@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then
2802
2802
#include <openssl/crypto.h>
2803
2803
#define DATA "conftest.ssllibver"
2804
2804
] ] , [ [
2805
- FILE *fd;
2806
- int rc;
2805
+ FILE *f;
2807
2806
2808
- fd = fopen(DATA,"w");
2809
- if(fd == NULL)
2807
+ if ((f = fopen(DATA, "w")) == NULL)
2810
2808
exit(1);
2811
- #ifndef OPENSSL_VERSION
2812
- # define OPENSSL_VERSION SSLEAY_VERSION
2813
- #endif
2814
- #ifndef HAVE_OPENSSL_VERSION
2815
- # define OpenSSL_version SSLeay_version
2816
- #endif
2817
- #ifndef HAVE_OPENSSL_VERSION_NUM
2818
- # define OpenSSL_version_num SSLeay
2819
- #endif
2820
- if ((rc = fprintf(fd, "%08lx (%s)\n",
2809
+ if (fprintf(f, "%08lx (%s)",
2821
2810
(unsigned long)OpenSSL_version_num(),
2822
- OpenSSL_version(OPENSSL_VERSION))) < 0)
2811
+ OpenSSL_version(OPENSSL_VERSION)) < 0)
2812
+ exit(1);
2813
+ #ifdef LIBRESSL_VERSION_NUMBER
2814
+ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
2815
+ exit(1);
2816
+ #endif
2817
+ if (fputc('\n', f) == EOF || fclose(f) == EOF)
2823
2818
exit(1);
2824
-
2825
2819
exit(0);
2826
2820
] ] ) ] ,
2827
2821
[
2828
- ssl_library_ver=`cat conftest.ssllibver`
2822
+ sslver=`cat conftest.ssllibver`
2823
+ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
2829
2824
# Check version is supported.
2830
- case "$ssl_library_ver" in
2831
- 10000*|0*)
2832
- AC_MSG_ERROR ( [ OpenSSL >= 1.0.1 required (have "$ssl_library_ver")] )
2833
- ;;
2834
- 100*) ;; # 1.0.x
2835
- 101000[ [ 0123456] ] *)
2836
- # https://github.com/openssl/openssl/pull/4613
2837
- AC_MSG_ERROR ( [ OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")] )
2825
+ case "$sslver" in
2826
+ 100*|10100*) # 1.0.x, 1.1.0x
2827
+ AC_MSG_ERROR ( [ OpenSSL >= 1.1.1 required (have "$ssl_showver")] )
2838
2828
;;
2839
2829
101*) ;; # 1.1.x
2840
- 200*) ;; # LibreSSL
2830
+ 200*) # LibreSSL
2831
+ lver=`echo "$sslver" | sed 's/.*libressl-//'`
2832
+ case "$lver" in
2833
+ 2*|300*) # 2.x, 3.0.0
2834
+ AC_MSG_ERROR ( [ LibreSSL >= 3.1.0 required (have "$ssl_showver")] )
2835
+ ;;
2836
+ *) ;; # Assume all other versions are good.
2837
+ esac
2838
+ ;;
2841
2839
300*)
2842
2840
# OpenSSL 3; we use the 1.1x API
2843
2841
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then
2847
2845
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2848
2846
;;
2849
2847
*)
2850
- AC_MSG_ERROR ( [ Unknown/unsupported OpenSSL version ("$ssl_library_ver ")] )
2848
+ AC_MSG_ERROR ( [ Unknown/unsupported OpenSSL version ("$ssl_showver ")] )
2851
2849
;;
2852
2850
esac
2853
- AC_MSG_RESULT ( [ $ssl_library_ver ] )
2851
+ AC_MSG_RESULT ( [ $ssl_showver ] )
2854
2852
] ,
2855
2853
[
2856
2854
AC_MSG_RESULT ( [ not found] )
@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then
2863
2861
2864
2862
case "$host" in
2865
2863
x86_64-*)
2866
- case "$ssl_library_ver " in
2864
+ case "$sslver " in
2867
2865
3000004*)
2868
2866
AC_MSG_ERROR ( [ OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)] )
2869
2867
;;
@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then
2879
2877
#include <openssl/opensslv.h>
2880
2878
#include <openssl/crypto.h>
2881
2879
] ] , [ [
2882
- #ifndef HAVE_OPENSSL_VERSION_NUM
2883
- # define OpenSSL_version_num SSLeay
2884
- #endif
2885
2880
exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2886
2881
] ] ) ] ,
2887
2882
[
@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then
2955
2950
)
2956
2951
)
2957
2952
2958
- # LibreSSL/OpenSSL 1.1x API
2953
+ # LibreSSL/OpenSSL API differences
2959
2954
AC_CHECK_FUNCS ( [ \
2960
- OPENSSL_init_crypto \
2961
- DH_get0_key \
2962
- DH_get0_pqg \
2963
- DH_set0_key \
2964
- DH_set_length \
2965
- DH_set0_pqg \
2966
- DSA_get0_key \
2967
- DSA_get0_pqg \
2968
- DSA_set0_key \
2969
- DSA_set0_pqg \
2970
- DSA_SIG_get0 \
2971
- DSA_SIG_set0 \
2972
- ECDSA_SIG_get0 \
2973
- ECDSA_SIG_set0 \
2974
2955
EVP_CIPHER_CTX_iv \
2975
2956
EVP_CIPHER_CTX_iv_noconst \
2976
2957
EVP_CIPHER_CTX_get_iv \
2977
2958
EVP_CIPHER_CTX_get_updated_iv \
2978
2959
EVP_CIPHER_CTX_set_iv \
2979
- RSA_get0_crt_params \
2980
- RSA_get0_factors \
2981
- RSA_get0_key \
2982
- RSA_set0_crt_params \
2983
- RSA_set0_factors \
2984
- RSA_set0_key \
2985
- RSA_meth_free \
2986
- RSA_meth_dup \
2987
- RSA_meth_set1_name \
2988
- RSA_meth_get_finish \
2989
- RSA_meth_set_priv_enc \
2990
- RSA_meth_set_priv_dec \
2991
- RSA_meth_set_finish \
2992
- EVP_PKEY_get0_RSA \
2993
- EVP_MD_CTX_new \
2994
- EVP_MD_CTX_free \
2995
- EVP_chacha20 \
2996
2960
] )
2997
2961
2998
2962
if test "x$openssl_engine" = "xyes" ; then
@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then
3050
3014
]
3051
3015
)
3052
3016
3053
- # Check for SHA256, SHA384 and SHA512 support in OpenSSL
3054
- AC_CHECK_FUNCS ( [ EVP_sha256 EVP_sha384 EVP_sha512] )
3017
+ # Check for various EVP support in OpenSSL
3018
+ AC_CHECK_FUNCS ( [ EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20 ] )
3055
3019
3056
3020
# Check complete ECC support in OpenSSL
3057
3021
AC_MSG_CHECKING ( [ whether OpenSSL has NID_X9_62_prime256v1] )
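Review bot: In the first hunk, `fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER)` passes the macro uncast to a `%08lx` conversion, while the call just above it casts its argument with `(unsigned long)`. The macro's type comes from the library header, which is not visible here, so `(unsigned long)LIBRESSL_VERSION_NUMBER` would keep the two calls consistent and the conversion well-defined. In the nested LibreSSL `case`, the pattern `300*` appears to reject every 3.0.x release rather than only 3.0.0 (assuming the usual hex layout of major, then minor digits), which agrees with the error message but not with the comment; `2*|300*) # 2.x, 3.0.x` would be accurate. The shell patterns in this hunk and the `3000004*` check for CVE-2022-2274 in the third hunk depend on the hex version number being the first field of conftest.ssllibver and the ` libressl-` suffix coming last. A one-line comment above the first `fprintf` stating that layout would protect these version gates from a later format change.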