On 19/10/2021 20:31, Arne Schwabe wrote:
This allows selecting engine support at configure time. For OpenSSL 1.1 the
default is not changed and we detect if engine support is available.

Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated and generates
compiler warnings which in turn also break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine support
can be forced on or off. If it is enabled but not detected an error will be
thrown.

This commit cleans up the configure logic a bit and removes the ENGINE_cleanup
checks as we can just assume that it will be also available as macro or function
if the other engine functions are available. Before the cleanup we would only
check for the existence of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe <a...@rfc2549.org>

Looks good to me. My one nitpick is that the part below uses a mix of spaces and tabs for indentation. But the entire file doesn't seem terribly consistent about that.

+    if test "${with_openssl_engine}" = "auto"; then
+        AC_COMPILE_IFELSE(
+                               [AC_LANG_PROGRAM(
+                                       [[
+        #include <openssl/opensslv.h>
+                                       ]],
+                                       [[
+        /*          Version encoding: MNNFFPPS - see opensslv.h for details */
+        #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+        #error Engine supported disabled by default in OpenSSL 3.0+
+        #endif
+                                       ]]
+                               )],
+                               [have_openssl_engine="yes"],
+                               [have_openssl_engine="no"]
+        )
+        if test "${have_openssl_engine}" = "yes"; then
+            AC_CHECK_FUNCS(
+                [ \
+                    ENGINE_load_builtin_engines \
+                    ENGINE_register_all_complete \
+                ],
+                ,
+                [have_openssl_engine="no"; break]
+            )
+        fi
+    else
+        have_openssl_engine="${with_openssl_engine}"
+        if test "${have_openssl_engine}" = "yes"; then
+            AC_CHECK_FUNCS(
+                [ \
+                    ENGINE_load_builtin_engines \
+                    ENGINE_register_all_complete \
+                ],
+                ,
+                [AC_MSG_ERROR([OpenSSL engine support not found])]
+            )
+        fi
+    fi
        if test "${have_openssl_engine}" = "yes"; then
                AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support 
available])
        fi
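
Review bot: the else branch copies ${with_openssl_engine} into have_openssl_engine without checking it, so unless the value is validated outside this hunk, anything other than "yes" (a typo such as --with-openssl-engine=ye, for instance) silently builds without engine support instead of failing. A case statement that calls AC_MSG_ERROR for values other than yes, no or auto would catch that. Two smaller points: the #error text reads "Engine supported disabled" where "Engine support disabled" is presumably meant, and the two AC_CHECK_FUNCS calls differ only in their action-if-not-found, so they could be folded into one call whose failure action tests ${with_openssl_engine}.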


