xref: /openssh-portable/configure.ac (revision 5b56bd0a)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_REVISION($Revision: 1.583 $)
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([ENT], [ent])
38AC_SUBST([ENT])
39AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42AC_PATH_PROG([SH], [sh])
43AC_PATH_PROG([GROFF], [groff])
44AC_PATH_PROG([NROFF], [nroff awf])
45AC_PATH_PROG([MANDOC], [mandoc])
46AC_SUBST([TEST_SHELL], [sh])
47
48dnl select manpage formatter to be used to build "cat" format pages.
49if test "x$MANDOC" != "x" ; then
50	MANFMT="$MANDOC"
51elif test "x$NROFF" != "x" ; then
52	MANFMT="$NROFF -mandoc"
53elif test "x$GROFF" != "x" ; then
54	MANFMT="$GROFF -mandoc -Tascii"
55else
56	AC_MSG_WARN([no manpage formatter found])
57	MANFMT="false"
58fi
59AC_SUBST([MANFMT])
60
61dnl for buildpkg.sh
62AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65	[/usr/sbin${PATH_SEPARATOR}/etc])
66AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67if test -x /sbin/sh; then
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
69else
70	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
71fi
72
73# System features
74AC_SYS_LARGEFILE
75
76if test -z "$AR" ; then
77	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
78fi
79
80AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81if test ! -z "$PATH_PASSWD_PROG" ; then
82	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83		[Full path of your "passwd" program])
84fi
85
86dnl Since autoconf doesn't support it very well,  we no longer allow users to
87dnl override LD, however keeping the hook here for now in case there's a use
88dnl use case we overlooked and someone needs to re-enable it.  Unless a good
89dnl reason is found we'll be removing this in future.
90LD="$CC"
91AC_SUBST([LD])
92
93AC_C_INLINE
94
95AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
97AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
98	#include <sys/types.h>
99	#include <sys/param.h>
100	#include <dev/systrace.h>
101])
102AC_CHECK_DECL([RLIMIT_NPROC],
103    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
104	#include <sys/types.h>
105	#include <sys/resource.h>
106])
107AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
108	#include <sys/types.h>
109	#include <linux/prctl.h>
110])
111
112openssl=yes
113AC_ARG_WITH([openssl],
114	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
115	[  if test "x$withval" = "xno" ; then
116		openssl=no
117	   fi
118	]
119)
120AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
121if test "x$openssl" = "xyes" ; then
122	AC_MSG_RESULT([yes])
123	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
124else
125	AC_MSG_RESULT([no])
126fi
127
128use_stack_protector=1
129use_toolchain_hardening=1
130AC_ARG_WITH([stackprotect],
131    [  --without-stackprotect  Don't use compiler's stack protection], [
132    if test "x$withval" = "xno"; then
133	use_stack_protector=0
134    fi ])
135AC_ARG_WITH([hardening],
136    [  --without-hardening     Don't use toolchain hardening flags], [
137    if test "x$withval" = "xno"; then
138	use_toolchain_hardening=0
139    fi ])
140
141# We use -Werror for the tests only so that we catch warnings like "this is
142# on by default" for things like -fPIE.
143AC_MSG_CHECKING([if $CC supports -Werror])
144saved_CFLAGS="$CFLAGS"
145CFLAGS="$CFLAGS -Werror"
146AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
147	[ AC_MSG_RESULT([yes])
148	  WERROR="-Werror"],
149	[ AC_MSG_RESULT([no])
150	  WERROR="" ]
151)
152CFLAGS="$saved_CFLAGS"
153
154if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
155	OSSH_CHECK_CFLAG_COMPILE([-pipe])
156	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
157	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
158	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
159	OSSH_CHECK_CFLAG_COMPILE([-Wall])
160	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
161	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
162	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
163	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
164	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
165	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
166	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
167	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
168	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
169	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
170    if test "x$use_toolchain_hardening" = "x1"; then
171	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
172	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
173	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
174	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
175	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
176	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
177	# NB. -ftrapv expects certain support functions to be present in
178	# the compiler library (libgcc or similar) to detect integer operations
179	# that can overflow. We must check that the result of enabling it
180	# actually links. The test program compiled/linked includes a number
181	# of integer operations that should exercise this.
182	OSSH_CHECK_CFLAG_LINK([-ftrapv])
183    fi
184	AC_MSG_CHECKING([gcc version])
185	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
186	case $GCC_VER in
187		1.*) no_attrib_nonnull=1 ;;
188		2.8* | 2.9*)
189		     no_attrib_nonnull=1
190		     ;;
191		2.*) no_attrib_nonnull=1 ;;
192		*) ;;
193	esac
194	AC_MSG_RESULT([$GCC_VER])
195
196	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
197	saved_CFLAGS="$CFLAGS"
198	CFLAGS="$CFLAGS -fno-builtin-memset"
199	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
200			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
201		[ AC_MSG_RESULT([yes]) ],
202		[ AC_MSG_RESULT([no])
203		  CFLAGS="$saved_CFLAGS" ]
204	)
205
206	# -fstack-protector-all doesn't always work for some GCC versions
207	# and/or platforms, so we test if we can.  If it's not supported
208	# on a given platform gcc will emit a warning so we use -Werror.
209	if test "x$use_stack_protector" = "x1"; then
210	    for t in -fstack-protector-strong -fstack-protector-all \
211		    -fstack-protector; do
212		AC_MSG_CHECKING([if $CC supports $t])
213		saved_CFLAGS="$CFLAGS"
214		saved_LDFLAGS="$LDFLAGS"
215		CFLAGS="$CFLAGS $t -Werror"
216		LDFLAGS="$LDFLAGS $t -Werror"
217		AC_LINK_IFELSE(
218			[AC_LANG_PROGRAM([[
219	#include <stdio.h>
220	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
221			 ]],
222			[[
223	char x[256];
224	snprintf(x, sizeof(x), "XXX%d", func(1));
225			 ]])],
226		    [ AC_MSG_RESULT([yes])
227		      CFLAGS="$saved_CFLAGS $t"
228		      LDFLAGS="$saved_LDFLAGS $t"
229		      AC_MSG_CHECKING([if $t works])
230		      AC_RUN_IFELSE(
231			[AC_LANG_PROGRAM([[
232	#include <stdio.h>
233	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
234			]],
235			[[
236	char x[256];
237	snprintf(x, sizeof(x), "XXX%d", func(1));
238			]])],
239			[ AC_MSG_RESULT([yes])
240			  break ],
241			[ AC_MSG_RESULT([no]) ],
242			[ AC_MSG_WARN([cross compiling: cannot test])
243			  break ]
244		      )
245		    ],
246		    [ AC_MSG_RESULT([no]) ]
247		)
248		CFLAGS="$saved_CFLAGS"
249		LDFLAGS="$saved_LDFLAGS"
250	    done
251	fi
252
253	if test -z "$have_llong_max"; then
254		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
255		unset ac_cv_have_decl_LLONG_MAX
256		saved_CFLAGS="$CFLAGS"
257		CFLAGS="$CFLAGS -std=gnu99"
258		AC_CHECK_DECL([LLONG_MAX],
259		    [have_llong_max=1],
260		    [CFLAGS="$saved_CFLAGS"],
261		    [#include <limits.h>]
262		)
263	fi
264fi
265
266AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
267AC_COMPILE_IFELSE(
268    [AC_LANG_PROGRAM([[
269#include <stdlib.h>
270__attribute__((__unused__)) static void foo(void){return;}]],
271    [[ exit(0); ]])],
272    [ AC_MSG_RESULT([yes]) ],
273    [ AC_MSG_RESULT([no])
274      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
275	 [compiler does not accept __attribute__ on return types]) ]
276)
277
278AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
279AC_COMPILE_IFELSE(
280    [AC_LANG_PROGRAM([[
281#include <stdlib.h>
282typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
283    [[ exit(0); ]])],
284    [ AC_MSG_RESULT([yes]) ],
285    [ AC_MSG_RESULT([no])
286      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
287	 [compiler does not accept __attribute__ on prototype args]) ]
288)
289
290if test "x$no_attrib_nonnull" != "x1" ; then
291	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
292fi
293
294AC_ARG_WITH([rpath],
295	[  --without-rpath         Disable auto-added -R linker paths],
296	[
297		if test "x$withval" = "xno" ; then
298			rpath_opt=""
299		elif test "x$withval" = "xyes" ; then
300			rpath_opt="-R"
301		else
302			rpath_opt="$withval"
303		fi
304	]
305)
306
307# Allow user to specify flags
308AC_ARG_WITH([cflags],
309	[  --with-cflags           Specify additional flags to pass to compiler],
310	[
311		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
312		    test "x${withval}" != "xyes"; then
313			CFLAGS="$CFLAGS $withval"
314		fi
315	]
316)
317
318AC_ARG_WITH([cflags-after],
319	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
320	[
321		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
322		    test "x${withval}" != "xyes"; then
323			CFLAGS_AFTER="$withval"
324		fi
325	]
326)
327AC_ARG_WITH([cppflags],
328	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
329	[
330		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
331		    test "x${withval}" != "xyes"; then
332			CPPFLAGS="$CPPFLAGS $withval"
333		fi
334	]
335)
336AC_ARG_WITH([ldflags],
337	[  --with-ldflags          Specify additional flags to pass to linker],
338	[
339		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
340		    test "x${withval}" != "xyes"; then
341			LDFLAGS="$LDFLAGS $withval"
342		fi
343	]
344)
345AC_ARG_WITH([ldflags-after],
346	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
347	[
348		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
349		    test "x${withval}" != "xyes"; then
350			LDFLAGS_AFTER="$withval"
351		fi
352	]
353)
354AC_ARG_WITH([libs],
355	[  --with-libs             Specify additional libraries to link with],
356	[
357		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
358		    test "x${withval}" != "xyes"; then
359			LIBS="$LIBS $withval"
360		fi
361	]
362)
363AC_ARG_WITH([Werror],
364	[  --with-Werror           Build main code with -Werror],
365	[
366		if test -n "$withval"  &&  test "x$withval" != "xno"; then
367			werror_flags="-Werror"
368			if test "x${withval}" != "xyes"; then
369				werror_flags="$withval"
370			fi
371		fi
372	]
373)
374
375AC_CHECK_HEADERS([ \
376	blf.h \
377	bstring.h \
378	crypt.h \
379	crypto/sha2.h \
380	dirent.h \
381	endian.h \
382	elf.h \
383	err.h \
384	features.h \
385	fcntl.h \
386	floatingpoint.h \
387	fnmatch.h \
388	getopt.h \
389	glob.h \
390	ia.h \
391	iaf.h \
392	ifaddrs.h \
393	inttypes.h \
394	langinfo.h \
395	limits.h \
396	locale.h \
397	login.h \
398	maillock.h \
399	ndir.h \
400	net/if_tun.h \
401	netdb.h \
402	netgroup.h \
403	pam/pam_appl.h \
404	paths.h \
405	poll.h \
406	pty.h \
407	readpassphrase.h \
408	rpc/types.h \
409	security/pam_appl.h \
410	sha2.h \
411	shadow.h \
412	stddef.h \
413	stdint.h \
414	string.h \
415	strings.h \
416	sys/bitypes.h \
417	sys/byteorder.h \
418	sys/bsdtty.h \
419	sys/cdefs.h \
420	sys/dir.h \
421	sys/file.h \
422	sys/mman.h \
423	sys/label.h \
424	sys/ndir.h \
425	sys/poll.h \
426	sys/prctl.h \
427	sys/pstat.h \
428	sys/ptrace.h \
429	sys/random.h \
430	sys/select.h \
431	sys/stat.h \
432	sys/stream.h \
433	sys/stropts.h \
434	sys/strtio.h \
435	sys/statvfs.h \
436	sys/sysmacros.h \
437	sys/time.h \
438	sys/timers.h \
439	sys/vfs.h \
440	time.h \
441	tmpdir.h \
442	ttyent.h \
443	ucred.h \
444	unistd.h \
445	usersec.h \
446	util.h \
447	utime.h \
448	utmp.h \
449	utmpx.h \
450	vis.h \
451	wchar.h \
452])
453
454# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
455# to be included first.
456AC_CHECK_HEADERS([sys/audit.h], [], [], [
457#ifdef HAVE_SYS_TIME_H
458# include <sys/time.h>
459#endif
460#ifdef HAVE_SYS_TYPES_H
461# include <sys/types.h>
462#endif
463#ifdef HAVE_SYS_LABEL_H
464# include <sys/label.h>
465#endif
466])
467
468# sys/capsicum.h requires sys/types.h
469AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
470#ifdef HAVE_SYS_TYPES_H
471# include <sys/types.h>
472#endif
473])
474
475# net/route.h requires sys/socket.h and sys/types.h.
476# sys/sysctl.h also requires sys/param.h
477AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
478#ifdef HAVE_SYS_TYPES_H
479# include <sys/types.h>
480#endif
481#include <sys/param.h>
482#include <sys/socket.h>
483])
484
485# lastlog.h requires sys/time.h to be included first on Solaris
486AC_CHECK_HEADERS([lastlog.h], [], [], [
487#ifdef HAVE_SYS_TIME_H
488# include <sys/time.h>
489#endif
490])
491
492# sys/ptms.h requires sys/stream.h to be included first on Solaris
493AC_CHECK_HEADERS([sys/ptms.h], [], [], [
494#ifdef HAVE_SYS_STREAM_H
495# include <sys/stream.h>
496#endif
497])
498
499# login_cap.h requires sys/types.h on NetBSD
500AC_CHECK_HEADERS([login_cap.h], [], [], [
501#include <sys/types.h>
502])
503
504# older BSDs need sys/param.h before sys/mount.h
505AC_CHECK_HEADERS([sys/mount.h], [], [], [
506#include <sys/param.h>
507])
508
509# Android requires sys/socket.h to be included before sys/un.h
510AC_CHECK_HEADERS([sys/un.h], [], [], [
511#include <sys/types.h>
512#include <sys/socket.h>
513])
514
515# Messages for features tested for in target-specific section
516SIA_MSG="no"
517SPC_MSG="no"
518SP_MSG="no"
519SPP_MSG="no"
520
521# Support for Solaris/Illumos privileges (this test is used by both
522# the --with-solaris-privs option and --with-sandbox=solaris).
523SOLARIS_PRIVS="no"
524
525AC_CHECK_SIZEOF([size_t])
526
527# Check for some target-specific stuff
528case "$host" in
529*-*-aix*)
530	# Some versions of VAC won't allow macro redefinitions at
531	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
532	# particularly with older versions of vac or xlc.
533	# It also throws errors about null macro arguments, but these are
534	# not fatal.
535	AC_MSG_CHECKING([if compiler allows macro redefinitions])
536	AC_COMPILE_IFELSE(
537	    [AC_LANG_PROGRAM([[
538#define testmacro foo
539#define testmacro bar]],
540	    [[ exit(0); ]])],
541	    [ AC_MSG_RESULT([yes]) ],
542	    [ AC_MSG_RESULT([no])
543	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
544	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
545	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
546	    ]
547	)
548
549	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
550	if (test -z "$blibpath"); then
551		blibpath="/usr/lib:/lib"
552	fi
553	saved_LDFLAGS="$LDFLAGS"
554	if test "$GCC" = "yes"; then
555		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
556	else
557		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
558	fi
559	for tryflags in $flags ;do
560		if (test -z "$blibflags"); then
561			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
562			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
563			[blibflags=$tryflags], [])
564		fi
565	done
566	if (test -z "$blibflags"); then
567		AC_MSG_RESULT([not found])
568		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
569	else
570		AC_MSG_RESULT([$blibflags])
571	fi
572	LDFLAGS="$saved_LDFLAGS"
573	dnl Check for authenticate.  Might be in libs.a on older AIXes
574	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
575		[Define if you want to enable AIX4's authenticate function])],
576		[AC_CHECK_LIB([s], [authenticate],
577			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
578				LIBS="$LIBS -ls"
579			])
580		])
581	dnl Check for various auth function declarations in headers.
582	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
583	    passwdexpired, setauthdb], , , [#include <usersec.h>])
584	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
585	AC_CHECK_DECLS([loginfailed],
586	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
587	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
588		[[ (void)loginfailed("user","host","tty",0); ]])],
589		[AC_MSG_RESULT([yes])
590		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
591			[Define if your AIX loginfailed() function
592			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
593	    ])],
594	    [],
595	    [#include <usersec.h>]
596	)
597	AC_CHECK_FUNCS([getgrset setauthdb])
598	AC_CHECK_DECL([F_CLOSEM],
599	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
600	    [],
601	    [ #include <limits.h>
602	      #include <fcntl.h> ]
603	)
604	check_for_aix_broken_getaddrinfo=1
605	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
606	    [Define if your platform breaks doing a seteuid before a setuid])
607	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
608	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
609	dnl AIX handles lastlog as part of its login message
610	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
611	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
612		[Some systems need a utmpx entry for /bin/login to work])
613	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
614		[Define to a Set Process Title type if your system is
615		supported by bsd-setproctitle.c])
616	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
617	    [AIX 5.2 and 5.3 (and presumably newer) require this])
618	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
619	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
620	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
621	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
622	;;
623*-*-android*)
624	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
625	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
626	;;
627*-*-cygwin*)
628	check_for_libcrypt_later=1
629	LIBS="$LIBS /usr/lib/textreadmode.o"
630	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
631	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
632	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
633		[Define to disable UID restoration test])
634	AC_DEFINE([DISABLE_SHADOW], [1],
635		[Define if you want to disable shadow passwords])
636	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
637		[Define if X11 doesn't support AF_UNIX sockets on that system])
638	AC_DEFINE([DISABLE_FD_PASSING], [1],
639		[Define if your platform needs to skip post auth
640		file descriptor passing])
641	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
642	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
643	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
644	# reasons which cause compile warnings, so we disable those warnings.
645	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
646	;;
647*-*-dgux*)
648	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
649		[Define if your system choked on IP TOS setting])
650	AC_DEFINE([SETEUID_BREAKS_SETUID])
651	AC_DEFINE([BROKEN_SETREUID])
652	AC_DEFINE([BROKEN_SETREGID])
653	;;
654*-*-darwin*)
655	use_pie=auto
656	AC_MSG_CHECKING([if we have working getaddrinfo])
657	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
658main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
659		exit(0);
660	else
661		exit(1);
662}
663			]])],
664	[AC_MSG_RESULT([working])],
665	[AC_MSG_RESULT([buggy])
666	AC_DEFINE([BROKEN_GETADDRINFO], [1],
667		[getaddrinfo is broken (if present)])
668	],
669	[AC_MSG_RESULT([assume it is working])])
670	AC_DEFINE([SETEUID_BREAKS_SETUID])
671	AC_DEFINE([BROKEN_SETREUID])
672	AC_DEFINE([BROKEN_SETREGID])
673	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
674	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
675		[Define if your resolver libs need this for getrrsetbyname])
676	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
677	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
678	    [Use tunnel device compatibility to OpenBSD])
679	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
680	    [Prepend the address family to IP tunnel traffic])
681	m4_pattern_allow([AU_IPv])
682	AC_CHECK_DECL([AU_IPv4], [],
683	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
684	    [#include <bsm/audit.h>]
685	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
686	    [Define if pututxline updates lastlog too])
687	)
688	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
689		[Define to a Set Process Title type if your system is
690		supported by bsd-setproctitle.c])
691	AC_CHECK_FUNCS([sandbox_init])
692	AC_CHECK_HEADERS([sandbox.h])
693	AC_CHECK_LIB([sandbox], [sandbox_apply], [
694	    SSHDLIBS="$SSHDLIBS -lsandbox"
695	])
696	# proc_pidinfo()-based closefrom() replacement.
697	AC_CHECK_HEADERS([libproc.h])
698	AC_CHECK_FUNCS([proc_pidinfo])
699	;;
700*-*-dragonfly*)
701	SSHDLIBS="$SSHDLIBS -lcrypt"
702	TEST_MALLOC_OPTIONS="AFGJPRX"
703	;;
704*-*-haiku*)
705	LIBS="$LIBS -lbsd "
706	CFLAGS="$CFLAGS -D_BSD_SOURCE"
707	AC_CHECK_LIB([network], [socket])
708	AC_DEFINE([HAVE_U_INT64_T])
709	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
710	MANTYPE=man
711	;;
712*-*-hpux*)
713	# first we define all of the options common to all HP-UX releases
714	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
715	IPADDR_IN_DISPLAY=yes
716	AC_DEFINE([USE_PIPES])
717	AC_DEFINE([LOGIN_NEEDS_UTMPX])
718	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
719		[String used in /etc/passwd to denote locked account])
720	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
721	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
722	maildir="/var/mail"
723	LIBS="$LIBS -lsec"
724	AC_CHECK_LIB([xnet], [t_error], ,
725	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
726
727	# next, we define all of the options specific to major releases
728	case "$host" in
729	*-*-hpux10*)
730		if test -z "$GCC"; then
731			CFLAGS="$CFLAGS -Ae"
732		fi
733		;;
734	*-*-hpux11*)
735		AC_DEFINE([PAM_SUN_CODEBASE], [1],
736			[Define if you are using Solaris-derived PAM which
737			passes pam_messages to the conversation function
738			with an extra level of indirection])
739		AC_DEFINE([DISABLE_UTMP], [1],
740			[Define if you don't want to use utmp])
741		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
742		check_for_hpux_broken_getaddrinfo=1
743		check_for_conflicting_getspnam=1
744		;;
745	esac
746
747	# lastly, we define options specific to minor releases
748	case "$host" in
749	*-*-hpux10.26)
750		AC_DEFINE([HAVE_SECUREWARE], [1],
751			[Define if you have SecureWare-based
752			protected password database])
753		disable_ptmx_check=yes
754		LIBS="$LIBS -lsecpw"
755		;;
756	esac
757	;;
758*-*-irix5*)
759	PATH="$PATH:/usr/etc"
760	AC_DEFINE([BROKEN_INET_NTOA], [1],
761		[Define if you system's inet_ntoa is busted
762		(e.g. Irix gcc issue)])
763	AC_DEFINE([SETEUID_BREAKS_SETUID])
764	AC_DEFINE([BROKEN_SETREUID])
765	AC_DEFINE([BROKEN_SETREGID])
766	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
767		[Define if you shouldn't strip 'tty' from your
768		ttyname in [uw]tmp])
769	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
770	;;
771*-*-irix6*)
772	PATH="$PATH:/usr/etc"
773	AC_DEFINE([WITH_IRIX_ARRAY], [1],
774		[Define if you have/want arrays
775		(cluster-wide session management, not C arrays)])
776	AC_DEFINE([WITH_IRIX_PROJECT], [1],
777		[Define if you want IRIX project management])
778	AC_DEFINE([WITH_IRIX_AUDIT], [1],
779		[Define if you want IRIX audit trails])
780	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
781		[Define if you want IRIX kernel jobs])])
782	AC_DEFINE([BROKEN_INET_NTOA])
783	AC_DEFINE([SETEUID_BREAKS_SETUID])
784	AC_DEFINE([BROKEN_SETREUID])
785	AC_DEFINE([BROKEN_SETREGID])
786	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
787	AC_DEFINE([WITH_ABBREV_NO_TTY])
788	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
789	;;
790*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
791	check_for_libcrypt_later=1
792	AC_DEFINE([PAM_TTY_KLUDGE])
793	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
794	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
795	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
796	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
797	;;
798*-*-linux*)
799	no_dev_ptmx=1
800	use_pie=auto
801	check_for_libcrypt_later=1
802	check_for_openpty_ctty_bug=1
803	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
804	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
805	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
806	AC_DEFINE([PAM_TTY_KLUDGE], [1],
807		[Work around problematic Linux PAM modules handling of PAM_TTY])
808	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
809		[String used in /etc/passwd to denote locked account])
810	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
811	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
812		[Define to whatever link() returns for "not supported"
813		if it doesn't return EOPNOTSUPP.])
814	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
815	AC_DEFINE([USE_BTMP])
816	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
817	inet6_default_4in6=yes
818	case `uname -r` in
819	1.*|2.0.*)
820		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
821			[Define if cmsg_type is not passed correctly])
822		;;
823	esac
824	# tun(4) forwarding compat code
825	AC_CHECK_HEADERS([linux/if_tun.h])
826	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
827		AC_DEFINE([SSH_TUN_LINUX], [1],
828		    [Open tunnel devices the Linux tun/tap way])
829		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
830		    [Use tunnel device compatibility to OpenBSD])
831		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
832		    [Prepend the address family to IP tunnel traffic])
833	fi
834	AC_CHECK_HEADER([linux/if.h],
835	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
836		[Support routing domains using Linux VRF]), [], [
837#ifdef HAVE_SYS_TYPES_H
838# include <sys/types.h>
839#endif
840	    ])
841	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
842	    [], [#include <linux/types.h>])
843	# Obtain MIPS ABI
844	case "$host" in
845	mips*)
846		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
847#if _MIPS_SIM != _ABIO32
848#error
849#endif
850			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
851#if _MIPS_SIM != _ABIN32
852#error
853#endif
854				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
855#if _MIPS_SIM != _ABI64
856#error
857#endif
858					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
859				])
860			])
861		])
862		;;
863	esac
864	AC_MSG_CHECKING([for seccomp architecture])
865	seccomp_audit_arch=
866	case "$host" in
867	x86_64-*)
868		seccomp_audit_arch=AUDIT_ARCH_X86_64
869		# X32: AMD64 instructions in 32bit address space.
870		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
871			seccomp_audit_arch=AUDIT_ARCH_I386
872		fi
873		;;
874	i*86-*)
875		seccomp_audit_arch=AUDIT_ARCH_I386
876		;;
877	arm*-*)
878		seccomp_audit_arch=AUDIT_ARCH_ARM
879		;;
880	aarch64*-*)
881		seccomp_audit_arch=AUDIT_ARCH_AARCH64
882		;;
883	s390x-*)
884		seccomp_audit_arch=AUDIT_ARCH_S390X
885		;;
886	s390-*)
887		seccomp_audit_arch=AUDIT_ARCH_S390
888		;;
889	powerpc64-*)
890		seccomp_audit_arch=AUDIT_ARCH_PPC64
891		;;
892	powerpc64le-*)
893		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
894		;;
895	mips-*)
896		seccomp_audit_arch=AUDIT_ARCH_MIPS
897		;;
898	mipsel-*)
899		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
900		;;
901	mips64-*)
902		case "$mips_abi" in
903		"n32")
904			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
905			;;
906		"n64")
907			seccomp_audit_arch=AUDIT_ARCH_MIPS64
908			;;
909		esac
910		;;
911	mips64el-*)
912		case "$mips_abi" in
913		"n32")
914			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
915			;;
916		"n64")
917			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
918			;;
919		esac
920		;;
921	riscv64-*)
922		seccomp_audit_arch=AUDIT_ARCH_RISCV64
923		;;
924	esac
925	if test "x$seccomp_audit_arch" != "x" ; then
926		AC_MSG_RESULT(["$seccomp_audit_arch"])
927		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
928		    [Specify the system call convention in use])
929	else
930		AC_MSG_RESULT([architecture not supported])
931	fi
932	;;
933mips-sony-bsd|mips-sony-newsos4)
934	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
935	SONY=1
936	;;
937*-*-netbsd*)
938	check_for_libcrypt_before=1
939	if test "x$withval" != "xno" ; then
940		rpath_opt="-R"
941	fi
942	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
943	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
944	AC_CHECK_HEADER([net/if_tap.h], ,
945	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
946	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
947	    [Prepend the address family to IP tunnel traffic])
948	TEST_MALLOC_OPTIONS="AJRX"
949	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
950	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
951	;;
952*-*-freebsd*)
953	check_for_libcrypt_later=1
954	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
955	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
956	AC_CHECK_HEADER([net/if_tap.h], ,
957	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
958	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
959	TEST_MALLOC_OPTIONS="AJRX"
960	# Preauth crypto occasionally uses file descriptors for crypto offload
961	# and will crash if they cannot be opened.
962	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
963	    [define if setrlimit RLIMIT_NOFILE breaks things])
964	;;
965*-*-bsdi*)
966	AC_DEFINE([SETEUID_BREAKS_SETUID])
967	AC_DEFINE([BROKEN_SETREUID])
968	AC_DEFINE([BROKEN_SETREGID])
969	;;
970*-next-*)
971	conf_lastlog_location="/usr/adm/lastlog"
972	conf_utmp_location=/etc/utmp
973	conf_wtmp_location=/usr/adm/wtmp
974	maildir=/usr/spool/mail
975	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
976	AC_DEFINE([USE_PIPES])
977	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
978	;;
979*-*-openbsd*)
980	use_pie=auto
981	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
982	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
983	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
984	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
985	    [syslog_r function is safe to use in in a signal handler])
986	TEST_MALLOC_OPTIONS="AFGJPRX"
987	;;
988*-*-solaris*)
989	if test "x$withval" != "xno" ; then
990		rpath_opt="-R"
991	fi
992	AC_DEFINE([PAM_SUN_CODEBASE])
993	AC_DEFINE([LOGIN_NEEDS_UTMPX])
994	AC_DEFINE([PAM_TTY_KLUDGE])
995	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
996		[Define if pam_chauthtok wants real uid set
997		to the unpriv'ed user])
998	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
999	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1000	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1001		[Define if sshd somehow reacquires a controlling TTY
1002		after setsid()])
1003	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1004		in case the name is longer than 8 chars])
1005	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1006	external_path_file=/etc/default/login
1007	# hardwire lastlog location (can't detect it on some versions)
1008	conf_lastlog_location="/var/adm/lastlog"
1009	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1010	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1011	if test "$sol2ver" -ge 8; then
1012		AC_MSG_RESULT([yes])
1013		AC_DEFINE([DISABLE_UTMP])
1014		AC_DEFINE([DISABLE_WTMP], [1],
1015			[Define if you don't want to use wtmp])
1016	else
1017		AC_MSG_RESULT([no])
1018	fi
1019	AC_CHECK_FUNCS([setpflags])
1020	AC_CHECK_FUNCS([setppriv])
1021	AC_CHECK_FUNCS([priv_basicset])
1022	AC_CHECK_HEADERS([priv.h])
1023	AC_ARG_WITH([solaris-contracts],
1024		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1025		[
1026		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1027			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1028				[Define if you have Solaris process contracts])
1029			  LIBS="$LIBS -lcontract"
1030			  SPC_MSG="yes" ], )
1031		],
1032	)
1033	AC_ARG_WITH([solaris-projects],
1034		[  --with-solaris-projects Enable Solaris projects (experimental)],
1035		[
1036		AC_CHECK_LIB([project], [setproject],
1037			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1038				[Define if you have Solaris projects])
1039			LIBS="$LIBS -lproject"
1040			SP_MSG="yes" ], )
1041		],
1042	)
1043	AC_ARG_WITH([solaris-privs],
1044		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1045		[
1046		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1047		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1048			"x$ac_cv_header_priv_h" = "xyes" ; then
1049			SOLARIS_PRIVS=yes
1050			AC_MSG_RESULT([found])
1051			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1052				[Define to disable UID restoration test])
1053			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1054				[Define if you have Solaris privileges])
1055			SPP_MSG="yes"
1056		else
1057			AC_MSG_RESULT([not found])
1058			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1059		fi
1060		],
1061	)
1062	TEST_SHELL=$SHELL	# let configure find us a capable shell
1063	;;
1064*-*-sunos4*)
1065	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1066	AC_CHECK_FUNCS([getpwanam])
1067	AC_DEFINE([PAM_SUN_CODEBASE])
1068	conf_utmp_location=/etc/utmp
1069	conf_wtmp_location=/var/adm/wtmp
1070	conf_lastlog_location=/var/adm/lastlog
1071	AC_DEFINE([USE_PIPES])
1072	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1073	;;
1074*-ncr-sysv*)
1075	LIBS="$LIBS -lc89"
1076	AC_DEFINE([USE_PIPES])
1077	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1078	AC_DEFINE([SETEUID_BREAKS_SETUID])
1079	AC_DEFINE([BROKEN_SETREUID])
1080	AC_DEFINE([BROKEN_SETREGID])
1081	;;
1082*-sni-sysv*)
1083	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1084	AC_CHECK_LIB([dl], [dlsym], ,)
1085	# -lresolv needs to be at the end of LIBS or DNS lookups break
1086	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1087	IPADDR_IN_DISPLAY=yes
1088	AC_DEFINE([USE_PIPES])
1089	AC_DEFINE([IP_TOS_IS_BROKEN])
1090	AC_DEFINE([SETEUID_BREAKS_SETUID])
1091	AC_DEFINE([BROKEN_SETREUID])
1092	AC_DEFINE([BROKEN_SETREGID])
1093	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1094	external_path_file=/etc/default/login
1095	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1096	# Attention: always take care to bind libsocket and libnsl before libc,
1097	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1098	;;
1099# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1100*-*-sysv4.2*)
1101	AC_DEFINE([USE_PIPES])
1102	AC_DEFINE([SETEUID_BREAKS_SETUID])
1103	AC_DEFINE([BROKEN_SETREUID])
1104	AC_DEFINE([BROKEN_SETREGID])
1105	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1106	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1107	TEST_SHELL=$SHELL	# let configure find us a capable shell
1108	;;
1109# UnixWare 7.x, OpenUNIX 8
1110*-*-sysv5*)
1111	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1112	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1113	AC_DEFINE([USE_PIPES])
1114	AC_DEFINE([SETEUID_BREAKS_SETUID])
1115	AC_DEFINE([BROKEN_GETADDRINFO])
1116	AC_DEFINE([BROKEN_SETREUID])
1117	AC_DEFINE([BROKEN_SETREGID])
1118	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1119	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1120	TEST_SHELL=$SHELL	# let configure find us a capable shell
1121	check_for_libcrypt_later=1
1122	case "$host" in
1123	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1124		maildir=/var/spool/mail
1125		AC_DEFINE([BROKEN_UPDWTMPX])
1126		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1127			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1128			], , )
1129		;;
1130	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1131		;;
1132	esac
1133	;;
1134*-*-sysv*)
1135	;;
1136# SCO UNIX and OEM versions of SCO UNIX
1137*-*-sco3.2v4*)
1138	AC_MSG_ERROR("This Platform is no longer supported.")
1139	;;
1140# SCO OpenServer 5.x
1141*-*-sco3.2v5*)
1142	if test -z "$GCC"; then
1143		CFLAGS="$CFLAGS -belf"
1144	fi
1145	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1146	no_dev_ptmx=1
1147	AC_DEFINE([USE_PIPES])
1148	AC_DEFINE([HAVE_SECUREWARE])
1149	AC_DEFINE([DISABLE_SHADOW])
1150	AC_DEFINE([DISABLE_FD_PASSING])
1151	AC_DEFINE([SETEUID_BREAKS_SETUID])
1152	AC_DEFINE([BROKEN_GETADDRINFO])
1153	AC_DEFINE([BROKEN_SETREUID])
1154	AC_DEFINE([BROKEN_SETREGID])
1155	AC_DEFINE([WITH_ABBREV_NO_TTY])
1156	AC_DEFINE([BROKEN_UPDWTMPX])
1157	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1158	AC_CHECK_FUNCS([getluid setluid])
1159	MANTYPE=man
1160	TEST_SHELL=$SHELL	# let configure find us a capable shell
1161	SKIP_DISABLE_LASTLOG_DEFINE=yes
1162	;;
1163*-dec-osf*)
1164	AC_MSG_CHECKING([for Digital Unix SIA])
1165	no_osfsia=""
1166	AC_ARG_WITH([osfsia],
1167		[  --with-osfsia           Enable Digital Unix SIA],
1168		[
1169			if test "x$withval" = "xno" ; then
1170				AC_MSG_RESULT([disabled])
1171				no_osfsia=1
1172			fi
1173		],
1174	)
1175	if test -z "$no_osfsia" ; then
1176		if test -f /etc/sia/matrix.conf; then
1177			AC_MSG_RESULT([yes])
1178			AC_DEFINE([HAVE_OSF_SIA], [1],
1179				[Define if you have Digital Unix Security
1180				Integration Architecture])
1181			AC_DEFINE([DISABLE_LOGIN], [1],
1182				[Define if you don't want to use your
1183				system's login() call])
1184			AC_DEFINE([DISABLE_FD_PASSING])
1185			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1186			SIA_MSG="yes"
1187		else
1188			AC_MSG_RESULT([no])
1189			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1190			  [String used in /etc/passwd to denote locked account])
1191		fi
1192	fi
1193	AC_DEFINE([BROKEN_GETADDRINFO])
1194	AC_DEFINE([SETEUID_BREAKS_SETUID])
1195	AC_DEFINE([BROKEN_SETREUID])
1196	AC_DEFINE([BROKEN_SETREGID])
1197	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1198	;;
1199
1200*-*-nto-qnx*)
1201	AC_DEFINE([USE_PIPES])
1202	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1203	AC_DEFINE([DISABLE_LASTLOG])
1204	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1205	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1206	enable_etc_default_login=no	# has incompatible /etc/default/login
1207	case "$host" in
1208	*-*-nto-qnx6*)
1209		AC_DEFINE([DISABLE_FD_PASSING])
1210		;;
1211	esac
1212	;;
1213
1214*-*-ultrix*)
1215	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1216	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1217	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1218	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1219	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1220	# don't get a controlling tty.
1221	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1222	# On Ultrix some headers are not protected against multiple includes,
1223	# so we create wrappers and put it where the compiler will find it.
1224	AC_MSG_WARN([creating compat wrappers for headers])
1225	mkdir -p netinet
1226	for header in netinet/ip.h netdb.h resolv.h; do
1227		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1228		cat >$header <<EOD
1229#ifndef _SSH_COMPAT_${name}
1230#define _SSH_COMPAT_${name}
1231#include "/usr/include/${header}"
1232#endif
1233EOD
1234	done
1235	;;
1236
1237*-*-lynxos)
1238	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1239	AC_DEFINE([BROKEN_SETVBUF], [1],
1240	    [LynxOS has broken setvbuf() implementation])
1241	;;
1242esac
1243
1244AC_MSG_CHECKING([compiler and flags for sanity])
1245AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1246	[	AC_MSG_RESULT([yes]) ],
1247	[
1248		AC_MSG_RESULT([no])
1249		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1250	],
1251	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1252)
1253
1254dnl Checks for header files.
1255# Checks for libraries.
1256AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1257
1258dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1259AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1260	AC_CHECK_LIB([gen], [dirname], [
1261		AC_CACHE_CHECK([for broken dirname],
1262			ac_cv_have_broken_dirname, [
1263			save_LIBS="$LIBS"
1264			LIBS="$LIBS -lgen"
1265			AC_RUN_IFELSE(
1266				[AC_LANG_SOURCE([[
1267#include <libgen.h>
1268#include <string.h>
1269
1270int main(int argc, char **argv) {
1271    char *s, buf[32];
1272
1273    strncpy(buf,"/etc", 32);
1274    s = dirname(buf);
1275    if (!s || strncmp(s, "/", 32) != 0) {
1276	exit(1);
1277    } else {
1278	exit(0);
1279    }
1280}
1281				]])],
1282				[ ac_cv_have_broken_dirname="no" ],
1283				[ ac_cv_have_broken_dirname="yes" ],
1284				[ ac_cv_have_broken_dirname="no" ],
1285			)
1286			LIBS="$save_LIBS"
1287		])
1288		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1289			LIBS="$LIBS -lgen"
1290			AC_DEFINE([HAVE_DIRNAME])
1291			AC_CHECK_HEADERS([libgen.h])
1292		fi
1293	])
1294])
1295
1296AC_CHECK_FUNC([getspnam], ,
1297	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1298AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1299	[Define if you have the basename function.])])
