- (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running

   openssh binaries on a newer fix release than they were compiled on.
   with and ok dtucker@

2 files changed, 10 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index ac8fd70b7..00be8d367 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 20120330
  - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNING
    file from spec file.  From crighter at nuclioss com.
+ - (djm) [entropy.c] bz#1991: relax OpenSSL version test to allow running
+   openssh binaries on a newer fix release than they were compiled on.
+   with and ok dtucker@
 
 20120309
  - (djm) [openbsd-compat/port-linux.c] bz#1960: fix crash on SELinux 
diff --git a/entropy.c b/entropy.c
index 2d6d3ec52..2d483b391 100644
--- a/entropy.c
+++ b/entropy.c
@@ -211,9 +211,14 @@ seed_rng(void)
 #endif
         /*
          * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-         * We match major, minor, fix and status (not patch)
+         * We match major, minor, fix and status (not patch) for <1.0.0.
+         * After that, we acceptable compatible fix versions (so we
+         * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+         * within a patch series.
          */
-        if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
+        u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
+        if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+            (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
                 fatal("OpenSSL version mismatch. Built against %lx, you "
                     "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());