- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running

   openssh binaries on a newer fix release than they were compiled on.
   with and ok dtucker@

diff --git a/ChangeLog b/ChangeLog
index ac8fd70b793f364f5a8255840d6c40511c1c889d..00be8d3673dfab36ecd61a06a38b9183beceec68 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 20120330
  - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING
    file from spec file.  From crighter at nuclioss com.
+ - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
+   openssh binaries on a newer fix release than they were compiled on.
+   with and ok dtucker@
 
 20120309
  - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux 

diff --git a/entropy.c b/entropy.c
index 2d6d3ec5251c70c957b8f364ec8919d56cd73cf3..2d483b39174cd3f833aa0c536181a658af473389 100644 (file)
--- a/entropy.c
+++ b/entropy.c
@@ -211,9 +211,14 @@ seed_rng(void)
 #endif
        /*
         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-        * We match major, minor, fix and status (not patch)
+        * We match major, minor, fix and status (not patch) for <1.0.0.
+        * After that, we acceptable compatible fix versions (so we
+        * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+        * within a patch series.
         */
-       if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
+       u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
+       if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+           (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
                fatal("OpenSSL version mismatch. Built against %lx, you "
                    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());