diff -ruN openssh-4.7p1+x509-6.0.1/aclocal.m4 openssh-4.7p1+x509-6.1/aclocal.m4 --- openssh-4.7p1+x509-6.0.1/aclocal.m4 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/aclocal.m4 2007-10-25 19:06:00.000000000 +0300 @@ -103,7 +103,7 @@ dnl LDAP_LIBEXECDIR dnl LDAP_SYSCONFDIR -AC_DEFUN(AC_WITH_LDAP, +AC_DEFUN([AC_WITH_LDAP], [ dnl dnl Get the ldap paths @@ -279,3 +279,26 @@ AC_SUBST(LDAP_ON) AC_SUBST(LDAP_OFF) ]) + + +# AC_LDAP_FUNCS(FUNCTION...) +# -------------------------------- +AC_DEFUN([AC_LDAP_FUNCS], +[ +dnl +dnl Check ldap functions +dnl +AC_REQUIRE([AC_WITH_LDAP]) +if test "x$ac_ldap" = "xyes"; then + ac_save_CPPFLAGS="$CPPFLAGS" + ac_save_LDFLAGS="$LDFLAGS" + ac_save_LIBS="$LIBS" + CPPFLAGS="$CPPFLAGS $LDAP_CPPFLAGS" + LDFLAGS="$LDFLAGS $LDAP_LDFLAGS" + LIBS="$LDAP_LIBS $LIBS" + AC_CHECK_FUNCS([$1],[],[]) + LIBS="$ac_save_LIBS" + LDFLAGS="$ac_save_LDFLAGS" + CPPFLAGS="$ac_save_CPPFLAGS" +fi +]) diff -ruN openssh-4.7p1+x509-6.0.1/config.h.in openssh-4.7p1+x509-6.1/config.h.in --- openssh-4.7p1+x509-6.0.1/config.h.in 2007-09-05 19:06:01.000000000 +0300 +++ openssh-4.7p1+x509-6.1/config.h.in 2007-10-25 19:06:01.000000000 +0300 @@ -500,6 +500,18 @@ /* Define to 1 if you have the header file. */ #undef HAVE_LDAP_H +/* Define to 1 if you have the `ldap_initialize' function. */ +#undef HAVE_LDAP_INITIALIZE + +/* Define to 1 if you have the `ldap_parse_result' function. */ +#undef HAVE_LDAP_PARSE_RESULT + +/* Define to 1 if you have the `ldap_sasl_bind_s' function. */ +#undef HAVE_LDAP_SASL_BIND_S + +/* Define to 1 if you have the `ldap_search_ext_s' function. */ +#undef HAVE_LDAP_SEARCH_EXT_S + /* Define to 1 if you have the `bsm' library (-lbsm). */ #undef HAVE_LIBBSM diff -ruN openssh-4.7p1+x509-6.0.1/configure openssh-4.7p1+x509-6.1/configure --- openssh-4.7p1+x509-6.0.1/configure 2007-09-05 19:06:02.000000000 +0300 +++ openssh-4.7p1+x509-6.1/configure 2007-10-25 19:06:02.000000000 +0300 @@ -1324,7 +1324,7 @@ --disable-strip Disable calling strip(1) on install --disable-etc-default-login Disable using PATH from /etc/default/login no --disable-x509store Disable X.509 store - --enable-ocsp Enable OCSP validation + --disable-ocsp Disable OCSP validation --enable-ldap Enable LDAP queries --disable-lastlog disable use of lastlog even if detected no --disable-utmp disable use of utmp even if detected no @@ -27863,20 +27863,30 @@ fi -ssh_ocsp="no" +# enable/disable OCSP requests # Check whether --enable-ocsp was given. if test "${enable_ocsp+set}" = set; then enableval=$enable_ocsp; if test "x$enableval" = "xyes"; then - if test "x$ssh_x509store" = "xyes"; then - ssh_ocsp="yes" - else + if test "x$ssh_x509store" != "xyes"; then { { echo "$as_me:$LINENO: error: cannot enable OCSP when x509store is disabled" >&5 echo "$as_me: error: cannot enable OCSP when x509store is disabled" >&2;} { (exit 1); exit 1; }; } fi + ssh_ocsp="yes" + else + ssh_ocsp="no" fi +else + + if test "x$ssh_x509store" = "xyes"; then + ssh_ocsp="yes" + else + ssh_ocsp="no" + { echo "$as_me:$LINENO: x509store is disabled - skiping OCSP" >&5 +echo "$as_me: x509store is disabled - skiping OCSP" >&6;} + fi fi @@ -28133,6 +28143,7 @@ OCSP_ON='' OCSP_OFF='#' + LIBS="-lssl $LIBS" else OCSP_ON='#' OCSP_OFF='' @@ -28574,6 +28585,122 @@ if test "x$LDAP_ON" = "x"; then LDAP_MSG="yes" fi + + +if test "x$ac_ldap" = "xyes"; then + ac_save_CPPFLAGS="$CPPFLAGS" + ac_save_LDFLAGS="$LDFLAGS" + ac_save_LIBS="$LIBS" + CPPFLAGS="$CPPFLAGS $LDAP_CPPFLAGS" + LDFLAGS="$LDFLAGS $LDAP_LDFLAGS" + LIBS="$LDAP_LIBS $LIBS" + + + + +for ac_func in \ + ldap_initialize \ + ldap_parse_result \ + ldap_sasl_bind_s \ + ldap_search_ext_s \ + +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + LIBS="$ac_save_LIBS" + LDFLAGS="$ac_save_LDFLAGS" + CPPFLAGS="$ac_save_CPPFLAGS" +fi + else { echo "$as_me:$LINENO: x509store is disabled - skiping LDAP" >&5 echo "$as_me: x509store is disabled - skiping LDAP" >&6;} diff -ruN openssh-4.7p1+x509-6.0.1/configure.ac openssh-4.7p1+x509-6.1/configure.ac --- openssh-4.7p1+x509-6.0.1/configure.ac 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/configure.ac 2007-10-25 19:06:00.000000000 +0300 @@ -3727,19 +3727,27 @@ fi -ssh_ocsp="no" +# enable/disable OCSP requests AC_ARG_ENABLE(ocsp, - [ --enable-ocsp Enable OCSP validation], + [ --disable-ocsp Disable OCSP validation], [ if test "x$enableval" = "xyes"; then - if test "x$ssh_x509store" = "xyes"; then - ssh_ocsp="yes" - else + if test "x$ssh_x509store" != "xyes"; then AC_MSG_ERROR([cannot enable OCSP when x509store is disabled]) fi + ssh_ocsp="yes" + else + ssh_ocsp="no" fi - ] -) + ], + [ + if test "x$ssh_x509store" = "xyes"; then + ssh_ocsp="yes" + else + ssh_ocsp="no" + AC_MSG_NOTICE([x509store is disabled - skiping OCSP]) + fi + ]) if test "x$ssh_ocsp" = "xyes"; then AC_CHECK_FUNCS(OCSP_sendreq_bio, [ @@ -3753,7 +3761,7 @@ [ ssh_ocsp="no" AC_MSG_WARN([Cannot find OCSP functions - OCSP is disabled]) - ]) + ]) fi if test "x$ssh_ocsp" = "xyes"; then AC_DEFINE_UNQUOTED( @@ -3761,6 +3769,7 @@ [Define if you don't want to validate X.509 certificates with OCSP]) OCSP_ON='' OCSP_OFF='#' + LIBS="-lssl $LIBS" else OCSP_ON='#' OCSP_OFF='' @@ -3776,6 +3785,12 @@ if test "x$LDAP_ON" = "x"; then LDAP_MSG="yes" fi + AC_LDAP_FUNCS([\ + ldap_initialize \ + ldap_parse_result \ + ldap_sasl_bind_s \ + ldap_search_ext_s \ + ]) else AC_MSG_NOTICE([x509store is disabled - skiping LDAP]) fi diff -ruN openssh-4.7p1+x509-6.0.1/configure.ac-ORIG openssh-4.7p1+x509-6.1/configure.ac-ORIG --- openssh-4.7p1+x509-6.0.1/configure.ac-ORIG 1970-01-01 02:00:00.000000000 +0200 +++ openssh-4.7p1+x509-6.1/configure.ac-ORIG 2007-10-25 09:06:00.000000000 +0300 @@ -0,0 +1,4267 @@ +# $Id$ +# +# Copyright (c) 1999-2004 Damien Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) +AC_REVISION($Revision: 1.383 $) +AC_CONFIG_SRCDIR([ssh.c]) + +AC_CONFIG_HEADER(config.h) +AC_PROG_CC +AC_CANONICAL_HOST +AC_C_BIGENDIAN + +# Checks for programs. +AC_PROG_AWK +AC_PROG_CPP +AC_PROG_RANLIB +AC_PROG_INSTALL +AC_PROG_EGREP +AC_PATH_PROG(AR, ar) +AC_PATH_PROG(CAT, cat) +AC_PATH_PROG(KILL, kill) +AC_PATH_PROGS(PERL, perl5 perl) +AC_PATH_PROG(SED, sed) +AC_SUBST(PERL) +AC_PATH_PROG(ENT, ent) +AC_SUBST(ENT) +AC_PATH_PROG(TEST_MINUS_S_SH, bash) +AC_PATH_PROG(TEST_MINUS_S_SH, ksh) +AC_PATH_PROG(TEST_MINUS_S_SH, sh) +AC_PATH_PROG(SH, sh) +AC_SUBST(TEST_SHELL,sh) + +dnl for buildpkg.sh +AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd, + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd, + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no) +if test -x /sbin/sh; then + AC_SUBST(STARTUP_SCRIPT_SHELL,/sbin/sh) +else + AC_SUBST(STARTUP_SCRIPT_SHELL,/bin/sh) +fi + +# System features +AC_SYS_LARGEFILE + +if test -z "$AR" ; then + AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***]) +fi + +# Use LOGIN_PROGRAM from environment if possible +if test ! -z "$LOGIN_PROGRAM" ; then + AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM", + [If your header files don't define LOGIN_PROGRAM, + then use this (detected) from environment and PATH]) +else + # Search for login + AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login) + if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then + AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM_FALLBACK") + fi +fi + +AC_PATH_PROG(PATH_PASSWD_PROG, passwd) +if test ! -z "$PATH_PASSWD_PROG" ; then + AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG", + [Full path of your "passwd" program]) +fi + +if test -z "$LD" ; then + LD=$CC +fi +AC_SUBST(LD) + +AC_C_INLINE + +AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include ]) + +if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" + GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` + case $GCC_VER in + 1.*) no_attrib_nonnull=1 ;; + 2.8* | 2.9*) + CFLAGS="$CFLAGS -Wsign-compare" + no_attrib_nonnull=1 + ;; + 2.*) no_attrib_nonnull=1 ;; + 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;; + 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;; + *) ;; + esac + + if test -z "$have_llong_max"; then + # retry LLONG_MAX with -std=gnu99, needed on some Linuxes + unset ac_cv_have_decl_LLONG_MAX + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -std=gnu99" + AC_CHECK_DECL(LLONG_MAX, + [have_llong_max=1], + [CFLAGS="$saved_CFLAGS"], + [#include ] + ) + fi +fi + +if test "x$no_attrib_nonnull" != "x1" ; then + AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull]) +fi + +AC_ARG_WITH(rpath, + [ --without-rpath Disable auto-added -R linker paths], + [ + if test "x$withval" = "xno" ; then + need_dash_r="" + fi + if test "x$withval" = "xyes" ; then + need_dash_r=1 + fi + ] +) + +# Allow user to specify flags +AC_ARG_WITH(cflags, + [ --with-cflags Specify additional flags to pass to compiler], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CFLAGS="$CFLAGS $withval" + fi + ] +) +AC_ARG_WITH(cppflags, + [ --with-cppflags Specify additional flags to pass to preprocessor] , + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CPPFLAGS="$CPPFLAGS $withval" + fi + ] +) +AC_ARG_WITH(ldflags, + [ --with-ldflags Specify additional flags to pass to linker], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LDFLAGS="$LDFLAGS $withval" + fi + ] +) +AC_ARG_WITH(libs, + [ --with-libs Specify additional libraries to link with], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LIBS="$LIBS $withval" + fi + ] +) +AC_ARG_WITH(Werror, + [ --with-Werror Build main code with -Werror], + [ + if test -n "$withval" && test "x$withval" != "xno"; then + werror_flags="-Werror" + if test "x${withval}" != "xyes"; then + werror_flags="$withval" + fi + fi + ] +) + +AC_CHECK_HEADERS( \ + bstring.h \ + crypt.h \ + crypto/sha2.h \ + dirent.h \ + endian.h \ + features.h \ + fcntl.h \ + floatingpoint.h \ + getopt.h \ + glob.h \ + ia.h \ + iaf.h \ + limits.h \ + login.h \ + maillock.h \ + ndir.h \ + net/if_tun.h \ + netdb.h \ + netgroup.h \ + pam/pam_appl.h \ + paths.h \ + poll.h \ + pty.h \ + readpassphrase.h \ + rpc/types.h \ + security/pam_appl.h \ + sha2.h \ + shadow.h \ + stddef.h \ + stdint.h \ + string.h \ + strings.h \ + sys/audit.h \ + sys/bitypes.h \ + sys/bsdtty.h \ + sys/cdefs.h \ + sys/dir.h \ + sys/mman.h \ + sys/ndir.h \ + sys/prctl.h \ + sys/pstat.h \ + sys/select.h \ + sys/stat.h \ + sys/stream.h \ + sys/stropts.h \ + sys/strtio.h \ + sys/sysmacros.h \ + sys/time.h \ + sys/timers.h \ + sys/un.h \ + time.h \ + tmpdir.h \ + ttyent.h \ + ucred.h \ + unistd.h \ + usersec.h \ + util.h \ + utime.h \ + utmp.h \ + utmpx.h \ + vis.h \ +) + +# lastlog.h requires sys/time.h to be included first on Solaris +AC_CHECK_HEADERS(lastlog.h, [], [], [ +#ifdef HAVE_SYS_TIME_H +# include +#endif +]) + +# sys/ptms.h requires sys/stream.h to be included first on Solaris +AC_CHECK_HEADERS(sys/ptms.h, [], [], [ +#ifdef HAVE_SYS_STREAM_H +# include +#endif +]) + +# login_cap.h requires sys/types.h on NetBSD +AC_CHECK_HEADERS(login_cap.h, [], [], [ +#include +]) + +# Messages for features tested for in target-specific section +SIA_MSG="no" +SPC_MSG="no" + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + # Some versions of VAC won't allow macro redefinitions at + # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that + # particularly with older versions of vac or xlc. + # It also throws errors about null macro argments, but these are + # not fatal. + AC_MSG_CHECKING(if compiler allows macro redefinitions) + AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([[ +#define testmacro foo +#define testmacro bar +int main(void) { exit(0); } + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`" + LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`" + CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`" + CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`" + ] + ) + + AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) + if (test -z "$blibpath"); then + blibpath="/usr/lib:/lib" + fi + saved_LDFLAGS="$LDFLAGS" + if test "$GCC" = "yes"; then + flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:" + else + flags="-blibpath: -Wl,-blibpath: -Wl,-rpath," + fi + for tryflags in $flags ;do + if (test -z "$blibflags"); then + LDFLAGS="$saved_LDFLAGS $tryflags$blibpath" + AC_TRY_LINK([], [], [blibflags=$tryflags]) + fi + done + if (test -z "$blibflags"); then + AC_MSG_RESULT(not found) + AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log]) + else + AC_MSG_RESULT($blibflags) + fi + LDFLAGS="$saved_LDFLAGS" + dnl Check for authenticate. Might be in libs.a on older AIXes + AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE, 1, + [Define if you want to enable AIX4's authenticate function])], + [AC_CHECK_LIB(s,authenticate, + [ AC_DEFINE(WITH_AIXAUTHENTICATE) + LIBS="$LIBS -ls" + ]) + ]) + dnl Check for various auth function declarations in headers. + AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess, + passwdexpired, setauthdb], , , [#include ]) + dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2) + AC_CHECK_DECLS(loginfailed, + [AC_MSG_CHECKING(if loginfailed takes 4 arguments) + AC_TRY_COMPILE( + [#include ], + [(void)loginfailed("user","host","tty",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(AIX_LOGINFAILED_4ARG, 1, + [Define if your AIX loginfailed() function + takes 4 arguments (AIX >= 5.2)])], + [AC_MSG_RESULT(no)] + )], + [], + [#include ] + ) + AC_CHECK_FUNCS(setauthdb) + AC_CHECK_DECL(F_CLOSEM, + AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]), + [], + [ #include + #include ] + ) + check_for_aix_broken_getaddrinfo=1 + AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.]) + AC_DEFINE(SETEUID_BREAKS_SETUID, 1, + [Define if your platform breaks doing a seteuid before a setuid]) + AC_DEFINE(BROKEN_SETREUID, 1, [Define if your setreuid() is broken]) + AC_DEFINE(BROKEN_SETREGID, 1, [Define if your setregid() is broken]) + dnl AIX handles lastlog as part of its login message + AC_DEFINE(DISABLE_LASTLOG, 1, [Define if you don't want to use lastlog]) + AC_DEFINE(LOGIN_NEEDS_UTMPX, 1, + [Some systems need a utmpx entry for /bin/login to work]) + AC_DEFINE(SPT_TYPE,SPT_REUSEARGV, + [Define to a Set Process Title type if your system is + supported by bsd-setproctitle.c]) + AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1, + [AIX 5.2 and 5.3 (and presumably newer) require this]) + AC_DEFINE(PTY_ZEROREAD, 1, [read(1) can return 0 for a non-closed fd]) + ;; +*-*-cygwin*) + check_for_libcrypt_later=1 + LIBS="$LIBS /usr/lib/textreadmode.o" + AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin]) + AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()]) + AC_DEFINE(DISABLE_SHADOW, 1, + [Define if you want to disable shadow passwords]) + AC_DEFINE(IP_TOS_IS_BROKEN, 1, + [Define if your system choked on IP TOS setting]) + AC_DEFINE(NO_X11_UNIX_SOCKETS, 1, + [Define if X11 doesn't support AF_UNIX sockets on that system]) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1, + [Define if the concept of ports only accessible to + superusers isn't known]) + AC_DEFINE(DISABLE_FD_PASSING, 1, + [Define if your platform needs to skip post auth + file descriptor passing]) + ;; +*-*-dgux*) + AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; +*-*-darwin*) + AC_MSG_CHECKING(if we have working getaddrinfo) + AC_TRY_RUN([#include +main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + exit(0); + else + exit(1); +}], [AC_MSG_RESULT(working)], + [AC_MSG_RESULT(buggy) + AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])], + [AC_MSG_RESULT(assume it is working)]) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1, + [Define if your resolver libs need this for getrrsetbyname]) + AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_DEFINE(SSH_TUN_COMPAT_AF, 1, + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + [Prepend the address family to IP tunnel traffic]) + ;; +*-*-dragonfly*) + SSHDLIBS="$SSHDLIBS -lcrypt" + ;; +*-*-hpux*) + # first we define all of the options common to all HP-UX releases + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" + IPADDR_IN_DISPLAY=yes + AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NO_ENDOPT, 1, + [Define if your login program cannot handle end of options ("--")]) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOCKED_PASSWD_STRING, "*", + [String used in /etc/passwd to denote locked account]) + AC_DEFINE(SPT_TYPE,SPT_PSTAT) + MAIL="/var/mail/username" + LIBS="$LIBS -lsec" + AC_CHECK_LIB(xnet, t_error, , + AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) + + # next, we define all of the options specific to major releases + case "$host" in + *-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + ;; + *-*-hpux11*) + AC_DEFINE(PAM_SUN_CODEBASE, 1, + [Define if you are using Solaris-derived PAM which + passes pam_messages to the conversation function + with an extra level of indirection]) + AC_DEFINE(DISABLE_UTMP, 1, + [Define if you don't want to use utmp]) + AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) + check_for_hpux_broken_getaddrinfo=1 + check_for_conflicting_getspnam=1 + ;; + esac + + # lastly, we define options specific to minor releases + case "$host" in + *-*-hpux10.26) + AC_DEFINE(HAVE_SECUREWARE, 1, + [Define if you have SecureWare-based + protected password database]) + disable_ptmx_check=yes + LIBS="$LIBS -lsecpw" + ;; + esac + ;; +*-*-irix5*) + PATH="$PATH:/usr/etc" + AC_DEFINE(BROKEN_INET_NTOA, 1, + [Define if you system's inet_ntoa is busted + (e.g. Irix gcc issue)]) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(WITH_ABBREV_NO_TTY, 1, + [Define if you shouldn't strip 'tty' from your + ttyname in [uw]tmp]) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; +*-*-irix6*) + PATH="$PATH:/usr/etc" + AC_DEFINE(WITH_IRIX_ARRAY, 