Kurt Roeckx kurt at
Fri Feb 21 22:17:17 UTC 2020

On Fri, Feb 21, 2020 at 09:50:10AM +0000, Matt Caswell wrote:
> On 21/02/2020 08:06, Kurt Roeckx wrote:
> > In the apps, a lot of the files define
> > OPENSSL_SUPPRESS_DEPRECATED, which I think is the wrong way to do
> > it. We should stop using the deprecated functions ourselves. If
> > there is no way to do this using non-deprecated functions, the
> > function should probably not have been deprecated in the first
> > place.
> > 
> > The apps might have functionality that we want to deprecate too,
> > that depends on the deprecated functions. In which case we should
> > also mark that as deprecated, and the apps should always build in
> > no-deprecation mode.
> I think we have a number of strategies for dealing with deprecated APIs
> in the apps depending on the situation:
> 1) Ideally we just rewrite the functionality using non-deprecated APIs

The problem is that many of the apps already define
OPENSSL_SUPPRESS_DEPRECATED so that you don't know that something
you're deprecating is used there without checking for it.

The commit I was looking at was ada66e78ef535fe80e422bbbadffe8e7863d457c:
Deprecate the low level Diffie-Hellman functions.

At least one of the functions being deprecated is DH_check, which
is still used by dhparam. Dhparam is our replacement for dh and gendh.
I don't know if any of the other functions that were deprecated are
still used internally or not.

The define was added in commit 1ddf2594e18137aeb7ce861e54f46824db76e36f,
and so when DH_check later got deprecated, nobody noticed that the
now deprecated function is still being used.

I think the replacement function is EVP_PKEY_param_check().

DH_check is not mentioned as deprecated in the manual.


More information about the openssl-project mailing list
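The point above is that a file-level `#define OPENSSL_SUPPRESS_DEPRECATED` silences the compiler, so a later deprecation (here DH_check in the DH commit) goes unnoticed in the apps. The script below is an added example, not code from this thread or from OpenSSL's own build: it scans a source tree for `.c` files that define `OPENSSL_SUPPRESS_DEPRECATED` and still call a function from a caller-supplied list of newly deprecated names. The sample tree it builds is constructed for the example (the file contents are not OpenSSL's real apps/dhparam.c or apps/genpkey.c), and the only deprecated name used is DH_check, the one named in the message; EVP_PKEY_param_check() appears as the non-deprecated replacement Kurt points to.

```shell
#!/bin/sh
# Added example: find deprecated-API calls hidden by OPENSSL_SUPPRESS_DEPRECATED.
# Not part of the openssl-project thread or the OpenSSL source tree.
set -eu

# find_hidden_deprecated_uses TREE FUNC...
# For every *.c under TREE that defines OPENSSL_SUPPRESS_DEPRECATED (so the
# compiler would not warn), print "file:function" for each FUNC it calls.
# Matching is textual: a word boundary before FUNC and an opening paren after.
find_hidden_deprecated_uses() {
    tree=$1
    shift
    for f in $(find "$tree" -name '*.c' | sort); do
        grep -Eq '^#[[:space:]]*define[[:space:]]+OPENSSL_SUPPRESS_DEPRECATED' "$f" \
            || continue
        for fn in "$@"; do
            if grep -Eq "(^|[^A-Za-z0-9_])$fn[[:space:]]*\(" "$f"; then
                echo "$f:$fn"
            fi
        done
    done
}

# make_sample_tree: build a constructed three-file tree and print its path.
# These files are illustrative stand-ins, not OpenSSL's apps sources.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/apps"
    # suppresses warnings and still calls the deprecated DH_check
    cat > "$d/apps/dhparam.c" <<'EOF'
/* constructed sample, not OpenSSL's apps/dhparam.c */
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/dh.h>
int check(DH *dh, int *codes) { return DH_check(dh, codes); }
EOF
    # uses the non-deprecated EVP replacement and no suppression define
    cat > "$d/apps/genpkey.c" <<'EOF'
/* constructed sample, not OpenSSL's apps/genpkey.c */
#include <openssl/evp.h>
int check(EVP_PKEY_CTX *ctx) { return EVP_PKEY_param_check(ctx); }
EOF
    # suppresses warnings but calls nothing from the deprecated list
    cat > "$d/apps/x509.c" <<'EOF'
/* constructed sample, not OpenSSL's apps/x509.c */
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/x509.h>
EOF
    echo "$d"
}

# Stand-alone run: report hidden DH_check users in the sample tree.
sample=$(make_sample_tree)
find_hidden_deprecated_uses "$sample" DH_check
rm -rf "$sample"
```

Run it against a real checkout as `find_hidden_deprecated_uses path/to/openssl DH_check ...` with the names from the deprecating commit; any hit is a file where the suppression define is masking a use that should be rewritten (or, per the message, the app functionality itself marked deprecated).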