[Git][NTPsec/ntpsec][2026-06-drop-ancient-openssl-hack] 2 commits: chore: remove ancient OpenSSL compatibility shim
Mark Atwood (@MarkAtwood)
gitlab at mg.gitlab.com
Mon Jun 22 05:04:08 UTC 2026
Mark Atwood pushed to branch 2026-06-drop-ancient-openssl-hack at NTPsec / ntpsec
Commits:
2a778dde by Mark Atwood at 2026-06-21T22:03:49-07:00
chore: remove ancient OpenSSL compatibility shim
Remove hack-ancient-openssl.h which provided shims for OpenSSL < 1.1.0:
- EVP_MD_CTX_new -> EVP_MD_CTX_create
- EVP_MD_CTX_reset -> EVP_MD_CTX_init
- EVP_MD_CTX_free -> EVP_MD_CTX_destroy
OpenSSL 1.1.0 was released in 2016. Since we now require OpenSSL 3.0+,
this compatibility code is dead. The HAVE_EVP_MD_CTX_NEW check was
always true on any supported system.
- Delete include/hack-ancient-openssl.h
- Remove includes from 6 source files + 2 attic files
- Remove configure probe for EVP_MD_CTX_new
- - - - -
4c612868 by Mark Atwood at 2026-06-21T22:03:49-07:00
chore: remove dead OpenSSL < 1.1.0 code paths
Remove code that was only compiled for OpenSSL < 1.1.0:
- libntp/pymodule-mac.c: Remove init_ssl() function and its calls.
This was a no-op on OpenSSL >= 1.1.0.
- libntp/ssl_init.c: Change version checks from
'OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)'
to just 'defined(LIBRESSL_VERSION_NUMBER)'.
Preserves LibreSSL compat while removing ancient OpenSSL path.
OpenSSL 1.1.0 was released in 2016; no supported distro ships older.
- - - - -
10 changed files:
- attic/digest-find.c
- attic/digest-timing.c
- − include/hack-ancient-openssl.h
- libntp/authreadkeys.c
- libntp/macencrypt.c
- libntp/pymodule-mac.c
- libntp/ssl_init.c
- ntpd/ntp_control.c
- ntpd/ntp_leapsec.c
- wscript
Changes:
=====================================
attic/digest-find.c
=====================================
@@ -27,7 +27,6 @@
#include <openssl/ssl.h>
#include <openssl/evp.h>
-#include "hack-ancient-openssl.h"
#define UNUSED_ARG(arg) ((void)(arg))
=====================================
attic/digest-timing.c
=====================================
@@ -36,7 +36,6 @@
#include <openssl/objects.h>
#include <openssl/ssl.h>
-#include "hack-ancient-openssl.h"
#define UNUSED_ARG(arg) ((void)(arg))
=====================================
include/hack-ancient-openssl.h deleted
=====================================
@@ -1,53 +0,0 @@
-/*
- * hack-ancient-openssl.h - hack to run on ancient versions of OpenSSL
- * Copyright the NTPsec project contributors
- * SPDX-License-Identifier: BSD-2-Clause
- *
- * This is needed only on ancient systems that
- * are using OpenSSL older than OpenSSL 1.1.0.
- *
- * From the man page:
- * The EVP_MD_CTX_create() and EVP_MD_CTX_destroy() functions were renamed
- * to EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1.0,
- * respectively.
- *
- * See:
- * https://lists.ntpsec.org/pipermail/devel/2024-December/010502.html
- * https://lists.ntpsec.org/pipermail/devel/2024-June/010451.html
- */
-
-#ifndef GUARD_HACK_ANCIENT_OPENSSL_H
-#define GUARD_HACK_ANCIENT_OPENSSL_H
-
-#include "config.h"
-
-#ifndef HAVE_EVP_MD_CTX_NEW
-
-#include <openssl/evp.h>
-
-static inline EVP_MD_CTX *
-EVP_MD_CTX_new(void) {
- (void) EVP_MD_CTX_new;
- return EVP_MD_CTX_create();
-}
-
-// Note the difference in the return types.
-// The return value for EVP_MD_CTX_reset isn't documented in the manpage,
-// but since other int-returning functions return 0 for failure and 1 for
-// success, we assume the same here.
-static inline int
-EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
- (void) EVP_MD_CTX_reset;
- EVP_MD_CTX_init(ctx);
- return 1;
-}
-
-static inline void
-EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
- (void) EVP_MD_CTX_free;
- EVP_MD_CTX_destroy(ctx);
-}
-
-#endif /* !HAVE_EVP_MD_CTX_NEW */
-
-#endif /* GUARD_HACK_ANCIENT_OPENSSL_H */
=====================================
libntp/authreadkeys.c
=====================================
@@ -24,7 +24,6 @@
#include <openssl/evp.h>
#include <openssl/err.h>
-#include "hack-ancient-openssl.h"
#if OPENSSL_VERSION_NUMBER < 0x20000000L || defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/cmac.h>
=====================================
libntp/macencrypt.c
=====================================
@@ -52,7 +52,6 @@
#include <openssl/err.h>
#include <openssl/evp.h> /* provides OpenSSL digest API */
#include <openssl/md5.h>
-#include "hack-ancient-openssl.h"
#include "ntp_fp.h"
#include "ntp_stdlib.h"
=====================================
libntp/pymodule-mac.c
=====================================
@@ -13,7 +13,6 @@
#include "ntp_stdlib.h"
#include "pymodule-mac.h"
-#include "hack-ancient-openssl.h"
// Don't include Python.h
@@ -22,18 +21,6 @@
#include <openssl/cmac.h>
#include <openssl/opensslv.h>
-// Needed on OpenSSL < 1.1.0
-static void init_ssl(void) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- static bool init_done = false;
- if (init_done) {
- return;
- }
- init_done = true;
- OpenSSL_add_all_ciphers();
- OpenSSL_add_all_digests();
-#endif
-}
/* xx = ntp.ntpc.checkname(name)
* returns false if algorithm name is invalid.
@@ -44,7 +31,6 @@ int do_checkname(const char *name)
const EVP_MD *digest;
const EVP_CIPHER *cipher;
- init_ssl();
strlcpy(upcase, name, sizeof(upcase));
for (int i=0; upcase[i]!=0; i++) {
@@ -90,7 +76,6 @@ void do_mac(char *name,
size_t cipherlen;
uint8_t newkey[EVP_MAX_KEY_LENGTH];
- init_ssl();
strlcpy(upcase, name, sizeof(upcase));
for (int i=0; upcase[i]!=0; i++) {
=====================================
libntp/ssl_init.c
=====================================
@@ -9,7 +9,6 @@
#include <stdbool.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
-#include "hack-ancient-openssl.h"
#if OPENSSL_VERSION_NUMBER > 0x20000000L
#include <openssl/params.h>
@@ -18,7 +17,7 @@
#include <openssl/cmac.h>
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
static void atexit_ssl_cleanup(void);
#endif
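Review bot: The narrowed guard `#if defined(LIBRESSL_VERSION_NUMBER)` has no comment saying what it protects, and the same bare guard recurs in the two later hunks of this file (inside ssl_init() and around the atexit_ssl_cleanup() definition). With the version comparison gone, a reader can no longer infer the reason from the condition itself. I would add one line above the first guard, e.g. `/* LibreSSL only: explicit algorithm registration and atexit cleanup are kept for LibreSSL compat */`. As a style point, `#ifdef LIBRESSL_VERSION_NUMBER` is the shorter equivalent for a single-macro test.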
@@ -43,7 +42,7 @@ ssl_init(void)
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
atexit(&atexit_ssl_cleanup);
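Review bot: After this change a non-LibreSSL build never reaches `OpenSSL_add_all_digests()`/`OpenSSL_add_all_ciphers()`, yet nothing visible in this file rejects a library older than the stated minimum, and the wscript hunk in the same push drops the `EVP_MD_CTX_new` configure probe. If the build system does not already enforce the OpenSSL 3.0 floor named in the commit message, a compile-time guard near the includes would turn a mismatched toolchain into an explicit error rather than an obscure compile or link failure: `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x30000000L`, `#error "OpenSSL 3.0 or newer is required"`, `#endif`. The body of ssl_init() starts and ends outside this hunk, so the condition gating the preceding `OPENSSL_init_ssl()` call cannot be seen from here.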
@@ -108,7 +107,7 @@ ssl_init(void)
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
static void
atexit_ssl_cleanup(void)
{
=====================================
ntpd/ntp_control.c
=====================================
@@ -14,7 +14,6 @@
#include <stdbool.h>
#include <openssl/evp.h> /* provides OpenSSL digest API */
-#include "hack-ancient-openssl.h"
#include "ntpd.h"
#include "ntp_io.h"
=====================================
ntpd/ntp_leapsec.c
=====================================
@@ -29,7 +29,6 @@
#include "lib_strbuf.h"
#include <openssl/evp.h>
-#include "hack-ancient-openssl.h"
#define ISC_SHA1_DIGESTLENGTH 20U
=====================================
wscript
=====================================
@@ -627,8 +627,6 @@ int main(int argc, char **argv) {
# Sanity checks to give a sensible error message
required_functions = (
- # Check for ancient version of OpenSSL.
- ('EVP_MD_CTX_new', ["openssl/evp.h"], "CRYPTO", False),
# MacOS doesn't have timer_create ??
('timer_create', ["signal.h", "time.h"], "RT", False),
## Very old versions of OpenSSL don't have cmac.h
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/d961629b83572ae8375e9c2a3c28eeeb25fc06fa...4c612868637b94d13218523869c4055a59d484b1