From a99ad2b9007d1775e9598bc78698cbc5d5ba0f60 Mon Sep 17 00:00:00 2001 From: Dean Scarff Date: Thu, 2 Jul 2020 19:24:04 +1000 Subject: [PATCH] Update OpenSSL autoconf checks - Checks explicitly for versions >= 1.1.0 with pkg-config - Refactor the fallback checks. Previously they were copied from the gnutls logic, but could be slightly surprising (it's not obvious that they're for the case where pkg-config returns a false negative, and it's weird that the linker check overode the header check) - Fix the AC_SEARCH_LIBS check to try -lcrypto instead of -lopenssl (-lcrypto is the standard library OpenSSL ships the crypto symbols in). - Fix the AC_SEARCH_LIBS check to look for EVP_MD_CTX_new, which is not present in versions prior to 1.1.0. Fixes qpdf/qpdf#429 (although I haven't verified on cygwin) --- autofiles.sums | 2 +- configure | 59 ++++++++++++++++++++++++-------------------------- configure.ac | 18 +++++++++------ 3 files changed, 40 insertions(+), 39 deletions(-) diff --git a/autofiles.sums b/autofiles.sums index 89be5836..c0c1cc30 100644 --- a/autofiles.sums +++ b/autofiles.sums @@ -1,4 +1,4 @@ -055e54a34d94a0c2ed9451042a1c747e47b29259a9035af9e7327401a5c3fbd1 configure.ac +d2cb3f80935a7e6e265a04da6ba9c0df4eabae3de33c6a48384a9fa50a15143b configure.ac d3f9ee6f6f0846888d9a10fd3dad2e4b1258be84205426cf04d7cef02d61dad7 aclocal.m4 cf2c764639c4c94abc183a0976eca6ae500b80790ea25e3d0af97b23587363b7 libqpdf/qpdf/qpdf-config.h.in 5297971a0ef90bcd5563eb3f7127a032bb76d3ae2af7258bf13479caf8983a60 m4/ax_cxx_compile_stdcxx.m4 diff --git a/configure b/configure index 47e08dad..2b21fc79 100755 --- a/configure +++ b/configure 
@@ -1477,7 +1477,7 @@ Optional Features: are not explicitly requested; true by default --enable-crypto-native whether to include support for native crypto provider - --enable-crypto-openssl whether to include support for the BoringSSL crypto + --enable-crypto-openssl whether to include support for the openssl crypto provider --enable-crypto-gnutls whether to include support for gnutls crypto provider @@ -17811,12 +17811,12 @@ if test -n "$pc_openssl_CFLAGS"; then pkg_cv_pc_openssl_CFLAGS="$pc_openssl_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"openssl\""; } >&5 - ($PKG_CONFIG --exists --print-errors "openssl") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"openssl >= 1.1.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "openssl >= 1.1.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_pc_openssl_CFLAGS=`$PKG_CONFIG --cflags "openssl" 2>/dev/null` + pkg_cv_pc_openssl_CFLAGS=`$PKG_CONFIG --cflags "openssl >= 1.1.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes 
@@ -17828,12 +17828,12 @@ if test -n "$pc_openssl_LIBS"; then pkg_cv_pc_openssl_LIBS="$pc_openssl_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"openssl\""; } >&5 - ($PKG_CONFIG --exists --print-errors "openssl") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"openssl >= 1.1.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "openssl >= 1.1.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_pc_openssl_LIBS=`$PKG_CONFIG --libs "openssl" 2>/dev/null` + pkg_cv_pc_openssl_LIBS=`$PKG_CONFIG --libs "openssl >= 1.1.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -17854,9 +17854,9 @@ else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - pc_openssl_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "openssl" 2>&1` + pc_openssl_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "openssl >= 1.1.0" 2>&1` else - pc_openssl_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "openssl" 2>&1` + pc_openssl_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "openssl >= 1.1.0" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$pc_openssl_PKG_ERRORS" >&5 
@@ -17873,18 +17873,13 @@ else $as_echo "yes" >&6; } OPENSSL_FOUND=1 fi -if test "$OPENSSL_FOUND" = "0"; then + +if test "$OPENSSL_FOUND" = "0"; then : ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default" if test "x$ac_cv_header_openssl_evp_h" = xyes; then : - OPENSSL_FOUND=1 -else - OPENSSL_FOUND=0 -fi - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_DigestInit_ex" >&5 -$as_echo_n "checking for library containing EVP_DigestInit_ex... " >&6; } -if ${ac_cv_search_EVP_DigestInit_ex+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_MD_CTX_new" >&5 +$as_echo_n "checking for library containing EVP_MD_CTX_new... " >&6; } +if ${ac_cv_search_EVP_MD_CTX_new+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -17897,16 +17892,16 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext #ifdef __cplusplus extern "C" #endif -char EVP_DigestInit_ex (); +char EVP_MD_CTX_new (); int main () { -return EVP_DigestInit_ex (); +return EVP_MD_CTX_new (); ; return 0; } _ACEOF -for ac_lib in '' openssl; do +for ac_lib in '' crypto; do if test -z "$ac_lib"; then ac_res="none required" else 
@@ -17914,32 +17909,34 @@ for ac_lib in '' openssl; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_EVP_DigestInit_ex=$ac_res + ac_cv_search_EVP_MD_CTX_new=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if ${ac_cv_search_EVP_DigestInit_ex+:} false; then : + if ${ac_cv_search_EVP_MD_CTX_new+:} false; then : break fi done -if ${ac_cv_search_EVP_DigestInit_ex+:} false; then : +if ${ac_cv_search_EVP_MD_CTX_new+:} false; then : else - ac_cv_search_EVP_DigestInit_ex=no + ac_cv_search_EVP_MD_CTX_new=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_DigestInit_ex" >&5 -$as_echo "$ac_cv_search_EVP_DigestInit_ex" >&6; } -ac_res=$ac_cv_search_EVP_DigestInit_ex +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_MD_CTX_new" >&5 +$as_echo "$ac_cv_search_EVP_MD_CTX_new" >&6; } +ac_res=$ac_cv_search_EVP_MD_CTX_new if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" OPENSSL_FOUND=1 -else - OPENSSL_FOUND=0 fi +fi + + + fi IMPLICIT_OPENSSL=0 diff --git a/configure.ac b/configure.ac index 83587b82..bd2ee15a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -586,23 +586,27 @@ if test "$USE_CRYPTO_NATIVE" = "1"; then DEFAULT_CRYPTO=native fi -dnl If the openssl/BoringSSL provider is explicitly requested, require openssl +dnl If the openssl/BoringSSL provider is explicitly requested, require openssl. dnl If the openssl provider is not explicitly disabled, enable it if dnl openssl is available. If the openssl provider is explicitly dnl disabled, do not link with openssl even if present. -PKG_CHECK_MODULES([pc_openssl], [openssl], [OPENSSL_FOUND=1], [OPENSSL_FOUND=0]) -if test "$OPENSSL_FOUND" = "0"; then - AC_CHECK_HEADER([openssl/evp.h],[OPENSSL_FOUND=1],[OPENSSL_FOUND=0]) - AC_SEARCH_LIBS(EVP_DigestInit_ex,openssl,[OPENSSL_FOUND=1],[OPENSSL_FOUND=0]) -fi +PKG_CHECK_MODULES([pc_openssl], [openssl >= 1.1.0], + [OPENSSL_FOUND=1], [OPENSSL_FOUND=0]) + +dnl Override pkg-config if headers and libraries are present. +AS_IF([test "$OPENSSL_FOUND" = "0"], + [AC_CHECK_HEADER( + [openssl/evp.h], + [AC_SEARCH_LIBS(EVP_MD_CTX_new,crypto,[OPENSSL_FOUND=1])]) + ]) IMPLICIT_OPENSSL=0 USE_CRYPTO_OPENSSL=0 AC_SUBST(USE_CRYPTO_OPENSSL) AC_ARG_ENABLE(crypto-openssl, AS_HELP_STRING([--enable-crypto-openssl], - [whether to include support for the BoringSSL crypto provider]), + [whether to include support for the openssl crypto provider]), [if test "$enableval" = "yes"; then USE_CRYPTO_OPENSSL=1 else
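Review bot: The fallback `AC_SEARCH_LIBS(EVP_MD_CTX_new,crypto,[OPENSSL_FOUND=1])` prepends `-lcrypto` to `LIBS` as soon as the probe links (the regenerated configure shows `LIBS="$ac_res $LIBS"`), and it runs before `--enable-crypto-openssl` is evaluated, so the comment just above it ("If the openssl provider is explicitly disabled, do not link with openssl even if present") may no longer hold on the fallback path now that the probe can actually succeed. Consider saving and restoring `LIBS` around the `AS_IF`, e.g. `openssl_save_LIBS=$LIBS` before it and `LIBS=$openssl_save_LIBS` after it, and adding the library only where the provider ends up enabled; that code is outside this hunk, so confirm how it consumes `OPENSSL_FOUND`. The fallback also checks only that `openssl/evp.h` exists, so headers older than 1.1.0 paired with a newer libcrypto would pass configure; a compile test on `OPENSSL_VERSION_NUMBER` from `openssl/opensslv.h` would keep the `>= 1.1.0` requirement consistent with the pkg-config branch. The `AC_ARG_ENABLE(crypto-openssl, ...)` block continues past the end of the hunk.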