1 files changed, 71 insertions, 0 deletions

diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
new file mode 100644
index 0000000..dacefcc
--- /dev/null
+++ b/debian/patches/no-openssl-version-status.patch
@@ -0,0 +1,71 @@
+From 2c598ce2acb40df7a9275f245e375071a7fb9d7c Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 9 Feb 2014 16:10:14 +0000
+Subject: Don't check the status field of the OpenSSL version
+
+There is no reason to check the version of OpenSSL (in Debian).  If it's
+not compatible the soname will change.  OpenSSH seems to want to do a
+check for the soname based on the version number, but wants to keep the
+status of the release the same.  Remove that check on the status since
+it doesn't tell you anything about how compatible that version is.
+
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: https://bugs.debian.org/93581
+Bug-Debian: https://bugs.debian.org/664383
+Bug-Debian: https://bugs.debian.org/732940
+Forwarded: not-needed
+Last-Update: 2023-09-02
+
+Patch-Name: no-openssl-version-status.patch
+---
+ openbsd-compat/openssl-compat.c         | 8 ++++----
+ openbsd-compat/regress/opensslvertest.c | 2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
+index 6c65003f2..30e97c464 100644
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -49,18 +49,18 @@ ssh_compatible_openssl(long headerver, long libver)
+ 		return 1;
+ 
+ 	/*
+-	 * For versions >= 3.0, only the major and status must match.
++	 * For versions >= 3.0, only the major must match.
+ 	 */
+ 	if (headerver >= 0x3000000f) {
+-		mask = 0xf000000fL; /* major,status */
++		mask = 0xf0000000L; /* major */
+ 		return (headerver & mask) == (libver & mask);
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, but <3, major,minor,status must match and
++	 * For versions >= 1.0.0, but <3, major,minor must match and
+ 	 * library fix version must be equal to or newer than the header.
+ 	 */
+-	mask = 0xfff0000fL; /* major,minor,status */
++	mask = 0xfff00000L; /* major,minor */
+ 	hfix = (headerver & 0x000ff000) >> 12;
+ 	lfix = (libver & 0x000ff000) >> 12;
+ 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
+index 99c894418..351df4374 100644
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -28,6 +28,7 @@ struct version_test {
+ } version_tests[] = {
+ 	/* built with 1.0.1b release headers */
+ 	{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
++	{ 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
+ 	{ 0x1000101fL, 0x1000102fL, 1},	/* newer library patch version: ok */
+ 	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
+ 	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
+@@ -48,6 +49,7 @@ struct version_test {
+ 
+ 	/* built with 3.0.1 release headers */
+ 	{ 0x3010101fL, 0x3010101fL, 1},/* exact match */
++	{ 0x3010101fL, 0x30101010L, 1}, /* different status: ok */
+ 	{ 0x3010101fL, 0x3010102fL, 1},	/* newer library patch version: ok */
+ 	{ 0x3010101fL, 0x3010100fL, 1},	/* older library patch version: ok */
+ 	{ 0x3010101fL, 0x3010201fL, 1},	/* newer library fix version: ok */