26.02.2017, 16:27, "Kurt Roeckx":
> On Sun, Feb 26, 2017 at 09:26:06AM +0300, Andrey Ponomarenko wrote:
>>  31.01.2017, 10:21, "Nikos Mavrogiannopoulos":
>>  > On Fri, 2017-01-27 at 10:54 -0600, Benjamin Kaduk via openssl-dev
>>  > wrote:
>>  >>  [moving from github to -dev]
>>  >>
>>  >>  On 01/27/2017 07:36 AM, mattcaswell wrote:
>>  >>  > 1.0.2 is the software version.
>>  >>  > The numbers on the end of libssl.so.1.0.0 refer to the ABI version -
>>  >>  > which is different. Software version 1.0.2 is a drop in replacement
>>  >>  > for 1.0.1, which is a drop in replacement for 1.0.0 - hence they
>>  >>  > all have the same ABI version.
>>  >>  >
>>  >>
>>  >>  There was some discussion about 1.0.1 being EoL on a FreeBSD list
>>  >>  [0], and whether it would make sense to move to 1.0.2 on their stable
>>  >>  branch, which led to someone making the claim that 1.0.2 has removed
>>  >>  4 symbols compared to 1.0.1, and thus is not strictly ABI compatible,
>>  >>  linking to https://abi-laboratory.pro/tracker/timeline/openssl/ .  If
>>  >>  I start semi-randomly clicking around, I can find a page [1] that
>>  >>  seems to claim the missing symbols are:
>>  >>  ASN1_STRING_clear_free()
>>  >>  ENGINE_load_rsax()
>>  >>  SRP_user_pwd_free()
>>  >>  SRP_VBASE_get1_by_user()
>
> It's normal that you might see some symbols removed if you compare
> something like 1.0.1t against 1.0.2, but it shouldn't when compared
> to 1.0.2k.
>
> CRYPTO_memcmp was added in 1.0.1d.
>
> ASN1_STRING_clear_free was added in 1.0.1m and 1.0.2a
>
> In 1.0.1s and 1.0.2g the following were added (for CVE-2016-0798):
> SRP_VBASE_get1_by_user;
> SRP_user_pwd_free;
>
> ENGINE_load_rsax seems to have been removed because it didn't
> compile? That looks like the only symbol that has been removed,
> and it probably shouldn't have.
>
> Kurt
 
I found new ABI navigator reports to be very useful when checking for these symbols:
 
https://abi-laboratory.pro/index.php?view=navigator&selected=SRP_VBASE_get1_by_user#result
https://abi-laboratory.pro/index.php?view=navigator&selected=ASN1_STRING_clear_free#result
 
Thank you.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
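
The comparison discussed in this thread, as an added example that is not part of the original messages: it models, from the releases named above, which symbols a 1.0.1t binary would miss in a given 1.0.2 release. The table layout and function names are hypothetical, and treating ENGINE_load_rsax as present in every 1.0.1 release is an assumption.

```python
import re

# Release letter in which each symbol first appears, per branch, as stated in
# the thread. None means the symbol is absent from that branch.
# Assumption: ENGINE_load_rsax is modelled as present in every 1.0.1 release.
FIRST_SEEN = {
    "ASN1_STRING_clear_free": {"1.0.1": "m", "1.0.2": "a"},
    "SRP_VBASE_get1_by_user": {"1.0.1": "s", "1.0.2": "g"},
    "SRP_user_pwd_free":      {"1.0.1": "s", "1.0.2": "g"},
    "ENGINE_load_rsax":       {"1.0.1": "",  "1.0.2": None},
}

def parse_release(version):
    """Split '1.0.2k' into ('1.0.2', 'k'); a base release has letter ''."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return m.group(1), m.group(2)

def letter_key(letter):
    # '' < 'a' < ... < 'z' < 'za': order by length, then alphabetically.
    return (len(letter), letter)

def has_symbol(symbol, version):
    """True if the modelled release exports the symbol."""
    branch, letter = parse_release(version)
    first = FIRST_SEEN[symbol].get(branch)
    return first is not None and letter_key(letter) >= letter_key(first)

def apparently_removed(old, new):
    """Symbols exported by `old` that a binary would not find in `new`."""
    return sorted(s for s in FIRST_SEEN
                  if has_symbol(s, old) and not has_symbol(s, new))

if __name__ == "__main__":
    for new in ("1.0.2", "1.0.2f", "1.0.2k"):
        print(f"1.0.1t -> {new}: {apparently_removed('1.0.1t', new)}")
```

Comparing against the 1.0.2 base release reproduces the four-symbol list quoted from the tracker, while comparing against 1.0.2k leaves only ENGINE_load_rsax.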
