
Remove special handling of crypt() in configure
Hi.

Configure goes to some lengths to pick crypt() from either libcrypt
or OpenSSL's libcrypto because they can be more or less featureful (eg
supporting md5-style passwords).

The thing is, OpenSSL removed its crypt() interface in 2002:
https://github.com/openssl/openssl/commit/69deec58 so these hijinks
should no longer be necessary.

Anyone see any reason not to do this? It will allow some other library
cleanups. As a bonus, only sshd ends up being linked against -lcrypt
as that's the only thing that needs it.

diff --git a/configure.ac b/configure.ac
index 6ebdd06a..7bb1d711 100644
--- a/configure.ac
+++ b/configure.ac
@@ -674,7 +674,6 @@ case "$host" in
AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
;;
*-*-cygwin*)
- check_for_libcrypt_later=1
LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
@@ -753,7 +752,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
[System poll(2) implementation is broken])
;;
*-*-dragonfly*)
- SSHDLIBS="$SSHDLIBS -lcrypt"
+ SSHDLIBS="$SSHDLIBS"
TEST_MALLOC_OPTIONS="AFGJPRX"
;;
*-*-haiku*)
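Review bot: In the `*-*-dragonfly*` arm the replacement line `SSHDLIBS="$SSHDLIBS"` assigns the variable to itself and has no effect. Since `-lcrypt` is now added to SSHDLIBS by the generic check later in the file, the line can be deleted, leaving `TEST_MALLOC_OPTIONS="AFGJPRX"` as the arm's only statement. Dropping it also avoids implying that DragonFly still needs special SSHDLIBS handling.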
@@ -844,7 +843,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
;;
*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
- check_for_libcrypt_later=1
AC_DEFINE([PAM_TTY_KLUDGE])
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
@@ -854,7 +852,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
*-*-linux*)
no_dev_ptmx=1
use_pie=auto
- check_for_libcrypt_later=1
check_for_openpty_ctty_bug=1
dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
@@ -994,7 +991,6 @@ mips-sony-bsd|mips-sony-newsos4)
SONY=1
;;
*-*-netbsd*)
- check_for_libcrypt_before=1
if test "x$withval" != "xno" ; then
rpath_opt="-R"
fi
@@ -1009,7 +1005,6 @@ mips-sony-bsd|mips-sony-newsos4)
[.NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
;;
*-*-freebsd*)
- check_for_libcrypt_later=1
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
AC_CHECK_HEADER([net/if_tap.h], ,
@@ -1182,7 +1177,6 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE([PASSWD_NEEDS_USERNAME])
AC_DEFINE([BROKEN_TCGETATTR_ICANON])
TEST_SHELL=$SHELL # let configure find us a capable shell
- check_for_libcrypt_later=1
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
maildir=/var/spool/mail
@@ -2885,6 +2879,7 @@ if test "x$openssl" = "xyes" ; then

AC_CHECK_FUNCS([. \
BN_is_prime_ex \
+ DES_crypt \
DSA_generate_parameters_ex \
EVP_CIPHER_CTX_ctrl \
EVP_DigestFinal_ex \
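Review bot: `DES_crypt` is kept in the OpenSSL `AC_CHECK_FUNCS` list, but nothing in the diff says what still consumes `HAVE_DES_CRYPT` now that crypt() is probed separately from libcrypt/libc. If it remains a fallback for builds where no crypt() is found (the consumer is outside this diff, so that is an assumption), it provides traditional DES crypt only and cannot verify modern password hash formats. A comment above the list would make that explicit, for example `# DES_crypt: last-resort fallback when no system crypt() exists; DES hashes only`. The alternative is to drop the probe along with the rest of the special handling. The `AC_CHECK_FUNCS` call starts inside the hunk but its argument list continues past it.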
@@ -3052,19 +3047,6 @@ if test "x$openssl" = "xyes" ; then
]
)

- # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
- # because the system crypt() is more featureful.
- if test "x$check_for_libcrypt_before" = "x1"; then
- AC_CHECK_LIB([crypt], [crypt])
- fi
-
- # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
- # version in OpenSSL.
- if test "x$check_for_libcrypt_later" = "x1"; then
- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
- fi
- AC_CHECK_FUNCS([crypt DES_crypt])
-
# Check for SHA256, SHA384 and SHA512 support in OpenSSL
AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])

@@ -3176,10 +3158,6 @@ if test "x$openssl" = "xyes" ; then
ecdsa-sha2-nistp521 \
ecdsa-sha2-nistp521-cert-v01@openssh.com"
fi
-
-else
- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
- AC_CHECK_FUNCS([crypt])
fi

# PKCS11/U2F depend on OpenSSL and dlopen().
@@ -3295,6 +3273,15 @@ AC_CHECK_LIB([iaf], [ia_openinfo], [
])
LIBS="$saved_LIBS"

+# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+ LIBS="-lcrypt $LIBS"
+ SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
+
### Configure cryptographic random number support

# Check whether OpenSSL seeds itself
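Review bot: The new `AC_CHECK_LIB([crypt], [crypt], ...)` block runs on every host, whereas the removed `check_for_libcrypt_later`/`check_for_libcrypt_before` flags were set only in specific platform arms. On platforms that did not set them, sshd will now resolve crypt() from libcrypt ahead of libc whenever a libcrypt exists. That changes which implementation verifies password hashes, so it is worth confirming the hash formats match on those systems. I would state this in the comment, e.g. `# Prefer crypt() from libcrypt on all platforms; AC_CHECK_FUNCS falls back to libc.` There is also no diagnostic when neither library provides crypt(); a check such as `test "x$ac_cv_func_crypt" != "xyes" && AC_MSG_WARN([no crypt() found])` after `AC_CHECK_FUNCS([crypt])` would surface that at configure time.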

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.