Skip to content

Commit

Permalink
Deprecate recently added PKCS7 functions (#2039)
Browse files Browse the repository at this point in the history 
This small PR deprecates all recently added PKCS7 functions and moves
them to the appropriate section(s) in `pkcs7.h`. We also consolidate
`OPENSSL_BEGIN_ALLOW_DEPRECATED`/`OPENSSL_END_ALLOW_DEPRECATED`
directives in relevant source files.
  • Loading branch information
@WillChilds-Klein
WillChilds-Klein authored Dec 9, 2024
1 parent e0214ba commit b649c44
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 66 deletions.
17 changes: 0 additions & 17 deletions crypto/pkcs7/pkcs7.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
#include "../internal.h"
#include "internal.h"

// TODO remove all other usages of OPENSSL_BEGIN_ALLOW_DEPRECATED in this file
OPENSSL_BEGIN_ALLOW_DEPRECATED

// 1.2.840.113549.1.7.1
Expand Down Expand Up @@ -815,9 +814,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) {
goto err;
}
BIO_set_mem_eof_return(bio, /*eof_value*/ 0);
OPENSSL_BEGIN_ALLOW_DEPRECATED
if (!PKCS7_is_detached(p7) && content && content->length > 0) {
OPENSSL_END_ALLOW_DEPRECATED
// |bio |needs a copy of |os->data| instead of a pointer because the data
// will be used after |os |has been freed
if (BIO_write(bio, content->data, content->length) != content->length) {
Expand All @@ -838,9 +835,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) {
return NULL;
}

OPENSSL_BEGIN_ALLOW_DEPRECATED
int PKCS7_is_detached(PKCS7 *p7) {
OPENSSL_END_ALLOW_DEPRECATED
GUARD_PTR(p7);
if (PKCS7_type_is_signed(p7)) {
return (p7->d.sign == NULL || p7->d.sign->contents->d.ptr == NULL);
Expand Down Expand Up @@ -958,11 +953,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) {
case NID_pkcs7_signed:
si_sk = p7->d.sign->signer_info;
// clang-format off
OPENSSL_BEGIN_ALLOW_DEPRECATED
content = PKCS7_get_octet_string(p7->d.sign->contents);
// If detached data then the content is excluded
if (PKCS7_type_is_data(p7->d.sign->contents) && PKCS7_is_detached(p7)) {
OPENSSL_END_ALLOW_DEPRECATED
// clang-format on
ASN1_OCTET_STRING_free(content);
content = NULL;
Expand All @@ -973,9 +966,7 @@ OPENSSL_END_ALLOW_DEPRECATED
case NID_pkcs7_digest:
content = PKCS7_get_octet_string(p7->d.digest->contents);
// If detached data, then the content is excluded
OPENSSL_BEGIN_ALLOW_DEPRECATED
if (PKCS7_type_is_data(p7->d.digest->contents) && PKCS7_is_detached(p7)) {
OPENSSL_END_ALLOW_DEPRECATED
ASN1_OCTET_STRING_free(content);
content = NULL;
p7->d.digest->contents->d.data = NULL;
Expand Down Expand Up @@ -1032,9 +1023,7 @@ OPENSSL_END_ALLOW_DEPRECATED
}
}

OPENSSL_BEGIN_ALLOW_DEPRECATED
if (!PKCS7_is_detached(p7)) {
OPENSSL_END_ALLOW_DEPRECATED
if (content == NULL) {
goto err;
}
Expand Down Expand Up @@ -1087,9 +1076,7 @@ int pkcs7_final(PKCS7 *p7, BIO *data) {
BIO *p7bio;
int ret = 0;

OPENSSL_BEGIN_ALLOW_DEPRECATED
if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) {
OPENSSL_END_ALLOW_DEPRECATED
OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB);
goto err;
}
Expand All @@ -1098,9 +1085,7 @@ int pkcs7_final(PKCS7 *p7, BIO *data) {
goto err;
}

OPENSSL_BEGIN_ALLOW_DEPRECATED
if (!PKCS7_dataFinal(p7, p7bio)) {
OPENSSL_END_ALLOW_DEPRECATED
OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB);
goto err;
}
Expand Down Expand Up @@ -1134,9 +1119,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,

for (size_t i = 0; i < sk_X509_num(certs); i++) {
x509 = sk_X509_value(certs, i);
OPENSSL_BEGIN_ALLOW_DEPRECATED
if (!PKCS7_add_recipient(p7, x509)) {
OPENSSL_END_ALLOW_DEPRECATED
OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_ERROR_ADDING_RECIPIENT);
goto err;
}
Expand Down
3 changes: 3 additions & 0 deletions crypto/pkcs7/pkcs7_x509.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
#include "../internal.h"
#include "internal.h"

OPENSSL_BEGIN_ALLOW_DEPRECATED

int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
int ret = 0;
Expand Down Expand Up @@ -592,3 +593,5 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) {
X509_CRL_up_ref(crl);
return 1;
}

OPENSSL_END_ALLOW_DEPRECATED
104 changes: 55 additions & 49 deletions include/openssl/pkcs7.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,36 @@ OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
BIO *pem_bio);

// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If
// the length of the object is indefinite the full contents of |bio| are read.
//
// If the function fails then some unknown amount of data may have been read
// from |bio|.
OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);

// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
// error.
OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);

// PKCS7_type_is_data returns 1 if |p7| is of type data
OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);

// PKCS7_type_is_digest returns 1 if |p7| is of type digest
OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);

// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted
OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);

// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped
OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);

// PKCS7_type_is_signed returns 1 if |p7| is of type signed
OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);

// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type
// signedAndEnveloped
OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);


// Deprecated functions.
//
Expand Down Expand Up @@ -261,108 +291,84 @@ DEFINE_STACK_OF(PKCS7_SIGNER_INFO)

// PKCS7_dup returns a newly allocated copy of |p7| without deep-copying
// internal references.
OPENSSL_EXPORT PKCS7 *PKCS7_dup(PKCS7 *p7);

// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If
// the length of the object is indefinite the full contents of |bio| are read.
//
// If the function fails then some unknown amount of data may have been read
// from |bio|.
OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);

// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
// error.
OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *PKCS7_dup(PKCS7 *p7);

// PKCS7_get_signed_attribute returns a pointer to the first signed attribute
// from |si| with NID |nid| if one is present, else NULL.
OPENSSL_EXPORT ASN1_TYPE *PKCS7_get_signed_attribute(
OPENSSL_EXPORT OPENSSL_DEPRECATED ASN1_TYPE *PKCS7_get_signed_attribute(
const PKCS7_SIGNER_INFO *si, int nid);

// PKCS7_get_signer_info returns |p7|'s attached PKCS7_SIGNER_INFO if present
// and |p7| is of a relevant type, else NULL. This function only pertains to
// signedData and signedAndEnvelopedData.
OPENSSL_EXPORT STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
OPENSSL_EXPORT OPENSSL_DEPRECATED STACK_OF(PKCS7_SIGNER_INFO) *
PKCS7_get_signer_info(PKCS7 *p7);

// PKCS7_RECIP_INFO_set attaches |x509| to |p7i| and increments |x509|'s
// reference count. It returns 1 on success and 0 on failure or if |x509|'s
// public key not usable for encryption.
OPENSSL_EXPORT int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_RECIP_INFO_set(
PKCS7_RECIP_INFO *p7i, X509 *x509);

// PKCS7_SIGNER_INFO_set attaches the other parameters to |p7i|, returning 1 on
// success and 0 on error or if specified parameters are inapplicable to
// signing. Only EC, DH, and RSA |pkey|s are supported. |pkey|'s reference
// count is incremented, but neither |x509|'s nor |dgst|'s is.
OPENSSL_EXPORT int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509,
EVP_PKEY *pkey, const EVP_MD *dgst);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_SIGNER_INFO_set(
PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst);

// PKCS7_add_certificate adds |x509| to |p7|'s certificate stack, incrementing
// |x509|'s reference count. It returns 1 on success and 0 on failure or if
// |p7| isn't of an applicable type: signedData and signedAndEnvelopedData.
OPENSSL_EXPORT int PKCS7_add_certificate(PKCS7 *p7, X509 *x509);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_certificate(PKCS7 *p7,
X509 *x509);

// PKCS7_add_crl adds |x509| to |p7|'s CRL stack, incrementing |x509|'s
// reference count. It returns 1 on success and 0 on failure or if |p7| isn't
// of an applicable type: signedData and signedAndEnvelopedData.
OPENSSL_EXPORT int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);

// PKCS7_add_recipient_info adds |ri| to |p7|, returning 1 on succes or 0 if
// |p7| is of an inapplicable type: envelopedData and signedAndEnvelopedData.
OPENSSL_EXPORT int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_recipient_info(
PKCS7 *p7, PKCS7_RECIP_INFO *ri);

// PKCS7_add_signer adds |p7i| to |p7|, returning 1 on succes or 0 if
// |p7| is of an inapplicable type: signedData and signedAndEnvelopedData.
OPENSSL_EXPORT int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_signer(PKCS7 *p7,
PKCS7_SIGNER_INFO *p7i);

// PKCS7_content_new allocates a new PKCS7 and adds it to |p7| as content. It
// returns 1 on success and 0 on failure.
OPENSSL_EXPORT int PKCS7_content_new(PKCS7 *p7, int nid);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_content_new(PKCS7 *p7, int nid);

// PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of
// |p7|. It frees any existing content on |p7|, returning 1 on success and 0 on
// failure.
OPENSSL_EXPORT int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_content(PKCS7 *p7,
PKCS7 *p7_data);

// PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of
// |p7|: signedData and digestData. |p7_data| may be NULL. It frees any
// existing content on |p7|, returning 1 on success and 0 on failure.
OPENSSL_EXPORT int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_cipher(
PKCS7 *p7, const EVP_CIPHER *cipher);

// PKCS7_set_type instantiates |p7| as type |type|. It returns 1 on success and
// 0 on failure or if |type| is not a valid PKCS7 content type.
OPENSSL_EXPORT int PKCS7_set_type(PKCS7 *p7, int type);
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_type(PKCS7 *p7, int type);

// PKCS7_RECIP_INFO_get0_alg sets |*penc| to |ri|'s key encryption algorithm,
// if present. Ownership of |*penc| is retained by |ri|.
OPENSSL_EXPORT void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri,
X509_ALGOR **penc);
OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_RECIP_INFO_get0_alg(
PKCS7_RECIP_INFO *ri, X509_ALGOR **penc);

// PKCS7_SIGNER_INFO_get0_algs sets all of, if present: |*pk| to |si|'s key,
// |*pdig| to |si|'s digest angorithm, and |*psig| to |si|'s signature
// algorithm. Ownership of |*pk|, |*pdig|, and |*psig) is retained by |si|.
OPENSSL_EXPORT void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si,
EVP_PKEY **pk,
X509_ALGOR **pdig,
X509_ALGOR **psig);
OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_SIGNER_INFO_get0_algs(
PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, X509_ALGOR **pdig, X509_ALGOR **psig);

// PKCS7_type_is_data returns 1 if |p7| is of type data
OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);

// PKCS7_type_is_digest returns 1 if |p7| is of type digest
OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);

// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted
OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);

// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped
OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);

// PKCS7_type_is_signed returns 1 if |p7| is of type signed
OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);

// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type
// signedAndEnveloped
OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);

// Deprecated flags
//
Expand Down

0 comments on commit b649c44

Please sign in to comment.