PHPC-2545: Drop support for compiling with LibreSSL (#1836)

* PHPC-2545: Drop support for compiling with LibreSSL

* Warn when explicitly building with libressl

Author: alcaeus

bin/package.xml.in

@@ -76,7 +76,7 @@ necessary to build a fully-functional MongoDB driver.
   <configureoption name="with-mongodb-zlib"                    prompt="Enable zlib for compression? (auto/system/bundled/no)"                       default="auto" />
   <configureoption name="with-mongodb-zstd"                    prompt="Enable zstd for compression? (auto/yes/no)"                                  default="auto" />
   <configureoption name="with-mongodb-sasl"                    prompt="Enable SASL for Kerberos authentication? (auto/cyrus/no)"                    default="auto" />
-  <configureoption name="with-mongodb-ssl"                     prompt="Enable crypto and TLS? (auto/openssl/libressl/darwin/no)"                    default="auto" />
+  <configureoption name="with-mongodb-ssl"                     prompt="Enable crypto and TLS? (auto/openssl/darwin/no)"                             default="auto" />
   <configureoption name="enable-mongodb-crypto-system-profile" prompt="Use system crypto profile (OpenSSL only)? (yes/no)"                          default="no" />
   <configureoption name="with-mongodb-utf8proc"                prompt="Use bundled or system utf8proc for SCRAM-SHA-256 SASLprep? (bundled/system)" default="bundled" />
  </extsrcrelease>

composer.json

@@ -61,7 +61,7 @@
       },
       {
         "name": "with-mongodb-ssl",
-        "description": "Enable crypto and TLS (auto/openssl/libressl/darwin/no)",
+        "description": "Enable crypto and TLS (auto/openssl/darwin/no)",
         "needs-value": true
       },
       {

config.w32

@@ -161,7 +161,6 @@ if (PHP_MONGODB != "no") {
     // Secure Transport does not apply to Windows
     MONGOC_ENABLE_SSL_SECURE_TRANSPORT: 0,
     MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO: 0,
-    MONGOC_ENABLE_SSL_LIBRESSL: 0,
     MONGOC_ENABLE_SSL_OPENSSL: 0,
     MONGOC_ENABLE_CRYPTO_LIBCRYPTO: 0,
     MONGOC_ENABLE_SSL: 0,

php_phongo.c

@@ -408,8 +408,6 @@ PHP_MINFO_FUNCTION(mongodb) /* {{{ */
 	php_info_print_table_row(2, "libmongoc SSL", "enabled");
 #if defined(MONGOC_ENABLE_SSL_OPENSSL)
 	php_info_print_table_row(2, "libmongoc SSL library", "OpenSSL");
-#elif defined(MONGOC_ENABLE_SSL_LIBRESSL)
-	php_info_print_table_row(2, "libmongoc SSL library", "LibreSSL");
 #elif defined(MONGOC_ENABLE_SSL_SECURE_TRANSPORT)
 	php_info_print_table_row(2, "libmongoc SSL library", "Secure Transport");
 #elif defined(MONGOC_ENABLE_SSL_SECURE_CHANNEL)

scripts/autotools/libmongoc/CheckSSL.m4

@@ -1,24 +1,32 @@
 PHP_ARG_WITH([mongodb-ssl],
              [whether to enable crypto and TLS],
-             [AS_HELP_STRING([--with-mongodb-ssl=@<:@auto/openssl/libressl/darwin/no@:>@],
+             [AS_HELP_STRING([--with-mongodb-ssl=@<:@auto/openssl/darwin/no@:>@],
                              [MongoDB: Enable TLS connections and SCRAM-SHA-1 authentication [default=auto]])],
              [auto],
              [no])
 
