Deprecate basically the entire base64 implementation.
The IUF functions were added for PEM and internally are very lenient to
whitespace and include other PEM-specific behaviors (notably they treat
hyphens as EOF). They also decode a ton of invalid input (see upstream's
RT #3757).
Upstream has a rewrite with tests that resolves the latter issue which
we should review and import. But this is still a very PEM-specific
interface. As this code has basically no callers outside the PEM code
(and any such callers likely don't want a PEM-specific API), it's
probably not worth the trouble to massage this and PEM into a strict IUF
base64 API with PEM whitespace and hyphen bits outside. Just deprecate
it all and leave it in a corner.
Change-Id: I5b98111e87436e287547829daa65e9c1efc95119
Reviewed-on: https://boringssl-review.googlesource.com/5952
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/base.h b/include/openssl/base.h
index 41e4b60..f0aafec 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -214,6 +214,7 @@
typedef struct evp_aead_st EVP_AEAD;
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
typedef struct evp_cipher_st EVP_CIPHER;
+typedef struct evp_encode_ctx_st EVP_ENCODE_CTX;
typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
diff --git a/include/openssl/base64.h b/include/openssl/base64.h
index 2d27c89..f28e7dd 100644
--- a/include/openssl/base64.h
+++ b/include/openssl/base64.h
@@ -70,32 +70,8 @@
* base64 encoding and decoding. */
-typedef struct evp_encode_ctx_st EVP_ENCODE_CTX;
-
-
/* Encoding */
-/* EVP_EncodeInit initialises |*ctx|, which is typically stack
- * allocated, for an encoding operation.
- *
- * NOTE: The encoding operation breaks its output with newlines every
- * 64 characters of output (48 characters of input). Use
- * EVP_EncodeBlock to encode raw base64. */
-OPENSSL_EXPORT void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
-
-/* EVP_EncodeUpdate encodes |in_len| bytes from |in| and writes an encoded
- * version of them to |out| and sets |*out_len| to the number of bytes written.
- * Some state may be contained in |ctx| so |EVP_EncodeFinal| must be used to
- * flush it before using the encoded data. */
-OPENSSL_EXPORT void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out,
- int *out_len, const uint8_t *in,
- size_t in_len);
-
-/* EVP_EncodeFinal flushes any remaining output bytes from |ctx| to |out| and
- * sets |*out_len| to the number of bytes written. */
-OPENSSL_EXPORT void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,
- int *out_len);
-
/* EVP_EncodeBlock encodes |src_len| bytes from |src| and writes the
* result to |dst| with a trailing NUL. It returns the number of bytes
* written, not including this trailing NUL. */
@@ -124,6 +100,36 @@
size_t max_out, const uint8_t *in,
size_t in_len);
+
+/* Deprecated functions.
+ *
+ * OpenSSL provides a streaming base64 implementation, however its behavior is
+ * very specific to PEM. It is also very lenient of invalid input. Use of any of
+ * these functions is thus deprecated.
+ *
+ * TODO(davidben): Import upstream's rewrite that rejects the invalid input. */
+
+/* EVP_EncodeInit initialises |*ctx|, which is typically stack
+ * allocated, for an encoding operation.
+ *
+ * NOTE: The encoding operation breaks its output with newlines every
+ * 64 characters of output (48 characters of input). Use
+ * EVP_EncodeBlock to encode raw base64. */
+OPENSSL_EXPORT void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
+
+/* EVP_EncodeUpdate encodes |in_len| bytes from |in| and writes an encoded
+ * version of them to |out| and sets |*out_len| to the number of bytes written.
+ * Some state may be contained in |ctx| so |EVP_EncodeFinal| must be used to
+ * flush it before using the encoded data. */
+OPENSSL_EXPORT void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out,
+ int *out_len, const uint8_t *in,
+ size_t in_len);
+
+/* EVP_EncodeFinal flushes any remaining output bytes from |ctx| to |out| and
+ * sets |*out_len| to the number of bytes written. */
+OPENSSL_EXPORT void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,
+ int *out_len);
+
/* EVP_DecodeInit initialises |*ctx|, which is typically stack allocated, for
* a decoding operation.
*
@@ -148,9 +154,6 @@
OPENSSL_EXPORT int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,
int *out_len);
-
-/* Deprecated functions. */
-
/* EVP_DecodeBlock encodes |src_len| bytes from |src| and writes the result to
* |dst|. It returns the number of bytes written or -1 on error.
*
