xref: /openssh-portable/configure.ac (revision 89fc3f41)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_REVISION($Revision: 1.583 $)
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([ENT], [ent])
38AC_SUBST([ENT])
39AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42AC_PATH_PROG([SH], [sh])
43AC_PATH_PROG([GROFF], [groff])
44AC_PATH_PROG([NROFF], [nroff awf])
45AC_PATH_PROG([MANDOC], [mandoc])
46AC_SUBST([TEST_SHELL], [sh])
47
48dnl select manpage formatter to be used to build "cat" format pages.
49if test "x$MANDOC" != "x" ; then
50	MANFMT="$MANDOC"
51elif test "x$NROFF" != "x" ; then
52	MANFMT="$NROFF -mandoc"
53elif test "x$GROFF" != "x" ; then
54	MANFMT="$GROFF -mandoc -Tascii"
55else
56	AC_MSG_WARN([no manpage formatter found])
57	MANFMT="false"
58fi
59AC_SUBST([MANFMT])
60
61dnl for buildpkg.sh
62AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65	[/usr/sbin${PATH_SEPARATOR}/etc])
66AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67if test -x /sbin/sh; then
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
69else
70	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
71fi
72
73# System features
74AC_SYS_LARGEFILE
75
76if test -z "$AR" ; then
77	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
78fi
79
80AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81if test ! -z "$PATH_PASSWD_PROG" ; then
82	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83		[Full path of your "passwd" program])
84fi
85
86dnl Since autoconf doesn't support it very well,  we no longer allow users to
87dnl override LD, however keeping the hook here for now in case there's a use
88dnl use case we overlooked and someone needs to re-enable it.  Unless a good
89dnl reason is found we'll be removing this in future.
90LD="$CC"
91AC_SUBST([LD])
92
93AC_C_INLINE
94
95AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
97AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
98	#include <sys/types.h>
99	#include <sys/param.h>
100	#include <dev/systrace.h>
101])
102AC_CHECK_DECL([RLIMIT_NPROC],
103    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
104	#include <sys/types.h>
105	#include <sys/resource.h>
106])
107AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
108	#include <sys/types.h>
109	#include <linux/prctl.h>
110])
111
112openssl=yes
113AC_ARG_WITH([openssl],
114	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
115	[  if test "x$withval" = "xno" ; then
116		openssl=no
117	   fi
118	]
119)
120AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
121if test "x$openssl" = "xyes" ; then
122	AC_MSG_RESULT([yes])
123	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
124else
125	AC_MSG_RESULT([no])
126fi
127
128use_stack_protector=1
129use_toolchain_hardening=1
130AC_ARG_WITH([stackprotect],
131    [  --without-stackprotect  Don't use compiler's stack protection], [
132    if test "x$withval" = "xno"; then
133	use_stack_protector=0
134    fi ])
135AC_ARG_WITH([hardening],
136    [  --without-hardening     Don't use toolchain hardening flags], [
137    if test "x$withval" = "xno"; then
138	use_toolchain_hardening=0
139    fi ])
140
141# We use -Werror for the tests only so that we catch warnings like "this is
142# on by default" for things like -fPIE.
143AC_MSG_CHECKING([if $CC supports -Werror])
144saved_CFLAGS="$CFLAGS"
145CFLAGS="$CFLAGS -Werror"
146AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
147	[ AC_MSG_RESULT([yes])
148	  WERROR="-Werror"],
149	[ AC_MSG_RESULT([no])
150	  WERROR="" ]
151)
152CFLAGS="$saved_CFLAGS"
153
154if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
155	OSSH_CHECK_CFLAG_COMPILE([-pipe])
156	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
157	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
158	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
159	OSSH_CHECK_CFLAG_COMPILE([-Wall])
160	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
161	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
162	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
163	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
164	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
165	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
166	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
167	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
168	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
169	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
170	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
171    if test "x$use_toolchain_hardening" = "x1"; then
172	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
173	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
174	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
175	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
176	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
177	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
178	# NB. -ftrapv expects certain support functions to be present in
179	# the compiler library (libgcc or similar) to detect integer operations
180	# that can overflow. We must check that the result of enabling it
181	# actually links. The test program compiled/linked includes a number
182	# of integer operations that should exercise this.
183	OSSH_CHECK_CFLAG_LINK([-ftrapv])
184    fi
185	AC_MSG_CHECKING([gcc version])
186	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
187	case $GCC_VER in
188		1.*) no_attrib_nonnull=1 ;;
189		2.8* | 2.9*)
190		     no_attrib_nonnull=1
191		     ;;
192		2.*) no_attrib_nonnull=1 ;;
193		*) ;;
194	esac
195	AC_MSG_RESULT([$GCC_VER])
196
197	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
198	saved_CFLAGS="$CFLAGS"
199	CFLAGS="$CFLAGS -fno-builtin-memset"
200	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
201			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
202		[ AC_MSG_RESULT([yes]) ],
203		[ AC_MSG_RESULT([no])
204		  CFLAGS="$saved_CFLAGS" ]
205	)
206
207	# -fstack-protector-all doesn't always work for some GCC versions
208	# and/or platforms, so we test if we can.  If it's not supported
209	# on a given platform gcc will emit a warning so we use -Werror.
210	if test "x$use_stack_protector" = "x1"; then
211	    for t in -fstack-protector-strong -fstack-protector-all \
212		    -fstack-protector; do
213		AC_MSG_CHECKING([if $CC supports $t])
214		saved_CFLAGS="$CFLAGS"
215		saved_LDFLAGS="$LDFLAGS"
216		CFLAGS="$CFLAGS $t -Werror"
217		LDFLAGS="$LDFLAGS $t -Werror"
218		AC_LINK_IFELSE(
219			[AC_LANG_PROGRAM([[
220	#include <stdio.h>
221	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
222			 ]],
223			[[
224	char x[256];
225	snprintf(x, sizeof(x), "XXX%d", func(1));
226			 ]])],
227		    [ AC_MSG_RESULT([yes])
228		      CFLAGS="$saved_CFLAGS $t"
229		      LDFLAGS="$saved_LDFLAGS $t"
230		      AC_MSG_CHECKING([if $t works])
231		      AC_RUN_IFELSE(
232			[AC_LANG_PROGRAM([[
233	#include <stdio.h>
234	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
235			]],
236			[[
237	char x[256];
238	snprintf(x, sizeof(x), "XXX%d", func(1));
239			]])],
240			[ AC_MSG_RESULT([yes])
241			  break ],
242			[ AC_MSG_RESULT([no]) ],
243			[ AC_MSG_WARN([cross compiling: cannot test])
244			  break ]
245		      )
246		    ],
247		    [ AC_MSG_RESULT([no]) ]
248		)
249		CFLAGS="$saved_CFLAGS"
250		LDFLAGS="$saved_LDFLAGS"
251	    done
252	fi
253
254	if test -z "$have_llong_max"; then
255		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
256		unset ac_cv_have_decl_LLONG_MAX
257		saved_CFLAGS="$CFLAGS"
258		CFLAGS="$CFLAGS -std=gnu99"
259		AC_CHECK_DECL([LLONG_MAX],
260		    [have_llong_max=1],
261		    [CFLAGS="$saved_CFLAGS"],
262		    [#include <limits.h>]
263		)
264	fi
265fi
266
267AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
268AC_COMPILE_IFELSE(
269    [AC_LANG_PROGRAM([[
270#include <stdlib.h>
271__attribute__((__unused__)) static void foo(void){return;}]],
272    [[ exit(0); ]])],
273    [ AC_MSG_RESULT([yes]) ],
274    [ AC_MSG_RESULT([no])
275      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
276	 [compiler does not accept __attribute__ on return types]) ]
277)
278
279AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
280AC_COMPILE_IFELSE(
281    [AC_LANG_PROGRAM([[
282#include <stdlib.h>
283typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
284    [[ exit(0); ]])],
285    [ AC_MSG_RESULT([yes]) ],
286    [ AC_MSG_RESULT([no])
287      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
288	 [compiler does not accept __attribute__ on prototype args]) ]
289)
290
291if test "x$no_attrib_nonnull" != "x1" ; then
292	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
293fi
294
295AC_ARG_WITH([rpath],
296	[  --without-rpath         Disable auto-added -R linker paths],
297	[
298		if test "x$withval" = "xno" ; then
299			rpath_opt=""
300		elif test "x$withval" = "xyes" ; then
301			rpath_opt="-R"
302		else
303			rpath_opt="$withval"
304		fi
305	]
306)
307
308# Allow user to specify flags
309AC_ARG_WITH([cflags],
310	[  --with-cflags           Specify additional flags to pass to compiler],
311	[
312		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
313		    test "x${withval}" != "xyes"; then
314			CFLAGS="$CFLAGS $withval"
315		fi
316	]
317)
318
319AC_ARG_WITH([cflags-after],
320	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
321	[
322		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
323		    test "x${withval}" != "xyes"; then
324			CFLAGS_AFTER="$withval"
325		fi
326	]
327)
328AC_ARG_WITH([cppflags],
329	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
330	[
331		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
332		    test "x${withval}" != "xyes"; then
333			CPPFLAGS="$CPPFLAGS $withval"
334		fi
335	]
336)
337AC_ARG_WITH([ldflags],
338	[  --with-ldflags          Specify additional flags to pass to linker],
339	[
340		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
341		    test "x${withval}" != "xyes"; then
342			LDFLAGS="$LDFLAGS $withval"
343		fi
344	]
345)
346AC_ARG_WITH([ldflags-after],
347	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
348	[
349		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
350		    test "x${withval}" != "xyes"; then
351			LDFLAGS_AFTER="$withval"
352		fi
353	]
354)
355AC_ARG_WITH([libs],
356	[  --with-libs             Specify additional libraries to link with],
357	[
358		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
359		    test "x${withval}" != "xyes"; then
360			LIBS="$LIBS $withval"
361		fi
362	]
363)
364AC_ARG_WITH([Werror],
365	[  --with-Werror           Build main code with -Werror],
366	[
367		if test -n "$withval"  &&  test "x$withval" != "xno"; then
368			werror_flags="-Werror"
369			if test "x${withval}" != "xyes"; then
370				werror_flags="$withval"
371			fi
372		fi
373	]
374)
375
376AC_CHECK_HEADERS([ \
377	blf.h \
378	bstring.h \
379	crypt.h \
380	crypto/sha2.h \
381	dirent.h \
382	endian.h \
383	elf.h \
384	err.h \
385	features.h \
386	fcntl.h \
387	floatingpoint.h \
388	fnmatch.h \
389	getopt.h \
390	glob.h \
391	ia.h \
392	iaf.h \
393	ifaddrs.h \
394	inttypes.h \
395	langinfo.h \
396	limits.h \
397	locale.h \
398	login.h \
399	maillock.h \
400	ndir.h \
401	net/if_tun.h \
402	netdb.h \
403	netgroup.h \
404	pam/pam_appl.h \
405	paths.h \
406	poll.h \
407	pty.h \
408	readpassphrase.h \
409	rpc/types.h \
410	security/pam_appl.h \
411	sha2.h \
412	shadow.h \
413	stddef.h \
414	stdint.h \
415	string.h \
416	strings.h \
417	sys/bitypes.h \
418	sys/byteorder.h \
419	sys/bsdtty.h \
420	sys/cdefs.h \
421	sys/dir.h \
422	sys/file.h \
423	sys/mman.h \
424	sys/label.h \
425	sys/ndir.h \
426	sys/poll.h \
427	sys/prctl.h \
428	sys/pstat.h \
429	sys/ptrace.h \
430	sys/random.h \
431	sys/select.h \
432	sys/stat.h \
433	sys/stream.h \
434	sys/stropts.h \
435	sys/strtio.h \
436	sys/statvfs.h \
437	sys/sysmacros.h \
438	sys/time.h \
439	sys/timers.h \
440	sys/vfs.h \
441	time.h \
442	tmpdir.h \
443	ttyent.h \
444	ucred.h \
445	unistd.h \
446	usersec.h \
447	util.h \
448	utime.h \
449	utmp.h \
450	utmpx.h \
451	vis.h \
452	wchar.h \
453])
454
455# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
456# to be included first.
457AC_CHECK_HEADERS([sys/audit.h], [], [], [
458#ifdef HAVE_SYS_TIME_H
459# include <sys/time.h>
460#endif
461#ifdef HAVE_SYS_TYPES_H
462# include <sys/types.h>
463#endif
464#ifdef HAVE_SYS_LABEL_H
465# include <sys/label.h>
466#endif
467])
468
469# sys/capsicum.h requires sys/types.h
470AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
471#ifdef HAVE_SYS_TYPES_H
472# include <sys/types.h>
473#endif
474])
475
476# net/route.h requires sys/socket.h and sys/types.h.
477# sys/sysctl.h also requires sys/param.h
478AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
479#ifdef HAVE_SYS_TYPES_H
480# include <sys/types.h>
481#endif
482#include <sys/param.h>
483#include <sys/socket.h>
484])
485
486# lastlog.h requires sys/time.h to be included first on Solaris
487AC_CHECK_HEADERS([lastlog.h], [], [], [
488#ifdef HAVE_SYS_TIME_H
489# include <sys/time.h>
490#endif
491])
492
493# sys/ptms.h requires sys/stream.h to be included first on Solaris
494AC_CHECK_HEADERS([sys/ptms.h], [], [], [
495#ifdef HAVE_SYS_STREAM_H
496# include <sys/stream.h>
497#endif
498])
499
500# login_cap.h requires sys/types.h on NetBSD
501AC_CHECK_HEADERS([login_cap.h], [], [], [
502#include <sys/types.h>
503])
504
505# older BSDs need sys/param.h before sys/mount.h
506AC_CHECK_HEADERS([sys/mount.h], [], [], [
507#include <sys/param.h>
508])
509
510# Android requires sys/socket.h to be included before sys/un.h
511AC_CHECK_HEADERS([sys/un.h], [], [], [
512#include <sys/types.h>
513#include <sys/socket.h>
514])
515
516# Messages for features tested for in target-specific section
517SIA_MSG="no"
518SPC_MSG="no"
519SP_MSG="no"
520SPP_MSG="no"
521
522# Support for Solaris/Illumos privileges (this test is used by both
523# the --with-solaris-privs option and --with-sandbox=solaris).
524SOLARIS_PRIVS="no"
525
526AC_CHECK_SIZEOF([size_t])
527
528# Check for some target-specific stuff
529case "$host" in
530*-*-aix*)
531	# Some versions of VAC won't allow macro redefinitions at
532	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
533	# particularly with older versions of vac or xlc.
534	# It also throws errors about null macro arguments, but these are
535	# not fatal.
536	AC_MSG_CHECKING([if compiler allows macro redefinitions])
537	AC_COMPILE_IFELSE(
538	    [AC_LANG_PROGRAM([[
539#define testmacro foo
540#define testmacro bar]],
541	    [[ exit(0); ]])],
542	    [ AC_MSG_RESULT([yes]) ],
543	    [ AC_MSG_RESULT([no])
544	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
545	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
546	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
547	    ]
548	)
549
550	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
551	if (test -z "$blibpath"); then
552		blibpath="/usr/lib:/lib"
553	fi
554	saved_LDFLAGS="$LDFLAGS"
555	if test "$GCC" = "yes"; then
556		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
557	else
558		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
559	fi
560	for tryflags in $flags ;do
561		if (test -z "$blibflags"); then
562			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
563			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
564			[blibflags=$tryflags], [])
565		fi
566	done
567	if (test -z "$blibflags"); then
568		AC_MSG_RESULT([not found])
569		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
570	else
571		AC_MSG_RESULT([$blibflags])
572	fi
573	LDFLAGS="$saved_LDFLAGS"
574	dnl Check for authenticate.  Might be in libs.a on older AIXes
575	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
576		[Define if you want to enable AIX4's authenticate function])],
577		[AC_CHECK_LIB([s], [authenticate],
578			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
579				LIBS="$LIBS -ls"
580			])
581		])
582	dnl Check for various auth function declarations in headers.
583	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
584	    passwdexpired, setauthdb], , , [#include <usersec.h>])
585	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
586	AC_CHECK_DECLS([loginfailed],
587	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
588	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
589		[[ (void)loginfailed("user","host","tty",0); ]])],
590		[AC_MSG_RESULT([yes])
591		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
592			[Define if your AIX loginfailed() function
593			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
594	    ])],
595	    [],
596	    [#include <usersec.h>]
597	)
598	AC_CHECK_FUNCS([getgrset setauthdb])
599	AC_CHECK_DECL([F_CLOSEM],
600	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
601	    [],
602	    [ #include <limits.h>
603	      #include <fcntl.h> ]
604	)
605	check_for_aix_broken_getaddrinfo=1
606	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
607	    [Define if your platform breaks doing a seteuid before a setuid])
608	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
609	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
610	dnl AIX handles lastlog as part of its login message
611	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
612	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
613		[Some systems need a utmpx entry for /bin/login to work])
614	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
615		[Define to a Set Process Title type if your system is
616		supported by bsd-setproctitle.c])
617	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
618	    [AIX 5.2 and 5.3 (and presumably newer) require this])
619	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
620	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
621	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
622	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
623	;;
624*-*-android*)
625	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
626	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
627	;;
628*-*-cygwin*)
629	check_for_libcrypt_later=1
630	LIBS="$LIBS /usr/lib/textreadmode.o"
631	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
632	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
633	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
634		[Define to disable UID restoration test])
635	AC_DEFINE([DISABLE_SHADOW], [1],
636		[Define if you want to disable shadow passwords])
637	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
638		[Define if X11 doesn't support AF_UNIX sockets on that system])
639	AC_DEFINE([DISABLE_FD_PASSING], [1],
640		[Define if your platform needs to skip post auth
641		file descriptor passing])
642	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
643	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
644	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
645	# reasons which cause compile warnings, so we disable those warnings.
646	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
647	;;
648*-*-dgux*)
649	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
650		[Define if your system choked on IP TOS setting])
651	AC_DEFINE([SETEUID_BREAKS_SETUID])
652	AC_DEFINE([BROKEN_SETREUID])
653	AC_DEFINE([BROKEN_SETREGID])
654	;;
655*-*-darwin*)
656	use_pie=auto
657	AC_MSG_CHECKING([if we have working getaddrinfo])
658	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
659main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
660		exit(0);
661	else
662		exit(1);
663}
664			]])],
665	[AC_MSG_RESULT([working])],
666	[AC_MSG_RESULT([buggy])
667	AC_DEFINE([BROKEN_GETADDRINFO], [1],
668		[getaddrinfo is broken (if present)])
669	],
670	[AC_MSG_RESULT([assume it is working])])
671	AC_DEFINE([SETEUID_BREAKS_SETUID])
672	AC_DEFINE([BROKEN_SETREUID])
673	AC_DEFINE([BROKEN_SETREGID])
674	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
675	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
676		[Define if your resolver libs need this for getrrsetbyname])
677	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
678	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
679	    [Use tunnel device compatibility to OpenBSD])
680	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
681	    [Prepend the address family to IP tunnel traffic])
682	m4_pattern_allow([AU_IPv])
683	AC_CHECK_DECL([AU_IPv4], [],
684	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
685	    [#include <bsm/audit.h>]
686	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
687	    [Define if pututxline updates lastlog too])
688	)
689	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
690		[Define to a Set Process Title type if your system is
691		supported by bsd-setproctitle.c])
692	AC_CHECK_FUNCS([sandbox_init])
693	AC_CHECK_HEADERS([sandbox.h])
694	AC_CHECK_LIB([sandbox], [sandbox_apply], [
695	    SSHDLIBS="$SSHDLIBS -lsandbox"
696	])
697	# proc_pidinfo()-based closefrom() replacement.
