xref: /openssh-portable/configure.ac (revision a2f3ae38)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
38AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
39AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
40AC_PATH_PROG([SH], [sh])
41AC_PATH_PROG([GROFF], [groff])
42AC_PATH_PROG([NROFF], [nroff awf])
43AC_PATH_PROG([MANDOC], [mandoc])
44AC_SUBST([TEST_SHELL], [sh])
45
46dnl select manpage formatter to be used to build "cat" format pages.
47if test "x$MANDOC" != "x" ; then
48	MANFMT="$MANDOC"
49elif test "x$NROFF" != "x" ; then
50	MANFMT="$NROFF -mandoc"
51elif test "x$GROFF" != "x" ; then
52	MANFMT="$GROFF -mandoc -Tascii"
53else
54	AC_MSG_WARN([no manpage formatter found])
55	MANFMT="false"
56fi
57AC_SUBST([MANFMT])
58
59dnl for buildpkg.sh
60AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
61	[/usr/sbin${PATH_SEPARATOR}/etc])
62AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
65if test -x /sbin/sh; then
66	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
67else
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
69fi
70
71# System features
72AC_SYS_LARGEFILE
73
74if test -z "$AR" ; then
75	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
76fi
77
78AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
79if test ! -z "$PATH_PASSWD_PROG" ; then
80	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
81		[Full path of your "passwd" program])
82fi
83
84dnl Since autoconf doesn't support it very well,  we no longer allow users to
85dnl override LD, however keeping the hook here for now in case there's a use
86dnl use case we overlooked and someone needs to re-enable it.  Unless a good
87dnl reason is found we'll be removing this in future.
88LD="$CC"
89AC_SUBST([LD])
90
91AC_C_INLINE
92
93AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
94AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
95AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
96	#include <sys/types.h>
97	#include <sys/param.h>
98	#include <dev/systrace.h>
99])
100AC_CHECK_DECL([RLIMIT_NPROC],
101    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
102	#include <sys/types.h>
103	#include <sys/resource.h>
104])
105AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
106	#include <sys/types.h>
107	#include <linux/prctl.h>
108])
109
110openssl=yes
111AC_ARG_WITH([openssl],
112	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
113	[  if test "x$withval" = "xno" ; then
114		openssl=no
115	   fi
116	]
117)
118AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
119if test "x$openssl" = "xyes" ; then
120	AC_MSG_RESULT([yes])
121	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
122else
123	AC_MSG_RESULT([no])
124fi
125
126use_stack_protector=1
127use_toolchain_hardening=1
128AC_ARG_WITH([stackprotect],
129    [  --without-stackprotect  Don't use compiler's stack protection], [
130    if test "x$withval" = "xno"; then
131	use_stack_protector=0
132    fi ])
133AC_ARG_WITH([hardening],
134    [  --without-hardening     Don't use toolchain hardening flags], [
135    if test "x$withval" = "xno"; then
136	use_toolchain_hardening=0
137    fi ])
138
139# We use -Werror for the tests only so that we catch warnings like "this is
140# on by default" for things like -fPIE.
141AC_MSG_CHECKING([if $CC supports -Werror])
142saved_CFLAGS="$CFLAGS"
143CFLAGS="$CFLAGS -Werror"
144AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
145	[ AC_MSG_RESULT([yes])
146	  WERROR="-Werror"],
147	[ AC_MSG_RESULT([no])
148	  WERROR="" ]
149)
150CFLAGS="$saved_CFLAGS"
151
152if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
153	OSSH_CHECK_CFLAG_COMPILE([-pipe])
154	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
155	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
156	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
157	OSSH_CHECK_CFLAG_COMPILE([-Wall])
158	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
159	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
160	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
161	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
162	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
163	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
164	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
165	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
166	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
167	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
168	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
169    if test "x$use_toolchain_hardening" = "x1"; then
170	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
171	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
172	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
173	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
174	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
175	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
176	# NB. -ftrapv expects certain support functions to be present in
177	# the compiler library (libgcc or similar) to detect integer operations
178	# that can overflow. We must check that the result of enabling it
179	# actually links. The test program compiled/linked includes a number
180	# of integer operations that should exercise this.
181	OSSH_CHECK_CFLAG_LINK([-ftrapv])
182    fi
183	AC_MSG_CHECKING([gcc version])
184	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
185	case $GCC_VER in
186		1.*) no_attrib_nonnull=1 ;;
187		2.8* | 2.9*)
188		     no_attrib_nonnull=1
189		     ;;
190		2.*) no_attrib_nonnull=1 ;;
191		*) ;;
192	esac
193	AC_MSG_RESULT([$GCC_VER])
194
195	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
196	saved_CFLAGS="$CFLAGS"
197	CFLAGS="$CFLAGS -fno-builtin-memset"
198	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
199			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
200		[ AC_MSG_RESULT([yes]) ],
201		[ AC_MSG_RESULT([no])
202		  CFLAGS="$saved_CFLAGS" ]
203	)
204
205	# -fstack-protector-all doesn't always work for some GCC versions
206	# and/or platforms, so we test if we can.  If it's not supported
207	# on a given platform gcc will emit a warning so we use -Werror.
208	if test "x$use_stack_protector" = "x1"; then
209	    for t in -fstack-protector-strong -fstack-protector-all \
210		    -fstack-protector; do
211		AC_MSG_CHECKING([if $CC supports $t])
212		saved_CFLAGS="$CFLAGS"
213		saved_LDFLAGS="$LDFLAGS"
214		CFLAGS="$CFLAGS $t -Werror"
215		LDFLAGS="$LDFLAGS $t -Werror"
216		AC_LINK_IFELSE(
217			[AC_LANG_PROGRAM([[
218	#include <stdio.h>
219	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
220			 ]],
221			[[
222	char x[256];
223	snprintf(x, sizeof(x), "XXX%d", func(1));
224			 ]])],
225		    [ AC_MSG_RESULT([yes])
226		      CFLAGS="$saved_CFLAGS $t"
227		      LDFLAGS="$saved_LDFLAGS $t"
228		      AC_MSG_CHECKING([if $t works])
229		      AC_RUN_IFELSE(
230			[AC_LANG_PROGRAM([[
231	#include <stdio.h>
232	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
233			]],
234			[[
235	char x[256];
236	snprintf(x, sizeof(x), "XXX%d", func(1));
237			]])],
238			[ AC_MSG_RESULT([yes])
239			  break ],
240			[ AC_MSG_RESULT([no]) ],
241			[ AC_MSG_WARN([cross compiling: cannot test])
242			  break ]
243		      )
244		    ],
245		    [ AC_MSG_RESULT([no]) ]
246		)
247		CFLAGS="$saved_CFLAGS"
248		LDFLAGS="$saved_LDFLAGS"
249	    done
250	fi
251
252	if test -z "$have_llong_max"; then
253		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
254		unset ac_cv_have_decl_LLONG_MAX
255		saved_CFLAGS="$CFLAGS"
256		CFLAGS="$CFLAGS -std=gnu99"
257		AC_CHECK_DECL([LLONG_MAX],
258		    [have_llong_max=1],
259		    [CFLAGS="$saved_CFLAGS"],
260		    [#include <limits.h>]
261		)
262	fi
263fi
264
265AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
266AC_COMPILE_IFELSE(
267    [AC_LANG_PROGRAM([[
268#include <stdlib.h>
269__attribute__((__unused__)) static void foo(void){return;}]],
270    [[ exit(0); ]])],
271    [ AC_MSG_RESULT([yes]) ],
272    [ AC_MSG_RESULT([no])
273      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
274	 [compiler does not accept __attribute__ on return types]) ]
275)
276
277AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
278AC_COMPILE_IFELSE(
279    [AC_LANG_PROGRAM([[
280#include <stdlib.h>
281typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
282    [[ exit(0); ]])],
283    [ AC_MSG_RESULT([yes]) ],
284    [ AC_MSG_RESULT([no])
285      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
286	 [compiler does not accept __attribute__ on prototype args]) ]
287)
288
289if test "x$no_attrib_nonnull" != "x1" ; then
290	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
291fi
292
293AC_ARG_WITH([rpath],
294	[  --without-rpath         Disable auto-added -R linker paths],
295	[
296		if test "x$withval" = "xno" ; then
297			rpath_opt=""
298		elif test "x$withval" = "xyes" ; then
299			rpath_opt="-R"
300		else
301			rpath_opt="$withval"
302		fi
303	]
304)
305
306# Allow user to specify flags
307AC_ARG_WITH([cflags],
308	[  --with-cflags           Specify additional flags to pass to compiler],
309	[
310		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
311		    test "x${withval}" != "xyes"; then
312			CFLAGS="$CFLAGS $withval"
313		fi
314	]
315)
316
317AC_ARG_WITH([cflags-after],
318	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
319	[
320		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
321		    test "x${withval}" != "xyes"; then
322			CFLAGS_AFTER="$withval"
323		fi
324	]
325)
326AC_ARG_WITH([cppflags],
327	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
328	[
329		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
330		    test "x${withval}" != "xyes"; then
331			CPPFLAGS="$CPPFLAGS $withval"
332		fi
333	]
334)
335AC_ARG_WITH([ldflags],
336	[  --with-ldflags          Specify additional flags to pass to linker],
337	[
338		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
339		    test "x${withval}" != "xyes"; then
340			LDFLAGS="$LDFLAGS $withval"
341		fi
342	]
343)
344AC_ARG_WITH([ldflags-after],
345	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
346	[
347		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
348		    test "x${withval}" != "xyes"; then
349			LDFLAGS_AFTER="$withval"
350		fi
351	]
352)
353AC_ARG_WITH([libs],
354	[  --with-libs             Specify additional libraries to link with],
355	[
356		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
357		    test "x${withval}" != "xyes"; then
358			LIBS="$LIBS $withval"
359		fi
360	]
361)
362AC_ARG_WITH([Werror],
363	[  --with-Werror           Build main code with -Werror],
364	[
365		if test -n "$withval"  &&  test "x$withval" != "xno"; then
366			werror_flags="-Werror"
367			if test "x${withval}" != "xyes"; then
368				werror_flags="$withval"
369			fi
370		fi
371	]
372)
373
374AC_CHECK_HEADERS([ \
375	blf.h \
376	bstring.h \
377	crypt.h \
378	crypto/sha2.h \
379	dirent.h \
380	endian.h \
381	elf.h \
382	err.h \
383	features.h \
384	fcntl.h \
385	floatingpoint.h \
386	fnmatch.h \
387	getopt.h \
388	glob.h \
389	ia.h \
390	iaf.h \
391	ifaddrs.h \
392	inttypes.h \
393	langinfo.h \
394	limits.h \
395	locale.h \
396	login.h \
397	maillock.h \
398	ndir.h \
399	net/if_tun.h \
400	netdb.h \
401	netgroup.h \
402	pam/pam_appl.h \
403	paths.h \
404	poll.h \
405	pty.h \
406	readpassphrase.h \
407	rpc/types.h \
408	security/pam_appl.h \
409	sha2.h \
410	shadow.h \
411	stddef.h \
412	stdint.h \
413	string.h \
414	strings.h \
415	sys/bitypes.h \
416	sys/byteorder.h \
417	sys/bsdtty.h \
418	sys/cdefs.h \
419	sys/dir.h \
420	sys/file.h \
421	sys/mman.h \
422	sys/label.h \
423	sys/ndir.h \
424	sys/poll.h \
425	sys/prctl.h \
426	sys/pstat.h \
427	sys/ptrace.h \
428	sys/random.h \
429	sys/select.h \
430	sys/stat.h \
431	sys/stream.h \
432	sys/stropts.h \
433	sys/strtio.h \
434	sys/statvfs.h \
435	sys/sysmacros.h \
436	sys/time.h \
437	sys/timers.h \
438	sys/vfs.h \
439	time.h \
440	tmpdir.h \
441	ttyent.h \
442	ucred.h \
443	unistd.h \
444	usersec.h \
445	util.h \
446	utime.h \
447	utmp.h \
448	utmpx.h \
449	vis.h \
450	wchar.h \
451])
452
453# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
454# to be included first.
455AC_CHECK_HEADERS([sys/audit.h], [], [], [
456#ifdef HAVE_SYS_TIME_H
457# include <sys/time.h>
458#endif
459#ifdef HAVE_SYS_TYPES_H
460# include <sys/types.h>
461#endif
462#ifdef HAVE_SYS_LABEL_H
463# include <sys/label.h>
464#endif
465])
466
467# sys/capsicum.h requires sys/types.h
468AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
469#ifdef HAVE_SYS_TYPES_H
470# include <sys/types.h>
471#endif
472])
473
474# net/route.h requires sys/socket.h and sys/types.h.
475# sys/sysctl.h also requires sys/param.h
476AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
477#ifdef HAVE_SYS_TYPES_H
478# include <sys/types.h>
479#endif
480#include <sys/param.h>
481#include <sys/socket.h>
482])
483
484# lastlog.h requires sys/time.h to be included first on Solaris
485AC_CHECK_HEADERS([lastlog.h], [], [], [
486#ifdef HAVE_SYS_TIME_H
487# include <sys/time.h>
488#endif
489])
490
491# sys/ptms.h requires sys/stream.h to be included first on Solaris
492AC_CHECK_HEADERS([sys/ptms.h], [], [], [
493#ifdef HAVE_SYS_STREAM_H
494# include <sys/stream.h>
495#endif
496])
497
498# login_cap.h requires sys/types.h on NetBSD
499AC_CHECK_HEADERS([login_cap.h], [], [], [
500#include <sys/types.h>
501])
502
503# older BSDs need sys/param.h before sys/mount.h
504AC_CHECK_HEADERS([sys/mount.h], [], [], [
505#include <sys/param.h>
506])
507
508# Android requires sys/socket.h to be included before sys/un.h
509AC_CHECK_HEADERS([sys/un.h], [], [], [
510#include <sys/types.h>
511#include <sys/socket.h>
512])
513
514# Messages for features tested for in target-specific section
515SIA_MSG="no"
516SPC_MSG="no"
517SP_MSG="no"
518SPP_MSG="no"
519
520# Support for Solaris/Illumos privileges (this test is used by both
521# the --with-solaris-privs option and --with-sandbox=solaris).
522SOLARIS_PRIVS="no"
523
524AC_CHECK_SIZEOF([size_t])
525
526# Check for some target-specific stuff
527case "$host" in
528*-*-aix*)
529	# Some versions of VAC won't allow macro redefinitions at
530	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
531	# particularly with older versions of vac or xlc.
532	# It also throws errors about null macro arguments, but these are
533	# not fatal.
534	AC_MSG_CHECKING([if compiler allows macro redefinitions])
535	AC_COMPILE_IFELSE(
536	    [AC_LANG_PROGRAM([[
537#define testmacro foo
538#define testmacro bar]],
539	    [[ exit(0); ]])],
540	    [ AC_MSG_RESULT([yes]) ],
541	    [ AC_MSG_RESULT([no])
542	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
543	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
544	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
545	    ]
546	)
547
548	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
549	if (test -z "$blibpath"); then
550		blibpath="/usr/lib:/lib"
551	fi
552	saved_LDFLAGS="$LDFLAGS"
553	if test "$GCC" = "yes"; then
554		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
555	else
556		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
557	fi
558	for tryflags in $flags ;do
559		if (test -z "$blibflags"); then
560			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
561			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
562			[blibflags=$tryflags], [])
563		fi
564	done
565	if (test -z "$blibflags"); then
566		AC_MSG_RESULT([not found])
567		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
568	else
569		AC_MSG_RESULT([$blibflags])
570	fi
571	LDFLAGS="$saved_LDFLAGS"
572	dnl Check for authenticate.  Might be in libs.a on older AIXes
573	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
574		[Define if you want to enable AIX4's authenticate function])],
575		[AC_CHECK_LIB([s], [authenticate],
576			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
577				LIBS="$LIBS -ls"
578			])
579		])
580	dnl Check for various auth function declarations in headers.
581	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
582	    passwdexpired, setauthdb], , , [#include <usersec.h>])
583	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
584	AC_CHECK_DECLS([loginfailed],
585	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
586	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
587		[[ (void)loginfailed("user","host","tty",0); ]])],
588		[AC_MSG_RESULT([yes])
589		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
590			[Define if your AIX loginfailed() function
591			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
592	    ])],
593	    [],
594	    [#include <usersec.h>]
595	)
596	AC_CHECK_FUNCS([getgrset setauthdb])
597	AC_CHECK_DECL([F_CLOSEM],
598	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
599	    [],
600	    [ #include <limits.h>
601	      #include <fcntl.h> ]
602	)
603	check_for_aix_broken_getaddrinfo=1
604	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
605	    [Define if your platform breaks doing a seteuid before a setuid])
606	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
607	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
608	dnl AIX handles lastlog as part of its login message
609	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
610	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
611		[Some systems need a utmpx entry for /bin/login to work])
612	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
613		[Define to a Set Process Title type if your system is
614		supported by bsd-setproctitle.c])
615	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
616	    [AIX 5.2 and 5.3 (and presumably newer) require this])
617	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
618	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
619	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
620	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
621	;;
622*-*-android*)
623	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
624	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
625	;;
626*-*-cygwin*)
627	check_for_libcrypt_later=1
628	LIBS="$LIBS /usr/lib/textreadmode.o"
629	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
630	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
631	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
632		[Define to disable UID restoration test])
633	AC_DEFINE([DISABLE_SHADOW], [1],
634		[Define if you want to disable shadow passwords])
635	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
636		[Define if X11 doesn't support AF_UNIX sockets on that system])
637	AC_DEFINE([DISABLE_FD_PASSING], [1],
638		[Define if your platform needs to skip post auth
639		file descriptor passing])
640	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
641	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
642	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
643	# reasons which cause compile warnings, so we disable those warnings.
644	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
645	;;
646*-*-dgux*)
647	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
648		[Define if your system choked on IP TOS setting])
649	AC_DEFINE([SETEUID_BREAKS_SETUID])
650	AC_DEFINE([BROKEN_SETREUID])
651	AC_DEFINE([BROKEN_SETREGID])
652	;;
653*-*-darwin*)
654	use_pie=auto
655	AC_MSG_CHECKING([if we have working getaddrinfo])
656	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
657main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
658		exit(0);
659	else
660		exit(1);
661}
662			]])],
663	[AC_MSG_RESULT([working])],
664	[AC_MSG_RESULT([buggy])
665	AC_DEFINE([BROKEN_GETADDRINFO], [1],
666		[getaddrinfo is broken (if present)])
667	],
668	[AC_MSG_RESULT([assume it is working])])
669	AC_DEFINE([SETEUID_BREAKS_SETUID])
670	AC_DEFINE([BROKEN_SETREUID])
671	AC_DEFINE([BROKEN_SETREGID])
672	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
673	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
674		[Define if your resolver libs need this for getrrsetbyname])
675	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
676	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
677	    [Use tunnel device compatibility to OpenBSD])
678	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
679	    [Prepend the address family to IP tunnel traffic])
680	m4_pattern_allow([AU_IPv])
681	AC_CHECK_DECL([AU_IPv4], [],
682	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
683	    [#include <bsm/audit.h>]
684	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
685	    [Define if pututxline updates lastlog too])
686	)
687	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
688		[Define to a Set Process Title type if your system is
689		supported by bsd-setproctitle.c])
690	AC_CHECK_FUNCS([sandbox_init])
691	AC_CHECK_HEADERS([sandbox.h])
692	AC_CHECK_LIB([sandbox], [sandbox_apply], [
693	    SSHDLIBS="$SSHDLIBS -lsandbox"
694	])
695	# proc_pidinfo()-based closefrom() replacement.
696	AC_CHECK_HEADERS([libproc.h])
697	AC_CHECK_FUNCS([proc_pidinfo])
698	;;
699*-*-dragonfly*)
700	SSHDLIBS="$SSHDLIBS -lcrypt"
701	TEST_MALLOC_OPTIONS="AFGJPRX"
702	;;
703*-*-haiku*)
704	LIBS="$LIBS -lbsd "
705	CFLAGS="$CFLAGS -D_BSD_SOURCE"
706	AC_CHECK_LIB([network], [socket])
707	AC_DEFINE([HAVE_U_INT64_T])
708	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
709	MANTYPE=man
710	;;
711*-*-hpux*)
712	# first we define all of the options common to all HP-UX releases
713	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
714	IPADDR_IN_DISPLAY=yes
715	AC_DEFINE([USE_PIPES])
716	AC_DEFINE([LOGIN_NEEDS_UTMPX])
717	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
718		[String used in /etc/passwd to denote locked account])
719	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
720	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
721	maildir="/var/mail"
722	LIBS="$LIBS -lsec"
723	AC_CHECK_LIB([xnet], [t_error], ,
724	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
725
726	# next, we define all of the options specific to major releases
727	case "$host" in
728	*-*-hpux10*)
729		if test -z "$GCC"; then
730			CFLAGS="$CFLAGS -Ae"
731		fi
732		;;
733	*-*-hpux11*)
734		AC_DEFINE([PAM_SUN_CODEBASE], [1],
735			[Define if you are using Solaris-derived PAM which
736			passes pam_messages to the conversation function
737			with an extra level of indirection])
738		AC_DEFINE([DISABLE_UTMP], [1],
739			[Define if you don't want to use utmp])
740		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
741		check_for_hpux_broken_getaddrinfo=1
742		check_for_conflicting_getspnam=1
743		;;
744	esac
745
746	# lastly, we define options specific to minor releases
747	case "$host" in
748	*-*-hpux10.26)
749		AC_DEFINE([HAVE_SECUREWARE], [1],
750			[Define if you have SecureWare-based
751			protected password database])
752		disable_ptmx_check=yes
753		LIBS="$LIBS -lsecpw"
754		;;
755	esac
756	;;
757*-*-irix5*)
758	PATH="$PATH:/usr/etc"
759	AC_DEFINE([BROKEN_INET_NTOA], [1],
760		[Define if you system's inet_ntoa is busted
761		(e.g. Irix gcc issue)])
762	AC_DEFINE([SETEUID_BREAKS_SETUID])
763	AC_DEFINE([BROKEN_SETREUID])
764	AC_DEFINE([BROKEN_SETREGID])
765	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
766		[Define if you shouldn't strip 'tty' from your
767		ttyname in [uw]tmp])
768	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
769	;;
770*-*-irix6*)
771	PATH="$PATH:/usr/etc"
772	AC_DEFINE([WITH_IRIX_ARRAY], [1],
773		[Define if you have/want arrays
774		(cluster-wide session management, not C arrays)])
775	AC_DEFINE([WITH_IRIX_PROJECT], [1],
776		[Define if you want IRIX project management])
777	AC_DEFINE([WITH_IRIX_AUDIT], [1],
778		[Define if you want IRIX audit trails])
779	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
780		[Define if you want IRIX kernel jobs])])
781	AC_DEFINE([BROKEN_INET_NTOA])
782	AC_DEFINE([SETEUID_BREAKS_SETUID])
783	AC_DEFINE([BROKEN_SETREUID])
784	AC_DEFINE([BROKEN_SETREGID])
785	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
786	AC_DEFINE([WITH_ABBREV_NO_TTY])
787	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
788	;;
789*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
790	check_for_libcrypt_later=1
791	AC_DEFINE([PAM_TTY_KLUDGE])
792	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
793	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
794	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
795	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
796	;;
797*-*-linux*)
798	no_dev_ptmx=1
799	use_pie=auto
800	check_for_libcrypt_later=1
801	check_for_openpty_ctty_bug=1
802	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
803	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
804	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
805	AC_DEFINE([PAM_TTY_KLUDGE], [1],
806		[Work around problematic Linux PAM modules handling of PAM_TTY])
807	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
808		[String used in /etc/passwd to denote locked account])
809	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
810	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
811		[Define to whatever link() returns for "not supported"
812		if it doesn't return EOPNOTSUPP.])
813	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
814	AC_DEFINE([USE_BTMP])
815	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
816	inet6_default_4in6=yes
817	case `uname -r` in
818	1.*|2.0.*)
819		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
820			[Define if cmsg_type is not passed correctly])
821		;;
822	esac
823	# tun(4) forwarding compat code
824	AC_CHECK_HEADERS([linux/if_tun.h])
825	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
826		AC_DEFINE([SSH_TUN_LINUX], [1],
827		    [Open tunnel devices the Linux tun/tap way])
828		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
829		    [Use tunnel device compatibility to OpenBSD])
830		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
831		    [Prepend the address family to IP tunnel traffic])
832	fi
833	AC_CHECK_HEADER([linux/if.h],
834	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
835		[Support routing domains using Linux VRF]), [], [
836#ifdef HAVE_SYS_TYPES_H
837# include <sys/types.h>
838#endif
839	    ])
840	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
841	    [], [#include <linux/types.h>])
842	# Obtain MIPS ABI
843	case "$host" in
844	mips*)
845		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
846#if _MIPS_SIM != _ABIO32
847#error
848#endif
849			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
850#if _MIPS_SIM != _ABIN32
851#error
852#endif
853				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
854#if _MIPS_SIM != _ABI64
855#error
856#endif
857					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
858				])
859			])
860		])
861		;;
862	esac
863	AC_MSG_CHECKING([for seccomp architecture])
864	seccomp_audit_arch=
865	case "$host" in
866	x86_64-*)
867		seccomp_audit_arch=AUDIT_ARCH_X86_64
868		# X32: AMD64 instructions in 32bit address space.
869		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
870			seccomp_audit_arch=AUDIT_ARCH_I386
871		fi
872		;;
873	i*86-*)
874		seccomp_audit_arch=AUDIT_ARCH_I386
875		;;
876	arm*-*)
877		seccomp_audit_arch=AUDIT_ARCH_ARM
878		;;
879	aarch64*-*)
880		seccomp_audit_arch=AUDIT_ARCH_AARCH64
881		;;
882	s390x-*)
883		seccomp_audit_arch=AUDIT_ARCH_S390X
884		;;
885	s390-*)
886		seccomp_audit_arch=AUDIT_ARCH_S390
887		;;
888	powerpc64-*)
889		seccomp_audit_arch=AUDIT_ARCH_PPC64
890		;;
891	powerpc64le-*)
892		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
893		;;
894	mips-*)
895		seccomp_audit_arch=AUDIT_ARCH_MIPS
896		;;
897	mipsel-*)
898		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
899		;;
900	mips64-*)
901		case "$mips_abi" in
902		"n32")
903			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
904			;;
905		"n64")
906			seccomp_audit_arch=AUDIT_ARCH_MIPS64
907			;;
908		esac
909		;;
910	mips64el-*)
911		case "$mips_abi" in
912		"n32")
913			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
914			;;
915		"n64")
916			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
917			;;
918		esac
919		;;
920	riscv64-*)
921		seccomp_audit_arch=AUDIT_ARCH_RISCV64
922		;;
923	esac
924	if test "x$seccomp_audit_arch" != "x" ; then
925		AC_MSG_RESULT(["$seccomp_audit_arch"])
926		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
927		    [Specify the system call convention in use])
928	else
929		AC_MSG_RESULT([architecture not supported])
930	fi
931	;;
932mips-sony-bsd|mips-sony-newsos4)
933	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
934	SONY=1
935	;;
936*-*-netbsd*)
937	check_for_libcrypt_before=1
938	if test "x$withval" != "xno" ; then
939		rpath_opt="-R"
940	fi
941	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
942	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
943	AC_CHECK_HEADER([net/if_tap.h], ,
944	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
945	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
946	    [Prepend the address family to IP tunnel traffic])
947	TEST_MALLOC_OPTIONS="AJRX"
948	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
949	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
950	;;
951*-*-freebsd*)
952	check_for_libcrypt_later=1
953	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
954	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
955	AC_CHECK_HEADER([net/if_tap.h], ,
956	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
957	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
958	TEST_MALLOC_OPTIONS="AJRX"
959	# Preauth crypto occasionally uses file descriptors for crypto offload
960	# and will crash if they cannot be opened.
961	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
962	    [define if setrlimit RLIMIT_NOFILE breaks things])
963	;;
964*-*-bsdi*)
965	AC_DEFINE([SETEUID_BREAKS_SETUID])
966	AC_DEFINE([BROKEN_SETREUID])
967	AC_DEFINE([BROKEN_SETREGID])
968	;;
969*-next-*)
970	conf_lastlog_location="/usr/adm/lastlog"
971	conf_utmp_location=/etc/utmp
972	conf_wtmp_location=/usr/adm/wtmp
973	maildir=/usr/spool/mail
974	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
975	AC_DEFINE([USE_PIPES])
976	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
977	;;
978*-*-openbsd*)
979	use_pie=auto
980	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
981	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
982	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
983	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
984	    [syslog_r function is safe to use in in a signal handler])
985	TEST_MALLOC_OPTIONS="AFGJPRX"
986	;;
987*-*-solaris*)
988	if test "x$withval" != "xno" ; then
989		rpath_opt="-R"
990	fi
991	AC_DEFINE([PAM_SUN_CODEBASE])
992	AC_DEFINE([LOGIN_NEEDS_UTMPX])
993	AC_DEFINE([PAM_TTY_KLUDGE])
994	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
995		[Define if pam_chauthtok wants real uid set
996		to the unpriv'ed user])
997	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
998	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
999	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1000		[Define if sshd somehow reacquires a controlling TTY
1001		after setsid()])
1002	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1003		in case the name is longer than 8 chars])
1004	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1005	external_path_file=/etc/default/login
1006	# hardwire lastlog location (can't detect it on some versions)
1007	conf_lastlog_location="/var/adm/lastlog"
1008	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1009	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1010	if test "$sol2ver" -ge 8; then
1011		AC_MSG_RESULT([yes])
1012		AC_DEFINE([DISABLE_UTMP])
1013		AC_DEFINE([DISABLE_WTMP], [1],
1014			[Define if you don't want to use wtmp])
1015	else
1016		AC_MSG_RESULT([no])
1017	fi
1018	AC_CHECK_FUNCS([setpflags])
1019	AC_CHECK_FUNCS([setppriv])
1020	AC_CHECK_FUNCS([priv_basicset])
1021	AC_CHECK_HEADERS([priv.h])
1022	AC_ARG_WITH([solaris-contracts],
1023		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1024		[
1025		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1026			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1027				[Define if you have Solaris process contracts])
1028			  LIBS="$LIBS -lcontract"
1029			  SPC_MSG="yes" ], )
1030		],
1031	)
1032	AC_ARG_WITH([solaris-projects],
1033		[  --with-solaris-projects Enable Solaris projects (experimental)],
1034		[
1035		AC_CHECK_LIB([project], [setproject],
1036			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1037				[Define if you have Solaris projects])
1038			LIBS="$LIBS -lproject"
1039			SP_MSG="yes" ], )
1040		],
1041	)
1042	AC_ARG_WITH([solaris-privs],
1043		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1044		[
1045		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1046		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1047			"x$ac_cv_header_priv_h" = "xyes" ; then
1048			SOLARIS_PRIVS=yes
1049			AC_MSG_RESULT([found])
1050			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1051				[Define to disable UID restoration test])
1052			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1053				[Define if you have Solaris privileges])
1054			SPP_MSG="yes"
1055		else
1056			AC_MSG_RESULT([not found])
1057			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1058		fi
1059		],
1060	)
1061	TEST_SHELL=$SHELL	# let configure find us a capable shell
1062	;;
1063*-*-sunos4*)
1064	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1065	AC_CHECK_FUNCS([getpwanam])
1066	AC_DEFINE([PAM_SUN_CODEBASE])
1067	conf_utmp_location=/etc/utmp
1068	conf_wtmp_location=/var/adm/wtmp
1069	conf_lastlog_location=/var/adm/lastlog
1070	AC_DEFINE([USE_PIPES])
1071	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1072	;;
1073*-ncr-sysv*)
1074	LIBS="$LIBS -lc89"
1075	AC_DEFINE([USE_PIPES])
1076	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1077	AC_DEFINE([SETEUID_BREAKS_SETUID])
1078	AC_DEFINE([BROKEN_SETREUID])
1079	AC_DEFINE([BROKEN_SETREGID])
1080	;;
1081*-sni-sysv*)
1082	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1083	AC_CHECK_LIB([dl], [dlsym], ,)
1084	# -lresolv needs to be at the end of LIBS or DNS lookups break
1085	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1086	IPADDR_IN_DISPLAY=yes
1087	AC_DEFINE([USE_PIPES])
1088	AC_DEFINE([IP_TOS_IS_BROKEN])
1089	AC_DEFINE([SETEUID_BREAKS_SETUID])
1090	AC_DEFINE([BROKEN_SETREUID])
1091	AC_DEFINE([BROKEN_SETREGID])
1092	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1093	external_path_file=/etc/default/login
1094	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1095	# Attention: always take care to bind libsocket and libnsl before libc,
1096	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1097	;;
1098# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1099*-*-sysv4.2*)
1100	AC_DEFINE([USE_PIPES])
1101	AC_DEFINE([SETEUID_BREAKS_SETUID])
1102	AC_DEFINE([BROKEN_SETREUID])
1103	AC_DEFINE([BROKEN_SETREGID])
1104	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1105	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1106	TEST_SHELL=$SHELL	# let configure find us a capable shell
1107	;;
1108# UnixWare 7.x, OpenUNIX 8
1109*-*-sysv5*)
1110	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1111	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1112	AC_DEFINE([USE_PIPES])
1113	AC_DEFINE([SETEUID_BREAKS_SETUID])
1114	AC_DEFINE([BROKEN_GETADDRINFO])
1115	AC_DEFINE([BROKEN_SETREUID])
1116	AC_DEFINE([BROKEN_SETREGID])
1117	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1118	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1119	TEST_SHELL=$SHELL	# let configure find us a capable shell
1120	check_for_libcrypt_later=1
1121	case "$host" in
1122	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1123		maildir=/var/spool/mail
1124		AC_DEFINE([BROKEN_UPDWTMPX])
1125		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1126			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1127			], , )
1128		;;
1129	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1130		;;
1131	esac
1132	;;
1133*-*-sysv*)
1134	;;
1135# SCO UNIX and OEM versions of SCO UNIX
1136*-*-sco3.2v4*)
1137	AC_MSG_ERROR("This Platform is no longer supported.")
1138	;;
1139# SCO OpenServer 5.x
1140*-*-sco3.2v5*)
1141	if test -z "$GCC"; then
1142		CFLAGS="$CFLAGS -belf"
1143	fi
1144	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1145	no_dev_ptmx=1
1146	AC_DEFINE([USE_PIPES])
1147	AC_DEFINE([HAVE_SECUREWARE])
1148	AC_DEFINE([DISABLE_SHADOW])
1149	AC_DEFINE([DISABLE_FD_PASSING])
1150	AC_DEFINE([SETEUID_BREAKS_SETUID])
1151	AC_DEFINE([BROKEN_GETADDRINFO])
1152	AC_DEFINE([BROKEN_SETREUID])
1153	AC_DEFINE([BROKEN_SETREGID])
1154	AC_DEFINE([WITH_ABBREV_NO_TTY])
1155	AC_DEFINE([BROKEN_UPDWTMPX])
1156	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1157	AC_CHECK_FUNCS([getluid setluid])
1158	MANTYPE=man
1159	TEST_SHELL=$SHELL	# let configure find us a capable shell
1160	SKIP_DISABLE_LASTLOG_DEFINE=yes
1161	;;
1162*-dec-osf*)
1163	AC_MSG_CHECKING([for Digital Unix SIA])
1164	no_osfsia=""
1165	AC_ARG_WITH([osfsia],
1166		[  --with-osfsia           Enable Digital Unix SIA],
1167		[
1168			if test "x$withval" = "xno" ; then
1169				AC_MSG_RESULT([disabled])
1170				no_osfsia=1
1171			fi
1172		],
1173	)
1174	if test -z "$no_osfsia" ; then
1175		if test -f /etc/sia/matrix.conf; then
1176			AC_MSG_RESULT([yes])
1177			AC_DEFINE([HAVE_OSF_SIA], [1],
1178				[Define if you have Digital Unix Security
1179				Integration Architecture])
1180			AC_DEFINE([DISABLE_LOGIN], [1],
1181				[Define if you don't want to use your
1182				system's login() call])
1183			AC_DEFINE([DISABLE_FD_PASSING])
1184			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1185			SIA_MSG="yes"
1186		else
1187			AC_MSG_RESULT([no])
1188			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1189			  [String used in /etc/passwd to denote locked account])
1190		fi
1191	fi
1192	AC_DEFINE([BROKEN_GETADDRINFO])
1193	AC_DEFINE([SETEUID_BREAKS_SETUID])
1194	AC_DEFINE([BROKEN_SETREUID])
1195	AC_DEFINE([BROKEN_SETREGID])
1196	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1197	;;
1198
1199*-*-nto-qnx*)
1200	AC_DEFINE([USE_PIPES])
1201	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1202	AC_DEFINE([DISABLE_LASTLOG])
1203	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1204	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1205	enable_etc_default_login=no	# has incompatible /etc/default/login
1206	case "$host" in
1207	*-*-nto-qnx6*)
1208		AC_DEFINE([DISABLE_FD_PASSING])
1209		;;
1210	esac
1211	;;
1212
1213*-*-ultrix*)
1214	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1215	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1216	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1217	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1218	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1219	# don't get a controlling tty.
1220	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1221	# On Ultrix some headers are not protected against multiple includes,
1222	# so we create wrappers and put it where the compiler will find it.
1223	AC_MSG_WARN([creating compat wrappers for headers])
1224	mkdir -p netinet
1225	for header in netinet/ip.h netdb.h resolv.h; do
1226		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1227		cat >$header <<EOD
1228#ifndef _SSH_COMPAT_${name}
1229#define _SSH_COMPAT_${name}
1230#include "/usr/include/${header}"
1231#endif
1232EOD
1233	done
1234	;;
1235
1236*-*-lynxos)
1237	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1238	AC_DEFINE([BROKEN_SETVBUF], [1],
1239	    [LynxOS has broken setvbuf() implementation])
1240	;;
1241esac
1242
1243AC_MSG_CHECKING([compiler and flags for sanity])
1244AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1245	[	AC_MSG_RESULT([yes]) ],
1246	[
1247		AC_MSG_RESULT([no])
1248		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1249	],
1250	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1251)
1252
1253dnl Checks for header files.
1254# Checks for libraries.
1255AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1256
1257dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1258AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1259	AC_CHECK_LIB([gen], [dirname], [
1260		AC_CACHE_CHECK([for broken dirname],
1261			ac_cv_have_broken_dirname, [
1262			save_LIBS="$LIBS"
1263			LIBS="$LIBS -lgen"
1264			AC_RUN_IFELSE(
1265				[AC_LANG_SOURCE([[
1266#include <libgen.h>
1267#include <string.h>
1268
1269int main(int argc, char **argv) {
1270    char *s, buf[32];
1271
1272    strncpy(buf,"/etc", 32);
1273    s = dirname(buf);
1274    if (!s || strncmp(s, "/", 32) != 0) {
1275	exit(1);
1276    } else {
1277	exit(0);
1278    }
1279}
1280				]])],
1281				[ ac_cv_have_broken_dirname="no" ],
1282				[ ac_cv_have_broken_dirname="yes" ],
1283				[ ac_cv_have_broken_dirname="no" ],
1284			)
1285			LIBS="$save_LIBS"
1286		])
1287		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1288			LIBS="$LIBS -lgen"
1289			AC_DEFINE([HAVE_DIRNAME])
1290			AC_CHECK_HEADERS([libgen.h])
1291		fi
1292	])
1293])
1294
1295AC_CHECK_FUNC([getspnam], ,
1296	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1297AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1298	[Define if you have the basename function.])])
1299
1300dnl zlib defaults to enabled
1301zlib=yes
1302AC_ARG_WITH([zlib],
1303	[  --with-zlib=PATH        Use zlib in PATH],
1304	[ if test "x$withval" = "xno" ; then
1305		zlib=no
1306	  elif test "x$withval" != "xyes"; then
1307		if test -d "$withval/lib"; then
1308			if test -n "${rpath_opt}"; then
1309				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1310			else
1311				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1312			fi
1313		else
1314			if test -n "${rpath_opt}"; then
1315				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1316			else
1317				LDFLAGS="-L${withval} ${LDFLAGS}"
1318			fi
1319		fi
1320		if test -d "$withval/include"; then
1321			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1322		else
1323			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1324		fi
1325	fi ]
1326)
1327
1328AC_MSG_CHECKING([for zlib])
1329if test "x${zlib}" = "xno"; then
1330	AC_MSG_RESULT([no])
1331else
1332	AC_MSG_RESULT([yes])
1333	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1334    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1335    AC_CHECK_LIB([z], [deflate], ,
1336	[
1337		saved_CPPFLAGS="$CPPFLAGS"
1338		saved_LDFLAGS="$LDFLAGS"
1339		save_LIBS="$LIBS"
1340		dnl Check default zlib install dir
1341		if test -n "${rpath_opt}"; then
1342			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1343		else
1344			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1345		fi
1346		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1347		LIBS="$LIBS -lz"
1348		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1349			[
1350				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1351			]
1352		)
1353	]
1354    )
1355
1356    AC_ARG_WITH([zlib-version-check],
1357	[  --without-zlib-version-check Disable zlib version check],
1358	[  if test "x$withval" = "xno" ; then
1359		zlib_check_nonfatal=1
1360	   fi
1361	]
1362    )
1363
1364    AC_MSG_CHECKING([for possibly buggy zlib])
1365    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1366#include <stdio.h>
1367#include <stdlib.h>
1368#include <zlib.h>
1369	]],
1370	[[
1371	int a=0, b=0, c=0, d=0, n, v;
1372	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1373	if (n != 3 && n != 4)
1374		exit(1);
1375	v = a*1000000 + b*10000 + c*100 + d;
1376	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1377
1378	/* 1.1.4 is OK */
1379	if (a == 1 && b == 1 && c >= 4)
1380		exit(0);
1381
1382	/* 1.2.3 and up are OK */
1383	if (v >= 1020300)
1384		exit(0);
1385
1386	exit(2);
1387	]])],
1388	AC_MSG_RESULT([no]),
1389	[ AC_MSG_RESULT([yes])
1390	  if test -z "$zlib_check_nonfatal" ; then
1391		AC_MSG_ERROR([*** zlib too old - check config.log ***
1392Your reported zlib version has known security problems.  It's possible your
1393vendor has fixed these problems without changing the version number.  If you
1394are sure this is the case, you can disable the check by running
1395"./configure --without-zlib-version-check".
