From: Daniel McCarney Date: Wed, 2 Apr 2025 13:09:57 +0000 (-0400) Subject: build: check required rustls-ffi version X-Git-Tag: curl-8_14_0~332 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ade14b6668892e42cf0c5a293bed4bc09d83805;p=thirdparty%2Fcurl.git build: check required rustls-ffi version Try to enforce that the Rustls vTLS backend is only used with rustls-ffi 0.15 - the documentation already describes this as the required version. Follow-up from https://github.com/curl/curl/issues/16890 Closes #16922
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a0ab0b184f..4bbf7aede2 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -943,6 +943,22 @@ if(CURL_USE_RUSTLS)
 string(APPEND CMAKE_C_FLAGS " ${RUSTLS_CFLAGS}")
 endif()
+ if(NOT DEFINED HAVE_RUSTLS_SUPPORTED_HPKE)
+ if(RUSTLS_VERSION AND RUSTLS_VERSION VERSION_GREATER_EQUAL "0.15")
+ set(HAVE_RUSTLS_SUPPORTED_HPKE TRUE)
+ elseif(NOT RUSTLS_VERSION)
+ cmake_push_check_state()
+ list(APPEND CMAKE_REQUIRED_INCLUDES ${RUSTLS_INCLUDE_DIRS})
+ list(APPEND CMAKE_REQUIRED_LIBRARIES ${RUSTLS_LIBRARIES})
+ curl_required_libpaths("${RUSTLS_LIBRARY_DIRS}")
+ check_symbol_exists("rustls_supported_hpke" "rustls.h" HAVE_RUSTLS_SUPPORTED_HPKE)
+ cmake_pop_check_state()
+ endif()
+ endif()
+ if(NOT HAVE_RUSTLS_SUPPORTED_HPKE)
+ message(FATAL_ERROR "rustls-ffi library does not provide rustls_supported_hpke function. Required version is 0.15 or newer.")
+ endif()
+
 if(CURL_DEFAULT_SSL_BACKEND AND CURL_DEFAULT_SSL_BACKEND STREQUAL "rustls")
 set(_valid_default_ssl_backend TRUE)
 endif()
diff --git a/m4/curl-rustls.m4 b/m4/curl-rustls.m4
index 40d7af05df..13022f3963 100644
--- a/m4/curl-rustls.m4
+++ b/m4/curl-rustls.m4
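Review bot: When `RUSTLS_VERSION` is known but older than 0.15, neither the `if` nor the `elseif(NOT RUSTLS_VERSION)` branch runs, so the build stops with a message saying the library lacks `rustls_supported_hpke` even though no symbol check was made. The same message is also what a user sees if the `check_symbol_exists` probe fails for an unrelated reason, such as a missing include or library path. Reporting the detected version would make the cause clear, for example `message(FATAL_ERROR "rustls-ffi 0.15 or newer is required (detected version: '${RUSTLS_VERSION}', rustls_supported_hpke not found).")`. The enclosing `if(CURL_USE_RUSTLS)` block starts and ends outside the hunk.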
@@ -88,22 +88,16 @@ if test "x$OPT_RUSTLS" != xno; then
 else
 RUSTLS_LDFLAGS="-lpthread -ldl -lm"
 fi
- AC_CHECK_LIB(rustls, rustls_connection_read,
- [
- AC_DEFINE(USE_RUSTLS, 1, [if Rustls is enabled])
- RUSTLS_ENABLED=1
- USE_RUSTLS="yes"
- ssl_msg="rustls"
- test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
- ],
- AC_MSG_ERROR([--with-rustls was specified but could not find Rustls.]),
- $RUSTLS_LDFLAGS)
 LIB_RUSTLS="$PREFIX_RUSTLS/lib$libsuff"
 if test "$PREFIX_RUSTLS" != "/usr" ; then
 SSL_LDFLAGS="-L$LIB_RUSTLS $RUSTLS_LDFLAGS"
 SSL_CPPFLAGS="-I$PREFIX_RUSTLS/include"
 fi
+
+ dnl we will verify AC_CHECK_LIB later on
+ AC_DEFINE(USE_RUSTLS, 1, [if Rustls is enabled])
+ USE_RUSTLS="yes"
 fi
 ;;
 esac
@@ -176,6 +170,17 @@ if test "x$OPT_RUSTLS" != xno; then
 if test -n "$link_pkgconfig"; then
 LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE rustls"
 fi
+
+ AC_CHECK_LIB(rustls, rustls_supported_hpke,
+ [
+ AC_DEFINE(USE_RUSTLS, 1, [if Rustls is enabled])
+ RUSTLS_ENABLED=1
+ USE_RUSTLS="yes"
+ ssl_msg="rustls"
+ test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+ ],
+ AC_MSG_ERROR([--with-rustls was specified but could not find compatible Rustls.]),
+ $RUSTLS_LDFLAGS)
 fi
 test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
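Review bot: In the `@@ -88,22 +88,16 @@` hunk, `USE_RUSTLS` is now defined and set to "yes" before anything has been linked against the library. The check that justifies it sits in the `@@ -176,6 +170,17 @@` hunk, whose enclosing condition is outside both hunks. If that later block can be skipped on some configure path, the backend would be enabled with no compatibility check at all, so this is worth confirming against the full file. The later success branch also repeats `AC_DEFINE(USE_RUSTLS, 1, ...)` and `USE_RUSTLS="yes"`, so one of the two copies looks redundant. The comment would be clearer as `dnl compatibility is verified by the AC_CHECK_LIB(rustls, rustls_supported_hpke) call further down`.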
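Review bot: The new `AC_MSG_ERROR` text in the `@@ -176,6 +170,17 @@` hunk says only "could not find compatible Rustls" and does not name the required version, while the CMake side of this commit states 0.15 or newer. A link failure caused by a wrong library path or missing system libraries would produce the same text as a genuinely old library. Suggested wording: `AC_MSG_ERROR([--with-rustls was specified but could not find compatible Rustls (rustls-ffi 0.15 or newer is required).])`. The block this check sits in opens outside the hunk.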