1, + [Define if you have/want arrays + (cluster-wide session managment, not C arrays)]) + AC_DEFINE(WITH_IRIX_PROJECT, 1, + [Define if you want IRIX project management]) + AC_DEFINE(WITH_IRIX_AUDIT, 1, + [Define if you want IRIX audit trails]) + AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS, 1, + [Define if you want IRIX kernel jobs])]) + AC_DEFINE(BROKEN_INET_NTOA) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_UPDWTMPX, 1, [updwtmpx is broken (if present)]) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; +*-*-linux*) + no_dev_ptmx=1 + check_for_libcrypt_later=1 + check_for_openpty_ctty_bug=1 + AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks]) + AC_DEFINE(PAM_TTY_KLUDGE, 1, + [Work around problematic Linux PAM modules handling of PAM_TTY]) + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!", + [String used in /etc/passwd to denote locked account]) + AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) + AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM, + [Define to whatever link() returns for "not supported" + if it doesn't return EOPNOTSUPP.]) + AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) + AC_DEFINE(USE_BTMP) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) + AC_DEFINE(BROKEN_CMSG_TYPE, 1, + [Define if cmsg_type is not passed correctly]) + ;; + esac + # tun(4) forwarding compat code + AC_CHECK_HEADERS(linux/if_tun.h) + if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then + AC_DEFINE(SSH_TUN_LINUX, 1, + [Open tunnel devices the Linux tun/tap way]) + AC_DEFINE(SSH_TUN_COMPAT_AF, 1, + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + [Prepend the address family to IP tunnel traffic]) + fi + ;; +mips-sony-bsd|mips-sony-newsos4) + AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty]) + SONY=1 + ;; +*-*-netbsd*) + check_for_libcrypt_before=1 + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) + AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + [Prepend the address family to IP tunnel traffic]) + ;; +*-*-freebsd*) + check_for_libcrypt_later=1 + AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)]) + AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) + ;; +*-*-bsdi*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; +*-next-*) + conf_lastlog_location="/usr/adm/lastlog" + conf_utmp_location=/etc/utmp + conf_wtmp_location=/usr/adm/wtmp + MAIL=/usr/spool/mail + AC_DEFINE(HAVE_NEXT, 1, [Define if you are on NeXT]) + AC_DEFINE(BROKEN_REALPATH) + AC_DEFINE(USE_PIPES) + AC_DEFINE(BROKEN_SAVED_UIDS, 1, [Needed for NeXT]) + ;; +*-*-openbsd*) + AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel]) + AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded]) + AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way]) + AC_DEFINE(SYSLOG_R_SAFE_IN_SIGHAND, 1, + [syslog_r function is safe to use in in a signal handler]) + ;; +*-*-solaris*) + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOGIN_NEEDS_TERM, 1, + [Some versions of /bin/login need the TERM supplied + on the commandline]) + AC_DEFINE(PAM_TTY_KLUDGE) + AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1, + [Define if pam_chauthtok wants real uid set + to the unpriv'ed user]) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + # Pushing STREAMS modules will cause sshd to acquire a controlling tty. + AC_DEFINE(SSHD_ACQUIRES_CTTY, 1, + [Define if sshd somehow reacquires a controlling TTY + after setsid()]) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd + in case the name is longer than 8 chars]) + external_path_file=/etc/default/login + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/var/adm/lastlog" + AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) + sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` + if test "$sol2ver" -ge 8; then + AC_MSG_RESULT(yes) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(DISABLE_WTMP, 1, + [Define if you don't want to use wtmp]) + else + AC_MSG_RESULT(no) + fi + AC_ARG_WITH(solaris-contracts, + [ --with-solaris-contracts Enable Solaris process contracts (experimental)], + [ + AC_CHECK_LIB(contract, ct_tmpl_activate, + [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1, + [Define if you have Solaris process contracts]) + SSHDLIBS="$SSHDLIBS -lcontract" + AC_SUBST(SSHDLIBS) + SPC_MSG="yes" ], ) + ], + ) + ;; +*-*-sunos4*) + CPPFLAGS="$CPPFLAGS -DSUNOS4" + AC_CHECK_FUNCS(getpwanam) + AC_DEFINE(PAM_SUN_CODEBASE) + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + AC_DEFINE(USE_PIPES) + ;; +*-ncr-sysv*) + LIBS="$LIBS -lc89" + AC_DEFINE(USE_PIPES) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; +*-sni-sysv*) + # /usr/ucblib MUST NOT be searched on ReliantUNIX + AC_CHECK_LIB(dl, dlsym, ,) + # -lresolv needs to be at the end of LIBS or DNS lookups break + AC_CHECK_LIB(resolv, res_query, [ LIBS="$LIBS -lresolv" ]) + IPADDR_IN_DISPLAY=yes + AC_DEFINE(USE_PIPES) + AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + external_path_file=/etc/default/login + # /usr/ucblib/libucb.a no longer needed on ReliantUNIX + # Attention: always take care to bind libsocket and libnsl before libc, + # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog + ;; +# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. +*-*-sysv4.2*) + AC_DEFINE(USE_PIPES) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; +# UnixWare 7.x, OpenUNIX 8 +*-*-sysv5*) + check_for_libcrypt_later=1 + AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars]) + AC_DEFINE(USE_PIPES) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME) + case "$host" in + *-*-sysv5SCO_SV*) # SCO OpenServer 6.x + TEST_SHELL=/u95/bin/sh + AC_DEFINE(BROKEN_LIBIAF, 1, + [ia_uinfo routines not supported by OS yet]) + AC_DEFINE(BROKEN_UPDWTMPX) + ;; + *) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; + esac + ;; +*-*-sysv*) + ;; +# SCO UNIX and OEM versions of SCO UNIX +*-*-sco3.2v4*) + AC_MSG_ERROR("This Platform is no longer supported.") + ;; +# SCO OpenServer 5.x +*-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi + LIBS="$LIBS -lprot -lx -ltinfo -lm" + no_dev_ptmx=1 + AC_DEFINE(USE_PIPES) + AC_DEFINE(HAVE_SECUREWARE) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(BROKEN_UPDWTMPX) + AC_DEFINE(PASSWD_NEEDS_USERNAME) + AC_CHECK_FUNCS(getluid setluid) + MANTYPE=man + TEST_SHELL=ksh + ;; +*-*-unicosmk*) + AC_DEFINE(NO_SSH_LASTLOG, 1, + [Define if you don't want to use lastlog in session.c]) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_FD_PASSING) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-*-unicosmp*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_FD_PASSING) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lacid -ldb" + MANTYPE=cat + ;; +*-*-unicos*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE(NO_SSH_LASTLOG) + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-dec-osf*) + AC_MSG_CHECKING(for Digital Unix SIA) + no_osfsia="" + AC_ARG_WITH(osfsia, + [ --with-osfsia Enable Digital Unix SIA], + [ + if test "x$withval" = "xno" ; then + AC_MSG_RESULT(disabled) + no_osfsia=1 + fi + ], + ) + if test -z "$no_osfsia" ; then + if test -f /etc/sia/matrix.conf; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_OSF_SIA, 1, + [Define if you have Digital Unix Security + Integration Architecture]) + AC_DEFINE(DISABLE_LOGIN, 1, + [Define if you don't want to use your + system's login() call]) + AC_DEFINE(DISABLE_FD_PASSING) + LIBS="$LIBS -lsecurity -ldb -lm -laud" + SIA_MSG="yes" + else + AC_MSG_RESULT(no) + AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin", + [String used in /etc/passwd to denote locked account]) + fi + fi + AC_DEFINE(BROKEN_GETADDRINFO) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; + +*-*-nto-qnx*) + AC_DEFINE(USE_PIPES) + AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems]) + AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems]) + AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems]) + AC_DEFINE(DISABLE_LASTLOG) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + enable_etc_default_login=no # has incompatible /etc/default/login + case "$host" in + *-*-nto-qnx6*) + AC_DEFINE(DISABLE_FD_PASSING) + ;; + esac + ;; + +*-*-ultrix*) + AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1]) + AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files]) + AC_DEFINE(NEED_SETPGRP) + AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix]) + ;; + +*-*-lynxos) + CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" + AC_DEFINE(MISSING_HOWMANY) + AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation]) + ;; +esac + +AC_MSG_CHECKING(compiler and flags for sanity) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include +int main(){exit(0);} + ])], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***]) + ], + [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ] +) + +dnl Checks for header files. +# Checks for libraries. +AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) +AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt)) + +dnl IRIX and Solaris 2.5.1 have dirname() in libgen +AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ + AC_CHECK_LIB(gen, dirname,[ + AC_CACHE_CHECK([for broken dirname], + ac_cv_have_broken_dirname, [ + save_LIBS="$LIBS" + LIBS="$LIBS -lgen" + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include + +int main(int argc, char **argv) { + char *s, buf[32]; + + strncpy(buf,"/etc", 32); + s = dirname(buf); + if (!s || strncmp(s, "/", 32) != 0) { + exit(1); + } else { + exit(0); + } +} + ]])], + [ ac_cv_have_broken_dirname="no" ], + [ ac_cv_have_broken_dirname="yes" ], + [ ac_cv_have_broken_dirname="no" ], + ) + LIBS="$save_LIBS" + ]) + if test "x$ac_cv_have_broken_dirname" = "xno" ; then + LIBS="$LIBS -lgen" + AC_DEFINE(HAVE_DIRNAME) + AC_CHECK_HEADERS(libgen.h) + fi + ]) +]) + +AC_CHECK_FUNC(getspnam, , + AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME, 1, + [Define if you have the basename function.])) + +dnl zlib is required +AC_ARG_WITH(zlib, + [ --with-zlib=PATH Use zlib in PATH], + [ if test "x$withval" = "xno" ; then + AC_MSG_ERROR([*** zlib is required ***]) + elif test "x$withval" != "xyes"; then + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi ] +) + +AC_CHECK_LIB(z, deflate, , + [ + saved_CPPFLAGS="$CPPFLAGS" + saved_LDFLAGS="$LDFLAGS" + save_LIBS="$LIBS" + dnl Check default zlib install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" + LIBS="$LIBS -lz" + AC_TRY_LINK_FUNC(deflate, AC_DEFINE(HAVE_LIBZ), + [ + AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]) + ] + ) + ] +) +AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])) + +AC_ARG_WITH(zlib-version-check, + [ --without-zlib-version-check Disable zlib version check], + [ if test "x$withval" = "xno" ; then + zlib_check_nonfatal=1 + fi + ] +) + +AC_MSG_CHECKING(for possibly buggy zlib) +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main() +{ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) + exit(0); + + /* 1.2.3 and up are OK */ + if (v >= 1020300) + exit(0); + + exit(2); +} + ]])], + AC_MSG_RESULT(no), + [ AC_MSG_RESULT(yes) + if test -z "$zlib_check_nonfatal" ; then + AC_MSG_ERROR([*** zlib too old - check config.log *** +Your reported zlib version has known security problems. It's possible your +vendor has fixed these problems without changing the version number. If you +are sure this is the case, you can disable the check by running +"./configure --without-zlib-version-check". +If you are in doubt, upgrade zlib to version 1.2.3 or greater. +See http://www.gzip.org/zlib/ for details.]) + else + AC_MSG_WARN([zlib version may have security problems]) + fi + ], + [ AC_MSG_WARN([cross compiling: not checking zlib version]) ] +) + +dnl UnixWare 2.x +AC_CHECK_FUNC(strcasecmp, + [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] +) +AC_CHECK_FUNCS(utimes, + [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES) + LIBS="$LIBS -lc89"]) ] +) + +dnl Checks for libutil functions +AC_CHECK_HEADERS(libutil.h) +AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1, + [Define if your libraries define login()])]) +AC_CHECK_FUNCS(logout updwtmp logwtmp) + +AC_FUNC_STRFTIME + +# Check for ALTDIRFUNC glob() extension +AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support) +AC_EGREP_CPP(FOUNDIT, + [ + #include + #ifdef GLOB_ALTDIRFUNC + FOUNDIT + #endif + ], + [ + AC_DEFINE(GLOB_HAS_ALTDIRFUNC, 1, + [Define if your system glob() function has + the GLOB_ALTDIRFUNC extension]) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +# Check for g.gl_matchc glob() extension +AC_MSG_CHECKING(for gl_matchc field in glob_t) +AC_TRY_COMPILE( + [ #include ], + [glob_t g; g.gl_matchc = 1;], + [ + AC_DEFINE(GLOB_HAS_GL_MATCHC, 1, + [Define if your system glob() function has + gl_matchc options in glob_t]) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +AC_CHECK_DECLS(GLOB_NOMATCH, , , [#include ]) + +AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} + ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME, 1, + [Define if your struct dirent expects you to + allocate extra space for d_name]) + ], + [ + AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) + ] +) + +AC_MSG_CHECKING([for /proc/pid/fd directory]) +if test -d "/proc/$$/fd" ; then + AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd]) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi + +# Check whether user wants S/Key support +SKEY_MSG="no" +AC_ARG_WITH(skey, + [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE(SKEY, 1, [Define if you want S/Key support]) + LIBS="-lskey $LIBS" + SKEY_MSG="yes" + + AC_MSG_CHECKING([for s/key support]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } + ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) + ]) + AC_MSG_CHECKING(if skeychallenge takes 4 arguments) + AC_TRY_COMPILE( + [#include + #include ], + [(void)skeychallenge(NULL,"name","",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(SKEYCHALLENGE_4ARG, 1, + [Define if your skeychallenge() + function takes 4 arguments (NetBSD)])], + [AC_MSG_RESULT(no)] + ) + fi + ] +) + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH(tcp-wrappers, + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBS="-lwrap $LIBS" + AC_MSG_CHECKING(for libwrap) + AC_TRY_LINK( + [ +#include +#include +#include +#include + int deny_severity = 0, allow_severity = 0; + ], + [hosts_access(0);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP, 1, + [Define if you want + TCP Wrappers support]) + SSHDLIBS="$SSHDLIBS -lwrap" + TCPW_MSG="yes" + ], + [ + AC_MSG_ERROR([*** libwrap missing]) + ] + ) + LIBS="$saved_LIBS" + fi + ] +) + +# Check whether user wants libedit support +LIBEDIT_MSG="no" +AC_ARG_WITH(libedit, + [ --with-libedit[[=PATH]] Enable libedit support for sftp], + [ if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes"; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + fi + AC_CHECK_LIB(edit, el_init, + [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp]) + LIBEDIT="-ledit -lcurses" + LIBEDIT_MSG="yes" + AC_SUBST(LIBEDIT) + ], + [ AC_MSG_ERROR(libedit not found) ], + [ -lcurses ] + ) + AC_MSG_CHECKING(if libedit version is compatible) + AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void) +{ + int i = H_SETSIZE; + el_init("", NULL, NULL, NULL); + exit(0); +} + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + AC_MSG_ERROR(libedit version is not compatible) ] + ) + fi ] +) + +AUDIT_MODULE=none +AC_ARG_WITH(audit, + [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], + [ + AC_MSG_CHECKING(for supported audit module) + case "$withval" in + bsm) + AC_MSG_RESULT(bsm) + AUDIT_MODULE=bsm + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS(bsm/audit.h, [], + [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)], + [ +#ifdef HAVE_TIME_H +# include +#endif + ] +) + AC_CHECK_LIB(bsm, getaudit, [], + [AC_MSG_ERROR(BSM enabled and required library not found)]) + AC_CHECK_FUNCS(getaudit, [], + [AC_MSG_ERROR(BSM enabled and required function not found)]) + # These are optional + AC_CHECK_FUNCS(getaudit_addr) + AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module]) + ;; + debug) + AUDIT_MODULE=debug + AC_MSG_RESULT(debug) + AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module) + ;; + no) + AC_MSG_RESULT(no) + ;; + *) + AC_MSG_ERROR([Unknown audit module $withval]) + ;; + esac ] +) + +dnl Checks for library functions. Please keep in alphabetical order +AC_CHECK_FUNCS( \ + arc4random \ + asprintf \ + b64_ntop \ + __b64_ntop \ + b64_pton \ + __b64_pton \ + bcopy \ + bindresvport_sa \ + clock \ + closefrom \ + dirfd \ + fchmod \ + fchown \ + freeaddrinfo \ + futimes \ + getaddrinfo \ + getcwd \ + getgrouplist \ + getnameinfo \ + getopt \ + getpeereid \ + getpeerucred \ + _getpty \ + getrlimit \ + getttyent \ + glob \ + inet_aton \ + inet_ntoa \ + inet_ntop \ + innetgr \ + login_getcapbool \ + md5_crypt \ + memmove \ + mkdtemp \ + mmap \ + ngetaddrinfo \ + nsleep \ + ogetaddrinfo \ + openlog_r \ + openpty \ + poll \ + prctl \ + pstat \ + readpassphrase \ + realpath \ + recvmsg \ + rresvport_af \ + sendmsg \ + setdtablesize \ + setegid \ + setenv \ + seteuid \ + setgroups \ + setlogin \ + setpcred \ + setproctitle \ + setregid \ + setreuid \ + setrlimit \ + setsid \ + setvbuf \ + sigaction \ + sigvec \ + snprintf \ + socketpair \ + strdup \ + strerror \ + strlcat \ + strlcpy \ + strmode \ + strnvis \ + strtonum \ + strtoll \ + strtoul \ + swap32 \ + sysconf \ + tcgetpgrp \ + truncate \ + unsetenv \ + updwtmpx \ + vasprintf \ + vhangup \ + vsnprintf \ + waitpid \ +) + +# IRIX has a const char return value for