php-src/ext/openssl/config0.m4

PHP_ARG_WITH([openssl],
  [for OpenSSL support],
  [AS_HELP_STRING([--with-openssl],
    [Include OpenSSL support (requires OpenSSL >= 1.1.1)])])

PHP_ARG_WITH([system-ciphers],
  [whether to use system default cipher list instead of hardcoded value],
  [AS_HELP_STRING([--with-system-ciphers],
    [OPENSSL: Use system default cipher list instead of hardcoded value])],
  [no],
  [no])

PHP_ARG_WITH([openssl-legacy-provider],
  [whether to load legacy algorithm provider],
  [AS_HELP_STRING([--with-openssl-legacy-provider],
    [OPENSSL: Load legacy algorithm provider in addition to default provider])],
  [no],
  [no])

if test "$PHP_OPENSSL" != "no"; then
  PHP_NEW_EXTENSION(openssl, openssl.c xp_ssl.c, $ext_shared)
  PHP_SUBST(OPENSSL_SHARED_LIBADD)
  PHP_SETUP_OPENSSL([OPENSSL_SHARED_LIBADD],
    [AC_DEFINE([HAVE_OPENSSL_EXT], [1],
      [Define to 1 if the openssl extension is available.])])

  PHP_CHECK_LIBRARY([crypto], [RAND_egd],
    [AC_DEFINE([HAVE_RAND_EGD], [1],
      [Define to 1 if OpenSSL crypto library has the 'RAND_egd' function.])],,
    [$OPENSSL_LIBS])

  if test "$PHP_SYSTEM_CIPHERS" != "no"; then
    AC_DEFINE(USE_OPENSSL_SYSTEM_CIPHERS,1,[ Use system default cipher list instead of hardcoded value ])
  fi

  if test "$PHP_OPENSSL_LEGACY_PROVIDER" != "no"; then
    AC_DEFINE(LOAD_OPENSSL_LEGACY_PROVIDER,1,[ Load legacy algorithm provider in addition to default provider ])
  fi
fi
Add AS_HELP_STRING to *nix build configure options The Autoconf's default AS_HELP_STRING macro can properly format help strings [1] so watching out if columns are aligned manually is not anymore. [1] https://www.gnu.org/software/autoconf/manual/autoconf.html#Pretty-Help-Strings 2019-03-03 15:44:16 +00:00			`PHP_ARG_WITH([openssl],`
			`[for OpenSSL support],`
			`[AS_HELP_STRING([--with-openssl],`
ext/openssl: Bump minimum required OpenSSL version to 1.1.1 Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1. OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached EOL in 2018. Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere. - Debian buster: 1.1.1[^2] - Ubuntu 20.04: 1.1.1[^3] - CentOS/RHEL 7: 1.0.2 - RHEL 8/Rocky 8/EL 8: 1.1.1 - Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well) RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely bump the minimum OpenSSL version. [^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html [^2]: https://packages.debian.org/buster/libssl-dev [^3]: https://packages.ubuntu.com/focal/libssl-dev 2024-02-25 02:37:08 +00:00			`[Include OpenSSL support (requires OpenSSL >= 1.1.1)])])`
- Unified PHP_SETUP_OPENSSL with other PHP_SETUP_* macros. 2003-06-24 14:05:26 +00:00
Add AS_HELP_STRING to *nix build configure options The Autoconf's default AS_HELP_STRING macro can properly format help strings [1] so watching out if columns are aligned manually is not anymore. [1] https://www.gnu.org/software/autoconf/manual/autoconf.html#Pretty-Help-Strings 2019-03-03 15:44:16 +00:00			`PHP_ARG_WITH([system-ciphers],`
			`[whether to use system default cipher list instead of hardcoded value],`
			`[AS_HELP_STRING([--with-system-ciphers],`
			`[OPENSSL: Use system default cipher list instead of hardcoded value])],`
			`[no],`
			`[no])`
Fix bug #68074 Allow to use system cipher list instead of hardcoded value 2014-09-24 08:34:55 +00:00
ext/openssl: Add option to load legacy algorithm provider OpenSSL 3.x relegated a set of insecure algorithms to a "legacy" provider which is not loaded by default. Some of these algorithms have utility beyond encryption such as for hashing, e.g., DES[1] Add a compile-time option to load the legacy provider in 3.x. When enabled, also load the default provider because loading any provider explicitly disables auto-loading the default provider. [1] https://github.com/vitessio/vitess/blob/9e40015748ede158357bd7291f583db138abc3df/go/vt/vtgate/vindexes/hash.go#L157 Closes GH-13951 2024-04-12 16:52:04 +00:00			`PHP_ARG_WITH([openssl-legacy-provider],`
			`[whether to load legacy algorithm provider],`
			`[AS_HELP_STRING([--with-openssl-legacy-provider],`
			`[OPENSSL: Load legacy algorithm provider in addition to default provider])],`
			`[no],`
			`[no])`

- Unified PHP_SETUP_OPENSSL with other PHP_SETUP_* macros. 2003-06-24 14:05:26 +00:00			`if test "$PHP_OPENSSL" != "no"; then`
Fix build... 2005-01-01 14:32:59 +00:00			`PHP_NEW_EXTENSION(openssl, openssl.c xp_ssl.c, $ext_shared)`
- Fixed bug #31101 (missing kerberos header file path with --with-openssl) 2004-12-30 14:50:06 +00:00			`PHP_SUBST(OPENSSL_SHARED_LIBADD)`
Remove PHP_SETUP_OPENSSL inactive 3rd argument (#14323) If OpenSSL is not found, the PKG_CHECK_MODULES errors out already. To not introduce too big of a BC break with possible PECL extensions using this macro, it is perhaps simpler to remove this non-working argument. Redundant macro arguments are ignored by Autoconf anyway. 2024-06-07 21:48:17 +00:00			`PHP_SETUP_OPENSSL([OPENSSL_SHARED_LIBADD],`
Sync HAVE_OPENSSL* symbols (#14333) This syncs few inconsistencies between the Windows and Autotools build systems: - HAVE_OPENSSL_EXT is now defined in the same style on both systems (undefined - extension is not available, defined to 1 - extension is available) - HAVE_OPENSSL removed as it was only defined on Windows 2024-06-11 17:18:19 +00:00			`[AC_DEFINE([HAVE_OPENSSL_EXT], [1],`
			`[Define to 1 if the openssl extension is available.])])`
Check RAND_egd after setting up openssl Noticed this by accident: We should check functions in the library only after setting it up. 2021-05-14 10:02:28 +00:00
Fix RAND_egd check (#14588) When building with OpenSSL (--with-openssl) the OpenSSL libraries (crypto and ssl) are added to LIBS. When building --with-openssl=shared the libraries are added to OPENSSL_SHARED_LIBADD. This fixes the check for the shared build when OpenSSL is built with RAND_egd support. 2024-06-17 11:02:53 +00:00			`PHP_CHECK_LIBRARY([crypto], [RAND_egd],`
			`[AC_DEFINE([HAVE_RAND_EGD], [1],`
			`[Define to 1 if OpenSSL crypto library has the 'RAND_egd' function.])],,`
			`[$OPENSSL_LIBS])`
Check RAND_egd after setting up openssl Noticed this by accident: We should check functions in the library only after setting it up. 2021-05-14 10:02:28 +00:00
Fix bug #68074 Allow to use system cipher list instead of hardcoded value 2014-09-24 08:34:55 +00:00			`if test "$PHP_SYSTEM_CIPHERS" != "no"; then`
			`AC_DEFINE(USE_OPENSSL_SYSTEM_CIPHERS,1,[ Use system default cipher list instead of hardcoded value ])`
			`fi`
ext/openssl: Add option to load legacy algorithm provider OpenSSL 3.x relegated a set of insecure algorithms to a "legacy" provider which is not loaded by default. Some of these algorithms have utility beyond encryption such as for hashing, e.g., DES[1] Add a compile-time option to load the legacy provider in 3.x. When enabled, also load the default provider because loading any provider explicitly disables auto-loading the default provider. [1] https://github.com/vitessio/vitess/blob/9e40015748ede158357bd7291f583db138abc3df/go/vt/vtgate/vindexes/hash.go#L157 Closes GH-13951 2024-04-12 16:52:04 +00:00
			`if test "$PHP_OPENSSL_LEGACY_PROVIDER" != "no"; then`
			`AC_DEFINE(LOAD_OPENSSL_LEGACY_PROVIDER,1,[ Load legacy algorithm provider in addition to default provider ])`
			`fi`
- Unified PHP_SETUP_OPENSSL with other PHP_SETUP_* macros. 2003-06-24 14:05:26 +00:00			`fi`