Merge branch '244-enforce-crypto-library' into 'master'

Disable builds without cryptographic provider (OpenSSL or PKCS#11)

Closes #244

See merge request isc-projects/bind9!266

CHANGES

@@ -1,3 +1,8 @@
+4945.	[func]		BIND can no longer be built without DNSSEC support.
+			A cryptography provder (i.e., OpenSSL or a hardware
+			service module with PKCS#11 support) must be
+			available. [GL #244]
+
 4944.	[cleanup]	Silence cppcheck portability warnings in
 			lib/isc/tests/buffer_test.c. [GL #239]
 

bin/confgen/Makefile.in

@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@

bin/confgen/unix/Makefile.in

@@ -16,7 +16,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
 		${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 OBJS =		os.@O@

bin/pkcs11/Makefile.in

@@ -15,7 +15,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 
 ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
 

bin/rndc/Makefile.in

@@ -18,7 +18,7 @@ VERSION=@BIND9_VERSION@
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@

bin/tests/pkcs11/Makefile.in

@@ -17,7 +17,7 @@ PROVIDER =	@PKCS11_PROVIDER@
 
 CINCLUDES =	${ISC_INCLUDES}
 
-CDEFINES =	-DPK11_LIB_LOCATION=\"${PROVIDER}\"
+CDEFINES =	-DPK11_LIB_LOCATION=\"${PROVIDER}\" @CRYPTO@
 
 ISCLIBS =	../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
 

bin/tests/pkcs11/benchmarks/Makefile.in

@@ -17,7 +17,7 @@ PROVIDER =	@PKCS11_PROVIDER@
 
 CINCLUDES =	${ISC_INCLUDES}
 
-CDEFINES =	-DPK11_LIB_LOCATION=\"${PROVIDER}\"
+CDEFINES =	-DPK11_LIB_LOCATION=\"${PROVIDER}\" @CRYPTO@
 
 ISCLIBS =	../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
 

bin/tests/system/Makefile.in

@@ -19,7 +19,7 @@ SUBDIRS =	dlzexternal dyndb pipelined rndc rpz rsabigexponent tkey
 
 CINCLUDES =	${ISC_INCLUDES} ${DNS_INCLUDES}
 
-CDEFINES =	@USE_GSSAPI@
+CDEFINES =	@USE_GSSAPI@ @CRYPTO@
 CWARNINGS =
 
 DNSLIBS =

bin/tests/system/rndc/Makefile.in

@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
 
 CINCLUDES =	${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 ISCLIBS =	../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@

bin/tests/system/rpz/Makefile.in

@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
 
 CINCLUDES =     ${ISC_INCLUDES} ${DNS_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 DNSLIBS =

configure

@@ -941,6 +941,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1100,6 +1101,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1352,6 +1354,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1489,7 +1500,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1642,6 +1653,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -16226,7 +16238,6 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
 $as_echo_n "checking for OpenSSL library... " >&6; }
-OPENSSL_WARNING=
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
 if test "yes" = "$want_native_pkcs11"
 then
@@ -17345,6 +17356,15 @@ esac
 
 
 
+if test "X$CRYPTO" = "X"; then
+#        cat << \EOF
+as_fn_error $? "No cryptography library has been found or provided.
+You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11,
+to enable cryptography." "$LINENO" 5
+#EOF
+        exit 1
+fi
+
 # for PKCS11 benchmarks
 
 have_clock_gt=no
@@ -26532,14 +26552,6 @@ if test "yes" != "$silent"; then
 	report
 fi
 
-if test "X$CRYPTO" = "X"; then
-cat << \EOF
-BIND 9 is being built without cryptography support. This means it will
-not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
---enable-native-pkcs11 to enable cryptography.
-EOF
-fi
-
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh

configure.in

@@ -1472,7 +1472,6 @@ then
 fi
 
 AC_MSG_CHECKING(for OpenSSL library)
-OPENSSL_WARNING=
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
 if test "yes" = "$want_native_pkcs11"
 then
@@ -2320,6 +2319,15 @@ AC_SUBST(PKCS11_GOST)
 AC_SUBST(PKCS11_ED25519)
 AC_SUBST(PKCS11_TEST)
 
