Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 911 |
1 files changed, 489 insertions, 422 deletions
diff --git a/configure.ac b/configure.ac index f5c65c5a4..f7ce777a5 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -121,6 +121,42 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | 123 | ||
124 | openssl=yes | ||
125 | ssh1=yes | ||
126 | AC_ARG_WITH([openssl], | ||
127 | [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], | ||
128 | [ if test "x$withval" = "xno" ; then | ||
129 | openssl=no | ||
130 | ssh1=no | ||
131 | fi | ||
132 | ] | ||
133 | ) | ||
134 | AC_MSG_CHECKING([whether OpenSSL will be used for cryptography]) | ||
135 | if test "x$openssl" = "xyes" ; then | ||
136 | AC_MSG_RESULT([yes]) | ||
137 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | ||
138 | else | ||
139 | AC_MSG_RESULT([no]) | ||
140 | fi | ||
141 | |||
142 | AC_ARG_WITH([ssh1], | ||
143 | [ --without-ssh1 Disable support for SSH protocol 1], | ||
144 | [ | ||
145 | if test "x$withval" = "xno" ; then | ||
146 | ssh1=no | ||
147 | elif test "x$openssl" = "xno" ; then | ||
148 | AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) | ||
149 | fi | ||
150 | ] | ||
151 | ) | ||
152 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) | ||
153 | if test "x$ssh1" = "xyes" ; then | ||
154 | AC_MSG_RESULT([yes]) | ||
155 | AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support]) | ||
156 | else | ||
157 | AC_MSG_RESULT([no]) | ||
158 | fi | ||
159 | |||
124 | use_stack_protector=1 | 160 | use_stack_protector=1 |
125 | use_toolchain_hardening=1 | 161 | use_toolchain_hardening=1 |
126 | AC_ARG_WITH([stackprotect], | 162 | AC_ARG_WITH([stackprotect], |
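Review bot: The `--with-ssh1` handler at new lines 142-151 reads `$openssl`, so it is only correct because the `openssl` option is handled earlier in the file, and nothing in the hunk records that dependency. A comment above the block would keep it visible if the options are ever reordered, for example `# Must follow the openssl option: --without-openssl forces ssh1=no and makes --with-ssh1 an error`. The `--without-openssl` help string could also say that it disables SSH protocol 1, since the user otherwise learns this only from the "whether SSH protocol 1 support is enabled" result line.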
@@ -1320,7 +1356,7 @@ g.gl_statv = NULL; | |||
1320 | AC_MSG_RESULT([yes]) | 1356 | AC_MSG_RESULT([yes]) |
1321 | ], [ | 1357 | ], [ |
1322 | AC_MSG_RESULT([no]) | 1358 | AC_MSG_RESULT([no]) |
1323 | 1359 | ||
1324 | ]) | 1360 | ]) |
1325 | 1361 | ||
1326 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) | 1362 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) |
@@ -1603,7 +1639,7 @@ AC_ARG_WITH([audit], | |||
1603 | ) | 1639 | ) |
1604 | 1640 | ||
1605 | AC_ARG_WITH([pie], | 1641 | AC_ARG_WITH([pie], |
1606 | [ --with-pie Build Position Independent Executables if possible], [ | 1642 | [ --with-pie Build Position Independent Executables if possible], [ |
1607 | if test "x$withval" = "xno"; then | 1643 | if test "x$withval" = "xno"; then |
1608 | use_pie=no | 1644 | use_pie=no |
1609 | fi | 1645 | fi |
@@ -1709,6 +1745,7 @@ AC_CHECK_FUNCS([ \ | |||
1709 | prctl \ | 1745 | prctl \ |
1710 | pstat \ | 1746 | pstat \ |
1711 | readpassphrase \ | 1747 | readpassphrase \ |
1748 | reallocarray \ | ||
1712 | realpath \ | 1749 | realpath \ |
1713 | recvmsg \ | 1750 | recvmsg \ |
1714 | rresvport_af \ | 1751 | rresvport_af \ |
@@ -1768,10 +1805,13 @@ AC_LINK_IFELSE( | |||
1768 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) | 1805 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) |
1769 | ]) | 1806 | ]) |
1770 | 1807 | ||
1771 | # PKCS#11 support requires dlopen() and co | 1808 | # PKCS11 depends on OpenSSL. |
1772 | AC_SEARCH_LIBS([dlopen], [dl], | 1809 | if test "x$openssl" = "xyes" ; then |
1773 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | 1810 | # PKCS#11 support requires dlopen() and co |
1774 | ) | 1811 | AC_SEARCH_LIBS([dlopen], [dl], |
1812 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | ||
1813 | ) | ||
1814 | fi | ||
1775 | 1815 | ||
1776 | # IRIX has a const char return value for gai_strerror() | 1816 | # IRIX has a const char return value for gai_strerror() |
1777 | AC_CHECK_FUNCS([gai_strerror], [ | 1817 | AC_CHECK_FUNCS([gai_strerror], [ |
@@ -2237,6 +2277,13 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ | |||
2237 | ) | 2277 | ) |
2238 | fi | 2278 | fi |
2239 | 2279 | ||
2280 | if test "x$ac_cv_func_getaddrinfo" = "xyes"; then | ||
2281 | AC_CHECK_DECLS(AI_NUMERICSERV, , , | ||
2282 | [#include <sys/types.h> | ||
2283 | #include <sys/socket.h> | ||
2284 | #include <netdb.h>]) | ||
2285 | fi | ||
2286 | |||
2240 | if test "x$check_for_conflicting_getspnam" = "x1"; then | 2287 | if test "x$check_for_conflicting_getspnam" = "x1"; then |
2241 | AC_MSG_CHECKING([for conflicting getspnam in shadow.h]) | 2288 | AC_MSG_CHECKING([for conflicting getspnam in shadow.h]) |
2242 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]], | 2289 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]], |
@@ -2260,6 +2307,9 @@ saved_LDFLAGS="$LDFLAGS" | |||
2260 | AC_ARG_WITH([ssl-dir], | 2307 | AC_ARG_WITH([ssl-dir], |
2261 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], | 2308 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], |
2262 | [ | 2309 | [ |
2310 | if test "x$openssl" = "xno" ; then | ||
2311 | AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled]) | ||
2312 | fi | ||
2263 | if test "x$withval" != "xno" ; then | 2313 | if test "x$withval" != "xno" ; then |
2264 | case "$withval" in | 2314 | case "$withval" in |
2265 | # Relative paths | 2315 | # Relative paths |
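Review bot: The guard added at new lines 2310-2312 runs before the `withval` test, so `--without-openssl --without-ssl-dir` is rejected even though no OpenSSL path is being requested. Folding the two conditions together avoids that: `if test "x$withval" != "xno" && test "x$openssl" = "xno" ; then`. The `--with-ssl-engine` handler added in the next hunk (new lines 2359-2361) has the same ordering and would take the same change. The AC_ARG_WITH([ssl-dir]) block continues past the end of this hunk.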
@@ -2292,445 +2342,458 @@ AC_ARG_WITH([ssl-dir], | |||
2292 | fi | 2342 | fi |
2293 | ] | 2343 | ] |
2294 | ) | 2344 | ) |
2295 | LIBS="-lcrypto $LIBS" | 2345 | |
2296 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], | 2346 | AC_ARG_WITH([openssl-header-check], |
2297 | [Define if your ssl headers are included | 2347 | [ --without-openssl-header-check Disable OpenSSL version consistency check], |
2298 | with #include <openssl/header.h>])], | ||
2299 | [ | 2348 | [ |
2300 | dnl Check default openssl install dir | 2349 | if test "x$withval" = "xno" ; then |
2301 | if test -n "${need_dash_r}"; then | 2350 | openssl_check_nonfatal=1 |
2302 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2303 | else | ||
2304 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2305 | fi | 2351 | fi |
2306 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2307 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2308 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2309 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2310 | [ | ||
2311 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2312 | ] | ||
2313 | ) | ||
2314 | ] | 2352 | ] |
2315 | ) | 2353 | ) |
2316 | 2354 | ||
2317 | # Determine OpenSSL header version | 2355 | openssl_engine=no |
2318 | AC_MSG_CHECKING([OpenSSL header version]) | 2356 | AC_ARG_WITH([ssl-engine], |
2319 | AC_RUN_IFELSE( | 2357 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], |
2320 | [AC_LANG_PROGRAM([[ | ||
2321 | #include <stdio.h> | ||
2322 | #include <string.h> | ||
2323 | #include <openssl/opensslv.h> | ||
2324 | #define DATA "conftest.sslincver" | ||
2325 | ]], [[ | ||
2326 | FILE *fd; | ||
2327 | int rc; | ||
2328 | |||
2329 | fd = fopen(DATA,"w"); | ||
2330 | if(fd == NULL) | ||
2331 | exit(1); | ||
2332 | |||
2333 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) | ||
2334 | exit(1); | ||
2335 | |||
2336 | exit(0); | ||
2337 | ]])], | ||
2338 | [ | ||
2339 | ssl_header_ver=`cat conftest.sslincver` | ||
2340 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2341 | ], | ||
2342 | [ | ||
2343 | AC_MSG_RESULT([not found]) | ||
2344 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2345 | ], | ||
2346 | [ | 2358 | [ |
2347 | AC_MSG_WARN([cross compiling: not checking]) | 2359 | if test "x$openssl" = "xno" ; then |
2360 | AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) | ||
2361 | fi | ||
2362 | if test "x$withval" != "xno" ; then | ||
2363 | openssl_engine=yes | ||
2364 | fi | ||
2348 | ] | 2365 | ] |
2349 | ) | 2366 | ) |
2350 | 2367 | ||
2351 | # Determine OpenSSL library version | 2368 | if test "x$openssl" = "xyes" ; then |
2352 | AC_MSG_CHECKING([OpenSSL library version]) | 2369 | LIBS="-lcrypto $LIBS" |
2353 | AC_RUN_IFELSE( | 2370 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], |
2354 | [AC_LANG_PROGRAM([[ | 2371 | [Define if your ssl headers are included |
2355 | #include <stdio.h> | 2372 | with #include <openssl/header.h>])], |
2356 | #include <string.h> | 2373 | [ |
2357 | #include <openssl/opensslv.h> | 2374 | dnl Check default openssl install dir |
2358 | #include <openssl/crypto.h> | 2375 | if test -n "${need_dash_r}"; then |
2359 | #define DATA "conftest.ssllibver" | 2376 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" |
2360 | ]], [[ | 2377 | else |
2361 | FILE *fd; | 2378 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" |
2362 | int rc; | 2379 | fi |
2380 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2381 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2382 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2383 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2384 | [ | ||
2385 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2386 | ] | ||
2387 | ) | ||
2388 | ] | ||
2389 | ) | ||
2363 | 2390 | ||
2364 | fd = fopen(DATA,"w"); | 2391 | # Determine OpenSSL header version |
2365 | if(fd == NULL) | 2392 | AC_MSG_CHECKING([OpenSSL header version]) |
2366 | exit(1); | 2393 | AC_RUN_IFELSE( |
2394 | [AC_LANG_PROGRAM([[ | ||
2395 | #include <stdio.h> | ||
2396 | #include <string.h> | ||
2397 | #include <openssl/opensslv.h> | ||
2398 | #define DATA "conftest.sslincver" | ||
2399 | ]], [[ | ||
2400 | FILE *fd; | ||
2401 | int rc; | ||
2367 | 2402 | ||
2368 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), | 2403 | fd = fopen(DATA,"w"); |
2369 | SSLeay_version(SSLEAY_VERSION))) <0) | 2404 | if(fd == NULL) |
2370 | exit(1); | 2405 | exit(1); |
2371 | 2406 | ||
2372 | exit(0); | 2407 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) |
2373 | ]])], | 2408 | exit(1); |
2374 | [ | 2409 | |
2375 | ssl_library_ver=`cat conftest.ssllibver` | 2410 | exit(0); |
2376 | # Check version is supported. | 2411 | ]])], |
2377 | case "$ssl_library_ver" in | 2412 | [ |
2378 | 0090[[0-7]]*|009080[[0-5]]*) | 2413 | ssl_header_ver=`cat conftest.sslincver` |
2379 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) | 2414 | AC_MSG_RESULT([$ssl_header_ver]) |
2380 | ;; | 2415 | ], |
2381 | *) ;; | 2416 | [ |
2382 | esac | 2417 | AC_MSG_RESULT([not found]) |
2383 | AC_MSG_RESULT([$ssl_library_ver]) | 2418 | AC_MSG_ERROR([OpenSSL version header not found.]) |
2384 | ], | 2419 | ], |
2385 | [ | 2420 | [ |
2386 | AC_MSG_RESULT([not found]) | 2421 | AC_MSG_WARN([cross compiling: not checking]) |
2387 | AC_MSG_ERROR([OpenSSL library not found.]) | 2422 | ] |
2388 | ], | 2423 | ) |
2389 | [ | ||
2390 | AC_MSG_WARN([cross compiling: not checking]) | ||
2391 | ] | ||
2392 | ) | ||
2393 | 2424 | ||
2394 | # XXX make --without-openssl work | 2425 | # Determine OpenSSL library version |
2395 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | 2426 | AC_MSG_CHECKING([OpenSSL library version]) |
2396 | AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support]) | 2427 | AC_RUN_IFELSE( |
2428 | [AC_LANG_PROGRAM([[ | ||
2429 | #include <stdio.h> | ||
2430 | #include <string.h> | ||
2431 | #include <openssl/opensslv.h> | ||
2432 | #include <openssl/crypto.h> | ||
2433 | #define DATA "conftest.ssllibver" | ||
2434 | ]], [[ | ||
2435 | FILE *fd; | ||
2436 | int rc; | ||
2397 | 2437 | ||
2398 | AC_ARG_WITH([openssl-header-check], | 2438 | fd = fopen(DATA,"w"); |
2399 | [ --without-openssl-header-check Disable OpenSSL version consistency check], | 2439 | if(fd == NULL) |
2400 | [ if test "x$withval" = "xno" ; then | 2440 | exit(1); |
2401 | openssl_check_nonfatal=1 | ||
2402 | fi | ||
2403 | ] | ||
2404 | ) | ||
2405 | 2441 | ||
2406 | # Sanity check OpenSSL headers | 2442 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), |
2407 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) | 2443 | SSLeay_version(SSLEAY_VERSION))) <0) |
2408 | AC_RUN_IFELSE( | 2444 | exit(1); |
2409 | [AC_LANG_PROGRAM([[ | ||
2410 | #include <string.h> | ||
2411 | #include <openssl/opensslv.h> | ||
2412 | ]], [[ | ||
2413 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2414 | ]])], | ||
2415 | [ | ||
2416 | AC_MSG_RESULT([yes]) | ||
2417 | ], | ||
2418 | [ | ||
2419 | AC_MSG_RESULT([no]) | ||
2420 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2421 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2422 | library. Check config.log for details. | ||
2423 | If you are sure your installation is consistent, you can disable the check | ||
2424 | by running "./configure --without-openssl-header-check". | ||
2425 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2426 | ]) | ||
2427 | else | ||
2428 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2429 | library. Check config.log for details. | ||
2430 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2431 | fi | ||
2432 | ], | ||
2433 | [ | ||
2434 | AC_MSG_WARN([cross compiling: not checking]) | ||
2435 | ] | ||
2436 | ) | ||
2437 | 2445 | ||
2438 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | 2446 | exit(0); |
2439 | AC_LINK_IFELSE( | 2447 | ]])], |
2440 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2448 | [ |
2441 | [[ SSLeay_add_all_algorithms(); ]])], | 2449 | ssl_library_ver=`cat conftest.ssllibver` |
2442 | [ | 2450 | # Check version is supported. |
2443 | AC_MSG_RESULT([yes]) | 2451 | case "$ssl_library_ver" in |
2444 | ], | 2452 | 0090[[0-7]]*|009080[[0-5]]*) |
2445 | [ | 2453 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) |
2446 | AC_MSG_RESULT([no]) | 2454 | ;; |
2447 | saved_LIBS="$LIBS" | 2455 | *) ;; |
2448 | LIBS="$LIBS -ldl" | 2456 | esac |
2449 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | 2457 | AC_MSG_RESULT([$ssl_library_ver]) |
2450 | AC_LINK_IFELSE( | 2458 | ], |
2451 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2459 | [ |
2452 | [[ SSLeay_add_all_algorithms(); ]])], | 2460 | AC_MSG_RESULT([not found]) |
2453 | [ | 2461 | AC_MSG_ERROR([OpenSSL library not found.]) |
2454 | AC_MSG_RESULT([yes]) | 2462 | ], |
2455 | ], | 2463 | [ |
2456 | [ | 2464 | AC_MSG_WARN([cross compiling: not checking]) |
2457 | AC_MSG_RESULT([no]) | 2465 | ] |
2458 | LIBS="$saved_LIBS" | 2466 | ) |
2459 | ] | ||
2460 | ) | ||
2461 | ] | ||
2462 | ) | ||
2463 | 2467 | ||
2464 | AC_CHECK_FUNCS([ \ | 2468 | # Sanity check OpenSSL headers |
2465 | BN_is_prime_ex \ | 2469 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) |
2466 | DSA_generate_parameters_ex \ | 2470 | AC_RUN_IFELSE( |
2467 | EVP_DigestInit_ex \ | 2471 | [AC_LANG_PROGRAM([[ |
2468 | EVP_DigestFinal_ex \ | 2472 | #include <string.h> |
2469 | EVP_MD_CTX_init \ | 2473 | #include <openssl/opensslv.h> |
2470 | EVP_MD_CTX_cleanup \ | 2474 | ]], [[ |
2471 | EVP_MD_CTX_copy_ex \ | 2475 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); |
2472 | HMAC_CTX_init \ | 2476 | ]])], |
2473 | RSA_generate_key_ex \ | 2477 | [ |
2474 | RSA_get_default_method \ | 2478 | AC_MSG_RESULT([yes]) |
2475 | ]) | 2479 | ], |
2480 | [ | ||
2481 | AC_MSG_RESULT([no]) | ||
2482 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2483 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2484 | library. Check config.log for details. | ||
2485 | If you are sure your installation is consistent, you can disable the check | ||
2486 | by running "./configure --without-openssl-header-check". | ||
2487 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2488 | ]) | ||
2489 | else | ||
2490 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2491 | library. Check config.log for details. | ||
2492 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2493 | fi | ||
2494 | ], | ||
2495 | [ | ||
2496 | AC_MSG_WARN([cross compiling: not checking]) | ||
2497 | ] | ||
2498 | ) | ||
2476 | 2499 | ||
2477 | AC_ARG_WITH([ssl-engine], | 2500 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) |
2478 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], | 2501 | AC_LINK_IFELSE( |
2479 | [ if test "x$withval" != "xno" ; then | 2502 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], |
2503 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2504 | [ | ||
2505 | AC_MSG_RESULT([yes]) | ||
2506 | ], | ||
2507 | [ | ||
2508 | AC_MSG_RESULT([no]) | ||
2509 | saved_LIBS="$LIBS" | ||
2510 | LIBS="$LIBS -ldl" | ||
2511 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2512 | AC_LINK_IFELSE( | ||
2513 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2514 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2515 | [ | ||
2516 | AC_MSG_RESULT([yes]) | ||
2517 | ], | ||
2518 | [ | ||
2519 | AC_MSG_RESULT([no]) | ||
2520 | LIBS="$saved_LIBS" | ||
2521 | ] | ||
2522 | ) | ||
2523 | ] | ||
2524 | ) | ||
2525 | |||
2526 | AC_CHECK_FUNCS([ \ | ||
2527 | BN_is_prime_ex \ | ||
2528 | DSA_generate_parameters_ex \ | ||
2529 | EVP_DigestInit_ex \ | ||
2530 | EVP_DigestFinal_ex \ | ||
2531 | EVP_MD_CTX_init \ | ||
2532 | EVP_MD_CTX_cleanup \ | ||
2533 | EVP_MD_CTX_copy_ex \ | ||
2534 | HMAC_CTX_init \ | ||
2535 | RSA_generate_key_ex \ | ||
2536 | RSA_get_default_method \ | ||
2537 | ]) | ||
2538 | |||
2539 | if test "x$openssl_engine" = "xyes" ; then | ||
2480 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) | 2540 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) |
2481 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 2541 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ |
2482 | #include <openssl/engine.h> | 2542 | #include <openssl/engine.h> |
2483 | ]], [[ | 2543 | ]], [[ |
2484 | ENGINE_load_builtin_engines(); | 2544 | ENGINE_load_builtin_engines(); |
2485 | ENGINE_register_all_complete(); | 2545 | ENGINE_register_all_complete(); |
2486 | ]])], | 2546 | ]])], |
2487 | [ AC_MSG_RESULT([yes]) | 2547 | [ AC_MSG_RESULT([yes]) |
2488 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], | 2548 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], |
2489 | [Enable OpenSSL engine support]) | 2549 | [Enable OpenSSL engine support]) |
2490 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) | 2550 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) |
2491 | ]) | 2551 | ]) |
2492 | fi ] | 2552 | fi |
2493 | ) | ||
2494 | 2553 | ||
2495 | # Check for OpenSSL without EVP_aes_{192,256}_cbc | 2554 | # Check for OpenSSL without EVP_aes_{192,256}_cbc |
2496 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) | 2555 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) |
2497 | AC_LINK_IFELSE( | 2556 | AC_LINK_IFELSE( |
2498 | [AC_LANG_PROGRAM([[ | 2557 | [AC_LANG_PROGRAM([[ |
2499 | #include <string.h> | 2558 | #include <string.h> |
2500 | #include <openssl/evp.h> | 2559 | #include <openssl/evp.h> |
2501 | ]], [[ | 2560 | ]], [[ |
2502 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); | 2561 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); |
2503 | ]])], | 2562 | ]])], |
2504 | [ | 2563 | [ |
2505 | AC_MSG_RESULT([no]) | 2564 | AC_MSG_RESULT([no]) |
2506 | ], | 2565 | ], |
2507 | [ | 2566 | [ |
2508 | AC_MSG_RESULT([yes]) | 2567 | AC_MSG_RESULT([yes]) |
2509 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], | 2568 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], |
2510 | [libcrypto is missing AES 192 and 256 bit functions]) | 2569 | [libcrypto is missing AES 192 and 256 bit functions]) |
2511 | ] | 2570 | ] |
2512 | ) | 2571 | ) |
2513 | 2572 | ||
2514 | # Check for OpenSSL with EVP_aes_*ctr | 2573 | # Check for OpenSSL with EVP_aes_*ctr |
2515 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) | 2574 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) |
2516 | AC_LINK_IFELSE( | 2575 | AC_LINK_IFELSE( |
2517 | [AC_LANG_PROGRAM([[ | 2576 | [AC_LANG_PROGRAM([[ |
2518 | #include <string.h> | 2577 | #include <string.h> |
2519 | #include <openssl/evp.h> | 2578 | #include <openssl/evp.h> |
2520 | ]], [[ | 2579 | ]], [[ |
2521 | exit(EVP_aes_128_ctr() == NULL || | 2580 | exit(EVP_aes_128_ctr() == NULL || |
2522 | EVP_aes_192_cbc() == NULL || | 2581 | EVP_aes_192_cbc() == NULL || |
2523 | EVP_aes_256_cbc() == NULL); | 2582 | EVP_aes_256_cbc() == NULL); |
2524 | ]])], | 2583 | ]])], |
2525 | [ | 2584 | [ |
2526 | AC_MSG_RESULT([yes]) | 2585 | AC_MSG_RESULT([yes]) |
2527 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], | 2586 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], |
2528 | [libcrypto has EVP AES CTR]) | 2587 | [libcrypto has EVP AES CTR]) |
2529 | ], | 2588 | ], |
2530 | [ | 2589 | [ |
2531 | AC_MSG_RESULT([no]) | 2590 | AC_MSG_RESULT([no]) |
2532 | ] | 2591 | ] |
2533 | ) | 2592 | ) |
2534 | 2593 | ||
2535 | # Check for OpenSSL with EVP_aes_*gcm | 2594 | # Check for OpenSSL with EVP_aes_*gcm |
2536 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) | 2595 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) |
2537 | AC_LINK_IFELSE( | 2596 | AC_LINK_IFELSE( |
2538 | [AC_LANG_PROGRAM([[ | 2597 | [AC_LANG_PROGRAM([[ |
2539 | #include <string.h> | 2598 | #include <string.h> |
2540 | #include <openssl/evp.h> | 2599 | #include <openssl/evp.h> |
2541 | ]], [[ | 2600 | ]], [[ |
2542 | exit(EVP_aes_128_gcm() == NULL || | 2601 | exit(EVP_aes_128_gcm() == NULL || |
2543 | EVP_aes_256_gcm() == NULL || | 2602 | EVP_aes_256_gcm() == NULL || |
2544 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || | 2603 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || |
2545 | EVP_CTRL_GCM_IV_GEN == 0 || | 2604 | EVP_CTRL_GCM_IV_GEN == 0 || |
2546 | EVP_CTRL_GCM_SET_TAG == 0 || | 2605 | EVP_CTRL_GCM_SET_TAG == 0 || |
2547 | EVP_CTRL_GCM_GET_TAG == 0 || | 2606 | EVP_CTRL_GCM_GET_TAG == 0 || |
2548 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); | 2607 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); |
2549 | ]])], | 2608 | ]])], |
2550 | [ | 2609 | [ |
2551 | AC_MSG_RESULT([yes]) | 2610 | AC_MSG_RESULT([yes]) |
2552 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], | 2611 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], |
2553 | [libcrypto has EVP AES GCM]) | 2612 | [libcrypto has EVP AES GCM]) |
2554 | ], | 2613 | ], |
2555 | [ | 2614 | [ |
2556 | AC_MSG_RESULT([no]) | 2615 | AC_MSG_RESULT([no]) |
2557 | unsupported_algorithms="$unsupported_cipers \ | 2616 | unsupported_algorithms="$unsupported_cipers \ |
2558 | aes128-gcm@openssh.com aes256-gcm@openssh.com" | 2617 | aes128-gcm@openssh.com aes256-gcm@openssh.com" |
2559 | ] | 2618 | ] |
2560 | ) | 2619 | ) |
2561 | 2620 | ||
2562 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], | 2621 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], |
2563 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], | 2622 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], |
2564 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) | 2623 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) |
2565 | 2624 | ||
2566 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) | 2625 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) |
2567 | AC_LINK_IFELSE( | 2626 | AC_LINK_IFELSE( |
2568 | [AC_LANG_PROGRAM([[ | 2627 | [AC_LANG_PROGRAM([[ |
2569 | #include <string.h> | 2628 | #include <string.h> |
2570 | #include <openssl/evp.h> | 2629 | #include <openssl/evp.h> |
2571 | ]], [[ | 2630 | ]], [[ |
2572 | if(EVP_DigestUpdate(NULL, NULL,0)) | 2631 | if(EVP_DigestUpdate(NULL, NULL,0)) |
2573 | exit(0); | 2632 | exit(0); |
2574 | ]])], | 2633 | ]])], |
2575 | [ | 2634 | [ |
2576 | AC_MSG_RESULT([yes]) | 2635 | AC_MSG_RESULT([yes]) |
2577 | ], | 2636 | ], |
2578 | [ | 2637 | [ |
2579 | AC_MSG_RESULT([no]) | 2638 | AC_MSG_RESULT([no]) |
2580 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], | 2639 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], |
2581 | [Define if EVP_DigestUpdate returns void]) | 2640 | [Define if EVP_DigestUpdate returns void]) |
2582 | ] | 2641 | ] |
2583 | ) | 2642 | ) |
2584 | 2643 | ||
2585 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, | 2644 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, |
2586 | # because the system crypt() is more featureful. | 2645 | # because the system crypt() is more featureful. |
2587 | if test "x$check_for_libcrypt_before" = "x1"; then | 2646 | if test "x$check_for_libcrypt_before" = "x1"; then |
2588 | AC_CHECK_LIB([crypt], [crypt]) | 2647 | AC_CHECK_LIB([crypt], [crypt]) |
2589 | fi | 2648 | fi |
2590 | 2649 | ||
2591 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the | 2650 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the |
2592 | # version in OpenSSL. | 2651 | # version in OpenSSL. |
2593 | if test "x$check_for_libcrypt_later" = "x1"; then | 2652 | if test "x$check_for_libcrypt_later" = "x1"; then |
2594 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) | 2653 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2595 | fi | 2654 | fi |
2596 | AC_CHECK_FUNCS([crypt DES_crypt]) | 2655 | AC_CHECK_FUNCS([crypt DES_crypt]) |
2597 | 2656 | ||
2598 | # Search for SHA256 support in libc and/or OpenSSL | 2657 | # Search for SHA256 support in libc and/or OpenSSL |
2599 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , | 2658 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , |
2600 | [unsupported_algorithms="$unsupported_algorithms \ | 2659 | [unsupported_algorithms="$unsupported_algorithms \ |
2601 | hmac-sha2-256 hmac-sha2-512 \ | 2660 | hmac-sha2-256 hmac-sha2-512 \ |
2602 | diffie-hellman-group-exchange-sha256 \ | 2661 | diffie-hellman-group-exchange-sha256 \ |
2603 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | 2662 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" |
2604 | ] | 2663 | ] |
2605 | ) | 2664 | ) |
2606 | # Search for RIPE-MD support in OpenSSL | 2665 | # Search for RIPE-MD support in OpenSSL |
2607 | AC_CHECK_FUNCS([EVP_ripemd160], , | 2666 | AC_CHECK_FUNCS([EVP_ripemd160], , |
2608 | [unsupported_algorithms="$unsupported_algorithms \ | 2667 | [unsupported_algorithms="$unsupported_algorithms \ |
2609 | hmac-ripemd160 | 2668 | hmac-ripemd160 |
2610 | hmac-ripemd160@openssh.com | 2669 | hmac-ripemd160@openssh.com |
2611 | hmac-ripemd160-etm@openssh.com" | 2670 | hmac-ripemd160-etm@openssh.com" |
2612 | ] | 2671 | ] |
2613 | ) | 2672 | ) |
2614 | 2673 | ||
2615 | # Check complete ECC support in OpenSSL | 2674 | # Check complete ECC support in OpenSSL |
2616 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) | 2675 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2617 | AC_LINK_IFELSE( | 2676 | AC_LINK_IFELSE( |
2618 | [AC_LANG_PROGRAM([[ | 2677 | [AC_LANG_PROGRAM([[ |
2619 | #include <openssl/ec.h> | 2678 | #include <openssl/ec.h> |
2620 | #include <openssl/ecdh.h> | 2679 | #include <openssl/ecdh.h> |
2621 | #include <openssl/ecdsa.h> | 2680 | #include <openssl/ecdsa.h> |
2622 | #include <openssl/evp.h> | 2681 | #include <openssl/evp.h> |
2623 | #include <openssl/objects.h> | 2682 | #include <openssl/objects.h> |
2624 | #include <openssl/opensslv.h> | 2683 | #include <openssl/opensslv.h> |
2625 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2684 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2626 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2685 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2627 | #endif | 2686 | #endif |
2628 | ]], [[ | 2687 | ]], [[ |
2629 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 2688 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
2630 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | 2689 | const EVP_MD *m = EVP_sha256(); /* We need this too */ |
2631 | ]])], | 2690 | ]])], |
2632 | [ AC_MSG_RESULT([yes]) | 2691 | [ AC_MSG_RESULT([yes]) |
2633 | enable_nistp256=1 ], | 2692 | enable_nistp256=1 ], |
2634 | [ AC_MSG_RESULT([no]) ] | 2693 | [ AC_MSG_RESULT([no]) ] |
2635 | ) | 2694 | ) |
2636 | 2695 | ||
2637 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | 2696 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) |
2638 | AC_LINK_IFELSE( | 2697 | AC_LINK_IFELSE( |
2639 | [AC_LANG_PROGRAM([[ | 2698 | [AC_LANG_PROGRAM([[ |
2640 | #include <openssl/ec.h> | 2699 | #include <openssl/ec.h> |
2641 | #include <openssl/ecdh.h> | 2700 | #include <openssl/ecdh.h> |
2642 | #include <openssl/ecdsa.h> | 2701 | #include <openssl/ecdsa.h> |
2643 | #include <openssl/evp.h> | 2702 | #include <openssl/evp.h> |
2644 | #include <openssl/objects.h> | 2703 | #include <openssl/objects.h> |
2645 | #include <openssl/opensslv.h> | 2704 | #include <openssl/opensslv.h> |
2646 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2705 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2647 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2706 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2648 | #endif | 2707 | #endif |
2649 | ]], [[ | 2708 | ]], [[ |
2650 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | 2709 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); |
2651 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | 2710 | const EVP_MD *m = EVP_sha384(); /* We need this too */ |
2652 | ]])], | 2711 | ]])], |
2653 | [ AC_MSG_RESULT([yes]) | 2712 | [ AC_MSG_RESULT([yes]) |
2654 | enable_nistp384=1 ], | 2713 | enable_nistp384=1 ], |
2655 | [ AC_MSG_RESULT([no]) ] | 2714 | [ AC_MSG_RESULT([no]) ] |
2656 | ) | 2715 | ) |
2657 | 2716 | ||
2658 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | 2717 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) |
2659 | AC_LINK_IFELSE( | 2718 | AC_LINK_IFELSE( |
2660 | [AC_LANG_PROGRAM([[ | ||
2661 | #include <openssl/ec.h> | ||
2662 | #include <openssl/ecdh.h> | ||
2663 | #include <openssl/ecdsa.h> | ||
2664 | #include <openssl/evp.h> | ||
2665 | #include <openssl/objects.h> | ||
2666 | #include <openssl/opensslv.h> | ||
2667 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2668 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2669 | #endif | ||
2670 | ]], [[ | ||
2671 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | ||
2672 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | ||
2673 | ]])], | ||
2674 | [ AC_MSG_RESULT([yes]) | ||
2675 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) | ||
2676 | AC_RUN_IFELSE( | ||
2677 | [AC_LANG_PROGRAM([[ | 2719 | [AC_LANG_PROGRAM([[ |
2678 | #include <openssl/ec.h> | 2720 | #include <openssl/ec.h> |
2679 | #include <openssl/ecdh.h> | 2721 | #include <openssl/ecdh.h> |
2680 | #include <openssl/ecdsa.h> | 2722 | #include <openssl/ecdsa.h> |
2681 | #include <openssl/evp.h> | 2723 | #include <openssl/evp.h> |
2682 | #include <openssl/objects.h> | 2724 | #include <openssl/objects.h> |
2683 | #include <openssl/opensslv.h> | 2725 | #include <openssl/opensslv.h> |
2684 | ]],[[ | 2726 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2727 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2728 | #endif | ||
2729 | ]], [[ | ||
2685 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2730 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2686 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2731 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2687 | exit(e == NULL || m == NULL); | ||
2688 | ]])], | 2732 | ]])], |
2689 | [ AC_MSG_RESULT([yes]) | 2733 | [ AC_MSG_RESULT([yes]) |
2690 | enable_nistp521=1 ], | 2734 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2691 | [ AC_MSG_RESULT([no]) ], | 2735 | AC_RUN_IFELSE( |
2692 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | 2736 | [AC_LANG_PROGRAM([[ |
2693 | enable_nistp521=1 ] | 2737 | #include <openssl/ec.h> |
2694 | )], | 2738 | #include <openssl/ecdh.h> |
2695 | AC_MSG_RESULT([no]) | 2739 | #include <openssl/ecdsa.h> |
2696 | ) | 2740 | #include <openssl/evp.h> |
2741 | #include <openssl/objects.h> | ||
2742 | #include <openssl/opensslv.h> | ||
2743 | ]],[[ | ||
2744 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | ||
2745 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | ||
2746 | exit(e == NULL || m == NULL); | ||
2747 | ]])], | ||
2748 | [ AC_MSG_RESULT([yes]) | ||
2749 | enable_nistp521=1 ], | ||
2750 | [ AC_MSG_RESULT([no]) ], | ||
2751 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | ||
2752 | enable_nistp521=1 ] | ||
2753 | )], | ||
2754 | AC_MSG_RESULT([no]) | ||
2755 | ) | ||
2697 | 2756 | ||
2698 | COMMENT_OUT_ECC="#no ecc#" | 2757 | COMMENT_OUT_ECC="#no ecc#" |
2699 | TEST_SSH_ECC=no | 2758 | TEST_SSH_ECC=no |
2700 | 2759 | ||
2701 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | 2760 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ |
2702 | test x$enable_nistp521 = x1; then | 2761 | test x$enable_nistp521 = x1; then |
2703 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | 2762 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) |
2704 | fi | 2763 | fi |
2705 | if test x$enable_nistp256 = x1; then | 2764 | if test x$enable_nistp256 = x1; then |
2706 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | 2765 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], |
2707 | [libcrypto has NID_X9_62_prime256v1]) | 2766 | [libcrypto has NID_X9_62_prime256v1]) |
2708 | TEST_SSH_ECC=yes | 2767 | TEST_SSH_ECC=yes |
2709 | COMMENT_OUT_ECC="" | 2768 | COMMENT_OUT_ECC="" |
2710 | else | 2769 | else |
2711 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | 2770 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ |
2712 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | 2771 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" |
2713 | fi | 2772 | fi |
2714 | if test x$enable_nistp384 = x1; then | 2773 | if test x$enable_nistp384 = x1; then |
2715 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | 2774 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) |
2716 | TEST_SSH_ECC=yes | 2775 | TEST_SSH_ECC=yes |
2717 | COMMENT_OUT_ECC="" | 2776 | COMMENT_OUT_ECC="" |
2718 | else | 2777 | else |
2719 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | 2778 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ |
2720 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | 2779 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" |
2721 | fi | 2780 | fi |
2722 | if test x$enable_nistp521 = x1; then | 2781 | if test x$enable_nistp521 = x1; then |
2723 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | 2782 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) |
2724 | TEST_SSH_ECC=yes | 2783 | TEST_SSH_ECC=yes |
2725 | COMMENT_OUT_ECC="" | 2784 | COMMENT_OUT_ECC="" |
2785 | else | ||
2786 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2787 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2788 | fi | ||
2789 | |||
2790 | AC_SUBST([TEST_SSH_ECC]) | ||
2791 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2726 | else | 2792 | else |
2727 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | 2793 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2728 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | 2794 | AC_CHECK_FUNCS([crypt]) |
2729 | fi | 2795 | fi |
2730 | 2796 | ||
2731 | AC_SUBST([TEST_SSH_ECC]) | ||
2732 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2733 | |||
2734 | AC_CHECK_FUNCS([ \ | 2797 | AC_CHECK_FUNCS([ \ |
2735 | arc4random \ | 2798 | arc4random \ |
2736 | arc4random_buf \ | 2799 | arc4random_buf \ |
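Review bot: The defaults `COMMENT_OUT_ECC="#no ecc#"` and `TEST_SSH_ECC=no` (new lines 2757-2758) now sit inside the `if test "x$openssl" = "xyes"` branch, so a `--without-openssl` build takes the `else` at new line 2792 with both variables unset and, as far as the hunk shows, substitutes empty strings for them. An empty COMMENT_OUT_ECC presumably leaves ECC-only lines in the generated files active in a build that has no ECC support, so the two assignments and the two AC_SUBST calls would be better placed before the `if`. Separately, the re-indented line at new 2616 still expands `$unsupported_cipers`, which is never set in the visible code. `unsupported_algorithms="$unsupported_algorithms \` looks like what was intended; as written, any entries added earlier are dropped when the GCM check fails.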
@@ -2751,28 +2814,30 @@ LIBS="$saved_LIBS" | |||
2751 | ### Configure cryptographic random number support | 2814 | ### Configure cryptographic random number support |
2752 | 2815 | ||
2753 | # Check wheter OpenSSL seeds itself | 2816 | # Check wheter OpenSSL seeds itself |
2754 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) | 2817 | if test "x$openssl" = "xyes" ; then |
2755 | AC_RUN_IFELSE( | 2818 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) |
2756 | [AC_LANG_PROGRAM([[ | 2819 | AC_RUN_IFELSE( |
2757 | #include <string.h> | 2820 | [AC_LANG_PROGRAM([[ |
2758 | #include <openssl/rand.h> | 2821 | #include <string.h> |
2759 | ]], [[ | 2822 | #include <openssl/rand.h> |
2760 | exit(RAND_status() == 1 ? 0 : 1); | 2823 | ]], [[ |
2761 | ]])], | 2824 | exit(RAND_status() == 1 ? 0 : 1); |
2762 | [ | 2825 | ]])], |
2763 | OPENSSL_SEEDS_ITSELF=yes | 2826 | [ |
2764 | AC_MSG_RESULT([yes]) | 2827 | OPENSSL_SEEDS_ITSELF=yes |
2765 | ], | 2828 | AC_MSG_RESULT([yes]) |
2766 | [ | 2829 | ], |
2767 | AC_MSG_RESULT([no]) | 2830 | [ |
2768 | ], | 2831 | AC_MSG_RESULT([no]) |
2769 | [ | 2832 | ], |
2770 | AC_MSG_WARN([cross compiling: assuming yes]) | 2833 | [ |
2771 | # This is safe, since we will fatal() at runtime if | 2834 | AC_MSG_WARN([cross compiling: assuming yes]) |
2772 | # OpenSSL is not seeded correctly. | 2835 | # This is safe, since we will fatal() at runtime if |
2773 | OPENSSL_SEEDS_ITSELF=yes | 2836 | # OpenSSL is not seeded correctly. |
2774 | ] | 2837 | OPENSSL_SEEDS_ITSELF=yes |
2775 | ) | 2838 | ] |
2839 | ) | ||
2840 | fi | ||
2776 | 2841 | ||
2777 | # PRNGD TCP socket | 2842 | # PRNGD TCP socket |
2778 | AC_ARG_WITH([prngd-port], | 2843 | AC_ARG_WITH([prngd-port], |
@@ -2854,8 +2919,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then | |||
2854 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" | 2919 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" |
2855 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then | 2920 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then |
2856 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], | 2921 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], |
2857 | [Define if you want OpenSSL's internally seeded PRNG only]) | 2922 | [Define if you want the OpenSSL internally seeded PRNG only]) |
2858 | RAND_MSG="OpenSSL internal ONLY" | 2923 | RAND_MSG="OpenSSL internal ONLY" |
2924 | elif test "x$openssl" = "xno" ; then | ||
2925 | AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible]) | ||
2859 | else | 2926 | else |
2860 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) | 2927 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) |
2861 | fi | 2928 | fi |
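Review bot: The new `elif test "x$openssl" = "xno"` branch only emits a warning and never assigns `RAND_MSG`, while the PRNGd-socket and OpenSSL-internal branches visible in this hunk both do. Unless the variable is initialised above the hunk, the configure summary for a --without-openssl build would not say which entropy source was chosen. Adding `RAND_MSG="/dev/urandom"` to that branch would make the source visible to anyone auditing the build. Per the warning text, an unavailable device is only discovered at run time, so a comment such as `# not probed here: /dev/urandom availability is only checked at run time` would record that this is intentional. The if/elif chain begins above the hunk, so how the PRNGd options combine with openssl=no cannot be confirmed from the visible lines.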
@@ -2917,7 +2984,7 @@ if test "x$PAM_MSG" = "xyes" ; then | |||
2917 | which takes only one argument to pam_strerror]) | 2984 | which takes only one argument to pam_strerror]) |
2918 | AC_MSG_RESULT([yes]) | 2985 | AC_MSG_RESULT([yes]) |
2919 | PAM_MSG="yes (old library)" | 2986 | PAM_MSG="yes (old library)" |
2920 | 2987 | ||
2921 | ]) | 2988 | ]) |
2922 | fi | 2989 | fi |
2923 | 2990 | ||