Check if OpenSSL implementation supports DSA.
authorDarren Tucker <dtucker@dtucker.net>
Sat, 30 Mar 2024 07:20:16 +0000 (18:20 +1100)
committerDarren Tucker <dtucker@dtucker.net>
Sat, 30 Mar 2024 07:22:09 +0000 (18:22 +1100)
If --enable/disable-dsa-keys is not specified, set it based on what
OpenSSL supports.  If specified as enabled but not supported by OpenSSL,
error out.  ok djm@

configure.ac

index 081e2bc75bd3f54256f12e19e7b6a4b9b60a0cae..c04349f35f609fd89b261423f9b0acd85ccb1b1e 100644 (file)
@@ -2075,17 +2075,11 @@ AC_ARG_WITH([security-key-builtin],
        [ enable_sk_internal=$withval ]
 )
 
-disable_ecdsa=
+enable_dsa=
 AC_ARG_ENABLE([dsa-keys],
        [  --disable-dsa-keys      disable DSA key support [no]],
-       [
-               if test "x$enableval" = "xno" ; then
-                       disable_ecdsa=1
-               fi
-       ]
+       [  enable_dsa="$enableval" ]
 )
-test -z "$disable_ecdsa" &&
-    AC_DEFINE([WITH_DSA], [1], [Define if to enable DSA keys.])
 
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
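Review bot: The help string on the `AC_ARG_ENABLE([dsa-keys]` call still reads `--disable-dsa-keys      disable DSA key support [no]`, which no longer matches the behaviour. With this change an unspecified option means "follow what OpenSSL supports", and `--enable-dsa-keys` becomes a real request that can abort configure. I would reword the help to cover both directions, for example `[  --enable-dsa-keys       enable DSA key support [auto: on if OpenSSL supports it]]`. A one-line comment above `enable_dsa=` would also help, saying that an empty value means auto-detect and that `WITH_DSA` is now defined in the OpenSSL section rather than here.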
@@ -3196,6 +3190,35 @@ if test "x$openssl" = "xyes" ; then
                        AC_MSG_RESULT([no])
                ]
        )
+       openssl_dsa=no
+       if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
+               AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
+                       AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
+                           [ openssl_dsa=yes ],
+                           [ #include <openssl/opensslconf.h> ]
+                       )
+                   ],
+                   [ #include <openssl/opensslconf.h> ]
+               )
+               AC_MSG_CHECKING([whether to enable DSA key support])
+               if test -z "$enable_dsa"; then
+                       if test "x$openssl_dsa" = "xno"; then
+                               AC_MSG_RESULT([not supported by OpenSSL])
+                       else
+                               AC_MSG_RESULT([yes])
+                               AC_DEFINE([WITH_DSA], [1],
+                                  [DSA keys enabled by default])
+                       fi
+               else
+                       if test "x$openssl_dsa" = "xno"; then
+                               AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
+                       else
+                               AC_MSG_RESULT([yes])
+                               AC_DEFINE([WITH_DSA], [1],
+                                  [DSA keys explicitly enabled])
+                       fi
+               fi
+       fi
 fi
 
 # PKCS11/U2F depend on OpenSSL and dlopen().
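Review bot: Two outcomes of the added block leave no trace in the configure output. With `--disable-dsa-keys`, or any value other than `yes`, the outer `if` is skipped, so no "checking whether to enable DSA key support" line is printed. Judging by the hunk header, the block also sits inside `if test "x$openssl" = "xyes"`, so `--enable-dsa-keys` on a build without OpenSSL appears to be dropped silently rather than rejected. DSA is a legacy algorithm that packagers often need to confirm is compiled out, so I would add an `else` to the outer `if` containing `AC_MSG_CHECKING([whether to enable DSA key support])` and `AC_MSG_RESULT([no])`. The enclosing OpenSSL conditional starts outside this hunk, so the no-OpenSSL case should be confirmed against the full file.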