Crypto: Add deprecation compatibility declarations for SHA* message digest functions

Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14741)

CHANGES.md

@@ -240,11 +240,11 @@ OpenSSL 3.0
 
    *Matt Caswell*
 
- * A number of functions handling low level keys or engines were deprecated
+ * A number of functions handling low-level keys or engines were deprecated
    including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(),
    EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
    EVP_PKEY_get0_siphash(). Applications using engines should instead use
-   providers. Applications getting or setting low level keys in an EVP_PKEY
+   providers. Applications getting or setting low-level keys in an EVP_PKEY
    should instead use the OSSL_ENCODER or OSSL_DECODER APIs, or alternatively
    use EVP_PKEY_fromdata() or EVP_PKEY_get_params().
 
@@ -405,7 +405,7 @@ OpenSSL 3.0
 
    *Dmitry Belyavskiy*
 
- * All of the low level EC_KEY functions have been deprecated including:
+ * All of the low-level EC_KEY functions have been deprecated including:
 
    EC_KEY_OpenSSL, EC_KEY_get_default_method, EC_KEY_set_default_method,
    EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new_method
@@ -823,7 +823,7 @@ OpenSSL 3.0
 
    *David von Oheimb*
 
- * All of the low level RSA functions have been deprecated including:
+ * All of the low-level RSA functions have been deprecated including:
 
    RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
    RSA_get_version, RSA_get0_engine, RSA_generate_key_ex,
@@ -854,12 +854,12 @@ OpenSSL 3.0
    RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
    RSA_meth_get_multi_prime_keygen and RSA_meth_set_multi_prime_keygen.
 
-   Use of these low level functions has been informally discouraged for a long
+   Use of these low-level functions has been informally discouraged for a long
    time.  Instead applications should use L<EVP_PKEY_encrypt_init(3)>,
    L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
    L<EVP_PKEY_decrypt(3)>.
 
-   All of these low level RSA functions have been deprecated without
+   All of these low-level RSA functions have been deprecated without
    replacement:
 
    RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version,
@@ -904,7 +904,7 @@ OpenSSL 3.0
 
    *Paul Dale*
 
- * All of the low level DH functions have been deprecated including:
+ * All of the low-level DH functions have been deprecated including:
 
    DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
    DH_new_method, DH_new, DH_free, DH_up_ref, DH_bits, DH_set0_pqg, DH_size,
@@ -920,11 +920,11 @@ OpenSSL 3.0
    DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish,
    DH_meth_get_generate_params and DH_meth_set_generate_params.
 
-   Use of these low level functions has been informally discouraged for a long
+   Use of these low-level functions has been informally discouraged for a long
    time.  Instead applications should use L<EVP_PKEY_derive_init(3)>
    and L<EVP_PKEY_derive(3)>.
 
-   These low level DH functions have been deprecated without replacement:
+   These low-level DH functions have been deprecated without replacement:
 
    DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256,
    DH_set_flags and DH_test_flags.
@@ -948,7 +948,7 @@ OpenSSL 3.0
 
    *Paul Dale and Matt Caswell*
 
- * All of the low level DSA functions have been deprecated including:
+ * All of the low-level DSA functions have been deprecated including:
 
    DSA_new, DSA_free, DSA_up_ref, DSA_bits, DSA_get0_pqg, DSA_set0_pqg,
    DSA_get0_key, DSA_set0_key, DSA_get0_p, DSA_get0_q, DSA_get0_g,
@@ -968,11 +968,11 @@ OpenSSL 3.0
    DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
    DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
 
-   Use of these low level functions has been informally discouraged for a long
+   Use of these low-level functions has been informally discouraged for a long
    time.  Instead applications should use L<EVP_DigestSignInit_ex(3)>,
    L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
 
-   These low level DSA functions have been deprecated without replacement:
+   These low-level DSA functions have been deprecated without replacement:
 
    DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and
    DSA_test_flags.
@@ -1002,13 +1002,13 @@ OpenSSL 3.0
 
    *Richard Levitte*
 
- * Deprecated low level ECDH and ECDSA functions.  These include:
+ * Deprecated low-level ECDH and ECDSA functions.  These include:
 
    ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
    ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
    ECDSA_size.
 
-   Use of these low level functions has been informally discouraged for a long
+   Use of these low-level functions has been informally discouraged for a long
    time.  Instead applications should use the EVP_PKEY_derive(3),
    EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
 
@@ -1039,7 +1039,7 @@ OpenSSL 3.0
    HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
    and HMAC_CTX_get_md.
 
