author | Colin Watson <cjwatson@debian.org> | 2014-02-10 00:18:28 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-10 00:18:28 +0000 |
commit | 9a975a9faed7c4f334e8c8490db3e77e102f2b21 (patch) | |
tree | 764a885ec9a963f6a8b15de6e1765f16b9ac4738 /configure.ac | |
parent | ee196dab7c5f97f0b80c8099343a375bead92010 (diff) | |
parent | cdb6c90811caa5df2df856be9b0b16db020fe31d (diff) |
Import openssh_6.5p1.orig.tar.gz
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 308 |
1 files changed, 269 insertions, 39 deletions
diff --git a/configure.ac b/configure.ac index 4a1b50331..dfd32cd85 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ | 1 | # $Id: configure.ac,v 1.568 2014/01/30 00:26:46 djm Exp $ |
2 | # | 2 | # |
3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
4 | # | 4 | # |
@@ -15,7 +15,7 @@ | |||
15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | 16 | ||
17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) | 17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) |
18 | AC_REVISION($Revision: 1.536 $) | 18 | AC_REVISION($Revision: 1.568 $) |
19 | AC_CONFIG_SRCDIR([ssh.c]) | 19 | AC_CONFIG_SRCDIR([ssh.c]) |
20 | AC_LANG([C]) | 20 | AC_LANG([C]) |
21 | 21 | ||
@@ -120,19 +120,36 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
120 | #include <sys/types.h> | 120 | #include <sys/types.h> |
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | |||
123 | use_stack_protector=1 | 124 | use_stack_protector=1 |
125 | use_toolchain_hardening=1 | ||
124 | AC_ARG_WITH([stackprotect], | 126 | AC_ARG_WITH([stackprotect], |
125 | [ --without-stackprotect Don't use compiler's stack protection], [ | 127 | [ --without-stackprotect Don't use compiler's stack protection], [ |
126 | if test "x$withval" = "xno"; then | 128 | if test "x$withval" = "xno"; then |
127 | use_stack_protector=0 | 129 | use_stack_protector=0 |
128 | fi ]) | 130 | fi ]) |
131 | AC_ARG_WITH([hardening], | ||
132 | [ --without-hardening Don't use toolchain hardening flags], [ | ||
133 | if test "x$withval" = "xno"; then | ||
134 | use_toolchain_hardening=0 | ||
135 | fi ]) | ||
129 | 136 | ||
137 | # We use -Werror for the tests only so that we catch warnings like "this is | ||
138 | # on by default" for things like -fPIE. | ||
139 | AC_MSG_CHECKING([if $CC supports -Werror]) | ||
140 | saved_CFLAGS="$CFLAGS" | ||
141 | CFLAGS="$CFLAGS -Werror" | ||
142 | AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], | ||
143 | [ AC_MSG_RESULT([yes]) | ||
144 | WERROR="-Werror"], | ||
145 | [ AC_MSG_RESULT([no]) | ||
146 | WERROR="" ] | ||
147 | ) | ||
148 | CFLAGS="$saved_CFLAGS" | ||
130 | 149 | ||
131 | if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | 150 | if test "$GCC" = "yes" || test "$GCC" = "egcs"; then |
132 | OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], | 151 | OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) |
133 | [-Qunused-arguments]) | 152 | OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option]) |
134 | OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror], | ||
135 | [-Wno-unknown-warning-option]) | ||
136 | OSSH_CHECK_CFLAG_COMPILE([-Wall]) | 153 | OSSH_CHECK_CFLAG_COMPILE([-Wall]) |
137 | OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) | 154 | OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) |
138 | OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) | 155 | OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) |
@@ -143,6 +160,17 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
143 | OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) | 160 | OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) |
144 | OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) | 161 | OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) |
145 | OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) | 162 | OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) |
163 | if test "x$use_toolchain_hardening" = "x1"; then | ||
164 | OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) | ||
165 | OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) | ||
166 | OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) | ||
167 | # NB. -ftrapv expects certain support functions to be present in | ||
168 | # the compiler library (libgcc or similar) to detect integer operations | ||
169 | # that can overflow. We must check that the result of enabling it | ||
170 | # actually links. The test program compiled/linked includes a number | ||
171 | # of integer operations that should exercise this. | ||
172 | OSSH_CHECK_CFLAG_LINK([-ftrapv]) | ||
173 | fi | ||
146 | AC_MSG_CHECKING([gcc version]) | 174 | AC_MSG_CHECKING([gcc version]) |
147 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` | 175 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` |
148 | case $GCC_VER in | 176 | case $GCC_VER in |
@@ -169,7 +197,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
169 | # and/or platforms, so we test if we can. If it's not supported | 197 | # and/or platforms, so we test if we can. If it's not supported |
170 | # on a given platform gcc will emit a warning so we use -Werror. | 198 | # on a given platform gcc will emit a warning so we use -Werror. |
171 | if test "x$use_stack_protector" = "x1"; then | 199 | if test "x$use_stack_protector" = "x1"; then |
172 | for t in -fstack-protector-all -fstack-protector; do | 200 | for t in -fstack-protector-strong -fstack-protector-all \ |
201 | -fstack-protector; do | ||
173 | AC_MSG_CHECKING([if $CC supports $t]) | 202 | AC_MSG_CHECKING([if $CC supports $t]) |
174 | saved_CFLAGS="$CFLAGS" | 203 | saved_CFLAGS="$CFLAGS" |
175 | saved_LDFLAGS="$LDFLAGS" | 204 | saved_LDFLAGS="$LDFLAGS" |
@@ -296,6 +325,7 @@ AC_ARG_WITH([Werror], | |||
296 | ) | 325 | ) |
297 | 326 | ||
298 | AC_CHECK_HEADERS([ \ | 327 | AC_CHECK_HEADERS([ \ |
328 | blf.h \ | ||
299 | bstring.h \ | 329 | bstring.h \ |
300 | crypt.h \ | 330 | crypt.h \ |
301 | crypto/sha2.h \ | 331 | crypto/sha2.h \ |
@@ -309,6 +339,7 @@ AC_CHECK_HEADERS([ \ | |||
309 | glob.h \ | 339 | glob.h \ |
310 | ia.h \ | 340 | ia.h \ |
311 | iaf.h \ | 341 | iaf.h \ |
342 | inttypes.h \ | ||
312 | limits.h \ | 343 | limits.h \ |
313 | locale.h \ | 344 | locale.h \ |
314 | login.h \ | 345 | login.h \ |
@@ -333,6 +364,7 @@ AC_CHECK_HEADERS([ \ | |||
333 | sys/audit.h \ | 364 | sys/audit.h \ |
334 | sys/bitypes.h \ | 365 | sys/bitypes.h \ |
335 | sys/bsdtty.h \ | 366 | sys/bsdtty.h \ |
367 | sys/capability.h \ | ||
336 | sys/cdefs.h \ | 368 | sys/cdefs.h \ |
337 | sys/dir.h \ | 369 | sys/dir.h \ |
338 | sys/mman.h \ | 370 | sys/mman.h \ |
@@ -513,7 +545,10 @@ case "$host" in | |||
513 | [Define if your platform needs to skip post auth | 545 | [Define if your platform needs to skip post auth |
514 | file descriptor passing]) | 546 | file descriptor passing]) |
515 | AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) | 547 | AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) |
516 | AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) | 548 | AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) |
549 | # Cygwin defines optargs, optargs as declspec(dllimport) for historical | ||
550 | # reasons which cause compile warnings, so we disable those warnings. | ||
551 | OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes]) | ||
517 | ;; | 552 | ;; |
518 | *-*-dgux*) | 553 | *-*-dgux*) |
519 | AC_DEFINE([IP_TOS_IS_BROKEN], [1], | 554 | AC_DEFINE([IP_TOS_IS_BROKEN], [1], |
@@ -523,6 +558,7 @@ case "$host" in | |||
523 | AC_DEFINE([BROKEN_SETREGID]) | 558 | AC_DEFINE([BROKEN_SETREGID]) |
524 | ;; | 559 | ;; |
525 | *-*-darwin*) | 560 | *-*-darwin*) |
561 | use_pie=auto | ||
526 | AC_MSG_CHECKING([if we have working getaddrinfo]) | 562 | AC_MSG_CHECKING([if we have working getaddrinfo]) |
527 | AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> | 563 | AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> |
528 | main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 564 | main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
@@ -563,6 +599,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
563 | ;; | 599 | ;; |
564 | *-*-dragonfly*) | 600 | *-*-dragonfly*) |
565 | SSHDLIBS="$SSHDLIBS -lcrypt" | 601 | SSHDLIBS="$SSHDLIBS -lcrypt" |
602 | TEST_MALLOC_OPTIONS="AFGJPRX" | ||
566 | ;; | 603 | ;; |
567 | *-*-haiku*) | 604 | *-*-haiku*) |
568 | LIBS="$LIBS -lbsd " | 605 | LIBS="$LIBS -lbsd " |
@@ -660,6 +697,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
660 | ;; | 697 | ;; |
661 | *-*-linux*) | 698 | *-*-linux*) |
662 | no_dev_ptmx=1 | 699 | no_dev_ptmx=1 |
700 | use_pie=auto | ||
663 | check_for_libcrypt_later=1 | 701 | check_for_libcrypt_later=1 |
664 | check_for_openpty_ctty_bug=1 | 702 | check_for_openpty_ctty_bug=1 |
665 | AC_DEFINE([PAM_TTY_KLUDGE], [1], | 703 | AC_DEFINE([PAM_TTY_KLUDGE], [1], |
@@ -728,6 +766,11 @@ mips-sony-bsd|mips-sony-newsos4) | |||
728 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) | 766 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) |
729 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 767 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
730 | [Prepend the address family to IP tunnel traffic]) | 768 | [Prepend the address family to IP tunnel traffic]) |
769 | TEST_MALLOC_OPTIONS="AJRX" | ||
770 | AC_DEFINE([BROKEN_STRNVIS], [1], | ||
771 | [NetBSD strnvis argument order is swapped compared to OpenBSD]) | ||
772 | AC_DEFINE([BROKEN_READ_COMPARISON], [1], | ||
773 | [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it]) | ||
731 | ;; | 774 | ;; |
732 | *-*-freebsd*) | 775 | *-*-freebsd*) |
733 | check_for_libcrypt_later=1 | 776 | check_for_libcrypt_later=1 |
@@ -736,7 +779,13 @@ mips-sony-bsd|mips-sony-newsos4) | |||
736 | AC_CHECK_HEADER([net/if_tap.h], , | 779 | AC_CHECK_HEADER([net/if_tap.h], , |
737 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) | 780 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) |
738 | AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) | 781 | AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) |
739 | AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) | 782 | AC_DEFINE([BROKEN_STRNVIS], [1], |
783 | [FreeBSD strnvis argument order is swapped compared to OpenBSD]) | ||
784 | TEST_MALLOC_OPTIONS="AJRX" | ||
785 | # Preauth crypto occasionally uses file descriptors for crypto offload | ||
786 | # and will crash if they cannot be opened. | ||
787 | AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1], | ||
788 | [define if setrlimit RLIMIT_NOFILE breaks things])], | ||
740 | ;; | 789 | ;; |
741 | *-*-bsdi*) | 790 | *-*-bsdi*) |
742 | AC_DEFINE([SETEUID_BREAKS_SETUID]) | 791 | AC_DEFINE([SETEUID_BREAKS_SETUID]) |
@@ -754,11 +803,13 @@ mips-sony-bsd|mips-sony-newsos4) | |||
754 | AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) | 803 | AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) |
755 | ;; | 804 | ;; |
756 | *-*-openbsd*) | 805 | *-*-openbsd*) |
806 | use_pie=auto | ||
757 | AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) | 807 | AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) |
758 | AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) | 808 | AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) |
759 | AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) | 809 | AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) |
760 | AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], | 810 | AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], |
761 | [syslog_r function is safe to use in in a signal handler]) | 811 | [syslog_r function is safe to use in in a signal handler]) |
812 | TEST_MALLOC_OPTIONS="AFGJPRX" | ||
762 | ;; | 813 | ;; |
763 | *-*-solaris*) | 814 | *-*-solaris*) |
764 | if test "x$withval" != "xno" ; then | 815 | if test "x$withval" != "xno" ; then |
@@ -1191,6 +1242,9 @@ AC_SEARCH_LIBS([openpty], [util bsd]) | |||
1191 | AC_SEARCH_LIBS([updwtmp], [util bsd]) | 1242 | AC_SEARCH_LIBS([updwtmp], [util bsd]) |
1192 | AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) | 1243 | AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) |
1193 | 1244 | ||
1245 | # On some platforms, inet_ntop may be found in libresolv or libnsl. | ||
1246 | AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) | ||
1247 | |||
1194 | AC_FUNC_STRFTIME | 1248 | AC_FUNC_STRFTIME |
1195 | 1249 | ||
1196 | # Check for ALTDIRFUNC glob() extension | 1250 | # Check for ALTDIRFUNC glob() extension |
@@ -1442,7 +1496,7 @@ AC_ARG_WITH([libedit], | |||
1442 | fi | 1496 | fi |
1443 | fi | 1497 | fi |
1444 | if test "x$use_pkgconfig_for_libedit" = "xyes"; then | 1498 | if test "x$use_pkgconfig_for_libedit" = "xyes"; then |
1445 | LIBEDIT=`$PKGCONFIG --libs-only-l libedit` | 1499 | LIBEDIT=`$PKGCONFIG --libs libedit` |
1446 | CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" | 1500 | CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" |
1447 | else | 1501 | else |
1448 | LIBEDIT="-ledit -lcurses" | 1502 | LIBEDIT="-ledit -lcurses" |
@@ -1496,7 +1550,7 @@ AC_ARG_WITH([audit], | |||
1496 | # These are optional | 1550 | # These are optional |
1497 | AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) | 1551 | AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) |
1498 | AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) | 1552 | AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) |
1499 | if test "$sol2ver" -eq 11; then | 1553 | if test "$sol2ver" -ge 11; then |
1500 | SSHDLIBS="$SSHDLIBS -lscf" | 1554 | SSHDLIBS="$SSHDLIBS -lscf" |
1501 | AC_DEFINE([BROKEN_BSM_API], [1], | 1555 | AC_DEFINE([BROKEN_BSM_API], [1], |
1502 | [The system has incomplete BSM API]) | 1556 | [The system has incomplete BSM API]) |
@@ -1524,10 +1578,62 @@ AC_ARG_WITH([audit], | |||
1524 | esac ] | 1578 | esac ] |
1525 | ) | 1579 | ) |
1526 | 1580 | ||
1581 | AC_ARG_WITH([pie], | ||
1582 | [ --with-pie Build Position Independent Executables if possible], [ | ||
1583 | if test "x$withval" = "xno"; then | ||
1584 | use_pie=no | ||
1585 | fi | ||
1586 | if test "x$withval" = "xyes"; then | ||
1587 | use_pie=yes | ||
1588 | fi | ||
1589 | ] | ||
1590 | ) | ||
1591 | if test "x$use_pie" = "x"; then | ||
1592 | use_pie=no | ||
1593 | fi | ||
1594 | if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then | ||
1595 | # Turn off automatic PIE when toolchain hardening is off. | ||
1596 | use_pie=no | ||
1597 | fi | ||
1598 | if test "x$use_pie" = "xauto"; then | ||
1599 | # Automatic PIE requires gcc >= 4.x | ||
1600 | AC_MSG_CHECKING([for gcc >= 4.x]) | ||
1601 | AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ | ||
1602 | #if !defined(__GNUC__) || __GNUC__ < 4 | ||
1603 | #error gcc is too old | ||
1604 | #endif | ||
1605 | ]])], | ||
1606 | [ AC_MSG_RESULT([yes]) ], | ||
1607 | [ AC_MSG_RESULT([no]) | ||
1608 | use_pie=no ] | ||
1609 | ) | ||
1610 | fi | ||
1611 | if test "x$use_pie" != "xno"; then | ||
1612 | SAVED_CFLAGS="$CFLAGS" | ||
1613 | SAVED_LDFLAGS="$LDFLAGS" | ||
1614 | OSSH_CHECK_CFLAG_COMPILE([-fPIE]) | ||
1615 | OSSH_CHECK_LDFLAG_LINK([-pie]) | ||
1616 | # We use both -fPIE and -pie or neither. | ||
1617 | AC_MSG_CHECKING([whether both -fPIE and -pie are supported]) | ||
1618 | if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \ | ||
1619 | echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then | ||
1620 | AC_MSG_RESULT([yes]) | ||
1621 | else | ||
1622 | AC_MSG_RESULT([no]) | ||
1623 | CFLAGS="$SAVED_CFLAGS" | ||
1624 | LDFLAGS="$SAVED_LDFLAGS" | ||
1625 | fi | ||
1626 | fi | ||
1627 | |||
1527 | dnl Checks for library functions. Please keep in alphabetical order | 1628 | dnl Checks for library functions. Please keep in alphabetical order |
1528 | AC_CHECK_FUNCS([ \ | 1629 | AC_CHECK_FUNCS([ \ |
1630 | Blowfish_initstate \ | ||
1631 | Blowfish_expandstate \ | ||
1632 | Blowfish_expand0state \ | ||
1633 | Blowfish_stream2word \ | ||
1529 | arc4random \ | 1634 | arc4random \ |
1530 | arc4random_buf \ | 1635 | arc4random_buf \ |
1636 | arc4random_stir \ | ||
1531 | arc4random_uniform \ | 1637 | arc4random_uniform \ |
1532 | asprintf \ | 1638 | asprintf \ |
1533 | b64_ntop \ | 1639 | b64_ntop \ |
@@ -1535,7 +1641,10 @@ AC_CHECK_FUNCS([ \ | |||
1535 | b64_pton \ | 1641 | b64_pton \ |
1536 | __b64_pton \ | 1642 | __b64_pton \ |
1537 | bcopy \ | 1643 | bcopy \ |
1644 | bcrypt_pbkdf \ | ||
1538 | bindresvport_sa \ | 1645 | bindresvport_sa \ |
1646 | blf_enc \ | ||
1647 | cap_rights_limit \ | ||
1539 | clock \ | 1648 | clock \ |
1540 | closefrom \ | 1649 | closefrom \ |
1541 | dirfd \ | 1650 | dirfd \ |
@@ -1543,6 +1652,7 @@ AC_CHECK_FUNCS([ \ | |||
1543 | fchmod \ | 1652 | fchmod \ |
1544 | fchown \ | 1653 | fchown \ |
1545 | freeaddrinfo \ | 1654 | freeaddrinfo \ |
1655 | fstatfs \ | ||
1546 | fstatvfs \ | 1656 | fstatvfs \ |
1547 | futimes \ | 1657 | futimes \ |
1548 | getaddrinfo \ | 1658 | getaddrinfo \ |
@@ -2312,7 +2422,17 @@ AC_LINK_IFELSE( | |||
2312 | ] | 2422 | ] |
2313 | ) | 2423 | ) |
2314 | 2424 | ||
2315 | AC_CHECK_FUNCS([RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init]) | 2425 | AC_CHECK_FUNCS([ \ |
2426 | BN_is_prime_ex \ | ||
2427 | DSA_generate_parameters_ex \ | ||
2428 | EVP_DigestInit_ex \ | ||
2429 | EVP_DigestFinal_ex \ | ||
2430 | EVP_MD_CTX_init \ | ||
2431 | EVP_MD_CTX_cleanup \ | ||
2432 | HMAC_CTX_init \ | ||
2433 | RSA_generate_key_ex \ | ||
2434 | RSA_get_default_method \ | ||
2435 | ]) | ||
2316 | 2436 | ||
2317 | AC_ARG_WITH([ssl-engine], | 2437 | AC_ARG_WITH([ssl-engine], |
2318 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], | 2438 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], |
@@ -2436,19 +2556,58 @@ fi | |||
2436 | AC_CHECK_FUNCS([crypt DES_crypt]) | 2556 | AC_CHECK_FUNCS([crypt DES_crypt]) |
2437 | 2557 | ||
2438 | # Search for SHA256 support in libc and/or OpenSSL | 2558 | # Search for SHA256 support in libc and/or OpenSSL |
2439 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], | 2559 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , |
2440 | [TEST_SSH_SHA256=yes], | 2560 | [unsupported_algorithms="$unsupported_algorithms \ |
2441 | [TEST_SSH_SHA256=no | ||
2442 | unsupported_algorithms="$unsupported_algorithms \ | ||
2443 | hmac-sha2-256 hmac-sha2-512 \ | 2561 | hmac-sha2-256 hmac-sha2-512 \ |
2444 | diffie-hellman-group-exchange-sha256 \ | 2562 | diffie-hellman-group-exchange-sha256 \ |
2445 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | 2563 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" |
2446 | ] | 2564 | ] |
2447 | ) | 2565 | ) |
2448 | AC_SUBST([TEST_SSH_SHA256]) | ||
2449 | 2566 | ||
2450 | # Check complete ECC support in OpenSSL | 2567 | # Check complete ECC support in OpenSSL |
2451 | AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) | 2568 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2569 | AC_LINK_IFELSE( | ||
2570 | [AC_LANG_PROGRAM([[ | ||
2571 | #include <openssl/ec.h> | ||
2572 | #include <openssl/ecdh.h> | ||
2573 | #include <openssl/ecdsa.h> | ||
2574 | #include <openssl/evp.h> | ||
2575 | #include <openssl/objects.h> | ||
2576 | #include <openssl/opensslv.h> | ||
2577 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2578 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2579 | #endif | ||
2580 | ]], [[ | ||
2581 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | ||
2582 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | ||
2583 | ]])], | ||
2584 | [ AC_MSG_RESULT([yes]) | ||
2585 | enable_nistp256=1 ], | ||
2586 | [ AC_MSG_RESULT([no]) ] | ||
2587 | ) | ||
2588 | |||
2589 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | ||
2590 | AC_LINK_IFELSE( | ||
2591 | [AC_LANG_PROGRAM([[ | ||
2592 | #include <openssl/ec.h> | ||
2593 | #include <openssl/ecdh.h> | ||
2594 | #include <openssl/ecdsa.h> | ||
2595 | #include <openssl/evp.h> | ||
2596 | #include <openssl/objects.h> | ||
2597 | #include <openssl/opensslv.h> | ||
2598 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2599 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2600 | #endif | ||
2601 | ]], [[ | ||
2602 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | ||
2603 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | ||
2604 | ]])], | ||
2605 | [ AC_MSG_RESULT([yes]) | ||
2606 | enable_nistp384=1 ], | ||
2607 | [ AC_MSG_RESULT([no]) ] | ||
2608 | ) | ||
2609 | |||
2610 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | ||
2452 | AC_LINK_IFELSE( | 2611 | AC_LINK_IFELSE( |
2453 | [AC_LANG_PROGRAM([[ | 2612 | [AC_LANG_PROGRAM([[ |
2454 | #include <openssl/ec.h> | 2613 | #include <openssl/ec.h> |
@@ -2464,25 +2623,63 @@ AC_LINK_IFELSE( | |||
2464 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2623 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2465 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2624 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2466 | ]])], | 2625 | ]])], |
2467 | [ | 2626 | [ AC_MSG_RESULT([yes]) |
2468 | AC_MSG_RESULT([yes]) | 2627 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2469 | AC_DEFINE([OPENSSL_HAS_ECC], [1], | 2628 | AC_RUN_IFELSE( |
2470 | [libcrypto includes complete ECC support]) | 2629 | [AC_LANG_PROGRAM([[ |
2471 | TEST_SSH_ECC=yes | 2630 | #include <openssl/ec.h> |
2472 | COMMENT_OUT_ECC="" | 2631 | #include <openssl/ecdh.h> |
2473 | ], | 2632 | #include <openssl/ecdsa.h> |
2474 | [ | 2633 | #include <openssl/evp.h> |
2475 | AC_MSG_RESULT([no]) | 2634 | #include <openssl/objects.h> |
2476 | TEST_SSH_ECC=no | 2635 | #include <openssl/opensslv.h> |
2477 | COMMENT_OUT_ECC="#no ecc#" | 2636 | ]],[[ |
2478 | unsupported_algorithms="$unsupported_algorithms \ | 2637 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2479 | ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ | 2638 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2480 | ecdsa-sha2-nistp256-cert-v01@openssh.com \ | 2639 | exit(e == NULL || m == NULL); |
2481 | ecdsa-sha2-nistp384-cert-v01@openssh.com \ | 2640 | ]])], |
2482 | ecdsa-sha2-nistp521-cert-v01@openssh.com \ | 2641 | [ AC_MSG_RESULT([yes]) |
2483 | ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" | 2642 | enable_nistp521=1 ], |
2484 | ] | 2643 | [ AC_MSG_RESULT([no]) ], |
2644 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | ||
2645 | enable_nistp521=1 ] | ||
2646 | )], | ||
2647 | AC_MSG_RESULT([no]) | ||
2485 | ) | 2648 | ) |
2649 | |||
2650 | COMMENT_OUT_ECC="#no ecc#" | ||
2651 | TEST_SSH_ECC=no | ||
2652 | |||
2653 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | ||
2654 | test x$enable_nistp521 = x1; then | ||
2655 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | ||
2656 | fi | ||
2657 | if test x$enable_nistp256 = x1; then | ||
2658 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | ||
2659 | [libcrypto has NID_X9_62_prime256v1]) | ||
2660 | TEST_SSH_ECC=yes | ||
2661 | COMMENT_OUT_ECC="" | ||
2662 | else | ||
2663 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | ||
2664 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | ||
2665 | fi | ||
2666 | if test x$enable_nistp384 = x1; then | ||
2667 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | ||
2668 | TEST_SSH_ECC=yes | ||
2669 | COMMENT_OUT_ECC="" | ||
2670 | else | ||
2671 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | ||
2672 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | ||
2673 | fi | ||
2674 | if test x$enable_nistp521 = x1; then | ||
2675 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | ||
2676 | TEST_SSH_ECC=yes | ||
2677 | COMMENT_OUT_ECC="" | ||
2678 | else | ||
2679 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2680 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2681 | fi | ||
2682 | |||
2486 | AC_SUBST([TEST_SSH_ECC]) | 2683 | AC_SUBST([TEST_SSH_ECC]) |
2487 | AC_SUBST([COMMENT_OUT_ECC]) | 2684 | AC_SUBST([COMMENT_OUT_ECC]) |
2488 | 2685 | ||
@@ -2714,7 +2911,7 @@ fi | |||
2714 | # Decide which sandbox style to use | 2911 | # Decide which sandbox style to use |
2715 | sandbox_arg="" | 2912 | sandbox_arg="" |
2716 | AC_ARG_WITH([sandbox], | 2913 | AC_ARG_WITH([sandbox], |
2717 | [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)], | 2914 | [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], |
2718 | [ | 2915 | [ |
2719 | if test "x$withval" = "xyes" ; then | 2916 | if test "x$withval" = "xyes" ; then |
2720 | sandbox_arg="" | 2917 | sandbox_arg="" |
@@ -2843,6 +3040,16 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ | |||
2843 | AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) | 3040 | AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) |
2844 | SANDBOX_STYLE="seccomp_filter" | 3041 | SANDBOX_STYLE="seccomp_filter" |
2845 | AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) | 3042 | AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) |
3043 | elif test "x$sandbox_arg" = "xcapsicum" || \ | ||
3044 | ( test -z "$sandbox_arg" && \ | ||
3045 | test "x$ac_cv_header_sys_capability_h" = "xyes" && \ | ||
3046 | test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then | ||
3047 | test "x$ac_cv_header_sys_capability_h" != "xyes" && \ | ||
3048 | AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header]) | ||
3049 | test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ | ||
3050 | AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function]) | ||
3051 | SANDBOX_STYLE="capsicum" | ||
3052 | AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) | ||
2846 | elif test "x$sandbox_arg" = "xrlimit" || \ | 3053 | elif test "x$sandbox_arg" = "xrlimit" || \ |
2847 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ | 3054 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ |
2848 | test "x$select_works_with_rlimit" = "xyes" && \ | 3055 | test "x$select_works_with_rlimit" = "xyes" && \ |
@@ -3066,7 +3273,9 @@ if test "x$ac_cv_have_u_int64_t" = "xyes" ; then | |||
3066 | have_u_int64_t=1 | 3273 | have_u_int64_t=1 |
3067 | fi | 3274 | fi |
3068 | 3275 | ||
3069 | if test -z "$have_u_int64_t" ; then | 3276 | if (test -z "$have_u_int64_t" && \ |
3277 | test "x$ac_cv_header_sys_bitypes_h" = "xyes") | ||
3278 | then | ||
3070 | AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) | 3279 | AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) |
3071 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]], | 3280 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]], |
3072 | [[ u_int64_t a; a = 1]])], | 3281 | [[ u_int64_t a; a = 1]])], |
@@ -3096,7 +3305,9 @@ if test -z "$have_u_intxx_t" ; then | |||
3096 | fi | 3305 | fi |
3097 | fi | 3306 | fi |
3098 | 3307 | ||
3099 | if test -z "$have_uintxx_t" ; then | 3308 | if (test -z "$have_uintxx_t" && \ |
3309 | test "x$ac_cv_header_stdint_h" = "xyes") | ||
3310 | then | ||
3100 | AC_MSG_CHECKING([for uintXX_t types in stdint.h]) | 3311 | AC_MSG_CHECKING([for uintXX_t types in stdint.h]) |
3101 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]], | 3312 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]], |
3102 | [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], | 3313 | [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], |
@@ -3107,6 +3318,19 @@ if test -z "$have_uintxx_t" ; then | |||
3107 | ]) | 3318 | ]) |
3108 | fi | 3319 | fi |
3109 | 3320 | ||
3321 | if (test -z "$have_uintxx_t" && \ | ||
3322 | test "x$ac_cv_header_inttypes_h" = "xyes") | ||
3323 | then | ||
3324 | AC_MSG_CHECKING([for uintXX_t types in inttypes.h]) | ||
3325 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]], | ||
3326 | [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], | ||
3327 | [ | ||
3328 | AC_DEFINE([HAVE_UINTXX_T]) | ||
3329 | AC_MSG_RESULT([yes]) | ||
3330 | ], [ AC_MSG_RESULT([no]) | ||
3331 | ]) | ||
3332 | fi | ||
3333 | |||
3110 | if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ | 3334 | if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ |
3111 | test "x$ac_cv_header_sys_bitypes_h" = "xyes") | 3335 | test "x$ac_cv_header_sys_bitypes_h" = "xyes") |
3112 | then | 3336 | then |
@@ -3137,6 +3361,11 @@ if test "x$ac_cv_have_u_char" = "xyes" ; then | |||
3137 | AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) | 3361 | AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) |
3138 | fi | 3362 | fi |
3139 | 3363 | ||
3364 | AC_CHECK_TYPES([intmax_t, uintmax_t], , , [ | ||
3365 | #include <sys/types.h> | ||
3366 | #include <stdint.h> | ||
3367 | ]) | ||
3368 | |||
3140 | TYPE_SOCKLEN_T | 3369 | TYPE_SOCKLEN_T |
3141 | 3370 | ||
3142 | AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>]) | 3371 | AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>]) |
@@ -4561,6 +4790,7 @@ else | |||
4561 | fi | 4790 | fi |
4562 | AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) | 4791 | AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) |
4563 | AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) | 4792 | AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) |
4793 | AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS]) | ||
4564 | AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) | 4794 | AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) |
4565 | 4795 | ||
4566 | AC_EXEEXT | 4796 | AC_EXEEXT |
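Review bot: In the new `--with-pie` block (new lines 1611-1626), an explicit `--with-pie` is silently dropped when `-fPIE` and `-pie` are not both accepted. The check prints `no`, restores `CFLAGS`/`LDFLAGS` and configure carries on, so a build that asked for PIE can produce non-PIE binaries with only one line of configure output to show it. Falling back is reasonable for `use_pie=auto`, but for `use_pie=yes` I would fail in the `else` arm, e.g. `test "x$use_pie" = "xyes" && AC_MSG_ERROR([--with-pie requested but -fPIE and -pie are not both supported])`. Separately, in the FreeBSD arm (new line 788) the `AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], ...)` call ends in `)],`; the trailing `],` matches no open bracket and looks stray, and it would presumably be copied into the generated script, so it should be removed.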