#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************

# File version for 'aclocal' use. Keep it a single number.
# serial 5

dnl **********************************************************************
dnl Check for OpenSSL libraries and headers
dnl
dnl CURL_WITH_OPENSSL takes no arguments and does nothing when OPT_OPENSSL
dnl is "no". Otherwise it:
dnl   1. saves LDFLAGS, LDFLAGSPC, CPPFLAGS and LIBS so they can be restored
dnl   2. locates OpenSSL through pkg-config or the --with-openssl prefix
dnl   3. link-tests libcrypto, then libssl, then looks for the headers
dnl   4. names the flavour: BoringSSL, AWS-LC, LibreSSL or OpenSSL v3+
dnl   5. probes optional features: legacy QUIC API, SRP, OpenSSL 3.3 QUIC
dnl
dnl Shell variables read: OPT_OPENSSL, host, libsuff, DEFAULT_SSL_BACKEND,
dnl cross_compiling, and PKGCONFIG (presumably set by CURL_CHECK_PKGCONFIG).
dnl
dnl Results: OPENSSL_ENABLED, ssl_msg appended to ssl_backends,
dnl OPENSSL_IS_BORINGSSL, QUIC_ENABLED, have_openssl_quic,
dnl check_for_ca_bundle, LIBCURL_PC_REQUIRES_PRIVATE, CURL_LIBRARY_PATH,
dnl VALID_DEFAULT_SSL_BACKEND, and the config.h symbols USE_OPENSSL,
dnl HAVE_LIBRESSL, HAVE_OPENSSL_SRP and
dnl CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG.
dnl
dnl Stops configure with AC_MSG_ERROR when the given prefix has neither an
dnl openssl.pc nor include/openssl/ssl.h, or when OpenSSL was asked for but
dnl could not be detected.
dnl **********************************************************************

AC_DEFUN([CURL_WITH_OPENSSL], [
if test "x$OPT_OPENSSL" != xno; then
  ssl_msg=

  dnl backup the pre-ssl variables
  CLEANLDFLAGS="$LDFLAGS"
  CLEANLDFLAGSPC="$LDFLAGSPC"
  CLEANCPPFLAGS="$CPPFLAGS"
  CLEANLIBS="$LIBS"

  dnl This is for MSYS/MinGW
  dnl -lgdi32 is prepended to LIBS and kept only if a GdiFlush link test
  dnl succeeds; on failure LIBS is put back.
  case $host in
    *-*-msys* | *-*-mingw*)
      AC_MSG_CHECKING([for gdi32])
      my_ac_save_LIBS=$LIBS
      LIBS="-lgdi32 $LIBS"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <windef.h>
        #include <wingdi.h>
        ]],
        [[
          GdiFlush();
        ]])],
        [ dnl worked!
        AC_MSG_RESULT([yes])],
        [ dnl failed, restore LIBS
        LIBS=$my_ac_save_LIBS
        AC_MSG_RESULT(no)]
        )
      ;;
  esac

  dnl Decide where to look. PKGTEST=yes means pkg-config gets queried;
  dnl PREFIX_OPENSSL is the user-supplied prefix, empty when none was given.
  case "$OPT_OPENSSL" in
  yes)
    dnl --with-openssl (without path) used
    PKGTEST="yes"
    PREFIX_OPENSSL=
    ;;
  *)
    dnl check the given --with-openssl spot
    PKGTEST="no"
    PREFIX_OPENSSL=$OPT_OPENSSL

    dnl Try pkg-config even when cross-compiling. Since we
    dnl specify PKG_CONFIG_LIBDIR we're only looking where
    dnl the user told us to look
    OPENSSL_PCDIR="$OPT_OPENSSL/lib/pkgconfig"
    if test -f "$OPENSSL_PCDIR/openssl.pc"; then
      AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
      PKGTEST="yes"
    fi

    if test "$PKGTEST" != "yes"; then
      # try lib64 instead
      OPENSSL_PCDIR="$OPT_OPENSSL/lib64/pkgconfig"
      if test -f "$OPENSSL_PCDIR/openssl.pc"; then
        AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
        PKGTEST="yes"
      fi
    fi

    dnl No openssl.pc under the prefix: the prefix must at least hold the
    dnl ssl.h header, otherwise configure stops here.
    if test "$PKGTEST" != "yes"; then
      if test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then
        AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-openssl prefix!])
      fi
    fi

    dnl in case pkg-config comes up empty, use what we got
    dnl via --with-openssl
    dnl No explicit -L or -I flag is added when the prefix is exactly /usr.
    LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff"
    if test "$PREFIX_OPENSSL" != "/usr" ; then
      SSL_LDFLAGS="-L$LIB_OPENSSL"
      SSL_CPPFLAGS="-I$PREFIX_OPENSSL/include"
    fi
    ;;
  esac

  if test "$PKGTEST" = "yes"; then

    CURL_CHECK_PKGCONFIG(openssl, [$OPENSSL_PCDIR])

    dnl Each pkg-config query below discards stderr, so a failing query
    dnl leaves its variable empty instead of stopping configure. The three
    dnl AC_MSG_NOTICE lines are the only trace of what was picked up.
    if test "$PKGCONFIG" != "no" ; then
      SSL_LIBS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-l --libs-only-other openssl 2>/dev/null`

      SSL_LDFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-L openssl 2>/dev/null`

      SSL_CPPFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --cflags-only-I openssl 2>/dev/null`

      AC_SUBST(SSL_LIBS)
      AC_MSG_NOTICE([pkg-config: SSL_LIBS: "$SSL_LIBS"])
      AC_MSG_NOTICE([pkg-config: SSL_LDFLAGS: "$SSL_LDFLAGS"])
      AC_MSG_NOTICE([pkg-config: SSL_CPPFLAGS: "$SSL_CPPFLAGS"])

      dnl Only a leading -L is stripped.
      dnl NOTE(review): if pkg-config reports more than one -L entry, the
      dnl later ones stay inside LIB_OPENSSL and end up in
      dnl CURL_LIBRARY_PATH further down - confirm this cannot happen.
      LIB_OPENSSL=`echo $SSL_LDFLAGS | sed -e 's/^-L//'`

      dnl use the values pkg-config reported. This is here
      dnl instead of below with CPPFLAGS and LDFLAGS because we only
      dnl learn about this via pkg-config. If we only have
      dnl the argument to --with-openssl we don't know what
      dnl additional libs may be necessary. Hope that we
      dnl don't need any.
      LIBS="$SSL_LIBS $LIBS"
    fi
  fi

  dnl finally, set flags to use SSL
  CPPFLAGS="$CPPFLAGS $SSL_CPPFLAGS"
  LDFLAGS="$LDFLAGS $SSL_LDFLAGS"
  LDFLAGSPC="$LDFLAGSPC $SSL_LDFLAGS"

  dnl libcrypto link test, tried in up to four configurations:
  dnl   a. HMAC_Update with the flags assembled above
  dnl   b. HMAC_Init_ex with LDFLAGS/CPPFLAGS rebuilt from the saved values
  dnl      plus LIB_OPENSSL and the prefix include directory
  dnl   c. ERR_clear_error with -lcrypto, the saved LIBS and -ldl
  dnl   d. the same with -ldl -lpthread
  dnl Steps c and d rebuild LIBS from CLEANLIBS, so anything pkg-config
  dnl added to LIBS is dropped there. If all four fail, LDFLAGS, LDFLAGSPC,
  dnl CPPFLAGS and LIBS go back to their saved values and HAVECRYPTO stays
  dnl unset.
  AC_CHECK_LIB(crypto, HMAC_Update,[
    HAVECRYPTO="yes"
    LIBS="-lcrypto $LIBS"
    ],[
    if test -n "$LIB_OPENSSL" ; then
      LDFLAGS="$CLEANLDFLAGS -L$LIB_OPENSSL"
      LDFLAGSPC="$CLEANLDFLAGSPC -L$LIB_OPENSSL"
    fi
    if test "$PKGCONFIG" = "no" -a -n "$PREFIX_OPENSSL" ; then
      # only set this if pkg-config wasn't used
      CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include"
    fi
    # Linking previously failed, try extra paths from --with-openssl or
    # pkg-config. Use a different function name to avoid reusing the earlier
    # cached result.
    AC_CHECK_LIB(crypto, HMAC_Init_ex,[
      HAVECRYPTO="yes"
      LIBS="-lcrypto $LIBS"], [

      dnl still no, but what about with -ldl?
      AC_MSG_CHECKING([OpenSSL linking with -ldl])
      LIBS="-lcrypto $CLEANLIBS -ldl"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <openssl/err.h>
      ]], [[
        ERR_clear_error();
      ]]) ],
      [
        AC_MSG_RESULT(yes)
        HAVECRYPTO="yes"
      ],
      [
        AC_MSG_RESULT(no)
        dnl ok, so what about both -ldl and -lpthread?
        dnl This may be necessary for static libraries.

        AC_MSG_CHECKING([OpenSSL linking with -ldl and -lpthread])
        LIBS="-lcrypto $CLEANLIBS -ldl -lpthread"
        AC_LINK_IFELSE([
          AC_LANG_PROGRAM([[
          #include <openssl/err.h>
        ]], [[
          ERR_clear_error();
        ]])],
        [
          AC_MSG_RESULT(yes)
          HAVECRYPTO="yes"
        ],
        [
          AC_MSG_RESULT(no)
          LDFLAGS="$CLEANLDFLAGS"
          LDFLAGSPC="$CLEANLDFLAGSPC"
          CPPFLAGS="$CLEANCPPFLAGS"
          LIBS="$CLEANLIBS"
        ])
      ])
    ])
  ])

  if test X"$HAVECRYPTO" = X"yes"; then
    dnl This is only reasonable to do if crypto actually is there: check for
    dnl SSL libs NOTE: it is important to do this AFTER the crypto lib

    AC_CHECK_LIB(ssl, SSL_connect)

    if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
      dnl we didn't find the SSL lib, try the RSAglue/rsaref stuff
      dnl Note that this branch never sets OPENSSL_ENABLED, even when the
      dnl retry finds SSL_connect; the header checks live in the else branch.
      AC_MSG_CHECKING(for ssl with RSAglue/rsaref libs in use);
      OLIBS=$LIBS
      LIBS="-lRSAglue -lrsaref $LIBS"
      AC_CHECK_LIB(ssl, SSL_connect)
      if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
        dnl still no SSL_connect
        AC_MSG_RESULT(no)
        LIBS=$OLIBS
      else
        AC_MSG_RESULT(yes)
      fi

    else

      dnl Have the libraries--check for OpenSSL headers
      dnl The action below runs for a header that is found: it marks OpenSSL
      dnl as enabled, defines USE_OPENSSL and accepts openssl as the default
      dnl backend name.
      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
                       openssl/pem.h openssl/ssl.h openssl/err.h,
        ssl_msg="OpenSSL"
        test openssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        OPENSSL_ENABLED=1
        AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use]))

      if test $ac_cv_header_openssl_x509_h = no; then
        dnl we don't use the "action" part of the AC_CHECK_HEADERS macro
        dnl since 'err.h' might in fact find a krb4 header with the same
        dnl name
        dnl NOTE(review): this fallback sets OPENSSL_ENABLED but, unlike the
        dnl check above, does not define USE_OPENSSL or touch
        dnl VALID_DEFAULT_SSL_BACKEND - confirm that is intended.
        AC_CHECK_HEADERS(x509.h rsa.h crypto.h pem.h ssl.h err.h)

        if test $ac_cv_header_x509_h = yes &&
           test $ac_cv_header_crypto_h = yes &&
           test $ac_cv_header_ssl_h = yes; then
          dnl three matches
          ssl_msg="OpenSSL"
          OPENSSL_ENABLED=1
        fi
      fi
    fi

    dnl Detection failed: drop every library added to LIBS above.
    if test X"$OPENSSL_ENABLED" != X"1"; then
      LIBS="$CLEANLIBS"
    fi

    dnl NOTE(review): this compares OPT_OPENSSL with "off" while the
    dnl enclosing guard compares it with "no". Inside this branch the value
    dnl is never "no", so the error fires on any detection failure unless
    dnl the value is literally "off" - confirm which spelling the caller
    dnl uses.
    if test X"$OPT_OPENSSL" != Xoff &&
       test "$OPENSSL_ENABLED" != "1"; then
      AC_MSG_ERROR([OpenSSL libs and/or directories were not found where specified!])
    fi
  fi

  if test X"$OPENSSL_ENABLED" = X"1"; then
    dnl These can only exist if OpenSSL exists
    dnl The four compile probes run in order and each success overwrites
    dnl ssl_msg, so the last probe that matches names the backend.

    AC_MSG_CHECKING([for BoringSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
      ]],[[
        #ifndef OPENSSL_IS_BORINGSSL
        #error not boringssl
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="BoringSSL"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    dnl AWS-LC is recorded in the same OPENSSL_IS_BORINGSSL shell variable
    dnl as BoringSSL; only ssl_msg tells the two apart here.
    AC_MSG_CHECKING([for AWS-LC])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
      ]],[[
        #ifndef OPENSSL_IS_AWSLC
        #error not AWS-LC
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="AWS-LC"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    dnl Compiles only when opensslv.h provides LIBRESSL_VERSION_NUMBER.
    AC_MSG_CHECKING([for LibreSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/opensslv.h>
      ]],[[
        int dummy = LIBRESSL_VERSION_NUMBER;
      ]])
    ],[
      AC_MSG_RESULT([yes])
      AC_DEFINE_UNQUOTED(HAVE_LIBRESSL, 1,
        [Define to 1 if using LibreSSL.])
      ssl_msg="LibreSSL"
    ],[
      AC_MSG_RESULT([no])
    ])

    dnl Compiles only when OPENSSL_VERSION_NUMBER is at least 0x30000000L.
    AC_MSG_CHECKING([for OpenSSL >= v3])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/opensslv.h>
      ]],[[
        #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
        return 0;
        #else
        #error older than 3
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="OpenSSL v3+"
    ],[
      AC_MSG_RESULT([no])
    ])
  fi

  dnl is this OpenSSL (fork) providing the original QUIC API?
  dnl This probe is not guarded by OPENSSL_ENABLED; it runs with whatever
  dnl LIBS holds at this point.
  AC_CHECK_FUNCS([SSL_set_quic_use_legacy_codepoint],
                 [QUIC_ENABLED=yes])
  if test "$QUIC_ENABLED" = "yes"; then
    AC_MSG_NOTICE([OpenSSL fork speaks QUIC API])
  else
    AC_MSG_NOTICE([OpenSSL version does not speak QUIC API])
  fi

  if test "$OPENSSL_ENABLED" = "1"; then
    if test -n "$LIB_OPENSSL"; then
      dnl when the ssl shared libs were found in a path that the run-time
      dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
      dnl to prevent further configure tests to fail due to this
      dnl
      dnl NOTE(review): when CURL_LIBRARY_PATH starts out empty the result
      dnl begins with a colon. If the consumer, which is not visible here,
      dnl copies it into a run-time library search path, an empty entry is
      dnl commonly treated as the current directory, so shared libraries in
      dnl the build directory could be picked up by later run tests. The
      dnl guard form already used for ssl_backends below would avoid that:
      dnl   "${CURL_LIBRARY_PATH:+$CURL_LIBRARY_PATH:}$LIB_OPENSSL"
      dnl Confirm against the consumer before changing it.
      if test "x$cross_compiling" != "xyes"; then
        CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$LIB_OPENSSL"
        export CURL_LIBRARY_PATH
        AC_MSG_NOTICE([Added $LIB_OPENSSL to CURL_LIBRARY_PATH])
      fi
    fi
    check_for_ca_bundle=1
    LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE openssl"
  fi

  dnl Append the detected name to the comma-separated ssl_backends list.
  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl Fail closed: when OpenSSL was asked for but OPENSSL_ENABLED is not 1,
dnl configure stops rather than continuing without it. The two notices
dnl print the values that led to the error.
if test X"$OPT_OPENSSL" != Xno &&
  test "$OPENSSL_ENABLED" != "1"; then
  AC_MSG_NOTICE([OPT_OPENSSL: $OPT_OPENSSL])
  AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
  AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi

dnl ---
dnl Probe for SRP support in OpenSSL.
dnl SRP is optional here: a failed link test only reports "no" and leaves
dnl HAVE_OPENSSL_SRP undefined, it does not stop configure.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for SRP support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #include <openssl/ssl.h>
    ]],[[
      SSL_CTX_set_srp_username(NULL, "");
      SSL_CTX_set_srp_password(NULL, "");
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_OPENSSL_SRP, 1, [if you have the functions SSL_CTX_set_srp_username and SSL_CTX_set_srp_password])
    AC_SUBST(HAVE_OPENSSL_SRP, [1])
  ],[
    AC_MSG_RESULT([no])
  ])
fi

dnl ---
dnl Whether the OpenSSL configuration will be loaded automatically
dnl
dnl Nothing is defined unless the option is explicitly disabled; only
dnl --disable-openssl-auto-load-config defines
dnl CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG.
dnl NOTE(review): a configuration file that is loaded automatically can
dnl change how the TLS library behaves at run time. Builds meant for
dnl systems where the location of that file may be writable by other users
dnl should consider the disable option - verify the default location for
dnl the target platform.
dnl ---
if test X"$OPENSSL_ENABLED" = X"1"; then
  AC_ARG_ENABLE(openssl-auto-load-config,
AS_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
AS_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
  [ if test X"$enableval" = X"no"; then
      AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
      AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
    fi
  ])
fi

dnl ---
dnl We may use OpenSSL QUIC.
dnl The link test passes only when OPENSSL_VERSION_NUMBER is at least
dnl 0x30300000L and OSSL_QUIC_client_method links; it then sets
dnl have_openssl_quic=1 and defines nothing in config.h itself.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for QUIC support and OpenSSL >= 3.3])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #include <openssl/ssl.h>
    ]],[[
      #if (OPENSSL_VERSION_NUMBER < 0x30300000L)
      #error need at least version 3.3.0
      #endif
      OSSL_QUIC_client_method();
    ]])
  ],[
    AC_MSG_RESULT([yes])
    have_openssl_quic=1
  ],[
    AC_MSG_RESULT([no])
  ])
fi
])