On Fri, Feb 21, 2020 at 09:50:10AM +0000, Matt Caswell wrote:
>
>
> On 21/02/2020 08:06, Kurt Roeckx wrote:
> > In the apps, a lot of the files define
> > OPENSSL_SUPPRESS_DEPRECATED, which I think is the wrong way to do
> > it. We should stop using the deprecated functions ourself. If
> > there is no way to do this using non-deprecated functions, the
> > function should probably not have been deprecated in the first
> > place.
> >
> > The apps might have functionality that we want to deprecate too,
> > that depends on the deprecated functions. In which case we should
> > also mark that as deprecated, and the apps should always build in
> > no-deprecation mode.
>
> I think we have a number of strategies for dealing with deprecated APIs
> in the apps depending on the situation:
>
> 1) Ideally we just rewrite the functionality using non-deprecated APIs

The problem is that many of the apps already define
OPENSSL_SUPPRESS_DEPRECATED so that you don't know that something
you're deprecating is used there without checking for it.

The commit I was looking at was
ada66e78ef535fe80e422bbbadffe8e7863d457c: Deprecate the low level
Diffie-Hellman functions.

At least one of the functions being deprecated is DH_check, which is
still used by dhparam. Dhparam is our replacement for dh and gendh.
I don't know if any of the other functions that were deprecated are
still used internally or not.

The define was added in commit
1ddf2594e18137aeb7ce861e54f46824db76e36f, and so when DH_check
later got deprecated, nobody noticed that the now deprecated
function is still being used.

I think the replacement function is EVP_PKEY_param_check().

DH_check is not mentioned as deprecated in the manual.


Kurt
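
One way to catch the situation described in this message, as an added example that is not part of the original mail or of OpenSSL's own tooling: a small Python check that reports calls to newly deprecated functions in source files that define OPENSSL_SUPPRESS_DEPRECATED, where the compiler stays silent. The file names and file contents below are constructed samples; only DH_check, EVP_PKEY_param_check and the macro name come from the thread.

```python
import re

# A file opts out of deprecation warnings by defining this macro.
SUPPRESS_RE = re.compile(r"^\s*#\s*define\s+OPENSSL_SUPPRESS_DEPRECATED\b", re.M)
# C comments; string literals containing "//" are not handled (assumed rare here).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def strip_comments(src):
    # Keep the newlines so reported line numbers still match the file.
    return COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)

def hidden_deprecated_calls(sources, deprecated):
    """Return {file: [(line, function), ...]} for files that suppress
    deprecation warnings and still call one of the deprecated functions."""
    call_re = re.compile(r"\b(" + "|".join(map(re.escape, deprecated)) + r")\s*\(")
    findings = {}
    for name, src in sources.items():
        code = strip_comments(src)
        if not SUPPRESS_RE.search(code):
            continue  # without the macro the compiler already warns
        hits = [(code.count("\n", 0, m.start()) + 1, m.group(1))
                for m in call_re.finditer(code)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample sources, not taken from the OpenSSL tree.
SAMPLE = {
    "sample_dhparam.c": (
        "/* We need to use some deprecated APIs */\n"
        "#define OPENSSL_SUPPRESS_DEPRECATED\n"
        "#include <openssl/dh.h>\n"
        "int run(DH *dh) {\n"
        "    int i;\n"
        "    if (!DH_check(dh, &i))\n"
        "        return 1;\n"
        "    return 0;\n"
        "}\n"
    ),
    "sample_migrated.c": (
        "#define OPENSSL_SUPPRESS_DEPRECATED\n"
        "/* DH_check(dh, &i) used to be called here */\n"
        "int run(EVP_PKEY_CTX *c) { return EVP_PKEY_param_check(c) > 0 ? 0 : 1; }\n"
    ),
    "sample_nosuppress.c": "int run(DH *dh) { int i; return DH_check(dh, &i); }\n",
}

if __name__ == "__main__":
    for path, hits in hidden_deprecated_calls(SAMPLE, ["DH_check"]).items():
        for line, func in hits:
            print(f"{path}:{line}: {func} called with deprecation warnings suppressed")
```

Run as part of a deprecation commit, with the list of functions being deprecated, this turns the manual "checking for it" into a review step.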
