diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 13:14:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 13:14:46 +0000 |
commit | 025c439e829e0db9ac511cd9c1b8d5fd53475ead (patch) | |
tree | fa6986b4690f991613ffb97cea1f6942427baf5d /m4/openssl.m4 | |
parent | Initial commit. (diff) | |
download | sudo-upstream/1.9.15p5.tar.xz sudo-upstream/1.9.15p5.zip |
Adding upstream version 1.9.15p5.upstream/1.9.15p5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | m4/openssl.m4 | 309 |
1 files changed, 309 insertions, 0 deletions
diff --git a/m4/openssl.m4 b/m4/openssl.m4 new file mode 100644 index 0000000..6c2d6a6 --- /dev/null +++ b/m4/openssl.m4 @@ -0,0 +1,309 @@ +AC_DEFUN([SUDO_CHECK_OPENSSL], [ + openssl_missing=no + if test "${enable_openssl-no}" != no; then + # Use pkg-config to find the openssl cflags and libs if possible. + if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then + PKG_CONFIG_LIBDIR= + for d in ${enable_openssl}/*/pkgconfig; do + if test -d "$d"; then + PKG_CONFIG_LIBDIR="$PKG_CONFIG_LIBDIR:$d" + fi + done + if test -n "$PKG_CONFIG_LIBDIR"; then + PKG_CONFIG_LIBDIR=${PKG_CONFIG_LIBDIR#:} + export PKG_CONFIG_LIBDIR + fi + elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then + # Cannot use pkg-config when cross-compiling + PKG_CONFIG=false + fi + : ${PKG_CONFIG='pkg-config'} + pkg_openssl=`printf $enable_openssl_pkgconfig_template "openssl"` + pkg_libcrypto=lib`printf $enable_openssl_pkgconfig_template "crypto"` + if $PKG_CONFIG --exists "$pkg_openssl >= 1.0.1" >/dev/null 2>&1; then + AC_DEFINE(HAVE_OPENSSL) + if test "$enable_openssl" = "maybe"; then + enable_openssl=yes + fi + + # Check whether --static is needed (don't assume name of ssl lib) + # There may be dependent libraries or -pthread. + O_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L $pkg_openssl`" + libssl="`$PKG_CONFIG --libs-only-l $pkg_openssl | sed 's/^ *-l//'`" + libssl_extra="`echo $libssl | sed 's/^[[^ ]]* *//'`" + libssl="`echo $libssl | sed 's/ .*//'`" + AC_CHECK_LIB([$libssl], [SSL_new], [STATIC=""], [STATIC="--static"], [$libssl_extra]) + LDFLAGS="$O_LDFLAGS" + + # Use pkg-config to determine OpenSSL libs and cflags + for f in `$PKG_CONFIG $STATIC --libs $pkg_openssl`; do + case "$f" in + -L*) + f="${f#-L}" + SUDO_APPEND_LIBPATH([LIBTLS], [$f]) + ;; + *) + # Do not use AX_APPEND_FLAG as it will break static builds by removing + # duplicates such as -lz or -latomic which are needed by -lssl and -lcrypto + LIBTLS="$LIBTLS $f" + ;; + esac + done + if $PKG_CONFIG --exists $pkg_libcrypto >/dev/null 2>&1; then + # Use OpenSSL's sha2 functions if possible (don't assume name of crypto) + O_LDFLAGS="$LDFLAGS" + libcrypto= + libcrypto_extra= + for f in `$PKG_CONFIG $STATIC --libs $pkg_libcrypto`; do + case "$f" in + -l*) + if test -z "$libcrypto"; then + libcrypto="${f#-l}" + else + libcrypto_extra="$libcrypto_extra $f" + fi + ;; + *) + AX_APPEND_FLAG([$f], [LDFLAGS]) + ;; + esac + done + AC_CHECK_LIB([$libcrypto], [EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [$libcrypto_extra]) + LDFLAGS="$O_LDFLAGS" + + # Use pkg-config to determine libcrypto libs and cflags + for f in `$PKG_CONFIG $STATIC --libs $pkg_libcrypto`; do + case "$f" in + -L*) + f="${f#-L}" + SUDO_APPEND_LIBPATH([LIBCRYPTO], [$f]) + ;; + *) + AX_APPEND_FLAG([$f], [LIBCRYPTO]) + ;; + esac + done + else + # No separate pkg config for libcrypto + LIBCRYPTO="$LIBTLS" + LIBCRYPTO_R="$LIBTLS_R" + fi + for f in `$PKG_CONFIG --cflags-only-I $pkg_openssl`; do + AX_APPEND_FLAG([$f], [CPPFLAGS]) + done + else + # No pkg-config file present, try to do it manually + O_LDFLAGS="$LDFLAGS" + if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then + SUDO_APPEND_LIBPATH(LDFLAGS, [${enable_openssl}/lib]) + fi + AC_CHECK_LIB([ssl], [SSL_new], [ + # Check OPENSSL_VERSION_NUMBER in headers + O_CPPFLAGS="$CPPFLAGS" + if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then + # Note: we only reset CPPFLAGS on failure + AX_APPEND_FLAG([-I${enable_openssl}/include], [CPPFLAGS]) + fi + AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <openssl/opensslv.h> +#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x1000100fL +#error "OpenSSL too old" +#endif + ]])], [ + # OpenSSL >= 1.0.1 detected, use it. + AC_DEFINE(HAVE_OPENSSL) + if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then + SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_openssl}/lib]) + SUDO_APPEND_LIBPATH(LIBTLS, [${enable_openssl}/lib]) + else + enable_openssl=yes + fi + LIBCRYPTO="${LIBCRYPTO} -lcrypto" + LIBTLS="${LIBTLS} -lssl -lcrypto" + + # Use OpenSSL's sha2 functions if possible + AC_CHECK_LIB([crypto], [EVP_MD_CTX_new], [ + DIGEST=digest_openssl.lo + ]) + ], [ + # OpenSSL < 1.0.1 detected, ignore it. + if test "$enable_openssl" = "maybe"; then + AC_MSG_WARN([OpenSSL too old (1.0.1 or higher required), Sudo logsrv connections will not be encrypted.]) + openssl_missing=yes + enable_openssl=no + else + AC_MSG_ERROR([OpenSSL too old (1.0.1 or higher required).]) + fi + CPPFLAGS="$O_CPPFLAGS" + ]) + ], [ + if test "$enable_openssl" = "maybe"; then + openssl_missing=yes + enable_openssl=no + else + AC_MSG_ERROR([OpenSSL development libraries not found.]) + fi + ], [-lcrypto]) + LDFLAGS="$O_LDFLAGS" + fi + if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then + unset PKG_CONFIG_LIBDIR + fi + fi + # + # Note that enable_openssl may be reset above. + # + if test "${enable_openssl-no}" != no; then + OLIBS="$LIBS" + LIBS="$LIBS $LIBTLS" + AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate SSL_CTX_set0_tmp_dh_pkey TLS_method]) + # SSL_CTX_set_min_proto_version may be a macro + AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [ + AC_INCLUDES_DEFAULT + #include <openssl/ssl.h> + ]) + AC_CHECK_FUNCS([SSL_read_ex], [], [ + SSL_COMPAT_SRC=lib/ssl_compat + ]) + # LibreSSL TLS 1.3 support may not be enabled, check for declaration too. + AC_CHECK_FUNC([SSL_CTX_set_ciphersuites], [ + AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [ + AC_INCLUDES_DEFAULT + #include <openssl/ssl.h> + ]) + ]) + LIBS="$OLIBS" + elif test "${enable_wolfssl-no}" != no; then + # Check for OpenSSL compatibility functions in wolfSSL. + # Use pkg-config to find the wolfssl cflags and libs if possible. + if test "$enable_wolfssl" != "yes"; then + PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig" + export PKG_CONFIG_LIBDIR + elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then + # Cannot use pkg-config when cross-compiling + PKG_CONFIG=false + fi + : ${PKG_CONFIG='pkg-config'} + if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then + AC_DEFINE(HAVE_OPENSSL) + AC_DEFINE(HAVE_WOLFSSL) + + O_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`" + O_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`" + + # Check whether --static is needed + libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`" + libssl_extra=`echo $libssl | sed 's/^[[^ ]]* *//'` + libssl=`echo $libssl | sed 's/ .*//'` + AC_CHECK_LIB([$libssl], [wolfSSL_new], [STATIC=""], [STATIC="--static"], [$libssl_extra]) + + # Use wolfSSL's sha2 functions if possible + AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/evp.h> + ]) + CPPFLAGS="$O_CPPFLAGS" + LDFLAGS="$O_LDFLAGS" + + # Use pkg-config to determine wolfSSL libs and cflags + for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do + case "$f" in + -L*) + f="${f#-L}" + SUDO_APPEND_LIBPATH([LIBTLS], [$f]) + ;; + *) + AX_APPEND_FLAG([$f], [LIBTLS]) + ;; + esac + done + # No separate pkg config for libcrypto + LIBCRYPTO="$LIBTLS" + LIBCRYPTO_R="$LIBTLS_R" + for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do + AX_APPEND_FLAG([$f], [CPPFLAGS]) + # So we find the openssl compat headers under wolfssl + AX_APPEND_FLAG([$f/wolfssl], [CPPFLAGS]) + done + if test "$CPPFLAGS" = "$O_CPPFLAGS"; then + # So we find the openssl compat headers under wolfssl (XXX) + AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS]) + fi + else + AC_DEFINE(HAVE_OPENSSL) + AC_DEFINE(HAVE_WOLFSSL) + + # No pkg-config file present, try to do it manually + if test "$enable_wolfssl" != "yes"; then + SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_wolfssl}/lib]) + SUDO_APPEND_LIBPATH(LIBTLS, [${enable_wolfssl}/lib]) + AX_APPEND_FLAG([-I${enable_wolfssl}/include], [CPPFLAGS]) + # So we find the openssl compat headers under wolfssl + AX_APPEND_FLAG([-I${enable_wolfssl}/include/wolfssl], [CPPFLAGS]) + else + # So we find the openssl compat headers under wolfssl (XXX) + AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS]) + fi + LIBTLS="${LIBTLS} -lwolfssl" + LIBCRYPTO="${LIBCRYPTO} -lwolfssl" + + # Use wolfSSL's sha2 functions if possible + AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/evp.h> + ]) + fi + dnl + dnl Check for specific OpenSSL API compatibility macros + dnl + AC_CHECK_DECL([X509_STORE_CTX_get0_cert], [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/x509.h> + ]) + AC_CHECK_DECL([ASN1_STRING_get0_data], [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/asn1.h> + ]) + AC_CHECK_DECL([SSL_CTX_get0_certificate], [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/ssl.h> + ]) + AC_CHECK_DECL([SSL_CTX_set0_tmp_dh_pkey], [AC_DEFINE(HAVE_SSL_CTX_SET0_TMP_DH_PKEY)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/ssl.h> + ]) + AC_CHECK_DECL([TLS_method], [AC_DEFINE(HAVE_TLS_METHOD)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/ssl.h> + ]) + AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/ssl.h> + ]) + AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/ssl.h> + ]) + AC_CHECK_DECL([SSL_read_ex], [AC_DEFINE(HAVE_SSL_READ_EX)], [ + SSL_COMPAT_SRC=lib/ssl_compat + ], [ + AC_INCLUDES_DEFAULT + #include <wolfssl/options.h> + #include <wolfssl/openssl/ssl.h> + ]) + fi + if test -n "$SSL_COMPAT_SRC"; then + LIBTLS='$(top_builddir)/lib/ssl_compat/libssl_compat.la '"${LIBTLS}" + fi +]) |