diff --git a/changes/ticket40165 b/changes/ticket40165 new file mode 100644 index 0000000000..a8dd0a339b --- /dev/null +++ b/changes/ticket40165 @@ -0,0 +1,5 @@ + o Minor features (compilation): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or later. + There are a number of newly deprecated APIs in OpenSSL 3.0.0 that Tor + still requires. (A later version of Tor will try to stop depending on + these.) Closes ticket 40165. diff --git a/changes/ticket40170 b/changes/ticket40170 new file mode 100644 index 0000000000..cc1c8dbad1 --- /dev/null +++ b/changes/ticket40170 @@ -0,0 +1,3 @@ + o Minor bugfixes (tests): + - Fix the "tortls/openssl/log_one_error" test to work with OpenSSL 3.0.0. + Fixes bug 40170; bugfix on 0.2.8.1-alpha. diff --git a/configure.ac b/configure.ac index 7a39d9da95..6c761064bf 100644 --- a/configure.ac +++ b/configure.ac @@ -1009,13 +1009,30 @@ LIBS="$TOR_OPENSSL_LIBS $LIBS" LDFLAGS="$TOR_LDFLAGS_openssl $LDFLAGS" CPPFLAGS="$TOR_CPPFLAGS_openssl $CPPFLAGS" +dnl Tor currently uses a number of APIs that are deprecated in OpenSSL 3.0.0 +dnl and later. We want to migrate away from them, but that will be a lot of +dnl work. (See ticket tor#40166.) For now, we disable the deprecation +dnl warnings. + +AC_MSG_CHECKING([for OpenSSL >= 3.0.0]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER <= 0x30000000L +#error "you_have_version_3" +#endif + ]], [[]])], + [ AC_MSG_RESULT([no]) ], + [ AC_MSG_RESULT([yes]); + AC_DEFINE(OPENSSL_SUPPRESS_DEPRECATED, 1, [disable openssl deprecated-function warnings]) ]) + +AC_MSG_CHECKING([for OpenSSL < 1.0.1]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL #error "too old" #endif ]], [[]])], - [ : ], + [ AC_MSG_RESULT([no]) ], [ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h index 5fd073bea1..c2e1459078 100644 --- a/src/lib/crypt_ops/compat_openssl.h +++ b/src/lib/crypt_ops/compat_openssl.h @@ -32,10 +32,6 @@ #define OPENSSL_1_1_API #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */ -#ifndef OPENSSL_VERSION -#define OPENSSL_VERSION SSLEAY_VERSION -#endif - #ifndef OPENSSL_1_1_API #define OpenSSL_version(v) SSLeay_version(v) #define OpenSSL_version_num() SSLeay() @@ -54,4 +50,3 @@ #endif /* defined(ENABLE_OPENSSL) */ #endif /* !defined(TOR_COMPAT_OPENSSL_H) */ - diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c index f2f5a55d05..065cbca1cc 100644 --- a/src/lib/crypt_ops/crypto_openssl_mgt.c +++ b/src/lib/crypt_ops/crypto_openssl_mgt.c @@ -101,13 +101,22 @@ static char *crypto_openssl_version_str = NULL; const char * crypto_openssl_get_version_str(void) { +#ifdef OPENSSL_VERSION + const int query = OPENSSL_VERSION; +#else + /* This old name was changed around OpenSSL 1.1.0 */ + const int query = SSLEAY_VERSION; +#endif + if (crypto_openssl_version_str == NULL) { - const char *raw_version = OpenSSL_version(OPENSSL_VERSION); + const char *raw_version = OpenSSL_version(query); crypto_openssl_version_str = parse_openssl_version_str(raw_version); } return crypto_openssl_version_str; } +#undef QUERY_OPENSSL_VERSION + static char *crypto_openssl_header_version_str = NULL; /* Return a human-readable version of the compile-time openssl version * number. */ @@ -214,7 +223,7 @@ crypto_openssl_early_init(void) setup_openssl_threading(); unsigned long version_num = OpenSSL_version_num(); - const char *version_str = OpenSSL_version(OPENSSL_VERSION); + const char *version_str = crypto_openssl_get_version_str(); if (version_num == OPENSSL_VERSION_NUMBER && !strcmp(version_str, OPENSSL_VERSION_TEXT)) { log_info(LD_CRYPTO, "OpenSSL version matches version from headers " diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h index 083df00033..c67ab6467c 100644 --- a/src/lib/crypt_ops/crypto_openssl_mgt.h +++ b/src/lib/crypt_ops/crypto_openssl_mgt.h @@ -16,8 +16,7 @@ #include "orconfig.h" #ifdef ENABLE_OPENSSL -#include - +#include /* Macro to create an arbitrary OpenSSL version number as used by OPENSSL_VERSION_NUMBER or SSLeay(), since the actual numbers are a bit hard diff --git a/src/test/test_tortls_openssl.c b/src/test/test_tortls_openssl.c index e20b0d1ede..42a901fe77 100644 --- a/src/test/test_tortls_openssl.c +++ b/src/test/test_tortls_openssl.c @@ -279,8 +279,7 @@ test_tortls_log_one_error(void *ignored) mock_clean_saved_logs(); tor_tls_log_one_error(tls, ERR_PACK(1, 2, 3), LOG_WARN, 0, NULL); - expect_log_msg("TLS error with 127.hello: " - "BN lib (in unknown library:(null):---)\n"); + expect_log_msg_containing("TLS error with 127.hello"); mock_clean_saved_logs(); tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_HTTP_REQUEST),