xref: /openssh-portable/configure.ac (revision 9880f348)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADERS([config.h])
22AC_PROG_CC([cc gcc])
23
24# XXX relax this after reimplementing logit() etc.
25AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
26AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
27int f(int a, int b, int c) { return a + b + c; }
28#define F(a, ...) f(a, __VA_ARGS__)
29]], [[return F(1, 2, -3);]])],
30	[ AC_MSG_RESULT([yes]) ],
31	[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
32)
33
34AC_CANONICAL_HOST
35AC_C_BIGENDIAN
36
37# Checks for programs.
38AC_PROG_AWK
39AC_PROG_CPP
40AC_PROG_RANLIB
41AC_PROG_INSTALL
42AC_PROG_EGREP
43AC_PROG_MKDIR_P
44AC_CHECK_TOOLS([AR], [ar])
45AC_PATH_PROG([CAT], [cat])
46AC_PATH_PROG([KILL], [kill])
47AC_PATH_PROG([SED], [sed])
48AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
49AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
50AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
51AC_PATH_PROG([SH], [sh])
52AC_PATH_PROG([GROFF], [groff])
53AC_PATH_PROG([NROFF], [nroff awf])
54AC_PATH_PROG([MANDOC], [mandoc])
55AC_SUBST([TEST_SHELL], [sh])
56
57dnl select manpage formatter to be used to build "cat" format pages.
58if test "x$MANDOC" != "x" ; then
59	MANFMT="$MANDOC"
60elif test "x$NROFF" != "x" ; then
61	MANFMT="$NROFF -mandoc"
62elif test "x$GROFF" != "x" ; then
63	MANFMT="$GROFF -mandoc -Tascii"
64else
65	AC_MSG_WARN([no manpage formatter found])
66	MANFMT="false"
67fi
68AC_SUBST([MANFMT])
69
70dnl for buildpkg.sh
71AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
72	[/usr/sbin${PATH_SEPARATOR}/etc])
73AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
74	[/usr/sbin${PATH_SEPARATOR}/etc])
75AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
76if test -x /sbin/sh; then
77	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
78else
79	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
80fi
81
82# System features
83AC_SYS_LARGEFILE
84
85if test -z "$AR" ; then
86	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
87fi
88
89AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
90if test ! -z "$PATH_PASSWD_PROG" ; then
91	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
92		[Full path of your "passwd" program])
93fi
94
95dnl Since autoconf doesn't support it very well,  we no longer allow users to
96dnl override LD, however keeping the hook here for now in case there's a
97dnl use case we overlooked and someone needs to re-enable it.  Unless a good
98dnl reason is found we'll be removing this in future.
99LD="$CC"
100AC_SUBST([LD])
101
102AC_C_INLINE
103
104AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
105AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
106AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
107	#include <sys/types.h>
108	#include <sys/param.h>
109	#include <dev/systrace.h>
110])
111AC_CHECK_DECL([RLIMIT_NPROC],
112    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
113	#include <sys/types.h>
114	#include <sys/resource.h>
115])
116AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
117	#include <sys/types.h>
118	#include <linux/prctl.h>
119])
120
# OpenSSL (libcrypto) is the default crypto provider.  Only an explicit
# --without-openssl or --with-openssl=no switches it off; any other value
# passed to --with-openssl leaves openssl=yes in this block.
openssl=yes
AC_ARG_WITH([openssl],
	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
	[  if test "x$withval" = "xno" ; then
		openssl=no
	   fi
	]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
if test "x$openssl" = "xyes" ; then
	AC_MSG_RESULT([yes])
	# WITH_OPENSSL is defined on this path only.  A build without it is the
	# limited internal crypto configuration that the help text above marks
	# as experimental.
	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
else
	AC_MSG_RESULT([no])
fi
136
137use_stack_protector=1
138use_toolchain_hardening=1
139AC_ARG_WITH([stackprotect],
140    [  --without-stackprotect  Don't use compiler's stack protection], [
141    if test "x$withval" = "xno"; then
142	use_stack_protector=0
143    fi ])
144AC_ARG_WITH([hardening],
145    [  --without-hardening     Don't use toolchain hardening flags], [
146    if test "x$withval" = "xno"; then
147	use_toolchain_hardening=0
148    fi ])
149
150# We use -Werror for the tests only so that we catch warnings like "this is
151# on by default" for things like -fPIE.
152AC_MSG_CHECKING([if $CC supports -Werror])
153saved_CFLAGS="$CFLAGS"
154CFLAGS="$CFLAGS -Werror"
155AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
156	[ AC_MSG_RESULT([yes])
157	  WERROR="-Werror"],
158	[ AC_MSG_RESULT([no])
159	  WERROR="" ]
160)
161CFLAGS="$saved_CFLAGS"
162
163if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
164	OSSH_CHECK_CFLAG_COMPILE([-pipe])
165	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
166	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
167	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
168	OSSH_CHECK_CFLAG_COMPILE([-Wall])
169	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
170	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
171	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
172	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
173	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
174	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
175	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
176	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
177	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
178	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
179	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
    # Toolchain hardening; skipped as a whole when --without-hardening set
    # use_toolchain_hardening to 0 earlier in this file.
    # NOTE(review): the OSSH_CHECK_* macros are defined outside this file;
    # presumably each one keeps its flag only when the probe succeeds, so an
    # unsupported flag would be dropped without failing configure.  Check
    # config.log for the set that was actually accepted.
    if test "x$use_toolchain_hardening" = "x1"; then
	# Retpoline code generation and the matching PLT linker option.
	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
	# Fortified libc wrappers.
	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	# relro plus now: relocations are resolved at load time and the
	# relocated sections are then made read-only.
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
	# Mark the stack as non-executable.
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
	# NB. -ftrapv expects certain support functions to be present in
	# the compiler library (libgcc or similar) to detect integer operations
	# that can overflow. We must check that the result of enabling it
	# actually links. The test program compiled/linked includes a number
	# of integer operations that should exercise this.
	OSSH_CHECK_CFLAG_LINK([-ftrapv])
    fi
194	AC_MSG_CHECKING([gcc version])
195	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
196	case $GCC_VER in
197		1.*) no_attrib_nonnull=1 ;;
198		2.8* | 2.9*)
199		     no_attrib_nonnull=1
200		     ;;
201		2.*) no_attrib_nonnull=1 ;;
202		*) ;;
203	esac
204	AC_MSG_RESULT([$GCC_VER])
205
206	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
207	saved_CFLAGS="$CFLAGS"
208	CFLAGS="$CFLAGS -fno-builtin-memset"
209	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
210			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
211		[ AC_MSG_RESULT([yes]) ],
212		[ AC_MSG_RESULT([no])
213		  CFLAGS="$saved_CFLAGS" ]
214	)
215
216	# -fstack-protector-all doesn't always work for some GCC versions
217	# and/or platforms, so we test if we can.  If it's not supported
218	# on a given platform gcc will emit a warning so we use -Werror.
219	if test "x$use_stack_protector" = "x1"; then
220	    for t in -fstack-protector-strong -fstack-protector-all \
221		    -fstack-protector; do
222		AC_MSG_CHECKING([if $CC supports $t])
223		saved_CFLAGS="$CFLAGS"
224		saved_LDFLAGS="$LDFLAGS"
225		CFLAGS="$CFLAGS $t -Werror"
226		LDFLAGS="$LDFLAGS $t -Werror"
227		AC_LINK_IFELSE(
228			[AC_LANG_PROGRAM([[
229	#include <stdio.h>
230	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
231			 ]],
232			[[
233	char x[256];
234	snprintf(x, sizeof(x), "XXX%d", func(1));
235			 ]])],
236		    [ AC_MSG_RESULT([yes])
237		      CFLAGS="$saved_CFLAGS $t"
238		      LDFLAGS="$saved_LDFLAGS $t"
239		      AC_MSG_CHECKING([if $t works])
240		      AC_RUN_IFELSE(
241			[AC_LANG_PROGRAM([[
242	#include <stdio.h>
243	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
244			]],
245			[[
246	char x[256];
247	snprintf(x, sizeof(x), "XXX%d", func(1));
248			]])],
249			[ AC_MSG_RESULT([yes])
250			  break ],
251			[ AC_MSG_RESULT([no]) ],
252			[ AC_MSG_WARN([cross compiling: cannot test])
253			  break ]
254		      )
255		    ],
256		    [ AC_MSG_RESULT([no]) ]
257		)
258		CFLAGS="$saved_CFLAGS"
259		LDFLAGS="$saved_LDFLAGS"
260	    done
261	fi
262
263	if test -z "$have_llong_max"; then
264		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
265		unset ac_cv_have_decl_LLONG_MAX
266		saved_CFLAGS="$CFLAGS"
267		CFLAGS="$CFLAGS -std=gnu99"
268		AC_CHECK_DECL([LLONG_MAX],
269		    [have_llong_max=1],
270		    [CFLAGS="$saved_CFLAGS"],
271		    [#include <limits.h>]
272		)
273	fi
274fi
275
276AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
277AC_COMPILE_IFELSE(
278    [AC_LANG_PROGRAM([[
279#include <stdlib.h>
280__attribute__((__unused__)) static void foo(void){return;}]],
281    [[ exit(0); ]])],
282    [ AC_MSG_RESULT([yes]) ],
283    [ AC_MSG_RESULT([no])
284      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
285	 [compiler does not accept __attribute__ on return types]) ]
286)
287
288AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
289AC_COMPILE_IFELSE(
290    [AC_LANG_PROGRAM([[
291#include <stdlib.h>
292typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
293    [[ exit(0); ]])],
294    [ AC_MSG_RESULT([yes]) ],
295    [ AC_MSG_RESULT([no])
296      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
297	 [compiler does not accept __attribute__ on prototype args]) ]
298)
299
300if test "x$no_attrib_nonnull" != "x1" ; then
301	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
302fi
303
304AC_ARG_WITH([rpath],
305	[  --without-rpath         Disable auto-added -R linker paths],
306	[
307		if test "x$withval" = "xno" ; then
308			rpath_opt=""
309		elif test "x$withval" = "xyes" ; then
310			rpath_opt="-R"
311		else
312			rpath_opt="$withval"
313		fi
314	]
315)
316
317# Allow user to specify flags
318AC_ARG_WITH([cflags],
319	[  --with-cflags           Specify additional flags to pass to compiler],
320	[
321		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
322		    test "x${withval}" != "xyes"; then
323			CFLAGS="$CFLAGS $withval"
324		fi
325	]
326)
327
328AC_ARG_WITH([cflags-after],
329	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
330	[
331		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
332		    test "x${withval}" != "xyes"; then
333			CFLAGS_AFTER="$withval"
334		fi
335	]
336)
337AC_ARG_WITH([cppflags],
338	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
339	[
340		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
341		    test "x${withval}" != "xyes"; then
342			CPPFLAGS="$CPPFLAGS $withval"
343		fi
344	]
345)
346AC_ARG_WITH([ldflags],
347	[  --with-ldflags          Specify additional flags to pass to linker],
348	[
349		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
350		    test "x${withval}" != "xyes"; then
351			LDFLAGS="$LDFLAGS $withval"
352		fi
353	]
354)
355AC_ARG_WITH([ldflags-after],
356	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
357	[
358		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
359		    test "x${withval}" != "xyes"; then
360			LDFLAGS_AFTER="$withval"
361		fi
362	]
363)
364AC_ARG_WITH([libs],
365	[  --with-libs             Specify additional libraries to link with],
366	[
367		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
368		    test "x${withval}" != "xyes"; then
369			LIBS="$LIBS $withval"
370		fi
371	]
372)
373AC_ARG_WITH([Werror],
374	[  --with-Werror           Build main code with -Werror],
375	[
376		if test -n "$withval"  &&  test "x$withval" != "xno"; then
377			werror_flags="-Werror"
378			if test "x${withval}" != "xyes"; then
379				werror_flags="$withval"
380			fi
381		fi
382	]
383)
384
385AC_CHECK_HEADERS([ \
386	blf.h \
387	bstring.h \
388	crypt.h \
389	crypto/sha2.h \
390	dirent.h \
391	endian.h \
392	elf.h \
393	err.h \
394	features.h \
395	fcntl.h \
396	floatingpoint.h \
397	fnmatch.h \
398	getopt.h \
399	glob.h \
400	ia.h \
401	iaf.h \
402	ifaddrs.h \
403	inttypes.h \
404	langinfo.h \
405	limits.h \
406	locale.h \
407	login.h \
408	maillock.h \
409	ndir.h \
410	net/if_tun.h \
411	netdb.h \
412	netgroup.h \
413	pam/pam_appl.h \
414	paths.h \
415	poll.h \
416	pty.h \
417	readpassphrase.h \
418	rpc/types.h \
419	security/pam_appl.h \
420	sha2.h \
421	shadow.h \
422	stddef.h \
423	stdint.h \
424	string.h \
425	strings.h \
426	sys/bitypes.h \
427	sys/byteorder.h \
428	sys/bsdtty.h \
429	sys/cdefs.h \
430	sys/dir.h \
431	sys/file.h \
432	sys/mman.h \
433	sys/label.h \
434	sys/ndir.h \
435	sys/poll.h \
436	sys/prctl.h \
437	sys/pstat.h \
438	sys/ptrace.h \
439	sys/random.h \
440	sys/select.h \
441	sys/stat.h \
442	sys/stream.h \
443	sys/stropts.h \
444	sys/strtio.h \
445	sys/statvfs.h \
446	sys/sysmacros.h \
447	sys/time.h \
448	sys/timers.h \
449	sys/vfs.h \
450	time.h \
451	tmpdir.h \
452	ttyent.h \
453	ucred.h \
454	unistd.h \
455	usersec.h \
456	util.h \
457	utime.h \
458	utmp.h \
459	utmpx.h \
460	vis.h \
461	wchar.h \
462])
463
464# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
465# to be included first.
466AC_CHECK_HEADERS([sys/audit.h], [], [], [
467#ifdef HAVE_SYS_TIME_H
468# include <sys/time.h>
469#endif
470#ifdef HAVE_SYS_TYPES_H
471# include <sys/types.h>
472#endif
473#ifdef HAVE_SYS_LABEL_H
474# include <sys/label.h>
475#endif
476])
477
478# sys/capsicum.h requires sys/types.h
479AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
480#ifdef HAVE_SYS_TYPES_H
481# include <sys/types.h>
482#endif
483])
484
485# net/route.h requires sys/socket.h and sys/types.h.
486# sys/sysctl.h also requires sys/param.h
487AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
488#ifdef HAVE_SYS_TYPES_H
489# include <sys/types.h>
490#endif
491#include <sys/param.h>
492#include <sys/socket.h>
493])
494
495# lastlog.h requires sys/time.h to be included first on Solaris
496AC_CHECK_HEADERS([lastlog.h], [], [], [
497#ifdef HAVE_SYS_TIME_H
498# include <sys/time.h>
499#endif
500])
501
502# sys/ptms.h requires sys/stream.h to be included first on Solaris
503AC_CHECK_HEADERS([sys/ptms.h], [], [], [
504#ifdef HAVE_SYS_STREAM_H
505# include <sys/stream.h>
506#endif
507])
508
509# login_cap.h requires sys/types.h on NetBSD
510AC_CHECK_HEADERS([login_cap.h], [], [], [
511#include <sys/types.h>
512])
513
514# older BSDs need sys/param.h before sys/mount.h
515AC_CHECK_HEADERS([sys/mount.h], [], [], [
516#include <sys/param.h>
517])
518
519# Android requires sys/socket.h to be included before sys/un.h
520AC_CHECK_HEADERS([sys/un.h], [], [], [
521#include <sys/types.h>
522#include <sys/socket.h>
523])
524
525# Messages for features tested for in target-specific section
526SIA_MSG="no"
527SPC_MSG="no"
528SP_MSG="no"
529SPP_MSG="no"
530
531# Support for Solaris/Illumos privileges (this test is used by both
532# the --with-solaris-privs option and --with-sandbox=solaris).
533SOLARIS_PRIVS="no"
534
535# Check for some target-specific stuff
536case "$host" in
537*-*-aix*)
538	# Some versions of VAC won't allow macro redefinitions at
539	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
540	# particularly with older versions of vac or xlc.
541	# It also throws errors about null macro arguments, but these are
542	# not fatal.
543	AC_MSG_CHECKING([if compiler allows macro redefinitions])
544	AC_COMPILE_IFELSE(
545	    [AC_LANG_PROGRAM([[
546#define testmacro foo
547#define testmacro bar]],
548	    [[ exit(0); ]])],
549	    [ AC_MSG_RESULT([yes]) ],
550	    [ AC_MSG_RESULT([no])
551	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
552	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
553	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
554	    ]
555	)
556
557	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
558	if (test -z "$blibpath"); then
559		blibpath="/usr/lib:/lib"
560	fi
561	saved_LDFLAGS="$LDFLAGS"
562	if test "$GCC" = "yes"; then
563		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
564	else
565		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
566	fi
567	for tryflags in $flags ;do
568		if (test -z "$blibflags"); then
569			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
570			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
571			[blibflags=$tryflags], [])
572		fi
573	done
574	if (test -z "$blibflags"); then
575		AC_MSG_RESULT([not found])
576		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
577	else
578		AC_MSG_RESULT([$blibflags])
579	fi
580	LDFLAGS="$saved_LDFLAGS"
581	dnl Check for authenticate.  Might be in libs.a on older AIXes
582	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
583		[Define if you want to enable AIX4's authenticate function])],
584		[AC_CHECK_LIB([s], [authenticate],
585			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
586				LIBS="$LIBS -ls"
587			])
588		])
589	dnl Check for various auth function declarations in headers.
590	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
591	    passwdexpired, setauthdb], , , [#include <usersec.h>])
592	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
593	AC_CHECK_DECLS([loginfailed],
594	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
595	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
596		[[ (void)loginfailed("user","host","tty",0); ]])],
597		[AC_MSG_RESULT([yes])
598		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
599			[Define if your AIX loginfailed() function
600			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
601	    ])],
602	    [],
603	    [#include <usersec.h>]
604	)
605	AC_CHECK_FUNCS([getgrset setauthdb])
606	AC_CHECK_DECL([F_CLOSEM],
607	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
608	    [],
609	    [ #include <limits.h>
610	      #include <fcntl.h> ]
611	)
612	check_for_aix_broken_getaddrinfo=1
613	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
614	    [Define if your platform breaks doing a seteuid before a setuid])
615	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
616	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
617	dnl AIX handles lastlog as part of its login message
618	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
619	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
620		[Some systems need a utmpx entry for /bin/login to work])
621	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
622		[Define to a Set Process Title type if your system is
623		supported by bsd-setproctitle.c])
624	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
625	    [AIX 5.2 and 5.3 (and presumably newer) require this])
626	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
627	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
628	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
629	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
630	;;
631*-*-android*)
632	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
633	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
634	;;
635*-*-cygwin*)
636	check_for_libcrypt_later=1
637	LIBS="$LIBS /usr/lib/textreadmode.o"
638	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
639	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
640	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
641		[Define to disable UID restoration test])
642	AC_DEFINE([DISABLE_SHADOW], [1],
643		[Define if you want to disable shadow passwords])
644	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
645		[Define if X11 doesn't support AF_UNIX sockets on that system])
646	AC_DEFINE([DISABLE_FD_PASSING], [1],
647		[Define if your platform needs to skip post auth
648		file descriptor passing])
649	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
650	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
651	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
652	# reasons which cause compile warnings, so we disable those warnings.
653	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
654	;;
655*-*-dgux*)
656	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
657		[Define if your system choked on IP TOS setting])
658	AC_DEFINE([SETEUID_BREAKS_SETUID])
659	AC_DEFINE([BROKEN_SETREUID])
660	AC_DEFINE([BROKEN_SETREGID])
661	;;
662*-*-darwin*)
663	use_pie=auto
664	AC_MSG_CHECKING([if we have working getaddrinfo])
665	AC_RUN_IFELSE([AC_LANG_SOURCE([[
666#include <mach-o/dyld.h>
667#include <stdlib.h>
668main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
669		exit(0);
670	else
671		exit(1);
672}
673			]])],
674	[AC_MSG_RESULT([working])],
675	[AC_MSG_RESULT([buggy])
676	AC_DEFINE([BROKEN_GETADDRINFO], [1],
677		[getaddrinfo is broken (if present)])
678	],
679	[AC_MSG_RESULT([assume it is working])])
680	AC_DEFINE([SETEUID_BREAKS_SETUID])
681	AC_DEFINE([BROKEN_SETREUID])
682	AC_DEFINE([BROKEN_SETREGID])
683	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
684	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
685		[Define if your resolver libs need this for getrrsetbyname])
686	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
687	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
688	    [Use tunnel device compatibility to OpenBSD])
689	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
690	    [Prepend the address family to IP tunnel traffic])
691	m4_pattern_allow([AU_IPv])
692	AC_CHECK_DECL([AU_IPv4], [],
693	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
694	    [#include <bsm/audit.h>]
695	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
696	    [Define if pututxline updates lastlog too])
697	)
698	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
699		[Define to a Set Process Title type if your system is
700		supported by bsd-setproctitle.c])
701	AC_CHECK_FUNCS([sandbox_init])
702	AC_CHECK_HEADERS([sandbox.h])
703	AC_CHECK_LIB([sandbox], [sandbox_apply], [
704	    SSHDLIBS="$SSHDLIBS -lsandbox"
705	])
706	# proc_pidinfo()-based closefrom() replacement.
707	AC_CHECK_HEADERS([libproc.h])
708	AC_CHECK_FUNCS([proc_pidinfo])
709	;;
710*-*-dragonfly*)
711	SSHDLIBS="$SSHDLIBS -lcrypt"
712	TEST_MALLOC_OPTIONS="AFGJPRX"
713	;;
714*-*-haiku*)
715	LIBS="$LIBS -lbsd "
716	CFLAGS="$CFLAGS -D_BSD_SOURCE"
717	AC_CHECK_LIB([network], [socket])
718	AC_DEFINE([HAVE_U_INT64_T])
719	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
720	MANTYPE=man
721	;;
722*-*-hpux*)
723	# first we define all of the options common to all HP-UX releases
724	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
725	IPADDR_IN_DISPLAY=yes
726	AC_DEFINE([USE_PIPES])
727	AC_DEFINE([LOGIN_NEEDS_UTMPX])
728	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
729		[String used in /etc/passwd to denote locked account])
730	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
731	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
732	maildir="/var/mail"
733	LIBS="$LIBS -lsec"
734	AC_CHECK_LIB([xnet], [t_error], ,
735	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
736
737	# next, we define all of the options specific to major releases
738	case "$host" in
739	*-*-hpux10*)
740		if test -z "$GCC"; then
741			CFLAGS="$CFLAGS -Ae"
742		fi
743		;;
744	*-*-hpux11*)
745		AC_DEFINE([PAM_SUN_CODEBASE], [1],
746			[Define if you are using Solaris-derived PAM which
747			passes pam_messages to the conversation function
748			with an extra level of indirection])
749		AC_DEFINE([DISABLE_UTMP], [1],
750			[Define if you don't want to use utmp])
751		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
752		check_for_hpux_broken_getaddrinfo=1
753		check_for_conflicting_getspnam=1
754		;;
755	esac
756
757	# lastly, we define options specific to minor releases
758	case "$host" in
759	*-*-hpux10.26)
760		AC_DEFINE([HAVE_SECUREWARE], [1],
761			[Define if you have SecureWare-based
762			protected password database])
763		disable_ptmx_check=yes
764		LIBS="$LIBS -lsecpw"
765		;;
766	esac
767	;;
768*-*-irix5*)
769	PATH="$PATH:/usr/etc"
770	AC_DEFINE([BROKEN_INET_NTOA], [1],
771		[Define if you system's inet_ntoa is busted
772		(e.g. Irix gcc issue)])
773	AC_DEFINE([SETEUID_BREAKS_SETUID])
774	AC_DEFINE([BROKEN_SETREUID])
775	AC_DEFINE([BROKEN_SETREGID])
776	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
777		[Define if you shouldn't strip 'tty' from your
778		ttyname in [uw]tmp])
779	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
780	;;
781*-*-irix6*)
782	PATH="$PATH:/usr/etc"
783	AC_DEFINE([WITH_IRIX_ARRAY], [1],
784		[Define if you have/want arrays
785		(cluster-wide session management, not C arrays)])
786	AC_DEFINE([WITH_IRIX_PROJECT], [1],
787		[Define if you want IRIX project management])
788	AC_DEFINE([WITH_IRIX_AUDIT], [1],
789		[Define if you want IRIX audit trails])
790	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
791		[Define if you want IRIX kernel jobs])])
792	AC_DEFINE([BROKEN_INET_NTOA])
793	AC_DEFINE([SETEUID_BREAKS_SETUID])
794	AC_DEFINE([BROKEN_SETREUID])
795	AC_DEFINE([BROKEN_SETREGID])
796	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
797	AC_DEFINE([WITH_ABBREV_NO_TTY])
798	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
799	;;
800*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
801	check_for_libcrypt_later=1
802	AC_DEFINE([PAM_TTY_KLUDGE])
803	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
804	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
805	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
806	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
807	;;
808*-*-linux*)
809	no_dev_ptmx=1
810	use_pie=auto
811	check_for_libcrypt_later=1
812	check_for_openpty_ctty_bug=1
813	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
814	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
815	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
816	AC_DEFINE([PAM_TTY_KLUDGE], [1],
817		[Work around problematic Linux PAM modules handling of PAM_TTY])
818	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
819		[String used in /etc/passwd to denote locked account])
820	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
821	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
822		[Define to whatever link() returns for "not supported"
823		if it doesn't return EOPNOTSUPP.])
824	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
825	AC_DEFINE([USE_BTMP])
826	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
827	inet6_default_4in6=yes
828	case `uname -r` in
829	1.*|2.0.*)
830		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
831			[Define if cmsg_type is not passed correctly])
832		;;
833	esac
834	# tun(4) forwarding compat code
835	AC_CHECK_HEADERS([linux/if_tun.h])
836	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
837		AC_DEFINE([SSH_TUN_LINUX], [1],
838		    [Open tunnel devices the Linux tun/tap way])
839		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
840		    [Use tunnel device compatibility to OpenBSD])
841		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
842		    [Prepend the address family to IP tunnel traffic])
843	fi
844	AC_CHECK_HEADER([linux/if.h],
845	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
846		[Support routing domains using Linux VRF]), [], [
847#ifdef HAVE_SYS_TYPES_H
848# include <sys/types.h>
849#endif
850	    ])
851	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
852	    [], [#include <linux/types.h>])
853	# Obtain MIPS ABI
854	case "$host" in
855	mips*)
856		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
857#if _MIPS_SIM != _ABIO32
858#error
859#endif
860			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
861#if _MIPS_SIM != _ABIN32
862#error
863#endif
864				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
865#if _MIPS_SIM != _ABI64
866#error
867#endif
868					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
869				])
870			])
871		])
872		;;
873	esac
874	AC_MSG_CHECKING([for seccomp architecture])
875	seccomp_audit_arch=
876	case "$host" in
877	x86_64-*)
878		seccomp_audit_arch=AUDIT_ARCH_X86_64
879		;;
880	i*86-*)
881		seccomp_audit_arch=AUDIT_ARCH_I386
882		;;
883	arm*-*)
884		seccomp_audit_arch=AUDIT_ARCH_ARM
885		;;
886	aarch64*-*)
887		seccomp_audit_arch=AUDIT_ARCH_AARCH64
888		;;
889	s390x-*)
890		seccomp_audit_arch=AUDIT_ARCH_S390X
891		;;
892	s390-*)
893		seccomp_audit_arch=AUDIT_ARCH_S390
894		;;
895	powerpc64-*)
896		seccomp_audit_arch=AUDIT_ARCH_PPC64
897		;;
898	powerpc64le-*)
899		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
900		;;
901	mips-*)
902		seccomp_audit_arch=AUDIT_ARCH_MIPS
903		;;
904	mipsel-*)
905		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
906		;;
907	mips64-*)
908		case "$mips_abi" in
909		"n32")
910			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
911			;;
912		"n64")
913			seccomp_audit_arch=AUDIT_ARCH_MIPS64
914			;;
915		esac
916		;;
917	mips64el-*)
918		case "$mips_abi" in
919		"n32")
920			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
921			;;
922		"n64")
923			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
924			;;
925		esac
926		;;
927	riscv64-*)
928		seccomp_audit_arch=AUDIT_ARCH_RISCV64
929		;;
930	esac
	# SECCOMP_AUDIT_ARCH is defined only for the host patterns matched in
	# the case statement above.  On any other host, including a mips64 or
	# mips64el host whose ABI probe returned o32, seccomp_audit_arch stays
	# empty, the macro is left undefined and configure only reports that.
	# NOTE(review): the code that consumes SECCOMP_AUDIT_ARCH is outside
	# this excerpt -- presumably the seccomp sandbox; confirm what such a
	# host falls back to.
	if test "x$seccomp_audit_arch" != "x" ; then
		AC_MSG_RESULT(["$seccomp_audit_arch"])
		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
		    [Specify the system call convention in use])
	else
		AC_MSG_RESULT([architecture not supported])
	fi
938	;;
939mips-sony-bsd|mips-sony-newsos4)
940	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
941	SONY=1
942	;;
943*-*-netbsd*)
944	check_for_libcrypt_before=1
945	if test "x$withval" != "xno" ; then
946		rpath_opt="-R"
947	fi
948	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
949	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
950	AC_CHECK_HEADER([net/if_tap.h], ,
951	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
952	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
953	    [Prepend the address family to IP tunnel traffic])
954	TEST_MALLOC_OPTIONS="AJRX"
955	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
956	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
957	;;
958*-*-freebsd*)
959	check_for_libcrypt_later=1
960	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
961	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
962	AC_CHECK_HEADER([net/if_tap.h], ,
963	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
964	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
965	TEST_MALLOC_OPTIONS="AJRX"
966	# Preauth crypto occasionally uses file descriptors for crypto offload
967	# and will crash if they cannot be opened.
968	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
969	    [define if setrlimit RLIMIT_NOFILE breaks things])
970	;;
971*-*-bsdi*)
972	AC_DEFINE([SETEUID_BREAKS_SETUID])
973	AC_DEFINE([BROKEN_SETREUID])
974	AC_DEFINE([BROKEN_SETREGID])
975	;;
976*-next-*)
977	conf_lastlog_location="/usr/adm/lastlog"
978	conf_utmp_location=/etc/utmp
979	conf_wtmp_location=/usr/adm/wtmp
980	maildir=/usr/spool/mail
981	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
982	AC_DEFINE([USE_PIPES])
983	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
984	;;
985*-*-openbsd*)
986	use_pie=auto
987	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
988	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
989	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
990	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
991	    [syslog_r function is safe to use in in a signal handler])
992	TEST_MALLOC_OPTIONS="AFGJPRX"
993	;;
994*-*-solaris*)
995	if test "x$withval" != "xno" ; then
996		rpath_opt="-R"
997	fi
998	AC_DEFINE([PAM_SUN_CODEBASE])
999	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1000	AC_DEFINE([PAM_TTY_KLUDGE])
1001	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1002		[Define if pam_chauthtok wants real uid set
1003		to the unpriv'ed user])
1004	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1005	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1006	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1007		[Define if sshd somehow reacquires a controlling TTY
1008		after setsid()])
1009	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1010		in case the name is longer than 8 chars])
1011	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1012	external_path_file=/etc/default/login
1013	# hardwire lastlog location (can't detect it on some versions)
1014	conf_lastlog_location="/var/adm/lastlog"
1015	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1016	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1017	if test "$sol2ver" -ge 8; then
1018		AC_MSG_RESULT([yes])
1019		AC_DEFINE([DISABLE_UTMP])
1020		AC_DEFINE([DISABLE_WTMP], [1],
1021			[Define if you don't want to use wtmp])
1022	else
1023		AC_MSG_RESULT([no])
1024	fi
1025	AC_CHECK_FUNCS([setpflags])
1026	AC_CHECK_FUNCS([setppriv])
1027	AC_CHECK_FUNCS([priv_basicset])
1028	AC_CHECK_HEADERS([priv.h])
1029	AC_ARG_WITH([solaris-contracts],
1030		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1031		[
1032		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1033			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1034				[Define if you have Solaris process contracts])
1035			  LIBS="$LIBS -lcontract"
1036			  SPC_MSG="yes" ], )
1037		],
1038	)
1039	AC_ARG_WITH([solaris-projects],
1040		[  --with-solaris-projects Enable Solaris projects (experimental)],
1041		[
1042		AC_CHECK_LIB([project], [setproject],
1043			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1044				[Define if you have Solaris projects])
1045			LIBS="$LIBS -lproject"
1046			SP_MSG="yes" ], )
1047		],
1048	)
1049	AC_ARG_WITH([solaris-privs],
1050		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1051		[
1052		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1053		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1054			"x$ac_cv_header_priv_h" = "xyes" ; then
1055			SOLARIS_PRIVS=yes
1056			AC_MSG_RESULT([found])
1057			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1058				[Define to disable UID restoration test])
1059			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1060				[Define if you have Solaris privileges])
1061			SPP_MSG="yes"
1062		else
1063			AC_MSG_RESULT([not found])
1064			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1065		fi
1066		],
1067	)
1068	TEST_SHELL=$SHELL	# let configure find us a capable shell
1069	;;
1070*-*-sunos4*)
1071	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1072	AC_CHECK_FUNCS([getpwanam])
1073	AC_DEFINE([PAM_SUN_CODEBASE])
1074	conf_utmp_location=/etc/utmp
1075	conf_wtmp_location=/var/adm/wtmp
1076	conf_lastlog_location=/var/adm/lastlog
1077	AC_DEFINE([USE_PIPES])
1078	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1079	;;
1080*-ncr-sysv*)
1081	LIBS="$LIBS -lc89"
1082	AC_DEFINE([USE_PIPES])
1083	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1084	AC_DEFINE([SETEUID_BREAKS_SETUID])
1085	AC_DEFINE([BROKEN_SETREUID])
1086	AC_DEFINE([BROKEN_SETREGID])
1087	;;
1088*-sni-sysv*)
1089	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1090	AC_CHECK_LIB([dl], [dlsym], ,)
1091	# -lresolv needs to be at the end of LIBS or DNS lookups break
1092	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1093	IPADDR_IN_DISPLAY=yes
1094	AC_DEFINE([USE_PIPES])
1095	AC_DEFINE([IP_TOS_IS_BROKEN])
1096	AC_DEFINE([SETEUID_BREAKS_SETUID])
1097	AC_DEFINE([BROKEN_SETREUID])
1098	AC_DEFINE([BROKEN_SETREGID])
1099	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1100	external_path_file=/etc/default/login
1101	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1102	# Attention: always take care to bind libsocket and libnsl before libc,
1103	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1104	;;
1105# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1106*-*-sysv4.2*)
1107	AC_DEFINE([USE_PIPES])
1108	AC_DEFINE([SETEUID_BREAKS_SETUID])
1109	AC_DEFINE([BROKEN_SETREUID])
1110	AC_DEFINE([BROKEN_SETREGID])
1111	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1112	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1113	TEST_SHELL=$SHELL	# let configure find us a capable shell
1114	;;
1115# UnixWare 7.x, OpenUNIX 8
1116*-*-sysv5*)
1117	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1118	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1119	AC_DEFINE([USE_PIPES])
1120	AC_DEFINE([SETEUID_BREAKS_SETUID])
1121	AC_DEFINE([BROKEN_GETADDRINFO])
1122	AC_DEFINE([BROKEN_SETREUID])
1123	AC_DEFINE([BROKEN_SETREGID])
1124	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1125	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1126	TEST_SHELL=$SHELL	# let configure find us a capable shell
1127	check_for_libcrypt_later=1
1128	case "$host" in
1129	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1130		maildir=/var/spool/mail
1131		AC_DEFINE([BROKEN_UPDWTMPX])
1132		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1133			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1134			], , )
1135		;;
1136	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1137		;;
1138	esac
1139	;;
1140*-*-sysv*)
1141	;;
1142# SCO UNIX and OEM versions of SCO UNIX
1143*-*-sco3.2v4*)
1144	AC_MSG_ERROR("This Platform is no longer supported.")
1145	;;
1146# SCO OpenServer 5.x
1147*-*-sco3.2v5*)
1148	if test -z "$GCC"; then
1149		CFLAGS="$CFLAGS -belf"
1150	fi
1151	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1152	no_dev_ptmx=1
1153	AC_DEFINE([USE_PIPES])
1154	AC_DEFINE([HAVE_SECUREWARE])
1155	AC_DEFINE([DISABLE_SHADOW])
1156	AC_DEFINE([DISABLE_FD_PASSING])
1157	AC_DEFINE([SETEUID_BREAKS_SETUID])
1158	AC_DEFINE([BROKEN_GETADDRINFO])
1159	AC_DEFINE([BROKEN_SETREUID])
1160	AC_DEFINE([BROKEN_SETREGID])
1161	AC_DEFINE([WITH_ABBREV_NO_TTY])
1162	AC_DEFINE([BROKEN_UPDWTMPX])
1163	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1164	AC_CHECK_FUNCS([getluid setluid])
1165	MANTYPE=man
1166	TEST_SHELL=$SHELL	# let configure find us a capable shell
1167	SKIP_DISABLE_LASTLOG_DEFINE=yes
1168	;;
1169*-dec-osf*)
1170	AC_MSG_CHECKING([for Digital Unix SIA])
1171	no_osfsia=""
1172	AC_ARG_WITH([osfsia],
1173		[  --with-osfsia           Enable Digital Unix SIA],
1174		[
1175			if test "x$withval" = "xno" ; then
1176				AC_MSG_RESULT([disabled])
1177				no_osfsia=1
1178			fi
1179		],
1180	)
1181	if test -z "$no_osfsia" ; then
1182		if test -f /etc/sia/matrix.conf; then
1183			AC_MSG_RESULT([yes])
1184			AC_DEFINE([HAVE_OSF_SIA], [1],
1185				[Define if you have Digital Unix Security
1186				Integration Architecture])
1187			AC_DEFINE([DISABLE_LOGIN], [1],
1188				[Define if you don't want to use your
1189				system's login() call])
1190			AC_DEFINE([DISABLE_FD_PASSING])
1191			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1192			SIA_MSG="yes"
1193		else
1194			AC_MSG_RESULT([no])
1195			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1196			  [String used in /etc/passwd to denote locked account])
1197		fi
1198	fi
1199	AC_DEFINE([BROKEN_GETADDRINFO])
1200	AC_DEFINE([SETEUID_BREAKS_SETUID])
1201	AC_DEFINE([BROKEN_SETREUID])
1202	AC_DEFINE([BROKEN_SETREGID])
1203	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1204	;;
1205
1206*-*-nto-qnx*)
1207	AC_DEFINE([USE_PIPES])
1208	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1209	AC_DEFINE([DISABLE_LASTLOG])
1210	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1211	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1212	enable_etc_default_login=no	# has incompatible /etc/default/login
1213	case "$host" in
1214	*-*-nto-qnx6*)
1215		AC_DEFINE([DISABLE_FD_PASSING])
1216		;;
1217	esac
1218	;;
1219
1220*-*-ultrix*)
1221	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1222	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1223	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1224	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1225	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1226	# don't get a controlling tty.
1227	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1228	# On Ultrix some headers are not protected against multiple includes,
1229	# so we create wrappers and put it where the compiler will find it.
1230	AC_MSG_WARN([creating compat wrappers for headers])
1231	mkdir -p netinet
1232	for header in netinet/ip.h netdb.h resolv.h; do
1233		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1234		cat >$header <<EOD
1235#ifndef _SSH_COMPAT_${name}
1236#define _SSH_COMPAT_${name}
1237#include "/usr/include/${header}"
1238#endif
1239EOD
1240	done
1241	;;
1242
1243*-*-lynxos)
1244	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1245	AC_DEFINE([BROKEN_SETVBUF], [1],
1246	    [LynxOS has broken setvbuf() implementation])
1247	;;
1248esac
1249
# Toolchain sanity check: build and run a trivial program with the compiler
# and the flags accumulated so far.  A failure is fatal.  When cross compiling
# the program cannot be run, so the check is skipped with a warning only.
AC_MSG_CHECKING([compiler and flags for sanity])
AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
	[	AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
	],
	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)
1259
dnl Checks for header files.
# Checks for libraries.
# setsockopt: if it does not link without extra libraries, look for it in
# libsocket (AC_CHECK_LIB with no action adds -lsocket to LIBS when found).
AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1263
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
dnl Order of preference: dirname without extra libraries, then dirname from
dnl libgen.  The libgen copy is only used if a run-time probe shows that
dnl dirname of "/etc" is "/".  When cross compiling the probe cannot run and
dnl the function is assumed to work.
AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
	AC_CHECK_LIB([gen], [dirname], [
		AC_CACHE_CHECK([for broken dirname],
			ac_cv_have_broken_dirname, [
			save_LIBS="$LIBS"
			LIBS="$LIBS -lgen"
			AC_RUN_IFELSE(
				[AC_LANG_SOURCE([[
#include <libgen.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *s, buf[32];

    strncpy(buf,"/etc", 32);
    s = dirname(buf);
    if (!s || strncmp(s, "/", 32) != 0) {
	exit(1);
    } else {
	exit(0);
    }
}
				]])],
				[ ac_cv_have_broken_dirname="no" ],
				[ ac_cv_have_broken_dirname="yes" ],
				[ ac_cv_have_broken_dirname="no" ],
			)
			LIBS="$save_LIBS"
		])
		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
			LIBS="$LIBS -lgen"
			AC_DEFINE([HAVE_DIRNAME])
			AC_CHECK_HEADERS([libgen.h])
		fi
	])
])
1302
dnl getspnam: fall back to libgen when it does not link without it.
AC_CHECK_FUNC([getspnam], ,
	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
dnl basename: search without extra libraries first, then libgen.
AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
	[Define if you have the basename function.])])
1307
dnl zlib defaults to enabled
dnl --with-zlib=no disables it; --with-zlib=PATH prepends PATH/lib and
dnl PATH/include to the search flags, or PATH itself when those
dnl subdirectories do not exist.
dnl When rpath_opt is set, PATH is also recorded as a run-time library search
dnl path in the linked binaries, so it should name a directory that only
dnl trusted users can write to.
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[ if test "x$withval" = "xno" ; then
		zlib=no
	  elif test "x$withval" != "xyes"; then
		if test -d "$withval/lib"; then
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		else
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
			else
				LDFLAGS="-L${withval} ${LDFLAGS}"
			fi
		fi
		if test -d "$withval/include"; then
			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		else
			CPPFLAGS="-I${withval} ${CPPFLAGS}"
		fi
	fi ]
)
1335
# zlib is used unless --with-zlib=no was given.  When it is used, zlib.h and a
# linkable deflate are mandatory and the library version is then vetted.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" = "xno"; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
    # If -lz does not link with the current flags, retry with /usr/local added
    # to the search paths.  The flags set for the retry are not restored
    # afterwards, so a successful retry leaves /usr/local in LDFLAGS/CPPFLAGS.
    AC_CHECK_LIB([z], [deflate], ,
	[
		saved_CPPFLAGS="$CPPFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		save_LIBS="$LIBS"
		dnl Check default zlib install dir
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
		else
			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
		fi
		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
		LIBS="$LIBS -lz"
		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
			[
				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
			]
		)
	]
    )

    # --without-zlib-version-check turns a failed version probe below from a
    # fatal error into a warning.
    AC_ARG_WITH([zlib-version-check],
	[  --without-zlib-version-check Disable zlib version check],
	[  if test "x$withval" = "xno" ; then
		zlib_check_nonfatal=1
	   fi
	]
    )

    # Run-time version probe on ZLIB_VERSION from zlib.h.  Exit status 0
    # accepts 1.1.x releases from 1.1.4 on and anything from 1.2.3 up; an
    # unparsable or older version is reported as possibly buggy.
    # When cross compiling the probe cannot run and the version is not checked
    # at all, so the zlib used for the target has to be verified by hand.
    AC_MSG_CHECKING([for possibly buggy zlib])
    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	if (n != 3 && n != 4)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	exit(2);
	]])],
	AC_MSG_RESULT([no]),
	[ AC_MSG_RESULT([yes])
	  if test -z "$zlib_check_nonfatal" ; then
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  else
		AC_MSG_WARN([zlib version may have security problems])
	  fi
	],
	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
    )
fi
1413
dnl UnixWare 2.x
dnl strcasecmp may live in libresolv and utimes in libc89; each library is
dnl appended to LIBS only when the function does not link without it.
AC_CHECK_FUNC([strcasecmp],
	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
)
AC_CHECK_FUNCS([utimes],
	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
					LIBS="$LIBS -lc89"]) ]
)
1422
dnl    Checks for libutil functions
dnl    Each AC_SEARCH_LIBS tries the function without extra libraries, then
dnl    with libutil and libbsd, adding the first library that works to LIBS.
dnl    The final AC_CHECK_FUNCS records a HAVE_ macro for each function that
dnl    links with the resulting LIBS.
AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
AC_SEARCH_LIBS([fmt_scaled], [util bsd])
AC_SEARCH_LIBS([scan_scaled], [util bsd])
AC_SEARCH_LIBS([login], [util bsd])
AC_SEARCH_LIBS([logout], [util bsd])
AC_SEARCH_LIBS([logwtmp], [util bsd])
AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1433
# On some platforms, inet_ntop and gethostbyname may be found in libresolv
# or libnsl.
# The libraries are tried in the order listed and only after the function
# failed to link without them.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1438
# "Particular Function Checks"
# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
AC_FUNC_STRFTIME
AC_FUNC_MALLOC
AC_FUNC_REALLOC
# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
# The probe exits 0 when calloc(0, 1) returns a non-null pointer.  When cross
# compiling it cannot run, so the result of the malloc check is reused.
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
	)],
	[ func_calloc_0_nonnull=yes ],
	[ func_calloc_0_nonnull=no ],
	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
)
AC_MSG_RESULT([$func_calloc_0_nonnull])

# A "no" result redirects every calloc call to rpl_calloc through a macro in
# config.h; the replacement itself is defined outside this file.
if test "x$func_calloc_0_nonnull" = "xyes"; then
	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
else
	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
	AC_DEFINE(calloc, rpl_calloc,
	    [Define to rpl_calloc if the replacement function should be used.])
fi
1465
# Check for ALTDIRFUNC glob() extension
# Preprocessor-only probe: the marker FOUNDIT survives preprocessing only when
# glob.h defines GLOB_ALTDIRFUNC.
AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
AC_EGREP_CPP([FOUNDIT],
	[
		#include <glob.h>
		#ifdef GLOB_ALTDIRFUNC
		FOUNDIT
		#endif
	],
	[
		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
			[Define if your system glob() function has
			the GLOB_ALTDIRFUNC extension])
		AC_MSG_RESULT([yes])
	],
	[
		AC_MSG_RESULT([no])
	]
)
1485
# Check for g.gl_matchc glob() extension
# Compile-only probe: succeeds when glob_t has a gl_matchc member.
AC_MSG_CHECKING([for gl_matchc field in glob_t])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
	[[ glob_t g; g.gl_matchc = 1; ]])],
	[
		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
			[Define if your system glob() function has
			gl_matchc options in glob_t])
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])
])
1498
# Check for g.gl_statv glob() extension
# Compile-only probe: needs both the GLOB_KEEPSTAT flag and a gl_statv member
# in glob_t; a missing flag stops compilation through the #error line.
AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
#ifndef GLOB_KEEPSTAT
#error "glob does not support GLOB_KEEPSTAT extension"
#endif
glob_t g;
g.gl_statv = NULL;
]])],
	[
		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
			[Define if your system glob() function has
			gl_statv options in glob_t])
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])

])
1517
dnl Records in HAVE_DECL_GLOB_NOMATCH whether glob.h declares GLOB_NOMATCH.
AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])

dnl A vis.h without VIS_ALL marks strnvis as unusable via BROKEN_STRNVIS.
AC_CHECK_DECL([VIS_ALL], ,
    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1522
# Run-time probe on the size of d_name in struct dirent.  The program exits 0
# when d_name is larger than a single char.  Otherwise, and also when cross
# compiling where the probe cannot run, BROKEN_ONE_BYTE_DIRENT_D_NAME is
# defined so that callers allocate the name space themselves.
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <dirent.h>
#include <stdlib.h>
	]],
	[[
	struct dirent d;
	exit(sizeof(d.d_name)<=sizeof(char));
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
			[Define if your struct dirent expects you to
			allocate extra space for d_name])
	],
	[
		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
	]
)
1546
# Looks for the fd directory of the running configure shell under /proc.
# This is a plain shell test on the machine running configure, so when cross
# compiling the answer describes the build host rather than the target.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test -d "/proc/$$/fd" ; then
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
	AC_MSG_RESULT([yes])
else
	AC_MSG_RESULT([no])
fi
1554
# Check whether user wants to use ldns
# With a bare --with-ldns the flags come from ldns-config when AC_PATH_TOOL
# finds one, otherwise -lldns alone is assumed.  With --with-ldns=PATH the
# include and lib subdirectories of PATH are used.  Whenever ldns was
# requested, the link test at the end must succeed or configure aborts.
LDNS_MSG="no"
AC_ARG_WITH(ldns,
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	if test "x$withval" = "xyes" ; then
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" = "xno"; then
			LIBS="-lldns $LIBS"
			ldns=yes
		else
			# The output of ldns-config is spliced unquoted into
			# LIBS and CPPFLAGS, so the script picked up by the
			# search above has to be a trusted one.
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
			ldns=yes
		fi
	elif test "x$withval" != "xno" ; then
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			LDFLAGS="$LDFLAGS -L${withval}/lib"
			LIBS="-lldns $LIBS"
			ldns=yes
	fi

	# Verify that it works.
	# HAVE_LDNS is defined before the link test, which is harmless because
	# a failed test stops configure.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
			]])
		],
			[AC_MSG_RESULT(yes)],
				[
					AC_MSG_RESULT(no)
					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
				])
	fi
])
1602# Check whether user wants libedit support
1603LIBEDIT_MSG="no"
1604AC_ARG_WITH([libedit],
1605	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1606	[ if test "x$withval" != "xno" ; then
1607		if test "x$withval" = "xyes" ; then
1608			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1609			if test "x$PKGCONFIG" != "xno"; then
1610				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1611				if "$PKGCONFIG" libedit; then
1612					AC_MSG_RESULT([yes])
1613					use_pkgconfig_for_libedit=yes
1614				else
1615					AC_MSG_RESULT([no])
1616				fi
1617			fi
1618		else
1619			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1620			if test -n "${rpath_opt}"; then
1621				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1622			else
1623				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1624			fi
1625		fi
1626		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1627			LIBEDIT=`$PKGCONFIG --libs libedit`
1628			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1629		else
1630			LIBEDIT="-ledit -lcurses"
1631		fi
1632		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1633		AC_CHECK_LIB([edit], [el_init],
1634			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1635			  LIBEDIT_MSG="yes"
1636			  AC_SUBST([LIBEDIT])
1637			],
1638			[ AC_MSG_ERROR([libedit not found]) ],
1639			[ $OTHERLIBS ]
1640		)
1641		AC_MSG_CHECKING([if libedit version is compatible])
1642		AC_COMPILE_IFELSE(
1643		    [AC_LANG_PROGRAM([[
1644#include <histedit.h>
1645#include <stdlib.h>
1646		    ]],
1647		    [[
1648	int i = H_SETSIZE;
1649	el_init("", NULL, NULL, NULL);
1650	exit(0);
1651		    ]])],
1652		    [ AC_MSG_RESULT([yes]) ],
1653		    [ AC_MSG_RESULT([no])
1654		      AC_MSG_ERROR([libedit version is not compatible]) ]
1655		)
1656	fi ]
1657)
1658
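# Audit support.  --with-audit selects one module: bsm, linux or debug.  The
# value "no" leaves AUDIT_MODULE at "none"; any other value, including a bare
# --with-audit, aborts configure with an error.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		dnl    The header, the library and getaudit are all mandatory.
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is only assigned in the Solaris host case, so it is
		# empty on other BSM platforms.  Check that it is set before
		# the numeric comparison, which otherwise makes test print an
		# error about a non-integer operand.
		if test -n "$sol2ver" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		dnl    NOTE(review): unlike the bsm branch, a missing libaudit.h
		dnl    is not an error here and -laudit is added without a link
		dnl    test, so a missing library only shows up at build time.
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)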
1711
# Position independent executables.  use_pie ends up as yes, no or auto:
#  - --with-pie=yes/no sets it explicitly;
#  - otherwise it keeps whatever the host case above chose (the OpenBSD case
#    sets auto) and defaults to no when nothing set it;
#  - auto is turned into no when use_toolchain_hardening is not 1 (that
#    variable is set outside this section) or when the compiler does not
#    identify itself as gcc 4 or later.
# On hosts where it ends up as no, the binaries are not built as PIE unless
# --with-pie is passed.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible], [
	if test "x$withval" = "xno"; then
		use_pie=no
	fi
	if test "x$withval" = "xyes"; then
		use_pie=yes
	fi
    ]
)
if test "x$use_pie" = "x"; then
	use_pie=no
fi
if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
	# Turn off automatic PIE when toolchain hardening is off.
	use_pie=no
fi
if test "x$use_pie" = "xauto"; then
	# Automatic PIE requires gcc >= 4.x
	AC_MSG_CHECKING([for gcc >= 4.x])
	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  use_pie=no ]
)
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	# The two OSSH_CHECK_ macros are defined outside this file section;
	# presumably each appends its flag when the probe succeeds, which is
	# what the grep tests below look for.
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# We use both -fPIE and -pie or neither.
	# If only one of them was accepted, both variables are rolled back.  No
	# error is raised, so an explicit --with-pie can still end up without
	# PIE; the "no" result printed here is the only indication.
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
		AC_MSG_RESULT([yes])
	else
		AC_MSG_RESULT([no])
		CFLAGS="$SAVED_CFLAGS"
		LDFLAGS="$SAVED_LDFLAGS"
	fi
fi
1758
# Probe whether the compiler accepts -fPIC.  The flag is only added to CFLAGS
# for the duration of the probe; the result is exported to the generated
# files as PICFLAG, which is empty when the flag is rejected.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
   [AC_MSG_RESULT([yes])
    PICFLAG="-fPIC"; ],
   [AC_MSG_RESULT([no])
    PICFLAG=""; ])
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1770
dnl    Checks for library functions. Please keep in alphabetical order
dnl    AC_CHECK_FUNCS defines a HAVE_ macro for every name below that links
dnl    with the current LIBS.  The list includes hardening-related interfaces
dnl    such as explicit_bzero, freezero, memset_s, timingsafe_bcmp, getrandom,
dnl    pledge, cap_rights_limit, prctl and setrlimit; how a missing one is
dnl    handled is decided outside this file section.
AC_CHECK_FUNCS([ \
	Blowfish_initstate \
	Blowfish_expandstate \
	Blowfish_expand0state \
	Blowfish_stream2word \
	SHA256Update \
	SHA384Update \
	SHA512Update \
	asprintf \
	b64_ntop \
	__b64_ntop \
	b64_pton \
	__b64_pton \
	bcopy \
	bcrypt_pbkdf \
	bindresvport_sa \
	blf_enc \
	bzero \
	cap_rights_limit \
	clock \
	closefrom \
	dirfd \
	endgrent \
	err \
	errx \
	explicit_bzero \
	fchmod \
	fchmodat \
	fchown \
	fchownat \
	flock \
	fnmatch \
	freeaddrinfo \
	freezero \
	fstatfs \
	fstatvfs \
	futimes \
	getaddrinfo \
	getcwd \
	getgrouplist \
	getline \
	getnameinfo \
	getopt \
	getpagesize \
	getpeereid \
	getpeerucred \
	getpgid \
	_getpty \
	getrlimit \
	getrandom \
	getsid \
	getttyent \
	glob \
	group_from_gid \
	inet_aton \
	inet_ntoa \
	inet_ntop \
	innetgr \
	llabs \
	localtime_r \
	login_getcapbool \
	md5_crypt \
	memmem \
	memmove \
	memset_s \
	mkdtemp \
	ngetaddrinfo \
	nsleep \
	ogetaddrinfo \
	openlog_r \
	pledge \
	poll \
	prctl \
	pstat \
	raise \
	readpassphrase \
	reallocarray \
	realpath \
	recvmsg \
	recallocarray \
	rresvport_af \
	sendmsg \
	setdtablesize \
	setegid \
	setenv \
	seteuid \
	setgroupent \
	setgroups \
	setlinebuf \
	setlogin \
	setpassent\
	setpcred \
	setproctitle \
	setregid \
	setreuid \
	setrlimit \
	setsid \
	setvbuf \
	sigaction \
	sigvec \
	snprintf \
	socketpair \
	statfs \
	statvfs \
	strcasestr \
	strdup \
	strerror \
	strlcat \
	strlcpy \
	strmode \
	strndup \
	strnlen \
	strnvis \
	strptime \
	strsignal \
	strtonum \
	strtoll \
	strtoul \
	strtoull \
	swap32 \
	sysconf \
	tcgetpgrp \
	timingsafe_bcmp \
	truncate \
	unsetenv \
	updwtmpx \
	utimensat \
	user_from_uid \
	usleep \
	vasprintf \
	vsnprintf \
	waitpid \
	warn \
])
1906
dnl Record whether prototypes for bzero and memmem are visible with the
dnl default includes; this is separate from the link checks above.
AC_CHECK_DECLS([bzero, memmem])

dnl Wide character support.
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1911
# TEST_SSH_UTF8 keeps a value preset in the environment and otherwise starts
# as yes.  It is forced to no when the probe cannot select the en_US.UTF-8
# locale on the machine running configure.  When cross compiling the probe
# cannot run and the value is left unchanged.
TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
AC_MSG_CHECKING([for utf8 locale support])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <locale.h>
#include <stdlib.h>
	]], [[
	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
	if (loc != NULL)
		exit(0);
	exit(1);
	]])],
	AC_MSG_RESULT(yes),
	[AC_MSG_RESULT(no)
	 TEST_SSH_UTF8=no],
	AC_MSG_WARN([cross compiling: assuming yes])
)
1929
dnl isblank may be a macro in ctype.h, so it is probed with a link test of a
dnl real call rather than through AC_CHECK_FUNCS.  No result line is printed.
AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
           [[ #include <ctype.h> ]],
           [[ return (isblank('a')); ]])],
	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
1936
# Feature switches.  Each variable stays empty unless the option is given:
#  - disable_pkcs11=1 after --disable-pkcs11
#  - disable_sk=1 after --disable-security-key
#  - enable_sk_internal=yes after --with-security-key-builtin with any value
#    other than no
# This section only records the choices; they are acted on further down.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		if test "x$enableval" = "xno" ; then
			disable_pkcs11=1
		fi
	]
)

disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[
		if test "x$enableval" = "xno" ; then
			disable_sk=1
		fi
	]
)
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[
		if test "x$withval" != "xno" ; then
			enable_sk_internal=yes
		fi
	]
)
# Disabling security keys overrides a request for the builtin support.
test "x$disable_sk" != "x" && enable_sk_internal=""
1966
dnl Run-time loading: find dlopen without extra libraries or in libdl, then
dnl record HAVE_DLOPEN and check that dlfcn.h declares RTLD_NOW.
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1970
# IRIX has a const char return value for gai_strerror()
# The probe redeclares gai_strerror as returning const char * after including
# netdb.h, so it only compiles when that agrees with the system prototype.
AC_CHECK_FUNCS([gai_strerror], [
	AC_DEFINE([HAVE_GAI_STRERROR])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

const char *gai_strerror(int);
			]], [[
	char *str;
	str = gai_strerror(0);
			]])], [
		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
		[Define if gai_strerror() returns const char *])], [])])
1986
dnl nanosleep may need librt or libposix4 and clock_gettime may need librt;
dnl the HAVE_ macros are defined once the function links either way.
AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
	[Some systems put nanosleep outside of libc])])

AC_SEARCH_LIBS([clock_gettime], [rt],
	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1992
dnl check if we need -D_REENTRANT for localtime_r declaration.
dnl If time.h does not declare localtime_r, the check is repeated with
dnl -D_REENTRANT after clearing the cached result.  The extra define stays in
dnl CPPFLAGS when it helps and is rolled back when it does not.
AC_CHECK_DECL([localtime_r], [],
	[ saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)
2005
dnl Make sure prototypes are defined for these before using them.
dnl strsep is only link-checked, and HAVE_STRSEP only defined, when string.h
dnl declares it.
AC_CHECK_DECL([strsep],
	[AC_CHECK_FUNCS([strsep])],
	[],
	[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
	])
2015
dnl tcsendbreak might be a macro
dnl A declaration in termios.h is enough to define HAVE_TCSENDBREAK; only
dnl without one is the function link-checked.
AC_CHECK_DECL([tcsendbreak],
	[AC_DEFINE([HAVE_TCSENDBREAK])],
	[AC_CHECK_FUNCS([tcsendbreak])],
	[#include <termios.h>]
)
2022
dnl Declaration checks.  Each AC_CHECK_DECLS defines a HAVE_DECL_ macro to 1
dnl or 0 per symbol, using the headers given in its last argument.
AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])

AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
	[
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([O_NONBLOCK], , ,
	[
#include <sys/types.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
	])

AC_CHECK_DECLS([readv, writev], , , [
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([MAXSYMLINKS], , , [
#include <sys/param.h>
	])

AC_CHECK_DECLS([offsetof], , , [
#include <stddef.h>
	])

# extra bits for select(2)
AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
#include <sys/sysmacros.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
dnl The fd_mask type is checked against the same select-related headers.
AC_CHECK_TYPES([fd_mask], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
2087
AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms export a setresuid symbol that is not implemented.
	dnl Call it once and look for ENOSYS to tell the two cases apart.
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
		]], [[
	/* Only ENOSYS marks the call as broken; success or any other
	 * errno value is reported as working. */
	errno = 0;
	setresuid(0, 0, 0);
	exit(errno == ENOSYS ? 1 : 0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])
2110
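AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms export a setresgid symbol that is not implemented.
	dnl Call it once and look for ENOSYS to tell the two cases apart.
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
		]], [[
	/* Only ENOSYS marks the call as broken; success or any other
	 * errno value is reported as working. */
	errno = 0;
	setresgid(0, 0, 0);
	exit(errno == ENOSYS ? 1 : 0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		dnl The warning names the function this probe skipped, so a
		dnl cross-build log shows which privilege call went unverified.
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])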
2133
dnl Run fflush on a NULL stream once; a crash or non-zero exit marks it broken.
AC_MSG_CHECKING([for working fflush(NULL)])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
	]], [[
	fflush(NULL);
	exit(0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
	    [define if fflush(NULL) does not work])],
	[AC_MSG_WARN([cross compiling: assuming working])]
)
2147
2148dnl    Checks for time functions
2149AC_CHECK_FUNCS([gettimeofday time])
2150dnl    Checks for utmp functions
2151AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2152AC_CHECK_FUNCS([utmpname])
2153dnl    Checks for utmpx functions
2154AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2155AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2156dnl    Checks for lastlog functions
2157AC_CHECK_FUNCS([getlastlogxbyname])
2158
2159AC_CHECK_FUNC([daemon],
2160	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2161	[AC_CHECK_LIB([bsd], [daemon],
2162		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2163)
2164
2165AC_CHECK_FUNC([getpagesize],
2166	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2167		[Define if your libraries define getpagesize()])],
2168	[AC_CHECK_LIB([ucb], [getpagesize],
2169		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2170)
2171
2172# Check for broken snprintf
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	# Format nine characters into a five byte buffer and require a NUL in
	# the last slot. Nothing is run when cross compiling: snprintf is then
	# assumed to terminate and only a warning is printed.
	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
		]], [[
	char buf[5];

	snprintf(buf, sizeof(buf), "123456789");
	exit(buf[sizeof(buf) - 1] != '\0');
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_SNPRINTF], [1],
			[Define if your snprintf is busted])
		 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)
fi
2195
2196if test "x$ac_cv_func_snprintf" = "xyes" ; then
2197	AC_MSG_CHECKING([whether snprintf understands %zu])
2198	AC_RUN_IFELSE(
2199		[AC_LANG_PROGRAM([[
2200#include <sys/types.h>
2201#include <stdio.h>
2202#include <stdlib.h>
2203#include <string.h>
2204		]],
2205		[[
2206	size_t a = 1, b = 2;
2207	char z[128];
2208	snprintf(z, sizeof z, "%zu%zu", a, b);
2209	exit(strcmp(z, "12"));
2210		]])],
2211		[AC_MSG_RESULT([yes])],
2212		[
2213			AC_MSG_RESULT([no])
2214			AC_DEFINE([BROKEN_SNPRINTF], [1],
2215				[snprintf does not understand %zu])
2216		],
2217		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2218	)
2219fi
2220
2221# We depend on vsnprintf returning the right thing on overflow: the
2222# number of characters it tried to create (as per SUSv3)
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
	# Both calls below truncate. Each must still return 11 which is the
	# length of the full formatted text. A wrong return value defines
	# BROKEN_SNPRINTF. Nothing is run when cross compiling.
	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdarg.h>

/* Thin variadic wrapper so the probe exercises vsnprintf itself. */
int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
	va_list args;
	size_t written;

	va_start(args, fmt);
	written = vsnprintf(str, count, fmt, args);
	va_end(args);
	return written;
}
		]], [[
	char one[1];

	/* One byte buffer: output is truncated to the NUL alone. */
	if (x_snprintf(one, 1, "%s %d", "hello", 12345) != 11)
		return 1;
	/* Size query: no buffer at all. */
	if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
		return 1;
	return 0;
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_SNPRINTF], [1],
			[Define if your snprintf is busted])
		 AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])],
		[AC_MSG_WARN([cross compiling: Assuming working vsnprintf()])]
	)
fi
2259
2260# On systems where [v]snprintf is broken, but is declared in stdio,
2261# check that the fmt argument is const char * or just char *.
2262# This is only useful for when BROKEN_SNPRINTF
2263AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2264AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2265#include <stdio.h>
2266int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2267		]], [[
2268	snprintf(0, 0, 0);
2269		]])],
2270   [AC_MSG_RESULT([yes])
2271    AC_DEFINE([SNPRINTF_CONST], [const],
2272              [Define as const if snprintf() can declare const char *fmt])],
2273   [AC_MSG_RESULT([no])
2274    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2275
2276# Check for missing getpeereid (or equiv) support
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" && \
    test "x$ac_cv_func_getpeerucred" != "xyes"; then
	# Neither getpeereid nor getpeerucred was found. Fall back to the
	# SO_PEERCRED socket option. NO_PEERCHECK=1 records that none of the
	# three ways of identifying a socket peer is available.
	# NOTE(review): the consumer of NO_PEERCHECK is not visible in this
	# part of the file - confirm that it is surfaced to the builder.
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[int i = SO_PEERCRED;]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])],
		[AC_MSG_RESULT([no])
		 NO_PEERCHECK=1]
	)
fi
2289
2290dnl make sure that openpty does not reacquire controlling terminal
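if test -n "$check_for_openpty_ctty_bug"; then
	# The child starts a new session and calls openpty. It must not end up
	# with a controlling terminal afterwards. A probe that fails to compile
	# takes the same branch as a failing run and defines SSHD_ACQUIRES_CTTY
	# so the program has to see a prototype for openpty.
	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
/* openpty is declared in a platform-specific header. These guards are
 * no-ops unless an earlier header probe defined the macros; that probe
 * is assumed to exist elsewhere in this file - TODO confirm. */
#ifdef HAVE_PTY_H
# include <pty.h>
#endif
#ifdef HAVE_UTIL_H
# include <util.h>
#endif
#ifdef HAVE_LIBUTIL_H
# include <libutil.h>
#endif
		]], [[
	pid_t pid;
	int fd, ptyfd, ttyfd, status;

	pid = fork();
	if (pid < 0) {		/* failed */
		exit(1);
	} else if (pid > 0) {	/* parent: relay the child's verdict */
		waitpid(pid, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		else
			exit(2);
	} else {		/* child */
		/* Drop stdio and the session so no ctty is inherited. */
		close(0); close(1); close(2);
		setsid();
		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
		/* /dev/tty opens only if a controlling tty now exists. */
		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
		if (fd >= 0)
			exit(3);	/* Acquired ctty: broken */
		else
			exit(0);	/* Did not acquire ctty: OK */
	}
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([SSHD_ACQUIRES_CTTY])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi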
2337
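if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	# Resolve the wildcard address and then run getnameinfo, socket and
	# bind on every IPv6 result. A non-zero exit or a probe that does not
	# compile defines BROKEN_GETADDRINFO. The probe therefore includes
	# string.h for memset instead of relying on an implicit declaration.
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		/* A failed socket call is only reported; the bind below then
		 * sees an invalid descriptor and EBADF ends the probe. */
		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi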
2406
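if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	# Resolve the wildcard address and run getnameinfo on every IPv4 and
	# IPv6 result. Only an IPv4 failure ends the probe with an error. A
	# non-zero exit or a probe that does not compile defines
	# BROKEN_GETADDRINFO so string.h is included for memset.
	# NOTE(review): the cross-compiling branch prints "assuming no" but
	# defines neither macro - confirm that this is intended.
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		/* An IPv6 failure is tolerated here; the hack macro defined
		 * on success covers that case. */
		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi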
2466
2467if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2468	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2469	    [#include <sys/types.h>
2470	     #include <sys/socket.h>
2471	     #include <netdb.h>])
2472fi
2473
2474if test "x$check_for_conflicting_getspnam" = "x1"; then
2475	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2476	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2477#include <shadow.h>
2478#include <stdlib.h>
2479		]],
2480		[[ exit(0); ]])],
2481		[
2482			AC_MSG_RESULT([no])
2483		],
2484		[
2485			AC_MSG_RESULT([yes])
2486			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2487			    [Conflicting defs for getspnam])
2488		]
2489	)
2490fi
2491
2492dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2493dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2494dnl for over ten years). Despite this incompatibility being reported during
2495dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2496dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2497dnl implementation.  Try to detect this mess, and assume the only safe option
2498dnl if we're cross compiling.
2499dnl
2500dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2501dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
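if test "x$ac_cv_func_strnvis" = "xyes"; then
	# Call strnvis with the OpenBSD argument order and require the copied
	# text to match. A crash is turned into a failing exit by the SIGSEGV
	# handler. A probe that does not compile is also reported as broken so
	# every statement in the program must be well formed or a compatible
	# strnvis can never be detected.
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi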
2527
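dnl The parent blocks in select with no descriptors and no timeout while a
dnl child sends it SIGTERM, which is caught by a handler installed with
dnl SA_RESTART. If select returns -1 the signal interrupted it. If the parent
dnl is still alive a second later the child kills it, which gives a failing
dnl status and defines NO_SA_RESTART.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	/* sa is an automatic variable: give sa_mask a defined value. */
	sigemptyset(&sa.sa_mask);
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do not interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)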
2567
AC_CHECK_FUNCS([getpgrp], [
	dnl Compile a zero-argument call; GETPGRP_VOID records whether the
	dnl compiler accepted it.
	AC_MSG_CHECKING([if getpgrp accepts zero args])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
	)
])
2578
2579# Search for OpenSSL
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			# Anchor ./ and ../ paths at the current directory.
			# NOTE(review): a value such as sub/dir matches neither
			# pattern and stays relative. It is then handed to the rpath
			# option as given - consider rejecting non-absolute paths.
			case "$withval" in
			./*|../*)	withval="`pwd`/$withval" ;;
			esac

			# Library directory: PATH/lib then PATH/lib64 then PATH.
			if test -d "$withval/lib"; then
				ssl_dir_lib="${withval}/lib"
			elif test -d "$withval/lib64"; then
				ssl_dir_lib="${withval}/lib64"
			else
				ssl_dir_lib="${withval}"
			fi
			# The directory goes in front of the existing flags and is
			# also recorded as a runtime search path when an rpath
			# option is known. Anyone able to write to it can replace
			# the libcrypto that the installed binaries load.
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${ssl_dir_lib} ${rpath_opt}${ssl_dir_lib} ${LDFLAGS}"
			else
				LDFLAGS="-L${ssl_dir_lib} ${LDFLAGS}"
			fi

			# Header directory: PATH/include then PATH.
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)
2620
dnl --without-openssl-header-check turns a header/library version mismatch
dnl from a fatal configure error into a warning.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		case "$withval" in
		no)	openssl_check_nonfatal=1 ;;
		esac
	]
)

dnl ENGINE support is off unless requested, and cannot be requested when
dnl OpenSSL itself has been disabled.
openssl_engine=no
AC_ARG_WITH([ssl-engine],
	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
	[
		case "$withval" in
		no)	;;
		*)
			if test "x$openssl" = "xno" ; then
				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
			fi
			openssl_engine=yes
			;;
		esac
	]
)
2642
2643if test "x$openssl" = "xyes" ; then
2644	LIBS="-lcrypto $LIBS"
2645	AC_TRY_LINK_FUNC([RAND_add], ,
2646	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2647	AC_CHECK_HEADER([openssl/opensslv.h], ,
2648	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2649
2650	# Determine OpenSSL header version
2651	AC_MSG_CHECKING([OpenSSL header version])
2652	AC_RUN_IFELSE(
2653		[AC_LANG_PROGRAM([[
2654	#include <stdlib.h>
2655	#include <stdio.h>
2656	#include <string.h>
2657	#include <openssl/opensslv.h>
2658	#define DATA "conftest.sslincver"
2659		]], [[
2660		FILE *fd;
2661		int rc;
2662
2663		fd = fopen(DATA,"w");
2664		if(fd == NULL)
2665			exit(1);
2666
2667		if ((rc = fprintf(fd, "%08lx (%s)\n",
2668		    (unsigned long)OPENSSL_VERSION_NUMBER,
2669		     OPENSSL_VERSION_TEXT)) < 0)
2670			exit(1);
2671
2672		exit(0);
2673		]])],
2674		[
2675			ssl_header_ver=`cat conftest.sslincver`
2676			AC_MSG_RESULT([$ssl_header_ver])
2677		],
2678		[
2679			AC_MSG_RESULT([not found])
2680			AC_MSG_ERROR([OpenSSL version header not found.])
2681		],
2682		[
2683			AC_MSG_WARN([cross compiling: not checking])
2684		]
2685	)
2686
2687	# Determining OpenSSL library version is version dependent.
2688	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2689
2690	# Determine OpenSSL library version
2691	AC_MSG_CHECKING([OpenSSL library version])
2692	AC_RUN_IFELSE(
2693		[AC_LANG_PROGRAM([[
2694	#include <stdio.h>
2695	#include <stdlib.h>
2696	#include <string.h>
2697	#include <openssl/opensslv.h>
2698	#include <openssl/crypto.h>
2699	#define DATA "conftest.ssllibver"
2700		]], [[
2701		FILE *fd;
2702		int rc;
2703
2704		fd = fopen(DATA,"w");
2705		if(fd == NULL)
2706			exit(1);
2707#ifndef OPENSSL_VERSION
2708# define OPENSSL_VERSION SSLEAY_VERSION
2709#endif
2710#ifndef HAVE_OPENSSL_VERSION
2711# define OpenSSL_version	SSLeay_version
2712#endif
2713#ifndef HAVE_OPENSSL_VERSION_NUM
2714# define OpenSSL_version_num	SSLeay
2715#endif
2716		if ((rc = fprintf(fd, "%08lx (%s)\n",
2717		    (unsigned long)OpenSSL_version_num(),
2718		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2719			exit(1);
2720
2721		exit(0);
2722		]])],
2723		[
2724			ssl_library_ver=`cat conftest.ssllibver`
2725			# Check version is supported.
2726			case "$ssl_library_ver" in
2727			10000*|0*)
2728				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2729		                ;;
2730			100*)   ;; # 1.0.x
2731			101000[[0123456]]*)
2732				# https://github.com/openssl/openssl/pull/4613
2733				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2734				;;
2735			101*)   ;; # 1.1.x
2736			200*)   ;; # LibreSSL
2737			300*)   ;; # OpenSSL development branch.
2738		        *)
2739				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2740		                ;;
2741			esac
2742			AC_MSG_RESULT([$ssl_library_ver])
2743		],
2744		[
2745			AC_MSG_RESULT([not found])
2746			AC_MSG_ERROR([OpenSSL library not found.])
2747		],
2748		[
2749			AC_MSG_WARN([cross compiling: not checking])
2750		]
2751	)
2752
2753	# Sanity check OpenSSL headers
2754	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2755	AC_RUN_IFELSE(
2756		[AC_LANG_PROGRAM([[
2757	#include <stdlib.h>
2758	#include <string.h>
2759	#include <openssl/opensslv.h>
2760	#include <openssl/crypto.h>
2761		]], [[
2762#ifndef HAVE_OPENSSL_VERSION_NUM
2763# define OpenSSL_version_num	SSLeay
2764#endif
2765		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2766		]])],
2767		[
2768			AC_MSG_RESULT([yes])
2769		],
2770		[
2771			AC_MSG_RESULT([no])
2772			if test "x$openssl_check_nonfatal" = "x"; then
2773				AC_MSG_ERROR([Your OpenSSL headers do not match your
2774	library. Check config.log for details.
2775	If you are sure your installation is consistent, you can disable the check
2776	by running "./configure --without-openssl-header-check".
2777	Also see contrib/findssl.sh for help identifying header/library mismatches.
2778	])
2779			else
2780				AC_MSG_WARN([Your OpenSSL headers do not match your
2781	library. Check config.log for details.
2782	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2783			fi
2784		],
2785		[
2786			AC_MSG_WARN([cross compiling: not checking])
2787		]
2788	)
2789
2790	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2791	AC_LINK_IFELSE(
2792		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2793		[[ ERR_load_crypto_strings(); ]])],
2794		[
2795			AC_MSG_RESULT([yes])
2796		],
2797		[
2798			AC_MSG_RESULT([no])
2799			saved_LIBS="$LIBS"
2800			LIBS="$LIBS -ldl"
2801			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2802			AC_LINK_IFELSE(
2803				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2804				[[ ERR_load_crypto_strings(); ]])],
2805				[
2806					AC_MSG_RESULT([yes])
2807				],
2808				[
2809					AC_MSG_RESULT([no])
2810					LIBS="$saved_LIBS"
2811				]
2812			)
2813		]
2814	)
2815
2816	AC_CHECK_FUNCS([ \
2817		BN_is_prime_ex \
2818		DSA_generate_parameters_ex \
2819		EVP_CIPHER_CTX_ctrl \
2820		EVP_DigestFinal_ex \
2821		EVP_DigestInit_ex \
2822		EVP_MD_CTX_cleanup \
2823		EVP_MD_CTX_copy_ex \
2824		EVP_MD_CTX_init \
2825		HMAC_CTX_init \
2826		RSA_generate_key_ex \
2827		RSA_get_default_method \
2828	])
2829
2830	# OpenSSL_add_all_algorithms may be a macro.
2831	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2832	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2833	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2834		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2835		[[#include <openssl/evp.h>]]
2836	    )
2837	)
2838
2839	# LibreSSL/OpenSSL 1.1x API
2840	AC_CHECK_FUNCS([ \
2841		OPENSSL_init_crypto \
2842		DH_get0_key \
2843		DH_get0_pqg \
2844		DH_set0_key \
2845		DH_set_length \
2846		DH_set0_pqg \
2847		DSA_get0_key \
2848		DSA_get0_pqg \
2849		DSA_set0_key \
2850		DSA_set0_pqg \
2851		DSA_SIG_get0 \
2852		DSA_SIG_set0 \
2853		ECDSA_SIG_get0 \
2854		ECDSA_SIG_set0 \
2855		EVP_CIPHER_CTX_iv \
2856		EVP_CIPHER_CTX_iv_noconst \
2857		EVP_CIPHER_CTX_get_iv \
2858		EVP_CIPHER_CTX_set_iv \
2859		RSA_get0_crt_params \
2860		RSA_get0_factors \
2861		RSA_get0_key \
2862		RSA_set0_crt_params \
2863		RSA_set0_factors \
2864		RSA_set0_key \
2865		RSA_meth_free \
2866		RSA_meth_dup \
2867		RSA_meth_set1_name \
2868		RSA_meth_get_finish \
2869		RSA_meth_set_priv_enc \
2870		RSA_meth_set_priv_dec \
2871		RSA_meth_set_finish \
2872		EVP_PKEY_get0_RSA \
2873		EVP_MD_CTX_new \
2874		EVP_MD_CTX_free \
2875		EVP_chacha20 \
2876	])
2877
2878	if test "x$openssl_engine" = "xyes" ; then
2879		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2880		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2881	#include <openssl/engine.h>
2882			]], [[
2883				ENGINE_load_builtin_engines();
2884				ENGINE_register_all_complete();
2885			]])],
2886			[ AC_MSG_RESULT([yes])
2887			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2888			     [Enable OpenSSL engine support])
2889			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2890		])
2891	fi
2892
2893	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2894	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2895	AC_LINK_IFELSE(
2896		[AC_LANG_PROGRAM([[
2897	#include <stdlib.h>
2898	#include <string.h>
2899	#include <openssl/evp.h>
2900		]], [[
2901		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2902		]])],
2903		[
2904			AC_MSG_RESULT([no])
2905		],
2906		[
2907			AC_MSG_RESULT([yes])
2908			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2909			    [libcrypto is missing AES 192 and 256 bit functions])
2910		]
2911	)
2912
2913	# Check for OpenSSL with EVP_aes_*ctr
2914	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2915	AC_LINK_IFELSE(
2916		[AC_LANG_PROGRAM([[
2917	#include <stdlib.h>
2918	#include <string.h>
2919	#include <openssl/evp.h>
2920		]], [[
2921		exit(EVP_aes_128_ctr() == NULL ||
2922		    EVP_aes_192_cbc() == NULL ||
2923		    EVP_aes_256_cbc() == NULL);
2924		]])],
2925		[
2926			AC_MSG_RESULT([yes])
2927			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2928			    [libcrypto has EVP AES CTR])
2929		],
2930		[
2931			AC_MSG_RESULT([no])
2932		]
2933	)
2934
2935	# Check for OpenSSL with EVP_aes_*gcm
2936	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2937	AC_LINK_IFELSE(
2938		[AC_LANG_PROGRAM([[
2939	#include <stdlib.h>
2940	#include <string.h>
2941	#include <openssl/evp.h>
2942		]], [[
2943		exit(EVP_aes_128_gcm() == NULL ||
2944		    EVP_aes_256_gcm() == NULL ||
2945		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2946		    EVP_CTRL_GCM_IV_GEN == 0 ||
2947		    EVP_CTRL_GCM_SET_TAG == 0 ||
2948		    EVP_CTRL_GCM_GET_TAG == 0 ||
2949		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2950		]])],
2951		[
2952			AC_MSG_RESULT([yes])
2953			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2954			    [libcrypto has EVP AES GCM])
2955		],
2956		[
2957			AC_MSG_RESULT([no])
2958			unsupported_algorithms="$unsupported_cipers \
2959			   aes128-gcm@openssh.com \
2960			   aes256-gcm@openssh.com"
2961		]
2962	)
2963
2964	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2965	AC_LINK_IFELSE(
2966		[AC_LANG_PROGRAM([[
2967	#include <stdlib.h>
2968	#include <string.h>
2969	#include <openssl/evp.h>
2970		]], [[
2971		if(EVP_DigestUpdate(NULL, NULL,0))
2972			exit(0);
2973		]])],
2974		[
2975			AC_MSG_RESULT([yes])
2976		],
2977		[
2978			AC_MSG_RESULT([no])
2979			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2980			    [Define if EVP_DigestUpdate returns void])
2981		]
2982	)
2983
2984	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2985	# because the system crypt() is more featureful.
2986	if test "x$check_for_libcrypt_before" = "x1"; then
2987		AC_CHECK_LIB([crypt], [crypt])
2988	fi
2989
2990	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2991	# version in OpenSSL.
2992	if test "x$check_for_libcrypt_later" = "x1"; then
2993		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2994	fi
2995	AC_CHECK_FUNCS([crypt DES_crypt])
2996
2997	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2998	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2999
3000	# Check complete ECC support in OpenSSL
3001	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3002	AC_LINK_IFELSE(
3003		[AC_LANG_PROGRAM([[
3004	#include <openssl/ec.h>
3005	#include <openssl/ecdh.h>
3006	#include <openssl/ecdsa.h>
3007	#include <openssl/evp.h>
3008	#include <openssl/objects.h>
3009	#include <openssl/opensslv.h>
3010		]], [[
3011		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3012		const EVP_MD *m = EVP_sha256(); /* We need this too */
3013		]])],
3014		[ AC_MSG_RESULT([yes])
3015		  enable_nistp256=1 ],
3016		[ AC_MSG_RESULT([no]) ]
3017	)
3018
3019	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3020	AC_LINK_IFELSE(
3021		[AC_LANG_PROGRAM([[
3022	#include <openssl/ec.h>
3023	#include <openssl/ecdh.h>
3024	#include <openssl/ecdsa.h>
3025	#include <openssl/evp.h>
3026	#include <openssl/objects.h>
3027	#include <openssl/opensslv.h>
3028		]], [[
3029		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3030		const EVP_MD *m = EVP_sha384(); /* We need this too */
3031		]])],
3032		[ AC_MSG_RESULT([yes])
3033		  enable_nistp384=1 ],
3034		[ AC_MSG_RESULT([no]) ]
3035	)
3036
3037	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3038	AC_LINK_IFELSE(
3039		[AC_LANG_PROGRAM([[
3040	#include <openssl/ec.h>
3041	#include <openssl/ecdh.h>
3042	#include <openssl/ecdsa.h>
3043	#include <openssl/evp.h>
3044	#include <openssl/objects.h>
3045	#include <openssl/opensslv.h>
3046		]], [[
3047		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3048		const EVP_MD *m = EVP_sha512(); /* We need this too */
3049		]])],
3050		[ AC_MSG_RESULT([yes])
3051		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3052		  AC_RUN_IFELSE(
3053			[AC_LANG_PROGRAM([[
3054	#include <stdlib.h>
3055	#include <openssl/ec.h>
3056	#include <openssl/ecdh.h>
3057	#include <openssl/ecdsa.h>
3058	#include <openssl/evp.h>
3059	#include <openssl/objects.h>
3060	#include <openssl/opensslv.h>
3061			]],[[
3062			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3063			const EVP_MD *m = EVP_sha512(); /* We need this too */
3064			exit(e == NULL || m == NULL);
3065			]])],
3066			[ AC_MSG_RESULT([yes])
3067			  enable_nistp521=1 ],
3068			[ AC_MSG_RESULT([no]) ],
3069			[ AC_MSG_WARN([cross-compiling: assuming yes])
3070			  enable_nistp521=1 ]
3071		  )],
3072		AC_MSG_RESULT([no])
3073	)
3074
3075	COMMENT_OUT_ECC="#no ecc#"
3076	TEST_SSH_ECC=no
3077
3078	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3079	    test x$enable_nistp521 = x1; then
3080		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3081		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3082		openssl_ecc=yes
3083	else
3084		openssl_ecc=no
3085	fi
3086	if test x$enable_nistp256 = x1; then
3087		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3088		    [libcrypto has NID_X9_62_prime256v1])
3089		TEST_SSH_ECC=yes
3090		COMMENT_OUT_ECC=""
3091	else
3092		unsupported_algorithms="$unsupported_algorithms \
3093			ecdsa-sha2-nistp256 \
3094			ecdh-sha2-nistp256 \
3095			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3096	fi
3097	if test x$enable_nistp384 = x1; then
3098		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3099		TEST_SSH_ECC=yes
3100		COMMENT_OUT_ECC=""
3101	else
3102		unsupported_algorithms="$unsupported_algorithms \
3103			ecdsa-sha2-nistp384 \
3104			ecdh-sha2-nistp384 \
3105			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3106	fi
3107	if test x$enable_nistp521 = x1; then
3108		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3109		TEST_SSH_ECC=yes
3110		COMMENT_OUT_ECC=""
3111	else
3112		unsupported_algorithms="$unsupported_algorithms \
3113			ecdh-sha2-nistp521 \
3114			ecdsa-sha2-nistp521 \
3115			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3116	fi
3117
3118	AC_SUBST([TEST_SSH_ECC])
3119	AC_SUBST([COMMENT_OUT_ECC])
3120else
3121	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3122	AC_CHECK_FUNCS([crypt])
3123fi
3124
3125# PKCS11/U2F depend on OpenSSL and dlopen().
3126enable_pkcs11=yes
3127enable_sk=yes
3128if test "x$openssl" != "xyes" ; then
3129	enable_pkcs11="disabled; missing libcrypto"
3130	enable_sk="disabled; missing libcrypto"
3131fi
3132if test "x$openssl_ecc" != "xyes" ; then
3133	enable_sk="disabled; OpenSSL has no ECC support"
3134fi
3135if test "x$ac_cv_func_dlopen" != "xyes" ; then
3136	enable_pkcs11="disabled; missing dlopen(3)"
3137	enable_sk="disabled; missing dlopen(3)"
3138fi
3139if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3140	enable_pkcs11="disabled; missing RTLD_NOW"
3141	enable_sk="disabled; missing RTLD_NOW"
3142fi
3143if test ! -z "$disable_pkcs11" ; then
3144	enable_pkcs11="disabled by user"
3145fi
3146if test ! -z "$disable_sk" ; then
3147	enable_sk="disabled by user"
3148fi
3149
# Report the PKCS#11 decision. ENABLE_PKCS11 is defined only when
# enable_pkcs11 is exactly "yes"; otherwise the result line shows the reason
# string stored in the variable.
AC_MSG_CHECKING([whether to enable PKCS11])
AS_IF([test "x$enable_pkcs11" = "xyes"],
	[AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])])
AC_MSG_RESULT([$enable_pkcs11])
3155
# Report the security key decision. When enabled, ENABLE_SK is defined and
# the sk-dummy regress library is substituted as a build product; otherwise
# SK_DUMMY_LIBRARY is substituted as an empty string.
AC_MSG_CHECKING([whether to enable U2F])
AS_IF([test "x$enable_sk" = "xyes"], [
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
], [
	# Do not try to build sk-dummy library.
	AC_SUBST(SK_DUMMY_LIBRARY, [""])
])
AC_MSG_RESULT([$enable_sk])
3165
# Now check for built-in security key support.
# Only attempted when security key support is enabled and enable_sk_internal
# is "yes". Any missing piece of libfido2 is a hard configure error in this
# branch rather than a silent fallback.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
	# Start from the hard-coded link line and let pkg-config replace it
	# when it knows the library.
	use_pkgconfig_for_libfido2=
	LIBFIDO2="-lfido2 -lcbor"
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		if "$PKGCONFIG" libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
			LIBFIDO2=`$PKGCONFIG --libs libfido2`
			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
		else
			AC_MSG_RESULT([no])
		fi
	fi
	# Everything except -lfido2 itself is passed as extra libraries to the
	# link test below.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		],
		[ AC_MSG_ERROR([no usable libfido2 found]) ],
		[ $OTHERLIBS ]
	)
	# Probe optional libfido2 functions with the library temporarily on
	# the link line; LIBS is restored afterwards.
	saved_LIBS="$LIBS"
	LIBS="$LIBS $LIBFIDO2"
	AC_CHECK_FUNCS([ \
		fido_cred_prot \
		fido_cred_set_prot \
		fido_dev_get_touch_begin \
		fido_dev_get_touch_status \
		fido_dev_supports_cred_prot \
	])
	LIBS="$saved_LIBS"
	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi
3212
# Probe for the arc4random family; each function found gets its own HAVE_
# macro in config.h.
AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_stir arc4random_uniform])
3219
# libiaf is added to the sshd link line only when it also provides set_id.
# LIBS is changed just for the nested probe and restored afterwards.
saved_LIBS="$LIBS"
AC_CHECK_LIB([iaf], [ia_openinfo], [
	LIBS="$LIBS -liaf"
	AC_CHECK_FUNCS([set_id], [
		SSHDLIBS="$SSHDLIBS -liaf"
		AC_DEFINE([HAVE_LIBIAF], [1],
		    [Define if system has libiaf that supports set_id])
	])
])
LIBS="$saved_LIBS"
3229
3230### Configure cryptographic random number support
3231
# Check whether OpenSSL seeds itself
# The probe is built and run by configure; it exits with status zero only
# when RAND_status returns 1. OPENSSL_SEEDS_ITSELF stays unset when the probe
# fails, and is assumed to be yes when cross compiling.
if test "x$openssl" = "xyes" ; then
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			AC_MSG_RESULT([yes])
			OPENSSL_SEEDS_ITSELF=yes
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
			AC_MSG_WARN([cross compiling: assuming yes])
		]
	)
fi
3258
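# PRNGD TCP socket
# The accepted value is written unquoted into config.h as PRNGD_PORT, so it
# has to consist of decimal digits only. A value that merely starts with a
# digit is rejected along with everything else that is not a plain number.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|*[[!0-9]]*)
			# Empty or containing a non-digit: not a port number.
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)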
3280
# PRNGD Unix domain socket
# With an explicit path the socket location is compiled in as PRNGD_SOCKET.
# Without the option a few well-known locations are probed, but only when
# OpenSSL was not found to seed itself.
# NOTE(review): only readability at configure time is checked; ownership and
# permissions of the path on the target system are not examined here.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)
			withval="/var/run/egd-pool"
			;;
		no)
			withval=""
			;;
		/*)
			;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test "x$withval" != "x" ; then
			# A TCP port and a socket path are mutually exclusive.
			if test "x$PRNGD_PORT" != "x" ; then
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			fi
			test -r "$withval" || \
				AC_MSG_WARN([Entropy socket is not readable])
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				if test -r "$sock" && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break
				fi
			done
			if test "x$PRNGD_SOCKET" = "x" ; then
				AC_MSG_RESULT([not found])
			else
				AC_MSG_RESULT([$PRNGD_SOCKET])
			fi
		fi
	]
)
3331
# Which randomness source do we use?
# Precedence: PRNGD port, then PRNGD socket, then the self-seeding OpenSSL
# PRNG. Without OpenSSL only a warning about /dev/urandom is printed; with
# OpenSSL but no seed source at all, configure stops with an error.
if test "x$PRNGD_PORT" != "x" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test "x$PRNGD_SOCKET" != "x" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test "x$OPENSSL_SEEDS_ITSELF" != "x" ; then
	RAND_MSG="OpenSSL internal ONLY"
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3346
# Check for PAM libs
# PAM is opt-in: nothing happens unless --with-pam is given with a value
# other than "no". Missing headers or a missing libpam then stop configure.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			# The library probes may add to LIBS; the original value is
			# put back afterwards and the PAM libraries are attached to
			# SSHDLIBS only.
			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist pam_putenv])
			LIBS="$saved_LIBS"

			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])
			SSHDLIBS="$SSHDLIBS -lpam"
			PAM_MSG="yes"

			if test "x$ac_cv_lib_dl_dlopen" = "xyes" ; then
				case "$LIBS" in
				*-ldl*)
					# libdl already in LIBS
					;;
				*)
					SSHDLIBS="$SSHDLIBS -ldl"
					;;
				esac
			fi
		fi
	]
)
3384
# Optional override of the PAM service name. The bare yes and no forms are
# ignored and leave SSHD_PAM_SERVICE undefined here.
# NOTE(review): the value is placed inside a C string literal without any
# character validation, so it should be a plain service name.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		case "x$withval" in
		xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
			;;
		esac
	]
)
3395
# Check for older PAM
# Runs only when PAM support was enabled. The probe calls pam_strerror with
# two arguments; when that fails to compile, the one-argument form is assumed
# and HAVE_OLD_PAM is defined.
if test "x$PAM_MSG" = "xyes" ; then
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])], [
			AC_MSG_RESULT([no])
		], [
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"
		])
fi
3418
# Unprivileged account used for privilege separation. The default is a
# Cygwin helper on Cygwin hosts and the user sshd everywhere else;
# --with-privsep-user replaces it unless the value is empty, yes or no.
# NOTE(review): the name is emitted as a C string literal and substituted
# into generated files without character validation.
case "$host" in
*-*-cygwin*)
	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
	;;
*)
	SSH_PRIVSEP_USER=sshd
	;;
esac
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			SSH_PRIVSEP_USER=$withval
			;;
		esac
	]
)
# The Cygwin placeholder is emitted bare so that it stays an identifier in
# config.h; any other value becomes a quoted string.
if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
else
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
fi
AC_SUBST([SSH_PRIVSEP_USER])
3444
# seccomp filter prerequisites. The declaration check runs only when
# have_linux_no_new_privs is 1 and sets have_seccomp_filter on success.
if test "x$have_linux_no_new_privs" = "x1" ; then
	AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
	])
fi
# NOTE(review): the probe below is compiled and linked but never executed, so
# despite its message it confirms that the build environment provides the
# headers and prctl, not that a running kernel accepts the filter mode.
# A link failure resets have_seccomp_filter to 0.
if test "x$have_seccomp_filter" = "x1" ; then
	AC_MSG_CHECKING([kernel for seccomp_filter support])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			# Disable seccomp filter as a target
			have_seccomp_filter=0
		]
	)
fi
3472
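# Decide which sandbox style to use
# sandbox_arg holds the style requested by the user. It stays empty both
# when the option is absent and when it is given as a bare yes, which lets
# the selection further down pick the first supported style. The help text
# lists solaris as well, since the selection accepts that value.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, solaris, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)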
3485
# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
# The probe zeroes RLIMIT_FSIZE and RLIMIT_NOFILE and then calls select on a
# descriptor opened beforehand; select returning -1 counts as failure. The
# result is assumed to be yes when cross compiling.
AC_MSG_CHECKING([if select works with descriptor rlimit])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int fd, r;
	fd_set fds;
	struct timeval tv;

	fd = open("/dev/null", O_RDONLY);
	FD_ZERO(&fds);
	FD_SET(fd, &fds);
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &rl_zero);
	setrlimit(RLIMIT_NOFILE, &rl_zero);
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	r = select(fd+1, &fds, NULL, NULL, &tv);
	exit (r == -1 ? 1 : 0);
	]])],
	[
		select_works_with_rlimit=yes
		AC_MSG_RESULT([yes])
	],
	[
		select_works_with_rlimit=no
		AC_MSG_RESULT([no])
	],
	[
		select_works_with_rlimit=yes
		AC_MSG_WARN([cross compiling: assuming yes])
	]
)
3527
# Probe whether the descriptor limit can be set to zero at all. The automatic
# choice of the rlimit sandbox further down requires this to be yes; it is
# assumed to be yes when cross compiling.
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int r;

	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
	exit (r == -1 ? 1 : 0);
	]])],
	[
		rlimit_nofile_zero_works=yes
		AC_MSG_RESULT([yes])
	],
	[
		rlimit_nofile_zero_works=no
		AC_MSG_RESULT([no])
	],
	[
		rlimit_nofile_zero_works=yes
		AC_MSG_WARN([cross compiling: assuming yes])
	]
)
3553
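# Probe whether RLIMIT_FSIZE can be set to zero. SANDBOX_SKIP_RLIMIT_FSIZE is
# defined only when the probe fails, so its config.h description states the
# failure case. Nothing is defined when cross compiling.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)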
3572
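# Pick the privilege separation sandbox. An explicit --with-sandbox value
# selects that branch, and most branches stop configure when a prerequisite
# they test is missing. With no value the first style whose prerequisites
# were detected wins, in the order pledge, systrace, darwin, seccomp_filter,
# capsicum, rlimit, solaris and finally none.
# NOTE(review): an explicit solaris request is accepted without looking at
# SOLARIS_PRIVS, and an explicit rlimit request does not consult
# rlimit_nofile_zero_works - confirm that both are intended.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# Reaching this branch without an explicit request means that none of
	# the styles above was usable: make the downgrade visible.
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([no usable privilege separation sandbox was detected; building with sandbox style none])
	fi
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi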
3643
# Cheap hack to ensure NEWS-OS libraries are arranged right.
# Appends -liberty to LIBS whenever SONY is non-empty.
test "x$SONY" = "x" || LIBS="$LIBS -liberty"
3648
# Check for  long long datatypes
AC_CHECK_TYPES([long long, unsigned long long, long double])

# Check datatype sizes
AC_CHECK_SIZEOF([short int])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])

# Sanity check long long for some platforms (AIX)
# A long long reported as 4 bytes is treated as unusable: the cached size is
# reset to 0, the value the int64_t requirement check later in this file
# tests for.
test "x$ac_cv_sizeof_long_long_int" != "x4" || ac_cv_sizeof_long_long_int=0
3662
3663# compute LLONG_MIN and LLONG_MAX if we don't know them.
3664if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3665	AC_MSG_CHECKING([for max value of long long])
3666	AC_RUN_IFELSE(
3667		[AC_LANG_PROGRAM([[
3668#include <stdio.h>
3669#include <stdlib.h>
3670/* Why is this so damn hard? */
3671#ifdef __GNUC__
3672# undef __GNUC__
3673#endif
3674#define __USE_ISOC99
3675#include <limits.h>
3676#define DATA "conftest.llminmax"
3677#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3678
3679/*
3680 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3681 * we do this the hard way.
3682 */
3683static int
3684fprint_ll(FILE *f, long long n)
3685{
3686	unsigned int i;
3687	int l[sizeof(long long) * 8];
3688
3689	if (n < 0)
3690		if (fprintf(f, "-") < 0)
3691			return -1;
3692	for (i = 0; n != 0; i++) {
3693		l[i] = my_abs(n % 10);
3694		n /= 10;
3695	}
3696	do {
3697		if (fprintf(f, "%d", l[--i]) < 0)
3698			return -1;
3699	} while (i != 0);
3700	if (fprintf(f, " ") < 0)
3701		return -1;
3702	return 0;
3703}
3704		]], [[
3705	FILE *f;
3706	long long i, llmin, llmax = 0;
3707
3708	if((f = fopen(DATA,"w")) == NULL)
3709		exit(1);
3710
3711#if defined(LLONG_MIN) && defined(LLONG_MAX)
3712	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3713	llmin = LLONG_MIN;
3714	llmax = LLONG_MAX;
3715#else
3716	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3717	/* This will work on one's complement and two's complement */
3718	for (i = 1; i > llmax; i <<= 1, i++)
3719		llmax = i;
3720	llmin = llmax + 1LL;	/* wrap */
3721#endif
3722
3723	/* Sanity check */
3724	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3725	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3726	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3727		fprintf(f, "unknown unknown\n");
3728		exit(2);
3729	}
3730
3731	if (fprint_ll(f, llmin) < 0)
3732		exit(3);
3733	if (fprint_ll(f, llmax) < 0)
3734		exit(4);
3735	if (fclose(f) < 0)
3736		exit(5);
3737	exit(0);
3738		]])],
3739		[
3740			llong_min=`$AWK '{print $1}' conftest.llminmax`
3741			llong_max=`$AWK '{print $2}' conftest.llminmax`
3742
3743			AC_MSG_RESULT([$llong_max])
3744			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3745			    [max value of long long calculated by configure])
3746			AC_MSG_CHECKING([for min value of long long])
3747			AC_MSG_RESULT([$llong_min])
3748			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3749			    [min value of long long calculated by configure])
3750		],
3751		[
3752			AC_MSG_RESULT([not found])
3753		],
3754		[
3755			AC_MSG_WARN([cross compiling: not checking])
3756		]
3757	)
3758fi
3759
3760AC_CHECK_DECLS([UINT32_MAX], , , [[
3761#ifdef HAVE_SYS_LIMITS_H
3762# include <sys/limits.h>
3763#endif
3764#ifdef HAVE_LIMITS_H
3765# include <limits.h>
3766#endif
3767#ifdef HAVE_STDINT_H
3768# include <stdint.h>
3769#endif
3770]])
3771
3772# More checks for data types
3773AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3774	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3775	[[ u_int a; a = 1;]])],
3776	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3777	])
3778])
3779if test "x$ac_cv_have_u_int" = "xyes" ; then
3780	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3781	have_u_int=1
3782fi
3783
3784AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3785	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3786	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3787	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3788	])
3789])
3790if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3791	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3792	have_intxx_t=1
3793fi
3794
3795if (test -z "$have_intxx_t" && \
3796	   test "x$ac_cv_header_stdint_h" = "xyes")
3797then
3798    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3799	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3800	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3801		[
3802			AC_DEFINE([HAVE_INTXX_T])
3803			AC_MSG_RESULT([yes])
3804		], [ AC_MSG_RESULT([no])
3805	])
3806fi
3807
3808AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3809	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3810#include <sys/types.h>
3811#ifdef HAVE_STDINT_H
3812# include <stdint.h>
3813#endif
3814#include <sys/socket.h>
3815#ifdef HAVE_SYS_BITYPES_H
3816# include <sys/bitypes.h>
3817#endif
3818		]], [[
3819int64_t a; a = 1;
3820		]])],
3821	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3822	])
3823])
3824if test "x$ac_cv_have_int64_t" = "xyes" ; then
3825	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3826fi
3827
3828AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3829	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3830	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3831	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3832	])
3833])
3834if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3835	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3836	have_u_intxx_t=1
3837fi
3838
3839if test -z "$have_u_intxx_t" ; then
3840    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3841	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3842	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3843		[
3844			AC_DEFINE([HAVE_U_INTXX_T])
3845			AC_MSG_RESULT([yes])
3846		], [ AC_MSG_RESULT([no])
3847	])
3848fi
3849
3850AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3851	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3852	[[ u_int64_t a; a = 1;]])],
3853	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3854	])
3855])
3856if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3857	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3858	have_u_int64_t=1
3859fi
3860
3861if (test -z "$have_u_int64_t" && \
3862	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3863then
3864    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3865	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3866	[[ u_int64_t a; a = 1]])],
3867		[
3868			AC_DEFINE([HAVE_U_INT64_T])
3869			AC_MSG_RESULT([yes])
3870		], [ AC_MSG_RESULT([no])
3871	])
3872fi
3873
3874if test -z "$have_u_intxx_t" ; then
3875	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3876		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3877#include <sys/types.h>
3878			]], [[
3879	uint8_t a;
3880	uint16_t b;
3881	uint32_t c;
3882	a = b = c = 1;
3883			]])],
3884		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3885		])
3886	])
3887	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3888		AC_DEFINE([HAVE_UINTXX_T], [1],
3889			[define if you have uintxx_t data type])
3890	fi
3891fi
3892
3893if (test -z "$have_uintxx_t" && \
3894	   test "x$ac_cv_header_stdint_h" = "xyes")
3895then
3896    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3897	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3898	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3899		[
3900			AC_DEFINE([HAVE_UINTXX_T])
3901			AC_MSG_RESULT([yes])
3902		], [ AC_MSG_RESULT([no])
3903	])
3904fi
3905
3906if (test -z "$have_uintxx_t" && \
3907	   test "x$ac_cv_header_inttypes_h" = "xyes")
3908then
3909    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3910	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3911	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3912		[
3913			AC_DEFINE([HAVE_UINTXX_T])
3914			AC_MSG_RESULT([yes])
3915		], [ AC_MSG_RESULT([no])
3916	])
3917fi
3918
3919if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3920	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3921then
3922	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3923	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3924#include <sys/bitypes.h>
3925		]], [[
3926			int8_t a; int16_t b; int32_t c;
3927			u_int8_t e; u_int16_t f; u_int32_t g;
3928			a = b = c = e = f = g = 1;
3929		]])],
3930		[
3931			AC_DEFINE([HAVE_U_INTXX_T])
3932			AC_DEFINE([HAVE_INTXX_T])
3933			AC_MSG_RESULT([yes])
3934		], [AC_MSG_RESULT([no])
3935	])
3936fi
3937
3938
3939AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3940	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3941	[[ u_char foo; foo = 125; ]])],
3942	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3943	])
3944])
3945if test "x$ac_cv_have_u_char" = "xyes" ; then
3946	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3947fi
3948
3949AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3950#include <sys/types.h>
3951#ifdef HAVE_STDINT_H
3952# include <stdint.h>
3953#endif
3954])
3955
3956TYPE_SOCKLEN_T
3957
3958AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3959AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3960#include <sys/types.h>
3961#ifdef HAVE_SYS_BITYPES_H
3962#include <sys/bitypes.h>
3963#endif
3964#ifdef HAVE_SYS_STATFS_H
3965#include <sys/statfs.h>
3966#endif
3967#ifdef HAVE_SYS_STATVFS_H
3968#include <sys/statvfs.h>
3969#endif
3970])
3971
3972AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3973#include <sys/param.h>
3974#include <sys/types.h>
3975#ifdef HAVE_SYS_BITYPES_H
3976#include <sys/bitypes.h>
3977#endif
3978#ifdef HAVE_SYS_STATFS_H
3979#include <sys/statfs.h>
3980#endif
3981#ifdef HAVE_SYS_STATVFS_H
3982#include <sys/statvfs.h>
3983#endif
3984#ifdef HAVE_SYS_VFS_H
3985#include <sys/vfs.h>
3986#endif
3987#ifdef HAVE_SYS_MOUNT_H
3988#include <sys/mount.h>
3989#endif
3990]])
3991
3992
3993AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3994[#include <sys/types.h>
3995#include <netinet/in.h>])
3996
3997AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3998	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3999	[[ size_t foo; foo = 1235; ]])],
4000	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4001	])
4002])
4003if test "x$ac_cv_have_size_t" = "xyes" ; then
4004	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4005fi
4006
4007AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4008	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4009	[[ ssize_t foo; foo = 1235; ]])],
4010	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4011	])
4012])
4013if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4014	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4015fi
4016
4017AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4018	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4019	[[ clock_t foo; foo = 1235; ]])],
4020	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4021	])
4022])
4023if test "x$ac_cv_have_clock_t" = "xyes" ; then
4024	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4025fi
4026
4027AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4028	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4029#include <sys/types.h>
4030#include <sys/socket.h>
4031		]], [[ sa_family_t foo; foo = 1235; ]])],
4032	[ ac_cv_have_sa_family_t="yes" ],
4033	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4034#include <sys/types.h>
4035#include <sys/socket.h>
4036#include <netinet/in.h>
4037		]], [[ sa_family_t foo; foo = 1235; ]])],
4038		[ ac_cv_have_sa_family_t="yes" ],
4039		[ ac_cv_have_sa_family_t="no" ]
4040	)
4041	])
4042])
4043if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4044	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4045		[define if you have sa_family_t data type])
4046fi
4047
4048AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4049	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4050	[[ pid_t foo; foo = 1235; ]])],
4051	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4052	])
4053])
4054if test "x$ac_cv_have_pid_t" = "xyes" ; then
4055	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4056fi
4057
4058AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4059	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4060	[[ mode_t foo; foo = 1235; ]])],
4061	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4062	])
4063])
4064if test "x$ac_cv_have_mode_t" = "xyes" ; then
4065	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4066fi
4067
4068
4069AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4070	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4071#include <sys/types.h>
4072#include <sys/socket.h>
4073		]], [[ struct sockaddr_storage s; ]])],
4074	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4075	[ ac_cv_have_struct_sockaddr_storage="no"
4076	])
4077])
4078if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4079	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4080		[define if you have struct sockaddr_storage data type])
4081fi
4082
4083AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4084	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4085#include <sys/types.h>
4086#include <netinet/in.h>
4087		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4088	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4089	[ ac_cv_have_struct_sockaddr_in6="no"
4090	])
4091])
4092if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4093	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4094		[define if you have struct sockaddr_in6 data type])
4095fi
4096
4097AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4098	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4099#include <sys/types.h>
4100#include <netinet/in.h>
4101		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4102	[ ac_cv_have_struct_in6_addr="yes" ],
4103	[ ac_cv_have_struct_in6_addr="no"
4104	])
4105])
4106if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4107	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4108		[define if you have struct in6_addr data type])
4109
4110dnl Now check for sin6_scope_id
4111	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4112		[
4113#ifdef HAVE_SYS_TYPES_H
4114#include <sys/types.h>
4115#endif
4116#include <netinet/in.h>
4117		])
4118fi
4119
4120AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4121	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4122#include <sys/types.h>
4123#include <sys/socket.h>
4124#include <netdb.h>
4125		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4126	[ ac_cv_have_struct_addrinfo="yes" ],
4127	[ ac_cv_have_struct_addrinfo="no"
4128	])
4129])
4130if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4131	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4132		[define if you have struct addrinfo data type])
4133fi
4134
4135AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4136	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4137	[[ struct timeval tv; tv.tv_sec = 1;]])],
4138	[ ac_cv_have_struct_timeval="yes" ],
4139	[ ac_cv_have_struct_timeval="no"
4140	])
4141])
4142if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4143	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4144	have_struct_timeval=1
4145fi
4146
4147AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4148	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4149    #ifdef HAVE_SYS_TIME_H
4150    # include <sys/time.h>
4151    #endif
4152    #ifdef HAVE_TIME_H
4153    # include <time.h>
4154    #endif
4155	]],
4156	[[ struct timespec ts; ts.tv_sec = 1;]])],
4157	[ ac_cv_have_struct_timespec="yes" ],
4158	[ ac_cv_have_struct_timespec="no"
4159	])
4160])
4161if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4162	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4163	have_struct_timespec=1
4164fi
4165
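# We need int64_t or else certain parts of the compile will fail.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl test snprintf (broken on SCO w/gcc)
dnl The probe prints the largest signed 64-bit value with %lld and compares
dnl the text with the expected digits.  main is declared as int main(void):
dnl a compiler that rejects implicit int would fail to build the probe, and
dnl AC_RUN_IFELSE cannot tell a probe that did not build from one that ran
dnl and failed, so BROKEN_SNPRINTF would be defined even though the platform
dnl snprintf is fine.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, sizeof(buf), "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
	)
fi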
4205
4206dnl Checks for structure members
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4209OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4210OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4211OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4212OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4213OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4214OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4215OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4216OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4217OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4218OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4219OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4220OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4221OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4222OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4223OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4224OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4225
4226AC_CHECK_MEMBERS([struct stat.st_blksize])
4227AC_CHECK_MEMBERS([struct stat.st_mtim])
4228AC_CHECK_MEMBERS([struct stat.st_mtime])
4229AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4230struct passwd.pw_change, struct passwd.pw_expire],
4231[], [], [[
4232#include <sys/types.h>
4233#include <pwd.h>
4234]])
4235
4236AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4237	[Define if we don't have struct __res_state in resolv.h])],
4238[[
4239#include <stdio.h>
4240#if HAVE_SYS_TYPES_H
4241# include <sys/types.h>
4242#endif
4243#include <netinet/in.h>
4244#include <arpa/nameser.h>
4245#include <resolv.h>
4246]])
4247
4248AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4249		ac_cv_have_ss_family_in_struct_ss, [
4250	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4251#include <sys/types.h>
4252#include <sys/socket.h>
4253		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4254	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4255	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4256])
4257if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4258	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4259fi
4260
4261AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4262		ac_cv_have___ss_family_in_struct_ss, [
4263	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4264#include <sys/types.h>
4265#include <sys/socket.h>
4266		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4267	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4268	[ ac_cv_have___ss_family_in_struct_ss="no"
4269	])
4270])
4271if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4272	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4273		[Fields in struct sockaddr_storage])
4274fi
4275
4276dnl make sure we're using the real structure members and not defines
4277AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4278		ac_cv_have_accrights_in_msghdr, [
4279	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4280#include <sys/types.h>
4281#include <sys/socket.h>
4282#include <sys/uio.h>
4283#include <stdlib.h>
4284		]], [[
4285#ifdef msg_accrights
4286#error "msg_accrights is a macro"
4287exit(1);
4288#endif
4289struct msghdr m;
4290m.msg_accrights = 0;
4291exit(0);
4292		]])],
4293		[ ac_cv_have_accrights_in_msghdr="yes" ],
4294		[ ac_cv_have_accrights_in_msghdr="no" ]
4295	)
4296])
4297if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4298	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4299		[Define if your system uses access rights style
4300		file descriptor passing])
4301fi
4302
4303AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4304AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4305#include <sys/param.h>
4306#include <sys/stat.h>
4307#ifdef HAVE_SYS_TIME_H
4308# include <sys/time.h>
4309#endif
4310#ifdef HAVE_SYS_MOUNT_H
4311#include <sys/mount.h>
4312#endif
4313#ifdef HAVE_SYS_STATVFS_H
4314#include <sys/statvfs.h>
4315#endif
4316	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4317	[ AC_MSG_RESULT([yes]) ],
4318	[ AC_MSG_RESULT([no])
4319
4320	AC_MSG_CHECKING([if fsid_t has member val])
4321	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4322#include <sys/types.h>
4323#include <sys/statvfs.h>
4324	]], [[ fsid_t t; t.val[0] = 0; ]])],
4325	[ AC_MSG_RESULT([yes])
4326	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4327	[ AC_MSG_RESULT([no]) ])
4328
4329	AC_MSG_CHECKING([if f_fsid has member __val])
4330	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4331#include <sys/types.h>
4332#include <sys/statvfs.h>
4333	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4334	[ AC_MSG_RESULT([yes])
4335	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4336	[ AC_MSG_RESULT([no]) ])
4337])
4338
4339AC_CACHE_CHECK([for msg_control field in struct msghdr],
4340		ac_cv_have_control_in_msghdr, [
4341	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4342#include <sys/types.h>
4343#include <sys/socket.h>
4344#include <sys/uio.h>
4345#include <stdlib.h>
4346		]], [[
4347#ifdef msg_control
4348#error "msg_control is a macro"
4349exit(1);
4350#endif
4351struct msghdr m;
4352m.msg_control = 0;
4353exit(0);
4354		]])],
4355		[ ac_cv_have_control_in_msghdr="yes" ],
4356		[ ac_cv_have_control_in_msghdr="no" ]
4357	)
4358])
4359if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4360	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4361		[Define if your system uses ancillary data style
4362		file descriptor passing])
4363fi
4364
4365AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4366	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4367		[[ extern char *__progname; printf("%s", __progname); ]])],
4368	[ ac_cv_libc_defines___progname="yes" ],
4369	[ ac_cv_libc_defines___progname="no"
4370	])
4371])
4372if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4373	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4374fi
4375
4376AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4377	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4378		[[ printf("%s", __FUNCTION__); ]])],
4379	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4380	[ ac_cv_cc_implements___FUNCTION__="no"
4381	])
4382])
4383if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4384	AC_DEFINE([HAVE___FUNCTION__], [1],
4385		[Define if compiler implements __FUNCTION__])
4386fi
4387
4388AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4389	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4390		[[ printf("%s", __func__); ]])],
4391	[ ac_cv_cc_implements___func__="yes" ],
4392	[ ac_cv_cc_implements___func__="no"
4393	])
4394])
4395if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4396	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4397fi
4398
4399AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4400	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4401#include <stdarg.h>
4402va_list x,y;
4403		]], [[ va_copy(x,y); ]])],
4404	[ ac_cv_have_va_copy="yes" ],
4405	[ ac_cv_have_va_copy="no"
4406	])
4407])
4408if test "x$ac_cv_have_va_copy" = "xyes" ; then
4409	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4410fi
4411
4412AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4413	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4414#include <stdarg.h>
4415va_list x,y;
4416		]], [[ __va_copy(x,y); ]])],
4417	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4418	])
4419])
4420if test "x$ac_cv_have___va_copy" = "xyes" ; then
4421	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4422fi
4423
4424AC_CACHE_CHECK([whether getopt has optreset support],
4425		ac_cv_have_getopt_optreset, [
4426	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4427		[[ extern int optreset; optreset = 0; ]])],
4428	[ ac_cv_have_getopt_optreset="yes" ],
4429	[ ac_cv_have_getopt_optreset="no"
4430	])
4431])
4432if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4433	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4434		[Define if your getopt(3) defines and uses optreset])
4435fi
4436
4437AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4438	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4439[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4440	[ ac_cv_libc_defines_sys_errlist="yes" ],
4441	[ ac_cv_libc_defines_sys_errlist="no"
4442	])
4443])
4444if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4445	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4446		[Define if your system defines sys_errlist[]])
4447fi
4448
4449
4450AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4451	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4452[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4453	[ ac_cv_libc_defines_sys_nerr="yes" ],
4454	[ ac_cv_libc_defines_sys_nerr="no"
4455	])
4456])
4457if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4458	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4459fi
4460
4461# Check libraries needed by DNS fingerprint support
4462AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4463	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4464		[Define if getrrsetbyname() exists])],
4465	[
4466		# Needed by our getrrsetbyname()
4467		AC_SEARCH_LIBS([res_query], [resolv])
4468		AC_SEARCH_LIBS([dn_expand], [resolv])
4469		AC_MSG_CHECKING([if res_query will link])
4470		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4471#include <sys/types.h>
4472#include <netinet/in.h>
4473#include <arpa/nameser.h>
4474#include <netdb.h>
4475#include <resolv.h>
4476				]], [[
4477	res_query (0, 0, 0, 0, 0);
4478				]])],
4479		    AC_MSG_RESULT([yes]),
4480		   [AC_MSG_RESULT([no])
4481		    saved_LIBS="$LIBS"
4482		    LIBS="$LIBS -lresolv"
4483		    AC_MSG_CHECKING([for res_query in -lresolv])
4484		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4485#include <sys/types.h>
4486#include <netinet/in.h>
4487#include <arpa/nameser.h>
4488#include <netdb.h>
4489#include <resolv.h>
4490				]], [[
4491	res_query (0, 0, 0, 0, 0);
4492				]])],
4493			[AC_MSG_RESULT([yes])],
4494			[LIBS="$saved_LIBS"
4495			 AC_MSG_RESULT([no])])
4496		    ])
4497		AC_CHECK_FUNCS([_getshort _getlong])
4498		AC_CHECK_DECLS([_getshort, _getlong], , ,
4499		    [#include <sys/types.h>
4500		    #include <arpa/nameser.h>])
4501		AC_CHECK_MEMBER([HEADER.ad],
4502			[AC_DEFINE([HAVE_HEADER_AD], [1],
4503			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4504			[#include <arpa/nameser.h>])
4505	])
4506
4507AC_MSG_CHECKING([if struct __res_state _res is an extern])
4508AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4509#include <stdio.h>
4510#if HAVE_SYS_TYPES_H
4511# include <sys/types.h>
4512#endif
4513#include <netinet/in.h>
4514#include <arpa/nameser.h>
4515#include <resolv.h>
4516extern struct __res_state _res;
4517		]], [[
4518struct __res_state *volatile p = &_res;  /* force resolution of _res */
4519return 0;
4520		]],)],
4521		[AC_MSG_RESULT([yes])
4522		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4523		    [Define if you have struct __res_state _res as an extern])
4524		],
4525		[ AC_MSG_RESULT([no]) ]
4526)
4527
4528# Check whether user wants SELinux support
4529SELINUX_MSG="no"
4530LIBSELINUX=""
4531AC_ARG_WITH([selinux],
4532	[  --with-selinux          Enable SELinux support],
4533	[ if test "x$withval" != "xno" ; then
4534		save_LIBS="$LIBS"
4535		AC_DEFINE([WITH_SELINUX], [1],
4536			[Define if you want SELinux support.])
4537		SELINUX_MSG="yes"
4538		AC_CHECK_HEADER([selinux/selinux.h], ,
4539			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4540		AC_CHECK_LIB([selinux], [setexeccon],
4541			[ LIBSELINUX="-lselinux"
4542			  LIBS="$LIBS -lselinux"
4543			],
4544			AC_MSG_ERROR([SELinux support requires libselinux library]))
4545		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4546		LIBS="$save_LIBS $LIBSELINUX"
4547	fi ]
4548)
4549AC_SUBST([SSHDLIBS])
4550
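# Check whether user wants Kerberos 5 support
#
# --with-kerberos5=PATH makes configure trust PATH.  The krb5-config found
# in PATH/bin or on the search path is executed and its output is copied
# into the compiler and linker flags, and PATH/lib is added to the run-time
# library search path when rpath_opt is set.  PATH should therefore be a
# directory that only the administrator can write to.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		# KRB5CONF is quoted wherever it is tested or run so that a
		# path containing whitespace is handled as one word.
		if test -x "$KRB5CONF" ; then
			K5CFLAGS=`"$KRB5CONF" --cflags`
			K5LIBS=`"$KRB5CONF" --libs`
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			if "$KRB5CONF" | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS=`"$KRB5CONF" --cflags gssapi`
				GSSLIBS=`"$KRB5CONF" --libs gssapi`
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No usable krb5-config: fall back to fixed include and
			# library directories below KRB5ROOT and probe by hand.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
					])
				])

			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
				  )
				]
			)

			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		# The Kerberos library directory becomes part of the run-time
		# library search path of whatever is linked with these flags.
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# K5LIBS is added to LIBS only for these function probes; the
		# previous LIBS value is restored afterwards.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])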
4678
4679# Looking for programs, paths and files
4680
# Directory used as the privilege separation chroot (default /var/empty).
# An empty value, "yes" and "no" are ignored; any other value replaces the
# default.  configure only records the path and performs no check on it, so
# the installer has to make sure it is an empty directory that is owned by
# root and not writable by anyone else.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		case "$withval" in
		""|no|yes)
			;;
		*)
			PRIVSEP_PATH=$withval
			;;
		esac
	]
)
AC_SUBST([PRIVSEP_PATH])
4692
# Locate xauth.  An explicit --with-xauth=PATH is taken as given (an empty
# value, "yes" and "no" are ignored).  Without the option, the PATH of
# whoever runs configure is searched first, followed by the usual X11
# directories, and /usr/openwin/bin/xauth is preferred whenever it is
# executable and some xauth was found.  The result ends up in the XAUTH_PATH
# define further down, so a build done with an untrusted directory on PATH
# can record an unexpected binary; pass --with-xauth=PATH to pin it.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		case "$withval" in
		""|no|yes)
			;;
		*)
			xauth_path=$withval
			;;
		esac
	],
	[
		TestPath="${PATH}${PATH_SEPARATOR}/usr/X/bin${PATH_SEPARATOR}/usr/bin/X11"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin${PATH_SEPARATOR}/usr/openwin/bin"
		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
		if test -n "$xauth_path" && test -x "/usr/openwin/bin/xauth" ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4713
4714STRIP_OPT=-s
4715AC_ARG_ENABLE([strip],
4716	[  --disable-strip         Disable calling strip(1) on install],
4717	[
4718		if test "x$enableval" = "xno" ; then
4719			STRIP_OPT=
4720		fi
4721	]
4722)
4723AC_SUBST([STRIP_OPT])
4724
4725if test -z "$xauth_path" ; then
4726	XAUTH_PATH="undefined"
4727	AC_SUBST([XAUTH_PATH])
4728else
4729	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4730		[Define if xauth is found in your path])
4731	XAUTH_PATH=$xauth_path
4732	AC_SUBST([XAUTH_PATH])
4733fi
4734
4735dnl # --with-maildir=/path/to/mail gets top priority.
4736dnl # if maildir is set in the platform case statement above we use that.
4737dnl # Otherwise we run a program to get the dir from system headers.
4738dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4739dnl # If we find _PATH_MAILDIR we do nothing because that is what
4740dnl # session.c expects anyway. Otherwise we set to the value found
4741dnl # stripping any trailing slash. If for some strange reason our program
4742dnl # does not find what it needs, we default to /var/spool/mail.
4743# Check for mail directory
4744AC_ARG_WITH([maildir],
4745    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4746    [
4747	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4748	    test "x${withval}" != xyes; then
4749		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4750            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4751	    fi
4752     ],[
4753	if test "X$maildir" != "X"; then
4754	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4755	else
4756	    AC_MSG_CHECKING([Discovering system mail directory])
4757	    AC_RUN_IFELSE(
4758		[AC_LANG_PROGRAM([[
4759#include <stdio.h>
4760#include <stdlib.h>
4761#include <string.h>
4762#ifdef HAVE_PATHS_H
4763#include <paths.h>
4764#endif
4765#ifdef HAVE_MAILLOCK_H
4766#include <maillock.h>
4767#endif
4768#define DATA "conftest.maildir"
4769	]], [[
4770	FILE *fd;
4771	int rc;
4772
4773	fd = fopen(DATA,"w");
4774	if(fd == NULL)
4775		exit(1);
4776
4777#if defined (_PATH_MAILDIR)
4778	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4779		exit(1);
4780#elif defined (MAILDIR)
4781	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4782		exit(1);
4783#elif defined (_PATH_MAIL)
4784	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4785		exit(1);
4786#else
4787	exit (2);
4788#endif
4789
4790	exit(0);
4791		]])],
4792		[
4793		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4794		    maildir=`awk -F: '{print $2}' conftest.maildir \
4795			| sed 's|/$||'`
4796		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4797		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4798			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4799		    fi
4800		],
4801		[
4802		    if test "X$ac_status" = "X2";then
4803# our test program didn't find it. Default to /var/spool/mail
4804			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4805			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4806		     else
4807			AC_MSG_RESULT([*** not found ***])
4808		     fi
4809		],
4810		[
4811			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4812		]
4813	    )
4814	fi
4815    ]
4816) # maildir
4817
4818if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4819	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4820	disable_ptmx_check=yes
4821fi
4822if test -z "$no_dev_ptmx" ; then
4823	if test "x$disable_ptmx_check" != "xyes" ; then
4824		AC_CHECK_FILE(["/dev/ptmx"],
4825			[
4826				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4827					[Define if you have /dev/ptmx])
4828				have_dev_ptmx=1
4829			]
4830		)
4831	fi
4832fi
4833
4834if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4835	AC_CHECK_FILE(["/dev/ptc"],
4836		[
4837			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4838				[Define if you have /dev/ptc])
4839			have_dev_ptc=1
4840		]
4841	)
4842else
4843	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4844fi
4845
4846# Options from here on. Some of these are preset by platform above
4847AC_ARG_WITH([mantype],
4848	[  --with-mantype=man|cat|doc  Set man page type],
4849	[
4850		case "$withval" in
4851		man|cat|doc)
4852			MANTYPE=$withval
4853			;;
4854		*)
4855			AC_MSG_ERROR([invalid man type: $withval])
4856			;;
4857		esac
4858	]
4859)
4860if test -z "$MANTYPE"; then
4861	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4862		MANTYPE=doc
4863	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4864		MANTYPE=doc
4865	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4866		MANTYPE=man
4867	else
4868		MANTYPE=cat
4869	fi
4870fi
4871AC_SUBST([MANTYPE])
4872if test "$MANTYPE" = "doc"; then
4873	mansubdir=man;
4874else
4875	mansubdir=$MANTYPE;
4876fi
4877AC_SUBST([mansubdir])
4878
# Check whether to enable MD5 passwords
# Opt-in only: MD5_MSG stays "no" and HAVE_MD5_PASSWORDS stays undefined
# unless --with-md5-passwords is given with a value other than "no".
# MD5-based password hashes are a legacy format; enable this for
# compatibility with an existing password database, not for new deployments.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[
		case "x$withval" in
		xno)
			;;
		*)
			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
				[Define if you want to allow MD5 passwords])
			MD5_MSG="yes"
			;;
		esac
	]
)
4891
4892# Whether to disable shadow password support
4893AC_ARG_WITH([shadow],
4894	[  --without-shadow        Disable shadow password support],
4895	[
4896		if test "x$withval" = "xno" ; then
4897			AC_DEFINE([DISABLE_SHADOW])
4898			disable_shadow=yes
4899		fi
4900	]
4901)
4902
4903if test -z "$disable_shadow" ; then
4904	AC_MSG_CHECKING([if the systems has expire shadow information])
4905	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4906#include <sys/types.h>
4907#include <shadow.h>
4908struct spwd sp;
4909		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4910		[ sp_expire_available=yes ], [
4911	])
4912
4913	if test "x$sp_expire_available" = "xyes" ; then
4914		AC_MSG_RESULT([yes])
4915		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4916		    [Define if you want to use shadow password expire field])
4917	else
4918		AC_MSG_RESULT([no])
4919	fi
4920fi
4921
4922# Use ip address instead of hostname in $DISPLAY
4923if test ! -z "$IPADDR_IN_DISPLAY" ; then
4924	DISPLAY_HACK_MSG="yes"
4925	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4926		[Define if you need to use IP address
4927		instead of hostname in $DISPLAY])
4928else
4929	DISPLAY_HACK_MSG="no"
4930	AC_ARG_WITH([ipaddr-display],
4931		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4932		[
4933			if test "x$withval" != "xno" ; then
4934				AC_DEFINE([IPADDR_IN_DISPLAY])
4935				DISPLAY_HACK_MSG="yes"
4936			fi
4937		]
4938	)
4939fi
4940
4941# check for /etc/default/login and use it if present.
4942AC_ARG_ENABLE([etc-default-login],
4943	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4944	[ if test "x$enableval" = "xno"; then
4945		AC_MSG_NOTICE([/etc/default/login handling disabled])
4946		etc_default_login=no
4947	  else
4948		etc_default_login=yes
4949	  fi ],
4950	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4951	  then
4952		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4953		etc_default_login=no
4954	  else
4955		etc_default_login=yes
4956	  fi ]
4957)
4958
4959if test "x$etc_default_login" != "xno"; then
4960	AC_CHECK_FILE(["/etc/default/login"],
4961	    [ external_path_file=/etc/default/login ])
4962	if test "x$external_path_file" = "x/etc/default/login"; then
4963		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4964			[Define if your system has /etc/default/login])
4965	fi
4966fi
4967
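dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both cache variables are quoted and x-prefixed: if either one is unset,
dnl an unquoted expansion leaves test with a missing operand and it reports
dnl a syntax error instead of simply evaluating to false.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi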
4973
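# Whether to mess with the default path
#
# user_path becomes the USER_PATH define, the default PATH described by the
# option help as the server's $PATH environment.  Without the option it is
# taken from the system's _PATH_STDPATH, and bindir is appended when it is
# not already one of the entries.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		t_bindir="${bindir}"
		# EGREP comes from AC_PROG_EGREP, so no bare egrep command
		# has to exist on the build host.
		while echo "${t_bindir}" | $EGREP '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole colon-separated entries.  A grep for the bare
		# directory treats it as a regular expression and also accepts
		# a longer entry that merely starts with it, in which case
		# bindir would be left out of the path.
		case ":$user_path:" in
			*":$t_bindir:"*)
				;;
			*)
				user_path=$user_path:$t_bindir
				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
				;;
		esac
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi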
5062
5063# Set superuser path separately to user path
5064AC_ARG_WITH([superuser-path],
5065	[  --with-superuser-path=  Specify different path for super-user],
5066	[
5067		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5068		    test "x${withval}" != "xyes"; then
5069			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5070				[Define if you want a different $PATH
5071				for the superuser])
5072			superuser_path=$withval
5073		fi
5074	]
5075)
5076
5077
5078AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5079IPV4_IN6_HACK_MSG="no"
5080AC_ARG_WITH(4in6,
5081	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5082	[
5083		if test "x$withval" != "xno" ; then
5084			AC_MSG_RESULT([yes])
5085			AC_DEFINE([IPV4_IN_IPV6], [1],
5086				[Detect IPv4 in IPv6 mapped addresses
5087				and treat as IPv4])
5088			IPV4_IN6_HACK_MSG="yes"
5089		else
5090			AC_MSG_RESULT([no])
5091		fi
5092	], [
5093		if test "x$inet6_default_4in6" = "xyes"; then
5094			AC_MSG_RESULT([yes (default)])
5095			AC_DEFINE([IPV4_IN_IPV6])
5096			IPV4_IN6_HACK_MSG="yes"
5097		else
5098			AC_MSG_RESULT([no (default)])
5099		fi
5100	]
5101)
5102
5103# Whether to enable BSD auth support
5104BSD_AUTH_MSG=no
5105AC_ARG_WITH([bsd-auth],
5106	[  --with-bsd-auth         Enable BSD auth support],
5107	[
5108		if test "x$withval" != "xno" ; then
5109			AC_DEFINE([BSD_AUTH], [1],
5110				[Define if you have BSD auth support])
5111			BSD_AUTH_MSG=yes
5112		fi
5113	]
5114)
5115
# Where to place sshd.pid
piddir=/var/run
# Make sure the directory exists. This probes the machine running configure,
# which is not necessarily the machine sshd will be installed on.
if test ! -d $piddir ; then
	# Fall back to the expanded sysconfdir. If the result still starts with
	# the placeholder NONE, substitute the default prefix for it.
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi
5125
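# --with-pid-dir=PATH overrides the default pid directory chosen above. The
# values "yes", "no" and the empty string are ignored. A missing directory
# only produces a warning; the check looks at the machine running configure.
# The path is quoted in the directory test so that a value containing
# whitespace or glob characters is tested as a single word instead of making
# the test fail and silently skipping the warning.
AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			if test ! -d "$piddir" ; then
			AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)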
5138
dnl Compile the chosen directory in as _PATH_SSH_PIDDIR and export piddir for
dnl substitution into the generated files.
AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])
5142
dnl Allow the user to disable some login recording features.
dnl Each --disable-X below defines DISABLE_X, for X in lastlog, utmp, utmpx,
dnl wtmp and wtmpx. Any other argument value defines nothing here and leaves
dnl the decision to the detection code further down.
dnl NOTE(review): these are the databases that tools such as who and last
dnl read, so a build with them disabled presumably leaves no sshd entries
dnl there; keep another login audit source if you use these switches.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_LASTLOG])
		fi
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_UTMP])
		fi
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
		fi
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_WTMP])
		fi
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
		fi
	]
)
dnl Switches for the routines used to write login records.
dnl --disable-libutil defines DISABLE_LOGIN (note the differing name),
dnl --disable-pututline defines DISABLE_PUTUTLINE and --disable-pututxline
dnl defines DISABLE_PUTUTXLINE. Any other argument value defines nothing.
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_LOGIN])
		fi
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
		fi
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
		fi
	]
)
dnl --with-lastlog=FILE|DIR: the value "no" defines DISABLE_LASTLOG; any other
dnl non-empty value except "yes" is stored in conf_lastlog_location, which
dnl makes the file search further down a no-op. The path is not checked for
dnl existence here.
AC_ARG_WITH([lastlog],
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		if test "x$withval" = "xno" ; then
			AC_DEFINE([DISABLE_LASTLOG])
		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
			conf_lastlog_location=$withval
		fi
	]
)
5224
dnl lastlog, [uw]tmpx? detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog and [uw]tmp are subject to a file search if all else fails

dnl lastlog detection
dnl  NOTE: the code itself will detect if lastlog is a directory
dnl Two compile probes are tried in order: LASTLOG_FILE first, then
dnl _PATH_LASTLOG. Only when both fail is system_lastlog_path set to "no",
dnl which is what enables the file search that follows this block.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
			AC_MSG_RESULT([no])
			system_lastlog_path=no
		])
])
5266
dnl No explicit location and no system macro: probe well-known paths on the
dnl machine running configure, accepting either a file or a directory. The
dnl loop has no break, so when several candidates exist the last one in the
dnl list is the one kept.
if test -z "$conf_lastlog_location"; then
	if test x"$system_lastlog_path" = x"no" ; then
		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
				if (test -d "$f" || test -f "$f") ; then
					conf_lastlog_location=$f
				fi
		done
		if test -z "$conf_lastlog_location"; then
			AC_MSG_WARN([** Cannot find lastlog **])
			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
		fi
	fi
fi

dnl Compile in the explicit or discovered location, if there is one.
if test -n "$conf_lastlog_location"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5285
dnl utmp detection
dnl Compile probe for UTMP_FILE; failure sets system_utmp_path to "no".
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_utmp_path=no
])
dnl With no preset conf_utmp_location (per the note above the lastlog
dnl detection, such paths are meant to be set in the platform section) and no
dnl system macro, look for a regular file on the machine running configure.
dnl The last existing candidate wins; finding none defines DISABLE_UTMP.
if test -z "$conf_utmp_location"; then
	if test x"$system_utmp_path" = x"no" ; then
		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
			if test -f $f ; then
				conf_utmp_location=$f
			fi
		done
		if test -z "$conf_utmp_location"; then
			AC_DEFINE([DISABLE_UTMP])
		fi
	fi
fi
dnl Compile in the preset or discovered location, if there is one.
if test -n "$conf_utmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi
5315
dnl wtmp detection
dnl Compile probe for WTMP_FILE; failure sets system_wtmp_path to "no".
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_wtmp_path=no
])
dnl With no preset conf_wtmp_location and no system macro, look for a regular
dnl file on the machine running configure. The last existing candidate wins;
dnl finding none defines DISABLE_WTMP.
if test -z "$conf_wtmp_location"; then
	if test x"$system_wtmp_path" = x"no" ; then
		for f in /usr/adm/wtmp /var/log/wtmp; do
			if test -f $f ; then
				conf_wtmp_location=$f
			fi
		done
		if test -z "$conf_wtmp_location"; then
			AC_DEFINE([DISABLE_WTMP])
		fi
	fi
fi
dnl Compile in the preset or discovered location, if there is one.
if test -n "$conf_wtmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi
5345
dnl wtmpx detection
dnl Compile probe for WTMPX_FILE; failure sets system_wtmpx_path to "no".
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_wtmpx_path=no
])
dnl Unlike utmp and wtmp there is no file search here: without a preset
dnl conf_wtmpx_location and without the system macro, DISABLE_WTMPX is
dnl defined. A preset location is compiled in as CONF_WTMPX_FILE.
if test -z "$conf_wtmpx_location"; then
	if test x"$system_wtmpx_path" = x"no" ; then
		AC_DEFINE([DISABLE_WTMPX])
	fi
else
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
fi
5370
5371
# When blibpath is set (it and blibflags come from outside this part of the
# file), append the library search path option to LDFLAGS and ask the builder
# to review it in the Makefile. A library search path baked into the binaries
# decides where shared libraries are loaded from at runtime, so it should
# list only directories that unprivileged users cannot write to.
if test ! -z "$blibpath" ; then
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
5376
dnl Structure check: when struct lastlog has no ll_line member, define
dnl DISABLE_LASTLOG unless SKIP_DISABLE_LASTLOG_DEFINE is "yes" (that variable
dnl is set outside this part of the file).
dnl NOTE(review): the variable is expanded unquoted in the test below, unlike
dnl most other tests in this file.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
	AC_DEFINE([DISABLE_LASTLOG])
    fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
5395
dnl Structure check: when struct utmp has no ut_line member, both
dnl DISABLE_UTMP and DISABLE_WTMP are defined.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
5413
dnl Adding -Werror to CFLAGS early prevents configure tests from running:
dnl a probe program that merely produces a warning would then fail to compile
dnl and the feature would be reported as missing. Add the flags now.
dnl NOTE(review): the BROKEN_GETADDRINFO declaration check a few lines below
dnl still runs after this point, so it is compiled with these flags.
CFLAGS="$CFLAGS $werror_flags"
5417
# Settings exported for substitution into the generated files. TEST_SSH_IPV6
# is "yes" only when configure found getaddrinfo and BROKEN_GETADDRINFO is
# not declared.
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
	TEST_SSH_IPV6=no
else
	TEST_SSH_IPV6=yes
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
# DEPEND is filled with the contents of .depend from the source directory.
# NOTE(review): srcdir is expanded unquoted inside the command substitution.
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5429
# Append the late flag sets; CFLAGS_AFTER and LDFLAGS_AFTER are set outside
# this part of the file.
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
# Each sed expression has no g flag and includes the leading space, so it
# removes only the first occurrence and leaves a flag that sits at the very
# start of the string. When checking which objects are built as PIE, compare
# these copies with the full flags printed in the summary.
LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])
5438
dnl Register the files to generate and write them out. The shell code that
dnl follows AC_OUTPUT in this file only prints the configuration summary.
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
	survey.sh])
AC_OUTPUT
5444
# Print summary of options

# Someone please show me a better way :)
# Each value is passed through eval echo repeatedly so that references to
# other variables inside it are expanded for display. eval treats the value
# as shell input, so anything passed to configure for these settings is
# interpreted by the shell here; configure arguments must come from a trusted
# source.
A=`eval echo ${prefix}` ; A=`eval echo ${A}`
B=`eval echo ${bindir}` ; B=`eval echo ${B}`
C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
G=`eval echo ${piddir}` ; G=`eval echo ${G}`
H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
I=`eval echo ${user_path}` ; I=`eval echo ${I}`
J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5458
# Summary of the selected options, using the expanded paths computed above
# and the status variables set by the checks earlier in the script. Review
# this output after every configure run: it shows the PATH values compiled
# into sshd, the privilege separation chroot path, the sandbox style and the
# random number source that were actually selected.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
# The PATH lines depend on whether PATH comes from /etc/login.conf at
# runtime, from the compiled-in default, or from another external file.
if test "x$external_path_file" = "x/etc/login.conf" ; then
echo "   At runtime, sshd will use the path defined in $external_path_file"
echo "   Make sure the path to scp is present, otherwise scp will not work"
else
echo "            sshd default user PATH: $I"
	if test ! -z "$external_path_file"; then
echo "   (If PATH is set in $external_path_file it will be used instead. If"
echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
# Printed only when a separate superuser path was requested.
if test ! -z "$superuser_path" ; then
echo "          sshd superuser user PATH: $J"
fi
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"
5499
# Build environment as it stands at the end of configure. The compiler and
# linker flag lines are the place to confirm that the hardening options you
# expect are present.
echo ""

echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
# Extra libraries used only for sshd, shown when any are set.
if test ! -z "${SSHDLIBS}"; then
echo "         +for sshd: ${SSHDLIBS}"
fi

echo ""
5513
# Closing notices, each printed only when its condition holds. The variables
# tested here are set earlier in the script, outside this part of the file.
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
fi

# Reminder that a PAM build needs a PAM control file for sshd.
if test "x$PAM_MSG" = "xyes" ; then
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
fi

# Security warning: the platform offers none of the peer credential
# facilities named in the message, which ssh-agent uses to check who is
# connecting to its socket. On such a system, access to the agent socket
# should be restricted by other means, such as its file permissions.
if test ! -z "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

# BSM audit support is flagged as experimental when that audit module is
# selected.
if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
5541