Make OpenSSL auto-enable by default

acinclude/lib-checks.m4

@@ -32,7 +32,6 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[
   AH_TEMPLATE(HAVE_OPENSSL_TLS_CLIENT_METHOD, "Define to 1 if the TLS_client_method() OpenSSL API function exists")
   AH_TEMPLATE(HAVE_OPENSSL_TLS_SERVER_METHOD, "Define to 1 if the TLS_server_method() OpenSSL API function exists")
   SQUID_STATE_SAVE(check_openssl_TLS_METHODS)
-  LIBS="$LIBS $SSLLIB"
   AC_CHECK_LIB(ssl, TLS_method, AC_DEFINE(HAVE_OPENSSL_TLS_METHOD, 1))
   AC_CHECK_LIB(ssl, TLS_client_method, AC_DEFINE(HAVE_OPENSSL_TLS_CLIENT_METHOD, 1))
   AC_CHECK_LIB(ssl, TLS_server_method, AC_DEFINE(HAVE_OPENSSL_TLS_SERVER_METHOD, 1))
@@ -60,7 +59,6 @@ AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
   AH_TEMPLATE(HAVE_SSL_GET0_PARAM, "Define to 1 of the SSL_get0_param() OpenSSL API function exists")
   AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET_DEFAULT_DIGEST_NAME, "Define to 1 if the EVP_PKEY_get_default_digest_name() OpenSSL API function exists")
   SQUID_STATE_SAVE(check_openssl_libcrypto_api)
-  LIBS="$LIBS $SSLLIB"
   AC_CHECK_LIB(crypto, OPENSSL_LH_strhash, AC_DEFINE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, 1))
   AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
   AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
@@ -91,7 +89,6 @@ AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
   AH_TEMPLATE(HAVE_LIBSSL_SSL_GET_CLIENT_RANDOM, "Define to 1 if the SSL_get_client_random() OpenSSL API function exists")
   AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_MASTER_KEY, "Define to 1 if the SSL_SESSION_get_master_key() OpenSSL API function exists")
   SQUID_STATE_SAVE(check_openssl_libssl_api)
-  LIBS="$LIBS $SSLLIB"
   AC_CHECK_LIB(ssl, OPENSSL_init_ssl, AC_DEFINE(HAVE_LIBSSL_OPENSSL_INIT_SSL, 1))
   AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
   AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
@@ -107,8 +104,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
   AH_TEMPLATE(SQUID_SSLGETCERTIFICATE_BUGGY, "Define to 1 if the SSL_get_certificate crashes squid")
   AH_TEMPLATE(SQUID_USE_SSLGETCERTIFICATE_HACK, "Define to 1 to use squid workaround for SSL_get_certificate")
   SQUID_STATE_SAVE(check_SSL_get_certificate)
-  LIBS="$SSLLIB $LIBS"
-  AS_IF([test "x$SSLLIBDIR" != "x"],[LIBS="$LIBS -Wl,-rpath -Wl,$SSLLIBDIR"])
+  AS_IF([test "x$LIBOPENSSL_PATH" != "x"],[LIBS="$LIBS -Wl,-rpath -Wl,$LIBOPENSSL_PATH"])
 
   AC_MSG_CHECKING(whether the SSL_get_certificate is buggy)
   AC_RUN_IFELSE([
@@ -297,7 +293,6 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[
 
   SQUID_STATE_SAVE(check_TXTDB)
 
