[thirdparty/squid.git] / acinclude / lib-checks.m4

## Copyright (C) 1996-2017 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##

dnl check whether regex works by actually compiling one
dnl sets squid_cv_regex_works to either yes or no

AC_DEFUN([SQUID_CHECK_REGEX_WORKS],[
  AC_CACHE_CHECK([if the system-supplied regex lib actually works],squid_cv_regex_works,[
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#if HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#if HAVE_REGEX_H
#include <regex.h> 
#endif
]], [[
regex_t t; regcomp(&t,"",0);]])],
    [ squid_cv_regex_works=yes ],
    [ squid_cv_regex_works=no ])
  ])
])


AC_DEFUN([SQUID_CHECK_LIBIPHLPAPI],[
  AC_CACHE_CHECK([for libIpHlpApi],squid_cv_have_libiphlpapi,[
    SQUID_STATE_SAVE(iphlpapi)
    LIBS="$LIBS -liphlpapi"
    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <windows.h>
#include <winsock2.h>
#include <iphlpapi.h>
]], [[
  MIB_IPNETTABLE i;
  unsigned long isz=sizeof(i);
  GetIpNetTable(&i,&isz,FALSE);
    ]])],
    [squid_cv_have_libiphlpapi=yes
     SQUID_STATE_COMMIT(iphlpapi)],
    [squid_cv_have_libiphlpapi=no
     SQUID_STATE_ROLLBACK(iphlpapi)])
  ])
  SQUID_STATE_ROLLBACK(iphlpapi)
])

dnl Checks whether the -lssl library provides OpenSSL TLS_*_method() definitions
AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[
  AH_TEMPLATE(HAVE_OPENSSL_TLS_METHOD, "Define to 1 if the TLS_method() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_OPENSSL_TLS_CLIENT_METHOD, "Define to 1 if the TLS_client_method() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_OPENSSL_TLS_SERVER_METHOD, "Define to 1 if the TLS_server_method() OpenSSL API function exists")
  SQUID_STATE_SAVE(check_openssl_TLS_METHODS)
  LIBS="$LIBS $SSLLIB"
  AC_CHECK_LIB(ssl, TLS_method, AC_DEFINE(HAVE_OPENSSL_TLS_METHOD, 1))
  AC_CHECK_LIB(ssl, TLS_client_method, AC_DEFINE(HAVE_OPENSSL_TLS_CLIENT_METHOD, 1))
  AC_CHECK_LIB(ssl, TLS_server_method, AC_DEFINE(HAVE_OPENSSL_TLS_SERVER_METHOD, 1))
  SQUID_STATE_ROLLBACK(check_openssl_TLS_METHODS)
])

dnl Checks whether the -lcrypto library provides various OpenSSL API functions
AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
  AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_UP_REF, "Define to 1 if the X509_up_ref() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_DH_UP_REF, "Define to 1 if the DH_up_ref() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, "Define to 1 if the X509_get0_signature() OpenSSL API function exists")
  SQUID_STATE_SAVE(check_openssl_libcrypto_api)
  LIBS="$LIBS $SSLLIB"
  AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
  AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
  AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1))
  AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1))
  AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1))
  AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1))
  AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1))
  AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1))
  AC_CHECK_LIB(crypto, X509_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_UP_REF, 1))
  AC_CHECK_LIB(crypto, X509_CRL_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, 1))
  AC_CHECK_LIB(crypto, DH_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_DH_UP_REF, 1))
  AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1))
  SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api)
])

dnl Checks whether the -lssl library provides various OpenSSL API functions
AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
  AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists")
  AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists")
  SQUID_STATE_SAVE(check_openssl_libssl_api)
  LIBS="$LIBS $SSLLIB"
  AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
  AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
  AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1))
  SQUID_STATE_ROLLBACK(check_openssl_libssl_api)
])

dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
dnl workaround can be used instead of using the SSL_get_certificate
AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
  AH_TEMPLATE(SQUID_SSLGETCERTIFICATE_BUGGY, "Define to 1 if the SSL_get_certificate crashes squid")
  AH_TEMPLATE(SQUID_USE_SSLGETCERTIFICATE_HACK, "Define to 1 to use squid workaround for SSL_get_certificate")
  SQUID_STATE_SAVE(check_SSL_get_certificate)
  LIBS="$SSLLIB $LIBS"
  if test "x$SSLLIBDIR" != "x"; then
     LIBS="$LIBS -Wl,-rpath -Wl,$SSLLIBDIR"
  fi

  AC_MSG_CHECKING(whether the SSL_get_certificate is buggy)
  AC_RUN_IFELSE([
  AC_LANG_PROGRAM(
    [
     #include <openssl/ssl.h>
     #include <openssl/err.h>
    ],
    [
    SSLeay_add_ssl_algorithms();
#if HAVE_OPENSSL_TLS_METHOD
    SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
#else
    SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
#endif
    SSL *ssl = SSL_new(sslContext);
    X509* cert = SSL_get_certificate(ssl);
    return 0;
    ])
  ],
  [
   AC_MSG_RESULT([no])
  ],
  [
   AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 1)
   AC_MSG_RESULT([yes])
  ],
  [
   AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 0)
   AC_MSG_RESULT([cross-compile, assuming no])
  ])

  AC_MSG_CHECKING(whether the workaround for SSL_get_certificate works)
  AC_RUN_IFELSE([
  AC_LANG_PROGRAM(
    [
     #include <openssl/ssl.h>
     #include <openssl/err.h>
    ],
    [
    SSLeay_add_ssl_algorithms();
#if HAVE_OPENSSL_TLS_METHOD
    SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
#else
    SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
#endif
    X509 ***pCert = (X509 ***)sslContext->cert;
    X509 *sslCtxCert = pCert && *pCert ? **pCert : (X509 *)0x1;
    if (sslCtxCert != NULL)
        return 1;
    return 0;
    ])
  ],
  [
   AC_MSG_RESULT([yes])
   AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 1)
  ],
  [
   AC_MSG_RESULT([no])
  ],
  [
   AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 0)
   AC_MSG_RESULT([cross-compile, assuming no])
  ])

SQUID_STATE_ROLLBACK(check_SSL_get_certificate)
])

dnl Checks whether the  SSL_CTX_new and similar functions require 
dnl a const 'SSL_METHOD *' argument
AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[
  AH_TEMPLATE(SQUID_USE_CONST_SSL_METHOD, "Define to 1 if the SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'")
  SQUID_STATE_SAVE(check_const_SSL_METHOD)
  AC_MSG_CHECKING(whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'")

  AC_COMPILE_IFELSE([
  AC_LANG_PROGRAM(
    [
     #include <openssl/ssl.h>
     #include <openssl/err.h>
    ],
    [
       const SSL_METHOD *method = NULL;
       SSL_CTX *sslContext = SSL_CTX_new(method);
       return (sslContext != NULL);
    ])
  ],
  [
   AC_DEFINE(SQUID_USE_CONST_SSL_METHOD, 1)
   AC_MSG_RESULT([yes])
  ],
  [
   AC_MSG_RESULT([no])
  ],
  [])

SQUID_STATE_ROLLBACK(check_const_SSL_METHOD)
])

dnl Checks whether the CRYPTO_EX_DATA duplication callback for SSL_get_ex_new_index() has a const argument
AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYPTO_EX_DATA],[
  AH_TEMPLATE(SQUID_USE_CONST_CRYPTO_EX_DATA_DUP, "Define to 1 if the SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'")
  SQUID_STATE_SAVE(check_const_CRYPTO_EX_DATA)
  AC_MSG_CHECKING(whether SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'")
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>

