[Openvpn-devel,5/7] Add --with-openssl-engine autoconf option (auto|yes|no)

Message ID 20220512121429.2096164-6-arne@rfc2549.org
State Accepted
Series: Improve OpenSSL 3.0 support in OpenVPN 2.5

Commit Message

Arne Schwabe May 12, 2022, 2:14 a.m. UTC
This is a cherry-pick to release2.5 from 0df2261da. The OpenSSL engine
tests fail  otherwise and it is good to have the same behaviour as in
master/2.6

This allows to select engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated and generates
compiler warnings which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine
support can be forced on or off. If it is enabled but not detected, an
error will be thrown.

This commit cleans up the configure logic a bit and removes the
ENGINE_cleanup checks as we can just assume that it will be also
available as macro or function if the other engine functions are
available. Before the cleanup we would only check for the existance
of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 Changes.rst  |  3 +++
 configure.ac | 60 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 50 insertions(+), 13 deletions(-)

Comments

Gert Doering May 12, 2022, 9:23 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

This repairs the first part of "make check" for ossl 3.0 builds (... by 
skipping the failing engine test).  The cipher loopback still fails.

Moved the Changes.rst hunk to the 2.5.7 section I introduced with 2/7 :-)

Your patch has been applied to the release/2.5 branch.

commit c5d61b345e21860b2357206848535a8452754ad8
Author: Arne Schwabe
Date:   Thu May 12 14:14:27 2022 +0200

     Add --with-openssl-engine autoconf option (auto|yes|no)

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20220512121429.2096164-6-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24332.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/Changes.rst b/Changes.rst
index 884c122a9..d15ffbb87 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -27,6 +27,9 @@  New features
     algorithm by default and the new option ``--providers`` allows loading
     the legacy provider to renable these algorithms.
 
+    The OpenSSL engine feature ``--engine`` is not enabled by default
+    anymore if OpenSSL 3.0 is detected.
+
 
 Bugfixes
 --------
diff --git a/configure.ac b/configure.ac
index 6242cc22e..2f5f6bc7c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -281,6 +281,18 @@  AC_ARG_WITH(
 	[with_crypto_library="openssl"]
 )
 
+AC_ARG_WITH(
+	[openssl-engine],
+	[AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
+	[
+		case "${withval}" in
+			auto|yes|no) ;;
+			*) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;;
+		esac
+	],
+	[with_openssl_engine="auto"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
 	plugindir="${PLUGINDIR}"
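Review bot: The error message on the rejected-value branch names `--with-engine`, but the option being parsed is `--with-openssl-engine`, so a user who passes a bad value is pointed at an option that does not exist; `*) AC_MSG_ERROR([bad value ${withval} for --with-openssl-engine]) ;;` fixes it. The help string's option column could also show the accepted values, `--with-openssl-engine=auto|yes|no`, since the prose after it lists them anyway.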
@@ -880,22 +892,44 @@  if test "${with_crypto_library}" = "openssl"; then
 				   [AC_MSG_ERROR([openssl check failed])]
 	)
 
-	have_openssl_engine="yes"
-	AC_CHECK_FUNCS(
-		[ \
+	if test "${with_openssl_engine}" = "auto"; then
+	    AC_COMPILE_IFELSE(
+				    [AC_LANG_PROGRAM(
+					    [[
+	    #include <openssl/opensslv.h>
+					    ]],
+					    [[
+	    /*	     Version encoding: MNNFFPPS - see opensslv.h for details */
+	    #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	    #error Engine supported disabled by default in OpenSSL 3.0+
+	    #endif
+					    ]]
+				    )],
+				    [have_openssl_engine="yes"],
+				    [have_openssl_engine="no"]
+	    )
+	    if test "${have_openssl_engine}" = "yes"; then
+		AC_CHECK_FUNCS(
+		    [ \
 			ENGINE_load_builtin_engines \
 			ENGINE_register_all_complete \
-			ENGINE_cleanup \
-		],
-		,
-		[have_openssl_engine="no"; break]
-	)
-	if test "${have_openssl_engine}" = "no"; then
-		AC_CHECK_DECL( [ENGINE_cleanup], [have_openssl_engine="yes"],,
-			[[
-				#include <openssl/engine.h>
-			]]
+		    ],
+		    ,
+		    [have_openssl_engine="no"; break]
+		)
+	    fi
+	else
+	    have_openssl_engine="${with_openssl_engine}"
+	    if test "${have_openssl_engine}" = "yes"; then
+		AC_CHECK_FUNCS(
+		    [ \
+			ENGINE_load_builtin_engines \
+			ENGINE_register_all_complete \
+		    ],
+		    ,
+		    [AC_MSG_ERROR([OpenSSL engine support not found])]
 		)
+	    fi
 	fi
 	if test "${have_openssl_engine}" = "yes"; then
 		AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available])
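Review bot: The auto and yes branches each carry their own copy of the AC_CHECK_FUNCS probe for ENGINE_load_builtin_engines and ENGINE_register_all_complete, so the two lists can drift apart the next time a function is added or removed; settling have_openssl_engine first and running a single probe whose not-found action only errors when the user forced `--with-openssl-engine=yes` removes the duplication without changing the outcome of any of the three settings. The `#error` text in the version probe also reads `Engine supported disabled`; `#error Engine support disabled by default in OpenSSL 3.0+` is what is meant. The enclosing `if test "${with_crypto_library}" = "openssl"` block starts before this hunk and continues after it.
```m4
	if test "${with_openssl_engine}" = "auto"; then
	    dnl … unchanged: AC_COMPILE_IFELSE version probe setting have_openssl_engine …
	else
	    have_openssl_engine="${with_openssl_engine}"
	fi
	if test "${have_openssl_engine}" = "yes"; then
		AC_CHECK_FUNCS(
		    [ \
			ENGINE_load_builtin_engines \
			ENGINE_register_all_complete \
		    ],
		    ,
		    [if test "${with_openssl_engine}" = "yes"; then
			AC_MSG_ERROR([OpenSSL engine support not found])
		     fi
		     have_openssl_engine="no"; break]
		)
	fi
```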