Your message dated Mon, 26 Nov 2018 23:25:03 +0100
with message-id <[email protected]>
and subject line Re: Bug#895547: openssl: After symbol versioning, distributed 
pkgs are missing API symbols (e.g. EVP_PKEY_asn1_set_item)
has caused the Debian Bug report #895547,
regarding openssl: After symbol versioning, distributed pkgs are missing API 
symbols (e.g. EVP_PKEY_asn1_set_item)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
895547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895547
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.2l-1~bpo8+1
Severity: important
Tags: patch

Dear Maintainer,

I'm developing an ENGINE for OpenSSL, and close to release, I noticed
that in Ubuntu and in Debian the build fails with the following output:

```
/usr/bin/cc  -fPIC -g  -shared -Wl,-soname,liblibsuola.so -o liblibsuola.so 
CMakeFiles/suola.dir/suola.c.o CMakeFiles/suola.dir/suola_keypair.c.o 
CMakeFiles/suola.dir/debug/debug.c.o CMakeFiles/suola.dir/meths/X25519_meth.c.o 
CMakeFiles/suola.dir/meths/ed25519_meth.c.o 
CMakeFiles/suola.dir/meths/suola_asn1_meth.c.o 
CMakeFiles/suola.dir/meths/suola_md_identity_meth.c.o 
CMakeFiles/suola.dir/ossl/ossl_compat.c.o 
CMakeFiles/suola.dir/ossl/suola_err.c.o 
CMakeFiles/suola.dir/ossl/suola_objects.c.o 
CMakeFiles/suola.dir/providers/libsodium/base.c.o 
CMakeFiles/suola.dir/providers/libsodium/curve25519.c.o 
CMakeFiles/suola.dir/providers/libsodium/ed25519.c.o -lssl -lcrypto 
/opt/libsodium-stable/lib/libsodium.so -Wl,-z,defs 
-Wl,-rpath,/opt/libsodium-stable/lib:
CMakeFiles/suola.dir/meths/suola_asn1_meth.c.o: In function 
`suola_register_asn1_meth':
/usr/local/src/libsuola/meths/suola_asn1_meth.c:505: undefined reference to 
`EVP_PKEY_asn1_set_item'
collect2: error: ld returned 1 exit status
make[2]: *** [liblibsuola.so] Error 1
CMakeFiles/suola.dir/build.make:412: recipe for target 'liblibsuola.so' failed
make[2]: Leaving directory '/usr/local/src/libsuola/build'
make[1]: *** [CMakeFiles/suola.dir/all] Error 2
make: *** [all] Error 2
```

This does not happen linking against the same exact release of openssl
compiled from source on the same system.

I then learned that one of the patches applied by Debian (and included
by derived distributions) has the goal of versioning library symbols to
avoid conflicts.

Unfortunately said patch is not updated regularly with each release of
OpenSSL, resulting, like in my case, in symbols available in the public
header files but masked through versioning in the shared library binary.

The attached patch fixes my need by adding `EVP_PKEY_asn1_set_item` to
the list, but you might consider an internal review of your release
process to make sure that the list of symbols is updated whenever a new
upstream release makes new functions publicly available.


I marked this bug as important, as it stops everyone using official
Debian packages from using third-party ENGINEs that require to use that
function to set special handling of ASN.1 format, which basically
includes every ENGINE that would add support for cryptosystems that
upstream OpenSSL does not support (defying the purpose of using some
ENGINEs).

This covers my use case, but basically the package as is ends up
unusable to any user of any application that may require functions
available in the public headers but accidentally masked in the symbol
versioning step.


The ideal outcome of fixing this issue would consist in making the
versioning patch dynamic, checking when symbols are added (or removed)
in newer releases and updating the list accordingly.

The same versioning patch is applied in the other releases, so it's
worth tagging this bug also for those to make the handling of the
exposed symbols consistent.


-- System Information:
Debian Release: 8.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.87-linuxkit-aufs (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages openssl depends on:
ii  libc6        2.19-18+deb8u10
ii  libssl1.0.0  1.0.2l-1~bpo8+1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20141019+deb8u3

-- no debconf information
--- deb/openssl-1.0.2g/openssl.ld   2018-03-17 06:56:37.000000000 +0000
+++ deb-mod/openssl-1.0.2g/openssl.ld   2018-04-12 11:54:28.159985887 +0000
@@ -4615,6 +4615,7 @@

 OPENSSL_1.0.2g {
        global:
+               EVP_PKEY_asn1_set_item;
                SRP_VBASE_get1_by_user;
                SRP_user_pwd_free;
 } OPENSSL_1.0.2;
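
Review bot: the single `EVP_PKEY_asn1_set_item;` line added under `global:` in the `OPENSSL_1.0.2g` node exports only that one function, while the follow-up in this thread lists fourteen `EVP_PKEY_meth_get_*` functions as possibly missing as well; if those are confirmed absent from the script, they belong in the same change rather than one bug report at a time. The file headers point at `openssl-1.0.2g/openssl.ld` whereas the report is filed against 1.0.2l-1~bpo8+1, so it is worth confirming that the hunk applies to the reported version. Because the symbol goes into a version node that already-shipped builds carry, anything linked against the patched library needs a dependency on at least the first package revision that contains this line.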

--- End Message ---
--- Begin Message ---
control: tags -1 wontfix

On 2018-04-14 15:10:47 [+0300], Nicola wrote:
> > Functions that might possibly be missing are:
> > EVP_PKEY_asn1_set_item
> > EVP_PKEY_meth_get_init
> > EVP_PKEY_meth_get_verify_recover
> > EVP_PKEY_meth_get_keygen
> > EVP_PKEY_meth_get_derive
> > EVP_PKEY_meth_get_verifyctx
> > EVP_PKEY_meth_get_paramgen
> > EVP_PKEY_meth_get_verify
> > EVP_PKEY_meth_get_sign
> > EVP_PKEY_meth_get_signctx
> > EVP_PKEY_meth_get_ctrl
> > EVP_PKEY_meth_get_decrypt
> > EVP_PKEY_meth_get_cleanup
> > EVP_PKEY_meth_get_encrypt
> > EVP_PKEY_meth_get_copy
> >
> 
> Thanks for the list and for the explanation about >= 1.1.0.
> 
> Out of curiosity can I ask how did you generate the list of possibly
> missing symbols?

Okay. I can't update bpo for Jessie anymore. I tried to get around but
never made it. Now it is too late (it was so months ago).
Now, it is official. It should be a non-issue I believe since I *assume*
that you moved on to Stretch.

> Thanks,
> 
> Nicola

Sebastian

--- End Message ---
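
The thread does not say how the list of possibly missing symbols was produced. The following is an added example, not the maintainer's method and not code from the Debian package: it parses a linker version script and reports the names from an upstream symbol list that no `global:` entry exports. The script text, the `local: *` catch-all and the symbol list are constructed for the illustration.

```python
import fnmatch
import re

# Constructed sample shaped like the report's openssl.ld hunk; "local: *" is assumed.
SAMPLE_LD = """
OPENSSL_1.0.2 {
    global:
        EVP_PKEY_new;        /* constructed entry */
        EVP_PKEY_asn1_new;
    local:
        *;
};
OPENSSL_1.0.2g {
    global:
        SRP_VBASE_get1_by_user;
        SRP_user_pwd_free;
} OPENSSL_1.0.2;
"""

# Constructed stand-in for the names printed by `nm -D --defined-only` on an upstream build.
UPSTREAM_SYMBOLS = ("EVP_PKEY_new EVP_PKEY_asn1_new EVP_PKEY_asn1_set_item "
                    "EVP_PKEY_meth_get_init SRP_VBASE_get1_by_user SRP_user_pwd_free").split()

NODE_RE = re.compile(r"(\w[\w.]*)\s*\{(.*?)\}\s*[\w.]*\s*;", re.S)
LABEL_RE = re.compile(r"(global|local)\s*:\s*(.*)", re.S)

def parse_version_script(text):
    """Map each version node to its global and local symbol patterns."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop C comments
    nodes = {}
    for name, body in NODE_RE.findall(text):
        entry = nodes.setdefault(name, {"global": set(), "local": set()})
        scope = "global"  # ld treats entries before any label as global
        for item in (i.strip() for i in body.split(";")):
            label = LABEL_RE.match(item)
            if label:
                scope, item = label.group(1), label.group(2).strip()
            if item:
                entry[scope].add(item)
    return nodes

def hidden_symbols(script_text, symbols):
    """Symbols that no global pattern exports and some local pattern hides."""
    nodes = parse_version_script(script_text)
    exported = set().union(*(n["global"] for n in nodes.values()))
    hidden = set().union(*(n["local"] for n in nodes.values()))
    def hit(sym, patterns):
        return any(fnmatch.fnmatchcase(sym, p) for p in patterns)
    return sorted(s for s in symbols if not hit(s, exported) and hit(s, hidden))
```

The parser does not handle nested `extern` blocks and applies no exact-over-wildcard precedence, which is sufficient for a flat list of C symbols like this one.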
