diff options
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 1343 |
1 files changed, 953 insertions, 390 deletions
diff --git a/configure.ac b/configure.ac index b4d6598d..46038375 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,3 @@ -# $Id: configure.ac,v 1.583 2014/08/26 20:32:01 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -20,7 +19,7 @@ AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) AC_CONFIG_HEADER([config.h]) -AC_PROG_CC +AC_PROG_CC([cc gcc]) AC_CANONICAL_HOST AC_C_BIGENDIAN @@ -30,12 +29,11 @@ AC_PROG_CPP AC_PROG_RANLIB AC_PROG_INSTALL AC_PROG_EGREP -AC_PATH_PROG([AR], [ar]) +AC_PROG_MKDIR_P +AC_CHECK_TOOLS([AR], [ar]) AC_PATH_PROG([CAT], [cat]) AC_PATH_PROG([KILL], [kill]) -AC_PATH_PROGS([PERL], [perl5 perl]) AC_PATH_PROG([SED], [sed]) -AC_SUBST([PERL]) AC_PATH_PROG([ENT], [ent]) AC_SUBST([ENT]) AC_PATH_PROG([TEST_MINUS_S_SH], [bash]) @@ -43,11 +41,11 @@ AC_PATH_PROG([TEST_MINUS_S_SH], [ksh]) AC_PATH_PROG([TEST_MINUS_S_SH], [sh]) AC_PATH_PROG([SH], [sh]) AC_PATH_PROG([GROFF], [groff]) -AC_PATH_PROG([NROFF], [nroff]) +AC_PATH_PROG([NROFF], [nroff awf]) AC_PATH_PROG([MANDOC], [mandoc]) AC_SUBST([TEST_SHELL], [sh]) -dnl select manpage formatter +dnl select manpage formatter to be used to build "cat" format pages. if test "x$MANDOC" != "x" ; then MANFMT="$MANDOC" elif test "x$NROFF" != "x" ; then @@ -55,7 +53,7 @@ elif test "x$NROFF" != "x" ; then elif test "x$GROFF" != "x" ; then MANFMT="$GROFF -mandoc -Tascii" else - AC_MSG_WARN([no manpage formatted found]) + AC_MSG_WARN([no manpage formatter found]) MANFMT="false" fi AC_SUBST([MANFMT]) @@ -79,33 +77,23 @@ if test -z "$AR" ; then AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***]) fi -# Use LOGIN_PROGRAM from environment if possible -if test ! -z "$LOGIN_PROGRAM" ; then - AC_DEFINE_UNQUOTED([LOGIN_PROGRAM_FALLBACK], ["$LOGIN_PROGRAM"], - [If your header files don't define LOGIN_PROGRAM, - then use this (detected) from environment and PATH]) -else - # Search for login - AC_PATH_PROG([LOGIN_PROGRAM_FALLBACK], [login]) - if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then - AC_DEFINE_UNQUOTED([LOGIN_PROGRAM_FALLBACK], ["$LOGIN_PROGRAM_FALLBACK"]) - fi -fi - AC_PATH_PROG([PATH_PASSWD_PROG], [passwd]) if test ! -z "$PATH_PASSWD_PROG" ; then AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"], [Full path of your "passwd" program]) fi -if test -z "$LD" ; then - LD=$CC -fi +dnl Since autoconf doesn't support it very well, we no longer allow users to +dnl override LD, however keeping the hook here for now in case there's a use +dnl use case we overlooked and someone needs to re-enable it. Unless a good +dnl reason is found we'll be removing this in future. +LD="$CC" AC_SUBST([LD]) AC_C_INLINE AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>]) +AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>]) AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [ #include <sys/types.h> #include <sys/param.h> @@ -122,12 +110,10 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ ]) openssl=yes -ssh1=yes AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then openssl=no - ssh1=no fi ] ) @@ -139,24 +125,6 @@ else AC_MSG_RESULT([no]) fi -AC_ARG_WITH([ssh1], - [ --without-ssh1 Disable support for SSH protocol 1], - [ - if test "x$withval" = "xno" ; then - ssh1=no - elif test "x$openssl" = "xno" ; then - AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) - fi - ] -) -AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) -if test "x$ssh1" = "xyes" ; then - AC_MSG_RESULT([yes]) - AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support]) -else - AC_MSG_RESULT([no]) -fi - use_stack_protector=1 use_toolchain_hardening=1 AC_ARG_WITH([stackprotect], @@ -184,9 +152,12 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], CFLAGS="$saved_CFLAGS" if test "$GCC" = "yes" || test "$GCC" = "egcs"; then - OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) + OSSH_CHECK_CFLAG_COMPILE([-pipe]) OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option]) + OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation]) + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) OSSH_CHECK_CFLAG_COMPILE([-Wall]) + OSSH_CHECK_CFLAG_COMPILE([-Wextra]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) @@ -194,9 +165,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) + OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) - OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) if test "x$use_toolchain_hardening" = "x1"; then + OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt]) + OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) @@ -241,20 +215,26 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then CFLAGS="$CFLAGS $t -Werror" LDFLAGS="$LDFLAGS $t -Werror" AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include <stdio.h> ]], + [AC_LANG_PROGRAM([[ + #include <stdio.h> + int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;} + ]], [[ char x[256]; - snprintf(x, sizeof(x), "XXX"); + snprintf(x, sizeof(x), "XXX%d", func(1)); ]])], [ AC_MSG_RESULT([yes]) CFLAGS="$saved_CFLAGS $t" LDFLAGS="$saved_LDFLAGS $t" AC_MSG_CHECKING([if $t works]) AC_RUN_IFELSE( - [AC_LANG_PROGRAM([[ #include <stdio.h> ]], + [AC_LANG_PROGRAM([[ + #include <stdio.h> + int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;} + ]], [[ char x[256]; - snprintf(x, sizeof(x), "XXX"); + snprintf(x, sizeof(x), "XXX%d", func(1)); ]])], [ AC_MSG_RESULT([yes]) break ], @@ -295,6 +275,18 @@ __attribute__((__unused__)) static void foo(void){return;}]], [compiler does not accept __attribute__ on return types]) ] ) +AC_MSG_CHECKING([if compiler allows __attribute__ prototype args]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[ +#include <stdlib.h> +typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]], + [[ exit(0); ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1, + [compiler does not accept __attribute__ on prototype args]) ] +) + if test "x$no_attrib_nonnull" != "x1" ; then AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) fi @@ -303,10 +295,11 @@ AC_ARG_WITH([rpath], [ --without-rpath Disable auto-added -R linker paths], [ if test "x$withval" = "xno" ; then - need_dash_r="" - fi - if test "x$withval" = "xyes" ; then - need_dash_r=1 + rpath_opt="" + elif test "x$withval" = "xyes" ; then + rpath_opt="-R" + else + rpath_opt="$withval" fi ] ) @@ -321,6 +314,16 @@ AC_ARG_WITH([cflags], fi ] ) + +AC_ARG_WITH([cflags-after], + [ --with-cflags-after Specify additional flags to pass to compiler after configure], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CFLAGS_AFTER="$withval" + fi + ] +) AC_ARG_WITH([cppflags], [ --with-cppflags Specify additional flags to pass to preprocessor] , [ @@ -339,6 +342,15 @@ AC_ARG_WITH([ldflags], fi ] ) +AC_ARG_WITH([ldflags-after], + [ --with-ldflags-after Specify additional flags to pass to linker after configure], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LDFLAGS_AFTER="$withval" + fi + ] +) AC_ARG_WITH([libs], [ --with-libs Specify additional libraries to link with], [ @@ -368,14 +380,18 @@ AC_CHECK_HEADERS([ \ dirent.h \ endian.h \ elf.h \ + err.h \ features.h \ fcntl.h \ floatingpoint.h \ + fnmatch.h \ getopt.h \ glob.h \ ia.h \ iaf.h \ + ifaddrs.h \ inttypes.h \ + langinfo.h \ limits.h \ locale.h \ login.h \ @@ -397,17 +413,20 @@ AC_CHECK_HEADERS([ \ stdint.h \ string.h \ strings.h \ - sys/audit.h \ sys/bitypes.h \ + sys/byteorder.h \ sys/bsdtty.h \ - sys/capability.h \ sys/cdefs.h \ sys/dir.h \ + sys/file.h \ sys/mman.h \ + sys/label.h \ sys/ndir.h \ sys/poll.h \ sys/prctl.h \ sys/pstat.h \ + sys/ptrace.h \ + sys/random.h \ sys/select.h \ sys/stat.h \ sys/stream.h \ @@ -417,6 +436,7 @@ AC_CHECK_HEADERS([ \ sys/sysmacros.h \ sys/time.h \ sys/timers.h \ + sys/vfs.h \ time.h \ tmpdir.h \ ttyent.h \ @@ -428,6 +448,38 @@ AC_CHECK_HEADERS([ \ utmp.h \ utmpx.h \ vis.h \ + wchar.h \ +]) + +# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] +# to be included first. +AC_CHECK_HEADERS([sys/audit.h], [], [], [ +#ifdef HAVE_SYS_TIME_H +# include <sys/time.h> +#endif +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif +#ifdef HAVE_SYS_LABEL_H +# include <sys/label.h> +#endif +]) + +# sys/capsicum.h requires sys/types.h +AC_CHECK_HEADERS([sys/capsicum.h], [], [], [ +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif +]) + +# net/route.h requires sys/socket.h and sys/types.h. +# sys/sysctl.h also requires sys/param.h +AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [ +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif +#include <sys/param.h> +#include <sys/socket.h> ]) # lastlog.h requires sys/time.h to be included first on Solaris @@ -464,6 +516,11 @@ AC_CHECK_HEADERS([sys/un.h], [], [], [ SIA_MSG="no" SPC_MSG="no" SP_MSG="no" +SPP_MSG="no" + +# Support for Solaris/Illumos privileges (this test is used by both +# the --with-solaris-privs option and --with-sandbox=solaris). +SOLARIS_PRIVS="no" # Check for some target-specific stuff