authorJacob Hoffman-Andrews <github@hoffman-andrews.com>2020-12-12 23:55:09 -0800
committerDaniel Stenberg <daniel@haxx.se>2021-02-09 11:06:18 +0100
commit246399a8745369b63cad53ea189a5205f237fa31 (patch)
treeb36f7ed0abdf420ab6b2fb00ffd4c6be587bc470 /configure.ac
parent3eebbfe8f34d37c4d68d08277a44ec7aa6bd0889 (diff)
vtls: initial implementation of rustls backend
This adds a new TLS backend, rustls. It uses the C-to-rustls bindings from https://github.com/abetterinternet/crustls. Rustls is at https://github.com/ctz/rustls/. There is still a fair bit to be done, like sending CloseNotify on connection shutdown, respecting CAPATH, and properly indicating features like "supports TLS 1.3 ciphersuites." But it works well enough to make requests and receive responses. Blog post for context: https://www.abetterinternet.org/post/memory-safe-curl/ Closes #6350
Diffstat (limited to 'configure.ac')
-rwxr-xr-xconfigure.ac97
1 files changed, 95 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac
index b7aef5ba3..cf4b5278f 100755
--- a/configure.ac
+++ b/configure.ac
@@ -143,7 +143,7 @@ AC_SUBST(PKGADD_VENDOR)
dnl
dnl initialize all the info variables
- curl_ssl_msg="no (--with-{ssl,gnutls,nss,mbedtls,wolfssl,schannel,secure-transport,mesalink,amissl,bearssl} )"
+ curl_ssl_msg="no (--with-{ssl,gnutls,nss,mbedtls,wolfssl,schannel,secure-transport,mesalink,amissl,bearssl,rustls} )"
curl_ssh_msg="no (--with-{libssh,libssh2})"
curl_zlib_msg="no (--with-zlib)"
curl_brotli_msg="no (--with-brotli)"
@@ -2699,6 +2699,98 @@ if test -z "$ssl_backends" -o "x$OPT_BEARSSL" != xno; then
fi
dnl ----------------------------------------------------
+dnl check for rustls
+dnl ----------------------------------------------------
+
+OPT_RUSTLS=no
+
+_cppflags=$CPPFLAGS
+_ldflags=$LDFLAGS
+AC_ARG_WITH(rustls,dnl
+AC_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to the installation root])
+AC_HELP_STRING([--without-rustls], [disable rustls detection]),
+ OPT_RUSTLS=$withval)
+
+if test -z "$ssl_backends" -o "x$OPT_RUSTLS" != xno; then
+ ssl_msg=
+
+ if test X"$OPT_RUSTLS" != Xno; then
+
+ if test "$OPT_RUSTLS" = "yes"; then
+ OPT_RUSTLS=""
+ fi
+
+ if test -z "$OPT_RUSTLS" ; then
+ dnl check for lib first without setting any new path
+
+ AC_CHECK_LIB(crustls, rustls_client_session_read,
+ dnl libcrustls found, set the variable
+ [
+ AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
+ AC_SUBST(USE_RUSTLS, [1])
+ RUSTLS_ENABLED=1
+ USE_RUSTLS="yes"
+ ssl_msg="rustls"
+ test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+ ], [], -lpthread -ldl)
+ fi
+
+ addld=""
+ addlib="-lpthread"
+ addcflags=""
+ bearssllib=""
+
+ if test "x$USE_RUSTLS" != "xyes"; then
+ dnl add the path and test again
+ addld=-L$OPT_RUSTLS/lib$libsuff
+ addcflags=-I$OPT_RUSTLS/include
+ rustlslib=$OPT_RUSTLS/lib$libsuff
+
+ LDFLAGS="$LDFLAGS $addld"
+ if test "$addcflags" != "-I/usr/include"; then
+ CPPFLAGS="$CPPFLAGS $addcflags"
+ fi
+
+ AC_CHECK_LIB(crustls, rustls_client_session_read,
+ [
+ AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
+ AC_SUBST(USE_RUSTLS, [1])
+ RUSTLS_ENABLED=1
+ USE_RUSTLS="yes"
+ ssl_msg="rustls"
+ test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+ ],
+ [
+ CPPFLAGS=$_cppflags
+ LDFLAGS=$_ldflags
+ ], -lpthread -ldl)
+ fi
+
+ if test "x$USE_RUSTLS" = "xyes"; then
+ AC_MSG_NOTICE([detected rustls])
+ check_for_ca_bundle=1
+
+ LIBS="-lcrustls -lpthread -ldl $LIBS"
+
+ if test -n "$rustlslib"; then
+ dnl when shared libs were found in a path that the run-time
+ dnl linker doesn't search through, we need to add it to
+ dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
+ dnl due to this
+ if test "x$cross_compiling" != "xyes"; then
+ CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$rustlslib"
+ export CURL_LIBRARY_PATH
+ AC_MSG_NOTICE([Added $rustlslib to CURL_LIBRARY_PATH])
+ fi
+ fi
+ fi
+
+ fi dnl rustls not disabled
+
+ test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
+fi
+
+dnl ----------------------------------------------------
dnl NSS. Only check if GnuTLS and OpenSSL are not enabled
dnl ----------------------------------------------------
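Review bot: When `--with-rustls` or `--with-rustls=PATH` is given and neither `AC_CHECK_LIB` call finds `rustls_client_session_read` in libcrustls, the failure branch of the second check only restores `CPPFLAGS` and `LDFLAGS`. Configure then carries on, and the build can end up with a different TLS backend, or none, without the user being told. The inner block is entered only when rustls was explicitly requested, so that branch should stop the run, e.g. `AC_MSG_ERROR([--with-rustls was specified but libcrustls was not found])`. Separately, `bearssllib=""` looks like a leftover from the BearSSL section and should probably be `rustlslib=""`: `rustlslib` is later tested with `test -n "$rustlslib"` and appended to `CURL_LIBRARY_PATH`, and when the first check succeeds it is never assigned here, so its value comes from whatever the environment holds.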
@@ -2828,7 +2920,8 @@ if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi
-case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$MESALINK_ENABLED$BEARSSL_ENABLED$AMISSL_ENABLED" in
+case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$MESALINK_ENABLED$BEARSSL_ENABLED$AMISSL_ENABLED$RUSTLS_ENABLED"
+in
x)
AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-nss, --with-schannel, --with-secure-transport, --with-mesalink, --with-amissl or --with-bearssl to address this.])