common: disable OpenSSL engine support if it is disabled

OpenSSL 3.0 documentation recommends moving from the ENGINE API to the
Providers API. Recent distributions may compile OpenSSL without engine
support by default, necessitating more flexible configuration handling.

So, in this change:

- Add a CMake option `WITH_OPENSSL_ENGINE` to explicitly control engine support
- Respect `openssl_engine_opts` when engine support is enabled
- Provide clear error messaging when engine options are set but support is disabled

See also:
- OpenSSL 3.0 documentation:
https://wiki.openssl.org/index.php/OpenSSL_3.0#Engines_and_.22METHOD.22_APIs

Fixes: https://tracker.ceph.com/issues/68059
Signed-off-by: Kefu Chai <tchaikov@gmail.com>

diff --git a/cmake/modules/CephChecks.cmake b/cmake/modules/CephChecks.cmake
index fcde99f4b07e92ffc83e9b33af08d59f4dc65661..da69b24105077a33206766b96685ed64814c9391 100644 (file)
--- a/cmake/modules/CephChecks.cmake
+++ b/cmake/modules/CephChecks.cmake
@@ -55,6 +55,11 @@ if(LINUX)
   CHECK_INCLUDE_FILES("sched.h" HAVE_SCHED)
 endif()
 CHECK_INCLUDE_FILES("valgrind/helgrind.h" HAVE_VALGRIND_HELGRIND_H)
+CHECK_INCLUDE_FILES("openssl/engine.h" HAVE_OPENSSL_ENGINE_H)
+option(WITH_OPENSSL_ENGINE "Build with OpenSSL Engine Support")
+if(WITH_OPENSSL_ENGINE AND NOT HAVE_OPENSSL_ENGINE)
+  message(FATAL_ERROR "Can't find openssl/engine.h")
+endif()
 
 include(CheckTypeSize)
 set(CMAKE_EXTRA_INCLUDE_FILES "linux/types.h" "netinet/in.h")

diff --git a/src/common/openssl_opts_handler.cc b/src/common/openssl_opts_handler.cc
index 81d0c478651a6d9fd59d6f120d2a4e86ca560f9a..6b16d521ae9ef9cf2ebe3584aec51c6ea5c1d474 100644 (file)
--- a/src/common/openssl_opts_handler.cc
+++ b/src/common/openssl_opts_handler.cc
@@ -16,7 +16,9 @@
 
 #include <openssl/bio.h>
 #include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <mutex>
 #include <vector>
 #include <algorithm>
@@ -40,6 +42,9 @@ static ostream &_prefix(std::ostream *_dout)
 {
   return *_dout << "OpenSSLOptsHandler: ";
 }
+
+#ifndef OPENSSL_NO_ENGINE
+
 // -----------------------------------------------------------------------------
 
 string construct_engine_conf(const string &opts)
@@ -128,6 +133,7 @@ void load_module(const string &engine_conf)
     log_error("failed to load modules from CONF:\n" + get_openssl_error());
   }
 }
+#endif // !OPENSSL_NO_ENGINE
 
 void init_engine()
 {
@@ -135,8 +141,12 @@ void init_engine()
   if (opts.empty()) {
     return;
   }
+#ifdef OPENSSL_NO_ENGINE
+  derr << "OpenSSL is compiled with no engine, but openssl_engine_opts is set" << dendl;
+#else
   string engine_conf = construct_engine_conf(opts);
   load_module(engine_conf);
+#endif
 }
 
 void ceph::crypto::init_openssl_engine_once()