Build failure for 2.3.3 if PCKS#11 and OpenSSL are enabled

[jkb]

When trying to build OpenVPN 2.3.3 for Tunnelblick with PKCS11 and OpenSSL support, I get the following error:

libtool: link: blah, blah, blah…
Undefined symbols:

"_pkcs11h_openssl_session_getEVP", referenced from:

_pkcs11_init_tls_session in pkcs11_openssl.o

ld: symbol(s) not found
collect2: ld returned 1 exit status

I had downloaded the source from ​https://github.com/OpenVPN/openvpn/tree/release/2.3 on 2014-03-25.

Looking at the source, I see a reference to

pkcs11h_openssl_session_getEVP

at line 66 of pkcs11_openssl.c, but I cannot find any place it is defined.

Line 66 is conditionally compiled when:

#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_OPENSSL)

The reference to pkcs11h_openssl_session_getEVP is not present in the source for OpenVPN 2.3.2.

(I filed this under "git master branch" because there is no "2.3.3" option. I do not know if the problem occurs with the source from the git master branch.)

[Gert Döring]

I seem to remember that we need a more recent version of pkcs11_helper "since some change". Let me go searching...

[Gert Döring]

Ah, indeed, commit f8b590d5a6692324a from Nov 12, 2013

pkcs11: use generic evp key instead of rsa

Enables DSA, ECDSA key usages with newer pkcs11-helper.

configure should complain that pkcs11-helper needs to be 1.11 or later, but if I read this right, it will only do that if "pkg-config" is there and can be queried for versions.

[jkb]

Thank you! Linking with pkcs11-helper 1.11 solves the problem.

Apparently variable names prefixed with "pkcs11h_" refer to items outside of the OpenVPN source, in the pcks11-helper source -- I had not realized that.

Sorry for the trouble, and thanks again.

This ticket can be closed, or marked "invalid" or something.

[Gert Döring]

Thanks for testing and reporting :-) - will close!