-  LIBS="$LIBS $SSLLIB"
   squid_cv_check_openssl_pstring="no"
   AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member)
   AC_COMPILE_IFELSE([AC_LANG_PROGRAM([

acinclude/squid-util.m4

@@ -263,19 +263,6 @@ AC_DEFUN([SQUID_AUTO_LIB],[
     ])
   ])
 ])
-dnl same as SQUID_AUTO_LIB but for default-disabled libraries
-AC_DEFUN([SQUID_OPTIONAL_LIB],[
-  AC_ARG_WITH([$1],AS_HELP_STRING([--with-$1],[Compile with the $2 library.]),[
-    AS_CASE(["$withval"],[yes|no],,[
-      AS_IF([test ! -d "$withval"],AC_MSG_ERROR([--with-$1 path does not point to a directory]))
-      m4_translit([with_$1], [-+.], [___])=yes
-      AS_IF([test -d "$withval/lib64"],[$3_PATH="$$3_PATH -L$withval/lib64"])
-      AS_IF([test -d "$withval/lib"],[$3_PATH="$$3_PATH -L$withval/lib"])
-      AS_IF([test -d "$withval/include"],[$3_CFLAGS="$$3_CFLAGS -I$withval/include"])
-    ])
-  ])
-  AS_IF([test "x$withval" = "x"],[m4_translit([with_$1], [-+.], [___])=no])
-])
 
 AC_DEFUN([SQUID_EMBED_BUILD_INFO],[
   AC_ARG_ENABLE([build-info],

compat/Makefile.am

@@ -17,7 +17,7 @@ include $(top_srcdir)/src/Common.am
 COMPAT_SSL_ALL_SOURCES = \
 	openssl.h
 
-if ENABLE_SSL
+if ENABLE_LIBOPENSSL
 COMPAT_SSL_SOURCES = $(COMPAT_SSL_ALL_SOURCES)
 else
 COMPAT_SSL_SOURCES =

compat/openssl.h

@@ -19,8 +19,8 @@
 #ifndef SQUID_COMPAT_OPENSSL_H
 #define SQUID_COMPAT_OPENSSL_H
 
-#if !USE_OPENSSL
-#error compat/openssl.h depends on USE_OPENSSL
+#if !HAVE_LIBOPENSSL
+#error compat/openssl.h depends on HAVE_LIBOPENSSL
 #endif
 
 #include <algorithm>

configure.ac

@@ -1056,43 +1056,10 @@ SQUID_CHECK_LIB_WORKS(gnutls,[
   ],[:])
 ])
 
-SSLLIB=""
-dnl User may specify OpenSSL is needed from a non-standard location
-SQUID_OPTIONAL_LIB(openssl,[OpenSSL],[LIBOPENSSL])
-AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available])
-## OpenSSL is default disable due to licensing issues on some OS
-AS_IF([test "x$with_openssl" = "xyes"],[
-  CPPFLAGS="$LIBOPENSSL_CFLAGS $CPPFLAGS"
-  AC_CHECK_HEADERS( \
-    openssl/asn1.h \
-    openssl/bio.h \
-    openssl/bn.h \
-    openssl/crypto.h \
-    openssl/decoder.h \
-    openssl/dh.h \
-    openssl/err.h \
-    openssl/evp.h \
-    openssl/lhash.h \
-    openssl/md5.h \
-    openssl/opensslv.h \
-    openssl/rsa.h \
-    openssl/ssl.h \
-    openssl/x509.h \
-    openssl/x509v3.h \
-    openssl/engine.h \
-    openssl/txt_db.h \
-    openssl/pem.h \
-  )
-
-  # User may have provided a custom location for OpenSSL. Otherwise...
-  SQUID_STATE_SAVE(squid_openssl_state)
+SQUID_AUTO_LIB(openssl,[OpenSSL],[LIBOPENSSL])
+SQUID_CHECK_LIB_WORKS(openssl,[
   LIBS="$LIBS $LIBOPENSSL_PATH"
-
-  # auto-detect using pkg-config
-  PKG_CHECK_MODULES([LIBOPENSSL],[openssl],,[
-    ## For some OS pkg-config is broken or unavailable.
-    ## Detect libraries the hard way.
-
+  PKG_CHECK_MODULES([LIBOPENSSL],[openssl >= 3],[:],[
     # Windows MinGW has some special libraries ...
     AS_IF([test "x$squid_host_os" = "xmingw"],[
       LIBOPENSSL_LIBS='-lssleay32 -leay32 -lgdi32 $LIBOPENSSL_LIBS'
@@ -1107,19 +1074,35 @@ AS_IF([test "x$with_openssl" = "xyes"],[
     ],$LIBOPENSSL_LIBS)
   ])
 
