1 files changed, 70 insertions, 18 deletions

diff --git a/configure.ac b/configure.ac
index 92877285d478..1f3ac92252c6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,10 +6,10 @@ sinclude(acx_pthread.m4)
 sinclude(acx_python.m4)
 sinclude(ac_pkg_swig.m4)
 
-AC_INIT(unbound, 1.4.17, unbound-bugs@nlnetlabs.nl, unbound)
+AC_INIT(unbound, 1.4.20, unbound-bugs@nlnetlabs.nl, unbound)
 
 LIBUNBOUND_CURRENT=3
-LIBUNBOUND_REVISION=1
+LIBUNBOUND_REVISION=5
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -43,6 +43,9 @@ LIBUNBOUND_AGE=1
 # 1.4.15 had 3:0:1 # adds ub_version()
 # 1.4.16 had 3:1:1
 # 1.4.17 had 3:2:1
+# 1.4.18 had 3:3:1
+# 1.4.19 had 3:4:1
+# 1.4.20 had 4:0:2 # adds libunbound.ttl
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -208,8 +211,11 @@ AC_DEFINE_UNQUOTED(RSRC_PACKAGE_VERSION, [$wnvs], [version number for resource f
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
 AC_LANG_C
+# allow user to override the -g -O2 flags.
+if test "x$CFLAGS" = "x" ; then
 ACX_CHECK_COMPILER_FLAG(g, [CFLAGS="$CFLAGS -g"])
 ACX_CHECK_COMPILER_FLAG(O2, [CFLAGS="$CFLAGS -O2"])
+fi
 AC_PROG_CC
 ACX_DEPFLAG
 ACX_DETERMINE_EXT_FLAGS_UNBOUND
@@ -511,11 +517,34 @@ CONFIG_DATE=`date +%Y%m%d`
 AC_SUBST(CONFIG_DATE)
 
 # Checks for libraries.
+
+# libnss
+USE_NSS="no"
+AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+	[use libnss instead of openssl, installed at path.]),
+	[
+	USE_NSS="yes"
+	AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+	if test "$withval" != "" -a "$withval" != "yes"; then
+		CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+		LDFLAGS="$LDFLAGS -L$withval/lib"
+		ACX_RUNTIME_PATH_ADD([$withval/lib])
+		CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+	else
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+		CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+	fi
+        LIBS="$LIBS -lnss3 -lnspr4"
+	]
+)
+
+# openssl
+if test $USE_NSS = "no"; then
 ACX_WITH_SSL
 ACX_LIB_SSL
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
@@ -536,6 +565,8 @@ AC_INCLUDES_DEFAULT
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 ])
+fi
+
 
 AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
 case "$enable_sha2" in
@@ -646,19 +677,21 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
 
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 use_gost="no"
+if test $USE_NSS = "no"; then
 case "$enable_gost" in
 	no)
 	;;
 	*)
 	AC_CHECK_FUNC(EVP_PKEY_set_type_str, [:],[AC_MSG_ERROR([OpenSSL 1.0.0 is needed for GOST support])])
-        AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
+	AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
 	AC_CHECK_GOST_WORKS
-	if test $ac_cv_c_gost_works != no; then
+	if test "$ac_cv_c_gost_works" != no; then
 		use_gost="yes"
 		AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.])
 	fi
 	;;
 esac
+fi dnl !USE_NSS
 
 AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
 use_ecdsa="no"
@@ -666,18 +699,20 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
-      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
-      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+      if test $USE_NSS = "no"; then
+	      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+	      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+	      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
-      ])
-      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
-      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
-      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
-	AC_MSG_RESULT([no])
-	AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
-      else
-	AC_MSG_RESULT([yes])
+	      ])
+	      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+	      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
+	      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+		AC_MSG_RESULT([no])
+		AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
+	      else
+		AC_MSG_RESULT([yes])
+	      fi
       fi
       # we now know we have ECDSA and the required curves.
       AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
@@ -969,6 +1004,17 @@ rm -f conftest.lo
 AC_SUBST(SOURCEDETERMINE)
 AC_SUBST(SOURCEFILE)
 
+# see if we want to build the library or everything
+ALLTARGET="alltargets"
+AC_ARG_WITH(libunbound-only, AC_HELP_STRING([--with-libunbound-only],
+	[do not build daemon and tool programs]),
+	[
+	if test "$withval" = "yes"; then
+		ALLTARGET="lib"
+	fi
+])
+AC_SUBST(ALLTARGET)
+
 # check this after all other compilation checks, since the linking of the lib
 # may break checks after this.
 AC_ARG_WITH(ldns, AC_HELP_STRING([--with-ldns=PATH], 
@@ -990,13 +1036,19 @@ AC_CHECK_LIB(ldns, ldns_rr_new,,[
 	AC_MSG_ERROR([No ldns library found, install the ldns library into system lib dir or use --with-ldns=path to other location.  The --with-ldns can point to the make-dir of ldns.  Install the package ldns or download source http://www.nlnetlabs.nl/projects/ldns])
 ])
 AC_CHECK_FUNC(ldns_buffer_copy)
-AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+if test $USE_NSS = "no"; then
+    AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+else
+    dnl ignore test
+    ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
 AC_CHECK_FUNC(ldns_get_random)
 AC_CHECK_FUNC(ldns_b32_ntop_extended_hex)
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
     AC_CHECK_FUNC(ldns_key_EVP_load_gost_id)
     AC_CHECK_FUNCS([ldns_key_EVP_unload_gost])
 else
+    dnl ignore test
     ac_cv_func_ldns_key_EVP_load_gost_id="yes"
 fi
 if test x$use_ecdsa = xyes; then