authorDamien Miller <djm@mindrot.org>2015-01-15 02:21:31 +1100
committerDamien Miller <djm@mindrot.org>2015-01-15 02:28:36 +1100
commit72ef7c148c42db7d5632a29f137f8b87b579f2d9 (patch)
tree47954a387f4260cc8b1e0ff33bbbaf22fd6f11fc /configure.ac
parent4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 (diff)
support --without-openssl at configure time
Disables and removes the dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on systems with a native arc4random or /dev/urandom. Considered highly experimental for now.
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac887
1 files changed, 465 insertions, 422 deletions
diff --git a/configure.ac b/configure.ac
index 13e25e98f..cb66f54b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -121,14 +121,34 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123 123
124openssl=yes
124ssh1=yes 125ssh1=yes
125AC_ARG_WITH([ssh1], 126AC_ARG_WITH([openssl],
126 [ --without-ssh1 Disable support for SSH protocol 1], 127 [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
127 [ if test "x$withval" = "xno" ; then 128 [ if test "x$withval" = "xno" ; then
129 openssl=no
128 ssh1=no 130 ssh1=no
129 fi 131 fi
130 ] 132 ]
131) 133)
134AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
135if test "x$openssl" = "xyes" ; then
136 AC_MSG_RESULT([yes])
137 AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
138else
139 AC_MSG_RESULT([no])
140fi
141
142AC_ARG_WITH([ssh1],
143 [ --without-ssh1 Disable support for SSH protocol 1],
144 [
145 if test "x$withval" = "xno" ; then
146 ssh1=no
147 elif test "x$openssl" = "xno" ; then
148 AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled])
149 fi
150 ]
151)
132AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) 152AC_MSG_CHECKING([whether SSH protocol 1 support is enabled])
133if test "x$ssh1" = "xyes" ; then 153if test "x$ssh1" = "xyes" ; then
134 AC_MSG_RESULT([yes]) 154 AC_MSG_RESULT([yes])
@@ -1312,7 +1332,7 @@ g.gl_statv = NULL;
1312 AC_MSG_RESULT([yes]) 1332 AC_MSG_RESULT([yes])
1313 ], [ 1333 ], [
1314 AC_MSG_RESULT([no]) 1334 AC_MSG_RESULT([no])
1315 1335
1316]) 1336])
1317 1337
1318AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) 1338AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
@@ -1705,10 +1725,13 @@ AC_LINK_IFELSE(
1705 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) 1725 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1706]) 1726])
1707 1727
1708# PKCS#11 support requires dlopen() and co 1728# PKCS11 depends on OpenSSL.
1709AC_SEARCH_LIBS([dlopen], [dl], 1729if test "x$openssl" = "xyes" ; then
1710 [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] 1730 # PKCS#11 support requires dlopen() and co
1711) 1731 AC_SEARCH_LIBS([dlopen], [dl],
1732 [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
1733 )
1734fi
1712 1735
1713# IRIX has a const char return value for gai_strerror() 1736# IRIX has a const char return value for gai_strerror()
1714AC_CHECK_FUNCS([gai_strerror], [ 1737AC_CHECK_FUNCS([gai_strerror], [
@@ -2197,6 +2220,9 @@ saved_LDFLAGS="$LDFLAGS"
2197AC_ARG_WITH([ssl-dir], 2220AC_ARG_WITH([ssl-dir],
2198 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], 2221 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
2199 [ 2222 [
2223 if test "x$openssl" = "xno" ; then
2224 AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2225 fi
2200 if test "x$withval" != "xno" ; then 2226 if test "x$withval" != "xno" ; then
2201 case "$withval" in 2227 case "$withval" in
2202 # Relative paths 2228 # Relative paths
@@ -2229,444 +2255,457 @@ AC_ARG_WITH([ssl-dir],
2229 fi 2255 fi
2230 ] 2256 ]
2231) 2257)
2232LIBS="-lcrypto $LIBS" 2258
2233AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], 2259AC_ARG_WITH([openssl-header-check],
2234 [Define if your ssl headers are included 2260 [ --without-openssl-header-check Disable OpenSSL version consistency check],
2235 with #include <openssl/header.h>])],
2236 [ 2261 [
2237 dnl Check default openssl install dir 2262 if test "x$withval" = "xno" ; then
2238 if test -n "${need_dash_r}"; then 2263 openssl_check_nonfatal=1
2239 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2240 else
2241 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2242 fi 2264 fi
2243 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2244 AC_CHECK_HEADER([openssl/opensslv.h], ,
2245 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2246 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2247 [
2248 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2249 ]
2250 )
2251 ] 2265 ]
2252) 2266)
2253 2267
2254# Determine OpenSSL header version 2268openssl_engine=no
2255AC_MSG_CHECKING([OpenSSL header version]) 2269AC_ARG_WITH([ssl-engine],
2256AC_RUN_IFELSE( 2270 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
2257 [AC_LANG_PROGRAM([[
2258#include <stdio.h>
2259#include <string.h>
2260#include <openssl/opensslv.h>
2261#define DATA "conftest.sslincver"
2262 ]], [[
2263 FILE *fd;
2264 int rc;
2265
2266 fd = fopen(DATA,"w");
2267 if(fd == NULL)
2268 exit(1);
2269
2270 if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
2271 exit(1);
2272
2273 exit(0);
2274 ]])],
2275 [
2276 ssl_header_ver=`cat conftest.sslincver`
2277 AC_MSG_RESULT([$ssl_header_ver])
2278 ],
2279 [
2280 AC_MSG_RESULT([not found])
2281 AC_MSG_ERROR([OpenSSL version header not found.])
2282 ],
2283 [ 2271 [
2284 AC_MSG_WARN([cross compiling: not checking]) 2272 if test "x$openssl" = "xno" ; then
2273 AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2274 fi
2275 if test "x$withval" != "xno" ; then
2276 openssl_engine=yes
2277 fi
2285 ] 2278 ]
2286) 2279)
2287 2280
2288# Determine OpenSSL library version 2281if test "x$openssl" = "xyes" ; then
2289AC_MSG_CHECKING([OpenSSL library version]) 2282 LIBS="-lcrypto $LIBS"
2290AC_RUN_IFELSE( 2283 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
2291 [AC_LANG_PROGRAM([[ 2284 [Define if your ssl headers are included
2292#include <stdio.h> 2285 with #include <openssl/header.h>])],
2293#include <string.h> 2286 [
2294#include <openssl/opensslv.h> 2287 dnl Check default openssl install dir
2295#include <openssl/crypto.h> 2288 if test -n "${need_dash_r}"; then
2296#define DATA "conftest.ssllibver" 2289 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2297 ]], [[ 2290 else
2298 FILE *fd; 2291 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2299 int rc; 2292 fi
2293 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2294 AC_CHECK_HEADER([openssl/opensslv.h], ,
2295 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2296 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2297 [
2298 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2299 ]
2300 )
2301 ]
2302 )
2300 2303
2301 fd = fopen(DATA,"w"); 2304 # Determine OpenSSL header version
2302 if(fd == NULL) 2305 AC_MSG_CHECKING([OpenSSL header version])
2303 exit(1); 2306 AC_RUN_IFELSE(
2307 [AC_LANG_PROGRAM([[
2308 #include <stdio.h>
2309 #include <string.h>
2310 #include <openssl/opensslv.h>
2311 #define DATA "conftest.sslincver"
2312 ]], [[
2313 FILE *fd;
2314 int rc;
2304 2315
2305 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), 2316 fd = fopen(DATA,"w");
2306 SSLeay_version(SSLEAY_VERSION))) <0) 2317 if(fd == NULL)
2307 exit(1); 2318 exit(1);
2308 2319
2309 exit(0); 2320 if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
2310 ]])], 2321 exit(1);
2311 [
2312 ssl_library_ver=`cat conftest.ssllibver`
2313 # Check version is supported.
2314 case "$ssl_library_ver" in
2315 0090[[0-7]]*|009080[[0-5]]*)
2316 AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
2317 ;;
2318 *) ;;
2319 esac
2320 AC_MSG_RESULT([$ssl_library_ver])
2321 ],
2322 [
2323 AC_MSG_RESULT([not found])
2324 AC_MSG_ERROR([OpenSSL library not found.])
2325 ],
2326 [
2327 AC_MSG_WARN([cross compiling: not checking])
2328 ]
2329)
2330 2322
2331# XXX make --without-openssl work 2323 exit(0);
2332AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) 2324 ]])],
2325 [
2326 ssl_header_ver=`cat conftest.sslincver`
2327 AC_MSG_RESULT([$ssl_header_ver])
2328 ],
2329 [
2330 AC_MSG_RESULT([not found])
2331 AC_MSG_ERROR([OpenSSL version header not found.])
2332 ],
2333 [
2334 AC_MSG_WARN([cross compiling: not checking])
2335 ]
2336 )
2333 2337
2334AC_ARG_WITH([openssl-header-check], 2338 # Determine OpenSSL library version
2335 [ --without-openssl-header-check Disable OpenSSL version consistency check], 2339 AC_MSG_CHECKING([OpenSSL library version])
2336 [ if test "x$withval" = "xno" ; then 2340 AC_RUN_IFELSE(
2337 openssl_check_nonfatal=1 2341 [AC_LANG_PROGRAM([[
2338 fi 2342 #include <stdio.h>
2339 ] 2343 #include <string.h>
2340) 2344 #include <openssl/opensslv.h>
2345 #include <openssl/crypto.h>
2346 #define DATA "conftest.ssllibver"
2347 ]], [[
2348 FILE *fd;
2349 int rc;
2341 2350
2342# Sanity check OpenSSL headers 2351 fd = fopen(DATA,"w");
2343AC_MSG_CHECKING([whether OpenSSL's headers match the library]) 2352 if(fd == NULL)
2344AC_RUN_IFELSE( 2353 exit(1);
2345 [AC_LANG_PROGRAM([[
2346#include <string.h>
2347#include <openssl/opensslv.h>
2348 ]], [[
2349 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2350 ]])],
2351 [
2352 AC_MSG_RESULT([yes])
2353 ],
2354 [
2355 AC_MSG_RESULT([no])
2356 if test "x$openssl_check_nonfatal" = "x"; then
2357 AC_MSG_ERROR([Your OpenSSL headers do not match your
2358library. Check config.log for details.
2359If you are sure your installation is consistent, you can disable the check
2360by running "./configure --without-openssl-header-check".
2361Also see contrib/findssl.sh for help identifying header/library mismatches.
2362])
2363 else
2364 AC_MSG_WARN([Your OpenSSL headers do not match your
2365library. Check config.log for details.
2366Also see contrib/findssl.sh for help identifying header/library mismatches.])
2367 fi
2368 ],
2369 [
2370 AC_MSG_WARN([cross compiling: not checking])
2371 ]
2372)
2373 2354
2374AC_MSG_CHECKING([if programs using OpenSSL functions will link]) 2355 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
2375AC_LINK_IFELSE( 2356 SSLeay_version(SSLEAY_VERSION))) <0)
2376 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], 2357 exit(1);
2377 [[ SSLeay_add_all_algorithms(); ]])],
2378 [
2379 AC_MSG_RESULT([yes])
2380 ],
2381 [
2382 AC_MSG_RESULT([no])
2383 saved_LIBS="$LIBS"
2384 LIBS="$LIBS -ldl"
2385 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2386 AC_LINK_IFELSE(
2387 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2388 [[ SSLeay_add_all_algorithms(); ]])],
2389 [
2390 AC_MSG_RESULT([yes])
2391 ],
2392 [
2393 AC_MSG_RESULT([no])
2394 LIBS="$saved_LIBS"
2395 ]
2396 )
2397 ]
2398)
2399 2358
2400AC_CHECK_FUNCS([ \ 2359 exit(0);
2401 BN_is_prime_ex \ 2360 ]])],
2402 DSA_generate_parameters_ex \ 2361 [
2403 EVP_DigestInit_ex \ 2362 ssl_library_ver=`cat conftest.ssllibver`
2404 EVP_DigestFinal_ex \ 2363 # Check version is supported.
2405 EVP_MD_CTX_init \ 2364 case "$ssl_library_ver" in
2406 EVP_MD_CTX_cleanup \ 2365 0090[[0-7]]*|009080[[0-5]]*)
2407 EVP_MD_CTX_copy_ex \ 2366 AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
2408 HMAC_CTX_init \ 2367 ;;
2409 RSA_generate_key_ex \ 2368 *) ;;
2410 RSA_get_default_method \ 2369 esac
2411]) 2370 AC_MSG_RESULT([$ssl_library_ver])
2371 ],
2372 [
2373 AC_MSG_RESULT([not found])
2374 AC_MSG_ERROR([OpenSSL library not found.])
2375 ],
2376 [
2377 AC_MSG_WARN([cross compiling: not checking])
2378 ]
2379 )
2412 2380
2413AC_ARG_WITH([ssl-engine], 2381 # Sanity check OpenSSL headers
2414 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], 2382 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2415 [ if test "x$withval" != "xno" ; then 2383 AC_RUN_IFELSE(
2384 [AC_LANG_PROGRAM([[
2385 #include <string.h>
2386 #include <openssl/opensslv.h>
2387 ]], [[
2388 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2389 ]])],
2390 [
2391 AC_MSG_RESULT([yes])
2392 ],
2393 [
2394 AC_MSG_RESULT([no])
2395 if test "x$openssl_check_nonfatal" = "x"; then
2396 AC_MSG_ERROR([Your OpenSSL headers do not match your
2397 library. Check config.log for details.
2398 If you are sure your installation is consistent, you can disable the check
2399 by running "./configure --without-openssl-header-check".
2400 Also see contrib/findssl.sh for help identifying header/library mismatches.
2401 ])
2402 else
2403 AC_MSG_WARN([Your OpenSSL headers do not match your
2404 library. Check config.log for details.
2405 Also see contrib/findssl.sh for help identifying header/library mismatches.])
2406 fi
2407 ],
2408 [
2409 AC_MSG_WARN([cross compiling: not checking])
2410 ]
2411 )
2412
2413 AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2414 AC_LINK_IFELSE(
2415 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2416 [[ SSLeay_add_all_algorithms(); ]])],
2417 [
2418 AC_MSG_RESULT([yes])
2419 ],
2420 [
2421 AC_MSG_RESULT([no])
2422 saved_LIBS="$LIBS"
2423 LIBS="$LIBS -ldl"
2424 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2425 AC_LINK_IFELSE(
2426 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2427 [[ SSLeay_add_all_algorithms(); ]])],
2428 [
2429 AC_MSG_RESULT([yes])
2430 ],
2431 [
2432 AC_MSG_RESULT([no])
2433 LIBS="$saved_LIBS"
2434 ]
2435 )
2436 ]
2437 )
2438
2439 AC_CHECK_FUNCS([ \
2440 BN_is_prime_ex \
2441 DSA_generate_parameters_ex \
2442 EVP_DigestInit_ex \
2443 EVP_DigestFinal_ex \
2444 EVP_MD_CTX_init \
2445 EVP_MD_CTX_cleanup \
2446 EVP_MD_CTX_copy_ex \
2447 HMAC_CTX_init \
2448 RSA_generate_key_ex \
2449 RSA_get_default_method \
2450 ])
2451
2452 if test "x$openssl_engine" = "xyes" ; then
2416 AC_MSG_CHECKING([for OpenSSL ENGINE support]) 2453 AC_MSG_CHECKING([for OpenSSL ENGINE support])
2417 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ 2454 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2418#include <openssl/engine.h> 2455 #include <openssl/engine.h>
2419 ]], [[ 2456 ]], [[
2420 ENGINE_load_builtin_engines(); 2457 ENGINE_load_builtin_engines();
2421 ENGINE_register_all_complete(); 2458 ENGINE_register_all_complete();
2422 ]])], 2459 ]])],
2423 [ AC_MSG_RESULT([yes]) 2460 [ AC_MSG_RESULT([yes])
2424 AC_DEFINE([USE_OPENSSL_ENGINE], [1], 2461 AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2425 [Enable OpenSSL engine support]) 2462 [Enable OpenSSL engine support])
2426 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) 2463 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2427 ]) 2464 ])
2428 fi ] 2465 fi
2429)
2430 2466
2431# Check for OpenSSL without EVP_aes_{192,256}_cbc 2467 # Check for OpenSSL without EVP_aes_{192,256}_cbc
2432AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) 2468 AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2433AC_LINK_IFELSE( 2469 AC_LINK_IFELSE(
2434 [AC_LANG_PROGRAM([[ 2470 [AC_LANG_PROGRAM([[
2435#include <string.h> 2471 #include <string.h>
2436#include <openssl/evp.h> 2472 #include <openssl/evp.h>
2437 ]], [[ 2473 ]], [[
2438 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); 2474 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2439 ]])], 2475 ]])],
2440 [ 2476 [
2441 AC_MSG_RESULT([no]) 2477 AC_MSG_RESULT([no])
2442 ], 2478 ],
2443 [ 2479 [
2444 AC_MSG_RESULT([yes]) 2480 AC_MSG_RESULT([yes])
2445 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], 2481 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2446 [libcrypto is missing AES 192 and 256 bit functions]) 2482 [libcrypto is missing AES 192 and 256 bit functions])
2447 ] 2483 ]
2448) 2484 )
2449 2485
2450# Check for OpenSSL with EVP_aes_*ctr 2486 # Check for OpenSSL with EVP_aes_*ctr
2451AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) 2487 AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2452AC_LINK_IFELSE( 2488 AC_LINK_IFELSE(
2453 [AC_LANG_PROGRAM([[ 2489 [AC_LANG_PROGRAM([[
2454#include <string.h> 2490 #include <string.h>
2455#include <openssl/evp.h> 2491 #include <openssl/evp.h>
2456 ]], [[ 2492 ]], [[
2457 exit(EVP_aes_128_ctr() == NULL || 2493 exit(EVP_aes_128_ctr() == NULL ||
2458 EVP_aes_192_cbc() == NULL || 2494 EVP_aes_192_cbc() == NULL ||
2459 EVP_aes_256_cbc() == NULL); 2495 EVP_aes_256_cbc() == NULL);
2460 ]])], 2496 ]])],
2461 [ 2497 [
2462 AC_MSG_RESULT([yes]) 2498 AC_MSG_RESULT([yes])
2463 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], 2499 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2464 [libcrypto has EVP AES CTR]) 2500 [libcrypto has EVP AES CTR])
2465 ], 2501 ],
2466 [ 2502 [
2467 AC_MSG_RESULT([no]) 2503 AC_MSG_RESULT([no])
2468 ] 2504 ]
2469) 2505 )
2470 2506
2471# Check for OpenSSL with EVP_aes_*gcm 2507 # Check for OpenSSL with EVP_aes_*gcm
2472AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) 2508 AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2473AC_LINK_IFELSE( 2509 AC_LINK_IFELSE(
2474 [AC_LANG_PROGRAM([[ 2510 [AC_LANG_PROGRAM([[
2475#include <string.h> 2511 #include <string.h>
2476#include <openssl/evp.h> 2512 #include <openssl/evp.h>
2477 ]], [[ 2513 ]], [[
2478 exit(EVP_aes_128_gcm() == NULL || 2514 exit(EVP_aes_128_gcm() == NULL ||
2479 EVP_aes_256_gcm() == NULL || 2515 EVP_aes_256_gcm() == NULL ||
2480 EVP_CTRL_GCM_SET_IV_FIXED == 0 || 2516 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2481 EVP_CTRL_GCM_IV_GEN == 0 || 2517 EVP_CTRL_GCM_IV_GEN == 0 ||
2482 EVP_CTRL_GCM_SET_TAG == 0 || 2518 EVP_CTRL_GCM_SET_TAG == 0 ||
2483 EVP_CTRL_GCM_GET_TAG == 0 || 2519 EVP_CTRL_GCM_GET_TAG == 0 ||
2484 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); 2520 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2485 ]])], 2521 ]])],
2486 [ 2522 [
2487 AC_MSG_RESULT([yes]) 2523 AC_MSG_RESULT([yes])
2488 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], 2524 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2489 [libcrypto has EVP AES GCM]) 2525 [libcrypto has EVP AES GCM])
2490 ], 2526 ],
2491 [ 2527 [
2492 AC_MSG_RESULT([no]) 2528 AC_MSG_RESULT([no])
2493 unsupported_algorithms="$unsupported_cipers \ 2529 unsupported_algorithms="$unsupported_cipers \
2494 aes128-gcm@openssh.com aes256-gcm@openssh.com" 2530 aes128-gcm@openssh.com aes256-gcm@openssh.com"
2495 ] 2531 ]
2496) 2532 )
2497 2533
2498AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], 2534 AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2499 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], 2535 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2500 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) 2536 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2501 2537
2502AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) 2538 AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2503AC_LINK_IFELSE( 2539 AC_LINK_IFELSE(
2504 [AC_LANG_PROGRAM([[ 2540 [AC_LANG_PROGRAM([[
2505#include <string.h> 2541 #include <string.h>
2506#include <openssl/evp.h> 2542 #include <openssl/evp.h>
2507 ]], [[ 2543 ]], [[
2508 if(EVP_DigestUpdate(NULL, NULL,0)) 2544 if(EVP_DigestUpdate(NULL, NULL,0))
2509 exit(0); 2545 exit(0);
2510 ]])], 2546 ]])],
2511 [ 2547 [
2512 AC_MSG_RESULT([yes]) 2548 AC_MSG_RESULT([yes])
2513 ], 2549 ],
2514 [ 2550 [
2515 AC_MSG_RESULT([no]) 2551 AC_MSG_RESULT([no])
2516 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], 2552 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2517 [Define if EVP_DigestUpdate returns void]) 2553 [Define if EVP_DigestUpdate returns void])
2518 ] 2554 ]
2519) 2555 )
2520 2556
2521# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 2557 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2522# because the system crypt() is more featureful. 2558 # because the system crypt() is more featureful.
2523if test "x$check_for_libcrypt_before" = "x1"; then 2559 if test "x$check_for_libcrypt_before" = "x1"; then
2524 AC_CHECK_LIB([crypt], [crypt]) 2560 AC_CHECK_LIB([crypt], [crypt])
2525fi 2561 fi
2526 2562
2527# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 2563 # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2528# version in OpenSSL. 2564 # version in OpenSSL.
2529if test "x$check_for_libcrypt_later" = "x1"; then 2565 if test "x$check_for_libcrypt_later" = "x1"; then
2530 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) 2566 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2531fi 2567 fi
2532AC_CHECK_FUNCS([crypt DES_crypt])
2533
2534# Search for SHA256 support in libc and/or OpenSSL
2535AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2536 [unsupported_algorithms="$unsupported_algorithms \
2537 hmac-sha2-256 hmac-sha2-512 \
2538 diffie-hellman-group-exchange-sha256 \
2539 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2540 ]
2541)
2542# Search for RIPE-MD support in OpenSSL
2543AC_CHECK_FUNCS([EVP_ripemd160], ,
2544 [unsupported_algorithms="$unsupported_algorithms \
2545 hmac-ripemd160
2546 hmac-ripemd160@openssh.com
2547 hmac-ripemd160-etm@openssh.com"
2548 ]
2549)
2550 2568
2551# Check complete ECC support in OpenSSL 2569 # Search for SHA256 support in libc and/or OpenSSL
2552AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) 2570 AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2553AC_LINK_IFELSE( 2571 [unsupported_algorithms="$unsupported_algorithms \
2554 [AC_LANG_PROGRAM([[ 2572 hmac-sha2-256 hmac-sha2-512 \
2555#include <openssl/ec.h> 2573 diffie-hellman-group-exchange-sha256 \
2556#include <openssl/ecdh.h> 2574 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2557#include <openssl/ecdsa.h> 2575 ]
2558#include <openssl/evp.h> 2576 )
2559#include <openssl/objects.h> 2577 # Search for RIPE-MD support in OpenSSL
2560#include <openssl/opensslv.h> 2578 AC_CHECK_FUNCS([EVP_ripemd160], ,
2561#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2579 [unsupported_algorithms="$unsupported_algorithms \
2562# error "OpenSSL < 0.9.8g has unreliable ECC code" 2580 hmac-ripemd160
2563#endif 2581 hmac-ripemd160@openssh.com
2564 ]], [[ 2582 hmac-ripemd160-etm@openssh.com"
2565 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 2583 ]
2566 const EVP_MD *m = EVP_sha256(); /* We need this too */ 2584 )
2567 ]])],
2568 [ AC_MSG_RESULT([yes])
2569 enable_nistp256=1 ],
2570 [ AC_MSG_RESULT([no]) ]
2571)
2572 2585
2573AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) 2586 # Check complete ECC support in OpenSSL
2574AC_LINK_IFELSE( 2587 AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2575 [AC_LANG_PROGRAM([[ 2588 AC_LINK_IFELSE(
2576#include <openssl/ec.h> 2589 [AC_LANG_PROGRAM([[
2577#include <openssl/ecdh.h> 2590 #include <openssl/ec.h>
2578#include <openssl/ecdsa.h> 2591 #include <openssl/ecdh.h>
2579#include <openssl/evp.h> 2592 #include <openssl/ecdsa.h>
2580#include <openssl/objects.h> 2593 #include <openssl/evp.h>
2581#include <openssl/opensslv.h> 2594 #include <openssl/objects.h>
2582#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2595 #include <openssl/opensslv.h>
2583# error "OpenSSL < 0.9.8g has unreliable ECC code" 2596 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2584#endif 2597 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2585 ]], [[ 2598 #endif
2586 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); 2599 ]], [[
2587 const EVP_MD *m = EVP_sha384(); /* We need this too */ 2600 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2588 ]])], 2601 const EVP_MD *m = EVP_sha256(); /* We need this too */
2589 [ AC_MSG_RESULT([yes]) 2602 ]])],
2590 enable_nistp384=1 ], 2603 [ AC_MSG_RESULT([yes])
2591 [ AC_MSG_RESULT([no]) ] 2604 enable_nistp256=1 ],
2592) 2605 [ AC_MSG_RESULT([no]) ]
2606 )
2593 2607
2594AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) 2608 AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
2595AC_LINK_IFELSE( 2609 AC_LINK_IFELSE(
2596 [AC_LANG_PROGRAM([[ 2610 [AC_LANG_PROGRAM([[
2597#include <openssl/ec.h> 2611 #include <openssl/ec.h>
2598#include <openssl/ecdh.h> 2612 #include <openssl/ecdh.h>
2599#include <openssl/ecdsa.h> 2613 #include <openssl/ecdsa.h>
2600#include <openssl/evp.h> 2614 #include <openssl/evp.h>
2601#include <openssl/objects.h> 2615 #include <openssl/objects.h>
2602#include <openssl/opensslv.h> 2616 #include <openssl/opensslv.h>
2603#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2617 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2604# error "OpenSSL < 0.9.8g has unreliable ECC code" 2618 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2605#endif 2619 #endif
2606 ]], [[ 2620 ]], [[
2607 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2621 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
2608 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2622 const EVP_MD *m = EVP_sha384(); /* We need this too */
2609 ]])], 2623 ]])],
2610 [ AC_MSG_RESULT([yes]) 2624 [ AC_MSG_RESULT([yes])
2611 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) 2625 enable_nistp384=1 ],
2612 AC_RUN_IFELSE( 2626 [ AC_MSG_RESULT([no]) ]
2627 )
2628
2629 AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2630 AC_LINK_IFELSE(
2613 [AC_LANG_PROGRAM([[ 2631 [AC_LANG_PROGRAM([[
2614#include <openssl/ec.h> 2632 #include <openssl/ec.h>
2615#include <openssl/ecdh.h> 2633 #include <openssl/ecdh.h>
2616#include <openssl/ecdsa.h> 2634 #include <openssl/ecdsa.h>
2617#include <openssl/evp.h> 2635 #include <openssl/evp.h>
2618#include <openssl/objects.h> 2636 #include <openssl/objects.h>
2619#include <openssl/opensslv.h> 2637 #include <openssl/opensslv.h>
2620 ]],[[ 2638 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2639 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2640 #endif
2641 ]], [[
2621 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2642 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2622 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2643 const EVP_MD *m = EVP_sha512(); /* We need this too */
2623 exit(e == NULL || m == NULL);
2624 ]])], 2644 ]])],
2625 [ AC_MSG_RESULT([yes]) 2645 [ AC_MSG_RESULT([yes])
2626 enable_nistp521=1 ], 2646 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2627 [ AC_MSG_RESULT([no]) ], 2647 AC_RUN_IFELSE(
2628 [ AC_MSG_WARN([cross-compiling: assuming yes]) 2648 [AC_LANG_PROGRAM([[
2629 enable_nistp521=1 ] 2649 #include <openssl/ec.h>
2630 )], 2650 #include <openssl/ecdh.h>
2631 AC_MSG_RESULT([no]) 2651 #include <openssl/ecdsa.h>
2632) 2652 #include <openssl/evp.h>
2653 #include <openssl/objects.h>
2654 #include <openssl/opensslv.h>
2655 ]],[[
2656 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2657 const EVP_MD *m = EVP_sha512(); /* We need this too */
2658 exit(e == NULL || m == NULL);
2659 ]])],
2660 [ AC_MSG_RESULT([yes])
2661 enable_nistp521=1 ],
2662 [ AC_MSG_RESULT([no]) ],
2663 [ AC_MSG_WARN([cross-compiling: assuming yes])
2664 enable_nistp521=1 ]
2665 )],
2666 AC_MSG_RESULT([no])
2667 )
2633 2668
2634COMMENT_OUT_ECC="#no ecc#" 2669 COMMENT_OUT_ECC="#no ecc#"
2635TEST_SSH_ECC=no 2670 TEST_SSH_ECC=no
2636 2671
2637if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ 2672 if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
2638 test x$enable_nistp521 = x1; then 2673 test x$enable_nistp521 = x1; then
2639 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) 2674 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
2640fi 2675 fi
2641if test x$enable_nistp256 = x1; then 2676 if test x$enable_nistp256 = x1; then
2642 AC_DEFINE([OPENSSL_HAS_NISTP256], [1], 2677 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
2643 [libcrypto has NID_X9_62_prime256v1]) 2678 [libcrypto has NID_X9_62_prime256v1])
2644 TEST_SSH_ECC=yes 2679 TEST_SSH_ECC=yes
2645 COMMENT_OUT_ECC="" 2680 COMMENT_OUT_ECC=""
2646else 2681 else
2647 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ 2682 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
2648 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" 2683 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
2649fi 2684 fi
2650if test x$enable_nistp384 = x1; then 2685 if test x$enable_nistp384 = x1; then
2651 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) 2686 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
2652 TEST_SSH_ECC=yes 2687 TEST_SSH_ECC=yes
2653 COMMENT_OUT_ECC="" 2688 COMMENT_OUT_ECC=""
2654else 2689 else
2655 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ 2690 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
2656 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" 2691 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
2657fi 2692 fi
2658if test x$enable_nistp521 = x1; then 2693 if test x$enable_nistp521 = x1; then
2659 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) 2694 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
2660 TEST_SSH_ECC=yes 2695 TEST_SSH_ECC=yes
2661 COMMENT_OUT_ECC="" 2696 COMMENT_OUT_ECC=""
2697 else
2698 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
2699 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
2700 fi
2701
2702 AC_SUBST([TEST_SSH_ECC])
2703 AC_SUBST([COMMENT_OUT_ECC])
2662else 2704else
2663 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ 2705 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2664 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" 2706 AC_CHECK_FUNCS([crypt DES_crypt])
2665fi 2707fi
2666 2708
2667AC_SUBST([TEST_SSH_ECC])
2668AC_SUBST([COMMENT_OUT_ECC])
2669
2670AC_CHECK_FUNCS([ \ 2709AC_CHECK_FUNCS([ \
2671 arc4random \ 2710 arc4random \
2672 arc4random_buf \ 2711 arc4random_buf \
@@ -2687,28 +2726,30 @@ LIBS="$saved_LIBS"
2687### Configure cryptographic random number support 2726### Configure cryptographic random number support
2688 2727
2689# Check wheter OpenSSL seeds itself 2728# Check wheter OpenSSL seeds itself
2690AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) 2729if test "x$openssl" = "xyes" ; then
2691AC_RUN_IFELSE( 2730 AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
2692 [AC_LANG_PROGRAM([[ 2731 AC_RUN_IFELSE(
2693#include <string.h> 2732 [AC_LANG_PROGRAM([[
2694#include <openssl/rand.h> 2733 #include <string.h>
2695 ]], [[ 2734 #include <openssl/rand.h>
2696 exit(RAND_status() == 1 ? 0 : 1); 2735 ]], [[
2697 ]])], 2736 exit(RAND_status() == 1 ? 0 : 1);
2698 [ 2737 ]])],
2699 OPENSSL_SEEDS_ITSELF=yes 2738 [
2700 AC_MSG_RESULT([yes]) 2739 OPENSSL_SEEDS_ITSELF=yes
2701 ], 2740 AC_MSG_RESULT([yes])
2702 [ 2741 ],
2703 AC_MSG_RESULT([no]) 2742 [
2704 ], 2743 AC_MSG_RESULT([no])
2705 [ 2744 ],
2706 AC_MSG_WARN([cross compiling: assuming yes]) 2745 [
2707 # This is safe, since we will fatal() at runtime if 2746 AC_MSG_WARN([cross compiling: assuming yes])
2708 # OpenSSL is not seeded correctly. 2747 # This is safe, since we will fatal() at runtime if
2709 OPENSSL_SEEDS_ITSELF=yes 2748 # OpenSSL is not seeded correctly.
2710 ] 2749 OPENSSL_SEEDS_ITSELF=yes
2711) 2750 ]
2751 )
2752fi
2712 2753
2713# PRNGD TCP socket 2754# PRNGD TCP socket
2714AC_ARG_WITH([prngd-port], 2755AC_ARG_WITH([prngd-port],
@@ -2790,8 +2831,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then
2790 RAND_MSG="PRNGd socket $PRNGD_SOCKET" 2831 RAND_MSG="PRNGd socket $PRNGD_SOCKET"
2791elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then 2832elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
2792 AC_DEFINE([OPENSSL_PRNG_ONLY], [1], 2833 AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
2793 [Define if you want OpenSSL's internally seeded PRNG only]) 2834 [Define if you want the OpenSSL internally seeded PRNG only])
2794 RAND_MSG="OpenSSL internal ONLY" 2835 RAND_MSG="OpenSSL internal ONLY"
2836elif test "x$openssl" = "xno" ; then
2837 AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
2795else 2838else
2796 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) 2839 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
2797fi 2840fi
@@ -2853,7 +2896,7 @@ if test "x$PAM_MSG" = "xyes" ; then
2853 which takes only one argument to pam_strerror]) 2896 which takes only one argument to pam_strerror])
2854 AC_MSG_RESULT([yes]) 2897 AC_MSG_RESULT([yes])
2855 PAM_MSG="yes (old library)" 2898 PAM_MSG="yes (old library)"
2856 2899
2857 ]) 2900 ])
2858fi 2901fi
2859 2902
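Review bot: The OpenSSL-enabled branch of the new `if test "x$openssl" = "xyes"` block (new lines 2281-2703) no longer runs `AC_CHECK_FUNCS([crypt DES_crypt])`: the previously unconditional call at old line 2532 is removed, and on the new side it survives only in the `else` branch at new line 2706, so a default libcrypto build stops defining HAVE_CRYPT and HAVE_DES_CRYPT. Whatever source keys on those macros (presumably the crypt(3) compatibility code — worth confirming) will silently see them undefined in the most common configuration. The libcrypt library probes at new lines 2557-2567 are kept, so the fix is to restore the function check directly after them inside the OpenSSL branch: `AC_CHECK_FUNCS([crypt DES_crypt])`. Alternatively, place that single call after the closing `fi` at new line 2707 so both branches share it and the `else` branch drops its copy.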