# see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] [--config=FILE] os/compiler[:flags]\n";
# Options:
#
# no-asm do not use assembler
# no-dso do not compile in any native shared-library methods. This
# will ensure that all methods just return NULL.
+# no-egd do not compile support for the entropy-gathering daemon APIs
# [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
# MD2_CHAR slags pentium pros
my $x86_gcc_opts="RC4_INDEX MD2_INT";
-#$bits1="SIXTEEN_BIT ";
-#$bits2="THIRTY_TWO_BIT ";
-my $bits1="THIRTY_TWO_BIT ";
-my $bits2="SIXTY_FOUR_BIT ";
-
# As for $BSDthreads. Idea is to maintain "collective" set of flags,
# which would cover all BSD flavors. -pthread applies to them all,
# but is treated differently. OpenBSD expands is as -D_POSIX_THREAD
my $perl;
my $fips=0;
+# Known TLS and DTLS protocols
+my @tls = qw(ssl3 tls1 tls1_1 tls1_2);
+my @dtls = qw(dtls1 dtls1_2);
+
# Explicitelly known options that are possible to disable. They can
# be regexps, and will be used like this: /^no-${option}$/
# For developers: keep it sorted alphabetically
"dynamic[-_]engine",
"ec",
"ec2m",
+ "ecdh",
+ "ecdsa",
"ec_nistp_64_gcc_128",
"engine",
"err", # Really???
"srtp",
"sse2",
"ssl",
- "ssl3",
- "ssl3-method",
"ssl-trace",
"static-engine",
"stdio",
"store",
"threads",
"tls",
- "tls1",
"unit-test",
"whirlpool",
"zlib",
"zlib-dynamic",
);
+foreach my $proto ((@tls, @dtls))
+ {
+ push(@disablables, $proto);
+ push(@disablables, "$proto-method");
+ }
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
my %disabled = ( # "what" => "comment" [or special keyword "experimental"]
"ec_nistp_64_gcc_128" => "default",
+ "egd" => "default",
"jpake" => "experimental",
"md2" => "default",
"rc5" => "default",
{
if (!($disabled{$1} eq "experimental"))
{
- if ($1 eq "ssl")
+ foreach my $proto ((@tls, @dtls))
{
- $disabled{"ssl3"} = "option(ssl)";
+ if ($1 eq "$proto-method")
+ {
+ $disabled{"$proto"} = "option($proto-method)";
+ last;
+ }
}
- elsif ($1 eq "tls")
+ if ($1 eq "dtls")
{
- $disabled{"tls1"} = "option(tls)"
+ foreach my $proto (@dtls)
+ {
+ $disabled{$proto} = "option(dtls)";
+ }
}
- elsif ($1 eq "ssl3-method")
+ elsif ($1 eq "ssl")
{
- $disabled{"ssl3-method"} = "option(ssl)";
+ # Last one of its kind
$disabled{"ssl3"} = "option(ssl)";
}
+ elsif ($1 eq "tls")
+ {
+ # XXX: Tests will fail if all SSL/TLS
+ # protocols are disabled.
+ foreach my $proto (@tls)
+ {
+ $disabled{$proto} = "option(tls)";
+ }
+ }
else
{
$disabled{$1} = "option";
$disabled{"ecdh"} = "forced";
}
-# SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
+# SSL 3.0 requires MD5 and SHA and either RSA or DSA+DH
if (defined($disabled{"md5"}) || defined($disabled{"sha"})
|| (defined($disabled{"rsa"})
- && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))))
+ && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))))
{
$disabled{"ssl3"} = "forced";
+ $disabled{"ssl"} = "forced";
+ }
+
+# (D)TLS 1.0 and TLS 1.1 require MD5 and SHA and either RSA or DSA+DH
+# or ECDSA + ECDH. (XXX: We don't support PSK-only builds).
+#
+if (defined($disabled{"md5"}) || defined($disabled{"sha"})
+ || (defined($disabled{"rsa"})
+ && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))
+ && (defined($disabled{"ecdsa"}) || defined($disabled{"ecdh"}))))
+ {
$disabled{"tls1"} = "forced";
+ $disabled{"dtls1"} = "forced";
+ $disabled{"tls1_1"} = "forced";
+ }
+
+# (D)TLS 1.2 requires either RSA or DSA+DH or ECDSA + ECDH
+# So if all are missing, we can't do either TLS or DTLS.
+# (XXX: We don't support PSK-only builds).
