xref: /openssh-portable/configure.ac (revision 976c4f86)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_REVISION($Revision: 1.583 $)
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([ENT], [ent])
38AC_SUBST([ENT])
39AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42AC_PATH_PROG([SH], [sh])
43AC_PATH_PROG([GROFF], [groff])
44AC_PATH_PROG([NROFF], [nroff awf])
45AC_PATH_PROG([MANDOC], [mandoc])
46AC_SUBST([TEST_SHELL], [sh])
47
48dnl select manpage formatter to be used to build "cat" format pages.
49if test "x$MANDOC" != "x" ; then
50	MANFMT="$MANDOC"
51elif test "x$NROFF" != "x" ; then
52	MANFMT="$NROFF -mandoc"
53elif test "x$GROFF" != "x" ; then
54	MANFMT="$GROFF -mandoc -Tascii"
55else
56	AC_MSG_WARN([no manpage formatter found])
57	MANFMT="false"
58fi
59AC_SUBST([MANFMT])
60
61dnl for buildpkg.sh
62AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65	[/usr/sbin${PATH_SEPARATOR}/etc])
66AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67if test -x /sbin/sh; then
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
69else
70	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
71fi
72
73# System features
74AC_SYS_LARGEFILE
75
76if test -z "$AR" ; then
77	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
78fi
79
80AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81if test ! -z "$PATH_PASSWD_PROG" ; then
82	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83		[Full path of your "passwd" program])
84fi
85
86dnl Since autoconf doesn't support it very well,  we no longer allow users to
87dnl override LD, however keeping the hook here for now in case there's a use
88dnl use case we overlooked and someone needs to re-enable it.  Unless a good
89dnl reason is found we'll be removing this in future.
90LD="$CC"
91AC_SUBST([LD])
92
93AC_C_INLINE
94
95AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
97AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
98	#include <sys/types.h>
99	#include <sys/param.h>
100	#include <dev/systrace.h>
101])
102AC_CHECK_DECL([RLIMIT_NPROC],
103    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
104	#include <sys/types.h>
105	#include <sys/resource.h>
106])
107AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
108	#include <sys/types.h>
109	#include <linux/prctl.h>
110])
111
112openssl=yes
113AC_ARG_WITH([openssl],
114	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
115	[  if test "x$withval" = "xno" ; then
116		openssl=no
117	   fi
118	]
119)
120AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
121if test "x$openssl" = "xyes" ; then
122	AC_MSG_RESULT([yes])
123	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
124else
125	AC_MSG_RESULT([no])
126fi
127
128use_stack_protector=1
129use_toolchain_hardening=1
130AC_ARG_WITH([stackprotect],
131    [  --without-stackprotect  Don't use compiler's stack protection], [
132    if test "x$withval" = "xno"; then
133	use_stack_protector=0
134    fi ])
135AC_ARG_WITH([hardening],
136    [  --without-hardening     Don't use toolchain hardening flags], [
137    if test "x$withval" = "xno"; then
138	use_toolchain_hardening=0
139    fi ])
140
141# We use -Werror for the tests only so that we catch warnings like "this is
142# on by default" for things like -fPIE.
143AC_MSG_CHECKING([if $CC supports -Werror])
144saved_CFLAGS="$CFLAGS"
145CFLAGS="$CFLAGS -Werror"
146AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
147	[ AC_MSG_RESULT([yes])
148	  WERROR="-Werror"],
149	[ AC_MSG_RESULT([no])
150	  WERROR="" ]
151)
152CFLAGS="$saved_CFLAGS"
153
154if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
155	OSSH_CHECK_CFLAG_COMPILE([-pipe])
156	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
157	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
158	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
159	OSSH_CHECK_CFLAG_COMPILE([-Wall])
160	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
161	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
162	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
163	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
164	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
165	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
166	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
167	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
168	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
169	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
170    if test "x$use_toolchain_hardening" = "x1"; then
171	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
172	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
173	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
174	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
175	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
176	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
177	# NB. -ftrapv expects certain support functions to be present in
178	# the compiler library (libgcc or similar) to detect integer operations
179	# that can overflow. We must check that the result of enabling it
180	# actually links. The test program compiled/linked includes a number
181	# of integer operations that should exercise this.
182	OSSH_CHECK_CFLAG_LINK([-ftrapv])
183    fi
184	AC_MSG_CHECKING([gcc version])
185	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
186	case $GCC_VER in
187		1.*) no_attrib_nonnull=1 ;;
188		2.8* | 2.9*)
189		     no_attrib_nonnull=1
190		     ;;
191		2.*) no_attrib_nonnull=1 ;;
192		*) ;;
193	esac
194	AC_MSG_RESULT([$GCC_VER])
195
196	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
197	saved_CFLAGS="$CFLAGS"
198	CFLAGS="$CFLAGS -fno-builtin-memset"
199	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
200			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
201		[ AC_MSG_RESULT([yes]) ],
202		[ AC_MSG_RESULT([no])
203		  CFLAGS="$saved_CFLAGS" ]
204	)
205
206	# -fstack-protector-all doesn't always work for some GCC versions
207	# and/or platforms, so we test if we can.  If it's not supported
208	# on a given platform gcc will emit a warning so we use -Werror.
209	if test "x$use_stack_protector" = "x1"; then
210	    for t in -fstack-protector-strong -fstack-protector-all \
211		    -fstack-protector; do
212		AC_MSG_CHECKING([if $CC supports $t])
213		saved_CFLAGS="$CFLAGS"
214		saved_LDFLAGS="$LDFLAGS"
215		CFLAGS="$CFLAGS $t -Werror"
216		LDFLAGS="$LDFLAGS $t -Werror"
217		AC_LINK_IFELSE(
218			[AC_LANG_PROGRAM([[
219	#include <stdio.h>
220	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
221			 ]],
222			[[
223	char x[256];
224	snprintf(x, sizeof(x), "XXX%d", func(1));
225			 ]])],
226		    [ AC_MSG_RESULT([yes])
227		      CFLAGS="$saved_CFLAGS $t"
228		      LDFLAGS="$saved_LDFLAGS $t"
229		      AC_MSG_CHECKING([if $t works])
230		      AC_RUN_IFELSE(
231			[AC_LANG_PROGRAM([[
232	#include <stdio.h>
233	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
234			]],
235			[[
236	char x[256];
237	snprintf(x, sizeof(x), "XXX%d", func(1));
238			]])],
239			[ AC_MSG_RESULT([yes])
240			  break ],
241			[ AC_MSG_RESULT([no]) ],
242			[ AC_MSG_WARN([cross compiling: cannot test])
243			  break ]
244		      )
245		    ],
246		    [ AC_MSG_RESULT([no]) ]
247		)
248		CFLAGS="$saved_CFLAGS"
249		LDFLAGS="$saved_LDFLAGS"
250	    done
251	fi
252
253	if test -z "$have_llong_max"; then
254		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
255		unset ac_cv_have_decl_LLONG_MAX
256		saved_CFLAGS="$CFLAGS"
257		CFLAGS="$CFLAGS -std=gnu99"
258		AC_CHECK_DECL([LLONG_MAX],
259		    [have_llong_max=1],
260		    [CFLAGS="$saved_CFLAGS"],
261		    [#include <limits.h>]
262		)
263	fi
264fi
265
266AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
267AC_COMPILE_IFELSE(
268    [AC_LANG_PROGRAM([[
269#include <stdlib.h>
270__attribute__((__unused__)) static void foo(void){return;}]],
271    [[ exit(0); ]])],
272    [ AC_MSG_RESULT([yes]) ],
273    [ AC_MSG_RESULT([no])
274      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
275	 [compiler does not accept __attribute__ on return types]) ]
276)
277
278AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
279AC_COMPILE_IFELSE(
280    [AC_LANG_PROGRAM([[
281#include <stdlib.h>
282typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
283    [[ exit(0); ]])],
284    [ AC_MSG_RESULT([yes]) ],
285    [ AC_MSG_RESULT([no])
286      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
287	 [compiler does not accept __attribute__ on prototype args]) ]
288)
289
290if test "x$no_attrib_nonnull" != "x1" ; then
291	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
292fi
293
294AC_ARG_WITH([rpath],
295	[  --without-rpath         Disable auto-added -R linker paths],
296	[
297		if test "x$withval" = "xno" ; then
298			rpath_opt=""
299		elif test "x$withval" = "xyes" ; then
300			rpath_opt="-R"
301		else
302			rpath_opt="$withval"
303		fi
304	]
305)
306
307# Allow user to specify flags
308AC_ARG_WITH([cflags],
309	[  --with-cflags           Specify additional flags to pass to compiler],
310	[
311		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
312		    test "x${withval}" != "xyes"; then
313			CFLAGS="$CFLAGS $withval"
314		fi
315	]
316)
317
318AC_ARG_WITH([cflags-after],
319	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
320	[
321		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
322		    test "x${withval}" != "xyes"; then
323			CFLAGS_AFTER="$withval"
324		fi
325	]
326)
327AC_ARG_WITH([cppflags],
328	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
329	[
330		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
331		    test "x${withval}" != "xyes"; then
332			CPPFLAGS="$CPPFLAGS $withval"
333		fi
334	]
335)
336AC_ARG_WITH([ldflags],
337	[  --with-ldflags          Specify additional flags to pass to linker],
338	[
339		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
340		    test "x${withval}" != "xyes"; then
341			LDFLAGS="$LDFLAGS $withval"
342		fi
343	]
344)
345AC_ARG_WITH([ldflags-after],
346	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
347	[
348		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
349		    test "x${withval}" != "xyes"; then
350			LDFLAGS_AFTER="$withval"
351		fi
352	]
353)
354AC_ARG_WITH([libs],
355	[  --with-libs             Specify additional libraries to link with],
356	[
357		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
358		    test "x${withval}" != "xyes"; then
359			LIBS="$LIBS $withval"
360		fi
361	]
362)
363AC_ARG_WITH([Werror],
364	[  --with-Werror           Build main code with -Werror],
365	[
366		if test -n "$withval"  &&  test "x$withval" != "xno"; then
367			werror_flags="-Werror"
368			if test "x${withval}" != "xyes"; then
369				werror_flags="$withval"
370			fi
371		fi
372	]
373)
374
375AC_CHECK_HEADERS([ \
376	blf.h \
377	bstring.h \
378	crypt.h \
379	crypto/sha2.h \
380	dirent.h \
381	endian.h \
382	elf.h \
383	err.h \
384	features.h \
385	fcntl.h \
386	floatingpoint.h \
387	fnmatch.h \
388	getopt.h \
389	glob.h \
390	ia.h \
391	iaf.h \
392	ifaddrs.h \
393	inttypes.h \
394	langinfo.h \
395	limits.h \
396	locale.h \
397	login.h \
398	maillock.h \
399	ndir.h \
400	net/if_tun.h \
401	netdb.h \
402	netgroup.h \
403	pam/pam_appl.h \
404	paths.h \
405	poll.h \
406	pty.h \
407	readpassphrase.h \
408	rpc/types.h \
409	security/pam_appl.h \
410	sha2.h \
411	shadow.h \
412	stddef.h \
413	stdint.h \
414	string.h \
415	strings.h \
416	sys/bitypes.h \
417	sys/byteorder.h \
418	sys/bsdtty.h \
419	sys/cdefs.h \
420	sys/dir.h \
421	sys/file.h \
422	sys/mman.h \
423	sys/label.h \
424	sys/ndir.h \
425	sys/poll.h \
426	sys/prctl.h \
427	sys/pstat.h \
428	sys/ptrace.h \
429	sys/random.h \
430	sys/select.h \
431	sys/stat.h \
432	sys/stream.h \
433	sys/stropts.h \
434	sys/strtio.h \
435	sys/statvfs.h \
436	sys/sysmacros.h \
437	sys/time.h \
438	sys/timers.h \
439	sys/vfs.h \
440	time.h \
441	tmpdir.h \
442	ttyent.h \
443	ucred.h \
444	unistd.h \
445	usersec.h \
446	util.h \
447	utime.h \
448	utmp.h \
449	utmpx.h \
450	vis.h \
451	wchar.h \
452])
453
454# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
455# to be included first.
456AC_CHECK_HEADERS([sys/audit.h], [], [], [
457#ifdef HAVE_SYS_TIME_H
458# include <sys/time.h>
459#endif
460#ifdef HAVE_SYS_TYPES_H
461# include <sys/types.h>
462#endif
463#ifdef HAVE_SYS_LABEL_H
464# include <sys/label.h>
465#endif
466])
467
468# sys/capsicum.h requires sys/types.h
469AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
470#ifdef HAVE_SYS_TYPES_H
471# include <sys/types.h>
472#endif
473])
474
475# net/route.h requires sys/socket.h and sys/types.h.
476# sys/sysctl.h also requires sys/param.h
477AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
478#ifdef HAVE_SYS_TYPES_H
479# include <sys/types.h>
480#endif
481#include <sys/param.h>
482#include <sys/socket.h>
483])
484
485# lastlog.h requires sys/time.h to be included first on Solaris
486AC_CHECK_HEADERS([lastlog.h], [], [], [
487#ifdef HAVE_SYS_TIME_H
488# include <sys/time.h>
489#endif
490])
491
492# sys/ptms.h requires sys/stream.h to be included first on Solaris
493AC_CHECK_HEADERS([sys/ptms.h], [], [], [
494#ifdef HAVE_SYS_STREAM_H
495# include <sys/stream.h>
496#endif
497])
498
499# login_cap.h requires sys/types.h on NetBSD
500AC_CHECK_HEADERS([login_cap.h], [], [], [
501#include <sys/types.h>
502])
503
504# older BSDs need sys/param.h before sys/mount.h
505AC_CHECK_HEADERS([sys/mount.h], [], [], [
506#include <sys/param.h>
507])
508
509# Android requires sys/socket.h to be included before sys/un.h
510AC_CHECK_HEADERS([sys/un.h], [], [], [
511#include <sys/types.h>
512#include <sys/socket.h>
513])
514
515# Messages for features tested for in target-specific section
516SIA_MSG="no"
517SPC_MSG="no"
518SP_MSG="no"
519SPP_MSG="no"
520
521# Support for Solaris/Illumos privileges (this test is used by both
522# the --with-solaris-privs option and --with-sandbox=solaris).
523SOLARIS_PRIVS="no"
524
525# Check for some target-specific stuff
526case "$host" in
527*-*-aix*)
528	# Some versions of VAC won't allow macro redefinitions at
529	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
530	# particularly with older versions of vac or xlc.
531	# It also throws errors about null macro arguments, but these are
532	# not fatal.
533	AC_MSG_CHECKING([if compiler allows macro redefinitions])
534	AC_COMPILE_IFELSE(
535	    [AC_LANG_PROGRAM([[
536#define testmacro foo
537#define testmacro bar]],
538	    [[ exit(0); ]])],
539	    [ AC_MSG_RESULT([yes]) ],
540	    [ AC_MSG_RESULT([no])
541	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
542	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
543	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
544	    ]
545	)
546
547	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
548	if (test -z "$blibpath"); then
549		blibpath="/usr/lib:/lib"
550	fi
551	saved_LDFLAGS="$LDFLAGS"
552	if test "$GCC" = "yes"; then
553		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
554	else
555		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
556	fi
557	for tryflags in $flags ;do
558		if (test -z "$blibflags"); then
559			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
560			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
561			[blibflags=$tryflags], [])
562		fi
563	done
564	if (test -z "$blibflags"); then
565		AC_MSG_RESULT([not found])
566		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
567	else
568		AC_MSG_RESULT([$blibflags])
569	fi
570	LDFLAGS="$saved_LDFLAGS"
571	dnl Check for authenticate.  Might be in libs.a on older AIXes
572	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
573		[Define if you want to enable AIX4's authenticate function])],
574		[AC_CHECK_LIB([s], [authenticate],
575			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
576				LIBS="$LIBS -ls"
577			])
578		])
579	dnl Check for various auth function declarations in headers.
580	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
581	    passwdexpired, setauthdb], , , [#include <usersec.h>])
582	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
583	AC_CHECK_DECLS([loginfailed],
584	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
585	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
586		[[ (void)loginfailed("user","host","tty",0); ]])],
587		[AC_MSG_RESULT([yes])
588		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
589			[Define if your AIX loginfailed() function
590			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
591	    ])],
592	    [],
593	    [#include <usersec.h>]
594	)
595	AC_CHECK_FUNCS([getgrset setauthdb])
596	AC_CHECK_DECL([F_CLOSEM],
597	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
598	    [],
599	    [ #include <limits.h>
600	      #include <fcntl.h> ]
601	)
602	check_for_aix_broken_getaddrinfo=1
603	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
604	    [Define if your platform breaks doing a seteuid before a setuid])
605	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
606	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
607	dnl AIX handles lastlog as part of its login message
608	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
609	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
610		[Some systems need a utmpx entry for /bin/login to work])
611	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
612		[Define to a Set Process Title type if your system is
613		supported by bsd-setproctitle.c])
614	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
615	    [AIX 5.2 and 5.3 (and presumably newer) require this])
616	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
617	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
618	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
619	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
620	;;
621*-*-android*)
622	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
623	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
624	;;
625*-*-cygwin*)
626	check_for_libcrypt_later=1
627	LIBS="$LIBS /usr/lib/textreadmode.o"
628	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
629	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
630	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
631		[Define to disable UID restoration test])
632	AC_DEFINE([DISABLE_SHADOW], [1],
633		[Define if you want to disable shadow passwords])
634	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
635		[Define if X11 doesn't support AF_UNIX sockets on that system])
636	AC_DEFINE([DISABLE_FD_PASSING], [1],
637		[Define if your platform needs to skip post auth
638		file descriptor passing])
639	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
640	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
641	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
642	# reasons which cause compile warnings, so we disable those warnings.
643	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
644	;;
645*-*-dgux*)
646	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
647		[Define if your system choked on IP TOS setting])
648	AC_DEFINE([SETEUID_BREAKS_SETUID])
649	AC_DEFINE([BROKEN_SETREUID])
650	AC_DEFINE([BROKEN_SETREGID])
651	;;
652*-*-darwin*)
653	use_pie=auto
654	AC_MSG_CHECKING([if we have working getaddrinfo])
655	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
656main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
657		exit(0);
658	else
659		exit(1);
660}
661			]])],
662	[AC_MSG_RESULT([working])],
663	[AC_MSG_RESULT([buggy])
664	AC_DEFINE([BROKEN_GETADDRINFO], [1],
665		[getaddrinfo is broken (if present)])
666	],
667	[AC_MSG_RESULT([assume it is working])])
668	AC_DEFINE([SETEUID_BREAKS_SETUID])
669	AC_DEFINE([BROKEN_SETREUID])
670	AC_DEFINE([BROKEN_SETREGID])
671	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
672	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
673		[Define if your resolver libs need this for getrrsetbyname])
674	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
675	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
676	    [Use tunnel device compatibility to OpenBSD])
677	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
678	    [Prepend the address family to IP tunnel traffic])
679	m4_pattern_allow([AU_IPv])
680	AC_CHECK_DECL([AU_IPv4], [],
681	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
682	    [#include <bsm/audit.h>]
683	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
684	    [Define if pututxline updates lastlog too])
685	)
686	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
687		[Define to a Set Process Title type if your system is
688		supported by bsd-setproctitle.c])
689	AC_CHECK_FUNCS([sandbox_init])
690	AC_CHECK_HEADERS([sandbox.h])
691	AC_CHECK_LIB([sandbox], [sandbox_apply], [
692	    SSHDLIBS="$SSHDLIBS -lsandbox"
693	])
694	# proc_pidinfo()-based closefrom() replacement.
695	AC_CHECK_HEADERS([libproc.h])
696	AC_CHECK_FUNCS([proc_pidinfo])
697	;;
698*-*-dragonfly*)
699	SSHDLIBS="$SSHDLIBS -lcrypt"
700	TEST_MALLOC_OPTIONS="AFGJPRX"
701	;;
702*-*-haiku*)
703	LIBS="$LIBS -lbsd "
704	CFLAGS="$CFLAGS -D_BSD_SOURCE"
705	AC_CHECK_LIB([network], [socket])
706	AC_DEFINE([HAVE_U_INT64_T])
707	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
708	MANTYPE=man
709	;;
710*-*-hpux*)
711	# first we define all of the options common to all HP-UX releases
712	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
713	IPADDR_IN_DISPLAY=yes
714	AC_DEFINE([USE_PIPES])
715	AC_DEFINE([LOGIN_NEEDS_UTMPX])
716	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
717		[String used in /etc/passwd to denote locked account])
718	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
719	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
720	maildir="/var/mail"
721	LIBS="$LIBS -lsec"
722	AC_CHECK_LIB([xnet], [t_error], ,
723	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
724
725	# next, we define all of the options specific to major releases
726	case "$host" in
727	*-*-hpux10*)
728		if test -z "$GCC"; then
729			CFLAGS="$CFLAGS -Ae"
730		fi
731		;;
732	*-*-hpux11*)
733		AC_DEFINE([PAM_SUN_CODEBASE], [1],
734			[Define if you are using Solaris-derived PAM which
735			passes pam_messages to the conversation function
736			with an extra level of indirection])
737		AC_DEFINE([DISABLE_UTMP], [1],
738			[Define if you don't want to use utmp])
739		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
740		check_for_hpux_broken_getaddrinfo=1
741		check_for_conflicting_getspnam=1
742		;;
743	esac
744
745	# lastly, we define options specific to minor releases
746	case "$host" in
747	*-*-hpux10.26)
748		AC_DEFINE([HAVE_SECUREWARE], [1],
749			[Define if you have SecureWare-based
750			protected password database])
751		disable_ptmx_check=yes
752		LIBS="$LIBS -lsecpw"
753		;;
754	esac
755	;;
756*-*-irix5*)
757	PATH="$PATH:/usr/etc"
758	AC_DEFINE([BROKEN_INET_NTOA], [1],
759		[Define if you system's inet_ntoa is busted
760		(e.g. Irix gcc issue)])
761	AC_DEFINE([SETEUID_BREAKS_SETUID])
762	AC_DEFINE([BROKEN_SETREUID])
763	AC_DEFINE([BROKEN_SETREGID])
764	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
765		[Define if you shouldn't strip 'tty' from your
766		ttyname in [uw]tmp])
767	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
768	;;
769*-*-irix6*)
770	PATH="$PATH:/usr/etc"
771	AC_DEFINE([WITH_IRIX_ARRAY], [1],
772		[Define if you have/want arrays
773		(cluster-wide session management, not C arrays)])
774	AC_DEFINE([WITH_IRIX_PROJECT], [1],
775		[Define if you want IRIX project management])
776	AC_DEFINE([WITH_IRIX_AUDIT], [1],
777		[Define if you want IRIX audit trails])
778	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
779		[Define if you want IRIX kernel jobs])])
780	AC_DEFINE([BROKEN_INET_NTOA])
781	AC_DEFINE([SETEUID_BREAKS_SETUID])
782	AC_DEFINE([BROKEN_SETREUID])
783	AC_DEFINE([BROKEN_SETREGID])
784	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
785	AC_DEFINE([WITH_ABBREV_NO_TTY])
786	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
787	;;
788*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
789	check_for_libcrypt_later=1
790	AC_DEFINE([PAM_TTY_KLUDGE])
791	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
792	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
793	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
794	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
795	;;
796*-*-linux*)
797	no_dev_ptmx=1
798	use_pie=auto
799	check_for_libcrypt_later=1
800	check_for_openpty_ctty_bug=1
801	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
802	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
803	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
804	AC_DEFINE([PAM_TTY_KLUDGE], [1],
805		[Work around problematic Linux PAM modules handling of PAM_TTY])
806	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
807		[String used in /etc/passwd to denote locked account])
808	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
809	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
810		[Define to whatever link() returns for "not supported"
811		if it doesn't return EOPNOTSUPP.])
812	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
813	AC_DEFINE([USE_BTMP])
814	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
815	inet6_default_4in6=yes
816	case `uname -r` in
817	1.*|2.0.*)
818		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
819			[Define if cmsg_type is not passed correctly])
820		;;
821	esac
822	# tun(4) forwarding compat code
823	AC_CHECK_HEADERS([linux/if_tun.h])
824	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
825		AC_DEFINE([SSH_TUN_LINUX], [1],
826		    [Open tunnel devices the Linux tun/tap way])
827		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
828		    [Use tunnel device compatibility to OpenBSD])
829		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
830		    [Prepend the address family to IP tunnel traffic])
831	fi
832	AC_CHECK_HEADER([linux/if.h],
833	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
834		[Support routing domains using Linux VRF]), [], [
835#ifdef HAVE_SYS_TYPES_H
836# include <sys/types.h>
837#endif
838	    ])
839	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
840	    [], [#include <linux/types.h>])
841	# Obtain MIPS ABI
842	case "$host" in
843	mips*)
844		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
845#if _MIPS_SIM != _ABIO32
846#error
847#endif
848			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
849#if _MIPS_SIM != _ABIN32
850#error
851#endif
852				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
853#if _MIPS_SIM != _ABI64
854#error
855#endif
856					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
857				])
858			])
859		])
860		;;
861	esac
862	AC_MSG_CHECKING([for seccomp architecture])
863	seccomp_audit_arch=
864	case "$host" in
865	x86_64-*)
866		seccomp_audit_arch=AUDIT_ARCH_X86_64
867		;;
868	i*86-*)
869		seccomp_audit_arch=AUDIT_ARCH_I386
870		;;
871	arm*-*)
872		seccomp_audit_arch=AUDIT_ARCH_ARM
873		;;
874	aarch64*-*)
875		seccomp_audit_arch=AUDIT_ARCH_AARCH64
876		;;
877	s390x-*)
878		seccomp_audit_arch=AUDIT_ARCH_S390X
879		;;
880	s390-*)
881		seccomp_audit_arch=AUDIT_ARCH_S390
882		;;
883	powerpc64-*)
884		seccomp_audit_arch=AUDIT_ARCH_PPC64
885		;;
886	powerpc64le-*)
887		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
888		;;
889	mips-*)
890		seccomp_audit_arch=AUDIT_ARCH_MIPS
891		;;
892	mipsel-*)
893		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
894		;;
895	mips64-*)
896		case "$mips_abi" in
897		"n32")
898			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
899			;;
900		"n64")
901			seccomp_audit_arch=AUDIT_ARCH_MIPS64
902			;;
903		esac
904		;;
905	mips64el-*)
906		case "$mips_abi" in
907		"n32")
908			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
909			;;
910		"n64")
911			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
912			;;
913		esac
914		;;
915	riscv64-*)
916		seccomp_audit_arch=AUDIT_ARCH_RISCV64
917		;;
918	esac
919	if test "x$seccomp_audit_arch" != "x" ; then
920		AC_MSG_RESULT(["$seccomp_audit_arch"])
921		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
922		    [Specify the system call convention in use])
923	else
924		AC_MSG_RESULT([architecture not supported])
925	fi
926	;;
927mips-sony-bsd|mips-sony-newsos4)
928	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
929	SONY=1
930	;;
931*-*-netbsd*)
932	check_for_libcrypt_before=1
933	if test "x$withval" != "xno" ; then
934		rpath_opt="-R"
935	fi
936	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
937	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
938	AC_CHECK_HEADER([net/if_tap.h], ,
939	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
940	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
941	    [Prepend the address family to IP tunnel traffic])
942	TEST_MALLOC_OPTIONS="AJRX"
943	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
944	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
945	;;
946*-*-freebsd*)
947	check_for_libcrypt_later=1
948	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
949	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
950	AC_CHECK_HEADER([net/if_tap.h], ,
951	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
952	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
953	TEST_MALLOC_OPTIONS="AJRX"
954	# Preauth crypto occasionally uses file descriptors for crypto offload
955	# and will crash if they cannot be opened.
956	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
957	    [define if setrlimit RLIMIT_NOFILE breaks things])
958	;;
959*-*-bsdi*)
960	AC_DEFINE([SETEUID_BREAKS_SETUID])
961	AC_DEFINE([BROKEN_SETREUID])
962	AC_DEFINE([BROKEN_SETREGID])
963	;;
964*-next-*)
965	conf_lastlog_location="/usr/adm/lastlog"
966	conf_utmp_location=/etc/utmp
967	conf_wtmp_location=/usr/adm/wtmp
968	maildir=/usr/spool/mail
969	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
970	AC_DEFINE([USE_PIPES])
971	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
972	;;
973*-*-openbsd*)
974	use_pie=auto
975	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
976	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
977	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
978	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
979	    [syslog_r function is safe to use in in a signal handler])
980	TEST_MALLOC_OPTIONS="AFGJPRX"
981	;;
982*-*-solaris*)
983	if test "x$withval" != "xno" ; then
984		rpath_opt="-R"
985	fi
986	AC_DEFINE([PAM_SUN_CODEBASE])
987	AC_DEFINE([LOGIN_NEEDS_UTMPX])
988	AC_DEFINE([PAM_TTY_KLUDGE])
989	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
990		[Define if pam_chauthtok wants real uid set
991		to the unpriv'ed user])
992	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
993	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
994	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
995		[Define if sshd somehow reacquires a controlling TTY
996		after setsid()])
997	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
998		in case the name is longer than 8 chars])
999	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1000	external_path_file=/etc/default/login
1001	# hardwire lastlog location (can't detect it on some versions)
1002	conf_lastlog_location="/var/adm/lastlog"
1003	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1004	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1005	if test "$sol2ver" -ge 8; then
1006		AC_MSG_RESULT([yes])
1007		AC_DEFINE([DISABLE_UTMP])
1008		AC_DEFINE([DISABLE_WTMP], [1],
1009			[Define if you don't want to use wtmp])
1010	else
1011		AC_MSG_RESULT([no])
1012	fi
1013	AC_CHECK_FUNCS([setpflags])
1014	AC_CHECK_FUNCS([setppriv])
1015	AC_CHECK_FUNCS([priv_basicset])
1016	AC_CHECK_HEADERS([priv.h])
1017	AC_ARG_WITH([solaris-contracts],
1018		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1019		[
1020		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1021			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1022				[Define if you have Solaris process contracts])
1023			  LIBS="$LIBS -lcontract"
1024			  SPC_MSG="yes" ], )
1025		],
1026	)
1027	AC_ARG_WITH([solaris-projects],
1028		[  --with-solaris-projects Enable Solaris projects (experimental)],
1029		[
1030		AC_CHECK_LIB([project], [setproject],
1031			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1032				[Define if you have Solaris projects])
1033			LIBS="$LIBS -lproject"
1034			SP_MSG="yes" ], )
1035		],
1036	)
1037	AC_ARG_WITH([solaris-privs],
1038		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1039		[
1040		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1041		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1042			"x$ac_cv_header_priv_h" = "xyes" ; then
1043			SOLARIS_PRIVS=yes
1044			AC_MSG_RESULT([found])
1045			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1046				[Define to disable UID restoration test])
1047			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1048				[Define if you have Solaris privileges])
1049			SPP_MSG="yes"
1050		else
1051			AC_MSG_RESULT([not found])
1052			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1053		fi
1054		],
1055	)
1056	TEST_SHELL=$SHELL	# let configure find us a capable shell
1057	;;
1058*-*-sunos4*)
1059	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1060	AC_CHECK_FUNCS([getpwanam])
1061	AC_DEFINE([PAM_SUN_CODEBASE])
1062	conf_utmp_location=/etc/utmp
1063	conf_wtmp_location=/var/adm/wtmp
1064	conf_lastlog_location=/var/adm/lastlog
1065	AC_DEFINE([USE_PIPES])
1066	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1067	;;
1068*-ncr-sysv*)
1069	LIBS="$LIBS -lc89"
1070	AC_DEFINE([USE_PIPES])
1071	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1072	AC_DEFINE([SETEUID_BREAKS_SETUID])
1073	AC_DEFINE([BROKEN_SETREUID])
1074	AC_DEFINE([BROKEN_SETREGID])
1075	;;
1076*-sni-sysv*)
1077	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1078	AC_CHECK_LIB([dl], [dlsym], ,)
1079	# -lresolv needs to be at the end of LIBS or DNS lookups break
1080	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1081	IPADDR_IN_DISPLAY=yes
1082	AC_DEFINE([USE_PIPES])
1083	AC_DEFINE([IP_TOS_IS_BROKEN])
1084	AC_DEFINE([SETEUID_BREAKS_SETUID])
1085	AC_DEFINE([BROKEN_SETREUID])
1086	AC_DEFINE([BROKEN_SETREGID])
1087	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1088	external_path_file=/etc/default/login
1089	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1090	# Attention: always take care to bind libsocket and libnsl before libc,
1091	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1092	;;
1093# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1094*-*-sysv4.2*)
1095	AC_DEFINE([USE_PIPES])
1096	AC_DEFINE([SETEUID_BREAKS_SETUID])
1097	AC_DEFINE([BROKEN_SETREUID])
1098	AC_DEFINE([BROKEN_SETREGID])
1099	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1100	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1101	TEST_SHELL=$SHELL	# let configure find us a capable shell
1102	;;
1103# UnixWare 7.x, OpenUNIX 8
1104*-*-sysv5*)
1105	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1106	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1107	AC_DEFINE([USE_PIPES])
1108	AC_DEFINE([SETEUID_BREAKS_SETUID])
1109	AC_DEFINE([BROKEN_GETADDRINFO])
1110	AC_DEFINE([BROKEN_SETREUID])
1111	AC_DEFINE([BROKEN_SETREGID])
1112	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1113	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1114	TEST_SHELL=$SHELL	# let configure find us a capable shell
1115	check_for_libcrypt_later=1
1116	case "$host" in
1117	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1118		maildir=/var/spool/mail
1119		AC_DEFINE([BROKEN_UPDWTMPX])
1120		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1121			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1122			], , )
1123		;;
1124	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1125		;;
1126	esac
1127	;;
1128*-*-sysv*)
1129	;;
1130# SCO UNIX and OEM versions of SCO UNIX
1131*-*-sco3.2v4*)
1132	AC_MSG_ERROR("This Platform is no longer supported.")
1133	;;
1134# SCO OpenServer 5.x
1135*-*-sco3.2v5*)
1136	if test -z "$GCC"; then
1137		CFLAGS="$CFLAGS -belf"
1138	fi
1139	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1140	no_dev_ptmx=1
1141	AC_DEFINE([USE_PIPES])
1142	AC_DEFINE([HAVE_SECUREWARE])
1143	AC_DEFINE([DISABLE_SHADOW])
1144	AC_DEFINE([DISABLE_FD_PASSING])
1145	AC_DEFINE([SETEUID_BREAKS_SETUID])
1146	AC_DEFINE([BROKEN_GETADDRINFO])
1147	AC_DEFINE([BROKEN_SETREUID])
1148	AC_DEFINE([BROKEN_SETREGID])
1149	AC_DEFINE([WITH_ABBREV_NO_TTY])
1150	AC_DEFINE([BROKEN_UPDWTMPX])
1151	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1152	AC_CHECK_FUNCS([getluid setluid])
1153	MANTYPE=man
1154	TEST_SHELL=$SHELL	# let configure find us a capable shell
1155	SKIP_DISABLE_LASTLOG_DEFINE=yes
1156	;;
1157*-dec-osf*)
1158	AC_MSG_CHECKING([for Digital Unix SIA])
1159	no_osfsia=""
1160	AC_ARG_WITH([osfsia],
1161		[  --with-osfsia           Enable Digital Unix SIA],
1162		[
1163			if test "x$withval" = "xno" ; then
1164				AC_MSG_RESULT([disabled])
1165				no_osfsia=1
1166			fi
1167		],
1168	)
1169	if test -z "$no_osfsia" ; then
1170		if test -f /etc/sia/matrix.conf; then
1171			AC_MSG_RESULT([yes])
1172			AC_DEFINE([HAVE_OSF_SIA], [1],
1173				[Define if you have Digital Unix Security
1174				Integration Architecture])
1175			AC_DEFINE([DISABLE_LOGIN], [1],
1176				[Define if you don't want to use your
1177				system's login() call])
1178			AC_DEFINE([DISABLE_FD_PASSING])
1179			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1180			SIA_MSG="yes"
1181		else
1182			AC_MSG_RESULT([no])
1183			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1184			  [String used in /etc/passwd to denote locked account])
1185		fi
1186	fi
1187	AC_DEFINE([BROKEN_GETADDRINFO])
1188	AC_DEFINE([SETEUID_BREAKS_SETUID])
1189	AC_DEFINE([BROKEN_SETREUID])
1190	AC_DEFINE([BROKEN_SETREGID])
1191	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1192	;;
1193
1194*-*-nto-qnx*)
1195	AC_DEFINE([USE_PIPES])
1196	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1197	AC_DEFINE([DISABLE_LASTLOG])
1198	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1199	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1200	enable_etc_default_login=no	# has incompatible /etc/default/login
1201	case "$host" in
1202	*-*-nto-qnx6*)
1203		AC_DEFINE([DISABLE_FD_PASSING])
1204		;;
1205	esac
1206	;;
1207
1208*-*-ultrix*)
1209	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1210	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1211	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1212	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1213	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1214	# don't get a controlling tty.
1215	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1216	# On Ultrix some headers are not protected against multiple includes,
1217	# so we create wrappers and put it where the compiler will find it.
1218	AC_MSG_WARN([creating compat wrappers for headers])
1219	mkdir -p netinet
1220	for header in netinet/ip.h netdb.h resolv.h; do
1221		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1222		cat >$header <<EOD
1223#ifndef _SSH_COMPAT_${name}
1224#define _SSH_COMPAT_${name}
1225#include "/usr/include/${header}"
1226#endif
1227EOD
1228	done
1229	;;
1230
1231*-*-lynxos)
1232	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1233	AC_DEFINE([BROKEN_SETVBUF], [1],
1234	    [LynxOS has broken setvbuf() implementation])
1235	;;
1236esac
1237
1238AC_MSG_CHECKING([compiler and flags for sanity])
1239AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1240	[	AC_MSG_RESULT([yes]) ],
1241	[
1242		AC_MSG_RESULT([no])
1243		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1244	],
1245	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1246)
1247
1248dnl Checks for header files.
1249# Checks for libraries.
1250AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1251
1252dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1253AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1254	AC_CHECK_LIB([gen], [dirname], [
1255		AC_CACHE_CHECK([for broken dirname],
1256			ac_cv_have_broken_dirname, [
1257			save_LIBS="$LIBS"
1258			LIBS="$LIBS -lgen"
1259			AC_RUN_IFELSE(
1260				[AC_LANG_SOURCE([[
1261#include <libgen.h>
1262#include <string.h>
1263
1264int main(int argc, char **argv) {
1265    char *s, buf[32];
1266
1267    strncpy(buf,"/etc", 32);
1268    s = dirname(buf);
1269    if (!s || strncmp(s, "/", 32) != 0) {
1270	exit(1);
1271    } else {
1272	exit(0);
1273    }
1274}
1275				]])],
1276				[ ac_cv_have_broken_dirname="no" ],
1277				[ ac_cv_have_broken_dirname="yes" ],
1278				[ ac_cv_have_broken_dirname="no" ],
1279			)
1280			LIBS="$save_LIBS"
1281		])
1282		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1283			LIBS="$LIBS -lgen"
1284			AC_DEFINE([HAVE_DIRNAME])
1285			AC_CHECK_HEADERS([libgen.h])
1286		fi
1287	])
1288])
1289
1290AC_CHECK_FUNC([getspnam], ,
1291	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1292AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1293	[Define if you have the basename function.])])
1294
1295dnl zlib defaults to enabled
1296zlib=yes
1297AC_ARG_WITH([zlib],
1298	[  --with-zlib=PATH        Use zlib in PATH],
1299	[ if test "x$withval" = "xno" ; then
1300		zlib=no
1301	  elif test "x$withval" != "xyes"; then
1302		if test -d "$withval/lib"; then
1303			if test -n "${rpath_opt}"; then
1304				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1305			else
1306				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1307			fi
1308		else
1309			if test -n "${rpath_opt}"; then
1310				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1311			else
1312				LDFLAGS="-L${withval} ${LDFLAGS}"
1313			fi
1314		fi
1315		if test -d "$withval/include"; then
1316			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1317		else
1318			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1319		fi
1320	fi ]
1321)
1322
1323AC_MSG_CHECKING([for zlib])
1324if test "x${zlib}" = "xno"; then
1325	AC_MSG_RESULT([no])
1326else
1327	AC_MSG_RESULT([yes])
1328	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1329    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1330    AC_CHECK_LIB([z], [deflate], ,
1331	[
1332		saved_CPPFLAGS="$CPPFLAGS"
1333		saved_LDFLAGS="$LDFLAGS"
1334		save_LIBS="$LIBS"
1335		dnl Check default zlib install dir
1336		if test -n "${rpath_opt}"; then
1337			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1338		else
1339			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1340		fi
1341		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1342		LIBS="$LIBS -lz"
1343		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1344			[
1345				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1346			]
1347		)
1348	]
1349    )
1350
1351    AC_ARG_WITH([zlib-version-check],
1352	[  --without-zlib-version-check Disable zlib version check],
1353	[  if test "x$withval" = "xno" ; then
1354		zlib_check_nonfatal=1
1355	   fi
1356	]
1357    )
1358
1359    AC_MSG_CHECKING([for possibly buggy zlib])
1360    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1361#include <stdio.h>
1362#include <stdlib.h>
1363#include <zlib.h>
1364	]],
1365	[[
1366	int a=0, b=0, c=0, d=0, n, v;
1367	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1368	if (n != 3 && n != 4)
1369		exit(1);
1370	v = a*1000000 + b*10000 + c*100 + d;
1371	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1372
1373	/* 1.1.4 is OK */
1374	if (a == 1 && b == 1 && c >= 4)
1375		exit(0);
1376
1377	/* 1.2.3 and up are OK */
1378	if (v >= 1020300)
1379		exit(0);
1380
1381	exit(2);
1382	]])],
1383	AC_MSG_RESULT([no]),
1384	[ AC_MSG_RESULT([yes])
1385	  if test -z "$zlib_check_nonfatal" ; then
1386		AC_MSG_ERROR([*** zlib too old - check config.log ***
1387Your reported zlib version has known security problems.  It's possible your
1388vendor has fixed these problems without changing the version number.  If you
1389are sure this is the case, you can disable the check by running
1390"./configure --without-zlib-version-check".
