Deprecate the low level MD4 functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

apps/speed.c

@@ -335,7 +335,7 @@ static const OPT_PAIR doit_choices[] = {
 #ifndef OPENSSL_NO_MDC2
     {"mdc2", D_MDC2},
 #endif
-#ifndef OPENSSL_NO_MD4
+#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"md4", D_MD4},
 #endif
 #ifndef OPENSSL_NO_MD5
@@ -604,7 +604,7 @@ static int EVP_Digest_MDC2_loop(void *args)
 }
 #endif
 
-#ifndef OPENSSL_NO_MD4
+#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 static int EVP_Digest_MD4_loop(void *args)
 {
     loopargs_t *tempargs = *(loopargs_t **) args;
@@ -2268,7 +2268,7 @@ int speed_main(int argc, char **argv)
     }
 #endif
 
-#ifndef OPENSSL_NO_MD4
+#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_MD4]) {
         for (testnum = 0; testnum < size_num; testnum++) {
             print_message(names[D_MD4], c[D_MD4][testnum], lengths[testnum],

crypto/evp/legacy_md4.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * MD4 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/md4.h>
 #include "crypto/evp.h"
 #include "legacy_meth.h"

crypto/md4/build.info

@@ -1,3 +1,10 @@
 LIBS=../../libcrypto
-SOURCE[../../libcrypto]=\
-        md4_dgst.c md4_one.c
+
+SOURCE[../../libcrypto]=md4_dgst.c md4_one.c
+
+# When all deprecated symbols are removed, libcrypto doesn't export the
+# MD4 functions, so we must include them directly in liblegacy.a
+IF[{- $disabled{"deprecated"}
+      && (defined $config{"api"} && $config{"api"} >= 30000) -}]
+  SOURCE[../../providers/liblegacy.a]=md4_dgst.c md4_one.c
+ENDIF

crypto/md4/md4_dgst.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * MD4 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <openssl/opensslv.h>
 #include "md4_local.h"

crypto/md4/md4_one.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * MD4 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 #include <openssl/md4.h>

doc/man3/MD5.pod

@@ -22,6 +22,10 @@ L<openssl_user_macros(7)>:
 
  #include <openssl/md4.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
 
  int MD4_Init(MD4_CTX *c);

include/openssl/md4.h

@@ -23,18 +23,21 @@
 #  include <stddef.h>
 #  ifdef  __cplusplus
 extern "C" {
-#  endif
+#   endif
+
+#  define MD4_DIGEST_LENGTH 16
+
+#  if !defined(OPENSSL_NO_DEPRECATED_3_0)
 
 /*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! MD4_LONG has to be at least 32 bits wide.                     !
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  */
-#  define MD4_LONG unsigned int
+#   define MD4_LONG unsigned int
 
-#  define MD4_CBLOCK      64
-#  define MD4_LBLOCK      (MD4_CBLOCK/4)
-#  define MD4_DIGEST_LENGTH 16
+#   define MD4_CBLOCK      64
+#   define MD4_LBLOCK      (MD4_CBLOCK/4)
 
 typedef struct MD4state_st {
     MD4_LONG A, B, C, D;
@@ -42,12 +45,14 @@ typedef struct MD4state_st {
     MD4_LONG data[MD4_LBLOCK];
     unsigned int num;
 } MD4_CTX;
+#  endif
 
-int MD4_Init(MD4_CTX *c);
-int MD4_Update(MD4_CTX *c, const void *data, size_t len);
-int MD4_Final(unsigned char *md, MD4_CTX *c);
-unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md);
-void MD4_Transform(MD4_CTX *c, const unsigned char *b);
+DEPRECATEDIN_3_0(int MD4_Init(MD4_CTX *c))
+DEPRECATEDIN_3_0(int MD4_Update(MD4_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int MD4_Final(unsigned char *md, MD4_CTX *c))
+DEPRECATEDIN_3_0(unsigned char *MD4(const unsigned char *d, size_t n,
+                 unsigned char *md))
+DEPRECATEDIN_3_0(void MD4_Transform(MD4_CTX *c, const unsigned char *b))
 
