Concentrate deprecated libssl API usage in one file

We create a new file ssl/tls_depr.c to contain functions that need to call
deprecated APIs in libssl. This enables us to remove
OPENSSL_SUPPRESS_DEPRECATED from a number of other libssl files.

The deprecated API usage is either related to ENGINEs and is needed to
continue to support applications that use such ENGINEs. Or they are needed
to support some deprecated public libssl APIs.

One other file remains in libssl that still uses deprecated APIs: s3_cbc.c
This is needed to support the deprecated SSLv3.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13135)

1 files changed, 11 insertions, 31 deletions

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 219d30ff24..2c6b28aacf 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -9,9 +9,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <stdio.h>
 #include "ssl_local.h"
 #include "e_os.h"
@@ -3396,7 +3393,7 @@ void SSL_CTX_free(SSL_CTX *a)
     SSL_CTX_SRP_CTX_free(a);
 #endif
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(a->client_cert_engine);
+    tls_engine_finish(a->client_cert_engine);
 #endif
 
 #ifndef OPENSSL_NO_EC
@@ -5897,23 +5894,16 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
                                        int nid,
                                        const char *properties)
 {
-    EVP_CIPHER *ciph;
+    const EVP_CIPHER *ciph;
 
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE *eng;
+    ciph = tls_get_cipher_from_engine(nid);
+    if (ciph != NULL)
+        return ciph;
 
     /*
-     * If there is an Engine available for this cipher we use the "implicit"
-     * form to ensure we use that engine later.
+     * If there is no engine cipher then we do an explicit fetch. This may fail
+     * and that could be ok
      */
-    eng = ENGINE_get_cipher_engine(nid);
-    if (eng != NULL) {
-        ENGINE_finish(eng);
-        return EVP_get_cipherbynid(nid);
-    }
-#endif
-
-    /* Otherwise we do an explicit fetch. This may fail and that could be ok */
     ERR_set_mark();
     ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
     ERR_pop_to_mark();
@@ -5952,21 +5942,11 @@ const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
                                int nid,
                                const char *properties)
 {
-    EVP_MD *md;
+    const EVP_MD *md;
 
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE *eng;
-
-    /*
-     * If there is an Engine available for this digest we use the "implicit"
-     * form to ensure we use that engine later.
-     */
-    eng = ENGINE_get_digest_engine(nid);
-    if (eng != NULL) {
-        ENGINE_finish(eng);
-        return EVP_get_digestbynid(nid);
-    }
-#endif
+    md = tls_get_digest_from_engine(nid);
+    if (md != NULL)
+        return md;
 
     /* Otherwise we do an explicit fetch */
     ERR_set_mark();