path: root/configure.ac
Age | Commit message | Author
2020-02-21 | Restore TCP wrappers support | Colin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze.
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: restore-tcp-wrappers.patch
2020-02-21 | GSSAPI key exchange support | Simon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources."
However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history.
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2020-02-21
Patch-Name: gssapi.patch
2020-02-06 | Don't look for UINT32_MAX in inttypes.h | Darren Tucker
... unless we are actually going to use it. Fixes build on HP-UX without the potential impact to other platforms of a header change shortly before release.
2020-01-30 | Look in inttypes.h for UINT32_MAX. | Darren Tucker
Should prevent warnings on at least some AIX versions.
2020-01-26 | Wrap stdint.h in tests inside HAVE_STDINT_H. | Darren Tucker
2020-01-23 | Plumb WITH_ZLIB into configure. | Darren Tucker
This allows zlib support to be disabled by ./configure --without-zlib.
2020-01-21 | configure.ac: fix ldns test | Ruben Kerkhof
When running ./configure --with-ldns, if ldns-config cannot be found, we add -Iyes/include to CPPFLAGS and -Lyes/lib to LDFLAGS. Fix that.
2020-01-14 | Improve search for 'struct timespec'. | Darren Tucker
Make struct timespec test consistent with existing timeval test. Include time.h for timespec in compat header where required.
2020-01-14 | Remove configure test & compat code for ripemd160. | Darren Tucker
RIPEMD160 support was removed upstream in 2017, however we still had a configure test and compat code for it, so clean those up now.
2019-12-14 | only link ssh-sk-helper against libfido2 | Damien Miller
2019-12-11 | Check if memmem is declared in system headers. | Darren Tucker
If the system (or one of the dependencies) implements memmem but does not define the header, we would not declare it either resulting in compiler warnings. Check for declaration explicitly. bz#3102.
2019-11-29 | compile sk-dummy.so with no-PIE version of LDFLAGS | Damien Miller
This lets it pick up the -L path to libcrypto for example.
2019-11-29 | (yet) another x-platform fix for sk-dummy.so | Damien Miller
Check for -fPIC support from compiler
Compile libopenbsd-compat -fPIC
Don't mix -fPIE and -fPIC when compiling
2019-11-18 | Enable -Wimplicit-fallthrough if supported | Darren Tucker
Suggested by djm.
2019-11-15 | Add wrappers for other ultrix headers. | Darren Tucker
Wrappers protect against multiple inclusions for headers that don't do it themselves.
2019-11-15 | Remove ultrix realpath hack. | Darren Tucker
2019-11-15 | configure flag to built-in security key support | Damien Miller
Require --with-security-key-builtin before enabling the built-in security key support (and consequent dependency on libfido2).
2019-11-15 | don't fatal if libfido2 not found | Damien Miller
spotted by dtucker@
2019-11-15 | upstream: directly support U2F/FIDO2 security keys in OpenSSH by | djm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-03 | statfs might be defined in sys/mount.h. | Darren Tucker
eg on old NetBSDs.
2019-11-02 | Only enable U2F if OpenSSL supports ECC. | Darren Tucker
This requires moving the U2F bits to below the OpenSSL parts so we have the required information. ok djm@
2019-11-01 | Add flags needed to build and work on Ultrix. | Darren Tucker
2019-11-01 | Hook up fnmatch for platforms that don't have it. | Darren Tucker
2019-11-01 | Use sftp_realpath if no native realpath. | Darren Tucker
2019-11-01 | Configure flags for haiku from haikuports. | Darren Tucker
Should build with the default flags with ./configure
2019-11-01 | autoconf pieces for U2F support | Damien Miller
Mostly following existing logic for PKCS#11 - turning off support when either libcrypto or dlopen(3) are unavailable.
2019-10-29 | Add implementation of localtime_r. | Darren Tucker
2019-10-28 | Make sure we have struct statfs before using. | Darren Tucker
2019-10-28 | Define UINT32_MAX if needed. | Darren Tucker
2019-10-24 | Add a function call stackprotector tests. | Darren Tucker
Including a function call in the test programs for the gcc stack protector flag tests exercises more of the compiler and makes it more likely it'll detect problems.
