debian: bump libssl3 dep floor to 3.0.8#449
Open
MarkAtwood wants to merge 1 commit into
Open
Conversation
The 3.0.3 floor was arbitrary. OpenSSL releases before 3.0.8 have two defects that break wolfProvider in ways we do not support: - Legacy-to-provider EC key export hardcodes compressed point format (fixed upstream in 999509c, first in 3.0.8). The provider rejects the compressed point and EVP silently falls back to built-in ECDSA for any d2i-loaded EC key, bypassing wolfCrypt. - Provider init re-enters libcrypto RAND when wolfProvider is built with --enable-seed-src and loaded during libcrypto initialization, failing the DSO load and crashing 'openssl list -providers'. 3.0.8+ made RAND/provider init re-entrancy safe. Require libssl3 >= 3.0.8 so the package cannot install onto a runtime where these silent-bypass/crash behaviors exist.
There was a problem hiding this comment.
Pull request overview
This PR updates the Debian packaging metadata to enforce a minimum supported OpenSSL runtime version for wolfProvider by raising the libssl3 dependency floor to a version that avoids known pre-3.0.8 OpenSSL defects that can impact correctness and stability.
Changes:
- Bump Debian runtime dependency
libssl3from>= 3.0.3to>= 3.0.8for thelibwolfprovbinary package.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
One-line packaging change:
Depends: libssl3 (>= 3.0.3)→(>= 3.0.8)indebian/control.Rather than carrying version-specific workarounds, wolfProvider does not support OpenSSL < 3.0.8. Two defects below that boundary bite wolfProvider:
wp_ecc_importrejects the compressed point and EVP core silently falls back to built-in legacy ECDSA for any d2i-loaded EC key — crypto escapes wolfCrypt with no error. Caught by unit test 116 on Ubuntu jammy (3.0.2).--enable-seed-src, provider init re-enters libcrypto RAND when wolfProvider is loaded during libcrypto initialization; on pre-3.0.8 this fails the DSO load and SIGSEGVsopenssl list -providers. 3.0.8+ made RAND/provider init re-entrancy safe.The new floor makes the package uninstallable on runtimes where those behaviors exist, instead of an arbitrary 3.0.3 that admits both.