[ViewVC] Diff of: cvs/gvpe/configure.ac

Comparing gvpe/configure.ac (file contents):
Revision 1.58 by root, Tue Mar 8 17:33:30 2011 UTC vs.
Revision 1.68 by root, Thu Oct 6 03:25:53 2022 UTC

 dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ(2.59)
+AC_PREREQ([2.71])
-AC_INIT
+AC_INIT([gvpe],[3.1])
 AC_CONFIG_SRCDIR([src/gvpe.C])
 AC_CANONICAL_TARGET
-AM_INIT_AUTOMAKE(gvpe, 2.24)
+AM_INIT_AUTOMAKE
 AC_CONFIG_HEADERS([config.h])
 AM_MAINTAINER_MODE
 AH_TOP([
 #ifndef CONFIG_H__
 # define CLOCALE <clocale>
 #else
 # define CLOCALE <locale.h>
 #endif
 ])
-dnl Include the macros from the m4/ directory
-AM_ACLOCAL_INCLUDE(m4)
 AM_GNU_GETTEXT([external])
 AM_GNU_GETTEXT_VERSION(0.11.5)
 # Enable GNU extensions.
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
 AC_TYPE_PID_T
 AC_TYPE_SIZE_T
-AC_HEADER_TIME
+AC_CHECK_HEADERS_ONCE([sys/time.h])
 AC_STRUCT_TM
 AC_CACHE_CHECK([for socklen_t], ac_cv_type_socklen_t,
 [
   AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
 ])
 if test $ac_cv_struct_addrinfo = yes; then
   AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1, [struct addrinfo available])
 fi
-dnl Checks for library functions.
-AC_TYPE_SIGNAL
 AC_LANG_PUSH(C)
-AC_HEADER_STDC
 dnl argl, could somebody catapult darwin into the 21st century???
 AC_CHECK_FUNCS(asprintf daemon get_current_dir_name putenv select strerror strsignal strtol unsetenv mlockall)
 AC_FUNC_ALLOCA
 AC_CACHE_SAVE
 dnl These are defined in files in m4/
 tinc_TUNTAP
-tinc_OPENSSL
+PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto >= 1])
-if test "x$openssl_include" != x; then
-   CXXFLAGS="$CXXFLAGS -I$openssl_include"
-fi
-dnl tinc_ZLIB
 AC_ARG_ENABLE(threads,
   [AS_HELP_STRING(--enable-threads,try to use threads for long-running asynchronous operations (default enabled).)],
   [try_threads=$enableval],
   [try_threads=yes]
     AC_DEFINE_UNQUOTED(ENABLE_DNS, 1, [DNS tunnel protocol support.])
   ]
 )
+RSA=3072
+AC_ARG_ENABLE(rsa-length,
+  [AS_HELP_STRING(--enable-rsa-length=BITS,[
+      use BITS rsa keys (default 3072). Allowed values are 2048-10240.])],
+  RSA=$enableval
+)
+AC_DEFINE_UNQUOTED(RSABITS, $RSA, [Size of RSA keys.])
-HMAC=12
+HMACSIZE=12
 AC_ARG_ENABLE(hmac-length,
   [AS_HELP_STRING(--enable-hmac-length=BYTES,[
       use a hmac of length BYTES bytes (default 12). Allowed values are 4, 8, 12, 16.])],
-  HMAC=$enableval
+  HMACSIZE=$enableval
 )
-AC_DEFINE_UNQUOTED(HMACLENGTH, $HMAC, [Size of HMAC in each packet in bytes.])
+AC_DEFINE_UNQUOTED(HMACLENGTH, $HMACSIZE, [Size of HMAC in each packet in bytes.])
-RAND=8
-AC_ARG_ENABLE(rand-length,
-  [AS_HELP_STRING(--enable-rand-length=BYTES,
-      [use BYTES bytes of extra randomness (default 8). Allowed values are 0, 4, 8.])],
-  RAND=$enableval
-)
-AC_DEFINE_UNQUOTED(RAND_SIZE, $RAND, [Add this many bytes of randomness to each packet.])
 MTU=1500
 AC_ARG_ENABLE(max-mtu,
   [AS_HELP_STRING(--enable-max-mtu=BYTES,enable mtu sizes upto BYTES bytes (default 1500). Use 9100 for jumbogram support.)],
   MTU=$enableval
 )
-AC_DEFINE_UNQUOTED(MAX_MTU, $MTU + 14, [Maximum MTU supported.])
+AC_DEFINE_UNQUOTED(MAX_MTU, ($MTU + 14), [Maximum MTU supported.])
 COMPRESS=1
