similar to: more compiler safety flags

Hi all. Any reason not to turn these on if the system supports them? They're cheap but not free (a bit under 1% slower to run the complete regress suite in a completely unscientific test). They're based on info from these places: https://wiki.ubuntu.com/ToolChain/CompilerFlags http://wiki.debian.org/Hardening http://www.gentoo.org/proj/en/hardened/gnu-stack.xml and I've attempted to

On 8 June 2018 at 10:52, PGNet Dev <pgnet.dev at gmail.com> wrote: [...] > So, there's a problem for OpenSSH build with spec'ing LD=/usr/bin/ld ? in this particular case, apparently yes. not generally, though. [...] > What's *intended* re: openssh? Support for LD=ld or only =gcc, or undef'd ? Well the intent is you should be able to set CC and LD to whatever you

Hi. Both GCC and clang are adding mitigations for Spectre variant 2 although neither have yet made a release and neither are on by default. After trolling through and building release candidate branches for both I believe this is what is required for the ssh programs (although all the dependent libraries will also need to be built with mitigations, and I suspect libcrypto is a more likely

hi On 6/7/18 4:03 PM, Darren Tucker wrote: > On 8 June 2018 at 07:09, PGNet Dev <pgnet.dev at gmail.com> wrote: >> Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline' > [...] >> Should the retpoline flag be getting added? If so, what's needed to make LD happy with it? > >

Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline' I've started looking through recent reports; haven't _yet_ found anything similar. While I continue, is any of the following familiar/expected? Either known bug/issue or env conflict? The current env includes supposedly retpoline-ready GCC 8.1.1,

On Thu, Jun 07, 2018 at 06:14:42PM -0700, PGNet Dev wrote: > On 6/7/18 6:08 PM, Darren Tucker wrote: > > Well the intent is you should be able to set CC and LD to whatever you > > want as long as they work. In this case, the OSSH_CHECK_LDFLAG_LINK > > test invokes autoconf's AC_LINK_IFELSE with uses CC not LD. I'm not > > sure what to do about it yet though. I

We recently discovered that our OpenSSH distribution binaries contain retpoline thunks. It's due to this OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc This was quite surprising because at least the GNU/Linux userspace has no provisions for retpolines. You also fail to enable -fno-plt, so you need

Below I've includes a patch which helps build OpenSSH outside from a read-only source tree, find OpenSSL on Mac OS X, and fix a typo. This applies to OpenSSH 2.1.1p4. You should already have gotten a note from Melissa O'Neil about a conflict with the crc32() symbol in zlib, which was causing a crash on Darwin. I've noticed another bug. If ssh is setuid, I get a permission

Known issues: 1) Linux 'sleep 20' -- Unfixable before 2.5.0 (known work around) 2) HP/UX signal issue -- Patched and HP/UX 11 works in v2 3) SCO 2/ Native Compiler -- Unfixable before 2.5.0 (known work around) 4) NeXTStep -- Resynced, MAX_GROUPS vs NGROUPS unresolved (not major) 5) DG/UX regcomp/regexec -- Fixed. 6) Cray signal issues -- ??? 7) Solaris '$PATH' issue -- ??

Hi Jack, > Is anyone building dragon-egg on darwin? Anton built it once. There were some problems with dynamic libraries: gcc's plugin support requires the use of dynamic libraries, and the configure logic it uses thinks that darwin does not support dynamic libraries! So it is possible that plugin support was automatically disabled because of this. Try configuring with

On Sat, Apr 10, 2010 at 01:52:18PM +0200, Duncan Sands wrote: > Hi Jack, > > > Is anyone building dragon-egg on darwin? > > Anton built it once. There were some problems with dynamic libraries: gcc's > plugin support requires the use of dynamic libraries, and the configure logic > it uses thinks that darwin does not support dynamic libraries! So it is >

https://bugzilla.mindrot.org/show_bug.cgi?id=2574 Bug ID: 2574 Summary: configure: line 5805: syntax error near unexpected token `-Qunused-arguments' Product: Portable OpenSSH Version: 7.2p1 Hardware: amd64 OS: Linux Status: NEW Severity: critical Priority: P5

https://bugzilla.mindrot.org/show_bug.cgi?id=3629 Bug ID: 3629 Summary: Building with Clang-17 fails due to -fzero-call-used-regs Product: Portable OpenSSH Version: 9.5p1 Hardware: amd64 OS: Mac OS X Status: NEW Severity: critical Priority: P5 Component: Build system

In opus-tools, the current PIE configure test assumes that the opus headers have been installed under the default header search path of the compiler. This isn't necessarily the case (/usr/local, /opt, ...). Straightforward fix: --- configure.ac.orig Thu Jun 12 02:11:24 2014 +++ configure.ac Wed Jan 27 16:50:22 2016 @@ -261,11 +261,11 @@ saved_CFLAGS="$CFLAGS"

Good evening, guys! I have built dragonegg.dll on cygwin and it works (it seems). I have not tried stage2 build yet. It would be applicable to also mingw32-gcc to enhance gcc/plugin.c. ...Takumi [Instructions] 1. Apply two patches. one is for gcc/config/i386/i386.c. --- a/gcc/configure +++ b/gcc/configure @@ -25621,6 +25621,9 @@ rm -f core conftest.err conftest.$ac_objext \ fi

these days many unix-based systems contain crypt() with more than DES support (for instance, MD5 in freebsd/openbsd/netbsd, bcrypt in openbsd/netbsd). we need to use crypt() in libcrypt, not in licrypto, as much as possible. itojun --- configure.ac.orig Tue Jun 25 10:56:47 2002 +++ configure.ac Tue Jun 25 10:57:25 2002 @@ -697,6 +702,9 @@ ) fi +# use libcrypt if there is

Greetings, In openssh 6.5p1, configure --with-ssl-dir=/usr/local/openssl failed for me because it could not find opensslv.h. This is because that section of the configure hardwires the /usr/local/ssl directory instead of using the --with-ssl-dir value. From configure.ac: .. LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${sa\ ved_LDFLAGS}"

One difference I notice is that in your failing example you are invoking /usr/bin/ld directly to link: /usr/bin/ld -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lutil -lz -lcrypt -lresolv whereas my example is

Hi All. First the questions: Is there anything objectionable in this patch? Is AUDIT_FAIL_AUTH appropriate for the "Reason" field? Now the details: attached is a patch that changes some of the #includes for AIX. It moves the AIX-specific includes to port-aix.h and adds includes that contain the prototypes for many of the authentication functions. The idea isto fix some warnings.

Is anyone building dragon-egg on darwin? I am trying to build against the fink gcc45 package that I have prepared for darwin and a updated fink llvm 2.7 package that is built as... ../llvm-2.7/configure --prefix=/sw --prefix=/sw/lib/llvm --mandir=/sw/share/man --infodir=/sw/share/info --with-gmp=/sw --with-libiconv-prefix=/usr --with-system-zlib --with-as=/Developer/usr/bin/as