int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, int, long, void *) {
    return 0;
}
    ],[
return SSL_get_ex_new_index(0, (void*)"foo", NULL, &const_dup_func, NULL);
    ])
  ],[
   AC_DEFINE(SQUID_USE_CONST_CRYPTO_EX_DATA_DUP, 1)
   AC_MSG_RESULT([yes])
  ],[
   AC_MSG_RESULT([no])
  ])
  SQUID_STATE_ROLLBACK(check_const_CRYPTO_EX_DATA)
])

dnl Checks whether the callback for SSL_CTX_sess_set_get_cb() accepts a const ID argument
AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_SESSION_CB_ARG],[
  AH_TEMPLATE(SQUID_USE_CONST_SSL_SESSION_CBID, "Define to 1 if the SSL_CTX_sess_set_get_cb() callback accepts a const ID argument")
  SQUID_STATE_SAVE(check_const_SSL_CTX_sess_set_get_cb)
  AC_MSG_CHECKING(whether SSL_CTX_sess_set_get_cb() callback accepts a const ID argument")
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>

SSL_SESSION *get_session_cb(SSL *, const unsigned char *ID, int, int *) {
    return NULL;
}
    ],[
SSL_CTX_sess_set_get_cb(NULL, get_session_cb);
return 0;
    ])
  ],[
   AC_DEFINE(SQUID_USE_CONST_SSL_SESSION_CBID, 1)
   AC_MSG_RESULT([yes])
  ],[
   AC_MSG_RESULT([no])
  ])
  SQUID_STATE_ROLLBACK(check_const_SSL_CTX_sess_set_get_cb)
])

dnl Try to handle TXT_DB related  problems:
dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version
dnl 2) The IMPLEMENT_LHASH_* openSSL macros in openSSL-1.0.1 and later releases is not
dnl    implemented correctly and causes type conversion errors while compiling squid

AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[
  AH_TEMPLATE(SQUID_SSLTXTDB_PSTRINGDATA, "Define to 1 if the TXT_DB uses OPENSSL_PSTRING data member")
  AH_TEMPLATE(SQUID_STACKOF_PSTRINGDATA_HACK, "Define to 1 to use squid workaround for buggy versions of sk_OPENSSL_PSTRING_value")
  AH_TEMPLATE(SQUID_USE_SSLLHASH_HACK, "Define to 1 to use squid workaround for openssl IMPLEMENT_LHASH_* type conversion errors")

  SQUID_STATE_SAVE(check_TXTDB)

  LIBS="$LIBS $SSLLIB"
  squid_cv_check_openssl_pstring="no"
  AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member)
  AC_COMPILE_IFELSE([
  AC_LANG_PROGRAM(
    [
     #include <openssl/txt_db.h>
    ],
    [
    TXT_DB *db = NULL;
    int i = sk_OPENSSL_PSTRING_num(db->data);
    return 0;
    ])
  ],
  [
   AC_DEFINE(SQUID_SSLTXTDB_PSTRINGDATA, 1)
   AC_MSG_RESULT([yes])
   squid_cv_check_openssl_pstring="yes"
  ],
  [
   AC_MSG_RESULT([no])
  ],
  [])

  if test x"$squid_cv_check_openssl_pstring" = "xyes"; then
     AC_MSG_CHECKING(whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used)
     AC_COMPILE_IFELSE([
     AC_LANG_PROGRAM(
       [
        #include <openssl/txt_db.h>
       ],
       [
       TXT_DB *db = NULL;
       const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, 0));
       return (current_row != NULL);
       ])
     ],
     [
      AC_MSG_RESULT([no])
     ],
     [
      AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1)
      AC_MSG_RESULT([yes])
     ],
     [])
  fi

  AC_MSG_CHECKING(whether the workaround for OpenSSL IMPLEMENT_LHASH_  macros should used)
  AC_COMPILE_IFELSE([
  AC_LANG_PROGRAM(
    [
     #include <openssl/txt_db.h>

     static unsigned long index_serial_hash(const char **a){}
     static int index_serial_cmp(const char **a, const char **b){}
     static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
     static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
    ],
    [
    TXT_DB *db = NULL;
    TXT_DB_create_index(db, 1, NULL, LHASH_HASH_FN(index_serial_hash), LHASH_COMP_FN(index_serial_cmp));
    ])
  ],
  [
   AC_MSG_RESULT([no])
  ],
  [
   AC_MSG_RESULT([yes])
   AC_DEFINE(SQUID_USE_SSLLHASH_HACK, 1)
  ],
[])

SQUID_STATE_ROLLBACK(check_TXTDB)
])

dnl Check if we can rewrite the hello message stored in an SSL object.
dnl The tests are very basic, just check if the required members exist in
dnl SSL structure.
AC_DEFUN([SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK],[
  AH_TEMPLATE(SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK, "Define to 1 if hello message can be overwritten in SSL struct")
  SQUID_STATE_SAVE(check_openSSL_overwrite_hack)
  AC_MSG_CHECKING(whether hello message can be overwritten in SSL struct)

  AC_COMPILE_IFELSE([
  AC_LANG_PROGRAM(
    [
     #include <openssl/ssl.h>
     #include <openssl/err.h>
     #include <assert.h>
    ],
    [
    SSL *ssl;
    char *random, *msg;
    memcpy(ssl->s3->client_random, random, SSL3_RANDOM_SIZE);
    SSL3_BUFFER *wb=&(ssl->s3->wbuf);
    assert(wb->len == 0);
    memcpy(wb->buf, msg, 0);
    assert(wb->left == 0);
    memcpy(ssl->init_buf->data, msg, 0);
    ssl->init_num = 0;
    ssl->s3->wpend_ret = 0;
    ssl->s3->wpend_tot = 0;
    SSL_CIPHER *cipher = 0;
    assert(SSL_CIPHER_get_id(cipher));
    ])
  ],
  [
   AC_MSG_RESULT([possibly; to try, set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1])
  ],
  [
   AC_MSG_RESULT([no])
  ],
  [])