1391If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1392See http://www.gzip.org/zlib/ for details.])
1393	  else
1394		AC_MSG_WARN([zlib version may have security problems])
1395	  fi
1396	],
1397	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1398    )
1399fi
1400
1401dnl UnixWare 2.x
1402AC_CHECK_FUNC([strcasecmp],
1403	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1404)
1405AC_CHECK_FUNCS([utimes],
1406	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1407					LIBS="$LIBS -lc89"]) ]
1408)
1409
1410dnl    Checks for libutil functions
1411AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1412AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1413AC_SEARCH_LIBS([scan_scaled], [util bsd])
1414AC_SEARCH_LIBS([login], [util bsd])
1415AC_SEARCH_LIBS([logout], [util bsd])
1416AC_SEARCH_LIBS([logwtmp], [util bsd])
1417AC_SEARCH_LIBS([openpty], [util bsd])
1418AC_SEARCH_LIBS([updwtmp], [util bsd])
1419AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1420
1421# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1422# or libnsl.
1423AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1424AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1425
1426# "Particular Function Checks"
1427# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1428AC_FUNC_STRFTIME
1429AC_FUNC_MALLOC
1430AC_FUNC_REALLOC
1431# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1432AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1433AC_RUN_IFELSE(
1434	[AC_LANG_PROGRAM(
1435		[[ #include <stdlib.h> ]],
1436		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1437	)],
1438	[ func_calloc_0_nonnull=yes ],
1439	[ func_calloc_0_nonnull=no ],
1440	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1441	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1442)
1443AC_MSG_RESULT([$func_calloc_0_nonnull])
1444
1445if test "x$func_calloc_0_nonnull" = "xyes"; then
1446	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1447else
1448	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1449	AC_DEFINE(calloc, rpl_calloc,
1450	    [Define to rpl_calloc if the replacement function should be used.])
1451fi
1452
1453# Check for ALTDIRFUNC glob() extension
1454AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1455AC_EGREP_CPP([FOUNDIT],
1456	[
1457		#include <glob.h>
1458		#ifdef GLOB_ALTDIRFUNC
1459		FOUNDIT
1460		#endif
1461	],
1462	[
1463		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1464			[Define if your system glob() function has
1465			the GLOB_ALTDIRFUNC extension])
1466		AC_MSG_RESULT([yes])
1467	],
1468	[
1469		AC_MSG_RESULT([no])
1470	]
1471)
1472
1473# Check for g.gl_matchc glob() extension
1474AC_MSG_CHECKING([for gl_matchc field in glob_t])
1475AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1476	[[ glob_t g; g.gl_matchc = 1; ]])],
1477	[
1478		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1479			[Define if your system glob() function has
1480			gl_matchc options in glob_t])
1481		AC_MSG_RESULT([yes])
1482	], [
1483		AC_MSG_RESULT([no])
1484])
1485
1486# Check for g.gl_statv glob() extension
1487AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1488AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1489#ifndef GLOB_KEEPSTAT
1490#error "glob does not support GLOB_KEEPSTAT extension"
1491#endif
1492glob_t g;
1493g.gl_statv = NULL;
1494]])],
1495	[
1496		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1497			[Define if your system glob() function has
1498			gl_statv options in glob_t])
1499		AC_MSG_RESULT([yes])
1500	], [
1501		AC_MSG_RESULT([no])
1502
1503])
1504
1505AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1506
1507AC_CHECK_DECL([VIS_ALL], ,
1508    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1509
1510AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1511AC_RUN_IFELSE(
1512	[AC_LANG_PROGRAM([[
1513#include <sys/types.h>
1514#include <dirent.h>]],
1515	[[
1516	struct dirent d;
1517	exit(sizeof(d.d_name)<=sizeof(char));
1518	]])],
1519	[AC_MSG_RESULT([yes])],
1520	[
1521		AC_MSG_RESULT([no])
1522		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1523			[Define if your struct dirent expects you to
1524			allocate extra space for d_name])
1525	],
1526	[
1527		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1528		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1529	]
1530)
1531
1532AC_MSG_CHECKING([for /proc/pid/fd directory])
1533if test -d "/proc/$$/fd" ; then
1534	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1535	AC_MSG_RESULT([yes])
1536else
1537	AC_MSG_RESULT([no])
1538fi
1539
1540# Check whether user wants to use ldns
1541LDNS_MSG="no"
1542AC_ARG_WITH(ldns,
1543	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1544	[
1545	ldns=""
1546	if test "x$withval" = "xyes" ; then
1547		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1548		if test "x$LDNSCONFIG" = "xno"; then
1549			LIBS="-lldns $LIBS"
1550			ldns=yes
1551		else
1552			LIBS="$LIBS `$LDNSCONFIG --libs`"
1553			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1554			ldns=yes
1555		fi
1556	elif test "x$withval" != "xno" ; then
1557			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1558			LDFLAGS="$LDFLAGS -L${withval}/lib"
1559			LIBS="-lldns $LIBS"
1560			ldns=yes
1561	fi
1562
1563	# Verify that it works.
1564	if test "x$ldns" = "xyes" ; then
1565		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1566		LDNS_MSG="yes"
1567		AC_MSG_CHECKING([for ldns support])
1568		AC_LINK_IFELSE(
1569			[AC_LANG_SOURCE([[
1570#include <stdio.h>
1571#include <stdlib.h>
1572#ifdef HAVE_STDINT_H
1573# include <stdint.h>
1574#endif
1575#include <ldns/ldns.h>
1576int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1577			]])
1578		],
1579			[AC_MSG_RESULT(yes)],
1580				[
1581					AC_MSG_RESULT(no)
1582					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1583				])
1584	fi
1585])
1586
1587# Check whether user wants libedit support
1588LIBEDIT_MSG="no"
1589AC_ARG_WITH([libedit],
1590	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1591	[ if test "x$withval" != "xno" ; then
1592		if test "x$withval" = "xyes" ; then
1593			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1594			if test "x$PKGCONFIG" != "xno"; then
1595				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1596				if "$PKGCONFIG" libedit; then
1597					AC_MSG_RESULT([yes])
1598					use_pkgconfig_for_libedit=yes
1599				else
1600					AC_MSG_RESULT([no])
1601				fi
1602			fi
1603		else
1604			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1605			if test -n "${rpath_opt}"; then
1606				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1607			else
1608				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1609			fi
1610		fi
1611		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1612			LIBEDIT=`$PKGCONFIG --libs libedit`
1613			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1614		else
1615			LIBEDIT="-ledit -lcurses"
1616		fi
1617		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1618		AC_CHECK_LIB([edit], [el_init],
1619			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1620			  LIBEDIT_MSG="yes"
1621			  AC_SUBST([LIBEDIT])
1622			],
1623			[ AC_MSG_ERROR([libedit not found]) ],
1624			[ $OTHERLIBS ]
1625		)
1626		AC_MSG_CHECKING([if libedit version is compatible])
1627		AC_COMPILE_IFELSE(
1628		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1629		    [[
1630	int i = H_SETSIZE;
1631	el_init("", NULL, NULL, NULL);
1632	exit(0);
1633		    ]])],
1634		    [ AC_MSG_RESULT([yes]) ],
1635		    [ AC_MSG_RESULT([no])
1636		      AC_MSG_ERROR([libedit version is not compatible]) ]
1637		)
1638	fi ]
1639)
1640
1641AUDIT_MODULE=none
1642AC_ARG_WITH([audit],
1643	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1644	[
1645	  AC_MSG_CHECKING([for supported audit module])
1646	  case "$withval" in
1647	  bsm)
1648		AC_MSG_RESULT([bsm])
1649		AUDIT_MODULE=bsm
1650		dnl    Checks for headers, libs and functions
1651		AC_CHECK_HEADERS([bsm/audit.h], [],
1652		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1653		    [
1654#ifdef HAVE_TIME_H
1655# include <time.h>
1656#endif
1657		    ]
1658)
1659		AC_CHECK_LIB([bsm], [getaudit], [],
1660		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1661		AC_CHECK_FUNCS([getaudit], [],
1662		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1663		# These are optional
1664		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1665		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1666		if test "$sol2ver" -ge 11; then
1667			SSHDLIBS="$SSHDLIBS -lscf"
1668			AC_DEFINE([BROKEN_BSM_API], [1],
1669				[The system has incomplete BSM API])
1670		fi
1671		;;
1672	  linux)
1673		AC_MSG_RESULT([linux])
1674		AUDIT_MODULE=linux
1675		dnl    Checks for headers, libs and functions
1676		AC_CHECK_HEADERS([libaudit.h])
1677		SSHDLIBS="$SSHDLIBS -laudit"
1678		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1679		;;
1680	  debug)
1681		AUDIT_MODULE=debug
1682		AC_MSG_RESULT([debug])
1683		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1684		;;
1685	  no)
1686		AC_MSG_RESULT([no])
1687		;;
1688	  *)
1689		AC_MSG_ERROR([Unknown audit module $withval])
1690		;;
1691	esac ]
1692)
1693
1694AC_ARG_WITH([pie],
1695    [  --with-pie              Build Position Independent Executables if possible], [
1696	if test "x$withval" = "xno"; then
1697		use_pie=no
1698	fi
1699	if test "x$withval" = "xyes"; then
1700		use_pie=yes
1701	fi
1702    ]
1703)
1704if test "x$use_pie" = "x"; then
1705	use_pie=no
1706fi
1707if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1708	# Turn off automatic PIE when toolchain hardening is off.
1709	use_pie=no
1710fi
1711if test "x$use_pie" = "xauto"; then
1712	# Automatic PIE requires gcc >= 4.x
1713	AC_MSG_CHECKING([for gcc >= 4.x])
1714	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1715#if !defined(__GNUC__) || __GNUC__ < 4
1716#error gcc is too old
1717#endif
1718]])],
1719	[ AC_MSG_RESULT([yes]) ],
1720	[ AC_MSG_RESULT([no])
1721	  use_pie=no ]
1722)
1723fi
1724if test "x$use_pie" != "xno"; then
1725	SAVED_CFLAGS="$CFLAGS"
1726	SAVED_LDFLAGS="$LDFLAGS"
1727	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1728	OSSH_CHECK_LDFLAG_LINK([-pie])
1729	# We use both -fPIE and -pie or neither.
1730	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1731	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1732	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1733		AC_MSG_RESULT([yes])
1734	else
1735		AC_MSG_RESULT([no])
1736		CFLAGS="$SAVED_CFLAGS"
1737		LDFLAGS="$SAVED_LDFLAGS"
1738	fi
1739fi
1740
1741AC_MSG_CHECKING([whether -fPIC is accepted])
1742SAVED_CFLAGS="$CFLAGS"
1743CFLAGS="$CFLAGS -fPIC"
1744AC_COMPILE_IFELSE(
1745	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1746   [AC_MSG_RESULT([yes])
1747    PICFLAG="-fPIC"; ],
1748   [AC_MSG_RESULT([no])
1749    PICFLAG=""; ])
1750CFLAGS="$SAVED_CFLAGS"
1751AC_SUBST([PICFLAG])
1752
1753dnl    Checks for library functions. Please keep in alphabetical order
1754AC_CHECK_FUNCS([ \
1755	Blowfish_initstate \
1756	Blowfish_expandstate \
1757	Blowfish_expand0state \
1758	Blowfish_stream2word \
1759	SHA256Update \
1760	SHA384Update \
1761	SHA512Update \
1762	asprintf \
1763	b64_ntop \
1764	__b64_ntop \
1765	b64_pton \
1766	__b64_pton \
1767	bcopy \
1768	bcrypt_pbkdf \
1769	bindresvport_sa \
1770	blf_enc \
1771	bzero \
1772	cap_rights_limit \
1773	clock \
1774	closefrom \
1775	dirfd \
1776	endgrent \
1777	err \
1778	errx \
1779	explicit_bzero \
1780	fchmod \
1781	fchmodat \
1782	fchown \
1783	fchownat \
1784	flock \
1785	fnmatch \
1786	freeaddrinfo \
1787	freezero \
1788	fstatfs \
1789	fstatvfs \
1790	futimes \
1791	getaddrinfo \
1792	getcwd \
1793	getgrouplist \
1794	getline \
1795	getnameinfo \
1796	getopt \
1797	getpagesize \
1798	getpeereid \
1799	getpeerucred \
1800	getpgid \
1801	_getpty \
1802	getrlimit \
1803	getrandom \
1804	getsid \
1805	getttyent \
1806	glob \
1807	group_from_gid \
1808	inet_aton \
1809	inet_ntoa \
1810	inet_ntop \
1811	innetgr \
1812	llabs \
1813	localtime_r \
1814	login_getcapbool \
1815	md5_crypt \
1816	memmem \
1817	memmove \
1818	memset_s \
1819	mkdtemp \
1820	ngetaddrinfo \
1821	nsleep \
1822	ogetaddrinfo \
1823	openlog_r \
1824	pledge \
1825	poll \
1826	prctl \
1827	pstat \
1828	raise \
1829	readpassphrase \
1830	reallocarray \
1831	realpath \
1832	recvmsg \
1833	recallocarray \
1834	rresvport_af \
1835	sendmsg \
1836	setdtablesize \
1837	setegid \
1838	setenv \
1839	seteuid \
1840	setgroupent \
1841	setgroups \
1842	setlinebuf \
1843	setlogin \
1844	setpassent\
1845	setpcred \
1846	setproctitle \
1847	setregid \
1848	setreuid \
1849	setrlimit \
1850	setsid \
1851	setvbuf \
1852	sigaction \
1853	sigvec \
1854	snprintf \
1855	socketpair \
1856	statfs \
1857	statvfs \
1858	strcasestr \
1859	strdup \
1860	strerror \
1861	strlcat \
1862	strlcpy \
1863	strmode \
1864	strndup \
1865	strnlen \
1866	strnvis \
1867	strptime \
1868	strsignal \
1869	strtonum \
1870	strtoll \
1871	strtoul \
1872	strtoull \
1873	swap32 \
1874	sysconf \
1875	tcgetpgrp \
1876	timingsafe_bcmp \
1877	truncate \
1878	unsetenv \
1879	updwtmpx \
1880	utimensat \
1881	user_from_uid \
1882	usleep \
1883	vasprintf \
1884	vsnprintf \
1885	waitpid \
1886	warn \
1887])
1888
1889AC_CHECK_DECLS([bzero, memmem])
1890
1891dnl Wide character support.
1892AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1893
1894TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1895AC_MSG_CHECKING([for utf8 locale support])
1896AC_RUN_IFELSE(
1897	[AC_LANG_PROGRAM([[
1898#include <locale.h>
1899#include <stdlib.h>
1900	]], [[
1901	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1902	if (loc != NULL)
1903		exit(0);
1904	exit(1);
1905	]])],
1906	AC_MSG_RESULT(yes),
1907	[AC_MSG_RESULT(no)
1908	 TEST_SSH_UTF8=no],
1909	AC_MSG_WARN([cross compiling: assuming yes])
1910)
1911
1912AC_LINK_IFELSE(
1913        [AC_LANG_PROGRAM(
1914           [[ #include <ctype.h> ]],
1915           [[ return (isblank('a')); ]])],
1916	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1917])
1918
1919disable_pkcs11=
1920AC_ARG_ENABLE([pkcs11],
1921	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1922	[
1923		if test "x$enableval" = "xno" ; then
1924			disable_pkcs11=1
1925		fi
1926	]
1927)
1928
1929disable_sk=
1930AC_ARG_ENABLE([security-key],
1931	[  --disable-security-key  disable U2F/FIDO support code [no]],
1932	[
1933		if test "x$enableval" = "xno" ; then
1934			disable_sk=1
1935		fi
1936	]
1937)
1938enable_sk_internal=
1939AC_ARG_WITH([security-key-builtin],
1940	[  --with-security-key-builtin include builtin U2F/FIDO support],
1941	[
1942		if test "x$withval" != "xno" ; then
1943			enable_sk_internal=yes
1944		fi
1945	]
1946)
1947test "x$disable_sk" != "x" && enable_sk_internal=""
1948
1949AC_SEARCH_LIBS([dlopen], [dl])
1950AC_CHECK_FUNCS([dlopen])
1951AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1952
1953# IRIX has a const char return value for gai_strerror()
1954AC_CHECK_FUNCS([gai_strerror], [
1955	AC_DEFINE([HAVE_GAI_STRERROR])
1956	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1957#include <sys/types.h>
1958#include <sys/socket.h>
1959#include <netdb.h>
1960
1961const char *gai_strerror(int);
1962			]], [[
1963	char *str;
1964	str = gai_strerror(0);
1965			]])], [
1966		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1967		[Define if gai_strerror() returns const char *])], [])])
1968
1969AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1970	[Some systems put nanosleep outside of libc])])
1971
1972AC_SEARCH_LIBS([clock_gettime], [rt],
1973	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1974
1975dnl check if we need -D_REENTRANT for localtime_r declaration.
1976AC_CHECK_DECL([localtime_r], [],
1977	[ saved_CPPFLAGS="$CFLAGS"
1978	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1979	  unset ac_cv_have_decl_localtime_r
1980	  AC_CHECK_DECL([localtime_r], [],
1981		[ CPPFLAGS="$saved_CPPFLAGS" ],
1982		[ #include <time.h> ]
1983	  )
1984	],
1985	[ #include <time.h> ]
1986)
1987
1988dnl Make sure prototypes are defined for these before using them.
