1 dnl sxe-crypto.m4 -- Cryptographical stuff
dnl SXE_PATH_OPENSSL_BIN
dnl Looks up an openssl executable on PATH.
dnl Sets have_openssl_bin to yes or no, and OPENSSL_BIN to the full path of
dnl the program, or to the word echo when no program is found.
dnl NOTE(review): this picks whichever openssl comes first on PATH. Nothing in
dnl this macro ties that binary to the libssl and libcrypto linked later.
6 AC_DEFUN([SXE_PATH_OPENSSL_BIN], [dnl
7 AC_CHECK_PROG([have_openssl_bin], [openssl], [yes], [no])
8 AC_PATH_PROG([OPENSSL_BIN], [openssl], [echo])
9 ])dnl SXE_PATH_OPENSSL_BIN
dnl SXE_OPENSSL_VERSION
dnl Records the output of the openssl command line tool in OPENSSL_VERSION and
dnl compares it against a list of accepted release patterns. The verdict is
dnl reported through OPENSSL_SANE_P. The lines that assign OPENSSL_SANE_P and
dnl close the if and for constructs are not part of this listing.
11 AC_DEFUN([SXE_OPENSSL_VERSION], [dnl
12 ## assumes SXE_PATH_OPENSSL_BIN has been run already
13 AC_MSG_CHECKING([for openssl version])
14 if test "$have_openssl_bin" = "yes"; then
dnl The version string comes from the command line tool, not from the headers
dnl or the library, so it says nothing certain about the libcrypto that the
dnl later checks link against. NOTE(review): consider also testing
dnl OPENSSL_VERSION_NUMBER from the headers that are finally selected.
15 OPENSSL_VERSION=`$OPENSSL_BIN version`
17 OPENSSL_VERSION="unknown"
19 AC_MSG_RESULT([$OPENSSL_VERSION])
21 AC_MSG_CHECKING([whether OpenSSL version is recent enough])
22 ## we allow 0.9.8z*, 1.0.0[n-z]*, 1.0.1[m-z]*, 1.0.2[d-z]*
23 ## As vulnerabilities are uncovered we should update this
dnl The doubled brackets are m4 quoting and leave one bracket expression per
dnl pattern in the generated script. Each pattern is handed to grep as an
dnl unanchored regular expression, so every dot matches any character and
dnl any text may precede or follow the match.
dnl NOTE(review): the list has no entry beyond the 1.0.2 series, so later
dnl release lines look like they would be rejected. Confirm this is intended.
24 allowed_versions="0.9.8z 1.0.0[[n-z]] 1.0.1[[m-z]] 1.0.2[[d-z]]"
26 for ver in $allowed_versions; do
27 if echo "$OPENSSL_VERSION" | ${GREP-grep} -q "$ver"; then
32 AC_MSG_RESULT([$OPENSSL_SANE_P])
33 ])dnl SXE_OPENSSL_VERSION
dnl SXE_TRY_OPENSSL_HISTORICAL_PREFIX
dnl Fallback that points the compiler and linker at /usr/local/ssl, repeats
dnl the crypto.h, x509.h, pem.h, ssl.h and bio.h header checks and the
dnl libcrypto check, and records the outcome in
dnl openssl_historical_prefix_worked. The else and fi lines of the final test
dnl are not part of this listing.
35 AC_DEFUN([SXE_TRY_OPENSSL_HISTORICAL_PREFIX], [dnl
36 ## ooh, maybe this historical trap to install at /usr/local/ssl
dnl NOTE(review): this hard-coded directory is trusted as a source of headers
dnl and libraries. On build hosts it should be writable by administrators
dnl only.
37 OPENSSL_CPPFLAGS="-I/usr/local/ssl/include"
38 OPENSSL_LDFLAGS="-L/usr/local/ssl/lib"
40 ## now append these candidates to our c_switch and ld_switch
dnl SXE_APPEND_UNDUP is defined outside this file section.
42 SXE_APPEND_UNDUP([$OPENSSL_CPPFLAGS], [CPPFLAGS])
43 SXE_APPEND_UNDUP([$OPENSSL_LDFLAGS], [LDFLAGS])
46 SXE_CHECK_HEADERS([openssl/crypto.h])
47 SXE_CHECK_HEADERS([openssl/x509.h openssl/pem.h])
48 SXE_CHECK_HEADERS([openssl/ssl.h openssl/bio.h])
49 AC_CHECK_LIB([crypto], [OPENSSL_cleanse],
50 [have_libcrypto=yes], [have_libcrypto=no])
dnl Only crypto.h and libcrypto decide the result here. libssl is not
dnl re-checked in this macro.
54 if test "$ac_cv_header_openssl_crypto_h $have_libcrypto" != "yes yes"; then
57 openssl_historical_prefix_worked="no"
59 openssl_historical_prefix_worked="yes"
61 ])dnl SXE_TRY_OPENSSL_HISTORICAL_PREFIX
dnl SXE_TRY_OPENSSL_BIN_PREFIX
dnl Fallback that derives an installation prefix from the location of the
dnl openssl program, adds its include and lib directories to the flags,
dnl repeats the header and library checks and records the outcome in
dnl openssl_bin_prefix_worked. The else and fi lines of the final test are not
dnl part of this listing.
63 AC_DEFUN([SXE_TRY_OPENSSL_BIN_PREFIX], [dnl
64 ## use the dirname of the openssl binary to determine the prefix of SSL
dnl NOTE(review): both dirname arguments are unquoted, so a path containing
dnl whitespace is split into several words. When no openssl program was
dnl found, OPENSSL_BIN holds the word echo and the derived prefix becomes the
dnl current directory.
65 openssl_bindir=`dirname $OPENSSL_BIN`
66 openssl_prefix_maybe=`dirname $openssl_bindir`
67 OPENSSL_CPPFLAGS="-I$openssl_prefix_maybe/include"
68 OPENSSL_LDFLAGS="-L$openssl_prefix_maybe/lib"
70 ## now append these candidates to our c_switch and ld_switch
72 SXE_APPEND_UNDUP([$OPENSSL_CPPFLAGS], [CPPFLAGS])
73 SXE_APPEND_UNDUP([$OPENSSL_LDFLAGS], [LDFLAGS])
76 SXE_CHECK_HEADERS([openssl/opensslconf.h])
77 SXE_CHECK_HEADERS([openssl/evp.h])
78 SXE_CHECK_HEADERS([openssl/rand.h openssl/hmac.h])
79 SXE_CHECK_HEADERS([openssl/rsa.h openssl/dsa.h])
80 SXE_CHECK_HEADERS([openssl/ec.h openssl/ecdh.h])
81 SXE_CHECK_HEADERS([openssl/ecdsa.h openssl/dh.h])
82 SXE_CHECK_HEADERS([openssl/crypto.h])
83 SXE_CHECK_HEADERS([openssl/x509.h openssl/pem.h])
84 SXE_CHECK_HEADERS([openssl/ssl.h openssl/bio.h])
85 AC_CHECK_LIB([ssl], [SSL_connect],
86 [have_libssl=yes], [have_libssl=no])
87 AC_CHECK_LIB([crypto], [OPENSSL_cleanse],
88 [have_libcrypto=yes], [have_libcrypto=no])
dnl NOTE(review): the left operand below ends in a space after $have_libssl
dnl and the right operand does not, so the two strings can never be equal and
dnl the first branch is always taken. From the visible lines that looks like
dnl the failure path. Confirm and remove the stray space.
92 if test "$ac_cv_header_openssl_crypto_h $have_libcrypto $have_libssl " != "yes yes yes"; then
95 openssl_bin_prefix_worked="no"
97 openssl_bin_prefix_worked="yes"
99 ])dnl SXE_TRY_OPENSSL_BIN_PREFIX
dnl SXE_CHECK_OPENSSL_LOCS
dnl Locates the OpenSSL headers and libraries. The default search path is
dnl tried first. If crypto.h, libcrypto or libssl is missing, the prefix of
dnl the openssl program is tried, and after that /usr/local/ssl. Sets
dnl OPENSSL_LIBS, have_libcrypto and have_libssl. The else and fi lines are
dnl not part of this listing.