SQUID_STATE_ROLLBACK(check_openSSL_overwrite_hack)
]
)
Commit	Line	Data
4ac4a490	1	## Copyright (C) 1996-2017 The Squid Software Foundation and contributors
5d2e6f19 AJ	2	##
	3	## Squid software is distributed under GPLv2+ license and includes
	4	## contributions from numerous individuals and organizations.
	5	## Please see the COPYING and CONTRIBUTORS files for details.
	6	##
73862432	7
c2afddd8 AJ	8	dnl check whether regex works by actually compiling one
	9	dnl sets squid_cv_regex_works to either yes or no
	10
	11	AC_DEFUN([SQUID_CHECK_REGEX_WORKS],[
	12	AC_CACHE_CHECK([if the system-supplied regex lib actually works],squid_cv_regex_works,[
	13	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
	14	#if HAVE_SYS_TYPES_H
	15	#include <sys/types.h>
	16	#endif
	17	#if HAVE_REGEX_H
	18	#include <regex.h>
	19	#endif
	20	]], [[
	21	regex_t t; regcomp(&t,"",0);]])],
	22	[ squid_cv_regex_works=yes ],
	23	[ squid_cv_regex_works=no ])
	24	])
	25	])
	26
	27
2ef664d8 FC	28	AC_DEFUN([SQUID_CHECK_LIBIPHLPAPI],[
	29	AC_CACHE_CHECK([for libIpHlpApi],squid_cv_have_libiphlpapi,[
	30	SQUID_STATE_SAVE(iphlpapi)
	31	LIBS="$LIBS -liphlpapi"
	32	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
	33	#include <windows.h>
	34	#include <winsock2.h>
	35	#include <iphlpapi.h>
	36	]], [[
	37	MIB_IPNETTABLE i;
	38	unsigned long isz=sizeof(i);
	39	GetIpNetTable(&i,&isz,FALSE);
	40	]])],
	41	[squid_cv_have_libiphlpapi=yes
	42	SQUID_STATE_COMMIT(iphlpapi)],
	43	[squid_cv_have_libiphlpapi=no
	44	SQUID_STATE_ROLLBACK(iphlpapi)])
	45	])
	46	SQUID_STATE_ROLLBACK(iphlpapi)
	47	])
fc321c30	48
8d56fe55 AJ	49	dnl Checks whether the -lssl library provides OpenSSL TLS_*_method() definitions
	50	AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[
	51	AH_TEMPLATE(HAVE_OPENSSL_TLS_METHOD, "Define to 1 if the TLS_method() OpenSSL API function exists")
	52	AH_TEMPLATE(HAVE_OPENSSL_TLS_CLIENT_METHOD, "Define to 1 if the TLS_client_method() OpenSSL API function exists")
	53	AH_TEMPLATE(HAVE_OPENSSL_TLS_SERVER_METHOD, "Define to 1 if the TLS_server_method() OpenSSL API function exists")
	54	SQUID_STATE_SAVE(check_openssl_TLS_METHODS)
fe94990b	55	LIBS="$LIBS $SSLLIB"
8d56fe55 AJ	56	AC_CHECK_LIB(ssl, TLS_method, AC_DEFINE(HAVE_OPENSSL_TLS_METHOD, 1))
	57	AC_CHECK_LIB(ssl, TLS_client_method, AC_DEFINE(HAVE_OPENSSL_TLS_CLIENT_METHOD, 1))
	58	AC_CHECK_LIB(ssl, TLS_server_method, AC_DEFINE(HAVE_OPENSSL_TLS_SERVER_METHOD, 1))
	59	SQUID_STATE_ROLLBACK(check_openssl_TLS_METHODS)
	60	])
	61
17e98f24 AJ	62	dnl Checks whether the -lcrypto library provides various OpenSSL API functions
	63	AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
	64	AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists")
	65	AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists")
	66	AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists")
	67	AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists")
	68	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists")
	69	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists")
	70	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists")
	71	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists")
fe94990b AJ	72	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_UP_REF, "Define to 1 if the X509_up_ref() OpenSSL API function exists")
	73	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists")
	74	AH_TEMPLATE(HAVE_LIBCRYPTO_DH_UP_REF, "Define to 1 if the DH_up_ref() OpenSSL API function exists")
5107d2c4	75	AH_TEMPLATE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, "Define to 1 if the X509_get0_signature() OpenSSL API function exists")
17e98f24	76	SQUID_STATE_SAVE(check_openssl_libcrypto_api)
fe94990b	77	LIBS="$LIBS $SSLLIB"
