Deprecate ASN1_METH internal usage

Some of them are needed and were kept by adding `#include "internal/deprecated"` and some had to be turned off. Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27727)
2025-06-17 12:47:54 +02:00 · 2025-06-17 12:47:54 +02:00 · af2aaf3271
parent 6b5540c21c
commit af2aaf3271
22 changed files with 212 additions and 49 deletions
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@ -374,17 +374,21 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
                 OSSL_LIB_CTX *libctx, const char *propq)
 {
    EVP_PKEY_CTX *ctx = NULL;
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    int pkey_id;
 #endif
    if (*pctx) {
        BIO_puts(bio_err, "Algorithm already set!\n");
        return 0;
    }
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    pkey_id = get_legacy_pkey_id(libctx, algname, e);
    if (pkey_id != NID_undef)
        ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
    else
 #endif
        ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
    if (ctx == NULL)
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@ -184,7 +184,9 @@ int init_engine(ENGINE *e);
 int finish_engine(ENGINE *e);
 char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc);
 # ifndef OPENSSL_NO_DEPRECATED_3_6
 int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
 # endif
 const EVP_MD *get_digest_from_engine(const char *name);
 const EVP_CIPHER *get_cipher_from_engine(const char *name);
--- a/apps/lib/engine.c
+++ b/apps/lib/engine.c
@ -135,6 +135,7 @@ char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc)
    return new_uri;
 }
 #ifndef OPENSSL_NO_DEPRECATED_3_6
 int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
 {
    const EVP_PKEY_ASN1_METHOD *ameth;
@ -163,6 +164,7 @@ int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
    return pkey_id;
 }
 #endif
 const EVP_MD *get_digest_from_engine(const char *name)
 {
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@ -1547,12 +1547,9 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
                if (pkey == NULL) {
                    BIO_printf(sdb->out, "Public key missing");
                } else {
                    const char *algname = "";
                    EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
                                            &algname, EVP_PKEY_get0_asn1(pkey));
                    BIO_printf(sdb->out, "%s, bits=%d",
-                            algname, EVP_PKEY_get_bits(pkey));
+                               EVP_PKEY_get0_type_name(pkey),
                               EVP_PKEY_get_bits(pkey));
                }
            }
            break;
--- a/apps/req.c
+++ b/apps/req.c
@ -1608,6 +1608,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
        *pkeylen = EVP_PKEY_get_bits(param);
        EVP_PKEY_free(param);
    } else {
 #ifndef OPENSSL_NO_DEPRECATED_3_6
        if (keygen_engine != NULL) {
            int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype,
                                             keygen_engine);
@ -1615,9 +1616,12 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
            if (pkey_id != NID_undef)
                gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine);
        } else {
 #endif
            gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(),
                                              *pkeytype, app_get0_propq());
 #ifndef OPENSSL_NO_DEPRECATED_3_6
        }
 #endif
    }
    if (gctx == NULL) {
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@ -7,9 +7,10 @@
 * https://www.openssl.org/source/license.html
 */
-#ifndef OPENSSL_NO_DEPRECATED_3_6
+/*
-/* We need to use some engine deprecated APIs */
+ * We need to use some engine deprecated APIs
-#define OPENSSL_SUPPRESS_DEPRECATED
+ */
 #include "internal/deprecated.h"
 #include "internal/cryptlib.h"
 #include <stdio.h>
@ -433,4 +434,3 @@ void EVP_PKEY_asn1_set_get_pub_key(EVP_PKEY_ASN1_METHOD *ameth,
 {
    ameth->get_pub_key = get_pub_key;
 }
 #endif
--- a/crypto/asn1/standard_methods.h
+++ b/crypto/asn1/standard_methods.h
@ -7,6 +7,7 @@
 * https://www.openssl.org/source/license.html
 */
 #ifndef OPENSSL_NO_DEPRECATED_3_6
 /*
 * This table MUST be kept in ascending order of the NID each method
 * represents (corresponding to the pkey_id field) as OBJ_bsearch
