Old OpenSSL Compatibility
Hal Murray
halmurray at sonic.net
Wed Dec 18 09:03:16 UTC 2024
> It used to be possible to build with --disable-nts when a sufficiently
> new OpenSSL wasn't available, but commit 7c8b5fe20 broke that. I'm not
> sure why cryptographic functions are needed at all with --disable-nts,
> but even if they are, the compatibility definitions could have been in a
> single header instead of replicated all over the place.
7c8b5fe20 was just cleaning up some thought to be no longer needed cruft.
From the man page:
The EVP_MD_CTX_create() and EVP_MD_CTX_destroy() functions were renamed
to EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1.0,
respectively.
What system do you have that is now causing troubles? Do we want to be
supporting systems that old and/or does anybody running stuff that old
want to run our code?
OpenSSL 1.x.x is no longer freely supported.
https://endoflife.date/openssl
Do we have an official support policy? I'm expecting something like "runs
on supported versions of most Unix like OSes with ntp_adjtime". Should we
add "using supported versions of OpenSSL"?
We need crypto for hashing IPv6 addresses, shared key authentication, the
cookies that mode6 uses, and checking the leapsecond file.
There was some maybe related discussion a while ago for FIPS mode. It
would be not-too-hard to recover the old stand-alone MD5 code. I think
that covers the IPv6, cookie, and leapsecond usage. We would have to add
an ifdef to skip the shared key code which might be useful anyway.
The cleanest fix I can think of right now would be something like
#ifndef HAVE_EVP_MD_CTX_new
#define EVP_MD_CTX_new EVP_MD_CTX_create
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
#endif
I don't see a good header file to put that in so I would make a new one
and include it where needed.
Modern header files have this:
# define EVP_MD_CTX_create() EVP_MD_CTX_new()
# define EVP_MD_CTX_init(ctx) EVP_MD_CTX_reset((ctx))
# define EVP_MD_CTX_destroy(ctx) EVP_MD_CTX_free((ctx))
I don't see any ifdef around that.
That's also in 1.1.0. So I think it would work if we hacked our code to
use the old names. But that is pretty ugly to me and could get confusing
if somebody was trying to use man pages to understand the code.
--
These are my opinions. I hate spam.