+dnl PHP_ARG_WITH without a value assigns "yes". Treat it like "auto" but
+dnl require a crypto library.
+if test "$PHP_MONGODB_SSL" = "yes"; then
+  PHP_MONGODB_SSL="auto"
+fi
+
+dnl TODO 3.0: Remove libressl from valid options
+PHP_MONGODB_VALIDATE_ARG([PHP_MONGODB_SSL], [auto openssl libressl darwin no])
+
+if test "$PHP_MONGODB_SSL" = "libressl"; then
+  dnl libressl is a valid option, but it is not supported by libmongoc
+  dnl Warn users that it is not supported and treat it like "auto"
+  PHP_MONGODB_SSL="auto"
+  AC_MSG_WARN([Building with libressl is not supported by libmongoc. Falling back to "auto".])
+fi
+
 if test "$PHP_MONGODB_SSL" = "auto" -o "$PHP_MONGODB_SSL" = "no"; then
   crypto_required="no"
 else
   crypto_required="yes"
-
-  dnl PHP_ARG_WITH without a value assigns "yes". Treat it like "auto" but
-  dnl require a crypto library.
-  if test "$PHP_MONGODB_SSL" = "yes"; then
-    PHP_MONGODB_SSL="auto"
-  fi
 fi
 
-PHP_MONGODB_VALIDATE_ARG([PHP_MONGODB_SSL], [auto openssl libressl darwin no])
-
 AS_IF([test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "auto"],[
   found_openssl="no"
 
@@ -130,38 +138,6 @@ AS_IF([test "$PHP_MONGODB_SSL" = "darwin" -o \( "$PHP_MONGODB_SSL" = "auto" -a "
   PHP_MONGODB_SSL="darwin"
 ])
 
-AS_IF([test "$PHP_MONGODB_SSL" = "libressl" -o "$PHP_MONGODB_SSL" = "auto"],[
-  found_libressl="no"
-
-  PKG_CHECK_MODULES([PHP_MONGODB_SSL],[libtls libcrypto],[
-    PHP_MONGODB_BUNDLED_CFLAGS="$PHP_MONGODB_BUNDLED_CFLAGS $PHP_MONGODB_SSL_CFLAGS"
-    PHP_EVAL_LIBLINE([$PHP_MONGODB_SSL_LIBS],[MONGODB_SHARED_LIBADD])
-    PHP_MONGODB_SSL="libressl"
-    found_libressl="yes"
-  ],[
-    PHP_CHECK_LIBRARY([crypto],
-                      [EVP_DigestInit_ex],
-                      [have_crypto_lib="yes"],
-                      [have_crypto_lib="no"])
-    PHP_CHECK_LIBRARY([tls],
-                      [tls_init],
-                      [have_ssl_lib="yes"],
-                      [have_ssl_lib="no"],
-                      [-lcrypto])
-
-    if test "$have_ssl_lib" = "yes" -a "$have_crypto_lib" = "yes"; then
-      PHP_ADD_LIBRARY([tls],,[MONGODB_SHARED_LIBADD])
-      PHP_ADD_LIBRARY([crypto],,[MONGODB_SHARED_LIBADD])
-      PHP_MONGODB_SSL="libressl"
-      found_libressl="yes"
-    fi
-  ])
-
-  if test "$PHP_MONGODB_SSL" = "libressl" -a "$found_libressl" != "yes"; then
-    AC_MSG_ERROR([LibreSSL libraries and development headers could not be found])
-  fi
-])
-
 AS_IF([test "$PHP_MONGODB_SSL" = "auto"],[
   if test "$crypto_required" = "yes"; then
     AC_MSG_ERROR([crypto and TLS libraries not found])
@@ -177,28 +153,18 @@ AC_SUBST(MONGOC_ENABLE_SSL_SECURE_CHANNEL, 0)
 AC_SUBST(MONGOC_ENABLE_CRYPTO_CNG, 0)
 AC_SUBST(MONGOC_HAVE_BCRYPT_PBKDF2, 0)
 
-if test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "libressl" -o "$PHP_MONGODB_SSL" = "darwin"; then
+if test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "darwin"; then
   AC_SUBST(MONGOC_ENABLE_SSL, 1)
   AC_SUBST(MONGOC_ENABLE_CRYPTO, 1)
   if test "$PHP_MONGODB_SSL" = "darwin"; then
     AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 0)
-    AC_SUBST(MONGOC_ENABLE_SSL_LIBRESSL, 0)
     AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 1)
     AC_SUBST(MONGOC_ENABLE_CRYPTO_LIBCRYPTO, 0)
     AC_SUBST(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO, 1)
 