+if test "X$CRYPTO" = "X"; then
+#        cat << \EOF
+AC_MSG_ERROR([No cryptography library has been found or provided.
+You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11,
+to enable cryptography.])
+#EOF
+        exit 1
+fi
+
 # for PKCS11 benchmarks
 
 have_clock_gt=no
@@ -5454,14 +5462,6 @@ if test "yes" != "$silent"; then
 	report
 fi
 
-if test "X$CRYPTO" = "X"; then
-cat << \EOF                                                             
-BIND 9 is being built without cryptography support. This means it will
-not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
---enable-native-pkcs11 to enable cryptography.
-EOF
-fi
-
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh

contrib/dlz/bin/dlzbdb/Makefile.in

@@ -17,7 +17,7 @@ DLZINCLUDES =	@DLZ_DRIVER_INCLUDES@
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
                 ${ISC_INCLUDES} ${DLZINCLUDES}
 
-CDEFINES =      @CONTRIB_DLZ@
+CDEFINES =      @CONTRIB_DLZ@ @CRYPTO@
 CWARNINGS =
 
 DLZLIBS = 	@DLZ_DRIVER_LIBS@

doc/arm/notes.xml

@@ -132,6 +132,13 @@
 
   <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  BIND can no longer be built without DNSSEC support. A cryptography
+	  provder (i.e., OpenSSL or a hardware service module with
+	  PKCS#11 support) must be available. [GL #244]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  Zone types <command>primary</command> and

lib/irs/tests/Makefile.in

@@ -20,7 +20,7 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I. -Iinclude -I../include ${ISC_INCLUDES} ${IRS_INCLUDES}
-CDEFINES =	-DTESTS="\"${top_builddir}/lib/irs/tests/\""
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/irs/tests/\"" @CRYPTO@
 
 CFGLIBS =	../../isccfg/libisccfg.@A@
 CFGDEPLIBS =	../../isccfg/libisccfg.@A@

lib/isc/include/isc/platform.h.in

@@ -18,6 +18,14 @@
  ***** Platform-dependent defines.
  *****/
 
+/***
+ *** Enforce OpenSSL or PKCS#11 cryptography
+ ***/
+
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
+#error No cryptography library has been found or provided.
+#endif
+
 /***
  *** Network.
  ***/

lib/isc/nls/Makefile.in

@@ -16,7 +16,7 @@ CINCLUDES =	-I../unix/include \
 		-I../include \
 		-I${srcdir}/../include
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 OBJS =		msgcat.@O@

lib/isc/nothreads/Makefile.in

@@ -17,7 +17,7 @@ CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../include \
 		-I${srcdir}/..
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 THREADOPTOBJS = condition.@O@ mutex.@O@

lib/isc/pthreads/Makefile.in

@@ -17,7 +17,7 @@ CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../include \
 		-I${srcdir}/..
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 OBJS =		condition.@O@ mutex.@O@ thread.@O@

lib/isc/win32/Makefile.in

@@ -15,7 +15,7 @@ CINCLUDES =	-I${srcdir}/.. \
 		-I./include \
 		-I${srcdir}/include \
 		-I${srcdir}/../include
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 # Alphabetically

lib/isc/win32/include/isc/platform.h.in

@@ -31,6 +31,14 @@
 #endif
 #endif
 
+/***
+ *** Enforce OpenSSL or PKCS#11 cryptography
+ ***/
+
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
+#error No cryptography library has been found or provided.
+#endif
+
 /***
  *** Network.
  ***/

lib/isccfg/Makefile.in

@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
 
 CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@

lib/ns/Makefile.in

@@ -28,7 +28,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
 		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
 		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 
 CWARNINGS =
 

lib/samples/Makefile-postinstall.in

@@ -11,7 +11,7 @@ srcdir =	@srcdir@
 #prefix =	@prefix@
 #exec_prefix =	@exec_prefix@
 
-CDEFINES =
+CDEFINES =	@CRYPTO@
 CWARNINGS =
 
 DNSLIBS =	-ldns @DNS_CRYPTO_LIBS@