OpenSSH: remove ability to enable DSA support (in configure)

DSA is deprecated and upstream OpenSSH is in the process of removing it. From OpenSSH-portable 10.0, cherry-pick the configure change so that we can independently decide what to merge to stable branches. This change has no direct user-facing impact, as the upstream configure script is not used in the FreeBSD build process. It is worth noting as part of OpenSSH's full removal of DSA support. Reviewed by: jlduran, philip Relnotes: Yes Obtained from: OpenSSH-portable 6c9872faa1c2 Sponsored by: The FreeBSD Foundation
2026-06-04 22:32:43 -04:00 · 2025-04-09 11:17:10 -04:00 · 2025-04-09 11:17:10 -04:00 · 3dcf2c2caf
commit 3dcf2c2caf
parent 8ce85300c7
1 changed files with 0 additions and 30 deletions
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@ -2140,16 +2140,6 @@ AC_ARG_WITH([security-key-builtin],
 	[ enable_sk_internal=$withval ]
 )

-enable_dsa=
-AC_ARG_ENABLE([dsa-keys],
-	[  --enable-dsa-keys       enable DSA key support [no]],
-	[
-		if test "x$enableval" != "xno" ; then
-			enable_dsa=1
-		fi
-	]
-)
-
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
 AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
@ -3258,26 +3248,6 @@ if test "x$openssl" = "xyes" ; then
 			AC_MSG_RESULT([no])
 		]
 	)
-
-	openssl_dsa=no
-	if test ! -z "$enable_dsa" ; then
-		AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
-			AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
-			    [ openssl_dsa=yes ],
-			    [ #include <openssl/opensslconf.h> ]
-			)
-		    ],
-		    [ #include <openssl/opensslconf.h> ]
-		)
-		AC_MSG_CHECKING([whether to enable DSA key support])
-		if test "x$openssl_dsa" = "xno"; then
-			AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
-		else
-			AC_MSG_RESULT([yes])
-			AC_DEFINE([WITH_DSA], [1],
-			   [DSA keys explicitly enabled])
-		fi
-	fi
 fi

 # PKCS11/U2F depend on OpenSSL and dlopen().