1989AC_CHECK_DECL([strsep],
1990	[AC_CHECK_FUNCS([strsep])],
1991	[],
1992	[
1993#ifdef HAVE_STRING_H
1994# include <string.h>
1995#endif
1996	])
1997
1998dnl tcsendbreak might be a macro
1999AC_CHECK_DECL([tcsendbreak],
2000	[AC_DEFINE([HAVE_TCSENDBREAK])],
2001	[AC_CHECK_FUNCS([tcsendbreak])],
2002	[#include <termios.h>]
2003)
2004
2005AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2006
2007AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2008	[
2009#include <sys/types.h>
2010#include <sys/socket.h>
2011#include <unistd.h>
2012	])
2013
2014AC_CHECK_DECLS([O_NONBLOCK], , ,
2015	[
2016#include <sys/types.h>
2017#ifdef HAVE_SYS_STAT_H
2018# include <sys/stat.h>
2019#endif
2020#ifdef HAVE_FCNTL_H
2021# include <fcntl.h>
2022#endif
2023	])
2024
2025AC_CHECK_DECLS([readv, writev], , , [
2026#include <sys/types.h>
2027#include <sys/uio.h>
2028#include <unistd.h>
2029	])
2030
2031AC_CHECK_DECLS([MAXSYMLINKS], , , [
2032#include <sys/param.h>
2033	])
2034
2035AC_CHECK_DECLS([offsetof], , , [
2036#include <stddef.h>
2037	])
2038
2039# extra bits for select(2)
2040AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2041#include <sys/param.h>
2042#include <sys/types.h>
2043#ifdef HAVE_SYS_SYSMACROS_H
2044#include <sys/sysmacros.h>
2045#endif
2046#ifdef HAVE_SYS_SELECT_H
2047#include <sys/select.h>
2048#endif
2049#ifdef HAVE_SYS_TIME_H
2050#include <sys/time.h>
2051#endif
2052#ifdef HAVE_UNISTD_H
2053#include <unistd.h>
2054#endif
2055	]])
2056AC_CHECK_TYPES([fd_mask], [], [], [[
2057#include <sys/param.h>
2058#include <sys/types.h>
2059#ifdef HAVE_SYS_SELECT_H
2060#include <sys/select.h>
2061#endif
2062#ifdef HAVE_SYS_TIME_H
2063#include <sys/time.h>
2064#endif
2065#ifdef HAVE_UNISTD_H
2066#include <unistd.h>
2067#endif
2068	]])
2069
2070AC_CHECK_FUNCS([setresuid], [
2071	dnl Some platorms have setresuid that isn't implemented, test for this
2072	AC_MSG_CHECKING([if setresuid seems to work])
2073	AC_RUN_IFELSE(
2074		[AC_LANG_PROGRAM([[
2075#include <stdlib.h>
2076#include <errno.h>
2077		]], [[
2078	errno=0;
2079	setresuid(0,0,0);
2080	if (errno==ENOSYS)
2081		exit(1);
2082	else
2083		exit(0);
2084		]])],
2085		[AC_MSG_RESULT([yes])],
2086		[AC_DEFINE([BROKEN_SETRESUID], [1],
2087			[Define if your setresuid() is broken])
2088		 AC_MSG_RESULT([not implemented])],
2089		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2090	)
2091])
2092
2093AC_CHECK_FUNCS([setresgid], [
2094	dnl Some platorms have setresgid that isn't implemented, test for this
2095	AC_MSG_CHECKING([if setresgid seems to work])
2096	AC_RUN_IFELSE(
2097		[AC_LANG_PROGRAM([[
2098#include <stdlib.h>
2099#include <errno.h>
2100		]], [[
2101	errno=0;
2102	setresgid(0,0,0);
2103	if (errno==ENOSYS)
2104		exit(1);
2105	else
2106		exit(0);
2107		]])],
2108		[AC_MSG_RESULT([yes])],
2109		[AC_DEFINE([BROKEN_SETRESGID], [1],
2110			[Define if your setresgid() is broken])
2111		 AC_MSG_RESULT([not implemented])],
2112		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2113	)
2114])
2115
2116AC_MSG_CHECKING([for working fflush(NULL)])
2117AC_RUN_IFELSE(
2118	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2119	AC_MSG_RESULT([yes]),
2120	[AC_MSG_RESULT([no])
2121	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2122	    [define if fflush(NULL) does not work])],
2123	AC_MSG_WARN([cross compiling: assuming working])
2124)
2125
2126dnl    Checks for time functions
2127AC_CHECK_FUNCS([gettimeofday time])
2128dnl    Checks for utmp functions
2129AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2130AC_CHECK_FUNCS([utmpname])
2131dnl    Checks for utmpx functions
2132AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2133AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2134dnl    Checks for lastlog functions
2135AC_CHECK_FUNCS([getlastlogxbyname])
2136
2137AC_CHECK_FUNC([daemon],
2138	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2139	[AC_CHECK_LIB([bsd], [daemon],
2140		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2141)
2142
2143AC_CHECK_FUNC([getpagesize],
2144	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2145		[Define if your libraries define getpagesize()])],
2146	[AC_CHECK_LIB([ucb], [getpagesize],
2147		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2148)
2149
2150# Check for broken snprintf
2151if test "x$ac_cv_func_snprintf" = "xyes" ; then
2152	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2153	AC_RUN_IFELSE(
2154		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2155		[[
2156	char b[5];
2157	snprintf(b,5,"123456789");
2158	exit(b[4]!='\0');
2159		]])],
2160		[AC_MSG_RESULT([yes])],
2161		[
2162			AC_MSG_RESULT([no])
2163			AC_DEFINE([BROKEN_SNPRINTF], [1],
2164				[Define if your snprintf is busted])
2165			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2166		],
2167		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2168	)
2169fi
2170
2171if test "x$ac_cv_func_snprintf" = "xyes" ; then
2172	AC_MSG_CHECKING([whether snprintf understands %zu])
2173	AC_RUN_IFELSE(
2174		[AC_LANG_PROGRAM([[
2175#include <sys/types.h>
2176#include <stdio.h>
2177		]],
2178		[[
2179	size_t a = 1, b = 2;
2180	char z[128];
2181	snprintf(z, sizeof z, "%zu%zu", a, b);
2182	exit(strcmp(z, "12"));
2183		]])],
2184		[AC_MSG_RESULT([yes])],
2185		[
2186			AC_MSG_RESULT([no])
2187			AC_DEFINE([BROKEN_SNPRINTF], [1],
2188				[snprintf does not understand %zu])
2189		],
2190		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2191	)
2192fi
2193
2194# We depend on vsnprintf returning the right thing on overflow: the
2195# number of characters it tried to create (as per SUSv3)
2196if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2197	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2198	AC_RUN_IFELSE(
2199		[AC_LANG_PROGRAM([[
2200#include <sys/types.h>
2201#include <stdio.h>
2202#include <stdarg.h>
2203
2204int x_snprintf(char *str, size_t count, const char *fmt, ...)
2205{
2206	size_t ret;
2207	va_list ap;
2208
2209	va_start(ap, fmt);
2210	ret = vsnprintf(str, count, fmt, ap);
2211	va_end(ap);
2212	return ret;
2213}
2214		]], [[
2215char x[1];
2216if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2217	return 1;
2218if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2219	return 1;
2220return 0;
2221		]])],
2222		[AC_MSG_RESULT([yes])],
2223		[
2224			AC_MSG_RESULT([no])
2225			AC_DEFINE([BROKEN_SNPRINTF], [1],
2226				[Define if your snprintf is busted])
2227			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2228		],
2229		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2230	)
2231fi
2232
2233# On systems where [v]snprintf is broken, but is declared in stdio,
2234# check that the fmt argument is const char * or just char *.
2235# This is only useful for when BROKEN_SNPRINTF
2236AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2237AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2238#include <stdio.h>
2239int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2240		]], [[
2241	snprintf(0, 0, 0);
2242		]])],
2243   [AC_MSG_RESULT([yes])
2244    AC_DEFINE([SNPRINTF_CONST], [const],
2245              [Define as const if snprintf() can declare const char *fmt])],
2246   [AC_MSG_RESULT([no])
2247    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2248
2249# Check for missing getpeereid (or equiv) support
2250NO_PEERCHECK=""
2251if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2252	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2253	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2254#include <sys/types.h>
2255#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2256		[ AC_MSG_RESULT([yes])
2257		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2258		], [AC_MSG_RESULT([no])
2259		NO_PEERCHECK=1
2260        ])
2261fi
2262
2263dnl see whether mkstemp() requires XXXXXX
2264if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2265AC_MSG_CHECKING([for (overly) strict mkstemp])
2266AC_RUN_IFELSE(
2267	[AC_LANG_PROGRAM([[
2268#include <stdlib.h>
2269	]], [[
2270	char template[]="conftest.mkstemp-test";
2271	if (mkstemp(template) == -1)
2272		exit(1);
2273	unlink(template);
2274	exit(0);
2275	]])],
2276	[
2277		AC_MSG_RESULT([no])
2278	],
2279	[
2280		AC_MSG_RESULT([yes])
2281		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2282	],
2283	[
2284		AC_MSG_RESULT([yes])
2285		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2286	]
2287)
2288fi
2289
2290dnl make sure that openpty does not reacquire controlling terminal
2291if test ! -z "$check_for_openpty_ctty_bug"; then
2292	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2293	AC_RUN_IFELSE(
2294		[AC_LANG_PROGRAM([[
2295#include <stdio.h>
2296#include <sys/fcntl.h>
2297#include <sys/types.h>
2298#include <sys/wait.h>
2299		]], [[
2300	pid_t pid;
2301	int fd, ptyfd, ttyfd, status;
2302
2303	pid = fork();
2304	if (pid < 0) {		/* failed */
2305		exit(1);
2306	} else if (pid > 0) {	/* parent */
2307		waitpid(pid, &status, 0);
2308		if (WIFEXITED(status))
2309			exit(WEXITSTATUS(status));
2310		else
2311			exit(2);
2312	} else {		/* child */
2313		close(0); close(1); close(2);
2314		setsid();
2315		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2316		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2317		if (fd >= 0)
2318			exit(3);	/* Acquired ctty: broken */
2319		else
2320			exit(0);	/* Did not acquire ctty: OK */
2321	}
2322		]])],
2323		[
2324			AC_MSG_RESULT([yes])
2325		],
2326		[
2327			AC_MSG_RESULT([no])
2328			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2329		],
2330		[
2331			AC_MSG_RESULT([cross-compiling, assuming yes])
2332		]
2333	)
2334fi
2335
2336if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2337    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2338	AC_MSG_CHECKING([if getaddrinfo seems to work])
2339	AC_RUN_IFELSE(
2340		[AC_LANG_PROGRAM([[
2341#include <stdio.h>
2342#include <sys/socket.h>
2343#include <netdb.h>
2344#include <errno.h>
2345#include <netinet/in.h>
2346
2347#define TEST_PORT "2222"
2348		]], [[
2349	int err, sock;
2350	struct addrinfo *gai_ai, *ai, hints;
2351	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2352
2353	memset(&hints, 0, sizeof(hints));
2354	hints.ai_family = PF_UNSPEC;
2355	hints.ai_socktype = SOCK_STREAM;
2356	hints.ai_flags = AI_PASSIVE;
2357
2358	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2359	if (err != 0) {
2360		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2361		exit(1);
2362	}
2363
2364	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2365		if (ai->ai_family != AF_INET6)
2366			continue;
2367
2368		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2369		    sizeof(ntop), strport, sizeof(strport),
2370		    NI_NUMERICHOST|NI_NUMERICSERV);
2371
2372		if (err != 0) {
2373			if (err == EAI_SYSTEM)
2374				perror("getnameinfo EAI_SYSTEM");
2375			else
2376				fprintf(stderr, "getnameinfo failed: %s\n",
2377				    gai_strerror(err));
2378			exit(2);
2379		}
2380
2381		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2382		if (sock < 0)
2383			perror("socket");
2384		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2385			if (errno == EBADF)
2386				exit(3);
2387		}
2388	}
2389	exit(0);
2390		]])],
2391		[
2392			AC_MSG_RESULT([yes])
2393		],
2394		[
2395			AC_MSG_RESULT([no])
2396			AC_DEFINE([BROKEN_GETADDRINFO])
2397		],
2398		[
2399			AC_MSG_RESULT([cross-compiling, assuming yes])
2400		]
2401	)
2402fi
2403
2404if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2405    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2406	AC_MSG_CHECKING([if getaddrinfo seems to work])
2407	AC_RUN_IFELSE(
2408		[AC_LANG_PROGRAM([[
2409#include <stdio.h>
2410#include <sys/socket.h>
2411#include <netdb.h>
2412#include <errno.h>
2413#include <netinet/in.h>
2414
2415#define TEST_PORT "2222"
2416		]], [[
2417	int err, sock;
2418	struct addrinfo *gai_ai, *ai, hints;
2419	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2420
2421	memset(&hints, 0, sizeof(hints));
2422	hints.ai_family = PF_UNSPEC;
2423	hints.ai_socktype = SOCK_STREAM;
2424	hints.ai_flags = AI_PASSIVE;
2425
2426	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2427	if (err != 0) {
2428		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2429		exit(1);
2430	}
2431
2432	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2433		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2434			continue;
2435
2436		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2437		    sizeof(ntop), strport, sizeof(strport),
2438		    NI_NUMERICHOST|NI_NUMERICSERV);
2439
2440		if (ai->ai_family == AF_INET && err != 0) {
2441			perror("getnameinfo");
2442			exit(2);
2443		}
2444	}
2445	exit(0);
2446		]])],
2447		[
2448			AC_MSG_RESULT([yes])
2449			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2450				[Define if you have a getaddrinfo that fails
2451				for the all-zeros IPv6 address])
2452		],
2453		[
2454			AC_MSG_RESULT([no])
2455			AC_DEFINE([BROKEN_GETADDRINFO])
2456		],
2457		[
2458			AC_MSG_RESULT([cross-compiling, assuming no])
2459		]
2460	)
2461fi
2462
2463if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2464	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2465	    [#include <sys/types.h>
2466	     #include <sys/socket.h>
2467	     #include <netdb.h>])
2468fi
2469
2470if test "x$check_for_conflicting_getspnam" = "x1"; then
2471	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2472	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2473		[[ exit(0); ]])],
2474		[
2475			AC_MSG_RESULT([no])
2476		],
2477		[
2478			AC_MSG_RESULT([yes])
2479			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2480			    [Conflicting defs for getspnam])
2481		]
2482	)
2483fi
2484
2485dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2486dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2487dnl for over ten years). Despite this incompatibility being reported during
2488dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2489dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2490dnl implementation.  Try to detect this mess, and assume the only safe option
2491dnl if we're cross compiling.
2492dnl
2493dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2494dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2495if test "x$ac_cv_func_strnvis" = "xyes"; then
2496	AC_MSG_CHECKING([for working strnvis])
2497	AC_RUN_IFELSE(
2498		[AC_LANG_PROGRAM([[
2499#include <signal.h>
2500#include <stdlib.h>
2501#include <string.h>
2502#include <vis.h>
2503static void sighandler(int sig) { _exit(1); }
2504		]], [[
2505	char dst[16];
2506
2507	signal(SIGSEGV, sighandler);
2508	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2509		exit(0);
2510	exit(1)
2511		]])],
2512		[AC_MSG_RESULT([yes])],
2513		[AC_MSG_RESULT([no])
2514		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2515		[AC_MSG_WARN([cross compiling: assuming broken])
2516		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2517	)
2518fi
2519
2520AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2521AC_RUN_IFELSE(
2522	[AC_LANG_PROGRAM([[
2523#ifdef HAVE_SYS_SELECT
2524# include <sys/select.h>
2525#endif
2526#include <sys/types.h>
2527#include <sys/time.h>
2528#include <stdlib.h>
2529#include <signal.h>
2530static void sighandler(int sig) { }
2531		]], [[
2532	int r;
2533	pid_t pid;
2534	struct sigaction sa;
2535
2536	sa.sa_handler = sighandler;
2537	sa.sa_flags = SA_RESTART;
2538	(void)sigaction(SIGTERM, &sa, NULL);
2539	if ((pid = fork()) == 0) { /* child */
2540		pid = getppid();
2541		sleep(1);
2542		kill(pid, SIGTERM);
2543		sleep(1);
2544		if (getppid() == pid) /* if parent did not exit, shoot it */
2545			kill(pid, SIGKILL);
2546		exit(0);
2547	} else { /* parent */
2548		r = select(0, NULL, NULL, NULL, NULL);
2549	}
2550	exit(r == -1 ? 0 : 1);
2551	]])],
2552	[AC_MSG_RESULT([yes])],
2553	[AC_MSG_RESULT([no])
2554	 AC_DEFINE([NO_SA_RESTART], [1],
2555	    [SA_RESTARTed signals do no interrupt select])],
2556	[AC_MSG_WARN([cross compiling: assuming yes])]
2557)
2558
2559AC_CHECK_FUNCS([getpgrp],[
2560	AC_MSG_CHECKING([if getpgrp accepts zero args])
2561	AC_COMPILE_IFELSE(
2562		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2563		[ AC_MSG_RESULT([yes])
2564		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2565		[ AC_MSG_RESULT([no])
2566		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2567	)
2568])
2569
2570# Search for OpenSSL
2571saved_CPPFLAGS="$CPPFLAGS"
2572saved_LDFLAGS="$LDFLAGS"
2573AC_ARG_WITH([ssl-dir],
2574	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2575	[
2576		if test "x$openssl" = "xno" ; then
2577			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2578		fi
2579		if test "x$withval" != "xno" ; then
2580			case "$withval" in
2581				# Relative paths
2582				./*|../*)	withval="`pwd`/$withval"
2583			esac
2584			if test -d "$withval/lib"; then
2585				if test -n "${rpath_opt}"; then
2586					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2587				else
2588					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2589				fi
2590			elif test -d "$withval/lib64"; then
2591				if test -n "${rpath_opt}"; then
2592					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2593				else
2594					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2595				fi
2596			else
2597				if test -n "${rpath_opt}"; then
2598					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2599				else
2600					LDFLAGS="-L${withval} ${LDFLAGS}"
2601				fi
2602			fi
2603			if test -d "$withval/include"; then
2604				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2605			else
2606				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2607			fi
2608		fi
2609	]
2610)
2611
2612AC_ARG_WITH([openssl-header-check],
2613	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2614	[
2615		if test "x$withval" = "xno" ; then
2616			openssl_check_nonfatal=1
2617		fi
2618	]
2619)
2620
2621openssl_engine=no
2622AC_ARG_WITH([ssl-engine],
2623	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2624	[
2625		if test "x$withval" != "xno" ; then
2626			if test "x$openssl" = "xno" ; then
2627				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2628			fi
2629			openssl_engine=yes
2630		fi
2631	]
2632)
2633
2634if test "x$openssl" = "xyes" ; then
2635	LIBS="-lcrypto $LIBS"
2636	AC_TRY_LINK_FUNC([RAND_add], ,
2637	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2638	AC_CHECK_HEADER([openssl/opensslv.h], ,
2639	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2640
2641	# Determine OpenSSL header version
2642	AC_MSG_CHECKING([OpenSSL header version])
2643	AC_RUN_IFELSE(
2644		[AC_LANG_PROGRAM([[
2645	#include <stdlib.h>
2646	#include <stdio.h>
2647	#include <string.h>
2648	#include <openssl/opensslv.h>
2649	#define DATA "conftest.sslincver"
2650		]], [[
2651		FILE *fd;
2652		int rc;
2653
2654		fd = fopen(DATA,"w");
2655		if(fd == NULL)
2656			exit(1);
2657
2658		if ((rc = fprintf(fd, "%08lx (%s)\n",
2659		    (unsigned long)OPENSSL_VERSION_NUMBER,
2660		     OPENSSL_VERSION_TEXT)) < 0)
2661			exit(1);
2662
2663		exit(0);
2664		]])],
2665		[
2666			ssl_header_ver=`cat conftest.sslincver`
2667			AC_MSG_RESULT([$ssl_header_ver])
2668		],
2669		[
2670			AC_MSG_RESULT([not found])
2671			AC_MSG_ERROR([OpenSSL version header not found.])
2672		],
2673		[
2674			AC_MSG_WARN([cross compiling: not checking])
2675		]
2676	)
2677
2678	# Determining OpenSSL library version is version dependent.
2679	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2680
2681	# Determine OpenSSL library version
2682	AC_MSG_CHECKING([OpenSSL library version])
2683	AC_RUN_IFELSE(
2684		[AC_LANG_PROGRAM([[
2685	#include <stdio.h>
2686	#include <string.h>
2687	#include <openssl/opensslv.h>
2688	#include <openssl/crypto.h>
2689	#define DATA "conftest.ssllibver"
2690		]], [[
2691		FILE *fd;
2692		int rc;
2693
2694		fd = fopen(DATA,"w");
2695		if(fd == NULL)
2696			exit(1);
2697#ifndef OPENSSL_VERSION
2698# define OPENSSL_VERSION SSLEAY_VERSION
2699#endif
2700#ifndef HAVE_OPENSSL_VERSION
2701# define OpenSSL_version	SSLeay_version
2702#endif
2703#ifndef HAVE_OPENSSL_VERSION_NUM
2704# define OpenSSL_version_num	SSLeay
2705#endif
2706		if ((rc = fprintf(fd, "%08lx (%s)\n",
2707		    (unsigned long)OpenSSL_version_num(),
2708		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2709			exit(1);
2710
2711		exit(0);
2712		]])],
2713		[
2714			ssl_library_ver=`cat conftest.ssllibver`
2715			# Check version is supported.
2716			case "$ssl_library_ver" in
2717			10000*|0*)
2718				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2719		                ;;
2720			100*)   ;; # 1.0.x
2721			101000[[0123456]]*)
2722				# https://github.com/openssl/openssl/pull/4613
2723				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2724				;;
2725			101*)   ;; # 1.1.x
2726			200*)   ;; # LibreSSL
2727			300*)   ;; # OpenSSL development branch.
