Ignore --enable-gcrypt if --enable-openssl is also specified.

INSTALL

@@ -557,7 +557,8 @@ Authentication options:
         Use GNU crypt's SHA-2 message digest functions instead of the
         ones bundled with sudo (or in the system's C library).
         If specified, DIR should contain the GNU crypt include and
-        lib directories.
+        lib directories.  This option is ignored when the
+        --enable-openssl option is also specified.
 
   --enable-openssl[=DIR]
         Use OpenSSL's TLS and SHA-2 message digest functions.

configure

@@ -1675,8 +1675,7 @@ Optional Features:
   --enable-warnings       Whether to enable compiler warnings
   --enable-werror         Whether to enable the -Werror compiler option
   --enable-openssl        Use OpenSSL's TLS and sha2 functions
-  --enable-gcrypt         Use GNU crypt's message digest functions instead of
-                          sudo's
+  --enable-gcrypt         Use GNU crypt's sha2 functions
   --disable-hardening     Do not use compiler/linker exploit mitigation
                           options
   --enable-pie            Build sudo as a position independent executable.
@@ -6490,128 +6489,19 @@ fi
 
 # Check whether --enable-openssl was given.
 if test "${enable_openssl+set}" = set; then :
-  enableval=$enable_openssl;  case $enableval in
-    no)		;;
-    *)		$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
-;;
- esac
-
+  enableval=$enable_openssl;
 fi
 
 
 # Check whether --enable-gcrypt was given.
 if test "${enable_gcrypt+set}" = set; then :
-  enableval=$enable_gcrypt;  case $enableval in
-    no)		;;
-    *)		LIBMD="-lgcrypt"
-		DIGEST=digest_gcrypt.lo
-		$as_echo "#define HAVE_GCRYPT 1" >>confdefs.h
-
-		if test "$enableval" != "yes"; then
-
-if ${CPPFLAGS+:} false; then :
-
-  case " $CPPFLAGS " in #(
-  *" -I${enableval}/include "*) :
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enableval}/include"; } >&5
-  (: CPPFLAGS already contains -I${enableval}/include) 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } ;; #(
-  *) :
-
-     as_fn_append CPPFLAGS " -I${enableval}/include"
-     { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
-  (: CPPFLAGS="$CPPFLAGS") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-     ;;
-esac
-
-else
-
-  CPPFLAGS=-I${enableval}/include
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
-  (: CPPFLAGS="$CPPFLAGS") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-
-fi
-
-
-
-if ${LDFLAGS+:} false; then :
-
-  case " $LDFLAGS " in #(
-  *" -L${enableval}/lib "*) :
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -L\${enableval}/lib"; } >&5
-  (: LDFLAGS already contains -L${enableval}/lib) 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } ;; #(
-  *) :
-
-     as_fn_append LDFLAGS " -L${enableval}/lib"
-     { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-     ;;
-esac
-
-else
-
-  LDFLAGS=-L${enableval}/lib
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-
-fi
-
-    if test X"$enable_rpath" = X"yes"; then
-
-if ${LDFLAGS_R+:} false; then :
-
-  case " $LDFLAGS_R " in #(
-  *" -R${enableval}/lib "*) :
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R already contains -R\${enableval}/lib"; } >&5
-  (: LDFLAGS_R already contains -R${enableval}/lib) 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } ;; #(
-  *) :
-
-     as_fn_append LDFLAGS_R " -R${enableval}/lib"
-     { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
-  (: LDFLAGS_R="$LDFLAGS_R") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-     ;;
-esac
-
-else
-
-  LDFLAGS_R=-R${enableval}/lib
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
-  (: LDFLAGS_R="$LDFLAGS_R") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-
-fi
-
+  enableval=$enable_gcrypt;
+    if test "${enable_openssl-no}" != no; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring --enable-gcrypt when OpenSSL is enabled." >&5
+$as_echo "$as_me: WARNING: Ignoring --enable-gcrypt when OpenSSL is enabled." >&2;}
+	enable_gcrypt=no
     fi
 
