1 files changed, 61 insertions, 45 deletions

diff --git a/configure.ac b/configure.ac
index c2878e3d4..889f50637 100644
--- a/configure.ac
+++ b/configure.ac
@@ -109,13 +109,10 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
 ])
 
 openssl=yes
-ssh1=no
-COMMENT_OUT_RSA1="#no ssh1#"
 AC_ARG_WITH([openssl],
         [  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
         [  if test "x$withval" = "xno" ; then
                 openssl=no
-                ssh1=no
            fi
         ]
 )
@@ -127,31 +124,6 @@ else
         AC_MSG_RESULT([no])
 fi
 
-AC_ARG_WITH([ssh1],
-        [  --with-ssh1             Enable support for SSH protocol 1],
-        [
-                if test "x$withval" = "xyes" ; then
-                        if test "x$openssl" = "xno" ; then
-                                AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled])
-                        fi
-                        ssh1=yes
-                        COMMENT_OUT_RSA1=""
-                elif test "x$withval" = "xno" ; then
-                        ssh1=no
-                else
-                        AC_MSG_ERROR([unknown --with-ssh1 argument])
-                fi
-        ]
-)
-AC_MSG_CHECKING([whether SSH protocol 1 support is enabled])
-if test "x$ssh1" = "xyes" ; then
-        AC_MSG_RESULT([yes])
-        AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support])
-        AC_SUBST([COMMENT_OUT_RSA1])
-else
-        AC_MSG_RESULT([no])
-fi
-
 use_stack_protector=1
 use_toolchain_hardening=1
 AC_ARG_WITH([stackprotect],
@@ -179,6 +151,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
 CFLAGS="$saved_CFLAGS"
 
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
+        OSSH_CHECK_CFLAG_COMPILE([-pipe])
         OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
         OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
         OSSH_CHECK_CFLAG_COMPILE([-Wall])
@@ -190,8 +163,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
         OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
         OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
         OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
-        OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
     if test "x$use_toolchain_hardening" = "x1"; then
+        OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
         OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
         OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
         OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
@@ -316,6 +289,16 @@ AC_ARG_WITH([cflags],
                 fi
         ]
 )
+
+AC_ARG_WITH([cflags-after],
+        [  --with-cflags-after     Specify additional flags to pass to compiler after configure],
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        CFLAGS_AFTER="$withval"
+                fi
+        ]
+)
 AC_ARG_WITH([cppflags],
         [  --with-cppflags         Specify additional flags to pass to preprocessor] ,
         [
@@ -334,6 +317,15 @@ AC_ARG_WITH([ldflags],
                 fi
         ]
 )
+AC_ARG_WITH([ldflags-after],
+        [  --with-ldflags-after    Specify additional flags to pass to linker after configure],
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        LDFLAGS_AFTER="$withval"
+                fi
+        ]
+)
 AC_ARG_WITH([libs],
         [  --with-libs             Specify additional libraries to link with],
         [
@@ -397,7 +389,6 @@ AC_CHECK_HEADERS([ \
         sys/audit.h \
         sys/bitypes.h \
         sys/bsdtty.h \
-        sys/capability.h \
         sys/cdefs.h \
         sys/dir.h \
         sys/mman.h \
@@ -429,6 +420,13 @@ AC_CHECK_HEADERS([ \
         wchar.h \
 ])
 
+# sys/capsicum.h requires sys/types.h
+AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+])
+
 # lastlog.h requires sys/time.h to be included first on Solaris
 AC_CHECK_HEADERS([lastlog.h], [], [], [
 #ifdef HAVE_SYS_TIME_H
@@ -1007,6 +1005,7 @@ mips-sony-bsd|mips-sony-newsos4)
         AC_DEFINE([BROKEN_SETREUID])
         AC_DEFINE([BROKEN_SETREGID])
         AC_DEFINE([PASSWD_NEEDS_USERNAME])
+        AC_DEFINE([BROKEN_TCGETATTR_ICANON])
         TEST_SHELL=$SHELL       # let configure find us a capable shell
         case "$host" in
         *-*-sysv5SCO_SV*)       # SCO OpenServer 6.x
@@ -1332,7 +1331,17 @@ AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
 AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
 AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
 
+# "Particular Function Checks"
+# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
 AC_FUNC_STRFTIME
+AC_FUNC_MALLOC
+AC_FUNC_REALLOC
+# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
+if test "x$ac_cv_func_malloc_0_nonnull" != "xyes"; then
+        AC_DEFINE(HAVE_CALLOC, 0, [calloc(x, 0) returns NULL])
+        AC_DEFINE(calloc, rpl_calloc,
+            [Define to rpl_calloc if the replacement function should be used.])
+fi
 
 # Check for ALTDIRFUNC glob() extension
 AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
@@ -1486,6 +1495,7 @@ AC_ARG_WITH(ldns,
                 else
                         LIBS="$LIBS `$LDNSCONFIG --libs`"
                         CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
+                        ldns=yes
                 fi
         elif test "x$withval" != "xno" ; then
                         CPPFLAGS="$CPPFLAGS -I${withval}/include"
@@ -1696,6 +1706,7 @@ AC_CHECK_FUNCS([ \
         fchmod \
         fchown \
         freeaddrinfo \
+        freezero \
         fstatfs \
         fstatvfs \
         futimes \
@@ -1704,6 +1715,7 @@ AC_CHECK_FUNCS([ \
         getgrouplist \
         getnameinfo \
         getopt \
+        getpagesize \
         getpeereid \
         getpeerucred \
         getpgid \
@@ -1734,6 +1746,7 @@ AC_CHECK_FUNCS([ \
         readpassphrase \
         reallocarray \
         recvmsg \
+        recallocarray \
         rresvport_af \
         sendmsg \
         setdtablesize \
@@ -1767,6 +1780,7 @@ AC_CHECK_FUNCS([ \
         strnlen \
         strnvis \
         strptime \
+        strsignal \
         strtonum \
         strtoll \
         strtoul \
@@ -2535,7 +2549,11 @@ if test "x$openssl" = "xyes" ; then
                                 10000*|0*)
                                         AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
                                         ;;
-                                *) ;;
+                                100*)   ;; # 1.0.x
+                                200*)   ;; # LibreSSL
+                                *)
+                                        AC_MSG_ERROR([OpenSSL >= 1.1.0 is not yet supported (have "$ssl_library_ver")])
+                                        ;;
                         esac
                         AC_MSG_RESULT([$ssl_library_ver])
                 ],
@@ -2768,9 +2786,6 @@ if test "x$openssl" = "xyes" ; then
         #include <openssl/evp.h>
         #include <openssl/objects.h>
         #include <openssl/opensslv.h>
-        #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
-        # error "OpenSSL < 0.9.8g has unreliable ECC code"
-        #endif
                 ]], [[
                 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
                 const EVP_MD *m = EVP_sha256(); /* We need this too */
@@ -2789,9 +2804,6 @@ if test "x$openssl" = "xyes" ; then
         #include <openssl/evp.h>
         #include <openssl/objects.h>
         #include <openssl/opensslv.h>
-        #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
-        # error "OpenSSL < 0.9.8g has unreliable ECC code"
-        #endif
                 ]], [[
                 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
                 const EVP_MD *m = EVP_sha384(); /* We need this too */
@@ -2810,9 +2822,6 @@ if test "x$openssl" = "xyes" ; then
         #include <openssl/evp.h>
         #include <openssl/objects.h>
         #include <openssl/opensslv.h>
-        #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
-        # error "OpenSSL < 0.9.8g has unreliable ECC code"
-        #endif
                 ]], [[
                 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
                 const EVP_MD *m = EVP_sha512(); /* We need this too */
@@ -3197,7 +3206,8 @@ AC_RUN_IFELSE(
          select_works_with_rlimit=yes],
         [AC_MSG_RESULT([no])
          select_works_with_rlimit=no],
-        [AC_MSG_WARN([cross compiling: assuming yes])]
+        [AC_MSG_WARN([cross compiling: assuming yes])
+         select_works_with_rlimit=yes]
 )
 
 AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
@@ -3223,7 +3233,8 @@ AC_RUN_IFELSE(
          rlimit_nofile_zero_works=yes],
         [AC_MSG_RESULT([no])
          rlimit_nofile_zero_works=no],
-        [AC_MSG_WARN([cross compiling: assuming yes])]
+        [AC_MSG_WARN([cross compiling: assuming yes])
+         rlimit_nofile_zero_works=yes]
 )
 
 AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
@@ -3286,10 +3297,10 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
         AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
 elif test "x$sandbox_arg" = "xcapsicum" || \
      ( test -z "$sandbox_arg" && \
-       test "x$ac_cv_header_sys_capability_h" = "xyes" && \
+       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
        test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
-       test "x$ac_cv_header_sys_capability_h" != "xyes" && \
-                AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header])
+       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
+                AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
        test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
                 AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
        SANDBOX_STYLE="capsicum"
@@ -3845,6 +3856,8 @@ OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
 OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
 
 AC_CHECK_MEMBERS([struct stat.st_blksize])
+AC_CHECK_MEMBERS([struct stat.st_mtim])
+AC_CHECK_MEMBERS([struct stat.st_mtime])
 AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
 struct passwd.pw_change, struct passwd.pw_expire],
 [], [], [[
@@ -5044,6 +5057,9 @@ AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
 AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
 AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
 
+CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
+LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
+
 AC_EXEEXT
 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
         openbsd-compat/Makefile openbsd-compat/regress/Makefile \