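#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************

# File version for 'aclocal' use. Keep it a single number.
# serial 5

dnl **********************************************************************
dnl Check for OpenSSL libraries and headers
dnl
dnl CURL_WITH_OPENSSL
dnl Reads OPT_OPENSSL: "no" skips detection, "yes" asks pkg-config for the
dnl default installation, any other value is used as an install prefix
dnl and is probed for lib/pkgconfig, lib64/pkgconfig and
dnl include/openssl/ssl.h. When OPT_OPENSSL is not "no" and detection
dnl fails, configure stops with an error.
dnl
dnl On success: OPENSSL_ENABLED=1, the SSL libraries are prepended to LIBS,
dnl CPPFLAGS and LDFLAGS are extended, USE_OPENSSL is defined when the
dnl openssl/ headers are found, ssl_msg names the detected flavour and is
dnl appended to ssl_backends, and check_for_ca_bundle=1 is set. The
dnl follow-up checks may define HAVE_LIBRESSL, HAVE_OPENSSL3,
dnl HAVE_OPENSSL_SRP, HAVE_OPENSSL_QUIC, RANDOM_FILE and
dnl CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG.
dnl **********************************************************************

AC_DEFUN([CURL_WITH_OPENSSL], [
if test "x$OPT_OPENSSL" != xno; then
  ssl_msg=

  dnl backup the pre-ssl variables
  CLEANLDFLAGS="$LDFLAGS"
  CLEANCPPFLAGS="$CPPFLAGS"
  CLEANLIBS="$LIBS"

  dnl This is for Msys/Mingw
  case $host in
    *-*-msys* | *-*-mingw*)
      AC_MSG_CHECKING([for gdi32])
      my_ac_save_LIBS=$LIBS
      LIBS="-lgdi32 $LIBS"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <windef.h>
        #include <wingdi.h>
        ]],
        [[
          GdiFlush();
        ]])],
        [ dnl worked!
        AC_MSG_RESULT([yes])],
        [ dnl failed, restore LIBS
        LIBS=$my_ac_save_LIBS
        AC_MSG_RESULT([no])]
        )
      ;;
  esac

  case "$OPT_OPENSSL" in
  yes)
    dnl --with-openssl (without path) used
    PKGTEST="yes"
    PREFIX_OPENSSL=
    ;;
  *)
    dnl check the given --with-openssl spot
    PKGTEST="no"
    PREFIX_OPENSSL=$OPT_OPENSSL

    dnl Try pkg-config even when cross-compiling.  Since we
    dnl specify PKG_CONFIG_LIBDIR we're only looking where
    dnl the user told us to look
    OPENSSL_PCDIR="$OPT_OPENSSL/lib/pkgconfig"
    if test -f "$OPENSSL_PCDIR/openssl.pc"; then
      AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
      PKGTEST="yes"
    fi

    if test "$PKGTEST" != "yes"; then
      # try lib64 instead
      OPENSSL_PCDIR="$OPT_OPENSSL/lib64/pkgconfig"
      if test -f "$OPENSSL_PCDIR/openssl.pc"; then
        AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
        PKGTEST="yes"
      fi
    fi

    if test "$PKGTEST" != "yes"; then
      if test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then
        AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-openssl prefix!])
      fi
    fi

    dnl in case pkg-config comes up empty, use what we got
    dnl via --with-openssl
    LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff"
    if test "$PREFIX_OPENSSL" != "/usr" ; then
      SSL_LDFLAGS="-L$LIB_OPENSSL"
      SSL_CPPFLAGS="-I$PREFIX_OPENSSL/include"
    fi
    ;;
  esac

  if test "$PKGTEST" = "yes"; then

    CURL_CHECK_PKGCONFIG(openssl, [$OPENSSL_PCDIR])

    if test "$PKGCONFIG" != "no" ; then
      SSL_LIBS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-l --libs-only-other openssl 2>/dev/null`

      SSL_LDFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-L openssl 2>/dev/null`

      SSL_CPPFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --cflags-only-I openssl 2>/dev/null`

      AC_SUBST(SSL_LIBS)
      AC_MSG_NOTICE([pkg-config: SSL_LIBS: "$SSL_LIBS"])
      AC_MSG_NOTICE([pkg-config: SSL_LDFLAGS: "$SSL_LDFLAGS"])
      AC_MSG_NOTICE([pkg-config: SSL_CPPFLAGS: "$SSL_CPPFLAGS"])

      dnl NOTE(review): only the leading -L is stripped. If pkg-config
      dnl reports more than one -L flag, LIB_OPENSSL holds the remaining
      dnl flags too, and that text later lands in CURL_LIBRARY_PATH.
      dnl Confirm single-directory output is the only case to support.
      LIB_OPENSSL=`echo $SSL_LDFLAGS | sed -e 's/^-L//'`

      dnl use the values pkg-config reported.  This is here
      dnl instead of below with CPPFLAGS and LDFLAGS because we only
      dnl learn about this via pkg-config.  If we only have
      dnl the argument to --with-openssl we don't know what
      dnl additional libs may be necessary.  Hope that we
      dnl don't need any.
      LIBS="$SSL_LIBS $LIBS"
    fi
  fi

  dnl finally, set flags to use SSL
  CPPFLAGS="$CPPFLAGS $SSL_CPPFLAGS"
  LDFLAGS="$LDFLAGS $SSL_LDFLAGS"

  AC_CHECK_LIB(crypto, HMAC_Update,[
    HAVECRYPTO="yes"
    LIBS="-lcrypto $LIBS"
    ],[
    if test -n "$LIB_OPENSSL" ; then
      LDFLAGS="$CLEANLDFLAGS -L$LIB_OPENSSL"
    fi
    # two separate tests: the -a operator of test is obsolescent and
    # ambiguous when an operand looks like an operator
    if test "$PKGCONFIG" = "no" && test -n "$PREFIX_OPENSSL"; then
      # only set this if pkg-config wasn't used
      CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include"
    fi
    # Linking previously failed, try extra paths from --with-openssl or
    # pkg-config.  Use a different function name to avoid reusing the earlier
    # cached result.
    AC_CHECK_LIB(crypto, HMAC_Init_ex,[
      HAVECRYPTO="yes"
      LIBS="-lcrypto $LIBS"], [

      dnl still no, but what about with -ldl?
      AC_MSG_CHECKING([OpenSSL linking with -ldl])
      LIBS="-lcrypto $CLEANLIBS -ldl"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <openssl/err.h>
      ]], [[
        ERR_clear_error();
      ]]) ],
      [
        AC_MSG_RESULT([yes])
        HAVECRYPTO="yes"
      ],
      [
        AC_MSG_RESULT([no])
        dnl ok, so what about both -ldl and -lpthread?
        dnl This may be necessary for static libraries.

        AC_MSG_CHECKING([OpenSSL linking with -ldl and -lpthread])
        LIBS="-lcrypto $CLEANLIBS -ldl -lpthread"
        AC_LINK_IFELSE([
          AC_LANG_PROGRAM([[
          #include <openssl/err.h>
        ]], [[
          ERR_clear_error();
        ]])],
        [
          AC_MSG_RESULT([yes])
          HAVECRYPTO="yes"
        ],
        [
          AC_MSG_RESULT([no])
          dnl nothing linked: undo every flag change made above
          LDFLAGS="$CLEANLDFLAGS"
          CPPFLAGS="$CLEANCPPFLAGS"
          LIBS="$CLEANLIBS"

        ])

      ])

    ])
  ])

  if test X"$HAVECRYPTO" = X"yes"; then
    dnl This is only reasonable to do if crypto actually is there: check for
    dnl SSL libs NOTE: it is important to do this AFTER the crypto lib

    AC_CHECK_LIB(ssl, SSL_connect)

    if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
      dnl we didn't find the SSL lib, try the RSAglue/rsaref stuff
      AC_MSG_CHECKING([for ssl with RSAglue/rsaref libs in use])
      OLIBS=$LIBS
      LIBS="-lRSAglue -lrsaref $LIBS"
      dnl NOTE(review): this repeats the library and function name of the
      dnl check above, so the cached result is presumably reused instead of
      dnl linking again. This branch also never reaches the header check
      dnl in the else branch below. Confirm whether the fallback is still
      dnl wanted.
      AC_CHECK_LIB(ssl, SSL_connect)
      if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
        dnl still no SSL_connect
        AC_MSG_RESULT([no])
        LIBS=$OLIBS
      else
        AC_MSG_RESULT([yes])
      fi

    else

      dnl Have the libraries--check for OpenSSL headers
      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
                       openssl/pem.h openssl/ssl.h openssl/err.h,
        ssl_msg="OpenSSL"
        test openssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        OPENSSL_ENABLED=1
        AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use]))

      dnl the cache variables are quoted so that an unset one compares as
      dnl an empty string instead of making test fail with a syntax error
      if test "$ac_cv_header_openssl_x509_h" = no; then
        dnl we don't use the "action" part of the AC_CHECK_HEADERS macro
        dnl since 'err.h' might in fact find a krb4 header with the same
        dnl name
        AC_CHECK_HEADERS(x509.h rsa.h crypto.h pem.h ssl.h err.h)

        if test "$ac_cv_header_x509_h" = yes &&
           test "$ac_cv_header_crypto_h" = yes &&
           test "$ac_cv_header_ssl_h" = yes; then
          dnl three matches
          ssl_msg="OpenSSL"
          OPENSSL_ENABLED=1
        fi
      fi
    fi

    if test X"$OPENSSL_ENABLED" != X"1"; then
      LIBS="$CLEANLIBS"
    fi

    if test X"$OPT_OPENSSL" != Xoff &&
       test "$OPENSSL_ENABLED" != "1"; then
      AC_MSG_ERROR([OpenSSL libs and/or directories were not found where specified!])
    fi
  fi

  if test X"$OPENSSL_ENABLED" = X"1"; then
    dnl These can only exist if OpenSSL exists
    dnl The four probes below run in order and each one that matches
    dnl overwrites ssl_msg, so the last match names the backend.

    AC_MSG_CHECKING([for BoringSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
      ]],[[
        #ifndef OPENSSL_IS_BORINGSSL
        #error not boringssl
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="BoringSSL"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for AWS-LC])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
      ]],[[
        #ifndef OPENSSL_IS_AWSLC
        #error not AWS-LC
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="AWS-LC"
      dnl NOTE(review): AWS-LC sets the BoringSSL marker too; presumably
      dnl deliberate so both forks share later handling - confirm
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for libressl])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
#include <openssl/opensslv.h>
      ]],[[
        int dummy = LIBRESSL_VERSION_NUMBER;
      ]])
    ],[
      AC_MSG_RESULT([yes])
      AC_DEFINE_UNQUOTED(HAVE_LIBRESSL, 1,
        [Define to 1 if using libressl.])
      ssl_msg="libressl"
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for OpenSSL >= v3])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
#include <openssl/opensslv.h>
      ]],[[
        #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
        return 0;
        #else
        #error older than 3
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1,
        [Define to 1 if using OpenSSL 3 or later.])
      ssl_msg="OpenSSL v3+"
    ],[
      AC_MSG_RESULT([no])
    ])
  fi

  dnl is this OpenSSL (fork) providing the original QUIC API?
  AC_CHECK_FUNCS([SSL_set_quic_use_legacy_codepoint],
                 [QUIC_ENABLED=yes])
  if test "$QUIC_ENABLED" = "yes"; then
    AC_MSG_NOTICE([OpenSSL fork speaks QUIC API])
  else
    AC_MSG_NOTICE([OpenSSL version does not speak QUIC API])
  fi

  if test "$OPENSSL_ENABLED" = "1"; then
    if test -n "$LIB_OPENSSL"; then
      dnl when the ssl shared libs were found in a path that the run-time
      dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
      dnl to prevent further configure tests to fail due to this
      if test "x$cross_compiling" != "xyes"; then
        dnl Join with a colon only when CURL_LIBRARY_PATH already has a
        dnl value. A leading colon creates an empty path element, and
        dnl run-time linkers commonly treat an empty element as the
        dnl current directory, which would let libraries in the build
        dnl directory be picked up by the configure test programs.
        CURL_LIBRARY_PATH="${CURL_LIBRARY_PATH:+$CURL_LIBRARY_PATH:}$LIB_OPENSSL"
        export CURL_LIBRARY_PATH
        AC_MSG_NOTICE([Added $LIB_OPENSSL to CURL_LIBRARY_PATH])
      fi
    fi
    check_for_ca_bundle=1
  fi

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

if test X"$OPT_OPENSSL" != Xno &&
  test "$OPENSSL_ENABLED" != "1"; then
  AC_MSG_NOTICE([OPT_OPENSSL: $OPT_OPENSSL])
  AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
  AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi

dnl **********************************************************************
dnl Check for the random seed preferences
dnl
dnl The chosen path is compiled into the build as RANDOM_FILE. It is
dnl taken verbatim from --with-random and is not checked for existence
dnl or for being a character device, so a packager passing a regular or
dnl predictable file would presumably weaken whatever seeding reads it.
dnl How RANDOM_FILE is consumed is not visible in this file.
dnl **********************************************************************

if test X"$OPENSSL_ENABLED" = X"1"; then
  dnl Check for user-specified random device
  AC_ARG_WITH(random,
  AS_HELP_STRING([--with-random=FILE],
                 [read randomness from FILE (default=/dev/urandom)]),
      [ RANDOM_FILE="$withval" ],
      [
        if test "x$cross_compiling" != "xyes"; then
          dnl Check for random device
          AC_CHECK_FILE("/dev/urandom", [ RANDOM_FILE="/dev/urandom"] )
        else
          AC_MSG_WARN([skipped the /dev/urandom detection when cross-compiling])
        fi
      ]
  )
  if test -n "$RANDOM_FILE" && test X"$RANDOM_FILE" != Xno ; then
    AC_SUBST(RANDOM_FILE)
    AC_DEFINE_UNQUOTED(RANDOM_FILE, "$RANDOM_FILE",
      [a suitable file to read random data from])
  fi
fi

dnl ---
dnl Detect SRP support in OpenSSL. This is a probe only: when the link
dnl test fails, HAVE_OPENSSL_SRP is left undefined and configure goes on.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for SRP support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
#include <openssl/ssl.h>
    ]],[[
      SSL_CTX_set_srp_username(NULL, "");
      SSL_CTX_set_srp_password(NULL, "");
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_OPENSSL_SRP, 1, [if you have the functions SSL_CTX_set_srp_username and SSL_CTX_set_srp_password])
    AC_SUBST(HAVE_OPENSSL_SRP, [1])
  ],[
    AC_MSG_RESULT([no])
  ])
fi

dnl ---
dnl Whether the OpenSSL configuration will be loaded automatically
dnl
dnl Automatic loading stays on unless --disable-openssl-auto-load-config
dnl is given. An OpenSSL configuration file can direct the library to
dnl load additional modules, so builds where that file may sit in a
dnl location writable by other users may want to disable it.
dnl ---
if test X"$OPENSSL_ENABLED" = X"1"; then
AC_ARG_ENABLE(openssl-auto-load-config,
AS_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
AS_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
[ if test X"$enableval" = X"no"; then
    AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
    AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
  fi
])
fi

dnl ---
dnl We may use OpenSSL QUIC.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for QUIC support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
#include <openssl/ssl.h>
    ]],[[
      OSSL_QUIC_client_method();
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_OPENSSL_QUIC, 1, [if you have the functions OSSL_QUIC_client_method])
    AC_SUBST(HAVE_OPENSSL_QUIC, [1])
  ],[
    AC_MSG_RESULT([no])
  ])
fi
])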