698	AC_CHECK_HEADERS([libproc.h])
699	AC_CHECK_FUNCS([proc_pidinfo])
700	;;
701*-*-dragonfly*)
702	SSHDLIBS="$SSHDLIBS -lcrypt"
703	TEST_MALLOC_OPTIONS="AFGJPRX"
704	;;
705*-*-haiku*)
706	LIBS="$LIBS -lbsd "
707	CFLAGS="$CFLAGS -D_BSD_SOURCE"
708	AC_CHECK_LIB([network], [socket])
709	AC_DEFINE([HAVE_U_INT64_T])
710	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
711	MANTYPE=man
712	;;
713*-*-hpux*)
714	# first we define all of the options common to all HP-UX releases
715	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
716	IPADDR_IN_DISPLAY=yes
717	AC_DEFINE([USE_PIPES])
718	AC_DEFINE([LOGIN_NEEDS_UTMPX])
719	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
720		[String used in /etc/passwd to denote locked account])
721	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
722	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
723	maildir="/var/mail"
724	LIBS="$LIBS -lsec"
725	AC_CHECK_LIB([xnet], [t_error], ,
726	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
727
728	# next, we define all of the options specific to major releases
729	case "$host" in
730	*-*-hpux10*)
731		if test -z "$GCC"; then
732			CFLAGS="$CFLAGS -Ae"
733		fi
734		;;
735	*-*-hpux11*)
736		AC_DEFINE([PAM_SUN_CODEBASE], [1],
737			[Define if you are using Solaris-derived PAM which
738			passes pam_messages to the conversation function
739			with an extra level of indirection])
740		AC_DEFINE([DISABLE_UTMP], [1],
741			[Define if you don't want to use utmp])
742		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
743		check_for_hpux_broken_getaddrinfo=1
744		check_for_conflicting_getspnam=1
745		;;
746	esac
747
748	# lastly, we define options specific to minor releases
749	case "$host" in
750	*-*-hpux10.26)
751		AC_DEFINE([HAVE_SECUREWARE], [1],
752			[Define if you have SecureWare-based
753			protected password database])
754		disable_ptmx_check=yes
755		LIBS="$LIBS -lsecpw"
756		;;
757	esac
758	;;
759*-*-irix5*)
760	PATH="$PATH:/usr/etc"
761	AC_DEFINE([BROKEN_INET_NTOA], [1],
762		[Define if you system's inet_ntoa is busted
763		(e.g. Irix gcc issue)])
764	AC_DEFINE([SETEUID_BREAKS_SETUID])
765	AC_DEFINE([BROKEN_SETREUID])
766	AC_DEFINE([BROKEN_SETREGID])
767	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
768		[Define if you shouldn't strip 'tty' from your
769		ttyname in [uw]tmp])
770	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
771	;;
772*-*-irix6*)
773	PATH="$PATH:/usr/etc"
774	AC_DEFINE([WITH_IRIX_ARRAY], [1],
775		[Define if you have/want arrays
776		(cluster-wide session management, not C arrays)])
777	AC_DEFINE([WITH_IRIX_PROJECT], [1],
778		[Define if you want IRIX project management])
779	AC_DEFINE([WITH_IRIX_AUDIT], [1],
780		[Define if you want IRIX audit trails])
781	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
782		[Define if you want IRIX kernel jobs])])
783	AC_DEFINE([BROKEN_INET_NTOA])
784	AC_DEFINE([SETEUID_BREAKS_SETUID])
785	AC_DEFINE([BROKEN_SETREUID])
786	AC_DEFINE([BROKEN_SETREGID])
787	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
788	AC_DEFINE([WITH_ABBREV_NO_TTY])
789	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
790	;;
791*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
792	check_for_libcrypt_later=1
793	AC_DEFINE([PAM_TTY_KLUDGE])
794	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
795	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
796	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
797	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
798	;;
799*-*-linux*)
800	no_dev_ptmx=1
801	use_pie=auto
802	check_for_libcrypt_later=1
803	check_for_openpty_ctty_bug=1
804	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
805	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
806	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
807	AC_DEFINE([PAM_TTY_KLUDGE], [1],
808		[Work around problematic Linux PAM modules handling of PAM_TTY])
809	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
810		[String used in /etc/passwd to denote locked account])
811	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
812	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
813		[Define to whatever link() returns for "not supported"
814		if it doesn't return EOPNOTSUPP.])
815	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
816	AC_DEFINE([USE_BTMP])
817	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
818	inet6_default_4in6=yes
819	case `uname -r` in
820	1.*|2.0.*)
821		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
822			[Define if cmsg_type is not passed correctly])
823		;;
824	esac
825	# tun(4) forwarding compat code
826	AC_CHECK_HEADERS([linux/if_tun.h])
827	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
828		AC_DEFINE([SSH_TUN_LINUX], [1],
829		    [Open tunnel devices the Linux tun/tap way])
830		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
831		    [Use tunnel device compatibility to OpenBSD])
832		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
833		    [Prepend the address family to IP tunnel traffic])
834	fi
835	AC_CHECK_HEADER([linux/if.h],
836	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
837		[Support routing domains using Linux VRF]), [], [
838#ifdef HAVE_SYS_TYPES_H
839# include <sys/types.h>
840#endif
841	    ])
842	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
843	    [], [#include <linux/types.h>])
844	# Obtain MIPS ABI
845	case "$host" in
846	mips*)
847		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
848#if _MIPS_SIM != _ABIO32
849#error
850#endif
851			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
852#if _MIPS_SIM != _ABIN32
853#error
854#endif
855				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
856#if _MIPS_SIM != _ABI64
857#error
858#endif
859					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
860				])
861			])
862		])
863		;;
864	esac
865	AC_MSG_CHECKING([for seccomp architecture])
866	seccomp_audit_arch=
867	case "$host" in
868	x86_64-*)
869		seccomp_audit_arch=AUDIT_ARCH_X86_64
870		# X32: AMD64 instructions in 32bit address space.
871		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
872			seccomp_audit_arch=AUDIT_ARCH_I386
873		fi
874		;;
875	i*86-*)
876		seccomp_audit_arch=AUDIT_ARCH_I386
877		;;
878	arm*-*)
879		seccomp_audit_arch=AUDIT_ARCH_ARM
880		;;
881	aarch64*-*)
882		seccomp_audit_arch=AUDIT_ARCH_AARCH64
883		;;
884	s390x-*)
885		seccomp_audit_arch=AUDIT_ARCH_S390X
886		;;
887	s390-*)
888		seccomp_audit_arch=AUDIT_ARCH_S390
889		;;
890	powerpc64-*)
891		seccomp_audit_arch=AUDIT_ARCH_PPC64
892		;;
893	powerpc64le-*)
894		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
895		;;
896	mips-*)
897		seccomp_audit_arch=AUDIT_ARCH_MIPS
898		;;
899	mipsel-*)
900		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
901		;;
902	mips64-*)
903		case "$mips_abi" in
904		"n32")
905			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
906			;;
907		"n64")
908			seccomp_audit_arch=AUDIT_ARCH_MIPS64
909			;;
910		esac
911		;;
912	mips64el-*)
913		case "$mips_abi" in
914		"n32")
915			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
916			;;
917		"n64")
918			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
919			;;
920		esac
921		;;
922	riscv64-*)
923		seccomp_audit_arch=AUDIT_ARCH_RISCV64
924		;;
925	esac
926	if test "x$seccomp_audit_arch" != "x" ; then
927		AC_MSG_RESULT(["$seccomp_audit_arch"])
928		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
929		    [Specify the system call convention in use])
930	else
931		AC_MSG_RESULT([architecture not supported])
932	fi
933	;;
934mips-sony-bsd|mips-sony-newsos4)
935	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
936	SONY=1
937	;;
938*-*-netbsd*)
939	check_for_libcrypt_before=1
940	if test "x$withval" != "xno" ; then
941		rpath_opt="-R"
942	fi
943	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
944	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
945	AC_CHECK_HEADER([net/if_tap.h], ,
946	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
947	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
948	    [Prepend the address family to IP tunnel traffic])
949	TEST_MALLOC_OPTIONS="AJRX"
950	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
951	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
952	;;
953*-*-freebsd*)
954	check_for_libcrypt_later=1
955	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
956	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
957	AC_CHECK_HEADER([net/if_tap.h], ,
958	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
959	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
960	TEST_MALLOC_OPTIONS="AJRX"
961	# Preauth crypto occasionally uses file descriptors for crypto offload
962	# and will crash if they cannot be opened.
963	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
964	    [define if setrlimit RLIMIT_NOFILE breaks things])
965	;;
966*-*-bsdi*)
967	AC_DEFINE([SETEUID_BREAKS_SETUID])
968	AC_DEFINE([BROKEN_SETREUID])
969	AC_DEFINE([BROKEN_SETREGID])
970	;;
971*-next-*)
972	conf_lastlog_location="/usr/adm/lastlog"
973	conf_utmp_location=/etc/utmp
974	conf_wtmp_location=/usr/adm/wtmp
975	maildir=/usr/spool/mail
976	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
977	AC_DEFINE([USE_PIPES])
978	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
979	;;
980*-*-openbsd*)
981	use_pie=auto
982	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
983	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
984	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
985	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
986	    [syslog_r function is safe to use in in a signal handler])
987	TEST_MALLOC_OPTIONS="AFGJPRX"
988	;;
989*-*-solaris*)
990	if test "x$withval" != "xno" ; then
991		rpath_opt="-R"
992	fi
993	AC_DEFINE([PAM_SUN_CODEBASE])
994	AC_DEFINE([LOGIN_NEEDS_UTMPX])
995	AC_DEFINE([PAM_TTY_KLUDGE])
996	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
997		[Define if pam_chauthtok wants real uid set
998		to the unpriv'ed user])
999	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1000	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1001	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1002		[Define if sshd somehow reacquires a controlling TTY
1003		after setsid()])
1004	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1005		in case the name is longer than 8 chars])
1006	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1007	external_path_file=/etc/default/login
1008	# hardwire lastlog location (can't detect it on some versions)
1009	conf_lastlog_location="/var/adm/lastlog"
1010	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1011	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1012	if test "$sol2ver" -ge 8; then
1013		AC_MSG_RESULT([yes])
1014		AC_DEFINE([DISABLE_UTMP])
1015		AC_DEFINE([DISABLE_WTMP], [1],
1016			[Define if you don't want to use wtmp])
1017	else
1018		AC_MSG_RESULT([no])
1019	fi
1020	AC_CHECK_FUNCS([setpflags])
1021	AC_CHECK_FUNCS([setppriv])
1022	AC_CHECK_FUNCS([priv_basicset])
1023	AC_CHECK_HEADERS([priv.h])
1024	AC_ARG_WITH([solaris-contracts],
1025		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1026		[
1027		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1028			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1029				[Define if you have Solaris process contracts])
1030			  LIBS="$LIBS -lcontract"
1031			  SPC_MSG="yes" ], )
1032		],
1033	)
1034	AC_ARG_WITH([solaris-projects],
1035		[  --with-solaris-projects Enable Solaris projects (experimental)],
1036		[
1037		AC_CHECK_LIB([project], [setproject],
1038			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1039				[Define if you have Solaris projects])
1040			LIBS="$LIBS -lproject"
1041			SP_MSG="yes" ], )
1042		],
1043	)
1044	AC_ARG_WITH([solaris-privs],
1045		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1046		[
1047		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1048		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1049			"x$ac_cv_header_priv_h" = "xyes" ; then
1050			SOLARIS_PRIVS=yes
1051			AC_MSG_RESULT([found])
1052			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1053				[Define to disable UID restoration test])
1054			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1055				[Define if you have Solaris privileges])
1056			SPP_MSG="yes"
1057		else
1058			AC_MSG_RESULT([not found])
1059			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1060		fi
1061		],
1062	)
1063	TEST_SHELL=$SHELL	# let configure find us a capable shell
1064	;;
1065*-*-sunos4*)
1066	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1067	AC_CHECK_FUNCS([getpwanam])
1068	AC_DEFINE([PAM_SUN_CODEBASE])
1069	conf_utmp_location=/etc/utmp
1070	conf_wtmp_location=/var/adm/wtmp
1071	conf_lastlog_location=/var/adm/lastlog
1072	AC_DEFINE([USE_PIPES])
1073	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1074	;;
1075*-ncr-sysv*)
1076	LIBS="$LIBS -lc89"
1077	AC_DEFINE([USE_PIPES])
1078	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1079	AC_DEFINE([SETEUID_BREAKS_SETUID])
1080	AC_DEFINE([BROKEN_SETREUID])
1081	AC_DEFINE([BROKEN_SETREGID])
1082	;;
1083*-sni-sysv*)
1084	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1085	AC_CHECK_LIB([dl], [dlsym], ,)
1086	# -lresolv needs to be at the end of LIBS or DNS lookups break
1087	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1088	IPADDR_IN_DISPLAY=yes
1089	AC_DEFINE([USE_PIPES])
1090	AC_DEFINE([IP_TOS_IS_BROKEN])
1091	AC_DEFINE([SETEUID_BREAKS_SETUID])
1092	AC_DEFINE([BROKEN_SETREUID])
1093	AC_DEFINE([BROKEN_SETREGID])
1094	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1095	external_path_file=/etc/default/login
1096	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1097	# Attention: always take care to bind libsocket and libnsl before libc,
1098	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1099	;;
1100# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1101*-*-sysv4.2*)
1102	AC_DEFINE([USE_PIPES])
1103	AC_DEFINE([SETEUID_BREAKS_SETUID])
1104	AC_DEFINE([BROKEN_SETREUID])
1105	AC_DEFINE([BROKEN_SETREGID])
1106	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1107	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1108	TEST_SHELL=$SHELL	# let configure find us a capable shell
1109	;;
1110# UnixWare 7.x, OpenUNIX 8
1111*-*-sysv5*)
1112	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1113	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1114	AC_DEFINE([USE_PIPES])
1115	AC_DEFINE([SETEUID_BREAKS_SETUID])
1116	AC_DEFINE([BROKEN_GETADDRINFO])
1117	AC_DEFINE([BROKEN_SETREUID])
1118	AC_DEFINE([BROKEN_SETREGID])
1119	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1120	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1121	TEST_SHELL=$SHELL	# let configure find us a capable shell
1122	check_for_libcrypt_later=1
1123	case "$host" in
1124	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1125		maildir=/var/spool/mail
1126		AC_DEFINE([BROKEN_UPDWTMPX])
1127		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1128			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1129			], , )
1130		;;
1131	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1132		;;
1133	esac
1134	;;
1135*-*-sysv*)
1136	;;
1137# SCO UNIX and OEM versions of SCO UNIX
1138*-*-sco3.2v4*)
1139	AC_MSG_ERROR("This Platform is no longer supported.")
1140	;;
1141# SCO OpenServer 5.x
1142*-*-sco3.2v5*)
1143	if test -z "$GCC"; then
1144		CFLAGS="$CFLAGS -belf"
1145	fi
1146	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1147	no_dev_ptmx=1
1148	AC_DEFINE([USE_PIPES])
1149	AC_DEFINE([HAVE_SECUREWARE])
1150	AC_DEFINE([DISABLE_SHADOW])
1151	AC_DEFINE([DISABLE_FD_PASSING])
1152	AC_DEFINE([SETEUID_BREAKS_SETUID])
1153	AC_DEFINE([BROKEN_GETADDRINFO])
1154	AC_DEFINE([BROKEN_SETREUID])
1155	AC_DEFINE([BROKEN_SETREGID])
1156	AC_DEFINE([WITH_ABBREV_NO_TTY])
1157	AC_DEFINE([BROKEN_UPDWTMPX])
1158	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1159	AC_CHECK_FUNCS([getluid setluid])
1160	MANTYPE=man
1161	TEST_SHELL=$SHELL	# let configure find us a capable shell
1162	SKIP_DISABLE_LASTLOG_DEFINE=yes
1163	;;
1164*-dec-osf*)
1165	AC_MSG_CHECKING([for Digital Unix SIA])
1166	no_osfsia=""
1167	AC_ARG_WITH([osfsia],
1168		[  --with-osfsia           Enable Digital Unix SIA],
1169		[
1170			if test "x$withval" = "xno" ; then
1171				AC_MSG_RESULT([disabled])
1172				no_osfsia=1
1173			fi
1174		],
1175	)
1176	if test -z "$no_osfsia" ; then
1177		if test -f /etc/sia/matrix.conf; then
1178			AC_MSG_RESULT([yes])
1179			AC_DEFINE([HAVE_OSF_SIA], [1],
1180				[Define if you have Digital Unix Security
1181				Integration Architecture])
1182			AC_DEFINE([DISABLE_LOGIN], [1],
1183				[Define if you don't want to use your
1184				system's login() call])
1185			AC_DEFINE([DISABLE_FD_PASSING])
1186			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1187			SIA_MSG="yes"
1188		else
1189			AC_MSG_RESULT([no])
1190			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1191			  [String used in /etc/passwd to denote locked account])
1192		fi
1193	fi
1194	AC_DEFINE([BROKEN_GETADDRINFO])
1195	AC_DEFINE([SETEUID_BREAKS_SETUID])
1196	AC_DEFINE([BROKEN_SETREUID])
1197	AC_DEFINE([BROKEN_SETREGID])
1198	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1199	;;
1200
1201*-*-nto-qnx*)
1202	AC_DEFINE([USE_PIPES])
1203	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1204	AC_DEFINE([DISABLE_LASTLOG])
1205	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1206	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1207	enable_etc_default_login=no	# has incompatible /etc/default/login
1208	case "$host" in
1209	*-*-nto-qnx6*)
1210		AC_DEFINE([DISABLE_FD_PASSING])
1211		;;
1212	esac
1213	;;
1214
1215*-*-ultrix*)
1216	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1217	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1218	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1219	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1220	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1221	# don't get a controlling tty.
1222	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1223	# On Ultrix some headers are not protected against multiple includes,
1224	# so we create wrappers and put it where the compiler will find it.
1225	AC_MSG_WARN([creating compat wrappers for headers])
1226	mkdir -p netinet
1227	for header in netinet/ip.h netdb.h resolv.h; do
1228		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1229		cat >$header <<EOD
1230#ifndef _SSH_COMPAT_${name}
1231#define _SSH_COMPAT_${name}
1232#include "/usr/include/${header}"
1233#endif
1234EOD
1235	done
1236	;;
1237
1238*-*-lynxos)
1239	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1240	AC_DEFINE([BROKEN_SETVBUF], [1],
1241	    [LynxOS has broken setvbuf() implementation])
1242	;;
1243esac
1244
1245AC_MSG_CHECKING([compiler and flags for sanity])
1246AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1247	[	AC_MSG_RESULT([yes]) ],
1248	[
1249		AC_MSG_RESULT([no])
1250		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1251	],
1252	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1253)
1254
1255dnl Checks for header files.
1256# Checks for libraries.
1257AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1258
1259dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1260AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1261	AC_CHECK_LIB([gen], [dirname], [
1262		AC_CACHE_CHECK([for broken dirname],
1263			ac_cv_have_broken_dirname, [
1264			save_LIBS="$LIBS"
1265			LIBS="$LIBS -lgen"
1266			AC_RUN_IFELSE(
1267				[AC_LANG_SOURCE([[
1268#include <libgen.h>
1269#include <string.h>
1270
1271int main(int argc, char **argv) {
1272    char *s, buf[32];
1273
1274    strncpy(buf,"/etc", 32);
1275    s = dirname(buf);
1276    if (!s || strncmp(s, "/", 32) != 0) {
1277	exit(1);
1278    } else {
1279	exit(0);
1280    }
1281}
1282				]])],
1283				[ ac_cv_have_broken_dirname="no" ],
1284				[ ac_cv_have_broken_dirname="yes" ],
1285				[ ac_cv_have_broken_dirname="no" ],
1286			)
1287			LIBS="$save_LIBS"
1288		])
1289		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1290			LIBS="$LIBS -lgen"
1291			AC_DEFINE([HAVE_DIRNAME])
1292			AC_CHECK_HEADERS([libgen.h])
1293		fi
1294	])
1295])
1296
1297AC_CHECK_FUNC([getspnam], ,
1298	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1299AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1300	[Define if you have the basename function.])])
1301
1302dnl zlib defaults to enabled
1303zlib=yes
1304AC_ARG_WITH([zlib],
1305	[  --with-zlib=PATH        Use zlib in PATH],
1306	[ if test "x$withval" = "xno" ; then
1307		zlib=no
1308	  elif test "x$withval" != "xyes"; then
1309		if test -d "$withval/lib"; then
1310			if test -n "${rpath_opt}"; then
1311				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1312			else
1313				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1314			fi
1315		else
1316			if test -n "${rpath_opt}"; then
1317				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1318			else
1319				LDFLAGS="-L${withval} ${LDFLAGS}"
1320			fi
1321		fi
1322		if test -d "$withval/include"; then
1323			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1324		else
1325			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1326		fi
1327	fi ]
1328)
1329
1330AC_MSG_CHECKING([for zlib])
1331if test "x${zlib}" = "xno"; then
1332	AC_MSG_RESULT([no])
1333else
1334	AC_MSG_RESULT([yes])
1335	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1336    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1337    AC_CHECK_LIB([z], [deflate], ,
1338	[
1339		saved_CPPFLAGS="$CPPFLAGS"
1340		saved_LDFLAGS="$LDFLAGS"
1341		save_LIBS="$LIBS"
1342		dnl Check default zlib install dir
1343		if test -n "${rpath_opt}"; then
1344			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1345		else
1346			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1347		fi
1348		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1349		LIBS="$LIBS -lz"
1350		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1351			[
1352				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1353			]
1354		)
1355	]
1356    )
1357
1358    AC_ARG_WITH([zlib-version-check],
1359	[  --without-zlib-version-check Disable zlib version check],
1360	[  if test "x$withval" = "xno" ; then
1361		zlib_check_nonfatal=1
1362	   fi
1363	]
1364    )
1365
1366    AC_MSG_CHECKING([for possibly buggy zlib])
1367    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1368#include <stdio.h>
1369#include <stdlib.h>
1370#include <zlib.h>
1371	]],
1372	[[
1373	int a=0, b=0, c=0, d=0, n, v;
1374	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1375	if (n != 3 && n != 4)
1376		exit(1);
1377	v = a*1000000 + b*10000 + c*100 + d;
1378	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1379
1380	/* 1.1.4 is OK */
1381	if (a == 1 && b == 1 && c >= 4)
1382		exit(0);
1383
1384	/* 1.2.3 and up are OK */
1385	if (v >= 1020300)
1386		exit(0);
1387
1388	exit(2);
1389	]])],
1390	AC_MSG_RESULT([no]),
1391	[ AC_MSG_RESULT([yes])
1392	  if test -z "$zlib_check_nonfatal" ; then
1393		AC_MSG_ERROR([*** zlib too old - check config.log ***
1394Your reported zlib version has known security problems.  It's possible your
1395vendor has fixed these problems without changing the version number.  If you
1396are sure this is the case, you can disable the check by running
1397"./configure --without-zlib-version-check".
1398If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1399See http://www.gzip.org/zlib/ for details.])
1400	  else
1401		AC_MSG_WARN([zlib version may have security problems])
1402	  fi
1403	],
1404	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1405    )
1406fi
1407
1408dnl UnixWare 2.x
1409AC_CHECK_FUNC([strcasecmp],
1410	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1411)
1412AC_CHECK_FUNCS([utimes],
1413	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1414					LIBS="$LIBS -lc89"]) ]
1415)
1416
1417dnl    Checks for libutil functions
1418AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1419AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1420AC_SEARCH_LIBS([scan_scaled], [util bsd])
1421AC_SEARCH_LIBS([login], [util bsd])
1422AC_SEARCH_LIBS([logout], [util bsd])
1423AC_SEARCH_LIBS([logwtmp], [util bsd])
1424AC_SEARCH_LIBS([openpty], [util bsd])
1425AC_SEARCH_LIBS([updwtmp], [util bsd])
1426AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1427
1428# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1429# or libnsl.
1430AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1431AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1432
1433# "Particular Function Checks"
1434# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1435AC_FUNC_STRFTIME
1436AC_FUNC_MALLOC
1437AC_FUNC_REALLOC
1438# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1439AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1440AC_RUN_IFELSE(
1441	[AC_LANG_PROGRAM(
1442		[[ #include <stdlib.h> ]],
1443		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1444	)],
1445	[ func_calloc_0_nonnull=yes ],
1446	[ func_calloc_0_nonnull=no ],
1447	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1448	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1449)
1450AC_MSG_RESULT([$func_calloc_0_nonnull])
1451
1452if test "x$func_calloc_0_nonnull" = "xyes"; then
1453	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1454else
1455	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1456	AC_DEFINE(calloc, rpl_calloc,
1457	    [Define to rpl_calloc if the replacement function should be used.])
1458fi
1459
1460# Check for ALTDIRFUNC glob() extension
1461AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1462AC_EGREP_CPP([FOUNDIT],
1463	[
1464		#include <glob.h>
1465		#ifdef GLOB_ALTDIRFUNC
1466		FOUNDIT
1467		#endif
1468	],
1469	[
1470		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1471			[Define if your system glob() function has
1472			the GLOB_ALTDIRFUNC extension])
1473		AC_MSG_RESULT([yes])
1474	],
1475	[
1476		AC_MSG_RESULT([no])
1477	]
1478)
1479
1480# Check for g.gl_matchc glob() extension
1481AC_MSG_CHECKING([for gl_matchc field in glob_t])
1482AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1483	[[ glob_t g; g.gl_matchc = 1; ]])],
1484	[
1485		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1486			[Define if your system glob() function has
1487			gl_matchc options in glob_t])
1488		AC_MSG_RESULT([yes])
1489	], [
1490		AC_MSG_RESULT([no])
1491])
1492
1493# Check for g.gl_statv glob() extension
1494AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1495AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1496#ifndef GLOB_KEEPSTAT
1497#error "glob does not support GLOB_KEEPSTAT extension"
1498#endif
1499glob_t g;
1500g.gl_statv = NULL;
1501]])],
1502	[
1503		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1504			[Define if your system glob() function has
1505			gl_statv options in glob_t])
1506		AC_MSG_RESULT([yes])
1507	], [
1508		AC_MSG_RESULT([no])
1509
1510])
1511
1512AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1513
1514AC_CHECK_DECL([VIS_ALL], ,
1515    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1516
1517AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1518AC_RUN_IFELSE(
1519	[AC_LANG_PROGRAM([[
1520#include <sys/types.h>
1521#include <dirent.h>]],
1522	[[
1523	struct dirent d;
1524	exit(sizeof(d.d_name)<=sizeof(char));
1525	]])],
1526	[AC_MSG_RESULT([yes])],
1527	[
1528		AC_MSG_RESULT([no])
1529		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1530			[Define if your struct dirent expects you to
1531			allocate extra space for d_name])
1532	],
1533	[
1534		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1535		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1536	]
1537)
1538
1539AC_MSG_CHECKING([for /proc/pid/fd directory])
1540if test -d "/proc/$$/fd" ; then
1541	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1542	AC_MSG_RESULT([yes])
1543else
1544	AC_MSG_RESULT([no])
1545fi
1546
1547# Check whether user wants to use ldns
1548LDNS_MSG="no"
1549AC_ARG_WITH(ldns,
1550	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1551	[
1552	ldns=""
1553	if test "x$withval" = "xyes" ; then
1554		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1555		if test "x$LDNSCONFIG" = "xno"; then
1556			LIBS="-lldns $LIBS"
1557			ldns=yes
1558		else
1559			LIBS="$LIBS `$LDNSCONFIG --libs`"
1560			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1561			ldns=yes
1562		fi
1563	elif test "x$withval" != "xno" ; then
1564			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1565			LDFLAGS="$LDFLAGS -L${withval}/lib"
1566			LIBS="-lldns $LIBS"
1567			ldns=yes
1568	fi
1569
1570	# Verify that it works.
1571	if test "x$ldns" = "xyes" ; then
1572		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1573		LDNS_MSG="yes"
1574		AC_MSG_CHECKING([for ldns support])
1575		AC_LINK_IFELSE(
1576			[AC_LANG_SOURCE([[
1577#include <stdio.h>
1578#include <stdlib.h>
1579#ifdef HAVE_STDINT_H
1580# include <stdint.h>
1581#endif
1582#include <ldns/ldns.h>
1583int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1584			]])
1585		],
1586			[AC_MSG_RESULT(yes)],
1587				[
1588					AC_MSG_RESULT(no)
1589					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1590				])
1591	fi
1592])
1593
1594# Check whether user wants libedit support
1595LIBEDIT_MSG="no"
1596AC_ARG_WITH([libedit],
1597	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1598	[ if test "x$withval" != "xno" ; then
1599		if test "x$withval" = "xyes" ; then
1600			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1601			if test "x$PKGCONFIG" != "xno"; then
1602				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1603				if "$PKGCONFIG" libedit; then
1604					AC_MSG_RESULT([yes])
1605					use_pkgconfig_for_libedit=yes
1606				else
1607					AC_MSG_RESULT([no])
1608				fi
1609			fi
1610		else
1611			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1612			if test -n "${rpath_opt}"; then
1613				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1614			else
1615				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1616			fi
1617		fi
1618		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1619			LIBEDIT=`$PKGCONFIG --libs libedit`
1620			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1621		else
1622			LIBEDIT="-ledit -lcurses"
1623		fi
1624		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1625		AC_CHECK_LIB([edit], [el_init],
1626			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1627			  LIBEDIT_MSG="yes"
1628			  AC_SUBST([LIBEDIT])
1629			],
1630			[ AC_MSG_ERROR([libedit not found]) ],
1631			[ $OTHERLIBS ]
1632		)
1633		AC_MSG_CHECKING([if libedit version is compatible])
1634		AC_COMPILE_IFELSE(
1635		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1636		    [[
1637	int i = H_SETSIZE;
1638	el_init("", NULL, NULL, NULL);
1639	exit(0);
1640		    ]])],
1641		    [ AC_MSG_RESULT([yes]) ],
1642		    [ AC_MSG_RESULT([no])
1643		      AC_MSG_ERROR([libedit version is not compatible]) ]
1644		)
1645	fi ]
1646)
1647
1648AUDIT_MODULE=none
1649AC_ARG_WITH([audit],
1650	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1651	[
1652	  AC_MSG_CHECKING([for supported audit module])
1653	  case "$withval" in
1654	  bsm)
1655		AC_MSG_RESULT([bsm])
1656		AUDIT_MODULE=bsm
1657		dnl    Checks for headers, libs and functions
1658		AC_CHECK_HEADERS([bsm/audit.h], [],
1659		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1660		    [
1661#ifdef HAVE_TIME_H
1662# include <time.h>
1663#endif
1664		    ]
1665)
1666		AC_CHECK_LIB([bsm], [getaudit], [],
1667		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1668		AC_CHECK_FUNCS([getaudit], [],
1669		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1670		# These are optional
1671		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1672		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1673		if test "$sol2ver" -ge 11; then
1674			SSHDLIBS="$SSHDLIBS -lscf"
1675			AC_DEFINE([BROKEN_BSM_API], [1],
1676				[The system has incomplete BSM API])
1677		fi
1678		;;
1679	  linux)
1680		AC_MSG_RESULT([linux])
1681		AUDIT_MODULE=linux
1682		dnl    Checks for headers, libs and functions
1683		AC_CHECK_HEADERS([libaudit.h])
1684		SSHDLIBS="$SSHDLIBS -laudit"
1685		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1686		;;
1687	  debug)
1688		AUDIT_MODULE=debug
1689		AC_MSG_RESULT([debug])
1690		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1691		;;
1692	  no)
1693		AC_MSG_RESULT([no])
1694		;;
1695	  *)
1696		AC_MSG_ERROR([Unknown audit module $withval])
1697		;;
1698	esac ]
1699)
1700
1701AC_ARG_WITH([pie],
1702    [  --with-pie              Build Position Independent Executables if possible], [
1703	if test "x$withval" = "xno"; then
1704		use_pie=no
1705	fi
1706	if test "x$withval" = "xyes"; then
1707		use_pie=yes
1708	fi
1709    ]
1710)
1711if test "x$use_pie" = "x"; then
1712	use_pie=no
1713fi
1714if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1715	# Turn off automatic PIE when toolchain hardening is off.
1716	use_pie=no
1717fi
1718if test "x$use_pie" = "xauto"; then
1719	# Automatic PIE requires gcc >= 4.x
1720	AC_MSG_CHECKING([for gcc >= 4.x])
1721	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1722#if !defined(__GNUC__) || __GNUC__ < 4
1723#error gcc is too old
1724#endif
1725]])],
1726	[ AC_MSG_RESULT([yes]) ],
1727	[ AC_MSG_RESULT([no])
1728	  use_pie=no ]
1729)
1730fi
1731if test "x$use_pie" != "xno"; then
1732	SAVED_CFLAGS="$CFLAGS"
1733	SAVED_LDFLAGS="$LDFLAGS"
1734	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1735	OSSH_CHECK_LDFLAG_LINK([-pie])
1736	# We use both -fPIE and -pie or neither.
1737	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1738	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1739	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1740		AC_MSG_RESULT([yes])
1741	else
1742		AC_MSG_RESULT([no])
1743		CFLAGS="$SAVED_CFLAGS"
1744		LDFLAGS="$SAVED_LDFLAGS"
1745	fi
1746fi
1747
1748AC_MSG_CHECKING([whether -fPIC is accepted])
1749SAVED_CFLAGS="$CFLAGS"
1750CFLAGS="$CFLAGS -fPIC"
1751AC_COMPILE_IFELSE(
1752	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1753   [AC_MSG_RESULT([yes])
1754    PICFLAG="-fPIC"; ],
1755   [AC_MSG_RESULT([no])
1756    PICFLAG=""; ])
1757CFLAGS="$SAVED_CFLAGS"
1758AC_SUBST([PICFLAG])
1759
1760dnl    Checks for library functions. Please keep in alphabetical order
1761AC_CHECK_FUNCS([ \
1762	Blowfish_initstate \
1763	Blowfish_expandstate \
1764	Blowfish_expand0state \
1765	Blowfish_stream2word \
1766	SHA256Update \
1767	SHA384Update \
1768	SHA512Update \
1769	asprintf \
1770	b64_ntop \
1771	__b64_ntop \
1772	b64_pton \
1773	__b64_pton \
1774	bcopy \
1775	bcrypt_pbkdf \
1776	bindresvport_sa \
1777	blf_enc \
1778	bzero \
1779	cap_rights_limit \
1780	clock \
1781	closefrom \
1782	dirfd \
1783	endgrent \
1784	err \
1785	errx \
1786	explicit_bzero \
1787	fchmod \
1788	fchmodat \
1789	fchown \
1790	fchownat \
1791	flock \
1792	fnmatch \
1793	freeaddrinfo \
1794	freezero \
1795	fstatfs \
1796	fstatvfs \
1797	futimes \
1798	getaddrinfo \
1799	getcwd \
1800	getgrouplist \
1801	getline \
1802	getnameinfo \
1803	getopt \
1804	getpagesize \
1805	getpeereid \
1806	getpeerucred \
1807	getpgid \
1808	_getpty \
1809	getrlimit \
1810	getrandom \
1811	getsid \
1812	getttyent \
1813	glob \
1814	group_from_gid \
1815	inet_aton \
1816	inet_ntoa \
1817	inet_ntop \
1818	innetgr \
1819	llabs \
1820	localtime_r \
1821	login_getcapbool \
1822	md5_crypt \
1823	memmem \
1824	memmove \
1825	memset_s \
1826	mkdtemp \
1827	ngetaddrinfo \
1828	nsleep \
1829	ogetaddrinfo \
1830	openlog_r \
1831	pledge \
1832	poll \
1833	prctl \
1834	pstat \
1835	raise \
1836	readpassphrase \
1837	reallocarray \
1838	realpath \
1839	recvmsg \
1840	recallocarray \
1841	rresvport_af \
1842	sendmsg \
1843	setdtablesize \
1844	setegid \
1845	setenv \
1846	seteuid \
1847	setgroupent \
1848	setgroups \
1849	setlinebuf \
1850	setlogin \
1851	setpassent\
1852	setpcred \
1853	setproctitle \
1854	setregid \
1855	setreuid \
1856	setrlimit \
1857	setsid \
1858	setvbuf \
1859	sigaction \
1860	sigvec \
1861	snprintf \
1862	socketpair \
1863	statfs \
1864	statvfs \
1865	strcasestr \
1866	strdup \
1867	strerror \
1868	strlcat \
1869	strlcpy \
1870	strmode \
1871	strndup \
1872	strnlen \
1873	strnvis \
1874	strptime \
1875	strsignal \
1876	strtonum \
1877	strtoll \
1878	strtoul \
1879	strtoull \
1880	swap32 \
1881	sysconf \
1882	tcgetpgrp \
1883	timingsafe_bcmp \
1884	truncate \
1885	unsetenv \
1886	updwtmpx \
1887	utimensat \
1888	user_from_uid \
1889	usleep \
1890	vasprintf \
1891	vsnprintf \
1892	waitpid \
1893	warn \
1894])
1895
1896AC_CHECK_DECLS([bzero, memmem])
1897
1898dnl Wide character support.
1899AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1900
1901TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1902AC_MSG_CHECKING([for utf8 locale support])
1903AC_RUN_IFELSE(
1904	[AC_LANG_PROGRAM([[
1905#include <locale.h>
1906#include <stdlib.h>
1907	]], [[
1908	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1909	if (loc != NULL)
1910		exit(0);
1911	exit(1);
1912	]])],
1913	AC_MSG_RESULT(yes),
1914	[AC_MSG_RESULT(no)
1915	 TEST_SSH_UTF8=no],
1916	AC_MSG_WARN([cross compiling: assuming yes])
1917)
1918
1919AC_LINK_IFELSE(
1920        [AC_LANG_PROGRAM(
1921           [[ #include <ctype.h> ]],
1922           [[ return (isblank('a')); ]])],
1923	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1924])
1925
1926disable_pkcs11=
1927AC_ARG_ENABLE([pkcs11],
1928	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1929	[
1930		if test "x$enableval" = "xno" ; then
1931			disable_pkcs11=1
1932		fi
1933	]
1934)
1935
1936disable_sk=
1937AC_ARG_ENABLE([security-key],
1938	[  --disable-security-key  disable U2F/FIDO support code [no]],
1939	[
1940		if test "x$enableval" = "xno" ; then
1941			disable_sk=1
1942		fi
1943	]
1944)
1945enable_sk_internal=
1946AC_ARG_WITH([security-key-builtin],
1947	[  --with-security-key-builtin include builtin U2F/FIDO support],
1948	[
1949		if test "x$withval" != "xno" ; then
1950			enable_sk_internal=yes
1951		fi
1952	]
1953)
1954test "x$disable_sk" != "x" && enable_sk_internal=""
1955
1956AC_SEARCH_LIBS([dlopen], [dl])
1957AC_CHECK_FUNCS([dlopen])
1958AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1959
1960# IRIX has a const char return value for gai_strerror()
1961AC_CHECK_FUNCS([gai_strerror], [
1962	AC_DEFINE([HAVE_GAI_STRERROR])
1963	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1964#include <sys/types.h>
1965#include <sys/socket.h>
1966#include <netdb.h>
1967
1968const char *gai_strerror(int);
1969			]], [[
1970	char *str;
1971	str = gai_strerror(0);
1972			]])], [
1973		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1974		[Define if gai_strerror() returns const char *])], [])])
1975
1976AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1977	[Some systems put nanosleep outside of libc])])
1978
1979AC_SEARCH_LIBS([clock_gettime], [rt],
1980	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1981
1982dnl check if we need -D_REENTRANT for localtime_r declaration.
1983AC_CHECK_DECL([localtime_r], [],
1984	[ saved_CPPFLAGS="$CFLAGS"
1985	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1986	  unset ac_cv_have_decl_localtime_r
1987	  AC_CHECK_DECL([localtime_r], [],
1988		[ CPPFLAGS="$saved_CPPFLAGS" ],
1989		[ #include <time.h> ]
1990	  )
1991	],
1992	[ #include <time.h> ]
1993)
1994
1995dnl Make sure prototypes are defined for these before using them.
