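#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************

# File version for 'aclocal' use. Keep it a single number.
# serial 5

dnl **********************************************************************
dnl Check for OpenSSL libraries and headers
dnl **********************************************************************
dnl
dnl CURL_WITH_OPENSSL
dnl -----------------
dnl Probes for an OpenSSL-compatible TLS library and records the result.
dnl
dnl Reads:  OPT_OPENSSL (no, off, yes or an install prefix), host, libsuff,
dnl         cross_compiling, DEFAULT_SSL_BACKEND, plus the current
dnl         CPPFLAGS, LDFLAGS, LDFLAGSPC and LIBS.
dnl Sets:   OPENSSL_ENABLED=1 and the USE_OPENSSL define when libcrypto,
dnl         libssl and the listed headers are all usable; ssl_msg and
dnl         ssl_backends; OPENSSL_IS_BORINGSSL; QUIC_ENABLED;
dnl         HAVE_OPENSSL_SRP; have_openssl_quic; check_for_ca_bundle;
dnl         LIBCURL_PC_REQUIRES_PRIVATE; CURL_LIBRARY_PATH.
dnl Aborts: with AC_MSG_ERROR when a given prefix holds neither openssl.pc
dnl         nor include/openssl/ssl.h, or when OpenSSL was asked for but
dnl         could not be detected.

AC_DEFUN([CURL_WITH_OPENSSL], [
if test "x$OPT_OPENSSL" != xno; then
  ssl_msg=

  dnl backup the pre-ssl variables
  CLEANLDFLAGS="$LDFLAGS"
  CLEANLDFLAGSPC="$LDFLAGSPC"
  CLEANCPPFLAGS="$CPPFLAGS"
  CLEANLIBS="$LIBS"

  dnl This is for MSYS/MinGW
  case $host in
    *-*-msys* | *-*-mingw*)
      AC_MSG_CHECKING([for gdi32])
      my_ac_save_LIBS=$LIBS
      LIBS="-lgdi32 $LIBS"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <windef.h>
        #include <wingdi.h>
        ]],
        [[
          GdiFlush();
        ]])],
        [ dnl worked!
        AC_MSG_RESULT([yes])],
        [ dnl failed, restore LIBS
        LIBS=$my_ac_save_LIBS
        AC_MSG_RESULT(no)]
        )
      ;;
  esac

  case "$OPT_OPENSSL" in
  yes)
    dnl --with-openssl (without path) used
    PKGTEST="yes"
    PREFIX_OPENSSL=
    ;;
  *)
    dnl check the given --with-openssl spot
    PKGTEST="no"
    PREFIX_OPENSSL=$OPT_OPENSSL

    dnl Try pkg-config even when cross-compiling. Since we
    dnl specify PKG_CONFIG_LIBDIR we're only looking where
    dnl the user told us to look
    OPENSSL_PCDIR="$OPT_OPENSSL/lib/pkgconfig"
    if test -f "$OPENSSL_PCDIR/openssl.pc"; then
      AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
      PKGTEST="yes"
    fi

    if test "$PKGTEST" != "yes"; then
      # try lib64 instead
      OPENSSL_PCDIR="$OPT_OPENSSL/lib64/pkgconfig"
      if test -f "$OPENSSL_PCDIR/openssl.pc"; then
        AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
        PKGTEST="yes"
      fi
    fi

    dnl No openssl.pc under the prefix: the prefix is only accepted when it
    dnl at least carries the ssl.h header, otherwise configure stops here.
    if test "$PKGTEST" != "yes"; then
      if test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then
        AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-openssl prefix!])
      fi
    fi

    dnl in case pkg-config comes up empty, use what we got
    dnl via --with-openssl
    LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff"
    if test "$PREFIX_OPENSSL" != "/usr" ; then
      SSL_LDFLAGS="-L$LIB_OPENSSL"
      SSL_CPPFLAGS="-I$PREFIX_OPENSSL/include"
    fi
    ;;
  esac

  if test "$PKGTEST" = "yes"; then

    CURL_CHECK_PKGCONFIG(openssl, [$OPENSSL_PCDIR])

    if test "$PKGCONFIG" != "no" ; then
      dnl pkg-config stderr is discarded below, so a failing query simply
      dnl leaves the variable empty; the notices that follow show what was
      dnl actually picked up.
      SSL_LIBS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-l --libs-only-other openssl 2>/dev/null`

      SSL_LDFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --libs-only-L openssl 2>/dev/null`

      SSL_CPPFLAGS=`CURL_EXPORT_PCDIR([$OPENSSL_PCDIR]) dnl
        $PKGCONFIG --cflags-only-I openssl 2>/dev/null`

      AC_MSG_NOTICE([pkg-config: SSL_LIBS: "$SSL_LIBS"])
      AC_MSG_NOTICE([pkg-config: SSL_LDFLAGS: "$SSL_LDFLAGS"])
      AC_MSG_NOTICE([pkg-config: SSL_CPPFLAGS: "$SSL_CPPFLAGS"])

      dnl NOTE(review): only a leading -L is stripped. If pkg-config ever
      dnl reports more than one -L entry, LIB_OPENSSL ends up holding
      dnl several tokens and is later reused as a single directory.
      LIB_OPENSSL=`echo $SSL_LDFLAGS | sed -e 's/^-L//'`

      dnl use the values pkg-config reported. This is here
      dnl instead of below with CPPFLAGS and LDFLAGS because we only
      dnl learn about this via pkg-config. If we only have
      dnl the argument to --with-openssl we don't know what
      dnl additional libs may be necessary. Hope that we
      dnl don't need any.
      LIBS="$SSL_LIBS $LIBS"
    fi
  fi

  dnl finally, set flags to use SSL
  CPPFLAGS="$CPPFLAGS $SSL_CPPFLAGS"
  LDFLAGS="$LDFLAGS $SSL_LDFLAGS"
  LDFLAGSPC="$LDFLAGSPC $SSL_LDFLAGS"

  AC_CHECK_LIB(crypto, HMAC_Update,[
    HAVECRYPTO="yes"
    LIBS="-lcrypto $LIBS"
    ],[
    if test -n "$LIB_OPENSSL" ; then
      LDFLAGS="$CLEANLDFLAGS -L$LIB_OPENSSL"
      LDFLAGSPC="$CLEANLDFLAGSPC -L$LIB_OPENSSL"
    fi
    # Two separate test invocations: the -a operator of test is obsolescent
    # and not handled the same way by every shell.
    if test "$PKGCONFIG" = "no" && test -n "$PREFIX_OPENSSL" ; then
      # only set this if pkg-config wasn't used
      CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include"
    fi
    # Linking previously failed, try extra paths from --with-openssl or
    # pkg-config. Use a different function name to avoid reusing the earlier
    # cached result.
    AC_CHECK_LIB(crypto, HMAC_Init_ex,[
      HAVECRYPTO="yes"
      LIBS="-lcrypto $LIBS"], [

      dnl still no, but what about with -ldl?
      AC_MSG_CHECKING([OpenSSL linking with -ldl])
      LIBS="-lcrypto $CLEANLIBS -ldl"
      AC_LINK_IFELSE([ AC_LANG_PROGRAM([[
        #include <openssl/err.h>
      ]], [[
        ERR_clear_error();
      ]]) ],
      [
        AC_MSG_RESULT(yes)
        HAVECRYPTO="yes"
      ],
      [
        AC_MSG_RESULT(no)
        dnl ok, so what about both -ldl and -lpthread?
        dnl This may be necessary for static libraries.

        AC_MSG_CHECKING([OpenSSL linking with -ldl and -lpthread])
        LIBS="-lcrypto $CLEANLIBS -ldl -lpthread"
        AC_LINK_IFELSE([
          AC_LANG_PROGRAM([[
          #include <openssl/err.h>
        ]], [[
          ERR_clear_error();
        ]])],
        [
          AC_MSG_RESULT(yes)
          HAVECRYPTO="yes"
        ],
        [
          AC_MSG_RESULT(no)
          dnl every attempt failed: put back the flags saved at the top
          LDFLAGS="$CLEANLDFLAGS"
          LDFLAGSPC="$CLEANLDFLAGSPC"
          CPPFLAGS="$CLEANCPPFLAGS"
          LIBS="$CLEANLIBS"
        ])
      ])
    ])
  ])

  if test X"$HAVECRYPTO" = X"yes"; then
    dnl This is only reasonable to do if crypto actually is there: check for
    dnl SSL libs NOTE: it is important to do this AFTER the crypto lib

    AC_CHECK_LIB(ssl, SSL_connect)

    if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
      dnl we didn't find the SSL lib, try the RSAglue/rsaref stuff
      dnl NOTE(review): the retry below asks for the same library and
      dnl function as the probe above, so it may be answered from the
      dnl configure cache instead of being linked again; the crypto probe
      dnl earlier switches function names for exactly that reason. Also,
      dnl the header check lives in the else branch, so even a successful
      dnl retry leaves OPENSSL_ENABLED unset.
      AC_MSG_CHECKING(for ssl with RSAglue/rsaref libs in use);
      OLIBS=$LIBS
      LIBS="-lRSAglue -lrsaref $LIBS"
      AC_CHECK_LIB(ssl, SSL_connect)
      if test "$ac_cv_lib_ssl_SSL_connect" != yes; then
        dnl still no SSL_connect
        AC_MSG_RESULT(no)
        LIBS=$OLIBS
      else
        AC_MSG_RESULT(yes)
      fi

    else

      dnl Have the libraries--check for OpenSSL headers
      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
                       openssl/pem.h openssl/ssl.h openssl/err.h,
        ssl_msg="OpenSSL"
        test openssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
        OPENSSL_ENABLED=1
        AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use]))
    fi

    if test X"$OPENSSL_ENABLED" != X"1"; then
      LIBS="$CLEANLIBS"
    fi

    if test X"$OPT_OPENSSL" != Xoff &&
       test "$OPENSSL_ENABLED" != "1"; then
      AC_MSG_ERROR([OpenSSL libs and/or directories were not found where specified!])
    fi
  fi

  if test X"$OPENSSL_ENABLED" = X"1"; then
    dnl These can only exist if OpenSSL exists
    dnl The four probes below run in order and each match overwrites
    dnl ssl_msg, so the last matching probe decides the reported name.

    AC_MSG_CHECKING([for BoringSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
      ]],[[
        #ifndef OPENSSL_IS_BORINGSSL
        #error not boringssl
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="BoringSSL"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    dnl AWS-LC is flagged with the same shell variable as BoringSSL
    AC_MSG_CHECKING([for AWS-LC])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/base.h>
      ]],[[
        #ifndef OPENSSL_IS_AWSLC
        #error not AWS-LC
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="AWS-LC"
      OPENSSL_IS_BORINGSSL=1
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for LibreSSL])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/opensslv.h>
      ]],[[
        int dummy = LIBRESSL_VERSION_NUMBER;
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="LibreSSL"
    ],[
      AC_MSG_RESULT([no])
    ])

    AC_MSG_CHECKING([for OpenSSL >= v3])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
        #include <openssl/opensslv.h>
      ]],[[
        #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
        return 0;
        #else
        #error older than 3
        #endif
      ]])
    ],[
      AC_MSG_RESULT([yes])
      ssl_msg="OpenSSL v3+"
    ],[
      AC_MSG_RESULT([no])
    ])
  fi

  dnl is this OpenSSL (fork) providing the original QUIC API?
  AC_CHECK_FUNCS([SSL_set_quic_use_legacy_codepoint],
                 [QUIC_ENABLED=yes])
  if test "$QUIC_ENABLED" = "yes"; then
    AC_MSG_NOTICE([OpenSSL fork speaks QUIC API])
  else
    AC_MSG_NOTICE([OpenSSL version does not speak QUIC API])
  fi

  if test "$OPENSSL_ENABLED" = "1"; then
    if test -n "$LIB_OPENSSL"; then
      dnl when the ssl shared libs were found in a path that the run-time
      dnl linker doesn't search through, we need to add it to CURL_LIBRARY_PATH
      dnl to prevent further configure tests to fail due to this
      dnl NOTE(review): if CURL_LIBRARY_PATH starts out empty this yields a
      dnl leading colon, which is an empty path element. Run-time linkers
      dnl commonly read an empty element as the current directory, so
      dnl confirm how the consumer of this variable builds its search path.
      if test "x$cross_compiling" != "xyes"; then
        CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$LIB_OPENSSL"
        export CURL_LIBRARY_PATH
        AC_MSG_NOTICE([Added $LIB_OPENSSL to CURL_LIBRARY_PATH])
      fi
    fi
    check_for_ca_bundle=1
    LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE openssl"
  fi

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl Last line of defence: OpenSSL was not switched off, yet nothing above
dnl managed to enable it. Print what was asked for and stop.
if test X"$OPT_OPENSSL" != Xno &&
  test "$OPENSSL_ENABLED" != "1"; then
  AC_MSG_NOTICE([OPT_OPENSSL: $OPT_OPENSSL])
  AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
  AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi

dnl ---
dnl Check whether this OpenSSL offers the SRP functions. A missing SRP API
dnl is reported as "no" and only leaves HAVE_OPENSSL_SRP undefined; it does
dnl not stop configure.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for SRP support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #include <openssl/ssl.h>
    ]],[[
      SSL_CTX_set_srp_username(NULL, "");
      SSL_CTX_set_srp_password(NULL, "");
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_OPENSSL_SRP, 1, [if you have the functions SSL_CTX_set_srp_username and SSL_CTX_set_srp_password])
    HAVE_OPENSSL_SRP=1
  ],[
    AC_MSG_RESULT([no])
  ])
fi

dnl ---
dnl Whether the OpenSSL configuration will be loaded automatically
dnl
dnl The define is only emitted for --disable-openssl-auto-load-config, so
dnl automatic loading stays on unless the builder opts out.
dnl NOTE(review): with automatic loading on, the TLS library reads its own
dnl configuration file at start-up. Packagers should verify that the
dnl directory the library was built to read it from is not writable by
dnl unprivileged users, or pass the disable switch.
dnl ---
if test X"$OPENSSL_ENABLED" = X"1"; then
  AC_ARG_ENABLE(openssl-auto-load-config,
AS_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
AS_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
  [ if test X"$enableval" = X"no"; then
    AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
    AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
  fi
  ])
fi

dnl ---
dnl We may use OpenSSL QUIC.
dnl The probe needs both a version number of at least 3.3.0 and a linkable
dnl OSSL_QUIC_client_method; the result is kept in have_openssl_quic.
dnl ---
if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for QUIC support and OpenSSL >= 3.3])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
      #include <openssl/ssl.h>
    ]],[[
      #if (OPENSSL_VERSION_NUMBER < 0x30300000L)
      #error need at least version 3.3.0
      #endif
      OSSL_QUIC_client_method();
    ]])
  ],[
    AC_MSG_RESULT([yes])
    have_openssl_quic=1
  ],[
    AC_MSG_RESULT([no])
  ])
fi
])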