101 AC_DEFUN([SXE_CHECK_OPENSSL_LOCS], [dnl
102 ## defines OPENSSL_CPPFLAGS and OPENSSL_LDFLAGS if needed
104 dnl Look for these standard header file locations
105 OPENSSL_LIBS="-lssl -lcrypto"
106 SXE_CHECK_HEADERS([openssl/opensslconf.h])
107 SXE_CHECK_HEADERS([openssl/evp.h])
108 SXE_CHECK_HEADERS([openssl/rand.h openssl/hmac.h])
109 SXE_CHECK_HEADERS([openssl/rsa.h openssl/dsa.h])
110 SXE_CHECK_HEADERS([openssl/ec.h openssl/ecdh.h])
111 SXE_CHECK_HEADERS([openssl/ecdsa.h openssl/dh.h])
112 SXE_CHECK_HEADERS([openssl/crypto.h])
113 SXE_CHECK_HEADERS([openssl/x509.h openssl/pem.h])
114 SXE_CHECK_HEADERS([openssl/ssl.h openssl/bio.h])
115 AC_CHECK_LIB([crypto], [OPENSSL_cleanse],
116 [have_libcrypto=yes], [have_libcrypto=no])
117 AC_CHECK_LIB([ssl], [SSL_connect],
118 [have_libssl=yes], [have_libssl=no])
119 if test "$ac_cv_header_openssl_crypto_h $have_libcrypto $have_libssl" != "yes yes yes"; then
dnl The cached results are dropped so that the retry really probes again.
dnl NOTE(review): only the crypto.h and OPENSSL_cleanse results are dropped.
dnl The cached SSL_connect result and the other header results are kept, so a
dnl retry presumably reuses them. Confirm whether they should be unset too.
121 unset ac_cv_header_openssl_crypto_h
122 unset ac_cv_lib_crypto_OPENSSL_cleanse
123 SXE_TRY_OPENSSL_BIN_PREFIX
124 if test "$openssl_bin_prefix_worked" != "yes"; then
126 unset ac_cv_header_openssl_crypto_h
127 unset ac_cv_lib_crypto_OPENSSL_cleanse
128 SXE_TRY_OPENSSL_HISTORICAL_PREFIX
131 ## the location was known already, nothing to do now
134 ])dnl SXE_CHECK_OPENSSL_LOCS
dnl SXE_CHECK_OPENSSL_FEATURES
dnl Probes libcrypto for the RSA, DSA, ECDSA, ECDH, EC and DH entry points and
dnl defines the matching OPENSSL_NO_ macro for each one that is missing. Then
dnl checks that the SSL, SSL_METHOD, SSL_CTX, BIO, X509 and EVP_PKEY types are
dnl declared, and defines OPENSSL_SSL when libssl provides SSL_new. The fi
dnl lines, the endif lines of the include snippets and lines 234 to 241 are
dnl not part of this listing.
136 AC_DEFUN([SXE_CHECK_OPENSSL_FEATURES], [dnl
137 dnl test for some special purpose stuff in libcrypto
dnl Each check stores yes in an openssl_no_ variable when the symbol is
dnl absent, so the sense is inverted relative to the usual have_ variables.
138 AC_CHECK_LIB([crypto], [RSA_new], [openssl_no_rsa=no], [openssl_no_rsa=yes])
139 AC_CHECK_LIB([crypto], [DSA_new], [openssl_no_dsa=no], [openssl_no_dsa=yes])
140 AC_CHECK_LIB([crypto], [ECDSA_SIG_new], [openssl_no_ecdsa=no],
141 [openssl_no_ecdsa=yes])
142 AC_CHECK_LIB([crypto], [ECDH_OpenSSL], [openssl_no_ecdh=no],
143 [openssl_no_ecdh=yes])
144 AC_CHECK_LIB([crypto], [EC_KEY_new], [openssl_no_ec=no], [openssl_no_ec=yes])
145 AC_CHECK_LIB([crypto], [DH_new], [openssl_no_dh=no], [openssl_no_dh=yes])
dnl NOTE(review): every AC_DEFINE below still carries a placeholder
dnl description, which is what ends up in the generated config header.
146 if test "$openssl_no_rsa" = "yes"; then
147 AC_DEFINE([OPENSSL_NO_RSA], [1], [Description here!])
149 if test "$openssl_no_dsa" = "yes"; then
150 AC_DEFINE([OPENSSL_NO_DSA], [1], [Description here!])
152 if test "$openssl_no_ecdsa" = "yes"; then
153 AC_DEFINE([OPENSSL_NO_ECDSA], [1], [Description here!])
155 if test "$openssl_no_ecdh" = "yes"; then
156 AC_DEFINE([OPENSSL_NO_ECDH], [1], [Description here!])
158 if test "$openssl_no_ec" = "yes"; then
159 AC_DEFINE([OPENSSL_NO_EC], [1], [Description here!])
161 if test "$openssl_no_dh" = "yes"; then
162 AC_DEFINE([OPENSSL_NO_DH], [1], [Description here!])
dnl The type checks pass a colon as both actions. Their results are read
dnl from the ac_cv_type_ variables in the test further down. The fourth
dnl argument lists the headers to include, each guarded by its HAVE_ macro.
