bpo-45536: Check OpenSSL APIs in configure (GH-29088)

This commit is contained in:
Christian Heimes 2021-10-20 18:18:34 +03:00 committed by GitHub
parent d9e1dae35a
commit 81520fe677
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 105 additions and 0 deletions

View File

@ -0,0 +1,3 @@
The ``configure`` script now checks whether OpenSSL headers and libraries
provide required APIs. Most common APIs are verified. The check detects
outdated or missing OpenSSL. Failures do not stop configure.

60
configure vendored
View File

@ -17949,6 +17949,66 @@ esac
$as_echo "$OPENSSL_RPATH" >&6; }
# check if OpenSSL libraries work as expected
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL provides required APIs" >&5
$as_echo_n "checking whether OpenSSL provides required APIs... " >&6; }
save_LIBS="$LIBS"
save_CFLAGS="$CFLAGS"
save_LDFLAGS="$LDFLAGS"
LIBS="$LIBS $OPENSSL_LIBS"
CFLAGS="$CFLAGS_NODIST $OPENSSL_INCLUDES"
LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
#if OPENSSL_VERSION_NUMBER < 0x10101000L
#error "OpenSSL >= 1.1.1 is required"
#endif
static void keylog_cb(const SSL *ssl, const char *line) {}
int
main ()
{
/* SSL APIs */
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_keylog_callback(ctx, keylog_cb);
SSL *ssl = SSL_new(ctx);
X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set1_host(param, "python.org", 0);
SSL_free(ssl);
SSL_CTX_free(ctx);
/* hashlib APIs */
OBJ_nid2sn(NID_md5);
OBJ_nid2sn(NID_sha1);
OBJ_nid2sn(NID_sha3_512);
OBJ_nid2sn(NID_blake2b512);
EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0);
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS="$save_LIBS"
CFLAGS="$save_CFLAGS"
LDFLAGS="$save_LDFLAGS"
# ssl module default cipher suite string

View File

@ -5888,6 +5888,48 @@ AS_CASE($with_openssl_rpath,
AC_MSG_RESULT($OPENSSL_RPATH)
AC_SUBST([OPENSSL_RPATH])
# check if OpenSSL libraries work as expected
AC_MSG_CHECKING(whether OpenSSL provides required APIs)
save_LIBS="$LIBS"
save_CFLAGS="$CFLAGS"
save_LDFLAGS="$LDFLAGS"
LIBS="$LIBS $OPENSSL_LIBS"
CFLAGS="$CFLAGS_NODIST $OPENSSL_INCLUDES"
LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
#if OPENSSL_VERSION_NUMBER < 0x10101000L
#error "OpenSSL >= 1.1.1 is required"
#endif
static void keylog_cb(const SSL *ssl, const char *line) {}
]], [[
/* SSL APIs */
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_keylog_callback(ctx, keylog_cb);
SSL *ssl = SSL_new(ctx);
X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set1_host(param, "python.org", 0);
SSL_free(ssl);
SSL_CTX_free(ctx);
/* hashlib APIs */
OBJ_nid2sn(NID_md5);
OBJ_nid2sn(NID_sha1);
OBJ_nid2sn(NID_sha3_512);
OBJ_nid2sn(NID_blake2b512);
EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0);
]])],
[AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no)])
LIBS="$save_LIBS"
CFLAGS="$save_CFLAGS"
LDFLAGS="$save_LDFLAGS"
# ssl module default cipher suite string
AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS,
[Default cipher suites list for ssl module.