Test for SSL_set1_verify_cert_store at configure time (apache#8048)

SSL_set1_verify_cert_store is a macro in OpenSSL but a function in BoringSSL
nekomachi-touge · Jul 8, 2021 · 3412c4f · 3412c4f
1 parent 77c8dba
commit 3412c4f
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 2 deletions.
diff --git a/build/crypto.m4 b/build/crypto.m4
@@ -365,3 +365,43 @@ AC_DEFUN([TS_CHECK_SESSION_TICKET], [
 
   AC_SUBST(has_tls_session_ticket)
 ])
+
+dnl SSL_set1_verify_cert_store macro is for OpenSSL 1.1.1
+dnl SSL_set1_verify_cert_store function is for BoringSSL
+AC_DEFUN([TS_CHECK_VERIFY_CERT_STORE], [
+
+  TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+  AC_CHECK_HEADERS(openssl/ssl.h)
+  verify_cert_store_check=no
+  has_verify_cert_store=0
+  AC_MSG_CHECKING([for SSL_set1_verify_cert_store macro])
+  AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/ssl.h>]],
+                     [[
+                     #ifndef SSL_set1_verify_cert_store
+                     #error
+                     #endif
+                     ]])
+    ],
+    [
+      verify_cert_store_check=yes
+      has_verify_cert_store=1
+    ],
+    []
+  )
+  AC_MSG_RESULT([$verify_cert_store_check])
+
+  AC_CHECK_FUNCS(
+    SSL_set1_verify_cert_store,
+    [
+      verify_cert_store_check=yes
+      has_verify_cert_store=1
+    ],
+    []
+  )
+
+  AC_MSG_CHECKING([for setting verify cert store APIs])
+  AC_MSG_RESULT([$verify_cert_store_check])
+
+  AC_SUBST(has_verify_cert_store)
+])
diff --git a/configure.ac b/configure.ac
@@ -1292,6 +1292,9 @@ TS_CHECK_EARLY_DATA
 # Check for openssl session ticket support
 TS_CHECK_SESSION_TICKET
 
+# Check for openssl verify cert store support
+TS_CHECK_VERIFY_CERT_STORE
+
 saved_LIBS="$LIBS"
 TS_ADDTO([LIBS], ["$OPENSSL_LIBS"])
 

diff --git a/include/tscore/ink_config.h.in b/include/tscore/ink_config.h.in
@@ -80,6 +80,7 @@
 #define TS_USE_TLS_OCSP @use_tls_ocsp@
 #define TS_HAS_TLS_EARLY_DATA @has_tls_early_data@
 #define TS_HAS_TLS_SESSION_TICKET @has_tls_session_ticket@
+#define TS_HAS_VERIFY_CERT_STORE @has_verify_cert_store@
 
 #define TS_USE_HRW_GEOIP @use_hrw_geoip@
 #define TS_USE_HRW_MAXMINDDB @use_hrw_maxminddb@

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
@@ -1132,7 +1132,7 @@ void
 setClientCertCACerts(SSL *ssl, const char *file, const char *dir)
 {
   if ((file != nullptr && file[0] != '\0') || (dir != nullptr && dir[0] != '\0')) {
-#if defined(SSL_set1_verify_cert_store)
+#if TS_HAS_VERIFY_CERT_STORE
     // The set0 version will take ownership of the X509_STORE object
     X509_STORE *ctx = X509_STORE_new();
     if (X509_STORE_load_locations(ctx, file && file[0] != '\0' ? file : nullptr, dir && dir[0] != '\0' ? dir : nullptr)) {

diff --git a/iocore/net/YamlSNIConfig.cc b/iocore/net/YamlSNIConfig.cc
@@ -174,7 +174,7 @@ template <> struct convert<YamlSNIConfig::Item> {
     }
 
     if (node[TS_verify_client_ca_certs]) {
-#if !defined(SSL_set1_verify_cert_store)
+#if !TS_HAS_VERIFY_CERT_STORE
       // TS was compiled with an older version of the OpenSSL interface, that doesn't have
       // SSL_set1_verify_cert_store().  We need this macro in order to set the CA certs for verifying clients
       // after the client sends the SNI server name.