mongo-php-driver/scripts/autotools/libmongoc/CheckSSL.m4 at d84f2bb92573eecfa475b9913d7ae15d13edfdd1 · alcaeus/mongo-php-driver · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
PHP_ARG_WITH([mongodb-ssl],
             [whether to enable crypto and TLS],
             [AS_HELP_STRING([--with-mongodb-ssl=@<:@auto/openssl/darwin/no@:>@],
                             [MongoDB: Enable TLS connections and SCRAM-SHA-1 authentication [default=auto]])],
             [auto],
             [no])

dnl PHP_ARG_WITH without a value assigns "yes". Treat it like "auto" but
dnl require a crypto library.
if test "$PHP_MONGODB_SSL" = "yes"; then
  PHP_MONGODB_SSL="auto"
fi

dnl TODO 3.0: Remove libressl from valid options
PHP_MONGODB_VALIDATE_ARG([PHP_MONGODB_SSL], [auto openssl libressl darwin no])

if test "$PHP_MONGODB_SSL" = "libressl"; then
  dnl libressl is a valid option, but it is not supported by libmongoc
  dnl Warn users that it is not supported and treat it like "auto"
  PHP_MONGODB_SSL="auto"
  AC_MSG_WARN([Building with libressl is not supported by libmongoc. Falling back to "auto".])
fi

if test "$PHP_MONGODB_SSL" = "auto" -o "$PHP_MONGODB_SSL" = "no"; then
  crypto_required="no"
else
  crypto_required="yes"
fi

AS_IF([test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "auto"],[
  found_openssl="no"

  dnl OpenSSL 1.0.1 is required for libmongoc 1.24+ (CDRIVER-3562). This can be
  dnl enforced through pkg-config but not the PHP_CHECK_LIBRARY fallback.
  PKG_CHECK_MODULES([PHP_MONGODB_SSL],[openssl >= 1.0.1],[
    PHP_MONGODB_BUNDLED_CFLAGS="$PHP_MONGODB_BUNDLED_CFLAGS $PHP_MONGODB_SSL_CFLAGS"
    PHP_EVAL_LIBLINE([$PHP_MONGODB_SSL_LIBS],[MONGODB_SHARED_LIBADD])
    PHP_MONGODB_SSL="openssl"
    found_openssl="yes"

    old_CFLAGS="$CFLAGS"
    CFLAGS="$PHP_MONGODB_SSL_CFLAGS $CFLAGS"

    AC_CHECK_DECLS([ASN1_STRING_get0_data],
                   [have_ASN1_STRING_get0_data="yes"],
                   [have_ASN1_STRING_get0_data="no"],
                   [[#include <openssl/asn1.h>]])

    CFLAGS="$old_CFLAGS"
  ],[
    unset OPENSSL_INCDIR
    unset OPENSSL_LIBDIR

    dnl Use a list of directories from PHP_SETUP_OPENSSL by default.
    OPENSSL_SEARCH_PATHS="/usr/local/ssl /usr/local /usr /usr/local/openssl"

    for i in $OPENSSL_SEARCH_PATHS; do
      if test -r $i/include/openssl/evp.h; then
        OPENSSL_INCDIR="$i/include"
      fi
      if test -r $i/$PHP_LIBDIR/libssl.a -o -r $i/$PHP_LIBDIR/libssl.$SHLIB_SUFFIX_NAME; then
        OPENSSL_LIBDIR="$i/$PHP_LIBDIR"
      fi
      test -n "$OPENSSL_INCDIR" && test -n "$OPENSSL_LIBDIR" && break
    done

    if test -n "$OPENSSL_LIBDIR"; then
      OPENSSL_LIBDIR_LDFLAG="-L$OPENSSL_LIBDIR"
    fi

    PHP_CHECK_LIBRARY([crypto],
                      [EVP_DigestInit_ex],
                      [have_crypto_lib="yes"],
                      [have_crypto_lib="no"],
                      [$OPENSSL_LIBDIR_LDFLAG])

    dnl Check whether OpenSSL >= 1.1.0 is available
    PHP_CHECK_LIBRARY([ssl],
                      [OPENSSL_init_ssl],
                      [have_ssl_lib="yes"],
                      [have_ssl_lib="no"],
                      [$OPENSSL_LIBDIR_LDFLAG -lcrypto])

    dnl If necessary, check whether OpenSSL < 1.1.0 is available
    if test "$have_ssl_lib" = "no"; then
        PHP_CHECK_LIBRARY([ssl],
                          [SSL_library_init],
                          [have_ssl_lib="yes"],
                          [have_ssl_lib="no"],
                          [$OPENSSL_LIBDIR_LDFLAG -lcrypto])
    fi

    if test "$have_ssl_lib" = "yes" -a "$have_crypto_lib" = "yes"; then
      PHP_ADD_LIBRARY([ssl],,[MONGODB_SHARED_LIBADD])
      PHP_ADD_LIBRARY([crypto],,[MONGODB_SHARED_LIBADD])

      if test -n "$OPENSSL_LIBDIR"; then
        PHP_ADD_LIBPATH([$OPENSSL_LIBDIR],[MONGODB_SHARED_LIBADD])
      fi

      if test -n "$OPENSSL_INCDIR"; then
        PHP_ADD_INCLUDE($OPENSSL_INCDIR)
      fi

      old_CFLAGS="$CFLAGS"
      CFLAGS="-I$OPENSSL_INCDIR $CFLAGS"