1300
1301dnl zlib defaults to enabled
1302zlib=yes
1303AC_ARG_WITH([zlib],
1304	[  --with-zlib=PATH        Use zlib in PATH],
1305	[ if test "x$withval" = "xno" ; then
1306		zlib=no
1307	  elif test "x$withval" != "xyes"; then
1308		if test -d "$withval/lib"; then
1309			if test -n "${rpath_opt}"; then
1310				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1311			else
1312				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1313			fi
1314		else
1315			if test -n "${rpath_opt}"; then
1316				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1317			else
1318				LDFLAGS="-L${withval} ${LDFLAGS}"
1319			fi
1320		fi
1321		if test -d "$withval/include"; then
1322			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1323		else
1324			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1325		fi
1326	fi ]
1327)
1328
1329AC_MSG_CHECKING([for zlib])
1330if test "x${zlib}" = "xno"; then
1331	AC_MSG_RESULT([no])
1332else
1333	AC_MSG_RESULT([yes])
1334	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1335    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1336    AC_CHECK_LIB([z], [deflate], ,
1337	[
1338		saved_CPPFLAGS="$CPPFLAGS"
1339		saved_LDFLAGS="$LDFLAGS"
1340		save_LIBS="$LIBS"
1341		dnl Check default zlib install dir
1342		if test -n "${rpath_opt}"; then
1343			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1344		else
1345			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1346		fi
1347		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1348		LIBS="$LIBS -lz"
1349		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1350			[
1351				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1352			]
1353		)
1354	]
1355    )
1356
1357    AC_ARG_WITH([zlib-version-check],
1358	[  --without-zlib-version-check Disable zlib version check],
1359	[  if test "x$withval" = "xno" ; then
1360		zlib_check_nonfatal=1
1361	   fi
1362	]
1363    )
1364
1365    AC_MSG_CHECKING([for possibly buggy zlib])
1366    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1367#include <stdio.h>
1368#include <stdlib.h>
1369#include <zlib.h>
1370	]],
1371	[[
1372	int a=0, b=0, c=0, d=0, n, v;
1373	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1374	if (n != 3 && n != 4)
1375		exit(1);
1376	v = a*1000000 + b*10000 + c*100 + d;
1377	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1378
1379	/* 1.1.4 is OK */
1380	if (a == 1 && b == 1 && c >= 4)
1381		exit(0);
1382
1383	/* 1.2.3 and up are OK */
1384	if (v >= 1020300)
1385		exit(0);
1386
1387	exit(2);
1388	]])],
1389	AC_MSG_RESULT([no]),
1390	[ AC_MSG_RESULT([yes])
1391	  if test -z "$zlib_check_nonfatal" ; then
1392		AC_MSG_ERROR([*** zlib too old - check config.log ***
1393Your reported zlib version has known security problems.  It's possible your
1394vendor has fixed these problems without changing the version number.  If you
1395are sure this is the case, you can disable the check by running
1396"./configure --without-zlib-version-check".
1397If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1398See http://www.gzip.org/zlib/ for details.])
1399	  else
1400		AC_MSG_WARN([zlib version may have security problems])
1401	  fi
1402	],
1403	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1404    )
1405fi
1406
1407dnl UnixWare 2.x
1408AC_CHECK_FUNC([strcasecmp],
1409	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1410)
1411AC_CHECK_FUNCS([utimes],
1412	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1413					LIBS="$LIBS -lc89"]) ]
1414)
1415
1416dnl    Checks for libutil functions
1417AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1418AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1419AC_SEARCH_LIBS([scan_scaled], [util bsd])
1420AC_SEARCH_LIBS([login], [util bsd])
1421AC_SEARCH_LIBS([logout], [util bsd])
1422AC_SEARCH_LIBS([logwtmp], [util bsd])
1423AC_SEARCH_LIBS([openpty], [util bsd])
1424AC_SEARCH_LIBS([updwtmp], [util bsd])
1425AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1426
1427# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1428# or libnsl.
1429AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1430AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1431
1432# "Particular Function Checks"
1433# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1434AC_FUNC_STRFTIME
1435AC_FUNC_MALLOC
1436AC_FUNC_REALLOC
1437# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1438AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1439AC_RUN_IFELSE(
1440	[AC_LANG_PROGRAM(
1441		[[ #include <stdlib.h> ]],
1442		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1443	)],
1444	[ func_calloc_0_nonnull=yes ],
1445	[ func_calloc_0_nonnull=no ],
1446	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1447	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1448)
1449AC_MSG_RESULT([$func_calloc_0_nonnull])
1450
1451if test "x$func_calloc_0_nonnull" = "xyes"; then
1452	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1453else
1454	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1455	AC_DEFINE(calloc, rpl_calloc,
1456	    [Define to rpl_calloc if the replacement function should be used.])
1457fi
1458
1459# Check for ALTDIRFUNC glob() extension
1460AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1461AC_EGREP_CPP([FOUNDIT],
1462	[
1463		#include <glob.h>
1464		#ifdef GLOB_ALTDIRFUNC
1465		FOUNDIT
1466		#endif
1467	],
1468	[
1469		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1470			[Define if your system glob() function has
1471			the GLOB_ALTDIRFUNC extension])
1472		AC_MSG_RESULT([yes])
1473	],
1474	[
1475		AC_MSG_RESULT([no])
1476	]
1477)
1478
1479# Check for g.gl_matchc glob() extension
1480AC_MSG_CHECKING([for gl_matchc field in glob_t])
1481AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1482	[[ glob_t g; g.gl_matchc = 1; ]])],
1483	[
1484		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1485			[Define if your system glob() function has
1486			gl_matchc options in glob_t])
1487		AC_MSG_RESULT([yes])
1488	], [
1489		AC_MSG_RESULT([no])
1490])
1491
1492# Check for g.gl_statv glob() extension
1493AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1494AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1495#ifndef GLOB_KEEPSTAT
1496#error "glob does not support GLOB_KEEPSTAT extension"
1497#endif
1498glob_t g;
1499g.gl_statv = NULL;
1500]])],
1501	[
1502		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1503			[Define if your system glob() function has
1504			gl_statv options in glob_t])
1505		AC_MSG_RESULT([yes])
1506	], [
1507		AC_MSG_RESULT([no])
1508
1509])
1510
1511AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1512
1513AC_CHECK_DECL([VIS_ALL], ,
1514    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1515
1516AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1517AC_RUN_IFELSE(
1518	[AC_LANG_PROGRAM([[
1519#include <sys/types.h>
1520#include <dirent.h>]],
1521	[[
1522	struct dirent d;
1523	exit(sizeof(d.d_name)<=sizeof(char));
1524	]])],
1525	[AC_MSG_RESULT([yes])],
1526	[
1527		AC_MSG_RESULT([no])
1528		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1529			[Define if your struct dirent expects you to
1530			allocate extra space for d_name])
1531	],
1532	[
1533		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1534		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1535	]
1536)
1537
1538AC_MSG_CHECKING([for /proc/pid/fd directory])
1539if test -d "/proc/$$/fd" ; then
1540	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1541	AC_MSG_RESULT([yes])
1542else
1543	AC_MSG_RESULT([no])
1544fi
1545
1546# Check whether user wants to use ldns
1547LDNS_MSG="no"
1548AC_ARG_WITH(ldns,
1549	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1550	[
1551	ldns=""
1552	if test "x$withval" = "xyes" ; then
1553		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1554		if test "x$LDNSCONFIG" = "xno"; then
1555			LIBS="-lldns $LIBS"
1556			ldns=yes
1557		else
1558			LIBS="$LIBS `$LDNSCONFIG --libs`"
1559			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1560			ldns=yes
1561		fi
1562	elif test "x$withval" != "xno" ; then
1563			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1564			LDFLAGS="$LDFLAGS -L${withval}/lib"
1565			LIBS="-lldns $LIBS"
1566			ldns=yes
1567	fi
1568
1569	# Verify that it works.
1570	if test "x$ldns" = "xyes" ; then
1571		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1572		LDNS_MSG="yes"
1573		AC_MSG_CHECKING([for ldns support])
1574		AC_LINK_IFELSE(
1575			[AC_LANG_SOURCE([[
1576#include <stdio.h>
1577#include <stdlib.h>
1578#ifdef HAVE_STDINT_H
1579# include <stdint.h>
1580#endif
1581#include <ldns/ldns.h>
1582int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1583			]])
1584		],
1585			[AC_MSG_RESULT(yes)],
1586				[
1587					AC_MSG_RESULT(no)
1588					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1589				])
1590	fi
1591])
1592
1593# Check whether user wants libedit support
1594LIBEDIT_MSG="no"
1595AC_ARG_WITH([libedit],
1596	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1597	[ if test "x$withval" != "xno" ; then
1598		if test "x$withval" = "xyes" ; then
1599			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1600			if test "x$PKGCONFIG" != "xno"; then
1601				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1602				if "$PKGCONFIG" libedit; then
1603					AC_MSG_RESULT([yes])
1604					use_pkgconfig_for_libedit=yes
1605				else
1606					AC_MSG_RESULT([no])
1607				fi
1608			fi
1609		else
1610			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1611			if test -n "${rpath_opt}"; then
1612				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1613			else
1614				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1615			fi
1616		fi
1617		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1618			LIBEDIT=`$PKGCONFIG --libs libedit`
1619			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1620		else
1621			LIBEDIT="-ledit -lcurses"
1622		fi
1623		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1624		AC_CHECK_LIB([edit], [el_init],
1625			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1626			  LIBEDIT_MSG="yes"
1627			  AC_SUBST([LIBEDIT])
1628			],
1629			[ AC_MSG_ERROR([libedit not found]) ],
1630			[ $OTHERLIBS ]
1631		)
1632		AC_MSG_CHECKING([if libedit version is compatible])
1633		AC_COMPILE_IFELSE(
1634		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1635		    [[
1636	int i = H_SETSIZE;
1637	el_init("", NULL, NULL, NULL);
1638	exit(0);
1639		    ]])],
1640		    [ AC_MSG_RESULT([yes]) ],
1641		    [ AC_MSG_RESULT([no])
1642		      AC_MSG_ERROR([libedit version is not compatible]) ]
1643		)
1644	fi ]
1645)
1646
1647AUDIT_MODULE=none
1648AC_ARG_WITH([audit],
1649	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1650	[
1651	  AC_MSG_CHECKING([for supported audit module])
1652	  case "$withval" in
1653	  bsm)
1654		AC_MSG_RESULT([bsm])
1655		AUDIT_MODULE=bsm
1656		dnl    Checks for headers, libs and functions
1657		AC_CHECK_HEADERS([bsm/audit.h], [],
1658		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1659		    [
1660#ifdef HAVE_TIME_H
1661# include <time.h>
1662#endif
1663		    ]
1664)
1665		AC_CHECK_LIB([bsm], [getaudit], [],
1666		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1667		AC_CHECK_FUNCS([getaudit], [],
1668		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1669		# These are optional
1670		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1671		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1672		if test "$sol2ver" -ge 11; then
1673			SSHDLIBS="$SSHDLIBS -lscf"
1674			AC_DEFINE([BROKEN_BSM_API], [1],
1675				[The system has incomplete BSM API])
1676		fi
1677		;;
1678	  linux)
1679		AC_MSG_RESULT([linux])
1680		AUDIT_MODULE=linux
1681		dnl    Checks for headers, libs and functions
1682		AC_CHECK_HEADERS([libaudit.h])
1683		SSHDLIBS="$SSHDLIBS -laudit"
1684		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1685		;;
1686	  debug)
1687		AUDIT_MODULE=debug
1688		AC_MSG_RESULT([debug])
1689		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1690		;;
1691	  no)
1692		AC_MSG_RESULT([no])
1693		;;
1694	  *)
1695		AC_MSG_ERROR([Unknown audit module $withval])
1696		;;
1697	esac ]
1698)
1699
1700AC_ARG_WITH([pie],
1701    [  --with-pie              Build Position Independent Executables if possible], [
1702	if test "x$withval" = "xno"; then
1703		use_pie=no
1704	fi
1705	if test "x$withval" = "xyes"; then
1706		use_pie=yes
1707	fi
1708    ]
1709)
1710if test "x$use_pie" = "x"; then
1711	use_pie=no
1712fi
1713if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1714	# Turn off automatic PIE when toolchain hardening is off.
1715	use_pie=no
1716fi
1717if test "x$use_pie" = "xauto"; then
1718	# Automatic PIE requires gcc >= 4.x
1719	AC_MSG_CHECKING([for gcc >= 4.x])
1720	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1721#if !defined(__GNUC__) || __GNUC__ < 4
1722#error gcc is too old
1723#endif
1724]])],
1725	[ AC_MSG_RESULT([yes]) ],
1726	[ AC_MSG_RESULT([no])
1727	  use_pie=no ]
1728)
1729fi
1730if test "x$use_pie" != "xno"; then
1731	SAVED_CFLAGS="$CFLAGS"
1732	SAVED_LDFLAGS="$LDFLAGS"
1733	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1734	OSSH_CHECK_LDFLAG_LINK([-pie])
1735	# We use both -fPIE and -pie or neither.
1736	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1737	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1738	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1739		AC_MSG_RESULT([yes])
1740	else
1741		AC_MSG_RESULT([no])
1742		CFLAGS="$SAVED_CFLAGS"
1743		LDFLAGS="$SAVED_LDFLAGS"
1744	fi
1745fi
1746
1747AC_MSG_CHECKING([whether -fPIC is accepted])
1748SAVED_CFLAGS="$CFLAGS"
1749CFLAGS="$CFLAGS -fPIC"
1750AC_COMPILE_IFELSE(
1751	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1752   [AC_MSG_RESULT([yes])
1753    PICFLAG="-fPIC"; ],
1754   [AC_MSG_RESULT([no])
1755    PICFLAG=""; ])
1756CFLAGS="$SAVED_CFLAGS"
1757AC_SUBST([PICFLAG])
1758
1759dnl    Checks for library functions. Please keep in alphabetical order
1760AC_CHECK_FUNCS([ \
1761	Blowfish_initstate \
1762	Blowfish_expandstate \
1763	Blowfish_expand0state \
1764	Blowfish_stream2word \
1765	SHA256Update \
1766	SHA384Update \
1767	SHA512Update \
1768	asprintf \
1769	b64_ntop \
1770	__b64_ntop \
1771	b64_pton \
1772	__b64_pton \
1773	bcopy \
1774	bcrypt_pbkdf \
1775	bindresvport_sa \
1776	blf_enc \
1777	bzero \
1778	cap_rights_limit \
1779	clock \
1780	closefrom \
1781	dirfd \
1782	endgrent \
1783	err \
1784	errx \
1785	explicit_bzero \
1786	fchmod \
1787	fchmodat \
1788	fchown \
1789	fchownat \
1790	flock \
1791	fnmatch \
1792	freeaddrinfo \
1793	freezero \
1794	fstatfs \
1795	fstatvfs \
1796	futimes \
1797	getaddrinfo \
1798	getcwd \
1799	getgrouplist \
1800	getline \
1801	getnameinfo \
1802	getopt \
1803	getpagesize \
1804	getpeereid \
1805	getpeerucred \
1806	getpgid \
1807	_getpty \
1808	getrlimit \
1809	getrandom \
1810	getsid \
1811	getttyent \
1812	glob \
1813	group_from_gid \
1814	inet_aton \
1815	inet_ntoa \
1816	inet_ntop \
1817	innetgr \
1818	llabs \
1819	localtime_r \
1820	login_getcapbool \
1821	md5_crypt \
1822	memmem \
1823	memmove \
1824	memset_s \
1825	mkdtemp \
1826	ngetaddrinfo \
1827	nsleep \
1828	ogetaddrinfo \
1829	openlog_r \
1830	pledge \
1831	poll \
1832	prctl \
1833	pstat \
1834	raise \
1835	readpassphrase \
1836	reallocarray \
1837	realpath \
1838	recvmsg \
1839	recallocarray \
1840	rresvport_af \
1841	sendmsg \
1842	setdtablesize \
1843	setegid \
1844	setenv \
1845	seteuid \
1846	setgroupent \
1847	setgroups \
1848	setlinebuf \
1849	setlogin \
1850	setpassent\
1851	setpcred \
1852	setproctitle \
1853	setregid \
1854	setreuid \
1855	setrlimit \
1856	setsid \
1857	setvbuf \
1858	sigaction \
1859	sigvec \
1860	snprintf \
1861	socketpair \
1862	statfs \
1863	statvfs \
1864	strcasestr \
1865	strdup \
1866	strerror \
1867	strlcat \
1868	strlcpy \
1869	strmode \
1870	strndup \
1871	strnlen \
1872	strnvis \
1873	strptime \
1874	strsignal \
1875	strtonum \
1876	strtoll \
1877	strtoul \
1878	strtoull \
1879	swap32 \
1880	sysconf \
1881	tcgetpgrp \
1882	timingsafe_bcmp \
1883	truncate \
1884	unsetenv \
1885	updwtmpx \
1886	utimensat \
1887	user_from_uid \
1888	usleep \
1889	vasprintf \
1890	vsnprintf \
1891	waitpid \
1892	warn \
1893])
1894
1895AC_CHECK_DECLS([bzero, memmem])
1896
1897dnl Wide character support.
1898AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1899
1900TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1901AC_MSG_CHECKING([for utf8 locale support])
1902AC_RUN_IFELSE(
1903	[AC_LANG_PROGRAM([[
1904#include <locale.h>
1905#include <stdlib.h>
1906	]], [[
1907	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1908	if (loc != NULL)
1909		exit(0);
1910	exit(1);
1911	]])],
1912	AC_MSG_RESULT(yes),
1913	[AC_MSG_RESULT(no)
1914	 TEST_SSH_UTF8=no],
1915	AC_MSG_WARN([cross compiling: assuming yes])
1916)
1917
1918AC_LINK_IFELSE(
1919        [AC_LANG_PROGRAM(
1920           [[ #include <ctype.h> ]],
1921           [[ return (isblank('a')); ]])],
1922	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1923])
1924
1925disable_pkcs11=
1926AC_ARG_ENABLE([pkcs11],
1927	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1928	[
1929		if test "x$enableval" = "xno" ; then
1930			disable_pkcs11=1
1931		fi
1932	]
1933)
1934
1935disable_sk=
1936AC_ARG_ENABLE([security-key],
1937	[  --disable-security-key  disable U2F/FIDO support code [no]],
1938	[
1939		if test "x$enableval" = "xno" ; then
1940			disable_sk=1
1941		fi
1942	]
1943)
1944enable_sk_internal=
1945AC_ARG_WITH([security-key-builtin],
1946	[  --with-security-key-builtin include builtin U2F/FIDO support],
1947	[
1948		if test "x$withval" != "xno" ; then
1949			enable_sk_internal=yes
1950		fi
1951	]
1952)
1953test "x$disable_sk" != "x" && enable_sk_internal=""
1954
1955AC_SEARCH_LIBS([dlopen], [dl])
1956AC_CHECK_FUNCS([dlopen])
1957AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1958
1959# IRIX has a const char return value for gai_strerror()
1960AC_CHECK_FUNCS([gai_strerror], [
1961	AC_DEFINE([HAVE_GAI_STRERROR])
1962	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1963#include <sys/types.h>
1964#include <sys/socket.h>
1965#include <netdb.h>
1966
1967const char *gai_strerror(int);
1968			]], [[
1969	char *str;
1970	str = gai_strerror(0);
1971			]])], [
1972		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1973		[Define if gai_strerror() returns const char *])], [])])
1974
1975AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1976	[Some systems put nanosleep outside of libc])])
1977
1978AC_SEARCH_LIBS([clock_gettime], [rt],
1979	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1980
1981dnl check if we need -D_REENTRANT for localtime_r declaration.
1982AC_CHECK_DECL([localtime_r], [],
1983	[ saved_CPPFLAGS="$CFLAGS"
1984	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1985	  unset ac_cv_have_decl_localtime_r
1986	  AC_CHECK_DECL([localtime_r], [],
1987		[ CPPFLAGS="$saved_CPPFLAGS" ],
1988		[ #include <time.h> ]
1989	  )
1990	],
1991	[ #include <time.h> ]
1992)
1993
1994dnl Make sure prototypes are defined for these before using them.
1995AC_CHECK_DECL([strsep],
1996	[AC_CHECK_FUNCS([strsep])],
1997	[],
1998	[
1999#ifdef HAVE_STRING_H
2000# include <string.h>
2001#endif
2002	])
2003
2004dnl tcsendbreak might be a macro
2005AC_CHECK_DECL([tcsendbreak],
2006	[AC_DEFINE([HAVE_TCSENDBREAK])],
2007	[AC_CHECK_FUNCS([tcsendbreak])],
2008	[#include <termios.h>]
2009)
2010
2011AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2012
2013AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2014	[
2015#include <sys/types.h>
2016#include <sys/socket.h>
2017#include <unistd.h>
2018	])
2019
2020AC_CHECK_DECLS([O_NONBLOCK], , ,
2021	[
2022#include <sys/types.h>
2023#ifdef HAVE_SYS_STAT_H
2024# include <sys/stat.h>
2025#endif
2026#ifdef HAVE_FCNTL_H
2027# include <fcntl.h>
2028#endif
2029	])
2030
2031AC_CHECK_DECLS([readv, writev], , , [
2032#include <sys/types.h>
2033#include <sys/uio.h>
2034#include <unistd.h>
2035	])
2036
2037AC_CHECK_DECLS([MAXSYMLINKS], , , [
2038#include <sys/param.h>
2039	])
2040
2041AC_CHECK_DECLS([offsetof], , , [
2042#include <stddef.h>
2043	])
2044
2045# extra bits for select(2)
2046AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2047#include <sys/param.h>
2048#include <sys/types.h>
2049#ifdef HAVE_SYS_SYSMACROS_H
2050#include <sys/sysmacros.h>
2051#endif
2052#ifdef HAVE_SYS_SELECT_H
2053#include <sys/select.h>
2054#endif
2055#ifdef HAVE_SYS_TIME_H
2056#include <sys/time.h>
2057#endif
2058#ifdef HAVE_UNISTD_H
2059#include <unistd.h>
2060#endif
2061	]])
2062AC_CHECK_TYPES([fd_mask], [], [], [[
2063#include <sys/param.h>
2064#include <sys/types.h>
2065#ifdef HAVE_SYS_SELECT_H
2066#include <sys/select.h>
2067#endif
2068#ifdef HAVE_SYS_TIME_H
2069#include <sys/time.h>
2070#endif
2071#ifdef HAVE_UNISTD_H
2072#include <unistd.h>
2073#endif
2074	]])
2075
2076AC_CHECK_FUNCS([setresuid], [
2077	dnl Some platorms have setresuid that isn't implemented, test for this
2078	AC_MSG_CHECKING([if setresuid seems to work])
2079	AC_RUN_IFELSE(
2080		[AC_LANG_PROGRAM([[
2081#include <stdlib.h>
2082#include <errno.h>
2083		]], [[
2084	errno=0;
2085	setresuid(0,0,0);
2086	if (errno==ENOSYS)
2087		exit(1);
2088	else
2089		exit(0);
2090		]])],
2091		[AC_MSG_RESULT([yes])],
2092		[AC_DEFINE([BROKEN_SETRESUID], [1],
2093			[Define if your setresuid() is broken])
2094		 AC_MSG_RESULT([not implemented])],
2095		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2096	)
2097])
2098
2099AC_CHECK_FUNCS([setresgid], [
2100	dnl Some platorms have setresgid that isn't implemented, test for this
2101	AC_MSG_CHECKING([if setresgid seems to work])
2102	AC_RUN_IFELSE(
2103		[AC_LANG_PROGRAM([[
2104#include <stdlib.h>
2105#include <errno.h>
2106		]], [[
2107	errno=0;
2108	setresgid(0,0,0);
2109	if (errno==ENOSYS)
2110		exit(1);
2111	else
2112		exit(0);
2113		]])],
2114		[AC_MSG_RESULT([yes])],
2115		[AC_DEFINE([BROKEN_SETRESGID], [1],
2116			[Define if your setresgid() is broken])
2117		 AC_MSG_RESULT([not implemented])],
2118		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2119	)
2120])
2121
2122AC_MSG_CHECKING([for working fflush(NULL)])
2123AC_RUN_IFELSE(
2124	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2125	AC_MSG_RESULT([yes]),
2126	[AC_MSG_RESULT([no])
2127	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2128	    [define if fflush(NULL) does not work])],
2129	AC_MSG_WARN([cross compiling: assuming working])
2130)
2131
2132dnl    Checks for time functions
2133AC_CHECK_FUNCS([gettimeofday time])
2134dnl    Checks for utmp functions
2135AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2136AC_CHECK_FUNCS([utmpname])
2137dnl    Checks for utmpx functions
2138AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2139AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2140dnl    Checks for lastlog functions
2141AC_CHECK_FUNCS([getlastlogxbyname])
2142
2143AC_CHECK_FUNC([daemon],
2144	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2145	[AC_CHECK_LIB([bsd], [daemon],
2146		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2147)
2148
2149AC_CHECK_FUNC([getpagesize],
2150	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2151		[Define if your libraries define getpagesize()])],
2152	[AC_CHECK_LIB([ucb], [getpagesize],
2153		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2154)
2155
2156# Check for broken snprintf
2157if test "x$ac_cv_func_snprintf" = "xyes" ; then
2158	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2159	AC_RUN_IFELSE(
2160		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2161		[[
2162	char b[5];
2163	snprintf(b,5,"123456789");
2164	exit(b[4]!='\0');
2165		]])],
2166		[AC_MSG_RESULT([yes])],
2167		[
2168			AC_MSG_RESULT([no])
2169			AC_DEFINE([BROKEN_SNPRINTF], [1],
2170				[Define if your snprintf is busted])
2171			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2172		],
2173		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2174	)
2175fi
2176
2177if test "x$ac_cv_func_snprintf" = "xyes" ; then
2178	AC_MSG_CHECKING([whether snprintf understands %zu])
2179	AC_RUN_IFELSE(
2180		[AC_LANG_PROGRAM([[
2181#include <sys/types.h>
2182#include <stdio.h>
2183		]],
2184		[[
2185	size_t a = 1, b = 2;
2186	char z[128];
2187	snprintf(z, sizeof z, "%zu%zu", a, b);
2188	exit(strcmp(z, "12"));
2189		]])],
2190		[AC_MSG_RESULT([yes])],
2191		[
2192			AC_MSG_RESULT([no])
2193			AC_DEFINE([BROKEN_SNPRINTF], [1],
2194				[snprintf does not understand %zu])
2195		],
2196		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2197	)
2198fi
2199
2200# We depend on vsnprintf returning the right thing on overflow: the
2201# number of characters it tried to create (as per SUSv3)
2202if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2203	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2204	AC_RUN_IFELSE(
2205		[AC_LANG_PROGRAM([[
2206#include <sys/types.h>
2207#include <stdio.h>
2208#include <stdarg.h>
2209
2210int x_snprintf(char *str, size_t count, const char *fmt, ...)
2211{
2212	size_t ret;
2213	va_list ap;
2214
2215	va_start(ap, fmt);
2216	ret = vsnprintf(str, count, fmt, ap);
2217	va_end(ap);
2218	return ret;
2219}
2220		]], [[
2221char x[1];
2222if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2223	return 1;
2224if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2225	return 1;
2226return 0;
2227		]])],
2228		[AC_MSG_RESULT([yes])],
2229		[
2230			AC_MSG_RESULT([no])
2231			AC_DEFINE([BROKEN_SNPRINTF], [1],
2232				[Define if your snprintf is busted])
2233			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2234		],
2235		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2236	)
2237fi
2238
2239# On systems where [v]snprintf is broken, but is declared in stdio,
2240# check that the fmt argument is const char * or just char *.
2241# This is only useful for when BROKEN_SNPRINTF
2242AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2243AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2244#include <stdio.h>
2245int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2246		]], [[
2247	snprintf(0, 0, 0);
2248		]])],
2249   [AC_MSG_RESULT([yes])
2250    AC_DEFINE([SNPRINTF_CONST], [const],
2251              [Define as const if snprintf() can declare const char *fmt])],
2252   [AC_MSG_RESULT([no])
2253    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2254
2255# Check for missing getpeereid (or equiv) support
2256NO_PEERCHECK=""
2257if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2258	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2259	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2260#include <sys/types.h>
2261#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2262		[ AC_MSG_RESULT([yes])
2263		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2264		], [AC_MSG_RESULT([no])
2265		NO_PEERCHECK=1
2266        ])
2267fi
2268
2269dnl see whether mkstemp() requires XXXXXX
2270if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2271AC_MSG_CHECKING([for (overly) strict mkstemp])
2272AC_RUN_IFELSE(
2273	[AC_LANG_PROGRAM([[
2274#include <stdlib.h>
2275	]], [[
2276	char template[]="conftest.mkstemp-test";
2277	if (mkstemp(template) == -1)
2278		exit(1);
2279	unlink(template);
2280	exit(0);
2281	]])],
2282	[
2283		AC_MSG_RESULT([no])
2284	],
2285	[
2286		AC_MSG_RESULT([yes])
2287		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2288	],
2289	[
2290		AC_MSG_RESULT([yes])
2291		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2292	]
2293)
2294fi
2295
2296dnl make sure that openpty does not reacquire controlling terminal
2297if test ! -z "$check_for_openpty_ctty_bug"; then
2298	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2299	AC_RUN_IFELSE(
2300		[AC_LANG_PROGRAM([[
2301#include <stdio.h>
2302#include <sys/fcntl.h>
2303#include <sys/types.h>
2304#include <sys/wait.h>
2305		]], [[
2306	pid_t pid;
2307	int fd, ptyfd, ttyfd, status;
2308
2309	pid = fork();
2310	if (pid < 0) {		/* failed */
2311		exit(1);
2312	} else if (pid > 0) {	/* parent */
2313		waitpid(pid, &status, 0);
2314		if (WIFEXITED(status))
2315			exit(WEXITSTATUS(status));
2316		else
2317			exit(2);
2318	} else {		/* child */
2319		close(0); close(1); close(2);
2320		setsid();
2321		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2322		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2323		if (fd >= 0)
2324			exit(3);	/* Acquired ctty: broken */
2325		else
2326			exit(0);	/* Did not acquire ctty: OK */
2327	}
2328		]])],
2329		[
2330			AC_MSG_RESULT([yes])
2331		],
2332		[
2333			AC_MSG_RESULT([no])
2334			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2335		],
2336		[
2337			AC_MSG_RESULT([cross-compiling, assuming yes])
2338		]
2339	)
2340fi
2341
2342if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2343    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2344	AC_MSG_CHECKING([if getaddrinfo seems to work])
2345	AC_RUN_IFELSE(
2346		[AC_LANG_PROGRAM([[
2347#include <stdio.h>
2348#include <sys/socket.h>
2349#include <netdb.h>
2350#include <errno.h>
2351#include <netinet/in.h>
2352
2353#define TEST_PORT "2222"
2354		]], [[
2355	int err, sock;
2356	struct addrinfo *gai_ai, *ai, hints;
2357	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2358
2359	memset(&hints, 0, sizeof(hints));
2360	hints.ai_family = PF_UNSPEC;
2361	hints.ai_socktype = SOCK_STREAM;
2362	hints.ai_flags = AI_PASSIVE;
2363
2364	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2365	if (err != 0) {
2366		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2367		exit(1);
2368	}
2369
2370	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2371		if (ai->ai_family != AF_INET6)
2372			continue;
2373
2374		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2375		    sizeof(ntop), strport, sizeof(strport),
2376		    NI_NUMERICHOST|NI_NUMERICSERV);
2377
2378		if (err != 0) {
2379			if (err == EAI_SYSTEM)
2380				perror("getnameinfo EAI_SYSTEM");
2381			else
2382				fprintf(stderr, "getnameinfo failed: %s\n",
2383				    gai_strerror(err));
2384			exit(2);
2385		}
2386
2387		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2388		if (sock < 0)
2389			perror("socket");
2390		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2391			if (errno == EBADF)
2392				exit(3);
2393		}
2394	}
2395	exit(0);
2396		]])],
2397		[
2398			AC_MSG_RESULT([yes])
2399		],
2400		[
2401			AC_MSG_RESULT([no])
2402			AC_DEFINE([BROKEN_GETADDRINFO])
2403		],
2404		[
2405			AC_MSG_RESULT([cross-compiling, assuming yes])
2406		]
2407	)
2408fi
2409
2410if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2411    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2412	AC_MSG_CHECKING([if getaddrinfo seems to work])
2413	AC_RUN_IFELSE(
2414		[AC_LANG_PROGRAM([[
2415#include <stdio.h>
2416#include <sys/socket.h>
2417#include <netdb.h>
2418#include <errno.h>
2419#include <netinet/in.h>
2420
2421#define TEST_PORT "2222"
2422		]], [[
2423	int err, sock;
2424	struct addrinfo *gai_ai, *ai, hints;
2425	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2426
2427	memset(&hints, 0, sizeof(hints));
2428	hints.ai_family = PF_UNSPEC;
2429	hints.ai_socktype = SOCK_STREAM;
2430	hints.ai_flags = AI_PASSIVE;
2431
2432	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2433	if (err != 0) {
2434		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2435		exit(1);
2436	}
2437
2438	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2439		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2440			continue;
2441
2442		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2443		    sizeof(ntop), strport, sizeof(strport),
2444		    NI_NUMERICHOST|NI_NUMERICSERV);
2445
2446		if (ai->ai_family == AF_INET && err != 0) {
2447			perror("getnameinfo");
2448			exit(2);
2449		}
2450	}
2451	exit(0);
2452		]])],
2453		[
2454			AC_MSG_RESULT([yes])
2455			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2456				[Define if you have a getaddrinfo that fails
2457				for the all-zeros IPv6 address])
2458		],
2459		[
2460			AC_MSG_RESULT([no])
2461			AC_DEFINE([BROKEN_GETADDRINFO])
2462		],
2463		[
2464			AC_MSG_RESULT([cross-compiling, assuming no])
2465		]
2466	)
2467fi
2468
2469if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2470	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2471	    [#include <sys/types.h>
2472	     #include <sys/socket.h>
2473	     #include <netdb.h>])
2474fi
2475
2476if test "x$check_for_conflicting_getspnam" = "x1"; then
2477	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2478	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2479		[[ exit(0); ]])],
2480		[
2481			AC_MSG_RESULT([no])
2482		],
2483		[
2484			AC_MSG_RESULT([yes])
2485			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2486			    [Conflicting defs for getspnam])
2487		]
2488	)
2489fi
2490
2491dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2492dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2493dnl for over ten years). Despite this incompatibility being reported during
2494dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2495dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2496dnl implementation.  Try to detect this mess, and assume the only safe option
2497dnl if we're cross compiling.
2498dnl
2499dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2500dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2501if test "x$ac_cv_func_strnvis" = "xyes"; then
2502	AC_MSG_CHECKING([for working strnvis])
2503	AC_RUN_IFELSE(
2504		[AC_LANG_PROGRAM([[
2505#include <signal.h>
2506#include <stdlib.h>
2507#include <string.h>
2508#include <vis.h>
2509static void sighandler(int sig) { _exit(1); }
2510		]], [[
2511	char dst[16];
2512
2513	signal(SIGSEGV, sighandler);
2514	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2515		exit(0);
2516	exit(1)
2517		]])],
2518		[AC_MSG_RESULT([yes])],
2519		[AC_MSG_RESULT([no])
2520		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2521		[AC_MSG_WARN([cross compiling: assuming broken])
2522		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2523	)
2524fi
2525
2526AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2527AC_RUN_IFELSE(
2528	[AC_LANG_PROGRAM([[
2529#ifdef HAVE_SYS_SELECT
2530# include <sys/select.h>
2531#endif
2532#include <sys/types.h>
2533#include <sys/time.h>
2534#include <stdlib.h>
2535#include <signal.h>
2536static void sighandler(int sig) { }
2537		]], [[
2538	int r;
2539	pid_t pid;
2540	struct sigaction sa;
2541
2542	sa.sa_handler = sighandler;
2543	sa.sa_flags = SA_RESTART;
2544	(void)sigaction(SIGTERM, &sa, NULL);
2545	if ((pid = fork()) == 0) { /* child */
2546		pid = getppid();
2547		sleep(1);
2548		kill(pid, SIGTERM);
2549		sleep(1);
2550		if (getppid() == pid) /* if parent did not exit, shoot it */
2551			kill(pid, SIGKILL);
2552		exit(0);
2553	} else { /* parent */
2554		r = select(0, NULL, NULL, NULL, NULL);
2555	}
2556	exit(r == -1 ? 0 : 1);
2557	]])],
2558	[AC_MSG_RESULT([yes])],
2559	[AC_MSG_RESULT([no])
2560	 AC_DEFINE([NO_SA_RESTART], [1],
2561	    [SA_RESTARTed signals do no interrupt select])],
2562	[AC_MSG_WARN([cross compiling: assuming yes])]
2563)
2564
2565AC_CHECK_FUNCS([getpgrp],[
2566	AC_MSG_CHECKING([if getpgrp accepts zero args])
2567	AC_COMPILE_IFELSE(
2568		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2569		[ AC_MSG_RESULT([yes])
2570		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2571		[ AC_MSG_RESULT([no])
2572		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2573	)
2574])
2575
2576# Search for OpenSSL
2577saved_CPPFLAGS="$CPPFLAGS"
2578saved_LDFLAGS="$LDFLAGS"
2579AC_ARG_WITH([ssl-dir],
2580	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2581	[
2582		if test "x$openssl" = "xno" ; then
2583			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2584		fi
2585		if test "x$withval" != "xno" ; then
2586			case "$withval" in
2587				# Relative paths
2588				./*|../*)	withval="`pwd`/$withval"
2589			esac
2590			if test -d "$withval/lib"; then
2591				if test -n "${rpath_opt}"; then
2592					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2593				else
2594					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2595				fi
2596			elif test -d "$withval/lib64"; then
2597				if test -n "${rpath_opt}"; then
2598					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2599				else
2600					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2601				fi
2602			else
2603				if test -n "${rpath_opt}"; then
2604					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2605				else
2606					LDFLAGS="-L${withval} ${LDFLAGS}"
2607				fi
2608			fi
2609			if test -d "$withval/include"; then
2610				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2611			else
2612				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2613			fi
2614		fi
2615	]
2616)
2617
2618AC_ARG_WITH([openssl-header-check],
2619	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2620	[
2621		if test "x$withval" = "xno" ; then
2622			openssl_check_nonfatal=1
2623		fi
2624	]
2625)
2626
2627openssl_engine=no
2628AC_ARG_WITH([ssl-engine],
2629	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2630	[
2631		if test "x$withval" != "xno" ; then
2632			if test "x$openssl" = "xno" ; then
2633				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2634			fi
2635			openssl_engine=yes
2636		fi
2637	]
2638)
2639
2640if test "x$openssl" = "xyes" ; then
2641	LIBS="-lcrypto $LIBS"
2642	AC_TRY_LINK_FUNC([RAND_add], ,
2643	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2644	AC_CHECK_HEADER([openssl/opensslv.h], ,
2645	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2646
2647	# Determine OpenSSL header version
2648	AC_MSG_CHECKING([OpenSSL header version])
2649	AC_RUN_IFELSE(
2650		[AC_LANG_PROGRAM([[
2651	#include <stdlib.h>
2652	#include <stdio.h>
2653	#include <string.h>
2654	#include <openssl/opensslv.h>
2655	#define DATA "conftest.sslincver"
2656		]], [[
2657		FILE *fd;
2658		int rc;
2659
2660		fd = fopen(DATA,"w");
2661		if(fd == NULL)
2662			exit(1);
2663
2664		if ((rc = fprintf(fd, "%08lx (%s)\n",
2665		    (unsigned long)OPENSSL_VERSION_NUMBER,
2666		     OPENSSL_VERSION_TEXT)) < 0)
2667			exit(1);
2668
2669		exit(0);
2670		]])],
2671		[
2672			ssl_header_ver=`cat conftest.sslincver`
2673			AC_MSG_RESULT([$ssl_header_ver])
2674		],
2675		[
2676			AC_MSG_RESULT([not found])
2677			AC_MSG_ERROR([OpenSSL version header not found.])
2678		],
2679		[
2680			AC_MSG_WARN([cross compiling: not checking])
2681		]
2682	)
2683
2684	# Determining OpenSSL library version is version dependent.
2685	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2686
2687	# Determine OpenSSL library version
2688	AC_MSG_CHECKING([OpenSSL library version])
2689	AC_RUN_IFELSE(
2690		[AC_LANG_PROGRAM([[
2691	#include <stdio.h>
2692	#include <string.h>
2693	#include <openssl/opensslv.h>
2694	#include <openssl/crypto.h>
2695	#define DATA "conftest.ssllibver"
2696		]], [[
2697		FILE *fd;
2698		int rc;
2699
2700		fd = fopen(DATA,"w");
2701		if(fd == NULL)
2702			exit(1);
2703#ifndef OPENSSL_VERSION
2704# define OPENSSL_VERSION SSLEAY_VERSION
2705#endif
2706#ifndef HAVE_OPENSSL_VERSION
2707# define OpenSSL_version	SSLeay_version
2708#endif
2709#ifndef HAVE_OPENSSL_VERSION_NUM
2710# define OpenSSL_version_num	SSLeay
2711#endif
2712		if ((rc = fprintf(fd, "%08lx (%s)\n",
2713		    (unsigned long)OpenSSL_version_num(),
2714		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2715			exit(1);
2716
2717		exit(0);
2718		]])],
2719		[
2720			ssl_library_ver=`cat conftest.ssllibver`
2721			# Check version is supported.
2722			case "$ssl_library_ver" in
2723			10000*|0*)
2724				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2725		                ;;
2726			100*)   ;; # 1.0.x
2727			101000[[0123456]]*)
2728				# https://github.com/openssl/openssl/pull/4613
2729				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2730				;;
2731			101*)   ;; # 1.1.x
2732			200*)   ;; # LibreSSL
2733			300*)   ;; # OpenSSL development branch.
2734		        *)
2735				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2736		                ;;
2737			esac
2738			AC_MSG_RESULT([$ssl_library_ver])
2739		],
2740		[
2741			AC_MSG_RESULT([not found])
2742			AC_MSG_ERROR([OpenSSL library not found.])
2743		],
2744		[
2745			AC_MSG_WARN([cross compiling: not checking])
2746		]
2747	)
2748
2749	# Sanity check OpenSSL headers
2750	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2751	AC_RUN_IFELSE(
2752		[AC_LANG_PROGRAM([[
2753	#include <string.h>
2754	#include <openssl/opensslv.h>
2755	#include <openssl/crypto.h>
2756		]], [[
2757#ifndef HAVE_OPENSSL_VERSION_NUM
2758# define OpenSSL_version_num	SSLeay
2759#endif
2760		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2761		]])],
2762		[
2763			AC_MSG_RESULT([yes])
2764		],
2765		[
2766			AC_MSG_RESULT([no])
2767			if test "x$openssl_check_nonfatal" = "x"; then
2768				AC_MSG_ERROR([Your OpenSSL headers do not match your
2769	library. Check config.log for details.
2770	If you are sure your installation is consistent, you can disable the check
2771	by running "./configure --without-openssl-header-check".
2772	Also see contrib/findssl.sh for help identifying header/library mismatches.
2773	])
2774			else
2775				AC_MSG_WARN([Your OpenSSL headers do not match your
2776	library. Check config.log for details.
2777	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2778			fi
2779		],
2780		[
2781			AC_MSG_WARN([cross compiling: not checking])
2782		]
2783	)
2784
2785	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2786	AC_LINK_IFELSE(
2787		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2788		[[ ERR_load_crypto_strings(); ]])],
2789		[
2790			AC_MSG_RESULT([yes])
2791		],
2792		[
2793			AC_MSG_RESULT([no])
2794			saved_LIBS="$LIBS"
2795			LIBS="$LIBS -ldl"
2796			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2797			AC_LINK_IFELSE(
2798				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2799				[[ ERR_load_crypto_strings(); ]])],
2800				[
2801					AC_MSG_RESULT([yes])
2802				],
2803				[
2804					AC_MSG_RESULT([no])
2805					LIBS="$saved_LIBS"
2806				]
2807			)
2808		]
2809	)
2810
2811	AC_CHECK_FUNCS([ \
2812		BN_is_prime_ex \
2813		DSA_generate_parameters_ex \
2814		EVP_CIPHER_CTX_ctrl \
2815		EVP_DigestFinal_ex \
2816		EVP_DigestInit_ex \
2817		EVP_MD_CTX_cleanup \
2818		EVP_MD_CTX_copy_ex \
2819		EVP_MD_CTX_init \
2820		HMAC_CTX_init \
2821		RSA_generate_key_ex \
2822		RSA_get_default_method \
2823	])
2824
2825	# OpenSSL_add_all_algorithms may be a macro.
2826	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2827	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2828	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2829		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2830		[[#include <openssl/evp.h>]]
2831	    )
2832	)
2833
2834	# LibreSSL/OpenSSL 1.1x API
2835	AC_CHECK_FUNCS([ \
2836		OPENSSL_init_crypto \
2837		DH_get0_key \
2838		DH_get0_pqg \
2839		DH_set0_key \
2840		DH_set_length \
2841		DH_set0_pqg \
2842		DSA_get0_key \
2843		DSA_get0_pqg \
2844		DSA_set0_key \
2845		DSA_set0_pqg \
2846		DSA_SIG_get0 \
2847		DSA_SIG_set0 \
2848		ECDSA_SIG_get0 \
2849		ECDSA_SIG_set0 \
2850		EVP_CIPHER_CTX_iv \
2851		EVP_CIPHER_CTX_iv_noconst \
2852		EVP_CIPHER_CTX_get_iv \
2853		EVP_CIPHER_CTX_set_iv \
2854		RSA_get0_crt_params \
2855		RSA_get0_factors \
2856		RSA_get0_key \
2857		RSA_set0_crt_params \
2858		RSA_set0_factors \
2859		RSA_set0_key \
2860		RSA_meth_free \
2861		RSA_meth_dup \
2862		RSA_meth_set1_name \
2863		RSA_meth_get_finish \
2864		RSA_meth_set_priv_enc \
2865		RSA_meth_set_priv_dec \
2866		RSA_meth_set_finish \
2867		EVP_PKEY_get0_RSA \
2868		EVP_MD_CTX_new \
2869		EVP_MD_CTX_free \
2870		EVP_chacha20 \
2871	])
2872
2873	if test "x$openssl_engine" = "xyes" ; then
2874		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2875		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2876	#include <openssl/engine.h>
2877			]], [[
2878				ENGINE_load_builtin_engines();
2879				ENGINE_register_all_complete();
2880			]])],
2881			[ AC_MSG_RESULT([yes])
2882			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2883			     [Enable OpenSSL engine support])
2884			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2885		])
2886	fi
2887
2888	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2889	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2890	AC_LINK_IFELSE(
2891		[AC_LANG_PROGRAM([[
2892	#include <string.h>
2893	#include <openssl/evp.h>
2894		]], [[
2895		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2896		]])],
2897		[
2898			AC_MSG_RESULT([no])
2899		],
2900		[
2901			AC_MSG_RESULT([yes])
2902			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2903			    [libcrypto is missing AES 192 and 256 bit functions])
2904		]
2905	)
2906
2907	# Check for OpenSSL with EVP_aes_*ctr
2908	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2909	AC_LINK_IFELSE(
2910		[AC_LANG_PROGRAM([[
2911	#include <string.h>
2912	#include <openssl/evp.h>
2913		]], [[
2914		exit(EVP_aes_128_ctr() == NULL ||
2915		    EVP_aes_192_cbc() == NULL ||
2916		    EVP_aes_256_cbc() == NULL);
2917		]])],
2918		[
2919			AC_MSG_RESULT([yes])
2920			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2921			    [libcrypto has EVP AES CTR])
2922		],
2923		[
2924			AC_MSG_RESULT([no])
2925		]
2926	)
2927
2928	# Check for OpenSSL with EVP_aes_*gcm
2929	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2930	AC_LINK_IFELSE(
2931		[AC_LANG_PROGRAM([[
2932	#include <string.h>
2933	#include <openssl/evp.h>
2934		]], [[
2935		exit(EVP_aes_128_gcm() == NULL ||
2936		    EVP_aes_256_gcm() == NULL ||
2937		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2938		    EVP_CTRL_GCM_IV_GEN == 0 ||
2939		    EVP_CTRL_GCM_SET_TAG == 0 ||
2940		    EVP_CTRL_GCM_GET_TAG == 0 ||
2941		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2942		]])],
2943		[
2944			AC_MSG_RESULT([yes])
2945			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2946			    [libcrypto has EVP AES GCM])
2947		],
2948		[
2949			AC_MSG_RESULT([no])
2950			unsupported_algorithms="$unsupported_cipers \
2951			   aes128-gcm@openssh.com \
2952			   aes256-gcm@openssh.com"
2953		]
2954	)
2955
2956	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2957	AC_LINK_IFELSE(
2958		[AC_LANG_PROGRAM([[
2959	#include <string.h>
2960	#include <openssl/evp.h>
2961		]], [[
2962		if(EVP_DigestUpdate(NULL, NULL,0))
2963			exit(0);
2964		]])],
2965		[
2966			AC_MSG_RESULT([yes])
2967		],
2968		[
2969			AC_MSG_RESULT([no])
2970			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2971			    [Define if EVP_DigestUpdate returns void])
2972		]
2973	)
2974
2975	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2976	# because the system crypt() is more featureful.
2977	if test "x$check_for_libcrypt_before" = "x1"; then
2978		AC_CHECK_LIB([crypt], [crypt])
2979	fi
2980
2981	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2982	# version in OpenSSL.
2983	if test "x$check_for_libcrypt_later" = "x1"; then
2984		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2985	fi
2986	AC_CHECK_FUNCS([crypt DES_crypt])
2987
2988	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2989	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2990
2991	# Check complete ECC support in OpenSSL
2992	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2993	AC_LINK_IFELSE(
2994		[AC_LANG_PROGRAM([[
2995	#include <openssl/ec.h>
2996	#include <openssl/ecdh.h>
2997	#include <openssl/ecdsa.h>
2998	#include <openssl/evp.h>
2999	#include <openssl/objects.h>
3000	#include <openssl/opensslv.h>
3001		]], [[
3002		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3003		const EVP_MD *m = EVP_sha256(); /* We need this too */
3004		]])],
3005		[ AC_MSG_RESULT([yes])
3006		  enable_nistp256=1 ],
3007		[ AC_MSG_RESULT([no]) ]
3008	)
3009
3010	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3011	AC_LINK_IFELSE(
3012		[AC_LANG_PROGRAM([[
3013	#include <openssl/ec.h>
3014	#include <openssl/ecdh.h>
3015	#include <openssl/ecdsa.h>
3016	#include <openssl/evp.h>
3017	#include <openssl/objects.h>
3018	#include <openssl/opensslv.h>
3019		]], [[
3020		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3021		const EVP_MD *m = EVP_sha384(); /* We need this too */
3022		]])],
3023		[ AC_MSG_RESULT([yes])
3024		  enable_nistp384=1 ],
3025		[ AC_MSG_RESULT([no]) ]
3026	)
3027
3028	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3029	AC_LINK_IFELSE(
3030		[AC_LANG_PROGRAM([[
3031	#include <openssl/ec.h>
3032	#include <openssl/ecdh.h>
3033	#include <openssl/ecdsa.h>
3034	#include <openssl/evp.h>
3035	#include <openssl/objects.h>
3036	#include <openssl/opensslv.h>
3037		]], [[
3038		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3039		const EVP_MD *m = EVP_sha512(); /* We need this too */
3040		]])],
3041		[ AC_MSG_RESULT([yes])
3042		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3043		  AC_RUN_IFELSE(
3044			[AC_LANG_PROGRAM([[
3045	#include <openssl/ec.h>
3046	#include <openssl/ecdh.h>
3047	#include <openssl/ecdsa.h>
3048	#include <openssl/evp.h>
3049	#include <openssl/objects.h>
3050	#include <openssl/opensslv.h>
3051			]],[[
3052			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3053			const EVP_MD *m = EVP_sha512(); /* We need this too */
3054			exit(e == NULL || m == NULL);
3055			]])],
3056			[ AC_MSG_RESULT([yes])
3057			  enable_nistp521=1 ],
3058			[ AC_MSG_RESULT([no]) ],
3059			[ AC_MSG_WARN([cross-compiling: assuming yes])
3060			  enable_nistp521=1 ]
3061		  )],
3062		AC_MSG_RESULT([no])
3063	)
3064
3065	COMMENT_OUT_ECC="#no ecc#"
3066	TEST_SSH_ECC=no
3067
3068	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3069	    test x$enable_nistp521 = x1; then
3070		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3071		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3072		openssl_ecc=yes
3073	else
3074		openssl_ecc=no
3075	fi
3076	if test x$enable_nistp256 = x1; then
3077		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3078		    [libcrypto has NID_X9_62_prime256v1])
3079		TEST_SSH_ECC=yes
3080		COMMENT_OUT_ECC=""
3081	else
3082		unsupported_algorithms="$unsupported_algorithms \
3083			ecdsa-sha2-nistp256 \
3084			ecdh-sha2-nistp256 \
3085			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3086	fi
3087	if test x$enable_nistp384 = x1; then
3088		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3089		TEST_SSH_ECC=yes
3090		COMMENT_OUT_ECC=""
3091	else
3092		unsupported_algorithms="$unsupported_algorithms \
3093			ecdsa-sha2-nistp384 \
3094			ecdh-sha2-nistp384 \
3095			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3096	fi
3097	if test x$enable_nistp521 = x1; then
3098		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3099		TEST_SSH_ECC=yes
3100		COMMENT_OUT_ECC=""
3101	else
3102		unsupported_algorithms="$unsupported_algorithms \
3103			ecdh-sha2-nistp521 \
3104			ecdsa-sha2-nistp521 \
3105			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3106	fi
3107
3108	AC_SUBST([TEST_SSH_ECC])
3109	AC_SUBST([COMMENT_OUT_ECC])
3110else
3111	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3112	AC_CHECK_FUNCS([crypt])
3113fi
3114
3115# PKCS11/U2F depend on OpenSSL and dlopen().
3116enable_pkcs11=yes
3117enable_sk=yes
3118if test "x$openssl" != "xyes" ; then
3119	enable_pkcs11="disabled; missing libcrypto"
3120	enable_sk="disabled; missing libcrypto"
3121fi
3122if test "x$openssl_ecc" != "xyes" ; then
3123	enable_sk="disabled; OpenSSL has no ECC support"
3124fi
3125if test "x$ac_cv_func_dlopen" != "xyes" ; then
3126	enable_pkcs11="disabled; missing dlopen(3)"
3127	enable_sk="disabled; missing dlopen(3)"
3128fi
3129if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3130	enable_pkcs11="disabled; missing RTLD_NOW"
3131	enable_sk="disabled; missing RTLD_NOW"
3132fi
3133if test ! -z "$disable_pkcs11" ; then
3134	enable_pkcs11="disabled by user"
3135fi
3136if test ! -z "$disable_sk" ; then
3137	enable_sk="disabled by user"
3138fi
3139
3140AC_MSG_CHECKING([whether to enable PKCS11])
3141if test "x$enable_pkcs11" = "xyes" ; then
3142	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3143fi
3144AC_MSG_RESULT([$enable_pkcs11])
3145
3146AC_MSG_CHECKING([whether to enable U2F])
3147if test "x$enable_sk" = "xyes" ; then
3148	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3149	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3150else
3151	# Do not try to build sk-dummy library.
3152	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3153fi
3154AC_MSG_RESULT([$enable_sk])
3155
3156# Now check for built-in security key support.
3157if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3158	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3159	use_pkgconfig_for_libfido2=
3160	if test "x$PKGCONFIG" != "xno"; then
3161		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3162		if "$PKGCONFIG" libfido2; then
3163			AC_MSG_RESULT([yes])
3164			use_pkgconfig_for_libfido2=yes
3165		else
3166			AC_MSG_RESULT([no])
3167		fi
3168	fi
3169	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3170		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3171		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3172	else
3173		LIBFIDO2="-lfido2 -lcbor"
3174	fi
3175	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3176	AC_CHECK_LIB([fido2], [fido_init],
3177		[
3178			AC_SUBST([LIBFIDO2])
3179			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3180			    [Enable for built-in U2F/FIDO support])
3181			enable_sk="built-in"
3182		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3183		[ $OTHERLIBS ]
3184	)
3185	AC_CHECK_LIB([fido2], [fido_cred_set_prot], [],
3186		[ AC_MSG_ERROR([libfido2 missing fido_cred_set_prot; please use libfido2 >= 1.4.0]) ],
3187	)
3188	AC_CHECK_HEADER([fido.h], [],
3189		AC_MSG_ERROR([missing fido.h from libfido2]))
3190	AC_CHECK_HEADER([fido/credman.h], [],
3191		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3192		[#include <fido.h>]
3193	)
3194fi
3195
3196AC_CHECK_FUNCS([ \
3197	arc4random \
3198	arc4random_buf \
3199	arc4random_stir \
3200	arc4random_uniform \
3201])
3202
3203saved_LIBS="$LIBS"
3204AC_CHECK_LIB([iaf], [ia_openinfo], [
3205	LIBS="$LIBS -liaf"
3206	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3207				AC_DEFINE([HAVE_LIBIAF], [1],
3208			[Define if system has libiaf that supports set_id])
3209				])
3210])
3211LIBS="$saved_LIBS"
3212
3213### Configure cryptographic random number support
3214
3215# Check whether OpenSSL seeds itself
3216if test "x$openssl" = "xyes" ; then
3217	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3218	AC_RUN_IFELSE(
3219		[AC_LANG_PROGRAM([[
3220	#include <string.h>
3221	#include <openssl/rand.h>
3222		]], [[
3223		exit(RAND_status() == 1 ? 0 : 1);
3224		]])],
3225		[
3226			OPENSSL_SEEDS_ITSELF=yes
3227			AC_MSG_RESULT([yes])
3228		],
3229		[
3230			AC_MSG_RESULT([no])
3231		],
3232		[
3233			AC_MSG_WARN([cross compiling: assuming yes])
3234			# This is safe, since we will fatal() at runtime if
3235			# OpenSSL is not seeded correctly.
3236			OPENSSL_SEEDS_ITSELF=yes
3237		]
3238	)
3239fi
3240
3241# PRNGD TCP socket
3242AC_ARG_WITH([prngd-port],
3243	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3244	[
3245		case "$withval" in
3246		no)
3247			withval=""
3248			;;
3249		[[0-9]]*)
3250			;;
3251		*)
3252			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3253			;;
3254		esac
3255		if test ! -z "$withval" ; then
3256			PRNGD_PORT="$withval"
3257			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3258				[Port number of PRNGD/EGD random number socket])
3259		fi
3260	]
3261)
3262
3263# PRNGD Unix domain socket
3264AC_ARG_WITH([prngd-socket],
3265	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3266	[
3267		case "$withval" in
3268		yes)
3269			withval="/var/run/egd-pool"
3270			;;
3271		no)
3272			withval=""
3273			;;
3274		/*)
3275			;;
3276		*)
3277			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3278			;;
3279		esac
3280
3281		if test ! -z "$withval" ; then
3282			if test ! -z "$PRNGD_PORT" ; then
3283				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3284			fi
3285			if test ! -r "$withval" ; then
3286				AC_MSG_WARN([Entropy socket is not readable])
3287			fi
3288			PRNGD_SOCKET="$withval"
3289			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3290				[Location of PRNGD/EGD random number socket])
3291		fi
3292	],
3293	[
3294		# Check for existing socket only if we don't have a random device already
3295		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3296			AC_MSG_CHECKING([for PRNGD/EGD socket])
3297			# Insert other locations here
3298			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3299				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3300					PRNGD_SOCKET="$sock"
3301					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3302					break;
3303				fi
3304			done
3305			if test ! -z "$PRNGD_SOCKET" ; then
3306				AC_MSG_RESULT([$PRNGD_SOCKET])
3307			else
3308				AC_MSG_RESULT([not found])
3309			fi
3310		fi
3311	]
3312)
3313
3314# Which randomness source do we use?
3315if test ! -z "$PRNGD_PORT" ; then
3316	RAND_MSG="PRNGd port $PRNGD_PORT"
3317elif test ! -z "$PRNGD_SOCKET" ; then
3318	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3319elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3320	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3321		[Define if you want the OpenSSL internally seeded PRNG only])
3322	RAND_MSG="OpenSSL internal ONLY"
3323elif test "x$openssl" = "xno" ; then
3324	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3325else
3326	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3327fi
3328
3329# Check for PAM libs
3330PAM_MSG="no"
3331AC_ARG_WITH([pam],
3332	[  --with-pam              Enable PAM support ],
3333	[
3334		if test "x$withval" != "xno" ; then
3335			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3336			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3337				AC_MSG_ERROR([PAM headers not found])
3338			fi
3339
3340			saved_LIBS="$LIBS"
3341			AC_CHECK_LIB([dl], [dlopen], , )
3342			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3343			AC_CHECK_FUNCS([pam_getenvlist])
3344			AC_CHECK_FUNCS([pam_putenv])
3345			LIBS="$saved_LIBS"
3346
3347			PAM_MSG="yes"
3348
3349			SSHDLIBS="$SSHDLIBS -lpam"
3350			AC_DEFINE([USE_PAM], [1],
3351				[Define if you want to enable PAM support])
3352
3353			if test $ac_cv_lib_dl_dlopen = yes; then
3354				case "$LIBS" in
3355				*-ldl*)
3356					# libdl already in LIBS
3357					;;
3358				*)
3359					SSHDLIBS="$SSHDLIBS -ldl"
3360					;;
3361				esac
3362			fi
3363		fi
3364	]
3365)
3366
3367AC_ARG_WITH([pam-service],
3368	[  --with-pam-service=name Specify PAM service name ],
3369	[
3370		if test "x$withval" != "xno" && \
3371		   test "x$withval" != "xyes" ; then
3372			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3373				["$withval"], [sshd PAM service name])
3374		fi
3375	]
3376)
3377
3378# Check for older PAM
3379if test "x$PAM_MSG" = "xyes" ; then
3380	# Check PAM strerror arguments (old PAM)
3381	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3382	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3383#include <stdlib.h>
3384#if defined(HAVE_SECURITY_PAM_APPL_H)
3385#include <security/pam_appl.h>
3386#elif defined (HAVE_PAM_PAM_APPL_H)
3387#include <pam/pam_appl.h>
3388#endif
3389		]], [[
3390(void)pam_strerror((pam_handle_t *)NULL, -1);
3391		]])], [AC_MSG_RESULT([no])], [
3392			AC_DEFINE([HAVE_OLD_PAM], [1],
3393				[Define if you have an old version of PAM
3394				which takes only one argument to pam_strerror])
3395			AC_MSG_RESULT([yes])
3396			PAM_MSG="yes (old library)"
3397
3398	])
3399fi
3400
3401case "$host" in
3402*-*-cygwin*)
3403	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3404	;;
3405*)
3406	SSH_PRIVSEP_USER=sshd
3407	;;
3408esac
3409AC_ARG_WITH([privsep-user],
3410	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3411	[
3412		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3413		    test "x${withval}" != "xyes"; then
3414			SSH_PRIVSEP_USER=$withval
3415		fi
3416	]
3417)
3418if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3419	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3420		[Cygwin function to fetch non-privileged user for privilege separation])
3421else
3422	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3423		[non-privileged user for privilege separation])
3424fi
3425AC_SUBST([SSH_PRIVSEP_USER])
3426
3427if test "x$have_linux_no_new_privs" = "x1" ; then
3428AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3429	#include <sys/types.h>
3430	#include <linux/seccomp.h>
3431])
3432fi
3433if test "x$have_seccomp_filter" = "x1" ; then
3434AC_MSG_CHECKING([kernel for seccomp_filter support])
3435AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3436		#include <errno.h>
3437		#include <elf.h>
3438		#include <linux/audit.h>
3439		#include <linux/seccomp.h>
3440		#include <stdlib.h>
3441		#include <sys/prctl.h>
3442	]],
3443	[[ int i = $seccomp_audit_arch;
3444	   errno = 0;
3445	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3446	   exit(errno == EFAULT ? 0 : 1); ]])],
3447	[ AC_MSG_RESULT([yes]) ], [
3448		AC_MSG_RESULT([no])
3449		# Disable seccomp filter as a target
3450		have_seccomp_filter=0
3451	]
3452)
3453fi
3454
3455# Decide which sandbox style to use
3456sandbox_arg=""
3457AC_ARG_WITH([sandbox],
3458	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3459	[
3460		if test "x$withval" = "xyes" ; then
3461			sandbox_arg=""
3462		else
3463			sandbox_arg="$withval"
3464		fi
3465	]
3466)
3467
3468# Some platforms (seems to be the ones that have a kernel poll(2)-type
3469# function with which they implement select(2)) use an extra file descriptor
3470# when calling select(2), which means we can't use the rlimit sandbox.