1396If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1397See http://www.gzip.org/zlib/ for details.])
1398	  else
1399		AC_MSG_WARN([zlib version may have security problems])
1400	  fi
1401	],
1402	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1403    )
1404fi
1405
1406dnl UnixWare 2.x
1407AC_CHECK_FUNC([strcasecmp],
1408	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1409)
1410AC_CHECK_FUNCS([utimes],
1411	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1412					LIBS="$LIBS -lc89"]) ]
1413)
1414
1415dnl    Checks for libutil functions
1416AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1417AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1418AC_SEARCH_LIBS([scan_scaled], [util bsd])
1419AC_SEARCH_LIBS([login], [util bsd])
1420AC_SEARCH_LIBS([logout], [util bsd])
1421AC_SEARCH_LIBS([logwtmp], [util bsd])
1422AC_SEARCH_LIBS([openpty], [util bsd])
1423AC_SEARCH_LIBS([updwtmp], [util bsd])
1424AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1425
1426# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1427# or libnsl.
1428AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1429AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1430
1431# "Particular Function Checks"
1432# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1433AC_FUNC_STRFTIME
1434AC_FUNC_MALLOC
1435AC_FUNC_REALLOC
1436# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1437AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1438AC_RUN_IFELSE(
1439	[AC_LANG_PROGRAM(
1440		[[ #include <stdlib.h> ]],
1441		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1442	)],
1443	[ func_calloc_0_nonnull=yes ],
1444	[ func_calloc_0_nonnull=no ],
1445	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1446	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1447)
1448AC_MSG_RESULT([$func_calloc_0_nonnull])
1449
1450if test "x$func_calloc_0_nonnull" = "xyes"; then
1451	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1452else
1453	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1454	AC_DEFINE(calloc, rpl_calloc,
1455	    [Define to rpl_calloc if the replacement function should be used.])
1456fi
1457
1458# Check for ALTDIRFUNC glob() extension
1459AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1460AC_EGREP_CPP([FOUNDIT],
1461	[
1462		#include <glob.h>
1463		#ifdef GLOB_ALTDIRFUNC
1464		FOUNDIT
1465		#endif
1466	],
1467	[
1468		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1469			[Define if your system glob() function has
1470			the GLOB_ALTDIRFUNC extension])
1471		AC_MSG_RESULT([yes])
1472	],
1473	[
1474		AC_MSG_RESULT([no])
1475	]
1476)
1477
1478# Check for g.gl_matchc glob() extension
1479AC_MSG_CHECKING([for gl_matchc field in glob_t])
1480AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1481	[[ glob_t g; g.gl_matchc = 1; ]])],
1482	[
1483		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1484			[Define if your system glob() function has
1485			gl_matchc options in glob_t])
1486		AC_MSG_RESULT([yes])
1487	], [
1488		AC_MSG_RESULT([no])
1489])
1490
1491# Check for g.gl_statv glob() extension
1492AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1493AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1494#ifndef GLOB_KEEPSTAT
1495#error "glob does not support GLOB_KEEPSTAT extension"
1496#endif
1497glob_t g;
1498g.gl_statv = NULL;
1499]])],
1500	[
1501		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1502			[Define if your system glob() function has
1503			gl_statv options in glob_t])
1504		AC_MSG_RESULT([yes])
1505	], [
1506		AC_MSG_RESULT([no])
1507
1508])
1509
1510AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1511
1512AC_CHECK_DECL([VIS_ALL], ,
1513    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1514
1515AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1516AC_RUN_IFELSE(
1517	[AC_LANG_PROGRAM([[
1518#include <sys/types.h>
1519#include <dirent.h>]],
1520	[[
1521	struct dirent d;
1522	exit(sizeof(d.d_name)<=sizeof(char));
1523	]])],
1524	[AC_MSG_RESULT([yes])],
1525	[
1526		AC_MSG_RESULT([no])
1527		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1528			[Define if your struct dirent expects you to
1529			allocate extra space for d_name])
1530	],
1531	[
1532		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1533		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1534	]
1535)
1536
1537AC_MSG_CHECKING([for /proc/pid/fd directory])
1538if test -d "/proc/$$/fd" ; then
1539	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1540	AC_MSG_RESULT([yes])
1541else
1542	AC_MSG_RESULT([no])
1543fi
1544
1545# Check whether user wants to use ldns
1546LDNS_MSG="no"
1547AC_ARG_WITH(ldns,
1548	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1549	[
1550	ldns=""
1551	if test "x$withval" = "xyes" ; then
1552		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1553		if test "x$LDNSCONFIG" = "xno"; then
1554			LIBS="-lldns $LIBS"
1555			ldns=yes
1556		else
1557			LIBS="$LIBS `$LDNSCONFIG --libs`"
1558			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1559			ldns=yes
1560		fi
1561	elif test "x$withval" != "xno" ; then
1562			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1563			LDFLAGS="$LDFLAGS -L${withval}/lib"
1564			LIBS="-lldns $LIBS"
1565			ldns=yes
1566	fi
1567
1568	# Verify that it works.
1569	if test "x$ldns" = "xyes" ; then
1570		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1571		LDNS_MSG="yes"
1572		AC_MSG_CHECKING([for ldns support])
1573		AC_LINK_IFELSE(
1574			[AC_LANG_SOURCE([[
1575#include <stdio.h>
1576#include <stdlib.h>
1577#ifdef HAVE_STDINT_H
1578# include <stdint.h>
1579#endif
1580#include <ldns/ldns.h>
1581int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1582			]])
1583		],
1584			[AC_MSG_RESULT(yes)],
1585				[
1586					AC_MSG_RESULT(no)
1587					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1588				])
1589	fi
1590])
1591
1592# Check whether user wants libedit support
1593LIBEDIT_MSG="no"
1594AC_ARG_WITH([libedit],
1595	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1596	[ if test "x$withval" != "xno" ; then
1597		if test "x$withval" = "xyes" ; then
1598			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1599			if test "x$PKGCONFIG" != "xno"; then
1600				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1601				if "$PKGCONFIG" libedit; then
1602					AC_MSG_RESULT([yes])
1603					use_pkgconfig_for_libedit=yes
1604				else
1605					AC_MSG_RESULT([no])
1606				fi
1607			fi
1608		else
1609			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1610			if test -n "${rpath_opt}"; then
1611				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1612			else
1613				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1614			fi
1615		fi
1616		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1617			LIBEDIT=`$PKGCONFIG --libs libedit`
1618			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1619		else
1620			LIBEDIT="-ledit -lcurses"
1621		fi
1622		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1623		AC_CHECK_LIB([edit], [el_init],
1624			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1625			  LIBEDIT_MSG="yes"
1626			  AC_SUBST([LIBEDIT])
1627			],
1628			[ AC_MSG_ERROR([libedit not found]) ],
1629			[ $OTHERLIBS ]
1630		)
1631		AC_MSG_CHECKING([if libedit version is compatible])
1632		AC_COMPILE_IFELSE(
1633		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1634		    [[
1635	int i = H_SETSIZE;
1636	el_init("", NULL, NULL, NULL);
1637	exit(0);
1638		    ]])],
1639		    [ AC_MSG_RESULT([yes]) ],
1640		    [ AC_MSG_RESULT([no])
1641		      AC_MSG_ERROR([libedit version is not compatible]) ]
1642		)
1643	fi ]
1644)
1645
1646AUDIT_MODULE=none
1647AC_ARG_WITH([audit],
1648	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1649	[
1650	  AC_MSG_CHECKING([for supported audit module])
1651	  case "$withval" in
1652	  bsm)
1653		AC_MSG_RESULT([bsm])
1654		AUDIT_MODULE=bsm
1655		dnl    Checks for headers, libs and functions
1656		AC_CHECK_HEADERS([bsm/audit.h], [],
1657		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1658		    [
1659#ifdef HAVE_TIME_H
1660# include <time.h>
1661#endif
1662		    ]
1663)
1664		AC_CHECK_LIB([bsm], [getaudit], [],
1665		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1666		AC_CHECK_FUNCS([getaudit], [],
1667		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1668		# These are optional
1669		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1670		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1671		if test "$sol2ver" -ge 11; then
1672			SSHDLIBS="$SSHDLIBS -lscf"
1673			AC_DEFINE([BROKEN_BSM_API], [1],
1674				[The system has incomplete BSM API])
1675		fi
1676		;;
1677	  linux)
1678		AC_MSG_RESULT([linux])
1679		AUDIT_MODULE=linux
1680		dnl    Checks for headers, libs and functions
1681		AC_CHECK_HEADERS([libaudit.h])
1682		SSHDLIBS="$SSHDLIBS -laudit"
1683		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1684		;;
1685	  debug)
1686		AUDIT_MODULE=debug
1687		AC_MSG_RESULT([debug])
1688		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1689		;;
1690	  no)
1691		AC_MSG_RESULT([no])
1692		;;
1693	  *)
1694		AC_MSG_ERROR([Unknown audit module $withval])
1695		;;
1696	esac ]
1697)
1698
1699AC_ARG_WITH([pie],
1700    [  --with-pie              Build Position Independent Executables if possible], [
1701	if test "x$withval" = "xno"; then
1702		use_pie=no
1703	fi
1704	if test "x$withval" = "xyes"; then
1705		use_pie=yes
1706	fi
1707    ]
1708)
1709if test "x$use_pie" = "x"; then
1710	use_pie=no
1711fi
1712if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1713	# Turn off automatic PIE when toolchain hardening is off.
1714	use_pie=no
1715fi
1716if test "x$use_pie" = "xauto"; then
1717	# Automatic PIE requires gcc >= 4.x
1718	AC_MSG_CHECKING([for gcc >= 4.x])
1719	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1720#if !defined(__GNUC__) || __GNUC__ < 4
1721#error gcc is too old
1722#endif
1723]])],
1724	[ AC_MSG_RESULT([yes]) ],
1725	[ AC_MSG_RESULT([no])
1726	  use_pie=no ]
1727)
1728fi
1729if test "x$use_pie" != "xno"; then
1730	SAVED_CFLAGS="$CFLAGS"
1731	SAVED_LDFLAGS="$LDFLAGS"
1732	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1733	OSSH_CHECK_LDFLAG_LINK([-pie])
1734	# We use both -fPIE and -pie or neither.
1735	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1736	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1737	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1738		AC_MSG_RESULT([yes])
1739	else
1740		AC_MSG_RESULT([no])
1741		CFLAGS="$SAVED_CFLAGS"
1742		LDFLAGS="$SAVED_LDFLAGS"
1743	fi
1744fi
1745
1746AC_MSG_CHECKING([whether -fPIC is accepted])
1747SAVED_CFLAGS="$CFLAGS"
1748CFLAGS="$CFLAGS -fPIC"
1749AC_COMPILE_IFELSE(
1750	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1751   [AC_MSG_RESULT([yes])
1752    PICFLAG="-fPIC"; ],
1753   [AC_MSG_RESULT([no])
1754    PICFLAG=""; ])
1755CFLAGS="$SAVED_CFLAGS"
1756AC_SUBST([PICFLAG])
1757
1758dnl    Checks for library functions. Please keep in alphabetical order
1759AC_CHECK_FUNCS([ \
1760	Blowfish_initstate \
1761	Blowfish_expandstate \
1762	Blowfish_expand0state \
1763	Blowfish_stream2word \
1764	SHA256Update \
1765	SHA384Update \
1766	SHA512Update \
1767	asprintf \
1768	b64_ntop \
1769	__b64_ntop \
1770	b64_pton \
1771	__b64_pton \
1772	bcopy \
1773	bcrypt_pbkdf \
1774	bindresvport_sa \
1775	blf_enc \
1776	bzero \
1777	cap_rights_limit \
1778	clock \
1779	closefrom \
1780	dirfd \
1781	endgrent \
1782	err \
1783	errx \
1784	explicit_bzero \
1785	fchmod \
1786	fchmodat \
1787	fchown \
1788	fchownat \
1789	flock \
1790	fnmatch \
1791	freeaddrinfo \
1792	freezero \
1793	fstatfs \
1794	fstatvfs \
1795	futimes \
1796	getaddrinfo \
1797	getcwd \
1798	getgrouplist \
1799	getline \
1800	getnameinfo \
1801	getopt \
1802	getpagesize \
1803	getpeereid \
1804	getpeerucred \
1805	getpgid \
1806	_getpty \
1807	getrlimit \
1808	getrandom \
1809	getsid \
1810	getttyent \
1811	glob \
1812	group_from_gid \
1813	inet_aton \
1814	inet_ntoa \
1815	inet_ntop \
1816	innetgr \
1817	llabs \
1818	localtime_r \
1819	login_getcapbool \
1820	md5_crypt \
1821	memmem \
1822	memmove \
1823	memset_s \
1824	mkdtemp \
1825	ngetaddrinfo \
1826	nsleep \
1827	ogetaddrinfo \
1828	openlog_r \
1829	pledge \
1830	poll \
1831	prctl \
1832	pstat \
1833	raise \
1834	readpassphrase \
1835	reallocarray \
1836	realpath \
1837	recvmsg \
1838	recallocarray \
1839	rresvport_af \
1840	sendmsg \
1841	setdtablesize \
1842	setegid \
1843	setenv \
1844	seteuid \
1845	setgroupent \
1846	setgroups \
1847	setlinebuf \
1848	setlogin \
1849	setpassent\
1850	setpcred \
1851	setproctitle \
1852	setregid \
1853	setreuid \
1854	setrlimit \
1855	setsid \
1856	setvbuf \
1857	sigaction \
1858	sigvec \
1859	snprintf \
1860	socketpair \
1861	statfs \
1862	statvfs \
1863	strcasestr \
1864	strdup \
1865	strerror \
1866	strlcat \
1867	strlcpy \
1868	strmode \
1869	strndup \
1870	strnlen \
1871	strnvis \
1872	strptime \
1873	strsignal \
1874	strtonum \
1875	strtoll \
1876	strtoul \
1877	strtoull \
1878	swap32 \
1879	sysconf \
1880	tcgetpgrp \
1881	timingsafe_bcmp \
1882	truncate \
1883	unsetenv \
1884	updwtmpx \
1885	utimensat \
1886	user_from_uid \
1887	usleep \
1888	vasprintf \
1889	vsnprintf \
1890	waitpid \
1891	warn \
1892])
1893
1894AC_CHECK_DECLS([bzero, memmem])
1895
1896dnl Wide character support.
1897AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1898
1899TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1900AC_MSG_CHECKING([for utf8 locale support])
1901AC_RUN_IFELSE(
1902	[AC_LANG_PROGRAM([[
1903#include <locale.h>
1904#include <stdlib.h>
1905	]], [[
1906	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1907	if (loc != NULL)
1908		exit(0);
1909	exit(1);
1910	]])],
1911	AC_MSG_RESULT(yes),
1912	[AC_MSG_RESULT(no)
1913	 TEST_SSH_UTF8=no],
1914	AC_MSG_WARN([cross compiling: assuming yes])
1915)
1916
1917AC_LINK_IFELSE(
1918        [AC_LANG_PROGRAM(
1919           [[ #include <ctype.h> ]],
1920           [[ return (isblank('a')); ]])],
1921	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1922])
1923
1924disable_pkcs11=
1925AC_ARG_ENABLE([pkcs11],
1926	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1927	[
1928		if test "x$enableval" = "xno" ; then
1929			disable_pkcs11=1
1930		fi
1931	]
1932)
1933
1934disable_sk=
1935AC_ARG_ENABLE([security-key],
1936	[  --disable-security-key  disable U2F/FIDO support code [no]],
1937	[
1938		if test "x$enableval" = "xno" ; then
1939			disable_sk=1
1940		fi
1941	]
1942)
1943enable_sk_internal=
1944AC_ARG_WITH([security-key-builtin],
1945	[  --with-security-key-builtin include builtin U2F/FIDO support],
1946	[
1947		if test "x$withval" != "xno" ; then
1948			enable_sk_internal=yes
1949		fi
1950	]
1951)
1952test "x$disable_sk" != "x" && enable_sk_internal=""
1953
1954AC_SEARCH_LIBS([dlopen], [dl])
1955AC_CHECK_FUNCS([dlopen])
1956AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1957
1958# IRIX has a const char return value for gai_strerror()
1959AC_CHECK_FUNCS([gai_strerror], [
1960	AC_DEFINE([HAVE_GAI_STRERROR])
1961	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1962#include <sys/types.h>
1963#include <sys/socket.h>
1964#include <netdb.h>
1965
1966const char *gai_strerror(int);
1967			]], [[
1968	char *str;
1969	str = gai_strerror(0);
1970			]])], [
1971		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1972		[Define if gai_strerror() returns const char *])], [])])
1973
1974AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1975	[Some systems put nanosleep outside of libc])])
1976
1977AC_SEARCH_LIBS([clock_gettime], [rt],
1978	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1979
1980dnl check if we need -D_REENTRANT for localtime_r declaration.
1981AC_CHECK_DECL([localtime_r], [],
1982	[ saved_CPPFLAGS="$CFLAGS"
1983	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1984	  unset ac_cv_have_decl_localtime_r
1985	  AC_CHECK_DECL([localtime_r], [],
1986		[ CPPFLAGS="$saved_CPPFLAGS" ],
1987		[ #include <time.h> ]
1988	  )
1989	],
1990	[ #include <time.h> ]
1991)
1992
1993dnl Make sure prototypes are defined for these before using them.
