path: root/configure.ac
Commit message | Author | Age | Files | Lines
* Fix configure implicit declaration and format warnings. | Jonas 'Sortie' Termansen | 2024-12-06 | 1 | -0/+5
|
* Fix configure message typo in sk-libfido2 standalone. | Xavier Hsinyuan | 2024-12-06 | 1 | -1/+1
|
* Add wtmpdb support as Y2038 safe wtmp replacement | Thorsten Kukuk | 2024-12-02 | 1 | -0/+42
|
* Add make target for standalone sk-libfido2 | Jeremy Stott | 2024-11-28 | 1 | -0/+21
|   Add a Makefile target for sk-libfido2, the standalone fido2 security key shared library, suitable for use with the SecurityKeyProvider option.
|
|   Add a new configure option `--with-security-key-standalone` that optionally sets the shared library target sk-libfido2$(SHLIBEXT), and adds it to $(TARGETS).
|
|   misc.h is required when SK_STANDALONE is defined, because of the use of `monotime_tv` in `sk_select_by_touch`.
|
|   Sets the shared library extension for sk-libfido2 by setting `SHLIBEXT` depending on the platform in configure.ac.
|
|   Add the shared library to the CI builds in the `sk` target config to make sure it can compile under the same conditions as `--with-security-key-builtin`.
|
|   Add a libssh-pic.a static library that compiles with `-fPIC` reusing .c.lo method in sk-dummy.so for use in the shared library sk-libfido2.
|
|   Note, a separate static library libssh-pic.a is needed, since defining -DSK_STANDALONE excludes some symbols needed in sshkey.lo.
* htole64() etc for systems without endian.h | Damien Miller | 2024-10-27 | 1 | -1/+0
|
* Remove references to systrace and pledge sandboxes. | Darren Tucker | 2024-10-18 | 1 | -19/+2
|   ok djm@
* declare defeat trying to detect C89 compilers | Damien Miller | 2024-09-09 | 1 | -14/+0
|   I can't find a reliable way to detect the features the ML-KEM code requires in configure. Give up for now and use VLA support (that we can detect) as a proxy for "old compiler" and turn off ML-KEM if it isn't supported.
* fix previous; check for C99 compound literals | Damien Miller | 2024-09-09 | 1 | -6/+7
|   The previous commit was incorrect (or at least insufficient), the ML-KEM code is actually using compound literals, so test for them.
* test for compiler feature needed for ML-KEM | Damien Miller | 2024-09-09 | 1 | -0/+13
|   The ML-KEM implementation we use needs the compiler to support C99-style named struct initialisers (e.g. foo = {.bar = 1}). We still support (barely) building OpenSSH with older compilers, so add a configure test for this.
* upstream: pull post-quantum ML-KEM/x25519 key exchange out from | djm@openbsd.org | 2024-09-09 | 1 | -9/+0
|   compile-time flag now that an IANA codepoint has been assigned for the algorithm.
|
|   Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
|
|   ok markus@
|
|   OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
* upstream: Add experimental support for hybrid post-quantum key exchange | djm@openbsd.org | 2024-09-02 | 1 | -0/+9
|   ML-KEM768 with ECDH/X25519 from the Internet-draft:
|   https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
|
|   This is based on previous patches from markus@ but adapted to use the final FIPS203 standard ML-KEM using a formally-verified implementation from libcrux.
|
|   Note this key exchange method is still a draft and thus subject to change. It is therefore disabled by default; set MLKEM=yes to build it. We're making it available now to make it easy for other SSH implementations to test against it.
|
|   ok markus@ deraadt@
|
|   OpenBSD-Commit-ID: 02a8730a570b63fa8acd9913ec66353735dea42c
* Add compat functions for EVP_Digest{Sign,Verify}. | Darren Tucker | 2024-08-17 | 1 | -0/+2
|   This should make LibreSSL 3.1.x through 3.3.x work again. Code from tb@, ok djm@.
|
|   Restore the test configs covering those.
* sync TEST_MALLOC_OPTIONS for OpenBSD | Damien Miller | 2024-08-15 | 1 | -1/+1
|
* Class-imposed login restrictions | Yuichiro Naito | 2024-07-20 | 1 | -0/+2
|   If the following functions are available, add an additional check if users are allowed to login imposed by login class.
|
|   * auth_hostok(3)
|   * auth_timeok(3)
|
|   These functions are implemented on FreeBSD.
* Fix detection of setres*id on GNU/Hurd | Samuel Thibault | 2024-07-03 | 1 | -0/+7
|   Like Linux, proper _SOURCE macros need to be set to get declarations of various standard functions, notably setres*id. Now that Debian is using -Werror=implicit-function-declaration this is really required. While at it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses the same glibc.
* upstream: disable the DSA signature algorithm by default; ok | djm@openbsd.org | 2024-06-17 | 1 | -18/+13
|   markus@
|
|   (yes, I know this expands to "the Digital Signature Algorithm signature algorithm")
|
|   OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed
* Merge flags for OpenSSL 3.x versions. | Darren Tucker | 2024-04-25 | 1 | -5/+2
|   OpenSSL has moved to 3.4 which we don't currently accept. Based on the OpenSSL versioning policy[0] it looks like all of the 3.x versions should work with OpenSSH, so remove the distinction in configure and accept all of them.
|
|   [0] https://openssl.org/policies/general/versioning-policy.html
* notify systemd on listen and reload | Damien Miller | 2024-04-03 | 1 | -0/+1
|   Standalone implementation that does not depend on libsystemd. With assistance from Luca Boccassi, and feedback/testing from Colin Watson. bz2641
* Check if OpenSSL implementation supports DSA. | Darren Tucker | 2024-03-30 | 1 | -8/+31
|   If --enable/disable-dsa-keys is not specified, set based on what OpenSSL supports. If specified as enabled, but not supported by OpenSSL error out. ok djm@
* Fix OpenSSL ED25519 support detection | Alkaid | 2024-03-30 | 1 | -1/+1
|   Wrong function signature in configure.ac prevents openssh from enabling the recently new support for ED25519 priv keys in PEM PKCS8 format.
* Prefer openssl binary from --with-ssl-dir directory. | Darren Tucker | 2024-03-07 | 1 | -1/+9
|   Use openssl in the directory specified by --with-ssl-dir as long as it's functional. Reported by The Doctor.
* add a --without-retpoline configure option | Damien Miller | 2024-03-06 | 1 | -2/+10
|   discussed with deraadt and dtucker a while ago
* more descriptive configure test name | Damien Miller | 2024-02-22 | 1 | -1/+1
|
* Improve error message for OpenSSL header check. | Darren Tucker | 2024-02-19 | 1 | -2/+2
|   bz#3668, ok djm@
* Add --disable-fd-passing option. | Darren Tucker | 2024-02-06 | 1 | -0/+10
|   .. and enable for the minix3 test VM. This will cause it to more reliably skip tests that need FD passing and should fix the current test breakage.
* upstream: make DSA key support compile-time optional, defaulting to | djm@openbsd.org | 2024-01-11 | 1 | -0/+12
|   on
|
|   ok markus@
|
|   OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d
* better detection of broken -fzero-call-used-regs | Damien Miller | 2023-12-18 | 1 | -2/+2
|   Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend test program to exercise varargs, which seems to catch more stuff.
|
|   ok dtucker@
* Stop using -fzero-call-used-regs=all | Darren Tucker | 2023-11-21 | 1 | -2/+5
|   ... since it seems to be problematic with several different versions of clang. Only use -fzero-call-used-regs=used which is less problematic, except with Apple's clang where we don't use it at all. bz#3629, ok djm@
* Allow for vendor prefix on clang version numbers. | Darren Tucker | 2023-11-21 | 1 | -3/+4
|   Correctly detects the version of OpenBSD's native clang, as well as Apple's. Spotted tb@, ok djm@.
* Add OpenSSL 3.3.0 as a known dev version. | Darren Tucker | 2023-10-30 | 1 | -1/+1
|
* Have configure find PuTTY and Conch binaries. | Darren Tucker | 2023-10-20 | 1 | -0/+3
|   This will let us remove some -portable specific changes from test-exec.sh.
* upstream: Allow overriding the locations of the Dropbear binaries | dtucker@openbsd.org | 2023-10-20 | 1 | -0/+6
|   similar to what we do for the PuTTY ones.
|
|   OpenBSD-Regress-ID: 7de0e00518fb0c8fdc5f243b7f82f523c936049c
* Correct arg order for ED25519 AC_LINK_IFELSE test. | Darren Tucker | 2023-10-12 | 1 | -3/+3
|
* upstream: add support for reading ED25519 private keys in PEM PKCS8 | djm@openbsd.org | 2023-10-12 | 1 | -0/+24
|   format; ok markus@ tb@
|
|   OpenBSD-Commit-ID: 01b85c91757e6b057e9b23b8a23f96415c3c7174
* Use zero-call-used-regs=used with Apple compilers. | Darren Tucker | 2023-09-10 | 1 | -2/+8
|   Apple's versions of clang have version numbers that do not match the corresponding upstream clang versions. Unfortunately, they do still have the clang-15 zero-call-used-regs=all bug, so for now use the value that doesn't result in segfaults. We could allowlist future versions that are known to work. bz#3584 (and probably also our github CI failures).
* Fix zlib version check for 1.3 and future version. | Darren Tucker | 2023-08-18 | 1 | -1/+1
|   bz#3604.
* put back SSLeay_version compat in configure test | Damien Miller | 2023-03-24 | 1 | -1/+10
|   Needed to detect old versions and give good "your version is bad" messages at configure time; spotted by dtucker@
* remove support for old libcrypto | Damien Miller | 2023-03-24 | 1 | -66/+30
|   OpenSSH now requires LibreSSL 3.1.0 or greater or OpenSSL 1.1.1 or greater
|
|   with/ok dtucker@
* fix libfido2 detection without pkg-config | Damien Miller | 2023-02-01 | 1 | -1/+1
|   Place libfido2 before additional libraries (that it may depend upon) and not after. bz3530 from James Zhang; ok dtucker@
* Use autoconf to find openssl binary. | Darren Tucker | 2023-01-07 | 1 | -5/+3
|   It's possible to install an OpenSSL in a path not in the system's default library search path. OpenSSH can still use this (eg if you specify an rpath) but the openssl binary there may not work. If one is available on the system path just use that.
* Check openssl_bin path is executable before using. | Darren Tucker | 2023-01-07 | 1 | -3/+5
|
* Set OPENSSL_BIN from OpenSSL directory. | Darren Tucker | 2023-01-06 | 1 | -0/+6
|
* Fix typo in comment. Spotted by tim@ | Darren Tucker | 2022-12-06 | 1 | -1/+1
|
* Use -fzero-call-used-regs=used on clang 15. | Darren Tucker | 2022-11-30 | 1 | -12/+23
|   clang 15 seems to have a problem with -fzero-call-used-regs=all which causes spurious "incorrect signature" failures with ED25519. On those versions, use -fzero-call-used-regs=used instead. (We may add exceptions later if specific versions prove to be OK). Also move the GCC version check to match.
|
|   Initial investigation by Daniel Pouzzner (douzzer at mega nu), workaround suggested by Bill Wendling (morbo at google com). bz#3475, ok djm@
* If we haven't found it yet, recheck for sys/stat.h. | Darren Tucker | 2022-11-23 | 1 | -1/+8
|   On some very old platforms, sys/stat.h needs sys/types.h, however autoconf 2.71's AC_CHECK_INCLUDES_DEFAULT checks for them in the opposite order, which in combination with modern autoconf's "present but cannot be compiled" behaviour causes it to not be detected.
* Fix setres*id checks to work with clang-16. | Darren Tucker | 2022-11-07 | 1 | -3/+6
|   glibc has the prototypes for setresuid and setresgid behind _GNU_SOURCE, and clang 16 will error out on implicit function definitions, so add _GNU_SOURCE and the required headers to the configure checks. From sam at @gentoo.org via bz#3497.
* configure.ac: Fix -Wstrict-prototypes | Sam James | 2022-11-06 | 1 | -4/+4
|   Clang 16 now warns on this and it'll be removed in C23, so let's just be future proof. It also reduces noise when doing general Clang 16 porting work (which is a big job as it is). github PR#355.
|
|   Signed-off-by: Sam James <sam@gentoo.org>
* configure.ac: Add <pty.h> include for openpty | Sam James | 2022-11-06 | 1 | -0/+3
|   Another Clang 16ish fix (which makes -Wimplicit-function-declaration an error by default). github PR#355.
|
|   See: 2efd71da49b9cfeab7987058cf5919e473ff466b
|   See: be197635329feb839865fdc738e34e24afd1fca8
* Check for sockaddr_in.sin_len. | Darren Tucker | 2022-11-02 | 1 | -0/+10
|   If found, set SOCK_HAS_LEN which is used in addr.c. Should fix keyscan tests on platforms with this (eg old NetBSD).
* OpenSSL dev branch is 302 not 320. | Darren Tucker | 2022-10-30 | 1 | -1/+1
|   While there, also accept 301 which is what it was previously.