[openssl] master update

Matt Caswell matt at openssl.org
Mon Jan 13 13:48:59 UTC 2020


The branch master has been updated
       via  0ae5d4d6f8a0cd17fb9beb5876827f311c1b350c (commit)
      from  291850b473ef5d83ac7d90bdcd7f68d186515348 (commit)


- Log -----------------------------------------------------------------
commit 0ae5d4d6f8a0cd17fb9beb5876827f311c1b350c
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jan 2 16:15:26 2020 +0000

    Deprecate the Low Level CAST APIs
    
    Applications should instead use the higher level EVP APIs, e.g.
    EVP_Encrypt*() and EVP_Decrypt*().
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10742)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                                            |  9 ++++
 apps/speed.c                                       |  8 +--
 crypto/cast/c_cfb64.c                              |  6 +++
 crypto/cast/c_ecb.c                                |  6 +++
 crypto/cast/c_enc.c                                |  6 +++
 crypto/cast/c_ofb64.c                              |  6 +++
 crypto/cast/c_skey.c                               |  6 +++
 crypto/evp/e_cast.c                                |  6 +++
 include/openssl/cast.h                             | 57 ++++++++++++++--------
 providers/implementations/ciphers/cipher_cast5.c   |  6 +++
 .../implementations/ciphers/cipher_cast5_hw.c      |  6 +++
 test/build.info                                    | 13 ++---
 test/casttest.c                                    |  6 +++
 test/recipes/05-test_cast.t                        | 11 +++++
 util/libcrypto.num                                 | 14 +++---
 15 files changed, 130 insertions(+), 36 deletions(-)

diff --git a/CHANGES b/CHANGES
index e47c8ab968..215fd13b60 100644
--- a/CHANGES
+++ b/CHANGES
@@ -18,6 +18,15 @@
      equivalently named decrypt functions.
      [Matt Caswell]
 
+  *) All of the low level CAST functions have been deprecated including:
+     CAST_set_key, CAST_ecb_encrypt, CAST_encrypt, CAST_decrypt,
+     CAST_cbc_encrypt, CAST_cfb64_encrypt and CAST_ofb64_encrypt
+     Use of these low level functions has been informally discouraged for a long
+     time. Instead applications should use the high level EVP APIs, e.g.
+     EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
+     equivalently named decrypt functions.
+     [Matt Caswell]
+
   *) All of the low level Camelllia functions have been deprecated including:
      Camellia_set_key, Camellia_encrypt, Camellia_decrypt, Camellia_ecb_encrypt,
      Camellia_cbc_encrypt, Camellia_cfb128_encrypt, Camellia_cfb1_encrypt,
diff --git a/apps/speed.c b/apps/speed.c
index bb57da9c85..67bf650ec2 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -389,7 +389,7 @@ static const OPT_PAIR doit_choices[] = {
     {"blowfish", D_CBC_BF},
     {"bf", D_CBC_BF},
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"cast-cbc", D_CBC_CAST},
     {"cast", D_CBC_CAST},
     {"cast5", D_CBC_CAST},
@@ -1464,7 +1464,7 @@ int speed_main(int argc, char **argv)
 #if !defined(OPENSSL_NO_BF) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     BF_KEY bf_ks;
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     CAST_KEY cast_ks;
 #endif
     static const unsigned char key16[16] = {
@@ -1992,7 +1992,7 @@ int speed_main(int argc, char **argv)
     if (doit[D_CBC_BF])
         BF_set_key(&bf_ks, 16, key16);
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_CBC_CAST]) 
         CAST_set_key(&cast_ks, 16, key16);
 #endif
@@ -2672,7 +2672,7 @@ int speed_main(int argc, char **argv)
         }
     }
 #endif
-#ifndef OPENSSL_NO_CAST
+#if !defined(OPENSSL_NO_CAST) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_CBC_CAST]) {
         if (async_jobs > 0) {
             BIO_printf(bio_err, "Async mode is not supported with %s\n",
diff --git a/crypto/cast/c_cfb64.c b/crypto/cast/c_cfb64.c
index 1ae13bc3d8..805a51d450 100644
--- a/crypto/cast/c_cfb64.c
+++ b/crypto/cast/c_cfb64.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 
diff --git a/crypto/cast/c_ecb.c b/crypto/cast/c_ecb.c
index 2b841ac919..cbd044366d 100644
--- a/crypto/cast/c_ecb.c
+++ b/crypto/cast/c_ecb.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 #include <openssl/opensslv.h>
diff --git a/crypto/cast/c_enc.c b/crypto/cast/c_enc.c
index 7e2461dfca..ede9f2e815 100644
--- a/crypto/cast/c_enc.c
+++ b/crypto/cast/c_enc.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 
diff --git a/crypto/cast/c_ofb64.c b/crypto/cast/c_ofb64.c
index bc598d4d1b..6aaa7edfc8 100644
--- a/crypto/cast/c_ofb64.c
+++ b/crypto/cast/c_ofb64.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 
diff --git a/crypto/cast/c_skey.c b/crypto/cast/c_skey.c
index c21ecdf89c..d516e10ee3 100644
--- a/crypto/cast/c_skey.c
+++ b/crypto/cast/c_skey.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/cast.h>
 #include "cast_local.h"
 #include "cast_s.h"
diff --git a/crypto/evp/e_cast.c b/crypto/evp/e_cast.c
index 4b06717b72..5703f7fa49 100644
--- a/crypto/evp/e_cast.c
+++ b/crypto/evp/e_cast.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 
diff --git a/include/openssl/cast.h b/include/openssl/cast.h
index 5f81217d14..f338d411cf 100644
--- a/include/openssl/cast.h
+++ b/include/openssl/cast.h
@@ -23,33 +23,52 @@
 extern "C" {
 # endif
 