case "$host" in @@ -471,7 +528,7 @@ case "$host" in # Some versions of VAC won't allow macro redefinitions at # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that # particularly with older versions of vac or xlc. - # It also throws errors about null macro argments, but these are + # It also throws errors about null macro arguments, but these are # not fatal. AC_MSG_CHECKING([if compiler allows macro redefinitions]) AC_COMPILE_IFELSE( @@ -482,7 +539,6 @@ case "$host" in [ AC_MSG_RESULT([yes]) ], [ AC_MSG_RESULT([no]) CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`" - LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`" CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`" CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`" ] @@ -544,7 +600,6 @@ case "$host" in #include <fcntl.h> ] ) check_for_aix_broken_getaddrinfo=1 - AC_DEFINE([BROKEN_REALPATH], [1], [Define if you have a broken realpath.]) AC_DEFINE([SETEUID_BREAKS_SETUID], [1], [Define if your platform breaks doing a seteuid before a setuid]) AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken]) @@ -560,6 +615,8 @@ case "$host" in [AIX 5.2 and 5.3 (and presumably newer) require this]) AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) + AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211]) + AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551]) ;; *-*-android*) AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp]) @@ -570,13 +627,12 @@ case "$host" in LIBS="$LIBS /usr/lib/textreadmode.o" AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin]) AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()]) + AC_DEFINE([NO_UID_RESTORATION_TEST], [1], + [Define to disable UID restoration test]) AC_DEFINE([DISABLE_SHADOW], [1], [Define if you want to disable shadow passwords]) AC_DEFINE([NO_X11_UNIX_SOCKETS], [1], [Define if X11 doesn't support AF_UNIX sockets on that system]) - AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1], - [Define if the concept of ports only accessible to - superusers isn't known]) AC_DEFINE([DISABLE_FD_PASSING], [1], [Define if your platform needs to skip post auth file descriptor passing]) @@ -621,7 +677,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) m4_pattern_allow([AU_IPv]) - AC_CHECK_DECL([AU_IPv4], [], + AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) [#include <bsm/audit.h>] AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1], @@ -632,24 +688,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) supported by bsd-setproctitle.c]) AC_CHECK_FUNCS([sandbox_init]) AC_CHECK_HEADERS([sandbox.h]) + AC_CHECK_LIB([sandbox], [sandbox_apply], [ + SSHDLIBS="$SSHDLIBS -lsandbox" + ]) + # proc_pidinfo()-based closefrom() replacement. + AC_CHECK_HEADERS([libproc.h]) + AC_CHECK_FUNCS([proc_pidinfo]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" TEST_MALLOC_OPTIONS="AFGJPRX" ;; -*-*-haiku*) - LIBS="$LIBS -lbsd " - AC_CHECK_LIB([network], [socket]) - AC_DEFINE([HAVE_U_INT64_T]) - MANTYPE=man - ;; +*-*-haiku*) + LIBS="$LIBS -lbsd " + CFLAGS="$CFLAGS -D_BSD_SOURCE" + AC_CHECK_LIB([network], [socket]) + AC_DEFINE([HAVE_U_INT64_T]) + AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx]) + MANTYPE=man + ;; *-*-hpux*) # first we define all of the options common to all HP-UX releases CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" IPADDR_IN_DISPLAY=yes AC_DEFINE([USE_PIPES]) - AC_DEFINE([LOGIN_NO_ENDOPT], [1], - [Define if your login program cannot handle end of options ("--")]) AC_DEFINE([LOGIN_NEEDS_UTMPX]) AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], [String used in /etc/passwd to denote locked account]) @@ -708,7 +770,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) PATH="$PATH:/usr/etc" AC_DEFINE([WITH_IRIX_ARRAY], [1], [Define if you have/want arrays - (cluster-wide session managment, not C arrays)]) + (cluster-wide session management, not C arrays)]) AC_DEFINE([WITH_IRIX_PROJECT], [1], [Define if you want IRIX project management]) AC_DEFINE([WITH_IRIX_AUDIT], [1], @@ -736,6 +798,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) use_pie=auto check_for_libcrypt_later=1 check_for_openpty_ctty_bug=1 + dnl Target SUSv3/POSIX.1-2001 plus BSD specifics. + dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE + CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE" AC_DEFINE([PAM_TTY_KLUDGE], [1], [Work around problematic Linux PAM modules handling of PAM_TTY]) AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"], @@ -764,9 +829,36 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) fi + AC_CHECK_HEADER([linux/if.h], + AC_DEFINE([SYS_RDOMAIN_LINUX], [1], + [Support routing domains using Linux VRF]), [], [ +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif + ]) AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], [], [#include <linux/types.h>]) - AC_CHECK_FUNCS([prctl]) + # Obtain MIPS ABI + case "$host" in + mips*) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#if _MIPS_SIM != _ABIO32 +#error +#endif + ]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#if _MIPS_SIM != _ABIN32 +#error +#endif + ]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#if _MIPS_SIM != _ABI64 +#error +#endif + ]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI]) + ]) + ]) + ]) + ;; + esac AC_MSG_CHECKING([for seccomp architecture]) seccomp_audit_arch= case "$host" in @@ -776,14 +868,55 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) i*86-*) seccomp_audit_arch=AUDIT_ARCH_I386 ;; - arm*-*) + arm*-*) seccomp_audit_arch=AUDIT_ARCH_ARM - ;; + ;; + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; + s390-*) + seccomp_audit_arch=AUDIT_ARCH_S390 + ;; + powerpc64-*) + seccomp_audit_arch=AUDIT_ARCH_PPC64 + ;; + powerpc64le-*) + seccomp_audit_arch=AUDIT_ARCH_PPC64LE + ;; + mips-*) + seccomp_audit_arch=AUDIT_ARCH_MIPS + ;; + mipsel-*) + seccomp_audit_arch=AUDIT_ARCH_MIPSEL + ;; + mips64-*) + case "$mips_abi" in + "n32") + seccomp_audit_arch=AUDIT_ARCH_MIPS64N32 + ;; + "n64") + seccomp_audit_arch=AUDIT_ARCH_MIPS64 + ;; + esac + ;; + mips64el-*) + case "$mips_abi" in + "n32") + seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32 + ;; + "n64") + seccomp_audit_arch=AUDIT_ARCH_MIPSEL64 + ;; + esac + ;; esac if test "x$seccomp_audit_arch" != "x" ; then AC_MSG_RESULT(["$seccomp_audit_arch"]) - AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], - [Specify the system call convention in use]) + AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], + [Specify the system call convention in use]) else AC_MSG_RESULT([architecture not supported]) fi @@ -795,16 +928,15 @@ mips-sony-bsd|mips-sony-newsos4) *-*-netbsd*) check_for_libcrypt_before=1 if test "x$withval" != "xno" ; then - need_dash_r=1 + rpath_opt="-R" fi + CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE" AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way]) AC_CHECK_HEADER([net/if_tap.h], , AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) TEST_MALLOC_OPTIONS="AJRX" - AC_DEFINE([BROKEN_STRNVIS], [1], - [NetBSD strnvis argument order is swapped compared to OpenBSD]) AC_DEFINE([BROKEN_READ_COMPARISON], [1], [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it]) ;; @@ -815,8 +947,6 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_HEADER([net/if_tap.h], , AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) - AC_DEFINE([BROKEN_STRNVIS], [1], - [FreeBSD strnvis argument order is swapped compared to OpenBSD]) TEST_MALLOC_OPTIONS="AJRX" # Preauth crypto occasionally uses file descriptors for crypto offload # and will crash if they cannot be opened. @@ -834,7 +964,6 @@ mips-sony-bsd|mips-sony-newsos4) conf_wtmp_location=/usr/adm/wtmp maildir=/usr/spool/mail AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT]) - AC_DEFINE([BROKEN_REALPATH]) AC_DEFINE([USE_PIPES]) AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT]) ;; @@ -849,13 +978,10 @@ mips-sony-bsd|mips-sony-newsos4) ;; *-*-solaris*) if test "x$withval" != "xno" ; then - need_dash_r=1 + rpath_opt="-R" fi AC_DEFINE([PAM_SUN_CODEBASE]) AC_DEFINE([LOGIN_NEEDS_UTMPX]) - AC_DEFINE([LOGIN_NEEDS_TERM], [1], - [Some versions of /bin/login need the TERM supplied - on the commandline]) AC_DEFINE([PAM_TTY_KLUDGE]) AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], [Define if pam_chauthtok wants real uid set @@ -881,13 +1007,17 @@ mips-sony-bsd|mips-sony-newsos4) else AC_MSG_RESULT([no]) fi + AC_CHECK_FUNCS([setpflags]) + AC_CHECK_FUNCS([setppriv]) + AC_CHECK_FUNCS([priv_basicset]) + AC_CHECK_HEADERS([priv.h]) AC_ARG_WITH([solaris-contracts], [ --with-solaris-contracts Enable Solaris process contracts (experimental)], [ AC_CHECK_LIB([contract], [ct_tmpl_activate], [ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1], [Define if you have Solaris process contracts]) - SSHDLIBS="$SSHDLIBS -lcontract" + LIBS="$LIBS -lcontract" SPC_MSG="yes" ], ) ], ) @@ -897,10 +1027,29 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_LIB([project], [setproject], [ AC_DEFINE([USE_SOLARIS_PROJECTS], [1], [Define if you have Solaris projects]) - SSHDLIBS="$SSHDLIBS -lproject" + LIBS="$LIBS -lproject" SP_MSG="yes" ], ) ], ) + AC_ARG_WITH([solaris-privs], + [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], + [ + AC_MSG_CHECKING([for Solaris/Illumos privilege support]) + if test "x$ac_cv_func_setppriv" = "xyes" -a \ + "x$ac_cv_header_priv_h" = "xyes" ; then + SOLARIS_PRIVS=yes + AC_MSG_RESULT([found]) + AC_DEFINE([NO_UID_RESTORATION_TEST], [1], + [Define to disable UID restoration test]) + AC_DEFINE([USE_SOLARIS_PRIVS], [1], + [Define if you have Solaris privileges]) + SPP_MSG="yes" + else + AC_MSG_RESULT([not found]) + AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs]) + fi + ], + ) TEST_SHELL=$SHELL # let configure find us a capable shell ;; *-*-sunos4*) @@ -911,6 +1060,7 @@ mips-sony-bsd|mips-sony-newsos4) conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog AC_DEFINE([USE_PIPES]) + AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx]) ;; *-ncr-sysv*) LIBS="$LIBS -lc89" @@ -957,21 +1107,18 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SETREUID]) AC_DEFINE([BROKEN_SETREGID]) AC_DEFINE([PASSWD_NEEDS_USERNAME]) + AC_DEFINE([BROKEN_TCGETATTR_ICANON]) TEST_SHELL=$SHELL # let configure find us a capable shell + check_for_libcrypt_later=1 case "$host" in *-*-sysv5SCO_SV*) # SCO OpenServer 6.x maildir=/var/spool/mail - AC_DEFINE([BROKEN_LIBIAF], [1], - [ia_uinfo routines not supported by OS yet]) AC_DEFINE([BROKEN_UPDWTMPX]) AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot" AC_CHECK_FUNCS([getluid setluid], , , [-lprot]) - AC_DEFINE([HAVE_SECUREWARE]) - AC_DEFINE([DISABLE_SHADOW]) ], , ) ;; *) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) - check_for_libcrypt_later=1 ;; esac ;; @@ -1004,40 +1151,6 @@ mips-sony-bsd|mips-sony-newsos4) TEST_SHELL=$SHELL # let configure find us a capable shell SKIP_DISABLE_LASTLOG_DEFINE=yes ;; -*-*-unicosmk*) - AC_DEFINE([NO_SSH_LASTLOG], [1], - [Define if you don't want to use lastlog in session.c]) - AC_DEFINE([SETEUID_BREAKS_SETUID]) - AC_DEFINE([BROKEN_SETREUID]) - AC_DEFINE([BROKEN_SETREGID]) - AC_DEFINE([USE_PIPES]) - AC_DEFINE([DISABLE_FD_PASSING]) - LDFLAGS="$LDFLAGS" - LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" - MANTYPE=cat - ;; -*-*-unicosmp*) - AC_DEFINE([SETEUID_BREAKS_SETUID]) - AC_DEFINE([BROKEN_SETREUID]) - AC_DEFINE([BROKEN_SETREGID]) - AC_DEFINE([WITH_ABBREV_NO_TTY]) - AC_DEFINE([USE_PIPES]) - AC_DEFINE([DISABLE_FD_PASSING]) - LDFLAGS="$LDFLAGS" - LIBS="$LIBS -lgen -lacid -ldb" - MANTYPE=cat - ;; -*-*-unicos*) - AC_DEFINE([SETEUID_BREAKS_SETUID]) - AC_DEFINE([BROKEN_SETREUID]) - AC_DEFINE([BROKEN_SETREGID]) - AC_DEFINE([USE_PIPES]) - AC_DEFINE([DISABLE_FD_PASSING]) - AC_DEFINE([NO_SSH_LASTLOG]) - LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" - LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" - MANTYPE=cat - ;; *-dec-osf*) AC_MSG_CHECKING([for Digital Unix SIA]) no_osfsia="" @@ -1091,15 +1204,32 @@ mips-sony-bsd|mips-sony-newsos4) *-*-ultrix*) AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1]) - AC_DEFINE([BROKEN_MMAP], [1], [Ultrix mmap can't map files]) - AC_DEFINE([NEED_SETPGRP]) + AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty]) AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix]) + AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx]) + # DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we + # don't get a controlling tty. + AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root]) + # On Ultrix some headers are not protected against multiple includes, + # so we create wrappers and put it where the compiler will find it. + AC_MSG_WARN([creating compat wrappers for headers]) + mkdir -p netinet + for header in netinet/ip.h netdb.h resolv.h; do + name=`echo $header | tr 'a-z/.' 'A-Z__'` + cat >$header <<EOD +#ifndef _SSH_COMPAT_${name} +#define _SSH_COMPAT_${name} +#include "/usr/include/${header}" +#endif +EOD + done ;; *-*-lynxos) - CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" - AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation]) - ;; + CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" + AC_DEFINE([BROKEN_SETVBUF], [1], + [LynxOS has broken setvbuf() implementation]) + ;; esac AC_MSG_CHECKING([compiler and flags for sanity]) @@ -1114,7 +1244,6 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])], dnl Checks for header files. # Checks for libraries. -AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])]) AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])]) dnl IRIX and Solaris 2.5.1 have dirname() in libgen @@ -1160,21 +1289,22 @@ AC_CHECK_FUNC([getspnam], , AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1], [Define if you have the basename function.])]) -dnl zlib is required +dnl zlib defaults to enabled +zlib=yes AC_ARG_WITH([zlib], [ --with-zlib=PATH Use zlib in PATH], [ if test "x$withval" = "xno" ; then - AC_MSG_ERROR([*** zlib is required ***]) + zlib=no elif test "x$withval" != "xyes"; then if test -d "$withval/lib"; then - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" else LDFLAGS="-L${withval}/lib ${LDFLAGS}" fi else - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}" else LDFLAGS="-L${withval} ${LDFLAGS}" fi @@ -1187,15 +1317,21 @@ AC_ARG_WITH([zlib], fi ] ) -AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])]) -AC_CHECK_LIB([z], [deflate], , +AC_MSG_CHECKING([for zlib]) +if test "x${zlib}" = "xno"; then + AC_MSG_RESULT([no]) +else + AC_MSG_RESULT([yes]) + AC_DEFINE([WITH_ZLIB], [1], [Enable zlib]) + AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])]) + AC_CHECK_LIB([z], [deflate], , [ saved_CPPFLAGS="$CPPFLAGS" saved_LDFLAGS="$LDFLAGS" save_LIBS="$LIBS" dnl Check default zlib install dir - if test -n "${need_dash_r}"; then - LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}" else LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" fi @@ -1207,18 +1343,18 @@ AC_CHECK_LIB([z], [deflate], , ] ) ] -) + ) -AC_ARG_WITH([zlib-version-check], + AC_ARG_WITH([zlib-version-check], [ --without-zlib-version-check Disable zlib version check], [ if test "x$withval" = "xno" ; then zlib_check_nonfatal=1 fi ] -) + ) -AC_MSG_CHECKING([for possibly buggy zlib]) -AC_RUN_IFELSE([AC_LANG_PROGRAM([[ + AC_MSG_CHECKING([for possibly buggy zlib]) + AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> #include <stdlib.h> #include <zlib.h> @@ -1256,7 +1392,8 @@ See http://www.gzip.org/zlib/ for details.]) fi ], [ AC_MSG_WARN([cross compiling: not checking zlib version]) ] -) + ) +fi dnl UnixWare 2.x AC_CHECK_FUNC([strcasecmp], @@ -1278,10 +1415,37 @@ AC_SEARCH_LIBS([openpty], [util bsd]) AC_SEARCH_LIBS([updwtmp], [util bsd]) AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) -# On some platforms, inet_ntop may be found in libresolv or libnsl. +# On some platforms, inet_ntop and gethostbyname may be found in libresolv +# or libnsl. AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) +AC_SEARCH_LIBS([gethostbyname], [resolv nsl]) +# "Particular Function Checks" +# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html AC_FUNC_STRFTIME +AC_FUNC_MALLOC +AC_FUNC_REALLOC +# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL; +AC_MSG_CHECKING([if calloc(0, N) returns non-null]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [[ #include <stdlib.h> ]], + [[ void *p = calloc(0, 1); exit(p == NULL); ]] + )], + [ func_calloc_0_nonnull=yes ], + [ func_calloc_0_nonnull=no ], + [ AC_MSG_WARN([cross compiling: assuming same as malloc]) + func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"] +) +AC_MSG_RESULT([$func_calloc_0_nonnull]) + +if test "x$func_calloc_0_nonnull" = "xyes"; then + AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null]) +else + AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL]) + AC_DEFINE(calloc, rpl_calloc, + [Define to rpl_calloc if the replacement function should be used.]) +fi # Check for ALTDIRFUNC glob() extension AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support]) @@ -1337,6 +1501,9 @@ g.gl_statv = NULL; AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) +AC_CHECK_DECL([VIS_ALL], , + AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>]) + AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ @@ -1367,89 +1534,52 @@ else AC_MSG_RESULT([no]) fi -# Check whether user wants S/Key support -SKEY_MSG="no" -AC_ARG_WITH([skey], - [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - AC_DEFINE([SKEY], [1], [Define if you want S/Key support]) - LIBS="-lskey $LIBS" - SKEY_MSG="yes" - - AC_MSG_CHECKING([for s/key support]) - AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ -#include <stdio.h> -#include <skey.h> - ]], [[ - char *ff = skey_keyinfo(""); ff=""; - exit(0); - ]])], - [AC_MSG_RESULT([yes])], - [ - AC_MSG_RESULT([no]) - AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) - ]) - AC_MSG_CHECKING([if skeychallenge takes 4 arguments]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ -#include <stdio.h> -#include <skey.h> - ]], [[ - (void)skeychallenge(NULL,"name","",0); - ]])], - [ - AC_MSG_RESULT([yes]) - AC_DEFINE([SKEYCHALLENGE_4ARG], [1], - [Define if your skeychallenge() - function takes 4 arguments (NetBSD)])], - [ - AC_MSG_RESULT([no]) - ]) - fi - ] -) - # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, [ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support]) - LIBS="-lldns $LIBS" - LDNS_MSG="yes" + [ + ldns="" + if test "x$withval" = "xyes" ; then + AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no]) + if test "x$LDNSCONFIG" = "xno"; then + LIBS="-lldns $LIBS" + ldns=yes + else + LIBS="$LIBS `$LDNSCONFIG --libs`" + CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`" + ldns=yes + fi + elif test "x$withval" != "xno" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + LIBS="-lldns $LIBS" + ldns=yes + fi - AC_MSG_CHECKING([for ldns support]) - AC_LINK_IFELSE( - [AC_LANG_SOURCE([[ + # Verify that it works. + if test "x$ldns" = "xyes" ; then + AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support]) + LDNS_MSG="yes" + AC_MSG_CHECKING([for ldns support]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ #include <stdio.h> #include <stdlib.h> -#include <stdint.h> +#ifdef HAVE_STDINT_H +# include <stdint.h> +#endif #include <ldns/ldns.h> int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); } - ]]) - ], - [AC_MSG_RESULT(yes)], + ]]) + ], + [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) AC_MSG_ERROR([** Incomplete or missing ldns libraries.]) ]) - fi - ] -) + fi +]) # Check whether user wants libedit support LIBEDIT_MSG="no" @@ -1460,7 +1590,7 @@ AC_ARG_WITH([libedit], AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) if test "x$PKGCONFIG" != "xno"; then AC_MSG_CHECKING([if $PKGCONFIG knows about libedit]) - if "$PKGCONFIG" libedit; then + if "$PKGCONFIG" libedit; then AC_MSG_RESULT([yes]) use_pkgconfig_for_libedit=yes else @@ -1469,8 +1599,8 @@ AC_ARG_WITH([libedit], fi else CPPFLAGS="$CPPFLAGS -I${withval}/include" - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" else LDFLAGS="-L${withval}/lib ${LDFLAGS}" fi @@ -1531,9 +1661,9 @@ AC_ARG_WITH([audit], AC_CHECK_FUNCS([getaudit_addr aug_get_machine]) AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module]) if test "$sol2ver" -ge 11; then - SSHDLIBS="$SSHDLIBS -lscf" - AC_DEFINE([BROKEN_BSM_API], [1], - [The system has incomplete BSM API]) + SSHDLIBS="$SSHDLIBS -lscf" + AC_DEFINE([BROKEN_BSM_API], [1], + [The system has incomplete BSM API]) fi ;; linux) @@ -1605,12 +1735,27 @@ if test "x$use_pie" != "xno"; then fi fi +AC_MSG_CHECKING([whether -fPIC is accepted]) +SAVED_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS -fPIC" +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )], + [AC_MSG_RESULT([yes]) + PICFLAG="-fPIC"; ], + [AC_MSG_RESULT([no]) + PICFLAG=""; ]) +CFLAGS="$SAVED_CFLAGS" +AC_SUBST([PICFLAG]) + dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ Blowfish_initstate \ Blowfish_expandstate \ Blowfish_expand0state \ Blowfish_stream2word \ + SHA256Update \ + SHA384Update \ + SHA512Update \ asprintf \ b64_ntop \ __b64_ntop \ @@ -1620,29 +1765,40 @@ AC_CHECK_FUNCS([ \ bcrypt_pbkdf \ bindresvport_sa \ blf_enc \ + bzero \ cap_rights_limit \ clock \ closefrom \ dirfd \ endgrent \ + err \ + errx \ explicit_bzero \ fchmod \ + fchmodat \ fchown \ + fchownat \ + flock \ + fnmatch \ freeaddrinfo \ + freezero \ fstatfs \ fstatvfs \ futimes \ getaddrinfo \ getcwd \ getgrouplist \ + getline \ getnameinfo \ getopt \ + getpagesize \ getpeereid \ getpeerucred \ getpgid \ - getpgrp \ _getpty \ getrlimit \ + getrandom \ + getsid \ getttyent \ glob \ group_from_gid \ @@ -1650,24 +1806,28 @@ AC_CHECK_FUNCS([ \ inet_ntoa \ inet_ntop \ innetgr \ + llabs \ + localtime_r \ login_getcapbool \ - mblen \ md5_crypt \ + memmem \ memmove \ memset_s \ mkdtemp \ - mmap \ ngetaddrinfo \ nsleep \ ogetaddrinfo \ openlog_r \ + pledge \ poll \ prctl \ pstat \ + raise \ readpassphrase \ reallocarray \ realpath \ recvmsg \ + recallocarray \ rresvport_af \ sendmsg \ setdtablesize \ @@ -1692,14 +1852,17 @@ AC_CHECK_FUNCS([ \ socketpair \ statfs \ statvfs \ + strcasestr \ strdup \ strerror \ strlcat \ strlcpy \ strmode \ + strndup \ strnlen \ strnvis \ strptime \ + strsignal \ strtonum \ strtoll \ strtoul \ @@ -1711,13 +1874,38 @@ AC_CHECK_FUNCS([ \ truncate \ unsetenv \ updwtmpx \ + utimensat \ user_from_uid \ usleep \ vasprintf \ vsnprintf \ waitpid \ + warn \ ]) +AC_CHECK_DECLS([bzero, memmem]) + +dnl Wide character support. +AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) + +TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes} +AC_MSG_CHECKING([for utf8 locale support]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include <locale.h> +#include <stdlib.h> + ]], [[ + char *loc = setlocale(LC_CTYPE, "en_US.UTF-8"); + if (loc != NULL) + exit(0); + exit(1); + ]])], + AC_MSG_RESULT(yes), + [AC_MSG_RESULT(no) + TEST_SSH_UTF8=no], + AC_MSG_WARN([cross compiling: assuming yes]) +) + AC_LINK_IFELSE( [AC_LANG_PROGRAM( [[ #include <ctype.h> ]], @@ -1725,13 +1913,39 @@ AC_LINK_IFELSE( [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) ]) -# PKCS11 depends on OpenSSL. -if test "x$openssl" = "xyes" ; then - # PKCS#11 support requires dlopen() and co - AC_SEARCH_LIBS([dlopen], [dl], - [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] - ) -fi +disable_pkcs11= +AC_ARG_ENABLE([pkcs11], + [ --disable-pkcs11 disable PKCS#11 support code [no]], + [ + if test "x$enableval" = "xno" ; then + disable_pkcs11=1 + fi + ] +) + +disable_sk= +AC_ARG_ENABLE([security-key], + [ --disable-security-key disable U2F/FIDO support code [no]], + [ + if test "x$enableval" = "xno" ; then + disable_sk=1 + fi + ] +) +enable_sk_internal= +AC_ARG_WITH([security-key-builtin], + [ --with-security-key-builtin include builtin U2F/FIDO support], + [ + if test "x$withval" != "xno" ; then + enable_sk_internal=yes + fi + ] +) +test "x$disable_sk" != "x" && enable_sk_internal="" + +AC_SEARCH_LIBS([dlopen], [dl]) +AC_CHECK_FUNCS([dlopen]) +AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>]) # IRIX has a const char return value for gai_strerror() AC_CHECK_FUNCS([gai_strerror], [ @@ -1755,8 +1969,20 @@ AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1], AC_SEARCH_LIBS([clock_gettime], [rt], [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])]) +dnl check if we need -D_REENTRANT for localtime_r declaration. +AC_CHECK_DECL([localtime_r], [], + [ saved_CPPFLAGS="$CFLAGS" + CPPFLAGS="$CPPFLAGS -D_REENTRANT" + unset ac_cv_have_decl_localtime_r + AC_CHECK_DECL([localtime_r], [], + [ CPPFLAGS="$saved_CPPFLAGS" ], + [ #include <time.h> ] + ) + ], + [ #include <time.h> ] +) + dnl Make sure prototypes are defined for these before using them. -AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])]) AC_CHECK_DECL([strsep], [AC_CHECK_FUNCS([strsep])], [], @@ -1775,10 +2001,11 @@ AC_CHECK_DECL([tcsendbreak], AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>]) -AC_CHECK_DECLS([SHUT_RD], , , +AC_CHECK_DECLS([SHUT_RD, getpeereid], , , [ #include <sys/types.h> #include <sys/socket.h> +#include <unistd.h> ]) AC_CHECK_DECLS([O_NONBLOCK], , , @@ -1792,7 +2019,7 @@ AC_CHECK_DECLS([O_NONBLOCK], , , #endif ]) -AC_CHECK_DECLS([writev], , , [ +AC_CHECK_DECLS([readv, writev], , , [ #include <sys/types.h> #include <sys/uio.h> #include <unistd.h> @@ -1883,6 +2110,16 @@ AC_CHECK_FUNCS([setresgid], [ ) ]) +AC_MSG_CHECKING([for working fflush(NULL)]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])], + AC_MSG_RESULT([yes]), + [AC_MSG_RESULT([no]) + AC_DEFINE([FFLUSH_NULL_BUG], [1], + [define if fflush(NULL) does not work])], + AC_MSG_WARN([cross compiling: assuming working]) +) + dnl Checks for time functions AC_CHECK_FUNCS([gettimeofday time]) dnl Checks for utmp functions @@ -1915,7 +2152,7 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then [[ char b[5]; snprintf(b,5,"123456789"); - exit(b[4]!='\0'); + exit(b[4]!