@ -41,3 +42,4 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
    &ossl_sm2_asn1_meth,
 #endif
 };
 #endif
--- a/crypto/core_namemap.c
+++ b/crypto/core_namemap.c
@ -7,6 +7,12 @@
 * https://www.openssl.org/source/license.html
 */
 /*
 * For EVP_PKEY_asn1_get0_info(), EVP_PKEY_asn1_get_count() and
 * EVP_PKEY_asn1_get0()
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include "internal/namemap.h"
 #include "internal/tsan_assist.h"
 #include "internal/hashtable.h"
@ -432,6 +438,7 @@ static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
        get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
 }
 # ifndef OPENSSL_NO_DEPRECATED_3_6
 static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
                                       void *arg)
 {
@ -470,6 +477,7 @@ static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
        }
    }
 }
 # endif /* OPENSSL_NO_DEPRECATED_3_6 */
 #endif
 /*-
@ -498,7 +506,7 @@ OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
        return NULL;
    }
    if (nms == 1) {
-        int i, end;
+        int num;
        /* Before pilfering, we make sure the legacy database is populated */
        OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
@ -509,11 +517,28 @@ OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
        OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH,
                        get_legacy_md_names, namemap);
        /*
         * Some old providers (<= 3.5) may not have the rsassaPSS alias which
         * may cause problems in some cases. We add it manually here
         */
        num = ossl_namemap_add_name(namemap, 0, "RSA-PSS");
        if (num != 0) {
            ossl_namemap_add_name(namemap, num, "rsassaPss");
            /* Add other RSA-PSS aliases as well */
            ossl_namemap_add_name(namemap, num, "RSASSA-PSS");
            ossl_namemap_add_name(namemap, num, "1.2.840.113549.1.1.10");
        }
 # ifndef OPENSSL_NO_DEPRECATED_3_6
        {
            int i, end;
            /* We also pilfer data from the legacy EVP_PKEY_ASN1_METHODs */
            for (i = 0, end = EVP_PKEY_asn1_get_count(); i < end; i++)
                get_legacy_pkey_meth_names(EVP_PKEY_asn1_get0(i), namemap);
        }
 # endif
    }
 #endif
    return namemap;
 }
--- a/crypto/evp/build.info
+++ b/crypto/evp/build.info
@ -3,7 +3,8 @@ $COMMON=digest.c evp_enc.c evp_lib.c evp_fetch.c evp_utils.c \
        mac_lib.c mac_meth.c keymgmt_meth.c keymgmt_lib.c kdf_lib.c kdf_meth.c \
        skeymgmt_meth.c \
        pmeth_lib.c signature.c p_lib.c s_lib.c pmeth_gn.c exchange.c \
-        evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c
+        evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c \
        evp_pkey_type.c
 SOURCE[../../libcrypto]=$COMMON\
        encode.c evp_key.c evp_cnf.c \
--- a/crypto/evp/evp_pkey.c
+++ b/crypto/evp/evp_pkey.c
@ -7,6 +7,11 @@
 * https://www.openssl.org/source/license.html
 */
 /*
 * Needed for EVP_PKEY_get0_asn1 and EVP_PKEY_asn1_get0_info
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <stdio.h>
 #include <stdlib.h>
 #include "internal/cryptlib.h"
@ -244,17 +249,21 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
 const char *EVP_PKEY_get0_type_name(const EVP_PKEY *key)
 {
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    const EVP_PKEY_ASN1_METHOD *ameth;
 #endif
    const char *name = NULL;
    if (key->keymgmt != NULL)
        return EVP_KEYMGMT_get0_name(key->keymgmt);
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    /* Otherwise fallback to legacy */
    ameth = EVP_PKEY_get0_asn1(key);
    if (ameth != NULL)
        EVP_PKEY_asn1_get0_info(NULL, NULL,
                                NULL, NULL, &name, ameth);
 #endif
    return name;
 }
--- a/crypto/evp/evp_pkey_type.c
+++ b/crypto/evp/evp_pkey_type.c
@ -0,0 +1,88 @@
 /*
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include "crypto/evp.h"
 #include <openssl/core_names.h>
 #include <openssl/macros.h>
 #ifndef OPENSSL_NO_DEPRECATED_3_6
 # include <openssl/engine.h>
 # include "crypto/asn1.h"
 #include <openssl/types.h>
 #else
 # include "internal/nelem.h"
 #endif
 #ifdef OPENSSL_NO_DEPRECATED_3_6
 /*
 * This is a hardcoded conversion table for legacy ASN1_METHOD and pkey type.
 * As the deprecated ASN1 should not enable to add any asn1 method, therefore
 * this should work.
