cf3e0be7f5
modified: configure.ac opensshd.init.in
...
Skip generating missing RSA1 key on startup unless ssh1 support is enabled.
Spotted by Jean-Pierre Radley
2016-08-01 14:31:52 -07:00
99522ba7ec
define _OPENBSD_SOURCE for reallocarray on NetBSD
...
Report by and debugged with Hisashi T Fujinaka, dtucker nailed
the problem (lack of prototype causing return type confusion).
2016-07-28 08:54:27 +10:00
353766e088
Move Cygwin IPPORT_RESERVED overrride to defines.h
...
Patch from vinschen at redhat.com.
2016-07-23 16:14:42 +10:00
5fbe93fc6f
add a --disable-pkcs11 knob
2016-07-15 14:28:59 +10:00
679ce88ec2
fix newline escaping for unsupported_algorithms
...
The hmac-ripemd160 was incorrect and could lead to broken
Makefiles on systems that lacked support for it, but I made
all the others consistent too.
2016-07-15 14:28:59 +10:00
7df91b01fc
Check for VIS_ALL.
...
If we don't have it, set BROKEN_STRNVIS to activate the compat replacement.
2016-07-14 12:26:54 +10:00
a233358417
Add compat code for missing wcwidth.
...
If we don't have wcwidth force fallback implementations of nl_langinfo
and mbtowc. Based on advice from Ingo Schwarze.
2016-07-14 10:59:09 +10:00
6310ef27a2
Move err.h replacements into compat lib.
...
Move implementations of err.h replacement functions into their own file
in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@
2016-07-13 14:42:35 +10:00
f3f2cc8386
Check for wchar.h and langinfo.h
...
Wrap includes in the appropriate #ifdefs.
2016-07-11 17:26:49 +10:00
b9c50614eb
whitelist more architectures for seccomp-bpf
...
bz#2590 - testing and patch from Jakub Jelen
2016-07-08 13:59:13 +10:00
a86ec4d073
Use Solaris setpflags(__PROC_PROTECT, ...).
...
Where possible, use Solaris setpflags to disable process tracing on
ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee
at oracle.com, ok djm.
2016-06-14 10:48:27 +10:00
e1d93705f8
modified: configure.ac
...
whitspace clean up. No code changes.
2016-05-31 11:13:22 -07:00
5f41f030e2
Remove NO_IPPORT_RESERVED_CONCEPT
...
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD. ok djm, sanity checked
by Corinna.
2016-04-08 21:21:27 +10:00
b3413534aa
Tidy up openssl header test.
2016-04-04 11:09:21 +10:00
815bcac0b9
Fix configure-time warnings for openssl test.
2016-04-04 11:07:59 +10:00
39f303b1f3
fix sandbox on OSX Lion
...
sshd was failing with:
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
image not found [preauth]
caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
to sshd. Spotted by Darren.
2016-02-23 12:58:53 +11:00
907091acb1
Make Solaris privs code build on older systems.
...
Not all systems with Solaris privs have priv_basicset so factor that
out and provide backward compatibility code. Similarly, not all have
PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
alex at cooperi.net and djm@ with help from carson at taltos.org and
wieland at purdue.edu.
2016-02-19 09:05:39 +11:00
2fee909c3c
Look for gethostbyname in libresolv and libnsl.
...
Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
2016-02-17 09:48:15 +11:00
4626cbaf78
Support Illumos/Solaris fine-grained privileges
...
Includes a pre-auth privsep sandbox and several pledge()
emulations. bz#2511, patch by Alex Wilson.
ok dtucker@
2016-01-08 14:29:12 +11:00
b5fa0cd735
Allow --without-ssl-engine with --without-openssl
...
Patch from Mike Frysinger via github.
2015-12-15 15:10:32 +11:00
c1d7e546f6
Include openssl crypto.h for SSLeay.
...
Patch from doughdemon via github.
2015-12-15 14:27:09 +11:00
3ddd15e1b6
Add a null implementation of pledge.
...
Fixes builds on almost everything.
2015-11-30 07:23:53 +11:00
1560596f44
Fix compiler warnings in the openssl header check.
...
Noted by Austin English.
2015-11-10 11:14:47 +11:00
fafe1d84a2
s/SANDBOX_TAME/SANDBOX_PLEDGE/g
2015-10-14 09:22:15 -07:00
2539dce2a0
upstream commit
...
Change all tame callers to namechange to pledge(2).
Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
2015-10-14 03:22:08 +11:00
9846a2f406
hook tame(2) sandbox up to build
...
OpenBSD only for now
2015-10-08 04:30:48 +11:00
366bada1e9
Correct default value for --with-ssh1.
...
bz#2457, from konto-mindrot.org at walimnieto.com.
2015-09-11 13:33:23 +10:00
7ad8b287c8
Force resolution of _res for correct detection.
...
bz#2259, from sconeu at yahoo.com.
2015-09-11 13:11:02 +10:00
f498a98cf8
don't check for yp_match; ok tim@
2015-09-03 09:11:22 +10:00
d3e2aee414
Check if realpath works on nonexistent files.
...
On some platforms the native realpath doesn't work with non-existent
files (this is actually specified in some versions of POSIX), however
the sftp spec says its realpath with "canonicalize any given path name".
On those platforms, use realpath from the compat library.
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
the realpath symbol to the checked version, so redefine ours to
something else so we pick up the compat version we want.
bz#2428, ok djm@
2015-07-17 12:58:02 +10:00
564d63e1b4
upstream commit
...
Compile-time disable SSH v.1 again
Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
2015-07-15 15:24:40 +10:00
37035c07d4
s/--with-ssh1/--without-ssh1/
2015-07-01 10:49:37 +10:00
5c15e22c69
fix syntax error
2015-06-18 15:07:56 +10:00
99f33d7304
aarch64 support for seccomp-bpf sandbox
...
Also resort and tidy syscall list. Based on patches by Jakub Jelen
bz#2361; ok dtucker@
2015-06-17 10:50:51 +10:00
6397eedf95
Remove unneeded backslashes. Patch from Ángel González
2015-06-03 21:41:11 -07:00
0c2a81dfc2
re-enable SSH protocol 1 at compile time
2015-05-29 17:08:28 +10:00
408f4c2ad4
Look for '${host}-ar' before 'ar'.
...
This changes configure.ac to look for '${host}-ar' as set by
AC_CANONICAL_HOST before looking for the unprefixed 'ar'.
Useful when cross-compiling when all your binutils are prefixed.
Patch from moben at exherbo org via astrand at lysator liu se and
bz#2352.
2015-04-17 09:39:58 +10:00
2aa9da1a3b
upstream commit
...
Compile-time disable SSH protocol 1. You can turn it
back on using the Makefile.inc knob if you need it to talk to ancient
devices.
2015-03-27 12:00:37 +11:00
00797e86b2
check for crypt and DES_crypt in openssl block
...
fixes builds on systems that use DES_crypt; based on patch
from Roumen Petrov
2015-03-04 05:02:45 +11:00
e50e8c97a9
Add null declaration of AI_NUMERICINFO.
...
Some platforms (older FreeBSD and DragonFly versions) do have
getaddrinfo() but do not have AI_NUMERICINFO. so define it to zero
in those cases.
2015-02-21 15:10:33 +11:00
72ef7c148c
support --without-openssl at configure time
...
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
2015-01-15 02:28:36 +11:00
76c0480a85
add --without-ssh1 option to configure
...
Allows disabling support for SSH protocol 1.
2015-01-13 19:38:18 +11:00
642652d280
Add reallocarray to compat library
2014-12-10 01:32:23 +11:00
7d0ba53366
include version number in OpenSSL-too-old error
2014-10-30 10:45:41 +11:00
3d673d103b
- (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
...
using memset_s() where possible; improve fallback to indirect bzero
via a volatile pointer to give it more of a chance to avoid being
optimised away.
2014-08-27 06:32:01 +10:00
d244a5816f
- (djm) [configure.ac] We now require a working vsnprintf everywhere (not
...
just for systems that lack asprintf); check for it always and extend
test to catch more brokenness. Fixes builds on Solaris <= 9
2014-08-23 17:06:49 +10:00
394a60f259
- (djm) [configure.ac] double braces to appease autoconf
2014-08-22 18:06:20 +10:00
6d62784b89
- (djm) [configure.ac] include leading zero characters in OpenSSL version
...
number; fixes test for unsupported versions
2014-08-22 17:36:19 +10:00
2195847e50
- (djm) [configure.ac] Check OpenSSL version is supported at configure time;
...
suggested by Kevin Brott
2014-08-20 11:05:03 +10:00
00f9cd2307
- (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
...
has been located; fixes builds agains libressl-portable
2014-07-15 10:41:38 +10:00
Tim Rice
Damien Miller
Darren Tucker
deraadt@openbsd.org
djm@openbsd.org