Hi,
On 22-04-17 00:07, David Sommerseth wrote:
> Commit 039a89c331e9b799 changed the OpenSSL check slightly, but that
> broke ./configure on systems which do not install the openssl.pc
> pkg-config support file. This is typically an issue on most of the BSD
> platforms, where the OpenSSL package from the base repository does not
> provide that file.
>
> We should anyway in this case have a better check of OpenSSL version
> available. So in the case pkg-config fails, it will run an additional
> test looking for the OpenSSL version number in the opensslv.h header
> file and check against that version number.
>
> I did consider to rip out the pkg-config test all together, but decided
> to let it stay. If pkg-config works, it provides much more details to
> the ./configure script than just the version number check - such as
> include and library paths if those are outside the default system paths.
>
> If the user adds OPENSSL_CFLAGS or OPENSSL_LIBS to the ./configure
> script, the pkg-config will not be run. But this patch ensures that the
> OpenSSL version is also checked in this situation.
>
> This patch have been tested on Scientic Linux 7.3 (RHEL clone) and
> FreeBSD 10.3-RELEASE-p11.
>
> v4 - Move the CFLAGS/LDFLAGS declarations before the manual
> version test; otherwise we're still testing the system install
> version
>
> v3 - Remove not needed and duplicated OPENSSL_LIBS assignment
> - Fix tab/space issues in modified lines
>
> v2 - Don't use try to simplify the version matching, use the full
> OPENSSL_VERSION_NUMBER
> - Fixed typo (OpneSSL -> OpenSSL)
> - Improve a few comments
>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
> configure.ac | 28 ++++++++++++++++++++++++----
> 1 file changed, 24 insertions(+), 4 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index acea060..2b98375 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -860,11 +860,9 @@ if test "${enable_crypto}" = "yes" -a
> "${with_crypto_library}" = "openssl"; then
> PKG_CHECK_MODULES(
> [OPENSSL],
> [libcrypto >= 1.0.1, libssl >= 1.0.1],
> - [have_openssl="yes"],
> - [AC_MSG_ERROR([Minimum supported OpenSSL version is
> 1.0.1])]
> + [have_openssl="yes"],
> + [] # If this fails, we will do another test next
> )
> -
> - OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
> fi
>
> saved_CFLAGS="${CFLAGS}"
> @@ -872,6 +870,28 @@ if test "${enable_crypto}" = "yes" -a
> "${with_crypto_library}" = "openssl"; then
> CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
> LIBS="${LIBS} ${OPENSSL_LIBS}"
>
> + # If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars
> + # are used, check the version directly in the OpenSSL include file
> + if test "${have_openssl}" != "yes"; then
> + AC_MSG_CHECKING([additionally if OpenSSL is available and version >=
> 1.0.1])
> + AC_COMPILE_IFELSE(
> + [AC_LANG_PROGRAM(
> + [[
> +#include <openssl/opensslv.h>
> + ]],
> + [[
> +/* Version encoding: MNNFFPPS - see opensslv.h for details */
> +#if OPENSSL_VERSION_NUMBER < 0x10001000L
> +#error OpenSSL too old
> +#endif
> + ]]
> + )],
> + [AC_MSG_RESULT([ok])],
> + [AC_MSG_ERROR([OpenSSL version too old])]
> + )
> + OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
> + fi
> +
> AC_CHECK_FUNCS([SSL_CTX_new EVP_CIPHER_CTX_set_key_length],
> ,
> [AC_MSG_ERROR([openssl check failed])]
>
This looks good now, ACK.
-Steffan
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
