Only refuse to use OpenSSL 3.0.4 on x86_64.

The potential RCE only impacts x86_64, so only refuse to use it if we're targetting a potentially impacted architecture. ok djm@
author: Darren Tucker <dtucker@dtucker.net> 2022-07-13 13:17:47 +1000
committer: Darren Tucker <dtucker@dtucker.net> 2022-07-13 13:17:47 +1000
commit: 76f4e48631d7b09fb243b47d7b393d100d3741b7 (patch)
tree: 55d488c1e7fc3ea317257c04a5944330cfe5e24b /configure.ac
parent: e75bbc1d88491fa85e61b2cc8783d4bbd00cd131 (diff)
download: openssh-git-76f4e48631d7b09fb243b47d7b393d100d3741b7.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index 6ebdd06a..0c6a57eb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2796,7 +2796,6 @@ if test "x$openssl" = "xyes" ; then
 				;;
 			101*)   ;; # 1.1.x
 			200*)   ;; # LibreSSL
-			3000004*) AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) ;;
 			300*)
 				# OpenSSL 3; we use the 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2820,6 +2819,15 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 
+	case "$host" in
+	x86_64-*)
+		case "$ssl_library_ver" in
+		3000004*)
+			AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
+			;;
+		esac
+	esac
+
 	# Sanity check OpenSSL headers
 	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
 	AC_RUN_IFELSE(
author	Darren Tucker <dtucker@dtucker.net>	2022-07-13 13:17:47 +1000
committer	Darren Tucker <dtucker@dtucker.net>	2022-07-13 13:17:47 +1000
commit	76f4e48631d7b09fb243b47d7b393d100d3741b7 (patch)
tree	55d488c1e7fc3ea317257c04a5944330cfe5e24b /configure.ac
parent	e75bbc1d88491fa85e61b2cc8783d4bbd00cd131 (diff)
download	openssh-git-76f4e48631d7b09fb243b47d7b393d100d3741b7.tar.gz