='\0'); ]])], [AC_MSG_RESULT([yes])], [ @@ -1928,6 +2165,29 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then ) fi +if test "x$ac_cv_func_snprintf" = "xyes" ; then + AC_MSG_CHECKING([whether snprintf understands %zu]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include <sys/types.h> +#include <stdio.h> + ]], + [[ + size_t a = 1, b = 2; + char z[128]; + snprintf(z, sizeof z, "%zu%zu", a, b); + exit(strcmp(z, "12")); + ]])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_SNPRINTF], [1], + [snprintf does not understand %zu]) + ], + [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] + ) +fi + # We depend on vsnprintf returning the right thing on overflow: the # number of characters it tried to create (as per SUSv3) if test "x$ac_cv_func_vsnprintf" = "xyes" ; then @@ -2219,7 +2479,90 @@ if test "x$check_for_conflicting_getspnam" = "x1"; then ) fi -AC_FUNC_GETPGRP +dnl NetBSD added an strnvis and unfortunately made it incompatible with the +dnl existing one in OpenBSD and Linux's libbsd (the former having existed +dnl for over ten years). Despite this incompatibility being reported during +dnl development (see http://gnats.netbsd.org/44977) they still shipped it. +dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible +dnl implementation. Try to detect this mess, and assume the only safe option +dnl if we're cross compiling. +dnl +dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag); +dnl NetBSD: 2012, strnvis(char *dst, size_t dlen, const char *src, int flag); +if test "x$ac_cv_func_strnvis" = "xyes"; then + AC_MSG_CHECKING([for working strnvis]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include <signal.h> +#include <stdlib.h> +#include <string.h> +#include <vis.h> +static void sighandler(int sig) { _exit(1); } + ]], [[ + char dst[16]; + + signal(SIGSEGV, sighandler); + if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0) + exit(0); + exit(1) + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])], + [AC_MSG_WARN([cross compiling: assuming broken]) + AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])] + ) +fi + +AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#ifdef HAVE_SYS_SELECT +# include <sys/select.h> +#endif +#include <sys/types.h> +#include <sys/time.h> +#include <stdlib.h> +#include <signal.h> +static void sighandler(int sig) { } + ]], [[ + int r; + pid_t pid; + struct sigaction sa; + + sa.sa_handler = sighandler; + sa.sa_flags = SA_RESTART; + (void)sigaction(SIGTERM, &sa, NULL); + if ((pid = fork()) == 0) { /* child */ + pid = getppid(); + sleep(1); + kill(pid, SIGTERM); + sleep(1); + if (getppid() == pid) /* if parent did not exit, shoot it */ + kill(pid, SIGKILL); + exit(0); + } else { /* parent */ + r = select(0, NULL, NULL, NULL, NULL); + } + exit(r == -1 ? 0 : 1); + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_DEFINE([NO_SA_RESTART], [1], + [SA_RESTARTed signals do no interrupt select])], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + +AC_CHECK_FUNCS([getpgrp],[ + AC_MSG_CHECKING([if getpgrp accepts zero args]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])], + [ AC_MSG_RESULT([yes]) + AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])], + [ AC_MSG_RESULT([no]) + AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])] + ) +]) # Search for OpenSSL saved_CPPFLAGS="$CPPFLAGS" @@ -2236,20 +2579,20 @@ AC_ARG_WITH([ssl-dir], ./*|../*) withval="`pwd`/$withval" esac if test -d "$withval/lib"; then - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" else LDFLAGS="-L${withval}/lib ${LDFLAGS}" fi elif test -d "$withval/lib64"; then - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}" else LDFLAGS="-L${withval}/lib64 ${LDFLAGS}" fi else - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}" else LDFLAGS="-L${withval} ${LDFLAGS}" fi @@ -2276,10 +2619,10 @@ openssl_engine=no AC_ARG_WITH([ssl-engine], [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], [ - if test "x$openssl" = "xno" ; then - AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) - fi if test "x$withval" != "xno" ; then + if test "x$openssl" = "xno" ; then + AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) + fi openssl_engine=yes fi ] @@ -2287,31 +2630,16 @@ AC_ARG_WITH([ssl-engine], if test "x$openssl" = "xyes" ; then LIBS="-lcrypto $LIBS" - AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], - [Define if your ssl headers are included - with #include <openssl/header.h>])], - [ - dnl Check default openssl install dir - if test -n "${need_dash_r}"; then - LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" - else - LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" - fi - CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" - AC_CHECK_HEADER([openssl/opensslv.h], , - [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) - AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], - [ - AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) - ] - ) - ] - ) + AC_TRY_LINK_FUNC([RAND_add], , + [AC_MSG_ERROR([*** working libcrypto not found, check config.log])]) + AC_CHECK_HEADER([openssl/opensslv.h], , + [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) # Determine OpenSSL header version AC_MSG_CHECKING([OpenSSL header version]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ + #include <stdlib.h> #include <stdio.h> #include <string.h> #include <openssl/opensslv.h> @@ -2324,7 +2652,9 @@ if test "x$openssl" = "xyes" ; then if(fd == NULL) exit(1); - if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + if ((rc = fprintf(fd, "%08lx (%s)\n", + (unsigned long)OPENSSL_VERSION_NUMBER, + OPENSSL_VERSION_TEXT)) < 0) exit(1); exit(0); @@ -2342,6 +2672,9 @@ if test "x$openssl" = "xyes" ; then ] ) + # Determining OpenSSL library version is version dependent. + AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num]) + # Determine OpenSSL library version AC_MSG_CHECKING([OpenSSL library version]) AC_RUN_IFELSE( @@ -2358,9 +2691,18 @@ if test "x$openssl" = "xyes" ; then fd = fopen(DATA,"w"); if(fd == NULL) exit(1); - - if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), - SSLeay_version(SSLEAY_VERSION))) <0) +#ifndef OPENSSL_VERSION +# define OPENSSL_VERSION SSLEAY_VERSION +#endif +#ifndef HAVE_OPENSSL_VERSION +# define OpenSSL_version SSLeay_version +#endif +#ifndef HAVE_OPENSSL_VERSION_NUM +# define OpenSSL_version_num SSLeay +#endif + if ((rc = fprintf(fd, "%08lx (%s)\n", + (unsigned long)OpenSSL_version_num(), + OpenSSL_version(OPENSSL_VERSION))) < 0) exit(1); exit(0); @@ -2369,10 +2711,20 @@ if test "x$openssl" = "xyes" ; then ssl_library_ver=`cat conftest.ssllibver` # Check version is supported. case "$ssl_library_ver" in - 0090[[0-7]]*|009080[[0-5]]*) - AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) - ;; - *) ;; + 10000*|0*) + AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) + ;; + 100*) ;; # 1.0.x + 101000[[0123456]]*) + # https://github.com/openssl/openssl/pull/4613 + AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) + ;; + 101*) ;; # 1.1.x + 200*) ;; # LibreSSL + 300*) ;; # OpenSSL development branch. + *) + AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) + ;; esac AC_MSG_RESULT([$ssl_library_ver]) ], @@ -2391,8 +2743,12 @@ if test "x$openssl" = "xyes" ; then [AC_LANG_PROGRAM([[ #include <string.h> #include <openssl/opensslv.h> + #include <openssl/crypto.h> ]], [[ - exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); +#ifndef HAVE_OPENSSL_VERSION_NUM +# define OpenSSL_version_num SSLeay +#endif + exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1); ]])], [ AC_MSG_RESULT([yes]) @@ -2419,8 +2775,8 @@ if test "x$openssl" = "xyes" ; then AC_MSG_CHECKING([if programs using OpenSSL functions will link]) AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], - [[ SSLeay_add_all_algorithms(); ]])], + [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], + [[ ERR_load_crypto_strings(); ]])], [ AC_MSG_RESULT([yes]) ], @@ -2430,8 +2786,8 @@ if test "x$openssl" = "xyes" ; then LIBS="$LIBS -ldl" AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], - [[ SSLeay_add_all_algorithms(); ]])], + [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]], + [[ ERR_load_crypto_strings(); ]])], [ AC_MSG_RESULT([yes]) ], @@ -2446,16 +2802,65 @@ if test "x$openssl" = "xyes" ; then AC_CHECK_FUNCS([ \ BN_is_prime_ex \ DSA_generate_parameters_ex \ - EVP_DigestInit_ex \ + EVP_CIPHER_CTX_ctrl \ EVP_DigestFinal_ex \ - EVP_MD_CTX_init \ + EVP_DigestInit_ex \ EVP_MD_CTX_cleanup \ EVP_MD_CTX_copy_ex \ + EVP_MD_CTX_init \ HMAC_CTX_init \ RSA_generate_key_ex \ RSA_get_default_method \ ]) + # OpenSSL_add_all_algorithms may be a macro. + AC_CHECK_FUNC(OpenSSL_add_all_algorithms, + AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]), + AC_CHECK_DECL(OpenSSL_add_all_algorithms, + AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), , + [[#include <openssl/evp.h>]] + ) + ) + + # LibreSSL/OpenSSL 1.1x API + AC_CHECK_FUNCS([ \ + OPENSSL_init_crypto \ + DH_get0_key \ + DH_get0_pqg \ + DH_set0_key \ + DH_set_length \ + DH_set0_pqg \ + DSA_get0_key \ + DSA_get0_pqg \ + DSA_set0_key \ + DSA_set0_pqg \ + DSA_SIG_get0 \ + DSA_SIG_set0 \ + ECDSA_SIG_get0 \ + ECDSA_SIG_set0 \ + EVP_CIPHER_CTX_iv \ + EVP_CIPHER_CTX_iv_noconst \ + EVP_CIPHER_CTX_get_iv \ + EVP_CIPHER_CTX_set_iv \ + RSA_get0_crt_params \ + RSA_get0_factors \ + RSA_get0_key \ + RSA_set0_crt_params \ + RSA_set0_factors \ + RSA_set0_key \ + RSA_meth_free \ + RSA_meth_dup \ + RSA_meth_set1_name \ + RSA_meth_get_finish \ + RSA_meth_set_priv_enc \ + RSA_meth_set_priv_dec \ + RSA_meth_set_finish \ + EVP_PKEY_get0_RSA \ + EVP_MD_CTX_new \ + EVP_MD_CTX_free \ + EVP_chacha20 \ + ]) + if test "x$openssl_engine" = "xyes" ; then AC_MSG_CHECKING([for OpenSSL ENGINE support]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ @@ -2534,14 +2939,11 @@ if test "x$openssl" = "xyes" ; then [ AC_MSG_RESULT([no]) unsupported_algorithms="$unsupported_cipers \ - aes128-gcm@openssh.com aes256-gcm@openssh.com" + aes128-gcm@openssh.com \ + aes256-gcm@openssh.com" ] ) - AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], - [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], - [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) - AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) AC_LINK_IFELSE( [AC_LANG_PROGRAM([[ @@ -2574,22 +2976,8 @@ if test "x$openssl" = "xyes" ; then fi AC_CHECK_FUNCS([crypt DES_crypt]) - # Search for SHA256 support in libc and/or OpenSSL - AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , - [unsupported_algorithms="$unsupported_algorithms \ - hmac-sha2-256 hmac-sha2-512 \ - diffie-hellman-group-exchange-sha256 \ - hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" - ] - ) - # Search for RIPE-MD support in OpenSSL - AC_CHECK_FUNCS([EVP_ripemd160], , - [unsupported_algorithms="$unsupported_algorithms \ - hmac-ripemd160 - hmac-ripemd160@openssh.com - hmac-ripemd160-etm@openssh.com" - ] - ) + # Check for SHA256, SHA384 and SHA512 support in OpenSSL + AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) # Check complete ECC support in OpenSSL AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) @@ -2601,9 +2989,6 @@ if test "x$openssl" = "xyes" ; then #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/opensslv.h> - #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ - # error "OpenSSL < 0.9.8g has unreliable ECC code" - #endif ]], [[ EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); const EVP_MD *m = EVP_sha256(); /* We need this too */ @@ -2622,9 +3007,6 @@ if test "x$openssl" = "xyes" ; then #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/opensslv.h> - #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ - # error "OpenSSL < 0.9.8g has unreliable ECC code" - #endif ]], [[ EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); const EVP_MD *m = EVP_sha384(); /* We need this too */ @@ -2643,9 +3025,6 @@ if test "x$openssl" = "xyes" ; then #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/opensslv.h> - #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ - # error "OpenSSL < 0.9.8g has unreliable ECC code" - #endif ]], [[ EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); const EVP_MD *m = EVP_sha512(); /* We need this too */ @@ -2680,6 +3059,10 @@ if test "x$openssl" = "xyes" ; then if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ test x$enable_nistp521 = x1; then AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) + AC_CHECK_FUNCS([EC_KEY_METHOD_new]) + openssl_ecc=yes + else + openssl_ecc=no fi if test x$enable_nistp256 = x1; then AC_DEFINE([OPENSSL_HAS_NISTP256], [1], @@ -2687,24 +3070,30 @@ if test "x$openssl" = "xyes" ; then TEST_SSH_ECC=yes COMMENT_OUT_ECC="" else - unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ - ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" + unsupported_algorithms="$unsupported_algorithms \ + ecdsa-sha2-nistp256 \ + ecdh-sha2-nistp256 \ + ecdsa-sha2-nistp256-cert-v01@openssh.com" fi if test x$enable_nistp384 = x1; then AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) TEST_SSH_ECC=yes COMMENT_OUT_ECC="" else - unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ - ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" + unsupported_algorithms="$unsupported_algorithms \ + ecdsa-sha2-nistp384 \ + ecdh-sha2-nistp384 \ + ecdsa-sha2-nistp384-cert-v01@openssh.com" fi if test x$enable_nistp521 = x1; then AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) TEST_SSH_ECC=yes COMMENT_OUT_ECC="" else - unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ - ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" + unsupported_algorithms="$unsupported_algorithms \ + ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp521 \ + ecdsa-sha2-nistp521-cert-v01@openssh.com" fi AC_SUBST([TEST_SSH_ECC]) @@ -2714,6 +3103,84 @@ else AC_CHECK_FUNCS([crypt]) fi +# PKCS11/U2F depend on OpenSSL and dlopen(). +enable_pkcs11=yes +enable_sk=yes +if test "x$openssl" != "xyes" ; then + enable_pkcs11="disabled; missing libcrypto" + enable_sk="disabled; missing libcrypto" +fi +if test "x$openssl_ecc" != "xyes" ; then + enable_sk="disabled; OpenSSL has no ECC support" +fi +if test "x$ac_cv_func_dlopen" != "xyes" ; then + enable_pkcs11="disabled; missing dlopen(3)" + enable_sk="disabled; missing dlopen(3)" +fi +if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then + enable_pkcs11="disabled; missing RTLD_NOW" + enable_sk="disabled; missing RTLD_NOW" +fi +if test ! -z "$disable_pkcs11" ; then + enable_pkcs11="disabled by user" +fi +if test ! -z "$disable_sk" ; then + enable_sk="disabled by user" +fi + +AC_MSG_CHECKING([whether to enable PKCS11]) +if test "x$enable_pkcs11" = "xyes" ; then + AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]) +fi +AC_MSG_RESULT([$enable_pkcs11]) + +AC_MSG_CHECKING([whether to enable U2F]) +if test "x$enable_sk" = "xyes" ; then + AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support]) + AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so]) +else + # Do not try to build sk-dummy library. + AC_SUBST(SK_DUMMY_LIBRARY, [""]) +fi +AC_MSG_RESULT([$enable_sk]) + +# Now check for built-in security key support. +if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then + AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) + use_pkgconfig_for_libfido2= + if test "x$PKGCONFIG" != "xno"; then + AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2]) + if "$PKGCONFIG" libfido2; then + AC_MSG_RESULT([yes]) + use_pkgconfig_for_libfido2=yes + else + AC_MSG_RESULT([no]) + fi + fi + if test "x$use_pkgconfig_for_libfido2" = "xyes"; then + LIBFIDO2=`$PKGCONFIG --libs libfido2` + CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`" + else + LIBFIDO2="-lfido2 -lcbor" + fi + OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'` + AC_CHECK_LIB([fido2], [fido_init], + [ + AC_SUBST([LIBFIDO2]) + AC_DEFINE([ENABLE_SK_INTERNAL], [], + [Enable for built-in U2F/FIDO support]) + enable_sk="built-in" + ], [ AC_MSG_ERROR([no usable libfido2 found]) ], + [ $OTHERLIBS ] + ) + AC_CHECK_HEADER([fido.h], [], + AC_MSG_ERROR([missing fido.h from libfido2])) + AC_CHECK_HEADER([fido/credman.h], [], + AC_MSG_ERROR([missing fido/credman.h from libfido2]), + [#include <fido.h>] + ) +fi + AC_CHECK_FUNCS([ \ arc4random \ arc4random_buf \ @@ -2726,14 +3193,14 @@ AC_CHECK_LIB([iaf], [ia_openinfo], [ LIBS="$LIBS -liaf" AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf" AC_DEFINE([HAVE_LIBIAF], [1], - [Define if system has libiaf that supports set_id]) + [Define if system has libiaf that supports set_id]) ]) ]) LIBS="$saved_LIBS" ### Configure cryptographic random number support -# Check wheter OpenSSL seeds itself +# Check whether OpenSSL seeds itself if test "x$openssl" = "xyes" ; then AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) AC_RUN_IFELSE( @@ -2885,6 +3352,17 @@ AC_ARG_WITH([pam], ] ) +AC_ARG_WITH([pam-service], + [ --with-pam-service=name Specify PAM service name ], + [ + if test "x$withval" != "xno" && \ + test "x$withval" != "xyes" ; then + AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE], + ["$withval"], [sshd PAM service name]) + fi + ] +) + # Check for older PAM if test "x$PAM_MSG" = "xyes" ; then # Check PAM strerror arguments (old PAM) @@ -2965,7 +3443,7 @@ fi # Decide which sandbox style to use sandbox_arg="" AC_ARG_WITH([sandbox], - [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], + [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)], [ if test "x$withval" = "xyes" ; then sandbox_arg="" @@ -3013,7 +3491,8 @@ AC_RUN_IFELSE( select_works_with_rlimit=yes], [AC_MSG_RESULT([no]) select_works_with_rlimit=no], - [AC_MSG_WARN([cross compiling: assuming yes])] + [AC_MSG_WARN([cross compiling: assuming yes]) + select_works_with_rlimit=yes] ) AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) @@ -3028,8 +3507,7 @@ AC_RUN_IFELSE( #include <stdlib.h> ]],[[ struct rlimit rl_zero; - int fd, r; - fd_set fds; + int r; rl_zero.rlim_cur = rl_zero.rlim_max = 0; r = setrlimit(RLIMIT_NOFILE, &rl_zero); @@ -3039,7 +3517,8 @@ AC_RUN_IFELSE( rlimit_nofile_zero_works=yes], [AC_MSG_RESULT([no]) rlimit_nofile_zero_works=no], - [AC_MSG_WARN([cross compiling: assuming yes])] + [AC_MSG_WARN([cross compiling: assuming yes]) + rlimit_nofile_zero_works=yes] ) AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) @@ -3061,7 +3540,13 @@ AC_RUN_IFELSE( [AC_MSG_WARN([cross compiling: assuming yes])] ) -if test "x$sandbox_arg" = "xsystrace" || \ +if test "x$sandbox_arg" = "xpledge" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then + test "x$ac_cv_func_pledge" != "xyes" && \ + AC_MSG_ERROR([pledge sandbox requires pledge(2) support]) + SANDBOX_STYLE="pledge" + AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)]) +elif test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then test "x$have_systr_policy_kill" != "x1" && \ AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support]) @@ -3096,10 +3581,10 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xcapsicum" || \ ( test -z "$sandbox_arg" && \ - test "x$ac_cv_header_sys_capability_h" = "xyes" && \ + test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \ test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then - test "x$ac_cv_header_sys_capability_h" != "xyes" && \ - AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header]) + test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \ + AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header]) test "x$ac_cv_func_cap_rights_limit" != "xyes" && \ AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function]) SANDBOX_STYLE="capsicum" @@ -3114,6 +3599,10 @@ elif test "x$sandbox_arg" = "xrlimit" || \ AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit]) SANDBOX_STYLE="rlimit" AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) +elif test "x$sandbox_arg" = "xsolaris" || \ + ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then + SANDBOX_STYLE="solaris" + AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges]) elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then SANDBOX_STYLE="none" @@ -3131,10 +3620,10 @@ fi AC_CHECK_TYPES([long long, unsigned long long, long double]) # Check datatype sizes -AC_CHECK_SIZEOF([short int], [2]) -AC_CHECK_SIZEOF([int], [4]) -AC_CHECK_SIZEOF([long int], [4]) -AC_CHECK_SIZEOF([long long int], [8]) +AC_CHECK_SIZEOF([short int]) +AC_CHECK_SIZEOF([int]) +AC_CHECK_SIZEOF([long int]) +AC_CHECK_SIZEOF([long long int]) # Sanity check long long for some platforms (AIX) if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then @@ -3142,7 +3631,7 @@ if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then fi # compute LLONG_MIN and LLONG_MAX if we don't know them. -if test -z "$have_llong_max"; then +if test -z "$have_llong_max" && test -z "$have_long_long_max"; then AC_MSG_CHECKING([for max value of long long]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ @@ -3237,12 +3726,23 @@ fprint_ll(FILE *f, long long n) ) fi +AC_CHECK_DECLS([UINT32_MAX], , , [[ +#ifdef HAVE_SYS_LIMITS_H +# include <sys/limits.h> +#endif +#ifdef HAVE_LIMITS_H +# include <limits.h> +#endif +#ifdef HAVE_STDINT_H +# include <stdint.h> +#endif +]]) # More checks for data types AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ u_int a; a = 1;]])], - [ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no" + [ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no" ]) ]) if test "x$ac_cv_have_u_int" = "xyes" ; then @@ -3253,7 +3753,7 @@ fi AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])], - [ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no" + [ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no" ]) ]) if test "x$ac_cv_have_intxx_t" = "xyes" ; then @@ -3270,7 +3770,7 @@ then [ AC_DEFINE([HAVE_INTXX_T]) AC_MSG_RESULT([yes]) - ], [ AC_MSG_RESULT([no]) + ], [ AC_MSG_RESULT([no]) ]) fi @@ -3287,7 +3787,7 @@ AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [ ]], [[ int64_t a; a = 1; ]])], - [ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no" + [ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no" ]) ]) if test "x$ac_cv_have_int64_t" = "xyes" ; then @@ -3297,7 +3797,7 @@ fi AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])], - [ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no" + [ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no" ]) ]) if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then @@ -3312,14 +3812,14 @@ if test -z "$have_u_intxx_t" ; then [ AC_DEFINE([HAVE_U_INTXX_T]) AC_MSG_RESULT([yes]) - ], [ AC_MSG_RESULT([no]) + ], [ AC_MSG_RESULT([no]) ]) fi AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ u_int64_t a; a = 1;]])], - [ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no" + [ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no" ]) ]) if test "x$ac_cv_have_u_int64_t" = "xyes" ; then @@ -3336,7 +3836,7 @@ then [ AC_DEFINE([HAVE_U_INT64_T]) AC_MSG_RESULT([yes]) - ], [ AC_MSG_RESULT([no]) + ], [ AC_MSG_RESULT([no]) ]) fi @@ -3350,7 +3850,7 @@ if test -z "$have_u_intxx_t" ; then uint32_t c; a = b = c = 1; ]])], - [ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no" + [ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no" ]) ]) if test "x$ac_cv_have_uintxx_t" = "xyes" ; then @@ -3368,7 +3868,7 @@ then [ AC_DEFINE([HAVE_UINTXX_T]) AC_MSG_RESULT([yes]) - ], [ AC_MSG_RESULT([no]) + ], [ AC_MSG_RESULT([no]) ]) fi @@ -3381,7 +3881,7 @@ then [ AC_DEFINE([HAVE_UINTXX_T]) AC_MSG_RESULT([yes]) - ], [ AC_MSG_RESULT([no]) + ], [ AC_MSG_RESULT([no]) ]) fi @@ -3408,7 +3908,7 @@ fi AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ u_char foo; foo = 125; ]])], - [ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no" + [ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no" ]) ]) if test "x$ac_cv_have_u_char" = "xyes" ; then @@ -3417,7 +3917,9 @@ fi AC_CHECK_TYPES([intmax_t, uintmax_t], , , [ #include <sys/types.h> -#include <stdint.h> +#ifdef HAVE_STDINT_H +# include <stdint.h> +#endif ]) TYPE_SOCKLEN_T @@ -3436,6 +3938,27 @@ AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [ #endif ]) +AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[ +#include <sys/param.h> +#include <sys/types.h> +#ifdef HAVE_SYS_BITYPES_H +#include <sys/bitypes.h> +#endif +#ifdef HAVE_SYS_STATFS_H +#include <sys/statfs.h> +#endif +#ifdef HAVE_SYS_STATVFS_H +#include <sys/statvfs.h> +#endif +#ifdef HAVE_SYS_VFS_H +#include <sys/vfs.h> +#endif +#ifdef HAVE_SYS_MOUNT_H +#include <sys/mount.h> +#endif +]]) + + AC_CHECK_TYPES([in_addr_t, in_port_t], , , [#include <sys/types.h> #include <netinet/in.h>]) @@ -3443,7 +3966,7 @@ AC_CHECK_TYPES([in_addr_t, in_port_t], , , AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ size_t foo; foo = 1235; ]])], - [ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no" + [ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no" ]) ]) if test "x$ac_cv_have_size_t" = "xyes" ; then @@ -3453,7 +3976,7 @@ fi AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ ssize_t foo; foo = 1235; ]])], - [ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no" + [ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no" ]) ]) if test "x$ac_cv_have_ssize_t" = "xyes" ; then @@ -3463,7 +3986,7 @@ fi AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]], [[ clock_t foo; foo = 1235; ]])], - [ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no" + [ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no" ]) ]) if test "x$ac_cv_have_clock_t" = "xyes" ; then @@ -3494,7 +4017,7 @@ fi AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ pid_t foo; foo = 1235; ]])], - [ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no" + [ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no" ]) ]) if test "x$ac_cv_have_pid_t" = "xyes" ; then @@ -3504,7 +4027,7 @@ fi AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]], [[ mode_t foo; foo = 1235; ]])], - [ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no" + [ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no" ]) ]) if test "x$ac_cv_have_mode_t" = "xyes" ; then @@ -3518,7 +4041,7 @@ AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage #include <sys/socket.h> ]], [[ struct sockaddr_storage s; ]])], [ ac_cv_have_struct_sockaddr_storage="yes" ], - [ ac_cv_have_struct_sockaddr_storage="no" + [ ac_cv_have_struct_sockaddr_storage="no" ]) ]) if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then @@ -3532,7 +4055,7 @@ AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ #include <netinet/in.h> ]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])], [ ac_cv_have_struct_sockaddr_in6="yes" ], - [ ac_cv_have_struct_sockaddr_in6="no" + [ ac_cv_have_struct_sockaddr_in6="no" ]) ]) if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then @@ -3546,7 +4069,7 @@ AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ #include <netinet/in.h> ]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])], [ ac_cv_have_struct_in6_addr="yes" ], - [ ac_cv_have_struct_in6_addr="no" + [ ac_cv_have_struct_in6_addr="no" ]) ]) if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then @@ -3570,7 +4093,7 @@ AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ #include <netdb.h> ]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])], [ ac_cv_have_struct_addrinfo="yes" ], - [ ac_cv_have_struct_addrinfo="no" + [ ac_cv_have_struct_addrinfo="no" ]) ]) if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then @@ -3578,11 +4101,13 @@ if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then [define if you have struct addrinfo data type]) fi +AC_HEADER_TIME + AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]], [[ struct timeval tv; tv.tv_sec = 1;]])], [ ac_cv_have_struct_timeval="yes" ], - [ ac_cv_have_struct_timeval="no" + [ ac_cv_have_struct_timeval="no" ]) ]) if test "x$ac_cv_have_struct_timeval" = "xyes" ; then @@ -3590,9 +4115,30 @@ if test "x$ac_cv_have_struct_timeval" = "xyes" ; then have_struct_timeval=1 fi -AC_CHECK_TYPES([struct timespec]) +AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + #ifdef TIME_WITH_SYS_TIME + # include <sys/time.h> + # include <time.h> + #else + # ifdef HAVE_SYS_TIME_H + # include <sys/time.h> + # else + # include <time.h> + # endif + #endif + ]], + [[ struct timespec ts; ts.tv_sec = 1;]])], + [ ac_cv_have_struct_timespec="yes" ], + [ ac_cv_have_struct_timespec="no" + ]) +]) +if test "x$ac_cv_have_struct_timespec" = "xyes" ; then + AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec]) + have_struct_timespec=1 +fi -# We need int64_t or else certian parts of the compile will fail. +# We need int64_t or else certain parts of the compile will fail. if test "x$ac_cv_have_int64_t" = "xno" && \ test "x$ac_cv_sizeof_long_int" != "x8" && \ test "x$ac_cv_sizeof_long_long_int" = "x0" ; then @@ -3651,6 +4197,8 @@ OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX]) OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX]) AC_CHECK_MEMBERS([struct stat.st_blksize]) +AC_CHECK_MEMBERS([struct stat.st_mtim]) +AC_CHECK_MEMBERS([struct stat.st_mtime]) AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class, struct passwd.pw_change, struct passwd.pw_expire], [], [], [[ @@ -3690,7 +4238,7 @@ AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], #include <sys/socket.h> ]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])], [ ac_cv_have___ss_family_in_struct_ss="yes" ], - [ ac_cv_have___ss_family_in_struct_ss="no" + [ ac_cv_have___ss_family_in_struct_ss="no" ]) ]) if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then @@ -3789,7 +4337,7 @@ AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ extern char *__progname; printf("%s", __progname); ]])], [ ac_cv_libc_defines___progname="yes" ], - [ ac_cv_libc_defines___progname="no" + [ ac_cv_libc_defines___progname="no" ]) ]) if test "x$ac_cv_libc_defines___progname" = "xyes" ; then @@ -3800,7 +4348,7 @@ AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNC AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ printf("%s", __FUNCTION__); ]])], [ ac_cv_cc_implements___FUNCTION__="yes" ], - [ ac_cv_cc_implements___FUNCTION__="no" + [ ac_cv_cc_implements___FUNCTION__="no" ]) ]) if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then @@ -3812,7 +4360,7 @@ AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ printf("%s", __func__); ]])], [ ac_cv_cc_implements___func__="yes" ], - [ ac_cv_cc_implements___func__="no" + [ ac_cv_cc_implements___func__="no" ]) ]) if test "x$ac_cv_cc_implements___func__" = "xyes" ; then @@ -3825,7 +4373,7 @@ AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [ va_list x,y; ]], [[ va_copy(x,y); ]])], [ ac_cv_have_va_copy="yes" ], - [ ac_cv_have_va_copy="no" + [ ac_cv_have_va_copy="no" ]) ]) if test "x$ac_cv_have_va_copy" = "xyes" ; then @@ -3837,7 +4385,7 @@ AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [ #include <stdarg.h> va_list x,y; ]], [[ __va_copy(x,y); ]])], - [ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no" + [ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no" ]) ]) if test "x$ac_cv_have___va_copy" = "xyes" ; then @@ -3849,7 +4397,7 @@ AC_CACHE_CHECK([whether getopt has optreset support], AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]], [[ extern int optreset; optreset = 0; ]])], [ ac_cv_have_getopt_optreset="yes" ], - [ ac_cv_have_getopt_optreset="no" + [ ac_cv_have_getopt_optreset="no" ]) ]) if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then @@ -3861,7 +4409,7 @@ AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])], [ ac_cv_libc_defines_sys_errlist="yes" ], - [ ac_cv_libc_defines_sys_errlist="no" + [ ac_cv_libc_defines_sys_errlist="no" ]) ]) if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then @@ -3874,7 +4422,7 @@ AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[ extern int sys_nerr; printf("%i", sys_nerr);]])], [ ac_cv_libc_defines_sys_nerr="yes" ], - [ ac_cv_libc_defines_sys_nerr="no" + [ ac_cv_libc_defines_sys_nerr="no" ]) ]) if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then @@ -3937,7 +4485,10 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <arpa/nameser.h> #include <resolv.h> extern struct __res_state _res; - ]], [[ ]])], + ]], [[ +struct __res_state *volatile p = &_res; /* force resolution of _res */ +return 0; + ]],)], [AC_MSG_RESULT([yes]) AC_DEFINE([HAVE__RES_EXTERN], [1], [Define if you have struct __res_state _res as an extern]) @@ -3985,7 +4536,7 @@ AC_ARG_WITH([kerberos5], AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support]) KRB5_MSG="yes" - AC_PATH_PROG([KRB5CONF], [krb5-config], + AC_PATH_TOOL([KRB5CONF], [krb5-config], [$KRB5ROOT/bin/krb5-config], [$KRB5ROOT/bin:$PATH]) if test -x $KRB5CONF ; then @@ -4030,7 +4581,6 @@ AC_ARG_WITH([kerberos5], [K5LIBS="$K5LIBS -ldes"]) ], [ AC_MSG_RESULT([no]) K5LIBS="-lkrb5 -lk5crypto -lcom_err" - ]) AC_SEARCH_LIBS([dn_expand], [resolv]) @@ -4062,8 +4612,8 @@ AC_ARG_WITH([kerberos5], [ CPPFLAGS="$oldCPP" ]) fi - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + if test -n "${rpath_opt}" ; then + LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib" fi if test ! -z "$blibpath" ; then blibpath="$blibpath:${KRB5ROOT}/lib" @@ -4213,7 +4763,7 @@ AC_ARG_WITH([maildir], exit(0); ]])], [ - maildir_what=`awk -F: '{print $1}' conftest.maildir` + maildir_what=`awk -F: '{print $1}' conftest.maildir` maildir=`awk -F: '{print $2}' conftest.maildir \ | sed 's|/$||'` AC_MSG_RESULT([Using: $maildir from $maildir_what]) @@ -4281,9 +4831,9 @@ AC_ARG_WITH([mantype], ] ) if test -z "$MANTYPE"; then - TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb" - AC_PATH_PROGS([NROFF], [nroff awf], [/bin/false], [$TestPath]) - if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then MANTYPE=doc elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then MANTYPE=man @@ -4351,7 +4901,7 @@ if test ! -z "$IPADDR_IN_DISPLAY" ; then else DISPLAY_HACK_MSG="no" AC_ARG_WITH([ipaddr-display], - [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ --with-ipaddr-display Use ip address instead of hostname in $DISPLAY], [ if test "x$withval" != "xno" ; then AC_DEFINE([IPADDR_IN_DISPLAY]) @@ -4397,7 +4947,7 @@ fi # Whether to mess with the default path SERVER_PATH_MSG="(default)" AC_ARG_WITH([default-path], - [ --with-default-path= Specify default \$PATH environment for server], + [ --with-default-path= Specify default $PATH environment for server], [ if test "x$external_path_file" = "x/etc/login.conf" ; then AC_MSG_WARN([ @@ -4546,7 +5096,7 @@ if test ! -d $piddir ; then fi AC_ARG_WITH([pid-dir], - [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ --with-pid-dir=PATH Specify location of sshd.pid file], [ if test -n "$withval" && test "x$withval" != "xno" && \ test "x${withval}" != "xyes"; then @@ -4558,7 +5108,7 @@ AC_ARG_WITH([pid-dir], ] ) -AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"], +AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"], [Specify location of ssh.pid]) AC_SUBST([piddir]) @@ -4716,7 +5266,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]], [[ char *utmp = UTMP_FILE; ]])], [ AC_MSG_RESULT([yes]) ], [ AC_MSG_RESULT([no]) - system_utmp_path=no + system_utmp_path=no ]) if test -z "$conf_utmp_location"; then if test x"$system_utmp_path" = x"no" ; then @@ -4746,7 +5296,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]], [[ char *wtmp = WTMP_FILE; ]])], [ AC_MSG_RESULT([yes]) ], [ AC_MSG_RESULT([no]) - system_wtmp_path=no + system_wtmp_path=no ]) if test -z "$conf_wtmp_location"; then if test x"$system_wtmp_path" = x"no" ; then @@ -4779,7 +5329,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]], [[ char *wtmpx = WTMPX_FILE; ]])], [ AC_MSG_RESULT([yes]) ], [ AC_MSG_RESULT([no]) - system_wtmpx_path=no + system_wtmpx_path=no ]) if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -4844,8 +5394,19 @@ else fi AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) +AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8]) AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS]) AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) +AC_SUBST([DEPEND], [$(cat $srcdir/.depend)]) + +CFLAGS="${CFLAGS} ${CFLAGS_AFTER}" +LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}" + +# Make a copy of CFLAGS/LDFLAGS without PIE options. +LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'` +CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'` +AC_SUBST([LDFLAGS_NOPIE]) +AC_SUBST([CFLAGS_NOPIE]) AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ @@ -4894,17 +5455,19 @@ echo " PAM support: $PAM_MSG" echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" -echo " Smartcard support: $SCARD_MSG" -echo " S/KEY support: $SKEY_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" +echo " libldns support: $LDNS_MSG" echo " Solaris process contract support: $SPC_MSG" echo " Solaris project support: $SP_MSG" +echo " Solaris privilege support: $SPP_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" +echo " PKCS#11 support: $enable_pkcs11" +echo " U2F/FIDO support: $enable_sk" echo "" |