 #  ifdef  __cplusplus
 }

providers/implementations/digests/md4_prov.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * MD4 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/crypto.h>
 #include <openssl/md4.h>
 #include "prov/digestcommon.h"

util/libcrypto.num

@@ -421,7 +421,7 @@ EVP_MD_CTX_md                           428	3_0_0	EXIST::FUNCTION:
 X509_REVOKED_get_ext                    429	3_0_0	EXIST::FUNCTION:
 d2i_RSA_PSS_PARAMS                      430	3_0_0	EXIST::FUNCTION:RSA
 USERNOTICE_free                         431	3_0_0	EXIST::FUNCTION:
-MD4_Transform                           432	3_0_0	EXIST::FUNCTION:MD4
+MD4_Transform                           432	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD4
 EVP_CIPHER_block_size                   433	3_0_0	EXIST::FUNCTION:
 CERTIFICATEPOLICIES_new                 434	3_0_0	EXIST::FUNCTION:
 BIO_dump_fp                             435	3_0_0	EXIST::FUNCTION:STDIO
@@ -2541,7 +2541,7 @@ EC_GROUP_get_order                      2594	3_0_0	EXIST::FUNCTION:EC
 X509_REVOKED_add1_ext_i2d               2595	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_add1_host             2596	3_0_0	EXIST::FUNCTION:
 i2d_PUBKEY_bio                          2597	3_0_0	EXIST::FUNCTION:
-MD4_Update                              2598	3_0_0	EXIST::FUNCTION:MD4
+MD4_Update                              2598	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD4
 X509_STORE_CTX_set_time                 2599	3_0_0	EXIST::FUNCTION:
 ENGINE_set_default_DH                   2600	3_0_0	EXIST::FUNCTION:ENGINE
 X509_ocspid_print                       2601	3_0_0	EXIST::FUNCTION:
@@ -2591,7 +2591,7 @@ ASN1_item_dup                           2646	3_0_0	EXIST::FUNCTION:
 GENERAL_NAMES_it                        2647	3_0_0	EXIST::FUNCTION:
 X509_issuer_name_hash                   2648	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_get_nonce                   2649	3_0_0	EXIST::FUNCTION:TS
-MD4_Init                                2650	3_0_0	EXIST::FUNCTION:MD4
+MD4_Init                                2650	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD4
 X509_EXTENSION_create_by_OBJ            2651	3_0_0	EXIST::FUNCTION:
 EVP_aes_256_cbc_hmac_sha1               2652	3_0_0	EXIST::FUNCTION:
 SCT_validate                            2653	3_0_0	EXIST::FUNCTION:CT
@@ -3144,7 +3144,7 @@ i2d_PKCS12_SAFEBAG                      3209	3_0_0	EXIST::FUNCTION:
 BN_rand_range                           3210	3_0_0	EXIST::FUNCTION:
 SMIME_write_ASN1                        3211	3_0_0	EXIST::FUNCTION:
 EVP_CIPHER_CTX_new                      3212	3_0_0	EXIST::FUNCTION:
-MD4_Final                               3213	3_0_0	EXIST::FUNCTION:MD4
+MD4_Final                               3213	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD4
 EVP_PKEY_id                             3214	3_0_0	EXIST::FUNCTION:
 CMS_RecipientInfo_get0_pkey_ctx         3215	3_0_0	EXIST::FUNCTION:CMS
 OCSP_REQINFO_free                       3216	3_0_0	EXIST::FUNCTION:OCSP
@@ -3187,7 +3187,7 @@ EVP_des_ede3_wrap                       3252	3_0_0	EXIST::FUNCTION:DES
 GENERAL_SUBTREE_it                      3253	3_0_0	EXIST::FUNCTION:
 EVP_read_pw_string_min                  3254	3_0_0	EXIST::FUNCTION:
 X509_set1_notBefore                     3255	3_0_0	EXIST::FUNCTION:
-MD4                                     3256	3_0_0	EXIST::FUNCTION:MD4
+MD4                                     3256	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD4
 EVP_PKEY_CTX_dup                        3257	3_0_0	EXIST::FUNCTION:
 ENGINE_setup_bsd_cryptodev              3258	3_0_0	EXIST:__FreeBSD__:FUNCTION:DEPRECATEDIN_1_1_0,ENGINE
 PEM_read_bio_DHparams                   3259	3_0_0	EXIST::FUNCTION:DH