Only refuse to use OpenSSL 3.0.4 on x86_64.

The potential RCE only impacts x86_64, so only refuse to use it if we're
targetting a potentially impacted architecture.  ok djm@

configure.ac

@@ -2796,7 +2796,6 @@ if test "x$openssl" = "xyes" ; then
 				;;
 			101*)   ;; # 1.1.x
 			200*)   ;; # LibreSSL
-			3000004*) AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) ;;
 			300*)
 				# OpenSSL 3; we use the 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2820,6 +2819,15 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 
+	case "$host" in
+	x86_64-*)
+		case "$ssl_library_ver" in
+		3000004*)
+			AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
+			;;
+		esac
+	esac
+
 	# Sanity check OpenSSL headers
 	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
 	AC_RUN_IFELSE(

regress/keyscan.sh

@@ -23,3 +23,16 @@ for t in $SSH_KEYTYPES; do
 		fail "ssh-keyscan -t $t failed with: $r"
 	fi
 done
+
+stop_sshd
+sleep 1
+
+trace "keyscan banner length"
+banner=""
+for i in `seq 245 256`; do
+	trace "keyscan length $i"
+	banner=`perl -le "print 'A'x$i"`
+	(printf "SSH-2.0-${banner}" | ${NC} -N -l $PORT >/dev/null) &
+	${SSHKEYSCAN} -p $PORT 127.0.0.1
+	sleep 3
+done

sftp-server-main.c

@@ -42,8 +42,6 @@ main(int argc, char **argv)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 
-	seed_rng();
-
 	if ((user_pw = getpwuid(getuid())) == NULL) {
 		fprintf(stderr, "No user found for uid %lu\n",
 		    (u_long)getuid());