Check if OpenSSL implementation supports DSA.

If --enable/disable-dsa-keys is not specified, set based on what OpenSSL
supports.  If specified as enabled, but not supported by OpenSSL error
out.  ok djm@

configure.ac

@@ -2075,17 +2075,11 @@ AC_ARG_WITH([security-key-builtin],
 	[ enable_sk_internal=$withval ]
 )
 
-disable_ecdsa=
+enable_dsa=
 AC_ARG_ENABLE([dsa-keys],
 	[  --disable-dsa-keys      disable DSA key support [no]],
-	[
+	[  enable_dsa="$enableval" ]
-		if test "x$enableval" = "xno" ; then
-			disable_ecdsa=1
-		fi
-	]
 )
-test -z "$disable_ecdsa" &&
-    AC_DEFINE([WITH_DSA], [1], [Define if to enable DSA keys.])
 
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
@@ -3196,6 +3190,35 @@ if test "x$openssl" = "xyes" ; then
 			AC_MSG_RESULT([no])
 		]
 	)
+	openssl_dsa=no
+	if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
+		AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
+			AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
+			    [ openssl_dsa=yes ],
+			    [ #include <openssl/opensslconf.h> ]
+			)
+		    ],
+		    [ #include <openssl/opensslconf.h> ]
+		)
+		AC_MSG_CHECKING([whether to enable DSA key support])
+		if test -z "$enable_dsa"; then
+			if test "x$openssl_dsa" = "xno"; then
+				AC_MSG_RESULT([not supported by OpenSSL])
+			else
+				AC_MSG_RESULT([yes])
+				AC_DEFINE([WITH_DSA], [1],
+				   [DSA keys enabled by default])
+			fi
+		else
+			if test "x$openssl_dsa" = "xno"; then
+				AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
+			else
+				AC_MSG_RESULT([yes])
+				AC_DEFINE([WITH_DSA], [1],
+				   [DSA keys explicitly enabled])
+			fi
+		fi
+	fi
 fi
 
 # PKCS11/U2F depend on OpenSSL and dlopen().