path: root/configure.ac
Commit message | Author | Age | Files | Lines
* put back SSLeay_version compat in configure test | Damien Miller | 2023-03-24 | 1 | -1/+10
  Needed to detect old versions and give good "your version is bad" messages at configure time; spotted by dtucker@
* remove support for old libcrypto | Damien Miller | 2023-03-24 | 1 | -66/+30
  OpenSSH now requires LibreSSL 3.1.0 or greater or OpenSSL 1.1.1 or greater
  with/ok dtucker@
* fix libfido2 detection without pkg-config | Damien Miller | 2023-02-01 | 1 | -1/+1
  Place libfido2 before additional libraries (that it may depend upon) and not after. bz3530 from James Zhang; ok dtucker@
* Use autoconf to find openssl binary. | Darren Tucker | 2023-01-07 | 1 | -5/+3
  It's possible to install an OpenSSL in a path not in the system's default library search path. OpenSSH can still use this (eg if you specify an rpath) but the openssl binary there may not work. If one is available on the system path just use that.
* Check openssl_bin path is executable before using. | Darren Tucker | 2023-01-07 | 1 | -3/+5
* Set OPENSSL_BIN from OpenSSL directory. | Darren Tucker | 2023-01-06 | 1 | -0/+6
* Fix typo in comment. Spotted by tim@ | Darren Tucker | 2022-12-06 | 1 | -1/+1
* Use -fzero-call-used-regs=used on clang 15. | Darren Tucker | 2022-11-30 | 1 | -12/+23
  clang 15 seems to have a problem with -fzero-call-used-regs=all which causes spurious "incorrect signature" failures with ED25519. On those versions, use -fzero-call-used-regs=used instead. (We may add exceptions later if specific versions prove to be OK). Also move the GCC version check to match. Initial investigation by Daniel Pouzzner (douzzer at mega nu), workaround suggested by Bill Wendling (morbo at google com). bz#3475, ok djm@
* If we haven't found it yet, recheck for sys/stat.h. | Darren Tucker | 2022-11-23 | 1 | -1/+8
  On some very old platforms, sys/stat.h needs sys/types.h, however autoconf 2.71's AC_CHECK_INCLUDES_DEFAULT checks for them in the opposite order, which in combination with modern autoconf's "present but cannot be compiled" behaviour causes it to not be detected.
* Fix setres*id checks to work with clang-16. | Darren Tucker | 2022-11-07 | 1 | -3/+6
  glibc has the prototypes for setresuid and setresgid behind _GNU_SOURCE, and clang 16 will error out on implicit function definitions, so add _GNU_SOURCE and the required headers to the configure checks. From sam at @gentoo.org via bz#3497.
* configure.ac: Fix -Wstrict-prototypes | Sam James | 2022-11-06 | 1 | -4/+4
  Clang 16 now warns on this and it'll be removed in C23, so let's just be future proof. It also reduces noise when doing general Clang 16 porting work (which is a big job as it is). github PR#355.
  Signed-off-by: Sam James <sam@gentoo.org>
* configure.ac: Add <pty.h> include for openpty | Sam James | 2022-11-06 | 1 | -0/+3
  Another Clang 16ish fix (which makes -Wimplicit-function-declaration an error by default). github PR#355.
  See: 2efd71da49b9cfeab7987058cf5919e473ff466b
  See: be197635329feb839865fdc738e34e24afd1fca8
* Check for sockaddr_in.sin_len. | Darren Tucker | 2022-11-02 | 1 | -0/+10
  If found, set SOCK_HAS_LEN which is used in addr.c. Should fix keyscan tests on platforms with this (eg old NetBSD).
* OpenSSL dev branch is 302 not 320. | Darren Tucker | 2022-10-31 | 1 | -1/+1
  While there, also accept 301 which is what it was previously.
* OpenSSL dev branch now identifies as 3.2.0. | Darren Tucker | 2022-10-18 | 1 | -1/+1
* Fix snprintf configure test for clang 15 | Harmen Stoppels | 2022-10-14 | 1 | -3/+3
  Clang 15 -Wimplicit-int defaults to an error in C99 mode and above. A handful of tests have "main(..." and not "int main(..." which caused the tests to produce incorrect results.
* Add a timegm implementation from Heimdal via Samba. | Darren Tucker | 2022-08-11 | 1 | -0/+1
  Fixes build on (at least) Solaris 10.
* compat code for fido_dev_is_winhello() | Corinna Vinschen | 2022-08-05 | 1 | -0/+1
  Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
* Factor out getrnd() and rename to getentropy(). | Darren Tucker | 2022-08-05 | 1 | -1/+2
  Factor out the arc4random seeding into its own file and change the interface to match getentropy. Use native getentropy if available. This will make it easier to resync OpenBSD changes to arc4random. Prompted by bz#3467, ok djm@.
* Include CHANNEL and FIDO2 libs in configure output | Darren Tucker | 2022-08-04 | 1 | -0/+6
* Move stale-configure check as early as possible. | Darren Tucker | 2022-07-27 | 1 | -0/+8
  We added a check in Makefile to catch the case where configure needs to be rebuilt, however this did not happen until a build was attempted in which case all of the work done by configure was wasted. Move this check to the start of configure to catch it as early as possible. ok djm@
* Move libcrypto into CHANNELLIBS. | Darren Tucker | 2022-07-27 | 1 | -3/+4
  This will result in sftp, sftp-server and scp no longer being linked against libcrypto. ok djm@
* Group libcrypto and PRNGD checks together. | Darren Tucker | 2022-07-27 | 1 | -20/+20
  They're related more than the libcrypt or libiaf checks which are currently between them. ok djm@
* Do not link scp, sftp and sftp-server w/ zlib. | Darren Tucker | 2022-07-27 | 1 | -5/+9
  Some of our binaries (eg sftp, sftp-server, scp) do not interact with the channels code and thus do use libraries such as zlib and libcrypto although they are linked with them. This adds a CHANNELLIBS and starts by moving zlib into it, which means the aforementioned binaries are no longer linked against zlib. ok djm@
* Remove workarounds for OpenSSL missing AES-CTR. | Darren Tucker | 2022-07-25 | 1 | -22/+0
  We have some compatibility hacks that were added to support OpenSSL versions that do not support AES CTR mode. Since that time, however, the minimum OpenSSL version that we support has moved to 1.0.1 which *does* have CTR, so this is no longer needed. ok djm@
* Remove workarounds for OpenSSL missing AES-GCM. | Darren Tucker | 2022-07-25 | 1 | -30/+0
  We have some compatibility hacks that were added to support OpenSSL versions that do not support AES GCM mode. Since that time, however, the minimum OpenSSL version that we support has moved to 1.0.1 which *does* have GCM, so this is no longer needed. ok djm@
* Add AUDIT_ARCH_PPC to supported seccomp arches. | Darren Tucker | 2022-07-15 | 1 | -0/+3
  Patch from dries.deschout at dodeco.eu.
* Remove special casing of crypt(). | Darren Tucker | 2022-07-13 | 1 | -24/+11
  Configure goes to some lengths to pick crypt() from either libcrypt or OpenSSL's libcrypto because they can be more or less featureful (eg supporting md5-style passwords). OpenSSL removed its crypt() interface in 2002: https://github.com/openssl/openssl/commit/69deec58 so these hijinks should no longer be necessary. This also only links sshd with libcrypt which is the only thing that needs it. ok djm@
* Only refuse to use OpenSSL 3.0.4 on x86_64. | Darren Tucker | 2022-07-13 | 1 | -1/+9
  The potential RCE only impacts x86_64, so only refuse to use it if we're targeting a potentially impacted architecture. ok djm@
* Refuse to use OpenSSL 3.0.4 due to potential RCE. | Darren Tucker | 2022-07-12 | 1 | -0/+1
  OpenSSL has a potential RCE in its RSA implementation (CVE-2022-2274) so refuse to use that specific version.
* Skip all rlimit tests when sandboxing disabled. | Darren Tucker | 2022-07-03 | 1 | -11/+9
  The rlimit tests can hang when being run with some compiler sanitizers so skip all of them if sandbox=no.
* Move checks for pollfd.fd and nfds_t. | Darren Tucker | 2022-07-03 | 1 | -20/+20
  Move the checks for struct pollfd.fd and nfds_t to before the sandboxing checks. This groups all the sandbox checks together so we can skip them all when sandboxing is disabled.
* Skip select+rlimit check if sandboxing is disabled | Darren Tucker | 2022-07-01 | 1 | -4/+8
  It's not needed in that case, and the test can fail when being built with some compiler memory sanitizer flags. bz#3441
* Zero out LIBFIDO2 when SK support not usable. | Darren Tucker | 2022-06-25 | 1 | -1/+1
  Prevents us from trying to link them into ssh-sk-helper and failing to build.
* Disable SK support if FIDO libs not found. | Darren Tucker | 2022-06-25 | 1 | -0/+1
* fix broken case statement in previous | Damien Miller | 2022-06-24 | 1 | -0/+1
* request 1.1x API compatibility for OpenSSL >=3.x | Damien Miller | 2022-06-24 | 1 | -2/+7
  idea/patch from Pedro Martelletto via GHPR#322; ok dtucker@
* automatically enable built-in FIDO support | Damien Miller | 2022-06-24 | 1 | -31/+34
  If libfido2 is found and usable, then enable the built-in security key support unless --without-security-key-builtin was requested. ok dtucker@
* configure.ac: Add missing AC_DEFINE for caph_cache_tzdata test causing | Tim Rice | 2022-05-24 | 1 | -1/+5
  HAVE_CAPH_CACHE_TZDATA to be missing from config.h.in. Spotted by Bryan Drewery
* Cache timezone data in capsicum sandbox. | Darren Tucker | 2022-04-23 | 1 | -1/+9
  From emaste at freebsd.org, originally part of FreeBSD commit r339216 / fc3c19a9 with autoconf bits added by me.
* Use bash or ksh if available for SH in Makefile. | Darren Tucker | 2022-04-01 | 1 | -0/+2
* Provide killpg implementation. | Darren Tucker | 2022-03-09 | 1 | -0/+1
  Based on github PR#301 for Tandem NonStop.
* Check for missing ftruncate prototype. | Darren Tucker | 2022-03-09 | 1 | -0/+6
  From github PR#301 in conjunction with rsbeckerca.
* Default to not using sandbox when cross compiling. | Darren Tucker | 2022-03-08 | 1 | -2/+2
  On most systems poll(2) does not work when the number of FDs is reduced with setrlimit, so assume it doesn't when cross compiling and we can't run the test. bz#3398.
* Extend select+rlimit sandbox test to include poll. | Darren Tucker | 2022-02-22 | 1 | -5/+23
  POSIX specifies that poll() shall fail if "nfds argument is greater than {OPEN_MAX}". The setrlimit sandbox sets this to effectively zero so this causes poll() to fail in the preauth privsep process. This is likely the underlying cause for the previously observed similar behaviour of select() on platforms where it is implemented in userspace on top of poll().
* Include sys/param.h if present. | Darren Tucker | 2022-02-22 | 1 | -0/+1
  Needed for howmany() on MUSL systems such as Alpine.
* minix needs BROKEN_POLL too; chokes on /dev/null | Damien Miller | 2022-02-17 | 1 | -0/+3
* Simplify handling of --with-ssl-dir. | Darren Tucker | 2022-02-11 | 1 | -15/+9
  ok djm@
* compat code for fido_assert_set_clientdata() | Damien Miller | 2022-02-07 | 1 | -0/+1
* upstream: use libfido2 1.8.0+ fido_assert_set_clientdata() instead | djm@openbsd.org | 2022-02-07 | 1 | -0/+1
  of manually hashing data ourselves. Saves a fair bit of code and makes life easier for some -portable platforms.
  OpenBSD-Commit-ID: 351dfaaa5ab1ee928c0e623041fca28078cff0e0