Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac308
1 files changed, 269 insertions, 39 deletions
diff --git a/configure.ac b/configure.ac
index d7d500a33..e2289cd37 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ 1# $Id: configure.ac,v 1.568 2014/01/30 00:26:46 djm Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.536 $) 18AC_REVISION($Revision: 1.568 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -120,19 +120,36 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
120 #include <sys/types.h> 120 #include <sys/types.h>
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123
123use_stack_protector=1 124use_stack_protector=1
125use_toolchain_hardening=1
124AC_ARG_WITH([stackprotect], 126AC_ARG_WITH([stackprotect],
125 [ --without-stackprotect Don't use compiler's stack protection], [ 127 [ --without-stackprotect Don't use compiler's stack protection], [
126 if test "x$withval" = "xno"; then 128 if test "x$withval" = "xno"; then
127 use_stack_protector=0 129 use_stack_protector=0
128 fi ]) 130 fi ])
131AC_ARG_WITH([hardening],
132 [ --without-hardening Don't use toolchain hardening flags], [
133 if test "x$withval" = "xno"; then
134 use_toolchain_hardening=0
135 fi ])
129 136
137# We use -Werror for the tests only so that we catch warnings like "this is
138# on by default" for things like -fPIE.
139AC_MSG_CHECKING([if $CC supports -Werror])
140saved_CFLAGS="$CFLAGS"
141CFLAGS="$CFLAGS -Werror"
142AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
143 [ AC_MSG_RESULT([yes])
144 WERROR="-Werror"],
145 [ AC_MSG_RESULT([no])
146 WERROR="" ]
147)
148CFLAGS="$saved_CFLAGS"
130 149
131if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 150if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
132 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], 151 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
133 [-Qunused-arguments]) 152 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
134 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror],
135 [-Wno-unknown-warning-option])
136 OSSH_CHECK_CFLAG_COMPILE([-Wall]) 153 OSSH_CHECK_CFLAG_COMPILE([-Wall])
137 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) 154 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
138 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) 155 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
@@ -143,6 +160,17 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
143 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) 160 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
144 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) 161 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
145 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) 162 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
163 if test "x$use_toolchain_hardening" = "x1"; then
164 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
165 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
166 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
167 # NB. -ftrapv expects certain support functions to be present in
168 # the compiler library (libgcc or similar) to detect integer operations
169 # that can overflow. We must check that the result of enabling it
170 # actually links. The test program compiled/linked includes a number
171 # of integer operations that should exercise this.
172 OSSH_CHECK_CFLAG_LINK([-ftrapv])
173 fi
146 AC_MSG_CHECKING([gcc version]) 174 AC_MSG_CHECKING([gcc version])
147 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` 175 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
148 case $GCC_VER in 176 case $GCC_VER in
@@ -169,7 +197,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
169 # and/or platforms, so we test if we can. If it's not supported 197 # and/or platforms, so we test if we can. If it's not supported
170 # on a given platform gcc will emit a warning so we use -Werror. 198 # on a given platform gcc will emit a warning so we use -Werror.
171 if test "x$use_stack_protector" = "x1"; then 199 if test "x$use_stack_protector" = "x1"; then
172 for t in -fstack-protector-all -fstack-protector; do 200 for t in -fstack-protector-strong -fstack-protector-all \
201 -fstack-protector; do
173 AC_MSG_CHECKING([if $CC supports $t]) 202 AC_MSG_CHECKING([if $CC supports $t])
174 saved_CFLAGS="$CFLAGS" 203 saved_CFLAGS="$CFLAGS"
175 saved_LDFLAGS="$LDFLAGS" 204 saved_LDFLAGS="$LDFLAGS"
@@ -296,6 +325,7 @@ AC_ARG_WITH([Werror],
296) 325)
297 326
298AC_CHECK_HEADERS([ \ 327AC_CHECK_HEADERS([ \
328 blf.h \
299 bstring.h \ 329 bstring.h \
300 crypt.h \ 330 crypt.h \
301 crypto/sha2.h \ 331 crypto/sha2.h \
@@ -309,6 +339,7 @@ AC_CHECK_HEADERS([ \
309 glob.h \ 339 glob.h \
310 ia.h \ 340 ia.h \
311 iaf.h \ 341 iaf.h \
342 inttypes.h \
312 limits.h \ 343 limits.h \
313 locale.h \ 344 locale.h \
314 login.h \ 345 login.h \
@@ -333,6 +364,7 @@ AC_CHECK_HEADERS([ \
333 sys/audit.h \ 364 sys/audit.h \
334 sys/bitypes.h \ 365 sys/bitypes.h \
335 sys/bsdtty.h \ 366 sys/bsdtty.h \
367 sys/capability.h \
336 sys/cdefs.h \ 368 sys/cdefs.h \
337 sys/dir.h \ 369 sys/dir.h \
338 sys/mman.h \ 370 sys/mman.h \
@@ -513,7 +545,10 @@ case "$host" in
513 [Define if your platform needs to skip post auth 545 [Define if your platform needs to skip post auth
514 file descriptor passing]) 546 file descriptor passing])
515 AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) 547 AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
516 AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) 548 AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
549 # Cygwin defines optargs, optargs as declspec(dllimport) for historical
550 # reasons which cause compile warnings, so we disable those warnings.
551 OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
517 ;; 552 ;;
518*-*-dgux*) 553*-*-dgux*)
519 AC_DEFINE([IP_TOS_IS_BROKEN], [1], 554 AC_DEFINE([IP_TOS_IS_BROKEN], [1],
@@ -523,6 +558,7 @@ case "$host" in
523 AC_DEFINE([BROKEN_SETREGID]) 558 AC_DEFINE([BROKEN_SETREGID])
524 ;; 559 ;;
525*-*-darwin*) 560*-*-darwin*)
561 use_pie=auto
526 AC_MSG_CHECKING([if we have working getaddrinfo]) 562 AC_MSG_CHECKING([if we have working getaddrinfo])
527 AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> 563 AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
528main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 564main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -587,6 +623,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
587 ;; 623 ;;
588*-*-dragonfly*) 624*-*-dragonfly*)
589 SSHDLIBS="$SSHDLIBS -lcrypt" 625 SSHDLIBS="$SSHDLIBS -lcrypt"
626 TEST_MALLOC_OPTIONS="AFGJPRX"
590 ;; 627 ;;
591*-*-haiku*) 628*-*-haiku*)
592 LIBS="$LIBS -lbsd " 629 LIBS="$LIBS -lbsd "
@@ -684,6 +721,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
684 ;; 721 ;;
685*-*-linux*) 722*-*-linux*)
686 no_dev_ptmx=1 723 no_dev_ptmx=1
724 use_pie=auto
687 check_for_libcrypt_later=1 725 check_for_libcrypt_later=1
688 check_for_openpty_ctty_bug=1 726 check_for_openpty_ctty_bug=1
689 AC_DEFINE([PAM_TTY_KLUDGE], [1], 727 AC_DEFINE([PAM_TTY_KLUDGE], [1],
@@ -752,6 +790,11 @@ mips-sony-bsd|mips-sony-newsos4)
752 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) 790 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
753 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 791 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
754 [Prepend the address family to IP tunnel traffic]) 792 [Prepend the address family to IP tunnel traffic])
793 TEST_MALLOC_OPTIONS="AJRX"
794 AC_DEFINE([BROKEN_STRNVIS], [1],
795 [NetBSD strnvis argument order is swapped compared to OpenBSD])
796 AC_DEFINE([BROKEN_READ_COMPARISON], [1],
797 [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
755 ;; 798 ;;
756*-*-freebsd*) 799*-*-freebsd*)
757 check_for_libcrypt_later=1 800 check_for_libcrypt_later=1
@@ -760,7 +803,13 @@ mips-sony-bsd|mips-sony-newsos4)
760 AC_CHECK_HEADER([net/if_tap.h], , 803 AC_CHECK_HEADER([net/if_tap.h], ,
761 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) 804 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
762 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) 805 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
763 AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) 806 AC_DEFINE([BROKEN_STRNVIS], [1],
807 [FreeBSD strnvis argument order is swapped compared to OpenBSD])
808 TEST_MALLOC_OPTIONS="AJRX"
809 # Preauth crypto occasionally uses file descriptors for crypto offload
810 # and will crash if they cannot be opened.
811 AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
812 [define if setrlimit RLIMIT_NOFILE breaks things])],
764 ;; 813 ;;
765*-*-bsdi*) 814*-*-bsdi*)
766 AC_DEFINE([SETEUID_BREAKS_SETUID]) 815 AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -778,11 +827,13 @@ mips-sony-bsd|mips-sony-newsos4)
778 AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) 827 AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
779 ;; 828 ;;
780*-*-openbsd*) 829*-*-openbsd*)
830 use_pie=auto
781 AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) 831 AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
782 AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) 832 AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
783 AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) 833 AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
784 AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], 834 AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
785 [syslog_r function is safe to use in in a signal handler]) 835 [syslog_r function is safe to use in in a signal handler])
836 TEST_MALLOC_OPTIONS="AFGJPRX"
786 ;; 837 ;;
787*-*-solaris*) 838*-*-solaris*)
788 if test "x$withval" != "xno" ; then 839 if test "x$withval" != "xno" ; then
@@ -1215,6 +1266,9 @@ AC_SEARCH_LIBS([openpty], [util bsd])
1215AC_SEARCH_LIBS([updwtmp], [util bsd]) 1266AC_SEARCH_LIBS([updwtmp], [util bsd])
1216AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) 1267AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1217 1268
1269# On some platforms, inet_ntop may be found in libresolv or libnsl.
1270AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1271
1218AC_FUNC_STRFTIME 1272AC_FUNC_STRFTIME
1219 1273
1220# Check for ALTDIRFUNC glob() extension 1274# Check for ALTDIRFUNC glob() extension
@@ -1466,7 +1520,7 @@ AC_ARG_WITH([libedit],
1466 fi 1520 fi
1467 fi 1521 fi
1468 if test "x$use_pkgconfig_for_libedit" = "xyes"; then 1522 if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1469 LIBEDIT=`$PKGCONFIG --libs-only-l libedit` 1523 LIBEDIT=`$PKGCONFIG --libs libedit`
1470 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" 1524 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1471 else 1525 else
1472 LIBEDIT="-ledit -lcurses" 1526 LIBEDIT="-ledit -lcurses"
@@ -1520,7 +1574,7 @@ AC_ARG_WITH([audit],
1520 # These are optional 1574 # These are optional
1521 AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) 1575 AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1522 AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) 1576 AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1523 if test "$sol2ver" -eq 11; then 1577 if test "$sol2ver" -ge 11; then
1524 SSHDLIBS="$SSHDLIBS -lscf" 1578 SSHDLIBS="$SSHDLIBS -lscf"
1525 AC_DEFINE([BROKEN_BSM_API], [1], 1579 AC_DEFINE([BROKEN_BSM_API], [1],
1526 [The system has incomplete BSM API]) 1580 [The system has incomplete BSM API])
@@ -1548,10 +1602,62 @@ AC_ARG_WITH([audit],
1548 esac ] 1602 esac ]
1549) 1603)
1550 1604
1605AC_ARG_WITH([pie],
1606 [ --with-pie Build Position Independent Executables if possible], [
1607 if test "x$withval" = "xno"; then
1608 use_pie=no
1609 fi
1610 if test "x$withval" = "xyes"; then
1611 use_pie=yes
1612 fi
1613 ]
1614)
1615if test "x$use_pie" = "x"; then
1616 use_pie=no
1617fi
1618if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1619 # Turn off automatic PIE when toolchain hardening is off.
1620 use_pie=no
1621fi
1622if test "x$use_pie" = "xauto"; then
1623 # Automatic PIE requires gcc >= 4.x
1624 AC_MSG_CHECKING([for gcc >= 4.x])
1625 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1626#if !defined(__GNUC__) || __GNUC__ < 4
1627#error gcc is too old
1628#endif
1629]])],
1630 [ AC_MSG_RESULT([yes]) ],
1631 [ AC_MSG_RESULT([no])
1632 use_pie=no ]
1633)
1634fi
1635if test "x$use_pie" != "xno"; then
1636 SAVED_CFLAGS="$CFLAGS"
1637 SAVED_LDFLAGS="$LDFLAGS"
1638 OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1639 OSSH_CHECK_LDFLAG_LINK([-pie])
1640 # We use both -fPIE and -pie or neither.
1641 AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1642 if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
1643 echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
1644 AC_MSG_RESULT([yes])
1645 else
1646 AC_MSG_RESULT([no])
1647 CFLAGS="$SAVED_CFLAGS"
1648 LDFLAGS="$SAVED_LDFLAGS"
1649 fi
1650fi
1651
1551dnl Checks for library functions. Please keep in alphabetical order 1652dnl Checks for library functions. Please keep in alphabetical order
1552AC_CHECK_FUNCS([ \ 1653AC_CHECK_FUNCS([ \
1654 Blowfish_initstate \
1655 Blowfish_expandstate \
1656 Blowfish_expand0state \
1657 Blowfish_stream2word \
1553 arc4random \ 1658 arc4random \
1554 arc4random_buf \ 1659 arc4random_buf \
1660 arc4random_stir \
1555 arc4random_uniform \ 1661 arc4random_uniform \
1556 asprintf \ 1662 asprintf \
1557 b64_ntop \ 1663 b64_ntop \
@@ -1559,7 +1665,10 @@ AC_CHECK_FUNCS([ \
1559 b64_pton \ 1665 b64_pton \
1560 __b64_pton \ 1666 __b64_pton \
1561 bcopy \ 1667 bcopy \
1668 bcrypt_pbkdf \
1562 bindresvport_sa \ 1669 bindresvport_sa \
1670 blf_enc \
1671 cap_rights_limit \
1563 clock \ 1672 clock \
1564 closefrom \ 1673 closefrom \
1565 dirfd \ 1674 dirfd \
@@ -1567,6 +1676,7 @@ AC_CHECK_FUNCS([ \
1567 fchmod \ 1676 fchmod \
1568 fchown \ 1677 fchown \
1569 freeaddrinfo \ 1678 freeaddrinfo \
1679 fstatfs \
1570 fstatvfs \ 1680 fstatvfs \
1571 futimes \ 1681 futimes \
1572 getaddrinfo \ 1682 getaddrinfo \
@@ -2336,7 +2446,17 @@ AC_LINK_IFELSE(
2336 ] 2446 ]
2337) 2447)
2338 2448
2339AC_CHECK_FUNCS([RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init]) 2449AC_CHECK_FUNCS([ \
2450 BN_is_prime_ex \
2451 DSA_generate_parameters_ex \
2452 EVP_DigestInit_ex \
2453 EVP_DigestFinal_ex \
2454 EVP_MD_CTX_init \
2455 EVP_MD_CTX_cleanup \
2456 HMAC_CTX_init \
2457 RSA_generate_key_ex \
2458 RSA_get_default_method \
2459])
2340 2460
2341AC_ARG_WITH([ssl-engine], 2461AC_ARG_WITH([ssl-engine],
2342 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], 2462 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
@@ -2460,19 +2580,58 @@ fi
2460AC_CHECK_FUNCS([crypt DES_crypt]) 2580AC_CHECK_FUNCS([crypt DES_crypt])
2461 2581
2462# Search for SHA256 support in libc and/or OpenSSL 2582# Search for SHA256 support in libc and/or OpenSSL
2463AC_CHECK_FUNCS([SHA256_Update EVP_sha256], 2583AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2464 [TEST_SSH_SHA256=yes], 2584 [unsupported_algorithms="$unsupported_algorithms \
2465 [TEST_SSH_SHA256=no
2466 unsupported_algorithms="$unsupported_algorithms \
2467 hmac-sha2-256 hmac-sha2-512 \ 2585 hmac-sha2-256 hmac-sha2-512 \
2468 diffie-hellman-group-exchange-sha256 \ 2586 diffie-hellman-group-exchange-sha256 \
2469 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" 2587 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2470 ] 2588 ]
2471) 2589)
2472AC_SUBST([TEST_SSH_SHA256])
2473 2590
2474# Check complete ECC support in OpenSSL 2591# Check complete ECC support in OpenSSL
2475AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) 2592AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2593AC_LINK_IFELSE(
2594 [AC_LANG_PROGRAM([[
2595#include <openssl/ec.h>
2596#include <openssl/ecdh.h>
2597#include <openssl/ecdsa.h>
2598#include <openssl/evp.h>
2599#include <openssl/objects.h>
2600#include <openssl/opensslv.h>
2601#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2602# error "OpenSSL < 0.9.8g has unreliable ECC code"
2603#endif
2604 ]], [[
2605 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2606 const EVP_MD *m = EVP_sha256(); /* We need this too */
2607 ]])],
2608 [ AC_MSG_RESULT([yes])
2609 enable_nistp256=1 ],
2610 [ AC_MSG_RESULT([no]) ]
2611)
2612
2613AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
2614AC_LINK_IFELSE(
2615 [AC_LANG_PROGRAM([[
2616#include <openssl/ec.h>
2617#include <openssl/ecdh.h>
2618#include <openssl/ecdsa.h>
2619#include <openssl/evp.h>
2620#include <openssl/objects.h>
2621#include <openssl/opensslv.h>
2622#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2623# error "OpenSSL < 0.9.8g has unreliable ECC code"
2624#endif
2625 ]], [[
2626 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
2627 const EVP_MD *m = EVP_sha384(); /* We need this too */
2628 ]])],
2629 [ AC_MSG_RESULT([yes])
2630 enable_nistp384=1 ],
2631 [ AC_MSG_RESULT([no]) ]
2632)
2633
2634AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2476AC_LINK_IFELSE( 2635AC_LINK_IFELSE(
2477 [AC_LANG_PROGRAM([[ 2636 [AC_LANG_PROGRAM([[
2478#include <openssl/ec.h> 2637#include <openssl/ec.h>
@@ -2488,25 +2647,63 @@ AC_LINK_IFELSE(
2488 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2647 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2489 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2648 const EVP_MD *m = EVP_sha512(); /* We need this too */
2490 ]])], 2649 ]])],
2491 [ 2650 [ AC_MSG_RESULT([yes])
2492 AC_MSG_RESULT([yes]) 2651 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2493 AC_DEFINE([OPENSSL_HAS_ECC], [1], 2652 AC_RUN_IFELSE(
2494 [libcrypto includes complete ECC support]) 2653 [AC_LANG_PROGRAM([[
2495 TEST_SSH_ECC=yes 2654#include <openssl/ec.h>
2496 COMMENT_OUT_ECC="" 2655#include <openssl/ecdh.h>
2497 ], 2656#include <openssl/ecdsa.h>
2498 [ 2657#include <openssl/evp.h>
2499 AC_MSG_RESULT([no]) 2658#include <openssl/objects.h>
2500 TEST_SSH_ECC=no 2659#include <openssl/opensslv.h>
2501 COMMENT_OUT_ECC="#no ecc#" 2660 ]],[[
2502 unsupported_algorithms="$unsupported_algorithms \ 2661 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2503 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ 2662 const EVP_MD *m = EVP_sha512(); /* We need this too */
2504 ecdsa-sha2-nistp256-cert-v01@openssh.com \ 2663 exit(e == NULL || m == NULL);
2505 ecdsa-sha2-nistp384-cert-v01@openssh.com \ 2664 ]])],
2506 ecdsa-sha2-nistp521-cert-v01@openssh.com \ 2665 [ AC_MSG_RESULT([yes])
2507 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" 2666 enable_nistp521=1 ],
2508 ] 2667 [ AC_MSG_RESULT([no]) ],
2668 [ AC_MSG_WARN([cross-compiling: assuming yes])
2669 enable_nistp521=1 ]
2670 )],
2671 AC_MSG_RESULT([no])
2509) 2672)
2673
2674COMMENT_OUT_ECC="#no ecc#"
2675TEST_SSH_ECC=no
2676
2677if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
2678 test x$enable_nistp521 = x1; then
2679 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
2680fi
2681if test x$enable_nistp256 = x1; then
2682 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
2683 [libcrypto has NID_X9_62_prime256v1])
2684 TEST_SSH_ECC=yes
2685 COMMENT_OUT_ECC=""
2686else
2687 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
2688 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
2689fi
2690if test x$enable_nistp384 = x1; then
2691 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
2692 TEST_SSH_ECC=yes
2693 COMMENT_OUT_ECC=""
2694else
2695 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
2696 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
2697fi
2698if test x$enable_nistp521 = x1; then
2699 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
2700 TEST_SSH_ECC=yes
2701 COMMENT_OUT_ECC=""
2702else
2703 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
2704 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
2705fi
2706
2510AC_SUBST([TEST_SSH_ECC]) 2707AC_SUBST([TEST_SSH_ECC])
2511AC_SUBST([COMMENT_OUT_ECC]) 2708AC_SUBST([COMMENT_OUT_ECC])
2512 2709
@@ -2738,7 +2935,7 @@ fi
2738# Decide which sandbox style to use 2935# Decide which sandbox style to use
2739sandbox_arg="" 2936sandbox_arg=""
2740AC_ARG_WITH([sandbox], 2937AC_ARG_WITH([sandbox],
2741 [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)], 2938 [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
2742 [ 2939 [
2743 if test "x$withval" = "xyes" ; then 2940 if test "x$withval" = "xyes" ; then
2744 sandbox_arg="" 2941 sandbox_arg=""
@@ -2867,6 +3064,16 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
2867 AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) 3064 AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
2868 SANDBOX_STYLE="seccomp_filter" 3065 SANDBOX_STYLE="seccomp_filter"
2869 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) 3066 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3067elif test "x$sandbox_arg" = "xcapsicum" || \
3068 ( test -z "$sandbox_arg" && \
3069 test "x$ac_cv_header_sys_capability_h" = "xyes" && \
3070 test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3071 test "x$ac_cv_header_sys_capability_h" != "xyes" && \
3072 AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header])
3073 test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3074 AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3075 SANDBOX_STYLE="capsicum"
3076 AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
2870elif test "x$sandbox_arg" = "xrlimit" || \ 3077elif test "x$sandbox_arg" = "xrlimit" || \
2871 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ 3078 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
2872 test "x$select_works_with_rlimit" = "xyes" && \ 3079 test "x$select_works_with_rlimit" = "xyes" && \
@@ -3090,7 +3297,9 @@ if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3090 have_u_int64_t=1 3297 have_u_int64_t=1
3091fi 3298fi
3092 3299
3093if test -z "$have_u_int64_t" ; then 3300if (test -z "$have_u_int64_t" && \
3301 test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3302then
3094 AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) 3303 AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3095 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]], 3304 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3096 [[ u_int64_t a; a = 1]])], 3305 [[ u_int64_t a; a = 1]])],
@@ -3120,7 +3329,9 @@ if test -z "$have_u_intxx_t" ; then
3120 fi 3329 fi
3121fi 3330fi
3122 3331
3123if test -z "$have_uintxx_t" ; then 3332if (test -z "$have_uintxx_t" && \
3333 test "x$ac_cv_header_stdint_h" = "xyes")
3334then
3124 AC_MSG_CHECKING([for uintXX_t types in stdint.h]) 3335 AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3125 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]], 3336 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3126 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], 3337 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
@@ -3131,6 +3342,19 @@ if test -z "$have_uintxx_t" ; then
3131 ]) 3342 ])
3132fi 3343fi
3133 3344
3345if (test -z "$have_uintxx_t" && \
3346 test "x$ac_cv_header_inttypes_h" = "xyes")
3347then
3348 AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3349 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3350 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3351 [
3352 AC_DEFINE([HAVE_UINTXX_T])
3353 AC_MSG_RESULT([yes])
3354 ], [ AC_MSG_RESULT([no])
3355 ])
3356fi
3357
3134if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ 3358if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3135 test "x$ac_cv_header_sys_bitypes_h" = "xyes") 3359 test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3136then 3360then
@@ -3161,6 +3385,11 @@ if test "x$ac_cv_have_u_char" = "xyes" ; then
3161 AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) 3385 AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3162fi 3386fi
3163 3387
3388AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3389#include <sys/types.h>
3390#include <stdint.h>
3391])
3392
3164TYPE_SOCKLEN_T 3393TYPE_SOCKLEN_T
3165 3394
3166AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>]) 3395AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
@@ -4609,6 +4838,7 @@ else
4609fi 4838fi
4610AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) 4839AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no])
4611AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) 4840AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
4841AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
4612AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) 4842AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
4613 4843
4614AC_EXEEXT 4844AC_EXEEXT
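Review bot: The new `AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1], ...)` in the `*-*-freebsd*` case arm (new line 812) ends with `])],`, so a stray `],` follows the point where the macro call already closes. Nothing visible in that arm opens a bracket or an argument list that it could be closing. Depending on how m4 handles the unmatched quote, the extra text probably either lands literally in the generated configure script on the FreeBSD branch or disturbs the quoting of what follows, so it is worth regenerating configure and inspecting that arm. The line should end `[define if setrlimit RLIMIT_NOFILE breaks things])`. This matters beyond tidiness because the define relaxes a preauth sandbox restriction on FreeBSD, and a misparse here could silently change whether it is set.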