haskell-cryptography / HsOpenSSL

OpenSSL binding for Haskell
http://hackage.haskell.org/package/HsOpenSSL
Creative Commons Zero v1.0 Universal

OpenSSL 3.0 deprecations #63

Open vshabanov opened 3 years ago

vshabanov commented 3 years ago

There are a lot of deprecated functions in OpenSSL 3.0 (see #62 for example).

https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Deprecation-of-Low-Level-Functions

Haven't looked into the details, but I suppose there should be two cases:

  1. Haskell module exports deprecated OpenSSL functions. Such bindings should have a deprecation warning in Haskell as well (when compiled with OpenSSL 3.0), and alternative bindings should be added if necessary (with a deprecation message pointing to them).
  2. Haskell modules that don't export deprecated functions but use them underneath should be updated to use the new functions from the migration guide.

Looks like a lot of work for me at the moment (we may need to replace import ccall with import capi to see all deprecations). So it will be amazing if somebody would take a leap and send a PR for this issue.

vshabanov commented 1 year ago

Need to add import capi anyway to get rid of the linking errors in #73.

arrowd commented 11 months ago

FreeBSD 14 imported OpenSSL 3 into its base and now I can't get HsOpenSSL working.

When building without any additional defines I get undefined reference to DSA_generate_parameters, and with --gcc-option=-DOPENSSL_NO_DEPRECATED I get

cbits/HsOpenSSL.h:107:24: error: unknown type name 'DSA'
int HsOpenSSL_dsa_sign(DSA *dsa, const unsigned char *ddata, int len,
                       ^

What can be done about that?

vshabanov commented 11 months ago

Unfortunately, many DSA functions are deprecated. They need to be replaced with EVP_* functions as described in https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Deprecated-low-level-key-generation-functions

I will gladly accept a PR that uses the new functions.

tchoutri commented 3 months ago

servant is getting hit by this in its development repo. Unfortunately I am very unfamiliar with OpenSSL. Is there anything I can do to help or should this be left to someone who knows their stuff?

vshabanov commented 3 months ago

There are no active HsOpenSSL developers at the moment. Maybe it is worth trying to remove all deprecated functions and make HsOpenSSL 0.12, which is incompatible with previous versions, because OpenSSL 3.0 is not.

There's no DSA_generate_parameters in OpenSSL 3.0, so I think it doesn't make much sense to try emulating it.

I don't know how much stuff will be broken due to this. I suppose the SSL connection setup and I/O should still work, and that's probably the lion's share of HsOpenSSL usage.

You can try to remove everything that no longer works (probably by dropping the whole OpenSSL.DSA module) and check whether servant (and maybe http-client-openssl) still works. If it does, this would be the next HsOpenSSL version.

It won't break on OpenSSL 3.0 systems, and missing features will be added by those who need them and can check whether they really work.