165 AC_CHECK_TYPES([SSL], [:], [:], [
166 #if defined HAVE_OPENSSL_OPENSSLCONF_H
167 # include <openssl/opensslconf.h>
169 #if defined HAVE_OPENSSL_SSL_H
170 # include <openssl/ssl.h>
173 AC_CHECK_TYPES([SSL_METHOD], [:], [:], [
174 #if defined HAVE_OPENSSL_OPENSSLCONF_H
175 # include <openssl/opensslconf.h>
177 #if defined HAVE_OPENSSL_SSL_H
178 # include <openssl/ssl.h>
181 AC_CHECK_TYPES([SSL_CTX], [:], [:], [
182 #if defined HAVE_OPENSSL_OPENSSLCONF_H
183 # include <openssl/opensslconf.h>
185 #if defined HAVE_OPENSSL_SSL_H
186 # include <openssl/ssl.h>
189 AC_CHECK_TYPES([BIO], [:], [:], [
190 #if defined HAVE_OPENSSL_OPENSSLCONF_H
191 # include <openssl/opensslconf.h>
193 #if defined HAVE_OPENSSL_SSL_H
194 # include <openssl/ssl.h>
196 #if defined HAVE_OPENSSL_BIO_H
197 # include <openssl/bio.h>
200 AC_CHECK_TYPES([X509], [:], [:], [
201 #if defined HAVE_OPENSSL_OPENSSLCONF_H
202 # include <openssl/opensslconf.h>
204 #if defined HAVE_OPENSSL_SSL_H
205 # include <openssl/ssl.h>
207 #if defined HAVE_OPENSSL_X509_H
208 # include <openssl/x509.h>
211 AC_CHECK_TYPES([EVP_PKEY], [:], [:], [
212 #if defined HAVE_OPENSSL_OPENSSLCONF_H
213 # include <openssl/opensslconf.h>
215 #if defined HAVE_OPENSSL_EVP_H
216 # include <openssl/evp.h>
218 #if defined HAVE_OPENSSL_SSL_H
219 # include <openssl/ssl.h>
221 #if defined HAVE_OPENSSL_X509_H
222 # include <openssl/x509.h>
225 dnl check for libssl support
226 AC_CHECK_LIB([ssl], [SSL_new], [openssl_ssl=yes], [openssl_ssl=no])
227 AC_MSG_CHECKING([for openssl types sufficent])
dnl All six types must be present. The leading x on both sides keeps test
dnl from misreading an empty or dash-prefixed value.
228 if test "x$ac_cv_type_EVP_PKEY" = xyes -a \
229 "x$ac_cv_type_X509" = xyes -a \
230 "x$ac_cv_type_BIO" = xyes -a \
231 "x$ac_cv_type_SSL" = xyes -a \
232 "x$ac_cv_type_SSL_METHOD" = xyes -a \
233 "x$ac_cv_type_SSL_CTX" = xyes; then
235 if test "$openssl_ssl" = "yes"; then
236 AC_DEFINE([OPENSSL_SSL], [1], [Description here!])
242 ])dnl SXE_CHECK_OPENSSL_FEATURES
dnl SXE_CHECK_OPENSSL_FUNCS
dnl Appends the OpenSSL flags to LDFLAGS, CPPFLAGS and LIBS, probes a list of
dnl libcrypto and libssl functions, and defines HAVE_ macros for the protocol
dnl method constructors and for ssl_verify_cert_chain. Line 249, which opens
dnl the macro call that receives the function list, and the fi lines are not
dnl part of this listing. Any restore of the three flag variables is likewise
dnl not visible here.
244 AC_DEFUN([SXE_CHECK_OPENSSL_FUNCS], [dnl
246 LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
247 CPPFLAGS="$CPPFLAGS $OPENSSL_CPPFLAGS"
248 LIBS="$LIBS $OPENSSL_LIBS"
dnl Function list. Each trailing dnl joins the next line onto this one, so
dnl the call receives one whitespace-separated list.