gai_strerror() +AC_CHECK_FUNCS(gai_strerror,[ + AC_DEFINE(HAVE_GAI_STRERROR) + AC_TRY_COMPILE([ +#include +#include +#include + +const char *gai_strerror(int);],[ +char *str; + +str = gai_strerror(0);],[ + AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, + [Define if gai_strerror() returns const char *])])]) + +AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP, 1, + [Some systems put nanosleep outside of libc])) + +dnl Make sure prototypes are defined for these before using them. +AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)]) +AC_CHECK_DECL(strsep, + [AC_CHECK_FUNCS(strsep)], + [], + [ +#ifdef HAVE_STRING_H +# include +#endif + ]) + +dnl tcsendbreak might be a macro +AC_CHECK_DECL(tcsendbreak, + [AC_DEFINE(HAVE_TCSENDBREAK)], + [AC_CHECK_FUNCS(tcsendbreak)], + [#include ] +) + +AC_CHECK_DECLS(h_errno, , ,[#include ]) + +AC_CHECK_DECLS(SHUT_RD, , , + [ +#include +#include + ]) + +AC_CHECK_DECLS(O_NONBLOCK, , , + [ +#include +#ifdef HAVE_SYS_STAT_H +# include +#endif +#ifdef HAVE_FCNTL_H +# include +#endif + ]) + +AC_CHECK_DECLS(writev, , , [ +#include +#include +#include + ]) + +AC_CHECK_DECLS(MAXSYMLINKS, , , [ +#include + ]) + +AC_CHECK_DECLS(offsetof, , , [ +#include + ]) + +AC_CHECK_FUNCS(setresuid, [ + dnl Some platorms have setresuid that isn't implemented, test for this + AC_MSG_CHECKING(if setresuid seems to work) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} + ]])], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESUID, 1, + [Define if your setresuid() is broken]) + AC_MSG_RESULT(not implemented)], + [AC_MSG_WARN([cross compiling: not checking setresuid])] + ) +]) + +AC_CHECK_FUNCS(setresgid, [ + dnl Some platorms have setresgid that isn't implemented, test for this + AC_MSG_CHECKING(if setresgid seems to work) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} + ]])], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESGID, 1, + [Define if your setresgid() is broken]) + AC_MSG_RESULT(not implemented)], + [AC_MSG_WARN([cross compiling: not checking setresuid])] + ) +]) + +dnl Checks for time functions +AC_CHECK_FUNCS(gettimeofday time) +dnl Checks for utmp functions +AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent) +AC_CHECK_FUNCS(utmpname) +dnl Checks for utmpx functions +AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) +AC_CHECK_FUNCS(setutxent utmpxname) + +AC_CHECK_FUNC(daemon, + [AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])], + [AC_CHECK_LIB(bsd, daemon, + [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] +) + +AC_CHECK_FUNC(getpagesize, + [AC_DEFINE(HAVE_GETPAGESIZE, 1, + [Define if your libraries define getpagesize()])], + [AC_CHECK_LIB(ucb, getpagesize, + [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] +) + +# Check for broken snprintf +if test "x$ac_cv_func_snprintf" = "xyes" ; then + AC_MSG_CHECKING([whether snprintf correctly terminates long strings]) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');} + ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_SNPRINTF, 1, + [Define if your snprintf is busted]) + AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ], + [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] + ) +fi + +# If we don't have a working asprintf, then we strongly depend on vsnprintf +# returning the right thing on overflow: the number of characters it tried to +# create (as per SUSv3) +if test "x$ac_cv_func_asprintf" != "xyes" && \ + test "x$ac_cv_func_vsnprintf" = "xyes" ; then + AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow]) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include + +int x_snprintf(char *str,size_t count,const char *fmt,...) +{ + size_t ret; va_list ap; + va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap); + return ret; +} +int main(void) +{ + char x[1]; + exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1); +} ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_SNPRINTF, 1, + [Define if your snprintf is busted]) + AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor]) + ], + [ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ] + ) +fi + +# On systems where [v]snprintf is broken, but is declared in stdio, +# check that the fmt argument is const char * or just char *. +# This is only useful for when BROKEN_SNPRINTF +AC_MSG_CHECKING([whether snprintf can declare const char *fmt]) +AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include + int snprintf(char *a, size_t b, const char *c, ...) { return 0; } + int main(void) { snprintf(0, 0, 0); } + ]])], + [AC_MSG_RESULT(yes) + AC_DEFINE(SNPRINTF_CONST, [const], + [Define as const if snprintf() can declare const char *fmt])], + [AC_MSG_RESULT(no) + AC_DEFINE(SNPRINTF_CONST, [/* not const */])]) + +# Check for missing getpeereid (or equiv) support +NO_PEERCHECK="" +if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then + AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) + AC_TRY_COMPILE( + [#include + #include ], + [int i = SO_PEERCRED;], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_SO_PEERCRED, 1, [Have PEERCRED socket option]) + ], + [AC_MSG_RESULT(no) + NO_PEERCHECK=1] + ) +fi + +dnl see whether mkstemp() requires XXXXXX +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +AC_MSG_CHECKING([for (overly) strict mkstemp]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +main() { char template[]="conftest.mkstemp-test"; +if (mkstemp(template) == -1) + exit(1); +unlink(template); exit(0); +} + ]])], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_STRICT_MKSTEMP, 1, [Silly mkstemp()]) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_STRICT_MKSTEMP) + ] +) +fi + +dnl make sure that openpty does not reacquire controlling terminal +if test ! -z "$check_for_openpty_ctty_bug"; then + AC_MSG_CHECKING(if openpty correctly handles controlling tty) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include + +int +main() +{ + pid_t pid; + int fd, ptyfd, ttyfd, status; + + pid = fork(); + if (pid < 0) { /* failed */ + exit(1); + } else if (pid > 0) { /* parent */ + waitpid(pid, &status, 0); + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else + exit(2); + } else { /* child */ + close(0); close(1); close(2); + setsid(); + openpty(&ptyfd, &ttyfd, NULL, NULL, NULL); + fd = open("/dev/tty", O_RDWR | O_NOCTTY); + if (fd >= 0) + exit(3); /* Acquired ctty: broken */ + else + exit(0); /* Did not acquire ctty: OK */ + } +} + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + ], + [ + AC_MSG_RESULT(cross-compiling, assuming yes) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); +} + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ], + [ + AC_MSG_RESULT(cross-compiling, assuming yes) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_aix_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); + exit(2); + } + } + exit(0); +} + ]])], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(AIX_GETNAMEINFO_HACK, 1, + [Define if you have a getaddrinfo that fails + for the all-zeros IPv6 address]) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ], + [ + AC_MSG_RESULT(cross-compiling, assuming no) + ] + ) +fi + +if test "x$check_for_conflicting_getspnam" = "x1"; then + AC_MSG_CHECKING(for conflicting getspnam in shadow.h) + AC_COMPILE_IFELSE( + [ +#include +int main(void) {exit(0);} + ], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(GETSPNAM_CONFLICTING_DEFS, 1, + [Conflicting defs for getspnam]) + ] + ) +fi + +AC_FUNC_GETPGRP + +# Search for OpenSSL +saved_CPPFLAGS="$CPPFLAGS" +saved_LDFLAGS="$LDFLAGS" +AC_ARG_WITH(ssl-dir, + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "xno" ; then + case "$withval" in + # Relative paths + ./*|../*) withval="`pwd`/$withval" + esac + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + ] +) +LIBS="-lcrypto $LIBS" +AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1, + [Define if your ssl headers are included + with #include ]), + [ + dnl Check default openssl install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" + AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), + [ + AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) + ] + ) + ] +) + +# Determine OpenSSL header version +AC_MSG_CHECKING([OpenSSL header version]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#define DATA "conftest.sslincver" +int main(void) { + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + exit(1); + + exit(0); +} + ]])], + [ + ssl_header_ver=`cat conftest.sslincver` + AC_MSG_RESULT($ssl_header_ver) + ], + [ + AC_MSG_RESULT(not found) + AC_MSG_ERROR(OpenSSL version header not found.) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +# Determine OpenSSL library version +AC_MSG_CHECKING([OpenSSL library version]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include +#define DATA "conftest.ssllibver" +int main(void) { + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) + exit(1); + + exit(0); +} + ]])], + [ + ssl_library_ver=`cat conftest.ssllibver` + AC_MSG_RESULT($ssl_library_ver) + ], + [ + AC_MSG_RESULT(not found) + AC_MSG_ERROR(OpenSSL library not found.) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +AC_ARG_WITH(openssl-header-check, + [ --without-openssl-header-check Disable OpenSSL version consistency check], + [ if test "x$withval" = "xno" ; then + openssl_check_nonfatal=1 + fi + ] +) + +# Sanity check OpenSSL headers +AC_MSG_CHECKING([whether OpenSSL's headers match the library]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + if test "x$openssl_check_nonfatal" = "x"; then + AC_MSG_ERROR([Your OpenSSL headers do not match your +library. Check config.log for details. +If you are sure your installation is consistent, you can disable the check +by running "./configure --without-openssl-header-check". +Also see contrib/findssl.sh for help identifying header/library mismatches. +]) + else + AC_MSG_WARN([Your OpenSSL headers do not match your +library. Check config.log for details. +Also see contrib/findssl.sh for help identifying header/library mismatches.]) + fi + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +AC_MSG_CHECKING([if programs using OpenSSL functions will link]) +AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void) { SSLeay_add_all_algorithms(); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + saved_LIBS="$LIBS" + LIBS="$LIBS -ldl" + AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void) { SSLeay_add_all_algorithms(); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + LIBS="$saved_LIBS" + ] + ) + ] +) + +AC_ARG_WITH(ssl-engine, + [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], + [ if test "x$withval" != "xno" ; then + AC_MSG_CHECKING(for OpenSSL ENGINE support) + AC_TRY_COMPILE( + [ #include ], + [ +ENGINE_load_builtin_engines();ENGINE_register_all_complete(); + ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(USE_OPENSSL_ENGINE, 1, + [Enable OpenSSL engine support]) + ], + [ AC_MSG_ERROR(OpenSSL ENGINE support not found)] + ) + fi ] +) + +# Check for OpenSSL without EVP_aes_{192,256}_cbc +AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) +AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);} + ]])], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1, + [libcrypto is missing AES 192 and 256 bit functions]) + ] +) + +# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, +# because the system crypt() is more featureful. +if test "x$check_for_libcrypt_before" = "x1"; then + AC_CHECK_LIB(crypt, crypt) +fi + +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# version in OpenSSL. +if test "x$check_for_libcrypt_later" = "x1"; then + AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") +fi + +# Search for SHA256 support in libc and/or OpenSSL +AC_CHECK_FUNCS(SHA256_Update EVP_sha256) + +saved_LIBS="$LIBS" +AC_CHECK_LIB(iaf, ia_openinfo, [ + LIBS="$LIBS -liaf" + AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"]) +]) +LIBS="$saved_LIBS" + +### Configure cryptographic random number support + +# Check wheter OpenSSL seeds itself +AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { exit(RAND_status() == 1 ? 0 : 1); } + ]])], + [ + OPENSSL_SEEDS_ITSELF=yes + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + # Default to use of the rand helper if OpenSSL doesn't + # seed itself + USE_RAND_HELPER=yes + ], + [ + AC_MSG_WARN([cross compiling: assuming yes]) + # This is safe, since all recent OpenSSL versions will + # complain at runtime if not seeded correctly. + OPENSSL_SEEDS_ITSELF=yes + ] +) + +# Check for PAM libs +PAM_MSG="no" +AC_ARG_WITH(pam, + [ --with-pam Enable PAM support ], + [ + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ + test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then + AC_MSG_ERROR([PAM headers not found]) + fi + + saved_LIBS="$LIBS" + AC_CHECK_LIB(dl, dlopen, , ) + AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) + AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_FUNCS(pam_putenv) + LIBS="$saved_LIBS" + + PAM_MSG="yes" + + SSHDLIBS="$SSHDLIBS -lpam" + AC_DEFINE(USE_PAM, 1, + [Define if you want to enable PAM support]) + + if test $ac_cv_lib_dl_dlopen = yes; then + case "$LIBS" in + *-ldl*) + # libdl already in LIBS + ;; + *) + SSHDLIBS="$SSHDLIBS -ldl" + ;; + esac + fi + fi + ] +) + +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then + # Check PAM strerror arguments (old PAM) + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_TRY_COMPILE( + [ +#include +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], + [AC_MSG_RESULT(no)], + [ + AC_DEFINE(HAVE_OLD_PAM, 1, + [Define if you have an old version of PAM + which takes only one argument to pam_strerror]) + AC_MSG_RESULT(yes) + PAM_MSG="yes (old library)" + ] + ) +fi + +# Do we want to force the use of the rand helper? +AC_ARG_WITH(rand-helper, + [ --with-rand-helper Use subprocess to gather strong randomness ], + [ + if test "x$withval" = "xno" ; then + # Force use of OpenSSL's internal RNG, even if + # the previous test showed it to be unseeded. + if test -z "$OPENSSL_SEEDS_ITSELF" ; then + AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG]) + OPENSSL_SEEDS_ITSELF=yes + USE_RAND_HELPER="" + fi + else + USE_RAND_HELPER=yes + fi + ], +) + +# Which randomness source do we use? +if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then + # OpenSSL only + AC_DEFINE(OPENSSL_PRNG_ONLY, 1, + [Define if you want OpenSSL's internally seeded PRNG only]) + RAND_MSG="OpenSSL internal ONLY" + INSTALL_SSH_RAND_HELPER="" +elif test ! -z "$USE_RAND_HELPER" ; then + # install rand helper + RAND_MSG="ssh-rand-helper" + INSTALL_SSH_RAND_HELPER="yes" +fi +AC_SUBST(INSTALL_SSH_RAND_HELPER) + +### Configuration of ssh-rand-helper + +# PRNGD TCP socket +AC_ARG_WITH(prngd-port, + [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT], + [ + case "$withval" in + no) + withval="" + ;; + [[0-9]]*) + ;; + *) + AC_MSG_ERROR(You must specify a numeric port number for --with-prngd-port) + ;; + esac + if test ! -z "$withval" ; then + PRNGD_PORT="$withval" + AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT, + [Port number of PRNGD/EGD random number socket]) + fi + ] +) + +# PRNGD Unix domain socket +AC_ARG_WITH(prngd-socket, + [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], + [ + case "$withval" in + yes) + withval="/var/run/egd-pool" + ;; + no) + withval="" + ;; + /*) + ;; + *) + AC_MSG_ERROR(You must specify an absolute path to the entropy socket) + ;; + esac + + if test ! -z "$withval" ; then + if test ! -z "$PRNGD_PORT" ; then + AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket) + fi + if test ! -r "$withval" ; then + AC_MSG_WARN(Entropy socket is not readable) + fi + PRNGD_SOCKET="$withval" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET", + [Location of PRNGD/EGD random number socket]) + fi + ], + [ + # Check for existing socket only if we don't have a random device already + if test "$USE_RAND_HELPER" = yes ; then + AC_MSG_CHECKING(for PRNGD/EGD socket) + # Insert other locations here + for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") + break; + fi + done + if test ! -z "$PRNGD_SOCKET" ; then + AC_MSG_RESULT($PRNGD_SOCKET) + else + AC_MSG_RESULT(not found) + fi + fi + ] +) + +# Change default command timeout for hashing entropy source +entropy_timeout=200 +AC_ARG_WITH(entropy-timeout, + [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + entropy_timeout=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout, + [Builtin PRNG command timeout]) + +SSH_PRIVSEP_USER=sshd +AC_ARG_WITH(privsep-user, + [ --with-privsep-user=user Specify non-privileged user for privilege separation], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + SSH_PRIVSEP_USER=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER", + [non-privileged user for privilege separation]) +AC_SUBST(SSH_PRIVSEP_USER) + +# We do this little dance with the search path to insure +# that programs that we select for use by installed programs +# (which may be run by the super-user) come from trusted +# locations before they come from the user's private area. +# This should help avoid accidentally configuring some +# random version of a program in someone's personal bin. + +OPATH=$PATH +PATH=/bin:/usr/bin +test -h /bin 2> /dev/null && PATH=/usr/bin +test -d /sbin && PATH=$PATH:/sbin +test -d /usr/sbin && PATH=$PATH:/usr/sbin +PATH=$PATH:/etc:$OPATH + +# These programs are used by the command hashing source to gather entropy +OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) +OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) +OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) +OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) +OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) +OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) +OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar) +OSSH_PATH_ENTROPY_PROG(PROG_W, w) +OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) +OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) +OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) +OSSH_PATH_ENTROPY_PROG(PROG_DF, df) +OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) +OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) +OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) +OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) +# restore PATH +PATH=$OPATH + +# Where does ssh-rand-helper get its randomness from? +INSTALL_SSH_PRNG_CMDS="" +if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then + if test ! -z "$PRNGD_PORT" ; then + RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT" + elif test ! -z "$PRNGD_SOCKET" ; then + RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\"" + else + RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)" + RAND_HELPER_CMDHASH=yes + INSTALL_SSH_PRNG_CMDS="yes" + fi +fi +AC_SUBST(INSTALL_SSH_PRNG_CMDS) + + +# Cheap hack to ensure NEWS-OS libraries are arranged right. +if test ! -z "$SONY" ; then + LIBS="$LIBS -liberty"; +fi + +# Check for long long datatypes +AC_CHECK_TYPES([long long, unsigned long long, long double]) + +# Check datatype sizes +AC_CHECK_SIZEOF(char, 1) +AC_CHECK_SIZEOF(short int, 2) +AC_CHECK_SIZEOF(int, 4) +AC_CHECK_SIZEOF(long int, 4) +AC_CHECK_SIZEOF(long long int, 8) + +# Sanity check long long for some platforms (AIX) +if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then + ac_cv_sizeof_long_long_int=0 +fi + +# compute LLONG_MIN and LLONG_MAX if we don't know them. +if test -z "$have_llong_max"; then + AC_MSG_CHECKING([for max value of long long]) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +/* Why is this so damn hard? */ +#ifdef __GNUC__ +# undef __GNUC__ +#endif +#define __USE_ISOC99 +#include +#define DATA "conftest.llminmax" +#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a)) + +/* + * printf in libc on some platforms (eg old Tru64) does not understand %lld so + * we do this the hard way. + */ +static int +fprint_ll(FILE *f, long long n) +{ + unsigned int i; + int l[sizeof(long long) * 8]; + + if (n < 0) + if (fprintf(f, "-") < 0) + return -1; + for (i = 0; n != 0; i++) { + l[i] = my_abs(n % 10); + n /= 10; + } + do { + if (fprintf(f, "%d", l[--i]) < 0) + return -1; + } while (i != 0); + if (fprintf(f, " ") < 0) + return -1; + return 0; +} + +int main(void) { + FILE *f; + long long i, llmin, llmax = 0; + + if((f = fopen(DATA,"w")) == NULL) + exit(1); + +#if defined(LLONG_MIN) && defined(LLONG_MAX) + fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n"); + llmin = LLONG_MIN; + llmax = LLONG_MAX; +#else + fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n"); + /* This will work on one's complement and two's complement */ + for (i = 1; i > llmax; i <<= 1, i++) + llmax = i; + llmin = llmax + 1LL; /* wrap */ +#endif + + /* Sanity check */ + if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax + || llmax - 1 > llmax || llmin == llmax || llmin == 0 + || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) { + fprintf(f, "unknown unknown\n"); + exit(2); + } + + if (fprint_ll(f, llmin) < 0) + exit(3); + if (fprint_ll(f, llmax) < 0) + exit(4); + if (fclose(f) < 0) + exit(5); + exit(0); +} + ]])], + [ + llong_min=`$AWK '{print $1}' conftest.llminmax` + llong_max=`$AWK '{print $2}' conftest.llminmax` + + AC_MSG_RESULT($llong_max) + AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL], + [max value of long long calculated by configure]) + AC_MSG_CHECKING([for min value of long long]) + AC_MSG_RESULT($llong_min) + AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL], + [min value of long long calculated by configure]) + ], + [ + AC_MSG_RESULT(not found) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] + ) +fi + + +# More checks for data types +AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int a; a = 1;], + [ ac_cv_have_u_int="yes" ], + [ ac_cv_have_u_int="no" ] + ) +]) +if test "x$ac_cv_have_u_int" = "xyes" ; then + AC_DEFINE(HAVE_U_INT, 1, [define if you have u_int data type]) + have_u_int=1 +fi + +AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [ + AC_TRY_COMPILE( + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ ac_cv_have_intxx_t="yes" ], + [ ac_cv_have_intxx_t="no" ] + ) +]) +if test "x$ac_cv_have_intxx_t" = "xyes" ; then + AC_DEFINE(HAVE_INTXX_T, 1, [define if you have intxx_t data type]) + have_intxx_t=1 +fi + +if (test -z "$have_intxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t types in stdint.h]) + AC_TRY_COMPILE( + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [ + AC_TRY_COMPILE( + [ +#include +#ifdef HAVE_STDINT_H +# include +#endif +#include +#ifdef HAVE_SYS_BITYPES_H +# include +#endif + ], + [ int64_t a; a = 1;], + [ ac_cv_have_int64_t="yes" ], + [ ac_cv_have_int64_t="no" ] + ) +]) +if test "x$ac_cv_have_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_INT64_T, 1, [define if you have int64_t data type]) +fi + +AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ ac_cv_have_u_intxx_t="yes" ], + [ ac_cv_have_u_intxx_t="no" ] + ) +]) +if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INTXX_T, 1, [define if you have u_intxx_t data type]) + have_u_intxx_t=1 +fi + +if test -z "$have_u_intxx_t" ; then + AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h]) + AC_TRY_COMPILE( + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int64_t a; a = 1;], + [ ac_cv_have_u_int64_t="yes" ], + [ ac_cv_have_u_int64_t="no" ] + ) +]) +if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INT64_T, 1, [define if you have u_int64_t data type]) + have_u_int64_t=1 +fi + +if test -z "$have_u_int64_t" ; then + AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) + AC_TRY_COMPILE( + [ #include ], + [ u_int64_t a; a = 1], + [ + AC_DEFINE(HAVE_U_INT64_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +if test -z "$have_u_intxx_t" ; then + AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ], + [ ac_cv_have_uintxx_t="yes" ], + [ ac_cv_have_uintxx_t="no" ] + ) + ]) + if test "x$ac_cv_have_uintxx_t" = "xyes" ; then + AC_DEFINE(HAVE_UINTXX_T, 1, + [define if you have uintxx_t data type]) + fi +fi + +if test -z "$have_uintxx_t" ; then + AC_MSG_CHECKING([for uintXX_t types in stdint.h]) + AC_TRY_COMPILE( + [ #include ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_UINTXX_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) + AC_TRY_COMPILE( + [ +#include + ], + [ + int8_t a; int16_t b; int32_t c; + u_int8_t e; u_int16_t f; u_int32_t g; + a = b = c = e = f = g = 1; + ], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) +fi + + +AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [ + AC_TRY_COMPILE( + [ +#include + ], + [ u_char foo; foo = 125; ], + [ ac_cv_have_u_char="yes" ], + [ ac_cv_have_u_char="no" ] + ) +]) +if test "x$ac_cv_have_u_char" = "xyes" ; then + AC_DEFINE(HAVE_U_CHAR, 1, [define if you have u_char data type]) +fi + +TYPE_SOCKLEN_T + +AC_CHECK_TYPES(sig_atomic_t,,,[#include ]) + +AC_CHECK_TYPES(in_addr_t,,, +[#include +#include ]) + +AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ size_t foo; foo = 1235; ], + [ ac_cv_have_size_t="yes" ], + [ ac_cv_have_size_t="no" ] + ) +]) +if test "x$ac_cv_have_size_t" = "xyes" ; then + AC_DEFINE(HAVE_SIZE_T, 1, [define if you have size_t data type]) +fi + +AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ ssize_t foo; foo = 1235; ], + [ ac_cv_have_ssize_t="yes" ], + [ ac_cv_have_ssize_t="no" ] + ) +]) +if test "x$ac_cv_have_ssize_t" = "xyes" ; then + AC_DEFINE(HAVE_SSIZE_T, 1, [define if you have ssize_t data type]) +fi + +AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ clock_t foo; foo = 1235; ], + [ ac_cv_have_clock_t="yes" ], + [ ac_cv_have_clock_t="no" ] + ) +]) +if test "x$ac_cv_have_clock_t" = "xyes" ; then + AC_DEFINE(HAVE_CLOCK_T, 1, [define if you have clock_t data type]) +fi + +AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ sa_family_t foo; foo = 1235; ], + [ ac_cv_have_sa_family_t="yes" ], + [ AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ sa_family_t foo; foo = 1235; ], + [ ac_cv_have_sa_family_t="yes" ], + + [ ac_cv_have_sa_family_t="no" ] + )] + ) +]) +if test "x$ac_cv_have_sa_family_t" = "xyes" ; then + AC_DEFINE(HAVE_SA_FAMILY_T, 1, + [define if you have sa_family_t data type]) +fi + +AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ pid_t foo; foo = 1235; ], + [ ac_cv_have_pid_t="yes" ], + [ ac_cv_have_pid_t="no" ] + ) +]) +if test "x$ac_cv_have_pid_t" = "xyes" ; then + AC_DEFINE(HAVE_PID_T, 1, [define if you have pid_t data type]) +fi + +AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ mode_t foo; foo = 1235; ], + [ ac_cv_have_mode_t="yes" ], + [ ac_cv_have_mode_t="no" ] + ) +]) +if test "x$ac_cv_have_mode_t" = "xyes" ; then + AC_DEFINE(HAVE_MODE_T, 1, [define if you have mode_t data type]) +fi + + +AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; ], + [ ac_cv_have_struct_sockaddr_storage="yes" ], + [ ac_cv_have_struct_sockaddr_storage="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE, 1, + [define if you have struct sockaddr_storage data type]) +fi + +AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_in6 s; s.sin6_family = 0; ], + [ ac_cv_have_struct_sockaddr_in6="yes" ], + [ ac_cv_have_struct_sockaddr_in6="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6, 1, + [define if you have struct sockaddr_in6 data type]) +fi + +AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct in6_addr s; s.s6_addr[0] = 0; ], + [ ac_cv_have_struct_in6_addr="yes" ], + [ ac_cv_have_struct_in6_addr="no" ] + ) +]) +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1, + [define if you have struct in6_addr data type]) +fi + +AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ + AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ struct addrinfo s; s.ai_flags = AI_PASSIVE; ], + [ ac_cv_have_struct_addrinfo="yes" ], + [ ac_cv_have_struct_addrinfo="no" ] + ) +]) +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1, + [define if you have struct addrinfo data type]) +fi + +AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ + AC_TRY_COMPILE( + [ #include ], + [ struct timeval tv; tv.tv_sec = 1;], + [ ac_cv_have_struct_timeval="yes" ], + [ ac_cv_have_struct_timeval="no" ] + ) +]) +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_TIMEVAL, 1, [define if you have struct timeval]) + have_struct_timeval=1 +fi + +AC_CHECK_TYPES(struct timespec) + +# We need int64_t or else certian parts of the compile will fail. +if test "x$ac_cv_have_int64_t" = "xno" && \ + test "x$ac_cv_sizeof_long_int" != "x8" && \ + test "x$ac_cv_sizeof_long_long_int" = "x0" ; then + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." + echo "" + exit 1; +else +dnl test snprintf (broken on SCO w/gcc) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffffll; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + ]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ], + AC_MSG_WARN([cross compiling: Assuming working snprintf()]) + ) +fi + +dnl Checks for structure members +OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmpx.h, HAVE_HOST_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_pid, utmp.h, HAVE_PID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmp.h, HAVE_TYPE_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmpx.h, HAVE_ID_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmpx.h, HAVE_ADDR_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmp.h, HAVE_ADDR_V6_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmpx.h, HAVE_ADDR_V6_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_exit, utmp.h, HAVE_EXIT_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmp.h, HAVE_TIME_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) + +AC_CHECK_MEMBERS([struct stat.st_blksize]) +AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE(__res_state, state, + [Define if we don't have struct __res_state in resolv.h])], +[ +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include +]) + +AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], + ac_cv_have_ss_family_in_struct_ss, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; s.ss_family = 1; ], + [ ac_cv_have_ss_family_in_struct_ss="yes" ], + [ ac_cv_have_ss_family_in_struct_ss="no" ], + ) +]) +if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE(HAVE_SS_FAMILY_IN_SS, 1, [Fields in struct sockaddr_storage]) +fi + +AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], + ac_cv_have___ss_family_in_struct_ss, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; s.__ss_family = 1; ], + [ ac_cv_have___ss_family_in_struct_ss="yes" ], + [ ac_cv_have___ss_family_in_struct_ss="no" ] + ) +]) +if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE(HAVE___SS_FAMILY_IN_SS, 1, + [Fields in struct sockaddr_storage]) +fi + +AC_CACHE_CHECK([for pw_class field in struct passwd], + ac_cv_have_pw_class_in_struct_passwd, [ + AC_TRY_COMPILE( + [ +#include + ], + [ struct passwd p; p.pw_class = 0; ], + [ ac_cv_have_pw_class_in_struct_passwd="yes" ], + [ ac_cv_have_pw_class_in_struct_passwd="no" ] + ) +]) +if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then + AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD, 1, + [Define if your password has a pw_class field]) +fi + +AC_CACHE_CHECK([for pw_expire field in struct passwd], + ac_cv_have_pw_expire_in_struct_passwd, [ + AC_TRY_COMPILE( + [ +#include + ], + [ struct passwd p; p.pw_expire = 0; ], + [ ac_cv_have_pw_expire_in_struct_passwd="yes" ], + [ ac_cv_have_pw_expire_in_struct_passwd="no" ] + ) +]) +if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then + AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD, 1, + [Define if your password has a pw_expire field]) +fi + +AC_CACHE_CHECK([for pw_change field in struct passwd], + ac_cv_have_pw_change_in_struct_passwd, [ + AC_TRY_COMPILE( + [ +#include + ], + [ struct passwd p; p.pw_change = 0; ], + [ ac_cv_have_pw_change_in_struct_passwd="yes" ], + [ ac_cv_have_pw_change_in_struct_passwd="no" ] + ) +]) +if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then + AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD, 1, + [Define if your password has a pw_change field]) +fi + +dnl make sure we're using the real structure members and not defines +AC_CACHE_CHECK([for msg_accrights field in struct msghdr], + ac_cv_have_accrights_in_msghdr, [ + AC_COMPILE_IFELSE( + [ +#include +#include +#include +int main() { +#ifdef msg_accrights +#error "msg_accrights is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_accrights = 0; +exit(0); +} + ], + [ ac_cv_have_accrights_in_msghdr="yes" ], + [ ac_cv_have_accrights_in_msghdr="no" ] + ) +]) +if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then + AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR, 1, + [Define if your system uses access rights style + file descriptor passing]) +fi + +AC_CACHE_CHECK([for msg_control field in struct msghdr], + ac_cv_have_control_in_msghdr, [ + AC_COMPILE_IFELSE( + [ +#include +#include +#include +int main() { +#ifdef msg_control +#error "msg_control is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_control = 0; +exit(0); +} + ], + [ ac_cv_have_control_in_msghdr="yes" ], + [ ac_cv_have_control_in_msghdr="no" ] + ) +]) +if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then + AC_DEFINE(HAVE_CONTROL_IN_MSGHDR, 1, + [Define if your system uses ancillary data style + file descriptor passing]) +fi + +AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ + AC_TRY_LINK([], + [ extern char *__progname; printf("%s", __progname); ], + [ ac_cv_libc_defines___progname="yes" ], + [ ac_cv_libc_defines___progname="no" ] + ) +]) +if test "x$ac_cv_libc_defines___progname" = "xyes" ; then + AC_DEFINE(HAVE___PROGNAME, 1, [Define if libc defines __progname]) +fi + +AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ + AC_TRY_LINK([ +#include +], + [ printf("%s", __FUNCTION__); ], + [ ac_cv_cc_implements___FUNCTION__="yes" ], + [ ac_cv_cc_implements___FUNCTION__="no" ] + ) +]) +if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then + AC_DEFINE(HAVE___FUNCTION__, 1, + [Define if compiler implements __FUNCTION__]) +fi + +AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [ + AC_TRY_LINK([ +#include +], + [ printf("%s", __func__); ], + [ ac_cv_cc_implements___func__="yes" ], + [ ac_cv_cc_implements___func__="no" ] + ) +]) +if test "x$ac_cv_cc_implements___func__" = "xyes" ; then + AC_DEFINE(HAVE___func__, 1, [Define if compiler implements __func__]) +fi + +AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [ + AC_TRY_LINK( + [#include + va_list x,y;], + [va_copy(x,y);], + [ ac_cv_have_va_copy="yes" ], + [ ac_cv_have_va_copy="no" ] + ) +]) +if test "x$ac_cv_have_va_copy" = "xyes" ; then + AC_DEFINE(HAVE_VA_COPY, 1, [Define if va_copy exists]) +fi + +AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [ + AC_TRY_LINK( + [#include + va_list x,y;], + [__va_copy(x,y);], + [ ac_cv_have___va_copy="yes" ], + [ ac_cv_have___va_copy="no" ] + ) +]) +if test "x$ac_cv_have___va_copy" = "xyes" ; then + AC_DEFINE(HAVE___VA_COPY, 1, [Define if __va_copy exists]) +fi + +AC_CACHE_CHECK([whether getopt has optreset support], + ac_cv_have_getopt_optreset, [ + AC_TRY_LINK( + [ +#include + ], + [ extern int optreset; optreset = 0; ], + [ ac_cv_have_getopt_optreset="yes" ], + [ ac_cv_have_getopt_optreset="no" ] + ) +]) +if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then + AC_DEFINE(HAVE_GETOPT_OPTRESET, 1, + [Define if your getopt(3) defines and uses optreset]) +fi + +AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ + AC_TRY_LINK([], + [ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);], + [ ac_cv_libc_defines_sys_errlist="yes" ], + [ ac_cv_libc_defines_sys_errlist="no" ] + ) +]) +if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then + AC_DEFINE(HAVE_SYS_ERRLIST, 1, + [Define if your system defines sys_errlist[]]) +fi + + +AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [ + AC_TRY_LINK([], + [ extern int sys_nerr; printf("%i", sys_nerr);], + [ ac_cv_libc_defines_sys_nerr="yes" ], + [ ac_cv_libc_defines_sys_nerr="no" ] + ) +]) +if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then + AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr]) +fi + +SCARD_MSG="no" +# Check whether user wants sectok support +AC_ARG_WITH(sectok, + [ --with-sectok Enable smartcard support using libsectok], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}" + LDFLAGS="$LDFLAGS -L${withval}" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}" + fi + fi + AC_CHECK_HEADERS(sectok.h) + if test "$ac_cv_header_sectok_h" != yes; then + AC_MSG_ERROR(Can't find sectok.h) + fi + AC_CHECK_LIB(sectok, sectok_open) + if test "$ac_cv_lib_sectok_sectok_open" != yes; then + AC_MSG_ERROR(Can't find libsectok) + fi + AC_DEFINE(SMARTCARD, 1, + [Define if you want smartcard support]) + AC_DEFINE(USE_SECTOK, 1, + [Define if you want smartcard support + using sectok]) + SCARD_MSG="yes, using sectok" + fi + ] +) + +# Check whether user wants OpenSC support +OPENSC_CONFIG="no" +AC_ARG_WITH(opensc, + [ --with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes" ; then + OPENSC_CONFIG=$withval/bin/opensc-config + else + AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) + fi + if test "$OPENSC_CONFIG" != "no"; then + LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` + LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` + CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" + LIBS="$LIBS $LIBOPENSC_LIBS" + AC_DEFINE(SMARTCARD) + AC_DEFINE(USE_OPENSC, 1, + [Define if you want smartcard support + using OpenSC]) + SCARD_MSG="yes, using OpenSC" + fi + fi + ] +) + +# Check libraries needed by DNS fingerprint support +AC_SEARCH_LIBS(getrrsetbyname, resolv, + [AC_DEFINE(HAVE_GETRRSETBYNAME, 1, + [Define if getrrsetbyname() exists])], + [ + # Needed by our getrrsetbyname() + AC_SEARCH_LIBS(res_query, resolv) + AC_SEARCH_LIBS(dn_expand, resolv) + AC_MSG_CHECKING(if res_query will link) + AC_TRY_LINK_FUNC(res_query, AC_MSG_RESULT(yes), + [AC_MSG_RESULT(no) + saved_LIBS="$LIBS" + LIBS="$LIBS -lresolv" + AC_MSG_CHECKING(for res_query in -lresolv) + AC_LINK_IFELSE([ +#include +int main() +{ + res_query (0, 0, 0, 0, 0); + return 0; +} + ], + [LIBS="$LIBS -lresolv" + AC_MSG_RESULT(yes)], + [LIBS="$saved_LIBS" + AC_MSG_RESULT(no)]) + ]) + AC_CHECK_FUNCS(_getshort _getlong) + AC_CHECK_DECLS([_getshort, _getlong], , , + [#include + #include ]) + AC_CHECK_MEMBER(HEADER.ad, + [AC_DEFINE(HAVE_HEADER_AD, 1, + [Define if HEADER.ad exists in arpa/nameser.h])],, + [#include ]) + ]) + +AC_MSG_CHECKING(if struct __res_state _res is an extern) +AC_LINK_IFELSE([ +#include +#if HAVE_SYS_TYPES_H +# include +#endif +#include +#include +#include +extern struct __res_state _res; +int main() { return 0; } + ], + [AC_MSG_RESULT(yes) + AC_DEFINE(HAVE__RES_EXTERN, 1, + [Define if you have struct __res_state _res as an extern]) + ], + [ AC_MSG_RESULT(no) ] +) + +# Check whether user wants SELinux support +SELINUX_MSG="no" +LIBSELINUX="" +AC_ARG_WITH(selinux, + [ --with-selinux Enable SELinux support], + [ if test "x$withval" != "xno" ; then + save_LIBS="$LIBS" + AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) + SELINUX_MSG="yes" + AC_CHECK_HEADER([selinux/selinux.h], , + AC_MSG_ERROR(SELinux support requires selinux.h header)) + AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], + AC_MSG_ERROR(SELinux support requires libselinux library)) + SSHDLIBS="$SSHDLIBS $LIBSELINUX" + AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + LIBS="$save_LIBS" + fi ] +) + +# Check whether user wants Kerberos 5 support +KRB5_MSG="no" +AC_ARG_WITH(kerberos5, + [ --with-kerberos5=PATH Enable Kerberos 5 support], + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi + + AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support]) + KRB5_MSG="yes" + + AC_MSG_CHECKING(for krb5-config) + if test -x $KRB5ROOT/bin/krb5-config ; then + KRB5CONF=$KRB5ROOT/bin/krb5-config + AC_MSG_RESULT($KRB5CONF) + + AC_MSG_CHECKING(for gssapi support) + if $KRB5CONF | grep gssapi >/dev/null ; then + AC_MSG_RESULT(yes) + AC_DEFINE(GSSAPI, 1, + [Define this if you want GSSAPI + support in the version 2 protocol]) + k5confopts=gssapi + else + AC_MSG_RESULT(no) + k5confopts="" + fi + K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" + K5LIBS="`$KRB5CONF --libs $k5confopts`" + CPPFLAGS="$CPPFLAGS $K5CFLAGS" + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL, 1, + [Define this if you are using the + Heimdal version of Kerberos V5]) ], + AC_MSG_RESULT(no) + ) + else + AC_MSG_RESULT(no) + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" + LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL) + K5LIBS="-lkrb5 -ldes" + K5LIBS="$K5LIBS -lcom_err -lasn1" + AC_CHECK_LIB(roken, net_write, + [K5LIBS="$K5LIBS -lroken"]) + ], + [ AC_MSG_RESULT(no) + K5LIBS="-lkrb5 -lk5crypto -lcom_err" + ] + ) + AC_SEARCH_LIBS(dn_expand, resolv) + + AC_CHECK_LIB(gssapi,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], + $K5LIBS) + + AC_CHECK_HEADER(gssapi.h, , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS(gssapi.h, , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER(gssapi_krb5.h, , + [ CPPFLAGS="$oldCPP" ]) + + fi + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi + + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) + AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) + + LIBS="$LIBS $K5LIBS" + AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS, 1, + [Define this if you want to use libkafs' AFS support])) + fi + ] +) + +# Looking for programs, paths and files + +PRIVSEP_PATH=/var/empty +AC_ARG_WITH(privsep-path, + [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + PRIVSEP_PATH=$withval + fi + ] +) +AC_SUBST(PRIVSEP_PATH) + +AC_ARG_WITH(xauth, + [ --with-xauth=PATH Specify path to xauth program ], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + xauth_path=$withval + fi + ], + [ + TestPath="$PATH" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin" + AC_PATH_PROG(xauth_path, xauth, , $TestPath) + if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then + xauth_path="/usr/openwin/bin/xauth" + fi + ] +) + +STRIP_OPT=-s +AC_ARG_ENABLE(strip, + [ --disable-strip Disable calling strip(1) on install], + [ + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + ] +) +AC_SUBST(STRIP_OPT) + +if test -z "$xauth_path" ; then + XAUTH_PATH="undefined" + AC_SUBST(XAUTH_PATH) +else + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path", + [Define if xauth is found in your path]) + XAUTH_PATH=$xauth_path + AC_SUBST(XAUTH_PATH) +fi + +# Check for mail directory (last resort if we cannot get it from headers) +if test ! -z "$MAIL" ; then + maildir=`dirname $MAIL` + AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir", + [Set this to your mail directory if you don't have maillock.h]) +fi + +if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +fi +if test -z "$no_dev_ptmx" ; then + if test "x$disable_ptmx_check" != "xyes" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX, 1, + [Define if you have /dev/ptmx]) + have_dev_ptmx=1 + ] + ) + fi +fi + +if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then + AC_CHECK_FILE("/dev/ptc", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC, 1, + [Define if you have /dev/ptc]) + have_dev_ptc=1 + ] + ) +else + AC_MSG_WARN([cross compiling: Disabling /dev/ptc test]) +fi + +# Options from here on. Some of these are preset by platform above +AC_ARG_WITH(mantype, + [ --with-mantype=man|cat|doc Set man page type], + [ + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + AC_MSG_ERROR(invalid man type: $withval) + ;; + esac + ] +) +if test -z "$MANTYPE"; then + TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb" + AC_PATH_PROGS(NROFF, nroff awf, /bin/false, $TestPath) + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi +AC_SUBST(MANTYPE) +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi +AC_SUBST(mansubdir) + +# Check whether to enable MD5 passwords +MD5_MSG="no" +AC_ARG_WITH(md5-passwords, + [ --with-md5-passwords Enable use of MD5 passwords], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(HAVE_MD5_PASSWORDS, 1, + [Define if you want to allow MD5 passwords]) + MD5_MSG="yes" + fi + ] +) + +# Whether to disable shadow password support +AC_ARG_WITH(shadow, + [ --without-shadow Disable shadow password support], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_SHADOW) + disable_shadow=yes + fi + ] +) + +if test -z "$disable_shadow" ; then + AC_MSG_CHECKING([if the systems has expire shadow information]) + AC_TRY_COMPILE( + [ +#include +#include + struct spwd sp; + ],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ], + [ sp_expire_available=yes ], [] + ) + + if test "x$sp_expire_available" = "xyes" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAS_SHADOW_EXPIRE, 1, + [Define if you want to use shadow password expire field]) + else + AC_MSG_RESULT(no) + fi +fi + +# Use ip address instead of hostname in $DISPLAY +if test ! -z "$IPADDR_IN_DISPLAY" ; then + DISPLAY_HACK_MSG="yes" + AC_DEFINE(IPADDR_IN_DISPLAY, 1, + [Define if you need to use IP address + instead of hostname in $DISPLAY]) +else + DISPLAY_HACK_MSG="no" + AC_ARG_WITH(ipaddr-display, + [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(IPADDR_IN_DISPLAY) + DISPLAY_HACK_MSG="yes" + fi + ] + ) +fi + +# check for /etc/default/login and use it if present. +AC_ARG_ENABLE(etc-default-login, + [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]], + [ if test "x$enableval" = "xno"; then + AC_MSG_NOTICE([/etc/default/login handling disabled]) + etc_default_login=no + else + etc_default_login=yes + fi ], + [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; + then + AC_MSG_WARN([cross compiling: not checking /etc/default/login]) + etc_default_login=no + else + etc_default_login=yes + fi ] +) + +if test "x$etc_default_login" != "xno"; then + AC_CHECK_FILE("/etc/default/login", + [ external_path_file=/etc/default/login ]) + if test "x$external_path_file" = "x/etc/default/login"; then + AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN, 1, + [Define if your system has /etc/default/login]) + fi +fi + +dnl BSD systems use /etc/login.conf so --with-default-path= has no effect +if test $ac_cv_func_login_getcapbool = "yes" && \ + test $ac_cv_header_login_cap_h = "yes" ; then + external_path_file=/etc/login.conf +fi + +# Whether to mess with the default path +SERVER_PATH_MSG="(default)" +AC_ARG_WITH(default-path, + [ --with-default-path= Specify default \$PATH environment for server], + [ + if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([ +--with-default-path=PATH has no effect on this system. +Edit /etc/login.conf instead.]) + elif test "x$withval" != "xno" ; then + if test ! -z "$external_path_file" ; then + AC_MSG_WARN([ +--with-default-path=PATH will only be used if PATH is not defined in +$external_path_file .]) + fi + user_path="$withval" + SERVER_PATH_MSG="$withval" + fi + ], + [ if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) + else + if test ! -z "$external_path_file" ; then + AC_MSG_WARN([ +If PATH is defined in $external_path_file, ensure the path to scp is included, +otherwise scp will not work.]) + fi + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +/* find out what STDPATH is */ +#include +#ifdef HAVE_PATHS_H +# include +#endif +#ifndef _PATH_STDPATH +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif +#endif +#include +#include +#include +#define DATA "conftest.stdpath" + +main() +{ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) + exit(1); + + exit(0); +} + ]])], + [ user_path=`cat conftest.stdpath` ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] + ) +# make sure $bindir is in USER_PATH so scp will work + t_bindir=`eval echo ${bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + user_path=$user_path:$t_bindir + AC_MSG_RESULT(Adding $t_bindir to USER_PATH so scp will work) + fi + fi + fi ] +) +if test "x$external_path_file" != "x/etc/login.conf" ; then + AC_DEFINE_UNQUOTED(USER_PATH, "$user_path", [Specify default $PATH]) + AC_SUBST(user_path) +fi + +# Set superuser path separately to user path +AC_ARG_WITH(superuser-path, + [ --with-superuser-path= Specify different path for super-user], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval", + [Define if you want a different $PATH + for the superuser]) + superuser_path=$withval + fi + ] +) + + +AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) +IPV4_IN6_HACK_MSG="no" +AC_ARG_WITH(4in6, + [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(IPV4_IN_IPV6, 1, + [Detect IPv4 in IPv6 mapped addresses + and treat as IPv4]) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT(no) + fi + ],[ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + AC_DEFINE(IPV4_IN_IPV6) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT([no (default)]) + fi + ] +) + +# Whether to enable BSD auth support +BSD_AUTH_MSG=no +AC_ARG_WITH(bsd-auth, + [ --with-bsd-auth Enable BSD auth support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(BSD_AUTH, 1, + [Define if you have BSD auth support]) + BSD_AUTH_MSG=yes + fi + ] +) + +# X.509 support +ssh_x509="yes" +# Reserved for future use +#AC_DEFINE_UNQUOTED( +# X509_DISABLED, 1, +# [Define if you want to disable X.509 certificates]) + +# Where to place ssh CA root +sshcadir='${sysconfdir}/ca' +sshcadir=`eval echo ${sshcadir}` +sshcadir=`eval echo ${sshcadir}` +case $sshcadir in + NONE/*) sshcadir=`echo $sshcadir | sed "s~NONE~$ac_default_prefix~"` ;; +esac + +AC_ARG_WITH(sshca-dir, + [ --with-sshca-dir=PATH Specify location of ssh CA root], + [ + if test "x$withval" != "xno" ; then + sshcadir=$withval + fi + ] +) + +AC_DEFINE_UNQUOTED(SSHCADIR, "$sshcadir", [Specify location of ssh CA root]) +AC_SUBST(sshcadir) + + +ssh_x509store="yes" +AC_ARG_ENABLE(x509store, + [ --disable-x509store Disable X.509 store], + [ + if test "x$enableval" = "xno"; then + ssh_x509store="no" + fi + ] +) +if test "x$ssh_x509store" = "xno"; then + AC_DEFINE_UNQUOTED( + SSH_X509STORE_DISABLED, 1, + [Define if you don't want to verify certificates]) +fi + + +# enable/disable OCSP requests +AC_ARG_ENABLE(ocsp, + [ --disable-ocsp Disable OCSP validation], + [ + if test "x$enableval" = "xyes"; then + if test "x$ssh_x509store" != "xyes"; then + AC_MSG_ERROR([cannot enable OCSP when x509store is disabled]) + fi + ssh_ocsp="yes" + else + ssh_ocsp="no" + fi + ], + [ + if test "x$ssh_x509store" = "xyes"; then + ssh_ocsp="yes" + else + ssh_ocsp="no" + AC_MSG_NOTICE([x509store is disabled - skiping OCSP]) + fi + ]) +if test "x$ssh_ocsp" = "xyes"; then + AC_CHECK_FUNCS(OCSP_sendreq_bio, + [ + AC_CHECK_HEADER(openssl/ocsp.h, + [], + [ + ssh_ocsp="no" + AC_MSG_ERROR([OCSP header not found]) + ]) + ], + [ + ssh_ocsp="no" + AC_MSG_WARN([Cannot find OCSP functions - OCSP is disabled]) + ]) +fi +if test "x$ssh_ocsp" = "xyes"; then + AC_DEFINE_UNQUOTED( + SSH_OCSP_ENABLED, 1, + [Define if you don't want to validate X.509 certificates with OCSP]) + OCSP_ON='' + OCSP_OFF='#' +else + OCSP_ON='#' + OCSP_OFF='' +fi +AC_SUBST(OCSP_ON) +AC_SUBST(OCSP_OFF) + + +# enable LDAP queries +LDAP_MSG="no" +if test "x$ssh_x509store" = "xyes"; then + AC_WITH_LDAP + if test "x$LDAP_ON" = "x"; then + LDAP_MSG="yes" + fi + AC_LDAP_FUNCS([\ + ldap_initialize \ + ldap_parse_result \ + ldap_sasl_bind_s \ + ldap_search_ext_s \ + ]) +else + AC_MSG_NOTICE([x509store is disabled - skiping LDAP]) +fi + + +ssh_x509dn_email="yes" +if test "x$ssh_x509store" = "xyes"; then + # Check for Email in X.509 'Distinguished Name' + AC_MSG_CHECKING([for Email in X.509 'Distinguished Name']) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include + +int main(void) { + int nid; + nid = OBJ_txt2nid("Email"); + if (nid == NID_undef) + exit (1); + exit (0); + return (0); +} + ])], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + ssh_x509dn_email="no" + ], + [ + AC_MSG_WARN([cross compiling: assuming no]) + ssh_x509dn_email="no" + ] +) + # Check for the existence of "X509_VERIFY_PARAM *param" + AC_CHECK_MEMBERS([X509_STORE_CTX.param],,,[#include ]) +fi +if test "x$ssh_x509dn_email" = "xno"; then + AC_DEFINE_UNQUOTED( + SSH_OPENSSL_DN_WITHOUT_EMAIL, 1, + [Define if your openssl library don't support Email in X.509 'Distinguished Name']) +fi + +# Check for the existence of "EVP_MD members" +AC_CHECK_MEMBERS([EVP_MD.flags],,,[#include ]) +AC_CHECK_MEMBERS([EVP_MD.copy],,,[#include ]) +AC_CHECK_MEMBERS([EVP_MD.cleanup],,,[#include ]) +AC_CHECK_MEMBERS([EVP_MD_CTX.md_data],,,[#include ]) + +# Where to place sshd.pid +piddir=/var/run +# make sure the directory exists +if test ! -d $piddir ; then + piddir=`eval echo ${sysconfdir}` + case $piddir in + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + esac +fi + +AC_ARG_WITH(pid-dir, + [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + piddir=$withval + if test ! -d $piddir ; then + AC_MSG_WARN([** no $piddir directory on this system **]) + fi + fi + ] +) + +AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir", [Specify location of ssh.pid]) +AC_SUBST(piddir) + +dnl allow user to disable some login recording features +AC_ARG_ENABLE(lastlog, + [ --disable-lastlog disable use of lastlog even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + fi + ] +) +AC_ARG_ENABLE(utmp, + [ --disable-utmp disable use of utmp even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_UTMP) + fi + ] +) +AC_ARG_ENABLE(utmpx, + [ --disable-utmpx disable use of utmpx even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_UTMPX, 1, + [Define if you don't want to use utmpx]) + fi + ] +) +AC_ARG_ENABLE(wtmp, + [ --disable-wtmp disable use of wtmp even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_WTMP) + fi + ] +) +AC_ARG_ENABLE(wtmpx, + [ --disable-wtmpx disable use of wtmpx even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_WTMPX, 1, + [Define if you don't want to use wtmpx]) + fi + ] +) +AC_ARG_ENABLE(libutil, + [ --disable-libutil disable use of libutil (login() etc.) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_LOGIN) + fi + ] +) +AC_ARG_ENABLE(pututline, + [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_PUTUTLINE, 1, + [Define if you don't want to use pututline() + etc. to write [uw]tmp]) + fi + ] +) +AC_ARG_ENABLE(pututxline, + [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_PUTUTXLINE, 1, + [Define if you don't want to use pututxline() + etc. to write [uw]tmpx]) + fi + ] +) +AC_ARG_WITH(lastlog, + [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + elif test -n "$withval" && test "x${withval}" != "xyes"; then + conf_lastlog_location=$withval + fi + ] +) + +dnl lastlog, [uw]tmpx? detection +dnl NOTE: set the paths in the platform section to avoid the +dnl need for command-line parameters +dnl lastlog and [uw]tmp are subject to a file search if all else fails + +dnl lastlog detection +dnl NOTE: the code itself will detect if lastlog is a directory +AC_MSG_CHECKING([if your system defines LASTLOG_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + ], + [ char *lastlog = LASTLOG_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + AC_MSG_CHECKING([if your system defines _PATH_LASTLOG]) + AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *lastlog = _PATH_LASTLOG; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + system_lastlog_path=no + ]) + ] +) + +if test -z "$conf_lastlog_location"; then + if test x"$system_lastlog_path" = x"no" ; then + for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if (test -d "$f" || test -f "$f") ; then + conf_lastlog_location=$f + fi + done + if test -z "$conf_lastlog_location"; then + AC_MSG_WARN([** Cannot find lastlog **]) + dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx + fi + fi +fi + +if test -n "$conf_lastlog_location"; then + AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", + [Define if you want to specify the path to your lastlog file]) +fi + +dnl utmp detection +AC_MSG_CHECKING([if your system defines UTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmp = UTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmp_path=no ] +) +if test -z "$conf_utmp_location"; then + if test x"$system_utmp_path" = x"no" ; then + for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do + if test -f $f ; then + conf_utmp_location=$f + fi + done + if test -z "$conf_utmp_location"; then + AC_DEFINE(DISABLE_UTMP) + fi + fi +fi +if test -n "$conf_utmp_location"; then + AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", + [Define if you want to specify the path to your utmp file]) +fi + +dnl wtmp detection +AC_MSG_CHECKING([if your system defines WTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmp = WTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmp_path=no ] +) +if test -z "$conf_wtmp_location"; then + if test x"$system_wtmp_path" = x"no" ; then + for f in /usr/adm/wtmp /var/log/wtmp; do + if test -f $f ; then + conf_wtmp_location=$f + fi + done + if test -z "$conf_wtmp_location"; then + AC_DEFINE(DISABLE_WTMP) + fi + fi +fi +if test -n "$conf_wtmp_location"; then + AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", + [Define if you want to specify the path to your wtmp file]) +fi + + +dnl utmpx detection - I don't know any system so perverse as to require +dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out +dnl there, though. +AC_MSG_CHECKING([if your system defines UTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmpx = UTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmpx_path=no ] +) +if test -z "$conf_utmpx_location"; then + if test x"$system_utmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_UTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", + [Define if you want to specify the path to your utmpx file]) +fi + +dnl wtmpx detection +AC_MSG_CHECKING([if your system defines WTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmpx = WTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmpx_path=no ] +) +if test -z "$conf_wtmpx_location"; then + if test x"$system_wtmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_WTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", + [Define if you want to specify the path to your wtmpx file]) +fi + + +if test ! -z "$blibpath" ; then + LDFLAGS="$LDFLAGS $blibflags$blibpath" + AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) +fi + +dnl Adding -Werror to CFLAGS early prevents configure tests from running. +dnl Add now. +CFLAGS="$CFLAGS $werror_flags" + +AC_EXEEXT +AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ + openbsd-compat/Makefile openbsd-compat/regress/Makefile \ + scard/Makefile ssh_prng_cmds survey.sh \ + tests/CA/Makefile tests/CA/env]) +AC_OUTPUT + +# Print summary of options + +# Someone please show me a better way :) +A=`eval echo ${prefix}` ; A=`eval echo ${A}` +B=`eval echo ${bindir}` ; B=`eval echo ${B}` +C=`eval echo ${sbindir}` ; C=`eval echo ${C}` +D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` +E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` +F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` +G=`eval echo ${piddir}` ; G=`eval echo ${G}` +H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}` +I=`eval echo ${user_path}` ; I=`eval echo ${I}` +J=`eval echo ${superuser_path}` ; J=`eval echo ${J}` + +echo "" +echo "OpenSSH has been configured with the following options:" +echo " User binaries: $B" +echo " System binaries: $C" +echo " Configuration files: $D" +echo " CA root: $sshcadir" +echo " Askpass program: $E" +echo " Manual pages: $F" +echo " PID file: $G" +echo " Privilege separation chroot path: $H" +if test "x$external_path_file" = "x/etc/login.conf" ; then +echo " At runtime, sshd will use the path defined in $external_path_file" +echo " Make sure the path to scp is present, otherwise scp will not work" +else +echo " sshd default user PATH: $I" + if test ! -z "$external_path_file"; then +echo " (If PATH is set in $external_path_file it will be used instead. If" +echo " used, ensure the path to scp is present, otherwise scp will not work.)" + fi +fi +if test ! -z "$superuser_path" ; then +echo " sshd superuser user PATH: $J" +fi +echo " Manpage format: $MANTYPE" +echo " PAM support: $PAM_MSG" +echo " OSF SIA support: $SIA_MSG" +echo " KerberosV support: $KRB5_MSG" +echo " SELinux support: $SELINUX_MSG" +echo " Smartcard support: $SCARD_MSG" +echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" +echo " MD5 password support: $MD5_MSG" +echo " X.509 store support: $ssh_x509store" +echo " OCSP support: $ssh_ocsp" +echo " LDAP queries: $LDAP_MSG" +echo " libedit support: $LIBEDIT_MSG" +echo " Solaris process contract support: $SPC_MSG" +echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" +echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +echo " BSD Auth support: $BSD_AUTH_MSG" +echo " Random number source: $RAND_MSG" +if test ! -z "$USE_RAND_HELPER" ; then +echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" +fi + +echo "" + +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo "Preprocessor flags: ${CPPFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBS}" +if test ! -z "${SSHDLIBS}"; then +echo " +for sshd: ${SSHDLIBS}" +fi + +echo "" + +if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then + echo "SVR4 style packages are supported with \"make package\"" + echo "" +fi + +if test "x$LDAP_MSG" = "xyes" ; then +echo "Extra LDAP flags:" +echo " LDAP compiler flags: ${LDAP_CFLAGS}" +echo "LDAP preprocessor flags: ${LDAP_CPPFLAGS}" +echo " LDAP linker flags: ${LDAP_LDFLAGS}" +echo " LDAP libraries: ${LDAP_LIBS}" +echo "" +echo "LDAP paths(used only in tests):" +echo " LDAP sysconfig dir: ${LDAP_SYSCONFDIR}" +echo " LDAP libexec dir: ${LDAP_LIBEXECDIR}" +echo " LDAP bin dir: ${LDAP_BINDIR}" +echo "" +fi + +if test "x$PAM_MSG" = "xyes" ; then + echo "PAM is enabled. You may need to install a PAM control file " + echo "for sshd, otherwise password authentication may fail. " + echo "Example PAM control files can be found in the contrib/ " + echo "subdirectory" + echo "" +fi + +if test ! -z "$RAND_HELPER_CMDHASH" ; then + echo "WARNING: you are using the builtin random number collection " + echo "service. Please read WARNING.RNG and request that your OS " + echo "vendor includes kernel-based random number collection in " + echo "future versions of your OS." + echo "" +fi + +if test ! -z "$NO_PEERCHECK" ; then + echo "WARNING: the operating system that you are using does not" + echo "appear to support getpeereid(), getpeerucred() or the" + echo "SO_PEERCRED getsockopt() option. These facilities are used to" + echo "enforce security checks to prevent unauthorised connections to" + echo "ssh-agent. Their absence increases the risk that a malicious" + echo "user can connect to your agent." + echo "" +fi + +if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." +fi diff -ruN openssh-4.7p1+x509-6.0.1/m4/ldap.m4 openssh-4.7p1+x509-6.1/m4/ldap.m4 --- openssh-4.7p1+x509-6.0.1/m4/ldap.m4 2005-07-19 23:11:01.000000000 +0300 +++ openssh-4.7p1+x509-6.1/m4/ldap.m4 2007-10-22 23:05:29.000000000 +0300 @@ -1,7 +1,7 @@ # Options to build with LDAP # # Author: Roumen Petrov -# Revision: 19 Jul 2005 +# Revision: 22 Oct 2007 # dnl The variables provided are : dnl - build flags: @@ -16,7 +16,7 @@ dnl LDAP_LIBEXECDIR dnl LDAP_SYSCONFDIR -AC_DEFUN(AC_WITH_LDAP, +AC_DEFUN([AC_WITH_LDAP], [ dnl dnl Get the ldap paths @@ -192,3 +192,26 @@ AC_SUBST(LDAP_ON) AC_SUBST(LDAP_OFF) ]) + + +# AC_LDAP_FUNCS(FUNCTION...) +# -------------------------------- +AC_DEFUN([AC_LDAP_FUNCS], +[ +dnl +dnl Check ldap functions +dnl +AC_REQUIRE([AC_WITH_LDAP]) +if test "x$ac_ldap" = "xyes"; then + ac_save_CPPFLAGS="$CPPFLAGS" + ac_save_LDFLAGS="$LDFLAGS" + ac_save_LIBS="$LIBS" + CPPFLAGS="$CPPFLAGS $LDAP_CPPFLAGS" + LDFLAGS="$LDFLAGS $LDAP_LDFLAGS" + LIBS="$LDAP_LIBS $LIBS" + AC_CHECK_FUNCS([$1],[],[]) + LIBS="$ac_save_LIBS" + LDFLAGS="$ac_save_LDFLAGS" + CPPFLAGS="$ac_save_CPPFLAGS" +fi +]) diff -ruN openssh-4.7p1+x509-6.0.1/README.x509v3 openssh-4.7p1+x509-6.1/README.x509v3 --- openssh-4.7p1+x509-6.0.1/README.x509v3 2006-04-26 00:16:07.000000000 +0300 +++ openssh-4.7p1+x509-6.1/README.x509v3 2007-10-24 00:53:39.000000000 +0300 @@ -1,6 +1,6 @@ Roumen Petrov Sofia, Bulgaria - Wed Apr 12 2006 + Wed Oct 24 2007 How to use X.509 certificates with OpenSSH? @@ -112,11 +112,18 @@ - WORDDN is case insensitive ! - is like output from command: -$ openssl x509 -noout -subject -in A_CERTIFICATE_FILE +$ openssl x509 -noout -subject -in A_CERTIFICATE_FILE -nameopt oneline - can be in RFC2253 format like output from command: $ openssl x509 -noout -subject -in A_CERTIFICATE_FILE -nameopt RFC2253 +IMPORTANT NOTE (if a distinguished name contain non-ascii character): +- for versions 6.+: + ALWAIS use "openssl x509" command option -nameopt ! + The parser don't and willn't support output without -nameopt +- for versions prior 6.0: + The program could'not parse subject. Use "blob" format (see below). + - Order of items in is not important and separator can be symbol "/", "," or mixed. All following subjects are equal: a)CN=dsa test certificate,OU=OpenSSH Testers,O=Test Team,ST=World,C=XX @@ -131,6 +138,7 @@ $ ( printf 'x509v3-sign-rsa '; openssl x509 -noout -subject \ -in A_OPENSSH_IDENTITY_FILE \ + -nameopt oneline \ ) >> $HOME/.ssh/authorized_keys - "blob" format: diff -ruN openssh-4.7p1+x509-6.0.1/scp.0 openssh-4.7p1+x509-6.1/scp.0 --- openssh-4.7p1+x509-6.0.1/scp.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/scp.0 2007-10-25 19:06:00.000000000 +0300 @@ -91,4 +91,4 @@ Timo Rinne Tatu Ylonen -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/sftp.0 openssh-4.7p1+x509-6.1/sftp.0 --- openssh-4.7p1+x509-6.0.1/sftp.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sftp.0 2007-10-25 19:06:00.000000000 +0300 @@ -213,4 +213,4 @@ T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/sftp-server.0 openssh-4.7p1+x509-6.1/sftp-server.0 --- openssh-4.7p1+x509-6.0.1/sftp-server.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sftp-server.0 2007-10-25 19:06:00.000000000 +0300 @@ -43,4 +43,4 @@ AUTHORS Markus Friedl -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh.0 openssh-4.7p1+x509-6.1/ssh.0 --- openssh-4.7p1+x509-6.0.1/ssh.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh.0 2007-10-25 19:06:00.000000000 +0300 @@ -824,4 +824,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh-add.0 openssh-4.7p1+x509-6.1/ssh-add.0 --- openssh-4.7p1+x509-6.0.1/ssh-add.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-add.0 2007-10-25 19:06:00.000000000 +0300 @@ -107,4 +107,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh-agent.0 openssh-4.7p1+x509-6.1/ssh-agent.0 --- openssh-4.7p1+x509-6.0.1/ssh-agent.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-agent.0 2007-10-25 19:06:00.000000000 +0300 @@ -119,4 +119,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh_config.0 openssh-4.7p1+x509-6.1/ssh_config.0 --- openssh-4.7p1+x509-6.0.1/ssh_config.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh_config.0 2007-10-25 19:06:00.000000000 +0300 @@ -56,9 +56,12 @@ The intended use for the X.509 server certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: - o 'sslserver' , 'SSL server' , 'SSL_server' or 'server' ; - o 'any' , 'Any Purpose' , 'Any_Purpose' or 'AnyPurpose' ; - o 'skip' or '' (empty): do not check purpose. + sslserver | SSL server | SSL_server | server + only SSL-server purpose + any | Any Purpose | Any_Purpose | AnyPurpose + allow any purpose + skip | '' (empty) + do not check purpose The default is ``sslserver''. BatchMode @@ -93,7 +96,9 @@ ``X509 store'' option: Specifies hostport and dn of LDAP URLs (Uniform Resource Locators) as detailed in RFC 2255. The rest of URL is build internally. Because of OpenSSH options parser limi- - tation use '%3D' instead of '=' ! + tation use '%3D' instead of '=' ! LDAP initialization method may + require URL to be escaped, i.e. use '%2C' instead of ',' (comma). + Escaped URL don't depend from LDAP initialization method. CARevocationFile ``X509 store'' option: This file contain multiple ``Certificate @@ -677,11 +682,11 @@ VAType Specifies whether 'Online Certificate Status Protocol' (OCSP) is used to validate X.509 certificates. Accepted values are case insensitive: - o 'none' : do not use OCSP to validate certificates; - o 'ocspcert' : validate only certificates that specify 'OCSP - Service Locator' URL; - o 'ocspspec' : use specified in the configuration 'OCSP - Responder' to validate all certificates. + none do not use OCSP to validate certificates; + ocspcert validate only certificates that specify 'OCSP + Service Locator' URL; + ocspspec use specified in the configuration 'OCSP + Responder' to validate all certificates. The default is ``none''. VAOCSPResponderURL @@ -771,4 +776,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh_config.5 openssh-4.7p1+x509-6.1/ssh_config.5 --- openssh-4.7p1+x509-6.0.1/ssh_config.5 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh_config.5 2007-10-25 19:06:00.000000000 +0300 @@ -128,31 +128,13 @@ The intended use for the X.509 server certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: -.Bl -bullet -compact -.It -.Sq sslserver -, -.Sq SSL server -, -.Sq SSL_server -or -.Sq server -; -.It -.Sq any -, -.Sq Any Purpose -, -.Sq Any_Purpose -or -.Sq AnyPurpose -; -.It -.Sq skip -or -.Sq -.. -(empty): do not check purpose. +.Bl -tag -width Ds -compact +.It Cm sslserver | Cm SSL server | Cm SSL_server | Cm server +only SSL-server purpose +.It Cm any | Cm Any Purpose | Cm Any_Purpose | Cm AnyPurpose +allow any purpose +.It Cm skip | Cm '' Li (empty) +do not check purpose .El The default is .Dq sslserver . @@ -206,6 +188,12 @@ instead of .Sq = ! +LDAP initialization method may require URL to be escaped, i.e. use +.Sq %2C +instead of +.Sq \&, +(comma). +Escaped URL don't depend from LDAP initialization method. .It Cm CARevocationFile .Dq X509 store option: @@ -1188,18 +1176,15 @@ .Sq "Online Certificate Status Protocol" (OCSP) is used to validate X.509 certificates. Accepted values are case insensitive: -.Bl -bullet -compact -.It -.Sq none -: do not use OCSP to validate certificates; -.It -.Sq ocspcert -: validate only certificates that specify +.Bl -tag -offset indent -compact +.It none +do not use OCSP to validate certificates; +.It ocspcert +validate only certificates that specify .Sq "OCSP Service Locator" URL; -.It -.Sq ocspspec -: use specified in the configuration +.It ocspspec +use specified in the configuration .Sq "OCSP Responder" to validate all certificates. .El diff -ruN openssh-4.7p1+x509-6.0.1/sshconnect.c openssh-4.7p1+x509-6.1/sshconnect.c --- openssh-4.7p1+x509-6.0.1/sshconnect.c 2007-09-05 19:06:01.