Only enable U2F if OpenSSL supports ECC.

This requires moving the U2F bits to below the OpenSSL parts so we have the required information. ok djm@
author: Darren Tucker <dtucker@dtucker.net> 2019-11-02 16:39:38 +1100
committer: Darren Tucker <dtucker@dtucker.net> 2019-11-02 16:39:38 +1100
commit: f5cc5816aaddb8eca3cba193f53e99d6a0b37d05 (patch)
tree: 806820158e00a433744f3742d8eafe10fe8faf93
parent: ad38406fc95fa223b0ef2edf8ff50508f8ab1cb6 (diff)
1 files changed, 40 insertions, 34 deletions
diff --git a/configure.ac b/configure.ac
index 4baaa62a8..bc28d0748 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1909,44 +1909,10 @@ AC_ARG_ENABLE([security-key],
        ]
 )
-# PKCS11/U2F depend on OpenSSL and dlopen().
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
 AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
-enable_pkcs11=yes
-enable_sk=yes
-if test "x$openssl" != "xyes" ; then
-        enable_pkcs11="disabled; missing libcrypto"
-        enable_sk="disabled; missing libcrypto"
-fi
-if test "x$ac_cv_func_dlopen" != "xyes" ; then
-        enable_pkcs11="disabled; missing dlopen(3)"
-        enable_sk="disabled; missing dlopen(3)"
-fi
-if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
-        enable_pkcs11="disabled; missing RTLD_NOW"
-        enable_sk="disabled; missing RTLD_NOW"
-fi
-if test ! -z "$disable_pkcs11" ; then
-        enable_pkcs11="disabled by user"
-fi
-if test ! -z "$disable_sk" ; then
-        enable_sk="disabled by user"
-fi
-AC_MSG_CHECKING([whether to enable PKCS11])
-if test "x$enable_pkcs11" = "xyes" ; then
-        AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
-fi
-AC_MSG_RESULT([$enable_pkcs11])
-AC_MSG_CHECKING([whether to enable U2F])
-if test "x$enable_sk" = "xyes" ; then
-        AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
-fi
-AC_MSG_RESULT([$enable_sk])
 # IRIX has a const char return value for gai_strerror()
 AC_CHECK_FUNCS([gai_strerror], [
        AC_DEFINE([HAVE_GAI_STRERROR])
@@ -3015,6 +2981,9 @@ if test "x$openssl" = "xyes" ; then
            test x$enable_nistp521 = x1; then
                AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
                AC_CHECK_FUNCS([EC_KEY_METHOD_new])
+                openssl_ecc=yes
+        else
+                openssl_ecc=no
        fi
        if test x$enable_nistp256 = x1; then
                AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
@@ -3055,6 +3024,43 @@ else
        AC_CHECK_FUNCS([crypt])
 fi
+# PKCS11/U2F depend on OpenSSL and dlopen().
+enable_pkcs11=yes
+enable_sk=yes
+if test "x$openssl" != "xyes" ; then
+        enable_pkcs11="disabled; missing libcrypto"
+        enable_sk="disabled; missing libcrypto"
+fi
+if test "x$openssl_ecc" != "xyes" ; then
+        enable_sk="disabled; OpenSSL has no ECC support"
+fi
+if test "x$ac_cv_func_dlopen" != "xyes" ; then
+        enable_pkcs11="disabled; missing dlopen(3)"
+        enable_sk="disabled; missing dlopen(3)"
+fi
+if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
+        enable_pkcs11="disabled; missing RTLD_NOW"
+        enable_sk="disabled; missing RTLD_NOW"
+fi
+if test ! -z "$disable_pkcs11" ; then
+        enable_pkcs11="disabled by user"
+fi
+if test ! -z "$disable_sk" ; then
+        enable_sk="disabled by user"
+fi
+AC_MSG_CHECKING([whether to enable PKCS11])
+if test "x$enable_pkcs11" = "xyes" ; then
+        AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
+fi
+AC_MSG_RESULT([$enable_pkcs11])
+AC_MSG_CHECKING([whether to enable U2F])
+if test "x$enable_sk" = "xyes" ; then
+        AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
+fi
+AC_MSG_RESULT([$enable_sk])
 AC_CHECK_FUNCS([ \
        arc4random \
        arc4random_buf \
author	Darren Tucker <dtucker@dtucker.net>	2019-11-02 16:39:38 +1100
committer	Darren Tucker <dtucker@dtucker.net>	2019-11-02 16:39:38 +1100
commit	f5cc5816aaddb8eca3cba193f53e99d6a0b37d05 (patch)
tree	806820158e00a433744f3742d8eafe10fe8faf93
parent	ad38406fc95fa223b0ef2edf8ff50508f8ab1cb6 (diff)