250 OpenSSL_add_all_digests OpenSSL_add_all_ciphers dnl
251 RAND_bytes RAND_query_egd_bytes RAND_status dnl
252 EVP_cleanup EVP_MD_CTX_init EVP_DigestInit_ex dnl
253 EVP_DigestUpdate EVP_DigestFinal_ex EVP_MD_CTX_cleanup dnl
254 HMAC_CTX_init HMAC_Init HMAC_Update HMAC_Final HMAC_CTX_cleanup dnl
255 EVP_BytesToKey EVP_CIPHER_CTX_init EVP_EncryptInit dnl
256 EVP_EncryptUpdate EVP_EncryptFinal EVP_DecryptInit dnl
257 EVP_DecryptUpdate EVP_DecryptFinal EVP_CIPHER_CTX_cleanup dnl
258 EVP_PKEY_new RSA_generate_key DSA_generate_parameters dnl
259 DSA_generate_key EC_get_builtin_curves dnl
260 EC_KEY_new_by_curve_name EC_KEY_generate_key dnl
261 EC_KEY_set_private_key EC_KEY_dup dnl
262 EVP_SealInit EVP_SealFinal EVP_OpenInit EVP_OpenFinal dnl
263 EVP_SignFinal EVP_VerifyFinal dnl
264 PEM_read_X509 PEM_read_PUBKEY PEM_read_PrivateKey dnl
265 PEM_write_PUBKEY PEM_write_PKCS8PrivateKey dnl
266 BIO_new BIO_free BIO_printf BIO_dump BIO_get_callback_arg dnl
267 BIO_set_callback BIO_set_callback_arg BIO_read dnl
268 SSL_library_init SSL_load_error_strings dnl
dnl NOTE(review): the newest protocol method probed is TLSv1. SSLv2 and SSLv3
dnl are obsolete and insecure, so code that consumes the HAVE_SSLV2 and
dnl HAVE_SSLV3 macros defined below should not offer those protocols by
dnl default.
269 SSLv2_client_method SSLv3_client_method dnl
270 SSLv23_client_method TLSv1_client_method dnl
271 SSLv2_server_method SSLv3_server_method dnl
272 SSLv23_server_method TLSv1_server_method dnl
273 SSL_CTX_new SSL_CTX_free SSL_CTX_add_client_CA dnl
274 SSL_CTX_load_verify_locations SSL_CTX_use_certificate dnl
275 SSL_CTX_use_PrivateKey SSL_CTX_check_private_key dnl
276 SSL_CTX_use_certificate_file SSL_CTX_use_PrivateKey_file dnl
277 SSL_do_handshake SSL_get_error ssl_verify_cert_chain dnl
278 SSL_get_peer_cert_chain SSL_pending SSL_get_certificate dnl
279 SSL_get_peer_certificate X509_verify_cert_error_string dnl
280 SSL_get_verify_result SSL_get_current_cipher SSL_CIPHER_get_bits])
dnl NOTE(review): the tests below read variables named ac_ plus the function
dnl name. The standard function check stores its result under ac_cv_func_
dnl plus the name, so these variables are presumably set by the macro on the
dnl line that is not shown. Verify, otherwise none of these defines fire.
281 if test x"$ac_TLSv1_client_method" = xyes; then
282 AC_DEFINE([HAVE_TLSV1_CLIENT_METHOD], 1, [TLSv1 client methods available])
284 if test x"$ac_SSLv2_client_method" = xyes; then
285 AC_DEFINE([HAVE_SSLV2_CLIENT_METHOD], 1, [SSLv2 client methods available])
287 if test x"$ac_SSLv3_client_method" = xyes; then
288 AC_DEFINE([HAVE_SSLV3_CLIENT_METHOD], 1, [SSLv3 client methods available])
290 if test x"$ac_SSLv23_client_method" = xyes; then
291 AC_DEFINE([HAVE_SSLV23_CLIENT_METHOD], 1, [SSLv23 client methods available])
293 if test x"$ac_TLSv1_server_method" = xyes; then
294 AC_DEFINE([HAVE_TLSV1_SERVER_METHOD], 1, [TLSv1 server methods available])
296 if test x"$ac_SSLv2_server_method" = xyes; then
297 AC_DEFINE([HAVE_SSLV2_SERVER_METHOD], 1, [SSLv2 server methods available])
299 if test x"$ac_SSLv3_server_method" = xyes; then
300 AC_DEFINE([HAVE_SSLV3_SERVER_METHOD], 1, [SSLv3 server methods available])
302 if test x"$ac_SSLv23_server_method" = xyes; then
303 AC_DEFINE([HAVE_SSLV23_SERVER_METHOD], 1, [SSLv23 server methods available])
305 if test x"$ac_ssl_verify_cert_chain" = xyes; then
306 AC_DEFINE([HAVE_SSL_VERIFY_CERT_CHAIN], 1, [ssl_verify_cert_chain available])
309 ])dnl SXE_CHECK_OPENSSL_FUNCS
dnl SXE_CHECK_OPENSSL
dnl Entry point for OpenSSL detection. When OPENSSL_SANE_P is yes it locates
dnl the headers and libraries, and when both libssl and libcrypto were found
dnl it runs the feature and function checks. Lines 313 to 317, which
dnl presumably call the macros that set OPENSSL_VERSION and OPENSSL_SANE_P,
dnl and the closing fi lines are not part of this listing.
