AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
+use_stack_protector=1
+AC_ARG_WITH(stackprotect,
+ [ --without-stackprotect Don't use compiler's stack protection], [
+ if test "x$withval" = "xno"; then
+ use_stack_protector=0
+ fi ])
+
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
- 1.*) ;;
- 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
- 2.*) ;;
+ 1.*) no_attrib_nonnull=1 ;;
+ 2.8* | 2.9*)
+ CFLAGS="$CFLAGS -Wsign-compare"
+ no_attrib_nonnull=1
+ ;;
+ 2.*) no_attrib_nonnull=1 ;;
3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
*) ;;
esac
+ # -fstack-protector-all doesn't always work for some GCC versions
+ # and/or platforms, so we test if we can. If it's not supported
+ # on a give platform gcc will emit a warning so we use -Werror.
+ if test "x$use_stack_protector" = "x1"; then
+ for t in -fstack-protector-all -fstack-protector; do
+ AC_MSG_CHECKING(if $CC supports $t)
+ saved_CFLAGS="$CFLAGS"
+ saved_LDFLAGS="$LDFLAGS"
+ CFLAGS="$CFLAGS $t -Werror"
+ LDFLAGS="$LDFLAGS $t -Werror"
+ AC_LINK_IFELSE(
+ [AC_LANG_SOURCE([
+#include <stdlib.h>
+int main(void){return 0;}
+ ])],
+ [ AC_MSG_RESULT(yes)
+ CFLAGS="$saved_CFLAGS $t"
+ LDFLAGS="$saved_LDFLAGS $t"
+ AC_MSG_CHECKING(if $t works)
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([
+#include <stdlib.h>
+int main(void){exit(0);}
+ ])],
+ [ AC_MSG_RESULT(yes)
+ break ],
+ [ AC_MSG_RESULT(no) ],
+ [ AC_MSG_WARN([cross compiling: cannot test])
+ break ]
+ )
+ ],
+ [ AC_MSG_RESULT(no) ]
+ )
+ CFLAGS="$saved_CFLAGS"
+ LDFLAGS="$saved_LDFLAGS"
+ done
+ fi
+
if test -z "$have_llong_max"; then
# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
unset ac_cv_have_decl_LLONG_MAX
fi
fi
+if test "x$no_attrib_nonnull" != "x1" ; then
+ AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull])
+fi
+
AC_ARG_WITH(rpath,
[ --without-rpath Disable auto-added -R linker paths],
[
]
)
+# Allow user to specify flags
+AC_ARG_WITH(cflags,
+ [ --with-cflags Specify additional flags to pass to compiler],
+ [
+ if test -n "$withval" && test "x$withval" != "xno" && \
+ test "x${withval}" != "xyes"; then
+ CFLAGS="$CFLAGS $withval"
+ fi
+ ]
+)
+AC_ARG_WITH(cppflags,
+ [ --with-cppflags Specify additional flags to pass to preprocessor] ,
+ [
+ if test -n "$withval" && test "x$withval" != "xno" && \
+ test "x${withval}" != "xyes"; then
+ CPPFLAGS="$CPPFLAGS $withval"
+ fi
+ ]
+)
+AC_ARG_WITH(ldflags,
+ [ --with-ldflags Specify additional flags to pass to linker],
+ [
+ if test -n "$withval" && test "x$withval" != "xno" && \
+ test "x${withval}" != "xyes"; then
+ LDFLAGS="$LDFLAGS $withval"
+ fi
+ ]
+)
+AC_ARG_WITH(libs,
+ [ --with-libs Specify additional libraries to link with],
+ [
+ if test -n "$withval" && test "x$withval" != "xno" && \
+ test "x${withval}" != "xyes"; then
+ LIBS="$LIBS $withval"
+ fi
+ ]
+)
+AC_ARG_WITH(Werror,
+ [ --with-Werror Build main code with -Werror],
+ [
+ if test -n "$withval" && test "x$withval" != "xno"; then
+ werror_flags="-Werror"
+ if test "x${withval}" != "xyes"; then
+ werror_flags="$withval"
+ fi
+ fi
+ ]
+)
+
+AC_CHECK_HEADERS( \
+ bstring.h \
+ crypt.h \
+ crypto/sha2.h \
+ dirent.h \
+ endian.h \
+ features.h \
+ fcntl.h \
+ floatingpoint.h \
+ getopt.h \
+ glob.h \
+ ia.h \
+ iaf.h \
+ limits.h \
+ login.h \
+ maillock.h \
+ ndir.h \
+ net/if_tun.h \
+ netdb.h \
+ netgroup.h \
+ pam/pam_appl.h \
+ paths.h \
+ poll.h \
+ pty.h \
+ readpassphrase.h \
+ rpc/types.h \
+ security/pam_appl.h \
+ sha2.h \
+ shadow.h \
+ stddef.h \
+ stdint.h \
+ string.h \
+ strings.h \
+ sys/audit.h \
+ sys/bitypes.h \
+ sys/bsdtty.h \
+ sys/cdefs.h \
+ sys/dir.h \
+ sys/mman.h \
+ sys/ndir.h \
+ sys/poll.h \
+ sys/prctl.h \
+ sys/pstat.h \
+ sys/select.h \
+ sys/stat.h \
+ sys/stream.h \
+ sys/stropts.h \
+ sys/strtio.h \
+ sys/sysmacros.h \
+ sys/time.h \
+ sys/timers.h \
+ sys/un.h \
+ time.h \
+ tmpdir.h \
+ ttyent.h \
+ ucred.h \
+ unistd.h \
+ usersec.h \
+ util.h \
+ utime.h \
+ utmp.h \
+ utmpx.h \
+ vis.h \
+)
+
+# lastlog.h requires sys/time.h to be included first on Solaris
+AC_CHECK_HEADERS(lastlog.h, [], [], [
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+])
+
+# sys/ptms.h requires sys/stream.h to be included first on Solaris
+AC_CHECK_HEADERS(sys/ptms.h, [], [], [
+#ifdef HAVE_SYS_STREAM_H
+# include <sys/stream.h>
+#endif
+])
+
+# login_cap.h requires sys/types.h on NetBSD
+AC_CHECK_HEADERS(login_cap.h, [], [], [
+#include <sys/types.h>
+])
+
# Messages for features tested for in target-specific section
SIA_MSG="no"
SPC_MSG="no"
[],
[#include <usersec.h>]
)
- AC_CHECK_FUNCS(setauthdb)
+ AC_CHECK_FUNCS(getgrset setauthdb)
AC_CHECK_DECL(F_CLOSEM,
AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
[],
;;
*-*-cygwin*)
check_for_libcrypt_later=1
- LIBS="$LIBS /usr/lib/textmode.o"
+ LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
AC_DEFINE(DISABLE_SHADOW, 1,
AC_DEFINE(BROKEN_SETREGID)
;;
*-*-darwin*)
- AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
+ AC_DEFINE(BROKEN_GETADDRINFO, 1, [Define if getaddrinfo is broken)])
+ AC_DEFINE(BROKEN_GETADDRINFO)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
+ AC_DEFINE(BROKEN_GLOB, 1, [OS X glob does not do what we expect])
AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
[Define if your resolver libs need this for getrrsetbyname])
AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
[Prepend the address family to IP tunnel traffic])
+ m4_pattern_allow(AU_IPv)
+ AC_CHECK_DECL(AU_IPv4, [],
+ AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
+ [#include <bsm/audit.h>]
+ )
AC_MSG_CHECKING(if we have the Security Authorization Session API)
AC_TRY_COMPILE([#include <Security/AuthSession.h>],
[SessionCreate(0, 0);],
fi],
[AC_MSG_RESULT(no)]
)
- ;;
+ ;;
*-*-dragonfly*)
SSHDLIBS="$SSHDLIBS -lcrypt"
;;
AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
AC_CHECK_HEADER([net/if_tap.h], ,
AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
+ AC_DEFINE(BROKEN_GLOB, 1, [FreeBSD glob does not do what we need])
;;
*-*-bsdi*)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
AC_DEFINE(DISABLE_LASTLOG)
AC_DEFINE(SSHD_ACQUIRES_CTTY)
+ AC_DEFINE(BROKEN_SHADOW_EXPIRE, 1, [QNX shadow support is broken])
enable_etc_default_login=no # has incompatible /etc/default/login
+ case "$host" in
+ *-*-nto-qnx6*)
+ AC_DEFINE(DISABLE_FD_PASSING)
+ ;;
+ esac
;;
*-*-ultrix*)
;;
esac
-# Allow user to specify flags
-AC_ARG_WITH(cflags,
- [ --with-cflags Specify additional flags to pass to compiler],
- [
- if test -n "$withval" && test "x$withval" != "xno" && \
- test "x${withval}" != "xyes"; then
- CFLAGS="$CFLAGS $withval"
- fi
- ]
-)
-AC_ARG_WITH(cppflags,
- [ --with-cppflags Specify additional flags to pass to preprocessor] ,
- [
- if test -n "$withval" && test "x$withval" != "xno" && \
- test "x${withval}" != "xyes"; then
- CPPFLAGS="$CPPFLAGS $withval"
- fi
- ]
-)
-AC_ARG_WITH(ldflags,
- [ --with-ldflags Specify additional flags to pass to linker],
- [
- if test -n "$withval" && test "x$withval" != "xno" && \
- test "x${withval}" != "xyes"; then
- LDFLAGS="$LDFLAGS $withval"
- fi
- ]
-)
-AC_ARG_WITH(libs,
- [ --with-libs Specify additional libraries to link with],
- [
- if test -n "$withval" && test "x$withval" != "xno" && \
- test "x${withval}" != "xyes"; then
- LIBS="$LIBS $withval"
- fi
- ]
-)
-AC_ARG_WITH(Werror,
- [ --with-Werror Build main code with -Werror],
- [
- if test -n "$withval" && test "x$withval" != "xno"; then
- werror_flags="-Werror"
- if test "x${withval}" != "xyes"; then
- werror_flags="$withval"
- fi
- fi
- ]
-)
-
AC_MSG_CHECKING(compiler and flags for sanity)
AC_RUN_IFELSE(
[AC_LANG_SOURCE([
)
dnl Checks for header files.
-AC_CHECK_HEADERS( \
- bstring.h \
- crypt.h \
- crypto/sha2.h \
- dirent.h \
- endian.h \
- features.h \
- fcntl.h \
- floatingpoint.h \
- getopt.h \
- glob.h \
- ia.h \
- iaf.h \
- limits.h \
- login.h \
- maillock.h \
- ndir.h \
- net/if_tun.h \
- netdb.h \
- netgroup.h \
- pam/pam_appl.h \
- paths.h \
- pty.h \
- readpassphrase.h \
- rpc/types.h \
- security/pam_appl.h \
- sha2.h \
- shadow.h \
- stddef.h \
- stdint.h \
- string.h \
- strings.h \
- sys/audit.h \
- sys/bitypes.h \
- sys/bsdtty.h \
- sys/cdefs.h \
- sys/dir.h \
- sys/mman.h \
- sys/ndir.h \
- sys/prctl.h \
- sys/pstat.h \
- sys/select.h \
- sys/stat.h \
- sys/stream.h \
- sys/stropts.h \
- sys/strtio.h \
- sys/sysmacros.h \
- sys/time.h \
- sys/timers.h \
- sys/un.h \
- time.h \
- tmpdir.h \
- ttyent.h \
- unistd.h \
- usersec.h \
- util.h \
- utime.h \
- utmp.h \
- utmpx.h \
- vis.h \
-)
-
-# lastlog.h requires sys/time.h to be included first on Solaris
-AC_CHECK_HEADERS(lastlog.h, [], [], [
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-])
-
-# sys/ptms.h requires sys/stream.h to be included first on Solaris
-AC_CHECK_HEADERS(sys/ptms.h, [], [], [
-#ifdef HAVE_SYS_STREAM_H
-# include <sys/stream.h>
-#endif
-])
-
-# login_cap.h requires sys/types.h on NetBSD
-AC_CHECK_HEADERS(login_cap.h, [], [], [
-#include <sys/types.h>
-])
