Message ID | 20230903142947.20906-1-orbea@riseup.net |
---|---|
State | Changes Requested |
Headers | show |
Series | [Openvpn-devel] configure: disable engines if OPENSSL_NO_ENGINE is defined | expand |
Hi, On 03/09/2023 16:29, orbea@riseup.net wrote: > From: orbea <orbea@riseup.net> > > Starting with LibreSSL 3.8.1 the engines have been removed which causes > the OpenVPN build to fail. This can be solved during configure by > checking if OPENSSL_NO_ENGINE is defined in opensslconf.h. > --- > configure.ac | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index 2f65cbd5..b5a835dc 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -926,11 +926,12 @@ if test "${with_crypto_library}" = "openssl"; then > AC_COMPILE_IFELSE( > [AC_LANG_PROGRAM( > [[ > + #include <openssl/opensslconf.h> > #include <openssl/opensslv.h> > ]], > [[ > /* Version encoding: MNNFFPPS - see opensslv.h for details */ > - #if OPENSSL_VERSION_NUMBER >= 0x30000000L > + #if OPENSSL_VERSION_NUMBER >= 0x30000000L || defined(OPENSSL_NO_ENGINE) > #error Engine supported disabled by default in OpenSSL 3.0+ Maybe the message should be changed now? Or we could have an entirely different message for this case? Cheers, > #endif > ]]
On Sun, 3 Sep 2023 16:47:31 +0200 Antonio Quartulli <a@unstable.cc> wrote: > Hi, > > On 03/09/2023 16:29, orbea@riseup.net wrote: > > From: orbea <orbea@riseup.net> > > > > Starting with LibreSSL 3.8.1 the engines have been removed which > > causes the OpenVPN build to fail. This can be solved during > > configure by checking if OPENSSL_NO_ENGINE is defined in > > opensslconf.h. --- > > configure.ac | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/configure.ac b/configure.ac > > index 2f65cbd5..b5a835dc 100644 > > --- a/configure.ac > > +++ b/configure.ac > > @@ -926,11 +926,12 @@ if test "${with_crypto_library}" = "openssl"; > > then AC_COMPILE_IFELSE( > > [AC_LANG_PROGRAM( > > [[ > > + #include <openssl/opensslconf.h> > > #include <openssl/opensslv.h> > > ]], > > [[ > > /* Version encoding: MNNFFPPS - see > > opensslv.h for details */ > > - #if OPENSSL_VERSION_NUMBER >= 0x30000000L > > + #if OPENSSL_VERSION_NUMBER >= 0x30000000L || > > defined(OPENSSL_NO_ENGINE) #error Engine supported disabled by > > default in OpenSSL 3.0+ > > Maybe the message should be changed now? Or we could have an entirely > different message for this case? > > Cheers, > > > #endif > > ]] > Do you think it might be preferable to only check OPENSSL_NO_ENGINE? I see other code bases such as Tor only checking that define.
On Sun, 3 Sep 2023 09:17:21 -0700 orbea <orbea@riseup.net> wrote: > On Sun, 3 Sep 2023 16:47:31 +0200 > Antonio Quartulli <a@unstable.cc> wrote: > > > Hi, > > > > On 03/09/2023 16:29, orbea@riseup.net wrote: > > > From: orbea <orbea@riseup.net> > > > > > > Starting with LibreSSL 3.8.1 the engines have been removed which > > > causes the OpenVPN build to fail. This can be solved during > > > configure by checking if OPENSSL_NO_ENGINE is defined in > > > opensslconf.h. --- > > > configure.ac | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/configure.ac b/configure.ac > > > index 2f65cbd5..b5a835dc 100644 > > > --- a/configure.ac > > > +++ b/configure.ac > > > @@ -926,11 +926,12 @@ if test "${with_crypto_library}" = > > > "openssl"; then AC_COMPILE_IFELSE( > > > [AC_LANG_PROGRAM( > > > [[ > > > + #include <openssl/opensslconf.h> > > > #include <openssl/opensslv.h> > > > ]], > > > [[ > > > /* Version encoding: MNNFFPPS - see > > > opensslv.h for details */ > > > - #if OPENSSL_VERSION_NUMBER >= 0x30000000L > > > + #if OPENSSL_VERSION_NUMBER >= 0x30000000L || > > > defined(OPENSSL_NO_ENGINE) #error Engine supported disabled by > > > default in OpenSSL 3.0+ > > > > Maybe the message should be changed now? Or we could have an > > entirely different message for this case? > > > > Cheers, > > > > > #endif > > > ]] > > > > Do you think it might be preferable to only check OPENSSL_NO_ENGINE? I > see other code bases such as Tor only checking that define. > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel Here is a patch that preserves the version check and adds a second check for OPENSSL_NO_ENGINE which seems to also be useful for BoringSSL. From d6700ec0f5af2522bb4eb136d3760f5b1445c9d1 Mon Sep 17 00:00:00 2001 From: orbea <orbea@riseup.net> Date: Sat, 2 Sep 2023 23:06:22 -0700 Subject: [PATCH] configure: disable engines if OPENSSL_NO_ENGINE is defined Starting with LibreSSL 3.8.1 the engines have been removed which causes the OpenVPN build to fail. This can be solved during configure by checking if OPENSSL_NO_ENGINE is defined in opensslconf.h. --- configure.ac | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 2f65cbd5..1adfb9d4 100644 --- a/configure.ac +++ b/configure.ac @@ -927,11 +927,17 @@ if test "${with_crypto_library}" = "openssl"; then [AC_LANG_PROGRAM( [[ #include <openssl/opensslv.h> + #include <openssl/opensslconf.h> ]], [[ /* Version encoding: MNNFFPPS - see opensslv.h for details */ #if OPENSSL_VERSION_NUMBER >= 0x30000000L - #error Engine supported disabled by default in OpenSSL 3.0+ + #error Engine support disabled by default in OpenSSL 3.0+ + #endif + + /* BoringSSL and LibreSSL >= 3.8.1 removed engine support */ + #ifdef OPENSSL_NO_ENGINE + #error Engine support disabled by default in openssl/opensslconf.h #endif ]] )],
Hi, On 03/09/2023 18:55, orbea wrote: > Here is a patch that preserves the version check and adds a second > check for OPENSSL_NO_ENGINE which seems to also be useful for BoringSSL. > I prefer this version, but I'll let other chime in. On top of that I think we may need a proper v2 PATCH having no extra body, as I am not sure your message can be properly parsed by git-am. Cheers, > From d6700ec0f5af2522bb4eb136d3760f5b1445c9d1 Mon Sep 17 00:00:00 2001 > From: orbea <orbea@riseup.net> > Date: Sat, 2 Sep 2023 23:06:22 -0700 > Subject: [PATCH] configure: disable engines if OPENSSL_NO_ENGINE is defined > > Starting with LibreSSL 3.8.1 the engines have been removed which causes > the OpenVPN build to fail. This can be solved during configure by > checking if OPENSSL_NO_ENGINE is defined in opensslconf.h. > --- > configure.ac | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index 2f65cbd5..1adfb9d4 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -927,11 +927,17 @@ if test "${with_crypto_library}" = "openssl"; then > [AC_LANG_PROGRAM( > [[ > #include <openssl/opensslv.h> > + #include <openssl/opensslconf.h> > ]], > [[ > /* Version encoding: MNNFFPPS - see opensslv.h for details */ > #if OPENSSL_VERSION_NUMBER >= 0x30000000L > - #error Engine supported disabled by default in OpenSSL 3.0+ > + #error Engine support disabled by default in OpenSSL 3.0+ > + #endif > + > + /* BoringSSL and LibreSSL >= 3.8.1 removed engine support */ > + #ifdef OPENSSL_NO_ENGINE > + #error Engine support disabled by default in openssl/opensslconf.h > #endif > ]] > )],
Hi, On Sun, Sep 03, 2023 at 08:15:05PM +0200, Antonio Quartulli wrote: > On 03/09/2023 18:55, orbea wrote: > > Here is a patch that preserves the version check and adds a second > > check for OPENSSL_NO_ENGINE which seems to also be useful for BoringSSL. > > I prefer this version, but I'll let other chime in. > On top of that I think we may need a proper v2 PATCH having no extra body, > as I am not sure your message can be properly parsed by git-am. It should be fine, and if not, I'll massage it to make it go in. gert
On Sun, 3 Sep 2023 21:22:15 +0200 Gert Doering <gert@greenie.muc.de> wrote: > Hi, > > On Sun, Sep 03, 2023 at 08:15:05PM +0200, Antonio Quartulli wrote: > > On 03/09/2023 18:55, orbea wrote: > > > Here is a patch that preserves the version check and adds a second > > > check for OPENSSL_NO_ENGINE which seems to also be useful for > > > BoringSSL. > > > > I prefer this version, but I'll let other chime in. > > On top of that I think we may need a proper v2 PATCH having no > > extra body, as I am not sure your message can be properly parsed by > > git-am. > > It should be fine, and if not, I'll massage it to make it go in. > > gert Thank you, the patch was generated with 'git format-patch' so I would think 'git am' can consume it, but please let me know if there is anything else I can change.
Hi, On Sun, Sep 03, 2023 at 01:44:13PM -0700, orbea wrote: > Thank you, the patch was generated with 'git format-patch' so I would > think 'git am' can consume it, but please let me know if there is > anything else I can change. For the sake of the archives (so, nothing to do for you now) - what we usually do is, for a v2 of the patch, to tag it as such, and use git-send-email to send it $ git-send-email -v2 --in-reply-to=$original-message-id -1 this will make it show up with a nice "[PATCH v2]" on the list, threaded to the original v1. gert
Hi, so the v2 patch itself is good, but... On Sun, Sep 03, 2023 at 09:55:45AM -0700, orbea wrote: > From d6700ec0f5af2522bb4eb136d3760f5b1445c9d1 Mon Sep 17 00:00:00 2001 > From: orbea <orbea@riseup.net> ... it would be really preferred to have a real author name here, and a "Signed-off-by:" line (git commit -s), and... > Date: Sat, 2 Sep 2023 23:06:22 -0700 > Subject: [PATCH] configure: disable engines if OPENSSL_NO_ENGINE is defined > > Starting with LibreSSL 3.8.1 the engines have been removed which causes > the OpenVPN build to fail. This can be solved during configure by > checking if OPENSSL_NO_ENGINE is defined in opensslconf.h. > --- [..] > + /* BoringSSL and LibreSSL >= 3.8.1 removed engine support */ > + #ifdef OPENSSL_NO_ENGINE > + #error Engine support disabled by default in openssl/opensslconf.h > #endif ... I think the "by default" needs to go from this #error - it's disabled, period. "disabled by default" is the OpenSSL 3.0 thing... (The code change itself looks reasonable, and passes our GHA build farm with various OSes and mbedTLS / OpenSSL 1.1 / OpenSSL 3.0) gert
diff --git a/configure.ac b/configure.ac index 2f65cbd5..b5a835dc 100644 --- a/configure.ac +++ b/configure.ac @@ -926,11 +926,12 @@ if test "${with_crypto_library}" = "openssl"; then AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[ + #include <openssl/opensslconf.h> #include <openssl/opensslv.h> ]], [[ /* Version encoding: MNNFFPPS - see opensslv.h for details */ - #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #if OPENSSL_VERSION_NUMBER >= 0x30000000L || defined(OPENSSL_NO_ENGINE) #error Engine supported disabled by default in OpenSSL 3.0+ #endif ]]
From: orbea <orbea@riseup.net> Starting with LibreSSL 3.8.1 the engines have been removed which causes the OpenVPN build to fail. This can be solved during configure by checking if OPENSSL_NO_ENGINE is defined in opensslconf.h. --- configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)