Bug 2212

Summary: openssl version check should ignore status nibble
Product: Portable OpenSSH Reporter: Mike Frysinger <vapier>
Component: MiscellaneousAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm
Priority: P5    
Version: 6.5p1   
Hardware: All   
OS: All   

Description Mike Frysinger 2014-03-20 17:16:41 AEDT 
the current version check in entropy.c looks like:
   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
   if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||

this causes it to pay attention to the last nibble in the version field which makes no sense.  the only thing that part does is track whether the openssl in use is a dev, beta, or release.  so if you install 1.0.2-beta1, then build openssh, then install 1.0.2 (the release), this check rejects the openssl version.

this is documented in the openssl header:
/* Numeric release version identifier:
 * MNNFFPPS: major minor fix patch status
 * The status nibble has one of the values 0 for development, 1 to e for betas
 * 1 to 14, and f for release.  The patch level is exactly that.
 * For example:
 * 0.9.3-dev      0x00903000 
 * 0.9.3-beta1    0x00903001
...

simple patch to fix the openssh code:
-   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
+   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xfffffL : ~0xff0L;
Comment 1 Damien Miller 2014-04-17 09:44:14 AEST 
This is working as intended - we don't trust OpenSSL to to keep dev and beta branches binary compatible with releases.
Comment 2 Damien Miller 2016-08-02 10:42:21 AEST 
Close all resolved bugs after 7.3p1 release