static long ssl_built = OPENSSL_VERSION_NUMBER;
-/** Check build and linked versions of OpenSSL match
+/** Check built and linked versions of OpenSSL match
+ *
+ * OpenSSL version number consists of:
+ * MMNNFFPPS: major minor fix patch status
+ *
+ * Where status >= 0 && < 10 means beta, and status 10 means release.
*
* Startup check for whether the linked version of OpenSSL matches the
* version the server was built against.
ssl_linked = SSLeay();
- if (ssl_linked != ssl_built) {
+ /*
+ * Status mismatch always triggers error.
+ */
+ if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) {
+ mismatch:
ERROR("libssl version mismatch. built: %lx linked: %lx",
(unsigned long) ssl_built,
(unsigned long) ssl_linked);
return -1;
- };
+ }
+
+ /*
+ * Use the OpenSSH approach and relax fix checks after version
+ * 1.0.0 and only allow moving backwards within a patch
+ * series.
+ */
+ if (ssl_built & 0xff) {
+ if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) ||
+ (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch;
+ /*
+ * Before 1.0.0 we require the same major minor and fix version
+ * and ignore the patch number.
+ */
+ } else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch;
return 0;
}