Unverified Commit b0989cd3 authored by Johannes Schindelin's avatar Johannes Schindelin Committed by Daniel Stenberg

vtls: allow selecting which SSL backend to use at runtime



When building software for the masses, it is sometimes not possible to
decide for all users which SSL backend is appropriate.

Git for Windows, for example, uses cURL to perform clones, fetches and
pushes via HTTPS, and some users strongly prefer OpenSSL, while other
users really need to use Secure Channel because it offers
enterprise-ready tools to manage credentials via Windows' Credential
Store.

The current Git for Windows versions use the ugly work-around of
building libcurl once with OpenSSL support and once with Secure Channel
support, and switching out the binaries in the installer depending on
the user's choice.

Needless to say, this is a super ugly workaround that actually only
works in some cases: Git for Windows also comes in a portable form, and
in a form intended for third-party applications requiring Git
functionality, in which cases this "swap out libcurl-4.dll" simply is
not an option.

Therefore, the Git for Windows project has a vested interest in teaching
cURL to make the SSL backend a *runtime* option.

This patch makes that possible.

By running ./configure with multiple --with-<backend> options, cURL will
be built with multiple backends.

For the moment, the backend can be configured using the environment
variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
"schannel").

Signed-off-by: default avatarJohannes Schindelin <johannes.schindelin@gmx.de>
parent a53bda35
+50 −27
@@ -165,7 +165,7 @@ curl_verbose_msg="enabled (--disable-verbose)"
  curl_mtlnk_msg="no      (--with-libmetalink)"
    curl_psl_msg="no      (--with-libpsl)"

    init_ssl_msg=${curl_ssl_msg}
    ssl_backends=

dnl
dnl Save some initial values the user might have provided
@@ -1345,13 +1345,14 @@ AC_HELP_STRING([--without-winssl], [disable Windows native SSL/TLS]),
  OPT_WINSSL=$withval)

AC_MSG_CHECKING([whether to enable Windows native SSL/TLS (Windows native builds only)])
if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_WINSSL" != xno; then
  ssl_msg=
  if test "x$OPT_WINSSL" != "xno"  &&
     test "x$curl_cv_native_windows" = "xyes"; then
    AC_MSG_RESULT(yes)
    AC_DEFINE(USE_SCHANNEL, 1, [to enable Windows native SSL/TLS support])
    AC_SUBST(USE_SCHANNEL, [1])
    curl_ssl_msg="enabled (Windows-native)"
    ssl_msg="Windows-native"
    WINSSL_ENABLED=1
    # --with-winssl implies --enable-sspi
    AC_DEFINE(USE_WINDOWS_SSPI, 1, [to enable SSPI support])
@@ -1361,6 +1362,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
  else
    AC_MSG_RESULT(no)
  fi
  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
else
  AC_MSG_RESULT(no)
fi
@@ -1372,18 +1374,19 @@ AC_HELP_STRING([--without-darwinssl], [disable Apple OS native SSL/TLS]),
  OPT_DARWINSSL=$withval)

AC_MSG_CHECKING([whether to enable Apple OS native SSL/TLS])
if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_DARWINSSL" != xno; then
  if test "x$OPT_DARWINSSL" != "xno" &&
     test -d "/System/Library/Frameworks/Security.framework"; then
    AC_MSG_RESULT(yes)
    AC_DEFINE(USE_DARWINSSL, 1, [to enable Apple OS native SSL/TLS support])
    AC_SUBST(USE_DARWINSSL, [1])
    curl_ssl_msg="enabled (Apple OS-native)"
    ssl_msg="$ssh_backends, Apple OS-native"
    DARWINSSL_ENABLED=1
    LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
  else
    AC_MSG_RESULT(no)
  fi
  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
else
  AC_MSG_RESULT(no)
fi
@@ -1401,7 +1404,10 @@ AC_HELP_STRING([--with-ssl=PATH],[Where to look for OpenSSL, PATH points to the
AC_HELP_STRING([--without-ssl], [disable OpenSSL]),
  OPT_SSL=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
   test X"$OPT_SSL" != Xno; then
  ssl_msg=

  dnl backup the pre-ssl variables
  CLEANLDFLAGS="$LDFLAGS"
  CLEANCPPFLAGS="$CPPFLAGS"
@@ -1582,7 +1588,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
      dnl Have the libraries--check for OpenSSL headers
      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
                       openssl/pem.h openssl/ssl.h openssl/err.h,
        curl_ssl_msg="enabled (OpenSSL)"
        ssl_msg="OpenSSL"
        OPENSSL_ENABLED=1
        AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use]))

@@ -1596,7 +1602,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
           test $ac_cv_header_crypto_h = yes &&
           test $ac_cv_header_ssl_h = yes; then
          dnl three matches
          curl_ssl_msg="enabled (OpenSSL)"
          ssl_msg="OpenSSL"
          OPENSSL_ENABLED=1
        fi
      fi
@@ -1647,7 +1653,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
        AC_MSG_RESULT([yes])
        AC_DEFINE_UNQUOTED(HAVE_BORINGSSL, 1,
                           [Define to 1 if using BoringSSL.])
        curl_ssl_msg="enabled (BoringSSL)"
        ssl_msg="BoringSSL"
    ],[
        AC_MSG_RESULT([no])
    ])
@@ -1663,7 +1669,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
      AC_MSG_RESULT([yes])
      AC_DEFINE_UNQUOTED(HAVE_LIBRESSL, 1,
        [Define to 1 if using libressl.])
      curl_ssl_msg="enabled (libressl)"
      ssl_msg="libressl"
    ],[
      AC_MSG_RESULT([no])
    ])
@@ -1683,6 +1689,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
    CURL_CHECK_OPENSSL_API
  fi

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl **********************************************************************
@@ -1744,7 +1751,8 @@ AC_HELP_STRING([--with-gnutls=PATH],[where to look for GnuTLS, PATH points to th
AC_HELP_STRING([--without-gnutls], [disable GnuTLS detection]),
  OPT_GNUTLS=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_GNUTLS" != xno; then
  ssl_msg=

  if test X"$OPT_GNUTLS" != Xno; then

@@ -1818,7 +1826,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
       AC_SUBST(USE_GNUTLS, [1])
       GNUTLS_ENABLED=1
       USE_GNUTLS="yes"
       curl_ssl_msg="enabled (GnuTLS)"
       ssl_msg="GnuTLS"
       ],
       [
         LIBS="$CLEANLIBS"
@@ -1846,6 +1854,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then

  fi dnl GNUTLS not disabled

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl ---
@@ -1903,7 +1912,8 @@ AC_HELP_STRING([--with-polarssl=PATH],[where to look for PolarSSL, PATH points t
AC_HELP_STRING([--without-polarssl], [disable PolarSSL detection]),
  OPT_POLARSSL=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_POLARSSL" != xno; then
  ssl_msg=

  if test X"$OPT_POLARSSL" != Xno; then

@@ -1921,7 +1931,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
         AC_SUBST(USE_POLARSSL, [1])
         POLARSSL_ENABLED=1
         USE_POLARSSL="yes"
         curl_ssl_msg="enabled (PolarSSL)"
         ssl_msg="PolarSSL"
        ])
    fi

@@ -1947,7 +1957,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
       AC_SUBST(USE_POLARSSL, [1])
       POLARSSL_ENABLED=1
       USE_POLARSSL="yes"
       curl_ssl_msg="enabled (PolarSSL)"
       ssl_msg="PolarSSL"
       ],
       [
         CPPFLAGS=$_cppflags
@@ -1975,6 +1985,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then

  fi dnl PolarSSL not disabled

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl ----------------------------------------------------
@@ -1990,7 +2001,8 @@ AC_HELP_STRING([--with-mbedtls=PATH],[where to look for mbedTLS, PATH points to
AC_HELP_STRING([--without-mbedtls], [disable mbedTLS detection]),
  OPT_MBEDTLS=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_MBEDTLS" != xno; then
  ssl_msg=

  if test X"$OPT_MBEDTLS" != Xno; then

@@ -2008,7 +2020,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
         AC_SUBST(USE_MBEDTLS, [1])
         MBEDTLS_ENABLED=1
         USE_MBEDTLS="yes"
         curl_ssl_msg="enabled (mbedTLS)"
         ssl_msg="mbedTLS"
        ], [], -lmbedx509 -lmbedcrypto)
    fi

@@ -2034,7 +2046,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
       AC_SUBST(USE_MBEDTLS, [1])
       MBEDTLS_ENABLED=1
       USE_MBEDTLS="yes"
       curl_ssl_msg="enabled (mbedTLS)"
       ssl_msg="mbedTLS"
       ],
       [
         CPPFLAGS=$_cppflags
@@ -2062,6 +2074,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then

  fi dnl mbedTLS not disabled

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl ----------------------------------------------------
@@ -2078,7 +2091,8 @@ AC_HELP_STRING([--with-cyassl=PATH],[where to look for CyaSSL, PATH points to th
AC_HELP_STRING([--without-cyassl], [disable CyaSSL detection]),
  OPT_CYASSL=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_CYASSL" != xno; then
  ssl_msg=

  if test X"$OPT_CYASSL" != Xno; then

@@ -2100,7 +2114,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
         AC_SUBST(USE_CYASSL, [1])
         CYASSL_ENABLED=1
         USE_CYASSL="yes"
         curl_ssl_msg="enabled (CyaSSL)"
         ssl_msg="CyaSSL"
        ])
    fi

@@ -2126,7 +2140,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
       AC_SUBST(USE_CYASSL, [1])
       CYASSL_ENABLED=1
       USE_CYASSL="yes"
       curl_ssl_msg="enabled (CyaSSL)"
       ssl_msg="CyaSSL"
       ],
       [
         CPPFLAGS=$_cppflags
@@ -2171,7 +2185,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
         AC_SUBST(USE_CYASSL, [1])
         CYASSL_ENABLED=1
         USE_CYASSL="yes"
         curl_ssl_msg="enabled (WolfSSL)"
         ssl_msg="WolfSSL"
       ],
       [
         AC_MSG_RESULT(no)
@@ -2225,6 +2239,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then

  fi dnl CyaSSL not disabled

  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

dnl ----------------------------------------------------
@@ -2239,7 +2254,8 @@ AC_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the inst
AC_HELP_STRING([--without-nss], [disable NSS detection]),
  OPT_NSS=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
  ssl_msg=

  if test X"$OPT_NSS" != Xno; then

@@ -2314,7 +2330,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
     AC_SUBST(USE_NSS, [1])
     USE_NSS="yes"
     NSS_ENABLED=1
     curl_ssl_msg="enabled (NSS)"
     ssl_msg="NSS"
     ],
     [
       LDFLAGS="$CLEANLDFLAGS"
@@ -2343,7 +2359,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then

  fi dnl NSS not disabled

fi dnl curl_ssl_msg = init_ssl_msg
  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

OPT_AXTLS=off

@@ -2352,7 +2369,8 @@ AC_HELP_STRING([--with-axtls=PATH],[Where to look for axTLS, PATH points to the
AC_HELP_STRING([--without-axtls], [disable axTLS]),
  OPT_AXTLS=$withval)

if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test -z "$ssl_backends" -o "x$OPT_AXTLS" != xno; then
  ssl_msg=
  if test X"$OPT_AXTLS" != Xno; then
    dnl backup the pre-axtls variables
    CLEANLDFLAGS="$LDFLAGS"
@@ -2386,7 +2404,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
      AC_SUBST(USE_AXTLS, [1])
      AXTLS_ENABLED=1
      USE_AXTLS="yes"
      curl_ssl_msg="enabled (axTLS)"
      ssl_msg="axTLS"

      if test "x$cross_compiling" != "xyes"; then
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_AXTLS"
@@ -2399,6 +2417,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
      LIBS="$CLEANLIBS"
    ])
  fi
  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi

if test "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$POLARSSL_ENABLED$MBEDTLS_ENABLED$AXTLS_ENABLED$CYASSL_ENABLED$WINSSL_ENABLED$DARWINSSL_ENABLED" = "x"; then
@@ -2410,6 +2429,10 @@ else
  SSL_ENABLED="1"
fi

if test -n "$ssl_backends"; then
  curl_ssl_msg="enabled ($ssl_backends)"
fi

dnl **********************************************************************
dnl Check for the CA bundle
dnl **********************************************************************
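Review bot: In the darwinssl hunk (`@@ -1372,18 +1374,19 @@`) the new line `ssl_msg="$ssh_backends, Apple OS-native"` references `ssh_backends`, a variable that appears nowhere else in the patch, so it expands to `, Apple OS-native` and the summary computed at the end of the section becomes `enabled (, Apple OS-native)`; every other block assigns a plain name (e.g. `ssl_msg="OpenSSL"`), so this should be `ssl_msg="Apple OS-native"`. The same block is also the only one that does not clear `ssl_msg=` on entry (the winssl, OpenSSL, GnuTLS and later blocks all do), so with the new `test -z "$ssl_msg" || ssl_backends=...` line a value left over from the winssl probe would presumably be appended a second time whenever the Security framework is absent; `ssl_msg=` belongs directly after `if test -z "$ssl_backends" -o "x$OPT_DARWINSSL" != xno; then`. As a point of style, `test A -o B` is the obsolescent XSI form; `test -z "$ssl_backends" || test "x$OPT_DARWINSSL" != xno` is the portable spelling and the same applies to the other nine gating lines. The enclosing configure.ac blocks begin before and end after the hunks shown.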
+0 −2
@@ -740,6 +740,4 @@ const struct Curl_ssl Curl_ssl_axtls = {
  NULL                            /* sha256sum */
};

const struct Curl_ssl *Curl_ssl = &Curl_ssl_axtls;

#endif /* USE_AXTLS */
+0 −2
@@ -1015,6 +1015,4 @@ const struct Curl_ssl Curl_ssl_cyassl = {
  Curl_cyassl_sha256sum            /* sha256sum */
};

const struct Curl_ssl *Curl_ssl = &Curl_ssl_cyassl;

#endif
+0 −2
@@ -2927,8 +2927,6 @@ const struct Curl_ssl Curl_ssl_darwinssl = {
  Curl_darwinssl_sha256sum            /* sha256sum */
};

const struct Curl_ssl *Curl_ssl = &Curl_ssl_darwinssl;

#ifdef __clang__
#pragma clang diagnostic pop
#endif
+0 −2
@@ -1388,6 +1388,4 @@ const struct Curl_ssl Curl_ssl_gskit = {
  NULL                            /* sha256sum */
};

const struct Curl_ssl *Curl_ssl = &Curl_ssl_gskit;

#endif /* USE_GSKIT */