1994AC_CHECK_DECL([strsep],
1995	[AC_CHECK_FUNCS([strsep])],
1996	[],
1997	[
1998#ifdef HAVE_STRING_H
1999# include <string.h>
2000#endif
2001	])
2002
2003dnl tcsendbreak might be a macro
2004AC_CHECK_DECL([tcsendbreak],
2005	[AC_DEFINE([HAVE_TCSENDBREAK])],
2006	[AC_CHECK_FUNCS([tcsendbreak])],
2007	[#include <termios.h>]
2008)
2009
2010AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2011
2012AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2013	[
2014#include <sys/types.h>
2015#include <sys/socket.h>
2016#include <unistd.h>
2017	])
2018
2019AC_CHECK_DECLS([O_NONBLOCK], , ,
2020	[
2021#include <sys/types.h>
2022#ifdef HAVE_SYS_STAT_H
2023# include <sys/stat.h>
2024#endif
2025#ifdef HAVE_FCNTL_H
2026# include <fcntl.h>
2027#endif
2028	])
2029
2030AC_CHECK_DECLS([readv, writev], , , [
2031#include <sys/types.h>
2032#include <sys/uio.h>
2033#include <unistd.h>
2034	])
2035
2036AC_CHECK_DECLS([MAXSYMLINKS], , , [
2037#include <sys/param.h>
2038	])
2039
2040AC_CHECK_DECLS([offsetof], , , [
2041#include <stddef.h>
2042	])
2043
2044# extra bits for select(2)
2045AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2046#include <sys/param.h>
2047#include <sys/types.h>
2048#ifdef HAVE_SYS_SYSMACROS_H
2049#include <sys/sysmacros.h>
2050#endif
2051#ifdef HAVE_SYS_SELECT_H
2052#include <sys/select.h>
2053#endif
2054#ifdef HAVE_SYS_TIME_H
2055#include <sys/time.h>
2056#endif
2057#ifdef HAVE_UNISTD_H
2058#include <unistd.h>
2059#endif
2060	]])
2061AC_CHECK_TYPES([fd_mask], [], [], [[
2062#include <sys/param.h>
2063#include <sys/types.h>
2064#ifdef HAVE_SYS_SELECT_H
2065#include <sys/select.h>
2066#endif
2067#ifdef HAVE_SYS_TIME_H
2068#include <sys/time.h>
2069#endif
2070#ifdef HAVE_UNISTD_H
2071#include <unistd.h>
2072#endif
2073	]])
2074
2075AC_CHECK_FUNCS([setresuid], [
2076	dnl Some platorms have setresuid that isn't implemented, test for this
2077	AC_MSG_CHECKING([if setresuid seems to work])
2078	AC_RUN_IFELSE(
2079		[AC_LANG_PROGRAM([[
2080#include <stdlib.h>
2081#include <errno.h>
2082		]], [[
2083	errno=0;
2084	setresuid(0,0,0);
2085	if (errno==ENOSYS)
2086		exit(1);
2087	else
2088		exit(0);
2089		]])],
2090		[AC_MSG_RESULT([yes])],
2091		[AC_DEFINE([BROKEN_SETRESUID], [1],
2092			[Define if your setresuid() is broken])
2093		 AC_MSG_RESULT([not implemented])],
2094		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2095	)
2096])
2097
2098AC_CHECK_FUNCS([setresgid], [
2099	dnl Some platorms have setresgid that isn't implemented, test for this
2100	AC_MSG_CHECKING([if setresgid seems to work])
2101	AC_RUN_IFELSE(
2102		[AC_LANG_PROGRAM([[
2103#include <stdlib.h>
2104#include <errno.h>
2105		]], [[
2106	errno=0;
2107	setresgid(0,0,0);
2108	if (errno==ENOSYS)
2109		exit(1);
2110	else
2111		exit(0);
2112		]])],
2113		[AC_MSG_RESULT([yes])],
2114		[AC_DEFINE([BROKEN_SETRESGID], [1],
2115			[Define if your setresgid() is broken])
2116		 AC_MSG_RESULT([not implemented])],
2117		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2118	)
2119])
2120
2121AC_MSG_CHECKING([for working fflush(NULL)])
2122AC_RUN_IFELSE(
2123	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2124	AC_MSG_RESULT([yes]),
2125	[AC_MSG_RESULT([no])
2126	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2127	    [define if fflush(NULL) does not work])],
2128	AC_MSG_WARN([cross compiling: assuming working])
2129)
2130
2131dnl    Checks for time functions
2132AC_CHECK_FUNCS([gettimeofday time])
2133dnl    Checks for utmp functions
2134AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2135AC_CHECK_FUNCS([utmpname])
2136dnl    Checks for utmpx functions
2137AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2138AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2139dnl    Checks for lastlog functions
2140AC_CHECK_FUNCS([getlastlogxbyname])
2141
2142AC_CHECK_FUNC([daemon],
2143	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2144	[AC_CHECK_LIB([bsd], [daemon],
2145		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2146)
2147
2148AC_CHECK_FUNC([getpagesize],
2149	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2150		[Define if your libraries define getpagesize()])],
2151	[AC_CHECK_LIB([ucb], [getpagesize],
2152		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2153)
2154
2155# Check for broken snprintf
2156if test "x$ac_cv_func_snprintf" = "xyes" ; then
2157	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2158	AC_RUN_IFELSE(
2159		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2160		[[
2161	char b[5];
2162	snprintf(b,5,"123456789");
2163	exit(b[4]!='\0');
2164		]])],
2165		[AC_MSG_RESULT([yes])],
2166		[
2167			AC_MSG_RESULT([no])
2168			AC_DEFINE([BROKEN_SNPRINTF], [1],
2169				[Define if your snprintf is busted])
2170			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2171		],
2172		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2173	)
2174fi
2175
2176if test "x$ac_cv_func_snprintf" = "xyes" ; then
2177	AC_MSG_CHECKING([whether snprintf understands %zu])
2178	AC_RUN_IFELSE(
2179		[AC_LANG_PROGRAM([[
2180#include <sys/types.h>
2181#include <stdio.h>
2182		]],
2183		[[
2184	size_t a = 1, b = 2;
2185	char z[128];
2186	snprintf(z, sizeof z, "%zu%zu", a, b);
2187	exit(strcmp(z, "12"));
2188		]])],
2189		[AC_MSG_RESULT([yes])],
2190		[
2191			AC_MSG_RESULT([no])
2192			AC_DEFINE([BROKEN_SNPRINTF], [1],
2193				[snprintf does not understand %zu])
2194		],
2195		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2196	)
2197fi
2198
2199# We depend on vsnprintf returning the right thing on overflow: the
2200# number of characters it tried to create (as per SUSv3)
2201if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2202	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2203	AC_RUN_IFELSE(
2204		[AC_LANG_PROGRAM([[
2205#include <sys/types.h>
2206#include <stdio.h>
2207#include <stdarg.h>
2208
2209int x_snprintf(char *str, size_t count, const char *fmt, ...)
2210{
2211	size_t ret;
2212	va_list ap;
2213
2214	va_start(ap, fmt);
2215	ret = vsnprintf(str, count, fmt, ap);
2216	va_end(ap);
2217	return ret;
2218}
2219		]], [[
2220char x[1];
2221if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2222	return 1;
2223if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2224	return 1;
2225return 0;
2226		]])],
2227		[AC_MSG_RESULT([yes])],
2228		[
2229			AC_MSG_RESULT([no])
2230			AC_DEFINE([BROKEN_SNPRINTF], [1],
2231				[Define if your snprintf is busted])
2232			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2233		],
2234		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2235	)
2236fi
2237
2238# On systems where [v]snprintf is broken, but is declared in stdio,
2239# check that the fmt argument is const char * or just char *.
2240# This is only useful for when BROKEN_SNPRINTF
2241AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2242AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2243#include <stdio.h>
2244int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2245		]], [[
2246	snprintf(0, 0, 0);
2247		]])],
2248   [AC_MSG_RESULT([yes])
2249    AC_DEFINE([SNPRINTF_CONST], [const],
2250              [Define as const if snprintf() can declare const char *fmt])],
2251   [AC_MSG_RESULT([no])
2252    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2253
2254# Check for missing getpeereid (or equiv) support
2255NO_PEERCHECK=""
2256if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2257	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2258	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2259#include <sys/types.h>
2260#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2261		[ AC_MSG_RESULT([yes])
2262		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2263		], [AC_MSG_RESULT([no])
2264		NO_PEERCHECK=1
2265        ])
2266fi
2267
2268dnl see whether mkstemp() requires XXXXXX
2269if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2270AC_MSG_CHECKING([for (overly) strict mkstemp])
2271AC_RUN_IFELSE(
2272	[AC_LANG_PROGRAM([[
2273#include <stdlib.h>
2274	]], [[
2275	char template[]="conftest.mkstemp-test";
2276	if (mkstemp(template) == -1)
2277		exit(1);
2278	unlink(template);
2279	exit(0);
2280	]])],
2281	[
2282		AC_MSG_RESULT([no])
2283	],
2284	[
2285		AC_MSG_RESULT([yes])
2286		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2287	],
2288	[
2289		AC_MSG_RESULT([yes])
2290		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2291	]
2292)
2293fi
2294
2295dnl make sure that openpty does not reacquire controlling terminal
2296if test ! -z "$check_for_openpty_ctty_bug"; then
2297	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2298	AC_RUN_IFELSE(
2299		[AC_LANG_PROGRAM([[
2300#include <stdio.h>
2301#include <sys/fcntl.h>
2302#include <sys/types.h>
2303#include <sys/wait.h>
2304		]], [[
2305	pid_t pid;
2306	int fd, ptyfd, ttyfd, status;
2307
2308	pid = fork();
2309	if (pid < 0) {		/* failed */
2310		exit(1);
2311	} else if (pid > 0) {	/* parent */
2312		waitpid(pid, &status, 0);
2313		if (WIFEXITED(status))
2314			exit(WEXITSTATUS(status));
2315		else
2316			exit(2);
2317	} else {		/* child */
2318		close(0); close(1); close(2);
2319		setsid();
2320		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2321		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2322		if (fd >= 0)
2323			exit(3);	/* Acquired ctty: broken */
2324		else
2325			exit(0);	/* Did not acquire ctty: OK */
2326	}
2327		]])],
2328		[
2329			AC_MSG_RESULT([yes])
2330		],
2331		[
2332			AC_MSG_RESULT([no])
2333			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2334		],
2335		[
2336			AC_MSG_RESULT([cross-compiling, assuming yes])
2337		]
2338	)
2339fi
2340
2341if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2342    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2343	AC_MSG_CHECKING([if getaddrinfo seems to work])
2344	AC_RUN_IFELSE(
2345		[AC_LANG_PROGRAM([[
2346#include <stdio.h>
2347#include <sys/socket.h>
2348#include <netdb.h>
2349#include <errno.h>
2350#include <netinet/in.h>
2351
2352#define TEST_PORT "2222"
2353		]], [[
2354	int err, sock;
2355	struct addrinfo *gai_ai, *ai, hints;
2356	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2357
2358	memset(&hints, 0, sizeof(hints));
2359	hints.ai_family = PF_UNSPEC;
2360	hints.ai_socktype = SOCK_STREAM;
2361	hints.ai_flags = AI_PASSIVE;
2362
2363	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2364	if (err != 0) {
2365		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2366		exit(1);
2367	}
2368
2369	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2370		if (ai->ai_family != AF_INET6)
2371			continue;
2372
2373		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2374		    sizeof(ntop), strport, sizeof(strport),
2375		    NI_NUMERICHOST|NI_NUMERICSERV);
2376
2377		if (err != 0) {
2378			if (err == EAI_SYSTEM)
2379				perror("getnameinfo EAI_SYSTEM");
2380			else
2381				fprintf(stderr, "getnameinfo failed: %s\n",
2382				    gai_strerror(err));
2383			exit(2);
2384		}
2385
2386		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2387		if (sock < 0)
2388			perror("socket");
2389		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2390			if (errno == EBADF)
2391				exit(3);
2392		}
2393	}
2394	exit(0);
2395		]])],
2396		[
2397			AC_MSG_RESULT([yes])
2398		],
2399		[
2400			AC_MSG_RESULT([no])
2401			AC_DEFINE([BROKEN_GETADDRINFO])
2402		],
2403		[
2404			AC_MSG_RESULT([cross-compiling, assuming yes])
2405		]
2406	)
2407fi
2408
2409if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2410    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2411	AC_MSG_CHECKING([if getaddrinfo seems to work])
2412	AC_RUN_IFELSE(
2413		[AC_LANG_PROGRAM([[
2414#include <stdio.h>
2415#include <sys/socket.h>
2416#include <netdb.h>
2417#include <errno.h>
2418#include <netinet/in.h>
2419
2420#define TEST_PORT "2222"
2421		]], [[
2422	int err, sock;
2423	struct addrinfo *gai_ai, *ai, hints;
2424	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2425
2426	memset(&hints, 0, sizeof(hints));
2427	hints.ai_family = PF_UNSPEC;
2428	hints.ai_socktype = SOCK_STREAM;
2429	hints.ai_flags = AI_PASSIVE;
2430
2431	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2432	if (err != 0) {
2433		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2434		exit(1);
2435	}
2436
2437	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2438		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2439			continue;
2440
2441		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2442		    sizeof(ntop), strport, sizeof(strport),
2443		    NI_NUMERICHOST|NI_NUMERICSERV);
2444
2445		if (ai->ai_family == AF_INET && err != 0) {
2446			perror("getnameinfo");
2447			exit(2);
2448		}
2449	}
2450	exit(0);
2451		]])],
2452		[
2453			AC_MSG_RESULT([yes])
2454			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2455				[Define if you have a getaddrinfo that fails
2456				for the all-zeros IPv6 address])
2457		],
2458		[
2459			AC_MSG_RESULT([no])
2460			AC_DEFINE([BROKEN_GETADDRINFO])
2461		],
2462		[
2463			AC_MSG_RESULT([cross-compiling, assuming no])
2464		]
2465	)
2466fi
2467
2468if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2469	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2470	    [#include <sys/types.h>
2471	     #include <sys/socket.h>
2472	     #include <netdb.h>])
2473fi
2474
2475if test "x$check_for_conflicting_getspnam" = "x1"; then
2476	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2477	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2478		[[ exit(0); ]])],
2479		[
2480			AC_MSG_RESULT([no])
2481		],
2482		[
2483			AC_MSG_RESULT([yes])
2484			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2485			    [Conflicting defs for getspnam])
2486		]
2487	)
2488fi
2489
2490dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2491dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2492dnl for over ten years). Despite this incompatibility being reported during
2493dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2494dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2495dnl implementation.  Try to detect this mess, and assume the only safe option
2496dnl if we're cross compiling.
2497dnl
2498dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2499dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2500if test "x$ac_cv_func_strnvis" = "xyes"; then
2501	AC_MSG_CHECKING([for working strnvis])
2502	AC_RUN_IFELSE(
2503		[AC_LANG_PROGRAM([[
2504#include <signal.h>
2505#include <stdlib.h>
2506#include <string.h>
2507#include <vis.h>
2508static void sighandler(int sig) { _exit(1); }
2509		]], [[
2510	char dst[16];
2511
2512	signal(SIGSEGV, sighandler);
2513	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2514		exit(0);
2515	exit(1)
2516		]])],
2517		[AC_MSG_RESULT([yes])],
2518		[AC_MSG_RESULT([no])
2519		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2520		[AC_MSG_WARN([cross compiling: assuming broken])
2521		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2522	)
2523fi
2524
2525AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2526AC_RUN_IFELSE(
2527	[AC_LANG_PROGRAM([[
2528#ifdef HAVE_SYS_SELECT
2529# include <sys/select.h>
2530#endif
2531#include <sys/types.h>
2532#include <sys/time.h>
2533#include <stdlib.h>
2534#include <signal.h>
2535static void sighandler(int sig) { }
2536		]], [[
2537	int r;
2538	pid_t pid;
2539	struct sigaction sa;
2540
2541	sa.sa_handler = sighandler;
2542	sa.sa_flags = SA_RESTART;
2543	(void)sigaction(SIGTERM, &sa, NULL);
2544	if ((pid = fork()) == 0) { /* child */
2545		pid = getppid();
2546		sleep(1);
2547		kill(pid, SIGTERM);
2548		sleep(1);
2549		if (getppid() == pid) /* if parent did not exit, shoot it */
2550			kill(pid, SIGKILL);
2551		exit(0);
2552	} else { /* parent */
2553		r = select(0, NULL, NULL, NULL, NULL);
2554	}
2555	exit(r == -1 ? 0 : 1);
2556	]])],
2557	[AC_MSG_RESULT([yes])],
2558	[AC_MSG_RESULT([no])
2559	 AC_DEFINE([NO_SA_RESTART], [1],
2560	    [SA_RESTARTed signals do no interrupt select])],
2561	[AC_MSG_WARN([cross compiling: assuming yes])]
2562)
2563
2564AC_CHECK_FUNCS([getpgrp],[
2565	AC_MSG_CHECKING([if getpgrp accepts zero args])
2566	AC_COMPILE_IFELSE(
2567		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2568		[ AC_MSG_RESULT([yes])
2569		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2570		[ AC_MSG_RESULT([no])
2571		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2572	)
2573])
2574
2575# Search for OpenSSL
2576saved_CPPFLAGS="$CPPFLAGS"
2577saved_LDFLAGS="$LDFLAGS"
2578AC_ARG_WITH([ssl-dir],
2579	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2580	[
2581		if test "x$openssl" = "xno" ; then
2582			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2583		fi
2584		if test "x$withval" != "xno" ; then
2585			case "$withval" in
2586				# Relative paths
2587				./*|../*)	withval="`pwd`/$withval"
2588			esac
2589			if test -d "$withval/lib"; then
2590				if test -n "${rpath_opt}"; then
2591					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2592				else
2593					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2594				fi
2595			elif test -d "$withval/lib64"; then
2596				if test -n "${rpath_opt}"; then
2597					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2598				else
2599					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2600				fi
2601			else
2602				if test -n "${rpath_opt}"; then
2603					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2604				else
2605					LDFLAGS="-L${withval} ${LDFLAGS}"
2606				fi
2607			fi
2608			if test -d "$withval/include"; then
2609				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2610			else
2611				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2612			fi
2613		fi
2614	]
2615)
2616
2617AC_ARG_WITH([openssl-header-check],
2618	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2619	[
2620		if test "x$withval" = "xno" ; then
2621			openssl_check_nonfatal=1
2622		fi
2623	]
2624)
2625
2626openssl_engine=no
2627AC_ARG_WITH([ssl-engine],
2628	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2629	[
2630		if test "x$withval" != "xno" ; then
2631			if test "x$openssl" = "xno" ; then
2632				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2633			fi
2634			openssl_engine=yes
2635		fi
2636	]
2637)
2638
2639if test "x$openssl" = "xyes" ; then
2640	LIBS="-lcrypto $LIBS"
2641	AC_TRY_LINK_FUNC([RAND_add], ,
2642	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2643	AC_CHECK_HEADER([openssl/opensslv.h], ,
2644	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2645
2646	# Determine OpenSSL header version
2647	AC_MSG_CHECKING([OpenSSL header version])
2648	AC_RUN_IFELSE(
2649		[AC_LANG_PROGRAM([[
2650	#include <stdlib.h>
2651	#include <stdio.h>
2652	#include <string.h>
2653	#include <openssl/opensslv.h>
2654	#define DATA "conftest.sslincver"
2655		]], [[
2656		FILE *fd;
2657		int rc;
2658
2659		fd = fopen(DATA,"w");
2660		if(fd == NULL)
2661			exit(1);
2662
2663		if ((rc = fprintf(fd, "%08lx (%s)\n",
2664		    (unsigned long)OPENSSL_VERSION_NUMBER,
2665		     OPENSSL_VERSION_TEXT)) < 0)
2666			exit(1);
2667
2668		exit(0);
2669		]])],
2670		[
2671			ssl_header_ver=`cat conftest.sslincver`
2672			AC_MSG_RESULT([$ssl_header_ver])
2673		],
2674		[
2675			AC_MSG_RESULT([not found])
2676			AC_MSG_ERROR([OpenSSL version header not found.])
2677		],
2678		[
2679			AC_MSG_WARN([cross compiling: not checking])
2680		]
2681	)
2682
2683	# Determining OpenSSL library version is version dependent.
2684	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2685
2686	# Determine OpenSSL library version
2687	AC_MSG_CHECKING([OpenSSL library version])
2688	AC_RUN_IFELSE(
2689		[AC_LANG_PROGRAM([[
2690	#include <stdio.h>
2691	#include <string.h>
2692	#include <openssl/opensslv.h>
2693	#include <openssl/crypto.h>
2694	#define DATA "conftest.ssllibver"
2695		]], [[
2696		FILE *fd;
2697		int rc;
2698
2699		fd = fopen(DATA,"w");
2700		if(fd == NULL)
2701			exit(1);
2702#ifndef OPENSSL_VERSION
2703# define OPENSSL_VERSION SSLEAY_VERSION
2704#endif
2705#ifndef HAVE_OPENSSL_VERSION
2706# define OpenSSL_version	SSLeay_version
2707#endif
2708#ifndef HAVE_OPENSSL_VERSION_NUM
2709# define OpenSSL_version_num	SSLeay
2710#endif
2711		if ((rc = fprintf(fd, "%08lx (%s)\n",
2712		    (unsigned long)OpenSSL_version_num(),
2713		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2714			exit(1);
2715
2716		exit(0);
2717		]])],
2718		[
2719			ssl_library_ver=`cat conftest.ssllibver`
2720			# Check version is supported.
2721			case "$ssl_library_ver" in
2722			10000*|0*)
2723				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2724		                ;;
2725			100*)   ;; # 1.0.x
2726			101000[[0123456]]*)
2727				# https://github.com/openssl/openssl/pull/4613
2728				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2729				;;
2730			101*)   ;; # 1.1.x
2731			200*)   ;; # LibreSSL
2732			300*)   ;; # OpenSSL development branch.
2733		        *)
2734				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2735		                ;;
2736			esac
2737			AC_MSG_RESULT([$ssl_library_ver])
2738		],
2739		[
2740			AC_MSG_RESULT([not found])
2741			AC_MSG_ERROR([OpenSSL library not found.])
2742		],
2743		[
2744			AC_MSG_WARN([cross compiling: not checking])
2745		]
2746	)
2747
2748	# Sanity check OpenSSL headers
2749	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2750	AC_RUN_IFELSE(
2751		[AC_LANG_PROGRAM([[
2752	#include <string.h>
2753	#include <openssl/opensslv.h>
2754	#include <openssl/crypto.h>
2755		]], [[
2756#ifndef HAVE_OPENSSL_VERSION_NUM
2757# define OpenSSL_version_num	SSLeay
2758#endif
2759		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2760		]])],
2761		[
2762			AC_MSG_RESULT([yes])
2763		],
2764		[
2765			AC_MSG_RESULT([no])
2766			if test "x$openssl_check_nonfatal" = "x"; then
2767				AC_MSG_ERROR([Your OpenSSL headers do not match your
2768	library. Check config.log for details.
2769	If you are sure your installation is consistent, you can disable the check
2770	by running "./configure --without-openssl-header-check".
2771	Also see contrib/findssl.sh for help identifying header/library mismatches.
2772	])
2773			else
2774				AC_MSG_WARN([Your OpenSSL headers do not match your
2775	library. Check config.log for details.
2776	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2777			fi
2778		],
2779		[
2780			AC_MSG_WARN([cross compiling: not checking])
2781		]
2782	)
2783
2784	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2785	AC_LINK_IFELSE(
2786		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2787		[[ ERR_load_crypto_strings(); ]])],
2788		[
2789			AC_MSG_RESULT([yes])
2790		],
2791		[
2792			AC_MSG_RESULT([no])
2793			saved_LIBS="$LIBS"
2794			LIBS="$LIBS -ldl"
2795			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2796			AC_LINK_IFELSE(
2797				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2798				[[ ERR_load_crypto_strings(); ]])],
2799				[
2800					AC_MSG_RESULT([yes])
2801				],
2802				[
2803					AC_MSG_RESULT([no])
2804					LIBS="$saved_LIBS"
2805				]
2806			)
2807		]
2808	)
2809
2810	AC_CHECK_FUNCS([ \
2811		BN_is_prime_ex \
2812		DSA_generate_parameters_ex \
2813		EVP_CIPHER_CTX_ctrl \
2814		EVP_DigestFinal_ex \
2815		EVP_DigestInit_ex \
2816		EVP_MD_CTX_cleanup \
2817		EVP_MD_CTX_copy_ex \
2818		EVP_MD_CTX_init \
2819		HMAC_CTX_init \
2820		RSA_generate_key_ex \
2821		RSA_get_default_method \
2822	])
2823
2824	# OpenSSL_add_all_algorithms may be a macro.
2825	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2826	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2827	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2828		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2829		[[#include <openssl/evp.h>]]
2830	    )
2831	)
2832
2833	# LibreSSL/OpenSSL 1.1x API
2834	AC_CHECK_FUNCS([ \
2835		OPENSSL_init_crypto \
2836		DH_get0_key \
2837		DH_get0_pqg \
2838		DH_set0_key \
2839		DH_set_length \
2840		DH_set0_pqg \
2841		DSA_get0_key \
2842		DSA_get0_pqg \
2843		DSA_set0_key \
2844		DSA_set0_pqg \
2845		DSA_SIG_get0 \
2846		DSA_SIG_set0 \
2847		ECDSA_SIG_get0 \
2848		ECDSA_SIG_set0 \
2849		EVP_CIPHER_CTX_iv \
2850		EVP_CIPHER_CTX_iv_noconst \
2851		EVP_CIPHER_CTX_get_iv \
2852		EVP_CIPHER_CTX_set_iv \
2853		RSA_get0_crt_params \
2854		RSA_get0_factors \
2855		RSA_get0_key \
2856		RSA_set0_crt_params \
2857		RSA_set0_factors \
2858		RSA_set0_key \
2859		RSA_meth_free \
2860		RSA_meth_dup \
2861		RSA_meth_set1_name \
2862		RSA_meth_get_finish \
2863		RSA_meth_set_priv_enc \
2864		RSA_meth_set_priv_dec \
2865		RSA_meth_set_finish \
2866		EVP_PKEY_get0_RSA \
2867		EVP_MD_CTX_new \
2868		EVP_MD_CTX_free \
2869		EVP_chacha20 \
2870	])
2871
2872	if test "x$openssl_engine" = "xyes" ; then
2873		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2874		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2875	#include <openssl/engine.h>
2876			]], [[
2877				ENGINE_load_builtin_engines();
2878				ENGINE_register_all_complete();
2879			]])],
2880			[ AC_MSG_RESULT([yes])
2881			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2882			     [Enable OpenSSL engine support])
2883			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2884		])
2885	fi
2886
2887	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2888	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2889	AC_LINK_IFELSE(
2890		[AC_LANG_PROGRAM([[
2891	#include <string.h>
2892	#include <openssl/evp.h>
2893		]], [[
2894		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2895		]])],
2896		[
2897			AC_MSG_RESULT([no])
2898		],
2899		[
2900			AC_MSG_RESULT([yes])
2901			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2902			    [libcrypto is missing AES 192 and 256 bit functions])
2903		]
2904	)
2905
2906	# Check for OpenSSL with EVP_aes_*ctr
2907	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2908	AC_LINK_IFELSE(
2909		[AC_LANG_PROGRAM([[
2910	#include <string.h>
2911	#include <openssl/evp.h>
2912		]], [[
2913		exit(EVP_aes_128_ctr() == NULL ||
2914		    EVP_aes_192_cbc() == NULL ||
2915		    EVP_aes_256_cbc() == NULL);
2916		]])],
2917		[
2918			AC_MSG_RESULT([yes])
2919			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2920			    [libcrypto has EVP AES CTR])
2921		],
2922		[
2923			AC_MSG_RESULT([no])
2924		]
2925	)
2926
2927	# Check for OpenSSL with EVP_aes_*gcm
2928	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2929	AC_LINK_IFELSE(
2930		[AC_LANG_PROGRAM([[
2931	#include <string.h>
2932	#include <openssl/evp.h>
2933		]], [[
2934		exit(EVP_aes_128_gcm() == NULL ||
2935		    EVP_aes_256_gcm() == NULL ||
2936		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2937		    EVP_CTRL_GCM_IV_GEN == 0 ||
2938		    EVP_CTRL_GCM_SET_TAG == 0 ||
2939		    EVP_CTRL_GCM_GET_TAG == 0 ||
2940		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2941		]])],
2942		[
2943			AC_MSG_RESULT([yes])
2944			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2945			    [libcrypto has EVP AES GCM])
2946		],
2947		[
2948			AC_MSG_RESULT([no])
2949			unsupported_algorithms="$unsupported_cipers \
2950			   aes128-gcm@openssh.com \
2951			   aes256-gcm@openssh.com"
2952		]
2953	)
2954
2955	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2956	AC_LINK_IFELSE(
2957		[AC_LANG_PROGRAM([[
2958	#include <string.h>
2959	#include <openssl/evp.h>
2960		]], [[
2961		if(EVP_DigestUpdate(NULL, NULL,0))
2962			exit(0);
2963		]])],
2964		[
2965			AC_MSG_RESULT([yes])
2966		],
2967		[
2968			AC_MSG_RESULT([no])
2969			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2970			    [Define if EVP_DigestUpdate returns void])
2971		]
2972	)
2973
2974	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2975	# because the system crypt() is more featureful.
2976	if test "x$check_for_libcrypt_before" = "x1"; then
2977		AC_CHECK_LIB([crypt], [crypt])
2978	fi
2979
2980	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2981	# version in OpenSSL.
2982	if test "x$check_for_libcrypt_later" = "x1"; then
2983		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2984	fi
2985	AC_CHECK_FUNCS([crypt DES_crypt])
2986
2987	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2988	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2989
2990	# Check complete ECC support in OpenSSL
2991	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2992	AC_LINK_IFELSE(
2993		[AC_LANG_PROGRAM([[
2994	#include <openssl/ec.h>
2995	#include <openssl/ecdh.h>
2996	#include <openssl/ecdsa.h>
2997	#include <openssl/evp.h>
2998	#include <openssl/objects.h>
2999	#include <openssl/opensslv.h>
3000		]], [[
3001		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3002		const EVP_MD *m = EVP_sha256(); /* We need this too */
3003		]])],
3004		[ AC_MSG_RESULT([yes])
3005		  enable_nistp256=1 ],
3006		[ AC_MSG_RESULT([no]) ]
3007	)
3008
3009	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3010	AC_LINK_IFELSE(
3011		[AC_LANG_PROGRAM([[
3012	#include <openssl/ec.h>
3013	#include <openssl/ecdh.h>
3014	#include <openssl/ecdsa.h>
3015	#include <openssl/evp.h>
3016	#include <openssl/objects.h>
3017	#include <openssl/opensslv.h>
3018		]], [[
3019		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3020		const EVP_MD *m = EVP_sha384(); /* We need this too */
3021		]])],
3022		[ AC_MSG_RESULT([yes])
3023		  enable_nistp384=1 ],
3024		[ AC_MSG_RESULT([no]) ]
3025	)
3026
3027	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3028	AC_LINK_IFELSE(
3029		[AC_LANG_PROGRAM([[
3030	#include <openssl/ec.h>
3031	#include <openssl/ecdh.h>
3032	#include <openssl/ecdsa.h>
3033	#include <openssl/evp.h>
3034	#include <openssl/objects.h>
3035	#include <openssl/opensslv.h>
3036		]], [[
3037		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3038		const EVP_MD *m = EVP_sha512(); /* We need this too */
3039		]])],
3040		[ AC_MSG_RESULT([yes])
3041		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3042		  AC_RUN_IFELSE(
3043			[AC_LANG_PROGRAM([[
3044	#include <openssl/ec.h>
3045	#include <openssl/ecdh.h>
3046	#include <openssl/ecdsa.h>
3047	#include <openssl/evp.h>
3048	#include <openssl/objects.h>
3049	#include <openssl/opensslv.h>
3050			]],[[
3051			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3052			const EVP_MD *m = EVP_sha512(); /* We need this too */
3053			exit(e == NULL || m == NULL);
3054			]])],
3055			[ AC_MSG_RESULT([yes])
3056			  enable_nistp521=1 ],
3057			[ AC_MSG_RESULT([no]) ],
3058			[ AC_MSG_WARN([cross-compiling: assuming yes])
3059			  enable_nistp521=1 ]
3060		  )],
3061		AC_MSG_RESULT([no])
3062	)
3063
3064	COMMENT_OUT_ECC="#no ecc#"
3065	TEST_SSH_ECC=no
3066
3067	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3068	    test x$enable_nistp521 = x1; then
3069		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3070		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3071		openssl_ecc=yes
3072	else
3073		openssl_ecc=no
3074	fi
3075	if test x$enable_nistp256 = x1; then
3076		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3077		    [libcrypto has NID_X9_62_prime256v1])
3078		TEST_SSH_ECC=yes
3079		COMMENT_OUT_ECC=""
3080	else
3081		unsupported_algorithms="$unsupported_algorithms \
3082			ecdsa-sha2-nistp256 \
3083			ecdh-sha2-nistp256 \
3084			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3085	fi
3086	if test x$enable_nistp384 = x1; then
3087		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3088		TEST_SSH_ECC=yes
3089		COMMENT_OUT_ECC=""
3090	else
3091		unsupported_algorithms="$unsupported_algorithms \
3092			ecdsa-sha2-nistp384 \
3093			ecdh-sha2-nistp384 \
3094			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3095	fi
3096	if test x$enable_nistp521 = x1; then
3097		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3098		TEST_SSH_ECC=yes
3099		COMMENT_OUT_ECC=""
3100	else
3101		unsupported_algorithms="$unsupported_algorithms \
3102			ecdh-sha2-nistp521 \
3103			ecdsa-sha2-nistp521 \
3104			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3105	fi
3106
3107	AC_SUBST([TEST_SSH_ECC])
3108	AC_SUBST([COMMENT_OUT_ECC])
3109else
3110	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3111	AC_CHECK_FUNCS([crypt])
3112fi
3113
3114# PKCS11/U2F depend on OpenSSL and dlopen().
3115enable_pkcs11=yes
3116enable_sk=yes
3117if test "x$openssl" != "xyes" ; then
3118	enable_pkcs11="disabled; missing libcrypto"
3119	enable_sk="disabled; missing libcrypto"
3120fi
3121if test "x$openssl_ecc" != "xyes" ; then
3122	enable_sk="disabled; OpenSSL has no ECC support"
3123fi
3124if test "x$ac_cv_func_dlopen" != "xyes" ; then
3125	enable_pkcs11="disabled; missing dlopen(3)"
3126	enable_sk="disabled; missing dlopen(3)"
3127fi
3128if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3129	enable_pkcs11="disabled; missing RTLD_NOW"
3130	enable_sk="disabled; missing RTLD_NOW"
3131fi
3132if test ! -z "$disable_pkcs11" ; then
3133	enable_pkcs11="disabled by user"
3134fi
3135if test ! -z "$disable_sk" ; then
3136	enable_sk="disabled by user"
3137fi
3138
3139AC_MSG_CHECKING([whether to enable PKCS11])
3140if test "x$enable_pkcs11" = "xyes" ; then
3141	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3142fi
3143AC_MSG_RESULT([$enable_pkcs11])
3144
3145AC_MSG_CHECKING([whether to enable U2F])
3146if test "x$enable_sk" = "xyes" ; then
3147	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3148	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3149else
3150	# Do not try to build sk-dummy library.
3151	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3152fi
3153AC_MSG_RESULT([$enable_sk])
3154
3155# Now check for built-in security key support.
3156if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3157	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3158	use_pkgconfig_for_libfido2=
3159	if test "x$PKGCONFIG" != "xno"; then
3160		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3161		if "$PKGCONFIG" libfido2; then
3162			AC_MSG_RESULT([yes])
3163			use_pkgconfig_for_libfido2=yes
3164		else
3165			AC_MSG_RESULT([no])
3166		fi
3167	fi
3168	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3169		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3170		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3171	else
3172		LIBFIDO2="-lfido2 -lcbor"
3173	fi
3174	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3175	AC_CHECK_LIB([fido2], [fido_init],
3176		[
3177			AC_SUBST([LIBFIDO2])
3178			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3179			    [Enable for built-in U2F/FIDO support])
3180			enable_sk="built-in"
3181		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3182		[ $OTHERLIBS ]
3183	)
3184	saved_LIBS="$LIBS"
3185	LIBS="$LIBS $LIBFIDO2"
3186	AC_CHECK_FUNCS([ \
3187		fido_cred_prot \
3188		fido_cred_set_prot \
3189		fido_dev_get_touch_begin \
3190		fido_dev_get_touch_status \
3191		fido_dev_supports_cred_prot \
3192	])
3193	LIBS="$saved_LIBS"
3194	AC_CHECK_HEADER([fido.h], [],
3195		AC_MSG_ERROR([missing fido.h from libfido2]))
3196	AC_CHECK_HEADER([fido/credman.h], [],
3197		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3198		[#include <fido.h>]
3199	)
3200fi
3201
3202AC_CHECK_FUNCS([ \
3203	arc4random \
3204	arc4random_buf \
3205	arc4random_stir \
3206	arc4random_uniform \
3207])
3208
3209saved_LIBS="$LIBS"
3210AC_CHECK_LIB([iaf], [ia_openinfo], [
3211	LIBS="$LIBS -liaf"
3212	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3213				AC_DEFINE([HAVE_LIBIAF], [1],
3214			[Define if system has libiaf that supports set_id])
3215				])
3216])
3217LIBS="$saved_LIBS"
3218
3219### Configure cryptographic random number support
3220
3221# Check whether OpenSSL seeds itself
3222if test "x$openssl" = "xyes" ; then
3223	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3224	AC_RUN_IFELSE(
3225		[AC_LANG_PROGRAM([[
3226	#include <string.h>
3227	#include <openssl/rand.h>
3228		]], [[
3229		exit(RAND_status() == 1 ? 0 : 1);
3230		]])],
3231		[
3232			OPENSSL_SEEDS_ITSELF=yes
3233			AC_MSG_RESULT([yes])
3234		],
3235		[
3236			AC_MSG_RESULT([no])
3237		],
3238		[
3239			AC_MSG_WARN([cross compiling: assuming yes])
3240			# This is safe, since we will fatal() at runtime if
3241			# OpenSSL is not seeded correctly.
3242			OPENSSL_SEEDS_ITSELF=yes
3243		]
3244	)
3245fi
3246
3247# PRNGD TCP socket
3248AC_ARG_WITH([prngd-port],
3249	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3250	[
3251		case "$withval" in
3252		no)
3253			withval=""
3254			;;
3255		[[0-9]]*)
3256			;;
3257		*)
3258			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3259			;;
3260		esac
3261		if test ! -z "$withval" ; then
3262			PRNGD_PORT="$withval"
3263			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3264				[Port number of PRNGD/EGD random number socket])
3265		fi
3266	]
3267)
3268
3269# PRNGD Unix domain socket
3270AC_ARG_WITH([prngd-socket],
3271	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3272	[
3273		case "$withval" in
3274		yes)
3275			withval="/var/run/egd-pool"
3276			;;
3277		no)
3278			withval=""
3279			;;
3280		/*)
3281			;;
3282		*)
3283			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3284			;;
3285		esac
3286
3287		if test ! -z "$withval" ; then
3288			if test ! -z "$PRNGD_PORT" ; then
3289				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3290			fi
3291			if test ! -r "$withval" ; then
3292				AC_MSG_WARN([Entropy socket is not readable])
3293			fi
3294			PRNGD_SOCKET="$withval"
3295			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3296				[Location of PRNGD/EGD random number socket])
3297		fi
3298	],
3299	[
3300		# Check for existing socket only if we don't have a random device already
3301		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3302			AC_MSG_CHECKING([for PRNGD/EGD socket])
3303			# Insert other locations here
3304			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3305				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3306					PRNGD_SOCKET="$sock"
3307					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3308					break;
3309				fi
3310			done
3311			if test ! -z "$PRNGD_SOCKET" ; then
3312				AC_MSG_RESULT([$PRNGD_SOCKET])
3313			else
3314				AC_MSG_RESULT([not found])
3315			fi
3316		fi
3317	]
3318)
3319
3320# Which randomness source do we use?
3321if test ! -z "$PRNGD_PORT" ; then
3322	RAND_MSG="PRNGd port $PRNGD_PORT"
3323elif test ! -z "$PRNGD_SOCKET" ; then
3324	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3325elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3326	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3327		[Define if you want the OpenSSL internally seeded PRNG only])
3328	RAND_MSG="OpenSSL internal ONLY"
3329elif test "x$openssl" = "xno" ; then
3330	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3331else
3332	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3333fi
3334
3335# Check for PAM libs
3336PAM_MSG="no"
3337AC_ARG_WITH([pam],
3338	[  --with-pam              Enable PAM support ],
3339	[
3340		if test "x$withval" != "xno" ; then
3341			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3342			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3343				AC_MSG_ERROR([PAM headers not found])
3344			fi
3345
3346			saved_LIBS="$LIBS"
3347			AC_CHECK_LIB([dl], [dlopen], , )
3348			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3349			AC_CHECK_FUNCS([pam_getenvlist])
3350			AC_CHECK_FUNCS([pam_putenv])
3351			LIBS="$saved_LIBS"
3352
3353			PAM_MSG="yes"
3354
3355			SSHDLIBS="$SSHDLIBS -lpam"
3356			AC_DEFINE([USE_PAM], [1],
3357				[Define if you want to enable PAM support])
3358
3359			if test $ac_cv_lib_dl_dlopen = yes; then
3360				case "$LIBS" in
3361				*-ldl*)
3362					# libdl already in LIBS
3363					;;
3364				*)
3365					SSHDLIBS="$SSHDLIBS -ldl"
3366					;;
3367				esac
3368			fi
3369		fi
3370	]
3371)
3372
3373AC_ARG_WITH([pam-service],
3374	[  --with-pam-service=name Specify PAM service name ],
3375	[
3376		if test "x$withval" != "xno" && \
3377		   test "x$withval" != "xyes" ; then
3378			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3379				["$withval"], [sshd PAM service name])
3380		fi
3381	]
3382)
3383
3384# Check for older PAM
3385if test "x$PAM_MSG" = "xyes" ; then
3386	# Check PAM strerror arguments (old PAM)
3387	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3388	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3389#include <stdlib.h>
3390#if defined(HAVE_SECURITY_PAM_APPL_H)
3391#include <security/pam_appl.h>
3392#elif defined (HAVE_PAM_PAM_APPL_H)
3393#include <pam/pam_appl.h>
3394#endif
3395		]], [[
3396(void)pam_strerror((pam_handle_t *)NULL, -1);
3397		]])], [AC_MSG_RESULT([no])], [
3398			AC_DEFINE([HAVE_OLD_PAM], [1],
3399				[Define if you have an old version of PAM
3400				which takes only one argument to pam_strerror])
3401			AC_MSG_RESULT([yes])
3402			PAM_MSG="yes (old library)"
3403
3404	])
3405fi
3406
3407case "$host" in
3408*-*-cygwin*)
3409	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3410	;;
3411*)
3412	SSH_PRIVSEP_USER=sshd
3413	;;
3414esac
3415AC_ARG_WITH([privsep-user],
3416	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3417	[
3418		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3419		    test "x${withval}" != "xyes"; then
3420			SSH_PRIVSEP_USER=$withval
3421		fi
3422	]
3423)
3424if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3425	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3426		[Cygwin function to fetch non-privileged user for privilege separation])
3427else
3428	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3429		[non-privileged user for privilege separation])
3430fi
3431AC_SUBST([SSH_PRIVSEP_USER])
3432
3433if test "x$have_linux_no_new_privs" = "x1" ; then
3434AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3435	#include <sys/types.h>
3436	#include <linux/seccomp.h>
3437])
3438fi
3439if test "x$have_seccomp_filter" = "x1" ; then
3440AC_MSG_CHECKING([kernel for seccomp_filter support])
3441AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3442		#include <errno.h>
3443		#include <elf.h>
3444		#include <linux/audit.h>
3445		#include <linux/seccomp.h>
3446		#include <stdlib.h>
3447		#include <sys/prctl.h>
3448	]],
3449	[[ int i = $seccomp_audit_arch;
3450	   errno = 0;
3451	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3452	   exit(errno == EFAULT ? 0 : 1); ]])],
3453	[ AC_MSG_RESULT([yes]) ], [
3454		AC_MSG_RESULT([no])
3455		# Disable seccomp filter as a target
3456		have_seccomp_filter=0
3457	]
3458)
3459fi
3460
3461# Decide which sandbox style to use
3462sandbox_arg=""
3463AC_ARG_WITH([sandbox],
3464	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3465	[
3466		if test "x$withval" = "xyes" ; then
3467			sandbox_arg=""
3468		else
3469			sandbox_arg="$withval"
3470		fi
3471	]
3472)
3473
3474# Some platforms (seems to be the ones that have a kernel poll(2)-type
3475# function with which they implement select(2)) use an extra file descriptor
3476# when calling select(2), which means we can't use the rlimit sandbox.
