Backwards-compatibility subject to OPENSSL_API_COMPAT

Provide backwards-compatiblity for functions, macros and include
files if OPENSSL_API_COMPAT is either not defined or defined less
than the version number of the release in which the feature was
deprecated.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

CHANGES

@@ -4,6 +4,35 @@
 
  Changes between 1.0.2e and 1.1.0  [xx XXX xxxx]
 
+  *) Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
+     continues to support deprecated interfaces in default builds.
+     However, applications are strongly advised to compile their
+     source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
+     the declarations of all interfaces deprecated in 0.9.8, 1.0.0
+     or the 1.1.0 releases.
+
+     In environments in which all applications have been ported to
+     not use any deprecated interfaces OpenSSL's Configure script
+     should be used with the --api=1.1.0 option to entirely remove
+     support for the deprecated features from the library and
+     unconditionally disable them in the installed headers.
+     Essentially the same effect can be achieved with the "no-deprecated"
+     argument to Configure, except that this will always restrict
+     the build to just the latest API, rather than a fixed API
+     version.
+
+     As applications are ported to future revisions of the API,
+     they should update their compile-time OPENSSL_API_COMPAT define
+     accordingly, but in most cases should be able to continue to
+     compile with later releases.
+
+     The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
+     0x10000000L and 0x00908000L, respectively.  However those
+     versions did not support the OPENSSL_API_COMPAT feature, and
+     so applications are not typically tested for explicit support
+     of just the undeprecated features of either release.
+     [Viktor Dukhovni]
+
   *) Add support for setting the minimum and maximum supported protocol.
      It can bet set via the SSL_set_min_proto_version() and
      SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and

Configure

@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 #
 # --cross-compile-prefix Add specified prefix to binutils components.
 #
+# --api         One of 0.9.8, 1.0.0 or 1.1.0.  Do not compile support for
+#               interfaces deprecated as of the specified OpenSSL version.
+#
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
@@ -137,6 +140,16 @@ my $bits2="SIXTY_FOUR_BIT ";
 # seems to be sufficient?
 my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
 
+#
+# API compability name to version number mapping.
+#
+my $maxapi = "1.1.0";           # API for "no-deprecated" builds
+my $apitable = {
+    "1.1.0" => "0x10100000L",
+    "1.0.0" => "0x10000000L",
+    "0.9.8" => "0x00908000L",
+};
+
 # table of known configurations, read in from files
 #
 # The content of each entry can take one of two forms:
@@ -890,7 +903,6 @@ my @disablables = (
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
 my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
-		 "deprecated" => "default",
 		 "ec_nistp_64_gcc_128" => "default",
 		 "jpake"          => "experimental",
 		 "md2"            => "default",
@@ -932,6 +944,7 @@ my $openssl_other_defines;
 my $libs;
 my $target;
 my $options;
+my $api;
 my $make_depend=0;
 my %withargs=();
 my $build_prefix = "release_";
@@ -1086,6 +1099,10 @@ PROCESS_ARGS:
 				{
 				$prefix=$1;
 				}
+			elsif (/^--api=(.*)$/)
+				{
+				$api=$1;
+				}
 			elsif (/^--libdir=(.*)$/)
 				{
 				$libdir=$1;
@@ -1157,6 +1174,10 @@ PROCESS_ARGS:
 			}
 		}
 
+        if (defined($api) && !exists $apitable->{$api}) {
+		die "***** Unsupported api compatibility level: $api\n",
+        }
+
 	if (keys %unsupported_options)
 		{
 		die "***** Unsupported options: ",
@@ -1542,11 +1563,10 @@ if ($zlib)
 		}
 	}
 
-#Build the library with OPENSSL_USE_DEPRECATED if deprecation is not disabled
-if(!defined($disabled{"deprecated"}))
-	{
-	$cflags = "-DOPENSSL_USE_DEPRECATED $cflags";
-	}
+# With "deprecated" disable all deprecated features.
+if (defined($disabled{"deprecated"})) {
+        $api = $maxapi;
+}
 
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
@@ -1744,7 +1764,7 @@ open(IN,'<include/openssl/opensslv.h') || die "unable to read opensslv.h:$!\n";
 while (<IN>)
 	{
 	$version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /;
-	$version_num=$1 if /OPENSSL.VERSION.NUMBER.*0x(\S+)/;
+	$version_num=$1 if /OPENSSL.VERSION.NUMBER.*(0x\S+)/;
 	$shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/;
 	$shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/;
 	}
@@ -1763,6 +1783,12 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 	$shlib_minor=$2;
 	}
 
