diff options
author | Darren Tucker <dtucker@zip.com.au> | 2013-11-09 18:39:25 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2013-11-09 18:39:25 +1100 |
commit | 37bcef51b3d9d496caecea6394814d2f49a1357f (patch) | |
tree | c564402d96ca797f8b0248552ef78f4f9408ef8c /configure.ac | |
parent | 6e2fe81f926d995bae4be4a6b5b3c88c1c525187 (diff) |
- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
latter actually works before using it. Fedora (at least) has NID_secp521r1
that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 122 |
1 files changed, 101 insertions, 21 deletions
diff --git a/configure.ac b/configure.ac index e31147c24..5d4793cae 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: configure.ac,v 1.540 2013/11/08 13:17:41 dtucker Exp $ | 1 | # $Id: configure.ac,v 1.541 2013/11/09 07:39:25 dtucker Exp $ |
2 | # | 2 | # |
3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
4 | # | 4 | # |
@@ -15,7 +15,7 @@ | |||
15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | 16 | ||
17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) | 17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) |
18 | AC_REVISION($Revision: 1.540 $) | 18 | AC_REVISION($Revision: 1.541 $) |
19 | AC_CONFIG_SRCDIR([ssh.c]) | 19 | AC_CONFIG_SRCDIR([ssh.c]) |
20 | AC_LANG([C]) | 20 | AC_LANG([C]) |
21 | 21 | ||
@@ -2450,7 +2450,49 @@ AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , | |||
2450 | ) | 2450 | ) |
2451 | 2451 | ||
2452 | # Check complete ECC support in OpenSSL | 2452 | # Check complete ECC support in OpenSSL |
2453 | AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) | 2453 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2454 | AC_LINK_IFELSE( | ||
2455 | [AC_LANG_PROGRAM([[ | ||
2456 | #include <openssl/ec.h> | ||
2457 | #include <openssl/ecdh.h> | ||
2458 | #include <openssl/ecdsa.h> | ||
2459 | #include <openssl/evp.h> | ||
2460 | #include <openssl/objects.h> | ||
2461 | #include <openssl/opensslv.h> | ||
2462 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2463 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2464 | #endif | ||
2465 | ]], [[ | ||
2466 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | ||
2467 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | ||
2468 | ]])], | ||
2469 | [ AC_MSG_RESULT([yes]) | ||
2470 | enable_nistp256=1 ], | ||
2471 | [ AC_MSG_RESULT([no]) ] | ||
2472 | ) | ||
2473 | |||
2474 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | ||
2475 | AC_LINK_IFELSE( | ||
2476 | [AC_LANG_PROGRAM([[ | ||
2477 | #include <openssl/ec.h> | ||
2478 | #include <openssl/ecdh.h> | ||
2479 | #include <openssl/ecdsa.h> | ||
2480 | #include <openssl/evp.h> | ||
2481 | #include <openssl/objects.h> | ||
2482 | #include <openssl/opensslv.h> | ||
2483 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2484 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2485 | #endif | ||
2486 | ]], [[ | ||
2487 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | ||
2488 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | ||
2489 | ]])], | ||
2490 | [ AC_MSG_RESULT([yes]) | ||
2491 | enable_nistp384=1 ], | ||
2492 | [ AC_MSG_RESULT([no]) ] | ||
2493 | ) | ||
2494 | |||
2495 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | ||
2454 | AC_LINK_IFELSE( | 2496 | AC_LINK_IFELSE( |
2455 | [AC_LANG_PROGRAM([[ | 2497 | [AC_LANG_PROGRAM([[ |
2456 | #include <openssl/ec.h> | 2498 | #include <openssl/ec.h> |
@@ -2466,25 +2508,63 @@ AC_LINK_IFELSE( | |||
2466 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2508 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2467 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2509 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2468 | ]])], | 2510 | ]])], |
2469 | [ | 2511 | [ AC_MSG_RESULT([yes]) |
2470 | AC_MSG_RESULT([yes]) | 2512 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2471 | AC_DEFINE([OPENSSL_HAS_ECC], [1], | 2513 | AC_RUN_IFELSE( |
2472 | [libcrypto includes complete ECC support]) | 2514 | [AC_LANG_PROGRAM([[ |
2473 | TEST_SSH_ECC=yes | 2515 | #include <openssl/ec.h> |
2474 | COMMENT_OUT_ECC="" | 2516 | #include <openssl/ecdh.h> |
2475 | ], | 2517 | #include <openssl/ecdsa.h> |
2476 | [ | 2518 | #include <openssl/evp.h> |
2477 | AC_MSG_RESULT([no]) | 2519 | #include <openssl/objects.h> |
2478 | TEST_SSH_ECC=no | 2520 | #include <openssl/opensslv.h> |
2479 | COMMENT_OUT_ECC="#no ecc#" | 2521 | ]],[[ |
2480 | unsupported_algorithms="$unsupported_algorithms \ | 2522 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2481 | ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ | 2523 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2482 | ecdsa-sha2-nistp256-cert-v01@openssh.com \ | 2524 | exit(e == NULL || m == NULL); |
2483 | ecdsa-sha2-nistp384-cert-v01@openssh.com \ | 2525 | ]])], |
2484 | ecdsa-sha2-nistp521-cert-v01@openssh.com \ | 2526 | [ AC_MSG_RESULT([yes]) |
2485 | ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" | 2527 | enable_nistp521=1 ], |
2486 | ] | 2528 | [ AC_MSG_RESULT([no]) ], |
2529 | [ AC_MSG_WARN([cross-compiling, assuming yes]) | ||
2530 | enable_nistp521=1 ] | ||
2531 | ]) | ||
2532 | AC_MSG_RESULT([no]) | ||
2487 | ) | 2533 | ) |
2534 | |||
2535 | COMMENT_OUT_ECC="#no ecc#" | ||
2536 | TEST_SSH_ECC=no | ||
2537 | |||
2538 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | ||
2539 | x$enable_nistp521 = x1; then | ||
2540 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | ||
2541 | fi | ||
2542 | if test x$enable_nistp256 = x1; then | ||
2543 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | ||
2544 | [libcrypto has NID_X9_62_prime256v1]) | ||
2545 | TEST_SSH_ECC=yes | ||
2546 | COMMENT_OUT_ECC="" | ||
2547 | else | ||
2548 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | ||
2549 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | ||
2550 | fi | ||
2551 | if test x$enable_nistp384 = x1; then | ||
2552 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | ||
2553 | TEST_SSH_ECC=yes | ||
2554 | COMMENT_OUT_ECC="" | ||
2555 | else | ||
2556 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | ||
2557 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | ||
2558 | fi | ||
2559 | if test x$enable_nistp521 = x1; then | ||
2560 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | ||
2561 | TEST_SSH_ECC=yes | ||
2562 | COMMENT_OUT_ECC="" | ||
2563 | else | ||
2564 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2565 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2566 | fi | ||
2567 | |||
2488 | AC_SUBST([TEST_SSH_ECC]) | 2568 | AC_SUBST([TEST_SSH_ECC]) |
2489 | AC_SUBST([COMMENT_OUT_ECC]) | 2569 | AC_SUBST([COMMENT_OUT_ECC]) |
2490 | 2570 | ||