Remove OPENSSL_atexit();

OSSLINAPPL (OpenSSL Is Not A Public Portability Layer)

I blame @nhorman and @sashan, who made me update the adjacent
documentation, and it was sitting there like an unloved and
ignored chronically ill pet with no hope for any future
quality of life.

Since this really does not need an alternative API or a
deprecation stragegy, we can simply remove it. Anyone
who was using this can use libc atexit() if they must.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Wed Feb 11 17:37:33 2026
(Merged from https://github.com/openssl/openssl/pull/29874)

diff --git a/CHANGES.md b/CHANGES.md
index 217dda6591bfe89f96c1540c6ef74c47de4a6599..c0fe9bac1811f8870be5a1e7b4645e81cbf981a7 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -56,6 +56,10 @@ OpenSSL 4.0
 
    *Shane Lontis*
 
+ * OPENSSL_atexit() was removed.
+
+   *Bob Beck*
+
  * Support of deprecated elliptic curves in TLS according to RFC 8422 was
    disabled at compile-time by default. To enable it, use the
    `enable-tls-deprecated-ec` compilation option.

diff --git a/crypto/init.c b/crypto/init.c
index db9f18aee0b921dd013d97f20c08096b4cf1b571..f865affda9d79449ea69b4ad9a2ce076d1609a58 100644 (file)
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -500,12 +500,3 @@ void OPENSSL_cleanup(void)
     ossl_cleanup_destructor();
 #endif /* defined(DO_NOT_SKIP_OPENSSL_CLEANUP) */
 }
-
-int OPENSSL_atexit(void (*handler)(void))
-{
-#if defined(__TANDEM)
-    return 0;
-#else
-    return atexit(handler) == 0;
-#endif
-}

diff --git a/doc/man3/OPENSSL_init_crypto.pod b/doc/man3/OPENSSL_init_crypto.pod
index f79d1b97dc850930a8b19a601e7d920b0b146f5b..733f5c665d23677c9bcdaa4c8eaef08fbca4eac4 100644 (file)
--- a/doc/man3/OPENSSL_init_crypto.pod
+++ b/doc/man3/OPENSSL_init_crypto.pod
@@ -4,7 +4,7 @@
 
 OPENSSL_INIT_new, OPENSSL_INIT_set_config_filename,
 OPENSSL_INIT_set_config_appname, OPENSSL_INIT_set_config_file_flags,
-OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit,
+OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup,
 OPENSSL_thread_stop_ex, OPENSSL_thread_stop - OpenSSL initialisation
 and deinitialisation functions
 
@@ -14,7 +14,6 @@ and deinitialisation functions
 
  void OPENSSL_cleanup(void);
  int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
- int OPENSSL_atexit(void (*handler)(void));
  void OPENSSL_thread_stop_ex(OSSL_LIB_CTX *ctx);
  void OPENSSL_thread_stop(void);
 
@@ -165,8 +164,6 @@ OpenSSL error strings will not be available, only an error code. This code can
 be put through the openssl errstr command line application to produce a human
 readable error (see L<openssl-errstr(1)>).
 
-The OPENSSL_atexit() is a wrapper on atexit(3) provided by the platform's libc.
-
 The OPENSSL_thread_stop_ex() function deallocates resources associated
 with the current thread for the given OSSL_LIB_CTX B<ctx>. The B<ctx> parameter
 can be NULL in which case the default OSSL_LIB_CTX is used.
@@ -229,7 +226,7 @@ call should use the RTLD_NODELETE flag (where available on the platform).
 
 =head1 RETURN VALUES
 
-The functions OPENSSL_init_crypto, OPENSSL_atexit() and
+The functions OPENSSL_init_crypto, and
 OPENSSL_INIT_set_config_appname() return 1 on success or 0 on error.
 
 =head1 SEE ALSO
@@ -238,7 +235,7 @@ L<OPENSSL_init_ssl(3)>
 
 =head1 HISTORY
 
-The OPENSSL_init_crypto(), OPENSSL_cleanup(), OPENSSL_atexit(),
+The OPENSSL_init_crypto(), OPENSSL_cleanup()
 OPENSSL_thread_stop(), OPENSSL_INIT_new(), OPENSSL_INIT_set_config_appname()
 and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0.
 

diff --git a/doc/man7/ossl-removed-api.pod b/doc/man7/ossl-removed-api.pod
index 05dadb89887295a61b3072d630a751d410d7b95e..a0327c2fe2c1e34457ffbb7d83cb4a9eaf258951 100644 (file)
--- a/doc/man7/ossl-removed-api.pod
+++ b/doc/man7/ossl-removed-api.pod
@@ -391,6 +391,8 @@ This includes consulting the L<ossl-guide-migration(7)> documentation.
 