-  SQUID_STATE_ROLLBACK(squid_openssl_state) #de-pollute LIBS
-
   AS_IF([test "x$LIBOPENSSL_LIBS" != "x"],[
     CXXFLAGS="$LIBOPENSSL_CFLAGS $CXXFLAGS"
-    SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB"
-    AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
+    LIBS="$LIBS $LIBOPENSSL_LIBS"
+    AC_CHECK_HEADERS( \
+      openssl/asn1.h \
+      openssl/bio.h \
+      openssl/bn.h \
+      openssl/crypto.h \
+      openssl/decoder.h \
+      openssl/dh.h \
+      openssl/err.h \
+      openssl/evp.h \
+      openssl/lhash.h \
+      openssl/md5.h \
+      openssl/opensslv.h \
+      openssl/rsa.h \
+      openssl/ssl.h \
+      openssl/x509.h \
+      openssl/x509v3.h \
+      openssl/engine.h \
+      openssl/txt_db.h \
+      openssl/pem.h \
+    )
 
     # check for API functions
     SQUID_CHECK_LIBCRYPTO_API
     SQUID_CHECK_LIBSSL_API
     SQUID_CHECK_OPENSSL_TLS_METHODS
     SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate)
-    LIBS="$LIBS $SSLLIB"
     AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
       AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available])
       ], [
@@ -1135,11 +1118,7 @@ AS_IF([test "x$with_openssl" = "xyes"],[
     SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS
     SQUID_CHECK_OPENSSL_TXTDB
   ])
-  AS_IF([test "x$SSLLIB" = "x"],[AC_MSG_ERROR([Required OpenSSL library not found])])
 ])
-AC_MSG_NOTICE([OpenSSL library support: ${with_openssl:=no} ${LIBOPENSSL_PATH} ${LIBOPENSSL_LIBS}])
-AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ])
-AC_SUBST(SSLLIB)
 
 # Kerberos support libraries: MIT
 SQUID_AUTO_LIB(mit-krb5,[MIT Kerberos],[LIBMIT_KRB5])

squid.dox

@@ -2070,6 +2070,7 @@ PREDEFINED             = __cplusplus \
                          ICAP_CLIENT \
                          HAVE_LIBHEIMDAL_KRB5 \
                          HAVE_LIBMIT_KRB5 \
+                         HAVE_LIBOPENSSL \
                          LINUX_NETFILTER \
                          SQUID_SNMP \
                          USE_ADAPTATION \
@@ -2090,14 +2091,12 @@ PREDEFINED             = __cplusplus \
                          USE_IPV6 \
                          USE_KQUEUE \
                          USE_LOADABLE_MODULES \
-                         USE_OPENSSL \
                          USE_POLL \
                          USE_QOS_TOS \
                          USE_SELECT \
                          USE_SOLARIS_KRB5 \
                          USE_SQUID_EUI \
                          USE_SSL_CRTD \
-                         USE_OPENSSL \
                          USE_UNLINKD \
                          USE_WCCP \
                          USE_WCCPv2 \

src/AccessLogEntry.h

@@ -27,7 +27,7 @@
 #if ICAP_CLIENT
 #include "adaptation/icap/Elements.h"
 #endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "ssl/gadgets.h"
 #include "ssl/support.h"
 #endif
@@ -124,7 +124,7 @@ class AccessLogEntry: public CodeContext
         const char *opcode = nullptr;
     } htcp;
 
