This pull request is related to suggestions I made in May 2016 and Sep 2017:
https://mta.openssl.org/pipermail/openssl-dev/2017-September/009712.html

This pull request contains in its first five commits various small corrections for shortcomings in the build machinery of OpenSSL I came across while building the addition of the new library, namely:

• a bug fixed in util/mkdef.pl, which caused a loop handling declarations like void fn()
• a more practically useful trace option for util/mkdef.pl
• a new option for mkdef.pl for warning about incomplete handling of #if expressions
• a POSIX/ANSI compatibility warning issue with crypto/mem.c and Visual C fixed in e_os.h
• a correction of OPENSSL_EXPORT and OPENSSL_EXTERN in e_os2.h for native Windows builds
• a bug fixed in a file open error message in apps/progs.pl

Ok... so here's a few thoughts:

1. The code that you have put in that new library is internal, i.e. we have not at all designed it for public consumption. It's very likely that the names we use clash with something else if combined with "the wrong library".
2. the API isn't necessarely stable, i.e. we may introduce changes at any time, and that just doesn't roll well with the idea of making this a public library. We don't promise that it will be stable across minor OpenSSL versions or even releases.

It's true that people do copy that code (hey, I've done the same in previous work), but it's entirely at their own risk.

So in the end, while this might seem like a good idea, this places a maintenance burden on @openssl that I'm unsure we're willing to take.

I'm sorry to deliver such a message, 'cause you have obviously put time and effort into this.
I do take a specific interest into the faults that you have found, however. Would you be willing to move those to a separate PR?

@levitte thanks for your swift comments.

I already anticipated the points you made about internal and unstable API components - that's why I wrote above: "Of course, when this PR is accepted, some further cleanup would make sense."

My main points of this PR are that an application-level library would be of great benefit for several reasons and that it is not too hard to implement.

Of course, the actual contents of the library are debatable - putting essentially all of apps.c and app_rand.c is just an example. Yet at least functions like load_cert, load_key, load_crl, ... and all the code supporting CRL loading and OCSP would fit there perfectly.
As mentioned, further more high-level code possibly added in the future, e.g., on certificate management using CMP, would likely better not go into the core crypto lib, but into the new library.

Sure I'll put the various commits with small general improvements in a separate PR.

How if I reduce the initial (API) contents of the new library to:

X509 *load_cert(const char *file, int format, const char *cert_descrip);
X509_CRL *load_crl(const char *infile, int format);
EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                   const char *pass, ENGINE *e, const char *key_descrip);
EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                      const char *pass, ENGINE *e, const char *key_descrip);
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
               const char *pass, const char *cert_descrip);
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
              const char *pass, const char *cert_descrip);
int load_pkcs12(BIO *in, const char *desc, pem_password_cb *pem_cb, void *cb_data,
                EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);

int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl);
X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp);
STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm);

ENGINE *setup_engine(const char *engine, int debug);
void release_engine(ENGINE *e);

Hope this addresses (all) the concerns mentioned above.

I am sceptical about the need for a new library (for this purpose). If we think there is code in the apps that is generally useful, I'm not sure why we wouldn't push that code down into libcrypto or libssl as appropriate. If we were to introduce a new library then I think it should be part of a broader review of the structure of all our codebase. There are other things that have been proposed for splitting out into separate libraries, e.g. we could make all algorithms dynamically loadable at runtime. There is also code in libcrypto which isn't really crypto related at all and probably doesn't belong there at all. Such a wholesale review probably shouldn't happen until 1.2.0

What about libtls from LibreSSL?

So @DDvO, I just wanted to let you know that, which I'm sceptical about making a public library, I've recently come to think that a private apps library (that's made out of all the apps modules that aren't directly CLI stuff) wouldn't be such a bad thing, for practical purposes. So I want to thank you for the inspiration.

@mattcaswell and @levitte, very pleased that you confirmed that having such a lib would have practical advantages. and that you put this as a 1.2.0 milestone.

OpenSSL itself will benefit from this even without the need to sanitize and document the interface of such a library. Yet if this extra effort on the API is spent, also external users of OpenSSL would benefit. This would bring a considerable usability boost because OpenSSL-based developments would not need to deal with various awkward and error-prone details, for instance, on file handling, key management, certificate checking using CRLs and OCSP, and management of TLS connections.

This PR needs a rebase.
A smart move would be to split out the opt.h refactoring as as 1st step to this PR.

This PR needs a rebase.

This PR is very unlikely to be merged as is, so a rebase would be pointless.

Indeed, no need to rebase since this was essentially a proof-of-concept.

I suggest it get closed, even.

If it gets closed I suspect that the milestone tag for 1.2.0 will get neglected.
So in order to keep this PR as a reminder, I'd suggest keeping it open, or maybe it can be transformed into an issue?

Shall we convert this into an issue?

Closing this in favor of the new issue #13440,
which updates the suggestions made and discussed in this (heavily outdated) PR.