3471AC_MSG_CHECKING([if select works with descriptor rlimit])
3472AC_RUN_IFELSE(
3473	[AC_LANG_PROGRAM([[
3474#include <sys/types.h>
3475#ifdef HAVE_SYS_TIME_H
3476# include <sys/time.h>
3477#endif
3478#include <sys/resource.h>
3479#ifdef HAVE_SYS_SELECT_H
3480# include <sys/select.h>
3481#endif
3482#include <errno.h>
3483#include <fcntl.h>
3484#include <stdlib.h>
3485	]],[[
3486	struct rlimit rl_zero;
3487	int fd, r;
3488	fd_set fds;
3489	struct timeval tv;
3490
3491	fd = open("/dev/null", O_RDONLY);
3492	FD_ZERO(&fds);
3493	FD_SET(fd, &fds);
3494	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3495	setrlimit(RLIMIT_FSIZE, &rl_zero);
3496	setrlimit(RLIMIT_NOFILE, &rl_zero);
3497	tv.tv_sec = 1;
3498	tv.tv_usec = 0;
3499	r = select(fd+1, &fds, NULL, NULL, &tv);
3500	exit (r == -1 ? 1 : 0);
3501	]])],
3502	[AC_MSG_RESULT([yes])
3503	 select_works_with_rlimit=yes],
3504	[AC_MSG_RESULT([no])
3505	 select_works_with_rlimit=no],
3506	[AC_MSG_WARN([cross compiling: assuming yes])
3507	 select_works_with_rlimit=yes]
3508)
3509
3510AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3511AC_RUN_IFELSE(
3512	[AC_LANG_PROGRAM([[
3513#include <sys/types.h>
3514#ifdef HAVE_SYS_TIME_H
3515# include <sys/time.h>
3516#endif
3517#include <sys/resource.h>
3518#include <errno.h>
3519#include <stdlib.h>
3520	]],[[
3521	struct rlimit rl_zero;
3522	int r;
3523
3524	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3525	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3526	exit (r == -1 ? 1 : 0);
3527	]])],
3528	[AC_MSG_RESULT([yes])
3529	 rlimit_nofile_zero_works=yes],
3530	[AC_MSG_RESULT([no])
3531	 rlimit_nofile_zero_works=no],
3532	[AC_MSG_WARN([cross compiling: assuming yes])
3533	 rlimit_nofile_zero_works=yes]
3534)
3535
3536AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3537AC_RUN_IFELSE(
3538	[AC_LANG_PROGRAM([[
3539#include <sys/types.h>
3540#include <sys/resource.h>
3541#include <stdlib.h>
3542	]],[[
3543		struct rlimit rl_zero;
3544
3545		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3546		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3547	]])],
3548	[AC_MSG_RESULT([yes])],
3549	[AC_MSG_RESULT([no])
3550	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3551	    [setrlimit RLIMIT_FSIZE works])],
3552	[AC_MSG_WARN([cross compiling: assuming yes])]
3553)
3554
3555if test "x$sandbox_arg" = "xpledge" || \
3556   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3557	test "x$ac_cv_func_pledge" != "xyes" && \
3558		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3559	SANDBOX_STYLE="pledge"
3560	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3561elif test "x$sandbox_arg" = "xsystrace" || \
3562   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3563	test "x$have_systr_policy_kill" != "x1" && \
3564		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3565	SANDBOX_STYLE="systrace"
3566	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3567elif test "x$sandbox_arg" = "xdarwin" || \
3568     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3569       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3570	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3571	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3572		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3573	SANDBOX_STYLE="darwin"
3574	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3575elif test "x$sandbox_arg" = "xseccomp_filter" || \
3576     ( test -z "$sandbox_arg" && \
3577       test "x$have_seccomp_filter" = "x1" && \
3578       test "x$ac_cv_header_elf_h" = "xyes" && \
3579       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3580       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3581       test "x$seccomp_audit_arch" != "x" && \
3582       test "x$have_linux_no_new_privs" = "x1" && \
3583       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3584	test "x$seccomp_audit_arch" = "x" && \
3585		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3586	test "x$have_linux_no_new_privs" != "x1" && \
3587		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3588	test "x$have_seccomp_filter" != "x1" && \
3589		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3590	test "x$ac_cv_func_prctl" != "xyes" && \
3591		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3592	SANDBOX_STYLE="seccomp_filter"
3593	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3594elif test "x$sandbox_arg" = "xcapsicum" || \
3595     ( test -z "$sandbox_arg" && \
3596       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3597       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3598       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3599		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3600       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3601		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3602       SANDBOX_STYLE="capsicum"
3603       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3604elif test "x$sandbox_arg" = "xrlimit" || \
3605     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3606       test "x$select_works_with_rlimit" = "xyes" && \
3607       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3608	test "x$ac_cv_func_setrlimit" != "xyes" && \
3609		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3610	test "x$select_works_with_rlimit" != "xyes" && \
3611		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3612	SANDBOX_STYLE="rlimit"
3613	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3614elif test "x$sandbox_arg" = "xsolaris" || \
3615   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3616	SANDBOX_STYLE="solaris"
3617	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3618elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3619     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3620	SANDBOX_STYLE="none"
3621	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3622else
3623	AC_MSG_ERROR([unsupported --with-sandbox])
3624fi
3625
3626# Cheap hack to ensure NEWS-OS libraries are arranged right.
3627if test ! -z "$SONY" ; then
3628  LIBS="$LIBS -liberty";
3629fi
3630
3631# Check for  long long datatypes
3632AC_CHECK_TYPES([long long, unsigned long long, long double])
3633
3634# Check datatype sizes
3635AC_CHECK_SIZEOF([short int])
3636AC_CHECK_SIZEOF([int])
3637AC_CHECK_SIZEOF([long int])
3638AC_CHECK_SIZEOF([long long int])
3639
3640# Sanity check long long for some platforms (AIX)
3641if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3642	ac_cv_sizeof_long_long_int=0
3643fi
3644
3645# compute LLONG_MIN and LLONG_MAX if we don't know them.
3646if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3647	AC_MSG_CHECKING([for max value of long long])
3648	AC_RUN_IFELSE(
3649		[AC_LANG_PROGRAM([[
3650#include <stdio.h>
3651/* Why is this so damn hard? */
3652#ifdef __GNUC__
3653# undef __GNUC__
3654#endif
3655#define __USE_ISOC99
3656#include <limits.h>
3657#define DATA "conftest.llminmax"
3658#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3659
3660/*
3661 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3662 * we do this the hard way.
3663 */
3664static int
3665fprint_ll(FILE *f, long long n)
3666{
3667	unsigned int i;
3668	int l[sizeof(long long) * 8];
3669
3670	if (n < 0)
3671		if (fprintf(f, "-") < 0)
3672			return -1;
3673	for (i = 0; n != 0; i++) {
3674		l[i] = my_abs(n % 10);
3675		n /= 10;
3676	}
3677	do {
3678		if (fprintf(f, "%d", l[--i]) < 0)
3679			return -1;
3680	} while (i != 0);
3681	if (fprintf(f, " ") < 0)
3682		return -1;
3683	return 0;
3684}
3685		]], [[
3686	FILE *f;
3687	long long i, llmin, llmax = 0;
3688
3689	if((f = fopen(DATA,"w")) == NULL)
3690		exit(1);
3691
3692#if defined(LLONG_MIN) && defined(LLONG_MAX)
3693	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3694	llmin = LLONG_MIN;
3695	llmax = LLONG_MAX;
3696#else
3697	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3698	/* This will work on one's complement and two's complement */
3699	for (i = 1; i > llmax; i <<= 1, i++)
3700		llmax = i;
3701	llmin = llmax + 1LL;	/* wrap */
3702#endif
3703
3704	/* Sanity check */
3705	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3706	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3707	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3708		fprintf(f, "unknown unknown\n");
3709		exit(2);
3710	}
3711
3712	if (fprint_ll(f, llmin) < 0)
3713		exit(3);
3714	if (fprint_ll(f, llmax) < 0)
3715		exit(4);
3716	if (fclose(f) < 0)
3717		exit(5);
3718	exit(0);
3719		]])],
3720		[
3721			llong_min=`$AWK '{print $1}' conftest.llminmax`
3722			llong_max=`$AWK '{print $2}' conftest.llminmax`
3723
3724			AC_MSG_RESULT([$llong_max])
3725			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3726			    [max value of long long calculated by configure])
3727			AC_MSG_CHECKING([for min value of long long])
3728			AC_MSG_RESULT([$llong_min])
3729			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3730			    [min value of long long calculated by configure])
3731		],
3732		[
3733			AC_MSG_RESULT([not found])
3734		],
3735		[
3736			AC_MSG_WARN([cross compiling: not checking])
3737		]
3738	)
3739fi
3740
3741AC_CHECK_DECLS([UINT32_MAX], , , [[
3742#ifdef HAVE_SYS_LIMITS_H
3743# include <sys/limits.h>
3744#endif
3745#ifdef HAVE_LIMITS_H
3746# include <limits.h>
3747#endif
3748#ifdef HAVE_STDINT_H
3749# include <stdint.h>
3750#endif
3751]])
3752
3753# More checks for data types
3754AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3755	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3756	[[ u_int a; a = 1;]])],
3757	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3758	])
3759])
3760if test "x$ac_cv_have_u_int" = "xyes" ; then
3761	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3762	have_u_int=1
3763fi
3764
3765AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3766	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3767	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3768	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3769	])
3770])
3771if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3772	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3773	have_intxx_t=1
3774fi
3775
3776if (test -z "$have_intxx_t" && \
3777	   test "x$ac_cv_header_stdint_h" = "xyes")
3778then
3779    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3780	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3781	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3782		[
3783			AC_DEFINE([HAVE_INTXX_T])
3784			AC_MSG_RESULT([yes])
3785		], [ AC_MSG_RESULT([no])
3786	])
3787fi
3788
3789AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3790	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3791#include <sys/types.h>
3792#ifdef HAVE_STDINT_H
3793# include <stdint.h>
3794#endif
3795#include <sys/socket.h>
3796#ifdef HAVE_SYS_BITYPES_H
3797# include <sys/bitypes.h>
3798#endif
3799		]], [[
3800int64_t a; a = 1;
3801		]])],
3802	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3803	])
3804])
3805if test "x$ac_cv_have_int64_t" = "xyes" ; then
3806	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3807fi
3808
3809AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3810	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3811	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3812	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3813	])
3814])
3815if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3816	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3817	have_u_intxx_t=1
3818fi
3819
3820if test -z "$have_u_intxx_t" ; then
3821    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3822	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3823	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3824		[
3825			AC_DEFINE([HAVE_U_INTXX_T])
3826			AC_MSG_RESULT([yes])
3827		], [ AC_MSG_RESULT([no])
3828	])
3829fi
3830
3831AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3832	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3833	[[ u_int64_t a; a = 1;]])],
3834	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3835	])
3836])
3837if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3838	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3839	have_u_int64_t=1
3840fi
3841
3842if (test -z "$have_u_int64_t" && \
3843	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3844then
3845    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3846	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3847	[[ u_int64_t a; a = 1]])],
3848		[
3849			AC_DEFINE([HAVE_U_INT64_T])
3850			AC_MSG_RESULT([yes])
3851		], [ AC_MSG_RESULT([no])
3852	])
3853fi
3854
3855if test -z "$have_u_intxx_t" ; then
3856	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3857		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3858#include <sys/types.h>
3859			]], [[
3860	uint8_t a;
3861	uint16_t b;
3862	uint32_t c;
3863	a = b = c = 1;
3864			]])],
3865		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3866		])
3867	])
3868	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3869		AC_DEFINE([HAVE_UINTXX_T], [1],
3870			[define if you have uintxx_t data type])
3871	fi
3872fi
3873
3874if (test -z "$have_uintxx_t" && \
3875	   test "x$ac_cv_header_stdint_h" = "xyes")
3876then
3877    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3878	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3879	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3880		[
3881			AC_DEFINE([HAVE_UINTXX_T])
3882			AC_MSG_RESULT([yes])
3883		], [ AC_MSG_RESULT([no])
3884	])
3885fi
3886
3887if (test -z "$have_uintxx_t" && \
3888	   test "x$ac_cv_header_inttypes_h" = "xyes")
3889then
3890    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3891	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3892	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3893		[
3894			AC_DEFINE([HAVE_UINTXX_T])
3895			AC_MSG_RESULT([yes])
3896		], [ AC_MSG_RESULT([no])
3897	])
3898fi
3899
3900if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3901	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3902then
3903	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3904	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3905#include <sys/bitypes.h>
3906		]], [[
3907			int8_t a; int16_t b; int32_t c;
3908			u_int8_t e; u_int16_t f; u_int32_t g;
3909			a = b = c = e = f = g = 1;
3910		]])],
3911		[
3912			AC_DEFINE([HAVE_U_INTXX_T])
3913			AC_DEFINE([HAVE_INTXX_T])
3914			AC_MSG_RESULT([yes])
3915		], [AC_MSG_RESULT([no])
3916	])
3917fi
3918
3919
3920AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3921	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3922	[[ u_char foo; foo = 125; ]])],
3923	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3924	])
3925])
3926if test "x$ac_cv_have_u_char" = "xyes" ; then
3927	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3928fi
3929
3930AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3931#include <sys/types.h>
3932#ifdef HAVE_STDINT_H
3933# include <stdint.h>
3934#endif
3935])
3936
3937TYPE_SOCKLEN_T
3938
3939AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3940AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3941#include <sys/types.h>
3942#ifdef HAVE_SYS_BITYPES_H
3943#include <sys/bitypes.h>
3944#endif
3945#ifdef HAVE_SYS_STATFS_H
3946#include <sys/statfs.h>
3947#endif
3948#ifdef HAVE_SYS_STATVFS_H
3949#include <sys/statvfs.h>
3950#endif
3951])
3952
3953AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3954#include <sys/param.h>
3955#include <sys/types.h>
3956#ifdef HAVE_SYS_BITYPES_H
3957#include <sys/bitypes.h>
3958#endif
3959#ifdef HAVE_SYS_STATFS_H
3960#include <sys/statfs.h>
3961#endif
3962#ifdef HAVE_SYS_STATVFS_H
3963#include <sys/statvfs.h>
3964#endif
3965#ifdef HAVE_SYS_VFS_H
3966#include <sys/vfs.h>
3967#endif
3968#ifdef HAVE_SYS_MOUNT_H
3969#include <sys/mount.h>
3970#endif
3971]])
3972
3973
3974AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3975[#include <sys/types.h>
3976#include <netinet/in.h>])
3977
3978AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3979	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3980	[[ size_t foo; foo = 1235; ]])],
3981	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3982	])
3983])
3984if test "x$ac_cv_have_size_t" = "xyes" ; then
3985	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3986fi
3987
3988AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3989	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3990	[[ ssize_t foo; foo = 1235; ]])],
3991	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3992	])
3993])
3994if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3995	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3996fi
3997
3998AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
3999	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4000	[[ clock_t foo; foo = 1235; ]])],
4001	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4002	])
4003])
4004if test "x$ac_cv_have_clock_t" = "xyes" ; then
4005	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4006fi
4007
4008AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4009	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4010#include <sys/types.h>
4011#include <sys/socket.h>
4012		]], [[ sa_family_t foo; foo = 1235; ]])],
4013	[ ac_cv_have_sa_family_t="yes" ],
4014	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4015#include <sys/types.h>
4016#include <sys/socket.h>
4017#include <netinet/in.h>
4018		]], [[ sa_family_t foo; foo = 1235; ]])],
4019		[ ac_cv_have_sa_family_t="yes" ],
4020		[ ac_cv_have_sa_family_t="no" ]
4021	)
4022	])
4023])
4024if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4025	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4026		[define if you have sa_family_t data type])
4027fi
4028
4029AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4030	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4031	[[ pid_t foo; foo = 1235; ]])],
4032	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4033	])
4034])
4035if test "x$ac_cv_have_pid_t" = "xyes" ; then
4036	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4037fi
4038
4039AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4040	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4041	[[ mode_t foo; foo = 1235; ]])],
4042	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4043	])
4044])
4045if test "x$ac_cv_have_mode_t" = "xyes" ; then
4046	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4047fi
4048
4049
4050AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4051	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4052#include <sys/types.h>
4053#include <sys/socket.h>
4054		]], [[ struct sockaddr_storage s; ]])],
4055	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4056	[ ac_cv_have_struct_sockaddr_storage="no"
4057	])
4058])
4059if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4060	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4061		[define if you have struct sockaddr_storage data type])
4062fi
4063
4064AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4065	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4066#include <sys/types.h>
4067#include <netinet/in.h>
4068		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4069	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4070	[ ac_cv_have_struct_sockaddr_in6="no"
4071	])
4072])
4073if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4074	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4075		[define if you have struct sockaddr_in6 data type])
4076fi
4077
4078AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4079	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4080#include <sys/types.h>
4081#include <netinet/in.h>
4082		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4083	[ ac_cv_have_struct_in6_addr="yes" ],
4084	[ ac_cv_have_struct_in6_addr="no"
4085	])
4086])
4087if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4088	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4089		[define if you have struct in6_addr data type])
4090
4091dnl Now check for sin6_scope_id
4092	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4093		[
4094#ifdef HAVE_SYS_TYPES_H
4095#include <sys/types.h>
4096#endif
4097#include <netinet/in.h>
4098		])
4099fi
4100
4101AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4102	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4103#include <sys/types.h>
4104#include <sys/socket.h>
4105#include <netdb.h>
4106		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4107	[ ac_cv_have_struct_addrinfo="yes" ],
4108	[ ac_cv_have_struct_addrinfo="no"
4109	])
4110])
4111if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4112	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4113		[define if you have struct addrinfo data type])
4114fi
4115
4116AC_HEADER_TIME
4117
4118AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4119	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4120	[[ struct timeval tv; tv.tv_sec = 1;]])],
4121	[ ac_cv_have_struct_timeval="yes" ],
4122	[ ac_cv_have_struct_timeval="no"
4123	])
4124])
4125if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4126	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4127	have_struct_timeval=1
4128fi
4129
4130AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4131	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4132    #ifdef TIME_WITH_SYS_TIME
4133    # include <sys/time.h>
4134    # include <time.h>
4135    #else
4136    # ifdef HAVE_SYS_TIME_H
4137    #  include <sys/time.h>
4138    # else
4139    #  include <time.h>
4140    # endif
4141    #endif
4142	]],
4143	[[ struct timespec ts; ts.tv_sec = 1;]])],
4144	[ ac_cv_have_struct_timespec="yes" ],
4145	[ ac_cv_have_struct_timespec="no"
4146	])
4147])
4148if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4149	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4150	have_struct_timespec=1
4151fi
4152
4153# We need int64_t or else certain parts of the compile will fail.
4154if test "x$ac_cv_have_int64_t" = "xno" && \
4155	test "x$ac_cv_sizeof_long_int" != "x8" && \
4156	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4157	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4158	echo "an alternative compiler (I.E., GCC) before continuing."
4159	echo ""
4160	exit 1;
4161else
4162dnl test snprintf (broken on SCO w/gcc)
4163	AC_RUN_IFELSE(
4164		[AC_LANG_SOURCE([[
4165#include <stdio.h>
4166#include <string.h>
4167#ifdef HAVE_SNPRINTF
4168main()
4169{
4170	char buf[50];
4171	char expected_out[50];
4172	int mazsize = 50 ;
4173#if (SIZEOF_LONG_INT == 8)
4174	long int num = 0x7fffffffffffffff;
4175#else
4176	long long num = 0x7fffffffffffffffll;
4177#endif
4178	strcpy(expected_out, "9223372036854775807");
4179	snprintf(buf, mazsize, "%lld", num);
4180	if(strcmp(buf, expected_out) != 0)
4181		exit(1);
4182	exit(0);
4183}
4184#else
4185main() { exit(0); }
4186#endif
4187		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4188		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4189	)
4190fi
4191
4192dnl Checks for structure members
4193OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4194OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4195OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4196OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4197OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4198OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4199OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4200OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4201OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4202OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4203OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4204OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4205OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4206OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4209OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4210
4211AC_CHECK_MEMBERS([struct stat.st_blksize])
4212AC_CHECK_MEMBERS([struct stat.st_mtim])
4213AC_CHECK_MEMBERS([struct stat.st_mtime])
4214AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4215struct passwd.pw_change, struct passwd.pw_expire],
4216[], [], [[
4217#include <sys/types.h>
4218#include <pwd.h>
4219]])
4220
4221AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4222	[Define if we don't have struct __res_state in resolv.h])],
4223[[
4224#include <stdio.h>
4225#if HAVE_SYS_TYPES_H
4226# include <sys/types.h>
4227#endif
4228#include <netinet/in.h>
4229#include <arpa/nameser.h>
4230#include <resolv.h>
4231]])
4232
4233AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4234		ac_cv_have_ss_family_in_struct_ss, [
4235	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4236#include <sys/types.h>
4237#include <sys/socket.h>
4238		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4239	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4240	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4241])
4242if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4243	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4244fi
4245
4246AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4247		ac_cv_have___ss_family_in_struct_ss, [
4248	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4249#include <sys/types.h>
4250#include <sys/socket.h>
4251		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4252	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4253	[ ac_cv_have___ss_family_in_struct_ss="no"
4254	])
4255])
4256if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4257	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4258		[Fields in struct sockaddr_storage])
4259fi
4260
4261dnl make sure we're using the real structure members and not defines
4262AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4263		ac_cv_have_accrights_in_msghdr, [
4264	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4265#include <sys/types.h>
4266#include <sys/socket.h>
4267#include <sys/uio.h>
4268		]], [[
4269#ifdef msg_accrights
4270#error "msg_accrights is a macro"
4271exit(1);
4272#endif
4273struct msghdr m;
4274m.msg_accrights = 0;
4275exit(0);
4276		]])],
4277		[ ac_cv_have_accrights_in_msghdr="yes" ],
4278		[ ac_cv_have_accrights_in_msghdr="no" ]
4279	)
4280])
4281if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4282	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4283		[Define if your system uses access rights style
4284		file descriptor passing])
4285fi
4286
4287AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4288AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4289#include <sys/param.h>
4290#include <sys/stat.h>
4291#ifdef HAVE_SYS_TIME_H
4292# include <sys/time.h>
4293#endif
4294#ifdef HAVE_SYS_MOUNT_H
4295#include <sys/mount.h>
4296#endif
4297#ifdef HAVE_SYS_STATVFS_H
4298#include <sys/statvfs.h>
4299#endif
4300	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4301	[ AC_MSG_RESULT([yes]) ],
4302	[ AC_MSG_RESULT([no])
4303
4304	AC_MSG_CHECKING([if fsid_t has member val])
4305	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4306#include <sys/types.h>
4307#include <sys/statvfs.h>
4308	]], [[ fsid_t t; t.val[0] = 0; ]])],
4309	[ AC_MSG_RESULT([yes])
4310	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4311	[ AC_MSG_RESULT([no]) ])
4312
4313	AC_MSG_CHECKING([if f_fsid has member __val])
4314	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4315#include <sys/types.h>
4316#include <sys/statvfs.h>
4317	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4318	[ AC_MSG_RESULT([yes])
4319	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4320	[ AC_MSG_RESULT([no]) ])
4321])
4322
4323AC_CACHE_CHECK([for msg_control field in struct msghdr],
4324		ac_cv_have_control_in_msghdr, [
4325	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4326#include <sys/types.h>
4327#include <sys/socket.h>
4328#include <sys/uio.h>
4329		]], [[
4330#ifdef msg_control
4331#error "msg_control is a macro"
4332exit(1);
4333#endif
4334struct msghdr m;
4335m.msg_control = 0;
4336exit(0);
4337		]])],
4338		[ ac_cv_have_control_in_msghdr="yes" ],
4339		[ ac_cv_have_control_in_msghdr="no" ]
4340	)
4341])
4342if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4343	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4344		[Define if your system uses ancillary data style
4345		file descriptor passing])
4346fi
4347
4348AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4349	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4350		[[ extern char *__progname; printf("%s", __progname); ]])],
4351	[ ac_cv_libc_defines___progname="yes" ],
4352	[ ac_cv_libc_defines___progname="no"
4353	])
4354])
4355if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4356	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4357fi
4358
4359AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4360	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4361		[[ printf("%s", __FUNCTION__); ]])],
4362	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4363	[ ac_cv_cc_implements___FUNCTION__="no"
4364	])
4365])
4366if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4367	AC_DEFINE([HAVE___FUNCTION__], [1],
4368		[Define if compiler implements __FUNCTION__])
4369fi
4370
4371AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4372	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4373		[[ printf("%s", __func__); ]])],
4374	[ ac_cv_cc_implements___func__="yes" ],
4375	[ ac_cv_cc_implements___func__="no"
4376	])
4377])
4378if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4379	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4380fi
4381
4382AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4383	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4384#include <stdarg.h>
4385va_list x,y;
4386		]], [[ va_copy(x,y); ]])],
4387	[ ac_cv_have_va_copy="yes" ],
4388	[ ac_cv_have_va_copy="no"
4389	])
4390])
4391if test "x$ac_cv_have_va_copy" = "xyes" ; then
4392	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4393fi
4394
4395AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4396	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4397#include <stdarg.h>
4398va_list x,y;
4399		]], [[ __va_copy(x,y); ]])],
4400	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4401	])
4402])
4403if test "x$ac_cv_have___va_copy" = "xyes" ; then
4404	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4405fi
4406
4407AC_CACHE_CHECK([whether getopt has optreset support],
4408		ac_cv_have_getopt_optreset, [
4409	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4410		[[ extern int optreset; optreset = 0; ]])],
4411	[ ac_cv_have_getopt_optreset="yes" ],
4412	[ ac_cv_have_getopt_optreset="no"
4413	])
4414])
4415if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4416	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4417		[Define if your getopt(3) defines and uses optreset])
4418fi
4419
4420AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4421	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4422[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4423	[ ac_cv_libc_defines_sys_errlist="yes" ],
4424	[ ac_cv_libc_defines_sys_errlist="no"
4425	])
4426])
4427if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4428	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4429		[Define if your system defines sys_errlist[]])
4430fi
4431
4432
4433AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4434	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4435[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4436	[ ac_cv_libc_defines_sys_nerr="yes" ],
4437	[ ac_cv_libc_defines_sys_nerr="no"
4438	])
4439])
4440if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4441	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4442fi
4443
4444# Check libraries needed by DNS fingerprint support
4445AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4446	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4447		[Define if getrrsetbyname() exists])],
4448	[
4449		# Needed by our getrrsetbyname()
4450		AC_SEARCH_LIBS([res_query], [resolv])
4451		AC_SEARCH_LIBS([dn_expand], [resolv])
4452		AC_MSG_CHECKING([if res_query will link])
4453		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4454#include <sys/types.h>
4455#include <netinet/in.h>
4456#include <arpa/nameser.h>
4457#include <netdb.h>
4458#include <resolv.h>
4459				]], [[
4460	res_query (0, 0, 0, 0, 0);
4461				]])],
4462		    AC_MSG_RESULT([yes]),
4463		   [AC_MSG_RESULT([no])
4464		    saved_LIBS="$LIBS"
4465		    LIBS="$LIBS -lresolv"
4466		    AC_MSG_CHECKING([for res_query in -lresolv])
4467		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4468#include <sys/types.h>
4469#include <netinet/in.h>
4470#include <arpa/nameser.h>
4471#include <netdb.h>
4472#include <resolv.h>
4473				]], [[
4474	res_query (0, 0, 0, 0, 0);
4475				]])],
4476			[AC_MSG_RESULT([yes])],
4477			[LIBS="$saved_LIBS"
4478			 AC_MSG_RESULT([no])])
4479		    ])
4480		AC_CHECK_FUNCS([_getshort _getlong])
4481		AC_CHECK_DECLS([_getshort, _getlong], , ,
4482		    [#include <sys/types.h>
4483		    #include <arpa/nameser.h>])
4484		AC_CHECK_MEMBER([HEADER.ad],
4485			[AC_DEFINE([HAVE_HEADER_AD], [1],
4486			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4487			[#include <arpa/nameser.h>])
4488	])
4489
4490AC_MSG_CHECKING([if struct __res_state _res is an extern])
4491AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4492#include <stdio.h>
4493#if HAVE_SYS_TYPES_H
4494# include <sys/types.h>
4495#endif
4496#include <netinet/in.h>
4497#include <arpa/nameser.h>
4498#include <resolv.h>
4499extern struct __res_state _res;
4500		]], [[
4501struct __res_state *volatile p = &_res;  /* force resolution of _res */
4502return 0;
4503		]],)],
4504		[AC_MSG_RESULT([yes])
4505		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4506		    [Define if you have struct __res_state _res as an extern])
4507		],
4508		[ AC_MSG_RESULT([no]) ]
4509)
4510
4511# Check whether user wants SELinux support
4512SELINUX_MSG="no"
4513LIBSELINUX=""
4514AC_ARG_WITH([selinux],
4515	[  --with-selinux          Enable SELinux support],
4516	[ if test "x$withval" != "xno" ; then
4517		save_LIBS="$LIBS"
4518		AC_DEFINE([WITH_SELINUX], [1],
4519			[Define if you want SELinux support.])
4520		SELINUX_MSG="yes"
4521		AC_CHECK_HEADER([selinux/selinux.h], ,
4522			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4523		AC_CHECK_LIB([selinux], [setexeccon],
4524			[ LIBSELINUX="-lselinux"
4525			  LIBS="$LIBS -lselinux"
4526			],
4527			AC_MSG_ERROR([SELinux support requires libselinux library]))
4528		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4529		LIBS="$save_LIBS $LIBSELINUX"
4530	fi ]
4531)
4532AC_SUBST([SSHDLIBS])
4533
4534# Check whether user wants Kerberos 5 support
4535KRB5_MSG="no"
4536AC_ARG_WITH([kerberos5],
4537	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4538	[ if test "x$withval" != "xno" ; then
4539		if test "x$withval" = "xyes" ; then
4540			KRB5ROOT="/usr/local"
4541		else
4542			KRB5ROOT=${withval}
4543		fi
4544
4545		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4546		KRB5_MSG="yes"
4547
4548		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4549			     [$KRB5ROOT/bin/krb5-config],
4550			     [$KRB5ROOT/bin:$PATH])
4551		if test -x $KRB5CONF ; then
4552			K5CFLAGS="`$KRB5CONF --cflags`"
4553			K5LIBS="`$KRB5CONF --libs`"
4554			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4555
4556			AC_MSG_CHECKING([for gssapi support])
4557			if $KRB5CONF | grep gssapi >/dev/null ; then
4558				AC_MSG_RESULT([yes])
4559				AC_DEFINE([GSSAPI], [1],
4560					[Define this if you want GSSAPI
4561					support in the version 2 protocol])
4562				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4563				GSSLIBS="`$KRB5CONF --libs gssapi`"
4564				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4565			else
4566				AC_MSG_RESULT([no])
4567			fi
4568			AC_MSG_CHECKING([whether we are using Heimdal])
4569			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4570				]], [[ char *tmp = heimdal_version; ]])],
4571				[ AC_MSG_RESULT([yes])
4572				AC_DEFINE([HEIMDAL], [1],
4573				[Define this if you are using the Heimdal
4574				version of Kerberos V5]) ],
4575				[AC_MSG_RESULT([no])
4576			])
4577		else
4578			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4579			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4580			AC_MSG_CHECKING([whether we are using Heimdal])
4581			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4582				]], [[ char *tmp = heimdal_version; ]])],
4583					[ AC_MSG_RESULT([yes])
4584					 AC_DEFINE([HEIMDAL])
4585					 K5LIBS="-lkrb5"
4586					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4587					 AC_CHECK_LIB([roken], [net_write],
4588					   [K5LIBS="$K5LIBS -lroken"])
4589					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4590					   [K5LIBS="$K5LIBS -ldes"])
4591				       ], [ AC_MSG_RESULT([no])
4592					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4593			])
4594			AC_SEARCH_LIBS([dn_expand], [resolv])
4595
4596			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4597				[ AC_DEFINE([GSSAPI])
4598				  GSSLIBS="-lgssapi_krb5" ],
4599				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4600					[ AC_DEFINE([GSSAPI])
4601					  GSSLIBS="-lgssapi" ],
4602					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4603						[ AC_DEFINE([GSSAPI])
4604						  GSSLIBS="-lgss" ],
4605						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4606					])
4607				])
4608
4609			AC_CHECK_HEADER([gssapi.h], ,
4610				[ unset ac_cv_header_gssapi_h
4611				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4612				  AC_CHECK_HEADERS([gssapi.h], ,
4613					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4614				  )
4615				]
4616			)
4617
4618			oldCPP="$CPPFLAGS"
4619			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4620			AC_CHECK_HEADER([gssapi_krb5.h], ,
4621					[ CPPFLAGS="$oldCPP" ])
4622
4623		fi
4624		if test -n "${rpath_opt}" ; then
4625			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4626		fi
4627		if test ! -z "$blibpath" ; then
4628			blibpath="$blibpath:${KRB5ROOT}/lib"
4629		fi
4630
4631		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4632		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4633		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4634
4635		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4636			[Define this if you want to use libkafs' AFS support])])
4637
4638		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4639#ifdef HAVE_GSSAPI_H
4640# include <gssapi.h>
4641#elif defined(HAVE_GSSAPI_GSSAPI_H)
4642# include <gssapi/gssapi.h>
4643#endif
4644
4645#ifdef HAVE_GSSAPI_GENERIC_H
4646# include <gssapi_generic.h>
4647#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4648# include <gssapi/gssapi_generic.h>
4649#endif
4650		]])
4651		saved_LIBS="$LIBS"
4652		LIBS="$LIBS $K5LIBS"
4653		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4654		LIBS="$saved_LIBS"
4655
4656	fi
4657	]
4658)
4659AC_SUBST([GSSLIBS])
4660AC_SUBST([K5LIBS])
4661
4662# Looking for programs, paths and files
4663
4664PRIVSEP_PATH=/var/empty
4665AC_ARG_WITH([privsep-path],
4666	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4667	[
4668		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4669		    test "x${withval}" != "xyes"; then
4670			PRIVSEP_PATH=$withval
4671		fi
4672	]
4673)
4674AC_SUBST([PRIVSEP_PATH])
4675
4676AC_ARG_WITH([xauth],
4677	[  --with-xauth=PATH       Specify path to xauth program ],
4678	[
4679		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4680		    test "x${withval}" != "xyes"; then
4681			xauth_path=$withval
4682		fi
4683	],
4684	[
4685		TestPath="$PATH"
4686		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4687		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4688		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4689		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4690		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4691		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4692			xauth_path="/usr/openwin/bin/xauth"
4693		fi
4694	]
4695)
4696
4697STRIP_OPT=-s
4698AC_ARG_ENABLE([strip],
4699	[  --disable-strip         Disable calling strip(1) on install],
4700	[
4701		if test "x$enableval" = "xno" ; then
4702			STRIP_OPT=
4703		fi
4704	]
4705)
4706AC_SUBST([STRIP_OPT])
4707
4708if test -z "$xauth_path" ; then
4709	XAUTH_PATH="undefined"
4710	AC_SUBST([XAUTH_PATH])
4711else
4712	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4713		[Define if xauth is found in your path])
4714	XAUTH_PATH=$xauth_path
4715	AC_SUBST([XAUTH_PATH])
4716fi
4717
4718dnl # --with-maildir=/path/to/mail gets top priority.
4719dnl # if maildir is set in the platform case statement above we use that.
4720dnl # Otherwise we run a program to get the dir from system headers.
4721dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4722dnl # If we find _PATH_MAILDIR we do nothing because that is what
4723dnl # session.c expects anyway. Otherwise we set to the value found
4724dnl # stripping any trailing slash. If for some strage reason our program
4725dnl # does not find what it needs, we default to /var/spool/mail.
4726# Check for mail directory
4727AC_ARG_WITH([maildir],
4728    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4729    [
4730	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4731	    test "x${withval}" != xyes; then
4732		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4733            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4734	    fi
4735     ],[
4736	if test "X$maildir" != "X"; then
4737	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4738	else
4739	    AC_MSG_CHECKING([Discovering system mail directory])
4740	    AC_RUN_IFELSE(
4741		[AC_LANG_PROGRAM([[
4742#include <stdio.h>
4743#include <string.h>
4744#ifdef HAVE_PATHS_H
4745#include <paths.h>
4746#endif
4747#ifdef HAVE_MAILLOCK_H
4748#include <maillock.h>
4749#endif
4750#define DATA "conftest.maildir"
4751	]], [[
4752	FILE *fd;
4753	int rc;
4754
4755	fd = fopen(DATA,"w");
4756	if(fd == NULL)
4757		exit(1);
4758
4759#if defined (_PATH_MAILDIR)
4760	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4761		exit(1);
4762#elif defined (MAILDIR)
4763	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4764		exit(1);
4765#elif defined (_PATH_MAIL)
4766	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4767		exit(1);
4768#else
4769	exit (2);
4770#endif
4771
4772	exit(0);
4773		]])],
4774		[
4775		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4776		    maildir=`awk -F: '{print $2}' conftest.maildir \
4777			| sed 's|/$||'`
4778		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4779		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4780			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4781		    fi
4782		],
4783		[
4784		    if test "X$ac_status" = "X2";then
4785# our test program didn't find it. Default to /var/spool/mail
4786			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4787			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4788		     else
4789			AC_MSG_RESULT([*** not found ***])
4790		     fi
4791		],
4792		[
4793			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4794		]
4795	    )
4796	fi
4797    ]
4798) # maildir
4799
4800if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4801	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4802	disable_ptmx_check=yes
4803fi
4804if test -z "$no_dev_ptmx" ; then
4805	if test "x$disable_ptmx_check" != "xyes" ; then
4806		AC_CHECK_FILE(["/dev/ptmx"],
4807			[
4808				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4809					[Define if you have /dev/ptmx])
4810				have_dev_ptmx=1
4811			]
4812		)
4813	fi
4814fi
4815
4816if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4817	AC_CHECK_FILE(["/dev/ptc"],
4818		[
4819			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4820				[Define if you have /dev/ptc])
4821			have_dev_ptc=1
4822		]
4823	)
4824else
4825	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4826fi
4827
4828# Options from here on. Some of these are preset by platform above
4829AC_ARG_WITH([mantype],
4830	[  --with-mantype=man|cat|doc  Set man page type],
4831	[
4832		case "$withval" in
4833		man|cat|doc)
4834			MANTYPE=$withval
4835			;;
4836		*)
4837			AC_MSG_ERROR([invalid man type: $withval])
4838			;;
4839		esac
4840	]
4841)
4842if test -z "$MANTYPE"; then
4843	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4844		MANTYPE=doc
4845	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4846		MANTYPE=doc
4847	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4848		MANTYPE=man
4849	else
4850		MANTYPE=cat
4851	fi
4852fi
4853AC_SUBST([MANTYPE])
4854if test "$MANTYPE" = "doc"; then
4855	mansubdir=man;
4856else
4857	mansubdir=$MANTYPE;
4858fi
4859AC_SUBST([mansubdir])
4860
4861# Check whether to enable MD5 passwords
4862MD5_MSG="no"
4863AC_ARG_WITH([md5-passwords],
4864	[  --with-md5-passwords    Enable use of MD5 passwords],
4865	[
4866		if test "x$withval" != "xno" ; then
4867			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4868				[Define if you want to allow MD5 passwords])
4869			MD5_MSG="yes"
4870		fi
4871	]
4872)
4873
4874# Whether to disable shadow password support
4875AC_ARG_WITH([shadow],
4876	[  --without-shadow        Disable shadow password support],
4877	[
4878		if test "x$withval" = "xno" ; then
4879			AC_DEFINE([DISABLE_SHADOW])
4880			disable_shadow=yes
4881		fi
4882	]
4883)
4884
4885if test -z "$disable_shadow" ; then
4886	AC_MSG_CHECKING([if the systems has expire shadow information])
4887	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4888#include <sys/types.h>
4889#include <shadow.h>
4890struct spwd sp;
4891		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4892		[ sp_expire_available=yes ], [
4893	])
4894
4895	if test "x$sp_expire_available" = "xyes" ; then
4896		AC_MSG_RESULT([yes])
4897		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4898		    [Define if you want to use shadow password expire field])
4899	else
4900		AC_MSG_RESULT([no])
4901	fi
4902fi
4903
4904# Use ip address instead of hostname in $DISPLAY
4905if test ! -z "$IPADDR_IN_DISPLAY" ; then
4906	DISPLAY_HACK_MSG="yes"
4907	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4908		[Define if you need to use IP address
4909		instead of hostname in $DISPLAY])
4910else
4911	DISPLAY_HACK_MSG="no"
4912	AC_ARG_WITH([ipaddr-display],
4913		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4914		[
4915			if test "x$withval" != "xno" ; then
4916				AC_DEFINE([IPADDR_IN_DISPLAY])
4917				DISPLAY_HACK_MSG="yes"
4918			fi
4919		]
4920	)
4921fi
4922
4923# check for /etc/default/login and use it if present.
4924AC_ARG_ENABLE([etc-default-login],
4925	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4926	[ if test "x$enableval" = "xno"; then
4927		AC_MSG_NOTICE([/etc/default/login handling disabled])
4928		etc_default_login=no
4929	  else
4930		etc_default_login=yes
4931	  fi ],
4932	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4933	  then
4934		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4935		etc_default_login=no
4936	  else
4937		etc_default_login=yes
4938	  fi ]
4939)
4940
4941if test "x$etc_default_login" != "xno"; then
4942	AC_CHECK_FILE(["/etc/default/login"],
4943	    [ external_path_file=/etc/default/login ])
4944	if test "x$external_path_file" = "x/etc/default/login"; then
4945		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4946			[Define if your system has /etc/default/login])
4947	fi
4948fi
4949
4950dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4951if test $ac_cv_func_login_getcapbool = "yes" && \
4952	test $ac_cv_header_login_cap_h = "yes" ; then
4953	external_path_file=/etc/login.conf
4954fi
4955
4956# Whether to mess with the default path
4957SERVER_PATH_MSG="(default)"
4958AC_ARG_WITH([default-path],
4959	[  --with-default-path=    Specify default $PATH environment for server],
4960	[
4961		if test "x$external_path_file" = "x/etc/login.conf" ; then
4962			AC_MSG_WARN([
4963--with-default-path=PATH has no effect on this system.
4964Edit /etc/login.conf instead.])
4965		elif test "x$withval" != "xno" ; then
4966			if test ! -z "$external_path_file" ; then
4967				AC_MSG_WARN([
4968--with-default-path=PATH will only be used if PATH is not defined in
4969$external_path_file .])
4970			fi
4971			user_path="$withval"
4972			SERVER_PATH_MSG="$withval"
4973		fi
4974	],
4975	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4976		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4977	else
4978		if test ! -z "$external_path_file" ; then
4979			AC_MSG_WARN([
4980If PATH is defined in $external_path_file, ensure the path to scp is included,
4981otherwise scp will not work.])
4982		fi
4983		AC_RUN_IFELSE(
4984			[AC_LANG_PROGRAM([[
4985/* find out what STDPATH is */
4986#include <stdio.h>
4987#ifdef HAVE_PATHS_H
4988# include <paths.h>
4989#endif
4990#ifndef _PATH_STDPATH
4991# ifdef _PATH_USERPATH	/* Irix */
4992#  define _PATH_STDPATH _PATH_USERPATH
4993# else
4994#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4995# endif
4996#endif
4997#include <sys/types.h>
4998#include <sys/stat.h>
4999#include <fcntl.h>
5000#define DATA "conftest.stdpath"
5001			]], [[
5002	FILE *fd;
5003	int rc;
5004
5005	fd = fopen(DATA,"w");
5006	if(fd == NULL)
5007		exit(1);
5008
5009	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5010		exit(1);
5011
5012	exit(0);
5013		]])],
5014		[ user_path=`cat conftest.stdpath` ],
5015		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5016		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5017	)
5018# make sure $bindir is in USER_PATH so scp will work
5019		t_bindir="${bindir}"
5020		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5021			t_bindir=`eval echo ${t_bindir}`
5022			case $t_bindir in
5023				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5024			esac
5025			case $t_bindir in
5026				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5027			esac
5028		done
5029		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5030		if test $? -ne 0  ; then
5031			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5032			if test $? -ne 0  ; then
5033				user_path=$user_path:$t_bindir
5034				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5035			fi
5036		fi
5037	fi ]
5038)
5039if test "x$external_path_file" != "x/etc/login.conf" ; then
5040	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5041	AC_SUBST([user_path])
5042fi
5043
5044# Set superuser path separately to user path
5045AC_ARG_WITH([superuser-path],
5046	[  --with-superuser-path=  Specify different path for super-user],
5047	[
5048		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5049		    test "x${withval}" != "xyes"; then
5050			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5051				[Define if you want a different $PATH
5052				for the superuser])
5053			superuser_path=$withval
5054		fi
5055	]
5056)
5057
5058
5059AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5060IPV4_IN6_HACK_MSG="no"
5061AC_ARG_WITH(4in6,
5062	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5063	[
5064		if test "x$withval" != "xno" ; then
5065			AC_MSG_RESULT([yes])
5066			AC_DEFINE([IPV4_IN_IPV6], [1],
5067				[Detect IPv4 in IPv6 mapped addresses
5068				and treat as IPv4])
5069			IPV4_IN6_HACK_MSG="yes"
5070		else
5071			AC_MSG_RESULT([no])
5072		fi
5073	], [
5074		if test "x$inet6_default_4in6" = "xyes"; then
5075			AC_MSG_RESULT([yes (default)])
5076			AC_DEFINE([IPV4_IN_IPV6])
5077			IPV4_IN6_HACK_MSG="yes"
5078		else
5079			AC_MSG_RESULT([no (default)])
5080		fi
5081	]
5082)
5083
5084# Whether to enable BSD auth support
5085BSD_AUTH_MSG=no
5086AC_ARG_WITH([bsd-auth],
5087	[  --with-bsd-auth         Enable BSD auth support],
5088	[
5089		if test "x$withval" != "xno" ; then
5090			AC_DEFINE([BSD_AUTH], [1],
5091				[Define if you have BSD auth support])
5092			BSD_AUTH_MSG=yes
5093		fi
5094	]
5095)
5096
5097# Where to place sshd.pid
5098piddir=/var/run
5099# make sure the directory exists
5100if test ! -d $piddir ; then
5101	piddir=`eval echo ${sysconfdir}`
5102	case $piddir in
5103		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5104	esac
5105fi
5106
5107AC_ARG_WITH([pid-dir],
5108	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5109	[
5110		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5111		    test "x${withval}" != "xyes"; then
5112			piddir=$withval
5113			if test ! -d $piddir ; then
5114			AC_MSG_WARN([** no $piddir directory on this system **])
5115			fi
5116		fi
5117	]
5118)
5119
5120AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5121	[Specify location of ssh.pid])
5122AC_SUBST([piddir])
5123
5124dnl allow user to disable some login recording features
5125AC_ARG_ENABLE([lastlog],
5126	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5127	[
5128		if test "x$enableval" = "xno" ; then
5129			AC_DEFINE([DISABLE_LASTLOG])
5130		fi
5131	]
5132)
5133AC_ARG_ENABLE([utmp],
5134	[  --disable-utmp          disable use of utmp even if detected [no]],
5135	[
5136		if test "x$enableval" = "xno" ; then
5137			AC_DEFINE([DISABLE_UTMP])
5138		fi
5139	]
5140)
5141AC_ARG_ENABLE([utmpx],
5142	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5143	[
5144		if test "x$enableval" = "xno" ; then
5145			AC_DEFINE([DISABLE_UTMPX], [1],
5146				[Define if you don't want to use utmpx])
5147		fi
5148	]
5149)
5150AC_ARG_ENABLE([wtmp],
5151	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5152	[
5153		if test "x$enableval" = "xno" ; then
5154			AC_DEFINE([DISABLE_WTMP])
5155		fi
5156	]
5157)
5158AC_ARG_ENABLE([wtmpx],
5159	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5160	[
5161		if test "x$enableval" = "xno" ; then
5162			AC_DEFINE([DISABLE_WTMPX], [1],
5163				[Define if you don't want to use wtmpx])
5164		fi
5165	]
5166)
5167AC_ARG_ENABLE([libutil],
5168	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5169	[
5170		if test "x$enableval" = "xno" ; then
5171			AC_DEFINE([DISABLE_LOGIN])
5172		fi
5173	]
5174)
5175AC_ARG_ENABLE([pututline],
5176	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5177	[
5178		if test "x$enableval" = "xno" ; then
5179			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5180				[Define if you don't want to use pututline()
5181				etc. to write [uw]tmp])
5182		fi
5183	]
5184)
5185AC_ARG_ENABLE([pututxline],
5186	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5187	[
5188		if test "x$enableval" = "xno" ; then
5189			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5190				[Define if you don't want to use pututxline()
5191				etc. to write [uw]tmpx])
5192		fi
5193	]
5194)
5195AC_ARG_WITH([lastlog],
5196  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5197	[
5198		if test "x$withval" = "xno" ; then
5199			AC_DEFINE([DISABLE_LASTLOG])
5200		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5201			conf_lastlog_location=$withval
5202		fi
5203	]
5204)
5205
5206dnl lastlog, [uw]tmpx? detection
5207dnl  NOTE: set the paths in the platform section to avoid the
5208dnl   need for command-line parameters
5209dnl lastlog and [uw]tmp are subject to a file search if all else fails
5210
5211dnl lastlog detection
5212dnl  NOTE: the code itself will detect if lastlog is a directory
5213AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5214AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5215#include <sys/types.h>
5216#include <utmp.h>
5217#ifdef HAVE_LASTLOG_H
5218#  include <lastlog.h>
5219#endif
5220#ifdef HAVE_PATHS_H
5221#  include <paths.h>
5222#endif
5223#ifdef HAVE_LOGIN_H
5224# include <login.h>
5225#endif
5226	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5227		[ AC_MSG_RESULT([yes]) ],
5228		[
5229		AC_MSG_RESULT([no])
5230		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5231		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5232#include <sys/types.h>
5233#include <utmp.h>
5234#ifdef HAVE_LASTLOG_H
5235#  include <lastlog.h>
5236#endif
5237#ifdef HAVE_PATHS_H
5238#  include <paths.h>
5239#endif
5240		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5241		[ AC_MSG_RESULT([yes]) ],
5242		[
5243			AC_MSG_RESULT([no])
5244			system_lastlog_path=no
5245		])
5246])
5247
5248if test -z "$conf_lastlog_location"; then
5249	if test x"$system_lastlog_path" = x"no" ; then
5250		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5251				if (test -d "$f" || test -f "$f") ; then
5252					conf_lastlog_location=$f
5253				fi
5254		done
5255		if test -z "$conf_lastlog_location"; then
5256			AC_MSG_WARN([** Cannot find lastlog **])
5257			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5258		fi
5259	fi
5260fi
5261
5262if test -n "$conf_lastlog_location"; then
5263	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5264		[Define if you want to specify the path to your lastlog file])
5265fi
5266
5267dnl utmp detection
5268AC_MSG_CHECKING([if your system defines UTMP_FILE])
5269AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5270#include <sys/types.h>
5271#include <utmp.h>
5272#ifdef HAVE_PATHS_H
5273#  include <paths.h>
5274#endif
5275	]], [[ char *utmp = UTMP_FILE; ]])],
5276	[ AC_MSG_RESULT([yes]) ],
5277	[ AC_MSG_RESULT([no])
5278	  system_utmp_path=no
5279])
5280if test -z "$conf_utmp_location"; then
5281	if test x"$system_utmp_path" = x"no" ; then
5282		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5283			if test -f $f ; then
5284				conf_utmp_location=$f
5285			fi
5286		done
5287		if test -z "$conf_utmp_location"; then
5288			AC_DEFINE([DISABLE_UTMP])
5289		fi
5290	fi
5291fi
5292if test -n "$conf_utmp_location"; then
5293	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5294		[Define if you want to specify the path to your utmp file])
5295fi
5296
5297dnl wtmp detection
5298AC_MSG_CHECKING([if your system defines WTMP_FILE])
5299AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5300#include <sys/types.h>
5301#include <utmp.h>
5302#ifdef HAVE_PATHS_H
5303#  include <paths.h>
5304#endif
5305	]], [[ char *wtmp = WTMP_FILE; ]])],
5306	[ AC_MSG_RESULT([yes]) ],
5307	[ AC_MSG_RESULT([no])
5308	  system_wtmp_path=no
5309])
5310if test -z "$conf_wtmp_location"; then
5311	if test x"$system_wtmp_path" = x"no" ; then
5312		for f in /usr/adm/wtmp /var/log/wtmp; do
5313			if test -f $f ; then
5314				conf_wtmp_location=$f
5315			fi
5316		done
5317		if test -z "$conf_wtmp_location"; then
5318			AC_DEFINE([DISABLE_WTMP])
5319		fi
5320	fi
5321fi
5322if test -n "$conf_wtmp_location"; then
5323	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5324		[Define if you want to specify the path to your wtmp file])
5325fi
5326
5327dnl wtmpx detection
5328AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5329AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5330#include <sys/types.h>
5331#include <utmp.h>
5332#ifdef HAVE_UTMPX_H
5333#include <utmpx.h>
5334#endif
5335#ifdef HAVE_PATHS_H
5336#  include <paths.h>
5337#endif
5338	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5339	[ AC_MSG_RESULT([yes]) ],
5340	[ AC_MSG_RESULT([no])
5341	  system_wtmpx_path=no
5342])
5343if test -z "$conf_wtmpx_location"; then
5344	if test x"$system_wtmpx_path" = x"no" ; then
5345		AC_DEFINE([DISABLE_WTMPX])
5346	fi
5347else
5348	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5349		[Define if you want to specify the path to your wtmpx file])
5350fi
5351
5352
5353if test ! -z "$blibpath" ; then
5354	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5355	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5356fi
5357
5358AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5359    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5360	AC_DEFINE([DISABLE_LASTLOG])
5361    fi
5362	], [
5363#ifdef HAVE_SYS_TYPES_H
5364#include <sys/types.h>
5365#endif
5366#ifdef HAVE_UTMP_H
5367#include <utmp.h>
5368#endif
5369#ifdef HAVE_UTMPX_H
5370#include <utmpx.h>
5371#endif
5372#ifdef HAVE_LASTLOG_H
5373#include <lastlog.h>
5374#endif
5375	])
5376
5377AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5378	AC_DEFINE([DISABLE_UTMP])
5379	AC_DEFINE([DISABLE_WTMP])
5380	], [
5381#ifdef HAVE_SYS_TYPES_H
5382#include <sys/types.h>
5383#endif
5384#ifdef HAVE_UTMP_H
5385#include <utmp.h>
5386#endif
5387#ifdef HAVE_UTMPX_H
5388#include <utmpx.h>
5389#endif
5390#ifdef HAVE_LASTLOG_H
5391#include <lastlog.h>
5392#endif
5393	])
5394
5395dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5396dnl Add now.
5397CFLAGS="$CFLAGS $werror_flags"
5398
5399if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5400	TEST_SSH_IPV6=no
5401else
5402	TEST_SSH_IPV6=yes
5403fi
5404AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5405AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5406AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5407AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5408AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5409AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5410
5411CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5412LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5413
5414# Make a copy of CFLAGS/LDFLAGS without PIE options.
5415LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5416CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5417AC_SUBST([LDFLAGS_NOPIE])
5418AC_SUBST([CFLAGS_NOPIE])
5419
5420AC_EXEEXT
5421AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5422	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5423	survey.sh])
5424AC_OUTPUT
5425
5426# Print summary of options
5427
5428# Someone please show me a better way :)
5429A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5430B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5431C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5432D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5433E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5434F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5435G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5436H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5437I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5438J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5439
5440echo ""
5441echo "OpenSSH has been configured with the following options:"
5442echo "                     User binaries: $B"
5443echo "                   System binaries: $C"
5444echo "               Configuration files: $D"
5445echo "                   Askpass program: $E"
5446echo "                      Manual pages: $F"
5447echo "                          PID file: $G"
5448echo "  Privilege separation chroot path: $H"
5449if test "x$external_path_file" = "x/etc/login.conf" ; then
5450echo "   At runtime, sshd will use the path defined in $external_path_file"
5451echo "   Make sure the path to scp is present, otherwise scp will not work"
5452else
5453echo "            sshd default user PATH: $I"
5454	if test ! -z "$external_path_file"; then
5455echo "   (If PATH is set in $external_path_file it will be used instead. If"
5456echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5457	fi
5458fi
5459if test ! -z "$superuser_path" ; then
5460echo "          sshd superuser user PATH: $J"
5461fi
5462echo "                    Manpage format: $MANTYPE"
5463echo "                       PAM support: $PAM_MSG"
5464echo "                   OSF SIA support: $SIA_MSG"
5465echo "                 KerberosV support: $KRB5_MSG"
5466echo "                   SELinux support: $SELINUX_MSG"
5467echo "              MD5 password support: $MD5_MSG"
5468echo "                   libedit support: $LIBEDIT_MSG"
5469echo "                   libldns support: $LDNS_MSG"
5470echo "  Solaris process contract support: $SPC_MSG"
5471echo "           Solaris project support: $SP_MSG"
5472echo "         Solaris privilege support: $SPP_MSG"
5473echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5474echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5475echo "                  BSD Auth support: $BSD_AUTH_MSG"
5476echo "              Random number source: $RAND_MSG"
5477echo "             Privsep sandbox style: $SANDBOX_STYLE"
5478echo "                   PKCS#11 support: $enable_pkcs11"
5479echo "                  U2F/FIDO support: $enable_sk"
5480
5481echo ""
5482
5483echo "              Host: ${host}"
5484echo "          Compiler: ${CC}"
5485echo "    Compiler flags: ${CFLAGS}"
5486echo "Preprocessor flags: ${CPPFLAGS}"
5487echo "      Linker flags: ${LDFLAGS}"
5488echo "         Libraries: ${LIBS}"
5489if test ! -z "${SSHDLIBS}"; then
5490echo "         +for sshd: ${SSHDLIBS}"
5491fi
5492
5493echo ""
5494
5495if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5496	echo "SVR4 style packages are supported with \"make package\""
5497	echo ""
5498fi
5499
5500if test "x$PAM_MSG" = "xyes" ; then
5501	echo "PAM is enabled. You may need to install a PAM control file "
5502	echo "for sshd, otherwise password authentication may fail. "
5503	echo "Example PAM control files can be found in the contrib/ "
5504	echo "subdirectory"
5505	echo ""
5506fi
5507
5508if test ! -z "$NO_PEERCHECK" ; then
5509	echo "WARNING: the operating system that you are using does not"
5510	echo "appear to support getpeereid(), getpeerucred() or the"
5511	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5512	echo "enforce security checks to prevent unauthorised connections to"
5513	echo "ssh-agent. Their absence increases the risk that a malicious"
5514	echo "user can connect to your agent."
5515	echo ""
5516fi
5517
5518if test "$AUDIT_MODULE" = "bsm" ; then
5519	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5520	echo "See the Solaris section in README.platform for details."
5521fi
5522