2728		        *)
2729				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2730		                ;;
2731			esac
2732			AC_MSG_RESULT([$ssl_library_ver])
2733		],
2734		[
2735			AC_MSG_RESULT([not found])
2736			AC_MSG_ERROR([OpenSSL library not found.])
2737		],
2738		[
2739			AC_MSG_WARN([cross compiling: not checking])
2740		]
2741	)
2742
2743	# Sanity check OpenSSL headers
2744	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2745	AC_RUN_IFELSE(
2746		[AC_LANG_PROGRAM([[
2747	#include <string.h>
2748	#include <openssl/opensslv.h>
2749	#include <openssl/crypto.h>
2750		]], [[
2751#ifndef HAVE_OPENSSL_VERSION_NUM
2752# define OpenSSL_version_num	SSLeay
2753#endif
2754		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2755		]])],
2756		[
2757			AC_MSG_RESULT([yes])
2758		],
2759		[
2760			AC_MSG_RESULT([no])
2761			if test "x$openssl_check_nonfatal" = "x"; then
2762				AC_MSG_ERROR([Your OpenSSL headers do not match your
2763	library. Check config.log for details.
2764	If you are sure your installation is consistent, you can disable the check
2765	by running "./configure --without-openssl-header-check".
2766	Also see contrib/findssl.sh for help identifying header/library mismatches.
2767	])
2768			else
2769				AC_MSG_WARN([Your OpenSSL headers do not match your
2770	library. Check config.log for details.
2771	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2772			fi
2773		],
2774		[
2775			AC_MSG_WARN([cross compiling: not checking])
2776		]
2777	)
2778
2779	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2780	AC_LINK_IFELSE(
2781		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2782		[[ ERR_load_crypto_strings(); ]])],
2783		[
2784			AC_MSG_RESULT([yes])
2785		],
2786		[
2787			AC_MSG_RESULT([no])
2788			saved_LIBS="$LIBS"
2789			LIBS="$LIBS -ldl"
2790			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2791			AC_LINK_IFELSE(
2792				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2793				[[ ERR_load_crypto_strings(); ]])],
2794				[
2795					AC_MSG_RESULT([yes])
2796				],
2797				[
2798					AC_MSG_RESULT([no])
2799					LIBS="$saved_LIBS"
2800				]
2801			)
2802		]
2803	)
2804
2805	AC_CHECK_FUNCS([ \
2806		BN_is_prime_ex \
2807		DSA_generate_parameters_ex \
2808		EVP_CIPHER_CTX_ctrl \
2809		EVP_DigestFinal_ex \
2810		EVP_DigestInit_ex \
2811		EVP_MD_CTX_cleanup \
2812		EVP_MD_CTX_copy_ex \
2813		EVP_MD_CTX_init \
2814		HMAC_CTX_init \
2815		RSA_generate_key_ex \
2816		RSA_get_default_method \
2817	])
2818
2819	# OpenSSL_add_all_algorithms may be a macro.
2820	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2821	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2822	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2823		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2824		[[#include <openssl/evp.h>]]
2825	    )
2826	)
2827
2828	# LibreSSL/OpenSSL 1.1x API
2829	AC_CHECK_FUNCS([ \
2830		OPENSSL_init_crypto \
2831		DH_get0_key \
2832		DH_get0_pqg \
2833		DH_set0_key \
2834		DH_set_length \
2835		DH_set0_pqg \
2836		DSA_get0_key \
2837		DSA_get0_pqg \
2838		DSA_set0_key \
2839		DSA_set0_pqg \
2840		DSA_SIG_get0 \
2841		DSA_SIG_set0 \
2842		ECDSA_SIG_get0 \
2843		ECDSA_SIG_set0 \
2844		EVP_CIPHER_CTX_iv \
2845		EVP_CIPHER_CTX_iv_noconst \
2846		EVP_CIPHER_CTX_get_iv \
2847		EVP_CIPHER_CTX_set_iv \
2848		RSA_get0_crt_params \
2849		RSA_get0_factors \
2850		RSA_get0_key \
2851		RSA_set0_crt_params \
2852		RSA_set0_factors \
2853		RSA_set0_key \
2854		RSA_meth_free \
2855		RSA_meth_dup \
2856		RSA_meth_set1_name \
2857		RSA_meth_get_finish \
2858		RSA_meth_set_priv_enc \
2859		RSA_meth_set_priv_dec \
2860		RSA_meth_set_finish \
2861		EVP_PKEY_get0_RSA \
2862		EVP_MD_CTX_new \
2863		EVP_MD_CTX_free \
2864		EVP_chacha20 \
2865	])
2866
2867	if test "x$openssl_engine" = "xyes" ; then
2868		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2869		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2870	#include <openssl/engine.h>
2871			]], [[
2872				ENGINE_load_builtin_engines();
2873				ENGINE_register_all_complete();
2874			]])],
2875			[ AC_MSG_RESULT([yes])
2876			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2877			     [Enable OpenSSL engine support])
2878			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2879		])
2880	fi
2881
2882	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2883	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2884	AC_LINK_IFELSE(
2885		[AC_LANG_PROGRAM([[
2886	#include <string.h>
2887	#include <openssl/evp.h>
2888		]], [[
2889		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2890		]])],
2891		[
2892			AC_MSG_RESULT([no])
2893		],
2894		[
2895			AC_MSG_RESULT([yes])
2896			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2897			    [libcrypto is missing AES 192 and 256 bit functions])
2898		]
2899	)
2900
2901	# Check for OpenSSL with EVP_aes_*ctr
2902	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2903	AC_LINK_IFELSE(
2904		[AC_LANG_PROGRAM([[
2905	#include <string.h>
2906	#include <openssl/evp.h>
2907		]], [[
2908		exit(EVP_aes_128_ctr() == NULL ||
2909		    EVP_aes_192_cbc() == NULL ||
2910		    EVP_aes_256_cbc() == NULL);
2911		]])],
2912		[
2913			AC_MSG_RESULT([yes])
2914			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2915			    [libcrypto has EVP AES CTR])
2916		],
2917		[
2918			AC_MSG_RESULT([no])
2919		]
2920	)
2921
2922	# Check for OpenSSL with EVP_aes_*gcm
2923	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2924	AC_LINK_IFELSE(
2925		[AC_LANG_PROGRAM([[
2926	#include <string.h>
2927	#include <openssl/evp.h>
2928		]], [[
2929		exit(EVP_aes_128_gcm() == NULL ||
2930		    EVP_aes_256_gcm() == NULL ||
2931		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2932		    EVP_CTRL_GCM_IV_GEN == 0 ||
2933		    EVP_CTRL_GCM_SET_TAG == 0 ||
2934		    EVP_CTRL_GCM_GET_TAG == 0 ||
2935		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2936		]])],
2937		[
2938			AC_MSG_RESULT([yes])
2939			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2940			    [libcrypto has EVP AES GCM])
2941		],
2942		[
2943			AC_MSG_RESULT([no])
2944			unsupported_algorithms="$unsupported_cipers \
2945			   aes128-gcm@openssh.com \
2946			   aes256-gcm@openssh.com"
2947		]
2948	)
2949
2950	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2951	AC_LINK_IFELSE(
2952		[AC_LANG_PROGRAM([[
2953	#include <string.h>
2954	#include <openssl/evp.h>
2955		]], [[
2956		if(EVP_DigestUpdate(NULL, NULL,0))
2957			exit(0);
2958		]])],
2959		[
2960			AC_MSG_RESULT([yes])
2961		],
2962		[
2963			AC_MSG_RESULT([no])
2964			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2965			    [Define if EVP_DigestUpdate returns void])
2966		]
2967	)
2968
2969	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2970	# because the system crypt() is more featureful.
2971	if test "x$check_for_libcrypt_before" = "x1"; then
2972		AC_CHECK_LIB([crypt], [crypt])
2973	fi
2974
2975	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2976	# version in OpenSSL.
2977	if test "x$check_for_libcrypt_later" = "x1"; then
2978		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2979	fi
2980	AC_CHECK_FUNCS([crypt DES_crypt])
2981
2982	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2983	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2984
2985	# Check complete ECC support in OpenSSL
2986	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2987	AC_LINK_IFELSE(
2988		[AC_LANG_PROGRAM([[
2989	#include <openssl/ec.h>
2990	#include <openssl/ecdh.h>
2991	#include <openssl/ecdsa.h>
2992	#include <openssl/evp.h>
2993	#include <openssl/objects.h>
2994	#include <openssl/opensslv.h>
2995		]], [[
2996		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2997		const EVP_MD *m = EVP_sha256(); /* We need this too */
2998		]])],
2999		[ AC_MSG_RESULT([yes])
3000		  enable_nistp256=1 ],
3001		[ AC_MSG_RESULT([no]) ]
3002	)
3003
3004	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3005	AC_LINK_IFELSE(
3006		[AC_LANG_PROGRAM([[
3007	#include <openssl/ec.h>
3008	#include <openssl/ecdh.h>
3009	#include <openssl/ecdsa.h>
3010	#include <openssl/evp.h>
3011	#include <openssl/objects.h>
3012	#include <openssl/opensslv.h>
3013		]], [[
3014		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3015		const EVP_MD *m = EVP_sha384(); /* We need this too */
3016		]])],
3017		[ AC_MSG_RESULT([yes])
3018		  enable_nistp384=1 ],
3019		[ AC_MSG_RESULT([no]) ]
3020	)
3021
3022	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3023	AC_LINK_IFELSE(
3024		[AC_LANG_PROGRAM([[
3025	#include <openssl/ec.h>
3026	#include <openssl/ecdh.h>
3027	#include <openssl/ecdsa.h>
3028	#include <openssl/evp.h>
3029	#include <openssl/objects.h>
3030	#include <openssl/opensslv.h>
3031		]], [[
3032		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3033		const EVP_MD *m = EVP_sha512(); /* We need this too */
3034		]])],
3035		[ AC_MSG_RESULT([yes])
3036		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3037		  AC_RUN_IFELSE(
3038			[AC_LANG_PROGRAM([[
3039	#include <openssl/ec.h>
3040	#include <openssl/ecdh.h>
3041	#include <openssl/ecdsa.h>
3042	#include <openssl/evp.h>
3043	#include <openssl/objects.h>
3044	#include <openssl/opensslv.h>
3045			]],[[
3046			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3047			const EVP_MD *m = EVP_sha512(); /* We need this too */
3048			exit(e == NULL || m == NULL);
3049			]])],
3050			[ AC_MSG_RESULT([yes])
3051			  enable_nistp521=1 ],
3052			[ AC_MSG_RESULT([no]) ],
3053			[ AC_MSG_WARN([cross-compiling: assuming yes])
3054			  enable_nistp521=1 ]
3055		  )],
3056		AC_MSG_RESULT([no])
3057	)
3058
3059	COMMENT_OUT_ECC="#no ecc#"
3060	TEST_SSH_ECC=no
3061
3062	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3063	    test x$enable_nistp521 = x1; then
3064		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3065		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3066		openssl_ecc=yes
3067	else
3068		openssl_ecc=no
3069	fi
3070	if test x$enable_nistp256 = x1; then
3071		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3072		    [libcrypto has NID_X9_62_prime256v1])
3073		TEST_SSH_ECC=yes
3074		COMMENT_OUT_ECC=""
3075	else
3076		unsupported_algorithms="$unsupported_algorithms \
3077			ecdsa-sha2-nistp256 \
3078			ecdh-sha2-nistp256 \
3079			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3080	fi
3081	if test x$enable_nistp384 = x1; then
3082		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3083		TEST_SSH_ECC=yes
3084		COMMENT_OUT_ECC=""
3085	else
3086		unsupported_algorithms="$unsupported_algorithms \
3087			ecdsa-sha2-nistp384 \
3088			ecdh-sha2-nistp384 \
3089			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3090	fi
3091	if test x$enable_nistp521 = x1; then
3092		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3093		TEST_SSH_ECC=yes
3094		COMMENT_OUT_ECC=""
3095	else
3096		unsupported_algorithms="$unsupported_algorithms \
3097			ecdh-sha2-nistp521 \
3098			ecdsa-sha2-nistp521 \
3099			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3100	fi
3101
3102	AC_SUBST([TEST_SSH_ECC])
3103	AC_SUBST([COMMENT_OUT_ECC])
3104else
3105	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3106	AC_CHECK_FUNCS([crypt])
3107fi
3108
3109# PKCS11/U2F depend on OpenSSL and dlopen().
3110enable_pkcs11=yes
3111enable_sk=yes
3112if test "x$openssl" != "xyes" ; then
3113	enable_pkcs11="disabled; missing libcrypto"
3114	enable_sk="disabled; missing libcrypto"
3115fi
3116if test "x$openssl_ecc" != "xyes" ; then
3117	enable_sk="disabled; OpenSSL has no ECC support"
3118fi
3119if test "x$ac_cv_func_dlopen" != "xyes" ; then
3120	enable_pkcs11="disabled; missing dlopen(3)"
3121	enable_sk="disabled; missing dlopen(3)"
3122fi
3123if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3124	enable_pkcs11="disabled; missing RTLD_NOW"
3125	enable_sk="disabled; missing RTLD_NOW"
3126fi
3127if test ! -z "$disable_pkcs11" ; then
3128	enable_pkcs11="disabled by user"
3129fi
3130if test ! -z "$disable_sk" ; then
3131	enable_sk="disabled by user"
3132fi
3133
3134AC_MSG_CHECKING([whether to enable PKCS11])
3135if test "x$enable_pkcs11" = "xyes" ; then
3136	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3137fi
3138AC_MSG_RESULT([$enable_pkcs11])
3139
3140AC_MSG_CHECKING([whether to enable U2F])
3141if test "x$enable_sk" = "xyes" ; then
3142	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3143	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3144else
3145	# Do not try to build sk-dummy library.
3146	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3147fi
3148AC_MSG_RESULT([$enable_sk])
3149
3150# Now check for built-in security key support.
3151if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3152	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3153	use_pkgconfig_for_libfido2=
3154	if test "x$PKGCONFIG" != "xno"; then
3155		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3156		if "$PKGCONFIG" libfido2; then
3157			AC_MSG_RESULT([yes])
3158			use_pkgconfig_for_libfido2=yes
3159		else
3160			AC_MSG_RESULT([no])
3161		fi
3162	fi
3163	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3164		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3165		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3166	else
3167		LIBFIDO2="-lfido2 -lcbor"
3168	fi
3169	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3170	AC_CHECK_LIB([fido2], [fido_init],
3171		[
3172			AC_SUBST([LIBFIDO2])
3173			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3174			    [Enable for built-in U2F/FIDO support])
3175			enable_sk="built-in"
3176		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3177		[ $OTHERLIBS ]
3178	)
3179	AC_CHECK_HEADER([fido.h], [],
3180		AC_MSG_ERROR([missing fido.h from libfido2]))
3181	AC_CHECK_HEADER([fido/credman.h], [],
3182		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3183		[#include <fido.h>]
3184	)
3185fi
3186
3187AC_CHECK_FUNCS([ \
3188	arc4random \
3189	arc4random_buf \
3190	arc4random_stir \
3191	arc4random_uniform \
3192])
3193
3194saved_LIBS="$LIBS"
3195AC_CHECK_LIB([iaf], [ia_openinfo], [
3196	LIBS="$LIBS -liaf"
3197	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3198				AC_DEFINE([HAVE_LIBIAF], [1],
3199			[Define if system has libiaf that supports set_id])
3200				])
3201])
3202LIBS="$saved_LIBS"
3203
3204### Configure cryptographic random number support
3205
3206# Check whether OpenSSL seeds itself
3207if test "x$openssl" = "xyes" ; then
3208	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3209	AC_RUN_IFELSE(
3210		[AC_LANG_PROGRAM([[
3211	#include <string.h>
3212	#include <openssl/rand.h>
3213		]], [[
3214		exit(RAND_status() == 1 ? 0 : 1);
3215		]])],
3216		[
3217			OPENSSL_SEEDS_ITSELF=yes
3218			AC_MSG_RESULT([yes])
3219		],
3220		[
3221			AC_MSG_RESULT([no])
3222		],
3223		[
3224			AC_MSG_WARN([cross compiling: assuming yes])
3225			# This is safe, since we will fatal() at runtime if
3226			# OpenSSL is not seeded correctly.
3227			OPENSSL_SEEDS_ITSELF=yes
3228		]
3229	)
3230fi
3231
3232# PRNGD TCP socket
3233AC_ARG_WITH([prngd-port],
3234	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3235	[
3236		case "$withval" in
3237		no)
3238			withval=""
3239			;;
3240		[[0-9]]*)
3241			;;
3242		*)
3243			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3244			;;
3245		esac
3246		if test ! -z "$withval" ; then
3247			PRNGD_PORT="$withval"
3248			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3249				[Port number of PRNGD/EGD random number socket])
3250		fi
3251	]
3252)
3253
3254# PRNGD Unix domain socket
3255AC_ARG_WITH([prngd-socket],
3256	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3257	[
3258		case "$withval" in
3259		yes)
3260			withval="/var/run/egd-pool"
3261			;;
3262		no)
3263			withval=""
3264			;;
3265		/*)
3266			;;
3267		*)
3268			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3269			;;
3270		esac
3271
3272		if test ! -z "$withval" ; then
3273			if test ! -z "$PRNGD_PORT" ; then
3274				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3275			fi
3276			if test ! -r "$withval" ; then
3277				AC_MSG_WARN([Entropy socket is not readable])
3278			fi
3279			PRNGD_SOCKET="$withval"
3280			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3281				[Location of PRNGD/EGD random number socket])
3282		fi
3283	],
3284	[
3285		# Check for existing socket only if we don't have a random device already
3286		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3287			AC_MSG_CHECKING([for PRNGD/EGD socket])
3288			# Insert other locations here
3289			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3290				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3291					PRNGD_SOCKET="$sock"
3292					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3293					break;
3294				fi
3295			done
3296			if test ! -z "$PRNGD_SOCKET" ; then
3297				AC_MSG_RESULT([$PRNGD_SOCKET])
3298			else
3299				AC_MSG_RESULT([not found])
3300			fi
3301		fi
3302	]
3303)
3304
3305# Which randomness source do we use?
3306if test ! -z "$PRNGD_PORT" ; then
3307	RAND_MSG="PRNGd port $PRNGD_PORT"
3308elif test ! -z "$PRNGD_SOCKET" ; then
3309	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3310elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3311	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3312		[Define if you want the OpenSSL internally seeded PRNG only])
3313	RAND_MSG="OpenSSL internal ONLY"
3314elif test "x$openssl" = "xno" ; then
3315	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3316else
3317	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3318fi
3319
3320# Check for PAM libs
3321PAM_MSG="no"
3322AC_ARG_WITH([pam],
3323	[  --with-pam              Enable PAM support ],
3324	[
3325		if test "x$withval" != "xno" ; then
3326			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3327			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3328				AC_MSG_ERROR([PAM headers not found])
3329			fi
3330
3331			saved_LIBS="$LIBS"
3332			AC_CHECK_LIB([dl], [dlopen], , )
3333			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3334			AC_CHECK_FUNCS([pam_getenvlist])
3335			AC_CHECK_FUNCS([pam_putenv])
3336			LIBS="$saved_LIBS"
3337
3338			PAM_MSG="yes"
3339
3340			SSHDLIBS="$SSHDLIBS -lpam"
3341			AC_DEFINE([USE_PAM], [1],
3342				[Define if you want to enable PAM support])
3343
3344			if test $ac_cv_lib_dl_dlopen = yes; then
3345				case "$LIBS" in
3346				*-ldl*)
3347					# libdl already in LIBS
3348					;;
3349				*)
3350					SSHDLIBS="$SSHDLIBS -ldl"
3351					;;
3352				esac
3353			fi
3354		fi
3355	]
3356)
3357
3358AC_ARG_WITH([pam-service],
3359	[  --with-pam-service=name Specify PAM service name ],
3360	[
3361		if test "x$withval" != "xno" && \
3362		   test "x$withval" != "xyes" ; then
3363			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3364				["$withval"], [sshd PAM service name])
3365		fi
3366	]
3367)
3368
3369# Check for older PAM
3370if test "x$PAM_MSG" = "xyes" ; then
3371	# Check PAM strerror arguments (old PAM)
3372	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3373	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3374#include <stdlib.h>
3375#if defined(HAVE_SECURITY_PAM_APPL_H)
3376#include <security/pam_appl.h>
3377#elif defined (HAVE_PAM_PAM_APPL_H)
3378#include <pam/pam_appl.h>
3379#endif
3380		]], [[
3381(void)pam_strerror((pam_handle_t *)NULL, -1);
3382		]])], [AC_MSG_RESULT([no])], [
3383			AC_DEFINE([HAVE_OLD_PAM], [1],
3384				[Define if you have an old version of PAM
3385				which takes only one argument to pam_strerror])
3386			AC_MSG_RESULT([yes])
3387			PAM_MSG="yes (old library)"
3388
3389	])
3390fi
3391
3392case "$host" in
3393*-*-cygwin*)
3394	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3395	;;
3396*)
3397	SSH_PRIVSEP_USER=sshd
3398	;;
3399esac
3400AC_ARG_WITH([privsep-user],
3401	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3402	[
3403		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3404		    test "x${withval}" != "xyes"; then
3405			SSH_PRIVSEP_USER=$withval
3406		fi
3407	]
3408)
3409if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3410	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3411		[Cygwin function to fetch non-privileged user for privilege separation])
3412else
3413	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3414		[non-privileged user for privilege separation])
3415fi
3416AC_SUBST([SSH_PRIVSEP_USER])
3417
3418if test "x$have_linux_no_new_privs" = "x1" ; then
3419AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3420	#include <sys/types.h>
3421	#include <linux/seccomp.h>
3422])
3423fi
3424if test "x$have_seccomp_filter" = "x1" ; then
3425AC_MSG_CHECKING([kernel for seccomp_filter support])
3426AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3427		#include <errno.h>
3428		#include <elf.h>
3429		#include <linux/audit.h>
3430		#include <linux/seccomp.h>
3431		#include <stdlib.h>
3432		#include <sys/prctl.h>
3433	]],
3434	[[ int i = $seccomp_audit_arch;
3435	   errno = 0;
3436	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3437	   exit(errno == EFAULT ? 0 : 1); ]])],
3438	[ AC_MSG_RESULT([yes]) ], [
3439		AC_MSG_RESULT([no])
3440		# Disable seccomp filter as a target
3441		have_seccomp_filter=0
3442	]
3443)
3444fi
3445
3446# Decide which sandbox style to use
3447sandbox_arg=""
3448AC_ARG_WITH([sandbox],
3449	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3450	[
3451		if test "x$withval" = "xyes" ; then
3452			sandbox_arg=""
3453		else
3454			sandbox_arg="$withval"
3455		fi
3456	]
3457)
3458
3459# Some platforms (seems to be the ones that have a kernel poll(2)-type
3460# function with which they implement select(2)) use an extra file descriptor
3461# when calling select(2), which means we can't use the rlimit sandbox.
