[fido][PATCH 0/1] Undo ABI breakage in OpenSSL

[fido][PATCH 0/1] Undo ABI breakage in OpenSSL

[Joshua Lock]

The backported upgrade to OpenSSL 1.0.2h introduced a newer version of
Debian's linker version-script which breaks the OpenSSL ABI.
This isn't desirable for a stable release, thus the attached patch reverts
the linker-version changes and simply adds the 2 new symbols required by
1.0.2h.

Thanks to Martin Jansa for spotting the issue and suggesting a fix.

The following changes since commit e7c46ce3e59cb4fd770e76ae006c0166d0dd5265:

  build-appliance-image: Update to fido head revision (2016-05-11 18:00:15 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib joshuagl/fido-next
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=joshuagl/fido-next

Joshua Lock (1):
  openssl: prevent ABI break from earlier fido releases

 .../openssl/debian1.0.2/version-script.patch       | 31 +++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)

-- 
2.5.5

[fido][PATCH 1/1] openssl: prevent ABI break from earlier fido releases

[Joshua Lock]

The backported upgrade to 1.0.2h included an updated GNU LD
version-script which results in an ABI change. In order to try and
respect ABI for existing binaries built against fido this commit
partially reverts the version-script to maintain the existing ABI
and instead only add the new symbols required by 1.0.2h.

Suggested-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
---
 .../openssl/debian1.0.2/version-script.patch       | 31 +++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
index 29f11a2..f53efdb 100644
--- a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
+++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
@@ -15,8 +15,8 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
 +++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld	2014-02-24 22:19:08.601827266 +0100
-@@ -0,0 +1,4608 @@
-+OPENSSL_1.0.2d {
+@@ -0,0 +1,4621 @@
++OPENSSL_1.0.0 {
 +	global:
 +		BIO_f_ssl;
 +		BIO_new_buffer_ssl_connect;
@@ -4314,6 +4314,14 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
 +		CRYPTO_cbc128_decrypt;
 +		CRYPTO_cfb128_encrypt;
 +		CRYPTO_cfb128_8_encrypt;
++
++	local:
++		*;
++};
++
++
++OPENSSL_1.0.1 {
++	global:
 +		SSL_renegotiate_abbreviated;
 +		TLSv1_1_method;
 +		TLSv1_1_client_method;
@@ -4475,7 +4483,15 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
 +		BIO_s_datagram_sctp;
 +		BIO_dgram_is_sctp;
 +		BIO_dgram_sctp_notification_cb;
++} OPENSSL_1.0.0;
++
++OPENSSL_1.0.1d {
++	global:
 +		CRYPTO_memcmp;
++} OPENSSL_1.0.1;
++
++OPENSSL_1.0.2 {
++	global:
 +		SSL_CTX_set_alpn_protos;
 +		SSL_set_alpn_protos;
 +		SSL_CTX_set_alpn_select_cb;
@@ -4613,23 +4629,20 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
 +		BUF_strnlen;
 +		sk_deep_copy;
 +		SSL_test_functions;
-+
-+	local:
-+		*;
-+};
++} OPENSSL_1.0.1d;
 +
 +OPENSSL_1.0.2g {
 +       global:
 +               SRP_VBASE_get1_by_user;
 +               SRP_user_pwd_free;
-+} OPENSSL_1.0.2d;
++} OPENSSL_1.0.2;
 +
 Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
 +++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld	2014-02-24 21:02:30.000000000 +0100
 @@ -0,0 +1,10 @@
-+OPENSSL_1.0.2 {
++OPENSSL_1.0.0 {
 +	global:
 +		bind_engine;
 +		v_check;
@@ -4644,7 +4657,7 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
 +++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld	2014-02-24 21:02:30.000000000 +0100
 @@ -0,0 +1,10 @@
-+OPENSSL_1.0.2 {
++OPENSSL_1.0.0 {
 +	global:
 +		bind_engine;
 +		v_check;
-- 
2.5.5

Re: [fido][PATCH 0/1] Undo ABI breakage in OpenSSL

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 1972 bytes --]

On Thu, May 12, 2016 at 01:06:33PM +0100, Joshua Lock wrote:
> The backported upgrade to OpenSSL 1.0.2h introduced a newer version of
> Debian's linker version-script which breaks the OpenSSL ABI.
> This isn't desirable for a stable release, thus the attached patch reverts
> the linker-version changes and simply adds the 2 new symbols required by
> 1.0.2h.
> 
> Thanks to Martin Jansa for spotting the issue and suggesting a fix.

Thanks for following it and getting it merged so quickly.

