Only enable U2F if OpenSSL supports ECC.

This requires moving the U2F bits to below the OpenSSL parts so we have
the required information.  ok djm@
Darren Tucker 2019-11-02 16:39:38 +11:00
parent ad38406fc9
commit f5cc5816aa
1 changed files with 40 additions and 34 deletions


@ -1909,44 +1909,10 @@ AC_ARG_ENABLE([security-key],
] ]
) )
# PKCS11/U2F depend on OpenSSL and dlopen().
AC_SEARCH_LIBS([dlopen], [dl]) AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen]) AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>]) AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
enable_pkcs11=yes
enable_sk=yes
if test "x$openssl" != "xyes" ; then
enable_pkcs11="disabled; missing libcrypto"
enable_sk="disabled; missing libcrypto"
fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
enable_pkcs11="disabled; missing dlopen(3)"
enable_sk="disabled; missing dlopen(3)"
fi
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
enable_pkcs11="disabled; missing RTLD_NOW"
enable_sk="disabled; missing RTLD_NOW"
fi
if test ! -z "$disable_pkcs11" ; then
enable_pkcs11="disabled by user"
fi
if test ! -z "$disable_sk" ; then
enable_sk="disabled by user"
fi
AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])
AC_MSG_CHECKING([whether to enable U2F])
if test "x$enable_sk" = "xyes" ; then
AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
fi
AC_MSG_RESULT([$enable_sk])
# IRIX has a const char return value for gai_strerror() # IRIX has a const char return value for gai_strerror()
AC_CHECK_FUNCS([gai_strerror], [ AC_CHECK_FUNCS([gai_strerror], [
AC_DEFINE([HAVE_GAI_STRERROR]) AC_DEFINE([HAVE_GAI_STRERROR])
@ -3015,6 +2981,9 @@ if test "x$openssl" = "xyes" ; then
test x$enable_nistp521 = x1; then test x$enable_nistp521 = x1; then
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
AC_CHECK_FUNCS([EC_KEY_METHOD_new]) AC_CHECK_FUNCS([EC_KEY_METHOD_new])
openssl_ecc=yes
else
openssl_ecc=no
fi fi
if test x$enable_nistp256 = x1; then if test x$enable_nistp256 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1], AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
@ -3055,6 +3024,43 @@ else
AC_CHECK_FUNCS([crypt]) AC_CHECK_FUNCS([crypt])
fi fi
# PKCS11/U2F depend on OpenSSL and dlopen().
enable_pkcs11=yes
enable_sk=yes
if test "x$openssl" != "xyes" ; then
enable_pkcs11="disabled; missing libcrypto"
enable_sk="disabled; missing libcrypto"
fi
if test "x$openssl_ecc" != "xyes" ; then
enable_sk="disabled; OpenSSL has no ECC support"
fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
enable_pkcs11="disabled; missing dlopen(3)"
enable_sk="disabled; missing dlopen(3)"
fi
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
enable_pkcs11="disabled; missing RTLD_NOW"
enable_sk="disabled; missing RTLD_NOW"
fi
if test ! -z "$disable_pkcs11" ; then
enable_pkcs11="disabled by user"
fi
if test ! -z "$disable_sk" ; then
enable_sk="disabled by user"
fi
AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])
AC_MSG_CHECKING([whether to enable U2F])
if test "x$enable_sk" = "xyes" ; then
AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
fi
AC_MSG_RESULT([$enable_sk])
AC_CHECK_FUNCS([ \ AC_CHECK_FUNCS([ \
arc4random \ arc4random \
arc4random_buf \ arc4random_buf \
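Review bot: When libcrypto is absent, the new `openssl_ecc` test in the relocated PKCS11/U2F block overwrites the more accurate "disabled; missing libcrypto" reason for `enable_sk` with "disabled; OpenSSL has no ECC support". This happens because `openssl_ecc` is assigned only in the ECC branch, which the hunk header suggests sits inside `if test "x$openssl" = "xyes"`, so it is empty whenever OpenSSL is not in use. Chaining the test onto the libcrypto check as `elif test "x$openssl_ecc" != "xyes" ; then` keeps the configure output truthful about why security-key support was left out. Separately, `openssl_ecc=yes` appears to be set when any NIST curve is usable (only the nistp521 part of that condition is visible here). If the security-key code needs P-256 specifically, testing `enable_nistp256` would be the tighter gate.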