On Sat, Jul 25, 2015 at 06:15:10PM +0200, Marc Lehmann wrote:
> On Sat, Jul 25, 2015 at 10:48:51AM +0200, Kurt Roeckx <k...@roeckx.be> wrote:
> > > upgrading libssl1.0.0 from 1.0.1k-3+deb8u1 to 1.0.2d-1 breaks HMAC
> > > authentication in a gvpe compiled with 1.0.1k-3.
> >
> > I will need more information other than that it doesn't work.
>
> Just ask, but without knowing what you want to know (you haven't said
> anything), I can only guess.
>
> > I don't have any idea who gvpe works.
>
> Well, many people "work gvpe". Maybe you meant "how"? gvpe uses openssl's
> HMAC (by default hmac-sha512) to verify packet integrity, and when
> upgrading libssl to 1.0.2d-1, for some connections, every packet gets a
> HMAC authentication error (causing complete loss of connectivity) that
> goes away once libssl is downgraded again.
I tried some of the test vectors in rfc4231 with the version from
squeeze, wheezy, jessie and stretch and they all produce the same
correct output. For instance case 2:

echo -n "what do ya want for nothing?" | openssl dgst -hmac Jefe -sha512
(stdin)= 164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737

So it seems more likely that this is either a bug in gvpe or
something cpu specific.

> > > Since the ABI was apparently broken before (#788511), chances are high
> > > that the fix in 1.0.2d-1 isn't effective and 1.0.2d-1 is still ABI
> > > incompatible to the version in jessie.
> >
> > This is very unlikely. But if it's really the case rebuilding
> > against that version should fix the issue.
>
> I think you are not understanding the problem on a very basic level here
> - rebuilding a program using a shared library will not and can not fix
> bugs in that library. If libssl 1.0.2d-1 is incompatible to 1.0.1k-3
> w.r.t. HMAC generation, then the only way to fix this is to patch and fix
> libssl, OR bump the soname, to indicate an incompatible version.

Please note that I'm not saying that this is how you should fix
it, it's a test to see if that's the issue or not. I might not
have worded it the best way.


Kurt
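An added example, not part of the original message and not gvpe or OpenSSL code: the one-shot command-line check above covers a single way of calling HMAC, so this self-test runs the same RFC 4231 case 2 vector through one-shot, chunked and copied-context usage and reports which patterns disagree. It goes beyond the single case in the message; the function names and LONG_MSG are constructed for illustration, and it exercises the system OpenSSL only where the interpreter's hashlib is built on it.

```python
import hashlib
import hmac

# RFC 4231 test case 2 (HMAC-SHA-512): the vector quoted in the message above.
KEY = b"Jefe"
MSG = b"what do ya want for nothing?"
EXPECTED = (
    "164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea250554"
    "9758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737"
)
# Constructed input longer than SHA-512's 128-byte block; no published tag,
# so it is only checked for agreement between usage patterns.
LONG_MSG = bytes(range(256)) + b"constructed sample"


def one_shot(key, msg):
    """Single call, like `openssl dgst -hmac KEY -sha512`."""
    return hmac.new(key, msg, hashlib.sha512).hexdigest()


def chunked(key, msg, size):
    """Feed the message in pieces, as streaming code would."""
    ctx = hmac.new(key, digestmod=hashlib.sha512)
    for i in range(0, len(msg), size):
        ctx.update(msg[i:i + size])
    return ctx.hexdigest()


def reused_key(key, msg):
    """Key a context once, then tag from a copy (per-packet key reuse)."""
    ctx = hmac.new(key, digestmod=hashlib.sha512).copy()
    ctx.update(msg)
    return ctx.hexdigest()


def self_test():
    """Return the names of usage patterns whose tag is wrong."""
    checks = {"one_shot": (one_shot(KEY, MSG), EXPECTED),
              "reused_key": (reused_key(KEY, MSG), EXPECTED)}
    for size in (1, 5, 127, 128, 129):
        checks[f"chunked_{size}"] = (chunked(KEY, MSG, size), EXPECTED)
        checks[f"long_{size}"] = (chunked(KEY, LONG_MSG, size),
                                  one_shot(KEY, LONG_MSG))
    return sorted(n for n, (got, want) in checks.items()
                  if not hmac.compare_digest(got, want))


if __name__ == "__main__":
    print(self_test() or "all patterns agree with RFC 4231 case 2")
```

An empty list from self_test() on both library versions points away from the HMAC primitive itself and toward how the calling program drives it.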