mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00
Code Issues Releases Wiki Activity

Move OpenSSL/wolfSSL checks to m4/openssl.m4

Browse Source
This commit is contained in:
Todd C. Miller 2022-12-05 16:45:18 -07:00
parent f515c238bc
commit 00e22508a7
5 changed files with 706 additions and 685 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
MANIFEST
View File

@ -431,6 +431,7 @@ m4/ltoptions.m4
m4/ltsugar.m4
m4/ltversion.m4
m4/lt~obsolete.m4
m4/openssl.m4
m4/pie.m4
m4/python.m4
m4/runlog.m4

1
aclocal.m4 vendored
View File

@ -24,6 +24,7 @@ m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])
m4_include([m4/openssl.m4])
m4_include([m4/pie.m4])
m4_include([m4/python.m4])
m4_include([m4/runlog.m4])

264
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.72a.69-9c123-dirty for sudo 1.9.12p1.
# Generated by GNU Autoconf 2.72a for sudo 1.9.12p1.
#
# Report bugs to <https://bugzilla.sudo.ws/>.
#
@ -1992,7 +1992,7 @@ test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
sudo configure 1.9.12p1
generated by GNU Autoconf 2.72a.69-9c123-dirty
generated by GNU Autoconf 2.72a
Copyright (C) 2022 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
@ -2670,7 +2670,7 @@ This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by sudo $as_me 1.9.12p1, which was
generated by GNU Autoconf 2.72a.69-9c123-dirty. Invocation command line was
generated by GNU Autoconf 2.72a. Invocation command line was
$ $0$ac_configure_args_raw
@ -24514,8 +24514,10 @@ printf "%s\n" "#define HAVE_STRUCT_DIRENT_D_NAMLEN 1" >>confdefs.h
fi
openssl_missing=no
if test "${enable_openssl-no}" != no; then
openssl_missing=no
if test "${enable_openssl-no}" != no; then
# Use pkg-config to find the openssl cflags and libs if possible.
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
PKG_CONFIG_LIBDIR=
@ -25373,6 +25375,7 @@ else case e in #(
if test "$enable_openssl" = "maybe"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: OpenSSL too old (1.0.1 or higher required), Sudo logsrv connections will not be encrypted." >&5
printf "%s\n" "$as_me: WARNING: OpenSSL too old (1.0.1 or higher required), Sudo logsrv connections will not be encrypted." >&2;}
openssl_missing=yes
enable_openssl=no
else
as_fn_error $? "OpenSSL too old (1.0.1 or higher required)." "$LINENO" 5
@ -25400,8 +25403,11 @@ fi
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
unset PKG_CONFIG_LIBDIR
fi
fi
if test "${enable_openssl-no}" != no; then
fi
#
# Note that enable_openssl may be reset above.
#
if test "${enable_openssl-no}" != no; then
OLIBS="$LIBS"
LIBS="$LIBS $LIBTLS"
ac_fn_c_check_func "$LINENO" "X509_STORE_CTX_get0_cert" "ac_cv_func_X509_STORE_CTX_get0_cert"
@ -25465,122 +25471,8 @@ fi
fi
LIBS="$OLIBS"
elif test "${enable_gcrypt-no}" != no; then
# Use gcrypt's sha2 functions
printf "%s\n" "#define HAVE_GCRYPT 1" >>confdefs.h
DIGEST=digest_gcrypt.lo
LIBMD="-lgcrypt"
if test "$enable_gcrypt" != "yes"; then
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -I${enable_gcrypt}/include "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_gcrypt}/include"; } >&5
(: CPPFLAGS already contains -I${enable_gcrypt}/include) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -I${enable_gcrypt}/include"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
CPPFLAGS=-I${enable_gcrypt}/include
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
if test ${LDFLAGS+y}
then :
case " $LDFLAGS " in #(
*" -L${enable_gcrypt}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -L\${enable_gcrypt}/lib"; } >&5
(: LDFLAGS already contains -L${enable_gcrypt}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS " -L${enable_gcrypt}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
LDFLAGS=-L${enable_gcrypt}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
if test X"$enable_rpath" = X"yes"; then
if test ${LDFLAGS_R+y}
then :
case " $LDFLAGS_R " in #(
*" -R${enable_gcrypt}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R already contains -R\${enable_gcrypt}/lib"; } >&5
(: LDFLAGS_R already contains -R${enable_gcrypt}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS_R " -R${enable_gcrypt}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
(: LDFLAGS_R="$LDFLAGS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
LDFLAGS_R=-R${enable_gcrypt}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
(: LDFLAGS_R="$LDFLAGS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
fi
fi
fi
if test "${enable_wolfssl-no}" != no; then
elif test "${enable_wolfssl-no}" != no; then
# Check for OpenSSL compatibility functions in wolfSSL.
# Use pkg-config to find the wolfssl cflags and libs if possible.
if test "$enable_wolfssl" != "yes"; then
PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
@ -26250,8 +26142,126 @@ then :
printf "%s\n" "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
fi
fi
fi
if test "$DIGEST" = "digest.lo"; then
if test "${enable_gcrypt-no}" != no; then
# Use gcrypt's sha2 functions
printf "%s\n" "#define HAVE_GCRYPT 1" >>confdefs.h
DIGEST=digest_gcrypt.lo
LIBMD="-lgcrypt"
if test "$enable_gcrypt" != "yes"; then
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -I${enable_gcrypt}/include "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_gcrypt}/include"; } >&5
(: CPPFLAGS already contains -I${enable_gcrypt}/include) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -I${enable_gcrypt}/include"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
CPPFLAGS=-I${enable_gcrypt}/include
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
if test ${LDFLAGS+y}
then :
case " $LDFLAGS " in #(
*" -L${enable_gcrypt}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -L\${enable_gcrypt}/lib"; } >&5
(: LDFLAGS already contains -L${enable_gcrypt}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS " -L${enable_gcrypt}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
LDFLAGS=-L${enable_gcrypt}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
if test X"$enable_rpath" = X"yes"; then
if test ${LDFLAGS_R+y}
then :
case " $LDFLAGS_R " in #(
*" -R${enable_gcrypt}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R already contains -R\${enable_gcrypt}/lib"; } >&5
(: LDFLAGS_R already contains -R${enable_gcrypt}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS_R " -R${enable_gcrypt}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
(: LDFLAGS_R="$LDFLAGS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
LDFLAGS_R=-R${enable_gcrypt}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
(: LDFLAGS_R="$LDFLAGS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
fi
fi
else
# Use sudo's sha2 functions if not in libmd or libc.
FOUND_SHA2=no
ac_fn_c_check_header_compile "$LINENO" "sha2.h" "ac_cv_header_sha2_h" "$ac_includes_default"
if test "x$ac_cv_header_sha2_h" = xyes
@ -26424,7 +26434,9 @@ esac
done
fi
fi
fi
OLIBS="$LIBS"
LIBS="${LIBS} ${NET_LIBS}"
ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket"
@ -34978,7 +34990,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# values after options handling.
ac_log="
This file was extended by sudo $as_me 1.9.12p1, which was
generated by GNU Autoconf 2.72a.69-9c123-dirty. Invocation command line was
generated by GNU Autoconf 2.72a. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
@ -35046,7 +35058,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
sudo config.status 1.9.12p1
configured by $0, generated by GNU Autoconf 2.72a.69-9c123-dirty,
configured by $0, generated by GNU Autoconf 2.72a,
with options \\"\$ac_cs_config\\"
Copyright (C) 2022 Free Software Foundation, Inc.

