From 316fac6f18f87262a315c79bcf68b9f92c9337e4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 17 Jun 2014 23:06:07 +1000 Subject: - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h} openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] Move the OpenSSL header/library version test into its own function and add tests for it. Fix it to allow fix version upgrades (but not downgrades). Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). ok djm@ chl@ --- openbsd-compat/regress/.cvsignore | 3 +- openbsd-compat/regress/Makefile.in | 6 +-- openbsd-compat/regress/opensslvertest.c | 69 +++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+), 4 deletions(-) create mode 100644 openbsd-compat/regress/opensslvertest.c (limited to 'openbsd-compat/regress') diff --git a/openbsd-compat/regress/.cvsignore b/openbsd-compat/regress/.cvsignore index afbf7cc3f..33074f4a3 100644 --- a/openbsd-compat/regress/.cvsignore +++ b/openbsd-compat/regress/.cvsignore @@ -2,4 +2,5 @@ Makefile snprintftest strduptest strtonumtest - +closefromtest +opensslvertest diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in index bcf214bd0..dabdb0912 100644 --- a/openbsd-compat/regress/Makefile.in +++ b/openbsd-compat/regress/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ +# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -16,11 +16,11 @@ LIBS=@LIBS@ LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ - strtonumtest$(EXEEXT) + strtonumtest$(EXEEXT) opensslvertest$(EXEEXT) all: t-exec ${OTHERTESTS} -%$(EXEEXT): %.c +%$(EXEEXT): %.c $(LIBCOMPAT) $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) t-exec: $(TESTPROGS) diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c new file mode 100644 index 000000000..5d019b598 --- /dev/null +++ b/openbsd-compat/regress/opensslvertest.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2014 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +int ssh_compatible_openssl(long, long); + +struct version_test { + long headerver; + long libver; + int result; +} version_tests[] = { + /* built with 0.9.8b release headers */ + { 0x0090802fL, 0x0090802fL, 1}, /* exact match */ + { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ + { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ + { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ + { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ + { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ + { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ + + /* built with 1.0.1b release headers */ + { 0x1000101fL, 0x1000101fL, 1},/* exact match */ + { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ + { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ + { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ + { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ + { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ + { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ + { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ +}; + +void +fail(long hver, long lver, int result) +{ + fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result); + exit(1); +} + +int +main(void) +{ + unsigned int i; + int res; + long hver, lver; + + for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) { + hver = version_tests[i].headerver; + lver = version_tests[i].libver; + res = version_tests[i].result; + if (ssh_compatible_openssl(hver, lver) != res) + fail(hver, lver, res); + } + exit(0); +} -- cgit v1.2.3 From 37fd625165d0df302e441d9cad9bcc742378eef5 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 9 Feb 2014 16:10:14 +0000 Subject: Don't check the status field of the OpenSSL version There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch --- openbsd-compat/openssl-compat.c | 6 +++--- openbsd-compat/regress/opensslvertest.c | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'openbsd-compat/regress') diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 36570e4ad..defd5fb61 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -34,7 +34,7 @@ /* * OpenSSL version numbers: MNNFFPPS: major minor fix patch status * We match major, minor, fix and status (not patch) for <1.0.0. - * After that, we acceptable compatible fix versions (so we + * After that, we accept compatible fix and status versions (so we * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed * within a patch series. */ @@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver) } /* - * For versions >= 1.0.0, major,minor,status must match and library + * For versions >= 1.0.0, major,minor must match and library * fix version must be equal to or newer than the header. */ - mask = 0xfff0000fL; /* major,minor,status */ + mask = 0xfff00000L; /* major,minor */ hfix = (headerver & 0x000ff000) >> 12; lfix = (libver & 0x000ff000) >> 12; if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c index 5d019b598..58474873d 100644 --- a/openbsd-compat/regress/opensslvertest.c +++ b/openbsd-compat/regress/opensslvertest.c @@ -35,6 +35,7 @@ struct version_test { /* built with 1.0.1b release headers */ { 0x1000101fL, 0x1000101fL, 1},/* exact match */ + { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */ { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ -- cgit v1.2.3