From: Landon Fuller Date: Thu, 24 May 2007 16:45:05 +0000 (+0000) Subject: Add detection of 'export-limited' openssl as shipped in Solaris X-Git-Tag: Release-7.0.0~6252 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=99743617dcd46d75768906c83e32b565c195aab8;p=bacula%2Fbacula Add detection of 'export-limited' openssl as shipped in Solaris git-svn-id: https://bacula.svn.sourceforge.net/svnroot/bacula/trunk@4893 91ce42f0-d328-0410-95d8-f526ca767f89 --- diff --git a/bacula/autoconf/config.h.in b/bacula/autoconf/config.h.in index d29d9229fa..e860477e18 100644 --- a/bacula/autoconf/config.h.in +++ b/bacula/autoconf/config.h.in @@ -229,6 +229,9 @@ /* Define if OPENSSL is available */ #undef HAVE_OPENSSL +/* Define if the OpenSSL library is export-constrained to 128bit ciphers */ +#undef HAVE_OPENSSL_EXPORT_LIBRARY + /* Define if comm encryption should be enabled */ #undef HAVE_TLS diff --git a/bacula/autoconf/configure.in b/bacula/autoconf/configure.in index 2d71fcc244..700d464468 100644 --- a/bacula/autoconf/configure.in +++ b/bacula/autoconf/configure.in @@ -830,6 +830,16 @@ if test "x$with_openssl_directory" != "x"; then [ ac_cv_openssl_sha2="no" ] ) + # Solaris disables greater than 128+ bit encryption in their OpenSSL + # implementation, presumably for export reasons. If 192bit AES + # is available, we assume that we're running with a 'non-export' + # openssl library. + AC_TRY_LINK([ #include ], + [ EVP_aes_192_cbc(); ], + [ ac_cv_openssl_export="no" ], + [ ac_cv_openssl_export="yes" ] + ) + LIBS="${saved_LIBS}" CFLAGS="${saved_CFLAGS}" @@ -842,6 +852,10 @@ if test "x$with_openssl_directory" != "x"; then if test "$ac_cv_openssl_sha2" = "yes"; then AC_DEFINE(HAVE_SHA2, 1, [Define if the SHA-2 family of digest algorithms is available]) fi + + if test "$ac_cv_openssl_export" = "yes"; then + AC_DEFINE(HAVE_OPENSSL_EXPORT_LIBRARY, 1, [Define if the OpenSSL library is export-contrained to 128bit ciphers]) + fi else support_tls="no" support_crypto="no" 
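Review bot: The failure branch of the added `AC_TRY_LINK` sets `ac_cv_openssl_export="yes"` for any link error, not only for a missing `EVP_aes_192_cbc`. An unrelated problem with the `LIBS`/`CFLAGS` in effect at that point would therefore be read as an export-limited library and quietly drop the ciphers stronger than 128 bits from the build. The probe also reports nothing: the generated `configure` hunk shows no "checking" message for it. I would put `AC_MSG_CHECKING([for export-limited OpenSSL])` before the test and `AC_MSG_RESULT([$ac_cv_openssl_export])` after it, and consider an `AC_MSG_WARN` when the result is yes so the reduced cipher set is visible in the configure output. The comment's "greater than 128+ bit" would read better as "stronger than 128-bit".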
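Review bot: The description string in the added `AC_DEFINE` is spelled "export-contrained", while the `config.h.in` hunk in this same commit has "export-constrained". If the header template is regenerated from `configure.in`, the typo would presumably replace the correct text. Change the third argument to `[Define if the OpenSSL library is export-constrained to 128bit ciphers]`. The enclosing `if test "x$with_openssl_directory" != "x"` block starts and ends outside the hunk.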
diff --git a/bacula/configure b/bacula/configure
index 57c3e9b210..02c42ea61d 100755
--- a/bacula/configure
+++ b/bacula/configure
@@ -18089,6 +18089,71 @@ sed 's/^/| /' conftest.$ac_ext >&5 fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + # Solaris disables greater than 128+ bit encryption in their OpenSSL + # implementation, presumably for export reasons. If 192bit AES + # is available, we assume that we're running with a 'non-export' + # openssl library. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + #include +int +main () +{ + EVP_aes_192_cbc(); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_openssl_export="no" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_openssl_export="yes" + +fi + rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext 
@@ -18117,6 +18182,14 @@ _ACEOF cat >>confdefs.h <<\_ACEOF #define HAVE_SHA2 1 +_ACEOF + + fi + + if test "$ac_cv_openssl_export" = "yes"; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_OPENSSL_EXPORT_LIBRARY 1 _ACEOF fi diff --git a/bacula/src/lib/crypto.c b/bacula/src/lib/crypto.c index ce1dd97daf..f6fa8847df 100644 --- a/bacula/src/lib/crypto.c +++ b/bacula/src/lib/crypto.c @@ -1002,7 +1002,7 @@ CRYPTO_SESSION *crypto_session_new (crypto_cipher_t cipher, alist *pubkeys) cs->cryptoData->contentEncryptionAlgorithm = OBJ_nid2obj(NID_aes_128_cbc); ec = EVP_aes_128_cbc(); break; -#ifdef HAVE_SHA2 +#ifndef HAVE_OPENSSL_EXPORT_LIBRARY case CRYPTO_CIPHER_AES_192_CBC: /* AES 192 bit CBC */ cs->cryptoData->contentEncryptionAlgorithm = OBJ_nid2obj(NID_aes_192_cbc);
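Review bot: With `#ifndef HAVE_OPENSSL_EXPORT_LIBRARY`, the `CRYPTO_CIPHER_AES_192_CBC` case is compiled out on an export-limited build, and the hunk does not show what `crypto_session_new` then does with that cipher value. The rest of the switch and the matching `#endif` are outside the hunk. A request for a compiled-out cipher should end in an explicit unsupported-cipher error rather than a silent fallback to a weaker one, so please confirm the default branch behaves that way. I would also add a comment above the guard, `/* Ciphers above 128 bits are unavailable when OpenSSL is export-limited (detected in configure.in) */`, and update the `#endif` comment if it still names `HAVE_SHA2`.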