Commit Graph

649 Commits

Author SHA1 Message Date
Damien Miller
f7849e6c83 remove configure --with-ssh1 2017-05-01 10:05:07 +10:00
Darren Tucker
d9048861be Check for and use gcc's -pipe.
Speeds up configure and build by a couple of percent.  ok djm@
2017-03-31 11:04:43 +11:00
Darren Tucker
5346f271fc Remove check for OpenSSL < 0.9.8g.
We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC
in OpenSSL < 0.9.8g.
2017-03-29 10:23:58 +11:00
Darren Tucker
7af27bf538 Enable ldns when using ldns-config.
Actually enable ldns when attempting to use ldns-config.  bz#2697, patch
from fredrik at fornwall.net.
2017-03-24 09:44:56 +11:00
Darren Tucker
d38f05dbdd Add llabs() implementation. 2017-03-20 13:39:27 +11:00
Damien Miller
2429cf78dd require OpenSSL >=1.0.1 2017-03-14 18:01:52 +11:00
Damien Miller
523db8540b prefer to use ldns-config to find libldns
Should fix bz#2603 - "Build with ldns and without kerberos support
fails if ldns compiled with kerberos support" by including correct
cflags/libs

ok dtucker@
2017-02-03 16:03:05 +11:00
Darren Tucker
c61d5ec3c1 Remove _XOPEN_SOURCE from wide char detection.
Having _XOPEN_SOURCE unconditionally causes problems on some platforms
and configurations, notably Solaris 64-bit binaries.  It was there for
the benefit of Linux put the required bits in the *-*linux* section.

Patch from yvoinov at gmail.com.
2017-02-03 14:10:34 +11:00
Darren Tucker
10e290ec00 Get default of TEST_SSH_UTF8 from environment. 2016-12-13 13:51:32 +11:00
Darren Tucker
afec07732a Add strcasestr to compat library.
Fixes build on (at least) Solaris 10.
2016-12-13 10:23:03 +11:00
Darren Tucker
c35995048f exit is in stdlib.h not unistd.h (that's _exit). 2016-12-09 12:52:02 +11:00
Darren Tucker
d399a8b914 Include <unistd.h> for exit in utf8 locale test. 2016-12-09 12:33:25 +11:00
Darren Tucker
47b8c99ab3 Check for utf8 local support before testing it.
Check for utf8 local support and if not found, do not attempt to run the
utf8 tests.  Suggested by djm@
2016-12-08 15:48:34 +11:00
Darren Tucker
4089fc1885 Use AC_PATH_TOOL for krb5-config.
This will use the host-prefixed version when cross compiling; patch from
david.michael at coreos.com.
2016-12-08 12:57:24 +11:00
Darren Tucker
5ee3fb5aff Use ptrace(PT_DENY_ATTACH, ..) on OS X. 2016-11-01 08:12:33 +11:00
Damien Miller
1cfd5c06ef Remove portability support for mmap
We no longer need to wrap/replace mmap for portability now that
pre-auth compression has been removed from OpenSSH.
2016-09-29 03:19:23 +10:00
Damien Miller
857568d2ac removing UseLogin bits from configure.ac 2016-08-23 14:32:37 +10:00
Darren Tucker
33ba55d9e3 Only check for prctl once. 2016-08-17 16:26:04 +10:00
Damien Miller
a1cc637e7e add a --with-login-program configure argument
Saves messing around with LOGIN_PROGRAM env var, which come
packaging environments make hard to do during configure phase.
2016-08-16 14:47:34 +10:00
Damien Miller
8bd81e1596 add --with-pam-service to specify PAM service name
Saves messing around with CFLAGS to do it.
2016-08-16 13:37:26 +10:00
Darren Tucker
5faa52d295 Use tabs consistently inside "case $host". 2016-08-02 15:22:40 +10:00
Darren Tucker
20e5e8ba9c Explicitly test for broken strnvis.
NetBSD added an strnvis and unfortunately made it incompatible with the
existing one in OpenBSD and Linux's libbsd (the former having existed
for over ten years). Despite this incompatibility being reported during
development (see http://gnats.netbsd.org/44977) they still shipped it.
Even more unfortunately FreeBSD and later MacOS picked up this incompatible
implementation.  Try to detect this mess, and assume the only safe option
if we're cross compiling.

OpenBSD 2.9 (2001): strnvis(char *dst, const char *src, size_t dlen, int flag);
NetBSD 6.0 (2012):  strnvis(char *dst, size_t dlen, const char *src, int flag);

ok djm@
2016-08-02 12:16:34 +10:00
Tim Rice
cf3e0be7f5 modified: configure.ac opensshd.init.in
Skip generating missing RSA1 key on startup unless ssh1 support is enabled.
Spotted by Jean-Pierre Radley
2016-08-01 14:31:52 -07:00
Damien Miller
99522ba7ec define _OPENBSD_SOURCE for reallocarray on NetBSD
Report by and debugged with Hisashi T Fujinaka, dtucker nailed
the problem (lack of prototype causing return type confusion).
2016-07-28 08:54:27 +10:00
Darren Tucker
353766e088 Move Cygwin IPPORT_RESERVED overrride to defines.h
Patch from vinschen at redhat.com.
2016-07-23 16:14:42 +10:00
Damien Miller
5fbe93fc6f add a --disable-pkcs11 knob 2016-07-15 14:28:59 +10:00
Damien Miller
679ce88ec2 fix newline escaping for unsupported_algorithms
The hmac-ripemd160 was incorrect and could lead to broken
Makefiles on systems that lacked support for it, but I made
all the others consistent too.
2016-07-15 14:28:59 +10:00
Darren Tucker
7df91b01fc Check for VIS_ALL.
If we don't have it, set BROKEN_STRNVIS to activate the compat replacement.
2016-07-14 12:26:54 +10:00
Darren Tucker
a233358417 Add compat code for missing wcwidth.
If we don't have wcwidth force fallback implementations of nl_langinfo
and mbtowc.  Based on advice from Ingo Schwarze.
2016-07-14 10:59:09 +10:00
Darren Tucker
6310ef27a2 Move err.h replacements into compat lib.
Move implementations of err.h replacement functions into their own file
in the libopenbsd-compat so we can use them in kexfuzz.c too.  ok djm@
2016-07-13 14:42:35 +10:00
Darren Tucker
f3f2cc8386 Check for wchar.h and langinfo.h
Wrap includes in the appropriate #ifdefs.
2016-07-11 17:26:49 +10:00
Damien Miller
b9c50614eb whitelist more architectures for seccomp-bpf
bz#2590 - testing and patch from Jakub Jelen
2016-07-08 13:59:13 +10:00
Darren Tucker
a86ec4d073 Use Solaris setpflags(__PROC_PROTECT, ...).
Where possible, use Solaris setpflags to disable process tracing on
ssh-agent and sftp-server.  bz#2584, based on a patch from huieying.lee
at oracle.com, ok djm.
2016-06-14 10:48:27 +10:00
Tim Rice
e1d93705f8 modified: configure.ac
whitspace clean up. No code changes.
2016-05-31 11:13:22 -07:00
Darren Tucker
5f41f030e2 Remove NO_IPPORT_RESERVED_CONCEPT
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD.  ok djm, sanity checked
by Corinna.
2016-04-08 21:21:27 +10:00
Darren Tucker
b3413534aa Tidy up openssl header test. 2016-04-04 11:09:21 +10:00
Darren Tucker
815bcac0b9 Fix configure-time warnings for openssl test. 2016-04-04 11:07:59 +10:00
Damien Miller
39f303b1f3 fix sandbox on OSX Lion
sshd was failing with:

ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
  image not found [preauth]

caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
to sshd. Spotted by Darren.
2016-02-23 12:58:53 +11:00
Darren Tucker
907091acb1 Make Solaris privs code build on older systems.
Not all systems with Solaris privs have priv_basicset so factor that
out and provide backward compatibility code.  Similarly, not all have
PRIV_NET_ACCESS so wrap that in #ifdef.  Based on code from
alex at cooperi.net and djm@ with help from carson at taltos.org and
wieland at purdue.edu.
2016-02-19 09:05:39 +11:00
Darren Tucker
2fee909c3c Look for gethostbyname in libresolv and libnsl.
Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
2016-02-17 09:48:15 +11:00
Damien Miller
4626cbaf78 Support Illumos/Solaris fine-grained privileges
Includes a pre-auth privsep sandbox and several pledge()
emulations. bz#2511, patch by Alex Wilson.

ok dtucker@
2016-01-08 14:29:12 +11:00
Darren Tucker
b5fa0cd735 Allow --without-ssl-engine with --without-openssl
Patch from Mike Frysinger via github.
2015-12-15 15:10:32 +11:00
Darren Tucker
c1d7e546f6 Include openssl crypto.h for SSLeay.
Patch from doughdemon via github.
2015-12-15 14:27:09 +11:00
Darren Tucker
3ddd15e1b6 Add a null implementation of pledge.
Fixes builds on almost everything.
2015-11-30 07:23:53 +11:00
Darren Tucker
1560596f44 Fix compiler warnings in the openssl header check.
Noted by Austin English.
2015-11-10 11:14:47 +11:00
Damien Miller
fafe1d84a2 s/SANDBOX_TAME/SANDBOX_PLEDGE/g 2015-10-14 09:22:15 -07:00
deraadt@openbsd.org
2539dce2a0 upstream commit
Change all tame callers to namechange to pledge(2).

Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
2015-10-14 03:22:08 +11:00
Damien Miller
9846a2f406 hook tame(2) sandbox up to build
OpenBSD only for now
2015-10-08 04:30:48 +11:00
Darren Tucker
366bada1e9 Correct default value for --with-ssh1.
bz#2457, from konto-mindrot.org at walimnieto.com.
2015-09-11 13:33:23 +10:00
Darren Tucker
7ad8b287c8 Force resolution of _res for correct detection.
bz#2259, from sconeu at yahoo.com.
2015-09-11 13:11:02 +10:00