summaryrefslogtreecommitdiff
path: root/configure.ac
AgeCommit message (Collapse)Author
2019-06-05Add systemd readiness notification supportMichael Biebl
Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2019-06-05Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
2019-06-05GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2019-06-05 Patch-Name: gssapi.patch
2019-01-22Allow building against OpenSSL dev (3.x) version.Darren Tucker
2019-01-21Make --with-rpath take a flag instead of yes/no.Darren Tucker
Linkers need various flags for -rpath and similar, so make --with-rpath take an optional flag argument which is passed to the linker. ok djm@
2019-01-21conditionalise ECDSA PKCS#11 supportDamien Miller
Require EC_KEY_METHOD support in libcrypto, evidenced by presence of EC_KEY_METHOD_new() function.
2019-01-21Check for cc before gcc.Darren Tucker
If cc is something other than gcc and is the system compiler prefer using that, unless otherwise told via $CC. ok djm@
2019-01-18Add minimal fchownat and fchmodat implementations.Darren Tucker
Fixes builds on at least OS X Lion, NetBSD 6 and Solaris 10.
2019-01-18Add a minimal implementation of utimensat().Darren Tucker
Some systems (eg older OS X) do not have utimensat, so provide minimal implementation in compat layer. Fixes build on at least El Capitan.
2018-11-25Improve OpenSSL_add_all_algorithms check.Darren Tucker
OpenSSL_add_all_algorithms() may be a macro so check for that too.
2018-11-23fix configure test for OpenSSL versionDamien Miller
square brackets in case statements may be eaten by autoconf. Report and fix from Filipp Gunbin; tweaked by naddy@
2018-11-23refactor libcrypto initialisationDamien Miller
Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually supports it. Move all libcrypto initialisation to a single function, and call that from seed_rng() that is called early in each tool's main(). Prompted by patch from Rosen Penev
2018-11-16Test for OPENSSL_init_crypto before using.Darren Tucker
Check for the presence of OPENSSL_init_crypto and all the flags we want before trying to use it (bz#2931).
2018-11-16Remove fallback check for /usr/local/ssl.Darren Tucker
If configure could not find a working OpenSSL installation it would fall back to checking in /usr/local/ssl. This made sense back when systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't use that as a default any more. The fallback behaviour also meant that if you pointed --with-ssl-dir at a specific directory and it didn't work, it would silently use either the system libs or the ones in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
2018-11-10AC_CHECK_SIZEOF() no longer needs a second argument.Dag-Erling Smørgrav
2018-11-08Simplify OpenSSL 1.1 function checks.Darren Tucker
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single AC_CHECK_FUNCS. ok djm@
2018-11-05Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.Darren Tucker
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2018-10-27Check for the existence of openssl version funcs.Darren Tucker
Check for the existence of openssl version functions and use the ones detected instead of trying to guess based on the int32 version identifier. Fixes builds with LibreSSL.
2018-10-26fix builds on OpenSSL <= 1.0.xDamien Miller
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API to obtain version number, but they don't.
2018-10-23remove remaining references to SSLeayDamien Miller
Prompted by Rosen Penev
2018-10-17Require OpenSSL 1.1.x series 1.1.0g or greaterDamien Miller
Previous versions have a bug with EVP_CipherInit() when passed a NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613 ok dtucker@
2018-10-16Remove gcc spectre mitigation flags.Darren Tucker
Current impementions of the gcc spectre mitigation flags cause miscompilations when combined with other flags and do not provide much protection. Found by fweimer at redhat.com, ok djm@
2018-10-12Check if snprintf understands %zu.Darren Tucker
If the platforms snprintf and friends don't understand %zu, use the compat replacement. Prevents segfaults on those platforms.
2018-09-13adapt -portable to OpenSSL 1.1x APIDamien Miller
Polyfill missing API with replacement functions extracted from LibreSSL
2018-08-13configure: work around GCC shortcoming on CygwinCorinna Vinschen
Cygwin's latest 7.x GCC allows to specify -mfunction-return=thunk as well as -mindirect-branch=thunk on the command line, albeit producing invalid code, leading to an error at link stage. The check in configure.ac only checks if the option is present, but not if it produces valid code. This patch fixes it by special-casing Cygwin. Another solution may be to change these to linker checks. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2018-07-31Remove support for S/KeyDamien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
2018-07-02Add implementation of getline.Darren Tucker
Add getline for the benefit of platforms that don't have it. Sourced from NetBSD (OpenBSD's implementation is a little too chummy with the internals of FILE).
2018-06-08Remove ability to override $LD.Darren Tucker
Since autoconf always uses $CC to link C programs, allowing users to override LD caused mismatches between what LD_LINK_IFELSE thought worked and what ld thought worked. If you do need to do this kind of thing you need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS.
2018-04-13Using "==" in shell tests is not portable.Darren Tucker
Patch from rsbecker at nexbridge.com.
2018-04-13prefer to use getrandom() for PRNG seedingDamien Miller
Only applies when built --without-openssl. Thanks Jann Horn for reminder.
2018-04-10Many typo fixes from Karsten WeissDamien Miller
Spotted using https://github.com/lucasdemarchi/codespell
2018-03-30Disable native strndup and strnlen on AIX.Darren Tucker
On at least some revisions of AIX, strndup returns unterminated strings under some conditions, apparently because strnlen returns incorrect values in those cases. Disable both on AIX and use the replacements from openbsd-compat. Fixes problem with ECDSA keys there, ok djm.
2018-03-25 Use libiaf on all sysv5 systemsTim Rice
2018-03-12Add AC_LANG_PROGRAM to AC_COMPILE_IFELSE.Darren Tucker
The recently added MIPS ABI tests need AC_LANG_PROGRAM to prevent warnings from autoconf. Pointed out by klausz at haus-gisela.de.
2018-03-08configure.ac: properly set seccomp_audit_arch for MIPS64Vicente Olivert Riera
Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built for MIPS64. However, that's only valid for n64 ABI. The right macros for n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively. Because of that an sshd built for MIPS64 n32 rejects connection attempts and the output of strace reveals that the problem is related to seccomp audit: [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x555d5da0}) = 0 [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ? [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP}, {fd=6, revents=POLLHUP}]) [pid 194] +++ killed by SIGSYS +++ This patch fixes that problem by setting the right value to seccomp_audit_arch taking into account the MIPS64 ABI. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
2018-03-08configure.ac: detect MIPS ABIVicente Olivert Riera
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
2018-03-05Disable UTMPX on SunOS4.Darren Tucker
2018-03-05Check for and work around buggy fflush(NULL).Darren Tucker
Some really old platforms (eg SunOS4) segfault on fflush(NULL) so check for and work around. With klausz at haus-gisela.de.
2018-03-03Add strndup for platforms that need it.Darren Tucker
Some platforms don't have strndup, which includes Solaris 10, NetBSD 3 and FreeBSD 6.
2018-02-27Check dlopen has RTLD_NOW before enabling pkcs11.Darren Tucker
2018-02-27Check for attributes on prototype args.Darren Tucker
Some compilers (gcc 2.9.53, 3.0 and probably others, see gcc bug #3481) do not accept __attribute__ on function pointer prototype args. Check for this and hide them if they're not accepted.
2018-02-26Hook up flock() compat code.Darren Tucker
Also a couple of minor changes: fail if we can't lock instead of silently succeeding, and apply a couple of minor style fixes.
2018-02-26XMSS-related files get includes.hDamien Miller
2018-02-26Invert sense of getpgrp test.Darren Tucker
AC_FUNC_GETPGRP tests if getpgrp(0) works, which it does if it's not declared. Instead, test if the zero-arg version we want to use works.
2018-02-26Add no-op getsid implmentation.Darren Tucker
2018-02-26bsd-statvfs: include sys/vfs.h, check for f_flags.Darren Tucker
2018-02-26Handle calloc(0,x) where different from malloc.Darren Tucker
Configure assumes that if malloc(0) returns null then calloc(0,n) also does. On some old platforms (SunOS4) malloc behaves as expected (as determined by AC_FUNC_MALLOC) but calloc doesn't. Test for this at configure time and activate the replacement function if found, plus handle this case in rpl_calloc.
2018-02-26Add prototype for readv if needed.Darren Tucker
2018-02-26Check for raise and supply if needed.Darren Tucker
2018-02-26Check for bzero and supply if needed.Darren Tucker
Since explicit_bzero uses it via an indirect it needs to be a function not just a macro.