-# define CAST_ENCRYPT    1
-# define CAST_DECRYPT    0
-
-# define CAST_LONG unsigned int
-
 # define CAST_BLOCK      8
 # define CAST_KEY_LENGTH 16
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+
+#  define CAST_ENCRYPT    1
+#  define CAST_DECRYPT    0
+
+#  define CAST_LONG unsigned int
+
 typedef struct cast_key_st {
     CAST_LONG data[32];
     int short_key;              /* Use reduced rounds for short key */
 } CAST_KEY;
 
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
-void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
-                      const CAST_KEY *key, int enc);
-void CAST_encrypt(CAST_LONG *data, const CAST_KEY *key);
-void CAST_decrypt(CAST_LONG *data, const CAST_KEY *key);
-void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out,
-                      long length, const CAST_KEY *ks, unsigned char *iv,
-                      int enc);
-void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-                        long length, const CAST_KEY *schedule,
-                        unsigned char *ivec, int *num, int enc);
-void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-                        long length, const CAST_KEY *schedule,
-                        unsigned char *ivec, int *num);
+# endif /* OPENSSL_NO_DEPRECATED_3_0 */
+
+DEPRECATEDIN_3_0(void CAST_set_key(CAST_KEY *key, int len,
+                                   const unsigned char *data))
+DEPRECATEDIN_3_0(void CAST_ecb_encrypt(const unsigned char *in,
+                                       unsigned char *out,
+                                       const CAST_KEY *key,
+                                       int enc))
+DEPRECATEDIN_3_0(void CAST_encrypt(CAST_LONG *data,
+                                   const CAST_KEY *key))
+DEPRECATEDIN_3_0(void CAST_decrypt(CAST_LONG *data,
+                                   const CAST_KEY *key))
+DEPRECATEDIN_3_0(void CAST_cbc_encrypt(const unsigned char *in,
+                                       unsigned char *out,
+                                       long length,
+                                       const CAST_KEY *ks,
+                                       unsigned char *iv,
+                                       int enc))
+DEPRECATEDIN_3_0(void CAST_cfb64_encrypt(const unsigned char *in,
+                                         unsigned char *out,
+                                         long length,
+                                         const CAST_KEY *schedule,
+                                         unsigned char *ivec,
+                                         int *num,
+                                         int enc))
+DEPRECATEDIN_3_0(void CAST_ofb64_encrypt(const unsigned char *in,
+                                         unsigned char *out,
+                                         long length,
+                                         const CAST_KEY *schedule,
+                                         unsigned char *ivec,
+                                         int *num))
 
 # ifdef  __cplusplus
 }
diff --git a/providers/implementations/ciphers/cipher_cast5.c b/providers/implementations/ciphers/cipher_cast5.c
index 473a7f02b9..24cb59d103 100644
--- a/providers/implementations/ciphers/cipher_cast5.c
+++ b/providers/implementations/ciphers/cipher_cast5.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 /* Dispatch functions for cast cipher modes ecb, cbc, ofb, cfb */
 
 #include "cipher_cast.h"
diff --git a/providers/implementations/ciphers/cipher_cast5_hw.c b/providers/implementations/ciphers/cipher_cast5_hw.c
index 227e90d7a7..beeeb593f0 100644
--- a/providers/implementations/ciphers/cipher_cast5_hw.c
+++ b/providers/implementations/ciphers/cipher_cast5_hw.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_cast.h"
 
 static int cipher_hw_cast5_initkey(PROV_CIPHER_CTX *ctx,
diff --git a/test/build.info b/test/build.info
index de618b51d9..c54b7bc5a4 100644
--- a/test/build.info
+++ b/test/build.info
@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]
           hmactest \
           rc2test rc4test rc5test \
           destest mdc2test \
-          dhtest enginetest casttest \
+          dhtest enginetest \
           ssltest_old dsatest dsa_no_digest_size_test exptest rsa_test \
           evp_pkey_provided_test evp_test evp_extra_test evp_fetch_prov_test \
           v3nametest v3ext \
@@ -152,10 +152,6 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[enginetest]=../include ../apps/include
   DEPEND[enginetest]=../libcrypto libtestutil.a
 
-  SOURCE[casttest]=casttest.c
-  INCLUDE[casttest]=../include ../apps/include
-  DEPEND[casttest]=../libcrypto libtestutil.a
-
   SOURCE[ssltest_old]=ssltest_old.c
   INCLUDE[ssltest_old]=.. ../include ../apps/include
   DEPEND[ssltest_old]=../libcrypto ../libssl
@@ -212,7 +208,8 @@ IF[{- !$disabled{tests} -}]
 
   IF[{- !$disabled{"deprecated"}
         || (defined $config{"api"} && $config{"api"} < 30000) -}]
-    PROGRAMS{noinst}=igetest bftest
+    PROGRAMS{noinst}=igetest bftest casttest
+
     SOURCE[igetest]=igetest.c
     INCLUDE[igetest]=../include ../apps/include
     DEPEND[igetest]=../libcrypto libtestutil.a
@@ -220,6 +217,10 @@ IF[{- !$disabled{tests} -}]
     SOURCE[bftest]=bftest.c
     INCLUDE[bftest]=../include ../apps/include
     DEPEND[bftest]=../libcrypto libtestutil.a
+
+    SOURCE[casttest]=casttest.c
+    INCLUDE[casttest]=../include ../apps/include
+    DEPEND[casttest]=../libcrypto libtestutil.a
   ENDIF
 
   SOURCE[v3nametest]=v3nametest.c
diff --git a/test/casttest.c b/test/casttest.c
index 0d7595cc99..09435bde45 100644
--- a/test/casttest.c
+++ b/test/casttest.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * CAST low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
diff --git a/test/recipes/05-test_cast.t b/test/recipes/05-test_cast.t
index b8b88d075e..b1b909db7a 100644
--- a/test/recipes/05-test_cast.t
+++ b/test/recipes/05-test_cast.t
@@ -7,6 +7,17 @@
 # https://www.openssl.org/source/license.html
 
 
+use strict;
+use warnings;
+
 use OpenSSL::Test::Simple;
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+
+setup("test_cast");
+
+plan skip_all => "Low-level CAST APIs are disabled in this build"
+    if disabled("deprecated")
+       && (!defined config("api") || config("api") >= 30000);
 