-   Use of these low level functions has been informally discouraged for a long
+   Use of these low-level functions has been informally discouraged for a long
    time.  Instead applications should use L<EVP_MAC_CTX_new(3)>,
    L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
    and L<EVP_MAC_final(3)> or the single-shot MAC function L<EVP_Q_mac(3)>.
@@ -1058,19 +1058,19 @@ OpenSSL 3.0
 
    *Rich Salz*
 
- * All of the low level CMAC functions have been deprecated including:
+ * All of the low-level CMAC functions have been deprecated including:
 
    CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
    CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
 
-   Use of these low level functions has been informally discouraged for a long
+   Use of these low-level functions has been informally discouraged for a long
    time.  Instead applications should use L<EVP_MAC_CTX_new(3)>,
    L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
    and L<EVP_MAC_final(3)>.
 
    *Paul Dale*
 
- * All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
+ * The low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
    SHA384, SHA512 and Whirlpool digest functions have been deprecated.
    These include:
 
@@ -1079,17 +1079,21 @@ OpenSSL 3.0
    MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
    RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
    RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
-   SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
-   SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
-   SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
-   SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
+   SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform,
+   SHA256_Init, SHA256_Update, SHA256_Final, SHA256_Transform,
+   SHA384_Init, SHA384_Update, SHA384_Final,
+   SHA512_Init, SHA512_Update, SHA512_Final, SHA512_Transform,
+   WHIRLPOOL, WHIRLPOOL_Init,
    WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final.
 
-   Use of these low level functions has been informally discouraged
-   for a long time.  Applications should use the EVP_DigestInit_ex(3),
-   EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
+   Use of these low-level functions has been informally discouraged
+   for a long time.  Applications should use the L<EVP_DigestInit_ex(3)>,
+   L<EVP_DigestUpdate(3)>, and L<EVP_DigestFinal_ex(3)> functions instead.
+   Alternatively, the quick one-shot function L<EVP_Q_digest(3)> can be used.
+   SHA1, SHA224, SHA256, SHA384 and SHA512 have changed from functions to macros
+   like this: (EVP_Q_digest(NULL, "SHA256", NULL, d, n, md, NULL) ? md : NULL).
 
-   *Paul Dale*
+   *Paul Dale and David von Oheimb*
 
  * Corrected the documentation of the return values from the `EVP_DigestSign*`
    set of functions.  The documentation mentioned negative values for some
@@ -1101,7 +1105,7 @@ OpenSSL 3.0
 
    *Richard Levitte*
 
- * All of the low level cipher functions have been deprecated including:
+ * All of the low-level cipher functions have been deprecated including:
 
    AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
    AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
@@ -1133,7 +1137,7 @@ OpenSSL 3.0
    SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
    SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
 
-   Use of these low level functions has been informally discouraged for
+   Use of these low-level functions has been informally discouraged for
    a long time. Applications should use the high level EVP APIs, e.g.
    EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
    equivalently named decrypt functions instead.
@@ -1168,7 +1172,7 @@ OpenSSL 3.0
    difficult to perform and are not believed likely. Attacks against DH512
    are considered just feasible. However, for an attack the target would
    have to re-use the DH512 private key, which is not recommended anyway.
-   Also applications directly using the low level API BN_mod_exp may be
+   Also applications directly using the low-level API BN_mod_exp may be
    affected if they use BN_FLG_CONSTTIME.
    ([CVE-2019-1551])
 
@@ -7652,11 +7656,11 @@ OpenSSL 1.0.1
 
    *Steve Henson*
 
- * Add similar low level API blocking to ciphers.
+ * Add similar low-level API blocking to ciphers.
 
    *Steve Henson*
 
- * Low level digest APIs are not approved in FIPS mode: any attempt
+ * low-level digest APIs are not approved in FIPS mode: any attempt
    to use these will cause a fatal error. Applications that *really* want
    to use them can use the `private_*` version instead.
 
@@ -11044,7 +11048,7 @@ OpenSSL 0.9.8.]
 
  * Add new 'medium level' PKCS#12 API. Certificates and keys
    can be added using this API to created arbitrary PKCS#12
-   files while avoiding the low level API.
+   files while avoiding the low-level API.
 
    New options to PKCS12_create(), key or cert can be NULL and
    will then be omitted from the output file. The encryption
@@ -11055,7 +11059,7 @@ OpenSSL 0.9.8.]
    options work when creating a PKCS#12 file. New option -nomac
    to omit the mac, NONE can be set for an encryption algorithm.
    New code is modified to use the enhanced PKCS12_create()
-   instead of the low level API.
+   instead of the low-level API.
 
    *Steve Henson*
 
@@ -12777,7 +12781,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
    *Richard Levitte*
 
- * Change all calls to low level digest routines in the library and
+ * Change all calls to low-level digest routines in the library and
    applications to use EVP. Add missing calls to HMAC_cleanup() and
    don't assume HMAC_CTX can be copied using memcpy().
 
@@ -15360,7 +15364,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
    *Bodo Moeller*
 
  * New openssl application 'rsautl'. This utility can be
-   used for low level RSA operations. DER public key
+   used for low-level RSA operations. DER public key
    BIO/fp routines also added.
 
    *Steve Henson*
@@ -17240,7 +17244,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
    provides hooks that allow the default DSA functions or functions on a
    "per key" basis to be replaced. This allows hardware acceleration and
    hardware key storage to be handled without major modification to the
-   library. Also added low level modexp hooks and CRYPTO_EX structure and
+   library. Also added low-level modexp hooks and CRYPTO_EX structure and
    associated functions.
 
    *Steve Henson*

crypto/evp/digest.c

@@ -629,6 +629,20 @@ int EVP_Digest(const void *data, size_t count,
     return ret;
 }
 
+int EVP_Q_digest(OSSL_LIB_CTX *libctx, const char *name, const char *propq,
+                 const void *data, size_t count,
+                 unsigned char *md, unsigned int *size)
+{
+    EVP_MD *digest = EVP_MD_fetch(libctx, name, propq);
+    int ret = 0;
+
+    if (digest != NULL) {
+        ret = EVP_Digest(data, count, md, size, digest, NULL);
+        EVP_MD_free(digest);
+    }
+    return ret;
+}
+
 int EVP_MD_get_params(const EVP_MD *digest, OSSL_PARAM params[])
 {
     if (digest != NULL && digest->get_params != NULL)

crypto/evp/e_des3.c

@@ -16,9 +16,9 @@
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #ifndef OPENSSL_NO_DES
-# include <openssl/evp.h>
 # include <openssl/objects.h>
 # include "crypto/evp.h"
+# include "crypto/sha.h"
 # include <openssl/des.h>
 # include <openssl/rand.h>
 # include "evp_local.h"
@@ -347,10 +347,8 @@ static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
     /* Decrypt again using new IV */
     des_ede_cbc_cipher(ctx, out, out, inl - 16);
     des_ede_cbc_cipher(ctx, icv, icv, 8);
-    /* Work out SHA1 hash of first portion */
-    SHA1(out, inl - 16, sha1tmp);
-
-    if (!CRYPTO_memcmp(sha1tmp, icv, 8))
+    if (ossl_sha1(out, inl - 16, sha1tmp)  /* Work out hash of first portion */
+            && CRYPTO_memcmp(sha1tmp, icv, 8) == 0)
         rv = inl - 16;
     OPENSSL_cleanse(icv, 8);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
@@ -371,7 +369,8 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
     /* Copy input to output buffer + 8 so we have space for IV */
     memmove(out + 8, in, inl);
     /* Work out ICV */
-    SHA1(in, inl, sha1tmp);
+    if (!ossl_sha1(in, inl, sha1tmp))
+        return -1;
     memcpy(out + inl + 8, sha1tmp, 8);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
     /* Generate random IV */

crypto/sha/sha1_one.c

@@ -17,8 +17,9 @@
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/sha.h>
+#include "crypto/sha.h"
 
-unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
+unsigned char *ossl_sha1(const unsigned char *d, size_t n, unsigned char *md)
 {
     SHA_CTX c;
     static unsigned char m[SHA_DIGEST_LENGTH];

crypto/sha/sha256.c

@@ -53,34 +53,6 @@ int SHA256_Init(SHA256_CTX *c)
     return 1;
 }
 
-unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
-{
-    SHA256_CTX c;
-    static unsigned char m[SHA224_DIGEST_LENGTH];
-
-    if (md == NULL)
-        md = m;
-    SHA224_Init(&c);
-    SHA256_Update(&c, d, n);
-    SHA256_Final(md, &c);
-    OPENSSL_cleanse(&c, sizeof(c));
-    return md;
-}
-
-unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
-{
-    SHA256_CTX c;
-    static unsigned char m[SHA256_DIGEST_LENGTH];
-
-    if (md == NULL)
-        md = m;
-    SHA256_Init(&c);
-    SHA256_Update(&c, d, n);
-    SHA256_Final(md, &c);
-    OPENSSL_cleanse(&c, sizeof(c));
-    return md;
-}
-
 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
 {
     return SHA256_Update(c, data, len);

crypto/sha/sha512.c

@@ -338,34 +338,6 @@ void SHA512_Transform(SHA512_CTX *c, const unsigned char *data)
     sha512_block_data_order(c, data, 1);
 }
 
-unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
-{
-    SHA512_CTX c;
-    static unsigned char m[SHA384_DIGEST_LENGTH];
-
-    if (md == NULL)
-        md = m;
-    SHA384_Init(&c);
-    SHA512_Update(&c, d, n);
-    SHA512_Final(md, &c);
-    OPENSSL_cleanse(&c, sizeof(c));
-    return md;
-}
-
-unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
-{
-    SHA512_CTX c;
-    static unsigned char m[SHA512_DIGEST_LENGTH];
-
-    if (md == NULL)
-        md = m;
-    SHA512_Init(&c);
-    SHA512_Update(&c, d, n);
-    SHA512_Final(md, &c);
-    OPENSSL_cleanse(&c, sizeof(c));
-    return md;
-}
-
 #ifndef SHA512_ASM
 static const SHA_LONG64 K512[80] = {
     U64(0x428a2f98d728ae22), U64(0x7137449123ef65cd),

doc/man3/EVP_DigestInit.pod

@@ -10,7 +10,7 @@ EVP_MD_CTX_set_params, EVP_MD_CTX_get_params,
 EVP_MD_settable_ctx_params, EVP_MD_gettable_ctx_params,
 EVP_MD_CTX_settable_params, EVP_MD_CTX_gettable_params,
 EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags,
-EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit,
+EVP_Q_digest, EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit,
 EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal,
 EVP_MD_is_a, EVP_MD_name, EVP_MD_description, EVP_MD_number,
 EVP_MD_names_do_all, EVP_MD_provider,
@@ -49,6 +49,9 @@ EVP_MD_do_all_provided
  void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags);
  int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags);
 
+ int EVP_Q_digest(OSSL_LIB_CTX *libctx, const char *name, const char *propq,
+                  const void *data, size_t count,
+                  unsigned char *md, unsigned int *size);
  int EVP_Digest(const void *data, size_t count, unsigned char *md,
                 unsigned int *size, const EVP_MD *type, ENGINE *impl);
  int EVP_DigestInit_ex2(EVP_MD_CTX *ctx, const EVP_MD *type,
@@ -216,6 +219,12 @@ as a parameter descriptor.
 
 Sets, clears and tests I<ctx> flags.  See L</FLAGS> below for more information.
 
+=item EVP_Q_digest() is a quick one-shot digest function.
+It hashes I<count> bytes of data at I<data> using the digest algorithm I<name>,
+which is fetched using the optional I<libctx> and I<propq> parameters.
+The digest value is placed in I<md> and its length is written at I<size>
+if the pointer is not NULL. At most B<EVP_MAX_MD_SIZE> bytes will be written.
+
 =item EVP_Digest()
 
 A wrapper around the Digest Init_ex, Update and Final_ex functions.
@@ -528,12 +537,16 @@ Returns a pointer to a B<EVP_MD> for success or NULL for failure.
 
 Returns 1 for success or 0 for failure.
 
-=item EVP_DigestInit_ex2(),
+=item EVP_Q_digest(),
+EVP_Digest(),
+EVP_DigestInit_ex2(),
 EVP_DigestInit_ex(),
 EVP_DigestUpdate(),
-EVP_DigestFinal_ex()
+EVP_DigestFinal_ex(),
+EVP_DigestFinalXOF(), and
+EVP_DigestFinal()
 
-Returns 1 for
+return 1 for
 success and 0 for failure.
 
 =item EVP_MD_CTX_ctrl()
@@ -698,7 +711,8 @@ The EVP_dss1() function was removed in OpenSSL 1.1.0.
 
 The EVP_MD_CTX_set_pkey_ctx() function was added in OpenSSL 1.1.1.
 
-The EVP_DigestInit_ex2(), EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(),
+The EVP_Q_digest(), EVP_DigestInit_ex2(),
+EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(),
 EVP_MD_get_params(), EVP_MD_CTX_set_params(), EVP_MD_CTX_get_params(),
 EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(),
 EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() and

doc/man3/SHA256_Init.pod

@@ -11,6 +11,12 @@ SHA512_Final - Secure Hash Algorithm
 
  #include <openssl/sha.h>
 
+ unsigned char *SHA1(const void *data, size_t count, unsigned char *md_buf);
+ unsigned char *SHA224(const void *data, size_t count, unsigned char *md_buf);
+ unsigned char *SHA256(const void *data, size_t count, unsigned char *md_buf);
+ unsigned char *SHA384(const void *data, size_t count, unsigned char *md_buf);
+ unsigned char *SHA512(const void *data, size_t count, unsigned char *md_buf);
+
 Deprecated since OpenSSL 3.0, can be hidden entirely by defining
 B<OPENSSL_API_COMPAT> with a suitable version value, see
 L<openssl_user_macros(7)>:
@@ -18,38 +24,33 @@ L<openssl_user_macros(7)>:
  int SHA1_Init(SHA_CTX *c);
  int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
  int SHA1_Final(unsigned char *md, SHA_CTX *c);
- unsigned char *SHA1(const unsigned char *d, size_t n,
-                     unsigned char *md);
 
  int SHA224_Init(SHA256_CTX *c);
  int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
  int SHA224_Final(unsigned char *md, SHA256_CTX *c);
- unsigned char *SHA224(const unsigned char *d, size_t n,
-                       unsigned char *md);
 
  int SHA256_Init(SHA256_CTX *c);
  int SHA256_Update(SHA256_CTX *c, const void *data, size_t len);
  int SHA256_Final(unsigned char *md, SHA256_CTX *c);
- unsigned char *SHA256(const unsigned char *d, size_t n,
-                       unsigned char *md);
 
  int SHA384_Init(SHA512_CTX *c);
  int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
  int SHA384_Final(unsigned char *md, SHA512_CTX *c);
- unsigned char *SHA384(const unsigned char *d, size_t n,
-                       unsigned char *md);
 
  int SHA512_Init(SHA512_CTX *c);
  int SHA512_Update(SHA512_CTX *c, const void *data, size_t len);
  int SHA512_Final(unsigned char *md, SHA512_CTX *c);
- unsigned char *SHA512(const unsigned char *d, size_t n,
-                       unsigned char *md);
 
 =head1 DESCRIPTION
 
-All of the functions described on this page are deprecated.
+All of the functions described on this page
+except for SHA1(), SHA224(), SHA256(), SHA384() and SHA512() are deprecated.
 Applications should instead use L<EVP_DigestInit_ex(3)>, L<EVP_DigestUpdate(3)>
-and L<EVP_DigestFinal_ex(3)>.
+and L<EVP_DigestFinal_ex(3)>, or the quick one-shot function L<EVP_Q_digest(3)>.
+SHA1(), SHA224(), SHA256(), SHA384(), and SHA256()
+can continue to be used. They can also be replaced by, e.g.,
+
+    (EVP_Q_digest(d, n, md, NULL, NULL, "SHA256", NULL) ? md : NULL)
 
 SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
 160 bit output.
@@ -95,11 +96,12 @@ ANSI X9.30
 
 =head1 SEE ALSO
 
+L<EVP_Q_digest(3)>,
 L<EVP_DigestInit(3)>
 
 =head1 HISTORY
 
-All of these functions were deprecated in OpenSSL 3.0.
+All of these functions except SHA*() were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 

doc/man7/provider-digest.pod

@@ -255,7 +255,7 @@ algorithm.
 
 =head1 BUGS
 
-The EVP_Digest() and EVP_DigestFinal_ex() libcrypto API calls do not
+The EVP_Q_digest(), EVP_Digest() and EVP_DigestFinal_ex() API calls do not
 expect the digest size to be larger than EVP_MAX_MD_SIZE. Any algorithm which
 produces larger digests is unusable with those API calls.
 

include/crypto/sha.h

@@ -12,10 +12,11 @@
 # define OSSL_CRYPTO_SHA_H
 # pragma once
 
-# include <openssl/opensslconf.h>
+# include <openssl/sha.h>
 
 int sha512_224_init(SHA512_CTX *);
 int sha512_256_init(SHA512_CTX *);
 int ossl_sha1_ctrl(SHA_CTX *ctx, int cmd, int mslen, void *ms);
+unsigned char *ossl_sha1(const unsigned char *d, size_t n, unsigned char *md);
 
 #endif

include/openssl/evp.h

@@ -681,6 +681,9 @@ __owur int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,
 __owur int EVP_Digest(const void *data, size_t count,
                           unsigned char *md, unsigned int *size,
                           const EVP_MD *type, ENGINE *impl);
+__owur int EVP_Q_digest(OSSL_LIB_CTX *libctx, const char *name,
+                        const char *propq, const void *data, size_t count,
+                        unsigned char *md, unsigned int *size);
 