It was already merged in fido, can we get the same to jethro (which was
also recently upgraded to 1.0.2h)?

Small downside is that the same 1.0.2h version in fido and jethro will
have different ABI than 1.0.2h in krogoth (unless someone updates the
version there as suggested by Andre in:
http://lists.openembedded.org/pipermail/openembedded-core/2016-March/118433.html
).

Krogoth was released with this ABI, so it's something users have
to deal with when upgrading to newer Yocto release (and this won't be
the only component with different ABI).

> The following changes since commit e7c46ce3e59cb4fd770e76ae006c0166d0dd5265:
> 
>   build-appliance-image: Update to fido head revision (2016-05-11 18:00:15 +0100)
> 
> are available in the git repository at:
> 
>   git://git.openembedded.org/openembedded-core-contrib joshuagl/fido-next
>   http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=joshuagl/fido-next
> 
> Joshua Lock (1):
>   openssl: prevent ABI break from earlier fido releases
> 
>  .../openssl/debian1.0.2/version-script.patch       | 31 +++++++++++++++-------
>  1 file changed, 22 insertions(+), 9 deletions(-)
> 
> -- 
> 2.5.5
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]

Re: [fido][PATCH 0/1] Undo ABI breakage in OpenSSL

[Richard Purdie]

On Thu, 2016-05-12 at 16:16 +0200, Martin Jansa wrote:
> On Thu, May 12, 2016 at 01:06:33PM +0100, Joshua Lock wrote:
> > The backported upgrade to OpenSSL 1.0.2h introduced a newer version
> > of
> > Debian's linker version-script which breaks the OpenSSL ABI.
> > This isn't desirable for a stable release, thus the attached patch
> > reverts
> > the linker-version changes and simply adds the 2 new symbols
> > required by
> > 1.0.2h.
> > 
> > Thanks to Martin Jansa for spotting the issue and suggesting a fix.
> 
> Thanks for following it and getting it merged so quickly.
> 
> It was already merged in fido, can we get the same to jethro (which
> was
> also recently upgraded to 1.0.2h)?

I'm hoping someone will give me a patch series which does this
correctly for jethro. Its why I haven't taken the previous pull
request.

Cheers,

Richard

Re: [fido][PATCH 0/1] Undo ABI breakage in OpenSSL

[akuster808]

On 05/13/2016 09:34 AM, Richard Purdie wrote:
> On Thu, 2016-05-12 at 16:16 +0200, Martin Jansa wrote:
>> On Thu, May 12, 2016 at 01:06:33PM +0100, Joshua Lock wrote:
>>> The backported upgrade to OpenSSL 1.0.2h introduced a newer version
>>> of
>>> Debian's linker version-script which breaks the OpenSSL ABI.
>>> This isn't desirable for a stable release, thus the attached patch
>>> reverts
>>> the linker-version changes and simply adds the 2 new symbols
>>> required by
>>> 1.0.2h.
>>>
>>> Thanks to Martin Jansa for spotting the issue and suggesting a fix.
>>
>> Thanks for following it and getting it merged so quickly.
>>
>> It was already merged in fido, can we get the same to jethro (which
>> was
>> also recently upgraded to 1.0.2h)?
> 
> I'm hoping someone will give me a patch series which does this
> correctly for jethro. Its why I haven't taken the previous pull
> request.

I will spin one

- armin
> 
> Cheers,
> 
> Richard
> 
> 
> 

Re: [fido][PATCH 0/1] Undo ABI breakage in OpenSSL

[akuster808]

On 05/13/2016 09:34 AM, Richard Purdie wrote:
> On Thu, 2016-05-12 at 16:16 +0200, Martin Jansa wrote:
>> On Thu, May 12, 2016 at 01:06:33PM +0100, Joshua Lock wrote:
>>> The backported upgrade to OpenSSL 1.0.2h introduced a newer version
>>> of
>>> Debian's linker version-script which breaks the OpenSSL ABI.
>>> This isn't desirable for a stable release, thus the attached patch
>>> reverts
>>> the linker-version changes and simply adds the 2 new symbols
>>> required by
>>> 1.0.2h.
>>>
>>> Thanks to Martin Jansa for spotting the issue and suggesting a fix.
>>
>> Thanks for following it and getting it merged so quickly.
>>
>> It was already merged in fido, can we get the same to jethro (which
>> was
>> also recently upgraded to 1.0.2h)?
> 
> I'm hoping someone will give me a patch series which does this
> correctly for jethro. Its why I haven't taken the previous pull
> request.
> 

sent
- armin

> Cheers,
> 
> Richard
> 
> 
>