311 AC_DEFUN([SXE_CHECK_OPENSSL], [dnl
312 AC_MSG_CHECKING([for OpenSSL])
316 dnl defines OPENSSL_VERSION and OPENSSL_SANE_P
dnl NOTE(review): OPENSSL_SANE_P reflects the version printed by the openssl
dnl program only, while the library that gets linked is found separately by
dnl SXE_CHECK_OPENSSL_LOCS. A mismatch between the two passes this gate.
318 if test "$OPENSSL_SANE_P" = "yes"; then
319 SXE_CHECK_OPENSSL_LOCS
320 if test "$have_libssl $have_libcrypto" = "yes yes"; then
322 SXE_CHECK_OPENSSL_FEATURES
323 SXE_CHECK_OPENSSL_FUNCS
326 ])dnl SXE_CHECK_OPENSSL
329 dnl Kerberos detection
330 dnl ==================
dnl SXE_CHECK_KERBEROS
dnl Cached check for Kerberos support of any version. Defines HAVE_KERBEROS5
dnl and HAVE_KERBEROS according to the result. The two arguments are pushed as
dnl ACTION_IF_FOUND and ACTION_IF_NOT_FOUND. The lines that would expand them,
dnl and the fi and else lines, are not part of this listing.
332 AC_DEFUN([SXE_CHECK_KERBEROS], [dnl
333 ## defines sxe_cv_feat_kerberos
334 ## call like this SXE_CHECK_KERBEROS([<if-found>], [<if-not-found>])
335 pushdef([ACTION_IF_FOUND], [$1])
336 pushdef([ACTION_IF_NOT_FOUND], [$2])
dnl NOTE(review): the check body also sets KERBEROS_LIBS. When the result is
dnl taken from the configure cache the body is skipped, so KERBEROS_LIBS
dnl presumably stays unset on cached runs. Verify.
338 AC_CACHE_CHECK([for kerberos support],
339 [sxe_cv_feat_kerberos], [_SXE_CHECK_KERBEROS])
341 if test "$sxe_cv_feat_kerberos5" = "yes"; then
342 AC_DEFINE([HAVE_KERBEROS5], [1],
343 [Whether kerberos5 support is available!])
345 if test "$sxe_cv_feat_kerberos" = "yes"; then
347 AC_DEFINE([HAVE_KERBEROS], [1],
348 [Whether kerberos support is available!])
355 popdef([ACTION_IF_FOUND])
356 popdef([ACTION_IF_NOT_FOUND])
357 ])dnl SXE_CHECK_KERBEROS
dnl SXE_CHECK_KERBEROS5
dnl Cached check for Kerberos 5 support. It runs the same check body as
dnl SXE_CHECK_KERBEROS but caches the result under sxe_cv_feat_kerberos5, and
dnl defines HAVE_KERBEROS5 when that is yes. The lines that would expand the
dnl two action arguments, and the fi and else lines, are not part of this
dnl listing.
359 AC_DEFUN([SXE_CHECK_KERBEROS5], [dnl
360 ## defines sxe_cv_feat_kerberos5
361 ## call like this SXE_CHECK_KERBEROS5([<if-found>], [<if-not-found>])
362 pushdef([ACTION_IF_FOUND], [$1])
363 pushdef([ACTION_IF_NOT_FOUND], [$2])
365 AC_CACHE_CHECK([for kerberos5 support],
366 [sxe_cv_feat_kerberos5], [_SXE_CHECK_KERBEROS])
368 if test "$sxe_cv_feat_kerberos5" = "yes"; then
370 AC_DEFINE([HAVE_KERBEROS5], [1],
371 [Whether kerberos5 support is available!])
378 popdef([ACTION_IF_FOUND])
379 popdef([ACTION_IF_NOT_FOUND])
380 ])dnl SXE_CHECK_KERBEROS5
dnl _SXE_CHECK_KERBEROS
dnl Shared check body. It combines the header and library results into
dnl sxe_cv_feat_kerberos, sxe_cv_feat_kerberos5 and KERBEROS_LIBS. The else
dnl and fi lines are not part of this listing.
382 AC_DEFUN([_SXE_CHECK_KERBEROS], [dnl
383 AC_REQUIRE([SXE_CHECK_KERBEROS_HEADERS])
384 AC_REQUIRE([SXE_CHECK_KERBEROS_LIBS])
dnl In test the -a operator binds tighter than -o, so each condition reads
dnl as one header and its library, or another header and the same library.
dnl First choice is Kerberos 5: krb5/krb5.h or krb5.h, plus krb5_sendauth in
dnl libkrb5.
386 if test "$ac_cv_header_krb5_krb5_h" = "yes" -a \
387 "$ac_cv_lib_krb5_krb5_sendauth" = "yes" -o \
388 "$ac_cv_header_krb5_h" = "yes" -a \
389 "$ac_cv_lib_krb5_krb5_sendauth" = "yes"; then
390 sxe_cv_feat_kerberos="yes"
391 sxe_cv_feat_kerberos5="yes"
392 KERBEROS_LIBS="-lkrb5"
dnl Second and third choice use libkrb with the krb.h family of headers.
dnl NOTE(review): the kerberosIV header name suggests this is the legacy
dnl Kerberos 4 interface, which depends on single DES. Decide whether it
dnl should still be enabled automatically.
393 elif test "$ac_cv_header_krb_krb_h" = "yes" -a \
394 "$ac_cv_lib_krb_krb_sendauth" = "yes" -o \
395 "$ac_cv_header_krb_h" = "yes" -a \
396 "$ac_cv_lib_krb_krb_sendauth" = "yes"; then
397 sxe_cv_feat_kerberos="yes"
398 sxe_cv_feat_kerberos5="no"
399 KERBEROS_LIBS="-lkrb"
400 elif test "$ac_cv_header_kerberos_krb_h" = "yes" -a \
401 "$ac_cv_lib_krb_krb_sendauth" = "yes" -o \
402 "$ac_cv_header_kerberosIV_krb_h" = "yes" -a \
403 "$ac_cv_lib_krb_krb_sendauth" = "yes"; then
404 sxe_cv_feat_kerberos="yes"
405 sxe_cv_feat_kerberos5="no"
406 KERBEROS_LIBS="-lkrb"
408 sxe_cv_feat_kerberos="no"
409 sxe_cv_feat_kerberos5="no"
412 ])dnl _SXE_CHECK_KERBEROS
dnl SXE_CHECK_KERBEROS_HEADERS
dnl Probes the header names under which the Kerberos, DES and com_err
dnl interfaces may be installed. The results land in the ac_cv_header_
dnl variables that _SXE_CHECK_KERBEROS reads.
414 AC_DEFUN([SXE_CHECK_KERBEROS_HEADERS], [dnl
415 AC_CHECK_HEADERS([des.h krb.h krb/krb.h])
416 AC_CHECK_HEADERS([kerberos/krb.h kerberosIV/krb.h])
417 AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
418 AC_CHECK_HEADERS([com_err.h krb/com_err.h kerberosIV/krb_err.h])
419 ])dnl SXE_CHECK_KERBEROS_HEADERS
dnl SXE_CHECK_KERBEROS_LIBS
dnl Probes libkrb for krb_sendauth and libkrb5 for krb5_sendauth. The colon
dnl given as the found action replaces the default action, so LIBS is left
dnl unchanged and only the ac_cv_lib_ cache variables carry the result.
421 AC_DEFUN([SXE_CHECK_KERBEROS_LIBS], [dnl
422 AC_CHECK_LIB([krb], [krb_sendauth], [:])
423 AC_CHECK_LIB([krb5], [krb5_sendauth], [:])
424 ])dnl SXE_CHECK_KERBEROS_LIBS
426 dnl sxe-crypto.m4 ends here