 __owur int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in);
 __owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);

include/openssl/sha.h

@@ -17,6 +17,7 @@
 # endif
 
 # include <openssl/e_os2.h>
+# include <openssl/evp.h>
 # include <stddef.h>
 
 # ifdef  __cplusplus
@@ -45,16 +46,16 @@ typedef struct SHAstate_st {
     SHA_LONG data[SHA_LBLOCK];
     unsigned int num;
 } SHA_CTX;
-# endif /* !defined(OPENSSL_NO_DEPRECATED_3_0) */
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+
 OSSL_DEPRECATEDIN_3_0 int SHA1_Init(SHA_CTX *c);
 OSSL_DEPRECATEDIN_3_0 int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
 OSSL_DEPRECATEDIN_3_0 int SHA1_Final(unsigned char *md, SHA_CTX *c);
-OSSL_DEPRECATEDIN_3_0 unsigned char *SHA1(const unsigned char *d, size_t n,
-                                          unsigned char *md);
 OSSL_DEPRECATEDIN_3_0 void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
 # endif
 
+# define SHA1(d, n, md) \
+    (EVP_Q_digest(NULL, "SHA1", NULL, d, n, md, NULL) ? md : NULL)
+
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 #  define SHA256_CBLOCK   (SHA_LBLOCK*4)/* SHA-256 treats input data as a
                                         * contiguous array of 32 bit wide
@@ -66,24 +67,24 @@ typedef struct SHA256state_st {
     SHA_LONG data[SHA_LBLOCK];
     unsigned int num, md_len;
 } SHA256_CTX;
-# endif /* !defined(OPENSSL_NO_DEPRECATED_3_0) */
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+
 OSSL_DEPRECATEDIN_3_0 int SHA224_Init(SHA256_CTX *c);
 OSSL_DEPRECATEDIN_3_0 int SHA224_Update(SHA256_CTX *c,
                                         const void *data, size_t len);
 OSSL_DEPRECATEDIN_3_0 int SHA224_Final(unsigned char *md, SHA256_CTX *c);
-OSSL_DEPRECATEDIN_3_0 unsigned char *SHA224(const unsigned char *d, size_t n,
-                                            unsigned char *md);
 OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);
 OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
                                         const void *data, size_t len);
 OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c);
-OSSL_DEPRECATEDIN_3_0 unsigned char *SHA256(const unsigned char *d, size_t n,
-                                            unsigned char *md);
 OSSL_DEPRECATEDIN_3_0 void SHA256_Transform(SHA256_CTX *c,
                                             const unsigned char *data);
 # endif
 
+# define SHA224(d, n, md) \
+    (EVP_Q_digest(NULL, "SHA224", NULL, d, n, md, NULL) ? md : NULL)
+# define SHA256(d, n, md) \
+    (EVP_Q_digest(NULL, "SHA256", NULL, d, n, md, NULL) ? md : NULL)
+
 # define SHA224_DIGEST_LENGTH    28
 # define SHA256_DIGEST_LENGTH    32
 # define SHA384_DIGEST_LENGTH    48
@@ -118,24 +119,24 @@ typedef struct SHA512state_st {
     } u;
     unsigned int num, md_len;
 } SHA512_CTX;
-# endif /* !defined(OPENSSL_NO_DEPRECATED_3_0) */
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+
 OSSL_DEPRECATEDIN_3_0 int SHA384_Init(SHA512_CTX *c);
 OSSL_DEPRECATEDIN_3_0 int SHA384_Update(SHA512_CTX *c,
                                         const void *data, size_t len);
 OSSL_DEPRECATEDIN_3_0 int SHA384_Final(unsigned char *md, SHA512_CTX *c);
-OSSL_DEPRECATEDIN_3_0 unsigned char *SHA384(const unsigned char *d, size_t n,
-                                            unsigned char *md);
 OSSL_DEPRECATEDIN_3_0 int SHA512_Init(SHA512_CTX *c);
 OSSL_DEPRECATEDIN_3_0 int SHA512_Update(SHA512_CTX *c,
                                         const void *data, size_t len);
 OSSL_DEPRECATEDIN_3_0 int SHA512_Final(unsigned char *md, SHA512_CTX *c);
-OSSL_DEPRECATEDIN_3_0 unsigned char *SHA512(const unsigned char *d, size_t n,
-                                            unsigned char *md);
 OSSL_DEPRECATEDIN_3_0 void SHA512_Transform(SHA512_CTX *c,
                                             const unsigned char *data);
 # endif
 