3462AC_MSG_CHECKING([if select works with descriptor rlimit])
3463AC_RUN_IFELSE(
3464	[AC_LANG_PROGRAM([[
3465#include <sys/types.h>
3466#ifdef HAVE_SYS_TIME_H
3467# include <sys/time.h>
3468#endif
3469#include <sys/resource.h>
3470#ifdef HAVE_SYS_SELECT_H
3471# include <sys/select.h>
3472#endif
3473#include <errno.h>
3474#include <fcntl.h>
3475#include <stdlib.h>
3476	]],[[
3477	struct rlimit rl_zero;
3478	int fd, r;
3479	fd_set fds;
3480	struct timeval tv;
3481
3482	fd = open("/dev/null", O_RDONLY);
3483	FD_ZERO(&fds);
3484	FD_SET(fd, &fds);
3485	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3486	setrlimit(RLIMIT_FSIZE, &rl_zero);
3487	setrlimit(RLIMIT_NOFILE, &rl_zero);
3488	tv.tv_sec = 1;
3489	tv.tv_usec = 0;
3490	r = select(fd+1, &fds, NULL, NULL, &tv);
3491	exit (r == -1 ? 1 : 0);
3492	]])],
3493	[AC_MSG_RESULT([yes])
3494	 select_works_with_rlimit=yes],
3495	[AC_MSG_RESULT([no])
3496	 select_works_with_rlimit=no],
3497	[AC_MSG_WARN([cross compiling: assuming yes])
3498	 select_works_with_rlimit=yes]
3499)
3500
3501AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3502AC_RUN_IFELSE(
3503	[AC_LANG_PROGRAM([[
3504#include <sys/types.h>
3505#ifdef HAVE_SYS_TIME_H
3506# include <sys/time.h>
3507#endif
3508#include <sys/resource.h>
3509#include <errno.h>
3510#include <stdlib.h>
3511	]],[[
3512	struct rlimit rl_zero;
3513	int r;
3514
3515	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3516	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3517	exit (r == -1 ? 1 : 0);
3518	]])],
3519	[AC_MSG_RESULT([yes])
3520	 rlimit_nofile_zero_works=yes],
3521	[AC_MSG_RESULT([no])
3522	 rlimit_nofile_zero_works=no],
3523	[AC_MSG_WARN([cross compiling: assuming yes])
3524	 rlimit_nofile_zero_works=yes]
3525)
3526
3527AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3528AC_RUN_IFELSE(
3529	[AC_LANG_PROGRAM([[
3530#include <sys/types.h>
3531#include <sys/resource.h>
3532#include <stdlib.h>
3533	]],[[
3534		struct rlimit rl_zero;
3535
3536		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3537		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3538	]])],
3539	[AC_MSG_RESULT([yes])],
3540	[AC_MSG_RESULT([no])
3541	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3542	    [setrlimit RLIMIT_FSIZE works])],
3543	[AC_MSG_WARN([cross compiling: assuming yes])]
3544)
3545
3546if test "x$sandbox_arg" = "xpledge" || \
3547   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3548	test "x$ac_cv_func_pledge" != "xyes" && \
3549		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3550	SANDBOX_STYLE="pledge"
3551	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3552elif test "x$sandbox_arg" = "xsystrace" || \
3553   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3554	test "x$have_systr_policy_kill" != "x1" && \
3555		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3556	SANDBOX_STYLE="systrace"
3557	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3558elif test "x$sandbox_arg" = "xdarwin" || \
3559     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3560       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3561	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3562	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3563		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3564	SANDBOX_STYLE="darwin"
3565	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3566elif test "x$sandbox_arg" = "xseccomp_filter" || \
3567     ( test -z "$sandbox_arg" && \
3568       test "x$have_seccomp_filter" = "x1" && \
3569       test "x$ac_cv_header_elf_h" = "xyes" && \
3570       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3571       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3572       test "x$seccomp_audit_arch" != "x" && \
3573       test "x$have_linux_no_new_privs" = "x1" && \
3574       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3575	test "x$seccomp_audit_arch" = "x" && \
3576		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3577	test "x$have_linux_no_new_privs" != "x1" && \
3578		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3579	test "x$have_seccomp_filter" != "x1" && \
3580		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3581	test "x$ac_cv_func_prctl" != "xyes" && \
3582		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3583	SANDBOX_STYLE="seccomp_filter"
3584	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3585elif test "x$sandbox_arg" = "xcapsicum" || \
3586     ( test -z "$sandbox_arg" && \
3587       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3588       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3589       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3590		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3591       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3592		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3593       SANDBOX_STYLE="capsicum"
3594       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3595elif test "x$sandbox_arg" = "xrlimit" || \
3596     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3597       test "x$select_works_with_rlimit" = "xyes" && \
3598       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3599	test "x$ac_cv_func_setrlimit" != "xyes" && \
3600		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3601	test "x$select_works_with_rlimit" != "xyes" && \
3602		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3603	SANDBOX_STYLE="rlimit"
3604	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3605elif test "x$sandbox_arg" = "xsolaris" || \
3606   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3607	SANDBOX_STYLE="solaris"
3608	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3609elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3610     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3611	SANDBOX_STYLE="none"
3612	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3613else
3614	AC_MSG_ERROR([unsupported --with-sandbox])
3615fi
3616
3617# Cheap hack to ensure NEWS-OS libraries are arranged right.
3618if test ! -z "$SONY" ; then
3619  LIBS="$LIBS -liberty";
3620fi
3621
3622# Check for  long long datatypes
3623AC_CHECK_TYPES([long long, unsigned long long, long double])
3624
3625# Check datatype sizes
3626AC_CHECK_SIZEOF([short int])
3627AC_CHECK_SIZEOF([int])
3628AC_CHECK_SIZEOF([long int])
3629AC_CHECK_SIZEOF([long long int])
3630
3631# Sanity check long long for some platforms (AIX)
3632if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3633	ac_cv_sizeof_long_long_int=0
3634fi
3635
3636# compute LLONG_MIN and LLONG_MAX if we don't know them.
3637if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3638	AC_MSG_CHECKING([for max value of long long])
3639	AC_RUN_IFELSE(
3640		[AC_LANG_PROGRAM([[
3641#include <stdio.h>
3642/* Why is this so damn hard? */
3643#ifdef __GNUC__
3644# undef __GNUC__
3645#endif
3646#define __USE_ISOC99
3647#include <limits.h>
3648#define DATA "conftest.llminmax"
3649#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3650
3651/*
3652 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3653 * we do this the hard way.
3654 */
3655static int
3656fprint_ll(FILE *f, long long n)
3657{
3658	unsigned int i;
3659	int l[sizeof(long long) * 8];
3660
3661	if (n < 0)
3662		if (fprintf(f, "-") < 0)
3663			return -1;
3664	for (i = 0; n != 0; i++) {
3665		l[i] = my_abs(n % 10);
3666		n /= 10;
3667	}
3668	do {
3669		if (fprintf(f, "%d", l[--i]) < 0)
3670			return -1;
3671	} while (i != 0);
3672	if (fprintf(f, " ") < 0)
3673		return -1;
3674	return 0;
3675}
3676		]], [[
3677	FILE *f;
3678	long long i, llmin, llmax = 0;
3679
3680	if((f = fopen(DATA,"w")) == NULL)
3681		exit(1);
3682
3683#if defined(LLONG_MIN) && defined(LLONG_MAX)
3684	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3685	llmin = LLONG_MIN;
3686	llmax = LLONG_MAX;
3687#else
3688	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3689	/* This will work on one's complement and two's complement */
3690	for (i = 1; i > llmax; i <<= 1, i++)
3691		llmax = i;
3692	llmin = llmax + 1LL;	/* wrap */
3693#endif
3694
3695	/* Sanity check */
3696	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3697	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3698	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3699		fprintf(f, "unknown unknown\n");
3700		exit(2);
3701	}
3702
3703	if (fprint_ll(f, llmin) < 0)
3704		exit(3);
3705	if (fprint_ll(f, llmax) < 0)
3706		exit(4);
3707	if (fclose(f) < 0)
3708		exit(5);
3709	exit(0);
3710		]])],
3711		[
3712			llong_min=`$AWK '{print $1}' conftest.llminmax`
3713			llong_max=`$AWK '{print $2}' conftest.llminmax`
3714
3715			AC_MSG_RESULT([$llong_max])
3716			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3717			    [max value of long long calculated by configure])
3718			AC_MSG_CHECKING([for min value of long long])
3719			AC_MSG_RESULT([$llong_min])
3720			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3721			    [min value of long long calculated by configure])
3722		],
3723		[
3724			AC_MSG_RESULT([not found])
3725		],
3726		[
3727			AC_MSG_WARN([cross compiling: not checking])
3728		]
3729	)
3730fi
3731
3732AC_CHECK_DECLS([UINT32_MAX], , , [[
3733#ifdef HAVE_SYS_LIMITS_H
3734# include <sys/limits.h>
3735#endif
3736#ifdef HAVE_LIMITS_H
3737# include <limits.h>
3738#endif
3739#ifdef HAVE_STDINT_H
3740# include <stdint.h>
3741#endif
3742]])
3743
3744# More checks for data types
3745AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3746	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3747	[[ u_int a; a = 1;]])],
3748	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3749	])
3750])
3751if test "x$ac_cv_have_u_int" = "xyes" ; then
3752	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3753	have_u_int=1
3754fi
3755
3756AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3757	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3758	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3759	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3760	])
3761])
3762if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3763	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3764	have_intxx_t=1
3765fi
3766
3767if (test -z "$have_intxx_t" && \
3768	   test "x$ac_cv_header_stdint_h" = "xyes")
3769then
3770    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3771	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3772	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3773		[
3774			AC_DEFINE([HAVE_INTXX_T])
3775			AC_MSG_RESULT([yes])
3776		], [ AC_MSG_RESULT([no])
3777	])
3778fi
3779
3780AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3781	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3782#include <sys/types.h>
3783#ifdef HAVE_STDINT_H
3784# include <stdint.h>
3785#endif
3786#include <sys/socket.h>
3787#ifdef HAVE_SYS_BITYPES_H
3788# include <sys/bitypes.h>
3789#endif
3790		]], [[
3791int64_t a; a = 1;
3792		]])],
3793	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3794	])
3795])
3796if test "x$ac_cv_have_int64_t" = "xyes" ; then
3797	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3798fi
3799
3800AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3801	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3802	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3803	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3804	])
3805])
3806if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3807	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3808	have_u_intxx_t=1
3809fi
3810
3811if test -z "$have_u_intxx_t" ; then
3812    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3813	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3814	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3815		[
3816			AC_DEFINE([HAVE_U_INTXX_T])
3817			AC_MSG_RESULT([yes])
3818		], [ AC_MSG_RESULT([no])
3819	])
3820fi
3821
3822AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3823	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3824	[[ u_int64_t a; a = 1;]])],
3825	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3826	])
3827])
3828if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3829	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3830	have_u_int64_t=1
3831fi
3832
3833if (test -z "$have_u_int64_t" && \
3834	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3835then
3836    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3837	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3838	[[ u_int64_t a; a = 1]])],
3839		[
3840			AC_DEFINE([HAVE_U_INT64_T])
3841			AC_MSG_RESULT([yes])
3842		], [ AC_MSG_RESULT([no])
3843	])
3844fi
3845
3846if test -z "$have_u_intxx_t" ; then
3847	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3848		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3849#include <sys/types.h>
3850			]], [[
3851	uint8_t a;
3852	uint16_t b;
3853	uint32_t c;
3854	a = b = c = 1;
3855			]])],
3856		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3857		])
3858	])
3859	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3860		AC_DEFINE([HAVE_UINTXX_T], [1],
3861			[define if you have uintxx_t data type])
3862	fi
3863fi
3864
3865if (test -z "$have_uintxx_t" && \
3866	   test "x$ac_cv_header_stdint_h" = "xyes")
3867then
3868    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3869	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3870	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3871		[
3872			AC_DEFINE([HAVE_UINTXX_T])
3873			AC_MSG_RESULT([yes])
3874		], [ AC_MSG_RESULT([no])
3875	])
3876fi
3877
3878if (test -z "$have_uintxx_t" && \
3879	   test "x$ac_cv_header_inttypes_h" = "xyes")
3880then
3881    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3882	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3883	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3884		[
3885			AC_DEFINE([HAVE_UINTXX_T])
3886			AC_MSG_RESULT([yes])
3887		], [ AC_MSG_RESULT([no])
3888	])
3889fi
3890
3891if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3892	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3893then
3894	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3895	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3896#include <sys/bitypes.h>
3897		]], [[
3898			int8_t a; int16_t b; int32_t c;
3899			u_int8_t e; u_int16_t f; u_int32_t g;
3900			a = b = c = e = f = g = 1;
3901		]])],
3902		[
3903			AC_DEFINE([HAVE_U_INTXX_T])
3904			AC_DEFINE([HAVE_INTXX_T])
3905			AC_MSG_RESULT([yes])
3906		], [AC_MSG_RESULT([no])
3907	])
3908fi
3909
3910
3911AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3912	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3913	[[ u_char foo; foo = 125; ]])],
3914	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3915	])
3916])
3917if test "x$ac_cv_have_u_char" = "xyes" ; then
3918	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3919fi
3920
3921AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3922#include <sys/types.h>
3923#ifdef HAVE_STDINT_H
3924# include <stdint.h>
3925#endif
3926])
3927
3928TYPE_SOCKLEN_T
3929
3930AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3931AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3932#include <sys/types.h>
3933#ifdef HAVE_SYS_BITYPES_H
3934#include <sys/bitypes.h>
3935#endif
3936#ifdef HAVE_SYS_STATFS_H
3937#include <sys/statfs.h>
3938#endif
3939#ifdef HAVE_SYS_STATVFS_H
3940#include <sys/statvfs.h>
3941#endif
3942])
3943
3944AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3945#include <sys/param.h>
3946#include <sys/types.h>
3947#ifdef HAVE_SYS_BITYPES_H
3948#include <sys/bitypes.h>
3949#endif
3950#ifdef HAVE_SYS_STATFS_H
3951#include <sys/statfs.h>
3952#endif
3953#ifdef HAVE_SYS_STATVFS_H
3954#include <sys/statvfs.h>
3955#endif
3956#ifdef HAVE_SYS_VFS_H
3957#include <sys/vfs.h>
3958#endif
3959#ifdef HAVE_SYS_MOUNT_H
3960#include <sys/mount.h>
3961#endif
3962]])
3963
3964
3965AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3966[#include <sys/types.h>
3967#include <netinet/in.h>])
3968
3969AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3970	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3971	[[ size_t foo; foo = 1235; ]])],
3972	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3973	])
3974])
3975if test "x$ac_cv_have_size_t" = "xyes" ; then
3976	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3977fi
3978
3979AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3980	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3981	[[ ssize_t foo; foo = 1235; ]])],
3982	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3983	])
3984])
3985if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3986	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3987fi
3988
3989AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
3990	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
3991	[[ clock_t foo; foo = 1235; ]])],
3992	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
3993	])
3994])
3995if test "x$ac_cv_have_clock_t" = "xyes" ; then
3996	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
3997fi
3998
3999AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4000	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4001#include <sys/types.h>
4002#include <sys/socket.h>
4003		]], [[ sa_family_t foo; foo = 1235; ]])],
4004	[ ac_cv_have_sa_family_t="yes" ],
4005	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4006#include <sys/types.h>
4007#include <sys/socket.h>
4008#include <netinet/in.h>
4009		]], [[ sa_family_t foo; foo = 1235; ]])],
4010		[ ac_cv_have_sa_family_t="yes" ],
4011		[ ac_cv_have_sa_family_t="no" ]
4012	)
4013	])
4014])
4015if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4016	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4017		[define if you have sa_family_t data type])
4018fi
4019
4020AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4021	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4022	[[ pid_t foo; foo = 1235; ]])],
4023	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4024	])
4025])
4026if test "x$ac_cv_have_pid_t" = "xyes" ; then
4027	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4028fi
4029
4030AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4031	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4032	[[ mode_t foo; foo = 1235; ]])],
4033	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4034	])
4035])
4036if test "x$ac_cv_have_mode_t" = "xyes" ; then
4037	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4038fi
4039
4040
4041AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4042	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4043#include <sys/types.h>
4044#include <sys/socket.h>
4045		]], [[ struct sockaddr_storage s; ]])],
4046	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4047	[ ac_cv_have_struct_sockaddr_storage="no"
4048	])
4049])
4050if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4051	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4052		[define if you have struct sockaddr_storage data type])
4053fi
4054
4055AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4056	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4057#include <sys/types.h>
4058#include <netinet/in.h>
4059		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4060	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4061	[ ac_cv_have_struct_sockaddr_in6="no"
4062	])
4063])
4064if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4065	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4066		[define if you have struct sockaddr_in6 data type])
4067fi
4068
4069AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4070	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4071#include <sys/types.h>
4072#include <netinet/in.h>
4073		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4074	[ ac_cv_have_struct_in6_addr="yes" ],
4075	[ ac_cv_have_struct_in6_addr="no"
4076	])
4077])
4078if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4079	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4080		[define if you have struct in6_addr data type])
4081
4082dnl Now check for sin6_scope_id
4083	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4084		[
4085#ifdef HAVE_SYS_TYPES_H
4086#include <sys/types.h>
4087#endif
4088#include <netinet/in.h>
4089		])
4090fi
4091
4092AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4093	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4094#include <sys/types.h>
4095#include <sys/socket.h>
4096#include <netdb.h>
4097		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4098	[ ac_cv_have_struct_addrinfo="yes" ],
4099	[ ac_cv_have_struct_addrinfo="no"
4100	])
4101])
4102if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4103	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4104		[define if you have struct addrinfo data type])
4105fi
4106
4107AC_HEADER_TIME
4108
4109AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4110	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4111	[[ struct timeval tv; tv.tv_sec = 1;]])],
4112	[ ac_cv_have_struct_timeval="yes" ],
4113	[ ac_cv_have_struct_timeval="no"
4114	])
4115])
4116if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4117	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4118	have_struct_timeval=1
4119fi
4120
4121AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4122	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4123    #ifdef TIME_WITH_SYS_TIME
4124    # include <sys/time.h>
4125    # include <time.h>
4126    #else
4127    # ifdef HAVE_SYS_TIME_H
4128    #  include <sys/time.h>
4129    # else
4130    #  include <time.h>
4131    # endif
4132    #endif
4133	]],
4134	[[ struct timespec ts; ts.tv_sec = 1;]])],
4135	[ ac_cv_have_struct_timespec="yes" ],
4136	[ ac_cv_have_struct_timespec="no"
4137	])
4138])
4139if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4140	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4141	have_struct_timespec=1
4142fi
4143
4144# We need int64_t or else certain parts of the compile will fail.
