[EXTERNAL] Re: Need Replacement for Deprecated function

Shivakumar Poojari Shivakumar.Poojari at rbbn.com
Mon Dec 13 06:39:24 UTC 2021


Hi Matt,

I'm able resolve for AES and DES errors, I replaced with function but few parameter are filled with NULL, please suggest its correct way of doing

The below is the actual source code I'm trying to change
https://github.com/digsrc/wpa_supplicant/blob/master/src/crypto/crypto_openssl.c

trying to upgrade this function in the above file des_encrypt aes_wrap aes_unwrap

I called below function for both DES AES

In des_encrypt:I changed below code

int clen = 16;
evp_encrypt_wrapper((unsigned char *)clear, clen, (unsigned char *)pkey, NULL, (unsigned char *)cypher, EVP_des_ecb());

In aes_wrap:I changed below code

evp_encrypt_wrapper((unsigned char *)plain, n * 8, (unsigned char *)kek, NULL, (unsigned char *)cipher, aes_wrap_get_evp_cipher(kek_len << 3));

Please suggest how do I manage inputLen and iv parameter

int evp_encrypt_wrapper(unsigned char *input, unsigned int inputLen, unsigned char *key, unsigned char *iv, unsigned char *output, const EVP_CIPHER *type)
{
    EVP_CIPHER_CTX *ctx = NULL;
    int len = 0;
    int outputLen = 0;

    do
    {
        /* Create and initialize the context */
        if(!(ctx = EVP_CIPHER_CTX_new()))
        {
            break;
        }

        /*
         * Initialize the encryption operation.
         */
        if(1 != EVP_EncryptInit_ex2(ctx, type, key, iv, NULL))
        {
            break;
        }

        /*
         * Provide the message to be encrypted, and obtain the encrypted output.
         * EVP_EncryptUpdate can be called multiple times if necessary
         */
        if(1 != EVP_EncryptUpdate(ctx, output, &outputLen, input, inputLen))
        {
            break;
        }

        /*
         * Finalize the encryption. Further output bytes may be written at
         * this stage.
         */
        if(1 != EVP_EncryptFinal_ex(ctx, output + outputLen, &len))
        {
            break;
        }

        outputLen += len;
    }while(false);

    /* Clean up */
    if(ctx)
        EVP_CIPHER_CTX_free(ctx);

    return outputLen;
}
________________________________
From: Matt Caswell <matt at openssl.org>
Sent: Monday, December 6, 2021 7:19 PM
To: Shivakumar Poojari <Shivakumar.Poojari at rbbn.com>; openssl-users at openssl.org <openssl-users at openssl.org>
Cc: Amballi, Kishor <kamballi at rbbn.com>; Bhattacharjee, Debapriyo (c) <dbhattacharjee at rbbn.com>; Kumar Mishra, Sanjeev <Sanjeev.Kumar-Mishra at rbbn.com>
Subject: [EXTERNAL] Re: Need Replacement for Deprecated function



On 06/12/2021 12:26, Shivakumar Poojari wrote:
> Hi All,
>
> We are upgrading our code to openssl 3.0.
>
> Need Replacement for below Deprecated function.
>
> DSE:
> DES_set_key();
> DES_ecb_encrypt();
>
> AES:
> AES_set_encrypt_key();
> AES_set_decrypt_key();
> AES_wrap_key();
> AES_unwrap_key();--- perivously i upgraded AES function with EVP related
> function but wrap/unwraper is something new.
>

All the DES and AES functions are just replaced by the EVP functions.
 From the migration guide:

"Low-level encryption functions such as AES_encrypt(3) and
AES_decrypt(3) have been informally discouraged from use for a long
time. Applications should instead use the high level EVP APIs
EVP_EncryptInit_ex(3), EVP_EncryptUpdate(3), and EVP_EncryptFinal_ex(3)
or EVP_DecryptInit_ex(3), EVP_DecryptUpdate(3) and EVP_DecryptFinal_ex(3)."


The wrap/unwrap functionality is the same but you use the "wrap" ciphers:

https://clicktime.symantec.com/3YBoRtRxfsEzqu7jB1kQRdi6H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2FEVP_CIPHER-AES.html

The following "wrap" ciphers are supported:

"AES-128-WRAP", "AES-192-WRAP", "AES-256-WRAP", "AES-128-WRAP-PAD",
"AES-192-WRAP-PAD", "AES-256-WRAP-PAD", "AES-128-WRAP-INV",
"AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV",
"AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV"


> DH:
> DH_new();
> DH_set0_pqg();
> DH_generate_key();
> DH_get0_key();
> DH_free();
> DH_set0_key();
> DH_size();
> DH_compute_key();

All the DH functions are replaced by the EVP key exchange functionality.

In particular see this page:

https://clicktime.symantec.com/3QwQe8oMQp2ycuXi1g6n3276H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2FEVP_KEYEXCH-DH.html

and

https://clicktime.symantec.com/3HxeDKVhVDjB4zstTvgpdpJ6H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FEVP_PKEY_derive.html


>
> HMAC:
> HMAC_CTX_new();compiler suggestion EVP_MAC_CTX_new();
> HMAC_Init_ex();
> HMAC_CTX_free();compiler suggestion EVP_MAC_CTX_free();
> HMAC_Update();compiler suggestion EVP_MAC_update();
> HMAC_Final();compiler suggestion EVP_MAC_final();

Use the EVP_MAC functions. In particular see:

https://clicktime.symantec.com/3E4wr8pyUbGoHvQV24ZcU176H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FEVP_MAC.html

and

https://clicktime.symantec.com/3Jt5BYvGZ2j2MurnueNjzss6H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2FEVP_MAC-HMAC.html

Matt


>
> I'm not able to find proper replacement, Please help me out
>
> Thanks,
> Shiva Kumar
>
> Notice: This e-mail together with any attachments may contain
> information of Ribbon Communications Inc. and its Affiliates that is
> confidential and/or proprietary for the sole use of the intended
> recipient. Any review, disclosure, reliance or distribution by others or
> forwarding without express permission is strictly prohibited. If you are
> not the intended recipient, please notify the sender immediately and
> then delete all copies, including any attachments.

Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211213/22810e10/attachment-0001.htm>


More information about the openssl-users mailing list