1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
dnl Autoconf entry point: declare the package, the file that marks the
dnl source directory, and the language used by the compile and link probes.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
AC_REVISION($Revision: 1.583 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])

dnl Probe results are written to config.h as preprocessor macros.
AC_CONFIG_HEADER([config.h])
dnl Compiler search order: cc first, then gcc.
AC_PROG_CC([cc gcc])
AC_CANONICAL_HOST
AC_C_BIGENDIAN
25
# Checks for programs.
# Tools located with an absolute path are resolved through the PATH of
# whoever runs configure, so the recorded paths depend on that environment.
AC_PROG_AWK
AC_PROG_CPP
AC_PROG_RANLIB
AC_PROG_INSTALL
AC_PROG_EGREP
AC_PROG_MKDIR_P
AC_CHECK_TOOLS([AR], [ar])
AC_PATH_PROG([CAT], [cat])
AC_PATH_PROG([KILL], [kill])
AC_PATH_PROG([SED], [sed])
AC_PATH_PROG([ENT], [ent])
AC_SUBST([ENT])
# TEST_MINUS_S_SH: the first of bash, ksh and sh found on PATH; a later
# lookup does not replace a path that an earlier one already found.
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
AC_PATH_PROG([SH], [sh])
# Candidate manpage formatters; the choice between them is made below.
AC_PATH_PROG([GROFF], [groff])
AC_PATH_PROG([NROFF], [nroff awf])
AC_PATH_PROG([MANDOC], [mandoc])
AC_SUBST([TEST_SHELL], [sh])
47
dnl select manpage formatter to be used to build "cat" format pages.
dnl Preference order is mandoc, then nroff, then groff.  When none was
dnl found a warning is printed and MANFMT becomes the "false" command.
if test "x$MANDOC" != "x" ; then
	MANFMT="$MANDOC"
elif test "x$NROFF" != "x" ; then
	MANFMT="$NROFF -mandoc"
elif test "x$GROFF" != "x" ; then
	MANFMT="$GROFF -mandoc -Tascii"
else
	AC_MSG_WARN([no manpage formatter found])
	MANFMT="false"
fi
AC_SUBST([MANFMT])
60
dnl for buildpkg.sh
dnl groupadd and useradd are searched for in /usr/sbin and /etc only; when
dnl neither directory has the tool, the bare command name is substituted.
AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
dnl Startup scripts use /sbin/sh when it exists and is executable on the
dnl machine running configure, otherwise /bin/sh.
if test -x /sbin/sh; then
	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
else
	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
fi
72
# System features
AC_SYS_LARGEFILE

# AR was looked up earlier; stop here when no archiver was found.
if test -z "$AR" ; then
	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
fi
79
dnl Record the absolute path of passwd as _PATH_PASSWD_PROG in config.h.
dnl The path comes from the PATH in effect at configure time; when passwd is
dnl not found the macro is left undefined.
dnl NOTE(review): how the built programs use this path is not visible here.
AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
if test ! -z "$PATH_PASSWD_PROG" ; then
	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
		[Full path of your "passwd" program])
fi
85
dnl Since autoconf doesn't support it very well, we no longer allow users to
dnl override LD, however keeping the hook here for now in case there's a
dnl use case we overlooked and someone needs to re-enable it.  Unless a good
dnl reason is found we'll be removing this in future.
dnl Linking is always driven through the compiler: any LD value from the
dnl environment is overwritten here.
LD="$CC"
AC_SUBST([LD])
92
AC_C_INLINE

dnl Declaration probes.  Each one records its result either in a have_*
dnl shell variable or, for RLIMIT_NPROC, directly in config.h.
dnl NOTE(review): SYSTR_POLICY_KILL, RLIMIT_NPROC and PR_SET_NO_NEW_PRIVS
dnl look like inputs to a later sandbox selection; confirm where the
dnl have_* variables are consumed.
AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
	#include <sys/types.h>
	#include <sys/param.h>
	#include <dev/systrace.h>
])
AC_CHECK_DECL([RLIMIT_NPROC],
    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
	#include <sys/types.h>
	#include <sys/resource.h>
])
AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
	#include <sys/types.h>
	#include <linux/prctl.h>
])
111
dnl OpenSSL is used unless --without-openssl is given.  Only the exact value
dnl "no" turns it off; any other value leaves openssl=yes.  The help text
dnl marks the build without OpenSSL as experimental, with limited internal
dnl crypto only.
openssl=yes
AC_ARG_WITH([openssl],
	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
	[  if test "x$withval" = "xno" ; then
		openssl=no
	   fi
	]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
if test "x$openssl" = "xyes" ; then
	AC_MSG_RESULT([yes])
	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
else
	AC_MSG_RESULT([no])
fi
127
dnl Stack protection and toolchain hardening are both on by default.  Each
dnl is switched off only by the matching --without-* option; the two
dnl variables are read by the compiler flag probes that follow.
use_stack_protector=1
use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
    [  --without-stackprotect  Don't use compiler's stack protection], [
    if test "x$withval" = "xno"; then
	use_stack_protector=0
    fi ])
AC_ARG_WITH([hardening],
    [  --without-hardening     Don't use toolchain hardening flags], [
    if test "x$withval" = "xno"; then
	use_toolchain_hardening=0
    fi ])
140
# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.
# WERROR ends up as "-Werror" when the compiler accepts the flag and empty
# otherwise.  CFLAGS is restored afterwards, so the flag is not applied to
# the build by this probe.
AC_MSG_CHECKING([if $CC supports -Werror])
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
	[ AC_MSG_RESULT([yes])
	  WERROR="-Werror"],
	[ AC_MSG_RESULT([no])
	  WERROR="" ]
)
CFLAGS="$saved_CFLAGS"
153
# Compiler flag probing.  This whole section, hardening and stack protector
# included, runs only when autoconf reports a GCC-compatible compiler.
# NOTE(review): the OSSH_CHECK_* helpers are defined outside this file
# section; presumably each keeps its flag only when the probe succeeds.
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
	OSSH_CHECK_CFLAG_COMPILE([-pipe])
	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
	OSSH_CHECK_CFLAG_COMPILE([-Wall])
	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
    # Toolchain hardening, skipped entirely with --without-hardening:
    # retpoline code generation and PLT, _FORTIFY_SOURCE=2, read-only
    # relocations with immediate binding, a non-executable stack, and
    # trapping signed integer overflow.
    if test "x$use_toolchain_hardening" = "x1"; then
	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
	# NB. -ftrapv expects certain support functions to be present in
	# the compiler library (libgcc or similar) to detect integer operations
	# that can overflow. We must check that the result of enabling it
	# actually links. The test program compiled/linked includes a number
	# of integer operations that should exercise this.
	OSSH_CHECK_CFLAG_LINK([-ftrapv])
    fi
	# GCC 1.x and 2.x are flagged as lacking the nonnull attribute; the
	# version string is taken from the output of the compiler's -v option.
	AC_MSG_CHECKING([gcc version])
	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
	case $GCC_VER in
		1.*) no_attrib_nonnull=1 ;;
		2.8* | 2.9*)
		     no_attrib_nonnull=1
		     ;;
		2.*) no_attrib_nonnull=1 ;;
		*) ;;
	esac
	AC_MSG_RESULT([$GCC_VER])

	# -fno-builtin-memset stays in CFLAGS when the test program links and is
	# dropped again otherwise.
	# NOTE(review): presumably this keeps the compiler from eliding memset
	# calls; the reason is not stated here.
	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
	saved_CFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS -fno-builtin-memset"
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
		[ AC_MSG_RESULT([yes]) ],
		[ AC_MSG_RESULT([no])
		  CFLAGS="$saved_CFLAGS" ]
	)

	# -fstack-protector-all doesn't always work for some GCC versions
	# and/or platforms, so we test if we can.  If it's not supported
	# on a given platform gcc will emit a warning so we use -Werror.
	# The variants are tried in the order listed.  The first one whose
	# test program links and runs is kept; when cross compiling the run
	# step cannot be done and the first one that links is kept untested.
	if test "x$use_stack_protector" = "x1"; then
	    for t in -fstack-protector-strong -fstack-protector-all \
		    -fstack-protector; do
		AC_MSG_CHECKING([if $CC supports $t])
		saved_CFLAGS="$CFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		CFLAGS="$CFLAGS $t -Werror"
		LDFLAGS="$LDFLAGS $t -Werror"
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
			 ]],
			[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
			 ]])],
		    [ AC_MSG_RESULT([yes])
		      CFLAGS="$saved_CFLAGS $t"
		      LDFLAGS="$saved_LDFLAGS $t"
		      AC_MSG_CHECKING([if $t works])
		      AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
			]],
			[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
			]])],
			[ AC_MSG_RESULT([yes])
			  break ],
			[ AC_MSG_RESULT([no]) ],
			[ AC_MSG_WARN([cross compiling: cannot test])
			  break ]
		      )
		    ],
		    [ AC_MSG_RESULT([no]) ]
		)
		# Reached only when the variant was rejected: the break above
		# leaves the loop with the accepted flag still in CFLAGS and
		# LDFLAGS.  If every variant is rejected no protector is used.
		CFLAGS="$saved_CFLAGS"
		LDFLAGS="$saved_LDFLAGS"
	    done
	fi

	if test -z "$have_llong_max"; then
		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
		# -std=gnu99 stays in CFLAGS only when the retry succeeds.
		unset ac_cv_have_decl_LLONG_MAX
		saved_CFLAGS="$CFLAGS"
		CFLAGS="$CFLAGS -std=gnu99"
		AC_CHECK_DECL([LLONG_MAX],
		    [have_llong_max=1],
		    [CFLAGS="$saved_CFLAGS"],
		    [#include <limits.h>]
		)
	fi
fi
265
dnl Compile-only probe: NO_ATTRIBUTE_ON_RETURN_TYPE is defined when a
dnl function definition prefixed with __attribute__ fails to compile.
AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[
#include <stdlib.h>
__attribute__((__unused__)) static void foo(void){return;}]],
    [[ exit(0); ]])],
    [ AC_MSG_RESULT([yes]) ],
    [ AC_MSG_RESULT([no])
      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
	 [compiler does not accept __attribute__ on return types]) ]
)
277
dnl Compile-only probe: NO_ATTRIBUTE_ON_PROTOTYPE_ARGS is defined when a
dnl printf-style format attribute on a function typedef fails to compile.
AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[
#include <stdlib.h>
typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
    [[ exit(0); ]])],
    [ AC_MSG_RESULT([yes]) ],
    [ AC_MSG_RESULT([no])
      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
	 [compiler does not accept __attribute__ on prototype args]) ]
)
289
dnl The nonnull attribute is assumed to exist unless the GCC version check
dnl above set no_attrib_nonnull; no compile probe is done for it here.
if test "x$no_attrib_nonnull" != "x1" ; then
	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
fi
293
dnl --without-rpath clears rpath_opt, --with-rpath selects "-R", and any
dnl other value is taken verbatim as the linker option to use.  When the
dnl option is not given at all this handler leaves rpath_opt untouched.
dnl NOTE(review): rpath_opt is not initialised before this point, so a value
dnl inherited from the environment would pass through; confirm.
AC_ARG_WITH([rpath],
	[  --without-rpath         Disable auto-added -R linker paths],
	[
		if test "x$withval" = "xno" ; then
			rpath_opt=""
		elif test "x$withval" = "xyes" ; then
			rpath_opt="-R"
		else
			rpath_opt="$withval"
		fi
	]
)
306
# Allow user to specify flags
# For every option below the values "no", "yes" and the empty string are
# ignored.  --with-cflags, --with-cppflags, --with-ldflags and --with-libs
# are appended to the live variables right here, so they also apply to
# every probe that follows.  The -after variants are only stored in
# CFLAGS_AFTER and LDFLAGS_AFTER and do not influence the probes.
AC_ARG_WITH([cflags],
	[  --with-cflags           Specify additional flags to pass to compiler],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CFLAGS="$CFLAGS $withval"
		fi
	]
)

AC_ARG_WITH([cflags-after],
	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([cppflags],
	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CPPFLAGS="$CPPFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags],
	[  --with-ldflags          Specify additional flags to pass to linker],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LDFLAGS="$LDFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags-after],
	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LDFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([libs],
	[  --with-libs             Specify additional libraries to link with],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LIBS="$LIBS $withval"
		fi
	]
)
# --with-Werror alone records "-Werror"; any other value replaces it with
# the flags given.  werror_flags is only stored here.
# NOTE(review): presumably it is added to CFLAGS after the probes, since
# -Werror during probing would turn warnings into failed checks; confirm.
AC_ARG_WITH([Werror],
	[  --with-Werror           Build main code with -Werror],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"; then
			werror_flags="-Werror"
			if test "x${withval}" != "xyes"; then
				werror_flags="$withval"
			fi
		fi
	]
)
374
# Optional headers that need no prerequisite includes.  Each header that is
# found gets a HAVE_..._H macro in config.h; none of them is required.
AC_CHECK_HEADERS([ \
	blf.h \
	bstring.h \
	crypt.h \
	crypto/sha2.h \
	dirent.h \
	endian.h \
	elf.h \
	err.h \
	features.h \
	fcntl.h \
	floatingpoint.h \
	fnmatch.h \
	getopt.h \
	glob.h \
	ia.h \
	iaf.h \
	ifaddrs.h \
	inttypes.h \
	langinfo.h \
	limits.h \
	locale.h \
	login.h \
	maillock.h \
	ndir.h \
	net/if_tun.h \
	netdb.h \
	netgroup.h \
	pam/pam_appl.h \
	paths.h \
	poll.h \
	pty.h \
	readpassphrase.h \
	rpc/types.h \
	security/pam_appl.h \
	sha2.h \
	shadow.h \
	stddef.h \
	stdint.h \
	string.h \
	strings.h \
	sys/bitypes.h \
	sys/byteorder.h \
	sys/bsdtty.h \
	sys/cdefs.h \
	sys/dir.h \
	sys/file.h \
	sys/mman.h \
	sys/label.h \
	sys/ndir.h \
	sys/poll.h \
	sys/prctl.h \
	sys/pstat.h \
	sys/ptrace.h \
	sys/random.h \
	sys/select.h \
	sys/stat.h \
	sys/stream.h \
	sys/stropts.h \
	sys/strtio.h \
	sys/statvfs.h \
	sys/sysmacros.h \
	sys/time.h \
	sys/timers.h \
	sys/vfs.h \
	time.h \
	tmpdir.h \
	ttyent.h \
	ucred.h \
	unistd.h \
	usersec.h \
	util.h \
	utime.h \
	utmp.h \
	utmpx.h \
	vis.h \
	wchar.h \
])
453
# The checks below cover headers that only compile after other headers have
# been included; the last argument of each check supplies those includes.

# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
AC_CHECK_HEADERS([sys/audit.h], [], [], [
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_SYS_LABEL_H
# include <sys/label.h>
#endif
])

# sys/capsicum.h requires sys/types.h
AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
])

# net/route.h requires sys/socket.h and sys/types.h.
# sys/sysctl.h also requires sys/param.h
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <sys/param.h>
#include <sys/socket.h>
])

# lastlog.h requires sys/time.h to be included first on Solaris
AC_CHECK_HEADERS([lastlog.h], [], [], [
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
])

# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS([sys/ptms.h], [], [], [
#ifdef HAVE_SYS_STREAM_H
# include <sys/stream.h>
#endif
])

# login_cap.h requires sys/types.h on NetBSD
AC_CHECK_HEADERS([login_cap.h], [], [], [
#include <sys/types.h>
])

# older BSDs need sys/param.h before sys/mount.h
AC_CHECK_HEADERS([sys/mount.h], [], [], [
#include <sys/param.h>
])

# Android requires sys/socket.h to be included before sys/un.h
AC_CHECK_HEADERS([sys/un.h], [], [], [
#include <sys/types.h>
#include <sys/socket.h>
])
514
# Messages for features tested for in target-specific section
# All start as "no"; a platform branch sets one to "yes" when it enables
# the matching feature.
SIA_MSG="no"
SPC_MSG="no"
SP_MSG="no"
SPP_MSG="no"

# Support for Solaris/Illumos privileges (this test is used by both
# the --with-solaris-privs option and --with-sandbox=solaris).
SOLARIS_PRIVS="no"
524
525# Check for some target-specific stuff
526case "$host" in
*-*-aix*)
	# Some versions of VAC won't allow macro redefinitions at
	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
	# particularly with older versions of vac or xlc.
	# It also throws errors about null macro arguments, but these are
	# not fatal.
	# When the redefinition probe fails, -qlanglvl=ansi is stripped from
	# CC, CFLAGS and CPPFLAGS.
	AC_MSG_CHECKING([if compiler allows macro redefinitions])
	AC_COMPILE_IFELSE(
	    [AC_LANG_PROGRAM([[
#define testmacro foo
#define testmacro bar]],
	    [[ exit(0); ]])],
	    [ AC_MSG_RESULT([yes]) ],
	    [ AC_MSG_RESULT([no])
	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
	    ]
	)

	# Find the linker option that sets the library search path (blibpath).
	# blibpath defaults to /usr/lib:/lib and, like blibflags, is taken from
	# the environment when already set there.  The first candidate option
	# that links an empty program is remembered in blibflags; configure
	# stops when none works.  LDFLAGS itself is restored afterwards.
	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
	if (test -z "$blibpath"); then
		blibpath="/usr/lib:/lib"
	fi
	saved_LDFLAGS="$LDFLAGS"
	if test "$GCC" = "yes"; then
		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
	else
		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
	fi
	for tryflags in $flags ;do
		if (test -z "$blibflags"); then
			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
			[blibflags=$tryflags], [])
		fi
	done
	if (test -z "$blibflags"); then
		AC_MSG_RESULT([not found])
		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
	else
		AC_MSG_RESULT([$blibflags])
	fi
	LDFLAGS="$saved_LDFLAGS"
	dnl Check for authenticate.  Might be in libs.a on older AIXes
	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
		[Define if you want to enable AIX4's authenticate function])],
		[AC_CHECK_LIB([s], [authenticate],
			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
				LIBS="$LIBS -ls"
			])
		])
	dnl Check for various auth function declarations in headers.
	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
	    passwdexpired, setauthdb], , , [#include <usersec.h>])
	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
	AC_CHECK_DECLS([loginfailed],
	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
		[[ (void)loginfailed("user","host","tty",0); ]])],
		[AC_MSG_RESULT([yes])
		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
			[Define if your AIX loginfailed() function
			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
	    ])],
	    [],
	    [#include <usersec.h>]
	)
	AC_CHECK_FUNCS([getgrset setauthdb])
	AC_CHECK_DECL([F_CLOSEM],
	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
	    [],
	    [ #include <limits.h>
	      #include <fcntl.h> ]
	)
	# The getaddrinfo check itself is deferred to a later section.
	check_for_aix_broken_getaddrinfo=1
	# Fixed platform quirks, defined without probing.  The first three
	# describe how the uid and gid switching calls misbehave here.
	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
	    [Define if your platform breaks doing a seteuid before a setuid])
	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
	dnl AIX handles lastlog as part of its login message
	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
		[Some systems need a utmpx entry for /bin/login to work])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
		[Define to a Set Process Title type if your system is
		supported by bsd-setproctitle.c])
	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
	    [AIX 5.2 and 5.3 (and presumably newer) require this])
	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
	;;
*-*-android*)
	# Android: utmp and wtmp login records are switched off.
	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
	;;
*-*-cygwin*)
	# Cygwin: the libcrypt check is deferred, and a fixed object file path
	# is appended to LIBS without checking that the file exists.
	check_for_libcrypt_later=1
	LIBS="$LIBS /usr/lib/textreadmode.o"
	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
	# The next defines switch off the UID restoration test, shadow
	# passwords, AF_UNIX X11 sockets and post-auth descriptor passing.
	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
		[Define to disable UID restoration test])
	AC_DEFINE([DISABLE_SHADOW], [1],
		[Define if you want to disable shadow passwords])
	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
		[Define if X11 doesn't support AF_UNIX sockets on that system])
	AC_DEFINE([DISABLE_FD_PASSING], [1],
		[Define if your platform needs to skip post auth
		file descriptor passing])
	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
	# reasons which cause compile warnings, so we disable those warnings.
	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
	;;
*-*-dgux*)
	# DG/UX: IP TOS setting is marked broken, together with the same
	# uid and gid switching quirks that are set for AIX above.
	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
		[Define if your system choked on IP TOS setting])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	;;
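*-*-darwin*)
	# Darwin / macOS: position independent executables are left to the
	# later automatic check.
	use_pie=auto
	# Run-time probe keyed on the version of the System library.  main and
	# exit are declared properly so that compilers which reject implicit
	# int or implicit function declarations do not fail the probe and
	# report getaddrinfo as buggy for the wrong reason.  When cross
	# compiling, getaddrinfo is assumed to work.
	AC_MSG_CHECKING([if we have working getaddrinfo])
	AC_RUN_IFELSE([AC_LANG_SOURCE([[
#include <mach-o/dyld.h>
#include <stdlib.h>
int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
		exit(0);
	else
		exit(1);
}
			]])],
	[AC_MSG_RESULT([working])],
	[AC_MSG_RESULT([buggy])
	AC_DEFINE([BROKEN_GETADDRINFO], [1],
		[getaddrinfo is broken (if present)])
	],
	[AC_MSG_RESULT([assume it is working])])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
		[Define if your resolver libs need this for getrrsetbyname])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
	    [Use tunnel device compatibility to OpenBSD])
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	m4_pattern_allow([AU_IPv])
	# AU_IPv4 is looked up in bsm/audit.h and defined to 0 only when that
	# header does not declare it.  The fallback define and the include are
	# separate arguments here; without the comma between them the header
	# was never consulted, so the fallback value 0 was always defined.
	AC_CHECK_DECL([AU_IPv4], [],
	    [AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])],
	    [#include <bsm/audit.h>]
	)
	# Defined unconditionally, independent of the AU_IPv4 result.
	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
	    [Define if pututxline updates lastlog too])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
		[Define to a Set Process Title type if your system is
		supported by bsd-setproctitle.c])
	# Sandbox support: function, header and library are probed separately;
	# the library is added to the sshd link line only when it is found.
	AC_CHECK_FUNCS([sandbox_init])
	AC_CHECK_HEADERS([sandbox.h])
	AC_CHECK_LIB([sandbox], [sandbox_apply], [
	    SSHDLIBS="$SSHDLIBS -lsandbox"
	])
	# proc_pidinfo()-based closefrom() replacement.
	AC_CHECK_HEADERS([libproc.h])
	AC_CHECK_FUNCS([proc_pidinfo])
	;;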
*-*-dragonfly*)
	# DragonFly BSD: sshd links against libcrypt; TEST_MALLOC_OPTIONS is
	# only recorded here.
	SSHDLIBS="$SSHDLIBS -lcrypt"
	TEST_MALLOC_OPTIONS="AFGJPRX"
	;;
*-*-haiku*)
	# Haiku: BSD compatibility library and feature macro, sockets from
	# libnetwork, no utmpx.
	LIBS="$LIBS -lbsd "
	CFLAGS="$CFLAGS -D_BSD_SOURCE"
	AC_CHECK_LIB([network], [socket])
	AC_DEFINE([HAVE_U_INT64_T])
	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
	MANTYPE=man
	;;
*-*-hpux*)
	# first we define all of the options common to all HP-UX releases
	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
	IPADDR_IN_DISPLAY=yes
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([LOGIN_NEEDS_UTMPX])
	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
		[String used in /etc/passwd to denote locked account])
	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
	maildir="/var/mail"
	# -lsec is added without a probe; -lxnet is probed and mandatory.
	LIBS="$LIBS -lsec"
	AC_CHECK_LIB([xnet], [t_error], ,
	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])

	# next, we define all of the options specific to major releases
	case "$host" in
	*-*-hpux10*)
		if test -z "$GCC"; then
			CFLAGS="$CFLAGS -Ae"
		fi
		;;
	*-*-hpux11*)
		AC_DEFINE([PAM_SUN_CODEBASE], [1],
			[Define if you are using Solaris-derived PAM which
			passes pam_messages to the conversation function
			with an extra level of indirection])
		AC_DEFINE([DISABLE_UTMP], [1],
			[Define if you don't want to use utmp])
		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
		# Both checks are deferred to later sections.
		check_for_hpux_broken_getaddrinfo=1
		check_for_conflicting_getspnam=1
		;;
	esac

	# lastly, we define options specific to minor releases
	case "$host" in
	*-*-hpux10.26)
		AC_DEFINE([HAVE_SECUREWARE], [1],
			[Define if you have SecureWare-based
			protected password database])
		disable_ptmx_check=yes
		LIBS="$LIBS -lsecpw"
		;;
	esac
	;;
*-*-irix5*)
	# IRIX 5: /usr/etc is appended to PATH for the remaining program
	# lookups of this configure run.
	PATH="$PATH:/usr/etc"
	AC_DEFINE([BROKEN_INET_NTOA], [1],
		[Define if you system's inet_ntoa is busted
		(e.g. Irix gcc issue)])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
		[Define if you shouldn't strip 'tty' from your
		ttyname in [uw]tmp])
	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
	;;
*-*-irix6*)
	# IRIX 6: same PATH extension and quirks as IRIX 5, plus array,
	# project and audit support.  Kernel job support is enabled only when
	# jlimit_startjob is found.
	PATH="$PATH:/usr/etc"
	AC_DEFINE([WITH_IRIX_ARRAY], [1],
		[Define if you have/want arrays
		(cluster-wide session management, not C arrays)])
	AC_DEFINE([WITH_IRIX_PROJECT], [1],
		[Define if you want IRIX project management])
	AC_DEFINE([WITH_IRIX_AUDIT], [1],
		[Define if you want IRIX audit trails])
	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
		[Define if you want IRIX kernel jobs])])
	AC_DEFINE([BROKEN_INET_NTOA])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
	AC_DEFINE([WITH_ABBREV_NO_TTY])
	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
	;;
*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
	# GNU userland on a BSD or OpenSolaris kernel: locked accounts carry a
	# "!" prefix and failed logins are logged to /var/log/btmp.
	check_for_libcrypt_later=1
	AC_DEFINE([PAM_TTY_KLUDGE])
	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
	;;
*-*-linux*)
	# Linux: several checks are deferred to later sections through the
	# shell flags set here, and position independent executables are left
	# to the later automatic check.
	no_dev_ptmx=1
	use_pie=auto
	check_for_libcrypt_later=1
	check_for_openpty_ctty_bug=1
	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
	AC_DEFINE([PAM_TTY_KLUDGE], [1],
		[Work around problematic Linux PAM modules handling of PAM_TTY])
	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
		[String used in /etc/passwd to denote locked account])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
		[Define to whatever link() returns for "not supported"
		if it doesn't return EOPNOTSUPP.])
	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
	AC_DEFINE([USE_BTMP])
	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
	inet6_default_4in6=yes
	# This reads the kernel release of the machine running configure,
	# which is not necessarily the machine the binaries will run on.
	case `uname -r` in
	1.*|2.0.*)
		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
			[Define if cmsg_type is not passed correctly])
		;;
	esac
	# tun(4) forwarding compat code
	AC_CHECK_HEADERS([linux/if_tun.h])
	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
		AC_DEFINE([SSH_TUN_LINUX], [1],
		    [Open tunnel devices the Linux tun/tap way])
		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
		    [Use tunnel device compatibility to OpenBSD])
		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
		    [Prepend the address family to IP tunnel traffic])
	fi
	AC_CHECK_HEADER([linux/if.h],
	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
		[Support routing domains using Linux VRF]), [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
	    ])
	# Headers for seccomp filtering; only their presence is recorded here.
	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
	    [], [#include <linux/types.h>])
	# Obtain MIPS ABI
	# The three compile probes compare _MIPS_SIM with the o32, n32 and n64
	# constants in turn; configure stops when none of them matches.
	case "$host" in
	mips*)
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#if _MIPS_SIM != _ABIO32
#error
#endif
			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#if _MIPS_SIM != _ABIN32
#error
#endif
				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#if _MIPS_SIM != _ABI64
#error
#endif
					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
				])
			])
		])
		;;
	esac
	# Map the host triplet to the audit architecture constant recorded as
	# SECCOMP_AUDIT_ARCH.  Hosts not listed, and mips64 or mips64el builds
	# using the o32 ABI, leave the variable empty and the macro undefined.
	# NOTE(review): presumably the seccomp filter sandbox cannot be used
	# without SECCOMP_AUDIT_ARCH; confirm where the macro is consumed.
	AC_MSG_CHECKING([for seccomp architecture])
	seccomp_audit_arch=
	case "$host" in
	x86_64-*)
		seccomp_audit_arch=AUDIT_ARCH_X86_64
		;;
	i*86-*)
		seccomp_audit_arch=AUDIT_ARCH_I386
		;;
	arm*-*)
		seccomp_audit_arch=AUDIT_ARCH_ARM
		;;
	aarch64*-*)
		seccomp_audit_arch=AUDIT_ARCH_AARCH64
		;;
	s390x-*)
		seccomp_audit_arch=AUDIT_ARCH_S390X
		;;
	s390-*)
		seccomp_audit_arch=AUDIT_ARCH_S390
		;;
	powerpc64-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64
		;;
	powerpc64le-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
		;;
	mips-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPS
		;;
	mipsel-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
		;;
	mips64-*)
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64
			;;
		esac
		;;
	mips64el-*)
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
			;;
		esac
		;;
	esac
	if test "x$seccomp_audit_arch" != "x" ; then
		AC_MSG_RESULT(["$seccomp_audit_arch"])
		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
		    [Specify the system call convention in use])
	else
		AC_MSG_RESULT([architecture not supported])
	fi
	;;
mips-sony-bsd|mips-sony-newsos4)
	# Sony NEWS: setpgrp is needed to get a controlling tty; SONY is only
	# recorded as a shell flag here.
	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
	SONY=1
	;;
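*-*-netbsd*)
	check_for_libcrypt_before=1
	# Use -R run-time library paths unless --without-rpath was given.
	# The test reads with_rpath, which belongs to that option alone.
	# withval is shared by every --with-* handler and holds the value of
	# whichever option was processed last, so testing it here let an
	# unrelated option switch the run-time library path on or off.
	if test "x$with_rpath" != "xno" ; then
		rpath_opt="-R"
	fi
	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	# Layer 2 tunnels are disabled when net/if_tap.h is missing.
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	TEST_MALLOC_OPTIONS="AJRX"
	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
	;;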
*-*-freebsd*)
	# FreeBSD: the libcrypt check is deferred; locked accounts carry the
	# "*LOCKED*" prefix.
	check_for_libcrypt_later=1
	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	# Layer 2 tunnels are disabled when net/if_tap.h is missing.
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
	TEST_MALLOC_OPTIONS="AJRX"
	# Preauth crypto occasionally uses file descriptors for crypto offload
	# and will crash if they cannot be opened.
	# The define below therefore asks the sandbox to skip its
	# RLIMIT_NOFILE limit on this platform.
	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
	    [define if setrlimit RLIMIT_NOFILE breaks things])
	;;
*-*-bsdi*)
	# BSD/OS: same uid and gid switching quirks that are set for AIX above.
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	;;
*-next-*)
	# NeXT: fixed locations for lastlog, utmp, wtmp and the mail spool
	# instead of detected ones, and saved uids are marked broken.
	conf_lastlog_location="/usr/adm/lastlog"
	conf_utmp_location=/etc/utmp
	conf_wtmp_location=/usr/adm/wtmp
	maildir=/usr/spool/mail
	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
	;;
*-*-openbsd*)
	# OpenBSD: the sentinel and bounded attributes and a signal-safe
	# syslog_r are asserted without probing; position independent
	# executables are left to the later automatic check.
	use_pie=auto
	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
	    [syslog_r function is safe to use in in a signal handler])
	TEST_MALLOC_OPTIONS="AFGJPRX"
	;;
979*-*-solaris*)
980	if test "x$withval" != "xno" ; then
981		rpath_opt="-R"
982	fi
983	AC_DEFINE([PAM_SUN_CODEBASE])
984	AC_DEFINE([LOGIN_NEEDS_UTMPX])
985	AC_DEFINE([PAM_TTY_KLUDGE])
986	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
987		[Define if pam_chauthtok wants real uid set
988		to the unpriv'ed user])
989	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
990	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
991	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
992		[Define if sshd somehow reacquires a controlling TTY
993		after setsid()])
994	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
995		in case the name is longer than 8 chars])
996	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
997	external_path_file=/etc/default/login
998	# hardwire lastlog location (can't detect it on some versions)
999	conf_lastlog_location="/var/adm/lastlog"
1000	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1001	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1002	if test "$sol2ver" -ge 8; then
1003		AC_MSG_RESULT([yes])
1004		AC_DEFINE([DISABLE_UTMP])
1005		AC_DEFINE([DISABLE_WTMP], [1],
1006			[Define if you don't want to use wtmp])
1007	else
1008		AC_MSG_RESULT([no])
1009	fi
1010	AC_CHECK_FUNCS([setpflags])
1011	AC_CHECK_FUNCS([setppriv])
1012	AC_CHECK_FUNCS([priv_basicset])
1013	AC_CHECK_HEADERS([priv.h])
1014	AC_ARG_WITH([solaris-contracts],
1015		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1016		[
1017		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1018			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1019				[Define if you have Solaris process contracts])
1020			  LIBS="$LIBS -lcontract"
1021			  SPC_MSG="yes" ], )
1022		],
1023	)
1024	AC_ARG_WITH([solaris-projects],
1025		[  --with-solaris-projects Enable Solaris projects (experimental)],
1026		[
1027		AC_CHECK_LIB([project], [setproject],
1028			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1029				[Define if you have Solaris projects])
1030			LIBS="$LIBS -lproject"
1031			SP_MSG="yes" ], )
1032		],
1033	)
1034	AC_ARG_WITH([solaris-privs],
1035		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1036		[
1037		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1038		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1039			"x$ac_cv_header_priv_h" = "xyes" ; then
1040			SOLARIS_PRIVS=yes
1041			AC_MSG_RESULT([found])
1042			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1043				[Define to disable UID restoration test])
1044			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1045				[Define if you have Solaris privileges])
1046			SPP_MSG="yes"
1047		else
1048			AC_MSG_RESULT([not found])
1049			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1050		fi
1051		],
1052	)
1053	TEST_SHELL=$SHELL	# let configure find us a capable shell
1054	;;
1055*-*-sunos4*)
1056	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1057	AC_CHECK_FUNCS([getpwanam])
1058	AC_DEFINE([PAM_SUN_CODEBASE])
1059	conf_utmp_location=/etc/utmp
1060	conf_wtmp_location=/var/adm/wtmp
1061	conf_lastlog_location=/var/adm/lastlog
1062	AC_DEFINE([USE_PIPES])
1063	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1064	;;
1065*-ncr-sysv*)
1066	LIBS="$LIBS -lc89"
1067	AC_DEFINE([USE_PIPES])
1068	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1069	AC_DEFINE([SETEUID_BREAKS_SETUID])
1070	AC_DEFINE([BROKEN_SETREUID])
1071	AC_DEFINE([BROKEN_SETREGID])
1072	;;
1073*-sni-sysv*)
1074	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1075	AC_CHECK_LIB([dl], [dlsym], ,)
1076	# -lresolv needs to be at the end of LIBS or DNS lookups break
1077	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1078	IPADDR_IN_DISPLAY=yes
1079	AC_DEFINE([USE_PIPES])
1080	AC_DEFINE([IP_TOS_IS_BROKEN])
1081	AC_DEFINE([SETEUID_BREAKS_SETUID])
1082	AC_DEFINE([BROKEN_SETREUID])
1083	AC_DEFINE([BROKEN_SETREGID])
1084	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1085	external_path_file=/etc/default/login
1086	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1087	# Attention: always take care to bind libsocket and libnsl before libc,
1088	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1089	;;
1090# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1091*-*-sysv4.2*)
1092	AC_DEFINE([USE_PIPES])
1093	AC_DEFINE([SETEUID_BREAKS_SETUID])
1094	AC_DEFINE([BROKEN_SETREUID])
1095	AC_DEFINE([BROKEN_SETREGID])
1096	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1097	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1098	TEST_SHELL=$SHELL	# let configure find us a capable shell
1099	;;
1100# UnixWare 7.x, OpenUNIX 8
1101*-*-sysv5*)
1102	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1103	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1104	AC_DEFINE([USE_PIPES])
1105	AC_DEFINE([SETEUID_BREAKS_SETUID])
1106	AC_DEFINE([BROKEN_GETADDRINFO])
1107	AC_DEFINE([BROKEN_SETREUID])
1108	AC_DEFINE([BROKEN_SETREGID])
1109	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1110	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1111	TEST_SHELL=$SHELL	# let configure find us a capable shell
1112	check_for_libcrypt_later=1
1113	case "$host" in
1114	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1115		maildir=/var/spool/mail
1116		AC_DEFINE([BROKEN_UPDWTMPX])
1117		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1118			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1119			], , )
1120		;;
1121	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1122		;;
1123	esac
1124	;;
1125*-*-sysv*)
1126	;;
1127# SCO UNIX and OEM versions of SCO UNIX
1128*-*-sco3.2v4*)
1129	AC_MSG_ERROR("This Platform is no longer supported.")
1130	;;
1131# SCO OpenServer 5.x
1132*-*-sco3.2v5*)
1133	if test -z "$GCC"; then
1134		CFLAGS="$CFLAGS -belf"
1135	fi
1136	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1137	no_dev_ptmx=1
1138	AC_DEFINE([USE_PIPES])
1139	AC_DEFINE([HAVE_SECUREWARE])
1140	AC_DEFINE([DISABLE_SHADOW])
1141	AC_DEFINE([DISABLE_FD_PASSING])
1142	AC_DEFINE([SETEUID_BREAKS_SETUID])
1143	AC_DEFINE([BROKEN_GETADDRINFO])
1144	AC_DEFINE([BROKEN_SETREUID])
1145	AC_DEFINE([BROKEN_SETREGID])
1146	AC_DEFINE([WITH_ABBREV_NO_TTY])
1147	AC_DEFINE([BROKEN_UPDWTMPX])
1148	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1149	AC_CHECK_FUNCS([getluid setluid])
1150	MANTYPE=man
1151	TEST_SHELL=$SHELL	# let configure find us a capable shell
1152	SKIP_DISABLE_LASTLOG_DEFINE=yes
1153	;;
1154*-dec-osf*)
1155	AC_MSG_CHECKING([for Digital Unix SIA])
1156	no_osfsia=""
1157	AC_ARG_WITH([osfsia],
1158		[  --with-osfsia           Enable Digital Unix SIA],
1159		[
1160			if test "x$withval" = "xno" ; then
1161				AC_MSG_RESULT([disabled])
1162				no_osfsia=1
1163			fi
1164		],
1165	)
1166	if test -z "$no_osfsia" ; then
1167		if test -f /etc/sia/matrix.conf; then
1168			AC_MSG_RESULT([yes])
1169			AC_DEFINE([HAVE_OSF_SIA], [1],
1170				[Define if you have Digital Unix Security
1171				Integration Architecture])
1172			AC_DEFINE([DISABLE_LOGIN], [1],
1173				[Define if you don't want to use your
1174				system's login() call])
1175			AC_DEFINE([DISABLE_FD_PASSING])
1176			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1177			SIA_MSG="yes"
1178		else
1179			AC_MSG_RESULT([no])
1180			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1181			  [String used in /etc/passwd to denote locked account])
1182		fi
1183	fi
1184	AC_DEFINE([BROKEN_GETADDRINFO])
1185	AC_DEFINE([SETEUID_BREAKS_SETUID])
1186	AC_DEFINE([BROKEN_SETREUID])
1187	AC_DEFINE([BROKEN_SETREGID])
1188	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1189	;;
1190
1191*-*-nto-qnx*)
1192	AC_DEFINE([USE_PIPES])
1193	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1194	AC_DEFINE([DISABLE_LASTLOG])
1195	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1196	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1197	enable_etc_default_login=no	# has incompatible /etc/default/login
1198	case "$host" in
1199	*-*-nto-qnx6*)
1200		AC_DEFINE([DISABLE_FD_PASSING])
1201		;;
1202	esac
1203	;;
1204
1205*-*-ultrix*)
1206	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1207	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1208	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1209	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1210	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1211	# don't get a controlling tty.
1212	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1213	# On Ultrix some headers are not protected against multiple includes,
1214	# so we create wrappers and put it where the compiler will find it.
1215	AC_MSG_WARN([creating compat wrappers for headers])
1216	mkdir -p netinet
1217	for header in netinet/ip.h netdb.h resolv.h; do
1218		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1219		cat >$header <<EOD
1220#ifndef _SSH_COMPAT_${name}
1221#define _SSH_COMPAT_${name}
1222#include "/usr/include/${header}"
1223#endif
1224EOD
1225	done
1226	;;
1227
1228*-*-lynxos)
1229	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1230	AC_DEFINE([BROKEN_SETVBUF], [1],
1231	    [LynxOS has broken setvbuf() implementation])
1232	;;
1233esac
1234
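# Sanity-check the toolchain: compile, link and run a trivial program with
# the compiler and flags selected so far. <stdlib.h> is included so that
# exit() is declared; a compiler that rejects implicit function declarations
# would otherwise fail this probe for a reason unrelated to the toolchain.
AC_MSG_CHECKING([compiler and flags for sanity])
AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
	]], [[ exit(0); ]])],
	[	AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
	],
	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)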
1244
1245dnl Checks for header files.
1246# Checks for libraries.
dnl setsockopt() is looked for without extra libraries first; otherwise
dnl libsocket is probed and the default AC_CHECK_LIB action adds -lsocket.
AC_CHECK_FUNC([setsockopt], [],
	[AC_CHECK_LIB([socket], [setsockopt])])
1248
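dnl IRIX and Solaris 2.5.1 have dirname() in libgen.
dnl When dirname() is not found without extra libraries, the libgen copy is
dnl adopted only after a run test shows dirname("/etc") yields "/". A failing
dnl run marks it broken and -lgen is not added. When cross compiling the test
dnl cannot run and the function is assumed to work.
AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
	AC_CHECK_LIB([gen], [dirname], [
		AC_CACHE_CHECK([for broken dirname],
			ac_cv_have_broken_dirname, [
			save_LIBS="$LIBS"
			LIBS="$LIBS -lgen"
			AC_RUN_IFELSE(
				[AC_LANG_SOURCE([[
#include <libgen.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char *s, buf[32];

    strncpy(buf,"/etc", 32);
    s = dirname(buf);
    if (!s || strncmp(s, "/", 32) != 0) {
	exit(1);
    } else {
	exit(0);
    }
}
				]])],
				[ ac_cv_have_broken_dirname="no" ],
				[ ac_cv_have_broken_dirname="yes" ],
				[ ac_cv_have_broken_dirname="no" ],
			)
			dnl LIBS is restored here; -lgen is only kept by the test below.
			LIBS="$save_LIBS"
		])
		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
			LIBS="$LIBS -lgen"
			AC_DEFINE([HAVE_DIRNAME])
			AC_CHECK_HEADERS([libgen.h])
		fi
	])
])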
1286
dnl getspnam() may live in libgen; -lgen is appended only when the function
dnl is not found without it.
AC_CHECK_FUNC([getspnam], [],
	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
dnl basename() is searched without extra libraries first, then in libgen.
AC_SEARCH_LIBS([basename], [gen],
	[AC_DEFINE([HAVE_BASENAME], [1],
		[Define if you have the basename function.])])
1291
dnl zlib defaults to enabled
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[ case "x$withval" in
	  xno)
		zlib=no
		;;
	  xyes)
		;;
	  *)
		# PATH is either an install prefix holding lib and include
		# subdirectories, or a flat directory holding both.
		zlib_libdir="$withval"
		if test -d "$withval/lib"; then
			zlib_libdir="$withval/lib"
		fi
		zlib_incdir="$withval"
		if test -d "$withval/include"; then
			zlib_incdir="$withval/include"
		fi
		# Both flags are prepended, so this copy is found before any
		# system zlib. When rpath_opt is set the directory is also
		# recorded as a run-time library search path in the binaries,
		# so it should be writable only by trusted accounts.
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L${zlib_libdir} ${rpath_opt}${zlib_libdir} ${LDFLAGS}"
		else
			LDFLAGS="-L${zlib_libdir} ${LDFLAGS}"
		fi
		CPPFLAGS="-I${zlib_incdir} ${CPPFLAGS}"
		;;
	  esac ]
)
1319
dnl Locate zlib (header plus a linkable deflate) and then run a small
dnl program that parses ZLIB_VERSION. Anything other than 1.1.4 and later
dnl in the 1.1 series, or 1.2.3 and up, is treated as possibly buggy and
dnl aborts configure unless --without-zlib-version-check was given.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" != "xno"; then
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
	AC_CHECK_HEADER([zlib.h], ,
		[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
	AC_CHECK_LIB([z], [deflate], ,
		[
			dnl Not found on the default search path: retry under /usr/local.
			saved_CPPFLAGS="$CPPFLAGS"
			saved_LDFLAGS="$LDFLAGS"
			save_LIBS="$LIBS"
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
			else
				LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
			fi
			CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
			LIBS="$LIBS -lz"
			AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
				[
					AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
				]
			)
		]
	)

	AC_ARG_WITH([zlib-version-check],
		[  --without-zlib-version-check Disable zlib version check],
		[
			case "x$withval" in
			xno)	zlib_check_nonfatal=1 ;;
			esac
		]
	)

	AC_MSG_CHECKING([for possibly buggy zlib])
	AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	/* an unparseable version string counts as a failed check */
	if (n != 3 && n != 4)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	exit(2);
	]])],
	[ AC_MSG_RESULT([no]) ],
	[ AC_MSG_RESULT([yes])
	  if test -n "$zlib_check_nonfatal" ; then
		# The check was disabled on request: the build continues with
		# a zlib this probe could not vouch for.
		AC_MSG_WARN([zlib version may have security problems])
	  else
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  fi
	],
	[ AC_MSG_WARN([cross compiling: not checking zlib version]) ]
	)
else
	AC_MSG_RESULT([no])
fi
1397
dnl UnixWare 2.x: fall back to libresolv for strcasecmp() and to libc89 for
dnl utimes() when they are not found without extra libraries.
AC_CHECK_FUNC([strcasecmp], [],
	[AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"])])
AC_CHECK_FUNCS([utimes], [],
	[AC_CHECK_LIB([c89], [utimes],
		[AC_DEFINE([HAVE_UTIMES])
		 LIBS="$LIBS -lc89"])])

dnl    Checks for libutil functions
dnl Each symbol is searched without extra libraries first, then in libutil
dnl and libbsd. The final function check records which ones are usable.
AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
AC_SEARCH_LIBS([fmt_scaled], [util bsd])
AC_SEARCH_LIBS([scan_scaled], [util bsd])
AC_SEARCH_LIBS([login], [util bsd])
AC_SEARCH_LIBS([logout], [util bsd])
AC_SEARCH_LIBS([logwtmp], [util bsd])
AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])

# On some platforms, inet_ntop and gethostbyname may be found in libresolv
# or libnsl.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1422
# "Particular Function Checks"
# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
AC_FUNC_STRFTIME
AC_FUNC_MALLOC
AC_FUNC_REALLOC
# autoconf has no AC_FUNC_CALLOC, so calloc(0, N) is probed by hand. When the
# probe cannot run (cross compiling) the cached answer for malloc is reused.
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
	)],
	[ func_calloc_0_nonnull=yes ],
	[ func_calloc_0_nonnull=no ],
	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
)
AC_MSG_RESULT([$func_calloc_0_nonnull])

# Anything other than an explicit yes redirects calloc to rpl_calloc.
case "x$func_calloc_0_nonnull" in
xyes)
	AC_DEFINE([HAVE_CALLOC], [1], [calloc(0, x) returns non-null])
	;;
*)
	AC_DEFINE([HAVE_CALLOC], [0], [calloc(0, x) returns NULL])
	AC_DEFINE([calloc], [rpl_calloc],
	    [Define to rpl_calloc if the replacement function should be used.])
	;;
esac
1449
# Check for ALTDIRFUNC glob() extension
# The preprocessor output is searched for the marker, which only survives
# when <glob.h> defines GLOB_ALTDIRFUNC.
AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
AC_EGREP_CPP([FOUNDIT],
	[
		#include <glob.h>
		#ifdef GLOB_ALTDIRFUNC
		FOUNDIT
		#endif
	],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
			[Define if your system glob() function has
			the GLOB_ALTDIRFUNC extension])
	],
	[
		AC_MSG_RESULT([no])
	]
)

# Check for g.gl_matchc glob() extension
# Compile-only probe: succeeds when glob_t has a gl_matchc member.
AC_MSG_CHECKING([for gl_matchc field in glob_t])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[ #include <glob.h> ]],
		[[ glob_t g; g.gl_matchc = 1; ]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
			[Define if your system glob() function has
			gl_matchc options in glob_t])
	],
	[
		AC_MSG_RESULT([no])
	]
)

# Check for g.gl_statv glob() extension
# Compile-only probe: needs both the GLOB_KEEPSTAT flag and a gl_statv member.
AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
#ifndef GLOB_KEEPSTAT
#error "glob does not support GLOB_KEEPSTAT extension"
#endif
glob_t g;
g.gl_statv = NULL;
]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
			[Define if your system glob() function has
			gl_statv options in glob_t])
	],
	[
		AC_MSG_RESULT([no])
	]
)

AC_CHECK_DECLS([GLOB_NOMATCH], [], [], [#include <glob.h>])

dnl A vis.h without VIS_ALL marks strnvis as broken.
AC_CHECK_DECL([VIS_ALL], [],
    [AC_DEFINE([BROKEN_STRNVIS], [1], [missing VIS_ALL])], [#include <vis.h>])
1506
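dnl Run test: exits 0 when d_name in struct dirent is larger than one char.
dnl A non-zero exit, or a cross build where the test cannot run, defines
dnl BROKEN_ONE_BYTE_DIRENT_D_NAME. <stdlib.h> is included so exit() is
dnl declared; without it a compiler that rejects implicit declarations fails
dnl the probe and the struct is reported as broken regardless of its layout.
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <dirent.h>
#include <stdlib.h>
	]],
	[[
	struct dirent d;
	exit(sizeof(d.d_name)<=sizeof(char));
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
			[Define if your struct dirent expects you to
			allocate extra space for d_name])
	],
	[
		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
	]
)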
1528
dnl Tests for a per-process fd directory under /proc on the machine running
dnl configure, using the pid of the configure shell itself.
dnl NOTE(review): in a cross build this reflects the build host rather than
dnl the target - confirm that is acceptable.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test -d "/proc/$$/fd" ; then
	AC_MSG_RESULT([yes])
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
else
	AC_MSG_RESULT([no])
fi
1536
# Check whether user wants to use ldns
# With a bare --with-ldns the flags come from ldns-config when that tool is
# found, otherwise -lldns is assumed. With a PATH argument the include and
# lib subdirectories of PATH are added. Either way a link test must pass.
LDNS_MSG="no"
AC_ARG_WITH([ldns],
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	case "x$withval" in
	xyes)
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" != "xno"; then
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
		else
			LIBS="-lldns $LIBS"
		fi
		ldns=yes
		;;
	xno)
		;;
	*)
		CPPFLAGS="$CPPFLAGS -I${withval}/include"
		LDFLAGS="$LDFLAGS -L${withval}/lib"
		LIBS="-lldns $LIBS"
		ldns=yes
		;;
	esac

	# Verify that it works.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE([HAVE_LDNS], [1], [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
			]])
		],
			[AC_MSG_RESULT([yes])],
			[
				AC_MSG_RESULT([no])
				AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
			])
	fi
])
1583
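# Check whether user wants libedit support
# With a bare --with-libedit, pkg-config is asked for the flags when it knows
# the package; otherwise -ledit -lcurses is assumed. With a PATH argument the
# include and lib subdirectories of PATH are used, and when rpath_opt is set
# PATH/lib is also recorded as a run-time library search path.
LIBEDIT_MSG="no"
AC_ARG_WITH([libedit],
	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
			if test "x$PKGCONFIG" != "xno"; then
				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
				if "$PKGCONFIG" libedit; then
					AC_MSG_RESULT([yes])
					use_pkgconfig_for_libedit=yes
				else
					AC_MSG_RESULT([no])
				fi
			fi
		else
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		fi
		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
			LIBEDIT=`$PKGCONFIG --libs libedit`
			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
		else
			LIBEDIT="-ledit -lcurses"
		fi
		# Everything except -ledit is handed to the link test as extra libs.
		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
		AC_CHECK_LIB([edit], [el_init],
			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
			  LIBEDIT_MSG="yes"
			  AC_SUBST([LIBEDIT])
			],
			[ AC_MSG_ERROR([libedit not found]) ],
			[ $OTHERLIBS ]
		)
		# Compile-only compatibility probe. stdlib.h is included so that
		# exit is declared; otherwise a compiler that rejects implicit
		# declarations reports a usable libedit as incompatible.
		AC_MSG_CHECKING([if libedit version is compatible])
		AC_COMPILE_IFELSE(
		    [AC_LANG_PROGRAM([[
#include <histedit.h>
#include <stdlib.h>
		    ]],
		    [[
	int i = H_SETSIZE;
	el_init("", NULL, NULL, NULL);
	exit(0);
		    ]])],
		    [ AC_MSG_RESULT([yes]) ],
		    [ AC_MSG_RESULT([no])
		      AC_MSG_ERROR([libedit version is not compatible]) ]
		)
	fi ]
)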
1637
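dnl Audit back end selection. AUDIT_MODULE stays none unless --with-audit
dnl names one of the supported modules; an unknown name aborts configure.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		dnl    The header, the library and getaudit are all mandatory.
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is only assigned in the Solaris host case. Elsewhere it
		# is empty, so guard the numeric comparison instead of handing
		# test an empty operand.
		if test -n "$sol2ver" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		# NOTE(review): a missing libaudit.h is not fatal here and -laudit
		# is added without a link test, so a misconfigured host is only
		# noticed at build time. Consider failing configure instead.
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)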
1690
dnl Position independent executables. use_pie starts as whatever the host
dnl case statement chose, can be forced on or off with --with-pie, and the
dnl value auto is honoured only when toolchain hardening is enabled and the
dnl compiler identifies itself as gcc 4 or later.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible], [
	case "x$withval" in
	xno)	use_pie=no ;;
	xyes)	use_pie=yes ;;
	esac
    ]
)
if test -z "$use_pie"; then
	use_pie=no
fi
if test "x$use_pie" = "xauto" && test "x$use_toolchain_hardening" != "x1"; then
	# Turn off automatic PIE when toolchain hardening is off.
	use_pie=no
fi
if test "x$use_pie" = "xauto"; then
	# Automatic PIE requires gcc >= 4.x
	AC_MSG_CHECKING([for gcc >= 4.x])
	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  use_pie=no ]
)
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	# The grep below relies on these two probes having added the flag to
	# CFLAGS and LDFLAGS respectively when it was accepted.
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# We use both -fPIE and -pie or neither.
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
		AC_MSG_RESULT([yes])
	else
		# Only one half was accepted: roll both variables back, so the
		# binaries are built without PIE.
		AC_MSG_RESULT([no])
		LDFLAGS="$SAVED_LDFLAGS"
		CFLAGS="$SAVED_CFLAGS"
	fi
fi
1737
dnl Record in PICFLAG whether the compiler accepts -fPIC. CFLAGS carries the
dnl flag only for the duration of the compile probe.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
PICFLAG=""
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
	[
		AC_MSG_RESULT([yes])
		PICFLAG="-fPIC"
	],
	[
		AC_MSG_RESULT([no])
	]
)
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1749
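dnl    Checks for library functions. Please keep in alphabetical order
dnl Each function that links gets its HAVE_ symbol defined. The list includes
dnl memory-scrubbing, constant-time-compare, randomness and sandboxing
dnl primitives (explicit_bzero, freezero, memset_s, timingsafe_bcmp,
dnl getrandom, pledge, cap_rights_limit); presumably the tree falls back to
dnl compat code when one is missing - confirm before dropping an entry.
dnl Every entry has a space before its trailing backslash so the name is
dnl never fused with the continuation character (setpassent lacked it).
AC_CHECK_FUNCS([ \
	Blowfish_initstate \
	Blowfish_expandstate \
	Blowfish_expand0state \
	Blowfish_stream2word \
	SHA256Update \
	SHA384Update \
	SHA512Update \
	asprintf \
	b64_ntop \
	__b64_ntop \
	b64_pton \
	__b64_pton \
	bcopy \
	bcrypt_pbkdf \
	bindresvport_sa \
	blf_enc \
	bzero \
	cap_rights_limit \
	clock \
	closefrom \
	dirfd \
	endgrent \
	err \
	errx \
	explicit_bzero \
	fchmod \
	fchmodat \
	fchown \
	fchownat \
	flock \
	fnmatch \
	freeaddrinfo \
	freezero \
	fstatfs \
	fstatvfs \
	futimes \
	getaddrinfo \
	getcwd \
	getgrouplist \
	getline \
	getnameinfo \
	getopt \
	getpagesize \
	getpeereid \
	getpeerucred \
	getpgid \
	_getpty \
	getrlimit \
	getrandom \
	getsid \
	getttyent \
	glob \
	group_from_gid \
	inet_aton \
	inet_ntoa \
	inet_ntop \
	innetgr \
	llabs \
	localtime_r \
	login_getcapbool \
	md5_crypt \
	memmem \
	memmove \
	memset_s \
	mkdtemp \
	ngetaddrinfo \
	nsleep \
	ogetaddrinfo \
	openlog_r \
	pledge \
	poll \
	prctl \
	pstat \
	raise \
	readpassphrase \
	reallocarray \
	realpath \
	recvmsg \
	recallocarray \
	rresvport_af \
	sendmsg \
	setdtablesize \
	setegid \
	setenv \
	seteuid \
	setgroupent \
	setgroups \
	setlinebuf \
	setlogin \
	setpassent \
	setpcred \
	setproctitle \
	setregid \
	setreuid \
	setrlimit \
	setsid \
	setvbuf \
	sigaction \
	sigvec \
	snprintf \
	socketpair \
	statfs \
	statvfs \
	strcasestr \
	strdup \
	strerror \
	strlcat \
	strlcpy \
	strmode \
	strndup \
	strnlen \
	strnvis \
	strptime \
	strsignal \
	strtonum \
	strtoll \
	strtoul \
	strtoull \
	swap32 \
	sysconf \
	tcgetpgrp \
	timingsafe_bcmp \
	truncate \
	unsetenv \
	updwtmpx \
	utimensat \
	user_from_uid \
	usleep \
	vasprintf \
	vsnprintf \
	waitpid \
	warn \
])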
1885
AC_CHECK_DECLS([bzero, memmem])

dnl Wide character support.
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])

dnl TEST_SSH_UTF8 keeps a value supplied by the caller and defaults to yes;
dnl it is forced to no when the en_US.UTF-8 locale cannot be selected on the
dnl machine running configure.
TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
AC_MSG_CHECKING([for utf8 locale support])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <locale.h>
#include <stdlib.h>
	]], [[
	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
	exit(loc == NULL);
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		TEST_SSH_UTF8=no
	],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)

dnl Link test rather than a plain function check for isblank.
AC_LINK_IFELSE(
	[AC_LANG_PROGRAM([[ #include <ctype.h> ]], [[ return (isblank('a')); ]])],
	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])]
)
1915
dnl Feature switches for PKCS#11 and U2F/FIDO security keys. Each variable
dnl starts empty and is set only by an explicit command-line choice.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		case "x$enableval" in
		xno)	disable_pkcs11=1 ;;
		esac
	]
)

disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[
		case "x$enableval" in
		xno)	disable_sk=1 ;;
		esac
	]
)
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[
		case "x$withval" in
		xno)	;;
		*)	enable_sk_internal=yes ;;
		esac
	]
)
dnl Disabling security keys overrides a request for the builtin support.
if test -n "$disable_sk"; then
	enable_sk_internal=""
fi
1945
dnl dlopen is searched without extra libraries first, then in libdl.
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])

# IRIX has a const char return value for gai_strerror()
# The probe redeclares gai_strerror with a const return type; it only
# compiles when that matches the declaration in the system headers.
AC_CHECK_FUNCS([gai_strerror], [
	AC_DEFINE([HAVE_GAI_STRERROR])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

const char *gai_strerror(int);
		]], [[
	char *str;
	str = gai_strerror(0);
		]])],
		[AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
			[Define if gai_strerror() returns const char *])],
		[])
])

AC_SEARCH_LIBS([nanosleep], [rt posix4],
	[AC_DEFINE([HAVE_NANOSLEEP], [1],
		[Some systems put nanosleep outside of libc])])

AC_SEARCH_LIBS([clock_gettime], [rt],
	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1971
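dnl check if we need -D_REENTRANT for localtime_r declaration.
dnl The current CPPFLAGS is saved before -D_REENTRANT is tried, so that a
dnl second failure puts the preprocessor flags back exactly as they were.
dnl Saving CFLAGS here instead would replace CPPFLAGS with the compiler flags
dnl on that path and drop every -D and -I collected so far.
AC_CHECK_DECL([localtime_r], [],
	[ saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)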
1984
dnl Make sure prototypes are defined for these before using them.
dnl strsep is only probed as a function once a declaration has been seen.
AC_CHECK_DECL([strsep],
	[AC_CHECK_FUNCS([strsep])],
	[],
	[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
	])

dnl tcsendbreak might be a macro
dnl A visible declaration is enough; the function probe is the fallback.
AC_CHECK_DECL([tcsendbreak],
	[AC_DEFINE([HAVE_TCSENDBREAK])],
	[AC_CHECK_FUNCS([tcsendbreak])],
	[#include <termios.h>]
)

AC_CHECK_DECLS([h_errno], [], [], [#include <netdb.h>])

AC_CHECK_DECLS([SHUT_RD, getpeereid], [], [],
	[
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([O_NONBLOCK], [], [],
	[
#include <sys/types.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
	])

AC_CHECK_DECLS([readv, writev], [], [],
	[
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([MAXSYMLINKS], [], [],
	[
#include <sys/param.h>
	])

AC_CHECK_DECLS([offsetof], [], [],
	[
#include <stddef.h>
	])

# extra bits for select(2)
AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
#include <sys/sysmacros.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
AC_CHECK_TYPES([fd_mask], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
2066
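dnl A false negative here defines BROKEN_SETRESUID, which steers the
dnl uid-switching code away from setresuid, so the probe must fail only for
dnl ENOSYS. unistd.h is included for the setresuid prototype where the
dnl platform declares it there; with no prototype in scope, a compiler that
dnl rejects implicit declarations fails the probe and a working setresuid
dnl is reported as not implemented.
AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have a setresuid stub that is not implemented
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])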
2089
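dnl When libc provides setresgid, run a probe that calls it and defines
dnl BROKEN_SETRESGID if errno comes back as ENOSYS. Every other outcome is
dnl treated as working, including a permission failure when configure runs
dnl unprivileged. When cross compiling nothing is run and nothing is defined.
AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have setresgid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
		]], [[
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		dnl The warning names the function this probe is about.
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])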
2112
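dnl Run-time probe: a program that calls fflush with a NULL stream must exit
dnl cleanly, otherwise FFLUSH_NULL_BUG is defined. stdlib.h is included so
dnl that exit is declared; a compiler that rejects implicit declarations
dnl would otherwise fail the probe and report the bug on a working libc.
AC_MSG_CHECKING([for working fflush(NULL)])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
	]], [[fflush(NULL); exit(0);]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
	    [define if fflush(NULL) does not work])],
	[AC_MSG_WARN([cross compiling: assuming working])]
)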
2122
dnl Plain existence probes: each function found defines its HAVE_ macro and a
dnl missing function does not stop configure.
dnl    Checks for time functions
AC_CHECK_FUNCS([gettimeofday time])
dnl    Checks for utmp functions
AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
AC_CHECK_FUNCS([utmpname])
dnl    Checks for utmpx functions
AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
dnl    Checks for lastlog functions
AC_CHECK_FUNCS([getlastlogxbyname])
2133
dnl daemon: use the libc version when present, otherwise look in libbsd and
dnl append -lbsd to LIBS when it is found there.
AC_CHECK_FUNC([daemon],
	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
	[AC_CHECK_LIB([bsd], [daemon],
		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
)

dnl getpagesize: same pattern with libucb as the fallback library.
AC_CHECK_FUNC([getpagesize],
	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
		[Define if your libraries define getpagesize()])],
	[AC_CHECK_LIB([ucb], [getpagesize],
		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
)
2146
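# Check for broken snprintf
# The probe writes a 9 character string into a 5 byte buffer and requires the
# last byte to be the terminator. An snprintf that leaves the buffer
# unterminated on truncation is replaced through BROKEN_SNPRINTF.
# stdlib.h is included so that exit is declared; without it a compiler that
# rejects implicit declarations fails the probe and a working snprintf is
# reported as broken.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
		]],
		[[
	char b[5];
	snprintf(b,5,"123456789");
	exit(b[4]!='\0');
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi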
2167
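# Second snprintf probe: the %zu conversion must format size_t values.
# Two size_t values 1 and 2 are formatted and the result compared with "12".
# string.h and stdlib.h are included so that strcmp and exit are declared;
# without them a compiler that rejects implicit declarations fails the probe
# and BROKEN_SNPRINTF is defined on a libc that handles %zu correctly.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf understands %zu])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
		]],
		[[
	size_t a = 1, b = 2;
	char z[128];
	snprintf(z, sizeof z, "%zu%zu", a, b);
	exit(strcmp(z, "12"));
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[snprintf does not understand %zu])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi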
2190
# We depend on vsnprintf returning the right thing on overflow: the
# number of characters it tried to create (as per SUSv3)
# The probe formats "hello 12345" (11 characters) once into a 1 byte buffer
# and once with a NULL buffer of size 0; both calls must report 11. Any other
# return value defines BROKEN_SNPRINTF, the same symbol the two snprintf
# probes use. When cross compiling the function is assumed to work.
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdarg.h>

int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
	size_t ret;
	va_list ap;

	va_start(ap, fmt);
	ret = vsnprintf(str, count, fmt, ap);
	va_end(ap);
	return ret;
}
		]], [[
char x[1];
if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
	return 1;
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
	return 1;
return 0;
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
	)
fi
2229
# On systems where [v]snprintf is broken, but is declared in stdio,
# check that the fmt argument is const char * or just char *.
# This is only useful for when BROKEN_SNPRINTF
# Compile-only probe: a local snprintf definition with a const fmt must not
# conflict with the stdio.h prototype. SNPRINTF_CONST expands to const when
# it compiles and to a comment otherwise.
AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
		]], [[
	snprintf(0, 0, 0);
		]])],
   [AC_MSG_RESULT([yes])
    AC_DEFINE([SNPRINTF_CONST], [const],
              [Define as const if snprintf() can declare const char *fmt])],
   [AC_MSG_RESULT([no])
    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2245
# Check for missing getpeereid (or equiv) support
# When neither getpeereid nor getpeerucred was found, fall back to testing
# whether SO_PEERCRED compiles. NO_PEERCHECK=1 records that none of the three
# ways of identifying the peer of a local socket is available; how that flag
# is reported or acted on is outside this section.
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
		[ AC_MSG_RESULT([yes])
		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
		], [AC_MSG_RESULT([no])
		NO_PEERCHECK=1
        ])
fi
2259
dnl see whether mkstemp() requires XXXXXX
dnl The probe passes a template with no XXXXXX suffix. A mkstemp that accepts
dnl it reports "no"; one that rejects it defines HAVE_STRICT_MKSTEMP. The
dnl result sense is therefore inverted relative to most probes in this file.
dnl Cross compiling assumes the strict behaviour.
dnl NOTE(review): the guard keys on the mkdtemp cache variable although the
dnl probe calls mkstemp - confirm this is intended.
if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
AC_MSG_CHECKING([for (overly) strict mkstemp])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdlib.h>
	]], [[
	char template[]="conftest.mkstemp-test";
	if (mkstemp(template) == -1)
		exit(1);
	unlink(template);
	exit(0);
	]])],
	[
		AC_MSG_RESULT([no])
	],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
	],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAVE_STRICT_MKSTEMP])
	]
)
fi
2286
dnl make sure that openpty does not reacquire controlling terminal
dnl Only runs when check_for_openpty_ctty_bug was set earlier in the script.
dnl The child closes stdio, starts a new session with setsid and calls
dnl openpty; if /dev/tty can then be opened the session has picked up a
dnl controlling terminal and SSHD_ACQUIRES_CTTY is defined. The parent relays
dnl the child's exit status. Cross compiling assumes correct behaviour.
if test ! -z "$check_for_openpty_ctty_bug"; then
	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
		]], [[
	pid_t pid;
	int fd, ptyfd, ttyfd, status;

	pid = fork();
	if (pid < 0) {		/* failed */
		exit(1);
	} else if (pid > 0) {	/* parent */
		waitpid(pid, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		else
			exit(2);
	} else {		/* child */
		close(0); close(1); close(2);
		setsid();
		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
		if (fd >= 0)
			exit(3);	/* Acquired ctty: broken */
		else
			exit(0);	/* Did not acquire ctty: OK */
	}
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([SSHD_ACQUIRES_CTTY])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi
2332
dnl getaddrinfo probe used when check_for_hpux_broken_getaddrinfo is set.
dnl It asks for passive stream addresses on TEST_PORT, and for each IPv6
dnl result runs getnameinfo and then socket and bind. Exit codes: 1 when
dnl getaddrinfo fails, 2 when getnameinfo fails, 3 when bind reports EBADF.
dnl Any non-zero exit defines BROKEN_GETADDRINFO.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi
2400
dnl getaddrinfo probe used when check_for_aix_broken_getaddrinfo is set.
dnl Only an IPv4 getnameinfo failure makes the probe fail; IPv6 failures are
dnl tolerated. A passing run still defines AIX_GETNAMEINFO_HACK and a failing
dnl run defines BROKEN_GETADDRINFO.
dnl NOTE(review): the cross-compiling branch prints "assuming no" but defines
dnl neither symbol - confirm that is the intended fallback.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi
2459
dnl AI_NUMERICSERV is only probed when getaddrinfo itself was found.
if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
	    [#include <sys/types.h>
	     #include <sys/socket.h>
	     #include <netdb.h>])
fi
2466
dnl Compile-only probe, run when check_for_conflicting_getspnam is set: a
dnl program that only includes shadow.h must compile. A compile failure is
dnl taken to mean conflicting getspnam definitions and sets
dnl GETSPNAM_CONFLICTING_DEFS.
if test "x$check_for_conflicting_getspnam" = "x1"; then
	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
		[[ exit(0); ]])],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
			    [Conflicting defs for getspnam])
		]
	)
fi
2481
dnl NetBSD added an strnvis and unfortunately made it incompatible with the
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
dnl for over ten years). Despite this incompatibility being reported during
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
dnl implementation.  Try to detect this mess, and assume the only safe option
dnl if we're cross compiling.
dnl
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
dnl
dnl The probe calls strnvis with the OpenBSD argument order. With the other
dnl order the length and source pointer are swapped, so the SIGSEGV handler
dnl turns a crash into a clean failure exit. A failing probe, and any cross
dnl compile, defines BROKEN_STRNVIS.
dnl NOTE(review): the last exit call in the probe body has no terminating
dnl semicolon; it appears to rely on the one the generated main appends -
dnl confirm.
if test "x$ac_cv_func_strnvis" = "xyes"; then
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1)
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi
2516
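dnl Probe whether a signal whose handler was installed with SA_RESTART still
dnl makes a blocked select return -1. The child signals the parent after one
dnl second and kills it after two if it is still waiting, so a restarted
dnl select shows up as a failed run and defines NO_SA_RESTART.
dnl The header guard uses HAVE_SYS_SELECT_H, the symbol the other probes in
dnl this file test, and unistd.h is included for fork, sleep and getppid.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	/* Do not hand sigaction an uninitialised signal mask. */
	sigemptyset(&sa.sa_mask);
	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do not interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)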
2555
dnl When getpgrp exists, a compile-only probe decides whether it is called
dnl with no arguments. GETPGRP_VOID is always defined, to 1 or to 0.
AC_CHECK_FUNCS([getpgrp],[
	AC_MSG_CHECKING([if getpgrp accepts zero args])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
		[ AC_MSG_RESULT([yes])
		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
		[ AC_MSG_RESULT([no])
		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
	)
])
2566
# Search for OpenSSL
# --with-ssl-dir=PATH prepends PATH to the compiler and linker search paths.
# Library directory preference is PATH/lib, then PATH/lib64, then PATH itself;
# headers come from PATH/include when it exists, otherwise from PATH.
# When rpath_opt is set (defined elsewhere; presumably the linker's run-path
# flag) the chosen library directory is also recorded in the built binaries,
# so PATH should be a location that only trusted users can write to.
# The flags in effect before this option are kept in saved_CPPFLAGS and
# saved_LDFLAGS.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			case "$withval" in
				# Relative paths
				./*|../*)	withval="`pwd`/$withval"
			esac
			if test -d "$withval/lib"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
				fi
			elif test -d "$withval/lib64"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
				fi
			else
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${LDFLAGS}"
				fi
			fi
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)
2608
# --without-openssl-header-check sets openssl_check_nonfatal, which turns a
# header/library version mismatch found later from a configure error into a
# warning. The mismatch is still detected and reported; only the abort is
# suppressed.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		if test "x$withval" = "xno" ; then
			openssl_check_nonfatal=1
		fi
	]
)
2617
# ENGINE support is off unless --with-ssl-engine is given, and asking for it
# while OpenSSL is disabled is a configure error.
openssl_engine=no
AC_ARG_WITH([ssl-engine],
	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$openssl" = "xno" ; then
				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
			fi
			openssl_engine=yes
		fi
	]
)
2630
2631if test "x$openssl" = "xyes" ; then
	# libcrypto goes first on the link line. Configure stops here when
	# RAND_add does not link or openssl/opensslv.h cannot be used.
	LIBS="-lcrypto $LIBS"
	AC_TRY_LINK_FUNC([RAND_add], ,
	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
	AC_CHECK_HEADER([openssl/opensslv.h], ,
	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2637
	# Determine OpenSSL header version
	# The probe writes OPENSSL_VERSION_NUMBER and OPENSSL_VERSION_TEXT, as
	# seen by the compiler, to conftest.sslincver in the build directory and
	# the result is read back into ssl_header_ver for display. This value is
	# informational; the supported-version gate is applied to the library
	# version below. Nothing is recorded when cross compiling.
	AC_MSG_CHECKING([OpenSSL header version])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <stdio.h>
	#include <string.h>
	#include <openssl/opensslv.h>
	#define DATA "conftest.sslincver"
		]], [[
		FILE *fd;
		int rc;

		fd = fopen(DATA,"w");
		if(fd == NULL)
			exit(1);

		if ((rc = fprintf(fd, "%08lx (%s)\n",
		    (unsigned long)OPENSSL_VERSION_NUMBER,
		     OPENSSL_VERSION_TEXT)) < 0)
			exit(1);

		exit(0);
		]])],
		[
			ssl_header_ver=`cat conftest.sslincver`
			AC_MSG_RESULT([$ssl_header_ver])
		],
		[
			AC_MSG_RESULT([not found])
			AC_MSG_ERROR([OpenSSL version header not found.])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
2674
	# Determining OpenSSL library version is version dependent.
	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])

	# Determine OpenSSL library version
	# The probe asks the linked library for its version at run time, falling
	# back to the SSLeay names when the newer functions were not found, and
	# writes it to conftest.ssllibver. The case statement then gates on the
	# hex version string: anything below 1.0.1 and the 1.1.0 releases before
	# 1.1.0g are rejected, as is any prefix not listed. When cross compiling
	# the probe cannot run, so this version gate is skipped entirely and the
	# minimum version has to be verified by other means.
	AC_MSG_CHECKING([OpenSSL library version])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdio.h>
	#include <string.h>
	#include <openssl/opensslv.h>
	#include <openssl/crypto.h>
	#define DATA "conftest.ssllibver"
		]], [[
		FILE *fd;
		int rc;

		fd = fopen(DATA,"w");
		if(fd == NULL)
			exit(1);
#ifndef OPENSSL_VERSION
# define OPENSSL_VERSION SSLEAY_VERSION
#endif
#ifndef HAVE_OPENSSL_VERSION
# define OpenSSL_version	SSLeay_version
#endif
#ifndef HAVE_OPENSSL_VERSION_NUM
# define OpenSSL_version_num	SSLeay
#endif
		if ((rc = fprintf(fd, "%08lx (%s)\n",
		    (unsigned long)OpenSSL_version_num(),
		    OpenSSL_version(OPENSSL_VERSION))) < 0)
			exit(1);

		exit(0);
		]])],
		[
			ssl_library_ver=`cat conftest.ssllibver`
			# Check version is supported.
			case "$ssl_library_ver" in
			10000*|0*)
				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
		                ;;
			100*)   ;; # 1.0.x
			101000[[0123456]]*)
				# https://github.com/openssl/openssl/pull/4613
				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
				;;
			101*)   ;; # 1.1.x
			200*)   ;; # LibreSSL
			300*)   ;; # OpenSSL development branch.
		        *)
				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
		                ;;
			esac
			AC_MSG_RESULT([$ssl_library_ver])
		],
		[
			AC_MSG_RESULT([not found])
			AC_MSG_ERROR([OpenSSL library not found.])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
2739
	# Sanity check OpenSSL headers
	# The version number reported by the linked library at run time must
	# equal the OPENSSL_VERSION_NUMBER the headers were compiled with. A
	# mismatch is fatal unless openssl_check_nonfatal was set by
	# --without-openssl-header-check, in which case it is only a warning.
	# A mismatch means the build would compile against one OpenSSL and run
	# against another, so the warning path deserves a look at config.log
	# before the result is shipped. Not checked when cross compiling.
	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <string.h>
	#include <openssl/opensslv.h>
	#include <openssl/crypto.h>
		]], [[
#ifndef HAVE_OPENSSL_VERSION_NUM
# define OpenSSL_version_num	SSLeay
#endif
		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			if test "x$openssl_check_nonfatal" = "x"; then
				AC_MSG_ERROR([Your OpenSSL headers do not match your
	library. Check config.log for details.
	If you are sure your installation is consistent, you can disable the check
	by running "./configure --without-openssl-header-check".
	Also see contrib/findssl.sh for help identifying header/library mismatches.
	])
			else
				AC_MSG_WARN([Your OpenSSL headers do not match your
	library. Check config.log for details.
	Also see contrib/findssl.sh for help identifying header/library mismatches.])
			fi
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
2775
	# Link a program that calls ERR_load_crypto_strings. If that fails, retry
	# with -ldl appended to LIBS and keep it only when the retry links;
	# otherwise LIBS is restored. Neither failure stops configure.
	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
		[[ ERR_load_crypto_strings(); ]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			saved_LIBS="$LIBS"
			LIBS="$LIBS -ldl"
			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
			AC_LINK_IFELSE(
				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
				[[ ERR_load_crypto_strings(); ]])],
				[
					AC_MSG_RESULT([yes])
				],
				[
					AC_MSG_RESULT([no])
					LIBS="$saved_LIBS"
				]
			)
		]
	)
2801
	# Existence probes for libcrypto functions; each one found defines its
	# HAVE_ macro and none of them is required here.
	AC_CHECK_FUNCS([ \
		BN_is_prime_ex \
		DSA_generate_parameters_ex \
		EVP_CIPHER_CTX_ctrl \
		EVP_DigestFinal_ex \
		EVP_DigestInit_ex \
		EVP_MD_CTX_cleanup \
		EVP_MD_CTX_copy_ex \
		EVP_MD_CTX_init \
		HMAC_CTX_init \
		RSA_generate_key_ex \
		RSA_get_default_method \
	])

	# OpenSSL_add_all_algorithms may be a macro.
	# Tried as a function first, then as a declaration from openssl/evp.h;
	# either way the same symbol is defined.
	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
		[[#include <openssl/evp.h>]]
	    )
	)
2824
	# LibreSSL/OpenSSL 1.1x API
	# Accessor and lifecycle functions probed individually; each one found
	# defines its own HAVE_ macro.
	AC_CHECK_FUNCS([ \
		OPENSSL_init_crypto \
		DH_get0_key \
		DH_get0_pqg \
		DH_set0_key \
		DH_set_length \
		DH_set0_pqg \
		DSA_get0_key \
		DSA_get0_pqg \
		DSA_set0_key \
		DSA_set0_pqg \
		DSA_SIG_get0 \
		DSA_SIG_set0 \
		ECDSA_SIG_get0 \
		ECDSA_SIG_set0 \
		EVP_CIPHER_CTX_iv \
		EVP_CIPHER_CTX_iv_noconst \
		EVP_CIPHER_CTX_get_iv \
		EVP_CIPHER_CTX_set_iv \
		RSA_get0_crt_params \
		RSA_get0_factors \
		RSA_get0_key \
		RSA_set0_crt_params \
		RSA_set0_factors \
		RSA_set0_key \
		RSA_meth_free \
		RSA_meth_dup \
		RSA_meth_set1_name \
		RSA_meth_get_finish \
		RSA_meth_set_priv_enc \
		RSA_meth_set_priv_dec \
		RSA_meth_set_finish \
		EVP_PKEY_get0_RSA \
		EVP_MD_CTX_new \
		EVP_MD_CTX_free \
		EVP_chacha20 \
	])
2863
	# Only when --with-ssl-engine was given: a program using the ENGINE
	# loading calls must compile, otherwise configure stops. This is a
	# compile-only probe, so it confirms the header API and not that the
	# symbols resolve at link time.
	if test "x$openssl_engine" = "xyes" ; then
		AC_MSG_CHECKING([for OpenSSL ENGINE support])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
	#include <openssl/engine.h>
			]], [[
				ENGINE_load_builtin_engines();
				ENGINE_register_all_complete();
			]])],
			[ AC_MSG_RESULT([yes])
			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
			     [Enable OpenSSL engine support])
			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
		])
	fi
2878
	# Check for OpenSSL without EVP_aes_{192,256}_cbc
	# Both AES probes below are link-only: the comparison against NULL is
	# never executed, so the result reflects whether the symbols resolve.
	# Here a link failure defines OPENSSL_LOBOTOMISED_AES.
	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <string.h>
	#include <openssl/evp.h>
		]], [[
		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
		]])],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
			    [libcrypto is missing AES 192 and 256 bit functions])
		]
	)

	# Check for OpenSSL with EVP_aes_*ctr
	# NOTE(review): only the 128 bit CTR function is referenced; the 192 and
	# 256 bit terms name the CBC functions, so the presence of the larger CTR
	# variants is not actually established by this probe - confirm whether
	# the CTR names were intended.
	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <string.h>
	#include <openssl/evp.h>
		]], [[
		exit(EVP_aes_128_ctr() == NULL ||
		    EVP_aes_192_cbc() == NULL ||
		    EVP_aes_256_cbc() == NULL);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
			    [libcrypto has EVP AES CTR])
		],
		[
			AC_MSG_RESULT([no])
		]
	)
2918
2919	# Check for OpenSSL with EVP_aes_*gcm
2920	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2921	AC_LINK_IFELSE(
2922		[AC_LANG_PROGRAM([[
2923	#include <string.h>
2924	#include <openssl/evp.h>
2925		]], [[
2926		exit(EVP_aes_128_gcm() == NULL ||
2927		    EVP_aes_256_gcm() == NULL ||
2928		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2929		    EVP_CTRL_GCM_IV_GEN == 0 ||
2930		    EVP_CTRL_GCM_SET_TAG == 0 ||
2931		    EVP_CTRL_GCM_GET_TAG == 0 ||
2932		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2933		]])],
2934		[
2935			AC_MSG_RESULT([yes])
2936			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2937			    [libcrypto has EVP AES GCM])
2938		],
2939		[
2940			AC_MSG_RESULT([no])
2941			unsupported_algorithms="$unsupported_cipers \
2942			   aes128-gcm@openssh.com \
2943			   aes256-gcm@openssh.com"
2944		]
2945	)
2946
	# Using the return value of EVP_DigestUpdate in a condition only builds
	# when the function returns a value; a failed build defines
	# OPENSSL_EVP_DIGESTUPDATE_VOID. The program is linked, never run.
	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <string.h>
	#include <openssl/evp.h>
		]], [[
		if(EVP_DigestUpdate(NULL, NULL,0))
			exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
			    [Define if EVP_DigestUpdate returns void])
		]
	)
2965
	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
	# because the system crypt() is more featureful.
	# With no explicit action the library check uses its default, which puts
	# -lcrypt ahead of the libraries already in LIBS.
	if test "x$check_for_libcrypt_before" = "x1"; then
		AC_CHECK_LIB([crypt], [crypt])
	fi

	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
	# version in OpenSSL.
	# Here -lcrypt is appended after the existing libraries instead.
	if test "x$check_for_libcrypt_later" = "x1"; then
		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
	fi
	AC_CHECK_FUNCS([crypt DES_crypt])

	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2981
	# Check complete ECC support in OpenSSL
	# One probe per NIST curve. Each links a program that creates a key on
	# the curve and references the matching SHA-2 digest, and sets the
	# corresponding enable_nistp variable on success. The P-256 and P-384
	# probes are link-only.
	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
		]], [[
		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
		const EVP_MD *m = EVP_sha256(); /* We need this too */
		]])],
		[ AC_MSG_RESULT([yes])
		  enable_nistp256=1 ],
		[ AC_MSG_RESULT([no]) ]
	)

	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
		]], [[
		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
		const EVP_MD *m = EVP_sha384(); /* We need this too */
		]])],
		[ AC_MSG_RESULT([yes])
		  enable_nistp384=1 ],
		[ AC_MSG_RESULT([no]) ]
	)

	# P-521 gets a second, run-time probe after the link succeeds: the curve
	# is enabled only when both the key and the digest come back non-NULL.
	# When cross compiling the run-time probe is skipped and the curve is
	# assumed to work.
	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
		]], [[
		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
		const EVP_MD *m = EVP_sha512(); /* We need this too */
		]])],
		[ AC_MSG_RESULT([yes])
		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
		  AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
			]],[[
			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
			const EVP_MD *m = EVP_sha512(); /* We need this too */
			exit(e == NULL || m == NULL);
			]])],
			[ AC_MSG_RESULT([yes])
			  enable_nistp521=1 ],
			[ AC_MSG_RESULT([no]) ],
			[ AC_MSG_WARN([cross-compiling: assuming yes])
			  enable_nistp521=1 ]
		  )],
		AC_MSG_RESULT([no])
	)
3055
	# Turn the per-curve probe results into config.h symbols and substituted
	# variables. COMMENT_OUT_ECC and TEST_SSH_ECC start at their no-ECC
	# values and flip as soon as any one curve is usable. For every curve
	# that is missing, the algorithm names tied to it are appended to
	# unsupported_algorithms.
	COMMENT_OUT_ECC="#no ecc#"
	TEST_SSH_ECC=no

	# openssl_ecc is read again after this block when deciding whether
	# security key support can be enabled.
	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
	    test x$enable_nistp521 = x1; then
		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
		openssl_ecc=yes
	else
		openssl_ecc=no
	fi
	if test x$enable_nistp256 = x1; then
		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
		    [libcrypto has NID_X9_62_prime256v1])
		TEST_SSH_ECC=yes
		COMMENT_OUT_ECC=""
	else
		unsupported_algorithms="$unsupported_algorithms \
			ecdsa-sha2-nistp256 \
			ecdh-sha2-nistp256 \
			ecdsa-sha2-nistp256-cert-v01@openssh.com"
	fi
	if test x$enable_nistp384 = x1; then
		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
		TEST_SSH_ECC=yes
		COMMENT_OUT_ECC=""
	else
		unsupported_algorithms="$unsupported_algorithms \
			ecdsa-sha2-nistp384 \
			ecdh-sha2-nistp384 \
			ecdsa-sha2-nistp384-cert-v01@openssh.com"
	fi
	if test x$enable_nistp521 = x1; then
		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
		TEST_SSH_ECC=yes
		COMMENT_OUT_ECC=""
	else
		unsupported_algorithms="$unsupported_algorithms \
			ecdh-sha2-nistp521 \
			ecdsa-sha2-nistp521 \
			ecdsa-sha2-nistp521-cert-v01@openssh.com"
	fi

	AC_SUBST([TEST_SSH_ECC])
	AC_SUBST([COMMENT_OUT_ECC])
3101else
	# Without OpenSSL, crypt can only come from the system: look in libcrypt
	# and then record whether the function is available at all.
	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
	AC_CHECK_FUNCS([crypt])
3104fi
3105
# PKCS11/U2F depend on OpenSSL and dlopen().
# Both features start enabled and are switched off by replacing the value with
# a human-readable reason. The tests run in sequence, so when several apply
# the last matching one supplies the reason that is printed. A user request
# to disable a feature is applied last and therefore always wins.
enable_pkcs11=yes
enable_sk=yes
if test "x$openssl" != "xyes" ; then
	enable_pkcs11="disabled; missing libcrypto"
	enable_sk="disabled; missing libcrypto"
fi
if test "x$openssl_ecc" != "xyes" ; then
	enable_sk="disabled; OpenSSL has no ECC support"
fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
	enable_pkcs11="disabled; missing dlopen(3)"
	enable_sk="disabled; missing dlopen(3)"
fi
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
	enable_pkcs11="disabled; missing RTLD_NOW"
	enable_sk="disabled; missing RTLD_NOW"
fi
if test ! -z "$disable_pkcs11" ; then
	enable_pkcs11="disabled by user"
fi
if test ! -z "$disable_sk" ; then
	enable_sk="disabled by user"
fi

# The result line shows either yes or the reason the feature is off.
AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])

# SK_DUMMY_LIBRARY names the regression-test dummy provider and is left empty
# when security key support is off.
AC_MSG_CHECKING([whether to enable U2F])
if test "x$enable_sk" = "xyes" ; then
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
else
	# Do not try to build sk-dummy library.
	AC_SUBST(SK_DUMMY_LIBRARY, [""])
fi
AC_MSG_RESULT([$enable_sk])
3146
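# Now check for built-in security key support.
# Taken only when security keys are enabled and enable_sk_internal (set outside
# this section) is "yes".  Once requested, a missing library or header is a
# hard configure error rather than a silent downgrade.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
	use_pkgconfig_for_libfido2=
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		# Ask for an existence check explicitly instead of relying on
		# the behaviour of pkg-config when it is given no option.
		if "$PKGCONFIG" --exists libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
		else
			AC_MSG_RESULT([no])
		fi
	fi
	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
		# PKGCONFIG is quoted here as it is in the probe above, so a
		# tool path containing spaces is handled the same way in both.
		LIBFIDO2=`"$PKGCONFIG" --libs libfido2`
		libfido2_cflags=`"$PKGCONFIG" --cflags libfido2`
		CPPFLAGS="$CPPFLAGS $libfido2_cflags"
	else
		LIBFIDO2="-lfido2 -lcbor"
	fi
	# Everything except -lfido2 itself is handed to the link test as
	# extra libraries.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
		[ $OTHERLIBS ]
	)
	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi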
3183
# Probe for the arc4random family of functions.
AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_stir arc4random_uniform])

# libiaf is only of interest when it provides set_id.  LIBS is restored after
# the probe, so a successful check adds -liaf to SSHDLIBS only.
saved_LIBS="$LIBS"
AC_CHECK_LIB([iaf], [ia_openinfo],
	[
		LIBS="$LIBS -liaf"
		AC_CHECK_FUNCS([set_id],
			[
				SSHDLIBS="$SSHDLIBS -liaf"
				AC_DEFINE([HAVE_LIBIAF], [1],
			[Define if system has libiaf that supports set_id])
			])
	])
LIBS="$saved_LIBS"
3200
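### Configure cryptographic random number support

# Check whether OpenSSL seeds itself
# The probe runs a tiny program that exits 0 only when RAND_status() returns 1.
# It includes <stdlib.h> for exit(): compilers that reject implicit function
# declarations would otherwise fail to build the probe, and that failure would
# be reported as "no" even though the PRNG is seeded.
if test "x$openssl" = "xyes" ; then
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			OPENSSL_SEEDS_ITSELF=yes
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
fi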
3228
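# PRNGD TCP socket
# The accepted value is pasted unquoted into config.h as PRNGD_PORT, so it is
# restricted to a plain decimal number between 1 and 65535.  Values that merely
# start with a digit are rejected, and so is a leading zero, which would be
# read as an octal constant in C.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|0*|*[[!0-9]]*|??????*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			if test "$withval" -gt 65535 ; then
				AC_MSG_ERROR([--with-prngd-port must be between 1 and 65535])
			fi
			;;
		esac
		if test "x$withval" != "x" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)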
3250
# PRNGD Unix domain socket
# With an explicit option the path must be absolute and may not be combined
# with a PRNGD port.  Without the option, a few well-known locations are probed,
# but only when OpenSSL was not found to seed itself.
# NOTE(review): the probes check readability and file type only; they say
# nothing about who owns the socket or who else may write to it.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)
			withval="/var/run/egd-pool"
			;;
		no)
			withval=""
			;;
		/*)
			;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test "x$withval" != "x" ; then
			if test "x$PRNGD_PORT" != "x" ; then
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			fi
			if test ! -r "$withval" ; then
				AC_MSG_WARN([Entropy socket is not readable])
			fi
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break
				fi
			done
			if test "x$PRNGD_SOCKET" = "x" ; then
				AC_MSG_RESULT([not found])
			else
				AC_MSG_RESULT([$PRNGD_SOCKET])
			fi
		fi
	]
)
3301
# Which randomness source do we use?
# Precedence: an explicit PRNGD port, then a PRNGD socket, then OpenSSL
# self-seeding.  A build without OpenSSL only gets a warning about
# /dev/urandom; a build with OpenSSL but no seed source at all is rejected.
if test "x$PRNGD_PORT" != "x" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test "x$PRNGD_SOCKET" != "x" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test "x$OPENSSL_SEEDS_ITSELF" != "x" ; then
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
	RAND_MSG="OpenSSL internal ONLY"
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3316
# Check for PAM libs
# PAM_MSG stays "no" unless --with-pam is given with a value other than "no"
# and both the headers and libpam are found.  LIBS is restored after the
# probes, so -lpam and, where needed, -ldl end up in SSHDLIBS only.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			# Neither known location of pam_appl.h was detected
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], ,
				[AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist pam_putenv])
			LIBS="$saved_LIBS"

			PAM_MSG="yes"

			SSHDLIBS="$SSHDLIBS -lpam"
			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])

			# Add libdl for sshd unless LIBS already carries it
			if test $ac_cv_lib_dl_dlopen = yes; then
				case "$LIBS" in
				*-ldl*) ;;
				*) SSHDLIBS="$SSHDLIBS -ldl" ;;
				esac
			fi
		fi
	]
)
3354
# Optional override of the PAM service name.  The bare values "yes" and "no"
# are ignored; anything else is written into config.h as a C string literal.
# NOTE(review): the value is not checked for characters that would break the
# string literal - confirm that is acceptable for a build-time option.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		case "x$withval" in
		xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
			;;
		esac
	]
)
3365
# Check for older PAM
# Only relevant once PAM support has been switched on.  The probe compiles a
# two-argument call to pam_strerror: if that builds the library is treated as
# current, otherwise the one-argument form is assumed and HAVE_OLD_PAM is set.
if test "x$PAM_MSG" = "xyes" ; then
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])],
		[AC_MSG_RESULT([no])],
		[
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"
		])
fi
3388
# Unprivileged account used for privilege separation.  The default is "sshd",
# except on Cygwin where a function name is used instead of a fixed account.
case "$host" in
*-*-cygwin*)	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER ;;
*)		SSH_PRIVSEP_USER=sshd ;;
esac
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		# An empty value and the bare yes or no keep the default
		case "x${withval}" in
		x|xno|xyes)
			;;
		*)
			SSH_PRIVSEP_USER=$withval
			;;
		esac
	]
)
# The Cygwin placeholder is emitted as a bare identifier; every other value
# becomes a C string literal.
case "x$SSH_PRIVSEP_USER" in
xCYGWIN_SSH_PRIVSEP_USER)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
	;;
*)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
	;;
esac
AC_SUBST([SSH_PRIVSEP_USER])
3414
# Look for SECCOMP_MODE_FILTER, but only when have_linux_no_new_privs was set
# to 1 outside this section.
if test "x$have_linux_no_new_privs" = "x1" ; then
	AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
])
fi
# The program below is only compiled and linked, never executed, so its
# EFAULT test is not evaluated at configure time.  A link failure clears
# have_seccomp_filter again so that the seccomp sandbox is not auto-selected.
if test "x$have_seccomp_filter" = "x1" ; then
	AC_MSG_CHECKING([kernel for seccomp_filter support])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			# Disable seccomp filter as a target
			have_seccomp_filter=0
		])
fi
3442
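# Decide which sandbox style to use
# An empty sandbox_arg means auto-detect, and a bare --with-sandbox is treated
# the same way.  Any other value is kept verbatim for the selection chain that
# consumes sandbox_arg, which rejects names it does not know.  The help text
# lists solaris as well, since that chain accepts it.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, solaris, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)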
3455
# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
# The probe opens one descriptor, drops RLIMIT_FSIZE and RLIMIT_NOFILE to zero
# and then calls select on it.  When cross compiling the result is assumed to
# be yes without running anything.
AC_MSG_CHECKING([if select works with descriptor rlimit])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int fd, r;
	fd_set fds;
	struct timeval tv;

	fd = open("/dev/null", O_RDONLY);
	FD_ZERO(&fds);
	FD_SET(fd, &fds);
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &rl_zero);
	setrlimit(RLIMIT_NOFILE, &rl_zero);
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	r = select(fd+1, &fds, NULL, NULL, &tv);
	exit (r == -1 ? 1 : 0);
	]])],
	[
		AC_MSG_RESULT([yes])
		select_works_with_rlimit=yes
	],
	[
		AC_MSG_RESULT([no])
		select_works_with_rlimit=no
	],
	[
		AC_MSG_WARN([cross compiling: assuming yes])
		select_works_with_rlimit=yes
	]
)
3497
# Can RLIMIT_NOFILE be lowered to zero at all?  The result feeds the automatic
# choice of the rlimit sandbox.  Cross compiles assume yes without running
# the probe.
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int r;

	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
	exit (r == -1 ? 1 : 0);
	]])],
	[
		AC_MSG_RESULT([yes])
		rlimit_nofile_zero_works=yes
	],
	[
		AC_MSG_RESULT([no])
		rlimit_nofile_zero_works=no
	],
	[
		AC_MSG_WARN([cross compiling: assuming yes])
		rlimit_nofile_zero_works=yes
	]
)
3523
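# Can RLIMIT_FSIZE be lowered to zero?  SANDBOX_SKIP_RLIMIT_FSIZE is defined
# only when the probe fails, so its config.h description says "does not work"
# to match the condition under which it is set.  Cross compiles assume the
# limit works and leave the macro undefined.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
		    [Define if setrlimit RLIMIT_FSIZE does not work])
	],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)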
3542
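# Pick the privilege separation sandbox.  Every branch is entered either
# because the user asked for that style by name or because sandbox_arg is
# empty and the platform probes for it succeeded.  Inside a branch the
# prerequisites are checked again, so that an explicit request for an
# unsupported style fails with a clear error instead of a broken build.
# Auto-detection tries the styles in the order written here.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	if test "x$ac_cv_func_pledge" != "xyes" ; then
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	fi
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	if test "x$have_systr_policy_kill" != "x1" ; then
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	fi
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	if test "x$ac_cv_func_sandbox_init" != "xyes" || \
	   test "x$ac_cv_header_sandbox_h" != "xyes" ; then
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	fi
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	if test "x$seccomp_audit_arch" = "x" ; then
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	fi
	if test "x$have_linux_no_new_privs" != "x1" ; then
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	fi
	if test "x$have_seccomp_filter" != "x1" ; then
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	fi
	if test "x$ac_cv_func_prctl" != "xyes" ; then
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	fi
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	if test "x$ac_cv_header_sys_capsicum_h" != "xyes" ; then
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	fi
	if test "x$ac_cv_func_cap_rights_limit" != "xyes" ; then
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	fi
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	# NOTE(review): an explicit request does not re-check
	# rlimit_nofile_zero_works, unlike auto-detection - confirm intended.
	if test "x$ac_cv_func_setrlimit" != "xyes" ; then
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	fi
	if test "x$select_works_with_rlimit" != "xyes" ; then
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	fi
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
	# Reaching this branch with an empty sandbox_arg means auto-detection
	# found nothing usable.  Say so, rather than dropping the sandbox
	# silently; an explicit no/none/null stays quiet.
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([no supported privilege separation sandbox was detected; building without one])
	fi
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi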
3613
# Cheap hack to ensure NEWS-OS libraries are arranged right.
test "x$SONY" != "x" && LIBS="$LIBS -liberty"

# Check for  long long datatypes
AC_CHECK_TYPES([long long, unsigned long long, long double])

# Check datatype sizes
AC_CHECK_SIZEOF([short int])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])

# Sanity check long long for some platforms (AIX)
# A reported size of 4 is recorded as 0, the same value that marks the type
# as unavailable.
case "x$ac_cv_sizeof_long_long_int" in
x4)	ac_cv_sizeof_long_long_int=0 ;;
esac
3632
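# compute LLONG_MIN and LLONG_MAX if we don't know them.
# Skipped when have_llong_max or have_long_long_max is already set.  The probe
# writes both limits to conftest.llminmax, which is read back with awk on
# success.  It includes <stdlib.h> for exit(): without it, compilers that
# reject implicit function declarations cannot build the probe and the
# limits are reported as "not found".  Nothing is checked when cross compiling.
if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
	AC_MSG_CHECKING([for max value of long long])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
/* Why is this so damn hard? */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))

/*
 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
 * we do this the hard way.
 */
static int
fprint_ll(FILE *f, long long n)
{
	unsigned int i;
	int l[sizeof(long long) * 8];

	if (n < 0)
		if (fprintf(f, "-") < 0)
			return -1;
	for (i = 0; n != 0; i++) {
		l[i] = my_abs(n % 10);
		n /= 10;
	}
	do {
		if (fprintf(f, "%d", l[--i]) < 0)
			return -1;
	} while (i != 0);
	if (fprintf(f, " ") < 0)
		return -1;
	return 0;
}
		]], [[
	FILE *f;
	long long i, llmin, llmax = 0;

	if((f = fopen(DATA,"w")) == NULL)
		exit(1);

#if defined(LLONG_MIN) && defined(LLONG_MAX)
	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
	llmin = LLONG_MIN;
	llmax = LLONG_MAX;
#else
	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
	/* This will work on one's complement and two's complement */
	for (i = 1; i > llmax; i <<= 1, i++)
		llmax = i;
	llmin = llmax + 1LL;	/* wrap */
#endif

	/* Sanity check */
	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
		fprintf(f, "unknown unknown\n");
		exit(2);
	}

	if (fprint_ll(f, llmin) < 0)
		exit(3);
	if (fprint_ll(f, llmax) < 0)
		exit(4);
	if (fclose(f) < 0)
		exit(5);
	exit(0);
		]])],
		[
			llong_min=`$AWK '{print $1}' conftest.llminmax`
			llong_max=`$AWK '{print $2}' conftest.llminmax`

			AC_MSG_RESULT([$llong_max])
			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
			    [max value of long long calculated by configure])
			AC_MSG_CHECKING([for min value of long long])
			AC_MSG_RESULT([$llong_min])
			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
			    [min value of long long calculated by configure])
		],
		[
			AC_MSG_RESULT([not found])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
fi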
3728
# Is UINT32_MAX declared by any of the usual limits headers?
AC_CHECK_DECLS([UINT32_MAX], , , [[
#ifdef HAVE_SYS_LIMITS_H
# include <sys/limits.h>
#endif
#ifdef HAVE_LIMITS_H
# include <limits.h>
#endif
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
]])

# More checks for data types
# A positive result sets both the config.h define and a have_* shell flag.
AC_CACHE_CHECK([for u_int type], [ac_cv_have_u_int], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ u_int a; a = 1;]])],
		[ac_cv_have_u_int="yes"],
		[ac_cv_have_u_int="no"])
])
case "x$ac_cv_have_u_int" in
xyes)
	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
	have_u_int=1
	;;
esac
3752
# Signed fixed-width types: look in sys/types.h first.
AC_CACHE_CHECK([for intXX_t types], [ac_cv_have_intxx_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[ac_cv_have_intxx_t="yes"],
		[ac_cv_have_intxx_t="no"])
])
case "x$ac_cv_have_intxx_t" in
xyes)
	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
	have_intxx_t=1
	;;
esac

# Fall back to stdint.h when sys/types.h did not provide them.
if test "x$have_intxx_t" = "x" && \
   test "x$ac_cv_header_stdint_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t types in stdint.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdint.h> ]],
			[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi

# int64_t may come from several headers, so all candidates are included.
AC_CACHE_CHECK([for int64_t type], [ac_cv_have_int64_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <sys/socket.h>
#ifdef HAVE_SYS_BITYPES_H
# include <sys/bitypes.h>
#endif
		]], [[
int64_t a; a = 1;
		]])],
		[ac_cv_have_int64_t="yes"],
		[ac_cv_have_int64_t="no"])
])
case "x$ac_cv_have_int64_t" in
xyes)
	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
	;;
esac
3796
# BSD-style unsigned fixed-width types: sys/types.h first.
AC_CACHE_CHECK([for u_intXX_t types], [ac_cv_have_u_intxx_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[ac_cv_have_u_intxx_t="yes"],
		[ac_cv_have_u_intxx_t="no"])
])
case "x$ac_cv_have_u_intxx_t" in
xyes)
	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
	have_u_intxx_t=1
	;;
esac

# Fall back to sys/socket.h when sys/types.h did not provide them.
if test "x$have_u_intxx_t" = "x" ; then
	AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
			[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi

AC_CACHE_CHECK([for u_int64_t types], [ac_cv_have_u_int64_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ u_int64_t a; a = 1;]])],
		[ac_cv_have_u_int64_t="yes"],
		[ac_cv_have_u_int64_t="no"])
])
case "x$ac_cv_have_u_int64_t" in
xyes)
	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
	have_u_int64_t=1
	;;
esac

# Fall back to sys/bitypes.h for u_int64_t when that header exists.
if test "x$have_u_int64_t" = "x" && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
			[[ u_int64_t a; a = 1]])],
		[
			AC_DEFINE([HAVE_U_INT64_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi
3842
# C99-style uintXX_t names are only looked for in sys/types.h when the
# BSD-style u_intXX_t names were not found there.
if test "x$have_u_intxx_t" = "x" ; then
	AC_CACHE_CHECK([for uintXX_t types], [ac_cv_have_uintxx_t], [
		AC_COMPILE_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
			]], [[
	uint8_t a;
	uint16_t b;
	uint32_t c;
	a = b = c = 1;
			]])],
			[ac_cv_have_uintxx_t="yes"],
			[ac_cv_have_uintxx_t="no"])
	])
	case "x$ac_cv_have_uintxx_t" in
	xyes)
		AC_DEFINE([HAVE_UINTXX_T], [1],
			[define if you have uintxx_t data type])
		;;
	esac
fi

# NOTE(review): have_uintxx_t is not assigned anywhere in this section, so the
# stdint.h and inttypes.h probes below appear to run whenever their header is
# present - confirm against the rest of the file.
if test "x$have_uintxx_t" = "x" && \
   test "x$ac_cv_header_stdint_h" = "xyes" ; then
	AC_MSG_CHECKING([for uintXX_t types in stdint.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdint.h> ]],
			[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi

if test "x$have_uintxx_t" = "x" && \
   test "x$ac_cv_header_inttypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
			[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi

# Last resort: sys/bitypes.h, tried when either family is still missing.
# The braces spell out how the shell groups the original test chain.
if { test "x$have_u_intxx_t" = "x" || test "x$have_intxx_t" = "x" ; } && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
			int8_t a; int16_t b; int32_t c;
			u_int8_t e; u_int16_t f; u_int32_t g;
			a = b = c = e = f = g = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi
3906
3907
AC_CACHE_CHECK([for u_char], [ac_cv_have_u_char], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ u_char foo; foo = 125; ]])],
		[ac_cv_have_u_char="yes"],
		[ac_cv_have_u_char="no"])
])
case "x$ac_cv_have_u_char" in
xyes)
	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
	;;
esac

# Widest integer types.
AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
])

# Project macro defined outside this section.
TYPE_SOCKLEN_T

AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])

# Filesystem block and file count types.
AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
])

# Optional members of struct statfs.
AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
#ifdef HAVE_SYS_VFS_H
#include <sys/vfs.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
]])


AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
[#include <sys/types.h>
#include <netinet/in.h>])
3965
# Basic POSIX scalar types.  Each probe declares a variable of the type and
# assigns to it; a successful compile yields the matching HAVE_ define.
AC_CACHE_CHECK([for size_t], [ac_cv_have_size_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ size_t foo; foo = 1235; ]])],
		[ac_cv_have_size_t="yes"],
		[ac_cv_have_size_t="no"])
])
case "x$ac_cv_have_size_t" in
xyes)
	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
	;;
esac

AC_CACHE_CHECK([for ssize_t], [ac_cv_have_ssize_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ ssize_t foo; foo = 1235; ]])],
		[ac_cv_have_ssize_t="yes"],
		[ac_cv_have_ssize_t="no"])
])
case "x$ac_cv_have_ssize_t" in
xyes)
	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
	;;
esac

AC_CACHE_CHECK([for clock_t], [ac_cv_have_clock_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <time.h> ]],
			[[ clock_t foo; foo = 1235; ]])],
		[ac_cv_have_clock_t="yes"],
		[ac_cv_have_clock_t="no"])
])
case "x$ac_cv_have_clock_t" in
xyes)
	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
	;;
esac

# sa_family_t is tried a second time with netinet/in.h added when the first
# attempt fails.
AC_CACHE_CHECK([for sa_family_t], [ac_cv_have_sa_family_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ sa_family_t foo; foo = 1235; ]])],
		[ac_cv_have_sa_family_t="yes"],
		[
			AC_COMPILE_IFELSE(
				[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
		]], [[ sa_family_t foo; foo = 1235; ]])],
				[ac_cv_have_sa_family_t="yes"],
				[ac_cv_have_sa_family_t="no"])
		])
])
case "x$ac_cv_have_sa_family_t" in
xyes)
	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
		[define if you have sa_family_t data type])
	;;
esac

AC_CACHE_CHECK([for pid_t], [ac_cv_have_pid_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ pid_t foo; foo = 1235; ]])],
		[ac_cv_have_pid_t="yes"],
		[ac_cv_have_pid_t="no"])
])
case "x$ac_cv_have_pid_t" in
xyes)
	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
	;;
esac

AC_CACHE_CHECK([for mode_t], [ac_cv_have_mode_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
			[[ mode_t foo; foo = 1235; ]])],
		[ac_cv_have_mode_t="yes"],
		[ac_cv_have_mode_t="no"])
])
case "x$ac_cv_have_mode_t" in
xyes)
	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
	;;
esac
4036
4037
# Socket address structures.
AC_CACHE_CHECK([for struct sockaddr_storage],
	[ac_cv_have_struct_sockaddr_storage], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; ]])],
		[ac_cv_have_struct_sockaddr_storage="yes"],
		[ac_cv_have_struct_sockaddr_storage="no"])
])
case "x$ac_cv_have_struct_sockaddr_storage" in
xyes)
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
		[define if you have struct sockaddr_storage data type])
	;;
esac

AC_CACHE_CHECK([for struct sockaddr_in6], [ac_cv_have_struct_sockaddr_in6], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
		[ac_cv_have_struct_sockaddr_in6="yes"],
		[ac_cv_have_struct_sockaddr_in6="no"])
])
case "x$ac_cv_have_struct_sockaddr_in6" in
xyes)
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
		[define if you have struct sockaddr_in6 data type])
	;;
esac

AC_CACHE_CHECK([for struct in6_addr], [ac_cv_have_struct_in6_addr], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
		[ac_cv_have_struct_in6_addr="yes"],
		[ac_cv_have_struct_in6_addr="no"])
])
# The sin6_scope_id member is only probed once struct in6_addr is known to
# exist.
if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
		[define if you have struct in6_addr data type])

dnl Now check for sin6_scope_id
	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
		[
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <netinet/in.h>
		])
fi

AC_CACHE_CHECK([for struct addrinfo], [ac_cv_have_struct_addrinfo], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
		[ac_cv_have_struct_addrinfo="yes"],
		[ac_cv_have_struct_addrinfo="no"])
])
case "x$ac_cv_have_struct_addrinfo" in
xyes)
	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
		[define if you have struct addrinfo data type])
	;;
esac
4103
# Time structures.  AC_HEADER_TIME runs first because the timespec probe
# below depends on TIME_WITH_SYS_TIME.
AC_HEADER_TIME

AC_CACHE_CHECK([for struct timeval], [ac_cv_have_struct_timeval], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
			[[ struct timeval tv; tv.tv_sec = 1;]])],
		[ac_cv_have_struct_timeval="yes"],
		[ac_cv_have_struct_timeval="no"])
])
case "x$ac_cv_have_struct_timeval" in
xyes)
	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
	have_struct_timeval=1
	;;
esac

AC_CACHE_CHECK([for struct timespec], [ac_cv_have_struct_timespec], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
    #ifdef TIME_WITH_SYS_TIME
    # include <sys/time.h>
    # include <time.h>
    #else
    # ifdef HAVE_SYS_TIME_H
    #  include <sys/time.h>
    # else
    #  include <time.h>
    # endif
    #endif
	]],
	[[ struct timespec ts; ts.tv_sec = 1;]])],
		[ac_cv_have_struct_timespec="yes"],
		[ac_cv_have_struct_timespec="no"])
])
case "x$ac_cv_have_struct_timespec" in
xyes)
	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
	have_struct_timespec=1
	;;
esac
4140
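# We need int64_t or else certain parts of the compile will fail.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl test snprintf (broken on SCO w/gcc)
dnl The probe formats the largest signed 64-bit value and compares the text.
dnl It declares main with an explicit return type and includes stdlib.h for
dnl exit: a compiler that rejects implicit int or implicit function
dnl declarations would otherwise fail to build the probe, and a failed probe
dnl is treated the same as a broken snprintf.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int
main(void)
{
	char buf[50];
	char expected_out[50];
	int maxsize = 50;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, maxsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int
main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
	)
fi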
4179
dnl Checks for structure members
dnl Login-record fields looked up in utmp.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
dnl Login-record fields looked up in utmpx.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4198
# Optional members of struct stat and struct passwd.
AC_CHECK_MEMBERS([struct stat.st_blksize, struct stat.st_mtim,
struct stat.st_mtime])
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
struct passwd.pw_change, struct passwd.pw_expire],
[], [], [[
#include <sys/types.h>
#include <pwd.h>
]])

# When struct __res_state has no retrans member, the name __res_state is
# defined to state.
AC_CHECK_MEMBER([struct __res_state.retrans], [],
	[AC_DEFINE([__res_state], [state],
		[Define if we don't have struct __res_state in resolv.h])],
[[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
]])
4220
# struct sockaddr_storage names its family member either ss_family or
# __ss_family.  Each spelling is probed and cached on its own.
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
		ac_cv_have_ss_family_in_struct_ss, [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
		[ac_cv_have_ss_family_in_struct_ss="yes"],
		[ac_cv_have_ss_family_in_struct_ss="no"])
])
case "x$ac_cv_have_ss_family_in_struct_ss" in
xyes)
	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
	;;
esac

AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
		ac_cv_have___ss_family_in_struct_ss, [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
		[ac_cv_have___ss_family_in_struct_ss="yes"],
		[ac_cv_have___ss_family_in_struct_ss="no"])
])
case "x$ac_cv_have___ss_family_in_struct_ss" in
xyes)
	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
		[Fields in struct sockaddr_storage])
	;;
esac
4248
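dnl make sure we're using the real structure members and not defines
dnl The probe calls exit, so it includes stdlib.h.  Without the declaration a
dnl compiler that rejects implicit function declarations fails the probe for
dnl a reason unrelated to msg_accrights, and access-rights style descriptor
dnl passing would be reported as missing.
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
		ac_cv_have_accrights_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ ac_cv_have_accrights_in_msghdr="yes" ],
		[ ac_cv_have_accrights_in_msghdr="no" ]
	)
])
if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])
fi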
4274
# Shape of the f_fsid member of struct statvfs.  When assigning 0 to it does
# not compile, two follow-up probes look for a val or __val array member in
# fsid_t.
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])

	AC_MSG_CHECKING([if fsid_t has member val])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
		]], [[ fsid_t t; t.val[0] = 0; ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val])],
		[AC_MSG_RESULT([no])])

	AC_MSG_CHECKING([if f_fsid has member __val])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
		]], [[ fsid_t t; t.__val[0] = 0; ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val])],
		[AC_MSG_RESULT([no])])
])
4310
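dnl Probe for the msg_control member of struct msghdr, refusing a macro of
dnl the same name.  The probe calls exit, so it includes stdlib.h: without
dnl the declaration a compiler that rejects implicit function declarations
dnl fails the probe for an unrelated reason, and ancillary-data descriptor
dnl passing would be reported as missing.
AC_CACHE_CHECK([for msg_control field in struct msghdr],
		ac_cv_have_control_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ ac_cv_have_control_in_msghdr="yes" ],
		[ ac_cv_have_control_in_msghdr="no" ]
	)
])
if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])
fi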
4335
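dnl Link test for a libc-provided __progname symbol.  stdio.h is included so
dnl that printf is declared; an undeclared printf makes the probe fail on
dnl compilers that reject implicit function declarations, whatever libc
dnl provides.
AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
		[[ extern char *__progname; printf("%s", __progname); ]])],
	[ ac_cv_libc_defines___progname="yes" ],
	[ ac_cv_libc_defines___progname="no"
	])
])
if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
fi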
4346
# Function-name identifiers offered by the compiler.  __FUNCTION__ and
# __func__ are tested separately by printing each one in a linked program.
AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __FUNCTION__); ]])],
		[ac_cv_cc_implements___FUNCTION__="yes"],
		[ac_cv_cc_implements___FUNCTION__="no"])
])
case "x$ac_cv_cc_implements___FUNCTION__" in
xyes)
	AC_DEFINE([HAVE___FUNCTION__], [1],
		[Define if compiler implements __FUNCTION__])
	;;
esac

AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __func__); ]])],
		[ac_cv_cc_implements___func__="yes"],
		[ac_cv_cc_implements___func__="no"])
])
case "x$ac_cv_cc_implements___func__" in
xyes)
	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
	;;
esac
4369
# va_copy and its double-underscore spelling are each tested with a link
# test against two file-scope va_list objects.
AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ va_copy(x,y); ]])],
		[ac_cv_have_va_copy="yes"],
		[ac_cv_have_va_copy="no"])
])
case "x$ac_cv_have_va_copy" in
xyes)
	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
	;;
esac

AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ __va_copy(x,y); ]])],
		[ac_cv_have___va_copy="yes"],
		[ac_cv_have___va_copy="no"])
])
case "x$ac_cv_have___va_copy" in
xyes)
	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
	;;
esac
4394
# optreset: link a program that declares the variable extern and assigns it.
AC_CACHE_CHECK([whether getopt has optreset support],
		ac_cv_have_getopt_optreset, [
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <getopt.h> ]],
			[[ extern int optreset; optreset = 0; ]])],
		[ac_cv_have_getopt_optreset="yes"],
		[ac_cv_have_getopt_optreset="no"])
])
case "x$ac_cv_have_getopt_optreset" in
xyes)
	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
		[Define if your getopt(3) defines and uses optreset])
	;;
esac
4407
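dnl Link tests for the libc symbols sys_errlist and sys_nerr.  Both probes
dnl call printf, so stdio.h is included: an undeclared printf makes them fail
dnl on compilers that reject implicit function declarations, whatever libc
dnl provides.
AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
	[ ac_cv_libc_defines_sys_errlist="yes" ],
	[ ac_cv_libc_defines_sys_errlist="no"
	])
])
if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
		[Define if your system defines sys_errlist[]])
fi


AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
	[ ac_cv_libc_defines_sys_nerr="yes" ],
	[ ac_cv_libc_defines_sys_nerr="no"
	])
])
if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
fi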
4431
# Check libraries needed by DNS fingerprint support
# A system getrrsetbyname is used when one is found.  Otherwise the resolver
# pieces that the bundled replacement depends on are located one by one.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
			[AC_MSG_RESULT([yes])],
			[AC_MSG_RESULT([no])
			 # Retry with the resolver library appended and keep
			 # the old LIBS to restore when that fails too.
			 saved_LIBS="$LIBS"
			 LIBS="$LIBS -lresolv"
			 AC_MSG_CHECKING([for res_query in -lresolv])
			 AC_LINK_IFELSE(
				[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
				[AC_MSG_RESULT([yes])],
				[LIBS="$saved_LIBS"
				 AC_MSG_RESULT([no])])
			])
		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], [], [],
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])],
			[],
			[#include <arpa/nameser.h>])
	])
4477
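dnl Link test: take the address of _res through a volatile pointer so the
dnl symbol has to resolve at link time.  The program macro takes a prologue
dnl and a body only, so the stray empty third argument has been dropped.
AC_MSG_CHECKING([if struct __res_state _res is an extern])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
		]], [[
struct __res_state *volatile p = &_res;  /* force resolution of _res */
return 0;
		]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([HAVE__RES_EXTERN], [1],
		    [Define if you have struct __res_state _res as an extern])
		],
		[ AC_MSG_RESULT([no]) ]
)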
4498
# Check whether user wants SELinux support
# Opt-in only.  Once requested, a missing header or library stops configure
# with an error, so the build cannot silently go on without SELinux.
LIBSELINUX=""
SELINUX_MSG="no"
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[
		case "x$withval" in
		xno)
			;;
		*)
			save_LIBS="$LIBS"
			SELINUX_MSG="yes"
			AC_DEFINE([WITH_SELINUX], [1],
				[Define if you want SELinux support.])
			AC_CHECK_HEADER([selinux/selinux.h], [],
				[AC_MSG_ERROR([SELinux support requires selinux.h header])])
			AC_CHECK_LIB([selinux], [setexeccon],
				[LIBSELINUX="-lselinux"
				 LIBS="$LIBS -lselinux"],
				[AC_MSG_ERROR([SELinux support requires libselinux library])])
			SSHLIBS="$SSHLIBS $LIBSELINUX"
			SSHDLIBS="$SSHDLIBS $LIBSELINUX"
			# The function checks run while libselinux is still
			# in LIBS.  The saved value is restored afterwards.
			AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
			LIBS="$save_LIBS"
			;;
		esac
	]
)
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS])
4524
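# Check whether user wants Kerberos 5 support
# The value given to --with-kerberos5 becomes KRB5ROOT.  A krb5-config found
# under that root or on PATH is executed by this script and its output is
# added to the compiler flags, so the root should be a trusted prefix.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		# The helper path is quoted wherever it is tested or run so
		# that a root containing whitespace stays a single word.
		if test -x "$KRB5CONF" ; then
			K5CFLAGS=`"$KRB5CONF" --cflags`
			K5LIBS=`"$KRB5CONF" --libs`
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			if "$KRB5CONF" | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS=`"$KRB5CONF" --cflags gssapi`
				GSSLIBS=`"$KRB5CONF" --libs gssapi`
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No usable krb5-config: fall back to fixed include
			# and library directories below KRB5ROOT and pick
			# the libraries by hand.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			# Try the GSS-API library names in turn and warn
			# when none of them links.
			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
					])
				])

			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
				  )
				]
			)

			# The extra include directory is kept only when
			# gssapi_krb5.h is found with it.
			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		# rpath_opt and blibpath are set outside this section.  When
		# present, the library directory under KRB5ROOT is added to
		# the paths they carry.
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# The Kerberos libraries are in LIBS only for these function
		# checks.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])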
4652
# Looking for programs, paths and files

# Directory used as the privilege separation chroot.  An empty value and the
# bare yes or no forms of the option leave the default in place.
# NOTE(review): this script does not check ownership or permissions of the
# chosen directory, so that is left to the installer.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			PRIVSEP_PATH=$withval
			;;
		esac
	]
)
AC_SUBST([PRIVSEP_PATH])
4666
# Location of the xauth program.  An explicit path from the option is taken
# as given.  Otherwise PATH plus four common X11 directories is searched, and
# /usr/openwin/bin/xauth replaces any hit when it is executable.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			xauth_path=$withval
			;;
		esac
	],
	[
		TestPath="$PATH"
		for xdir in /usr/X/bin /usr/bin/X11 /usr/X11R6/bin /usr/openwin/bin
		do
			TestPath="${TestPath}${PATH_SEPARATOR}${xdir}"
		done
		AC_PATH_PROG([xauth_path], [xauth], [], [$TestPath])
		if test -n "$xauth_path" && test -x "/usr/openwin/bin/xauth" ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4687
# STRIP_OPT holds -s unless --disable-strip is given, in which case it is
# emptied.
STRIP_OPT=-s
AC_ARG_ENABLE([strip],
	[  --disable-strip         Disable calling strip(1) on install],
	[
		case "x$enableval" in
		xno)
			STRIP_OPT=
			;;
		esac
	]
)
AC_SUBST([STRIP_OPT])

# Export the xauth location.  The C define is emitted only when a path is
# known, while the substituted variable falls back to the word undefined.
if test -n "$xauth_path" ; then
	XAUTH_PATH=$xauth_path
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
else
	XAUTH_PATH="undefined"
fi
AC_SUBST([XAUTH_PATH])
4708
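dnl # --with-maildir=/path/to/mail gets top priority.
dnl # if maildir is set in the platform case statement above we use that.
dnl # Otherwise we run a program to get the dir from system headers.
dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
dnl # If we find _PATH_MAILDIR we do nothing because that is what
dnl # session.c expects anyway. Otherwise we set to the value found
dnl # stripping any trailing slash. If for some strange reason our program
dnl # does not find what it needs, we default to /var/spool/mail.
dnl # The probe includes stdlib.h for exit.  Without it a compiler that
dnl # rejects implicit function declarations fails to build the probe and
dnl # the mail directory from the system headers is never read.
# Check for mail directory
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
	    test "x${withval}" != xyes; then
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
	    fi
     ],[
	if test "X$maildir" != "X"; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

#if defined (_PATH_MAILDIR)
	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
		exit(1);
#elif defined (MAILDIR)
	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
		exit(1);
#elif defined (_PATH_MAIL)
	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
		exit(1);
#else
	exit (2);
#endif

	exit(0);
		]])],
		[
		    # The probe wrote one line of the form NAME:VALUE.
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    fi
		],
		[
		    if test "X$ac_status" = "X2";then
# our test program didn't find it. Default to /var/spool/mail
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		     else
			AC_MSG_RESULT([*** not found ***])
		     fi
		],
		[
			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir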
4790
# Pseudo-terminal device probes.  Both look at files on the build machine,
# so neither is run when cross compiling.
if test "x$cross_compiling" = "xyes"; then
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
	disable_ptmx_check=yes
fi
if test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes" ; then
	AC_CHECK_FILE(["/dev/ptmx"],
		[
			have_dev_ptmx=1
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
				[Define if you have /dev/ptmx])
		]
	)
fi

# An empty cross_compiling value takes the warning branch as well.
if test -z "$cross_compiling" || test "x$cross_compiling" = "xyes"; then
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
else
	AC_CHECK_FILE(["/dev/ptc"],
		[
			have_dev_ptc=1
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
				[Define if you have /dev/ptc])
		]
	)
fi
4818
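# Options from here on. Some of these are preset by platform above
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		case "$withval" in
		man|cat|doc)
			MANTYPE=$withval
			;;
		*)
			AC_MSG_ERROR([invalid man type: $withval])
			;;
		esac
	]
)
# With no explicit type, try the formatters on ssh.1.  Each attempt is
# guarded by a non-empty check on the formatter variable: with an empty
# variable the command line would start with the next word, so the shell
# would try to execute ssh.1 from the source tree or a word such as -mdoc.
if test -z "$MANTYPE"; then
	if test -n "${MANDOC}" && \
	    ${MANDOC} "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi
AC_SUBST([MANTYPE])
# The doc type shares the man subdirectory.  The other types use a
# subdirectory named after themselves.
if test "$MANTYPE" = "doc"; then
	mansubdir=man;
else
	mansubdir=$MANTYPE;
fi
AC_SUBST([mansubdir])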
4851
# Check whether to enable MD5 passwords
# Off unless requested.  MD5_MSG records the choice.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[
		case "x$withval" in
		xno)
			;;
		*)
			MD5_MSG="yes"
			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
				[Define if you want to allow MD5 passwords])
			;;
		esac
	]
)
4864
# Whether to disable shadow password support
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[
		case "x$withval" in
		xno)
			disable_shadow=yes
			AC_DEFINE([DISABLE_SHADOW])
			;;
		esac
	]
)

# Unless shadow support was switched off above, test whether struct spwd
# carries the sp_expire, sp_lstchg and sp_inact members.
if test -z "$disable_shadow" ; then
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[sp_expire_available=yes],
		[])

	case "x$sp_expire_available" in
	xyes)
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
		;;
	*)
		AC_MSG_RESULT([no])
		;;
	esac
fi
4894
# Use ip address instead of hostname in $DISPLAY
# A non-empty IPADDR_IN_DISPLAY shell variable forces the define.  Otherwise
# the command-line option decides.
if test -z "$IPADDR_IN_DISPLAY" ; then
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[
			case "x$withval" in
			xno)
				;;
			*)
				DISPLAY_HACK_MSG="yes"
				AC_DEFINE([IPADDR_IN_DISPLAY])
				;;
			esac
		]
	)
else
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
fi
4913
# check for /etc/default/login and use it if present.
# Handling defaults to on.  It is turned off by --disable-etc-default-login
# or, when the option is absent, by a cross-compiling build.
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[
		etc_default_login=yes
		if test "x$enableval" = "xno"; then
			AC_MSG_NOTICE([/etc/default/login handling disabled])
			etc_default_login=no
		fi
	],
	[
		etc_default_login=yes
		if test "x$cross_compiling" = "xyes"; then
			AC_MSG_WARN([cross compiling: not checking /etc/default/login])
			etc_default_login=no
		fi
	]
)

# When the file exists on the build machine, remember it as the external
# source of PATH and publish the define.
case "x$etc_default_login" in
xno)
	;;
*)
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	if test "x$external_path_file" = "x/etc/default/login"; then
		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])
	fi
	;;
esac
4940
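dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both cache variables are quoted and x-prefixed: if either one is unset,
dnl an unquoted expansion leaves test with a missing operand and a shell
dnl error instead of a plain false result.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi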
4946
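# Whether to mess with the default path
# The result ends up in USER_PATH, the default PATH compiled in for the
# server.  Without the option, the system standard path is read from the
# headers by a small probe, and bindir is appended when it is missing.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		# The probe includes stdlib.h for exit.  Without it a
		# compiler that rejects implicit function declarations
		# fails to build the probe and the hard-coded fallback
		# path is used without any message.
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		t_bindir="${bindir}"
		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole colon-separated entries.  A prefix match
		# would treat bindir as present when only a longer
		# directory that starts with the same text is listed.
		case ":$user_path:" in
		*":$t_bindir:"*)
			;;
		*)
			user_path=$user_path:$t_bindir
			AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			;;
		esac
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi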
5034
# Set superuser path separately to user path
# Only an explicit value is accepted.  An empty value and the bare yes or no
# forms of the option define nothing.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			superuser_path=$withval
			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
				[Define if you want a different $PATH
				for the superuser])
			;;
		esac
	]
)
5048
5049
# IPv4-mapped IPv6 address handling.  The option decides when it is given.
# Otherwise the inet6_default_4in6 shell variable supplies the default.
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH([4in6],
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[
		case "x$withval" in
		xno)
			AC_MSG_RESULT([no])
			;;
		*)
			AC_MSG_RESULT([yes])
			AC_DEFINE([IPV4_IN_IPV6], [1],
				[Detect IPv4 in IPv6 mapped addresses
				and treat as IPv4])
			IPV4_IN6_HACK_MSG="yes"
			;;
		esac
	], [
		case "x$inet6_default_4in6" in
		xyes)
			AC_MSG_RESULT([yes (default)])
			AC_DEFINE([IPV4_IN_IPV6])
			IPV4_IN6_HACK_MSG="yes"
			;;
		*)
			AC_MSG_RESULT([no (default)])
			;;
		esac
	]
)
5074
# Whether to enable BSD auth support
# Off unless requested.  BSD_AUTH_MSG records the choice.
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[
		case "x$withval" in
		xno)
			;;
		*)
			BSD_AUTH_MSG=yes
			AC_DEFINE([BSD_AUTH], [1],
				[Define if you have BSD auth support])
			;;
		esac
	]
)
5087
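# Where to place sshd.pid
# Defaults to /var/run and falls back to the expanded sysconfdir when that
# directory does not exist on the build machine.  The directory tests quote
# the path so a value containing whitespace is tested as one word.
piddir=/var/run
# make sure the directory exists
if test ! -d "$piddir" ; then
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi

AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			# A missing directory only draws a warning.  The
			# value is still used.
			if test ! -d "$piddir" ; then
			AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)

AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])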
5114
dnl allow user to disable some login recording features
dnl Every switch below has the same shape: the matching DISABLE define is
dnl emitted only when the feature is explicitly disabled.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_LASTLOG])
			;;
		esac
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMP])
			;;
		esac
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMP])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_LOGIN])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
			;;
		esac
	]
)
dnl --with-lastlog=FILE|DIR sets conf_lastlog_location explicitly, which the
dnl file search further down then leaves alone; --without-lastlog disables
dnl lastlog use.  A bare --with-lastlog or an empty value changes nothing.
AC_ARG_WITH([lastlog],
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		AS_IF([test "x$withval" = "xno"], [
			AC_DEFINE([DISABLE_LASTLOG])
		], [
			AS_IF([test -n "$withval"  &&  test "x${withval}" != "xyes"], [
				conf_lastlog_location=$withval
			])
		])
	]
)

dnl lastlog, [uw]tmpx? detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog and [uw]tmp are subject to a file search if all else fails

dnl lastlog detection
dnl  NOTE: the code itself will detect if lastlog is a directory
dnl The headers are probed for LASTLOG_FILE first and _PATH_LASTLOG second;
dnl system_lastlog_path=no records that neither name compiled.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
			[ AC_MSG_RESULT([yes]) ],
			[
				system_lastlog_path=no
				AC_MSG_RESULT([no])
			])
	])

dnl The file search only runs when no location was configured and the
dnl headers supplied none.  The loop does not stop at the first hit, so the
dnl last existing candidate in the list is the one kept.
dnl NOTE(review): the result reflects the build host filesystem and is
dnl compiled in as CONF_LASTLOG_FILE.  When packages are built in a minimal
dnl chroot or container, passing --with-lastlog keeps the deployed sshd
dnl recording to the intended location.
if test -z "$conf_lastlog_location" && \
    test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
		AC_MSG_WARN([** Cannot find lastlog **])
	fi
fi

AS_IF([test -n "$conf_lastlog_location"], [
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
])

dnl utmp detection
dnl When the headers do not define UTMP_FILE, no location was configured
dnl and none of the candidate files exists on the build host, utmp
dnl recording is compiled out via DISABLE_UTMP.  The last existing
dnl candidate wins because the loop does not stop at the first hit.
dnl NOTE(review): on such a platform a build host without these files
dnl (a bare container, for example) silently produces an sshd that writes
dnl no utmp entries; check config.h when login records matter.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		system_utmp_path=no
		AC_MSG_RESULT([no])
	])
if test -z "$conf_utmp_location" && \
    test x"$system_utmp_path" = x"no" ; then
	for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
		test -f "$f" && conf_utmp_location=$f
	done
	if test -z "$conf_utmp_location"; then
		AC_DEFINE([DISABLE_UTMP])
	fi
fi
AS_IF([test -n "$conf_utmp_location"], [
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
])

dnl wtmp detection
dnl Same scheme as utmp: probe the headers for WTMP_FILE, then search the
dnl candidate files when nothing was configured, and define DISABLE_WTMP
dnl when neither yields a location.  The last existing candidate wins.
dnl NOTE(review): wtmp is the login history; a build host lacking both
dnl candidate files yields an sshd without wtmp writes on platforms whose
dnl headers do not define WTMP_FILE - verify in config.h.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		system_wtmp_path=no
		AC_MSG_RESULT([no])
	])
if test -z "$conf_wtmp_location" && \
    test x"$system_wtmp_path" = x"no" ; then
	for f in /usr/adm/wtmp /var/log/wtmp; do
		test -f "$f" && conf_wtmp_location=$f
	done
	if test -z "$conf_wtmp_location"; then
		AC_DEFINE([DISABLE_WTMP])
	fi
fi
AS_IF([test -n "$conf_wtmp_location"], [
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
])

dnl wtmpx detection
dnl There is no file search for wtmpx: a configured conf_wtmpx_location is
dnl compiled in as CONF_WTMPX_FILE, otherwise wtmpx is disabled when the
dnl headers do not define WTMPX_FILE.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		system_wtmpx_path=no
		AC_MSG_RESULT([no])
	])
if test -n "$conf_wtmpx_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
elif test x"$system_wtmpx_path" = x"no" ; then
	AC_DEFINE([DISABLE_WTMPX])
fi


dnl When blibpath is set, append blibflags immediately followed by blibpath
dnl to LDFLAGS and ask the builder to review the result.
dnl NOTE(review): blibpath is set outside this section; it looks like a
dnl library search path that ends up in the linked binaries, so review it
dnl for directories that unprivileged users can write to - confirm.
AS_IF([test -n "$blibpath"], [
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
])

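dnl Disable lastlog when struct lastlog has no ll_line member, unless
dnl SKIP_DISABLE_LASTLOG_DEFINE is "yes" (set outside this section,
dnl presumably by a platform case - confirm there).
dnl The variable is quoted so that a value containing whitespace cannot
dnl make the test fail and skip the define by accident.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
    if test "x$SKIP_DISABLE_LASTLOG_DEFINE" != "xyes" ; then
	AC_DEFINE([DISABLE_LASTLOG])
    fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
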
dnl Without a ut_line member in struct utmp both utmp and wtmp recording
dnl are disabled, regardless of the path detection above.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_WTMP])
	AC_DEFINE([DISABLE_UTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])

dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
dnl werror_flags is collected before this point; from here on the flags
dnl take effect for anything that uses CFLAGS.
CFLAGS="${CFLAGS} ${werror_flags}"

dnl Values substituted into the generated files.  TEST_SSH_IPV6 is "no"
dnl when getaddrinfo was not found or BROKEN_GETADDRINFO is declared,
dnl and "yes" otherwise.
TEST_SSH_IPV6=yes
AS_IF([test "x$ac_cv_func_getaddrinfo" != "xyes"], [TEST_SSH_IPV6=no])
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
dnl DEPEND carries the contents of the .depend file in the source directory.
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])

dnl CFLAGS_AFTER and LDFLAGS_AFTER are appended last, so they follow every
dnl flag configure collected itself.
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
dnl Only the first " -pie" or " -fPIE" is removed, and only when a space
dnl precedes it.
dnl NOTE(review): these copies are presumably meant for objects that cannot
dnl be linked as PIE.  An ordinary executable built with them would lose
dnl address randomisation of its own image, so confirm which Makefile
dnl targets use the NOPIE variants.
CFLAGS_NOPIE=`echo "$CFLAGS" | sed -e 's/ -fPIE//'`
AC_SUBST([CFLAGS_NOPIE])
LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed -e 's/ -pie//'`
AC_SUBST([LDFLAGS_NOPIE])

dnl Register the files to generate and write them out together with
dnl config.h.  Everything after AC_OUTPUT is reporting only.
AC_EXEEXT
AC_CONFIG_FILES([
	Makefile
	buildpkg.sh
	opensshd.init
	openssh.xml
	openbsd-compat/Makefile
	openbsd-compat/regress/Makefile
	survey.sh
])
AC_OUTPUT

# Print summary of options

# Someone please show me a better way :)
# Every path is expanded twice because the directory variables can be
# written in terms of other variables that need a second expansion.
A=`eval echo ${prefix}`
A=`eval echo ${A}`
B=`eval echo ${bindir}`
B=`eval echo ${B}`
C=`eval echo ${sbindir}`
C=`eval echo ${C}`
D=`eval echo ${sysconfdir}`
D=`eval echo ${D}`
E=`eval echo ${libexecdir}/ssh-askpass`
E=`eval echo ${E}`
F=`eval echo ${mandir}/${mansubdir}X`
F=`eval echo ${F}`
G=`eval echo ${piddir}`
G=`eval echo ${G}`
H=`eval echo ${PRIVSEP_PATH}`
H=`eval echo ${H}`
I=`eval echo ${user_path}`
I=`eval echo ${I}`
J=`eval echo ${superuser_path}`
J=`eval echo ${J}`

# Installation paths first, then one line per optional feature.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
if test "x$external_path_file" = "x/etc/login.conf" ; then
	echo "   At runtime, sshd will use the path defined in $external_path_file"
	echo "   Make sure the path to scp is present, otherwise scp will not work"
else
	echo "            sshd default user PATH: $I"
	if test -n "$external_path_file"; then
		echo "   (If PATH is set in $external_path_file it will be used instead. If"
		echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
if test -n "$superuser_path" ; then
	echo "          sshd superuser user PATH: $J"
fi
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"

# Toolchain part of the summary: host triplet, compiler and the final
# flag and library sets, with the sshd-only and ssh-only libraries
# listed when they are set.
echo ""

echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
if test -n "${SSHDLIBS}"; then
	echo "         +for sshd: ${SSHDLIBS}"
fi
if test -n "${SSHLIBS}"; then
	echo "          +for ssh: ${SSHLIBS}"
fi

echo ""

# Closing advisory notes.  They are printed with echo only and none of
# them changes what was configured.
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
fi

if test "x$PAM_MSG" = "xyes" ; then
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
fi

# NOTE(review): this notice is the only signal in this section that the
# ssh-agent peer credential check is unavailable on the platform, so
# automated builds presumably need to keep the configure output to see it.
if test -n "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
