[openssl] master update

Dr. Paul Dale pauli at openssl.org
Sun Apr 19 00:40:44 UTC 2020


The branch master has been updated
      from  e0331eb8b818ed0daac45e0786571958f744d398 (commit)


- Log -----------------------------------------------------------------
commit 09ec5e6f5d08a854d40e4a1847759fc6a5793ec6
Author: Pauli <paul.dale at oracle.com>
Date:   Sun Apr 19 10:36:01 2020 +1000

    dhparam: white space cleaning
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 61b2afb50ac3ba061765c71b6345a6e83917d27d
Author: Pauli <paul.dale at oracle.com>
Date:   Fri Apr 17 21:50:50 2020 +1000

    apps: undeprecate the conditioned out apps
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 19d9be09d15e7c621402d2e29a08426625ccd71f
Author: Pauli <paul.dale at oracle.com>
Date:   Thu Mar 5 10:06:29 2020 +1000

    openssl: include the version a command was deprecated in the output text.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit f84fe4f448a34ea64443605000ecb344e6619e92
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 3 17:40:00 2020 +1000

    apps: reinstate deprecated commands but using PKEY APIs
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 7539cb70eb2b0713fbebda877ac411009d9c9ecc
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 3 11:01:26 2020 +1000

    dsaparam: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit b304f8567cbf9557871b00f0c3dd57b054f5d7f3
Author: Pauli <paul.dale at oracle.com>
Date:   Fri Mar 13 09:06:04 2020 +1000

    CHANGES: note which command line utilities are marked for deprecation but still available.
    
    Some of the utilities are much easier to use than their pkey alternatives.
    These have been modified to use the PKEY APIs but still note that they are
    deprecated.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 769cfc3bd031689cdb9fb3d257ee68b04979fc28
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 10 15:10:37 2020 +1000

    Undeprecate DH_get_length() and DH_set_length() functions
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit dddbbc6f3912c0c9ec4a9178a315445f62ecae5d
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 10 15:09:18 2020 +1000

    gendsa: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 8f7e1f68ccf875d1f10067dc951d5aa697b820be
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 10 15:08:05 2020 +1000

    genrsa: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 99a7c3a7bf98c7b8d1df943ab7f53cc26aec65dd
Author: Pauli <paul.dale at oracle.com>
Date:   Thu Mar 5 10:06:29 2020 +1000

    openssl: include the version a command was deprecated in the output text.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 188dd86ab455eec54e4d940b545ae82ad23b4f1a
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 3 17:40:00 2020 +1000

    apps: reinstate deprecated commands but using PKEY APIs
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit ccefc3411e8870776b83fe740664c1e23217eb9c
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 3 17:38:39 2020 +1000

    dhparam: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit b0cfe526d75359e9bf992df16fce32854593cab3
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 3 11:03:47 2020 +1000

    tests: reinstate tests for deprecated but non-removed functionality
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit cd3572a110ae7ea2e7f1e9be0badafa7679a628a
Author: Pauli <paul.dale at oracle.com>
Date:   Tue Mar 3 11:01:26 2020 +1000

    dsaparam: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit 54affb77c54edfa8159cb773f4b5e9e67054b37e
Author: Pauli <paul.dale at oracle.com>
Date:   Mon Mar 2 14:30:36 2020 +1000

    rsa: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

commit b940349de1184d050bed069622e2f929533efa45
Author: Pauli <paul.dale at oracle.com>
Date:   Mon Mar 2 14:30:26 2020 +1000

    dsa: update command line app to use EVP calls
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/11225)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                 |  39 +++++++------
 apps/build.info            |  23 ++++----
 apps/dhparam.c             | 135 +++++++++++++++++++++++++++------------------
 apps/dsa.c                 |  26 ++++-----
 apps/dsaparam.c            | 104 +++++++++++++++++++++++++---------
 apps/gendsa.c              |  32 ++++++++++-
 apps/genrsa.c              |  86 ++++++++++++++++++-----------
 apps/include/function.h    |   1 +
 apps/openssl.c             |  17 +++---
 apps/progs.pl              |  45 +++++++++------
 apps/rsa.c                 |  52 +++++++++--------
 doc/man3/DH_get0_pqg.pod   |  11 ++--
 include/openssl/dh.h       |   4 +-
 include/openssl/rsa.h      |   6 +-
 test/recipes/15-test_dsa.t |  32 ++++-------
 test/recipes/15-test_ec.t  |   2 +-
 test/recipes/15-test_rsa.t |   9 +--
 util/libcrypto.num         |   4 +-
 18 files changed, 381 insertions(+), 247 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 4b7a73dc89..5b73989a0c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -79,11 +79,6 @@ OpenSSL 3.0
 
    *Richard Levitte*
 
- * The command line utilities ecparam and ec have been deprecated.  Instead
-   use the pkeyparam, pkey and genpkey programs.
-
-   *Paul Dale*
-
  * All of the low level RSA functions have been deprecated including:
 
    RSA_new_method, RSA_bits, RSA_size, RSA_security_bits,
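Review bot: Removing the ecparam/ec entry leaves CHANGES.md with no statement at all about those two utilities, while the next hunk gives dhparam, dsa, gendsa, dsaparam, genrsa and rsa an explicit "maintenance mode" entry. If ec and ecparam are being kept on the same terms, add a matching entry here so that readers of the earlier deprecation notice can see it was reversed.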
@@ -138,25 +133,35 @@ OpenSSL 3.0
    *Kurt Roeckx*
 
  * The command line utilities dhparam, dsa, gendsa and dsaparam have been
-   deprecated.  Instead use the pkeyparam, pkey, genpkey and pkeyparam
-   programs respectively.
+   modified to use PKEY APIs.  These commands are now in maintenance mode
+   and no new features will be added to them.
+
+   *Paul Dale*
+
+ * The command line utility rsautl has been deprecated.
+   Instead use the pkeyutl program.
+
+   *Paul Dale*
+
+ * The command line utilities genrsa and rsa have been modified to use PKEY
+   APIs  These commands are now in maintenance mode and no new features will
+   be added to them.
 
    *Paul Dale*
 
  * All of the low level DH functions have been deprecated including:
 
-   DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
-   DH_new_method, DH_bits, DH_size, DH_security_bits, DH_get_ex_new_index,
-   DH_set_ex_data, DH_get_ex_data, DH_generate_parameters_ex,
-   DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
-   DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
-   DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
-   DH_KDF_X9_42, DH_get0_engine, DH_get_length, DH_set_length, DH_meth_new,
+   DH_OpenSSL, DH_set_default_method, DH_get_default_method,
+   DH_set_method, DH_new_method, DH_bits, DH_size, DH_security_bits,
+   DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data,
+   DH_generate_parameters_ex, DH_check_params_ex, DH_check_ex,
+   DH_check_pub_key_ex, DH_check, DH_check_pub_key, DH_generate_key,
+   DH_compute_key, DH_compute_key_padded, DHparams_print_fp,
+   DHparams_print, DH_get_nid, DH_KDF_X9_42, DH_get0_engine, DH_meth_new,
    DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name,
    DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data,
-   DH_meth_set0_app_data, DH_meth_get_generate_key,
-   DH_meth_set_generate_key, DH_meth_get_compute_key,
-   DH_meth_set_compute_key, DH_meth_get_bn_mod_exp,
+   DH_meth_set0_app_data, DH_meth_get_generate_key, DH_meth_set_generate_key,
+   DH_meth_get_compute_key, DH_meth_set_compute_key, DH_meth_get_bn_mod_exp,
    DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init,
    DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params
    and DH_meth_set_generate_params.
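Review bot: The new genrsa/rsa entry is missing its full stop: `APIs  These commands` should read `APIs.  These commands`, matching the dhparam entry just above it. Separately, the only substantive change to the DH list is dropping DH_get_length and DH_set_length, but the whole list is re-wrapped in the same edit, which hides that two-name removal; keeping the original line breaks would make the undeprecation easy to audit.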
diff --git a/apps/build.info b/apps/build.info
index 06b5ca46d8..f2c62c94dc 100644
--- a/apps/build.info
+++ b/apps/build.info
@@ -34,18 +34,21 @@ ENDIF
 IF[{- !$disabled{'ts'} -}]
   $OPENSSLSRC=$OPENSSLSRC ts.c
 ENDIF
+IF[{- !$disabled{'dh'} -}]
+$OPENSSLSRC=$OPENSSLSRC dhparam.c
+ENDIF
+IF[{- !$disabled{'dsa'} -}]
+$OPENSSLSRC=$OPENSSLSRC dsa.c dsaparam.c gendsa.c
+ENDIF
+IF[{- !$disabled{'engine'} -}]
+$OPENSSLSRC=$OPENSSLSRC engine.c
+ENDIF
+IF[{- !$disabled{'rsa'} -}]
+$OPENSSLSRC=$OPENSSLSRC rsa.c genrsa.c
+ENDIF
 IF[{- !$disabled{'deprecated-3.0'} -}]
-  IF[{- !$disabled{'dh'} -}]
-    $OPENSSLSRC=$OPENSSLSRC dhparam.c
-  ENDIF
-  IF[{- !$disabled{'dsa'} -}]
-    $OPENSSLSRC=$OPENSSLSRC dsa.c dsaparam.c gendsa.c
-  ENDIF
-  IF[{- !$disabled{'engine'} -}]
-    $OPENSSLSRC=$OPENSSLSRC engine.c
-  ENDIF
   IF[{- !$disabled{'rsa'} -}]
-    $OPENSSLSRC=$OPENSSLSRC rsa.c rsautl.c genrsa.c
+    $OPENSSLSRC=$OPENSSLSRC rsautl.c
   ENDIF
 ENDIF
 IF[{- !$disabled{'cmp'} -}]
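Review bot: The four IF blocks hoisted out of the deprecated-3.0 guard lose the two-space indent on their `$OPENSSLSRC=...` lines, unlike the `ts.c` block directly above them; please keep the file's indentation. Also, engine.c moves out of the guard together with the DH, DSA and RSA apps, which none of the commit messages in this series mention; confirm that building the engine app in a no-deprecated configuration is intended.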
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 019a7ce8ab..c8abb5ac41 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -7,9 +7,10 @@
  * https://www.openssl.org/source/license.html
  */
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 /* We need to use some deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
+# define OPENSSL_SUPPRESS_DEPRECATED
+#endif
 #include <openssl/opensslconf.h>
 
 #include <stdio.h>
@@ -25,13 +26,16 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 # include <openssl/dsa.h>
 #endif
 
 #define DEFBITS 2048
 
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 static int dh_cb(int p, int n, BN_GENCB *cb);
+#endif
+static int gendh_cb(EVP_PKEY_CTX *ctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -81,9 +85,11 @@ int dhparam_main(int argc, char **argv)
 {
     BIO *in = NULL, *out = NULL;
     DH *dh = NULL;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
     char *infile = NULL, *outfile = NULL, *prog;
     ENGINE *e = NULL;
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     int dsaparam = 0;
 #endif
     int i, text = 0, C = 0, ret = 1, num = 0, g = 0;
@@ -127,7 +133,11 @@ int dhparam_main(int argc, char **argv)
             break;
         case OPT_DSAPARAM:
 #ifndef OPENSSL_NO_DSA
+# ifdef OPENSSL_NO_DEPRECATED_3_0
+            BIO_printf(bio_err, "The dsaparam option is deprecated.\n");
+# else
             dsaparam = 1;
+# endif
 #endif
             break;
         case OPT_C:
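Review bot: In the OPT_DSAPARAM case, a no-deprecated build prints "The dsaparam option is deprecated." and then carries on, so a user who asked for DSA-style parameters silently gets ordinary DH parameters and a zero exit status. Treat the option as an error in that configuration (for example `goto opthelp` or `goto end`), and word the message to say the option is unavailable in this build rather than deprecated.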
@@ -164,7 +174,7 @@ int dhparam_main(int argc, char **argv)
     if (g && !num)
         num = DEFBITS;
 
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (dsaparam && g) {
         BIO_printf(bio_err,
                    "generator may not be chosen for DSA parameters\n");
@@ -182,18 +192,18 @@ int dhparam_main(int argc, char **argv)
 
     if (num) {
 
-        BN_GENCB *cb;
-        cb = BN_GENCB_new();
-        if (cb == NULL) {
-            ERR_print_errors(bio_err);
-            goto end;
-        }
 
-        BN_GENCB_set(cb, dh_cb, bio_err);
-
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
         if (dsaparam) {
             DSA *dsa = DSA_new();
+            BN_GENCB *cb  = BN_GENCB_new();
+
+            if (cb == NULL) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+
+            BN_GENCB_set(cb, dh_cb, bio_err);
 
             BIO_printf(bio_err,
                        "Generating DSA parameters, %d bit long prime\n", num);
@@ -208,34 +218,51 @@ int dhparam_main(int argc, char **argv)
 
             dh = DSA_dup_DH(dsa);
             DSA_free(dsa);
+            BN_GENCB_free(cb);
             if (dh == NULL) {
-                BN_GENCB_free(cb);
                 ERR_print_errors(bio_err);
                 goto end;
             }
         } else
 #endif
         {
-            dh = DH_new();
+            ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+            if (ctx == NULL) {
+                ERR_print_errors(bio_err);
+                BIO_printf(bio_err,
+                           "Error, DH key generation context allocation failed\n");
+                goto end;
+            }
+            EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
+            EVP_PKEY_CTX_set_app_data(ctx, bio_err);
             BIO_printf(bio_err,
                        "Generating DH parameters, %d bit long safe prime, generator %d\n",
                        num, g);
             BIO_printf(bio_err, "This is going to take a long time\n");
-            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
-                BN_GENCB_free(cb);
+            if (!EVP_PKEY_paramgen_init(ctx)) {
+                BIO_printf(bio_err,
+                           "Error, unable to initialise DH param generation\n");
                 ERR_print_errors(bio_err);
                 goto end;
             }
-        }
 
-        BN_GENCB_free(cb);
+            if (!EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, num)) {
+                BIO_printf(bio_err, "Error, unable to set DH prime length\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+            if (!EVP_PKEY_paramgen(ctx, &pkey)) {
+                BIO_printf(bio_err, "Error, DH generation failed\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
     } else {
-
         in = bio_open_default(infile, 'r', informat);
         if (in == NULL)
             goto end;
 
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
         if (dsaparam) {
             DSA *dsa;
 
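Review bot: The EVP generation path never passes the generator to the context: the progress message still prints `generator %d` with g, but only EVP_PKEY_CTX_set_dh_paramgen_prime_len() is called, whereas the removed `DH_generate_parameters_ex(dh, num, g, cb)` honoured g. Add an EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, g) call before EVP_PKEY_paramgen(). The three new calls are also tested with `!`, which takes a negative return as success; the equivalent calls added to dsaparam.c in this patch use `<= 0`. Finally, this branch fills only pkey and leaves dh NULL, while the dsaparam and file-input branches fill only dh, so the code after this point has to cope with either one being unset.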
@@ -264,10 +291,10 @@ int dhparam_main(int argc, char **argv)
                  * We have no PEM header to determine what type of DH params it
                  * is. We'll just try both.
                  */
-                dh = d2i_DHparams_bio(in, NULL);
+                dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHparams, in, NULL);
                 /* BIO_reset() returns 0 for success for file BIOs only!!! */
                 if (dh == NULL && BIO_reset(in) == 0)
-                    dh = d2i_DHxparams_bio(in, NULL);
+                    dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, in, NULL);
             } else {
                 /* informat == FORMAT_PEM */
                 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
@@ -279,37 +306,20 @@ int dhparam_main(int argc, char **argv)
                 goto end;
             }
         }
-
         /* dh != NULL */
     }
 
-    if (text) {
-        DHparams_print(out, dh);
-    }
+    if (text)
+        EVP_PKEY_print_params(out, pkey, 4, NULL);
 
     if (check) {
-        if (!DH_check(dh, &i)) {
+        if (!EVP_PKEY_param_check(ctx) /* DH_check(dh, &i) */) {
             ERR_print_errors(bio_err);
+            BIO_printf(bio_err, "ERROR: Invalid parameters generated\n");
             goto end;
         }
-        if (i & DH_CHECK_P_NOT_PRIME)
-            BIO_printf(bio_err, "WARNING: p value is not prime\n");
-        if (i & DH_CHECK_P_NOT_SAFE_PRIME)
-            BIO_printf(bio_err, "WARNING: p value is not a safe prime\n");
-        if (i & DH_CHECK_Q_NOT_PRIME)
-            BIO_printf(bio_err, "WARNING: q value is not a prime\n");
-        if (i & DH_CHECK_INVALID_Q_VALUE)
-            BIO_printf(bio_err, "WARNING: q value is invalid\n");
-        if (i & DH_CHECK_INVALID_J_VALUE)
-            BIO_printf(bio_err, "WARNING: j value is invalid\n");
-        if (i & DH_UNABLE_TO_CHECK_GENERATOR)
-            BIO_printf(bio_err,
-                       "WARNING: unable to check the generator value\n");
-        if (i & DH_NOT_SUITABLE_GENERATOR)
-            BIO_printf(bio_err, "WARNING: the g value is not a generator\n");
-        if (i == 0)
-            BIO_printf(bio_err, "DH parameters appear to be ok.\n");
-        if (num != 0 && i != 0) {
+        BIO_printf(bio_err, "DH parameters appear to be ok.\n");
+        if (num != 0) {
             /*
              * We have generated parameters but DH_check() indicates they are
              * invalid! This should never happen!
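Review bot: After a successful check, `if (num != 0)` now enters the block whose comment describes invalid generated parameters, because the `i != 0` half of the old condition was dropped with nothing in its place; every generate-and-check run takes the "should never happen" path right after printing "DH parameters appear to be ok.". That block belongs in the failure branch of EVP_PKEY_param_check() or should be removed. In the same hunk, EVP_PKEY_print_params(out, pkey, ...) and EVP_PKEY_param_check(ctx) are reached with pkey and ctx still NULL when the parameters were read from a file, since only the generation branch sets them, and the check result is tested with `!` rather than `<= 0`. The per-flag warnings (p not prime, p not a safe prime, unsuitable generator) collapse into one pass/fail message, which is a loss for anyone using -check to vet third-party parameters; and the commented-out `/* DH_check(dh, &i) */` should be deleted.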
@@ -323,8 +333,9 @@ int dhparam_main(int argc, char **argv)
         int len, bits;
         const BIGNUM *pbn, *gbn;
 
-        len = DH_size(dh);
-        bits = DH_bits(dh);
+        dh = EVP_PKEY_get0_DH(pkey);
+        len = EVP_PKEY_size(pkey);
+        bits = EVP_PKEY_size(pkey);
         DH_get0_pqg(dh, &pbn, NULL, &gbn);
         data = app_malloc(len, "print a BN");
 
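Review bot: `bits = EVP_PKEY_size(pkey);` assigns the same value as `len` on the line above it; the line it replaces called DH_bits(), so this should be EVP_PKEY_bits(pkey). As written, bits holds the size in bytes. Also, `dh = EVP_PKEY_get0_DH(pkey)` overwrites a dh that was loaded from a file or produced by the dsaparam branch, and in both of those cases pkey is still NULL; either populate pkey on every path or only derive dh from pkey when pkey is set.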
@@ -362,9 +373,9 @@ int dhparam_main(int argc, char **argv)
         DH_get0_pqg(dh, NULL, &q, NULL);
         if (outformat == FORMAT_ASN1) {
             if (q != NULL)
-                i = i2d_DHxparams_bio(out, dh);
+                i = ASN1_i2d_bio_of(DH, i2d_DHxparams, out, dh);
             else
-                i = i2d_DHparams_bio(out, dh);
+                i = ASN1_i2d_bio_of(DH, i2d_DHparams, out, dh);
         } else if (q != NULL) {
             i = PEM_write_bio_DHxparams(out, dh);
         } else {
@@ -380,17 +391,31 @@ int dhparam_main(int argc, char **argv)
  end:
     BIO_free(in);
     BIO_free_all(out);
-    DH_free(dh);
+    EVP_PKEY_free(pkey);
+    EVP_PKEY_CTX_free(ctx);
     release_engine(e);
     return ret;
 }
 
-static int dh_cb(int p, int n, BN_GENCB *cb)
+static int common_dh_cb(int p, BIO *b)
 {
     static const char symbols[] = ".+*\n";
     char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
 
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    BIO_write(b, &c, 1);
+    (void)BIO_flush(b);
     return 1;
 }
+
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+static int dh_cb(int p, int n, BN_GENCB *cb)
+{
+    return common_dh_cb(p, BN_GENCB_get_arg(cb));
+}
+#endif
+
+static int gendh_cb(EVP_PKEY_CTX *ctx)
+{
+    return common_dh_cb(EVP_PKEY_CTX_get_keygen_info(ctx, 0),
+                        EVP_PKEY_CTX_get_app_data(ctx));
+}
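Review bot: DH_free(dh) is removed from the `end:` label, but dh is still assigned from owning calls elsewhere in this file (DSA_dup_DH(), ASN1_d2i_bio_of(), PEM_read_bio_DHparams()), so those objects are now leaked. The new `dh = EVP_PKEY_get0_DH(pkey)` is a borrowed pointer that must not be freed, so one variable now carries both owned and borrowed values. Use a separate variable for the borrowed pointer, or switch to EVP_PKEY_get1_DH() and keep the DH_free(dh) call.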
diff --git a/apps/dsa.c b/apps/dsa.c
index 200e959fb0..f4677ddb1c 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated DSA_print */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 
 #include <stdio.h>
@@ -73,6 +70,7 @@ int dsa_main(int argc, char **argv)
     BIO *out = NULL;
     DSA *dsa = NULL;
     ENGINE *e = NULL;
+    EVP_PKEY *pkey = NULL;
     const EVP_CIPHER *enc = NULL;
     char *infile = NULL, *outfile = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
@@ -166,19 +164,13 @@ int dsa_main(int argc, char **argv)
     }
 
     BIO_printf(bio_err, "read DSA key\n");
-    {
-        EVP_PKEY *pkey;
-
-        if (pubin)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
-        else
-            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+    if (pubin)
+        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+    else
+        pkey = load_key(infile, informat, 1, passin, e, "Private Key");
 
-        if (pkey != NULL) {
-            dsa = EVP_PKEY_get1_DSA(pkey);
-            EVP_PKEY_free(pkey);
-        }
-    }
+    if (pkey != NULL)
+        dsa = EVP_PKEY_get1_DSA(pkey);
 
     if (dsa == NULL) {
         BIO_printf(bio_err, "unable to load Key\n");
@@ -192,7 +184,8 @@ int dsa_main(int argc, char **argv)
 
     if (text) {
         assert(pubin || private);
-        if (!DSA_print(out, dsa, 0)) {
+        if ((pubin && EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
+            || (!pubin && EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)) {
             perror(outfile);
             ERR_print_errors(bio_err);
             goto end;
@@ -269,6 +262,7 @@ int dsa_main(int argc, char **argv)
     ret = 0;
  end:
     BIO_free_all(out);
+    EVP_PKEY_free(pkey);
     DSA_free(dsa);
     release_engine(e);
     OPENSSL_free(passin);
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 11f47b44c4..54faf2c713 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use some deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 
 #include <stdio.h>
@@ -27,7 +24,7 @@
 
 static int verbose = 0;
 
-static int dsa_cb(int p, int n, BN_GENCB *cb);
+static int gendsa_cb(EVP_PKEY_CTX *ctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -71,7 +68,8 @@ int dsaparam_main(int argc, char **argv)
     ENGINE *e = NULL;
     DSA *dsa = NULL;
     BIO *in = NULL, *out = NULL;
-    BN_GENCB *cb = NULL;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
     int numbits = -1, num = 0, genkey = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
     int ret = 1, i, text = 0, private = 0;
@@ -150,6 +148,13 @@ int dsaparam_main(int argc, char **argv)
     if (out == NULL)
         goto end;
 
+    ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+    if (ctx == NULL) {
+        ERR_print_errors(bio_err);
+        BIO_printf(bio_err,
+                   "Error, DSA parameter generation context allocation failed\n");
+        goto end;
+    }
     if (numbits > 0) {
         if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
             BIO_printf(bio_err,
@@ -157,27 +162,36 @@ int dsaparam_main(int argc, char **argv)
                        "         Your key size is %d! Larger key size may behave not as expected.\n",
                        OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
 
-        cb = BN_GENCB_new();
-        if (cb == NULL) {
-            BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
-            goto end;
-        }
-        BN_GENCB_set(cb, dsa_cb, bio_err);
-        dsa = DSA_new();
-        if (dsa == NULL) {
-            BIO_printf(bio_err, "Error allocating DSA object\n");
-            goto end;
-        }
+        EVP_PKEY_CTX_set_cb(ctx, gendsa_cb);
+        EVP_PKEY_CTX_set_app_data(ctx, bio_err);
         if (verbose) {
             BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
                        num);
             BIO_printf(bio_err, "This could take some time\n");
         }
-        if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) {
+        if (EVP_PKEY_paramgen_init(ctx) <= 0) {
+            ERR_print_errors(bio_err);
+            BIO_printf(bio_err,
+                       "Error, DSA key generation paramgen init failed\n");
+            goto end;
+        }
+        if (!EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num)) {
+            ERR_print_errors(bio_err);
+            BIO_printf(bio_err,
+                       "Error, DSA key generation setting bit length failed\n");
+            goto end;
+        }
+        if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
             ERR_print_errors(bio_err);
             BIO_printf(bio_err, "Error, DSA key generation failed\n");
             goto end;
         }
+        dsa = EVP_PKEY_get1_DSA(pkey);
+        if (dsa == NULL) {
+            ERR_print_errors(bio_err);
+            BIO_printf(bio_err, "Error, DSA key extraction failed\n");
+            goto end;
+        }
     } else if (informat == FORMAT_ASN1) {
         dsa = d2i_DSAparams_bio(in, NULL);
     } else {
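Review bot: `!EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num)` is the one call in this block tested with `!`, while EVP_PKEY_paramgen_init() and EVP_PKEY_paramgen() on either side of it use `<= 0`; use `<= 0` here too so a negative return is not taken as success. The new error strings also say "DSA key generation" for what is parameter generation ("paramgen init failed", "setting bit length failed"); wording them as parameter generation would keep them distinct from the -genkey failures later in the function.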
@@ -189,8 +203,21 @@ int dsaparam_main(int argc, char **argv)
         goto end;
     }
 
+    if (pkey == NULL) {
+        pkey = EVP_PKEY_new();
+        if (pkey == NULL) {
+            BIO_printf(bio_err, "Error, unable to allocate PKEY object\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
+            BIO_printf(bio_err, "Error, unable to set DSA parameters\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
     if (text) {
-        DSAparams_print(out, dsa);
+        EVP_PKEY_print_params(out, pkey, 0, NULL);
     }
 
     if (C) {
@@ -246,11 +273,28 @@ int dsaparam_main(int argc, char **argv)
     if (genkey) {
         DSA *dsakey;
 
-        if ((dsakey = DSAparams_dup(dsa)) == NULL)
+        EVP_PKEY_CTX_free(ctx);
+        ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+        if (ctx == NULL) {
+            ERR_print_errors(bio_err);
+            BIO_printf(bio_err,
+                       "Error, DSA key generation context allocation failed\n");
             goto end;
-        if (!DSA_generate_key(dsakey)) {
+        }
+        if (!EVP_PKEY_keygen_init(ctx)) {
+            BIO_printf(bio_err, "unable to initialise for key generation\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (!EVP_PKEY_keygen(ctx, &pkey)) {
+            BIO_printf(bio_err, "unable to generate key\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        dsakey = EVP_PKEY_get0_DSA(pkey);
+        if (dsakey == NULL) {
+            BIO_printf(bio_err, "unable to extract generated key\n");
             ERR_print_errors(bio_err);
-            DSA_free(dsakey);
             goto end;
         }
         assert(private);
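Review bot: The key-generation context is created with `EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL)`, so the parameters that were just generated or loaded are never attached to it, whereas the removed code started from DSAparams_dup(dsa). gendsa.c in this same patch builds the context with EVP_PKEY_CTX_new(pkey, NULL) for exactly this step; do the same here so the key is generated over the parameters that are written out. EVP_PKEY_keygen(ctx, &pkey) is also handed a pkey that already holds the parameter object, and both new calls are tested with `!` rather than `<= 0`.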
@@ -259,27 +303,33 @@ int dsaparam_main(int argc, char **argv)
         else
             i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
                                             NULL);
-        DSA_free(dsakey);
     }
     ret = 0;
  end:
-    BN_GENCB_free(cb);
     BIO_free(in);
     BIO_free_all(out);
+    EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
     DSA_free(dsa);
     release_engine(e);
     return ret;
 }
 
-static int dsa_cb(int p, int n, BN_GENCB *cb)
+static int gendsa_cb(EVP_PKEY_CTX *ctx)
 {
     static const char symbols[] = ".+*\n";
-    char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
+    int p;
+    char c;
+    BIO *b;
 
     if (!verbose)
         return 1;
 
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    b = EVP_PKEY_CTX_get_app_data(ctx);
+    p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+    c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
+
+    BIO_write(b, &c, 1);
+    (void)BIO_flush(b);
     return 1;
 }
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 56939c56d1..cd180ae5e6 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -58,6 +58,8 @@ int gendsa_main(int argc, char **argv)
     ENGINE *e = NULL;
     BIO *out = NULL, *in = NULL;
     DSA *dsa = NULL;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
     const EVP_CIPHER *enc = NULL;
     char *dsaparams = NULL;
     char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
@@ -139,14 +141,38 @@ int gendsa_main(int argc, char **argv)
                    "         Your key size is %d! Larger key size may behave not as expected.\n",
                    OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
 
+    pkey = EVP_PKEY_new();
+    if (pkey == NULL) {
+        BIO_printf(bio_err, "unable to allocate PKEY\n");
+        goto end;
+    }
+    if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
+        BIO_printf(bio_err, "unable to associate DSA parameters with PKEY\n");
+        goto end;
+    }
+    ctx = EVP_PKEY_CTX_new(pkey, NULL);
+    if (ctx == NULL) {
+        BIO_printf(bio_err, "unable to create PKEY context\n");
+        goto end;
+    }
+    EVP_PKEY_free(pkey);
+    pkey = NULL;
+    if (EVP_PKEY_keygen_init(ctx) <= 0) {
+        BIO_printf(bio_err, "unable to set up for key generation\n");
+        goto end;
+    }
     if (verbose)
         BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
-    if (!DSA_generate_key(dsa))
+    if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
+        BIO_printf(bio_err, "unable to generate key\n");
         goto end;
+    }
 
     assert(private);
-    if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
+    if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) {
+        BIO_printf(bio_err, "unable to output generated key\n");
         goto end;
+    }
     ret = 0;
  end:
     if (ret != 0)
@@ -155,6 +181,8 @@ int gendsa_main(int argc, char **argv)
     BIO_free(in);
     BIO_free_all(out);
     DSA_free(dsa);
+    EVP_PKEY_free(pkey);
+    EVP_PKEY_CTX_free(ctx);
     release_engine(e);
     OPENSSL_free(passout);
     return ret;
diff --git a/apps/genrsa.c b/apps/genrsa.c
index deeac112b1..17b575620a 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated RSA low level calls */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 
 #include <stdio.h>
@@ -32,7 +29,7 @@
 
 static int verbose = 0;
 
-static int genrsa_cb(int p, int n, BN_GENCB *cb);
+static int genrsa_cb(EVP_PKEY_CTX *ctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -73,24 +70,24 @@ const OPTIONS genrsa_options[] = {
 int genrsa_main(int argc, char **argv)
 {
     BN_GENCB *cb = BN_GENCB_new();
-    PW_CB_DATA cb_data;
     ENGINE *eng = NULL;
     BIGNUM *bn = BN_new();
+    RSA *rsa;
     BIO *out = NULL;
     const BIGNUM *e;
-    RSA *rsa = NULL;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
     const EVP_CIPHER *enc = NULL;
     int ret = 1, num = DEFBITS, private = 0, primes = DEFPRIMES;
     unsigned long f4 = RSA_F4;
     char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
     char *prog, *hexe, *dece;
     OPTION_CHOICE o;
+    unsigned char *ebuf = NULL;
 
     if (bn == NULL || cb == NULL)
         goto end;
 
-    BN_GENCB_set(cb, genrsa_cb, bio_err);
-
     prog = opt_init(argc, argv, genrsa_options);
     while ((o = opt_next()) != OPT_EOF) {
         switch (o) {
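Review bot: Two locals in genrsa_main are left without a purpose by this patch. With BN_GENCB_set() removed, cb is only allocated, NULL-checked and freed in the lines shown, and the new ebuf is initialised to NULL and later passed to OPENSSL_free() without ever being assigned. Drop both (and the cb == NULL test) unless a follow-up change needs them. RSA *rsa also loses its = NULL initialiser; that is safe only because it is assigned before use inside the verbose block.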
@@ -104,7 +101,7 @@ opthelp:
             opt_help(genrsa_options);
             goto end;
         case OPT_3:
-            f4 = 3;
+            f4 = RSA_3;
             break;
         case OPT_F4:
             f4 = RSA_F4;
@@ -165,49 +162,74 @@ opthelp:
     if (out == NULL)
         goto end;
 
+    if (!init_gen_str(&ctx, "RSA", eng, 0))
+        goto end;
+
+    EVP_PKEY_CTX_set_cb(ctx, genrsa_cb);
+    EVP_PKEY_CTX_set_app_data(ctx, bio_err);
+
+    if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, num) <= 0) {
+        BIO_printf(bio_err, "Error setting RSA length\n");
+        goto end;
+    }
+    if (!BN_set_word(bn, f4)) {
+        BIO_printf(bio_err, "Error allocating RSA public exponent\n");
+        goto end;
+    }
+    if (EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, bn) <= 0) {
+        BIO_printf(bio_err, "Error setting RSA public exponent\n");
+        goto end;
+    }
+    if (EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, primes) <= 0) {
+        BIO_printf(bio_err, "Error setting number of primes\n");
+        goto end;
+    }
     if (verbose)
         BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus (%d primes)\n",
                    num, primes);
-    rsa = eng ? RSA_new_method(eng) : RSA_new();
-    if (rsa == NULL)
-        goto end;
-
-    if (!BN_set_word(bn, f4)
-        || !RSA_generate_multi_prime_key(rsa, num, primes, bn, cb))
+    if (!EVP_PKEY_keygen(ctx, &pkey)) {
+        BIO_printf(bio_err, "Error generating RSA key\n");
         goto end;
+    }
 
-    RSA_get0_key(rsa, NULL, &e, NULL);
-    hexe = BN_bn2hex(e);
-    dece = BN_bn2dec(e);
-    if (hexe && dece && verbose) {
-        BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
+    if (verbose) {
+        if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
+            RSA_get0_key(rsa, NULL, &e, NULL);
+        } else {
+            BIO_printf(bio_err, "Error cannot access RSA e\n");
+            goto end;
+        }
+        hexe = BN_bn2hex(e);
+        dece = BN_bn2dec(e);
+        if (hexe && dece) {
+            BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
+        }
+        OPENSSL_free(hexe);
+        OPENSSL_free(dece);
     }
-    OPENSSL_free(hexe);
-    OPENSSL_free(dece);
-    cb_data.password = passout;
-    cb_data.prompt_info = outfile;
-    assert(private);
-    if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
-                                     (pem_password_cb *)password_callback,
-                                     &cb_data))
+    if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
         goto end;
 
     ret = 0;
  end:
     BN_free(bn);
     BN_GENCB_free(cb);
-    RSA_free(rsa);
+    EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
     BIO_free_all(out);
     release_engine(eng);
     OPENSSL_free(passout);
+    OPENSSL_free(ebuf);
     if (ret != 0)
         ERR_print_errors(bio_err);
     return ret;
 }
 
-static int genrsa_cb(int p, int n, BN_GENCB *cb)
+static int genrsa_cb(EVP_PKEY_CTX *ctx)
 {
     char c = '*';
+    BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
+    int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
 
     if (!verbose)
         return 1;
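Review bot: The new check "if (!EVP_PKEY_keygen(ctx, &pkey))" treats a negative return as success. EVP_PKEY_keygen() returns 1 on success and 0 or a negative value on failure (-2 when the operation is not supported), and both the setters a few lines above and the gendsa change test "<= 0"; use "EVP_PKEY_keygen(ctx, &pkey) <= 0" here too, otherwise pkey can still be NULL when it reaches EVP_PKEY_get0_RSA() or PEM_write_bio_PrivateKey(). Two smaller points: the assert(private) before the private key is written has been dropped while gendsa keeps it, and the PEM_write_bio_PrivateKey() failure path prints no message of its own, unlike the gendsa version.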
@@ -220,7 +242,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
         c = '*';
     if (p == 3)
         c = '\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    BIO_write(b, &c, 1);
+    (void)BIO_flush(b);
     return 1;
 }
diff --git a/apps/include/function.h b/apps/include/function.h
index 28eb3e5d1c..58657cdf43 100644
--- a/apps/include/function.h
+++ b/apps/include/function.h
@@ -26,6 +26,7 @@ typedef struct function_st {
     int (*func)(int argc, char *argv[]);
     const OPTIONS *help;
     const char *deprecated_alternative;
+    const char *deprecated_version;
 } FUNCTION;
 
 DEFINE_LHASH_OF(FUNCTION);
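Review bot: The new deprecated_version member has no comment, and neither does deprecated_alternative next to it. A line in the struct saying that it holds the dotted version string (progs.pl turns 3_0 into 3.0) and is NULL for commands that are not deprecated would save readers a trip to the generator script.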
diff --git a/apps/openssl.c b/apps/openssl.c
index 558f662e14..e3197daab9 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -47,12 +47,15 @@ BIO *bio_in = NULL;
 BIO *bio_out = NULL;
 BIO *bio_err = NULL;
 
-static void warn_deprecated(const char *pname,
-                            const char *deprecated_alternative)
+static void warn_deprecated(const FUNCTION *fp)
 {
-    BIO_printf(bio_err, "The command %s is deprecated.", pname);
-    if (strcmp(deprecated_alternative, DEPRECATED_NO_ALTERNATIVE) != 0)
-        BIO_printf(bio_err, " Use '%s' instead.", deprecated_alternative);
+    if (fp->deprecated_version != NULL)
+        BIO_printf(bio_err, "The command %s was deprecated in version %s.",
+                   fp->name, fp->deprecated_version);
+    else
+        BIO_printf(bio_err, "The command %s is deprecated.", fp->name);
+    if (strcmp(fp->deprecated_alternative, DEPRECATED_NO_ALTERNATIVE) != 0)
+        BIO_printf(bio_err, " Use '%s' instead.", fp->deprecated_alternative);
     BIO_printf(bio_err, "\n");
 }
 
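Review bot: warn_deprecated() now receives the whole FUNCTION entry but still passes fp->deprecated_alternative to strcmp() without a NULL check, so it is only safe because both callers test fp->deprecated_alternative != NULL first. Since the helper already handles a NULL deprecated_version itself, do the same for deprecated_alternative (return early when it is NULL) so the precondition lives in one place and the callers can simply call warn_deprecated(fp).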
@@ -287,7 +290,7 @@ int main(int argc, char *argv[])
     if (fp != NULL) {
         argv[0] = pname;
         if (fp->deprecated_alternative != NULL)
-            warn_deprecated(pname, fp->deprecated_alternative);
+            warn_deprecated(fp);
         ret = fp->func(argc, argv);
         goto end;
     }
@@ -483,7 +486,7 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
     }
     if (fp != NULL) {
         if (fp->deprecated_alternative != NULL)
-            warn_deprecated(fp->name, fp->deprecated_alternative);
+            warn_deprecated(fp);
         return fp->func(argc, argv);
     }
     if ((strncmp(argv[0], "no-", 3)) == 0) {
diff --git a/apps/progs.pl b/apps/progs.pl
index 03553efb23..b6f40e7e20 100644
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -92,35 +92,48 @@ EOF
 
     my %cmd_disabler = (
         ciphers  => "sock",
+        genrsa   => "rsa",
+        gendsa   => "dsa",
+        dsaparam => "dsa",
+        gendh    => "dh",
+        dhparam  => "dh",
+        ecparam  => "ec",
         pkcs12   => "des",
     );
     my %cmd_deprecated = (
-        rsa      => [ "3_0", "pkey",      "rsa" ],
-        genrsa   => [ "3_0", "genpkey",   "rsa" ],
-        rsautl   => [ "3_0", "pkeyutl",   "rsa" ],
-        dhparam  => [ "3_0", "pkeyparam", "dh" ],
-        dsaparam => [ "3_0", "pkeyparam", "dsa" ],
-        dsa      => [ "3_0", "pkey",      "dsa" ],
-        gendsa   => [ "3_0", "genpkey",   "dsa" ],
-        ec       => [ "3_0", "pkey",      "ec" ],
-        ecparam  => [ "3_0", "pkeyparam", "ec" ],
+# The format of this table is:
+#   [0] = alternative command to use instead
+#   [1] = deprecented in this version
+#   [2] = preprocessor conditional for exclusing irrespective of deprecation
+#        rsa      => [ "pkey",      "3_0", "rsa" ],
+#        genrsa   => [ "genpkey",   "3_0", "rsa" ],
+        rsautl   => [ "pkeyutl",   "3_0", "rsa" ],
+#        dhparam  => [ "pkeyparam", "3_0", "dh"  ],
+#        dsaparam => [ "pkeyparam", "3_0", "dsa" ],
+#        dsa      => [ "pkey",      "3_0", "dsa" ],
+#        gendsa   => [ "genpkey",   "3_0", "dsa" ],
+#        ec       => [ "pkey",      "3_0", "ec"  ],
+#        ecparam  => [ "pkeyparam", "3_0", "ec"  ],
     );
 
     print "FUNCTION functions[] = {\n";
     foreach my $cmd ( @ARGV ) {
         my $str =
-            "    {FT_general, \"$cmd\", ${cmd}_main, ${cmd}_options, NULL},\n";
+            "    {FT_general, \"$cmd\", ${cmd}_main, ${cmd}_options, NULL, NULL},\n";
         if ($cmd =~ /^s_/) {
             print "#ifndef OPENSSL_NO_SOCK\n${str}#endif\n";
         } elsif (my $deprecated = $cmd_deprecated{$cmd}) {
             my @dep = @{$deprecated};
-            print "#if ";
-            if ($dep[2]) {
-                print "!defined(OPENSSL_NO_" . uc($dep[2]) . ") && ";
+            my $daltprg = $dep[0];
+            my $dver = $dep[1];
+            my $dsys = $dep[2];
+            print "#if !defined(OPENSSL_NO_DEPRECATED_" . $dver . ")";
+            if ($dsys) {
+                print " && !defined(OPENSSL_NO_" . uc($dsys) . ")";
             }
-            print "!defined(OPENSSL_NO_DEPRECATED_" . $dep[0] . ")";
-            my $dalt = "\"" . $dep[1] . "\"";
-            $str =~ s/NULL/$dalt/;
+            $dver =~ s/_/./g;
+            my $dalt = "\"" . $daltprg . "\", \"" . $dver . "\"";
+            $str =~ s/NULL, NULL/$dalt/;
             print "\n${str}#endif\n";
         } elsif (grep { $cmd eq $_ } @disablables) {
             print "#ifndef OPENSSL_NO_" . uc($cmd) . "\n${str}#endif\n";
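Review bot: The table comment added to %cmd_deprecated has two typos (deprecented, exclusing), and since the field order it documents was swapped in this same change it is worth getting right: [1] = deprecated in this version, [2] = preprocessor conditional for excluding irrespective of deprecation. The eight entries left commented out would read better deleted, with the reason in the commit message, since only rsautl remains active. Also, s/NULL, NULL/$dalt/ depends on the exact spacing of the template string built a few lines above; a short comment tying the two together, or building the entry from its fields, would make that less fragile.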
diff --git a/apps/rsa.c b/apps/rsa.c
index 25cc6266f8..42eecb18ea 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated RSA low level calls */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 
 #include <stdio.h>
@@ -79,6 +76,8 @@ int rsa_main(int argc, char **argv)
     ENGINE *e = NULL;
     BIO *out = NULL;
     RSA *rsa = NULL;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *pctx;
     const EVP_CIPHER *enc = NULL;
     char *infile = NULL, *outfile = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
@@ -181,30 +180,26 @@ int rsa_main(int argc, char **argv)
         goto end;
     }
 
-    {
-        EVP_PKEY *pkey;
-
-        if (pubin) {
-            int tmpformat = -1;
-            if (pubin == 2) {
-                if (informat == FORMAT_PEM)
-                    tmpformat = FORMAT_PEMRSA;
-                else if (informat == FORMAT_ASN1)
-                    tmpformat = FORMAT_ASN1RSA;
-            } else {
-                tmpformat = informat;
-            }
+    if (pubin) {
+        int tmpformat = -1;
 
-            pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
+        if (pubin == 2) {
+            if (informat == FORMAT_PEM)
+                tmpformat = FORMAT_PEMRSA;
+            else if (informat == FORMAT_ASN1)
+                tmpformat = FORMAT_ASN1RSA;
         } else {
-            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+            tmpformat = informat;
         }
 
-        if (pkey != NULL)
-            rsa = EVP_PKEY_get1_RSA(pkey);
-        EVP_PKEY_free(pkey);
+        pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
+    } else {
+        pkey = load_key(infile, informat, 1, passin, e, "Private Key");
     }
 
+    if (pkey != NULL)
+        rsa = EVP_PKEY_get1_RSA(pkey);
+
     if (rsa == NULL) {
         ERR_print_errors(bio_err);
         goto end;
@@ -216,7 +211,8 @@ int rsa_main(int argc, char **argv)
 
     if (text) {
         assert(pubin || private);
-        if (!RSA_print(out, rsa, 0)) {
+        if ((pubin && EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
+            || (!pubin && EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)) {
             perror(outfile);
             ERR_print_errors(bio_err);
             goto end;
@@ -232,7 +228,16 @@ int rsa_main(int argc, char **argv)
     }
 
     if (check) {
-        int r = RSA_check_key_ex(rsa, NULL);
+        int r;
+
+        pctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL);
+        if (pctx == NULL) {
+            BIO_printf(out, "RSA unable to create PKEY context\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        r = EVP_PKEY_check(pctx);
+        EVP_PKEY_CTX_free(pctx);
 
         if (r == 1) {
             BIO_printf(out, "RSA key ok\n");
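Review bot: The failure message for EVP_PKEY_CTX_new_from_pkey() is written with BIO_printf(out, ...), while the error queue printed on the next line goes to bio_err. The check result itself is reported on out, but an internal failure to create the context is a diagnostic rather than a result, and on out it can end up mixed into the command's output; send it to bio_err like the other new error paths in this patch.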
@@ -321,6 +326,7 @@ int rsa_main(int argc, char **argv)
  end:
     release_engine(e);
     BIO_free_all(out);
+    EVP_PKEY_free(pkey);
     RSA_free(rsa);
     OPENSSL_free(passin);
     OPENSSL_free(passout);
diff --git a/doc/man3/DH_get0_pqg.pod b/doc/man3/DH_get0_pqg.pod
index 3806dab357..2c63e52b38 100644
--- a/doc/man3/DH_get0_pqg.pod
+++ b/doc/man3/DH_get0_pqg.pod
@@ -27,13 +27,14 @@ DH_get_length, DH_set_length - Routines for getting and setting data in a DH obj
  int DH_test_flags(const DH *dh, int flags);
  void DH_set_flags(DH *dh, int flags);
 
+ long DH_get_length(const DH *dh);
+ int DH_set_length(DH *dh, long length);
+
 Deprecated since OpenSSL 3.0, can be hidden entirely by defining
 B<OPENSSL_API_COMPAT> with a suitable version value, see
 L<openssl_user_macros(7)>:
 
  ENGINE *DH_get0_engine(DH *d);
- long DH_get_length(const DH *dh);
- int DH_set_length(DH *dh, long length);
 
 =head1 DESCRIPTION
 
@@ -95,8 +96,7 @@ object, or NULL if no such ENGINE has been set. This function is deprecated.
 The DH_get_length() and DH_set_length() functions get and set the optional
 length parameter associated with this DH object. If the length is nonzero then
 it is used, otherwise it is ignored. The I<length> parameter indicates the
-length of the secret exponent (private key) in bits. These functions are
-deprecated.
+length of the secret exponent (private key) in bits.
 
 =head1 NOTES
 
@@ -127,8 +127,7 @@ L<DH_set_method(3)>, L<DH_size(3)>, L<DH_meth_new(3)>
 
 =head1 HISTORY
 
-The DH_get0_engine(), DH_get_length() and DH_set_length() functions were
-deprecated in OpenSSL 3.0.
+The DH_get0_engine() function was deprecated in OpenSSL 3.0.
 
 The functions described here were added in OpenSSL 1.1.0.
 
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index d705f50f09..ab455b7492 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -222,8 +222,8 @@ void DH_clear_flags(DH *dh, int flags);
 int DH_test_flags(const DH *dh, int flags);
 void DH_set_flags(DH *dh, int flags);
 DEPRECATEDIN_3_0(ENGINE *DH_get0_engine(DH *d))
-DEPRECATEDIN_3_0(long DH_get_length(const DH *dh))
-DEPRECATEDIN_3_0(int DH_set_length(DH *dh, long length))
+long DH_get_length(const DH *dh);
+int DH_set_length(DH *dh, long length);
 
 DEPRECATEDIN_3_0(DH_METHOD *DH_meth_new(const char *name, int flags))
 DEPRECATEDIN_3_0(void DH_meth_free(DH_METHOD *dhm))
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 49040bf7e6..8912cce4f1 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -50,10 +50,12 @@ extern "C" {
 #   ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
 #    define OPENSSL_RSA_MAX_PUBEXP_BITS    64
 #   endif
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
-#   define RSA_3   0x3L
-#   define RSA_F4  0x10001L
+#  define RSA_3   0x3L
+#  define RSA_F4  0x10001L
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /* based on RFC 8017 appendix A.1.2 */
 #   define RSA_ASN1_VERSION_DEFAULT        0
 #   define RSA_ASN1_VERSION_MULTI          1
diff --git a/test/recipes/15-test_dsa.t b/test/recipes/15-test_dsa.t
index 1495724e48..5bbc54b082 100644
--- a/test/recipes/15-test_dsa.t
+++ b/test/recipes/15-test_dsa.t
@@ -21,27 +21,17 @@ plan tests => 7;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
- SKIP: {
-     skip "Skipping initial dsa tests", 2
-         if disabled('deprecated-3.0');
-
-     ok(run(test(["dsatest"])), "running dsatest");
-     ok(run(test(["dsa_no_digest_size_test"])),
-        "running dsa_no_digest_size_test");
-}
-
- SKIP: {
-     skip "Skipping dsa conversion test using 'openssl dsa'", 2
-         if disabled('deprecated-3.0');
-
-     subtest "dsa conversions using 'openssl dsa' -- private key" => sub {
-         tconversion("dsa", srctop_file("test","testdsa.pem"));
-     };
-     subtest "dsa conversions using 'openssl dsa' -- public key" => sub {
-         tconversion("msb", srctop_file("test","testdsapub.pem"), "dsa",
-                     "-pubin", "-pubout");
-     };
-}
+ok(run(test(["dsatest"])), "running dsatest");
+ok(run(test(["dsa_no_digest_size_test"])),
+   "running dsa_no_digest_size_test");
+
+subtest "dsa conversions using 'openssl dsa' -- private key" => sub {
+    tconversion("dsa", srctop_file("test","testdsa.pem"));
+};
+subtest "dsa conversions using 'openssl dsa' -- public key" => sub {
+    tconversion("msb", srctop_file("test","testdsapub.pem"), "dsa",
+                "-pubin", "-pubout");
+};
 
 subtest "dsa conversions using 'openssl pkey' -- private key PKCS#8" => sub {
     tconversion("dsa", srctop_file("test","testdsa.pem"), "pkey");
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index 127c1d12d1..e8f9e2ffdd 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -27,7 +27,7 @@ ok(run(test(["ectest"])), "running ectest");
 # the command line tool in addition to the algorithm.
 SKIP: {
     skip "Skipping EC conversion test", 3
-        if disabled("ec") || disabled('deprecated-3.0');
+        if disabled("ec");
 
     subtest 'EC conversions -- private key' => sub {
         tconversion("ec", srctop_file("test","testec-p256.pem"));
diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t
index 2e8afa8213..f078a6aeb2 100644
--- a/test/recipes/15-test_rsa.t
+++ b/test/recipes/15-test_rsa.t
@@ -16,9 +16,6 @@ use OpenSSL::Test::Utils;
 
 setup("test_rsa");
 
-#plan skip_all => "RSA command line tool not built"
-#    if disabled("deprecated-3.0");
-
 plan tests => 10;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -27,11 +24,7 @@ ok(run(test(["rsa_test"])), "running rsatest");
 
 run_rsa_tests("pkey");
 
- SKIP: {
-    skip "Skipping rsa command line tests", 4 if disabled('deprecated-3.0');
-
-    run_rsa_tests("rsa");
-}
+run_rsa_tests("rsa");
 
 sub run_rsa_tests {
     my $cmd = shift;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index adcf408d34..bf5eb90f2c 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -3953,9 +3953,9 @@ DH_clear_flags                          4041	3_0_0	EXIST::FUNCTION:DH
 DH_get0_key                             4042	3_0_0	EXIST::FUNCTION:DH
 DH_get0_engine                          4043	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 DH_set0_key                             4044	3_0_0	EXIST::FUNCTION:DH
-DH_set_length                           4045	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
+DH_set_length                           4045	3_0_0	EXIST::FUNCTION:DH
 DH_test_flags                           4046	3_0_0	EXIST::FUNCTION:DH
-DH_get_length                           4047	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
+DH_get_length                           4047	3_0_0	EXIST::FUNCTION:DH
 DH_get0_pqg                             4048	3_0_0	EXIST::FUNCTION:DH
 DH_meth_get_compute_key                 4049	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 DH_meth_set1_name                       4050	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH

