- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running

   openssh binaries on a newer fix release than they were compiled on.
   with and ok dtucker@

2 files changed, 10 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index ac8fd70b..00be8d36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 20120330
  - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING
    file from spec file.  From crighter at nuclioss com.
+ - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
+   openssh binaries on a newer fix release than they were compiled on.
+   with and ok dtucker@
 
 20120309
  - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux 
diff --git a/entropy.c b/entropy.c
index 2d6d3ec5..2d483b39 100644
--- a/entropy.c
+++ b/entropy.c
@@ -211,9 +211,14 @@ seed_rng(void)
 #endif
 	/*
 	 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-	 * We match major, minor, fix and status (not patch)
+	 * We match major, minor, fix and status (not patch) for <1.0.0.
+	 * After that, we acceptable compatible fix versions (so we
+	 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+	 * within a patch series.
 	 */
-	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
+	u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
+	if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+	    (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
 		fatal("OpenSSL version mismatch. Built against %lx, you "
 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());