Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 308 |
1 files changed, 269 insertions, 39 deletions
diff --git a/configure.ac b/configure.ac index d7d500a33..e2289cd37 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ | 1 | # $Id: configure.ac,v 1.568 2014/01/30 00:26:46 djm Exp $ |
2 | # | 2 | # |
3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
4 | # | 4 | # |
@@ -15,7 +15,7 @@ | |||
15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | 16 | ||
17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) | 17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) |
18 | AC_REVISION($Revision: 1.536 $) | 18 | AC_REVISION($Revision: 1.568 $) |
19 | AC_CONFIG_SRCDIR([ssh.c]) | 19 | AC_CONFIG_SRCDIR([ssh.c]) |
20 | AC_LANG([C]) | 20 | AC_LANG([C]) |
21 | 21 | ||
@@ -120,19 +120,36 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
120 | #include <sys/types.h> | 120 | #include <sys/types.h> |
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | |||
123 | use_stack_protector=1 | 124 | use_stack_protector=1 |
125 | use_toolchain_hardening=1 | ||
124 | AC_ARG_WITH([stackprotect], | 126 | AC_ARG_WITH([stackprotect], |
125 | [ --without-stackprotect Don't use compiler's stack protection], [ | 127 | [ --without-stackprotect Don't use compiler's stack protection], [ |
126 | if test "x$withval" = "xno"; then | 128 | if test "x$withval" = "xno"; then |
127 | use_stack_protector=0 | 129 | use_stack_protector=0 |
128 | fi ]) | 130 | fi ]) |
131 | AC_ARG_WITH([hardening], | ||
132 | [ --without-hardening Don't use toolchain hardening flags], [ | ||
133 | if test "x$withval" = "xno"; then | ||
134 | use_toolchain_hardening=0 | ||
135 | fi ]) | ||
129 | 136 | ||
137 | # We use -Werror for the tests only so that we catch warnings like "this is | ||
138 | # on by default" for things like -fPIE. | ||
139 | AC_MSG_CHECKING([if $CC supports -Werror]) | ||
140 | saved_CFLAGS="$CFLAGS" | ||
141 | CFLAGS="$CFLAGS -Werror" | ||
142 | AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], | ||
143 | [ AC_MSG_RESULT([yes]) | ||
144 | WERROR="-Werror"], | ||
145 | [ AC_MSG_RESULT([no]) | ||
146 | WERROR="" ] | ||
147 | ) | ||
148 | CFLAGS="$saved_CFLAGS" | ||
130 | 149 | ||
131 | if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | 150 | if test "$GCC" = "yes" || test "$GCC" = "egcs"; then |
132 | OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], | 151 | OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) |
133 | [-Qunused-arguments]) | 152 | OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option]) |
134 | OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror], | ||
135 | [-Wno-unknown-warning-option]) | ||
136 | OSSH_CHECK_CFLAG_COMPILE([-Wall]) | 153 | OSSH_CHECK_CFLAG_COMPILE([-Wall]) |
137 | OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) | 154 | OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) |
138 | OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) | 155 | OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) |
@@ -143,6 +160,17 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
143 | OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) | 160 | OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) |
144 | OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) | 161 | OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) |
145 | OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) | 162 | OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) |
163 | if test "x$use_toolchain_hardening" = "x1"; then | ||
164 | OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) | ||
165 | OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) | ||
166 | OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) | ||
167 | # NB. -ftrapv expects certain support functions to be present in | ||
168 | # the compiler library (libgcc or similar) to detect integer operations | ||
169 | # that can overflow. We must check that the result of enabling it | ||
170 | # actually links. The test program compiled/linked includes a number | ||
171 | # of integer operations that should exercise this. | ||
172 | OSSH_CHECK_CFLAG_LINK([-ftrapv]) | ||
173 | fi | ||
146 | AC_MSG_CHECKING([gcc version]) | 174 | AC_MSG_CHECKING([gcc version]) |
147 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` | 175 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` |
148 | case $GCC_VER in | 176 | case $GCC_VER in |
@@ -169,7 +197,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
169 | # and/or platforms, so we test if we can. If it's not supported | 197 | # and/or platforms, so we test if we can. If it's not supported |
170 | # on a given platform gcc will emit a warning so we use -Werror. | 198 | # on a given platform gcc will emit a warning so we use -Werror. |
171 | if test "x$use_stack_protector" = "x1"; then | 199 | if test "x$use_stack_protector" = "x1"; then |
172 | for t in -fstack-protector-all -fstack-protector; do | 200 | for t in -fstack-protector-strong -fstack-protector-all \ |
201 | -fstack-protector; do | ||
173 | AC_MSG_CHECKING([if $CC supports $t]) | 202 | AC_MSG_CHECKING([if $CC supports $t]) |
174 | saved_CFLAGS="$CFLAGS" | 203 | saved_CFLAGS="$CFLAGS" |
175 | saved_LDFLAGS="$LDFLAGS" | 204 | saved_LDFLAGS="$LDFLAGS" |
@@ -296,6 +325,7 @@ AC_ARG_WITH([Werror], | |||
296 | ) | 325 | ) |
297 | 326 | ||
298 | AC_CHECK_HEADERS([ \ | 327 | AC_CHECK_HEADERS([ \ |
328 | blf.h \ | ||
299 | bstring.h \ | 329 | bstring.h \ |
300 | crypt.h \ | 330 | crypt.h \ |
301 | crypto/sha2.h \ | 331 | crypto/sha2.h \ |
@@ -309,6 +339,7 @@ AC_CHECK_HEADERS([ \ | |||
309 | glob.h \ | 339 | glob.h \ |
310 | ia.h \ | 340 | ia.h \ |
311 | iaf.h \ | 341 | iaf.h \ |
342 | inttypes.h \ | ||
312 | limits.h \ | 343 | limits.h \ |
313 | locale.h \ | 344 | locale.h \ |
314 | login.h \ | 345 | login.h \ |
@@ -333,6 +364,7 @@ AC_CHECK_HEADERS([ \ | |||
333 | sys/audit.h \ | 364 | sys/audit.h \ |
334 | sys/bitypes.h \ | 365 | sys/bitypes.h \ |
335 | sys/bsdtty.h \ | 366 | sys/bsdtty.h \ |
367 | sys/capability.h \ | ||
336 | sys/cdefs.h \ | 368 | sys/cdefs.h \ |
337 | sys/dir.h \ | 369 | sys/dir.h \ |
338 | sys/mman.h \ | 370 | sys/mman.h \ |
@@ -513,7 +545,10 @@ case "$host" in | |||
513 | [Define if your platform needs to skip post auth | 545 | [Define if your platform needs to skip post auth |
514 | file descriptor passing]) | 546 | file descriptor passing]) |
515 | AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) | 547 | AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size]) |
516 | AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) | 548 | AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) |
549 | # Cygwin defines optargs, optargs as declspec(dllimport) for historical | ||
550 | # reasons which cause compile warnings, so we disable those warnings. | ||
551 | OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes]) | ||
517 | ;; | 552 | ;; |
518 | *-*-dgux*) | 553 | *-*-dgux*) |
519 | AC_DEFINE([IP_TOS_IS_BROKEN], [1], | 554 | AC_DEFINE([IP_TOS_IS_BROKEN], [1], |
@@ -523,6 +558,7 @@ case "$host" in | |||
523 | AC_DEFINE([BROKEN_SETREGID]) | 558 | AC_DEFINE([BROKEN_SETREGID]) |
524 | ;; | 559 | ;; |
525 | *-*-darwin*) | 560 | *-*-darwin*) |
561 | use_pie=auto | ||
526 | AC_MSG_CHECKING([if we have working getaddrinfo]) | 562 | AC_MSG_CHECKING([if we have working getaddrinfo]) |
527 | AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> | 563 | AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> |
528 | main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 564 | main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
@@ -587,6 +623,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
587 | ;; | 623 | ;; |
588 | *-*-dragonfly*) | 624 | *-*-dragonfly*) |
589 | SSHDLIBS="$SSHDLIBS -lcrypt" | 625 | SSHDLIBS="$SSHDLIBS -lcrypt" |
626 | TEST_MALLOC_OPTIONS="AFGJPRX" | ||
590 | ;; | 627 | ;; |
591 | *-*-haiku*) | 628 | *-*-haiku*) |
592 | LIBS="$LIBS -lbsd " | 629 | LIBS="$LIBS -lbsd " |
@@ -684,6 +721,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
684 | ;; | 721 | ;; |
685 | *-*-linux*) | 722 | *-*-linux*) |
686 | no_dev_ptmx=1 | 723 | no_dev_ptmx=1 |
724 | use_pie=auto | ||
687 | check_for_libcrypt_later=1 | 725 | check_for_libcrypt_later=1 |
688 | check_for_openpty_ctty_bug=1 | 726 | check_for_openpty_ctty_bug=1 |
689 | AC_DEFINE([PAM_TTY_KLUDGE], [1], | 727 | AC_DEFINE([PAM_TTY_KLUDGE], [1], |
@@ -752,6 +790,11 @@ mips-sony-bsd|mips-sony-newsos4) | |||
752 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) | 790 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) |
753 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 791 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
754 | [Prepend the address family to IP tunnel traffic]) | 792 | [Prepend the address family to IP tunnel traffic]) |
793 | TEST_MALLOC_OPTIONS="AJRX" | ||
794 | AC_DEFINE([BROKEN_STRNVIS], [1], | ||
795 | [NetBSD strnvis argument order is swapped compared to OpenBSD]) | ||
796 | AC_DEFINE([BROKEN_READ_COMPARISON], [1], | ||
797 | [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it]) | ||
755 | ;; | 798 | ;; |
756 | *-*-freebsd*) | 799 | *-*-freebsd*) |
757 | check_for_libcrypt_later=1 | 800 | check_for_libcrypt_later=1 |
@@ -760,7 +803,13 @@ mips-sony-bsd|mips-sony-newsos4) | |||
760 | AC_CHECK_HEADER([net/if_tap.h], , | 803 | AC_CHECK_HEADER([net/if_tap.h], , |
761 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) | 804 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) |
762 | AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) | 805 | AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) |
763 | AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) | 806 | AC_DEFINE([BROKEN_STRNVIS], [1], |
807 | [FreeBSD strnvis argument order is swapped compared to OpenBSD]) | ||
808 | TEST_MALLOC_OPTIONS="AJRX" | ||
809 | # Preauth crypto occasionally uses file descriptors for crypto offload | ||
810 | # and will crash if they cannot be opened. | ||
811 | AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1], | ||
812 | [define if setrlimit RLIMIT_NOFILE breaks things])], | ||
764 | ;; | 813 | ;; |
765 | *-*-bsdi*) | 814 | *-*-bsdi*) |
766 | AC_DEFINE([SETEUID_BREAKS_SETUID]) | 815 | AC_DEFINE([SETEUID_BREAKS_SETUID]) |
@@ -778,11 +827,13 @@ mips-sony-bsd|mips-sony-newsos4) | |||
778 | AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) | 827 | AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) |
779 | ;; | 828 | ;; |
780 | *-*-openbsd*) | 829 | *-*-openbsd*) |
830 | use_pie=auto | ||
781 | AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) | 831 | AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel]) |
782 | AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) | 832 | AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded]) |
783 | AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) | 833 | AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way]) |
784 | AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], | 834 | AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], |
785 | [syslog_r function is safe to use in in a signal handler]) | 835 | [syslog_r function is safe to use in in a signal handler]) |
836 | TEST_MALLOC_OPTIONS="AFGJPRX" | ||
786 | ;; | 837 | ;; |
787 | *-*-solaris*) | 838 | *-*-solaris*) |
788 | if test "x$withval" != "xno" ; then | 839 | if test "x$withval" != "xno" ; then |
@@ -1215,6 +1266,9 @@ AC_SEARCH_LIBS([openpty], [util bsd]) | |||
1215 | AC_SEARCH_LIBS([updwtmp], [util bsd]) | 1266 | AC_SEARCH_LIBS([updwtmp], [util bsd]) |
1216 | AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) | 1267 | AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) |
1217 | 1268 | ||
1269 | # On some platforms, inet_ntop may be found in libresolv or libnsl. | ||
1270 | AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) | ||
1271 | |||
1218 | AC_FUNC_STRFTIME | 1272 | AC_FUNC_STRFTIME |
1219 | 1273 | ||
1220 | # Check for ALTDIRFUNC glob() extension | 1274 | # Check for ALTDIRFUNC glob() extension |
@@ -1466,7 +1520,7 @@ AC_ARG_WITH([libedit], | |||
1466 | fi | 1520 | fi |
1467 | fi | 1521 | fi |
1468 | if test "x$use_pkgconfig_for_libedit" = "xyes"; then | 1522 | if test "x$use_pkgconfig_for_libedit" = "xyes"; then |
1469 | LIBEDIT=`$PKGCONFIG --libs-only-l libedit` | 1523 | LIBEDIT=`$PKGCONFIG --libs libedit` |
1470 | CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" | 1524 | CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" |
1471 | else | 1525 | else |
1472 | LIBEDIT="-ledit -lcurses" | 1526 | LIBEDIT="-ledit -lcurses" |
@@ -1520,7 +1574,7 @@ AC_ARG_WITH([audit], | |||
1520 | # These are optional | 1574 | # These are optional |
1521 | AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) | 1575 | AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) |
1522 | AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) | 1576 | AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) |
1523 | if test "$sol2ver" -eq 11; then | 1577 | if test "$sol2ver" -ge 11; then |
1524 | SSHDLIBS="$SSHDLIBS -lscf" | 1578 | SSHDLIBS="$SSHDLIBS -lscf" |
1525 | AC_DEFINE([BROKEN_BSM_API], [1], | 1579 | AC_DEFINE([BROKEN_BSM_API], [1], |
1526 | [The system has incomplete BSM API]) | 1580 | [The system has incomplete BSM API]) |
@@ -1548,10 +1602,62 @@ AC_ARG_WITH([audit], | |||
1548 | esac ] | 1602 | esac ] |
1549 | ) | 1603 | ) |
1550 | 1604 | ||
1605 | AC_ARG_WITH([pie], | ||
1606 | [ --with-pie Build Position Independent Executables if possible], [ | ||
1607 | if test "x$withval" = "xno"; then | ||
1608 | use_pie=no | ||
1609 | fi | ||
1610 | if test "x$withval" = "xyes"; then | ||
1611 | use_pie=yes | ||
1612 | fi | ||
1613 | ] | ||
1614 | ) | ||
1615 | if test "x$use_pie" = "x"; then | ||
1616 | use_pie=no | ||
1617 | fi | ||
1618 | if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then | ||
1619 | # Turn off automatic PIE when toolchain hardening is off. | ||
1620 | use_pie=no | ||
1621 | fi | ||
1622 | if test "x$use_pie" = "xauto"; then | ||
1623 | # Automatic PIE requires gcc >= 4.x | ||
1624 | AC_MSG_CHECKING([for gcc >= 4.x]) | ||
1625 | AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ | ||
1626 | #if !defined(__GNUC__) || __GNUC__ < 4 | ||
1627 | #error gcc is too old | ||
1628 | #endif | ||
1629 | ]])], | ||
1630 | [ AC_MSG_RESULT([yes]) ], | ||
1631 | [ AC_MSG_RESULT([no]) | ||
1632 | use_pie=no ] | ||
1633 | ) | ||
1634 | fi | ||
1635 | if test "x$use_pie" != "xno"; then | ||
1636 | SAVED_CFLAGS="$CFLAGS" | ||
1637 | SAVED_LDFLAGS="$LDFLAGS" | ||
1638 | OSSH_CHECK_CFLAG_COMPILE([-fPIE]) | ||
1639 | OSSH_CHECK_LDFLAG_LINK([-pie]) | ||
1640 | # We use both -fPIE and -pie or neither. | ||
1641 | AC_MSG_CHECKING([whether both -fPIE and -pie are supported]) | ||
1642 | if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \ | ||
1643 | echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then | ||
1644 | AC_MSG_RESULT([yes]) | ||
1645 | else | ||
1646 | AC_MSG_RESULT([no]) | ||
1647 | CFLAGS="$SAVED_CFLAGS" | ||
1648 | LDFLAGS="$SAVED_LDFLAGS" | ||
1649 | fi | ||
1650 | fi | ||
1651 | |||
1551 | dnl Checks for library functions. Please keep in alphabetical order | 1652 | dnl Checks for library functions. Please keep in alphabetical order |
1552 | AC_CHECK_FUNCS([ \ | 1653 | AC_CHECK_FUNCS([ \ |
1654 | Blowfish_initstate \ | ||
1655 | Blowfish_expandstate \ | ||
1656 | Blowfish_expand0state \ | ||
1657 | Blowfish_stream2word \ | ||
1553 | arc4random \ | 1658 | arc4random \ |
1554 | arc4random_buf \ | 1659 | arc4random_buf \ |
1660 | arc4random_stir \ | ||
1555 | arc4random_uniform \ | 1661 | arc4random_uniform \ |
1556 | asprintf \ | 1662 | asprintf \ |
1557 | b64_ntop \ | 1663 | b64_ntop \ |
@@ -1559,7 +1665,10 @@ AC_CHECK_FUNCS([ \ | |||
1559 | b64_pton \ | 1665 | b64_pton \ |
1560 | __b64_pton \ | 1666 | __b64_pton \ |
1561 | bcopy \ | 1667 | bcopy \ |
1668 | bcrypt_pbkdf \ | ||
1562 | bindresvport_sa \ | 1669 | bindresvport_sa \ |
1670 | blf_enc \ | ||
1671 | cap_rights_limit \ | ||
1563 | clock \ | 1672 | clock \ |
1564 | closefrom \ | 1673 | closefrom \ |
1565 | dirfd \ | 1674 | dirfd \ |
@@ -1567,6 +1676,7 @@ AC_CHECK_FUNCS([ \ | |||
1567 | fchmod \ | 1676 | fchmod \ |
1568 | fchown \ | 1677 | fchown \ |
1569 | freeaddrinfo \ | 1678 | freeaddrinfo \ |
1679 | fstatfs \ | ||
1570 | fstatvfs \ | 1680 | fstatvfs \ |
1571 | futimes \ | 1681 | futimes \ |
1572 | getaddrinfo \ | 1682 | getaddrinfo \ |
@@ -2336,7 +2446,17 @@ AC_LINK_IFELSE( | |||
2336 | ] | 2446 | ] |
2337 | ) | 2447 | ) |
2338 | 2448 | ||
2339 | AC_CHECK_FUNCS([RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init]) | 2449 | AC_CHECK_FUNCS([ \ |
2450 | BN_is_prime_ex \ | ||
2451 | DSA_generate_parameters_ex \ | ||
2452 | EVP_DigestInit_ex \ | ||
2453 | EVP_DigestFinal_ex \ | ||
2454 | EVP_MD_CTX_init \ | ||
2455 | EVP_MD_CTX_cleanup \ | ||
2456 | HMAC_CTX_init \ | ||
2457 | RSA_generate_key_ex \ | ||
2458 | RSA_get_default_method \ | ||
2459 | ]) | ||
2340 | 2460 | ||
2341 | AC_ARG_WITH([ssl-engine], | 2461 | AC_ARG_WITH([ssl-engine], |
2342 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], | 2462 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], |
@@ -2460,19 +2580,58 @@ fi | |||
2460 | AC_CHECK_FUNCS([crypt DES_crypt]) | 2580 | AC_CHECK_FUNCS([crypt DES_crypt]) |
2461 | 2581 | ||
2462 | # Search for SHA256 support in libc and/or OpenSSL | 2582 | # Search for SHA256 support in libc and/or OpenSSL |
2463 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], | 2583 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , |
2464 | [TEST_SSH_SHA256=yes], | 2584 | [unsupported_algorithms="$unsupported_algorithms \ |
2465 | [TEST_SSH_SHA256=no | ||
2466 | unsupported_algorithms="$unsupported_algorithms \ | ||
2467 | hmac-sha2-256 hmac-sha2-512 \ | 2585 | hmac-sha2-256 hmac-sha2-512 \ |
2468 | diffie-hellman-group-exchange-sha256 \ | 2586 | diffie-hellman-group-exchange-sha256 \ |
2469 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | 2587 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" |
2470 | ] | 2588 | ] |
2471 | ) | 2589 | ) |
2472 | AC_SUBST([TEST_SSH_SHA256]) | ||
2473 | 2590 | ||
2474 | # Check complete ECC support in OpenSSL | 2591 | # Check complete ECC support in OpenSSL |
2475 | AC_MSG_CHECKING([whether OpenSSL has complete ECC support]) | 2592 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2593 | AC_LINK_IFELSE( | ||
2594 | [AC_LANG_PROGRAM([[ | ||
2595 | #include <openssl/ec.h> | ||
2596 | #include <openssl/ecdh.h> | ||
2597 | #include <openssl/ecdsa.h> | ||
2598 | #include <openssl/evp.h> | ||
2599 | #include <openssl/objects.h> | ||
2600 | #include <openssl/opensslv.h> | ||
2601 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2602 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2603 | #endif | ||
2604 | ]], [[ | ||
2605 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | ||
2606 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | ||
2607 | ]])], | ||
2608 | [ AC_MSG_RESULT([yes]) | ||
2609 | enable_nistp256=1 ], | ||
2610 | [ AC_MSG_RESULT([no]) ] | ||
2611 | ) | ||
2612 | |||
2613 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | ||
2614 | AC_LINK_IFELSE( | ||
2615 | [AC_LANG_PROGRAM([[ | ||
2616 | #include <openssl/ec.h> | ||
2617 | #include <openssl/ecdh.h> | ||
2618 | #include <openssl/ecdsa.h> | ||
2619 | #include <openssl/evp.h> | ||
2620 | #include <openssl/objects.h> | ||
2621 | #include <openssl/opensslv.h> | ||
2622 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | ||
2623 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2624 | #endif | ||
2625 | ]], [[ | ||
2626 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | ||
2627 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | ||
2628 | ]])], | ||
2629 | [ AC_MSG_RESULT([yes]) | ||
2630 | enable_nistp384=1 ], | ||
2631 | [ AC_MSG_RESULT([no]) ] | ||
2632 | ) | ||
2633 | |||
2634 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | ||
2476 | AC_LINK_IFELSE( | 2635 | AC_LINK_IFELSE( |
2477 | [AC_LANG_PROGRAM([[ | 2636 | [AC_LANG_PROGRAM([[ |
2478 | #include <openssl/ec.h> | 2637 | #include <openssl/ec.h> |
@@ -2488,25 +2647,63 @@ AC_LINK_IFELSE( | |||
2488 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2647 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2489 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2648 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2490 | ]])], | 2649 | ]])], |
2491 | [ | 2650 | [ AC_MSG_RESULT([yes]) |
2492 | AC_MSG_RESULT([yes]) | 2651 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2493 | AC_DEFINE([OPENSSL_HAS_ECC], [1], | 2652 | AC_RUN_IFELSE( |
2494 | [libcrypto includes complete ECC support]) | 2653 | [AC_LANG_PROGRAM([[ |
2495 | TEST_SSH_ECC=yes | 2654 | #include <openssl/ec.h> |
2496 | COMMENT_OUT_ECC="" | 2655 | #include <openssl/ecdh.h> |
2497 | ], | 2656 | #include <openssl/ecdsa.h> |
2498 | [ | 2657 | #include <openssl/evp.h> |
2499 | AC_MSG_RESULT([no]) | 2658 | #include <openssl/objects.h> |
2500 | TEST_SSH_ECC=no | 2659 | #include <openssl/opensslv.h> |
2501 | COMMENT_OUT_ECC="#no ecc#" | 2660 | ]],[[ |
2502 | unsupported_algorithms="$unsupported_algorithms \ | 2661 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2503 | ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ | 2662 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2504 | ecdsa-sha2-nistp256-cert-v01@openssh.com \ | 2663 | exit(e == NULL || m == NULL); |
2505 | ecdsa-sha2-nistp384-cert-v01@openssh.com \ | 2664 | ]])], |
2506 | ecdsa-sha2-nistp521-cert-v01@openssh.com \ | 2665 | [ AC_MSG_RESULT([yes]) |
2507 | ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" | 2666 | enable_nistp521=1 ], |
2508 | ] | 2667 | [ AC_MSG_RESULT([no]) ], |
2668 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | ||
2669 | enable_nistp521=1 ] | ||
2670 | )], | ||
2671 | AC_MSG_RESULT([no]) | ||
2509 | ) | 2672 | ) |
2673 | |||
2674 | COMMENT_OUT_ECC="#no ecc#" | ||
2675 | TEST_SSH_ECC=no | ||
2676 | |||
2677 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | ||
2678 | test x$enable_nistp521 = x1; then | ||
2679 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | ||
2680 | fi | ||
2681 | if test x$enable_nistp256 = x1; then | ||
2682 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | ||
2683 | [libcrypto has NID_X9_62_prime256v1]) | ||
2684 | TEST_SSH_ECC=yes | ||
2685 | COMMENT_OUT_ECC="" | ||
2686 | else | ||
2687 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | ||
2688 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | ||
2689 | fi | ||
2690 | if test x$enable_nistp384 = x1; then | ||
2691 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | ||
2692 | TEST_SSH_ECC=yes | ||
2693 | COMMENT_OUT_ECC="" | ||
2694 | else | ||
2695 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | ||
2696 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | ||
2697 | fi | ||
2698 | if test x$enable_nistp521 = x1; then | ||
2699 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | ||
2700 | TEST_SSH_ECC=yes | ||
2701 | COMMENT_OUT_ECC="" | ||
2702 | else | ||
2703 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2704 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2705 | fi | ||
2706 | |||
2510 | AC_SUBST([TEST_SSH_ECC]) | 2707 | AC_SUBST([TEST_SSH_ECC]) |
2511 | AC_SUBST([COMMENT_OUT_ECC]) | 2708 | AC_SUBST([COMMENT_OUT_ECC]) |
2512 | 2709 | ||
@@ -2738,7 +2935,7 @@ fi | |||
2738 | # Decide which sandbox style to use | 2935 | # Decide which sandbox style to use |
2739 | sandbox_arg="" | 2936 | sandbox_arg="" |
2740 | AC_ARG_WITH([sandbox], | 2937 | AC_ARG_WITH([sandbox], |
2741 | [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)], | 2938 | [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], |
2742 | [ | 2939 | [ |
2743 | if test "x$withval" = "xyes" ; then | 2940 | if test "x$withval" = "xyes" ; then |
2744 | sandbox_arg="" | 2941 | sandbox_arg="" |
@@ -2867,6 +3064,16 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ | |||
2867 | AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) | 3064 | AC_MSG_ERROR([seccomp_filter sandbox requires prctl function]) |
2868 | SANDBOX_STYLE="seccomp_filter" | 3065 | SANDBOX_STYLE="seccomp_filter" |
2869 | AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) | 3066 | AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) |
3067 | elif test "x$sandbox_arg" = "xcapsicum" || \ | ||
3068 | ( test -z "$sandbox_arg" && \ | ||
3069 | test "x$ac_cv_header_sys_capability_h" = "xyes" && \ | ||
3070 | test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then | ||
3071 | test "x$ac_cv_header_sys_capability_h" != "xyes" && \ | ||
3072 | AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header]) | ||
3073 | test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ | ||
3074 | AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function]) | ||
3075 | SANDBOX_STYLE="capsicum" | ||
3076 | AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum]) | ||
2870 | elif test "x$sandbox_arg" = "xrlimit" || \ | 3077 | elif test "x$sandbox_arg" = "xrlimit" || \ |
2871 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ | 3078 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ |
2872 | test "x$select_works_with_rlimit" = "xyes" && \ | 3079 | test "x$select_works_with_rlimit" = "xyes" && \ |
@@ -3090,7 +3297,9 @@ if test "x$ac_cv_have_u_int64_t" = "xyes" ; then | |||
3090 | have_u_int64_t=1 | 3297 | have_u_int64_t=1 |
3091 | fi | 3298 | fi |
3092 | 3299 | ||
3093 | if test -z "$have_u_int64_t" ; then | 3300 | if (test -z "$have_u_int64_t" && \ |
3301 | test "x$ac_cv_header_sys_bitypes_h" = "xyes") | ||
3302 | then | ||
3094 | AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) | 3303 | AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) |
3095 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]], | 3304 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]], |
3096 | [[ u_int64_t a; a = 1]])], | 3305 | [[ u_int64_t a; a = 1]])], |
@@ -3120,7 +3329,9 @@ if test -z "$have_u_intxx_t" ; then | |||
3120 | fi | 3329 | fi |
3121 | fi | 3330 | fi |
3122 | 3331 | ||
3123 | if test -z "$have_uintxx_t" ; then | 3332 | if (test -z "$have_uintxx_t" && \ |
3333 | test "x$ac_cv_header_stdint_h" = "xyes") | ||
3334 | then | ||
3124 | AC_MSG_CHECKING([for uintXX_t types in stdint.h]) | 3335 | AC_MSG_CHECKING([for uintXX_t types in stdint.h]) |
3125 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]], | 3336 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]], |
3126 | [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], | 3337 | [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], |
@@ -3131,6 +3342,19 @@ if test -z "$have_uintxx_t" ; then | |||
3131 | ]) | 3342 | ]) |
3132 | fi | 3343 | fi |
3133 | 3344 | ||
3345 | if (test -z "$have_uintxx_t" && \ | ||
3346 | test "x$ac_cv_header_inttypes_h" = "xyes") | ||
3347 | then | ||
3348 | AC_MSG_CHECKING([for uintXX_t types in inttypes.h]) | ||
3349 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]], | ||
3350 | [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])], | ||
3351 | [ | ||
3352 | AC_DEFINE([HAVE_UINTXX_T]) | ||
3353 | AC_MSG_RESULT([yes]) | ||
3354 | ], [ AC_MSG_RESULT([no]) | ||
3355 | ]) | ||
3356 | fi | ||
3357 | |||
3134 | if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ | 3358 | if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ |
3135 | test "x$ac_cv_header_sys_bitypes_h" = "xyes") | 3359 | test "x$ac_cv_header_sys_bitypes_h" = "xyes") |
3136 | then | 3360 | then |
@@ -3161,6 +3385,11 @@ if test "x$ac_cv_have_u_char" = "xyes" ; then | |||
3161 | AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) | 3385 | AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type]) |
3162 | fi | 3386 | fi |
3163 | 3387 | ||
3388 | AC_CHECK_TYPES([intmax_t, uintmax_t], , , [ | ||
3389 | #include <sys/types.h> | ||
3390 | #include <stdint.h> | ||
3391 | ]) | ||
3392 | |||
3164 | TYPE_SOCKLEN_T | 3393 | TYPE_SOCKLEN_T |
3165 | 3394 | ||
3166 | AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>]) | 3395 | AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>]) |
@@ -4609,6 +4838,7 @@ else | |||
4609 | fi | 4838 | fi |
4610 | AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) | 4839 | AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) |
4611 | AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) | 4840 | AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) |
4841 | AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS]) | ||
4612 | AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) | 4842 | AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) |
4613 | 4843 | ||
4614 | AC_EXEEXT | 4844 | AC_EXEEXT |
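Review bot: In the `*-*-freebsd*` branch (new lines 811-812) the added `AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1], ...)` call ends in `])],`, which leaves a stray `],` after the macro's closing parenthesis. Nothing in the visible lines opens a quote or argument list that it could close, so m4 will most likely copy it into the generated configure script, where the shell would try to run `],` as a command whenever the FreeBSD branch is taken. The line should end `[define if setrlimit RLIMIT_NOFILE breaks things])`. Judging by its name, the define removes the descriptor limit from the pre-auth sandbox on every FreeBSD host, so the comment above it could also state which sandbox styles honour it. The enclosing `case "$host"` statement starts and ends outside the hunk.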