Hi, On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote: > * James Cowgill: [...] > > One thing which was suggested was to use 1.3.14 and then disable at > > compile time all the new features which may affect the ABI and then > > revert the SONAME change, but is doing that actually allowed for the > > security archive or will the update be too big? > > We can do that, but I don't know if it is a good idea to patch > cryptographic software in such extensive ways. > > We can live with the addition of new symbols, but removal of symbols, > changes in struct sizes or offsets, and so on, would be hugely > problematic. For are start, you could just build both the old and new > versions and run libabigail on them, to get an idea what actually did > change.
So I checked the ABI and had to revert a few commits. I've attached the original libabigail diff (all against upstream versions) and the diff after my patches. The variables don't look to me like they were ever intended to be part of the public ABI so I don't think they're that important. My changes are here: https://github.com/jcowgill/mbedtls/commits/debian-jessie-compatibility Unfortunately there was quite a lot I had to do: $ git diff --stat mbedtls-1.3.14 debian-jessie-compatibility include/polarssl/asn1.h | 1 - include/polarssl/config.h | 8 +- include/polarssl/pk.h | 13 ---- include/polarssl/ssl.h | 49 +----------- include/polarssl/x509.h | 1 + library/Makefile | 20 ++--- library/pk.c | 26 ------- library/pk_wrap.c | 56 +------------- library/ssl_cli.c | 15 ---- library/ssl_srv.c | 10 +-- library/ssl_tls.c | 43 +++-------- library/x509.c | 56 ++++++-------- library/x509_crt.c | 4 - programs/ssl/ssl_client1.c | 2 - programs/ssl/ssl_client2.c | 15 ---- programs/ssl/ssl_fork_server.c | 2 - programs/ssl/ssl_mail_client.c | 2 - programs/ssl/ssl_pthread_server.c | 2 - programs/ssl/ssl_server.c | 2 - programs/ssl/ssl_server2.c | 35 +-------- tests/compat.sh | 2 +- tests/ssl-opt.sh | 136 ++++----------------------------- tests/suites/test_suite_pk.data | 20 ----- tests/suites/test_suite_pk.function | 29 ------- tests/suites/test_suite_x509parse.data | 6 +- 25 files changed, 73 insertions(+), 482 deletions(-) So any potential upload to jessie would include upstream 1.3.14, the above patches, and the existing config changes in Debian's 1.3.9. James
Functions changes summary: 0 Removed, 0 Changed, 6 Added functions
Variables changes summary: 80 Removed, 0 Changed, 0 Added variables
6 Added functions:
'function void debug_print_msg_free(const ssl_context*, int, const char*,
int, char*)' {debug_print_msg_free}
'function int ecp_check_pub_priv(const ecp_keypair*, const ecp_keypair*)'
{ecp_check_pub_priv}
'function int pk_load_file(const char*, unsigned char**, size_t*)'
{pk_load_file}
'function int rsa_check_pub_priv(const rsa_context*, const rsa_context*)'
{rsa_check_pub_priv}
'function int x509_crl_parse_der(x509_crl*, const unsigned char*, size_t)'
{x509_crl_parse_der}
'function int x509_crt_verify_info(char*, size_t, const char*, int)'
{x509_crt_verify_info}
80 Removed variables:
'int add_index[6]' {add_index}
'size_t add_len[6]' {add_len}
'unsigned char additional[6][64]' {additional}
'const cipher_info_t aes_128_cbc_info' {aes_128_cbc_info}
'const cipher_info_t aes_128_ccm_info' {aes_128_ccm_info}
'const cipher_info_t aes_128_cfb128_info' {aes_128_cfb128_info}
'const cipher_info_t aes_128_ctr_info' {aes_128_ctr_info}
'const cipher_info_t aes_128_ecb_info' {aes_128_ecb_info}
'const cipher_info_t aes_128_gcm_info' {aes_128_gcm_info}
'const cipher_info_t aes_192_cbc_info' {aes_192_cbc_info}
'const cipher_info_t aes_192_ccm_info' {aes_192_ccm_info}
'const cipher_info_t aes_192_cfb128_info' {aes_192_cfb128_info}
'const cipher_info_t aes_192_ctr_info' {aes_192_ctr_info}
'const cipher_info_t aes_192_ecb_info' {aes_192_ecb_info}
'const cipher_info_t aes_192_gcm_info' {aes_192_gcm_info}
'const cipher_info_t aes_256_cbc_info' {aes_256_cbc_info}
'const cipher_info_t aes_256_ccm_info' {aes_256_ccm_info}
'const cipher_info_t aes_256_cfb128_info' {aes_256_cfb128_info}
'const cipher_info_t aes_256_ctr_info' {aes_256_ctr_info}
'const cipher_info_t aes_256_ecb_info' {aes_256_ecb_info}
'const cipher_info_t aes_256_gcm_info' {aes_256_gcm_info}
'const cipher_base_t aes_info' {aes_info}
'const cipher_info_t arc4_128_info' {arc4_128_info}
'const cipher_base_t arc4_base_info' {arc4_base_info}
'const cipher_info_t blowfish_cbc_info' {blowfish_cbc_info}
'const cipher_info_t blowfish_cfb64_info' {blowfish_cfb64_info}
'const cipher_info_t blowfish_ctr_info' {blowfish_ctr_info}
'const cipher_info_t blowfish_ecb_info' {blowfish_ecb_info}
'const cipher_base_t blowfish_info' {blowfish_info}
'const cipher_info_t camellia_128_cbc_info' {camellia_128_cbc_info}
'const cipher_info_t camellia_128_ccm_info' {camellia_128_ccm_info}
'const cipher_info_t camellia_128_cfb128_info' {camellia_128_cfb128_info}
'const cipher_info_t camellia_128_ctr_info' {camellia_128_ctr_info}
'const cipher_info_t camellia_128_ecb_info' {camellia_128_ecb_info}
'const cipher_info_t camellia_128_gcm_info' {camellia_128_gcm_info}
'const cipher_info_t camellia_192_cbc_info' {camellia_192_cbc_info}
'const cipher_info_t camellia_192_ccm_info' {camellia_192_ccm_info}
'const cipher_info_t camellia_192_cfb128_info' {camellia_192_cfb128_info}
'const cipher_info_t camellia_192_ctr_info' {camellia_192_ctr_info}
'const cipher_info_t camellia_192_ecb_info' {camellia_192_ecb_info}
'const cipher_info_t camellia_192_gcm_info' {camellia_192_gcm_info}
'const cipher_info_t camellia_256_cbc_info' {camellia_256_cbc_info}
'const cipher_info_t camellia_256_ccm_info' {camellia_256_ccm_info}
'const cipher_info_t camellia_256_cfb128_info' {camellia_256_cfb128_info}
'const cipher_info_t camellia_256_ctr_info' {camellia_256_ctr_info}
'const cipher_info_t camellia_256_ecb_info' {camellia_256_ecb_info}
'const cipher_info_t camellia_256_gcm_info' {camellia_256_gcm_info}
'const cipher_base_t camellia_info' {camellia_info}
'const cipher_base_t ccm_aes_info' {ccm_aes_info}
'const cipher_base_t ccm_camellia_info' {ccm_camellia_info}
'unsigned char ct[18][64]' {ct}
'const cipher_info_t des_cbc_info' {des_cbc_info}
'const cipher_info_t des_ecb_info' {des_ecb_info}
'const cipher_info_t des_ede3_cbc_info' {des_ede3_cbc_info}
'const cipher_info_t des_ede3_ecb_info' {des_ede3_ecb_info}
'const cipher_base_t des_ede3_info' {des_ede3_info}
'const cipher_info_t des_ede_cbc_info' {des_ede_cbc_info}
'const cipher_info_t des_ede_ecb_info' {des_ede_ecb_info}
'const cipher_base_t des_ede_info' {des_ede_info}
'const cipher_base_t des_info' {des_info}
'const char* features[115]' {features}
'const cipher_base_t gcm_aes_info' {gcm_aes_info}
'const cipher_base_t gcm_camellia_info' {gcm_camellia_info}
'uint32_t it_cnt[6]' {it_cnt}
'unsigned char iv[6][64]' {iv}
'int iv_index[6]' {iv_index}
'size_t iv_len[6]' {iv_len}