-		fi
-		;;
- esac
-
 fi
 
 
@@ -21652,163 +21542,6 @@ fi
 
 fi
 
-# Look for sha2 functions if not using openssl
-if test "$DIGEST" = "digest.lo"; then
-    FOUND_SHA2=no
-    ac_fn_c_check_header_mongrel "$LINENO" "sha2.h" "ac_cv_header_sha2_h" "$ac_includes_default"
-if test "x$ac_cv_header_sha2_h" = xyes; then :
-
-	FOUND_SHA2=yes
-	for ac_func in SHA224Update
-do :
-  ac_fn_c_check_func "$LINENO" "SHA224Update" "ac_cv_func_SHA224Update"
-if test "x$ac_cv_func_SHA224Update" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_SHA224UPDATE 1
-_ACEOF
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the data argument of SHA224Update() is void *" >&5
-$as_echo_n "checking whether the data argument of SHA224Update() is void *... " >&6; }
-if ${sudo_cv_func_sha2_void_ptr+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sha2.h>
-void SHA224Update(SHA2_CTX *context, const void *data, size_t len) {return;}
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  sudo_cv_func_sha2_void_ptr=yes
-else
-  sudo_cv_func_sha2_void_ptr=no
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_func_sha2_void_ptr" >&5
-$as_echo "$sudo_cv_func_sha2_void_ptr" >&6; }
-  if test $sudo_cv_func_sha2_void_ptr = yes; then
-
-$as_echo "#define SHA2_VOID_PTR 1" >>confdefs.h
-
-  fi
-
-else
-
-	    # On some systems, SHA224Update is in libmd
-	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SHA224Update in -lmd" >&5
-$as_echo_n "checking for SHA224Update in -lmd... " >&6; }
-if ${ac_cv_lib_md_SHA224Update+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmd  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char SHA224Update ();
-int
-main ()
-{
-return SHA224Update ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_md_SHA224Update=yes
-else
-  ac_cv_lib_md_SHA224Update=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_md_SHA224Update" >&5
-$as_echo "$ac_cv_lib_md_SHA224Update" >&6; }
-if test "x$ac_cv_lib_md_SHA224Update" = xyes; then :
-
-		$as_echo "#define HAVE_SHA224UPDATE 1" >>confdefs.h
-
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the data argument of SHA224Update() is void *" >&5
-$as_echo_n "checking whether the data argument of SHA224Update() is void *... " >&6; }
-if ${sudo_cv_func_sha2_void_ptr+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sha2.h>
-void SHA224Update(SHA2_CTX *context, const void *data, size_t len) {return;}
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  sudo_cv_func_sha2_void_ptr=yes
-else
-  sudo_cv_func_sha2_void_ptr=no
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_func_sha2_void_ptr" >&5
-$as_echo "$sudo_cv_func_sha2_void_ptr" >&6; }
-  if test $sudo_cv_func_sha2_void_ptr = yes; then
-
-$as_echo "#define SHA2_VOID_PTR 1" >>confdefs.h
-
-  fi
-
-		LIBMD="-lmd"
-
-else
-
-		# Does not have SHA224Update
-		FOUND_SHA2=no
-
-fi
-
-
-fi
-done
-
-
-fi
-
-
-    if test X"$FOUND_SHA2" = X"no"; then
-	case " $LIBOBJS " in
-  *" sha2.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS sha2.$ac_objext"
- ;;
-esac
-
-
-    for _sym in sudo_SHA224Final sudo_SHA224Init sudo_SHA224Pad sudo_SHA224Transform sudo_SHA224Update sudo_SHA256Final sudo_SHA256Init sudo_SHA256Pad sudo_SHA256Transform sudo_SHA256Update sudo_SHA384Final sudo_SHA384Init sudo_SHA384Pad sudo_SHA384Transform sudo_SHA384Update sudo_SHA512Final sudo_SHA512Init sudo_SHA512Pad sudo_SHA512Transform sudo_SHA512Update; do
-	COMPAT_EXP="${COMPAT_EXP}${_sym}
-"
-    done
-
-    fi
-fi
 for ac_func in vsyslog
 do :
   ac_fn_c_check_func "$LINENO" "vsyslog" "ac_cv_func_vsyslog"
@@ -21944,6 +21677,11 @@ _ACEOF
 fi
 
 if test "${enable_openssl-no}" != no; then
+    # Use OpenSSL's sha2 functions
+    $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
+
+    DIGEST=digest_openssl.lo
+
     # Use pkg-config to find the openssl cflags and libs if possible.
     if test "$enable_openssl" != "yes"; then
 	PKG_CONFIG_LIBDIR="${enable_openssl}/lib/pkgconfig:${enable_openssl}/lib64/pkgconfig:${enable_openssl}/share/pkgconfig"
@@ -22239,6 +21977,270 @@ if test "x$ac_cv_have_decl_SSL_CTX_set_min_proto_version" = xyes; then :
 fi
 