1996AC_CHECK_DECL([strsep],
1997	[AC_CHECK_FUNCS([strsep])],
1998	[],
1999	[
2000#ifdef HAVE_STRING_H
2001# include <string.h>
2002#endif
2003	])
2004
2005dnl tcsendbreak might be a macro
2006AC_CHECK_DECL([tcsendbreak],
2007	[AC_DEFINE([HAVE_TCSENDBREAK])],
2008	[AC_CHECK_FUNCS([tcsendbreak])],
2009	[#include <termios.h>]
2010)
2011
2012AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2013
2014AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2015	[
2016#include <sys/types.h>
2017#include <sys/socket.h>
2018#include <unistd.h>
2019	])
2020
2021AC_CHECK_DECLS([O_NONBLOCK], , ,
2022	[
2023#include <sys/types.h>
2024#ifdef HAVE_SYS_STAT_H
2025# include <sys/stat.h>
2026#endif
2027#ifdef HAVE_FCNTL_H
2028# include <fcntl.h>
2029#endif
2030	])
2031
2032AC_CHECK_DECLS([readv, writev], , , [
2033#include <sys/types.h>
2034#include <sys/uio.h>
2035#include <unistd.h>
2036	])
2037
2038AC_CHECK_DECLS([MAXSYMLINKS], , , [
2039#include <sys/param.h>
2040	])
2041
2042AC_CHECK_DECLS([offsetof], , , [
2043#include <stddef.h>
2044	])
2045
2046# extra bits for select(2)
2047AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2048#include <sys/param.h>
2049#include <sys/types.h>
2050#ifdef HAVE_SYS_SYSMACROS_H
2051#include <sys/sysmacros.h>
2052#endif
2053#ifdef HAVE_SYS_SELECT_H
2054#include <sys/select.h>
2055#endif
2056#ifdef HAVE_SYS_TIME_H
2057#include <sys/time.h>
2058#endif
2059#ifdef HAVE_UNISTD_H
2060#include <unistd.h>
2061#endif
2062	]])
2063AC_CHECK_TYPES([fd_mask], [], [], [[
2064#include <sys/param.h>
2065#include <sys/types.h>
2066#ifdef HAVE_SYS_SELECT_H
2067#include <sys/select.h>
2068#endif
2069#ifdef HAVE_SYS_TIME_H
2070#include <sys/time.h>
2071#endif
2072#ifdef HAVE_UNISTD_H
2073#include <unistd.h>
2074#endif
2075	]])
2076
2077AC_CHECK_FUNCS([setresuid], [
2078	dnl Some platorms have setresuid that isn't implemented, test for this
2079	AC_MSG_CHECKING([if setresuid seems to work])
2080	AC_RUN_IFELSE(
2081		[AC_LANG_PROGRAM([[
2082#include <stdlib.h>
2083#include <errno.h>
2084		]], [[
2085	errno=0;
2086	setresuid(0,0,0);
2087	if (errno==ENOSYS)
2088		exit(1);
2089	else
2090		exit(0);
2091		]])],
2092		[AC_MSG_RESULT([yes])],
2093		[AC_DEFINE([BROKEN_SETRESUID], [1],
2094			[Define if your setresuid() is broken])
2095		 AC_MSG_RESULT([not implemented])],
2096		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2097	)
2098])
2099
2100AC_CHECK_FUNCS([setresgid], [
2101	dnl Some platorms have setresgid that isn't implemented, test for this
2102	AC_MSG_CHECKING([if setresgid seems to work])
2103	AC_RUN_IFELSE(
2104		[AC_LANG_PROGRAM([[
2105#include <stdlib.h>
2106#include <errno.h>
2107		]], [[
2108	errno=0;
2109	setresgid(0,0,0);
2110	if (errno==ENOSYS)
2111		exit(1);
2112	else
2113		exit(0);
2114		]])],
2115		[AC_MSG_RESULT([yes])],
2116		[AC_DEFINE([BROKEN_SETRESGID], [1],
2117			[Define if your setresgid() is broken])
2118		 AC_MSG_RESULT([not implemented])],
2119		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2120	)
2121])
2122
2123AC_MSG_CHECKING([for working fflush(NULL)])
2124AC_RUN_IFELSE(
2125	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2126	AC_MSG_RESULT([yes]),
2127	[AC_MSG_RESULT([no])
2128	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2129	    [define if fflush(NULL) does not work])],
2130	AC_MSG_WARN([cross compiling: assuming working])
2131)
2132
2133dnl    Checks for time functions
2134AC_CHECK_FUNCS([gettimeofday time])
2135dnl    Checks for utmp functions
2136AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2137AC_CHECK_FUNCS([utmpname])
2138dnl    Checks for utmpx functions
2139AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2140AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2141dnl    Checks for lastlog functions
2142AC_CHECK_FUNCS([getlastlogxbyname])
2143
2144AC_CHECK_FUNC([daemon],
2145	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2146	[AC_CHECK_LIB([bsd], [daemon],
2147		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2148)
2149
2150AC_CHECK_FUNC([getpagesize],
2151	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2152		[Define if your libraries define getpagesize()])],
2153	[AC_CHECK_LIB([ucb], [getpagesize],
2154		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2155)
2156
2157# Check for broken snprintf
2158if test "x$ac_cv_func_snprintf" = "xyes" ; then
2159	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2160	AC_RUN_IFELSE(
2161		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2162		[[
2163	char b[5];
2164	snprintf(b,5,"123456789");
2165	exit(b[4]!='\0');
2166		]])],
2167		[AC_MSG_RESULT([yes])],
2168		[
2169			AC_MSG_RESULT([no])
2170			AC_DEFINE([BROKEN_SNPRINTF], [1],
2171				[Define if your snprintf is busted])
2172			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2173		],
2174		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2175	)
2176fi
2177
2178if test "x$ac_cv_func_snprintf" = "xyes" ; then
2179	AC_MSG_CHECKING([whether snprintf understands %zu])
2180	AC_RUN_IFELSE(
2181		[AC_LANG_PROGRAM([[
2182#include <sys/types.h>
2183#include <stdio.h>
2184		]],
2185		[[
2186	size_t a = 1, b = 2;
2187	char z[128];
2188	snprintf(z, sizeof z, "%zu%zu", a, b);
2189	exit(strcmp(z, "12"));
2190		]])],
2191		[AC_MSG_RESULT([yes])],
2192		[
2193			AC_MSG_RESULT([no])
2194			AC_DEFINE([BROKEN_SNPRINTF], [1],
2195				[snprintf does not understand %zu])
2196		],
2197		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2198	)
2199fi
2200
2201# We depend on vsnprintf returning the right thing on overflow: the
2202# number of characters it tried to create (as per SUSv3)
2203if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2204	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2205	AC_RUN_IFELSE(
2206		[AC_LANG_PROGRAM([[
2207#include <sys/types.h>
2208#include <stdio.h>
2209#include <stdarg.h>
2210
2211int x_snprintf(char *str, size_t count, const char *fmt, ...)
2212{
2213	size_t ret;
2214	va_list ap;
2215
2216	va_start(ap, fmt);
2217	ret = vsnprintf(str, count, fmt, ap);
2218	va_end(ap);
2219	return ret;
2220}
2221		]], [[
2222char x[1];
2223if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2224	return 1;
2225if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2226	return 1;
2227return 0;
2228		]])],
2229		[AC_MSG_RESULT([yes])],
2230		[
2231			AC_MSG_RESULT([no])
2232			AC_DEFINE([BROKEN_SNPRINTF], [1],
2233				[Define if your snprintf is busted])
2234			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2235		],
2236		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2237	)
2238fi
2239
2240# On systems where [v]snprintf is broken, but is declared in stdio,
2241# check that the fmt argument is const char * or just char *.
2242# This is only useful for when BROKEN_SNPRINTF
2243AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2244AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2245#include <stdio.h>
2246int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2247		]], [[
2248	snprintf(0, 0, 0);
2249		]])],
2250   [AC_MSG_RESULT([yes])
2251    AC_DEFINE([SNPRINTF_CONST], [const],
2252              [Define as const if snprintf() can declare const char *fmt])],
2253   [AC_MSG_RESULT([no])
2254    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2255
2256# Check for missing getpeereid (or equiv) support
2257NO_PEERCHECK=""
2258if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2259	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2260	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2261#include <sys/types.h>
2262#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2263		[ AC_MSG_RESULT([yes])
2264		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2265		], [AC_MSG_RESULT([no])
2266		NO_PEERCHECK=1
2267        ])
2268fi
2269
2270dnl see whether mkstemp() requires XXXXXX
2271if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2272AC_MSG_CHECKING([for (overly) strict mkstemp])
2273AC_RUN_IFELSE(
2274	[AC_LANG_PROGRAM([[
2275#include <stdlib.h>
2276	]], [[
2277	char template[]="conftest.mkstemp-test";
2278	if (mkstemp(template) == -1)
2279		exit(1);
2280	unlink(template);
2281	exit(0);
2282	]])],
2283	[
2284		AC_MSG_RESULT([no])
2285	],
2286	[
2287		AC_MSG_RESULT([yes])
2288		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2289	],
2290	[
2291		AC_MSG_RESULT([yes])
2292		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2293	]
2294)
2295fi
2296
2297dnl make sure that openpty does not reacquire controlling terminal
2298if test ! -z "$check_for_openpty_ctty_bug"; then
2299	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2300	AC_RUN_IFELSE(
2301		[AC_LANG_PROGRAM([[
2302#include <stdio.h>
2303#include <sys/fcntl.h>
2304#include <sys/types.h>
2305#include <sys/wait.h>
2306		]], [[
2307	pid_t pid;
2308	int fd, ptyfd, ttyfd, status;
2309
2310	pid = fork();
2311	if (pid < 0) {		/* failed */
2312		exit(1);
2313	} else if (pid > 0) {	/* parent */
2314		waitpid(pid, &status, 0);
2315		if (WIFEXITED(status))
2316			exit(WEXITSTATUS(status));
2317		else
2318			exit(2);
2319	} else {		/* child */
2320		close(0); close(1); close(2);
2321		setsid();
2322		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2323		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2324		if (fd >= 0)
2325			exit(3);	/* Acquired ctty: broken */
2326		else
2327			exit(0);	/* Did not acquire ctty: OK */
2328	}
2329		]])],
2330		[
2331			AC_MSG_RESULT([yes])
2332		],
2333		[
2334			AC_MSG_RESULT([no])
2335			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2336		],
2337		[
2338			AC_MSG_RESULT([cross-compiling, assuming yes])
2339		]
2340	)
2341fi
2342
2343if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2344    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2345	AC_MSG_CHECKING([if getaddrinfo seems to work])
2346	AC_RUN_IFELSE(
2347		[AC_LANG_PROGRAM([[
2348#include <stdio.h>
2349#include <sys/socket.h>
2350#include <netdb.h>
2351#include <errno.h>
2352#include <netinet/in.h>
2353
2354#define TEST_PORT "2222"
2355		]], [[
2356	int err, sock;
2357	struct addrinfo *gai_ai, *ai, hints;
2358	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2359
2360	memset(&hints, 0, sizeof(hints));
2361	hints.ai_family = PF_UNSPEC;
2362	hints.ai_socktype = SOCK_STREAM;
2363	hints.ai_flags = AI_PASSIVE;
2364
2365	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2366	if (err != 0) {
2367		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2368		exit(1);
2369	}
2370
2371	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2372		if (ai->ai_family != AF_INET6)
2373			continue;
2374
2375		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2376		    sizeof(ntop), strport, sizeof(strport),
2377		    NI_NUMERICHOST|NI_NUMERICSERV);
2378
2379		if (err != 0) {
2380			if (err == EAI_SYSTEM)
2381				perror("getnameinfo EAI_SYSTEM");
2382			else
2383				fprintf(stderr, "getnameinfo failed: %s\n",
2384				    gai_strerror(err));
2385			exit(2);
2386		}
2387
2388		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2389		if (sock < 0)
2390			perror("socket");
2391		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2392			if (errno == EBADF)
2393				exit(3);
2394		}
2395	}
2396	exit(0);
2397		]])],
2398		[
2399			AC_MSG_RESULT([yes])
2400		],
2401		[
2402			AC_MSG_RESULT([no])
2403			AC_DEFINE([BROKEN_GETADDRINFO])
2404		],
2405		[
2406			AC_MSG_RESULT([cross-compiling, assuming yes])
2407		]
2408	)
2409fi
2410
2411if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2412    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2413	AC_MSG_CHECKING([if getaddrinfo seems to work])
2414	AC_RUN_IFELSE(
2415		[AC_LANG_PROGRAM([[
2416#include <stdio.h>
2417#include <sys/socket.h>
2418#include <netdb.h>
2419#include <errno.h>
2420#include <netinet/in.h>
2421
2422#define TEST_PORT "2222"
2423		]], [[
2424	int err, sock;
2425	struct addrinfo *gai_ai, *ai, hints;
2426	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2427
2428	memset(&hints, 0, sizeof(hints));
2429	hints.ai_family = PF_UNSPEC;
2430	hints.ai_socktype = SOCK_STREAM;
2431	hints.ai_flags = AI_PASSIVE;
2432
2433	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2434	if (err != 0) {
2435		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2436		exit(1);
2437	}
2438
2439	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2440		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2441			continue;
2442
2443		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2444		    sizeof(ntop), strport, sizeof(strport),
2445		    NI_NUMERICHOST|NI_NUMERICSERV);
2446
2447		if (ai->ai_family == AF_INET && err != 0) {
2448			perror("getnameinfo");
2449			exit(2);
2450		}
2451	}
2452	exit(0);
2453		]])],
2454		[
2455			AC_MSG_RESULT([yes])
2456			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2457				[Define if you have a getaddrinfo that fails
2458				for the all-zeros IPv6 address])
2459		],
2460		[
2461			AC_MSG_RESULT([no])
2462			AC_DEFINE([BROKEN_GETADDRINFO])
2463		],
2464		[
2465			AC_MSG_RESULT([cross-compiling, assuming no])
2466		]
2467	)
2468fi
2469
2470if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2471	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2472	    [#include <sys/types.h>
2473	     #include <sys/socket.h>
2474	     #include <netdb.h>])
2475fi
2476
2477if test "x$check_for_conflicting_getspnam" = "x1"; then
2478	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2479	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2480		[[ exit(0); ]])],
2481		[
2482			AC_MSG_RESULT([no])
2483		],
2484		[
2485			AC_MSG_RESULT([yes])
2486			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2487			    [Conflicting defs for getspnam])
2488		]
2489	)
2490fi
2491
2492dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2493dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2494dnl for over ten years). Despite this incompatibility being reported during
2495dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2496dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2497dnl implementation.  Try to detect this mess, and assume the only safe option
2498dnl if we're cross compiling.
2499dnl
2500dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2501dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2502if test "x$ac_cv_func_strnvis" = "xyes"; then
2503	AC_MSG_CHECKING([for working strnvis])
2504	AC_RUN_IFELSE(
2505		[AC_LANG_PROGRAM([[
2506#include <signal.h>
2507#include <stdlib.h>
2508#include <string.h>
2509#include <vis.h>
2510static void sighandler(int sig) { _exit(1); }
2511		]], [[
2512	char dst[16];
2513
2514	signal(SIGSEGV, sighandler);
2515	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2516		exit(0);
2517	exit(1)
2518		]])],
2519		[AC_MSG_RESULT([yes])],
2520		[AC_MSG_RESULT([no])
2521		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2522		[AC_MSG_WARN([cross compiling: assuming broken])
2523		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2524	)
2525fi
2526
2527AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2528AC_RUN_IFELSE(
2529	[AC_LANG_PROGRAM([[
2530#ifdef HAVE_SYS_SELECT
2531# include <sys/select.h>
2532#endif
2533#include <sys/types.h>
2534#include <sys/time.h>
2535#include <stdlib.h>
2536#include <signal.h>
2537static void sighandler(int sig) { }
2538		]], [[
2539	int r;
2540	pid_t pid;
2541	struct sigaction sa;
2542
2543	sa.sa_handler = sighandler;
2544	sa.sa_flags = SA_RESTART;
2545	(void)sigaction(SIGTERM, &sa, NULL);
2546	if ((pid = fork()) == 0) { /* child */
2547		pid = getppid();
2548		sleep(1);
2549		kill(pid, SIGTERM);
2550		sleep(1);
2551		if (getppid() == pid) /* if parent did not exit, shoot it */
2552			kill(pid, SIGKILL);
2553		exit(0);
2554	} else { /* parent */
2555		r = select(0, NULL, NULL, NULL, NULL);
2556	}
2557	exit(r == -1 ? 0 : 1);
2558	]])],
2559	[AC_MSG_RESULT([yes])],
2560	[AC_MSG_RESULT([no])
2561	 AC_DEFINE([NO_SA_RESTART], [1],
2562	    [SA_RESTARTed signals do no interrupt select])],
2563	[AC_MSG_WARN([cross compiling: assuming yes])]
2564)
2565
2566AC_CHECK_FUNCS([getpgrp],[
2567	AC_MSG_CHECKING([if getpgrp accepts zero args])
2568	AC_COMPILE_IFELSE(
2569		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2570		[ AC_MSG_RESULT([yes])
2571		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2572		[ AC_MSG_RESULT([no])
2573		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2574	)
2575])
2576
2577# Search for OpenSSL
2578saved_CPPFLAGS="$CPPFLAGS"
2579saved_LDFLAGS="$LDFLAGS"
2580AC_ARG_WITH([ssl-dir],
2581	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2582	[
2583		if test "x$openssl" = "xno" ; then
2584			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2585		fi
2586		if test "x$withval" != "xno" ; then
2587			case "$withval" in
2588				# Relative paths
2589				./*|../*)	withval="`pwd`/$withval"
2590			esac
2591			if test -d "$withval/lib"; then
2592				if test -n "${rpath_opt}"; then
2593					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2594				else
2595					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2596				fi
2597			elif test -d "$withval/lib64"; then
2598				if test -n "${rpath_opt}"; then
2599					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2600				else
2601					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2602				fi
2603			else
2604				if test -n "${rpath_opt}"; then
2605					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2606				else
2607					LDFLAGS="-L${withval} ${LDFLAGS}"
2608				fi
2609			fi
2610			if test -d "$withval/include"; then
2611				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2612			else
2613				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2614			fi
2615		fi
2616	]
2617)
2618
2619AC_ARG_WITH([openssl-header-check],
2620	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2621	[
2622		if test "x$withval" = "xno" ; then
2623			openssl_check_nonfatal=1
2624		fi
2625	]
2626)
2627
2628openssl_engine=no
2629AC_ARG_WITH([ssl-engine],
2630	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2631	[
2632		if test "x$withval" != "xno" ; then
2633			if test "x$openssl" = "xno" ; then
2634				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2635			fi
2636			openssl_engine=yes
2637		fi
2638	]
2639)
2640
2641if test "x$openssl" = "xyes" ; then
2642	LIBS="-lcrypto $LIBS"
2643	AC_TRY_LINK_FUNC([RAND_add], ,
2644	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2645	AC_CHECK_HEADER([openssl/opensslv.h], ,
2646	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2647
2648	# Determine OpenSSL header version
2649	AC_MSG_CHECKING([OpenSSL header version])
2650	AC_RUN_IFELSE(
2651		[AC_LANG_PROGRAM([[
2652	#include <stdlib.h>
2653	#include <stdio.h>
2654	#include <string.h>
2655	#include <openssl/opensslv.h>
2656	#define DATA "conftest.sslincver"
2657		]], [[
2658		FILE *fd;
2659		int rc;
2660
2661		fd = fopen(DATA,"w");
2662		if(fd == NULL)
2663			exit(1);
2664
2665		if ((rc = fprintf(fd, "%08lx (%s)\n",
2666		    (unsigned long)OPENSSL_VERSION_NUMBER,
2667		     OPENSSL_VERSION_TEXT)) < 0)
2668			exit(1);
2669
2670		exit(0);
2671		]])],
2672		[
2673			ssl_header_ver=`cat conftest.sslincver`
2674			AC_MSG_RESULT([$ssl_header_ver])
2675		],
2676		[
2677			AC_MSG_RESULT([not found])
2678			AC_MSG_ERROR([OpenSSL version header not found.])
2679		],
2680		[
2681			AC_MSG_WARN([cross compiling: not checking])
2682		]
2683	)
2684
2685	# Determining OpenSSL library version is version dependent.
2686	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2687
2688	# Determine OpenSSL library version
2689	AC_MSG_CHECKING([OpenSSL library version])
2690	AC_RUN_IFELSE(
2691		[AC_LANG_PROGRAM([[
2692	#include <stdio.h>
2693	#include <string.h>
2694	#include <openssl/opensslv.h>
2695	#include <openssl/crypto.h>
2696	#define DATA "conftest.ssllibver"
2697		]], [[
2698		FILE *fd;
2699		int rc;
2700
2701		fd = fopen(DATA,"w");
2702		if(fd == NULL)
2703			exit(1);
2704#ifndef OPENSSL_VERSION
2705# define OPENSSL_VERSION SSLEAY_VERSION
2706#endif
2707#ifndef HAVE_OPENSSL_VERSION
2708# define OpenSSL_version	SSLeay_version
2709#endif
2710#ifndef HAVE_OPENSSL_VERSION_NUM
2711# define OpenSSL_version_num	SSLeay
2712#endif
2713		if ((rc = fprintf(fd, "%08lx (%s)\n",
2714		    (unsigned long)OpenSSL_version_num(),
2715		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2716			exit(1);
2717
2718		exit(0);
2719		]])],
2720		[
2721			ssl_library_ver=`cat conftest.ssllibver`
2722			# Check version is supported.
2723			case "$ssl_library_ver" in
2724			10000*|0*)
2725				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2726		                ;;
2727			100*)   ;; # 1.0.x
2728			101000[[0123456]]*)
2729				# https://github.com/openssl/openssl/pull/4613
2730				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2731				;;
2732			101*)   ;; # 1.1.x
2733			200*)   ;; # LibreSSL
2734			300*)   ;; # OpenSSL development branch.
