diff options
author | Damien Miller <djm@mindrot.org> | 2015-01-15 02:21:31 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-15 02:28:36 +1100 |
commit | 72ef7c148c42db7d5632a29f137f8b87b579f2d9 (patch) | |
tree | 47954a387f4260cc8b1e0ff33bbbaf22fd6f11fc /configure.ac | |
parent | 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 (diff) |
support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 887 |
1 files changed, 465 insertions, 422 deletions
diff --git a/configure.ac b/configure.ac index 13e25e98f..cb66f54b1 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -121,14 +121,34 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | 123 | ||
124 | openssl=yes | ||
124 | ssh1=yes | 125 | ssh1=yes |
125 | AC_ARG_WITH([ssh1], | 126 | AC_ARG_WITH([openssl], |
126 | [ --without-ssh1 Disable support for SSH protocol 1], | 127 | [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], |
127 | [ if test "x$withval" = "xno" ; then | 128 | [ if test "x$withval" = "xno" ; then |
129 | openssl=no | ||
128 | ssh1=no | 130 | ssh1=no |
129 | fi | 131 | fi |
130 | ] | 132 | ] |
131 | ) | 133 | ) |
134 | AC_MSG_CHECKING([whether OpenSSL will be used for cryptography]) | ||
135 | if test "x$openssl" = "xyes" ; then | ||
136 | AC_MSG_RESULT([yes]) | ||
137 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | ||
138 | else | ||
139 | AC_MSG_RESULT([no]) | ||
140 | fi | ||
141 | |||
142 | AC_ARG_WITH([ssh1], | ||
143 | [ --without-ssh1 Disable support for SSH protocol 1], | ||
144 | [ | ||
145 | if test "x$withval" = "xno" ; then | ||
146 | ssh1=no | ||
147 | elif test "x$openssl" = "xno" ; then | ||
148 | AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) | ||
149 | fi | ||
150 | ] | ||
151 | ) | ||
132 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) | 152 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) |
133 | if test "x$ssh1" = "xyes" ; then | 153 | if test "x$ssh1" = "xyes" ; then |
134 | AC_MSG_RESULT([yes]) | 154 | AC_MSG_RESULT([yes]) |
@@ -1312,7 +1332,7 @@ g.gl_statv = NULL; | |||
1312 | AC_MSG_RESULT([yes]) | 1332 | AC_MSG_RESULT([yes]) |
1313 | ], [ | 1333 | ], [ |
1314 | AC_MSG_RESULT([no]) | 1334 | AC_MSG_RESULT([no]) |
1315 | 1335 | ||
1316 | ]) | 1336 | ]) |
1317 | 1337 | ||
1318 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) | 1338 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) |
@@ -1705,10 +1725,13 @@ AC_LINK_IFELSE( | |||
1705 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) | 1725 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) |
1706 | ]) | 1726 | ]) |
1707 | 1727 | ||
1708 | # PKCS#11 support requires dlopen() and co | 1728 | # PKCS11 depends on OpenSSL. |
1709 | AC_SEARCH_LIBS([dlopen], [dl], | 1729 | if test "x$openssl" = "xyes" ; then |
1710 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | 1730 | # PKCS#11 support requires dlopen() and co |
1711 | ) | 1731 | AC_SEARCH_LIBS([dlopen], [dl], |
1732 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | ||
1733 | ) | ||
1734 | fi | ||
1712 | 1735 | ||
1713 | # IRIX has a const char return value for gai_strerror() | 1736 | # IRIX has a const char return value for gai_strerror() |
1714 | AC_CHECK_FUNCS([gai_strerror], [ | 1737 | AC_CHECK_FUNCS([gai_strerror], [ |
@@ -2197,6 +2220,9 @@ saved_LDFLAGS="$LDFLAGS" | |||
2197 | AC_ARG_WITH([ssl-dir], | 2220 | AC_ARG_WITH([ssl-dir], |
2198 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], | 2221 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], |
2199 | [ | 2222 | [ |
2223 | if test "x$openssl" = "xno" ; then | ||
2224 | AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled]) | ||
2225 | fi | ||
2200 | if test "x$withval" != "xno" ; then | 2226 | if test "x$withval" != "xno" ; then |
2201 | case "$withval" in | 2227 | case "$withval" in |
2202 | # Relative paths | 2228 | # Relative paths |
@@ -2229,444 +2255,457 @@ AC_ARG_WITH([ssl-dir], | |||
2229 | fi | 2255 | fi |
2230 | ] | 2256 | ] |
2231 | ) | 2257 | ) |
2232 | LIBS="-lcrypto $LIBS" | 2258 | |
2233 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], | 2259 | AC_ARG_WITH([openssl-header-check], |
2234 | [Define if your ssl headers are included | 2260 | [ --without-openssl-header-check Disable OpenSSL version consistency check], |
2235 | with #include <openssl/header.h>])], | ||
2236 | [ | 2261 | [ |
2237 | dnl Check default openssl install dir | 2262 | if test "x$withval" = "xno" ; then |
2238 | if test -n "${need_dash_r}"; then | 2263 | openssl_check_nonfatal=1 |
2239 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2240 | else | ||
2241 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2242 | fi | 2264 | fi |
2243 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2244 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2245 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2246 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2247 | [ | ||
2248 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2249 | ] | ||
2250 | ) | ||
2251 | ] | 2265 | ] |
2252 | ) | 2266 | ) |
2253 | 2267 | ||
2254 | # Determine OpenSSL header version | 2268 | openssl_engine=no |
2255 | AC_MSG_CHECKING([OpenSSL header version]) | 2269 | AC_ARG_WITH([ssl-engine], |
2256 | AC_RUN_IFELSE( | 2270 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], |
2257 | [AC_LANG_PROGRAM([[ | ||
2258 | #include <stdio.h> | ||
2259 | #include <string.h> | ||
2260 | #include <openssl/opensslv.h> | ||
2261 | #define DATA "conftest.sslincver" | ||
2262 | ]], [[ | ||
2263 | FILE *fd; | ||
2264 | int rc; | ||
2265 | |||
2266 | fd = fopen(DATA,"w"); | ||
2267 | if(fd == NULL) | ||
2268 | exit(1); | ||
2269 | |||
2270 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) | ||
2271 | exit(1); | ||
2272 | |||
2273 | exit(0); | ||
2274 | ]])], | ||
2275 | [ | ||
2276 | ssl_header_ver=`cat conftest.sslincver` | ||
2277 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2278 | ], | ||
2279 | [ | ||
2280 | AC_MSG_RESULT([not found]) | ||
2281 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2282 | ], | ||
2283 | [ | 2271 | [ |
2284 | AC_MSG_WARN([cross compiling: not checking]) | 2272 | if test "x$openssl" = "xno" ; then |
2273 | AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) | ||
2274 | fi | ||
2275 | if test "x$withval" != "xno" ; then | ||
2276 | openssl_engine=yes | ||
2277 | fi | ||
2285 | ] | 2278 | ] |
2286 | ) | 2279 | ) |
2287 | 2280 | ||
2288 | # Determine OpenSSL library version | 2281 | if test "x$openssl" = "xyes" ; then |
2289 | AC_MSG_CHECKING([OpenSSL library version]) | 2282 | LIBS="-lcrypto $LIBS" |
2290 | AC_RUN_IFELSE( | 2283 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], |
2291 | [AC_LANG_PROGRAM([[ | 2284 | [Define if your ssl headers are included |
2292 | #include <stdio.h> | 2285 | with #include <openssl/header.h>])], |
2293 | #include <string.h> | 2286 | [ |
2294 | #include <openssl/opensslv.h> | 2287 | dnl Check default openssl install dir |
2295 | #include <openssl/crypto.h> | 2288 | if test -n "${need_dash_r}"; then |
2296 | #define DATA "conftest.ssllibver" | 2289 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" |
2297 | ]], [[ | 2290 | else |
2298 | FILE *fd; | 2291 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" |
2299 | int rc; | 2292 | fi |
2293 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2294 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2295 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2296 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2297 | [ | ||
2298 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2299 | ] | ||
2300 | ) | ||
2301 | ] | ||
2302 | ) | ||
2300 | 2303 | ||
2301 | fd = fopen(DATA,"w"); | 2304 | # Determine OpenSSL header version |
2302 | if(fd == NULL) | 2305 | AC_MSG_CHECKING([OpenSSL header version]) |
2303 | exit(1); | 2306 | AC_RUN_IFELSE( |
2307 | [AC_LANG_PROGRAM([[ | ||
2308 | #include <stdio.h> | ||
2309 | #include <string.h> | ||
2310 | #include <openssl/opensslv.h> | ||
2311 | #define DATA "conftest.sslincver" | ||
2312 | ]], [[ | ||
2313 | FILE *fd; | ||
2314 | int rc; | ||
2304 | 2315 | ||
2305 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), | 2316 | fd = fopen(DATA,"w"); |
2306 | SSLeay_version(SSLEAY_VERSION))) <0) | 2317 | if(fd == NULL) |
2307 | exit(1); | 2318 | exit(1); |
2308 | 2319 | ||
2309 | exit(0); | 2320 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) |
2310 | ]])], | 2321 | exit(1); |
2311 | [ | ||
2312 | ssl_library_ver=`cat conftest.ssllibver` | ||
2313 | # Check version is supported. | ||
2314 | case "$ssl_library_ver" in | ||
2315 | 0090[[0-7]]*|009080[[0-5]]*) | ||
2316 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) | ||
2317 | ;; | ||
2318 | *) ;; | ||
2319 | esac | ||
2320 | AC_MSG_RESULT([$ssl_library_ver]) | ||
2321 | ], | ||
2322 | [ | ||
2323 | AC_MSG_RESULT([not found]) | ||
2324 | AC_MSG_ERROR([OpenSSL library not found.]) | ||
2325 | ], | ||
2326 | [ | ||
2327 | AC_MSG_WARN([cross compiling: not checking]) | ||
2328 | ] | ||
2329 | ) | ||
2330 | 2322 | ||
2331 | # XXX make --without-openssl work | 2323 | exit(0); |
2332 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | 2324 | ]])], |
2325 | [ | ||
