author | des <des@FreeBSD.org> | 2014-02-27 17:29:02 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2014-02-27 17:29:02 +0000 |
commit | 255d8413daf4c3747aeb37e6a71bf2771beed29d (patch) | |
tree | 28087af50eaf299f287c7fe4b7050c317771c89e /crypto/openssh/configure | |
parent | ea1005cca47f4d3aace134a0acd6809943e46acc (diff) | |
MFH (r261320): upgrade openssh to 6.5p1
MFH (r261340): enable sandboxing by default
Diffstat (limited to 'crypto/openssh/configure')
-rwxr-xr-x | crypto/openssh/configure | 1006 |
1 files changed, 924 insertions, 82 deletions
diff --git a/crypto/openssh/configure b/crypto/openssh/configure index 0d6fad5..2d714ac 100755 --- a/crypto/openssh/configure +++ b/crypto/openssh/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.ac Revision: 1.536 . +# From configure.ac Revision: 1.568 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.68 for OpenSSH Portable. # @@ -606,6 +606,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS UNSUPPORTED_ALGORITHMS +TEST_MALLOC_OPTIONS TEST_SSH_IPV6 piddir user_path @@ -623,7 +624,6 @@ SSHLIBS SSH_PRIVSEP_USER COMMENT_OUT_ECC TEST_SSH_ECC -TEST_SSH_SHA256 LIBEDIT PKGCONFIG LD @@ -712,6 +712,7 @@ ac_user_opts=' enable_option_checking enable_largefile with_stackprotect +with_hardening with_rpath with_cflags with_cppflags @@ -728,6 +729,7 @@ with_tcp_wrappers with_ldns with_libedit with_audit +with_pie with_ssl_dir with_openssl_header_check with_ssl_engine @@ -1402,6 +1404,7 @@ Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --without-stackprotect Don't use compiler's stack protection + --without-hardening Don't use toolchain hardening flags --without-rpath Disable auto-added -R linker paths --with-cflags Specify additional flags to pass to compiler --with-cppflags Specify additional flags to pass to preprocessor @@ -1418,6 +1421,7 @@ Optional Packages: --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) --with-libedit[=PATH] Enable libedit support for sftp --with-audit=module Enable audit support (modules=debug,bsm,linux) + --with-pie Build Position Independent Executables if possible --with-ssl-dir=PATH Specify path to OpenSSL installation --without-openssl-header-check Disable OpenSSL version consistency check --with-ssl-engine Enable OpenSSL (hardware) ENGINE support 
@@ -1425,7 +1429,7 @@ Optional Packages: --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool) --with-pam Enable PAM support --with-privsep-user=user Specify non-privileged user for privilege separation - --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) + --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) --with-selinux Enable SELinux support --with-kerberos5=PATH Enable Kerberos 5 support --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) @@ -5590,7 +5594,9 @@ if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then : have_linux_no_new_privs=1 fi + use_stack_protector=1 +use_toolchain_hardening=1 # Check whether --with-stackprotect was given. if test "${with_stackprotect+set}" = set; then : 
@@ -5601,18 +5607,61 @@ if test "${with_stackprotect+set}" = set; then : fi +# Check whether --with-hardening was given. +if test "${with_hardening+set}" = set; then : + withval=$with_hardening; + if test "x$withval" = "xno"; then + use_toolchain_hardening=0 + fi +fi + + +# We use -Werror for the tests only so that we catch warnings like "this is +# on by default" for things like -fPIE. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Werror" >&5 +$as_echo_n "checking if $CC supports -Werror... " >&6; } +saved_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS -Werror" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int main(void) { return 0; } +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + WERROR="-Werror" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + WERROR="" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +CFLAGS="$saved_CFLAGS" if test "$GCC" = "yes" || test "$GCC" = "egcs"; then { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Qunused-arguments -Werror" >&5 -$as_echo_n "checking if $CC supports -Qunused-arguments -Werror... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Qunused-arguments" >&5 +$as_echo_n "checking if $CC supports compile flag -Qunused-arguments... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Qunused-arguments -Werror" - _define_flag="-Qunused-arguments" - test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments -Werror" + CFLAGS="$CFLAGS $WERROR -Qunused-arguments" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : @@ -5635,15 +5684,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wunknown-warning-option -Werror" >&5 -$as_echo_n "checking if $CC supports -Wunknown-warning-option -Werror... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wunknown-warning-option" >&5 +$as_echo_n "checking if $CC supports compile flag -Wunknown-warning-option... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wunknown-warning-option -Werror" - _define_flag="-Wno-unknown-warning-option" - test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option -Werror" + CFLAGS="$CFLAGS $WERROR -Wunknown-warning-option" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5666,15 +5727,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wall" >&5 -$as_echo_n "checking if $CC supports -Wall... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wall" >&5 +$as_echo_n "checking if $CC supports compile flag -Wall... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wall" + CFLAGS="$CFLAGS $WERROR -Wall" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-Wall" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5697,15 +5770,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wpointer-arith" >&5 -$as_echo_n "checking if $CC supports -Wpointer-arith... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wpointer-arith" >&5 +$as_echo_n "checking if $CC supports compile flag -Wpointer-arith... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wpointer-arith" + CFLAGS="$CFLAGS $WERROR -Wpointer-arith" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-Wpointer-arith" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5728,15 +5813,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wuninitialized" >&5 -$as_echo_n "checking if $CC supports -Wuninitialized... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wuninitialized" >&5 +$as_echo_n "checking if $CC supports compile flag -Wuninitialized... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wuninitialized" + CFLAGS="$CFLAGS $WERROR -Wuninitialized" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-Wuninitialized" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5759,15 +5856,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wsign-compare" >&5 -$as_echo_n "checking if $CC supports -Wsign-compare... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wsign-compare" >&5 +$as_echo_n "checking if $CC supports compile flag -Wsign-compare... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wsign-compare" + CFLAGS="$CFLAGS $WERROR -Wsign-compare" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-Wsign-compare" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5790,15 +5899,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wformat-security" >&5 -$as_echo_n "checking if $CC supports -Wformat-security... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wformat-security" >&5 +$as_echo_n "checking if $CC supports compile flag -Wformat-security... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wformat-security" + CFLAGS="$CFLAGS $WERROR -Wformat-security" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-Wformat-security" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5821,15 +5942,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wsizeof-pointer-memaccess" >&5 -$as_echo_n "checking if $CC supports -Wsizeof-pointer-memaccess... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wsizeof-pointer-memaccess" >&5 +$as_echo_n "checking if $CC supports compile flag -Wsizeof-pointer-memaccess... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wsizeof-pointer-memaccess" + CFLAGS="$CFLAGS $WERROR -Wsizeof-pointer-memaccess" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-Wsizeof-pointer-memaccess" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5852,15 +5985,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wpointer-sign" >&5 -$as_echo_n "checking if $CC supports -Wpointer-sign... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wpointer-sign" >&5 +$as_echo_n "checking if $CC supports compile flag -Wpointer-sign... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wpointer-sign" + CFLAGS="$CFLAGS $WERROR -Wpointer-sign" _define_flag="-Wno-pointer-sign" test "x$_define_flag" = "x" && _define_flag="-Wpointer-sign" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5883,15 +6028,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wunused-result" >&5 -$as_echo_n "checking if $CC supports -Wunused-result... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wunused-result" >&5 +$as_echo_n "checking if $CC supports compile flag -Wunused-result... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -Wunused-result" + CFLAGS="$CFLAGS $WERROR -Wunused-result" _define_flag="-Wno-unused-result" test "x$_define_flag" = "x" && _define_flag="-Wunused-result" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5914,15 +6071,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -fno-strict-aliasing" >&5 -$as_echo_n "checking if $CC supports -fno-strict-aliasing... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fno-strict-aliasing" >&5 +$as_echo_n "checking if $CC supports compile flag -fno-strict-aliasing... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-strict-aliasing" + CFLAGS="$CFLAGS $WERROR -fno-strict-aliasing" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-fno-strict-aliasing" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5945,15 +6114,27 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } { - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -D_FORTIFY_SOURCE=2" >&5 -$as_echo_n "checking if $CC supports -D_FORTIFY_SOURCE=2... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -D_FORTIFY_SOURCE=2" >&5 +$as_echo_n "checking if $CC supports compile flag -D_FORTIFY_SOURCE=2... " >&6; } saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2" + CFLAGS="$CFLAGS $WERROR -D_FORTIFY_SOURCE=2" _define_flag="" test "x$_define_flag" = "x" && _define_flag="-D_FORTIFY_SOURCE=2" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(void) { return 0; } + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -5975,6 +6156,165 @@ $as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } + if test "x$use_toolchain_hardening" = "x1"; then + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,relro" >&5 +$as_echo_n "checking if $LD supports link flag -Wl,-z,relro... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -Wl,-z,relro" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wl,-z,relro" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,now" >&5 +$as_echo_n "checking if $LD supports link flag -Wl,-z,now... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -Wl,-z,now" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wl,-z,now" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,noexecstack" >&5 +$as_echo_n "checking if $LD supports link flag -Wl,-z,noexecstack... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -Wl,-z,noexecstack" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wl,-z,noexecstack" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + # NB. 
-ftrapv expects certain support functions to be present in + # the compiler library (libgcc or similar) to detect integer operations + # that can overflow. We must check that the result of enabling it + # actually links. The test program compiled/linked includes a number + # of integer operations that should exercise this. + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -ftrapv and linking succeeds" >&5 +$as_echo_n "checking if $CC supports compile flag -ftrapv and linking succeeds... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -ftrapv" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-ftrapv" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking gcc version" >&5 $as_echo_n "checking gcc version... " >&6; } GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` 
@@ -6020,7 +6360,8 @@ rm -f core conftest.err conftest.$ac_objext \ # and/or platforms, so we test if we can. If it's not supported # on a given platform gcc will emit a warning so we use -Werror. if test "x$use_stack_protector" = "x1"; then - for t in -fstack-protector-all -fstack-protector; do + for t in -fstack-protector-strong -fstack-protector-all \ + -fstack-protector; do { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports $t" >&5 $as_echo_n "checking if $CC supports $t... " >&6; } saved_CFLAGS="$CFLAGS" @@ -6224,6 +6565,7 @@ fi for ac_header in \ + blf.h \ bstring.h \ crypt.h \ crypto/sha2.h \ @@ -6237,6 +6579,7 @@ for ac_header in \ glob.h \ ia.h \ iaf.h \ + inttypes.h \ limits.h \ locale.h \ login.h \ @@ -6261,6 +6604,7 @@ for ac_header in \ sys/audit.h \ sys/bitypes.h \ sys/bsdtty.h \ + sys/capability.h \ sys/cdefs.h \ sys/dir.h \ sys/mman.h \ 
