[tor] branch main updated (3cee70e87d -> da52d7206a)

List overview All Threads
Download

newer

older

...

[tor] branch main updated...

gitolite role

21 Jul 2022 21 Jul '22

7:22 p.m.

This is an automated email from the git hooks/post-receive script.

nickm pushed a change to branch main in repository tor.

from 3cee70e87d Merge remote-tracking branch 'tor-gitlab/mr/592' new f3dabd705f LibreSSL 3.5 compatibility new b1545b6d18 Changes file for #40630 (LibreSSL 3.5 compatibility) new da52d7206a Merge remote-tracking branch 'tor-gitlab/mr/598'

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes: changes/issue40630 | 3 +++ configure.ac | 2 +- src/lib/crypt_ops/compat_openssl.h | 22 +++++++++++++--------- src/lib/crypt_ops/crypto_openssl_mgt.h | 3 +-- src/lib/crypt_ops/crypto_rsa_openssl.c | 8 +++++--- 5 files changed, 23 insertions(+), 15 deletions(-) create mode 100644 changes/issue40630

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

Show replies by date

gitolite role

21 Jul 21 Jul

7:22 p.m.

New subject: [tor] 01/03: LibreSSL 3.5 compatibility

This is an automated email from the git hooks/post-receive script.

nickm pushed a commit to branch main in repository tor.

commit f3dabd705f26c56076934323f24b5b05ecdfd39c Author: Alex Xu (Hello71) alex_y_xu@yahoo.ca AuthorDate: Tue Jul 5 11:37:30 2022 -0400

LibreSSL 3.5 compatibility

LibreSSL is now closer to OpenSSL 1.1 than OpenSSL 1.0. According to https://undeadly.org/cgi?action=article;sid=20220116121253, this is the intention of OpenBSD developers.

According to #40630, many special cases are needed to compile Tor against LibreSSL 3.5 when using Tor's OpenSSL 1.0 compatibility mode, whereas only a small number of #defines are required when using OpenSSL 1.1 compatibility mode. One additional workaround is required for LibreSSL 3.4 compatibility.

Compiles and passes unit tests with LibreSSL 3.4.3 and 3.5.1. --- configure.ac | 2 +- src/lib/crypt_ops/compat_openssl.h | 22 +++++++++++++--------- src/lib/crypt_ops/crypto_openssl_mgt.h | 3 +-- src/lib/crypt_ops/crypto_rsa_openssl.c | 8 +++++--- 4 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/configure.ac b/configure.ac index 8baae007cf..6ab7903010 100644 --- a/configure.ac +++ b/configure.ac @@ -1022,7 +1022,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ AC_MSG_CHECKING([for OpenSSL < 1.0.1]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <openssl/opensslv.h> -#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL +#if OPENSSL_VERSION_NUMBER < 0x1000100fL #error "too old" #endif ]], [[]])], diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h index 0f56f338b5..c5eccdb015 100644 --- a/src/lib/crypt_ops/compat_openssl.h +++ b/src/lib/crypt_ops/compat_openssl.h @@ -20,32 +20,36 @@ * \brief compatibility definitions for working with different openssl forks **/

-#if !defined(LIBRESSL_VERSION_NUMBER) && \ - OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1) +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1) #error "We require OpenSSL >= 1.0.1" #endif

-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && \ - ! defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) /* We define this macro if we're trying to build with the majorly refactored * API in OpenSSL 1.1 */ #define OPENSSL_1_1_API #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */

-#ifndef OPENSSL_1_1_API -#define OpenSSL_version(v) SSLeay_version(v) -#define tor_OpenSSL_version_num() SSLeay() +/* LibreSSL claims to be OpenSSL 2.0 but lacks these OpenSSL 1.1 APIs */ +#if !defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) #define RAND_OpenSSL() RAND_SSLeay() #define STATE_IS_SW_SERVER_HELLO(st) \ (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \ ((st) == SSL3_ST_SW_SRVR_HELLO_B)) #define OSSL_HANDSHAKE_STATE int #define CONST_IF_OPENSSL_1_1_API -#else /* defined(OPENSSL_1_1_API) */ -#define tor_OpenSSL_version_num() OpenSSL_version_num() +#else #define STATE_IS_SW_SERVER_HELLO(st) \ ((st) == TLS_ST_SW_SRVR_HELLO) #define CONST_IF_OPENSSL_1_1_API const +#endif + +/* OpenSSL 1.1 and LibreSSL both have these APIs */ +#ifndef OPENSSL_1_1_API +#define OpenSSL_version(v) SSLeay_version(v) +#define tor_OpenSSL_version_num() SSLeay() +#else /* defined(OPENSSL_1_1_API) */ +#define tor_OpenSSL_version_num() OpenSSL_version_num() #endif /* !defined(OPENSSL_1_1_API) */

#endif /* defined(ENABLE_OPENSSL) */ diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h index c6f63ffa08..96a37721dd 100644 --- a/src/lib/crypt_ops/crypto_openssl_mgt.h +++ b/src/lib/crypt_ops/crypto_openssl_mgt.h @@ -54,8 +54,7 @@ #define DISABLE_ENGINES #endif

-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && \ - !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) /* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require * setting up various callbacks. * diff --git a/src/lib/crypt_ops/crypto_rsa_openssl.c b/src/lib/crypt_ops/crypto_rsa_openssl.c index a21c4a65cf..544d72e6ca 100644 --- a/src/lib/crypt_ops/crypto_rsa_openssl.c +++ b/src/lib/crypt_ops/crypto_rsa_openssl.c @@ -572,7 +572,9 @@ static bool rsa_private_key_too_long(RSA *rsa, int max_bits) { const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp; -#ifdef OPENSSL_1_1_API +#if defined(OPENSSL_1_1_API) && \ + (!defined(LIBRESSL_VERSION_NUMBER) || \ + LIBRESSL_VERSION_NUMBER >= OPENSSL_V_SERIES(3,5,0))

#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1) n = RSA_get0_n(rsa); @@ -591,7 +593,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)

if (RSA_bits(rsa) > max_bits) return true; -#else /* !defined(OPENSSL_1_1_API) */ +#else /* !defined(OPENSSL_1_1_API) && ... */ n = rsa->n; e = rsa->e; p = rsa->p; @@ -600,7 +602,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits) dmp1 = rsa->dmp1; dmq1 = rsa->dmq1; iqmp = rsa->iqmp; -#endif /* defined(OPENSSL_1_1_API) */ +#endif /* defined(OPENSSL_1_1_API) && ... */

if (n && BN_num_bits(n) > max_bits) return true;

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

gitolite role

7:22 p.m.

New subject: [tor] 02/03: Changes file for #40630 (LibreSSL 3.5 compatibility)

This is an automated email from the git hooks/post-receive script.

nickm pushed a commit to branch main in repository tor.

commit b1545b6d18fbef6c790e2731a814fa54230d8857 Author: Alex Xu (Hello71) alex_y_xu@yahoo.ca AuthorDate: Tue Jul 19 16:18:29 2022 -0400

Changes file for #40630 (LibreSSL 3.5 compatibility) --- changes/issue40630 | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/changes/issue40630 b/changes/issue40630 new file mode 100644 index 0000000000..faf04941b6 --- /dev/null +++ b/changes/issue40630 @@ -0,0 +1,3 @@ + o Minor features (portability, compilation): + - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5 compatibility. + Fixes issue 40630; patch by Alex Xu (Hello71).

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

gitolite role

7:22 p.m.

New subject: [tor] 03/03: Merge remote-tracking branch 'tor-gitlab/mr/598'

This is an automated email from the git hooks/post-receive script.

nickm pushed a commit to branch main in repository tor.

commit da52d7206a4a8e4fa8b5e80b5ed73de50fbe8692 Merge: 3cee70e87d b1545b6d18 Author: Nick Mathewson nickm@torproject.org AuthorDate: Thu Jul 21 15:21:59 2022 -0400

Merge remote-tracking branch 'tor-gitlab/mr/598'

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

851

Age (days ago)

851

Last active (days ago)

tor-commits@lists.torproject.org

3 comments

1 participants

tags (0)

participants (1)

gitolite role