From 3f39f589f24cb0993fa0df6de7515eb63a4f96b0 Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Tue, 23 Jun 2015 19:07:23 +0200
Subject: [PATCH] Warn on OpenSSL version mismatch in debug mode

Issue: #88
---
 NEWS.md | 1 +
 ssl.c | 12 ++++++++++++
 ssl.t.c | 9 +++++++++
 3 files changed, 22 insertions(+)

diff --git a/NEWS.md b/NEWS.md
index 4b1e1c9..e244a09 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,6 +1,7 @@
 ### SSLsplit develop
+- Warn when an OpenSSL version mismatch is detected (issue #88).
 - Added separate src/dst host and port format specifiers %S, %p, %D and %q to -F (pull req #74 by @AdamJacobMuller).
 - Filenames generated by -S and -F %d and %s changed from [host]:port to
diff --git a/ssl.c b/ssl.c
index cf2bd38..31d21c6 100644
--- a/ssl.c
+++ b/ssl.c
@@ -102,6 +102,18 @@ ssl_openssl_version(void)
 fprintf(stderr, "rtlinked against %s (%lx)\n", SSLeay_version(SSLEAY_VERSION), SSLeay());
+ if ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xfffff000L) {
+ fprintf(stderr, "---------------------------------------"
+ "---------------------------------------\n");
+ fprintf(stderr, "WARNING: OpenSSL version mismatch may "
+ "lead to crashes or other problems!\n");
+ fprintf(stderr, "If there are multiple versions of "
+ "OpenSSL available, make sure to use\n");
+ fprintf(stderr, "the same version of the library at "
+ "runtime as well as for compiling against.\n");
+ fprintf(stderr, "---------------------------------------"
+ "---------------------------------------\n");
+ }
 #ifndef OPENSSL_NO_TLSEXT
 fprintf(stderr, "TLS Server Name Indication (SNI) supported\n");
 #else /* OPENSSL_NO_TLSEXT */
diff --git a/ssl.t.c b/ssl.t.c
index cd25455..27d824f 100644
--- a/ssl.t.c
+++ b/ssl.t.c
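Review bot: In the ssl.c hunk, the mask `0xfffff000L` in the new `if` inside ssl_openssl_version() is an unexplained magic number, and the same expression is repeated in ssl.t.c's ssl_features_01. Under OpenSSL's 0xMNNFFPPS version layout it compares major, minor and fix only, so a runtime library that differs just in patch letter, including an older one lacking security fixes, prints no warning. I would add a comment above the check such as `/* compare major.minor.fix (0xMNNFFPPS); patch and status are ignored, so this flags ABI drift, not an unpatched runtime library */` and define the mask once in a named macro that both files use. The function's body starts and ends outside the hunk.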
@@ -572,6 +572,14 @@ START_TEST(ssl_is_ocspreq_01)
 END_TEST
 START_TEST(ssl_features_01)
+{
+ long vdiff = ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xfffff000L);
+
+ fail_unless(!vdiff, "OpenSSL version mismatch at runtime");
+}
+END_TEST
+
+START_TEST(ssl_features_02)
 {
 int have_threads = 0;
 #ifdef OPENSSL_THREADS
@@ -664,6 +672,7 @@ ssl_suite(void)
 tc = tcase_create("ssl_features");
 tcase_add_test(tc, ssl_features_01);
+ tcase_add_test(tc, ssl_features_02);
 suite_add_tcase(s, tc);
 return s;
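Review bot: The failure message in the new ssl_features_01 test (first ssl.t.c hunk) does not report the two version numbers, so a failing run does not show which headers and which library were mixed in the build environment. Assuming the Check version in use accepts format arguments, something like `fail_unless(!vdiff, "OpenSSL version mismatch at runtime: built %lx, running %lx", (unsigned long)OPENSSL_VERSION_NUMBER, SSLeay());` would make the failure actionable. Separately, ssl.c prints SSLeay() with `%lx`, so the XOR result is unsigned and `vdiff` would be better declared `unsigned long` than `long`.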