On Sun, 3 Sep 2023 09:17:21 -0700
orbea <or...@riseup.net> wrote:

> On Sun, 3 Sep 2023 16:47:31 +0200
> Antonio Quartulli <a...@unstable.cc> wrote:
> 
> > Hi,
> > 
> > On 03/09/2023 16:29, or...@riseup.net wrote:  
> > > From: orbea <or...@riseup.net>
> > > 
> > > Starting with LibreSSL 3.8.1 the engines have been removed which
> > > causes the OpenVPN build to fail. This can be solved during
> > > configure by checking if OPENSSL_NO_ENGINE is defined in
> > > opensslconf.h.
> > > ---
> > >   configure.ac | 3 ++-
> > >   1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/configure.ac b/configure.ac
> > > index 2f65cbd5..b5a835dc 100644
> > > --- a/configure.ac
> > > +++ b/configure.ac
> > > @@ -926,11 +926,12 @@ if test "${with_crypto_library}" =
> > > "openssl"; then AC_COMPILE_IFELSE(
> > >                                       [AC_LANG_PROGRAM(
> > >                                               [[
> > > +     #include <openssl/opensslconf.h>
> > >               #include <openssl/opensslv.h>
> > >                                               ]],
> > >                                               [[
> > >               /*       Version encoding: MNNFFPPS - see
> > > opensslv.h for details */
> > > -     #if OPENSSL_VERSION_NUMBER >= 0x30000000L
> > > +     #if OPENSSL_VERSION_NUMBER >= 0x30000000L ||
> > > defined(OPENSSL_NO_ENGINE) #error Engine supported disabled by
> > > default in OpenSSL 3.0+    
> > 
> > Maybe the message should be changed now? Or we could have an
> > entirely different message for this case?
> > 
> > Cheers,
> >   
> > >               #endif
> > >                                               ]]    
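Review bot: the `#error` text that follows the combined `#if OPENSSL_VERSION_NUMBER >= 0x30000000L || defined(OPENSSL_NO_ENGINE)` still names only OpenSSL 3.0+, so when this test fails solely because OPENSSL_NO_ENGINE is defined, the compiler output gives a reason that does not apply. Splitting the condition into a separate `#ifdef OPENSSL_NO_ENGINE` block with its own `#error` message would keep each failure self-explanatory, and the "Version encoding" comment would then sit above a pure version check again.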
> >   
> 
> Do you think it might be preferable to only check OPENSSL_NO_ENGINE? I
> see other code bases such as Tor only checking that define.
> 
> 
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Here is a patch that preserves the version check and adds a second
check for OPENSSL_NO_ENGINE which seems to also be useful for BoringSSL.

From d6700ec0f5af2522bb4eb136d3760f5b1445c9d1 Mon Sep 17 00:00:00 2001
From: orbea <or...@riseup.net>
Date: Sat, 2 Sep 2023 23:06:22 -0700
Subject: [PATCH] configure: disable engines if OPENSSL_NO_ENGINE is defined

Starting with LibreSSL 3.8.1 the engines have been removed which causes
the OpenVPN build to fail. This can be solved during configure by
checking if OPENSSL_NO_ENGINE is defined in opensslconf.h.
---
 configure.ac | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 2f65cbd5..1adfb9d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -927,11 +927,17 @@ if test "${with_crypto_library}" = "openssl"; then
                                    [AC_LANG_PROGRAM(
                                            [[
            #include <openssl/opensslv.h>
+           #include <openssl/opensslconf.h>
                                            ]],
                                            [[
            /*       Version encoding: MNNFFPPS - see opensslv.h for details */
            #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-           #error Engine supported disabled by default in OpenSSL 3.0+
+           #error Engine support disabled by default in OpenSSL 3.0+
+           #endif
+
+           /*       BoringSSL and LibreSSL >= 3.8.1 removed engine support */
+           #ifdef OPENSSL_NO_ENGINE
+           #error Engine support disabled by default in openssl/opensslconf.h
            #endif
                                            ]]
                                    )],
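Review bot: the new `#error` under `#ifdef OPENSSL_NO_ENGINE` says engine support is "disabled by default", while the comment directly above it says BoringSSL and LibreSSL >= 3.8.1 removed engine support; a message such as "Engine support not available (OPENSSL_NO_ENGINE defined)" would agree with that comment. The commit message should also mention BoringSSL and the "supported" to "support" wording fix in the existing OpenSSL 3.0+ message, since both changes are in this hunk but only the LibreSSL case is described.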
-- 
2.41.0




