Re: [Openvpn-devel] [PATCH 5/5] Remove OpenSSL configure checks
Hi,

On 06/04/2021 23:01, Antonio Quartulli wrote:
>
> I like the new approach a lot.
> It definitely helps keeping track of "what compat code do we need? and
> for which version?"
>
> Just one suggestion:
> I think it would still be useful to add a comment on the #endif line to
> explicitly say what if we are closing.
>
> i.e:
>
> #endif /* OPENSSL_VERSION_NUMBER < 0x10101000L &&
> !defined(ENABLE_CRYPTO_WOLFSSL) */
>
> That helps your brain when the corresponding #if is far away or you have
> more than one nearby.
>
> Other than that, it compiles on openssl-1.1.1, 1.1.0 and 1.0.2.
> Test on Linux and Windows (openssl-1.1.1 only in this case).

Since Gert has volunteered to fix this comment on the fly, I am fine
with this version of the patch.

Acked-by: Antonio Quartulli

--
Antonio Quartulli

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 5/5] Remove OpenSSL configure checks
> I like the new approach a lot.
> It definitely helps keeping track of "what compat code do we need? and
> for which version?"
>
> Just one suggestion:
> I think it would still be useful to add a comment on the #endif line to
> explicitly say what if we are closing.
>
> i.e:
>
> #endif /* OPENSSL_VERSION_NUMBER < 0x10101000L &&
> !defined(ENABLE_CRYPTO_WOLFSSL) */
>
> That helps your brain when the corresponding #if is far away or you have
> more than one nearby.
>

Just running uncrustify on the file will just add that one comment

-#endif +#endif /* if OPENSSL_VERSION_NUMBER < 0x1010L && !defined(ENABLE_CRYPTO_WOLFSSL) */

So if that can be done at commit time that would avoid a V2 but I can
also send a V2 with only that change if that is preferred.

Arne
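Review bot: the constant in the added #endif comment, 0x1010L, does not match the 0x10101000L in the suggestion quoted above and is too short to be a full OPENSSL_VERSION_NUMBER value. The closing comment is only useful if it repeats the condition of its matching #if exactly, so the line that gets committed should carry the complete constant, and it is worth confirming that the #if itself has it too.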
Re: [Openvpn-devel] [PATCH 5/5] Remove OpenSSL configure checks
Hi, On 06/04/2021 18:25, Arne Schwabe wrote: > These checks for the functions take a lot of time in configure call and > also having these checks make it more blurry for which of the supported > OpenSSL versions (and libraries claiming to be OpenSSL) are actually > needed. > > Tested with OpenSSL 1.1.1(Ubuntu 20, macOS), 1.0.2 (CentOS7), > 1.1.0 (Debian stretch), LibreSSL (OpenBSD 6.8) and wolfSSL > > Signed-off-by: Arne Schwabe > --- > configure.ac | 84 > src/openvpn/openssl_compat.h | 144 +++ > 2 files changed, 29 insertions(+), 199 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 81700abcb..747325164 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -846,50 +846,6 @@ if test "${with_crypto_library}" = "openssl"; then > # have this feature > have_export_keying_material="yes" > > - AC_CHECK_FUNCS( > - [ \ > - HMAC_CTX_new \ > - HMAC_CTX_free \ > - HMAC_CTX_reset \ > - EVP_MD_CTX_new \ > - EVP_MD_CTX_free \ > - EVP_MD_CTX_reset \ > - EVP_CIPHER_CTX_reset \ > - OpenSSL_version \ > - SSL_CTX_get_default_passwd_cb \ > - SSL_CTX_get_default_passwd_cb_userdata \ > - SSL_CTX_set1_groups \ > - SSL_CTX_set_security_level \ > - X509_get0_notBefore \ > - X509_get0_notAfter \ > - X509_get0_pubkey \ > - X509_STORE_get0_objects \ > - X509_OBJECT_free \ > - X509_OBJECT_get_type \ > - EVP_PKEY_get0_RSA \ > - EVP_PKEY_get0_DSA \ > - EVP_PKEY_get0_EC_KEY \ > - RSA_set_flags \ > - RSA_bits \ > - RSA_get0_key \ > - RSA_set0_key \ > - DSA_get0_pqg \ > - DSA_bits \ > - RSA_meth_new \ > - RSA_meth_free \ > - RSA_meth_set_pub_enc \ > - RSA_meth_set_pub_dec \ > - RSA_meth_set_priv_enc \ > - RSA_meth_set_priv_dec \ > - RSA_meth_set_init \ > - RSA_meth_set_sign \ > - RSA_meth_set_finish \ > - RSA_meth_set0_app_data \ > - RSA_meth_get0_app_data \ > - EC_GROUP_order_bits > - ] > - ) > - > CFLAGS="${saved_CFLAGS}" > LIBS="${saved_LIBS}" 
> > @@ -999,46 +955,6 @@ elif test "${with_crypto_library}" = "wolfssl"; then > # wolfSSL signal EKM support > have_export_keying_material="yes" > > - AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these > are defined as macros]) > - AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS > since these are defined as macros]) > - AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate > AC_CHECK_FUNCS since these are defined as macros]) > - AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate > AC_CHECK_FUNCS since these are defined as macros]) > - AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate > AC_CHECK_FUNCS since these are defined as macros]) > - AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS > since these are defined as macros]) > - AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS > since these are defined as macros]) > - AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since > these are defined as macros]) > - AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS > since these are defined as 
macros]) > - AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these > are defined as macros]) > -
[Openvpn-devel] [PATCH 5/5] Remove OpenSSL configure checks
These checks for the functions take a lot of time in configure call and also having these checks make it more blurry for which of the supported OpenSSL versions (and libraries claiming to be OpenSSL) are actually needed. Tested with OpenSSL 1.1.1(Ubuntu 20, macOS), 1.0.2 (CentOS7), 1.1.0 (Debian stretch), LibreSSL (OpenBSD 6.8) and wolfSSL Signed-off-by: Arne Schwabe --- configure.ac | 84 src/openvpn/openssl_compat.h | 144 +++ 2 files changed, 29 insertions(+), 199 deletions(-) diff --git a/configure.ac b/configure.ac index 81700abcb..747325164 100644 --- a/configure.ac +++ b/configure.ac @@ -846,50 +846,6 @@ if test "${with_crypto_library}" = "openssl"; then # have this feature have_export_keying_material="yes" - AC_CHECK_FUNCS( - [ \ - HMAC_CTX_new \ - HMAC_CTX_free \ - HMAC_CTX_reset \ - EVP_MD_CTX_new \ - EVP_MD_CTX_free \ - EVP_MD_CTX_reset \ - EVP_CIPHER_CTX_reset \ - OpenSSL_version \ - SSL_CTX_get_default_passwd_cb \ - SSL_CTX_get_default_passwd_cb_userdata \ - SSL_CTX_set1_groups \ - SSL_CTX_set_security_level \ - X509_get0_notBefore \ - X509_get0_notAfter \ - X509_get0_pubkey \ - X509_STORE_get0_objects \ - X509_OBJECT_free \ - X509_OBJECT_get_type \ - EVP_PKEY_get0_RSA \ - EVP_PKEY_get0_DSA \ - EVP_PKEY_get0_EC_KEY \ - RSA_set_flags \ - RSA_bits \ - RSA_get0_key \ - RSA_set0_key \ - DSA_get0_pqg \ - DSA_bits \ - RSA_meth_new \ - RSA_meth_free \ - RSA_meth_set_pub_enc \ - RSA_meth_set_pub_dec \ - RSA_meth_set_priv_enc \ - RSA_meth_set_priv_dec \ - RSA_meth_set_init \ - RSA_meth_set_sign \ - RSA_meth_set_finish \ - RSA_meth_set0_app_data \ - RSA_meth_get0_app_data \ - EC_GROUP_order_bits - ] - ) - CFLAGS="${saved_CFLAGS}" LIBS="${saved_LIBS}" 
@@ -999,46 +955,6 @@ elif test "${with_crypto_library}" = "wolfssl"; then # wolfSSL signal EKM support have_export_keying_material="yes" - AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) - AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are 
defined as macros]) - AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -
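Review bot: in the first configure.ac hunk (the openssl branch, @@ -846,50 +846,6 @@), removing the whole AC_CHECK_FUNCS list means none of the HAVE_* results it produced (HAVE_HMAC_CTX_NEW, HAVE_SSL_CTX_SET1_GROUPS, HAVE_EC_GROUP_ORDER_BITS and the rest) is defined any more. A test of one of those macros that survives anywhere outside the rewritten compat header would now quietly evaluate as "function missing" and compile the fallback or drop the feature without any warning. Please grep the tree for every name removed here and convert or delete each remaining use in this same patch. Since configure no longer probes the library, the commit message should also state the oldest OpenSSL release the version-based conditions assume.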
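Review bot: in the second configure.ac hunk (the wolfssl branch, @@ -999,46 +955,6 @@), the removed AC_DEFINE lines held the only written explanation of why wolfSSL needs special handling: "Emulate AC_CHECK_FUNCS since these are defined as macros". With them gone, every version-gated fallback in src/openvpn/openssl_compat.h has to exclude wolfSSL explicitly, as the condition quoted in this thread does with !defined(ENABLE_CRYPTO_WOLFSSL); a fallback that misses the guard would collide with wolfSSL's macro of the same name. Suggest keeping a one-line comment, here or at the top of openssl_compat.h, recording that wolfSSL provides these names as macros and is therefore skipped by the version checks. The hunk is cut off on this page after HAVE_EVP_PKEY_GET0_RSA, so the remaining removals could not be reviewed.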