[OE-core] [PATCH] openssl: Bump SONAME to match the ABI

Jussi Kukkonen jussi.kukkonen at intel.com
Thu Apr 20 13:56:30 UTC 2017


On 20 April 2017 at 16:32, Jussi Kukkonen <jussi.kukkonen at intel.com> wrote:

> Commit 7933fbbc637 "Security fix Drown via 1.0.2g update" included
> a version-script change from Debian that was an ABI change. It did
> not include the soname change that Debian did so we have been calling
> our ABI 1.0.0 but it really matches what others call 1.0.2.
>

Just so it's clear: the new ABI was in krogoth and morty already with 1.0.0
soname. Not sure which option is least bad here.

  Jussi


> Bump SONAME to match the ABI. In practice this changes both libcrypto
> and libssl sonames from 1.0.0 to 1.0.2.
>
> For background: Upstream does not do sonames so these are set by
> distros. In this case the ABI changes based on a build time
> configuration! Debian took the ABI changing configuration and bumped
> soname but e.g. Ubuntu kept the deprecated API and just made it not
> work, keeping soname. So both have same version of openssl but support
> different ABI (and expose different SONAME).
>
> Fixes [YOCTO #11396].
>
> Thanks to Alexander Larsson et al for detective work.
>
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
> ---
>  .../openssl/openssl/debian1.0.2/soname.patch                | 13
> +++++++++++++
>  meta/recipes-connectivity/openssl/openssl_1.0.2k.bb         |  1 +
>  2 files changed, 14 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/debian1.0.2/
> soname.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
> b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
> new file mode 100644
> index 0000000..f9cdfec
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/soname.patch
> @@ -0,0 +1,13 @@
> +Index: openssl-1.0.2d/crypto/opensslv.h
> +===================================================================
> +--- openssl-1.0.2d.orig/crypto/opensslv.h
> ++++ openssl-1.0.2d/crypto/opensslv.h
> +@@ -88,7 +88,7 @@ extern "C" {
> +  * should only keep the versions that are binary compatible with the
> current.
> +  */
> + # define SHLIB_VERSION_HISTORY ""
> +-# define SHLIB_VERSION_NUMBER "1.0.0"
> ++# define SHLIB_VERSION_NUMBER "1.0.2"
> +
> +
> + #ifdef  __cplusplus
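Review bot: The added soname.patch begins directly at the "Index: openssl-1.0.2d/crypto/opensslv.h" line, so the patch file itself has no description, no Upstream-Status tag and no Signed-off-by. OE-core expects those in the header of a patch added to a recipe. Please add a short header stating that this is the soname change that pairs with debian1.0.2/version-script.patch, so the reason for "1.0.2" is recorded next to the define and not only in the commit message. The paths say openssl-1.0.2d while the recipe is openssl_1.0.2k; if the file is taken unmodified from Debian, saying so in the header would explain the mismatch.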
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> index 1c104142..83d1a50 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
> @@ -30,6 +30,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
>              file://debian/no-symbolic.patch \
>              file://debian/pic.patch \
>              file://debian1.0.2/version-script.patch \
> +            file://debian1.0.2/soname.patch \
>              file://openssl_fix_for_x32.patch \
>              file://fix-cipher-des-ede3-cfb1.patch \
>              file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> \
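Review bot: Documentation point on the added SRC_URI entry: debian1.0.2/soname.patch is only correct while debian1.0.2/version-script.patch on the line above it is applied, since per the commit message the version script is what changed the ABI. A comment near this SRC_URI block tying the two patches together would keep a later recipe upgrade from dropping one without the other. It would also help to state in the commit message that anything already linked against the 1.0.0 soname of libcrypto or libssl has to be relinked after this change, because the loader will no longer find a library under the old name.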
> --
> 2.1.4
>
>