2019-08-30 | tweak warning flags | Damien Miller
Enable -Wextra if compiler supports it
Set -Wno-error=format-truncation if available to prevent expected string truncations in openbsd-compat from breaking -Werror builds
2019-08-30 | proc_pidinfo()-based closefrom() for OS X | Damien Miller
Refactor closefrom() to use a single brute-force close() loop fallback. Based on patch from likan_999.student@sina.com in bz#3049. ok dtucker@
2019-07-23 | Re-apply portability changes to current sha2.{c,h}. | Darren Tucker
Rather than attempt to apply 14 years' worth of changes to OpenBSD's sha2 I imported the current versions directly then re-applied the portability changes. This also allowed re-syncing digest-libc.c against upstream.
2019-07-16 | Hook memmem compat code into build. | Darren Tucker
This fixes builds on platforms that don't have it (at least old DragonFly, probably others).
2019-07-10 | fix typo that prevented detection of Linux VRF | Damien Miller
Reported by hexiaowen AT huawei.com
2019-07-08 | remove realpath() compat replacement | Damien Miller
We shipped a BSD implementation of realpath() because sftp-server depended on its behaviour. OpenBSD is now moving to a more strictly POSIX-compliant realpath(2), so sftp-server now unconditionally requires its own BSD-style realpath implementation. As such, there is no need to carry another independent implementation in openbsd-compat. ok dtucker@
2019-05-15 | Fix typo in man page formatter selector. | Darren Tucker
2019-05-10 | Use "doc" man page format if mandoc present. | Darren Tucker
Previously configure would not select the "doc" man page format if mandoc was present but nroff was not. This checks for mandoc first and removes a now-superfluous AC_PATH_PROG. Based on a patch from vehk at vehk.de and feedback from schwarze at usta.de.
2019-04-30 | Remove unused variables from RLIMIT_NOFILE test. | Darren Tucker
2019-01-22 | Allow building against OpenSSL dev (3.x) version. | Darren Tucker
2019-01-21 | Make --with-rpath take a flag instead of yes/no. | Darren Tucker
Linkers need various flags for -rpath and similar, so make --with-rpath take an optional flag argument which is passed to the linker. ok djm@
2019-01-21 | conditionalise ECDSA PKCS#11 support | Damien Miller
Require EC_KEY_METHOD support in libcrypto, evidenced by presence of EC_KEY_METHOD_new() function.
2019-01-21 | Check for cc before gcc. | Darren Tucker
If cc is something other than gcc and is the system compiler prefer using that, unless otherwise told via $CC. ok djm@
2019-01-18 | Add minimal fchownat and fchmodat implementations. | Darren Tucker
Fixes builds on at least OS X Lion, NetBSD 6 and Solaris 10.
2019-01-18 | Add a minimal implementation of utimensat(). | Darren Tucker
Some systems (eg older OS X) do not have utimensat, so provide minimal implementation in compat layer. Fixes build on at least El Capitan.
2018-11-25 | Improve OpenSSL_add_all_algorithms check. | Darren Tucker
OpenSSL_add_all_algorithms() may be a macro so check for that too.
2018-11-23 | fix configure test for OpenSSL version | Damien Miller
square brackets in case statements may be eaten by autoconf. Report and fix from Filipp Gunbin; tweaked by naddy@
2018-11-23 | refactor libcrypto initialisation | Damien Miller
Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually supports it. Move all libcrypto initialisation to a single function, and call that from seed_rng() that is called early in each tool's main(). Prompted by patch from Rosen Penev
2018-11-16 | Test for OPENSSL_init_crypto before using. | Darren Tucker
Check for the presence of OPENSSL_init_crypto and all the flags we want before trying to use it (bz#2931).
2018-11-16 | Remove fallback check for /usr/local/ssl. | Darren Tucker
If configure could not find a working OpenSSL installation it would fall back to checking in /usr/local/ssl. This made sense back when systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't use that as a default any more. The fallback behaviour also meant that if you pointed --with-ssl-dir at a specific directory and it didn't work, it would silently use either the system libs or the ones in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to pass configure --with-ssl-dir=/usr/local/ssl. ok djm@