[Pkg-openssl-devel] Bug#793565: Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1
Marc Lehmann
schmorp at schmorp.de
Sat Jul 25 16:15:10 UTC 2015
On Sat, Jul 25, 2015 at 10:48:51AM +0200, Kurt Roeckx <kurt at roeckx.be> wrote:
> > upgrading libssl1.0.0 from 1.0.1k-3+deb8u1 to 1.0.2d-1 breaks HMAC
> > authentication in a gvpe compiled with 1.0.1k-3.
>
> I will need more information other than that it doesn't work.

Just ask, but without knowing what you want to know (you haven't said
anything), I can only guess.

> I don't have any idea who gvpe works.

Well, many people "work gvpe". Maybe you meant "how"? gvpe uses openssl's
HMAC (by default hmac-sha512) to verify packet integrity, and when
upgrading libssl to 1.0.2d-1, for some connections, every packet gets a
HMAC authentication error (causing complete loss of connectivity) that
goes away once libssl is downgraded again.

> > Since the ABI was apparently broken before (#788511), chances are high
> > that the fix in 1.0.2d-1 isn't effective and 1.0.2d-1 is still ABI
> > incompatible to the version in jessie.
>
> This is very unlikely. But if it's really the case rebuilding
> against that version should fix the issue.

I think you are not understanding the problem on a very basic level here
- rebuilding a program using a shared library will not and can not fix
bugs in that library. If libssl 1.0.2d-1 is incompatible to 1.0.1k-3
w.r.t. HMAC generation, then the only way to fix this is to patch and fix
libssl, OR bump the soname, to indicate an incompatible version.

--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / schmorp at schmorp.de
-=====/_/_//_/\_,_/ /_/\_\