- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
Move the OpenSSL header/library version test into its own function and add
tests for it. Fix it to allow fix version upgrades (but not downgrades).
Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
ok djm@ chl@
diff --git a/entropy.c b/entropy.c
index 2d483b3..e1a8e14 100644
--- a/entropy.c
+++ b/entropy.c
@@ -209,16 +209,7 @@
#ifndef OPENSSL_PRNG_ONLY
unsigned char buf[RANDOM_SEED_SIZE];
#endif
- /*
- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
- * We match major, minor, fix and status (not patch) for <1.0.0.
- * After that, we acceptable compatible fix versions (so we
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
- */
- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+ if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());