Update documentation following deprecation of SRP

Ensure all the man pages correctly reflect the deprecated status of SRP.

Fixes #13917

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)

CHANGES.md

@@ -23,12 +23,18 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+* The SRP APIs have been deprecated. The old APIs do not work via providers,
+   and there is no EVP interface to them. Unfortunately there is no replacement
+   for these APIs at this time.
+
+   *Matt Caswell*
+
  * Add a compile time option to prevent the caching of provider fetched
    algorithms.  This is enabled by including the no-cached-fetch option
    at configuration time.
 
    *Paul Dale*
-
+ 
  * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
    Typically if OpenSSL has no EC or DH algorithms then it cannot support
    connections with TLSv1.3. However OpenSSL now supports "pluggable" groups

doc/man1/openssl-ciphers.pod.in

@@ -67,7 +67,8 @@ When combined with B<-s> includes cipher suites which require PSK.
 
 =item B<-srp>
 
-When combined with B<-s> includes cipher suites which require SRP.
+When combined with B<-s> includes cipher suites which require SRP. This option
+is deprecated.
 
 =item B<-v>
 

doc/man1/openssl-s_client.pod.in

@@ -752,23 +752,24 @@ Offer SRTP key management, where B<value> is a colon-separated profile list.
 
 =item B<-srpuser> I<value>
 
-Set the SRP username to the specified value.
+Set the SRP username to the specified value. This option is deprecated.
 
 =item B<-srppass> I<value>
 
-Set the SRP password to the specified value.
+Set the SRP password to the specified value. This option is deprecated.
 
 =item B<-srp_lateuser>
 
-SRP username for the second ClientHello message.
+SRP username for the second ClientHello message. This option is deprecated.
 
-=item B<-srp_moregroups>
+=item B<-srp_moregroups>  This option is deprecated.
 
 Tolerate other than the known B<g> and B<N> values.
 
 =item B<-srp_strength> I<number>
 
-Set the minimal acceptable length, in bits, for B<N>.
+Set the minimal acceptable length, in bits, for B<N>.  This option is
+deprecated.
 
 {- $OpenSSL::safe::opt_version_item -}
 

doc/man1/openssl-srp.pod.in

@@ -29,9 +29,9 @@ B<openssl srp>
 
 =head1 DESCRIPTION
 
-This command is used to maintain an SRP (secure remote password) file.
-At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
-can be specified.
+This command is deprecated. It is used to maintain an SRP (secure remote
+password) file. At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list>
+options can be specified.
 These options take zero or more usernames as parameters and perform the
 appropriate operation on the SRP file.
 For B<-list>, if no I<user> is given then all users are displayed.

doc/man1/openssl.pod

@@ -294,7 +294,7 @@ SPKAC printing and generating command.
 
 =item B<srp>
 
-Maintain SRP password file.
+Maintain SRP password file. This command is deprecated.
 
 =item B<storeutl>
 

doc/man3/SRP_Calc_B.pod

@@ -18,6 +18,10 @@ SRP_Calc_client_key
 
  #include <openssl/srp.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  /* server side .... */
  BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u,
                              const BIGNUM *b, const BIGNUM *N);
@@ -43,6 +47,9 @@ SRP_Calc_client_key
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated. There are no
+available replacement functions at this time.
+
 The SRP functions described on this page are used to calculate various
 parameters and keys used by SRP as defined in RFC2945. The server key and I<B>
 and I<u> parameters are used on the server side and are calculated via
@@ -74,7 +81,12 @@ L<SRP_user_pwd_new(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.1.
+SRP_Calc_B_ex, SRP_Calc_u_ex, SRP_Calc_client_key_ex and SRP_Calc_x_ex were
+introduced in OpenSSL 3.0.
+
+All of the other functions were added in OpenSSL 1.0.1.
+
+All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 

doc/man3/SRP_VBASE_new.pod

@@ -14,6 +14,10 @@ SRP_VBASE_get_by_user
 
  #include <openssl/srp.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  SRP_VBASE *SRP_VBASE_new(char *seed_key);
  void SRP_VBASE_free(SRP_VBASE *vb);
 
@@ -25,6 +29,9 @@ SRP_VBASE_get_by_user
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated. There are no
+available replacement functions at this time.
+
 The SRP_VBASE_new() function allocates a structure to store server side SRP
 verifier information.
 If B<seed_key> is not NULL a copy is stored and used to generate dummy parameters
@@ -87,6 +94,8 @@ The SRP_VBASE_add0_user() function was added in OpenSSL 3.0.
 
 All other functions were added in OpenSSL 1.0.1.
 
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/SRP_create_verifier.pod

@@ -14,6 +14,10 @@ SRP_get_default_gN
 
  #include <openssl/srp.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
                                BIGNUM **verifier, const BIGNUM *N,
                                const BIGNUM *g, OSSL_LIB_CTX *libctx,
@@ -31,6 +35,9 @@ SRP_get_default_gN
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated. There are no
+available replacement functions at this time.
+
 The SRP_create_verifier_BN_ex() function creates an SRP password verifier from
 the supplied parameters as defined in section 2.4 of RFC 5054 using the library
 context I<libctx> and property query string I<propq>. Any cryptographic
@@ -115,7 +122,10 @@ L<SRP_user_pwd_new(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.1.
+SRP_create_verifier_BN_ex() and SRP_create_verifier_ex() were introduced in
+OpenSSL 3.0. All other functions were added in OpenSSL 1.0.1.
+
+All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 

doc/man3/SRP_user_pwd_new.pod

@@ -13,6 +13,10 @@ SRP_user_pwd_set0_sv
 
  #include <openssl/srp.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  SRP_user_pwd *SRP_user_pwd_new(void);
  void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
 
@@ -22,6 +26,9 @@ SRP_user_pwd_set0_sv
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated. There are no
+available replacement functions at this time.
+
 The SRP_user_pwd_new() function allocates a structure to store a user verifier
 record.
 
@@ -56,7 +63,7 @@ L<SSL_CTX_set_srp_password(3)>
 
 =head1 HISTORY
 
-These functions were made public in OpenSSL 3.0.
+These functions were made public in OpenSSL 3.0 and are deprecated.
 
 =head1 COPYRIGHT
 

doc/man3/SSL_CTX_set_srp_password.pod

@@ -21,6 +21,10 @@ SSL_get_srp_userinfo
 
  #include <openssl/ssl.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
  int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
  int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
@@ -45,6 +49,9 @@ SSL_get_srp_userinfo
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated. There are no
+available replacement functions at this time.
+
 These functions provide access to SRP (Secure Remote Password) parameters,
 an alternate authentication mechanism for TLS. SRP allows the use of usernames
 and passwords over unencrypted channels without revealing the password to an
@@ -203,7 +210,7 @@ L<SRP_create_verifier(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.1.
+These functions were added in OpenSSL 1.0.1 and deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT