[Git][NTPsec/ntpsec][master] Several fixes for old OpenSSL and LibreSSL
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Mon Feb 3 10:48:25 UTC 2025
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
05d65d11 by Fred Wright at 2025-02-03T10:45:05+00:00
Several fixes for old OpenSSL and LibreSSL
- - - - -
7 changed files:
- attic/cmac-timing.c
- attic/digest-find.c
- attic/digest-timing.c
- include/hack-ancient-openssl.h
- libntp/authreadkeys.c
- libntp/pymodule-mac.c
- libntp/ssl_init.c
Changes:
=====================================
attic/cmac-timing.c
=====================================
@@ -36,7 +36,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#if OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/params.h>
#endif
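Review bot: The condition `OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)` is now written out at every guard in this file: here, at the `evp` declaration, twice in `ssl_init()`, before `One_EVP_MAC()` and around the EVP_MAC section of `main()`. Its complement and a `0x10101000L` variant are repeated the same way. Evaluating it once after the includes and setting a feature macro (for example `#define HAVE_EVP_MAC_API 1`, a suggested name), then testing that macro with `#ifdef` at each site, would keep the guards from drifting apart the next time a library variant needs special handling. Define the macro inside an `#if` block rather than expanding `defined(...)` from a macro body, since that expansion is not portable.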
@@ -50,7 +50,7 @@ int SAMPLESIZE = 1000000;
#define MAX_KEY_LENGTH 64
CMAC_CTX *cmac;
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#if OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MAC_CTX *evp;
#endif
@@ -60,14 +60,14 @@ unsigned char answer[EVP_MAX_MD_SIZE];
static void ssl_init(void)
{
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#if OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MAC *mac;
#endif
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
cmac = CMAC_CTX_new();
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#if OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)
mac = EVP_MAC_fetch(NULL, "cmac", NULL);
if (NULL == mac)
printf("## Oops, EVP_MAC_fetch() failed.\n");
@@ -163,7 +163,7 @@ static void DoCMAC(
printf("\n");
}
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
static size_t One_PKEY(
EVP_MD_CTX *ctx, /* context */
uint8_t *key, /* key pointer */
@@ -307,7 +307,7 @@ static void DoPKEY2(
}
#endif
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#if OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)
static size_t One_EVP_MAC(
EVP_MAC_CTX *ctx, /* context */
char *name, /* name of cipher (with -cbc) */
@@ -578,7 +578,7 @@ int main(int argc, char *argv[])
DoCMAC("AES-256", key, 32, packet, PACKET_LENGTH);
if (do_all) {
-#if OPENSSL_VERSION_NUMBER < 0x20000000L
+#if OPENSSL_VERSION_NUMBER < 0x20000000L || defined(LIBRESSL_VERSION_NUMBER)
/* Hangs on 3.0.0 Checking OPENSSL_NO_DES doesn't work. */
DoCMAC("DES", key, 8, packet, PACKET_LENGTH);
#endif
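Review bot: The comment under this guard still reads `Hangs on 3.0.0 Checking OPENSSL_NO_DES doesn't work.`, but with `|| defined(LIBRESSL_VERSION_NUMBER)` the DES run is now also enabled on every LibreSSL release, which the comment does not mention. If the intent is that LibreSSL behaves like pre-3.0 OpenSSL here, say so, e.g. `/* DES hangs on OpenSSL 3.0.0 and OPENSSL_NO_DES can't detect that; LibreSSL is treated as pre-3.0. */`. The same guard in the `DoPKEY("DES", ...)` and `DoPKEY2("DES", ...)` hunks below has no comment at all. `main()` begins and ends outside this hunk.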
@@ -595,7 +595,7 @@ if (do_all) {
DoCMAC("ARIA-256", key, 32, packet, PACKET_LENGTH);
}
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
printf("\n");
printf("# KL=key length, PL=packet length, CL=CMAC length\n");
printf("# PKEY KL PL CL ns/op sec/run\n");
@@ -607,7 +607,7 @@ if (do_all) {
DoPKEY("AES-256", key, 32, packet, PACKET_LENGTH);
if (do_all) {
-#if OPENSSL_VERSION_NUMBER < 0x20000000L
+#if OPENSSL_VERSION_NUMBER < 0x20000000L || defined(LIBRESSL_VERSION_NUMBER)
DoPKEY("DES", key, 8, packet, PACKET_LENGTH);
#endif
DoPKEY("DES-EDE", key, 16, packet, PACKET_LENGTH);
@@ -633,7 +633,7 @@ if (do_all) {
DoPKEY2("AES-256", key, 32, packet, PACKET_LENGTH);
if (do_all) {
-#if OPENSSL_VERSION_NUMBER < 0x20000000L
+#if OPENSSL_VERSION_NUMBER < 0x20000000L || defined(LIBRESSL_VERSION_NUMBER)
DoPKEY2("DES", key, 8, packet, PACKET_LENGTH);
#endif
DoPKEY2("DES-EDE", key, 16, packet, PACKET_LENGTH);
@@ -650,7 +650,7 @@ if (do_all) {
}
#endif
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#if OPENSSL_VERSION_NUMBER > 0x20000000L && !defined(LIBRESSL_VERSION_NUMBER)
printf("\n");
printf("# KL=key length, PL=packet length, CL=CMAC length\n");
printf("# EVP_MAC KL PL CL ns/op sec/run\n");
@@ -717,7 +717,8 @@ if (do_all) {
Do_EVP_MAC3("ARIA-192", key, 24, packet, PACKET_LENGTH);
Do_EVP_MAC3("ARIA-256", key, 32, packet, PACKET_LENGTH);
}
-#endif /* OPENSSL_VERSION_NUMBER > 0x20000000L */
+#endif /* OPENSSL_VERSION_NUMBER > 0x20000000L
+ && !defined(LIBRESSL_VERSION_NUMBER) */
return 0;
}
=====================================
attic/digest-find.c
=====================================
@@ -27,6 +27,8 @@
#include <openssl/ssl.h>
#include <openssl/evp.h>
+#include "hack-ancient-openssl.h"
+
#define UNUSED_ARG(arg) ((void)(arg))
/* 2023-Jan-10
=====================================
attic/digest-timing.c
=====================================
@@ -36,8 +36,9 @@
#include <openssl/objects.h>
#include <openssl/ssl.h>
-#define UNUSED_ARG(arg) ((void)(arg))
+#include "hack-ancient-openssl.h"
+#define UNUSED_ARG(arg) ((void)(arg))
/* Get timing for old slower way too. Pre Feb 2018 */
#define DoSLOW 1
=====================================
include/hack-ancient-openssl.h
=====================================
@@ -19,10 +19,35 @@
#ifndef GUARD_HACK_ANCIENT_OPENSSL_H
#define GUARD_HACK_ANCIENT_OPENSSL_H
+#include "config.h"
+
#ifndef HAVE_EVP_MD_CTX_NEW
- #define EVP_MD_CTX_new() EVP_MD_CTX_create()
- #define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_init((ctx))
- #define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy((ctx))
-#endif
+
+#include <openssl/evp.h>
+
+static inline EVP_MD_CTX *
+EVP_MD_CTX_new(void) {
+ (void) EVP_MD_CTX_new;
+ return EVP_MD_CTX_create();
+}
+
+// Note the difference in the return types.
+// The return value for EVP_MD_CTX_reset isn't documented in the manpage,
+// but since other int-returning functions return 0 for failure and 1 for
+// success, we assume the same here.
+static inline int
+EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
+ (void) EVP_MD_CTX_reset;
+ EVP_MD_CTX_init(ctx);
+ return 1;
+}
+
+static inline void
+EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
+ (void) EVP_MD_CTX_free;
+ EVP_MD_CTX_destroy(ctx);
+}
+
+#endif /* !HAVE_EVP_MD_CTX_NEW */
#endif /* GUARD_HACK_ANCIENT_OPENSSL_H */
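Review bot: The `EVP_MD_CTX_reset()` shim forwards to `EVP_MD_CTX_init()`, which on pre-1.1.0 OpenSSL only zeroes the structure, so resetting a context that has already been used would neither wipe nor free the digest's internal state buffer. The pre-1.1.0 call with reset semantics is `EVP_MD_CTX_cleanup()`, which cleanses and releases that state and already returns `int`; the body could be `return EVP_MD_CTX_cleanup(ctx);`, which also removes the assumed `return 1`. No callers are visible on this page, so whether a used context is ever reset needs checking, but for a context that hashed key material the leftover state is worth closing off. The `(void) EVP_MD_CTX_new;` style self-references in all three shims should carry a short comment, e.g. `/* reference self to silence unused-function warnings */`, if that is their purpose.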
=====================================
libntp/authreadkeys.c
=====================================
@@ -20,11 +20,13 @@
#include "ntp_auth.h"
#include <openssl/objects.h>
+#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/err.h>
+
#include "hack-ancient-openssl.h"
-#if OPENSSL_VERSION_NUMBER < 0x20000000L
+#if OPENSSL_VERSION_NUMBER < 0x20000000L || defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/cmac.h>
#endif
=====================================
libntp/pymodule-mac.c
=====================================
@@ -20,19 +20,19 @@
#define OPENSSL_SUPPRESS_DEPRECATED 1
#include <openssl/evp.h>
#include <openssl/cmac.h>
+#include <openssl/opensslv.h>
// Needed on OpenSSL < 1.1.0
-// I don't think this is needed on modern versions,
-// but I'm leaving this code around for a while in case we do need it.
-// HGM: 2024-Jun-11
static void init_ssl(void) {
-// static bool init_done = false;
-// if (init_done) {
-// return;
-// }
-// init_done = true;
-// OpenSSL_add_all_ciphers();
-// OpenSSL_add_all_digests();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ static bool init_done = false;
+ if (init_done) {
+ return;
+ }
+ init_done = true;
+ OpenSSL_add_all_ciphers();
+ OpenSSL_add_all_digests();
+#endif
}
/* xx = ntp.ntpc.checkname(name)
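Review bot: The restored body of `init_ssl()` is guarded by `OPENSSL_VERSION_NUMBER < 0x10100000L` alone, while this commit makes `ssl_init()` in libntp/ssl_init.c call `OpenSSL_add_all_digests()` and `OpenSSL_add_all_ciphers()` under `OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. If LibreSSL needs the explicit registration there, the Python module presumably needs it too, or digest and cipher lookups by name could fail only when called through the module. Consider `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` and updating the `// Needed on OpenSSL < 1.1.0` comment to match. `static bool init_done` also relies on `<stdbool.h>`, which is not among the includes visible in this hunk.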
=====================================
libntp/ssl_init.c
=====================================
@@ -18,7 +18,7 @@
#include <openssl/cmac.h>
#endif
-#ifdef LIBRESSL_VERSION_NUMBER
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void atexit_ssl_cleanup(void);
#endif
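Review bot: The widened condition on the `atexit_ssl_cleanup()` prototype is repeated at the call site in `ssl_init()` and at the function definition (the next two hunks), and nothing at any of the three says why pre-1.1.0 OpenSSL is now grouped with LibreSSL. A one-line comment at this first occurrence would document it, e.g. `/* OpenSSL < 1.1.0 and LibreSSL: register algorithms explicitly and clean up at exit */`. The three guards have to change together, so a single locally defined macro tested with `#ifdef` would be less fragile than three copies of the expression.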
@@ -43,7 +43,7 @@ ssl_init(void)
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
#endif
-#ifdef LIBRESSL_VERSION_NUMBER
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
atexit(&atexit_ssl_cleanup);
@@ -108,7 +108,7 @@ ssl_init(void)
}
-#ifdef LIBRESSL_VERSION_NUMBER
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
atexit_ssl_cleanup(void)
{
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/05d65d1144e7827e8ede4eb37e1c67f1065a317d