Re: OpenSSL 1.1.0

To: Kurt Roeckx <kurt@roeckx.be>
Cc: debian-devel@lists.debian.org
Subject: Re: OpenSSL 1.1.0
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 23 Nov 2016 23:50:12 -0200
Message-id: <[🔎] 20161124015012.GA5102@khazad-dum.debian.net>
In-reply-to: <[🔎] 20161123233700.qqx3xvfigny7ed5y@roeckx.be>
References: <[🔎] e31aa628-9885-2403-bded-d9823f517df6@thykier.net> <[🔎] 20161114221614.s7unwm7v7axkhwc4@bunk.spdns.de> <[🔎] 20161115231538.ket2ziy6mcgfxtxk@breakpoint.cc> <[🔎] 20161116174944.mz7rmyb3igzksuiu@bunk.spdns.de> <[🔎] 20161116215317.lwpt7oaexauiz6x2@breakpoint.cc> <[🔎] 20161117111039.en3earxej5fakotp@bunk.spdns.de> <[🔎] 20161121101109.eag7zlnybwiyog6v@mac.home> <[🔎] 20161121130655.GA3748@x61s.reliablesolutions.de> <[🔎] 1479735013.3271507.794517385.7B1EBBB0@webmail.messagingengine.com> <[🔎] 20161123233700.qqx3xvfigny7ed5y@roeckx.be>

On Thu, 24 Nov 2016, Kurt Roeckx wrote:
> I've always had the impression that there are or used to be
> probems using using dlopen()/dlsym(). Maybe related to some things
> like RTDL_GLOBAL that causes the symbol lookup to go to the wrong
> library. Do you know of any problems related to that?

AFAIK, OpenSSL itself -- at least as packaged by Debian -- should not
get confused about where its *own* static globals are.  And any globals
it might export would also be fully ELF-symbol-versioned from what I can
see (objdump -tT).

If RTDL_GLOBAL is borking ELF symbol versioning, all bets are off.

Note: I have no idea what happens if you throw libssl.a into the mix
with a different version of libssl.so.  This kind of hell-born
braindamage can happen due to glibc nss modules, for example.

> Note that QT is one of those that uses dlopen()/dlsym() when
> calling openssl functions (for license reasons).

No comment I could make about this would be acceptable in polite
company.  Or in impolite company.  Or even during a sailor-class-cursing
competition.

> > So, if Qt *ever* exposes its use of openssl anywere in its APIs, it
> > might not be safe.   If it doesn't (i.e. at most you have a qt flag that
> > says "use SSL", etc), then it should be fine.
> 
> It seems to be doing this in qtbase5-private-dev. Not sure if
> there are actually any users of it.

If it does, all reverse *build* dependencies would need to be inspected,
then.

AFAIK, that means they must not link to anything that could link to a
different libssl than the one used by qt5.  If they do, everything needs
to be inspected down to the details to ensure nothing will ever leak
openssl contextes and data structures across a library boundary
(including the application).

-- 
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>

References:
- Re: OpenSSL 1.1.0
  - From: Niels Thykier <niels@thykier.net>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Tino Mettler <tino.mettler@tikei.de>
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>
- Re: OpenSSL 1.1.0
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: OpenSSL 1.1.0
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Rejecting SHA1-signed repositories by default
Next by Date: Re: OpenSSL 1.1.0
Previous by thread: Re: OpenSSL 1.1.0
Next by thread: Re: OpenSSL 1.1.0
Index(es):
- Date
- Thread