xref: /openssh-portable/configure.ac (revision 493339a9)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
# Package identity: name "OpenSSH", version string "Portable", and the
# address shown for bug reports.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
# Project-local macros are looked up in m4/.
AC_CONFIG_MACRO_DIR([m4])
# Sanity check: configure must be run against the tree that contains ssh.c.
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])

# Results of the checks below are written to config.h.
AC_CONFIG_HEADERS([config.h])
# Compiler search order: "cc" first, then "gcc".
AC_PROG_CC([cc gcc])
23
# XXX relax this after reimplementing logit() etc.
# Hard requirement: configure aborts unless the compiler accepts a C99-style
# variadic macro. This is a compile-only test; the program is never run.
AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
int f(int a, int b, int c) { return a + b + c; }
#define F(a, ...) f(a, __VA_ARGS__)
]], [[return F(1, 2, -3);]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
)
33
# Canonical host triplet ($host, used by the target-specific case statement
# further down) and byte order.
AC_CANONICAL_HOST
AC_C_BIGENDIAN

# Checks for programs.
# NOTE(review): the AC_PATH_PROG lookups below resolve absolute paths through
# the PATH in effect while configure runs, and the results are substituted
# into the build. Run configure with a trusted PATH.
AC_PROG_AWK
AC_PROG_CPP
AC_PROG_RANLIB
AC_PROG_INSTALL
AC_PROG_EGREP
AC_PROG_MKDIR_P
AC_CHECK_TOOLS([AR], [ar])
AC_PATH_PROG([CAT], [cat])
AC_PATH_PROG([KILL], [kill])
AC_PATH_PROG([SED], [sed])
# TEST_MINUS_S_SH is probed three times; AC_PATH_PROG leaves an already-set
# variable alone, so the first shell found in the order bash, ksh, sh wins.
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
AC_PATH_PROG([SH], [sh])
# Manual page formatter candidates; one of them is selected into MANFMT below.
AC_PATH_PROG([GROFF], [groff])
AC_PATH_PROG([NROFF], [nroff awf])
AC_PATH_PROG([MANDOC], [mandoc])
# TEST_SHELL is substituted with the plain name "sh" (no path lookup).
AC_SUBST([TEST_SHELL], [sh])
56
dnl Choose the formatter used to build the pre-formatted ("cat") manual
dnl pages. Preference order: mandoc, then nroff, then groff. When none was
dnl found a warning is printed and MANFMT is the literal command "false".
MANFMT="false"
if test -n "$MANDOC" ; then
	MANFMT="$MANDOC"
elif test -n "$NROFF" ; then
	MANFMT="$NROFF -mandoc"
elif test -n "$GROFF" ; then
	MANFMT="$GROFF -mandoc -Tascii"
else
	AC_MSG_WARN([no manpage formatter found])
fi
AC_SUBST([MANFMT])
69
dnl for buildpkg.sh
dnl groupadd and useradd are searched only in /usr/sbin and /etc (the fourth
dnl argument replaces PATH for these two lookups); if neither directory has
dnl the tool, the bare command name is substituted instead of a full path.
AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
dnl MAKE_PACKAGE_SUPPORTED is "yes" when pkgmk is found, "no" otherwise.
AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
dnl Shell for the startup script: /sbin/sh when it exists and is executable
dnl on the build machine, /bin/sh otherwise.
if test -x /sbin/sh; then
	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
else
	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
fi
81
# System features
AC_SYS_LARGEFILE

# AR was probed earlier with AC_CHECK_TOOLS; an empty value means no archiver
# was found, which is fatal.
if test -z "$AR" ; then
	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
fi
88
# Locate the passwd program. When it is found, its absolute path is recorded
# in config.h as the string macro _PATH_PASSWD_PROG; when it is not found the
# macro is left undefined.
# NOTE(review): the path is taken from the PATH that configure runs with, so
# the build environment decides which passwd binary gets recorded.
AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
if test -n "$PATH_PASSWD_PROG" ; then
	AC_DEFINE_UNQUOTED(
		[_PATH_PASSWD_PROG],
		["$PATH_PASSWD_PROG"],
		[Full path of your "passwd" program])
fi
94
dnl Since autoconf doesn't support it very well, we no longer allow users to
dnl override LD; however, the hook is kept here for now in case there's a
dnl use case we overlooked and someone needs to re-enable it.  Unless a good
dnl reason is found we'll be removing this in future.
dnl Linking always goes through the compiler driver: LD is forced to $CC,
dnl overwriting any LD value inherited from the environment.
LD="$CC"
AC_SUBST([LD])
101
AC_C_INLINE

# Declaration probes. Each have_* shell variable is set to 1 only when the
# declaration is found and stays unset otherwise.
# have_llong_max is consulted again in the GCC-specific section below, which
# retries the LLONG_MAX probe with -std=gnu99.
AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
# NOTE(review): have_systr_policy_kill and have_linux_no_new_privs are not
# read in the part of the file visible here; presumably they feed the sandbox
# selection later on - confirm.
AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
	#include <sys/types.h>
	#include <sys/param.h>
	#include <dev/systrace.h>
])
# Unlike the probes above, this one defines HAVE_RLIMIT_NPROC in config.h
# directly instead of setting a shell variable.
AC_CHECK_DECL([RLIMIT_NPROC],
    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
	#include <sys/types.h>
	#include <sys/resource.h>
])
# PR_SET_NO_NEW_PRIVS is the Linux prctl option that stops a process from
# gaining privileges across execve.
AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
	#include <sys/types.h>
	#include <linux/prctl.h>
])
120
# OpenSSL (libcrypto) is the default crypto provider. Only an explicit
# --without-openssl (or --with-openssl=no) turns it off, leaving the limited
# internal crypto that the help text marks as EXPERIMENTAL. Any other value
# given to --with-openssl keeps the default.
openssl=yes
AC_ARG_WITH([openssl],
	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
	[
		if test "x$withval" = "xno" ; then
			openssl=no
		fi
	]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
if test "x$openssl" != "xyes" ; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
fi
136
# Both hardening switches default to on (1). They are turned off only by an
# explicit --without-stackprotect / --without-hardening (withval "no"); any
# other value leaves the protection enabled.
use_stack_protector=1
use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
	[  --without-stackprotect  Don't use compiler's stack protection],
	[
		if test "x$withval" = "xno"; then
			use_stack_protector=0
		fi
	]
)
AC_ARG_WITH([hardening],
	[  --without-hardening     Don't use toolchain hardening flags],
	[
		if test "x$withval" = "xno"; then
			use_toolchain_hardening=0
		fi
	]
)
149
# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.
# CFLAGS is modified only for the duration of this probe and restored
# afterwards; the outcome is kept in WERROR ("-Werror" or empty).
# NOTE(review): WERROR is not read in the part of the file visible here;
# presumably the OSSH_CHECK_* flag macros use it - confirm in m4/.
AC_MSG_CHECKING([if $CC supports -Werror])
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
	[ AC_MSG_RESULT([yes])
	  WERROR="-Werror"],
	[ AC_MSG_RESULT([no])
	  WERROR="" ]
)
CFLAGS="$saved_CFLAGS"
162
# Warning and hardening flags, probed only when the compiler reports itself
# as GCC-compatible ($GCC is "yes" or "egcs").
# NOTE(review): OSSH_CHECK_CFLAG_COMPILE, OSSH_CHECK_CFLAG_LINK and
# OSSH_CHECK_LDFLAG_LINK are not defined in this file (presumably in m4/).
# The comments below assume each one keeps the flag only when the test
# compile or link succeeds, and that the two-argument form tests the first
# flag and adds the second - confirm against their definitions.
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
	OSSH_CHECK_CFLAG_COMPILE([-pipe])
	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
	OSSH_CHECK_CFLAG_COMPILE([-Wall])
	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
    # Toolchain hardening; the whole group is skipped with --without-hardening.
    #   -mretpoline / -z retpolineplt : retpoline code generation
    #   -D_FORTIFY_SOURCE=2           : fortified libc call checking
    #   -z relro + -z now             : read-only relocations, eager binding
    #   -z noexecstack                : non-executable stack marking
    # NOTE(review): glibc applies _FORTIFY_SOURCE only when optimisation is
    # enabled; check that the final CFLAGS carry an -O level.
    if test "x$use_toolchain_hardening" = "x1"; then
	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
	# NB. -ftrapv expects certain support functions to be present in
	# the compiler library (libgcc or similar) to detect integer operations
	# that can overflow. We must check that the result of enabling it
	# actually links. The test program compiled/linked includes a number
	# of integer operations that should exercise this.
	OSSH_CHECK_CFLAG_LINK([-ftrapv])
    fi
	# Compiler versions 1.x and 2.x are treated as lacking the nonnull
	# attribute; no_attrib_nonnull is read after this section to decide
	# whether HAVE_ATTRIBUTE__NONNULL__ gets defined.
	AC_MSG_CHECKING([gcc version])
	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
	case $GCC_VER in
		1.*) no_attrib_nonnull=1 ;;
		2.8* | 2.9*)
		     no_attrib_nonnull=1
		     ;;
		2.*) no_attrib_nonnull=1 ;;
		*) ;;
	esac
	AC_MSG_RESULT([$GCC_VER])

	# -fno-builtin-memset stays in CFLAGS when the test program links and
	# is rolled back otherwise.
	# NOTE(review): presumably this keeps memset calls that wipe buffers
	# from being replaced by the compiler builtin - confirm intent.
	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
	saved_CFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS -fno-builtin-memset"
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
		[ AC_MSG_RESULT([yes]) ],
		[ AC_MSG_RESULT([no])
		  CFLAGS="$saved_CFLAGS" ]
	)

	# -fstack-protector-all doesn't always work for some GCC versions
	# and/or platforms, so we test if we can.  If it's not supported
	# on a given platform gcc will emit a warning so we use -Werror.
	#
	# Candidates are tried strongest-first: -strong, then -all, then the
	# plain option. For each one:
	#   1. link a test program with the flag plus -Werror;
	#   2. on success, set CFLAGS/LDFLAGS to the saved values plus the flag
	#      (without -Werror) and run the program;
	#   3. if it runs, "break" leaves the loop before the restore at the
	#      bottom, so the flag stays in CFLAGS and LDFLAGS;
	#   4. if the link or the run fails, the saved flags are restored and
	#      the next candidate is tried.
	# When cross compiling the run step is impossible: the flag is kept on
	# the strength of the link test alone and a warning is printed.
	# If no candidate passes, the build proceeds without a stack protector
	# and only the per-flag "no" results show it.
	if test "x$use_stack_protector" = "x1"; then
	    for t in -fstack-protector-strong -fstack-protector-all \
		    -fstack-protector; do
		AC_MSG_CHECKING([if $CC supports $t])
		saved_CFLAGS="$CFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		CFLAGS="$CFLAGS $t -Werror"
		LDFLAGS="$LDFLAGS $t -Werror"
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
			 ]],
			[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
			 ]])],
		    [ AC_MSG_RESULT([yes])
		      CFLAGS="$saved_CFLAGS $t"
		      LDFLAGS="$saved_LDFLAGS $t"
		      AC_MSG_CHECKING([if $t works])
		      AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
			]],
			[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
			]])],
			[ AC_MSG_RESULT([yes])
			  break ],
			[ AC_MSG_RESULT([no]) ],
			[ AC_MSG_WARN([cross compiling: cannot test])
			  break ]
		      )
		    ],
		    [ AC_MSG_RESULT([no]) ]
		)
		CFLAGS="$saved_CFLAGS"
		LDFLAGS="$saved_LDFLAGS"
	    done
	fi

	# If the first LLONG_MAX probe failed, the cached result is cleared and
	# the probe repeated with -std=gnu99; the flag is kept in CFLAGS only
	# when the retry succeeds.
	if test -z "$have_llong_max"; then
		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
		unset ac_cv_have_decl_LLONG_MAX
		saved_CFLAGS="$CFLAGS"
		CFLAGS="$CFLAGS -std=gnu99"
		AC_CHECK_DECL([LLONG_MAX],
		    [have_llong_max=1],
		    [CFLAGS="$saved_CFLAGS"],
		    [#include <limits.h>]
		)
	fi
fi
275
# Compile-only probes for compiler extensions. None of the test programs is
# run; a failed compile defines the matching NO_* macro, or leaves the
# feature macro undefined.
AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[
#include <stdlib.h>
__attribute__((__unused__)) static void foo(void){return;}]],
    [[ exit(0); ]])],
    [ AC_MSG_RESULT([yes]) ],
    [ AC_MSG_RESULT([no])
      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
	 [compiler does not accept __attribute__ on return types]) ]
)

AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[
#include <stdlib.h>
typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
    [[ exit(0); ]])],
    [ AC_MSG_RESULT([yes]) ],
    [ AC_MSG_RESULT([no])
      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
	 [compiler does not accept __attribute__ on prototype args]) ]
)

# The test body only has to compile; it is not meant to be executed.
AC_MSG_CHECKING([if compiler supports variable length arrays])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
    [[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
    [ AC_MSG_RESULT([yes])
      AC_DEFINE(VARIABLE_LENGTH_ARRAYS, [1],
	 [compiler supports variable length arrays]) ],
    [ AC_MSG_RESULT([no]) ]
)

# no_attrib_nonnull is set in the GCC version check above for 1.x and 2.x
# compilers; every other compiler is assumed to support the attribute.
if test "x$no_attrib_nonnull" != "x1" ; then
	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
fi
313
# rpath_opt holds the linker option used for automatically added run-time
# library search paths: empty with --without-rpath, "-R" with --with-rpath,
# and any other value is taken verbatim as the option to use. When the option
# is not given at all, rpath_opt is left untouched here.
AC_ARG_WITH([rpath],
	[  --without-rpath         Disable auto-added -R linker paths],
	[
		if test "x$withval" = "xno" ; then
			rpath_opt=""
		elif test "x$withval" = "xyes" ; then
			rpath_opt="-R"
		else
			rpath_opt="$withval"
		fi
	]
)
326
# Allow user to specify flags
# Each option below ignores an empty value and the bare "yes"/"no" forms.
# --with-cflags, --with-cppflags, --with-ldflags and --with-libs append to the
# corresponding variable right here, that is after the warning and hardening
# probes above have already added their flags.
# NOTE(review): because the user value comes last on the command line, an
# option given here that conflicts with a probed hardening flag would
# normally take precedence; worth checking in packaging scripts.
AC_ARG_WITH([cflags],
	[  --with-cflags           Specify additional flags to pass to compiler],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CFLAGS="$CFLAGS $withval"
		fi
	]
)

# The -after variants only store the value in CFLAGS_AFTER / LDFLAGS_AFTER;
# where those are applied is not visible in this part of the file.
AC_ARG_WITH([cflags-after],
	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([cppflags],
	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CPPFLAGS="$CPPFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags],
	[  --with-ldflags          Specify additional flags to pass to linker],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LDFLAGS="$LDFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags-after],
	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LDFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([libs],
	[  --with-libs             Specify additional libraries to link with],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LIBS="$LIBS $withval"
		fi
	]
)
# --with-Werror sets werror_flags to "-Werror"; --with-Werror=VALUE sets it to
# VALUE instead. Nothing is added to CFLAGS at this point.
AC_ARG_WITH([Werror],
	[  --with-Werror           Build main code with -Werror],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"; then
			werror_flags="-Werror"
			if test "x${withval}" != "xyes"; then
				werror_flags="$withval"
			fi
		fi
	]
)
394
# Headers that can be probed on their own. For each header found, the
# corresponding HAVE_<HEADER>_H macro is defined in config.h. Headers that
# need other headers included first are checked separately below.
AC_CHECK_HEADERS([ \
	blf.h \
	bstring.h \
	crypt.h \
	crypto/sha2.h \
	dirent.h \
	endian.h \
	elf.h \
	err.h \
	features.h \
	fcntl.h \
	floatingpoint.h \
	fnmatch.h \
	getopt.h \
	glob.h \
	ia.h \
	iaf.h \
	ifaddrs.h \
	inttypes.h \
	langinfo.h \
	limits.h \
	locale.h \
	login.h \
	maillock.h \
	ndir.h \
	net/if_tun.h \
	netdb.h \
	netgroup.h \
	pam/pam_appl.h \
	paths.h \
	poll.h \
	pty.h \
	readpassphrase.h \
	rpc/types.h \
	security/pam_appl.h \
	sha2.h \
	shadow.h \
	stddef.h \
	stdint.h \
	string.h \
	strings.h \
	sys/bitypes.h \
	sys/byteorder.h \
	sys/bsdtty.h \
	sys/cdefs.h \
	sys/dir.h \
	sys/file.h \
	sys/mman.h \
	sys/label.h \
	sys/ndir.h \
	sys/poll.h \
	sys/prctl.h \
	sys/pstat.h \
	sys/ptrace.h \
	sys/random.h \
	sys/select.h \
	sys/stat.h \
	sys/stream.h \
	sys/stropts.h \
	sys/strtio.h \
	sys/statvfs.h \
	sys/sysmacros.h \
	sys/time.h \
	sys/timers.h \
	sys/vfs.h \
	time.h \
	tmpdir.h \
	ttyent.h \
	ucred.h \
	unistd.h \
	usersec.h \
	util.h \
	utime.h \
	utmp.h \
	utmpx.h \
	vis.h \
	wchar.h \
])
473
# Headers that only compile after other headers have been included. The
# fourth argument of each check is the prelude placed before the header under
# test. Preludes guarded by HAVE_* rely on the results of the plain header
# checks above, so these checks must stay after that list.

# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
AC_CHECK_HEADERS([sys/audit.h], [], [], [
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_SYS_LABEL_H
# include <sys/label.h>
#endif
])

# sys/capsicum.h requires sys/types.h
AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
])

# net/route.h requires sys/socket.h and sys/types.h.
# sys/sysctl.h also requires sys/param.h
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <sys/param.h>
#include <sys/socket.h>
])

# lastlog.h requires sys/time.h to be included first on Solaris
AC_CHECK_HEADERS([lastlog.h], [], [], [
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
])

# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS([sys/ptms.h], [], [], [
#ifdef HAVE_SYS_STREAM_H
# include <sys/stream.h>
#endif
])

# login_cap.h requires sys/types.h on NetBSD
AC_CHECK_HEADERS([login_cap.h], [], [], [
#include <sys/types.h>
])

# older BSDs need sys/param.h before sys/mount.h
AC_CHECK_HEADERS([sys/mount.h], [], [], [
#include <sys/param.h>
])

# Android requires sys/socket.h to be included before sys/un.h
AC_CHECK_HEADERS([sys/un.h], [], [], [
#include <sys/types.h>
#include <sys/socket.h>
])
534
# Messages for features tested for in target-specific section
# All four start as "no"; the code that changes them is not in the part of
# the file visible here.
SIA_MSG="no"
SPC_MSG="no"
SP_MSG="no"
SPP_MSG="no"

# Support for Solaris/Illumos privileges (this test is used by both
# the --with-solaris-privs option and --with-sandbox=solaris).
# Defaults to "no".
SOLARIS_PRIVS="no"
544
545# Check for some target-specific stuff
546case "$host" in
547*-*-aix*)
548	# Some versions of VAC won't allow macro redefinitions at
549	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
550	# particularly with older versions of vac or xlc.
551	# It also throws errors about null macro arguments, but these are
552	# not fatal.
553	AC_MSG_CHECKING([if compiler allows macro redefinitions])
554	AC_COMPILE_IFELSE(
555	    [AC_LANG_PROGRAM([[
556#define testmacro foo
557#define testmacro bar]],
558	    [[ exit(0); ]])],
559	    [ AC_MSG_RESULT([yes]) ],
560	    [ AC_MSG_RESULT([no])
561	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
562	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
563	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
564	    ]
565	)
566
567	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
568	if (test -z "$blibpath"); then
569		blibpath="/usr/lib:/lib"
570	fi
571	saved_LDFLAGS="$LDFLAGS"
572	if test "$GCC" = "yes"; then
573		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
574	else
575		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
576	fi
577	for tryflags in $flags ;do
578		if (test -z "$blibflags"); then
579			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
580			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
581			[blibflags=$tryflags], [])
582		fi
583	done
584	if (test -z "$blibflags"); then
585		AC_MSG_RESULT([not found])
586		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
587	else
588		AC_MSG_RESULT([$blibflags])
589	fi
590	LDFLAGS="$saved_LDFLAGS"
591	dnl Check for authenticate.  Might be in libs.a on older AIXes
592	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
593		[Define if you want to enable AIX4's authenticate function])],
594		[AC_CHECK_LIB([s], [authenticate],
595			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
596				LIBS="$LIBS -ls"
597			])
598		])
599	dnl Check for various auth function declarations in headers.
600	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
601	    passwdexpired, setauthdb], , , [#include <usersec.h>])
602	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
603	AC_CHECK_DECLS([loginfailed],
604	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
605	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
606		[[ (void)loginfailed("user","host","tty",0); ]])],
607		[AC_MSG_RESULT([yes])
608		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
609			[Define if your AIX loginfailed() function
610			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
611	    ])],
612	    [],
613	    [#include <usersec.h>]
614	)
615	AC_CHECK_FUNCS([getgrset setauthdb])
616	AC_CHECK_DECL([F_CLOSEM],
617	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
618	    [],
619	    [ #include <limits.h>
620	      #include <fcntl.h> ]
621	)
622	check_for_aix_broken_getaddrinfo=1
623	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
624	    [Define if your platform breaks doing a seteuid before a setuid])
625	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
626	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
627	dnl AIX handles lastlog as part of its login message
628	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
629	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
630		[Some systems need a utmpx entry for /bin/login to work])
631	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
632		[Define to a Set Process Title type if your system is
633		supported by bsd-setproctitle.c])
634	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
635	    [AIX 5.2 and 5.3 (and presumably newer) require this])
636	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
637	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
638	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
639	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
640	;;
641*-*-android*)
642	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
643	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
644	;;
645*-*-cygwin*)
646	check_for_libcrypt_later=1
647	LIBS="$LIBS /usr/lib/textreadmode.o"
648	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
649	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
650	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
651		[Define to disable UID restoration test])
652	AC_DEFINE([DISABLE_SHADOW], [1],
653		[Define if you want to disable shadow passwords])
654	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
655		[Define if X11 doesn't support AF_UNIX sockets on that system])
656	AC_DEFINE([DISABLE_FD_PASSING], [1],
657		[Define if your platform needs to skip post auth
658		file descriptor passing])
659	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
660	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
661	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
662	# reasons which cause compile warnings, so we disable those warnings.
663	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
664	;;
665*-*-dgux*)
666	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
667		[Define if your system choked on IP TOS setting])
668	AC_DEFINE([SETEUID_BREAKS_SETUID])
669	AC_DEFINE([BROKEN_SETREUID])
670	AC_DEFINE([BROKEN_SETREGID])
671	;;
672*-*-darwin*)
673	use_pie=auto
674	AC_MSG_CHECKING([if we have working getaddrinfo])
675	AC_RUN_IFELSE([AC_LANG_SOURCE([[
676#include <mach-o/dyld.h>
677#include <stdlib.h>
678main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
679		exit(0);
680	else
681		exit(1);
682}
683			]])],
684	[AC_MSG_RESULT([working])],
685	[AC_MSG_RESULT([buggy])
686	AC_DEFINE([BROKEN_GETADDRINFO], [1],
687		[getaddrinfo is broken (if present)])
688	],
689	[AC_MSG_RESULT([assume it is working])])
690	AC_DEFINE([SETEUID_BREAKS_SETUID])
691	AC_DEFINE([BROKEN_SETREUID])
692	AC_DEFINE([BROKEN_SETREGID])
693	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
694	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
695		[Define if your resolver libs need this for getrrsetbyname])
696	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
697	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
698	    [Use tunnel device compatibility to OpenBSD])
699	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
700	    [Prepend the address family to IP tunnel traffic])
701	m4_pattern_allow([AU_IPv])
702	AC_CHECK_DECL([AU_IPv4], [],
703	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
704	    [#include <bsm/audit.h>]
705	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
706	    [Define if pututxline updates lastlog too])
707	)
708	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
709		[Define to a Set Process Title type if your system is
710		supported by bsd-setproctitle.c])
711	AC_CHECK_FUNCS([sandbox_init])
712	AC_CHECK_HEADERS([sandbox.h])
713	AC_CHECK_LIB([sandbox], [sandbox_apply], [
714	    SSHDLIBS="$SSHDLIBS -lsandbox"
715	])
716	# proc_pidinfo()-based closefrom() replacement.
717	AC_CHECK_HEADERS([libproc.h])
718	AC_CHECK_FUNCS([proc_pidinfo])
719	;;
720*-*-dragonfly*)
721	SSHDLIBS="$SSHDLIBS -lcrypt"
722	TEST_MALLOC_OPTIONS="AFGJPRX"
723	;;
724*-*-haiku*)
725	LIBS="$LIBS -lbsd "
726	CFLAGS="$CFLAGS -D_BSD_SOURCE"
727	AC_CHECK_LIB([network], [socket])
728	AC_DEFINE([HAVE_U_INT64_T])
729	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
730	MANTYPE=man
731	;;
732*-*-hpux*)
733	# first we define all of the options common to all HP-UX releases
734	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
735	IPADDR_IN_DISPLAY=yes
736	AC_DEFINE([USE_PIPES])
737	AC_DEFINE([LOGIN_NEEDS_UTMPX])
738	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
739		[String used in /etc/passwd to denote locked account])
740	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
741	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
742	maildir="/var/mail"
743	LIBS="$LIBS -lsec"
744	AC_CHECK_LIB([xnet], [t_error], ,
745	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
746
747	# next, we define all of the options specific to major releases
748	case "$host" in
749	*-*-hpux10*)
750		if test -z "$GCC"; then
751			CFLAGS="$CFLAGS -Ae"
752		fi
753		;;
754	*-*-hpux11*)
755		AC_DEFINE([PAM_SUN_CODEBASE], [1],
756			[Define if you are using Solaris-derived PAM which
757			passes pam_messages to the conversation function
758			with an extra level of indirection])
759		AC_DEFINE([DISABLE_UTMP], [1],
760			[Define if you don't want to use utmp])
761		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
762		check_for_hpux_broken_getaddrinfo=1
763		check_for_conflicting_getspnam=1
764		;;
765	esac
766
767	# lastly, we define options specific to minor releases
768	case "$host" in
769	*-*-hpux10.26)
770		AC_DEFINE([HAVE_SECUREWARE], [1],
771			[Define if you have SecureWare-based
772			protected password database])
773		disable_ptmx_check=yes
774		LIBS="$LIBS -lsecpw"
775		;;
776	esac
777	;;
778*-*-irix5*)
779	PATH="$PATH:/usr/etc"
780	AC_DEFINE([BROKEN_INET_NTOA], [1],
781		[Define if you system's inet_ntoa is busted
782		(e.g. Irix gcc issue)])
783	AC_DEFINE([SETEUID_BREAKS_SETUID])
784	AC_DEFINE([BROKEN_SETREUID])
785	AC_DEFINE([BROKEN_SETREGID])
786	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
787		[Define if you shouldn't strip 'tty' from your
788		ttyname in [uw]tmp])
789	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
790	;;
791*-*-irix6*)
792	PATH="$PATH:/usr/etc"
793	AC_DEFINE([WITH_IRIX_ARRAY], [1],
794		[Define if you have/want arrays
795		(cluster-wide session management, not C arrays)])
796	AC_DEFINE([WITH_IRIX_PROJECT], [1],
797		[Define if you want IRIX project management])
798	AC_DEFINE([WITH_IRIX_AUDIT], [1],
799		[Define if you want IRIX audit trails])
800	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
801		[Define if you want IRIX kernel jobs])])
802	AC_DEFINE([BROKEN_INET_NTOA])
803	AC_DEFINE([SETEUID_BREAKS_SETUID])
804	AC_DEFINE([BROKEN_SETREUID])
805	AC_DEFINE([BROKEN_SETREGID])
806	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
807	AC_DEFINE([WITH_ABBREV_NO_TTY])
808	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
809	;;
810*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
811	check_for_libcrypt_later=1
812	AC_DEFINE([PAM_TTY_KLUDGE])
813	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
814	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
815	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
816	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
817	;;
818*-*-linux*)
819	no_dev_ptmx=1
820	use_pie=auto
821	check_for_libcrypt_later=1
822	check_for_openpty_ctty_bug=1
823	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
824	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
825	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
826	AC_DEFINE([PAM_TTY_KLUDGE], [1],
827		[Work around problematic Linux PAM modules handling of PAM_TTY])
828	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
829		[String used in /etc/passwd to denote locked account])
830	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
831	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
832		[Define to whatever link() returns for "not supported"
833		if it doesn't return EOPNOTSUPP.])
834	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
835	AC_DEFINE([USE_BTMP])
836	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
837	inet6_default_4in6=yes
838	case `uname -r` in
839	1.*|2.0.*)
840		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
841			[Define if cmsg_type is not passed correctly])
842		;;
843	esac
844	# tun(4) forwarding compat code
845	AC_CHECK_HEADERS([linux/if_tun.h])
846	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
847		AC_DEFINE([SSH_TUN_LINUX], [1],
848		    [Open tunnel devices the Linux tun/tap way])
849		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
850		    [Use tunnel device compatibility to OpenBSD])
851		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
852		    [Prepend the address family to IP tunnel traffic])
853	fi
854	AC_CHECK_HEADER([linux/if.h],
855	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
856		[Support routing domains using Linux VRF]), [], [
857#ifdef HAVE_SYS_TYPES_H
858# include <sys/types.h>
859#endif
860	    ])
861	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
862	    [], [#include <linux/types.h>])
863	# Obtain MIPS ABI
864	case "$host" in
865	mips*)
866		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
867#if _MIPS_SIM != _ABIO32
868#error
869#endif
870			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
871#if _MIPS_SIM != _ABIN32
872#error
873#endif
874				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
875#if _MIPS_SIM != _ABI64
876#error
877#endif
878					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
879				])
880			])
881		])
882		;;
883	esac
884	AC_MSG_CHECKING([for seccomp architecture])
885	seccomp_audit_arch=
886	case "$host" in
887	x86_64-*)
888		seccomp_audit_arch=AUDIT_ARCH_X86_64
889		;;
890	i*86-*)
891		seccomp_audit_arch=AUDIT_ARCH_I386
892		;;
893	arm*-*)
894		seccomp_audit_arch=AUDIT_ARCH_ARM
895		;;
896	aarch64*-*)
897		seccomp_audit_arch=AUDIT_ARCH_AARCH64
898		;;
899	s390x-*)
900		seccomp_audit_arch=AUDIT_ARCH_S390X
901		;;
902	s390-*)
903		seccomp_audit_arch=AUDIT_ARCH_S390
904		;;
905	powerpc64-*)
906		seccomp_audit_arch=AUDIT_ARCH_PPC64
907		;;
908	powerpc64le-*)
909		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
910		;;
911	mips-*)
912		seccomp_audit_arch=AUDIT_ARCH_MIPS
913		;;
914	mipsel-*)
915		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
916		;;
917	mips64-*)
918		case "$mips_abi" in
919		"n32")
920			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
921			;;
922		"n64")
923			seccomp_audit_arch=AUDIT_ARCH_MIPS64
924			;;
925		esac
926		;;
927	mips64el-*)
928		case "$mips_abi" in
929		"n32")
930			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
931			;;
932		"n64")
933			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
934			;;
935		esac
936		;;
937	riscv64-*)
938		seccomp_audit_arch=AUDIT_ARCH_RISCV64
939		;;
940	esac
941	if test "x$seccomp_audit_arch" != "x" ; then
942		AC_MSG_RESULT(["$seccomp_audit_arch"])
943		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
944		    [Specify the system call convention in use])
945	else
946		AC_MSG_RESULT([architecture not supported])
947	fi
948	;;
949mips-sony-bsd|mips-sony-newsos4)
950	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
951	SONY=1
952	;;
953*-*-netbsd*)
954	check_for_libcrypt_before=1
955	if test "x$withval" != "xno" ; then
956		rpath_opt="-R"
957	fi
958	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
959	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
960	AC_CHECK_HEADER([net/if_tap.h], ,
961	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
962	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
963	    [Prepend the address family to IP tunnel traffic])
964	TEST_MALLOC_OPTIONS="AJRX"
965	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
966	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
967	;;
# FreeBSD: record the pw(1) locked-account prefix, the tunnel device style and
# the glob workaround, and relax one sandbox resource limit.
*-*-freebsd*)
	check_for_libcrypt_later=1
	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
	TEST_MALLOC_OPTIONS="AJRX"
	# Preauth crypto occasionally uses file descriptors for crypto offload
	# and will crash if they cannot be opened.
	# NOTE(review): this define only records the choice; presumably the
	# sandbox code then leaves RLIMIT_NOFILE untouched on this platform, which
	# is one restriction fewer on the preauth process - confirm in the sandbox
	# sources.
	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
	    [define if setrlimit RLIMIT_NOFILE breaks things])
	;;
# BSD/OS: flag the uid and gid switching calls that need workarounds.  The
# one-argument AC_DEFINE form is used, so the value and description are
# expected to come from a template elsewhere.
*-*-bsdi*)
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	;;
# NeXT: hardwire the login accounting file locations and the mail spool
# directory, and select pipes plus the saved-uid workaround.
*-next-*)
	conf_lastlog_location="/usr/adm/lastlog"
	conf_utmp_location=/etc/utmp
	conf_wtmp_location=/usr/adm/wtmp
	maildir=/usr/spool/mail
	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
	;;
# OpenBSD: request automatic PIE detection, which is resolved later by the
# --with-pie handling, and record the compiler attributes, tunnel device
# style and signal-safe syslog_r that this platform provides.
*-*-openbsd*)
	use_pie=auto
	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
	    [syslog_r function is safe to use in in a signal handler])
	TEST_MALLOC_OPTIONS="AFGJPRX"
	;;
# Solaris and Illumos: PAM and login accounting quirks, the locked-password
# marker, and three opt-in features: process contracts, projects and
# privileges.
*-*-solaris*)
	# NOTE(review): withval is not assigned anywhere before this test inside
	# the arm, so it reflects whichever --with-* option was processed last -
	# confirm that is intended.
	if test "x$withval" != "xno" ; then
		rpath_opt="-R"
	fi
	AC_DEFINE([PAM_SUN_CODEBASE])
	AC_DEFINE([LOGIN_NEEDS_UTMPX])
	AC_DEFINE([PAM_TTY_KLUDGE])
	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
		[Define if pam_chauthtok wants real uid set
		to the unpriv'ed user])
	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
		[Define if sshd somehow reacquires a controlling TTY
		after setsid()])
	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
		in case the name is longer than 8 chars])
	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
	external_path_file=/etc/default/login
	# hardwire lastlog location (can't detect it on some versions)
	conf_lastlog_location="/var/adm/lastlog"
	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
	# Strip everything up to and including the last digit-dot pair of the host
	# triplet, leaving the trailing number; a host ending in solaris2.11 gives
	# 11.  The numeric test below assumes the remainder is an integer.
	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
	if test "$sol2ver" -ge 8; then
		AC_MSG_RESULT([yes])
		AC_DEFINE([DISABLE_UTMP])
		AC_DEFINE([DISABLE_WTMP], [1],
			[Define if you don't want to use wtmp])
	else
		AC_MSG_RESULT([no])
	fi
	# The results of these probes are consumed by the --with-solaris-privs
	# handling below through the ac_cv_func_setppriv and ac_cv_header_priv_h
	# cache variables.
	AC_CHECK_FUNCS([setpflags])
	AC_CHECK_FUNCS([setppriv])
	AC_CHECK_FUNCS([priv_basicset])
	AC_CHECK_HEADERS([priv.h])
	# NOTE(review): none of the three option handlers below looks at withval,
	# so the action also runs when the option is given in its --without- form.
	# For --without-solaris-privs that means the feature is enabled or the
	# configure run aborts - confirm whether a withval guard is wanted.
	AC_ARG_WITH([solaris-contracts],
		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
		[
		AC_CHECK_LIB([contract], [ct_tmpl_activate],
			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
				[Define if you have Solaris process contracts])
			  LIBS="$LIBS -lcontract"
			  SPC_MSG="yes" ], )
		],
	)
	AC_ARG_WITH([solaris-projects],
		[  --with-solaris-projects Enable Solaris projects (experimental)],
		[
		AC_CHECK_LIB([project], [setproject],
			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
				[Define if you have Solaris projects])
			LIBS="$LIBS -lproject"
			SP_MSG="yes" ], )
		],
	)
	# Privilege support is all or nothing: both setppriv and priv.h must have
	# been found above, otherwise configure stops with an error.  Enabling it
	# also defines NO_UID_RESTORATION_TEST.
	AC_ARG_WITH([solaris-privs],
		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
		[
		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
		if test "x$ac_cv_func_setppriv" = "xyes" -a \
			"x$ac_cv_header_priv_h" = "xyes" ; then
			SOLARIS_PRIVS=yes
			AC_MSG_RESULT([found])
			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
				[Define to disable UID restoration test])
			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
				[Define if you have Solaris privileges])
			SPP_MSG="yes"
		else
			AC_MSG_RESULT([not found])
			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
		fi
		],
	)
	TEST_SHELL=$SHELL	# let configure find us a capable shell
	;;
# SunOS 4: add -DSUNOS4 to the preprocessor flags, probe for getpwanam,
# hardwire the login accounting file locations and disable utmpx.
*-*-sunos4*)
	CPPFLAGS="$CPPFLAGS -DSUNOS4"
	AC_CHECK_FUNCS([getpwanam])
	AC_DEFINE([PAM_SUN_CODEBASE])
	conf_utmp_location=/etc/utmp
	conf_wtmp_location=/var/adm/wtmp
	conf_lastlog_location=/var/adm/lastlog
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
	;;
# NCR System V: link against libc89 unconditionally and flag the uid and gid
# switching calls that need workarounds.
*-ncr-sysv*)
	LIBS="$LIBS -lc89"
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([SSHD_ACQUIRES_CTTY])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	;;
# SNI ReliantUNIX: the order of libraries on the link line matters here, see
# the notes inside the arm.
*-sni-sysv*)
	# /usr/ucblib MUST NOT be searched on ReliantUNIX
	AC_CHECK_LIB([dl], [dlsym], ,)
	# -lresolv needs to be at the end of LIBS or DNS lookups break
	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
	IPADDR_IN_DISPLAY=yes
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([IP_TOS_IS_BROKEN])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([SSHD_ACQUIRES_CTTY])
	external_path_file=/etc/default/login
	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
	# Attention: always take care to bind libsocket and libnsl before libc,
	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
	;;
# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
# Uses pipes, works around the uid and gid switching calls, passes the user
# name to passwd and treats "*LK*" as the locked-password marker.
*-*-sysv4.2*)
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
	TEST_SHELL=$SHELL	# let configure find us a capable shell
	;;
# UnixWare 7.x, OpenUNIX 8
# snprintf and vsnprintf are redirected to the _x-prefixed variants through
# preprocessor flags.  SCO OpenServer 6.x shares this arm but gets its own
# mail directory and a probe for getluid and setluid in libprot; every other
# sysv5 host uses "*LK*" as the locked-password marker instead.
*-*-sysv5*)
	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_GETADDRINFO])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([PASSWD_NEEDS_USERNAME])
	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
	TEST_SHELL=$SHELL	# let configure find us a capable shell
	check_for_libcrypt_later=1
	case "$host" in
	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
		maildir=/var/spool/mail
		AC_DEFINE([BROKEN_UPDWTMPX])
		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
			], , )
		;;
	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
		;;
	esac
	;;
# Any other System V host: deliberately empty, so it only stops the match
# from falling through to later patterns.
*-*-sysv*)
	;;
# SCO UNIX and OEM versions of SCO UNIX
# Configure aborts here; this platform is rejected outright.
*-*-sco3.2v4*)
	AC_MSG_ERROR("This Platform is no longer supported.")
	;;
# SCO OpenServer 5.x
# Adds -belf when the compiler is not gcc, links the SecureWare and terminal
# libraries, and turns off shadow passwords and descriptor passing.
*-*-sco3.2v5*)
	if test -z "$GCC"; then
		CFLAGS="$CFLAGS -belf"
	fi
	LIBS="$LIBS -lprot -lx -ltinfo -lm"
	no_dev_ptmx=1
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([HAVE_SECUREWARE])
	AC_DEFINE([DISABLE_SHADOW])
	AC_DEFINE([DISABLE_FD_PASSING])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_GETADDRINFO])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([WITH_ABBREV_NO_TTY])
	AC_DEFINE([BROKEN_UPDWTMPX])
	AC_DEFINE([PASSWD_NEEDS_USERNAME])
	AC_CHECK_FUNCS([getluid setluid])
	MANTYPE=man
	TEST_SHELL=$SHELL	# let configure find us a capable shell
	SKIP_DISABLE_LASTLOG_DEFINE=yes
	;;
# Digital Unix: use the Security Integration Architecture unless it is
# disabled with --without-osfsia.  SIA is detected by looking for
# /etc/sia/matrix.conf on the machine running configure, so the answer
# describes the build host rather than a cross-compilation target.
*-dec-osf*)
	AC_MSG_CHECKING([for Digital Unix SIA])
	no_osfsia=""
	AC_ARG_WITH([osfsia],
		[  --with-osfsia           Enable Digital Unix SIA],
		[
			if test "x$withval" = "xno" ; then
				AC_MSG_RESULT([disabled])
				no_osfsia=1
			fi
		],
	)
	if test -z "$no_osfsia" ; then
		if test -f /etc/sia/matrix.conf; then
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_OSF_SIA], [1],
				[Define if you have Digital Unix Security
				Integration Architecture])
			AC_DEFINE([DISABLE_LOGIN], [1],
				[Define if you don't want to use your
				system's login() call])
			AC_DEFINE([DISABLE_FD_PASSING])
			LIBS="$LIBS -lsecurity -ldb -lm -laud"
			SIA_MSG="yes"
		else
			AC_MSG_RESULT([no])
			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
			  [String used in /etc/passwd to denote locked account])
		fi
	fi
	AC_DEFINE([BROKEN_GETADDRINFO])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
	;;
1215
# QNX Neutrino: no lastlog, no X11 unix sockets, broken shadow expiry, and
# /etc/default/login is not consulted.  QNX 6 additionally disables
# descriptor passing.
*-*-nto-qnx*)
	AC_DEFINE([USE_PIPES])
	AC_DEFINE([NO_X11_UNIX_SOCKETS])
	AC_DEFINE([DISABLE_LASTLOG])
	AC_DEFINE([SSHD_ACQUIRES_CTTY])
	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
	enable_etc_default_login=no	# has incompatible /etc/default/login
	case "$host" in
	*-*-nto-qnx6*)
		AC_DEFINE([DISABLE_FD_PASSING])
		;;
	esac
	;;
1229
# Ultrix: besides the usual defines, this arm writes files at configure time.
# It creates a netinet directory and three wrapper headers, using paths
# relative to the directory configure is run in, each of which includes the
# system header by absolute path behind an include guard.
*-*-ultrix*)
	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
	# don't get a controlling tty.
	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
	# On Ultrix some headers are not protected against multiple includes,
	# so we create wrappers and put it where the compiler will find it.
	AC_MSG_WARN([creating compat wrappers for headers])
	mkdir -p netinet
	# The guard name is the header path upper-cased with slash and dot turned
	# into underscores.  The header names are fixed literals, so the unquoted
	# expansions below never see externally supplied text.
	for header in netinet/ip.h netdb.h resolv.h; do
		name=`echo $header | tr 'a-z/.' 'A-Z__'`
		cat >$header <<EOD
#ifndef _SSH_COMPAT_${name}
#define _SSH_COMPAT_${name}
#include "/usr/include/${header}"
#endif
EOD
	done
	;;
1252
# LynxOS: add -D__NO_INCLUDE_WARN__ to the compiler flags and mark setvbuf as
# broken.
*-*-lynxos)
	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
	AC_DEFINE([BROKEN_SETVBUF], [1],
	    [LynxOS has broken setvbuf() implementation])
	;;
1258esac
1259
# Confirm that the compiler, with the flags accumulated so far, produces a
# program that actually runs.  A failure aborts configure.  When cross
# compiling the program cannot be run, so the check is skipped with a warning.
AC_MSG_CHECKING([compiler and flags for sanity])
AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
	[	AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
	],
	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)
1269
dnl Checks for header files.
# Checks for libraries.
# Look for setsockopt in the default libraries first and fall back to
# libsocket only when it is not found there.
AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1273
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
# When dirname is not in the default libraries, try libgen and run a small
# program to see whether dirname of /etc yields /.  The result is cached in
# ac_cv_have_broken_dirname; libgen is only added to LIBS when the function
# behaves.  When cross compiling the test program cannot run and dirname is
# assumed to work.
AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
	AC_CHECK_LIB([gen], [dirname], [
		AC_CACHE_CHECK([for broken dirname],
			ac_cv_have_broken_dirname, [
			save_LIBS="$LIBS"
			LIBS="$LIBS -lgen"
			AC_RUN_IFELSE(
				[AC_LANG_SOURCE([[
#include <libgen.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *s, buf[32];

    strncpy(buf,"/etc", 32);
    s = dirname(buf);
    if (!s || strncmp(s, "/", 32) != 0) {
	exit(1);
    } else {
	exit(0);
    }
}
				]])],
				[ ac_cv_have_broken_dirname="no" ],
				[ ac_cv_have_broken_dirname="yes" ],
				[ ac_cv_have_broken_dirname="no" ],
			)
			LIBS="$save_LIBS"
		])
		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
			LIBS="$LIBS -lgen"
			AC_DEFINE([HAVE_DIRNAME])
			AC_CHECK_HEADERS([libgen.h])
		fi
	])
])
1312
# getspnam and basename may also live in libgen; add the library only when
# the default libraries do not provide them.
AC_CHECK_FUNC([getspnam], ,
	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
	[Define if you have the basename function.])])
1317
dnl zlib defaults to enabled
# --with-zlib=PATH prepends PATH/lib when that directory exists, otherwise
# PATH itself, to the linker search path, adding a run-time search path as
# well when rpath_opt is set.  PATH/include, or PATH when that directory is
# missing, is prepended to the preprocessor flags.  --without-zlib turns
# zlib off.  The supplied path is used as given; nothing here checks what
# the directory contains.
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[ if test "x$withval" = "xno" ; then
		zlib=no
	  elif test "x$withval" != "xyes"; then
		if test -d "$withval/lib"; then
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		else
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
			else
				LDFLAGS="-L${withval} ${LDFLAGS}"
			fi
		fi
		if test -d "$withval/include"; then
			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		else
			CPPFLAGS="-I${withval} ${CPPFLAGS}"
		fi
	fi ]
)
1345
# Locate zlib and refuse versions with known security problems.
#
# The header and library are required once zlib is enabled.  When libz is
# not found with the current flags, /usr/local is tried as a fallback and the
# flags pointing there are kept.
#
# The version test program parses ZLIB_VERSION from the header that the
# compiler picks up and exits 0 for 1.1.4 or later 1.1.x releases and for
# 1.2.3 and up; anything else counts as possibly buggy.  That is fatal unless
# --without-zlib-version-check was given, in which case only a warning is
# printed.  Two caveats for anyone relying on this gate: it checks the
# compile-time header string, not the library that is loaded at run time,
# and when cross compiling the program cannot be run, so the version is not
# checked at all.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" = "xno"; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
    AC_CHECK_LIB([z], [deflate], ,
	[
		saved_CPPFLAGS="$CPPFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		save_LIBS="$LIBS"
		dnl Check default zlib install dir
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
		else
			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
		fi
		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
		LIBS="$LIBS -lz"
		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
			[
				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
			]
		)
	]
    )

    AC_ARG_WITH([zlib-version-check],
	[  --without-zlib-version-check Disable zlib version check],
	[  if test "x$withval" = "xno" ; then
		zlib_check_nonfatal=1
	   fi
	]
    )

    AC_MSG_CHECKING([for possibly buggy zlib])
    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	if (n != 3 && n != 4)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	exit(2);
	]])],
	AC_MSG_RESULT([no]),
	[ AC_MSG_RESULT([yes])
	  if test -z "$zlib_check_nonfatal" ; then
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  else
		AC_MSG_WARN([zlib version may have security problems])
	  fi
	],
	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
    )
fi
1423
dnl UnixWare 2.x
# strcasecmp may be in libresolv and utimes in libc89; each library is added
# to LIBS only when the default libraries lack the function.
AC_CHECK_FUNC([strcasecmp],
	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
)
AC_CHECK_FUNCS([utimes],
	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
					LIBS="$LIBS -lc89"]) ]
)
1432
dnl    Checks for libutil functions
# Each function is searched for in the default libraries, then libutil, then
# libbsd; the final AC_CHECK_FUNCS records which ones were found once the
# searches have settled LIBS.
AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
AC_SEARCH_LIBS([fmt_scaled], [util bsd])
AC_SEARCH_LIBS([scan_scaled], [util bsd])
AC_SEARCH_LIBS([login], [util bsd])
AC_SEARCH_LIBS([logout], [util bsd])
AC_SEARCH_LIBS([logwtmp], [util bsd])
AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1443
# On some platforms, inet_ntop and gethostbyname may be found in libresolv
# or libnsl.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
AC_SEARCH_LIBS([gethostbyname], [resolv nsl])

# Some Linux distributions ship the BSD libc hashing functions in
# separate libraries.
AC_SEARCH_LIBS([SHA256Update], [md bsd])
1452
# "Particular Function Checks"
# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
AC_FUNC_STRFTIME
AC_FUNC_MALLOC
AC_FUNC_REALLOC
# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
# The test program exits with the value of p == NULL, so a zero exit status
# means calloc of zero elements returned a non-null pointer.  When cross
# compiling the malloc result is reused instead.
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
	)],
	[ func_calloc_0_nonnull=yes ],
	[ func_calloc_0_nonnull=no ],
	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
)
AC_MSG_RESULT([$func_calloc_0_nonnull])

# On a null result calloc is renamed to rpl_calloc through the preprocessor,
# so a replacement function of that name has to be supplied by the project.
if test "x$func_calloc_0_nonnull" = "xyes"; then
	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
else
	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
	AC_DEFINE(calloc, rpl_calloc,
	    [Define to rpl_calloc if the replacement function should be used.])
fi
1479
# Check for ALTDIRFUNC glob() extension
# The marker word FOUNDIT survives preprocessing only when glob.h defines
# GLOB_ALTDIRFUNC, and the check greps the preprocessor output for it.
AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
AC_EGREP_CPP([FOUNDIT],
	[
		#include <glob.h>
		#ifdef GLOB_ALTDIRFUNC
		FOUNDIT
		#endif
	],
	[
		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
			[Define if your system glob() function has
			the GLOB_ALTDIRFUNC extension])
		AC_MSG_RESULT([yes])
	],
	[
		AC_MSG_RESULT([no])
	]
)
1499
# Check for g.gl_matchc glob() extension
# Compile-only probe: it succeeds when glob_t has a gl_matchc member.
AC_MSG_CHECKING([for gl_matchc field in glob_t])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
	[[ glob_t g; g.gl_matchc = 1; ]])],
	[
		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
			[Define if your system glob() function has
			gl_matchc options in glob_t])
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])
])
1512
# Check for g.gl_statv glob() extension
# Compile-only probe: it needs both the GLOB_KEEPSTAT macro and a gl_statv
# member in glob_t; either one missing makes the compile fail.
AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
#ifndef GLOB_KEEPSTAT
#error "glob does not support GLOB_KEEPSTAT extension"
#endif
glob_t g;
g.gl_statv = NULL;
]])],
	[
		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
			[Define if your system glob() function has
			gl_statv options in glob_t])
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])

])
1531
# Record whether glob.h declares GLOB_NOMATCH, and mark strnvis as broken
# when vis.h does not declare VIS_ALL.
AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])

AC_CHECK_DECL([VIS_ALL], ,
    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1536
# The test program exits non-zero when d_name is no larger than one char,
# meaning callers must allocate the space for the name themselves.  When
# cross compiling the program cannot run and the conservative answer, that
# extra space is needed, is assumed.
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <dirent.h>
#include <stdlib.h>
	]],
	[[
	struct dirent d;
	exit(sizeof(d.d_name)<=sizeof(char));
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
			[Define if your struct dirent expects you to
			allocate extra space for d_name])
	],
	[
		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
	]
)
1560
# This probes the /proc entry of the configure shell itself, so the result
# describes the machine and environment configure runs in.  A build done in
# a container or chroot without /proc, or a cross build, can therefore
# differ from the system the binaries are deployed on.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test -d "/proc/$$/fd" ; then
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
	AC_MSG_RESULT([yes])
else
	AC_MSG_RESULT([no])
fi
1568
# Check whether user wants to use ldns
# With a bare --with-ldns the flags come from the ldns-config program found
# on the search path when there is one, and its output is spliced into LIBS
# and CPPFLAGS as is, so the build trusts whichever ldns-config is found
# first.  With --with-ldns=PATH the include and lib directories under PATH
# are used instead.  HAVE_LDNS is defined before the link test, but a failed
# link aborts configure, so the define never survives a broken setup.
LDNS_MSG="no"
AC_ARG_WITH(ldns,
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	if test "x$withval" = "xyes" ; then
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" = "xno"; then
			LIBS="-lldns $LIBS"
			ldns=yes
		else
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
			ldns=yes
		fi
	elif test "x$withval" != "xno" ; then
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			LDFLAGS="$LDFLAGS -L${withval}/lib"
			LIBS="-lldns $LIBS"
			ldns=yes
	fi

	# Verify that it works.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
			]])
		],
			[AC_MSG_RESULT(yes)],
				[
					AC_MSG_RESULT(no)
					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
				])
	fi
])
1615
# Check whether user wants libedit support
# With a bare --with-libedit the flags are taken from pkg-config when it is
# available and knows about libedit; otherwise the fallback is -ledit
# -lcurses.  With --with-libedit=PATH the include and lib directories under
# PATH are added.  Both a missing library and a header that lacks H_SETSIZE
# abort configure.
LIBEDIT_MSG="no"
AC_ARG_WITH([libedit],
	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
			if test "x$PKGCONFIG" != "xno"; then
				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
				if "$PKGCONFIG" libedit; then
					AC_MSG_RESULT([yes])
					use_pkgconfig_for_libedit=yes
				else
					AC_MSG_RESULT([no])
				fi
			fi
		else
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		fi
		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
			LIBEDIT=`$PKGCONFIG --libs libedit`
			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
		else
			LIBEDIT="-ledit -lcurses"
		fi
		# Everything in LIBEDIT except -ledit itself is handed to the library
		# check below as the extra libraries needed to link.
		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
		AC_CHECK_LIB([edit], [el_init],
			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
			  LIBEDIT_MSG="yes"
			  AC_SUBST([LIBEDIT])
			],
			[ AC_MSG_ERROR([libedit not found]) ],
			[ $OTHERLIBS ]
		)
		AC_MSG_CHECKING([if libedit version is compatible])
		AC_COMPILE_IFELSE(
		    [AC_LANG_PROGRAM([[
#include <histedit.h>
#include <stdlib.h>
		    ]],
		    [[
	int i = H_SETSIZE;
	el_init("", NULL, NULL, NULL);
	exit(0);
		    ]])],
		    [ AC_MSG_RESULT([yes]) ],
		    [ AC_MSG_RESULT([no])
		      AC_MSG_ERROR([libedit version is not compatible]) ]
		)
	fi ]
)
1672
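# Select the audit module built into sshd.  AUDIT_MODULE stays "none" unless
# --with-audit names one of bsm, linux or debug; "no" leaves auditing off and
# any other value aborts configure.
#
# bsm requires the header, the library and getaudit, and fails hard when one
# of them is missing.  The linux module only probes for libaudit.h and then
# adds -laudit to the sshd libraries unconditionally, so a missing libaudit
# shows up at link time rather than here.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is assigned in the Solaris host arm.  On hosts where it was
		# never set it is empty, and a numeric test on an empty string makes
		# test report an error, so check for that first.
		if test "x$sol2ver" != "x" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)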
1725
# Position independent executables.
#
# use_pie ends up as one of no, yes or auto.  It may already have been set by
# the host arm; the OpenBSD arm sets auto.  --with-pie and --without-pie
# override it, and an unset value becomes no.  auto is downgraded to no when
# toolchain hardening is off, which is controlled by use_toolchain_hardening
# and set outside this section, or when the compiler is not gcc 4 or newer.
#
# When PIE is wanted both -fPIE and -pie are probed.  The flags are kept only
# when both made it into CFLAGS and LDFLAGS; otherwise the saved values are
# restored.  Note that an explicit --with-pie on a toolchain lacking either
# flag therefore falls back to a non-PIE build after printing "no", without
# failing configure.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible], [
	if test "x$withval" = "xno"; then
		use_pie=no
	fi
	if test "x$withval" = "xyes"; then
		use_pie=yes
	fi
    ]
)
if test "x$use_pie" = "x"; then
	use_pie=no
fi
if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
	# Turn off automatic PIE when toolchain hardening is off.
	use_pie=no
fi
if test "x$use_pie" = "xauto"; then
	# Automatic PIE requires gcc >= 4.x
	AC_MSG_CHECKING([for gcc >= 4.x])
	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  use_pie=no ]
)
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# We use both -fPIE and -pie or neither.
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
		AC_MSG_RESULT([yes])
	else
		AC_MSG_RESULT([no])
		CFLAGS="$SAVED_CFLAGS"
		LDFLAGS="$SAVED_LDFLAGS"
	fi
fi
1772
# Probe whether the compiler accepts -fPIC.  The flag is added to CFLAGS only
# for the duration of the test; the outcome is exported through PICFLAG,
# which is empty when the flag is rejected.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
   [AC_MSG_RESULT([yes])
    PICFLAG="-fPIC"; ],
   [AC_MSG_RESULT([no])
    PICFLAG=""; ])
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1784
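dnl    Checks for library functions. Please keep in alphabetical order
# Each name found defines the matching HAVE_ macro.  Several entries are
# memory-scrubbing, constant-time or sandboxing primitives, for example
# explicit_bzero, explicit_memset, memset_s, freezero, timingsafe_bcmp,
# pledge and cap_rights_limit, so a name that silently drops out of this
# list can make the build fall back to a compat implementation.
# Every entry must be followed by a space before the continuation backslash;
# the setpassent entry was missing it and, depending on how the list is
# split into words, the name could end up fused with the backslash.
AC_CHECK_FUNCS([ \
	Blowfish_initstate \
	Blowfish_expandstate \
	Blowfish_expand0state \
	Blowfish_stream2word \
	SHA256Update \
	SHA384Update \
	SHA512Update \
	asprintf \
	b64_ntop \
	__b64_ntop \
	b64_pton \
	__b64_pton \
	bcopy \
	bcrypt_pbkdf \
	bindresvport_sa \
	blf_enc \
	bzero \
	cap_rights_limit \
	clock \
	closefrom \
	dirfd \
	endgrent \
	err \
	errx \
	explicit_bzero \
	explicit_memset \
	fchmod \
	fchmodat \
	fchown \
	fchownat \
	flock \
	fnmatch \
	freeaddrinfo \
	freezero \
	fstatfs \
	fstatvfs \
	futimes \
	getaddrinfo \
	getcwd \
	getgrouplist \
	getline \
	getnameinfo \
	getopt \
	getpagesize \
	getpeereid \
	getpeerucred \
	getpgid \
	_getpty \
	getrlimit \
	getrandom \
	getsid \
	getttyent \
	glob \
	group_from_gid \
	inet_aton \
	inet_ntoa \
	inet_ntop \
	innetgr \
	llabs \
	localtime_r \
	login_getcapbool \
	login_getpwclass \
	md5_crypt \
	memmem \
	memmove \
	memset_s \
	mkdtemp \
	ngetaddrinfo \
	nsleep \
	ogetaddrinfo \
	openlog_r \
	pledge \
	poll \
	prctl \
	pstat \
	raise \
	readpassphrase \
	reallocarray \
	realpath \
	recvmsg \
	recallocarray \
	rresvport_af \
	sendmsg \
	setdtablesize \
	setegid \
	setenv \
	seteuid \
	setgroupent \
	setgroups \
	setlinebuf \
	setlogin \
	setpassent \
	setpcred \
	setproctitle \
	setregid \
	setreuid \
	setrlimit \
	setsid \
	setvbuf \
	sigaction \
	sigvec \
	snprintf \
	socketpair \
	statfs \
	statvfs \
	strcasestr \
	strdup \
	strerror \
	strlcat \
	strlcpy \
	strmode \
	strndup \
	strnlen \
	strnvis \
	strptime \
	strsignal \
	strtonum \
	strtoll \
	strtoul \
	strtoull \
	swap32 \
	sysconf \
	tcgetpgrp \
	timingsafe_bcmp \
	truncate \
	unsetenv \
	updwtmpx \
	utimensat \
	user_from_uid \
	usleep \
	vasprintf \
	vsnprintf \
	waitpid \
	warn \
])

AC_CHECK_DECLS([bzero, memmem])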
1924
dnl Wide character support.
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])

# TEST_SSH_UTF8 keeps a value supplied from the environment and otherwise
# defaults to yes.  It is switched to no when the build machine cannot select
# the en_US.UTF-8 locale; when cross compiling the locale is assumed to be
# available.
TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
AC_MSG_CHECKING([for utf8 locale support])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <locale.h>
#include <stdlib.h>
	]], [[
	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
	if (loc != NULL)
		exit(0);
	exit(1);
	]])],
	AC_MSG_RESULT(yes),
	[AC_MSG_RESULT(no)
	 TEST_SSH_UTF8=no],
	AC_MSG_WARN([cross compiling: assuming yes])
)
1945
# Link test rather than a plain function check; the probe includes ctype.h,
# so it passes whether isblank is provided as a function or as a macro.
AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
           [[ #include <ctype.h> ]],
           [[ return (isblank('a')); ]])],
	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
1952
# Optional authenticator support.  PKCS#11 and U2F/FIDO security keys are on
# unless explicitly disabled.  The builtin security key support is opt-in,
# and disabling security keys clears that request again, so the builtin code
# is never selected on its own.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		if test "x$enableval" = "xno" ; then
			disable_pkcs11=1
		fi
	]
)

disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[
		if test "x$enableval" = "xno" ; then
			disable_sk=1
		fi
	]
)
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[
		if test "x$withval" != "xno" ; then
			enable_sk_internal=yes
		fi
	]
)
test "x$disable_sk" != "x" && enable_sk_internal=""
1982
# Dynamic loading: find dlopen, in libdl if necessary, and check that dlfcn.h
# declares RTLD_NOW.
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1986
# IRIX has a const char return value for gai_strerror()
# The probe redeclares gai_strerror as returning const char pointer; it only
# compiles when that agrees with the declaration in the system headers.
AC_CHECK_FUNCS([gai_strerror], [
	AC_DEFINE([HAVE_GAI_STRERROR])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

const char *gai_strerror(int);
			]], [[
	char *str;
	str = gai_strerror(0);
			]])], [
		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
		[Define if gai_strerror() returns const char *])], [])])
2002
# nanosleep and clock_gettime may need librt, or libposix4 for nanosleep; the
# library is added to LIBS only when the default libraries lack the symbol.
AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
	[Some systems put nanosleep outside of libc])])

AC_SEARCH_LIBS([clock_gettime], [rt],
	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
2008
dnl check if we need -D_REENTRANT for localtime_r declaration.
# When the declaration is missing, the check is repeated with -D_REENTRANT
# after clearing the cached result.  The flag stays in CPPFLAGS only when the
# second attempt finds the declaration.
AC_CHECK_DECL([localtime_r], [],
	[ saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)
2021
dnl Make sure prototypes are defined for these before using them.
# strsep is only probed as a function once string.h is seen to declare it.
AC_CHECK_DECL([strsep],
	[AC_CHECK_FUNCS([strsep])],
	[],
	[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
	])

dnl tcsendbreak might be a macro
# A declaration in termios.h is enough to define HAVE_TCSENDBREAK; the
# function probe is only the fallback.
AC_CHECK_DECL([tcsendbreak],
	[AC_DEFINE([HAVE_TCSENDBREAK])],
	[AC_CHECK_FUNCS([tcsendbreak])],
	[#include <termios.h>]
)
2038
# Declaration checks.  Each one records whether the named symbol is declared
# by the headers listed in its last argument.
AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])

AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
	[
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([O_NONBLOCK], , ,
	[
#include <sys/types.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
	])

AC_CHECK_DECLS([readv, writev], , , [
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([MAXSYMLINKS], , , [
#include <sys/param.h>
	])

AC_CHECK_DECLS([offsetof], , , [
#include <stddef.h>
	])
2072
2073# extra bits for select(2)
2074AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2075#include <sys/param.h>
2076#include <sys/types.h>
2077#ifdef HAVE_SYS_SYSMACROS_H
2078#include <sys/sysmacros.h>
2079#endif
2080#ifdef HAVE_SYS_SELECT_H
2081#include <sys/select.h>
2082#endif
2083#ifdef HAVE_SYS_TIME_H
2084#include <sys/time.h>
2085#endif
2086#ifdef HAVE_UNISTD_H
2087#include <unistd.h>
2088#endif
2089	]])
2090AC_CHECK_TYPES([fd_mask], [], [], [[
2091#include <sys/param.h>
2092#include <sys/types.h>
2093#ifdef HAVE_SYS_SELECT_H
2094#include <sys/select.h>
2095#endif
2096#ifdef HAVE_SYS_TIME_H
2097#include <sys/time.h>
2098#endif
2099#ifdef HAVE_UNISTD_H
2100#include <unistd.h>
2101#endif
2102	]])
2103
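AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have setresuid that isn't implemented, test for this.
	dnl The probe passes unless the call reports ENOSYS; any other outcome,
	dnl including a permission failure, counts as a working setresuid.
	dnl A probe that does not compile takes the same branch as ENOSYS, so the
	dnl prototype is pulled in from unistd.h to keep compilers that reject
	dnl implicit declarations from wrongly defining BROKEN_SETRESUID.
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])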
2126
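AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have setresgid that isn't implemented, test for this.
	dnl The probe passes unless the call reports ENOSYS; any other outcome,
	dnl including a permission failure, counts as a working setresgid.
	dnl A probe that does not compile takes the same branch as ENOSYS, so the
	dnl prototype is pulled in from unistd.h to keep compilers that reject
	dnl implicit declarations from wrongly defining BROKEN_SETRESGID.
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		dnl The warning used to name setresuid, copied from the check above.
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])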
2149
2150AC_MSG_CHECKING([for working fflush(NULL)])
2151AC_RUN_IFELSE(
2152	[AC_LANG_PROGRAM([[
2153#include <stdio.h>
2154#include <stdlib.h>
2155	]],
2156	[[fflush(NULL); exit(0);]])],
2157	AC_MSG_RESULT([yes]),
2158	[AC_MSG_RESULT([no])
2159	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2160	    [define if fflush(NULL) does not work])],
2161	AC_MSG_WARN([cross compiling: assuming working])
2162)
2163
2164dnl    Checks for time functions
2165AC_CHECK_FUNCS([gettimeofday time])
2166dnl    Checks for utmp functions
2167AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2168AC_CHECK_FUNCS([utmpname])
2169dnl    Checks for utmpx functions
2170AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2171AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2172dnl    Checks for lastlog functions
2173AC_CHECK_FUNCS([getlastlogxbyname])
2174
2175AC_CHECK_FUNC([daemon],
2176	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2177	[AC_CHECK_LIB([bsd], [daemon],
2178		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2179)
2180
2181AC_CHECK_FUNC([getpagesize],
2182	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2183		[Define if your libraries define getpagesize()])],
2184	[AC_CHECK_LIB([ucb], [getpagesize],
2185		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2186)
2187
# Check for broken snprintf
# The probe formats a nine character string into a five byte buffer and passes
# only when the last byte of the buffer is NUL afterwards.
# NOTE(review): nothing is executed when cross compiling, so a target snprintf
# that leaves the buffer unterminated would go undetected by this check.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
		]],
		[[
	char b[5];
	snprintf(b,5,"123456789");
	exit(b[4]!='\0');
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi
2211
2212if test "x$ac_cv_func_snprintf" = "xyes" ; then
2213	AC_MSG_CHECKING([whether snprintf understands %zu])
2214	AC_RUN_IFELSE(
2215		[AC_LANG_PROGRAM([[
2216#include <sys/types.h>
2217#include <stdio.h>
2218#include <stdlib.h>
2219#include <string.h>
2220		]],
2221		[[
2222	size_t a = 1, b = 2;
2223	char z[128];
2224	snprintf(z, sizeof z, "%zu%zu", a, b);
2225	exit(strcmp(z, "12"));
2226		]])],
2227		[AC_MSG_RESULT([yes])],
2228		[
2229			AC_MSG_RESULT([no])
2230			AC_DEFINE([BROKEN_SNPRINTF], [1],
2231				[snprintf does not understand %zu])
2232		],
2233		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2234	)
2235fi
2236
2237# We depend on vsnprintf returning the right thing on overflow: the
2238# number of characters it tried to create (as per SUSv3)
2239if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2240	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2241	AC_RUN_IFELSE(
2242		[AC_LANG_PROGRAM([[
2243#include <sys/types.h>
2244#include <stdio.h>
2245#include <stdarg.h>
2246
2247int x_snprintf(char *str, size_t count, const char *fmt, ...)
2248{
2249	size_t ret;
2250	va_list ap;
2251
2252	va_start(ap, fmt);
2253	ret = vsnprintf(str, count, fmt, ap);
2254	va_end(ap);
2255	return ret;
2256}
2257		]], [[
2258char x[1];
2259if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2260	return 1;
2261if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2262	return 1;
2263return 0;
2264		]])],
2265		[AC_MSG_RESULT([yes])],
2266		[
2267			AC_MSG_RESULT([no])
2268			AC_DEFINE([BROKEN_SNPRINTF], [1],
2269				[Define if your snprintf is busted])
2270			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2271		],
2272		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2273	)
2274fi
2275
2276# On systems where [v]snprintf is broken, but is declared in stdio,
2277# check that the fmt argument is const char * or just char *.
2278# This is only useful for when BROKEN_SNPRINTF
2279AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2280AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2281#include <stdio.h>
2282int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2283		]], [[
2284	snprintf(0, 0, 0);
2285		]])],
2286   [AC_MSG_RESULT([yes])
2287    AC_DEFINE([SNPRINTF_CONST], [const],
2288              [Define as const if snprintf() can declare const char *fmt])],
2289   [AC_MSG_RESULT([no])
2290    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2291
# Check for missing getpeereid (or equiv) support
# When neither getpeereid nor getpeerucred was found, test whether a program
# naming SO_PEERCRED compiles. If it does not, NO_PEERCHECK is set to 1.
# NOTE(review): NO_PEERCHECK is presumably consumed later to report that the
# peer of a local socket cannot be identified on this platform; confirm.
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
		[ AC_MSG_RESULT([yes])
		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
		], [AC_MSG_RESULT([no])
		NO_PEERCHECK=1
        ])
fi
2305
2306dnl make sure that openpty does not reacquire controlling terminal
2307if test ! -z "$check_for_openpty_ctty_bug"; then
2308	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2309	AC_RUN_IFELSE(
2310		[AC_LANG_PROGRAM([[
2311#include <stdio.h>
2312#include <stdlib.h>
2313#include <unistd.h>
2314#include <sys/fcntl.h>
2315#include <sys/types.h>
2316#include <sys/wait.h>
2317		]], [[
2318	pid_t pid;
2319	int fd, ptyfd, ttyfd, status;
2320
2321	pid = fork();
2322	if (pid < 0) {		/* failed */
2323		exit(1);
2324	} else if (pid > 0) {	/* parent */
2325		waitpid(pid, &status, 0);
2326		if (WIFEXITED(status))
2327			exit(WEXITSTATUS(status));
2328		else
2329			exit(2);
2330	} else {		/* child */
2331		close(0); close(1); close(2);
2332		setsid();
2333		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2334		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2335		if (fd >= 0)
2336			exit(3);	/* Acquired ctty: broken */
2337		else
2338			exit(0);	/* Did not acquire ctty: OK */
2339	}
2340		]])],
2341		[
2342			AC_MSG_RESULT([yes])
2343		],
2344		[
2345			AC_MSG_RESULT([no])
2346			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2347		],
2348		[
2349			AC_MSG_RESULT([cross-compiling, assuming yes])
2350		]
2351	)
2352fi
2353
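dnl Run-time probe, enabled only when check_for_hpux_broken_getaddrinfo is 1
dnl (presumably set by a host-specific section outside this view). It resolves
dnl the passive wildcard address and, for every IPv6 result, requires
dnl getnameinfo to succeed and bind not to fail with EBADF. Any non-zero exit,
dnl or a probe that does not compile, defines BROKEN_GETADDRINFO.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* memset; without it the probe relies on an implicit declaration */
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi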
2422
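dnl Run-time probe, enabled only when check_for_aix_broken_getaddrinfo is 1
dnl (presumably set by a host-specific section outside this view). It resolves
dnl the passive wildcard address and calls getnameinfo on every IPv4 and IPv6
dnl result, failing only when an IPv4 lookup fails. Success defines
dnl AIX_GETNAMEINFO_HACK; failure, including a probe that does not compile,
dnl defines BROKEN_GETADDRINFO.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* memset; without it the probe relies on an implicit declaration */
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi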
2482
2483if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2484	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2485	    [#include <sys/types.h>
2486	     #include <sys/socket.h>
2487	     #include <netdb.h>])
2488fi
2489
2490if test "x$check_for_conflicting_getspnam" = "x1"; then
2491	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2492	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2493#include <shadow.h>
2494#include <stdlib.h>
2495		]],
2496		[[ exit(0); ]])],
2497		[
2498			AC_MSG_RESULT([no])
2499		],
2500		[
2501			AC_MSG_RESULT([yes])
2502			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2503			    [Conflicting defs for getspnam])
2504		]
2505	)
2506fi
2507
2508dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2509dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2510dnl for over ten years). Despite this incompatibility being reported during
2511dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2512dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2513dnl implementation.  Try to detect this mess, and assume the only safe option
2514dnl if we're cross compiling.
2515dnl
2516dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2517dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
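dnl The probe calls strnvis with the OpenBSD argument order. With the other
dnl argument order the call is expected to fault or produce a different
dnl result; the SIGSEGV handler turns a fault into a plain failure exit.
dnl The final exit statement was missing its semicolon, so the probe never
dnl compiled and BROKEN_STRNVIS was defined on every native build.
if test "x$ac_cv_func_strnvis" = "xyes"; then
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi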
2543
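dnl Probe whether select returns -1 when a signal arrives whose handler was
dnl installed with SA_RESTART. The child sends SIGTERM to the parent after one
dnl second and, if the parent is still there a second later, kills it, which
dnl also ends the probe with a failure status.
dnl The header guard now uses HAVE_SYS_SELECT_H, the name used by the other
dnl checks in this file; the previous spelling was never defined, so
dnl sys/select.h was never included here.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	sa.sa_handler = sighandler;
	sigemptyset(&sa.sa_mask);	/* do not hand sigaction an uninitialised mask */
	sa.sa_flags = SA_RESTART;
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do no interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)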
2583
2584AC_CHECK_FUNCS([getpgrp],[
2585	AC_MSG_CHECKING([if getpgrp accepts zero args])
2586	AC_COMPILE_IFELSE(
2587		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2588		[ AC_MSG_RESULT([yes])
2589		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2590		[ AC_MSG_RESULT([no])
2591		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2592	)
2593])
2594
# Search for OpenSSL
# The flags in effect before any OpenSSL-specific additions are saved here.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
dnl --with-ssl-dir=PATH prepends PATH to the library and header search order,
dnl so the libcrypto and headers found there take precedence over any listed
dnl later. When rpath_opt is non-empty the same library directory is also
dnl passed to the linker through that option.
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			case "$withval" in
				# Relative paths
				# NOTE(review): only the ./ and ../ prefixes are made absolute.
				# Any other relative form is used as given; if rpath_opt records
				# a run-time search path, a relative entry would typically be
				# resolved against the working directory of the running program.
				./*|../*)	withval="`pwd`/$withval"
			esac
			# Library directory: prefer lib, then lib64, else the path itself.
			if test -d "$withval/lib"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
				fi
			elif test -d "$withval/lib64"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
				fi
			else
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${LDFLAGS}"
				fi
			fi
			# Header directory: prefer include, else the path itself.
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)
2636
dnl --without-openssl-header-check sets openssl_check_nonfatal. The header and
dnl library consistency check further down in this file then reports a
dnl mismatch as a warning instead of stopping configure.
dnl NOTE(review): with the check relaxed, a build can proceed against headers
dnl from one OpenSSL release and a library from another; use only when the
dnl installation is known to be consistent.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		if test "x$withval" = "xno" ; then
			openssl_check_nonfatal=1
		fi
	]
)
2645
2646openssl_engine=no
2647AC_ARG_WITH([ssl-engine],
2648	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2649	[
2650		if test "x$withval" != "xno" ; then
2651			if test "x$openssl" = "xno" ; then
2652				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2653			fi
2654			openssl_engine=yes
2655		fi
2656	]
2657)
2658
2659if test "x$openssl" = "xyes" ; then
2660	LIBS="-lcrypto $LIBS"
2661	AC_TRY_LINK_FUNC([RAND_add], ,
2662	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2663	AC_CHECK_HEADER([openssl/opensslv.h], ,
2664	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2665
2666	# Determine OpenSSL header version
2667	AC_MSG_CHECKING([OpenSSL header version])
2668	AC_RUN_IFELSE(
2669		[AC_LANG_PROGRAM([[
2670	#include <stdlib.h>
2671	#include <stdio.h>
2672	#include <string.h>
2673	#include <openssl/opensslv.h>
2674	#define DATA "conftest.sslincver"
2675		]], [[
2676		FILE *fd;
2677		int rc;
2678
2679		fd = fopen(DATA,"w");
2680		if(fd == NULL)
2681			exit(1);
2682
2683		if ((rc = fprintf(fd, "%08lx (%s)\n",
2684		    (unsigned long)OPENSSL_VERSION_NUMBER,
2685		     OPENSSL_VERSION_TEXT)) < 0)
2686			exit(1);
2687
2688		exit(0);
2689		]])],
2690		[
2691			ssl_header_ver=`cat conftest.sslincver`
2692			AC_MSG_RESULT([$ssl_header_ver])
2693		],
2694		[
2695			AC_MSG_RESULT([not found])
2696			AC_MSG_ERROR([OpenSSL version header not found.])
2697		],
2698		[
2699			AC_MSG_WARN([cross compiling: not checking])
2700		]
2701	)
2702
2703	# Determining OpenSSL library version is version dependent.
2704	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2705
	# Determine OpenSSL library version
	# The probe writes the version number and text reported by the linked
	# library to conftest.ssllibver; the shell code then rejects versions
	# that are too old or known to be unusable.
	AC_MSG_CHECKING([OpenSSL library version])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/opensslv.h>
	#include <openssl/crypto.h>
	#define DATA "conftest.ssllibver"
		]], [[
		FILE *fd;
		int rc;

		fd = fopen(DATA,"w");
		if(fd == NULL)
			exit(1);
/* Map the newer API names onto the SSLeay ones when the newer are absent. */
#ifndef OPENSSL_VERSION
# define OPENSSL_VERSION SSLEAY_VERSION
#endif
#ifndef HAVE_OPENSSL_VERSION
# define OpenSSL_version	SSLeay_version
#endif
#ifndef HAVE_OPENSSL_VERSION_NUM
# define OpenSSL_version_num	SSLeay
#endif
		if ((rc = fprintf(fd, "%08lx (%s)\n",
		    (unsigned long)OpenSSL_version_num(),
		    OpenSSL_version(OPENSSL_VERSION))) < 0)
			exit(1);

		exit(0);
		]])],
		[
			ssl_library_ver=`cat conftest.ssllibver`
			# Check version is supported.
			# Patterns match the leading hex digits of the version number
			# and are tried in order, so the rejecting patterns come before
			# the broader accepting ones.
			case "$ssl_library_ver" in
			10000*|0*)
				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
		                ;;
			100*)   ;; # 1.0.x
			101000[[0123456]]*)
				# https://github.com/openssl/openssl/pull/4613
				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
				;;
			101*)   ;; # 1.1.x
			200*)   ;; # LibreSSL
			300*)   ;; # OpenSSL development branch.
		        *)
				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
		                ;;
			esac
			AC_MSG_RESULT([$ssl_library_ver])
		],
		[
			AC_MSG_RESULT([not found])
			AC_MSG_ERROR([OpenSSL library not found.])
		],
		[
			# NOTE(review): when cross compiling the probe is not run, so
			# none of the version gates above are applied; the version of
			# the target libcrypto has to be verified by other means.
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
2768
	# Sanity check OpenSSL headers
	# The probe compares the version number compiled in from the headers with
	# the one the linked library reports at run time. A mismatch stops
	# configure unless openssl_check_nonfatal is set, in which case it is
	# only reported as a warning.
	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/opensslv.h>
	#include <openssl/crypto.h>
		]], [[
/* Fall back to the SSLeay name when OpenSSL_version_num is absent. */
#ifndef HAVE_OPENSSL_VERSION_NUM
# define OpenSSL_version_num	SSLeay
#endif
		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			if test "x$openssl_check_nonfatal" = "x"; then
				AC_MSG_ERROR([Your OpenSSL headers do not match your
	library. Check config.log for details.
	If you are sure your installation is consistent, you can disable the check
	by running "./configure --without-openssl-header-check".
	Also see contrib/findssl.sh for help identifying header/library mismatches.
	])
			else
				AC_MSG_WARN([Your OpenSSL headers do not match your
	library. Check config.log for details.
	Also see contrib/findssl.sh for help identifying header/library mismatches.])
			fi
		],
		[
			# NOTE(review): the comparison is skipped when cross compiling,
			# so a header and library mismatch is not detected on that path.
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
2805
2806	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2807	AC_LINK_IFELSE(
2808		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2809		[[ ERR_load_crypto_strings(); ]])],
2810		[
2811			AC_MSG_RESULT([yes])
2812		],
2813		[
2814			AC_MSG_RESULT([no])
2815			saved_LIBS="$LIBS"
2816			LIBS="$LIBS -ldl"
2817			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2818			AC_LINK_IFELSE(
2819				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2820				[[ ERR_load_crypto_strings(); ]])],
2821				[
2822					AC_MSG_RESULT([yes])
2823				],
2824				[
2825					AC_MSG_RESULT([no])
2826					LIBS="$saved_LIBS"
2827				]
2828			)
2829		]
2830	)
2831
2832	AC_CHECK_FUNCS([ \
2833		BN_is_prime_ex \
2834		DSA_generate_parameters_ex \
2835		EVP_CIPHER_CTX_ctrl \
2836		EVP_DigestFinal_ex \
2837		EVP_DigestInit_ex \
2838		EVP_MD_CTX_cleanup \
2839		EVP_MD_CTX_copy_ex \
2840		EVP_MD_CTX_init \
2841		HMAC_CTX_init \
2842		RSA_generate_key_ex \
2843		RSA_get_default_method \
2844	])
2845
2846	# OpenSSL_add_all_algorithms may be a macro.
2847	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2848	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2849	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2850		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2851		[[#include <openssl/evp.h>]]
2852	    )
2853	)
2854
2855	# LibreSSL/OpenSSL 1.1x API
2856	AC_CHECK_FUNCS([ \
2857		OPENSSL_init_crypto \
2858		DH_get0_key \
2859		DH_get0_pqg \
2860		DH_set0_key \
2861		DH_set_length \
2862		DH_set0_pqg \
2863		DSA_get0_key \
2864		DSA_get0_pqg \
2865		DSA_set0_key \
2866		DSA_set0_pqg \
2867		DSA_SIG_get0 \
2868		DSA_SIG_set0 \
2869		ECDSA_SIG_get0 \
2870		ECDSA_SIG_set0 \
2871		EVP_CIPHER_CTX_iv \
2872		EVP_CIPHER_CTX_iv_noconst \
2873		EVP_CIPHER_CTX_get_iv \
2874		EVP_CIPHER_CTX_get_updated_iv \
2875		EVP_CIPHER_CTX_set_iv \
2876		RSA_get0_crt_params \
2877		RSA_get0_factors \
2878		RSA_get0_key \
2879		RSA_set0_crt_params \
2880		RSA_set0_factors \
2881		RSA_set0_key \
2882		RSA_meth_free \
2883		RSA_meth_dup \
2884		RSA_meth_set1_name \
2885		RSA_meth_get_finish \
2886		RSA_meth_set_priv_enc \
2887		RSA_meth_set_priv_dec \
2888		RSA_meth_set_finish \
2889		EVP_PKEY_get0_RSA \
2890		EVP_MD_CTX_new \
2891		EVP_MD_CTX_free \
2892		EVP_chacha20 \
2893	])
2894
2895	if test "x$openssl_engine" = "xyes" ; then
2896		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2897		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2898	#include <openssl/engine.h>
2899			]], [[
2900				ENGINE_load_builtin_engines();
2901				ENGINE_register_all_complete();
2902			]])],
2903			[ AC_MSG_RESULT([yes])
2904			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2905			     [Enable OpenSSL engine support])
2906			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2907		])
2908	fi
2909
2910	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2911	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2912	AC_LINK_IFELSE(
2913		[AC_LANG_PROGRAM([[
2914	#include <stdlib.h>
2915	#include <string.h>
2916	#include <openssl/evp.h>
2917		]], [[
2918		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2919		]])],
2920		[
2921			AC_MSG_RESULT([no])
2922		],
2923		[
2924			AC_MSG_RESULT([yes])
2925			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2926			    [libcrypto is missing AES 192 and 256 bit functions])
2927		]
2928	)
2929
2930	# Check for OpenSSL with EVP_aes_*ctr
2931	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2932	AC_LINK_IFELSE(
2933		[AC_LANG_PROGRAM([[
2934	#include <stdlib.h>
2935	#include <string.h>
2936	#include <openssl/evp.h>
2937		]], [[
2938		exit(EVP_aes_128_ctr() == NULL ||
2939		    EVP_aes_192_cbc() == NULL ||
2940		    EVP_aes_256_cbc() == NULL);
2941		]])],
2942		[
2943			AC_MSG_RESULT([yes])
2944			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2945			    [libcrypto has EVP AES CTR])
2946		],
2947		[
2948			AC_MSG_RESULT([no])
2949		]
2950	)
2951
2952	# Check for OpenSSL with EVP_aes_*gcm
2953	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2954	AC_LINK_IFELSE(
2955		[AC_LANG_PROGRAM([[
2956	#include <stdlib.h>
2957	#include <string.h>
2958	#include <openssl/evp.h>
2959		]], [[
2960		exit(EVP_aes_128_gcm() == NULL ||
2961		    EVP_aes_256_gcm() == NULL ||
2962		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2963		    EVP_CTRL_GCM_IV_GEN == 0 ||
2964		    EVP_CTRL_GCM_SET_TAG == 0 ||
2965		    EVP_CTRL_GCM_GET_TAG == 0 ||
2966		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2967		]])],
2968		[
2969			AC_MSG_RESULT([yes])
2970			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2971			    [libcrypto has EVP AES GCM])
2972		],
2973		[
2974			AC_MSG_RESULT([no])
2975			unsupported_algorithms="$unsupported_cipers \
2976			   aes128-gcm@openssh.com \
2977			   aes256-gcm@openssh.com"
2978		]
2979	)
2980
2981	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2982	AC_LINK_IFELSE(
2983		[AC_LANG_PROGRAM([[
2984	#include <stdlib.h>
2985	#include <string.h>
2986	#include <openssl/evp.h>
2987		]], [[
2988		if(EVP_DigestUpdate(NULL, NULL,0))
2989			exit(0);
2990		]])],
2991		[
2992			AC_MSG_RESULT([yes])
2993		],
2994		[
2995			AC_MSG_RESULT([no])
2996			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2997			    [Define if EVP_DigestUpdate returns void])
2998		]
2999	)
3000
3001	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
3002	# because the system crypt() is more featureful.
3003	if test "x$check_for_libcrypt_before" = "x1"; then
3004		AC_CHECK_LIB([crypt], [crypt])
3005	fi
3006
3007	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
3008	# version in OpenSSL.
3009	if test "x$check_for_libcrypt_later" = "x1"; then
3010		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3011	fi
3012	AC_CHECK_FUNCS([crypt DES_crypt])
3013
3014	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3015	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3016
3017	# Check complete ECC support in OpenSSL
3018	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3019	AC_LINK_IFELSE(
3020		[AC_LANG_PROGRAM([[
3021	#include <openssl/ec.h>
3022	#include <openssl/ecdh.h>
3023	#include <openssl/ecdsa.h>
3024	#include <openssl/evp.h>
3025	#include <openssl/objects.h>
3026	#include <openssl/opensslv.h>
3027		]], [[
3028		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3029		const EVP_MD *m = EVP_sha256(); /* We need this too */
3030		]])],
3031		[ AC_MSG_RESULT([yes])
3032		  enable_nistp256=1 ],
3033		[ AC_MSG_RESULT([no]) ]
3034	)
3035
3036	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3037	AC_LINK_IFELSE(
3038		[AC_LANG_PROGRAM([[
3039	#include <openssl/ec.h>
3040	#include <openssl/ecdh.h>
3041	#include <openssl/ecdsa.h>
3042	#include <openssl/evp.h>
3043	#include <openssl/objects.h>
3044	#include <openssl/opensslv.h>
3045		]], [[
3046		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3047		const EVP_MD *m = EVP_sha384(); /* We need this too */
3048		]])],
3049		[ AC_MSG_RESULT([yes])
3050		  enable_nistp384=1 ],
3051		[ AC_MSG_RESULT([no]) ]
3052	)
3053
3054	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3055	AC_LINK_IFELSE(
3056		[AC_LANG_PROGRAM([[
3057	#include <openssl/ec.h>
3058	#include <openssl/ecdh.h>
3059	#include <openssl/ecdsa.h>
3060	#include <openssl/evp.h>
3061	#include <openssl/objects.h>
3062	#include <openssl/opensslv.h>
3063		]], [[
3064		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3065		const EVP_MD *m = EVP_sha512(); /* We need this too */
3066		]])],
3067		[ AC_MSG_RESULT([yes])
3068		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3069		  AC_RUN_IFELSE(
3070			[AC_LANG_PROGRAM([[
3071	#include <stdlib.h>
3072	#include <openssl/ec.h>
3073	#include <openssl/ecdh.h>
3074	#include <openssl/ecdsa.h>
3075	#include <openssl/evp.h>
3076	#include <openssl/objects.h>
3077	#include <openssl/opensslv.h>
3078			]],[[
3079			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3080			const EVP_MD *m = EVP_sha512(); /* We need this too */
3081			exit(e == NULL || m == NULL);
3082			]])],
3083			[ AC_MSG_RESULT([yes])
3084			  enable_nistp521=1 ],
3085			[ AC_MSG_RESULT([no]) ],
3086			[ AC_MSG_WARN([cross-compiling: assuming yes])
3087			  enable_nistp521=1 ]
3088		  )],
3089		AC_MSG_RESULT([no])
3090	)
3091
3092	COMMENT_OUT_ECC="#no ecc#"
3093	TEST_SSH_ECC=no
3094
3095	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3096	    test x$enable_nistp521 = x1; then
3097		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3098		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3099		openssl_ecc=yes
3100	else
3101		openssl_ecc=no
3102	fi
3103	if test x$enable_nistp256 = x1; then
3104		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3105		    [libcrypto has NID_X9_62_prime256v1])
3106		TEST_SSH_ECC=yes
3107		COMMENT_OUT_ECC=""
3108	else
3109		unsupported_algorithms="$unsupported_algorithms \
3110			ecdsa-sha2-nistp256 \
3111			ecdh-sha2-nistp256 \
3112			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3113	fi
3114	if test x$enable_nistp384 = x1; then
3115		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3116		TEST_SSH_ECC=yes
3117		COMMENT_OUT_ECC=""
3118	else
3119		unsupported_algorithms="$unsupported_algorithms \
3120			ecdsa-sha2-nistp384 \
3121			ecdh-sha2-nistp384 \
3122			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3123	fi
3124	if test x$enable_nistp521 = x1; then
3125		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3126		TEST_SSH_ECC=yes
3127		COMMENT_OUT_ECC=""
3128	else
3129		unsupported_algorithms="$unsupported_algorithms \
3130			ecdh-sha2-nistp521 \
3131			ecdsa-sha2-nistp521 \
3132			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3133	fi
3134
3135	AC_SUBST([TEST_SSH_ECC])
3136	AC_SUBST([COMMENT_OUT_ECC])
3137else
3138	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3139	AC_CHECK_FUNCS([crypt])
3140fi
3141
# PKCS#11 and U2F/FIDO security-key support depend on OpenSSL and dlopen();
# security keys additionally need ECC support in libcrypto.
# Both features start out enabled.  Each failed prerequisite overwrites the
# status string, so the reason reported is that of the last check that
# failed, not the first.
enable_pkcs11=yes
enable_sk=yes

case "x$openssl" in
xyes)	;;
*)
	enable_pkcs11="disabled; missing libcrypto"
	enable_sk="disabled; missing libcrypto"
	;;
esac

case "x$openssl_ecc" in
xyes)	;;
*)
	enable_sk="disabled; OpenSSL has no ECC support"
	;;
esac

case "x$ac_cv_func_dlopen" in
xyes)	;;
*)
	enable_pkcs11="disabled; missing dlopen(3)"
	enable_sk="disabled; missing dlopen(3)"
	;;
esac

case "x$ac_cv_have_decl_RTLD_NOW" in
xyes)	;;
*)
	enable_pkcs11="disabled; missing RTLD_NOW"
	enable_sk="disabled; missing RTLD_NOW"
	;;
esac

# A non-empty disable_pkcs11 / disable_sk (both set outside this section)
# takes precedence over every automatic decision above.
test -n "$disable_pkcs11" && enable_pkcs11="disabled by user"
test -n "$disable_sk" && enable_sk="disabled by user"
3166
# Report the PKCS#11 decision; the feature macro is defined only when the
# status string is exactly "yes".
AC_MSG_CHECKING([whether to enable PKCS11])
case "x$enable_pkcs11" in
xyes)
	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
	;;
esac
AC_MSG_RESULT([$enable_pkcs11])

# Same for security keys.  The sk-dummy regress library is substituted
# into the build only when security-key support is on.
AC_MSG_CHECKING([whether to enable U2F])
case "x$enable_sk" in
xyes)
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	AC_SUBST([SK_DUMMY_LIBRARY], [regress/misc/sk-dummy/sk-dummy.so])
	;;
*)
	# Do not try to build sk-dummy library.
	AC_SUBST([SK_DUMMY_LIBRARY], [""])
	;;
esac
AC_MSG_RESULT([$enable_sk])
3182
# Built-in security key support links libfido2 directly.  It is probed only
# when security keys are enabled and enable_sk_internal (set outside this
# section) is "yes"; in that case a missing library or header is fatal.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])

	# Ask pkg-config first; fall back to a fixed library list below.
	use_pkgconfig_for_libfido2=
	case "x$PKGCONFIG" in
	xno)	;;
	*)
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		if "$PKGCONFIG" libfido2; then
			use_pkgconfig_for_libfido2=yes
			AC_MSG_RESULT([yes])
		else
			AC_MSG_RESULT([no])
		fi
		;;
	esac

	# Whatever pkg-config prints is appended to the link line and to
	# CPPFLAGS as-is.
	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
		LIBFIDO2=`$PKGCONFIG --libs libfido2`
		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
	else
		LIBFIDO2="-lfido2 -lcbor"
	fi

	# The libraries besides -lfido2 itself, passed as extra libraries to
	# the link test.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
		[ $OTHERLIBS ]
	)

	# Optional libfido2 entry points, probed with libfido2 temporarily
	# added to LIBS.
	saved_LIBS="$LIBS"
	LIBS="$LIBS $LIBFIDO2"
	AC_CHECK_FUNCS([ \
		fido_cred_prot \
		fido_cred_set_prot \
		fido_dev_get_touch_begin \
		fido_dev_get_touch_status \
		fido_dev_supports_cred_prot \
	])
	LIBS="$saved_LIBS"

	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi
3229
3230AC_CHECK_FUNCS([ \
3231	arc4random \
3232	arc4random_buf \
3233	arc4random_stir \
3234	arc4random_uniform \
3235])
3236
3237saved_LIBS="$LIBS"
3238AC_CHECK_LIB([iaf], [ia_openinfo], [
3239	LIBS="$LIBS -liaf"
3240	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3241				AC_DEFINE([HAVE_LIBIAF], [1],
3242			[Define if system has libiaf that supports set_id])
3243				])
3244])
3245LIBS="$saved_LIBS"
3246
3247### Configure cryptographic random number support
3248
# Does libcrypto's PRNG report itself as seeded with no outside help?
# The probe is a program executed at configure time, so the answer
# describes the build host.  When cross compiling it cannot be run and
# "yes" is assumed.
case "x$openssl" in
xyes)
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			AC_MSG_RESULT([yes])
			OPENSSL_SEEDS_ITSELF=yes
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
	;;
esac
3275
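# PRNGD TCP socket
#
# The port given here becomes a compile-time constant: it is written
# unquoted into config.h as PRNGD_PORT.  It is therefore validated as a
# plain decimal TCP port.  The previous pattern only looked at the first
# character, so a value such as "1x" or a number above 65535 was accepted.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		*[[!0-9]]*|0*|??????*)
			# Contains a non-digit, starts with a zero (which C would
			# read as an octal literal) or has more than five digits.
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		[[0-9]]*)
			# One to five digits with no leading zero at this point.
			if test "$withval" -gt 65535 ; then
				AC_MSG_ERROR([--with-prngd-port must be in the range 1-65535])
			fi
			;;
		*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		esac
		if test -n "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)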
3297
# PRNGD Unix domain socket
#
# An explicit path must be absolute and is compiled in as PRNGD_SOCKET,
# placed between double quotes with no further escaping.  Without the
# option, a short list of fixed locations is probed on the build host, and
# only when OpenSSL was not found to seed itself.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)	withval="/var/run/egd-pool" ;;
		no)	withval="" ;;
		/*)	;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test -n "$withval" ; then
			# Port and socket are mutually exclusive.
			test -z "$PRNGD_PORT" || \
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			# A socket that cannot be read at build time only warns.
			test -r "$withval" || \
				AC_MSG_WARN([Entropy socket is not readable])
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				test -r $sock || continue
				# Accept a readable socket or named pipe only.
				if $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break
				fi
			done
			if test -n "$PRNGD_SOCKET" ; then
				AC_MSG_RESULT([$PRNGD_SOCKET])
			else
				AC_MSG_RESULT([not found])
			fi
		fi
	]
)
3348
# Choose the randomness source, in priority order: an explicit PRNGd TCP
# port, a PRNGd socket, then OpenSSL's internal seeding.  A build without
# OpenSSL only warns that /dev/urandom will be used, and RAND_MSG is not
# set on that path here.  With OpenSSL but no seeding source at all,
# configure stops.
if test -n "$PRNGD_PORT" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test -n "$PRNGD_SOCKET" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test -n "$OPENSSL_SEEDS_ITSELF" ; then
	RAND_MSG="OpenSSL internal ONLY"
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3363
3364# Check for PAM libs
3365PAM_MSG="no"
3366AC_ARG_WITH([pam],
3367	[  --with-pam              Enable PAM support ],
3368	[
3369		if test "x$withval" != "xno" ; then
3370			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3371			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3372				AC_MSG_ERROR([PAM headers not found])
3373			fi
3374
3375			saved_LIBS="$LIBS"
3376			AC_CHECK_LIB([dl], [dlopen], , )
3377			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3378			AC_CHECK_FUNCS([pam_getenvlist])
3379			AC_CHECK_FUNCS([pam_putenv])
3380			LIBS="$saved_LIBS"
3381
3382			PAM_MSG="yes"
3383
3384			SSHDLIBS="$SSHDLIBS -lpam"
3385			AC_DEFINE([USE_PAM], [1],
3386				[Define if you want to enable PAM support])
3387
3388			if test $ac_cv_lib_dl_dlopen = yes; then
3389				case "$LIBS" in
3390				*-ldl*)
3391					# libdl already in LIBS
3392					;;
3393				*)
3394					SSHDLIBS="$SSHDLIBS -ldl"
3395					;;
3396				esac
3397			fi
3398		fi
3399	]
3400)
3401
# Optional override of the PAM service name sshd registers under.
# A bare --with-pam-service or --without-pam-service defines nothing.
# Any other value is placed between double quotes in config.h with no
# escaping applied here.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		case "x$withval" in
		xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
			;;
		esac
	]
)
3412
3413# Check for older PAM
3414if test "x$PAM_MSG" = "xyes" ; then
3415	# Check PAM strerror arguments (old PAM)
3416	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3417	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3418#include <stdlib.h>
3419#if defined(HAVE_SECURITY_PAM_APPL_H)
3420#include <security/pam_appl.h>
3421#elif defined (HAVE_PAM_PAM_APPL_H)
3422#include <pam/pam_appl.h>
3423#endif
3424		]], [[
3425(void)pam_strerror((pam_handle_t *)NULL, -1);
3426		]])], [AC_MSG_RESULT([no])], [
3427			AC_DEFINE([HAVE_OLD_PAM], [1],
3428				[Define if you have an old version of PAM
3429				which takes only one argument to pam_strerror])
3430			AC_MSG_RESULT([yes])
3431			PAM_MSG="yes (old library)"
3432
3433	])
3434fi
3435
# Unprivileged account used for privilege separation.  The default is
# "sshd"; on Cygwin the name of a lookup function is used instead of a
# fixed account name.
SSH_PRIVSEP_USER=sshd
case "$host" in
*-*-cygwin*)
	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
	;;
esac

# An explicit, non-empty value other than yes/no replaces the default.
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		case "$withval" in
		""|no|yes)
			;;
		*)
			SSH_PRIVSEP_USER=$withval
			;;
		esac
	]
)

# The Cygwin placeholder is emitted as a bare identifier; anything else
# becomes a C string literal, with no escaping applied here.
case "x$SSH_PRIVSEP_USER" in
xCYGWIN_SSH_PRIVSEP_USER)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
	;;
*)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
	;;
esac
AC_SUBST([SSH_PRIVSEP_USER])
3461
# seccomp filter prerequisites.  SECCOMP_MODE_FILTER is looked for only
# when have_linux_no_new_privs (set outside this section) is 1.
if test "x$have_linux_no_new_privs" = "x1" ; then
	AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
	])
fi

# The probe below is compiled and linked but never executed.  It shows
# that the headers, prctl() and the audit architecture chosen for this
# host fit together.  Whether the kernel that ends up running sshd accepts
# a filter is not established at configure time, despite the wording of
# the progress message.
if test "x$have_seccomp_filter" = "x1" ; then
	AC_MSG_CHECKING([kernel for seccomp_filter support])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
			# Disable seccomp filter as a target
			have_seccomp_filter=0
			AC_MSG_RESULT([no])
		]
	)
fi
3489
# Record the requested privilege separation sandbox.  An empty sandbox_arg
# means "pick automatically"; a bare --with-sandbox is treated the same.
# The value is not validated here.  The selection code further down also
# accepts "solaris", "none" and "null", which the help text does not list.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
	[
		case "x$withval" in
		xyes)
			sandbox_arg=""
			;;
		*)
			sandbox_arg="$withval"
			;;
		esac
	]
)
3502
3503# Some platforms (seems to be the ones that have a kernel poll(2)-type
3504# function with which they implement select(2)) use an extra file descriptor
3505# when calling select(2), which means we can't use the rlimit sandbox.
3506AC_MSG_CHECKING([if select works with descriptor rlimit])
3507AC_RUN_IFELSE(
3508	[AC_LANG_PROGRAM([[
3509#include <sys/types.h>
3510#ifdef HAVE_SYS_TIME_H
3511# include <sys/time.h>
3512#endif
3513#include <sys/resource.h>
3514#ifdef HAVE_SYS_SELECT_H
3515# include <sys/select.h>
3516#endif
3517#include <errno.h>
3518#include <fcntl.h>
3519#include <stdlib.h>
3520	]],[[
3521	struct rlimit rl_zero;
3522	int fd, r;
3523	fd_set fds;
3524	struct timeval tv;
3525
3526	fd = open("/dev/null", O_RDONLY);
3527	FD_ZERO(&fds);
3528	FD_SET(fd, &fds);
3529	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3530	setrlimit(RLIMIT_FSIZE, &rl_zero);
3531	setrlimit(RLIMIT_NOFILE, &rl_zero);
3532	tv.tv_sec = 1;
3533	tv.tv_usec = 0;
3534	r = select(fd+1, &fds, NULL, NULL, &tv);
3535	exit (r == -1 ? 1 : 0);
3536	]])],
3537	[AC_MSG_RESULT([yes])
3538	 select_works_with_rlimit=yes],
3539	[AC_MSG_RESULT([no])
3540	 select_works_with_rlimit=no],
3541	[AC_MSG_WARN([cross compiling: assuming yes])
3542	 select_works_with_rlimit=yes]
3543)
3544
3545AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3546AC_RUN_IFELSE(
3547	[AC_LANG_PROGRAM([[
3548#include <sys/types.h>
3549#ifdef HAVE_SYS_TIME_H
3550# include <sys/time.h>
3551#endif
3552#include <sys/resource.h>
3553#include <errno.h>
3554#include <stdlib.h>
3555	]],[[
3556	struct rlimit rl_zero;
3557	int r;
3558
3559	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3560	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3561	exit (r == -1 ? 1 : 0);
3562	]])],
3563	[AC_MSG_RESULT([yes])
3564	 rlimit_nofile_zero_works=yes],
3565	[AC_MSG_RESULT([no])
3566	 rlimit_nofile_zero_works=no],
3567	[AC_MSG_WARN([cross compiling: assuming yes])
3568	 rlimit_nofile_zero_works=yes]
3569)
3570
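# Can RLIMIT_FSIZE be set to zero on the build host?  The probe is run at
# configure time; SANDBOX_SKIP_RLIMIT_FSIZE is defined only when the
# setrlimit call fails.  When cross compiling the probe cannot run and the
# limit is assumed to work.  The config.h description used to read
# "setrlimit RLIMIT_FSIZE works", the opposite of the condition under
# which the macro is defined.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)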
3589
# Select the privilege separation sandbox.
#
# With no explicit request the first mechanism whose prerequisites were
# detected wins, in this order: pledge, systrace, darwin, seccomp_filter,
# capsicum, rlimit, solaris.  If none was detected the build falls through
# to "none", i.e. no sandbox, without an error or warning from this block.
#
# An explicit --with-sandbox=STYLE selects that branch and then re-checks
# its prerequisites, failing configure when one is missing.  Two branches
# check less when requested explicitly than when auto-detected: "rlimit"
# does not look at rlimit_nofile_zero_works, and "solaris" checks nothing.
if test "x$sandbox_arg" = "xpledge" || \
   { test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ; } ; then
	if test "x$ac_cv_func_pledge" != "xyes" ; then
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	fi
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
     { test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ; } ; then
	if test "x$have_systr_policy_kill" != "x1" ; then
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	fi
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     { test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes" ; } ; then
	if test "x$ac_cv_func_sandbox_init" != "xyes" || \
	   test "x$ac_cv_header_sandbox_h" != "xyes" ; then
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	fi
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     { test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ; } ; then
	# The first failing prerequisite decides the error message.
	if test "x$seccomp_audit_arch" = "x" ; then
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	fi
	if test "x$have_linux_no_new_privs" != "x1" ; then
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	fi
	if test "x$have_seccomp_filter" != "x1" ; then
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	fi
	if test "x$ac_cv_func_prctl" != "xyes" ; then
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	fi
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     { test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes" ; } ; then
	if test "x$ac_cv_header_sys_capsicum_h" != "xyes" ; then
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	fi
	if test "x$ac_cv_func_cap_rights_limit" != "xyes" ; then
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	fi
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     { test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ; } ; then
	if test "x$ac_cv_func_setrlimit" != "xyes" ; then
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	fi
	if test "x$select_works_with_rlimit" != "xyes" ; then
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	fi
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
     { test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ; } ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# Nothing requested and nothing detected, or sandboxing turned off.
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi
3660
3661# Cheap hack to ensure NEWS-OS libraries are arranged right.
3662if test ! -z "$SONY" ; then
3663  LIBS="$LIBS -liberty";
3664fi
3665
3666# Check for  long long datatypes
3667AC_CHECK_TYPES([long long, unsigned long long, long double])
3668
3669# Check datatype sizes
3670AC_CHECK_SIZEOF([short int])
3671AC_CHECK_SIZEOF([int])
3672AC_CHECK_SIZEOF([long int])
3673AC_CHECK_SIZEOF([long long int])
3674
3675# Sanity check long long for some platforms (AIX)
3676if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3677	ac_cv_sizeof_long_long_int=0
3678fi
3679
3680# compute LLONG_MIN and LLONG_MAX if we don't know them.
3681if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3682	AC_MSG_CHECKING([for max value of long long])
3683	AC_RUN_IFELSE(
3684		[AC_LANG_PROGRAM([[
3685#include <stdio.h>
3686#include <stdlib.h>
3687/* Why is this so damn hard? */
3688#ifdef __GNUC__
3689# undef __GNUC__
3690#endif
3691#define __USE_ISOC99
3692#include <limits.h>
3693#define DATA "conftest.llminmax"
3694#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3695
3696/*
3697 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3698 * we do this the hard way.
3699 */
3700static int
3701fprint_ll(FILE *f, long long n)
3702{
3703	unsigned int i;
3704	int l[sizeof(long long) * 8];
3705
3706	if (n < 0)
3707		if (fprintf(f, "-") < 0)
3708			return -1;
3709	for (i = 0; n != 0; i++) {
3710		l[i] = my_abs(n % 10);
3711		n /= 10;
3712	}
3713	do {
3714		if (fprintf(f, "%d", l[--i]) < 0)
3715			return -1;
3716	} while (i != 0);
3717	if (fprintf(f, " ") < 0)
3718		return -1;
3719	return 0;
3720}
3721		]], [[
3722	FILE *f;
3723	long long i, llmin, llmax = 0;
3724
3725	if((f = fopen(DATA,"w")) == NULL)
3726		exit(1);
3727
3728#if defined(LLONG_MIN) && defined(LLONG_MAX)
3729	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3730	llmin = LLONG_MIN;
3731	llmax = LLONG_MAX;
3732#else
3733	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3734	/* This will work on one's complement and two's complement */
3735	for (i = 1; i > llmax; i <<= 1, i++)
3736		llmax = i;
3737	llmin = llmax + 1LL;	/* wrap */
3738#endif
3739
3740	/* Sanity check */
3741	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3742	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3743	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3744		fprintf(f, "unknown unknown\n");
3745		exit(2);
3746	}
3747
3748	if (fprint_ll(f, llmin) < 0)
3749		exit(3);
3750	if (fprint_ll(f, llmax) < 0)
3751		exit(4);
3752	if (fclose(f) < 0)
3753		exit(5);
3754	exit(0);
3755		]])],
3756		[
3757			llong_min=`$AWK '{print $1}' conftest.llminmax`
3758			llong_max=`$AWK '{print $2}' conftest.llminmax`
3759
3760			AC_MSG_RESULT([$llong_max])
3761			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3762			    [max value of long long calculated by configure])
3763			AC_MSG_CHECKING([for min value of long long])
3764			AC_MSG_RESULT([$llong_min])
3765			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3766			    [min value of long long calculated by configure])
3767		],
3768		[
3769			AC_MSG_RESULT([not found])
3770		],
3771		[
3772			AC_MSG_WARN([cross compiling: not checking])
3773		]
3774	)
3775fi
3776
3777AC_CHECK_DECLS([UINT32_MAX], , , [[
3778#ifdef HAVE_SYS_LIMITS_H
3779# include <sys/limits.h>
3780#endif
3781#ifdef HAVE_LIMITS_H
3782# include <limits.h>
3783#endif
3784#ifdef HAVE_STDINT_H
3785# include <stdint.h>
3786#endif
3787]])
3788
3789# More checks for data types
3790AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3791	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3792	[[ u_int a; a = 1;]])],
3793	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3794	])
3795])
3796if test "x$ac_cv_have_u_int" = "xyes" ; then
3797	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3798	have_u_int=1
3799fi
3800
3801AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3802	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3803	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3804	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3805	])
3806])
3807if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3808	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3809	have_intxx_t=1
3810fi
3811
3812if (test -z "$have_intxx_t" && \
3813	   test "x$ac_cv_header_stdint_h" = "xyes")
3814then
3815    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3816	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3817	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3818		[
3819			AC_DEFINE([HAVE_INTXX_T])
3820			AC_MSG_RESULT([yes])
3821		], [ AC_MSG_RESULT([no])
3822	])
3823fi
3824
3825AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3826	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3827#include <sys/types.h>
3828#ifdef HAVE_STDINT_H
3829# include <stdint.h>
3830#endif
3831#include <sys/socket.h>
3832#ifdef HAVE_SYS_BITYPES_H
3833# include <sys/bitypes.h>
3834#endif
3835		]], [[
3836int64_t a; a = 1;
3837		]])],
3838	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3839	])
3840])
3841if test "x$ac_cv_have_int64_t" = "xyes" ; then
3842	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3843fi
3844
3845AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3846	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3847	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3848	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3849	])
3850])
3851if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3852	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3853	have_u_intxx_t=1
3854fi
3855
3856if test -z "$have_u_intxx_t" ; then
3857    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3858	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3859	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3860		[
3861			AC_DEFINE([HAVE_U_INTXX_T])
3862			AC_MSG_RESULT([yes])
3863		], [ AC_MSG_RESULT([no])
3864	])
3865fi
3866
3867AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3868	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3869	[[ u_int64_t a; a = 1;]])],
3870	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3871	])
3872])
3873if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3874	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3875	have_u_int64_t=1
3876fi
3877
3878if (test -z "$have_u_int64_t" && \
3879	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3880then
3881    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3882	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3883	[[ u_int64_t a; a = 1]])],
3884		[
3885			AC_DEFINE([HAVE_U_INT64_T])
3886			AC_MSG_RESULT([yes])
3887		], [ AC_MSG_RESULT([no])
3888	])
3889fi
3890
3891if test -z "$have_u_intxx_t" ; then
3892	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3893		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3894#include <sys/types.h>
3895			]], [[
3896	uint8_t a;
3897	uint16_t b;
3898	uint32_t c;
3899	a = b = c = 1;
3900			]])],
3901		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3902		])
3903	])
3904	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3905		AC_DEFINE([HAVE_UINTXX_T], [1],
3906			[define if you have uintxx_t data type])
3907	fi
3908fi
3909
3910if (test -z "$have_uintxx_t" && \
3911	   test "x$ac_cv_header_stdint_h" = "xyes")
3912then
3913    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3914	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3915	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3916		[
3917			AC_DEFINE([HAVE_UINTXX_T])
3918			AC_MSG_RESULT([yes])
3919		], [ AC_MSG_RESULT([no])
3920	])
3921fi
3922
3923if (test -z "$have_uintxx_t" && \
3924	   test "x$ac_cv_header_inttypes_h" = "xyes")
3925then
3926    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3927	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3928	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3929		[
3930			AC_DEFINE([HAVE_UINTXX_T])
3931			AC_MSG_RESULT([yes])
3932		], [ AC_MSG_RESULT([no])
3933	])
3934fi
3935
3936if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3937	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3938then
3939	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3940	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3941#include <sys/bitypes.h>
3942		]], [[
3943			int8_t a; int16_t b; int32_t c;
3944			u_int8_t e; u_int16_t f; u_int32_t g;
3945			a = b = c = e = f = g = 1;
3946		]])],
3947		[
3948			AC_DEFINE([HAVE_U_INTXX_T])
3949			AC_DEFINE([HAVE_INTXX_T])
3950			AC_MSG_RESULT([yes])
3951		], [AC_MSG_RESULT([no])
3952	])
3953fi
3954
3955
3956AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3957	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3958	[[ u_char foo; foo = 125; ]])],
3959	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3960	])
3961])
3962if test "x$ac_cv_have_u_char" = "xyes" ; then
3963	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3964fi
3965
3966AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3967#include <sys/types.h>
3968#ifdef HAVE_STDINT_H
3969# include <stdint.h>
3970#endif
3971])
3972
3973TYPE_SOCKLEN_T
3974
3975AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3976AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3977#include <sys/types.h>
3978#ifdef HAVE_SYS_BITYPES_H
3979#include <sys/bitypes.h>
3980#endif
3981#ifdef HAVE_SYS_STATFS_H
3982#include <sys/statfs.h>
3983#endif
3984#ifdef HAVE_SYS_STATVFS_H
3985#include <sys/statvfs.h>
3986#endif
3987])
3988
3989AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3990#include <sys/param.h>
3991#include <sys/types.h>
3992#ifdef HAVE_SYS_BITYPES_H
3993#include <sys/bitypes.h>
3994#endif
3995#ifdef HAVE_SYS_STATFS_H
3996#include <sys/statfs.h>
3997#endif
3998#ifdef HAVE_SYS_STATVFS_H
3999#include <sys/statvfs.h>
4000#endif
4001#ifdef HAVE_SYS_VFS_H
4002#include <sys/vfs.h>
4003#endif
4004#ifdef HAVE_SYS_MOUNT_H
4005#include <sys/mount.h>
4006#endif
4007]])
4008
4009
4010AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
4011[#include <sys/types.h>
4012#include <netinet/in.h>])
4013
4014AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
4015	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4016	[[ size_t foo; foo = 1235; ]])],
4017	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4018	])
4019])
4020if test "x$ac_cv_have_size_t" = "xyes" ; then
4021	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4022fi
4023
4024AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4025	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4026	[[ ssize_t foo; foo = 1235; ]])],
4027	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4028	])
4029])
4030if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4031	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4032fi
4033
4034AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4035	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4036	[[ clock_t foo; foo = 1235; ]])],
4037	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4038	])
4039])
4040if test "x$ac_cv_have_clock_t" = "xyes" ; then
4041	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4042fi
4043
4044AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4045	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4046#include <sys/types.h>
4047#include <sys/socket.h>
4048		]], [[ sa_family_t foo; foo = 1235; ]])],
4049	[ ac_cv_have_sa_family_t="yes" ],
4050	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4051#include <sys/types.h>
4052#include <sys/socket.h>
4053#include <netinet/in.h>
4054		]], [[ sa_family_t foo; foo = 1235; ]])],
4055		[ ac_cv_have_sa_family_t="yes" ],
4056		[ ac_cv_have_sa_family_t="no" ]
4057	)
4058	])
4059])
4060if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4061	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4062		[define if you have sa_family_t data type])
4063fi
4064
4065AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4066	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4067	[[ pid_t foo; foo = 1235; ]])],
4068	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4069	])
4070])
4071if test "x$ac_cv_have_pid_t" = "xyes" ; then
4072	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4073fi
4074
4075AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4076	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4077	[[ mode_t foo; foo = 1235; ]])],
4078	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4079	])
4080])
4081if test "x$ac_cv_have_mode_t" = "xyes" ; then
4082	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4083fi
4084
4085
4086AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4087	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4088#include <sys/types.h>
4089#include <sys/socket.h>
4090		]], [[ struct sockaddr_storage s; ]])],
4091	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4092	[ ac_cv_have_struct_sockaddr_storage="no"
4093	])
4094])
4095if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4096	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4097		[define if you have struct sockaddr_storage data type])
4098fi
4099
4100AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4101	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4102#include <sys/types.h>
4103#include <netinet/in.h>
4104		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4105	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4106	[ ac_cv_have_struct_sockaddr_in6="no"
4107	])
4108])
4109if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4110	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4111		[define if you have struct sockaddr_in6 data type])
4112fi
4113
4114AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4115	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4116#include <sys/types.h>
4117#include <netinet/in.h>
4118		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4119	[ ac_cv_have_struct_in6_addr="yes" ],
4120	[ ac_cv_have_struct_in6_addr="no"
4121	])
4122])
4123if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4124	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4125		[define if you have struct in6_addr data type])
4126
4127dnl Now check for sin6_scope_id
4128	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4129		[
4130#ifdef HAVE_SYS_TYPES_H
4131#include <sys/types.h>
4132#endif
4133#include <netinet/in.h>
4134		])
4135fi
4136
# Compile probe: does <netdb.h> provide struct addrinfo together with the
# AI_PASSIVE flag?
AC_CACHE_CHECK([for struct addrinfo],
	[ac_cv_have_struct_addrinfo],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
		[ac_cv_have_struct_addrinfo=yes],
		[ac_cv_have_struct_addrinfo=no])])
AS_IF([test "x$ac_cv_have_struct_addrinfo" = xyes],
	[AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
		[define if you have struct addrinfo data type])])
4151
# Compile probe for struct timeval in <sys/time.h>.  On success the C macro
# is defined and the have_struct_timeval shell flag is set.
AC_CACHE_CHECK([for struct timeval],
	[ac_cv_have_struct_timeval],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
			[[ struct timeval tv; tv.tv_sec = 1;]])],
		[ac_cv_have_struct_timeval=yes],
		[ac_cv_have_struct_timeval=no])])
AS_IF([test "x$ac_cv_have_struct_timeval" = xyes], [
	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
	have_struct_timeval=1
])
4163
# Compile probe for struct timespec, looking in whichever of <sys/time.h>
# and <time.h> earlier checks found.  On success the C macro is defined and
# the have_struct_timespec shell flag is set.
AC_CACHE_CHECK([for struct timespec],
	[ac_cv_have_struct_timespec],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
    #ifdef HAVE_SYS_TIME_H
    # include <sys/time.h>
    #endif
    #ifdef HAVE_TIME_H
    # include <time.h>
    #endif
		]],
			[[ struct timespec ts; ts.tv_sec = 1;]])],
		[ac_cv_have_struct_timespec=yes],
		[ac_cv_have_struct_timespec=no])])
AS_IF([test "x$ac_cv_have_struct_timespec" = xyes], [
	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
	have_struct_timespec=1
])
4182
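# We need int64_t or else certain parts of the compile will fail.
# configure stops here when there is no int64_t, long int is not 8 bytes and
# long long int has size 0.  Otherwise snprintf is checked for correct
# formatting of a 64-bit value.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl test snprintf (broken on SCO w/gcc)
dnl The probe formats the largest signed 64-bit value with %lld and compares
dnl the result with the expected decimal string.  Any failure of the probe,
dnl including a failure to compile it, defines BROKEN_SNPRINTF.  main is
dnl therefore declared as int main(void): an implicit-int main is rejected
dnl by compilers that enforce C99, and a working snprintf would then be
dnl reported as broken.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
	int mazsize = 50 ;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, mazsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)
fi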
4222
dnl Checks for structure members
dnl Each call names a field, the header searched for it and the symbol
dnl defined when the field is found.  The probes are independent of one
dnl another and are grouped by header.

dnl Fields looked for in utmp.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])

dnl Fields looked for in utmpx.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4242
# Member probes for struct stat, using the default includes.
AC_CHECK_MEMBERS([struct stat.st_blksize, struct stat.st_mtim,
	struct stat.st_mtime])

# Member probes for struct passwd, looked up through <pwd.h>.
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
	struct passwd.pw_change, struct passwd.pw_expire],
	[], [], [[
#include <sys/types.h>
#include <pwd.h>
]])
4252
# If struct __res_state has no retrans member when resolv.h is included,
# __res_state is defined as a macro expanding to state.
AC_CHECK_MEMBER([struct __res_state.retrans],
	[],
	[AC_DEFINE([__res_state], [state],
		[Define if we don't have struct __res_state in resolv.h])],
	[[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
]])
4264
# Compile probe: is the address family member of struct sockaddr_storage
# spelled ss_family?
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
	[ac_cv_have_ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
		[ac_cv_have_ss_family_in_struct_ss=yes],
		[ac_cv_have_ss_family_in_struct_ss=no])])
AS_IF([test "x$ac_cv_have_ss_family_in_struct_ss" = xyes],
	[AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])])
4277
# Compile probe: is the address family member of struct sockaddr_storage
# spelled __ss_family?
AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
	[ac_cv_have___ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
		[ac_cv_have___ss_family_in_struct_ss=yes],
		[ac_cv_have___ss_family_in_struct_ss=no])])
AS_IF([test "x$ac_cv_have___ss_family_in_struct_ss" = xyes],
	[AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
		[Fields in struct sockaddr_storage])])
4292
dnl The probe must see a real structure member: if msg_accrights is a
dnl preprocessor macro the #error below makes the compile fail.
# Compile probe for the msg_accrights member of struct msghdr, which
# selects access-rights style file descriptor passing.
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
	[ac_cv_have_accrights_in_msghdr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ac_cv_have_accrights_in_msghdr=yes],
		[ac_cv_have_accrights_in_msghdr=no])])
AS_IF([test "x$ac_cv_have_accrights_in_msghdr" = xyes],
	[AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])])
4319
# If assigning 0 to statvfs.f_fsid compiles, the member is an integral type
# and nothing is defined.  Otherwise fsid_t is probed for an array member
# named val or __val and the matching macro is defined.
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])

		AC_MSG_CHECKING([if fsid_t has member val])
		AC_COMPILE_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
			]], [[ fsid_t t; t.val[0] = 0; ]])],
			[
				AC_MSG_RESULT([yes])
				AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val])
			],
			[AC_MSG_RESULT([no])])

		AC_MSG_CHECKING([if f_fsid has member __val])
		AC_COMPILE_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
			]], [[ fsid_t t; t.__val[0] = 0; ]])],
			[
				AC_MSG_RESULT([yes])
				AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val])
			],
			[AC_MSG_RESULT([no])])
	])
4355
# Compile probe for the msg_control member of struct msghdr, which selects
# ancillary-data style file descriptor passing.  A msg_control that is only
# a preprocessor macro trips the #error and counts as absent.
AC_CACHE_CHECK([for msg_control field in struct msghdr],
	[ac_cv_have_control_in_msghdr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ac_cv_have_control_in_msghdr=yes],
		[ac_cv_have_control_in_msghdr=no])])
AS_IF([test "x$ac_cv_have_control_in_msghdr" = xyes],
	[AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])])
4381
# Link probe: does libc export a __progname symbol?
AC_CACHE_CHECK([if libc defines __progname],
	[ac_cv_libc_defines___progname],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ extern char *__progname; printf("%s", __progname); ]])],
		[ac_cv_libc_defines___progname=yes],
		[ac_cv_libc_defines___progname=no])])
AS_IF([test "x$ac_cv_libc_defines___progname" = xyes],
	[AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])])
4392
# Link probe: does the compiler accept the __FUNCTION__ identifier?
AC_CACHE_CHECK([whether $CC implements __FUNCTION__],
	[ac_cv_cc_implements___FUNCTION__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __FUNCTION__); ]])],
		[ac_cv_cc_implements___FUNCTION__=yes],
		[ac_cv_cc_implements___FUNCTION__=no])])
AS_IF([test "x$ac_cv_cc_implements___FUNCTION__" = xyes],
	[AC_DEFINE([HAVE___FUNCTION__], [1],
		[Define if compiler implements __FUNCTION__])])
4404
# Link probe: does the compiler accept the __func__ identifier?
AC_CACHE_CHECK([whether $CC implements __func__],
	[ac_cv_cc_implements___func__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __func__); ]])],
		[ac_cv_cc_implements___func__=yes],
		[ac_cv_cc_implements___func__=no])])
AS_IF([test "x$ac_cv_cc_implements___func__" = xyes],
	[AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])])
4415
# Link probe: is va_copy usable after including <stdarg.h>?
AC_CACHE_CHECK([whether va_copy exists],
	[ac_cv_have_va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ va_copy(x,y); ]])],
		[ac_cv_have_va_copy=yes],
		[ac_cv_have_va_copy=no])])
AS_IF([test "x$ac_cv_have_va_copy" = xyes],
	[AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])])
4428
# Link probe: is the __va_copy spelling usable after including <stdarg.h>?
AC_CACHE_CHECK([whether __va_copy exists],
	[ac_cv_have___va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ __va_copy(x,y); ]])],
		[ac_cv_have___va_copy=yes],
		[ac_cv_have___va_copy=no])])
AS_IF([test "x$ac_cv_have___va_copy" = xyes],
	[AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])])
4440
# Link probe: does the C library export an optreset variable for getopt?
AC_CACHE_CHECK([whether getopt has optreset support],
	[ac_cv_have_getopt_optreset],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <getopt.h> ]],
			[[ extern int optreset; optreset = 0; ]])],
		[ac_cv_have_getopt_optreset=yes],
		[ac_cv_have_getopt_optreset=no])])
AS_IF([test "x$ac_cv_have_getopt_optreset" = xyes],
	[AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
		[Define if your getopt(3) defines and uses optreset])])
4453
# Link probe: does libc export the sys_errlist array?
AC_CACHE_CHECK([if libc defines sys_errlist],
	[ac_cv_libc_defines_sys_errlist],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
		[ac_cv_libc_defines_sys_errlist=yes],
		[ac_cv_libc_defines_sys_errlist=no])])
AS_IF([test "x$ac_cv_libc_defines_sys_errlist" = xyes],
	[AC_DEFINE([HAVE_SYS_ERRLIST], [1],
		[Define if your system defines sys_errlist[]])])
4465
4466
# Link probe: does libc export the sys_nerr variable?
AC_CACHE_CHECK([if libc defines sys_nerr],
	[ac_cv_libc_defines_sys_nerr],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
		[ac_cv_libc_defines_sys_nerr=yes],
		[ac_cv_libc_defines_sys_nerr=no])])
AS_IF([test "x$ac_cv_libc_defines_sys_nerr" = xyes],
	[AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])])
4477
# Check libraries needed by DNS fingerprint support
# A getrrsetbyname found in libc or libresolv is used as is.  When there is
# none, the resolver pieces listed below are probed instead: res_query and
# dn_expand, the _getshort and _getlong helpers, and the ad member of the
# HEADER struct from arpa/nameser.h.
# NOTE(review): HEADER.ad is presumably the DNSSEC authenticated-data flag;
# confirm against the code that consumes HAVE_HEADER_AD.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
			]], [[
	res_query (0, 0, 0, 0, 0);
			]])],
			[AC_MSG_RESULT([yes])],
			[
				AC_MSG_RESULT([no])
				# Second attempt with -lresolv added to LIBS.  The
				# previous LIBS value is restored if that fails too.
				saved_LIBS="$LIBS"
				LIBS="$LIBS -lresolv"
				AC_MSG_CHECKING([for res_query in -lresolv])
				AC_LINK_IFELSE(
					[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
					]], [[
	res_query (0, 0, 0, 0, 0);
					]])],
					[AC_MSG_RESULT([yes])],
					[
						LIBS="$saved_LIBS"
						AC_MSG_RESULT([no])
					])
			])
		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], [], [],
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])],
			[],
			[#include <arpa/nameser.h>])
	])
4523
# Link probe: can _res be referenced as an extern struct __res_state?  The
# probe takes the address of _res through a volatile pointer so that the
# symbol has to be resolved at link time.
AC_MSG_CHECKING([if struct __res_state _res is an extern])
AC_LINK_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
	]], [[
struct __res_state *volatile p = &_res;  /* force resolution of _res */
return 0;
	]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAVE__RES_EXTERN], [1],
		    [Define if you have struct __res_state _res as an extern])
	],
	[AC_MSG_RESULT([no])]
)
4544
# Check whether user wants SELinux support
# The option is all or nothing: once requested, a missing selinux/selinux.h
# header or a libselinux without setexeccon stops configure rather than
# producing a build that silently lacks SELinux support.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[
		if test "x$withval" != xno; then
			save_LIBS="$LIBS"
			AC_DEFINE([WITH_SELINUX], [1],
				[Define if you want SELinux support.])
			SELINUX_MSG="yes"
			AC_CHECK_HEADER([selinux/selinux.h], [],
				[AC_MSG_ERROR([SELinux support requires selinux.h header])])
			AC_CHECK_LIB([selinux], [setexeccon],
				[
					LIBSELINUX="-lselinux"
					LIBS="$LIBS -lselinux"
				],
				[AC_MSG_ERROR([SELinux support requires libselinux library])])
			# Probed while -lselinux is still on LIBS.
			AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
			LIBS="$save_LIBS $LIBSELINUX"
		fi
	]
)
AC_SUBST([SSHDLIBS])
4567
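# Check whether user wants Kerberos 5 support
# --with-kerberos5 takes an optional installation root, /usr/local when only
# "yes" is given.  Two things follow from that root and make it part of the
# trust boundary of the build:
#  - the krb5-config found in KRB5ROOT/bin, or failing that on PATH, is
#    executed by configure and its output is spliced into CPPFLAGS, K5LIBS
#    and GSSLIBS;
#  - when rpath_opt is set, KRB5ROOT/lib is added to LDFLAGS as a runtime
#    library search path of the resulting binaries.
# Point it only at a directory tree that unprivileged users cannot modify.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		# KRB5CONF is quoted wherever it is tested or run so that a path
		# containing whitespace stays one word instead of making the test
		# fail and silently selecting the fallback branch below.
		if test -x "$KRB5CONF" ; then
			K5CFLAGS=`"$KRB5CONF" --cflags`
			K5LIBS=`"$KRB5CONF" --libs`
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			# GSSAPI is enabled when the output of krb5-config run
			# without arguments mentions gssapi.
			AC_MSG_CHECKING([for gssapi support])
			if "$KRB5CONF" | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS=`"$KRB5CONF" --cflags gssapi`
				GSSLIBS=`"$KRB5CONF" --libs gssapi`
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No executable krb5-config: fall back to fixed include and
			# library directories under KRB5ROOT and guess the library
			# list from whether krb5.h looks like Heimdal.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			# Try the GSSAPI library names in turn and warn if none of
			# them provides gss_init_sec_context.
			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						[AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])])
					])
				])

			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					[AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])]
				  )
				]
			)

			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# The krb5 function probes link against K5LIBS only for their own
		# duration; LIBS is restored afterwards.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])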
4695
4696# Looking for programs, paths and files
4697
# Directory used as the privilege separation chroot.  An empty value, "yes"
# and "no" leave the /var/empty default in place.  Whatever path ends up
# here should be an empty directory owned by root that no other user can
# write to.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			PRIVSEP_PATH=$withval
			;;
		esac
	]
)
AC_SUBST([PRIVSEP_PATH])
4709
# Locate the xauth program.  A path given with --with-xauth is taken as is.
# Without the option, PATH plus four traditional X11 bin directories are
# searched at configure time, and /usr/openwin/bin/xauth replaces the result
# whenever some xauth was found and that file is executable.  Because the
# search depends on the PATH of whoever runs configure, pass the option
# explicitly when the build has to be reproducible.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			xauth_path=$withval
			;;
		esac
	],
	[
		TestPath="$PATH${PATH_SEPARATOR}/usr/X/bin${PATH_SEPARATOR}/usr/bin/X11"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin${PATH_SEPARATOR}/usr/openwin/bin"
		AC_PATH_PROG([xauth_path], [xauth], [], [$TestPath])
		if test -n "$xauth_path" && test -x "/usr/openwin/bin/xauth"; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4730
# STRIP_OPT defaults to -s and is emptied by --disable-strip, which keeps
# strip(1) from being called on install.
STRIP_OPT=-s
AC_ARG_ENABLE([strip],
	[  --disable-strip         Disable calling strip(1) on install],
	[AS_IF([test "x$enableval" = xno], [STRIP_OPT=])]
)
AC_SUBST([STRIP_OPT])
4741
# Publish the xauth location.  XAUTH_PATH is always substituted into the
# generated files, with the literal value "undefined" when no xauth is
# known; the C macro is only defined when a path is known.
if test -n "$xauth_path"; then
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
	XAUTH_PATH=$xauth_path
else
	XAUTH_PATH="undefined"
fi
AC_SUBST([XAUTH_PATH])
4751
dnl # Resolution order for the mail directory:
dnl #  1. --with-maildir=/path/to/mail gets top priority.
dnl #  2. A maildir set in the platform case statement above comes next.
dnl #  3. Otherwise a program is run to get the directory from the system
dnl #     headers, looking for _PATH_MAILDIR, then MAILDIR, then _PATH_MAIL.
dnl # Finding _PATH_MAILDIR defines nothing because that is what session.c
dnl # expects anyway.  Any other hit is used with a trailing slash stripped.
dnl # If the program finds none of the three, /var/spool/mail is the default.
# Check for mail directory
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	case "x$withval" in
	x|xno|xyes)
		;;
	*)
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
		;;
	esac
    ], [
	if test "x$maildir" != x; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	/* Writes one NAME:value line to DATA; exit status 2 means that none
	 * of the three macros is defined. */
	FILE *out;

	out = fopen(DATA,"w");
	if (out == NULL)
		exit(1);

#if defined (_PATH_MAILDIR)
	if (fprintf(out, "_PATH_MAILDIR:%s\n", _PATH_MAILDIR) < 0)
		exit(1);
#elif defined (MAILDIR)
	if (fprintf(out, "MAILDIR:%s\n", MAILDIR) < 0)
		exit(1);
#elif defined (_PATH_MAIL)
	if (fprintf(out, "_PATH_MAIL:%s\n", _PATH_MAIL) < 0)
		exit(1);
#else
	exit (2);
#endif

	exit(0);
		]])],
		[
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    fi
		],
		[
		    if test "x$ac_status" = x2; then
			# The test program found no macro.  Use /var/spool/mail.
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		    else
			AC_MSG_RESULT([*** not found ***])
		    fi
		],
		[
			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir
4834
# The /dev/ptmx probe looks at the build machine, so it is switched off when
# cross compiling.  It is also skipped when no_dev_ptmx is set.
if test "x$cross_compiling" = xyes; then
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
	disable_ptmx_check=yes
fi
if test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != xyes; then
	AC_CHECK_FILE(["/dev/ptmx"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
				[Define if you have /dev/ptmx])
			have_dev_ptmx=1
		]
	)
fi
4850
# /dev/ptc is only looked for when cross_compiling is set to something other
# than yes.  In every other case the warning is printed and the probe is
# skipped.
if test -z "$cross_compiling" || test "x$cross_compiling" = xyes; then
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
else
	AC_CHECK_FILE(["/dev/ptc"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
				[Define if you have /dev/ptc])
			have_dev_ptc=1
		]
	)
fi
4862
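# Options from here on. Some of these are preset by platform above
# --with-mantype accepts man, cat or doc and rejects anything else.
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		case "$withval" in
		man|cat|doc)
			MANTYPE=$withval
			;;
		*)
			AC_MSG_ERROR([invalid man type: $withval])
			;;
		esac
	]
)
# Without a preset MANTYPE, pick the first formatter that can process ssh.1.
# Each formatter variable is checked for being non-empty before it is run:
# when mandoc or nroff was not found the variable is empty, and the bare
# command line would otherwise start with the man page path or with -mdoc as
# the command word.
if test -z "$MANTYPE"; then
	if test -n "${MANDOC}" && \
	    ${MANDOC} "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi
AC_SUBST([MANTYPE])
# Pages of type doc are installed under the man subdirectory.
if test "$MANTYPE" = "doc"; then
	mansubdir=man;
else
	mansubdir=$MANTYPE;
fi
AC_SUBST([mansubdir])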
4895
# Check whether to enable MD5 passwords
# Off unless requested.  MD5-based password hashing is weak by current
# standards, so enable it only when an existing password database still
# depends on it.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[AS_IF([test "x$withval" != xno], [
		AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
			[Define if you want to allow MD5 passwords])
		MD5_MSG="yes"
	])]
)
4908
# Whether to disable shadow password support
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[AS_IF([test "x$withval" = xno], [
		AC_DEFINE([DISABLE_SHADOW])
		disable_shadow=yes
	])]
)

# Unless shadow support was turned off, find out whether struct spwd has the
# sp_expire, sp_lstchg and sp_inact members.  HAS_SHADOW_EXPIRE is what lets
# the shadow expiry field be used, so a "no" here on a system that relies on
# account expiry deserves a second look.
if test -z "$disable_shadow"; then
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[sp_expire_available=yes],
		[])

	if test "x$sp_expire_available" = xyes; then
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
	else
		AC_MSG_RESULT([no])
	fi
fi
4938
# Use ip address instead of hostname in $DISPLAY
# A non-empty IPADDR_IN_DISPLAY shell variable turns the feature on
# unconditionally.  Otherwise it is off unless --with-ipaddr-display is
# given.
if test -n "$IPADDR_IN_DISPLAY"; then
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
else
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[AS_IF([test "x$withval" != xno], [
			AC_DEFINE([IPADDR_IN_DISPLAY])
			DISPLAY_HACK_MSG="yes"
		])]
	)
fi
4957
# check for /etc/default/login and use it if present.
# Handling is on by default.  It is turned off by --disable-etc-default-login
# and, when the option is not given at all, by cross compiling, because the
# file probe below inspects the build machine.
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[AS_IF([test "x$enableval" = xno], [
		AC_MSG_NOTICE([/etc/default/login handling disabled])
		etc_default_login=no
	], [
		etc_default_login=yes
	])],
	[AS_IF([test "x$cross_compiling" = xyes], [
		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
		etc_default_login=no
	], [
		etc_default_login=yes
	])]
)

# When the file exists it becomes external_path_file and the C macro is
# defined.
if test "x$etc_default_login" != xno; then
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	if test "x$external_path_file" = x/etc/default/login; then
		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])
	fi
fi
4984
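dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both cache variables are quoted and x-prefixed.  If one of the probes
dnl never ran and left its variable unset, an unquoted test would be a usage
dnl error with a message on stderr instead of a plain false.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi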
4990
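# Whether to mess with the default path
# user_path becomes the USER_PATH macro, the default PATH compiled into the
# server, unless /etc/login.conf is in charge.  It should list only absolute
# directories that unprivileged users cannot write to, with no empty or
# relative components.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		# Ask the system headers for the standard path.  The fixed
		# fallback is used when the probe fails or cannot be run.
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		# Expand bindir until no variable reference or NONE prefix is left.
		t_bindir="${bindir}"
		while echo "${t_bindir}" | $EGREP '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole path components.  A substring or regular
		# expression match would treat /usr/bin as present when only
		# /usr/bin/X11 is listed, and bindir would then be left out.
		case ":${user_path}:" in
		*":${t_bindir}:"*)
			;;
		*)
			user_path=$user_path:$t_bindir
			AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			;;
		esac
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi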
5079
# Set superuser path separately to user path
# Only a real value is accepted: empty, "yes" and "no" define nothing.  The
# path given here is the PATH handed to the superuser, so it should contain
# only absolute directories that unprivileged users cannot write to.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
				[Define if you want a different $PATH
				for the superuser])
			superuser_path=$withval
			;;
		esac
	]
)
5093
5094
# Decide whether IPv4-mapped IPv6 addresses are detected and treated as
# IPv4.  An explicit --with-4in6 or --without-4in6 decides; without the
# option the inet6_default_4in6 shell variable, set outside this block,
# supplies the default.
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH([4in6],
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[AS_IF([test "x$withval" != xno], [
		AC_MSG_RESULT([yes])
		AC_DEFINE([IPV4_IN_IPV6], [1],
			[Detect IPv4 in IPv6 mapped addresses
			and treat as IPv4])
		IPV4_IN6_HACK_MSG="yes"
	], [
		AC_MSG_RESULT([no])
	])],
	[AS_IF([test "x$inet6_default_4in6" = xyes], [
		AC_MSG_RESULT([yes (default)])
		AC_DEFINE([IPV4_IN_IPV6])
		IPV4_IN6_HACK_MSG="yes"
	], [
		AC_MSG_RESULT([no (default)])
	])]
)
5119
# Whether to enable BSD auth support
# Off by default: BSD_AUTH is defined only when --with-bsd-auth is given
# with a value other than "no". There is no detection step here, so the
# option is taken on trust from the person running configure.
# BSD_AUTH_MSG feeds the "BSD Auth support" line of the final summary.
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[
		if test "x$withval" != "xno" ; then
			AC_DEFINE([BSD_AUTH], [1],
				[Define if you have BSD auth support])
			BSD_AUTH_MSG=yes
		fi
	]
)
5132
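# Where to place sshd.pid
# Default is /var/run. If that directory does not exist on the build host,
# fall back to the expanded $sysconfdir, with an unset prefix ("NONE")
# replaced by $ac_default_prefix. --with-pid-dir=PATH overrides both.
# configure only checks that the directory exists at configure time, on the
# machine running configure; ownership and permissions are not checked.
# NOTE(review): the directory should be writable only by root, since the PID
# file presumably names the process that service scripts signal - confirm
# for the target system.
piddir=/var/run
# make sure the directory exists
if test ! -d "$piddir" ; then
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi

AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			# Quoted so a path containing whitespace is tested as one
			# word; unquoted, test would fail with a usage error and
			# the warning below would be skipped.
			if test ! -d "$piddir" ; then
				AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)

# The chosen directory is compiled in as the C string _PATH_SSH_PIDDIR and
# exported to the generated files with AC_SUBST.
AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])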
5159
dnl allow user to disable some login recording features
dnl Each --disable-X option below defines the matching DISABLE_* macro only
dnl when the user passes --disable-X (enableval is "no"); any other value
dnl leaves the feature to the detection code further down.
dnl lastlog, utmp/utmpx and wtmp/wtmpx are the host's login accounting files.
dnl NOTE(review): presumably a build with one of these disabled writes no
dnl record of that kind for ssh sessions - confirm which records remain
dnl before relying on them for audit or incident response.
dnl The one-argument AC_DEFINE calls define the macro to 1; their config.h
dnl description is presumably supplied elsewhere (not visible here).
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_LASTLOG])
		fi
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_UTMP])
		fi
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
		fi
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_WTMP])
		fi
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
		fi
	]
)
dnl --disable-libutil maps to DISABLE_LOGIN, not to a DISABLE_LIBUTIL macro.
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_LOGIN])
		fi
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
		fi
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
		fi
	]
)
dnl --with-lastlog=no disables lastlog like --disable-lastlog does. Any other
dnl non-empty value except "yes" is kept in conf_lastlog_location and later
dnl compiled in as CONF_LASTLOG_FILE; the path is not checked here.
AC_ARG_WITH([lastlog],
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		if test "x$withval" = "xno" ; then
			AC_DEFINE([DISABLE_LASTLOG])
		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
			conf_lastlog_location=$withval
		fi
	]
)
5241
dnl lastlog, [uw]tmpx? detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog and [uw]tmp are subject to a file search if all else fails

dnl lastlog detection
dnl  NOTE: the code itself will detect if lastlog is a directory
dnl Two compile probes run in sequence: first for LASTLOG_FILE, then, only if
dnl that fails, for _PATH_LASTLOG. system_lastlog_path is set to "no" only
dnl when neither macro is provided by the system headers; that value is what
dnl enables the file search that follows this check.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
			AC_MSG_RESULT([no])
			system_lastlog_path=no
		])
])
5283
dnl Fall back to probing well-known lastlog locations, but only when
dnl --with-lastlog gave no path and the header probes above found neither
dnl LASTLOG_FILE nor _PATH_LASTLOG.
dnl The probe runs on the machine running configure, and the loop does not
dnl stop at the first hit: when several candidates exist, the last one in the
dnl list is the one recorded.
if test -z "$conf_lastlog_location"  &&  \
    test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		AC_MSG_WARN([** Cannot find lastlog **])
		dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
	fi
fi

dnl A location from either source is compiled in as a C string.
if test -n "$conf_lastlog_location"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5302
dnl utmp detection
dnl Compile probe for UTMP_FILE; on failure system_utmp_path is set to "no".
dnl If no location was configured either, a fixed list of paths is searched
dnl on the machine running configure (regular files only; the loop does not
dnl break, so the last existing path wins). DISABLE_UTMP is defined when
dnl none of them exists.
dnl conf_utmp_location is not assigned in the visible part of the file;
dnl presumably the platform section may preset it.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_utmp_path=no
])
if test -z "$conf_utmp_location"; then
	if test x"$system_utmp_path" = x"no" ; then
		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
			if test -f $f ; then
				conf_utmp_location=$f
			fi
		done
		if test -z "$conf_utmp_location"; then
			AC_DEFINE([DISABLE_UTMP])
		fi
	fi
fi
dnl A configured or discovered location is compiled in as a C string.
if test -n "$conf_utmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi
5332
dnl wtmp detection
dnl Same shape as the utmp check: compile probe for WTMP_FILE, then a search
dnl of a fixed path list on the machine running configure when the header
dnl does not provide it and no location was configured. The loop does not
dnl break, so the last existing path wins; DISABLE_WTMP is defined when none
dnl exists.
dnl conf_wtmp_location is not assigned in the visible part of the file;
dnl presumably the platform section may preset it.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_wtmp_path=no
])
if test -z "$conf_wtmp_location"; then
	if test x"$system_wtmp_path" = x"no" ; then
		for f in /usr/adm/wtmp /var/log/wtmp; do
			if test -f $f ; then
				conf_wtmp_location=$f
			fi
		done
		if test -z "$conf_wtmp_location"; then
			AC_DEFINE([DISABLE_WTMP])
		fi
	fi
fi
dnl A configured or discovered location is compiled in as a C string.
if test -n "$conf_wtmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi
5362
dnl wtmpx detection
dnl Compile probe for WTMPX_FILE. Unlike lastlog, utmp and wtmp there is no
dnl file search: when the headers do not provide WTMPX_FILE and no location
dnl was configured, DISABLE_WTMPX is defined straight away. A configured
dnl location is compiled in as CONF_WTMPX_FILE whatever the probe result.
dnl conf_wtmpx_location is not assigned in the visible part of the file;
dnl presumably the platform section may preset it.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_wtmpx_path=no
])
if test -z "$conf_wtmpx_location"; then
	if test x"$system_wtmpx_path" = x"no" ; then
		AC_DEFINE([DISABLE_WTMPX])
	fi
else
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
fi
5387
5388
dnl $blibpath and $blibflags are set outside this part of the file.
dnl NOTE(review): presumably these are the AIX runtime library search path
dnl options - confirm in the platform section. If so, the path appended here
dnl decides where the installed binaries look for shared libraries, which is
dnl why the user is asked to review it.
if test -n "$blibpath" ; then
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
fi
5393
dnl If struct lastlog has no ll_line member, define DISABLE_LASTLOG, unless
dnl SKIP_DISABLE_LASTLOG_DEFINE is "yes" (set outside this part of the file).
dnl The last argument is the set of headers the member probe is compiled with.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
	AC_DEFINE([DISABLE_LASTLOG])
    fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
5412
dnl If struct utmp has no ut_line member, both utmp and wtmp recording are
dnl disabled: DISABLE_UTMP and DISABLE_WTMP are defined together.
dnl The last argument is the set of headers the member probe is compiled with.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
5430
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
dnl $werror_flags is set outside this part of the file. Note that the
dnl AC_CHECK_DECL probe for BROKEN_GETADDRINFO just below still runs after
dnl this point, with the flags already appended.
CFLAGS="$CFLAGS $werror_flags"
5434
# Values handed to the generated files for the regression tests and build.
# IPv6 tests are enabled only when getaddrinfo() was found, and switched off
# again if BROKEN_GETADDRINFO is declared.
if test "x$ac_cv_func_getaddrinfo" = "xyes" ; then
	TEST_SSH_IPV6=yes
else
	TEST_SSH_IPV6=no
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
# DEPEND is the content of the .depend file in the source directory, read
# when configure runs.
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5446
# Append the *_AFTER flags last, so they follow everything accumulated in
# CFLAGS/LDFLAGS up to this point. $CFLAGS_AFTER and $LDFLAGS_AFTER are set
# outside this part of the file.
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
# Each sed expression has no "g" flag and matches the option only with a
# leading space: it removes the first " -pie" / " -fPIE" and leaves in place
# any later repeat, or one at the very start of the string. As written it
# would also cut those characters out of a longer option that begins with
# them.
# Which targets are built with the NOPIE variants is decided in the Makefile
# templates, not visible here.
LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])
5455
# Generate the output files: AC_OUTPUT creates and runs config.status, which
# writes the files listed here from their templates with the AC_SUBST values
# filled in. Everything after AC_OUTPUT in this script only prints text.
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
	survey.sh])
AC_OUTPUT
5461
# Print summary of options

# Someone please show me a better way :)
# Each value is passed through `eval echo` twice so that nested references,
# such as a directory variable defined in terms of ${prefix}, are expanded
# for display.
# eval re-parses the value as shell text, so a command substitution inside a
# directory argument given to configure would be executed here. The values
# come from the person running configure and from earlier parts of this
# script, not from any other source visible here.
# The single-letter variables are used only by the echo lines that follow;
# A is assigned but not printed in the visible summary.
A=`eval echo ${prefix}` ; A=`eval echo ${A}`
B=`eval echo ${bindir}` ; B=`eval echo ${B}`
C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
G=`eval echo ${piddir}` ; G=`eval echo ${G}`
H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
I=`eval echo ${user_path}` ; I=`eval echo ${I}`
J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5475
# Summary table. It only prints values computed earlier and changes nothing.
# The "sshd default user PATH" and "sshd superuser user PATH" lines show the
# search paths compiled into the build. The sandbox style, random number
# source, PAM and SELinux lines show what configure selected for those
# features. These are the lines to compare against the intended build
# settings before installing.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
# With /etc/login.conf as the external path file no USER_PATH is compiled in
# (see the AC_DEFINE_UNQUOTED guard earlier), so only the reminder is shown.
if test "x$external_path_file" = "x/etc/login.conf" ; then
echo "   At runtime, sshd will use the path defined in $external_path_file"
echo "   Make sure the path to scp is present, otherwise scp will not work"
else
echo "            sshd default user PATH: $I"
	if test ! -z "$external_path_file"; then
echo "   (If PATH is set in $external_path_file it will be used instead. If"
echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
# Printed only when --with-superuser-path supplied a value.
if test ! -z "$superuser_path" ; then
echo "          sshd superuser user PATH: $J"
fi
# The *_MSG variables below are set by the corresponding feature checks,
# most of them outside this part of the file.
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"

echo ""

# Final toolchain settings, after $werror_flags and the *_AFTER flags were
# appended.
echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
if test ! -z "${SSHDLIBS}"; then
echo "         +for sshd: ${SSHDLIBS}"
fi

echo ""
5530
# Follow-up notes that depend on what was detected. Each is printed only
# when its condition holds; the variables tested are set earlier in the
# script, mostly outside this part of the file.
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
fi

# With PAM enabled, sshd needs a PAM control file installed separately;
# the build does not install one.
if test "x$PAM_MSG" = "xyes" ; then
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
fi

# A non-empty $NO_PEERCHECK means none of the peer-credential facilities
# named in the message were found, so this build cannot check who is
# connecting to the ssh-agent socket that way.
# NOTE(review): protection of the agent then presumably rests on the socket's
# filesystem permissions alone - confirm for the target platform.
if test ! -z "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

# Shown when the audit module selected earlier is "bsm".
if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
5558