Check at runtime that the tool is loading the same libcrypto it was b…

…uilt with (#1716) ### Description of changes: The tool CMakeList was already checking /lib and /lib64 for the different versions of OpenSSH. However, at runtime we set the LD_LIBRARY_PATH to only /lib which doesn't have the OpenSSL 3+ artifacts. The benchmark tool was then finding the system install of OpenSSL which happened to be 3.something and close enough to work. This change is inspired by a similar mechanism OpenSSL's own tool uses to check build/runtime dependencies. ### Callouts This uses SSLeay which seems to be the best common way to check at runtime all the library versions we test against. ### Testing: Tested locally changing the expected version and observing the tool fail. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. Co-authored-by: Justin W Smith <[email protected]>
aws · Aug 27, 2024 · 519c1c5 · 519c1c5
1 parent 35d5287
commit 519c1c5
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/tests/ci/run_benchmark_build_tests.sh b/tests/ci/run_benchmark_build_tests.sh
@@ -94,9 +94,9 @@ LD_LIBRARY_PATH="${install_dir}/aws-lc-fips-2021-10-20/lib" "${BUILD_ROOT}/tool/
 LD_LIBRARY_PATH="${install_dir}/aws-lc-fips-2022/lib" "${BUILD_ROOT}/tool/aws-lc-fips-2022" -timeout_ms 10
 LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_1_0_2_branch}/lib" "${BUILD_ROOT}/tool/open102" -timeout_ms 10
 LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_1_1_1_branch}/lib" "${BUILD_ROOT}/tool/open111" -timeout_ms 10
-LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_3_1_branch}/lib" "${BUILD_ROOT}/tool/open31" -timeout_ms 10
-LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_3_2_branch}/lib" "${BUILD_ROOT}/tool/open32" -timeout_ms 10
-LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_master_branch}/lib" "${BUILD_ROOT}/tool/openmaster" -timeout_ms 10
+LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_3_1_branch}/lib64" "${BUILD_ROOT}/tool/open31" -timeout_ms 10
+LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_3_2_branch}/lib64" "${BUILD_ROOT}/tool/open32" -timeout_ms 10
+LD_LIBRARY_PATH="${install_dir}/openssl-${openssl_master_branch}/lib64" "${BUILD_ROOT}/tool/openmaster" -timeout_ms 10
 LD_LIBRARY_PATH="${install_dir}/boringssl" "${BUILD_ROOT}/tool/boringssl" -timeout_ms 10
 
 echo "Testing ossl_bm with OpenSSL 1.0 with the legacy build option"

diff --git a/tool/benchmark.cc b/tool/benchmark.cc
@@ -2,8 +2,15 @@
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
 #include "internal.h"
+#include <openssl/opensslv.h>
 
 int main(int argc, char **argv) {
+  unsigned long build_version = OPENSSL_VERSION_NUMBER;
+  unsigned long runtime_version = SSLeay();
+  if (build_version != runtime_version) {
+    fprintf(stderr, "Incorrect version number detected, built with %lx, loaded %lx at runtime.", build_version, runtime_version);
+    return 1;
+  }
   args_list_t args;
   for (int i = 1; i < argc; i++) {
     args.push_back(argv[i]);

diff --git a/tool/tool.cc b/tool/tool.cc
@@ -17,6 +17,7 @@
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 
 #if defined(OPENSSL_WINDOWS)
@@ -95,6 +96,12 @@ static tool_func_t FindTool(const std::string &name) {
 }
 
 int main(int argc, char **argv) {
+  unsigned long build_version = OPENSSL_VERSION_NUMBER;
+  unsigned long runtime_version = OpenSSL_version_num();
+  if (build_version != runtime_version) {
+    fprintf(stderr, "Incorrect version number detected, built with 0x%lx, loaded 0x%lx at runtime.", build_version, runtime_version);
+    return 1;
+  }
 #if defined(OPENSSL_WINDOWS)
   // Read and write in binary mode. This makes bssl on Windows consistent with
   // bssl on other platforms, and also makes it consistent with MSYS's commands