Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac911
1 files changed, 489 insertions, 422 deletions
diff --git a/configure.ac b/configure.ac
index f5c65c5a4..f7ce777a5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -121,6 +121,42 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123 123
124openssl=yes
125ssh1=yes
126AC_ARG_WITH([openssl],
127 [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
128 [ if test "x$withval" = "xno" ; then
129 openssl=no
130 ssh1=no
131 fi
132 ]
133)
134AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
135if test "x$openssl" = "xyes" ; then
136 AC_MSG_RESULT([yes])
137 AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
138else
139 AC_MSG_RESULT([no])
140fi
141
142AC_ARG_WITH([ssh1],
143 [ --without-ssh1 Disable support for SSH protocol 1],
144 [
145 if test "x$withval" = "xno" ; then
146 ssh1=no
147 elif test "x$openssl" = "xno" ; then
148 AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled])
149 fi
150 ]
151)
152AC_MSG_CHECKING([whether SSH protocol 1 support is enabled])
153if test "x$ssh1" = "xyes" ; then
154 AC_MSG_RESULT([yes])
155 AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support])
156else
157 AC_MSG_RESULT([no])
158fi
159
124use_stack_protector=1 160use_stack_protector=1
125use_toolchain_hardening=1 161use_toolchain_hardening=1
126AC_ARG_WITH([stackprotect], 162AC_ARG_WITH([stackprotect],
@@ -1320,7 +1356,7 @@ g.gl_statv = NULL;
1320 AC_MSG_RESULT([yes]) 1356 AC_MSG_RESULT([yes])
1321 ], [ 1357 ], [
1322 AC_MSG_RESULT([no]) 1358 AC_MSG_RESULT([no])
1323 1359
1324]) 1360])
1325 1361
1326AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) 1362AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
@@ -1603,7 +1639,7 @@ AC_ARG_WITH([audit],
1603) 1639)
1604 1640
1605AC_ARG_WITH([pie], 1641AC_ARG_WITH([pie],
1606 [ --with-pie Build Position Independent Executables if possible], [ 1642 [ --with-pie Build Position Independent Executables if possible], [
1607 if test "x$withval" = "xno"; then 1643 if test "x$withval" = "xno"; then
1608 use_pie=no 1644 use_pie=no
1609 fi 1645 fi
@@ -1709,6 +1745,7 @@ AC_CHECK_FUNCS([ \
1709 prctl \ 1745 prctl \
1710 pstat \ 1746 pstat \
1711 readpassphrase \ 1747 readpassphrase \
1748 reallocarray \
1712 realpath \ 1749 realpath \
1713 recvmsg \ 1750 recvmsg \
1714 rresvport_af \ 1751 rresvport_af \
@@ -1768,10 +1805,13 @@ AC_LINK_IFELSE(
1768 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) 1805 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1769]) 1806])
1770 1807
1771# PKCS#11 support requires dlopen() and co 1808# PKCS11 depends on OpenSSL.
1772AC_SEARCH_LIBS([dlopen], [dl], 1809if test "x$openssl" = "xyes" ; then
1773 [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] 1810 # PKCS#11 support requires dlopen() and co
1774) 1811 AC_SEARCH_LIBS([dlopen], [dl],
1812 [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
1813 )
1814fi
1775 1815
1776# IRIX has a const char return value for gai_strerror() 1816# IRIX has a const char return value for gai_strerror()
1777AC_CHECK_FUNCS([gai_strerror], [ 1817AC_CHECK_FUNCS([gai_strerror], [
@@ -2237,6 +2277,13 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2237 ) 2277 )
2238fi 2278fi
2239 2279
2280if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2281 AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2282 [#include <sys/types.h>
2283 #include <sys/socket.h>
2284 #include <netdb.h>])
2285fi
2286
2240if test "x$check_for_conflicting_getspnam" = "x1"; then 2287if test "x$check_for_conflicting_getspnam" = "x1"; then
2241 AC_MSG_CHECKING([for conflicting getspnam in shadow.h]) 2288 AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2242 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]], 2289 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
@@ -2260,6 +2307,9 @@ saved_LDFLAGS="$LDFLAGS"
2260AC_ARG_WITH([ssl-dir], 2307AC_ARG_WITH([ssl-dir],
2261 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], 2308 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
2262 [ 2309 [
2310 if test "x$openssl" = "xno" ; then
2311 AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2312 fi
2263 if test "x$withval" != "xno" ; then 2313 if test "x$withval" != "xno" ; then
2264 case "$withval" in 2314 case "$withval" in
2265 # Relative paths 2315 # Relative paths
@@ -2292,445 +2342,458 @@ AC_ARG_WITH([ssl-dir],
2292 fi 2342 fi
2293 ] 2343 ]
2294) 2344)
2295LIBS="-lcrypto $LIBS" 2345
2296AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], 2346AC_ARG_WITH([openssl-header-check],
2297 [Define if your ssl headers are included 2347 [ --without-openssl-header-check Disable OpenSSL version consistency check],
2298 with #include <openssl/header.h>])],
2299 [ 2348 [
2300 dnl Check default openssl install dir 2349 if test "x$withval" = "xno" ; then
2301 if test -n "${need_dash_r}"; then 2350 openssl_check_nonfatal=1
2302 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2303 else
2304 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2305 fi 2351 fi
2306 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2307 AC_CHECK_HEADER([openssl/opensslv.h], ,
2308 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2309 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2310 [
2311 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2312 ]
2313 )
2314 ] 2352 ]
2315) 2353)
2316 2354
2317# Determine OpenSSL header version 2355openssl_engine=no
2318AC_MSG_CHECKING([OpenSSL header version]) 2356AC_ARG_WITH([ssl-engine],
2319AC_RUN_IFELSE( 2357 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
2320 [AC_LANG_PROGRAM([[
2321#include <stdio.h>
2322#include <string.h>
2323#include <openssl/opensslv.h>
2324#define DATA "conftest.sslincver"
2325 ]], [[
2326 FILE *fd;
2327 int rc;
2328
2329 fd = fopen(DATA,"w");
2330 if(fd == NULL)
2331 exit(1);
2332
2333 if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
2334 exit(1);
2335
2336 exit(0);
2337 ]])],
2338 [
2339 ssl_header_ver=`cat conftest.sslincver`
2340 AC_MSG_RESULT([$ssl_header_ver])
2341 ],
2342 [
2343 AC_MSG_RESULT([not found])
2344 AC_MSG_ERROR([OpenSSL version header not found.])
2345 ],
2346 [ 2358 [
2347 AC_MSG_WARN([cross compiling: not checking]) 2359 if test "x$openssl" = "xno" ; then
2360 AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2361 fi
2362 if test "x$withval" != "xno" ; then
2363 openssl_engine=yes
2364 fi
2348 ] 2365 ]
2349) 2366)
2350 2367
2351# Determine OpenSSL library version 2368if test "x$openssl" = "xyes" ; then
2352AC_MSG_CHECKING([OpenSSL library version]) 2369 LIBS="-lcrypto $LIBS"
2353AC_RUN_IFELSE( 2370 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
2354 [AC_LANG_PROGRAM([[ 2371 [Define if your ssl headers are included
2355#include <stdio.h> 2372 with #include <openssl/header.h>])],
2356#include <string.h> 2373 [
2357#include <openssl/opensslv.h> 2374 dnl Check default openssl install dir
2358#include <openssl/crypto.h> 2375 if test -n "${need_dash_r}"; then
2359#define DATA "conftest.ssllibver" 2376 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2360 ]], [[ 2377 else
2361 FILE *fd; 2378 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2362 int rc; 2379 fi
2380 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2381 AC_CHECK_HEADER([openssl/opensslv.h], ,
2382 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2383 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2384 [
2385 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2386 ]
2387 )
2388 ]
2389 )
2363 2390
2364 fd = fopen(DATA,"w"); 2391 # Determine OpenSSL header version
2365 if(fd == NULL) 2392 AC_MSG_CHECKING([OpenSSL header version])
2366 exit(1); 2393 AC_RUN_IFELSE(
2394 [AC_LANG_PROGRAM([[
2395 #include <stdio.h>
2396 #include <string.h>
2397 #include <openssl/opensslv.h>
2398 #define DATA "conftest.sslincver"
2399 ]], [[
2400 FILE *fd;
2401 int rc;
2367 2402
2368 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), 2403 fd = fopen(DATA,"w");
2369 SSLeay_version(SSLEAY_VERSION))) <0) 2404 if(fd == NULL)
2370 exit(1); 2405 exit(1);
2371 2406
2372 exit(0); 2407 if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
2373 ]])], 2408 exit(1);
2374 [ 2409
2375 ssl_library_ver=`cat conftest.ssllibver` 2410 exit(0);
2376 # Check version is supported. 2411 ]])],
2377 case "$ssl_library_ver" in 2412 [
2378 0090[[0-7]]*|009080[[0-5]]*) 2413 ssl_header_ver=`cat conftest.sslincver`
2379 AC_MSG_ERROR([OpenSSL >= 0.9.8f required]) 2414 AC_MSG_RESULT([$ssl_header_ver])
2380 ;; 2415 ],
2381 *) ;; 2416 [
2382 esac 2417 AC_MSG_RESULT([not found])
2383 AC_MSG_RESULT([$ssl_library_ver]) 2418 AC_MSG_ERROR([OpenSSL version header not found.])
2384 ], 2419 ],
2385 [ 2420 [
2386 AC_MSG_RESULT([not found]) 2421 AC_MSG_WARN([cross compiling: not checking])
2387 AC_MSG_ERROR([OpenSSL library not found.]) 2422 ]
2388 ], 2423 )
2389 [
2390 AC_MSG_WARN([cross compiling: not checking])
2391 ]
2392)
2393 2424
2394# XXX make --without-openssl work 2425 # Determine OpenSSL library version
2395AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) 2426 AC_MSG_CHECKING([OpenSSL library version])
2396AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support]) 2427 AC_RUN_IFELSE(
2428 [AC_LANG_PROGRAM([[
2429 #include <stdio.h>
2430 #include <string.h>
2431 #include <openssl/opensslv.h>
2432 #include <openssl/crypto.h>
2433 #define DATA "conftest.ssllibver"
2434 ]], [[
2435 FILE *fd;
2436 int rc;
2397 2437
2398AC_ARG_WITH([openssl-header-check], 2438 fd = fopen(DATA,"w");
2399 [ --without-openssl-header-check Disable OpenSSL version consistency check], 2439 if(fd == NULL)
2400 [ if test "x$withval" = "xno" ; then 2440 exit(1);
2401 openssl_check_nonfatal=1
2402 fi
2403 ]
2404)
2405 2441
2406# Sanity check OpenSSL headers 2442 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
2407AC_MSG_CHECKING([whether OpenSSL's headers match the library]) 2443 SSLeay_version(SSLEAY_VERSION))) <0)
2408AC_RUN_IFELSE( 2444 exit(1);
2409 [AC_LANG_PROGRAM([[
2410#include <string.h>
2411#include <openssl/opensslv.h>
2412 ]], [[
2413 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2414 ]])],
2415 [
2416 AC_MSG_RESULT([yes])
2417 ],
2418 [
2419 AC_MSG_RESULT([no])
2420 if test "x$openssl_check_nonfatal" = "x"; then
2421 AC_MSG_ERROR([Your OpenSSL headers do not match your
2422library. Check config.log for details.
2423If you are sure your installation is consistent, you can disable the check
2424by running "./configure --without-openssl-header-check".
2425Also see contrib/findssl.sh for help identifying header/library mismatches.
2426])
2427 else
2428 AC_MSG_WARN([Your OpenSSL headers do not match your
2429library. Check config.log for details.
2430Also see contrib/findssl.sh for help identifying header/library mismatches.])
2431 fi
2432 ],
2433 [
2434 AC_MSG_WARN([cross compiling: not checking])
2435 ]
2436)
2437 2445
2438AC_MSG_CHECKING([if programs using OpenSSL functions will link]) 2446 exit(0);
2439AC_LINK_IFELSE( 2447 ]])],
2440 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], 2448 [
2441 [[ SSLeay_add_all_algorithms(); ]])], 2449 ssl_library_ver=`cat conftest.ssllibver`
2442 [ 2450 # Check version is supported.
2443 AC_MSG_RESULT([yes]) 2451 case "$ssl_library_ver" in
2444 ], 2452 0090[[0-7]]*|009080[[0-5]]*)
2445 [ 2453 AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
2446 AC_MSG_RESULT([no]) 2454 ;;
2447 saved_LIBS="$LIBS" 2455 *) ;;
2448 LIBS="$LIBS -ldl" 2456 esac
2449 AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) 2457 AC_MSG_RESULT([$ssl_library_ver])
2450 AC_LINK_IFELSE( 2458 ],
2451 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], 2459 [
2452 [[ SSLeay_add_all_algorithms(); ]])], 2460 AC_MSG_RESULT([not found])
2453 [ 2461 AC_MSG_ERROR([OpenSSL library not found.])
2454 AC_MSG_RESULT([yes]) 2462 ],
2455 ], 2463 [
2456 [ 2464 AC_MSG_WARN([cross compiling: not checking])
2457 AC_MSG_RESULT([no]) 2465 ]
2458 LIBS="$saved_LIBS" 2466 )
2459 ]
2460 )
2461 ]
2462)
2463 2467
2464AC_CHECK_FUNCS([ \ 2468 # Sanity check OpenSSL headers
2465 BN_is_prime_ex \ 2469 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2466 DSA_generate_parameters_ex \ 2470 AC_RUN_IFELSE(
2467 EVP_DigestInit_ex \ 2471 [AC_LANG_PROGRAM([[
2468 EVP_DigestFinal_ex \ 2472 #include <string.h>
2469 EVP_MD_CTX_init \ 2473 #include <openssl/opensslv.h>
2470 EVP_MD_CTX_cleanup \ 2474 ]], [[
2471 EVP_MD_CTX_copy_ex \ 2475 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2472 HMAC_CTX_init \ 2476 ]])],
2473 RSA_generate_key_ex \ 2477 [
2474 RSA_get_default_method \ 2478 AC_MSG_RESULT([yes])
2475]) 2479 ],
2480 [
2481 AC_MSG_RESULT([no])
2482 if test "x$openssl_check_nonfatal" = "x"; then
2483 AC_MSG_ERROR([Your OpenSSL headers do not match your
2484 library. Check config.log for details.
2485 If you are sure your installation is consistent, you can disable the check
2486 by running "./configure --without-openssl-header-check".
2487 Also see contrib/findssl.sh for help identifying header/library mismatches.
2488 ])
2489 else
2490 AC_MSG_WARN([Your OpenSSL headers do not match your
2491 library. Check config.log for details.
2492 Also see contrib/findssl.sh for help identifying header/library mismatches.])
2493 fi
2494 ],
2495 [
2496 AC_MSG_WARN([cross compiling: not checking])
2497 ]
2498 )
2476 2499
2477AC_ARG_WITH([ssl-engine], 2500 AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2478 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], 2501 AC_LINK_IFELSE(
2479 [ if test "x$withval" != "xno" ; then 2502 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2503 [[ SSLeay_add_all_algorithms(); ]])],
2504 [
2505 AC_MSG_RESULT([yes])
2506 ],
2507 [
2508 AC_MSG_RESULT([no])
2509 saved_LIBS="$LIBS"
2510 LIBS="$LIBS -ldl"
2511 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2512 AC_LINK_IFELSE(
2513 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2514 [[ SSLeay_add_all_algorithms(); ]])],
2515 [
2516 AC_MSG_RESULT([yes])
2517 ],
2518 [
2519 AC_MSG_RESULT([no])
2520 LIBS="$saved_LIBS"
2521 ]
2522 )
2523 ]
2524 )
2525
2526 AC_CHECK_FUNCS([ \
2527 BN_is_prime_ex \
2528 DSA_generate_parameters_ex \
2529 EVP_DigestInit_ex \
2530 EVP_DigestFinal_ex \
2531 EVP_MD_CTX_init \
2532 EVP_MD_CTX_cleanup \
2533 EVP_MD_CTX_copy_ex \
2534 HMAC_CTX_init \
2535 RSA_generate_key_ex \
2536 RSA_get_default_method \
2537 ])
2538
2539 if test "x$openssl_engine" = "xyes" ; then
2480 AC_MSG_CHECKING([for OpenSSL ENGINE support]) 2540 AC_MSG_CHECKING([for OpenSSL ENGINE support])
2481 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ 2541 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2482#include <openssl/engine.h> 2542 #include <openssl/engine.h>
2483 ]], [[ 2543 ]], [[
2484 ENGINE_load_builtin_engines(); 2544 ENGINE_load_builtin_engines();
2485 ENGINE_register_all_complete(); 2545 ENGINE_register_all_complete();
2486 ]])], 2546 ]])],
2487 [ AC_MSG_RESULT([yes]) 2547 [ AC_MSG_RESULT([yes])
2488 AC_DEFINE([USE_OPENSSL_ENGINE], [1], 2548 AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2489 [Enable OpenSSL engine support]) 2549 [Enable OpenSSL engine support])
2490 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) 2550 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2491 ]) 2551 ])
2492 fi ] 2552 fi
2493)
2494 2553
2495# Check for OpenSSL without EVP_aes_{192,256}_cbc 2554 # Check for OpenSSL without EVP_aes_{192,256}_cbc
2496AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) 2555 AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2497AC_LINK_IFELSE( 2556 AC_LINK_IFELSE(
2498 [AC_LANG_PROGRAM([[ 2557 [AC_LANG_PROGRAM([[
2499#include <string.h> 2558 #include <string.h>
2500#include <openssl/evp.h> 2559 #include <openssl/evp.h>
2501 ]], [[ 2560 ]], [[
2502 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); 2561 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2503 ]])], 2562 ]])],
2504 [ 2563 [
2505 AC_MSG_RESULT([no]) 2564 AC_MSG_RESULT([no])
2506 ], 2565 ],
2507 [ 2566 [
2508 AC_MSG_RESULT([yes]) 2567 AC_MSG_RESULT([yes])
2509 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], 2568 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2510 [libcrypto is missing AES 192 and 256 bit functions]) 2569 [libcrypto is missing AES 192 and 256 bit functions])
2511 ] 2570 ]
2512) 2571 )
2513 2572
2514# Check for OpenSSL with EVP_aes_*ctr 2573 # Check for OpenSSL with EVP_aes_*ctr
2515AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) 2574 AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2516AC_LINK_IFELSE( 2575 AC_LINK_IFELSE(
2517 [AC_LANG_PROGRAM([[ 2576 [AC_LANG_PROGRAM([[
2518#include <string.h> 2577 #include <string.h>
2519#include <openssl/evp.h> 2578 #include <openssl/evp.h>
2520 ]], [[ 2579 ]], [[
2521 exit(EVP_aes_128_ctr() == NULL || 2580 exit(EVP_aes_128_ctr() == NULL ||
2522 EVP_aes_192_cbc() == NULL || 2581 EVP_aes_192_cbc() == NULL ||
2523 EVP_aes_256_cbc() == NULL); 2582 EVP_aes_256_cbc() == NULL);
2524 ]])], 2583 ]])],
2525 [ 2584 [
2526 AC_MSG_RESULT([yes]) 2585 AC_MSG_RESULT([yes])
2527 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], 2586 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2528 [libcrypto has EVP AES CTR]) 2587 [libcrypto has EVP AES CTR])
2529 ], 2588 ],
2530 [ 2589 [
2531 AC_MSG_RESULT([no]) 2590 AC_MSG_RESULT([no])
2532 ] 2591 ]
2533) 2592 )
2534 2593
2535# Check for OpenSSL with EVP_aes_*gcm 2594 # Check for OpenSSL with EVP_aes_*gcm
2536AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) 2595 AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2537AC_LINK_IFELSE( 2596 AC_LINK_IFELSE(
2538 [AC_LANG_PROGRAM([[ 2597 [AC_LANG_PROGRAM([[
2539#include <string.h> 2598 #include <string.h>
2540#include <openssl/evp.h> 2599 #include <openssl/evp.h>
2541 ]], [[ 2600 ]], [[
2542 exit(EVP_aes_128_gcm() == NULL || 2601 exit(EVP_aes_128_gcm() == NULL ||
2543 EVP_aes_256_gcm() == NULL || 2602 EVP_aes_256_gcm() == NULL ||
2544 EVP_CTRL_GCM_SET_IV_FIXED == 0 || 2603 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2545 EVP_CTRL_GCM_IV_GEN == 0 || 2604 EVP_CTRL_GCM_IV_GEN == 0 ||
2546 EVP_CTRL_GCM_SET_TAG == 0 || 2605 EVP_CTRL_GCM_SET_TAG == 0 ||
2547 EVP_CTRL_GCM_GET_TAG == 0 || 2606 EVP_CTRL_GCM_GET_TAG == 0 ||
2548 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); 2607 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2549 ]])], 2608 ]])],
2550 [ 2609 [
2551 AC_MSG_RESULT([yes]) 2610 AC_MSG_RESULT([yes])
2552 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], 2611 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2553 [libcrypto has EVP AES GCM]) 2612 [libcrypto has EVP AES GCM])
2554 ], 2613 ],
2555 [ 2614 [
2556 AC_MSG_RESULT([no]) 2615 AC_MSG_RESULT([no])
2557 unsupported_algorithms="$unsupported_cipers \ 2616 unsupported_algorithms="$unsupported_cipers \
2558 aes128-gcm@openssh.com aes256-gcm@openssh.com" 2617 aes128-gcm@openssh.com aes256-gcm@openssh.com"
2559 ] 2618 ]
2560) 2619 )
2561 2620
2562AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], 2621 AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2563 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], 2622 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2564 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) 2623 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2565 2624
2566AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) 2625 AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2567AC_LINK_IFELSE( 2626 AC_LINK_IFELSE(
2568 [AC_LANG_PROGRAM([[ 2627 [AC_LANG_PROGRAM([[
2569#include <string.h> 2628 #include <string.h>
2570#include <openssl/evp.h> 2629 #include <openssl/evp.h>
2571 ]], [[ 2630 ]], [[
2572 if(EVP_DigestUpdate(NULL, NULL,0)) 2631 if(EVP_DigestUpdate(NULL, NULL,0))
2573 exit(0); 2632 exit(0);
2574 ]])], 2633 ]])],
2575 [ 2634 [
2576 AC_MSG_RESULT([yes]) 2635 AC_MSG_RESULT([yes])
2577 ], 2636 ],
2578 [ 2637 [
2579 AC_MSG_RESULT([no]) 2638 AC_MSG_RESULT([no])
2580 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], 2639 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2581 [Define if EVP_DigestUpdate returns void]) 2640 [Define if EVP_DigestUpdate returns void])
2582 ] 2641 ]
2583) 2642 )
2584 2643
2585# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 2644 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2586# because the system crypt() is more featureful. 2645 # because the system crypt() is more featureful.
2587if test "x$check_for_libcrypt_before" = "x1"; then 2646 if test "x$check_for_libcrypt_before" = "x1"; then
2588 AC_CHECK_LIB([crypt], [crypt]) 2647 AC_CHECK_LIB([crypt], [crypt])
2589fi 2648 fi
2590 2649
2591# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 2650 # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2592# version in OpenSSL. 2651 # version in OpenSSL.
2593if test "x$check_for_libcrypt_later" = "x1"; then 2652 if test "x$check_for_libcrypt_later" = "x1"; then
2594 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) 2653 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2595fi 2654 fi
2596AC_CHECK_FUNCS([crypt DES_crypt]) 2655 AC_CHECK_FUNCS([crypt DES_crypt])
2597 2656
2598# Search for SHA256 support in libc and/or OpenSSL 2657 # Search for SHA256 support in libc and/or OpenSSL
2599AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , 2658 AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2600 [unsupported_algorithms="$unsupported_algorithms \ 2659 [unsupported_algorithms="$unsupported_algorithms \
2601 hmac-sha2-256 hmac-sha2-512 \ 2660 hmac-sha2-256 hmac-sha2-512 \
2602 diffie-hellman-group-exchange-sha256 \ 2661 diffie-hellman-group-exchange-sha256 \
2603 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" 2662 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2604 ] 2663 ]
2605) 2664 )
2606# Search for RIPE-MD support in OpenSSL 2665 # Search for RIPE-MD support in OpenSSL
2607AC_CHECK_FUNCS([EVP_ripemd160], , 2666 AC_CHECK_FUNCS([EVP_ripemd160], ,
2608 [unsupported_algorithms="$unsupported_algorithms \ 2667 [unsupported_algorithms="$unsupported_algorithms \
2609 hmac-ripemd160 2668 hmac-ripemd160
2610 hmac-ripemd160@openssh.com 2669 hmac-ripemd160@openssh.com
2611 hmac-ripemd160-etm@openssh.com" 2670 hmac-ripemd160-etm@openssh.com"
2612 ] 2671 ]
2613) 2672 )
2614 2673
2615# Check complete ECC support in OpenSSL 2674 # Check complete ECC support in OpenSSL
2616AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) 2675 AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2617AC_LINK_IFELSE( 2676 AC_LINK_IFELSE(
2618 [AC_LANG_PROGRAM([[ 2677 [AC_LANG_PROGRAM([[
2619#include <openssl/ec.h> 2678 #include <openssl/ec.h>
2620#include <openssl/ecdh.h> 2679 #include <openssl/ecdh.h>
2621#include <openssl/ecdsa.h> 2680 #include <openssl/ecdsa.h>
2622#include <openssl/evp.h> 2681 #include <openssl/evp.h>
2623#include <openssl/objects.h> 2682 #include <openssl/objects.h>
2624#include <openssl/opensslv.h> 2683 #include <openssl/opensslv.h>
2625#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2684 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2626# error "OpenSSL < 0.9.8g has unreliable ECC code" 2685 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2627#endif 2686 #endif
2628 ]], [[ 2687 ]], [[
2629 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 2688 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2630 const EVP_MD *m = EVP_sha256(); /* We need this too */ 2689 const EVP_MD *m = EVP_sha256(); /* We need this too */
2631 ]])], 2690 ]])],
2632 [ AC_MSG_RESULT([yes]) 2691 [ AC_MSG_RESULT([yes])
2633 enable_nistp256=1 ], 2692 enable_nistp256=1 ],
2634 [ AC_MSG_RESULT([no]) ] 2693 [ AC_MSG_RESULT([no]) ]
2635) 2694 )
2636 2695
2637AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) 2696 AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
2638AC_LINK_IFELSE( 2697 AC_LINK_IFELSE(
2639 [AC_LANG_PROGRAM([[ 2698 [AC_LANG_PROGRAM([[
2640#include <openssl/ec.h> 2699 #include <openssl/ec.h>
2641#include <openssl/ecdh.h> 2700 #include <openssl/ecdh.h>
2642#include <openssl/ecdsa.h> 2701 #include <openssl/ecdsa.h>
2643#include <openssl/evp.h> 2702 #include <openssl/evp.h>
2644#include <openssl/objects.h> 2703 #include <openssl/objects.h>
2645#include <openssl/opensslv.h> 2704 #include <openssl/opensslv.h>
2646#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2705 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2647# error "OpenSSL < 0.9.8g has unreliable ECC code" 2706 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2648#endif 2707 #endif
2649 ]], [[ 2708 ]], [[
2650 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); 2709 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
2651 const EVP_MD *m = EVP_sha384(); /* We need this too */ 2710 const EVP_MD *m = EVP_sha384(); /* We need this too */
2652 ]])], 2711 ]])],
2653 [ AC_MSG_RESULT([yes]) 2712 [ AC_MSG_RESULT([yes])
2654 enable_nistp384=1 ], 2713 enable_nistp384=1 ],
2655 [ AC_MSG_RESULT([no]) ] 2714 [ AC_MSG_RESULT([no]) ]
2656) 2715 )
2657 2716
2658AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) 2717 AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2659AC_LINK_IFELSE( 2718 AC_LINK_IFELSE(
2660 [AC_LANG_PROGRAM([[
2661#include <openssl/ec.h>
2662#include <openssl/ecdh.h>
2663#include <openssl/ecdsa.h>
2664#include <openssl/evp.h>
2665#include <openssl/objects.h>
2666#include <openssl/opensslv.h>
2667#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2668# error "OpenSSL < 0.9.8g has unreliable ECC code"
2669#endif
2670 ]], [[
2671 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2672 const EVP_MD *m = EVP_sha512(); /* We need this too */
2673 ]])],
2674 [ AC_MSG_RESULT([yes])
2675 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2676 AC_RUN_IFELSE(
2677 [AC_LANG_PROGRAM([[ 2719 [AC_LANG_PROGRAM([[
2678#include <openssl/ec.h> 2720 #include <openssl/ec.h>
2679#include <openssl/ecdh.h> 2721 #include <openssl/ecdh.h>
2680#include <openssl/ecdsa.h> 2722 #include <openssl/ecdsa.h>
2681#include <openssl/evp.h> 2723 #include <openssl/evp.h>
2682#include <openssl/objects.h> 2724 #include <openssl/objects.h>
2683#include <openssl/opensslv.h> 2725 #include <openssl/opensslv.h>
2684 ]],[[ 2726 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2727 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2728 #endif
2729 ]], [[
2685 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2730 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2686 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2731 const EVP_MD *m = EVP_sha512(); /* We need this too */
2687 exit(e == NULL || m == NULL);
2688 ]])], 2732 ]])],
2689 [ AC_MSG_RESULT([yes]) 2733 [ AC_MSG_RESULT([yes])
2690 enable_nistp521=1 ], 2734 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2691 [ AC_MSG_RESULT([no]) ], 2735 AC_RUN_IFELSE(
2692 [ AC_MSG_WARN([cross-compiling: assuming yes]) 2736 [AC_LANG_PROGRAM([[
2693 enable_nistp521=1 ] 2737 #include <openssl/ec.h>
2694 )], 2738 #include <openssl/ecdh.h>
2695 AC_MSG_RESULT([no]) 2739 #include <openssl/ecdsa.h>
2696) 2740 #include <openssl/evp.h>
2741 #include <openssl/objects.h>
2742 #include <openssl/opensslv.h>
2743 ]],[[
2744 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2745 const EVP_MD *m = EVP_sha512(); /* We need this too */
2746 exit(e == NULL || m == NULL);
2747 ]])],
2748 [ AC_MSG_RESULT([yes])
2749 enable_nistp521=1 ],
2750 [ AC_MSG_RESULT([no]) ],
2751 [ AC_MSG_WARN([cross-compiling: assuming yes])
2752 enable_nistp521=1 ]
2753 )],
2754 AC_MSG_RESULT([no])
2755 )
2697 2756
2698COMMENT_OUT_ECC="#no ecc#" 2757 COMMENT_OUT_ECC="#no ecc#"
2699TEST_SSH_ECC=no 2758 TEST_SSH_ECC=no
2700 2759
2701if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ 2760 if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
2702 test x$enable_nistp521 = x1; then 2761 test x$enable_nistp521 = x1; then
2703 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) 2762 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
2704fi 2763 fi
2705if test x$enable_nistp256 = x1; then 2764 if test x$enable_nistp256 = x1; then
2706 AC_DEFINE([OPENSSL_HAS_NISTP256], [1], 2765 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
2707 [libcrypto has NID_X9_62_prime256v1]) 2766 [libcrypto has NID_X9_62_prime256v1])
2708 TEST_SSH_ECC=yes 2767 TEST_SSH_ECC=yes
2709 COMMENT_OUT_ECC="" 2768 COMMENT_OUT_ECC=""
2710else 2769 else
2711 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ 2770 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
2712 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" 2771 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
2713fi 2772 fi
2714if test x$enable_nistp384 = x1; then 2773 if test x$enable_nistp384 = x1; then
2715 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) 2774 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
2716 TEST_SSH_ECC=yes 2775 TEST_SSH_ECC=yes
2717 COMMENT_OUT_ECC="" 2776 COMMENT_OUT_ECC=""
2718else 2777 else
2719 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ 2778 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
2720 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" 2779 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
2721fi 2780 fi
2722if test x$enable_nistp521 = x1; then 2781 if test x$enable_nistp521 = x1; then
2723 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) 2782 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
2724 TEST_SSH_ECC=yes 2783 TEST_SSH_ECC=yes
2725 COMMENT_OUT_ECC="" 2784 COMMENT_OUT_ECC=""
2785 else
2786 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
2787 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
2788 fi
2789
2790 AC_SUBST([TEST_SSH_ECC])
2791 AC_SUBST([COMMENT_OUT_ECC])
2726else 2792else
2727 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ 2793 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2728 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" 2794 AC_CHECK_FUNCS([crypt])
2729fi 2795fi
2730 2796
2731AC_SUBST([TEST_SSH_ECC])
2732AC_SUBST([COMMENT_OUT_ECC])
2733
2734AC_CHECK_FUNCS([ \ 2797AC_CHECK_FUNCS([ \
2735 arc4random \ 2798 arc4random \
2736 arc4random_buf \ 2799 arc4random_buf \
@@ -2751,28 +2814,30 @@ LIBS="$saved_LIBS"
2751### Configure cryptographic random number support 2814### Configure cryptographic random number support
2752 2815
2753# Check wheter OpenSSL seeds itself 2816# Check wheter OpenSSL seeds itself
2754AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) 2817if test "x$openssl" = "xyes" ; then
2755AC_RUN_IFELSE( 2818 AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
2756 [AC_LANG_PROGRAM([[ 2819 AC_RUN_IFELSE(
2757#include <string.h> 2820 [AC_LANG_PROGRAM([[
2758#include <openssl/rand.h> 2821 #include <string.h>
2759 ]], [[ 2822 #include <openssl/rand.h>
2760 exit(RAND_status() == 1 ? 0 : 1); 2823 ]], [[
2761 ]])], 2824 exit(RAND_status() == 1 ? 0 : 1);
2762 [ 2825 ]])],
2763 OPENSSL_SEEDS_ITSELF=yes 2826 [
2764 AC_MSG_RESULT([yes]) 2827 OPENSSL_SEEDS_ITSELF=yes
2765 ], 2828 AC_MSG_RESULT([yes])
2766 [ 2829 ],
2767 AC_MSG_RESULT([no]) 2830 [
2768 ], 2831 AC_MSG_RESULT([no])
2769 [ 2832 ],
2770 AC_MSG_WARN([cross compiling: assuming yes]) 2833 [
2771 # This is safe, since we will fatal() at runtime if 2834 AC_MSG_WARN([cross compiling: assuming yes])
2772 # OpenSSL is not seeded correctly. 2835 # This is safe, since we will fatal() at runtime if
2773 OPENSSL_SEEDS_ITSELF=yes 2836 # OpenSSL is not seeded correctly.
2774 ] 2837 OPENSSL_SEEDS_ITSELF=yes
2775) 2838 ]
2839 )
2840fi
2776 2841
2777# PRNGD TCP socket 2842# PRNGD TCP socket
2778AC_ARG_WITH([prngd-port], 2843AC_ARG_WITH([prngd-port],
@@ -2854,8 +2919,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then
2854 RAND_MSG="PRNGd socket $PRNGD_SOCKET" 2919 RAND_MSG="PRNGd socket $PRNGD_SOCKET"
2855elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then 2920elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
2856 AC_DEFINE([OPENSSL_PRNG_ONLY], [1], 2921 AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
2857 [Define if you want OpenSSL's internally seeded PRNG only]) 2922 [Define if you want the OpenSSL internally seeded PRNG only])
2858 RAND_MSG="OpenSSL internal ONLY" 2923 RAND_MSG="OpenSSL internal ONLY"
2924elif test "x$openssl" = "xno" ; then
2925 AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
2859else 2926else
2860 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) 2927 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
2861fi 2928fi
@@ -2917,7 +2984,7 @@ if test "x$PAM_MSG" = "xyes" ; then
2917 which takes only one argument to pam_strerror]) 2984 which takes only one argument to pam_strerror])
2918 AC_MSG_RESULT([yes]) 2985 AC_MSG_RESULT([yes])
2919 PAM_MSG="yes (old library)" 2986 PAM_MSG="yes (old library)"
2920 2987
2921 ]) 2988 ])
2922fi 2989fi
2923 2990
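Review bot: In the large OpenSSL hunk the defaults `COMMENT_OUT_ECC="#no ecc#"` and `TEST_SSH_ECC=no` (new lines 2757-2758) now sit inside `if test "x$openssl" = "xyes"`, and the `else` branch at 2793-2794 sets neither, so a `--without-openssl` run leaves both variables empty. `AC_SUBST` registers its substitution regardless of the shell conditional around it, so `@COMMENT_OUT_ECC@` would expand to the same empty string that the OpenSSL branch uses to signal working ECC; how the Makefile and regress scripts consume it is not visible on this page, so that needs confirming. Moving the two assignments above the `if` and the two `AC_SUBST` calls below the closing `fi` would keep the no-ECC default in both configurations. The `else` branch also leaves `unsupported_algorithms` untouched, so if that list is what marks the OpenSSL-only algorithms (ECDSA, AES-GCM) as unavailable, it would need entries there too. Separately, the re-indented GCM line at 2616 still reads `$unsupported_cipers`, which looks like a typo for `$unsupported_algorithms` and discards anything accumulated before it.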