mirror of
https://github.com/PowerShell/openssh-portable.git
synced 2025-08-31 22:58:29 +02:00
f71f81eb0f
* upstream: attemp FIDO key signing without PIN and use the error
code returned to fall back only if necessary. Avoids PIN prompts for FIDO
tokens that don't require them; part of GHPR#302
OpenBSD-Commit-ID: 4f752aaf9f2e7c28bcaaf3d4f8fc290131bd038e
* Install Cygwin packages based on OS not config.
* initial list of allowed signers
* upstream: whitespace
OpenBSD-Commit-ID: d297e4387935d4aef091c5e9432578c2e513f538
* upstream: whitespace
OpenBSD-Commit-ID: a5d015efbfd228dc598ffdef612d2da3a579e5d8
* Add cygwin-release test target.
This also moves the cygwin package install from the workflow file to
setup_ci.sh so that we can install different sets of Cygwin packages
for different test configs.
* Add Windows 2022 test targets.
* Add libcrypt-devel to cygwin-release deps.
Based on feedback from vinschen at redhat.com.
* cross-sign allowed_signers with PGP key
Provides continuity of trust from legacy PGP release key to
the SSHSIG signing keys that we will use henceforth for git
signing.
* additional keys
* upstream: whitespace
OpenBSD-Commit-ID: c2bcbf93610d3d62ed206cdf9bf9ff98c6aaf232
* Move sftp from valgrind-2 to 3 to rebalance.
* upstream: sk-usbhid: fix key_lookup() on tokens with built-in UV
explicitly test whether the token performs built-in UV (e.g. biometric
tokens) and enable UV in that case. From Pedro Martelletto via GHPR#388
OpenBSD-Commit-ID: 007eb7e387d27cf3029ab06b88224e03eca62ccd
* Remove arc4random_uniform from arc4random.c
This was previously moved into its own file (matching OpenBSD) which
prematurely committed in commit 73541f2.
* Move OPENBSD ORIGINAL marker.
Putting this after the copyright statement (which doesn't change)
instead of before the version identifier (which does) prevents merge
conflicts when resyncing changes.
* Resync arc4random with OpenBSD.
This brings us up to current, including djm's random-reseeding change,
as prompted by logan at cyberstorm.mu in bz#3467. It brings the
platform-specific hooks from LibreSSL Portable, simplified to match our
use case. ok djm@.
* Remove DEF_WEAK, it's already in defines.h.
* openbsd-compat/bsd-asprintf: add <stdio.h> include for vsnprintf
Fixes the following build failure with Clang 15 on musl:
```
bsd-asprintf.c:51:8: error: call to undeclared library function 'vsnprintf' with type 'int (char *, unsigned long, const char *, struct __va_list_tag *)'; ISO C99 and laterclang -O2 -pipe -fdiagnostics-color=always -frecord-gcc-switches -pipe -Wunknown-warning-option -Qunused-arguments -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -mretpoline -ftrapv -fzero-call-used-regs=all -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/misc/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/lib/misc/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aes.c -o cipher-aes.o
do not support
implicit function declarations [-Wimplicit-function-declaration]
ret = vsnprintf(string, INIT_SZ, fmt, ap2);
^
bsd-asprintf.c:51:8: note: include the header <stdio.h> or explicitly provide a declaration for 'vsnprintf'
1 error generated.
```
* upstream: notifier_complete(NULL, ...) is a noop, so no need to test
that ctx!=NULL; from Corinna Vinschen
OpenBSD-Commit-ID: ade2f2e9cc519d01a586800c25621d910bce384a
* upstream: fix repeated words ok miod@ jmc@
OpenBSD-Commit-ID: 6765daefe26a6b648cc15cadbbe337596af709b7
* upstream: .Li -> .Vt where appropriate; from josiah frentsos,
tweaked by schwarze
ok schwarze
OpenBSD-Commit-ID: 565046e3ce68b46c2f440a93d67c2a92726de8ed
* upstream: ssh-agent: attempt FIDO key signing without PIN and use
the error to determine whether a PIN is required and prompt only if
necessary. from Corinna Vinschen
OpenBSD-Commit-ID: dd6be6a0b7148608e834ee737c3479b3270b00dd
* upstream: a little extra debugging
OpenBSD-Commit-ID: edf1601c1d0905f6da4c713f4d9cecc7d1c0295a
* upstream: sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag
from response
Now that all FIDO signing calls attempt first without PIN and then
fall back to trying PIN only if that attempt fails, we can remove the
hack^wtrick that removed the UV flag from the keys returned during
enroll.
By Corinna Vinschen
OpenBSD-Commit-ID: 684517608c8491503bf80cd175425f0178d91d7f
* upstream: sftp: Don't attempt to complete arguments for
non-existent commands
If user entered a non-existent command (e.g. because they made a
typo) there is no point in trying to complete its arguments. Skip
calling complete_match() if that's the case.
From Michal Privoznik
OpenBSD-Commit-ID: cf39c811a68cde2aeb98fc85addea4000ef6b07a
* upstream: sftp: Be a bit more clever about completions
There are commands (e.g. "get" or "put") that accept two
arguments, a local path and a remote path. However, the way
current completion is written doesn't take this distinction into
account and always completes remote or local paths.
By expanding CMD struct and "cmds" array this distinction can be
reflected and with small adjustment to completer code the correct
path can be completed.
By Michal Privoznik, ok dtucker@
OpenBSD-Commit-ID: 1396d921c4eb1befd531f5c4a8ab47e7a74b610b
* upstream: correct error value
OpenBSD-Commit-ID: 780efcbad76281f11f14b2a5ff04eb6db3dfdad4
* upstream: actually hook up restrict_websafe; the command-line flag
was never actually used. Spotted by Matthew Garrett
OpenBSD-Commit-ID: 0b363518ac4c2819dbaa3dfad4028633ab9cdff1
* upstream: Add a sshkey_check_rsa_length() call for checking the
length of an RSA key; ok markus@
OpenBSD-Commit-ID: de77cd5b11594297eda82edc594b0d32b8535134
* upstream: add a RequiredRSASize for checking RSA key length in
ssh(1). User authentication keys that fall beneath this limit will be
ignored. If a host presents a host key beneath this limit then the connection
will be terminated (unfortunately there are no fallbacks in the protocol for
host authentication).
feedback deraadt, Dmitry Belyavskiy; ok markus@
OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a
* upstream: Add RequiredRSASize for sshd(8); RSA keys that fall
beneath this limit will be ignored for user and host-based authentication.
Feedback deraadt@ ok markus@
OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
* upstream: better debugging for connect_next()
OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640
* upstream: sftp-server(8): add a "users-groups-by-id@openssh.com"
extension request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
Will be used to make directory listings more useful and consistent
in sftp(1).
ok markus@
OpenBSD-Commit-ID: 7ebabde0bcb95ef949c4840fe89e697e30df47d3
* upstream: extend sftp-common.c:extend ls_file() to support supplied
user/group names; ok markus@
OpenBSD-Commit-ID: c70c70498b1fdcf158531117e405b6245863bfb0
* upstream: sftp client library support for
users-groups-by-id@openssh.com; ok markus@
OpenBSD-Commit-ID: ddb2f33a2da6349a9a89a8b5bcb9ca7c999394de
* upstream: use users-groups-by-id@openssh.com sftp-server extension
(when available) to fill in user/group names for directory listings.
Implement a client-side cache of see uid/gid=>user/group names. ok markus@
OpenBSD-Commit-ID: f239aeeadfa925a37ceee36ee8b256b8ccf4466e
* avoid Wuninitialized false positive in gcc-12ish
* no need for glob.h here
it also causes portability problems
* upstream: add RequiredRSASize to the list of keywords accepted by
-o; spotted by jmc@
OpenBSD-Commit-ID: fe871408cf6f9d3699afeda876f8adbac86a035e
* upstream: Fix typo. From AlexanderStohr via github PR#343.
OpenBSD-Commit-ID: a134c9b4039e48803fc6a87f955b0f4a03181497
* upstream: openssh-9.1
OpenBSD-Commit-ID: 5a467b2ee81da01a86adf1ad93b62b1728494e56
* crank versions in RPM spec files
* update release notes URL
* update .depend
* remove mention of --with-security-key-builtin
it is enabled by default when libfido2 is installed
* mention libfido2 autodetection
* whitespace at EOL
* Test commits to all branches of portable.
Only test OpenBSD upstream on commits to master since that's what it
tracks.
* Add 9.1 branch to CI status page.
* Add LibreSSL 3.6.0 to test suite.
While there, bump OpenSSL to latest 1.1.1q release.
* upstream: honour user's umask if it is more restrictive then the ssh
default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@
OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d
* skip bsd-poll.h if poll.h found; ok dtucker
* Fix snprintf configure test for clang 15
Clang 15 -Wimplicit-int defaults to an error in C99 mode and above.
A handful of tests have "main(..." and not "int main(..." which caused
the tests to produce incorrect results.
* undef _get{short,long} before redefining
* revert c64b62338b4 and guard POLL* defines instead
c64b62338b4 broke OSX builds, which do have poll.h but lack ppoll(2)
Spotted by dtucker
* OpenSSL dev branch now identifies as 3.2.0.
* upstream: document "-O no-restrict-websafe"; spotted by Ross L
Richardson
OpenBSD-Commit-ID: fe9eaa50237693a14ebe5b5614bf32a02145fe8b
* upstream: ssh-agent.1: - use Nm not Xr for self-ref - while here,
wrap a long line
ssh-agent.c:
- add -O to usage()
OpenBSD-Commit-ID: 855dac4695cef22e96d69c53436496bc408ca389
* upstream: use correct type with sizeof ok djm@
OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143
* upstream: when scp(1) is using the SFTP protocol for transport (the
default), better match scp/rcp's handling of globs that don't match the
globbed characters but do match literally (e.g. trying to transfer
"foo.[1]").
Previously scp(1) in SFTP mode would not match these pathnames but
legacy scp/rcp mode would.
Reported by Michael Yagliyan in bz3488; ok dtucker@
OpenBSD-Commit-ID: d8a3773f53015ba811fddba7473769a2fd343e11
* upstream: regress test for unmatched glob characters; fails before
previous commit but passes now. bz3488; prodded by dtucker@
OpenBSD-Regress-ID: 0cc5cc9ea4a6fd170dc61b9212f15badaafb3bbd
* upstream: Be more paranoid with host/domain names coming from the
never write a name with bad characters to a known_hosts file.
reported by David Leadbeater, ok deraadt@
OpenBSD-Commit-ID: ba9b25fa8b5490b49398471e0c9657b0cbc7a5ad
* upstream: begin big refactor of sshkey
Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal of having each key-*.c file
owning as much of its keytype's implementation as possible.
lots of feedback + ok markus@
OpenBSD-Commit-ID: 0f2b4334f73914344e9e5b3d33522d41762a57ec
* upstream: factor out sshkey_equal_public()
feedback/ok markus@
OpenBSD-Commit-ID: 1368ba114cb37732fe6ec3d89c7e6d27ea6fdc94
* upstream: factor out public key serialization
feedback/ok markus@
OpenBSD-Commit-ID: a3570c4b97290c5662890aea7328d87f55939033
* upstream: refactor and simplify sshkey_read()
feedback/ok markus@
OpenBSD-Commit-ID: 0d93b7a56e31cd06a8bb0d2191d084ce254b0971
* upstream: factor out key generation
feedback/ok markus@
OpenBSD-Commit-ID: 5b4211bff4de8d9adb84bc72857a8c42c44e7ceb
* upstream: refactor sshkey_from_private()
feedback/ok markus@
OpenBSD-Commit-ID: e5dbe7a3545930c50f70ee75c867a1e08b382b53
* upstream: refactor sshkey_from_blob_internal()
feedback/ok markus@
OpenBSD-Commit-ID: 1f46c0cbb8060ee9666a02749594ad6658c8e283
* upstream: refactor sshkey_sign() and sshkey_verify()
feedback/ok markus@
OpenBSD-Commit-ID: 368e662c128c99d05cc043b1308d2b6c71a4d3cc
* upstream: refactor certify
feedback/ok markus@
OpenBSD-Commit-ID: 35d742992e223eaca3537e6fb3d3002c08eed4f6
* upstream: refactor sshkey_private_serialize_opt()
feedback/ok markus@
OpenBSD-Commit-ID: 61e0fe989897901294efe7c3b6d670cefaf44cbd
* upstream: refactor sshkey_private_deserialize
feedback/ok markus@
OpenBSD-Commit-ID: f5ca6932fdaf840a5e8250becb38315a29b5fc9f
* fix merge botch
* upstream: allow ssh-keyscan(1) to accept CIDR address ranges, e.g.
ssh-keyscan 192.168.0.0/24
If a CIDR range is passed, then it will be expanded to all possible
addresses in the range including the all-0s and all-1s addresses.
bz#976 feedback/ok markus@
OpenBSD-Commit-ID: ce6c5211f936ac0053fd4a2ddb415277931e6c4b
* upstream: put sshkey_check_rsa_length() back in sshkey.c to unbreak
OPENSSL=no builds
OpenBSD-Commit-ID: 99eec58abe382ecd14b14043b195ee1babb9cf6e
* OpenSSL dev branch is 302 not 320.
While there, also accept 301 which it shat it was previously.
* upstream: Use variable for diff options
instead of unconditionally specifying "-rN". This will make life easier
in -portable where not all diff's understand -N.
OpenBSD-Regress-ID: 8b8a407115546be1c6d72d350b1e4f1f960d3cd3
* Check for sockaddr_in.sin_len.
If found, set SOCK_HAS_LEN which is used in addr.c. Should fix keyscan
tests on platforms with this (eg old NetBSD).
* Always use compat getentropy.
Have it call native getentropy and fall back as required. Should fix
issues of platforms where libc has getentropy but it is not implemented
in the kernel. Based on github PR#354 from simsergey.
* Include time.h when defining timegm.
Fixes build on some platforms eg recent AIX.
* Compat tests need libcrypto.
This was moved to CHANNELLIBS during the libs refactor. Spotted by
rapier at psc.edu.
* Run compat regress tests too.
* Add tests for OpenSSL 3.0.7 and LibreSSL 3.6.1.
* Only run opensslver tests if built with OpenSSL.
* Increase selfhosted job timeout.
The default job timeout of 360 (6h) is not enough to complete the
regress tests for some of the slow VMs depending on the load on the host.
Increase to 600 (10h).
* Fix compat regress to work with non-GNU make.
* Link libssh into compat tests.
The cygwin compat code uses xmalloc, so add libssh.a so pick up that.
* Rerun tests on changes to Makefile.in in any dir.
* upstream: replace recently-added valid_domain() check for hostnames
going to known_hosts with a more relaxed check for bad characters; previous
commit broke address literals. Reported by/feedback from florian@
OpenBSD-Commit-ID: 10b86dc6a4b206adaa0c11b58b6d5933898d43e0
* Don't run openbsd-compat tests on Cygwin.
Add "compat-tests" to the default TEST_TARGET so we can override as
necessary. Override TEST_TARGET for Cygwin as the tests don't currently
compile there.
* Fix broken zlib link.
* configure.ac: Add <pty.h> include for openpty
Another Clang 16ish fix (which makes -Wimplicit-function-declaration
an error by default). github PR#355.
See: 2efd71da49b9cfeab7987058cf5919e473ff466b
See: be197635329feb839865fdc738e34e24afd1fca8
* configure.ac: Fix -Wstrict-prototypes
Clang 16 now warns on this and it'll be removed in C23, so let's
just be future proof. It also reduces noise when doing general
Clang 16 porting work (which is a big job as it is). github PR#355.
Signed-off-by: Sam James <sam@gentoo.org>
* Fix setres*id checks to work with clang-16.
glibc has the prototypes for setresuid and setresgid behind _GNU_SOURCE,
and clang 16 will error out on implicit function definitions, so add
_GNU_SOURCE and the required headers to the configure checks. From
sam at @gentoo.org via bz#3497.
* Fix tracing disable on FreeBSD.
Some versions of FreeBSD do not support using id 0 to refer to the
current pid for procctl, so pass getpid() explicitly. From
emaste at freebsd.org.
* Use "prohibit-password" in -portable comments.
"without-password" is the deprecated alias for "prohibit-password",
so we should reference the latter. From emaste at freebsd.org.
* Link to branch-specific queries for V_9_1 status.
* upstream: Fix typo. From pablomh via -portable github PR#344.
OpenBSD-Commit-ID: d056ee2e73691dc3ecdb44a6de68e6b88cd93827
* upstream: Import regenerated moduli.
OpenBSD-Commit-ID: b0e54ee4d703bd6929bbc624068666a7a42ecb1f
* Add CIFuzz integration
* Run cifuzz workflow on the actions as regular CI.
* Whitespace change to trigger CIFuzz workflow.
* Do not run CIFuzz on selfhosted tree.
We already run it on the regular tree, no need to double up.
* Add CIFuzz status badge.
* Branch-specific links for master status badges.
* Fix merge conflict.
* upstream: fix parsing of hex cert expiry time; was checking whether the
start time began with "0x", not the expiry time.
from Ed Maste
OpenBSD-Commit-ID: 6269242c3e1a130b47c92cfca4d661df15f05739
* upstream: Check for and disallow MaxStartups values less than or
equal to zero during config parsing, rather than faling later at runtime.
bz#3489, ok djm@
OpenBSD-Commit-ID: d79c2b7a8601eb9be493629a91245d761154308b
* upstream: Remove some set but otherwise unused variables, spotted
in -portable by clang 16's -Wunused-but-set-variable. ok djm@
OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
* upstream: The IdentityFile option in ssh_config can also be used to
specify a public key file, as documented in ssh.1 for the -i option. Document
this also for IdentityFile in ssh_config.5, for documentation completeness.
From laalsaas at systemli.org via portable github PR#352, ok jmc@ djm@
OpenBSD-Commit-ID: 2f943be9f96e60ef81a9a4faa25b009999f9883b
* Split out rekey test since it runs the longest.
* Update checkout and upload actions.
Update actions/checkout and actions/upload-artifact to main branch for
compatibility with node.js v16.
* Add valrind-5 test here too.
* Run vm startup and shutdown from runner temp dir.
Should work even if the github workspace dir is on a stale sshfs mount.
* Shutdown any VM before trying to check out repo.
In the case where the previous run did not clean up, the checkout will
fail as it'll leave a stale mount.
* Avoid assuming layout of fd_set
POSIX doesn't specify the internal layout of the fd_set object, so let's
not assume it is just a bit mask. This increases compatibility with
systems that have a different layout.
The assumption is also worthless as we already refuse to use file
descriptors over FD_SETSIZE anyway. Meaning that the default size of
fd_set is quite sufficient.
* Fix comment text. From emaste at freebsd.org.
* Defer seed_rng until after closefrom call.
seed_rng will initialize OpenSSL, and some engine providers (eg Intel's
QAT) will open descriptors for their own use. bz#3483, patch from
joel.d.schuetze at intel.com, ok djm@
* upstream: typo in comment
OpenBSD-Commit-ID: 39c58f41e0f32d1ff31731fa6f5bbbc3ad25084a
* upstream: rename client_global_hostkeys_private_confirm() to
client_global_hostkeys_prove_confirm(), as it handles the
"hostkeys-prove00@openssh.com" message; no functional change
OpenBSD-Commit-ID: 31e09bd3cca6eed26855b88fb8beed18e9bd026d
* upstream: Remove errant colon and simplify format
string in error messages. Patch from vapier at chromium.org.
OpenBSD-Commit-ID: fc28466ebc7b74e0072331947a89bdd239c160d3
* upstream: Fix typo in fatal error message.
Patch from vapier at chromium.org.
OpenBSD-Commit-ID: 8a0c164a6a25eef0eedfc30df95bfa27644e35cf
* Skip reexec test on OpenSSL 1.1.1 specifically.
OpenSSL 1.1.1 has a bug in its RNG that breaks reexec fallback, so skip
that test. See bz#3483 for details.
* Remove seed passing over reexec.
This was added for the benefit of platforms using ssh-rand-helper to
prevent a delay on each connection as sshd reseeded itself.
ssh-random-helper is long gone, and since the re-exec happens before the
chroot the re-execed sshd can reseed itself normally. ok djm@
* upstream: Handle dynamic remote port forwarding in escape commandline's
-R processing. bz#3499, ok djm@
OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208
* Add dfly62 test target.
* If we haven't found it yet, recheck for sys/stat.h.
On some very old platforms, sys/stat.h needs sys/types.h, however
autoconf 2.71's AC_CHECK_INCLUDES_DEFAULT checks for them in the
opposite order, which in combination with modern autoconf's
"present but cannot be compiled" behaviour causes it to not be
detected.
* Add fallback for old platforms w/out MAP_ANON.
* Remove explicit "default" test config argument.
Not specifying the test config implicitly selects default args.
* Remove unused self-hosted test targets.
* Rename "os" in matrix to "target".
This is in preparation to distinguish this from the host that the runner
runs on in case where they are separate (eg VMs).
* Add "libvirt" label to dfly30.
* Make "config" in matrix singular and pass in env.
This will allow the startup scripts to adapt their behaviour based on
the type and config.
* Run vmstartup from temp dir.
This will allow us to create ephemeral disk images per-runner.
* Rework how selfhosted tests interact with runners.
Previously there was one runner per test target (mostly VMs). This had
a few limitations:
- multiple tests that ran on the same target (eg multiple build
configs) were serialized on availability or that runner.
- it needed manual balancing of VMs over host machines.
To address this, make VMs that use ephemeral disks (ie most of them)
all use a pool of runners with the "libvirt" label. This requires that
we distinguish between "host" and "target" for those. Native runners
and VMs with persistent disks (eg the constantly-updated snapshot ones)
specify the same host and target.
This should improve test throughput.
* Skip unit tests on slow riscv64 hardware.
* Use -fzero-call-used-regs=used on clang 15.
clang 15 seems to have a problem with -fzero-call-used-reg=all which
causes spurious "incorrect signature" failures with ED25519. On those
versions, use -fzero-call-used-regs=used instead. (We may add exceptions
later if specific versions prove to be OK). Also move the GCC version
check to match.
Initial investigation by Daniel Pouzzner (douzzer at mega nu), workaround
suggested by Bill Wendling (morbo at google com). bz#3475, ok djm@
* upstream: In channel_request_remote_forwarding the parameters for
permission_set_add are leaked as they are also duplicated in the call. Found
by CodeChecker. ok djm
OpenBSD-Commit-ID: 4aef50fa9be7c0b138188814c8fe3dccc196f61e
* upstream: New EnableEscapeCommandline ssh_config(5) option
This option (default "no") controls whether the ~C escape is available.
Turning it off by default means we will soon be able to use a stricter
default pledge(2) in the client.
feedback deraadt@ dtucker@; tested in snaps for a while
OpenBSD-Commit-ID: 7e277595d60acb8263118dcb66554472257b387a
* upstream: tighten pledge(2) after session establishment
feedback, ok & testing in snaps deraadt@
OpenBSD-Commit-ID: aecf4d49d28586dfbcc74328d9333398fef9eb58
* upstream: Add void to client_repledge args to fix compiler warning. ok djm@
OpenBSD-Commit-ID: 7e964a641ce4a0a0a11f047953b29929d7a4b866
* upstream: Log output of ssh-agent and ssh-add
This should make debugging easier.
OpenBSD-Regress-ID: 5974b02651f428d7e1079b41304c498ca7e306c8
* upstream: Clean up ssh-add and ssh-agent logs.
OpenBSD-Regress-ID: 9eda8e4c3714d7f943ab2e73ed58a233bd29cd2c
* Restore ssh-agent permissions on exit.
...enough that subsequent builds can overwrite ssh-agent if necessary.
* upstream: make struct sshbuf private
and remove an unused field; ok dtucker
OpenBSD-Commit-ID: c7a3d77c0b8c153d463398606a8d57569186a0c3
* upstream: Remove duplicate includes.
Patch from AtariDreams via github PR#364.
OpenBSD-Commit-ID: b9186638a05cb8b56ef7c0de521922b6723644ea
* Fix typo in comment. Spotted by tim@
* Update autotools
Regenerate config files using latest autotools
* disable SANDBOX_SECCOMP_FILTER_DEBUG
It was mistakenly enabled in 2580916e4872
Reported by Peter sec-openssh-com.22.fichtner AT 0sg.net
* Add SANDBOX_DEBUG to the kitchensink test build.
* upstream: Fix comment typo.
OpenBSD-Regress-ID: 3b04faced6511bb5e74648c6a4ef4bf2c4decf03
* upstream: remove '?' from getopt(3) loops
userspace: remove vestigial '?' cases from top-level getopt(3) loops
getopt(3) returns '?' when it encounters a flag not present in the in
the optstring or if a flag is missing its option argument. We can
handle this case with the "default" failure case with no loss of
legibility. Hence, remove all the redundant "case '?':" lines.
Prompted by dlg@. With help from dlg@ and millert@.
Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2
ok naddy@ millert@ dlg@
OpenBSD-Commit-ID: b2f89346538ce4f5b33ab8011a23e0626a67e66e
* upstream: Add server debugging for hostbased auth.
auth_debug_add queues messages about the auth process which is sent to
the client after successful authentication. This also sends those to
the server debug log to aid in debugging. From bz#3507, ok djm@
OpenBSD-Commit-ID: 46ff67518cccf9caf47e06393e2a121ee5aa258a
* upstream: Warn if no host keys for hostbased auth can be loaded.
OpenBSD-Commit-ID: 2a0a13132000cf8d3593133c1b49768aa3c95977
* use calloc for allocating arc4random structs
ok dtucker
* Move obsdsnap test VMs to ephemeral runners.
* Run upstream obsdsnap tests on ephemeral runners.
* obsdsnap test VMs runs-on libvirt too.
* Fetch regress logs from obj dir.
* Set group perms on regress dir.
This ensures that the tests don't fail due to StrictMode checks.
* Use sudo when resetting perms on directories.
* Add tests for LibreSSL 3.7.0 and OpenSSL 1.1.1s.
* Simply handling of SSH_CONNECTION PAM env var.
Prompted by bz#3508: there's no need to cache the value of
sshpam_conninfo so remove the global. While there, add check of
return value from pam_putenv. ok djm@
* upstream: The idiomatic way of coping with signed char vs unsigned
char (which did not come from stdio read functions) in the presence of
ctype macros, is to always cast to (unsigned char). casting to (int)
for a "macro" which is documented to take int, is weird. And sadly wrong,
because of the sing extension risk.. same diff from florian
OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea
* upstream: add a -X option to both scp(1) and sftp(1) to allow
control over some SFTP protocol knobs: the copy buffer length and
the number of inflight requests, both of which are used during
upload/download.
Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.
ok dtucker@
OpenBSD-Commit-ID: 27502bffc589776f5da1f31df8cb51abe9a15f1c
* upstream: add -X to usage();
OpenBSD-Commit-ID: 1bdc3df7de11d766587b0428318336dbffe4a9d0
* upstream: Clear signal mask early in main(); sshd may have been
started with one or more signals masked (sigprocmask(2) is not cleared
on fork/exec) and this could interfere with various things, e.g. the
login grace timer.
Execution environments that fail to clear the signal mask before running
sshd are clearly broken, but apparently they do exist.
Reported by Sreedhar Balasubramanian; ok dtucker@
OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae
* upstream: Mention that scp uses the SFTP protocol and remove
reference to legacy flag. Spotted by, feedback and ok jmc@
OpenBSD-Commit-ID: 9dfe04966f52e941966b46c7a2972147f95281b3
* upstream: spelling fixes; from paul tagliamonte amendments to his
diff are noted on tech
OpenBSD-Commit-ID: d776dd03d0b882ca9c83b84f6b384f6f9bd7de4a
* upstream: fix bug in PermitRemoteOpen which caused it to ignore its
first argument unless it was one of the special keywords "any" or "none".
Reported by Georges Chaudy in bz3515; ok dtucker@
OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5
* upstream: regression test for PermitRemoteOpen
OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c
* upstream: suppress "Connection closed" message when in quiet mode
OpenBSD-Commit-ID: 8a3ab7176764da55f60bfacfeae9b82d84e3908f
* upstream: add ptimeout API for keeping track of poll/ppoll
timeouts; ok dtucker markus
OpenBSD-Commit-ID: 3335268ca135b3ec15a947547d7cfbb8ff929ead
* upstream: replace manual poll/ppoll timeout math with ptimeout API
feedback markus / ok markus dtucker
OpenBSD-Commit-ID: c5ec4f2d52684cdb788cd9cbc1bcf89464014be2
* upstream: Add channel_force_close()
This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.
Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.
ok markus dtucker
OpenBSD-Commit-ID: 23052707a42bdc62fda2508636e624afd466324b
* upstream: tweak channel ctype names
These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.
ok dtucker markus
OpenBSD-Commit-ID: 66834765bb4ae14f96d2bb981ac98a7dae361b65
* upstream: Add channel_set_xtype()
This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.
ok markus dtucker
OpenBSD-Commit-ID: 42564aa92345045b4a74300528f960416a15d4ca
* upstream: Implement channel inactivity timeouts
This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.
Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.
ok markus dtucker
OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
* unbreak scp on NetBSD 4.x
e555d5cad5 effectively increased the default copy buffer size for SFTP
transfers. This caused NetBSD 4.x to hang during the "copy local file to
remote file in place" scp.sh regression test.
This puts back the original 32KB copy buffer size until we can properly
figure out why.
lots of debugging assistance from dtucker@
* upstream: Copy bytes from the_banana[] rather than banana()
Fixes test failure due to segfault seen on arm64 with xonly snap.
ok djm
OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046
* upstream: unit tests for misc.c:ptimeout_* API
OpenBSD-Regress-ID: 01f8fb12d08e5aaadd4bd4e71f456b6588be9a94
* upstream: fix typo in verbose logging
OpenBSD-Regress-ID: 0497cdb66e003b2f50ed77291a9104fba2e017e9
* upstream: regression test for ChannelTimeout
OpenBSD-Regress-ID: 280bfbefcfa415428ad744e43f69a8dede8ad685
* upstream: Save debug logs from ssh for debugging purposes.
OpenBSD-Regress-ID: 109e40b06de1c006a3b8e0d8745b790b2c5870a0
* Set OPENSSL_BIN from OpenSSL directory.
* Check openssl_bin path is executable before using.
* Use autoconf to find openssl binary.
It's possible to install an OpenSSL in a path not in the system's
default library search path. OpenSSH can still use this (eg if you
specify an rpath) but the openssl binary there may not work. If one is
available on the system path just use that.
* Use our own netcat for dynamic-forward test.
That way we can be surer about its behaviour rather than trying to
second-guess the behaviour of various netcat implementations.
* upstream: When OpenSSL is not available, skip parts of percent test
that require it. Based on github pr#368 from ren mingshuai.
OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2
* don't test IPv6 addresses if platform lacks support
* Skip dynamic-forward test on minix3.
This test relies on loopback addresses which minix does not have.
Previously the test would not run at all since it also doesn't have
netcat, but now we use our own netcat it tries and fails.
* try to improve logging for dynamic-forward test
previously the logs from the ssh used to exercise the forwarding
channel would clobber the logs from the ssh actually doing the
forwarding
* upstream: tweak previous; ok djm
OpenBSD-Commit-ID: 229c493452766d70a78b0f02f6ff9894f9028858
* upstream: Switch scp from using pipes to a socketpair for
communication with it's ssh sub-processes. We no longer need to reserve two
descriptors to ensure that we don't end up using fd 0-2 unexpectedly, that is
handled by sanitise_stdfd() in main(). Based on an original diff from djm@.
OK deraadt@ djm@
OpenBSD-Commit-ID: b80c372faac462471e955ddeab9480d668a2e48d
* add back use of pipes in scp.c under USE_PIPES
This matches sftp.c which prefers socketpair but uses pipes on
some older platforms.
* remove buffer len workaround for NetBSD 4.x
Switching to from pipes to a socketpair for communicating with the
ssh process avoids the (kernel bug?) problem.
* upstream: rewrite this test to use a multiplexed ssh session so we can
control its lifecycle without risk of race conditions; fixes some of the
Github integration tests for openssh-portable
OpenBSD-Regress-ID: 5451cad59ba0d43ae9eeda48ec80f54405fee969
* upstream: remove whitespace at EOL from code extracted from SUPERCOP
OpenBSD-Commit-ID: 1ec524ff2fbb9387d731601437c82008f35a60f4
* upstream: ignore bogus upload/download buffer lengths in the limits
extension
OpenBSD-Commit-ID: c5b023e0954693ba9a5376e4280c739b5db575f8
* upstream: clamp the minimum buffer lengths and number of inflight
requests too
OpenBSD-Commit-ID: c4965f62fa0ba850940fd66ae3f60cf516bbcd56
* upstream: avoid printf("%s", NULL) if using ssh
-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
changes; ok dtucker@
OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614
* upstream: Add a "Host" line to the output of ssh -G showing the
original host arg. Inspired by patch from vincent at bernat.ch via bz#3343,
ok djm@
OpenBSD-Commit-ID: 59c0f60a222113a44d0650cd394376e3beecc883
* Remove skipping test when scp not in path.
An upcoming change renders this obsolete by adding scp's path to the
test sshd's PATH, and removing this first will make the subsequent sync
easier.
* upstream: Add scp's path to test sshd's PATH.
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
* upstream: Move scp path setting to a helper function. The previous
commit to add scp to the test sshd's path causes the t-envpass test to fail
when the test scp is given using a fully qualified path. Put this in a
helper function and only call it from the scp tests.
OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
* Retry package installation 3 times.
When setting up the CI environment, retry package installation 3 times
before going up. Should help prevent spurious failures during
infrastructure issues.
* upstream: Document "UserKnownHostsFile none". ok djm@
OpenBSD-Commit-ID: f695742d39e34ecdcc3c861c3739a84648a4bce5
* upstream: fix double phrase in previous;
OpenBSD-Commit-ID: 671e6c8dc5e9230518b2bbfa143daaa88adc66c2
* upstream: Instead of skipping the all-tokens test if we don't have
OpenSSL (since we use it to compute the hash), put the hash at the end and
just omit it if we don't have it. Prompted by bz#3521.
OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
* upstream: Shell syntax fix. From ren mingshuai vi github PR#369.
OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
* Allow writev is seccomp sandbox.
This seems to be used by recent glibcs at least in some configurations.
From bz#3512, ok djm@
* upstream: update OpenSSH's Ed25519 code to the last version of SUPERCOP
(20221122) and change the import approach to the same one we use for
Streamlined NTRUPrime: use a shell script to extract the bits we need from
SUPERCOP, make some minor adjustments and squish them all into a single file.
ok tb@ tobhe@
OpenBSD-Commit-ID: 1bc0fd624cb6af440905b8ba74ac7c03311b8e3b
* upstream: adapt to ed25519 changes in src/usr.bin/ssh
OpenBSD-Regress-ID: 4b3e7ba7ee486ae8a0b4790f8112eded2bb7dcd5
* upstream: Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.
ok markus@
OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
* upstream: unbreak test: cannot access shell positional parameters
past $9 without wrapping the position in braces (i.e. need ${10}, etc.)
OpenBSD-Regress-ID: 3750ec98d5d409ce6a93406fedde6f220d2ea2ac
* upstream: regression test for UnusedConnectionTimeout
OpenBSD-Regress-ID: 7f29001374a68e71e5e078f69e4520cf4bcca084
* upstream: also check that an active session inhibits
UnusedConnectionTimeout idea markus@
OpenBSD-Regress-ID: 55c0fb61f3bf9e092b0a53f9041d3d2012f14003
* upstream: For "ssh -V" always exit 0, there is no need to check opt
again. This was missed when the fallthrough in the switch case above it was
removed. OK deraadt@
OpenBSD-Commit-ID: 5583e5d8f6d62a8a4215cfa95a69932f344c8120
* upstream: Add a -V (version) option to sshd like the ssh client
has. OK markus@ deraadt@
OpenBSD-Commit-ID: abe990ec3e636fb040132aab8cbbede98f0c413e
* upstream: when restoring non-blocking mode to stdio fds, restore
exactly the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;
bz3523; ok dtucker@
OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0
* Skip connection-timeout when missing FD passing.
This tests uses multiplexing which uses file descriptor passing, so
skip it if we don't have that. Fixes test failures on Cygwin.
* Skip connection-timeout test under Valgrind.
Valgrind slows things down so much that the timeout test fails. Skip
this test until we figure out if we can make it work.
* upstream: tweak previous; ok djm
OpenBSD-Commit-ID: df71ce4180c58202dfdc1d92626cfe900b91b7c3
* upstream: Create and install sshd random relink kit.
../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
be too fragile, we'll see if we need a different approach. The resulting sshd
binary is tested with the new sshd -V option before installation. As the
binary layout is now semi-unknown (meaning relative, fixed, and gadget
offsets are not precisely known), change the filesystem permissions to 511 to
prevent what I call "logged in BROP". I have ideas for improving this further
but this is a first step ok djm
OpenBSD-Commit-ID: 1e0a2692b7e20b126dda60bf04999d1d30d959d8
* upstream: delete useless dependency
OpenBSD-Commit-ID: e1dc11143f83082e3154d6094f9136d0dc2637ad
* fix libfido2 detection without pkg-config
Place libfido2 before additional libraries (that it may depend upon)
and not after. bz3530 from James Zhang; ok dtucker@
* Skip connection-timeout test on minix3.
Minix 3's Unix domain sockets don't seem to work the way we expect, so
skip connection-timeout test on that platform. While there, group
together all similarly skipped tests and explicitly comment.
* upstream: fix double-free caused by compat_kex_proposal(); bz3522
by dtucker@, ok me
OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
* upstream: openssh-9.2
OpenBSD-Commit-ID: f7389f32413c74d6e2055f05cf65e7082de03923
* upstream: Check if we can copy sshd or need to use sudo to do so
during reexec test. Skip test if neither can work. Patch from anton@, tweaks
from me.
OpenBSD-Regress-ID: 731b96ae74d02d5744e1f1a8e51d09877ffd9b6d
* upstream: test compat_kex_proposal(); by dtucker@
OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2
* adapt compat_kex_proposal() test to portable
* update version in README
* crank versions in RPM specs
* remove files from libssh project
* re-merge arc4random.c
* re-merge misc.c
* remove unused files from libssh.vcxproj
* fix outstanding merge conflicts
* fix build errors
* modify upstream workflows to trigger on workflow dispatch instead of all PRs
* fix scp client hanging with pipes
* fix some failing bash tests
* make bash test compatible with Windows
* address scp's sftp mode buf len limitations
* address review feedback
* address review feedback
* update comment
---------
Signed-off-by: Sam James <sam@gentoo.org>
Co-authored-by: djm@openbsd.org <djm@openbsd.org>
Co-authored-by: Darren Tucker <dtucker@dtucker.net>
Co-authored-by: Damien Miller <djm@mindrot.org>
Co-authored-by: Sam James <sam@gentoo.org>
Co-authored-by: jsg@openbsd.org <jsg@openbsd.org>
Co-authored-by: jmc@openbsd.org <jmc@openbsd.org>
Co-authored-by: dtucker@openbsd.org <dtucker@openbsd.org>
Co-authored-by: Harmen Stoppels <harmenstoppels@gmail.com>
Co-authored-by: Rochdi Nassah <rochdinassah.1998@gmail.com>
Co-authored-by: David Korczynski <david@adalogics.com>
Co-authored-by: Pierre Ossman <ossman@cendio.se>
Co-authored-by: mbuhl@openbsd.org <mbuhl@openbsd.org>
Co-authored-by: Rose <83477269+AtariDreams@users.noreply.github.com>
Co-authored-by: cheloha@openbsd.org <cheloha@openbsd.org>
Co-authored-by: deraadt@openbsd.org <deraadt@openbsd.org>
Co-authored-by: tb@openbsd.org <tb@openbsd.org>
Co-authored-by: millert@openbsd.org <millert@openbsd.org>
5692 lines
154 KiB
Plaintext
5692 lines
154 KiB
Plaintext
#
|
|
# Copyright (c) 1999-2004 Damien Miller
|
|
#
|
|
# Permission to use, copy, modify, and distribute this software for any
|
|
# purpose with or without fee is hereby granted, provided that the above
|
|
# copyright notice and this permission notice appear in all copies.
|
|
#
|
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
|
|
AC_CONFIG_MACRO_DIR([m4])
|
|
AC_CONFIG_SRCDIR([ssh.c])
|
|
|
|
# Check for stale configure as early as possible.
|
|
for i in $srcdir/configure.ac $srcdir/m4/*.m4; do
|
|
if test "$i" -nt "$srcdir/configure"; then
|
|
AC_MSG_ERROR([$i newer than configure, run autoreconf])
|
|
fi
|
|
done
|
|
|
|
AC_LANG([C])
|
|
|
|
AC_CONFIG_HEADERS([config.h])
|
|
AC_PROG_CC([cc gcc clang])
|
|
|
|
# XXX relax this after reimplementing logit() etc.
|
|
AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
int f(int a, int b, int c) { return a + b + c; }
|
|
#define F(a, ...) f(a, __VA_ARGS__)
|
|
]], [[return F(1, 2, -3);]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
|
|
)
|
|
|
|
AC_CANONICAL_HOST
|
|
AC_C_BIGENDIAN
|
|
|
|
# Checks for programs.
|
|
AC_PROG_AWK
|
|
AC_PROG_CPP
|
|
AC_PROG_RANLIB
|
|
AC_PROG_INSTALL
|
|
AC_PROG_EGREP
|
|
AC_PROG_MKDIR_P
|
|
AC_CHECK_TOOLS([AR], [ar])
|
|
AC_PATH_PROG([CAT], [cat])
|
|
AC_PATH_PROG([KILL], [kill])
|
|
AC_PATH_PROG([SED], [sed])
|
|
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
|
|
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
|
|
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
|
|
AC_PATH_PROG([SH], [bash])
|
|
AC_PATH_PROG([SH], [ksh])
|
|
AC_PATH_PROG([SH], [sh])
|
|
AC_PATH_PROG([GROFF], [groff])
|
|
AC_PATH_PROG([NROFF], [nroff awf])
|
|
AC_PATH_PROG([MANDOC], [mandoc])
|
|
AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
|
AC_SUBST([TEST_SHELL], [sh])
|
|
|
|
dnl select manpage formatter to be used to build "cat" format pages.
|
|
if test "x$MANDOC" != "x" ; then
|
|
MANFMT="$MANDOC"
|
|
elif test "x$NROFF" != "x" ; then
|
|
MANFMT="$NROFF -mandoc"
|
|
elif test "x$GROFF" != "x" ; then
|
|
MANFMT="$GROFF -mandoc -Tascii"
|
|
else
|
|
AC_MSG_WARN([no manpage formatter found])
|
|
MANFMT="false"
|
|
fi
|
|
AC_SUBST([MANFMT])
|
|
|
|
dnl for buildpkg.sh
|
|
AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
|
|
[/usr/sbin${PATH_SEPARATOR}/etc])
|
|
AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
|
|
[/usr/sbin${PATH_SEPARATOR}/etc])
|
|
AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
|
|
if test -x /sbin/sh; then
|
|
AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
|
|
else
|
|
AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
|
|
fi
|
|
|
|
# System features
|
|
AC_SYS_LARGEFILE
|
|
|
|
if test -z "$AR" ; then
|
|
AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
|
|
fi
|
|
|
|
AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
|
|
if test ! -z "$PATH_PASSWD_PROG" ; then
|
|
AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
|
|
[Full path of your "passwd" program])
|
|
fi
|
|
|
|
dnl Since autoconf doesn't support it very well, we no longer allow users to
|
|
dnl override LD, however keeping the hook here for now in case there's a use
|
|
dnl use case we overlooked and someone needs to re-enable it. Unless a good
|
|
dnl reason is found we'll be removing this in future.
|
|
LD="$CC"
|
|
AC_SUBST([LD])
|
|
|
|
AC_C_INLINE
|
|
|
|
AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
|
|
AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
|
|
AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
|
|
#include <sys/types.h>
|
|
#include <sys/param.h>
|
|
#include <dev/systrace.h>
|
|
])
|
|
AC_CHECK_DECL([RLIMIT_NPROC],
|
|
[AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
|
|
#include <sys/types.h>
|
|
#include <sys/resource.h>
|
|
])
|
|
AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
|
|
#include <sys/types.h>
|
|
#include <linux/prctl.h>
|
|
])
|
|
|
|
openssl=yes
|
|
openssl_bin=openssl
|
|
AC_ARG_WITH([openssl],
|
|
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
|
|
[ if test "x$withval" = "xno" ; then
|
|
openssl=no
|
|
openssl_bin=""
|
|
fi
|
|
]
|
|
)
|
|
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
|
|
if test "x$openssl" = "xyes" ; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
|
|
use_stack_protector=1
|
|
use_toolchain_hardening=1
|
|
AC_ARG_WITH([stackprotect],
|
|
[ --without-stackprotect Don't use compiler's stack protection], [
|
|
if test "x$withval" = "xno"; then
|
|
use_stack_protector=0
|
|
fi ])
|
|
AC_ARG_WITH([hardening],
|
|
[ --without-hardening Don't use toolchain hardening flags], [
|
|
if test "x$withval" = "xno"; then
|
|
use_toolchain_hardening=0
|
|
fi ])
|
|
|
|
# We use -Werror for the tests only so that we catch warnings like "this is
|
|
# on by default" for things like -fPIE.
|
|
AC_MSG_CHECKING([if $CC supports -Werror])
|
|
saved_CFLAGS="$CFLAGS"
|
|
CFLAGS="$CFLAGS -Werror"
|
|
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
WERROR="-Werror"],
|
|
[ AC_MSG_RESULT([no])
|
|
WERROR="" ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
|
|
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
|
|
AC_MSG_CHECKING([gcc version])
|
|
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
|
|
case "$GCC_VER" in
|
|
1.*) no_attrib_nonnull=1 ;;
|
|
2.8* | 2.9*)
|
|
no_attrib_nonnull=1
|
|
;;
|
|
2.*) no_attrib_nonnull=1 ;;
|
|
*) ;;
|
|
esac
|
|
AC_MSG_RESULT([$GCC_VER])
|
|
|
|
AC_MSG_CHECKING([clang version])
|
|
CLANG_VER=`$CC -v 2>&1 | $AWK '/clang version /{print $3}'`
|
|
AC_MSG_RESULT([$CLANG_VER])
|
|
|
|
OSSH_CHECK_CFLAG_COMPILE([-pipe])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wall])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wextra])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wmisleading-indentation])
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
|
|
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
|
|
if test "x$use_toolchain_hardening" = "x1"; then
|
|
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
|
|
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
|
|
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
|
|
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
|
|
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
|
|
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
|
|
# NB. -ftrapv expects certain support functions to be present in
|
|
# the compiler library (libgcc or similar) to detect integer operations
|
|
# that can overflow. We must check that the result of enabling it
|
|
# actually links. The test program compiled/linked includes a number
|
|
# of integer operations that should exercise this.
|
|
OSSH_CHECK_CFLAG_LINK([-ftrapv])
|
|
# clang 15 seems to have a bug in -fzero-call-used-regs=all. See
|
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3475 and
|
|
# https://github.com/llvm/llvm-project/issues/59242
|
|
case "$CLANG_VER" in
|
|
15.*) OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=used]) ;;
|
|
*) OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all]) ;;
|
|
esac
|
|
OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
|
|
fi
|
|
|
|
AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
|
|
saved_CFLAGS="$CFLAGS"
|
|
CFLAGS="$CFLAGS -fno-builtin-memset"
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
|
|
[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
CFLAGS="$saved_CFLAGS" ]
|
|
)
|
|
|
|
# -fstack-protector-all doesn't always work for some GCC versions
|
|
# and/or platforms, so we test if we can. If it's not supported
|
|
# on a given platform gcc will emit a warning so we use -Werror.
|
|
if test "x$use_stack_protector" = "x1"; then
|
|
for t in -fstack-protector-strong -fstack-protector-all \
|
|
-fstack-protector; do
|
|
AC_MSG_CHECKING([if $CC supports $t])
|
|
saved_CFLAGS="$CFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
CFLAGS="$CFLAGS $t -Werror"
|
|
LDFLAGS="$LDFLAGS $t -Werror"
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
|
|
]],
|
|
[[
|
|
char x[256];
|
|
snprintf(x, sizeof(x), "XXX%d", func(1));
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
CFLAGS="$saved_CFLAGS $t"
|
|
LDFLAGS="$saved_LDFLAGS $t"
|
|
AC_MSG_CHECKING([if $t works])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
|
|
]],
|
|
[[
|
|
char x[256];
|
|
snprintf(x, sizeof(x), "XXX%d", func(1));
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
break ],
|
|
[ AC_MSG_RESULT([no]) ],
|
|
[ AC_MSG_WARN([cross compiling: cannot test])
|
|
break ]
|
|
)
|
|
],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
done
|
|
fi
|
|
|
|
if test -z "$have_llong_max"; then
|
|
# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
|
|
unset ac_cv_have_decl_LLONG_MAX
|
|
saved_CFLAGS="$CFLAGS"
|
|
CFLAGS="$CFLAGS -std=gnu99"
|
|
AC_CHECK_DECL([LLONG_MAX],
|
|
[have_llong_max=1],
|
|
[CFLAGS="$saved_CFLAGS"],
|
|
[#include <limits.h>]
|
|
)
|
|
fi
|
|
fi
|
|
|
|
AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
__attribute__((__unused__)) static void foo(void){return;}]],
|
|
[[ exit(0); ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
|
|
[compiler does not accept __attribute__ on return types]) ]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
|
|
[[ exit(0); ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
|
|
[compiler does not accept __attribute__ on prototype args]) ]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if compiler supports variable length arrays])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[#include <stdlib.h>]],
|
|
[[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE(VARIABLE_LENGTH_ARRAYS, [1],
|
|
[compiler supports variable length arrays]) ],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if compiler accepts variable declarations after code])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[#include <stdlib.h>]],
|
|
[[ int a; a = 1; int b = 1; exit(a-b); ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE(VARIABLE_DECLARATION_AFTER_CODE, [1],
|
|
[compiler variable declarations after code]) ],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
|
|
if test "x$no_attrib_nonnull" != "x1" ; then
|
|
AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
|
|
fi
|
|
|
|
AC_ARG_WITH([rpath],
|
|
[ --without-rpath Disable auto-added -R linker paths],
|
|
[
|
|
if test "x$withval" = "xno" ; then
|
|
rpath_opt=""
|
|
elif test "x$withval" = "xyes" ; then
|
|
rpath_opt="-R"
|
|
else
|
|
rpath_opt="$withval"
|
|
fi
|
|
]
|
|
)
|
|
|
|
# Allow user to specify flags
|
|
AC_ARG_WITH([cflags],
|
|
[ --with-cflags Specify additional flags to pass to compiler],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
CFLAGS="$CFLAGS $withval"
|
|
fi
|
|
]
|
|
)
|
|
|
|
AC_ARG_WITH([cflags-after],
|
|
[ --with-cflags-after Specify additional flags to pass to compiler after configure],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
CFLAGS_AFTER="$withval"
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_WITH([cppflags],
|
|
[ --with-cppflags Specify additional flags to pass to preprocessor] ,
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
CPPFLAGS="$CPPFLAGS $withval"
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_WITH([ldflags],
|
|
[ --with-ldflags Specify additional flags to pass to linker],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
LDFLAGS="$LDFLAGS $withval"
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_WITH([ldflags-after],
|
|
[ --with-ldflags-after Specify additional flags to pass to linker after configure],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
LDFLAGS_AFTER="$withval"
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_WITH([libs],
|
|
[ --with-libs Specify additional libraries to link with],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
LIBS="$LIBS $withval"
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_WITH([Werror],
|
|
[ --with-Werror Build main code with -Werror],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno"; then
|
|
werror_flags="-Werror"
|
|
if test "x${withval}" != "xyes"; then
|
|
werror_flags="$withval"
|
|
fi
|
|
fi
|
|
]
|
|
)
|
|
|
|
dnl On some old platforms, sys/stat.h requires sys/types.h, but autoconf-2.71's
|
|
dnl AC_CHECK_INCLUDES_DEFAULT checks for them in the opposite order. If we
|
|
dnl haven't detected it, recheck.
|
|
if test "x$ac_cv_header_sys_stat_h" != "xyes"; then
|
|
unset ac_cv_header_sys_stat_h
|
|
AC_CHECK_HEADERS([sys/stat.h])
|
|
fi
|
|
|
|
AC_CHECK_HEADERS([ \
|
|
blf.h \
|
|
bstring.h \
|
|
crypt.h \
|
|
crypto/sha2.h \
|
|
dirent.h \
|
|
endian.h \
|
|
elf.h \
|
|
err.h \
|
|
features.h \
|
|
fcntl.h \
|
|
floatingpoint.h \
|
|
fnmatch.h \
|
|
getopt.h \
|
|
glob.h \
|
|
ia.h \
|
|
iaf.h \
|
|
ifaddrs.h \
|
|
inttypes.h \
|
|
langinfo.h \
|
|
limits.h \
|
|
locale.h \
|
|
login.h \
|
|
maillock.h \
|
|
ndir.h \
|
|
net/if_tun.h \
|
|
netdb.h \
|
|
netgroup.h \
|
|
pam/pam_appl.h \
|
|
paths.h \
|
|
poll.h \
|
|
pty.h \
|
|
readpassphrase.h \
|
|
rpc/types.h \
|
|
security/pam_appl.h \
|
|
sha2.h \
|
|
shadow.h \
|
|
stddef.h \
|
|
stdint.h \
|
|
string.h \
|
|
strings.h \
|
|
sys/bitypes.h \
|
|
sys/byteorder.h \
|
|
sys/bsdtty.h \
|
|
sys/cdefs.h \
|
|
sys/dir.h \
|
|
sys/file.h \
|
|
sys/mman.h \
|
|
sys/label.h \
|
|
sys/ndir.h \
|
|
sys/param.h \
|
|
sys/poll.h \
|
|
sys/prctl.h \
|
|
sys/procctl.h \
|
|
sys/pstat.h \
|
|
sys/ptrace.h \
|
|
sys/random.h \
|
|
sys/select.h \
|
|
sys/stream.h \
|
|
sys/stropts.h \
|
|
sys/strtio.h \
|
|
sys/statvfs.h \
|
|
sys/sysmacros.h \
|
|
sys/time.h \
|
|
sys/timers.h \
|
|
sys/vfs.h \
|
|
time.h \
|
|
tmpdir.h \
|
|
ttyent.h \
|
|
ucred.h \
|
|
unistd.h \
|
|
usersec.h \
|
|
util.h \
|
|
utime.h \
|
|
utmp.h \
|
|
utmpx.h \
|
|
vis.h \
|
|
wchar.h \
|
|
])
|
|
|
|
# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
|
|
# to be included first.
|
|
AC_CHECK_HEADERS([sys/audit.h], [], [], [
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_LABEL_H
|
|
# include <sys/label.h>
|
|
#endif
|
|
])
|
|
|
|
# sys/capsicum.h requires sys/types.h
|
|
AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
])
|
|
|
|
AC_MSG_CHECKING([for caph_cache_tzdata])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
|
|
[[caph_cache_tzdata();]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1],
|
|
[Define if you have caph_cache_tzdata])
|
|
],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
|
|
# net/route.h requires sys/socket.h and sys/types.h.
|
|
# sys/sysctl.h also requires sys/param.h
|
|
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
#include <sys/param.h>
|
|
#include <sys/socket.h>
|
|
])
|
|
|
|
# lastlog.h requires sys/time.h to be included first on Solaris
|
|
AC_CHECK_HEADERS([lastlog.h], [], [], [
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
])
|
|
|
|
# sys/ptms.h requires sys/stream.h to be included first on Solaris
|
|
AC_CHECK_HEADERS([sys/ptms.h], [], [], [
|
|
#ifdef HAVE_SYS_STREAM_H
|
|
# include <sys/stream.h>
|
|
#endif
|
|
])
|
|
|
|
# login_cap.h requires sys/types.h on NetBSD
|
|
AC_CHECK_HEADERS([login_cap.h], [], [], [
|
|
#include <sys/types.h>
|
|
])
|
|
|
|
# older BSDs need sys/param.h before sys/mount.h
|
|
AC_CHECK_HEADERS([sys/mount.h], [], [], [
|
|
#include <sys/param.h>
|
|
])
|
|
|
|
# Android requires sys/socket.h to be included before sys/un.h
|
|
AC_CHECK_HEADERS([sys/un.h], [], [], [
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
])
|
|
|
|
# Messages for features tested for in target-specific section
|
|
SIA_MSG="no"
|
|
SPC_MSG="no"
|
|
SP_MSG="no"
|
|
SPP_MSG="no"
|
|
|
|
# Support for Solaris/Illumos privileges (this test is used by both
|
|
# the --with-solaris-privs option and --with-sandbox=solaris).
|
|
SOLARIS_PRIVS="no"
|
|
|
|
# Check for some target-specific stuff
|
|
case "$host" in
|
|
*-*-aix*)
|
|
# Some versions of VAC won't allow macro redefinitions at
|
|
# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
|
|
# particularly with older versions of vac or xlc.
|
|
# It also throws errors about null macro arguments, but these are
|
|
# not fatal.
|
|
AC_MSG_CHECKING([if compiler allows macro redefinitions])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#define testmacro foo
|
|
#define testmacro bar]],
|
|
[[ exit(0); ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
|
|
CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
|
|
CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
|
|
]
|
|
)
|
|
|
|
AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
|
|
if (test -z "$blibpath"); then
|
|
blibpath="/usr/lib:/lib"
|
|
fi
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
if test "$GCC" = "yes"; then
|
|
flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
|
|
else
|
|
flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
|
|
fi
|
|
for tryflags in $flags ;do
|
|
if (test -z "$blibflags"); then
|
|
LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
|
|
[blibflags=$tryflags], [])
|
|
fi
|
|
done
|
|
if (test -z "$blibflags"); then
|
|
AC_MSG_RESULT([not found])
|
|
AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
|
|
else
|
|
AC_MSG_RESULT([$blibflags])
|
|
fi
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
dnl Check for authenticate. Might be in libs.a on older AIXes
|
|
AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
|
|
[Define if you want to enable AIX4's authenticate function])],
|
|
[AC_CHECK_LIB([s], [authenticate],
|
|
[ AC_DEFINE([WITH_AIXAUTHENTICATE])
|
|
LIBS="$LIBS -ls"
|
|
])
|
|
])
|
|
dnl Check for various auth function declarations in headers.
|
|
AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
|
|
passwdexpired, setauthdb], , , [#include <usersec.h>])
|
|
dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
|
|
AC_CHECK_DECLS([loginfailed],
|
|
[AC_MSG_CHECKING([if loginfailed takes 4 arguments])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
|
|
[[ (void)loginfailed("user","host","tty",0); ]])],
|
|
[AC_MSG_RESULT([yes])
|
|
AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
|
|
[Define if your AIX loginfailed() function
|
|
takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
|
|
])],
|
|
[],
|
|
[#include <usersec.h>]
|
|
)
|
|
AC_CHECK_FUNCS([getgrset setauthdb])
|
|
AC_CHECK_DECL([F_CLOSEM],
|
|
AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
|
|
[],
|
|
[ #include <limits.h>
|
|
#include <fcntl.h> ]
|
|
)
|
|
check_for_aix_broken_getaddrinfo=1
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
|
|
[Define if your platform breaks doing a seteuid before a setuid])
|
|
AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
|
|
AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
|
|
dnl AIX handles lastlog as part of its login message
|
|
AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
|
|
AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
|
|
[Some systems need a utmpx entry for /bin/login to work])
|
|
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
|
|
[Define to a Set Process Title type if your system is
|
|
supported by bsd-setproctitle.c])
|
|
AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
|
|
[AIX 5.2 and 5.3 (and presumably newer) require this])
|
|
AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
|
|
AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
|
|
AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
|
|
AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
|
|
;;
|
|
*-*-android*)
|
|
AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
|
|
AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
|
|
;;
|
|
*-*-cygwin*)
|
|
LIBS="$LIBS /usr/lib/textreadmode.o"
|
|
AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
|
|
AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
|
|
AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
|
|
[Define to disable UID restoration test])
|
|
AC_DEFINE([DISABLE_SHADOW], [1],
|
|
[Define if you want to disable shadow passwords])
|
|
AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
|
|
[Define if X11 doesn't support AF_UNIX sockets on that system])
|
|
AC_DEFINE([DISABLE_FD_PASSING], [1],
|
|
[Define if your platform needs to skip post auth
|
|
file descriptor passing])
|
|
AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
|
|
AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
|
|
# Cygwin defines optargs, optargs as declspec(dllimport) for historical
|
|
# reasons which cause compile warnings, so we disable those warnings.
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
|
|
;;
|
|
*-*-dgux*)
|
|
AC_DEFINE([IP_TOS_IS_BROKEN], [1],
|
|
[Define if your system choked on IP TOS setting])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
;;
|
|
*-*-darwin*)
|
|
use_pie=auto
|
|
AC_MSG_CHECKING([if we have working getaddrinfo])
|
|
AC_RUN_IFELSE([AC_LANG_SOURCE([[
|
|
#include <mach-o/dyld.h>
|
|
#include <stdlib.h>
|
|
int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
|
exit(0);
|
|
else
|
|
exit(1);
|
|
}
|
|
]])],
|
|
[AC_MSG_RESULT([working])],
|
|
[AC_MSG_RESULT([buggy])
|
|
AC_DEFINE([BROKEN_GETADDRINFO], [1],
|
|
[getaddrinfo is broken (if present)])
|
|
],
|
|
[AC_MSG_RESULT([assume it is working])])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
|
|
AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
|
|
[Define if your resolver libs need this for getrrsetbyname])
|
|
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
|
|
AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
|
|
[Use tunnel device compatibility to OpenBSD])
|
|
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
|
[Prepend the address family to IP tunnel traffic])
|
|
m4_pattern_allow([AU_IPv])
|
|
AC_CHECK_DECL([AU_IPv4], [],
|
|
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
|
[#include <bsm/audit.h>]
|
|
AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
|
|
[Define if pututxline updates lastlog too])
|
|
)
|
|
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
|
|
[Define to a Set Process Title type if your system is
|
|
supported by bsd-setproctitle.c])
|
|
AC_CHECK_FUNCS([sandbox_init])
|
|
AC_CHECK_HEADERS([sandbox.h])
|
|
AC_CHECK_LIB([sandbox], [sandbox_apply], [
|
|
SSHDLIBS="$SSHDLIBS -lsandbox"
|
|
])
|
|
# proc_pidinfo()-based closefrom() replacement.
|
|
AC_CHECK_HEADERS([libproc.h])
|
|
AC_CHECK_FUNCS([proc_pidinfo])
|
|
# poll(2) is broken for character-special devices (at least).
|
|
# cf. Apple bug 3710161 (not public, but searchable)
|
|
AC_DEFINE([BROKEN_POLL], [1],
|
|
[System poll(2) implementation is broken])
|
|
;;
|
|
*-*-dragonfly*)
|
|
SSHDLIBS="$SSHDLIBS"
|
|
TEST_MALLOC_OPTIONS="AFGJPRX"
|
|
;;
|
|
*-*-haiku*)
|
|
LIBS="$LIBS -lbsd "
|
|
CFLAGS="$CFLAGS -D_BSD_SOURCE"
|
|
AC_CHECK_LIB([network], [socket])
|
|
AC_DEFINE([HAVE_U_INT64_T])
|
|
AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
|
|
MANTYPE=man
|
|
;;
|
|
*-*-hpux*)
|
|
# first we define all of the options common to all HP-UX releases
|
|
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
|
|
IPADDR_IN_DISPLAY=yes
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([LOGIN_NEEDS_UTMPX])
|
|
AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
|
|
[String used in /etc/passwd to denote locked account])
|
|
AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
|
|
AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
|
|
maildir="/var/mail"
|
|
LIBS="$LIBS -lsec"
|
|
AC_CHECK_LIB([xnet], [t_error], ,
|
|
[AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
|
|
|
|
# next, we define all of the options specific to major releases
|
|
case "$host" in
|
|
*-*-hpux10*)
|
|
if test -z "$GCC"; then
|
|
CFLAGS="$CFLAGS -Ae"
|
|
fi
|
|
AC_DEFINE([BROKEN_GETLINE], [1], [getline is not what we expect])
|
|
;;
|
|
*-*-hpux11*)
|
|
AC_DEFINE([PAM_SUN_CODEBASE], [1],
|
|
[Define if you are using Solaris-derived PAM which
|
|
passes pam_messages to the conversation function
|
|
with an extra level of indirection])
|
|
AC_DEFINE([DISABLE_UTMP], [1],
|
|
[Define if you don't want to use utmp])
|
|
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
|
|
check_for_hpux_broken_getaddrinfo=1
|
|
check_for_conflicting_getspnam=1
|
|
;;
|
|
esac
|
|
|
|
# lastly, we define options specific to minor releases
|
|
case "$host" in
|
|
*-*-hpux10.26)
|
|
AC_DEFINE([HAVE_SECUREWARE], [1],
|
|
[Define if you have SecureWare-based
|
|
protected password database])
|
|
disable_ptmx_check=yes
|
|
LIBS="$LIBS -lsecpw"
|
|
;;
|
|
esac
|
|
;;
|
|
*-*-irix5*)
|
|
PATH="$PATH:/usr/etc"
|
|
AC_DEFINE([BROKEN_INET_NTOA], [1],
|
|
[Define if you system's inet_ntoa is busted
|
|
(e.g. Irix gcc issue)])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
|
|
[Define if you shouldn't strip 'tty' from your
|
|
ttyname in [uw]tmp])
|
|
AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
|
|
;;
|
|
*-*-irix6*)
|
|
PATH="$PATH:/usr/etc"
|
|
AC_DEFINE([WITH_IRIX_ARRAY], [1],
|
|
[Define if you have/want arrays
|
|
(cluster-wide session management, not C arrays)])
|
|
AC_DEFINE([WITH_IRIX_PROJECT], [1],
|
|
[Define if you want IRIX project management])
|
|
AC_DEFINE([WITH_IRIX_AUDIT], [1],
|
|
[Define if you want IRIX audit trails])
|
|
AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
|
|
[Define if you want IRIX kernel jobs])])
|
|
AC_DEFINE([BROKEN_INET_NTOA])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
|
|
AC_DEFINE([WITH_ABBREV_NO_TTY])
|
|
AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
|
|
;;
|
|
*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
|
|
AC_DEFINE([PAM_TTY_KLUDGE])
|
|
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
|
|
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
|
|
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
|
|
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
|
|
;;
|
|
*-*-linux*)
|
|
no_dev_ptmx=1
|
|
use_pie=auto
|
|
check_for_openpty_ctty_bug=1
|
|
dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
|
|
dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
|
|
dnl _GNU_SOURCE is needed for setres*id prototypes.
|
|
CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
|
|
AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
|
|
AC_DEFINE([PAM_TTY_KLUDGE], [1],
|
|
[Work around problematic Linux PAM modules handling of PAM_TTY])
|
|
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
|
|
[String used in /etc/passwd to denote locked account])
|
|
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
|
|
AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
|
|
[Define to whatever link() returns for "not supported"
|
|
if it doesn't return EOPNOTSUPP.])
|
|
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
|
|
AC_DEFINE([USE_BTMP])
|
|
AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
|
|
inet6_default_4in6=yes
|
|
case `uname -r` in
|
|
1.*|2.0.*)
|
|
AC_DEFINE([BROKEN_CMSG_TYPE], [1],
|
|
[Define if cmsg_type is not passed correctly])
|
|
;;
|
|
esac
|
|
# tun(4) forwarding compat code
|
|
AC_CHECK_HEADERS([linux/if_tun.h])
|
|
if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
|
|
AC_DEFINE([SSH_TUN_LINUX], [1],
|
|
[Open tunnel devices the Linux tun/tap way])
|
|
AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
|
|
[Use tunnel device compatibility to OpenBSD])
|
|
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
|
[Prepend the address family to IP tunnel traffic])
|
|
fi
|
|
AC_CHECK_HEADER([linux/if.h],
|
|
AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
|
|
[Support routing domains using Linux VRF]), [], [
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
])
|
|
AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
|
|
[], [#include <linux/types.h>])
|
|
# Obtain MIPS ABI
|
|
case "$host" in
|
|
mips*)
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#if _MIPS_SIM != _ABIO32
|
|
#error
|
|
#endif
|
|
]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#if _MIPS_SIM != _ABIN32
|
|
#error
|
|
#endif
|
|
]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#if _MIPS_SIM != _ABI64
|
|
#error
|
|
#endif
|
|
]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
|
|
])
|
|
])
|
|
])
|
|
;;
|
|
esac
|
|
AC_MSG_CHECKING([for seccomp architecture])
|
|
seccomp_audit_arch=
|
|
case "$host" in
|
|
x86_64-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_X86_64
|
|
;;
|
|
i*86-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_I386
|
|
;;
|
|
arm*-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_ARM
|
|
;;
|
|
aarch64*-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
|
;;
|
|
s390x-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_S390X
|
|
;;
|
|
s390-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_S390
|
|
;;
|
|
powerpc-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_PPC
|
|
;;
|
|
powerpc64-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_PPC64
|
|
;;
|
|
powerpc64le-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_PPC64LE
|
|
;;
|
|
mips-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_MIPS
|
|
;;
|
|
mipsel-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
|
|
;;
|
|
mips64-*)
|
|
case "$mips_abi" in
|
|
"n32")
|
|
seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
|
|
;;
|
|
"n64")
|
|
seccomp_audit_arch=AUDIT_ARCH_MIPS64
|
|
;;
|
|
esac
|
|
;;
|
|
mips64el-*)
|
|
case "$mips_abi" in
|
|
"n32")
|
|
seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
|
|
;;
|
|
"n64")
|
|
seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
|
|
;;
|
|
esac
|
|
;;
|
|
riscv64-*)
|
|
seccomp_audit_arch=AUDIT_ARCH_RISCV64
|
|
;;
|
|
esac
|
|
if test "x$seccomp_audit_arch" != "x" ; then
|
|
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
|
AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
|
|
[Specify the system call convention in use])
|
|
else
|
|
AC_MSG_RESULT([architecture not supported])
|
|
fi
|
|
;;
|
|
*-*-minix)
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
# poll(2) seems to choke on /dev/null; "Bad file descriptor"
|
|
AC_DEFINE([BROKEN_POLL], [1],
|
|
[System poll(2) implementation is broken])
|
|
;;
|
|
mips-sony-bsd|mips-sony-newsos4)
|
|
AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
|
|
SONY=1
|
|
;;
|
|
*-*-netbsd*)
|
|
if test "x$withval" != "xno" ; then
|
|
rpath_opt="-R"
|
|
fi
|
|
CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
|
|
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
|
|
AC_CHECK_HEADER([net/if_tap.h], ,
|
|
AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
|
|
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
|
[Prepend the address family to IP tunnel traffic])
|
|
TEST_MALLOC_OPTIONS="AJRX"
|
|
AC_DEFINE([BROKEN_READ_COMPARISON], [1],
|
|
[NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
|
|
;;
|
|
*-*-freebsd*)
|
|
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
|
|
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
|
|
AC_CHECK_HEADER([net/if_tap.h], ,
|
|
AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
|
|
AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
|
|
TEST_MALLOC_OPTIONS="AJRX"
|
|
# Preauth crypto occasionally uses file descriptors for crypto offload
|
|
# and will crash if they cannot be opened.
|
|
AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
|
|
[define if setrlimit RLIMIT_NOFILE breaks things])
|
|
case "$host" in
|
|
*-*-freebsd9.*|*-*-freebsd10.*)
|
|
# Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
|
|
disable_capsicum=yes
|
|
esac
|
|
;;
|
|
*-*-bsdi*)
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
;;
|
|
*-next-*)
|
|
conf_lastlog_location="/usr/adm/lastlog"
|
|
conf_utmp_location=/etc/utmp
|
|
conf_wtmp_location=/usr/adm/wtmp
|
|
maildir=/usr/spool/mail
|
|
AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
|
|
;;
|
|
*-*-openbsd*)
|
|
use_pie=auto
|
|
AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
|
|
AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
|
|
AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
|
|
AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
|
|
[syslog_r function is safe to use in in a signal handler])
|
|
TEST_MALLOC_OPTIONS="AFGJPRX"
|
|
;;
|
|
*-*-solaris*)
|
|
if test "x$withval" != "xno" ; then
|
|
rpath_opt="-R"
|
|
fi
|
|
AC_DEFINE([PAM_SUN_CODEBASE])
|
|
AC_DEFINE([LOGIN_NEEDS_UTMPX])
|
|
AC_DEFINE([PAM_TTY_KLUDGE])
|
|
AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
|
|
[Define if pam_chauthtok wants real uid set
|
|
to the unpriv'ed user])
|
|
AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
|
|
# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
|
|
AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
|
|
[Define if sshd somehow reacquires a controlling TTY
|
|
after setsid()])
|
|
AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
|
|
in case the name is longer than 8 chars])
|
|
AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
|
|
external_path_file=/etc/default/login
|
|
# hardwire lastlog location (can't detect it on some versions)
|
|
conf_lastlog_location="/var/adm/lastlog"
|
|
AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
|
|
sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
|
|
if test "$sol2ver" -ge 8; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([DISABLE_UTMP])
|
|
AC_DEFINE([DISABLE_WTMP], [1],
|
|
[Define if you don't want to use wtmp])
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
AC_CHECK_FUNCS([setpflags])
|
|
AC_CHECK_FUNCS([setppriv])
|
|
AC_CHECK_FUNCS([priv_basicset])
|
|
AC_CHECK_HEADERS([priv.h])
|
|
AC_ARG_WITH([solaris-contracts],
|
|
[ --with-solaris-contracts Enable Solaris process contracts (experimental)],
|
|
[
|
|
AC_CHECK_LIB([contract], [ct_tmpl_activate],
|
|
[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
|
|
[Define if you have Solaris process contracts])
|
|
LIBS="$LIBS -lcontract"
|
|
SPC_MSG="yes" ], )
|
|
],
|
|
)
|
|
AC_ARG_WITH([solaris-projects],
|
|
[ --with-solaris-projects Enable Solaris projects (experimental)],
|
|
[
|
|
AC_CHECK_LIB([project], [setproject],
|
|
[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
|
|
[Define if you have Solaris projects])
|
|
LIBS="$LIBS -lproject"
|
|
SP_MSG="yes" ], )
|
|
],
|
|
)
|
|
AC_ARG_WITH([solaris-privs],
|
|
[ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
|
|
[
|
|
AC_MSG_CHECKING([for Solaris/Illumos privilege support])
|
|
if test "x$ac_cv_func_setppriv" = "xyes" -a \
|
|
"x$ac_cv_header_priv_h" = "xyes" ; then
|
|
SOLARIS_PRIVS=yes
|
|
AC_MSG_RESULT([found])
|
|
AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
|
|
[Define to disable UID restoration test])
|
|
AC_DEFINE([USE_SOLARIS_PRIVS], [1],
|
|
[Define if you have Solaris privileges])
|
|
SPP_MSG="yes"
|
|
else
|
|
AC_MSG_RESULT([not found])
|
|
AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
|
|
fi
|
|
],
|
|
)
|
|
TEST_SHELL=$SHELL # let configure find us a capable shell
|
|
;;
|
|
*-*-sunos4*)
|
|
CPPFLAGS="$CPPFLAGS -DSUNOS4"
|
|
AC_CHECK_FUNCS([getpwanam])
|
|
AC_DEFINE([PAM_SUN_CODEBASE])
|
|
conf_utmp_location=/etc/utmp
|
|
conf_wtmp_location=/var/adm/wtmp
|
|
conf_lastlog_location=/var/adm/lastlog
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
|
|
;;
|
|
*-ncr-sysv*)
|
|
LIBS="$LIBS -lc89"
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([SSHD_ACQUIRES_CTTY])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
;;
|
|
*-sni-sysv*)
|
|
# /usr/ucblib MUST NOT be searched on ReliantUNIX
|
|
AC_CHECK_LIB([dl], [dlsym], ,)
|
|
# -lresolv needs to be at the end of LIBS or DNS lookups break
|
|
AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
|
|
IPADDR_IN_DISPLAY=yes
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([IP_TOS_IS_BROKEN])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([SSHD_ACQUIRES_CTTY])
|
|
external_path_file=/etc/default/login
|
|
# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
|
|
# Attention: always take care to bind libsocket and libnsl before libc,
|
|
# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
|
|
;;
|
|
# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
|
|
*-*-sysv4.2*)
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
|
|
AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
|
|
TEST_SHELL=$SHELL # let configure find us a capable shell
|
|
;;
|
|
# UnixWare 7.x, OpenUNIX 8
|
|
*-*-sysv5*)
|
|
CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
|
|
AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_GETADDRINFO])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([PASSWD_NEEDS_USERNAME])
|
|
AC_DEFINE([BROKEN_TCGETATTR_ICANON])
|
|
TEST_SHELL=$SHELL # let configure find us a capable shell
|
|
case "$host" in
|
|
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
|
|
maildir=/var/spool/mail
|
|
AC_DEFINE([BROKEN_UPDWTMPX])
|
|
AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
|
|
AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
|
|
], , )
|
|
;;
|
|
*) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
|
|
;;
|
|
esac
|
|
;;
|
|
*-*-sysv*)
|
|
;;
|
|
# SCO UNIX and OEM versions of SCO UNIX
|
|
*-*-sco3.2v4*)
|
|
AC_MSG_ERROR("This Platform is no longer supported.")
|
|
;;
|
|
# SCO OpenServer 5.x
|
|
*-*-sco3.2v5*)
|
|
if test -z "$GCC"; then
|
|
CFLAGS="$CFLAGS -belf"
|
|
fi
|
|
LIBS="$LIBS -lprot -lx -ltinfo -lm"
|
|
no_dev_ptmx=1
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([HAVE_SECUREWARE])
|
|
AC_DEFINE([DISABLE_SHADOW])
|
|
AC_DEFINE([DISABLE_FD_PASSING])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_GETADDRINFO])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([WITH_ABBREV_NO_TTY])
|
|
AC_DEFINE([BROKEN_UPDWTMPX])
|
|
AC_DEFINE([PASSWD_NEEDS_USERNAME])
|
|
AC_CHECK_FUNCS([getluid setluid])
|
|
MANTYPE=man
|
|
TEST_SHELL=$SHELL # let configure find us a capable shell
|
|
SKIP_DISABLE_LASTLOG_DEFINE=yes
|
|
;;
|
|
*-dec-osf*)
|
|
AC_MSG_CHECKING([for Digital Unix SIA])
|
|
no_osfsia=""
|
|
AC_ARG_WITH([osfsia],
|
|
[ --with-osfsia Enable Digital Unix SIA],
|
|
[
|
|
if test "x$withval" = "xno" ; then
|
|
AC_MSG_RESULT([disabled])
|
|
no_osfsia=1
|
|
fi
|
|
],
|
|
)
|
|
if test -z "$no_osfsia" ; then
|
|
if test -f /etc/sia/matrix.conf; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HAVE_OSF_SIA], [1],
|
|
[Define if you have Digital Unix Security
|
|
Integration Architecture])
|
|
AC_DEFINE([DISABLE_LOGIN], [1],
|
|
[Define if you don't want to use your
|
|
system's login() call])
|
|
AC_DEFINE([DISABLE_FD_PASSING])
|
|
LIBS="$LIBS -lsecurity -ldb -lm -laud"
|
|
SIA_MSG="yes"
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
|
|
[String used in /etc/passwd to denote locked account])
|
|
fi
|
|
fi
|
|
AC_DEFINE([BROKEN_GETADDRINFO])
|
|
AC_DEFINE([SETEUID_BREAKS_SETUID])
|
|
AC_DEFINE([BROKEN_SETREUID])
|
|
AC_DEFINE([BROKEN_SETREGID])
|
|
AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
|
|
;;
|
|
|
|
*-*-nto-qnx*)
|
|
AC_DEFINE([USE_PIPES])
|
|
AC_DEFINE([NO_X11_UNIX_SOCKETS])
|
|
AC_DEFINE([DISABLE_LASTLOG])
|
|
AC_DEFINE([SSHD_ACQUIRES_CTTY])
|
|
AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
|
|
enable_etc_default_login=no # has incompatible /etc/default/login
|
|
case "$host" in
|
|
*-*-nto-qnx6*)
|
|
AC_DEFINE([DISABLE_FD_PASSING])
|
|
;;
|
|
esac
|
|
;;
|
|
|
|
*-*-ultrix*)
|
|
AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
|
|
AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
|
|
AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
|
|
AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
|
|
# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
|
|
# don't get a controlling tty.
|
|
AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
|
|
# On Ultrix some headers are not protected against multiple includes,
|
|
# so we create wrappers and put it where the compiler will find it.
|
|
AC_MSG_WARN([creating compat wrappers for headers])
|
|
mkdir -p netinet
|
|
for header in netinet/ip.h netdb.h resolv.h; do
|
|
name=`echo $header | tr 'a-z/.' 'A-Z__'`
|
|
cat >$header <<EOD
|
|
#ifndef _SSH_COMPAT_${name}
|
|
#define _SSH_COMPAT_${name}
|
|
#include "/usr/include/${header}"
|
|
#endif
|
|
EOD
|
|
done
|
|
;;
|
|
|
|
*-*-lynxos)
|
|
CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
|
|
AC_DEFINE([BROKEN_SETVBUF], [1],
|
|
[LynxOS has broken setvbuf() implementation])
|
|
;;
|
|
esac
|
|
|
|
AC_MSG_CHECKING([compiler and flags for sanity])
|
|
AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
|
|
],
|
|
[ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
|
|
)
|
|
|
|
dnl Checks for header files.
|
|
# Checks for libraries.
|
|
AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
|
|
|
|
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
|
|
AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
|
|
AC_CHECK_LIB([gen], [dirname], [
|
|
AC_CACHE_CHECK([for broken dirname],
|
|
ac_cv_have_broken_dirname, [
|
|
save_LIBS="$LIBS"
|
|
LIBS="$LIBS -lgen"
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([[
|
|
#include <libgen.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
int main(int argc, char **argv) {
|
|
char *s, buf[32];
|
|
|
|
strncpy(buf,"/etc", 32);
|
|
s = dirname(buf);
|
|
if (!s || strncmp(s, "/", 32) != 0) {
|
|
exit(1);
|
|
} else {
|
|
exit(0);
|
|
}
|
|
}
|
|
]])],
|
|
[ ac_cv_have_broken_dirname="no" ],
|
|
[ ac_cv_have_broken_dirname="yes" ],
|
|
[ ac_cv_have_broken_dirname="no" ],
|
|
)
|
|
LIBS="$save_LIBS"
|
|
])
|
|
if test "x$ac_cv_have_broken_dirname" = "xno" ; then
|
|
LIBS="$LIBS -lgen"
|
|
AC_DEFINE([HAVE_DIRNAME])
|
|
AC_CHECK_HEADERS([libgen.h])
|
|
fi
|
|
])
|
|
])
|
|
|
|
AC_CHECK_FUNC([getspnam], ,
|
|
[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
|
|
AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
|
|
[Define if you have the basename function.])])
|
|
|
|
dnl zlib defaults to enabled
|
|
zlib=yes
|
|
AC_ARG_WITH([zlib],
|
|
[ --with-zlib=PATH Use zlib in PATH],
|
|
[ if test "x$withval" = "xno" ; then
|
|
zlib=no
|
|
elif test "x$withval" != "xyes"; then
|
|
if test -d "$withval/lib"; then
|
|
if test -n "${rpath_opt}"; then
|
|
LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
|
else
|
|
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
|
fi
|
|
else
|
|
if test -n "${rpath_opt}"; then
|
|
LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
|
|
else
|
|
LDFLAGS="-L${withval} ${LDFLAGS}"
|
|
fi
|
|
fi
|
|
if test -d "$withval/include"; then
|
|
CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
|
else
|
|
CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
|
fi
|
|
fi ]
|
|
)
|
|
|
|
# These libraries are needed for anything that links in the channel code.
|
|
CHANNELLIBS=""
|
|
AC_MSG_CHECKING([for zlib])
|
|
if test "x${zlib}" = "xno"; then
|
|
AC_MSG_RESULT([no])
|
|
else
|
|
saved_LIBS="$LIBS"
|
|
CHANNELLIBS="$CHANNELLIBS -lz"
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
|
|
AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
|
|
AC_CHECK_LIB([z], [deflate], [],
|
|
[
|
|
saved_CPPFLAGS="$CPPFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
dnl Check default zlib install dir
|
|
if test -n "${rpath_opt}"; then
|
|
LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
|
|
else
|
|
LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
|
|
fi
|
|
CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
|
|
AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
|
|
[
|
|
AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
|
|
]
|
|
)
|
|
]
|
|
)
|
|
|
|
AC_ARG_WITH([zlib-version-check],
|
|
[ --without-zlib-version-check Disable zlib version check],
|
|
[ if test "x$withval" = "xno" ; then
|
|
zlib_check_nonfatal=1
|
|
fi
|
|
]
|
|
)
|
|
|
|
AC_MSG_CHECKING([for possibly buggy zlib])
|
|
AC_RUN_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <zlib.h>
|
|
]],
|
|
[[
|
|
int a=0, b=0, c=0, d=0, n, v;
|
|
n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
|
|
if (n != 3 && n != 4)
|
|
exit(1);
|
|
v = a*1000000 + b*10000 + c*100 + d;
|
|
fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
|
|
|
|
/* 1.1.4 is OK */
|
|
if (a == 1 && b == 1 && c >= 4)
|
|
exit(0);
|
|
|
|
/* 1.2.3 and up are OK */
|
|
if (v >= 1020300)
|
|
exit(0);
|
|
|
|
exit(2);
|
|
]])],
|
|
AC_MSG_RESULT([no]),
|
|
[ AC_MSG_RESULT([yes])
|
|
if test -z "$zlib_check_nonfatal" ; then
|
|
AC_MSG_ERROR([*** zlib too old - check config.log ***
|
|
Your reported zlib version has known security problems. It's possible your
|
|
vendor has fixed these problems without changing the version number. If you
|
|
are sure this is the case, you can disable the check by running
|
|
"./configure --without-zlib-version-check".
|
|
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
|
|
See http://www.gzip.org/zlib/ for details.])
|
|
else
|
|
AC_MSG_WARN([zlib version may have security problems])
|
|
fi
|
|
],
|
|
[ AC_MSG_WARN([cross compiling: not checking zlib version]) ]
|
|
)
|
|
LIBS="$saved_LIBS"
|
|
fi
|
|
|
|
dnl UnixWare 2.x
|
|
AC_CHECK_FUNC([strcasecmp],
|
|
[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
|
|
)
|
|
AC_CHECK_FUNCS([utimes],
|
|
[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
|
|
LIBS="$LIBS -lc89"]) ]
|
|
)
|
|
|
|
dnl Checks for libutil functions
|
|
AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
|
|
AC_SEARCH_LIBS([fmt_scaled], [util bsd])
|
|
AC_SEARCH_LIBS([scan_scaled], [util bsd])
|
|
AC_SEARCH_LIBS([login], [util bsd])
|
|
AC_SEARCH_LIBS([logout], [util bsd])
|
|
AC_SEARCH_LIBS([logwtmp], [util bsd])
|
|
AC_SEARCH_LIBS([openpty], [util bsd])
|
|
AC_SEARCH_LIBS([updwtmp], [util bsd])
|
|
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
|
|
|
|
# On some platforms, inet_ntop and gethostbyname may be found in libresolv
|
|
# or libnsl.
|
|
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
|
|
AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
|
|
|
|
# Some Linux distribtions ship the BSD libc hashing functions in
|
|
# separate libraries.
|
|
AC_SEARCH_LIBS([SHA256Update], [md bsd])
|
|
|
|
# "Particular Function Checks"
|
|
# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
|
|
AC_FUNC_STRFTIME
|
|
AC_FUNC_MALLOC
|
|
AC_FUNC_REALLOC
|
|
# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
|
|
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM(
|
|
[[ #include <stdlib.h> ]],
|
|
[[ void *p = calloc(0, 1); exit(p == NULL); ]]
|
|
)],
|
|
[ func_calloc_0_nonnull=yes ],
|
|
[ func_calloc_0_nonnull=no ],
|
|
[ AC_MSG_WARN([cross compiling: assuming same as malloc])
|
|
func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
|
|
)
|
|
AC_MSG_RESULT([$func_calloc_0_nonnull])
|
|
|
|
if test "x$func_calloc_0_nonnull" = "xyes"; then
|
|
AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
|
|
else
|
|
AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
|
|
AC_DEFINE(calloc, rpl_calloc,
|
|
[Define to rpl_calloc if the replacement function should be used.])
|
|
fi
|
|
|
|
# Check for ALTDIRFUNC glob() extension
|
|
AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
|
|
AC_EGREP_CPP([FOUNDIT],
|
|
[
|
|
#include <glob.h>
|
|
#ifdef GLOB_ALTDIRFUNC
|
|
FOUNDIT
|
|
#endif
|
|
],
|
|
[
|
|
AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
|
|
[Define if your system glob() function has
|
|
the GLOB_ALTDIRFUNC extension])
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
]
|
|
)
|
|
|
|
# Check for g.gl_matchc glob() extension
|
|
AC_MSG_CHECKING([for gl_matchc field in glob_t])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
|
|
[[ glob_t g; g.gl_matchc = 1; ]])],
|
|
[
|
|
AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
|
|
[Define if your system glob() function has
|
|
gl_matchc options in glob_t])
|
|
AC_MSG_RESULT([yes])
|
|
], [
|
|
AC_MSG_RESULT([no])
|
|
])
|
|
|
|
# Check for g.gl_statv glob() extension
|
|
AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
|
|
#ifndef GLOB_KEEPSTAT
|
|
#error "glob does not support GLOB_KEEPSTAT extension"
|
|
#endif
|
|
glob_t g;
|
|
g.gl_statv = NULL;
|
|
]])],
|
|
[
|
|
AC_DEFINE([GLOB_HAS_GL_STATV], [1],
|
|
[Define if your system glob() function has
|
|
gl_statv options in glob_t])
|
|
AC_MSG_RESULT([yes])
|
|
], [
|
|
AC_MSG_RESULT([no])
|
|
|
|
])
|
|
|
|
AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
|
|
|
|
AC_CHECK_DECL([VIS_ALL], ,
|
|
AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
|
|
|
|
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <dirent.h>
|
|
#include <stdlib.h>
|
|
]],
|
|
[[
|
|
struct dirent d;
|
|
exit(sizeof(d.d_name)<=sizeof(char));
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
|
|
[Define if your struct dirent expects you to
|
|
allocate extra space for d_name])
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
|
|
AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
|
|
]
|
|
)
|
|
|
|
AC_MSG_CHECKING([for /proc/pid/fd directory])
|
|
if test -d "/proc/$$/fd" ; then
|
|
AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
|
|
AC_MSG_RESULT([yes])
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
|
|
# Check whether user wants to use ldns
|
|
LDNS_MSG="no"
|
|
AC_ARG_WITH(ldns,
|
|
[ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)],
|
|
[
|
|
ldns=""
|
|
if test "x$withval" = "xyes" ; then
|
|
AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
|
|
if test "x$LDNSCONFIG" = "xno"; then
|
|
LIBS="-lldns $LIBS"
|
|
ldns=yes
|
|
else
|
|
LIBS="$LIBS `$LDNSCONFIG --libs`"
|
|
CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
|
|
ldns=yes
|
|
fi
|
|
elif test "x$withval" != "xno" ; then
|
|
CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
|
LDFLAGS="$LDFLAGS -L${withval}/lib"
|
|
LIBS="-lldns $LIBS"
|
|
ldns=yes
|
|
fi
|
|
|
|
# Verify that it works.
|
|
if test "x$ldns" = "xyes" ; then
|
|
AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
|
|
LDNS_MSG="yes"
|
|
AC_MSG_CHECKING([for ldns support])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_SOURCE([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#ifdef HAVE_STDINT_H
|
|
# include <stdint.h>
|
|
#endif
|
|
#include <ldns/ldns.h>
|
|
int main(void) { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
|
|
]])
|
|
],
|
|
[AC_MSG_RESULT(yes)],
|
|
[
|
|
AC_MSG_RESULT(no)
|
|
AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
|
|
])
|
|
fi
|
|
])
|
|
|
|
# Check whether user wants libedit support
|
|
LIBEDIT_MSG="no"
|
|
AC_ARG_WITH([libedit],
|
|
[ --with-libedit[[=PATH]] Enable libedit support for sftp],
|
|
[ if test "x$withval" != "xno" ; then
|
|
if test "x$withval" = "xyes" ; then
|
|
if test "x$PKGCONFIG" != "xno"; then
|
|
AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
|
|
if "$PKGCONFIG" libedit; then
|
|
AC_MSG_RESULT([yes])
|
|
use_pkgconfig_for_libedit=yes
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
fi
|
|
else
|
|
CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
|
if test -n "${rpath_opt}"; then
|
|
LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
|
|
else
|
|
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
|
fi
|
|
fi
|
|
if test "x$use_pkgconfig_for_libedit" = "xyes"; then
|
|
LIBEDIT=`$PKGCONFIG --libs libedit`
|
|
CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
|
|
else
|
|
LIBEDIT="-ledit -lcurses"
|
|
fi
|
|
OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
|
|
AC_CHECK_LIB([edit], [el_init],
|
|
[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
|
|
LIBEDIT_MSG="yes"
|
|
AC_SUBST([LIBEDIT])
|
|
],
|
|
[ AC_MSG_ERROR([libedit not found]) ],
|
|
[ $OTHERLIBS ]
|
|
)
|
|
AC_MSG_CHECKING([if libedit version is compatible])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <histedit.h>
|
|
#include <stdlib.h>
|
|
]],
|
|
[[
|
|
int i = H_SETSIZE;
|
|
el_init("", NULL, NULL, NULL);
|
|
exit(0);
|
|
]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
AC_MSG_ERROR([libedit version is not compatible]) ]
|
|
)
|
|
fi ]
|
|
)
|
|
|
|
AUDIT_MODULE=none
|
|
AC_ARG_WITH([audit],
|
|
[ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
|
|
[
|
|
AC_MSG_CHECKING([for supported audit module])
|
|
case "$withval" in
|
|
bsm)
|
|
AC_MSG_RESULT([bsm])
|
|
AUDIT_MODULE=bsm
|
|
dnl Checks for headers, libs and functions
|
|
AC_CHECK_HEADERS([bsm/audit.h], [],
|
|
[AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
|
|
[
|
|
#ifdef HAVE_TIME_H
|
|
# include <time.h>
|
|
#endif
|
|
]
|
|
)
|
|
AC_CHECK_LIB([bsm], [getaudit], [],
|
|
[AC_MSG_ERROR([BSM enabled and required library not found])])
|
|
AC_CHECK_FUNCS([getaudit], [],
|
|
[AC_MSG_ERROR([BSM enabled and required function not found])])
|
|
# These are optional
|
|
AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
|
|
AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
|
|
if test "$sol2ver" -ge 11; then
|
|
SSHDLIBS="$SSHDLIBS -lscf"
|
|
AC_DEFINE([BROKEN_BSM_API], [1],
|
|
[The system has incomplete BSM API])
|
|
fi
|
|
;;
|
|
linux)
|
|
AC_MSG_RESULT([linux])
|
|
AUDIT_MODULE=linux
|
|
dnl Checks for headers, libs and functions
|
|
AC_CHECK_HEADERS([libaudit.h])
|
|
SSHDLIBS="$SSHDLIBS -laudit"
|
|
AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
|
|
;;
|
|
debug)
|
|
AUDIT_MODULE=debug
|
|
AC_MSG_RESULT([debug])
|
|
AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
|
|
;;
|
|
no)
|
|
AC_MSG_RESULT([no])
|
|
;;
|
|
*)
|
|
AC_MSG_ERROR([Unknown audit module $withval])
|
|
;;
|
|
esac ]
|
|
)
|
|
|
|
AC_ARG_WITH([pie],
|
|
[ --with-pie Build Position Independent Executables if possible], [
|
|
if test "x$withval" = "xno"; then
|
|
use_pie=no
|
|
fi
|
|
if test "x$withval" = "xyes"; then
|
|
use_pie=yes
|
|
fi
|
|
]
|
|
)
|
|
if test "x$use_pie" = "x"; then
|
|
use_pie=no
|
|
fi
|
|
if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
|
|
# Turn off automatic PIE when toolchain hardening is off.
|
|
use_pie=no
|
|
fi
|
|
if test "x$use_pie" = "xauto"; then
|
|
# Automatic PIE requires gcc >= 4.x
|
|
AC_MSG_CHECKING([for gcc >= 4.x])
|
|
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
|
#if !defined(__GNUC__) || __GNUC__ < 4
|
|
#error gcc is too old
|
|
#endif
|
|
]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
use_pie=no ]
|
|
)
|
|
fi
|
|
if test "x$use_pie" != "xno"; then
|
|
SAVED_CFLAGS="$CFLAGS"
|
|
SAVED_LDFLAGS="$LDFLAGS"
|
|
OSSH_CHECK_CFLAG_COMPILE([-fPIE])
|
|
OSSH_CHECK_LDFLAG_LINK([-pie])
|
|
# We use both -fPIE and -pie or neither.
|
|
AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
|
|
if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
|
|
echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
|
|
AC_MSG_RESULT([yes])
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
CFLAGS="$SAVED_CFLAGS"
|
|
LDFLAGS="$SAVED_LDFLAGS"
|
|
fi
|
|
fi
|
|
|
|
AC_MSG_CHECKING([whether -fPIC is accepted])
|
|
SAVED_CFLAGS="$CFLAGS"
|
|
CFLAGS="$CFLAGS -fPIC"
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
|
|
[AC_MSG_RESULT([yes])
|
|
PICFLAG="-fPIC"; ],
|
|
[AC_MSG_RESULT([no])
|
|
PICFLAG=""; ])
|
|
CFLAGS="$SAVED_CFLAGS"
|
|
AC_SUBST([PICFLAG])
|
|
|
|
dnl Checks for library functions. Please keep in alphabetical order
|
|
AC_CHECK_FUNCS([ \
|
|
Blowfish_initstate \
|
|
Blowfish_expandstate \
|
|
Blowfish_expand0state \
|
|
Blowfish_stream2word \
|
|
SHA256Update \
|
|
SHA384Update \
|
|
SHA512Update \
|
|
asprintf \
|
|
b64_ntop \
|
|
__b64_ntop \
|
|
b64_pton \
|
|
__b64_pton \
|
|
bcopy \
|
|
bcrypt_pbkdf \
|
|
bindresvport_sa \
|
|
blf_enc \
|
|
bzero \
|
|
cap_rights_limit \
|
|
clock \
|
|
closefrom \
|
|
close_range \
|
|
dirfd \
|
|
endgrent \
|
|
err \
|
|
errx \
|
|
explicit_bzero \
|
|
explicit_memset \
|
|
fchmod \
|
|
fchmodat \
|
|
fchown \
|
|
fchownat \
|
|
flock \
|
|
fnmatch \
|
|
freeaddrinfo \
|
|
freezero \
|
|
fstatfs \
|
|
fstatvfs \
|
|
futimes \
|
|
getaddrinfo \
|
|
getcwd \
|
|
getentropy \
|
|
getgrouplist \
|
|
getline \
|
|
getnameinfo \
|
|
getopt \
|
|
getpagesize \
|
|
getpeereid \
|
|
getpeerucred \
|
|
getpgid \
|
|
_getpty \
|
|
getrlimit \
|
|
getrandom \
|
|
getsid \
|
|
getttyent \
|
|
glob \
|
|
group_from_gid \
|
|
inet_aton \
|
|
inet_ntoa \
|
|
inet_ntop \
|
|
innetgr \
|
|
killpg \
|
|
llabs \
|
|
localtime_r \
|
|
login_getcapbool \
|
|
login_getpwclass \
|
|
memmem \
|
|
memmove \
|
|
memset_s \
|
|
mkdtemp \
|
|
ngetaddrinfo \
|
|
nsleep \
|
|
ogetaddrinfo \
|
|
openlog_r \
|
|
pledge \
|
|
poll \
|
|
ppoll \
|
|
prctl \
|
|
procctl \
|
|
pselect \
|
|
pstat \
|
|
raise \
|
|
readpassphrase \
|
|
reallocarray \
|
|
realpath \
|
|
recvmsg \
|
|
recallocarray \
|
|
rresvport_af \
|
|
sendmsg \
|
|
setdtablesize \
|
|
setegid \
|
|
setenv \
|
|
seteuid \
|
|
setgroupent \
|
|
setgroups \
|
|
setlinebuf \
|
|
setlogin \
|
|
setpassent\
|
|
setpcred \
|
|
setproctitle \
|
|
setregid \
|
|
setreuid \
|
|
setrlimit \
|
|
setsid \
|
|
setvbuf \
|
|
sigaction \
|
|
sigvec \
|
|
snprintf \
|
|
socketpair \
|
|
statfs \
|
|
statvfs \
|
|
strcasestr \
|
|
strdup \
|
|
strerror \
|
|
strlcat \
|
|
strlcpy \
|
|
strmode \
|
|
strndup \
|
|
strnlen \
|
|
strnvis \
|
|
strptime \
|
|
strsignal \
|
|
strtonum \
|
|
strtoll \
|
|
strtoul \
|
|
strtoull \
|
|
swap32 \
|
|
sysconf \
|
|
tcgetpgrp \
|
|
timegm \
|
|
timingsafe_bcmp \
|
|
truncate \
|
|
unsetenv \
|
|
updwtmpx \
|
|
utimensat \
|
|
user_from_uid \
|
|
usleep \
|
|
vasprintf \
|
|
vsnprintf \
|
|
waitpid \
|
|
warn \
|
|
])
|
|
|
|
AC_CHECK_DECLS([bzero, memmem])
|
|
|
|
dnl Wide character support.
|
|
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
|
|
|
|
TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
|
|
AC_MSG_CHECKING([for utf8 locale support])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <locale.h>
|
|
#include <stdlib.h>
|
|
]], [[
|
|
char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
|
|
if (loc != NULL)
|
|
exit(0);
|
|
exit(1);
|
|
]])],
|
|
AC_MSG_RESULT(yes),
|
|
[AC_MSG_RESULT(no)
|
|
TEST_SSH_UTF8=no],
|
|
AC_MSG_WARN([cross compiling: assuming yes])
|
|
)
|
|
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM(
|
|
[[ #include <ctype.h> ]],
|
|
[[ return (isblank('a')); ]])],
|
|
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
|
|
])
|
|
|
|
disable_pkcs11=
|
|
AC_ARG_ENABLE([pkcs11],
|
|
[ --disable-pkcs11 disable PKCS#11 support code [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
disable_pkcs11=1
|
|
fi
|
|
]
|
|
)
|
|
|
|
disable_sk=
|
|
AC_ARG_ENABLE([security-key],
|
|
[ --disable-security-key disable U2F/FIDO support code [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
disable_sk=1
|
|
fi
|
|
]
|
|
)
|
|
enable_sk_internal=
|
|
AC_ARG_WITH([security-key-builtin],
|
|
[ --with-security-key-builtin include builtin U2F/FIDO support],
|
|
[ enable_sk_internal=$withval ]
|
|
)
|
|
|
|
AC_SEARCH_LIBS([dlopen], [dl])
|
|
AC_CHECK_FUNCS([dlopen])
|
|
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
|
|
|
|
# IRIX has a const char return value for gai_strerror()
|
|
AC_CHECK_FUNCS([gai_strerror], [
|
|
AC_DEFINE([HAVE_GAI_STRERROR])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
|
|
const char *gai_strerror(int);
|
|
]], [[
|
|
char *str;
|
|
str = gai_strerror(0);
|
|
]])], [
|
|
AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
|
|
[Define if gai_strerror() returns const char *])], [])])
|
|
|
|
AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
|
|
[Some systems put nanosleep outside of libc])])
|
|
|
|
AC_SEARCH_LIBS([clock_gettime], [rt],
|
|
[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
|
|
|
|
dnl check if we need -D_REENTRANT for localtime_r declaration.
|
|
AC_CHECK_DECL([localtime_r], [],
|
|
[ saved_CPPFLAGS="$CPPFLAGS"
|
|
CPPFLAGS="$CPPFLAGS -D_REENTRANT"
|
|
unset ac_cv_have_decl_localtime_r
|
|
AC_CHECK_DECL([localtime_r], [],
|
|
[ CPPFLAGS="$saved_CPPFLAGS" ],
|
|
[ #include <time.h> ]
|
|
)
|
|
],
|
|
[ #include <time.h> ]
|
|
)
|
|
|
|
dnl Make sure prototypes are defined for these before using them.
|
|
AC_CHECK_DECL([strsep],
|
|
[AC_CHECK_FUNCS([strsep])],
|
|
[],
|
|
[
|
|
#ifdef HAVE_STRING_H
|
|
# include <string.h>
|
|
#endif
|
|
])
|
|
|
|
dnl tcsendbreak might be a macro
|
|
AC_CHECK_DECL([tcsendbreak],
|
|
[AC_DEFINE([HAVE_TCSENDBREAK])],
|
|
[AC_CHECK_FUNCS([tcsendbreak])],
|
|
[#include <termios.h>]
|
|
)
|
|
|
|
AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
|
|
|
|
AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
|
|
[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <unistd.h>
|
|
])
|
|
|
|
AC_CHECK_DECLS([O_NONBLOCK], , ,
|
|
[
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_STAT_H
|
|
# include <sys/stat.h>
|
|
#endif
|
|
#ifdef HAVE_FCNTL_H
|
|
# include <fcntl.h>
|
|
#endif
|
|
])
|
|
|
|
AC_CHECK_DECLS([ftruncate, getentropy], , ,
|
|
[
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
])
|
|
|
|
AC_CHECK_DECLS([readv, writev], , , [
|
|
#include <sys/types.h>
|
|
#include <sys/uio.h>
|
|
#include <unistd.h>
|
|
])
|
|
|
|
AC_CHECK_DECLS([MAXSYMLINKS], , , [
|
|
#include <sys/param.h>
|
|
])
|
|
|
|
AC_CHECK_DECLS([offsetof], , , [
|
|
#include <stddef.h>
|
|
])
|
|
|
|
# extra bits for select(2)
|
|
AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
|
|
#include <sys/param.h>
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_SYSMACROS_H
|
|
#include <sys/sysmacros.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_SELECT_H
|
|
#include <sys/select.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_TIME_H
|
|
#include <sys/time.h>
|
|
#endif
|
|
#ifdef HAVE_UNISTD_H
|
|
#include <unistd.h>
|
|
#endif
|
|
]])
|
|
AC_CHECK_TYPES([fd_mask], [], [], [[
|
|
#include <sys/param.h>
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_SELECT_H
|
|
#include <sys/select.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_TIME_H
|
|
#include <sys/time.h>
|
|
#endif
|
|
#ifdef HAVE_UNISTD_H
|
|
#include <unistd.h>
|
|
#endif
|
|
]])
|
|
|
|
AC_CHECK_FUNCS([setresuid], [
|
|
dnl Some platorms have setresuid that isn't implemented, test for this
|
|
AC_MSG_CHECKING([if setresuid seems to work])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <errno.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
]], [[
|
|
errno=0;
|
|
setresuid(0,0,0);
|
|
if (errno==ENOSYS)
|
|
exit(1);
|
|
else
|
|
exit(0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[AC_DEFINE([BROKEN_SETRESUID], [1],
|
|
[Define if your setresuid() is broken])
|
|
AC_MSG_RESULT([not implemented])],
|
|
[AC_MSG_WARN([cross compiling: not checking setresuid])]
|
|
)
|
|
])
|
|
|
|
AC_CHECK_FUNCS([setresgid], [
|
|
dnl Some platorms have setresgid that isn't implemented, test for this
|
|
AC_MSG_CHECKING([if setresgid seems to work])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <errno.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
]], [[
|
|
errno=0;
|
|
setresgid(0,0,0);
|
|
if (errno==ENOSYS)
|
|
exit(1);
|
|
else
|
|
exit(0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[AC_DEFINE([BROKEN_SETRESGID], [1],
|
|
[Define if your setresgid() is broken])
|
|
AC_MSG_RESULT([not implemented])],
|
|
[AC_MSG_WARN([cross compiling: not checking setresuid])]
|
|
)
|
|
])
|
|
|
|
AC_MSG_CHECKING([for working fflush(NULL)])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
]],
|
|
[[fflush(NULL); exit(0);]])],
|
|
AC_MSG_RESULT([yes]),
|
|
[AC_MSG_RESULT([no])
|
|
AC_DEFINE([FFLUSH_NULL_BUG], [1],
|
|
[define if fflush(NULL) does not work])],
|
|
AC_MSG_WARN([cross compiling: assuming working])
|
|
)
|
|
|
|
dnl Checks for time functions
|
|
AC_CHECK_FUNCS([gettimeofday time])
|
|
dnl Checks for utmp functions
|
|
AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
|
|
AC_CHECK_FUNCS([utmpname])
|
|
dnl Checks for utmpx functions
|
|
AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
|
|
AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
|
|
dnl Checks for lastlog functions
|
|
AC_CHECK_FUNCS([getlastlogxbyname])
|
|
|
|
AC_CHECK_FUNC([daemon],
|
|
[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
|
|
[AC_CHECK_LIB([bsd], [daemon],
|
|
[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
|
|
)
|
|
|
|
AC_CHECK_FUNC([getpagesize],
|
|
[AC_DEFINE([HAVE_GETPAGESIZE], [1],
|
|
[Define if your libraries define getpagesize()])],
|
|
[AC_CHECK_LIB([ucb], [getpagesize],
|
|
[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
|
|
)
|
|
|
|
# Check for broken snprintf
|
|
if test "x$ac_cv_func_snprintf" = "xyes" ; then
|
|
AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
]],
|
|
[[
|
|
char b[5];
|
|
snprintf(b,5,"123456789");
|
|
exit(b[4]!='\0');
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_SNPRINTF], [1],
|
|
[Define if your snprintf is busted])
|
|
AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
|
|
],
|
|
[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
|
|
)
|
|
fi
|
|
|
|
if test "x$ac_cv_func_snprintf" = "xyes" ; then
|
|
AC_MSG_CHECKING([whether snprintf understands %zu])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
]],
|
|
[[
|
|
size_t a = 1, b = 2;
|
|
char z[128];
|
|
snprintf(z, sizeof z, "%zu%zu", a, b);
|
|
exit(strcmp(z, "12"));
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_SNPRINTF], [1],
|
|
[snprintf does not understand %zu])
|
|
],
|
|
[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
|
|
)
|
|
fi
|
|
|
|
# We depend on vsnprintf returning the right thing on overflow: the
|
|
# number of characters it tried to create (as per SUSv3)
|
|
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
|
|
AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <stdio.h>
|
|
#include <stdarg.h>
|
|
|
|
int x_snprintf(char *str, size_t count, const char *fmt, ...)
|
|
{
|
|
size_t ret;
|
|
va_list ap;
|
|
|
|
va_start(ap, fmt);
|
|
ret = vsnprintf(str, count, fmt, ap);
|
|
va_end(ap);
|
|
return ret;
|
|
}
|
|
]], [[
|
|
char x[1];
|
|
if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
|
|
return 1;
|
|
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
|
|
return 1;
|
|
return 0;
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_SNPRINTF], [1],
|
|
[Define if your snprintf is busted])
|
|
AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
|
|
],
|
|
[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
|
|
)
|
|
fi
|
|
|
|
# On systems where [v]snprintf is broken, but is declared in stdio,
|
|
# check that the fmt argument is const char * or just char *.
|
|
# This is only useful for when BROKEN_SNPRINTF
|
|
AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
|
|
]], [[
|
|
snprintf(0, 0, 0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])
|
|
AC_DEFINE([SNPRINTF_CONST], [const],
|
|
[Define as const if snprintf() can declare const char *fmt])],
|
|
[AC_MSG_RESULT([no])
|
|
AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
|
|
|
|
# Check for missing getpeereid (or equiv) support
|
|
NO_PEERCHECK=""
|
|
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
|
|
AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
|
|
], [AC_MSG_RESULT([no])
|
|
NO_PEERCHECK=1
|
|
])
|
|
fi
|
|
|
|
dnl make sure that openpty does not reacquire controlling terminal
|
|
if test ! -z "$check_for_openpty_ctty_bug"; then
|
|
AC_MSG_CHECKING([if openpty correctly handles controlling tty])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#ifdef HAVE_PTY_H
|
|
# include <pty.h>
|
|
#endif
|
|
#include <sys/fcntl.h>
|
|
#include <sys/types.h>
|
|
#include <sys/wait.h>
|
|
]], [[
|
|
pid_t pid;
|
|
int fd, ptyfd, ttyfd, status;
|
|
|
|
pid = fork();
|
|
if (pid < 0) { /* failed */
|
|
exit(1);
|
|
} else if (pid > 0) { /* parent */
|
|
waitpid(pid, &status, 0);
|
|
if (WIFEXITED(status))
|
|
exit(WEXITSTATUS(status));
|
|
else
|
|
exit(2);
|
|
} else { /* child */
|
|
close(0); close(1); close(2);
|
|
setsid();
|
|
openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
|
|
fd = open("/dev/tty", O_RDWR | O_NOCTTY);
|
|
if (fd >= 0)
|
|
exit(3); /* Acquired ctty: broken */
|
|
else
|
|
exit(0); /* Did not acquire ctty: OK */
|
|
}
|
|
]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([SSHD_ACQUIRES_CTTY])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([cross-compiling, assuming yes])
|
|
]
|
|
)
|
|
fi
|
|
|
|
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
|
|
test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
|
|
AC_MSG_CHECKING([if getaddrinfo seems to work])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
#include <errno.h>
|
|
#include <netinet/in.h>
|
|
|
|
#define TEST_PORT "2222"
|
|
]], [[
|
|
int err, sock;
|
|
struct addrinfo *gai_ai, *ai, hints;
|
|
char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
|
|
|
|
memset(&hints, 0, sizeof(hints));
|
|
hints.ai_family = PF_UNSPEC;
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
hints.ai_flags = AI_PASSIVE;
|
|
|
|
err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
|
|
if (err != 0) {
|
|
fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
|
|
exit(1);
|
|
}
|
|
|
|
for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
|
|
if (ai->ai_family != AF_INET6)
|
|
continue;
|
|
|
|
err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
|
|
sizeof(ntop), strport, sizeof(strport),
|
|
NI_NUMERICHOST|NI_NUMERICSERV);
|
|
|
|
if (err != 0) {
|
|
if (err == EAI_SYSTEM)
|
|
perror("getnameinfo EAI_SYSTEM");
|
|
else
|
|
fprintf(stderr, "getnameinfo failed: %s\n",
|
|
gai_strerror(err));
|
|
exit(2);
|
|
}
|
|
|
|
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
|
|
if (sock < 0)
|
|
perror("socket");
|
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
|
if (errno == EBADF)
|
|
exit(3);
|
|
}
|
|
}
|
|
exit(0);
|
|
]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_GETADDRINFO])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([cross-compiling, assuming yes])
|
|
]
|
|
)
|
|
fi
|
|
|
|
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
|
|
test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
|
|
AC_MSG_CHECKING([if getaddrinfo seems to work])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
#include <errno.h>
|
|
#include <netinet/in.h>
|
|
|
|
#define TEST_PORT "2222"
|
|
]], [[
|
|
int err, sock;
|
|
struct addrinfo *gai_ai, *ai, hints;
|
|
char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
|
|
|
|
memset(&hints, 0, sizeof(hints));
|
|
hints.ai_family = PF_UNSPEC;
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
hints.ai_flags = AI_PASSIVE;
|
|
|
|
err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
|
|
if (err != 0) {
|
|
fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
|
|
exit(1);
|
|
}
|
|
|
|
for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
|
|
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
|
|
continue;
|
|
|
|
err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
|
|
sizeof(ntop), strport, sizeof(strport),
|
|
NI_NUMERICHOST|NI_NUMERICSERV);
|
|
|
|
if (ai->ai_family == AF_INET && err != 0) {
|
|
perror("getnameinfo");
|
|
exit(2);
|
|
}
|
|
}
|
|
exit(0);
|
|
]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
|
|
[Define if you have a getaddrinfo that fails
|
|
for the all-zeros IPv6 address])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_GETADDRINFO])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([cross-compiling, assuming no])
|
|
]
|
|
)
|
|
fi
|
|
|
|
if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
|
|
AC_CHECK_DECLS(AI_NUMERICSERV, , ,
|
|
[#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>])
|
|
fi
|
|
|
|
if test "x$check_for_conflicting_getspnam" = "x1"; then
|
|
AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <shadow.h>
|
|
#include <stdlib.h>
|
|
]],
|
|
[[ exit(0); ]])],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
|
|
[Conflicting defs for getspnam])
|
|
]
|
|
)
|
|
fi
|
|
|
|
dnl NetBSD added an strnvis and unfortunately made it incompatible with the
|
|
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
|
|
dnl for over ten years). Despite this incompatibility being reported during
|
|
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
|
|
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
|
|
dnl implementation. Try to detect this mess, and assume the only safe option
|
|
dnl if we're cross compiling.
|
|
dnl
|
|
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
|
|
dnl NetBSD: 2012, strnvis(char *dst, size_t dlen, const char *src, int flag);
|
|
if test "x$ac_cv_func_strnvis" = "xyes"; then
|
|
AC_MSG_CHECKING([for working strnvis])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <signal.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <vis.h>
|
|
static void sighandler(int sig) { _exit(1); }
|
|
]], [[
|
|
char dst[16];
|
|
|
|
signal(SIGSEGV, sighandler);
|
|
if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
|
|
exit(0);
|
|
exit(1)
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[AC_MSG_RESULT([no])
|
|
AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
|
|
[AC_MSG_WARN([cross compiling: assuming broken])
|
|
AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
|
|
)
|
|
fi
|
|
|
|
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#ifdef HAVE_SYS_SELECT
|
|
# include <sys/select.h>
|
|
#endif
|
|
#include <sys/types.h>
|
|
#include <sys/time.h>
|
|
#include <stdlib.h>
|
|
#include <signal.h>
|
|
#include <unistd.h>
|
|
static void sighandler(int sig) { }
|
|
]], [[
|
|
int r;
|
|
pid_t pid;
|
|
struct sigaction sa;
|
|
|
|
sa.sa_handler = sighandler;
|
|
sa.sa_flags = SA_RESTART;
|
|
(void)sigaction(SIGTERM, &sa, NULL);
|
|
if ((pid = fork()) == 0) { /* child */
|
|
pid = getppid();
|
|
sleep(1);
|
|
kill(pid, SIGTERM);
|
|
sleep(1);
|
|
if (getppid() == pid) /* if parent did not exit, shoot it */
|
|
kill(pid, SIGKILL);
|
|
exit(0);
|
|
} else { /* parent */
|
|
r = select(0, NULL, NULL, NULL, NULL);
|
|
}
|
|
exit(r == -1 ? 0 : 1);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[AC_MSG_RESULT([no])
|
|
AC_DEFINE([NO_SA_RESTART], [1],
|
|
[SA_RESTARTed signals do no interrupt select])],
|
|
[AC_MSG_WARN([cross compiling: assuming yes])]
|
|
)
|
|
|
|
AC_CHECK_FUNCS([getpgrp],[
|
|
AC_MSG_CHECKING([if getpgrp accepts zero args])
|
|
AC_COMPILE_IFELSE(
|
|
[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
|
|
[ AC_MSG_RESULT([no])
|
|
AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
|
|
)
|
|
])
|
|
|
|
# Search for OpenSSL
|
|
saved_CPPFLAGS="$CPPFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
openssl_bin_PATH="$PATH"
|
|
AC_ARG_WITH([ssl-dir],
|
|
[ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
|
|
[
|
|
if test "x$openssl" = "xno" ; then
|
|
AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
|
|
fi
|
|
if test "x$withval" != "xno" ; then
|
|
case "$withval" in
|
|
# Relative paths
|
|
./*|../*) withval="`pwd`/$withval"
|
|
esac
|
|
if test -d "$withval/lib"; then
|
|
libcrypto_path="${withval}/lib"
|
|
elif test -d "$withval/lib64"; then
|
|
libcrypto_path="$withval/lib64"
|
|
else
|
|
# Built but not installed
|
|
libcrypto_path="${withval}"
|
|
fi
|
|
if test -n "${rpath_opt}"; then
|
|
LDFLAGS="-L${libcrypto_path} ${rpath_opt}${libcrypto_path} ${LDFLAGS}"
|
|
else
|
|
LDFLAGS="-L${libcrypto_path} ${LDFLAGS}"
|
|
fi
|
|
if test -d "$withval/include"; then
|
|
CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
|
else
|
|
CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
|
fi
|
|
openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
|
|
fi
|
|
]
|
|
)
|
|
AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])
|
|
AC_SUBST(OPENSSL_BIN, [${openssl_bin}])
|
|
|
|
AC_ARG_WITH([openssl-header-check],
|
|
[ --without-openssl-header-check Disable OpenSSL version consistency check],
|
|
[
|
|
if test "x$withval" = "xno" ; then
|
|
openssl_check_nonfatal=1
|
|
fi
|
|
]
|
|
)
|
|
|
|
openssl_engine=no
|
|
AC_ARG_WITH([ssl-engine],
|
|
[ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
|
|
[
|
|
if test "x$withval" != "xno" ; then
|
|
if test "x$openssl" = "xno" ; then
|
|
AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
|
|
fi
|
|
openssl_engine=yes
|
|
fi
|
|
]
|
|
)
|
|
|
|
nocrypto_saved_LIBS="$LIBS"
|
|
if test "x$openssl" = "xyes" ; then
|
|
LIBS="-lcrypto $LIBS"
|
|
CHANNELLIBS="-lcrypto $CHANNELLIBS"
|
|
AC_TRY_LINK_FUNC([RAND_add], ,
|
|
[AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
|
|
AC_CHECK_HEADER([openssl/opensslv.h], ,
|
|
[AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
|
|
|
|
# Determine OpenSSL header version
|
|
AC_MSG_CHECKING([OpenSSL header version])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <openssl/opensslv.h>
|
|
#define DATA "conftest.sslincver"
|
|
]], [[
|
|
FILE *fd;
|
|
int rc;
|
|
|
|
fd = fopen(DATA,"w");
|
|
if(fd == NULL)
|
|
exit(1);
|
|
|
|
if ((rc = fprintf(fd, "%08lx (%s)\n",
|
|
(unsigned long)OPENSSL_VERSION_NUMBER,
|
|
OPENSSL_VERSION_TEXT)) < 0)
|
|
exit(1);
|
|
|
|
exit(0);
|
|
]])],
|
|
[
|
|
ssl_header_ver=`cat conftest.sslincver`
|
|
AC_MSG_RESULT([$ssl_header_ver])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([not found])
|
|
AC_MSG_ERROR([OpenSSL version header not found.])
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: not checking])
|
|
]
|
|
)
|
|
|
|
# Determining OpenSSL library version is version dependent.
|
|
AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
|
|
|
|
# Determine OpenSSL library version
|
|
AC_MSG_CHECKING([OpenSSL library version])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <openssl/opensslv.h>
|
|
#include <openssl/crypto.h>
|
|
#define DATA "conftest.ssllibver"
|
|
]], [[
|
|
FILE *fd;
|
|
int rc;
|
|
|
|
fd = fopen(DATA,"w");
|
|
if(fd == NULL)
|
|
exit(1);
|
|
#ifndef OPENSSL_VERSION
|
|
# define OPENSSL_VERSION SSLEAY_VERSION
|
|
#endif
|
|
#ifndef HAVE_OPENSSL_VERSION
|
|
# define OpenSSL_version SSLeay_version
|
|
#endif
|
|
#ifndef HAVE_OPENSSL_VERSION_NUM
|
|
# define OpenSSL_version_num SSLeay
|
|
#endif
|
|
if ((rc = fprintf(fd, "%08lx (%s)\n",
|
|
(unsigned long)OpenSSL_version_num(),
|
|
OpenSSL_version(OPENSSL_VERSION))) < 0)
|
|
exit(1);
|
|
|
|
exit(0);
|
|
]])],
|
|
[
|
|
ssl_library_ver=`cat conftest.ssllibver`
|
|
# Check version is supported.
|
|
case "$ssl_library_ver" in
|
|
10000*|0*)
|
|
AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
|
|
;;
|
|
100*) ;; # 1.0.x
|
|
101000[[0123456]]*)
|
|
# https://github.com/openssl/openssl/pull/4613
|
|
AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
|
|
;;
|
|
101*) ;; # 1.1.x
|
|
200*) ;; # LibreSSL
|
|
300*)
|
|
# OpenSSL 3; we use the 1.1x API
|
|
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
|
|
;;
|
|
301*|302*)
|
|
# OpenSSL development branch; request 1.1x API
|
|
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
|
|
;;
|
|
*)
|
|
AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
|
|
;;
|
|
esac
|
|
AC_MSG_RESULT([$ssl_library_ver])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([not found])
|
|
AC_MSG_ERROR([OpenSSL library not found.])
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: not checking])
|
|
]
|
|
)
|
|
|
|
case "$host" in
|
|
x86_64-*)
|
|
case "$ssl_library_ver" in
|
|
3000004*)
|
|
AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
|
|
;;
|
|
esac
|
|
esac
|
|
|
|
# Sanity check OpenSSL headers
|
|
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <openssl/opensslv.h>
|
|
#include <openssl/crypto.h>
|
|
]], [[
|
|
#ifndef HAVE_OPENSSL_VERSION_NUM
|
|
# define OpenSSL_version_num SSLeay
|
|
#endif
|
|
exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
|
|
]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
if test "x$openssl_check_nonfatal" = "x"; then
|
|
AC_MSG_ERROR([Your OpenSSL headers do not match your
|
|
library. Check config.log for details.
|
|
If you are sure your installation is consistent, you can disable the check
|
|
by running "./configure --without-openssl-header-check".
|
|
Also see contrib/findssl.sh for help identifying header/library mismatches.
|
|
])
|
|
else
|
|
AC_MSG_WARN([Your OpenSSL headers do not match your
|
|
library. Check config.log for details.
|
|
Also see contrib/findssl.sh for help identifying header/library mismatches.])
|
|
fi
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: not checking])
|
|
]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if programs using OpenSSL functions will link])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
|
|
[[ ERR_load_crypto_strings(); ]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
LIBS="$LIBS -ldl"
|
|
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
|
|
[[ ERR_load_crypto_strings(); ]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
CHANNELLIBS="$CHANNELLIBS -ldl"
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
]
|
|
)
|
|
]
|
|
)
|
|
|
|
AC_CHECK_FUNCS([ \
|
|
BN_is_prime_ex \
|
|
DES_crypt \
|
|
DSA_generate_parameters_ex \
|
|
EVP_DigestFinal_ex \
|
|
EVP_DigestInit_ex \
|
|
EVP_MD_CTX_cleanup \
|
|
EVP_MD_CTX_copy_ex \
|
|
EVP_MD_CTX_init \
|
|
HMAC_CTX_init \
|
|
RSA_generate_key_ex \
|
|
RSA_get_default_method \
|
|
])
|
|
|
|
# OpenSSL_add_all_algorithms may be a macro.
|
|
AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
|
|
AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
|
|
AC_CHECK_DECL(OpenSSL_add_all_algorithms,
|
|
AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
|
|
[[#include <openssl/evp.h>]]
|
|
)
|
|
)
|
|
|
|
# LibreSSL/OpenSSL 1.1x API
|
|
AC_CHECK_FUNCS([ \
|
|
OPENSSL_init_crypto \
|
|
DH_get0_key \
|
|
DH_get0_pqg \
|
|
DH_set0_key \
|
|
DH_set_length \
|
|
DH_set0_pqg \
|
|
DSA_get0_key \
|
|
DSA_get0_pqg \
|
|
DSA_set0_key \
|
|
DSA_set0_pqg \
|
|
DSA_SIG_get0 \
|
|
DSA_SIG_set0 \
|
|
ECDSA_SIG_get0 \
|
|
ECDSA_SIG_set0 \
|
|
EVP_CIPHER_CTX_iv \
|
|
EVP_CIPHER_CTX_iv_noconst \
|
|
EVP_CIPHER_CTX_get_iv \
|
|
EVP_CIPHER_CTX_get_updated_iv \
|
|
EVP_CIPHER_CTX_set_iv \
|
|
RSA_get0_crt_params \
|
|
RSA_get0_factors \
|
|
RSA_get0_key \
|
|
RSA_set0_crt_params \
|
|
RSA_set0_factors \
|
|
RSA_set0_key \
|
|
RSA_meth_free \
|
|
RSA_meth_dup \
|
|
RSA_meth_set1_name \
|
|
RSA_meth_get_finish \
|
|
RSA_meth_set_priv_enc \
|
|
RSA_meth_set_priv_dec \
|
|
RSA_meth_set_finish \
|
|
EVP_PKEY_get0_RSA \
|
|
EVP_MD_CTX_new \
|
|
EVP_MD_CTX_free \
|
|
EVP_chacha20 \
|
|
])
|
|
|
|
if test "x$openssl_engine" = "xyes" ; then
|
|
AC_MSG_CHECKING([for OpenSSL ENGINE support])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <openssl/engine.h>
|
|
]], [[
|
|
ENGINE_load_builtin_engines();
|
|
ENGINE_register_all_complete();
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([USE_OPENSSL_ENGINE], [1],
|
|
[Enable OpenSSL engine support])
|
|
], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
|
|
])
|
|
fi
|
|
|
|
# Check for OpenSSL without EVP_aes_{192,256}_cbc
|
|
AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <openssl/evp.h>
|
|
]], [[
|
|
exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
|
|
]])],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
|
|
[libcrypto is missing AES 192 and 256 bit functions])
|
|
]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <openssl/evp.h>
|
|
]], [[
|
|
if(EVP_DigestUpdate(NULL, NULL,0))
|
|
exit(0);
|
|
]])],
|
|
[
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
|
|
[Define if EVP_DigestUpdate returns void])
|
|
]
|
|
)
|
|
|
|
# Check for SHA256, SHA384 and SHA512 support in OpenSSL
|
|
AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
|
|
|
|
# Check complete ECC support in OpenSSL
|
|
AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <openssl/ec.h>
|
|
#include <openssl/ecdh.h>
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/objects.h>
|
|
#include <openssl/opensslv.h>
|
|
]], [[
|
|
EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
|
const EVP_MD *m = EVP_sha256(); /* We need this too */
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
enable_nistp256=1 ],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
|
|
AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <openssl/ec.h>
|
|
#include <openssl/ecdh.h>
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/objects.h>
|
|
#include <openssl/opensslv.h>
|
|
]], [[
|
|
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
|
|
const EVP_MD *m = EVP_sha384(); /* We need this too */
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
enable_nistp384=1 ],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
|
|
AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <openssl/ec.h>
|
|
#include <openssl/ecdh.h>
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/objects.h>
|
|
#include <openssl/opensslv.h>
|
|
]], [[
|
|
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
|
|
const EVP_MD *m = EVP_sha512(); /* We need this too */
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#include <openssl/ec.h>
|
|
#include <openssl/ecdh.h>
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/objects.h>
|
|
#include <openssl/opensslv.h>
|
|
]],[[
|
|
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
|
|
const EVP_MD *m = EVP_sha512(); /* We need this too */
|
|
exit(e == NULL || m == NULL);
|
|
]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
enable_nistp521=1 ],
|
|
[ AC_MSG_RESULT([no]) ],
|
|
[ AC_MSG_WARN([cross-compiling: assuming yes])
|
|
enable_nistp521=1 ]
|
|
)],
|
|
AC_MSG_RESULT([no])
|
|
)
|
|
|
|
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
|
|
test x$enable_nistp521 = x1; then
|
|
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
|
|
AC_CHECK_FUNCS([EC_KEY_METHOD_new])
|
|
openssl_ecc=yes
|
|
else
|
|
openssl_ecc=no
|
|
fi
|
|
if test x$enable_nistp256 = x1; then
|
|
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
|
|
[libcrypto has NID_X9_62_prime256v1])
|
|
else
|
|
unsupported_algorithms="$unsupported_algorithms \
|
|
ecdsa-sha2-nistp256 \
|
|
ecdh-sha2-nistp256 \
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com"
|
|
fi
|
|
if test x$enable_nistp384 = x1; then
|
|
AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
|
|
else
|
|
unsupported_algorithms="$unsupported_algorithms \
|
|
ecdsa-sha2-nistp384 \
|
|
ecdh-sha2-nistp384 \
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com"
|
|
fi
|
|
if test x$enable_nistp521 = x1; then
|
|
AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
|
|
else
|
|
unsupported_algorithms="$unsupported_algorithms \
|
|
ecdh-sha2-nistp521 \
|
|
ecdsa-sha2-nistp521 \
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com"
|
|
fi
|
|
fi
|
|
|
|
# PKCS11/U2F depend on OpenSSL and dlopen().
|
|
enable_pkcs11=yes
|
|
enable_sk=yes
|
|
if test "x$openssl" != "xyes" ; then
|
|
enable_pkcs11="disabled; missing libcrypto"
|
|
fi
|
|
if test "x$ac_cv_func_dlopen" != "xyes" ; then
|
|
enable_pkcs11="disabled; missing dlopen(3)"
|
|
enable_sk="disabled; missing dlopen(3)"
|
|
fi
|
|
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
|
|
enable_pkcs11="disabled; missing RTLD_NOW"
|
|
enable_sk="disabled; missing RTLD_NOW"
|
|
fi
|
|
if test ! -z "$disable_pkcs11" ; then
|
|
enable_pkcs11="disabled by user"
|
|
fi
|
|
if test ! -z "$disable_sk" ; then
|
|
enable_sk="disabled by user"
|
|
fi
|
|
|
|
AC_MSG_CHECKING([whether to enable PKCS11])
|
|
if test "x$enable_pkcs11" = "xyes" ; then
|
|
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
|
|
fi
|
|
AC_MSG_RESULT([$enable_pkcs11])
|
|
|
|
AC_MSG_CHECKING([whether to enable U2F])
|
|
if test "x$enable_sk" = "xyes" ; then
|
|
AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
|
|
AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
|
|
else
|
|
# Do not try to build sk-dummy library.
|
|
AC_SUBST(SK_DUMMY_LIBRARY, [""])
|
|
fi
|
|
AC_MSG_RESULT([$enable_sk])
|
|
|
|
# Now check for built-in security key support.
|
|
if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
|
|
use_pkgconfig_for_libfido2=
|
|
if test "x$PKGCONFIG" != "xno"; then
|
|
AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
|
|
if "$PKGCONFIG" libfido2; then
|
|
AC_MSG_RESULT([yes])
|
|
use_pkgconfig_for_libfido2=yes
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
fi
|
|
if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
|
|
LIBFIDO2=`$PKGCONFIG --libs libfido2`
|
|
CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
|
|
else
|
|
LIBFIDO2="-lfido2 -lcbor"
|
|
fi
|
|
OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
|
|
fido2_error=
|
|
AC_CHECK_LIB([fido2], [fido_init],
|
|
[ ],
|
|
[ fido2_error="missing/unusable libfido2" ],
|
|
[ $OTHERLIBS ]
|
|
)
|
|
AC_CHECK_HEADER([fido.h], [],
|
|
[ fido2_error="missing fido.h from libfido2" ])
|
|
AC_CHECK_HEADER([fido/credman.h], [],
|
|
[ fido2_error="missing fido/credman.h from libfido2" ],
|
|
[ #include <fido.h> ]
|
|
)
|
|
AC_MSG_CHECKING([for usable libfido2 installation])
|
|
if test ! -z "$fido2_error" ; then
|
|
AC_MSG_RESULT([$fido2_error])
|
|
if test "x$enable_sk_internal" = "xyes" ; then
|
|
AC_MSG_ERROR([No usable libfido2 library/headers found])
|
|
fi
|
|
LIBFIDO2=""
|
|
else
|
|
AC_MSG_RESULT([yes])
|
|
AC_SUBST([LIBFIDO2])
|
|
AC_DEFINE([ENABLE_SK_INTERNAL], [],
|
|
[Enable for built-in U2F/FIDO support])
|
|
enable_sk="built-in"
|
|
saved_LIBS="$LIBS"
|
|
LIBS="$LIBFIDO2 $LIBS"
|
|
AC_CHECK_FUNCS([ \
|
|
fido_assert_set_clientdata \
|
|
fido_cred_prot \
|
|
fido_cred_set_prot \
|
|
fido_cred_set_clientdata \
|
|
fido_dev_get_touch_begin \
|
|
fido_dev_get_touch_status \
|
|
fido_dev_supports_cred_prot \
|
|
fido_dev_is_winhello \
|
|
])
|
|
LIBS="$saved_LIBS"
|
|
fi
|
|
fi
|
|
|
|
AC_CHECK_FUNCS([ \
|
|
arc4random \
|
|
arc4random_buf \
|
|
arc4random_stir \
|
|
arc4random_uniform \
|
|
])
|
|
### Configure cryptographic random number support
|
|
|
|
# Check whether OpenSSL seeds itself
|
|
if test "x$openssl" = "xyes" ; then
|
|
AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <openssl/rand.h>
|
|
]], [[
|
|
exit(RAND_status() == 1 ? 0 : 1);
|
|
]])],
|
|
[
|
|
OPENSSL_SEEDS_ITSELF=yes
|
|
AC_MSG_RESULT([yes])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: assuming yes])
|
|
# This is safe, since we will fatal() at runtime if
|
|
# OpenSSL is not seeded correctly.
|
|
OPENSSL_SEEDS_ITSELF=yes
|
|
]
|
|
)
|
|
fi
|
|
|
|
# PRNGD TCP socket
|
|
AC_ARG_WITH([prngd-port],
|
|
[ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT],
|
|
[
|
|
case "$withval" in
|
|
no)
|
|
withval=""
|
|
;;
|
|
[[0-9]]*)
|
|
;;
|
|
*)
|
|
AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
|
|
;;
|
|
esac
|
|
if test ! -z "$withval" ; then
|
|
PRNGD_PORT="$withval"
|
|
AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
|
|
[Port number of PRNGD/EGD random number socket])
|
|
fi
|
|
]
|
|
)
|
|
|
|
# PRNGD Unix domain socket
|
|
AC_ARG_WITH([prngd-socket],
|
|
[ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
|
|
[
|
|
case "$withval" in
|
|
yes)
|
|
withval="/var/run/egd-pool"
|
|
;;
|
|
no)
|
|
withval=""
|
|
;;
|
|
/*)
|
|
;;
|
|
*)
|
|
AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
|
|
;;
|
|
esac
|
|
|
|
if test ! -z "$withval" ; then
|
|
if test ! -z "$PRNGD_PORT" ; then
|
|
AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
|
|
fi
|
|
if test ! -r "$withval" ; then
|
|
AC_MSG_WARN([Entropy socket is not readable])
|
|
fi
|
|
PRNGD_SOCKET="$withval"
|
|
AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
|
|
[Location of PRNGD/EGD random number socket])
|
|
fi
|
|
],
|
|
[
|
|
# Check for existing socket only if we don't have a random device already
|
|
if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
|
|
AC_MSG_CHECKING([for PRNGD/EGD socket])
|
|
# Insert other locations here
|
|
for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
|
|
if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
|
|
PRNGD_SOCKET="$sock"
|
|
AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
|
|
break;
|
|
fi
|
|
done
|
|
if test ! -z "$PRNGD_SOCKET" ; then
|
|
AC_MSG_RESULT([$PRNGD_SOCKET])
|
|
else
|
|
AC_MSG_RESULT([not found])
|
|
fi
|
|
fi
|
|
]
|
|
)
|
|
|
|
# Which randomness source do we use?
|
|
if test ! -z "$PRNGD_PORT" ; then
|
|
RAND_MSG="PRNGd port $PRNGD_PORT"
|
|
elif test ! -z "$PRNGD_SOCKET" ; then
|
|
RAND_MSG="PRNGd socket $PRNGD_SOCKET"
|
|
elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
|
|
AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
|
|
[Define if you want the OpenSSL internally seeded PRNG only])
|
|
RAND_MSG="OpenSSL internal ONLY"
|
|
elif test "x$openssl" = "xno" ; then
|
|
AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
|
|
else
|
|
AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
|
|
fi
|
|
LIBS="$nocrypto_saved_LIBS"
|
|
|
|
saved_LIBS="$LIBS"
|
|
AC_CHECK_LIB([iaf], [ia_openinfo], [
|
|
LIBS="$LIBS -liaf"
|
|
AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
|
|
AC_DEFINE([HAVE_LIBIAF], [1],
|
|
[Define if system has libiaf that supports set_id])
|
|
])
|
|
])
|
|
LIBS="$saved_LIBS"
|
|
|
|
# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
|
|
saved_LIBS="$LIBS"
|
|
AC_CHECK_LIB([crypt], [crypt], [
|
|
LIBS="-lcrypt $LIBS"
|
|
SSHDLIBS="-lcrypt $SSHDLIBS"
|
|
])
|
|
AC_CHECK_FUNCS([crypt])
|
|
LIBS="$saved_LIBS"
|
|
|
|
# Check for PAM libs
|
|
PAM_MSG="no"
|
|
AC_ARG_WITH([pam],
|
|
[ --with-pam Enable PAM support ],
|
|
[
|
|
if test "x$withval" != "xno" ; then
|
|
if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
|
|
test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
|
|
AC_MSG_ERROR([PAM headers not found])
|
|
fi
|
|
|
|
saved_LIBS="$LIBS"
|
|
AC_CHECK_LIB([dl], [dlopen], , )
|
|
AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
|
|
AC_CHECK_FUNCS([pam_getenvlist])
|
|
AC_CHECK_FUNCS([pam_putenv])
|
|
LIBS="$saved_LIBS"
|
|
|
|
PAM_MSG="yes"
|
|
|
|
SSHDLIBS="$SSHDLIBS -lpam"
|
|
AC_DEFINE([USE_PAM], [1],
|
|
[Define if you want to enable PAM support])
|
|
|
|
if test $ac_cv_lib_dl_dlopen = yes; then
|
|
case "$LIBS" in
|
|
*-ldl*)
|
|
# libdl already in LIBS
|
|
;;
|
|
*)
|
|
SSHDLIBS="$SSHDLIBS -ldl"
|
|
;;
|
|
esac
|
|
fi
|
|
fi
|
|
]
|
|
)
|
|
|
|
AC_ARG_WITH([pam-service],
|
|
[ --with-pam-service=name Specify PAM service name ],
|
|
[
|
|
if test "x$withval" != "xno" && \
|
|
test "x$withval" != "xyes" ; then
|
|
AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
|
|
["$withval"], [sshd PAM service name])
|
|
fi
|
|
]
|
|
)
|
|
|
|
# Check for older PAM
|
|
if test "x$PAM_MSG" = "xyes" ; then
|
|
# Check PAM strerror arguments (old PAM)
|
|
AC_MSG_CHECKING([whether pam_strerror takes only one argument])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <stdlib.h>
|
|
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
|
#include <security/pam_appl.h>
|
|
#elif defined (HAVE_PAM_PAM_APPL_H)
|
|
#include <pam/pam_appl.h>
|
|
#endif
|
|
]], [[
|
|
(void)pam_strerror((pam_handle_t *)NULL, -1);
|
|
]])], [AC_MSG_RESULT([no])], [
|
|
AC_DEFINE([HAVE_OLD_PAM], [1],
|
|
[Define if you have an old version of PAM
|
|
which takes only one argument to pam_strerror])
|
|
AC_MSG_RESULT([yes])
|
|
PAM_MSG="yes (old library)"
|
|
|
|
])
|
|
fi
|
|
|
|
case "$host" in
|
|
*-*-cygwin*)
|
|
SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
|
|
;;
|
|
*)
|
|
SSH_PRIVSEP_USER=sshd
|
|
;;
|
|
esac
|
|
AC_ARG_WITH([privsep-user],
|
|
[ --with-privsep-user=user Specify non-privileged user for privilege separation],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
SSH_PRIVSEP_USER=$withval
|
|
fi
|
|
]
|
|
)
|
|
if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
|
|
AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
|
|
[Cygwin function to fetch non-privileged user for privilege separation])
|
|
else
|
|
AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
|
|
[non-privileged user for privilege separation])
|
|
fi
|
|
AC_SUBST([SSH_PRIVSEP_USER])
|
|
|
|
if test "x$have_linux_no_new_privs" = "x1" ; then
|
|
AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
|
|
#include <sys/types.h>
|
|
#include <linux/seccomp.h>
|
|
])
|
|
fi
|
|
if test "x$have_seccomp_filter" = "x1" ; then
|
|
AC_MSG_CHECKING([kernel for seccomp_filter support])
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <errno.h>
|
|
#include <elf.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/seccomp.h>
|
|
#include <stdlib.h>
|
|
#include <sys/prctl.h>
|
|
]],
|
|
[[ int i = $seccomp_audit_arch;
|
|
errno = 0;
|
|
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
|
|
exit(errno == EFAULT ? 0 : 1); ]])],
|
|
[ AC_MSG_RESULT([yes]) ], [
|
|
AC_MSG_RESULT([no])
|
|
# Disable seccomp filter as a target
|
|
have_seccomp_filter=0
|
|
]
|
|
)
|
|
fi
|
|
|
|
AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_POLL_H
|
|
#include <poll.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_POLL_H
|
|
#include <sys/poll.h>
|
|
#endif
|
|
]])
|
|
|
|
AC_CHECK_TYPES([nfds_t], , , [
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_POLL_H
|
|
#include <poll.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_POLL_H
|
|
#include <sys/poll.h>
|
|
#endif
|
|
])
|
|
|
|
# Decide which sandbox style to use
|
|
sandbox_arg=""
|
|
AC_ARG_WITH([sandbox],
|
|
[ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
|
|
[
|
|
if test "x$withval" = "xyes" ; then
|
|
sandbox_arg=""
|
|
else
|
|
sandbox_arg="$withval"
|
|
fi
|
|
]
|
|
)
|
|
|
|
if test "x$sandbox_arg" != "xno"; then
|
|
# POSIX specifies that poll() "shall fail with EINVAL if the nfds argument
|
|
# is greater than OPEN_MAX". On some platforms that includes implementions
|
|
# of select in userspace on top of poll() so check both work with rlimit
|
|
# NOFILES so check that both work before enabling the rlimit sandbox.
|
|
AC_MSG_CHECKING([if select and/or poll works with descriptor rlimit])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
#include <sys/resource.h>
|
|
#ifdef HAVE_SYS_SELECT_H
|
|
# include <sys/select.h>
|
|
#endif
|
|
#ifdef HAVE_POLL_H
|
|
# include <poll.h>
|
|
#elif HAVE_SYS_POLL_H
|
|
# include <sys/poll.h>
|
|
#endif
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdlib.h>
|
|
]],[[
|
|
struct rlimit rl_zero;
|
|
int fd, r;
|
|
fd_set fds;
|
|
struct timeval tv;
|
|
#ifdef HAVE_POLL
|
|
struct pollfd pfd;
|
|
#endif
|
|
|
|
fd = open("/dev/null", O_RDONLY);
|
|
FD_ZERO(&fds);
|
|
FD_SET(fd, &fds);
|
|
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
|
|
setrlimit(RLIMIT_FSIZE, &rl_zero);
|
|
setrlimit(RLIMIT_NOFILE, &rl_zero);
|
|
tv.tv_sec = 1;
|
|
tv.tv_usec = 0;
|
|
r = select(fd+1, &fds, NULL, NULL, &tv);
|
|
if (r == -1)
|
|
exit(1);
|
|
#ifdef HAVE_POLL
|
|
pfd.fd = fd;
|
|
pfd.events = POLLIN;
|
|
r = poll(&pfd, 1, 1);
|
|
if (r == -1)
|
|
exit(2);
|
|
#endif
|
|
exit(0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])
|
|
select_works_with_rlimit=yes],
|
|
[AC_MSG_RESULT([no])
|
|
select_works_with_rlimit=no],
|
|
[AC_MSG_WARN([cross compiling: assuming no])
|
|
select_works_with_rlimit=no]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
#include <sys/resource.h>
|
|
#include <errno.h>
|
|
#include <stdlib.h>
|
|
]],[[
|
|
struct rlimit rl_zero;
|
|
int r;
|
|
|
|
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
|
|
r = setrlimit(RLIMIT_NOFILE, &rl_zero);
|
|
exit (r == -1 ? 1 : 0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])
|
|
rlimit_nofile_zero_works=yes],
|
|
[AC_MSG_RESULT([no])
|
|
rlimit_nofile_zero_works=no],
|
|
[AC_MSG_WARN([cross compiling: assuming yes])
|
|
rlimit_nofile_zero_works=yes]
|
|
)
|
|
|
|
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/resource.h>
|
|
#include <stdlib.h>
|
|
]],[[
|
|
struct rlimit rl_zero;
|
|
|
|
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
|
|
exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[AC_MSG_RESULT([no])
|
|
AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
|
|
[setrlimit RLIMIT_FSIZE works])],
|
|
[AC_MSG_WARN([cross compiling: assuming yes])]
|
|
)
|
|
fi
|
|
|
|
if test "x$sandbox_arg" = "xpledge" || \
|
|
( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
|
|
test "x$ac_cv_func_pledge" != "xyes" && \
|
|
AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
|
|
SANDBOX_STYLE="pledge"
|
|
AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
|
|
elif test "x$sandbox_arg" = "xsystrace" || \
|
|
( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
|
|
test "x$have_systr_policy_kill" != "x1" && \
|
|
AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
|
|
SANDBOX_STYLE="systrace"
|
|
AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
|
|
elif test "x$sandbox_arg" = "xdarwin" || \
|
|
( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
|
|
test "x$ac_cv_header_sandbox_h" = "xyes") ; then
|
|
test "x$ac_cv_func_sandbox_init" != "xyes" -o \
|
|
"x$ac_cv_header_sandbox_h" != "xyes" && \
|
|
AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
|
|
SANDBOX_STYLE="darwin"
|
|
AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
|
|
elif test "x$sandbox_arg" = "xseccomp_filter" || \
|
|
( test -z "$sandbox_arg" && \
|
|
test "x$have_seccomp_filter" = "x1" && \
|
|
test "x$ac_cv_header_elf_h" = "xyes" && \
|
|
test "x$ac_cv_header_linux_audit_h" = "xyes" && \
|
|
test "x$ac_cv_header_linux_filter_h" = "xyes" && \
|
|
test "x$seccomp_audit_arch" != "x" && \
|
|
test "x$have_linux_no_new_privs" = "x1" && \
|
|
test "x$ac_cv_func_prctl" = "xyes" ) ; then
|
|
test "x$seccomp_audit_arch" = "x" && \
|
|
AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
|
|
test "x$have_linux_no_new_privs" != "x1" && \
|
|
AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
|
|
test "x$have_seccomp_filter" != "x1" && \
|
|
AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
|
|
test "x$ac_cv_func_prctl" != "xyes" && \
|
|
AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
|
|
SANDBOX_STYLE="seccomp_filter"
|
|
AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
|
|
elif test "x$sandbox_arg" = "xcapsicum" || \
|
|
( test -z "$sandbox_arg" && \
|
|
test "x$disable_capsicum" != "xyes" && \
|
|
test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
|
|
test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
|
|
test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
|
|
AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
|
|
test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
|
|
AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
|
|
SANDBOX_STYLE="capsicum"
|
|
AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
|
|
elif test "x$sandbox_arg" = "xrlimit" || \
|
|
( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
|
|
test "x$select_works_with_rlimit" = "xyes" && \
|
|
test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
|
|
test "x$ac_cv_func_setrlimit" != "xyes" && \
|
|
AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
|
|
test "x$select_works_with_rlimit" != "xyes" && \
|
|
AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
|
|
SANDBOX_STYLE="rlimit"
|
|
AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
|
|
elif test "x$sandbox_arg" = "xsolaris" || \
|
|
( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
|
|
SANDBOX_STYLE="solaris"
|
|
AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
|
|
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
|
|
test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
|
|
SANDBOX_STYLE="none"
|
|
AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
|
|
else
|
|
AC_MSG_ERROR([unsupported --with-sandbox])
|
|
fi
|
|
|
|
# Cheap hack to ensure NEWS-OS libraries are arranged right.
|
|
if test ! -z "$SONY" ; then
|
|
LIBS="$LIBS -liberty";
|
|
fi
|
|
|
|
# Check for long long datatypes
|
|
AC_CHECK_TYPES([long long, unsigned long long, long double])
|
|
|
|
# Check datatype sizes
|
|
AC_CHECK_SIZEOF([short int])
|
|
AC_CHECK_SIZEOF([int])
|
|
AC_CHECK_SIZEOF([long int])
|
|
AC_CHECK_SIZEOF([long long int])
|
|
AC_CHECK_SIZEOF([time_t], [], [[
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
#ifdef HAVE_TIME_H
|
|
# include <time.h>
|
|
#endif
|
|
]]
|
|
)
|
|
|
|
# Sanity check long long for some platforms (AIX)
|
|
if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
|
|
ac_cv_sizeof_long_long_int=0
|
|
fi
|
|
|
|
# compute LLONG_MIN and LLONG_MAX if we don't know them.
|
|
if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
|
|
AC_MSG_CHECKING([for max value of long long])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
/* Why is this so damn hard? */
|
|
#ifdef __GNUC__
|
|
# undef __GNUC__
|
|
#endif
|
|
#define __USE_ISOC99
|
|
#include <limits.h>
|
|
#define DATA "conftest.llminmax"
|
|
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
|
|
|
|
/*
|
|
* printf in libc on some platforms (eg old Tru64) does not understand %lld so
|
|
* we do this the hard way.
|
|
*/
|
|
static int
|
|
fprint_ll(FILE *f, long long n)
|
|
{
|
|
unsigned int i;
|
|
int l[sizeof(long long) * 8];
|
|
|
|
if (n < 0)
|
|
if (fprintf(f, "-") < 0)
|
|
return -1;
|
|
for (i = 0; n != 0; i++) {
|
|
l[i] = my_abs(n % 10);
|
|
n /= 10;
|
|
}
|
|
do {
|
|
if (fprintf(f, "%d", l[--i]) < 0)
|
|
return -1;
|
|
} while (i != 0);
|
|
if (fprintf(f, " ") < 0)
|
|
return -1;
|
|
return 0;
|
|
}
|
|
]], [[
|
|
FILE *f;
|
|
long long i, llmin, llmax = 0;
|
|
|
|
if((f = fopen(DATA,"w")) == NULL)
|
|
exit(1);
|
|
|
|
#if defined(LLONG_MIN) && defined(LLONG_MAX)
|
|
fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
|
|
llmin = LLONG_MIN;
|
|
llmax = LLONG_MAX;
|
|
#else
|
|
fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
|
|
/* This will work on one's complement and two's complement */
|
|
for (i = 1; i > llmax; i <<= 1, i++)
|
|
llmax = i;
|
|
llmin = llmax + 1LL; /* wrap */
|
|
#endif
|
|
|
|
/* Sanity check */
|
|
if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
|
|
|| llmax - 1 > llmax || llmin == llmax || llmin == 0
|
|
|| llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
|
|
fprintf(f, "unknown unknown\n");
|
|
exit(2);
|
|
}
|
|
|
|
if (fprint_ll(f, llmin) < 0)
|
|
exit(3);
|
|
if (fprint_ll(f, llmax) < 0)
|
|
exit(4);
|
|
if (fclose(f) < 0)
|
|
exit(5);
|
|
exit(0);
|
|
]])],
|
|
[
|
|
llong_min=`$AWK '{print $1}' conftest.llminmax`
|
|
llong_max=`$AWK '{print $2}' conftest.llminmax`
|
|
|
|
AC_MSG_RESULT([$llong_max])
|
|
AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
|
|
[max value of long long calculated by configure])
|
|
AC_MSG_CHECKING([for min value of long long])
|
|
AC_MSG_RESULT([$llong_min])
|
|
AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
|
|
[min value of long long calculated by configure])
|
|
],
|
|
[
|
|
AC_MSG_RESULT([not found])
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: not checking])
|
|
]
|
|
)
|
|
fi
|
|
|
|
AC_CHECK_DECLS([UINT32_MAX], , , [[
|
|
#ifdef HAVE_SYS_LIMITS_H
|
|
# include <sys/limits.h>
|
|
#endif
|
|
#ifdef HAVE_LIMITS_H
|
|
# include <limits.h>
|
|
#endif
|
|
#ifdef HAVE_STDINT_H
|
|
# include <stdint.h>
|
|
#endif
|
|
]])
|
|
|
|
# More checks for data types
|
|
AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ u_int a; a = 1;]])],
|
|
[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_u_int" = "xyes" ; then
|
|
AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
|
|
have_u_int=1
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
|
|
[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_intxx_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
|
|
have_intxx_t=1
|
|
fi
|
|
|
|
if (test -z "$have_intxx_t" && \
|
|
test "x$ac_cv_header_stdint_h" = "xyes")
|
|
then
|
|
AC_MSG_CHECKING([for intXX_t types in stdint.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
|
|
[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
|
|
[
|
|
AC_DEFINE([HAVE_INTXX_T])
|
|
AC_MSG_RESULT([yes])
|
|
], [ AC_MSG_RESULT([no])
|
|
])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_STDINT_H
|
|
# include <stdint.h>
|
|
#endif
|
|
#include <sys/socket.h>
|
|
#ifdef HAVE_SYS_BITYPES_H
|
|
# include <sys/bitypes.h>
|
|
#endif
|
|
]], [[
|
|
int64_t a; a = 1;
|
|
]])],
|
|
[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_int64_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
|
|
[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
|
|
have_u_intxx_t=1
|
|
fi
|
|
|
|
if test -z "$have_u_intxx_t" ; then
|
|
AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
|
|
[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
|
|
[
|
|
AC_DEFINE([HAVE_U_INTXX_T])
|
|
AC_MSG_RESULT([yes])
|
|
], [ AC_MSG_RESULT([no])
|
|
])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ u_int64_t a; a = 1;]])],
|
|
[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
|
|
have_u_int64_t=1
|
|
fi
|
|
|
|
if (test -z "$have_u_int64_t" && \
|
|
test "x$ac_cv_header_sys_bitypes_h" = "xyes")
|
|
then
|
|
AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
|
|
[[ u_int64_t a; a = 1]])],
|
|
[
|
|
AC_DEFINE([HAVE_U_INT64_T])
|
|
AC_MSG_RESULT([yes])
|
|
], [ AC_MSG_RESULT([no])
|
|
])
|
|
fi
|
|
|
|
if test -z "$have_u_intxx_t" ; then
|
|
AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
]], [[
|
|
uint8_t a;
|
|
uint16_t b;
|
|
uint32_t c;
|
|
a = b = c = 1;
|
|
]])],
|
|
[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_UINTXX_T], [1],
|
|
[define if you have uintxx_t data type])
|
|
fi
|
|
fi
|
|
|
|
if (test -z "$have_uintxx_t" && \
|
|
test "x$ac_cv_header_stdint_h" = "xyes")
|
|
then
|
|
AC_MSG_CHECKING([for uintXX_t types in stdint.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
|
|
[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
|
|
[
|
|
AC_DEFINE([HAVE_UINTXX_T])
|
|
AC_MSG_RESULT([yes])
|
|
], [ AC_MSG_RESULT([no])
|
|
])
|
|
fi
|
|
|
|
if (test -z "$have_uintxx_t" && \
|
|
test "x$ac_cv_header_inttypes_h" = "xyes")
|
|
then
|
|
AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
|
|
[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
|
|
[
|
|
AC_DEFINE([HAVE_UINTXX_T])
|
|
AC_MSG_RESULT([yes])
|
|
], [ AC_MSG_RESULT([no])
|
|
])
|
|
fi
|
|
|
|
if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
|
|
test "x$ac_cv_header_sys_bitypes_h" = "xyes")
|
|
then
|
|
AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/bitypes.h>
|
|
]], [[
|
|
int8_t a; int16_t b; int32_t c;
|
|
u_int8_t e; u_int16_t f; u_int32_t g;
|
|
a = b = c = e = f = g = 1;
|
|
]])],
|
|
[
|
|
AC_DEFINE([HAVE_U_INTXX_T])
|
|
AC_DEFINE([HAVE_INTXX_T])
|
|
AC_MSG_RESULT([yes])
|
|
], [AC_MSG_RESULT([no])
|
|
])
|
|
fi
|
|
|
|
|
|
AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ u_char foo; foo = 125; ]])],
|
|
[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_u_char" = "xyes" ; then
|
|
AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
|
|
fi
|
|
|
|
AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_STDINT_H
|
|
# include <stdint.h>
|
|
#endif
|
|
])
|
|
|
|
TYPE_SOCKLEN_T
|
|
|
|
AC_CHECK_TYPES([sig_atomic_t, sighandler_t], , , [#include <signal.h>])
|
|
AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_BITYPES_H
|
|
#include <sys/bitypes.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_STATFS_H
|
|
#include <sys/statfs.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_STATVFS_H
|
|
#include <sys/statvfs.h>
|
|
#endif
|
|
])
|
|
|
|
AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
|
|
#include <sys/param.h>
|
|
#include <sys/types.h>
|
|
#ifdef HAVE_SYS_BITYPES_H
|
|
#include <sys/bitypes.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_STATFS_H
|
|
#include <sys/statfs.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_STATVFS_H
|
|
#include <sys/statvfs.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_VFS_H
|
|
#include <sys/vfs.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_MOUNT_H
|
|
#include <sys/mount.h>
|
|
#endif
|
|
]])
|
|
|
|
|
|
AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
|
|
[#include <sys/types.h>
|
|
#include <netinet/in.h>])
|
|
|
|
AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ size_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_size_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ ssize_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_ssize_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
|
|
[[ clock_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_clock_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
]], [[ sa_family_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_sa_family_t="yes" ],
|
|
[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
]], [[ sa_family_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_sa_family_t="yes" ],
|
|
[ ac_cv_have_sa_family_t="no" ]
|
|
)
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_SA_FAMILY_T], [1],
|
|
[define if you have sa_family_t data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ pid_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_pid_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
|
|
[[ mode_t foo; foo = 1235; ]])],
|
|
[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_mode_t" = "xyes" ; then
|
|
AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
|
|
fi
|
|
|
|
|
|
AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
]], [[ struct sockaddr_storage s; ]])],
|
|
[ ac_cv_have_struct_sockaddr_storage="yes" ],
|
|
[ ac_cv_have_struct_sockaddr_storage="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
|
|
AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
|
|
[define if you have struct sockaddr_storage data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
|
|
[ ac_cv_have_struct_sockaddr_in6="yes" ],
|
|
[ ac_cv_have_struct_sockaddr_in6="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
|
|
AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
|
|
[define if you have struct sockaddr_in6 data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
|
|
[ ac_cv_have_struct_in6_addr="yes" ],
|
|
[ ac_cv_have_struct_in6_addr="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
|
|
AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
|
|
[define if you have struct in6_addr data type])
|
|
|
|
dnl Now check for sin6_scope_id
|
|
AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
|
|
[
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
#include <sys/types.h>
|
|
#endif
|
|
#include <netinet/in.h>
|
|
])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netdb.h>
|
|
]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
|
|
[ ac_cv_have_struct_addrinfo="yes" ],
|
|
[ ac_cv_have_struct_addrinfo="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
|
|
AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
|
|
[define if you have struct addrinfo data type])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
|
|
[[ struct timeval tv; tv.tv_sec = 1;]])],
|
|
[ ac_cv_have_struct_timeval="yes" ],
|
|
[ ac_cv_have_struct_timeval="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
|
|
AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
|
|
have_struct_timeval=1
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
#ifdef HAVE_TIME_H
|
|
# include <time.h>
|
|
#endif
|
|
]],
|
|
[[ struct timespec ts; ts.tv_sec = 1;]])],
|
|
[ ac_cv_have_struct_timespec="yes" ],
|
|
[ ac_cv_have_struct_timespec="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
|
|
AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
|
|
have_struct_timespec=1
|
|
fi
|
|
|
|
# We need int64_t or else certain parts of the compile will fail.
|
|
if test "x$ac_cv_have_int64_t" = "xno" && \
|
|
test "x$ac_cv_sizeof_long_int" != "x8" && \
|
|
test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
|
|
echo "OpenSSH requires int64_t support. Contact your vendor or install"
|
|
echo "an alternative compiler (I.E., GCC) before continuing."
|
|
echo ""
|
|
exit 1;
|
|
else
|
|
dnl test snprintf (broken on SCO w/gcc)
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#ifdef HAVE_SNPRINTF
|
|
int main(void)
|
|
{
|
|
char buf[50];
|
|
char expected_out[50];
|
|
int mazsize = 50 ;
|
|
#if (SIZEOF_LONG_INT == 8)
|
|
long int num = 0x7fffffffffffffff;
|
|
#else
|
|
long long num = 0x7fffffffffffffffll;
|
|
#endif
|
|
strcpy(expected_out, "9223372036854775807");
|
|
snprintf(buf, mazsize, "%lld", num);
|
|
if(strcmp(buf, expected_out) != 0)
|
|
exit(1);
|
|
exit(0);
|
|
}
|
|
#else
|
|
int main(void) { exit(0); }
|
|
#endif
|
|
]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
|
|
AC_MSG_WARN([cross compiling: Assuming working snprintf()])
|
|
)
|
|
fi
|
|
|
|
dnl Checks for structure members
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
|
|
OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
|
|
|
|
AC_CHECK_MEMBERS([struct stat.st_blksize])
|
|
AC_CHECK_MEMBERS([struct stat.st_mtim])
|
|
AC_CHECK_MEMBERS([struct stat.st_mtime])
|
|
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
|
|
struct passwd.pw_change, struct passwd.pw_expire],
|
|
[], [], [[
|
|
#include <sys/types.h>
|
|
#include <pwd.h>
|
|
]])
|
|
|
|
AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
|
|
[Define if we don't have struct __res_state in resolv.h])],
|
|
[[
|
|
#include <stdio.h>
|
|
#if HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
#include <netinet/in.h>
|
|
#include <arpa/nameser.h>
|
|
#include <resolv.h>
|
|
]])
|
|
|
|
AC_CHECK_MEMBER([struct sockaddr_in.sin_len],
|
|
[AC_DEFINE([SOCK_HAS_LEN], [1], [sockaddr_in has sin_len])],
|
|
[],
|
|
[AC_LANG_SOURCE([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
]])]
|
|
)
|
|
|
|
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
|
|
ac_cv_have_ss_family_in_struct_ss, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
|
|
[ ac_cv_have_ss_family_in_struct_ss="yes" ],
|
|
[ ac_cv_have_ss_family_in_struct_ss="no" ])
|
|
])
|
|
if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
|
|
AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
|
|
ac_cv_have___ss_family_in_struct_ss, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
|
|
[ ac_cv_have___ss_family_in_struct_ss="yes" ],
|
|
[ ac_cv_have___ss_family_in_struct_ss="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
|
|
AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
|
|
[Fields in struct sockaddr_storage])
|
|
fi
|
|
|
|
dnl make sure we're using the real structure members and not defines
|
|
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
|
|
ac_cv_have_accrights_in_msghdr, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/uio.h>
|
|
#include <stdlib.h>
|
|
]], [[
|
|
#ifdef msg_accrights
|
|
#error "msg_accrights is a macro"
|
|
exit(1);
|
|
#endif
|
|
struct msghdr m;
|
|
m.msg_accrights = 0;
|
|
exit(0);
|
|
]])],
|
|
[ ac_cv_have_accrights_in_msghdr="yes" ],
|
|
[ ac_cv_have_accrights_in_msghdr="no" ]
|
|
)
|
|
])
|
|
if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
|
|
AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
|
|
[Define if your system uses access rights style
|
|
file descriptor passing])
|
|
fi
|
|
|
|
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/param.h>
|
|
#include <sys/stat.h>
|
|
#ifdef HAVE_SYS_TIME_H
|
|
# include <sys/time.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_MOUNT_H
|
|
#include <sys/mount.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_STATVFS_H
|
|
#include <sys/statvfs.h>
|
|
#endif
|
|
]], [[ struct statvfs s; s.f_fsid = 0; ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
|
|
AC_MSG_CHECKING([if fsid_t has member val])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/statvfs.h>
|
|
]], [[ fsid_t t; t.val[0] = 0; ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
|
|
[ AC_MSG_RESULT([no]) ])
|
|
|
|
AC_MSG_CHECKING([if f_fsid has member __val])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/statvfs.h>
|
|
]], [[ fsid_t t; t.__val[0] = 0; ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
|
|
[ AC_MSG_RESULT([no]) ])
|
|
])
|
|
|
|
AC_CACHE_CHECK([for msg_control field in struct msghdr],
|
|
ac_cv_have_control_in_msghdr, [
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/uio.h>
|
|
#include <stdlib.h>
|
|
]], [[
|
|
#ifdef msg_control
|
|
#error "msg_control is a macro"
|
|
exit(1);
|
|
#endif
|
|
struct msghdr m;
|
|
m.msg_control = 0;
|
|
exit(0);
|
|
]])],
|
|
[ ac_cv_have_control_in_msghdr="yes" ],
|
|
[ ac_cv_have_control_in_msghdr="no" ]
|
|
)
|
|
])
|
|
if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
|
|
AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
|
|
[Define if your system uses ancillary data style
|
|
file descriptor passing])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
|
|
[[ extern char *__progname; printf("%s", __progname); ]])],
|
|
[ ac_cv_libc_defines___progname="yes" ],
|
|
[ ac_cv_libc_defines___progname="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
|
|
AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
|
|
[[ printf("%s", __FUNCTION__); ]])],
|
|
[ ac_cv_cc_implements___FUNCTION__="yes" ],
|
|
[ ac_cv_cc_implements___FUNCTION__="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
|
|
AC_DEFINE([HAVE___FUNCTION__], [1],
|
|
[Define if compiler implements __FUNCTION__])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
|
|
[[ printf("%s", __func__); ]])],
|
|
[ ac_cv_cc_implements___func__="yes" ],
|
|
[ ac_cv_cc_implements___func__="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
|
|
AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <stdarg.h>
|
|
va_list x,y;
|
|
]], [[ va_copy(x,y); ]])],
|
|
[ ac_cv_have_va_copy="yes" ],
|
|
[ ac_cv_have_va_copy="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_va_copy" = "xyes" ; then
|
|
AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <stdarg.h>
|
|
va_list x,y;
|
|
]], [[ __va_copy(x,y); ]])],
|
|
[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have___va_copy" = "xyes" ; then
|
|
AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([whether getopt has optreset support],
|
|
ac_cv_have_getopt_optreset, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
|
|
[[ extern int optreset; optreset = 0; ]])],
|
|
[ ac_cv_have_getopt_optreset="yes" ],
|
|
[ ac_cv_have_getopt_optreset="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
|
|
AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
|
|
[Define if your getopt(3) defines and uses optreset])
|
|
fi
|
|
|
|
AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
|
|
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
|
|
[ ac_cv_libc_defines_sys_errlist="yes" ],
|
|
[ ac_cv_libc_defines_sys_errlist="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
|
|
AC_DEFINE([HAVE_SYS_ERRLIST], [1],
|
|
[Define if your system defines sys_errlist[]])
|
|
fi
|
|
|
|
|
|
AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
|
|
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
|
|
[ ac_cv_libc_defines_sys_nerr="yes" ],
|
|
[ ac_cv_libc_defines_sys_nerr="no"
|
|
])
|
|
])
|
|
if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
|
|
AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
|
|
fi
|
|
|
|
# Check libraries needed by DNS fingerprint support
|
|
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
|
|
[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
|
|
[Define if getrrsetbyname() exists])],
|
|
[
|
|
# Needed by our getrrsetbyname()
|
|
AC_SEARCH_LIBS([res_query], [resolv])
|
|
AC_SEARCH_LIBS([dn_expand], [resolv])
|
|
AC_MSG_CHECKING([if res_query will link])
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/nameser.h>
|
|
#include <netdb.h>
|
|
#include <resolv.h>
|
|
]], [[
|
|
res_query (0, 0, 0, 0, 0);
|
|
]])],
|
|
AC_MSG_RESULT([yes]),
|
|
[AC_MSG_RESULT([no])
|
|
saved_LIBS="$LIBS"
|
|
LIBS="$LIBS -lresolv"
|
|
AC_MSG_CHECKING([for res_query in -lresolv])
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/nameser.h>
|
|
#include <netdb.h>
|
|
#include <resolv.h>
|
|
]], [[
|
|
res_query (0, 0, 0, 0, 0);
|
|
]])],
|
|
[AC_MSG_RESULT([yes])],
|
|
[LIBS="$saved_LIBS"
|
|
AC_MSG_RESULT([no])])
|
|
])
|
|
AC_CHECK_FUNCS([_getshort _getlong])
|
|
AC_CHECK_DECLS([_getshort, _getlong], , ,
|
|
[#include <sys/types.h>
|
|
#include <arpa/nameser.h>])
|
|
AC_CHECK_MEMBER([HEADER.ad],
|
|
[AC_DEFINE([HAVE_HEADER_AD], [1],
|
|
[Define if HEADER.ad exists in arpa/nameser.h])], ,
|
|
[#include <arpa/nameser.h>])
|
|
])
|
|
|
|
AC_MSG_CHECKING([if struct __res_state _res is an extern])
|
|
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#if HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
#include <netinet/in.h>
|
|
#include <arpa/nameser.h>
|
|
#include <resolv.h>
|
|
extern struct __res_state _res;
|
|
]], [[
|
|
struct __res_state *volatile p = &_res; /* force resolution of _res */
|
|
return 0;
|
|
]],)],
|
|
[AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HAVE__RES_EXTERN], [1],
|
|
[Define if you have struct __res_state _res as an extern])
|
|
],
|
|
[ AC_MSG_RESULT([no]) ]
|
|
)
|
|
|
|
# Check whether user wants SELinux support
|
|
SELINUX_MSG="no"
|
|
LIBSELINUX=""
|
|
AC_ARG_WITH([selinux],
|
|
[ --with-selinux Enable SELinux support],
|
|
[ if test "x$withval" != "xno" ; then
|
|
save_LIBS="$LIBS"
|
|
AC_DEFINE([WITH_SELINUX], [1],
|
|
[Define if you want SELinux support.])
|
|
SELINUX_MSG="yes"
|
|
AC_CHECK_HEADER([selinux/selinux.h], ,
|
|
AC_MSG_ERROR([SELinux support requires selinux.h header]))
|
|
AC_CHECK_LIB([selinux], [setexeccon],
|
|
[ LIBSELINUX="-lselinux"
|
|
LIBS="$LIBS -lselinux"
|
|
],
|
|
AC_MSG_ERROR([SELinux support requires libselinux library]))
|
|
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
|
|
LIBS="$save_LIBS $LIBSELINUX"
|
|
fi ]
|
|
)
|
|
AC_SUBST([SSHDLIBS])
|
|
|
|
# Check whether user wants Kerberos 5 support
|
|
KRB5_MSG="no"
|
|
AC_ARG_WITH([kerberos5],
|
|
[ --with-kerberos5=PATH Enable Kerberos 5 support],
|
|
[ if test "x$withval" != "xno" ; then
|
|
if test "x$withval" = "xyes" ; then
|
|
KRB5ROOT="/usr/local"
|
|
else
|
|
KRB5ROOT=${withval}
|
|
fi
|
|
|
|
AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
|
|
KRB5_MSG="yes"
|
|
|
|
use_pkgconfig_for_krb5=
|
|
if test "x$PKGCONFIG" != "xno"; then
|
|
AC_MSG_CHECKING([if $PKGCONFIG knows about kerberos5])
|
|
if "$PKGCONFIG" krb5; then
|
|
AC_MSG_RESULT([yes])
|
|
use_pkgconfig_for_krb5=yes
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
fi
|
|
if test "x$use_pkgconfig_for_krb5" = "xyes"; then
|
|
K5CFLAGS=`$PKGCONFIG --cflags krb5`
|
|
K5LIBS=`$PKGCONFIG --libs krb5`
|
|
CPPFLAGS="$CPPFLAGS $K5CFLAGS"
|
|
|
|
AC_MSG_CHECKING([for gssapi support])
|
|
if "$PKGCONFIG" krb5-gssapi; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([GSSAPI], [1],
|
|
[Define this if you want GSSAPI
|
|
support in the version 2 protocol])
|
|
GSSCFLAGS="`$PKGCONFIG --cflags krb5-gssapi`"
|
|
GSSLIBS="`$PKGCONFIG --libs krb5-gssapi`"
|
|
CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
AC_MSG_CHECKING([whether we are using Heimdal])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
|
|
]], [[ char *tmp = heimdal_version; ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HEIMDAL], [1],
|
|
[Define this if you are using the Heimdal
|
|
version of Kerberos V5]) ],
|
|
[AC_MSG_RESULT([no])
|
|
])
|
|
else
|
|
AC_PATH_TOOL([KRB5CONF], [krb5-config],
|
|
[$KRB5ROOT/bin/krb5-config],
|
|
[$KRB5ROOT/bin:$PATH])
|
|
if test -x $KRB5CONF ; then
|
|
K5CFLAGS="`$KRB5CONF --cflags`"
|
|
K5LIBS="`$KRB5CONF --libs`"
|
|
CPPFLAGS="$CPPFLAGS $K5CFLAGS"
|
|
|
|
AC_MSG_CHECKING([for gssapi support])
|
|
if $KRB5CONF | grep gssapi >/dev/null ; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([GSSAPI], [1],
|
|
[Define this if you want GSSAPI
|
|
support in the version 2 protocol])
|
|
GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
|
|
GSSLIBS="`$KRB5CONF --libs gssapi`"
|
|
CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
AC_MSG_CHECKING([whether we are using Heimdal])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
|
|
]], [[ char *tmp = heimdal_version; ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HEIMDAL], [1],
|
|
[Define this if you are using the Heimdal
|
|
version of Kerberos V5]) ],
|
|
[AC_MSG_RESULT([no])
|
|
])
|
|
else
|
|
CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
|
|
LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
|
|
AC_MSG_CHECKING([whether we are using Heimdal])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
|
|
]], [[ char *tmp = heimdal_version; ]])],
|
|
[ AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HEIMDAL])
|
|
K5LIBS="-lkrb5"
|
|
K5LIBS="$K5LIBS -lcom_err -lasn1"
|
|
AC_CHECK_LIB([roken], [net_write],
|
|
[K5LIBS="$K5LIBS -lroken"])
|
|
AC_CHECK_LIB([des], [des_cbc_encrypt],
|
|
[K5LIBS="$K5LIBS -ldes"])
|
|
], [ AC_MSG_RESULT([no])
|
|
K5LIBS="-lkrb5 -lk5crypto -lcom_err"
|
|
])
|
|
AC_SEARCH_LIBS([dn_expand], [resolv])
|
|
|
|
AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
|
|
[ AC_DEFINE([GSSAPI])
|
|
GSSLIBS="-lgssapi_krb5" ],
|
|
[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
|
|
[ AC_DEFINE([GSSAPI])
|
|
GSSLIBS="-lgssapi" ],
|
|
[ AC_CHECK_LIB([gss], [gss_init_sec_context],
|
|
[ AC_DEFINE([GSSAPI])
|
|
GSSLIBS="-lgss" ],
|
|
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
|
|
])
|
|
])
|
|
|
|
AC_CHECK_HEADER([gssapi.h], ,
|
|
[ unset ac_cv_header_gssapi_h
|
|
CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
|
|
AC_CHECK_HEADERS([gssapi.h], ,
|
|
AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
|
|
)
|
|
]
|
|
)
|
|
|
|
oldCPP="$CPPFLAGS"
|
|
CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
|
|
AC_CHECK_HEADER([gssapi_krb5.h], ,
|
|
[ CPPFLAGS="$oldCPP" ])
|
|
|
|
fi
|
|
fi
|
|
if test -n "${rpath_opt}" ; then
|
|
LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
|
|
fi
|
|
if test ! -z "$blibpath" ; then
|
|
blibpath="$blibpath:${KRB5ROOT}/lib"
|
|
fi
|
|
|
|
AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
|
|
AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
|
|
AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
|
|
|
|
AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
|
|
[Define this if you want to use libkafs' AFS support])])
|
|
|
|
AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
|
|
#ifdef HAVE_GSSAPI_H
|
|
# include <gssapi.h>
|
|
#elif defined(HAVE_GSSAPI_GSSAPI_H)
|
|
# include <gssapi/gssapi.h>
|
|
#endif
|
|
|
|
#ifdef HAVE_GSSAPI_GENERIC_H
|
|
# include <gssapi_generic.h>
|
|
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
|
|
# include <gssapi/gssapi_generic.h>
|
|
#endif
|
|
]])
|
|
saved_LIBS="$LIBS"
|
|
LIBS="$LIBS $K5LIBS"
|
|
AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
|
|
LIBS="$saved_LIBS"
|
|
|
|
fi
|
|
]
|
|
)
|
|
AC_SUBST([GSSLIBS])
|
|
AC_SUBST([K5LIBS])
|
|
AC_SUBST([CHANNELLIBS])
|
|
|
|
# Looking for programs, paths and files
|
|
|
|
PRIVSEP_PATH=/var/empty
|
|
AC_ARG_WITH([privsep-path],
|
|
[ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
PRIVSEP_PATH=$withval
|
|
fi
|
|
]
|
|
)
|
|
AC_SUBST([PRIVSEP_PATH])
|
|
|
|
AC_ARG_WITH([xauth],
|
|
[ --with-xauth=PATH Specify path to xauth program ],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
xauth_path=$withval
|
|
fi
|
|
],
|
|
[
|
|
TestPath="$PATH"
|
|
TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
|
|
TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
|
|
TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
|
|
TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
|
|
AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
|
|
if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
|
|
xauth_path="/usr/openwin/bin/xauth"
|
|
fi
|
|
]
|
|
)
|
|
|
|
STRIP_OPT=-s
|
|
AC_ARG_ENABLE([strip],
|
|
[ --disable-strip Disable calling strip(1) on install],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
STRIP_OPT=
|
|
fi
|
|
]
|
|
)
|
|
AC_SUBST([STRIP_OPT])
|
|
|
|
if test -z "$xauth_path" ; then
|
|
XAUTH_PATH="undefined"
|
|
AC_SUBST([XAUTH_PATH])
|
|
else
|
|
AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
|
|
[Define if xauth is found in your path])
|
|
XAUTH_PATH=$xauth_path
|
|
AC_SUBST([XAUTH_PATH])
|
|
fi
|
|
|
|
dnl # --with-maildir=/path/to/mail gets top priority.
|
|
dnl # if maildir is set in the platform case statement above we use that.
|
|
dnl # Otherwise we run a program to get the dir from system headers.
|
|
dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
|
|
dnl # If we find _PATH_MAILDIR we do nothing because that is what
|
|
dnl # session.c expects anyway. Otherwise we set to the value found
|
|
dnl # stripping any trailing slash. If for some strage reason our program
|
|
dnl # does not find what it needs, we default to /var/spool/mail.
|
|
# Check for mail directory
|
|
AC_ARG_WITH([maildir],
|
|
[ --with-maildir=/path/to/mail Specify your system mail directory],
|
|
[
|
|
if test "X$withval" != X && test "x$withval" != xno && \
|
|
test "x${withval}" != xyes; then
|
|
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
|
|
[Set this to your mail directory if you do not have _PATH_MAILDIR])
|
|
fi
|
|
],[
|
|
if test "X$maildir" != "X"; then
|
|
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
|
|
else
|
|
AC_MSG_CHECKING([Discovering system mail directory])
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#ifdef HAVE_PATHS_H
|
|
#include <paths.h>
|
|
#endif
|
|
#ifdef HAVE_MAILLOCK_H
|
|
#include <maillock.h>
|
|
#endif
|
|
#define DATA "conftest.maildir"
|
|
]], [[
|
|
FILE *fd;
|
|
int rc;
|
|
|
|
fd = fopen(DATA,"w");
|
|
if(fd == NULL)
|
|
exit(1);
|
|
|
|
#if defined (_PATH_MAILDIR)
|
|
if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
|
|
exit(1);
|
|
#elif defined (MAILDIR)
|
|
if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
|
|
exit(1);
|
|
#elif defined (_PATH_MAIL)
|
|
if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
|
|
exit(1);
|
|
#else
|
|
exit (2);
|
|
#endif
|
|
|
|
exit(0);
|
|
]])],
|
|
[
|
|
maildir_what=`awk -F: '{print $1}' conftest.maildir`
|
|
maildir=`awk -F: '{print $2}' conftest.maildir \
|
|
| sed 's|/$||'`
|
|
AC_MSG_RESULT([Using: $maildir from $maildir_what])
|
|
if test "x$maildir_what" != "x_PATH_MAILDIR"; then
|
|
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
|
|
fi
|
|
],
|
|
[
|
|
if test "X$ac_status" = "X2";then
|
|
# our test program didn't find it. Default to /var/spool/mail
|
|
AC_MSG_RESULT([Using: default value of /var/spool/mail])
|
|
AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
|
|
else
|
|
AC_MSG_RESULT([*** not found ***])
|
|
fi
|
|
],
|
|
[
|
|
AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
|
|
]
|
|
)
|
|
fi
|
|
]
|
|
) # maildir
|
|
|
|
if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
|
|
AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
|
|
disable_ptmx_check=yes
|
|
fi
|
|
if test -z "$no_dev_ptmx" ; then
|
|
if test "x$disable_ptmx_check" != "xyes" ; then
|
|
AC_CHECK_FILE(["/dev/ptmx"],
|
|
[
|
|
AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
|
|
[Define if you have /dev/ptmx])
|
|
have_dev_ptmx=1
|
|
]
|
|
)
|
|
fi
|
|
fi
|
|
|
|
if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
|
|
AC_CHECK_FILE(["/dev/ptc"],
|
|
[
|
|
AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
|
|
[Define if you have /dev/ptc])
|
|
have_dev_ptc=1
|
|
]
|
|
)
|
|
else
|
|
AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
|
|
fi
|
|
|
|
# Options from here on. Some of these are preset by platform above
|
|
AC_ARG_WITH([mantype],
|
|
[ --with-mantype=man|cat|doc Set man page type],
|
|
[
|
|
case "$withval" in
|
|
man|cat|doc)
|
|
MANTYPE=$withval
|
|
;;
|
|
*)
|
|
AC_MSG_ERROR([invalid man type: $withval])
|
|
;;
|
|
esac
|
|
]
|
|
)
|
|
if test -z "$MANTYPE"; then
|
|
if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
|
|
MANTYPE=doc
|
|
elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
|
|
MANTYPE=doc
|
|
elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
|
|
MANTYPE=man
|
|
else
|
|
MANTYPE=cat
|
|
fi
|
|
fi
|
|
AC_SUBST([MANTYPE])
|
|
if test "$MANTYPE" = "doc"; then
|
|
mansubdir=man;
|
|
else
|
|
mansubdir=$MANTYPE;
|
|
fi
|
|
AC_SUBST([mansubdir])
|
|
|
|
# Whether to disable shadow password support
|
|
AC_ARG_WITH([shadow],
|
|
[ --without-shadow Disable shadow password support],
|
|
[
|
|
if test "x$withval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_SHADOW])
|
|
disable_shadow=yes
|
|
fi
|
|
]
|
|
)
|
|
|
|
if test -z "$disable_shadow" ; then
|
|
AC_MSG_CHECKING([if the systems has expire shadow information])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <shadow.h>
|
|
struct spwd sp;
|
|
]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
|
|
[ sp_expire_available=yes ], [
|
|
])
|
|
|
|
if test "x$sp_expire_available" = "xyes" ; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
|
|
[Define if you want to use shadow password expire field])
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
fi
|
|
|
|
# Use ip address instead of hostname in $DISPLAY
|
|
if test ! -z "$IPADDR_IN_DISPLAY" ; then
|
|
DISPLAY_HACK_MSG="yes"
|
|
AC_DEFINE([IPADDR_IN_DISPLAY], [1],
|
|
[Define if you need to use IP address
|
|
instead of hostname in $DISPLAY])
|
|
else
|
|
DISPLAY_HACK_MSG="no"
|
|
AC_ARG_WITH([ipaddr-display],
|
|
[ --with-ipaddr-display Use ip address instead of hostname in $DISPLAY],
|
|
[
|
|
if test "x$withval" != "xno" ; then
|
|
AC_DEFINE([IPADDR_IN_DISPLAY])
|
|
DISPLAY_HACK_MSG="yes"
|
|
fi
|
|
]
|
|
)
|
|
fi
|
|
|
|
# check for /etc/default/login and use it if present.
|
|
AC_ARG_ENABLE([etc-default-login],
|
|
[ --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
|
|
[ if test "x$enableval" = "xno"; then
|
|
AC_MSG_NOTICE([/etc/default/login handling disabled])
|
|
etc_default_login=no
|
|
else
|
|
etc_default_login=yes
|
|
fi ],
|
|
[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
|
|
then
|
|
AC_MSG_WARN([cross compiling: not checking /etc/default/login])
|
|
etc_default_login=no
|
|
else
|
|
etc_default_login=yes
|
|
fi ]
|
|
)
|
|
|
|
if test "x$etc_default_login" != "xno"; then
|
|
AC_CHECK_FILE(["/etc/default/login"],
|
|
[ external_path_file=/etc/default/login ])
|
|
if test "x$external_path_file" = "x/etc/default/login"; then
|
|
AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
|
|
[Define if your system has /etc/default/login])
|
|
fi
|
|
fi
|
|
|
|
dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
|
|
if test $ac_cv_func_login_getcapbool = "yes" && \
|
|
test $ac_cv_header_login_cap_h = "yes" ; then
|
|
external_path_file=/etc/login.conf
|
|
fi
|
|
|
|
# Whether to mess with the default path
|
|
SERVER_PATH_MSG="(default)"
|
|
AC_ARG_WITH([default-path],
|
|
[ --with-default-path= Specify default $PATH environment for server],
|
|
[
|
|
if test "x$external_path_file" = "x/etc/login.conf" ; then
|
|
AC_MSG_WARN([
|
|
--with-default-path=PATH has no effect on this system.
|
|
Edit /etc/login.conf instead.])
|
|
elif test "x$withval" != "xno" ; then
|
|
if test ! -z "$external_path_file" ; then
|
|
AC_MSG_WARN([
|
|
--with-default-path=PATH will only be used if PATH is not defined in
|
|
$external_path_file .])
|
|
fi
|
|
user_path="$withval"
|
|
SERVER_PATH_MSG="$withval"
|
|
fi
|
|
],
|
|
[ if test "x$external_path_file" = "x/etc/login.conf" ; then
|
|
AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
|
|
else
|
|
if test ! -z "$external_path_file" ; then
|
|
AC_MSG_WARN([
|
|
If PATH is defined in $external_path_file, ensure the path to scp is included,
|
|
otherwise scp will not work.])
|
|
fi
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_PROGRAM([[
|
|
/* find out what STDPATH is */
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#ifdef HAVE_PATHS_H
|
|
# include <paths.h>
|
|
#endif
|
|
#ifndef _PATH_STDPATH
|
|
# ifdef _PATH_USERPATH /* Irix */
|
|
# define _PATH_STDPATH _PATH_USERPATH
|
|
# else
|
|
# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
|
|
# endif
|
|
#endif
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
#define DATA "conftest.stdpath"
|
|
]], [[
|
|
FILE *fd;
|
|
int rc;
|
|
|
|
fd = fopen(DATA,"w");
|
|
if(fd == NULL)
|
|
exit(1);
|
|
|
|
if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
|
|
exit(1);
|
|
|
|
exit(0);
|
|
]])],
|
|
[ user_path=`cat conftest.stdpath` ],
|
|
[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
|
|
[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
|
|
)
|
|
# make sure $bindir is in USER_PATH so scp will work
|
|
t_bindir="${bindir}"
|
|
while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
|
|
t_bindir=`eval echo ${t_bindir}`
|
|
case $t_bindir in
|
|
NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
|
|
esac
|
|
case $t_bindir in
|
|
NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
|
|
esac
|
|
done
|
|
echo $user_path | grep ":$t_bindir" > /dev/null 2>&1
|
|
if test $? -ne 0 ; then
|
|
echo $user_path | grep "^$t_bindir" > /dev/null 2>&1
|
|
if test $? -ne 0 ; then
|
|
user_path=$user_path:$t_bindir
|
|
AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
|
|
fi
|
|
fi
|
|
fi ]
|
|
)
|
|
if test "x$external_path_file" != "x/etc/login.conf" ; then
|
|
AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
|
|
AC_SUBST([user_path])
|
|
fi
|
|
|
|
# Set superuser path separately to user path
|
|
AC_ARG_WITH([superuser-path],
|
|
[ --with-superuser-path= Specify different path for super-user],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
|
|
[Define if you want a different $PATH
|
|
for the superuser])
|
|
superuser_path=$withval
|
|
fi
|
|
]
|
|
)
|
|
|
|
|
|
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
|
|
IPV4_IN6_HACK_MSG="no"
|
|
AC_ARG_WITH(4in6,
|
|
[ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses],
|
|
[
|
|
if test "x$withval" != "xno" ; then
|
|
AC_MSG_RESULT([yes])
|
|
AC_DEFINE([IPV4_IN_IPV6], [1],
|
|
[Detect IPv4 in IPv6 mapped addresses
|
|
and treat as IPv4])
|
|
IPV4_IN6_HACK_MSG="yes"
|
|
else
|
|
AC_MSG_RESULT([no])
|
|
fi
|
|
], [
|
|
if test "x$inet6_default_4in6" = "xyes"; then
|
|
AC_MSG_RESULT([yes (default)])
|
|
AC_DEFINE([IPV4_IN_IPV6])
|
|
IPV4_IN6_HACK_MSG="yes"
|
|
else
|
|
AC_MSG_RESULT([no (default)])
|
|
fi
|
|
]
|
|
)
|
|
|
|
# Whether to enable BSD auth support
|
|
BSD_AUTH_MSG=no
|
|
AC_ARG_WITH([bsd-auth],
|
|
[ --with-bsd-auth Enable BSD auth support],
|
|
[
|
|
if test "x$withval" != "xno" ; then
|
|
AC_DEFINE([BSD_AUTH], [1],
|
|
[Define if you have BSD auth support])
|
|
BSD_AUTH_MSG=yes
|
|
fi
|
|
]
|
|
)
|
|
|
|
# Where to place sshd.pid
|
|
piddir=/var/run
|
|
# make sure the directory exists
|
|
if test ! -d $piddir ; then
|
|
piddir=`eval echo ${sysconfdir}`
|
|
case $piddir in
|
|
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
|
esac
|
|
fi
|
|
|
|
AC_ARG_WITH([pid-dir],
|
|
[ --with-pid-dir=PATH Specify location of sshd.pid file],
|
|
[
|
|
if test -n "$withval" && test "x$withval" != "xno" && \
|
|
test "x${withval}" != "xyes"; then
|
|
piddir=$withval
|
|
if test ! -d $piddir ; then
|
|
AC_MSG_WARN([** no $piddir directory on this system **])
|
|
fi
|
|
fi
|
|
]
|
|
)
|
|
|
|
AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
|
|
[Specify location of ssh.pid])
|
|
AC_SUBST([piddir])
|
|
|
|
dnl allow user to disable some login recording features
|
|
AC_ARG_ENABLE([lastlog],
|
|
[ --disable-lastlog disable use of lastlog even if detected [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_LASTLOG])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([utmp],
|
|
[ --disable-utmp disable use of utmp even if detected [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_UTMP])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([utmpx],
|
|
[ --disable-utmpx disable use of utmpx even if detected [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_UTMPX], [1],
|
|
[Define if you don't want to use utmpx])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([wtmp],
|
|
[ --disable-wtmp disable use of wtmp even if detected [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_WTMP])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([wtmpx],
|
|
[ --disable-wtmpx disable use of wtmpx even if detected [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_WTMPX], [1],
|
|
[Define if you don't want to use wtmpx])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([libutil],
|
|
[ --disable-libutil disable use of libutil (login() etc.) [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_LOGIN])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([pututline],
|
|
[ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_PUTUTLINE], [1],
|
|
[Define if you don't want to use pututline()
|
|
etc. to write [uw]tmp])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_ENABLE([pututxline],
|
|
[ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
|
|
[
|
|
if test "x$enableval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_PUTUTXLINE], [1],
|
|
[Define if you don't want to use pututxline()
|
|
etc. to write [uw]tmpx])
|
|
fi
|
|
]
|
|
)
|
|
AC_ARG_WITH([lastlog],
|
|
[ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
|
|
[
|
|
if test "x$withval" = "xno" ; then
|
|
AC_DEFINE([DISABLE_LASTLOG])
|
|
elif test -n "$withval" && test "x${withval}" != "xyes"; then
|
|
conf_lastlog_location=$withval
|
|
fi
|
|
]
|
|
)
|
|
|
|
dnl lastlog, [uw]tmpx? detection
|
|
dnl NOTE: set the paths in the platform section to avoid the
|
|
dnl need for command-line parameters
|
|
dnl lastlog and [uw]tmp are subject to a file search if all else fails
|
|
|
|
dnl lastlog detection
|
|
dnl NOTE: the code itself will detect if lastlog is a directory
|
|
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <utmp.h>
|
|
#ifdef HAVE_LASTLOG_H
|
|
# include <lastlog.h>
|
|
#endif
|
|
#ifdef HAVE_PATHS_H
|
|
# include <paths.h>
|
|
#endif
|
|
#ifdef HAVE_LOGIN_H
|
|
# include <login.h>
|
|
#endif
|
|
]], [[ char *lastlog = LASTLOG_FILE; ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <utmp.h>
|
|
#ifdef HAVE_LASTLOG_H
|
|
# include <lastlog.h>
|
|
#endif
|
|
#ifdef HAVE_PATHS_H
|
|
# include <paths.h>
|
|
#endif
|
|
]], [[ char *lastlog = _PATH_LASTLOG; ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[
|
|
AC_MSG_RESULT([no])
|
|
system_lastlog_path=no
|
|
])
|
|
])
|
|
|
|
if test -z "$conf_lastlog_location"; then
|
|
if test x"$system_lastlog_path" = x"no" ; then
|
|
for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
|
|
if (test -d "$f" || test -f "$f") ; then
|
|
conf_lastlog_location=$f
|
|
fi
|
|
done
|
|
if test -z "$conf_lastlog_location"; then
|
|
AC_MSG_WARN([** Cannot find lastlog **])
|
|
dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
if test -n "$conf_lastlog_location"; then
|
|
AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
|
|
[Define if you want to specify the path to your lastlog file])
|
|
fi
|
|
|
|
dnl utmp detection
|
|
AC_MSG_CHECKING([if your system defines UTMP_FILE])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <utmp.h>
|
|
#ifdef HAVE_PATHS_H
|
|
# include <paths.h>
|
|
#endif
|
|
]], [[ char *utmp = UTMP_FILE; ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
system_utmp_path=no
|
|
])
|
|
if test -z "$conf_utmp_location"; then
|
|
if test x"$system_utmp_path" = x"no" ; then
|
|
for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
|
|
if test -f $f ; then
|
|
conf_utmp_location=$f
|
|
fi
|
|
done
|
|
if test -z "$conf_utmp_location"; then
|
|
AC_DEFINE([DISABLE_UTMP])
|
|
fi
|
|
fi
|
|
fi
|
|
if test -n "$conf_utmp_location"; then
|
|
AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
|
|
[Define if you want to specify the path to your utmp file])
|
|
fi
|
|
|
|
dnl wtmp detection
|
|
AC_MSG_CHECKING([if your system defines WTMP_FILE])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <utmp.h>
|
|
#ifdef HAVE_PATHS_H
|
|
# include <paths.h>
|
|
#endif
|
|
]], [[ char *wtmp = WTMP_FILE; ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
system_wtmp_path=no
|
|
])
|
|
if test -z "$conf_wtmp_location"; then
|
|
if test x"$system_wtmp_path" = x"no" ; then
|
|
for f in /usr/adm/wtmp /var/log/wtmp; do
|
|
if test -f $f ; then
|
|
conf_wtmp_location=$f
|
|
fi
|
|
done
|
|
if test -z "$conf_wtmp_location"; then
|
|
AC_DEFINE([DISABLE_WTMP])
|
|
fi
|
|
fi
|
|
fi
|
|
if test -n "$conf_wtmp_location"; then
|
|
AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
|
|
[Define if you want to specify the path to your wtmp file])
|
|
fi
|
|
|
|
dnl wtmpx detection
|
|
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
|
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
|
#include <sys/types.h>
|
|
#include <utmp.h>
|
|
#ifdef HAVE_UTMPX_H
|
|
#include <utmpx.h>
|
|
#endif
|
|
#ifdef HAVE_PATHS_H
|
|
# include <paths.h>
|
|
#endif
|
|
]], [[ char *wtmpx = WTMPX_FILE; ]])],
|
|
[ AC_MSG_RESULT([yes]) ],
|
|
[ AC_MSG_RESULT([no])
|
|
system_wtmpx_path=no
|
|
])
|
|
if test -z "$conf_wtmpx_location"; then
|
|
if test x"$system_wtmpx_path" = x"no" ; then
|
|
AC_DEFINE([DISABLE_WTMPX])
|
|
fi
|
|
else
|
|
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
|
|
[Define if you want to specify the path to your wtmpx file])
|
|
fi
|
|
|
|
|
|
if test ! -z "$blibpath" ; then
|
|
LDFLAGS="$LDFLAGS $blibflags$blibpath"
|
|
AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
|
|
fi
|
|
|
|
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
|
|
if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
|
|
AC_DEFINE([DISABLE_LASTLOG])
|
|
fi
|
|
], [
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
#include <sys/types.h>
|
|
#endif
|
|
#ifdef HAVE_UTMP_H
|
|
#include <utmp.h>
|
|
#endif
|
|
#ifdef HAVE_UTMPX_H
|
|
#include <utmpx.h>
|
|
#endif
|
|
#ifdef HAVE_LASTLOG_H
|
|
#include <lastlog.h>
|
|
#endif
|
|
])
|
|
|
|
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
|
|
AC_DEFINE([DISABLE_UTMP])
|
|
AC_DEFINE([DISABLE_WTMP])
|
|
], [
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
#include <sys/types.h>
|
|
#endif
|
|
#ifdef HAVE_UTMP_H
|
|
#include <utmp.h>
|
|
#endif
|
|
#ifdef HAVE_UTMPX_H
|
|
#include <utmpx.h>
|
|
#endif
|
|
#ifdef HAVE_LASTLOG_H
|
|
#include <lastlog.h>
|
|
#endif
|
|
])
|
|
|
|
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
|
|
dnl Add now.
|
|
CFLAGS="$CFLAGS $werror_flags"
|
|
|
|
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
|
|
TEST_SSH_IPV6=no
|
|
else
|
|
TEST_SSH_IPV6=yes
|
|
fi
|
|
AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no])
|
|
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
|
|
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
|
|
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
|
|
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
|
|
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
|
|
|
|
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
|
|
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
|
|
|
|
# Make a copy of CFLAGS/LDFLAGS without PIE options.
|
|
LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
|
|
CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
|
|
AC_SUBST([LDFLAGS_NOPIE])
|
|
AC_SUBST([CFLAGS_NOPIE])
|
|
|
|
AC_EXEEXT
|
|
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
|
|
openbsd-compat/Makefile openbsd-compat/regress/Makefile \
|
|
survey.sh])
|
|
AC_OUTPUT
|
|
|
|
# Print summary of options
|
|
|
|
# Someone please show me a better way :)
|
|
A=`eval echo ${prefix}` ; A=`eval echo ${A}`
|
|
B=`eval echo ${bindir}` ; B=`eval echo ${B}`
|
|
C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
|
|
D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
|
|
E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
|
|
F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
|
|
G=`eval echo ${piddir}` ; G=`eval echo ${G}`
|
|
H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
|
|
I=`eval echo ${user_path}` ; I=`eval echo ${I}`
|
|
J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
|
|
|
|
echo ""
|
|
echo "OpenSSH has been configured with the following options:"
|
|
echo " User binaries: $B"
|
|
echo " System binaries: $C"
|
|
echo " Configuration files: $D"
|
|
echo " Askpass program: $E"
|
|
echo " Manual pages: $F"
|
|
echo " PID file: $G"
|
|
echo " Privilege separation chroot path: $H"
|
|
if test "x$external_path_file" = "x/etc/login.conf" ; then
|
|
echo " At runtime, sshd will use the path defined in $external_path_file"
|
|
echo " Make sure the path to scp is present, otherwise scp will not work"
|
|
else
|
|
echo " sshd default user PATH: $I"
|
|
if test ! -z "$external_path_file"; then
|
|
echo " (If PATH is set in $external_path_file it will be used instead. If"
|
|
echo " used, ensure the path to scp is present, otherwise scp will not work.)"
|
|
fi
|
|
fi
|
|
if test ! -z "$superuser_path" ; then
|
|
echo " sshd superuser user PATH: $J"
|
|
fi
|
|
echo " Manpage format: $MANTYPE"
|
|
echo " PAM support: $PAM_MSG"
|
|
echo " OSF SIA support: $SIA_MSG"
|
|
echo " KerberosV support: $KRB5_MSG"
|
|
echo " SELinux support: $SELINUX_MSG"
|
|
echo " libedit support: $LIBEDIT_MSG"
|
|
echo " libldns support: $LDNS_MSG"
|
|
echo " Solaris process contract support: $SPC_MSG"
|
|
echo " Solaris project support: $SP_MSG"
|
|
echo " Solaris privilege support: $SPP_MSG"
|
|
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
|
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
|
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
echo " Random number source: $RAND_MSG"
|
|
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
|
echo " PKCS#11 support: $enable_pkcs11"
|
|
echo " U2F/FIDO support: $enable_sk"
|
|
|
|
echo ""
|
|
|
|
echo " Host: ${host}"
|
|
echo " Compiler: ${CC}"
|
|
echo " Compiler flags: ${CFLAGS}"
|
|
echo "Preprocessor flags: ${CPPFLAGS}"
|
|
echo " Linker flags: ${LDFLAGS}"
|
|
echo " Libraries: ${LIBS}"
|
|
if test ! -z "${CHANNELLIBS}"; then
|
|
echo " +for channels: ${CHANNELLIBS}"
|
|
fi
|
|
if test ! -z "${LIBFIDO2}"; then
|
|
echo " +for FIDO2: ${LIBFIDO2}"
|
|
fi
|
|
if test ! -z "${SSHDLIBS}"; then
|
|
echo " +for sshd: ${SSHDLIBS}"
|
|
fi
|
|
|
|
echo ""
|
|
|
|
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
|
|
echo "SVR4 style packages are supported with \"make package\""
|
|
echo ""
|
|
fi
|
|
|
|
if test "x$PAM_MSG" = "xyes" ; then
|
|
echo "PAM is enabled. You may need to install a PAM control file "
|
|
echo "for sshd, otherwise password authentication may fail. "
|
|
echo "Example PAM control files can be found in the contrib/ "
|
|
echo "subdirectory"
|
|
echo ""
|
|
fi
|
|
|
|
if test ! -z "$NO_PEERCHECK" ; then
|
|
echo "WARNING: the operating system that you are using does not"
|
|
echo "appear to support getpeereid(), getpeerucred() or the"
|
|
echo "SO_PEERCRED getsockopt() option. These facilities are used to"
|
|
echo "enforce security checks to prevent unauthorised connections to"
|
|
echo "ssh-agent. Their absence increases the risk that a malicious"
|
|
echo "user can connect to your agent."
|
|
echo ""
|
|
fi
|
|
|
|
if test "$AUDIT_MODULE" = "bsm" ; then
|
|
echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
|
|
echo "See the Solaris section in README.platform for details."
|
|
fi
|