Skip to content

debian: bump libssl3 dep floor to 3.0.8#449

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:bump-libssl3-dep-floor
Open

debian: bump libssl3 dep floor to 3.0.8#449
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:bump-libssl3-dep-floor

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jul 16, 2026

Copy link
Copy Markdown

One-line packaging change: Depends: libssl3 (>= 3.0.3)(>= 3.0.8) in debian/control.

Rather than carrying version-specific workarounds, wolfProvider does not support OpenSSL < 3.0.8. Two defects below that boundary bite wolfProvider:

  1. Silent EC provider bypass: pre-3.0.8 legacy-to-provider EC key export hardcodes compressed point form (fixed upstream in openssl/openssl@999509c, first released in 3.0.8). wp_ecc_import rejects the compressed point and EVP core silently falls back to built-in legacy ECDSA for any d2i-loaded EC key — crypto escapes wolfCrypt with no error. Caught by unit test 116 on Ubuntu jammy (3.0.2).
  2. seed-src init crash: with --enable-seed-src, provider init re-enters libcrypto RAND when wolfProvider is loaded during libcrypto initialization; on pre-3.0.8 this fails the DSO load and SIGSEGVs openssl list -providers. 3.0.8+ made RAND/provider init re-entrancy safe.

The new floor makes the package uninstallable on runtimes where those behaviors exist, instead of an arbitrary 3.0.3 that admits both.

The 3.0.3 floor was arbitrary. OpenSSL releases before 3.0.8 have two
defects that break wolfProvider in ways we do not support:

- Legacy-to-provider EC key export hardcodes compressed point format
  (fixed upstream in 999509c, first in 3.0.8). The provider rejects the
  compressed point and EVP silently falls back to built-in ECDSA for
  any d2i-loaded EC key, bypassing wolfCrypt.
- Provider init re-enters libcrypto RAND when wolfProvider is built
  with --enable-seed-src and loaded during libcrypto initialization,
  failing the DSO load and crashing 'openssl list -providers'.
  3.0.8+ made RAND/provider init re-entrancy safe.

Require libssl3 >= 3.0.8 so the package cannot install onto a runtime
where these silent-bypass/crash behaviors exist.
Copilot AI review requested due to automatic review settings July 16, 2026 19:11

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Debian packaging metadata to enforce a minimum supported OpenSSL runtime version for wolfProvider by raising the libssl3 dependency floor to a version that avoids known pre-3.0.8 OpenSSL defects that can impact correctness and stability.

Changes:

  • Bump Debian runtime dependency libssl3 from >= 3.0.3 to >= 3.0.8 for the libwolfprov binary package.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants