From 0d6e108b133a6b5c11d9c32f1301223751dfe28a Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia <andres.amayagarcia@arm.com>
Date: Wed, 5 Dec 2018 20:52:29 +0000
Subject: [PATCH] Deprecate MBEDTLS_PKCS11_C functions

---
 include/mbedtls/pkcs11.h | 91 +++++++++++++++++++++++++++++-----------
 1 file changed, 67 insertions(+), 24 deletions(-)

diff --git a/include/mbedtls/pkcs11.h b/include/mbedtls/pkcs11.h
index d9f45db67..e5b4607e0 100644
--- a/include/mbedtls/pkcs11.h
+++ b/include/mbedtls/pkcs11.h
@@ -56,47 +56,81 @@ typedef struct mbedtls_pkcs11_context
         int len;
 } mbedtls_pkcs11_context;
 
+/*
+ * NOTE: It is not necessary to enclose the definitions with
+ * MBEDTLS_DEPRECATED_REMOVED because we already have a check for the full
+ * MBEDTLS_PKCS11_C feature that makes compilation fail even before we get
+ * here.
+ */
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
 /**
  * Initialize a mbedtls_pkcs11_context.
  * (Just making memory references valid.)
+ *
+ * \deprecated          It is deprecated and discouraged to call this function
+ *                      as future versions of the library are likely to remove
+ *                      it.
  */
-void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
+MBEDTLS_DEPRECATED void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
 
 /**
  * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
  *
+ * \deprecated          It is deprecated and discouraged to call this function
+ *                      as future versions of the library are likely to remove
+ *                      it.
+ *
  * \param cert          X.509 certificate to fill
  * \param pkcs11h_cert  PKCS #11 helper certificate
  *
  * \return              0 on success.
  */
-int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert,
+                                        pkcs11h_certificate_t pkcs11h_cert );
 
 /**
  * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
  * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
  * done.
  *
+ * \deprecated          It is deprecated and discouraged to call this function
+ *                      as future versions of the library are likely to remove
+ *                      it.
+ *
  * \param priv_key      Private key structure to fill.
  * \param pkcs11_cert   PKCS #11 helper certificate
  *
  * \return              0 on success
  */
-int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
-        pkcs11h_certificate_t pkcs11_cert );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
+                                        mbedtls_pkcs11_context *priv_key,
+                                        pkcs11h_certificate_t pkcs11_cert );
 
 /**
  * Free the contents of the given private key context. Note that the structure
  * itself is not freed.
  *
+ * \deprecated          It is deprecated and discouraged to call this function
+ *                      as future versions of the library are likely to remove
+ *                      it.
+ *
  * \param priv_key      Private key structure to cleanup
  */
-void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
+MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
+                                            mbedtls_pkcs11_context *priv_key );
 
 /**
  * \brief          Do an RSA private key decrypt, then remove the message
  *                 padding
  *
+ * \deprecated     It is deprecated and discouraged to call this function as
+ *                 future versions of the library are likely to remove it.
+ *
  * \param ctx      PKCS #11 context
  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
  * \param input    buffer holding the encrypted data
@@ -110,15 +144,18 @@ void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
  *                 an error is thrown.
  */
-int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
-                       int mode, size_t *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t output_max_len );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                                               int mode, size_t *olen,
+                                               const unsigned char *input,
+                                               unsigned char *output,
+                                               size_t output_max_len );
 
 /**
  * \brief          Do a private RSA to sign a message digest
  *
+ * \deprecated     It is deprecated and discouraged to call this function as
+ *                 future versions of the library are likely to remove it.
+ *
  * \param ctx      PKCS #11 context
  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
  * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
@@ -132,28 +169,32 @@ int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
  * \note           The "sig" buffer must be as large as the size
  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
  */
-int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
-                    int mode,
-                    mbedtls_md_type_t md_alg,
-                    unsigned int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                                            int mode,
+                                            mbedtls_md_type_t md_alg,
+                                            unsigned int hashlen,
+                                            const unsigned char *hash,
+                                            unsigned char *sig );
 
 /**
  * SSL/TLS wrappers for PKCS#11 functions
+ *
+ * \deprecated     It is deprecated and discouraged to call these functions as
+ *                 future versions of the library are likely to remove them.
  */
-static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
-                        const unsigned char *input, unsigned char *output,
-                        size_t output_max_len )
+MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx,
+                            int mode, size_t *olen,
+                            const unsigned char *input, unsigned char *output,
+                            size_t output_max_len )
 {
     return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
                            output_max_len );
 }
 
-static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
-                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
-                     const unsigned char *hash, unsigned char *sig )
+MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                    const unsigned char *hash, unsigned char *sig )
 {
     ((void) f_rng);
     ((void) p_rng);
@@ -161,11 +202,13 @@ static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
                         hashlen, hash, sig );
 }
 
-static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
+MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
 {
     return ( (mbedtls_pkcs11_context *) ctx )->len;
 }
 
+#undef MBEDTLS_DEPRECATED
+
 #ifdef __cplusplus
 }
 #endif