- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of

NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
author: Darren Tucker <dtucker@zip.com.au> 2013-11-09 18:39:25 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2013-11-09 18:39:25 +1100
commit: 37bcef51b3d9d496caecea6394814d2f49a1357f (patch)
tree: c564402d96ca797f8b0248552ef78f4f9408ef8c /configure.ac
parent: 6e2fe81f926d995bae4be4a6b5b3c88c1c525187 (diff)
1 files changed, 101 insertions, 21 deletions
diff --git a/configure.ac b/configure.ac
index e31147c24..5d4793cae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.540 2013/11/08 13:17:41 dtucker Exp $
+# $Id: configure.ac,v 1.541 2013/11/09 07:39:25 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.540 $)
+AC_REVISION($Revision: 1.541 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
@@ -2450,7 +2450,49 @@ AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
 )
 # Check complete ECC support in OpenSSL
-AC_MSG_CHECKING([whether OpenSSL has complete ECC support])
+AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
+AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM([[
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
+# error "OpenSSL < 0.9.8g has unreliable ECC code"
+#endif
+        ]], [[
+        EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        const EVP_MD *m = EVP_sha256(); /* We need this too */
+        ]])],
+        [ AC_MSG_RESULT([yes])
+          enable_nistp256=1 ],
+        [ AC_MSG_RESULT([no]) ]
+)
+AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
+AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM([[
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
+# error "OpenSSL < 0.9.8g has unreliable ECC code"
+#endif
+        ]], [[
+        EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
+        const EVP_MD *m = EVP_sha384(); /* We need this too */
+        ]])],
+        [ AC_MSG_RESULT([yes])
+          enable_nistp384=1 ],
+        [ AC_MSG_RESULT([no]) ]
+)
+AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
 AC_LINK_IFELSE(
        [AC_LANG_PROGRAM([[
 #include <openssl/ec.h>
@@ -2466,25 +2508,63 @@ AC_LINK_IFELSE(
        EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
        const EVP_MD *m = EVP_sha512(); /* We need this too */
        ]])],
-        [
+        [ AC_MSG_RESULT([yes])
-                AC_MSG_RESULT([yes])
+          AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
-                AC_DEFINE([OPENSSL_HAS_ECC], [1],
+          AC_RUN_IFELSE(
-                    [libcrypto includes complete ECC support])
+                [AC_LANG_PROGRAM([[
-                TEST_SSH_ECC=yes
+#include <openssl/ec.h>
-                COMMENT_OUT_ECC=""
+#include <openssl/ecdh.h>
-        ],
+#include <openssl/ecdsa.h>
-        [
+#include <openssl/evp.h>
-                AC_MSG_RESULT([no])
+#include <openssl/objects.h>
-                TEST_SSH_ECC=no
+#include <openssl/opensslv.h>
-                COMMENT_OUT_ECC="#no ecc#"
+                ]],[[
-                unsupported_algorithms="$unsupported_algorithms \
+                EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
-                    ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
+                const EVP_MD *m = EVP_sha512(); /* We need this too */
-                    ecdsa-sha2-nistp256-cert-v01@openssh.com \
+                exit(e == NULL || m == NULL);
-                    ecdsa-sha2-nistp384-cert-v01@openssh.com \
+                ]])],
-                    ecdsa-sha2-nistp521-cert-v01@openssh.com \
+                [ AC_MSG_RESULT([yes])
-                    ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
+                  enable_nistp521=1 ],
-        ]
+                [ AC_MSG_RESULT([no]) ],
+                [ AC_MSG_WARN([cross-compiling, assuming yes])
+                  enable_nistp521=1 ]
+        ])
+        AC_MSG_RESULT([no])
 )
+COMMENT_OUT_ECC="#no ecc#"
+TEST_SSH_ECC=no
+if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
+    x$enable_nistp521 = x1; then
+        AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
+fi
+if test x$enable_nistp256 = x1; then
+        AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
+            [libcrypto has NID_X9_62_prime256v1])
+        TEST_SSH_ECC=yes
+        COMMENT_OUT_ECC=""
+else
+        unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
+            ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
+fi
+if test x$enable_nistp384 = x1; then
+        AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
+        TEST_SSH_ECC=yes
+        COMMENT_OUT_ECC=""
+else
+        unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
+            ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
+fi
+if test x$enable_nistp521 = x1; then
+        AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
+        TEST_SSH_ECC=yes
+        COMMENT_OUT_ECC=""
+else
+        unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
+            ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
+fi
 AC_SUBST([TEST_SSH_ECC])
 AC_SUBST([COMMENT_OUT_ECC])
author	Darren Tucker <dtucker@zip.com.au>	2013-11-09 18:39:25 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2013-11-09 18:39:25 +1100
commit	37bcef51b3d9d496caecea6394814d2f49a1357f (patch)
tree	c564402d96ca797f8b0248552ef78f4f9408ef8c /configure.ac
parent	6e2fe81f926d995bae4be4a6b5b3c88c1c525187 (diff)

diff --git a/configure.ac b/configure.ac index e31147c24..5d4793cae 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.540 2013/11/08 13:17:41 dtucker Exp $	1	# $Id: configure.ac,v 1.541 2013/11/09 07:39:25 dtucker Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -15,7 +15,7 @@
15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		16
17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])	17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18	AC_REVISION($Revision: 1.540 $)	18	AC_REVISION($Revision: 1.541 $)
19	AC_CONFIG_SRCDIR([ssh.c])	19	AC_CONFIG_SRCDIR([ssh.c])
20	AC_LANG([C])	20	AC_LANG([C])
21		21
@@ -2450,7 +2450,49 @@ AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2450	)	2450	)
2451		2451
2452	# Check complete ECC support in OpenSSL	2452	# Check complete ECC support in OpenSSL
2453	AC_MSG_CHECKING([whether OpenSSL has complete ECC support])	2453	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
		2454	AC_LINK_IFELSE(
		2455	[AC_LANG_PROGRAM([[
		2456	#include <openssl/ec.h>
		2457	#include <openssl/ecdh.h>
		2458	#include <openssl/ecdsa.h>
		2459	#include <openssl/evp.h>
		2460	#include <openssl/objects.h>
		2461	#include <openssl/opensslv.h>
		2462	#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
		2463	# error "OpenSSL < 0.9.8g has unreliable ECC code"
		2464	#endif
		2465	]], [[
		2466	EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
		2467	const EVP_MD m = EVP_sha256(); / We need this too */
		2468	]])],
		2469	[ AC_MSG_RESULT([yes])
		2470	enable_nistp256=1 ],
		2471	[ AC_MSG_RESULT([no]) ]
		2472	)
		2473
		2474	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
		2475	AC_LINK_IFELSE(
		2476	[AC_LANG_PROGRAM([[
		2477	#include <openssl/ec.h>
		2478	#include <openssl/ecdh.h>
		2479	#include <openssl/ecdsa.h>
		2480	#include <openssl/evp.h>
		2481	#include <openssl/objects.h>
		2482	#include <openssl/opensslv.h>
		2483	#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
		2484	# error "OpenSSL < 0.9.8g has unreliable ECC code"
		2485	#endif
		2486	]], [[
		2487	EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
		2488	const EVP_MD m = EVP_sha384(); / We need this too */
		2489	]])],
		2490	[ AC_MSG_RESULT([yes])
		2491	enable_nistp384=1 ],
		2492	[ AC_MSG_RESULT([no]) ]
		2493	)
		2494
		2495	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2454	AC_LINK_IFELSE(	2496	AC_LINK_IFELSE(
2455	[AC_LANG_PROGRAM([[	2497	[AC_LANG_PROGRAM([[
2456	#include <openssl/ec.h>	2498	#include <openssl/ec.h>
@@ -2466,25 +2508,63 @@ AC_LINK_IFELSE(
2466	EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);	2508	EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2467	const EVP_MD m = EVP_sha512(); / We need this too */	2509	const EVP_MD m = EVP_sha512(); / We need this too */
2468	]])],	2510	]])],
2469	[	2511	[ AC_MSG_RESULT([yes])
2470	AC_MSG_RESULT([yes])	2512	AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2471	AC_DEFINE([OPENSSL_HAS_ECC], [1],	2513	AC_RUN_IFELSE(
2472	[libcrypto includes complete ECC support])	2514	[AC_LANG_PROGRAM([[
2473	TEST_SSH_ECC=yes	2515	#include <openssl/ec.h>
2474	COMMENT_OUT_ECC=""	2516	#include <openssl/ecdh.h>
2475	],	2517	#include <openssl/ecdsa.h>
2476	[	2518	#include <openssl/evp.h>
2477	AC_MSG_RESULT([no])	2519	#include <openssl/objects.h>
2478	TEST_SSH_ECC=no	2520	#include <openssl/opensslv.h>
2479	COMMENT_OUT_ECC="#no ecc#"	2521	]],[[
2480	unsupported_algorithms="$unsupported_algorithms \	2522	EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2481	ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \	2523	const EVP_MD m = EVP_sha512(); / We need this too */
2482	ecdsa-sha2-nistp256-cert-v01@openssh.com \	2524	exit(e == NULL \|\| m == NULL);
2483	ecdsa-sha2-nistp384-cert-v01@openssh.com \	2525	]])],
2484	ecdsa-sha2-nistp521-cert-v01@openssh.com \	2526	[ AC_MSG_RESULT([yes])
2485	ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"	2527	enable_nistp521=1 ],
2486	]	2528	[ AC_MSG_RESULT([no]) ],
		2529	[ AC_MSG_WARN([cross-compiling, assuming yes])
		2530	enable_nistp521=1 ]
		2531	])
		2532	AC_MSG_RESULT([no])
2487	)	2533	)
		2534
		2535	COMMENT_OUT_ECC="#no ecc#"
		2536	TEST_SSH_ECC=no
		2537
		2538	if test x$enable_nistp256 = x1 \|\| test x$enable_nistp384 = x1 \|\| \
		2539	x$enable_nistp521 = x1; then
		2540	AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
		2541	fi
		2542	if test x$enable_nistp256 = x1; then
		2543	AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
		2544	[libcrypto has NID_X9_62_prime256v1])
		2545	TEST_SSH_ECC=yes
		2546	COMMENT_OUT_ECC=""
		2547	else
		2548	unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
		2549	ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
		2550	fi
		2551	if test x$enable_nistp384 = x1; then
		2552	AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
		2553	TEST_SSH_ECC=yes
		2554	COMMENT_OUT_ECC=""
		2555	else
		2556	unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
		2557	ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
		2558	fi
		2559	if test x$enable_nistp521 = x1; then
		2560	AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
		2561	TEST_SSH_ECC=yes
		2562	COMMENT_OUT_ECC=""
		2563	else
		2564	unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
		2565	ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
		2566	fi
		2567
2488	AC_SUBST([TEST_SSH_ECC])	2568	AC_SUBST([TEST_SSH_ECC])
2489	AC_SUBST([COMMENT_OUT_ECC])	2569	AC_SUBST([COMMENT_OUT_ECC])
2490		2570