2326 | ssl_header_ver=`cat conftest.sslincver` | ||
2327 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2328 | ], | ||
2329 | [ | ||
2330 | AC_MSG_RESULT([not found]) | ||
2331 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2332 | ], | ||
2333 | [ | ||
2334 | AC_MSG_WARN([cross compiling: not checking]) | ||
2335 | ] | ||
2336 | ) | ||
2333 | 2337 | ||
2334 | AC_ARG_WITH([openssl-header-check], | 2338 | # Determine OpenSSL library version |
2335 | [ --without-openssl-header-check Disable OpenSSL version consistency check], | 2339 | AC_MSG_CHECKING([OpenSSL library version]) |
2336 | [ if test "x$withval" = "xno" ; then | 2340 | AC_RUN_IFELSE( |
2337 | openssl_check_nonfatal=1 | 2341 | [AC_LANG_PROGRAM([[ |
2338 | fi | 2342 | #include <stdio.h> |
2339 | ] | 2343 | #include <string.h> |
2340 | ) | 2344 | #include <openssl/opensslv.h> |
2345 | #include <openssl/crypto.h> | ||
2346 | #define DATA "conftest.ssllibver" | ||
2347 | ]], [[ | ||
2348 | FILE *fd; | ||
2349 | int rc; | ||
2341 | 2350 | ||
2342 | # Sanity check OpenSSL headers | 2351 | fd = fopen(DATA,"w"); |
2343 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) | 2352 | if(fd == NULL) |
2344 | AC_RUN_IFELSE( | 2353 | exit(1); |
2345 | [AC_LANG_PROGRAM([[ | ||
2346 | #include <string.h> | ||
2347 | #include <openssl/opensslv.h> | ||
2348 | ]], [[ | ||
2349 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2350 | ]])], | ||
2351 | [ | ||
2352 | AC_MSG_RESULT([yes]) | ||
2353 | ], | ||
2354 | [ | ||
2355 | AC_MSG_RESULT([no]) | ||
2356 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2357 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2358 | library. Check config.log for details. | ||
2359 | If you are sure your installation is consistent, you can disable the check | ||
2360 | by running "./configure --without-openssl-header-check". | ||
2361 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2362 | ]) | ||
2363 | else | ||
2364 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2365 | library. Check config.log for details. | ||
2366 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2367 | fi | ||
2368 | ], | ||
2369 | [ | ||
2370 | AC_MSG_WARN([cross compiling: not checking]) | ||
2371 | ] | ||
2372 | ) | ||
2373 | 2354 | ||
2374 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | 2355 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), |
2375 | AC_LINK_IFELSE( | 2356 | SSLeay_version(SSLEAY_VERSION))) <0) |
2376 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2357 | exit(1); |
2377 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2378 | [ | ||
2379 | AC_MSG_RESULT([yes]) | ||
2380 | ], | ||
2381 | [ | ||
2382 | AC_MSG_RESULT([no]) | ||
2383 | saved_LIBS="$LIBS" | ||
2384 | LIBS="$LIBS -ldl" | ||
2385 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2386 | AC_LINK_IFELSE( | ||
2387 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2388 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2389 | [ | ||
2390 | AC_MSG_RESULT([yes]) | ||
2391 | ], | ||
2392 | [ | ||
2393 | AC_MSG_RESULT([no]) | ||
2394 | LIBS="$saved_LIBS" | ||
2395 | ] | ||
2396 | ) | ||
2397 | ] | ||
2398 | ) | ||
2399 | 2358 | ||
2400 | AC_CHECK_FUNCS([ \ | 2359 | exit(0); |
2401 | BN_is_prime_ex \ | 2360 | ]])], |
2402 | DSA_generate_parameters_ex \ | 2361 | [ |
2403 | EVP_DigestInit_ex \ | 2362 | ssl_library_ver=`cat conftest.ssllibver` |
2404 | EVP_DigestFinal_ex \ | 2363 | # Check version is supported. |
2405 | EVP_MD_CTX_init \ | 2364 | case "$ssl_library_ver" in |
2406 | EVP_MD_CTX_cleanup \ | 2365 | 0090[[0-7]]*|009080[[0-5]]*) |
2407 | EVP_MD_CTX_copy_ex \ | 2366 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) |
2408 | HMAC_CTX_init \ | 2367 | ;; |
2409 | RSA_generate_key_ex \ | 2368 | *) ;; |
2410 | RSA_get_default_method \ | 2369 | esac |
2411 | ]) | 2370 | AC_MSG_RESULT([$ssl_library_ver]) |
2371 | ], | ||
2372 | [ | ||
2373 | AC_MSG_RESULT([not found]) | ||
2374 | AC_MSG_ERROR([OpenSSL library not found.]) | ||
2375 | ], | ||
2376 | [ | ||
2377 | AC_MSG_WARN([cross compiling: not checking]) | ||
2378 | ] | ||
2379 | ) | ||
2412 | 2380 | ||
2413 | AC_ARG_WITH([ssl-engine], | 2381 | # Sanity check OpenSSL headers |
2414 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], | 2382 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) |
2415 | [ if test "x$withval" != "xno" ; then | 2383 | AC_RUN_IFELSE( |
2384 | [AC_LANG_PROGRAM([[ | ||
2385 | #include <string.h> | ||
2386 | #include <openssl/opensslv.h> | ||
2387 | ]], [[ | ||
2388 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2389 | ]])], | ||
2390 | [ | ||
2391 | AC_MSG_RESULT([yes]) | ||
2392 | ], | ||
2393 | [ | ||
2394 | AC_MSG_RESULT([no]) | ||
2395 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2396 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2397 | library. Check config.log for details. | ||
2398 | If you are sure your installation is consistent, you can disable the check | ||
2399 | by running "./configure --without-openssl-header-check". | ||
2400 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2401 | ]) | ||
2402 | else | ||
2403 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2404 | library. Check config.log for details. | ||
2405 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2406 | fi | ||
2407 | ], | ||
2408 | [ | ||
2409 | AC_MSG_WARN([cross compiling: not checking]) | ||
2410 | ] | ||
2411 | ) | ||
2412 | |||
2413 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | ||
2414 | AC_LINK_IFELSE( | ||
2415 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2416 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2417 | [ | ||
2418 | AC_MSG_RESULT([yes]) | ||
2419 | ], | ||
2420 | [ | ||
2421 | AC_MSG_RESULT([no]) | ||
2422 | saved_LIBS="$LIBS" | ||
2423 | LIBS="$LIBS -ldl" | ||
2424 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2425 | AC_LINK_IFELSE( | ||
2426 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2427 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2428 | [ | ||
2429 | AC_MSG_RESULT([yes]) | ||
2430 | ], | ||
2431 | [ | ||
2432 | AC_MSG_RESULT([no]) | ||
2433 | LIBS="$saved_LIBS" | ||
2434 | ] | ||
2435 | ) | ||
2436 | ] | ||
2437 | ) | ||
2438 | |||
2439 | AC_CHECK_FUNCS([ \ | ||
2440 | BN_is_prime_ex \ | ||
2441 | DSA_generate_parameters_ex \ | ||
2442 | EVP_DigestInit_ex \ | ||
2443 | EVP_DigestFinal_ex \ | ||
2444 | EVP_MD_CTX_init \ | ||
2445 | EVP_MD_CTX_cleanup \ | ||
2446 | EVP_MD_CTX_copy_ex \ | ||
2447 | HMAC_CTX_init \ | ||
2448 | RSA_generate_key_ex \ | ||
2449 | RSA_get_default_method \ | ||
2450 | ]) | ||
2451 | |||
2452 | if test "x$openssl_engine" = "xyes" ; then | ||
2416 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) | 2453 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) |
2417 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 2454 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ |
2418 | #include <openssl/engine.h> | 2455 | #include <openssl/engine.h> |
2419 | ]], [[ | 2456 | ]], [[ |
2420 | ENGINE_load_builtin_engines(); | 2457 | ENGINE_load_builtin_engines(); |
2421 | ENGINE_register_all_complete(); | 2458 | ENGINE_register_all_complete(); |
2422 | ]])], | 2459 | ]])], |
2423 | [ AC_MSG_RESULT([yes]) | 2460 | [ AC_MSG_RESULT([yes]) |
2424 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], | 2461 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], |
2425 | [Enable OpenSSL engine support]) | 2462 | [Enable OpenSSL engine support]) |
2426 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) | 2463 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) |
2427 | ]) | 2464 | ]) |
2428 | fi ] | 2465 | fi |
2429 | ) | ||
2430 | 2466 | ||
2431 | # Check for OpenSSL without EVP_aes_{192,256}_cbc | 2467 | # Check for OpenSSL without EVP_aes_{192,256}_cbc |
2432 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) | 2468 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) |
2433 | AC_LINK_IFELSE( | 2469 | AC_LINK_IFELSE( |
2434 | [AC_LANG_PROGRAM([[ | 2470 | [AC_LANG_PROGRAM([[ |
2435 | #include <string.h> | 2471 | #include <string.h> |
2436 | #include <openssl/evp.h> | 2472 | #include <openssl/evp.h> |
2437 | ]], [[ | 2473 | ]], [[ |
2438 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); | 2474 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); |
2439 | ]])], | 2475 | ]])], |
2440 | [ | 2476 | [ |
2441 | AC_MSG_RESULT([no]) | 2477 | AC_MSG_RESULT([no]) |
2442 | ], | 2478 | ], |
2443 | [ | 2479 | [ |
2444 | AC_MSG_RESULT([yes]) | 2480 | AC_MSG_RESULT([yes]) |
2445 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], | 2481 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], |
2446 | [libcrypto is missing AES 192 and 256 bit functions]) | 2482 | [libcrypto is missing AES 192 and 256 bit functions]) |
2447 | ] | 2483 | ] |
2448 | ) | 2484 | ) |
2449 | 2485 | ||
2450 | # Check for OpenSSL with EVP_aes_*ctr | 2486 | # Check for OpenSSL with EVP_aes_*ctr |
2451 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) | 2487 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) |
2452 | AC_LINK_IFELSE( | 2488 | AC_LINK_IFELSE( |
2453 | [AC_LANG_PROGRAM([[ | 2489 | [AC_LANG_PROGRAM([[ |
2454 | #include <string.h> | 2490 | #include <string.h> |
2455 | #include <openssl/evp.h> | 2491 | #include <openssl/evp.h> |
2456 | ]], [[ | 2492 | ]], [[ |
2457 | exit(EVP_aes_128_ctr() == NULL || | 2493 | exit(EVP_aes_128_ctr() == NULL || |
2458 | EVP_aes_192_cbc() == NULL || | 2494 | EVP_aes_192_cbc() == NULL || |
2459 | EVP_aes_256_cbc() == NULL); | 2495 | EVP_aes_256_cbc() == NULL); |
2460 | ]])], | 2496 | ]])], |
2461 | [ | 2497 | [ |
2462 | AC_MSG_RESULT([yes]) | 2498 | AC_MSG_RESULT([yes]) |
2463 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], | 2499 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], |
2464 | [libcrypto has EVP AES CTR]) | 2500 | [libcrypto has EVP AES CTR]) |
2465 | ], | 2501 | ], |
2466 | [ | 2502 | [ |
2467 | AC_MSG_RESULT([no]) | 2503 | AC_MSG_RESULT([no]) |
2468 | ] | 2504 | ] |
2469 | ) | 2505 | ) |
2470 | 2506 | ||
2471 | # Check for OpenSSL with EVP_aes_*gcm | 2507 | # Check for OpenSSL with EVP_aes_*gcm |
2472 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) | 2508 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) |
2473 | AC_LINK_IFELSE( | 2509 | AC_LINK_IFELSE( |
2474 | [AC_LANG_PROGRAM([[ | 2510 | [AC_LANG_PROGRAM([[ |
2475 | #include <string.h> | 2511 | #include <string.h> |
2476 | #include <openssl/evp.h> | 2512 | #include <openssl/evp.h> |
2477 | ]], [[ | 2513 | ]], [[ |
2478 | exit(EVP_aes_128_gcm() == NULL || | 2514 | exit(EVP_aes_128_gcm() == NULL || |
2479 | EVP_aes_256_gcm() == NULL || | 2515 | EVP_aes_256_gcm() == NULL || |
2480 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || | 2516 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || |
2481 | EVP_CTRL_GCM_IV_GEN == 0 || | 2517 | EVP_CTRL_GCM_IV_GEN == 0 || |
2482 | EVP_CTRL_GCM_SET_TAG == 0 || | 2518 | EVP_CTRL_GCM_SET_TAG == 0 || |
2483 | EVP_CTRL_GCM_GET_TAG == 0 || | 2519 | EVP_CTRL_GCM_GET_TAG == 0 || |
2484 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); | 2520 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); |
2485 | ]])], | 2521 | ]])], |
2486 | [ | 2522 | [ |
2487 | AC_MSG_RESULT([yes]) | 2523 | AC_MSG_RESULT([yes]) |
2488 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], | 2524 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], |
2489 | [libcrypto has EVP AES GCM]) | 2525 | [libcrypto has EVP AES GCM]) |
2490 | ], | 2526 | ], |
2491 | [ | 2527 | [ |
2492 | AC_MSG_RESULT([no]) | 2528 | AC_MSG_RESULT([no]) |
2493 | unsupported_algorithms="$unsupported_cipers \ | 2529 | unsupported_algorithms="$unsupported_cipers \ |
2494 | aes128-gcm@openssh.com aes256-gcm@openssh.com" | 2530 | aes128-gcm@openssh.com aes256-gcm@openssh.com" |
2495 | ] | 2531 | ] |
2496 | ) | 2532 | ) |
2497 | 2533 | ||
2498 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], | 2534 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], |
2499 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], | 2535 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], |
2500 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) | 2536 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) |
2501 | 2537 | ||
2502 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) | 2538 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) |
2503 | AC_LINK_IFELSE( | 2539 | AC_LINK_IFELSE( |
2504 | [AC_LANG_PROGRAM([[ | 2540 | [AC_LANG_PROGRAM([[ |
2505 | #include <string.h> | 2541 | #include <string.h> |
2506 | #include <openssl/evp.h> | 2542 | #include <openssl/evp.h> |
2507 | ]], [[ | 2543 | ]], [[ |
2508 | if(EVP_DigestUpdate(NULL, NULL,0)) | 2544 | if(EVP_DigestUpdate(NULL, NULL,0)) |
2509 | exit(0); | 2545 | exit(0); |
2510 | ]])], | 2546 | ]])], |
2511 | [ | 2547 | [ |
2512 | AC_MSG_RESULT([yes]) | 2548 | AC_MSG_RESULT([yes]) |
2513 | ], | 2549 | ], |
2514 | [ | 2550 | [ |
2515 | AC_MSG_RESULT([no]) | 2551 | AC_MSG_RESULT([no]) |
2516 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], | 2552 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], |
2517 | [Define if EVP_DigestUpdate returns void]) | 2553 | [Define if EVP_DigestUpdate returns void]) |
2518 | ] | 2554 | ] |
2519 | ) | 2555 | ) |
2520 | 2556 | ||
2521 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, | 2557 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, |
2522 | # because the system crypt() is more featureful. | 2558 | # because the system crypt() is more featureful. |
2523 | if test "x$check_for_libcrypt_before" = "x1"; then | 2559 | if test "x$check_for_libcrypt_before" = "x1"; then |
2524 | AC_CHECK_LIB([crypt], [crypt]) | 2560 | AC_CHECK_LIB([crypt], [crypt]) |
2525 | fi | 2561 | fi |
2526 | 2562 | ||
2527 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the | 2563 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the |
2528 | # version in OpenSSL. | 2564 | # version in OpenSSL. |
2529 | if test "x$check_for_libcrypt_later" = "x1"; then | 2565 | if test "x$check_for_libcrypt_later" = "x1"; then |
2530 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) | 2566 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2531 | fi | 2567 | fi |
2532 | AC_CHECK_FUNCS([crypt DES_crypt]) | ||
2533 | |||
2534 | # Search for SHA256 support in libc and/or OpenSSL | ||
2535 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , | ||
2536 | [unsupported_algorithms="$unsupported_algorithms \ | ||
2537 | hmac-sha2-256 hmac-sha2-512 \ | ||
2538 | diffie-hellman-group-exchange-sha256 \ | ||
2539 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | ||
2540 | ] | ||
2541 | ) | ||
2542 | # Search for RIPE-MD support in OpenSSL | ||
2543 | AC_CHECK_FUNCS([EVP_ripemd160], , | ||
2544 | [unsupported_algorithms="$unsupported_algorithms \ | ||
2545 | hmac-ripemd160 | ||
2546 | hmac-ripemd160@openssh.com | ||
2547 | hmac-ripemd160-etm@openssh.com" | ||
2548 | ] | ||
2549 | ) | ||
2550 | 2568 | ||
2551 | # Check complete ECC support in OpenSSL | 2569 | # Search for SHA256 support in libc and/or OpenSSL |
2552 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) | 2570 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , |
2553 | AC_LINK_IFELSE( | 2571 | [unsupported_algorithms="$unsupported_algorithms \ |
2554 | [AC_LANG_PROGRAM([[ | 2572 | hmac-sha2-256 hmac-sha2-512 \ |
2555 | #include <openssl/ec.h> | 2573 | diffie-hellman-group-exchange-sha256 \ |
2556 | #include <openssl/ecdh.h> | 2574 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" |
2557 | #include <openssl/ecdsa.h> | 2575 | ] |
2558 | #include <openssl/evp.h> | 2576 | ) |
2559 | #include <openssl/objects.h> | 2577 | # Search for RIPE-MD support in OpenSSL |
2560 | #include <openssl/opensslv.h> | 2578 | AC_CHECK_FUNCS([EVP_ripemd160], , |
2561 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2579 | [unsupported_algorithms="$unsupported_algorithms \ |
2562 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2580 | hmac-ripemd160 |
2563 | #endif | 2581 | hmac-ripemd160@openssh.com |
2564 | ]], [[ | 2582 | hmac-ripemd160-etm@openssh.com" |
2565 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 2583 | ] |
2566 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | 2584 | ) |
2567 | ]])], | ||
2568 | [ AC_MSG_RESULT([yes]) | ||
2569 | enable_nistp256=1 ], | ||
2570 | [ AC_MSG_RESULT([no]) ] | ||
2571 | ) | ||
2572 | 2585 | ||
2573 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | 2586 | # Check complete ECC support in OpenSSL |
2574 | AC_LINK_IFELSE( | 2587 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2575 | [AC_LANG_PROGRAM([[ | 2588 | AC_LINK_IFELSE( |
2576 | #include <openssl/ec.h> | 2589 | [AC_LANG_PROGRAM([[ |
2577 | #include <openssl/ecdh.h> | 2590 | #include <openssl/ec.h> |
2578 | #include <openssl/ecdsa.h> | 2591 | #include <openssl/ecdh.h> |
2579 | #include <openssl/evp.h> | 2592 | #include <openssl/ecdsa.h> |
2580 | #include <openssl/objects.h> | 2593 | #include <openssl/evp.h> |
2581 | #include <openssl/opensslv.h> | 2594 | #include <openssl/objects.h> |
2582 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2595 | #include <openssl/opensslv.h> |
2583 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2596 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2584 | #endif | 2597 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2585 | ]], [[ | 2598 | #endif |
2586 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | 2599 | ]], [[ |
2587 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | 2600 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
2588 | ]])], | 2601 | const EVP_MD *m = EVP_sha256(); /* We need this too */ |
2589 | [ AC_MSG_RESULT([yes]) | 2602 | ]])], |
2590 | enable_nistp384=1 ], | 2603 | [ AC_MSG_RESULT([yes]) |
2591 | [ AC_MSG_RESULT([no]) ] | 2604 | enable_nistp256=1 ], |
2592 | ) | 2605 | [ AC_MSG_RESULT([no]) ] |
2606 | ) | ||
2593 | 2607 | ||
2594 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | 2608 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) |
2595 | AC_LINK_IFELSE( | 2609 | AC_LINK_IFELSE( |
2596 | [AC_LANG_PROGRAM([[ | 2610 | [AC_LANG_PROGRAM([[ |
2597 | #include <openssl/ec.h> | 2611 | #include <openssl/ec.h> |
2598 | #include <openssl/ecdh.h> | 2612 | #include <openssl/ecdh.h> |
2599 | #include <openssl/ecdsa.h> | 2613 | #include <openssl/ecdsa.h> |