309
configure.ac
View File

@ -2975,178 +2975,17 @@ AC_CHECK_MEMBERS([struct dirent.d_type, struct dirent.d_namlen], [], [], [
AC_INCLUDES_DEFAULT
#include <$ac_header_dirent>
])
dnl
dnl Check for functions only present in OpenSSL 1.1 and above
dnl
openssl_missing=no
if test "${enable_openssl-no}" != no; then
# Use pkg-config to find the openssl cflags and libs if possible.
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
PKG_CONFIG_LIBDIR=
for d in ${enable_openssl}/*/pkgconfig; do
if test -d "$d"; then
PKG_CONFIG_LIBDIR="$PKG_CONFIG_LIBDIR:$d"
fi
done
if test -n "$PKG_CONFIG_LIBDIR"; then
PKG_CONFIG_LIBDIR=${PKG_CONFIG_LIBDIR#:}
export PKG_CONFIG_LIBDIR
fi
elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
# Cannot use pkg-config when cross-compiling
PKG_CONFIG=false
fi
: ${PKG_CONFIG='pkg-config'}
pkg_openssl=`printf $enable_openssl_pkgconfig_template "openssl"`
pkg_libcrypto=lib`printf $enable_openssl_pkgconfig_template "crypto"`
if $PKG_CONFIG --exists "$pkg_openssl >= 1.0.1" >/dev/null 2>&1; then
AC_DEFINE(HAVE_OPENSSL)
if test "$enable_openssl" = "maybe"; then
enable_openssl=yes
fi
# Check whether --static is needed (don't assume name of ssl lib)
# There may be dependent libraries or -pthread.
O_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L $pkg_openssl`"
libssl="`$PKG_CONFIG --libs-only-l $pkg_openssl | sed 's/^ *-l//'`"
libssl_extra="`echo $libssl | sed 's/^[[^ ]]* *//'`"
libssl="`echo $libssl | sed 's/ .*//'`"
AC_CHECK_LIB([$libssl], [SSL_new], [STATIC=""], [STATIC="--static"], [$libssl_extra])
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine OpenSSL libs and cflags
for f in `$PKG_CONFIG $STATIC --libs $pkg_openssl`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBTLS], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBTLS])
;;
esac
done
if $PKG_CONFIG --exists $pkg_libcrypto >/dev/null 2>&1; then
# Use OpenSSL's sha2 functions if possible (don't assume name of crypto)
O_LDFLAGS="$LDFLAGS"
libcrypto=
libcrypto_extra=
for f in `$PKG_CONFIG $STATIC --libs $pkg_libcrypto`; do
case "$f" in
-l*)
if test -z "$libcrypto"; then
libcrypto="${f#-l}"
else
libcrypto_extra="$libcrypto_extra $f"
fi
;;
*)
AX_APPEND_FLAG([$f], [LDFLAGS])
;;
esac
done
AC_CHECK_LIB([$libcrypto], [EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [$libcrypto_extra])
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine libcrypto libs and cflags
for f in `$PKG_CONFIG $STATIC --libs $pkg_libcrypto`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBCRYPTO], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBCRYPTO])
;;
esac
done
else
# No separate pkg config for libcrypto
LIBCRYPTO="$LIBTLS"
LIBCRYPTO_R="$LIBTLS_R"
fi
for f in `$PKG_CONFIG --cflags-only-I $pkg_openssl`; do
AX_APPEND_FLAG([$f], [CPPFLAGS])
done
else
# No pkg-config file present, try to do it manually
O_LDFLAGS="$LDFLAGS"
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
SUDO_APPEND_LIBPATH(LDFLAGS, [${enable_openssl}/lib])
fi
AC_CHECK_LIB([ssl], [SSL_new], [
# Check OPENSSL_VERSION_NUMBER in headers
O_CPPFLAGS="$CPPFLAGS"
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
# Note: we only reset CPPFLAGS on failure
AX_APPEND_FLAG([-I${enable_openssl}/include], [CPPFLAGS])
fi
AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <openssl/opensslv.h>
#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x1000100fL
#error "OpenSSL too old"
