[openssl] master update

Richard Levitte levitte at openssl.org
Thu Jan 21 11:13:17 UTC 2021


The branch master has been updated
       via  a3d267f18492a1e874534d5af6072bc8b7a290e5 (commit)
      from  3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f (commit)


- Log -----------------------------------------------------------------
commit a3d267f18492a1e874534d5af6072bc8b7a290e5
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Dec 8 10:13:54 2020 -0500

    Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex
    
    EVP_KEY_new_CMAC_key_ex was in the pre-release 3.0 only, so is safe
    to remove.
    Restore 1.1.1 version of EVP_PKEY_new_CMAC_key documentation.
    Also make testing of EVP_PKEY_new_CMAC_key properly #ifdef'd.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13829)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/p_lib.c        |  7 -------
 doc/man3/EVP_PKEY_new.pod | 46 ++++++++++++++++++++++------------------------
 include/openssl/evp.h     |  6 +++---
 test/evp_extra_test.c     |  7 ++++++-
 test/evp_test.c           | 16 ++++++++++++++--
 util/libcrypto.num        |  3 +--
 6 files changed, 46 insertions(+), 39 deletions(-)

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 326c58c8aa..93cdbb89bf 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -636,13 +636,6 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len,
 # endif
 }
 
-EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len,
-                                   const char *cipher_name, OSSL_LIB_CTX *libctx,
-                                   const char *propq)
-{
-    return new_cmac_key_int(priv, len, cipher_name, NULL, libctx, propq, NULL);
-}
-
 EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
                                 size_t len, const EVP_CIPHER *cipher)
 {
diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod
index c2d3c57e43..88c4e67e53 100644
--- a/doc/man3/EVP_PKEY_new.pod
+++ b/doc/man3/EVP_PKEY_new.pod
@@ -10,7 +10,6 @@ EVP_PKEY_new_raw_private_key_ex,
 EVP_PKEY_new_raw_private_key,
 EVP_PKEY_new_raw_public_key_ex,
 EVP_PKEY_new_raw_public_key,
-EVP_PKEY_new_CMAC_key_ex,
 EVP_PKEY_new_CMAC_key,
 EVP_PKEY_new_mac_key,
 EVP_PKEY_get_raw_private_key,
@@ -41,11 +40,6 @@ EVP_PKEY_get_raw_public_key
                                           size_t keylen);
  EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *e,
                                        const unsigned char *key, size_t keylen);
- EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len,
-                                    const char *cipher_name,
-                                    OSSL_LIB_CTX *libctx, const char *propq);
- EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
-                                 size_t len, const EVP_CIPHER *cipher);
  EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key,
                                 int keylen);
 
@@ -54,6 +48,13 @@ EVP_PKEY_get_raw_public_key
  int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub,
                                  size_t *len);
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
+                                 size_t len, const EVP_CIPHER *cipher);
+
 =head1 DESCRIPTION
 
 B<EVP_PKEY> is a generic structure to hold diverse types of asymmetric keys
@@ -121,21 +122,6 @@ data. The B<EVP_PKEY> structure will be initialised without any private key
 information. Algorithm types that support raw public keys are
 B<EVP_PKEY_X25519>, B<EVP_PKEY_ED25519>, B<EVP_PKEY_X448> or B<EVP_PKEY_ED448>.
 
-EVP_PKEY_new_CMAC_key_ex() works in the same way as
-EVP_PKEY_new_raw_private_key() except it is only for the B<EVP_PKEY_CMAC>
-algorithm type. In addition to the raw private key data, it also takes a cipher
-algorithm to be used during creation of a CMAC in the I<cipher> argument. The
-cipher should be a standard encryption only cipher. For example AEAD and XTS
-ciphers should not be used. Finally it also takes a library context I<libctx>
-and property query I<propq> which are used when fetching any cryptographic
-algorithms which may be NULL to use the default values.
-
-EVP_PKEY_new_CMAC_key() is the same as EVP_PKEY_new_CMAC_key_ex()
-except that the default values are used for I<libctx> and I<propq>.
-
-Using EVP_PKEY_new_CMAC_key_ex() or EVP_PKEY_new_CMAC_key() is discouraged in
-favor of the L<EVP_MAC(3)> API.
-
 EVP_PKEY_new_mac_key() works in the same way as EVP_PKEY_new_raw_private_key().
 New applications should use EVP_PKEY_new_raw_private_key() instead.
 
@@ -159,6 +145,16 @@ key data. This function only works for algorithms that support raw public  keys.
 Currently this is: B<EVP_PKEY_X25519>, B<EVP_PKEY_ED25519>, B<EVP_PKEY_X448> or
 B<EVP_PKEY_ED448>.
 
+EVP_PKEY_new_CMAC_key() works in the same way as EVP_PKEY_new_raw_private_key()
+except it is only for the B<EVP_PKEY_CMAC> algorithm type. In addition to the
+raw private key data, it also takes a cipher algorithm to be used during
+creation of a CMAC in the B<cipher> argument. The cipher should be a standard
+encryption-only cipher. For example AEAD and XTS ciphers should not be used.
+
+Applications should use the L<EVP_MAC(3)> API instead
+and set the B<OSSL_MAC_PARAM_CIPHER> parameter on the B<EVP_MAC_CTX> object
+with the name of the cipher being used.
+
 =head1 NOTES
 
 The B<EVP_PKEY> structure is used by various OpenSSL functions which require a
@@ -195,9 +191,11 @@ EVP_PKEY_new_raw_private_key(), EVP_PKEY_new_raw_public_key(),
 EVP_PKEY_new_CMAC_key(), EVP_PKEY_new_raw_private_key() and
 EVP_PKEY_get_raw_public_key() functions were added in OpenSSL 1.1.1.
 