2735		        *)
2736				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2737		                ;;
2738			esac
2739			AC_MSG_RESULT([$ssl_library_ver])
2740		],
2741		[
2742			AC_MSG_RESULT([not found])
2743			AC_MSG_ERROR([OpenSSL library not found.])
2744		],
2745		[
2746			AC_MSG_WARN([cross compiling: not checking])
2747		]
2748	)
2749
2750	# Sanity check OpenSSL headers
2751	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2752	AC_RUN_IFELSE(
2753		[AC_LANG_PROGRAM([[
2754	#include <string.h>
2755	#include <openssl/opensslv.h>
2756	#include <openssl/crypto.h>
2757		]], [[
2758#ifndef HAVE_OPENSSL_VERSION_NUM
2759# define OpenSSL_version_num	SSLeay
2760#endif
2761		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2762		]])],
2763		[
2764			AC_MSG_RESULT([yes])
2765		],
2766		[
2767			AC_MSG_RESULT([no])
2768			if test "x$openssl_check_nonfatal" = "x"; then
2769				AC_MSG_ERROR([Your OpenSSL headers do not match your
2770	library. Check config.log for details.
2771	If you are sure your installation is consistent, you can disable the check
2772	by running "./configure --without-openssl-header-check".
2773	Also see contrib/findssl.sh for help identifying header/library mismatches.
2774	])
2775			else
2776				AC_MSG_WARN([Your OpenSSL headers do not match your
2777	library. Check config.log for details.
2778	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2779			fi
2780		],
2781		[
2782			AC_MSG_WARN([cross compiling: not checking])
2783		]
2784	)
2785
2786	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2787	AC_LINK_IFELSE(
2788		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2789		[[ ERR_load_crypto_strings(); ]])],
2790		[
2791			AC_MSG_RESULT([yes])
2792		],
2793		[
2794			AC_MSG_RESULT([no])
2795			saved_LIBS="$LIBS"
2796			LIBS="$LIBS -ldl"
2797			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2798			AC_LINK_IFELSE(
2799				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2800				[[ ERR_load_crypto_strings(); ]])],
2801				[
2802					AC_MSG_RESULT([yes])
2803				],
2804				[
2805					AC_MSG_RESULT([no])
2806					LIBS="$saved_LIBS"
2807				]
2808			)
2809		]
2810	)
2811
2812	AC_CHECK_FUNCS([ \
2813		BN_is_prime_ex \
2814		DSA_generate_parameters_ex \
2815		EVP_CIPHER_CTX_ctrl \
2816		EVP_DigestFinal_ex \
2817		EVP_DigestInit_ex \
2818		EVP_MD_CTX_cleanup \
2819		EVP_MD_CTX_copy_ex \
2820		EVP_MD_CTX_init \
2821		HMAC_CTX_init \
2822		RSA_generate_key_ex \
2823		RSA_get_default_method \
2824	])
2825
2826	# OpenSSL_add_all_algorithms may be a macro.
2827	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2828	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2829	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2830		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2831		[[#include <openssl/evp.h>]]
2832	    )
2833	)
2834
2835	# LibreSSL/OpenSSL 1.1x API
2836	AC_CHECK_FUNCS([ \
2837		OPENSSL_init_crypto \
2838		DH_get0_key \
2839		DH_get0_pqg \
2840		DH_set0_key \
2841		DH_set_length \
2842		DH_set0_pqg \
2843		DSA_get0_key \
2844		DSA_get0_pqg \
2845		DSA_set0_key \
2846		DSA_set0_pqg \
2847		DSA_SIG_get0 \
2848		DSA_SIG_set0 \
2849		ECDSA_SIG_get0 \
2850		ECDSA_SIG_set0 \
2851		EVP_CIPHER_CTX_iv \
2852		EVP_CIPHER_CTX_iv_noconst \
2853		EVP_CIPHER_CTX_get_iv \
2854		EVP_CIPHER_CTX_set_iv \
2855		RSA_get0_crt_params \
2856		RSA_get0_factors \
2857		RSA_get0_key \
2858		RSA_set0_crt_params \
2859		RSA_set0_factors \
2860		RSA_set0_key \
2861		RSA_meth_free \
2862		RSA_meth_dup \
2863		RSA_meth_set1_name \
2864		RSA_meth_get_finish \
2865		RSA_meth_set_priv_enc \
2866		RSA_meth_set_priv_dec \
2867		RSA_meth_set_finish \
2868		EVP_PKEY_get0_RSA \
2869		EVP_MD_CTX_new \
2870		EVP_MD_CTX_free \
2871		EVP_chacha20 \
2872	])
2873
2874	if test "x$openssl_engine" = "xyes" ; then
2875		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2876		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2877	#include <openssl/engine.h>
2878			]], [[
2879				ENGINE_load_builtin_engines();
2880				ENGINE_register_all_complete();
2881			]])],
2882			[ AC_MSG_RESULT([yes])
2883			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2884			     [Enable OpenSSL engine support])
2885			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2886		])
2887	fi
2888
2889	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2890	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2891	AC_LINK_IFELSE(
2892		[AC_LANG_PROGRAM([[
2893	#include <string.h>
2894	#include <openssl/evp.h>
2895		]], [[
2896		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2897		]])],
2898		[
2899			AC_MSG_RESULT([no])
2900		],
2901		[
2902			AC_MSG_RESULT([yes])
2903			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2904			    [libcrypto is missing AES 192 and 256 bit functions])
2905		]
2906	)
2907
2908	# Check for OpenSSL with EVP_aes_*ctr
2909	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2910	AC_LINK_IFELSE(
2911		[AC_LANG_PROGRAM([[
2912	#include <string.h>
2913	#include <openssl/evp.h>
2914		]], [[
2915		exit(EVP_aes_128_ctr() == NULL ||
2916		    EVP_aes_192_cbc() == NULL ||
2917		    EVP_aes_256_cbc() == NULL);
2918		]])],
2919		[
2920			AC_MSG_RESULT([yes])
2921			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2922			    [libcrypto has EVP AES CTR])
2923		],
2924		[
2925			AC_MSG_RESULT([no])
2926		]
2927	)
2928
2929	# Check for OpenSSL with EVP_aes_*gcm
2930	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2931	AC_LINK_IFELSE(
2932		[AC_LANG_PROGRAM([[
2933	#include <string.h>
2934	#include <openssl/evp.h>
2935		]], [[
2936		exit(EVP_aes_128_gcm() == NULL ||
2937		    EVP_aes_256_gcm() == NULL ||
2938		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2939		    EVP_CTRL_GCM_IV_GEN == 0 ||
2940		    EVP_CTRL_GCM_SET_TAG == 0 ||
2941		    EVP_CTRL_GCM_GET_TAG == 0 ||
2942		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2943		]])],
2944		[
2945			AC_MSG_RESULT([yes])
2946			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2947			    [libcrypto has EVP AES GCM])
2948		],
2949		[
2950			AC_MSG_RESULT([no])
2951			unsupported_algorithms="$unsupported_cipers \
2952			   aes128-gcm@openssh.com \
2953			   aes256-gcm@openssh.com"
2954		]
2955	)
2956
2957	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2958	AC_LINK_IFELSE(
2959		[AC_LANG_PROGRAM([[
2960	#include <string.h>
2961	#include <openssl/evp.h>
2962		]], [[
2963		if(EVP_DigestUpdate(NULL, NULL,0))
2964			exit(0);
2965		]])],
2966		[
2967			AC_MSG_RESULT([yes])
2968		],
2969		[
2970			AC_MSG_RESULT([no])
2971			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2972			    [Define if EVP_DigestUpdate returns void])
2973		]
2974	)
2975
2976	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2977	# because the system crypt() is more featureful.
2978	if test "x$check_for_libcrypt_before" = "x1"; then
2979		AC_CHECK_LIB([crypt], [crypt])
2980	fi
2981
2982	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2983	# version in OpenSSL.
2984	if test "x$check_for_libcrypt_later" = "x1"; then
2985		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2986	fi
2987	AC_CHECK_FUNCS([crypt DES_crypt])
2988
2989	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2990	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2991
2992	# Check complete ECC support in OpenSSL
2993	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2994	AC_LINK_IFELSE(
2995		[AC_LANG_PROGRAM([[
2996	#include <openssl/ec.h>
2997	#include <openssl/ecdh.h>
2998	#include <openssl/ecdsa.h>
2999	#include <openssl/evp.h>
3000	#include <openssl/objects.h>
3001	#include <openssl/opensslv.h>
3002		]], [[
3003		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3004		const EVP_MD *m = EVP_sha256(); /* We need this too */
3005		]])],
3006		[ AC_MSG_RESULT([yes])
3007		  enable_nistp256=1 ],
3008		[ AC_MSG_RESULT([no]) ]
3009	)
3010
3011	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3012	AC_LINK_IFELSE(
3013		[AC_LANG_PROGRAM([[
3014	#include <openssl/ec.h>
3015	#include <openssl/ecdh.h>
3016	#include <openssl/ecdsa.h>
3017	#include <openssl/evp.h>
3018	#include <openssl/objects.h>
3019	#include <openssl/opensslv.h>
3020		]], [[
3021		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3022		const EVP_MD *m = EVP_sha384(); /* We need this too */
3023		]])],
3024		[ AC_MSG_RESULT([yes])
3025		  enable_nistp384=1 ],
3026		[ AC_MSG_RESULT([no]) ]
3027	)
3028
3029	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3030	AC_LINK_IFELSE(
3031		[AC_LANG_PROGRAM([[
3032	#include <openssl/ec.h>
3033	#include <openssl/ecdh.h>
3034	#include <openssl/ecdsa.h>
3035	#include <openssl/evp.h>
3036	#include <openssl/objects.h>
3037	#include <openssl/opensslv.h>
3038		]], [[
3039		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3040		const EVP_MD *m = EVP_sha512(); /* We need this too */
3041		]])],
3042		[ AC_MSG_RESULT([yes])
3043		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3044		  AC_RUN_IFELSE(
3045			[AC_LANG_PROGRAM([[
3046	#include <openssl/ec.h>
3047	#include <openssl/ecdh.h>
3048	#include <openssl/ecdsa.h>
3049	#include <openssl/evp.h>
3050	#include <openssl/objects.h>
3051	#include <openssl/opensslv.h>
3052			]],[[
3053			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3054			const EVP_MD *m = EVP_sha512(); /* We need this too */
3055			exit(e == NULL || m == NULL);
3056			]])],
3057			[ AC_MSG_RESULT([yes])
3058			  enable_nistp521=1 ],
3059			[ AC_MSG_RESULT([no]) ],
3060			[ AC_MSG_WARN([cross-compiling: assuming yes])
3061			  enable_nistp521=1 ]
3062		  )],
3063		AC_MSG_RESULT([no])
3064	)
3065
3066	COMMENT_OUT_ECC="#no ecc#"
3067	TEST_SSH_ECC=no
3068
3069	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3070	    test x$enable_nistp521 = x1; then
3071		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3072		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3073		openssl_ecc=yes
3074	else
3075		openssl_ecc=no
3076	fi
3077	if test x$enable_nistp256 = x1; then
3078		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3079		    [libcrypto has NID_X9_62_prime256v1])
3080		TEST_SSH_ECC=yes
3081		COMMENT_OUT_ECC=""
3082	else
3083		unsupported_algorithms="$unsupported_algorithms \
3084			ecdsa-sha2-nistp256 \
3085			ecdh-sha2-nistp256 \
3086			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3087	fi
3088	if test x$enable_nistp384 = x1; then
3089		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3090		TEST_SSH_ECC=yes
3091		COMMENT_OUT_ECC=""
3092	else
3093		unsupported_algorithms="$unsupported_algorithms \
3094			ecdsa-sha2-nistp384 \
3095			ecdh-sha2-nistp384 \
3096			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3097	fi
3098	if test x$enable_nistp521 = x1; then
3099		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3100		TEST_SSH_ECC=yes
3101		COMMENT_OUT_ECC=""
3102	else
3103		unsupported_algorithms="$unsupported_algorithms \
3104			ecdh-sha2-nistp521 \
3105			ecdsa-sha2-nistp521 \
3106			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3107	fi
3108
3109	AC_SUBST([TEST_SSH_ECC])
3110	AC_SUBST([COMMENT_OUT_ECC])
3111else
3112	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3113	AC_CHECK_FUNCS([crypt])
3114fi
3115
3116# PKCS11/U2F depend on OpenSSL and dlopen().
3117enable_pkcs11=yes
3118enable_sk=yes
3119if test "x$openssl" != "xyes" ; then
3120	enable_pkcs11="disabled; missing libcrypto"
3121	enable_sk="disabled; missing libcrypto"
3122fi
3123if test "x$openssl_ecc" != "xyes" ; then
3124	enable_sk="disabled; OpenSSL has no ECC support"
3125fi
3126if test "x$ac_cv_func_dlopen" != "xyes" ; then
3127	enable_pkcs11="disabled; missing dlopen(3)"
3128	enable_sk="disabled; missing dlopen(3)"
3129fi
3130if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3131	enable_pkcs11="disabled; missing RTLD_NOW"
3132	enable_sk="disabled; missing RTLD_NOW"
3133fi
3134if test ! -z "$disable_pkcs11" ; then
3135	enable_pkcs11="disabled by user"
3136fi
3137if test ! -z "$disable_sk" ; then
3138	enable_sk="disabled by user"
3139fi
3140
3141AC_MSG_CHECKING([whether to enable PKCS11])
3142if test "x$enable_pkcs11" = "xyes" ; then
3143	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3144fi
3145AC_MSG_RESULT([$enable_pkcs11])
3146
3147AC_MSG_CHECKING([whether to enable U2F])
3148if test "x$enable_sk" = "xyes" ; then
3149	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3150	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3151else
3152	# Do not try to build sk-dummy library.
3153	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3154fi
3155AC_MSG_RESULT([$enable_sk])
3156
3157# Now check for built-in security key support.
3158if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3159	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3160	use_pkgconfig_for_libfido2=
3161	if test "x$PKGCONFIG" != "xno"; then
3162		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3163		if "$PKGCONFIG" libfido2; then
3164			AC_MSG_RESULT([yes])
3165			use_pkgconfig_for_libfido2=yes
3166		else
3167			AC_MSG_RESULT([no])
3168		fi
3169	fi
3170	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3171		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3172		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3173	else
3174		LIBFIDO2="-lfido2 -lcbor"
3175	fi
3176	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3177	AC_CHECK_LIB([fido2], [fido_init],
3178		[
3179			AC_SUBST([LIBFIDO2])
3180			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3181			    [Enable for built-in U2F/FIDO support])
3182			enable_sk="built-in"
3183		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3184		[ $OTHERLIBS ]
3185	)
3186	AC_CHECK_LIB([fido2], [fido_cred_set_prot], [],
3187		[ AC_MSG_ERROR([libfido2 missing fido_cred_set_prot; please use libfido2 >= 1.4.0]) ],
3188	)
3189	AC_CHECK_HEADER([fido.h], [],
3190		AC_MSG_ERROR([missing fido.h from libfido2]))
3191	AC_CHECK_HEADER([fido/credman.h], [],
3192		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3193		[#include <fido.h>]
3194	)
3195fi
3196
3197AC_CHECK_FUNCS([ \
3198	arc4random \
3199	arc4random_buf \
3200	arc4random_stir \
3201	arc4random_uniform \
3202])
3203
3204saved_LIBS="$LIBS"
3205AC_CHECK_LIB([iaf], [ia_openinfo], [
3206	LIBS="$LIBS -liaf"
3207	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3208				AC_DEFINE([HAVE_LIBIAF], [1],
3209			[Define if system has libiaf that supports set_id])
3210				])
3211])
3212LIBS="$saved_LIBS"
3213
3214### Configure cryptographic random number support
3215
3216# Check whether OpenSSL seeds itself
3217if test "x$openssl" = "xyes" ; then
3218	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3219	AC_RUN_IFELSE(
3220		[AC_LANG_PROGRAM([[
3221	#include <string.h>
3222	#include <openssl/rand.h>
3223		]], [[
3224		exit(RAND_status() == 1 ? 0 : 1);
3225		]])],
3226		[
3227			OPENSSL_SEEDS_ITSELF=yes
3228			AC_MSG_RESULT([yes])
3229		],
3230		[
3231			AC_MSG_RESULT([no])
3232		],
3233		[
3234			AC_MSG_WARN([cross compiling: assuming yes])
3235			# This is safe, since we will fatal() at runtime if
3236			# OpenSSL is not seeded correctly.
3237			OPENSSL_SEEDS_ITSELF=yes
3238		]
3239	)
3240fi
3241
3242# PRNGD TCP socket
3243AC_ARG_WITH([prngd-port],
3244	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3245	[
3246		case "$withval" in
3247		no)
3248			withval=""
3249			;;
3250		[[0-9]]*)
3251			;;
3252		*)
3253			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3254			;;
3255		esac
3256		if test ! -z "$withval" ; then
3257			PRNGD_PORT="$withval"
3258			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3259				[Port number of PRNGD/EGD random number socket])
3260		fi
3261	]
3262)
3263
3264# PRNGD Unix domain socket
3265AC_ARG_WITH([prngd-socket],
3266	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3267	[
3268		case "$withval" in
3269		yes)
3270			withval="/var/run/egd-pool"
3271			;;
3272		no)
3273			withval=""
3274			;;
3275		/*)
3276			;;
3277		*)
3278			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3279			;;
3280		esac
3281
3282		if test ! -z "$withval" ; then
3283			if test ! -z "$PRNGD_PORT" ; then
3284				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3285			fi
3286			if test ! -r "$withval" ; then
3287				AC_MSG_WARN([Entropy socket is not readable])
3288			fi
3289			PRNGD_SOCKET="$withval"
3290			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3291				[Location of PRNGD/EGD random number socket])
3292		fi
3293	],
3294	[
3295		# Check for existing socket only if we don't have a random device already
3296		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3297			AC_MSG_CHECKING([for PRNGD/EGD socket])
3298			# Insert other locations here
3299			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3300				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3301					PRNGD_SOCKET="$sock"
3302					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3303					break;
3304				fi
3305			done
3306			if test ! -z "$PRNGD_SOCKET" ; then
3307				AC_MSG_RESULT([$PRNGD_SOCKET])
3308			else
3309				AC_MSG_RESULT([not found])
3310			fi
3311		fi
3312	]
3313)
3314
3315# Which randomness source do we use?
3316if test ! -z "$PRNGD_PORT" ; then
3317	RAND_MSG="PRNGd port $PRNGD_PORT"
3318elif test ! -z "$PRNGD_SOCKET" ; then
3319	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3320elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3321	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3322		[Define if you want the OpenSSL internally seeded PRNG only])
3323	RAND_MSG="OpenSSL internal ONLY"
3324elif test "x$openssl" = "xno" ; then
3325	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3326else
3327	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3328fi
3329
3330# Check for PAM libs
3331PAM_MSG="no"
3332AC_ARG_WITH([pam],
3333	[  --with-pam              Enable PAM support ],
3334	[
3335		if test "x$withval" != "xno" ; then
3336			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3337			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3338				AC_MSG_ERROR([PAM headers not found])
3339			fi
3340
3341			saved_LIBS="$LIBS"
3342			AC_CHECK_LIB([dl], [dlopen], , )
3343			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3344			AC_CHECK_FUNCS([pam_getenvlist])
3345			AC_CHECK_FUNCS([pam_putenv])
3346			LIBS="$saved_LIBS"
3347
3348			PAM_MSG="yes"
3349
3350			SSHDLIBS="$SSHDLIBS -lpam"
3351			AC_DEFINE([USE_PAM], [1],
3352				[Define if you want to enable PAM support])
3353
3354			if test $ac_cv_lib_dl_dlopen = yes; then
3355				case "$LIBS" in
3356				*-ldl*)
3357					# libdl already in LIBS
3358					;;
3359				*)
3360					SSHDLIBS="$SSHDLIBS -ldl"
3361					;;
3362				esac
3363			fi
3364		fi
3365	]
3366)
3367
3368AC_ARG_WITH([pam-service],
3369	[  --with-pam-service=name Specify PAM service name ],
3370	[
3371		if test "x$withval" != "xno" && \
3372		   test "x$withval" != "xyes" ; then
3373			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3374				["$withval"], [sshd PAM service name])
3375		fi
3376	]
3377)
3378
3379# Check for older PAM
3380if test "x$PAM_MSG" = "xyes" ; then
3381	# Check PAM strerror arguments (old PAM)
3382	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3383	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3384#include <stdlib.h>
3385#if defined(HAVE_SECURITY_PAM_APPL_H)
3386#include <security/pam_appl.h>
3387#elif defined (HAVE_PAM_PAM_APPL_H)
3388#include <pam/pam_appl.h>
3389#endif
3390		]], [[
3391(void)pam_strerror((pam_handle_t *)NULL, -1);
3392		]])], [AC_MSG_RESULT([no])], [
3393			AC_DEFINE([HAVE_OLD_PAM], [1],
3394				[Define if you have an old version of PAM
3395				which takes only one argument to pam_strerror])
3396			AC_MSG_RESULT([yes])
3397			PAM_MSG="yes (old library)"
3398
3399	])
3400fi
3401
3402case "$host" in
3403*-*-cygwin*)
3404	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3405	;;
3406*)
3407	SSH_PRIVSEP_USER=sshd
3408	;;
3409esac
3410AC_ARG_WITH([privsep-user],
3411	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3412	[
3413		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3414		    test "x${withval}" != "xyes"; then
3415			SSH_PRIVSEP_USER=$withval
3416		fi
3417	]
3418)
3419if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3420	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3421		[Cygwin function to fetch non-privileged user for privilege separation])
3422else
3423	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3424		[non-privileged user for privilege separation])
3425fi
3426AC_SUBST([SSH_PRIVSEP_USER])
3427
3428if test "x$have_linux_no_new_privs" = "x1" ; then
3429AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3430	#include <sys/types.h>
3431	#include <linux/seccomp.h>
3432])
3433fi
3434if test "x$have_seccomp_filter" = "x1" ; then
3435AC_MSG_CHECKING([kernel for seccomp_filter support])
3436AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3437		#include <errno.h>
3438		#include <elf.h>
3439		#include <linux/audit.h>
3440		#include <linux/seccomp.h>
3441		#include <stdlib.h>
3442		#include <sys/prctl.h>
3443	]],
3444	[[ int i = $seccomp_audit_arch;
3445	   errno = 0;
3446	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3447	   exit(errno == EFAULT ? 0 : 1); ]])],
3448	[ AC_MSG_RESULT([yes]) ], [
3449		AC_MSG_RESULT([no])
3450		# Disable seccomp filter as a target
3451		have_seccomp_filter=0
3452	]
3453)
3454fi
3455
3456# Decide which sandbox style to use
3457sandbox_arg=""
3458AC_ARG_WITH([sandbox],
3459	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3460	[
3461		if test "x$withval" = "xyes" ; then
3462			sandbox_arg=""
3463		else
3464			sandbox_arg="$withval"
3465		fi
3466	]
3467)
3468
3469# Some platforms (seems to be the ones that have a kernel poll(2)-type
3470# function with which they implement select(2)) use an extra file descriptor
3471# when calling select(2), which means we can't use the rlimit sandbox.
