openssh bugs - Mar 2023 - [Bug 3548] New: Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to version mismatch error

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

            Bug ID: 3548
           Summary: Upgrading from openssl-3.0.8 to openssl-3.1.0 leads to
                    version mismatch error
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sam at gentoo.org

OpenSSL 3.0.8 and OpenSSL 3.1.0 both have the same libssl and libcrypto
SONAMEs, but after upgrading from 3.0.8->3.1.0, I get:
```
$ ssh -V
OpenSSL version mismatch. Built against 30000080, you have 30100000
```

Is this intentional when the relevant OpenSSL versions are supposed to
be ABI compatible?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #1 from Sam James <sam at gentoo.org> ---
(This is with 9.2_p1).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Sam James from comment #0)
> the relevant OpenSSL versions are supposed to be ABI compatible?
Looks like OpenSSL changed their compatibility guarantees between 1.1
and 3: https://www.openssl.org/policies/releasestrat.html

"As of release 3.0.0, the OpenSSL versioning scheme is changing to a
more contemporary format: MAJOR.MINOR.PATCH

With this format, API/ABI compatibility will be guaranteed for the same
MAJOR version number. Previously we guaranteed API/ABI compatibility
across the same MAJOR.MINOR combination."

Our check only implements the latter.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #3684|                            |ok?(djm at mindrot.org)
              Flags|                            |

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3684
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3684&action=edit
Update OpenSSL version check for v3 policy.  Remove <1 since we no
longer support them.

I think this will fix it (untested).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 3685
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3685&action=edit
My take

Don't we still want to prevent backsliding? The OpenSSL page says this:

"MINOR: API/ABI compatible feature releases will change this"

I could interpret this to mean that a minor release could adding API.
It would still be API/ABI compatible but only in one direction.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #5 from Sam James <sam at gentoo.org> ---
Ah, thanks, that makes sense. I thought I remembered 1.0 and 1.1 being
incompatible so I knew something had changed, but didn't dig into what
yet.

Your patch seems to work and cope with upgrading openssl.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #6 from Sam James <sam at gentoo.org> ---
(In reply to Damien Miller from comment #4)
> I could interpret this to mean that a minor release could adding
> API. It would still be API/ABI compatible but only in one direction.
This is generally the case for any shared library because of symbol
versioning - you often can't upgrade, build a bunch of stuff against
the new version, then downgrade it. But openssh has very few
dependencies and even fewer which use symbol versioning so, I guess
this doesn't come up often.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #7 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3685
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3685
My take
>+        lfix = (libver & 0x0ffffff0L) >> 12;
That's going to include the patchlevel which we previously did not (but
since they also say "We also allow backporting of accessor functions in
these releases" was that deliberate?  if so is there any point in
disallowing this here, since in that case the dynamic linking would
fail anyway before we got to this check?)

If we're going to do the same checks we can use the same code.

    if (headerver < 0x3000000f) {
        mask = 0xfff0000fL; /* major,minor,status */
        hfix = (headerver & 0x000ff000) >> 12;
        lfix = (libver & 0x000ff000) >> 12;
    } else {
        mask = 0xf000000fL; /* major, status */
        hfix = (headerver & 0x0ffffff0L) >> 12;
        lfix = (libver & 0x0ffffff0L) >> 12;
    }

    if ( (headerver & mask) == (libver & mask) && lfix >=
hfix)
        return 1;
    return 0;

If you ignore the patchlevel for both you could even complement the
mask and use that to compute hfix and lfix once, but I think that'd be
sufficiently unclear as to be not worth the couple of lines saved.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #8 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Darren Tucker from comment #7)
> since in that case the dynamic linking would fail
actually adding accessors would be fine, only deleting them would be a
problem, so I don't see any reason we'd want to include the patchlevel
in the check?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

psykose <alice at ayaya.dev> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alice at ayaya.dev

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3549


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3549
[Bug 3549] Tracking bug for OpenSSH 9.4
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3684|                            |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #9 from Sam James <sam at gentoo.org> ---
See also https://marc.info/?l=openssh-unix-dev&m=168348988530204&w=2.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3685|                            |ok-
              Flags|                            |

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
I withdraw my version of the diff. Darren, do you want to commit yours?
IMO we should keep the status check that is in yours but not in the
post to the mailing list.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #11 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Damien Miller from comment #10)
> I withdraw my version of the diff. Darren, do you want to commit
> yours? IMO we should keep the status check that is in yours but not
> in the post to the mailing list.
Committed, thanks.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3548

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gtapase at ddn.com

--- Comment #12 from Darren Tucker <dtucker at dtucker.net> ---
*** Bug 3755 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.