summaryrefslogtreecommitdiff
path: root/configure.ac
AgeCommit message (Collapse)Author
2017-10-04Add systemd readiness notification supportMichael Biebl
Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2017-10-04Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2017-10-04GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
2017-09-28don't fatal ./configure for LibreSSLDamien Miller
2017-09-28abort in configure when only openssl-1.1.x foundDamien Miller
We don't support openssl-1.1.x yet (see multiple threads on the openssh-unix-dev@ mailing list for the reason), but previously ./configure would accept it and the compilation would subsequently fail. This makes ./configure display an explicit error message and abort. ok dtucker@
2017-09-27Check for and handle calloc(p, 0) = NULL.Darren Tucker
On some platforms (AIX, maybe others) allocating zero bytes of memory via the various *alloc functions returns NULL, which is permitted by the standards. Autoconf has some macros for detecting this (with the exception of calloc for some reason) so use these and if necessary activate shims for them. ok djm@
2017-09-25Add minimal strsignal for platforms without it.Darren Tucker
2017-09-19add freezero(3) replacementDamien Miller
ok dtucker@
2017-09-19move FORTIFY_SOURCE into hardening options groupDamien Miller
It's still on by default, but now it's possible to turn it off using --without-hardening. This is useful since it's known to cause problems with some -fsanitize options. ok dtucker@
2017-09-08Give configure ability to set CFLAGS/LDFLAGS laterDamien Miller
Some CFLAGS/LDFLAGS may disrupt the configure script's operation, in particular santization and fuzzer options that break assumptions about memory and file descriptor dispositions. This adds two flags to configure --with-cflags-after and --with-ldflags-after that allow specifying additional compiler and linker options that are added to the resultant Makefiles but not used in the configure run itself. E.g. env CC=clang-3.9 ./configure \ --with-cflags-after=-fsantize=address \ --with-ldflags-after="-g -fsanitize=address"
2017-08-28Switch Capsicum header to sys/capsicum.h.Darren Tucker
FreeBSD's <sys/capability.h> was renamed to <sys/capsicum.h> in 2014 to avoid future conflicts with POSIX capabilities (the last release that didn't have it was 9.3) so switch to that. Patch from des at des.no.
2017-07-11modified: configure.acTim Rice
UnixWare needs BROKEN_TCGETATTR_ICANON like Solaris Analysis by Robbie Zhang
2017-06-10portability for sftp globbed ls sort by mtimeDamien Miller
Include replacement timespeccmp() for systems that lack it. Support time_t struct stat->st_mtime in addition to timespec stat->st_mtim, as well as unsorted fallback.
2017-06-01add recallocarray replacement and dependencyDamien Miller
recallocarray() needs getpagesize() so add a tiny replacement for that.
2017-05-25configure: actually set cache vars when cross-compilingMike Frysinger
The cross-compiling fallback message says it's assuming the test passed, but it didn't actually set the cache var which causes later tests to fail.
2017-05-01remove configure --with-ssh1Damien Miller
2017-03-31Check for and use gcc's -pipe.Darren Tucker
Speeds up configure and build by a couple of percent. ok djm@
2017-03-29Remove check for OpenSSL < 0.9.8g.Darren Tucker
We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC in OpenSSL < 0.9.8g.
2017-03-24Enable ldns when using ldns-config.Darren Tucker
Actually enable ldns when attempting to use ldns-config. bz#2697, patch from fredrik at fornwall.net.
2017-03-20Add llabs() implementation.Darren Tucker
2017-03-14require OpenSSL >=1.0.1Damien Miller
2017-02-03prefer to use ldns-config to find libldnsDamien Miller
Should fix bz#2603 - "Build with ldns and without kerberos support fails if ldns compiled with kerberos support" by including correct cflags/libs ok dtucker@
2017-02-03Remove _XOPEN_SOURCE from wide char detection.Darren Tucker
Having _XOPEN_SOURCE unconditionally causes problems on some platforms and configurations, notably Solaris 64-bit binaries. It was there for the benefit of Linux put the required bits in the *-*linux* section. Patch from yvoinov at gmail.com.
2016-12-13Get default of TEST_SSH_UTF8 from environment.Darren Tucker
2016-12-13Add strcasestr to compat library.Darren Tucker
Fixes build on (at least) Solaris 10.
2016-12-09exit is in stdlib.h not unistd.h (that's _exit).Darren Tucker
2016-12-09Include <unistd.h> for exit in utf8 locale test.Darren Tucker
2016-12-08Check for utf8 local support before testing it.Darren Tucker
Check for utf8 local support and if not found, do not attempt to run the utf8 tests. Suggested by djm@
2016-12-08Use AC_PATH_TOOL for krb5-config.Darren Tucker
This will use the host-prefixed version when cross compiling; patch from david.michael at coreos.com.
2016-11-01Use ptrace(PT_DENY_ATTACH, ..) on OS X.Darren Tucker
2016-09-29Remove portability support for mmapDamien Miller
We no longer need to wrap/replace mmap for portability now that pre-auth compression has been removed from OpenSSH.
2016-08-23removing UseLogin bits from configure.acDamien Miller
2016-08-17Only check for prctl once.Darren Tucker
2016-08-16add a --with-login-program configure argumentDamien Miller
Saves messing around with LOGIN_PROGRAM env var, which come packaging environments make hard to do during configure phase.
2016-08-16add --with-pam-service to specify PAM service nameDamien Miller
Saves messing around with CFLAGS to do it.
2016-08-02Use tabs consistently inside "case $host".Darren Tucker
2016-08-02Explicitly test for broken strnvis.Darren Tucker
NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Despite this incompatibility being reported during development (see http://gnats.netbsd.org/44977) they still shipped it. Even more unfortunately FreeBSD and later MacOS picked up this incompatible implementation. Try to detect this mess, and assume the only safe option if we're cross compiling. OpenBSD 2.9 (2001): strnvis(char *dst, const char *src, size_t dlen, int flag); NetBSD 6.0 (2012): strnvis(char *dst, size_t dlen, const char *src, int flag); ok djm@
2016-08-01modified: configure.ac opensshd.init.inTim Rice
Skip generating missing RSA1 key on startup unless ssh1 support is enabled. Spotted by Jean-Pierre Radley
2016-07-28define _OPENBSD_SOURCE for reallocarray on NetBSDDamien Miller
Report by and debugged with Hisashi T Fujinaka, dtucker nailed the problem (lack of prototype causing return type confusion).
2016-07-23Move Cygwin IPPORT_RESERVED overrride to defines.hDarren Tucker
Patch from vinschen at redhat.com.
2016-07-15add a --disable-pkcs11 knobDamien Miller
2016-07-15fix newline escaping for unsupported_algorithmsDamien Miller
The hmac-ripemd160 was incorrect and could lead to broken Makefiles on systems that lacked support for it, but I made all the others consistent too.
2016-07-14Check for VIS_ALL.Darren Tucker
If we don't have it, set BROKEN_STRNVIS to activate the compat replacement.
2016-07-14Add compat code for missing wcwidth.Darren Tucker
If we don't have wcwidth force fallback implementations of nl_langinfo and mbtowc. Based on advice from Ingo Schwarze.
2016-07-13Move err.h replacements into compat lib.Darren Tucker
Move implementations of err.h replacement functions into their own file in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@
2016-07-11Check for wchar.h and langinfo.hDarren Tucker
Wrap includes in the appropriate #ifdefs.
2016-07-08whitelist more architectures for seccomp-bpfDamien Miller
bz#2590 - testing and patch from Jakub Jelen
2016-06-14Use Solaris setpflags(__PROC_PROTECT, ...).Darren Tucker
Where possible, use Solaris setpflags to disable process tracing on ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee at oracle.com, ok djm.
2016-05-31modified: configure.acTim Rice
whitspace clean up. No code changes.
2016-04-08Remove NO_IPPORT_RESERVED_CONCEPTDarren Tucker
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have the same effect without causing problems syncing patches with OpenBSD. Resync the two affected functions with OpenBSD. ok djm, sanity checked by Corinna.