X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=configure.ac;h=d7ba18bff8e59f872c261b6c9dcc5526af9cb2dc;hb=420ad62f0bb77970a6ba234bde9e1405f7df7789;hp=1286cf9d2744d074e212544cb34cc75a9e734660;hpb=664eff9e76e90702137268116873cbfc8719568e;p=platform%2Fupstream%2Fcryptsetup.git diff --git a/configure.ac b/configure.ac index 1286cf9..d7ba18b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,17 +1,22 @@ AC_PREREQ([2.67]) -AC_INIT([cryptsetup],[1.6.0]) +AC_INIT([cryptsetup],[2.6.1]) dnl library version from ..[-] LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-) -LIBCRYPTSETUP_VERSION_INFO=9:0:5 -dnl library file name for FIPS selfcheck -LIBCRYPTSETUP_VERSION_FIPS="libcryptsetup.so.4" +LIBCRYPTSETUP_VERSION_INFO=21:0:9 +AM_SILENT_RULES([yes]) AC_CONFIG_SRCDIR(src/cryptsetup.c) AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.h.in]) -AM_INIT_AUTOMAKE(dist-bzip2) + +# We do not want to run test in parallel. Really. +# http://lists.gnu.org/archive/html/automake/2013-01/msg00060.html + +# For old automake use this +#AM_INIT_AUTOMAKE(dist-xz subdir-objects) +AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign]) if test "x$prefix" = "xNONE"; then sysconfdir=/etc 
@@ -23,38 +28,152 @@ AC_USE_SYSTEM_EXTENSIONS AC_PROG_CC AM_PROG_CC_C_O AC_PROG_CPP +AC_PROG_CXX AC_PROG_INSTALL AC_PROG_MAKE_SET +AC_PROG_MKDIR_P AC_ENABLE_STATIC(no) LT_INIT PKG_PROG_PKG_CONFIG +dnl ========================================================================== +dnl define PKG_CHECK_VAR for old pkg-config <= 0.28 +m4_ifndef([AS_VAR_COPY], +[m4_define([AS_VAR_COPY], +[AS_LITERAL_IF([$1[]$2], [$1=$$2], [eval $1=\$$2])]) +]) +m4_ifndef([PKG_CHECK_VAR], [ +AC_DEFUN([PKG_CHECK_VAR], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config]) + +_PKG_CONFIG([$1], [variable="][$3]["], [$2]) +AS_VAR_COPY([$1], [pkg_cv_][$1]) + +AS_VAR_IF([$1], [""], [$5], [$4]) +]) +]) +dnl ========================================================================== +dnl AsciiDoc manual pages + +AC_ARG_ENABLE([asciidoc], + AS_HELP_STRING([--disable-asciidoc], [do not generate man pages from asciidoc]), + [], [enable_asciidoc=yes] +) + +AC_PATH_PROG([ASCIIDOCTOR], [asciidoctor]) +if test "x$enable_asciidoc" = xyes -a "x$ASCIIDOCTOR" = x; then + AC_MSG_ERROR([Building man pages requires asciidoctor installed.]) +fi +AM_CONDITIONAL([ENABLE_ASCIIDOC], [test "x$enable_asciidoc" = xyes]) + +have_manpages=no +AS_IF([test -f "$srcdir/man/cryptsetup-open.8"], [ + AC_MSG_NOTICE([re-use already generated man-pages.]) + have_manpages=yes] +) +AM_CONDITIONAL([HAVE_MANPAGES], [test "x$have_manpages" = xyes]) + +dnl ========================================================================== + +AC_C_RESTRICT + AC_HEADER_DIRENT -AC_HEADER_STDC -AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \ - ctype.h unistd.h locale.h) +AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h uchar.h sys/ioctl.h sys/mman.h \ + sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h) +AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])], +[[ +#ifdef HAVE_FCNTL_H +# include +#endif +]]) 
AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([You need the uuid library.])]) AC_CHECK_HEADER(libdevmapper.h,,[AC_MSG_ERROR([You need the device-mapper library.])]) +AC_ARG_ENABLE([keyring], + AS_HELP_STRING([--disable-keyring], [disable kernel keyring support and builtin kernel keyring token]), + [], [enable_keyring=yes]) +if test "x$enable_keyring" = "xyes"; then + AC_CHECK_HEADERS(linux/keyctl.h,,[AC_MSG_ERROR([You need Linux kernel headers with kernel keyring service compiled.])]) + + dnl ========================================================================== + dnl check whether kernel is compiled with kernel keyring service syscalls + AC_CHECK_DECL(__NR_add_key,,[AC_MSG_ERROR([The kernel is missing add_key syscall.])], [#include ]) + AC_CHECK_DECL(__NR_keyctl,,[AC_MSG_ERROR([The kernel is missing keyctl syscall.])], [#include ]) + AC_CHECK_DECL(__NR_request_key,,[AC_MSG_ERROR([The kernel is missing request_key syscall.])], [#include ]) + + dnl ========================================================================== + dnl check that key_serial_t hasn't been adopted yet in stdlib + AC_CHECK_TYPES([key_serial_t], [], [], [ + AC_INCLUDES_DEFAULT + #ifdef HAVE_LINUX_KEYCTL_H + # include + #endif + ]) + + AC_DEFINE(KERNEL_KEYRING, 1, [Enable kernel keyring service support]) +fi +AM_CONDITIONAL(KERNEL_KEYRING, test "x$enable_keyring" = "xyes") + saved_LIBS=$LIBS AC_CHECK_LIB(uuid, uuid_clear, ,[AC_MSG_ERROR([You need the uuid library.])]) AC_SUBST(UUID_LIBS, $LIBS) LIBS=$saved_LIBS -AC_CHECK_FUNCS([posix_memalign]) +AC_SEARCH_LIBS([clock_gettime],[rt posix4]) +AC_CHECK_FUNCS([posix_memalign clock_gettime posix_fallocate explicit_bzero]) + +if test "x$enable_largefile" = "xno"; then + AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.]) +fi AC_C_CONST AC_C_BIGENDIAN AC_TYPE_OFF_T AC_SYS_LARGEFILE - +AC_FUNC_FSEEKO AC_PROG_GCC_TRADITIONAL +AC_FUNC_STRERROR_R + +dnl 
========================================================================== +dnl LUKS2 external tokens + +AC_ARG_ENABLE([external-tokens], + AS_HELP_STRING([--disable-external-tokens], [disable external LUKS2 tokens]), + [], [enable_external_tokens=yes]) +if test "x$enable_external_tokens" = "xyes"; then + AC_DEFINE(USE_EXTERNAL_TOKENS, 1, [Use external tokens]) + dnl we need dynamic library loading here + saved_LIBS=$LIBS + AC_SEARCH_LIBS([dlsym],[dl]) + AC_CHECK_FUNCS([dlvsym]) + AC_SUBST(DL_LIBS, $LIBS) + LIBS=$saved_LIBS +fi +AM_CONDITIONAL(EXTERNAL_TOKENS, test "x$enable_external_tokens" = "xyes") + +AC_ARG_ENABLE([ssh-token], + AS_HELP_STRING([--disable-ssh-token], [disable LUKS2 ssh-token]), + [], [enable_ssh_token=yes]) +AM_CONDITIONAL(SSHPLUGIN_TOKEN, test "x$enable_ssh_token" = "xyes") + +if test "x$enable_ssh_token" = "xyes" -a "x$enable_external_tokens" = "xno"; then + AC_MSG_ERROR([Requested LUKS2 ssh-token build, but external tokens are disabled.]) +fi + +dnl LUKS2 online reencryption +AC_ARG_ENABLE([luks2-reencryption], + AS_HELP_STRING([--disable-luks2-reencryption], [disable LUKS2 online reencryption extension]), + [], [enable_luks2_reencryption=yes]) +if test "x$enable_luks2_reencryption" = "xyes"; then + AC_DEFINE(USE_LUKS2_REENCRYPTION, 1, [Use LUKS2 online reencryption extension]) +fi dnl ========================================================================== AM_GNU_GETTEXT([external],[need-ngettext]) -AM_GNU_GETTEXT_VERSION([0.15]) +AM_GNU_GETTEXT_VERSION([0.18.3]) dnl ========================================================================== 
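Review bot: The `AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], ...)])` fallback next to the header checks turns the flag into a silent no-op. On a platform without it, every descriptor opened with `O_CLOEXEC` stays open across exec in any child process the tools or a token plugin may start. Nothing tells the builder that this happened. I would keep the fallback but make it visible by adding `AC_MSG_WARN([O_CLOEXEC not available; file descriptors will not be closed on exec])` to the not-found action. A `dnl` line above it should say that callers cannot rely on close-on-exec when the macro is 0.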
@@ -66,40 +185,29 @@ LIBS=$saved_LIBS dnl ========================================================================== dnl FIPS extensions -AC_ARG_ENABLE([fips], AS_HELP_STRING([--enable-fips],[enable FIPS mode restrictions]), -[with_fips=$enableval], -[with_fips=no]) - -if test "x$with_fips" = "xyes"; then +AC_ARG_ENABLE([fips], + AS_HELP_STRING([--enable-fips], [enable FIPS mode restrictions])) +if test "x$enable_fips" = "xyes"; then AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions]) - AC_DEFINE_UNQUOTED(LIBCRYPTSETUP_VERSION_FIPS, ["$LIBCRYPTSETUP_VERSION_FIPS"], - [library file name for FIPS selfcheck]) if test "x$enable_static" = "xyes" -o "x$enable_static_cryptsetup" = "xyes" ; then AC_MSG_ERROR([Static build is not compatible with FIPS.]) fi - - saved_LIBS=$LIBS - AC_CHECK_LIB(fipscheck, FIPSCHECK_verify, ,[AC_MSG_ERROR([You need the fipscheck library.])]) - AC_SUBST(FIPSCHECK_LIBS, $LIBS) - LIBS=$saved_LIBS - fi AC_DEFUN([NO_FIPS], [ - if test "x$with_fips" = "xyes"; then + if test "x$enable_fips" = "xyes"; then AC_MSG_ERROR([This option is not compatible with FIPS.]) fi ]) dnl ========================================================================== dnl pwquality library (cryptsetup CLI only) -AC_ARG_ENABLE([pwquality], AS_HELP_STRING([--enable-pwquality],[enable password quality checking]), -[with_pwquality=$enableval], -[with_pwquality=no]) +AC_ARG_ENABLE([pwquality], + AS_HELP_STRING([--enable-pwquality], [enable password quality checking using pwquality library])) -if test "x$with_pwquality" = "xyes"; then - AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking]) +if test "x$enable_pwquality" = "xyes"; then + AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking using pwquality library]) PKG_CHECK_MODULES([PWQUALITY], [pwquality >= 1.0.0],, AC_MSG_ERROR([You need pwquality library.])) 
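Review bot: The FIPS block is under-documented for what it now does. With the fipscheck probe removed, `--enable-fips` only defines `ENABLE_FIPS` and rejects static builds at configure time, yet the help string still reads just `enable FIPS mode restrictions`. A packager cannot tell from this block what the option enforces or where an integrity self-check is expected to come from. I would add a `dnl` comment above `AC_ARG_ENABLE([fips]` listing the remaining configure-time effects: the static-build rejection and the `NO_FIPS` guard called from the backend macros. It should also say that any self-check is presumably left to the crypto backend.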
@@ -108,19 +216,83 @@ if test "x$with_pwquality" = "xyes"; then fi dnl ========================================================================== +dnl fuzzers, it requires own static library compilation later +AC_ARG_ENABLE([fuzz-targets], + AS_HELP_STRING([--enable-fuzz-targets], [enable building fuzz targets])) +AM_CONDITIONAL(ENABLE_FUZZ_TARGETS, test "x$enable_fuzz_targets" = "xyes") + +if test "x$enable_fuzz_targets" = "xyes"; then + AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link],, + AC_MSG_ERROR([Required compiler options not supported; use clang.]), [-Werror]) +fi + +dnl ========================================================================== +dnl passwdqc library (cryptsetup CLI only) +AC_ARG_ENABLE([passwdqc], + AS_HELP_STRING([--enable-passwdqc@<:@=CONFIG_PATH@:>@], + [enable password quality checking using passwdqc library (optionally with CONFIG_PATH)])) + +case "$enable_passwdqc" in + ""|yes|no) use_passwdqc_config="" ;; + /*) use_passwdqc_config="$enable_passwdqc"; enable_passwdqc=yes ;; + *) AC_MSG_ERROR([Unrecognized --enable-passwdqc parameter.]) ;; +esac +AC_DEFINE_UNQUOTED([PASSWDQC_CONFIG_FILE], ["$use_passwdqc_config"], [passwdqc library config file]) + +if test "x$enable_passwdqc" = "xyes"; then + AC_DEFINE(ENABLE_PASSWDQC, 1, [Enable password quality checking using passwdqc library]) + + saved_LIBS="$LIBS" + AC_SEARCH_LIBS([passwdqc_check], [passwdqc]) + case "$ac_cv_search_passwdqc_check" in + no) AC_MSG_ERROR([failed to find passwdqc_check]) ;; + -l*) PASSWDQC_LIBS="$ac_cv_search_passwdqc_check" ;; + *) PASSWDQC_LIBS= ;; + esac + AC_CHECK_FUNCS([passwdqc_params_free]) + LIBS="$saved_LIBS" +fi + +if test "x$enable_pwquality$enable_passwdqc" = "xyesyes"; then + AC_MSG_ERROR([--enable-pwquality and --enable-passwdqc are mutually incompatible.]) +fi + +dnl ========================================================================== dnl Crypto backend functions AC_DEFUN([CONFIGURE_GCRYPT], [ - if test "x$with_fips" = "xyes"; then + if test 
"x$enable_fips" = "xyes"; then GCRYPT_REQ_VERSION=1.4.5 else GCRYPT_REQ_VERSION=1.1.42 fi - dnl Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password) - AM_PATH_LIBGCRYPT([1.6.0], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1]) - AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])]) - if test x$enable_static_cryptsetup = xyes; then + dnl libgcrypt rejects to use pkgconfig, use AM_PATH_LIBGCRYPT from gcrypt-devel here. + dnl Do not require gcrypt-devel if other crypto backend is used. + m4_ifdef([AM_PATH_LIBGCRYPT],[ + AC_ARG_ENABLE([gcrypt-pbkdf2], + dnl Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password) + AS_HELP_STRING([--enable-gcrypt-pbkdf2], [force enable internal gcrypt PBKDF2]), + if test "x$enableval" = "xyes"; then + [use_internal_pbkdf2=0] + else + [use_internal_pbkdf2=1] + fi, + [AM_PATH_LIBGCRYPT([1.6.1], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1])]) + AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])], + AC_MSG_ERROR([Missing support for gcrypt: install gcrypt and regenerate configure.])) + + AC_MSG_CHECKING([if internal cryptsetup PBKDF2 is compiled-in]) + if test $use_internal_pbkdf2 = 0; then + AC_MSG_RESULT([no]) + else + AC_MSG_RESULT([yes]) + NO_FIPS([]) + fi + + AC_CHECK_DECLS([GCRY_CIPHER_MODE_XTS], [], [], [#include ]) + + if test "x$enable_static_cryptsetup" = "xyes"; then saved_LIBS=$LIBS LIBS="$saved_LIBS $LIBGCRYPT_LIBS -static" AC_CHECK_LIB(gcrypt, gcry_check_version,, 
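Review bot: The help text `force enable internal gcrypt PBKDF2` in `CONFIGURE_GCRYPT` is ambiguous, because in `use_internal_pbkdf2` the word "internal" means cryptsetup's bundled code, while `--enable-gcrypt-pbkdf2` sets `use_internal_pbkdf2=0` and so selects libgcrypt's PBKDF2. Forcing it also skips the `AM_PATH_LIBGCRYPT([1.6.1], ...)` probe, so such a build is only held to `GCRYPT_REQ_VERSION`. The comment about empty-password support suggests older libgcrypt may not behave correctly there. I would reword the help to something like `[use libgcrypt PBKDF2 without probing for version 1.6.1 (default: autodetect)]`. The `dnl Check if we can use gcrypt PBKDF2` comment should move above `AC_ARG_ENABLE`, since it currently sits inside the macro's argument list. The body of `CONFIGURE_GCRYPT` continues past the end of this hunk.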
@@ -138,24 +310,23 @@ AC_DEFUN([CONFIGURE_GCRYPT], [ ]) AC_DEFUN([CONFIGURE_OPENSSL], [ - PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.8],, + PKG_CHECK_MODULES([OPENSSL], [openssl1.1 >= 0.9.8],, AC_MSG_ERROR([You need openssl library.])) CRYPTO_CFLAGS=$OPENSSL_CFLAGS CRYPTO_LIBS=$OPENSSL_LIBS use_internal_pbkdf2=0 - if test x$enable_static_cryptsetup = xyes; then + if test "x$enable_static_cryptsetup" = "xyes"; then saved_PKG_CONFIG=$PKG_CONFIG PKG_CONFIG="$PKG_CONFIG --static" - PKG_CHECK_MODULES([OPENSSL], [openssl]) - CRYPTO_STATIC_LIBS=$OPENSSL_LIBS + PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl]) + CRYPTO_STATIC_LIBS=$OPENSSL_STATIC_LIBS PKG_CONFIG=$saved_PKG_CONFIG fi - NO_FIPS([]) ]) AC_DEFUN([CONFIGURE_NSS], [ - if test x$enable_static_cryptsetup = xyes; then + if test "x$enable_static_cryptsetup" = "xyes"; then AC_MSG_ERROR([Static build of cryptsetup is not supported with NSS.]) fi @@ -188,15 +359,16 @@ AC_DEFUN([CONFIGURE_KERNEL], [ AC_DEFUN([CONFIGURE_NETTLE], [ AC_CHECK_HEADERS(nettle/sha.h,, [AC_MSG_ERROR([You need Nettle cryptographic library.])]) + AC_CHECK_HEADERS(nettle/version.h) saved_LIBS=$LIBS - AC_CHECK_LIB(nettle, nettle_ripemd160_init,, - [AC_MSG_ERROR([You need Nettle library version 2.4 or more recent.])]) + AC_CHECK_LIB(nettle, nettle_pbkdf2_hmac_sha256,, + [AC_MSG_ERROR([You need Nettle library version 2.6 or more recent.])]) CRYPTO_LIBS=$LIBS LIBS=$saved_LIBS CRYPTO_STATIC_LIBS=$CRYPTO_LIBS - use_internal_pbkdf2=1 + use_internal_pbkdf2=0 NO_FIPS([]) ]) 
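Review bot: `CONFIGURE_OPENSSL` now refers to OpenSSL under two different pkg-config names. The shared build asks for `openssl1.1 >= 0.9.8`, the static branch asks for plain `openssl`, and the `PKGMODULES` case later in the file also writes `openssl` into Requires.private. On a system that ships both .pc files, the static tools and consumers of libcryptsetup.pc can resolve a different OpenSSL than the one the library was built against. The `>= 0.9.8` floor can also never reject anything for a module named openssl1.1. I would use one module name throughout, e.g. `PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl1.1])` in the static branch and the same name in the `PKGMODULES` case, and raise the floor to the version the backend code actually needs.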
@@ -204,33 +376,37 @@ dnl ========================================================================== saved_LIBS=$LIBS AC_ARG_ENABLE([static-cryptsetup], - AS_HELP_STRING([--enable-static-cryptsetup], - [enable build of static cryptsetup binary])) -if test x$enable_static_cryptsetup = xyes; then - if test x$enable_static = xno; then + AS_HELP_STRING([--enable-static-cryptsetup], [enable build of static version of tools])) +if test "x$enable_static_cryptsetup" = "xyes"; then + if test "x$enable_static" = "xno"; then AC_MSG_WARN([Requested static cryptsetup build, enabling static library.]) enable_static=yes fi fi -AM_CONDITIONAL(STATIC_TOOLS, test x$enable_static_cryptsetup = xyes) +AM_CONDITIONAL(STATIC_TOOLS, test "x$enable_static_cryptsetup" = "xyes") -AC_ARG_ENABLE(veritysetup, - AS_HELP_STRING([--disable-veritysetup], - [disable veritysetup support]),[], [enable_veritysetup=yes]) -AM_CONDITIONAL(VERITYSETUP, test x$enable_veritysetup = xyes) +AC_ARG_ENABLE([cryptsetup], + AS_HELP_STRING([--disable-cryptsetup], [disable cryptsetup support]), + [], [enable_cryptsetup=yes]) +AM_CONDITIONAL(CRYPTSETUP, test "x$enable_cryptsetup" = "xyes") -AC_ARG_ENABLE([cryptsetup-reencrypt], - AS_HELP_STRING([--enable-cryptsetup-reencrypt], - [enable cryptsetup-reencrypt tool])) -AM_CONDITIONAL(REENCRYPT, test x$enable_cryptsetup_reencrypt = xyes) +AC_ARG_ENABLE([veritysetup], + AS_HELP_STRING([--disable-veritysetup], [disable veritysetup support]), + [], [enable_veritysetup=yes]) +AM_CONDITIONAL(VERITYSETUP, test "x$enable_veritysetup" = "xyes") -AC_ARG_ENABLE(selinux, - AS_HELP_STRING([--disable-selinux], - [disable selinux support [default=auto]]),[], []) +AC_ARG_ENABLE([integritysetup], + AS_HELP_STRING([--disable-integritysetup], [disable integritysetup support]), + [], [enable_integritysetup=yes]) +AM_CONDITIONAL(INTEGRITYSETUP, test "x$enable_integritysetup" = "xyes") + +AC_ARG_ENABLE([selinux], + AS_HELP_STRING([--disable-selinux], [disable selinux support 
[default=auto]]), + [], [enable_selinux=yes]) AC_ARG_ENABLE([udev], - AS_HELP_STRING([--disable-udev], - [disable udev support]),[], enable_udev=yes) + AS_HELP_STRING([--disable-udev], [disable udev support]), + [], [enable_udev=yes]) dnl Try to use pkg-config for devmapper, but fallback to old detection PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.03],, [ @@ -245,6 +421,11 @@ LIBS=$saved_LIBS LIBS="$LIBS $DEVMAPPER_LIBS" AC_CHECK_DECLS([dm_task_secure_data], [], [], [#include ]) AC_CHECK_DECLS([dm_task_retry_remove], [], [], [#include ]) +AC_CHECK_DECLS([dm_task_deferred_remove], [], [], [#include ]) +AC_CHECK_DECLS([dm_device_has_mounted_fs], [], [], [#include ]) +AC_CHECK_DECLS([dm_device_has_holders], [], [], [#include ]) +AC_CHECK_DECLS([dm_device_get_name], [], [], [#include ]) +AC_CHECK_DECLS([DM_DEVICE_GET_TARGET_VERSION], [], [], [#include ]) AC_CHECK_DECLS([DM_UDEV_DISABLE_DISK_RULES_FLAG], [have_cookie=yes], [have_cookie=no], [#include ]) if test "x$enable_udev" = xyes; then if test "x$have_cookie" = xno; then 
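Review bot: The `--disable-selinux` help string still advertises `[default=auto]`, but the new default action sets `enable_selinux=yes`. The static-build block later in the file also now tests `= "xyes"` rather than `!= xno`, so nothing is auto-detected any more. `./configure --help` therefore misdescribes when sepol and selinux are pulled into the static devmapper link. I would change the text to `[disable selinux support (default: enabled)]`.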
@@ -255,19 +436,33 @@ if test "x$enable_udev" = xyes; then fi LIBS=$saved_LIBS +dnl Check for JSON-C used in LUKS2 +PKG_CHECK_MODULES([JSON_C], [json-c]) +AC_CHECK_DECLS([json_object_object_add_ex], [], [], [#include ]) +AC_CHECK_DECLS([json_object_deep_copy], [], [], [#include ]) + +dnl Check for libssh and argp for SSH plugin +if test "x$enable_ssh_token" = "xyes"; then + PKG_CHECK_MODULES([LIBSSH], [libssh]) + AC_CHECK_DECLS([ssh_session_is_known_server], [], [], [#include ]) + AC_CHECK_HEADER([argp.h], [], AC_MSG_ERROR([You need argp library.])) + saved_LIBS=$LIBS + AC_SEARCH_LIBS([argp_parse],[argp]) + AC_SUBST(ARGP_LIBS, $LIBS) + LIBS=$saved_LIBS +fi + dnl Crypto backend configuration. AC_ARG_WITH([crypto_backend], - AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle) [gcrypt]]), - [], with_crypto_backend=gcrypt -) + AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle) [openssl]]), + [], [with_crypto_backend=openssl]) dnl Kernel crypto API backend needed for benchmark and tcrypt -AC_ARG_ENABLE([kernel_crypto], AS_HELP_STRING([--disable-kernel_crypto], - [disable kernel userspace crypto (no benchmark and tcrypt)]), - [with_kernel_crypto=$enableval], - [with_kernel_crypto=yes]) +AC_ARG_ENABLE([kernel_crypto], + AS_HELP_STRING([--disable-kernel_crypto], [disable kernel userspace crypto (no benchmark and tcrypt)]), + [], [enable_kernel_crypto=yes]) -if test "x$with_kernel_crypto" = "xyes"; then +if test "x$enable_kernel_crypto" = "xyes"; then AC_CHECK_HEADERS(linux/if_alg.h,, [AC_MSG_ERROR([You need Linux kernel headers with userspace crypto interface. (Or use --disable-kernel_crypto.)])]) AC_DEFINE(ENABLE_AF_ALG, 1, [Enable using of kernel userspace crypto]) 
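Review bot: The `AC_CHECK_DECLS([ssh_session_is_known_server], ...)` probe in the ssh-token block is optional, and nothing here says what the plugin does when the declaration is missing. That function is libssh's known-hosts check, so a packager needs to know whether the token still verifies the server's host key when built against an older libssh. I would either make it a hard requirement with `AC_CHECK_DECL([ssh_session_is_known_server],,[AC_MSG_ERROR([libssh with ssh_session_is_known_server is required.])], [#include <libssh/libssh.h>])` or add a `dnl` comment naming the fallback the plugin uses. The neighbouring `AC_SEARCH_LIBS([argp_parse],[argp])` also has no failure action, so a missing argp is only discovered at link time.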
@@ -281,17 +476,88 @@ case $with_crypto_backend in nettle) CONFIGURE_NETTLE([]) ;; *) AC_MSG_ERROR([Unknown crypto backend.]) ;; esac -AM_CONDITIONAL(CRYPTO_BACKEND_GCRYPT, test $with_crypto_backend = gcrypt) -AM_CONDITIONAL(CRYPTO_BACKEND_OPENSSL, test $with_crypto_backend = openssl) -AM_CONDITIONAL(CRYPTO_BACKEND_NSS, test $with_crypto_backend = nss) -AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL, test $with_crypto_backend = kernel) -AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE, test $with_crypto_backend = nettle) +AM_CONDITIONAL(CRYPTO_BACKEND_GCRYPT, test "$with_crypto_backend" = "gcrypt") +AM_CONDITIONAL(CRYPTO_BACKEND_OPENSSL, test "$with_crypto_backend" = "openssl") +AM_CONDITIONAL(CRYPTO_BACKEND_NSS, test "$with_crypto_backend" = "nss") +AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL, test "$with_crypto_backend" = "kernel") +AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE, test "$with_crypto_backend" = "nettle") AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1) AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2]) +dnl Argon2 implementation +AC_ARG_ENABLE([internal-argon2], + AS_HELP_STRING([--disable-internal-argon2], [disable internal implementation of Argon2 PBKDF]), + [], [enable_internal_argon2=yes]) + +AC_ARG_ENABLE([libargon2], + AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)])) + +if test "x$enable_libargon2" = "xyes" ; then + AC_CHECK_HEADERS(argon2.h,, + [AC_MSG_ERROR([You need libargon2 development library installed.])]) + AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include ]) + PKG_CHECK_MODULES([LIBARGON2], [libargon2],,[LIBARGON2_LIBS="-largon2"]) + enable_internal_argon2=no +else + AC_MSG_WARN([Argon2 bundled (slow) reference implementation will be used, please consider to use system library with --enable-libargon2.]) + + AC_ARG_ENABLE([internal-sse-argon2], + 
AS_HELP_STRING([--enable-internal-sse-argon2], [enable internal SSE implementation of Argon2 PBKDF])) + + if test "x$enable_internal_sse_argon2" = "xyes"; then + AC_MSG_CHECKING(if Argon2 SSE optimization can be used) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ + #include + __m128i testfunc(__m128i *a, __m128i *b) { + return _mm_xor_si128(_mm_loadu_si128(a), _mm_loadu_si128(b)); + } + ]])],,[enable_internal_sse_argon2=no]) + AC_MSG_RESULT($enable_internal_sse_argon2) + fi +fi + +if test "x$enable_internal_argon2" = "xyes"; then + AC_DEFINE(USE_INTERNAL_ARGON2, 1, [Use internal Argon2]) +fi +AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test "x$enable_internal_argon2" = "xyes") +AM_CONDITIONAL(CRYPTO_INTERNAL_SSE_ARGON2, test "x$enable_internal_sse_argon2" = "xyes") + +dnl Link with blkid to check for other device types +AC_ARG_ENABLE([blkid], + AS_HELP_STRING([--disable-blkid], [disable use of blkid for device signature detection and wiping]), + [], [enable_blkid=yes]) + +if test "x$enable_blkid" = "xyes"; then + PKG_CHECK_MODULES([BLKID], [blkid],[AC_DEFINE([HAVE_BLKID], 1, [Define to 1 to use blkid for detection of disk signatures.])],[LIBBLKID_LIBS="-lblkid"]) + + AC_CHECK_HEADERS(blkid/blkid.h,,[AC_MSG_ERROR([You need blkid development library installed.])]) + AC_CHECK_DECL([blkid_do_wipe], + [ AC_DEFINE([HAVE_BLKID_WIPE], 1, [Define to 1 to use blkid_do_wipe.]) + enable_blkid_wipe=yes + ],, + [#include ]) + AC_CHECK_DECL([blkid_probe_step_back], + [ AC_DEFINE([HAVE_BLKID_STEP_BACK], 1, [Define to 1 to use blkid_probe_step_back.]) + enable_blkid_step_back=yes + ],, + [#include ]) + AC_CHECK_DECLS([ blkid_reset_probe, + blkid_probe_set_device, + blkid_probe_filter_superblocks_type, + blkid_do_safeprobe, + blkid_do_probe, + blkid_probe_lookup_value + ],, + [AC_MSG_ERROR([Can not compile with blkid support, disable it by --disable-blkid.])], + [#include ]) +fi +AM_CONDITIONAL(HAVE_BLKID, test "x$enable_blkid" = "xyes") +AM_CONDITIONAL(HAVE_BLKID_WIPE, test "x$enable_blkid_wipe" 
= "xyes") +AM_CONDITIONAL(HAVE_BLKID_STEP_BACK, test "x$enable_blkid_step_back" = "xyes") + dnl Magic for cryptsetup.static build. -if test x$enable_static_cryptsetup = xyes; then +if test "x$enable_static_cryptsetup" = "xyes"; then saved_PKG_CONFIG=$PKG_CONFIG PKG_CONFIG="$PKG_CONFIG --static" @@ -303,7 +569,7 @@ if test x$enable_static_cryptsetup = xyes; then LIBS="$saved_LIBS -static" PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper >= 1.02.27],,[ DEVMAPPER_STATIC_LIBS=$DEVMAPPER_LIBS - if test "x$enable_selinux" != xno; then + if test "x$enable_selinux" = "xyes"; then AC_CHECK_LIB(sepol, sepol_bool_set) AC_CHECK_LIB(selinux, is_selinux_enabled) DEVMAPPER_STATIC_LIBS="$DEVMAPPER_STATIC_LIBS $LIBS" 
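Review bot: In the blkid block the pkg-config fallback assigns `LIBBLKID_LIBS="-lblkid"`, but the variable substituted later in the file is `BLKID_LIBS`. The fallback also never defines `HAVE_BLKID`, even though `AM_CONDITIONAL(HAVE_BLKID, ...)` still becomes true. If blkid.pc is missing, the build either fails to link or, if the sources guard on the macro, silently drops signature detection and wiping. I would make the fallback `[BLKID_LIBS="-lblkid"; AC_DEFINE([HAVE_BLKID], 1, [Define to 1 to use blkid for detection of disk signatures.])]`. Separately, the `AC_MSG_WARN` about the bundled Argon2 implementation is printed even when `--disable-internal-argon2` was given, in which case `USE_INTERNAL_ARGON2` is not defined.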
@@ -322,24 +588,72 @@ if test x$enable_static_cryptsetup = xyes; then PKG_CONFIG=$saved_PKG_CONFIG fi +dnl Check compiler support for symver function attribute +AC_MSG_CHECKING([for symver attribute support]) +saved_CFLAGS=$CFLAGS +CFLAGS="-O0 -Werror" +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + void _test_sym(void); + __attribute__((__symver__("sym@VERSION_4.2"))) void _test_sym(void) {} +]], +[[ _test_sym() ]] +)],[ + AC_DEFINE([HAVE_ATTRIBUTE_SYMVER], 1, [Define to 1 to use __attribute__((symver))]) + AC_MSG_RESULT([yes]) +], [ + AC_MSG_RESULT([no]) +]) +CFLAGS=$saved_CFLAGS + +AC_MSG_CHECKING([for systemd tmpfiles config directory]) +PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no]) +AC_MSG_RESULT([$systemd_tmpfilesdir]) + AC_SUBST([DEVMAPPER_LIBS]) AC_SUBST([DEVMAPPER_STATIC_LIBS]) AC_SUBST([PWQUALITY_LIBS]) AC_SUBST([PWQUALITY_STATIC_LIBS]) +AC_SUBST([PASSWDQC_LIBS]) + AC_SUBST([CRYPTO_CFLAGS]) AC_SUBST([CRYPTO_LIBS]) AC_SUBST([CRYPTO_STATIC_LIBS]) +AC_SUBST([JSON_C_LIBS]) +AC_SUBST([LIBARGON2_LIBS]) +AC_SUBST([BLKID_LIBS]) + +AC_SUBST([LIBSSH_LIBS]) + AC_SUBST([LIBCRYPTSETUP_VERSION]) AC_SUBST([LIBCRYPTSETUP_VERSION_INFO]) -AC_SUBST([LIBCRYPTSETUP_VERSION_FIPS]) +dnl Set Requires.private for libcryptsetup.pc +dnl pwquality is used only by tools +PKGMODULES="uuid devmapper json-c" +case $with_crypto_backend in + gcrypt) PKGMODULES+=" libgcrypt" ;; + openssl) PKGMODULES+=" openssl" ;; + nss) PKGMODULES+=" nss" ;; + nettle) PKGMODULES+=" nettle" ;; +esac +if test "x$enable_libargon2" = "xyes"; then + PKGMODULES+=" libargon2" +fi +if test "x$enable_blkid" = "xyes"; then + PKGMODULES+=" blkid" +fi +AC_SUBST([PKGMODULES]) dnl ========================================================================== -AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random], -[use blocking /dev/random by default for key generator (otherwise use /dev/urandom)]), -[default_rng=/dev/random], [default_rng=/dev/urandom]) 
+AC_ARG_ENABLE([dev-random], + AS_HELP_STRING([--enable-dev-random], [use /dev/random by default for key generation (otherwise use /dev/urandom)])) +if test "x$enable_dev_random" = "xyes"; then + default_rng=/dev/random +else + default_rng=/dev/urandom +fi AC_DEFINE_UNQUOTED(DEFAULT_RNG, ["$default_rng"], [default RNG type for key generator]) dnl ========================================================================== @@ -359,23 +673,12 @@ AC_DEFUN([CS_NUM_WITH], [AC_ARG_WITH([$1], [CS_DEFINE([$1], [$3], [$2])] )]) -dnl ========================================================================== -dnl Python bindings -AC_ARG_ENABLE([python], AS_HELP_STRING([--enable-python],[enable Python bindings]), -[with_python=$enableval], -[with_python=no]) - -if test "x$with_python" = "xyes"; then - AM_PATH_PYTHON([2.4]) - - if ! test -x "$PYTHON-config" ; then - AC_MSG_ERROR([Cannot find python development packages to build bindings]) - fi - - PYTHON_INCLUDES=$($PYTHON-config --includes) - AC_SUBST(PYTHON_INCLUDES) -fi -AM_CONDITIONAL([PYTHON_CRYPTSETUP], [test "x$with_python" = "xyes"]) +AC_DEFUN([CS_ABSPATH], [ + case "$1" in + /*) ;; + *) AC_MSG_ERROR([$2 argument must be an absolute path.]);; + esac +]) dnl ========================================================================== CS_STR_WITH([plain-hash], [password hashing function for plain mode], [ripemd160]) 
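Review bot: The `PKGMODULES+=" libgcrypt"` appends in the Requires.private block use `+=`, which is a bash/ksh extension. configure runs under `/bin/sh`, and a strictly POSIX shell such as dash can treat the line as a command name and fail without stopping the script. The generated libcryptsetup.pc would then silently lack the crypto backend, libargon2 and blkid in Requires.private. I would write `PKGMODULES="$PKGMODULES libgcrypt"` (likewise for the other five appends) or use `AS_VAR_APPEND([PKGMODULES], [" libgcrypt"])`.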
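Review bot: `CS_ABSPATH` has no comment describing its contract, and it only tests for a leading `/`, so a path containing `..` components still passes. Later in the file it is applied to the lock directory and to the external token plugin directory. A `dnl` line above the macro should spell out the contract, for example `dnl CS_ABSPATH(value, option-name): fail unless value starts with '/'; the path is not normalised or otherwise validated`. The macro's callers are outside this hunk.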
@@ -383,37 +686,88 @@ CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes]) CS_STR_WITH([plain-mode], [cipher mode for plain mode], [cbc-essiv:sha256]) CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256]) -CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha1]) +CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha256]) CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes]) CS_STR_WITH([luks1-mode], [cipher mode for LUKS1], [xts-plain64]) CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256]) -CS_NUM_WITH([luks1-iter-time],[PBKDF2 iteration time for LUKS1 (in ms)], [1000]) + +AC_ARG_ENABLE([luks_adjust_xts_keysize], AS_HELP_STRING([--disable-luks-adjust-xts-keysize], + [XTS mode requires two keys, double default LUKS keysize if needed]), + [], [enable_luks_adjust_xts_keysize=yes]) +if test "x$enable_luks_adjust_xts_keysize" = "xyes"; then + AC_DEFINE(ENABLE_LUKS_ADJUST_XTS_KEYSIZE, 1, [XTS mode - double default LUKS keysize if needed]) +fi + +CS_STR_WITH([luks2-pbkdf], [Default PBKDF algorithm (pbkdf2 or argon2i/argon2id) for LUKS2], [argon2id]) +CS_NUM_WITH([luks1-iter-time], [PBKDF2 iteration time for LUKS1 (in ms)], [2000]) +CS_NUM_WITH([luks2-iter-time], [Argon2 PBKDF iteration time for LUKS2 (in ms)], [2000]) +CS_NUM_WITH([luks2-memory-kb], [Argon2 PBKDF memory cost for LUKS2 (in kB)], [1048576]) +CS_NUM_WITH([luks2-parallel-threads],[Argon2 PBKDF max parallel cost for LUKS2 (if CPUs available)], [4]) + +CS_STR_WITH([luks2-keyslot-cipher], [fallback cipher for LUKS2 keyslot (if data encryption is incompatible)], [aes-xts-plain64]) +CS_NUM_WITH([luks2-keyslot-keybits],[fallback key size for LUKS2 keyslot (if data encryption is incompatible)], [512]) CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes]) CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256]) CS_NUM_WITH([keyfile-size-maxkb],[maximum keyfile size (in KiB)], [8192]) 
-CS_NUM_WITH([passphrase-size-max],[maximum keyfile size (in characters)], [512]) +CS_NUM_WITH([integrity-keyfile-size-maxkb],[maximum integritysetup keyfile size (in KiB)], [4]) +CS_NUM_WITH([passphrase-size-max],[maximum passphrase size (in characters)], [512]) CS_STR_WITH([verity-hash], [hash function for verity mode], [sha256]) CS_NUM_WITH([verity-data-block], [data block size for verity mode], [4096]) CS_NUM_WITH([verity-hash-block], [hash block size for verity mode], [4096]) CS_NUM_WITH([verity-salt-size], [salt size for verity mode], [32]) +CS_NUM_WITH([verity-fec-roots], [parity bytes for verity FEC], [2]) + +CS_STR_WITH([tmpfilesdir], [override default path to directory with systemd temporary files], []) +test -z "$with_tmpfilesdir" && with_tmpfilesdir=$systemd_tmpfilesdir +test "x$with_tmpfilesdir" = "xno" || { + CS_ABSPATH([${with_tmpfilesdir}],[with-tmpfilesdir]) + DEFAULT_TMPFILESDIR=$with_tmpfilesdir + AC_SUBST(DEFAULT_TMPFILESDIR) +} +AM_CONDITIONAL(CRYPTSETUP_TMPFILE, test -n "$DEFAULT_TMPFILESDIR") + +CS_STR_WITH([luks2-lock-path], [path to directory for LUKSv2 locks], [/run/cryptsetup]) +test -z "$with_luks2_lock_path" && with_luks2_lock_path=/run/cryptsetup +CS_ABSPATH([${with_luks2_lock_path}],[with-luks2-lock-path]) +DEFAULT_LUKS2_LOCK_PATH=$with_luks2_lock_path +AC_SUBST(DEFAULT_LUKS2_LOCK_PATH) + +CS_NUM_WITH([luks2-lock-dir-perms], [default luks2 locking directory permissions], [0700]) +test -z "$with_luks2_lock_dir_perms" && with_luks2_lock_dir_perms=0700 +DEFAULT_LUKS2_LOCK_DIR_PERMS=$with_luks2_lock_dir_perms +AC_SUBST(DEFAULT_LUKS2_LOCK_DIR_PERMS) + +CS_STR_WITH([luks2-external-tokens-path], [path to directory with LUKSv2 external token handlers (plugins)], [LIBDIR/cryptsetup]) +if test -n "$with_luks2_external_tokens_path"; then + CS_ABSPATH([${with_luks2_external_tokens_path}],[with-luks2-external-tokens-path]) + EXTERNAL_LUKS2_TOKENS_PATH=$with_luks2_external_tokens_path +else + EXTERNAL_LUKS2_TOKENS_PATH="\${libdir}/cryptsetup" +fi 
+AC_SUBST(EXTERNAL_LUKS2_TOKENS_PATH) + +dnl Override default LUKS format version (for cryptsetup or cryptsetup-reencrypt format actions only). +AC_ARG_WITH([default_luks_format], + AS_HELP_STRING([--with-default-luks-format=FORMAT], [default LUKS format version (LUKS1/LUKS2) [LUKS2]]), + [], [with_default_luks_format=LUKS2]) + +case $with_default_luks_format in + LUKS1) default_luks=CRYPT_LUKS1 ;; + LUKS2) default_luks=CRYPT_LUKS2 ;; + *) AC_MSG_ERROR([Unknown default LUKS format. Use LUKS1 or LUKS2 only.]) ;; +esac +AC_DEFINE_UNQUOTED([DEFAULT_LUKS_FORMAT], [$default_luks], [default LUKS format version]) dnl ========================================================================== AC_CONFIG_FILES([ Makefile -lib/Makefile lib/libcryptsetup.pc -lib/crypto_backend/Makefile -lib/luks1/Makefile -lib/loopaes/Makefile -lib/verity/Makefile -lib/tcrypt/Makefile -src/Makefile po/Makefile.in -man/Makefile +scripts/cryptsetup.conf tests/Makefile -python/Makefile +tests/fuzz/Makefile ]) AC_OUTPUT
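Review bot: `--with-luks2-lock-dir-perms` is copied into `DEFAULT_LUKS2_LOCK_DIR_PERMS` with no validation. The value presumably ends up as a C integer literal, so `700` without the leading zero would be read as decimal and yield an unintended mode. Nothing stops a world-writable value for the lock directory under `/run/cryptsetup` either. I would reject anything that is not a four-digit octal mode before the `AC_SUBST`, e.g. `case "$with_luks2_lock_dir_perms" in 0[[0-7]][[0-7]][[0-7]]) ;; *) AC_MSG_ERROR([--with-luks2-lock-dir-perms must be a four-digit octal mode.]) ;; esac`. The help text should also say that the directory should not be writable by group or others.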