@@ -6713,6 +7057,51 @@ $as_echo "#define SSH_IOBUFSZ 65535" >>confdefs.h $as_echo "#define FILESYSTEM_NO_BACKSLASH 1" >>confdefs.h + # Cygwin defines optargs, optargs as declspec(dllimport) for historical + # reasons which cause compile warnings, so we disable those warnings. + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wno-attributes" >&5 +$as_echo_n "checking if $CC supports compile flag -Wno-attributes... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -Wno-attributes" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-Wno-attributes" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} ;; *-*-dgux*) @@ -6726,6 +7115,7 @@ $as_echo "#define IP_TOS_IS_BROKEN 1" >>confdefs.h ;; *-*-darwin*) + use_pie=auto { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have working getaddrinfo" >&5 $as_echo_n "checking if we have working getaddrinfo... " >&6; } if test "$cross_compiling" = yes; then : 
@@ -6824,6 +7214,7 @@ done ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" + TEST_MALLOC_OPTIONS="AFGJPRX" ;; *-*-haiku*) LIBS="$LIBS -lbsd " @@ -7046,6 +7437,7 @@ $as_echo "#define USE_BTMP 1" >>confdefs.h ;; *-*-linux*) no_dev_ptmx=1 + use_pie=auto check_for_libcrypt_later=1 check_for_openpty_ctty_bug=1 @@ -7178,6 +7570,13 @@ fi $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h + TEST_MALLOC_OPTIONS="AJRX" + +$as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h + + +$as_echo "#define BROKEN_READ_COMPARISON 1" >>confdefs.h + ;; *-*-freebsd*) check_for_libcrypt_later=1 @@ -7203,6 +7602,12 @@ $as_echo "#define BROKEN_GLOB 1" >>confdefs.h $as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h + TEST_MALLOC_OPTIONS="AJRX" + # Preauth crypto occasionally uses file descriptors for crypto offload + # and will crash if they cannot be opened. + +$as_echo "#define SANDBOX_SKIP_RLIMIT_NOFILE 1" >>confdefs.h +], ;; *-*-bsdi*) $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h @@ -7229,6 +7634,7 @@ $as_echo "#define BROKEN_SAVED_UIDS 1" >>confdefs.h ;; *-*-openbsd*) + use_pie=auto $as_echo "#define HAVE_ATTRIBUTE__SENTINEL__ 1" >>confdefs.h @@ -7241,6 +7647,7 @@ $as_echo "#define SSH_TUN_OPENBSD 1" >>confdefs.h $as_echo "#define SYSLOG_R_SAFE_IN_SIGHAND 1" >>confdefs.h + TEST_MALLOC_OPTIONS="AFGJPRX" ;; *-*-solaris*) if test "x$withval" != "xno" ; then 
@@ -8929,6 +9336,64 @@ fi done +# On some platforms, inet_ntop may be found in libresolv or libnsl. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing inet_ntop" >&5 +$as_echo_n "checking for library containing inet_ntop... " >&6; } +if ${ac_cv_search_inet_ntop+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char inet_ntop (); +int +main () +{ +return inet_ntop (); + ; + return 0; +} +_ACEOF +for ac_lib in '' resolv nsl; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_inet_ntop=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_inet_ntop+:} false; then : + break +fi +done +if ${ac_cv_search_inet_ntop+:} false; then : + +else + ac_cv_search_inet_ntop=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_inet_ntop" >&5 +$as_echo "$ac_cv_search_inet_ntop" >&6; } +ac_res=$ac_cv_search_inet_ntop +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + for ac_func in strftime do : ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" @@ -9495,7 +9960,7 @@ $as_echo "no" >&6; } fi fi if test "x$use_pkgconfig_for_libedit" = "xyes"; then - LIBEDIT=`$PKGCONFIG --libs-only-l libedit` + LIBEDIT=`$PKGCONFIG --libs libedit` CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" else LIBEDIT="-ledit -lcurses" 
@@ -9689,7 +10154,7 @@ done $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h - if test "$sol2ver" -eq 11; then + if test "$sol2ver" -ge 11; then SSHDLIBS="$SSHDLIBS -lscf" $as_echo "#define BROKEN_BSM_API 1" >>confdefs.h 
@@ -9737,9 +10202,155 @@ $as_echo "no" >&6; } fi + +# Check whether --with-pie was given. +if test "${with_pie+set}" = set; then : + withval=$with_pie; + if test "x$withval" = "xno"; then + use_pie=no + fi + if test "x$withval" = "xyes"; then + use_pie=yes + fi + + +fi + +if test "x$use_pie" = "x"; then + use_pie=no +fi +if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then + # Turn off automatic PIE when toolchain hardening is off. + use_pie=no +fi +if test "x$use_pie" = "xauto"; then + # Automatic PIE requires gcc >= 4.x + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc >= 4.x" >&5 +$as_echo_n "checking for gcc >= 4.x... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#if !defined(__GNUC__) || __GNUC__ < 4 +#error gcc is too old +#endif + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + use_pie=no + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +if test "x$use_pie" != "xno"; then + SAVED_CFLAGS="$CFLAGS" + SAVED_LDFLAGS="$LDFLAGS" + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fPIE" >&5 +$as_echo_n "checking if $CC supports compile flag -fPIE... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR -fPIE" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -pie" >&5 +$as_echo_n "checking if $LD supports link flag -pie... " >&6; } + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR -pie" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-pie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#include <stdlib.h> +#include <stdio.h> +int main(int argc, char **argv) { + /* Some math to catch -ftrapv problems in the toolchain */ + int i = 123 * argc, j = 456 + argc, k = 789 - argc; + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + exit(0); +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + LDFLAGS="$saved_LDFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LDFLAGS="$saved_LDFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +} + # We use both -fPIE and -pie or neither. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether both -fPIE and -pie are supported" >&5 +$as_echo_n "checking whether both -fPIE and -pie are supported... " >&6; } + if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \ + echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$SAVED_CFLAGS" + LDFLAGS="$SAVED_LDFLAGS" + fi +fi + for ac_func in \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ + Blowfish_stream2word \ arc4random \ arc4random_buf \ + arc4random_stir \ arc4random_uniform \ asprintf \ b64_ntop \ @@ -9747,7 +10358,10 @@ for ac_func in \ b64_pton \ __b64_pton \ bcopy \ + bcrypt_pbkdf \ bindresvport_sa \ + blf_enc \ + cap_rights_limit \ clock \ closefrom \ dirfd \ @@ -9755,6 +10369,7 @@ for ac_func in \ fchmod \ fchown \ freeaddrinfo \ + fstatfs \ fstatvfs \ futimes \ getaddrinfo \ 
@@ -11491,7 +12106,17 @@ fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -for ac_func in RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init +for ac_func in \ + BN_is_prime_ex \ + DSA_generate_parameters_ex \ + EVP_DigestInit_ex \ + EVP_DigestFinal_ex \ + EVP_MD_CTX_init \ + EVP_MD_CTX_cleanup \ + HMAC_CTX_init \ + RSA_generate_key_ex \ + RSA_get_default_method \ + do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -11876,10 +12501,9 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF - TEST_SSH_SHA256=yes + else - TEST_SSH_SHA256=no - unsupported_algorithms="$unsupported_algorithms \ + unsupported_algorithms="$unsupported_algorithms \ hmac-sha2-256 hmac-sha2-512 \ diffie-hellman-group-exchange-sha256 \ hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" @@ -11889,10 +12513,9 @@ fi done - # Check complete ECC support in OpenSSL -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has complete ECC support" >&5 -$as_echo_n "checking whether OpenSSL has complete ECC support... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_X9_62_prime256v1" >&5 +$as_echo_n "checking whether OpenSSL has NID_X9_62_prime256v1... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -11910,41 +12533,183 @@ int main () { - EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); - const EVP_MD *m = EVP_sha512(); /* We need this too */ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + const EVP_MD *m = EVP_sha256(); /* We need this too */ ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + enable_nistp256=1 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_secp384r1" >&5 +$as_echo_n "checking whether OpenSSL has NID_secp384r1... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include <openssl/ec.h> +#include <openssl/ecdh.h> +#include <openssl/ecdsa.h> +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/opensslv.h> +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + +int +main () +{ + + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); + const EVP_MD *m = EVP_sha384(); /* We need this too */ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } + enable_nistp384=1 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } -$as_echo "#define OPENSSL_HAS_ECC 1" >>confdefs.h +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_secp521r1" >&5 +$as_echo_n "checking whether OpenSSL has NID_secp521r1... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#include <openssl/ec.h> +#include <openssl/ecdh.h> +#include <openssl/ecdsa.h> +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/opensslv.h> +#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ +# error "OpenSSL < 0.9.8g has unreliable ECC code" +#endif + +int +main () +{ - TEST_SSH_ECC=yes - COMMENT_OUT_ECC="" + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if OpenSSL's NID_secp521r1 is functional" >&5 +$as_echo_n "checking if OpenSSL's NID_secp521r1 is functional... " >&6; } + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross-compiling: assuming yes" >&5 +$as_echo "$as_me: WARNING: cross-compiling: assuming yes" >&2;} + enable_nistp521=1 else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +#include <openssl/ec.h> +#include <openssl/ecdh.h> +#include <openssl/ecdsa.h> +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/opensslv.h> + +int +main () +{ + + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ + exit(e == NULL || m == NULL); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + enable_nistp521=1 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - TEST_SSH_ECC=no - COMMENT_OUT_ECC="#no ecc#" - unsupported_algorithms="$unsupported_algorithms \ - ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ - ecdsa-sha2-nistp256-cert-v01@openssh.com \ - ecdsa-sha2-nistp384-cert-v01@openssh.com \ - ecdsa-sha2-nistp521-cert-v01@openssh.com \ - ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext +COMMENT_OUT_ECC="#no ecc#" +TEST_SSH_ECC=no + +if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ + test x$enable_nistp521 = x1; then + +$as_echo "#define OPENSSL_HAS_ECC 1" >>confdefs.h + +fi +if test x$enable_nistp256 = x1; then + +$as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h + + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ + ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" +fi +if test x$enable_nistp384 = x1; then + +$as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h + + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms 
ecdsa-sha2-nistp384 \ + ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" +fi +if test x$enable_nistp521 = x1; then + +$as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h + + TEST_SSH_ECC=yes + COMMENT_OUT_ECC="" +else + unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" +fi + + saved_LIBS="$LIBS" @@ -12635,6 +13400,18 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h +elif test "x$sandbox_arg" = "xcapsicum" || \ + ( test -z "$sandbox_arg" && \ + test "x$ac_cv_header_sys_capability_h" = "xyes" && \ + test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then + test "x$ac_cv_header_sys_capability_h" != "xyes" && \ + as_fn_error $? "capsicum sandbox requires sys/capability.h header" "$LINENO" 5 + test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ + as_fn_error $? "capsicum sandbox requires cap_rights_limit function" "$LINENO" 5 + SANDBOX_STYLE="capsicum" + +$as_echo "#define SANDBOX_CAPSICUM 1" >>confdefs.h + elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ test "x$select_works_with_rlimit" = "xyes" && \ @@ -13204,7 +13981,9 @@ $as_echo "#define HAVE_U_INT64_T 1" >>confdefs.h have_u_int64_t=1 fi -if test -z "$have_u_int64_t" ; then +if (test -z "$have_u_int64_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_int64_t type in sys/bitypes.h" >&5 $as_echo_n "checking for u_int64_t type in sys/bitypes.h... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext 
@@ -13276,7 +14055,9 @@ $as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h fi fi -if test -z "$have_uintxx_t" ; then +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types in stdint.h" >&5 $as_echo_n "checking for uintXX_t types in stdint.h... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -13305,6 +14086,37 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +if (test -z "$have_uintxx_t" && \ + test "x$ac_cv_header_inttypes_h" = "xyes") +then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types in inttypes.h" >&5 +$as_echo_n "checking for uintXX_t types in inttypes.h... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include <inttypes.h> +int +main () +{ + uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + $as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then 
@@ -13379,6 +14191,34 @@ $as_echo "#define HAVE_U_CHAR 1" >>confdefs.h fi +ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" " +#include <sys/types.h> +#include <stdint.h> + +" +if test "x$ac_cv_type_intmax_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_INTMAX_T 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "uintmax_t" "ac_cv_type_uintmax_t" " +#include <sys/types.h> +#include <stdint.h> + +" +if test "x$ac_cv_type_uintmax_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_UINTMAX_T 1 +_ACEOF + + +fi + + ac_fn_c_check_type "$LINENO" "socklen_t" "ac_cv_type_socklen_t" "#include <sys/types.h> #include <sys/socket.h> @@ -17492,6 +18332,8 @@ fi TEST_SSH_IPV6=$TEST_SSH_IPV6 +TEST_MALLOC_OPTIONS=$TEST_MALLOC_OPTIONS + UNSUPPORTED_ALGORITHMS=$unsupported_algorithms |