From: Richard Levitte <levitte@openssl.org>
Date: Wed, 11 Dec 2019 13:36:36 +0000 (+0100)
Subject: Add better support for using deprecated symbols internally
X-Git-Tag: openssl-3.0.0-alpha1~819
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=46994f71631922565924e3ca6303950c36337b33;p=oweals%2Fopenssl.git

Add better support for using deprecated symbols internally

OPENSSL_SUPPRESS_DEPRECATED only does half the job, in telling the
deprecation macros not to add the warning attribute.  However, with
'no-deprecated', the symbols are still removed entirely, while we
might still want to use them internally.

The solution is to permit <openssl/opensslconf.h> macros to be
modified internally, such as undefining OPENSSL_NO_DEPRECATED in this
case.

However, with the way <openssl/opensslconf.h> includes
<openssl/macros.h>, that's easier said than done.  That's solved by
generating <openssl/configuration.h> instead, and add a new
<openssl/opensslconf.h> that includes <openssl/configuration.h> as
well as <openssl/macros.h>, thus allowing to replace an inclusion of
<openssl/opensslconf.h> with this:

    #include <openssl/configuration.h>

    #undef OPENSSL_NO_DEPRECATED
    #define OPENSSL_SUPPRESS_DEPRECATED

    #include <openssl/macros.h>

Or simply add the following prior to any other openssl inclusion:

    #include <openssl/configuration.h>

    #undef OPENSSL_NO_DEPRECATED
    #define OPENSSL_SUPPRESS_DEPRECATED

Note that undefining OPENSSL_NO_DEPRECATED must never be done by
applications, since the symbols must still be exported by the
library.  Internal test programs are excempt of this rule, though.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10608)
---

diff --git a/.gitignore b/.gitignore
index 0d02ecdf8f..659be22843 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,7 +22,7 @@
 # Auto generated headers
 /crypto/buildinf.h
 /include/crypto/*_conf.h
-/include/openssl/opensslconf.h
+/include/openssl/configuration.h
 /include/openssl/opensslv.h
 
 # Auto generated doc files
diff --git a/CHANGES b/CHANGES
index e0b15b35f6..45f97e6740 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,26 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
 
+  *) Removed include/openssl/opensslconf.h.in and replaced it with
+     include/openssl/configuration.h.in, which differs in not including
+     <openssl/macros.h>.  A short header include/openssl/opensslconf.h
+     was added to include both.
+
+     This allows internal hacks where one might need to modify the set
+     of configured macros, for example this if deprecated symbols are
+     still supposed to be available internally:
+
+         #include <openssl/configuration.h>
+
+         #undef OPENSSL_NO_DEPRECATED
+         #define OPENSSL_SUPPRESS_DEPRECATED
+
+         #include <openssl/macros.h>
+
+     This should not be used by applications that use the exported
+     symbols, as that will lead to linking errors.
+     [Richard Levitte]
+
   *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
      used in exponentiation with 512-bit moduli. No EC algorithms are
      affected. Analysis suggests that attacks against 2-prime RSA1024,
diff --git a/INSTALL b/INSTALL
index 7578733f4e..4dcc452562 100644
--- a/INSTALL
+++ b/INSTALL
@@ -836,8 +836,8 @@
 
      Configure creates a build file ("Makefile" on Unix, "makefile" on Windows
      and "descrip.mms" on OpenVMS) from a suitable template in Configurations,
-     and defines various macros in include/openssl/opensslconf.h (generated from
-     include/openssl/opensslconf.h.in).
+     and defines various macros in include/openssl/configuration.h (generated
+     from include/openssl/configuration.h.in).
 
  1c. Configure OpenSSL for building outside of the source tree.
 
diff --git a/build.info b/build.info
index a28ddbe739..6cfa2017c4 100644
--- a/build.info
+++ b/build.info
@@ -9,11 +9,11 @@ DEPEND[libssl]=libcrypto
 
 # Empty DEPEND "indices" means the dependencies are expected to be built
 # unconditionally before anything else.
-DEPEND[]=include/openssl/opensslconf.h include/openssl/opensslv.h \
+DEPEND[]=include/openssl/configuration.h include/openssl/opensslv.h \
          include/crypto/bn_conf.h include/crypto/dso_conf.h \
          doc/man7/openssl_user_macros.pod
 