'unsigned char key[6][32]' {key}
'int key_index[6]' {key_index}
'uint32_t key_len[6]' {key_len}
'unsigned char password[6][32]' {password}
'size_t plen[6]' {plen}
'unsigned char pt[6][64]' {pt}
'int pt_index[6]' {pt_index}
'size_t pt_len[6]' {pt_len}
'unsigned char result_key[6][32]' {result_key}
'unsigned char salt[6][40]' {salt}
'size_t slen[6]' {slen}
'unsigned char tag[18][16]' {tag}
'const char[6] version' {version}
ELF SONAME changed
Functions changes summary: 1 Removed, 4 Changed (162 filtered out), 13 Added
functions
Variables changes summary: 80 Removed, 0 Changed (5 filtered out), 0 Added
variables
SONAME changed from 'libpolarssl.so.7' to 'libmbedtls.so.9'
1 Removed function:
'function int x509_load_file(const char*, unsigned char**, size_t*)'
{x509_load_file}
13 Added functions:
'function void debug_print_msg_free(const ssl_context*, int, const char*,
int, char*)' {debug_print_msg_free}
'function int ecp_check_pub_priv(const ecp_keypair*, const ecp_keypair*)'
{ecp_check_pub_priv}
'function int pk_check_pair(const pk_context*, const pk_context*)'
{pk_check_pair}
'function int pk_load_file(const char*, unsigned char**, size_t*)'
{pk_load_file}
'function int rsa_check_pub_priv(const rsa_context*, const rsa_context*)'
{rsa_check_pub_priv}
'function void ssl_set_arc4_support(ssl_context*, char)'
{ssl_set_arc4_support}
'function void ssl_set_cbc_record_splitting(ssl_context*, char)'
{ssl_set_cbc_record_splitting}
'function void ssl_set_encrypt_then_mac(ssl_context*, char)'
{ssl_set_encrypt_then_mac}
'function void ssl_set_extended_master_secret(ssl_context*, char)'
{ssl_set_extended_master_secret}
'function void ssl_set_fallback(ssl_context*, char)' {ssl_set_fallback}
'function void ssl_set_renegotiation_period(ssl_context*, const unsigned
char*)' {ssl_set_renegotiation_period}
'function int x509_crl_parse_der(x509_crl*, const unsigned char*, size_t)'
{x509_crl_parse_der}
'function int x509_crt_verify_info(char*, size_t, const char*, int)'
{x509_crt_verify_info}
4 functions with some indirect sub-type change:
[C]'function asn1_named_data* asn1_find_named_data(asn1_named_data*, const
char*, size_t)' has some indirect sub-type changes:
return type changed:
in pointed to type 'typedef asn1_named_data':
underlying type 'struct _asn1_named_data' changed:
type size changed from 448 to 512 bits
1 data member insertion:
'unsigned char _asn1_named_data::next_merged', at offset 448 (in
bits)
no data member change (1 filtered);
[C]'function void debug_print_buf(const ssl_context*, int, const char*, int,
const char*, unsigned char*, size_t)' has some indirect sub-type changes:
parameter 1 of type 'const ssl_context*' has sub-type changes:
in pointed to type 'const ssl_context':
in unqualified underlying type 'typedef ssl_context':
underlying type 'struct _ssl_context' changed:
type size changed from 5824 to 5888 bits
6 data member insertions:
'char _ssl_context::fallback', at offset 288 (in bits)
'char _ssl_context::encrypt_then_mac', at offset 296 (in bits)
'char _ssl_context::extended_ms', at offset 304 (in bits)
'char _ssl_context::arc4_disabled', at offset 312 (in bits)
'signed char _ssl_context::split_done', at offset 3208 (in bits)
'unsigned char _ssl_context::renego_period[8]', at offset 3776
(in bits)
24 data member changes (4 filtered):
type of 'ssl_session* _ssl_context::session' changed:
in pointed to type 'typedef ssl_session':
underlying type 'struct _ssl_session' changed:
