Only enable U2F if OpenSSL supports ECC.

This requires moving the U2F bits to below the OpenSSL parts so we have
the required information.  ok djm@

diff --git a/configure.ac b/configure.ac
index 4baaa62a8e78616d64b0e3f98e76137baa4e26b6..bc28d07481e7348c5d0d350c766407b2c2e75c35 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1909,44 +1909,10 @@ AC_ARG_ENABLE([security-key],
        ]
 )
 
-# PKCS11/U2F depend on OpenSSL and dlopen().
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
 AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
 
-enable_pkcs11=yes
-enable_sk=yes
-if test "x$openssl" != "xyes" ; then
-       enable_pkcs11="disabled; missing libcrypto"
-       enable_sk="disabled; missing libcrypto"
-fi
-if test "x$ac_cv_func_dlopen" != "xyes" ; then
-       enable_pkcs11="disabled; missing dlopen(3)"
-       enable_sk="disabled; missing dlopen(3)"
-fi
-if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
-       enable_pkcs11="disabled; missing RTLD_NOW"
-       enable_sk="disabled; missing RTLD_NOW"
-fi
-if test ! -z "$disable_pkcs11" ; then
-       enable_pkcs11="disabled by user"
-fi
-if test ! -z "$disable_sk" ; then
-       enable_sk="disabled by user"
-fi
-
-AC_MSG_CHECKING([whether to enable PKCS11])
-if test "x$enable_pkcs11" = "xyes" ; then
-       AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
-fi
-AC_MSG_RESULT([$enable_pkcs11])
-
-AC_MSG_CHECKING([whether to enable U2F])
-if test "x$enable_sk" = "xyes" ; then
-       AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
-fi
-AC_MSG_RESULT([$enable_sk])
-
 # IRIX has a const char return value for gai_strerror()
 AC_CHECK_FUNCS([gai_strerror], [
        AC_DEFINE([HAVE_GAI_STRERROR])
@@ -3015,6 +2981,9 @@ if test "x$openssl" = "xyes" ; then
            test x$enable_nistp521 = x1; then
                AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
                AC_CHECK_FUNCS([EC_KEY_METHOD_new])
+               openssl_ecc=yes
+       else
+               openssl_ecc=no
        fi
        if test x$enable_nistp256 = x1; then
                AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
@@ -3055,6 +3024,43 @@ else
        AC_CHECK_FUNCS([crypt])
 fi
 
+# PKCS11/U2F depend on OpenSSL and dlopen().
+enable_pkcs11=yes
+enable_sk=yes
+if test "x$openssl" != "xyes" ; then
+       enable_pkcs11="disabled; missing libcrypto"
+       enable_sk="disabled; missing libcrypto"
+fi
+if test "x$openssl_ecc" != "xyes" ; then
+       enable_sk="disabled; OpenSSL has no ECC support"
+fi
+if test "x$ac_cv_func_dlopen" != "xyes" ; then
+       enable_pkcs11="disabled; missing dlopen(3)"
+       enable_sk="disabled; missing dlopen(3)"
+fi
+if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
+       enable_pkcs11="disabled; missing RTLD_NOW"
+       enable_sk="disabled; missing RTLD_NOW"
+fi
+if test ! -z "$disable_pkcs11" ; then
+       enable_pkcs11="disabled by user"
+fi
+if test ! -z "$disable_sk" ; then
+       enable_sk="disabled by user"
+fi
+
+AC_MSG_CHECKING([whether to enable PKCS11])
+if test "x$enable_pkcs11" = "xyes" ; then
+       AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
+fi
+AC_MSG_RESULT([$enable_pkcs11])
+
+AC_MSG_CHECKING([whether to enable U2F])
+if test "x$enable_sk" = "xyes" ; then
+       AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
+fi
+AC_MSG_RESULT([$enable_sk])
+
 AC_CHECK_FUNCS([ \
        arc4random \
        arc4random_buf \