4145if test "x$ac_cv_have_int64_t" = "xno" && \
4146	test "x$ac_cv_sizeof_long_int" != "x8" && \
4147	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4148	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4149	echo "an alternative compiler (I.E., GCC) before continuing."
4150	echo ""
4151	exit 1;
4152else
4153dnl test snprintf (broken on SCO w/gcc)
4154	AC_RUN_IFELSE(
4155		[AC_LANG_SOURCE([[
4156#include <stdio.h>
4157#include <string.h>
4158#ifdef HAVE_SNPRINTF
4159main()
4160{
4161	char buf[50];
4162	char expected_out[50];
4163	int mazsize = 50 ;
4164#if (SIZEOF_LONG_INT == 8)
4165	long int num = 0x7fffffffffffffff;
4166#else
4167	long long num = 0x7fffffffffffffffll;
4168#endif
4169	strcpy(expected_out, "9223372036854775807");
4170	snprintf(buf, mazsize, "%lld", num);
4171	if(strcmp(buf, expected_out) != 0)
4172		exit(1);
4173	exit(0);
4174}
4175#else
4176main() { exit(0); }
4177#endif
4178		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4179		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4180	)
4181fi
4182
4183dnl Checks for structure members
4184OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4185OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4186OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4187OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4188OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4189OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4190OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4191OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4192OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4193OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4194OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4195OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4196OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4197OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4198OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4199OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4200OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4201
4202AC_CHECK_MEMBERS([struct stat.st_blksize])
4203AC_CHECK_MEMBERS([struct stat.st_mtim])
4204AC_CHECK_MEMBERS([struct stat.st_mtime])
4205AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4206struct passwd.pw_change, struct passwd.pw_expire],
4207[], [], [[
4208#include <sys/types.h>
4209#include <pwd.h>
4210]])
4211
4212AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4213	[Define if we don't have struct __res_state in resolv.h])],
4214[[
4215#include <stdio.h>
4216#if HAVE_SYS_TYPES_H
4217# include <sys/types.h>
4218#endif
4219#include <netinet/in.h>
4220#include <arpa/nameser.h>
4221#include <resolv.h>
4222]])
4223
4224AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4225		ac_cv_have_ss_family_in_struct_ss, [
4226	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4227#include <sys/types.h>
4228#include <sys/socket.h>
4229		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4230	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4231	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4232])
4233if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4234	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4235fi
4236
4237AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4238		ac_cv_have___ss_family_in_struct_ss, [
4239	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4240#include <sys/types.h>
4241#include <sys/socket.h>
4242		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4243	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4244	[ ac_cv_have___ss_family_in_struct_ss="no"
4245	])
4246])
4247if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4248	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4249		[Fields in struct sockaddr_storage])
4250fi
4251
4252dnl make sure we're using the real structure members and not defines
4253AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4254		ac_cv_have_accrights_in_msghdr, [
4255	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4256#include <sys/types.h>
4257#include <sys/socket.h>
4258#include <sys/uio.h>
4259		]], [[
4260#ifdef msg_accrights
4261#error "msg_accrights is a macro"
4262exit(1);
4263#endif
4264struct msghdr m;
4265m.msg_accrights = 0;
4266exit(0);
4267		]])],
4268		[ ac_cv_have_accrights_in_msghdr="yes" ],
4269		[ ac_cv_have_accrights_in_msghdr="no" ]
4270	)
4271])
4272if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4273	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4274		[Define if your system uses access rights style
4275		file descriptor passing])
4276fi
4277
4278AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4279AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4280#include <sys/param.h>
4281#include <sys/stat.h>
4282#ifdef HAVE_SYS_TIME_H
4283# include <sys/time.h>
4284#endif
4285#ifdef HAVE_SYS_MOUNT_H
4286#include <sys/mount.h>
4287#endif
4288#ifdef HAVE_SYS_STATVFS_H
4289#include <sys/statvfs.h>
4290#endif
4291	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4292	[ AC_MSG_RESULT([yes]) ],
4293	[ AC_MSG_RESULT([no])
4294
4295	AC_MSG_CHECKING([if fsid_t has member val])
4296	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4297#include <sys/types.h>
4298#include <sys/statvfs.h>
4299	]], [[ fsid_t t; t.val[0] = 0; ]])],
4300	[ AC_MSG_RESULT([yes])
4301	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4302	[ AC_MSG_RESULT([no]) ])
4303
4304	AC_MSG_CHECKING([if f_fsid has member __val])
4305	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4306#include <sys/types.h>
4307#include <sys/statvfs.h>
4308	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4309	[ AC_MSG_RESULT([yes])
4310	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4311	[ AC_MSG_RESULT([no]) ])
4312])
4313
4314AC_CACHE_CHECK([for msg_control field in struct msghdr],
4315		ac_cv_have_control_in_msghdr, [
4316	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4317#include <sys/types.h>
4318#include <sys/socket.h>
4319#include <sys/uio.h>
4320		]], [[
4321#ifdef msg_control
4322#error "msg_control is a macro"
4323exit(1);
4324#endif
4325struct msghdr m;
4326m.msg_control = 0;
4327exit(0);
4328		]])],
4329		[ ac_cv_have_control_in_msghdr="yes" ],
4330		[ ac_cv_have_control_in_msghdr="no" ]
4331	)
4332])
4333if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4334	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4335		[Define if your system uses ancillary data style
4336		file descriptor passing])
4337fi
4338
4339AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4340	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4341		[[ extern char *__progname; printf("%s", __progname); ]])],
4342	[ ac_cv_libc_defines___progname="yes" ],
4343	[ ac_cv_libc_defines___progname="no"
4344	])
4345])
4346if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4347	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4348fi
4349
4350AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4351	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4352		[[ printf("%s", __FUNCTION__); ]])],
4353	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4354	[ ac_cv_cc_implements___FUNCTION__="no"
4355	])
4356])
4357if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4358	AC_DEFINE([HAVE___FUNCTION__], [1],
4359		[Define if compiler implements __FUNCTION__])
4360fi
4361
4362AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4363	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4364		[[ printf("%s", __func__); ]])],
4365	[ ac_cv_cc_implements___func__="yes" ],
4366	[ ac_cv_cc_implements___func__="no"
4367	])
4368])
4369if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4370	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4371fi
4372
4373AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4374	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4375#include <stdarg.h>
4376va_list x,y;
4377		]], [[ va_copy(x,y); ]])],
4378	[ ac_cv_have_va_copy="yes" ],
4379	[ ac_cv_have_va_copy="no"
4380	])
4381])
4382if test "x$ac_cv_have_va_copy" = "xyes" ; then
4383	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4384fi
4385
4386AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4387	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4388#include <stdarg.h>
4389va_list x,y;
4390		]], [[ __va_copy(x,y); ]])],
4391	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4392	])
4393])
4394if test "x$ac_cv_have___va_copy" = "xyes" ; then
4395	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4396fi
4397
4398AC_CACHE_CHECK([whether getopt has optreset support],
4399		ac_cv_have_getopt_optreset, [
4400	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4401		[[ extern int optreset; optreset = 0; ]])],
4402	[ ac_cv_have_getopt_optreset="yes" ],
4403	[ ac_cv_have_getopt_optreset="no"
4404	])
4405])
4406if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4407	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4408		[Define if your getopt(3) defines and uses optreset])
4409fi
4410
4411AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4412	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4413[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4414	[ ac_cv_libc_defines_sys_errlist="yes" ],
4415	[ ac_cv_libc_defines_sys_errlist="no"
4416	])
4417])
4418if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4419	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4420		[Define if your system defines sys_errlist[]])
4421fi
4422
4423
4424AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4425	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4426[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4427	[ ac_cv_libc_defines_sys_nerr="yes" ],
4428	[ ac_cv_libc_defines_sys_nerr="no"
4429	])
4430])
4431if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4432	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4433fi
4434
4435# Check libraries needed by DNS fingerprint support
4436AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4437	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4438		[Define if getrrsetbyname() exists])],
4439	[
4440		# Needed by our getrrsetbyname()
4441		AC_SEARCH_LIBS([res_query], [resolv])
4442		AC_SEARCH_LIBS([dn_expand], [resolv])
4443		AC_MSG_CHECKING([if res_query will link])
4444		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4445#include <sys/types.h>
4446#include <netinet/in.h>
4447#include <arpa/nameser.h>
4448#include <netdb.h>
4449#include <resolv.h>
4450				]], [[
4451	res_query (0, 0, 0, 0, 0);
4452				]])],
4453		    AC_MSG_RESULT([yes]),
4454		   [AC_MSG_RESULT([no])
4455		    saved_LIBS="$LIBS"
4456		    LIBS="$LIBS -lresolv"
4457		    AC_MSG_CHECKING([for res_query in -lresolv])
4458		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4459#include <sys/types.h>
4460#include <netinet/in.h>
4461#include <arpa/nameser.h>
4462#include <netdb.h>
4463#include <resolv.h>
4464				]], [[
4465	res_query (0, 0, 0, 0, 0);
4466				]])],
4467			[AC_MSG_RESULT([yes])],
4468			[LIBS="$saved_LIBS"
4469			 AC_MSG_RESULT([no])])
4470		    ])
4471		AC_CHECK_FUNCS([_getshort _getlong])
4472		AC_CHECK_DECLS([_getshort, _getlong], , ,
4473		    [#include <sys/types.h>
4474		    #include <arpa/nameser.h>])
4475		AC_CHECK_MEMBER([HEADER.ad],
4476			[AC_DEFINE([HAVE_HEADER_AD], [1],
4477			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4478			[#include <arpa/nameser.h>])
4479	])
4480
4481AC_MSG_CHECKING([if struct __res_state _res is an extern])
4482AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4483#include <stdio.h>
4484#if HAVE_SYS_TYPES_H
4485# include <sys/types.h>
4486#endif
4487#include <netinet/in.h>
4488#include <arpa/nameser.h>
4489#include <resolv.h>
4490extern struct __res_state _res;
4491		]], [[
4492struct __res_state *volatile p = &_res;  /* force resolution of _res */
4493return 0;
4494		]],)],
4495		[AC_MSG_RESULT([yes])
4496		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4497		    [Define if you have struct __res_state _res as an extern])
4498		],
4499		[ AC_MSG_RESULT([no]) ]
4500)
4501
4502# Check whether user wants SELinux support
4503SELINUX_MSG="no"
4504LIBSELINUX=""
4505AC_ARG_WITH([selinux],
4506	[  --with-selinux          Enable SELinux support],
4507	[ if test "x$withval" != "xno" ; then
4508		save_LIBS="$LIBS"
4509		AC_DEFINE([WITH_SELINUX], [1],
4510			[Define if you want SELinux support.])
4511		SELINUX_MSG="yes"
4512		AC_CHECK_HEADER([selinux/selinux.h], ,
4513			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4514		AC_CHECK_LIB([selinux], [setexeccon],
4515			[ LIBSELINUX="-lselinux"
4516			  LIBS="$LIBS -lselinux"
4517			],
4518			AC_MSG_ERROR([SELinux support requires libselinux library]))
4519		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4520		LIBS="$save_LIBS $LIBSELINUX"
4521	fi ]
4522)
4523AC_SUBST([SSHDLIBS])
4524
4525# Check whether user wants Kerberos 5 support
4526KRB5_MSG="no"
4527AC_ARG_WITH([kerberos5],
4528	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4529	[ if test "x$withval" != "xno" ; then
4530		if test "x$withval" = "xyes" ; then
4531			KRB5ROOT="/usr/local"
4532		else
4533			KRB5ROOT=${withval}
4534		fi
4535
4536		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4537		KRB5_MSG="yes"
4538
4539		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4540			     [$KRB5ROOT/bin/krb5-config],
4541			     [$KRB5ROOT/bin:$PATH])
4542		if test -x $KRB5CONF ; then
4543			K5CFLAGS="`$KRB5CONF --cflags`"
4544			K5LIBS="`$KRB5CONF --libs`"
4545			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4546
4547			AC_MSG_CHECKING([for gssapi support])
4548			if $KRB5CONF | grep gssapi >/dev/null ; then
4549				AC_MSG_RESULT([yes])
4550				AC_DEFINE([GSSAPI], [1],
4551					[Define this if you want GSSAPI
4552					support in the version 2 protocol])
4553				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4554				GSSLIBS="`$KRB5CONF --libs gssapi`"
4555				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4556			else
4557				AC_MSG_RESULT([no])
4558			fi
4559			AC_MSG_CHECKING([whether we are using Heimdal])
4560			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4561				]], [[ char *tmp = heimdal_version; ]])],
4562				[ AC_MSG_RESULT([yes])
4563				AC_DEFINE([HEIMDAL], [1],
4564				[Define this if you are using the Heimdal
4565				version of Kerberos V5]) ],
4566				[AC_MSG_RESULT([no])
4567			])
4568		else
4569			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4570			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4571			AC_MSG_CHECKING([whether we are using Heimdal])
4572			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4573				]], [[ char *tmp = heimdal_version; ]])],
4574					[ AC_MSG_RESULT([yes])
4575					 AC_DEFINE([HEIMDAL])
4576					 K5LIBS="-lkrb5"
4577					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4578					 AC_CHECK_LIB([roken], [net_write],
4579					   [K5LIBS="$K5LIBS -lroken"])
4580					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4581					   [K5LIBS="$K5LIBS -ldes"])
4582				       ], [ AC_MSG_RESULT([no])
4583					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4584			])
4585			AC_SEARCH_LIBS([dn_expand], [resolv])
4586
4587			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4588				[ AC_DEFINE([GSSAPI])
4589				  GSSLIBS="-lgssapi_krb5" ],
4590				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4591					[ AC_DEFINE([GSSAPI])
4592					  GSSLIBS="-lgssapi" ],
4593					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4594						[ AC_DEFINE([GSSAPI])
4595						  GSSLIBS="-lgss" ],
4596						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4597					])
4598				])
4599
4600			AC_CHECK_HEADER([gssapi.h], ,
4601				[ unset ac_cv_header_gssapi_h
4602				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4603				  AC_CHECK_HEADERS([gssapi.h], ,
4604					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4605				  )
4606				]
4607			)
4608
4609			oldCPP="$CPPFLAGS"
4610			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4611			AC_CHECK_HEADER([gssapi_krb5.h], ,
4612					[ CPPFLAGS="$oldCPP" ])
4613
4614		fi
4615		if test -n "${rpath_opt}" ; then
4616			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4617		fi
4618		if test ! -z "$blibpath" ; then
4619			blibpath="$blibpath:${KRB5ROOT}/lib"
4620		fi
4621
4622		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4623		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4624		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4625
4626		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4627			[Define this if you want to use libkafs' AFS support])])
4628
4629		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4630#ifdef HAVE_GSSAPI_H
4631# include <gssapi.h>
4632#elif defined(HAVE_GSSAPI_GSSAPI_H)
4633# include <gssapi/gssapi.h>
4634#endif
4635
4636#ifdef HAVE_GSSAPI_GENERIC_H
4637# include <gssapi_generic.h>
4638#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4639# include <gssapi/gssapi_generic.h>
4640#endif
4641		]])
4642		saved_LIBS="$LIBS"
4643		LIBS="$LIBS $K5LIBS"
4644		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4645		LIBS="$saved_LIBS"
4646
4647	fi
4648	]
4649)
4650AC_SUBST([GSSLIBS])
4651AC_SUBST([K5LIBS])
4652
4653# Looking for programs, paths and files
4654
4655PRIVSEP_PATH=/var/empty
4656AC_ARG_WITH([privsep-path],
4657	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4658	[
4659		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4660		    test "x${withval}" != "xyes"; then
4661			PRIVSEP_PATH=$withval
4662		fi
4663	]
4664)
4665AC_SUBST([PRIVSEP_PATH])
4666
4667AC_ARG_WITH([xauth],
4668	[  --with-xauth=PATH       Specify path to xauth program ],
4669	[
4670		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4671		    test "x${withval}" != "xyes"; then
4672			xauth_path=$withval
4673		fi
4674	],
4675	[
4676		TestPath="$PATH"
4677		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4678		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4679		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4680		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4681		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4682		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4683			xauth_path="/usr/openwin/bin/xauth"
4684		fi
4685	]
4686)
4687
4688STRIP_OPT=-s
4689AC_ARG_ENABLE([strip],
4690	[  --disable-strip         Disable calling strip(1) on install],
4691	[
4692		if test "x$enableval" = "xno" ; then
4693			STRIP_OPT=
4694		fi
4695	]
4696)
4697AC_SUBST([STRIP_OPT])
4698
4699if test -z "$xauth_path" ; then
4700	XAUTH_PATH="undefined"
4701	AC_SUBST([XAUTH_PATH])
4702else
4703	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4704		[Define if xauth is found in your path])
4705	XAUTH_PATH=$xauth_path
4706	AC_SUBST([XAUTH_PATH])
4707fi
4708
4709dnl # --with-maildir=/path/to/mail gets top priority.
4710dnl # if maildir is set in the platform case statement above we use that.
4711dnl # Otherwise we run a program to get the dir from system headers.
4712dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4713dnl # If we find _PATH_MAILDIR we do nothing because that is what
4714dnl # session.c expects anyway. Otherwise we set to the value found
4715dnl # stripping any trailing slash. If for some strage reason our program
4716dnl # does not find what it needs, we default to /var/spool/mail.
4717# Check for mail directory
4718AC_ARG_WITH([maildir],
4719    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4720    [
4721	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4722	    test "x${withval}" != xyes; then
4723		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4724            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4725	    fi
4726     ],[
4727	if test "X$maildir" != "X"; then
4728	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4729	else
4730	    AC_MSG_CHECKING([Discovering system mail directory])
4731	    AC_RUN_IFELSE(
4732		[AC_LANG_PROGRAM([[
4733#include <stdio.h>
4734#include <string.h>
4735#ifdef HAVE_PATHS_H
4736#include <paths.h>
4737#endif
4738#ifdef HAVE_MAILLOCK_H
4739#include <maillock.h>
4740#endif
4741#define DATA "conftest.maildir"
4742	]], [[
4743	FILE *fd;
4744	int rc;
4745
4746	fd = fopen(DATA,"w");
4747	if(fd == NULL)
4748		exit(1);
4749
4750#if defined (_PATH_MAILDIR)
4751	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4752		exit(1);
4753#elif defined (MAILDIR)
4754	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4755		exit(1);
4756#elif defined (_PATH_MAIL)
4757	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4758		exit(1);
4759#else
4760	exit (2);
4761#endif
4762
4763	exit(0);
4764		]])],
4765		[
4766		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4767		    maildir=`awk -F: '{print $2}' conftest.maildir \
4768			| sed 's|/$||'`
4769		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4770		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4771			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4772		    fi
4773		],
4774		[
4775		    if test "X$ac_status" = "X2";then
4776# our test program didn't find it. Default to /var/spool/mail
4777			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4778			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4779		     else
4780			AC_MSG_RESULT([*** not found ***])
4781		     fi
4782		],
4783		[
4784			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4785		]
4786	    )
4787	fi
4788    ]
4789) # maildir
4790
4791if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4792	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4793	disable_ptmx_check=yes
4794fi
4795if test -z "$no_dev_ptmx" ; then
4796	if test "x$disable_ptmx_check" != "xyes" ; then
4797		AC_CHECK_FILE(["/dev/ptmx"],
4798			[
4799				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4800					[Define if you have /dev/ptmx])
4801				have_dev_ptmx=1
4802			]
4803		)
4804	fi
4805fi
4806
4807if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4808	AC_CHECK_FILE(["/dev/ptc"],
4809		[
4810			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4811				[Define if you have /dev/ptc])
4812			have_dev_ptc=1
4813		]
4814	)
4815else
4816	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4817fi
4818
4819# Options from here on. Some of these are preset by platform above
4820AC_ARG_WITH([mantype],
4821	[  --with-mantype=man|cat|doc  Set man page type],
4822	[
4823		case "$withval" in
4824		man|cat|doc)
4825			MANTYPE=$withval
4826			;;
4827		*)
4828			AC_MSG_ERROR([invalid man type: $withval])
4829			;;
4830		esac
4831	]
4832)
4833if test -z "$MANTYPE"; then
4834	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4835		MANTYPE=doc
4836	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4837		MANTYPE=doc
4838	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4839		MANTYPE=man
4840	else
4841		MANTYPE=cat
4842	fi
4843fi
4844AC_SUBST([MANTYPE])
4845if test "$MANTYPE" = "doc"; then
4846	mansubdir=man;
4847else
4848	mansubdir=$MANTYPE;
4849fi
4850AC_SUBST([mansubdir])
4851
4852# Check whether to enable MD5 passwords
4853MD5_MSG="no"
4854AC_ARG_WITH([md5-passwords],
4855	[  --with-md5-passwords    Enable use of MD5 passwords],
4856	[
4857		if test "x$withval" != "xno" ; then
4858			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4859				[Define if you want to allow MD5 passwords])
4860			MD5_MSG="yes"
4861		fi
4862	]
4863)
4864
4865# Whether to disable shadow password support
4866AC_ARG_WITH([shadow],
4867	[  --without-shadow        Disable shadow password support],
4868	[
4869		if test "x$withval" = "xno" ; then
4870			AC_DEFINE([DISABLE_SHADOW])
4871			disable_shadow=yes
4872		fi
4873	]
4874)
4875
4876if test -z "$disable_shadow" ; then
4877	AC_MSG_CHECKING([if the systems has expire shadow information])
4878	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4879#include <sys/types.h>
4880#include <shadow.h>
4881struct spwd sp;
4882		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4883		[ sp_expire_available=yes ], [
4884	])
4885
4886	if test "x$sp_expire_available" = "xyes" ; then
4887		AC_MSG_RESULT([yes])
4888		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4889		    [Define if you want to use shadow password expire field])
4890	else
4891		AC_MSG_RESULT([no])
4892	fi
4893fi
4894
4895# Use ip address instead of hostname in $DISPLAY
4896if test ! -z "$IPADDR_IN_DISPLAY" ; then
4897	DISPLAY_HACK_MSG="yes"
4898	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4899		[Define if you need to use IP address
4900		instead of hostname in $DISPLAY])
4901else
4902	DISPLAY_HACK_MSG="no"
4903	AC_ARG_WITH([ipaddr-display],
4904		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4905		[
4906			if test "x$withval" != "xno" ; then
4907				AC_DEFINE([IPADDR_IN_DISPLAY])
4908				DISPLAY_HACK_MSG="yes"
4909			fi
4910		]
4911	)
4912fi
4913
4914# check for /etc/default/login and use it if present.
