[openssl-project] A proposal for an updated OpenSSL version scheme (v2)

Viktor Dukhovni openssl-users at dukhovni.org
Sat Sep 22 05:12:21 UTC 2018



> On Sep 22, 2018, at 12:50 AM, Tim Hudson <tjh at cryptsoft.com> wrote:
> 
> The impact of the breaking change on anyone actually following our documented encoding cannot.
> i.e. openssh as one example Richard pointed out.

The only use of OPENSSL_VERSION_NUMBER bits in OpenSSH (which is not yet ported to
1.1.x upstream BTW, so hardly relevant really) is:

ssh_compatible_openssl(long headerver, long libver)
{
        long mask, hfix, lfix;

        /* exact match is always OK */
        if (headerver == libver)
                return 1;

        /* for versions < 1.0.0, major,minor,fix,status must match */
        if (headerver < 0x1000000f) {
                mask = 0xfffff00fL; /* major,minor,fix,status */
                return (headerver & mask) == (libver & mask);
        }
        /*
         * For versions >= 1.0.0, major,minor,status must match and library
         * fix version must be equal to or newer than the header.
         */
        mask = 0xfff0000fL; /* major,minor,status */
        hfix = (headerver & 0x000ff000) >> 12;
        lfix = (libver & 0x000ff000) >> 12;
        if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
                return 1;
        return 0;
}

All other uses are as a simple ordinal.  In the above function they expect
stability of the ABI for matching first three nibbles and release
status, which makes a case for Richard's encoding scheme as being
more compatible with one of the more prominent applications that depends
on the encoding.

The proposal to move the minor version into nibbles 2 and 3 breaks this
OpenSSH function.

-- 
	Viktor.
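To make concrete which nibbles the OpenSSH check above actually pins, here is an added example (not code from OpenSSH or OpenSSL, beyond the quoted function reproduced verbatim) that packs and decodes OPENSSL_VERSION_NUMBER in the layout opensslv.h documents for 1.0.x/1.1.x, MNNFFPPS (major nibble, minor byte, fix byte, patch byte, status nibble), and runs ssh_compatible_openssl() over constructed header/library pairs. The helper names pack_version, decode_version and run_scenarios are assumptions of this example; the version values are constructed from the layout rather than copied from any release.

```c
#include <stdio.h>

/* Assumed helper: pack fields into the documented MNNFFPPS layout. */
static long pack_version(int major, int minor, int fix, int patch, int status)
{
    return ((long)major << 28) | ((long)minor << 20) | ((long)fix << 12)
         | ((long)patch << 4) | (long)(status & 0xf);
}

struct ossl_version {
    int major, minor, fix, patch, status;
};

/* Assumed helper: decode the same layout back into its fields. */
static struct ossl_version decode_version(long v)
{
    struct ossl_version r;
    r.major  = (int)((v >> 28) & 0xf);
    r.minor  = (int)((v >> 20) & 0xff);
    r.fix    = (int)((v >> 12) & 0xff);
    r.patch  = (int)((v >> 4) & 0xff);
    r.status = (int)(v & 0xf);
    return r;
}

/* The OpenSSH check, as quoted in the message above. */
static int ssh_compatible_openssl(long headerver, long libver)
{
        long mask, hfix, lfix;

        /* exact match is always OK */
        if (headerver == libver)
                return 1;

        /* for versions < 1.0.0, major,minor,fix,status must match */
        if (headerver < 0x1000000f) {
                mask = 0xfffff00fL; /* major,minor,fix,status */
                return (headerver & mask) == (libver & mask);
        }

        /*
         * For versions >= 1.0.0, major,minor,status must match and library
         * fix version must be equal to or newer than the header.
         */
        mask = 0xfff0000fL; /* major,minor,status */
        hfix = (headerver & 0x000ff000) >> 12;
        lfix = (libver & 0x000ff000) >> 12;
        if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
                return 1;
        return 0;
}

/* Run constructed header/library pairs through the check and print each
 * verdict; returns how many pairs disagree with the expected result, so 0
 * means every expectation held. */
static int run_scenarios(void)
{
    struct { const char *name; long hdr, lib; int expect; } cases[] = {
        { "1.1.0f hdr, 1.1.0h lib (patch letter only)",
          pack_version(1, 1, 0, 6, 0xf), pack_version(1, 1, 0, 8, 0xf), 1 },
        { "1.1.0f hdr, 1.1.1 lib (newer fix byte)",
          pack_version(1, 1, 0, 6, 0xf), pack_version(1, 1, 1, 0, 0xf), 1 },
        { "1.1.1 hdr, 1.1.0h lib (older fix byte)",
          pack_version(1, 1, 1, 0, 0xf), pack_version(1, 1, 0, 8, 0xf), 0 },
        { "1.0.2 hdr, 1.1.0 lib (minor byte differs)",
          pack_version(1, 0, 2, 0, 0xf), pack_version(1, 1, 0, 0, 0xf), 0 },
        { "1.1.0 dev hdr, 1.1.0 release lib (status nibble)",
          pack_version(1, 1, 0, 0, 0x0), pack_version(1, 1, 0, 0, 0xf), 0 },
        { "0.9.8a hdr, 0.9.8b lib (pre-1.0.0 rule)",
          pack_version(0, 9, 8, 1, 0xf), pack_version(0, 9, 8, 2, 0xf), 1 },
        { "0.9.7 hdr, 0.9.8 lib (pre-1.0.0 rule, fix differs)",
          pack_version(0, 9, 7, 0, 0xf), pack_version(0, 9, 8, 0, 0xf), 0 },
    };
    int i, mismatches = 0;

    for (i = 0; i < (int)(sizeof cases / sizeof cases[0]); i++) {
        int got = ssh_compatible_openssl(cases[i].hdr, cases[i].lib);
        struct ossl_version h = decode_version(cases[i].hdr);

        printf("%-52s hdr=0x%08lx (M=%d NN=%d FF=%d PP=%d S=%x) -> %d\n",
               cases[i].name, cases[i].hdr, h.major, h.minor, h.fix,
               h.patch, h.status, got);
        if (got != cases[i].expect)
                mismatches++;
    }
    return mismatches;
}

int main(void)
{
    return run_scenarios() == 0 ? 0 : 1;
}
```

The masks make the dependency visible: 0xfff0000f keeps the major nibble, the two minor nibbles and the status nibble, and the separate 0x000ff000 extraction turns the FF byte into an ordered "fix" comparison. Any scheme that moves the minor version out of nibbles 2 and 3, or that changes what the FF byte means, changes what this function accepts or rejects without the function itself changing.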
