Custom method functions removed from the OpenSSL Library

Following on from the removal of ENGINE code, deprecated functions for creating or modifying custom METHODS will be removed from OpenSSL 4.0.

Summary

For a complete list of deprecated functions removed in OpenSSL 4.0, please see the ossl-removed-api documentation. They are divided into the following pull requests:

Instead of using these methods, developers are encouraged to use the provider framework.

Details

The deprecated functions allowed developers to customize cryptographic functionality via the EVP (envelope) API. For instance, an application might use an optimized version of a cipher instead of the implementation provided by the OpenSSL Library. Alternatively, the custom methods could simply wrap the OpenSSL algorithms to add custom code before or after the algorithms were called. These functions could also facilitate hardware security module (HSM) integrations. While they could be used outside of the ENGINE context, this was less common.
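A check a practitioner would want before moving a code base to OpenSSL 4.0 is to find every call site that still builds or modifies one of these custom METHOD objects. The script below is an added example and is not code from the OpenSSL post or project: it scans a source tree for calls whose names start with the three families the post names (EVP_CIPHER_meth_*, EVP_MD_meth_*, EVP_PKEY_asn1_*), and the prefix list, the two sample source files and the helper names are all constructed for the example, not an exhaustive list of removed symbols.

```shell
#!/bin/sh
# Audit a source tree for calls to the custom-method APIs that OpenSSL 4.0 removes.
# Added example, not from the OpenSSL post or project. The prefix list is built
# from the three function families the post names and is deliberately not
# exhaustive; extend it from the ossl-removed-api documentation for a full audit.

# Prefixes of the removed function families (constructed from the post).
REMOVED_PREFIXES="EVP_CIPHER_meth_ EVP_MD_meth_ EVP_PKEY_asn1_"

# scan_removed_api DIR
# Prints one "file:line:source" entry per call site that uses a removed prefix.
# Returns 0 when the tree is clean and 1 when at least one call site was found,
# so it can gate a CI job ahead of an OpenSSL 4.0 upgrade.
scan_removed_api() {
    dir=$1
    hits=0
    for prefix in $REMOVED_PREFIXES; do
        # Match the prefix only at the start of an identifier and only when it is
        # followed by "(", so EVP_CIPHER_fetch( or a longer unrelated symbol does
        # not count as a hit. Only C/C++ sources and headers are inspected.
        pattern="(^|[^A-Za-z0-9_])${prefix}[A-Za-z0-9_]*[[:space:]]*\("
        out=$(grep -rnE --include='*.c' --include='*.h' --include='*.cc' \
                   --include='*.cpp' "$pattern" "$dir" 2>/dev/null) || true
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            n=$(printf '%s\n' "$out" | grep -c '')
            hits=$((hits + n))
        fi
    done
    [ "$hits" -eq 0 ]
}

# count_removed_api_uses DIR: prints the number of call sites found (0 when clean).
count_removed_api_uses() {
    n=$(scan_removed_api "$1" | grep -c '')
    echo "$n"
}

# make_sample_tree: writes two constructed source files into a temporary directory
# and prints its path. legacy.c wraps a cipher the pre-3.0 way; modern.c fetches
# the algorithm from a provider, which is the replacement the post recommends.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/legacy.c" <<'EOF'
/* constructed sample: pre-3.0 custom cipher and digest methods */
EVP_CIPHER *wrapped = EVP_CIPHER_meth_new(NID_aes_256_cbc, 16, 32);
EVP_CIPHER_meth_set_do_cipher(wrapped, my_do_cipher);
EVP_MD_meth_set_update(md, my_update);
EOF
    cat > "$d/modern.c" <<'EOF'
/* constructed sample: provider-based fetch, no custom METHOD object */
EVP_CIPHER *c = EVP_CIPHER_fetch(NULL, "AES-256-CBC", "provider=default");
EOF
    echo "$d"
}

# Stand-alone demo over the constructed tree. A real audit passes the project's
# own source directory to scan_removed_api instead of SAMPLE_TREE.
SAMPLE_TREE=$(make_sample_tree)
if scan_removed_api "$SAMPLE_TREE"; then
    echo "clean: no removed custom-method APIs found"
else
    echo "found $(count_removed_api_uses "$SAMPLE_TREE") call site(s) to migrate before OpenSSL 4.0"
fi
```

On the constructed tree the scan reports the three call sites in legacy.c and nothing from modern.c; the non-zero return from scan_removed_api is what a build pipeline would key on, while the printed file:line entries tell the developer where the provider migration has to happen.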

OpenSSL 3.0 introduced a new strategic architecture. Elements of the previous architecture, including ENGINEs and custom methods, were deprecated in favor of the provider interface. In order to maintain backward compatibility, they were not removed from the code. With the 4.0 major release, it’s time to remove this code in order to reduce the complexity and size of the OpenSSL code base.

The four pull requests listed above removed 8712 lines of code (7933 net of additions). In addition, removing EVP_CIPHER_meth_* allowed 9411 lines of dead code to be removed and removing EVP_MD_meth_* functions eliminated a further 397 lines.

Simple line counts undersell the complexity of the code being removed. The deprecated functions sit at the center of the cryptographic plumbing of libcrypto. In order to support the pre-3.0 ways of customizing algorithms, the legacy code needed to be compiled alongside the provider code.

    if (ctx->cipher == NULL || ctx->cipher->prov == NULL)
        goto legacy;

    ...

    /* Remove legacy code below when legacy support is removed. */
 legacy:

Now that ENGINEs have been removed, this legacy code has no real use. It should be noted that vulnerabilities are occasionally reported in deprecated code. As Bruce Schneier pointed out, “Complexity is the worst enemy of security”. Removing unneeded code, especially when its presence makes evaluating critical parts of the library more difficult, can only help increase the security of the OpenSSL Library.

With the exception of EVP_PKEY_asn1_*, these functions were deprecated in the 3.0.0 release in September of 2021. As a reminder, OpenSSL 3.5 is a long-term stable (LTS) release supported until April 8, 2030 and still includes these functions.