rsbecker at nexbridge.com
2023-May-07 20:11 UTC
[PATCH] compat: Relax version check with OpenSSL 3.0+
On Sunday, May 7, 2023 3:53 PM, Sebastian Andrzej Siewior wrote:
>OpenSSL 3.1.0 uses the same ABI as OpenSSL 3.0.x series. Further 3.1.x releases are
>just stable updates and no ABI change (is expected) just like the 3.0.x series.
>
>Relax the version check for OpenSSL 3+ and rely on ABI compatibility.
>
>Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
>---
> openbsd-compat/openssl-compat.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/openbsd-compat/openssl-compat.cb/openbsd-compat/openssl-compat.c>index c1749210d586f..5b35253f1d19b 100644 >--- a/openbsd-compat/openssl-compat.c >+++ b/openbsd-compat/openssl-compat.c >@@ -54,6 +54,10 @@ ssh_compatible_openssl(long headerver, long libver) > return (headerver & mask) == (libver & mask); > } > >+ /* For versions > 3.0.0, we rely on upstream's ABI */ >+ if (headerver > 0x3000000f) >+ return 1; >+

Is this not already covered using the --without-openssl-header-check configuration option?

--Randall
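Review bot: in the added block after the closing `}`, `if (headerver > 0x3000000f) return 1;` accepts the library without looking at `libver` at all, so a binary built against 3.x headers passes this check whatever library version is loaded at run time. The commit message says the intent is to rely on ABI compatibility within OpenSSL 3+, so the test should also require that `libver` carries the same major version as `headerver`, for example by comparing the top nibble of both values before returning 1. The comparison is also strict, so a `headerver` equal to 0x3000000f falls through to whatever follows the hunk; if that value is meant to be covered, use `>=`, otherwise say so in the comment.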
On Mon, 8 May 2023 at 06:13, <rsbecker at nexbridge.com> wrote:
[...]
> Is this not already covered using the --without-openssl-header-check
> configuration option?

No. That configure option will disable the consistency check between the headers and library versions at compile time, ie the API. It was added when some vendors (from memory, Apple) started shipping libcrypto updates without the corresponding header updates.

This diff posted affects the check between the version it was compiled against and the currently installed library version, ie the ABI. OpenSSL improved the ABI compatibility from "must be the same minor release" in 1.x to "must be the same major release" in 3.x but we currently only have the 1.x checks.

Damien had a slightly different diff that also fixed this, not sure what happened to it.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
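The two ABI rules described in the reply above, written out as a runtime check and set beside the header-only test from the posted hunk. This is an added example, not OpenSSH's code or either author's diff: `abi_compatible` and `header_only_rule` are hypothetical names, the version-number layout is an assumption, "same minor release" is read here as equal major and minor fields, and the version values are constructed.

```c
#include <stdio.h>

/* Assumed layout of OPENSSL_VERSION_NUMBER (not stated in the thread):
 *   1.x: 0xMNNFFPPS  (major, minor, fix, patch, status)
 *   3.x: 0xMNN00PPS  (major, minor, patch, status) */
#define VER_MAJOR(v) (((unsigned long)(v) >> 28) & 0xfUL)
#define VER_MINOR(v) (((unsigned long)(v) >> 20) & 0xffUL)

/* Hypothetical helper: compare the version the binary was compiled
 * against (headerver) with the library loaded at run time (libver). */
int abi_compatible(long headerver, long libver)
{
	if (VER_MAJOR(headerver) != VER_MAJOR(libver))
		return 0;	/* different major release: reject */
	if (VER_MAJOR(headerver) >= 3)
		return 1;	/* 3.x rule: same major release is enough */
	/* 1.x rule: must also be the same minor release */
	return VER_MINOR(headerver) == VER_MINOR(libver);
}

/* The test added by the posted hunk, in isolation: libver is not used. */
int header_only_rule(long headerver)
{
	return headerver > 0x3000000fL;
}

int main(void)
{
	/* Constructed version pairs for illustration. */
	static const struct { const char *what; long hdr, lib; } t[] = {
		{ "built 3.0.8, running 3.1.0",  0x3000008fL, 0x3010000fL },
		{ "built 3.1.0, running 1.1.1t", 0x3010000fL, 0x1010114fL },
		{ "built 1.0.2u, running 1.1.1t", 0x1000215fL, 0x1010114fL },
		{ "built 1.1.1t, running 1.1.1t", 0x1010114fL, 0x1010114fL },
	};
	size_t i;

	for (i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-30s both-sides=%d header-only=%d\n", t[i].what,
		    abi_compatible(t[i].hdr, t[i].lib),
		    header_only_rule(t[i].hdr));
	return 0;
}
```

The second row is the case where the two checks disagree: the header-only test accepts a 1.x library for a binary built against 3.x headers.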