From: Rich Salz Date: Tue, 8 Dec 2020 15:13:54 +0000 (-0500) Subject: Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex X-Git-Tag: openssl-3.0.0-alpha11~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a3d267f18492a1e874534d5af6072bc8b7a290e5;p=thirdparty%2Fopenssl.git Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex EVP_KEY_new_CMAC_key_ex was in the pre-release 3.0 only, so is safe to remove. Restore 1.1.1 version of EVP_PKEY_new_CMAC_key documentation. Also make testing of EVP_PKEY_new_CMAC_key properly #ifdef'd. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13829) --- diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 326c58c8aa5..93cdbb89bf0 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -636,13 +636,6 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len, # endif } -EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len, - const char *cipher_name, OSSL_LIB_CTX *libctx, - const char *propq) -{ - return new_cmac_key_int(priv, len, cipher_name, NULL, libctx, propq, NULL); -} - EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, const EVP_CIPHER *cipher) { diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod index c2d3c57e438..88c4e67e53d 100644 --- a/doc/man3/EVP_PKEY_new.pod +++ b/doc/man3/EVP_PKEY_new.pod @@ -10,7 +10,6 @@ EVP_PKEY_new_raw_private_key_ex, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key_ex, EVP_PKEY_new_raw_public_key, -EVP_PKEY_new_CMAC_key_ex, EVP_PKEY_new_CMAC_key, EVP_PKEY_new_mac_key, EVP_PKEY_get_raw_private_key, @@ -41,11 +40,6 @@ EVP_PKEY_get_raw_public_key size_t keylen); EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *e, const unsigned char *key, size_t keylen); - EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len, - const char *cipher_name, - OSSL_LIB_CTX *libctx, const char *propq); - EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, - size_t len, const EVP_CIPHER *cipher); EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key, int keylen); @@ -54,6 +48,13 @@ EVP_PKEY_get_raw_public_key int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub, size_t *len); +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + + EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, + size_t len, const EVP_CIPHER *cipher); + =head1 DESCRIPTION B is a generic structure to hold diverse types of asymmetric keys @@ -121,21 +122,6 @@ data. The B structure will be initialised without any private key information. Algorithm types that support raw public keys are B, B, B or B. -EVP_PKEY_new_CMAC_key_ex() works in the same way as -EVP_PKEY_new_raw_private_key() except it is only for the B -algorithm type. In addition to the raw private key data, it also takes a cipher -algorithm to be used during creation of a CMAC in the I argument. The -cipher should be a standard encryption only cipher. For example AEAD and XTS -ciphers should not be used. Finally it also takes a library context I -and property query I which are used when fetching any cryptographic -algorithms which may be NULL to use the default values. - -EVP_PKEY_new_CMAC_key() is the same as EVP_PKEY_new_CMAC_key_ex() -except that the default values are used for I and I. - -Using EVP_PKEY_new_CMAC_key_ex() or EVP_PKEY_new_CMAC_key() is discouraged in -favor of the L API. - EVP_PKEY_new_mac_key() works in the same way as EVP_PKEY_new_raw_private_key(). New applications should use EVP_PKEY_new_raw_private_key() instead. @@ -159,6 +145,16 @@ key data. This function only works for algorithms that support raw public keys. Currently this is: B, B, B or B. +EVP_PKEY_new_CMAC_key() works in the same way as EVP_PKEY_new_raw_private_key() +except it is only for the B algorithm type. In addition to the +raw private key data, it also takes a cipher algorithm to be used during +creation of a CMAC in the B argument. The cipher should be a standard +encryption-only cipher. For example AEAD and XTS ciphers should not be used. + +Applications should use the L API instead +and set the B parameter on the B object +with the name of the cipher being used. + =head1 NOTES The B structure is used by various OpenSSL functions which require a @@ -195,9 +191,11 @@ EVP_PKEY_new_raw_private_key(), EVP_PKEY_new_raw_public_key(), EVP_PKEY_new_CMAC_key(), EVP_PKEY_new_raw_private_key() and EVP_PKEY_get_raw_public_key() functions were