From 8beb560bfd19106ab75e13f6bf6230fde93e5fac Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 5 Nov 2021 13:23:05 -0400
Subject: [PATCH 1/2] Reverse the direction of the test for openssl 3.0.0

Previously the logic was reversed, and always gave the wrong answer. This has no other effect than to change whether we suppress deprecated API warnings. Fixes #40429; bugfix on 0.3.5.13.
---
 changes/bug40429 | 5 +++++
 configure.ac | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changes/bug40429
diff --git a/changes/bug40429 b/changes/bug40429
new file mode 100644
index 0000000000..9bf3b63818
--- /dev/null
+++ b/changes/bug40429
@@ -0,0 +1,5 @@
+ o Minor bugfixes (compilation):
+ - Fix our configuration logic to detect whether we had OpenSSL 3:
+ previously, our logic was reversed. This has no other effect than to
+ change whether we suppress deprecated API warnings. Fixes
+ bug 40429; bugfix on 0.3.5.13.
diff --git a/configure.ac b/configure.ac
index 930862442c..249a250a2f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -945,7 +945,7 @@ dnl warnings.
 AC_MSG_CHECKING([for OpenSSL >= 3.0.0])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include
-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER <= 0x30000000L
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
 #error "you_have_version_3"
 #endif
 ]], [[]])],
From cee6e7d9e16fdede9e0c7f319e82bd176de25504 Mon Sep 17 00:00:00 2001
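Review bot: In the configure.ac hunk of patch 1/2, the probe reports its positive result through a compile failure (`#error "you_have_version_3"`), so any unrelated failure of the test program would presumably also be read as "OpenSSL >= 3.0.0", and the inverted sense is easy to get backwards, as the bug fixed here shows. A short comment above `AC_COMPILE_IFELSE` would make the direction explicit: `dnl NOTE: this test program fails to compile on OpenSSL >= 3.0.0; the failure branch is the "yes" branch.` The action branches of the macro lie outside the hunk, so their order is inferred from the `#error` string and the commit message.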
From: Nick Mathewson
Date: Sat, 6 Nov 2021 11:04:08 -0400
Subject: [PATCH 2/2] Give an error message if LibreSSL's TLSv1.3 APIs aren't what we need

From LibreSSL versions 3.2.1 through 3.4.0, our configure script would conclude that TLSv1.3 as supported, but it actually wasn't. This led to annoying breakage like #40128 and #40445. Now we give an error message if we try to build with one of those versions. Closes #40511.
---
 changes/ticket40511 | 6 ++++++
 configure.ac | 12 ++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 changes/ticket40511
diff --git a/changes/ticket40511 b/changes/ticket40511
new file mode 100644
index 0000000000..756edd874d
--- /dev/null
+++ b/changes/ticket40511
@@ -0,0 +1,6 @@
+ o Minor features (compilation):
+ - Give an error message if trying to build with a version of LibreSSL
+ known not to work with Tor. (There's an incompatibility with
+ LibreSSL versions 3.2.1 through 3.4.0 inclusive because of their
+ incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.)
+ Closes ticket 40511.
diff --git a/configure.ac b/configure.ac
index 249a250a2f..8ab35bf9dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -963,6 +963,18 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 [ AC_MSG_RESULT([no]) ],
 [ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
 
+AC_MSG_CHECKING([whether LibreSSL TLS 1.3 APIs are busted])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include
+#if defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER >= 0x3020100fL && \
+ LIBRESSL_VERSION_NUMBER < 0x3040100fL
+#error "oh no"
+#endif
+ ]], [[]])],
+ [ AC_MSG_RESULT([no]) ],
+ [ AC_MSG_ERROR([This version of LibreSSL won't work with Tor. Please upgrade to LibreSSL 3.4.1 or later. (Or downgrade to 3.2.0 if you really must.)]) ])
+
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include
 #include
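Review bot: In the configure.ac hunk of patch 2/2, the new LibreSSL probe gates the whole build on two bare version constants with no comment saying why, and its `#error "oh no"` is the only trace left in config.log when it fires. I would add `dnl LibreSSL 3.2.1 through 3.4.0 report TLSv1.3 support but are incompatible with the OpenSSL 1.1.1 TLSv1.3 APIs we use (tickets 40128, 40445, 40511).` above `AC_MSG_CHECKING`, and make the string greppable, e.g. `#error "libressl_tls13_api_mismatch"`, in the style of `"you_have_version_3"` in the OpenSSL 3 probe. The `AC_MSG_ERROR` text also offers a downgrade to 3.2.0; an older release of a TLS library normally lacks later security fixes, so I would drop that parenthetical or state the trade-off in the message.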