. EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the - equivalently named decrypt functions. + equivalently named decrypt functions instead. [Matt Caswell and Paul Dale] *) Removed include/openssl/opensslconf.h.in and replaced it with diff --git a/apps/speed.c b/apps/speed.c index d2afebb2c6..17f2cf3924 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1110,6 +1110,7 @@ static int DSA_verify_loop(void *args) #endif #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_DEPRECATED_3_0 static long ecdsa_c[ECDSA_NUM][2]; static int ECDSA_sign_loop(void *args) { @@ -1150,6 +1151,7 @@ static int ECDSA_verify_loop(void *args) } return count; } +# endif /* ******************************************************************** */ static long ecdh_c[EC_NUM][1]; @@ -3020,6 +3022,7 @@ int speed_main(int argc, char **argv) #endif /* OPENSSL_NO_DSA */ #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_DEPRECATED_3_0 for (testnum = 0; testnum < ECDSA_NUM; testnum++) { int st = 1; @@ -3102,6 +3105,7 @@ int speed_main(int argc, char **argv) } } } +# endif for (testnum = 0; testnum < EC_NUM; testnum++) { int ecdh_checks = 1; 
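Review bot: The two `# endif` lines added in apps/speed.c (hunks at -1150 and -3102) close a `# ifndef OPENSSL_NO_DEPRECATED_3_0` opened in an earlier hunk, and they carry no trailing comment although the same file writes `#endif /* OPENSSL_NO_DSA */`. Writing `# endif /* OPENSSL_NO_DEPRECATED_3_0 */` would keep the nesting inside `#ifndef OPENSSL_NO_EC` readable across the long guarded regions. With the macro defined, `ecdsa_c`, `ECDSA_sign_loop`, `ECDSA_verify_loop` and the ECDSA block of `speed_main` compile out; whether option parsing and the result printing elsewhere in speed.c still refer to them is not visible in these hunks and is worth confirming with a no-deprecated build. Both function bodies and `speed_main` continue outside the hunks.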
@@ -3398,7 +3402,7 @@ int speed_main(int argc, char **argv) st = 0; /* set back to zero */ /* attach it sooner to rely on main final cleanup */ loopargs[i].sm2_pkey[testnum] = sm2_pkey; - loopargs[i].sigsize = ECDSA_size(EVP_PKEY_get0_EC_KEY(sm2_pkey)); + loopargs[i].sigsize = EVP_PKEY_size(sm2_pkey); sm2_pctx = EVP_PKEY_CTX_new(sm2_pkey, NULL); sm2_vfy_pctx = EVP_PKEY_CTX_new(sm2_pkey, NULL); @@ -3406,6 +3410,7 @@ int speed_main(int argc, char **argv) EVP_PKEY_CTX_free(sm2_vfy_pctx); break; } + /* attach them directly to respective ctx */ EVP_MD_CTX_set_pkey_ctx(loopargs[i].sm2_ctx[testnum], sm2_pctx); EVP_MD_CTX_set_pkey_ctx(loopargs[i].sm2_vfy_ctx[testnum], sm2_vfy_pctx); diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index a512aeb237..6672f5d249 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include "ec_local.h" #include <openssl/evp.h> diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 1f92680f7b..38218f64c1 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/err.h> #include "ec_local.h" diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 21ce6e12d3..593f543e1a 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/err.h> #include "crypto/bn.h" diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index f38ab103ab..d2c8c399de 100644 
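Review bot: The value of `EVP_PKEY_size(sm2_pkey)` is stored in `loopargs[i].sigsize` without a check in the hunk at -3398 of apps/speed.c. `EVP_PKEY_size` returns an `int` that is zero or negative when the size cannot be determined, so if `sigsize` is later used as a signature buffer length (its type and uses are outside this hunk) a failure would carry through as a bogus length. The replaced `ECDSA_size` call was unchecked too, but the switch is a good place to add `int sz = EVP_PKEY_size(sm2_pkey); if (sz <= 0) break;` before the assignment, with the same cleanup as the existing `break` path. `speed_main` starts and ends outside the hunk.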
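Review bot: The comment added above `#include "internal/deprecated.h"` in crypto/ec/curve25519.c names only "ECDSA low level APIs", and the same text is repeated in the other crypto/ec and crypto/sm2 files of this commit, including ecx_meth.c and sm2_crypt.c, where the deprecated calls relied on are presumably not ECDSA ones. Only ec_ameth.c, ecdh_ossl.c and x_all.c word it differently. The include presumably lifts deprecation warnings for the whole translation unit, so a later use of any other deprecated low-level API in these files would compile without a warning. A comment that says so, e.g. `/* Deprecated low level EC APIs are still used internally; this include silences deprecation warnings for the whole file. */`, would tell maintainers what the line actually switches off, with the API family adjusted per file.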
--- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDH and ECDSA low level APIs are deprecated for public use, but still ok + * for internal use. + */ +#include "internal/deprecated.h" + #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/x509.h> diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 0567f2ab06..f61d8860a4 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include "ec_local.h" #include <openssl/err.h> diff --git a/crypto/ec/ec_check.c b/crypto/ec/ec_check.c index f8723aab47..bb39177d64 100644 --- a/crypto/ec/ec_check.c +++ b/crypto/ec/ec_check.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include "ec_local.h" #include <openssl/err.h> diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 2639b1b547..5951615ec2 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include "ec_local.h" #include <openssl/err.h> diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c index 0fdd5f672c..030c299070 100644 --- a/crypto/ec/ec_cvt.c +++ b/crypto/ec/ec_cvt.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/err.h> #include "crypto/bn.h" #include "ec_local.h" 
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 2ae5a654c3..a0cd5b9bda 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include "internal/cryptlib.h" #include <string.h> #include "ec_local.h" diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 168cf72973..078d8b35fa 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include <openssl/err.h> diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 2f2e66c679..17aacf877b 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include <openssl/err.h> diff --git a/crypto/ec/ec_oct.c b/crypto/ec/ec_oct.c index 041c442b62..ba2de89656 100644 --- a/crypto/ec/ec_oct.c +++ b/crypto/ec/ec_oct.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include <openssl/err.h> diff --git a/crypto/ec/ec_print.c b/crypto/ec/ec_print.c index c76d7034a2..e3fd17d59e 100644 --- a/crypto/ec/ec_print.c +++ b/crypto/ec/ec_print.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/crypto.h> #include <openssl/err.h> #include "ec_local.h" 
diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c index 30b8837187..89761a9fdd 100644 --- a/crypto/ec/ecdh_ossl.c +++ b/crypto/ec/ecdh_ossl.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDH low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include <limits.h> diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index 8de22ba910..e9291b17a6 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include <openssl/err.h> #include <openssl/obj_mac.h> diff --git a/crypto/ec/ecdsa_sign.c b/crypto/ec/ecdsa_sign.c index 7d0215b326..d602008164 100644 --- a/crypto/ec/ecdsa_sign.c +++ b/crypto/ec/ecdsa_sign.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/ec.h> #include "ec_local.h" #include <openssl/err.h> diff --git a/crypto/ec/ecdsa_vrf.c b/crypto/ec/ecdsa_vrf.c index 60f4af0426..255c4eeea2 100644 --- a/crypto/ec/ecdsa_vrf.c +++ b/crypto/ec/ecdsa_vrf.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/ec.h> #include "ec_local.h" #include <openssl/err.h> diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 44b6635361..a81f79029c 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c 
@@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/err.h> #include "ec_local.h" diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c index 3b5666d15c..e5aad5890e 100644 --- a/crypto/ec/ecp_nist.c +++ b/crypto/ec/ecp_nist.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <limits.h> #include <openssl/err.h> diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 6777d32244..f52e55b7ed 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -24,6 +24,12 @@ */ /* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +/* * A 64-bit implementation of the NIST P-224 elliptic curve point multiplication * * Inspired by Daniel J. Bernstein's public domain nistp224 implementation diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index 954263c960..d9c98c83ad 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c @@ -24,6 +24,12 @@ */ /* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +/* * A 64-bit implementation of the NIST P-256 elliptic curve point multiplication * * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c. diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 78a98c7187..d09553fec8 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c 
@@ -24,6 +24,12 @@ */ /* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +/* * A 64-bit implementation of the NIST P-521 elliptic curve point multiplication * * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c. diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c index 98e0b72d10..d3739a108c 100644 --- a/crypto/ec/ecp_nistputil.c +++ b/crypto/ec/ecp_nistputil.c @@ -23,6 +23,12 @@ * limitations under the License. */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/opensslconf.h> #ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 NON_EMPTY_TRANSLATION_UNIT diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 1609c4bbf7..d9709da4f4 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -18,6 +18,12 @@ * 256 Bit Primes" */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <string.h> #include "internal/cryptlib.h" diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index e6bc153f51..1455f9c16c 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/err.h> #include <openssl/symhacks.h> diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index e06177ee14..005ab1ec65 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -8,6 +8,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/err.h> #include <openssl/symhacks.h> 
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index 4e3c630bd2..525fcd343f 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/x509.h> diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c index 102f02651a..934c957d8b 100644 --- a/crypto/sm2/sm2_crypt.c +++ b/crypto/sm2/sm2_crypt.c @@ -9,6 +9,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include "crypto/sm2.h" #include "crypto/sm2err.h" #include "crypto/ec.h" /* ecdh_KDF_X9_63() */ diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c index 1068b7b901..681a0ab130 100644 --- a/crypto/sm2/sm2_pmeth.c +++ b/crypto/sm2/sm2_pmeth.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include "internal/cryptlib.h" #include <openssl/asn1t.h> #include <openssl/ec.h> diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 9af26e69f0..5a5f098558 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * Low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/buffer.h> diff --git a/doc/man3/ECDSA_SIG_new.pod b/doc/man3/ECDSA_SIG_new.pod index 02b4a54f96..4364297e6f 100644 --- a/doc/man3/ECDSA_SIG_new.pod +++ b/doc/man3/ECDSA_SIG_new.pod 
@@ -18,6 +18,11 @@ functions const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig); const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); + +Deprecated |