On most systems poll(2) does not work when the number of FDs is reduced
with setrlimit, so assume it doesn't when cross compiling and we can't
run the test. bz#3398.
POSIX specifies that poll() shall fail if "nfds argument is greater
than {OPEN_MAX}". The setrlimit sandbox sets this to effectively zero
so this causes poll() to fail in the preauth privsep process.
This is likely the underlying cause for the previously observed similar
behaviour of select() on plaforms where it is implement in userspace on
top of poll().
of manually hashing data outselves. Saves a fair bit of code and makes life
easier for some -portable platforms.
OpenBSD-Commit-ID: 351dfaaa5ab1ee928c0e623041fca28078cff0e0
Darwin's poll(2) implementation is broken. For character-special
devices like /dev/null, it returns POLLNVAL when polled with
POLLIN.
Apparently this is Apple bug 3710161, which is AFAIK not public,
but a websearch will find other OSS projects rediscovering it
periodically since it was first identified in 2005 (!!)
Since we changed from select() to ppoll() tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
glibc's closefrom implementation does not work in a chroot when the kernel
does not have close_range. It tries to read from /proc/self/fd and when
that fails dies with an assertion of sorts. Instead, call close_range
ourselves from our compat code and fall back if that fails. bz#3349,
with william.wilson at canonical.com and fweimer at redhat.com.
HP-UX 10.x has a getline() implementation in libc that does not behave
as we expect so don't use it. With correction from Thorsten Glaser and
typo fix from Larkin Nickle.
Users of MD5-hashed password should arrange for ./configure to link
against libxcrypt or similar. Though it would be better to avoid use
of MD5 password hashing entirely, it's arguably worse than DEScrypt.
feedback and ok dtucker@
Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
compiler hardening flags that configure checks for. These are supported
by clang and gcc, and make ROP gadgets less useful and mitigate
stack-based infoleaks respectively. ok djm@
Placed at the start of platform_disable_tracing() to prevent declaration
after code errors from strict C89 compilers (in the unlikely event that
more than one method is enabled).
Should fix printing cert times exceeding INT_MAX (bz#3329) on platforms
were time_t is a long long. The limit used is for the signed type, so if
some system has a 32bit unsigned time_t then the lower limit will still
be imposed and we would need to add some way to detect this. Anyone using
an unsigned 64bit can let us know when it starts being a problem.
This is basically the existing notify_pipe kludge from serverloop.c
moved behind a pselect interface. It works by installing a signal
handler that writes to a pipe that the select is watching, then calls
the original handler.
The select call in serverloop will become pselect soon, at which point the
kludge will be removed from thereand will only exist in the compat layer.
Original code by markus, help from djm.
Some Linux distributions are shipping the BSD-style hashing functions
(e.g. SHA256Update) in libbsd and/or libmd. Detect this situation to
avoid header/replacement clashes later. ok dtucker@
FreeBSD has login_getpwclass() that does some special magic for
UID=0. Prefer this to login_getclass() as its easier to emulate
the former with the latter.
Based on FreeBSD PR 37416 via Ed Maste; ok dtucker@
The sntrup761 code sourced from supercop uses variable length
arrays. Although widely supported, they are not part of the ANSI
C89 spec so if the compiler does not support VLAs, disable the
sntrup761x25519-sha512@openssh.com KEX method by replacing the kex
functions with no-op ones similar to what we do in kexecdh.c.
This should allow OpenSSH to build with a plain C89 compiler again.
Spotted by tim@, ok djm@.
It was only set by the recently removed AC_HEADER_TIME macro, replace
with simple inclusions of both sys/time.h and time.h. Should prevent
mis-detection of struct timespec.
We needed a mkdtemp() that accepted template paths that did not
end in XXXXXX a long time ago for KRB4, but that code is long
deprecated. We no longer need to replace mkdtemp() for strictly
following POSIX. ok dtucker@
when testing, make sure to include the relevant header files that
declare the types of the functions used by the test:
- stdio.h for printf();
- stdlib.h for exit();
- string.h for strcmp();
- unistd.h for unlink(), _exit(), fork(), getppid(), sleep().
The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is
present.
Move the current aclocal.m4 which contains local macros into the m4/
folder. With this change the aclocal.m4 will be re-created during
changes to the m4/ macro.
This is needed so the `aclocal' can fetch m4 macros from the system if
they are references in the configure script. This is a prerequisite to
use PKG_CHECK_MODULES.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
configure.ac is not detecting -Wextra in compilers that implement the
option. The problem is that -Wextra implies -Wunused-parameter, and the
C excerpt used by aclocal.m4 does not use argv. Patch from pedro at
ambientworks.net, ok djm@
This is a frankenstein monster of AMD64 instructions/calling conventions
but with a 4GB address space. Allegedly deprecated but people still run
into it causing weird sandbox failures, e.g. bz#3085
When the test's child signals its parent and it exits the result of
getppid changes. On Ubuntu 20.04 this results in the ppid being that
of the GDM session, causing it to exit. Analysis and testing from pedro
at ambientworks.net
If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX}
then use those instead. We do calculate these values in configure,
but it turns out that at least one compiler (old HP ANSI C) can't
parse "-9223372036854775808LL" without mangling it. (It can parse
"-9223372036854775807LL" which is presumably why its limits.h defines
LONG_LONG_MIN as the latter minus 1.)
Fixes rekey test when compiled with the aforementioned compiler.
On some platforms (at least older HP-UXes such as 11.11, possibly others)
setting SA_RESTART on signal handers will cause it to not interrupt
select(), at least for calls that do not specify a timeout. Try to
detect this and if found, don't use SA_RESTART.
POSIX says "If SA_RESTART has been set for the interrupting signal, it
is implementation-dependent whether select() restarts or returns with
[EINTR]" so this behaviour is within spec.
... unless we are actually going to use it. Fixes build on HP-UX
without the potential impact to other platforms of a header change
shortly before release.
If the system (or one of the dependencies) implements memmem but does
not define the header, we would not declare it either resulting in
compiler warnings. Check for declaration explicitly. bz#3102.
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
Including a function call in the test programs for the gcc stack
protector flag tests exercises more of the compiler and makes it more
likely it'll detect problems.
Enable -Wextra if compiler supports it
Set -Wno-error=format-truncation if available to prevent expected
string truncations in openbsd-compat from breaking -Werror builds
Darren Tucker
Damien Miller
djm@openbsd.org
David Carlier
John Ericson
pedro martelletto
Sebastian Andrzej Siewior
Andreas Schwab
Ruben Kerkhof