Deprecate the low level RC4 functions

Use of the low level RC4 functions has been informally discouraged for a long time. We now formally deprecate them. Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex and the equivalently named decrypt functions. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10834)
2020-01-14 09:38:09 +10:00 · 2020-01-14 09:38:09 +10:00 · a8fca7284a
parent ae856791e2
commit a8fca7284a
15 changed files with 79 additions and 22 deletions
--- a/apps/speed.c
+++ b/apps/speed.c
@ -353,7 +353,7 @@ static const OPT_PAIR doit_choices[] = {
    {"rmd160", D_RMD160},
    {"ripemd160", D_RMD160},
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
    {"rc4", D_RC4},
 #endif
 #ifndef OPENSSL_NO_DES
@ -712,7 +712,7 @@ static int EVP_Digest_RMD160_loop(void *args)
 }
 #endif

-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 static RC4_KEY rc4_ks;
 static int RC4_loop(void *args)
 {
@ -1973,7 +1973,7 @@ int speed_main(int argc, char **argv)
    if (doit[D_CBC_SEED])
        SEED_set_key(key16, &seed_ks);
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
    if (doit[D_RC4])
        RC4_set_key(&rc4_ks, 16, key16);
 #endif
@ -2379,7 +2379,7 @@ int speed_main(int argc, char **argv)
        }
    }
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
    if (doit[D_RC4]) {
        for (testnum = 0; testnum < size_num; testnum++) {
            print_message(names[D_RC4], c[D_RC4][testnum], lengths[testnum],
@ -3492,7 +3492,7 @@ int speed_main(int argc, char **argv)
 #if !defined(OPENSSL_NO_MD2) && !defined(OPENSSL_NO_DEPRECATED_3_0)
        printf("%s ", MD2_options());
 #endif
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
        printf("%s ", RC4_options());
 #endif
 #ifndef OPENSSL_NO_DES
--- a/apps/version.c
+++ b/apps/version.c
@ -18,9 +18,6 @@
 #ifndef OPENSSL_NO_MD2
 # include <openssl/md2.h>
 #endif
-#ifndef OPENSSL_NO_RC4
-# include <openssl/rc4.h>
-#endif
 #ifndef OPENSSL_NO_DES
 # include <openssl/des.h>
 #endif
@ -129,9 +126,6 @@ opthelp:
    if (options) {
        printf("options: ");
        printf(" %s", BN_options());
-#ifndef OPENSSL_NO_RC4
-        printf(" %s", RC4_options());
-#endif
 #ifndef OPENSSL_NO_DES
        printf(" %s", DES_options());
 #endif
--- a/crypto/engine/eng_openssl.c
+++ b/crypto/engine/eng_openssl.c
@ -8,6 +8,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
--- a/crypto/evp/e_rc4.c
+++ b/crypto/evp/e_rc4.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"

--- a/crypto/evp/e_rc4_hmac_md5.c
+++ b/crypto/evp/e_rc4_hmac_md5.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <internal/cryptlib.h>
 #include <openssl/opensslconf.h>

--- a/crypto/rc4/rc4_enc.c
+++ b/crypto/rc4/rc4_enc.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/rc4.h>
 #include "rc4_local.h"

--- a/crypto/rc4/rc4_skey.c
+++ b/crypto/rc4/rc4_skey.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/rc4.h>
 #include "rc4_local.h"
 #include <openssl/opensslv.h>
--- a/include/openssl/rc4.h
+++ b/include/openssl/rc4.h
@ -24,15 +24,18 @@
 extern "C" {
 #  endif

+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct rc4_key_st {
    RC4_INT x, y;
    RC4_INT data[256];
 } RC4_KEY;
+#  endif

-const char *RC4_options(void);
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
-void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
-         unsigned char *outdata);
+DEPRECATEDIN_3_0(const char *RC4_options(void))
+DEPRECATEDIN_3_0(void RC4_set_key(RC4_KEY *key, int len,
+                                  const unsigned char *data))
+DEPRECATEDIN_3_0(void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
+                          unsigned char *outdata))

 #  ifdef  __cplusplus
 }
--- a/providers/implementations/ciphers/cipher_rc4.c
+++ b/providers/implementations/ciphers/cipher_rc4.c
@ -9,6 +9,12 @@

 /* Dispatch functions for RC4 ciphers */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4.h"
 #include "prov/implementations.h"

