xref: /curl/m4/curl-openssl.m4 (revision 68a224c2)
#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************

# File version for 'aclocal' use. Keep it a single number.
# serial 5

dnl **********************************************************************
dnl Check for OpenSSL libraries and headers
dnl **********************************************************************

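dnl CURL_WITH_OPENSSL
dnl -----------------
dnl Probe for OpenSSL, or an API-compatible fork, and wire it into the build.
dnl
dnl Reads:  OPT_OPENSSL (the --with-openssl value: "no", "yes" or a prefix),
dnl         DEFAULT_SSL_BACKEND, libsuff, host and cross_compiling.
dnl Sets:   OPENSSL_ENABLED=1 and USE_OPENSSL when libs and headers are found,
dnl         ssl_msg / ssl_backends for the configure summary, and the optional
dnl         results HAVE_LIBRESSL, OPENSSL_IS_BORINGSSL, HAVE_OPENSSL_SRP,
dnl         CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, QUIC_ENABLED and
dnl         have_openssl_quic.
dnl Fails:  configure aborts when OpenSSL was requested but cannot be detected.
dnl
dnl The statement order matters: CPPFLAGS, LDFLAGS and LIBS are changed step
dnl by step and restored from the CLEAN* copies when a probe fails.
AC_DEFUN([CURL_WITH_OPENSSL], [
if test "x$OPT_OPENSSL" != xno; then
  ssl_msg=

  dnl backup the pre-ssl variables
  CLEANLDFLAGS="$LDFLAGS"
  CLEANCPPFLAGS="$CPPFLAGS"
  CLEANLIBS="$LIBS"

  dnl This is for MSYS/MinGW
  dnl -lgdi32 stays in LIBS only if the GdiFlush link probe succeeds.
  case $host in
    *-*-msys* | *-*-mingw*)
      AC_MSG_CHECKING([for gdi32])
      my_ac_save_LIBS=$LIBS
      LIBS="-lgdi32 $LIBS"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <windef.h>
        #include <wingdi.h>
        ]],
        [[
          GdiFlush();
        ]])],
        [ dnl worked!
        AC_MSG_RESULT([yes])],
        [ dnl failed, restore LIBS
        LIBS=$my_ac_save_LIBS
        AC_MSG_RESULT(no)]
        )
      ;;
  esac

  case "$OPT_OPENSSL" in
    yes)
      dnl --with-openssl (without path) used
      PKGTEST="yes"
      PREFIX_OPENSSL=
      ;;
    *)
      dnl check the given --with-openssl spot
      dnl The prefix is taken verbatim from the command line and ends up in
      dnl -I, -L and PKG_CONFIG_LIBDIR, so the headers, libraries and
      dnl openssl.pc found there are trusted as-is.  Point it only at a
      dnl directory the build user controls.
      PKGTEST="no"
      PREFIX_OPENSSL=$OPT_OPENSSL

      dnl Try pkg-config even when cross-compiling.  Since we
      dnl specify PKG_CONFIG_LIBDIR we're only looking where
      dnl the user told us to look
      OPENSSL_PCDIR="$OPT_OPENSSL/lib/pkgconfig"
      if test -f "$OPENSSL_PCDIR/openssl.pc"; then
        AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
        PKGTEST="yes"
      fi

      if test "$PKGTEST" != "yes"; then
        # try lib64 instead
        OPENSSL_PCDIR="$OPT_OPENSSL/lib64/pkgconfig"
        if test -f "$OPENSSL_PCDIR/openssl.pc"; then
          AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
          PKGTEST="yes"
        fi
      fi

      dnl without an openssl.pc the prefix must at least hold the ssl.h header
      if test "$PKGTEST" != "yes"; then
        if test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then
          AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-openssl prefix!])
        fi
      fi

      dnl in case pkg-config comes up empty, use what we got
      dnl via --with-openssl
      LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff"
      if test "$PREFIX_OPENSSL" != "/usr" ; then
        SSL_LDFLAGS="-L$LIB_OPENSSL"
        SSL_CPPFLAGS="-I$PREFIX_OPENSSL/include"
      fi
      ;;
  esac

  if test "$PKGTEST" = "yes"; then

    CURL_CHECK_PKGCONFIG(openssl, [$OPENSSL_PCDIR])

    if test "$PKGCONFIG" != "no" ; then
      dnl pkg-config errors are discarded by the 2>/dev/null redirects, so a
      dnl failing query just leaves the variable empty.
      SSL_LIBS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-l --libs-only-other openssl 2>/dev/null`

      SSL_LDFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-L openssl 2>/dev/null`

      SSL_CPPFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --cflags-only-I openssl 2>/dev/null`

      AC_SUBST(SSL_LIBS)
      AC_MSG_NOTICE([pkg-config: SSL_LIBS: "$SSL_LIBS"])
      AC_MSG_NOTICE([pkg-config: SSL_LDFLAGS: "$SSL_LDFLAGS"])
      AC_MSG_NOTICE([pkg-config: SSL_CPPFLAGS: "$SSL_CPPFLAGS"])

      dnl Only a leading -L is stripped here.
      dnl NOTE(review): if pkg-config reports several -L entries the others
      dnl stay inside LIB_OPENSSL, which is later used as one directory name;
      dnl confirm whether that can happen on supported setups.
      LIB_OPENSSL=`echo $SSL_LDFLAGS | sed -e 's/^-L//'`

      dnl use the values pkg-config reported.  This is here
      dnl instead of below with CPPFLAGS and LDFLAGS because we only
      dnl learn about this via pkg-config.  If we only have
      dnl the argument to --with-openssl we don't know what
      dnl additional libs may be necessary.  Hope that we
      dnl don't need any.
      LIBS="$SSL_LIBS $LIBS"
    fi
  fi

  dnl finally, set flags to use SSL
  CPPFLAGS="$CPPFLAGS $SSL_CPPFLAGS"
  LDFLAGS="$LDFLAGS $SSL_LDFLAGS"

  dnl libcrypto is probed in up to four steps: as-is, with the explicit
  dnl library directory, with -ldl, and with -ldl -lpthread.  If all of them
  dnl fail the three flag variables are restored to their pre-ssl values.
  AC_CHECK_LIB(crypto, HMAC_Update,[
    HAVECRYPTO="yes"
    LIBS="-lcrypto $LIBS"
    ],[
    if test -n "$LIB_OPENSSL" ; then
      LDFLAGS="$CLEANLDFLAGS -L$LIB_OPENSSL"
    fi
    if test "$PKGCONFIG" = "no" && test -n "$PREFIX_OPENSSL" ; then
      # only set this if pkg-config wasn't used
      CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include"
    fi
    # Linking previously failed, try extra paths from --with-openssl or
    # pkg-config.  Use a different function name to avoid reusing the earlier
    # cached result.
    AC_CHECK_LIB(crypto, HMAC_Init_ex,[
      HAVECRYPTO="yes"
      LIBS="-lcrypto $LIBS"], [

      dnl still no, but what about with -ldl?
      AC_MSG_CHECKING([OpenSSL linking with -ldl])
      LIBS="-lcrypto $CLEANLIBS -ldl"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <openssl/err.h>
      ]], [[
        ERR_clear_error();
      ]]) ],
      [
        AC_MSG_RESULT(yes)
        HAVECRYPTO="yes"
      ],
      [
        AC_MSG_RESULT(no)
        dnl ok, so what about both -ldl and -lpthread?
        dnl This may be necessary for static libraries.

        AC_MSG_CHECKING([OpenSSL linking with -ldl and -lpthread])
        LIBS="-lcrypto $CLEANLIBS -ldl -lpthread"
        AC_LINK_IFELSE([
          AC_LANG_PROGRAM([[
          #include <openssl/err.h>
        ]], [[
          ERR_clear_error();
        ]])],
        [
          AC_MSG_RESULT(yes)
          HAVECRYPTO="yes"
        ],
        [
          AC_MSG_RESULT(no)
          LDFLAGS="$CLEANLDFLAGS"
          CPPFLAGS="$CLEANCPPFLAGS"
          LIBS="$CLEANLIBS"
        ])
      ])
    ])
  ])

  if test X"$HAVECRYPTO" = X"yes"; then
    dnl This is only reasonable to do if crypto actually is there: check for
    dnl SSL libs NOTE: it is important to do this AFTER the crypto lib

    AC_CHECK_LIB(ssl, SSL_connect)

    if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
      dnl we didn't find the SSL lib, try the RSAglue/rsaref stuff
      dnl NOTE(review): this retry probes the same library and function as
      dnl the check above, so it may just reuse that cached negative result.
      dnl Even when it succeeds the header checks in the else branch are
      dnl skipped, so OPENSSL_ENABLED stays unset.  Confirm this fallback is
      dnl still meant to work.
      AC_MSG_CHECKING([for ssl with RSAglue/rsaref libs in use])
      OLIBS=$LIBS
      LIBS="-lRSAglue -lrsaref $LIBS"
      AC_CHECK_LIB(ssl, SSL_connect)
      if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
        dnl still no SSL_connect
        AC_MSG_RESULT(no)
        LIBS=$OLIBS
      else
        AC_MSG_RESULT(yes)
      fi

    else

      dnl Have the libraries--check for OpenSSL headers
      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
                       openssl/pem.h openssl/ssl.h openssl/err.h,
        ssl_msg="OpenSSL"
        test openssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        OPENSSL_ENABLED=1
        AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use]))

      if test "$ac_cv_header_openssl_x509_h" = no; then
        dnl we don't use the "action" part of the AC_CHECK_HEADERS macro
        dnl since 'err.h' might in fact find a krb4 header with the same
        dnl name
        AC_CHECK_HEADERS(x509.h rsa.h crypto.h pem.h ssl.h err.h)

        if test "$ac_cv_header_x509_h" = yes &&
           test "$ac_cv_header_crypto_h" = yes &&
           test "$ac_cv_header_ssl_h" = yes; then
          dnl three matches
          ssl_msg="OpenSSL"
          OPENSSL_ENABLED=1
        fi
      fi
    fi

    if test X"$OPENSSL_ENABLED" != X"1"; then
      LIBS="$CLEANLIBS"
    fi

    dnl NOTE(review): this compares against "off" while the guards around it
    dnl compare OPT_OPENSSL against "no"; confirm "off" is a value
    dnl OPT_OPENSSL can actually take.
    if test X"$OPT_OPENSSL" != Xoff &&
       test "$OPENSSL_ENABLED" != "1"; then
      AC_MSG_ERROR([OpenSSL libs and/or directories were not found where specified!])
    fi
  fi

  if test X"$OPENSSL_ENABLED" = X"1"; then
    dnl These can only exist if OpenSSL exists
    dnl Each probe below overwrites ssl_msg when it matches, so the last
    dnl match is the name that reaches the configure summary.

    AC_MSG_CHECKING([for BoringSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
        ]],[[
        #ifndef OPENSSL_IS_BORINGSSL
        #error not boringssl
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="BoringSSL"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    dnl AWS-LC sets the same OPENSSL_IS_BORINGSSL shell flag.
    dnl NOTE(review): presumably because it is treated as a BoringSSL
    dnl derivative by the consumers of this flag - confirm.
    AC_MSG_CHECKING([for AWS-LC])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
        ]],[[
        #ifndef OPENSSL_IS_AWSLC
        #error not AWS-LC
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="AWS-LC"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for LibreSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/opensslv.h>
      ]],[[
        int dummy = LIBRESSL_VERSION_NUMBER;
      ]])
    ],[
      AC_MSG_RESULT([yes])
      AC_DEFINE_UNQUOTED(HAVE_LIBRESSL, 1,
        [Define to 1 if using LibreSSL.])
      ssl_msg="LibreSSL"
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for OpenSSL >= v3])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/opensslv.h>
      ]],[[
        #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
        return 0;
        #else
        #error older than 3
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="OpenSSL v3+"
    ],[
      AC_MSG_RESULT([no])
    ])
  fi

  dnl is this OpenSSL (fork) providing the original QUIC API?
  dnl This probe is not guarded by OPENSSL_ENABLED; it runs whenever
  dnl --with-openssl was not "no".
  AC_CHECK_FUNCS([SSL_set_quic_use_legacy_codepoint],
                 [QUIC_ENABLED=yes])
  if test "$QUIC_ENABLED" = "yes"; then
    AC_MSG_NOTICE([OpenSSL fork speaks QUIC API])
  else
    AC_MSG_NOTICE([OpenSSL version does not speak QUIC API])
  fi

  if test "$OPENSSL_ENABLED" = "1"; then
    if test -n "$LIB_OPENSSL"; then
      dnl when the ssl shared libs were found in a path that the run-time
      dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
      dnl to prevent further configure tests to fail due to this
      if test "x$cross_compiling" != "xyes"; then
        dnl Append with a colon only when the variable already has content,
        dnl so an empty CURL_LIBRARY_PATH does not gain a leading empty
        dnl element.  Search-path consumers commonly read an empty element
        dnl as the current directory; how this variable is consumed is not
        dnl visible in this file.
        CURL_LIBRARY_PATH="${CURL_LIBRARY_PATH:+$CURL_LIBRARY_PATH:}$LIB_OPENSSL"
        export CURL_LIBRARY_PATH
        AC_MSG_NOTICE([Added $LIB_OPENSSL to CURL_LIBRARY_PATH])
      fi
    fi
    check_for_ca_bundle=1
    LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE openssl"
  fi

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl Hard stop: OpenSSL was asked for but none of the probes above enabled it.
if test X"$OPT_OPENSSL" != Xno &&
   test "$OPENSSL_ENABLED" != "1"; then
  AC_MSG_NOTICE([OPT_OPENSSL: $OPT_OPENSSL])
  AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
  AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi

dnl ---
dnl Detect optional SRP support in OpenSSL.
dnl The probe is link-only: the two calls are never executed, and a miss
dnl leaves HAVE_OPENSSL_SRP undefined instead of failing configure.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for SRP support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #include <openssl/ssl.h>
    ]],[[
      SSL_CTX_set_srp_username(NULL, "");
      SSL_CTX_set_srp_password(NULL, "");
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_OPENSSL_SRP, 1, [if you have the functions SSL_CTX_set_srp_username and SSL_CTX_set_srp_password])
    AC_SUBST(HAVE_OPENSSL_SRP, [1])
  ],[
    AC_MSG_RESULT([no])
  ])
fi

dnl ---
dnl Whether the OpenSSL configuration will be loaded automatically
dnl Only the --disable form has an effect here: it defines
dnl CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG.  With no option, or with the
dnl --enable form, nothing is defined.  Builds that must not pick up an
dnl OpenSSL configuration from the host should pass the --disable form.
dnl ---
if test X"$OPENSSL_ENABLED" = X"1"; then
  AC_ARG_ENABLE(openssl-auto-load-config,
AS_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
AS_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
  [ if test X"$enableval" = X"no"; then
      AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
      AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
    fi
  ])
fi

dnl ---
dnl We may use OpenSSL QUIC.
dnl The probe needs both the version gate to compile and
dnl OSSL_QUIC_client_method to link; it only records have_openssl_quic=1.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for QUIC support and OpenSSL >= 3.3])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #include <openssl/ssl.h>
    ]],[[
      #if (OPENSSL_VERSION_NUMBER < 0x30300000L)
      #error need at least version 3.3.0
      #endif
      OSSL_QUIC_client_method();
    ]])
  ],[
    AC_MSG_RESULT([yes])
    have_openssl_quic=1
  ],[
    AC_MSG_RESULT([no])
  ])
fi
])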