[tor-commits] [tor/main] Give an error message if LibreSSL's TLSv1.3 APIs aren't what we need

ahf at torproject.org ahf at torproject.org
Mon Nov 8 14:16:42 UTC 2021


commit cee6e7d9e16fdede9e0c7f319e82bd176de25504
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Nov 6 11:04:08 2021 -0400

    Give an error message if LibreSSL's TLSv1.3 APIs aren't what we need
    
    From LibreSSL versions 3.2.1 through 3.4.0, our configure script
    would conclude that TLSv1.3 was supported, but it actually wasn't.
    This led to annoying breakage like #40128 and #40445.
    
    Now we give an error message if we try to build with one of those
    versions.
    
    Closes #40511.
---
 changes/ticket40511 |  6 ++++++
 configure.ac        | 12 ++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/changes/ticket40511 b/changes/ticket40511
new file mode 100644
index 0000000000..756edd874d
--- /dev/null
+++ b/changes/ticket40511
@@ -0,0 +1,6 @@
+  o Minor features (compilation):
+    - Give an error message if trying to build with a version of LibreSSL
+      known not to work with Tor.  (There's an incompatibility with
+      LibreSSL versions 3.2.1 through 3.4.0 inclusive because of their
+      incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.)
+      Closes ticket 40511.
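Review bot: The parenthetical in this changes entry says "incompatibility" twice in one sentence and never tells the reader which release fixes the problem, although the configure.ac error in the same commit names it (3.4.1 or later). Consider rewording to something like "LibreSSL versions 3.2.1 through 3.4.0 inclusive do not implement OpenSSL 1.1.1's TLSv1.3 APIs compatibly; use 3.4.1 or later", so that the changelog and the configure error give the same advice.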
diff --git a/configure.ac b/configure.ac
index 249a250a2f..8ab35bf9dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -963,6 +963,18 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
    [ AC_MSG_RESULT([no]) ],
    [ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
 
+AC_MSG_CHECKING([whether LibreSSL TLS 1.3 APIs are busted])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+#if defined(LIBRESSL_VERSION_NUMBER) && \
+     LIBRESSL_VERSION_NUMBER >= 0x3020100fL && \
+     LIBRESSL_VERSION_NUMBER < 0x3040100fL
+#error "oh no"
+#endif
+   ]], [[]])],
+   [ AC_MSG_RESULT([no]) ],
+   [ AC_MSG_ERROR([This version of LibreSSL won't work with Tor. Please upgrade to LibreSSL 3.4.1 or later. (Or downgrade to 3.2.0 if you really must.)]) ])
+
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
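Review bot: The `#error "oh no"` line in the new check leaves nothing useful in config.log, and the failure branch of AC_COMPILE_IFELSE runs on any compile failure of this test program, not only on the version match, so the "This version of LibreSSL won't work with Tor" message can be printed for an unrelated reason. Suggest making the #error text name the rejected range (3.2.1 through 3.4.0) so config.log shows why the test failed. The version bounds themselves (>= 0x3020100fL and < 0x3040100fL) agree with the commit message and with the "3.4.1 or later" advice. It would also help to mention --with-openssl-dir in the AC_MSG_ERROR text, as the "OpenSSL is too old" message just above does, since a user hitting this error most likely needs to point configure at a different library.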




