Relax libssl checks

diff --git a/src/main/version.c b/src/main/version.c
index fb72c86..e291a68 100644 (file)
--- a/src/main/version.c
+++ b/src/main/version.c
@@ -35,7 +35,12 @@ static uint64_t libmagic = RADIUSD_MAGIC_NUMBER;
 
 static long ssl_built = OPENSSL_VERSION_NUMBER;
 
-/** Check build and linked versions of OpenSSL match
+/** Check built and linked versions of OpenSSL match
+ *
+ * OpenSSL version number consists of:
+ * MMNNFFPPS: major minor fix patch status
+ *
+ * Where status >= 0 && < 10 means beta, and status 10 means release.
  *
  * Startup check for whether the linked version of OpenSSL matches the
  * version the server was built against.
@@ -48,13 +53,31 @@ int ssl_check_consistency(void)
 
        ssl_linked = SSLeay();
 
-       if (ssl_linked != ssl_built) {
+       /*
+        *      Status mismatch always triggers error.
+        */
+       if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) {
+       mismatch:
                ERROR("libssl version mismatch.  built: %lx linked: %lx",
                       (unsigned long) ssl_built,
                       (unsigned long) ssl_linked);
 
                return -1;
-       };
+       }
+
+       /*
+        *      Use the OpenSSH approach and relax fix checks after version
+        *      1.0.0 and only allow moving backwards within a patch
+        *      series.
+        */
+       if (ssl_built & 0xff) {
+               if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) ||
+                   (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch;
+       /*
+        *      Before 1.0.0 we require the same major minor and fix version
+        *      and ignore the patch number.
+        */
+       } else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch;
 
        return 0;
 }