- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] Move the OpenSSL header/library version test into its own function and add tests for it. Fix it to allow fix version upgrades (but not downgrades). Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). ok djm@ chl@
This commit is contained in:
parent
af665bb7b0
commit
316fac6f18
|
@ -1,3 +1,11 @@
|
|||
20140617
|
||||
- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
|
||||
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
|
||||
Move the OpenSSL header/library version test into its own function and add
|
||||
tests for it. Fix it to allow fix version upgrades (but not downgrades).
|
||||
Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
|
||||
ok djm@ chl@
|
||||
|
||||
20140616
|
||||
- (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via
|
||||
OpenSMTPD and chl@
|
||||
|
|
11
entropy.c
11
entropy.c
|
@ -209,16 +209,7 @@ seed_rng(void)
|
|||
#ifndef OPENSSL_PRNG_ONLY
|
||||
unsigned char buf[RANDOM_SEED_SIZE];
|
||||
#endif
|
||||
/*
|
||||
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||
* We match major, minor, fix and status (not patch) for <1.0.0.
|
||||
* After that, we acceptable compatible fix versions (so we
|
||||
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||
* within a patch series.
|
||||
*/
|
||||
u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
|
||||
if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
|
||||
(SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */
|
||||
/* $Id: openssl-compat.c,v 1.18 2014/06/17 13:06:08 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||
|
@ -35,6 +35,41 @@
|
|||
#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
|
||||
#include "openssl-compat.h"
|
||||
|
||||
/*
|
||||
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||
* We match major, minor, fix and status (not patch) for <1.0.0.
|
||||
* After that, we acceptable compatible fix versions (so we
|
||||
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||
* within a patch series.
|
||||
*/
|
||||
|
||||
int
|
||||
ssh_compatible_openssl(long headerver, long libver)
|
||||
{
|
||||
long mask, hfix, lfix;
|
||||
|
||||
/* exact match is always OK */
|
||||
if (headerver == libver)
|
||||
return 1;
|
||||
|
||||
/* for versions < 1.0.0, major,minor,fix,status must match */
|
||||
if (headerver < 0x1000000f) {
|
||||
mask = 0xfffff00fL; /* major,minor,fix,status */
|
||||
return (headerver & mask) == (libver & mask);
|
||||
}
|
||||
|
||||
/*
|
||||
* For versions >= 1.0.0, major,minor,status must match and library
|
||||
* fix version must be equal to or newer than the header.
|
||||
*/
|
||||
mask = 0xfff0000fL; /* major,minor,status */
|
||||
hfix = (headerver & 0x000ff000) >> 12;
|
||||
lfix = (libver & 0x000ff000) >> 12;
|
||||
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef SSH_OLD_EVP
|
||||
int
|
||||
ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */
|
||||
/* $Id: openssl-compat.h,v 1.27 2014/06/17 13:06:08 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||
|
@ -22,6 +22,8 @@
|
|||
#include <openssl/rsa.h>
|
||||
#include <openssl/dsa.h>
|
||||
|
||||
int ssh_compatible_openssl(long, long);
|
||||
|
||||
/* Only in 0.9.8 */
|
||||
#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
|
||||
|
|
|
@ -2,4 +2,5 @@ Makefile
|
|||
snprintftest
|
||||
strduptest
|
||||
strtonumtest
|
||||
|
||||
closefromtest
|
||||
opensslvertest
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
|
||||
# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $
|
||||
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
|
@ -16,11 +16,11 @@ LIBS=@LIBS@
|
|||
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
|
||||
|
||||
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
|
||||
strtonumtest$(EXEEXT)
|
||||
strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
|
||||
|
||||
all: t-exec ${OTHERTESTS}
|
||||
|
||||
%$(EXEEXT): %.c
|
||||
%$(EXEEXT): %.c $(LIBCOMPAT)
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
|
||||
|
||||
t-exec: $(TESTPROGS)
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
/*
|
||||
* Copyright (c) 2014 Darren Tucker
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
int ssh_compatible_openssl(long, long);
|
||||
|
||||
struct version_test {
|
||||
long headerver;
|
||||
long libver;
|
||||
int result;
|
||||
} version_tests[] = {
|
||||
/* built with 0.9.8b release headers */
|
||||
{ 0x0090802fL, 0x0090802fL, 1}, /* exact match */
|
||||
{ 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
|
||||
{ 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
|
||||
{ 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
|
||||
{ 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
|
||||
{ 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
|
||||
{ 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
|
||||
|
||||
/* built with 1.0.1b release headers */
|
||||
{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
|
||||
{ 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
|
||||
{ 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
|
||||
{ 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
|
||||
{ 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
|
||||
{ 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
|
||||
{ 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
|
||||
{ 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
|
||||
};
|
||||
|
||||
void
|
||||
fail(long hver, long lver, int result)
|
||||
{
|
||||
fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
unsigned int i;
|
||||
int res;
|
||||
long hver, lver;
|
||||
|
||||
for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) {
|
||||
hver = version_tests[i].headerver;
|
||||
lver = version_tests[i].libver;
|
||||
res = version_tests[i].result;
|
||||
if (ssh_compatible_openssl(hver, lver) != res)
|
||||
fail(hver, lver, res);
|
||||
}
|
||||
exit(0);
|
||||
}
|
Loading…
Reference in New Issue