BUILD: ssl: add USE_ENGINE and disable the openssl engine by default

author William Lallemand <wlallemand@haproxy.org>

Mon, 11 Apr 2022 16:41:24 +0000 (18:41 +0200)

committer William Lallemand <wlallemand@haproxy.org>

Mon, 11 Apr 2022 16:41:24 +0000 (18:41 +0200)
author William Lallemand <wlallemand@haproxy.org>
Mon, 11 Apr 2022 16:41:24 +0000 (18:41 +0200)
committer William Lallemand <wlallemand@haproxy.org>
Mon, 11 Apr 2022 16:41:24 +0000 (18:41 +0200)
diff --git a/Makefile b/Makefile

index 0c511bcb193176e3b97ee9ac4b8955b06e90e50e..726f28f3e27c24e8162895a3476b871d75355503 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,7 @@
  #   USE_CRYPT_H          : set it if your system requires including crypt.h
  #   USE_GETADDRINFO      : use getaddrinfo() to resolve IPv6 host names.
  #   USE_OPENSSL          : enable use of OpenSSL. Recommended, but see below.
+#   USE_ENGINE           : enable use of OpenSSL Engine.
  #   USE_LUA              : enable Lua support.
  #   USE_ACCEPT4          : enable use of accept4() on linux. Automatic.
  #   USE_CLOSEFROM        : enable use of closefrom() on *bsd, solaris. Automatic.
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h

index 87bb5109c217244e5582950879286a269377a770..f69139bb72c18e6de28f8b7241dda504d96ecf56 100644 (file)
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -16,7 +16,7 @@
  #ifndef OPENSSL_NO_DH
  #include <openssl/dh.h>
  #endif
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
  #include <openssl/engine.h>
  #endif
  
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c

index 026e16d888f593e339153e9db6c663793614077a..5db69b24d82ed195679ceea6961658f96baf0f0c 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -137,7 +137,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox
  #endif
  }
  
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
  /* parse the "ssl-engine" keyword in global section.
   * Returns <0 on alert, >0 on warning, 0 on success.
   */
@@ -1932,7 +1932,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
         { CFG_GLOBAL, "ssl-dh-param-file", ssl_parse_global_dh_param_file },
  #endif
         { CFG_GLOBAL, "ssl-mode-async",  ssl_parse_global_ssl_async },
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
         { CFG_GLOBAL, "ssl-engine",  ssl_parse_global_ssl_engine },
  #endif
         { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
diff --git a/src/ssl_sock.c b/src/ssl_sock.c

index 19a166aa98c89d40553825fa1e3eac06a5f4406c..de0965dc8e59ac66685b39418274d5fcf6184008 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -457,7 +457,7 @@ int ssl_client_sni_index = -1;
  struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference);
  #endif
  
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
  unsigned int openssl_engines_initialized;
  struct list openssl_engines = LIST_HEAD_INIT(openssl_engines);
  struct ssl_engine_list {
@@ -627,7 +627,7 @@ static forceinline void ssl_sock_dump_errors(struct connection *conn)
  }
  
  
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
  int ssl_init_single_engine(const char *engine_id, const char *def_algorithms)
  {
         int err_code = ERR_ABORT;
@@ -7082,7 +7082,7 @@ void ssl_free_global_issuers(void)
         }
  }
  
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
  static int ssl_check_async_engine_count(void) {
         int err_code = ERR_NONE;
  
@@ -7893,7 +7893,7 @@ static void __ssl_sock_init(void)
  #endif
         ssl_client_crt_ref_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_clt_crt_free_func);
         ssl_client_sni_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_clt_sni_free_func);
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
         ENGINE_load_builtin_engines();
         hap_register_post_check(ssl_check_async_engine_count);
  #endif
@@ -7910,7 +7910,7 @@ static void __ssl_sock_init(void)
         ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
         hap_register_post_deinit(ssl_free_dh);
  #endif
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
         hap_register_post_deinit(ssl_free_engines);
  #endif
  #if HA_OPENSSL_VERSION_NUMBER < 0x3000000fL
@@ -7986,8 +7986,7 @@ static void ssl_register_build_options()
  
  INITCALL0(STG_REGISTER, ssl_register_build_options);
  
-
-#ifndef OPENSSL_NO_ENGINE
+#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
  void ssl_free_engines(void) {
         struct ssl_engine_list *wl, *wlb;
         /* free up engine list */
author	William Lallemand <wlallemand@haproxy.org>
	Mon, 11 Apr 2022 16:41:24 +0000 (18:41 +0200)
committer	William Lallemand <wlallemand@haproxy.org>
	Mon, 11 Apr 2022 16:41:24 +0000 (18:41 +0200)
Makefile		patch \| blob \| blame \| history
include/haproxy/openssl-compat.h		patch \| blob \| blame \| history
src/cfgparse-ssl.c		patch \| blob \| blame \| history
src/ssl_sock.c		patch \| blob \| blame \| history