 simple_test("test_cast", "casttest", "cast");
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 5092f5dab8..d18e1a3ebb 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -712,7 +712,7 @@ DSA_sign_setup                          730	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3
 OPENSSL_sk_new_null                     731	3_0_0	EXIST::FUNCTION:
 PEM_read_PKCS8                          732	3_0_0	EXIST::FUNCTION:STDIO
 BN_mod_sqr                              733	3_0_0	EXIST::FUNCTION:
-CAST_ofb64_encrypt                      734	3_0_0	EXIST::FUNCTION:CAST
+CAST_ofb64_encrypt                      734	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 TXT_DB_write                            735	3_0_0	EXIST::FUNCTION:
 OCSP_REQUEST_get1_ext_d2i               736	3_0_0	EXIST::FUNCTION:OCSP
 CMS_unsigned_add1_attr_by_NID           737	3_0_0	EXIST::FUNCTION:CMS
@@ -1684,7 +1684,7 @@ EVP_PKEY_type                           1722	3_0_0	EXIST::FUNCTION:
 ENGINE_ctrl                             1723	3_0_0	EXIST::FUNCTION:ENGINE
 EVP_cast5_ecb                           1724	3_0_0	EXIST::FUNCTION:CAST
 BIO_nwrite0                             1725	3_0_0	EXIST::FUNCTION:
-CAST_encrypt                            1726	3_0_0	EXIST::FUNCTION:CAST
+CAST_encrypt                            1726	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 a2d_ASN1_OBJECT                         1727	3_0_0	EXIST::FUNCTION:
 OCSP_ONEREQ_delete_ext                  1728	3_0_0	EXIST::FUNCTION:OCSP
 UI_method_get_reader                    1729	3_0_0	EXIST::FUNCTION:
@@ -2068,7 +2068,7 @@ X509_REQ_set_version                    2113	3_0_0	EXIST::FUNCTION:
 d2i_ASN1_GENERALSTRING                  2114	3_0_0	EXIST::FUNCTION:
 i2d_ASIdentifiers                       2115	3_0_0	EXIST::FUNCTION:RFC3779
 X509V3_EXT_cleanup                      2116	3_0_0	EXIST::FUNCTION:
-CAST_ecb_encrypt                        2117	3_0_0	EXIST::FUNCTION:CAST
+CAST_ecb_encrypt                        2117	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 BIO_s_file                              2118	3_0_0	EXIST::FUNCTION:
 RSA_X931_derive_ex                      2119	3_0_0	EXIST::FUNCTION:RSA
 EVP_PKEY_decrypt_init                   2120	3_0_0	EXIST::FUNCTION:
@@ -2449,7 +2449,7 @@ AES_cfb128_encrypt                      2499	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 ENGINE_set_EC                           2500	3_0_0	EXIST::FUNCTION:ENGINE
 d2i_ECPKParameters                      2501	3_0_0	EXIST::FUNCTION:EC
 IDEA_ofb64_encrypt                      2502	3_0_0	EXIST::FUNCTION:IDEA
-CAST_decrypt                            2503	3_0_0	EXIST::FUNCTION:CAST
+CAST_decrypt                            2503	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 TS_STATUS_INFO_get0_failure_info        2504	3_0_0	EXIST::FUNCTION:TS
 ENGINE_unregister_pkey_meths            2506	3_0_0	EXIST::FUNCTION:ENGINE
 DISPLAYTEXT_new                         2507	3_0_0	EXIST::FUNCTION:
@@ -2862,7 +2862,7 @@ EVP_des_cfb1                            2923	3_0_0	EXIST::FUNCTION:DES
 OBJ_NAME_cleanup                        2924	3_0_0	EXIST::FUNCTION:
 OCSP_BASICRESP_get1_ext_d2i             2925	3_0_0	EXIST::FUNCTION:OCSP
 DES_cfb64_encrypt                       2926	3_0_0	EXIST::FUNCTION:DES
-CAST_cfb64_encrypt                      2927	3_0_0	EXIST::FUNCTION:CAST
+CAST_cfb64_encrypt                      2927	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 EVP_PKEY_asn1_set_param                 2928	3_0_0	EXIST::FUNCTION:
 BN_RECP_CTX_free                        2929	3_0_0	EXIST::FUNCTION:
 BN_with_flags                           2930	3_0_0	EXIST::FUNCTION:
@@ -2979,7 +2979,7 @@ PKCS12_item_pack_safebag                3043	3_0_0	EXIST::FUNCTION:
 i2d_OCSP_RESPDATA                       3044	3_0_0	EXIST::FUNCTION:OCSP
 i2d_X509_PUBKEY                         3045	3_0_0	EXIST::FUNCTION:
 EVP_DecryptUpdate                       3046	3_0_0	EXIST::FUNCTION:
-CAST_cbc_encrypt                        3047	3_0_0	EXIST::FUNCTION:CAST
+CAST_cbc_encrypt                        3047	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 BN_BLINDING_invert                      3048	3_0_0	EXIST::FUNCTION:
 SHA512_Update                           3049	3_0_0	EXIST::FUNCTION:
 ESS_ISSUER_SERIAL_new                   3050	3_0_0	EXIST::FUNCTION:
@@ -3588,7 +3588,7 @@ TS_X509_ALGOR_print_bio                 3666	3_0_0	EXIST::FUNCTION:TS
 d2i_PKCS7_ENVELOPE                      3667	3_0_0	EXIST::FUNCTION:
 ESS_CERT_ID_new                         3669	3_0_0	EXIST::FUNCTION:
 EC_POINT_invert                         3670	3_0_0	EXIST::FUNCTION:EC
-CAST_set_key                            3671	3_0_0	EXIST::FUNCTION:CAST
+CAST_set_key                            3671	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 ENGINE_get_pkey_meth                    3672	3_0_0	EXIST::FUNCTION:ENGINE
 BIO_ADDRINFO_free                       3673	3_0_0	EXIST::FUNCTION:SOCK
 DES_ede3_cbc_encrypt                    3674	3_0_0	EXIST::FUNCTION:DES


More information about the openssl-commits mailing list