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     /// logging information specific to the SSL protocol
     class SslDetails
     {
@@ -155,7 +155,7 @@ class AccessLogEntry: public CodeContext
         struct timeval start_time; ///< The time the master transaction started
         struct timeval trTime; ///< The response time
         const char *extuser = nullptr;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
         const char *ssluser = nullptr;
         Security::CertPointer sslClientCert; ///< cert received from the client
 #endif

src/AclRegs.cc

@@ -21,7 +21,7 @@
 #include "acl/Arp.h"
 #include "acl/Eui64.h"
 #endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "acl/AtStep.h"
 #include "acl/AtStepData.h"
 #endif
@@ -72,15 +72,15 @@
 #include "acl/SourceIp.h"
 #include "acl/SquidError.h"
 #include "acl/SquidErrorData.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "acl/Certificate.h"
 #include "acl/CertificateData.h"
 #include "acl/ServerName.h"
 #include "acl/SslError.h"
 #include "acl/SslErrorData.h"
 #endif
 #include "acl/StringData.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "acl/ServerCertificate.h"
 #endif
 #include "acl/Tag.h"
@@ -245,7 +245,7 @@ Acl::Init()
     RegisterMaker("client_connection_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
 #endif
 
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     RegisterMaker("ssl_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CertificateErrorCheck>(name, new ACLSslErrorData); });
 
     RegisterMaker("user_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509UserAttribute, "*")); });

src/ClientRequestContext.h

@@ -48,7 +48,7 @@ class ClientRequestContext : public RefCountable
 #if USE_ADAPTATION
     void adaptationAccessCheck();
 #endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     /**
      * Initiates and start the acl checklist to check if the CONNECT
      * request must be bumped.
@@ -75,7 +75,7 @@ class ClientRequestContext : public RefCountable
     bool no_cache_done = false;
     bool interpreted_req_hdrs = false;
     bool toClientMarkingDone = false;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     bool sslBumpCheckDone = false;
 #endif
 

src/FwdState.cc

@@ -56,7 +56,7 @@
 #include "Store.h"
 #include "StoreClient.h"
 #include "urn.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "ssl/cert_validate_message.h"
 #include "ssl/Config.h"
 #include "ssl/helper.h"
@@ -281,7 +281,7 @@ FwdState::completed()
             updateAleWithFinalError();
             errorAppendEntry(entry, err);
             err = nullptr;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
             if (request->flags.sslPeek && request->clientConnectionManager.valid()) {
                 CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData,
                              ConnStateData::httpsPeeked, ConnStateData::PinnedIdleContext(Comm::ConnectionPointer(nullptr), request));
@@ -999,7 +999,7 @@ FwdState::secureConnectionToPeer(const Comm::ConnectionPointer &conn)
     const auto callback = asyncCallback(17, 4, FwdState::connectedToPeer, this);
     const auto sslNegotiationTimeout = connectingTimeout(conn);
     Security::PeerConnector *connector = nullptr;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     if (request->flags.sslPeek)
         connector = new Ssl::PeekingPeerConnector(requestPointer, conn, clientConn, callback, al, sslNegotiationTimeout);
     else
@@ -1234,7 +1234,7 @@ FwdState::dispatch()
     }
 #endif
 
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     if (request->flags.sslPeek) {
         // we were just asked to peek at the server, and we did that
         CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData,

src/FwdState.h

@@ -23,7 +23,7 @@
 #include "PeerSelectState.h"
 #include "ResolvedPeers.h"
 #include "security/forward.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "ssl/support.h"
 #endif
 

src/HttpHeader.cc

@@ -84,7 +84,7 @@ static std::array<HttpHeaderStat, hoEnd> HttpHeaderStats = {{
 #endif
         HttpHeaderStat(/*hoRequest*/ "request", &RequestHeadersMask),
         HttpHeaderStat(/*hoReply*/ "reply", &ReplyHeadersMask)
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
         , HttpHeaderStat(/*hoErrorDetail*/ "error detail templates", nullptr)
 #endif
         /* hoEnd */

src/HttpHeader.h

@@ -35,7 +35,7 @@ typedef enum {
 #endif
     hoRequest,
     hoReply,
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
     hoErrorDetail,
 #endif
     hoEnd