+if (defined($api)) {
+    my $apiflag = sprintf("-DOPENSSL_API_COMPAT=%s", $apitable->{$api});
+    $default_depflags .= " $apiflag";
+    $cflags .= " $apiflag";
+}
+
 my $ecc = $cc;
 $ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
 
@@ -1991,6 +2017,11 @@ print OUT "#ifdef  __cplusplus\n";
 print OUT "extern \"C\" {\n";
 print OUT "#endif\n";
 print OUT "/* OpenSSL was configured with the following options: */\n";
+
+my $openssl_api_defines = "";
+if (defined($api)) {
+    $openssl_api_defines = sprintf "#define OPENSSL_MIN_API %s\n", $apitable->{$api};
+}
 my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
 $openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n#  define OPENSSL_NO_$1\n# endif\n#endif/mg;
 $openssl_algorithm_defines_trans =~ s/^\s*#\s*define\s+OPENSSL_(.*)/# if defined(OPENSSL_$1) \&\& !defined($1)\n#  define $1\n# endif/mg;
@@ -1999,9 +2030,11 @@ $openssl_algorithm_defines = "   /* no ciphers excluded */\n" if $openssl_algori
 $openssl_thread_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
 $openssl_sys_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
 $openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
+
 print OUT $openssl_sys_defines;
 print OUT "#ifndef OPENSSL_DOING_MAKEDEPEND\n\n";
 print OUT $openssl_experimental_defines;
+print OUT $openssl_api_defines;
 print OUT "\n";
 print OUT $openssl_algorithm_defines;
 print OUT "\n#endif /* OPENSSL_DOING_MAKEDEPEND */\n\n";
@@ -2162,7 +2195,7 @@ EOF
 # create the ms/version32.rc file if needed
 if ($IsMK1MF && ($target !~ /^netware/)) {
 	my ($v1, $v2, $v3, $v4);
-	if ($version_num =~ /(^[0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) {
+	if ($version_num =~ /^0x([0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})L$/i) {
 		$v1=hex $1;
 		$v2=hex $2;
 		$v3=hex $3;

NEWS

@@ -23,6 +23,11 @@
       o EC revision: now operations use new EC_KEY_METHOD.
       o Support for OCB mode added to libcrypto
       o Support for asynchronous crypto operations added to libcrypto and libssl
+      o Deprecated interfaces can now be disabled at build time either
+        relative to the latest relate via the "no-deprecated" Configure
+        argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
+      o Application software can be compiled with -DOPENSSL_API_COMPAT=version
+        to ensure that features deprecated before that version are not exposed.
 
   Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
 

crypto/bn/bn_blind.c

@@ -109,6 +109,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
 
@@ -119,7 +120,7 @@ struct bn_blinding_st {
     BIGNUM *Ai;
     BIGNUM *e;
     BIGNUM *mod;                /* just a reference */
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10000000L
     unsigned long thread_id;    /* added in OpenSSL 0.9.6j and 0.9.7b; used
                                  * only by crypto/rsa/rsa_eay.c, rsa_lib.c */
 #endif
@@ -271,7 +272,7 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
     return (ret);
 }
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10000000L
 unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
 {
     return b->thread_id;

crypto/bn/bn_depr.c

@@ -62,11 +62,12 @@
 #include <time.h>
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
+#include <openssl/opensslconf.h>
 #include <openssl/rand.h>
 
 static void *dummy = &dummy;
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x00908000L
 BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
                           const BIGNUM *add, const BIGNUM *rem,
                           void (*callback) (int, int, void *), void *cb_arg)

crypto/bn/bn_lib.c

@@ -65,9 +65,10 @@
 #include <limits.h>
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
+#include <openssl/opensslconf.h>
 
 /* This stuff appears to be completely unused, so is deprecated */
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x00908000L
 /*-
  * For a 32 bit machine
  * 2 -   4 ==  128
@@ -258,7 +259,7 @@ void BN_free(BIGNUM *a)
     if (a->flags & BN_FLG_MALLOCED)
         OPENSSL_free(a);
     else {
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x00908000L
         a->flags |= BN_FLG_FREE;
 #endif
         a->d = NULL;

crypto/dh/dh_depr.c

@@ -59,10 +59,11 @@
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include <openssl/opensslconf.h>
 
 static void *dummy = &dummy;
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x00908000L
 DH *DH_generate_parameters(int prime_len, int generator,
                            void (*callback) (int, int, void *), void *cb_arg)
 {

crypto/dsa/dsa_depr.c

@@ -75,8 +75,9 @@ static void *dummy = &dummy;
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
+#include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x00908000L
 DSA *DSA_generate_parameters(int bits,
                              unsigned char *seed_in, int seed_len,
                              int *counter_ret, unsigned long *h_ret,

crypto/err/err.c

@@ -118,6 +118,7 @@
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
+#include <openssl/opensslconf.h>
 