2600 | #include <openssl/evp.h> | 2614 | #include <openssl/evp.h> |
2601 | #include <openssl/objects.h> | 2615 | #include <openssl/objects.h> |
2602 | #include <openssl/opensslv.h> | 2616 | #include <openssl/opensslv.h> |
2603 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2617 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2604 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2618 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2605 | #endif | 2619 | #endif |
2606 | ]], [[ | 2620 | ]], [[ |
2607 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2621 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); |
2608 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2622 | const EVP_MD *m = EVP_sha384(); /* We need this too */ |
2609 | ]])], | 2623 | ]])], |
2610 | [ AC_MSG_RESULT([yes]) | 2624 | [ AC_MSG_RESULT([yes]) |
2611 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) | 2625 | enable_nistp384=1 ], |
2612 | AC_RUN_IFELSE( | 2626 | [ AC_MSG_RESULT([no]) ] |
2627 | ) | ||
2628 | |||
2629 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | ||
2630 | AC_LINK_IFELSE( | ||
2613 | [AC_LANG_PROGRAM([[ | 2631 | [AC_LANG_PROGRAM([[ |
2614 | #include <openssl/ec.h> | 2632 | #include <openssl/ec.h> |
2615 | #include <openssl/ecdh.h> | 2633 | #include <openssl/ecdh.h> |
2616 | #include <openssl/ecdsa.h> | 2634 | #include <openssl/ecdsa.h> |
2617 | #include <openssl/evp.h> | 2635 | #include <openssl/evp.h> |
2618 | #include <openssl/objects.h> | 2636 | #include <openssl/objects.h> |
2619 | #include <openssl/opensslv.h> | 2637 | #include <openssl/opensslv.h> |
2620 | ]],[[ | 2638 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2639 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2640 | #endif | ||
2641 | ]], [[ | ||
2621 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2642 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2622 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2643 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2623 | exit(e == NULL || m == NULL); | ||
2624 | ]])], | 2644 | ]])], |
2625 | [ AC_MSG_RESULT([yes]) | 2645 | [ AC_MSG_RESULT([yes]) |
2626 | enable_nistp521=1 ], | 2646 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2627 | [ AC_MSG_RESULT([no]) ], | 2647 | AC_RUN_IFELSE( |
2628 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | 2648 | [AC_LANG_PROGRAM([[ |
2629 | enable_nistp521=1 ] | 2649 | #include <openssl/ec.h> |
2630 | )], | 2650 | #include <openssl/ecdh.h> |
2631 | AC_MSG_RESULT([no]) | 2651 | #include <openssl/ecdsa.h> |
2632 | ) | 2652 | #include <openssl/evp.h> |
2653 | #include <openssl/objects.h> | ||
2654 | #include <openssl/opensslv.h> | ||
2655 | ]],[[ | ||
2656 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | ||
2657 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | ||
2658 | exit(e == NULL || m == NULL); | ||
2659 | ]])], | ||
2660 | [ AC_MSG_RESULT([yes]) | ||
2661 | enable_nistp521=1 ], | ||
2662 | [ AC_MSG_RESULT([no]) ], | ||
2663 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | ||
2664 | enable_nistp521=1 ] | ||
2665 | )], | ||
2666 | AC_MSG_RESULT([no]) | ||
2667 | ) | ||
2633 | 2668 | ||
2634 | COMMENT_OUT_ECC="#no ecc#" | 2669 | COMMENT_OUT_ECC="#no ecc#" |
2635 | TEST_SSH_ECC=no | 2670 | TEST_SSH_ECC=no |
2636 | 2671 | ||
2637 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | 2672 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ |
2638 | test x$enable_nistp521 = x1; then | 2673 | test x$enable_nistp521 = x1; then |
2639 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | 2674 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) |
2640 | fi | 2675 | fi |
2641 | if test x$enable_nistp256 = x1; then | 2676 | if test x$enable_nistp256 = x1; then |
2642 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | 2677 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], |
2643 | [libcrypto has NID_X9_62_prime256v1]) | 2678 | [libcrypto has NID_X9_62_prime256v1]) |
2644 | TEST_SSH_ECC=yes | 2679 | TEST_SSH_ECC=yes |
2645 | COMMENT_OUT_ECC="" | 2680 | COMMENT_OUT_ECC="" |
2646 | else | 2681 | else |
2647 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | 2682 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ |
2648 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | 2683 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" |
2649 | fi | 2684 | fi |
2650 | if test x$enable_nistp384 = x1; then | 2685 | if test x$enable_nistp384 = x1; then |
2651 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | 2686 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) |
2652 | TEST_SSH_ECC=yes | 2687 | TEST_SSH_ECC=yes |