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sshconnect.c 2007-10-25 19:06:01.000000000 +0300 @@ -13,7 +13,7 @@ * called by a name other than "ssh" or "Secure Shell". * * X.509 certificates support, - * Copyright (c) 2002-2005 Roumen Petrov. All rights reserved. + * Copyright (c) 2002-2007 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -748,8 +748,8 @@ if ((host_key->type == KEY_X509_RSA) || (host_key->type == KEY_X509_DSA)) { subject = x509key_subject(host_key); snprintf(extramsg, sizeof(extramsg), - "Distinguished name is %.*s.\n", - (int) X509_NAME_MAXLEN, subject); + "Distinguished name is '%s'.\n", + subject); } else { subject = NULL; *extramsg = '\0'; @@ -1112,8 +1112,7 @@ type, fp); if ((host_key->type == KEY_X509_RSA) || (host_key->type == KEY_X509_DSA)) { char *subject = x509key_subject(host_key); - error("Distinguished name sent by remote host is\n%.*s.", - (int) X509_NAME_MAXLEN, subject); + error("Distinguished name sent by remote host is '%s'.", subject); xfree(subject); } error("Please contact your system administrator."); diff -ruN openssh-4.7p1+x509-6.0.1/sshd.0 openssh-4.7p1+x509-6.1/sshd.0 --- openssh-4.7p1+x509-6.0.1/sshd.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sshd.0 2007-10-25 19:06:00.000000000 +0300 @@ -580,4 +580,4 @@ System security is not improved unless rshd, rlogind, and rexecd are dis- abled (thus completely disabling rlogin and rsh into the machine). -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/sshd_config openssh-4.7p1+x509-6.1/sshd_config --- openssh-4.7p1+x509-6.0.1/sshd_config 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sshd_config 2007-10-25 19:06:00.000000000 +0300 @@ -77,8 +77,11 @@ # Note because of OpenSSH options parser limitation # use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. # Example: -# CAldapURL ldap://localhost:389/dc%3Dexample,dc%3Dcom +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom # SSH can use "Online Certificate Status Protocol"(OCSP) # to validate certificate. Set VAType to diff -ruN openssh-4.7p1+x509-6.0.1/sshd_config.0 openssh-4.7p1+x509-6.1/sshd_config.0 --- openssh-4.7p1+x509-6.0.1/sshd_config.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sshd_config.0 2007-10-25 19:06:00.000000000 +0300 @@ -38,9 +38,12 @@ The intended use for the X.509 client certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: - o 'sslclient' , 'SSL client' , 'SSL_client' or 'client' ; - o 'any' , 'Any Purpose' , 'Any_Purpose' or 'AnyPurpose' ; - o 'skip' or '' (empty): do not check purpose. + sslclient | SSL client | SSL_client | client + only SSL-client purpose + any | Any Purpose | Any_Purpose | AnyPurpose + allow any purpose + skip | '' (empty) + do not check purpose The default is ``sslclient''. AllowGroups @@ -111,7 +114,10 @@ ``X509 store'' option: Specifies hostport and dn(distinguished name) of LDAP URLs (Uniform Resource Locators) as detailed in RFC 2255. The rest of URL is build internally. Because of OpenSSH - options parser limitation use '%3D' instead of '=' ! + options parser limitation use '%3D' instead of '=' ! LDAP ini- + tialization method may require URL to be escaped, i.e. use '%2C' + instead of ',' (comma). Escaped URL don't depend from LDAP ini- + tialization method. CARevocationFile ``X509 store'' option: This file contain multiple ``Certificate @@ -582,11 +588,11 @@ VAType Specifies whether 'Online Certificate Status Protocol' (OCSP) is used to validate X.509 certificates. Accepted values are case insensitive: - o 'none' : do not use OCSP to validate certificates; - o 'ocspcert' : validate only certificates that specify 'OCSP - Service Locator' URL; - o 'ocspspec' : use specified in the configuration 'OCSP - Responder' to validate all certificates. + none do not use OCSP to validate certificates; + ocspcert validate only certificates that specify 'OCSP + Service Locator' URL; + ocspspec use specified in the configuration 'OCSP + Responder' to validate all certificates. The default is ``none''. VAOCSPResponderURL @@ -708,4 +714,4 @@ for privilege separation. Roumen Petrov contributed support for X.509 certificates. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/sshd_config.5 openssh-4.7p1+x509-6.1/sshd_config.5 --- openssh-4.7p1+x509-6.0.1/sshd_config.5 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/sshd_config.5 2007-10-25 19:06:00.000000000 +0300 @@ -100,31 +100,13 @@ The intended use for the X.509 client certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: -.Bl -bullet -compact -.It -.Sq sslclient -, -.Sq SSL client -, -.Sq SSL_client -or -.Sq client -; -.It -.Sq any -, -.Sq Any Purpose -, -.Sq Any_Purpose -or -.Sq AnyPurpose -; -.It -.Sq skip -or -.Sq -.. -(empty): do not check purpose. +.Bl -tag -width Ds -compact +.It Cm sslclient | Cm SSL client | Cm SSL_client | Cm client +only SSL-client purpose +.It Cm any | Cm Any Purpose | Cm Any_Purpose | Cm AnyPurpose +allow any purpose +.It Cm skip | Cm '' Li (empty) +do not check purpose .El The default is .Dq sslclient . @@ -228,6 +210,12 @@ instead of .Sq = ! +LDAP initialization method may require URL to be escaped, i.e. use +.Sq %2C +instead of +.Sq \&, +(comma). +Escaped URL don't depend from LDAP initialization method. .It Cm CARevocationFile .Dq X509 store option: @@ -993,18 +981,15 @@ .Sq "Online Certificate Status Protocol" (OCSP) is used to validate X.509 certificates. Accepted values are case insensitive: -.Bl -bullet -compact -.It -.Sq none -: do not use OCSP to validate certificates; -.It -.Sq ocspcert -: validate only certificates that specify +.Bl -tag -offset indent -compact +.It none +do not use OCSP to validate certificates; +.It ocspcert +validate only certificates that specify .Sq "OCSP Service Locator" URL; -.It -.Sq ocspspec -: use specified in the configuration +.It ocspspec +use specified in the configuration .Sq "OCSP Responder" to validate all certificates. .El diff -ruN openssh-4.7p1+x509-6.0.1/ssh-keygen.0 openssh-4.7p1+x509-6.1/ssh-keygen.0 --- openssh-4.7p1+x509-6.0.1/ssh-keygen.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-keygen.0 2007-10-25 19:06:00.000000000 +0300 @@ -304,4 +304,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh-keyscan.0 openssh-4.7p1+x509-6.1/ssh-keyscan.0 --- openssh-4.7p1+x509-6.0.1/ssh-keyscan.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-keyscan.0 2007-10-25 19:06:00.000000000 +0300 @@ -111,4 +111,4 @@ This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh-keysign.0 openssh-4.7p1+x509-6.1/ssh-keysign.0 --- openssh-4.7p1+x509-6.0.1/ssh-keysign.0 2007-09-05 19:06:00.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-keysign.0 2007-10-25 19:06:00.000000000 +0300 @@ -41,4 +41,4 @@ AUTHORS Markus Friedl -BSD September 5, 2007 BSD +BSD October 27, 2007 BSD diff -ruN openssh-4.7p1+x509-6.0.1/ssh-ocsp.c openssh-4.7p1+x509-6.1/ssh-ocsp.c --- openssh-4.7p1+x509-6.0.1/ssh-ocsp.c 2006-09-01 23:38:21.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-ocsp.c 2007-10-04 23:12:47.000000000 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004-2006 Roumen Petrov. All rights reserved. + * Copyright (c) 2004-2007 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -315,8 +315,7 @@ error("ssh_ocspreq_addcert: sk_OCSP_CERTID_push fail"); return(0); } - subj = xmalloc(X509_NAME_MAXLEN); /*fatal on error*/ - X509_NAME_oneline(X509_get_subject_name(cert), subj, X509_NAME_MAXLEN); + subj = ssh_X509_NAME_oneline(X509_get_subject_name(cert)); /*fatal on error*/ if (!sk_push(subjs, subj)) { error("ssh_ocspreq_addcert: sk_push(..., subj) fail"); return(0); @@ -581,12 +580,11 @@ int k; logit("ssh_ocsp_get_basicresp: VA certs num=%d", sk_X509_num(vacrts)); for (k = 0; k < sk_X509_num(vacrts); k++) { - char buf[X509_NAME_MAXLEN]; + char *buf; X509 *x = sk_X509_value(vacrts, k); - X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf)); - logit("ssh_ocsp_get_basicresp: VA[%d] subject='%.*s'" - , k - , (int) sizeof(buf), buf); + buf = ssh_X509_NAME_oneline(X509_get_subject_name(x)); /*fatal on error*/ + logit("ssh_ocsp_get_basicresp: VA[%d] subject='%s'", k, buf); + xfree(buf); } } #endif /*def SSHOCSPTEST*/ @@ -696,9 +694,7 @@ if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { char *subject = sk_value(subjs, k); - debug3("ssh_ocsp_check_validity: cert[%d]='%.*s'" - , k - , (int) X509_NAME_MAXLEN, subject); + debug3("ssh_ocsp_check_validity: cert[%d]='%s'", k, subject); } if (!OCSP_resp_find_status( @@ -986,9 +982,9 @@ ssh_ocsp_conn *conn = NULL; if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { - char buf[X509_NAME_MAXLEN]; - X509_NAME_oneline( X509_get_subject_name(cert), buf, sizeof(buf)); - debug3("ssh_ocsp_validate: for '%.*s'", (int) sizeof(buf), buf); + char *buf = ssh_X509_NAME_oneline(X509_get_subject_name(cert)); /*fatal on error*/ + debug3("ssh_ocsp_validate: for '%s'", buf); + xfree(buf); } switch (va.type) { @@ -997,6 +993,7 @@ fatal("ssh_ocsp_validate: invalid validator type %d", va.type); break; /*;-)*/ case SSHVA_NONE: + debug3("ssh_ocsp_validate: none"); ret = 1; break; case SSHVA_OCSP_CERT: diff -ruN openssh-4.7p1+x509-6.0.1/ssh-x509.c openssh-4.7p1+x509-6.1/ssh-x509.c --- openssh-4.7p1+x509-6.0.1/ssh-x509.c 2007-08-06 20:43:27.000000000 +0300 +++ openssh-4.7p1+x509-6.1/ssh-x509.c 2007-10-24 01:09:03.000000000 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002-2005 Roumen Petrov. All rights reserved. + * Copyright (c) 2002-2007 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,6 +35,9 @@ #include "x509store.h" #include "compat.h" +#ifndef ISSPACE +# define ISSPACE(ch) (isspace((int)(unsigned char)(ch))) +#endif int (*pssh_x509cert_check)(X509 *_cert) = NULL; @@ -49,6 +52,56 @@ } +int +ssh_X509_NAME_print(BIO* bio, X509_NAME *xn) { + static u_long print_flags = ((XN_FLAG_ONELINE & \ + ~XN_FLAG_SPC_EQ & \ + ~XN_FLAG_SEP_MASK) | \ + XN_FLAG_SEP_COMMA_PLUS); + + if (xn == NULL) return(-1); + + X509_NAME_print_ex(bio, xn, 0, print_flags); + BIO_flush(bio); + + return(BIO_pending(bio)); +} + + +char* +ssh_X509_NAME_oneline(X509_NAME *xn) { + char *buf = NULL; + int size; + BIO* mbio = NULL; + + if (xn == NULL) return(NULL); + + mbio = BIO_new(BIO_s_mem()); + if (mbio == NULL) return(buf); + + size = ssh_X509_NAME_print(mbio, xn); + if (size <= 0) { + error("ssh_X509_NAME_oneline: no data in buffer"); + goto done; + } + + buf = xmalloc(size + 1); /*fatal on error*/ + + /* we should request one byte more !?!? */ + if (size != BIO_gets(mbio, buf, size + 1)) { + error("ssh_X509_NAME_oneline: cannot get data from buffer"); + goto done; + } + buf[size] = '\0'; + +done: + /* This call will walk the chain freeing all the BIOs */ + BIO_free_all(mbio); + + return(buf); +} + + #ifndef SSH_X509STORE_DISABLED static const char* x509key_find_subject(const char* s) { @@ -68,21 +121,21 @@ error("x509key_find_subject: no input data"); return(NULL); } - for (; *s && isspace((int)*s); s++) + for (; *s && ISSPACE(*s); s++) {/*skip space*/} for (q=keywords; *q; q++) { len = strlen(*q); if (strncasecmp(s, *q, len) != 0) continue; - for (p = s + len; *p && isspace((int)*p); p++) + for (p = s + len; *p && ISSPACE(*p); p++) {/*skip space*/} if (!*p) { error("x509key_find_subject: no data after keyword"); return(NULL); } if (*p == ':' || *p == '=') { - for (p++; *p && isspace((int)*p); p++) + for (p++; *p && ISSPACE(*p); p++) {/*skip space*/} if (!*p) { error("x509key_find_subject: no data after separator"); @@ -91,7 +144,7 @@ } if (*p == '/' || *p == ',') { /*skip leading [Relative]DistinguishedName elements separator*/ - for (p++; *p && isspace((int)*p); p++) + for (p++; *p && ISSPACE(*p); p++) {/*skip space*/} if (!*p) { error("x509key_find_subject: no data"); @@ -108,10 +161,10 @@ #ifndef SSH_X509STORE_DISABLED static unsigned long ssh_hctol(u_char ch) { -#ifndef CHARSET_EBCDIC -/* '0'-'9' = 0x30 - 0x39 */ -/* 'A'-'F' = 0x41 - 0x46 */ -/* 'a'-'f' = 0x61 - 0x66 */ +/* '0'-'9' = 0x30 - 0x39 (ascii) */ +/* 'A'-'F' = 0x41 - 0x46 (ascii) */ +/* 'a'-'f' = 0x61 - 0x66 (ascii) */ +/* should work for EBCDIC */ if (('0' <= ch) && (ch <= '9')) { return((long)(ch - '0')); } @@ -121,9 +174,6 @@ if (('a' <= ch) && (ch <= 'f')) { return((long)(ch - ('a' - 10))); } -#else -# include "ssh_hctol is not implemented for EBCDIC charset" -#endif return(-1); } @@ -158,6 +208,7 @@ "{\\}\\W%08lX" "{\\}\\U%04lX" "{\\}\\%02X" + "{\\}\\x%02X" - X509_NAME_oneline format */ if (ch == '\\') { if (value) *value = ch; @@ -193,7 +244,35 @@ if (value) *value = v; return(5); } - +#if 0 +/* +The code bellow isn't correct. Let 'O' is not 8-bit string(as example +BMPString) then "X509_NAME_oneline" will output "\x00O"(!). +The X509_NAME_oneline output format will left unsupported, i.e.: +Unsupported: +$ openssl x509 -in cert_file -subject -noout +Supported: + v0.9.7+ +$ openssl x509 -in cert_file -subject -noout -nameopt oneline[,] + v0.9.6 +$ openssl x509 -in cert_file -subject -noout -nameopt oneline [-nameopt ] +*/ + if ((ch == 'x') || (ch == 'X')) { + if (len < 3) { + error("get_escsymbol:" + " to short 8-bit hex sequence"); + return(-1); + } + v = ssh_hatol(++str, 2); + if (v < 0) { + error("get_escsymbol:" + " invalid character in 8-bit hex sequence"); + return(-1); + } + if (value) *value = v; + return(3); + } +#endif v = ssh_hctol(*str); if (v < 0) { /*a character is escaped ?*/ @@ -244,20 +323,23 @@ int type = MBSTRING_ASC; u_long ch; u_char *p; + const u_char *q; size_t k; /*this is internal method and we don't check validity of some arguments*/ p = buf; + q = str; k = sizeof(buf); while ((len > 0) && (k > 0)) { - if (*str == '\0') { + int ch_utf8 = 1; + if (*q == '\0') { error("ssh_X509_NAME_add_entry_by_NID:" " unsupported zero(NIL) symbol in name"); return(0); } - if (*str == '\\') { + if (*q == '\\') { len--; if (len <= 0) { error("ssh_X509_NAME_add_entry_by_NID:" @@ -265,26 +347,35 @@ return(0); } - ret = get_escsymbol(++str, len, &ch); + ret = get_escsymbol(++q, len, &ch); if (ret < 0) return(0); + if (ret == 2) { + /*escaped two hex numbers*/ + ch_utf8 = 0; + } } else { - ret = UTF8_getc(str, len, &ch); + ret = UTF8_getc(q, len, &ch); if(ret < 0) { error("ssh_X509_NAME_add_entry_by_NID:" " cannot get next symbol(%.32s)" - , str); + , q); return(0); } } len -= ret; - str += ret; + q += ret; - /* UTF8_putc return negative if buffer is too short */ - ret = UTF8_putc(p, k, ch); - if (ret < 0) { - error("ssh_X509_NAME_add_entry_by_NID:" - " UTF8_putc fail for symbol %ld", ch); - return(0); + if (ch_utf8) { + /* UTF8_putc return negative if buffer is too short */ + ret = UTF8_putc(p, k, ch); + if (ret < 0) { + error("ssh_X509_NAME_add_entry_by_NID:" + " UTF8_putc fail for symbol %ld", ch); + return(0); + } + } else { + *p = (u_char)ch; + ret = 1; } k -= ret; p += ret; @@ -317,7 +408,7 @@ error("ssh_X509_NAME_add_entry_by_NID: X509_NAME_add_entry_by_NID" " fail with errormsg='%.*s'" " for nid=%d/%.32s" - " and data='%.128s'" + " and data='%.512s'" , sizeof(ebuf), openssl_errormsg(ebuf, sizeof(ebuf)) , nid, OBJ_nid2ln(nid) , str); @@ -341,7 +432,7 @@ p = (char*)str; while (*p) { int nid; - for (; *p && isspace((int)*p); p++) + for (; *p && ISSPACE(*p); p++) {/*skip space*/} if (!*p) break; @@ -373,7 +464,7 @@ } { char *s = q; - for(--s; isspace((int)*s) && (s > p); s--) + for(--s; ISSPACE(*s) && (s > p); s--) {/*skip trailing space*/} *++s = 0; } @@ -399,9 +490,9 @@ break; } - for (; *p && isspace((int)*p); p++) + for (; *p && ISSPACE(*p); p++) {/*skip space*/} - for (q = token - 1; (q >= p) && isspace((int)*q); q--) + for (q = token - 1; (q >= p) && ISSPACE(*q); q--) {/*skip unexpected \n, etc. from end*/} *++q = 0; @@ -434,13 +525,13 @@ debug3("x509key_from_subject: %d is not x509 key", _keytype); return(NULL); } - debug3("x509key_from_subject(%d, [%.*s]) called", - _keytype, X509_NAME_MAXLEN, (_cp ? _cp : "")); + debug3("x509key_from_subject(%d, [%.1024s]) called", + _keytype, (_cp ? _cp : "")); subject = x509key_find_subject(_cp); if (subject == NULL) return(NULL); - debug3("x509key_from_subject: subject=[%.*s]", X509_NAME_MAXLEN, subject); + debug3("x509key_from_subject: subject=[%.1024s]", subject); key = key_new(_keytype); if (key == NULL) { error("x509key_from_subject: out of memory"); @@ -589,13 +680,13 @@ char* x509key_subject(const Key *key) { - char *buf = NULL; + X509_NAME *dn; - if (!x509key_check("x509key_subject", key)) return(buf); + if (!x509key_check("x509key_subject", key)) return(NULL); - buf = xmalloc(X509_NAME_MAXLEN); /*fatal on error*/ - X509_NAME_oneline(X509_get_subject_name(key->x509), buf, X509_NAME_MAXLEN); - return(buf); + /* it is better to match format used in x509key_write_subject */ + dn = X509_get_subject_name(key->x509); + return(ssh_X509_NAME_oneline(dn)); /*fatal on error*/ } @@ -642,9 +733,6 @@ int x509key_write_subject2(const Key *key, const char *keyname, FILE *f) { BIO *out; -#if 0 - char buf[X509_NAME_MAXLEN]; -#endif if (!x509key_check("x509key_write_subject2", key)) return(0); if (keyname == NULL) return(0); @@ -660,12 +748,7 @@ BIO_puts(out, keyname); BIO_puts(out, " Subject:"); -#if 0 - X509_NAME_oneline(X509_get_subject_name(key->x509), buf, sizeof(buf)); - BIO_puts(out, buf); -#else - X509_NAME_print_ex(out, X509_get_subject_name(key->x509), 0, SSH_XN_FLAG_ONELINE); -#endif + ssh_X509_NAME_print(out, X509_get_subject_name(key->x509)); BIO_free_all(out); return(1); @@ -698,7 +781,6 @@ x509key_save_cert(FILE *fp, X509 *x509) { int ret = 0; BIO *out; - char buf[X509_NAME_MAXLEN]; out = BIO_new_fp(fp, BIO_NOCLOSE); if (out == NULL) return(0); @@ -710,20 +792,20 @@ #endif BIO_puts(out, "issuer= "); - X509_NAME_oneline(X509_get_issuer_name(x509), buf, sizeof(buf)); - BIO_puts(out, buf); + ssh_X509_NAME_print(out, X509_get_issuer_name(x509)); BIO_puts(out, "\n"); BIO_puts(out, "subject= "); - X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf)); - BIO_puts(out, buf); + ssh_X509_NAME_print(out, X509_get_subject_name(x509)); BIO_puts(out, "\n"); + { const char *alstr = (const char*)X509_alias_get0(x509, NULL); if (alstr == NULL) alstr = ""; BIO_puts(out, alstr); BIO_puts(out, "\n"); } + ret = PEM_write_bio_X509(out, x509); if (!ret) { char ebuf[256]; diff -ruN openssh-4.7p1+x509-6.0.1/tests/CA/test-by_ldap.sh.inc openssh-4.7p1+x509-6.1/tests/CA/test-by_ldap.sh.inc --- openssh-4.7p1+x509-6.0.1/tests/CA/test-by_ldap.sh.inc 2007-08-28 01:08:05.000000000 +0300 +++ openssh-4.7p1+x509-6.1/tests/CA/test-by_ldap.sh.inc 2007-10-22 22:30:52.000000000 +0300 @@ -217,7 +217,7 @@ creTestSSHDcfgFile #openssh config parser limitation -SSH_CONF_LDAP_DC=`echo ${SSH_LDAP_DC} | sed -e 's|=|%3D|g'` +SSH_CONF_LDAP_DC=`echo ${SSH_LDAP_DC} | sed -e 's|=|%3D|g' -e 's|,|%2C|'` cat >> "$SSHD_CFG" < +#ifndef LDAP_DEPRECATED + /* to suppress warnings in some 2.3x versions */ +# define LDAP_DEPRECATED 0 +#endif #include @@ -87,6 +91,88 @@ } +/* ================================================================== */ +/* wrappers to some depricated functions */ +static void +ldaplookup_parse_result ( + LDAP *ld, + LDAPMessage *res +) { + static const int freeit = 0; + int result; +#ifdef HAVE_LDAP_PARSE_RESULT + int ret; + char *matcheddn; + char *errmsg; + + ret = ldap_parse_result(ld, res, &result, &matcheddn, &errmsg, NULL, NULL, freeit); + if (ret == LDAP_SUCCESS) { + if (errmsg) ERR_add_error_data(1, errmsg); + } + if (matcheddn) ldap_memfree(matcheddn); + if (errmsg) ldap_memfree(errmsg); +#else + result = ldap_result2error(ld, res, freeit); + openssl_add_ldap_error(result); +#endif +} + + +static int +ldaplookup_bind_s(LDAP *ld) { + int result; + + /* anonymous bind - data must be retrieved by anybody */ +#ifdef HAVE_LDAP_SASL_BIND_S +{ + static struct berval cred = { 0, (char*)"" }; + + result = ldap_sasl_bind_s( + ld, NULL/*dn*/, LDAP_SASL_SIMPLE, &cred, + NULL, NULL, NULL); +} +#else + result = ldap_simple_bind_s(ld, NULL/*binddn*/, NULL/*bindpw*/); +#endif + +#ifdef TRACE_BY_LDAP +fprintf(stderr, "TRACE_BY_LDAP ldaplookup_bind_s:" +" ldap_XXX_bind_s return 0x%x(%s)\n" +, result, ldap_err2string(result)); +#endif + return(result); +} + + +static int +ldaplookup_search_s( + LDAP *ld, + LDAP_CONST char *base, + int scope, + LDAP_CONST char *filter, + char **attrs, + int attrsonly, + LDAPMessage **res +) { + int result; +#ifdef HAVE_LDAP_SEARCH_EXT_S + result = ldap_search_ext_s(ld, base, + scope, filter, attrs, attrsonly, + NULL, NULL, NULL, 0, res); +#else + result = ldap_search_s(ld, base, scope, filter, attrs, attrsonly, res); +#endif + +#ifdef TRACE_BY_LDAP +fprintf(stderr, "TRACE_BY_LDAP ldaplookup_search_s:" +"\n base=%s\n filter=%s\n" +" ldap_search_{XXX}s return 0x%x(%s)\n" +, base, filter +, result, ldap_err2string(result)); +#endif + return(result); +} + /* ================================================================== */ /* LOOKUP by LDAP */ @@ -144,6 +230,8 @@ ldaplookup_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **retp) { int ret = 0; + (void)argl; + (void)retp; #ifdef TRACE_BY_LDAP fprintf(stderr, "TRACE_BY_LDAP ldaplookup_ctrl: cmd=%d, argc=%s\n", cmd, argc); #endif @@ -199,6 +287,7 @@ #ifdef TRACE_BY_LDAP fprintf(stderr, "TRACE_BY_LDAP ldaplookup_init:\n"); #endif + (void)ctx; return(1); } @@ -208,6 +297,7 @@ #ifdef TRACE_BY_LDAP fprintf(stderr, "TRACE_BY_LDAP ldaplookup_shutdown:\n"); #endif + (void)ctx; return(1); } @@ -233,7 +323,7 @@ goto error; } - ret = ldap_url_parse(url, &p->ldapurl); + ret = ldap_url_parse(p->url, &p->ldapurl); if (ret != 0) { X509byLDAPerr(X509byLDAP_F_LDAPHOST_NEW, X509byLDAP_R_INVALID_URL); openssl_add_ldap_error(ret); @@ -245,11 +335,23 @@ #endif /* open ldap connection */ +#ifdef HAVE_LDAP_INITIALIZE + ret = ldap_initialize(&p->ld, p->url); + if (ret != LDAP_SUCCESS) { + X509byLDAPerr(X509byLDAP_F_LDAPHOST_NEW, X509byLDAP_R_INITIALIZATION_ERROR); + openssl_add_ldap_error(ret); + goto error; + } +#ifdef TRACE_BY_LDAP +fprintf(stderr, "TRACE_BY_LDAP ldaphost_new: ldap_initialize(..., url=%s)\n", p->url); +#endif +#else /*ndef HAVE_LDAP_INITIALIZE*/ p->ld = ldap_init(p->ldapurl->lud_host, p->ldapurl->lud_port); if(p->ld == NULL) { X509byLDAPerr(X509byLDAP_F_LDAPHOST_NEW, X509byLDAP_R_INITIALIZATION_ERROR); goto error; } +#endif /*ndef HAVE_LDAP_INITIALIZE*/ { int version = -1; @@ -330,6 +432,9 @@ if (ver == NULL) return(0); p = (ldaphost*) ctx->method_data; +#ifdef TRACE_BY_LDAP +fprintf(stderr, "TRACE_BY_LDAP ldaplookup_set_protocol(..., %s) p=%p\n", ver, (void*)p); +#endif if (p == NULL) return(0); n = (int) strtol(ver, &q, 10); @@ -558,9 +663,8 @@ result = ldap_count_entries(ld, res); if (result < 0) { - result = ldap_result2error(ld, res, 0); X509byLDAPerr(X509byLDAP_F_RESULT2STORE, X509byLDAP_R_UNABLE_TO_COUNT_ENTRIES); - openssl_add_ldap_error(result); + ldaplookup_parse_result (ld, res); goto done; } #ifdef TRACE_BY_LDAP @@ -673,8 +777,7 @@ } #endif - /* anonymous bind - data must be retrieved by anybody */ - result = ldap_simple_bind_s(lh->ld, NULL/*binddn*/, NULL/*bindpw*/); + result = ldaplookup_bind_s(lh->ld); if (result != LDAP_SUCCESS) { X509byLDAPerr(X509byLDAP_F_GET_BY_SUBJECT, X509byLDAP_R_UNABLE_TO_BIND); { @@ -690,13 +793,8 @@ continue; } - result = ldap_search_s(lh->ld, lh->ldapurl->lud_dn, LDAP_SCOPE_SUBTREE, filter, (char**)attrs, 0, &res); -#ifdef TRACE_BY_LDAP -fprintf(stderr, "TRACE_BY_LDAP ldaplookup_by_subject:" -" ldap_search_s return 0x%x(%s)\n" -, result, ldap_err2string(result)); -#endif - + result = ldaplookup_search_s(lh->ld, lh->ldapurl->lud_dn, + LDAP_SCOPE_SUBTREE, filter, (char**)attrs, 0, &res); if (result != LDAP_SUCCESS) { X509byLDAPerr(X509byLDAP_F_GET_BY_SUBJECT, X509byLDAP_R_SEARCH_FAIL); ldap_msgfree(res); @@ -758,7 +856,7 @@ tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); #ifdef TRACE_BY_LDAP -fprintf(stderr, "TRACE_BY_LDAP ldaplookup_by_subject: k=%d, tmp=%p\n", k, tmp); +fprintf(stderr, "TRACE_BY_LDAP ldaplookup_by_subject: k=%d, tmp=%p\n", k, (void*)tmp); #endif if (tmp == NULL) { diff -ruN openssh-4.7p1+x509-6.0.1/x509_nm_cmp.c openssh-4.7p1+x509-6.1/x509_nm_cmp.c --- openssh-4.7p1+x509-6.0.1/x509_nm_cmp.c 2007-01-27 18:37:52.000000000 +0200 +++ openssh-4.7p1+x509-6.1/x509_nm_cmp.c 2007-10-21 19:48:55.000000000 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005 Roumen Petrov. All rights reserved. + * Copyright (c) 2005-2007 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -31,6 +31,7 @@ #include "x509store.h" #include "log.h" +#include "xmalloc.h" static int @@ -184,7 +185,7 @@ n = -1; goto done; } - lb = ssh_ASN1_STRING_to_UTF8(&ub, a); + lb = ssh_ASN1_STRING_to_UTF8(&ub, b); if (lb <= 0) { /*second string is greater in case of error or zero length*/ n = 1; @@ -394,16 +395,16 @@ nid = OBJ_obj2nid(neA->object); loc = X509_NAME_get_index_by_NID(b, nid, -1); if (loc < 0) { - char buf1[X509_NAME_MAXLEN]; - char buf2[X509_NAME_MAXLEN]; + char *buf1, *buf2; - X509_NAME_oneline(_a, buf1, sizeof(buf1)); - X509_NAME_oneline(_b, buf2, sizeof(buf2)); + buf1 = ssh_X509_NAME_oneline(_a); /*fatal on error*/ + buf2 = ssh_X509_NAME_oneline(_b); /*fatal on error*/ debug3("ssh_X509_NAME_cmp: insufficient entries with nid=%d(%.40s) in second name." - " na=%.*s, nb=%.*s", + " na=%s, nb=%s", nid, OBJ_nid2ln(nid), - (int) sizeof(buf1), buf1, - (int) sizeof(buf1), buf2); + buf1, buf2); + xfree(buf1); + xfree(buf2); n = -1; break; } diff -ruN openssh-4.7p1+x509-6.0.1/x509store.c openssh-4.7p1+x509-6.1/x509store.c --- openssh-4.7p1+x509-6.0.1/x509store.c 2006-09-01 21:23:45.000000000 +0300 +++ openssh-4.7p1+x509-6.1/x509store.c 2007-10-24 00:15:30.000000000 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002-2006 Roumen Petrov. All rights reserved. + * Copyright (c) 2002-2007 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -120,13 +120,14 @@ ok = ssh_is_selfsigned(ctx->cert); } if (!ok) { - char buf[X509_NAME_MAXLEN]; - X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, sizeof(buf)); - error("ssh_x509store_cb: subject='%.*s', error %d at %d depth lookup:%.200s", - (int) sizeof(buf), buf, + char *buf; + buf = ssh_X509_NAME_oneline(X509_get_subject_name(ctx->current_cert)); /*fatal on error*/ + error("ssh_x509store_cb: subject='%s', error %d at %d depth lookup:%.200s", + buf, ctx->error, ctx->error_depth, X509_verify_cert_error_string(ctx->error)); + xfree(buf); #if 0 if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; @@ -267,16 +268,22 @@ #ifndef SSH_X509STORE_DISABLED int/*bool*/ ssh_is_selfsigned(X509 *_cert) { - char buf[X509_NAME_MAXLEN]; X509_NAME *issuer, *subject; issuer = X509_get_issuer_name(_cert); - X509_NAME_oneline(issuer, buf, sizeof(buf)); - debug3("ssh_is_selfsigned: issuer='%.*s'", (int) sizeof(buf), buf); - subject = X509_get_subject_name(_cert); - X509_NAME_oneline(subject, buf, sizeof(buf)); - debug3("ssh_is_selfsigned: subject='%.*s'", (int) sizeof(buf), buf); + + if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { + char *buf; + + buf = ssh_X509_NAME_oneline(issuer); /*fatal on error*/ + debug3("ssh_is_selfsigned: issuer='%s'", buf); + xfree(buf); + + buf = ssh_X509_NAME_oneline(subject); /*fatal on error*/ + debug3("ssh_is_selfsigned: subject='%s'", buf); + xfree(buf); + } return (ssh_X509_NAME_cmp(issuer, subject) == 0); } @@ -574,13 +581,15 @@ #ifndef SSH_X509STORE_DISABLED if (x509store == NULL) { error("ssh_x509cert_check: context is NULL"); - return(-1); + ret = -1; + goto done; } if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { - char buf[X509_NAME_MAXLEN]; - X509_NAME_oneline( X509_get_subject_name(_cert), buf, sizeof(buf)); - debug3("ssh_x509cert_check: for '%.*s'", (int) sizeof(buf), buf); + char *buf; + buf = ssh_X509_NAME_oneline(X509_get_subject_name(_cert)); /*fatal on error*/ + debug3("ssh_x509cert_check: for '%s'", buf); + xfree(buf); } csc = X509_STORE_CTX_new(); @@ -592,7 +601,8 @@ /* clear rest of errors in OpenSSL "error buffer" */ ERR_clear_error(); - return(-1); + ret = -1; + goto done; } ret = ssh_verify_cert(csc, _cert); @@ -658,7 +668,11 @@ } } #endif /*def SSH_X509STORE_DISABLED*/ - debug3("ssh_x509cert_check: return %d", ret); +done: +{ + const char *msg = (ret > 0) ? "trusted" : (ret < 0 ? "error" : "rejected"); + debug3("ssh_x509cert_check: return %d(%s)", ret, msg); +} return(ret); } @@ -668,18 +682,17 @@ static void ssh_get_namestr_and_hash( X509_NAME *name, - char *buf, - size_t len, + char **buf, u_long *hash ) { if (name == NULL) { debug("ssh_get_namestr_and_hash: name is NULL"); - if (buf ) *buf = '\0'; + if (buf ) *buf = NULL; if (hash) *hash = 0; /* not correct but :-( */ return; } - if (buf ) X509_NAME_oneline(name, buf, len); + if (buf ) *buf = ssh_X509_NAME_oneline(name); /*fatal on error*/ if (hash) *hash = X509_NAME_hash(name); } @@ -688,7 +701,6 @@ ssh_check_crl(X509_STORE_CTX *_ctx, X509* _issuer, X509_CRL *_crl) { time_t *pcheck_time; int k; - char buf[X509_NAME_MAXLEN]; u_long hash; if (_issuer == NULL) { @@ -710,12 +722,12 @@ return(0); /* ;-) */ } - X509_NAME_oneline(X509_CRL_get_issuer(_crl), buf, sizeof(buf)); + ssh_X509_NAME_print(bio, X509_CRL_get_issuer(_crl)); - BIO_printf(bio, ", Last Update: "); + BIO_printf(bio, "; Last Update: "); ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(_crl)); - BIO_printf(bio, ", Next Update: "); + BIO_printf(bio, "; Next Update: "); ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(_crl)); k = BIO_pending(bio); @@ -723,7 +735,7 @@ k = BIO_read(bio, p, k); p[k] = '\0'; - debug3("ssh_check_crl: Issuer: %s%s", buf, p); + debug3("ssh_check_crl: Issuer: %s", p); xfree(p); BIO_free(bio); @@ -738,17 +750,18 @@ if (/*???(_issuer->ex_flags & EXFLAG_KUSAGE) &&*/ !(_issuer->ex_kusage & KU_CRL_SIGN) ) { - ssh_get_namestr_and_hash(X509_get_subject_name(_issuer), buf, sizeof(buf), &hash); - error("ssh_check_crl:" - " to verify crl signature key usage 'cRLSign'" - " must present in issuer certificate '%.*s' with hash=0x%08lx" - , (int) sizeof(buf), buf - , hash - ); + char *buf; #ifdef X509_V_ERR_KEYUSAGE_NO_CRL_SIGN /*first defined in OpenSSL 0.9.7d*/ X509_STORE_CTX_set_error(_ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN); #endif + ssh_get_namestr_and_hash(X509_get_subject_name(_issuer), &buf, &hash); + error("ssh_check_crl:" + " to verify crl signature key usage 'cRLSign'" + " must present in issuer certificate '%s' with hash=0x%08lx" + , buf, hash + ); + xfree(buf); return(0); } @@ -761,13 +774,15 @@ } if (X509_CRL_verify(_crl, pkey) <= 0) { - ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), buf, sizeof(buf), &hash); + char *buf; + + ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), &buf, &hash); error("ssh_check_crl: CRL has invalid signature" - ": issuer='%.*s', hash=0x%08lx" - , (int) sizeof(buf), buf - , hash + ": issuer='%s', hash=0x%08lx" + , buf, hash ); X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); + xfree(buf); return(0); } EVP_PKEY_free(pkey); @@ -781,35 +796,41 @@ k = X509_cmp_time(X509_CRL_get_lastUpdate(_crl), pcheck_time); if (k == 0) { - ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), buf, sizeof(buf), &hash); + char *buf; + + ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), &buf, &hash); error("ssh_check_crl: CRL has invalid lastUpdate field" - ": issuer='%.*s', hash=0x%08lx" - , (int) sizeof(buf), buf - , hash + ": issuer='%s', hash=0x%08lx" + , buf, hash ); X509_STORE_CTX_set_error(_ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD); + xfree(buf); return(0); } if (k > 0) { - ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), buf, sizeof(buf), &hash); + char *buf; + + ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), &buf, &hash); error("ssh_check_crl: CRL is not yet valid" - ": issuer='%.*s', hash=0x%08lx" - , (int) sizeof(buf), buf - , hash + ": issuer='%s', hash=0x%08lx" + , buf, hash ); X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CRL_NOT_YET_VALID); + xfree(buf); return(0); } k = X509_cmp_time(X509_CRL_get_nextUpdate(_crl), pcheck_time); if (k == 0) { - ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), buf, sizeof(buf), &hash); + char *buf; + + ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), &buf, &hash); error("ssh_check_crl: CRL has invalid nextUpdate field" - ": issuer='%.*s', hash=0x%08lx" - , (int) sizeof(buf), buf - , hash + ": issuer='%s', hash=0x%08lx" + , buf, hash ); X509_STORE_CTX_set_error(_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); + xfree(buf); return(0); } #if 0 @@ -825,13 +846,15 @@ } #endif if (k < 0) { - ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), buf, sizeof(buf), &hash); + char *buf; + + ssh_get_namestr_and_hash(X509_CRL_get_issuer(_crl), &buf, &hash); error("ssh_check_crl: CRL is expired" - ": issuer='%.*s', hash=0x%08lx" - , (int) sizeof(buf), buf - , hash + ": issuer='%s', hash=0x%08lx" + , buf, hash ); X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CRL_HAS_EXPIRED); + xfree(buf); return(0); } @@ -843,7 +866,7 @@ ssh_is_cert_revoked(X509_STORE_CTX *_ctx, X509_CRL *_crl, X509 *_cert) { X509_REVOKED revoked; int k; - char *p, buf1[X509_NAME_MAXLEN], buf2[X509_NAME_MAXLEN]; + char *dn, *ser, *in; if (_crl == NULL) return(1); revoked.serialNumber = X509_get_serialNumber(_cert); @@ -852,15 +875,15 @@ X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CERT_REVOKED); /* yes, revoked. print log and ...*/ - p = ssh_ASN1_INTEGER_2_string(revoked.serialNumber); - X509_NAME_oneline(X509_get_subject_name(_cert), buf1, sizeof(buf1)); - X509_NAME_oneline(X509_CRL_get_issuer (_crl ), buf2, sizeof(buf2)); - - error("certificate '%.*s' with serial '%.40s' revoked from issuer '%.*s'" - , (int) sizeof(buf1), buf1 - , p - , (int) sizeof(buf2), buf2); - xfree(p); + dn = ssh_X509_NAME_oneline(X509_get_subject_name(_cert)); /*fatal on error*/ + ser = ssh_ASN1_INTEGER_2_string(revoked.serialNumber); + in = ssh_X509_NAME_oneline(X509_CRL_get_issuer (_crl )); /*fatal on error*/ + + error("certificate '%s' with serial '%.40s' revoked from issuer '%s'" + , dn, ser, in); + xfree(dn); + xfree(ser); + xfree(in); return(1); } @@ -882,13 +905,15 @@ } if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { - char buf[X509_NAME_MAXLEN]; - - X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); - debug3("ssh_x509revoked_cb: issuer =%.*s", (int) sizeof(buf), buf); + char *buf; - X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); - debug3("ssh_x509revoked_cb: subject=%.*s", (int) sizeof(buf), buf); + buf = ssh_X509_NAME_oneline(X509_get_issuer_name(cert)); /*fatal on error*/ + debug3("ssh_x509revoked_cb: Issuer: %s", buf); + xfree(buf); + + buf = ssh_X509_NAME_oneline(X509_get_subject_name(cert)); /*fatal on error*/ + debug3("ssh_x509revoked_cb: Subject: %s", buf); + xfree(buf); } memset(&xobj, 0, sizeof(xobj)); diff -ruN openssh-4.7p1+x509-6.0.1/x509store.h openssh-4.7p1+x509-6.1/x509store.h --- openssh-4.7p1+x509-6.0.1/x509store.h 2007-02-27 23:00:42.000000000 +0200 +++ openssh-4.7p1+x509-6.1/x509store.h 2007-10-04 22:54:04.000000000 +0300 @@ -1,7 +1,7 @@ #ifndef X509STORE_H #define X509STORE_H /* - * Copyright (c) 2002-2006 Roumen Petrov. All rights reserved. + * Copyright (c) 2002-2007 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -28,11 +28,8 @@ #include -#define X509_NAME_MAXLEN 512 -#define SSH_XN_FLAG_ONELINE ((XN_FLAG_ONELINE & \ - ~XN_FLAG_SPC_EQ & \ - ~XN_FLAG_SEP_MASK) | \ - XN_FLAG_SEP_COMMA_PLUS) +int ssh_X509_NAME_print(BIO* bio, X509_NAME *xn); +char* ssh_X509_NAME_oneline(X509_NAME *xn); int ssh_x509cert_check(X509 *_cert);