The branch master has been updated via ea7808143d6880db0cb9eb9cf6694c23958d32b0 (commit) via 52c8535a73c575e5ac5f742c35b4fa65ed5df0dc (commit) via 47422549da431cf9546a148d916d162e196fcd44 (commit) via 575b36ecefca4eff181210ff1eeb3a3dcfbf5456 (commit) via d6fff343c85b1fd1c144690b881bf89aa6d049e6 (commit) from b36d6a5ef857a9e08b1fdb80ed5aa0bdbcec9aae (commit)
- Log ----------------------------------------------------------------- commit ea7808143d6880db0cb9eb9cf6694c23958d32b0 Author: Pauli <paul.d...@oracle.com> Date: Thu Oct 22 08:18:38 2020 +1000 dsa: add additional deprecated functions to CHANGES entry. Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13638) commit 52c8535a73c575e5ac5f742c35b4fa65ed5df0dc Author: Pauli <paul.d...@oracle.com> Date: Tue Oct 20 13:32:57 2020 +1000 dsa: provider and library deprecation changes Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13638) commit 47422549da431cf9546a148d916d162e196fcd44 Author: Pauli <paul.d...@oracle.com> Date: Tue Oct 20 13:32:26 2020 +1000 dsa: apps deprecation changes Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13638) commit 575b36ecefca4eff181210ff1eeb3a3dcfbf5456 Author: Pauli <paul.d...@oracle.com> Date: Tue Oct 20 13:32:08 2020 +1000 dsa: fuzzer deprecation changes Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13638) commit d6fff343c85b1fd1c144690b881bf89aa6d049e6 Author: Pauli <paul.d...@oracle.com> Date: Tue Oct 20 13:31:43 2020 +1000 dsa: documentation deprecation changes Fixes #13121 Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13638) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 31 ++-- NEWS.md | 1 + apps/dhparam.c | 2 + apps/dsa.c | 132 +++++++++-------- apps/gendsa.c | 28 +--- apps/rsa.c | 10 +- apps/x509.c | 17 +-- crypto/dsa/dsa_backend.c | 6 + 
crypto/dsa/dsa_check.c | 6 + crypto/dsa/dsa_meth.c | 8 +- doc/man3/DSA_SIG_new.pod | 4 +- doc/man3/DSA_get0_pqg.pod | 11 +- doc/man3/DSA_new.pod | 12 ++ doc/man3/DSA_size.pod | 14 +- doc/man3/d2i_RSAPrivateKey.pod | 47 ++++++ doc/man3/d2i_X509.pod | 17 --- fuzz/asn1.c | 2 + fuzz/server.c | 9 +- include/openssl/dsa.h | 264 +++++++++++++++++----------------- include/openssl/pem.h | 10 +- include/openssl/types.h | 2 + include/openssl/x509.h.in | 30 ++-- providers/common/der/der_dsa_gen.c.in | 6 + providers/common/der/der_dsa_key.c | 6 + providers/common/der/der_dsa_sig.c | 6 + providers/common/digest_to_nid.c | 2 + 26 files changed, 397 insertions(+), 286 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e31ee42db3..a296406137 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -504,20 +504,23 @@ OpenSSL 3.0 * All of the low level DSA functions have been deprecated including: - DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method, - DSA_get_default_method, DSA_set_method, DSA_get_method, - DSA_new_method, DSA_size, DSA_security_bits, DSA_sign_setup, DSA_sign, - DSA_verify, DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data, - DSA_generate_parameters_ex, DSA_generate_key, DSA_meth_new, DSA_get0_engine, - DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, - DSA_meth_get_flags, DSA_meth_set_flags, DSA_meth_get0_app_data, - DSA_meth_set0_app_data, DSA_meth_get_sign, DSA_meth_set_sign, - DSA_meth_get_sign_setup, DSA_meth_set_sign_setup, DSA_meth_get_verify, - DSA_meth_set_verify, DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, - DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp, DSA_meth_get_init, - DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish, - DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen and - DSA_meth_set_keygen. 
+ DSA_new, DSA_free, DSA_up_ref, DSA_bits, DSA_get0_pqg, DSA_set0_pqg, + DSA_get0_key, DSA_set0_key, DSA_get0_p, DSA_get0_q, DSA_get0_g, + DSA_get0_pub_key, DSA_get0_priv_key, DSA_clear_flags, DSA_test_flags, + DSA_set_flags, DSA_do_sign, DSA_do_verify, DSA_OpenSSL, + DSA_set_default_method, DSA_get_default_method, DSA_set_method, + DSA_get_method, DSA_new_method, DSA_size, DSA_security_bits, + DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index, + DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex, + DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free, + DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags, + DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data, + DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup, + DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify, + DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp, + DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init, + DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen, + DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen. Use of these low level functions has been informally discouraged for a long time. Instead applications should use L<EVP_DigestSignInit_ex(3)>, diff --git a/NEWS.md b/NEWS.md index d02e00b8df..01f9563b1d 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,6 +20,7 @@ OpenSSL 3.0 ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development] + * Deprecated the `DSA_` functions. * Deprecated the `ERR_load_` functions. * Remove the `RAND_DRBG` API. * Deprecated the `ENGINE` API. diff --git a/apps/dhparam.c b/apps/dhparam.c index a69dfd3810..8242a1f1d7 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c 
@@ -47,8 +47,10 @@ const OPTIONS dhparam_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"check", OPT_CHECK, '-', "Check the DH parameters"}, +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0) {"dsaparam", OPT_DSAPARAM, '-', "Read or generate DSA parameters, convert to DH"}, +#endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, #endif diff --git a/apps/dsa.c b/apps/dsa.c index 2deda0a32c..ebb841fa53 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -22,6 +22,15 @@ #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/bn.h> +#include <openssl/encoder.h> +#include <openssl/core_names.h> +#include <openssl/core_dispatch.h> + +#ifndef OPENSSL_NO_RC4 +# define DEFAULT_PVK_ENCR_STRENGTH 2 +#else +# define DEFAULT_PVK_ENCR_STRENGTH 0 +#endif typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -68,7 +77,6 @@ const OPTIONS dsa_options[] = { int dsa_main(int argc, char **argv) { BIO *out = NULL; - DSA *dsa = NULL; ENGINE *e = NULL; EVP_PKEY *pkey = NULL; const EVP_CIPHER *enc = NULL; @@ -76,11 +84,13 @@ int dsa_main(int argc, char **argv) char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; - int i, modulus = 0, pubin = 0, pubout = 0, ret = 1; -#ifndef OPENSSL_NO_RC4 - int pvk_encr = 2; -#endif + int modulus = 0, pubin = 0, pubout = 0, ret = 1; + int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; int private = 0; + const char *output_type = NULL; + const char *output_structure = NULL; + int selection = 0; + OSSL_ENCODER_CTX *ectx = NULL; prog = opt_init(argc, argv, dsa_options); while ((o = opt_next()) != OPT_EOF) { 
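Review bot: The new guard `#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0)` around the `dsaparam` option keeps it compiled whenever either DSA or the deprecated API is available, which looks inverted: the option needs both, so a no-dsa build with deprecated APIs on, or a DSA build with `OPENSSL_NO_DEPRECATED_3_0`, still advertises an option whose backing code presumably is not built. `#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)` expresses the intended condition. The same `||` form appears in the four fuzz/server.c hunks of this commit (around lines 292, 512, 529 and 592), where it additionally governs the `DSA *dsakey` declaration and the DSA key loading in FuzzerTestOneInput, so the fix belongs there too. The OPT_DSAPARAM handling in dhparam_main is outside the hunk, so whether it carries a matching guard cannot be confirmed here.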
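Review bot: `DEFAULT_PVK_ENCR_STRENGTH` is defined here with exactly the same `#ifndef OPENSSL_NO_RC4` / 2 / 0 logic that the rsa.c hunk in this commit adds, so the two apps can now drift apart silently. Hoisting the definition into the shared apps header, with a one-line comment such as `/* PVK encryption level: 2 = 'strong' (the default when RC4 is available), 0 = no encryption */`, keeps a single definition and documents what the magic values mean. The `pvk-strong`/`pvk-weak`/`pvk-none` option table for dsa.c is outside this hunk, so whether it is gated on `OPENSSL_NO_RC4` the way the rsa.c hunk gates its own cannot be checked here.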
@@ -171,14 +181,15 @@ int dsa_main(int argc, char **argv) else pkey = load_key(infile, informat, 1, passin, e, "private key"); - if (pkey != NULL) - dsa = EVP_PKEY_get1_DSA(pkey); - - if (dsa == NULL) { + if (pkey == NULL) { BIO_printf(bio_err, "unable to load Key\n"); ERR_print_errors(bio_err); goto end; } + if (!EVP_PKEY_is_a(pkey, "DSA")) { + BIO_printf(bio_err, "Not a DSA key\n"); + goto end; + } out = bio_open_owner(outfile, outformat, private); if (out == NULL) @@ -195,11 +206,16 @@ int dsa_main(int argc, char **argv) } if (modulus) { - const BIGNUM *pub_key = NULL; - DSA_get0_key(dsa, &pub_key, NULL); + BIGNUM *pub_key = NULL; + + if (!EVP_PKEY_get_bn_param(pkey, "pub", &pub_key)) { + ERR_print_errors(bio_err); + goto end; + } BIO_printf(out, "Public Key="); BN_print(out, pub_key); BIO_printf(out, "\n"); + BN_free(pub_key); } if (noout) { 
@@ -208,64 +224,68 @@ int dsa_main(int argc, char **argv) } BIO_printf(bio_err, "writing DSA key\n"); if (outformat == FORMAT_ASN1) { - if (pubin || pubout) { - i = i2d_DSA_PUBKEY_bio(out, dsa); - } else { - assert(private); - i = i2d_DSAPrivateKey_bio(out, dsa); - } + output_type = "DER"; } else if (outformat == FORMAT_PEM) { - if (pubin || pubout) { - i = PEM_write_bio_DSA_PUBKEY(out, dsa); - } else { - assert(private); - i = PEM_write_bio_DSAPrivateKey(out, dsa, enc, - NULL, 0, NULL, passout); - } -#ifndef OPENSSL_NO_RSA - } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { - EVP_PKEY *pk; - pk = EVP_PKEY_new(); - if (pk == NULL) - goto end; - - EVP_PKEY_set1_DSA(pk, dsa); - if (outformat == FORMAT_PVK) { - if (pubin) { - BIO_printf(bio_err, "PVK form impossible with public key input\n"); - EVP_PKEY_free(pk); - goto end; - } - assert(private); -# ifdef OPENSSL_NO_RC4 - BIO_printf(bio_err, "PVK format not supported\n"); - EVP_PKEY_free(pk); + output_type = "PEM"; + } else if (outformat == FORMAT_MSBLOB) { + output_type = "MSBLOB"; + } else if (outformat == FORMAT_PVK) { + if (pubin) { + BIO_printf(bio_err, "PVK form impossible with public key input\n"); goto end; -# else - i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); -# endif - } else if (pubin || pubout) { - i = i2b_PublicKey_bio(out, pk); - } else { - assert(private); - i = i2b_PrivateKey_bio(out, pk); } - EVP_PKEY_free(pk); -#endif + output_type = "PVK"; } else { BIO_printf(bio_err, "bad output format specified for outfile\n"); goto end; } - if (i <= 0) { - BIO_printf(bio_err, "unable to write private key\n"); - ERR_print_errors(bio_err); + + if (outformat == FORMAT_ASN1 || outformat == FORMAT_PEM) { + if (pubout || pubin) + output_structure = "SubjectPublicKeyInfo"; + else + output_structure = "type-specific"; + } + + /* Select what you want in the output */ + if (pubout || pubin) { + selection = OSSL_KEYMGMT_SELECT_PUBLIC_KEY; + } else { + assert(private); + selection = 
(OSSL_KEYMGMT_SELECT_KEYPAIR + | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS); + } + + /* Perform the encoding */ + ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, output_type, + output_structure, NULL); + if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) { + BIO_printf(bio_err, "%s format not supported\n", output_type); + goto end; + } + + /* PVK requires a bit more */ + if (outformat == FORMAT_PVK) { + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + params[0] = OSSL_PARAM_construct_int("encrypt-level", &pvk_encr); + if (!OSSL_ENCODER_CTX_set_params(ectx, params)) { + BIO_printf(bio_err, "invalid PVK encryption level\n"); + goto end; + } + } + + if (!OSSL_ENCODER_to_bio(ectx, out)) { + BIO_printf(bio_err, "unable to write key\n"); goto end; } ret = 0; end: + if (ret != 0) + ERR_print_errors(bio_err); + OSSL_ENCODER_CTX_free(ectx); BIO_free_all(out); EVP_PKEY_free(pkey); - DSA_free(dsa); release_engine(e); OPENSSL_free(passin); OPENSSL_free(passout); diff --git a/apps/gendsa.c b/apps/gendsa.c index d525f7093b..c90a01d979 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -54,7 +54,6 @@ int gendsa_main(int argc, char **argv) { ENGINE *e = NULL; BIO *out = NULL, *in = NULL; - DSA *dsa = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; const EVP_CIPHER *enc = NULL; 
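Review bot: `ectx` is passed straight to `OSSL_ENCODER_CTX_get_num_encoders()` without checking that `OSSL_ENCODER_CTX_new_by_EVP_PKEY()` returned non-NULL, so an allocation failure would be reported as `"%s format not supported"`, which misdirects the user. Splitting the two cases keeps the diagnostic accurate: `if (ectx == NULL) { BIO_printf(bio_err, "unable to create encoder context\n"); goto end; }` before the encoder-count check. Since the new `end:` label now calls `ERR_print_errors(bio_err)` whenever `ret != 0`, the explicit `ERR_print_errors(bio_err)` kept in the `modulus` path of the preceding hunk is redundant and could be dropped for consistency with the other `goto end` sites. dsa_main begins before this hunk.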
@@ -117,38 +116,18 @@ int gendsa_main(int argc, char **argv) goto end; } - in = bio_open_default(dsaparams, 'r', FORMAT_PEM); - if (in == NULL) - goto end2; - - if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) { - BIO_printf(bio_err, "unable to load DSA parameter file\n"); - goto end; - } - BIO_free(in); - in = NULL; + pkey = load_keyparams(dsaparams, 1, "DSA", "DSA parameters"); out = bio_open_owner(outfile, FORMAT_PEM, private); if (out == NULL) goto end2; - DSA_get0_pqg(dsa, &p, NULL, NULL); - - if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS) + if (EVP_PKEY_bits(pkey) > OPENSSL_DSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for DSA keys.\n" " Your key size is %d! Larger key size may behave not as expected.\n", - OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p)); + OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_bits(pkey)); - pkey = EVP_PKEY_new(); - if (pkey == NULL) { - BIO_printf(bio_err, "unable to allocate PKEY\n"); - goto end; - } - if (!EVP_PKEY_set1_DSA(pkey, dsa)) { - BIO_printf(bio_err, "unable to associate DSA parameters with PKEY\n"); - goto end; - } ctx = EVP_PKEY_CTX_new(pkey, NULL); if (ctx == NULL) { BIO_printf(bio_err, "unable to create PKEY context\n"); @@ -179,7 +158,6 @@ int gendsa_main(int argc, char **argv) end2: BIO_free(in); BIO_free_all(out); - DSA_free(dsa); EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(ctx); release_engine(e); diff --git a/apps/rsa.c b/apps/rsa.c index bdfbcf07b8..b65c8fc793 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -30,6 +30,12 @@ */ #include <openssl/core_dispatch.h> +#ifndef OPENSSL_NO_RC4 +# define DEFAULT_PVK_ENCR_STRENGTH 2 +#else +# define DEFAULT_PVK_ENCR_STRENGTH 0 +#endif + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, 
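Review bot: `pkey` returned by `load_keyparams()` is used by `EVP_PKEY_bits(pkey)` and `EVP_PKEY_CTX_new(pkey, NULL)` without a NULL check, whereas the removed code rejected an unloadable parameter file with a clear message before going further. Restore the guard right after the call: `if (pkey == NULL) goto end;` (load_keyparams presumably reports its own error, so no extra message may be needed — confirm). The `in` BIO is no longer opened anywhere in this function but is still freed at `end2:`, and the `p` BIGNUM that `DSA_get0_pqg()` used to fill appears to have lost its only use, so both declarations (outside the hunk) may now be dead and worth removing. gendsa_main starts before this hunk and continues after it.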
@@ -69,10 +75,12 @@ const OPTIONS rsa_options[] = { {"traditional", OPT_TRADITIONAL, '-', "Use traditional format for private keys"}, +#ifndef OPENSSL_NO_RC4 OPT_SECTION("PVK"), {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"}, {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"}, {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"}, +#endif OPT_PROV_OPTIONS, {NULL} @@ -90,7 +98,7 @@ int rsa_main(int argc, char **argv) int private = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1; - int pvk_encr = 2; + int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH; OPTION_CHOICE o; int traditional = 0; const char *output_type = NULL; diff --git a/apps/x509.c b/apps/x509.c index a82682bc11..5de25c1e2c 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -755,7 +755,6 @@ int x509_main(int argc, char **argv) goto end; } BIO_printf(out, "Modulus="); -#ifndef OPENSSL_NO_RSA if (EVP_PKEY_is_a(pkey, "RSA")) { BIGNUM *n; @@ -763,16 +762,14 @@ int x509_main(int argc, char **argv) EVP_PKEY_get_bn_param(pkey, "n", &n); BN_print(out, n); BN_free(n); - } else -#endif -#ifndef OPENSSL_NO_DSA - if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { - const BIGNUM *dsapub = NULL; - DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); + } else if (EVP_PKEY_is_a(pkey, "DSA")) { + BIGNUM *dsapub; + + /* Every DSA key has an 'pub' */ + EVP_PKEY_get_bn_param(pkey, "pub", &dsapub); BN_print(out, dsapub); - } else -#endif - { + BN_free(dsapub); + } else { BIO_printf(out, "Wrong Algorithm type"); } BIO_printf(out, "\n"); diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index 461cb187dd..4809b3100b 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c 
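Review bot: In the x509.c hunk at line 762, `dsapub` is declared uninitialized and the return value of `EVP_PKEY_get_bn_param(pkey, "pub", &dsapub)` is ignored, so a failed lookup reaches `BN_print()` and `BN_free()` with an indeterminate pointer. Initialize and check it: `BIGNUM *dsapub = NULL;` and `if (!EVP_PKEY_get_bn_param(pkey, "pub", &dsapub)) goto end;` before the print. The RSA branch just above has the same unchecked pattern on `n`, so the fix belongs on both branches. The comment `/* Every DSA key has an 'pub' */` should read `a 'pub'`. x509_main continues outside the hunk.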
@@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * DSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <openssl/core_names.h> #include "crypto/dsa.h" diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c index 0d38340840..9a1b129df8 100644 --- a/crypto/dsa/dsa_check.c +++ b/crypto/dsa/dsa_check.c @@ -7,6 +7,12 @@ * https://www.openssl.org/source/license.html */ +/* + * DSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/bn.h> diff --git a/crypto/dsa/dsa_meth.c b/crypto/dsa/dsa_meth.c index b811bf2c33..2f0a0bf460 100644 --- a/crypto/dsa/dsa_meth.c +++ b/crypto/dsa/dsa_meth.c @@ -8,12 +8,10 @@ */ /* - * Licensed under the Apache License 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * https://www.openssl.org/source/license.html - * or in the file LICENSE in the source distribution. + * DSA low level APIs are deprecated for public use, but still ok for + * internal use. */ +#include "internal/deprecated.h" #include "dsa_local.h" #include <string.h> diff --git a/doc/man3/DSA_SIG_new.pod b/doc/man3/DSA_SIG_new.pod index ba925ef726..1f532d3000 100644 --- a/doc/man3/DSA_SIG_new.pod +++ b/doc/man3/DSA_SIG_new.pod @@ -43,8 +43,8 @@ DSA_SIG_set0() returns 1 on success or 0 on failure. =head1 SEE ALSO -L<DSA_new(3)>, L<ERR_get_error(3)>, -L<DSA_do_sign(3)> +L<EVP_PKEY_new(3)>, L<EVP_PKEY_free(3)>, L<EVP_PKEY_get_bn_param(3)>, +L<ERR_get_error(3)> =head1 COPYRIGHT diff --git a/doc/man3/DSA_get0_pqg.pod b/doc/man3/DSA_get0_pqg.pod index 5aa2c75714..3542a771e9 100644 --- a/doc/man3/DSA_get0_pqg.pod +++ b/doc/man3/DSA_get0_pqg.pod 
@@ -13,6 +13,10 @@ setting data in a DSA object #include <openssl/dsa.h> +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B<OPENSSL_API_COMPAT> with a suitable version value, see +L<openssl_user_macros(7)>: + void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); @@ -31,6 +35,9 @@ setting data in a DSA object =head1 DESCRIPTION +All of the functions described on this page are deprecated. +Applications should instead use L<EVP_PKEY_get_bn_param(3)>. + A DSA object contains the parameters B<p>, B<q> and B<g>. It also contains a public key (B<pub_key>) and (optionally) a private key (B<priv_key>). @@ -94,13 +101,15 @@ has been set. =head1 SEE ALSO +L<EVP_PKEY_get_bn_param(3)>, L<DSA_new(3)>, L<DSA_new(3)>, L<DSA_generate_parameters(3)>, L<DSA_generate_key(3)>, L<DSA_dup_DH(3)>, L<DSA_do_sign(3)>, L<DSA_set_method(3)>, L<DSA_SIG_new(3)>, L<DSA_sign(3)>, L<DSA_size(3)>, L<DSA_meth_new(3)> =head1 HISTORY -The functions described here were added in OpenSSL 1.1.0. +The functions described here were added in OpenSSL 1.1.0 and deprecated in +OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/DSA_new.pod b/doc/man3/DSA_new.pod index 830c9938b6..0993071d18 100644 --- a/doc/man3/DSA_new.pod +++ b/doc/man3/DSA_new.pod @@ -8,12 +8,19 @@ DSA_new, DSA_free - allocate and free DSA objects #include <openssl/dsa.h> +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B<OPENSSL_API_COMPAT> with a suitable version value, see +L<openssl_user_macros(7)>: + DSA* DSA_new(void); void DSA_free(DSA *dsa); =head1 DESCRIPTION +All of the functions described on this page are deprecated. +Applications should instead use L<EVP_PKEY_new(3)> and L<EVP_PKEY_free(3)>. + DSA_new() allocates and initializes a B<DSA> structure. It is equivalent to calling DSA_new_method(NULL). 
@@ -32,10 +39,15 @@ DSA_free() returns no value. =head1 SEE ALSO +L<EVP_PKEY_new(3)>, L<EVP_PKEY_free(3)>, L<DSA_new(3)>, L<ERR_get_error(3)>, L<DSA_generate_parameters(3)>, L<DSA_generate_key(3)> +=head1 HISTORY + +All of these functions were deprecated in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/DSA_size.pod b/doc/man3/DSA_size.pod index 992357c4e0..b904845447 100644 --- a/doc/man3/DSA_size.pod +++ b/doc/man3/DSA_size.pod @@ -8,25 +8,25 @@ DSA_size, DSA_bits, DSA_security_bits - get DSA signature size, key bits or secu #include <openssl/dsa.h> - int DSA_bits(const DSA *dsa); - Deprecated since OpenSSL 3.0, can be hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, see L<openssl_user_macros(7)>: + int DSA_bits(const DSA *dsa); + int DSA_size(const DSA *dsa); int DSA_security_bits(const DSA *dsa); =head1 DESCRIPTION +All of the functions described on this page are deprecated. +Applications should instead use L<EVP_PKEY_bits(3)>, +L<EVP_PKEY_security_bits(3)> and L<EVP_PKEY_size(3)>. + DSA_bits() returns the number of bits in key I<dsa>: this is the number of bits in the I<p> parameter. -The remaining functions described on this page are deprecated. -Applications should instead use L<EVP_PKEY_security_bits(3)> and -L<EVP_PKEY_size(3)>. - DSA_size() returns the maximum size of an ASN.1 encoded DSA signature for key I<dsa> in bytes. It can be used to determine how much memory must be allocated for a DSA signature. @@ -54,7 +54,7 @@ L<DSA_new(3)>, L<DSA_sign(3)> =head1 HISTORY -The DSA_size() and DSA_security_bits() functions were deprecated in OpenSSL 3.0. +All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 7827b3cef4..7375f1bab3 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod 
@@ -8,6 +8,14 @@ Any deprecated keypair/params d2i or i2d functions are collected on this page. =head1 NAME +d2i_DSAPrivateKey, +d2i_DSAPrivateKey_bio, +d2i_DSAPrivateKey_fp, +d2i_DSAPublicKey, +d2i_DSA_PUBKEY, +d2i_DSA_PUBKEY_bio, +d2i_DSA_PUBKEY_fp, +d2i_DSAparams, d2i_RSAPrivateKey, d2i_RSAPrivateKey_bio, d2i_RSAPrivateKey_fp, @@ -215,6 +223,45 @@ The following sample code does the rest of the work: =for comment TODO: a similar section on OSSL_DECODER is to be added +=head1 NOTES + +The letters B<i> and B<d> in B<i2d_I<TYPE>>() stand for +"internal" (that is, an internal C structure) and "DER" respectively. +So B<i2d_I<TYPE>>() converts from internal to DER. + +The functions can also understand B<BER> forms. + +The actual TYPE structure passed to B<i2d_I<TYPE>>() must be a valid +populated B<I<TYPE>> structure -- it B<cannot> simply be fed with an +empty structure such as that returned by TYPE_new(). + +The encoded data is in binary form and may contain embedded zeros. +Therefore, any FILE pointers or BIOs should be opened in binary mode. +Functions such as strlen() will B<not> return the correct length +of the encoded structure. + +The ways that I<*ppin> and I<*ppout> are incremented after the operation +can trap the unwary. See the B<WARNINGS> section for some common +errors. +The reason for this-auto increment behaviour is to reflect a typical +usage of ASN1 functions: after one structure is encoded or decoded +another will be processed after it. + +The following points about the data types might be useful: + +=over 4 + +=item B<DSA_PUBKEY> + +Represents a DSA public key using a B<SubjectPublicKeyInfo> structure. + +=item B<DSAPublicKey>, B<DSAPrivateKey> + +Use a non-standard OpenSSL format and should be avoided; use B<DSA_PUBKEY>, +L<PEM_write_PrivateKey(3)>, or similar instead. + +=back + =head1 RETURN VALUES B<d2i_I<TYPE>>(), B<d2i_I<TYPE>_bio>() and B<d2i_I<TYPE>_fp>() return a valid 
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 0b3414ba8f..d5c684e31d 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -51,15 +51,7 @@ d2i_DIRECTORYSTRING, d2i_DISPLAYTEXT, d2i_DIST_POINT, d2i_DIST_POINT_NAME, -d2i_DSAPrivateKey, -d2i_DSAPrivateKey_bio, -d2i_DSAPrivateKey_fp, -d2i_DSAPublicKey, -d2i_DSA_PUBKEY, -d2i_DSA_PUBKEY_bio, -d2i_DSA_PUBKEY_fp, d2i_DSA_SIG, -d2i_DSAparams, d2i_ECDSA_SIG, d2i_ECPKParameters, d2i_ECParameters, @@ -488,15 +480,6 @@ Represents a PKCS#3 DH parameters structure. Represents an ANSI X9.42 DH parameters structure. -=item B<DSA_PUBKEY> - -Represents a DSA public key using a B<SubjectPublicKeyInfo> structure. - -=item B<DSAPublicKey>, B<DSAPrivateKey> - -Use a non-standard OpenSSL format and should be avoided; use B<DSA_PUBKEY>, -L<PEM_write_PrivateKey(3)>, or similar instead. - =item B<ECDSA_SIG> Represents an ECDSA signature. diff --git a/fuzz/asn1.c b/fuzz/asn1.c index a6f1405881..b0d2ecd14e 100644 --- a/fuzz/asn1.c +++ b/fuzz/asn1.c @@ -337,9 +337,11 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) #endif #ifndef OPENSSL_NO_DSA DO_TEST_NO_PRINT(DSA_SIG, d2i_DSA_SIG, i2d_DSA_SIG); +# ifndef OPENSSL_NO_DEPRECATED_3_0 DO_TEST_NO_PRINT(DSA, d2i_DSAPrivateKey, i2d_DSAPrivateKey); DO_TEST_NO_PRINT(DSA, d2i_DSAPublicKey, i2d_DSAPublicKey); DO_TEST_NO_PRINT(DSA, d2i_DSAparams, i2d_DSAparams); +# endif #endif #ifndef OPENSSL_NO_DEPRECATED_3_0 DO_TEST_NO_PRINT(RSA, d2i_RSAPublicKey, i2d_RSAPublicKey); diff --git a/fuzz/server.c b/fuzz/server.c index 26c1c172cf..dc2ade686d 100644 --- a/fuzz/server.c +++ b/fuzz/server.c @@ -292,7 +292,7 @@ static const char ECDSACertPEM[] = { }; #endif -#ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0) /* * -----BEGIN DSA PRIVATE KEY----- * MIIBuwIBAAKBgQDdkFKzNABLOha7Eqj7004+p5fhtR6bxpujToMmSZTYi8igVVXP 
@@ -512,7 +512,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) SSL *server; BIO *in; BIO *out; -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DSA) +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DSA) \ + || !defined(OPENSSL_NO_DEPRECATED_3_0) BIO *bio_buf; #endif SSL_CTX *ctx; @@ -529,7 +530,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) #ifndef OPENSSL_NO_EC EC_KEY *ecdsakey = NULL; #endif -#ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0) DSA *dsakey = NULL; #endif uint8_t opt; @@ -592,7 +593,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) X509_free(cert); #endif -#ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0) /* DSA */ bio_buf = BIO_new(BIO_s_mem()); OPENSSL_assert((size_t)BIO_write(bio_buf, DSAPrivateKeyPEM, sizeof(DSAPrivateKeyPEM)) == sizeof(DSAPrivateKeyPEM)); diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 8b4696fabc..681058597b 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -58,6 +58,14 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 +typedef struct DSA_SIG_st DSA_SIG; +DSA_SIG *DSA_SIG_new(void); +void DSA_SIG_free(DSA_SIG *a); +DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA_SIG, DSA_SIG) +void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); + + # ifndef OPENSSL_NO_DEPRECATED_1_1_0 /* * Does nothing. Previously this switched off constant time behaviour. 
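Review bot: In the dsa.h hunk at line 58, the relocated DSA_SIG block ends with two consecutive blank lines before `# ifndef OPENSSL_NO_DEPRECATED_1_1_0`; a single blank line is the spacing used elsewhere in this header. More usefully, nothing explains why these six declarations stay undeprecated while every other DSA_ symbol in this commit gains `OSSL_DEPRECATEDIN_3_0`; a short comment above `typedef struct DSA_SIG_st DSA_SIG;` stating the reason (presumably that the r/s signature container is still needed by non-deprecated callers — confirm) would save the next reader from asking.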
@@ -85,103 +93,97 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); # define DSA_FLAG_NON_FIPS_ALLOW 0x0400 # define DSA_FLAG_FIPS_CHECKED 0x0800 -# endif /* OPENSSL_NO_DEPRECATED_3_0 */ /* Already defined in ossl_typ.h */ /* typedef struct dsa_st DSA; */ /* typedef struct dsa_method DSA_METHOD; */ -typedef struct DSA_SIG_st DSA_SIG; - /* * TODO(3.0): consider removing the ASN.1 encoding and decoding when * deserialization is completed elsewhere. */ -# define d2i_DSAparams_fp(fp, x) \ +# define d2i_DSAparams_fp(fp, x) \ (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \ (char *(*)())d2i_DSAparams, (fp), \ (unsigned char **)(x)) -# define i2d_DSAparams_fp(fp, x) \ +# define i2d_DSAparams_fp(fp, x) \ ASN1_i2d_fp(i2d_DSAparams, (fp), (unsigned char *)(x)) -# define d2i_DSAparams_bio(bp, x) \ +# define d2i_DSAparams_bio(bp, x) \ ASN1_d2i_bio_of(DSA, DSA_new, d2i_DSAparams, bp, x) -# define i2d_DSAparams_bio(bp, x) \ +# define i2d_DSAparams_bio(bp, x) \ ASN1_i2d_bio_of(DSA, i2d_DSAparams, bp, x) -DECLARE_ASN1_DUP_FUNCTION_name(DSA, DSAparams) -DSA_SIG *DSA_SIG_new(void); -void DSA_SIG_free(DSA_SIG *a); -DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA_SIG, DSA_SIG) -void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); -int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); - -DEPRECATEDIN_3_0(DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, - DSA *dsa)) -DEPRECATEDIN_3_0(int DSA_do_verify(const unsigned char *dgst, int dgst_len, - DSA_SIG *sig, DSA *dsa)) +DECLARE_ASN1_DUP_FUNCTION_name_attr(OSSL_DEPRECATEDIN_3_0, DSA, DSAparams) +OSSL_DEPRECATEDIN_3_0 DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, + DSA *dsa); +OSSL_DEPRECATEDIN_3_0 int DSA_do_verify(const unsigned char *dgst, int dgst_len, + DSA_SIG *sig, DSA *dsa); -DEPRECATEDIN_3_0(const DSA_METHOD *DSA_OpenSSL(void)) +OSSL_DEPRECATEDIN_3_0 const DSA_METHOD *DSA_OpenSSL(void); -DEPRECATEDIN_3_0(void DSA_set_default_method(const DSA_METHOD *)) 
-DEPRECATEDIN_3_0(const DSA_METHOD *DSA_get_default_method(void)) -DEPRECATEDIN_3_0(int DSA_set_method(DSA *dsa, const DSA_METHOD *)) -DEPRECATEDIN_3_0(const DSA_METHOD *DSA_get_method(DSA *d)) +OSSL_DEPRECATEDIN_3_0 void DSA_set_default_method(const DSA_METHOD *); +OSSL_DEPRECATEDIN_3_0 const DSA_METHOD *DSA_get_default_method(void); +OSSL_DEPRECATEDIN_3_0 int DSA_set_method(DSA *dsa, const DSA_METHOD *); +OSSL_DEPRECATEDIN_3_0 const DSA_METHOD *DSA_get_method(DSA *d); -DSA *DSA_new(void); -DEPRECATEDIN_3_0(DSA *DSA_new_method(ENGINE *engine)) -void DSA_free(DSA *r); +OSSL_DEPRECATEDIN_3_0 DSA *DSA_new(void); +OSSL_DEPRECATEDIN_3_0 DSA *DSA_new_method(ENGINE *engine); +OSSL_DEPRECATEDIN_3_0 void DSA_free(DSA *r); /* "up" the DSA object's reference count */ -int DSA_up_ref(DSA *r); -DEPRECATEDIN_3_0(int DSA_size(const DSA *)) -int DSA_bits(const DSA *d); -DEPRECATEDIN_3_0(int DSA_security_bits(const DSA *d)) +OSSL_DEPRECATEDIN_3_0 int DSA_up_ref(DSA *r); +OSSL_DEPRECATEDIN_3_0 int DSA_size(const DSA *); +OSSL_DEPRECATEDIN_3_0 int DSA_bits(const DSA *d); +OSSL_DEPRECATEDIN_3_0 int DSA_security_bits(const DSA *d); /* next 4 return -1 on error */ -DEPRECATEDIN_3_0(int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp)) -DEPRECATEDIN_3_0(int DSA_sign(int type, const unsigned char *dgst, int dlen, - unsigned char *sig, unsigned int *siglen, - DSA *dsa)) -DEPRECATEDIN_3_0(int DSA_verify(int type, const unsigned char *dgst, - int dgst_len, const unsigned char *sigbuf, - int siglen, DSA *dsa)) -# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, + BIGNUM **kinvp, BIGNUM **rp); +OSSL_DEPRECATEDIN_3_0 int DSA_sign(int type, const unsigned char *dgst, + int dlen, unsigned char *sig, + unsigned int *siglen, DSA *dsa); +OSSL_DEPRECATEDIN_3_0 int DSA_verify(int type, const unsigned char *dgst, + int dgst_len, const unsigned char *sigbuf, + int siglen, DSA *dsa); + # define DSA_get_ex_new_index(l, p, newf, 
dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, l, p, newf, dupf, freef) +OSSL_DEPRECATEDIN_3_0 int DSA_set_ex_data(DSA *d, int idx, void *arg); +OSSL_DEPRECATEDIN_3_0 void *DSA_get_ex_data(const DSA *d, int idx); + +DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, + DSA, DSAPublicKey) +DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, + DSA, DSAPrivateKey) +DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, + DSA, DSAparams) # endif -DEPRECATEDIN_3_0(int DSA_set_ex_data(DSA *d, int idx, void *arg)) -DEPRECATEDIN_3_0(void *DSA_get_ex_data(const DSA *d, int idx)) - -DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAPublicKey) -DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAPrivateKey) -DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAparams) +# ifndef OPENSSL_NO_DEPRECATED_0_9_8 /* Deprecated version */ -DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits, - unsigned char *seed, - int seed_len, - int *counter_ret, - unsigned long *h_ret, void - (*callback) (int, int, - void *), - void *cb_arg)) - -/* New version */ -DEPRECATEDIN_3_0(int DSA_generate_parameters_ex(DSA *dsa, int bits, - const unsigned char *seed, - int seed_len, int *counter_ret, - unsigned long *h_ret, - BN_GENCB *cb)) - -DEPRECATEDIN_3_0(int DSA_generate_key(DSA *a)) - -DEPRECATEDIN_3_0(int DSAparams_print(BIO *bp, const DSA *x)) -DEPRECATEDIN_3_0(int DSA_print(BIO *bp, const DSA *x, int off)) -# ifndef OPENSSL_NO_STDIO -DEPRECATEDIN_3_0(int DSAparams_print_fp(FILE *fp, const DSA *x)) -DEPRECATEDIN_3_0(int DSA_print_fp(FILE *bp, const DSA *x, int off)) +OSSL_DEPRECATEDIN_0_9_8 +DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, + int *counter_ret, unsigned long *h_ret, + void (*callback) (int, int, void *), + void *cb_arg); # endif # ifndef OPENSSL_NO_DEPRECATED_3_0 +/* New version */ +OSSL_DEPRECATEDIN_3_0 int DSA_generate_parameters_ex(DSA *dsa, int bits, + const unsigned char *seed, + int seed_len, + int *counter_ret, + unsigned long 
*h_ret, + BN_GENCB *cb); + +OSSL_DEPRECATEDIN_3_0 int DSA_generate_key(DSA *a); + +OSSL_DEPRECATEDIN_3_0 int DSAparams_print(BIO *bp, const DSA *x); +OSSL_DEPRECATEDIN_3_0 int DSA_print(BIO *bp, const DSA *x, int off); +# ifndef OPENSSL_NO_STDIO +OSSL_DEPRECATEDIN_3_0 int DSAparams_print_fp(FILE *fp, const DSA *x); +OSSL_DEPRECATEDIN_3_0 int DSA_print_fp(FILE *bp, const DSA *x, int off); +# endif + # define DSS_prime_checks 64 /* * Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only 
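Review bot: The `# endif` that now closes the deprecated region (immediately after the `DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, DSA, DSAparams)` line) lost the `/* OPENSSL_NO_DEPRECATED_3_0 */` trailer the removed line carried, and that conditional now spans the DSA_FLAG_ defines, the d2i/i2d macros and every declaration down to it, so a reader cannot tell which guard is being closed. Suggest `# endif /* OPENSSL_NO_DEPRECATED_3_0 */` there, and the same trailer on the `# endif` that follows the `OPENSSL_NO_STDIO` block. Note also that `DSA_get_ex_new_index` is a macro over `CRYPTO_get_ex_new_index`, so unlike the function declarations it carries no deprecation attribute even though CHANGES.md lists it as deprecated; a one-line comment above the macro saying so would keep that from looking like an omission. The `# ifndef OPENSSL_NO_DEPRECATED_3_0` that opens this region begins before the hunk.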
@@ -191,79 +193,85 @@ DEPRECATEDIN_3_0(int DSA_print_fp(FILE *bp, const DSA *x, int off))
  */
 # define DSA_is_prime(n, callback, cb_arg) \
 BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
-# endif
-# ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DH
 /*
  * Convert DSA structure (key or just parameters) into DH structure (be
  * careful to avoid small subgroup attacks when using this!)
  */
-DEPRECATEDIN_3_0(DH *DSA_dup_DH(const DSA *r))
-# endif
-
-void DSA_get0_pqg(const DSA *d,
- const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-void DSA_get0_key(const DSA *d,
- const BIGNUM **pub_key, const BIGNUM **priv_key);
-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
-const BIGNUM *DSA_get0_p(const DSA *d);
-const BIGNUM *DSA_get0_q(const DSA *d);
-const BIGNUM *DSA_get0_g(const DSA *d);
-const BIGNUM *DSA_get0_pub_key(const DSA *d);
-const BIGNUM *DSA_get0_priv_key(const DSA *d);
-void DSA_clear_flags(DSA *d, int flags);
-int DSA_test_flags(const DSA *d, int flags);
-void DSA_set_flags(DSA *d, int flags);
-DEPRECATEDIN_3_0(ENGINE *DSA_get0_engine(DSA *d))
-
-DEPRECATEDIN_3_0(DSA_METHOD *DSA_meth_new(const char *name, int flags))
-DEPRECATEDIN_3_0(void DSA_meth_free(DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(const char *DSA_meth_get0_name(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name))
-DEPRECATEDIN_3_0(int DSA_meth_get_flags(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(int DSA_meth_set_flags(DSA_METHOD *dsam, int flags))
-DEPRECATEDIN_3_0(void *DSA_meth_get0_app_data(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data))
-DEPRECATEDIN_3_0(DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam))
- (const unsigned char *, int, DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_sign(DSA_METHOD *dsam,
- DSA_SIG *(*sign) (const unsigned char *, int, DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam))
- (DSA *, BN_CTX *, BIGNUM **, BIGNUM **))
-DEPRECATEDIN_3_0(int DSA_meth_set_sign_setup(DSA_METHOD *dsam,
- int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_verify(const DSA_METHOD *dsam))
- (const unsigned char *, int, DSA_SIG *, DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_verify(DSA_METHOD *dsam,
- int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam))
+OSSL_DEPRECATEDIN_3_0 DH *DSA_dup_DH(const DSA *r);
+# endif
+
+OSSL_DEPRECATEDIN_3_0 void DSA_get0_pqg(const DSA *d, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g);
+OSSL_DEPRECATEDIN_3_0 int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+OSSL_DEPRECATEDIN_3_0 void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
+ const BIGNUM **priv_key);
+OSSL_DEPRECATEDIN_3_0 int DSA_set0_key(DSA *d, BIGNUM *pub_key,
+ BIGNUM *priv_key);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_p(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_q(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_g(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_pub_key(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_priv_key(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 void DSA_clear_flags(DSA *d, int flags);
+OSSL_DEPRECATEDIN_3_0 int DSA_test_flags(const DSA *d, int flags);
+OSSL_DEPRECATEDIN_3_0 void DSA_set_flags(DSA *d, int flags);
+OSSL_DEPRECATEDIN_3_0 ENGINE *DSA_get0_engine(DSA *d);
+
+OSSL_DEPRECATEDIN_3_0 DSA_METHOD *DSA_meth_new(const char *name, int flags);
+OSSL_DEPRECATEDIN_3_0 void DSA_meth_free(DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 const char *DSA_meth_get0_name(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set1_name(DSA_METHOD *dsam,
+ const char *name);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_get_flags(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_flags(DSA_METHOD *dsam, int flags);
+OSSL_DEPRECATEDIN_3_0 void *DSA_meth_get0_app_data(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set0_app_data(DSA_METHOD *dsam,
+ void *app_data);
+OSSL_DEPRECATEDIN_3_0 DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam))
+ (const unsigned char *, int, DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_sign(DSA_METHOD *dsam,
+ DSA_SIG *(*sign) (const unsigned char *, int, DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam))
+ (DSA *, BN_CTX *, BIGNUM **, BIGNUM **);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_sign_setup(DSA_METHOD *dsam,
+ int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_verify(const DSA_METHOD *dsam))
+ (const unsigned char *, int, DSA_SIG *, DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_verify(DSA_METHOD *dsam,
+ int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam))
 (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
- const BIGNUM *, const BIGNUM *, BN_CTX *, BN_MONT_CTX *))
-DEPRECATEDIN_3_0(int DSA_meth_set_mod_exp(DSA_METHOD *dsam,
+ const BIGNUM *, const BIGNUM *, BN_CTX *, BN_MONT_CTX *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_mod_exp(DSA_METHOD *dsam,
 int (*mod_exp) (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *,
- BN_MONT_CTX *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam))
+ BN_MONT_CTX *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam))
 (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
- BN_CTX *, BN_MONT_CTX *))
-DEPRECATEDIN_3_0(int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam,
+ BN_CTX *, BN_MONT_CTX *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam,
 int (*bn_mod_exp) (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *,
- const BIGNUM *, BN_CTX *, BN_MONT_CTX *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_finish(const DSA_METHOD *dsam)) (DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish) (DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam))
+ const BIGNUM *, BN_CTX *, BN_MONT_CTX *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_init(DSA_METHOD *dsam,
+ int (*init)(DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_finish(const DSA_METHOD *dsam))(DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_finish(DSA_METHOD *dsam,
+ int (*finish)(DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam))
 (DSA *, int, const unsigned char *, int, int *, unsigned long *,
- BN_GENCB *))
-DEPRECATEDIN_3_0(int DSA_meth_set_paramgen(DSA_METHOD *dsam,
+ BN_GENCB *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_paramgen(DSA_METHOD *dsam,
 int (*paramgen) (DSA *, int, const unsigned char *, int, int *,
- unsigned long *, BN_GENCB *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_keygen(const DSA_METHOD *dsam)) (DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen) (DSA *)))
+ unsigned long *, BN_GENCB *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_keygen(const DSA_METHOD *dsam))(DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_keygen(DSA_METHOD *dsam,
+ int (*keygen) (DSA *));
+# endif
 # endif
 # ifdef __cplusplus
 }
diff --git a/include/openssl/pem.h b/include/openssl/pem.h
index bb6955297e..37e9666b8f 100644
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
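Review bot: The `+# endif` added just before the existing `# endif` at the end of this hunk closes the `# ifndef OPENSSL_NO_DEPRECATED_3_0` opened in the previous hunk, so that guard now runs across the DSA_dup_DH block, the get0/set0 accessors and the whole DSA_METHOD family with `OPENSSL_NO_DH` nested inside it, and at the bottom of the file two bare `# endif`s sit side by side with nothing saying which conditional each one closes. Annotating the new one as `# endif /* OPENSSL_NO_DEPRECATED_3_0 */` and the new `+# endif` after `DSA_dup_DH` as `# endif /* OPENSSL_NO_DH */` would make the nesting readable without touching any declaration. The opening `# ifndef OPENSSL_NO_DEPRECATED_3_0` this pairs with lies outside the hunk.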
@@ -450,10 +450,12 @@ DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, RSAPublicKey, RSA)
 DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, RSA_PUBKEY, RSA)
 # endif
 # endif
-# ifndef OPENSSL_NO_DSA
-DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
-DECLARE_PEM_rw(DSA_PUBKEY, DSA)
-DECLARE_PEM_rw(DSAparams, DSA)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_DSA
+DECLARE_PEM_rw_cb_attr(OSSL_DEPRECATEDIN_3_0, DSAPrivateKey, DSA)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DSA_PUBKEY, DSA)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DSAparams, DSA)
+# endif
 # endif
 # ifndef OPENSSL_NO_EC
 DECLARE_PEM_rw(ECPKParameters, EC_GROUP)
diff --git a/include/openssl/types.h b/include/openssl/types.h
index 6cb5a663cc..d44eb03a7c 100644
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -133,8 +133,10 @@ typedef struct hmac_ctx_st HMAC_CTX;
 typedef struct dh_st DH;
 typedef struct dh_method DH_METHOD;
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct dsa_st DSA;
 typedef struct dsa_method DSA_METHOD;
+# endif
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct rsa_st RSA;
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 5a3a4eedd7..0418d41f9a 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
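Review bot: Placing the `DSA` and `DSA_METHOD` typedefs in types.h under `OPENSSL_NO_DEPRECATED_3_0` makes the name `DSA` undefined in a no-deprecated build, so any declaration that still spells `DSA *` outside a deprecated block (the EVP_PKEY DSA accessors in evp.h come to mind, but that file is not in this diff) would stop compiling; those sites need the same guard or the `struct dsa_st *` spelling, which a `no-deprecated` configure pass would confirm. On style, the new `+# endif` is immediately followed by an identical `# ifndef OPENSSL_NO_DEPRECATED_3_0` for the RSA typedefs, so the two blocks could be merged by dropping that `+# endif` and the following `# ifndef` unless keeping the algorithms visually separate is intended.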
@@ -424,11 +424,13 @@ OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
 OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa);
 # endif
 # endif
-# ifndef OPENSSL_NO_DSA
-DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
-int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa);
-DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
-int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa);
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_DSA
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa);
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa);
+# endif
 # endif
 # ifndef OPENSSL_NO_EC
 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
@@ -468,11 +470,13 @@ OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
 OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa);
 # endif
 # endif
-# ifndef OPENSSL_NO_DSA
-DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
-int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa);
-DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
-int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa);
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_DSA
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa);
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa);
+# endif
 # endif
 # ifndef OPENSSL_NO_EC
 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
@@ -552,8 +556,10 @@ EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length,
 DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY)
 # endif
 # endif
-# ifndef OPENSSL_NO_DSA
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSA_PUBKEY)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_DSA
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,DSA, DSA_PUBKEY)
+# endif
 # endif
 # ifndef OPENSSL_NO_EC
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(EC_KEY, EC_PUBKEY)
diff --git a/providers/common/der/der_dsa_gen.c.in b/providers/common/der/der_dsa_gen.c.in
index 95f1f5cdd1..33ea5fa90b 100644
--- a/providers/common/der/der_dsa_gen.c.in
+++ b/providers/common/der/der_dsa_gen.c.in
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "prov/der_dsa.h"
 /* Well known OIDs precompiled */
diff --git a/providers/common/der/der_dsa_key.c b/providers/common/der/der_dsa_key.c
index 1a369faa81..dc7b2fe8fa 100644
--- a/providers/common/der/der_dsa_key.c
+++ b/providers/common/der/der_dsa_key.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/obj_mac.h>
 #include "internal/packet.h"
 #include "prov/der_dsa.h"
diff --git a/providers/common/der/der_dsa_sig.c b/providers/common/der/der_dsa_sig.c
index 37ee5f459d..07225b7b11 100644
--- a/providers/common/der/der_dsa_sig.c
+++ b/providers/common/der/der_dsa_sig.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/obj_mac.h>
 #include "internal/packet.h"
 #include "prov/der_dsa.h"
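Review bot: The new `DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,DSA, DSA_PUBKEY)` in the x509.h.in hunk has no space after the first comma while the EC line two lines below writes `(EC_KEY, EC_PUBKEY)`; `DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, DSA, DSA_PUBKEY)` keeps the argument spacing uniform within the block. The RSA line in the surrounding context carries the same spacing, but this commit does not touch it.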
diff --git a/providers/common/digest_to_nid.c b/providers/common/digest_to_nid.c
index 99633c150c..496d814173 100644
--- a/providers/common/digest_to_nid.c
+++ b/providers/common/digest_to_nid.c
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
+#include "internal/deprecated.h"
+
 #include <openssl/objects.h>
 #include <openssl/core_names.h>
 #include <openssl/evp.h>
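Review bot: The `#include "internal/deprecated.h"` added to digest_to_nid.c comes with no explanation, whereas the same include added to der_dsa_gen.c.in, der_dsa_key.c and der_dsa_sig.c in this commit is introduced with a comment reading `DSA low level APIs are deprecated for public use, but still ok for internal use.` Since this file is not DSA-specific, a one-line comment naming the deprecated API it relies on would tell the next reader why the include is required and stop it being removed as unused. It is placed ahead of the `<openssl/...>` headers, matching the der_dsa_* files.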