Bug 2212 - openssl version check should ignore status nibble
Summary: openssl version check should ignore status nibble
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 6.5p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2014-03-20 17:16 AEDT by Mike Frysinger
Modified: 2016-08-02 10:42 AEST
Description Mike Frysinger 2014-03-20 17:16:41 AEDT
The current version check in entropy.c looks like:
   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
   if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||

This causes it to pay attention to the last nibble in the version field, which makes no sense. The only thing that part does is track whether the OpenSSL in use is a dev, beta, or release. So if you install 1.0.2-beta1, then build OpenSSH, then install 1.0.2 (the release), this check rejects the OpenSSL version.

This is documented in the OpenSSL header:
/* Numeric release version identifier:
 * MNNFFPPS: major minor fix patch status
 * The status nibble has one of the values 0 for development, 1 to e for betas
 * 1 to 14, and f for release.  The patch level is exactly that.
 * For example:
 * 0.9.3-dev      0x00903000 
 * 0.9.3-beta1    0x00903001
...

Simple patch to fix the OpenSSH code:
-   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
+   u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xfffffL : ~0xff0L;
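Review bot: masking the status nibble widens the match in both directions, not only beta-to-release: because the test is an XOR, an sshd built against a 1.0.2 release (status f) will also accept a 1.0.2-dev (status 0) or any 1.0.2-betaN library at run time, which the description does not mention and which asserts more binary compatibility than the motivating case needs. The pre-1.0.0 branch (~0xff0L) still compares the status nibble, so the two branches now disagree on whether it matters; either mask it in both and say why it never matters, or explain in the description why only the >= 1.0.0 branch should ignore it.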
Comment 1 Damien Miller 2014-04-17 09:44:14 AEST
This is working as intended - we don't trust OpenSSL to keep dev and beta branches binary compatible with releases.
Comment 2 Damien Miller 2016-08-02 10:42:21 AEST
Close all resolved bugs after 7.3p1 release
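The following is an added example, not code from OpenSSH or OpenSSL. It packs and unpacks the MNNFFPPS layout quoted from the OpenSSL header in the description, reproduces the two mask expressions from entropy.c (shipped and as proposed in the report) and the XOR-and-mask half of the check, and walks through the beta-vs-release case plus the reverse case that Comment 1 objects to (a release build meeting a dev or beta library at run time). The human-readable formatter is an assumption for display only (patch levels 1..26 shown as letters a..z, as in 0.9.8y); the version numbers in the table are constructed from the header's encoding rule.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH's or OpenSSL's own code.  MNNFFPPS layout
 * (major, minor, fix, patch, status) as documented in the OpenSSL header
 * quoted in the bug report.
 */
struct ossl_ver {
    unsigned major, minor, fix, patch, status;   /* M NN FF PP S */
};

/* Pack fields into MNNFFPPS: 1.0.2-beta1 -> 0x10002001, 1.0.2 -> 0x1000200f. */
unsigned long ossl_encode(unsigned major, unsigned minor, unsigned fix,
                          unsigned patch, unsigned status)
{
    return ((unsigned long)(major & 0xf)  << 28) |
           ((unsigned long)(minor & 0xff) << 20) |
           ((unsigned long)(fix   & 0xff) << 12) |
           ((unsigned long)(patch & 0xff) << 4)  |
            (unsigned long)(status & 0xf);
}

struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/*
 * Display helper (assumption, not OpenSSL's own formatting): patch levels
 * 1..26 are shown as letters a..z, anything else numerically; status 0 is
 * "-dev", 1..e is "-betaN", f is a release with no suffix.
 */
int ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    char patch[8] = "";
    if (r.patch >= 1 && r.patch <= 26)
        snprintf(patch, sizeof patch, "%c", (int)('a' + r.patch - 1));
    else if (r.patch)
        snprintf(patch, sizeof patch, "p%u", r.patch);
    if (r.status == 0)
        return snprintf(buf, len, "%u.%u.%u%s-dev", r.major, r.minor, r.fix, patch);
    if (r.status < 0xf)
        return snprintf(buf, len, "%u.%u.%u%s-beta%u", r.major, r.minor, r.fix,
                        patch, r.status);
    return snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, patch);
}

/* Mask selection exactly as quoted from entropy.c in the report. */
unsigned long ssh_version_mask(unsigned long runtime)
{
    return runtime >= 0x1000000fUL ? ~0xffff0UL : ~0xff0UL;
}

/* Mask selection with the report's proposed one-character change. */
unsigned long proposed_version_mask(unsigned long runtime)
{
    return runtime >= 0x1000000fUL ? ~0xfffffUL : ~0xff0UL;
}

/* The XOR-and-mask half of the entropy.c test: 1 = accepted, 0 = rejected. */
int ssh_version_compatible(unsigned long runtime, unsigned long compiled,
                           unsigned long mask)
{
    return ((runtime ^ compiled) & mask) == 0;
}

int main(void)
{
    /* Constructed cases: (library OpenSSH was built against, library at run time). */
    struct { const char *what; unsigned long compiled, runtime; } cases[] = {
        { "report's case: beta1 build, release at run time", 0x10002001UL, 0x1000200fUL },
        { "reverse: release build, dev library at run time", 0x1000200fUL, 0x10002000UL },
        { "fix/patch differ only",                           0x1000105fUL, 0x1000200fUL },
        { "minor differs",                                   0x1000200fUL, 0x1010000fUL },
        { "pre-1.0: patch differs only",                     0x0090819fUL, 0x009081afUL },
        { "pre-1.0: fix differs",                            0x0090700fUL, 0x0090800fUL },
    };
    char a[32], b[32];
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ossl_format(cases[i].compiled, a, sizeof a);
        ossl_format(cases[i].runtime, b, sizeof b);
        printf("%-48s %-12s -> %-12s shipped=%s proposed=%s\n", cases[i].what, a, b,
               ssh_version_compatible(cases[i].runtime, cases[i].compiled,
                                      ssh_version_mask(cases[i].runtime)) ? "ok" : "reject",
               ssh_version_compatible(cases[i].runtime, cases[i].compiled,
                                      proposed_version_mask(cases[i].runtime)) ? "ok" : "reject");
    }
    return 0;
}
```

The table makes the two positions in the thread concrete: with the shipped mask, 1.0.x builds already tolerate any change in the fix and patch fields but not in the status nibble, so beta1 -> release is rejected; with the proposed mask that rejection disappears, but so does the rejection of a release build meeting a -dev or -beta library, which is the combination Comment 1 declines to trust. For pre-1.0.0 versions the mask only ignores the patch field, so a fix-level change (0.9.7 vs 0.9.8) is rejected under both variants.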