 =item EVP_PKEY_asn1_set_security_bits (Deprecated in 3.6.0) - consult L<ossl-guide-migration(7)>
 
+=item OPENSSL_atexit - No longer used, use libc atexit() if you must use this.
+
 =back
 
 =head1 SEE ALSO

diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
index c9dc3706f373b6d7f584d5487cf757eb256e5acc..c111cd2bc523883bd4d909e9bbbd390783970eb3 100644 (file)
--- a/include/openssl/crypto.h.in
+++ b/include/openssl/crypto.h.in
@@ -516,7 +516,6 @@ int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len);
 /* Library initialisation functions */
 void OPENSSL_cleanup(void);
 int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
-int OPENSSL_atexit(void (*handler)(void));
 void OPENSSL_thread_stop(void);
 void OPENSSL_thread_stop_ex(OSSL_LIB_CTX *ctx);
 

diff --git a/test/shlibloadtest.c b/test/shlibloadtest.c
index 5fa37415a57a5e2e66504fe7e95896cc797f86e9..d1b8628877e8a30a15f843a8893a2d530491ee8b 100644 (file)
--- a/test/shlibloadtest.c
+++ b/test/shlibloadtest.c
@@ -21,7 +21,6 @@ typedef const SSL_METHOD *(*TLS_method_t)(void);
 typedef SSL_CTX *(*SSL_CTX_new_t)(const SSL_METHOD *meth);
 typedef void (*SSL_CTX_free_t)(SSL_CTX *);
 typedef int (*OPENSSL_init_crypto_t)(uint64_t, void *);
-typedef int (*OPENSSL_atexit_t)(void (*handler)(void));
 typedef unsigned long (*ERR_get_error_t)(void);
 typedef unsigned long (*OPENSSL_version_major_t)(void);
 typedef unsigned long (*OPENSSL_version_minor_t)(void);
@@ -73,7 +72,6 @@ static int test_lib(void)
     OPENSSL_version_major_t myOPENSSL_version_major;
     OPENSSL_version_minor_t myOPENSSL_version_minor;
     OPENSSL_version_patch_t myOPENSSL_version_patch;
-    OPENSSL_atexit_t myOPENSSL_atexit;
     int result = 0;
 
     switch (test_type) {
@@ -124,8 +122,7 @@ static int test_lib(void)
     if (!sd_sym(cryptolib, "ERR_get_error", &symbols[0].sym)
         || !sd_sym(cryptolib, "OPENSSL_version_major", &symbols[1].sym)
         || !sd_sym(cryptolib, "OPENSSL_version_minor", &symbols[2].sym)
-        || !sd_sym(cryptolib, "OPENSSL_version_patch", &symbols[3].sym)
-        || !sd_sym(cryptolib, "OPENSSL_atexit", &symbols[4].sym)) {
+        || !sd_sym(cryptolib, "OPENSSL_version_patch", &symbols[3].sym)) {
         fprintf(stderr, "Failed to load libcrypto symbols\n");
         goto end;
     }
@@ -146,8 +143,7 @@ static int test_lib(void)
         goto end;
     }
 
-    myOPENSSL_atexit = (OPENSSL_atexit_t)symbols[4].func;
-    if (!myOPENSSL_atexit(atexit_handler)) {
+    if (atexit(atexit_handler) != 0) {
         fprintf(stderr, "Failed to register atexit handler\n");
         goto end;
     }
@@ -159,7 +155,7 @@ static int test_lib(void)
 
         /*
          * This is resembling the code used in ossl_init_base() and
-         * OPENSSL_atexit() to block unloading the library after dlclose().
+         * atexit() to block unloading the library after dlclose().
          * We are not testing this on Windows, because it is done there in a
          * completely different way. Especially as a call to DSO_dsobyaddr()
          * will always return an error, because DSO_pathbyaddr() is not

diff --git a/util/libcrypto.num b/util/libcrypto.num
index 275f01301e7a68a13e69c405c1ecf0867de461e9..80eb4309a7b3ebeb76ce7ecf71165da34144b068 100644 (file)
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -3601,7 +3601,6 @@ OPENSSL_gmtime_diff                     ? 4_0_0   EXIST::FUNCTION:
 CRYPTO_memcmp                           ?      4_0_0   EXIST::FUNCTION:
 OPENSSL_cleanup                         ?      4_0_0   EXIST::FUNCTION:
 OPENSSL_init_crypto                     ?      4_0_0   EXIST::FUNCTION:
-OPENSSL_atexit                          ?      4_0_0   EXIST::FUNCTION:
 OPENSSL_thread_stop                     ?      4_0_0   EXIST::FUNCTION:
 OPENSSL_thread_stop_ex                  ?      4_0_0   EXIST::FUNCTION:
 OPENSSL_INIT_new                        ?      4_0_0   EXIST::FUNCTION: