Remove special handling of crypt() in configure

Darren Tucker dtucker at dtucker.net
Tue Jul 12 19:29:04 AEST 2022


Hi.

Configure goes to some lengths to pick crypt() from either libcrypt
or OpenSSL's libcrypto because they can be more or less featureful (eg
supporting md5-style passwords).

The thing is, OpenSSL removed its crypt() interface in 2002:
https://github.com/openssl/openssl/commit/69deec58 so these hijinks
should no longer be necessary.

Anyone see any reason not to do this?  It will allow some other library
cleanups.  As a bonus, only sshd ends up being linked against -lcrypt
as that's the only thing that needs it.

diff --git a/configure.ac b/configure.ac
index 6ebdd06a..7bb1d711 100644
--- a/configure.ac
+++ b/configure.ac
@@ -674,7 +674,6 @@ case "$host" in
 	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
 	;;
 *-*-cygwin*)
-	check_for_libcrypt_later=1
 	LIBS="$LIBS /usr/lib/textreadmode.o"
 	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
 	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
@@ -753,7 +752,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	    [System poll(2) implementation is broken])
 	;;
 *-*-dragonfly*)
-	SSHDLIBS="$SSHDLIBS -lcrypt"
+	SSHDLIBS="$SSHDLIBS"
 	TEST_MALLOC_OPTIONS="AFGJPRX"
 	;;
 *-*-haiku*)
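Review bot: The replacement line `SSHDLIBS="$SSHDLIBS"` in the `*-*-dragonfly*` case is a self-assignment with no effect, so it reads like a leftover rather than an intentional setting. Deleting the line outright would leave the case with only `TEST_MALLOC_OPTIONS="AFGJPRX"`. DragonFly then gets `-lcrypt` solely from the generic `AC_CHECK_LIB([crypt], [crypt], ...)` block added near the end of this patch, so it is worth confirming on that platform that sshd still links against libcrypt.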
@@ -844,7 +843,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
 	;;
 *-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
-	check_for_libcrypt_later=1
 	AC_DEFINE([PAM_TTY_KLUDGE])
 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
 	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
@@ -854,7 +852,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 *-*-linux*)
 	no_dev_ptmx=1
 	use_pie=auto
-	check_for_libcrypt_later=1
 	check_for_openpty_ctty_bug=1
 	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
 	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
@@ -994,7 +991,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	SONY=1
 	;;
 *-*-netbsd*)
-	check_for_libcrypt_before=1
 	if test "x$withval" != "xno" ; then
 		rpath_opt="-R"
 	fi
@@ -1009,7 +1005,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
 	;;
 *-*-freebsd*)
-	check_for_libcrypt_later=1
 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
 	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
 	AC_CHECK_HEADER([net/if_tap.h], ,
@@ -1182,7 +1177,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE([PASSWD_NEEDS_USERNAME])
 	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
 	TEST_SHELL=$SHELL	# let configure find us a capable shell
-	check_for_libcrypt_later=1
 	case "$host" in
 	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
 		maildir=/var/spool/mail
@@ -2885,6 +2879,7 @@ if test "x$openssl" = "xyes" ; then
 
 	AC_CHECK_FUNCS([ \
 		BN_is_prime_ex \
+		DES_crypt \
 		DSA_generate_parameters_ex \
 		EVP_CIPHER_CTX_ctrl \
 		EVP_DigestFinal_ex \
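Review bot: `DES_crypt` stays in the probe list although the description argues that the OpenSSL crypt() path is obsolete, and nothing visible in the patch says what consumes `HAVE_DES_CRYPT`. If it remains as a fallback for builds where no `crypt()` is found, that fallback would presumably verify only traditional DES password hashes, which is a weak scheme and worth making explicit. A comment above the call would do, for example `# DES_crypt: only a last-resort crypt() substitute; traditional DES hashes only`, or the probe could be dropped if the fallback is no longer wanted. The `AC_CHECK_FUNCS` list continues past the end of this hunk.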
@@ -3052,19 +3047,6 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 
-	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
-	# because the system crypt() is more featureful.
-	if test "x$check_for_libcrypt_before" = "x1"; then
-		AC_CHECK_LIB([crypt], [crypt])
-	fi
-
-	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
-	# version in OpenSSL.
-	if test "x$check_for_libcrypt_later" = "x1"; then
-		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
-	fi
-	AC_CHECK_FUNCS([crypt DES_crypt])
-
 	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
 	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
 
@@ -3176,10 +3158,6 @@ if test "x$openssl" = "xyes" ; then
 			ecdsa-sha2-nistp521 \
 			ecdsa-sha2-nistp521-cert-v01 at openssh.com"
 	fi
-
-else
-	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
-	AC_CHECK_FUNCS([crypt])
 fi
 
 # PKCS11/U2F depend on OpenSSL and dlopen().
@@ -3295,6 +3273,15 @@ AC_CHECK_LIB([iaf], [ia_openinfo], [
 ])
 LIBS="$saved_LIBS"
 
+# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+	LIBS="-lcrypt $LIBS"
+	SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
+
 ### Configure cryptographic random number support
 
 # Check whether OpenSSL seeds itself
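Review bot: The new block gives no diagnostic when `crypt()` is found in neither libcrypt nor libc, so a build whose sshd may lack native password-hash verification configures silently. A not-found action on the function probe would surface that at configure time, e.g. `AC_CHECK_FUNCS([crypt], [], [AC_MSG_WARN([crypt() not found])])`. The comment above the block could also state that `LIBS` is extended only so the `crypt` probe can see libcrypt, and is restored so that `-lcrypt` ends up in `SSHDLIBS` alone. With the per-platform `check_for_libcrypt_before`/`_later` ordering gone, it would be worth checking on NetBSD that sshd still resolves `crypt()` from the intended library.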

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

