Age | Commit message (Collapse) | Author |
|
ok dtucker@
|
|
It's still on by default, but now it's possible to turn it off using
--without-hardening. This is useful since it's known to cause problems
with some -fsanitize options. ok dtucker@
|
|
Some CFLAGS/LDFLAGS may disrupt the configure script's operation,
in particular santization and fuzzer options that break assumptions
about memory and file descriptor dispositions.
This adds two flags to configure --with-cflags-after and
--with-ldflags-after that allow specifying additional compiler and
linker options that are added to the resultant Makefiles but not
used in the configure run itself.
E.g.
env CC=clang-3.9 ./configure \
--with-cflags-after=-fsantize=address \
--with-ldflags-after="-g -fsanitize=address"
|
|
FreeBSD's <sys/capability.h> was renamed to <sys/capsicum.h> in 2014 to
avoid future conflicts with POSIX capabilities (the last release that
didn't have it was 9.3) so switch to that. Patch from des at des.no.
|
|
UnixWare needs BROKEN_TCGETATTR_ICANON like Solaris
Analysis by Robbie Zhang
|
|
Include replacement timespeccmp() for systems that lack it.
Support time_t struct stat->st_mtime in addition to
timespec stat->st_mtim, as well as unsorted fallback.
|
|
recallocarray() needs getpagesize() so add a tiny replacement for that.
|
|
The cross-compiling fallback message says it's assuming the test
passed, but it didn't actually set the cache var which causes
later tests to fail.
|
|
|
|
Speeds up configure and build by a couple of percent. ok djm@
|
|
We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC
in OpenSSL < 0.9.8g.
|
|
Actually enable ldns when attempting to use ldns-config. bz#2697, patch
from fredrik at fornwall.net.
|
|
|
|
|
|
Should fix bz#2603 - "Build with ldns and without kerberos support
fails if ldns compiled with kerberos support" by including correct
cflags/libs
ok dtucker@
|
|
Having _XOPEN_SOURCE unconditionally causes problems on some platforms
and configurations, notably Solaris 64-bit binaries. It was there for
the benefit of Linux put the required bits in the *-*linux* section.
Patch from yvoinov at gmail.com.
|
|
|
|
Fixes build on (at least) Solaris 10.
|
|
|
|
|
|
Check for utf8 local support and if not found, do not attempt to run the
utf8 tests. Suggested by djm@
|
|
This will use the host-prefixed version when cross compiling; patch from
david.michael at coreos.com.
|
|
|
|
We no longer need to wrap/replace mmap for portability now that
pre-auth compression has been removed from OpenSSH.
|
|
|
|
|
|
Saves messing around with LOGIN_PROGRAM env var, which come
packaging environments make hard to do during configure phase.
|
|
Saves messing around with CFLAGS to do it.
|
|
|
|
NetBSD added an strnvis and unfortunately made it incompatible with the
existing one in OpenBSD and Linux's libbsd (the former having existed
for over ten years). Despite this incompatibility being reported during
development (see http://gnats.netbsd.org/44977) they still shipped it.
Even more unfortunately FreeBSD and later MacOS picked up this incompatible
implementation. Try to detect this mess, and assume the only safe option
if we're cross compiling.
OpenBSD 2.9 (2001): strnvis(char *dst, const char *src, size_t dlen, int flag);
NetBSD 6.0 (2012): strnvis(char *dst, size_t dlen, const char *src, int flag);
ok djm@
|
|
Skip generating missing RSA1 key on startup unless ssh1 support is enabled.
Spotted by Jean-Pierre Radley
|
|
Report by and debugged with Hisashi T Fujinaka, dtucker nailed
the problem (lack of prototype causing return type confusion).
|
|
Patch from vinschen at redhat.com.
|
|
|
|
The hmac-ripemd160 was incorrect and could lead to broken
Makefiles on systems that lacked support for it, but I made
all the others consistent too.
|
|
If we don't have it, set BROKEN_STRNVIS to activate the compat replacement.
|
|
If we don't have wcwidth force fallback implementations of nl_langinfo
and mbtowc. Based on advice from Ingo Schwarze.
|
|
Move implementations of err.h replacement functions into their own file
in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@
|
|
Wrap includes in the appropriate #ifdefs.
|
|
bz#2590 - testing and patch from Jakub Jelen
|
|
Where possible, use Solaris setpflags to disable process tracing on
ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee
at oracle.com, ok djm.
|
|
whitspace clean up. No code changes.
|
|
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD. ok djm, sanity checked
by Corinna.
|
|
|
|
|
|
sshd was failing with:
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
image not found [preauth]
caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
to sshd. Spotted by Darren.
|
|
Not all systems with Solaris privs have priv_basicset so factor that
out and provide backward compatibility code. Similarly, not all have
PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
alex at cooperi.net and djm@ with help from carson at taltos.org and
wieland at purdue.edu.
|
|
Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
|
|
Includes a pre-auth privsep sandbox and several pledge()
emulations. bz#2511, patch by Alex Wilson.
ok dtucker@
|
|
Patch from Mike Frysinger via github.
|