      AC_CHECK_DECLS([ASN1_STRING_get0_data],
                     [have_ASN1_STRING_get0_data="yes"],
                     [have_ASN1_STRING_get0_data="no"],
                     [[#include <openssl/asn1.h>]])

      CFLAGS="$old_CFLAGS"

      PHP_MONGODB_SSL="openssl"
      found_openssl="yes"
    fi
  ])

  if test "$PHP_MONGODB_SSL" = "openssl" -a "$found_openssl" != "yes"; then
    AC_MSG_ERROR([OpenSSL libraries and development headers could not be found])
  fi
])

AS_IF([test "$PHP_MONGODB_SSL" = "darwin" -o \( "$PHP_MONGODB_SSL" = "auto" -a "$os_darwin" = "yes" \)],[
  if test "$os_darwin" = "no"; then
    AC_MSG_ERROR([Darwin SSL is only supported on macOS])
  fi

  dnl PHP_FRAMEWORKS is only used for SAPI builds, so use MONGODB_SHARED_LIBADD for shared builds
  if test "$ext_shared" = "yes"; then
    MONGODB_SHARED_LIBADD="-framework Security -framework CoreFoundation $MONGODB_SHARED_LIBADD"
  else
    PHP_ADD_FRAMEWORK([Security])
    PHP_ADD_FRAMEWORK([CoreFoundation])
  fi

  PHP_MONGODB_SSL="darwin"
])

AS_IF([test "$PHP_MONGODB_SSL" = "auto"],[
  if test "$crypto_required" = "yes"; then
    AC_MSG_ERROR([crypto and TLS libraries not found])
  fi
  PHP_MONGODB_SSL="no"
])

AC_MSG_CHECKING([which TLS library to use])
AC_MSG_RESULT([$PHP_MONGODB_SSL])

dnl Disable Windows SSL and crypto
AC_SUBST(MONGOC_ENABLE_SSL_SECURE_CHANNEL, 0)
AC_SUBST(MONGOC_ENABLE_CRYPTO_CNG, 0)
AC_SUBST(MONGOC_HAVE_BCRYPT_PBKDF2, 0)

if test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "darwin"; then
  AC_SUBST(MONGOC_ENABLE_SSL, 1)
  AC_SUBST(MONGOC_ENABLE_CRYPTO, 1)
  if test "$PHP_MONGODB_SSL" = "darwin"; then
    AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 0)
    AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 1)
    AC_SUBST(MONGOC_ENABLE_CRYPTO_LIBCRYPTO, 0)
    AC_SUBST(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO, 1)

    PHP_MONGODB_BUNDLED_CFLAGS="$PHP_MONGODB_BUNDLED_CFLAGS -DKMS_MESSAGE_ENABLE_CRYPTO=1 -DKMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO=1"
  elif test "$PHP_MONGODB_SSL" = "openssl"; then
    AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 1)
    AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 0)
    AC_SUBST(MONGOC_ENABLE_CRYPTO_LIBCRYPTO, 1)
    AC_SUBST(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO, 0)

    PHP_MONGODB_BUNDLED_CFLAGS="$PHP_MONGODB_BUNDLED_CFLAGS -DKMS_MESSAGE_ENABLE_CRYPTO=1 -DKMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO=1"
  fi
else
  AC_SUBST(MONGOC_ENABLE_SSL, 0)
  AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 0)
  AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 0)
  AC_SUBST(MONGOC_ENABLE_CRYPTO, 0)
  AC_SUBST(MONGOC_ENABLE_CRYPTO_LIBCRYPTO, 0)
  AC_SUBST(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO, 0)
fi

if test "$have_ASN1_STRING_get0_data" = "yes"; then
  AC_SUBST(MONGOC_HAVE_ASN1_STRING_GET0_DATA, 1)
else
  AC_SUBST(MONGOC_HAVE_ASN1_STRING_GET0_DATA, 0)
fi

PHP_ARG_ENABLE([mongodb-crypto-system-profile],
               [whether to use system crypto profile],
               [AS_HELP_STRING([--enable-mongodb-crypto-system-profile],
                               [MongoDB: Use system crypto profile (OpenSSL only) [default=no]])],
               [no],
               [no])
PHP_MONGODB_VALIDATE_ARG([PHP_MONGODB_CRYPTO_SYSTEM_PROFILE], [yes no])

if test "$PHP_MONGODB_CRYPTO_SYSTEM_PROFILE" = "yes"; then
  if test "$PHP_MONGODB_SSL" = "openssl"; then
    AC_SUBST(MONGOC_ENABLE_CRYPTO_SYSTEM_PROFILE, 1)
  else
    AC_MSG_ERROR([System crypto profile is only available with OpenSSL])
  fi
else
  AC_SUBST(MONGOC_ENABLE_CRYPTO_SYSTEM_PROFILE, 0)
fi