aboutsummaryrefslogtreecommitdiff
blob: bba0c45f3fc365235511f86c5d6b460a106deb5b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/598
Upstream-Commit: https://gitlab.torproject.org/tpo/core/tor/-/commit/da52d7206a4a8e4fa8b5e80b5ed73de50fbe8692
Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/713
Upstream-Commit: https://gitlab.torproject.org/tpo/core/tor/-/commit/9850dc59c0db5cbcadc314be8d324a992880fce1

From f3dabd705f26c56076934323f24b5b05ecdfd39c Mon Sep 17 00:00:00 2001
From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
Date: Tue, 5 Jul 2022 11:37:30 -0400
Subject: [PATCH 1/2] LibreSSL 3.5 compatibility

LibreSSL is now closer to OpenSSL 1.1 than OpenSSL 1.0. According to
https://undeadly.org/cgi?action=article;sid=20220116121253, this is the
intention of OpenBSD developers.

According to #40630, many special cases are needed to compile Tor against
LibreSSL 3.5 when using Tor's OpenSSL 1.0 compatibility mode, whereas only a
small number of #defines are required when using OpenSSL 1.1 compatibility
mode. One additional workaround is required for LibreSSL 3.4 compatibility.

Compiles and passes unit tests with LibreSSL 3.4.3 and 3.5.1.
---
 configure.ac                           |  2 +-
 src/lib/crypt_ops/compat_openssl.h     | 22 +++++++++++++---------
 src/lib/crypt_ops/crypto_openssl_mgt.h |  3 +--
 src/lib/crypt_ops/crypto_rsa_openssl.c |  8 +++++---
 4 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/configure.ac b/configure.ac
index 8baae007cf..6ab7903010 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1022,7 +1022,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 AC_MSG_CHECKING([for OpenSSL < 1.0.1])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <openssl/opensslv.h>
-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL
+#if OPENSSL_VERSION_NUMBER < 0x1000100fL
 #error "too old"
 #endif
    ]], [[]])],
diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h
index 0f56f338b5..c5eccdb015 100644
--- a/src/lib/crypt_ops/compat_openssl.h
+++ b/src/lib/crypt_ops/compat_openssl.h
@@ -20,32 +20,36 @@
  * \brief compatibility definitions for working with different openssl forks
  **/
 
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
-  OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
 #error "We require OpenSSL >= 1.0.1"
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && \
-   ! defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
 /* We define this macro if we're trying to build with the majorly refactored
  * API in OpenSSL 1.1 */
 #define OPENSSL_1_1_API
 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
 
-#ifndef OPENSSL_1_1_API
-#define OpenSSL_version(v) SSLeay_version(v)
-#define tor_OpenSSL_version_num() SSLeay()
+/* LibreSSL claims to be OpenSSL 2.0 but lacks these OpenSSL 1.1 APIs */
+#if !defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
 #define RAND_OpenSSL() RAND_SSLeay()
 #define STATE_IS_SW_SERVER_HELLO(st)       \
   (((st) == SSL3_ST_SW_SRVR_HELLO_A) ||    \
    ((st) == SSL3_ST_SW_SRVR_HELLO_B))
 #define OSSL_HANDSHAKE_STATE int
 #define CONST_IF_OPENSSL_1_1_API
-#else /* defined(OPENSSL_1_1_API) */
-#define tor_OpenSSL_version_num() OpenSSL_version_num()
+#else
 #define STATE_IS_SW_SERVER_HELLO(st) \
   ((st) == TLS_ST_SW_SRVR_HELLO)
 #define CONST_IF_OPENSSL_1_1_API const
+#endif
+
+/* OpenSSL 1.1 and LibreSSL both have these APIs */
+#ifndef OPENSSL_1_1_API
+#define OpenSSL_version(v) SSLeay_version(v)
+#define tor_OpenSSL_version_num() SSLeay()
+#else /* defined(OPENSSL_1_1_API) */
+#define tor_OpenSSL_version_num() OpenSSL_version_num()
 #endif /* !defined(OPENSSL_1_1_API) */
 
 #endif /* defined(ENABLE_OPENSSL) */
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h
index c6f63ffa08..96a37721dd 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
@@ -54,8 +54,7 @@
 #define DISABLE_ENGINES
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && \
-  !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
 /* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require
  * setting up various callbacks.
  *
diff --git a/src/lib/crypt_ops/crypto_rsa_openssl.c b/src/lib/crypt_ops/crypto_rsa_openssl.c
index a21c4a65cf..544d72e6ca 100644
--- a/src/lib/crypt_ops/crypto_rsa_openssl.c
+++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
@@ -572,7 +572,9 @@ static bool
 rsa_private_key_too_long(RSA *rsa, int max_bits)
 {
   const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
-#ifdef OPENSSL_1_1_API
+#if defined(OPENSSL_1_1_API) && \
+    (!defined(LIBRESSL_VERSION_NUMBER) || \
+     LIBRESSL_VERSION_NUMBER >= OPENSSL_V_SERIES(3,5,0))
 
 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
   n = RSA_get0_n(rsa);
@@ -591,7 +593,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
 
   if (RSA_bits(rsa) > max_bits)
     return true;
-#else /* !defined(OPENSSL_1_1_API) */
+#else /* !defined(OPENSSL_1_1_API) && ... */
   n = rsa->n;
   e = rsa->e;
   p = rsa->p;
@@ -600,7 +602,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
   dmp1 = rsa->dmp1;
   dmq1 = rsa->dmq1;
   iqmp = rsa->iqmp;
-#endif /* defined(OPENSSL_1_1_API) */
+#endif /* defined(OPENSSL_1_1_API) && ... */
 
   if (n && BN_num_bits(n) > max_bits)
     return true;
-- 
GitLab


From b1545b6d18fbef6c790e2731a814fa54230d8857 Mon Sep 17 00:00:00 2001
From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
Date: Tue, 19 Jul 2022 16:18:29 -0400
Subject: [PATCH 2/2] Changes file for #40630 (LibreSSL 3.5 compatibility)

---
 changes/issue40630 | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changes/issue40630

diff --git a/changes/issue40630 b/changes/issue40630
new file mode 100644
index 0000000000..faf04941b6
--- /dev/null
+++ b/changes/issue40630
@@ -0,0 +1,3 @@
+  o Minor features (portability, compilation):
+    - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5 compatibility.
+      Fixes issue 40630; patch by Alex Xu (Hello71).
-- 
GitLab

From 9850dc59c0db5cbcadc314be8d324a992880fce1 Mon Sep 17 00:00:00 2001
From: orbea <orbea@riseup.net>
Date: Mon, 29 May 2023 12:56:37 -0700
Subject: [PATCH] tls: Disable a warning with LibreSSL >= 3.8.0

Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
3.8.

Based on a patch from OpenBSD.

https://github.com/openbsd/ports/commit/33fe251a08cb11f30ce6094a2e0759c3bb63ed16

These functions are deprecated since OpenSSL 3.0.

https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
---
 src/lib/tls/tortls_openssl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index 12260c09d3..c0a89ac272 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -340,8 +340,10 @@ tor_tls_init(void)
     SSL_load_error_strings();
 #endif /* defined(OPENSSL_1_1_API) */
 
-#if (SIZEOF_VOID_P >= 8 &&                              \
-     OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
+#if (SIZEOF_VOID_P >= 8 &&                                \
+     OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
+     (!defined(LIBRESSL_VERSION_NUMBER) ||                \
+      LIBRESSL_VERSION_NUMBER < 0x3080000fL))
     long version = tor_OpenSSL_version_num();
 
     /* LCOV_EXCL_START : we can't test these lines on the same machine */
-- 
GitLab