X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/1d42bcce36765e99927c432f171e1c52469f7db7..6ed8a3aebd733959924f545eba312fbf3827c271:/configure.ac diff --git a/configure.ac b/configure.ac index a07aa3c3..f3709b4f 100644 --- a/configure.ac +++ b/configure.ac @@ -90,18 +90,78 @@ AC_C_INLINE AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include ]) +use_stack_protector=1 +AC_ARG_WITH(stackprotect, + [ --without-stackprotect Don't use compiler's stack protection], [ + if test "x$withval" = "xno"; then + use_stack_protector=0 + fi ]) + if test "$GCC" = "yes" || test "$GCC" = "egcs"; then CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` case $GCC_VER in - 1.*) ;; - 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; - 2.*) ;; + 1.*) no_attrib_nonnull=1 ;; + 2.8* | 2.9*) + CFLAGS="$CFLAGS -Wsign-compare" + no_attrib_nonnull=1 + ;; + 2.*) no_attrib_nonnull=1 ;; 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;; 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;; *) ;; esac + AC_MSG_CHECKING(if $CC accepts -fno-builtin-memset) + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-builtin-memset" + AC_LINK_IFELSE( [AC_LANG_SOURCE([[ +#include +int main(void){char b[10]; memset(b, 0, sizeof(b));} + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + CFLAGS="$saved_CFLAGS" ] +) + + # -fstack-protector-all doesn't always work for some GCC versions + # and/or platforms, so we test if we can. If it's not supported + # on a give platform gcc will emit a warning so we use -Werror. + if test "x$use_stack_protector" = "x1"; then + for t in -fstack-protector-all -fstack-protector; do + AC_MSG_CHECKING(if $CC supports $t) + saved_CFLAGS="$CFLAGS" + saved_LDFLAGS="$LDFLAGS" + CFLAGS="$CFLAGS $t -Werror" + LDFLAGS="$LDFLAGS $t -Werror" + AC_LINK_IFELSE( + [AC_LANG_SOURCE([ +#include +int main(void){return 0;} + ])], + [ AC_MSG_RESULT(yes) + CFLAGS="$saved_CFLAGS $t" + LDFLAGS="$saved_LDFLAGS $t" + AC_MSG_CHECKING(if $t works) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include +int main(void){exit(0);} + ])], + [ AC_MSG_RESULT(yes) + break ], + [ AC_MSG_RESULT(no) ], + [ AC_MSG_WARN([cross compiling: cannot test]) + break ] + ) + ], + [ AC_MSG_RESULT(no) ] + ) + CFLAGS="$saved_CFLAGS" + LDFLAGS="$saved_LDFLAGS" + done + fi + if test -z "$have_llong_max"; then # retry LLONG_MAX with -std=gnu99, needed on some Linuxes unset ac_cv_have_decl_LLONG_MAX @@ -115,6 +175,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then fi fi +if test "x$no_attrib_nonnull" != "x1" ; then + AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull]) +fi + AC_ARG_WITH(rpath, [ --without-rpath Disable auto-added -R linker paths], [ @@ -198,6 +262,7 @@ AC_CHECK_HEADERS( \ netgroup.h \ pam/pam_appl.h \ paths.h \ + poll.h \ pty.h \ readpassphrase.h \ rpc/types.h \ @@ -214,7 +279,9 @@ AC_CHECK_HEADERS( \ sys/cdefs.h \ sys/dir.h \ sys/mman.h \ + sys/mount.h \ sys/ndir.h \ + sys/poll.h \ sys/prctl.h \ sys/pstat.h \ sys/select.h \ @@ -222,6 +289,7 @@ AC_CHECK_HEADERS( \ sys/stream.h \ sys/stropts.h \ sys/strtio.h \ + sys/statvfs.h \ sys/sysmacros.h \ sys/time.h \ sys/timers.h \ @@ -229,6 +297,7 @@ AC_CHECK_HEADERS( \ time.h \ tmpdir.h \ ttyent.h \ + ucred.h \ unistd.h \ usersec.h \ util.h \ @@ -334,7 +403,7 @@ int main(void) { exit(0); } [], [#include ] ) - AC_CHECK_FUNCS(setauthdb) + AC_CHECK_FUNCS(getgrset setauthdb) AC_CHECK_DECL(F_CLOSEM, AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]), [], @@ -396,6 +465,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_GLOB, 1, [OS X glob does not do what we expect]) AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1, [Define if your resolver libs need this for getrrsetbyname]) AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) @@ -403,6 +473,11 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) [Use tunnel device compatibility to OpenBSD]) AC_DEFINE(SSH_TUN_PREPEND_AF, 1, [Prepend the address family to IP tunnel traffic]) + m4_pattern_allow(AU_IPv) + AC_CHECK_DECL(AU_IPv4, [], + AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) + [#include ] + ) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" @@ -490,7 +565,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) no_dev_ptmx=1 check_for_libcrypt_later=1 check_for_openpty_ctty_bug=1 - AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks]) AC_DEFINE(PAM_TTY_KLUDGE, 1, [Work around problematic Linux PAM modules handling of PAM_TTY]) AC_DEFINE(LOCKED_PASSWD_PREFIX, "!", @@ -540,6 +614,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) AC_CHECK_HEADER([net/if_tap.h], , AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) + AC_DEFINE(BROKEN_GLOB, 1, [FreeBSD glob does not do what we need]) ;; *-*-bsdi*) AC_DEFINE(SETEUID_BREAKS_SETUID) @@ -766,6 +841,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_READV_COMPARISON, 1, [Can't do comparisons on readv]) ;; *-*-nto-qnx*) @@ -776,7 +852,13 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems]) AC_DEFINE(DISABLE_LASTLOG) AC_DEFINE(SSHD_ACQUIRES_CTTY) + AC_DEFINE(BROKEN_SHADOW_EXPIRE, 1, [QNX shadow support is broken]) enable_etc_default_login=no # has incompatible /etc/default/login + case "$host" in + *-*-nto-qnx6*) + AC_DEFINE(DISABLE_FD_PASSING) + ;; + esac ;; *-*-ultrix*) @@ -966,7 +1048,7 @@ dnl Checks for libutil functions AC_CHECK_HEADERS(libutil.h) AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1, [Define if your libraries define login()])]) -AC_CHECK_FUNCS(logout updwtmp logwtmp) +AC_CHECK_FUNCS(fmt_scaled logout updwtmp logwtmp) AC_FUNC_STRFTIME @@ -1109,8 +1191,7 @@ AC_ARG_WITH(tcp-wrappers, CPPFLAGS="-I${withval} ${CPPFLAGS}" fi fi - LIBWRAP="-lwrap" - LIBS="$LIBWRAP $LIBS" + LIBS="-lwrap $LIBS" AC_MSG_CHECKING(for libwrap) AC_TRY_LINK( [ @@ -1126,7 +1207,7 @@ AC_ARG_WITH(tcp-wrappers, AC_DEFINE(LIBWRAP, 1, [Define if you want TCP Wrappers support]) - AC_SUBST(LIBWRAP) + SSHDLIBS="$SSHDLIBS -lwrap" TCPW_MSG="yes" ], [ @@ -1201,7 +1282,7 @@ AC_ARG_WITH(audit, AC_CHECK_FUNCS(getaudit, [], [AC_MSG_ERROR(BSM enabled and required function not found)]) # These are optional - AC_CHECK_FUNCS(getaudit_addr) + AC_CHECK_FUNCS(getaudit_addr aug_get_machine) AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module]) ;; debug) @@ -1221,6 +1302,8 @@ AC_ARG_WITH(audit, dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ + arc4random_buf \ + arc4random_uniform \ asprintf \ b64_ntop \ __b64_ntop \ @@ -1234,6 +1317,7 @@ AC_CHECK_FUNCS( \ fchmod \ fchown \ freeaddrinfo \ + fstatvfs \ futimes \ getaddrinfo \ getcwd \ @@ -1241,6 +1325,7 @@ AC_CHECK_FUNCS( \ getnameinfo \ getopt \ getpeereid \ + getpeerucred \ _getpty \ getrlimit \ getttyent \ @@ -1259,6 +1344,7 @@ AC_CHECK_FUNCS( \ ogetaddrinfo \ openlog_r \ openpty \ + poll \ prctl \ pstat \ readpassphrase \ @@ -1283,6 +1369,8 @@ AC_CHECK_FUNCS( \ sigvec \ snprintf \ socketpair \ + statfs \ + statvfs \ strdup \ strerror \ strlcat \ @@ -1292,6 +1380,7 @@ AC_CHECK_FUNCS( \ strtonum \ strtoll \ strtoul \ + swap32 \ sysconf \ tcgetpgrp \ truncate \ @@ -1364,6 +1453,14 @@ AC_CHECK_DECLS(writev, , , [ #include ]) +AC_CHECK_DECLS(MAXSYMLINKS, , , [ +#include + ]) + +AC_CHECK_DECLS(offsetof, , , [ +#include + ]) + AC_CHECK_FUNCS(setresuid, [ dnl Some platorms have setresuid that isn't implemented, test for this AC_MSG_CHECKING(if setresuid seems to work) @@ -1489,7 +1586,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include # Check for missing getpeereid (or equiv) support NO_PEERCHECK="" -if test "x$ac_cv_func_getpeereid" != "xyes" ; then +if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) AC_TRY_COMPILE( [#include @@ -1977,7 +2074,15 @@ fi # Search for SHA256 support in libc and/or OpenSSL AC_CHECK_FUNCS(SHA256_Update EVP_sha256) -AC_CHECK_LIB(iaf, ia_openinfo) +saved_LIBS="$LIBS" +AC_CHECK_LIB(iaf, ia_openinfo, [ + LIBS="$LIBS -liaf" + AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf" + AC_DEFINE(HAVE_LIBIAF, 1, + [Define if system has libiaf that supports set_id]) + ]) +]) +LIBS="$saved_LIBS" ### Configure cryptographic random number support @@ -2027,7 +2132,7 @@ AC_ARG_WITH(pam, PAM_MSG="yes" - LIBPAM="-lpam" + SSHDLIBS="$SSHDLIBS -lpam" AC_DEFINE(USE_PAM, 1, [Define if you want to enable PAM support]) @@ -2037,11 +2142,10 @@ AC_ARG_WITH(pam, # libdl already in LIBS ;; *) - LIBPAM="$LIBPAM -ldl" + SSHDLIBS="$SSHDLIBS -ldl" ;; esac fi - AC_SUBST(LIBPAM) fi ] ) @@ -2560,6 +2664,18 @@ fi TYPE_SOCKLEN_T AC_CHECK_TYPES(sig_atomic_t,,,[#include ]) +AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t],,,[ +#include +#ifdef HAVE_SYS_BITYPES_H +#include +#endif +#ifdef HAVE_SYS_STATFS_H +#include +#endif +#ifdef HAVE_SYS_STATVFS_H +#include +#endif +]) AC_CHECK_TYPES(in_addr_t,,, [#include @@ -2922,6 +3038,16 @@ if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then file descriptor passing]) fi +AC_MSG_CHECKING(if f_fsid has val members) +AC_TRY_COMPILE([ +#include +#include ], +[struct fsid_t t; t.val[0] = 0;], + [ AC_MSG_RESULT(yes) + AC_DEFINE(FSID_HAS_VAL, 1, f_fsid has members) ], + [ AC_MSG_RESULT(no) ] +) + AC_CACHE_CHECK([for msg_control field in struct msghdr], ac_cv_have_control_in_msghdr, [ AC_COMPILE_IFELSE( @@ -3150,25 +3276,43 @@ int main() [#include ]) ]) +AC_MSG_CHECKING(if struct __res_state _res is an extern) +AC_LINK_IFELSE([ +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include +extern struct __res_state _res; +int main() { return 0; } + ], + [AC_MSG_RESULT(yes) + AC_DEFINE(HAVE__RES_EXTERN, 1, + [Define if you have struct __res_state _res as an extern]) + ], + [ AC_MSG_RESULT(no) ] +) + # Check whether user wants SELinux support SELINUX_MSG="no" LIBSELINUX="" AC_ARG_WITH(selinux, - [ --with-selinux Enable SELinux support], + [ --with-selinux Enable SELinux support], [ if test "x$withval" != "xno" ; then + save_LIBS="$LIBS" AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) SELINUX_MSG="yes" AC_CHECK_HEADER([selinux/selinux.h], , AC_MSG_ERROR(SELinux support requires selinux.h header)) AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) - save_LIBS="$LIBS" - LIBS="$LIBS $LIBSELINUX" + SSHDLIBS="$SSHDLIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) LIBS="$save_LIBS" fi ] ) -AC_SUBST(LIBSELINUX) # Check whether user wants Kerberos 5 support KRB5_MSG="no" @@ -3232,12 +3376,12 @@ AC_ARG_WITH(kerberos5, ) AC_SEARCH_LIBS(dn_expand, resolv) - AC_CHECK_LIB(gssapi,gss_init_sec_context, + AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context, [ AC_DEFINE(GSSAPI) - K5LIBS="-lgssapi $K5LIBS" ], - [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + [ AC_CHECK_LIB(gssapi, gss_init_sec_context, [ AC_DEFINE(GSSAPI) - K5LIBS="-lgssapi_krb5 $K5LIBS" ], + K5LIBS="-lgssapi $K5LIBS" ], AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), $K5LIBS) ], @@ -3936,6 +4080,13 @@ dnl Adding -Werror to CFLAGS early prevents configure tests from running. dnl Add now. CFLAGS="$CFLAGS $werror_flags" +if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \ + test "x$ac_cv_func_getaddrinfo" != "xyes" ; then + AC_SUBST(TEST_SSH_IPV6, no) +else + AC_SUBST(TEST_SSH_IPV6, yes) +fi + AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ openbsd-compat/Makefile openbsd-compat/regress/Makefile \ @@ -4004,7 +4155,10 @@ echo " Compiler: ${CC}" echo " Compiler flags: ${CFLAGS}" echo "Preprocessor flags: ${CPPFLAGS}" echo " Linker flags: ${LDFLAGS}" -echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}" +echo " Libraries: ${LIBS}" +if test ! -z "${SSHDLIBS}"; then +echo " +for sshd: ${SSHDLIBS}" +fi echo "" @@ -4030,12 +4184,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then fi if test ! -z "$NO_PEERCHECK" ; then - echo "WARNING: the operating system that you are using does not " - echo "appear to support either the getpeereid() API nor the " - echo "SO_PEERCRED getsockopt() option. These facilities are used to " - echo "enforce security checks to prevent unauthorised connections to " - echo "ssh-agent. Their absence increases the risk that a malicious " - echo "user can connect to your agent. " + echo "WARNING: the operating system that you are using does not" + echo "appear to support getpeereid(), getpeerucred() or the" + echo "SO_PEERCRED getsockopt() option. These facilities are used to" + echo "enforce security checks to prevent unauthorised connections to" + echo "ssh-agent. Their absence increases the risk that a malicious" + echo "user can connect to your agent." echo "" fi