3472AC_MSG_CHECKING([if select works with descriptor rlimit])
3473AC_RUN_IFELSE(
3474	[AC_LANG_PROGRAM([[
3475#include <sys/types.h>
3476#ifdef HAVE_SYS_TIME_H
3477# include <sys/time.h>
3478#endif
3479#include <sys/resource.h>
3480#ifdef HAVE_SYS_SELECT_H
3481# include <sys/select.h>
3482#endif
3483#include <errno.h>
3484#include <fcntl.h>
3485#include <stdlib.h>
3486	]],[[
3487	struct rlimit rl_zero;
3488	int fd, r;
3489	fd_set fds;
3490	struct timeval tv;
3491
3492	fd = open("/dev/null", O_RDONLY);
3493	FD_ZERO(&fds);
3494	FD_SET(fd, &fds);
3495	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3496	setrlimit(RLIMIT_FSIZE, &rl_zero);
3497	setrlimit(RLIMIT_NOFILE, &rl_zero);
3498	tv.tv_sec = 1;
3499	tv.tv_usec = 0;
3500	r = select(fd+1, &fds, NULL, NULL, &tv);
3501	exit (r == -1 ? 1 : 0);
3502	]])],
3503	[AC_MSG_RESULT([yes])
3504	 select_works_with_rlimit=yes],
3505	[AC_MSG_RESULT([no])
3506	 select_works_with_rlimit=no],
3507	[AC_MSG_WARN([cross compiling: assuming yes])
3508	 select_works_with_rlimit=yes]
3509)
3510
3511AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3512AC_RUN_IFELSE(
3513	[AC_LANG_PROGRAM([[
3514#include <sys/types.h>
3515#ifdef HAVE_SYS_TIME_H
3516# include <sys/time.h>
3517#endif
3518#include <sys/resource.h>
3519#include <errno.h>
3520#include <stdlib.h>
3521	]],[[
3522	struct rlimit rl_zero;
3523	int r;
3524
3525	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3526	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3527	exit (r == -1 ? 1 : 0);
3528	]])],
3529	[AC_MSG_RESULT([yes])
3530	 rlimit_nofile_zero_works=yes],
3531	[AC_MSG_RESULT([no])
3532	 rlimit_nofile_zero_works=no],
3533	[AC_MSG_WARN([cross compiling: assuming yes])
3534	 rlimit_nofile_zero_works=yes]
3535)
3536
3537AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3538AC_RUN_IFELSE(
3539	[AC_LANG_PROGRAM([[
3540#include <sys/types.h>
3541#include <sys/resource.h>
3542#include <stdlib.h>
3543	]],[[
3544		struct rlimit rl_zero;
3545
3546		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3547		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3548	]])],
3549	[AC_MSG_RESULT([yes])],
3550	[AC_MSG_RESULT([no])
3551	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3552	    [setrlimit RLIMIT_FSIZE works])],
3553	[AC_MSG_WARN([cross compiling: assuming yes])]
3554)
3555
3556if test "x$sandbox_arg" = "xpledge" || \
3557   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3558	test "x$ac_cv_func_pledge" != "xyes" && \
3559		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3560	SANDBOX_STYLE="pledge"
3561	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3562elif test "x$sandbox_arg" = "xsystrace" || \
3563   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3564	test "x$have_systr_policy_kill" != "x1" && \
3565		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3566	SANDBOX_STYLE="systrace"
3567	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3568elif test "x$sandbox_arg" = "xdarwin" || \
3569     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3570       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3571	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3572	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3573		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3574	SANDBOX_STYLE="darwin"
3575	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3576elif test "x$sandbox_arg" = "xseccomp_filter" || \
3577     ( test -z "$sandbox_arg" && \
3578       test "x$have_seccomp_filter" = "x1" && \
3579       test "x$ac_cv_header_elf_h" = "xyes" && \
3580       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3581       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3582       test "x$seccomp_audit_arch" != "x" && \
3583       test "x$have_linux_no_new_privs" = "x1" && \
3584       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3585	test "x$seccomp_audit_arch" = "x" && \
3586		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3587	test "x$have_linux_no_new_privs" != "x1" && \
3588		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3589	test "x$have_seccomp_filter" != "x1" && \
3590		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3591	test "x$ac_cv_func_prctl" != "xyes" && \
3592		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3593	SANDBOX_STYLE="seccomp_filter"
3594	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3595elif test "x$sandbox_arg" = "xcapsicum" || \
3596     ( test -z "$sandbox_arg" && \
3597       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3598       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3599       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3600		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3601       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3602		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3603       SANDBOX_STYLE="capsicum"
3604       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3605elif test "x$sandbox_arg" = "xrlimit" || \
3606     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3607       test "x$select_works_with_rlimit" = "xyes" && \
3608       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3609	test "x$ac_cv_func_setrlimit" != "xyes" && \
3610		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3611	test "x$select_works_with_rlimit" != "xyes" && \
3612		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3613	SANDBOX_STYLE="rlimit"
3614	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3615elif test "x$sandbox_arg" = "xsolaris" || \
3616   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3617	SANDBOX_STYLE="solaris"
3618	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3619elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3620     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3621	SANDBOX_STYLE="none"
3622	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3623else
3624	AC_MSG_ERROR([unsupported --with-sandbox])
3625fi
3626
3627# Cheap hack to ensure NEWS-OS libraries are arranged right.
3628if test ! -z "$SONY" ; then
3629  LIBS="$LIBS -liberty";
3630fi
3631
3632# Check for  long long datatypes
3633AC_CHECK_TYPES([long long, unsigned long long, long double])
3634
3635# Check datatype sizes
3636AC_CHECK_SIZEOF([short int])
3637AC_CHECK_SIZEOF([int])
3638AC_CHECK_SIZEOF([long int])
3639AC_CHECK_SIZEOF([long long int])
3640
3641# Sanity check long long for some platforms (AIX)
3642if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3643	ac_cv_sizeof_long_long_int=0
3644fi
3645
3646# compute LLONG_MIN and LLONG_MAX if we don't know them.
3647if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3648	AC_MSG_CHECKING([for max value of long long])
3649	AC_RUN_IFELSE(
3650		[AC_LANG_PROGRAM([[
3651#include <stdio.h>
3652/* Why is this so damn hard? */
3653#ifdef __GNUC__
3654# undef __GNUC__
3655#endif
3656#define __USE_ISOC99
3657#include <limits.h>
3658#define DATA "conftest.llminmax"
3659#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3660
3661/*
3662 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3663 * we do this the hard way.
3664 */
3665static int
3666fprint_ll(FILE *f, long long n)
3667{
3668	unsigned int i;
3669	int l[sizeof(long long) * 8];
3670
3671	if (n < 0)
3672		if (fprintf(f, "-") < 0)
3673			return -1;
3674	for (i = 0; n != 0; i++) {
3675		l[i] = my_abs(n % 10);
3676		n /= 10;
3677	}
3678	do {
3679		if (fprintf(f, "%d", l[--i]) < 0)
3680			return -1;
3681	} while (i != 0);
3682	if (fprintf(f, " ") < 0)
3683		return -1;
3684	return 0;
3685}
3686		]], [[
3687	FILE *f;
3688	long long i, llmin, llmax = 0;
3689
3690	if((f = fopen(DATA,"w")) == NULL)
3691		exit(1);
3692
3693#if defined(LLONG_MIN) && defined(LLONG_MAX)
3694	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3695	llmin = LLONG_MIN;
3696	llmax = LLONG_MAX;
3697#else
3698	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3699	/* This will work on one's complement and two's complement */
3700	for (i = 1; i > llmax; i <<= 1, i++)
3701		llmax = i;
3702	llmin = llmax + 1LL;	/* wrap */
3703#endif
3704
3705	/* Sanity check */
3706	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3707	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3708	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3709		fprintf(f, "unknown unknown\n");
3710		exit(2);
3711	}
3712
3713	if (fprint_ll(f, llmin) < 0)
3714		exit(3);
3715	if (fprint_ll(f, llmax) < 0)
3716		exit(4);
3717	if (fclose(f) < 0)
3718		exit(5);
3719	exit(0);
3720		]])],
3721		[
3722			llong_min=`$AWK '{print $1}' conftest.llminmax`
3723			llong_max=`$AWK '{print $2}' conftest.llminmax`
3724
3725			AC_MSG_RESULT([$llong_max])
3726			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3727			    [max value of long long calculated by configure])
3728			AC_MSG_CHECKING([for min value of long long])
3729			AC_MSG_RESULT([$llong_min])
3730			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3731			    [min value of long long calculated by configure])
3732		],
3733		[
3734			AC_MSG_RESULT([not found])
3735		],
3736		[
3737			AC_MSG_WARN([cross compiling: not checking])
3738		]
3739	)
3740fi
3741
3742AC_CHECK_DECLS([UINT32_MAX], , , [[
3743#ifdef HAVE_SYS_LIMITS_H
3744# include <sys/limits.h>
3745#endif
3746#ifdef HAVE_LIMITS_H
3747# include <limits.h>
3748#endif
3749#ifdef HAVE_STDINT_H
3750# include <stdint.h>
3751#endif
3752]])
3753
3754# More checks for data types
3755AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3756	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3757	[[ u_int a; a = 1;]])],
3758	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3759	])
3760])
3761if test "x$ac_cv_have_u_int" = "xyes" ; then
3762	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3763	have_u_int=1
3764fi
3765
3766AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3767	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3768	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3769	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3770	])
3771])
3772if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3773	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3774	have_intxx_t=1
3775fi
3776
3777if (test -z "$have_intxx_t" && \
3778	   test "x$ac_cv_header_stdint_h" = "xyes")
3779then
3780    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3781	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3782	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3783		[
3784			AC_DEFINE([HAVE_INTXX_T])
3785			AC_MSG_RESULT([yes])
3786		], [ AC_MSG_RESULT([no])
3787	])
3788fi
3789
3790AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3791	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3792#include <sys/types.h>
3793#ifdef HAVE_STDINT_H
3794# include <stdint.h>
3795#endif
3796#include <sys/socket.h>
3797#ifdef HAVE_SYS_BITYPES_H
3798# include <sys/bitypes.h>
3799#endif
3800		]], [[
3801int64_t a; a = 1;
3802		]])],
3803	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3804	])
3805])
3806if test "x$ac_cv_have_int64_t" = "xyes" ; then
3807	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3808fi
3809
3810AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3811	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3812	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3813	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3814	])
3815])
3816if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3817	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3818	have_u_intxx_t=1
3819fi
3820
3821if test -z "$have_u_intxx_t" ; then
3822    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3823	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3824	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3825		[
3826			AC_DEFINE([HAVE_U_INTXX_T])
3827			AC_MSG_RESULT([yes])
3828		], [ AC_MSG_RESULT([no])
3829	])
3830fi
3831
3832AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3833	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3834	[[ u_int64_t a; a = 1;]])],
3835	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3836	])
3837])
3838if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3839	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3840	have_u_int64_t=1
3841fi
3842
3843if (test -z "$have_u_int64_t" && \
3844	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3845then
3846    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3847	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3848	[[ u_int64_t a; a = 1]])],
3849		[
3850			AC_DEFINE([HAVE_U_INT64_T])
3851			AC_MSG_RESULT([yes])
3852		], [ AC_MSG_RESULT([no])
3853	])
3854fi
3855
3856if test -z "$have_u_intxx_t" ; then
3857	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3858		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3859#include <sys/types.h>
3860			]], [[
3861	uint8_t a;
3862	uint16_t b;
3863	uint32_t c;
3864	a = b = c = 1;
3865			]])],
3866		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3867		])
3868	])
3869	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3870		AC_DEFINE([HAVE_UINTXX_T], [1],
3871			[define if you have uintxx_t data type])
3872	fi
3873fi
3874
3875if (test -z "$have_uintxx_t" && \
3876	   test "x$ac_cv_header_stdint_h" = "xyes")
3877then
3878    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3879	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3880	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3881		[
3882			AC_DEFINE([HAVE_UINTXX_T])
3883			AC_MSG_RESULT([yes])
3884		], [ AC_MSG_RESULT([no])
3885	])
3886fi
3887
3888if (test -z "$have_uintxx_t" && \
3889	   test "x$ac_cv_header_inttypes_h" = "xyes")
3890then
3891    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3892	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3893	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3894		[
3895			AC_DEFINE([HAVE_UINTXX_T])
3896			AC_MSG_RESULT([yes])
3897		], [ AC_MSG_RESULT([no])
3898	])
3899fi
3900
3901if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3902	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3903then
3904	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3905	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3906#include <sys/bitypes.h>
3907		]], [[
3908			int8_t a; int16_t b; int32_t c;
3909			u_int8_t e; u_int16_t f; u_int32_t g;
3910			a = b = c = e = f = g = 1;
3911		]])],
3912		[
3913			AC_DEFINE([HAVE_U_INTXX_T])
3914			AC_DEFINE([HAVE_INTXX_T])
3915			AC_MSG_RESULT([yes])
3916		], [AC_MSG_RESULT([no])
3917	])
3918fi
3919
3920
3921AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3922	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3923	[[ u_char foo; foo = 125; ]])],
3924	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3925	])
3926])
3927if test "x$ac_cv_have_u_char" = "xyes" ; then
3928	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3929fi
3930
3931AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3932#include <sys/types.h>
3933#ifdef HAVE_STDINT_H
3934# include <stdint.h>
3935#endif
3936])
3937
3938TYPE_SOCKLEN_T
3939
3940AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3941AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3942#include <sys/types.h>
3943#ifdef HAVE_SYS_BITYPES_H
3944#include <sys/bitypes.h>
3945#endif
3946#ifdef HAVE_SYS_STATFS_H
3947#include <sys/statfs.h>
3948#endif
3949#ifdef HAVE_SYS_STATVFS_H
3950#include <sys/statvfs.h>
3951#endif
3952])
3953
3954AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3955#include <sys/param.h>
3956#include <sys/types.h>
3957#ifdef HAVE_SYS_BITYPES_H
3958#include <sys/bitypes.h>
3959#endif
3960#ifdef HAVE_SYS_STATFS_H
3961#include <sys/statfs.h>
3962#endif
3963#ifdef HAVE_SYS_STATVFS_H
3964#include <sys/statvfs.h>
3965#endif
3966#ifdef HAVE_SYS_VFS_H
3967#include <sys/vfs.h>
3968#endif
3969#ifdef HAVE_SYS_MOUNT_H
3970#include <sys/mount.h>
3971#endif
3972]])
3973
3974
3975AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3976[#include <sys/types.h>
3977#include <netinet/in.h>])
3978
3979AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3980	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3981	[[ size_t foo; foo = 1235; ]])],
3982	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3983	])
3984])
3985if test "x$ac_cv_have_size_t" = "xyes" ; then
3986	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3987fi
3988
3989AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3990	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3991	[[ ssize_t foo; foo = 1235; ]])],
3992	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3993	])
3994])
3995if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3996	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3997fi
3998
3999AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4000	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4001	[[ clock_t foo; foo = 1235; ]])],
4002	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4003	])
4004])
4005if test "x$ac_cv_have_clock_t" = "xyes" ; then
4006	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4007fi
4008
4009AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4010	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4011#include <sys/types.h>
4012#include <sys/socket.h>
4013		]], [[ sa_family_t foo; foo = 1235; ]])],
4014	[ ac_cv_have_sa_family_t="yes" ],
4015	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4016#include <sys/types.h>
4017#include <sys/socket.h>
4018#include <netinet/in.h>
4019		]], [[ sa_family_t foo; foo = 1235; ]])],
4020		[ ac_cv_have_sa_family_t="yes" ],
4021		[ ac_cv_have_sa_family_t="no" ]
4022	)
4023	])
4024])
4025if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4026	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4027		[define if you have sa_family_t data type])
4028fi
4029
4030AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4031	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4032	[[ pid_t foo; foo = 1235; ]])],
4033	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4034	])
4035])
4036if test "x$ac_cv_have_pid_t" = "xyes" ; then
4037	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4038fi
4039
4040AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4041	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4042	[[ mode_t foo; foo = 1235; ]])],
4043	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4044	])
4045])
4046if test "x$ac_cv_have_mode_t" = "xyes" ; then
4047	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4048fi
4049
4050
4051AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4052	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4053#include <sys/types.h>
4054#include <sys/socket.h>
4055		]], [[ struct sockaddr_storage s; ]])],
4056	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4057	[ ac_cv_have_struct_sockaddr_storage="no"
4058	])
4059])
4060if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4061	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4062		[define if you have struct sockaddr_storage data type])
4063fi
4064
4065AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4066	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4067#include <sys/types.h>
4068#include <netinet/in.h>
4069		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4070	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4071	[ ac_cv_have_struct_sockaddr_in6="no"
4072	])
4073])
4074if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4075	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4076		[define if you have struct sockaddr_in6 data type])
4077fi
4078
4079AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4080	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4081#include <sys/types.h>
4082#include <netinet/in.h>
4083		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4084	[ ac_cv_have_struct_in6_addr="yes" ],
4085	[ ac_cv_have_struct_in6_addr="no"
4086	])
4087])
4088if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4089	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4090		[define if you have struct in6_addr data type])
4091
4092dnl Now check for sin6_scope_id
4093	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4094		[
4095#ifdef HAVE_SYS_TYPES_H
4096#include <sys/types.h>
4097#endif
4098#include <netinet/in.h>
4099		])
4100fi
4101
4102AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4103	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4104#include <sys/types.h>
4105#include <sys/socket.h>
4106#include <netdb.h>
4107		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4108	[ ac_cv_have_struct_addrinfo="yes" ],
4109	[ ac_cv_have_struct_addrinfo="no"
4110	])
4111])
4112if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4113	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4114		[define if you have struct addrinfo data type])
4115fi
4116
4117AC_HEADER_TIME
4118
4119AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4120	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4121	[[ struct timeval tv; tv.tv_sec = 1;]])],
4122	[ ac_cv_have_struct_timeval="yes" ],
4123	[ ac_cv_have_struct_timeval="no"
4124	])
4125])
4126if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4127	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4128	have_struct_timeval=1
4129fi
4130
4131AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4132	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4133    #ifdef TIME_WITH_SYS_TIME
4134    # include <sys/time.h>
4135    # include <time.h>
4136    #else
4137    # ifdef HAVE_SYS_TIME_H
4138    #  include <sys/time.h>
4139    # else
4140    #  include <time.h>
4141    # endif
4142    #endif
4143	]],
4144	[[ struct timespec ts; ts.tv_sec = 1;]])],
4145	[ ac_cv_have_struct_timespec="yes" ],
4146	[ ac_cv_have_struct_timespec="no"
4147	])
4148])
4149if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4150	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4151	have_struct_timespec=1
4152fi
4153
4154# We need int64_t or else certain parts of the compile will fail.
