From: Kefu Chai
Date: Tue, 25 Mar 2025 04:03:30 +0000 (+0800)
Subject: common: disable OpenSSL engine support if it is disabled
X-Git-Tag: testing/wip-vshankar-testing-20250407.170244-debug~81^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=47b843c377d045cdc4db6830cac98b7365036cfa;p=ceph-ci.git

common: disable OpenSSL engine support if it is disabled

OpenSSL 3.0 documentation recommends moving from the ENGINE API to the Providers API. Recent distributions may compile OpenSSL without engine support by default, necessitating more flexible configuration handling. So, in this change:
- Add a CMake option `WITH_OPENSSL_ENGINE` to explicitly control engine support
- Respect `openssl_engine_opts` when engine support is enabled
- Provide clear error messaging when engine options are set but support is disabled

See also:
- OpenSSL 3.0 documentation: https://wiki.openssl.org/index.php/OpenSSL_3.0#Engines_and_.22METHOD.22_APIs

Fixes: https://tracker.ceph.com/issues/68059
Signed-off-by: Kefu Chai
---
diff --git a/cmake/modules/CephChecks.cmake b/cmake/modules/CephChecks.cmake
index fcde99f4b07..da69b241050 100644
--- a/cmake/modules/CephChecks.cmake
+++ b/cmake/modules/CephChecks.cmake
@@ -55,6 +55,11 @@ if(LINUX)
 CHECK_INCLUDE_FILES("sched.h" HAVE_SCHED)
 endif()
 CHECK_INCLUDE_FILES("valgrind/helgrind.h" HAVE_VALGRIND_HELGRIND_H)
+CHECK_INCLUDE_FILES("openssl/engine.h" HAVE_OPENSSL_ENGINE_H)
+option(WITH_OPENSSL_ENGINE "Build with OpenSSL Engine Support")
+if(WITH_OPENSSL_ENGINE AND NOT HAVE_OPENSSL_ENGINE)
+ message(FATAL_ERROR "Can't find openssl/engine.h")
+endif()
 include(CheckTypeSize)
 set(CMAKE_EXTRA_INCLUDE_FILES "linux/types.h" "netinet/in.h")
diff --git a/src/common/openssl_opts_handler.cc b/src/common/openssl_opts_handler.cc
index 81d0c478651..6b16d521ae9 100644
--- a/src/common/openssl_opts_handler.cc
+++ b/src/common/openssl_opts_handler.cc
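Review bot: The added condition tests `HAVE_OPENSSL_ENGINE`, but the variable the preceding `CHECK_INCLUDE_FILES` line defines is `HAVE_OPENSSL_ENGINE_H`, so with `WITH_OPENSSL_ENGINE=ON` the guard always fires and configuration stops with "Can't find openssl/engine.h" even when the header is present; the line should read `if(WITH_OPENSSL_ENGINE AND NOT HAVE_OPENSSL_ENGINE_H)`. `option()` with no explicit value defaults to OFF, so engine support is opt-in as written, which the help text should say, e.g. `option(WITH_OPENSSL_ENGINE "Build with OpenSSL Engine Support (off by default)" OFF)`. Nothing visible in this diff consumes `WITH_OPENSSL_ENGINE` — the source file keys off OpenSSL's own `OPENSSL_NO_ENGINE` macro — so if the option is meant to gate the C++ code it presumably still needs to be wired to a compile definition elsewhere in the change.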
@@ -16,7 +16,9 @@
 #include
 #include
+#ifndef OPENSSL_NO_ENGINE
 #include
+#endif
 #include
 #include
 #include
@@ -40,6 +42,9 @@ static ostream &_prefix(std::ostream *_dout)
 {
 return *_dout << "OpenSSLOptsHandler: ";
 }
+
+#ifndef OPENSSL_NO_ENGINE
+
 // -----------------------------------------------------------------------------
 string construct_engine_conf(const string &opts)
@@ -128,6 +133,7 @@ void load_module(const string &engine_conf)
 log_error("failed to load modules from CONF:\n" + get_openssl_error());
 }
 }
+#endif // !OPENSSL_NO_ENGINE
 void init_engine()
 {
@@ -135,8 +141,12 @@ void init_engine()
 if (opts.empty()) {
 return;
 }
+#ifdef OPENSSL_NO_ENGINE
+ derr << "OpenSSL is compiled with no engine, but openssl_engine_opts is set" << dendl;
+#else
 string engine_conf = construct_engine_conf(opts);
 load_module(engine_conf);
+#endif
 }
 void ceph::crypto::init_openssl_engine_once()
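Review bot: The new `#ifndef OPENSSL_NO_ENGINE` guard around the engine header include only takes effect if a header that defines `OPENSSL_NO_ENGINE` (OpenSSL's configuration header, reachable via `<openssl/opensslconf.h>` or any other `openssl/` header) has already been included by one of the two includes above it; their targets are not legible in this rendering, so that ordering is worth confirming. If neither pulls it in, the engine header is still included on a no-engine build and the `#ifdef OPENSSL_NO_ENGINE` branch in the last hunk of this file never selects the no-engine path. Placing `#include <openssl/opensslconf.h>` immediately before the guard would make the check independent of include order.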
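Review bot: The `#ifdef OPENSSL_NO_ENGINE` branch in init_engine writes one `derr` line and then falls out of the function, so a daemon whose `openssl_engine_opts` names an engine the operator depends on keeps running with OpenSSL's default implementations rather than stopping; whether that fail-open behaviour is intended deserves an explicit decision in the commit message or a comment on the branch. The previous hunk shows engine setup failures in load_module going through `log_error(...)`, so if that helper is defined outside the newly guarded region, routing this case through it, `log_error("openssl_engine_opts is set, but OpenSSL was built without ENGINE support");`, would give it the same severity and handling as a failed module load; what `log_error` does beyond logging is not visible here. The message could also name the remedy, dropping the option or using an OpenSSL built with engine support. init_engine's signature and the line that fills `opts` lie above this hunk.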