4915AC_ARG_ENABLE([etc-default-login],
4916	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4917	[ if test "x$enableval" = "xno"; then
4918		AC_MSG_NOTICE([/etc/default/login handling disabled])
4919		etc_default_login=no
4920	  else
4921		etc_default_login=yes
4922	  fi ],
4923	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4924	  then
4925		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4926		etc_default_login=no
4927	  else
4928		etc_default_login=yes
4929	  fi ]
4930)
4931
4932if test "x$etc_default_login" != "xno"; then
4933	AC_CHECK_FILE(["/etc/default/login"],
4934	    [ external_path_file=/etc/default/login ])
4935	if test "x$external_path_file" = "x/etc/default/login"; then
4936		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4937			[Define if your system has /etc/default/login])
4938	fi
4939fi
4940
4941dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4942if test $ac_cv_func_login_getcapbool = "yes" && \
4943	test $ac_cv_header_login_cap_h = "yes" ; then
4944	external_path_file=/etc/login.conf
4945fi
4946
4947# Whether to mess with the default path
4948SERVER_PATH_MSG="(default)"
4949AC_ARG_WITH([default-path],
4950	[  --with-default-path=    Specify default $PATH environment for server],
4951	[
4952		if test "x$external_path_file" = "x/etc/login.conf" ; then
4953			AC_MSG_WARN([
4954--with-default-path=PATH has no effect on this system.
4955Edit /etc/login.conf instead.])
4956		elif test "x$withval" != "xno" ; then
4957			if test ! -z "$external_path_file" ; then
4958				AC_MSG_WARN([
4959--with-default-path=PATH will only be used if PATH is not defined in
4960$external_path_file .])
4961			fi
4962			user_path="$withval"
4963			SERVER_PATH_MSG="$withval"
4964		fi
4965	],
4966	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4967		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4968	else
4969		if test ! -z "$external_path_file" ; then
4970			AC_MSG_WARN([
4971If PATH is defined in $external_path_file, ensure the path to scp is included,
4972otherwise scp will not work.])
4973		fi
4974		AC_RUN_IFELSE(
4975			[AC_LANG_PROGRAM([[
4976/* find out what STDPATH is */
4977#include <stdio.h>
4978#ifdef HAVE_PATHS_H
4979# include <paths.h>
4980#endif
4981#ifndef _PATH_STDPATH
4982# ifdef _PATH_USERPATH	/* Irix */
4983#  define _PATH_STDPATH _PATH_USERPATH
4984# else
4985#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4986# endif
4987#endif
4988#include <sys/types.h>
4989#include <sys/stat.h>
4990#include <fcntl.h>
4991#define DATA "conftest.stdpath"
4992			]], [[
4993	FILE *fd;
4994	int rc;
4995
4996	fd = fopen(DATA,"w");
4997	if(fd == NULL)
4998		exit(1);
4999
5000	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5001		exit(1);
5002
5003	exit(0);
5004		]])],
5005		[ user_path=`cat conftest.stdpath` ],
5006		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5007		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5008	)
5009# make sure $bindir is in USER_PATH so scp will work
5010		t_bindir="${bindir}"
5011		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5012			t_bindir=`eval echo ${t_bindir}`
5013			case $t_bindir in
5014				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5015			esac
5016			case $t_bindir in
5017				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5018			esac
5019		done
5020		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5021		if test $? -ne 0  ; then
5022			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5023			if test $? -ne 0  ; then
5024				user_path=$user_path:$t_bindir
5025				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5026			fi
5027		fi
5028	fi ]
5029)
5030if test "x$external_path_file" != "x/etc/login.conf" ; then
5031	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5032	AC_SUBST([user_path])
5033fi
5034
5035# Set superuser path separately to user path
5036AC_ARG_WITH([superuser-path],
5037	[  --with-superuser-path=  Specify different path for super-user],
5038	[
5039		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5040		    test "x${withval}" != "xyes"; then
5041			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5042				[Define if you want a different $PATH
5043				for the superuser])
5044			superuser_path=$withval
5045		fi
5046	]
5047)
5048
5049
5050AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5051IPV4_IN6_HACK_MSG="no"
5052AC_ARG_WITH(4in6,
5053	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5054	[
5055		if test "x$withval" != "xno" ; then
5056			AC_MSG_RESULT([yes])
5057			AC_DEFINE([IPV4_IN_IPV6], [1],
5058				[Detect IPv4 in IPv6 mapped addresses
5059				and treat as IPv4])
5060			IPV4_IN6_HACK_MSG="yes"
5061		else
5062			AC_MSG_RESULT([no])
5063		fi
5064	], [
5065		if test "x$inet6_default_4in6" = "xyes"; then
5066			AC_MSG_RESULT([yes (default)])
5067			AC_DEFINE([IPV4_IN_IPV6])
5068			IPV4_IN6_HACK_MSG="yes"
5069		else
5070			AC_MSG_RESULT([no (default)])
5071		fi
5072	]
5073)
5074
5075# Whether to enable BSD auth support
5076BSD_AUTH_MSG=no
5077AC_ARG_WITH([bsd-auth],
5078	[  --with-bsd-auth         Enable BSD auth support],
5079	[
5080		if test "x$withval" != "xno" ; then
5081			AC_DEFINE([BSD_AUTH], [1],
5082				[Define if you have BSD auth support])
5083			BSD_AUTH_MSG=yes
5084		fi
5085	]
5086)
5087
5088# Where to place sshd.pid
5089piddir=/var/run
5090# make sure the directory exists
5091if test ! -d $piddir ; then
5092	piddir=`eval echo ${sysconfdir}`
5093	case $piddir in
5094		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5095	esac
5096fi
5097
5098AC_ARG_WITH([pid-dir],
5099	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5100	[
5101		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5102		    test "x${withval}" != "xyes"; then
5103			piddir=$withval
5104			if test ! -d $piddir ; then
5105			AC_MSG_WARN([** no $piddir directory on this system **])
5106			fi
5107		fi
5108	]
5109)
5110
5111AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5112	[Specify location of ssh.pid])
5113AC_SUBST([piddir])
5114
5115dnl allow user to disable some login recording features
5116AC_ARG_ENABLE([lastlog],
5117	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5118	[
5119		if test "x$enableval" = "xno" ; then
5120			AC_DEFINE([DISABLE_LASTLOG])
5121		fi
5122	]
5123)
5124AC_ARG_ENABLE([utmp],
5125	[  --disable-utmp          disable use of utmp even if detected [no]],
5126	[
5127		if test "x$enableval" = "xno" ; then
5128			AC_DEFINE([DISABLE_UTMP])
5129		fi
5130	]
5131)
5132AC_ARG_ENABLE([utmpx],
5133	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5134	[
5135		if test "x$enableval" = "xno" ; then
5136			AC_DEFINE([DISABLE_UTMPX], [1],
5137				[Define if you don't want to use utmpx])
5138		fi
5139	]
5140)
5141AC_ARG_ENABLE([wtmp],
5142	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5143	[
5144		if test "x$enableval" = "xno" ; then
5145			AC_DEFINE([DISABLE_WTMP])
5146		fi
5147	]
5148)
5149AC_ARG_ENABLE([wtmpx],
5150	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5151	[
5152		if test "x$enableval" = "xno" ; then
5153			AC_DEFINE([DISABLE_WTMPX], [1],
5154				[Define if you don't want to use wtmpx])
5155		fi
5156	]
5157)
5158AC_ARG_ENABLE([libutil],
5159	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5160	[
5161		if test "x$enableval" = "xno" ; then
5162			AC_DEFINE([DISABLE_LOGIN])
5163		fi
5164	]
5165)
5166AC_ARG_ENABLE([pututline],
5167	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5168	[
5169		if test "x$enableval" = "xno" ; then
5170			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5171				[Define if you don't want to use pututline()
5172				etc. to write [uw]tmp])
5173		fi
5174	]
5175)
5176AC_ARG_ENABLE([pututxline],
5177	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5178	[
5179		if test "x$enableval" = "xno" ; then
5180			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5181				[Define if you don't want to use pututxline()
5182				etc. to write [uw]tmpx])
5183		fi
5184	]
5185)
5186AC_ARG_WITH([lastlog],
5187  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5188	[
5189		if test "x$withval" = "xno" ; then
5190			AC_DEFINE([DISABLE_LASTLOG])
5191		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5192			conf_lastlog_location=$withval
5193		fi
5194	]
5195)
5196
5197dnl lastlog, [uw]tmpx? detection
5198dnl  NOTE: set the paths in the platform section to avoid the
5199dnl   need for command-line parameters
5200dnl lastlog and [uw]tmp are subject to a file search if all else fails
5201
5202dnl lastlog detection
5203dnl  NOTE: the code itself will detect if lastlog is a directory
5204AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5205AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5206#include <sys/types.h>
5207#include <utmp.h>
5208#ifdef HAVE_LASTLOG_H
5209#  include <lastlog.h>
5210#endif
5211#ifdef HAVE_PATHS_H
5212#  include <paths.h>
5213#endif
5214#ifdef HAVE_LOGIN_H
5215# include <login.h>
5216#endif
5217	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5218		[ AC_MSG_RESULT([yes]) ],
5219		[
5220		AC_MSG_RESULT([no])
5221		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5222		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5223#include <sys/types.h>
5224#include <utmp.h>
5225#ifdef HAVE_LASTLOG_H
5226#  include <lastlog.h>
5227#endif
5228#ifdef HAVE_PATHS_H
5229#  include <paths.h>
5230#endif
5231		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5232		[ AC_MSG_RESULT([yes]) ],
5233		[
5234			AC_MSG_RESULT([no])
5235			system_lastlog_path=no
5236		])
5237])
5238
5239if test -z "$conf_lastlog_location"; then
5240	if test x"$system_lastlog_path" = x"no" ; then
5241		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5242				if (test -d "$f" || test -f "$f") ; then
5243					conf_lastlog_location=$f
5244				fi
5245		done
5246		if test -z "$conf_lastlog_location"; then
5247			AC_MSG_WARN([** Cannot find lastlog **])
5248			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5249		fi
5250	fi
5251fi
5252
5253if test -n "$conf_lastlog_location"; then
5254	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5255		[Define if you want to specify the path to your lastlog file])
5256fi
5257
5258dnl utmp detection
5259AC_MSG_CHECKING([if your system defines UTMP_FILE])
5260AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5261#include <sys/types.h>
5262#include <utmp.h>
5263#ifdef HAVE_PATHS_H
5264#  include <paths.h>
5265#endif
5266	]], [[ char *utmp = UTMP_FILE; ]])],
5267	[ AC_MSG_RESULT([yes]) ],
5268	[ AC_MSG_RESULT([no])
5269	  system_utmp_path=no
5270])
5271if test -z "$conf_utmp_location"; then
5272	if test x"$system_utmp_path" = x"no" ; then
5273		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5274			if test -f $f ; then
5275				conf_utmp_location=$f
5276			fi
5277		done
5278		if test -z "$conf_utmp_location"; then
5279			AC_DEFINE([DISABLE_UTMP])
5280		fi
5281	fi
5282fi
5283if test -n "$conf_utmp_location"; then
5284	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5285		[Define if you want to specify the path to your utmp file])
5286fi
5287
5288dnl wtmp detection
5289AC_MSG_CHECKING([if your system defines WTMP_FILE])
5290AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5291#include <sys/types.h>
5292#include <utmp.h>
5293#ifdef HAVE_PATHS_H
5294#  include <paths.h>
5295#endif
5296	]], [[ char *wtmp = WTMP_FILE; ]])],
5297	[ AC_MSG_RESULT([yes]) ],
5298	[ AC_MSG_RESULT([no])
5299	  system_wtmp_path=no
5300])
5301if test -z "$conf_wtmp_location"; then
5302	if test x"$system_wtmp_path" = x"no" ; then
5303		for f in /usr/adm/wtmp /var/log/wtmp; do
5304			if test -f $f ; then
5305				conf_wtmp_location=$f
5306			fi
5307		done
5308		if test -z "$conf_wtmp_location"; then
5309			AC_DEFINE([DISABLE_WTMP])
5310		fi
5311	fi
5312fi
5313if test -n "$conf_wtmp_location"; then
5314	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5315		[Define if you want to specify the path to your wtmp file])
5316fi
5317
5318dnl wtmpx detection
5319AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5320AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5321#include <sys/types.h>
5322#include <utmp.h>
5323#ifdef HAVE_UTMPX_H
5324#include <utmpx.h>
5325#endif
5326#ifdef HAVE_PATHS_H
5327#  include <paths.h>
5328#endif
5329	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5330	[ AC_MSG_RESULT([yes]) ],
5331	[ AC_MSG_RESULT([no])
5332	  system_wtmpx_path=no
5333])
5334if test -z "$conf_wtmpx_location"; then
5335	if test x"$system_wtmpx_path" = x"no" ; then
5336		AC_DEFINE([DISABLE_WTMPX])
5337	fi
5338else
5339	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5340		[Define if you want to specify the path to your wtmpx file])
5341fi
5342
5343
5344if test ! -z "$blibpath" ; then
5345	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5346	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5347fi
5348
5349AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5350    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5351	AC_DEFINE([DISABLE_LASTLOG])
5352    fi
5353	], [
5354#ifdef HAVE_SYS_TYPES_H
5355#include <sys/types.h>
5356#endif
5357#ifdef HAVE_UTMP_H
5358#include <utmp.h>
5359#endif
5360#ifdef HAVE_UTMPX_H
5361#include <utmpx.h>
5362#endif
5363#ifdef HAVE_LASTLOG_H
5364#include <lastlog.h>
5365#endif
5366	])
5367
5368AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5369	AC_DEFINE([DISABLE_UTMP])
5370	AC_DEFINE([DISABLE_WTMP])
5371	], [
5372#ifdef HAVE_SYS_TYPES_H
5373#include <sys/types.h>
5374#endif
5375#ifdef HAVE_UTMP_H
5376#include <utmp.h>
5377#endif
5378#ifdef HAVE_UTMPX_H
5379#include <utmpx.h>
5380#endif
5381#ifdef HAVE_LASTLOG_H
5382#include <lastlog.h>
5383#endif
5384	])
5385
5386dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5387dnl Add now.
5388CFLAGS="$CFLAGS $werror_flags"
5389
5390if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5391	TEST_SSH_IPV6=no
5392else
5393	TEST_SSH_IPV6=yes
5394fi
5395AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5396AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5397AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5398AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5399AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5400AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5401
5402CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5403LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5404
5405# Make a copy of CFLAGS/LDFLAGS without PIE options.
5406LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5407CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5408AC_SUBST([LDFLAGS_NOPIE])
5409AC_SUBST([CFLAGS_NOPIE])
5410
5411AC_EXEEXT
5412AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5413	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5414	survey.sh])
5415AC_OUTPUT
5416
5417# Print summary of options
5418
5419# Someone please show me a better way :)
5420A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5421B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5422C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5423D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5424E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5425F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5426G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5427H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5428I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5429J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5430
5431echo ""
5432echo "OpenSSH has been configured with the following options:"
5433echo "                     User binaries: $B"
5434echo "                   System binaries: $C"
5435echo "               Configuration files: $D"
5436echo "                   Askpass program: $E"
5437echo "                      Manual pages: $F"
5438echo "                          PID file: $G"
5439echo "  Privilege separation chroot path: $H"
5440if test "x$external_path_file" = "x/etc/login.conf" ; then
5441echo "   At runtime, sshd will use the path defined in $external_path_file"
5442echo "   Make sure the path to scp is present, otherwise scp will not work"
5443else
5444echo "            sshd default user PATH: $I"
5445	if test ! -z "$external_path_file"; then
5446echo "   (If PATH is set in $external_path_file it will be used instead. If"
5447echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5448	fi
5449fi
5450if test ! -z "$superuser_path" ; then
5451echo "          sshd superuser user PATH: $J"
5452fi
5453echo "                    Manpage format: $MANTYPE"
5454echo "                       PAM support: $PAM_MSG"
5455echo "                   OSF SIA support: $SIA_MSG"
5456echo "                 KerberosV support: $KRB5_MSG"
5457echo "                   SELinux support: $SELINUX_MSG"
5458echo "              MD5 password support: $MD5_MSG"
5459echo "                   libedit support: $LIBEDIT_MSG"
5460echo "                   libldns support: $LDNS_MSG"
5461echo "  Solaris process contract support: $SPC_MSG"
5462echo "           Solaris project support: $SP_MSG"
5463echo "         Solaris privilege support: $SPP_MSG"
5464echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5465echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5466echo "                  BSD Auth support: $BSD_AUTH_MSG"
5467echo "              Random number source: $RAND_MSG"
5468echo "             Privsep sandbox style: $SANDBOX_STYLE"
5469echo "                   PKCS#11 support: $enable_pkcs11"
5470echo "                  U2F/FIDO support: $enable_sk"
5471
5472echo ""
5473
5474echo "              Host: ${host}"
5475echo "          Compiler: ${CC}"
5476echo "    Compiler flags: ${CFLAGS}"
5477echo "Preprocessor flags: ${CPPFLAGS}"
5478echo "      Linker flags: ${LDFLAGS}"
5479echo "         Libraries: ${LIBS}"
5480if test ! -z "${SSHDLIBS}"; then
5481echo "         +for sshd: ${SSHDLIBS}"
5482fi
5483
5484echo ""
5485
5486if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5487	echo "SVR4 style packages are supported with \"make package\""
5488	echo ""
5489fi
5490
5491if test "x$PAM_MSG" = "xyes" ; then
5492	echo "PAM is enabled. You may need to install a PAM control file "
5493	echo "for sshd, otherwise password authentication may fail. "
5494	echo "Example PAM control files can be found in the contrib/ "
5495	echo "subdirectory"
5496	echo ""
5497fi
5498
5499if test ! -z "$NO_PEERCHECK" ; then
5500	echo "WARNING: the operating system that you are using does not"
5501	echo "appear to support getpeereid(), getpeerucred() or the"
5502	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5503	echo "enforce security checks to prevent unauthorised connections to"
5504	echo "ssh-agent. Their absence increases the risk that a malicious"
5505	echo "user can connect to your agent."
5506	echo ""
5507fi
5508
5509if test "$AUDIT_MODULE" = "bsm" ; then
5510	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5511	echo "See the Solaris section in README.platform for details."
5512fi
5513