4155if test "x$ac_cv_have_int64_t" = "xno" && \
4156	test "x$ac_cv_sizeof_long_int" != "x8" && \
4157	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4158	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4159	echo "an alternative compiler (I.E., GCC) before continuing."
4160	echo ""
4161	exit 1;
4162else
4163dnl test snprintf (broken on SCO w/gcc)
4164	AC_RUN_IFELSE(
4165		[AC_LANG_SOURCE([[
4166#include <stdio.h>
4167#include <string.h>
4168#ifdef HAVE_SNPRINTF
4169main()
4170{
4171	char buf[50];
4172	char expected_out[50];
4173	int mazsize = 50 ;
4174#if (SIZEOF_LONG_INT == 8)
4175	long int num = 0x7fffffffffffffff;
4176#else
4177	long long num = 0x7fffffffffffffffll;
4178#endif
4179	strcpy(expected_out, "9223372036854775807");
4180	snprintf(buf, mazsize, "%lld", num);
4181	if(strcmp(buf, expected_out) != 0)
4182		exit(1);
4183	exit(0);
4184}
4185#else
4186main() { exit(0); }
4187#endif
4188		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4189		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4190	)
4191fi
4192
4193dnl Checks for structure members
4194OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4195OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4196OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4197OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4198OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4199OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4200OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4201OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4202OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4203OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4204OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4205OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4206OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4209OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4210OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4211
4212AC_CHECK_MEMBERS([struct stat.st_blksize])
4213AC_CHECK_MEMBERS([struct stat.st_mtim])
4214AC_CHECK_MEMBERS([struct stat.st_mtime])
4215AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4216struct passwd.pw_change, struct passwd.pw_expire],
4217[], [], [[
4218#include <sys/types.h>
4219#include <pwd.h>
4220]])
4221
4222AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4223	[Define if we don't have struct __res_state in resolv.h])],
4224[[
4225#include <stdio.h>
4226#if HAVE_SYS_TYPES_H
4227# include <sys/types.h>
4228#endif
4229#include <netinet/in.h>
4230#include <arpa/nameser.h>
4231#include <resolv.h>
4232]])
4233
4234AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4235		ac_cv_have_ss_family_in_struct_ss, [
4236	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4237#include <sys/types.h>
4238#include <sys/socket.h>
4239		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4240	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4241	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4242])
4243if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4244	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4245fi
4246
4247AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4248		ac_cv_have___ss_family_in_struct_ss, [
4249	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4250#include <sys/types.h>
4251#include <sys/socket.h>
4252		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4253	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4254	[ ac_cv_have___ss_family_in_struct_ss="no"
4255	])
4256])
4257if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4258	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4259		[Fields in struct sockaddr_storage])
4260fi
4261
4262dnl make sure we're using the real structure members and not defines
4263AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4264		ac_cv_have_accrights_in_msghdr, [
4265	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4266#include <sys/types.h>
4267#include <sys/socket.h>
4268#include <sys/uio.h>
4269		]], [[
4270#ifdef msg_accrights
4271#error "msg_accrights is a macro"
4272exit(1);
4273#endif
4274struct msghdr m;
4275m.msg_accrights = 0;
4276exit(0);
4277		]])],
4278		[ ac_cv_have_accrights_in_msghdr="yes" ],
4279		[ ac_cv_have_accrights_in_msghdr="no" ]
4280	)
4281])
4282if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4283	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4284		[Define if your system uses access rights style
4285		file descriptor passing])
4286fi
4287
4288AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4289AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4290#include <sys/param.h>
4291#include <sys/stat.h>
4292#ifdef HAVE_SYS_TIME_H
4293# include <sys/time.h>
4294#endif
4295#ifdef HAVE_SYS_MOUNT_H
4296#include <sys/mount.h>
4297#endif
4298#ifdef HAVE_SYS_STATVFS_H
4299#include <sys/statvfs.h>
4300#endif
4301	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4302	[ AC_MSG_RESULT([yes]) ],
4303	[ AC_MSG_RESULT([no])
4304
4305	AC_MSG_CHECKING([if fsid_t has member val])
4306	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4307#include <sys/types.h>
4308#include <sys/statvfs.h>
4309	]], [[ fsid_t t; t.val[0] = 0; ]])],
4310	[ AC_MSG_RESULT([yes])
4311	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4312	[ AC_MSG_RESULT([no]) ])
4313
4314	AC_MSG_CHECKING([if f_fsid has member __val])
4315	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4316#include <sys/types.h>
4317#include <sys/statvfs.h>
4318	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4319	[ AC_MSG_RESULT([yes])
4320	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4321	[ AC_MSG_RESULT([no]) ])
4322])
4323
4324AC_CACHE_CHECK([for msg_control field in struct msghdr],
4325		ac_cv_have_control_in_msghdr, [
4326	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4327#include <sys/types.h>
4328#include <sys/socket.h>
4329#include <sys/uio.h>
4330		]], [[
4331#ifdef msg_control
4332#error "msg_control is a macro"
4333exit(1);
4334#endif
4335struct msghdr m;
4336m.msg_control = 0;
4337exit(0);
4338		]])],
4339		[ ac_cv_have_control_in_msghdr="yes" ],
4340		[ ac_cv_have_control_in_msghdr="no" ]
4341	)
4342])
4343if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4344	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4345		[Define if your system uses ancillary data style
4346		file descriptor passing])
4347fi
4348
4349AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4350	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4351		[[ extern char *__progname; printf("%s", __progname); ]])],
4352	[ ac_cv_libc_defines___progname="yes" ],
4353	[ ac_cv_libc_defines___progname="no"
4354	])
4355])
4356if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4357	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4358fi
4359
4360AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4361	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4362		[[ printf("%s", __FUNCTION__); ]])],
4363	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4364	[ ac_cv_cc_implements___FUNCTION__="no"
4365	])
4366])
4367if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4368	AC_DEFINE([HAVE___FUNCTION__], [1],
4369		[Define if compiler implements __FUNCTION__])
4370fi
4371
4372AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4373	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4374		[[ printf("%s", __func__); ]])],
4375	[ ac_cv_cc_implements___func__="yes" ],
4376	[ ac_cv_cc_implements___func__="no"
4377	])
4378])
4379if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4380	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4381fi
4382
4383AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4384	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4385#include <stdarg.h>
4386va_list x,y;
4387		]], [[ va_copy(x,y); ]])],
4388	[ ac_cv_have_va_copy="yes" ],
4389	[ ac_cv_have_va_copy="no"
4390	])
4391])
4392if test "x$ac_cv_have_va_copy" = "xyes" ; then
4393	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4394fi
4395
4396AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4397	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4398#include <stdarg.h>
4399va_list x,y;
4400		]], [[ __va_copy(x,y); ]])],
4401	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4402	])
4403])
4404if test "x$ac_cv_have___va_copy" = "xyes" ; then
4405	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4406fi
4407
4408AC_CACHE_CHECK([whether getopt has optreset support],
4409		ac_cv_have_getopt_optreset, [
4410	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4411		[[ extern int optreset; optreset = 0; ]])],
4412	[ ac_cv_have_getopt_optreset="yes" ],
4413	[ ac_cv_have_getopt_optreset="no"
4414	])
4415])
4416if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4417	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4418		[Define if your getopt(3) defines and uses optreset])
4419fi
4420
4421AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4422	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4423[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4424	[ ac_cv_libc_defines_sys_errlist="yes" ],
4425	[ ac_cv_libc_defines_sys_errlist="no"
4426	])
4427])
4428if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4429	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4430		[Define if your system defines sys_errlist[]])
4431fi
4432
4433
4434AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4435	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4436[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4437	[ ac_cv_libc_defines_sys_nerr="yes" ],
4438	[ ac_cv_libc_defines_sys_nerr="no"
4439	])
4440])
4441if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4442	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4443fi
4444
4445# Check libraries needed by DNS fingerprint support
4446AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4447	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4448		[Define if getrrsetbyname() exists])],
4449	[
4450		# Needed by our getrrsetbyname()
4451		AC_SEARCH_LIBS([res_query], [resolv])
4452		AC_SEARCH_LIBS([dn_expand], [resolv])
4453		AC_MSG_CHECKING([if res_query will link])
4454		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4455#include <sys/types.h>
4456#include <netinet/in.h>
4457#include <arpa/nameser.h>
4458#include <netdb.h>
4459#include <resolv.h>
4460				]], [[
4461	res_query (0, 0, 0, 0, 0);
4462				]])],
4463		    AC_MSG_RESULT([yes]),
4464		   [AC_MSG_RESULT([no])
4465		    saved_LIBS="$LIBS"
4466		    LIBS="$LIBS -lresolv"
4467		    AC_MSG_CHECKING([for res_query in -lresolv])
4468		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4469#include <sys/types.h>
4470#include <netinet/in.h>
4471#include <arpa/nameser.h>
4472#include <netdb.h>
4473#include <resolv.h>
4474				]], [[
4475	res_query (0, 0, 0, 0, 0);
4476				]])],
4477			[AC_MSG_RESULT([yes])],
4478			[LIBS="$saved_LIBS"
4479			 AC_MSG_RESULT([no])])
4480		    ])
4481		AC_CHECK_FUNCS([_getshort _getlong])
4482		AC_CHECK_DECLS([_getshort, _getlong], , ,
4483		    [#include <sys/types.h>
4484		    #include <arpa/nameser.h>])
4485		AC_CHECK_MEMBER([HEADER.ad],
4486			[AC_DEFINE([HAVE_HEADER_AD], [1],
4487			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4488			[#include <arpa/nameser.h>])
4489	])
4490
4491AC_MSG_CHECKING([if struct __res_state _res is an extern])
4492AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4493#include <stdio.h>
4494#if HAVE_SYS_TYPES_H
4495# include <sys/types.h>
4496#endif
4497#include <netinet/in.h>
4498#include <arpa/nameser.h>
4499#include <resolv.h>
4500extern struct __res_state _res;
4501		]], [[
4502struct __res_state *volatile p = &_res;  /* force resolution of _res */
4503return 0;
4504		]],)],
4505		[AC_MSG_RESULT([yes])
4506		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4507		    [Define if you have struct __res_state _res as an extern])
4508		],
4509		[ AC_MSG_RESULT([no]) ]
4510)
4511
4512# Check whether user wants SELinux support
4513SELINUX_MSG="no"
4514LIBSELINUX=""
4515AC_ARG_WITH([selinux],
4516	[  --with-selinux          Enable SELinux support],
4517	[ if test "x$withval" != "xno" ; then
4518		save_LIBS="$LIBS"
4519		AC_DEFINE([WITH_SELINUX], [1],
4520			[Define if you want SELinux support.])
4521		SELINUX_MSG="yes"
4522		AC_CHECK_HEADER([selinux/selinux.h], ,
4523			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4524		AC_CHECK_LIB([selinux], [setexeccon],
4525			[ LIBSELINUX="-lselinux"
4526			  LIBS="$LIBS -lselinux"
4527			],
4528			AC_MSG_ERROR([SELinux support requires libselinux library]))
4529		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4530		LIBS="$save_LIBS $LIBSELINUX"
4531	fi ]
4532)
4533AC_SUBST([SSHDLIBS])
4534
4535# Check whether user wants Kerberos 5 support
4536KRB5_MSG="no"
4537AC_ARG_WITH([kerberos5],
4538	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4539	[ if test "x$withval" != "xno" ; then
4540		if test "x$withval" = "xyes" ; then
4541			KRB5ROOT="/usr/local"
4542		else
4543			KRB5ROOT=${withval}
4544		fi
4545
4546		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4547		KRB5_MSG="yes"
4548
4549		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4550			     [$KRB5ROOT/bin/krb5-config],
4551			     [$KRB5ROOT/bin:$PATH])
4552		if test -x $KRB5CONF ; then
4553			K5CFLAGS="`$KRB5CONF --cflags`"
4554			K5LIBS="`$KRB5CONF --libs`"
4555			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4556
4557			AC_MSG_CHECKING([for gssapi support])
4558			if $KRB5CONF | grep gssapi >/dev/null ; then
4559				AC_MSG_RESULT([yes])
4560				AC_DEFINE([GSSAPI], [1],
4561					[Define this if you want GSSAPI
4562					support in the version 2 protocol])
4563				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4564				GSSLIBS="`$KRB5CONF --libs gssapi`"
4565				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4566			else
4567				AC_MSG_RESULT([no])
4568			fi
4569			AC_MSG_CHECKING([whether we are using Heimdal])
4570			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4571				]], [[ char *tmp = heimdal_version; ]])],
4572				[ AC_MSG_RESULT([yes])
4573				AC_DEFINE([HEIMDAL], [1],
4574				[Define this if you are using the Heimdal
4575				version of Kerberos V5]) ],
4576				[AC_MSG_RESULT([no])
4577			])
4578		else
4579			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4580			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4581			AC_MSG_CHECKING([whether we are using Heimdal])
4582			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4583				]], [[ char *tmp = heimdal_version; ]])],
4584					[ AC_MSG_RESULT([yes])
4585					 AC_DEFINE([HEIMDAL])
4586					 K5LIBS="-lkrb5"
4587					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4588					 AC_CHECK_LIB([roken], [net_write],
4589					   [K5LIBS="$K5LIBS -lroken"])
4590					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4591					   [K5LIBS="$K5LIBS -ldes"])
4592				       ], [ AC_MSG_RESULT([no])
4593					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4594			])
4595			AC_SEARCH_LIBS([dn_expand], [resolv])
4596
4597			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4598				[ AC_DEFINE([GSSAPI])
4599				  GSSLIBS="-lgssapi_krb5" ],
4600				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4601					[ AC_DEFINE([GSSAPI])
4602					  GSSLIBS="-lgssapi" ],
4603					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4604						[ AC_DEFINE([GSSAPI])
4605						  GSSLIBS="-lgss" ],
4606						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4607					])
4608				])
4609
4610			AC_CHECK_HEADER([gssapi.h], ,
4611				[ unset ac_cv_header_gssapi_h
4612				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4613				  AC_CHECK_HEADERS([gssapi.h], ,
4614					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4615				  )
4616				]
4617			)
4618
4619			oldCPP="$CPPFLAGS"
4620			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4621			AC_CHECK_HEADER([gssapi_krb5.h], ,
4622					[ CPPFLAGS="$oldCPP" ])
4623
4624		fi
4625		if test -n "${rpath_opt}" ; then
4626			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4627		fi
4628		if test ! -z "$blibpath" ; then
4629			blibpath="$blibpath:${KRB5ROOT}/lib"
4630		fi
4631
4632		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4633		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4634		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4635
4636		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4637			[Define this if you want to use libkafs' AFS support])])
4638
4639		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4640#ifdef HAVE_GSSAPI_H
4641# include <gssapi.h>
4642#elif defined(HAVE_GSSAPI_GSSAPI_H)
4643# include <gssapi/gssapi.h>
4644#endif
4645
4646#ifdef HAVE_GSSAPI_GENERIC_H
4647# include <gssapi_generic.h>
4648#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4649# include <gssapi/gssapi_generic.h>
4650#endif
4651		]])
4652		saved_LIBS="$LIBS"
4653		LIBS="$LIBS $K5LIBS"
4654		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4655		LIBS="$saved_LIBS"
4656
4657	fi
4658	]
4659)
4660AC_SUBST([GSSLIBS])
4661AC_SUBST([K5LIBS])
4662
4663# Looking for programs, paths and files
4664
4665PRIVSEP_PATH=/var/empty
4666AC_ARG_WITH([privsep-path],
4667	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4668	[
4669		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4670		    test "x${withval}" != "xyes"; then
4671			PRIVSEP_PATH=$withval
4672		fi
4673	]
4674)
4675AC_SUBST([PRIVSEP_PATH])
4676
4677AC_ARG_WITH([xauth],
4678	[  --with-xauth=PATH       Specify path to xauth program ],
4679	[
4680		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4681		    test "x${withval}" != "xyes"; then
4682			xauth_path=$withval
4683		fi
4684	],
4685	[
4686		TestPath="$PATH"
4687		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4688		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4689		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4690		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4691		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4692		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4693			xauth_path="/usr/openwin/bin/xauth"
4694		fi
4695	]
4696)
4697
4698STRIP_OPT=-s
4699AC_ARG_ENABLE([strip],
4700	[  --disable-strip         Disable calling strip(1) on install],
4701	[
4702		if test "x$enableval" = "xno" ; then
4703			STRIP_OPT=
4704		fi
4705	]
4706)
4707AC_SUBST([STRIP_OPT])
4708
4709if test -z "$xauth_path" ; then
4710	XAUTH_PATH="undefined"
4711	AC_SUBST([XAUTH_PATH])
4712else
4713	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4714		[Define if xauth is found in your path])
4715	XAUTH_PATH=$xauth_path
4716	AC_SUBST([XAUTH_PATH])
4717fi
4718
4719dnl # --with-maildir=/path/to/mail gets top priority.
4720dnl # if maildir is set in the platform case statement above we use that.
4721dnl # Otherwise we run a program to get the dir from system headers.
4722dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4723dnl # If we find _PATH_MAILDIR we do nothing because that is what
4724dnl # session.c expects anyway. Otherwise we set to the value found
4725dnl # stripping any trailing slash. If for some strage reason our program
4726dnl # does not find what it needs, we default to /var/spool/mail.
4727# Check for mail directory
4728AC_ARG_WITH([maildir],
4729    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4730    [
4731	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4732	    test "x${withval}" != xyes; then
4733		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4734            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4735	    fi
4736     ],[
4737	if test "X$maildir" != "X"; then
4738	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4739	else
4740	    AC_MSG_CHECKING([Discovering system mail directory])
4741	    AC_RUN_IFELSE(
4742		[AC_LANG_PROGRAM([[
4743#include <stdio.h>
4744#include <string.h>
4745#ifdef HAVE_PATHS_H
4746#include <paths.h>
4747#endif
4748#ifdef HAVE_MAILLOCK_H
4749#include <maillock.h>
4750#endif
4751#define DATA "conftest.maildir"
4752	]], [[
4753	FILE *fd;
4754	int rc;
4755
4756	fd = fopen(DATA,"w");
4757	if(fd == NULL)
4758		exit(1);
4759
4760#if defined (_PATH_MAILDIR)
4761	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4762		exit(1);
4763#elif defined (MAILDIR)
4764	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4765		exit(1);
4766#elif defined (_PATH_MAIL)
4767	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4768		exit(1);
4769#else
4770	exit (2);
4771#endif
4772
4773	exit(0);
4774		]])],
4775		[
4776		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4777		    maildir=`awk -F: '{print $2}' conftest.maildir \
4778			| sed 's|/$||'`
4779		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4780		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4781			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4782		    fi
4783		],
4784		[
4785		    if test "X$ac_status" = "X2";then
4786# our test program didn't find it. Default to /var/spool/mail
4787			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4788			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4789		     else
4790			AC_MSG_RESULT([*** not found ***])
4791		     fi
4792		],
4793		[
4794			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4795		]
4796	    )
4797	fi
4798    ]
4799) # maildir
4800
4801if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4802	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4803	disable_ptmx_check=yes
4804fi
4805if test -z "$no_dev_ptmx" ; then
4806	if test "x$disable_ptmx_check" != "xyes" ; then
4807		AC_CHECK_FILE(["/dev/ptmx"],
4808			[
4809				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4810					[Define if you have /dev/ptmx])
4811				have_dev_ptmx=1
4812			]
4813		)
4814	fi
4815fi
4816
4817if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4818	AC_CHECK_FILE(["/dev/ptc"],
4819		[
4820			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4821				[Define if you have /dev/ptc])
4822			have_dev_ptc=1
4823		]
4824	)
4825else
4826	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4827fi
4828
4829# Options from here on. Some of these are preset by platform above
4830AC_ARG_WITH([mantype],
4831	[  --with-mantype=man|cat|doc  Set man page type],
4832	[
4833		case "$withval" in
4834		man|cat|doc)
4835			MANTYPE=$withval
4836			;;
4837		*)
4838			AC_MSG_ERROR([invalid man type: $withval])
4839			;;
4840		esac
4841	]
4842)
4843if test -z "$MANTYPE"; then
4844	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4845		MANTYPE=doc
4846	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4847		MANTYPE=doc
4848	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4849		MANTYPE=man
4850	else
4851		MANTYPE=cat
4852	fi
4853fi
4854AC_SUBST([MANTYPE])
4855if test "$MANTYPE" = "doc"; then
4856	mansubdir=man;
4857else
4858	mansubdir=$MANTYPE;
4859fi
4860AC_SUBST([mansubdir])
4861
4862# Check whether to enable MD5 passwords
4863MD5_MSG="no"
4864AC_ARG_WITH([md5-passwords],
4865	[  --with-md5-passwords    Enable use of MD5 passwords],
4866	[
4867		if test "x$withval" != "xno" ; then
4868			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4869				[Define if you want to allow MD5 passwords])
4870			MD5_MSG="yes"
4871		fi
4872	]
4873)
4874
4875# Whether to disable shadow password support
4876AC_ARG_WITH([shadow],
4877	[  --without-shadow        Disable shadow password support],
4878	[
4879		if test "x$withval" = "xno" ; then
4880			AC_DEFINE([DISABLE_SHADOW])
4881			disable_shadow=yes
4882		fi
4883	]
4884)
4885
4886if test -z "$disable_shadow" ; then
4887	AC_MSG_CHECKING([if the systems has expire shadow information])
4888	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4889#include <sys/types.h>
4890#include <shadow.h>
4891struct spwd sp;
4892		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4893		[ sp_expire_available=yes ], [
4894	])
4895
4896	if test "x$sp_expire_available" = "xyes" ; then
4897		AC_MSG_RESULT([yes])
4898		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4899		    [Define if you want to use shadow password expire field])
4900	else
4901		AC_MSG_RESULT([no])
4902	fi
4903fi
4904
4905# Use ip address instead of hostname in $DISPLAY
4906if test ! -z "$IPADDR_IN_DISPLAY" ; then
4907	DISPLAY_HACK_MSG="yes"
4908	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4909		[Define if you need to use IP address
4910		instead of hostname in $DISPLAY])
4911else
4912	DISPLAY_HACK_MSG="no"
4913	AC_ARG_WITH([ipaddr-display],
4914		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4915		[
4916			if test "x$withval" != "xno" ; then
4917				AC_DEFINE([IPADDR_IN_DISPLAY])
4918				DISPLAY_HACK_MSG="yes"
4919			fi
4920		]
4921	)
4922fi
4923
4924# check for /etc/default/login and use it if present.
4925AC_ARG_ENABLE([etc-default-login],
4926	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4927	[ if test "x$enableval" = "xno"; then
4928		AC_MSG_NOTICE([/etc/default/login handling disabled])
4929		etc_default_login=no
4930	  else
4931		etc_default_login=yes
4932	  fi ],
4933	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4934	  then
4935		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4936		etc_default_login=no
4937	  else
4938		etc_default_login=yes
4939	  fi ]
4940)
4941
4942if test "x$etc_default_login" != "xno"; then
4943	AC_CHECK_FILE(["/etc/default/login"],
4944	    [ external_path_file=/etc/default/login ])
4945	if test "x$external_path_file" = "x/etc/default/login"; then
4946		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4947			[Define if your system has /etc/default/login])
4948	fi
4949fi
4950
4951dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4952if test $ac_cv_func_login_getcapbool = "yes" && \
4953	test $ac_cv_header_login_cap_h = "yes" ; then
4954	external_path_file=/etc/login.conf
4955fi
4956
4957# Whether to mess with the default path
4958SERVER_PATH_MSG="(default)"
4959AC_ARG_WITH([default-path],
4960	[  --with-default-path=    Specify default $PATH environment for server],
4961	[
4962		if test "x$external_path_file" = "x/etc/login.conf" ; then
4963			AC_MSG_WARN([
4964--with-default-path=PATH has no effect on this system.
4965Edit /etc/login.conf instead.])
4966		elif test "x$withval" != "xno" ; then
4967			if test ! -z "$external_path_file" ; then
4968				AC_MSG_WARN([
4969--with-default-path=PATH will only be used if PATH is not defined in
4970$external_path_file .])
4971			fi
4972			user_path="$withval"
4973			SERVER_PATH_MSG="$withval"
4974		fi
4975	],
4976	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4977		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4978	else
4979		if test ! -z "$external_path_file" ; then
4980			AC_MSG_WARN([
4981If PATH is defined in $external_path_file, ensure the path to scp is included,
4982otherwise scp will not work.])
4983		fi
4984		AC_RUN_IFELSE(
4985			[AC_LANG_PROGRAM([[
4986/* find out what STDPATH is */
4987#include <stdio.h>
4988#ifdef HAVE_PATHS_H
4989# include <paths.h>
4990#endif
4991#ifndef _PATH_STDPATH
4992# ifdef _PATH_USERPATH	/* Irix */
4993#  define _PATH_STDPATH _PATH_USERPATH
4994# else
4995#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4996# endif
4997#endif
4998#include <sys/types.h>
4999#include <sys/stat.h>
5000#include <fcntl.h>
5001#define DATA "conftest.stdpath"
5002			]], [[
5003	FILE *fd;
5004	int rc;
5005
5006	fd = fopen(DATA,"w");
5007	if(fd == NULL)
5008		exit(1);
5009
5010	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5011		exit(1);
5012
5013	exit(0);
5014		]])],
5015		[ user_path=`cat conftest.stdpath` ],
5016		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5017		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5018	)
5019# make sure $bindir is in USER_PATH so scp will work
5020		t_bindir="${bindir}"
5021		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5022			t_bindir=`eval echo ${t_bindir}`
5023			case $t_bindir in
5024				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5025			esac
5026			case $t_bindir in
5027				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5028			esac
5029		done
5030		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5031		if test $? -ne 0  ; then
5032			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5033			if test $? -ne 0  ; then
5034				user_path=$user_path:$t_bindir
5035				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5036			fi
5037		fi
5038	fi ]
5039)
5040if test "x$external_path_file" != "x/etc/login.conf" ; then
5041	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5042	AC_SUBST([user_path])
5043fi
5044
5045# Set superuser path separately to user path
5046AC_ARG_WITH([superuser-path],
5047	[  --with-superuser-path=  Specify different path for super-user],
5048	[
5049		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5050		    test "x${withval}" != "xyes"; then
5051			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5052				[Define if you want a different $PATH
5053				for the superuser])
5054			superuser_path=$withval
5055		fi
5056	]
5057)
5058
5059
5060AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5061IPV4_IN6_HACK_MSG="no"
5062AC_ARG_WITH(4in6,
5063	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5064	[
5065		if test "x$withval" != "xno" ; then
5066			AC_MSG_RESULT([yes])
5067			AC_DEFINE([IPV4_IN_IPV6], [1],
5068				[Detect IPv4 in IPv6 mapped addresses
5069				and treat as IPv4])
5070			IPV4_IN6_HACK_MSG="yes"
5071		else
5072			AC_MSG_RESULT([no])
5073		fi
5074	], [
5075		if test "x$inet6_default_4in6" = "xyes"; then
5076			AC_MSG_RESULT([yes (default)])
5077			AC_DEFINE([IPV4_IN_IPV6])
5078			IPV4_IN6_HACK_MSG="yes"
5079		else
5080			AC_MSG_RESULT([no (default)])
5081		fi
5082	]
5083)
5084
5085# Whether to enable BSD auth support
5086BSD_AUTH_MSG=no
5087AC_ARG_WITH([bsd-auth],
5088	[  --with-bsd-auth         Enable BSD auth support],
5089	[
5090		if test "x$withval" != "xno" ; then
5091			AC_DEFINE([BSD_AUTH], [1],
5092				[Define if you have BSD auth support])
5093			BSD_AUTH_MSG=yes
5094		fi
5095	]
5096)
5097
5098# Where to place sshd.pid
5099piddir=/var/run
5100# make sure the directory exists
5101if test ! -d $piddir ; then
5102	piddir=`eval echo ${sysconfdir}`
5103	case $piddir in
5104		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5105	esac
5106fi
5107
5108AC_ARG_WITH([pid-dir],
5109	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5110	[
5111		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5112		    test "x${withval}" != "xyes"; then
5113			piddir=$withval
5114			if test ! -d $piddir ; then
5115			AC_MSG_WARN([** no $piddir directory on this system **])
5116			fi
5117		fi
5118	]
5119)
5120
5121AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5122	[Specify location of ssh.pid])
5123AC_SUBST([piddir])
5124
5125dnl allow user to disable some login recording features
5126AC_ARG_ENABLE([lastlog],
5127	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5128	[
5129		if test "x$enableval" = "xno" ; then
5130			AC_DEFINE([DISABLE_LASTLOG])
5131		fi
5132	]
5133)
5134AC_ARG_ENABLE([utmp],
5135	[  --disable-utmp          disable use of utmp even if detected [no]],
5136	[
5137		if test "x$enableval" = "xno" ; then
5138			AC_DEFINE([DISABLE_UTMP])
5139		fi
5140	]
5141)
5142AC_ARG_ENABLE([utmpx],
5143	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5144	[
5145		if test "x$enableval" = "xno" ; then
5146			AC_DEFINE([DISABLE_UTMPX], [1],
5147				[Define if you don't want to use utmpx])
5148		fi
5149	]
5150)
5151AC_ARG_ENABLE([wtmp],
5152	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5153	[
5154		if test "x$enableval" = "xno" ; then
5155			AC_DEFINE([DISABLE_WTMP])
5156		fi
5157	]
5158)
5159AC_ARG_ENABLE([wtmpx],
5160	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5161	[
5162		if test "x$enableval" = "xno" ; then
5163			AC_DEFINE([DISABLE_WTMPX], [1],
5164				[Define if you don't want to use wtmpx])
5165		fi
5166	]
5167)
5168AC_ARG_ENABLE([libutil],
5169	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5170	[
5171		if test "x$enableval" = "xno" ; then
5172			AC_DEFINE([DISABLE_LOGIN])
5173		fi
5174	]
5175)
5176AC_ARG_ENABLE([pututline],
5177	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5178	[
5179		if test "x$enableval" = "xno" ; then
5180			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5181				[Define if you don't want to use pututline()
5182				etc. to write [uw]tmp])
5183		fi
5184	]
5185)
5186AC_ARG_ENABLE([pututxline],
5187	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5188	[
5189		if test "x$enableval" = "xno" ; then
5190			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5191				[Define if you don't want to use pututxline()
5192				etc. to write [uw]tmpx])
5193		fi
5194	]
5195)
5196AC_ARG_WITH([lastlog],
5197  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5198	[
5199		if test "x$withval" = "xno" ; then
5200			AC_DEFINE([DISABLE_LASTLOG])
5201		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5202			conf_lastlog_location=$withval
5203		fi
5204	]
5205)
5206
5207dnl lastlog, [uw]tmpx? detection
5208dnl  NOTE: set the paths in the platform section to avoid the
5209dnl   need for command-line parameters
5210dnl lastlog and [uw]tmp are subject to a file search if all else fails
5211
5212dnl lastlog detection
5213dnl  NOTE: the code itself will detect if lastlog is a directory
5214AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5215AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5216#include <sys/types.h>
5217#include <utmp.h>
5218#ifdef HAVE_LASTLOG_H
5219#  include <lastlog.h>
5220#endif
5221#ifdef HAVE_PATHS_H
5222#  include <paths.h>
5223#endif
5224#ifdef HAVE_LOGIN_H
5225# include <login.h>
5226#endif
5227	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5228		[ AC_MSG_RESULT([yes]) ],
5229		[
5230		AC_MSG_RESULT([no])
5231		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5232		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5233#include <sys/types.h>
5234#include <utmp.h>
5235#ifdef HAVE_LASTLOG_H
5236#  include <lastlog.h>
5237#endif
5238#ifdef HAVE_PATHS_H
5239#  include <paths.h>
5240#endif
5241		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5242		[ AC_MSG_RESULT([yes]) ],
5243		[
5244			AC_MSG_RESULT([no])
5245			system_lastlog_path=no
5246		])
5247])
5248
5249if test -z "$conf_lastlog_location"; then
5250	if test x"$system_lastlog_path" = x"no" ; then
5251		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5252				if (test -d "$f" || test -f "$f") ; then
5253					conf_lastlog_location=$f
5254				fi
5255		done
5256		if test -z "$conf_lastlog_location"; then
5257			AC_MSG_WARN([** Cannot find lastlog **])
5258			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5259		fi
5260	fi
5261fi
5262
5263if test -n "$conf_lastlog_location"; then
5264	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5265		[Define if you want to specify the path to your lastlog file])
5266fi
5267
5268dnl utmp detection
5269AC_MSG_CHECKING([if your system defines UTMP_FILE])
5270AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5271#include <sys/types.h>
5272#include <utmp.h>
5273#ifdef HAVE_PATHS_H
5274#  include <paths.h>
5275#endif
5276	]], [[ char *utmp = UTMP_FILE; ]])],
5277	[ AC_MSG_RESULT([yes]) ],
5278	[ AC_MSG_RESULT([no])
5279	  system_utmp_path=no
5280])
5281if test -z "$conf_utmp_location"; then
5282	if test x"$system_utmp_path" = x"no" ; then
5283		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5284			if test -f $f ; then
5285				conf_utmp_location=$f
5286			fi
5287		done
5288		if test -z "$conf_utmp_location"; then
5289			AC_DEFINE([DISABLE_UTMP])
5290		fi
5291	fi
5292fi
5293if test -n "$conf_utmp_location"; then
5294	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5295		[Define if you want to specify the path to your utmp file])
5296fi
5297
5298dnl wtmp detection
5299AC_MSG_CHECKING([if your system defines WTMP_FILE])
5300AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5301#include <sys/types.h>
5302#include <utmp.h>
5303#ifdef HAVE_PATHS_H
5304#  include <paths.h>
5305#endif
5306	]], [[ char *wtmp = WTMP_FILE; ]])],
5307	[ AC_MSG_RESULT([yes]) ],
5308	[ AC_MSG_RESULT([no])
5309	  system_wtmp_path=no
5310])
5311if test -z "$conf_wtmp_location"; then
5312	if test x"$system_wtmp_path" = x"no" ; then
5313		for f in /usr/adm/wtmp /var/log/wtmp; do
5314			if test -f $f ; then
5315				conf_wtmp_location=$f
5316			fi
5317		done
5318		if test -z "$conf_wtmp_location"; then
5319			AC_DEFINE([DISABLE_WTMP])
5320		fi
5321	fi
5322fi
5323if test -n "$conf_wtmp_location"; then
5324	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5325		[Define if you want to specify the path to your wtmp file])
5326fi
5327
5328dnl wtmpx detection
5329AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5330AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5331#include <sys/types.h>
5332#include <utmp.h>
5333#ifdef HAVE_UTMPX_H
5334#include <utmpx.h>
5335#endif
5336#ifdef HAVE_PATHS_H
5337#  include <paths.h>
5338#endif
5339	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5340	[ AC_MSG_RESULT([yes]) ],
5341	[ AC_MSG_RESULT([no])
5342	  system_wtmpx_path=no
5343])
5344if test -z "$conf_wtmpx_location"; then
5345	if test x"$system_wtmpx_path" = x"no" ; then
5346		AC_DEFINE([DISABLE_WTMPX])
5347	fi
5348else
5349	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5350		[Define if you want to specify the path to your wtmpx file])
5351fi
5352
5353
5354if test ! -z "$blibpath" ; then
5355	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5356	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5357fi
5358
5359AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5360    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5361	AC_DEFINE([DISABLE_LASTLOG])
5362    fi
5363	], [
5364#ifdef HAVE_SYS_TYPES_H
5365#include <sys/types.h>
5366#endif
5367#ifdef HAVE_UTMP_H
5368#include <utmp.h>
5369#endif
5370#ifdef HAVE_UTMPX_H
5371#include <utmpx.h>
5372#endif
5373#ifdef HAVE_LASTLOG_H
5374#include <lastlog.h>
5375#endif
5376	])
5377
5378AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5379	AC_DEFINE([DISABLE_UTMP])
5380	AC_DEFINE([DISABLE_WTMP])
5381	], [
5382#ifdef HAVE_SYS_TYPES_H
5383#include <sys/types.h>
5384#endif
5385#ifdef HAVE_UTMP_H
5386#include <utmp.h>
5387#endif
5388#ifdef HAVE_UTMPX_H
5389#include <utmpx.h>
5390#endif
5391#ifdef HAVE_LASTLOG_H
5392#include <lastlog.h>
5393#endif
5394	])
5395
5396dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5397dnl Add now.
5398CFLAGS="$CFLAGS $werror_flags"
5399
5400if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5401	TEST_SSH_IPV6=no
5402else
5403	TEST_SSH_IPV6=yes
5404fi
5405AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5406AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5407AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5408AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5409AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5410AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5411
5412CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5413LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5414
5415# Make a copy of CFLAGS/LDFLAGS without PIE options.
5416LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5417CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5418AC_SUBST([LDFLAGS_NOPIE])
5419AC_SUBST([CFLAGS_NOPIE])
5420
5421AC_EXEEXT
5422AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5423	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5424	survey.sh])
5425AC_OUTPUT
5426
5427# Print summary of options
5428
5429# Someone please show me a better way :)
5430A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5431B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5432C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5433D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5434E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5435F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5436G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5437H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5438I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5439J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5440
5441echo ""
5442echo "OpenSSH has been configured with the following options:"
5443echo "                     User binaries: $B"
5444echo "                   System binaries: $C"
5445echo "               Configuration files: $D"
5446echo "                   Askpass program: $E"
5447echo "                      Manual pages: $F"
5448echo "                          PID file: $G"
5449echo "  Privilege separation chroot path: $H"
5450if test "x$external_path_file" = "x/etc/login.conf" ; then
5451echo "   At runtime, sshd will use the path defined in $external_path_file"
5452echo "   Make sure the path to scp is present, otherwise scp will not work"
5453else
5454echo "            sshd default user PATH: $I"
5455	if test ! -z "$external_path_file"; then
5456echo "   (If PATH is set in $external_path_file it will be used instead. If"
5457echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5458	fi
5459fi
5460if test ! -z "$superuser_path" ; then
5461echo "          sshd superuser user PATH: $J"
5462fi
5463echo "                    Manpage format: $MANTYPE"
5464echo "                       PAM support: $PAM_MSG"
5465echo "                   OSF SIA support: $SIA_MSG"
5466echo "                 KerberosV support: $KRB5_MSG"
5467echo "                   SELinux support: $SELINUX_MSG"
5468echo "              MD5 password support: $MD5_MSG"
5469echo "                   libedit support: $LIBEDIT_MSG"
5470echo "                   libldns support: $LDNS_MSG"
5471echo "  Solaris process contract support: $SPC_MSG"
5472echo "           Solaris project support: $SP_MSG"
5473echo "         Solaris privilege support: $SPP_MSG"
5474echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5475echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5476echo "                  BSD Auth support: $BSD_AUTH_MSG"
5477echo "              Random number source: $RAND_MSG"
5478echo "             Privsep sandbox style: $SANDBOX_STYLE"
5479echo "                   PKCS#11 support: $enable_pkcs11"
5480echo "                  U2F/FIDO support: $enable_sk"
5481
5482echo ""
5483
5484echo "              Host: ${host}"
5485echo "          Compiler: ${CC}"
5486echo "    Compiler flags: ${CFLAGS}"
5487echo "Preprocessor flags: ${CPPFLAGS}"
5488echo "      Linker flags: ${LDFLAGS}"
5489echo "         Libraries: ${LIBS}"
5490if test ! -z "${SSHDLIBS}"; then
5491echo "         +for sshd: ${SSHDLIBS}"
5492fi
5493
5494echo ""
5495
5496if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5497	echo "SVR4 style packages are supported with \"make package\""
5498	echo ""
5499fi
5500
5501if test "x$PAM_MSG" = "xyes" ; then
5502	echo "PAM is enabled. You may need to install a PAM control file "
5503	echo "for sshd, otherwise password authentication may fail. "
5504	echo "Example PAM control files can be found in the contrib/ "
5505	echo "subdirectory"
5506	echo ""
5507fi
5508
5509if test ! -z "$NO_PEERCHECK" ; then
5510	echo "WARNING: the operating system that you are using does not"
5511	echo "appear to support getpeereid(), getpeerucred() or the"
5512	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5513	echo "enforce security checks to prevent unauthorised connections to"
5514	echo "ssh-agent. Their absence increases the risk that a malicious"
5515	echo "user can connect to your agent."
5516	echo ""
5517fi
5518
5519if test "$AUDIT_MODULE" = "bsm" ; then
5520	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5521	echo "See the Solaris section in README.platform for details."
5522fi
5523