#endif
]])], [
# OpenSSL >= 1.0.1 detected, use it.
AC_DEFINE(HAVE_OPENSSL)
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_openssl}/lib])
SUDO_APPEND_LIBPATH(LIBTLS, [${enable_openssl}/lib])
else
enable_openssl=yes
fi
LIBCRYPTO="${LIBCRYPTO} -lcrypto"
LIBTLS="${LIBTLS} -lssl -lcrypto"
# Use OpenSSL's sha2 functions if possible
AC_CHECK_LIB([crypto], [EVP_MD_CTX_new], [
DIGEST=digest_openssl.lo
])
], [
# OpenSSL < 1.0.1 detected, ignore it.
if test "$enable_openssl" = "maybe"; then
AC_MSG_WARN([OpenSSL too old (1.0.1 or higher required), Sudo logsrv connections will not be encrypted.])
enable_openssl=no
else
AC_MSG_ERROR([OpenSSL too old (1.0.1 or higher required).])
fi
CPPFLAGS="$O_CPPFLAGS"
])
], [
if test "$enable_openssl" = "maybe"; then
openssl_missing=yes
enable_openssl=no
else
AC_MSG_ERROR([OpenSSL development libraries not found.])
fi
], [-lcrypto])
LDFLAGS="$O_LDFLAGS"
fi
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
unset PKG_CONFIG_LIBDIR
fi
fi
dnl
dnl Note that enable_openssl may be reset above.
dnl Check for OpenSSL or wolfSSL
dnl
if test "${enable_openssl-no}" != no; then
OLIBS="$LIBS"
LIBS="$LIBS $LIBTLS"
AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate SSL_CTX_set0_tmp_dh_pkey TLS_method])
# SSL_CTX_set_min_proto_version may be a macro
AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
AC_INCLUDES_DEFAULT
#include <openssl/ssl.h>
])
# LibreSSL TLS 1.3 support may not be enabled, check for declaration too.
AC_CHECK_FUNC([SSL_CTX_set_ciphersuites], [
AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
AC_INCLUDES_DEFAULT
#include <openssl/ssl.h>
])
])
LIBS="$OLIBS"
elif test "${enable_gcrypt-no}" != no; then
SUDO_CHECK_OPENSSL
dnl
dnl Check for sha2 functions if not using openssl or wolfssl
dnl
if test "$DIGEST" = "digest.lo"; then
if test "${enable_gcrypt-no}" != no; then
# Use gcrypt's sha2 functions
AC_DEFINE(HAVE_GCRYPT)
DIGEST=digest_gcrypt.lo
@ -3155,136 +2994,8 @@ elif test "${enable_gcrypt-no}" != no; then
AX_APPEND_FLAG([-I${enable_gcrypt}/include], [CPPFLAGS])
SUDO_APPEND_LIBPATH(LDFLAGS, [${enable_gcrypt}/lib])
fi
fi
dnl
dnl Check for OpenSSL compatibility functions in wolfSSL
dnl
if test "${enable_wolfssl-no}" != no; then
# Use pkg-config to find the wolfssl cflags and libs if possible.
if test "$enable_wolfssl" != "yes"; then
PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
export PKG_CONFIG_LIBDIR
elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
# Cannot use pkg-config when cross-compiling
PKG_CONFIG=false
fi
: ${PKG_CONFIG='pkg-config'}
if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then
AC_DEFINE(HAVE_OPENSSL)
AC_DEFINE(HAVE_WOLFSSL)
O_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`"
O_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`"
# Check whether --static is needed
libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`"
libssl_extra=`echo $libssl | sed 's/^[[^ ]]* *//'`
libssl=`echo $libssl | sed 's/ .*//'`
AC_CHECK_LIB([$libssl], [wolfSSL_new], [STATIC=""], [STATIC="--static"], [$libssl_extra])
# Use wolfSSL's sha2 functions if possible
AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
])
CPPFLAGS="$O_CPPFLAGS"
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine wolfSSL libs and cflags
for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBTLS], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBTLS])
;;
esac
done
# No separate pkg config for libcrypto
LIBCRYPTO="$LIBTLS"
LIBCRYPTO_R="$LIBTLS_R"
for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do
AX_APPEND_FLAG([$f], [CPPFLAGS])
# So we find the openssl compat headers under wolfssl
AX_APPEND_FLAG([$f/wolfssl], [CPPFLAGS])
done
if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
# So we find the openssl compat headers under wolfssl (XXX)
AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
fi
else
AC_DEFINE(HAVE_OPENSSL)
AC_DEFINE(HAVE_WOLFSSL)
# No pkg-config file present, try to do it manually
if test "$enable_wolfssl" != "yes"; then
SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_wolfssl}/lib])
SUDO_APPEND_LIBPATH(LIBTLS, [${enable_wolfssl}/lib])
AX_APPEND_FLAG([-I${enable_wolfssl}/include], [CPPFLAGS])
# So we find the openssl compat headers under wolfssl
AX_APPEND_FLAG([-I${enable_wolfssl}/include/wolfssl], [CPPFLAGS])
else
# So we find the openssl compat headers under wolfssl (XXX)
AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
fi
LIBTLS="${LIBTLS} -lwolfssl"
LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
# Use wolfSSL's sha2 functions if possible
AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
])
fi
dnl
dnl Check for specific OpenSSL API compatibility macros
dnl
AC_CHECK_DECL([X509_STORE_CTX_get0_cert], [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/x509.h>
])
AC_CHECK_DECL([ASN1_STRING_get0_data], [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/asn1.h>
])
AC_CHECK_DECL([SSL_CTX_get0_certificate], [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set0_tmp_dh_pkey], [AC_DEFINE(HAVE_SSL_CTX_SET0_TMP_DH_PKEY)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([TLS_method], [AC_DEFINE(HAVE_TLS_METHOD)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
fi
dnl
dnl Check for sha2 functions if not using openssl, wolfssl or gcrypt
dnl
if test "$DIGEST" = "digest.lo"; then
# Use sudo's sha2 functions if not in libmd or libc.
FOUND_SHA2=no
AC_CHECK_HEADER([sha2.h], [
FOUND_SHA2=yes
@ -3304,7 +3015,9 @@ if test "$DIGEST" = "digest.lo"; then
AC_LIBOBJ(sha2)
SUDO_APPEND_COMPAT_EXP(sudo_SHA224Final sudo_SHA224Init sudo_SHA224Pad sudo_SHA224Transform sudo_SHA224Update sudo_SHA256Final sudo_SHA256Init sudo_SHA256Pad sudo_SHA256Transform sudo_SHA256Update sudo_SHA384Final sudo_SHA384Init sudo_SHA384Pad sudo_SHA384Transform sudo_SHA384Update sudo_SHA512Final sudo_SHA512Init sudo_SHA512Pad sudo_SHA512Transform sudo_SHA512Update)
fi
fi
fi
dnl
dnl If socket(2) not in libc, check -lsocket and -linet
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols

294
m4/openssl.m4 Normal file
View File

@ -0,0 +1,294 @@
AC_DEFUN([SUDO_CHECK_OPENSSL], [
openssl_missing=no
if test "${enable_openssl-no}" != no; then
# Use pkg-config to find the openssl cflags and libs if possible.
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
PKG_CONFIG_LIBDIR=
for d in ${enable_openssl}/*/pkgconfig; do
if test -d "$d"; then
PKG_CONFIG_LIBDIR="$PKG_CONFIG_LIBDIR:$d"
fi
done
if test -n "$PKG_CONFIG_LIBDIR"; then
PKG_CONFIG_LIBDIR=${PKG_CONFIG_LIBDIR#:}
export PKG_CONFIG_LIBDIR
fi
elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
# Cannot use pkg-config when cross-compiling
PKG_CONFIG=false
fi
: ${PKG_CONFIG='pkg-config'}
pkg_openssl=`printf $enable_openssl_pkgconfig_template "openssl"`
pkg_libcrypto=lib`printf $enable_openssl_pkgconfig_template "crypto"`
if $PKG_CONFIG --exists "$pkg_openssl >= 1.0.1" >/dev/null 2>&1; then
AC_DEFINE(HAVE_OPENSSL)
if test "$enable_openssl" = "maybe"; then
enable_openssl=yes
fi
# Check whether --static is needed (don't assume name of ssl lib)
# There may be dependent libraries or -pthread.
O_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L $pkg_openssl`"
libssl="`$PKG_CONFIG --libs-only-l $pkg_openssl | sed 's/^ *-l//'`"
libssl_extra="`echo $libssl | sed 's/^[[^ ]]* *//'`"
libssl="`echo $libssl | sed 's/ .*//'`"
AC_CHECK_LIB([$libssl], [SSL_new], [STATIC=""], [STATIC="--static"], [$libssl_extra])
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine OpenSSL libs and cflags
for f in `$PKG_CONFIG $STATIC --libs $pkg_openssl`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBTLS], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBTLS])
;;
esac
done
if $PKG_CONFIG --exists $pkg_libcrypto >/dev/null 2>&1; then
# Use OpenSSL's sha2 functions if possible (don't assume name of crypto)
O_LDFLAGS="$LDFLAGS"
libcrypto=
libcrypto_extra=
for f in `$PKG_CONFIG $STATIC --libs $pkg_libcrypto`; do
case "$f" in
-l*)
if test -z "$libcrypto"; then
libcrypto="${f#-l}"
else
libcrypto_extra="$libcrypto_extra $f"
fi
;;
*)
AX_APPEND_FLAG([$f], [LDFLAGS])
;;
esac
done
AC_CHECK_LIB([$libcrypto], [EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [$libcrypto_extra])
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine libcrypto libs and cflags
for f in `$PKG_CONFIG $STATIC --libs $pkg_libcrypto`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBCRYPTO], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBCRYPTO])
;;
esac
done
else
# No separate pkg config for libcrypto
LIBCRYPTO="$LIBTLS"
LIBCRYPTO_R="$LIBTLS_R"
fi
for f in `$PKG_CONFIG --cflags-only-I $pkg_openssl`; do
AX_APPEND_FLAG([$f], [CPPFLAGS])
done
else
# No pkg-config file present, try to do it manually
O_LDFLAGS="$LDFLAGS"
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
SUDO_APPEND_LIBPATH(LDFLAGS, [${enable_openssl}/lib])
fi
AC_CHECK_LIB([ssl], [SSL_new], [
# Check OPENSSL_VERSION_NUMBER in headers
O_CPPFLAGS="$CPPFLAGS"
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
# Note: we only reset CPPFLAGS on failure
AX_APPEND_FLAG([-I${enable_openssl}/include], [CPPFLAGS])
fi
AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <openssl/opensslv.h>
#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x1000100fL
#error "OpenSSL too old"
#endif
]])], [
# OpenSSL >= 1.0.1 detected, use it.
AC_DEFINE(HAVE_OPENSSL)
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_openssl}/lib])
SUDO_APPEND_LIBPATH(LIBTLS, [${enable_openssl}/lib])
else
enable_openssl=yes
fi
LIBCRYPTO="${LIBCRYPTO} -lcrypto"
LIBTLS="${LIBTLS} -lssl -lcrypto"
# Use OpenSSL's sha2 functions if possible
AC_CHECK_LIB([crypto], [EVP_MD_CTX_new], [
DIGEST=digest_openssl.lo
])
], [
# OpenSSL < 1.0.1 detected, ignore it.
if test "$enable_openssl" = "maybe"; then
AC_MSG_WARN([OpenSSL too old (1.0.1 or higher required), Sudo logsrv connections will not be encrypted.])
openssl_missing=yes
enable_openssl=no
else
AC_MSG_ERROR([OpenSSL too old (1.0.1 or higher required).])
fi
CPPFLAGS="$O_CPPFLAGS"
])
], [
if test "$enable_openssl" = "maybe"; then
openssl_missing=yes
enable_openssl=no
else
AC_MSG_ERROR([OpenSSL development libraries not found.])
fi
], [-lcrypto])
LDFLAGS="$O_LDFLAGS"
fi
if test "$enable_openssl" != "yes" -a "$enable_openssl" != "maybe"; then
unset PKG_CONFIG_LIBDIR
fi
fi
#
# Note that enable_openssl may be reset above.
#
if test "${enable_openssl-no}" != no; then
OLIBS="$LIBS"
LIBS="$LIBS $LIBTLS"
AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate SSL_CTX_set0_tmp_dh_pkey TLS_method])
# SSL_CTX_set_min_proto_version may be a macro
AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
AC_INCLUDES_DEFAULT
#include <openssl/ssl.h>
])
# LibreSSL TLS 1.3 support may not be enabled, check for declaration too.
AC_CHECK_FUNC([SSL_CTX_set_ciphersuites], [
AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
AC_INCLUDES_DEFAULT
#include <openssl/ssl.h>
])
])
LIBS="$OLIBS"
elif test "${enable_wolfssl-no}" != no; then
# Check for OpenSSL compatibility functions in wolfSSL.
# Use pkg-config to find the wolfssl cflags and libs if possible.
if test "$enable_wolfssl" != "yes"; then
PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
export PKG_CONFIG_LIBDIR
elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
# Cannot use pkg-config when cross-compiling
PKG_CONFIG=false
fi
: ${PKG_CONFIG='pkg-config'}
if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then
AC_DEFINE(HAVE_OPENSSL)
AC_DEFINE(HAVE_WOLFSSL)
O_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`"
O_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`"
# Check whether --static is needed
libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`"
libssl_extra=`echo $libssl | sed 's/^[[^ ]]* *//'`
libssl=`echo $libssl | sed 's/ .*//'`
AC_CHECK_LIB([$libssl], [wolfSSL_new], [STATIC=""], [STATIC="--static"], [$libssl_extra])
# Use wolfSSL's sha2 functions if possible
AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
])
CPPFLAGS="$O_CPPFLAGS"
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine wolfSSL libs and cflags
for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBTLS], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBTLS])
;;
esac
done
# No separate pkg config for libcrypto
LIBCRYPTO="$LIBTLS"
LIBCRYPTO_R="$LIBTLS_R"
for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do
AX_APPEND_FLAG([$f], [CPPFLAGS])
# So we find the openssl compat headers under wolfssl
AX_APPEND_FLAG([$f/wolfssl], [CPPFLAGS])
done
if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
# So we find the openssl compat headers under wolfssl (XXX)
AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
fi
else
AC_DEFINE(HAVE_OPENSSL)
AC_DEFINE(HAVE_WOLFSSL)
# No pkg-config file present, try to do it manually
if test "$enable_wolfssl" != "yes"; then
SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_wolfssl}/lib])
SUDO_APPEND_LIBPATH(LIBTLS, [${enable_wolfssl}/lib])
AX_APPEND_FLAG([-I${enable_wolfssl}/include], [CPPFLAGS])
# So we find the openssl compat headers under wolfssl
AX_APPEND_FLAG([-I${enable_wolfssl}/include/wolfssl], [CPPFLAGS])
else
# So we find the openssl compat headers under wolfssl (XXX)
AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
fi
LIBTLS="${LIBTLS} -lwolfssl"
LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
# Use wolfSSL's sha2 functions if possible
AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
])
fi
dnl
dnl Check for specific OpenSSL API compatibility macros
dnl
AC_CHECK_DECL([X509_STORE_CTX_get0_cert], [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/x509.h>
])
AC_CHECK_DECL([ASN1_STRING_get0_data], [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/asn1.h>
])
AC_CHECK_DECL([SSL_CTX_get0_certificate], [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set0_tmp_dh_pkey], [AC_DEFINE(HAVE_SSL_CTX_SET0_TMP_DH_PKEY)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([TLS_method], [AC_DEFINE(HAVE_TLS_METHOD)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
fi
])