Require openssl 1.0.0a for using openssl's ctr-mode implementation

Previously we required 1.0.0, but there was a bug in the 1.0.0 counter
mode. Found by Pascal. Fixes bug 4779.

A more elegant solution would be good here if somebody has time to code
one.

1 files changed, 4 insertions, 2 deletions

diff --git a/src/common/aes.c b/src/common/aes.c
index cec6899817..9487cdd51c 100644
--- a/src/common/aes.c
+++ b/src/common/aes.c
@@ -17,7 +17,7 @@
 #include <openssl/aes.h>
 #include <openssl/evp.h>
 #include <openssl/engine.h>
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000001fL
 /* See comments about which counter mode implementation to use below. */
 #include <openssl/modes.h>
 #define USE_OPENSSL_CTR
@@ -45,7 +45,9 @@
  * Here we have a counter mode that's faster than the one shipping with
  * OpenSSL pre-1.0 (by about 10%!).  But OpenSSL 1.0.0 added a counter mode
  * implementation faster than the one here (by about 7%).  So we pick which
- * one to used based on the Openssl version above.
+ * one to used based on the Openssl version above.  (OpenSSL 1.0.0a fixed a
+ * critical bug in that counter mode implementation, so we actually require
+ * that one.)
  */
 
 /*======================================================================*/