From fccc7e8929113f1317446e7698721d29ccfd699a Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 2 Mar 2024 10:20:27 +0000
Subject: [PATCH] Remove more PBE stuff from the public API
This is still needed internally for CMS and its predecessors. This removal will enable disentangling some of its innards.
ok jsing
---
 lib/libcrypto/Symbols.list | 7 -------
 lib/libcrypto/evp/evp.h | 7 +------
 lib/libcrypto/evp/evp_local.h | 5 +----
 lib/libcrypto/evp/evp_pbe.c | 8 +++++++-
 lib/libcrypto/pkcs12/p12_add.c | 3 ++-
 lib/libcrypto/x509/x509.h | 16 +---------------
 lib/libcrypto/x509/x509_local.h | 13 ++++++++++++-
 7 files changed, 24 insertions(+), 35 deletions(-)
diff --git a/lib/libcrypto/Symbols.list b/lib/libcrypto/Symbols.list
index 7a27d6d1a32..de97306613d 100644
--- a/lib/libcrypto/Symbols.list
+++ b/lib/libcrypto/Symbols.list
@@ -1952,15 +1952,8 @@ PKCS12_unpack_p7data
 PKCS12_unpack_p7encdata
 PKCS12_verify_mac
 PKCS1_MGF1
-PKCS5_PBE_keyivgen
 PKCS5_PBKDF2_HMAC
 PKCS5_PBKDF2_HMAC_SHA1
-PKCS5_pbe2_set
-PKCS5_pbe2_set_iv
-PKCS5_pbe_set
-PKCS5_pbe_set0_algor
-PKCS5_pbkdf2_set
-PKCS5_v2_PBE_keyivgen
 PKCS7_ATTR_SIGN_it
 PKCS7_ATTR_VERIFY_it
 PKCS7_DIGEST_free
diff --git a/lib/libcrypto/evp/evp.h b/lib/libcrypto/evp/evp.h
index 28b095ffd40..9e203b086d2 100644
--- a/lib/libcrypto/evp/evp.h
+++ b/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.130 2024/03/02 10:13:13 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.131 2024/03/02 10:20:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -870,17 +870,12 @@ int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
 int EVP_CIPHER_type(const EVP_CIPHER *ctx);
 /* PKCS5 password based encryption */
-int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
- ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de);
 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, int keylen, unsigned char *out);
 int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out);
-int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
- ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md,
- int en_de);
 #define ASN1_PKEY_ALIAS 0x1
 #define ASN1_PKEY_DYNAMIC 0x2
diff --git a/lib/libcrypto/evp/evp_local.h b/lib/libcrypto/evp/evp_local.h
index bce6a87a1e7..dad2cec81ed 100644
--- a/lib/libcrypto/evp/evp_local.h
+++ b/lib/libcrypto/evp/evp_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_local.h,v 1.18 2024/03/02 10:08:29 tb Exp $ */
+/* $OpenBSD: evp_local.h,v 1.19 2024/03/02 10:20:27 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -340,9 +340,6 @@ struct evp_pkey_method_st {
 void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
-int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
- ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de);
-
 /* EVP_AEAD represents a specific AEAD algorithm. */
 struct evp_aead_st {
 unsigned char key_len;
diff --git a/lib/libcrypto/evp/evp_pbe.c b/lib/libcrypto/evp/evp_pbe.c
index a9f5b8fb126..532c924a9ee 100644
--- a/lib/libcrypto/evp/evp_pbe.c
+++ b/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.45 2024/03/02 10:17:37 tb Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.46 2024/03/02 10:20:27 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -73,9 +73,15 @@
 #include "x509_local.h"
 /* Password based encryption (PBE) functions */
+int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+ ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de);
+int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+ ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de);
 int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type, int en_de);
+int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+ ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de);
 static const struct pbe_config {
 int pbe_nid;
diff --git a/lib/libcrypto/pkcs12/p12_add.c b/lib/libcrypto/pkcs12/p12_add.c
index dd72c999859..f6f42c558ce 100644
--- a/lib/libcrypto/pkcs12/p12_add.c
+++ b/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.24 2024/03/02 10:15:16 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.25 2024/03/02 10:20:27 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,6 +62,7 @@
 #include
 #include "pkcs12_local.h"
+#include "x509_local.h"
 /* Pack an object into an OCTET STRING and turn into a safebag */
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index bd8497d9c4a..66752f34e98 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.104 2024/03/02 10:17:37 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.105 2024/03/02 10:20:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
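Review bot: The three prototypes added under the "Password based encryption (PBE) functions" comment in evp_pbe.c (`PKCS5_PBE_keyivgen`, `PKCS5_v2_PBKDF2_keyivgen`, `PKCS5_v2_PBE_keyivgen`) are external declarations that now exist only in a .c file, so a definition or caller in another translation unit is never checked against them. The definitions are not visible in this patch: if they sit later in this file and nothing else calls them, they can become `static`; otherwise declaring them in `evp_local.h`, where `PKCS5_v2_PBKDF2_keyivgen` lived until this commit, lets the compiler catch signature drift in what look like password-to-key/IV derivation routines. At minimum a comment such as `/* Internal key/IV derivation callbacks; no longer declared in evp.h. */` above the block would record why they are declared here.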
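Review bot: The added `#include "x509_local.h"` in p12_add.c is presumably what keeps the PKCS5_pbe* prototypes removed from x509.h in scope for this file, and it is the only caller-side include the patch touches. The commit message says CMS still needs this code internally; any internal file that calls these functions without including x509_local.h would, on a compiler that only warns, get an implicit `int` declaration and truncate the returned `X509_ALGOR *` on 64-bit targets. It is worth confirming that the remaining callers (outside this patch) already include the header and that the build uses `-Werror=implicit-function-declaration`.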
@@ -1018,20 +1018,6 @@ X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
 extern const ASN1_ITEM PBEPARAM_it;
-int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
- const unsigned char *salt, int saltlen);
-
-X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
- const unsigned char *salt, int saltlen);
-X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
- unsigned char *salt, int saltlen);
-X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
- unsigned char *salt, int saltlen,
- unsigned char *aiv, int prf_nid);
-
-X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
- int prf_nid, int keylen);
-
 /* PKCS#8 utilities */
 PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void);
diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h
index 1e813797e12..4ac99da2bd5 100644
--- a/lib/libcrypto/x509/x509_local.h
+++ b/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_local.h,v 1.19 2024/03/02 10:17:37 tb Exp $ */
+/* $OpenBSD: x509_local.h,v 1.20 2024/03/02 10:20:27 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -391,6 +391,17 @@ PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, const unsigned char **in, long len
 int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **out);
 extern const ASN1_ITEM PBKDF2PARAM_it;
+int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
+ const unsigned char *salt, int saltlen);
+X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
+ unsigned char *salt, int saltlen);
+X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
+ unsigned char *salt, int saltlen, unsigned char *aiv, int prf_nid);
+X509_ALGOR *PKCS5_pbe_set(int alg, int iter, const unsigned char *salt,
+ int saltlen);
+X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
+ int prf_nid, int keylen);
+
 __END_HIDDEN_DECLS
 #endif /* !HEADER_X509_LOCAL_H */
-- 2.20.1
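Review bot: In the block added before `__END_HIDDEN_DECLS` in x509_local.h, `salt` is `const unsigned char *` for `PKCS5_pbe_set0_algor` and `PKCS5_pbe_set` but plain `unsigned char *` for `PKCS5_pbe2_set`, `PKCS5_pbe2_set_iv` (likewise `aiv`) and `PKCS5_pbkdf2_set`. The prototypes were moved over as they stood in x509.h; now that they are internal they are no longer bound by the public API, so if the implementations (not part of this patch) only read those buffers the parameters can be const-qualified, e.g. `X509_ALGOR *PKCS5_pbkdf2_set(int iter, const unsigned char *salt, int saltlen,`. A one-line comment above the block, such as `/* PKCS#5 PBE AlgorithmIdentifier helpers, internal only. */`, would also mark the group the way the other sections of the header are marked.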