* [PATCH] openssl: Bump SONAME to match the ABI
From: Jussi Kukkonen @ 2017-04-20 13:32 UTC
To: openembedded-core

Commit 7933fbbc637 "Security fix Drown via 1.0.2g update" included
a version-script change from Debian that was an ABI change. It did
not include the soname change that Debian did so we have been calling
our ABI 1.0.0 but it really matches what others call 1.0.2.

Bump SONAME to match the ABI. In practice this changes both libcrypto
and libssl sonames from 1.0.0 to 1.0.2.

For background: Upstream does not do sonames so these are set by
distros. In this case the ABI changes based on a build time
configuration! Debian took the ABI changing configuration and bumped
soname but e.g. Ubuntu kept the deprecated API and just made it not
work, keeping soname. So both have same version of openssl but support
different ABI (and expose different SONAME).

Fixes [YOCTO #11396].

Thanks to Alexander Larsson et al for detective work.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
.../openssl/openssl/debian1.0.2/soname.patch | 13 +++++++++++++
meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 1 +
2 files changed, 14 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
new file mode 100644
index 0000000..f9cdfec
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
@@ -0,0 +1,13 @@
+Index: openssl-1.0.2d/crypto/opensslv.h
+===================================================================
+--- openssl-1.0.2d.orig/crypto/opensslv.h
++++ openssl-1.0.2d/crypto/opensslv.h
+@@ -88,7 +88,7 @@ extern "C" {
+ * should only keep the versions that are binary compatible with the current.
+ */
+ # define SHLIB_VERSION_HISTORY ""
+-# define SHLIB_VERSION_NUMBER "1.0.0"
++# define SHLIB_VERSION_NUMBER "1.0.2"
+
+
+ #ifdef __cplusplus
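Review bot: The new soname.patch begins directly at the "Index: openssl-1.0.2d/crypto/opensslv.h" line with no header, so the file carries neither an Upstream-Status tag nor a Signed-off-by, and nothing in it records that the SHLIB_VERSION_NUMBER change belongs with version-script.patch. Add a short header above "Index:" giving a one-line rationale, "Upstream-Status: <status>" and a sign-off. The paths in the patch also still name openssl-1.0.2d while the recipe being changed is openssl_1.0.2k.bb, so it is worth confirming that the "@@ -88,7 +88,7 @@" hunk applies to the 1.0.2k opensslv.h without fuzz.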
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
index 1c104142..83d1a50 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
@@ -30,6 +30,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
file://debian/no-symbolic.patch \
file://debian/pic.patch \
file://debian1.0.2/version-script.patch \
+ file://debian1.0.2/soname.patch \
file://openssl_fix_for_x32.patch \
file://fix-cipher-des-ede3-cfb1.patch \
file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
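Review bot: The added "file://debian1.0.2/soname.patch" entry sits right after version-script.patch, but nothing in the recipe says the two have to be kept or dropped together, which is exactly the mismatch the commit message describes (the version script was imported without the soname change). SRC_URI is a continued string and cannot hold an inline comment, so state the coupling in a comment above the SRC_URI assignment or in the header of soname.patch. Since the change moves libcrypto and libssl from soname 1.0.0 to 1.0.2, the commit message should also say what is expected of binaries already linked against the 1.0.0 soname.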
--
2.1.4
* Re: [PATCH] openssl: Bump SONAME to match the ABI
From: Jussi Kukkonen @ 2017-04-20 13:56 UTC
To: Patches and discussions about the oe-core layer
On 20 April 2017 at 16:32, Jussi Kukkonen <jussi.kukkonen@intel.com> wrote:
> Commit 7933fbbc637 "Security fix Drown via 1.0.2g update" included
> a version-script change from Debian that was an ABI change. It did
> not include the soname change that Debian did so we have been calling
> our ABI 1.0.0 but it really matches what others call 1.0.2.
>
Just so it's clear: the new ABI was in krogoth and morty already with 1.0.0
soname. Not sure which option is least bad here.
Jussi
> Bump SONAME to match the ABI. In practice this changes both libcrypto
> and libssl sonames from 1.0.0 to 1.0.2.
>
> For background: Upstream does not do sonames so these are set by
> distros. In this case the ABI changes based on a build time
> configuration! Debian took the ABI changing configuration and bumped
> soname but e.g. Ubuntu kept the deprecated API and just made it not
> work, keeping soname. So both have same version of openssl but support
> different ABI (and expose different SONAME).
>
> Fixes [YOCTO #11396].
>
> Thanks to Alexander Larsson et al for detective work.
>
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
> .../openssl/openssl/debian1.0.2/soname.patch | 13
> +++++++++++++
> meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 1 +
> 2 files changed, 14 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssl/openssl/debian1.0.2/
> soname.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
> b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
> new file mode 100644
> index 0000000..f9cdfec
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
> @@ -0,0 +1,13 @@
> +Index: openssl-1.0.2d/crypto/opensslv.h
> +===================================================================
> +--- openssl-1.0.2d.orig/crypto/opensslv.h
> ++++ openssl-1.0.2d/crypto/opensslv.h
> +@@ -88,7 +88,7 @@ extern "C" {
> + * should only keep the versions that are binary compatible with the
> current.
> + */
> + # define SHLIB_VERSION_HISTORY ""
> +-# define SHLIB_VERSION_NUMBER "1.0.0"
> ++# define SHLIB_VERSION_NUMBER "1.0.2"
> +
> +
> + #ifdef __cplusplus
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> index 1c104142..83d1a50 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> @@ -30,6 +30,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
> file://debian/no-symbolic.patch \
> file://debian/pic.patch \
> file://debian1.0.2/version-script.patch \
> + file://debian1.0.2/soname.patch \
> file://openssl_fix_for_x32.patch \
> file://fix-cipher-des-ede3-cfb1.patch \
> file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> \
> --
> 2.1.4
>
>
* ✗ patchtest: failure for openssl: Bump SONAME to match the ABI
From: Patchwork @ 2017-04-20 14:01 UTC
To: Jussi Kukkonen; +Cc: openembedded-core
== Series Details ==
Series: openssl: Bump SONAME to match the ABI
Revision: 1
URL : https://patchwork.openembedded.org/series/6438/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue:         Added patch file is missing Upstream-Status in the header [test_upstream_status_presence]
  Suggested fix: Add Upstream-Status: <status> to the header of meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch (possible values: Pending, Submitted, Accepted, Backport, Denied, Inappropriate)
* Issue:         A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
  Suggested fix: Sign off the added patch file (meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe