Old OpenSSL Compatibility (x: Old OpenSSL Cpmpaitibility)
Fred Wright
fw at fwright.net
Wed Dec 18 21:43:44 UTC 2024
On Wed, 18 Dec 2024, Hal Murray wrote:
>> It used to be possible to build with --disable-nts when a sufficiently
>> new OpenSSL wasn't available, but commit 7c8b5fe20 broke that. I'm not
>> sure why cryptographic functions are needed at all with --disable-nts,
>> but even if they are, the compatibility definitions could have been in a
>> single header instead of replicated all over the place.
>
[...]
> What system do you have that is now causing troubles? Do we want to be
> supporting systems that old and/or does anybody running stuff that old
> want to run our code?
I'm always in favor of maximum compatibility.
The non-Mac systems I have here are:
Ubuntu 22
Ubuntu 14
Debian 7
FreeBSD 10.3
OpenBSD 5.6
NetBSD 6.1.5
NetBSD was previously broken by another issue, but all the others worked
as of v1.2.3, at least with --disable-nts (though OpenBSD requires the
same patches as I use for older OSX versions). Of the above, only Ubuntu
22 can build the latest code.
[...]
> We need crypto for hashing IPv6 addresses, shared key authentication, the
> cookies that mode6 uses, and checking the leapsecond file.
For non-cryptographic uses, a Bob Jenkins hash is usually a better choice,
anyway, though the shared-key case probably doesn't qualify.
[...]
> The cleanest fix I can think of right now would be something like
>
> #ifndef HAVE_EVP_MD_CTX_new
> #define EVP_MD_CTX_new EVP_MD_CTX_create
> $define EVP_MD_CTX_free EVP_MD_CTX_destroy
> #endif
>
> I don't see a good header file to put that in so I would make a new one
> and include it where needed.
That's roughly what I'd do, though using function macros instead of simple
macros reduces the collision risk.
> Modern header files have this:
> # define EVP_MD_CTX_create() EVP_MD_CTX_new()
> # define EVP_MD_CTX_init(ctx) EVP_MD_CTX_reset((ctx))
> # define EVP_MD_CTX_destroy(ctx) EVP_MD_CTX_free((ctx))
> I don't see any ifdef around that.
>
> That's also in 1.1.0. So I think it would work if we hacked our code to
> use the old names. But that is pretty ugly to me and could get confusing
> if somebody was trying to use man pages to understand the code.
That approach seems backwards, and yes, confusing.
On Wed, 18 Dec 2024, Hal Murray via devel wrote:
>
>> I think the standalone MD5 and SHA code is long gone.
>
> Yes, but it's in git someplace. It won't be that hard to find if we
> really want it. I don't want to go there, but don't want to hide options
> either in case somebody thinks it is important.
But more work and more code than a couple of compatibility definitions.
>> I would be nice to move the control interface off of port 123 and away
>> from UDP in general.
>
> Yup. But that requires some thought and planning. It's not going to
> happen before a release.
The most important thing to get off of port 123 (and again, not right
before a release) is the client port. Using 123 as the client port is
extremely NAT-hostile. Some people switched from classic NTP to chrony
for that reason alone.
Fred Wright
More information about the devel
mailing list