[HEADSUP] ABI breakage in OpenSSL 1.0.2b

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Jun 12 10:52:00 GMT 2015


Hi guys,


this is a friendly warning that the latest OpenSSL version not only
introduced security bugfixes, but unfortunately also an inadvertent ABI
breakage.

Specifically, the HMAC_CTX structure has a new "key_init" field of type
integer:

  --- a/crypto/hmac/hmac.h
  +++ b/crypto/hmac/hmac.h
  @@ -75,6 +75,7 @@ typedef struct hmac_ctx_st {
       EVP_MD_CTX o_ctx;
       unsigned int key_length;
       unsigned char key[HMAC_MAX_MD_CBLOCK];
  +    int key_init;
   } HMAC_CTX;
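Review bot: appending `int key_init;` to `struct hmac_ctx_st` changes sizeof(HMAC_CTX), and since HMAC_CTX is a public typedef that applications allocate themselves (on the stack or with their own sizeof), a 1.0.2b library will read and write `key_init` past the end of contexts allocated by binaries compiled against the previous header. A change to a public struct's size in a patch release needs either a layout-preserving alternative (keeping the new state out of the exposed struct) or an explicit ABI/SONAME bump with a release note, and the hunk carries neither.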

Thus the size of HMAC_CTX changed, which breaks binary compatibility.

The problem is currently discussed in the OpenSSL community:

https://mta.openssl.org/pipermail/openssl-dev/2015-June/001788.html

OpenSSH 6.8p1 is not affected, but there's no guarantee that other
tools linked against OpenSSL might not crash when using crypto
functions.

What you should do for the time being:

- Update to OpenSSL 1.0.2b and use it in the first place for security
  reasons.

- If you have an application which suddenly crashes with 1.0.2b, and if
  this application is crucial for your daily work, and if you're sure
  that the security problems fixed in 1.0.2b don't affect you, then, and
  only then, revert to OpenSSL 1.0.2a.

- If you *build* applications linked against OpenSSL, continue linking
  against openssl-devel-1.0.2a-1.

I'll keep you informed (probably by updating OpenSSL) as soon as the
problem has been addressed upstream.


Cheers,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
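The following program is an added illustration, not part of Corinna's mail and not OpenSSL's own code. It mirrors the shape of the hunk quoted above with stand-in struct definitions (EVP_MD_CTX is replaced by a dummy type, and the names OLD_HMAC_CTX, NEW_HMAC_CTX, caller_buffer_is_safe, hmac_ctx_new and hmac_ctx_free are all assumptions made for the example) to show two things: why adding a field to a public struct changes sizeof() and makes a caller-allocated context too small for the newer library, and the opaque-handle pattern in which the library allocates the context itself so that its size is never baked into application binaries.

```c
/* Added illustration (not from the Cygwin mail or from OpenSSL): why adding a
 * field to a public struct breaks binary compatibility, and the opaque-handle
 * pattern that avoids it. The struct bodies are stand-ins mirroring the hunk
 * in the mail; EVP_MD_CTX is replaced by a dummy type. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HMAC_MAX_MD_CBLOCK 128   /* matches the constant in 1.0.x hmac.h */

/* Stand-in for EVP_MD_CTX so the example builds without OpenSSL headers. */
typedef struct { unsigned char opaque[32]; } FAKE_MD_CTX;

/* Layout an application compiled against the 1.0.2a header believes in. */
typedef struct {
    FAKE_MD_CTX md_ctx, i_ctx, o_ctx;
    unsigned int key_length;
    unsigned char key[HMAC_MAX_MD_CBLOCK];
} OLD_HMAC_CTX;

/* Layout the 1.0.2b library actually uses: the hunk appends key_init. */
typedef struct {
    FAKE_MD_CTX md_ctx, i_ctx, o_ctx;
    unsigned int key_length;
    unsigned char key[HMAC_MAX_MD_CBLOCK];
    int key_init;
} NEW_HMAC_CTX;

size_t old_ctx_size(void) { return sizeof(OLD_HMAC_CTX); }
size_t new_ctx_size(void) { return sizeof(NEW_HMAC_CTX); }

/* A caller that allocates the context itself (on the stack, or with
 * malloc(sizeof(HMAC_CTX)) from its own header) hands the library a buffer of
 * caller_size bytes. The library will touch library_size bytes of it, so the
 * buffer is only safe when it is at least that large. */
int caller_buffer_is_safe(size_t caller_size, size_t library_size)
{
    return caller_size >= library_size;
}

/* Opaque-handle pattern (hypothetical API names): the library allocates and
 * frees the context, so the application never depends on sizeof() and a new
 * field stops being an ABI break. */
NEW_HMAC_CTX *hmac_ctx_new(void)
{
    return calloc(1, sizeof(NEW_HMAC_CTX));
}

void hmac_ctx_free(NEW_HMAC_CTX *ctx)
{
    if (ctx != NULL) {
        memset(ctx, 0, sizeof *ctx);   /* scrub key material before release */
        free(ctx);
    }
}

/* Allocate through the library, use the new field, release; returns 1 on
 * success so the round trip can be checked without relying on sizeof(). */
int opaque_roundtrip(void)
{
    NEW_HMAC_CTX *ctx = hmac_ctx_new();
    if (ctx == NULL)
        return 0;
    ctx->key_init = 1;
    hmac_ctx_free(ctx);
    return 1;
}

int main(void)
{
    printf("sizeof(OLD_HMAC_CTX) = %zu\n", old_ctx_size());
    printf("sizeof(NEW_HMAC_CTX) = %zu\n", new_ctx_size());
    printf("buffer from a 1.0.2a-compiled caller safe for the 1.0.2b library? %s\n",
           caller_buffer_is_safe(old_ctx_size(), new_ctx_size()) ? "yes" : "no");
    printf("opaque handle round trip: %s\n", opaque_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The same mismatch is what the mail warns about: a binary built against the 1.0.2a header allocates the smaller layout, and a 1.0.2b library writing `key_init` runs past the end of it. Continuing to link against openssl-devel-1.0.2a-1, as the mail advises, keeps the application's idea of the size in step with the library it was built for; an opaque handle removes that dependency altogether.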