 */
 struct pkid2bid {
    int pkey_id;
    int pkey_base_id;
 };
 const struct pkid2bid base_id_conversion[] = {
    {EVP_PKEY_RSA, EVP_PKEY_RSA},
    {EVP_PKEY_RSA2, EVP_PKEY_RSA},
    {EVP_PKEY_RSA_PSS, EVP_PKEY_RSA_PSS},
 #ifndef OPENSSL_NO_DH
    {EVP_PKEY_DH, EVP_PKEY_DH},
    {EVP_PKEY_DHX, EVP_PKEY_DHX},
 #endif
 #ifndef OPENSSL_NO_DSA
    {EVP_PKEY_DSA1, EVP_PKEY_DSA},
    {EVP_PKEY_DSA4, EVP_PKEY_DSA2},
    {EVP_PKEY_DSA3, EVP_PKEY_DSA2},
    {EVP_PKEY_DSA, EVP_PKEY_DSA},
 #endif
 #ifndef OPENSSL_NO_EC
    {EVP_PKEY_EC, EVP_PKEY_EC},
 #endif
 #ifndef OPENSSL_NO_ECX
    {EVP_PKEY_X25519, EVP_PKEY_X25519},
    {EVP_PKEY_X448, EVP_PKEY_X448},
    {EVP_PKEY_ED25519, EVP_PKEY_ED25519},
    {EVP_PKEY_ED448, EVP_PKEY_ED448},
 #endif
 #ifndef OPENSSL_NO_SM2
    {EVP_PKEY_SM2, EVP_PKEY_EC},
 #endif
 };
 #endif
 int EVP_PKEY_type(int type)
 {
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    int ret;
    const EVP_PKEY_ASN1_METHOD *ameth;
    ENGINE *e;
    ameth = EVP_PKEY_asn1_find(&e, type);
    if (ameth)
        ret = ameth->pkey_id;
    else
        ret = NID_undef;
 # ifndef OPENSSL_NO_ENGINE
    ENGINE_finish(e);
 # endif
    return ret;
 #else
    size_t i;
    for (i = 0; i < OSSL_NELEM(base_id_conversion); i++) {
        if (type == base_id_conversion[i].pkey_id)
            return base_id_conversion[i].pkey_base_id;
    }
    return NID_undef;
 #endif
 }
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@ -1022,22 +1022,6 @@ DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
 }
 # endif
 int EVP_PKEY_type(int type)
 {
    int ret;
    const EVP_PKEY_ASN1_METHOD *ameth;
    ENGINE *e;
    ameth = EVP_PKEY_asn1_find(&e, type);
    if (ameth)
        ret = ameth->pkey_id;
    else
        ret = NID_undef;
 # ifndef OPENSSL_NO_ENGINE
    ENGINE_finish(e);
 # endif
    return ret;
 }
 int EVP_PKEY_get_id(const EVP_PKEY *pkey)
 {
    return pkey->type;
--- a/crypto/evp/pmeth_gn.c
+++ b/crypto/evp/pmeth_gn.c
@ -192,7 +192,7 @@ int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
    ctx->keygen_info = NULL;
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_DEPRECATED_3_6)
    /* In case |*ppkey| was originally a legacy key */
    if (ret)
        evp_pkey_free_legacy(*ppkey);
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@ -7,8 +7,10 @@
 * https://www.openssl.org/source/license.html
 */
-/* We need to use some engine deprecated APIs */
+/*
-#define OPENSSL_SUPPRESS_DEPRECATED
+ * We need to use some engine deprecated APIs
 */
 #include "internal/deprecated.h"
 #include <stdio.h>
 #include "crypto/ctype.h"
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@ -7,8 +7,10 @@
 * https://www.openssl.org/source/license.html
 */
-/* We need to use some deprecated APIs */
+/*
-#define OPENSSL_SUPPRESS_DEPRECATED
+ * We need to use some deprecated APIs
 */
 #include "internal/deprecated.h"
 #include <stdio.h>
 #include <openssl/buffer.h>
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@ -7,6 +7,11 @@
 * https://www.openssl.org/source/license.html
 */
 /*
 * because of EVP_PKEY_asn1_find deprecation
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/buffer.h>
@ -287,7 +292,9 @@ int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
 int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
                         const ASN1_STRING *sig)
 {
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    int sig_nid;
 #endif
    int indent = 4;
    if (BIO_printf(bp, "%*sSignature Algorithm: ", indent, "") <= 0)
        return 0;
@ -296,6 +303,7 @@ int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
    if (sig && BIO_printf(bp, "\n%*sSignature Value:", indent, "") <= 0)
        return 0;
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    sig_nid = OBJ_obj2nid(sigalg->algorithm);
    if (sig_nid != NID_undef) {
        int pkey_nid, dig_nid;
@ -306,6 +314,7 @@ int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
                return ameth->sig_print(bp, sigalg, sig, indent + 4, 0);
        }
    }
 #endif
    if (BIO_write(bp, "\n", 1) != 1)
        return 0;
    if (sig)
--- a/crypto/x509/v3_ac_tgt.c
+++ b/crypto/x509/v3_ac_tgt.c
@ -7,6 +7,11 @@
 * https://www.openssl.org/source/license.html
 */
 /*
 * Needed for EVP_PKEY_asn1_find
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <stdio.h>
 #include <openssl/x509_acert.h>
 #include <crypto/x509_acert.h>
@ -103,15 +108,16 @@ static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
                           BIO *out, int indent)
 {
    int64_t dot = 0;
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    int sig_nid;
    X509_ALGOR *digalg;
 #endif
    ASN1_STRING *sig;
    if (odi == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    digalg = &odi->digestAlgorithm;
    sig = &odi->objectDigest;
    if (!ASN1_ENUMERATED_get_int64(&dot, &odi->digestedObjectType)) {
        return 0;
@ -139,6 +145,8 @@ static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
    BIO_puts(out, "\n");
    if (BIO_printf(out, "\n%*sSignature Value: ", indent, "") <= 0)
        return 0;
 #ifndef OPENSSL_NO_DEPRECATED_3_6
    digalg = &odi->digestAlgorithm;
    sig_nid = OBJ_obj2nid(odi->digestAlgorithm.algorithm);
    if (sig_nid != NID_undef) {
        int pkey_nid, dig_nid;
@ -149,6 +157,7 @@ static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
                return ameth->sig_print(out, digalg, sig, indent + 4, 0);
        }
    }
 #endif
    if (BIO_write(out, "\n", 1) != 1)
        return 0;
    if (sig)
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@ -7,6 +7,11 @@
 * https://www.openssl.org/source/license.html
 */
 /*
 * because of EVP_PKEY_asn1_find deprecation
 */
 #include "internal/deprecated.h"
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include "internal/refcount.h"
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@ -11,7 +11,9 @@
 /* This file has quite some overlap with providers/implementations/storemgmt/file_store.c */
-/* We need to use some engine deprecated APIs */
+/*
 * We need to use some asn1_meth deprecated APIs
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include "internal/e_os.h" /* for stat */
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@ -523,10 +523,12 @@ typedef int (EVP_PBE_KEYGEN_EX) (EVP_CIPHER_CTX *ctx, const char *pass,
                                                         (rsa))
 # endif
 # ifndef OPENSSL_NO_DEPRECATED_3_6
 #  ifndef OPENSSL_NO_DSA
 #   define EVP_PKEY_assign_DSA(pkey, dsa) EVP_PKEY_assign((pkey), EVP_PKEY_DSA, \
                                                          (dsa))
 #  endif
 # endif
 # if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 #  define EVP_PKEY_assign_DH(pkey, dh) EVP_PKEY_assign((pkey), EVP_PKEY_DH, (dh))
@ -539,9 +541,11 @@ typedef int (EVP_PBE_KEYGEN_EX) (EVP_CIPHER_CTX *ctx, const char *pass,
                                                               (eckey))
 #  endif
 # endif
 # ifndef OPENSSL_NO_DEPRECATED_3_6
 #  ifndef OPENSSL_NO_SIPHASH
 #   define EVP_PKEY_assign_SIPHASH(pkey, shkey) EVP_PKEY_assign((pkey), \
-                                        EVP_PKEY_SIPHASH,(shkey))
+                                                                EVP_PKEY_SIPHASH, \
                                                                (shkey))
 #  endif
 #  ifndef OPENSSL_NO_POLY1305
--- a/providers/implementations/include/prov/names.h
+++ b/providers/implementations/include/prov/names.h
@ -400,7 +400,7 @@
 #define PROV_NAMES_RSA_SHA3_384 "RSA-SHA3-384:id-rsassa-pkcs1-v1_5-with-sha3-384:2.16.840.1.101.3.4.3.15"
 #define PROV_NAMES_RSA_SHA3_512 "RSA-SHA3-512:id-rsassa-pkcs1-v1_5-with-sha3-512:2.16.840.1.101.3.4.3.16"
 #define PROV_DESCS_RSA "OpenSSL RSA implementation"
-#define PROV_NAMES_RSA_PSS "RSA-PSS:RSASSA-PSS:1.2.840.113549.1.1.10"
+#define PROV_NAMES_RSA_PSS "RSA-PSS:RSASSA-PSS:rsassaPss:1.2.840.113549.1.1.10"
 #define PROV_DESCS_RSA_PSS "OpenSSL RSA-PSS implementation"
 #define PROV_NAMES_SM2 "SM2:1.2.156.10197.1.301"
 #define PROV_DESCS_SM2 "OpenSSL SM2 implementation"
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -9,6 +9,11 @@
 * https://www.openssl.org/source/license.html
 */
 /*
 * Because of *asn1_*
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/objects.h>
@ -275,6 +280,7 @@ static const SSL_CIPHER cipher_aliases[] = {
 };
 #ifndef OPENSSL_NO_DEPRECATED_3_6
 /*
 * Search for public key algorithm with given name and return its pkey_id if
 * it is available. Otherwise return 0
@ -308,7 +314,13 @@ static int get_optional_pkey_id(const char *pkey_name)
    tls_engine_finish(tmpeng);
    return pkey_id;
 }
-
+# endif
 #else
 static int get_optional_pkey_id(const char *pkey_name)
 {
    (void)pkey_name;
    return 0;
 }
 #endif
 int ssl_load_ciphers(SSL_CTX *ctx)