 AC_ARG_ENABLE(compression,
   [AS_HELP_STRING(--disable-compression,Disable compression support.)],
   if test "x$enableval" = xno; then
      COMPRESS=0
   fi
 )
 AC_DEFINE_UNQUOTED(ENABLE_COMPRESSION, $COMPRESS, [Enable compression support.])
-CIPHER=aes_128_cbc
+CIPHER=aes_128_ctr
 AC_ARG_ENABLE(cipher,
   [AS_HELP_STRING(--enable-cipher=CIPHER,[
       Select the symmetric cipher (default "aes-128").
-      Must be one of "bf" (blowfish), "aes-128" (rijndael), "aes-192" or "aes-256".])],
+      Must be one of "aes-128" (rijndael), "aes-192", or "aes-256".])],
-  if test "x$enableval" = xbf     ; then CIPHER=bf_cbc     ; fi
+  #if test "x$enableval" = xbf          ; then CIPHER=bf_ctr          ; fi
-  if test "x$enableval" = xaes-128; then CIPHER=aes_128_cbc; fi
+  if test "x$enableval" = xaes-128     ; then CIPHER=aes_128_ctr     ; fi
-  if test "x$enableval" = xaes-192; then CIPHER=aes_192_cbc; fi
+  if test "x$enableval" = xaes-192     ; then CIPHER=aes_192_ctr     ; fi
-  if test "x$enableval" = xaes-256; then CIPHER=aes_256_cbc; fi
+  if test "x$enableval" = xaes-256     ; then CIPHER=aes_256_ctr     ; fi
+  #if test "x$enableval" = xcamellia-128; then CIPHER=camellia_128_ctr; fi
+  #if test "x$enableval" = xcamellia-256; then CIPHER=camellia_256_ctr; fi
 )
 AC_DEFINE_UNQUOTED(ENABLE_CIPHER, EVP_${CIPHER}, [Select the symmetric cipher to use.])
-DIGEST=ripemd160
+HMAC=sha1
-AC_ARG_ENABLE(digest,
+AC_ARG_ENABLE(hmac-digest,
-  [AS_HELP_STRING(--enable-digest=CIPHER,[
+  [AS_HELP_STRING(--enable-hmac-digest=HMAC,[
-      Select the digest algorithm to use (default "ripemd160"). Must be one of
+      Select the HMAC digest algorithm to use (default "sha1"). Must be one of
-      "sha512", "sha256", "sha1" (somewhat insecure), "ripemd160", "md5" (insecure) or "md4" (insecure).])],
+      "sha512", "sha256", "sha1", "ripemd160", "whirlpool".])],
+  if test "x$enableval" = xwhirlpool; then HMAC=whirlpool; fi
+  if test "x$enableval" = xsha512   ; then HMAC=sha512   ; fi
+  if test "x$enableval" = xsha256   ; then HMAC=sha256   ; fi
+  if test "x$enableval" = xsha1     ; then HMAC=sha1     ; fi
+  if test "x$enableval" = xripemd160; then HMAC=ripemd160; fi
+)
+AC_DEFINE_UNQUOTED(ENABLE_HMAC, EVP_${HMAC}, [Select the HMAC digest algorithm to use.])
+AUTH=sha512
+AC_ARG_ENABLE(auth-digest,
+  [AS_HELP_STRING(--enable-auth-digest=DIGEST,[
+      Select the hmac algorithm to use (default "sha512"). Must be one of
+      "sha512", "sha256", "whirlpool".])],
+  if test "x$enableval" = xwhirlpool; then AUTH=whirlpool; fi
-  if test "x$enableval" = xsha512   ; then DIGEST=sha512   ; fi
+  if test "x$enableval" = xsha512   ; then AUTH=sha512   ; fi
-  if test "x$enableval" = xsha256   ; then DIGEST=sha256   ; fi
+  if test "x$enableval" = xsha256   ; then AUTH=sha256   ; fi
-  if test "x$enableval" = xsha1     ; then DIGEST=sha1     ; fi
-  if test "x$enableval" = xripemd160; then DIGEST=ripemd160; fi
-  if test "x$enableval" = xmd5      ; then DIGEST=md5      ; fi
-  if test "x$enableval" = xmd4      ; then DIGEST=md4      ; fi
 )
-AC_DEFINE_UNQUOTED(ENABLE_DIGEST, EVP_${DIGEST}, [Select the digest algorithm to use.])
