[EXTERNAL] Re: Need Replacement for Deprecated function.

Shivakumar Poojari Shivakumar.Poojari at rbbn.com
Wed Dec 1 13:11:34 UTC 2021


Hi Matt,
your suggestion was very helpful, with your help I moved little forward and blocked again.

Below code snippet I'm working on,
PEM_read_bio_DHparams and PEM_read_bio_DSAparams reading DH params and DSA params separately, how do I read separately with PEM_read_bio_Parameters_ex.

or

Can I modify the code to read bio in one Strech using PEM_read_bio_Parameters_ex and update  SSL_set_tmp_dh directly.

Please let me know your views.

Thanks,
Shivakumar

////////////////////////////////////////////////////////////////
#ifdef OPENSSL_NO_DH
if (dh_file == NULL)
return 0;
wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
  "dh_file specified");
return -1;
#else /* OPENSSL_NO_DH */
DH *dh;
BIO *bio;

/* TODO: add support for dh_blob */
if (dh_file == NULL)
return 0;
if (conn == NULL)
return -1;

bio = BIO_new_file(dh_file, "r");
if (bio == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
  dh_file, ERR_error_string(ERR_get_error(), NULL));
return -1;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
#ifndef OPENSSL_NO_DSA
while (dh == NULL) {
DSA *dsa;
wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
  " trying to parse as DSA params", dh_file,
  ERR_error_string(ERR_get_error(), NULL));
bio = BIO_new_file(dh_file, "r");
if (bio == NULL)
break;
dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (!dsa) {
wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
  "'%s': %s", dh_file,
  ERR_error_string(ERR_get_error(), NULL));
break;
}

wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
if (dh == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
  "params into DH params");
break;
}
break;
}
#endif /* !OPENSSL_NO_DSA */
if (dh == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
  "'%s'", dh_file);
return -1;
////////////////////////////////////////////////////////////////
________________________________
From: openssl-users <openssl-users-bounces at openssl.org> on behalf of Matt Caswell <matt at openssl.org>
Sent: Monday, November 29, 2021 8:40 PM
To: openssl-users at openssl.org <openssl-users at openssl.org>
Subject: [EXTERNAL] Re: Need Replacement for Deprecated function.



On 29/11/2021 12:35, Shivakumar Poojari wrote:
> Hi All,
>
> We are upgrading our code to openssl 3.0.
>
> Need Replacement for below Deprecated function.
>
> SSL_use_RSAPrivateKey_ASN1();

Use SSL_use_PrivateKey_ASN1();


> PEM_read_bio_DHparams();
> PEM_read_bio_DSAparams();

Use PEM_read_bio_Parameters_ex() for these two.

> DSA_dup_DH();

There is no replacement for this. Why do you need it? Generally this is
a bad idea.

If you really need to do it there is a workaround:

https://clicktime.symantec.com/3RFqPpzm8EUTsqiRi1524Xo6H2?u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2Fbc42cf51c8b2a22282bb3cdf6303e230dc7b7873%2Fapps%2Fdhparam.c%23L352-L400


> DSA_free();

You shouldn't need to call this anymore because you shouldn't have any
DSA objects anymore. Instead you should only be using EVP_PKEY objects.
To free those you use EVP_PKEY_free();


> SSL_set_tmp_dh();

SSL_set0_tmp_dh_pkey(). Although you might be able to just remove it
completely. These functions set the DH parameters to a specific set of
values. Mostly you can instead just use the default built-in ones.

> DH_free();

As per DSA_free();

> SSL_CTX_set_tmp_dh();

SSL_CTX_set0_tmp_dh_pkey() - but same comments as for SSL_set_tmp_dh()
apply.


Matt

>
> I'm not able to find proper replacement, Please help me out
>
> Thanks,
> Shiva Kumar
>
>
>
>
> Notice: This e-mail together with any attachments may contain
> information of Ribbon Communications Inc. and its Affiliates that is
> confidential and/or proprietary for the sole use of the intended
> recipient. Any review, disclosure, reliance or distribution by others or
> forwarding without express permission is strictly prohibited. If you are
> not the intended recipient, please notify the sender immediately and
> then delete all copies, including any attachments.

Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211201/9ddd23a6/attachment.htm>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: New Text Document (10).txt
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211201/9ddd23a6/attachment.txt>


More information about the openssl-users mailing list