These changes follow the same style as earlier patches, e.g. the selinux
patch. Pkg-config is now being used to detect pkcs11-helper afaics.
Also, pkcs11-helper is now disabled by default, which I think makes sense.

I don't see why this shouldn't be included, so it's an ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Signed-off-by: Alon Bar-Lev <alon.bar...@gmail.com>
> ---
>  configure.ac               |   49 ++++++++++++++++---------------------------
>  distro/rpm/openvpn.spec.in |    5 ++-
>  src/openvpn/Makefile.am    |    4 +++
>  src/openvpn/ssl.c          |    2 +-
>  src/openvpn/syshead.h      |    7 ------
>  5 files changed, 26 insertions(+), 41 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 2388f17..baa66b2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -111,9 +111,9 @@ AC_ARG_ENABLE(
>  
>  AC_ARG_ENABLE(
>       [pkcs11],
> -     [AS_HELP_STRING([--disable-pkcs11], [disable pkcs11 support])],
> +     [AS_HELP_STRING([--enable-pkcs11], [enable pkcs11 support])],
>       ,
> -     [enable_pkcs11="yes"]
> +     [enable_pkcs11="no"]
>  )
>  
>  AC_ARG_ENABLE(
> @@ -254,19 +254,6 @@ AC_ARG_WITH(
>  )
>  
>  AC_ARG_WITH(
> -     [pkcs11-helper-headers],
> -     [AS_HELP_STRING([--with-pkcs11-helper-headers=DIR], [pkcs11-helper 
> Include files location])],
> -     [PKCS11_HELPER_HDR_DIR="$withval"]
> -     [CPPFLAGS="$CPPFLAGS -I$withval"] 
> -)
> -
> -AC_ARG_WITH(
> -     [pkcs11-helper-lib],
> -     [AS_HELP_STRING([--with-pkcs11-helper-lib=DIR], [pkcs11-helper Library 
> location])],
> -     [LDFLAGS="$LDFLAGS -L$withval"] 
> -)
> -
> -AC_ARG_WITH(
>       [mem-check],
>       [AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory 
> checking, TYPE=dmalloc|valgrind|ssl])],
>       [
> @@ -719,22 +706,12 @@ if test "${enable_lzo_stub}" = "yes"; then
>       AC_DEFINE([LZO_STUB], [1], [Enable LZO stub capability])
>  fi
>  
> -dnl
> -dnl enable pkcs11 capability
> -dnl
> -if test "${enable_pkcs11}" = "yes"; then
> -   AC_CHECKING([for pkcs11-helper Library and Header files])
> -   AC_CHECK_HEADER(pkcs11-helper-1.0/pkcs11h-core.h,
> -     [AC_CHECK_LIB(pkcs11-helper, pkcs11h_initialize,
> -         [
> -                AC_DEFINE(USE_PKCS11, 1, [Enable PKCS11 capability])
> -                LIBS="${LIBS} -lpkcs11-helper"
> -         ],
> -         [AC_MSG_RESULT([pkcs11-helper library not found.])]
> -     )],
> -     [AC_MSG_RESULT([pkcs11-helper headers not found.])]
> -   )
> -fi
> +PKG_CHECK_MODULES(
> +     [PKCS11_HELPER],
> +     [libpkcs11-helper-1 >= 1.02],
> +     [have_pkcs11_helper="yes"],
> +     []
> +)
>  
>  dnl
>  dnl check for SSL-crypto library
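Review bot: The not-found branch of the new `PKG_CHECK_MODULES` call is an empty `[]`, so `have_pkcs11_helper` is only assigned on success, and the call relies on pkg.m4 not treating that argument as omitted (its default for a missing fourth argument is to abort configure). Making the branch explicit, `[have_pkcs11_helper="no"]`, keeps a machine without libpkcs11-helper configuring cleanly when PKCS#11 is off and gives the later `--enable-pkcs11` check a defined value to test. Unlike the removed block, the probe now runs whether or not `enable_pkcs11` is yes; a `dnl` line saying that the result is only consumed when the option is enabled would make that intent clear.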
> @@ -890,6 +867,14 @@ if test "${enable_selinux}" = "yes"; then
>       AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
>  fi
>  
> +if test "${enable_pkcs11}" = "yes"; then
> +     test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled 
> but libpkcs11-helper is missing])
> +     test "${enable_ssl}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled 
> only if SSL is enabled])
> +     OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
> +     OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"
> +     AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
> +fi
> +
>  if test "${enable_pedantic}" = "yes"; then
>       enable_strict="yes"
>       CFLAGS="${CFLAGS} -ansi -pedantic"
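Review bot: The SSL precondition added here tests `enable_ssl`, which is what was requested, whereas the `syshead.h` guard removed at the end of this patch required `USE_CRYPTO` and `USE_SSL` to actually be defined before `ENABLE_PKCS11` was set. If any configuration leaves `enable_ssl` at yes without those macros ending up defined (not visible in this hunk), PKCS#11 code would be compiled without the layer it depends on. Likewise, any build that sets `USE_PKCS11` outside configure would silently lose token support. A comment above the block such as `dnl ENABLE_PKCS11 is defined only here; syshead.h no longer derives it from USE_PKCS11/USE_CRYPTO/USE_SSL` would record the new contract. The crypto requirement could be tested next to the SSL one if a matching configure variable exists.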
> @@ -917,6 +902,8 @@ AC_SUBST([TAP_WIN_MIN_MINOR])
>  
>  AC_SUBST([OPTIONAL_DL_LIBS])
>  AC_SUBST([OPTIONAL_SELINUX_LIBS])
> +AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])
> +AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
>  
>  AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>  
> diff --git a/distro/rpm/openvpn.spec.in b/distro/rpm/openvpn.spec.in
> index 455f739..8db5172 100644
> --- a/distro/rpm/openvpn.spec.in
> +++ b/distro/rpm/openvpn.spec.in
> @@ -52,8 +52,8 @@ Requires:      openssl       >= 0.9.6
>  %{!?without_pam:BuildRequires: pam-devel}
>  %{!?without_pam:Requires:      pam}
>  
> -%{!?with_pkcs11:BuildRequires: pkcs11-helper-devel}
> -%{!?with_pkcs11:Requires:      pkcs11-helper}
> +%{?with_pkcs11:BuildRequires: pkcs11-helper-devel}
> +%{?with_pkcs11:Requires:      pkcs11-helper}
>  
>  #
>  # Description
> @@ -111,6 +111,7 @@ Development support for OpenVPN.
>       --docdir="%{_docdir}/%{name}-%{version}" \
>       %{?with_password_save:--enable-password-save} \
>       %{?without_lzo:--disable-lzo} \
> +     %{?with_pkcs11:--enable-pkcs11} \
>       %{?with_kerberos:--with-ssl-headers=/usr/kerberos/include}
>  %__make
>  
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index a3f8b3a..fd92225 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -16,6 +16,9 @@ MAINTAINERCLEANFILES = \
>  
>  INCLUDES = -I$(top_srcdir)/include
>  
> +AM_CFLAGS = \
> +     $(OPTIONAL_PKCS11_HELPER_CFLAGS)
> +
>  sbin_PROGRAMS = openvpn
>  
>  openvpn_SOURCES = \
> @@ -97,6 +100,7 @@ openvpn_SOURCES = \
>       cryptoapi.h cryptoapi.c
>  openvpn_LDADD = \
>       $(SOCKETS_LIBS) \
> +     $(OPTIONAL_PKCS11_HELPER_LIBS) \
>       $(OPTIONAL_SELINUX_LIBS) \
>       $(OPTIONAL_DL_LIBS)
>  if WIN32
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index c26756e..e260718 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -264,7 +264,7 @@ ssl_purge_auth (const bool auth_user_pass_only)
>  {
>    if (!auth_user_pass_only)
>      {
> -#ifdef USE_PKCS11
> +#ifdef ENABLE_PKCS11
>        pkcs11_logout ();
>  #endif
>        purge_user_pass (&passbuf, true);
> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
> index cac4757..53b7580 100644
> --- a/src/openvpn/syshead.h
> +++ b/src/openvpn/syshead.h
> @@ -590,13 +590,6 @@ socket_defined (const socket_descriptor_t sd)
>  #endif
>  
>  /*
> - * Do we have PKCS11 capability?
> - */
> -#if defined(USE_PKCS11) && defined(USE_CRYPTO) && defined(USE_SSL)
> -#define ENABLE_PKCS11
> -#endif
> -
> -/*
>   * Do we have CryptoAPI capability?
>   */
>  #if defined(WIN32) && defined(USE_CRYPTO) && defined(USE_SSL) && 
> defined(USE_OPENSSL)