+AC_DEFINE_UNQUOTED(ENABLE_AUTH, EVP_${AUTH}, [Select the auth digest algorithm to use.])
 if $CXX -v --help 2>&1 | grep -q fno-rtti; then
    CXXFLAGS="$CXXFLAGS -fno-rtti"
 fi
 LIBS="$EXTRA_LIBS $LIBS"
 dnl if $CXX -v --help 2>&1 | grep -q ffunction-sections; then
 dnl    CXXFLAGS="$CXXFLAGS -ffunction-sections"
 dnl fi
 dnl
 dnl if $LD -v --help 2>&1 | grep -q gc-sections; then
 dnl    LDFLAGS="$LDFLAGS -Wl,--gc-sections"
 dnl fi
-AC_SUBST(INCLUDES)
+AC_SUBST(AM_CPPFLAGS)
 AC_CONFIG_FILES([Makefile po/Makefile.in
 src/Makefile
 doc/Makefile
 lib/Makefile
 echo
 echo "***"
 echo "*** Configuration Summary"
 echo "***"
 echo "*** Kernel Iface: $IFTYPE/$IFSUBTYPE"
+echo "*** RSA size:     $RSA"
 echo "*** Cipher used:  $CIPHER"
 echo "*** Digest used:  $DIGEST"
+echo "*** Authdigest:   $AUTH"
 echo "*** HMAC length:  $HMAC"
-echo "*** RAND used:    $RAND"
 echo "*** Max. MTU:     $MTU"
 echo "***"
 echo "*** Enable options:"
 grep ENABLE_ config.h | sed -e 's/^/*** /'
-if test "x$DIGEST" = xmd4; then
+if test "$HMACSIZE" -lt 12; then
 echo "***"
-echo "*** WARNING: The digest you have chosen ($DIGEST) is known to be insecure"
-fi
-if test "x$DIGEST" = xmd5; then
-echo "***"
-echo "*** WARNING: The digest you have chosen ($DIGEST) is probably insecure"
-fi
-if test "$HMAC" -lt 12; then
-echo "***"
-echo "*** WARNING: The hmac length you have chosen ($HMAC) is probably insecure"
+echo "*** WARNING: The hmac length you have chosen ($HMACSIZE) is quite insecure"
-fi
-if test "$RAND" -lt 8; then
-echo "***"
-echo "*** WARNING: The random prefix you have chosen ($RAND) is probably insecure"
 fi
 echo "***"
 echo
+if pkg-config --exists 'libcrypto >= 1.1 libcrypto < 2.0'; then
+   cat <<EOF
+@<:@33m
+***
+*** WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+***
+*** You seem to configure gvpe with OpenSSL 1.1 or newer.
+*** While this probably compiles, please note that this is not only
+*** unsupported, but also discouraged.
+***
+*** It is recommended to use either OpenSSL 1.0, as long as that is still
+*** supported, or LibreSSL (https://www.libressl.org/).
+***
+*** This is not a political issue - while porting GVPE to the newer
+*** OpenSSL 1.1 API, I encountered two incompatible API changes that were
+*** not documented, were not caught while compiling but caused security
+*** issues. When reported, the reaction of the OpenSSL developers was to
+*** update the documentation.
+***
+*** As a result, I lost all confidence in the ability and desire of
+*** OpenSSL developers to create a safe API, and would highly recommend
+*** switching to LibreSSL which explicitly avoids such braking changes.
+***
+*** WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+***
+*** Again, do not use OpenSSL 1.1 and complain if stuff breaks.
+*** You have been warned, but your choice is respected.
+***
+@<:@0m
+EOF
+fi

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/configure.ac (file contents): Revision 1.58 by root, Tue Mar 8 17:33:30 2011 UTC vs. Revision 1.68 by root, Thu Oct 6 03:25:53 2022 UTC

Diff Legend

Comparing gvpe/configure.ac (file contents):
Revision 1.58 by root, Tue Mar 8 17:33:30 2011 UTC vs.
Revision 1.68 by root, Thu Oct 6 03:25:53 2022 UTC