From c47b4209b4f8e30fdecaba079a70615c0275fe9b Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 23 Dec 2013 10:40:53 +0000
Subject: Restore patch to disable OpenSSL version check (closes: #732940).
---
 debian/changelog | 3 ++-
 debian/patches/no-openssl-version-check.patch | 32 +++++++++++++++++++++++++++
 debian/patches/series | 1 +
 entropy.c | 12 ----------
 4 files changed, 35 insertions(+), 13 deletions(-)
 create mode 100644 debian/patches/no-openssl-version-check.patch
diff --git a/debian/changelog b/debian/changelog
index 99c395769..f4755f107 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,8 @@
-openssh (1:6.4p1-2) UNRELEASED; urgency=low
+openssh (1:6.4p1-2) UNRELEASED; urgency=high
 * Increase ServerKeyBits value in package-generated sshd_config to 1024 (closes: #727622, LP: #1244272).
+ * Restore patch to disable OpenSSL version check (closes: #732940).
 -- Colin Watson Tue, 12 Nov 2013 11:14:41 +0000
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
new file mode 100644
index 000000000..8c7b6538e
--- /dev/null
+++ b/debian/patches/no-openssl-version-check.patch
@@ -0,0 +1,32 @@
+Description: Disable OpenSSL version check
+ OpenSSL's SONAME is sufficient nowadays.
+Author: Philip Hands
+Author: Colin Watson
+Bug-Debian: http://bugs.debian.org/93581
+Bug-Debian: http://bugs.debian.org/664383
+Forwarded: not-needed
+Last-Update: 2013-12-23
+
+Index: b/entropy.c
+===================================================================
+--- a/entropy.c
++++ b/entropy.c
+@@ -209,18 +209,6 @@
+ #ifndef OPENSSL_PRNG_ONLY
+ unsigned char buf[RANDOM_SEED_SIZE];
+ #endif
+- /*
+- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
+- */
+- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
+- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+- fatal("OpenSSL version mismatch. Built against %lx, you "
+- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+
+ #ifndef OPENSSL_PRNG_ONLY
+ if (RAND_status() == 1) {
diff --git a/debian/patches/series b/debian/patches/series
index f5c2ebb52..4d2080a37 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -43,6 +43,7 @@ doc-upstart.patch
 ssh-agent-setgid.patch
 # Debian-specific configuration
+no-openssl-version-check.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
diff --git a/entropy.c b/entropy.c
index 2d483b391..2aee2d917 100644
--- a/entropy.c
+++ b/entropy.c
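Review bot: The Description in the new no-openssl-version-check.patch header says only `OpenSSL's SONAME is sufficient nowadays.` and does not record what takes over from the guard it deletes. The removed block in seed_rng() also refused to start when the loaded library was older than the build-time headers (`(SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12)`), and a SONAME match alone does not express a minimum version, so that case presumably now depends on the package's versioned library dependency, which is not visible in this commit. I would add a continuation line to the Description such as ` With the runtime check gone, the package dependency on the OpenSSL library is what prevents running against an older libcrypto.` and confirm that the dependency carries a minimum version. The same deletion is applied directly to entropy.c in the final hunk, where seed_rng's body continues outside the hunk.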
@@ -209,18 +209,6 @@ seed_rng(void)
 #ifndef OPENSSL_PRNG_ONLY
 unsigned char buf[RANDOM_SEED_SIZE];
 #endif
- /*
- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
- * We match major, minor, fix and status (not patch) for <1.0.0.
- * After that, we acceptable compatible fix versions (so we
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
- */
- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
- fatal("OpenSSL version mismatch. Built against %lx, you "
- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
 #ifndef OPENSSL_PRNG_ONLY
 if (RAND_status() == 1) {
--
cgit v1.2.3