1 data member insertion:
'int _ssl_session::encrypt_then_mac', at offset 1184 (in
bits)
no data member change (1 filtered);
type of 'ssl_handshake_params* _ssl_context::handshake' changed:
in pointed to type 'typedef ssl_handshake_params':
underlying type 'struct _ssl_handshake_params' changed:
type size changed from 25856 to 25920 bits
1 data member insertion:
'int _ssl_handshake_params::extended_ms', at offset 25856
(in bits)
no data member changes (2 filtered);
type of 'x509_crt* _ssl_context::ca_chain' changed:
in pointed to type 'typedef x509_crt':
underlying type 'struct _x509_crt' changed:
type size changed from 4480 to 4608 bits
20 data member changes (1 filtered):
'x509_name _x509_crt::subject' offset changed from 1664 to
1728 (in bits)
'x509_time _x509_crt::valid_from' offset changed from 2112
to 2240 (in bits)
'x509_time _x509_crt::valid_to' offset changed from 2304 to
2432 (in bits)
type of 'pk_context _x509_crt::pk' changed:
underlying type 'struct __anonymous_struct__' changed:
1 data member change:
type of 'const pk_info_t*
__anonymous_struct__::pk_info' changed:
in pointed to type 'const pk_info_t':
in unqualified underlying type 'typedef pk_info_t':
underlying type 'struct __anonymous_struct__'
changed:
type size changed from 704 to 768 bits
and offset changed from 2496 to 2624 (in bits)
'x509_buf _x509_crt::issuer_id' offset changed from 2624 to
2752 (in bits)
'x509_buf _x509_crt::subject_id' offset changed from 2816
to 2944 (in bits)
'x509_buf _x509_crt::v3_ext' offset changed from 3008 to
3136 (in bits)
'x509_sequence _x509_crt::subject_alt_names' offset changed
from 3200 to 3328 (in bits)
'int _x509_crt::ext_types' offset changed from 3456 to 3584
(in bits)
'int _x509_crt::ca_istrue' offset changed from 3488 to 3616
(in bits)
'int _x509_crt::max_pathlen' offset changed from 3520 to
3648 (in bits)
'unsigned char _x509_crt::key_usage' offset changed from
3552 to 3680 (in bits)
'x509_sequence _x509_crt::ext_key_usage' offset changed
from 3584 to 3712 (in bits)
'unsigned char _x509_crt::ns_cert_type' offset changed from
3840 to 3968 (in bits)
'x509_buf _x509_crt::sig_oid2' offset changed from 3904 to
4032 (in bits)
'x509_buf _x509_crt::sig' offset changed from 4096 to 4224
(in bits)
'md_type_t _x509_crt::sig_md' offset changed from 4288 to
4416 (in bits)
'pk_type_t _x509_crt::sig_pk' offset changed from 4320 to
4448 (in bits)
'void* _x509_crt::sig_opts' offset changed from 4352 to
4480 (in bits)
'_x509_crt* _x509_crt::next' offset changed from 4416 to
4544 (in bits)
type of 'x509_crl* _ssl_context::ca_crl' changed:
in pointed to type 'typedef x509_crl':
underlying type 'struct _x509_crl' changed:
type size changed from 3264 to 3328 bits
10 data member changes (1 filtered):
'x509_time _x509_crl::this_update' offset changed from 1280
to 1344 (in bits)
'x509_time _x509_crl::next_update' offset changed from 1472
to 1536 (in bits)
'x509_crl_entry _x509_crl::entry' offset changed from 1664
to 1728 (in bits)
'x509_buf _x509_crl::crl_ext' offset changed from 2496 to
2560 (in bits)
'x509_buf _x509_crl::sig_oid2' offset changed from 2688 to
2752 (in bits)
'x509_buf _x509_crl::sig' offset changed from 2880 to 2944
(in bits)
'md_type_t _x509_crl::sig_md' offset changed from 3072 to
3136 (in bits)
'pk_type_t _x509_crl::sig_pk' offset changed from 3104 to
3168 (in bits)
'void* _x509_crl::sig_opts' offset changed from 3136 to
3200 (in bits)
