git: 3dcf2c2cafbc - main - OpenSSH: remove ability to enable DSA support (in configure)
Date: Tue, 15 Apr 2025 18:16:58 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=3dcf2c2cafbcf5d725103e6051e70c81a121eb18
commit 3dcf2c2cafbcf5d725103e6051e70c81a121eb18
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-04-09 15:17:10 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-04-15 18:12:55 +0000
OpenSSH: remove ability to enable DSA support (in configure)
DSA is deprecated and upstream OpenSSH is in the process of removing it.
From OpenSSH-portable 10.0, cherry-pick the configure change so that we
can independently decide what to merge to stable branches.
This change has no direct user-facing impact, as the upstream configure
script is not used in the FreeBSD build process. It is worth noting as
part of OpenSSH's full removal of DSA support.
Reviewed by: jlduran, philip
Relnotes: Yes
Obtained from: OpenSSH-portable 6c9872faa1c2
Sponsored by: The FreeBSD Foundation
---
crypto/openssh/configure.ac | 30 ------------------------------
1 file changed, 30 deletions(-)
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index df05a54b8f63..dbe5b238fb75 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -2140,16 +2140,6 @@ AC_ARG_WITH([security-key-builtin],
[ enable_sk_internal=$withval ]
)
-enable_dsa=
-AC_ARG_ENABLE([dsa-keys],
- [ --enable-dsa-keys enable DSA key support [no]],
- [
- if test "x$enableval" != "xno" ; then
- enable_dsa=1
- fi
- ]
-)
-
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
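Review bot: With the AC_ARG_ENABLE([dsa-keys], ...) block removed, a leftover --enable-dsa-keys on a configure command line is no longer a declared option, and autoconf by default only warns about unrecognized --enable-* options instead of failing. Such a build would complete without DSA, and the only signal would be a warning in the configure output. Since the message carries "Relnotes: Yes", the release note should state that the switch is gone rather than defaulting to "no", so anyone carrying it in a build recipe knows to drop it and to check for remaining DSA host or user keys.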
@@ -3258,26 +3248,6 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([no])
]
)
-
- openssl_dsa=no
- if test ! -z "$enable_dsa" ; then
- AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
- AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
- [ openssl_dsa=yes ],
- [ #include <openssl/opensslconf.h> ]
- )
- ],
- [ #include <openssl/opensslconf.h> ]
- )
- AC_MSG_CHECKING([whether to enable DSA key support])
- if test "x$openssl_dsa" = "xno"; then
- AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
- else
- AC_MSG_RESULT([yes])
- AC_DEFINE([WITH_DSA], [1],
- [DSA keys explicitly enabled])
- fi
- fi
fi
# PKCS11/U2F depend on OpenSSL and dlopen().
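Review bot: This hunk drops the AC_DEFINE([WITH_DSA], [1], ...) branch, but the diffstat lists only configure.ac, so any source still conditional on WITH_DSA is untouched by this commit. The message says the upstream configure script is not used in the FreeBSD build, which means this deletion does not decide whether WITH_DSA is set in the built tree. It would help to add a sentence to the message naming where that is decided and its current state, so a reader auditing for DSA support does not take this commit as the point where it was turned off. The removed AC_MSG_ERROR([DSA requested but not supported by OpenSSL]) was also the only visible place where a DSA request against an OPENSSL_NO_DSA or BoringSSL build failed loudly, so that diagnostic goes away too.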