author | Richard Levitte <levitte@openssl.org> | 2015-05-18 11:03:47 +0200 |
committer | Richard Levitte <levitte@openssl.org> | 2016-01-21 07:04:47 +0100 |
commit | c569e206d2abd186db400240a5746fa52b7f5198 (patch) | |
tree | 44f6ab6022fed112002ddb0fa48e1dd39f9f43a0 | |
parent | fe05264e32327e33f0b0c091479affeecbf55e89 (diff) |
Refactor config - consolidate handling of disabled stuff
It's time to refactor the handling of %disabled so that all
information of value is in the same place. We have so far had a few
cascading disable rules in the form of code, far away from %disabled.
Instead, bring that information to the array @disable_cascades, which
is a list of pairs of the form 'test => descendants'. The test part
can be a string, in which case it is simply checked whether that string
is a key in %disabled, or it can be a CODEref to do a more complex test.
If the test comes true, then all descendants are disabled. This check
is performed until there are no more things that need to be disabled.
Also, $default_depflags is constructed from the information in
%disabled instead of being a separate string. While a string of its
own is visually appealing, it's much too easy to forget to update it
when something is changed in %disabled.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-rwxr-xr-x | Configure | 201 |
1 files changed, 81 insertions, 120 deletions
@@ -602,9 +602,72 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
 );
 my @experimental = ();
 
-# This is what $depflags will look like with the above defaults
-# (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_CRYPTO_MDEBUG -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
+# Note: => pair form used for aesthetics, not to truly make a hash table
+my @disable_cascades = (
+ # "what" => [ "cascade", ... ]
+ sub { $processor eq "386" }
+ => [ "sse2" ],
+ "ssl" => [ "ssl3" ],
+ "ssl3-method" => [ "ssl3" ],
+ "zlib" => [ "zlib-dynamic" ],
+ "rijndael" => [ "aes" ],
+ "des" => [ "mdc2" ],
+ "ec" => [ "ecdsa", "ecdh", "gost" ],
+ "dsa" => [ "gost" ],
+ "dh" => [ "gost" ],
+
+ "dgram" => [ "dtls" ],
+ "dtls" => [ @dtls ],
+
+ # SSL 3.0, (D)TLS 1.0 and TLS 1.1 require MD5 and SHA
+ "md5" => [ "ssl", "tls1", "tls1_1", "dtls1" ],
+ "sha" => [ "ssl", "tls1", "tls1_1", "dtls1" ],
+
+ # Additionally, SSL 3.0 requires either RSA or DSA+DH
+ sub { $disabled{rsa}
+ && ($disabled{dsa} || $disabled{dh}); }
+ => [ "ssl" ],
+
+ # (D)TLS 1.0 and TLS 1.1 also require either RSA or DSA+DH
+ # or ECDSA + ECDH. (D)TLS 1.2 has this requirement as well.
+ # (XXX: We don't support PSK-only builds).
+ sub { $disabled{rsa}
+ && ($disabled{dsa} || $disabled{dh})
+ && ($disabled{ecdsa} || $disabled{ecdh}); }
+ => [ "tls1", "tls1_1", "tls1_2",
+ "dtls1", "dtls1_2" ],
+
+ "tls" => [ @tls ],
+
+ # SRP and HEARTBEATS require TLSEXT
+ "tlsext" => [ "srp", "heartbeats" ],
+ );
+
+# Avoid protocol support holes. Also disable all versions below N, if version
+# N is disabled while N+1 is enabled.
+#
+my @list = (reverse @tls);
+while ((my $first, my $second) = (shift @list, shift @list)) {
+ last unless @list;
+ push @disable_cascades, ( sub { !$disabled{$first} && $disabled{$second} }
+ => [ @list ] );
+ unshift @list, $second;
+}
+my @list = (reverse @dtls);
+while ((my $first, my $second) = (shift @list, shift @list)) {
+ last unless @list;
+ push @disable_cascades, ( sub { !$disabled{$first} && $disabled{$second} }
+ => [ @list ] );
+ unshift @list, $second;
+}
+
+# Construct the string of what $depflags should look like with the defaults
+# from %disabled above. (we need this to see if we should advise the user
+# to run "make depend"):
+my $default_depflags = " ".join(" ",
+ map { my $x = $_; $x =~ tr{[a-z]-}{[A-Z]_}; "-DOPENSSL_NO_$x"; }
+ grep { $disabled{$_} !~ /\(no-depflags\)$/ }
+ sort keys %disabled);
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
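Review bot: `my @list` is declared twice in the same file scope, once before each protocol-hole loop, which under `use warnings` (or `-w`) reports `"my" variable @list masks earlier declaration in same scope`, and the two loops are otherwise identical copies. The condition `while ((my $first, my $second) = (shift @list, shift @list))` is also always true, because a list assignment in scalar context yields the number of right-hand elements (here 2), so termination rests entirely on `last unless @list`; a single loop over `(\@tls, \@dtls)` with the remaining count as the loop condition states the same rules once, as below. In `tr{[a-z]-}{[A-Z]_}` the square brackets are literal characters rather than a class (harmless, since they map to themselves, but `tr{a-z-}{A-Z_}` is what is meant). I could not find a replacement for the removed rule that an explicit `enable-zlib-dynamic` re-enables `zlib`; `"zlib" => [ "zlib-dynamic" ]` only goes the other way, so if dropping it is intended it deserves a sentence in the commit message.
```perl
# Avoid protocol support holes. Also disable all versions below N, if version
# N is disabled while N+1 is enabled.
#
for my $versions (\@tls, \@dtls) {
    my @list = reverse @$versions;
    while (@list > 2) {
        my ($first, $second) = splice @list, 0, 2;
        push @disable_cascades, ( sub { !$disabled{$first} && $disabled{$second} }
                                  => [ @list ] );
        unshift @list, $second;
    }
}
# … unchanged: $default_depflags construction …
```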
@@ -860,122 +923,25 @@ foreach (@argvcopy)
 }
 }
-
-if ($processor eq "386")
- {
- $disabled{"sse2"} = "forced";
- }
-
-if (!defined($disabled{"zlib-dynamic"}))
- {
- # "zlib-dynamic" was specifically enabled, so enable "zlib"
- delete $disabled{"zlib"};
- }
-
-if (defined($disabled{"rijndael"}))
- {
- $disabled{"aes"} = "forced";
- }
-if (defined($disabled{"des"}))
- {
- $disabled{"mdc2"} = "forced";
- }
-if (defined($disabled{"ec"}))
- {
- $disabled{"ecdsa"} = "forced";
- $disabled{"ecdh"} = "forced";
- }
-
-# SSL 3.0 requires MD5 and SHA and either RSA or DSA+DH
-if (defined($disabled{"md5"}) || defined($disabled{"sha"})
- || (defined($disabled{"rsa"})
- && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))))
- {
- $disabled{"ssl3"} = "forced";
- $disabled{"ssl"} = "forced";
- }
-
-# (D)TLS 1.0 and TLS 1.1 require MD5 and SHA and either RSA or DSA+DH
-# or ECDSA + ECDH. (XXX: We don't support PSK-only builds).
-#
-if (defined($disabled{"md5"}) || defined($disabled{"sha"})
- || (defined($disabled{"rsa"})
- && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))
- && (defined($disabled{"ecdsa"}) || defined($disabled{"ecdh"}))))
- {
- $disabled{"tls1"} = "forced";
- $disabled{"dtls1"} = "forced";
- $disabled{"tls1_1"} = "forced";
- }
-
-# (D)TLS 1.2 requires either RSA or DSA+DH or ECDSA + ECDH
-# So if all are missing, we can't do either TLS or DTLS.
-# (XXX: We don't support PSK-only builds).
-#
-if (defined($disabled{"rsa"})
- && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))
- && (defined($disabled{"ecdsa"}) || defined($disabled{"ecdh"})))
- {
- $disabled{"tls"} = "forced";
- $disabled{"dtls"} = "forced";
- foreach my $proto ((@tls, @dtls))
- {
- $disabled{"$proto"} = "forced";
- }
- }
-
-
-# Avoid protocol support holes. Also disable all versions below N, if version
-# N is disabled while N+1 is enabled.
-#
-my $prev_disabled = 1;
-my $force_disable = 0;
-foreach my $proto (reverse(@tls))
- {
- if ($force_disable)
- {
- $disabled{$proto} = 1;
- }
- elsif (! defined($disabled{$proto}))
- {
- $prev_disabled = 0;
- }
- elsif (! $prev_disabled)
- {
- $force_disable = 1;
- }
- }
-my $prev_disabled = 1;
-my $force_disable = 0;
-foreach my $proto (reverse(@dtls))
- {
- if ($force_disable)
- {
- $disabled{$proto} = 1;
- }
- elsif (! defined($disabled{$proto}))
- {
- $prev_disabled = 0;
- }
- elsif (! $prev_disabled)
- {
- $force_disable = 1;
- }
- }
-
-if (defined($disabled{"dgram"}))
+if ($fips)
 {
- $disabled{"dtls"} = "forced";
- $disabled{"dtls1"} = "forced";
- $disabled{"dtls1_2"} = "forced";
+ delete $disabled{"shared"} if ($disabled{"shared"} =~ /^default/);
 }
-if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
- || defined($disabled{"dh"}) || defined($disabled{"stdio"}))
- {
- $disabled{"gost"} = "forced";
+my @tocheckfor = (keys %disabled);
+while (@tocheckfor) {
+ my %new_tocheckfor = ();
+ my @cascade_copy = (@disable_cascades);
+ while (@cascade_copy) {
+ my ($test, $descendents) = (shift @cascade_copy, shift @cascade_copy);
+ if (ref($test) eq "CODE" ? $test->() : defined($disabled{$test})) {
+ map {
+ $new_tocheckfor{$_} => 1; $disabled{$_} = "forced";
+ } grep { !defined($disabled{$_}) } @$descendents;
 }
-
+ }
+ @tocheckfor = (keys %new_tocheckfor);
+}
 
 if ($target eq "TABLE")
 {
 foreach $target (sort keys %table)
 {
@@ -1022,11 +988,6 @@ my %target = resolve_config($target);
 
 &usage if (!%target || $target{template});
 
-if ($fips)
- {
- delete $disabled{"shared"} if ($disabled{"shared"} eq "default");
- }
-
 foreach (sort (keys %disabled))
 {
 $options .= " no-$_"; |
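Review bot: `$new_tocheckfor{$_} => 1;` inside the `map` block is a comma expression, not an assignment, so `%new_tocheckfor` is never populated, `@tocheckfor = (keys %new_tocheckfor)` is empty after the first pass and the outer `while` runs exactly once instead of iterating to the fixed point the commit message promises. Any rule whose key is itself only disabled by a later rule in the list — `"ssl" => [ "ssl3" ]` precedes the `"md5"`/`"sha"` rules that force `ssl` off — is therefore not re-evaluated, and a `no-…` option can silently leave a dependent feature (and its `-DOPENSSL_NO_…` define) enabled. `map` is also used in void context purely for its side effects, which the language guidance flags; replacing the three `map`/`grep` lines with `foreach (grep { !defined($disabled{$_}) } @$descendents) {` / `$new_tocheckfor{$_} = 1; $disabled{$_} = "forced";` / `}` fixes both. Under `use warnings` the current form would additionally report a useless use of a constant in void context, which is a cheap way to confirm the diagnosis.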