Difficult to figure how configure --api=x.y.z vs OPENSSL_API_COMPAT behave

Yann Droneaud ydroneaud at opteya.com
Fri Mar 11 17:43:56 UTC 2022 

Hi,


I have hard time figuring how to use --api=x.y.z regarding 
OPENSSL_API_COMPAT define.

https://github.com/openssl/openssl/blob/openssl-3.0.1/INSTALL.md#api-level

https://www.openssl.org/docs/man3.0/man7/OPENSSL_API_COMPAT.html


Say I have #define OPENSSL_API_COMPAT 0x010101000L in one file and want 
to compile it against OpenSSL 3.0.1 configured with --api=1.1.0,

I would have expected OPENSSL_API_COMPAT to ask for API 1.1.1 to be 
available, and --api=1.1.0 to ask for APIs 1.1.0, 1.1.1, and 3.0 to be 
built in OpenSSL.

But this doesn't work as I expected.

$ git describe
openssl-3.0.1

$ ./Configure --banner= --api=3.0 && make -s build_generated && gcc -E 
-x c /dev/null -I include -DOPENSSL_API_COMPAT=0x010101000L -include 
"include/openssl/opensslconf.h" -o /dev/null  && echo "***success***"
Configuring OpenSSL version 3.0.1 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile

*** SUCCESS ***


$ ./Configure --banner= --api=1.1.1 && make -s build_generated && gcc -E 
-x c /dev/null -I include -DOPENSSL_API_COMPAT=0x010101000L -include 
"include/openssl/opensslconf.h" -o /dev/null && echo "*** SUCCESS ***"
Configuring OpenSSL version 3.0.1 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile

*** SUCCESS ***

$ ./Configure --banner= --api=1.1.0 && make -s build_generated && gcc -E 
-x c /dev/null -I include -DOPENSSL_API_COMPAT=0x010101000L -include 
"include/openssl/opensslconf.h" -o /dev/null && echo "*** SUCCESS ***"
Configuring OpenSSL version 3.0.1 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile

In file included from ./include/openssl/opensslconf.h:15,
                  from <command-line>:
include/openssl/macros.h:139:4: error: #error "The requested API level 
higher than the configured API compatibility level"
   139 | #  error "The requested API level higher than the configured 
API compatibility level"
       |    ^~~~~


It makes no sense to me that building OpenSSL with --api=3.0 provides 
1.1.1 OPENSSL_API_COMPAT, while OpenSSL configured with --api=1.1.0 
doesn't provide 1.1.1 OPENSSL_API_COMPAT, as --api should set the oldest 
API supported.


What do you think ? Where is my misunderstanding ?


Regards.

-- 

Yann Droneaud

OPTEYA

More information about the openssl-users mailing list