-GENERATE[include/openssl/opensslconf.h]=include/openssl/opensslconf.h.in
+GENERATE[include/openssl/configuration.h]=include/openssl/configuration.h.in
 GENERATE[include/openssl/opensslv.h]=include/openssl/opensslv.h.in
 GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in
 GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in
diff --git a/include/openssl/configuration.h.in b/include/openssl/configuration.h.in
new file mode 100644
index 0000000000..00a4fc0aa3
--- /dev/null
+++ b/include/openssl/configuration.h.in
@@ -0,0 +1,68 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_CONFIGURATION_H
+# define OPENSSL_CONFIGURATION_H
+
+# ifdef  __cplusplus
+extern "C" {
+# endif
+
+# ifdef OPENSSL_ALGORITHM_DEFINES
+#  error OPENSSL_ALGORITHM_DEFINES no longer supported
+# endif
+
+/*
+ * OpenSSL was configured with the following options:
+ */
+
+{- if (@{$config{openssl_sys_defines}}) {
+      foreach (@{$config{openssl_sys_defines}}) {
+	$OUT .= "# ifndef $_\n";
+	$OUT .= "#  define $_ 1\n";
+	$OUT .= "# endif\n";
+      }
+    }
+    foreach (@{$config{openssl_api_defines}}) {
+        (my $macro, my $value) = $_ =~ /^(.*?)=(.*?)$/;
+        $OUT .= "# define $macro $value\n";
+    }
+    if (@{$config{openssl_feature_defines}}) {
+      foreach (@{$config{openssl_feature_defines}}) {
+	$OUT .= "# ifndef $_\n";
+	$OUT .= "#  define $_\n";
+	$OUT .= "# endif\n";
+      }
+    }
+    "";
+-}
+
+/* Generate 80386 code? */
+{- $config{processor} eq "386" ? "# define" : "# undef" -} I386_ONLY
+
+/*
+ * The following are cipher-specific, but are part of the public API.
+ */
+# if !defined(OPENSSL_SYS_UEFI)
+{- $config{bn_ll} ? "#  define" : "#  undef" -} BN_LLONG
+/* Only one for the following should be defined */
+{- $config{b64l} ? "#  define" : "#  undef" -} SIXTY_FOUR_BIT_LONG
+{- $config{b64}  ? "#  define" : "#  undef" -} SIXTY_FOUR_BIT
+{- $config{b32}  ? "#  define" : "#  undef" -} THIRTY_TWO_BIT
+# endif
+
+# define RC4_INT {- $config{rc4_int} -}
+
+# ifdef  __cplusplus
+}
+# endif
+
+#endif                          /* OPENSSL_CONFIGURATION_H */
diff --git a/include/openssl/opensslconf.h b/include/openssl/opensslconf.h
new file mode 100644
index 0000000000..9a49bceea3
--- /dev/null
+++ b/include/openssl/opensslconf.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_OPENSSLCONF_H
+# define OPENSSL_OPENSSLCONF_H
+
+#include <openssl/configuration.h>
+#include <openssl/macros.h>
+
+#endif  /* OPENSSL_OPENSSLCONF_H */
diff --git a/include/openssl/opensslconf.h.in b/include/openssl/opensslconf.h.in
deleted file mode 100644
index c0ef3ddcff..0000000000
--- a/include/openssl/opensslconf.h.in
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OPENSSL_OPENSSLCONF_H
-# define OPENSSL_OPENSSLCONF_H
-
-# ifdef  __cplusplus
-extern "C" {
-# endif
-
-# ifdef OPENSSL_ALGORITHM_DEFINES
-#  error OPENSSL_ALGORITHM_DEFINES no longer supported
-# endif
-
-/*
- * OpenSSL was configured with the following options:
- */
-
-{- if (@{$config{openssl_sys_defines}}) {
-      foreach (@{$config{openssl_sys_defines}}) {
-	$OUT .= "# ifndef $_\n";
-	$OUT .= "#  define $_ 1\n";
-	$OUT .= "# endif\n";
-      }
-    }
-    foreach (@{$config{openssl_api_defines}}) {
-        (my $macro, my $value) = $_ =~ /^(.*?)=(.*?)$/;
-        $OUT .= "# define $macro $value\n";
-    }
-    if (@{$config{openssl_feature_defines}}) {
-      foreach (@{$config{openssl_feature_defines}}) {
-	$OUT .= "# ifndef $_\n";
-	$OUT .= "#  define $_\n";
-	$OUT .= "# endif\n";
-      }
-    }
-    "";
--}
-
-/* Generate 80386 code? */
-{- $config{processor} eq "386" ? "# define" : "# undef" -} I386_ONLY
-
-/*
- * The following are cipher-specific, but are part of the public API.
- */
-# if !defined(OPENSSL_SYS_UEFI)
-{- $config{bn_ll} ? "#  define" : "#  undef" -} BN_LLONG
-/* Only one for the following should be defined */
-{- $config{b64l} ? "#  define" : "#  undef" -} SIXTY_FOUR_BIT_LONG
-{- $config{b64}  ? "#  define" : "#  undef" -} SIXTY_FOUR_BIT
-{- $config{b32}  ? "#  define" : "#  undef" -} THIRTY_TWO_BIT
-# endif
-
-# define RC4_INT {- $config{rc4_int} -}
-
-# ifdef  __cplusplus
-}
-# endif
-
-# include <openssl/macros.h>
-
-#endif                          /* OPENSSL_OPENSSLCONF_H */