[Bug 3548] Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error
https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #1 from Sam James <sam@gentoo.org> ---
(This is with 9.2_p1).

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net

--- Comment #2 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Sam James from comment #0)
> the relevant OpenSSL versions are supposed to be ABI compatible?

Looks like OpenSSL changed their compatibility guarantees between 1.1
and 3: https://www.openssl.org/policies/releasestrat.html

"As of release 3.0.0, the OpenSSL versioning scheme is changing to a
more contemporary format: MAJOR.MINOR.PATCH

With this format, API/ABI compatibility will be guaranteed for the same
MAJOR version number. Previously we guaranteed API/ABI compatibility
across the same MAJOR.MINOR combination."

Our check only implements the latter.


Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org
Attachment #3684 Flags| |ok?(djm@mindrot.org)

--- Comment #3 from Darren Tucker <dtucker@dtucker.net> ---
Created attachment 3684
--> https://bugzilla.mindrot.org/attachment.cgi?id=3684&action=edit
Update OpenSSL version check for v3 policy. Remove <1 since we no
longer support them.

I think this will fix it (untested).


--- Comment #4 from Damien Miller <djm@mindrot.org> ---
Created attachment 3685
--> https://bugzilla.mindrot.org/attachment.cgi?id=3685&action=edit
My take

Don't we still want to prevent backsliding? The OpenSSL page says this:

"MINOR: API/ABI compatible feature releases will change this"

I could interpret this to mean that a minor release could add API.
It would still be API/ABI compatible but only in one direction.


--- Comment #5 from Sam James <sam@gentoo.org> ---
Ah, thanks, that makes sense. I thought I remembered 1.0 and 1.1 being
incompatible so I knew something had changed, but didn't dig into what
yet.

Your patch seems to work and cope with upgrading openssl.


--- Comment #6 from Sam James <sam@gentoo.org> ---
(In reply to Damien Miller from comment #4)
> I could interpret this to mean that a minor release could add
> API. It would still be API/ABI compatible but only in one direction.

This is generally the case for any shared library because of symbol
versioning - you often can't upgrade, build a bunch of stuff against
the new version, then downgrade it. But openssh has very few
dependencies and even fewer which use symbol versioning, so I guess
this doesn't come up often.


--- Comment #7 from Darren Tucker <dtucker@dtucker.net> ---
Comment on attachment 3685
--> https://bugzilla.mindrot.org/attachment.cgi?id=3685
My take

>+ lfix = (libver & 0x0ffffff0L) >> 12;
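Review bot: In "lfix = (libver & 0x0ffffff0L) >> 12;" the mask and the shift disagree: the mask keeps bits 4 to 27, but the right shift by 12 then discards bits 4 to 11, so the low "ff0" of the mask has no effect on the value compared. If those bits are meant to take part in the comparison, shift by 4 instead; if they are not, write the mask as 0x0ffff000L and add a comment naming the fields that lfix is meant to hold.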

That's going to include the patchlevel, which we previously did not (but
since they also say "We also allow backporting of accessor functions in
these releases", was that deliberate? If so, is there any point in
disallowing this here, since in that case the dynamic linking would
fail anyway before we got to this check?)

If we're going to do the same checks we can use the same code.

    if (headerver < 0x3000000f) {
        mask = 0xfff0000fL; /* major,minor,status */
        hfix = (headerver & 0x000ff000) >> 12;
        lfix = (libver & 0x000ff000) >> 12;
    } else {
        mask = 0xf000000fL; /* major, status */
        hfix = (headerver & 0x0ffffff0L) >> 12;
        lfix = (libver & 0x0ffffff0L) >> 12;
    }

    if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
        return 1;
    return 0;

If you ignore the patchlevel for both you could even complement the
mask and use that to compute hfix and lfix once, but I think that'd be
sufficiently unclear as to be not worth the couple of lines saved.


--- Comment #8 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Darren Tucker from comment #7)
> since in that case the dynamic linking would fail

Actually, adding accessors would be fine, only deleting them would be a
problem, so I don't see any reason we'd want to include the patchlevel
in the check?

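An added example, not OpenSSH's code and not either attachment, of the two policies discussed in this thread: the pre-3.0 rule that produces the reported mismatch, and a 3.x rule that matches on MAJOR only while refusing an older MINOR (comment #4) and ignoring the patch level (comment #8). The names mkver, compat_majmin, compat_major and compat_openssl are hypothetical, and the sample version numbers are constructed from their fields.

```c
#include <stdio.h>

/* OPENSSL_VERSION_NUMBER fields, per the masks quoted in the thread. */
#define V_MAJOR(v)  (((v) >> 28) & 0xfUL)
#define V_MINOR(v)  (((v) >> 20) & 0xffUL)
#define V_FIX(v)    (((v) >> 12) & 0xffUL)
#define V_STATUS(v) ((v) & 0xfUL)

/* Assemble a version number from its fields (for the constructed samples). */
static unsigned long
mkver(unsigned long maj, unsigned long min, unsigned long fix,
    unsigned long patch, unsigned long status)
{
    return (maj << 28) | (min << 20) | (fix << 12) | (patch << 4) | status;
}

/* Pre-3.0 rule: MAJOR, MINOR and status equal, library fix not older. */
static int
compat_majmin(unsigned long hdr, unsigned long lib)
{
    return V_MAJOR(hdr) == V_MAJOR(lib) && V_MINOR(hdr) == V_MINOR(lib) &&
        V_STATUS(hdr) == V_STATUS(lib) && V_FIX(lib) >= V_FIX(hdr);
}

/* 3.x rule: MAJOR and status equal, library MINOR not older, patch ignored. */
static int
compat_major(unsigned long hdr, unsigned long lib)
{
    return V_MAJOR(hdr) == V_MAJOR(lib) && V_STATUS(hdr) == V_STATUS(lib) &&
        V_MINOR(lib) >= V_MINOR(hdr);
}

/* Pick the rule from the version the binary was compiled against. */
static int
compat_openssl(unsigned long hdr, unsigned long lib)
{
    if (hdr == lib)
        return 1;   /* exact match is always accepted */
    return V_MAJOR(hdr) >= 3 ? compat_major(hdr, lib) : compat_majmin(hdr, lib);
}

int main(void)
{
    /* Constructed samples: 3.0.8 and 3.1.0 release numbers. */
    unsigned long v308 = mkver(3, 0, 0, 8, 0), v310 = mkver(3, 1, 0, 0, 0);
    printf("old rule, built 3.0.8, running 3.1.0: %d\n", compat_majmin(v308, v310));
    printf("new rule, built 3.0.8, running 3.1.0: %d\n", compat_openssl(v308, v310));
    printf("new rule, built 3.1.0, running 3.0.8: %d\n", compat_openssl(v310, v308));
    return 0;
}
```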

psykose <alice@ayaya.dev> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |alice@ayaya.dev


Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3549


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #3684 Flags| |ok+
