Opened 4 years ago

Last modified 19 months ago

#13817 new defect

Untangle kludgey library detection, particularly for SSL forks

Reported by: teor
Owned by:
Priority: High
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.6.1-alpha
Severity: Normal
Keywords: tor-build build library-detection
Cc: nickm
Actual Points:
Parent ID: #6311
Points:
Reviewer:
Sponsor:

Description

Split from #13415:

teor:

LibreSSL

I'm having trouble getting LibreSSL (2.1.2) to work with tor git on OS X 10.9.

Here are the issues I've found and fixed in the configure invocation:

configure --with-openssl-dir= detects the wrong bin/openssl if "$OPENSSL_DIR/bin/openssl" isn't in the path before all other openssl executables.
configure --enable-static-openssl requires LDFLAGS="$OPENSSL_DIR/lib":$LDFLAGS to link properly, at least on OS X.

I'm pretty sure these issues will affect all (non-system/non-standard) SSLs.

Can we make configuring with non-system SSLs easier by prepending "$OPENSSL_DIR/bin" and "$OPENSSL_DIR/lib" to the PATH and LDFLAGS respectively?

BoringSSL

BoringSSL is even worse - it doesn't even have an openssl executable, only builds static libraries, and is a pain to configure correctly under our current config scripts.

I can't seem to stop it finding the system-supplied SSL, even when I provide it the BoringSSL directories.

I get the following warnings when I manually install BoringSSL into include/lib/bin dirs, and fake the openssl executable using the bssl executable:

(See #13815)

nickm:

(The build issues are another matter and should get their own ticket: Untangling our kludgey library detection has been something a bunch of people have wanted for a while.)
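The first configure issue in the description (the `openssl` found via PATH is not the one under `--with-openssl-dir`) can be checked before building. This is an added example, not part of the ticket or of Tor's build scripts; the function names `check_openssl_path`, `make_stub` and `demo`, the directory tree and the stub version strings are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket). Paths and stub binaries are constructed.

# Report whether the `openssl` that PATH resolves to is the one under DIR.
# Prints: match | mismatch:<path found> | missing
check_openssl_path() {
    want="$1/bin/openssl"
    [ -x "$want" ] || { echo "missing"; return 0; }
    found=$(command -v openssl 2>/dev/null || true)
    if [ "$found" = "$want" ]; then
        echo "match"
    else
        echo "mismatch:$found"
    fi
}

# make_stub DIR "version string": fake install whose openssl prints a version.
make_stub() {
    mkdir -p "$1/bin"
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$1/bin/openssl"
    chmod +x "$1/bin/openssl"
}

demo() {
    root=$(mktemp -d)
    make_stub "$root/system" "OpenSSL 0.9.8"     # stands in for the OS copy
    make_stub "$root/libressl" "LibreSSL 2.1.2"  # the library we meant to use
    mkdir -p "$root/boringssl/bin"               # no openssl executable at all
    OPENSSL_DIR="$root/libressl"
    old_path=$PATH

    PATH="$root/system/bin:$old_path"   # system copy shadows the intended one
    before=$(check_openssl_path "$OPENSSL_DIR")
    before_ver=$(openssl version)

    PATH="$OPENSSL_DIR/bin:$PATH"       # the prepend proposed in the ticket
    after=$(check_openssl_path "$OPENSSL_DIR")
    after_ver=$(openssl version)

    none=$(check_openssl_path "$root/boringssl")
    PATH=$old_path
    rm -rf "$root"
}

demo
echo "before prepend: $before ($before_ver)"
echo "after prepend:  $after ($after_ver)"
echo "dir without an openssl executable: $none"
```

A `mismatch` result means any version probe run through PATH describes a different library from the one in `$OPENSSL_DIR`.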

Change History (19)

comment:1 Changed 4 years ago by teor

On OS X 10.9, which has a system-installed OpenSSL 0.9.8, the EVP_aes_128_ctr function is missing when the system OpenSSL is used instead of LibreSSL.

comment:2 Changed 4 years ago by Sebastian

Check out #1354 here, too

comment:3 Changed 4 years ago by teor

#6311 could fix this - Migrate TOR_SEARCH_LIBRARY to use pkg-config

comment:4 in reply to:  1 Changed 4 years ago by yawning

Replying to teor:

#6311 could fix this - Migrate TOR_SEARCH_LIBRARY to use pkg-config

Using pkg-config for our library detection would also solve #10304.

comment:5 Changed 4 years ago by teor

Parent ID: #13415 → #6311

Assigning #6311 as the parent of tasks that could be resolved by pkg-config

comment:6 Changed 4 years ago by teor

From:
https://lists.torproject.org/pipermail/tor-relays/2014-November/005812.html
https://lists.torproject.org/pipermail/tor-relays/2014-November/005822.html

Seth:

I'm trying to build tor-0.2.5.10 from source against LibreSSL 2.1.1 on a
FreeBSD 9.3x jail system.

It fails with this message


CC src/tools/tor-gencert.o
CCLD src/tools/tor-gencert

src/common/libor-crypto.a(aes.o): In function `aes_new_cipher':
/usr/local/src/tor-0.2.5.10/src/common/aes.c:100: undefined reference to
`EVP_aes_128_ctr'
* [src/tools/tor-gencert] Error code 1

Stop in /usr/local/src/tor-0.2.5.10.
* [all] Error code 1

Stop in /usr/local/src/tor-0.2.5.10.


Has anyone had any luck building Tor against LibreSSL?

teor:

Yes, on OS X, but it wasn't easy, and it didn't bootstrap for me due to
SSL errors. Others have had more luck, but mostly on Linux AFAIK.

Do you perhaps have a system-installed OpenSSL 0.9.* which is lacking
EVP_aes_128_ctr?

See https://trac.torproject.org/projects/tor/ticket/13817 for a similar
failure, due to the following issues:

configure --with-openssl-dir= detects the wrong bin/openssl if
"$OPENSSL_DIR/bin/openssl" isn't in the path before all other openssl
executables.
configure --enable-static-openssl requires
LDFLAGS="$OPENSSL_DIR/lib":$LDFLAGS to link properly, at least on OS X.

If you do run into runtime SSL errors, see this bug:
https://trac.torproject.org/projects/tor/ticket/13816

Seth:
Thanks for the information. I was able to get the latest git version of
Tor to build against the libressl-2.1.1 pkg in a fresh FreeBSD 9x jail using
the following steps:

pkg install libressl autoconf git gmake gettext
mkdir /usr/local/src;cd /usr/local/src;git clone https://git.torproject.org/git/tor
cd tor;sh autogen.sh;./configure --with-openssl-dir=/usr/local --disable-asciidoc
make;make install;tor

Here's the terminal output when launching it:

Nov 22 17:26:41.971 [notice] Tor v0.2.6.1-alpha-dev (git-336c856e52d211aa)
running on FreeBSD with Libevent 2.0.21-stable, OpenSSL LibreSSL 2.1 and
Zlib 1.2.8.
Nov 22 17:26:41.971 [notice] Tor can't help you if you use it wrong! Learn
how to be safe at https://www.torproject.org/download/download#warning
Nov 22 17:26:41.971 [notice] This version is not a stable Tor release.
Expect more bugs than usual.
Nov 22 17:26:41.972 [notice] Configuration file "/usr/local/etc/tor/torrc"
not present, using reasonable defaults.
Nov 22 17:26:41.987 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 22 17:26:41.971 [notice] Tor v0.2.6.1-alpha-dev (git-336c856e52d211aa)
running on FreeBSD with Libevent 2.0.21-stable, OpenSSL LibreSSL 2.1 and
Zlib 1.2.8.
Nov 22 17:26:41.971 [notice] Tor can't help you if you use it wrong! Learn
how to be safe at https://www.torproject.org/download/download#warning
Nov 22 17:26:41.971 [notice] This version is not a stable Tor release.
Expect more bugs than usual.
Nov 22 17:26:41.972 [notice] Configuration file "/usr/local/etc/tor/torrc"
not present, using reasonable defaults.
Nov 22 17:26:41.987 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 22 17:26:41.000 [notice] Parsing GEOIP IPv4 file
/usr/local/share/tor/geoip.
Nov 22 17:26:42.000 [notice] Parsing GEOIP IPv6 file
/usr/local/share/tor/geoip6.
Nov 22 17:26:42.000 [warn] You are running Tor as root. You don't need to,
and you probably shouldn't.
Nov 22 17:26:42.000 [notice] We were built to run on a 64-bit CPU, with
OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently
lacks accelerated support for the NIST P-224 and P-256 groups. Building
openssl with such support (using the enable-ec_nistp_64_gcc_128 option
when configuring it) would make ECDH much faster.
Nov 22 17:26:42.000 [notice] Bootstrapped 0%: Starting
Nov 22 17:26:43.000 [notice] Bootstrapped 5%: Connecting to directory
server
Nov 22 17:26:43.000 [notice] Bootstrapped 10%: Finishing handshake with
directory server
Nov 22 17:26:43.000 [notice] We weren't able to find support for all of
the TLS ciphersuites that we wanted to advertise. This won't hurt
security, but it might make your Tor (if run as a client) more easy for
censors to block.
Nov 22 17:26:43.000 [notice] To correct this, use a version of OpenSSL
built with none of its ciphers disabled.
Nov 22 17:26:44.000 [notice] Bootstrapped 15%: Establishing an encrypted
directory connection
Nov 22 17:26:44.000 [notice] Bootstrapped 20%: Asking for networkstatus
consensus
Nov 22 17:26:45.000 [notice] Bootstrapped 25%: Loading networkstatus
consensus
Nov 22 17:26:47.000 [notice] I learned some more directory information,
but not enough to build a circuit: We have no usable consensus.
Nov 22 17:26:48.000 [notice] Bootstrapped 40%: Loading authority key certs
Nov 22 17:26:49.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Nov 22 17:26:49.000 [notice] I learned some more directory information,
but not enough to build a circuit: We need more microdescriptors: we have
0/6624, and can only build 0% of likely paths. (We have 0% of guards bw,
0% of midpoint bw, and 0% of exit bw.)
Nov 22 17:26:50.000 [notice] Bootstrapped 50%: Loading relay descriptors
Nov 22 17:26:53.000 [notice] Bootstrapped 55%: Loading relay descriptors
Nov 22 17:26:54.000 [notice] Bootstrapped 60%: Loading relay descriptors
Nov 22 17:26:54.000 [notice] Bootstrapped 65%: Loading relay descriptors
Nov 22 17:26:55.000 [notice] Bootstrapped 70%: Loading relay descriptors
Nov 22 17:26:55.000 [notice] Bootstrapped 75%: Loading relay descriptors
Nov 22 17:26:55.000 [notice] We now have enough directory information to
build circuits.
Nov 22 17:26:55.000 [notice] Bootstrapped 80%: Connecting to the Tor
network
Nov 22 17:26:55.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Nov 22 17:26:56.000 [notice] Tor has successfully opened a circuit. Looks
like client functionality is working.
Nov 22 17:26:56.000 [notice] Bootstrapped 100%: Done

comment:7 Changed 4 years ago by sysfu

After upgrading the FreeBSD 9.3 LibreSSL pkg from 2.1.1 to 2.1.2, the above method now fails with the error:

src/common/tortls.c: In function 'find_cipher_by_id':
src/common/tortls.c:1480: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'
src/common/tortls.c:1486: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'
* [src/common/tortls.o] Error code 1

This happens whether trying to build Tor stable 0.2.5.10, Tor 0.2.6.1-alpha, or the latest version from git.

Last edited 4 years ago by sysfu

comment:8 Changed 4 years ago by nickm

Milestone: Tor: unspecified → Tor: 0.2.7.x-final

Worth looking at during 0.2.7 triage IMO

comment:9 Changed 4 years ago by nickm

Status: new → assigned

comment:10 Changed 4 years ago by nickm

Keywords: 027-triaged-1-out added

Marking triaged-out items from first round of 0.2.7 triage.

comment:11 Changed 4 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.???

Make all non-needs_review, non-needs_revision, 027-triaged-1-out items belong to 0.2.???

comment:12 Changed 2 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:13 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:14 Changed 19 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:15 Changed 19 months ago by nickm

Keywords: 027-triaged-in added

comment:16 Changed 19 months ago by nickm

Keywords: 027-triaged-in removed

comment:17 Changed 19 months ago by nickm

Keywords: 027-triaged-1-out removed

comment:18 Changed 19 months ago by nickm

Status: assigned → new

Change the status of all assigned/accepted Tor tickets with owner="" to "new".

comment:19 Changed 19 months ago by nickm

Keywords: tor-build build library-detection added; lorax removed
Priority: Medium → High
Severity: Normal