 DECLARE_LHASH_OF(ERR_STRING_DATA);
 DECLARE_LHASH_OF(ERR_STATE);
@@ -861,7 +862,7 @@ void ERR_remove_thread_state(const CRYPTO_THREADID *id)
     int_thread_del_item(&tmp);
 }
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10000000L
 void ERR_remove_state(unsigned long pid)
 {
     ERR_remove_thread_state(NULL);

crypto/evp/e_old.c

@@ -57,7 +57,9 @@
  *
  */
 
-#ifdef OPENSSL_NO_DEPRECATED
+#include <openssl/opensslconf.h>
+
+#if OPENSSL_API_COMPAT >= 0x00908000L
 static void *dummy = &dummy;
 #else
 

crypto/hmac/hmac.c

@@ -61,6 +61,7 @@
 #include <string.h>
 #include "internal/cryptlib.h"
 #include <openssl/hmac.h>
+#include <openssl/opensslconf.h>
 #include "hmac_lcl.h"
 
 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
@@ -127,7 +128,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
     return 0;
 }
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10100000L
 int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
 {
     if (key && md)

crypto/opensslconf.h.in

 /* crypto/opensslconf.h.in */
 
 /*
- * Applications should use -DOPENSSL_USE_DEPRECATED to enable access to
- * deprecated functions. But if the library has been built to disable
- * deprecated functions then this will not work
+ * Applications should use -DOPENSSL_API_COMPAT=<version> to suppress the
+ * declarations of functions deprecated in or before <version>. Otherwise, they
+ * still won't see them if the library has been built to disable deprecated
+ * functions.
  */
-#if defined(OPENSSL_NO_DEPRECATED) && defined(OPENSSL_USE_DEPRECATED)
-#error "OPENSSL_USE_DEPRECATED has been defined, but OpenSSL has been built without support for deprecated functions"
+#if defined(OPENSSL_NO_DEPRECATED)
+# define DECLARE_DEPRECATED(f)
+#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+# define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+#else
+# define DECLARE_DEPRECATED(f)   f;
+#endif
+
+#ifndef OPENSSL_MIN_API
+#define OPENSSL_MIN_API 0
+#endif
+
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API
+#undef OPENSSL_API_COMPAT
+#define OPENSSL_API_COMPAT OPENSSL_MIN_API
+#endif
+
+#if OPENSSL_API_COMPAT < 0x10100000L
+# define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_1_1_0(f)
+#endif
+
+#if OPENSSL_API_COMPAT < 0x10000000L
+# define DEPRECATEDIN_1_0_0(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_1_0_0(f)
 #endif
 
-/* Test for support for deprecated attribute */
-#if __GNUC__ > 3 || \
-  (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
-#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated))
+#if OPENSSL_API_COMPAT < 0x00908000L
+# define DEPRECATEDIN_0_9_8(f)   DECLARE_DEPRECATED(f)
 #else
-#define DECLARE_DEPRECATED(f)    f
+# define DEPRECATEDIN_0_9_8(f)
 #endif
 
 /* Generate 80386 code? */

crypto/rand/md_rand.c

@@ -128,6 +128,7 @@
 # include <time.h>
 #endif
 
+#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/async.h>
@@ -172,7 +173,7 @@ static int rand_seed(const void *buf, int num);
 static int rand_add(const void *buf, int num, double add_entropy);
 static int rand_bytes(unsigned char *buf, int num, int pseudo);
 static int rand_nopseudo_bytes(unsigned char *buf, int num);
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10100000L
 static int rand_pseudo_bytes(unsigned char *buf, int num);
 #endif
 static int rand_status(void);
@@ -182,7 +183,7 @@ static RAND_METHOD rand_meth = {
     rand_nopseudo_bytes,
     rand_cleanup,
     rand_add,
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10100000L
     rand_pseudo_bytes,
 #else
     NULL,
@@ -627,7 +628,7 @@ static int rand_nopseudo_bytes(unsigned char *buf, int num)
     return rand_bytes(buf, num, 0);
 }
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10100000L
 /*
  * pseudo-random bytes that are guaranteed to be unique but not unpredictable
  */

crypto/rand/rand_lib.c

@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <time.h>
 #include "internal/cryptlib.h"
+#include <openssl/opensslconf.h>
 #include <openssl/rand.h>
 
 #ifndef OPENSSL_NO_ENGINE
@@ -159,7 +160,7 @@ int RAND_bytes(unsigned char *buf, int num)
     return (-1);
 }
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10100000L
 int RAND_pseudo_bytes(unsigned char *buf, int num)
 {
     const RAND_METHOD *meth = RAND_get_rand_method();

crypto/rsa/rsa_depr.c

@@ -61,10 +61,11 @@
 #include <stdio.h>
 #include <time.h>
 #include "internal/cryptlib.h"
+#include <openssl/opensslconf.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 
-#ifdef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT >= 0x00908000L
 
 static void *dummy = &dummy;
 

crypto/thr_id.c

@@ -115,8 +115,9 @@
  */
 
 #include "internal/cryptlib.h"
+#include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10000000L
 static unsigned long (*id_callback) (void) = 0;
 #endif
 static void (*threadid_callback) (CRYPTO_THREADID *) = 0;
@@ -189,7 +190,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id)
         threadid_callback(id);
         return;
     }
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10000000L
     /* If the deprecated callback was set, fall back to that */
     if (id_callback) {
         CRYPTO_THREADID_set_numeric(id, id_callback());
@@ -220,7 +221,7 @@ unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id)
     return id->val;
 }
 
-#ifndef OPENSSL_NO_DEPRECATED
+#if OPENSSL_API_COMPAT < 0x10000000L
 unsigned long (*CRYPTO_get_id_callback(void)) (void) {
     return (id_callback);
 }

doc/crypto/BN_BLINDING_new.pod

@@ -22,10 +22,6 @@ functions.
 	BN_CTX *ctx);
  int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
 	BN_CTX *ctx);
- #ifndef OPENSSL_NO_DEPRECATED
- unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
- void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
- #endif
  CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
  unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
  void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
@@ -35,6 +31,13 @@ functions.
 			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
 	BN_MONT_CTX *m_ctx);
 
+Deprecated:
+
+ #if OPENSSL_API_COMPAT < 0x10000000L
+ unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+ void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+ #endif
+
 =head1 DESCRIPTION
 
 BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies

doc/crypto/BN_generate_prime.pod

@@ -35,6 +35,7 @@ for primality
 
 Deprecated:
 
+ #if OPENSSL_API_COMPAT < 0x00908000L
  BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
      BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
 
@@ -44,6 +45,7 @@ Deprecated:
  int BN_is_prime_fasttest(const BIGNUM *a, int checks,
      void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg,
      int do_trial_division);
+ #endif
 
 =head1 DESCRIPTION
 

doc/crypto/BN_zero.pod

@@ -9,7 +9,7 @@ operations
 
  #include <openssl/bn.h>
 
- int BN_zero(BIGNUM *a);
+ void BN_zero(BIGNUM *a);
  int BN_one(BIGNUM *a);
 
  const BIGNUM *BN_value_one(void);
@@ -17,6 +17,12 @@ operations
  int BN_set_word(BIGNUM *a, unsigned long w);
  unsigned long BN_get_word(BIGNUM *a);
 
+Deprecated:
+
+ #if OPENSSL_API_COMPAT < 0x00908000L
+ int BN_zero(BIGNUM *a);
+ #endif
+
 =head1 DESCRIPTION
 
 BN_zero(), BN_one() and BN_set_word() set B<a> to the values 0, 1 and
@@ -33,8 +39,10 @@ long.
 BN_get_word() returns the value B<a>, and 0xffffffffL if B<a> cannot
 be represented as an unsigned long.
 
-BN_zero(), BN_one() and BN_set_word() return 1 on success, 0 otherwise.
+BN_one(), BN_set_word() and the deprecated version of BN_zero()
+return 1 on success, 0 otherwise.
 BN_value_one() returns the constant.
+The preferred version of BN_zer() never fails and returns no value.
 
