Damien Miller wrote:
>
> In diagnosing some OpenSSH crashes on Redhat 6.2 systems, I have
> tracked a problem to a binary incompatibility between Redhat's OpenSSL
> packages and OpenSSL packages built by myself.
>
> My RPM packages are pretty basic, they just do a
> ./Configure --prefix=/usr --openssldir=%{openssldir} linux-elf
> This results in compiler options of:
>
> "-fPIC -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer
> -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM"
>
> Redhat's are not that much more complicated, but they do modify the
> default compiler options and turn off non-free ciphers (RC5, IDEA, etc).
> The compiler options this results in are:
>
> "-DTHREADS -D_REENTRANT -fPIC -ggdb -O2 -m486 -fno-strength-reduce -DNO_IDEA
> -DNO_MDC2 -DNO_RC5 -DNO_MD2 -DL_ENDIAN -DTERMIO -O2 -m486
> -fno-strength-reduce -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM"
>
> I am wondering if this is enough to break structure alignment. If
> so, is there any way of making OpenSSL more robust in the face of
> different compiler options?
>
OpenSSL isn't 100% binary compatible between versions. This causes all
manner of trouble with shared libraries.

However, if you are using the same version of OpenSSL then yes the
compilation options might themselves result in binary incompatibility.

I'm not sure about structure alignment but structure sizes could be a
problem. For example the EVP_CIPHER_CTX structure is currently handled
like this:

    EVP_CIPHER_CTX ctx;
    EVP_some_function(...,&ctx);

EVP_CIPHER_CTX contains lots of algorithm specific structures in a
union. If the largest is omitted it may reduce the size of the
structure. Code linked against such a library won't be able to use the
disabled algorithms of course. If the shared library is changed to one
which does include the (previously disabled) algorithms and the code
could use them, problems will arise because it will assume that
EVP_CIPHER_CTX is larger.

There are similar problems with EVP_MD_CTX.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
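The size mismatch described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: a caller-allocated context whose union shrinks when an algorithm is compiled out, plus a startup size check a caller could run. All `demo_*` names and the member sizes are hypothetical and constructed for illustration.

```c
/* Added illustration; demo_* names are hypothetical, not OpenSSL's. */
#include <stddef.h>
#include <stdio.h>

/* Per-algorithm key state; sizes are constructed for the demo. */
struct demo_small_ks { unsigned char k[16]; };
struct demo_large_ks { unsigned char k[208]; };  /* stands in for the largest cipher */

/* Context as laid out by a build with every algorithm enabled. */
struct demo_ctx_full {
    int cipher_id;
    union { struct demo_small_ks s; struct demo_large_ks l; } c;
};

/* Same context as laid out by a build made with a NO_xxx-style define. */
struct demo_ctx_reduced {
    int cipher_id;
    union { struct demo_small_ks s; } c;
};

/* "Library" side: reports the context size it was compiled with. */
size_t demo_lib_ctx_size(void) { return sizeof(struct demo_ctx_full); }

/* Bytes the library would touch beyond a caller-allocated context. */
size_t demo_overrun(size_t caller_size, size_t lib_size)
{
    return lib_size > caller_size ? lib_size - caller_size : 0;
}

/* Startup check for the caller: 0 = layouts agree, -1 = mismatch. */
int demo_abi_check(size_t caller_size)
{
    return caller_size == demo_lib_ctx_size() ? 0 : -1;
}

int main(void)
{
    size_t mine = sizeof(struct demo_ctx_reduced);  /* caller built on reduced headers */
    size_t lib  = demo_lib_ctx_size();              /* library swapped for a full build */
    printf("caller ctx: %zu bytes, library ctx: %zu bytes\n", mine, lib);
    printf("bytes past the caller's ctx: %zu\n", demo_overrun(mine, lib));
    printf("abi check: %s\n", demo_abi_check(mine) == 0 ? "ok" : "MISMATCH");
    return 0;
}
```

The caller here stack-allocates the reduced layout while the library assumes the full one, which is the case where the library's writes land outside the caller's object.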