--- gvpe/configure.ac 2009/08/07 20:58:15 1.56 +++ gvpe/configure.ac 2022/10/06 03:25:53 1.68 @@ -1,10 +1,10 @@ dnl Process this file with autoconf to produce a configure script. -AC_PREREQ(2.59) -AC_INIT +AC_PREREQ([2.71]) +AC_INIT([gvpe],[3.1]) AC_CONFIG_SRCDIR([src/gvpe.C]) AC_CANONICAL_TARGET -AM_INIT_AUTOMAKE(gvpe, 2.22) +AM_INIT_AUTOMAKE AC_CONFIG_HEADERS([config.h]) AM_MAINTAINER_MODE @@ -48,9 +48,6 @@ #endif ]) -dnl Include the macros from the m4/ directory -AM_ACLOCAL_INCLUDE(m4) - AM_GNU_GETTEXT([external]) AM_GNU_GETTEXT_VERSION(0.11.5) @@ -184,7 +181,8 @@ AC_C_CONST AC_TYPE_PID_T AC_TYPE_SIZE_T -AC_HEADER_TIME +AC_CHECK_HEADERS_ONCE([sys/time.h]) + AC_STRUCT_TM AC_CACHE_CHECK([for socklen_t], ac_cv_type_socklen_t, @@ -206,13 +204,8 @@ AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1, [struct addrinfo available]) fi -dnl Checks for library functions. -AC_TYPE_SIGNAL - AC_LANG_PUSH(C) -AC_HEADER_STDC - dnl argl, could somebody catapult darwin into the 21st century??? AC_CHECK_FUNCS(asprintf daemon get_current_dir_name putenv select strerror strsignal strtol unsetenv mlockall) @@ -239,11 +232,23 @@ dnl These are defined in files in m4/ tinc_TUNTAP -tinc_OPENSSL -if test "x$openssl_include" != x; then - CXXFLAGS="$CXXFLAGS -I$openssl_include" +PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto >= 1]) + +AC_ARG_ENABLE(threads, + [AS_HELP_STRING(--enable-threads,try to use threads for long-running asynchronous operations (default enabled).)], + [try_threads=$enableval], + [try_threads=yes] +) + +if test "x$try_threads" = xyes; then + AC_CHECK_HEADER(pthread.h,[ + LIBS="$LIBS -lpthread" + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([#include ], [pthread_t id; pthread_create (&id, 0, 0, 0);])], + [AC_DEFINE_UNQUOTED(ENABLE_PTHREADS, 1, [POSIX thread support.])] + ) + ]) fi -dnl tinc_ZLIB AC_ARG_ENABLE(static-daemon, [AS_HELP_STRING(--enable-static-daemon,enable statically linked daemon.)], 
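Review bot: In the `--enable-threads` block, `LIBS="$LIBS -lpthread"` is appended as soon as `pthread.h` is found and stays in place even when the test that follows fails. That test is `AC_COMPILE_IFELSE`, which never links, so it cannot show that `pthread_create` resolves with `-lpthread`. Using `AC_LINK_IFELSE` and restoring a saved value on failure (`save_LIBS="$LIBS"` before the check, `LIBS="$save_LIBS"` in the failure branch) would keep `ENABLE_PTHREADS` and the link line consistent. The `#include` in the test program shows no header name on this page; that may only be a rendering loss, but it is worth confirming that the real file names `pthread.h` there. Separately, `libcrypto >= 1` accepts any 1.0.x libcrypto, so if the code depends on a newer API or on a still-maintained release, the floor should say so.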
@@ -316,28 +321,28 @@ ] ) -HMAC=12 +RSA=3072 +AC_ARG_ENABLE(rsa-length, + [AS_HELP_STRING(--enable-rsa-length=BITS,[ + use BITS rsa keys (default 3072). Allowed values are 2048-10240.])], + RSA=$enableval +) +AC_DEFINE_UNQUOTED(RSABITS, $RSA, [Size of RSA keys.]) + +HMACSIZE=12 AC_ARG_ENABLE(hmac-length, [AS_HELP_STRING(--enable-hmac-length=BYTES,[ use a hmac of length BYTES bytes (default 12). Allowed values are 4, 8, 12, 16.])], - HMAC=$enableval -) -AC_DEFINE_UNQUOTED(HMACLENGTH, $HMAC, [Size of HMAC in each packet in bytes.]) - -RAND=8 -AC_ARG_ENABLE(rand-length, - [AS_HELP_STRING(--enable-rand-length=BYTES, - [use BYTES bytes of extra randomness (default 8). Allowed values are 0, 4, 8.])], - RAND=$enableval + HMACSIZE=$enableval ) -AC_DEFINE_UNQUOTED(RAND_SIZE, $RAND, [Add this many bytes of randomness to each packet.]) +AC_DEFINE_UNQUOTED(HMACLENGTH, $HMACSIZE, [Size of HMAC in each packet in bytes.]) MTU=1500 AC_ARG_ENABLE(max-mtu, [AS_HELP_STRING(--enable-max-mtu=BYTES,enable mtu sizes upto BYTES bytes (default 1500). Use 9100 for jumbogram support.)], MTU=$enableval ) -AC_DEFINE_UNQUOTED(MAX_MTU, $MTU + 14, [Maximum MTU supported.]) +AC_DEFINE_UNQUOTED(MAX_MTU, ($MTU + 14), [Maximum MTU supported.]) COMPRESS=1 AC_ARG_ENABLE(compression, 
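Review bot: `--enable-rsa-length` copies `$enableval` straight into `RSABITS`, so the range given in its help text (2048-10240) is not enforced. `--enable-rsa-length=1024` would configure a weak key size, and `--disable-rsa-length` or a bare `--enable-rsa-length` would define `RSABITS` as `no` or `yes`. `--enable-hmac-length` in the same hunk has the same gap for its listed values 4, 8, 12, 16, and the visible part of the summary in a later hunk warns only when the HMAC size is below 12. Rejecting out-of-range values at configure time keeps a weakened build from being produced silently; a check like the one below, placed after the `AC_ARG_ENABLE` call, would do it.

```m4
RSA=3072
dnl … unchanged: AC_ARG_ENABLE(rsa-length, …) …
case "$RSA" in
  ''|*[[!0-9]]*)
    AC_MSG_ERROR([--enable-rsa-length expects a number of bits, got "$RSA"]) ;;
esac
if test "$RSA" -lt 2048 || test "$RSA" -gt 10240; then
  AC_MSG_ERROR([--enable-rsa-length must be between 2048 and 10240, got $RSA])
fi
AC_DEFINE_UNQUOTED(RSABITS, $RSA, [Size of RSA keys.])
```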
@@ -348,31 +353,43 @@ ) AC_DEFINE_UNQUOTED(ENABLE_COMPRESSION, $COMPRESS, [Enable compression support.]) -CIPHER=aes_128_cbc +CIPHER=aes_128_ctr AC_ARG_ENABLE(cipher, [AS_HELP_STRING(--enable-cipher=CIPHER,[ Select the symmetric cipher (default "aes-128"). - Must be one of "bf" (blowfish), "aes-128" (rijndael), "aes-192" or "aes-256".])], - if test "x$enableval" = xbf ; then CIPHER=bf_cbc ; fi - if test "x$enableval" = xaes-128; then CIPHER=aes_128_cbc; fi - if test "x$enableval" = xaes-192; then CIPHER=aes_192_cbc; fi - if test "x$enableval" = xaes-256; then CIPHER=aes_256_cbc; fi + Must be one of "aes-128" (rijndael), "aes-192", or "aes-256".])], + #if test "x$enableval" = xbf ; then CIPHER=bf_ctr ; fi + if test "x$enableval" = xaes-128 ; then CIPHER=aes_128_ctr ; fi + if test "x$enableval" = xaes-192 ; then CIPHER=aes_192_ctr ; fi + if test "x$enableval" = xaes-256 ; then CIPHER=aes_256_ctr ; fi + #if test "x$enableval" = xcamellia-128; then CIPHER=camellia_128_ctr; fi + #if test "x$enableval" = xcamellia-256; then CIPHER=camellia_256_ctr; fi ) AC_DEFINE_UNQUOTED(ENABLE_CIPHER, EVP_${CIPHER}, [Select the symmetric cipher to use.]) -DIGEST=ripemd160 -AC_ARG_ENABLE(digest, - [AS_HELP_STRING(--enable-digest=CIPHER,[ - Select the digest algorithm to use (default "ripemd160"). Must be one of - "sha512", "sha256", "sha1" (somewhat insecure), "ripemd160", "md5" (insecure) or "md4" (insecure).])], - if test "x$enableval" = xsha512 ; then DIGEST=sha512 ; fi - if test "x$enableval" = xsha256 ; then DIGEST=sha256 ; fi - if test "x$enableval" = xsha1 ; then DIGEST=sha1 ; fi - if test "x$enableval" = xripemd160; then DIGEST=ripemd160; fi - if test "x$enableval" = xmd5 ; then DIGEST=md5 ; fi - if test "x$enableval" = xmd4 ; then DIGEST=md4 ; fi +HMAC=sha1 +AC_ARG_ENABLE(hmac-digest, + [AS_HELP_STRING(--enable-hmac-digest=HMAC,[ + Select the HMAC digest algorithm to use (default "sha1"). 
Must be one of + "sha512", "sha256", "sha1", "ripemd160", "whirlpool".])], + if test "x$enableval" = xwhirlpool; then HMAC=whirlpool; fi + if test "x$enableval" = xsha512 ; then HMAC=sha512 ; fi + if test "x$enableval" = xsha256 ; then HMAC=sha256 ; fi + if test "x$enableval" = xsha1 ; then HMAC=sha1 ; fi + if test "x$enableval" = xripemd160; then HMAC=ripemd160; fi +) +AC_DEFINE_UNQUOTED(ENABLE_HMAC, EVP_${HMAC}, [Select the HMAC digest algorithm to use.]) + +AUTH=sha512 +AC_ARG_ENABLE(auth-digest, + [AS_HELP_STRING(--enable-auth-digest=DIGEST,[ + Select the hmac algorithm to use (default "sha512"). Must be one of + "sha512", "sha256", "whirlpool".])], + if test "x$enableval" = xwhirlpool; then AUTH=whirlpool; fi + if test "x$enableval" = xsha512 ; then AUTH=sha512 ; fi + if test "x$enableval" = xsha256 ; then AUTH=sha256 ; fi ) -AC_DEFINE_UNQUOTED(ENABLE_DIGEST, EVP_${DIGEST}, [Select the digest algorithm to use.]) +AC_DEFINE_UNQUOTED(ENABLE_AUTH, EVP_${AUTH}, [Select the auth digest algorithm to use.]) if $CXX -v --help 2>&1 | grep -q fno-rtti; then CXXFLAGS="$CXXFLAGS -fno-rtti" @@ -387,12 +404,12 @@ dnl if $CXX -v --help 2>&1 | grep -q ffunction-sections; then dnl CXXFLAGS="$CXXFLAGS -ffunction-sections" dnl fi -dnl +dnl dnl if $LD -v --help 2>&1 | grep -q gc-sections; then dnl LDFLAGS="$LDFLAGS -Wl,--gc-sections" dnl fi -AC_SUBST(INCLUDES) +AC_SUBST(AM_CPPFLAGS) AC_CONFIG_FILES([Makefile po/Makefile.in src/Makefile 
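Review bot: An unrecognised value for `--enable-cipher`, `--enable-hmac-digest` or `--enable-auth-digest` is silently ignored, because each option is a chain of independent `if test` lines with no final branch. As a result `--enable-cipher=bf` (accepted before this change) or a typo such as `--enable-hmac-digest=sha384` leaves the default in place without any message. For options that choose cryptographic primitives the build should stop instead; a `case` with a `*) AC_MSG_ERROR(...)` arm, sketched below for the cipher, applies to all three. The help text for `--enable-auth-digest` still reads "Select the hmac algorithm to use", which looks copied from the option above and should name the auth digest. The rename also reuses `HMAC` for the digest name and drops `DIGEST`, so the unchanged summary lines `Digest used: $DIGEST` and `HMAC length: $HMAC` in the final hunk would print an empty value and the digest name; they probably want `$HMAC` and `$HMACSIZE`.

```m4
AC_ARG_ENABLE(cipher,
   dnl … unchanged: AS_HELP_STRING text …
   [case "$enableval" in
      aes-128) CIPHER=aes_128_ctr ;;
      aes-192) CIPHER=aes_192_ctr ;;
      aes-256) CIPHER=aes_256_ctr ;;
      *) AC_MSG_ERROR([unsupported value for --enable-cipher: $enableval]) ;;
    esac]
)
```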
@@ -407,32 +424,56 @@ echo "*** Configuration Summary" echo "***" echo "*** Kernel Iface: $IFTYPE/$IFSUBTYPE" +echo "*** RSA size: $RSA" echo "*** Cipher used: $CIPHER" echo "*** Digest used: $DIGEST" +echo "*** Authdigest: $AUTH" echo "*** HMAC length: $HMAC" -echo "*** RAND used: $RAND" echo "*** Max. MTU: $MTU" echo "***" echo "*** Enable options:" grep ENABLE_ config.h | sed -e 's/^/*** /' -if test "x$DIGEST" = xmd4; then +if test "$HMACSIZE" -lt 12; then echo "***" -echo "*** WARNING: The digest you have chosen ($DIGEST) is known to be insecure" +echo "*** WARNING: The hmac length you have chosen ($HMACSIZE) is quite insecure" fi -if test "$HMAC" -lt 12; then echo "***" -echo "*** WARNING: The hmac length you have chosen ($HMAC) is probably insecure" -fi +echo -if test "$RAND" -lt 8; then -echo "***" -echo "*** WARNING: The random prefix you have chosen ($RAND) is probably insecure" -fi +if pkg-config --exists 'libcrypto >= 1.1 libcrypto < 2.0'; then + cat <