Diffstat (limited to 'crypto/openssh/configure.ac')
-rw-r--r--crypto/openssh/configure.ac584
1 files changed, 336 insertions, 248 deletions
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index d98ea1afce8d..b247017f3dae 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -16,6 +16,14 @@
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_SRCDIR([ssh.c])
+
+# Check for stale configure as early as possible.
+for i in $srcdir/configure.ac $srcdir/m4/*.m4; do
+ if test "$i" -nt "$srcdir/configure"; then
+ AC_MSG_ERROR([$i newer than configure, run autoreconf])
+ fi
+done
+
AC_LANG([C])
AC_CONFIG_HEADERS([config.h])
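Review bot: The stale-configure loop at L20–L24 turns a pure mtime comparison into a hard configure failure, and nothing in the hunk offers a way around it. VCS checkouts and some archive extractions do not preserve mtimes, so `configure.ac` or an `m4/*.m4` file can look newer than `configure` while being fully in sync; the comment should say so and name the remedy, e.g. `# Check for stale configure as early as possible (mtimes from a VCS checkout can trip this; run autoreconf, or touch configure if the sources are known to be in sync).` `$srcdir` is also unquoted in the `for` list at L20, which splits a source path containing whitespace; `"$srcdir"/configure.ac "$srcdir"/m4/*.m4` keeps the glob working while quoting the prefix.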
@@ -54,6 +62,7 @@ AC_PATH_PROG([SH], [sh])
AC_PATH_PROG([GROFF], [groff])
AC_PATH_PROG([NROFF], [nroff awf])
AC_PATH_PROG([MANDOC], [mandoc])
+AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
AC_SUBST([TEST_SHELL], [sh])
dnl select manpage formatter to be used to build "cat" format pages.
@@ -121,10 +130,12 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
])
openssl=yes
+openssl_bin=openssl
AC_ARG_WITH([openssl],
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
[ if test "x$withval" = "xno" ; then
openssl=no
+ openssl_bin=""
fi
]
)
@@ -138,6 +149,7 @@ fi
use_stack_protector=1
use_toolchain_hardening=1
+use_retpoline=1
AC_ARG_WITH([stackprotect],
[ --without-stackprotect Don't use compiler's stack protection], [
if test "x$withval" = "xno"; then
@@ -148,6 +160,11 @@ AC_ARG_WITH([hardening],
if test "x$withval" = "xno"; then
use_toolchain_hardening=0
fi ])
+AC_ARG_WITH([retpoline],
+ [ --without-retpoline Enable retpoline spectre mitigation], [
+ if test "x$withval" = "xno"; then
+ use_retpoline=0
+ fi ])
# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.
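Review bot: The help text for the new option at L59 reads `--without-retpoline Enable retpoline spectre mitigation`, which contradicts itself since `--without-` is the disabling form. The neighbouring options describe what the `--without-` form does (`Don't use compiler's stack protection`), so match them: `[ --without-retpoline Don't use retpoline spectre mitigation], [`.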
@@ -163,6 +180,29 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
CFLAGS="$saved_CFLAGS"
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
+ AC_MSG_CHECKING([gcc version])
+ GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
+ case "$GCC_VER" in
+ 1.*) no_attrib_nonnull=1 ;;
+ 2.8* | 2.9*)
+ no_attrib_nonnull=1
+ ;;
+ 2.*) no_attrib_nonnull=1 ;;
+ *) ;;
+ esac
+ AC_MSG_RESULT([$GCC_VER])
+
+ AC_MSG_CHECKING([clang version])
+ ver="`$CC -v 2>&1`"
+ if echo "$ver" | grep "Apple" >/dev/null; then
+ CLANG_VER=apple-`echo "$ver" | grep 'clang version' | \
+ $SED 's/.*clang version //g' | $AWK '{print $1}'`
+ else
+ CLANG_VER=`echo "$ver" | grep 'clang version' | \
+ $SED 's/.*clang version //g' | $AWK '{print $1}'`
+ fi
+ AC_MSG_RESULT([$CLANG_VER])
+
OSSH_CHECK_CFLAG_COMPILE([-pipe])
OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
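Review bot: The gcc/clang version probes moved up here at L68–L89 leave `GCC_VER` and `CLANG_VER` undocumented, although the `-fzero-call-used-regs` workaround further down keys on `CLANG_VER` and on its `apple-` prefix. A one-line comment above `AC_MSG_CHECKING([gcc version])` saves the reader a search: `# GCC_VER/CLANG_VER drive version-specific compiler workarounds below; Apple's clang is tagged apple-<ver> because its numbering differs from upstream LLVM.` The `grep "Apple"` at L82 runs over the whole `$CC -v` output rather than just the `clang version` line, so any other verbose-output line containing that string would also select the apple- branch; `grep 'clang version' | grep Apple` narrows it at no cost.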
@@ -182,8 +222,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
if test "x$use_toolchain_hardening" = "x1"; then
- OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
- OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
@@ -194,20 +232,22 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
# actually links. The test program compiled/linked includes a number
# of integer operations that should exercise this.
OSSH_CHECK_CFLAG_LINK([-ftrapv])
- OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all])
+ # clang 15 seems to have a bug in -fzero-call-used-regs=all. See
+ # https://bugzilla.mindrot.org/show_bug.cgi?id=3475 and
+ # https://github.com/llvm/llvm-project/issues/59242
+ # clang 17 has a different bug that causes an ICE when using this
+ # flag at all (https://bugzilla.mindrot.org/show_bug.cgi?id=3629)
+ case "$CLANG_VER" in
+ apple-15*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
+ 17*) ;;
+ *) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
+ esac
OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
fi
- AC_MSG_CHECKING([gcc version])
- GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
- case $GCC_VER in
- 1.*) no_attrib_nonnull=1 ;;
- 2.8* | 2.9*)
- no_attrib_nonnull=1
- ;;
- 2.*) no_attrib_nonnull=1 ;;
- *) ;;
- esac
- AC_MSG_RESULT([$GCC_VER])
+ if test "x$use_retpoline" = "x1"; then
+ OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
+ fi
AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
saved_CFLAGS="$CFLAGS"
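Review bot: In the `case "$CLANG_VER"` at L113–L117 the `apple-15*` arm runs exactly the same `OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used])` as the default `*` arm, so as written it is dead weight — either fold it into `*)`, or, if Apple clang 15 is meant to be excluded the way upstream 17 is, it should read `apple-15*) ;;`. Which was intended is not recoverable from the hunk, so whichever it is should be stated in the comment above. That comment also explains the `=all` bug without saying that it is the reason `=used` is requested everywhere; `# =used rather than =all because of the clang 15 bug above` closes the gap.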
@@ -408,6 +448,14 @@ AC_ARG_WITH([Werror],
]
)
+dnl On some old platforms, sys/stat.h requires sys/types.h, but autoconf-2.71's
+dnl AC_CHECK_INCLUDES_DEFAULT checks for them in the opposite order. If we
+dnl haven't detected it, recheck.
+if test "x$ac_cv_header_sys_stat_h" != "xyes"; then
+ unset ac_cv_header_sys_stat_h
+ AC_CHECK_HEADERS([sys/stat.h])
+fi
+
AC_CHECK_HEADERS([ \
blf.h \
bstring.h \
@@ -466,7 +514,6 @@ AC_CHECK_HEADERS([ \
sys/ptrace.h \
sys/random.h \
sys/select.h \
- sys/stat.h \
sys/stream.h \
sys/stropts.h \
sys/strtio.h \
@@ -504,12 +551,24 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [
])
# sys/capsicum.h requires sys/types.h
-AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
+AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
])
+AC_MSG_CHECKING([for caph_cache_tzdata])
+AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
+ [[caph_cache_tzdata();]])],
+ [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1],
+ [Define if you have caph_cache_tzdata])
+ ],
+ [ AC_MSG_RESULT([no]) ]
+)
+
# net/route.h requires sys/socket.h and sys/types.h.
# sys/sysctl.h also requires sys/param.h
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
@@ -661,7 +720,6 @@ case "$host" in
AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
;;
*-*-cygwin*)
- check_for_libcrypt_later=1
LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
@@ -693,7 +751,7 @@ case "$host" in
AC_RUN_IFELSE([AC_LANG_SOURCE([[
#include <mach-o/dyld.h>
#include <stdlib.h>
-main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
exit(0);
else
exit(1);
@@ -740,7 +798,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
[System poll(2) implementation is broken])
;;
*-*-dragonfly*)
- SSHDLIBS="$SSHDLIBS -lcrypt"
+ SSHDLIBS="$SSHDLIBS"
TEST_MALLOC_OPTIONS="AFGJPRX"
;;
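Review bot: `SSHDLIBS="$SSHDLIBS"` at L205 is a no-op left behind by dropping `-lcrypt` from the dragonfly arm; remove the line rather than keep an empty self-assignment. libcrypt is now handled generically by the `AC_CHECK_LIB([crypt], [crypt], ...)` block this diff adds later in the file, so nothing platform-specific is needed here.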
*-*-haiku*)
@@ -831,7 +889,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
;;
*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
- check_for_libcrypt_later=1
AC_DEFINE([PAM_TTY_KLUDGE])
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
@@ -841,11 +898,11 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
*-*-linux*)
no_dev_ptmx=1
use_pie=auto
- check_for_libcrypt_later=1
check_for_openpty_ctty_bug=1
dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
+ dnl _GNU_SOURCE is needed for setres*id prototypes.
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
AC_DEFINE([PAM_TTY_KLUDGE], [1],
[Work around problematic Linux PAM modules handling of PAM_TTY])
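Review bot: Adding `-D_GNU_SOURCE` at L227 does more than expose the setres*id prototypes: with glibc it selects the GNU variants of a few dual-personality functions (`strerror_r` returning `char *` instead of `int`, and `basename` from `<string.h>` are the usual ones), and it already implies `_DEFAULT_SOURCE`, so the other three macros on that line become redundant on glibc (they still matter for other libcs). Widen the dnl comment so a later reader neither drops the rest nor is surprised by the semantics: `dnl _GNU_SOURCE is needed for setres*id prototypes; note it also selects the GNU strerror_r/basename variants on glibc.`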
@@ -926,6 +983,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
s390-*)
seccomp_audit_arch=AUDIT_ARCH_S390
;;
+ powerpc-*)
+ seccomp_audit_arch=AUDIT_ARCH_PPC
+ ;;
powerpc64-*)
seccomp_audit_arch=AUDIT_ARCH_PPC64
;;
@@ -981,7 +1041,6 @@ mips-sony-bsd|mips-sony-newsos4)
SONY=1
;;
*-*-netbsd*)
- check_for_libcrypt_before=1
if test "x$withval" != "xno" ; then
rpath_opt="-R"
fi
@@ -996,7 +1055,7 @@ mips-sony-bsd|mips-sony-newsos4)
[NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
;;
*-*-freebsd*)
- check_for_libcrypt_later=1
+ SKIP_DISABLE_LASTLOG_DEFINE=yes
AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
AC_CHECK_HEADER([net/if_tap.h], ,
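Review bot: `SKIP_DISABLE_LASTLOG_DEFINE=yes` at L254 introduces a variable whose consumer is not in this diff, and the name alone does not say what skipping the define means for the FreeBSD build. A comment next to it pointing at the consumer — presumably the `--disable-lastlog` handling later in the file — keeps it from reading like a leftover, e.g. `# Read by the lastlog option handling below (adjust to the actual consumer)`. If nothing in the file reads it, the line is dead.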
@@ -1169,7 +1228,6 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE([PASSWD_NEEDS_USERNAME])
AC_DEFINE([BROKEN_TCGETATTR_ICANON])
TEST_SHELL=$SHELL # let configure find us a capable shell
- check_for_libcrypt_later=1
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
maildir=/var/spool/mail
@@ -1378,18 +1436,21 @@ AC_ARG_WITH([zlib],
fi ]
)
+# These libraries are needed for anything that links in the channel code.
+CHANNELLIBS=""
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" = "xno"; then
AC_MSG_RESULT([no])
else
- AC_MSG_RESULT([yes])
- AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
+ saved_LIBS="$LIBS"
+ CHANNELLIBS="$CHANNELLIBS -lz"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
- AC_CHECK_LIB([z], [deflate], ,
+ AC_CHECK_LIB([z], [deflate], [],
[
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
- save_LIBS="$LIBS"
dnl Check default zlib install dir
if test -n "${rpath_opt}"; then
LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
@@ -1397,7 +1458,6 @@ else
LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
fi
CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
- LIBS="$LIBS -lz"
AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
[
AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
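Review bot: With `LIBS="$LIBS -lz"` removed at L295, the fallback in the `AC_CHECK_LIB([z], [deflate], ...)` not-found branch now runs `AC_TRY_LINK_FUNC([deflate])` with `-L/usr/local/lib` added but no `-lz` on the link line, so as far as the hunk shows it can only succeed if zlib is dragged in by something already in LIBS, and the `*** zlib missing ***` error would fire on systems whose zlib lives only under /usr/local. If the intent is to keep `-lz` out of LIBS permanently (it now goes to CHANNELLIBS), the retry still needs it for the duration of the test: `LIBS="$LIBS -lz"` immediately before the `AC_TRY_LINK_FUNC`, which the `LIBS="$saved_LIBS"` restore this diff adds at the end of the zlib block already undoes. The enclosing `else` block begins and ends outside this hunk.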
@@ -1423,7 +1483,7 @@ else
[[
int a=0, b=0, c=0, d=0, n, v;
n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
- if (n != 3 && n != 4)
+ if (n < 1)
exit(1);
v = a*1000000 + b*10000 + c*100 + d;
fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
@@ -1454,6 +1514,7 @@ See http://www.gzip.org/zlib/ for details.])
],
[ AC_MSG_WARN([cross compiling: not checking zlib version]) ]
)
+ LIBS="$saved_LIBS"
fi
dnl UnixWare 2.x
@@ -1692,7 +1753,7 @@ AC_ARG_WITH(ldns,
# include <stdint.h>
#endif
#include <ldns/ldns.h>
-int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
+int main(void) { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
]])
],
[AC_MSG_RESULT(yes)],
@@ -1709,7 +1770,6 @@ AC_ARG_WITH([libedit],
[ --with-libedit[[=PATH]] Enable libedit support for sftp],
[ if test "x$withval" != "xno" ; then
if test "x$withval" = "xyes" ; then
- AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
if test "x$PKGCONFIG" != "xno"; then
AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
if "$PKGCONFIG" libedit; then
@@ -1916,6 +1976,7 @@ AC_CHECK_FUNCS([ \
futimes \
getaddrinfo \
getcwd \
+ getentropy \
getgrouplist \
getline \
getnameinfo \
@@ -2003,6 +2064,7 @@ AC_CHECK_FUNCS([ \
swap32 \
sysconf \
tcgetpgrp \
+ timegm \
timingsafe_bcmp \
truncate \
unsetenv \
@@ -2068,13 +2130,20 @@ AC_ARG_ENABLE([security-key],
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
[ --with-security-key-builtin include builtin U2F/FIDO support],
+ [ enable_sk_internal=$withval ]
+)
+
+disable_ecdsa=
+AC_ARG_ENABLE([dsa-keys],
+ [ --disable-dsa-keys disable DSA key support [no]],
[
- if test "x$withval" != "xno" ; then
- enable_sk_internal=yes
+ if test "x$enableval" = "xno" ; then
+ disable_ecdsa=1
fi
]
)
-test "x$disable_sk" != "x" && enable_sk_internal=""
+test -z "$disable_ecdsa" &&
+ AC_DEFINE([WITH_DSA], [1], [Define if to enable DSA keys.])
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
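Review bot: The new shell variable for `--disable-dsa-keys` is named `disable_ecdsa` (L355, L362, L367) but it gates `WITH_DSA`; ECDSA is a different, still-supported key type, so the name actively misleads. Rename it to `disable_dsa` at all three sites: `disable_dsa=`, `disable_dsa=1`, and `test -z "$disable_dsa" &&`. Separately, `enable_sk_internal=$withval` at L352 now stores whatever the user typed (`yes`, `no`, or a path), and the consumer at L775 only compares against `xno`; that is consistent as long as nothing else relies on the value being exactly `yes`.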
@@ -2152,7 +2221,7 @@ AC_CHECK_DECLS([O_NONBLOCK], , ,
#endif
])
-AC_CHECK_DECLS([ftruncate], , ,
+AC_CHECK_DECLS([ftruncate, getentropy], , ,
[
#include <sys/types.h>
#include <unistd.h>
@@ -2208,8 +2277,9 @@ AC_CHECK_FUNCS([setresuid], [
AC_MSG_CHECKING([if setresuid seems to work])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
-#include <stdlib.h>
#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
]], [[
errno=0;
setresuid(0,0,0);
@@ -2231,8 +2301,9 @@ AC_CHECK_FUNCS([setresgid], [
AC_MSG_CHECKING([if setresgid seems to work])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
-#include <stdlib.h>
#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
]], [[
errno=0;
setresgid(0,0,0);
@@ -2413,6 +2484,9 @@ if test ! -z "$check_for_openpty_ctty_bug"; then
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
+#ifdef HAVE_PTY_H
+# include <pty.h>
+#endif
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
@@ -2697,6 +2771,7 @@ AC_CHECK_FUNCS([getpgrp],[
# Search for OpenSSL
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
+openssl_bin_PATH="$PATH"
AC_ARG_WITH([ssl-dir],
[ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
[
@@ -2726,9 +2801,20 @@ AC_ARG_WITH([ssl-dir],
else
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
+ dnl Ensure specified openssl binary works, eg it can
+ dnl find its runtime libraries, before trying to use.
+ if test -x "${withval}/bin/openssl" && \
+ "${withval}/bin/openssl" version >/dev/null 2>&1; then
+ openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
+ elif test -x "${withval}/apps/openssl" && \
+ "${withval}/apps/openssl" version >/dev/null 2>&1; then
+ openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
+ fi
fi
]
)
+AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])
+AC_SUBST(OPENSSL_BIN, [${openssl_bin}])
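Review bot: `AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])` at L435 searches PATH for `openssl` whenever the variable does not already hold an absolute path, so the `openssl_bin=""` set under `--without-openssl` (L43) does not suppress the probe and `OPENSSL_BIN` will still be substituted with whatever system binary turns up. If the tests are meant to skip OpenSSL-dependent steps in that configuration, guard the probe: `if test "x$openssl" = "xyes"; then AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH]); fi`. I am reading AC_PATH_PROGS's short-circuit rule from memory; confirm against the generated configure before changing it.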
AC_ARG_WITH([openssl-header-check],
[ --without-openssl-header-check Disable OpenSSL version consistency check],
@@ -2752,8 +2838,10 @@ AC_ARG_WITH([ssl-engine],
]
)
+nocrypto_saved_LIBS="$LIBS"
if test "x$openssl" = "xyes" ; then
LIBS="-lcrypto $LIBS"
+ CHANNELLIBS="-lcrypto $CHANNELLIBS"
AC_TRY_LINK_FUNC([RAND_add], ,
[AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
AC_CHECK_HEADER([openssl/opensslv.h], ,
@@ -2788,8 +2876,8 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([$ssl_header_ver])
],
[
- AC_MSG_RESULT([not found])
- AC_MSG_ERROR([OpenSSL version header not found.])
+ AC_MSG_RESULT([failed])
+ AC_MSG_ERROR([OpenSSL version test program failed.])
],
[
AC_MSG_WARN([cross compiling: not checking])
@@ -2810,49 +2898,62 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"
]], [[
- FILE *fd;
- int rc;
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
+ FILE *f;
+ /* We need these legacy bits to warn for old libcrypto */
+ #ifndef OPENSSL_VERSION
+ # define OPENSSL_VERSION SSLEAY_VERSION
+ #endif
+ #ifndef HAVE_OPENSSL_VERSION
+ # define OpenSSL_version SSLeay_version
+ #endif
+ #ifndef HAVE_OPENSSL_VERSION_NUM
+ # define OpenSSL_version_num SSLeay
+ #endif
+ if ((f = fopen(DATA, "w")) == NULL)
exit(1);
-#ifndef OPENSSL_VERSION
-# define OPENSSL_VERSION SSLEAY_VERSION
-#endif
-#ifndef HAVE_OPENSSL_VERSION
-# define OpenSSL_version SSLeay_version
-#endif
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
- if ((rc = fprintf(fd, "%08lx (%s)\n",
+ if (fprintf(f, "%08lx (%s)",
(unsigned long)OpenSSL_version_num(),
- OpenSSL_version(OPENSSL_VERSION))) < 0)
+ OpenSSL_version(OPENSSL_VERSION)) < 0)
+ exit(1);
+#ifdef LIBRESSL_VERSION_NUMBER
+ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
+ exit(1);
+#endif
+ if (fputc('\n', f) == EOF || fclose(f) == EOF)
exit(1);
-
exit(0);
]])],
[
- ssl_library_ver=`cat conftest.ssllibver`
+ sslver=`cat conftest.ssllibver`
+ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
# Check version is supported.
- case "$ssl_library_ver" in
- 10000*|0*)
- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
- ;;
- 100*) ;; # 1.0.x
- 101000[[0123456]]*)
- # https://github.com/openssl/openssl/pull/4613
- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
+ case "$sslver" in
+ 100*|10100*) # 1.0.x, 1.1.0x
+ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
;;
101*) ;; # 1.1.x
- 200*) ;; # LibreSSL
- 300*) ;; # OpenSSL 3
- 301*) ;; # OpenSSL development branch.
+ 200*) # LibreSSL
+ lver=`echo "$sslver" | sed 's/.*libressl-//'`
+ case "$lver" in
+ 2*|300*) # 2.x, 3.0.0
+ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
+ ;;
+ *) ;; # Assume all other versions are good.
+ esac
+ ;;
+ 300*)
+ # OpenSSL 3; we use the 1.1x API
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+ ;;
+ 301*|302*|303*)
+ # OpenSSL development branch; request 1.1x API
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+ ;;
*)
- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
;;
esac
- AC_MSG_RESULT([$ssl_library_ver])
+ AC_MSG_RESULT([$ssl_showver])
],
[
AC_MSG_RESULT([not found])
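Review bot: The `300*)` and `301*|302*|303*)` arms at L536–L543 both just append `-DOPENSSL_API_COMPAT=0x10100000L` to CPPFLAGS; a single `300*|301*|302*|303*) # OpenSSL 3.x; request the 1.1 API` arm says the same thing once and makes the next 3.x minor a one-token change. The hunk also calls bare `sed` at L509 and L528 while the compiler-version probes earlier in the file use `$SED`; use `$SED` here for consistency. Note that `sslver` is set only in the run branch, so the CVE-2022-2274 check in the following hunk silently does nothing when cross-compiling; acceptable, but worth a comment there.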
@@ -2863,6 +2964,15 @@ if test "x$openssl" = "xyes" ; then
]
)
+ case "$host" in
+ x86_64-*)
+ case "$sslver" in
+ 3000004*)
+ AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
+ ;;
+ esac
+ esac
+
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
@@ -2872,9 +2982,6 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
]], [[
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
[
@@ -2909,7 +3016,6 @@ if test "x$openssl" = "xyes" ; then
],
[
AC_MSG_RESULT([no])
- saved_LIBS="$LIBS"
LIBS="$LIBS -ldl"
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
AC_LINK_IFELSE(
@@ -2917,10 +3023,10 @@ if test "x$openssl" = "xyes" ; then
[[ ERR_load_crypto_strings(); ]])],
[
AC_MSG_RESULT([yes])
+ CHANNELLIBS="$CHANNELLIBS -ldl"
],
[
AC_MSG_RESULT([no])
- LIBS="$saved_LIBS"
]
)
]
@@ -2928,8 +3034,8 @@ if test "x$openssl" = "xyes" ; then
AC_CHECK_FUNCS([ \
BN_is_prime_ex \
+ DES_crypt \
DSA_generate_parameters_ex \
- EVP_CIPHER_CTX_ctrl \
EVP_DigestFinal_ex \
EVP_DigestInit_ex \
EVP_MD_CTX_cleanup \
@@ -2949,44 +3055,13 @@ if test "x$openssl" = "xyes" ; then
)
)
- # LibreSSL/OpenSSL 1.1x API
+ # LibreSSL/OpenSSL API differences
AC_CHECK_FUNCS([ \
- OPENSSL_init_crypto \
- DH_get0_key \
- DH_get0_pqg \
- DH_set0_key \
- DH_set_length \
- DH_set0_pqg \
- DSA_get0_key \
- DSA_get0_pqg \
- DSA_set0_key \
- DSA_set0_pqg \
- DSA_SIG_get0 \
- DSA_SIG_set0 \
- ECDSA_SIG_get0 \
- ECDSA_SIG_set0 \
EVP_CIPHER_CTX_iv \
EVP_CIPHER_CTX_iv_noconst \
EVP_CIPHER_CTX_get_iv \
EVP_CIPHER_CTX_get_updated_iv \
EVP_CIPHER_CTX_set_iv \
- RSA_get0_crt_params \
- RSA_get0_factors \
- RSA_get0_key \
- RSA_set0_crt_params \
- RSA_set0_factors \
- RSA_set0_key \
- RSA_meth_free \
- RSA_meth_dup \
- RSA_meth_set1_name \
- RSA_meth_get_finish \
- RSA_meth_set_priv_enc \
- RSA_meth_set_priv_dec \
- RSA_meth_set_finish \
- EVP_PKEY_get0_RSA \
- EVP_MD_CTX_new \
- EVP_MD_CTX_free \
- EVP_chacha20 \
])
if test "x$openssl_engine" = "xyes" ; then
@@ -3005,7 +3080,7 @@ if test "x$openssl" = "xyes" ; then
fi
# Check for OpenSSL without EVP_aes_{192,256}_cbc
- AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
+ AC_MSG_CHECKING([whether OpenSSL lacks support for AES 192/256])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdlib.h>
@@ -3024,57 +3099,6 @@ if test "x$openssl" = "xyes" ; then
]
)
- # Check for OpenSSL with EVP_aes_*ctr
- AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/evp.h>
- ]], [[
- exit(EVP_aes_128_ctr() == NULL ||
- EVP_aes_192_cbc() == NULL ||
- EVP_aes_256_cbc() == NULL);
- ]])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
- [libcrypto has EVP AES CTR])
- ],
- [
- AC_MSG_RESULT([no])
- ]
- )
-
- # Check for OpenSSL with EVP_aes_*gcm
- AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/evp.h>
- ]], [[
- exit(EVP_aes_128_gcm() == NULL ||
- EVP_aes_256_gcm() == NULL ||
- EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
- EVP_CTRL_GCM_IV_GEN == 0 ||
- EVP_CTRL_GCM_SET_TAG == 0 ||
- EVP_CTRL_GCM_GET_TAG == 0 ||
- EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
- ]])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
- [libcrypto has EVP AES GCM])
- ],
- [
- AC_MSG_RESULT([no])
- unsupported_algorithms="$unsupported_cipers \
- aes128-gcm@openssh.com \
- aes256-gcm@openssh.com"
- ]
- )
-
AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
@@ -3095,21 +3119,8 @@ if test "x$openssl" = "xyes" ; then
]
)
- # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
- # because the system crypt() is more featureful.
- if test "x$check_for_libcrypt_before" = "x1"; then
- AC_CHECK_LIB([crypt], [crypt])
- fi
-
- # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
- # version in OpenSSL.
- if test "x$check_for_libcrypt_later" = "x1"; then
- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
- fi
- AC_CHECK_FUNCS([crypt DES_crypt])
-
- # Check for SHA256, SHA384 and SHA512 support in OpenSSL
- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
+ # Check for various EVP support in OpenSSL
+ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
# Check complete ECC support in OpenSSL
AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
@@ -3220,9 +3231,29 @@ if test "x$openssl" = "xyes" ; then
ecdsa-sha2-nistp521-cert-v01@openssh.com"
fi
-else
- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
- AC_CHECK_FUNCS([crypt])
+ # Check libcrypto ED25519 support
+ AC_CHECK_FUNCS([EVP_PKEY_get_raw_public_key])
+ AC_CHECK_FUNCS([EVP_PKEY_get_raw_private_key])
+ AC_MSG_CHECKING([whether OpenSSL has ED25519 support])
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[
+ #include <string.h>
+ #include <openssl/evp.h>
+ ]], [[
+ unsigned char buf[64];
+ memset(buf, 0, sizeof(buf));
+ exit(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519,
+ buf, sizeof(buf)) == NULL);
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([OPENSSL_HAS_ED25519], [1],
+ [libcrypto has ed25519 support])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ ]
+ )
fi
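Review bot: The ED25519 probe at L749–L767 is an `AC_LINK_IFELSE`, so the program is never executed and its `exit(... == NULL)` result is irrelevant; only the presence of `EVP_PKEY_new_raw_private_key` and `EVP_PKEY_ED25519` at link time is tested. The 64-byte zero buffer reinforces the impression of a runtime check (an Ed25519 raw private key is 32 bytes, so the call would likely be rejected if it ever ran). A short comment makes the contract explicit: `# Link test only: the program is not run, it just has to resolve EVP_PKEY_new_raw_private_key and EVP_PKEY_ED25519.` The enclosing `if test "x$openssl" = "xyes"` block starts outside the hunk.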
# PKCS11/U2F depend on OpenSSL and dlopen().
@@ -3263,8 +3294,7 @@ fi
AC_MSG_RESULT([$enable_sk])
# Now check for built-in security key support.
-if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
- AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
use_pkgconfig_for_libfido2=
if test "x$PKGCONFIG" != "xno"; then
AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
@@ -3282,33 +3312,45 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
LIBFIDO2="-lprivatefido2 -lprivatecbor"
fi
OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
+ fido2_error=
AC_CHECK_LIB([privatefido2], [fido_init],
- [
- AC_SUBST([LIBFIDO2])
- AC_DEFINE([ENABLE_SK_INTERNAL], [],
- [Enable for built-in U2F/FIDO support])
- enable_sk="built-in"
- ], [ AC_MSG_ERROR([no usable libprivatefido2 found]) ],
+ [ ],
+ [ fido2_error="missing/unusable libfido2" ],
[ $OTHERLIBS ]
)
- saved_LIBS="$LIBS"
- LIBS="$LIBS $LIBFIDO2"
- AC_CHECK_FUNCS([ \
- fido_assert_set_clientdata \
- fido_cred_prot \
- fido_cred_set_prot \
- fido_cred_set_clientdata \
- fido_dev_get_touch_begin \
- fido_dev_get_touch_status \
- fido_dev_supports_cred_prot \
- ])
- LIBS="$saved_LIBS"
AC_CHECK_HEADER([fido.h], [],
- AC_MSG_ERROR([missing fido.h from libfido2]))
+ [ fido2_error="missing fido.h from libfido2" ])
AC_CHECK_HEADER([fido/credman.h], [],
- AC_MSG_ERROR([missing fido/credman.h from libfido2]),
- [#include <fido.h>]
+ [ fido2_error="missing fido/credman.h from libfido2" ],
+ [ #include <fido.h> ]
)
+ AC_MSG_CHECKING([for usable libfido2 installation])
+ if test ! -z "$fido2_error" ; then
+ AC_MSG_RESULT([$fido2_error])
+ if test "x$enable_sk_internal" = "xyes" ; then
+ AC_MSG_ERROR([No usable libfido2 library/headers found])
+ fi
+ LIBFIDO2=""
+ else
+ AC_MSG_RESULT([yes])
+ AC_SUBST([LIBFIDO2])
+ AC_DEFINE([ENABLE_SK_INTERNAL], [],
+ [Enable for built-in U2F/FIDO support])
+ enable_sk="built-in"
+ saved_LIBS="$LIBS"
+ LIBS="$LIBFIDO2 $LIBS"
+ AC_CHECK_FUNCS([ \
+ fido_assert_set_clientdata \
+ fido_cred_prot \
+ fido_cred_set_prot \
+ fido_cred_set_clientdata \
+ fido_dev_get_touch_begin \
+ fido_dev_get_touch_status \
+ fido_dev_supports_cred_prot \
+ fido_dev_is_winhello \
+ ])
+ LIBS="$saved_LIBS"
+ fi
fi
AC_CHECK_FUNCS([ \
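Review bot: `fido2_error` (L783) is assigned, not appended, by each of the three checks at L792, L809 and L813, so when both the library and a header are missing only the last message survives into `AC_MSG_RESULT([$fido2_error])` at L818. Accumulating is a one-line change per site, e.g. `[ fido2_error="${fido2_error:+$fido2_error; }missing fido.h from libfido2" ]`. Also, the `fido/credman.h` check still runs after `fido.h` was reported missing, which is harmless but leaves a second confusing failure in config.log; skipping it when `fido2_error` is already set keeps the log readable.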
@@ -3317,17 +3359,6 @@ AC_CHECK_FUNCS([ \
arc4random_stir \
arc4random_uniform \
])
-
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([iaf], [ia_openinfo], [
- LIBS="$LIBS -liaf"
- AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
- AC_DEFINE([HAVE_LIBIAF], [1],
- [Define if system has libiaf that supports set_id])
- ])
-])
-LIBS="$saved_LIBS"
-
### Configure cryptographic random number support
# Check whether OpenSSL seeds itself
@@ -3444,6 +3475,26 @@ elif test "x$openssl" = "xno" ; then
else
AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
+LIBS="$nocrypto_saved_LIBS"
+
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([iaf], [ia_openinfo], [
+ LIBS="$LIBS -liaf"
+ AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
+ AC_DEFINE([HAVE_LIBIAF], [1],
+ [Define if system has libiaf that supports set_id])
+ ])
+])
+LIBS="$saved_LIBS"
+
+# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+ LIBS="-lcrypt $LIBS"
+ SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
# Check for PAM libs
PAM_MSG="no"
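Review bot: The libcrypt block at L878–L885 depends on `LIBS="$nocrypto_saved_LIBS"` at L866 having just taken `-lcrypto` (and any `-ldl`) out of LIBS — otherwise `AC_CHECK_LIB([crypt], [crypt])` could be satisfied by the crypt() that libcrypto used to provide, which is exactly what the removed per-platform `check_for_libcrypt_*` flags and their comments (L720–L727) worked around. That ordering is load-bearing and should be stated at the check: `# Must run with libcrypto out of LIBS (see nocrypto_saved_LIBS above) so crypt() is taken from libcrypt, not libcrypto.` Note that HAVE_CRYPT is defined while `-lcrypt` ends up only in SSHDLIBS, so any non-sshd binary calling crypt() would fail to link; the comment says only sshd needs it, which matches the visible changes.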
@@ -3571,6 +3622,26 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
)
fi
+AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
+#include <sys/types.h>
+#ifdef HAVE_POLL_H
+#include <poll.h>
+#endif
+#ifdef HAVE_SYS_POLL_H
+#include <sys/poll.h>
+#endif
+]])
+
+AC_CHECK_TYPES([nfds_t], , , [
+#include <sys/types.h>
+#ifdef HAVE_POLL_H
+#include <poll.h>
+#endif
+#ifdef HAVE_SYS_POLL_H
+#include <sys/poll.h>
+#endif
+])
+
# Decide which sandbox style to use
sandbox_arg=""
AC_ARG_WITH([sandbox],
@@ -3584,12 +3655,13 @@ AC_ARG_WITH([sandbox],
]
)
+if test "x$sandbox_arg" != "xno"; then
# POSIX specifies that poll() "shall fail with EINVAL if the nfds argument
# is greater than OPEN_MAX". On some platforms that includes implementions
-# ofselect in userspace on top of poll() so check both work with rlimit NOFILES
-# so check that both work before enabling the rlimit sandbox.
-AC_MSG_CHECKING([if select and/or poll works with descriptor rlimit])
-AC_RUN_IFELSE(
+# of select in userspace on top of poll() so check both work with rlimit
+# NOFILES so check that both work before enabling the rlimit sandbox.
+ AC_MSG_CHECKING([if select and/or poll works with descriptor rlimit])
+ AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
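Review bot: Inside the new `if test "x$sandbox_arg" != "xno"; then` block the `AC_MSG_CHECKING`/`AC_RUN_IFELSE` lines were re-indented (L926–L927) but the comment block at L918–L925 was left at column 0, so it reads as belonging outside the `if`. Indent the comment with the code it describes; the same applies to the closing `)` lines re-indented in the following hunks.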
@@ -3642,30 +3714,10 @@ AC_RUN_IFELSE(
select_works_with_rlimit=no],
[AC_MSG_WARN([cross compiling: assuming no])
select_works_with_rlimit=no]
-)
-
-AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
-#include <sys/types.h>
-#ifdef HAVE_POLL_H
-#include <poll.h>
-#endif
-#ifdef HAVE_SYS_POLL_H
-#include <sys/poll.h>
-#endif
-]])
-
-AC_CHECK_TYPES([nfds_t], , , [
-#include <sys/types.h>
-#ifdef HAVE_POLL_H
-#include <poll.h>
-#endif
-#ifdef HAVE_SYS_POLL_H
-#include <sys/poll.h>
-#endif
-])
+ )
-AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
-AC_RUN_IFELSE(
+ AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
+ AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
@@ -3688,10 +3740,10 @@ AC_RUN_IFELSE(
rlimit_nofile_zero_works=no],
[AC_MSG_WARN([cross compiling: assuming yes])
rlimit_nofile_zero_works=yes]
-)
+ )
-AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
-AC_RUN_IFELSE(
+ AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
+ AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
@@ -3707,7 +3759,8 @@ AC_RUN_IFELSE(
AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
[setrlimit RLIMIT_FSIZE works])],
[AC_MSG_WARN([cross compiling: assuming yes])]
-)
+ )
+fi
if test "x$sandbox_arg" = "xpledge" || \
( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
@@ -4329,7 +4382,7 @@ dnl test snprintf (broken on SCO w/gcc)
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
-main()
+int main(void)
{
char buf[50];
char expected_out[50];
@@ -4346,7 +4399,7 @@ main()
exit(0);
}
#else
-main() { exit(0); }
+int main(void) { exit(0); }
#endif
]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
AC_MSG_WARN([cross compiling: Assuming working snprintf()])
@@ -4395,6 +4448,16 @@ AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [sta
#include <resolv.h>
]])
+AC_CHECK_MEMBER([struct sockaddr_in.sin_len],
+ [AC_DEFINE([SOCK_HAS_LEN], [1], [sockaddr_in has sin_len])],
+ [],
+ [AC_LANG_SOURCE([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+ ]])]
+)
+
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
ac_cv_have_ss_family_in_struct_ss, [
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
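Review bot: The `struct sockaddr_in.sin_len` check at L1007–L1015 wraps its includes in `AC_LANG_SOURCE([[...]])`, whereas the file's other member and type checks (for instance `struct pollfd.fd` at L891) pass the includes as a plain `[[...]]` block, which is what `AC_CHECK_MEMBER`'s fourth argument expects. Both forms work in practice, but the inconsistency invites copy-paste; drop the wrapper so the fourth argument is just the three `#include` lines inside `[[...]]`.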
@@ -4712,7 +4775,6 @@ AC_ARG_WITH([kerberos5],
AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
KRB5_MSG="yes"
- AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
use_pkgconfig_for_krb5=
if test "x$PKGCONFIG" != "xno"; then
AC_MSG_CHECKING([if $PKGCONFIG knows about kerberos5])
@@ -4864,6 +4926,7 @@ AC_ARG_WITH([kerberos5],
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+AC_SUBST([CHANNELLIBS])
# Looking for programs, paths and files
@@ -5316,6 +5379,16 @@ AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
[Specify location of ssh.pid])
AC_SUBST([piddir])
+
+AC_ARG_ENABLE([fd-passing],
+ [ --disable-fd-passing disable file descriptor passsing [no]],
+ [
+ if test "x$enableval" = "xno" ; then
+ AC_DEFINE([DISABLE_FD_PASSING])
+ fi
+ ]
+)
+
dnl allow user to disable some login recording features
AC_ARG_ENABLE([lastlog],
[ --disable-lastlog disable use of lastlog even if detected [no]],
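Review bot: Typo in the new help string at L1038: `passsing` → `passing`; the line should read `[ --disable-fd-passing disable file descriptor passing [no]],`. The `AC_DEFINE([DISABLE_FD_PASSING])` at L1041 carries no value or description, unlike most defines this file adds; `AC_DEFINE([DISABLE_FD_PASSING], [1], [Disable file descriptor passing])` keeps config.h.in self-describing.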
@@ -5603,6 +5676,15 @@ AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
+# Binaries for interop tests.
+AC_PATH_PROG([PLINK], [plink])
+AC_PATH_PROG([PUTTYGEN], [puttygen])
+AC_PATH_PROG([CONCH], [conch])
+AC_PATH_PROG([DROPBEAR], [dropbear])
+AC_PATH_PROG([DBCLIENT], [dbclient])
+AC_PATH_PROG([DROPBEARKEY], [dropbearkey])
+AC_PATH_PROG([DROPBEARCONVERT], [dropbearconvert])
+
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
@@ -5681,6 +5763,12 @@ echo " Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
echo " Libraries: ${LIBS}"
+if test ! -z "${CHANNELLIBS}"; then
+echo " +for channels: ${CHANNELLIBS}"
+fi
+if test ! -z "${LIBFIDO2}"; then
+echo " +for FIDO2: ${LIBFIDO2}"
+fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi