resolved: ignore DNSSEC= option when resolved is built without gcrypt (#6084)

Fixes #5583.
2017-06-18 05:22:32 +09:00 · 2017-06-18 05:22:32 +09:00 · 42303dcb1a
parent a1bb2402cb
commit 42303dcb1a
4 changed files with 26 additions and 5 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1326,6 +1326,11 @@ AC_ARG_WITH(default-dnssec,
        [DEFAULT_DNSSEC_MODE="$withval"],
        [DEFAULT_DNSSEC_MODE="allow-downgrade"])

+if test "x$have_gcrypt" = xno -a "x${DEFAULT_DNSSEC_MODE}" != xno ; then
+        AC_MSG_WARN(default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.)
+        DEFAULT_DNSSEC_MODE="no"
+fi
+
 AS_CASE("x${DEFAULT_DNSSEC_MODE}",
        [xno], [mode=DNSSEC_NO],
        [xyes], [mode=DNSSEC_YES],
--- a/meson.build
+++ b/meson.build
@ -603,11 +603,6 @@ kill_user_processes = get_option('default-kill-user-processes')
 conf.set10('KILL_USER_PROCESSES', kill_user_processes)
 substs.set('KILL_USER_PROCESSES', kill_user_processes ? 'yes' : 'no')

-default_dnssec = get_option('default-dnssec')
-conf.set('DEFAULT_DNSSEC_MODE',
-         'DNSSEC_' + default_dnssec.underscorify().to_upper())
-substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
-
 dns_servers = get_option('dns-servers')
 conf.set_quoted('DNS_SERVERS', dns_servers)
 substs.set('DNS_SERVERS', dns_servers)
@ -953,6 +948,15 @@ else
        libgpg_error = []
 endif

+default_dnssec = get_option('default-dnssec')
+if default_dnssec != 'no' and not conf.get('HAVE_GCRYPT', false)
+        message('default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.')
+        default_dnssec = 'no'
+endif
+conf.set('DEFAULT_DNSSEC_MODE',
+         'DNSSEC_' + default_dnssec.underscorify().to_upper())
+substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
+
 want_importd = get_option('importd')
 if want_importd != 'false'
        have_deps = (conf.get('HAVE_LIBCURL', false) and
--- a/src/resolve/resolved-conf.c
+++ b/src/resolve/resolved-conf.c
@ -246,6 +246,12 @@ int manager_parse_config_file(Manager *m) {
                        return r;
        }

+#ifndef HAVE_GCRYPT
+        if (m->dnssec_mode != DNSSEC_NO) {
+                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
+                m->dnssec_mode = DNSSEC_NO;
+        }
+#endif
        return 0;

 }
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@ -313,6 +313,12 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {

        assert(l);

+#ifndef HAVE_GCRYPT
+        if (mode == DNSSEC_YES || mode == DNSSEC_ALLOW_DOWNGRADE)
+                log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
+        return;
+#endif
+
        if (l->dnssec_mode == mode)
                return;