Relax OpenSSH checks for OpenSSL version

Resolves: RHEL-4734
2023-10-23 12:59:46 +02:00 · 2023-10-23 12:59:46 +02:00 · d8b51e8341
commit d8b51e8341
parent edaf6c0fb4
2 changed files with 48 additions and 1 deletions
--- a/openssh-9.3p1-openssl-compat.patch
+++ b/openssh-9.3p1-openssl-compat.patch
@ -0,0 +1,40 @@
+--- openssh-9.3p1/openbsd-compat/openssl-compat.c	2023-03-15 22:28:19.000000000 +0100
+++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c	2023-05-25 14:19:42.870841944 +0200
+@@ -33,10 +33,10 @@
+ 
+ /*
+  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
+ * Versions >=3 require only major versions to match.
+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
+ * to work with 1.0.0). Going backwards is only allowed within a patch series.
+ * See https://www.openssl.org/policies/releasestrat.html
+  */
+ 
+ int
+@@ -48,15 +48,17 @@
+ 	if (headerver == libver)
+ 		return 1;
+ 
+-	/* for versions < 1.0.0, major,minor,fix,status must match */
+-	if (headerver < 0x1000000f) {
+-		mask = 0xfffff00fL; /* major,minor,fix,status */
+	/*
+	 * For versions >= 3.0, only the major and status must match.
+	 */
+	if (headerver >= 0x3000000f) {
+		mask = 0xf000000fL; /* major,status */
+ 		return (headerver & mask) == (libver & mask);
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, major,minor,status must match and library
+-	 * fix version must be equal to or newer than the header.
+	 * For versions >= 1.0.0, but <3, major,minor,status must match and
+	 * library fix version must be equal to or newer than the header.
+ 	 */
+ 	mask = 0xfff0000fL; /* major,minor,status */
+ 	hfix = (headerver & 0x000ff000) >> 12;
--- a/openssh.spec
+++ b/openssh.spec
@ -51,7 +51,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 34
+%global openssh_rel 35
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5

@ -282,6 +282,8 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
 # upsream commit
 # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
+#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
+Patch1016: openssh-9.3p1-openssl-compat.patch

 License: BSD
 Requires: /sbin/nologin
@ -501,6 +503,7 @@ popd
 %patch1013 -p1 -b .man-hostkeyalgos
 %patch1014 -p1 -b .utc_parse
 %patch1015 -p1 -b .cve-2023-38408
+%patch1016 -p1 -b .openssl3compat

 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -787,6 +790,10 @@ test -f %{sysconfig_anaconda} && \
 %endif

 %changelog
+* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
+- Relax OpenSSH checks for OpenSSL version
+  Resolves: RHEL-4734
+
 * Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
 - Avoid remote code execution in ssh-agent PKCS#11 support
  Resolves: CVE-2023-38408