added in OpenSSL 1.1.1. -The EVP_PKEY_new_raw_private_key_ex(), -EVP_PKEY_new_raw_public_key_ex() and -EVP_PKEY_new_CMAC_key_ex() functions were added in OpenSSL 3.0. +The EVP_PKEY_new_raw_private_key_ex() and +EVP_PKEY_new_raw_public_key_ex() +functions were added in OpenSSL 3.0. + +The EVP_PKEY_new_CMAC_key() was deprecated in OpenSSL 3.0. The documentation of B was amended in OpenSSL 3.0 to allow there to be the private part of the keypair without the public part, where this was diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ae9488acbbe..0180170b8d7 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1678,11 +1678,11 @@ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, unsigned char *priv, int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub, size_t *len); -EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len, - const char *cipher_name, OSSL_LIB_CTX *libctx, - const char *propq); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, const EVP_CIPHER *cipher); +# endif void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data); void *EVP_PKEY_CTX_get_data(const EVP_PKEY_CTX *ctx); diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 42f4319d6c3..37efbd42e2b 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1538,7 +1538,10 @@ static int test_CMAC_keygen(void) EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL); int ret = 0; EVP_PKEY *pkey = NULL; - unsigned char mac[AES_BLOCK_SIZE], mac2[AES_BLOCK_SIZE]; + unsigned char mac[AES_BLOCK_SIZE]; +# if !defined(OPENSSL_NO_DEPRECATED_3_0) + unsigned char mac2[AES_BLOCK_SIZE]; +# endif /* Test a CMAC key created using the "generated" method */ if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0) @@ -1553,6 +1556,7 @@ static int test_CMAC_keygen(void) || !TEST_true(get_cmac_val(pkey, mac))) goto done; +# if !defined(OPENSSL_NO_DEPRECATED_3_0) EVP_PKEY_free(pkey); /* @@ -1564,6 +1568,7 @@ static int test_CMAC_keygen(void) || !TEST_true(get_cmac_val(pkey, mac2)) || !TEST_mem_eq(mac, sizeof(mac), mac2, sizeof(mac2))) goto done; +# endif ret = 1; diff --git a/test/evp_test.c b/test/evp_test.c index b1c9c72b8b1..94bbdc7a357 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_new_CMAC_key */ #include #include #include @@ -1152,6 +1153,14 @@ static int mac_test_run_pkey(EVP_TEST *t) OBJ_nid2sn(expected->type), expected->alg); if (expected->type == EVP_PKEY_CMAC) { +#ifdef OPENSSL_NO_DEPRECATED_3_0 + TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg); + t->skip = 1; + t->err = NULL; + goto err; +#else + OSSL_LIB_CTX *tmpctx; + if (expected->alg != NULL && is_cipher_disabled(expected->alg)) { TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg); t->skip = 1; @@ -1162,8 +1171,11 @@ static int mac_test_run_pkey(EVP_TEST *t) t->err = "MAC_KEY_CREATE_ERROR"; goto err; } - key = EVP_PKEY_new_CMAC_key_ex(expected->key, expected->key_len, - EVP_CIPHER_name(cipher), libctx, NULL); + tmpctx = OSSL_LIB_CTX_set0_default(libctx); + key = EVP_PKEY_new_CMAC_key(NULL, expected->key, expected->key_len, + cipher); + OSSL_LIB_CTX_set0_default(tmpctx); +#endif } else { key = EVP_PKEY_new_raw_private_key_ex(libctx, OBJ_nid2sn(expected->type), NULL, diff --git a/util/libcrypto.num b/util/libcrypto.num index a1e9b5cc34b..1cd4b86f4d0 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4338,7 +4338,7 @@ OSSL_STORE_SEARCH_free 4450 3_0_0 EXIST::FUNCTION: OSSL_STORE_SEARCH_get0_digest 4451 3_0_0 EXIST::FUNCTION: EVP_PKEY_new_raw_private_key 4453 3_0_0 EXIST::FUNCTION: EVP_PKEY_new_raw_public_key 4454 3_0_0 EXIST::FUNCTION: -EVP_PKEY_new_CMAC_key 4455 3_0_0 EXIST::FUNCTION: +EVP_PKEY_new_CMAC_key 4455 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_PKEY_asn1_set_set_priv_key 4456 3_0_0 EXIST::FUNCTION: EVP_PKEY_asn1_set_set_pub_key 4457 3_0_0 EXIST::FUNCTION: conf_ssl_name_find 4469 3_0_0 EXIST::FUNCTION: @@ -5221,7 +5221,6 @@ OSSL_PARAM_get_utf8_string_ptr ? 3_0_0 EXIST::FUNCTION: OSSL_PARAM_get_octet_string_ptr ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_CTX_set_passphrase_cb ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_mac_key ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_new_CMAC_key_ex ? 3_0_0 EXIST::FUNCTION: OSSL_STORE_INFO_new ? 3_0_0 EXIST::FUNCTION: OSSL_STORE_INFO_get0_data ? 3_0_0 EXIST::FUNCTION: asn1_d2i_read_bio ? 3_0_0 EXIST::FUNCTION: