Hi all,

Thanks to those who replied to my earlier post on this subject, especially Madhu. Here's the next incarnation of the patch based on that feedback and some ferreting of my own.

Patch notes;
- This now probes for sslc.h to distinguish between OpenSSL and SSL-C.
- Existing version checking only made sense for OpenSSL so is now only done for OpenSSL.
- The version "error" is now just a warning.
- HAVE_OPENSSL and HAVE_SSLC are set up from these tests so that modules/ssl/ code can be clearer and less ambiguous.
- Libraries are now checked by AC_CHECK_LIB instead of AC_TRY_LINK as in my previous patch. This lets autoconf/automake deal with adding the appropriate "-lssl -lcrypto" linker flags, so this should be a little more portable.
- Inclusion of openssl or ssl-c headers now takes place in ssl_toolkit_compat.h instead of mod_ssl.h. This results in cleaner handling of the [HAVE|NO]_SSL_X509V3_H stuff for SSL-C (and which isn't relevant for OpenSSL at all). Also, paths are now correct for headers, so an installed version of OpenSSL or SSL-C will be usable as-is without needing any -I flags generated from the configure script.

Questions for apache gurus/code-reviewers;
- AC_CHECK_HEADERS() appears difficult to coax into accepting additional include paths, so if "--with-ssl=<path>" is specified there appears no obvious way to have AC_CHECK_HEADERS() pick up those headers (particularly if versions exist in system locations too and we want autoconf's tests to find the <path> versions in preference to any auto-detectable ones). I've left some comments in the acinclude.m4 changes about this. For now, I've made do with adding "-I<...>" to CFLAGS prior to AC_TRY_COMPILE, but I'm sure autoconf intended some other way of handling this. For one thing, is "-I" actually portable anyway? The existing code depends utterly on it but it would be nice to do away with it altogether.
- My changes use autoconf tests for openssl/ssl-c headers and libraries (existing code just looks for files but doesn't actually try to use them). As a result, linker flags like -ldl, -lsocket, -lnsl, -ldld, etc. are needed in advance of these tests. I've added the obvious ones I know about so that this patch can be tested as-is, but ideally Apache's builtin tests (which are obviously OK because Apache links fine) should occur before the AC_CHECK_LIB()s for "ssl" and "crypto". See "Step 3" of my changes to acinclude.m4.
- The adjustments made to LDFLAGS at the end of the testing have been written to try and match the existing stuff, but I don't confess to knowing what the significance of $ap_platform_runtime_link_flag is, so I'm working blind there.
- I'm tagging "-DHAVE_OPENSSL" or "-DHAVE_SSLC" directly onto CFLAGS rather than using anything like AC_DEFINE because the latter possibility would require HAVE_OPENSSL and HAVE_SSLC to be stubbed into an appropriate "something.h.in" file. If you prefer not to have such stuff polluting CFLAGS then please suggest an appropriate ".in" file for me to hook into.

Note that (I think) the problems of relying on syntax like "-I", "-L", etc. all apply to the existing code anyway, so they're more questions of style than whether my changes will work. The only things I can think of that my changes may break are that I've dumped the builtin paths for searching for headers and libraries and instead let autoconf probes (combined with --with-ssl=<path>) find whatever they find. In other words, perhaps some people might have been relying on the unconventional anti-autoconf nature of the existing checks that my changes remove?

Any/all feedback most welcome.

Cheers,
Geoff

--
Geoff Thorpe [EMAIL PROTECTED] http://www.geoffthorpe.net/
Index: acinclude.m4 =================================================================== RCS file: /home/cvspublic/httpd-2.0/acinclude.m4,v retrieving revision 1.136 diff -u -r1.136 acinclude.m4 --- acinclude.m4 17 Feb 2003 02:32:19 -0000 1.136 +++ acinclude.m4 4 Mar 2003 23:00:03 -0000 @@ -312,7 +312,7 @@ ]) dnl -dnl APACHE_CHECK_SSL_TOOLKIT +dnl APACHE_CHECK_SSL_TOOLKIT (old version) dnl dnl Find the openssl toolkit installation and check it for the right dnl version, then add its flags to INCLUDES and LIBS. This should @@ -320,7 +320,7 @@ dnl and then AC_TRY_LINK to test the libraries directly for the version, dnl but that will require someone who knows how to program openssl. dnl -AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ +AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT_OLD,[ if test "x$ap_ssltk_base" = "x"; then AC_MSG_CHECKING(for SSL/TLS toolkit base) ap_ssltk_base="" 
@@ -421,6 +421,140 @@ fi APR_ADDTO(LIBS, [-lssl -lcrypto]) ap_cv_ssltk="$ap_ssltk_base" +fi +]) + +dnl +dnl APACHE_CHECK_SSL_TOOLKIT (new version) +dnl +dnl Configure for the detected openssl/ssl-c toolkit installation, giving +dnl preference to "--with-ssl=<path>" if it was specified. +dnl +AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ +if test "x$ap_ssltk_configured" = "x"; then + dnl initialise the variables we use + ap_ssltk_base="" + ap_ssltk_inc="" + ap_ssltk_lib="" + ap_ssltk_type="" + + dnl Step 1: base directory, if any + AC_MSG_CHECKING(for SSL/TLS toolkit base) + AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,SSL/TLS toolkit), [ + dnl If --with-ssl specifies a directory, we use that directory or fail + if test "x$withval" != "xyes" -a "x$withval" != "x"; then + dnl This ensures $withval is actually a directory and that it is absolute + ap_ssltk_base="`cd $withval ; pwd`" + fi + ]) + if test "x$ap_ssltk_base" = "x"; then + AC_MSG_RESULT(none) + else + AC_MSG_RESULT($ap_ssltk_base) + fi + + dnl Step 2: run header checks + dnl notes: I've tried a few things to do this via AC_CHECK_HEADERS, but it + dnl seems that even if I assume gcc (which I can't) and I follow its + dnl documented support for CPATH and/or C_INCLUDE_PATH (which I wouldn't be + dnl able to in general), AC_CHECK_HEADER() still won't locate SSL headers + dnl inside the added paths. In the face of this, I'm resorting to CFLAGS and + dnl AC_TRY_COMPILE. 
+ saved_CFLAGS=$CFLAGS + if test "x$ap_ssltk_base" != "x"; then + ap_ssltk_inc="-I$ap_ssltk_base/include" + CFLAGS="$CFLAGS $ap_ssltk_inc" + fi + AC_MSG_CHECKING(for SSL-C headers) + AC_TRY_COMPILE([#include <sslc.h>], + [SSL_CTX *ctx = SSL_CTX_new((void *)0);], + [AC_MSG_RESULT(yes) + ap_ssltk_type="sslc"], + [AC_MSG_RESULT(no)]) + if test "x$ap_ssltk_type" = "x"; then + AC_MSG_CHECKING(for OpenSSL headers) + AC_TRY_COMPILE( +[#include <openssl/opensslv.h> +#include <openssl/ssl.h>], + [SSL_CTX *ctx = SSL_CTX_new((void *)0);], + [AC_MSG_RESULT(yes) + ap_ssltk_type="openssl"], + [AC_MSG_RESULT(no)]) + fi + if test "x$ap_ssltk_type" = "x"; then + AC_MSG_ERROR([SSL/TLS headers aren't available]) + fi + dnl restore + CFLAGS=$saved_CFLAGS + + dnl Step 3: linker pre-requisites + AC_CHECK_LIB(dl, dlopen) dnl Linux and friends + AC_CHECK_LIB(dld, shl_load) dnl HPUX (has no friends) + AC_CHECK_LIB(nsl, gethostent) + AC_CHECK_LIB(socket, socket) + + dnl Step 4: library checks + saved_LDFLAGS=$LDFLAGS + if test "x$ap_ssltk_base" != "x"; then + if test -d "$ap_ssltk_base/lib"; then + ap_ssltk_lib="$ap_ssltk_base/lib" + else + ap_ssltk_lib="$ap_ssltk_base" + fi + LDFLAGS="$LDFLAGS -L$ap_ssltk_lib" + fi + AC_CHECK_LIB(crypto, SSLeay_version) + AC_CHECK_LIB(ssl, SSL_CTX_new) + dnl restore + LDFLAGS=$saved_LDFLAGS + + dnl Step 5: run version checks + if test "$ap_ssltk_type" = "openssl"; then + saved_CFLAGS=$CFLAGS + if test "x$ap_ssltk_inc" != "x"; then + CFLAGS="$CFLAGS $ap_ssltk_inc" + fi + AC_MSG_CHECKING(for OpenSSL version) + AC_TRY_COMPILE([#include <openssl/opensslv.h>], +[#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x0090609f +#error "invalid openssl version" +#endif], + [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h? 
+ AC_MSG_RESULT(OK)], + [AC_MSG_RESULT([not encouraging]) + echo "WARNING: OpenSSL version may contain security vulnerabilities!"]) + dnl restore + CFLAGS=$saved_CFLAGS + fi + + if test "$ap_ssltk_type" = "sslc"; then + AC_MSG_CHECKING(for SSL-C version) + dnl FIXME: we currently don't check anything for SSL-C + AC_MSG_RESULT([OK, but I didn't really check]) + fi + + dnl Step 6: adjust anything we need based on what we found above + dnl (a) define preprocessor symbols + if test "$ap_ssltk_type" = "openssl"; then + APR_ADDTO(CFLAGS, ["-DHAVE_OPENSSL"]) + else + APR_ADDTO(CFLAGS, ["-DHAVE_SSLC"]) + fi + dnl (b) hook up include paths + if test "x$ap_ssltk_inc" != "x"; then + APR_ADDTO(INCLUDES, [$ap_ssltk_inc]) + fi + dnl (c) hook up linker paths + if test "x$ap_ssltk_lib" != "x"; then + dnl FIXME: I'm following the old mechanism here - add -L<path> to LDFLAGS + dnl and *IF* ap_platform_runtime_link_flag is defined, add {that}<path> + dnl to LDFLAGS as well. + APR_ADDTO(LDFLAGS, ["-L$ap_ssltk_lib"]) + if test "x$ap_platform_runtime_link_flag" != "x"; then + APR_ADDTO(LDFLAGS, ["$ap_platform_runtime_link_flag$ap_ssltk_libdir"]) + fi + fi + fi ]) Index: modules/ssl/config.m4 =================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/ssl/config.m4,v retrieving revision 1.11 diff -u -r1.11 config.m4 --- modules/ssl/config.m4 29 Mar 2002 07:36:01 -0000 1.11 +++ modules/ssl/config.m4 4 Mar 2003 23:00:05 -0000 
@@ -77,8 +77,13 @@ dnl # hook module into the Autoconf mechanism (--enable-ssl option) APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , no, [ APACHE_CHECK_SSL_TOOLKIT - AC_CHECK_FUNCS(SSL_set_state) - AC_CHECK_FUNCS(SSL_set_cert_store) + dnl These checks aren't really useful and could fail for silly reasons if + dnl ever the flags configured by APACHE_CHECK_SSL_TOOLKIT aren't in + dnl effect when these checks run (but are in effect during apache + dnl compilation). The version checks on openssl already make sure the + dnl below functions exist anyway. + dnl AC_CHECK_FUNCS(SSL_set_state) + dnl AC_CHECK_FUNCS(SSL_set_cert_store) ]) dnl # end of module specific part Index: modules/ssl/mod_ssl.h =================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.h,v retrieving revision 1.125 diff -u -r1.125 mod_ssl.h --- modules/ssl/mod_ssl.h 23 Feb 2003 17:12:43 -0000 1.125 +++ modules/ssl/mod_ssl.h 4 Mar 2003 23:00:06 -0000 @@ -107,23 +107,7 @@ #define MOD_SSL_VERSION AP_SERVER_BASEREVISION -/* OpenSSL headers */ -#include <ssl.h> -#include <err.h> -#include <x509.h> -#include <pem.h> -#include <crypto.h> -#include <evp.h> -#include <rand.h> -#ifdef SSL_EXPERIMENTAL_ENGINE -#include <engine.h> -#endif - #include "ssl_toolkit_compat.h" - -#ifdef HAVE_SSL_X509V3_H -#include <x509v3.h> -#endif /* mod_ssl headers */ #include "ssl_expr.h" Index: modules/ssl/ssl_toolkit_compat.h =================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_toolkit_compat.h,v retrieving revision 1.28 diff -u -r1.28 ssl_toolkit_compat.h --- modules/ssl/ssl_toolkit_compat.h 3 Feb 2003 17:53:13 -0000 1.28 +++ modules/ssl/ssl_toolkit_compat.h 4 Mar 2003 23:00:07 -0000 
@@ -55,7 +55,20 @@ * between OpenSSL and RSA sslc */ -#ifdef OPENSSL_VERSION_NUMBER +#ifdef HAVE_OPENSSL + +/* OpenSSL headers */ +#include <openssl/ssl.h> +#include <openssl/err.h> +#include <openssl/x509.h> +#include <openssl/pem.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/rand.h> +#include <openssl/x509v3.h> +#ifdef SSL_EXPERIMENTAL_ENGINE +#include <openssl/engine.h> +#endif /* * rsa sslc uses incomplete types for most structures @@ -123,6 +136,19 @@ #else /* RSA sslc */ +/* SSL-C headers */ +#include <ssl.h> +#include <err.h> +#include <x509.h> +#include <pem.h> +#include <crypto.h> +#include <evp.h> +#include <rand.h> + +#if SSLC_VERSION > 0x1FFF +#include <x509v3.h> +#endif + /* sslc does not support this function, OpenSSL has since 9.5.1 */ #define RAND_status() 1 @@ -160,6 +186,9 @@ #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB #endif +/* Note: this test is no longer used to mess with NO_SSL_X509V3_H and + * HAVE_SSL_X509V3_H, instead we include x509v3.h further up using the opposite + * test (SSLC_VERSION > 0x1FFF). */ #if SSLC_VERSION < 0x2000 #define X509_STORE_CTX_set_depth(st, d) @@ -171,8 +200,6 @@ #define modssl_set_verify(ssl, verify, cb) \ SSL_set_verify(ssl, verify) -#define NO_SSL_X509V3_H - #endif /* BEGIN GENERATED SECTION */ @@ -208,10 +235,6 @@ #ifndef modssl_set_verify #define modssl_set_verify(ssl, verify, cb) \ SSL_set_verify(ssl, verify, cb) -#endif - -#ifndef NO_SSL_X509V3_H -#define HAVE_SSL_X509V3_H #endif #endif /* SSL_TOOLKIT_COMPAT_H */
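Review bot: In the acinclude.m4 hunks at -312 and -320, the old macro survives as APACHE_CHECK_SSL_TOOLKIT_OLD but nothing in the patch invokes it, so it becomes dead code that will drift out of sync with the new macro; either delete it in this patch or say explicitly in its dnl header that it is retained only for reference until the new version has been exercised on the other platforms.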
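Review bot: In the new APACHE_CHECK_SSL_TOOLKIT (acinclude.m4 hunk at -421), Step 6(c) appends "$ap_platform_runtime_link_flag$ap_ssltk_libdir" but the variable assigned in Step 4 is ap_ssltk_lib, so ap_ssltk_libdir is always empty and the runtime link flag is emitted with no path; change it to "$ap_platform_runtime_link_flag$ap_ssltk_lib". Three smaller points in the same hunk: the guard "if test "x$ap_ssltk_configured" = "x"" never fires because ap_ssltk_configured is never set, so add ap_ssltk_configured=yes at the end of the block; the Step 4 calls AC_CHECK_LIB(crypto, SSLeay_version) and AC_CHECK_LIB(ssl, SSL_CTX_new) have no action-if-not-found, so a missing library is not reported here (only the header check ends in AC_MSG_ERROR) and surfaces as a link failure later, which an empty action-if-found plus [AC_MSG_ERROR([...])] as the fourth argument would fix without losing the default -l handling; and in Step 1, "`cd $withval ; pwd`" still returns the current directory when cd fails, so a mistyped --with-ssl path silently becomes the build directory, where "`cd "$withval" && pwd`" followed by an emptiness check would fail loudly instead.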
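Review bot: In the modules/ssl/config.m4 hunk, commenting out AC_CHECK_FUNCS(SSL_set_state) and AC_CHECK_FUNCS(SSL_set_cert_store) also removes the HAVE_SSL_SET_STATE and HAVE_SSL_SET_CERT_STORE definitions those checks produce, and the justification in the new dnl comment ("the version checks on openssl already make sure the below functions exist") no longer holds in this same patch, where the OpenSSL version check has been downgraded to a warning and SSL-C gets no version check at all. Either keep the two checks, or delete the lines outright instead of leaving them commented out, after confirming nothing in modules/ssl is still guarded by those HAVE_ symbols.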
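Review bot: In the ssl_toolkit_compat.h hunk at -55, replacing "#ifdef OPENSSL_VERSION_NUMBER" with "#ifdef HAVE_OPENSSL" means the toolkit selection now depends on a -D flag coming from configure rather than on anything the headers themselves define, so any translation unit built without the configured CFLAGS silently falls into the "#else /* RSA sslc */" branch. A guard such as "#if !defined(HAVE_OPENSSL) && !defined(HAVE_SSLC)" with "#error" before the branch would turn that into a compile-time failure. The same applies to "#if SSLC_VERSION > 0x1FFF" in the SSL-C branch: if SSLC_VERSION is not defined by the preceding <ssl.h>, the preprocessor evaluates it as 0 and x509v3.h is quietly skipped.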
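Review bot: The hunks at -171 and -208 in ssl_toolkit_compat.h drop NO_SSL_X509V3_H and the derived HAVE_SSL_X509V3_H entirely, and the mod_ssl.h hunk removes the only visible consumer ("#ifdef HAVE_SSL_X509V3_H"); before this is committed, please confirm that no other file under modules/ssl still tests HAVE_SSL_X509V3_H or NO_SSL_X509V3_H, since an "#ifdef" on a symbol that is no longer defined anywhere will compile cleanly and just silently disable that code.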