From d9221968ce3daed75d698f333f8bea0bf742ddf3 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 28 Oct 2020 10:07:56 -0400 Subject: [PATCH 1/5] Include a more modest openssl header in crypto_openssl_mgt.h The "engines.h" header has lots of stuff; the "opensslv.h" header has the version number, which is all we actually need here. We need to do this because we're about to change this header to conditionally define OPENSSL_SUPPRESS_DEPRECATED, and it would be too late to do so if we'd already included "engines.h". --- src/lib/crypt_ops/crypto_openssl_mgt.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h index a3dd03aa04..8dbadfc9d2 100644 --- a/src/lib/crypt_ops/crypto_openssl_mgt.h +++ b/src/lib/crypt_ops/crypto_openssl_mgt.h @@ -16,8 +16,7 @@ #include "orconfig.h" #ifdef ENABLE_OPENSSL -#include - +#include /* Macro to create an arbitrary OpenSSL version number as used by OPENSSL_VERSION_NUMBER or SSLeay(), since the actual numbers are a bit hard From e399d32cdf8b77b68345290f59bb315d3ed7a5d9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 28 Oct 2020 10:30:24 -0400 Subject: [PATCH 2/5] configure: disable OpenSSL deprecation warnings with OpenSSL >= 3 We can't do this in the C headers, since by the time we include `opensslv.h` in order to check the openssl version number, we will have included `openssl/macros.h`, which is the thing that checks whether we disabled deprecation warnings. --- configure.ac | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index f30a7efa91..6c8456d0c7 100644 --- a/configure.ac +++ b/configure.ac 
@@ -937,13 +937,30 @@ LIBS="$TOR_OPENSSL_LIBS $LIBS" LDFLAGS="$TOR_LDFLAGS_openssl $LDFLAGS" CPPFLAGS="$TOR_CPPFLAGS_openssl $CPPFLAGS" +dnl Tor currently uses a number of APIs that are deprecated in OpenSSL 3.0.0 +dnl and later. We want to migrate away from them, but that will be a lot of +dnl work. (See ticket tor#40166.) For now, we disable the deprecation +dnl warnings. + +AC_MSG_CHECKING([for OpenSSL >= 3.0.0]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER <= 0x30000000L +#error "you_have_version_3" +#endif + ]], [[]])], + [ AC_MSG_RESULT([no]) ], + [ AC_MSG_RESULT([yes]); + AC_DEFINE(OPENSSL_SUPPRESS_DEPRECATED, 1, [disable openssl deprecated-function warnings]) ]) + +AC_MSG_CHECKING([for OpenSSL < 1.0.1]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL #error "too old" #endif ]], [[]])], - [ : ], + [ AC_MSG_RESULT([no]) ], [ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ From 2b4a3d07b25ae9c284a1f130de71940242b78bb7 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 28 Oct 2020 10:32:06 -0400 Subject: [PATCH 3/5] Do not define OPENSSL_VERSION in compat_openssl.h Apparently it conflicts with definitions elsewhere in Openssl 3.0.0. --- src/lib/crypt_ops/compat_openssl.h | 5 ----- src/lib/crypt_ops/crypto_openssl_mgt.c | 13 +++++++++++-- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h index 9c10386c34..6605d01045 100644 --- a/src/lib/crypt_ops/compat_openssl.h +++ b/src/lib/crypt_ops/compat_openssl.h 
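Review bot: The new `AC_COMPILE_IFELSE` for "OpenSSL >= 3.0.0" is inverted: its `#error` fires when `OPENSSL_VERSION_NUMBER <= 0x30000000L`, so the compile fails — and the failure branch prints "yes" and defines OPENSSL_SUPPRESS_DEPRECATED — for every 1.x release and for 3.0.0 exactly, while any 3.0.x with a non-zero patch level compiles cleanly, is reported as "no", and keeps the deprecation warnings this commit sets out to silence. The condition should read `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L`. The stray define on 1.x is presumably harmless, since those headers do not appear to look for the macro, but the configure result line is wrong either way and the `<=` reads as a typo for `>=`.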
@@ -32,10 +32,6 @@ #define OPENSSL_1_1_API #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */ -#ifndef OPENSSL_VERSION -#define OPENSSL_VERSION SSLEAY_VERSION -#endif - #ifndef OPENSSL_1_1_API #define OpenSSL_version(v) SSLeay_version(v) #define OpenSSL_version_num() SSLeay() @@ -54,4 +50,3 @@ #endif /* defined(ENABLE_OPENSSL) */ #endif /* !defined(TOR_COMPAT_OPENSSL_H) */ - diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c index c97815f9a4..e7d6084f6c 100644 --- a/src/lib/crypt_ops/crypto_openssl_mgt.c +++ b/src/lib/crypt_ops/crypto_openssl_mgt.c @@ -101,13 +101,22 @@ static char *crypto_openssl_version_str = NULL; const char * crypto_openssl_get_version_str(void) { +#ifdef OPENSSL_VERSION + const int query = OPENSSL_VERSION; +#else + /* This old name was changed around OpenSSL 1.1.0 */ + const int query = SSLEAY_VERSION; +#endif + if (crypto_openssl_version_str == NULL) { - const char *raw_version = OpenSSL_version(OPENSSL_VERSION); + const char *raw_version = OpenSSL_version(query); crypto_openssl_version_str = parse_openssl_version_str(raw_version); } return crypto_openssl_version_str; } +#undef QUERY_OPENSSL_VERSION + static char *crypto_openssl_header_version_str = NULL; /* Return a human-readable version of the compile-time openssl version * number. */ @@ -208,7 +217,7 @@ crypto_openssl_early_init(void) setup_openssl_threading(); unsigned long version_num = OpenSSL_version_num(); - const char *version_str = OpenSSL_version(OPENSSL_VERSION); + const char *version_str = crypto_openssl_get_version_str(); if (version_num == OPENSSL_VERSION_NUMBER && !strcmp(version_str, OPENSSL_VERSION_TEXT)) { log_info(LD_CRYPTO, "OpenSSL version matches version from headers " From 59f76a8a1fd0fffe3ccf083bcad49435d6226a8e Mon Sep 17 00:00:00 2001 
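Review bot: `#undef QUERY_OPENSSL_VERSION`, inserted after the closing brace of crypto_openssl_get_version_str(), undefines a macro that nothing in this hunk (or in the compat_openssl.h change in the same series) defines; the `query` local replaced whatever draft macro that name referred to, so the line and its surrounding blank line are dead and should be dropped. The `#ifdef OPENSSL_VERSION` / `SSLEAY_VERSION` selection at the top of the function would also benefit from a why-comment tying it to the header change, e.g. `/* OpenSSL 3.0.0 defines OPENSSL_VERSION itself, so compat_openssl.h no longer supplies it; fall back to the pre-1.1.0 name. */`, since the existing one-line comment only explains the rename.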
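Review bot: Replacing `OpenSSL_version(OPENSSL_VERSION)` with crypto_openssl_get_version_str() in crypto_openssl_early_init() changes what is compared against OPENSSL_VERSION_TEXT: the earlier hunk in this file shows that accessor returning parse_openssl_version_str(raw_version) rather than the raw library string, and if that parser trims the string (as its name and the "human-readable" header-version accessor that follows it suggest), `!strcmp(version_str, OPENSSL_VERSION_TEXT)` can never be true, so the "matches version from headers" branch becomes unreachable and every start-up takes the mismatch path even when runtime and headers agree. Either keep the raw string for the comparison, `const char *version_str = OpenSSL_version(query);` with the same `#ifdef OPENSSL_VERSION` fallback to SSLEAY_VERSION used in the first hunk, or compare the parsed string with the parsed header version string kept in crypto_openssl_header_version_str so both sides are in the same form. The rest of crypto_openssl_early_init() lies outside the hunk.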
From: Nick Mathewson Date: Wed, 28 Oct 2020 10:34:18 -0400 Subject: [PATCH 4/5] Changes file for #40165 (openssl deprecation warnings) --- changes/ticket40165 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changes/ticket40165 diff --git a/changes/ticket40165 b/changes/ticket40165 new file mode 100644 index 0000000000..a8dd0a339b --- /dev/null +++ b/changes/ticket40165 @@ -0,0 +1,5 @@ + o Minor features (compilation): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or later. + There are a number of newly deprecated APIs in OpenSSL 3.0.0 that Tor + still requires. (A later version of Tor will try to stop depending on + these.) Closes ticket 40165. From c48d25ac8d5cb8320a56a61cbee7754420d77309 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 28 Oct 2020 10:47:39 -0400 Subject: [PATCH 5/5] Fix a previously overstrict log message check. OpenSSL doesn't seem to report error locations in the same way as before, which broke one of our tests. Fixes bug 40170; bugfix on 0.2.8.1-alpha. --- changes/ticket40170 | 3 +++ src/test/test_tortls_openssl.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 changes/ticket40170 diff --git a/changes/ticket40170 b/changes/ticket40170 new file mode 100644 index 0000000000..cc1c8dbad1 --- /dev/null +++ b/changes/ticket40170 @@ -0,0 +1,3 @@ + o Minor bugfixes (tests): + - Fix the "tortls/openssl/log_one_error" test to work with OpenSSL 3.0.0. + Fixes bug 40170; bugfix on 0.2.8.1-alpha. diff --git a/src/test/test_tortls_openssl.c b/src/test/test_tortls_openssl.c index f039980a25..f4e3430dac 100644 --- a/src/test/test_tortls_openssl.c +++ b/src/test/test_tortls_openssl.c 
@@ -283,8 +283,7 @@ test_tortls_log_one_error(void *ignored)
 mock_clean_saved_logs();
 tor_tls_log_one_error(tls, ERR_PACK(1, 2, 3), LOG_WARN, 0, NULL);
- expect_log_msg("TLS error with 127.hello: "
- "BN lib (in unknown library:(null):---)\n");
+ expect_log_msg_containing("TLS error with 127.hello");
 mock_clean_saved_logs();
 tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST),