From patchwork Tue Oct 19 07:31:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2027 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id +KrwDDMPb2GwQgAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:19 -0400 Received: from proxy1.mail.ord1d.rsapps.net ([172.30.191.6]) by director13.mail.ord1d.rsapps.net with LMTP id kMnLDDMPb2HzFAAA91zNiA (envelope-from ) for ; Tue, 19 Oct 2021 14:32:19 -0400 Received: from smtp28.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.ord1d.rsapps.net with LMTPS id SCSqDDMPb2GPLgAAasrz9Q (envelope-from ) for ; Tue, 19 Oct 2021 14:32:19 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp28.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e34fe644-310a-11ec-a9dd-a0369f1890f1-1-1 Received: from [216.105.38.7] ([216.105.38.7:55666] helo=lists.sourceforge.net) by smtp28.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 00/71-31896-13F0F616; Tue, 19 Oct 2021 14:32:17 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mctth-0006Yg-OL; Tue, 19 Oct 2021 18:31:37 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mctte-0006Xd-KL for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=g+BbFlk/TNYCxV5SfHT8VRUglsLp9EeKcx2if7PidP0=; b=QCZ3nyi0WVzdBRT8T6pUfYDBQl m5fJFZBDwy68ZKRlAKM5MfrDjw9mfL0FKmlV3cQUtUQFTC1yUfO/ug8nmPzbamby4Cl9mx4QZ/Lj2 j/z3kNWQouQcbBOzwtL2yylhh7JbHfE3q+zQ28aWZsYEDY8jTbXNMT7B+bkeuO1CGRCQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=g+BbFlk/TNYCxV5SfHT8VRUglsLp9EeKcx2if7PidP0=; b=M1htAZjVQI5MR9f8oz9mloaBCG qo8EOJph5S/WoRC0OAd0ZL0K9j3fefqYM5f5Rk3FLf1qThaEKOK38lEE4pZ6+YRz/CW2+FRSzyOYo taqtCCJTML5pPMLBiBPkvEG5BZiCUL6o4kc0vYOA7HFu8lUzEZL3Se4z4kxRBe8SSjG0=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mctte-006U06-2g for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:34 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mcttX-0008hi-2q for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:31:27 +0200 Received: (nullmailer pid 614229 invoked by uid 10006); Tue, 19 Oct 2021 18:31:27 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 Oct 2021 20:31:08 +0200 Message-Id: <20211019183127.614175-3-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org> References: <20211019183127.614175-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This allows to select engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available. Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates compiler warnings which in turn also break -Werro [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mctte-006U06-2g Subject: [Openvpn-devel] [PATCH v3 02/21] [OSSL 3.0] Add --with-openssl-engine autoconf option (auto|yes|no) X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This allows to select engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available. Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates compiler warnings which in turn also break -Werror. By using --with-openssl-engine=no or --with-openssl-engine=yes engine support can be forced on or off. If it is enabled but not detected an error will be thown. This commit cleans up the configurelogic a bit and removes the ENGINE_cleanup checks as we can just assume that it will be also available as macro or function if the other engine functions are available. Before the cleanup we would only check for the existance of engine.h if ENGINE_cleanup was not found. Signed-off-by: Arne Schwabe --- configure.ac | 68 +++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 51 insertions(+), 17 deletions(-) diff --git a/configure.ac b/configure.ac index a37dc762f..31adb875b 100644 --- a/configure.ac +++ b/configure.ac @@ -267,6 +267,18 @@ AC_ARG_ENABLE( [enable_wolfssl_options_h="yes"] ) +AC_ARG_WITH( + [openssl-engine], + [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])], + [ + case "${withval}" in + auto|yes|no) ;; + *) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;; + esac + ], + [with_openssl_engine="auto"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" @@ -800,23 +812,45 @@ if test "${with_crypto_library}" = "openssl"; then [AC_MSG_ERROR([openssl check failed])] ) - have_openssl_engine="yes" - AC_CHECK_FUNCS( - [ \ - ENGINE_load_builtin_engines \ - ENGINE_register_all_complete \ - ENGINE_cleanup \ - ], - , - [have_openssl_engine="no"; break] - ) - if test "${have_openssl_engine}" = "no"; then - AC_CHECK_DECL( [ENGINE_cleanup], [have_openssl_engine="yes"],, - [[ - #include - ]] - ) - fi + if test "${with_openssl_engine}" = "auto"; then + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ + #include + ]], + [[ + /* Version encoding: MNNFFPPS - see opensslv.h for details */ + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #error Engine supported disabled by default in OpenSSL 3.0+ + #endif + ]] + )], + [have_openssl_engine="yes"], + [have_openssl_engine="no"] + ) + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + ENGINE_load_builtin_engines \ + ENGINE_register_all_complete \ + ], + , + [have_openssl_engine="no"; break] + ) + fi + else + have_openssl_engine="${with_openssl_engine}" + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + ENGINE_load_builtin_engines \ + ENGINE_register_all_complete \ + ], + , + [AC_MSG_ERROR([OpenSSL engine support not found])] + ) + fi + fi if test "${have_openssl_engine}" = "yes"; then AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available]) fi