Hi there,

* Justin Erenkrantz ([EMAIL PROTECTED]) wrote:
> 
> Yes, the former is what I would expect as well.  I would add a third clause 
> to your AC_CHECK_LIB which appends -lLIBRARY to saved_LIBS.  Hmm.  I wonder 
> where saved_LIBS will end up in relationship to AP_LIBS.  Ah, it seems that 
> EXTRA_LIBS will be before AP_LIBS - Solaris and other one-pass linkers 
> should be happy.

Yeah I've changed this to manually add "-lssl -lcrypto" to LIBS after
it's restored from saved_LIBS and that makes things work. I also added a
missing AC_MSG_ERROR() if the libs weren't found, as this is clearly a
fatal SSL/TLS configuration error I should have been catching already.

So I guess we make do with that then? I know this is what is currently
done so I presume this is OK, though I admit to being less than pleased
with manually added linker flags given that we're using AC_CHECK_LIB()
which is supposed to hide all that (and handle whatever the correct
syntax is on the host).

NB: If it's later decided that AC_CHECK_LIB() should take care of adding
the linker flags internally, the save/restore trick with LIBS would have
to go, which in turn means that the other linker flags would have to be
configured in advance using AC_CHECK_LIB macros (rather than using
$apr_config --libs).

> >in portability problems. Unless someone tells me the Apache-Approved(tm)
> >way to do this, I'd rather just leave the comment there to guide someone
> >else if they feel so moved afterwards.
> 
> ap_ssltk_version="`$p/openssl version`"
> 
> I kinda like that approach (i.e. what we're currently doing...).

I'm not sure I like it but I'll go with the flow if you insist. The
thing is, it requires the openssl executable be installed which on
package-management systems will be the openssl package containing
programs, documents, scripts, certificates, etc. rather than just a
"libopenssl" package containing libs and headers. This also requires us to
test for the "openssl" program and work around the case that it's not
found (the current code seems to consider this fatal but that seems
dramatic under the circumstances). At the least, can we leave that as a
second step once the configuration is tidied up? Right now the version
check in configure is OK even if there's no obvious way to propagate a
text form of the version to the console. I can't see the implications of
requiring the presence of the openssl binary to be worth the effort for
a purely aesthetic issue.

> If you want to be cute, you could do something with AC_EGREP_HEADER, but 
> I'm not totally clear what the syntax would be.

I took a look because this idea seemed promising at first look, but the
code generated by AC_EGREP_HEADER sends both stdout and stderr to
/dev/null, so the regexp seems useful only for a yes/no pattern-match -
I can't see any obvious way to capture what comes out of the egrep.
Perhaps there's another macro lurking somewhere that would solve all
this?

> >- Seeing as CPPFLAGS seems ideal for header *and* compilation checks, is
> >  INCLUDES still the appropriate place to APR_ADDTO() any required
> >  include path once the tests are done?
> 
> Yeah, I thought about that after I sent my original message.  We really 
> should be adding the -I's to INCLUDES.  But, autoconf will only temporarily 
> use CPPFLAGS, so we should add to CPPFLAGS for the header checks, then if 
> it works, add it to INCLUDES (which gets morphed to EXTRA_INCLUDES later 
> on). Our build system should use INCLUDES properly.  -- justin

OK, I'll stick with INCLUDES then. So AFAICS, if we accept the
following:

(1) explicitly adding "-lssl -lcrypto" into LIBS if the library checks
    succeed (using APR_ADDTO),
(2) don't try to grep the version text yet for output from "configure"
    nor assume the "openssl" binary to generate it,
(3) put include paths into INCLUDES (using APR_ADDTO)

then the patch attached to this mail should be OK? Does this seem
reasonable? (Note, I've still left the old version stubbed in - I prefer
to leave the diff readable until someone's ready to start using the word
"commit").

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

Index: acconfig.h
===================================================================
RCS file: /home/cvspublic/httpd-2.0/acconfig.h,v
retrieving revision 1.1
diff -u -r1.1 acconfig.h
--- acconfig.h  31 Jan 2002 14:51:37 -0000      1.1
+++ acconfig.h  7 Mar 2003 20:54:37 -0000
@@ -1,2 +1,8 @@
 /* Define this if struct tm has a field tm_gmtoff */
 #undef HAVE_GMTOFF
+
+/* Define this if we are building with OpenSSL */
+#undef HAVE_OPENSSL
+
+/* Define this if we are building with SSL-C */
+#undef HAVE_SSLC
Index: acinclude.m4
===================================================================
RCS file: /home/cvspublic/httpd-2.0/acinclude.m4,v
retrieving revision 1.136
diff -u -r1.136 acinclude.m4
--- acinclude.m4        17 Feb 2003 02:32:19 -0000      1.136
+++ acinclude.m4        7 Mar 2003 20:54:37 -0000
@@ -312,7 +312,7 @@
 ])
 
 dnl
-dnl APACHE_CHECK_SSL_TOOLKIT
+dnl APACHE_CHECK_SSL_TOOLKIT (old version)
 dnl
 dnl Find the openssl toolkit installation and check it for the right
 dnl version, then add its flags to INCLUDES and LIBS.  This should
@@ -320,7 +320,7 @@
 dnl and then AC_TRY_LINK to test the libraries directly for the version,
 dnl but that will require someone who knows how to program openssl.
 dnl
-AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
+AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT_OLD,[
 if test "x$ap_ssltk_base" = "x"; then
   AC_MSG_CHECKING(for SSL/TLS toolkit base)
   ap_ssltk_base=""
@@ -421,6 +421,116 @@
   fi
   APR_ADDTO(LIBS, [-lssl -lcrypto])
   ap_cv_ssltk="$ap_ssltk_base"
+fi
+])
+
+dnl
+dnl APACHE_CHECK_SSL_TOOLKIT (new version)
+dnl
+dnl Configure for the detected openssl/ssl-c toolkit installation, giving
+dnl preference to "--with-ssl=<path>" if it was specified.
+dnl
+AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
+if test "x$ap_ssltk_configured" = "x"; then
+  dnl initialise the variables we use
+  ap_ssltk_base=""
+  ap_ssltk_inc=""
+  ap_ssltk_lib=""
+  ap_ssltk_type=""
+
+  dnl Determine the SSL/TLS toolkit's base directory, if any
+  AC_MSG_CHECKING(for SSL/TLS toolkit base)
+  AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,SSL/TLS toolkit), [
+    dnl If --with-ssl specifies a directory, we use that directory or fail
+    if test "x$withval" != "xyes" -a "x$withval" != "x"; then
+      dnl This ensures $withval is actually a directory and that it is absolute
+      ap_ssltk_base="`cd $withval ; pwd`"
+    fi
+  ])
+  if test "x$ap_ssltk_base" = "x"; then
+    AC_MSG_RESULT(none)
+  else
+    AC_MSG_RESULT($ap_ssltk_base)
+  fi
+
+  dnl Run header and version checks
+  saved_CPPFLAGS=$CPPFLAGS
+  if test "x$ap_ssltk_base" != "x"; then
+    ap_ssltk_inc="-I$ap_ssltk_base/include"
+    CPPFLAGS="$CPPFLAGS $ap_ssltk_inc"
+  fi
+  AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [])
+  if test "x$ap_ssltk_type" = "x"; then
+    AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], 
[])
+    if test "x$ap_ssltk_type" = "x"; then
+      AC_MSG_ERROR([No SSL/TLS headers were available])
+    fi
+    dnl so it's OpenSSL - report, then test for a good version
+    echo "... SSL/TLS support configuring for OpenSSL"
+    AC_MSG_CHECKING(for OpenSSL version)
+    AC_TRY_COMPILE([#include <openssl/opensslv.h>],
+[#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x0090609f
+#error "invalid openssl version"
+#endif],
+      [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
+      AC_MSG_RESULT(OK)],
+      [AC_MSG_RESULT([not encouraging])
+      echo "WARNING: OpenSSL version may contain security vulnerabilities!"])
+  else
+    dnl so it's SSL-C - report, then test anything relevant
+    echo "... SSL/TLS support configuring for SSL-C"
+    AC_MSG_CHECKING(for SSL-C version)
+    dnl FIXME: we currently don't check anything for SSL-C
+    AC_MSG_RESULT([OK, but I didn't really check])
+  fi
+  dnl restore
+  CPPFLAGS=$saved_CPPFLAGS
+
+  dnl Run library checks
+  saved_LDFLAGS=$LDFLAGS
+  saved_LIBS=$LIBS
+  if test "x$ap_ssltk_base" != "x"; then
+    if test -d "$ap_ssltk_base/lib"; then
+      ap_ssltk_lib="$ap_ssltk_base/lib"
+    else
+      ap_ssltk_lib="$ap_ssltk_base"
+    fi
+    LDFLAGS="$LDFLAGS -L$ap_ssltk_lib"
+  fi
+  dnl make sure "other" flags are available so libcrypto and libssl can link
+  LIBS="$LIBS `$apr_config --libs`"
+  liberrors=""
+  AC_CHECK_LIB(crypto, SSLeay_version, [], [liberrors="yes"])
+  AC_CHECK_LIB(ssl, SSL_CTX_new, [], [liberrors="yes"])
+  if test "x$liberrors" != "x"; then
+    AC_MSG_ERROR([... Error, SSL/TLS libraries were missing or unusable])
+  fi
+  dnl restore
+  LDFLAGS=$saved_LDFLAGS
+  LIBS=$saved_LIBS
+
+  dnl Adjust apache's configuration based on what we found above.
+  dnl (a) define preprocessor symbols
+  if test "$ap_ssltk_type" = "openssl"; then
+    AC_DEFINE(HAVE_OPENSSL)
+  else
+    AC_DEFINE(HAVE_SSLC)
+  fi
+  dnl (b) hook up include paths
+  if test "x$ap_ssltk_inc" != "x"; then
+    APR_ADDTO(INCLUDES, [$ap_ssltk_inc])
+  fi
+  dnl (c) hook up linker paths
+  if test "x$ap_ssltk_lib" != "x"; then
+    APR_ADDTO(LDFLAGS, ["-L$ap_ssltk_lib"])
+    if test "x$ap_platform_runtime_link_flag" != "x"; then
+      APR_ADDTO(LDFLAGS, ["$ap_platform_runtime_link_flag$ap_ssltk_libdir"])
+    fi
+  fi
+  dnl (d) add "-lssl -lcrypto" to LIBS because restoring LIBS after
+  dnl AC_CHECK_LIB() obliterates any flags AC_CHECK_LIB() added.
+  APR_ADDTO(LIBS, [-lssl -lcrypto])
+
 fi
 ])
 
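Review bot: `$ap_ssltk_libdir` in the runtime link flag line is never assigned anywhere in this macro; the variable that actually holds the library directory is `ap_ssltk_lib`, so on platforms where `ap_platform_runtime_link_flag` is set the flag is emitted with an empty path. Suggest `APR_ADDTO(LDFLAGS, ["$ap_platform_runtime_link_flag$ap_ssltk_lib"])`. A second point in the same hunk: `ap_ssltk_base="`cd $withval ; pwd`"` does not enforce what its comment claims, because if `$withval` is not a directory the `cd` fails but `pwd` still prints the current directory, so a mistyped --with-ssl silently configures against the build tree; test `-d "$withval"` first (quoted) and AC_MSG_ERROR otherwise.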
Index: modules/ssl/config.m4
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/config.m4,v
retrieving revision 1.11
diff -u -r1.11 config.m4
--- modules/ssl/config.m4       29 Mar 2002 07:36:01 -0000      1.11
+++ modules/ssl/config.m4       7 Mar 2003 20:54:38 -0000
@@ -77,8 +77,6 @@
 dnl #  hook module into the Autoconf mechanism (--enable-ssl option)
 APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , no, [
     APACHE_CHECK_SSL_TOOLKIT
-    AC_CHECK_FUNCS(SSL_set_state)
-    AC_CHECK_FUNCS(SSL_set_cert_store)
 ])
 
 dnl #  end of module specific part
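Review bot: dropping these two AC_CHECK_FUNCS calls also drops the HAVE_SSL_SET_STATE and HAVE_SSL_SET_CERT_STORE defines they generated, and nothing else in the patch supplies them; confirm that no file under modules/ssl still tests those macros, or keep the checks after APACHE_CHECK_SSL_TOOLKIT (which now leaves the -L and -l flags in LDFLAGS/LIBS, so they would link).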
Index: modules/ssl/mod_ssl.h
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.125
diff -u -r1.125 mod_ssl.h
--- modules/ssl/mod_ssl.h       23 Feb 2003 17:12:43 -0000      1.125
+++ modules/ssl/mod_ssl.h       7 Mar 2003 20:54:39 -0000
@@ -107,23 +107,7 @@
 
 #define MOD_SSL_VERSION AP_SERVER_BASEREVISION
 
-/* OpenSSL headers */
-#include <ssl.h>
-#include <err.h>
-#include <x509.h>
-#include <pem.h>
-#include <crypto.h>
-#include <evp.h>
-#include <rand.h>
-#ifdef SSL_EXPERIMENTAL_ENGINE
-#include <engine.h>
-#endif
-
 #include "ssl_toolkit_compat.h"
-
-#ifdef HAVE_SSL_X509V3_H
-#include <x509v3.h>
-#endif
 
 /* mod_ssl headers */
 #include "ssl_expr.h"
Index: modules/ssl/ssl_toolkit_compat.h
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_toolkit_compat.h,v
retrieving revision 1.28
diff -u -r1.28 ssl_toolkit_compat.h
--- modules/ssl/ssl_toolkit_compat.h    3 Feb 2003 17:53:13 -0000       1.28
+++ modules/ssl/ssl_toolkit_compat.h    7 Mar 2003 20:54:39 -0000
@@ -55,7 +55,20 @@
  * between OpenSSL and RSA sslc
  */
 
-#ifdef OPENSSL_VERSION_NUMBER
+#ifdef HAVE_OPENSSL
+
+/* OpenSSL headers */
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+#ifdef SSL_EXPERIMENTAL_ENGINE
+#include <openssl/engine.h>
+#endif
 
 /*
  * rsa sslc uses incomplete types for most structures
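Review bot: switching the branch selector from `OPENSSL_VERSION_NUMBER` to `HAVE_OPENSSL` makes this header depend on the configure-generated define, which is only visible if the header carrying the AC_DEFINE output is included before ssl_toolkit_compat.h; the old test was self-contained because it keyed off the toolkit's own header. If neither symbol is visible the header silently falls through to the SSL-C branch and tries `#include <ssl.h>`, which fails in a confusing way. Suggest adding `#if !defined(HAVE_OPENSSL) && !defined(HAVE_SSLC)` with an `#error` naming the missing config include before the `#ifdef HAVE_OPENSSL`.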
@@ -123,6 +136,19 @@
 
 #else /* RSA sslc */
 
+/* SSL-C headers */
+#include <ssl.h>
+#include <err.h>
+#include <x509.h>
+#include <pem.h>
+#include <crypto.h>
+#include <evp.h>
+#include <rand.h>
+
+#if SSLC_VERSION > 0x1FFF
+#include <x509v3.h>
+#endif
+
 /* sslc does not support this function, OpenSSL has since 9.5.1 */
 #define RAND_status() 1
 
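Review bot: `#if SSLC_VERSION > 0x1FFF` is evaluated without anything guaranteeing that SSLC_VERSION is defined; if none of the seven SSL-C headers included just above defines it, the preprocessor substitutes 0 and x509v3.h is silently skipped, whereas the old scheme let configure decide via HAVE_SSL_X509V3_H. Add an `#ifndef SSLC_VERSION` / `#error` guard (or at least a comment naming the header that is expected to define it) so a wrong include path fails loudly rather than compiling out the x509v3 support.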
@@ -160,6 +186,9 @@
 #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
 #endif
 
+/* Note: this test is no longer used to mess with NO_SSL_X509V3_H and
+ * HAVE_SSL_X509V3_H, instead we include x509v3.h further up using the opposite
+ * test (SSLC_VERSION > 0x1FFF). */
 #if SSLC_VERSION < 0x2000
 
 #define X509_STORE_CTX_set_depth(st, d)    
@@ -171,8 +200,6 @@
 #define modssl_set_verify(ssl, verify, cb) \
     SSL_set_verify(ssl, verify)
 
-#define NO_SSL_X509V3_H
-
 #endif
 
 /* BEGIN GENERATED SECTION */
@@ -208,10 +235,6 @@
 #ifndef modssl_set_verify
 #define modssl_set_verify(ssl, verify, cb) \
     SSL_set_verify(ssl, verify, cb)
-#endif
-
-#ifndef NO_SSL_X509V3_H
-#define HAVE_SSL_X509V3_H
 #endif
 
 #endif /* SSL_TOOLKIT_COMPAT_H */
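Review bot: removing the HAVE_SSL_X509V3_H definition here (and NO_SSL_X509V3_H in the hunk above) changes a macro other sources may test; the only consumer visible in this patch is the block removed from mod_ssl.h, so grep the rest of modules/ssl for both names before committing, otherwise any code still guarded by `#ifdef HAVE_SSL_X509V3_H` compiles out without a diagnostic.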