     PHP_MONGODB_BUNDLED_CFLAGS="$PHP_MONGODB_BUNDLED_CFLAGS -DKMS_MESSAGE_ENABLE_CRYPTO=1 -DKMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO=1"
   elif test "$PHP_MONGODB_SSL" = "openssl"; then
     AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 1)
-    AC_SUBST(MONGOC_ENABLE_SSL_LIBRESSL, 0)
-    AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 0)
-    AC_SUBST(MONGOC_ENABLE_CRYPTO_LIBCRYPTO, 1)
-    AC_SUBST(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO, 0)
-
-    PHP_MONGODB_BUNDLED_CFLAGS="$PHP_MONGODB_BUNDLED_CFLAGS -DKMS_MESSAGE_ENABLE_CRYPTO=1 -DKMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO=1"
-  elif test "$PHP_MONGODB_SSL" = "libressl"; then
-    AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 0)
-    AC_SUBST(MONGOC_ENABLE_SSL_LIBRESSL, 1)
     AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 0)
     AC_SUBST(MONGOC_ENABLE_CRYPTO_LIBCRYPTO, 1)
     AC_SUBST(MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO, 0)
@@ -207,7 +173,6 @@ if test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "libressl" -o "$P
   fi
 else
   AC_SUBST(MONGOC_ENABLE_SSL, 0)
-  AC_SUBST(MONGOC_ENABLE_SSL_LIBRESSL, 0)
   AC_SUBST(MONGOC_ENABLE_SSL_OPENSSL, 0)
   AC_SUBST(MONGOC_ENABLE_SSL_SECURE_TRANSPORT, 0)
   AC_SUBST(MONGOC_ENABLE_CRYPTO, 0)

scripts/autotools/libmongocrypt/CheckSSL.m4

@@ -11,7 +11,7 @@ if test "$PHP_MONGODB_CLIENT_SIDE_ENCRYPTION" != "no"; then
     AC_SUBST(MONGOCRYPT_ENABLE_CRYPTO, 1)
     AC_SUBST(MONGOCRYPT_ENABLE_CRYPTO_LIBCRYPTO, 0)
     AC_SUBST(MONGOCRYPT_ENABLE_CRYPTO_COMMON_CRYPTO, 1)
-  elif test "$PHP_MONGODB_SSL" = "openssl" -o "$PHP_MONGODB_SSL" = "libressl"; then
+  elif test "$PHP_MONGODB_SSL" = "openssl"; then
     PHP_MONGODB_CLIENT_SIDE_ENCRYPTION="yes"
 
     AC_SUBST(MONGOCRYPT_ENABLE_CRYPTO, 1)

src/phongo_client.c

@@ -708,9 +708,9 @@ static mongoc_ssl_opt_t* php_phongo_make_ssl_opt(mongoc_uri_t* uri, zval* driver
 	}
 #endif
 
-#if defined(MONGOC_ENABLE_SSL_LIBRESSL) || defined(MONGOC_ENABLE_SSL_SECURE_TRANSPORT)
+#if defined(MONGOC_ENABLE_SSL_SECURE_TRANSPORT)
 	if (php_array_existsc(driverOptions, "crl_file")) {
-		phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT, "\"crl_file\" option is not supported by LibreSSL and Secure Transport");
+		phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT, "\"crl_file\" option is not supported by Secure Transport");
 		return NULL;
 	}
 #endif

tests/manager/manager-ctor-ssl-003.phpt

@@ -2,7 +2,7 @@
 MongoDB\Driver\Manager::__construct(): Specifying a driver option implicitly enables TLS
 --SKIPIF--
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
-<?php skip_if_not_libmongoc_ssl(['OpenSSL', 'LibreSSL']); ?>
+<?php skip_if_not_libmongoc_ssl(['OpenSSL']); ?>
 <?php skip_if_ssl(); ?>
 <?php skip_if_not_live(); ?>
 --FILE--

tests/utils/skipif.php

@@ -375,8 +375,8 @@ function skip_if_not_libmongoc_crypto(array $libs = [])
  * Skips the test if libmongoc does not support SSL.
  *
  * If one or more libaries are provided, additionally check that the reported
- * library is in that array. Possible values are "OpenSSL", "LibreSSL",
- * "Secure Transport", and "Secure Channel".
+ * library is in that array. Possible values are "OpenSSL", "Secure Transport",
+ * and "Secure Channel".
  *
  * @param array $libs Optional list of SSL libraries to require
  */