2653 | COMMENT_OUT_ECC="" | 2688 | COMMENT_OUT_ECC="" |
2654 | else | 2689 | else |
2655 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | 2690 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ |
2656 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | 2691 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" |
2657 | fi | 2692 | fi |
2658 | if test x$enable_nistp521 = x1; then | 2693 | if test x$enable_nistp521 = x1; then |
2659 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | 2694 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) |
2660 | TEST_SSH_ECC=yes | 2695 | TEST_SSH_ECC=yes |
2661 | COMMENT_OUT_ECC="" | 2696 | COMMENT_OUT_ECC="" |
2697 | else | ||
2698 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2699 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2700 | fi | ||
2701 | |||
2702 | AC_SUBST([TEST_SSH_ECC]) | ||
2703 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2662 | else | 2704 | else |
2663 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | 2705 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2664 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | 2706 | AC_CHECK_FUNCS([crypt DES_crypt]) |
2665 | fi | 2707 | fi |
2666 | 2708 | ||
2667 | AC_SUBST([TEST_SSH_ECC]) | ||
2668 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2669 | |||
2670 | AC_CHECK_FUNCS([ \ | 2709 | AC_CHECK_FUNCS([ \ |
2671 | arc4random \ | 2710 | arc4random \ |
2672 | arc4random_buf \ | 2711 | arc4random_buf \ |
@@ -2687,28 +2726,30 @@ LIBS="$saved_LIBS" | |||
2687 | ### Configure cryptographic random number support | 2726 | ### Configure cryptographic random number support |
2688 | 2727 | ||
2689 | # Check wheter OpenSSL seeds itself | 2728 | # Check wheter OpenSSL seeds itself |
2690 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) | 2729 | if test "x$openssl" = "xyes" ; then |
2691 | AC_RUN_IFELSE( | 2730 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) |
2692 | [AC_LANG_PROGRAM([[ | 2731 | AC_RUN_IFELSE( |
2693 | #include <string.h> | 2732 | [AC_LANG_PROGRAM([[ |
2694 | #include <openssl/rand.h> | 2733 | #include <string.h> |
2695 | ]], [[ | 2734 | #include <openssl/rand.h> |
2696 | exit(RAND_status() == 1 ? 0 : 1); | 2735 | ]], [[ |
2697 | ]])], | 2736 | exit(RAND_status() == 1 ? 0 : 1); |
2698 | [ | 2737 | ]])], |
2699 | OPENSSL_SEEDS_ITSELF=yes | 2738 | [ |
2700 | AC_MSG_RESULT([yes]) | 2739 | OPENSSL_SEEDS_ITSELF=yes |
2701 | ], | 2740 | AC_MSG_RESULT([yes]) |
2702 | [ | 2741 | ], |
2703 | AC_MSG_RESULT([no]) | 2742 | [ |
2704 | ], | 2743 | AC_MSG_RESULT([no]) |
2705 | [ | 2744 | ], |
2706 | AC_MSG_WARN([cross compiling: assuming yes]) | 2745 | [ |
2707 | # This is safe, since we will fatal() at runtime if | 2746 | AC_MSG_WARN([cross compiling: assuming yes]) |
2708 | # OpenSSL is not seeded correctly. | 2747 | # This is safe, since we will fatal() at runtime if |
2709 | OPENSSL_SEEDS_ITSELF=yes | 2748 | # OpenSSL is not seeded correctly. |
2710 | ] | 2749 | OPENSSL_SEEDS_ITSELF=yes |
2711 | ) | 2750 | ] |
2751 | ) | ||
2752 | fi | ||
2712 | 2753 | ||
2713 | # PRNGD TCP socket | 2754 | # PRNGD TCP socket |
2714 | AC_ARG_WITH([prngd-port], | 2755 | AC_ARG_WITH([prngd-port], |
@@ -2790,8 +2831,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then | |||
2790 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" | 2831 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" |
2791 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then | 2832 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then |
2792 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], | 2833 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], |
2793 | [Define if you want OpenSSL's internally seeded PRNG only]) | 2834 | [Define if you want the OpenSSL internally seeded PRNG only]) |
2794 | RAND_MSG="OpenSSL internal ONLY" | 2835 | RAND_MSG="OpenSSL internal ONLY" |
2836 | elif test "x$openssl" = "xno" ; then | ||
2837 | AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible]) | ||
2795 | else | 2838 | else |
2796 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) | 2839 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) |
2797 | fi | 2840 | fi |
@@ -2853,7 +2896,7 @@ if test "x$PAM_MSG" = "xyes" ; then | |||
2853 | which takes only one argument to pam_strerror]) | 2896 | which takes only one argument to pam_strerror]) |
2854 | AC_MSG_RESULT([yes]) | 2897 | AC_MSG_RESULT([yes]) |
2855 | PAM_MSG="yes (old library)" | 2898 | PAM_MSG="yes (old library)" |
2856 | 2899 | ||
2857 | ]) | 2900 | ]) |
2858 | fi | 2901 | fi |
2859 | 2902 | ||