Re: OpenSSL 1.1.0

To: debian-devel@lists.debian.org
Subject: Re: OpenSSL 1.1.0
From: Adrian Bunk <bunk@stusta.de>
Date: Thu, 24 Nov 2016 19:23:22 +0200
Message-id: <[🔎] 20161124172322.byvlezd2d3ha7uur@bunk.spdns.de>
In-reply-to: <[🔎] 20161124165023.GA23382@khazad-dum.debian.net>
References: <[🔎] 20161116174944.mz7rmyb3igzksuiu@bunk.spdns.de> <[🔎] 20161116215317.lwpt7oaexauiz6x2@breakpoint.cc> <[🔎] 20161117111039.en3earxej5fakotp@bunk.spdns.de> <[🔎] 20161121101109.eag7zlnybwiyog6v@mac.home> <[🔎] 20161121130655.GA3748@x61s.reliablesolutions.de> <[🔎] 1479735013.3271507.794517385.7B1EBBB0@webmail.messagingengine.com> <[🔎] 20161123233700.qqx3xvfigny7ed5y@roeckx.be> <[🔎] 20161124015012.GA5102@khazad-dum.debian.net> <[🔎] 20161124135910.j5zpgjdzrqemi3au@bunk.spdns.de> <[🔎] 20161124165023.GA23382@khazad-dum.debian.net>

On Thu, Nov 24, 2016 at 02:50:23PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Nov 2016, Adrian Bunk wrote:
> > On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote:
> > > On Thu, 24 Nov 2016, Kurt Roeckx wrote:
> > >...
> > > > > So, if Qt *ever* exposes its use of openssl anywere in its APIs, it
> > > > > might not be safe.   If it doesn't (i.e. at most you have a qt flag that
> > > > > says "use SSL", etc), then it should be fine.
> > > > 
> > > > It seems to be doing this in qtbase5-private-dev. Not sure if
> > > > there are actually any users of it.
> > > 
> > > If it does, all reverse *build* dependencies would need to be inspected,
> > > then.
> > > 
> > > AFAIK, that means they must not link to anything that could link to a
> > > different libssl than the one used by qt5.  If they do, everything needs
> > > to be inspected down to the details to ensure nothing will ever leak
> > > openssl contextes and data structures across a library boundary
> > > (including the application).
> > 
> > If inspection is not easily possible, then adding a dependency on 
> > libssl1.0-dev to qtbase5-private-dev should be sufficient to
> > ensure that this is not leaked to a different OpenSSL version.
> 
> How so? 
> 
> Consider the flattened tree (app is the root, - denotes a branch).
> 
> A - B - App -  C - D
> 
> Where A and D are two versions of openssl. B and C are libs (suppose B
> comes from qtbase5-private-dev) from different source packages.

Where does App get the definitions/declarations for the contextes and 
data structures it could leak between A and D?

If they are part of the B API and part of the C API, then they are used 
in the header files shipped in b-dev and c-dev.

If both b-dev and c-dev would depend on the libssl*-dev they use,
then App cannot be compiled with both B and C unless these use
the same OpenSSL. Any mismatch would very quickly be reported
as a FTBFS bug.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to:

Follow-Ups:
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>

References:
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Tino Mettler <tino.mettler@tikei.de>
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>
- Re: OpenSSL 1.1.0
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: OpenSSL 1.1.0
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: OpenSSL 1.1.0
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: Certbot in Debian Stretch
Next by Date: Re: OpenSSL 1.1.0
Previous by thread: Re: OpenSSL 1.1.0
Next by thread: Re: OpenSSL 1.1.0
Index(es):
- Date
- Thread