     LIBS="$OLIBS"
+elif test "${enable_gcrypt-no}" != no; then
+    # Use gcrypt's sha2 functions
+    $as_echo "#define HAVE_GCRYPT 1" >>confdefs.h
+
+    DIGEST=digest_gcrypt.lo
+    LIBMD="-lgcrypt"
+    if test "$enable_gcrypt" != "yes"; then
+
+if ${CPPFLAGS+:} false; then :
+
+  case " $CPPFLAGS " in #(
+  *" -I${enable_gcrypt}/include "*) :
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_gcrypt}/include"; } >&5
+  (: CPPFLAGS already contains -I${enable_gcrypt}/include) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -I${enable_gcrypt}/include"
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else
+
+  CPPFLAGS=-I${enable_gcrypt}/include
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+
+
+if ${LDFLAGS+:} false; then :
+
+  case " $LDFLAGS " in #(
+  *" -L${enable_gcrypt}/lib "*) :
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -L\${enable_gcrypt}/lib"; } >&5
+  (: LDFLAGS already contains -L${enable_gcrypt}/lib) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LDFLAGS " -L${enable_gcrypt}/lib"
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+  (: LDFLAGS="$LDFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else
+
+  LDFLAGS=-L${enable_gcrypt}/lib
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+  (: LDFLAGS="$LDFLAGS") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    if test X"$enable_rpath" = X"yes"; then
+
+if ${LDFLAGS_R+:} false; then :
+
+  case " $LDFLAGS_R " in #(
+  *" -R${enable_gcrypt}/lib "*) :
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R already contains -R\${enable_gcrypt}/lib"; } >&5
+  (: LDFLAGS_R already contains -R${enable_gcrypt}/lib) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LDFLAGS_R " -R${enable_gcrypt}/lib"
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
+  (: LDFLAGS_R="$LDFLAGS_R") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else
+
+  LDFLAGS_R=-R${enable_gcrypt}/lib
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS_R=\"\$LDFLAGS_R\""; } >&5
+  (: LDFLAGS_R="$LDFLAGS_R") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    fi
+
+    fi
+fi
+if test "$DIGEST" = "digest.lo"; then
+    FOUND_SHA2=no
+    ac_fn_c_check_header_mongrel "$LINENO" "sha2.h" "ac_cv_header_sha2_h" "$ac_includes_default"
+if test "x$ac_cv_header_sha2_h" = xyes; then :
+
+	FOUND_SHA2=yes
+	for ac_func in SHA224Update
+do :
+  ac_fn_c_check_func "$LINENO" "SHA224Update" "ac_cv_func_SHA224Update"
+if test "x$ac_cv_func_SHA224Update" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SHA224UPDATE 1
+_ACEOF
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the data argument of SHA224Update() is void *" >&5
+$as_echo_n "checking whether the data argument of SHA224Update() is void *... " >&6; }
+if ${sudo_cv_func_sha2_void_ptr+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+#include <sha2.h>
+void SHA224Update(SHA2_CTX *context, const void *data, size_t len) {return;}
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  sudo_cv_func_sha2_void_ptr=yes
+else
+  sudo_cv_func_sha2_void_ptr=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_func_sha2_void_ptr" >&5
+$as_echo "$sudo_cv_func_sha2_void_ptr" >&6; }
+  if test $sudo_cv_func_sha2_void_ptr = yes; then
+
+$as_echo "#define SHA2_VOID_PTR 1" >>confdefs.h
+
+  fi
+
+else
+
+	    # On some systems, SHA224Update is in libmd
+	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SHA224Update in -lmd" >&5
+$as_echo_n "checking for SHA224Update in -lmd... " >&6; }
+if ${ac_cv_lib_md_SHA224Update+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lmd  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SHA224Update ();
+int
+main ()
+{
+return SHA224Update ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_md_SHA224Update=yes
+else
+  ac_cv_lib_md_SHA224Update=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_md_SHA224Update" >&5
+$as_echo "$ac_cv_lib_md_SHA224Update" >&6; }
+if test "x$ac_cv_lib_md_SHA224Update" = xyes; then :
+
+		$as_echo "#define HAVE_SHA224UPDATE 1" >>confdefs.h
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the data argument of SHA224Update() is void *" >&5
+$as_echo_n "checking whether the data argument of SHA224Update() is void *... " >&6; }
+if ${sudo_cv_func_sha2_void_ptr+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+#include <sha2.h>
+void SHA224Update(SHA2_CTX *context, const void *data, size_t len) {return;}
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  sudo_cv_func_sha2_void_ptr=yes
+else
+  sudo_cv_func_sha2_void_ptr=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_func_sha2_void_ptr" >&5
+$as_echo "$sudo_cv_func_sha2_void_ptr" >&6; }
+  if test $sudo_cv_func_sha2_void_ptr = yes; then
+
+$as_echo "#define SHA2_VOID_PTR 1" >>confdefs.h
+
+  fi
+
+		LIBMD="-lmd"
+
+else
+
+		# Does not have SHA224Update
+		FOUND_SHA2=no
+
+fi
+
+
+fi
+done
+
+
+fi
+
+
+    if test X"$FOUND_SHA2" = X"no"; then
+	case " $LIBOBJS " in
+  *" sha2.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS sha2.$ac_objext"
+ ;;
+esac
+
+
+    for _sym in sudo_SHA224Final sudo_SHA224Init sudo_SHA224Pad sudo_SHA224Transform sudo_SHA224Update sudo_SHA256Final sudo_SHA256Init sudo_SHA256Pad sudo_SHA256Transform sudo_SHA256Update sudo_SHA384Final sudo_SHA384Init sudo_SHA384Pad sudo_SHA384Transform sudo_SHA384Update sudo_SHA512Final sudo_SHA512Init sudo_SHA512Pad sudo_SHA512Transform sudo_SHA512Update; do
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
+"
+    done
+
+    fi
 fi
 OLIBS="$LIBS"
 LIBS="${LIBS} ${NET_LIBS}"

configure.ac

@@ -1503,26 +1503,14 @@ AC_ARG_ENABLE(werror,
 ])
 
 AC_ARG_ENABLE(openssl,
-[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
-[ case $enableval in
-    no)		;;
-    *)		AC_DEFINE(HAVE_OPENSSL);;
- esac
-])
+[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])])
 
 AC_ARG_ENABLE(gcrypt,
-[AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's message digest functions instead of sudo's])],
-[ case $enableval in
-    no)		;;
-    *)		LIBMD="-lgcrypt"
-		DIGEST=digest_gcrypt.lo
-		AC_DEFINE(HAVE_GCRYPT)
-		if test "$enableval" != "yes"; then
-		    AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
-		    SUDO_APPEND_LIBPATH(LDFLAGS, [${enableval}/lib])
-		fi
-		;;
- esac
+[AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's sha2 functions])], [
+    if test "${enable_openssl-no}" != no; then
+	AC_MSG_WARN([Ignoring --enable-gcrypt when OpenSSL is enabled.])
+	enable_gcrypt=no
+    fi
 ])
 
 AC_ARG_ENABLE(hardening,
@@ -2962,28 +2950,6 @@ AC_CHECK_MEMBER([struct stat.st_mtim],
 	[AC_CHECK_MEMBER([struct stat.st_nmtime], AC_DEFINE(HAVE_ST_NMTIME))])
     ]
 )
-# Look for sha2 functions if not using openssl
-if test "$DIGEST" = "digest.lo"; then
-    FOUND_SHA2=no
-    AC_CHECK_HEADER([sha2.h], [
-	FOUND_SHA2=yes
-	AC_CHECK_FUNCS([SHA224Update], [SUDO_FUNC_SHA2_VOID_PTR], [
-	    # On some systems, SHA224Update is in libmd
-	    AC_CHECK_LIB(md, SHA224Update, [
-		AC_DEFINE(HAVE_SHA224UPDATE)
-		SUDO_FUNC_SHA2_VOID_PTR
-		LIBMD="-lmd"
-	    ], [
-		# Does not have SHA224Update
-		FOUND_SHA2=no
-	    ])
-	])
-    ])
-    if test X"$FOUND_SHA2" = X"no"; then
-	AC_LIBOBJ(sha2)
-	SUDO_APPEND_COMPAT_EXP(sudo_SHA224Final sudo_SHA224Init sudo_SHA224Pad sudo_SHA224Transform sudo_SHA224Update sudo_SHA256Final sudo_SHA256Init sudo_SHA256Pad sudo_SHA256Transform sudo_SHA256Update sudo_SHA384Final sudo_SHA384Init sudo_SHA384Pad sudo_SHA384Transform sudo_SHA384Update sudo_SHA512Final sudo_SHA512Init sudo_SHA512Pad sudo_SHA512Transform sudo_SHA512Update)
-    fi
-fi
 AC_CHECK_FUNCS([vsyslog], [], [
     AC_LIBOBJ(vsyslog)
     SUDO_APPEND_COMPAT_EXP(sudo_vsyslog)
@@ -3019,6 +2985,10 @@ dnl
 dnl Check for functions only present in OpenSSL 1.1 and above
 dnl
 if test "${enable_openssl-no}" != no; then
+    # Use OpenSSL's sha2 functions
+    AC_DEFINE(HAVE_OPENSSL)
+    DIGEST=digest_openssl.lo
+
     # Use pkg-config to find the openssl cflags and libs if possible.
     if test "$enable_openssl" != "yes"; then
 	PKG_CONFIG_LIBDIR="${enable_openssl}/lib/pkgconfig:${enable_openssl}/lib64/pkgconfig:${enable_openssl}/share/pkgconfig"
@@ -3060,6 +3030,39 @@ if test "${enable_openssl-no}" != no; then
 	#include <openssl/ssl.h>
     ])
     LIBS="$OLIBS"
+elif test "${enable_gcrypt-no}" != no; then
+    # Use gcrypt's sha2 functions
+    AC_DEFINE(HAVE_GCRYPT)
+    DIGEST=digest_gcrypt.lo
+    LIBMD="-lgcrypt"
+    if test "$enable_gcrypt" != "yes"; then
+	AX_APPEND_FLAG([-I${enable_gcrypt}/include], [CPPFLAGS])
+	SUDO_APPEND_LIBPATH(LDFLAGS, [${enable_gcrypt}/lib])
+    fi
+fi
+dnl
+dnl Check for sha2 functions if not using openssl or gcrypt
+dnl
+if test "$DIGEST" = "digest.lo"; then
+    FOUND_SHA2=no
+    AC_CHECK_HEADER([sha2.h], [
+	FOUND_SHA2=yes
+	AC_CHECK_FUNCS([SHA224Update], [SUDO_FUNC_SHA2_VOID_PTR], [
+	    # On some systems, SHA224Update is in libmd
+	    AC_CHECK_LIB(md, SHA224Update, [
+		AC_DEFINE(HAVE_SHA224UPDATE)
+		SUDO_FUNC_SHA2_VOID_PTR
+		LIBMD="-lmd"
+	    ], [
+		# Does not have SHA224Update
+		FOUND_SHA2=no
+	    ])
+	])
+    ])
+    if test X"$FOUND_SHA2" = X"no"; then
+	AC_LIBOBJ(sha2)
+	SUDO_APPEND_COMPAT_EXP(sudo_SHA224Final sudo_SHA224Init sudo_SHA224Pad sudo_SHA224Transform sudo_SHA224Update sudo_SHA256Final sudo_SHA256Init sudo_SHA256Pad sudo_SHA256Transform sudo_SHA256Update sudo_SHA384Final sudo_SHA384Init sudo_SHA384Pad sudo_SHA384Transform sudo_SHA384Update sudo_SHA512Final sudo_SHA512Init sudo_SHA512Pad sudo_SHA512Transform sudo_SHA512Update)
+    fi
 fi
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet