Mailing List Archive

[PATCH] compat: Relax version check with OpenSSL 3.0+
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

OpenSSL 3.1.0 uses the same ABI as OpenSSL 3.0.x series. Further 3.1.x
releases are just stable updates and no ABI change (is expected) just
like the 3.0.x series.

Relax the version check for OpenSSL 3+ and rely on ABI compatibility.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
openbsd-compat/openssl-compat.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index c1749210d586f..5b35253f1d19b 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -54,6 +54,10 @@ ssh_compatible_openssl(long headerver, long libver)
return (headerver & mask) == (libver & mask);
}

+ /* For versions > 3.0.0, we rely on upstream's ABI */
+ if (headerver > 0x3000000f)
+ return 1;
+
/*
* For versions >= 1.0.0, major,minor must match and library
* fix version must be equal to or newer than the header.
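Review bot: the new early return tests only `headerver`; `libver` is never consulted, so a binary built against any header newer than 0x3000000f is reported compatible with whatever libcrypto is loaded at run time, including a library from a different major series or one older than the build headers. If the intent is to rely on ABI stability within a major release, compare the major field of both values before returning, for example `(headerver & 0xf0000000) == (libver & 0xf0000000)`, and let a mismatch return 0.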
--
2.40.1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
RE: [PATCH] compat: Relax version check with OpenSSL 3.0+
On Sunday, May 7, 2023 3:53 PM, Sebastian Andrzej Siewior wrote:
>OpenSSL 3.1.0 uses the same ABI as OpenSSL 3.0.x series. Further 3.1.x releases are
>just stable updates and no ABI change (is expected) just like the 3.0.x series.
>
>Relax the version check for OpenSSL 3+ and rely on ABI compatibility.
>
>Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
>---
> openbsd-compat/openssl-compat.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/openbsd-compat/openssl-compat.c
b/openbsd-compat/openssl-compat.c
>index c1749210d586f..5b35253f1d19b 100644
>--- a/openbsd-compat/openssl-compat.c
>+++ b/openbsd-compat/openssl-compat.c
>@@ -54,6 +54,10 @@ ssh_compatible_openssl(long headerver, long libver)
> return (headerver & mask) == (libver & mask);
> }
>
>+ /* For versions > 3.0.0, we rely on upstream's ABI */
>+ if (headerver > 0x3000000f)
>+ return 1;
>+
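Review bot: the threshold and its comment do not line up with the patch subject. `if (headerver > 0x3000000f)` is a strict comparison, so headers reporting exactly 0x3000000f fall through to the 1.x rules below, while the subject says "OpenSSL 3.0+" and the comment says "> 3.0.0". Either use `>=` or state in the comment that the base value is deliberately excluded and why.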

Is this not already covered using the --without-openssl-header-check
configuration option?
--Randall

Re: [PATCH] compat: Relax version check with OpenSSL 3.0+
On Mon, 8 May 2023 at 06:13, <rsbecker@nexbridge.com> wrote:
[...]
> Is this not already covered using the --without-openssl-header-check
> configuration option?

No. That configure option will disable the consistency check between
the headers and library versions at compile time, ie the API. It was
added when some vendors (from memory, Apple) started shipping
libcrypto updates without the corresponding header updates.

This diff posted affects the check between the version it was compiled
against and the currently installed library version, ie the ABI.
OpenSSL improved the ABI compatibility from "must be the same minor
release" in 1.x to "must be the same major release" in 3.x but we
currently only have the 1.x checks. Damien had a slightly different
diff that also fixed this, not sure what happened to it.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

RE: [PATCH] compat: Relax version check with OpenSSL 3.0+
On Sunday, May 7, 2023 7:08 PM, Darren Tucker wrote:
>On Mon, 8 May 2023 at 06:13, <rsbecker@nexbridge.com> wrote:
>[...]
>> Is this not already covered using the --without-openssl-header-check
>> configuration option?
>
>No. That configure option will disable the consistency check between the headers
>and library versions at compile time, ie the API. It was added when some vendors
>(from memory, Apple) started shipping libcrypto updates without the corresponding
>header updates.
>
>This diff posted affects the check between the version it was compiled against and
>the currently installed library version, ie the ABI.
>OpenSSL improved the ABI compatibility from "must be the same minor release" in
>1.x to "must be the same major release" in 3.x but we currently only have the 1.x
>checks. Damien had a slightly different diff that also fixed this, not sure what
>happened to it.

Thanks, I understand better now.
--Randall

Re: [PATCH] compat: Relax version check with OpenSSL 3.0+
Darren Tucker <dtucker@dtucker.net> writes:

> On Mon, 8 May 2023 at 06:13, <rsbecker@nexbridge.com> wrote:
> [...]
>> Is this not already covered using the --without-openssl-header-check
>> configuration option?
>
> No. That configure option will disable the consistency check between
> the headers and library versions at compile time, ie the API. It was
> added when some vendors (from memory, Apple) started shipping
> libcrypto updates without the corresponding header updates.
>
> This diff posted affects the check between the version it was compiled
> against and the currently installed library version, ie the ABI.
> OpenSSL improved the ABI compatibility from "must be the same minor
> release" in 1.x to "must be the same major release" in 3.x but we
> currently only have the 1.x checks. Damien had a slightly different
> diff that also fixed this, not sure what happened to it.

IIRC not committed yet. It's https://bugzilla.mindrot.org/show_bug.cgi?id=3548
which I also posted about at
https://lore.kernel.org/distributions/87lejy7ilz.fsf@gentoo.org/T/#u.

best,
sam