diff options
Diffstat (limited to 'configure')
-rwxr-xr-x | configure | 525 |
1 files changed, 486 insertions, 39 deletions
@@ -1,5 +1,5 @@ #! /bin/sh -# From configure.ac Revision: 1.480 . +# From configure.ac Revision: 1.489 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.68 for OpenSSH Portable. # @@ -722,6 +722,7 @@ with_zlib with_zlib_version_check with_skey with_tcp_wrappers +with_ldns with_libedit with_audit with_ssl_dir @@ -1411,6 +1412,7 @@ Optional Packages: --without-zlib-version-check Disable zlib version check --with-skey[=PATH] Enable S/Key support (optionally in PATH) --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) + --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) --with-libedit[=PATH] Enable libedit support for sftp --with-audit=module Enable audit support (modules=debug,bsm,linux) --with-ssl-dir=PATH Specify path to OpenSSL installation @@ -1420,7 +1422,7 @@ Optional Packages: --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool) --with-pam Enable PAM support --with-privsep-user=user Specify non-privileged user for privilege separation - --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace) + --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) --with-selinux Enable SELinux support --with-kerberos5=PATH Enable Kerberos 5 support --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) @@ -5576,6 +5578,68 @@ $as_echo "#define HAVE_RLIMIT_NPROC /**/" >>confdefs.h fi +ac_fn_c_check_decl "$LINENO" "PR_SET_NO_NEW_PRIVS" "ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" " + #include <sys/types.h> + #include <linux/prctl.h> + +" +if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then : + have_linux_no_new_privs=1 +fi + +if test "x$have_linux_no_new_privs" = "x1" ; then +ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" " + #include <sys/types.h> + #include <linux/seccomp.h> + +" +if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then : + have_seccomp_filter=1 +fi + +fi +if test "x$have_seccomp_filter" = "x1" ; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5 +$as_echo_n "checking kernel for seccomp_filter support... " >&6; } +if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5 +$as_echo "cross-compiling, assuming yes" >&6; } + +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <errno.h> + #include <linux/seccomp.h> + #include <stdlib.h> + #include <sys/prctl.h> + +int +main () +{ + errno = 0; + prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); + exit(errno == EFAULT ? 0 : 1); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + # Disable seccomp filter as a target + have_seccomp_filter=0 + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi use_stack_protector=1 @@ -5774,6 +5838,29 @@ $as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext } + { + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -D_FORTIFY_SOURCE=2" >&5 +$as_echo_n "checking if $CC supports -D_FORTIFY_SOURCE=2... " >&6; } + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2" + _define_flag="" + test "x$_define_flag" = "x" && _define_flag="-D_FORTIFY_SOURCE=2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int main(void) { return 0; } +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + CFLAGS="$saved_CFLAGS $_define_flag" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + CFLAGS="$saved_CFLAGS" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +} { $as_echo "$as_me:${as_lineno-$LINENO}: checking gcc version" >&5 $as_echo_n "checking gcc version... " >&6; } GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` @@ -6837,6 +6924,46 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h fi + for ac_header in linux/seccomp.h linux/filter.h linux/audit.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + for ac_func in prctl +do : + ac_fn_c_check_func "$LINENO" "prctl" "ac_cv_func_prctl" +if test "x$ac_cv_func_prctl" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_PRCTL 1 +_ACEOF + +fi +done + + have_seccomp_audit_arch=1 + case "$host" in + x86_64-*) + +$as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64" >>confdefs.h + + ;; + i*86-*) + +$as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386" >>confdefs.h + + ;; + *) + have_seccomp_audit_arch=0 + ;; + esac ;; mips-sony-bsd|mips-sony-newsos4) @@ -8214,6 +8341,62 @@ fi done +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fmt_scaled" >&5 +$as_echo_n "checking for library containing fmt_scaled... " >&6; } +if ${ac_cv_search_fmt_scaled+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char fmt_scaled (); +int +main () +{ +return fmt_scaled (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_fmt_scaled=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_fmt_scaled+:} false; then : + break +fi +done +if ${ac_cv_search_fmt_scaled+:} false; then : + +else + ac_cv_search_fmt_scaled=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fmt_scaled" >&5 +$as_echo "$ac_cv_search_fmt_scaled" >&6; } +ac_res=$ac_cv_search_fmt_scaled +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing login" >&5 $as_echo_n "checking for library containing login... " >&6; } if ${ac_cv_search_login+:} false; then : @@ -8268,11 +8451,233 @@ ac_res=$ac_cv_search_login if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" -$as_echo "#define HAVE_LOGIN 1" >>confdefs.h +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing logout" >&5 +$as_echo_n "checking for library containing logout... " >&6; } +if ${ac_cv_search_logout+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char logout (); +int +main () +{ +return logout (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_logout=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_logout+:} false; then : + break +fi +done +if ${ac_cv_search_logout+:} false; then : + +else + ac_cv_search_logout=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_logout" >&5 +$as_echo "$ac_cv_search_logout" >&6; } +ac_res=$ac_cv_search_logout +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing logwtmp" >&5 +$as_echo_n "checking for library containing logwtmp... " >&6; } +if ${ac_cv_search_logwtmp+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char logwtmp (); +int +main () +{ +return logwtmp (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_logwtmp=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_logwtmp+:} false; then : + break +fi +done +if ${ac_cv_search_logwtmp+:} false; then : + +else + ac_cv_search_logwtmp=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_logwtmp" >&5 +$as_echo "$ac_cv_search_logwtmp" >&6; } +ac_res=$ac_cv_search_logwtmp +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing openpty" >&5 +$as_echo_n "checking for library containing openpty... " >&6; } +if ${ac_cv_search_openpty+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char openpty (); +int +main () +{ +return openpty (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_openpty=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_openpty+:} false; then : + break +fi +done +if ${ac_cv_search_openpty+:} false; then : + +else + ac_cv_search_openpty=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_openpty" >&5 +$as_echo "$ac_cv_search_openpty" >&6; } +ac_res=$ac_cv_search_openpty +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi -for ac_func in fmt_scaled logout updwtmp logwtmp +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing updwtmp" >&5 +$as_echo_n "checking for library containing updwtmp... " >&6; } +if ${ac_cv_search_updwtmp+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char updwtmp (); +int +main () +{ +return updwtmp (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_updwtmp=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_updwtmp+:} false; then : + break +fi +done +if ${ac_cv_search_updwtmp+:} false; then : + +else + ac_cv_search_updwtmp=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_updwtmp" >&5 +$as_echo "$ac_cv_search_updwtmp" >&6; } +ac_res=$ac_cv_search_updwtmp +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +for ac_func in fmt_scaled login logout openpty updwtmp logwtmp do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -8675,6 +9080,56 @@ rm -f core conftest.err conftest.$ac_objext \ fi +# Check whether user wants to use ldns +LDNS_MSG="no" + +# Check whether --with-ldns was given. +if test "${with_ldns+set}" = set; then : + withval=$with_ldns; + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + +$as_echo "#define HAVE_LDNS 1" >>confdefs.h + + LIBS="-lldns $LIBS" + LDNS_MSG="yes" + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldns support" >&5 +$as_echo_n "checking for ldns support... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <ldns/ldns.h> +int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); } + + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "** Incomplete or missing ldns libraries." "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + fi + + +fi + + # Check whether user wants libedit support LIBEDIT_MSG="no" @@ -8938,6 +9393,12 @@ done $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h + if test "$sol2ver" -eq 11; then + SSHDLIBS="$SSHDLIBS -lscf" + +$as_echo "#define BROKEN_BSM_API 1" >>confdefs.h + + fi ;; linux) { $as_echo "$as_me:${as_lineno-$LINENO}: result: linux" >&5 @@ -9024,7 +9485,6 @@ for ac_func in \ nsleep \ ogetaddrinfo \ openlog_r \ - openpty \ poll \ prctl \ pstat \ @@ -9059,6 +9519,7 @@ for ac_func in \ strlcat \ strlcpy \ strmode \ + strnlen \ strnvis \ strptime \ strtonum \ @@ -10590,7 +11051,7 @@ fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -for ac_func in RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method +for ac_func in RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -11341,6 +11802,25 @@ elif test "x$sandbox_arg" = "xdarwin" || \ $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h +elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ + test "x$have_seccomp_filter" == "x1" && \ + test "x$ac_cv_header_linux_audit_h" = "xyes" && \ + test "x$have_seccomp_audit_arch" = "x1" && \ + test "x$have_linux_no_new_privs" = "x1" && \ + test "x$ac_cv_func_prctl" = "xyes" ) ; then + test "x$have_seccomp_audit_arch" != "x1" && \ + as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5 + test "x$have_linux_no_new_privs" != "x1" && \ + as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5 + test "x$have_seccomp_filter" != "x1" && \ + as_fn_error $? "seccomp_filter sandbox requires seccomp headers" "$LINENO" 5 + test "x$ac_cv_func_prctl" != "xyes" && \ + as_fn_error $? "seccomp_filter sandbox requires prctl function" "$LINENO" 5 + SANDBOX_STYLE="seccomp_filter" + +$as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h + elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then test "x$ac_cv_func_setrlimit" != "xyes" && \ @@ -11399,39 +11879,6 @@ fi # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 -$as_echo_n "checking size of char... " >&6; } -if ${ac_cv_sizeof_char+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_char" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (char) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_char=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 -$as_echo "$ac_cv_sizeof_char" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_CHAR $ac_cv_sizeof_char -_ACEOF - - -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short int" >&5 $as_echo_n "checking size of short int... " >&6; } if ${ac_cv_sizeof_short_int+:} false; then : |