bugzilla-daemon at mindrot.org
2014-Mar-20 06:16 UTC
[Bug 2212] New: openssl version check should ignore status nibble
https://bugzilla.mindrot.org/show_bug.cgi?id=2212

            Bug ID: 2212
           Summary: openssl version check should ignore status nibble
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: vapier at gentoo.org

the current version check in entropy.c looks like:

    u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
    if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||

this causes it to pay attention to the last nibble in the version field which
makes no sense. the only thing that part does is track whether the openssl in
use is a dev, beta, or release. so if you install 1.0.2-beta1, then build
openssh, then install 1.0.2 (the release), this check rejects the openssl
version.

this is documented in the openssl header:

    /* Numeric release version identifier:
     * MNNFFPPS: major minor fix patch status
     * The status nibble has one of the values 0 for development, 1 to e for betas
     * 1 to 14, and f for release. The patch level is exactly that.
     * For example:
     * 0.9.3-dev 0x00903000
     * 0.9.3-beta1 0x00903001
    ...

simple patch to fix the openssh code:

- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L; + u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;

--
You are receiving this mail because:
You are watching the assignee of the bug.
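Review bot: the `+` line clears the status nibble only in the `SSLeay() >= 0x1000000f` branch, and it does so in both directions: with `~0xfffffL` a binary built against a release is also accepted when the runtime library is a dev or beta build, which is wider than the beta-to-release upgrade described in the report. If only that upgrade should pass, the status nibble needs a directional comparison rather than being masked out. The `~0xff0L` branch for older libraries is untouched and still compares the status nibble, so the two branches would disagree; either change both or add a comment on the line saying why only one branch ignores it.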
bugzilla-daemon at mindrot.org
2014-Apr-16 23:44 UTC
[Bug 2212] openssl version check should ignore status nibble
https://bugzilla.mindrot.org/show_bug.cgi?id=2212

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is working as intended - we don't trust OpenSSL to keep dev and beta
branches binary compatible with releases.
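Added example, not part of the original thread and not OpenSSH code: a C model of the first clause of the check quoted in the report, run over constructed version numbers with the mask as quoted and with the proposed mask. The names decode, mismatch, MASK_CURRENT and MASK_PROPOSED are hypothetical, and the remainder of the real condition (after the `||`) is not on the page and is not modelled.

```c
/* Added example (not OpenSSH code): models only the visible clause of the check. */
#include <stdio.h>

/* MNNFFPPS fields, as described in the OpenSSL header comment quoted above. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);   /* 0 dev, 1..e beta, f release */
    return r;
}

/* Nonzero when (runtime ^ built) & mask rejects the pair. mask_1_0 is the
 * mask applied when the runtime library is >= 0x1000000f. */
static int mismatch(unsigned long runtime, unsigned long built,
                    unsigned long mask_1_0)
{
    unsigned long mask = runtime >= 0x1000000fUL ? mask_1_0 : ~0xff0UL;
    return ((runtime ^ built) & mask) != 0;
}

#define MASK_CURRENT  (~0xffff0UL)  /* compares major, minor, status */
#define MASK_PROPOSED (~0xfffffUL)  /* compares major, minor only */

int main(void)
{
    /* Constructed sample pairs: {built against, running with}. */
    static const unsigned long pairs[][2] = {
        { 0x10002001UL, 0x1000200fUL },  /* 1.0.2-beta1 -> 1.0.2 release */
        { 0x1000200fUL, 0x10002001UL },  /* 1.0.2 release -> 1.0.2-beta1 */
        { 0x1000100fUL, 0x1000107fUL },  /* 1.0.1 -> 1.0.1 patch 7 */
        { 0x1000100fUL, 0x1010000fUL },  /* 1.0.1 -> 1.1.0 */
    };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
        struct ossl_ver b = decode(pairs[i][0]), r = decode(pairs[i][1]);
        printf("built %u.%u.%u p%u s%x, runtime %u.%u.%u p%u s%x: "
               "current=%s proposed=%s\n",
               b.major, b.minor, b.fix, b.patch, b.status,
               r.major, r.minor, r.fix, r.patch, r.status,
               mismatch(pairs[i][1], pairs[i][0], MASK_CURRENT) ? "reject" : "accept",
               mismatch(pairs[i][1], pairs[i][0], MASK_PROPOSED) ? "reject" : "accept");
    }
    return 0;
}
```

The second pair is the case the reply is about: with the proposed mask a binary built against the release is accepted when the runtime library is a beta.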
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2212] openssl version check should ignore status nibble
https://bugzilla.mindrot.org/show_bug.cgi?id=2212

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release