--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
@ -9,6 +9,12 @@

 /* Dispatch functions for RC4_HMAC_MD5 cipher */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4_hmac_md5.h"
 #include "prov/implementations.h"
 #include "prov/providercommonerr.h"
--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5_hw.c
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5_hw.c
@ -9,6 +9,12 @@

 /* RC4_HMAC_MD5 cipher implementation */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4_hmac_md5.h"

 #define NO_PAYLOAD_LENGTH ((size_t)-1)
--- a/providers/implementations/ciphers/cipher_rc4_hw.c
+++ b/providers/implementations/ciphers/cipher_rc4_hw.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include "cipher_rc4.h"

 static int cipher_hw_rc4_initkey(PROV_CIPHER_CTX *ctx,
--- a/test/build.info
+++ b/test/build.info
@ -119,10 +119,6 @@ IF[{- !$disabled{tests} -}]
  INCLUDE[hmactest]=../include ../apps/include
  DEPEND[hmactest]=../libcrypto libtestutil.a

-  SOURCE[rc4test]=rc4test.c
-  INCLUDE[rc4test]=../include ../apps/include
-  DEPEND[rc4test]=../libcrypto libtestutil.a
-
  SOURCE[rc5test]=rc5test.c
  INCLUDE[rc5test]=../include ../apps/include
  DEPEND[rc5test]=../libcrypto libtestutil.a
@ -593,6 +589,10 @@ IF[{- !$disabled{tests} -}]
    INCLUDE[rc2test]=../include ../apps/include
    DEPEND[rc2test]=../libcrypto.a libtestutil.a

+    SOURCE[rc4test]=rc4test.c
+    INCLUDE[rc4test]=../include ../apps/include
+    DEPEND[rc4test]=../libcrypto.a libtestutil.a
+
    SOURCE[ec_internal_test]=ec_internal_test.c
    INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include ../crypto/include
    DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
--- a/test/rc4test.c
+++ b/test/rc4test.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */

+/*
+ * RC4 low level APIs are deprecated for public use, but still ok for internal
+ * use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>

 #include "internal/nelem.h"
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -341,7 +341,7 @@ OPENSSL_sk_sort                         346	3_0_0	EXIST::FUNCTION:
 CTLOG_STORE_load_file                   347	3_0_0	EXIST::FUNCTION:CT
 ASN1_SEQUENCE_it                        348	3_0_0	EXIST::FUNCTION:
 TS_RESP_CTX_get_tst_info                349	3_0_0	EXIST::FUNCTION:TS
-RC4                                     350	3_0_0	EXIST::FUNCTION:RC4
+RC4                                     350	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 PKCS7_stream                            352	3_0_0	EXIST::FUNCTION:
 i2t_ASN1_OBJECT                         353	3_0_0	EXIST::FUNCTION:
 EC_GROUP_get0_generator                 354	3_0_0	EXIST::FUNCTION:EC
@ -778,7 +778,7 @@ PKCS7_dataInit                          797	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_set_app_data               798	3_0_0	EXIST::FUNCTION:
 a2i_GENERAL_NAME                        799	3_0_0	EXIST::FUNCTION:
 SXNETID_new                             800	3_0_0	EXIST::FUNCTION:
-RC4_options                             801	3_0_0	EXIST::FUNCTION:RC4
+RC4_options                             801	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 BIO_f_null                              802	3_0_0	EXIST::FUNCTION:
 EC_GROUP_set_curve_name                 803	3_0_0	EXIST::FUNCTION:EC
 d2i_PBE2PARAM                           804	3_0_0	EXIST::FUNCTION:
@ -2960,7 +2960,7 @@ ASN1_TYPE_unpack_sequence               3024	3_0_0	EXIST::FUNCTION:
 X509_CRL_sign_ctx                       3025	3_0_0	EXIST::FUNCTION:
 X509_STORE_add_crl                      3026	3_0_0	EXIST::FUNCTION:
 PEM_write_RSAPrivateKey                 3027	3_0_0	EXIST::FUNCTION:RSA,STDIO
-RC4_set_key                             3028	3_0_0	EXIST::FUNCTION:RC4
+RC4_set_key                             3028	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 EVP_CIPHER_CTX_cipher                   3029	3_0_0	EXIST::FUNCTION:
 PEM_write_bio_PKCS8PrivateKey_nid       3030	3_0_0	EXIST::FUNCTION:
 BN_MONT_CTX_new                         3031	3_0_0	EXIST::FUNCTION: