Require openssl 1.0.0a for using openssl's ctr-mode implementation

Previously we required 1.0.0, but there was a bug in the 1.0.0 counter
mode. Found by Pascal. Fixes bug 4779.

A more elegant solution would be good here if somebody has time to code
one.

2 files changed, 8 insertions, 2 deletions

diff --git a/changes/bug4779 b/changes/bug4779
new file mode 100644
index 0000000000..4535a2b04d
--- /dev/null
+++ b/changes/bug4779
@@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
+      that was fixed in OpenSSL 1.0.0a. Fixes bug 4779; bugfix on
+      Tor 0.2.3.9-alpha. Found by Pascal.
diff --git a/src/common/aes.c b/src/common/aes.c
index cec6899817..9487cdd51c 100644
--- a/src/common/aes.c
+++ b/src/common/aes.c
@@ -17,7 +17,7 @@
 #include <openssl/aes.h>
 #include <openssl/evp.h>
 #include <openssl/engine.h>
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000001fL
 /* See comments about which counter mode implementation to use below. */
 #include <openssl/modes.h>
 #define USE_OPENSSL_CTR
@@ -45,7 +45,9 @@
  * Here we have a counter mode that's faster than the one shipping with
  * OpenSSL pre-1.0 (by about 10%!).  But OpenSSL 1.0.0 added a counter mode
  * implementation faster than the one here (by about 7%).  So we pick which
- * one to used based on the Openssl version above.
+ * one to used based on the Openssl version above.  (OpenSSL 1.0.0a fixed a
+ * critical bug in that counter mode implementation, so we actually require
+ * that one.)
  */
 
 /*======================================================================*/