17e98f24 AJ	78	AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
	79	AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
	80	AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1))
	81	AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1))
	82	AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1))
	83	AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1))
	84	AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1))
	85	AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1))
fe94990b AJ	86	AC_CHECK_LIB(crypto, X509_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_UP_REF, 1))
	87	AC_CHECK_LIB(crypto, X509_CRL_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, 1))
	88	AC_CHECK_LIB(crypto, DH_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_DH_UP_REF, 1))
5107d2c4	89	AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1))
17e98f24 AJ	90	SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api)
	91	])
	92
	93	dnl Checks whether the -lssl library provides various OpenSSL API functions
	94	AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
	95	AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists")
	96	AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists")
	97	AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists")
	98	SQUID_STATE_SAVE(check_openssl_libssl_api)
fe94990b	99	LIBS="$LIBS $SSLLIB"
17e98f24 AJ	100	AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
	101	AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
	102	AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1))
	103	SQUID_STATE_ROLLBACK(check_openssl_libssl_api)
	104	])
	105
fc321c30 CT	106	dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
	107	dnl workaround can be used instead of using the SSL_get_certificate
	108	AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
	109	AH_TEMPLATE(SQUID_SSLGETCERTIFICATE_BUGGY, "Define to 1 if the SSL_get_certificate crashes squid")
	110	AH_TEMPLATE(SQUID_USE_SSLGETCERTIFICATE_HACK, "Define to 1 to use squid workaround for SSL_get_certificate")
	111	SQUID_STATE_SAVE(check_SSL_get_certificate)
216eee00	112	LIBS="$SSLLIB $LIBS"
fc321c30 CT	113	if test "x$SSLLIBDIR" != "x"; then
	114	LIBS="$LIBS -Wl,-rpath -Wl,$SSLLIBDIR"
	115	fi
	116
	117	AC_MSG_CHECKING(whether the SSL_get_certificate is buggy)
	118	AC_RUN_IFELSE([
	119	AC_LANG_PROGRAM(
	120	[
	121	#include <openssl/ssl.h>
	122	#include <openssl/err.h>
	123	],
	124	[
	125	SSLeay_add_ssl_algorithms();
8d56fe55	126	#if HAVE_OPENSSL_TLS_METHOD
1f3e0389 SH	127	SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
	128	#else
	129	SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
	130	#endif
fc321c30 CT	131	SSL *ssl = SSL_new(sslContext);
	132	X509* cert = SSL_get_certificate(ssl);
	133	return 0;
	134	])
	135	],
	136	[
	137	AC_MSG_RESULT([no])
	138	],
	139	[
	140	AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 1)
	141	AC_MSG_RESULT([yes])
	142	],
958ae827 AJ	143	[
	144	AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 0)
	145	AC_MSG_RESULT([cross-compile, assuming no])
	146	])
fc321c30 CT	147
	148	AC_MSG_CHECKING(whether the workaround for SSL_get_certificate works)
	149	AC_RUN_IFELSE([
	150	AC_LANG_PROGRAM(
	151	[
	152	#include <openssl/ssl.h>
	153	#include <openssl/err.h>
	154	],
	155	[
	156	SSLeay_add_ssl_algorithms();
8d56fe55	157	#if HAVE_OPENSSL_TLS_METHOD
1f3e0389 SH	158	SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
	159	#else
	160	SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
	161	#endif
fc321c30 CT	162	X509 *pCert = (X509 *)sslContext->cert;
	163	X509 sslCtxCert = pCert && pCert ? *pCert : (X509 )0x1;
	164	if (sslCtxCert != NULL)
	165	return 1;
	166	return 0;