-
# Checks for libraries.
AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
if test -x ${gsi_path}/bin/globus-makefile-header ; then
- GSI_LIBS=`${gsi_path}/bin/globus-makefile-header --flavor=${globus_flavor_type} ${gsi_static} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
+ ${gsi_path}/bin/globus-makefile-header --flavor=${globus_flavor_type} ${gsi_static} globus_gss_assist | sed 's/ = \(.*\)/="\1"/' > ./gpt_build_tmp.sh
elif test -x ${gsi_path}/sbin/globus-makefile-header ; then
- GSI_LIBS=`${gsi_path}/sbin/globus-makefile-header --flavor=${globus_flavor_type} ${gsi_static} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
+ ${gsi_path}/sbin/globus-makefile-header --flavor=${globus_flavor_type} ${gsi_static} globus_gss_assist | sed 's/ = \(.*\)/="\1"/' > ./gpt_build_tmp.sh
else
AC_MSG_ERROR(Cannot find globus-makefile-header: Globus installation is incomplete)
fi
+ . ./gpt_build_tmp.sh
if test -n "${need_dash_r}"; then
- GSI_LDFLAGS="-L${gsi_path}/lib -R{gsi_path}/lib"
+ GSI_LDFLAGS="-L${gsi_path}/lib -R${gsi_path}/lib"
else
GSI_LDFLAGS="-L${gsi_path}/lib"
fi
- if test -z "$GSI_LIBS" ; then
+ if test -z "$GLOBUS_PKG_LIBS" ; then
AC_MSG_ERROR(globus-makefile-header failed)
fi
AC_DEFINE(HAVE_GSSAPI_H)
- LIBS="$LIBS $GSI_LIBS"
+ LIBS="$LIBS $GLOBUS_LIBS $GLOBUS_PKG_LIBS"
LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
fi
- LIBWRAP="-lwrap"
- LIBS="$LIBWRAP $LIBS"
+ LIBS="-lwrap $LIBS"
AC_MSG_CHECKING(for libwrap)
AC_TRY_LINK(
[
AC_DEFINE(LIBWRAP, 1,
[Define if you want
TCP Wrappers support])
- AC_SUBST(LIBWRAP)
+ SSHDLIBS="$SSHDLIBS -lwrap"
TCPW_MSG="yes"
],
[
AC_CHECK_FUNCS(getaudit, [],
[AC_MSG_ERROR(BSM enabled and required function not found)])
# These are optional
- AC_CHECK_FUNCS(getaudit_addr)
+ AC_CHECK_FUNCS(getaudit_addr aug_get_machine)
AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
;;
debug)
getnameinfo \
getopt \
getpeereid \
+ getpeerucred \
_getpty \
getrlimit \
getttyent \
ogetaddrinfo \
openlog_r \
openpty \
+ poll \
prctl \
pstat \
readpassphrase \
strtonum \
strtoll \
strtoul \
+ swap32 \
sysconf \
tcgetpgrp \
truncate \
#include <unistd.h>
])
+AC_CHECK_DECLS(MAXSYMLINKS, , , [
+#include <sys/param.h>
+ ])
+
+AC_CHECK_DECLS(offsetof, , , [
+#include <stddef.h>
+ ])
+
AC_CHECK_FUNCS(setresuid, [
dnl Some platorms have setresuid that isn't implemented, test for this
AC_MSG_CHECKING(if setresuid seems to work)
# Check for missing getpeereid (or equiv) support
NO_PEERCHECK=""
-if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
AC_TRY_COMPILE(
[#include <sys/types.h>
fi
]
)
-if test -z "$GSI_LIBS" ; then
+if test -z "$GSI_LDFLAGS" ; then
LIBS="-lcrypto $LIBS"
fi
AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
]
)
+AC_ARG_WITH(openssl-header-check,
+ [ --without-openssl-header-check Disable OpenSSL version consistency check],
+ [ if test "x$withval" = "xno" ; then
+ openssl_check_nonfatal=1
+ fi
+ ]
+)
+
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
],
[
AC_MSG_RESULT(no)
- AC_MSG_ERROR([Your OpenSSL headers do not match your library.
-Check config.log for details.
+ if test "x$openssl_check_nonfatal" = "x"; then
+ AC_MSG_ERROR([Your OpenSSL headers do not match your
+library. Check config.log for details.
+If you are sure your installation is consistent, you can disable the check
+by running "./configure --without-openssl-header-check".
+Also see contrib/findssl.sh for help identifying header/library mismatches.
+])
+ else
+ AC_MSG_WARN([Your OpenSSL headers do not match your
+library. Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.])
+ fi
],
[
AC_MSG_WARN([cross compiling: not checking])
AC_TRY_COMPILE(
[ #include <openssl/engine.h>],
[
-int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();}
+ENGINE_load_builtin_engines();ENGINE_register_all_complete();
],
[ AC_MSG_RESULT(yes)
AC_DEFINE(USE_OPENSSL_ENGINE, 1,
# Search for SHA256 support in libc and/or OpenSSL
AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
-AC_CHECK_LIB(iaf, ia_openinfo)
+saved_LIBS="$LIBS"
+AC_CHECK_LIB(iaf, ia_openinfo, [
+ LIBS="$LIBS -liaf"
+ AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"
+ AC_DEFINE(HAVE_LIBIAF, 1,
+ [Define if system has libiaf that supports set_id])
+ ])
+])
+LIBS="$saved_LIBS"
### Configure cryptographic random number support
PAM_MSG="yes"
- LIBPAM="-lpam"
+ SSHDLIBS="$SSHDLIBS -lpam"
AC_DEFINE(USE_PAM, 1,
[Define if you want to enable PAM support])
# libdl already in LIBS
;;
*)
- LIBPAM="$LIBPAM -ldl"
+ SSHDLIBS="$SSHDLIBS -ldl"
;;
esac
fi
- AC_SUBST(LIBPAM)
fi
]
)
[#include <arpa/nameser.h>])
])
+AC_MSG_CHECKING(if struct __res_state _res is an extern)
+AC_LINK_IFELSE([
+#include <stdio.h>
+#if HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+extern struct __res_state _res;
+int main() { return 0; }
+ ],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE__RES_EXTERN, 1,
+ [Define if you have struct __res_state _res as an extern])
+ ],
+ [ AC_MSG_RESULT(no) ]
+)
+
# Check whether user wants SELinux support
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH(selinux,
- [ --with-selinux Enable SELinux support],
+ [ --with-selinux Enable SELinux support],
[ if test "x$withval" != "xno" ; then
+ save_LIBS="$LIBS"
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
SELINUX_MSG="yes"
AC_CHECK_HEADER([selinux/selinux.h], ,
AC_MSG_ERROR(SELinux support requires selinux.h header))
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
AC_MSG_ERROR(SELinux support requires libselinux library))
+ SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ LIBS="$save_LIBS"
fi ]
)
-AC_SUBST(LIBSELINUX)
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
echo " Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
-echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
+echo " Libraries: ${LIBS}"
+if test ! -z "${SSHDLIBS}"; then
+echo " +for sshd: ${SSHDLIBS}"
+fi
echo ""
fi
if test ! -z "$NO_PEERCHECK" ; then
- echo "WARNING: the operating system that you are using does not "
- echo "appear to support either the getpeereid() API nor the "
- echo "SO_PEERCRED getsockopt() option. These facilities are used to "
- echo "enforce security checks to prevent unauthorised connections to "
- echo "ssh-agent. Their absence increases the risk that a malicious "
- echo "user can connect to your agent. "
+ echo "WARNING: the operating system that you are using does not"
+ echo "appear to support getpeereid(), getpeerucred() or the"
+ echo "SO_PEERCRED getsockopt() option. These facilities are used to"
+ echo "enforce security checks to prevent unauthorised connections to"
+ echo "ssh-agent. Their absence increases the risk that a malicious"
+ echo "user can connect to your agent."
echo ""
fi