+#
+if (defined($disabled{"rsa"})
+ && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))
+ && (defined($disabled{"ecdsa"}) || defined($disabled{"ecdh"})))
+ {
+ $disabled{"tls"} = "forced";
+ $disabled{"dtls"} = "forced";
+ foreach my $proto ((@tls, @dtls))
+ {
+ $disabled{"$proto"} = "forced";
+ }
+ }
+
+
+# Avoid protocol support holes. Also disable all versions below N, if version
+# N is disabled while N+1 is enabled.
+#
+my $prev_disabled = 1;
+my $force_disable = 0;
+foreach my $proto (reverse(@tls))
+ {
+ if ($force_disable)
+ {
+ $disabled{$proto} = 1;
+ }
+ elsif (! defined($disabled{$proto}))
+ {
+ $prev_disabled = 0;
+ }
+ elsif (! $prev_disabled)
+ {
+ $force_disable = 1;
+ }
+ }
+my $prev_disabled = 1;
+my $force_disable = 0;
+foreach my $proto (reverse(@dtls))
+ {
+ if ($force_disable)
+ {
+ $disabled{$proto} = 1;
+ }
+ elsif (! defined($disabled{$proto}))
+ {
+ $prev_disabled = 0;
+ }
+ elsif (! $prev_disabled)
+ {
+ $force_disable = 1;
+ }
}
if (defined($disabled{"dgram"}))
{
- $disabled{"dtls"} = "forced";
- }
+ $disabled{"dtls"} = "forced";
+ $disabled{"dtls1"} = "forced";
+ $disabled{"dtls1_2"} = "forced";
+ }
if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
|| defined($disabled{"dh"}) || defined($disabled{"stdio"}))
# If we do not find debug-foo in the table, the target is set to foo,
# but only if the foo target has a noon-empty debug_cflags or debug_lflags
# attribute.
- if (!$table{$target} && ($table{$t}->{debug_cflags}
- || $table{$t}->{debug_lflags})) {
+ if (!$table{$target}) {
$target = $t;
}
}
-&usage if (!defined($table{$target})
- || $table{$target}->{template}
- || ($build_prefix eq "debug_"
- && $target !~ /^debug-/
- && !($table{$target}->{debug_cflags}
- || $table{$target}->{debug_lflags})));
+&usage if (!defined($table{$target}) || $table{$target}->{template});
if ($fips)
{
# linker only when --prefix is not /usr.
if ($target =~ /^BSD\-/)
{
- $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
+ $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
}
if ($sys_id ne "")
$sdirs = 0 unless /\\$/;
s/fips // if (/^DIRS=/ && !$fips);
s/engines // if (/^DIRS=/ && $disabled{"engine"});
- s/ccgost// if (/^ENGDIRS=/ && $disabled{"gost"});
s/^VERSION=.*/VERSION=$version/;
s/^MAJOR=.*/MAJOR=$major/;
s/^MINOR=.*/MINOR=$minor/;
}
if($IsMK1MF) {
open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h";
- printf OUT <<EOF;
+ printf OUT <<"EOF";
#ifndef MK1MF_BUILD
/* auto-generated by Configure for crypto/cversion.c:
* for Unix builds, crypto/Makefile.ssl generates functional definitions;
$v4=hex $4;
}
open (OUT,">ms/version32.rc") || die "Can't open ms/version32.rc";
- print OUT <<EOF;
+ print OUT <<"EOF";
#include <winver.h>
LANGUAGE 0x09,0x01
close(OUT);
}
-print <<EOF;
+print <<"EOF";
Configured for $target.
EOF
-print <<\EOF if (!$no_threads && !$threads);
+print <<"EOF" if (!$no_threads && !$threads);
The library could not be configured for supporting multi-threaded
applications as the compiler options required on this system are not known.
See file INSTALL for details if you need multi-threading.
EOF
-print <<\EOF if ($no_shared_warn);
+print <<"EOF" if ($no_shared_warn);
You gave the option 'shared', which is not supported on this platform, so
we will pretend you gave the option 'no-shared'. If you know how to implement
tried with a current version of OpenSSL).
EOF
-print <<EOF if ($warn_make_depend);
+print <<"EOF" if ($warn_make_depend);
*** Because of configuration changes, you MUST do the following before
*** building:
return if $table{$target}->{template};
if ($type eq "TABLE") {
- print <<EOF
+ print <<"EOF"
*** $target
\$cc = $table{$target}->{cc}