	167	])
	168	],
	169	[
	170	AC_MSG_RESULT([yes])
	171	AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 1)
	172	],
	173	[
	174	AC_MSG_RESULT([no])
	175	],
958ae827 AJ	176	[
	177	AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 0)
	178	AC_MSG_RESULT([cross-compile, assuming no])
	179	])
fc321c30 CT	180
	181	SQUID_STATE_ROLLBACK(check_SSL_get_certificate)
	182	])
fee5325b	183
19179f7c CT	184	dnl Checks whether the SSL_CTX_new and similar functions require
	185	dnl a const 'SSL_METHOD *' argument
	186	AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[
	187	AH_TEMPLATE(SQUID_USE_CONST_SSL_METHOD, "Define to 1 if the SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'")
	188	SQUID_STATE_SAVE(check_const_SSL_METHOD)
	189	AC_MSG_CHECKING(whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'")
	190
	191	AC_COMPILE_IFELSE([
	192	AC_LANG_PROGRAM(
	193	[
	194	#include <openssl/ssl.h>
	195	#include <openssl/err.h>
	196	],
	197	[
	198	const SSL_METHOD *method = NULL;
	199	SSL_CTX *sslContext = SSL_CTX_new(method);
	200	return (sslContext != NULL);
	201	])
	202	],
	203	[
	204	AC_DEFINE(SQUID_USE_CONST_SSL_METHOD, 1)
	205	AC_MSG_RESULT([yes])
	206	],
	207	[
	208	AC_MSG_RESULT([no])
	209	],
	210	[])
	211
	212	SQUID_STATE_ROLLBACK(check_const_SSL_METHOD)
7d841344 AJ	213	])
	214
	215	dnl Checks whether the CRYPTO_EX_DATA duplication callback for SSL_get_ex_new_index() has a const argument
	216	AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYPTO_EX_DATA],[
	217	AH_TEMPLATE(SQUID_USE_CONST_CRYPTO_EX_DATA_DUP, "Define to 1 if the SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'")
	218	SQUID_STATE_SAVE(check_const_CRYPTO_EX_DATA)
	219	AC_MSG_CHECKING(whether SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'")
	220	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
	221	#include <openssl/ssl.h>
	222
	223	int const_dup_func(CRYPTO_EX_DATA , const CRYPTO_EX_DATA , void , int, long, void ) {
	224	return 0;
	225	}
	226	],[
	227	return SSL_get_ex_new_index(0, (void*)"foo", NULL, &const_dup_func, NULL);
	228	])
	229	],[
	230	AC_DEFINE(SQUID_USE_CONST_CRYPTO_EX_DATA_DUP, 1)
	231	AC_MSG_RESULT([yes])
	232	],[
	233	AC_MSG_RESULT([no])
	234	])
	235	SQUID_STATE_ROLLBACK(check_const_CRYPTO_EX_DATA)
	236	])
	237
	238	dnl Checks whether the callback for SSL_CTX_sess_set_get_cb() accepts a const ID argument
	239	AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_SESSION_CB_ARG],[
	240	AH_TEMPLATE(SQUID_USE_CONST_SSL_SESSION_CBID, "Define to 1 if the SSL_CTX_sess_set_get_cb() callback accepts a const ID argument")
	241	SQUID_STATE_SAVE(check_const_SSL_CTX_sess_set_get_cb)
	242	AC_MSG_CHECKING(whether SSL_CTX_sess_set_get_cb() callback accepts a const ID argument")
	243	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
	244	#include <openssl/ssl.h>
	245
	246	SSL_SESSION get_session_cb(SSL , const unsigned char ID, int, int ) {
	247	return NULL;
	248	}
	249	],[
	250	SSL_CTX_sess_set_get_cb(NULL, get_session_cb);
	251	return 0;
	252	])
	253	],[
	254	AC_DEFINE(SQUID_USE_CONST_SSL_SESSION_CBID, 1)
	255	AC_MSG_RESULT([yes])
	256	],[
	257	AC_MSG_RESULT([no])
	258	])
	259	SQUID_STATE_ROLLBACK(check_const_SSL_CTX_sess_set_get_cb)
	260	])
fee5325b CT	261
	262	dnl Try to handle TXT_DB related problems:
	263	dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version
	264	dnl 2) The IMPLEMENT_LHASH_* openSSL macros in openSSL-1.0.1 and later releases is not
	265	dnl implemented correctly and causes type conversion errors while compiling squid
	266
	267	AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[
	268	AH_TEMPLATE(SQUID_SSLTXTDB_PSTRINGDATA, "Define to 1 if the TXT_DB uses OPENSSL_PSTRING data member")
19179f7c	269	AH_TEMPLATE(SQUID_STACKOF_PSTRINGDATA_HACK, "Define to 1 to use squid workaround for buggy versions of sk_OPENSSL_PSTRING_value")
fee5325b CT	270	AH_TEMPLATE(SQUID_USE_SSLLHASH_HACK, "Define to 1 to use squid workaround for openssl IMPLEMENT_LHASH_* type conversion errors")
	271
	272	SQUID_STATE_SAVE(check_TXTDB)
	273
	274	LIBS="$LIBS $SSLLIB"
19179f7c	275	squid_cv_check_openssl_pstring="no"
fee5325b CT	276	AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member)
	277	AC_COMPILE_IFELSE([
	278	AC_LANG_PROGRAM(
	279	[
	280	#include <openssl/txt_db.h>
	281	],
	282	[
	283	TXT_DB *db = NULL;
	284	int i = sk_OPENSSL_PSTRING_num(db->data);
	285	return 0;
	286	])
	287	],
	288	[
	289	AC_DEFINE(SQUID_SSLTXTDB_PSTRINGDATA, 1)
	290	AC_MSG_RESULT([yes])
19179f7c	291	squid_cv_check_openssl_pstring="yes"
fee5325b CT	292	],
	293	[
	294	AC_MSG_RESULT([no])
	295	],
	296	[])
	297
19179f7c CT	298	if test x"$squid_cv_check_openssl_pstring" = "xyes"; then
	299	AC_MSG_CHECKING(whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used)
	300	AC_COMPILE_IFELSE([
	301	AC_LANG_PROGRAM(
	302	[
	303	#include <openssl/txt_db.h>
	304	],
	305	[
	306	TXT_DB *db = NULL;
	307	const char current_row = ((const char )sk_OPENSSL_PSTRING_value(db->data, 0));
	308	return (current_row != NULL);
	309	])
	310	],
	311	[
	312	AC_MSG_RESULT([no])
	313	],
	314	[
	315	AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1)
	316	AC_MSG_RESULT([yes])
	317	],
	318	[])
	319	fi
	320
fee5325b CT	321	AC_MSG_CHECKING(whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used)
	322	AC_COMPILE_IFELSE([
	323	AC_LANG_PROGRAM(
	324	[
	325	#include <openssl/txt_db.h>
	326
	327	static unsigned long index_serial_hash(const char **a){}
	328	static int index_serial_cmp(const char a, const char b){}
	329	static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
	330	static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
	331	],
	332	[
	333	TXT_DB *db = NULL;
	334	TXT_DB_create_index(db, 1, NULL, LHASH_HASH_FN(index_serial_hash), LHASH_COMP_FN(index_serial_cmp));
	335	])
	336	],
	337	[
	338	AC_MSG_RESULT([no])
	339	],
	340	[
	341	AC_MSG_RESULT([yes])
	342	AC_DEFINE(SQUID_USE_SSLLHASH_HACK, 1)
	343	],
	344	[])
	345
	346	SQUID_STATE_ROLLBACK(check_TXTDB)
	347	])
a95989ed	348
1110989a CT	349	dnl Check if we can rewrite the hello message stored in an SSL object.
	350	dnl The tests are very basic, just check if the required members exist in
	351	dnl SSL structure.
a95989ed CT	352	AC_DEFUN([SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK],[
	353	AH_TEMPLATE(SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK, "Define to 1 if hello message can be overwritten in SSL struct")
	354	SQUID_STATE_SAVE(check_openSSL_overwrite_hack)
	355	AC_MSG_CHECKING(whether hello message can be overwritten in SSL struct)
	356
	357	AC_COMPILE_IFELSE([
	358	AC_LANG_PROGRAM(
	359	[
	360	#include <openssl/ssl.h>
	361	#include <openssl/err.h>
	362	#include <assert.h>
	363	],
	364	[
	365	SSL *ssl;
	366	char random, msg;
	367	memcpy(ssl->s3->client_random, random, SSL3_RANDOM_SIZE);
	368	SSL3_BUFFER *wb=&(ssl->s3->wbuf);
	369	assert(wb->len == 0);
	370	memcpy(wb->buf, msg, 0);
	371	assert(wb->left == 0);
	372	memcpy(ssl->init_buf->data, msg, 0);
	373	ssl->init_num = 0;
	374	ssl->s3->wpend_ret = 0;
	375	ssl->s3->wpend_tot = 0;
b44de379 AR	376	SSL_CIPHER *cipher = 0;
b44de379 AR	377	assert(SSL_CIPHER_get_id(cipher));
a95989ed CT	378	])
	379	],
	380	[
88a300ce	381	AC_MSG_RESULT([possibly; to try, set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1])
a95989ed CT	382	],
	383	[
	384	AC_MSG_RESULT([no])
	385	],
	386	[])
	387
	388	SQUID_STATE_ROLLBACK(check_openSSL_overwrite_hack)
	389	]
	390	)