/** Check built and linked versions of OpenSSL match
*
* OpenSSL version number consists of:
- * MMNNFFPPS: major minor fix patch status
+ * MNNFFPPS: major minor fix patch status
*
* Where status >= 0 && < 10 means beta, and status 10 means release.
*
*
* @return 0 if ok, else -1
*/
-#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
+#ifdef HAVE_OPENSSL_CRYPTO_H
int ssl_check_version(int allow_vulnerable)
{
long ssl_linked;
- /*
- * Initialize the library before calling any library
- * functions.
- */
- SSL_library_init();
- SSL_load_error_strings();
-
ssl_linked = SSLeay();
/*
* Status mismatch always triggers error.
*/
- if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) {
+ if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
mismatch:
radlog(L_ERR, "libssl version mismatch. built: %lx linked: %lx",
(unsigned long) ssl_built, (unsigned long) ssl_linked);
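Review bot: The header comment still describes the status nibble incorrectly at `Where status >= 0 && < 10 means beta, and status 10 means release`, a line this hunk leaves unchanged while correcting the layout to MNNFFPPS. In OpenSSL's version number the status nibble is 0 for development, 0x1 to 0xe for betas and 0xf for release, so I would reword it to `* Where status 0 means development, 0x1-0xe mean beta, and 0xf means release.` The test on `0x0000000f` is a plain equality comparison, so behaviour is unaffected, but the next reader will reason about the masks from this comment. The body of ssl_check_version continues past the end of this hunk.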
* 1.0.0 and only allow moving backwards within a patch
* series.
*/
- if (ssl_built & 0xff) {
- if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) ||
- (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch;
+ if (ssl_built & 0xf0000000) {
+ if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
+ (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
/*
* Before 1.0.0 we require the same major minor and fix version
* and ignore the patch number.
*/
- } else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch;
+ } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
+# ifdef ENABLE_OPENSSL_VERSION_CHECK
if (!allow_vulnerable) {
/* Check for bad versions */
/* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
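Review bot: The comment ending `only allow moving backwards within a patch series` reads as the opposite of the new condition `(ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)`, which jumps to `mismatch` when the linked patch level is lower than the one built against. That condition is what keeps the server from starting on an older library of the same series, so the comment should state it directly, for example `* 1.0.0: require the same major, minor and fix version, and a linked patch level that is not older than the built one.` The comment begins above the first visible line of this hunk, so its opening words are inferred.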
return -1;
}
}
+# endif
return 0;
}
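Review bot: With `# ifdef ENABLE_OPENSSL_VERSION_CHECK` now wrapping only the `if (!allow_vulnerable)` block, a build without that macro reaches `return 0;` without ever reading `allow_vulnerable`. A caller that passes 0 to have vulnerable libraries refused then gets success with nothing logged. I would add an else branch before the `# endif`, such as `# else` followed by `if (!allow_vulnerable) radlog(L_INFO, "libssl vulnerable-version check was disabled at build time");`, which also avoids an unused-parameter warning. The version range test itself and the start of the function are outside this hunk, and how the macro is set is not visible here.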