-The EVP_PKEY_new_raw_private_key_ex(),
-EVP_PKEY_new_raw_public_key_ex() and
-EVP_PKEY_new_CMAC_key_ex() functions were added in OpenSSL 3.0.
+The EVP_PKEY_new_raw_private_key_ex() and
+EVP_PKEY_new_raw_public_key_ex()
+functions were added in OpenSSL 3.0.
+
+The EVP_PKEY_new_CMAC_key() was deprecated in OpenSSL 3.0.
 
 The documentation of B<EVP_PKEY> was amended in OpenSSL 3.0 to allow there to
 be the private part of the keypair without the public part, where this was
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index ae9488acbb..0180170b8d 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1678,11 +1678,11 @@ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, unsigned char *priv,
 int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub,
                                 size_t *len);
 
-EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len,
-                                   const char *cipher_name, OSSL_LIB_CTX *libctx,
-                                   const char *propq);
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0
 EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
                                 size_t len, const EVP_CIPHER *cipher);
+# endif
 
 void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data);
 void *EVP_PKEY_CTX_get_data(const EVP_PKEY_CTX *ctx);
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 42f4319d6c..37efbd42e2 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1538,7 +1538,10 @@ static int test_CMAC_keygen(void)
     EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL);
     int ret = 0;
     EVP_PKEY *pkey = NULL;
-    unsigned char mac[AES_BLOCK_SIZE], mac2[AES_BLOCK_SIZE];
+    unsigned char mac[AES_BLOCK_SIZE];
+# if !defined(OPENSSL_NO_DEPRECATED_3_0)
+    unsigned char mac2[AES_BLOCK_SIZE];
+# endif
 
     /* Test a CMAC key created using the "generated" method */
     if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0)
@@ -1553,6 +1556,7 @@ static int test_CMAC_keygen(void)
             || !TEST_true(get_cmac_val(pkey, mac)))
         goto done;
 
+# if !defined(OPENSSL_NO_DEPRECATED_3_0)
     EVP_PKEY_free(pkey);
 
     /*
@@ -1564,6 +1568,7 @@ static int test_CMAC_keygen(void)
             || !TEST_true(get_cmac_val(pkey, mac2))
             || !TEST_mem_eq(mac, sizeof(mac), mac2, sizeof(mac2)))
         goto done;
+# endif
 
     ret = 1;
 
diff --git a/test/evp_test.c b/test/evp_test.c
index b1c9c72b8b..94bbdc7a35 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_new_CMAC_key */
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -1152,6 +1153,14 @@ static int mac_test_run_pkey(EVP_TEST *t)
                   OBJ_nid2sn(expected->type), expected->alg);
 
     if (expected->type == EVP_PKEY_CMAC) {
+#ifdef OPENSSL_NO_DEPRECATED_3_0
+        TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg);
+        t->skip = 1;
+        t->err = NULL;
+        goto err;
+#else
+        OSSL_LIB_CTX *tmpctx;
+
         if (expected->alg != NULL && is_cipher_disabled(expected->alg)) {
             TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg);
             t->skip = 1;
@@ -1162,8 +1171,11 @@ static int mac_test_run_pkey(EVP_TEST *t)
             t->err = "MAC_KEY_CREATE_ERROR";
             goto err;
         }
-        key = EVP_PKEY_new_CMAC_key_ex(expected->key, expected->key_len,
-                                       EVP_CIPHER_name(cipher), libctx, NULL);
+        tmpctx = OSSL_LIB_CTX_set0_default(libctx);
+        key = EVP_PKEY_new_CMAC_key(NULL, expected->key, expected->key_len,
+                                    cipher);
+        OSSL_LIB_CTX_set0_default(tmpctx);
+#endif
     } else {
         key = EVP_PKEY_new_raw_private_key_ex(libctx,
                                               OBJ_nid2sn(expected->type), NULL,
diff --git a/util/libcrypto.num b/util/libcrypto.num
index a1e9b5cc34..1cd4b86f4d 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4338,7 +4338,7 @@ OSSL_STORE_SEARCH_free                  4450	3_0_0	EXIST::FUNCTION:
 OSSL_STORE_SEARCH_get0_digest           4451	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_new_raw_private_key            4453	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_new_raw_public_key             4454	3_0_0	EXIST::FUNCTION:
-EVP_PKEY_new_CMAC_key                   4455	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_new_CMAC_key                   4455	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_PKEY_asn1_set_set_priv_key          4456	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_asn1_set_set_pub_key           4457	3_0_0	EXIST::FUNCTION:
 conf_ssl_name_find                      4469	3_0_0	EXIST::FUNCTION:
@@ -5221,7 +5221,6 @@ OSSL_PARAM_get_utf8_string_ptr          ?	3_0_0	EXIST::FUNCTION:
 OSSL_PARAM_get_octet_string_ptr         ?	3_0_0	EXIST::FUNCTION:
 OSSL_DECODER_CTX_set_passphrase_cb      ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_set_mac_key                ?	3_0_0	EXIST::FUNCTION:
-EVP_PKEY_new_CMAC_key_ex                ?	3_0_0	EXIST::FUNCTION:
 OSSL_STORE_INFO_new                     ?	3_0_0	EXIST::FUNCTION:
 OSSL_STORE_INFO_get0_data               ?	3_0_0	EXIST::FUNCTION:
 asn1_d2i_read_bio                       ?	3_0_0	EXIST::FUNCTION:


More information about the openssl-commits mailing list