[openssh-commits] [openssh] 04/04: Remove status bits from OpenSSL >=3 version check.
git+noreply at mindrot.org
Thu Sep 25 18:25:34 AEST 2025
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit e914e61eb88e22e5b725c399698256c54589ca32
Author: Darren Tucker <dtucker at dtucker.net>
AuthorDate: Thu Sep 25 17:50:07 2025 +1000
Remove status bits from OpenSSL >=3 version check.

OpenSSL traditionally did not guarantee ABI compatibility across release
(and development) versions. Because of this, OpenSSH checked the lower 4
"status" bits returned by OpenSSL_version_num(), which were originally
set to 0 for development versions and 0xf for release versions and, if
they did not match, would report the discrepancy and exit.

OpenSSL (unintentionally) changed these bits in the 3.0.0 and subsequent
3.x releases, setting them to zero in the release versions (which happened
to also match the documentation), then changed them back in the 3.5.3
release. If OpenSSL was upgraded to (or from) this version without
recompiling OpenSSH, it would cause OpenSSH to flag it as potentially
incompatible and refuse to use it. Ultimately OpenSSL rolled this
back, but the check now has no value so is being removed for OpenSSL
versions >=3.

bz#3865 and https://github.com/openssl/openssl/issues/28575, ok djm@
---
openbsd-compat/openssl-compat.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 14865077e..48938920c 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -32,7 +32,8 @@
#include "openssl-compat.h"
/*
- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+ * OpenSSL version numbers: MNNFFPPS: major minor fix patch status.
+ * See the OpenSSL_version_num(3ssl) man page.
* Versions >=3 require only major versions to match.
* For versions <3, we accept compatible fix versions (so we allow 1.0.1
* to work with 1.0.0). Going backwards is only allowed within a patch series.
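Review bot: the block comment still lists status as part of the MNNFFPPS layout but never says that the status nibble is no longer compared for versions >=3, which is the reason for this change. Consider extending the line "Versions >=3 require only major versions to match." to state that the status bits are deliberately ignored there, with a pointer to bz#3865, so a later reader does not reintroduce the check.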
@@ -49,10 +50,10 @@ ssh_compatible_openssl(long headerver, long libver)
return 1;
/*
- * For versions >= 3.0, only the major and status must match.
+ * For versions >= 3.0, only the major must match.
*/
- if (headerver >= 0x3000000f) {
- mask = 0xf000000fL; /* major,status */
+ if (headerver >= 0x30000000) {
+ mask = 0xf0000000L; /* major only */
return (headerver & mask) == (libver & mask);
}
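Review bot: lowering the bound in "if (headerver >= 0x30000000) {" changes which header versions reach this branch, not only what is compared: a header value whose low bits are all zero (0x30000000 itself) previously fell through to the code below and now returns from the major-only comparison. That looks intended given the commit message, but a test case would pin it: header with status 0xf against a library with status 0, the reverse, and the boundary value. Minor style point: the new bound has no L suffix while the mask on the next line keeps one.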
--