From nobody Fri Aug 11 03:11:10 2023
Date: Fri, 11 Aug 2023 03:11:10 GMT
Message-Id: <202308110311.37B3BAmT005978@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: 535af610a4fd - main - ssh: Update to OpenSSH 9.4p1
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 535af610a4fdace6d50960c0ad9be0597eea7a1b
Auto-Submitted: auto-generated

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=535af610a4fdace6d50960c0ad9be0597eea7a1b

commit 535af610a4fdace6d50960c0ad9be0597eea7a1b
Merge: 6b405053c997 78f30535bcdb
Author:     Ed Maste
AuthorDate: 2023-08-11 03:10:18 +0000
Commit:     Ed Maste
CommitDate: 2023-08-11 03:10:18 +0000

    ssh: Update to OpenSSH 9.4p1

    Excerpts from the release notes:

     * ssh-agent(1): PKCS#11 modules must now be specified by their full
       paths. Previously dlopen(3) could search for them in system
       library directories.

     * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

     * ssh(1): add support for configuration tags to ssh(1).
       This adds a ssh_config(5) "Tag" directive and corresponding
       "Match tag" predicate that may be used to select blocks of
       configuration similar to the pf.conf(5) keywords of the same
       name.

     * ssh(1): add a "match localnetwork" predicate. This allows matching
       on the addresses of available network interfaces and may be used to
       vary the effective client configuration based on network location.

     * ssh-agent(1): improve isolation between loaded PKCS#11 modules
       by running separate ssh-pkcs11-helpers for each loaded provider.

     * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
       modules being loaded by checking that the requested module
       contains the required symbol before loading it.

     * ssh(1): don't incorrectly disable hostname canonicalization when
       CanonicalizeHostname=yes and ProxyJump was explicitly set to "none".
       bz3567

    Full release notes at https://www.openssh.com/txt/release-9.4

    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation

 crypto/openssh/.github/ci-status.md | 6 +-
 crypto/openssh/.github/configs | 45 +-
 crypto/openssh/.github/setup_ci.sh | 17 +-
 crypto/openssh/.github/workflows/c-cpp.yml | 26 +-
 crypto/openssh/.github/workflows/selfhosted.yml | 2 +-
 crypto/openssh/ChangeLog | 13191 ++++++++++---------
 crypto/openssh/INSTALL | 8 +-
 crypto/openssh/PROTOCOL.agent | 4 +-
 crypto/openssh/PROTOCOL.krl | 55 +-
 crypto/openssh/README | 2 +-
 crypto/openssh/addr.c | 4 +-
 crypto/openssh/auth-options.c | 29 +-
 crypto/openssh/auth-pam.c | 4 +-
 crypto/openssh/auth2-gss.c | 12 +-
 crypto/openssh/auth2-pubkey.c | 35 +-
 crypto/openssh/canohost.c | 4 +-
 crypto/openssh/chacha.c | 3 +-
 crypto/openssh/channels.c | 19 +-
 crypto/openssh/channels.h | 8 +-
 crypto/openssh/cipher-aes.c | 2 +-
 crypto/openssh/cipher-chachapoly-libcrypto.c | 3 +-
 crypto/openssh/cipher-chachapoly.c | 3 +-
 crypto/openssh/clientloop.c | 14 +-
 crypto/openssh/config.h | 94 +-
 crypto/openssh/configure.ac | 107 +-
 crypto/openssh/contrib/redhat/openssh.spec | 2 +-
 crypto/openssh/contrib/ssh-copy-id | 75 +-
 crypto/openssh/contrib/ssh-copy-id.1 | 79 +-
 crypto/openssh/contrib/suse/openssh.spec | 2 +-
 crypto/openssh/gss-serv.c | 2 +-
 crypto/openssh/kexgexs.c | 4 +-
 crypto/openssh/krl.c | 280 +-
 crypto/openssh/krl.h | 10 +-
 crypto/openssh/match.c | 5 +-
 crypto/openssh/misc.c | 95 +-
 crypto/openssh/misc.h | 3 +-
 crypto/openssh/moduli | 868 +-
 crypto/openssh/monitor.c | 5 +-
 crypto/openssh/monitor_wrap.c | 6 +-
 crypto/openssh/mux.c | 76 +-
 crypto/openssh/openbsd-compat/bsd-getentropy.c | 6 +-
 crypto/openssh/openbsd-compat/bsd-snprintf.c | 31 +-
 .../openssh/openbsd-compat/libressl-api-compat.c | 556 +-
 crypto/openssh/openbsd-compat/openssl-compat.c | 20 +-
 crypto/openssh/openbsd-compat/openssl-compat.h | 158 +-
 crypto/openssh/openbsd-compat/port-linux.c | 39 +-
 .../openbsd-compat/regress/opensslvertest.c | 29 +-
 .../openssh/openbsd-compat/regress/snprintftest.c | 6 +-
 .../openssh/openbsd-compat/regress/strtonumtest.c | 2 +-
 crypto/openssh/packet.c | 4 +-
 crypto/openssh/poly1305.c | 3 +-
 crypto/openssh/progressmeter.c | 3 +-
 crypto/openssh/readconf.c | 108 +-
 crypto/openssh/readconf.h | 3 +-
 crypto/openssh/regress/Makefile | 10 +-
 crypto/openssh/regress/agent-ptrace.sh | 2 +-
 crypto/openssh/regress/forcecommand.sh | 8 +-
 crypto/openssh/regress/forward-control.sh | 6 +-
 crypto/openssh/regress/misc/sk-dummy/sk-dummy.c | 27 +-
 crypto/openssh/regress/percent.sh | 5 +-
 crypto/openssh/regress/sftp-chroot.sh | 23 +-
 .../openssh/regress/unittests/misc/test_ptimeout.c | 4 +-
 .../openssh/regress/unittests/sshkey/test_file.c | 2 +
 crypto/openssh/regress/unittests/sshsig/tests.c | 2 +-
 .../regress/unittests/test_helper/test_helper.c | 2 +-
 crypto/openssh/scp.c | 23 +-
 crypto/openssh/servconf.c | 20 +-
 crypto/openssh/sftp-client.c | 54 +-
 crypto/openssh/sftp-common.c | 4 +-
 crypto/openssh/sftp-server.c | 4 +-
 crypto/openssh/sftp.c | 12 +-
 crypto/openssh/sk-usbhid.c | 14 +-
 crypto/openssh/ssh-add.c | 6 +-
 crypto/openssh/ssh-agent.1 | 14 +-
 crypto/openssh/ssh-agent.c | 8 +-
 crypto/openssh/ssh-keygen.1 | 6 +-
 crypto/openssh/ssh-keygen.c | 16 +-
 crypto/openssh/ssh-keyscan.c | 28 +-
 crypto/openssh/ssh-pkcs11-client.c | 389 +-
 crypto/openssh/ssh-pkcs11.c | 43 +-
 crypto/openssh/ssh-sk.c | 8 +-
 crypto/openssh/ssh-xmss.c | 4 +-
 crypto/openssh/ssh.1 | 19 +-
 crypto/openssh/ssh.c | 59 +-
 crypto/openssh/ssh_config | 2 +-
 crypto/openssh/ssh_config.5 | 39 +-
 crypto/openssh/ssh_namespace.h | 3 +
 crypto/openssh/sshconnect2.c | 12 +-
 crypto/openssh/sshd_config | 2 +-
 crypto/openssh/sshd_config.5 | 14 +-
 crypto/openssh/sshkey.c | 18 +-
 crypto/openssh/sshkey.h | 4 +-
 crypto/openssh/sshsig.c | 11 +-
 crypto/openssh/version.h | 8 +-
 94 files changed, 8883 insertions(+), 8229 deletions(-)

diff --cc crypto/openssh/INSTALL index 77b56a9bb734,000000000000..adc6e0825738 mode 100644,000000..100644 ---
a/crypto/openssh/INSTALL +++ b/crypto/openssh/INSTALL @@@ -1,297 -1,0 +1,293 @@@ +1. Prerequisites +---------------- + +A C compiler. Any C89 or better compiler that supports variadic macros +should work. Where supported, configure will attempt to enable the +compiler's run-time integrity checking options. Some notes about +specific compilers: + - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime + (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) + +To support Privilege Separation (which is now required) you will need +to create the user, group and directory used by sshd for privilege +separation. See README.privsep for details. + + +The remaining items are optional. + +A working installation of zlib: +Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): +https://zlib.net/ + +libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto +is supported but severely restricts the available ciphers and algorithms. - - LibreSSL (https://www.libressl.org/) - - OpenSSL (https://www.openssl.org) with any of the following versions: - - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 - - Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to - 1.1.0g can't be used. ++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater ++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater + +LibreSSL/OpenSSL should be compiled as a position-independent library +(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" +or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not +be able to link with it. If you must use a non-position-independent +libcrypto, then you may need to configure OpenSSH --without-pie. + +If you build either from source, running the OpenSSL self-test ("make +tests") or the LibreSSL equivalent ("make check") and ensuring that all +tests pass is strongly recommended. + +NB. 
If you operating system supports /dev/random, you should configure +libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's +direct support of /dev/random, or failing that, either prngd or egd. + +PRNGD: + +If your system lacks kernel-based random collection, the use of Lutz +Jaenicke's PRNGd is recommended. It requires that libcrypto be configured +to support it. + +http://prngd.sourceforge.net/ + +EGD: + +The Entropy Gathering Daemon (EGD) supports the same interface as prngd. +It also supported only if libcrypto is configured to support it. + +http://egd.sourceforge.net/ + +PAM: + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your +system supports it. PAM is standard most Linux distributions, Solaris, +HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X. + +Information about the various PAM implementations are available: + +Solaris PAM: http://www.sun.com/software/solaris/pam/ +Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ +OpenPAM: http://www.openpam.org/ + +If you wish to build the GNOME passphrase requester, you will need the GNOME +libraries and headers. + +GNOME: +http://www.gnome.org/ + +Alternatively, Jim Knoble has written an excellent X11 +passphrase requester. This is maintained separately at: + +http://www.jmknoble.net/software/x11-ssh-askpass/ + +TCP Wrappers: + +If you wish to use the TCP wrappers functionality you will need at least +tcpd.h and libwrap.a, either in the standard include and library paths, +or in the directory specified by --with-tcp-wrappers. Version 7.6 is +known to work. + +http://ftp.porcupine.org/pub/security/index.html + +LibEdit: + +sftp supports command-line editing via NetBSD's libedit. If your platform +has it available natively you can use that, alternatively you might try +these multi-platform ports: + +http://www.thrysoee.dk/editline/ +http://sourceforge.net/projects/libedit/ + +LDNS: + +LDNS is a DNS BSD-licensed resolver library which supports DNSSEC. 
+ +http://nlnetlabs.nl/projects/ldns/ + +Autoconf: + +If you modify configure.ac or configure doesn't exist (eg if you checked +the code out of git yourself) then you will need autoconf-2.69 and +automake-1.16.1 to rebuild the automatically generated files by running +"autoreconf". Earlier versions may also work but this is not guaranteed. + +http://www.gnu.org/software/autoconf/ +http://www.gnu.org/software/automake/ + +Basic Security Module (BSM): + +Native BSM support is known to exist in Solaris from at least 2.5.1, +FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM +implementation (http://www.openbsm.org). + +makedepend: + +https://www.x.org/archive/individual/util/ + +If you are making significant changes to the code you may need to rebuild +the dependency (.depend) file using "make depend", which requires the +"makedepend" tool from the X11 distribution. + +libfido2: + +libfido2 allows the use of hardware security keys over USB. libfido2 +in turn depends on libcbor. libfido2 >= 1.5.0 is strongly recommended. +Limited functionality is possible with earlier libfido2 versions. + +https://github.com/Yubico/libfido2 +https://github.com/pjk/libcbor + + +2. Building / Installation +-------------------------- + +To install OpenSSH with default options: + +./configure +make +make install + +This will install the OpenSSH binaries in /usr/local/bin, configuration files +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different +installation prefix, use the --prefix option to configure: + +./configure --prefix=/opt +make +make install + +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +specific paths, for example: + +./configure --prefix=/opt --sysconfdir=/etc/ssh +make +make install + +This will install the binaries in /opt/{bin,lib,sbin}, but will place the +configuration files in /etc/ssh. 
+ +If you are using PAM, you may need to manually install a PAM control +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep +them). Note that the service name used to start PAM is __progname, +which is the basename of the path of your sshd (e.g., the service name +for /usr/sbin/osshd will be osshd). If you have renamed your sshd +executable, your PAM configuration may need to be modified. + +A generic PAM configuration is included as "contrib/sshd.pam.generic", +you may need to edit it before using it on your system. If you are +using a recent version of Red Hat Linux, the config file in +contrib/redhat/sshd.pam should be more useful. Failure to install a +valid PAM file may result in an inability to use password +authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf +configuration will work with sshd (sshd will match the other service +name). + +There are a few other options to the configure script: + +--with-audit=[module] enable additional auditing via the specified module. +Currently, drivers for "debug" (additional info via syslog) and "bsm" +(Sun's Basic Security Module) are supported. + +--with-pam enables PAM support. If PAM support is compiled in, it must +also be enabled in sshd_config (refer to the UsePAM directive). + +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD +support and to specify a PRNGd socket. Use this if your Unix lacks +/dev/random. + +--with-prngd-port=portnum allows you to enable EGD or PRNGD support +and to specify a EGD localhost TCP port. Use this if your Unix lacks +/dev/random. + +--with-lastlog=FILE will specify the location of the lastlog file. +./configure searches a few locations for lastlog, but may not find +it if lastlog is installed in a different place. + +--without-lastlog will disable lastlog support entirely. + +--with-osfsia, --without-osfsia will enable or disable OSF1's Security +Integration Architecture. The default for OSF1 machines is enable. 
+ +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) +support. + +--with-utmpx enables utmpx support. utmpx support is automatic for +some platforms. + +--without-shadow disables shadow password support. + +--with-ipaddr-display forces the use of a numeric IP address in the +$DISPLAY environment variable. Some broken systems need this. + +--with-default-path=PATH allows you to specify a default $PATH for sessions +started by sshd. This replaces the standard path entirely. + +--with-pid-dir=PATH specifies the directory in which the sshd.pid file is +created. + +--with-xauth=PATH specifies the location of the xauth binary + +--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL +libraries are installed. + +--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support + +--without-openssl builds without using OpenSSL. Only a subset of ciphers +and algorithms are supported in this configuration. + +--without-zlib builds without zlib. This disables the Compression option. + +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to +real (AF_INET) IPv4 addresses. Works around some quirks on Linux. + +If you need to pass special options to the compiler or linker, you +can specify these as environment variables before running ./configure. +For example: + +CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure + +3. Configuration +---------------- + +The runtime configuration files are installed by in ${prefix}/etc or +whatever you specified as your --sysconfdir (/usr/local/etc by default). + +The default configuration should be instantly usable, though you should +review it to ensure that it matches your security requirements. + +To generate a host key, run "make host-key". 
Alternately you can do so +manually using the following commands: + + ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N "" + +for each of the types you wish to generate (rsa, dsa or ecdsa) or + + ssh-keygen -A + +to generate keys for all supported types. + +Replacing /etc/ssh with the correct path to the configuration directory. +(${prefix}/etc or whatever you specified with --sysconfdir during +configuration). + +If you have configured OpenSSH with EGD/prngd support, ensure that EGD or +prngd is running and has collected some entropy first. + +For more information on configuration, please refer to the manual pages +for sshd, ssh and ssh-agent. + +4. (Optional) Send survey +------------------------- + +$ make survey +[check the contents of the file "survey" to ensure there's no information +that you consider sensitive] +$ make send-survey + +This will send configuration information for the currently configured +host to a survey address. This will help determine which configurations +are actually in use, and what valid combinations of configure options +exist. The raw data is available only to the OpenSSH developers, however +summary data may be published. + +5. Problems? +------------ + +If you experience problems compiling, installing or running OpenSSH, +please refer to the "reporting bugs" section of the webpage at +https://www.openssh.com/ diff --cc crypto/openssh/config.h index 4a274147b22e,000000000000..385e53c82ea3 mode 100644,000000..100644 --- a/crypto/openssh/config.h +++ b/crypto/openssh/config.h @@@ -1,2132 -1,0 +1,2042 @@@ +/* config.h. Generated from config.h.in by configure. */ +/* config.h.in. Generated from configure.ac by autoheader. 
*/ + +/* Define if building universal (internal helper macro) */ +/* #undef AC_APPLE_UNIVERSAL_BUILD */ + +/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address + */ +/* #undef AIX_GETNAMEINFO_HACK */ + +/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */ +/* #undef AIX_LOGINFAILED_4ARG */ + +/* System only supports IPv4 audit records */ +/* #undef AU_IPv4 */ + +/* Define if your resolver libs need this for getrrsetbyname */ +/* #undef BIND_8_COMPAT */ + +/* The system has incomplete BSM API */ +/* #undef BROKEN_BSM_API */ + +/* broken in chroots on older kernels */ +/* #undef BROKEN_CLOSEFROM */ + +/* Define if cmsg_type is not passed correctly */ +/* #undef BROKEN_CMSG_TYPE */ + +/* getaddrinfo is broken (if present) */ +/* #undef BROKEN_GETADDRINFO */ + +/* getgroups(0,NULL) will return -1 */ +/* #undef BROKEN_GETGROUPS */ + +/* getline is not what we expect */ +/* #undef BROKEN_GETLINE */ + +/* FreeBSD glob does not do what we need */ +#define BROKEN_GLOB 1 + +/* Define if you system's inet_ntoa is busted (e.g. 
Irix gcc issue) */ +/* #undef BROKEN_INET_NTOA */ + +/* Define if your struct dirent expects you to allocate extra space for d_name + */ +/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */ + +/* System poll(2) implementation is broken */ +/* #undef BROKEN_POLL */ + +/* Can't do comparisons on readv */ +/* #undef BROKEN_READV_COMPARISON */ + +/* NetBSD read function is sometimes redirected, breaking atomicio comparisons + against it */ +/* #undef BROKEN_READ_COMPARISON */ + +/* Needed for NeXT */ +/* #undef BROKEN_SAVED_UIDS */ + +/* Define if your setregid() is broken */ +/* #undef BROKEN_SETREGID */ + +/* Define if your setresgid() is broken */ +/* #undef BROKEN_SETRESGID */ + +/* Define if your setresuid() is broken */ +/* #undef BROKEN_SETRESUID */ + +/* Define if your setreuid() is broken */ +/* #undef BROKEN_SETREUID */ + +/* LynxOS has broken setvbuf() implementation */ +/* #undef BROKEN_SETVBUF */ + +/* QNX shadow support is broken */ +/* #undef BROKEN_SHADOW_EXPIRE */ + +/* Define if your snprintf is busted */ +/* #undef BROKEN_SNPRINTF */ + +/* strndup broken, see APAR IY61211 */ +/* #undef BROKEN_STRNDUP */ + +/* strnlen broken, see APAR IY62551 */ +/* #undef BROKEN_STRNLEN */ + +/* strnvis detected broken */ +#define BROKEN_STRNVIS 1 + +/* tcgetattr with ICANON may hang */ +/* #undef BROKEN_TCGETATTR_ICANON */ + +/* updwtmpx is broken (if present) */ +/* #undef BROKEN_UPDWTMPX */ + +/* Define if you have BSD auth support */ +/* #undef BSD_AUTH */ + +/* Define if you want to specify the path to your lastlog file */ +/* #undef CONF_LASTLOG_FILE */ + +/* Define if you want to specify the path to your utmp file */ +/* #undef CONF_UTMP_FILE */ + +/* Define if you want to specify the path to your wtmpx file */ +/* #undef CONF_WTMPX_FILE */ + +/* Define if you want to specify the path to your wtmp file */ +/* #undef CONF_WTMP_FILE */ + +/* Need to call setpgrp as root */ +/* #undef DISABLE_FD_PASSING */ + +/* Define if you don't want to use lastlog */ +/* #undef 
DISABLE_LASTLOG */ + +/* Define if you don't want to use your system's login() call */ +/* #undef DISABLE_LOGIN */ + +/* Define if you don't want to use pututline() etc. to write [uw]tmp */ +/* #undef DISABLE_PUTUTLINE */ + +/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */ +/* #undef DISABLE_PUTUTXLINE */ + +/* Define if you want to disable shadow passwords */ +/* #undef DISABLE_SHADOW */ + +/* Define if you don't want to use utmp */ +#define DISABLE_UTMP 1 + +/* Define if you don't want to use utmpx */ +/* #undef DISABLE_UTMPX */ + +/* Define if you don't want to use wtmp */ +#define DISABLE_WTMP 1 + +/* Define if you don't want to use wtmpx */ +#define DISABLE_WTMPX 1 + +/* Enable for PKCS#11 support */ +#define ENABLE_PKCS11 /**/ + +/* Enable for U2F/FIDO support */ +#define ENABLE_SK /**/ + +/* Enable for built-in U2F/FIDO support */ +/* #undef ENABLE_SK_INTERNAL */ + +/* define if fflush(NULL) does not work */ +/* #undef FFLUSH_NULL_BUG */ + +/* File names may not contain backslash characters */ +/* #undef FILESYSTEM_NO_BACKSLASH */ + +/* fsid_t has member val */ +/* #undef FSID_HAS_VAL */ + +/* fsid_t has member __val */ +/* #undef FSID_HAS___VAL */ + +/* getpgrp takes one arg */ +#define GETPGRP_VOID 1 + +/* Conflicting defs for getspnam */ +/* #undef GETSPNAM_CONFLICTING_DEFS */ + +/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */ +#define GLOB_HAS_ALTDIRFUNC 1 + +/* Define if your system glob() function has gl_matchc options in glob_t */ +#define GLOB_HAS_GL_MATCHC 1 + +/* Define if your system glob() function has gl_statv options in glob_t */ +/* #undef GLOB_HAS_GL_STATV */ + +/* Define this if you want GSSAPI support in the version 2 protocol */ +/* #undef GSSAPI */ + +/* Define if you want to use shadow password expire field */ +/* #undef HAS_SHADOW_EXPIRE */ + +/* Define if your system uses access rights style file descriptor passing */ +/* #undef HAVE_ACCRIGHTS_IN_MSGHDR */ + +/* Define if you have 
ut_addr in utmp.h */ +/* #undef HAVE_ADDR_IN_UTMP */ + +/* Define if you have ut_addr in utmpx.h */ +/* #undef HAVE_ADDR_IN_UTMPX */ + +/* Define if you have ut_addr_v6 in utmp.h */ +/* #undef HAVE_ADDR_V6_IN_UTMP */ + +/* Define if you have ut_addr_v6 in utmpx.h */ +/* #undef HAVE_ADDR_V6_IN_UTMPX */ + +/* Define to 1 if you have the `arc4random' function. */ +#define HAVE_ARC4RANDOM 1 + +/* Define to 1 if you have the `arc4random_buf' function. */ +#define HAVE_ARC4RANDOM_BUF 1 + +/* Define to 1 if you have the `arc4random_stir' function. */ +/* #undef HAVE_ARC4RANDOM_STIR */ + +/* Define to 1 if you have the `arc4random_uniform' function. */ +#define HAVE_ARC4RANDOM_UNIFORM 1 + +/* Define to 1 if you have the `asprintf' function. */ +#define HAVE_ASPRINTF 1 + +/* OpenBSD's gcc has bounded */ +/* #undef HAVE_ATTRIBUTE__BOUNDED__ */ + +/* Have attribute nonnull */ +#define HAVE_ATTRIBUTE__NONNULL__ 1 + +/* OpenBSD's gcc has sentinel */ +/* #undef HAVE_ATTRIBUTE__SENTINEL__ */ + +/* Define to 1 if you have the `aug_get_machine' function. */ +/* #undef HAVE_AUG_GET_MACHINE */ + +/* Define to 1 if you have the `auth_hostok' function. */ +#define HAVE_AUTH_HOSTOK 1 + +/* Define to 1 if you have the `auth_timeok' function. */ +#define HAVE_AUTH_TIMEOK 1 + +/* Define to 1 if you have the `b64_ntop' function. */ +/* #undef HAVE_B64_NTOP */ + +/* Define to 1 if you have the `b64_pton' function. */ +/* #undef HAVE_B64_PTON */ + +/* Define if you have the basename function. */ +#define HAVE_BASENAME 1 + +/* Define to 1 if you have the `bcopy' function. */ +#define HAVE_BCOPY 1 + +/* Define to 1 if you have the `bcrypt_pbkdf' function. */ +/* #undef HAVE_BCRYPT_PBKDF */ + +/* Define to 1 if you have the `bindresvport_sa' function. */ +#define HAVE_BINDRESVPORT_SA 1 + +/* Define to 1 if you have the `blf_enc' function. */ +/* #undef HAVE_BLF_ENC */ + +/* Define to 1 if you have the header file. 
*/ +/* #undef HAVE_BLF_H */ + +/* Define to 1 if you have the `Blowfish_expand0state' function. */ +/* #undef HAVE_BLOWFISH_EXPAND0STATE */ + +/* Define to 1 if you have the `Blowfish_expandstate' function. */ +/* #undef HAVE_BLOWFISH_EXPANDSTATE */ + +/* Define to 1 if you have the `Blowfish_initstate' function. */ +/* #undef HAVE_BLOWFISH_INITSTATE */ + +/* Define to 1 if you have the `Blowfish_stream2word' function. */ +/* #undef HAVE_BLOWFISH_STREAM2WORD */ + +/* Define to 1 if you have the `BN_is_prime_ex' function. */ +#define HAVE_BN_IS_PRIME_EX 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_BSD_LIBUTIL_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_BSM_AUDIT_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_BSTRING_H */ + +/* Define to 1 if you have the `bzero' function. */ +#define HAVE_BZERO 1 + +/* calloc(0, x) returns NULL */ +#define HAVE_CALLOC 1 + +/* Define if you have caph_cache_tzdata */ +#define HAVE_CAPH_CACHE_TZDATA 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_CAPSICUM_HELPERS_H 1 + +/* Define to 1 if you have the `cap_rights_limit' function. */ +#define HAVE_CAP_RIGHTS_LIMIT 1 + +/* Define to 1 if you have the `clock' function. */ +#define HAVE_CLOCK 1 + +/* Have clock_gettime */ +#define HAVE_CLOCK_GETTIME 1 + +/* define if you have clock_t data type */ +#define HAVE_CLOCK_T 1 + +/* Define to 1 if you have the `closefrom' function. */ +#define HAVE_CLOSEFROM 1 + +/* Define to 1 if you have the `close_range' function. */ +#define HAVE_CLOSE_RANGE 1 + +/* Define if gai_strerror() returns const char * */ +#define HAVE_CONST_GAI_STRERROR_PROTO 1 + +/* Define if your system uses ancillary data style file descriptor passing */ +#define HAVE_CONTROL_IN_MSGHDR 1 + +/* Define to 1 if you have the `crypt' function. */ +#define HAVE_CRYPT 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_CRYPTO_SHA2_H */ + +/* Define to 1 if you have the header file. 
*/ +/* #undef HAVE_CRYPT_H */ + +/* Define if you are on Cygwin */ +/* #undef HAVE_CYGWIN */ + +/* Define if your libraries define daemon() */ +#define HAVE_DAEMON 1 + +/* Define to 1 if you have the declaration of `AI_NUMERICSERV', and to 0 if + you don't. */ +#define HAVE_DECL_AI_NUMERICSERV 1 + +/* Define to 1 if you have the declaration of `authenticate', and to 0 if you + don't. */ +/* #undef HAVE_DECL_AUTHENTICATE */ + +/* Define to 1 if you have the declaration of `bzero', and to 0 if you don't. + */ +#define HAVE_DECL_BZERO 1 + +/* Define to 1 if you have the declaration of `ftruncate', and to 0 if you + don't. */ +#define HAVE_DECL_FTRUNCATE 1 + +/* Define to 1 if you have the declaration of `getentropy', and to 0 if you + don't. */ +#define HAVE_DECL_GETENTROPY 1 + +/* Define to 1 if you have the declaration of `getpeereid', and to 0 if you + don't. */ +#define HAVE_DECL_GETPEEREID 1 + +/* Define to 1 if you have the declaration of `GLOB_NOMATCH', and to 0 if you + don't. */ +#define HAVE_DECL_GLOB_NOMATCH 1 + +/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE', + and to 0 if you don't. */ +/* #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE */ + +/* Define to 1 if you have the declaration of `howmany', and to 0 if you + don't. */ +#define HAVE_DECL_HOWMANY 1 + +/* Define to 1 if you have the declaration of `h_errno', and to 0 if you + don't. */ +#define HAVE_DECL_H_ERRNO 1 + +/* Define to 1 if you have the declaration of `loginfailed', and to 0 if you + don't. */ +/* #undef HAVE_DECL_LOGINFAILED */ + +/* Define to 1 if you have the declaration of `loginrestrictions', and to 0 if + you don't. */ +/* #undef HAVE_DECL_LOGINRESTRICTIONS */ + +/* Define to 1 if you have the declaration of `loginsuccess', and to 0 if you + don't. */ +/* #undef HAVE_DECL_LOGINSUCCESS */ + +/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you + don't. 
*/ +#define HAVE_DECL_MAXSYMLINKS 1 + +/* Define to 1 if you have the declaration of `memmem', and to 0 if you don't. + */ +#define HAVE_DECL_MEMMEM 1 + +/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you + don't. */ +#define HAVE_DECL_NFDBITS 1 + +/* Define to 1 if you have the declaration of `offsetof', and to 0 if you + don't. */ +#define HAVE_DECL_OFFSETOF 1 + +/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you + don't. */ +#define HAVE_DECL_O_NONBLOCK 1 + +/* Define to 1 if you have the declaration of `passwdexpired', and to 0 if you + don't. */ +/* #undef HAVE_DECL_PASSWDEXPIRED */ + +/* Define to 1 if you have the declaration of `readv', and to 0 if you don't. + */ +#define HAVE_DECL_READV 1 + +/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you + don't. */ +/* #undef HAVE_DECL_SETAUTHDB */ + +/* Define to 1 if you have the declaration of `SHUT_RD', and to 0 if you + don't. */ +#define HAVE_DECL_SHUT_RD 1 + +/* Define to 1 if you have the declaration of `UINT32_MAX', and to 0 if you + don't. */ +#define HAVE_DECL_UINT32_MAX 1 + +/* Define to 1 if you have the declaration of `writev', and to 0 if you don't. + */ +#define HAVE_DECL_WRITEV 1 + +/* Define to 1 if you have the declaration of `_getlong', and to 0 if you + don't. */ +#define HAVE_DECL__GETLONG 0 + +/* Define to 1 if you have the declaration of `_getshort', and to 0 if you + don't. */ +#define HAVE_DECL__GETSHORT 0 + +/* Define to 1 if you have the `DES_crypt' function. */ +#define HAVE_DES_CRYPT 1 + +/* Define if you have /dev/ptmx */ +/* #undef HAVE_DEV_PTMX */ + +/* Define if you have /dev/ptc */ +/* #undef HAVE_DEV_PTS_AND_PTC */ + - /* Define to 1 if you have the `DH_get0_key' function. */ - #define HAVE_DH_GET0_KEY 1 - - /* Define to 1 if you have the `DH_get0_pqg' function. */ - #define HAVE_DH_GET0_PQG 1 - - /* Define to 1 if you have the `DH_set0_key' function. 
*/ - #define HAVE_DH_SET0_KEY 1 - - /* Define to 1 if you have the `DH_set0_pqg' function. */ - #define HAVE_DH_SET0_PQG 1 - - /* Define to 1 if you have the `DH_set_length' function. */ - #define HAVE_DH_SET_LENGTH 1 - +/* Define to 1 if you have the header file. */ +#define HAVE_DIRENT_H 1 + +/* Define to 1 if you have the `dirfd' function. */ +#define HAVE_DIRFD 1 + +/* Define to 1 if you have the `dirname' function. */ +#define HAVE_DIRNAME 1 + +/* Define to 1 if you have the `dlopen' function. */ +#define HAVE_DLOPEN 1 + +/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */ +#define HAVE_DSA_GENERATE_PARAMETERS_EX 1 + - /* Define to 1 if you have the `DSA_get0_key' function. */ - #define HAVE_DSA_GET0_KEY 1 - - /* Define to 1 if you have the `DSA_get0_pqg' function. */ - #define HAVE_DSA_GET0_PQG 1 - - /* Define to 1 if you have the `DSA_set0_key' function. */ - #define HAVE_DSA_SET0_KEY 1 - - /* Define to 1 if you have the `DSA_set0_pqg' function. */ - #define HAVE_DSA_SET0_PQG 1 - - /* Define to 1 if you have the `DSA_SIG_get0' function. */ - #define HAVE_DSA_SIG_GET0 1 - - /* Define to 1 if you have the `DSA_SIG_set0' function. */ - #define HAVE_DSA_SIG_SET0 1 - - /* Define to 1 if you have the `ECDSA_SIG_get0' function. */ - #define HAVE_ECDSA_SIG_GET0 1 - - /* Define to 1 if you have the `ECDSA_SIG_set0' function. */ - #define HAVE_ECDSA_SIG_SET0 1 - +/* Define to 1 if you have the `EC_KEY_METHOD_new' function. */ +#define HAVE_EC_KEY_METHOD_NEW 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_ELF_H 1 + +/* Define to 1 if you have the `endgrent' function. */ +#define HAVE_ENDGRENT 1 + +/* Define to 1 if you have the header file. */ - /* #undef HAVE_ENDIAN_H */ ++#define HAVE_ENDIAN_H 1 + +/* Define to 1 if you have the `endutent' function. */ +/* #undef HAVE_ENDUTENT */ + +/* Define to 1 if you have the `endutxent' function. */ +#define HAVE_ENDUTXENT 1 + +/* Define to 1 if you have the `err' function. 
*/ +#define HAVE_ERR 1 + +/* Define to 1 if you have the `errx' function. */ +#define HAVE_ERRX 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_ERR_H 1 + +/* Define if your system has /etc/default/login */ +/* #undef HAVE_ETC_DEFAULT_LOGIN */ + +/* Define to 1 if you have the `EVP_chacha20' function. */ +#define HAVE_EVP_CHACHA20 1 + +/* Define to 1 if you have the `EVP_CIPHER_CTX_get_iv' function. */ +/* #undef HAVE_EVP_CIPHER_CTX_GET_IV */ *** 11214 LINES SKIPPED ***
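Review bot: where the `HAVE_DH_GET0_KEY` through `HAVE_DH_SET_LENGTH`, `HAVE_DSA_GET0_KEY` through `HAVE_DSA_SIG_SET0`, and `HAVE_ECDSA_SIG_GET0` / `HAVE_ECDSA_SIG_SET0` defines are dropped, the visible lines do not show that the code testing these macros went away in the same update. If any `#ifndef HAVE_DH_GET0_KEY`-style fallback is still in the tree, it would now be compiled in alongside the library's own functions. Please confirm with a tree-wide search for each removed name that no consumer remains, and mention the result in the commit message.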
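Review bot: `HAVE_ENDIAN_H` changes from `/* #undef HAVE_ENDIAN_H */` to `#define HAVE_ENDIAN_H 1`, the only define in this stretch whose value flips rather than being added or dropped, and nothing here explains it. Since this header is a checked-in configure result rather than something regenerated per build, every branch the update is merged to has to provide the header the macro refers to. Please state which base version the configure run was done on, and call out the flip so that merges to older branches re-check it.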