bn: Deprecate the X9.31 RSA key generation related functions

This key generation method is obsolete. Fixes #10111 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13921)
2 years ago · c27e792221
parent c9603dfa42
commit c27e792221
7 changed files with 23 additions and 8 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -23,6 +23,12 @@ OpenSSL 3.0

 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]

+ * Deprecated the obsolete X9.31 RSA key generation related functions
+   BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
+   BN_X931_generate_prime_ex().
+
+   *Tomas Mraz*
+
 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
   OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
   OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
--- a/crypto/bn/bn_x931p.c
+++ b/crypto/bn/bn_x931p.c
@ -7,6 +7,8 @@
 * https://www.openssl.org/source/license.html
 */

+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <stdio.h>
 #include <openssl/bn.h>
 #include "bn_local.h"
--- a/crypto/bn/build.info
+++ b/crypto/bn/build.info
@ -105,11 +105,10 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
        bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
        bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
        bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
-        bn_x931p.c bn_intern.c bn_dh.c \
-        bn_rsa_fips186_4.c bn_const.c
+        bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
 SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
 IF[{- !$disabled{'deprecated-3.0'} -}]
-  SOURCE[../../libcrypto]=bn_depr.c
+  SOURCE[../../libcrypto]=bn_depr.c bn_x931p.c
 ENDIF
 SOURCE[../../providers/libfips.a]=$COMMON $BNASM
 SOURCE[../../providers/liblegacy.a]=$BNASM
--- a/crypto/rsa/build.info
+++ b/crypto/rsa/build.info
@ -2,7 +2,7 @@ LIBS=../../libcrypto

 $COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \
        rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \
-        rsa_x931g.c rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \
+        rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \
        rsa_mp_names.c rsa_schemes.c

 SOURCE[../../libcrypto]=$COMMON\
@ -11,6 +11,9 @@ SOURCE[../../libcrypto]=$COMMON\
 IF[{- !$disabled{'deprecated-0.9.8'} -}]
  SOURCE[../../libcrypto]=rsa_depr.c
 ENDIF
+IF[{- !$disabled{'deprecated-3.0'} -}]
+  SOURCE[../../libcrypto]=rsa_x931g.c
+ENDIF

 SOURCE[../../providers/libfips.a]=$COMMON

--- a/crypto/rsa/rsa_x931g.c
+++ b/crypto/rsa/rsa_x931g.c
@ -11,7 +11,7 @@
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
-#include "internal/deprecated.h"
+#define OPENSSL_SUPPRESS_DEPRECATED

 #include <stdio.h>
 #include <string.h>
--- a/include/openssl/bn.h
+++ b/include/openssl/bn.h
@ -370,15 +370,20 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
                         const BIGNUM *rem, BN_GENCB *cb);
 int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb);

+# ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0
 int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);

+OSSL_DEPRECATEDIN_3_0
 int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
                            const BIGNUM *Xp, const BIGNUM *Xp1,
                            const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx,
                            BN_GENCB *cb);
+OSSL_DEPRECATEDIN_3_0
 int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1,
                              BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e,
                              BN_CTX *ctx, BN_GENCB *cb);
+# endif

 BN_MONT_CTX *BN_MONT_CTX_new(void);
 int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -568,7 +568,7 @@ ERR_load_CONF_strings                   581	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3
 ESS_ISSUER_SERIAL_dup                   582	3_0_0	EXIST::FUNCTION:
 BN_GF2m_mod_exp_arr                     583	3_0_0	EXIST::FUNCTION:EC2M
 ASN1_UTF8STRING_free                    584	3_0_0	EXIST::FUNCTION:
-BN_X931_generate_prime_ex               585	3_0_0	EXIST::FUNCTION:
+BN_X931_generate_prime_ex               585	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ENGINE_get_RAND                         586	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 EVP_DecryptInit                         587	3_0_0	EXIST::FUNCTION:
 BN_bin2bn                               588	3_0_0	EXIST::FUNCTION:
@ -980,7 +980,7 @@ CRYPTO_cbc128_encrypt                   1004	3_0_0	EXIST::FUNCTION:
 i2d_RSAPublicKey_bio                    1005	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_chain_check_suiteb                 1006	3_0_0	EXIST::FUNCTION:
 i2d_OCSP_REQUEST                        1007	3_0_0	EXIST::FUNCTION:OCSP
-BN_X931_generate_Xpq                    1008	3_0_0	EXIST::FUNCTION:
+BN_X931_generate_Xpq                    1008	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ASN1_item_digest                        1009	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_set_trust             1010	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_get_error                1011	3_0_0	EXIST::FUNCTION:
@ -1976,7 +1976,7 @@ EC_KEY_get0_private_key                 2021	3_0_0	EXIST::FUNCTION:EC
 SCT_get0_extensions                     2022	3_0_0	EXIST::FUNCTION:CT
 OPENSSL_LH_node_stats_bio               2023	3_0_0	EXIST::FUNCTION:
 i2d_DIRECTORYSTRING                     2024	3_0_0	EXIST::FUNCTION:
-BN_X931_derive_prime_ex                 2025	3_0_0	EXIST::FUNCTION:
+BN_X931_derive_prime_ex                 2025	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ENGINE_get_pkey_asn1_meth_str           2026	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 PKCS7_signatureVerify                   2027	3_0_0	EXIST::FUNCTION:
 CRYPTO_ocb128_new                       2028	3_0_0	EXIST::FUNCTION:OCB