[openssl-dev] [openssl/openssl] ABI compatibility 1.0.0-->1.0.1-->1.0.2

Kurt Roeckx kurt at roeckx.be
Sun Feb 26 13:26:43 UTC 2017


On Sun, Feb 26, 2017 at 09:26:06AM +0300, Andrey Ponomarenko wrote:
> 31.01.2017, 10:21, "Nikos Mavrogiannopoulos":
> > On Fri, 2017-01-27 at 10:54 -0600, Benjamin Kaduk via openssl-dev
> > wrote:
> >>  [moving from github to -dev]
> >>
> >>  On 01/27/2017 07:36 AM, mattcaswell wrote:
> >>  > 1.0.2 is the software version.
> >>  > The numbers on the end of libssl.so.1.0.0 refer to the ABI version -
> >>  > which is different. Software version 1.0.2 is a drop in replacement
> >>  > for 1.0.1, which is a drop in replacement for 1.0.0 - hence they
> >>  > all have the same ABI version.
> >>  >
> >>
> >>  There was some discussion about 1.0.1 being EoL on a FreeBSD list
> >>  [0], and whether it would make sense to move to 1.0.2 on their stable
> >>  branch, which led to someone making the claim that 1.0.2 has removed
> >>  4 symbols compared to 1.0.1, and thus is not strictly ABI compatible,
> >>  linking to https://abi-laboratory.pro/tracker/timeline/openssl/ .  If
> >>  I start semi-randomly clicking around, I can find a page [1] that
> >>  seems to claim the missing symbols are:
> >>  ASN1_STRING_clear_free()
> >>  ENGINE_load_rsax()
> >>  SRP_user_pwd_free()
> >>  SRP_VBASE_get1_by_user()

It's normal that you might see some symbols removed if you compare
something like 1.0.1t against 1.0.2, but it shouldn't when compared
to 1.0.2k.

CRYPTO_memcmp was added in 1.0.1d.

ASN1_STRING_clear_free was added in 1.0.1m and 1.0.2a

In 1.0.1s and 1.0.2g the following were added (for CVE-2016-0798):
SRP_VBASE_get1_by_user;
SRP_user_pwd_free;

ENGINE_load_rsax seems to have been removed because it didn't
compile? That looks like the only symbol that has been removed,
and it probably shouldn't have.


Kurt
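The point Kurt makes above (a symbol diff between the wrong pair of releases, such as 1.0.1t against the original 1.0.2, shows "removals" that are really just additions made in the 1.0.1 letter releases and later backported into 1.0.2) is easy to check mechanically. The following script, an added example rather than anything from this thread or from the OpenSSL project, parses `nm -D --defined-only` style output for two builds and lists the exported symbols that disappeared or appeared. The three symbol lists it embeds are constructed to mirror the versions discussed here, not real dumps of libcrypto; the `exported_symbols` and `abi_diff` names are ours.

```python
"""Diff the exported (global, defined) symbols of two shared-library builds.

Added example, not code from the openssl-dev thread. Input format is the
one produced by:   nm -D --defined-only libcrypto.so.1.0.0
The sample lists below are CONSTRUCTED to follow the thread's description
of 1.0.1t, 1.0.2 and 1.0.2k; they are not real nm output.
"""
import re

# Each line: [address] <type> <name>.  Uppercase types are global symbols;
# lowercase ones are local and never part of the ABI.  A "name@@VERSION"
# suffix is what nm prints for versioned symbols and is stripped.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")
GLOBAL_DEFINED = set("TDRBWV")  # text, data, rodata, bss, weak (defined)

SAMPLE_NM = {
    # constructed: 1.0.1t already carries the CVE backports and the
    # not-yet-dropped ENGINE_load_rsax
    "1.0.1t": """\
00000000000a0010 T CRYPTO_memcmp
00000000000a0020 T ASN1_STRING_clear_free
00000000000a0030 T SRP_VBASE_get1_by_user
00000000000a0040 T SRP_user_pwd_free
00000000000a0050 T ENGINE_load_rsax
00000000000a0060 T X509_new@@OPENSSL_1.0.0
0000000000001000 t local_helper
                 U memcpy
""",
    # constructed: the original 1.0.2 predates the 1.0.1m/1.0.1s additions
    "1.0.2": """\
00000000000b0010 T CRYPTO_memcmp
00000000000b0060 T X509_new@@OPENSSL_1.0.0
""",
    # constructed: 1.0.2k has the same additions as 1.0.1t, minus rsax
    "1.0.2k": """\
00000000000c0010 T CRYPTO_memcmp
00000000000c0020 T ASN1_STRING_clear_free
00000000000c0030 T SRP_VBASE_get1_by_user
00000000000c0040 T SRP_user_pwd_free
00000000000c0060 T X509_new@@OPENSSL_1.0.0
""",
}


def exported_symbols(nm_text):
    """Return the set of global defined symbol names in nm-style output."""
    names = set()
    for line in nm_text.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue
        sym_type, name = m.groups()
        if sym_type not in GLOBAL_DEFINED:
            continue  # skip locals (lowercase) and undefined (U) entries
        names.add(name.split("@", 1)[0])  # drop the @@VERSION suffix
    return names


def abi_diff(old_nm, new_nm):
    """Return (removed, added) exported symbols going from old to new."""
    old, new = exported_symbols(old_nm), exported_symbols(new_nm)
    return sorted(old - new), sorted(new - old)


def report(old_tag, new_tag, nm_by_tag=SAMPLE_NM):
    removed, added = abi_diff(nm_by_tag[old_tag], nm_by_tag[new_tag])
    lines = ["%s -> %s" % (old_tag, new_tag)]
    lines += ["  removed: %s" % s for s in removed]
    lines += ["  added:   %s" % s for s in added]
    if not removed:
        lines.append("  no exported symbol removed")
    return "\n".join(lines)


if __name__ == "__main__":
    # Comparing against the original 1.0.2 shows four spurious removals;
    # comparing against 1.0.2k leaves only ENGINE_load_rsax.
    print(report("1.0.1t", "1.0.2"))
    print(report("1.0.1t", "1.0.2k"))
```

On a real system, feed it the output of `nm -D --defined-only` from the two `libcrypto.so.1.0.0` files you actually ship, and compare like-for-like letter releases (the newest 1.0.1 against the newest 1.0.2) before concluding that a symbol was removed.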