3477AC_MSG_CHECKING([if select works with descriptor rlimit])
3478AC_RUN_IFELSE(
3479	[AC_LANG_PROGRAM([[
3480#include <sys/types.h>
3481#ifdef HAVE_SYS_TIME_H
3482# include <sys/time.h>
3483#endif
3484#include <sys/resource.h>
3485#ifdef HAVE_SYS_SELECT_H
3486# include <sys/select.h>
3487#endif
3488#include <errno.h>
3489#include <fcntl.h>
3490#include <stdlib.h>
3491	]],[[
3492	struct rlimit rl_zero;
3493	int fd, r;
3494	fd_set fds;
3495	struct timeval tv;
3496
3497	fd = open("/dev/null", O_RDONLY);
3498	FD_ZERO(&fds);
3499	FD_SET(fd, &fds);
3500	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3501	setrlimit(RLIMIT_FSIZE, &rl_zero);
3502	setrlimit(RLIMIT_NOFILE, &rl_zero);
3503	tv.tv_sec = 1;
3504	tv.tv_usec = 0;
3505	r = select(fd+1, &fds, NULL, NULL, &tv);
3506	exit (r == -1 ? 1 : 0);
3507	]])],
3508	[AC_MSG_RESULT([yes])
3509	 select_works_with_rlimit=yes],
3510	[AC_MSG_RESULT([no])
3511	 select_works_with_rlimit=no],
3512	[AC_MSG_WARN([cross compiling: assuming yes])
3513	 select_works_with_rlimit=yes]
3514)
3515
3516AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3517AC_RUN_IFELSE(
3518	[AC_LANG_PROGRAM([[
3519#include <sys/types.h>
3520#ifdef HAVE_SYS_TIME_H
3521# include <sys/time.h>
3522#endif
3523#include <sys/resource.h>
3524#include <errno.h>
3525#include <stdlib.h>
3526	]],[[
3527	struct rlimit rl_zero;
3528	int r;
3529
3530	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3531	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3532	exit (r == -1 ? 1 : 0);
3533	]])],
3534	[AC_MSG_RESULT([yes])
3535	 rlimit_nofile_zero_works=yes],
3536	[AC_MSG_RESULT([no])
3537	 rlimit_nofile_zero_works=no],
3538	[AC_MSG_WARN([cross compiling: assuming yes])
3539	 rlimit_nofile_zero_works=yes]
3540)
3541
3542AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3543AC_RUN_IFELSE(
3544	[AC_LANG_PROGRAM([[
3545#include <sys/types.h>
3546#include <sys/resource.h>
3547#include <stdlib.h>
3548	]],[[
3549		struct rlimit rl_zero;
3550
3551		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3552		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3553	]])],
3554	[AC_MSG_RESULT([yes])],
3555	[AC_MSG_RESULT([no])
3556	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3557	    [setrlimit RLIMIT_FSIZE works])],
3558	[AC_MSG_WARN([cross compiling: assuming yes])]
3559)
3560
3561if test "x$sandbox_arg" = "xpledge" || \
3562   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3563	test "x$ac_cv_func_pledge" != "xyes" && \
3564		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3565	SANDBOX_STYLE="pledge"
3566	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3567elif test "x$sandbox_arg" = "xsystrace" || \
3568   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3569	test "x$have_systr_policy_kill" != "x1" && \
3570		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3571	SANDBOX_STYLE="systrace"
3572	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3573elif test "x$sandbox_arg" = "xdarwin" || \
3574     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3575       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3576	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3577	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3578		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3579	SANDBOX_STYLE="darwin"
3580	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3581elif test "x$sandbox_arg" = "xseccomp_filter" || \
3582     ( test -z "$sandbox_arg" && \
3583       test "x$have_seccomp_filter" = "x1" && \
3584       test "x$ac_cv_header_elf_h" = "xyes" && \
3585       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3586       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3587       test "x$seccomp_audit_arch" != "x" && \
3588       test "x$have_linux_no_new_privs" = "x1" && \
3589       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3590	test "x$seccomp_audit_arch" = "x" && \
3591		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3592	test "x$have_linux_no_new_privs" != "x1" && \
3593		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3594	test "x$have_seccomp_filter" != "x1" && \
3595		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3596	test "x$ac_cv_func_prctl" != "xyes" && \
3597		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3598	SANDBOX_STYLE="seccomp_filter"
3599	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3600elif test "x$sandbox_arg" = "xcapsicum" || \
3601     ( test -z "$sandbox_arg" && \
3602       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3603       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3604       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3605		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3606       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3607		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3608       SANDBOX_STYLE="capsicum"
3609       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3610elif test "x$sandbox_arg" = "xrlimit" || \
3611     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3612       test "x$select_works_with_rlimit" = "xyes" && \
3613       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3614	test "x$ac_cv_func_setrlimit" != "xyes" && \
3615		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3616	test "x$select_works_with_rlimit" != "xyes" && \
3617		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3618	SANDBOX_STYLE="rlimit"
3619	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3620elif test "x$sandbox_arg" = "xsolaris" || \
3621   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3622	SANDBOX_STYLE="solaris"
3623	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3624elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3625     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3626	SANDBOX_STYLE="none"
3627	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3628else
3629	AC_MSG_ERROR([unsupported --with-sandbox])
3630fi
3631
3632# Cheap hack to ensure NEWS-OS libraries are arranged right.
3633if test ! -z "$SONY" ; then
3634  LIBS="$LIBS -liberty";
3635fi
3636
3637# Check for  long long datatypes
3638AC_CHECK_TYPES([long long, unsigned long long, long double])
3639
3640# Check datatype sizes
3641AC_CHECK_SIZEOF([short int])
3642AC_CHECK_SIZEOF([int])
3643AC_CHECK_SIZEOF([long int])
3644AC_CHECK_SIZEOF([long long int])
3645
3646# Sanity check long long for some platforms (AIX)
3647if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3648	ac_cv_sizeof_long_long_int=0
3649fi
3650
3651# compute LLONG_MIN and LLONG_MAX if we don't know them.
3652if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3653	AC_MSG_CHECKING([for max value of long long])
3654	AC_RUN_IFELSE(
3655		[AC_LANG_PROGRAM([[
3656#include <stdio.h>
3657/* Why is this so damn hard? */
3658#ifdef __GNUC__
3659# undef __GNUC__
3660#endif
3661#define __USE_ISOC99
3662#include <limits.h>
3663#define DATA "conftest.llminmax"
3664#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3665
3666/*
3667 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3668 * we do this the hard way.
3669 */
3670static int
3671fprint_ll(FILE *f, long long n)
3672{
3673	unsigned int i;
3674	int l[sizeof(long long) * 8];
3675
3676	if (n < 0)
3677		if (fprintf(f, "-") < 0)
3678			return -1;
3679	for (i = 0; n != 0; i++) {
3680		l[i] = my_abs(n % 10);
3681		n /= 10;
3682	}
3683	do {
3684		if (fprintf(f, "%d", l[--i]) < 0)
3685			return -1;
3686	} while (i != 0);
3687	if (fprintf(f, " ") < 0)
3688		return -1;
3689	return 0;
3690}
3691		]], [[
3692	FILE *f;
3693	long long i, llmin, llmax = 0;
3694
3695	if((f = fopen(DATA,"w")) == NULL)
3696		exit(1);
3697
3698#if defined(LLONG_MIN) && defined(LLONG_MAX)
3699	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3700	llmin = LLONG_MIN;
3701	llmax = LLONG_MAX;
3702#else
3703	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3704	/* This will work on one's complement and two's complement */
3705	for (i = 1; i > llmax; i <<= 1, i++)
3706		llmax = i;
3707	llmin = llmax + 1LL;	/* wrap */
3708#endif
3709
3710	/* Sanity check */
3711	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3712	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3713	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3714		fprintf(f, "unknown unknown\n");
3715		exit(2);
3716	}
3717
3718	if (fprint_ll(f, llmin) < 0)
3719		exit(3);
3720	if (fprint_ll(f, llmax) < 0)
3721		exit(4);
3722	if (fclose(f) < 0)
3723		exit(5);
3724	exit(0);
3725		]])],
3726		[
3727			llong_min=`$AWK '{print $1}' conftest.llminmax`
3728			llong_max=`$AWK '{print $2}' conftest.llminmax`
3729
3730			AC_MSG_RESULT([$llong_max])
3731			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3732			    [max value of long long calculated by configure])
3733			AC_MSG_CHECKING([for min value of long long])
3734			AC_MSG_RESULT([$llong_min])
3735			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3736			    [min value of long long calculated by configure])
3737		],
3738		[
3739			AC_MSG_RESULT([not found])
3740		],
3741		[
3742			AC_MSG_WARN([cross compiling: not checking])
3743		]
3744	)
3745fi
3746
3747AC_CHECK_DECLS([UINT32_MAX], , , [[
3748#ifdef HAVE_SYS_LIMITS_H
3749# include <sys/limits.h>
3750#endif
3751#ifdef HAVE_LIMITS_H
3752# include <limits.h>
3753#endif
3754#ifdef HAVE_STDINT_H
3755# include <stdint.h>
3756#endif
3757]])
3758
3759# More checks for data types
3760AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3761	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3762	[[ u_int a; a = 1;]])],
3763	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3764	])
3765])
3766if test "x$ac_cv_have_u_int" = "xyes" ; then
3767	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3768	have_u_int=1
3769fi
3770
3771AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3772	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3773	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3774	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3775	])
3776])
3777if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3778	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3779	have_intxx_t=1
3780fi
3781
3782if (test -z "$have_intxx_t" && \
3783	   test "x$ac_cv_header_stdint_h" = "xyes")
3784then
3785    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3786	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3787	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3788		[
3789			AC_DEFINE([HAVE_INTXX_T])
3790			AC_MSG_RESULT([yes])
3791		], [ AC_MSG_RESULT([no])
3792	])
3793fi
3794
3795AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3796	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3797#include <sys/types.h>
3798#ifdef HAVE_STDINT_H
3799# include <stdint.h>
3800#endif
3801#include <sys/socket.h>
3802#ifdef HAVE_SYS_BITYPES_H
3803# include <sys/bitypes.h>
3804#endif
3805		]], [[
3806int64_t a; a = 1;
3807		]])],
3808	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3809	])
3810])
3811if test "x$ac_cv_have_int64_t" = "xyes" ; then
3812	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3813fi
3814
3815AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3816	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3817	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3818	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3819	])
3820])
3821if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3822	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3823	have_u_intxx_t=1
3824fi
3825
3826if test -z "$have_u_intxx_t" ; then
3827    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3828	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3829	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3830		[
3831			AC_DEFINE([HAVE_U_INTXX_T])
3832			AC_MSG_RESULT([yes])
3833		], [ AC_MSG_RESULT([no])
3834	])
3835fi
3836
3837AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3838	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3839	[[ u_int64_t a; a = 1;]])],
3840	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3841	])
3842])
3843if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3844	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3845	have_u_int64_t=1
3846fi
3847
3848if (test -z "$have_u_int64_t" && \
3849	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3850then
3851    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3852	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3853	[[ u_int64_t a; a = 1]])],
3854		[
3855			AC_DEFINE([HAVE_U_INT64_T])
3856			AC_MSG_RESULT([yes])
3857		], [ AC_MSG_RESULT([no])
3858	])
3859fi
3860
3861if test -z "$have_u_intxx_t" ; then
3862	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3863		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3864#include <sys/types.h>
3865			]], [[
3866	uint8_t a;
3867	uint16_t b;
3868	uint32_t c;
3869	a = b = c = 1;
3870			]])],
3871		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3872		])
3873	])
3874	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3875		AC_DEFINE([HAVE_UINTXX_T], [1],
3876			[define if you have uintxx_t data type])
3877	fi
3878fi
3879
3880if (test -z "$have_uintxx_t" && \
3881	   test "x$ac_cv_header_stdint_h" = "xyes")
3882then
3883    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3884	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3885	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3886		[
3887			AC_DEFINE([HAVE_UINTXX_T])
3888			AC_MSG_RESULT([yes])
3889		], [ AC_MSG_RESULT([no])
3890	])
3891fi
3892
3893if (test -z "$have_uintxx_t" && \
3894	   test "x$ac_cv_header_inttypes_h" = "xyes")
3895then
3896    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3897	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3898	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3899		[
3900			AC_DEFINE([HAVE_UINTXX_T])
3901			AC_MSG_RESULT([yes])
3902		], [ AC_MSG_RESULT([no])
3903	])
3904fi
3905
3906if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3907	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3908then
3909	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3910	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3911#include <sys/bitypes.h>
3912		]], [[
3913			int8_t a; int16_t b; int32_t c;
3914			u_int8_t e; u_int16_t f; u_int32_t g;
3915			a = b = c = e = f = g = 1;
3916		]])],
3917		[
3918			AC_DEFINE([HAVE_U_INTXX_T])
3919			AC_DEFINE([HAVE_INTXX_T])
3920			AC_MSG_RESULT([yes])
3921		], [AC_MSG_RESULT([no])
3922	])
3923fi
3924
3925
3926AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3927	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3928	[[ u_char foo; foo = 125; ]])],
3929	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3930	])
3931])
3932if test "x$ac_cv_have_u_char" = "xyes" ; then
3933	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3934fi
3935
3936AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3937#include <sys/types.h>
3938#ifdef HAVE_STDINT_H
3939# include <stdint.h>
3940#endif
3941])
3942
3943TYPE_SOCKLEN_T
3944
3945AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3946AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3947#include <sys/types.h>
3948#ifdef HAVE_SYS_BITYPES_H
3949#include <sys/bitypes.h>
3950#endif
3951#ifdef HAVE_SYS_STATFS_H
3952#include <sys/statfs.h>
3953#endif
3954#ifdef HAVE_SYS_STATVFS_H
3955#include <sys/statvfs.h>
3956#endif
3957])
3958
3959AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3960#include <sys/param.h>
3961#include <sys/types.h>
3962#ifdef HAVE_SYS_BITYPES_H
3963#include <sys/bitypes.h>
3964#endif
3965#ifdef HAVE_SYS_STATFS_H
3966#include <sys/statfs.h>
3967#endif
3968#ifdef HAVE_SYS_STATVFS_H
3969#include <sys/statvfs.h>
3970#endif
3971#ifdef HAVE_SYS_VFS_H
3972#include <sys/vfs.h>
3973#endif
3974#ifdef HAVE_SYS_MOUNT_H
3975#include <sys/mount.h>
3976#endif
3977]])
3978
3979
3980AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3981[#include <sys/types.h>
3982#include <netinet/in.h>])
3983
3984AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3985	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3986	[[ size_t foo; foo = 1235; ]])],
3987	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3988	])
3989])
3990if test "x$ac_cv_have_size_t" = "xyes" ; then
3991	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3992fi
3993
3994AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3995	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3996	[[ ssize_t foo; foo = 1235; ]])],
3997	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3998	])
3999])
4000if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4001	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4002fi
4003
4004AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4005	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4006	[[ clock_t foo; foo = 1235; ]])],
4007	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4008	])
4009])
4010if test "x$ac_cv_have_clock_t" = "xyes" ; then
4011	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4012fi
4013
4014AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4015	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4016#include <sys/types.h>
4017#include <sys/socket.h>
4018		]], [[ sa_family_t foo; foo = 1235; ]])],
4019	[ ac_cv_have_sa_family_t="yes" ],
4020	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4021#include <sys/types.h>
4022#include <sys/socket.h>
4023#include <netinet/in.h>
4024		]], [[ sa_family_t foo; foo = 1235; ]])],
4025		[ ac_cv_have_sa_family_t="yes" ],
4026		[ ac_cv_have_sa_family_t="no" ]
4027	)
4028	])
4029])
4030if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4031	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4032		[define if you have sa_family_t data type])
4033fi
4034
4035AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4036	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4037	[[ pid_t foo; foo = 1235; ]])],
4038	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4039	])
4040])
4041if test "x$ac_cv_have_pid_t" = "xyes" ; then
4042	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4043fi
4044
4045AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4046	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4047	[[ mode_t foo; foo = 1235; ]])],
4048	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4049	])
4050])
4051if test "x$ac_cv_have_mode_t" = "xyes" ; then
4052	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4053fi
4054
4055
4056AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4057	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4058#include <sys/types.h>
4059#include <sys/socket.h>
4060		]], [[ struct sockaddr_storage s; ]])],
4061	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4062	[ ac_cv_have_struct_sockaddr_storage="no"
4063	])
4064])
4065if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4066	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4067		[define if you have struct sockaddr_storage data type])
4068fi
4069
4070AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4071	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4072#include <sys/types.h>
4073#include <netinet/in.h>
4074		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4075	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4076	[ ac_cv_have_struct_sockaddr_in6="no"
4077	])
4078])
4079if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4080	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4081		[define if you have struct sockaddr_in6 data type])
4082fi
4083
4084AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4085	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4086#include <sys/types.h>
4087#include <netinet/in.h>
4088		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4089	[ ac_cv_have_struct_in6_addr="yes" ],
4090	[ ac_cv_have_struct_in6_addr="no"
4091	])
4092])
4093if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4094	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4095		[define if you have struct in6_addr data type])
4096
4097dnl Now check for sin6_scope_id
4098	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4099		[
4100#ifdef HAVE_SYS_TYPES_H
4101#include <sys/types.h>
4102#endif
4103#include <netinet/in.h>
4104		])
4105fi
4106
4107AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4108	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4109#include <sys/types.h>
4110#include <sys/socket.h>
4111#include <netdb.h>
4112		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4113	[ ac_cv_have_struct_addrinfo="yes" ],
4114	[ ac_cv_have_struct_addrinfo="no"
4115	])
4116])
4117if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4118	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4119		[define if you have struct addrinfo data type])
4120fi
4121
4122AC_HEADER_TIME
4123
4124AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4125	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4126	[[ struct timeval tv; tv.tv_sec = 1;]])],
4127	[ ac_cv_have_struct_timeval="yes" ],
4128	[ ac_cv_have_struct_timeval="no"
4129	])
4130])
4131if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4132	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4133	have_struct_timeval=1
4134fi
4135
4136AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4137	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4138    #ifdef TIME_WITH_SYS_TIME
4139    # include <sys/time.h>
4140    # include <time.h>
4141    #else
4142    # ifdef HAVE_SYS_TIME_H
4143    #  include <sys/time.h>
4144    # else
4145    #  include <time.h>
4146    # endif
4147    #endif
4148	]],
4149	[[ struct timespec ts; ts.tv_sec = 1;]])],
4150	[ ac_cv_have_struct_timespec="yes" ],
4151	[ ac_cv_have_struct_timespec="no"
4152	])
4153])
4154if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4155	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4156	have_struct_timespec=1
4157fi
4158
4159# We need int64_t or else certain parts of the compile will fail.
4160if test "x$ac_cv_have_int64_t" = "xno" && \
4161	test "x$ac_cv_sizeof_long_int" != "x8" && \
4162	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4163	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4164	echo "an alternative compiler (I.E., GCC) before continuing."
4165	echo ""
4166	exit 1;
4167else
4168dnl test snprintf (broken on SCO w/gcc)
4169	AC_RUN_IFELSE(
4170		[AC_LANG_SOURCE([[
4171#include <stdio.h>
4172#include <string.h>
4173#ifdef HAVE_SNPRINTF
4174main()
4175{
4176	char buf[50];
4177	char expected_out[50];
4178	int mazsize = 50 ;
4179#if (SIZEOF_LONG_INT == 8)
4180	long int num = 0x7fffffffffffffff;
4181#else
4182	long long num = 0x7fffffffffffffffll;
4183#endif
4184	strcpy(expected_out, "9223372036854775807");
4185	snprintf(buf, mazsize, "%lld", num);
4186	if(strcmp(buf, expected_out) != 0)
4187		exit(1);
4188	exit(0);
4189}
4190#else
4191main() { exit(0); }
4192#endif
4193		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4194		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4195	)
4196fi
4197
4198dnl Checks for structure members
4199OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4200OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4201OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4202OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4203OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4204OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4205OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4206OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4209OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4210OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4211OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4212OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4213OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4214OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4215OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4216OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4217
4218AC_CHECK_MEMBERS([struct stat.st_blksize])
4219AC_CHECK_MEMBERS([struct stat.st_mtim])
4220AC_CHECK_MEMBERS([struct stat.st_mtime])
4221AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4222struct passwd.pw_change, struct passwd.pw_expire],
4223[], [], [[
4224#include <sys/types.h>
4225#include <pwd.h>
4226]])
4227
4228AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4229	[Define if we don't have struct __res_state in resolv.h])],
4230[[
4231#include <stdio.h>
4232#if HAVE_SYS_TYPES_H
4233# include <sys/types.h>
4234#endif
4235#include <netinet/in.h>
4236#include <arpa/nameser.h>
4237#include <resolv.h>
4238]])
4239
4240AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4241		ac_cv_have_ss_family_in_struct_ss, [
4242	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4243#include <sys/types.h>
4244#include <sys/socket.h>
4245		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4246	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4247	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4248])
4249if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4250	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4251fi
4252
4253AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4254		ac_cv_have___ss_family_in_struct_ss, [
4255	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4256#include <sys/types.h>
4257#include <sys/socket.h>
4258		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4259	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4260	[ ac_cv_have___ss_family_in_struct_ss="no"
4261	])
4262])
4263if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4264	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4265		[Fields in struct sockaddr_storage])
4266fi
4267
4268dnl make sure we're using the real structure members and not defines
4269AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4270		ac_cv_have_accrights_in_msghdr, [
4271	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4272#include <sys/types.h>
4273#include <sys/socket.h>
4274#include <sys/uio.h>
4275		]], [[
4276#ifdef msg_accrights
4277#error "msg_accrights is a macro"
4278exit(1);
4279#endif
4280struct msghdr m;
4281m.msg_accrights = 0;
4282exit(0);
4283		]])],
4284		[ ac_cv_have_accrights_in_msghdr="yes" ],
4285		[ ac_cv_have_accrights_in_msghdr="no" ]
4286	)
4287])
4288if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4289	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4290		[Define if your system uses access rights style
4291		file descriptor passing])
4292fi
4293
4294AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4295AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4296#include <sys/param.h>
4297#include <sys/stat.h>
4298#ifdef HAVE_SYS_TIME_H
4299# include <sys/time.h>
4300#endif
4301#ifdef HAVE_SYS_MOUNT_H
4302#include <sys/mount.h>
4303#endif
4304#ifdef HAVE_SYS_STATVFS_H
4305#include <sys/statvfs.h>
4306#endif
4307	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4308	[ AC_MSG_RESULT([yes]) ],
4309	[ AC_MSG_RESULT([no])
4310
4311	AC_MSG_CHECKING([if fsid_t has member val])
4312	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4313#include <sys/types.h>
4314#include <sys/statvfs.h>
4315	]], [[ fsid_t t; t.val[0] = 0; ]])],
4316	[ AC_MSG_RESULT([yes])
4317	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4318	[ AC_MSG_RESULT([no]) ])
4319
4320	AC_MSG_CHECKING([if f_fsid has member __val])
4321	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4322#include <sys/types.h>
4323#include <sys/statvfs.h>
4324	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4325	[ AC_MSG_RESULT([yes])
4326	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4327	[ AC_MSG_RESULT([no]) ])
4328])
4329
4330AC_CACHE_CHECK([for msg_control field in struct msghdr],
4331		ac_cv_have_control_in_msghdr, [
4332	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4333#include <sys/types.h>
4334#include <sys/socket.h>
4335#include <sys/uio.h>
4336		]], [[
4337#ifdef msg_control
4338#error "msg_control is a macro"
4339exit(1);
4340#endif
4341struct msghdr m;
4342m.msg_control = 0;
4343exit(0);
4344		]])],
4345		[ ac_cv_have_control_in_msghdr="yes" ],
4346		[ ac_cv_have_control_in_msghdr="no" ]
4347	)
4348])
4349if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4350	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4351		[Define if your system uses ancillary data style
4352		file descriptor passing])
4353fi
4354
4355AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4356	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4357		[[ extern char *__progname; printf("%s", __progname); ]])],
4358	[ ac_cv_libc_defines___progname="yes" ],
4359	[ ac_cv_libc_defines___progname="no"
4360	])
4361])
4362if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4363	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4364fi
4365
4366AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4367	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4368		[[ printf("%s", __FUNCTION__); ]])],
4369	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4370	[ ac_cv_cc_implements___FUNCTION__="no"
4371	])
4372])
4373if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4374	AC_DEFINE([HAVE___FUNCTION__], [1],
4375		[Define if compiler implements __FUNCTION__])
4376fi
4377
4378AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4379	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4380		[[ printf("%s", __func__); ]])],
4381	[ ac_cv_cc_implements___func__="yes" ],
4382	[ ac_cv_cc_implements___func__="no"
4383	])
4384])
4385if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4386	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4387fi
4388
4389AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4390	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4391#include <stdarg.h>
4392va_list x,y;
4393		]], [[ va_copy(x,y); ]])],
4394	[ ac_cv_have_va_copy="yes" ],
4395	[ ac_cv_have_va_copy="no"
4396	])
4397])
4398if test "x$ac_cv_have_va_copy" = "xyes" ; then
4399	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4400fi
4401
4402AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4403	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4404#include <stdarg.h>
4405va_list x,y;
4406		]], [[ __va_copy(x,y); ]])],
4407	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4408	])
4409])
4410if test "x$ac_cv_have___va_copy" = "xyes" ; then
4411	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4412fi
4413
4414AC_CACHE_CHECK([whether getopt has optreset support],
4415		ac_cv_have_getopt_optreset, [
4416	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4417		[[ extern int optreset; optreset = 0; ]])],
4418	[ ac_cv_have_getopt_optreset="yes" ],
4419	[ ac_cv_have_getopt_optreset="no"
4420	])
4421])
4422if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4423	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4424		[Define if your getopt(3) defines and uses optreset])
4425fi
4426
4427AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4428	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4429[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4430	[ ac_cv_libc_defines_sys_errlist="yes" ],
4431	[ ac_cv_libc_defines_sys_errlist="no"
4432	])
4433])
4434if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4435	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4436		[Define if your system defines sys_errlist[]])
4437fi
4438
4439
4440AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4441	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4442[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4443	[ ac_cv_libc_defines_sys_nerr="yes" ],
4444	[ ac_cv_libc_defines_sys_nerr="no"
4445	])
4446])
4447if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4448	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4449fi
4450
4451# Check libraries needed by DNS fingerprint support
4452AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4453	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4454		[Define if getrrsetbyname() exists])],
4455	[
4456		# Needed by our getrrsetbyname()
4457		AC_SEARCH_LIBS([res_query], [resolv])
4458		AC_SEARCH_LIBS([dn_expand], [resolv])
4459		AC_MSG_CHECKING([if res_query will link])
4460		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4461#include <sys/types.h>
4462#include <netinet/in.h>
4463#include <arpa/nameser.h>
4464#include <netdb.h>
4465#include <resolv.h>
4466				]], [[
4467	res_query (0, 0, 0, 0, 0);
4468				]])],
4469		    AC_MSG_RESULT([yes]),
4470		   [AC_MSG_RESULT([no])
4471		    saved_LIBS="$LIBS"
4472		    LIBS="$LIBS -lresolv"
4473		    AC_MSG_CHECKING([for res_query in -lresolv])
4474		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4475#include <sys/types.h>
4476#include <netinet/in.h>
4477#include <arpa/nameser.h>
4478#include <netdb.h>
4479#include <resolv.h>
4480				]], [[
4481	res_query (0, 0, 0, 0, 0);
4482				]])],
4483			[AC_MSG_RESULT([yes])],
4484			[LIBS="$saved_LIBS"
4485			 AC_MSG_RESULT([no])])
4486		    ])
4487		AC_CHECK_FUNCS([_getshort _getlong])
4488		AC_CHECK_DECLS([_getshort, _getlong], , ,
4489		    [#include <sys/types.h>
4490		    #include <arpa/nameser.h>])
4491		AC_CHECK_MEMBER([HEADER.ad],
4492			[AC_DEFINE([HAVE_HEADER_AD], [1],
4493			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4494			[#include <arpa/nameser.h>])
4495	])
4496
4497AC_MSG_CHECKING([if struct __res_state _res is an extern])
4498AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4499#include <stdio.h>
4500#if HAVE_SYS_TYPES_H
4501# include <sys/types.h>
4502#endif
4503#include <netinet/in.h>
4504#include <arpa/nameser.h>
4505#include <resolv.h>
4506extern struct __res_state _res;
4507		]], [[
4508struct __res_state *volatile p = &_res;  /* force resolution of _res */
4509return 0;
4510		]],)],
4511		[AC_MSG_RESULT([yes])
4512		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4513		    [Define if you have struct __res_state _res as an extern])
4514		],
4515		[ AC_MSG_RESULT([no]) ]
4516)
4517
4518# Check whether user wants SELinux support
4519SELINUX_MSG="no"
4520LIBSELINUX=""
4521AC_ARG_WITH([selinux],
4522	[  --with-selinux          Enable SELinux support],
4523	[ if test "x$withval" != "xno" ; then
4524		save_LIBS="$LIBS"
4525		AC_DEFINE([WITH_SELINUX], [1],
4526			[Define if you want SELinux support.])
4527		SELINUX_MSG="yes"
4528		AC_CHECK_HEADER([selinux/selinux.h], ,
4529			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4530		AC_CHECK_LIB([selinux], [setexeccon],
4531			[ LIBSELINUX="-lselinux"
4532			  LIBS="$LIBS -lselinux"
4533			],
4534			AC_MSG_ERROR([SELinux support requires libselinux library]))
4535		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4536		LIBS="$save_LIBS $LIBSELINUX"
4537	fi ]
4538)
4539AC_SUBST([SSHDLIBS])
4540
4541# Check whether user wants Kerberos 5 support
4542KRB5_MSG="no"
4543AC_ARG_WITH([kerberos5],
4544	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4545	[ if test "x$withval" != "xno" ; then
4546		if test "x$withval" = "xyes" ; then
4547			KRB5ROOT="/usr/local"
4548		else
4549			KRB5ROOT=${withval}
4550		fi
4551
4552		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4553		KRB5_MSG="yes"
4554
4555		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4556			     [$KRB5ROOT/bin/krb5-config],
4557			     [$KRB5ROOT/bin:$PATH])
4558		if test -x $KRB5CONF ; then
4559			K5CFLAGS="`$KRB5CONF --cflags`"
4560			K5LIBS="`$KRB5CONF --libs`"
4561			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4562
4563			AC_MSG_CHECKING([for gssapi support])
4564			if $KRB5CONF | grep gssapi >/dev/null ; then
4565				AC_MSG_RESULT([yes])
4566				AC_DEFINE([GSSAPI], [1],
4567					[Define this if you want GSSAPI
4568					support in the version 2 protocol])
4569				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4570				GSSLIBS="`$KRB5CONF --libs gssapi`"
4571				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4572			else
4573				AC_MSG_RESULT([no])
4574			fi
4575			AC_MSG_CHECKING([whether we are using Heimdal])
4576			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4577				]], [[ char *tmp = heimdal_version; ]])],
4578				[ AC_MSG_RESULT([yes])
4579				AC_DEFINE([HEIMDAL], [1],
4580				[Define this if you are using the Heimdal
4581				version of Kerberos V5]) ],
4582				[AC_MSG_RESULT([no])
4583			])
4584		else
4585			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4586			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4587			AC_MSG_CHECKING([whether we are using Heimdal])
4588			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4589				]], [[ char *tmp = heimdal_version; ]])],
4590					[ AC_MSG_RESULT([yes])
4591					 AC_DEFINE([HEIMDAL])
4592					 K5LIBS="-lkrb5"
4593					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4594					 AC_CHECK_LIB([roken], [net_write],
4595					   [K5LIBS="$K5LIBS -lroken"])
4596					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4597					   [K5LIBS="$K5LIBS -ldes"])
4598				       ], [ AC_MSG_RESULT([no])
4599					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4600			])
4601			AC_SEARCH_LIBS([dn_expand], [resolv])
4602
4603			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4604				[ AC_DEFINE([GSSAPI])
4605				  GSSLIBS="-lgssapi_krb5" ],
4606				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4607					[ AC_DEFINE([GSSAPI])
4608					  GSSLIBS="-lgssapi" ],
4609					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4610						[ AC_DEFINE([GSSAPI])
4611						  GSSLIBS="-lgss" ],
4612						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4613					])
4614				])
4615
4616			AC_CHECK_HEADER([gssapi.h], ,
4617				[ unset ac_cv_header_gssapi_h
4618				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4619				  AC_CHECK_HEADERS([gssapi.h], ,
4620					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4621				  )
4622				]
4623			)
4624
4625			oldCPP="$CPPFLAGS"
4626			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4627			AC_CHECK_HEADER([gssapi_krb5.h], ,
4628					[ CPPFLAGS="$oldCPP" ])
4629
4630		fi
4631		if test -n "${rpath_opt}" ; then
4632			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4633		fi
4634		if test ! -z "$blibpath" ; then
4635			blibpath="$blibpath:${KRB5ROOT}/lib"
4636		fi
4637
4638		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4639		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4640		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4641
4642		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4643			[Define this if you want to use libkafs' AFS support])])
4644
4645		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4646#ifdef HAVE_GSSAPI_H
4647# include <gssapi.h>
4648#elif defined(HAVE_GSSAPI_GSSAPI_H)
4649# include <gssapi/gssapi.h>
4650#endif
4651
4652#ifdef HAVE_GSSAPI_GENERIC_H
4653# include <gssapi_generic.h>
4654#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4655# include <gssapi/gssapi_generic.h>
4656#endif
4657		]])
4658		saved_LIBS="$LIBS"
4659		LIBS="$LIBS $K5LIBS"
4660		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4661		LIBS="$saved_LIBS"
4662
4663	fi
4664	]
4665)
4666AC_SUBST([GSSLIBS])
4667AC_SUBST([K5LIBS])
4668
4669# Looking for programs, paths and files
4670
4671PRIVSEP_PATH=/var/empty
4672AC_ARG_WITH([privsep-path],
4673	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4674	[
4675		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4676		    test "x${withval}" != "xyes"; then
4677			PRIVSEP_PATH=$withval
4678		fi
4679	]
4680)
4681AC_SUBST([PRIVSEP_PATH])
4682
4683AC_ARG_WITH([xauth],
4684	[  --with-xauth=PATH       Specify path to xauth program ],
4685	[
4686		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4687		    test "x${withval}" != "xyes"; then
4688			xauth_path=$withval
4689		fi
4690	],
4691	[
4692		TestPath="$PATH"
4693		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4694		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4695		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4696		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4697		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4698		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4699			xauth_path="/usr/openwin/bin/xauth"
4700		fi
4701	]
4702)
4703
4704STRIP_OPT=-s
4705AC_ARG_ENABLE([strip],
4706	[  --disable-strip         Disable calling strip(1) on install],
4707	[
4708		if test "x$enableval" = "xno" ; then
4709			STRIP_OPT=
4710		fi
4711	]
4712)
4713AC_SUBST([STRIP_OPT])
4714
4715if test -z "$xauth_path" ; then
4716	XAUTH_PATH="undefined"
4717	AC_SUBST([XAUTH_PATH])
4718else
4719	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4720		[Define if xauth is found in your path])
4721	XAUTH_PATH=$xauth_path
4722	AC_SUBST([XAUTH_PATH])
4723fi
4724
4725dnl # --with-maildir=/path/to/mail gets top priority.
4726dnl # if maildir is set in the platform case statement above we use that.
4727dnl # Otherwise we run a program to get the dir from system headers.
4728dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4729dnl # If we find _PATH_MAILDIR we do nothing because that is what
4730dnl # session.c expects anyway. Otherwise we set to the value found
4731dnl # stripping any trailing slash. If for some strage reason our program
4732dnl # does not find what it needs, we default to /var/spool/mail.
4733# Check for mail directory
4734AC_ARG_WITH([maildir],
4735    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4736    [
4737	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4738	    test "x${withval}" != xyes; then
4739		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4740            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4741	    fi
4742     ],[
4743	if test "X$maildir" != "X"; then
4744	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4745	else
4746	    AC_MSG_CHECKING([Discovering system mail directory])
4747	    AC_RUN_IFELSE(
4748		[AC_LANG_PROGRAM([[
4749#include <stdio.h>
4750#include <string.h>
4751#ifdef HAVE_PATHS_H
4752#include <paths.h>
4753#endif
4754#ifdef HAVE_MAILLOCK_H
4755#include <maillock.h>
4756#endif
4757#define DATA "conftest.maildir"
4758	]], [[
4759	FILE *fd;
4760	int rc;
4761
4762	fd = fopen(DATA,"w");
4763	if(fd == NULL)
4764		exit(1);
4765
4766#if defined (_PATH_MAILDIR)
4767	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4768		exit(1);
4769#elif defined (MAILDIR)
4770	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4771		exit(1);
4772#elif defined (_PATH_MAIL)
4773	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4774		exit(1);
4775#else
4776	exit (2);
4777#endif
4778
4779	exit(0);
4780		]])],
4781		[
4782		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4783		    maildir=`awk -F: '{print $2}' conftest.maildir \
4784			| sed 's|/$||'`
4785		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4786		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4787			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4788		    fi
4789		],
4790		[
4791		    if test "X$ac_status" = "X2";then
4792# our test program didn't find it. Default to /var/spool/mail
4793			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4794			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4795		     else
4796			AC_MSG_RESULT([*** not found ***])
4797		     fi
4798		],
4799		[
4800			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4801		]
4802	    )
4803	fi
4804    ]
4805) # maildir
4806
4807if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4808	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4809	disable_ptmx_check=yes
4810fi
4811if test -z "$no_dev_ptmx" ; then
4812	if test "x$disable_ptmx_check" != "xyes" ; then
4813		AC_CHECK_FILE(["/dev/ptmx"],
4814			[
4815				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4816					[Define if you have /dev/ptmx])
4817				have_dev_ptmx=1
4818			]
4819		)
4820	fi
4821fi
4822
4823if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4824	AC_CHECK_FILE(["/dev/ptc"],
4825		[
4826			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4827				[Define if you have /dev/ptc])
4828			have_dev_ptc=1
4829		]
4830	)
4831else
4832	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4833fi
4834
4835# Options from here on. Some of these are preset by platform above
4836AC_ARG_WITH([mantype],
4837	[  --with-mantype=man|cat|doc  Set man page type],
4838	[
4839		case "$withval" in
4840		man|cat|doc)
4841			MANTYPE=$withval
4842			;;
4843		*)
4844			AC_MSG_ERROR([invalid man type: $withval])
4845			;;
4846		esac
4847	]
4848)
4849if test -z "$MANTYPE"; then
4850	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4851		MANTYPE=doc
4852	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4853		MANTYPE=doc
4854	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4855		MANTYPE=man
4856	else
4857		MANTYPE=cat
4858	fi
4859fi
4860AC_SUBST([MANTYPE])
4861if test "$MANTYPE" = "doc"; then
4862	mansubdir=man;
4863else
4864	mansubdir=$MANTYPE;
4865fi
4866AC_SUBST([mansubdir])
4867
4868# Check whether to enable MD5 passwords
4869MD5_MSG="no"
4870AC_ARG_WITH([md5-passwords],
4871	[  --with-md5-passwords    Enable use of MD5 passwords],
4872	[
4873		if test "x$withval" != "xno" ; then
4874			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4875				[Define if you want to allow MD5 passwords])
4876			MD5_MSG="yes"
4877		fi
4878	]
4879)
4880
4881# Whether to disable shadow password support
4882AC_ARG_WITH([shadow],
4883	[  --without-shadow        Disable shadow password support],
4884	[
4885		if test "x$withval" = "xno" ; then
4886			AC_DEFINE([DISABLE_SHADOW])
4887			disable_shadow=yes
4888		fi
4889	]
4890)
4891
4892if test -z "$disable_shadow" ; then
4893	AC_MSG_CHECKING([if the systems has expire shadow information])
4894	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4895#include <sys/types.h>
4896#include <shadow.h>
4897struct spwd sp;
4898		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4899		[ sp_expire_available=yes ], [
4900	])
4901
4902	if test "x$sp_expire_available" = "xyes" ; then
4903		AC_MSG_RESULT([yes])
4904		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4905		    [Define if you want to use shadow password expire field])
4906	else
4907		AC_MSG_RESULT([no])
4908	fi
4909fi
4910
4911# Use ip address instead of hostname in $DISPLAY
4912if test ! -z "$IPADDR_IN_DISPLAY" ; then
4913	DISPLAY_HACK_MSG="yes"
4914	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4915		[Define if you need to use IP address
4916		instead of hostname in $DISPLAY])
4917else
4918	DISPLAY_HACK_MSG="no"
4919	AC_ARG_WITH([ipaddr-display],
4920		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4921		[
4922			if test "x$withval" != "xno" ; then
4923				AC_DEFINE([IPADDR_IN_DISPLAY])
4924				DISPLAY_HACK_MSG="yes"
4925			fi
4926		]
4927	)
4928fi
4929
4930# check for /etc/default/login and use it if present.
4931AC_ARG_ENABLE([etc-default-login],
4932	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4933	[ if test "x$enableval" = "xno"; then
4934		AC_MSG_NOTICE([/etc/default/login handling disabled])
4935		etc_default_login=no
4936	  else
4937		etc_default_login=yes
4938	  fi ],
4939	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4940	  then
4941		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4942		etc_default_login=no
4943	  else
4944		etc_default_login=yes
4945	  fi ]
4946)
4947
4948if test "x$etc_default_login" != "xno"; then
4949	AC_CHECK_FILE(["/etc/default/login"],
4950	    [ external_path_file=/etc/default/login ])
4951	if test "x$external_path_file" = "x/etc/default/login"; then
4952		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4953			[Define if your system has /etc/default/login])
4954	fi
4955fi
4956
4957dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4958if test $ac_cv_func_login_getcapbool = "yes" && \
4959	test $ac_cv_header_login_cap_h = "yes" ; then
4960	external_path_file=/etc/login.conf
4961fi
4962
4963# Whether to mess with the default path
4964SERVER_PATH_MSG="(default)"
4965AC_ARG_WITH([default-path],
4966	[  --with-default-path=    Specify default $PATH environment for server],
4967	[
4968		if test "x$external_path_file" = "x/etc/login.conf" ; then
4969			AC_MSG_WARN([
4970--with-default-path=PATH has no effect on this system.
4971Edit /etc/login.conf instead.])
4972		elif test "x$withval" != "xno" ; then
4973			if test ! -z "$external_path_file" ; then
4974				AC_MSG_WARN([
4975--with-default-path=PATH will only be used if PATH is not defined in
4976$external_path_file .])
4977			fi
4978			user_path="$withval"
4979			SERVER_PATH_MSG="$withval"
4980		fi
4981	],
4982	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4983		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4984	else
4985		if test ! -z "$external_path_file" ; then
4986			AC_MSG_WARN([
4987If PATH is defined in $external_path_file, ensure the path to scp is included,
4988otherwise scp will not work.])
4989		fi
4990		AC_RUN_IFELSE(
4991			[AC_LANG_PROGRAM([[
4992/* find out what STDPATH is */
4993#include <stdio.h>
4994#ifdef HAVE_PATHS_H
4995# include <paths.h>
4996#endif
4997#ifndef _PATH_STDPATH
4998# ifdef _PATH_USERPATH	/* Irix */
4999#  define _PATH_STDPATH _PATH_USERPATH
5000# else
5001#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5002# endif
5003#endif
5004#include <sys/types.h>
5005#include <sys/stat.h>
5006#include <fcntl.h>
5007#define DATA "conftest.stdpath"
5008			]], [[
5009	FILE *fd;
5010	int rc;
5011
5012	fd = fopen(DATA,"w");
5013	if(fd == NULL)
5014		exit(1);
5015
5016	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5017		exit(1);
5018
5019	exit(0);
5020		]])],
5021		[ user_path=`cat conftest.stdpath` ],
5022		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5023		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5024	)
5025# make sure $bindir is in USER_PATH so scp will work
5026		t_bindir="${bindir}"
5027		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5028			t_bindir=`eval echo ${t_bindir}`
5029			case $t_bindir in
5030				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5031			esac
5032			case $t_bindir in
5033				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5034			esac
5035		done
5036		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5037		if test $? -ne 0  ; then
5038			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5039			if test $? -ne 0  ; then
5040				user_path=$user_path:$t_bindir
5041				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5042			fi
5043		fi
5044	fi ]
5045)
5046if test "x$external_path_file" != "x/etc/login.conf" ; then
5047	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5048	AC_SUBST([user_path])
5049fi
5050
5051# Set superuser path separately to user path
5052AC_ARG_WITH([superuser-path],
5053	[  --with-superuser-path=  Specify different path for super-user],
5054	[
5055		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5056		    test "x${withval}" != "xyes"; then
5057			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5058				[Define if you want a different $PATH
5059				for the superuser])
5060			superuser_path=$withval
5061		fi
5062	]
5063)
5064
5065
5066AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5067IPV4_IN6_HACK_MSG="no"
5068AC_ARG_WITH(4in6,
5069	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5070	[
5071		if test "x$withval" != "xno" ; then
5072			AC_MSG_RESULT([yes])
5073			AC_DEFINE([IPV4_IN_IPV6], [1],
5074				[Detect IPv4 in IPv6 mapped addresses
5075				and treat as IPv4])
5076			IPV4_IN6_HACK_MSG="yes"
5077		else
5078			AC_MSG_RESULT([no])
5079		fi
5080	], [
5081		if test "x$inet6_default_4in6" = "xyes"; then
5082			AC_MSG_RESULT([yes (default)])
5083			AC_DEFINE([IPV4_IN_IPV6])
5084			IPV4_IN6_HACK_MSG="yes"
5085		else
5086			AC_MSG_RESULT([no (default)])
5087		fi
5088	]
5089)
5090
5091# Whether to enable BSD auth support
5092BSD_AUTH_MSG=no
5093AC_ARG_WITH([bsd-auth],
5094	[  --with-bsd-auth         Enable BSD auth support],
5095	[
5096		if test "x$withval" != "xno" ; then
5097			AC_DEFINE([BSD_AUTH], [1],
5098				[Define if you have BSD auth support])
5099			BSD_AUTH_MSG=yes
5100		fi
5101	]
5102)
5103
5104# Where to place sshd.pid
5105piddir=/var/run
5106# make sure the directory exists
5107if test ! -d $piddir ; then
5108	piddir=`eval echo ${sysconfdir}`
5109	case $piddir in
5110		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5111	esac
5112fi
5113
5114AC_ARG_WITH([pid-dir],
5115	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5116	[
5117		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5118		    test "x${withval}" != "xyes"; then
5119			piddir=$withval
5120			if test ! -d $piddir ; then
5121			AC_MSG_WARN([** no $piddir directory on this system **])
5122			fi
5123		fi
5124	]
5125)
5126
5127AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5128	[Specify location of ssh.pid])
5129AC_SUBST([piddir])
5130
5131dnl allow user to disable some login recording features
5132AC_ARG_ENABLE([lastlog],
5133	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5134	[
5135		if test "x$enableval" = "xno" ; then
5136			AC_DEFINE([DISABLE_LASTLOG])
5137		fi
5138	]
5139)
5140AC_ARG_ENABLE([utmp],
5141	[  --disable-utmp          disable use of utmp even if detected [no]],
5142	[
5143		if test "x$enableval" = "xno" ; then
5144			AC_DEFINE([DISABLE_UTMP])
5145		fi
5146	]
5147)
5148AC_ARG_ENABLE([utmpx],
5149	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5150	[
5151		if test "x$enableval" = "xno" ; then
5152			AC_DEFINE([DISABLE_UTMPX], [1],
5153				[Define if you don't want to use utmpx])
5154		fi
5155	]
5156)
5157AC_ARG_ENABLE([wtmp],
5158	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5159	[
5160		if test "x$enableval" = "xno" ; then
5161			AC_DEFINE([DISABLE_WTMP])
5162		fi
5163	]
5164)
5165AC_ARG_ENABLE([wtmpx],
5166	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5167	[
5168		if test "x$enableval" = "xno" ; then
5169			AC_DEFINE([DISABLE_WTMPX], [1],
5170				[Define if you don't want to use wtmpx])
5171		fi
5172	]
5173)
5174AC_ARG_ENABLE([libutil],
5175	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5176	[
5177		if test "x$enableval" = "xno" ; then
5178			AC_DEFINE([DISABLE_LOGIN])
5179		fi
5180	]
5181)
5182AC_ARG_ENABLE([pututline],
5183	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5184	[
5185		if test "x$enableval" = "xno" ; then
5186			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5187				[Define if you don't want to use pututline()
5188				etc. to write [uw]tmp])
5189		fi
5190	]
5191)
5192AC_ARG_ENABLE([pututxline],
5193	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5194	[
5195		if test "x$enableval" = "xno" ; then
5196			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5197				[Define if you don't want to use pututxline()
5198				etc. to write [uw]tmpx])
5199		fi
5200	]
5201)
5202AC_ARG_WITH([lastlog],
5203  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5204	[
5205		if test "x$withval" = "xno" ; then
5206			AC_DEFINE([DISABLE_LASTLOG])
5207		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5208			conf_lastlog_location=$withval
5209		fi
5210	]
5211)
5212
5213dnl lastlog, [uw]tmpx? detection
5214dnl  NOTE: set the paths in the platform section to avoid the
5215dnl   need for command-line parameters
5216dnl lastlog and [uw]tmp are subject to a file search if all else fails
5217
5218dnl lastlog detection
5219dnl  NOTE: the code itself will detect if lastlog is a directory
5220AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5221AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5222#include <sys/types.h>
5223#include <utmp.h>
5224#ifdef HAVE_LASTLOG_H
5225#  include <lastlog.h>
5226#endif
5227#ifdef HAVE_PATHS_H
5228#  include <paths.h>
5229#endif
5230#ifdef HAVE_LOGIN_H
5231# include <login.h>
5232#endif
5233	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5234		[ AC_MSG_RESULT([yes]) ],
5235		[
5236		AC_MSG_RESULT([no])
5237		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5238		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5239#include <sys/types.h>
5240#include <utmp.h>
5241#ifdef HAVE_LASTLOG_H
5242#  include <lastlog.h>
5243#endif
5244#ifdef HAVE_PATHS_H
5245#  include <paths.h>
5246#endif
5247		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5248		[ AC_MSG_RESULT([yes]) ],
5249		[
5250			AC_MSG_RESULT([no])
5251			system_lastlog_path=no
5252		])
5253])
5254
5255if test -z "$conf_lastlog_location"; then
5256	if test x"$system_lastlog_path" = x"no" ; then
5257		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5258				if (test -d "$f" || test -f "$f") ; then
5259					conf_lastlog_location=$f
5260				fi
5261		done
5262		if test -z "$conf_lastlog_location"; then
5263			AC_MSG_WARN([** Cannot find lastlog **])
5264			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5265		fi
5266	fi
5267fi
5268
5269if test -n "$conf_lastlog_location"; then
5270	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5271		[Define if you want to specify the path to your lastlog file])
5272fi
5273
5274dnl utmp detection
5275AC_MSG_CHECKING([if your system defines UTMP_FILE])
5276AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5277#include <sys/types.h>
5278#include <utmp.h>
5279#ifdef HAVE_PATHS_H
5280#  include <paths.h>
5281#endif
5282	]], [[ char *utmp = UTMP_FILE; ]])],
5283	[ AC_MSG_RESULT([yes]) ],
5284	[ AC_MSG_RESULT([no])
5285	  system_utmp_path=no
5286])
5287if test -z "$conf_utmp_location"; then
5288	if test x"$system_utmp_path" = x"no" ; then
5289		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5290			if test -f $f ; then
5291				conf_utmp_location=$f
5292			fi
5293		done
5294		if test -z "$conf_utmp_location"; then
5295			AC_DEFINE([DISABLE_UTMP])
5296		fi
5297	fi
5298fi
5299if test -n "$conf_utmp_location"; then
5300	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5301		[Define if you want to specify the path to your utmp file])
5302fi
5303
5304dnl wtmp detection
5305AC_MSG_CHECKING([if your system defines WTMP_FILE])
5306AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5307#include <sys/types.h>
5308#include <utmp.h>
5309#ifdef HAVE_PATHS_H
5310#  include <paths.h>
5311#endif
5312	]], [[ char *wtmp = WTMP_FILE; ]])],
5313	[ AC_MSG_RESULT([yes]) ],
5314	[ AC_MSG_RESULT([no])
5315	  system_wtmp_path=no
5316])
5317if test -z "$conf_wtmp_location"; then
5318	if test x"$system_wtmp_path" = x"no" ; then
5319		for f in /usr/adm/wtmp /var/log/wtmp; do
5320			if test -f $f ; then
5321				conf_wtmp_location=$f
5322			fi
5323		done
5324		if test -z "$conf_wtmp_location"; then
5325			AC_DEFINE([DISABLE_WTMP])
5326		fi
5327	fi
5328fi
5329if test -n "$conf_wtmp_location"; then
5330	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5331		[Define if you want to specify the path to your wtmp file])
5332fi
5333
5334dnl wtmpx detection
5335AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5336AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5337#include <sys/types.h>
5338#include <utmp.h>
5339#ifdef HAVE_UTMPX_H
5340#include <utmpx.h>
5341#endif
5342#ifdef HAVE_PATHS_H
5343#  include <paths.h>
5344#endif
5345	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5346	[ AC_MSG_RESULT([yes]) ],
5347	[ AC_MSG_RESULT([no])
5348	  system_wtmpx_path=no
5349])
5350if test -z "$conf_wtmpx_location"; then
5351	if test x"$system_wtmpx_path" = x"no" ; then
5352		AC_DEFINE([DISABLE_WTMPX])
5353	fi
5354else
5355	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5356		[Define if you want to specify the path to your wtmpx file])
5357fi
5358
5359
5360if test ! -z "$blibpath" ; then
5361	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5362	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5363fi
5364
5365AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5366    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5367	AC_DEFINE([DISABLE_LASTLOG])
5368    fi
5369	], [
5370#ifdef HAVE_SYS_TYPES_H
5371#include <sys/types.h>
5372#endif
5373#ifdef HAVE_UTMP_H
5374#include <utmp.h>
5375#endif
5376#ifdef HAVE_UTMPX_H
5377#include <utmpx.h>
5378#endif
5379#ifdef HAVE_LASTLOG_H
5380#include <lastlog.h>
5381#endif
5382	])
5383
5384AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5385	AC_DEFINE([DISABLE_UTMP])
5386	AC_DEFINE([DISABLE_WTMP])
5387	], [
5388#ifdef HAVE_SYS_TYPES_H
5389#include <sys/types.h>
5390#endif
5391#ifdef HAVE_UTMP_H
5392#include <utmp.h>
5393#endif
5394#ifdef HAVE_UTMPX_H
5395#include <utmpx.h>
5396#endif
5397#ifdef HAVE_LASTLOG_H
5398#include <lastlog.h>
5399#endif
5400	])
5401
5402dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5403dnl Add now.
5404CFLAGS="$CFLAGS $werror_flags"
5405
5406if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5407	TEST_SSH_IPV6=no
5408else
5409	TEST_SSH_IPV6=yes
5410fi
5411AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5412AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5413AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5414AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5415AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5416AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5417
5418CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5419LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5420
5421# Make a copy of CFLAGS/LDFLAGS without PIE options.
5422LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5423CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5424AC_SUBST([LDFLAGS_NOPIE])
5425AC_SUBST([CFLAGS_NOPIE])
5426
5427AC_EXEEXT
5428AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5429	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5430	survey.sh])
5431AC_OUTPUT
5432
5433# Print summary of options
5434
5435# Someone please show me a better way :)
5436A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5437B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5438C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5439D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5440E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5441F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5442G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5443H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5444I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5445J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5446
5447echo ""
5448echo "OpenSSH has been configured with the following options:"
5449echo "                     User binaries: $B"
5450echo "                   System binaries: $C"
5451echo "               Configuration files: $D"
5452echo "                   Askpass program: $E"
5453echo "                      Manual pages: $F"
5454echo "                          PID file: $G"
5455echo "  Privilege separation chroot path: $H"
5456if test "x$external_path_file" = "x/etc/login.conf" ; then
5457echo "   At runtime, sshd will use the path defined in $external_path_file"
5458echo "   Make sure the path to scp is present, otherwise scp will not work"
5459else
5460echo "            sshd default user PATH: $I"
5461	if test ! -z "$external_path_file"; then
5462echo "   (If PATH is set in $external_path_file it will be used instead. If"
5463echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5464	fi
5465fi
5466if test ! -z "$superuser_path" ; then
5467echo "          sshd superuser user PATH: $J"
5468fi
5469echo "                    Manpage format: $MANTYPE"
5470echo "                       PAM support: $PAM_MSG"
5471echo "                   OSF SIA support: $SIA_MSG"
5472echo "                 KerberosV support: $KRB5_MSG"
5473echo "                   SELinux support: $SELINUX_MSG"
5474echo "              MD5 password support: $MD5_MSG"
5475echo "                   libedit support: $LIBEDIT_MSG"
5476echo "                   libldns support: $LDNS_MSG"
5477echo "  Solaris process contract support: $SPC_MSG"
5478echo "           Solaris project support: $SP_MSG"
5479echo "         Solaris privilege support: $SPP_MSG"
5480echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5481echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5482echo "                  BSD Auth support: $BSD_AUTH_MSG"
5483echo "              Random number source: $RAND_MSG"
5484echo "             Privsep sandbox style: $SANDBOX_STYLE"
5485echo "                   PKCS#11 support: $enable_pkcs11"
5486echo "                  U2F/FIDO support: $enable_sk"
5487
5488echo ""
5489
5490echo "              Host: ${host}"
5491echo "          Compiler: ${CC}"
5492echo "    Compiler flags: ${CFLAGS}"
5493echo "Preprocessor flags: ${CPPFLAGS}"
5494echo "      Linker flags: ${LDFLAGS}"
5495echo "         Libraries: ${LIBS}"
5496if test ! -z "${SSHDLIBS}"; then
5497echo "         +for sshd: ${SSHDLIBS}"
5498fi
5499
5500echo ""
5501
5502if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5503	echo "SVR4 style packages are supported with \"make package\""
5504	echo ""
5505fi
5506
5507if test "x$PAM_MSG" = "xyes" ; then
5508	echo "PAM is enabled. You may need to install a PAM control file "
5509	echo "for sshd, otherwise password authentication may fail. "
5510	echo "Example PAM control files can be found in the contrib/ "
5511	echo "subdirectory"
5512	echo ""
5513fi
5514
5515if test ! -z "$NO_PEERCHECK" ; then
5516	echo "WARNING: the operating system that you are using does not"
5517	echo "appear to support getpeereid(), getpeerucred() or the"
5518	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5519	echo "enforce security checks to prevent unauthorised connections to"
5520	echo "ssh-agent. Their absence increases the risk that a malicious"
5521	echo "user can connect to your agent."
5522	echo ""
5523fi
5524
5525if test "$AUDIT_MODULE" = "bsm" ; then
5526	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5527	echo "See the Solaris section in README.platform for details."
5528fi
5529