+# define SHA384(d, n, md) \
+    (EVP_Q_digest(NULL, "SHA384", NULL, d, n, md, NULL) ? md : NULL)
+# define SHA512(d, n, md) \
+    (EVP_Q_digest(NULL, "SHA512", NULL, d, n, md, NULL) ? md : NULL)
+
 # ifdef  __cplusplus
 }
 # endif

providers/fips-sources.checksums

@@ -166,7 +166,7 @@ fa39906519062932adafb63cbf05b5dfa7563673576d421c80ec6b889d024e84  crypto/ec/ecp_
 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580  crypto/ec/ecx_key.c
 7c7f3e2a19a95d62942790e525f00cccc87e46da099a0c96d101787d68c75128  crypto/evp/asymcipher.c
 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b  crypto/evp/dh_support.c
-4433d40517d9550f6a1db90dfb912e32ee10b95497ddfc2a7edb2116f87ee531  crypto/evp/digest.c
+e819c499207dd2ee5457cd9411c6089e13476bedf41de2aa67e10b13810ff0e5  crypto/evp/digest.c
 87599335b61f97362799170d7b19cbbf775bfecc0fab570b267c7622241cfad8  crypto/evp/ec_support.c
 c146c0a8a06e3c558207c1c76039dd2a61a2160cc243e9e3de2e290bc6e1b2d0  crypto/evp/evp_enc.c
 9b4956b5c28db987001b33421aacf3b9f352181f874c768ad1b034e083483561  crypto/evp/evp_fetch.c
@@ -297,9 +297,9 @@ f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699  crypto/sha/asm
 8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907  crypto/sha/asm/sha512p8-ppc.pl
 4d13c5020a92190d43721018c50776fd4df858fe92f3cce1d465ed98dfb142d1  crypto/sha/keccak1600.c
 306cacd3f86e5cacaca74c58ef862516515e5c0cafaff48636d537fd84f1c2fb  crypto/sha/sha1dgst.c
-b40bd40b91a2ecdba63777758f84c5405a92e673636dba2cb83512c34aae3882  crypto/sha/sha256.c
+4d8cf04f5806611e7586aab47fb28165ec1afb00168e2c9876bb36cb5c29bf8b  crypto/sha/sha256.c
 01aff75580e47ee880f411a319ed5d86198df464e3b8056b8734698e3c8d4d07  crypto/sha/sha3.c
-7598a626c55fb6505cc234cb438c78846756cde95c4400ca07bf9460b9bec834  crypto/sha/sha512.c
+65ef028da082f1a9b6ce2c45ae5644895b7fca356a798fca65428852ccf24b96  crypto/sha/sha512.c
 86913a593b55c759a3824eeede398f966278d79c148bef41986c5ac4e48f0bd7  crypto/sparse_array.c
 32b48ac523d69b65d46b5588cd75697c473eec0b97bdefc820f436f25403a1df  crypto/stack/stack.c
 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8  crypto/threads_lib.c

providers/fips.checksum

@@ -1 +1 @@
-4d501c5fb8a5646c618eb02511a7a1ffab71823f6adee558ee30df8bb4bd6f40  providers/fips-sources.checksums
+db2202782291f6e77fbe9f6271517cb41d7c06790a606a61f69e564f002f76f5  providers/fips-sources.checksums

providers/implementations/ciphers/cipher_tdes_wrap.c

@@ -18,6 +18,7 @@
 #include <openssl/proverr.h>
 #include "cipher_tdes_default.h"
 #include "crypto/evp.h"
+#include "crypto/sha.h"
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 
@@ -64,10 +65,8 @@ static int des_ede3_unwrap(PROV_CIPHER_CTX *ctx, unsigned char *out,
     /* Decrypt again using new IV */
     ctx->hw->cipher(ctx, out, out, inl - 16);
     ctx->hw->cipher(ctx, icv, icv, 8);
-    /* Work out SHA1 hash of first portion */
-    SHA1(out, inl - 16, sha1tmp);
-
-    if (!CRYPTO_memcmp(sha1tmp, icv, 8))
+    if (ossl_sha1(out, inl - 16, sha1tmp) /* Work out hash of first portion */
+            && CRYPTO_memcmp(sha1tmp, icv, 8) == 0)
         rv = inl - 16;
     OPENSSL_cleanse(icv, 8);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
@@ -93,7 +92,8 @@ static int des_ede3_wrap(PROV_CIPHER_CTX *ctx, unsigned char *out,
     /* Copy input to output buffer + 8 so we have space for IV */
     memmove(out + ivlen, in, inl);
     /* Work out ICV */
-    SHA1(in, inl, sha1tmp);
+    if (!ossl_sha1(in, inl, sha1tmp))
+        return 0;
     memcpy(out + inl + ivlen, sha1tmp, icvlen);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
     /* Generate random IV */

util/libcrypto.num

@@ -1144,7 +1144,7 @@ BN_security_bits                        1171	3_0_0	EXIST::FUNCTION:
 X509_PURPOSE_get0_name                  1172	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_get_serial                  1173	3_0_0	EXIST::FUNCTION:TS
 ASN1_PCTX_get_str_flags                 1174	3_0_0	EXIST::FUNCTION:
-SHA256                                  1175	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
+SHA256                                  1175	3_0_0	NOEXIST::FUNCTION:
 X509_LOOKUP_hash_dir                    1176	3_0_0	EXIST::FUNCTION:
 ASN1_BIT_STRING_check                   1177	3_0_0	EXIST::FUNCTION:
 ENGINE_set_default_RAND                 1178	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
@@ -1375,7 +1375,7 @@ EVP_MD_meth_get_cleanup                 1408	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 SRP_Calc_server_key                     1409	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
 BN_mod_exp_simple                       1410	3_0_0	EXIST::FUNCTION:
 BIO_set_ex_data                         1411	3_0_0	EXIST::FUNCTION:
-SHA512                                  1412	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
+SHA512                                  1412	3_0_0	NOEXIST::FUNCTION:
 X509_STORE_CTX_get_explicit_policy      1413	3_0_0	EXIST::FUNCTION:
 EVP_DecodeBlock                         1414	3_0_0	EXIST::FUNCTION:
 OSSL_HTTP_REQ_CTX_set_request_line      1415	3_0_0	EXIST::FUNCTION:
@@ -2460,7 +2460,7 @@ BN_generate_dsa_nonce                   2512	3_0_0	EXIST::FUNCTION:
 X509_verify_cert                        2513	3_0_0	EXIST::FUNCTION:
 X509_policy_level_get0_node             2514	3_0_0	EXIST::FUNCTION:
 X509_REQ_get_attr                       2515	3_0_0	EXIST::FUNCTION:
-SHA1                                    2516	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
+SHA1                                    2516	3_0_0	NOEXIST::FUNCTION:
 X509_print                              2517	3_0_0	EXIST::FUNCTION:
 d2i_AutoPrivateKey                      2518	3_0_0	EXIST::FUNCTION:
 X509_REQ_new                            2519	3_0_0	EXIST::FUNCTION:
@@ -2927,7 +2927,7 @@ EC_GROUP_set_asn1_flag                  2991	3_0_0	EXIST::FUNCTION:EC
 EVP_PKEY_new                            2992	3_0_0	EXIST::FUNCTION:
 i2d_POLICYINFO                          2993	3_0_0	EXIST::FUNCTION:
 BN_get_flags                            2994	3_0_0	EXIST::FUNCTION:
-SHA384                                  2995	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
+SHA384                                  2995	3_0_0	NOEXIST::FUNCTION:
 NCONF_get_string                        2996	3_0_0	EXIST::FUNCTION:
 d2i_PROXY_CERT_INFO_EXTENSION           2997	3_0_0	EXIST::FUNCTION:
 EC_POINT_point2buf                      2998	3_0_0	EXIST::FUNCTION:EC
@@ -3510,7 +3510,7 @@ EVP_MD_meth_dup                         3588	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 ENGINE_unregister_ciphers               3589	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 X509_issuer_and_serial_cmp              3590	3_0_0	EXIST::FUNCTION:
 OCSP_response_create                    3591	3_0_0	EXIST::FUNCTION:OCSP
-SHA224                                  3592	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
+SHA224                                  3592	3_0_0	NOEXIST::FUNCTION:
 MD2_options                             3593	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD2
 X509_REQ_it                             3595	3_0_0	EXIST::FUNCTION:
 RAND_bytes                              3596	3_0_0	EXIST::FUNCTION:
@@ -5320,6 +5320,7 @@ OSSL_ESS_signing_cert_new_init          ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_signing_cert_v2_new_init       ?	3_0_0	EXIST::FUNCTION:
 ESS_SIGNING_CERT_it                     ?	3_0_0	EXIST::FUNCTION:
 ESS_SIGNING_CERT_V2_it                  ?	3_0_0	EXIST::FUNCTION:
+EVP_Q_digest                            ?	3_0_0	EXIST::FUNCTION:
 EVP_DigestInit_ex2                      ?	3_0_0	EXIST::FUNCTION:
 EVP_EncryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:
 EVP_DecryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:

util/other.syms

@@ -431,6 +431,11 @@ PEM_FLAG_EAY_COMPATIBLE                 define
 PEM_FLAG_ONLY_B64                       define
 PEM_FLAG_SECURE                         define
 RAND_cleanup                            define deprecated 1.1.0
+SHA1                                    define
+SHA224                                  define
+SHA256                                  define
+SHA384                                  define
+SHA512                                  define
 SSL_COMP_free_compression_methods       define deprecated 1.1.0
 SSL_CTX_add0_chain_cert                 define
 SSL_CTX_add1_chain_cert                 define