[EXTERNAL] Re: Need Replacement for Deprecated function.
Matt Caswell
matt at openssl.org
Wed Dec 1 13:58:12 UTC 2021
On 01/12/2021 13:11, Shivakumar Poojari wrote:
> Hi Matt,
> your suggestion was very helpful; with your help I moved a little forward
> and got blocked again.
>
> Below is the code snippet I'm working on.
> PEM_read_bio_DHparams and PEM_read_bio_DSAparams read DH params and
> DSA params separately; how do I read them separately
> with PEM_read_bio_Parameters_ex?
>
> or
>
> Can I modify the code to read the BIO in one stretch using
> PEM_read_bio_Parameters_ex and update SSL_set_tmp_dh directly?
PEM_read_bio_Parameters_ex() should be able to read either DH or DSA
parameters. It will detect which one it is and give you back an EVP_PKEY
object.
Internally the EVP_PKEY object will either contain DH or DSA parameters.
You can test which one you have using:
EVP_PKEY_is_a(pkey, "DH")
or
EVP_PKEY_is_a(pkey, "DSA")
Having read the parameters into an EVP_PKEY object you can simply pass
that to SSL_set0_tmp_dh_pkey(). However this will only work if
EVP_PKEY_is_a(pkey, "DH") returns true. If you actually have DSA
parameters then you would need to convert them using something like the
workaround I linked to. But I would question whether you really want to
continue to support this.
Matt
>
> Please let me know your views.
>
> Thanks,
> Shivakumar
>
> ////////////////////////////////////////////////////////////////
> #ifdef OPENSSL_NO_DH
>         if (dh_file == NULL)
>                 return 0;
>         wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
>                    "dh_file specified");
>         return -1;
> #else /* OPENSSL_NO_DH */
>         DH *dh;
>         BIO *bio;
>
>         /* TODO: add support for dh_blob */
>         if (dh_file == NULL)
>                 return 0;
>         if (conn == NULL)
>                 return -1;
>
>         bio = BIO_new_file(dh_file, "r");
>         if (bio == NULL) {
>                 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
>                            dh_file, ERR_error_string(ERR_get_error(), NULL));
>                 return -1;
>         }
>         dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
>         BIO_free(bio);
> #ifndef OPENSSL_NO_DSA
>         while (dh == NULL) {
>                 DSA *dsa;
>                 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
>                            " trying to parse as DSA params", dh_file,
>                            ERR_error_string(ERR_get_error(), NULL));
>                 bio = BIO_new_file(dh_file, "r");
>                 if (bio == NULL)
>                         break;
>                 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
>                 BIO_free(bio);
>                 if (!dsa) {
>                         wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
>                                    "'%s': %s", dh_file,
>                                    ERR_error_string(ERR_get_error(), NULL));
>                         break;
>                 }
>
>                 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
>                 dh = DSA_dup_DH(dsa);
>                 DSA_free(dsa);
>                 if (dh == NULL) {
>                         wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
>                                    "params into DH params");
>                         break;
>                 }
>                 break;
>         }
> #endif /* !OPENSSL_NO_DSA */
>         if (dh == NULL) {
>                 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
>                            "'%s'", dh_file);
>                 return -1;
> ////////////////////////////////////////////////////////////////
> ------------------------------------------------------------------------
> *From:* openssl-users <openssl-users-bounces at openssl.org> on behalf of
> Matt Caswell <matt at openssl.org>
> *Sent:* Monday, November 29, 2021 8:40 PM
> *To:* openssl-users at openssl.org <openssl-users at openssl.org>
> *Subject:* [EXTERNAL] Re: Need Replacement for Deprecated function.
>
>
> On 29/11/2021 12:35, Shivakumar Poojari wrote:
>> Hi All,
>>
>> We are upgrading our code to openssl 3.0.
>>
>> Need Replacement for below Deprecated function.
>>
>> SSL_use_RSAPrivateKey_ASN1();
>
> Use SSL_use_PrivateKey_ASN1();
>
>
>> PEM_read_bio_DHparams();
>> PEM_read_bio_DSAparams();
>
> Use PEM_read_bio_Parameters_ex() for these two.
>
>> DSA_dup_DH();
>
> There is no replacement for this. Why do you need it? Generally this is
> a bad idea.
>
> If you really need to do it there is a workaround:
>
> https://clicktime.symantec.com/3RFqPpzm8EUTsqiRi1524Xo6H2?u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2Fbc42cf51c8b2a22282bb3cdf6303e230dc7b7873%2Fapps%2Fdhparam.c%23L352-L400
>
>
>> DSA_free();
>
> You shouldn't need to call this anymore because you shouldn't have any
> DSA objects anymore. Instead you should only be using EVP_PKEY objects.
> To free those you use EVP_PKEY_free();
>
>
>> SSL_set_tmp_dh();
>
> SSL_set0_tmp_dh_pkey(). Although you might be able to just remove it
> completely. These functions set the DH parameters to a specific set of
> values. Mostly you can instead just use the default built-in ones.
>
>> DH_free();
>
> As per DSA_free();
>
>> SSL_CTX_set_tmp_dh();
>
> SSL_CTX_set0_tmp_dh_pkey() - but same comments as for SSL_set_tmp_dh()
> apply.
>
>
> Matt
>
>>
>> I'm not able to find a proper replacement. Please help me out.
>>
>> Thanks,
>> Shiva Kumar
>>
>>
>>
>>
>> Notice: This e-mail together with any attachments may contain
>> information of Ribbon Communications Inc. and its Affiliates that is
>> confidential and/or proprietary for the sole use of the intended
>> recipient. Any review, disclosure, reliance or distribution by others or
>> forwarding without express permission is strictly prohibited. If you are
>> not the intended recipient, please notify the sender immediately and
>> then delete all copies, including any attachments.
>