authorColin Watson <cjwatson@debian.org>2014-02-10 00:18:28 +0000
committerColin Watson <cjwatson@debian.org>2014-02-10 00:18:28 +0000
commit9a975a9faed7c4f334e8c8490db3e77e102f2b21 (patch)
tree764a885ec9a963f6a8b15de6e1765f16b9ac4738 /configure.ac
parentee196dab7c5f97f0b80c8099343a375bead92010 (diff)
parentcdb6c90811caa5df2df856be9b0b16db020fe31d (diff)
Import openssh_6.5p1.orig.tar.gz
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac308
1 files changed, 269 insertions, 39 deletions
diff --git a/configure.ac b/configure.ac
index 4a1b50331..dfd32cd85 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ 1# $Id: configure.ac,v 1.568 2014/01/30 00:26:46 djm Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.536 $) 18AC_REVISION($Revision: 1.568 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -120,19 +120,36 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
120 #include <sys/types.h> 120 #include <sys/types.h>
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123
123use_stack_protector=1 124use_stack_protector=1
125use_toolchain_hardening=1
124AC_ARG_WITH([stackprotect], 126AC_ARG_WITH([stackprotect],
125 [ --without-stackprotect Don't use compiler's stack protection], [ 127 [ --without-stackprotect Don't use compiler's stack protection], [
126 if test "x$withval" = "xno"; then 128 if test "x$withval" = "xno"; then
127 use_stack_protector=0 129 use_stack_protector=0
128 fi ]) 130 fi ])
131AC_ARG_WITH([hardening],
132 [ --without-hardening Don't use toolchain hardening flags], [
133 if test "x$withval" = "xno"; then
134 use_toolchain_hardening=0
135 fi ])
129 136
137# We use -Werror for the tests only so that we catch warnings like "this is
138# on by default" for things like -fPIE.
139AC_MSG_CHECKING([if $CC supports -Werror])
140saved_CFLAGS="$CFLAGS"
141CFLAGS="$CFLAGS -Werror"
142AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
143 [ AC_MSG_RESULT([yes])
144 WERROR="-Werror"],
145 [ AC_MSG_RESULT([no])
146 WERROR="" ]
147)
148CFLAGS="$saved_CFLAGS"
130 149
131if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 150if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
132 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], 151 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
133 [-Qunused-arguments]) 152 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
134 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror],
135 [-Wno-unknown-warning-option])
136 OSSH_CHECK_CFLAG_COMPILE([-Wall]) 153 OSSH_CHECK_CFLAG_COMPILE([-Wall])
137 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) 154 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
138 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) 155 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
@@ -143,6 +160,17 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
143 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) 160 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
144 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) 161 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
145 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) 162 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
163 if test "x$use_toolchain_hardening" = "x1"; then
164 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
165 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
166 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
167 # NB. -ftrapv expects certain support functions to be present in
168 # the compiler library (libgcc or similar) to detect integer operations
169 # that can overflow. We must check that the result of enabling it
170 # actually links. The test program compiled/linked includes a number
171 # of integer operations that should exercise this.
172 OSSH_CHECK_CFLAG_LINK([-ftrapv])
173 fi
146 AC_MSG_CHECKING([gcc version]) 174 AC_MSG_CHECKING([gcc version])
147 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` 175 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
148 case $GCC_VER in 176 case $GCC_VER in
@@ -169,7 +197,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
169 # and/or platforms, so we test if we can. If it's not supported 197 # and/or platforms, so we test if we can. If it's not supported
170 # on a given platform gcc will emit a warning so we use -Werror. 198 # on a given platform gcc will emit a warning so we use -Werror.
171 if test "x$use_stack_protector" = "x1"; then 199 if test "x$use_stack_protector" = "x1"; then
172 for t in -fstack-protector-all -fstack-protector; do 200 for t in -fstack-protector-strong -fstack-protector-all \
201 -fstack-protector; do
173 AC_MSG_CHECKING([if $CC supports $t]) 202 AC_MSG_CHECKING([if $CC supports $t])
174 saved_CFLAGS="$CFLAGS" 203 saved_CFLAGS="$CFLAGS"
175 saved_LDFLAGS="$LDFLAGS" 204 saved_LDFLAGS="$LDFLAGS"
@@ -296,6 +325,7 @@ AC_ARG_WITH([Werror],
296) 325)
297 326
298AC_CHECK_HEADERS([ \ 327AC_CHECK_HEADERS([ \
328 blf.h \
299 bstring.h \ 329 bstring.h \
300 crypt.h \ 330 crypt.h \
301 crypto/sha2.h \ 331 crypto/sha2.h \
@@ -309,6 +339,7 @@ AC_CHECK_HEADERS([ \
309 glob.h \ 339 glob.h \
310 ia.h \ 340 ia.h \
311 iaf.h \ 341 iaf.h \
342 inttypes.h \
312 limits.h \ 343 limits.h \
313 locale.h \ 344 locale.h \
314 login.h \ 345 login.h \
@@ -333,6 +364,7 @@ AC_CHECK_HEADERS([ \
333 sys/audit.h \ 364 sys/audit.h \
334 sys/bitypes.h \ 365 sys/bitypes.h \
335 sys/bsdtty.h \ 366 sys/bsdtty.h \
367 sys/capability.h \
336 sys/cdefs.h \ 368 sys/cdefs.h \
337 sys/dir.h \ 369 sys/dir.h \
338 sys/mman.h \ 370 sys/mman.h \
@@ -513,7 +545,10 @@ case "$host" in
513 [Define if your platform needs to skip post auth 545 [Define if your platform needs to skip post auth
514 file descriptor passing]) 546 file descriptor passing])
515 AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) 547 AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
516 AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) 548 AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
549 # Cygwin defines optargs, optargs as declspec(dllimport) for historical
550 # reasons which cause compile warnings, so we disable those warnings.
551 OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
517 ;; 552 ;;
518*-*-dgux*) 553*-*-dgux*)
519 AC_DEFINE([IP_TOS_IS_BROKEN], [1], 554 AC_DEFINE([IP_TOS_IS_BROKEN], [1],
@@ -523,6 +558,7 @@ case "$host" in
523 AC_DEFINE([BROKEN_SETREGID]) 558 AC_DEFINE([BROKEN_SETREGID])
524 ;; 559 ;;
525*-*-darwin*) 560*-*-darwin*)
561 use_pie=auto
526 AC_MSG_CHECKING([if we have working getaddrinfo]) 562 AC_MSG_CHECKING([if we have working getaddrinfo])
527 AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> 563 AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
528main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 564main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -563,6 +599,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
563 ;; 599 ;;
564*-*-dragonfly*) 600*-*-dragonfly*)
565 SSHDLIBS="$SSHDLIBS -lcrypt" 601 SSHDLIBS="$SSHDLIBS -lcrypt"
602 TEST_MALLOC_OPTIONS="AFGJPRX"
566 ;; 603 ;;
567*-*-haiku*) 604*-*-haiku*)
568 LIBS="$LIBS -lbsd " 605 LIBS="$LIBS -lbsd "
@@ -660,6 +697,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
660 ;; 697 ;;
661*-*-linux*) 698*-*-linux*)
662 no_dev_ptmx=1 699 no_dev_ptmx=1
700 use_pie=auto
663 check_for_libcrypt_later=1 701 check_for_libcrypt_later=1
664 check_for_openpty_ctty_bug=1 702 check_for_openpty_ctty_bug=1
665 AC_DEFINE([PAM_TTY_KLUDGE], [1], 703 AC_DEFINE([PAM_TTY_KLUDGE], [1],
@@ -728,6 +766,11 @@ mips-sony-bsd|mips-sony-newsos4)
728 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) 766 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
729 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 767 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
730 [Prepend the address family to IP tunnel traffic]) 768 [Prepend the address family to IP tunnel traffic])
769 TEST_MALLOC_OPTIONS="AJRX"
770 AC_DEFINE([BROKEN_STRNVIS], [1],
771 [NetBSD strnvis argument order is swapped compared to OpenBSD])
772 AC_DEFINE([BROKEN_READ_COMPARISON], [1],
773 [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
731 ;; 774 ;;
732*-*-freebsd*) 775*-*-freebsd*)
733 check_for_libcrypt_later=1 776 check_for_libcrypt_later=1
@@ -736,7 +779,13 @@ mips-sony-bsd|mips-sony-newsos4)
736 AC_CHECK_HEADER([net/if_tap.h], , 779 AC_CHECK_HEADER([net/if_tap.h], ,
737 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) 780 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
738 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) 781 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
739 AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) 782 AC_DEFINE([BROKEN_STRNVIS], [1],
783 [FreeBSD strnvis argument order is swapped compared to OpenBSD])
784 TEST_MALLOC_OPTIONS="AJRX"
785 # Preauth crypto occasionally uses file descriptors for crypto offload
786 # and will crash if they cannot be opened.
787 AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
788 [define if setrlimit RLIMIT_NOFILE breaks things])],
740 ;; 789 ;;
741*-*-bsdi*) 790*-*-bsdi*)
742 AC_DEFINE([SETEUID_BREAKS_SETUID]) 791 AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -754,11 +803,13 @@ mips-sony-bsd|mips-sony-newsos4)
754 AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) 803 AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
755 ;; 804 ;;
756*-*-openbsd*) 805*-*-openbsd*)
806 use_pie=auto
757 AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) 807 AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
758 AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) 808 AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
759 AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) 809 AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
760 AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], 810 AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
761 [syslog_r function is safe to use in in a signal handler]) 811 [syslog_r function is safe to use in in a signal handler])
812 TEST_MALLOC_OPTIONS="AFGJPRX"
762 ;; 813 ;;
763*-*-solaris*) 814*-*-solaris*)
764 if test "x$withval" != "xno" ; then 815 if test "x$withval" != "xno" ; then
@@ -1191,6 +1242,9 @@ AC_SEARCH_LIBS([openpty], [util bsd])
1191AC_SEARCH_LIBS([updwtmp], [util bsd]) 1242AC_SEARCH_LIBS([updwtmp], [util bsd])
1192AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) 1243AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1193 1244
1245# On some platforms, inet_ntop may be found in libresolv or libnsl.
1246AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1247
1194AC_FUNC_STRFTIME 1248AC_FUNC_STRFTIME
1195 1249
1196# Check for ALTDIRFUNC glob() extension 1250# Check for ALTDIRFUNC glob() extension
@@ -1442,7 +1496,7 @@ AC_ARG_WITH([libedit],
1442 fi 1496 fi
1443 fi 1497 fi
1444 if test "x$use_pkgconfig_for_libedit" = "xyes"; then 1498 if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1445 LIBEDIT=`$PKGCONFIG --libs-only-l libedit` 1499 LIBEDIT=`$PKGCONFIG --libs libedit`
1446 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" 1500 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1447 else 1501 else
1448 LIBEDIT="-ledit -lcurses" 1502 LIBEDIT="-ledit -lcurses"
@@ -1496,7 +1550,7 @@ AC_ARG_WITH([audit],
1496 # These are optional 1550 # These are optional
1497 AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) 1551 AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1498 AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) 1552 AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1499 if test "$sol2ver" -eq 11; then 1553 if test "$sol2ver" -ge 11; then
1500 SSHDLIBS="$SSHDLIBS -lscf" 1554 SSHDLIBS="$SSHDLIBS -lscf"
1501 AC_DEFINE([BROKEN_BSM_API], [1], 1555 AC_DEFINE([BROKEN_BSM_API], [1],
1502 [The system has incomplete BSM API]) 1556 [The system has incomplete BSM API])
@@ -1524,10 +1578,62 @@ AC_ARG_WITH([audit],
1524 esac ] 1578 esac ]
1525) 1579)
1526 1580
1581AC_ARG_WITH([pie],
1582 [ --with-pie Build Position Independent Executables if possible], [
1583 if test "x$withval" = "xno"; then
1584 use_pie=no
1585 fi
1586 if test "x$withval" = "xyes"; then
1587 use_pie=yes
1588 fi
1589 ]
1590)
1591if test "x$use_pie" = "x"; then
1592 use_pie=no
1593fi
1594if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1595 # Turn off automatic PIE when toolchain hardening is off.
1596 use_pie=no
1597fi
1598if test "x$use_pie" = "xauto"; then
1599 # Automatic PIE requires gcc >= 4.x
1600 AC_MSG_CHECKING([for gcc >= 4.x])
1601 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1602#if !defined(__GNUC__) || __GNUC__ < 4
1603#error gcc is too old
1604#endif
1605]])],
1606 [ AC_MSG_RESULT([yes]) ],
1607 [ AC_MSG_RESULT([no])
1608 use_pie=no ]
1609)
1610fi
1611if test "x$use_pie" != "xno"; then
1612 SAVED_CFLAGS="$CFLAGS"
1613 SAVED_LDFLAGS="$LDFLAGS"
1614 OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1615 OSSH_CHECK_LDFLAG_LINK([-pie])
1616 # We use both -fPIE and -pie or neither.
1617 AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1618 if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
1619 echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
1620 AC_MSG_RESULT([yes])
1621 else
1622 AC_MSG_RESULT([no])
1623 CFLAGS="$SAVED_CFLAGS"
1624 LDFLAGS="$SAVED_LDFLAGS"
1625 fi
1626fi
1627
1527dnl Checks for library functions. Please keep in alphabetical order 1628dnl Checks for library functions. Please keep in alphabetical order
1528AC_CHECK_FUNCS([ \ 1629AC_CHECK_FUNCS([ \
1630 Blowfish_initstate \
1631 Blowfish_expandstate \
1632 Blowfish_expand0state \
1633 Blowfish_stream2word \
1529 arc4random \ 1634 arc4random \
1530 arc4random_buf \ 1635 arc4random_buf \
1636 arc4random_stir \
1531 arc4random_uniform \ 1637 arc4random_uniform \
1532 asprintf \ 1638 asprintf \
1533 b64_ntop \ 1639 b64_ntop \
@@ -1535,7 +1641,10 @@ AC_CHECK_FUNCS([ \
1535 b64_pton \ 1641 b64_pton \
1536 __b64_pton \ 1642 __b64_pton \
1537 bcopy \ 1643 bcopy \
1644 bcrypt_pbkdf \
1538 bindresvport_sa \ 1645 bindresvport_sa \
1646 blf_enc \
1647 cap_rights_limit \
1539 clock \ 1648 clock \
1540 closefrom \ 1649 closefrom \
1541 dirfd \ 1650 dirfd \
@@ -1543,6 +1652,7 @@ AC_CHECK_FUNCS([ \
1543 fchmod \ 1652 fchmod \
1544 fchown \ 1653 fchown \
1545 freeaddrinfo \ 1654 freeaddrinfo \
1655 fstatfs \
1546 fstatvfs \ 1656 fstatvfs \
1547 futimes \ 1657 futimes \
1548 getaddrinfo \ 1658 getaddrinfo \
@@ -2312,7 +2422,17 @@ AC_LINK_IFELSE(
2312 ] 2422 ]
2313) 2423)
2314 2424
2315AC_CHECK_FUNCS([RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init]) 2425AC_CHECK_FUNCS([ \
2426 BN_is_prime_ex \
2427 DSA_generate_parameters_ex \
2428 EVP_DigestInit_ex \
2429 EVP_DigestFinal_ex \
2430 EVP_MD_CTX_init \
2431 EVP_MD_CTX_cleanup \
2432 HMAC_CTX_init \
2433 RSA_generate_key_ex \
2434 RSA_get_default_method \
2435])
2316 2436
2317AC_ARG_WITH([ssl-engine], 2437AC_ARG_WITH([ssl-engine],
2318 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], 2438 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
@@ -2436,19 +2556,58 @@ fi
2436AC_CHECK_FUNCS([crypt DES_crypt]) 2556AC_CHECK_FUNCS([crypt DES_crypt])
2437 2557
2438# Search for SHA256 support in libc and/or OpenSSL 2558# Search for SHA256 support in libc and/or OpenSSL
2439AC_CHECK_FUNCS([SHA256_Update EVP_sha256], 2559AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2440 [TEST_SSH_SHA256=yes], 2560 [unsupported_algorithms="$unsupported_algorithms \
2441 [TEST_SSH_SHA256=no
2442 unsupported_algorithms="$unsupported_algorithms \
2443 hmac-sha2-256 hmac-sha2-512 \ 2561 hmac-sha2-256 hmac-sha2-512 \
2444 diffie-hellman-group-exchange-sha256 \ 2562 diffie-hellman-group-exchange-sha256 \
2445 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" 2563 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2446 ] 2564 ]
2447) 2565)
2448AC_SUBST([TEST_SSH_SHA256])
2449 2566
2450# Check complete ECC support in OpenSSL 2567# Check complete ECC support in OpenSSL
2451AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) 2568AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2569AC_LINK_IFELSE(
2570 [AC_LANG_PROGRAM([[
2571#include <openssl/ec.h>
2572#include <openssl/ecdh.h>
2573#include <openssl/ecdsa.h>
2574#include <openssl/evp.h>
2575#include <openssl/objects.h>
2576#include <openssl/opensslv.h>
2577#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2578# error "OpenSSL < 0.9.8g has unreliable ECC code"
2579#endif
2580 ]], [[
2581 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2582 const EVP_MD *m = EVP_sha256(); /* We need this too */
2583 ]])],
2584 [ AC_MSG_RESULT([yes])
2585 enable_nistp256=1 ],
2586 [ AC_MSG_RESULT([no]) ]
2587)
2588
2589AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
2590AC_LINK_IFELSE(
2591 [AC_LANG_PROGRAM([[
2592#include <openssl/ec.h>
2593#include <openssl/ecdh.h>
2594#include <openssl/ecdsa.h>
2595#include <openssl/evp.h>
2596#include <openssl/objects.h>
2597#include <openssl/opensslv.h>
2598#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2599# error "OpenSSL < 0.9.8g has unreliable ECC code"
2600#endif
2601 ]], [[
2602 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
2603 const EVP_MD *m = EVP_sha384(); /* We need this too */
2604 ]])],
2605 [ AC_MSG_RESULT([yes])
2606 enable_nistp384=1 ],
2607 [ AC_MSG_RESULT([no]) ]
2608)
2609
2610AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2452AC_LINK_IFELSE( 2611AC_LINK_IFELSE(
2453 [AC_LANG_PROGRAM([[ 2612 [AC_LANG_PROGRAM([[
2454#include <openssl/ec.h> 2613#include <openssl/ec.h>
@@ -2464,25 +2623,63 @@ AC_LINK_IFELSE(
2464 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2623 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2465 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2624 const EVP_MD *m = EVP_sha512(); /* We need this too */
2466 ]])], 2625 ]])],
2467 [ 2626 [ AC_MSG_RESULT([yes])
2468 AC_MSG_RESULT([yes]) 2627 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2469 AC_DEFINE([OPENSSL_HAS_ECC], [1], 2628 AC_RUN_IFELSE(
2470 [libcrypto includes complete ECC support]) 2629 [AC_LANG_PROGRAM([[
2471 TEST_SSH_ECC=yes 2630#include <openssl/ec.h>
2472 COMMENT_OUT_ECC="" 2631#include <openssl/ecdh.h>
2473 ], 2632#include <openssl/ecdsa.h>
2474 [ 2633#include <openssl/evp.h>
2475 AC_MSG_RESULT([no]) 2634#include <openssl/objects.h>
2476 TEST_SSH_ECC=no 2635#include <openssl/opensslv.h>
2477 COMMENT_OUT_ECC="#no ecc#" 2636 ]],[[
2478 unsupported_algorithms="$unsupported_algorithms \ 2637 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2479 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ 2638 const EVP_MD *m = EVP_sha512(); /* We need this too */
2480 ecdsa-sha2-nistp256-cert-v01@openssh.com \ 2639 exit(e == NULL || m == NULL);
2481 ecdsa-sha2-nistp384-cert-v01@openssh.com \ 2640 ]])],
2482 ecdsa-sha2-nistp521-cert-v01@openssh.com \ 2641 [ AC_MSG_RESULT([yes])
2483 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" 2642 enable_nistp521=1 ],
2484 ] 2643 [ AC_MSG_RESULT([no]) ],
2644 [ AC_MSG_WARN([cross-compiling: assuming yes])
2645 enable_nistp521=1 ]
2646 )],
2647 AC_MSG_RESULT([no])
2485) 2648)
2649
2650COMMENT_OUT_ECC="#no ecc#"
2651TEST_SSH_ECC=no
2652
2653if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
2654 test x$enable_nistp521 = x1; then
2655 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
2656fi
2657if test x$enable_nistp256 = x1; then
2658 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
2659 [libcrypto has NID_X9_62_prime256v1])
2660 TEST_SSH_ECC=yes
2661 COMMENT_OUT_ECC=""
2662else
2663 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
2664 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
2665fi
2666if test x$enable_nistp384 = x1; then
2667 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
2668 TEST_SSH_ECC=yes
2669 COMMENT_OUT_ECC=""
2670else
2671 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
2672 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
2673fi
2674if test x$enable_nistp521 = x1; then
2675 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
2676 TEST_SSH_ECC=yes
2677 COMMENT_OUT_ECC=""
2678else
2679 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
2680 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
2681fi
2682
2486AC_SUBST([TEST_SSH_ECC]) 2683AC_SUBST([TEST_SSH_ECC])
2487AC_SUBST([COMMENT_OUT_ECC]) 2684AC_SUBST([COMMENT_OUT_ECC])
2488 2685
@@ -2714,7 +2911,7 @@ fi
2714# Decide which sandbox style to use 2911# Decide which sandbox style to use
2715sandbox_arg="" 2912sandbox_arg=""
2716AC_ARG_WITH([sandbox], 2913AC_ARG_WITH([sandbox],
2717 [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)], 2914 [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
2718 [ 2915 [
2719 if test "x$withval" = "xyes" ; then 2916 if test "x$withval" = "xyes" ; then
2720 sandbox_arg="" 2917 sandbox_arg=""
@@ -2843,6 +3040,16 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
2843 AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) 3040 AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
2844 SANDBOX_STYLE="seccomp_filter" 3041 SANDBOX_STYLE="seccomp_filter"
2845 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) 3042 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3043elif test "x$sandbox_arg" = "xcapsicum" || \
3044 ( test -z "$sandbox_arg" && \
3045 test "x$ac_cv_header_sys_capability_h" = "xyes" && \
3046 test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3047 test "x$ac_cv_header_sys_capability_h" != "xyes" && \
3048 AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header])
3049 test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3050 AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3051 SANDBOX_STYLE="capsicum"
3052 AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
2846elif test "x$sandbox_arg" = "xrlimit" || \ 3053elif test "x$sandbox_arg" = "xrlimit" || \
2847 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ 3054 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
2848 test "x$select_works_with_rlimit" = "xyes" && \ 3055 test "x$select_works_with_rlimit" = "xyes" && \
@@ -3066,7 +3273,9 @@ if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3066 have_u_int64_t=1 3273 have_u_int64_t=1
3067fi 3274fi
3068 3275
3069if test -z "$have_u_int64_t" ; then 3276if (test -z "$have_u_int64_t" && \
3277 test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3278then
3070 AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) 3279 AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3071 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]], 3280 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3072 [[ u_int64_t a; a = 1]])], 3281 [[ u_int64_t a; a = 1]])],
@@ -3096,7 +3305,9 @@ if test -z "$have_u_intxx_t" ; then
3096 fi 3305 fi
3097fi 3306fi
3098 3307
3099if test -z "$have_uintxx_t" ; then 3308if (test -z "$have_uintxx_t" && \
3309 test "x$ac_cv_header_stdint_h" = "xyes")
3310then
3100 AC_MSG_CHECKING([for uintXX_t types in stdint.h]) 3311 AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3101 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]], 3312 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3102 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], 3313 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
@@ -3107,6 +3318,19 @@ if test -z "$have_uintxx_t" ; then
3107 ]) 3318 ])
3108fi 3319fi
3109 3320
3321if (test -z "$have_uintxx_t" && \
3322 test "x$ac_cv_header_inttypes_h" = "xyes")
3323then
3324 AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3325 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3326 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3327 [
3328 AC_DEFINE([HAVE_UINTXX_T])
3329 AC_MSG_RESULT([yes])
3330 ], [ AC_MSG_RESULT([no])
3331 ])
3332fi
3333
3110if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ 3334if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3111 test "x$ac_cv_header_sys_bitypes_h" = "xyes") 3335 test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3112then 3336then
@@ -3137,6 +3361,11 @@ if test "x$ac_cv_have_u_char" = "xyes" ; then
3137 AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) 3361 AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3138fi 3362fi
3139 3363
3364AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3365#include <sys/types.h>
3366#include <stdint.h>
3367])
3368
3140TYPE_SOCKLEN_T 3369TYPE_SOCKLEN_T
3141 3370
3142AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>]) 3371AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
@@ -4561,6 +4790,7 @@ else
4561fi 4790fi
4562AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) 4791AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no])
4563AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) 4792AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
4793AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
4564AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) 4794AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
4565 4795
4566AC_EXEEXT 4796AC_EXEEXT
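Review bot: In the `--with-pie` block (new lines 1611-1626), an explicit `--with-pie=yes` still falls back to a non-PIE build when either `-fPIE` or `-pie` is rejected, because the else branch only prints `no` and restores the saved `CFLAGS`/`LDFLAGS`, so configure succeeds. The help string does say "if possible", so this may be intended for `use_pie=auto`, but a builder who asked for PIE by name gets binaries without it and only a one-line `no` in the configure output to show for it. I would fail closed for the explicit case by adding, in that else branch, `test "x$use_pie" = "xyes" && AC_MSG_ERROR([--with-pie was requested but -fPIE and -pie are not both supported])`, which follows the `test ... && AC_MSG_ERROR` form the sandbox checks in this file already use. The `gcc >= 4.x` probe runs only for `auto`, so with `yes` these two flag probes are the only gate.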