 =head1 BUGS
 

doc/crypto/DH_generate_parameters.pod

@@ -16,8 +16,10 @@ DH_check - generate and check Diffie-Hellman parameters
 
 Deprecated:
 
+ #if OPENSSL_API_COMPAT < 0x00908000L
  DH *DH_generate_parameters(int prime_len, int generator,
      void (*callback)(int, int, void *), void *cb_arg);
+ #endif
 
 =head1 DESCRIPTION
 

doc/crypto/DSA_generate_parameters.pod

@@ -14,9 +14,11 @@ DSA_generate_parameters_ex, DSA_generate_parameters - generate DSA parameters
 
 Deprecated:
 
+ #if OPENSSL_API_COMPAT < 0x00908000L
  DSA *DSA_generate_parameters(int bits, unsigned char *seed,
                 int seed_len, int *counter_ret, unsigned long *h_ret,
 		void (*callback)(int, int, void *), void *cb_arg);
+ #endif
 
 =head1 DESCRIPTION
 

doc/crypto/ERR_remove_state.pod

@@ -12,7 +12,9 @@ ERR_remove_thread_state, ERR_remove_state - free a thread's error queue
 
 Deprecated:
 
+ #if OPENSSL_API_COMPAT < 0x10000000L
  void ERR_remove_state(unsigned long pid);
+ #endif
 
 =head1 DESCRIPTION
 

doc/crypto/RAND_bytes.pod

@@ -12,7 +12,9 @@ RAND_bytes, RAND_pseudo_bytes - generate random data
 
 Deprecated:
 
+ #if OPENSSL_API_COMPAT < 0x10100000L
  int RAND_pseudo_bytes(unsigned char *buf, int num);
+ #endif
 
 =head1 DESCRIPTION
 

doc/crypto/RSA_generate_key.pod

@@ -12,8 +12,10 @@ RSA_generate_key_ex, RSA_generate_key - generate RSA key pair
 
 Deprecated:
 
+ #if OPENSSL_API_COMPAT < 0x00908000L
  RSA *RSA_generate_key(int num, unsigned long e,
     void (*callback)(int,int,void *), void *cb_arg);
+ #endif
 
 =head1 DESCRIPTION
 

doc/crypto/err.pod

@@ -22,6 +22,7 @@ err - error codes
  int ERR_GET_REASON(unsigned long e);
 
  void ERR_clear_error(void);
+ void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
 
  char *ERR_error_string(unsigned long e, char *buf);
  const char *ERR_lib_error_string(unsigned long e);
@@ -34,8 +35,6 @@ err - error codes
  void ERR_load_crypto_strings(void);
  void ERR_free_strings(void);
 
- void ERR_remove_state(unsigned long pid);
-
  void ERR_put_error(int lib, int func, int reason, const char *file,
          int line);
  void ERR_add_error_data(int num, ...);
@@ -44,6 +43,12 @@ err - error codes
  unsigned long ERR_PACK(int lib, int func, int reason);
  int ERR_get_next_error_library(void);
 
+Deprecated:
+
+ #if OPENSSL_API_COMPAT < 0x10000000L
+ void ERR_remove_state(unsigned long pid);
+ #endif
+
 =head1 DESCRIPTION
 
 When a call to the OpenSSL library fails, this is usually signaled
@@ -62,7 +67,7 @@ messages is described in L<ERR_error_string(3)>.
 L<ERR_clear_error(3)> can be used to clear the
 error queue.
 
-Note that L<ERR_remove_state(3)> should be used to
+Note that L<ERR_remove_thread_state(3)> should be used to
 avoid memory leaks when threads are terminated.
 
 =head1 ADDING NEW ERROR CODES TO OPENSSL
@@ -178,7 +183,7 @@ L<ERR_clear_error(3)>,
 L<ERR_error_string(3)>,
 L<ERR_print_errors(3)>,
 L<ERR_load_crypto_strings(3)>,
-L<ERR_remove_state(3)>,
+L<ERR_remove_thread_state(3)>,
 L<ERR_put_error(3)>,
 L<ERR_load_strings(3)>,
 L<SSL_get_error(3)>

doc/crypto/hmac.pod

@@ -15,8 +15,6 @@ HMAC, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, HMAC_Init, HMAC_Init_ex, HMAC
  HMAC_CTX *HMAC_CTX_new(void);
  int HMAC_CTX_reset(HMAC_CTX *ctx);
 
- int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
-               const EVP_MD *md);
  int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
                	   const EVP_MD *md, ENGINE *impl);
  int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
@@ -24,6 +22,13 @@ HMAC, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, HMAC_Init, HMAC_Init_ex, HMAC
 
  void HMAC_CTX_free(HMAC_CTX *ctx);
 
+Deprecated:
+
+ #if OPENSSL_API_COMPAT < 0x10100000L
+ int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
+               const EVP_MD *md);
+ #endif
+
 =head1 DESCRIPTION
 
 HMAC is a MAC (message authentication code), i.e. a keyed hash

include/openssl/asn1.h

@@ -61,6 +61,7 @@
 
 # include <time.h>
 # include <openssl/e_os2.h>
+# include <openssl/opensslconf.h>
 # include <openssl/bio.h>
 # include <openssl/stack.h>
 # include <openssl/safestack.h>
@@ -68,7 +69,7 @@
 # include <openssl/symhacks.h>
 
 # include <openssl/ossl_typ.h>
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/bn.h>
 # endif
 

include/openssl/bn.h

@@ -129,6 +129,7 @@
 # ifndef OPENSSL_NO_STDIO
 #  include <stdio.h>            /* FILE */
 # endif
+# include <openssl/opensslconf.h>
 # include <openssl/ossl_typ.h>
 # include <openssl/crypto.h>
 
@@ -270,14 +271,10 @@ extern "C" {
 # define BN_FLG_CONSTTIME        0x04
 # define BN_FLG_SECURE           0x08
 
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x00908000L
 /* deprecated name for the flag */
 #  define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME
-# endif
-
-# ifdef OPENSSL_USE_DEPRECATED
-#  define BN_FLG_FREE             0x8000
-                                       /* used for debuging */
+#  define BN_FLG_FREE            0x8000 /* used for debuging */
 # endif
 
 void BN_set_flags(BIGNUM *b, int n);
@@ -343,7 +340,7 @@ int BN_is_odd(const BIGNUM *a);
 
 void BN_zero_ex(BIGNUM *a);
 
-# ifndef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT >= 0x00908000L
 #  define BN_zero(a)      BN_zero_ex(a)
 # else
 #  define BN_zero(a)      (BN_set_word((a),0))
@@ -475,23 +472,21 @@ BIGNUM *BN_mod_sqrt(BIGNUM *ret,
 void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
 
 /* Deprecated versions */
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
+DEPRECATEDIN_0_9_8(BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
                                              const BIGNUM *add,
                                              const BIGNUM *rem,
                                              void (*callback) (int, int,
                                                                void *),
-                                             void *cb_arg));
-DECLARE_DEPRECATED(int
+                                             void *cb_arg))
+DEPRECATEDIN_0_9_8(int
                    BN_is_prime(const BIGNUM *p, int nchecks,
                                void (*callback) (int, int, void *),
-                               BN_CTX *ctx, void *cb_arg));
-DECLARE_DEPRECATED(int
+                               BN_CTX *ctx, void *cb_arg))
+DEPRECATEDIN_0_9_8(int
                    BN_is_prime_fasttest(const BIGNUM *p, int nchecks,
                                         void (*callback) (int, int, void *),
                                         BN_CTX *ctx, void *cb_arg,
-                                        int do_trial_division));
-# endif                         /* defined(OPENSSL_USE_DEPRECATED) */
+                                        int do_trial_division))
 
 /* Newer versions */
 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
@@ -535,12 +530,10 @@ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
                           BN_CTX *);
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(unsigned long
-                   BN_BLINDING_get_thread_id(const BN_BLINDING *));
-DECLARE_DEPRECATED(void
-                   BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long));
-# endif
+DEPRECATEDIN_1_0_0(unsigned long
+                   BN_BLINDING_get_thread_id(const BN_BLINDING *))
+DEPRECATEDIN_1_0_0(void
+                   BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long))
 CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
 void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
@@ -554,11 +547,9 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
                                                          BN_MONT_CTX *m_ctx),
                                       BN_MONT_CTX *m_ctx);
 
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(void BN_set_params(int mul, int high, int low, int mont));
-DECLARE_DEPRECATED(int BN_get_params(int which)); /* 0, mul, 1 high, 2 low, 3
-                                                   * mont */
-# endif
+DEPRECATEDIN_0_9_8(void BN_set_params(int mul, int high, int low, int mont))
+DEPRECATEDIN_0_9_8(int BN_get_params(int which)) /* 0, mul, 1 high, 2 low, 3
+                                                  * mont */
 
 BN_RECP_CTX *BN_RECP_CTX_new(void);
 void BN_RECP_CTX_free(BN_RECP_CTX *recp);

include/openssl/crypto.h

@@ -130,6 +130,7 @@
 # include <openssl/safestack.h>
 # include <openssl/opensslv.h>
 # include <openssl/ossl_typ.h>
+# include <openssl/opensslconf.h>
 
 # ifdef CHARSET_EBCDIC
 #  include <openssl/ebcdic.h>
@@ -141,10 +142,25 @@
  */
 # include <openssl/symhacks.h>
 
+# if OPENSSL_API_COMPAT < 0x10100000L
+#  include <openssl/opensslv.h>
+# endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
+# if OPENSSL_API_COMPAT < 0x10100000L
+#  define SSLeay                  OpenSSL_version_num
+#  define SSLeay_version          OpenSSL_version
+#  define SSLEAY_VERSION_NUMBER   OPENSSL_VERSION_NUMBER
+#  define SSLEAY_VERSION          OPENSSL_VERSION
+#  define SSLEAY_CFLAGS           OPENSSL_CFLAGS
+#  define SSLEAY_BUILT_ON         OPENSSL_BUILT_ON
+#  define SSLEAY_PLATFORM         OPENSSL_PLATFORM
+#  define SSLEAY_DIR              OPENSSL_DIR
+# endif /* OPENSSL_API_COMPAT */
+
 /*
  * When changing the CRYPTO_LOCK_* list, be sure to maintin the text lock
  * names in cryptlib.c
@@ -414,15 +430,15 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
 int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
 void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
 unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(void CRYPTO_set_id_callback(unsigned long (*func) (void)));
+DEPRECATEDIN_1_0_0(void CRYPTO_set_id_callback(unsigned long (*func) (void)))
 /*
- * mkdef.pl cannot handle this next one so not inside DECLARE_DEPRECATED,
- * but still inside OPENSSL_USE_DEPRECATED
+ * mkdef.pl cannot handle this next one so not inside DEPRECATEDIN_1_0_0,
+ * but still conditional on a lower or unknown source API version.
  */
+# if OPENSSL_API_COMPAT < 0x10000000L
 unsigned long (*CRYPTO_get_id_callback(void)) (void);
-DECLARE_DEPRECATED(unsigned long CRYPTO_thread_id(void));
 # endif
+DEPRECATEDIN_1_0_0(unsigned long CRYPTO_thread_id(void))
 
 const char *CRYPTO_get_lock_name(int type);
 int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,

include/openssl/dh.h

@@ -60,6 +60,7 @@
 # define HEADER_DH_H
 
 # include <openssl/e_os2.h>
+# include <openssl/opensslconf.h>
 
 # ifdef OPENSSL_NO_DH
 #  error DH is disabled.
@@ -67,7 +68,7 @@
 
 # include <openssl/bio.h>
 # include <openssl/ossl_typ.h>
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/bn.h>
 # endif
 
@@ -209,12 +210,10 @@ int DH_set_ex_data(DH *d, int idx, void *arg);
 void *DH_get_ex_data(DH *d, int idx);
 
 /* Deprecated version */
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(DH *DH_generate_parameters(int prime_len, int generator,
+DEPRECATEDIN_0_9_8(DH *DH_generate_parameters(int prime_len, int generator,
                                               void (*callback) (int, int,
                                                                 void *),
-                                              void *cb_arg));
-# endif                         /* defined(OPENSSL_USE_DEPRECATED) */
+                                              void *cb_arg))
 
 /* New version */
 int DH_generate_parameters_ex(DH *dh, int prime_len, int generator,

include/openssl/dsa.h

@@ -73,8 +73,9 @@
 # include <openssl/bio.h>
 # include <openssl/crypto.h>
 # include <openssl/ossl_typ.h>
+# include <openssl/opensslconf.h>
 
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/bn.h>
 #  ifndef OPENSSL_NO_DH
 #   include <openssl/dh.h>
@@ -222,16 +223,14 @@ DSA *d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length);
 DSA *d2i_DSAparams(DSA **a, const unsigned char **pp, long length);
 
 /* Deprecated version */
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(DSA *DSA_generate_parameters(int bits,
+DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
                                                 unsigned char *seed,
                                                 int seed_len,
                                                 int *counter_ret,
                                                 unsigned long *h_ret, void
                                                  (*callback) (int, int,
                                                               void *),
-                                                void *cb_arg));
-# endif                         /* defined(OPENSSL_USE_DEPRECATED) */
+                                                void *cb_arg))
 
 /* New version */
 int DSA_generate_parameters_ex(DSA *dsa, int bits,

include/openssl/ec.h

@@ -85,7 +85,7 @@
 
 # include <openssl/asn1.h>
 # include <openssl/symhacks.h>
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/bn.h>
 # endif
 

include/openssl/engine.h

@@ -71,7 +71,7 @@
 #  error ENGINE is disabled.
 # endif
 
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/bn.h>
 #  ifndef OPENSSL_NO_RSA
 #   include <openssl/rsa.h>

include/openssl/err.h

@@ -351,10 +351,8 @@ void ERR_load_crypto_strings(void);
 void ERR_free_strings(void);
 
 void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(void ERR_remove_state(unsigned long pid)); /* if zero we
-                                                               * look it up */
-# endif
+DEPRECATEDIN_1_0_0(void ERR_remove_state(unsigned long pid)) /* if zero we
+                                                              * look it up */
 ERR_STATE *ERR_get_state(void);
 
 LHASH_OF(ERR_STRING_DATA) *ERR_get_string_table(void);

include/openssl/hmac.h

@@ -73,13 +73,9 @@ HMAC_CTX *HMAC_CTX_new(void);
 int HMAC_CTX_reset(HMAC_CTX *ctx);
 void HMAC_CTX_free(HMAC_CTX *ctx);
 
-#ifdef OPENSSL_USE_DEPRECATED
+DEPRECATEDIN_1_1_0(__owur int HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
+                     const EVP_MD *md))
 
-/* deprecated */
-DECLARE_DEPRECATED(__owur int HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
-                     const EVP_MD *md));
-
-#endif
 /*__owur*/ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                             const EVP_MD *md, ENGINE *impl);
 /*__owur*/ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,

include/openssl/rand.h

@@ -95,9 +95,7 @@ int RAND_set_rand_engine(ENGINE *engine);
 RAND_METHOD *RAND_OpenSSL(void);
 void RAND_cleanup(void);
 int RAND_bytes(unsigned char *buf, int num);
-#ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(int RAND_pseudo_bytes(unsigned char *buf, int num));
-#endif
+DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
 void RAND_seed(const void *buf, int num);
 #if defined(__ANDROID__) && defined(__NDK_FPABI__)
 __NDK_FPABI__	/* __attribute__((pcs("aapcs"))) on ARM */

include/openssl/rsa.h

@@ -59,12 +59,13 @@
 #ifndef HEADER_RSA_H
 # define HEADER_RSA_H
 
+# include <openssl/opensslconf.h>
 # include <openssl/asn1.h>
 
 # include <openssl/bio.h>
 # include <openssl/crypto.h>
 # include <openssl/ossl_typ.h>
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/bn.h>
 # endif
 
@@ -212,7 +213,7 @@ struct rsa_st {
  * private key operations.
  */
 # define RSA_FLAG_NO_CONSTTIME           0x0100
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x00908000L
 /* deprecated name for the flag*/
 /*
  * new with 0.9.7h; the built-in RSA
@@ -316,11 +317,9 @@ int RSA_size(const RSA *rsa);
 int RSA_security_bits(const RSA *rsa);
 
 /* Deprecated version */
-# ifdef OPENSSL_USE_DEPRECATED
-DECLARE_DEPRECATED(RSA *RSA_generate_key(int bits, unsigned long e, void
-                                          (*callback) (int, int, void *),
-                                         void *cb_arg));
-# endif                         /* defined(OPENSSL_USE_DEPRECATED) */
+DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
+                                         (*callback) (int, int, void *),
+                                         void *cb_arg))
 
 /* New version */
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);

include/openssl/ssl.h

@@ -144,10 +144,11 @@
 # define HEADER_SSL_H
 
 # include <openssl/e_os2.h>
+# include <openssl/opensslconf.h>
 
 # include <openssl/comp.h>
 # include <openssl/bio.h>
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/x509.h>
 #  include <openssl/crypto.h>
 #  include <openssl/lhash.h>

include/openssl/store.h

@@ -67,7 +67,7 @@
 # endif
 
 # include <openssl/ossl_typ.h>
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/evp.h>
 #  include <openssl/bn.h>
 #  include <openssl/x509.h>

include/openssl/ui.h

@@ -60,11 +60,12 @@
 #ifndef HEADER_UI_H
 # define HEADER_UI_H
 
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  include <openssl/crypto.h>
 # endif
 # include <openssl/safestack.h>
 # include <openssl/ossl_typ.h>
+# include <openssl/opensslconf.h>
 
 #ifdef  __cplusplus
 extern "C" {

include/openssl/x509.h

@@ -65,6 +65,7 @@
 # define HEADER_X509_H
 
 # include <openssl/e_os2.h>
+# include <openssl/opensslconf.h>
 # include <openssl/symhacks.h>
 # include <openssl/buffer.h>
 # include <openssl/evp.h>
@@ -77,7 +78,7 @@
 #  include <openssl/ec.h>
 # endif
 
-# ifdef OPENSSL_USE_DEPRECATED
+# if OPENSSL_API_COMPAT < 0x10100000L
 #  ifndef OPENSSL_NO_RSA
 #   include <openssl/rsa.h>
 #  endif