| Age | Commit message (Collapse) | Author |
|---|
|
Use openssl in the directory specified by --with-ssl-dir as long
as it's functional. Reported by The Doctor.
|
|
discussed with deraadt and dtucker a while ago
|
|
|
|
bz#3668, ok djm@
|
|
.. and enable for the minix3 test VM. This will cause it to more reliably
skip tests that need FD passing and should fix the current test breakage.
|
|
on
ok markus@
OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d
|
|
Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend
test program to exercise varargs, which seems to catch more stuff.
ok dtucker@
|
|
... since it seems to be problematic with several different versions of
clang. Only use -fzero-call-used-regs=used which is less
problematic, except with Apple's clang where we don't use it at all.
bz#3629, ok djm@
|
|
Correctly detects the version of OpenBSD's native clang, as well as
Apple's. Spotted tb@, ok djm@.
|
|
|
|
This will let us remove some -portable specific changes from
test-exec.sh.
|
|
similar to what we do for the PuTTY ones.
OpenBSD-Regress-ID: 7de0e00518fb0c8fdc5f243b7f82f523c936049c
|
|
|
|
format; ok markus@ tb@
OpenBSD-Commit-ID: 01b85c91757e6b057e9b23b8a23f96415c3c7174
|
|
Apple's versions of clang have version numbers that do not match the
corresponding upstream clang versions. Unfortunately, they do still
have the clang-15 zero-call-used-regs=all bug, so for now use the value
that doesn't result in segfaults. We could allowlist future versions
that are known to work. bz#3584 (and probably also our github CI
failures).
|
|
bz#3604.
|
|
Needed to detect old versions and give good "your version is bad"
messages at configure time; spotted by dtucker@
|
|
OpenSSH now requires LibreSSL 3.1.0 or greater or
OpenSSL 1.1.1 or greater
with/ok dtucker@
|
|
Place libfido2 before additional libraries (that it may depend upon)
and not after. bz3530 from James Zhang; ok dtucker@
|
|
It's possible to install an OpenSSL in a path not in the system's
default library search path. OpenSSH can still use this (eg if you
specify an rpath) but the openssl binary there may not work. If one is
available on the system path just use that.
|
|
|
|
|
|
|
|
clang 15 seems to have a problem with -fzero-call-used-reg=all which
causes spurious "incorrect signature" failures with ED25519. On those
versions, use -fzero-call-used-regs=used instead. (We may add exceptions
later if specific versions prove to be OK). Also move the GCC version
check to match.
Initial investigation by Daniel Pouzzner (douzzer at mega nu), workaround
suggested by Bill Wendling (morbo at google com). bz#3475, ok djm@
|
|
On some very old platforms, sys/stat.h needs sys/types.h, however
autoconf 2.71's AC_CHECK_INCLUDES_DEFAULT checks for them in the
opposite order, which in combination with modern autoconf's
"present but cannot be compiled" behaviour causes it to not be
detected.
|
|
glibc has the prototypes for setresuid and setresgid behind _GNU_SOURCE,
and clang 16 will error out on implicit function definitions, so add
_GNU_SOURCE and the required headers to the configure checks. From
sam at @gentoo.org via bz#3497.
|
|
Clang 16 now warns on this and it'll be removed in C23, so let's
just be future proof. It also reduces noise when doing general
Clang 16 porting work (which is a big job as it is). github PR#355.
Signed-off-by: Sam James <sam@gentoo.org>
|
|
Another Clang 16ish fix (which makes -Wimplicit-function-declaration
an error by default). github PR#355.
See: 2efd71da49b9cfeab7987058cf5919e473ff466b
See: be197635329feb839865fdc738e34e24afd1fca8
|
|
If found, set SOCK_HAS_LEN which is used in addr.c. Should fix keyscan
tests on platforms with this (eg old NetBSD).
|
|
While there, also accept 301 which it shat it was previously.
|
|
|
|
Clang 15 -Wimplicit-int defaults to an error in C99 mode and above.
A handful of tests have "main(..." and not "int main(..." which caused
the tests to produce incorrect results.
|
|
Fixes build on (at least Solaris 10).
|
|
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
|
Factor out the arc4random seeding into its own file and change the
interface to match getentropy. Use native getentropy if available.
This will make it easier to resync OpenBSD changes to arc4random.
Prompted by bz#3467, ok djm@.
|
|
|
|
We added a check in Makefile to catch the case where configure needs to
be rebuilt, however this did not happen until a build was attempted in
which case all of the work done by configure was wasted. Move this check
to the start of configure to catch it as early as possible. ok djm@
|
|
This will result in sftp, sftp-server and scp no longer being linked
against libcrypto. ok djm@
|
|
They're related more than the libcrypt or libiaf checks which are
currently between them. ok djm@
|
|
Some of our binaries (eg sftp, sftp-server, scp) do not interact with
the channels code and thus do use libraries such as zlib and libcrypto
although they are linked with them. This adds a CHANNELLIBS and starts
by moving zlib into it, which means the aformentioned binaries are no
longer linked against zlib. ok djm@
|
|
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES CTR mode. Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have CTR, so this is no longer needed. ok djm@
|
|
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES GCM mode. Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have GCM, so this is no longer needed. ok djm@
|
|
Patch from dries.deschout at dodeco.eu.
|
|
Configure goes to some lengths to pick crypt() from either libcrypt
or OpenSSL's libcrypto because they can more or less featureful (eg
supporting md5-style passwords).
OpenSSL removed its crypt() interface in 2002:
https://github.com/openssl/openssl/commit/69deec58 so these hijinks
should no longer be necessary. This also only links sshd with libcrypt
which is the only thing that needs it. ok djm@
|
|
The potential RCE only impacts x86_64, so only refuse to use it if we're
targetting a potentially impacted architecture. ok djm@
|
|
OpenSSL has a potential RCE in its RSA implementation (CVE-2022-2274)
so refuse to use that specific version.
|
|
The rlimit tests can hang when being run with some compiler sanitizers
so skip all of them if sandbox=no.
|
|
Move the checks for struct pollfd.fd and nfds_t to before the sandboxing
checks. This groups all the sandbox checks together so we can skip them
all when sandboxing is disabled.
|
|
It's not needed in that case, and the test can fail when being built
with some compiler memory sanitizer flags. bz#3441
|
|
Prevents us from trying to link them into ssh-sk-helper and failing to
build.
|
