From LibreSSL versions 3.2.1 through 3.4.0, our configure script
would conclude that TLSv1.3 was supported, but it actually wasn't.
This led to annoying breakage like #40128 and #40445.
Now we give an error message if we try to build with one of those
versions.
Closes #40511.
--- /dev/null
+ o Minor features (compilation):
+ - Give an error message if trying to build with a version of LibreSSL
+ known not to work with Tor. (There's an incompatibility with
+ LibreSSL versions 3.2.1 through 3.4.0 inclusive because of their
+ incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.)
+ Closes ticket 40511.
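Review bot: The changes entry names the broken range (3.2.1 through 3.4.0 inclusive) but does not say which LibreSSL versions do work, so a packager reading only the changelog has to infer the fix. The configure error in this same patch already names 3.4.1 or later; consider repeating that here, for example by adding "Upgrade to LibreSSL 3.4.1 or later." to the parenthetical.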
[ AC_MSG_RESULT([no]) ],
[ AC_MSG_ERROR([OpenSSL is too old. We require 1.0.1 or later. You can specify a path to a newer one with --with-openssl-dir.]) ])
+AC_MSG_CHECKING([whether LibreSSL TLS 1.3 APIs are busted])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+#if defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER >= 0x3020100fL && \
+ LIBRESSL_VERSION_NUMBER < 0x3040100fL
+#error "oh no"
+#endif
+ ]], [[]])],
+ [ AC_MSG_RESULT([no]) ],
+ [ AC_MSG_ERROR([This version of LibreSSL won't work with Tor. Please upgrade to LibreSSL 3.4.1 or later. (Or downgrade to 3.2.0 if you really must.)]) ])
+
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <openssl/opensslv.h>
#include <openssl/evp.h>
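Review bot: The AC_MSG_ERROR text in the new check offers "downgrade to 3.2.0 if you really must" as an alternative, which has the build script steering users toward an older release of their TLS library. I would drop that parenthetical, or at least reword it so that upgrading to 3.4.1 or later is clearly the supported path. Separately, the `#error "oh no"` string is what ends up in config.log when the probe fails; a message naming the affected range (3.2.1 through 3.4.0) would make that log self-explanatory. A short comment above the `#if` noting that 0x3020100fL and 0x3040100fL correspond to 3.2.1 and 3.4.1 would also help the next person who has to adjust the bounds.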