'_x509_crl* _x509_crl::next' offset changed from 3200 to
3264 (in bits)
'int _ssl_context::allow_legacy_renegotiation' offset changed from
3744 to 3840 (in bits)
'int _ssl_context::renego_max_records' offset changed from 3776 to
3744 (in bits)
'const int* _ssl_context::ciphersuite_list[4]' offset changed from
3840 to 3904 (in bits)
'int _ssl_context::trunc_hmac' offset changed from 4096 to 4160
(in bits)
'int _ssl_context::session_tickets' offset changed from 4128 to
4192 (in bits)
'int _ssl_context::ticket_lifetime' offset changed from 4160 to
4224 (in bits)
'mpi _ssl_context::dhm_P' offset changed from 4224 to 4288 (in
bits)
'mpi _ssl_context::dhm_G' offset changed from 4416 to 4480 (in
bits)
'unsigned char* _ssl_context::psk' offset changed from 4608 to
4672 (in bits)
'size_t _ssl_context::psk_len' offset changed from 4672 to 4736
(in bits)
'unsigned char* _ssl_context::psk_identity' offset changed from
4736 to 4800 (in bits)
'size_t _ssl_context::psk_identity_len' offset changed from 4800
to 4864 (in bits)
'unsigned char* _ssl_context::hostname' offset changed from 4864
to 4928 (in bits)
'size_t _ssl_context::hostname_len' offset changed from 4928 to
4992 (in bits)
'const char** _ssl_context::alpn_list' offset changed from 4992 to
5056 (in bits)
'const char* _ssl_context::alpn_chosen' offset changed from 5056
to 5120 (in bits)
'int _ssl_context::secure_renegotiation' offset changed from 5120
to 5184 (in bits)
'size_t _ssl_context::verify_data_len' offset changed from 5184 to
5248 (in bits)
'char _ssl_context::own_verify_data[36]' offset changed from 5248
to 5312 (in bits)
'char _ssl_context::peer_verify_data[36]' offset changed from 5536
to 5600 (in bits)
[C]'function int ssl_check_cert_usage(const x509_crt*, const
ssl_ciphersuite_t*, int)' has some indirect sub-type changes:
parameter 4 of type 'int*' was added
[C]'function void x509_csr_free(x509_csr*)' has some indirect sub-type
changes:
parameter 1 of type 'x509_csr*' has sub-type changes:
in pointed to type 'typedef x509_csr':
underlying type 'struct _x509_csr' changed:
type size changed from 1728 to 1792 bits
6 data member changes (1 filtered):
'pk_context _x509_csr::pk' offset changed from 1088 to 1152 (in bits)
'x509_buf _x509_csr::sig_oid' offset changed from 1216 to 1280 (in
bits)
'x509_buf _x509_csr::sig' offset changed from 1408 to 1472 (in bits)
'md_type_t _x509_csr::sig_md' offset changed from 1600 to 1664 (in
bits)
'pk_type_t _x509_csr::sig_pk' offset changed from 1632 to 1696 (in
bits)
'void* _x509_csr::sig_opts' offset changed from 1664 to 1728 (in
bits)
80 Removed variables:
'int add_index[6]' {add_index}
'size_t add_len[6]' {add_len}
'unsigned char additional[6][64]' {additional}
'const cipher_info_t aes_128_cbc_info' {aes_128_cbc_info}
'const cipher_info_t aes_128_ccm_info' {aes_128_ccm_info}
'const cipher_info_t aes_128_cfb128_info' {aes_128_cfb128_info}
'const cipher_info_t aes_128_ctr_info' {aes_128_ctr_info}
'const cipher_info_t aes_128_ecb_info' {aes_128_ecb_info}
'const cipher_info_t aes_128_gcm_info' {aes_128_gcm_info}
'const cipher_info_t aes_192_cbc_info' {aes_192_cbc_info}
'const cipher_info_t aes_192_ccm_info' {aes_192_ccm_info}
'const cipher_info_t aes_192_cfb128_info' {aes_192_cfb128_info}
'const cipher_info_t aes_192_ctr_info' {aes_192_ctr_info}
'const cipher_info_t aes_192_ecb_info' {aes_192_ecb_info}
'const cipher_info_t aes_192_gcm_info' {aes_192_gcm_info}
'const cipher_info_t aes_256_cbc_info' {aes_256_cbc_info}
'const cipher_info_t aes_256_ccm_info' {aes_256_ccm_info}
'const cipher_info_t aes_256_cfb128_info' {aes_256_cfb128_info}
'const cipher_info_t aes_256_ctr_info' {aes_256_ctr_info}
'const cipher_info_t aes_256_ecb_info' {aes_256_ecb_info}
'const cipher_info_t aes_256_gcm_info' {aes_256_gcm_info}
'const cipher_base_t aes_info' {aes_info}
'const cipher_info_t arc4_128_info' {arc4_128_info}
'const cipher_base_t arc4_base_info' {arc4_base_info}
'const cipher_info_t blowfish_cbc_info' {blowfish_cbc_info}
'const cipher_info_t blowfish_cfb64_info' {blowfish_cfb64_info}
'const cipher_info_t blowfish_ctr_info' {blowfish_ctr_info}
'const cipher_info_t blowfish_ecb_info' {blowfish_ecb_info}
'const cipher_base_t blowfish_info' {blowfish_info}
'const cipher_info_t camellia_128_cbc_info' {camellia_128_cbc_info}
'const cipher_info_t camellia_128_ccm_info' {camellia_128_ccm_info}
'const cipher_info_t camellia_128_cfb128_info' {camellia_128_cfb128_info}
'const cipher_info_t camellia_128_ctr_info' {camellia_128_ctr_info}
'const cipher_info_t camellia_128_ecb_info' {camellia_128_ecb_info}
'const cipher_info_t camellia_128_gcm_info' {camellia_128_gcm_info}
'const cipher_info_t camellia_192_cbc_info' {camellia_192_cbc_info}
'const cipher_info_t camellia_192_ccm_info' {camellia_192_ccm_info}
'const cipher_info_t camellia_192_cfb128_info' {camellia_192_cfb128_info}
'const cipher_info_t camellia_192_ctr_info' {camellia_192_ctr_info}
'const cipher_info_t camellia_192_ecb_info' {camellia_192_ecb_info}
'const cipher_info_t camellia_192_gcm_info' {camellia_192_gcm_info}
'const cipher_info_t camellia_256_cbc_info' {camellia_256_cbc_info}
'const cipher_info_t camellia_256_ccm_info' {camellia_256_ccm_info}
'const cipher_info_t camellia_256_cfb128_info' {camellia_256_cfb128_info}
'const cipher_info_t camellia_256_ctr_info' {camellia_256_ctr_info}
'const cipher_info_t camellia_256_ecb_info' {camellia_256_ecb_info}
'const cipher_info_t camellia_256_gcm_info' {camellia_256_gcm_info}
'const cipher_base_t camellia_info' {camellia_info}
'const cipher_base_t ccm_aes_info' {ccm_aes_info}
'const cipher_base_t ccm_camellia_info' {ccm_camellia_info}
'unsigned char ct[18][64]' {ct}
'const cipher_info_t des_cbc_info' {des_cbc_info}
'const cipher_info_t des_ecb_info' {des_ecb_info}
'const cipher_info_t des_ede3_cbc_info' {des_ede3_cbc_info}
'const cipher_info_t des_ede3_ecb_info' {des_ede3_ecb_info}
'const cipher_base_t des_ede3_info' {des_ede3_info}
'const cipher_info_t des_ede_cbc_info' {des_ede_cbc_info}
'const cipher_info_t des_ede_ecb_info' {des_ede_ecb_info}
'const cipher_base_t des_ede_info' {des_ede_info}
'const cipher_base_t des_info' {des_info}
'const char* features[115]' {features}
'const cipher_base_t gcm_aes_info' {gcm_aes_info}
'const cipher_base_t gcm_camellia_info' {gcm_camellia_info}
'uint32_t it_cnt[6]' {it_cnt}
'unsigned char iv[6][64]' {iv}
'int iv_index[6]' {iv_index}
'size_t iv_len[6]' {iv_len}
'unsigned char key[6][32]' {key}
'int key_index[6]' {key_index}
'uint32_t key_len[6]' {key_len}
'unsigned char password[6][32]' {password}
'size_t plen[6]' {plen}
'unsigned char pt[6][64]' {pt}
'int pt_index[6]' {pt_index}
'size_t pt_len[6]' {pt_len}
'unsigned char result_key[6][32]' {result_key}
'unsigned char salt[6][40]' {salt}
'size_t slen[6]' {slen}
'unsigned char tag[18][16]' {tag}
'const char[6] version' {version}
signature.asc
Description: This is a digitally signed message part
