common: disable OpenSSL engine support if it is disabled

tchaikov · tchaikov · commit 47b843c377d0 · 2025-03-28T08:54:19.000+08:00
OpenSSL 3.0 documentation recommends moving from the ENGINE API to the Providers API. Recent distributions may compile OpenSSL without engine support by default, necessitating more flexible configuration handling. So, in this change: - Add a CMake option `WITH_OPENSSL_ENGINE` to explicitly control engine support - Respect `openssl_engine_opts` when engine support is enabled - Provide clear error messaging when engine options are set but support is disabled See also: - OpenSSL 3.0 documentation: https://wiki.openssl.org/index.php/OpenSSL_3.0#Engines_and_.22METHOD.22_APIs Fixes: https://tracker.ceph.com/issues/68059 Signed-off-by: Kefu Chai <tchaikov@gmail.com>
diff --git a/cmake/modules/CephChecks.cmake b/cmake/modules/CephChecks.cmake
@@ -55,6 +55,11 @@ if(LINUX)
   CHECK_INCLUDE_FILES("sched.h" HAVE_SCHED)
 endif()
 CHECK_INCLUDE_FILES("valgrind/helgrind.h" HAVE_VALGRIND_HELGRIND_H)
+CHECK_INCLUDE_FILES("openssl/engine.h" HAVE_OPENSSL_ENGINE_H)
+option(WITH_OPENSSL_ENGINE "Build with OpenSSL Engine Support")
+if(WITH_OPENSSL_ENGINE AND NOT HAVE_OPENSSL_ENGINE)
+  message(FATAL_ERROR "Can't find openssl/engine.h")
+endif()
 
 include(CheckTypeSize)
 set(CMAKE_EXTRA_INCLUDE_FILES "linux/types.h" "netinet/in.h")
diff --git a/src/common/openssl_opts_handler.cc b/src/common/openssl_opts_handler.cc
@@ -16,7 +16,9 @@
 
 #include <openssl/bio.h>
 #include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <mutex>
 #include <vector>
 #include <algorithm>
@@ -40,6 +42,9 @@ static ostream &_prefix(std::ostream *_dout)
 {
   return *_dout << "OpenSSLOptsHandler: ";
 }
+
+#ifndef OPENSSL_NO_ENGINE
+
 // -----------------------------------------------------------------------------
 
 string construct_engine_conf(const string &opts)
@@ -128,15 +133,20 @@ void load_module(const string &engine_conf)
     log_error("failed to load modules from CONF:\n" + get_openssl_error());
   }
 }
+#endif // !OPENSSL_NO_ENGINE
 
 void init_engine()
 {
   string opts = g_ceph_context->_conf->openssl_engine_opts;
   if (opts.empty()) {
     return;
   }
+#ifdef OPENSSL_NO_ENGINE
+  derr << "OpenSSL is compiled with no engine, but openssl_engine_opts is set" << dendl;
+#else
   string engine_conf = construct_engine_conf(opts);
   load_module(engine_conf);
+#endif
 }
 
 void ceph::crypto::init_openssl_engine_once()

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,9 @@`
`16`	`16`
`17`	`17`	`#include <openssl/bio.h>`
`18`	`18`	`#include <openssl/conf.h>`
	`19`	`+#ifndef OPENSSL_NO_ENGINE`
`19`	`20`	`#include <openssl/engine.h>`
	`21`	`+#endif`
`20`	`22`	`#include <mutex>`
`21`	`23`	`#include <vector>`
`22`	`24`	`#include <algorithm>`
`@@ -40,6 +42,9 @@ static ostream &_prefix(std::ostream *_dout)`
`40`	`42`	`{`
`41`	`43`	`return *_dout << "OpenSSLOptsHandler: ";`
`42`	`44`	`}`
	`45`	`+`
	`46`	`+#ifndef OPENSSL_NO_ENGINE`
	`47`	`+`
`43`	`48`	`// -----------------------------------------------------------------------------`
`44`	`49`
`45`	`50`	`string construct_engine_conf(const string &opts)`
`@@ -128,15 +133,20 @@ void load_module(const string &engine_conf)`
`128`	`133`	`log_error("failed to load modules from CONF:\n" + get_openssl_error());`
`129`	`134`	`}`
`130`	`135`	`}`
	`136`	`+#endif // !OPENSSL_NO_ENGINE`
`131`	`137`
`132`	`138`	`void init_engine()`
`133`	`139`	`{`
`134`	`140`	`string opts = g_ceph_context->_conf->openssl_engine_opts;`
`135`	`141`	`if (opts.empty()) {`
`136`	`142`	`return;`
`137`	`143`	`}`
	`144`	`+#ifdef OPENSSL_NO_ENGINE`
	`145`	`+ derr << "OpenSSL is compiled with no engine, but openssl_engine_opts is set" << dendl;`
	`146`	`+#else`
`138`	`147`	`string engine_conf = construct_engine_conf(opts);`
`139`	`148`	`load_module(engine_conf);`
	`149`	`+#endif`
`140`	`150`	`}`
`141`	`151`
`142`	`152`	`void ceph::crypto::init_openssl_engine_once()`