Update to OpenSSL 3.0

From https://www.openssl.org/source/:

The previous LTS version (the 1.1.1 series) is also available and is supported until 11th September 2023.

Our estimation is that for the end of September we'll release 13.0 stable.

However, I think that we should account for any emergency and/or postponed release, and updating 12.5 to OpenSSL 3.0 while it's still in alpha seems like a good idea to me.

I'm saying 3.0 because it's a LTS, and it's supported until September 2026, whereas 3.1 is supported only up to March 2025.

Updating the OpenSSL project is trivial (change version and hash).

However, tor isn't that easy.

First, it needs a patch because we copy the libraries to the target (well, we use OpenSSL only for Tor, maybe we could even switch to static linking also on Linux).

First patch for Linux amd64

diff --git a/projects/tor/build b/projects/tor/build
index ac045aeb..5ce9aa24 100644
--- a/projects/tor/build
+++ b/projects/tor/build
@@ -35,8 +35,8 @@ openssldir=/var/tmp/dist/openssl/openssl
   TORDEBUGDIR="$distdir/debug"
   mkdir "$TORDEBUGDIR"
 
-  cp $openssldir/lib/libssl.so.1.1 "$TORBINDIR"
-  cp $openssldir/lib/libcrypto.so.1.1 "$TORBINDIR"
+  cp $openssldir/[% c("var/libdir") %]/libssl.so.3 "$TORBINDIR"
+  cp $openssldir/[% c("var/libdir") %]/libcrypto.so.3 "$TORBINDIR"
   cp $libeventdir/lib/libevent-2.1.so.7 "$TORBINDIR"
   # We need to copy the libstdc++.so.6 for Tor Browser on older Linux distros.
   # Copying it into /Browser, which feels more natural, and amending

Then, tests fail to build:

Logs

In file included from src/test/test_tortls_openssl.c:42:
./src/lib/tls/tortls_internal.h:55:8: error: conflicting types for 'SSL_SESSION_get_master_key'
   55 | size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
      |        ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/test/test_tortls_openssl.c:23:
/var/tmp/dist/openssl/openssl/include/openssl/ssl.h:2160:15: note: previous declaration of 'SSL_SESSION_get_master_key' was here
 2160 | __owur size_t SSL_SESSION_get_master_key(const SSL_SESSION *sess,
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~~
  CC       src/test/src_test_test_memwipe-test-memwipe.o
  CC       src/test/test-process.o
src/test/test_tortls_openssl.c: In function 'get_cipher_by_name':
src/test/test_tortls_openssl.c:540:19: error: invalid use of incomplete typedef 'SSL_METHOD' {aka 'const struct ssl_method_st'}
  540 |   int num = method->num_ciphers();
      |                   ^~
src/test/test_tortls_openssl.c:543:38: error: invalid use of incomplete typedef 'SSL_METHOD' {aka 'const struct ssl_method_st'}
  543 |     const SSL_CIPHER *cipher = method->get_cipher(i);
      |                                      ^~
src/test/test_tortls_openssl.c: In function 'test_tortls_client_is_using_v2_ciphers':
src/test/test_tortls_openssl.c:716:6: error: invalid use of incomplete typedef 'SSL' {aka 'struct ssl_st'}
  716 |   ssl->session = sess;
      |      ^~
src/test/test_tortls_openssl.c:723:6: error: invalid use of incomplete typedef 'SSL_CIPHER' {aka 'struct ssl_cipher_st'}
  723 |   one->id = 0x00ff;
      |      ^~
src/test/test_tortls_openssl.c:725:7: error: invalid use of incomplete typedef 'SSL_SESSION' {aka 'struct ssl_session_st'}
  725 |   sess->ciphers = ciphers;
      |       ^~
  CC       src/test/src_test_test_workqueue-test_workqueue.o
Makefile:21319: recipe for target 'src/test/src_test_test-test_tortls_openssl.o' failed

There aren't issues about this in the core repository. We should check it isn't a problem with include files/paths.

I don't have these errors in my regular host machine.

We should try to see if we can isolate the reason for which we get this problem, and open an issue on tpo/core/tor if needed.

The problem was that OpenSSL 3 switched to lib64 instead of lib, and little-t-tor kept looking for lib with a custom OpenSSL directory.

Changing OpenSSL to use lib fixed the problem.

Also, OpenSSL 3 stopped using Program Files for Windows also when cross compiling (), so fixed that, too, and in general reworked the directories a little bit.

added FF115-esr label

We just talked about that on IRC.

The plan is to get 12.5 soonish, so we don't have too much time.

We can do it in the first 13.0 alpha, and backport should we ever need it.

added 13.0 stable label

added Build System label

added All Platforms label

added Roadmap::Future label

added Task label

assigned to @pierov

removed Roadmap::Future label

added Doing label

removed FF115-esr label

mentioned in issue tpo/core/tor#40807

mentioned in merge request !738 (merged)

marked this issue as related to #40848 (closed)

added Needs Review label and removed Doing label

closed

removed Needs Review label

marked this issue as related to #40965 (closed)