xref: /openssh-portable/configure.ac (revision abe2b245)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_REVISION($Revision: 1.583 $)
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([ENT], [ent])
38AC_SUBST([ENT])
39AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42AC_PATH_PROG([SH], [sh])
43AC_PATH_PROG([GROFF], [groff])
44AC_PATH_PROG([NROFF], [nroff awf])
45AC_PATH_PROG([MANDOC], [mandoc])
46AC_SUBST([TEST_SHELL], [sh])
47
48dnl select manpage formatter to be used to build "cat" format pages.
49if test "x$MANDOC" != "x" ; then
50	MANFMT="$MANDOC"
51elif test "x$NROFF" != "x" ; then
52	MANFMT="$NROFF -mandoc"
53elif test "x$GROFF" != "x" ; then
54	MANFMT="$GROFF -mandoc -Tascii"
55else
56	AC_MSG_WARN([no manpage formatter found])
57	MANFMT="false"
58fi
59AC_SUBST([MANFMT])
60
61dnl for buildpkg.sh
62AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65	[/usr/sbin${PATH_SEPARATOR}/etc])
66AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67if test -x /sbin/sh; then
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
69else
70	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
71fi
72
73# System features
74AC_SYS_LARGEFILE
75
76if test -z "$AR" ; then
77	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
78fi
79
80AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81if test ! -z "$PATH_PASSWD_PROG" ; then
82	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83		[Full path of your "passwd" program])
84fi
85
86dnl Since autoconf doesn't support it very well,  we no longer allow users to
87dnl override LD, however keeping the hook here for now in case there's a
88dnl use case we overlooked and someone needs to re-enable it.  Unless a good
89dnl reason is found we'll be removing this in future.
90LD="$CC"
91AC_SUBST([LD])
92
93AC_C_INLINE
94
95AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
97	#include <sys/types.h>
98	#include <sys/param.h>
99	#include <dev/systrace.h>
100])
101AC_CHECK_DECL([RLIMIT_NPROC],
102    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
103	#include <sys/types.h>
104	#include <sys/resource.h>
105])
106AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
107	#include <sys/types.h>
108	#include <linux/prctl.h>
109])
110
111openssl=yes
112AC_ARG_WITH([openssl],
113	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
114	[  if test "x$withval" = "xno" ; then
115		openssl=no
116	   fi
117	]
118)
119AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
120if test "x$openssl" = "xyes" ; then
121	AC_MSG_RESULT([yes])
122	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
123else
124	AC_MSG_RESULT([no])
125fi
126
127use_stack_protector=1
128use_toolchain_hardening=1
129AC_ARG_WITH([stackprotect],
130    [  --without-stackprotect  Don't use compiler's stack protection], [
131    if test "x$withval" = "xno"; then
132	use_stack_protector=0
133    fi ])
134AC_ARG_WITH([hardening],
135    [  --without-hardening     Don't use toolchain hardening flags], [
136    if test "x$withval" = "xno"; then
137	use_toolchain_hardening=0
138    fi ])
139
140# We use -Werror for the tests only so that we catch warnings like "this is
141# on by default" for things like -fPIE.
142AC_MSG_CHECKING([if $CC supports -Werror])
143saved_CFLAGS="$CFLAGS"
144CFLAGS="$CFLAGS -Werror"
145AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
146	[ AC_MSG_RESULT([yes])
147	  WERROR="-Werror"],
148	[ AC_MSG_RESULT([no])
149	  WERROR="" ]
150)
151CFLAGS="$saved_CFLAGS"
152
153if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
154	OSSH_CHECK_CFLAG_COMPILE([-pipe])
155	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
156	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
157	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
158	OSSH_CHECK_CFLAG_COMPILE([-Wall])
159	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
160	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
161	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
162	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
163	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
164	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
165	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
166	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
167	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
168	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
    # Toolchain hardening probes. use_toolchain_hardening starts at 1 and is
    # only cleared by --without-hardening, so these run by default.
    # NOTE(review): the probe helpers are defined outside this section;
    # presumably each one adds its flag only when the test build succeeds, so
    # a toolchain that lacks a flag ends up without that mitigation and
    # without any message beyond the check result -- confirm in the helper
    # definitions.
    if test "x$use_toolchain_hardening" = "x1"; then
	# Retpoline code generation for indirect branches (Spectre variant 2
	# mitigation); the matching linker option covers PLT entries.
	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
	# libc bounds-checked variants of string and memory functions.
	# The checks only take effect in optimised builds.
	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	# relro together with now gives full RELRO: relocations are resolved
	# at load time and the GOT is then mapped read-only.
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
	# Mark the stack non-executable in the linked objects.
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
	# NB. -ftrapv expects certain support functions to be present in
	# the compiler library (libgcc or similar) to detect integer operations
	# that can overflow. We must check that the result of enabling it
	# actually links. The test program compiled/linked includes a number
	# of integer operations that should exercise this.
	OSSH_CHECK_CFLAG_LINK([-ftrapv])
    fi
183	AC_MSG_CHECKING([gcc version])
184	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
185	case $GCC_VER in
186		1.*) no_attrib_nonnull=1 ;;
187		2.8* | 2.9*)
188		     no_attrib_nonnull=1
189		     ;;
190		2.*) no_attrib_nonnull=1 ;;
191		*) ;;
192	esac
193	AC_MSG_RESULT([$GCC_VER])
194
195	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
196	saved_CFLAGS="$CFLAGS"
197	CFLAGS="$CFLAGS -fno-builtin-memset"
198	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
199			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
200		[ AC_MSG_RESULT([yes]) ],
201		[ AC_MSG_RESULT([no])
202		  CFLAGS="$saved_CFLAGS" ]
203	)
204
205	# -fstack-protector-all doesn't always work for some GCC versions
206	# and/or platforms, so we test if we can.  If it's not supported
207	# on a given platform gcc will emit a warning so we use -Werror.
208	if test "x$use_stack_protector" = "x1"; then
209	    for t in -fstack-protector-strong -fstack-protector-all \
210		    -fstack-protector; do
211		AC_MSG_CHECKING([if $CC supports $t])
212		saved_CFLAGS="$CFLAGS"
213		saved_LDFLAGS="$LDFLAGS"
214		CFLAGS="$CFLAGS $t -Werror"
215		LDFLAGS="$LDFLAGS $t -Werror"
216		AC_LINK_IFELSE(
217			[AC_LANG_PROGRAM([[
218	#include <stdio.h>
219	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
220			 ]],
221			[[
222	char x[256];
223	snprintf(x, sizeof(x), "XXX%d", func(1));
224			 ]])],
225		    [ AC_MSG_RESULT([yes])
226		      CFLAGS="$saved_CFLAGS $t"
227		      LDFLAGS="$saved_LDFLAGS $t"
228		      AC_MSG_CHECKING([if $t works])
229		      AC_RUN_IFELSE(
230			[AC_LANG_PROGRAM([[
231	#include <stdio.h>
232	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
233			]],
234			[[
235	char x[256];
236	snprintf(x, sizeof(x), "XXX%d", func(1));
237			]])],
238			[ AC_MSG_RESULT([yes])
239			  break ],
240			[ AC_MSG_RESULT([no]) ],
241			[ AC_MSG_WARN([cross compiling: cannot test])
242			  break ]
243		      )
244		    ],
245		    [ AC_MSG_RESULT([no]) ]
246		)
247		CFLAGS="$saved_CFLAGS"
248		LDFLAGS="$saved_LDFLAGS"
249	    done
250	fi
251
252	if test -z "$have_llong_max"; then
253		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
254		unset ac_cv_have_decl_LLONG_MAX
255		saved_CFLAGS="$CFLAGS"
256		CFLAGS="$CFLAGS -std=gnu99"
257		AC_CHECK_DECL([LLONG_MAX],
258		    [have_llong_max=1],
259		    [CFLAGS="$saved_CFLAGS"],
260		    [#include <limits.h>]
261		)
262	fi
263fi
264
265AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
266AC_COMPILE_IFELSE(
267    [AC_LANG_PROGRAM([[
268#include <stdlib.h>
269__attribute__((__unused__)) static void foo(void){return;}]],
270    [[ exit(0); ]])],
271    [ AC_MSG_RESULT([yes]) ],
272    [ AC_MSG_RESULT([no])
273      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
274	 [compiler does not accept __attribute__ on return types]) ]
275)
276
277AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
278AC_COMPILE_IFELSE(
279    [AC_LANG_PROGRAM([[
280#include <stdlib.h>
281typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
282    [[ exit(0); ]])],
283    [ AC_MSG_RESULT([yes]) ],
284    [ AC_MSG_RESULT([no])
285      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
286	 [compiler does not accept __attribute__ on prototype args]) ]
287)
288
289if test "x$no_attrib_nonnull" != "x1" ; then
290	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
291fi
292
293AC_ARG_WITH([rpath],
294	[  --without-rpath         Disable auto-added -R linker paths],
295	[
296		if test "x$withval" = "xno" ; then
297			rpath_opt=""
298		elif test "x$withval" = "xyes" ; then
299			rpath_opt="-R"
300		else
301			rpath_opt="$withval"
302		fi
303	]
304)
305
306# Allow user to specify flags
307AC_ARG_WITH([cflags],
308	[  --with-cflags           Specify additional flags to pass to compiler],
309	[
310		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
311		    test "x${withval}" != "xyes"; then
312			CFLAGS="$CFLAGS $withval"
313		fi
314	]
315)
316
317AC_ARG_WITH([cflags-after],
318	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
319	[
320		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
321		    test "x${withval}" != "xyes"; then
322			CFLAGS_AFTER="$withval"
323		fi
324	]
325)
326AC_ARG_WITH([cppflags],
327	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
328	[
329		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
330		    test "x${withval}" != "xyes"; then
331			CPPFLAGS="$CPPFLAGS $withval"
332		fi
333	]
334)
335AC_ARG_WITH([ldflags],
336	[  --with-ldflags          Specify additional flags to pass to linker],
337	[
338		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
339		    test "x${withval}" != "xyes"; then
340			LDFLAGS="$LDFLAGS $withval"
341		fi
342	]
343)
344AC_ARG_WITH([ldflags-after],
345	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
346	[
347		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
348		    test "x${withval}" != "xyes"; then
349			LDFLAGS_AFTER="$withval"
350		fi
351	]
352)
353AC_ARG_WITH([libs],
354	[  --with-libs             Specify additional libraries to link with],
355	[
356		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
357		    test "x${withval}" != "xyes"; then
358			LIBS="$LIBS $withval"
359		fi
360	]
361)
362AC_ARG_WITH([Werror],
363	[  --with-Werror           Build main code with -Werror],
364	[
365		if test -n "$withval"  &&  test "x$withval" != "xno"; then
366			werror_flags="-Werror"
367			if test "x${withval}" != "xyes"; then
368				werror_flags="$withval"
369			fi
370		fi
371	]
372)
373
374AC_CHECK_HEADERS([ \
375	blf.h \
376	bstring.h \
377	crypt.h \
378	crypto/sha2.h \
379	dirent.h \
380	endian.h \
381	elf.h \
382	err.h \
383	features.h \
384	fcntl.h \
385	floatingpoint.h \
386	fnmatch.h \
387	getopt.h \
388	glob.h \
389	ia.h \
390	iaf.h \
391	ifaddrs.h \
392	inttypes.h \
393	langinfo.h \
394	limits.h \
395	locale.h \
396	login.h \
397	maillock.h \
398	ndir.h \
399	net/if_tun.h \
400	netdb.h \
401	netgroup.h \
402	pam/pam_appl.h \
403	paths.h \
404	poll.h \
405	pty.h \
406	readpassphrase.h \
407	rpc/types.h \
408	security/pam_appl.h \
409	sha2.h \
410	shadow.h \
411	stddef.h \
412	stdint.h \
413	string.h \
414	strings.h \
415	sys/bitypes.h \
416	sys/bsdtty.h \
417	sys/cdefs.h \
418	sys/dir.h \
419	sys/file.h \
420	sys/mman.h \
421	sys/label.h \
422	sys/ndir.h \
423	sys/poll.h \
424	sys/prctl.h \
425	sys/pstat.h \
426	sys/ptrace.h \
427	sys/random.h \
428	sys/select.h \
429	sys/stat.h \
430	sys/stream.h \
431	sys/stropts.h \
432	sys/strtio.h \
433	sys/statvfs.h \
434	sys/sysmacros.h \
435	sys/time.h \
436	sys/timers.h \
437	sys/vfs.h \
438	time.h \
439	tmpdir.h \
440	ttyent.h \
441	ucred.h \
442	unistd.h \
443	usersec.h \
444	util.h \
445	utime.h \
446	utmp.h \
447	utmpx.h \
448	vis.h \
449	wchar.h \
450])
451
452# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
453# to be included first.
454AC_CHECK_HEADERS([sys/audit.h], [], [], [
455#ifdef HAVE_SYS_TIME_H
456# include <sys/time.h>
457#endif
458#ifdef HAVE_SYS_TYPES_H
459# include <sys/types.h>
460#endif
461#ifdef HAVE_SYS_LABEL_H
462# include <sys/label.h>
463#endif
464])
465
466# sys/capsicum.h requires sys/types.h
467AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
468#ifdef HAVE_SYS_TYPES_H
469# include <sys/types.h>
470#endif
471])
472
473# net/route.h requires sys/socket.h and sys/types.h.
474# sys/sysctl.h also requires sys/param.h
475AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
476#ifdef HAVE_SYS_TYPES_H
477# include <sys/types.h>
478#endif
479#include <sys/param.h>
480#include <sys/socket.h>
481])
482
483# lastlog.h requires sys/time.h to be included first on Solaris
484AC_CHECK_HEADERS([lastlog.h], [], [], [
485#ifdef HAVE_SYS_TIME_H
486# include <sys/time.h>
487#endif
488])
489
490# sys/ptms.h requires sys/stream.h to be included first on Solaris
491AC_CHECK_HEADERS([sys/ptms.h], [], [], [
492#ifdef HAVE_SYS_STREAM_H
493# include <sys/stream.h>
494#endif
495])
496
497# login_cap.h requires sys/types.h on NetBSD
498AC_CHECK_HEADERS([login_cap.h], [], [], [
499#include <sys/types.h>
500])
501
502# older BSDs need sys/param.h before sys/mount.h
503AC_CHECK_HEADERS([sys/mount.h], [], [], [
504#include <sys/param.h>
505])
506
507# Android requires sys/socket.h to be included before sys/un.h
508AC_CHECK_HEADERS([sys/un.h], [], [], [
509#include <sys/types.h>
510#include <sys/socket.h>
511])
512
513# Messages for features tested for in target-specific section
514SIA_MSG="no"
515SPC_MSG="no"
516SP_MSG="no"
517SPP_MSG="no"
518
519# Support for Solaris/Illumos privileges (this test is used by both
520# the --with-solaris-privs option and --with-sandbox=solaris).
521SOLARIS_PRIVS="no"
522
523# Check for some target-specific stuff
524case "$host" in
525*-*-aix*)
526	# Some versions of VAC won't allow macro redefinitions at
527	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
528	# particularly with older versions of vac or xlc.
529	# It also throws errors about null macro arguments, but these are
530	# not fatal.
531	AC_MSG_CHECKING([if compiler allows macro redefinitions])
532	AC_COMPILE_IFELSE(
533	    [AC_LANG_PROGRAM([[
534#define testmacro foo
535#define testmacro bar]],
536	    [[ exit(0); ]])],
537	    [ AC_MSG_RESULT([yes]) ],
538	    [ AC_MSG_RESULT([no])
539	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
540	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
541	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
542	    ]
543	)
544
545	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
546	if (test -z "$blibpath"); then
547		blibpath="/usr/lib:/lib"
548	fi
549	saved_LDFLAGS="$LDFLAGS"
550	if test "$GCC" = "yes"; then
551		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
552	else
553		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
554	fi
555	for tryflags in $flags ;do
556		if (test -z "$blibflags"); then
557			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
558			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
559			[blibflags=$tryflags], [])
560		fi
561	done
562	if (test -z "$blibflags"); then
563		AC_MSG_RESULT([not found])
564		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
565	else
566		AC_MSG_RESULT([$blibflags])
567	fi
568	LDFLAGS="$saved_LDFLAGS"
569	dnl Check for authenticate.  Might be in libs.a on older AIXes
570	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
571		[Define if you want to enable AIX4's authenticate function])],
572		[AC_CHECK_LIB([s], [authenticate],
573			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
574				LIBS="$LIBS -ls"
575			])
576		])
577	dnl Check for various auth function declarations in headers.
578	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
579	    passwdexpired, setauthdb], , , [#include <usersec.h>])
580	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
581	AC_CHECK_DECLS([loginfailed],
582	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
583	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
584		[[ (void)loginfailed("user","host","tty",0); ]])],
585		[AC_MSG_RESULT([yes])
586		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
587			[Define if your AIX loginfailed() function
588			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
589	    ])],
590	    [],
591	    [#include <usersec.h>]
592	)
593	AC_CHECK_FUNCS([getgrset setauthdb])
594	AC_CHECK_DECL([F_CLOSEM],
595	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
596	    [],
597	    [ #include <limits.h>
598	      #include <fcntl.h> ]
599	)
600	check_for_aix_broken_getaddrinfo=1
601	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
602	    [Define if your platform breaks doing a seteuid before a setuid])
603	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
604	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
605	dnl AIX handles lastlog as part of its login message
606	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
607	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
608		[Some systems need a utmpx entry for /bin/login to work])
609	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
610		[Define to a Set Process Title type if your system is
611		supported by bsd-setproctitle.c])
612	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
613	    [AIX 5.2 and 5.3 (and presumably newer) require this])
614	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
615	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
616	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
617	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
618	;;
619*-*-android*)
620	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
621	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
622	;;
623*-*-cygwin*)
624	check_for_libcrypt_later=1
625	LIBS="$LIBS /usr/lib/textreadmode.o"
626	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
627	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
628	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
629		[Define to disable UID restoration test])
630	AC_DEFINE([DISABLE_SHADOW], [1],
631		[Define if you want to disable shadow passwords])
632	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
633		[Define if X11 doesn't support AF_UNIX sockets on that system])
634	AC_DEFINE([DISABLE_FD_PASSING], [1],
635		[Define if your platform needs to skip post auth
636		file descriptor passing])
637	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
638	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
639	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
640	# reasons which cause compile warnings, so we disable those warnings.
641	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
642	;;
643*-*-dgux*)
644	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
645		[Define if your system choked on IP TOS setting])
646	AC_DEFINE([SETEUID_BREAKS_SETUID])
647	AC_DEFINE([BROKEN_SETREUID])
648	AC_DEFINE([BROKEN_SETREGID])
649	;;
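*-*-darwin*)
	# Darwin / macOS specific settings.
	# use_pie is read later in the script; "auto" presumably means PIE is
	# turned on only where a probe shows it works -- confirm at the use site.
	use_pie=auto
	AC_MSG_CHECKING([if we have working getaddrinfo])
	dnl The probe gives main an explicit int return type and includes
	dnl stdlib.h for exit.  A compiler that rejects implicit int or implicit
	dnl function declarations would otherwise fail to build the probe, and a
	dnl probe that does not build takes the "buggy" branch below.
	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
#include <stdlib.h>
int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
		exit(0);
	else
		exit(1);
}
			]])],
	[AC_MSG_RESULT([working])],
	[AC_MSG_RESULT([buggy])
	AC_DEFINE([BROKEN_GETADDRINFO], [1],
		[getaddrinfo is broken (if present)])
	],
	[AC_MSG_RESULT([assume it is working])])
	# Privilege-dropping quirks: these select the uid/gid switching code
	# paths used on this platform.
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
		[Define if your resolver libs need this for getrrsetbyname])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
	    [Use tunnel device compatibility to OpenBSD])
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	m4_pattern_allow([AU_IPv])
	dnl AU_IPv4 is looked up in bsm/audit.h and defined to 0 only when that
	dnl header does not declare it.  Each argument is a separate quoted
	dnl argument: previously the fallback define, the include text and the
	dnl LASTLOG_WRITE_PUTUTXLINE define were all run together as the
	dnl not-found action, so the header was never used for the check and the
	dnl fallback could shadow the value from the system audit header.
	AC_CHECK_DECL([AU_IPv4], [],
	    [AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])],
	    [#include <bsm/audit.h>]
	)
	dnl Defined unconditionally.  In the earlier nesting it was part of the
	dnl not-found action, which in practice always ran because the default
	dnl includes do not declare AU_IPv4, so the effective result is unchanged.
	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
	    [Define if pututxline updates lastlog too])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
		[Define to a Set Process Title type if your system is
		supported by bsd-setproctitle.c])
	# Sandbox support: function, header and library are probed separately;
	# the library is linked into sshd only when sandbox_apply is found.
	AC_CHECK_FUNCS([sandbox_init])
	AC_CHECK_HEADERS([sandbox.h])
	AC_CHECK_LIB([sandbox], [sandbox_apply], [
	    SSHDLIBS="$SSHDLIBS -lsandbox"
	])
	# proc_pidinfo()-based closefrom() replacement.
	AC_CHECK_HEADERS([libproc.h])
	AC_CHECK_FUNCS([proc_pidinfo])
	;;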
696*-*-dragonfly*)
697	SSHDLIBS="$SSHDLIBS -lcrypt"
698	TEST_MALLOC_OPTIONS="AFGJPRX"
699	;;
700*-*-haiku*)
701	LIBS="$LIBS -lbsd "
702	CFLAGS="$CFLAGS -D_BSD_SOURCE"
703	AC_CHECK_LIB([network], [socket])
704	AC_DEFINE([HAVE_U_INT64_T])
705	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
706	MANTYPE=man
707	;;
708*-*-hpux*)
709	# first we define all of the options common to all HP-UX releases
710	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
711	IPADDR_IN_DISPLAY=yes
712	AC_DEFINE([USE_PIPES])
713	AC_DEFINE([LOGIN_NEEDS_UTMPX])
714	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
715		[String used in /etc/passwd to denote locked account])
716	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
717	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
718	maildir="/var/mail"
719	LIBS="$LIBS -lsec"
720	AC_CHECK_LIB([xnet], [t_error], ,
721	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
722
723	# next, we define all of the options specific to major releases
724	case "$host" in
725	*-*-hpux10*)
726		if test -z "$GCC"; then
727			CFLAGS="$CFLAGS -Ae"
728		fi
729		;;
730	*-*-hpux11*)
731		AC_DEFINE([PAM_SUN_CODEBASE], [1],
732			[Define if you are using Solaris-derived PAM which
733			passes pam_messages to the conversation function
734			with an extra level of indirection])
735		AC_DEFINE([DISABLE_UTMP], [1],
736			[Define if you don't want to use utmp])
737		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
738		check_for_hpux_broken_getaddrinfo=1
739		check_for_conflicting_getspnam=1
740		;;
741	esac
742
743	# lastly, we define options specific to minor releases
744	case "$host" in
745	*-*-hpux10.26)
746		AC_DEFINE([HAVE_SECUREWARE], [1],
747			[Define if you have SecureWare-based
748			protected password database])
749		disable_ptmx_check=yes
750		LIBS="$LIBS -lsecpw"
751		;;
752	esac
753	;;
754*-*-irix5*)
755	PATH="$PATH:/usr/etc"
756	AC_DEFINE([BROKEN_INET_NTOA], [1],
757		[Define if you system's inet_ntoa is busted
758		(e.g. Irix gcc issue)])
759	AC_DEFINE([SETEUID_BREAKS_SETUID])
760	AC_DEFINE([BROKEN_SETREUID])
761	AC_DEFINE([BROKEN_SETREGID])
762	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
763		[Define if you shouldn't strip 'tty' from your
764		ttyname in [uw]tmp])
765	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
766	;;
767*-*-irix6*)
768	PATH="$PATH:/usr/etc"
769	AC_DEFINE([WITH_IRIX_ARRAY], [1],
770		[Define if you have/want arrays
771		(cluster-wide session management, not C arrays)])
772	AC_DEFINE([WITH_IRIX_PROJECT], [1],
773		[Define if you want IRIX project management])
774	AC_DEFINE([WITH_IRIX_AUDIT], [1],
775		[Define if you want IRIX audit trails])
776	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
777		[Define if you want IRIX kernel jobs])])
778	AC_DEFINE([BROKEN_INET_NTOA])
779	AC_DEFINE([SETEUID_BREAKS_SETUID])
780	AC_DEFINE([BROKEN_SETREUID])
781	AC_DEFINE([BROKEN_SETREGID])
782	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
783	AC_DEFINE([WITH_ABBREV_NO_TTY])
784	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
785	;;
786*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
787	check_for_libcrypt_later=1
788	AC_DEFINE([PAM_TTY_KLUDGE])
789	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
790	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
791	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
792	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
793	;;
794*-*-linux*)
795	no_dev_ptmx=1
796	use_pie=auto
797	check_for_libcrypt_later=1
798	check_for_openpty_ctty_bug=1
799	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
800	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
801	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
802	AC_DEFINE([PAM_TTY_KLUDGE], [1],
803		[Work around problematic Linux PAM modules handling of PAM_TTY])
804	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
805		[String used in /etc/passwd to denote locked account])
806	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
807	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
808		[Define to whatever link() returns for "not supported"
809		if it doesn't return EOPNOTSUPP.])
810	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
811	AC_DEFINE([USE_BTMP])
812	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
813	inet6_default_4in6=yes
814	case `uname -r` in
815	1.*|2.0.*)
816		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
817			[Define if cmsg_type is not passed correctly])
818		;;
819	esac
820	# tun(4) forwarding compat code
821	AC_CHECK_HEADERS([linux/if_tun.h])
822	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
823		AC_DEFINE([SSH_TUN_LINUX], [1],
824		    [Open tunnel devices the Linux tun/tap way])
825		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
826		    [Use tunnel device compatibility to OpenBSD])
827		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
828		    [Prepend the address family to IP tunnel traffic])
829	fi
830	AC_CHECK_HEADER([linux/if.h],
831	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
832		[Support routing domains using Linux VRF]), [], [
833#ifdef HAVE_SYS_TYPES_H
834# include <sys/types.h>
835#endif
836	    ])
837	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
838	    [], [#include <linux/types.h>])
839	# Obtain MIPS ABI
840	case "$host" in
841	mips*)
842		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
843#if _MIPS_SIM != _ABIO32
844#error
845#endif
846			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
847#if _MIPS_SIM != _ABIN32
848#error
849#endif
850				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
851#if _MIPS_SIM != _ABI64
852#error
853#endif
854					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
855				])
856			])
857		])
858		;;
859	esac
	# Map the host triplet to the AUDIT_ARCH_* constant that is published
	# as SECCOMP_AUDIT_ARCH.  The variable starts empty and stays empty for
	# every host that no arm below matches.
	# NOTE(review): presumably the seccomp-filter sandbox depends on
	# SECCOMP_AUDIT_ARCH; an unmatched host only gets the "architecture not
	# supported" result line, with no warning or error -- confirm which
	# sandbox such a build ends up with.
	AC_MSG_CHECKING([for seccomp architecture])
	seccomp_audit_arch=
	case "$host" in
	x86_64-*)
		seccomp_audit_arch=AUDIT_ARCH_X86_64
		;;
	i*86-*)
		seccomp_audit_arch=AUDIT_ARCH_I386
		;;
	arm*-*)
		seccomp_audit_arch=AUDIT_ARCH_ARM
		;;
	aarch64*-*)
		seccomp_audit_arch=AUDIT_ARCH_AARCH64
		;;
	s390x-*)
		seccomp_audit_arch=AUDIT_ARCH_S390X
		;;
	s390-*)
		seccomp_audit_arch=AUDIT_ARCH_S390
		;;
	powerpc64-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64
		;;
	powerpc64le-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
		;;
	mips-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPS
		;;
	mipsel-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
		;;
	mips64-*)
		# 64-bit MIPS: the constant depends on the ABI found by the
		# compile probe above.  Only n32 and n64 are handled here; an
		# o32 result leaves seccomp_audit_arch empty.
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64
			;;
		esac
		;;
	mips64el-*)
		# Little-endian counterpart, with the same n32/n64-only handling.
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
			;;
		esac
		;;
	esac
	# Publish the constant only when an arm above matched.
	if test "x$seccomp_audit_arch" != "x" ; then
		AC_MSG_RESULT(["$seccomp_audit_arch"])
		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
		    [Specify the system call convention in use])
	else
		AC_MSG_RESULT([architecture not supported])
	fi
921	;;
922mips-sony-bsd|mips-sony-newsos4)
923	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
924	SONY=1
925	;;
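*-*-netbsd*)
	# NetBSD specific settings.
	check_for_libcrypt_before=1
	dnl Default the run-time library path option to -R, but only when the
	dnl user did not decide otherwise.  with_rpath is the variable autoconf
	dnl sets for --with-rpath and --without-rpath.  The generic withval
	dnl holds whatever --with-* option was processed last, so testing it
	dnl here could re-enable -R after --without-rpath, or replace a flag
	dnl given as --with-rpath=FLAG.  Embedded run-time search paths decide
	dnl where the dynamic linker looks for libraries, so an explicit request
	dnl for none must be honoured.
	if test -z "$with_rpath" || test "x$with_rpath" = "xyes" ; then
		rpath_opt="-R"
	fi
	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	dnl Layer 2 tunnelling is disabled when net/if_tap.h is missing.
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	# Option string handed to the regression tests; the meaning of the
	# individual letters is not visible in this section.
	TEST_MALLOC_OPTIONS="AJRX"
	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
	;;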
941*-*-freebsd*)
942	check_for_libcrypt_later=1
943	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
944	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
945	AC_CHECK_HEADER([net/if_tap.h], ,
946	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
947	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
948	TEST_MALLOC_OPTIONS="AJRX"
949	# Preauth crypto occasionally uses file descriptors for crypto offload
950	# and will crash if they cannot be opened.
951	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
952	    [define if setrlimit RLIMIT_NOFILE breaks things])
953	;;
954*-*-bsdi*)
955	AC_DEFINE([SETEUID_BREAKS_SETUID])
956	AC_DEFINE([BROKEN_SETREUID])
957	AC_DEFINE([BROKEN_SETREGID])
958	;;
959*-next-*)
960	conf_lastlog_location="/usr/adm/lastlog"
961	conf_utmp_location=/etc/utmp
962	conf_wtmp_location=/usr/adm/wtmp
963	maildir=/usr/spool/mail
964	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
965	AC_DEFINE([USE_PIPES])
966	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
967	;;
968*-*-openbsd*)
969	use_pie=auto
970	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
971	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
972	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
973	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
974	    [syslog_r function is safe to use in in a signal handler])
975	TEST_MALLOC_OPTIONS="AFGJPRX"
976	;;
977*-*-solaris*)
978	if test "x$withval" != "xno" ; then
979		rpath_opt="-R"
980	fi
981	AC_DEFINE([PAM_SUN_CODEBASE])
982	AC_DEFINE([LOGIN_NEEDS_UTMPX])
983	AC_DEFINE([PAM_TTY_KLUDGE])
984	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
985		[Define if pam_chauthtok wants real uid set
986		to the unpriv'ed user])
987	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
988	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
989	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
990		[Define if sshd somehow reacquires a controlling TTY
991		after setsid()])
992	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
993		in case the name is longer than 8 chars])
994	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
995	external_path_file=/etc/default/login
996	# hardwire lastlog location (can't detect it on some versions)
997	conf_lastlog_location="/var/adm/lastlog"
998	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
999	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1000	if test "$sol2ver" -ge 8; then
1001		AC_MSG_RESULT([yes])
1002		AC_DEFINE([DISABLE_UTMP])
1003		AC_DEFINE([DISABLE_WTMP], [1],
1004			[Define if you don't want to use wtmp])
1005	else
1006		AC_MSG_RESULT([no])
1007	fi
1008	AC_CHECK_FUNCS([setpflags])
1009	AC_CHECK_FUNCS([setppriv])
1010	AC_CHECK_FUNCS([priv_basicset])
1011	AC_CHECK_HEADERS([priv.h])
1012	AC_ARG_WITH([solaris-contracts],
1013		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1014		[
1015		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1016			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1017				[Define if you have Solaris process contracts])
1018			  LIBS="$LIBS -lcontract"
1019			  SPC_MSG="yes" ], )
1020		],
1021	)
1022	AC_ARG_WITH([solaris-projects],
1023		[  --with-solaris-projects Enable Solaris projects (experimental)],
1024		[
1025		AC_CHECK_LIB([project], [setproject],
1026			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1027				[Define if you have Solaris projects])
1028			LIBS="$LIBS -lproject"
1029			SP_MSG="yes" ], )
1030		],
1031	)
1032	AC_ARG_WITH([solaris-privs],
1033		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1034		[
1035		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1036		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1037			"x$ac_cv_header_priv_h" = "xyes" ; then
1038			SOLARIS_PRIVS=yes
1039			AC_MSG_RESULT([found])
1040			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1041				[Define to disable UID restoration test])
1042			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1043				[Define if you have Solaris privileges])
1044			SPP_MSG="yes"
1045		else
1046			AC_MSG_RESULT([not found])
1047			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1048		fi
1049		],
1050	)
1051	TEST_SHELL=$SHELL	# let configure find us a capable shell
1052	;;
1053*-*-sunos4*)
1054	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1055	AC_CHECK_FUNCS([getpwanam])
1056	AC_DEFINE([PAM_SUN_CODEBASE])
1057	conf_utmp_location=/etc/utmp
1058	conf_wtmp_location=/var/adm/wtmp
1059	conf_lastlog_location=/var/adm/lastlog
1060	AC_DEFINE([USE_PIPES])
1061	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1062	;;
1063*-ncr-sysv*)
1064	LIBS="$LIBS -lc89"
1065	AC_DEFINE([USE_PIPES])
1066	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1067	AC_DEFINE([SETEUID_BREAKS_SETUID])
1068	AC_DEFINE([BROKEN_SETREUID])
1069	AC_DEFINE([BROKEN_SETREGID])
1070	;;
1071*-sni-sysv*)
1072	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1073	AC_CHECK_LIB([dl], [dlsym], ,)
1074	# -lresolv needs to be at the end of LIBS or DNS lookups break
1075	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1076	IPADDR_IN_DISPLAY=yes
1077	AC_DEFINE([USE_PIPES])
1078	AC_DEFINE([IP_TOS_IS_BROKEN])
1079	AC_DEFINE([SETEUID_BREAKS_SETUID])
1080	AC_DEFINE([BROKEN_SETREUID])
1081	AC_DEFINE([BROKEN_SETREGID])
1082	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1083	external_path_file=/etc/default/login
1084	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1085	# Attention: always take care to bind libsocket and libnsl before libc,
1086	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1087	;;
1088# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1089*-*-sysv4.2*)
1090	AC_DEFINE([USE_PIPES])
1091	AC_DEFINE([SETEUID_BREAKS_SETUID])
1092	AC_DEFINE([BROKEN_SETREUID])
1093	AC_DEFINE([BROKEN_SETREGID])
1094	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1095	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1096	TEST_SHELL=$SHELL	# let configure find us a capable shell
1097	;;
1098# UnixWare 7.x, OpenUNIX 8
1099*-*-sysv5*)
1100	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1101	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1102	AC_DEFINE([USE_PIPES])
1103	AC_DEFINE([SETEUID_BREAKS_SETUID])
1104	AC_DEFINE([BROKEN_GETADDRINFO])
1105	AC_DEFINE([BROKEN_SETREUID])
1106	AC_DEFINE([BROKEN_SETREGID])
1107	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1108	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1109	TEST_SHELL=$SHELL	# let configure find us a capable shell
1110	check_for_libcrypt_later=1
1111	case "$host" in
1112	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1113		maildir=/var/spool/mail
1114		AC_DEFINE([BROKEN_UPDWTMPX])
1115		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1116			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1117			], , )
1118		;;
1119	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1120		;;
1121	esac
1122	;;
1123*-*-sysv*)
1124	;;
1125# SCO UNIX and OEM versions of SCO UNIX
1126*-*-sco3.2v4*)
1127	AC_MSG_ERROR("This Platform is no longer supported.")
1128	;;
1129# SCO OpenServer 5.x
1130*-*-sco3.2v5*)
1131	if test -z "$GCC"; then
1132		CFLAGS="$CFLAGS -belf"
1133	fi
1134	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1135	no_dev_ptmx=1
1136	AC_DEFINE([USE_PIPES])
1137	AC_DEFINE([HAVE_SECUREWARE])
1138	AC_DEFINE([DISABLE_SHADOW])
1139	AC_DEFINE([DISABLE_FD_PASSING])
1140	AC_DEFINE([SETEUID_BREAKS_SETUID])
1141	AC_DEFINE([BROKEN_GETADDRINFO])
1142	AC_DEFINE([BROKEN_SETREUID])
1143	AC_DEFINE([BROKEN_SETREGID])
1144	AC_DEFINE([WITH_ABBREV_NO_TTY])
1145	AC_DEFINE([BROKEN_UPDWTMPX])
1146	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1147	AC_CHECK_FUNCS([getluid setluid])
1148	MANTYPE=man
1149	TEST_SHELL=$SHELL	# let configure find us a capable shell
1150	SKIP_DISABLE_LASTLOG_DEFINE=yes
1151	;;
1152*-dec-osf*)
1153	AC_MSG_CHECKING([for Digital Unix SIA])
1154	no_osfsia=""
1155	AC_ARG_WITH([osfsia],
1156		[  --with-osfsia           Enable Digital Unix SIA],
1157		[
1158			if test "x$withval" = "xno" ; then
1159				AC_MSG_RESULT([disabled])
1160				no_osfsia=1
1161			fi
1162		],
1163	)
1164	if test -z "$no_osfsia" ; then
1165		if test -f /etc/sia/matrix.conf; then
1166			AC_MSG_RESULT([yes])
1167			AC_DEFINE([HAVE_OSF_SIA], [1],
1168				[Define if you have Digital Unix Security
1169				Integration Architecture])
1170			AC_DEFINE([DISABLE_LOGIN], [1],
1171				[Define if you don't want to use your
1172				system's login() call])
1173			AC_DEFINE([DISABLE_FD_PASSING])
1174			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1175			SIA_MSG="yes"
1176		else
1177			AC_MSG_RESULT([no])
1178			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1179			  [String used in /etc/passwd to denote locked account])
1180		fi
1181	fi
1182	AC_DEFINE([BROKEN_GETADDRINFO])
1183	AC_DEFINE([SETEUID_BREAKS_SETUID])
1184	AC_DEFINE([BROKEN_SETREUID])
1185	AC_DEFINE([BROKEN_SETREGID])
1186	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1187	;;
1188
1189*-*-nto-qnx*)
1190	AC_DEFINE([USE_PIPES])
1191	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1192	AC_DEFINE([DISABLE_LASTLOG])
1193	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1194	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1195	enable_etc_default_login=no	# has incompatible /etc/default/login
1196	case "$host" in
1197	*-*-nto-qnx6*)
1198		AC_DEFINE([DISABLE_FD_PASSING])
1199		;;
1200	esac
1201	;;
1202
1203*-*-ultrix*)
1204	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1205	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1206	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1207	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1208	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1209	# don't get a controlling tty.
1210	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1211	# On Ultrix some headers are not protected against multiple includes,
1212	# so we create wrappers and put it where the compiler will find it.
1213	AC_MSG_WARN([creating compat wrappers for headers])
1214	mkdir -p netinet
1215	for header in netinet/ip.h netdb.h resolv.h; do
1216		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1217		cat >$header <<EOD
1218#ifndef _SSH_COMPAT_${name}
1219#define _SSH_COMPAT_${name}
1220#include "/usr/include/${header}"
1221#endif
1222EOD
1223	done
1224	;;
1225
1226*-*-lynxos)
1227	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1228	AC_DEFINE([BROKEN_SETVBUF], [1],
1229	    [LynxOS has broken setvbuf() implementation])
1230	;;
1231esac
1232
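# Verify that the compiler, with the flags accumulated so far, produces a
# program that links and runs.  The test program calls exit(), so it
# includes <stdlib.h>: without that declaration a compiler that rejects
# implicit function declarations fails this test for the wrong reason and
# configure aborts.  The run test is skipped when cross compiling.
AC_MSG_CHECKING([compiler and flags for sanity])
AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
	]], [[ exit(0); ]])],
	[	AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
	],
	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)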
1242
1243dnl Checks for header files.
1244# Checks for libraries.
1245AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1246
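dnl IRIX and Solaris 2.5.1 have dirname() in libgen.
dnl If dirname() is only found in -lgen, a run test checks that
dnl dirname("/etc") returns "/" before -lgen is added to LIBS.  The test
dnl program includes <stdlib.h> so that exit() is declared; a test program
dnl that fails to compile is recorded as a broken dirname.  When cross
dnl compiling the function is assumed to work.
AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
	AC_CHECK_LIB([gen], [dirname], [
		AC_CACHE_CHECK([for broken dirname],
			ac_cv_have_broken_dirname, [
			save_LIBS="$LIBS"
			LIBS="$LIBS -lgen"
			AC_RUN_IFELSE(
				[AC_LANG_SOURCE([[
#include <libgen.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char *s, buf[32];

    strncpy(buf,"/etc", 32);
    s = dirname(buf);
    if (!s || strncmp(s, "/", 32) != 0) {
	exit(1);
    } else {
	exit(0);
    }
}
				]])],
				[ ac_cv_have_broken_dirname="no" ],
				[ ac_cv_have_broken_dirname="yes" ],
				[ ac_cv_have_broken_dirname="no" ],
			)
			LIBS="$save_LIBS"
		])
		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
			LIBS="$LIBS -lgen"
			AC_DEFINE([HAVE_DIRNAME])
			AC_CHECK_HEADERS([libgen.h])
		fi
	])
])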
1284
1285AC_CHECK_FUNC([getspnam], ,
1286	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1287AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1288	[Define if you have the basename function.])])
1289
dnl zlib is used unless --without-zlib is given.  With --with-zlib=PATH the
dnl search paths are prepended to LDFLAGS and CPPFLAGS: PATH/lib and
dnl PATH/include when those directories exist, otherwise PATH itself.  A
dnl run-time library path is added as well when rpath_opt is set.
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[
	case "x$withval" in
	xno)
		zlib=no
		;;
	xyes)
		;;
	*)
		if test -n "${rpath_opt}"; then
			if test -d "$withval/lib"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
			fi
		else
			if test -d "$withval/lib"; then
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval} ${LDFLAGS}"
			fi
		fi
		if test -d "$withval/include"; then
			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		else
			CPPFLAGS="-I${withval} ${CPPFLAGS}"
		fi
		;;
	esac
	]
)
1317
# Locate zlib and reject versions the test program below treats as
# possibly buggy.  Nothing is checked when zlib was disabled.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" != "xno"; then
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
	AC_CHECK_HEADER([zlib.h], ,
		[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
	AC_CHECK_LIB([z], [deflate], ,
		[
			saved_CPPFLAGS="$CPPFLAGS"
			saved_LDFLAGS="$LDFLAGS"
			save_LIBS="$LIBS"
			dnl Check default zlib install dir
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
			else
				LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
			fi
			CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
			LIBS="$LIBS -lz"
			AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
				[
					AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
				]
			)
		]
	)

	AC_ARG_WITH([zlib-version-check],
		[  --without-zlib-version-check Disable zlib version check],
		[
			if test "x$withval" = "xno" ; then
				zlib_check_nonfatal=1
			fi
		]
	)

	# Version gate.  The test program exits 0 for zlib 1.1.x with a patch
	# level of 4 or more and for 1.2.3 and later; any other result is
	# reported as a possibly buggy zlib.  --without-zlib-version-check
	# turns the fatal error into a warning, and a cross-compiled build is
	# not checked at all, so in both cases the zlib version has to be
	# confirmed by other means.
	AC_MSG_CHECKING([for possibly buggy zlib])
	AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	if (n != 3 && n != 4)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	exit(2);
	]])],
	[ AC_MSG_RESULT([no]) ],
	[
		AC_MSG_RESULT([yes])
		if test -z "$zlib_check_nonfatal" ; then
			AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
		else
			AC_MSG_WARN([zlib version may have security problems])
		fi
	],
	[ AC_MSG_WARN([cross compiling: not checking zlib version]) ]
	)
else
	AC_MSG_RESULT([no])
fi
1395
1396dnl UnixWare 2.x
1397AC_CHECK_FUNC([strcasecmp],
1398	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1399)
1400AC_CHECK_FUNCS([utimes],
1401	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1402					LIBS="$LIBS -lc89"]) ]
1403)
1404
1405dnl    Checks for libutil functions
1406AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1407AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1408AC_SEARCH_LIBS([scan_scaled], [util bsd])
1409AC_SEARCH_LIBS([login], [util bsd])
1410AC_SEARCH_LIBS([logout], [util bsd])
1411AC_SEARCH_LIBS([logwtmp], [util bsd])
1412AC_SEARCH_LIBS([openpty], [util bsd])
1413AC_SEARCH_LIBS([updwtmp], [util bsd])
1414AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1415
1416# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1417# or libnsl.
1418AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1419AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1420
1421# "Particular Function Checks"
1422# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1423AC_FUNC_STRFTIME
1424AC_FUNC_MALLOC
1425AC_FUNC_REALLOC
1426# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1427AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1428AC_RUN_IFELSE(
1429	[AC_LANG_PROGRAM(
1430		[[ #include <stdlib.h> ]],
1431		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1432	)],
1433	[ func_calloc_0_nonnull=yes ],
1434	[ func_calloc_0_nonnull=no ],
1435	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1436	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1437)
1438AC_MSG_RESULT([$func_calloc_0_nonnull])
1439
1440if test "x$func_calloc_0_nonnull" = "xyes"; then
1441	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1442else
1443	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1444	AC_DEFINE(calloc, rpl_calloc,
1445	    [Define to rpl_calloc if the replacement function should be used.])
1446fi
1447
1448# Check for ALTDIRFUNC glob() extension
1449AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1450AC_EGREP_CPP([FOUNDIT],
1451	[
1452		#include <glob.h>
1453		#ifdef GLOB_ALTDIRFUNC
1454		FOUNDIT
1455		#endif
1456	],
1457	[
1458		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1459			[Define if your system glob() function has
1460			the GLOB_ALTDIRFUNC extension])
1461		AC_MSG_RESULT([yes])
1462	],
1463	[
1464		AC_MSG_RESULT([no])
1465	]
1466)
1467
1468# Check for g.gl_matchc glob() extension
1469AC_MSG_CHECKING([for gl_matchc field in glob_t])
1470AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1471	[[ glob_t g; g.gl_matchc = 1; ]])],
1472	[
1473		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1474			[Define if your system glob() function has
1475			gl_matchc options in glob_t])
1476		AC_MSG_RESULT([yes])
1477	], [
1478		AC_MSG_RESULT([no])
1479])
1480
1481# Check for g.gl_statv glob() extension
1482AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1483AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1484#ifndef GLOB_KEEPSTAT
1485#error "glob does not support GLOB_KEEPSTAT extension"
1486#endif
1487glob_t g;
1488g.gl_statv = NULL;
1489]])],
1490	[
1491		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1492			[Define if your system glob() function has
1493			gl_statv options in glob_t])
1494		AC_MSG_RESULT([yes])
1495	], [
1496		AC_MSG_RESULT([no])
1497
1498])
1499
1500AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1501
1502AC_CHECK_DECL([VIS_ALL], ,
1503    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1504
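# Probe whether struct dirent reserves more than one byte for d_name.  The
# test program exits non-zero when sizeof d_name is at most one char.  It
# includes <stdlib.h> so that exit() is declared: a test program that fails
# to compile is recorded as BROKEN_ONE_BYTE_DIRENT_D_NAME.  The same define
# is assumed when cross compiling.
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <dirent.h>
#include <stdlib.h>
	]],
	[[
	struct dirent d;
	exit(sizeof(d.d_name)<=sizeof(char));
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
			[Define if your struct dirent expects you to
			allocate extra space for d_name])
	],
	[
		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
	]
)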
1526
# Look for a per-process fd directory under /proc.  The probe inspects the
# configure shell's own entry on the machine running configure, so for a
# cross build the answer describes the build host rather than the target.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test ! -d "/proc/$$/fd" ; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
fi
1534
# Optional ldns support, enabled with --with-ldns or --with-ldns=PATH.
# A bare --with-ldns takes compiler and linker flags from ldns-config when
# that tool is found and otherwise just links -lldns; a PATH argument adds
# PATH/include and PATH/lib to the search paths.  Either way a link test
# against ldns_verify_trusted must succeed or configure stops.
LDNS_MSG="no"
AC_ARG_WITH([ldns],
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	case "x$withval" in
	xyes)
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" != "xno"; then
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
		else
			LIBS="-lldns $LIBS"
		fi
		ldns=yes
		;;
	xno)
		;;
	*)
		CPPFLAGS="$CPPFLAGS -I${withval}/include"
		LDFLAGS="$LDFLAGS -L${withval}/lib"
		LIBS="-lldns $LIBS"
		ldns=yes
		;;
	esac

	# Verify that it works.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
			]])],
			[ AC_MSG_RESULT(yes) ],
			[
				AC_MSG_RESULT(no)
				AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
			]
		)
	fi
])
1581
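# Check whether user wants libedit support.
# A bare --with-libedit asks pkg-config for the flags when it knows the
# library and falls back to -ledit -lcurses; --with-libedit=PATH adds
# PATH/include and PATH/lib to the search paths instead.  The library must
# then link and the header must provide H_SETSIZE or configure stops.
# The compatibility test includes <stdlib.h> so that exit() is declared;
# without it a compiler that rejects implicit declarations reports a usable
# libedit as incompatible.
LIBEDIT_MSG="no"
AC_ARG_WITH([libedit],
	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
			if test "x$PKGCONFIG" != "xno"; then
				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
				if "$PKGCONFIG" libedit; then
					AC_MSG_RESULT([yes])
					use_pkgconfig_for_libedit=yes
				else
					AC_MSG_RESULT([no])
				fi
			fi
		else
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		fi
		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
			# Quote the tool path as the probe above does
			LIBEDIT=`"$PKGCONFIG" --libs libedit`
			CPPFLAGS="$CPPFLAGS `"$PKGCONFIG" --cflags libedit`"
		else
			LIBEDIT="-ledit -lcurses"
		fi
		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
		AC_CHECK_LIB([edit], [el_init],
			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
			  LIBEDIT_MSG="yes"
			  AC_SUBST([LIBEDIT])
			],
			[ AC_MSG_ERROR([libedit not found]) ],
			[ $OTHERLIBS ]
		)
		AC_MSG_CHECKING([if libedit version is compatible])
		AC_COMPILE_IFELSE(
		    [AC_LANG_PROGRAM([[
#include <histedit.h>
#include <stdlib.h>
		    ]],
		    [[
	int i = H_SETSIZE;
	el_init("", NULL, NULL, NULL);
	exit(0);
		    ]])],
		    [ AC_MSG_RESULT([yes]) ],
		    [ AC_MSG_RESULT([no])
		      AC_MSG_ERROR([libedit version is not compatible]) ]
		)
	fi ]
)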
1635
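# Select the audit backend with --with-audit=module.  Accepted values are
# bsm, linux, debug and no; anything else is a configure error.  The bsm
# module requires its header, library and getaudit function and stops
# configure when one is missing.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is assigned in the Solaris host case and may be empty
		# on other hosts.  Skip the numeric comparison in that case so
		# the shell does not report a non-integer operand.
		if test "x$sol2ver" != "x" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		# NOTE(review): a missing libaudit.h is not fatal here and
		# -laudit is added without a link test
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)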
1688
# Position Independent Executable support.
# use_pie ends up as yes, no or auto.  --with-pie and --without-pie set it
# explicitly; an unset value means no.  The auto setting is dropped to no
# when toolchain hardening is off or when the compiler does not identify
# itself as gcc 4 or later.  When PIE is still wanted, -fPIE and -pie are
# kept only if both were accepted; otherwise the saved flags are restored
# and the build silently proceeds without PIE.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible],
    [
	case "x$withval" in
	xno|xyes)
		use_pie="$withval"
		;;
	esac
    ]
)
test -z "$use_pie" && use_pie=no
if test "x$use_pie" = "xauto"; then
	if test "x$use_toolchain_hardening" != "x1"; then
		# Turn off automatic PIE when toolchain hardening is off.
		use_pie=no
	else
		# Automatic PIE requires gcc >= 4.x
		AC_MSG_CHECKING([for gcc >= 4.x])
		AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
			[ AC_MSG_RESULT([yes]) ],
			[ AC_MSG_RESULT([no])
			  use_pie=no ]
		)
	fi
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# We use both -fPIE and -pie or neither.
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
		AC_MSG_RESULT([yes])
	else
		AC_MSG_RESULT([no])
		LDFLAGS="$SAVED_LDFLAGS"
		CFLAGS="$SAVED_CFLAGS"
	fi
fi
1735
# Record in PICFLAG whether the compiler accepts -fPIC.  The flag is only
# added to CFLAGS for the duration of the compile test.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
	[
		AC_MSG_RESULT([yes])
		PICFLAG="-fPIC"
	],
	[
		AC_MSG_RESULT([no])
		PICFLAG=""
	]
)
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1747
1748dnl    Checks for library functions. Please keep in alphabetical order
1749AC_CHECK_FUNCS([ \
1750	Blowfish_initstate \
1751	Blowfish_expandstate \
1752	Blowfish_expand0state \
1753	Blowfish_stream2word \
1754	SHA256Update \
1755	SHA384Update \
1756	SHA512Update \
1757	asprintf \
1758	b64_ntop \
1759	__b64_ntop \
1760	b64_pton \
1761	__b64_pton \
1762	bcopy \
1763	bcrypt_pbkdf \
1764	bindresvport_sa \
1765	blf_enc \
1766	bzero \
1767	cap_rights_limit \
1768	clock \
1769	closefrom \
1770	dirfd \
1771	endgrent \
1772	err \
1773	errx \
1774	explicit_bzero \
1775	fchmod \
1776	fchmodat \
1777	fchown \
1778	fchownat \
1779	flock \
1780	fnmatch \
1781	freeaddrinfo \
1782	freezero \
1783	fstatfs \
1784	fstatvfs \
1785	futimes \
1786	getaddrinfo \
1787	getcwd \
1788	getgrouplist \
1789	getline \
1790	getnameinfo \
1791	getopt \
1792	getpagesize \
1793	getpeereid \
1794	getpeerucred \
1795	getpgid \
1796	_getpty \
1797	getrlimit \
1798	getrandom \
1799	getsid \
1800	getttyent \
1801	glob \
1802	group_from_gid \
1803	inet_aton \
1804	inet_ntoa \
1805	inet_ntop \
1806	innetgr \
1807	llabs \
1808	localtime_r \
1809	login_getcapbool \
1810	md5_crypt \
1811	memmem \
1812	memmove \
1813	memset_s \
1814	mkdtemp \
1815	ngetaddrinfo \
1816	nsleep \
1817	ogetaddrinfo \
1818	openlog_r \
1819	pledge \
1820	poll \
1821	prctl \
1822	pstat \
1823	raise \
1824	readpassphrase \
1825	reallocarray \
1826	realpath \
1827	recvmsg \
1828	recallocarray \
1829	rresvport_af \
1830	sendmsg \
1831	setdtablesize \
1832	setegid \
1833	setenv \
1834	seteuid \
1835	setgroupent \
1836	setgroups \
1837	setlinebuf \
1838	setlogin \
1839	setpassent\
1840	setpcred \
1841	setproctitle \
1842	setregid \
1843	setreuid \
1844	setrlimit \
1845	setsid \
1846	setvbuf \
1847	sigaction \
1848	sigvec \
1849	snprintf \
1850	socketpair \
1851	statfs \
1852	statvfs \
1853	strcasestr \
1854	strdup \
1855	strerror \
1856	strlcat \
1857	strlcpy \
1858	strmode \
1859	strndup \
1860	strnlen \
1861	strnvis \
1862	strptime \
1863	strsignal \
1864	strtonum \
1865	strtoll \
1866	strtoul \
1867	strtoull \
1868	swap32 \
1869	sysconf \
1870	tcgetpgrp \
1871	timingsafe_bcmp \
1872	truncate \
1873	unsetenv \
1874	updwtmpx \
1875	utimensat \
1876	user_from_uid \
1877	usleep \
1878	vasprintf \
1879	vsnprintf \
1880	waitpid \
1881	warn \
1882])
1883
1884AC_CHECK_DECLS([bzero, memmem])
1885
1886dnl Wide character support.
1887AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1888
1889TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1890AC_MSG_CHECKING([for utf8 locale support])
1891AC_RUN_IFELSE(
1892	[AC_LANG_PROGRAM([[
1893#include <locale.h>
1894#include <stdlib.h>
1895	]], [[
1896	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1897	if (loc != NULL)
1898		exit(0);
1899	exit(1);
1900	]])],
1901	AC_MSG_RESULT(yes),
1902	[AC_MSG_RESULT(no)
1903	 TEST_SSH_UTF8=no],
1904	AC_MSG_WARN([cross compiling: assuming yes])
1905)
1906
1907AC_LINK_IFELSE(
1908        [AC_LANG_PROGRAM(
1909           [[ #include <ctype.h> ]],
1910           [[ return (isblank('a')); ]])],
1911	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1912])
1913
# Feature switches for PKCS#11 and U2F/FIDO security key support.
# disable_pkcs11 and disable_sk are set to 1 only by an explicit
# --disable option.  enable_sk_internal is set by
# --with-security-key-builtin and cleared again when security key support
# as a whole has been disabled.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[ test "x$enableval" = "xno" && disable_pkcs11=1 ]
)

disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[ test "x$enableval" = "xno" && disable_sk=1 ]
)
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[ test "x$withval" != "xno" && enable_sk_internal=yes ]
)
if test -n "$disable_sk"; then
	enable_sk_internal=""
fi
1943
1944AC_SEARCH_LIBS([dlopen], [dl])
1945AC_CHECK_FUNCS([dlopen])
1946AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1947
1948# IRIX has a const char return value for gai_strerror()
1949AC_CHECK_FUNCS([gai_strerror], [
1950	AC_DEFINE([HAVE_GAI_STRERROR])
1951	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1952#include <sys/types.h>
1953#include <sys/socket.h>
1954#include <netdb.h>
1955
1956const char *gai_strerror(int);
1957			]], [[
1958	char *str;
1959	str = gai_strerror(0);
1960			]])], [
1961		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1962		[Define if gai_strerror() returns const char *])], [])])
1963
1964AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1965	[Some systems put nanosleep outside of libc])])
1966
1967AC_SEARCH_LIBS([clock_gettime], [rt],
1968	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1969
1970dnl Make sure prototypes are defined for these before using them.
1971AC_CHECK_DECL([strsep],
1972	[AC_CHECK_FUNCS([strsep])],
1973	[],
1974	[
1975#ifdef HAVE_STRING_H
1976# include <string.h>
1977#endif
1978	])
1979
1980dnl tcsendbreak might be a macro
1981AC_CHECK_DECL([tcsendbreak],
1982	[AC_DEFINE([HAVE_TCSENDBREAK])],
1983	[AC_CHECK_FUNCS([tcsendbreak])],
1984	[#include <termios.h>]
1985)
1986
1987AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
1988
1989AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
1990	[
1991#include <sys/types.h>
1992#include <sys/socket.h>
1993#include <unistd.h>
1994	])
1995
1996AC_CHECK_DECLS([O_NONBLOCK], , ,
1997	[
1998#include <sys/types.h>
1999#ifdef HAVE_SYS_STAT_H
2000# include <sys/stat.h>
2001#endif
2002#ifdef HAVE_FCNTL_H
2003# include <fcntl.h>
2004#endif
2005	])
2006
2007AC_CHECK_DECLS([readv, writev], , , [
2008#include <sys/types.h>
2009#include <sys/uio.h>
2010#include <unistd.h>
2011	])
2012
2013AC_CHECK_DECLS([MAXSYMLINKS], , , [
2014#include <sys/param.h>
2015	])
2016
2017AC_CHECK_DECLS([offsetof], , , [
2018#include <stddef.h>
2019	])
2020
2021# extra bits for select(2)
2022AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2023#include <sys/param.h>
2024#include <sys/types.h>
2025#ifdef HAVE_SYS_SYSMACROS_H
2026#include <sys/sysmacros.h>
2027#endif
2028#ifdef HAVE_SYS_SELECT_H
2029#include <sys/select.h>
2030#endif
2031#ifdef HAVE_SYS_TIME_H
2032#include <sys/time.h>
2033#endif
2034#ifdef HAVE_UNISTD_H
2035#include <unistd.h>
2036#endif
2037	]])
2038AC_CHECK_TYPES([fd_mask], [], [], [[
2039#include <sys/param.h>
2040#include <sys/types.h>
2041#ifdef HAVE_SYS_SELECT_H
2042#include <sys/select.h>
2043#endif
2044#ifdef HAVE_SYS_TIME_H
2045#include <sys/time.h>
2046#endif
2047#ifdef HAVE_UNISTD_H
2048#include <unistd.h>
2049#endif
2050	]])
2051
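# Detect a setresuid that exists but is not implemented.  The test program
# calls it and exits non-zero only when errno is ENOSYS, which defines
# BROKEN_SETRESUID.  unistd.h is included so that the call has a
# declaration where the platform provides one: a test program that fails
# to compile takes the same branch as ENOSYS and would mark a working
# setresuid as broken.  Nothing is checked when cross compiling.
AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have setresuid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])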
2074
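AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have a setresgid that isn't implemented and only
	dnl fails with ENOSYS, so finding the symbol is not enough: call it once
	dnl and look at errno.  unistd.h is included so the call is declared on
	dnl platforms that declare it there; a compiler that rejects implicit
	dnl declarations would otherwise fail to build the probe, and a build
	dnl failure takes the same branch as a broken function.
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		dnl The warning used to name setresuid, a copy-paste slip from the
		dnl sibling check; it now names the function that was skipped.
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])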
2097
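dnl Run fflush(NULL) once; a crash or non-zero exit marks it as unusable.
dnl stdlib.h declares exit() so the probe still builds on compilers that
dnl reject implicit function declarations (a build failure would otherwise
dnl be reported as a broken fflush).
AC_MSG_CHECKING([for working fflush(NULL)])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
	]], [[fflush(NULL); exit(0);]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
	    [define if fflush(NULL) does not work])],
	[AC_MSG_WARN([cross compiling: assuming working])]
)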
2107
dnl Time functions.
AC_CHECK_FUNCS([gettimeofday time])
dnl utmp record functions.
AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
AC_CHECK_FUNCS([utmpname])
dnl utmpx record functions.
AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
dnl lastlog functions.
AC_CHECK_FUNCS([getlastlogxbyname])
2118
dnl daemon(): take it from the default libraries when present, otherwise
dnl look in -lbsd and add that library to LIBS if it provides the symbol.
AC_CHECK_FUNC([daemon], [
	AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])
], [
	AC_CHECK_LIB([bsd], [daemon], [
		LIBS="$LIBS -lbsd"
		AC_DEFINE([HAVE_DAEMON])
	])
])
2124
dnl getpagesize(): take it from the default libraries when present,
dnl otherwise look in -lucb and add that library to LIBS if it has it.
AC_CHECK_FUNC([getpagesize], [
	AC_DEFINE([HAVE_GETPAGESIZE], [1],
		[Define if your libraries define getpagesize()])
], [
	AC_CHECK_LIB([ucb], [getpagesize], [
		LIBS="$LIBS -lucb"
		AC_DEFINE([HAVE_GETPAGESIZE])
	])
])
2131
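# Check for broken snprintf: a 9 character string is written into a 5 byte
# buffer and the last byte must be the terminating NUL.  An snprintf that
# leaves the buffer unterminated on truncation would let later string
# handling read past the end of it.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
	dnl stdlib.h declares exit(); without it a compiler that rejects
	dnl implicit declarations cannot build the probe and the function is
	dnl reported as broken for the wrong reason.
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
		]],
		[[
	char b[5];
	snprintf(b,5,"123456789");
	exit(b[4]!='\0');
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi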
2152
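# Check that snprintf handles the z length modifier for size_t arguments.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf understands %zu])
	dnl string.h and stdlib.h declare strcmp() and exit(); without them a
	dnl compiler that rejects implicit declarations cannot build the probe
	dnl and the function is reported as broken for the wrong reason.
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
		]],
		[[
	size_t a = 1, b = 2;
	char z[128];
	snprintf(z, sizeof z, "%zu%zu", a, b);
	exit(strcmp(z, "12"));
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[snprintf does not understand %zu])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi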
2175
# Callers rely on the SUSv3 return value of vsnprintf on overflow: the
# number of characters the full output would have needed.  The probe
# formats an 11 character result into a 1 byte buffer and into a NULL
# buffer of size 0 and expects 11 back both times.
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdarg.h>

int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
	size_t written;
	va_list args;

	va_start(args, fmt);
	written = vsnprintf(str, count, fmt, args);
	va_end(args);
	return written;
}
		]], [[
char tiny[1];
if (x_snprintf(tiny, 1, "%s %d", "hello", 12345) != 11)
	return 1;
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
	return 1;
return 0;
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
	)
fi
2214
# Only matters when BROKEN_SNPRINTF is set: if stdio.h already declares
# snprintf, find out whether a redefinition may spell the format argument
# as const char * or has to use plain char *.
AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
	]], [[
	snprintf(0, 0, 0);
	]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([SNPRINTF_CONST], [const],
			[Define as const if snprintf() can declare const char *fmt])
	],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([SNPRINTF_CONST], [/* not const */])
	]
)
2230
# Peer credential lookup on local sockets: when neither getpeereid nor
# getpeerucred was found, fall back to the SO_PEERCRED socket option.
# NO_PEERCHECK=1 records that none of the three is available; how that
# value is acted on is outside this section.
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" && \
    test "x$ac_cv_func_getpeerucred" != "xyes"; then
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[int i = SO_PEERCRED;]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
		],
		[
			AC_MSG_RESULT([no])
			NO_PEERCHECK=1
		]
	)
fi
2244
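dnl See whether mkstemp() insists on a template that ends in XXXXXX.  The
dnl probe passes a template without that suffix: success means mkstemp is
dnl not strict, failure means it is.  The check is gated on the mkdtemp
dnl result, as in the original; presumably a missing mkdtemp selects the
dnl replacement code anyway - confirm against the compat sources.
dnl unistd.h declares unlink(); without it a compiler that rejects implicit
dnl declarations cannot build the probe, which reads as a strict mkstemp.
if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
	AC_MSG_CHECKING([for (overly) strict mkstemp])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <unistd.h>
		]], [[
	char template[]="conftest.mkstemp-test";
	if (mkstemp(template) == -1)
		exit(1);
	unlink(template);
	exit(0);
		]])],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
		],
		[
			dnl Cross builds cannot run the probe; assume strict.
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_STRICT_MKSTEMP])
		]
	)
fi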
2271
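dnl Make sure that openpty does not reacquire a controlling terminal.  The
dnl child starts a new session, calls openpty and then tries to open
dnl /dev/tty: if that open succeeds the new pty became the controlling
dnl terminal and the platform is flagged.
dnl stdlib.h and unistd.h declare exit, close and setsid.  openpty itself
dnl is declared in a platform-specific header that this probe does not
dnl include; NOTE(review): on compilers that reject implicit declarations
dnl the probe may still fail to build, which takes the flagged branch.
if test ! -z "$check_for_openpty_ctty_bug"; then
	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
		]], [[
	pid_t pid;
	int fd, ptyfd, ttyfd, status;

	pid = fork();
	if (pid < 0) {		/* failed */
		exit(1);
	} else if (pid > 0) {	/* parent */
		waitpid(pid, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		else
			exit(2);
	} else {		/* child */
		close(0); close(1); close(2);
		setsid();
		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
		if (fd >= 0)
			exit(3);	/* Acquired ctty: broken */
		else
			exit(0);	/* Did not acquire ctty: OK */
	}
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([SSHD_ACQUIRES_CTTY])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi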
2317
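dnl Runtime check for the platforms that set
dnl check_for_hpux_broken_getaddrinfo: resolve a passive wildcard address,
dnl convert each IPv6 result back to numeric form and try to bind it.
dnl stdlib.h and string.h declare exit and memset; without them a compiler
dnl that rejects implicit declarations cannot build the probe and
dnl getaddrinfo is reported as broken for the wrong reason.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		/* Only EBADF from bind counts as a failure of the probe. */
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi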
2385
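dnl Runtime check for the platforms that set
dnl check_for_aix_broken_getaddrinfo: resolve a passive wildcard address
dnl and convert each result back to numeric form; only a failure on an
dnl IPv4 result fails the probe.  A passing probe still enables
dnl AIX_GETNAMEINFO_HACK.
dnl stdlib.h and string.h declare exit and memset; without them a compiler
dnl that rejects implicit declarations cannot build the probe and
dnl getaddrinfo is reported as broken for the wrong reason.
dnl NOTE(review): the cross-compile branch prints "assuming no" but defines
dnl nothing, unlike the real "no" branch - confirm which is intended.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi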
2444
dnl With a usable getaddrinfo, also record whether netdb.h declares the
dnl AI_NUMERICSERV flag.
if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
	AC_CHECK_DECLS([AI_NUMERICSERV], [], [], [[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
	]])
fi
2451
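dnl Compile-only check: shadow.h must build on its own.  The body used to
dnl call exit() with no header that declares it, so a compiler that rejects
dnl implicit declarations failed the probe for a reason unrelated to
dnl shadow.h; a plain return needs no declaration and leaves the set of
dnl headers under test unchanged.
if test "x$check_for_conflicting_getspnam" = "x1"; then
	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
		[[ return 0; ]])],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
			    [Conflicting defs for getspnam])
		]
	)
fi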
2466
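dnl NetBSD added an strnvis and unfortunately made it incompatible with the
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
dnl for over ten years). Despite this incompatibility being reported during
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
dnl implementation.  Try to detect this mess, and assume the only safe option
dnl if we're cross compiling.
dnl
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
dnl
dnl The probe calls strnvis with the OpenBSD argument order and treats a
dnl crash (SIGSEGV handler), a wrong result or a build failure as broken, so
dnl every uncertain outcome lands on BROKEN_STRNVIS.  unistd.h declares the
dnl _exit used by the handler, and the final statement now carries its own
dnl semicolon instead of relying on the one the program template appends.
if test "x$ac_cv_func_strnvis" = "xyes"; then
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi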
2501
dnl When getpgrp exists, compile a call with no arguments against the
dnl default includes and set GETPGRP_VOID to 1 or 0 from the result.
AC_CHECK_FUNCS([getpgrp], [
	AC_MSG_CHECKING([if getpgrp accepts zero args])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])
		]
	)
])
2512
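# Search for OpenSSL
#
# --with-ssl-dir=PATH prepends PATH/lib, PATH/lib64 or PATH itself to the
# linker search path, and PATH/include or PATH to the preprocessor search
# path.  When rpath_opt is set the same library directory is also recorded
# as a runtime search path in the binaries.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			# The directory can end up in the runtime library search
			# path, where a relative entry would be resolved against
			# whatever directory the program is started from.  Anchor
			# every non-absolute value to the build directory, not
			# only the ones spelled with a leading ./ or ../
			case "$withval" in
			/*)	;;
			*)	withval="`pwd`/$withval" ;;
			esac
			if test -d "$withval/lib"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
				fi
			elif test -d "$withval/lib64"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
				fi
			else
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${LDFLAGS}"
				fi
			fi
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)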
2554
dnl --without-openssl-header-check sets openssl_check_nonfatal, which turns
dnl a header/library version mismatch found later from an error into a
dnl warning.  Building against headers that do not match the linked library
dnl is the condition that check exists to catch, so leave it on unless the
dnl installation is known to be consistent.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		case "x$withval" in
		xno)	openssl_check_nonfatal=1 ;;
		esac
	]
)
2563
dnl ENGINE support is off unless --with-ssl-engine is given, and the option
dnl is rejected outright when OpenSSL itself has been disabled.
openssl_engine=no
AC_ARG_WITH([ssl-engine],
	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
	[
		if test "x$withval" != "xno" ; then
			case "x$openssl" in
			xno)
				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
				;;
			esac
			openssl_engine=yes
		fi
	]
)
2576
2577if test "x$openssl" = "xyes" ; then
2578	LIBS="-lcrypto $LIBS"
2579	AC_TRY_LINK_FUNC([RAND_add], ,
2580	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2581	AC_CHECK_HEADER([openssl/opensslv.h], ,
2582	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2583
2584	# Determine OpenSSL header version
2585	AC_MSG_CHECKING([OpenSSL header version])
2586	AC_RUN_IFELSE(
2587		[AC_LANG_PROGRAM([[
2588	#include <stdlib.h>
2589	#include <stdio.h>
2590	#include <string.h>
2591	#include <openssl/opensslv.h>
2592	#define DATA "conftest.sslincver"
2593		]], [[
2594		FILE *fd;
2595		int rc;
2596
2597		fd = fopen(DATA,"w");
2598		if(fd == NULL)
2599			exit(1);
2600
2601		if ((rc = fprintf(fd, "%08lx (%s)\n",
2602		    (unsigned long)OPENSSL_VERSION_NUMBER,
2603		     OPENSSL_VERSION_TEXT)) < 0)
2604			exit(1);
2605
2606		exit(0);
2607		]])],
2608		[
2609			ssl_header_ver=`cat conftest.sslincver`
2610			AC_MSG_RESULT([$ssl_header_ver])
2611		],
2612		[
2613			AC_MSG_RESULT([not found])
2614			AC_MSG_ERROR([OpenSSL version header not found.])
2615		],
2616		[
2617			AC_MSG_WARN([cross compiling: not checking])
2618		]
2619	)
2620
2621	# Determining OpenSSL library version is version dependent.
2622	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2623
2624	# Determine OpenSSL library version
2625	AC_MSG_CHECKING([OpenSSL library version])
2626	AC_RUN_IFELSE(
2627		[AC_LANG_PROGRAM([[
2628	#include <stdio.h>
2629	#include <string.h>
2630	#include <openssl/opensslv.h>
2631	#include <openssl/crypto.h>
2632	#define DATA "conftest.ssllibver"
2633		]], [[
2634		FILE *fd;
2635		int rc;
2636
2637		fd = fopen(DATA,"w");
2638		if(fd == NULL)
2639			exit(1);
2640#ifndef OPENSSL_VERSION
2641# define OPENSSL_VERSION SSLEAY_VERSION
2642#endif
2643#ifndef HAVE_OPENSSL_VERSION
2644# define OpenSSL_version	SSLeay_version
2645#endif
2646#ifndef HAVE_OPENSSL_VERSION_NUM
2647# define OpenSSL_version_num	SSLeay
2648#endif
2649		if ((rc = fprintf(fd, "%08lx (%s)\n",
2650		    (unsigned long)OpenSSL_version_num(),
2651		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2652			exit(1);
2653
2654		exit(0);
2655		]])],
2656		[
2657			ssl_library_ver=`cat conftest.ssllibver`
2658			# Check version is supported.
2659			case "$ssl_library_ver" in
2660			10000*|0*)
2661				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2662		                ;;
2663			100*)   ;; # 1.0.x
2664			101000[[0123456]]*)
2665				# https://github.com/openssl/openssl/pull/4613
2666				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2667				;;
2668			101*)   ;; # 1.1.x
2669			200*)   ;; # LibreSSL
2670			300*)   ;; # OpenSSL development branch.
2671		        *)
2672				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2673		                ;;
2674			esac
2675			AC_MSG_RESULT([$ssl_library_ver])
2676		],
2677		[
2678			AC_MSG_RESULT([not found])
2679			AC_MSG_ERROR([OpenSSL library not found.])
2680		],
2681		[
2682			AC_MSG_WARN([cross compiling: not checking])
2683		]
2684	)
2685
2686	# Sanity check OpenSSL headers
2687	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2688	AC_RUN_IFELSE(
2689		[AC_LANG_PROGRAM([[
2690	#include <string.h>
2691	#include <openssl/opensslv.h>
2692	#include <openssl/crypto.h>
2693		]], [[
2694#ifndef HAVE_OPENSSL_VERSION_NUM
2695# define OpenSSL_version_num	SSLeay
2696#endif
2697		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2698		]])],
2699		[
2700			AC_MSG_RESULT([yes])
2701		],
2702		[
2703			AC_MSG_RESULT([no])
2704			if test "x$openssl_check_nonfatal" = "x"; then
2705				AC_MSG_ERROR([Your OpenSSL headers do not match your
2706	library. Check config.log for details.
2707	If you are sure your installation is consistent, you can disable the check
2708	by running "./configure --without-openssl-header-check".
2709	Also see contrib/findssl.sh for help identifying header/library mismatches.
2710	])
2711			else
2712				AC_MSG_WARN([Your OpenSSL headers do not match your
2713	library. Check config.log for details.
2714	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2715			fi
2716		],
2717		[
2718			AC_MSG_WARN([cross compiling: not checking])
2719		]
2720	)
2721
2722	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2723	AC_LINK_IFELSE(
2724		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2725		[[ ERR_load_crypto_strings(); ]])],
2726		[
2727			AC_MSG_RESULT([yes])
2728		],
2729		[
2730			AC_MSG_RESULT([no])
2731			saved_LIBS="$LIBS"
2732			LIBS="$LIBS -ldl"
2733			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2734			AC_LINK_IFELSE(
2735				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2736				[[ ERR_load_crypto_strings(); ]])],
2737				[
2738					AC_MSG_RESULT([yes])
2739				],
2740				[
2741					AC_MSG_RESULT([no])
2742					LIBS="$saved_LIBS"
2743				]
2744			)
2745		]
2746	)
2747
2748	AC_CHECK_FUNCS([ \
2749		BN_is_prime_ex \
2750		DSA_generate_parameters_ex \
2751		EVP_CIPHER_CTX_ctrl \
2752		EVP_DigestFinal_ex \
2753		EVP_DigestInit_ex \
2754		EVP_MD_CTX_cleanup \
2755		EVP_MD_CTX_copy_ex \
2756		EVP_MD_CTX_init \
2757		HMAC_CTX_init \
2758		RSA_generate_key_ex \
2759		RSA_get_default_method \
2760	])
2761
2762	# OpenSSL_add_all_algorithms may be a macro.
2763	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2764	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2765	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2766		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2767		[[#include <openssl/evp.h>]]
2768	    )
2769	)
2770
2771	# LibreSSL/OpenSSL 1.1x API
2772	AC_CHECK_FUNCS([ \
2773		OPENSSL_init_crypto \
2774		DH_get0_key \
2775		DH_get0_pqg \
2776		DH_set0_key \
2777		DH_set_length \
2778		DH_set0_pqg \
2779		DSA_get0_key \
2780		DSA_get0_pqg \
2781		DSA_set0_key \
2782		DSA_set0_pqg \
2783		DSA_SIG_get0 \
2784		DSA_SIG_set0 \
2785		ECDSA_SIG_get0 \
2786		ECDSA_SIG_set0 \
2787		EVP_CIPHER_CTX_iv \
2788		EVP_CIPHER_CTX_iv_noconst \
2789		EVP_CIPHER_CTX_get_iv \
2790		EVP_CIPHER_CTX_set_iv \
2791		RSA_get0_crt_params \
2792		RSA_get0_factors \
2793		RSA_get0_key \
2794		RSA_set0_crt_params \
2795		RSA_set0_factors \
2796		RSA_set0_key \
2797		RSA_meth_free \
2798		RSA_meth_dup \
2799		RSA_meth_set1_name \
2800		RSA_meth_get_finish \
2801		RSA_meth_set_priv_enc \
2802		RSA_meth_set_priv_dec \
2803		RSA_meth_set_finish \
2804		EVP_PKEY_get0_RSA \
2805		EVP_MD_CTX_new \
2806		EVP_MD_CTX_free \
2807		EVP_chacha20 \
2808	])
2809
2810	if test "x$openssl_engine" = "xyes" ; then
2811		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2812		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2813	#include <openssl/engine.h>
2814			]], [[
2815				ENGINE_load_builtin_engines();
2816				ENGINE_register_all_complete();
2817			]])],
2818			[ AC_MSG_RESULT([yes])
2819			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2820			     [Enable OpenSSL engine support])
2821			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2822		])
2823	fi
2824
2825	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2826	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2827	AC_LINK_IFELSE(
2828		[AC_LANG_PROGRAM([[
2829	#include <string.h>
2830	#include <openssl/evp.h>
2831		]], [[
2832		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2833		]])],
2834		[
2835			AC_MSG_RESULT([no])
2836		],
2837		[
2838			AC_MSG_RESULT([yes])
2839			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2840			    [libcrypto is missing AES 192 and 256 bit functions])
2841		]
2842	)
2843
2844	# Check for OpenSSL with EVP_aes_*ctr
2845	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2846	AC_LINK_IFELSE(
2847		[AC_LANG_PROGRAM([[
2848	#include <string.h>
2849	#include <openssl/evp.h>
2850		]], [[
2851		exit(EVP_aes_128_ctr() == NULL ||
2852		    EVP_aes_192_cbc() == NULL ||
2853		    EVP_aes_256_cbc() == NULL);
2854		]])],
2855		[
2856			AC_MSG_RESULT([yes])
2857			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2858			    [libcrypto has EVP AES CTR])
2859		],
2860		[
2861			AC_MSG_RESULT([no])
2862		]
2863	)
2864
2865	# Check for OpenSSL with EVP_aes_*gcm
2866	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2867	AC_LINK_IFELSE(
2868		[AC_LANG_PROGRAM([[
2869	#include <string.h>
2870	#include <openssl/evp.h>
2871		]], [[
2872		exit(EVP_aes_128_gcm() == NULL ||
2873		    EVP_aes_256_gcm() == NULL ||
2874		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2875		    EVP_CTRL_GCM_IV_GEN == 0 ||
2876		    EVP_CTRL_GCM_SET_TAG == 0 ||
2877		    EVP_CTRL_GCM_GET_TAG == 0 ||
2878		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2879		]])],
2880		[
2881			AC_MSG_RESULT([yes])
2882			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2883			    [libcrypto has EVP AES GCM])
2884		],
2885		[
2886			AC_MSG_RESULT([no])
2887			unsupported_algorithms="$unsupported_cipers \
2888			   aes128-gcm@openssh.com \
2889			   aes256-gcm@openssh.com"
2890		]
2891	)
2892
2893	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2894	AC_LINK_IFELSE(
2895		[AC_LANG_PROGRAM([[
2896	#include <string.h>
2897	#include <openssl/evp.h>
2898		]], [[
2899		if(EVP_DigestUpdate(NULL, NULL,0))
2900			exit(0);
2901		]])],
2902		[
2903			AC_MSG_RESULT([yes])
2904		],
2905		[
2906			AC_MSG_RESULT([no])
2907			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2908			    [Define if EVP_DigestUpdate returns void])
2909		]
2910	)
2911
2912	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2913	# because the system crypt() is more featureful.
2914	if test "x$check_for_libcrypt_before" = "x1"; then
2915		AC_CHECK_LIB([crypt], [crypt])
2916	fi
2917
2918	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2919	# version in OpenSSL.
2920	if test "x$check_for_libcrypt_later" = "x1"; then
2921		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2922	fi
2923	AC_CHECK_FUNCS([crypt DES_crypt])
2924
2925	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2926	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2927
2928	# Check complete ECC support in OpenSSL
2929	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2930	AC_LINK_IFELSE(
2931		[AC_LANG_PROGRAM([[
2932	#include <openssl/ec.h>
2933	#include <openssl/ecdh.h>
2934	#include <openssl/ecdsa.h>
2935	#include <openssl/evp.h>
2936	#include <openssl/objects.h>
2937	#include <openssl/opensslv.h>
2938		]], [[
2939		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2940		const EVP_MD *m = EVP_sha256(); /* We need this too */
2941		]])],
2942		[ AC_MSG_RESULT([yes])
2943		  enable_nistp256=1 ],
2944		[ AC_MSG_RESULT([no]) ]
2945	)
2946
2947	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
2948	AC_LINK_IFELSE(
2949		[AC_LANG_PROGRAM([[
2950	#include <openssl/ec.h>
2951	#include <openssl/ecdh.h>
2952	#include <openssl/ecdsa.h>
2953	#include <openssl/evp.h>
2954	#include <openssl/objects.h>
2955	#include <openssl/opensslv.h>
2956		]], [[
2957		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
2958		const EVP_MD *m = EVP_sha384(); /* We need this too */
2959		]])],
2960		[ AC_MSG_RESULT([yes])
2961		  enable_nistp384=1 ],
2962		[ AC_MSG_RESULT([no]) ]
2963	)
2964
2965	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2966	AC_LINK_IFELSE(
2967		[AC_LANG_PROGRAM([[
2968	#include <openssl/ec.h>
2969	#include <openssl/ecdh.h>
2970	#include <openssl/ecdsa.h>
2971	#include <openssl/evp.h>
2972	#include <openssl/objects.h>
2973	#include <openssl/opensslv.h>
2974		]], [[
2975		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2976		const EVP_MD *m = EVP_sha512(); /* We need this too */
2977		]])],
2978		[ AC_MSG_RESULT([yes])
2979		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2980		  AC_RUN_IFELSE(
2981			[AC_LANG_PROGRAM([[
2982	#include <openssl/ec.h>
2983	#include <openssl/ecdh.h>
2984	#include <openssl/ecdsa.h>
2985	#include <openssl/evp.h>
2986	#include <openssl/objects.h>
2987	#include <openssl/opensslv.h>
2988			]],[[
2989			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2990			const EVP_MD *m = EVP_sha512(); /* We need this too */
2991			exit(e == NULL || m == NULL);
2992			]])],
2993			[ AC_MSG_RESULT([yes])
2994			  enable_nistp521=1 ],
2995			[ AC_MSG_RESULT([no]) ],
2996			[ AC_MSG_WARN([cross-compiling: assuming yes])
2997			  enable_nistp521=1 ]
2998		  )],
2999		AC_MSG_RESULT([no])
3000	)
3001
3002	COMMENT_OUT_ECC="#no ecc#"
3003	TEST_SSH_ECC=no
3004
3005	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3006	    test x$enable_nistp521 = x1; then
3007		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3008		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3009		openssl_ecc=yes
3010	else
3011		openssl_ecc=no
3012	fi
3013	if test x$enable_nistp256 = x1; then
3014		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3015		    [libcrypto has NID_X9_62_prime256v1])
3016		TEST_SSH_ECC=yes
3017		COMMENT_OUT_ECC=""
3018	else
3019		unsupported_algorithms="$unsupported_algorithms \
3020			ecdsa-sha2-nistp256 \
3021			ecdh-sha2-nistp256 \
3022			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3023	fi
3024	if test x$enable_nistp384 = x1; then
3025		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3026		TEST_SSH_ECC=yes
3027		COMMENT_OUT_ECC=""
3028	else
3029		unsupported_algorithms="$unsupported_algorithms \
3030			ecdsa-sha2-nistp384 \
3031			ecdh-sha2-nistp384 \
3032			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3033	fi
3034	if test x$enable_nistp521 = x1; then
3035		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3036		TEST_SSH_ECC=yes
3037		COMMENT_OUT_ECC=""
3038	else
3039		unsupported_algorithms="$unsupported_algorithms \
3040			ecdh-sha2-nistp521 \
3041			ecdsa-sha2-nistp521 \
3042			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3043	fi
3044
3045	AC_SUBST([TEST_SSH_ECC])
3046	AC_SUBST([COMMENT_OUT_ECC])
3047else
3048	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3049	AC_CHECK_FUNCS([crypt])
3050fi
3051
# PKCS11/U2F depend on OpenSSL and dlopen().  Both start out enabled and
# are switched off, with the reason kept as the value, by each missing
# prerequisite in turn.  Later assignments overwrite earlier ones, so an
# explicit request from the user to disable a feature is the reason that
# gets reported.
enable_pkcs11=yes
enable_sk=yes
if test "x$openssl" != "xyes" ; then
	enable_pkcs11="disabled; missing libcrypto"
	enable_sk="disabled; missing libcrypto"
fi
if test "x$openssl_ecc" != "xyes" ; then
	enable_sk="disabled; OpenSSL has no ECC support"
fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
	enable_pkcs11="disabled; missing dlopen(3)"
	enable_sk="disabled; missing dlopen(3)"
fi
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
	enable_pkcs11="disabled; missing RTLD_NOW"
	enable_sk="disabled; missing RTLD_NOW"
fi
if test -n "$disable_pkcs11" ; then
	enable_pkcs11="disabled by user"
fi
if test -n "$disable_sk" ; then
	enable_sk="disabled by user"
fi
3076
dnl Report the two decisions and define the feature macro only for a plain
dnl yes; any other value is the reason text and is printed as the result.
AC_MSG_CHECKING([whether to enable PKCS11])
case "x$enable_pkcs11" in
xyes)	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]) ;;
esac
AC_MSG_RESULT([$enable_pkcs11])

AC_MSG_CHECKING([whether to enable U2F])
case "x$enable_sk" in
xyes)	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support]) ;;
esac
AC_MSG_RESULT([$enable_sk])
3088
# Built-in security key support: only attempted when security keys are
# enabled and the internal implementation was asked for.  Link flags come
# from pkg-config when it knows libfido2, otherwise from a fixed fallback.
# A missing library or header is a hard error at this point.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
	use_pkgconfig_for_libfido2=
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		if "$PKGCONFIG" libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
		else
			AC_MSG_RESULT([no])
		fi
	fi
	case "x$use_pkgconfig_for_libfido2" in
	xyes)
		LIBFIDO2=`$PKGCONFIG --libs libfido2`
		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
		;;
	*)
		LIBFIDO2="-lfido2 -lcbor"
		;;
	esac
	# Everything except -lfido2 itself is handed to the library check as
	# the extra libraries to link with.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		],
		[ AC_MSG_ERROR([no usable libfido2 found]) ],
		[ $OTHERLIBS ]
	)
	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi
3125
3126AC_CHECK_FUNCS([ \
3127	arc4random \
3128	arc4random_buf \
3129	arc4random_stir \
3130	arc4random_uniform \
3131])
3132
dnl libiaf is only wanted by sshd: LIBS is extended just long enough to look
dnl for set_id, SSHDLIBS gets the library when it is found, and LIBS is put
dnl back afterwards.
saved_LIBS="$LIBS"
AC_CHECK_LIB([iaf], [ia_openinfo], [
	LIBS="$LIBS -liaf"
	AC_CHECK_FUNCS([set_id], [
		SSHDLIBS="$SSHDLIBS -liaf"
		AC_DEFINE([HAVE_LIBIAF], [1],
			[Define if system has libiaf that supports set_id])
	])
])
LIBS="$saved_LIBS"
3142
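### Configure cryptographic random number support

# Check whether OpenSSL seeds itself
# The probe is executed, not just compiled: RAND_status() must return 1 on
# the build host. <stdlib.h> is included so that exit() is declared; a
# compiler that rejects implicit function declarations would otherwise fail
# to build the probe and the answer would be reported as "no", which steers
# the build towards the PRNGD/EGD options below.
if test "x$openssl" = "xyes" ; then
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			OPENSSL_SEEDS_ITSELF=yes
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
fi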
3170
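# PRNGD TCP socket
# The value is written unquoted into config.h as PRNGD_PORT, so it has to be
# made of decimal digits only. The previous pattern checked just the first
# character, which let values such as "22x" through to the C sources.
# "no" disables the option; an empty value, "yes" or anything with a
# non-digit is rejected.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|*[[!0-9]]*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)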
3192
# PRNGD Unix domain socket
# An explicit --with-prngd-socket must be an absolute path and cannot be
# combined with --with-prngd-port. The path is compiled in as PRNGD_SOCKET;
# a path that is not readable at configure time only produces a warning.
# Without the option, a fixed list of locations is probed, and only when
# OpenSSL was not found to seed itself.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)	withval="/var/run/egd-pool" ;;
		no)	withval="" ;;
		/*)	;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test -n "$withval" ; then
			if test -n "$PRNGD_PORT" ; then
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			fi
			if test ! -r "$withval" ; then
				AC_MSG_WARN([Entropy socket is not readable])
			fi
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Option not given: look for an existing socket, but only when
		# OpenSSL does not already seed itself.
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				# The first readable socket or FIFO wins.
				test -r "$sock" || continue
				$TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" || continue
				PRNGD_SOCKET="$sock"
				AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
				break
			done
			if test -n "$PRNGD_SOCKET" ; then
				AC_MSG_RESULT([$PRNGD_SOCKET])
			else
				AC_MSG_RESULT([not found])
			fi
		fi
	]
)
3243
# Which randomness source do we use?
# Precedence: an explicit PRNGD port, then a PRNGD socket, then OpenSSL's own
# seeding. A build without OpenSSL only gets a warning about /dev/urandom.
# A build with OpenSSL but none of the sources above stops here.
if test -n "$PRNGD_PORT" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test -n "$PRNGD_SOCKET" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test -n "$OPENSSL_SEEDS_ITSELF" ; then
	RAND_MSG="OpenSSL internal ONLY"
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3258
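# Check for PAM libs
# --with-pam needs one of the two PAM headers (their ac_cv_header_* results
# are not set in this section) and libpam; either being absent is a
# configure error. LIBS is restored after the probes and the PAM libraries
# are added to SSHDLIBS instead.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist])
			AC_CHECK_FUNCS([pam_putenv])
			LIBS="$saved_LIBS"

			PAM_MSG="yes"

			SSHDLIBS="$SSHDLIBS -lpam"
			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])

			# Quoted and x-prefixed like the other tests in this
			# file, so an empty value cannot turn into a test syntax
			# error.
			if test "x$ac_cv_lib_dl_dlopen" = "xyes" ; then
				case "$LIBS" in
				*-ldl*)
					# libdl already in LIBS
					;;
				*)
					SSHDLIBS="$SSHDLIBS -ldl"
					;;
				esac
			fi
		fi
	]
)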
3296
# --with-pam-service=NAME sets SSHD_PAM_SERVICE. "yes" and "no" are ignored.
# NOTE(review): the value is placed inside a C string literal in config.h
# without escaping or validation - confirm that builders only ever pass a
# plain service name here.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		case "x$withval" in
		xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
			;;
		esac
	]
)
3307
# Check for older PAM
# Only runs when PAM was enabled above. A two-argument pam_strerror() call is
# compiled; if that fails for any reason the library is treated as the old
# one-argument flavour and HAVE_OLD_PAM is defined.
if test "x$PAM_MSG" = "xyes" ; then
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"
		]
	)
fi
3330
# Unprivileged account used for privilege separation. The default is "sshd";
# on Cygwin the unquoted identifier CYGWIN_SSH_PRIVSEP_USER is emitted
# instead of a string. --with-privsep-user overrides the default unless the
# value is empty, "yes" or "no".
# NOTE(review): a user-supplied name goes into a C string literal in
# config.h unescaped - presumably always a plain account name; confirm.
case "$host" in
*-*-cygwin*)	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER ;;
*)		SSH_PRIVSEP_USER=sshd ;;
esac
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		case "x${withval}" in
		x|xno|xyes)
			;;
		*)
			SSH_PRIVSEP_USER=$withval
			;;
		esac
	]
)
case "x$SSH_PRIVSEP_USER" in
xCYGWIN_SSH_PRIVSEP_USER)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
	;;
*)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
	;;
esac
AC_SUBST([SSH_PRIVSEP_USER])
3356
# seccomp filter detection.
# Step 1: only when have_linux_no_new_privs is 1, check that
# <linux/seccomp.h> declares SECCOMP_MODE_FILTER.
# Step 2: link a small prctl() program. This is AC_LINK_IFELSE, so the EFAULT
# probe in the body is never executed at configure time: a "yes" means the
# headers and prctl() are usable for $seccomp_audit_arch, not that the
# kernel of the build host accepts filters.
if test "x$have_linux_no_new_privs" = "x1" ; then
	AC_CHECK_DECL([SECCOMP_MODE_FILTER],
		[have_seccomp_filter=1],
		[],
		[
	#include <sys/types.h>
	#include <linux/seccomp.h>
		]
	)
fi
if test "x$have_seccomp_filter" = "x1" ; then
	AC_MSG_CHECKING([kernel for seccomp_filter support])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
		]], [[
	   int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			# Disable seccomp filter as a target
			have_seccomp_filter=0
		]
	)
fi
3384
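# Decide which sandbox style to use
# An empty sandbox_arg means "auto-detect": that is the result both when the
# option is absent and when it is given as plain --with-sandbox. Any other
# value is taken literally and validated by the selection chain further down,
# which also accepts "solaris" (added to the help text here) and the
# spellings "none" and "null" for "no".
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, solaris, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)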
3397
# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
# The probe opens /dev/null, drops RLIMIT_FSIZE and RLIMIT_NOFILE to zero and
# then calls select() on the descriptor; a -1 return means "no". Both rlimit
# probes in this section assume "yes" when cross compiling.
AC_MSG_CHECKING([if select works with descriptor rlimit])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit zero_limit;
	struct timeval timeout;
	fd_set readset;
	int nullfd, rc;

	nullfd = open("/dev/null", O_RDONLY);
	FD_ZERO(&readset);
	FD_SET(nullfd, &readset);
	zero_limit.rlim_cur = zero_limit.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &zero_limit);
	setrlimit(RLIMIT_NOFILE, &zero_limit);
	timeout.tv_sec = 1;
	timeout.tv_usec = 0;
	rc = select(nullfd+1, &readset, NULL, NULL, &timeout);
	exit (rc == -1 ? 1 : 0);
	]])],
	[
		AC_MSG_RESULT([yes])
		select_works_with_rlimit=yes
	],
	[
		AC_MSG_RESULT([no])
		select_works_with_rlimit=no
	],
	[
		AC_MSG_WARN([cross compiling: assuming yes])
		select_works_with_rlimit=yes
	]
)

# Can RLIMIT_NOFILE be set to zero at all?
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit zero_limit;
	int rc;

	zero_limit.rlim_cur = zero_limit.rlim_max = 0;
	rc = setrlimit(RLIMIT_NOFILE, &zero_limit);
	exit (rc == -1 ? 1 : 0);
	]])],
	[
		AC_MSG_RESULT([yes])
		rlimit_nofile_zero_works=yes
	],
	[
		AC_MSG_RESULT([no])
		rlimit_nofile_zero_works=no
	],
	[
		AC_MSG_WARN([cross compiling: assuming yes])
		rlimit_nofile_zero_works=yes
	]
)
3465
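# RLIMIT_FSIZE: run a probe that sets the limit to zero. When the call
# fails, SANDBOX_SKIP_RLIMIT_FSIZE is defined; its config.h description now
# says so (it used to read "setrlimit RLIMIT_FSIZE works", the opposite of
# the condition under which it is defined). Cross builds assume the call
# works.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)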
3484
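# Pick the privilege separation sandbox.
# Each branch is taken either because the style was requested explicitly or,
# with an empty sandbox_arg, because its prerequisites were detected; the
# first match in this order wins. An explicit request whose prerequisites
# are missing is a configure error, except for "solaris", which has no such
# check here.
# When auto-detection finds nothing, the build falls back to no sandbox at
# all. That outcome weakens privilege separation, so it is now announced
# with a warning instead of passing silently; the selection is unchanged.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	# An explicit request is not checked against
	# rlimit_nofile_zero_works; only auto-detection requires it.
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([no supported privilege separation sandbox detected; building without one])
	fi
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi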
3555
# Cheap hack to ensure NEWS-OS libraries are arranged right.
if test -n "$SONY" ; then
	LIBS="$LIBS -liberty"
fi

# Wide integer and floating point types.
AC_CHECK_TYPES([long long, unsigned long long, long double])

# Sizes of the basic integer types.
AC_CHECK_SIZEOF([short int])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])

# Sanity check long long for some platforms (AIX): a 4-byte long long is
# recorded as size 0, the value the int64_t requirement check further down
# tests for.
case "x$ac_cv_sizeof_long_long_int" in
x4)
	ac_cv_sizeof_long_long_int=0
	;;
esac
3574
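# compute LLONG_MIN and LLONG_MAX if we don't know them.
# The probe writes both values to conftest.llminmax and configure reads them
# back with awk. <stdlib.h> is included so that exit() is declared; without
# it a compiler that rejects implicit function declarations cannot build the
# probe and the result degrades to "not found". Nothing is checked when
# cross compiling.
if test -z "$have_llong_max"; then
	AC_MSG_CHECKING([for max value of long long])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
/* Why is this so damn hard? */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))

/*
 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
 * we do this the hard way.
 * NOTE: n must be non-zero; the caller's sanity check guarantees that.
 */
static int
fprint_ll(FILE *f, long long n)
{
	unsigned int i;
	int l[sizeof(long long) * 8];

	if (n < 0)
		if (fprintf(f, "-") < 0)
			return -1;
	for (i = 0; n != 0; i++) {
		l[i] = my_abs(n % 10);
		n /= 10;
	}
	do {
		if (fprintf(f, "%d", l[--i]) < 0)
			return -1;
	} while (i != 0);
	if (fprintf(f, " ") < 0)
		return -1;
	return 0;
}
		]], [[
	FILE *f;
	long long i, llmin, llmax = 0;

	if((f = fopen(DATA,"w")) == NULL)
		exit(1);

#if defined(LLONG_MIN) && defined(LLONG_MAX)
	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
	llmin = LLONG_MIN;
	llmax = LLONG_MAX;
#else
	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
	/* This will work on one's complement and two's complement */
	for (i = 1; i > llmax; i <<= 1, i++)
		llmax = i;
	llmin = llmax + 1LL;	/* wrap */
#endif

	/* Sanity check */
	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
		fprintf(f, "unknown unknown\n");
		exit(2);
	}

	if (fprint_ll(f, llmin) < 0)
		exit(3);
	if (fprint_ll(f, llmax) < 0)
		exit(4);
	if (fclose(f) < 0)
		exit(5);
	exit(0);
		]])],
		[
			llong_min=`$AWK '{print $1}' conftest.llminmax`
			llong_max=`$AWK '{print $2}' conftest.llminmax`

			AC_MSG_RESULT([$llong_max])
			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
			    [max value of long long calculated by configure])
			AC_MSG_CHECKING([for min value of long long])
			AC_MSG_RESULT([$llong_min])
			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
			    [min value of long long calculated by configure])
		],
		[
			AC_MSG_RESULT([not found])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
fi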
3670
# UINT32_MAX is looked for in whichever of these headers is available.
AC_CHECK_DECLS([UINT32_MAX], [], [], [[
#ifdef HAVE_SYS_LIMITS_H
# include <sys/limits.h>
#endif
#ifdef HAVE_LIMITS_H
# include <limits.h>
#endif
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
]])

# More checks for data types
# Each cached probe compiles a declaration plus an assignment; the have_*
# shell flags record a hit for the fallback probes that follow.
AC_CACHE_CHECK([for u_int type], [ac_cv_have_u_int],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	u_int a;
	a = 1;
		]])],
		[ac_cv_have_u_int="yes"],
		[ac_cv_have_u_int="no"])
	])
if test "x$ac_cv_have_u_int" = "xyes" ; then
	have_u_int=1
	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
fi

AC_CACHE_CHECK([for intXX_t types], [ac_cv_have_intxx_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	int8_t a;
	int16_t b;
	int32_t c;
	a = b = c = 1;
		]])],
		[ac_cv_have_intxx_t="yes"],
		[ac_cv_have_intxx_t="no"])
	])
if test "x$ac_cv_have_intxx_t" = "xyes" ; then
	have_intxx_t=1
	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
fi

# Fallback: the same types from <stdint.h>.
if test -z "$have_intxx_t" && test "x$ac_cv_header_stdint_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t types in stdint.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdint.h>
		]], [[
	int8_t a;
	int16_t b;
	int32_t c;
	a = b = c = 1;
		]])],
		[
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		]
	)
fi

AC_CACHE_CHECK([for int64_t type], [ac_cv_have_int64_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <sys/socket.h>
#ifdef HAVE_SYS_BITYPES_H
# include <sys/bitypes.h>
#endif
		]], [[
	int64_t a;
	a = 1;
		]])],
		[ac_cv_have_int64_t="yes"],
		[ac_cv_have_int64_t="no"])
	])
if test "x$ac_cv_have_int64_t" = "xyes" ; then
	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
fi
3738
# BSD-style unsigned fixed-width types, first from <sys/types.h>.
AC_CACHE_CHECK([for u_intXX_t types], [ac_cv_have_u_intxx_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	u_int8_t a;
	u_int16_t b;
	u_int32_t c;
	a = b = c = 1;
		]])],
		[ac_cv_have_u_intxx_t="yes"],
		[ac_cv_have_u_intxx_t="no"])
	])
if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
	have_u_intxx_t=1
	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
fi

# Fallback: <sys/socket.h>.
if test -z "$have_u_intxx_t" ; then
	AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/socket.h>
		]], [[
	u_int8_t a;
	u_int16_t b;
	u_int32_t c;
	a = b = c = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		]
	)
fi

AC_CACHE_CHECK([for u_int64_t types], [ac_cv_have_u_int64_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	u_int64_t a;
	a = 1;
		]])],
		[ac_cv_have_u_int64_t="yes"],
		[ac_cv_have_u_int64_t="no"])
	])
if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
	have_u_int64_t=1
	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
fi

# Fallback: <sys/bitypes.h>, when that header was found.
if test -z "$have_u_int64_t" && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
	u_int64_t a;
	a = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INT64_T])
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		]
	)
fi
3784
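# C99-style uintXX_t types. They are only looked for in <sys/types.h> when
# the u_intXX_t types were not found; <stdint.h> and <inttypes.h> are
# fallbacks.
# The fallbacks are gated on have_uintxx_t, which no probe used to set, so
# they always ran. Each successful probe now records the hit, and a later
# fallback is skipped once HAVE_UINTXX_T has been defined.
if test -z "$have_u_intxx_t" ; then
	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
			]], [[
	uint8_t a;
	uint16_t b;
	uint32_t c;
	a = b = c = 1;
			]])],
		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
		])
	])
	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
		AC_DEFINE([HAVE_UINTXX_T], [1],
			[define if you have uintxx_t data type])
		have_uintxx_t=1
	fi
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_stdint_h" = "xyes")
then
	AC_MSG_CHECKING([for uintXX_t types in stdint.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
			have_uintxx_t=1
		], [ AC_MSG_RESULT([no])
	])
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_inttypes_h" = "xyes")
then
	AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
			have_uintxx_t=1
		], [ AC_MSG_RESULT([no])
	])
fi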
3829
# Last resort for both signed and unsigned fixed-width types:
# <sys/bitypes.h>. The shell gives || and && equal precedence and evaluates
# left to right, so the condition reads "(u_intXX_t missing or intXX_t
# missing) and the header exists"; the braces spell that grouping out.
if { test -z "$have_u_intxx_t" || test -z "$have_intxx_t" ; } && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
			int8_t a; int16_t b; int32_t c;
			u_int8_t e; u_int16_t f; u_int32_t g;
			a = b = c = e = f = g = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		]
	)
fi
3848
3849
# u_char from <sys/types.h>.
AC_CACHE_CHECK([for u_char], [ac_cv_have_u_char],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	u_char foo;
	foo = 125;
		]])],
		[ac_cv_have_u_char="yes"],
		[ac_cv_have_u_char="no"])
	])
if test "x$ac_cv_have_u_char" = "xyes" ; then
	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
fi

# Widest integer types.
AC_CHECK_TYPES([intmax_t, uintmax_t], [], [], [
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
])

# socklen_t is handled by a project macro that is defined outside this file.
TYPE_SOCKLEN_T

AC_CHECK_TYPES([sig_atomic_t], [], [], [#include <signal.h>])

# Filesystem counter types.
AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], [], [], [
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
])

# Optional members of struct statfs.
AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags],
	[], [],
	[[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
#ifdef HAVE_SYS_VFS_H
#include <sys/vfs.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
	]]
)

# IPv4 address and port types.
AC_CHECK_TYPES([in_addr_t, in_port_t], [], [],
[#include <sys/types.h>
#include <netinet/in.h>])
3907
# Basic POSIX scalar types. Every probe declares a variable of the type and
# assigns to it; a successful compile defines the matching HAVE_* macro.
AC_CACHE_CHECK([for size_t], [ac_cv_have_size_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	size_t foo;
	foo = 1235;
		]])],
		[ac_cv_have_size_t="yes"],
		[ac_cv_have_size_t="no"])
	])
if test "x$ac_cv_have_size_t" = "xyes" ; then
	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
fi

AC_CACHE_CHECK([for ssize_t], [ac_cv_have_ssize_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	ssize_t foo;
	foo = 1235;
		]])],
		[ac_cv_have_ssize_t="yes"],
		[ac_cv_have_ssize_t="no"])
	])
if test "x$ac_cv_have_ssize_t" = "xyes" ; then
	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
fi

AC_CACHE_CHECK([for clock_t], [ac_cv_have_clock_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <time.h>
		]], [[
	clock_t foo;
	foo = 1235;
		]])],
		[ac_cv_have_clock_t="yes"],
		[ac_cv_have_clock_t="no"])
	])
if test "x$ac_cv_have_clock_t" = "xyes" ; then
	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
fi

# sa_family_t: tried with <sys/socket.h> first and again with
# <netinet/in.h> added if that fails.
AC_CACHE_CHECK([for sa_family_t], [ac_cv_have_sa_family_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[
	sa_family_t foo;
	foo = 1235;
		]])],
		[ac_cv_have_sa_family_t="yes"],
		[AC_COMPILE_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
			]], [[
	sa_family_t foo;
	foo = 1235;
			]])],
			[ac_cv_have_sa_family_t="yes"],
			[ac_cv_have_sa_family_t="no"])
		])
	])
if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
		[define if you have sa_family_t data type])
fi

AC_CACHE_CHECK([for pid_t], [ac_cv_have_pid_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	pid_t foo;
	foo = 1235;
		]])],
		[ac_cv_have_pid_t="yes"],
		[ac_cv_have_pid_t="no"])
	])
if test "x$ac_cv_have_pid_t" = "xyes" ; then
	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
fi

AC_CACHE_CHECK([for mode_t], [ac_cv_have_mode_t],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
		]], [[
	mode_t foo;
	foo = 1235;
		]])],
		[ac_cv_have_mode_t="yes"],
		[ac_cv_have_mode_t="no"])
	])
if test "x$ac_cv_have_mode_t" = "xyes" ; then
	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
fi
3978
3979
# Socket address structures.
AC_CACHE_CHECK([for struct sockaddr_storage],
	[ac_cv_have_struct_sockaddr_storage],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[
	struct sockaddr_storage s;
		]])],
		[ac_cv_have_struct_sockaddr_storage="yes"],
		[ac_cv_have_struct_sockaddr_storage="no"])
	])
if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
		[define if you have struct sockaddr_storage data type])
fi

AC_CACHE_CHECK([for struct sockaddr_in6], [ac_cv_have_struct_sockaddr_in6],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[
	struct sockaddr_in6 s;
	s.sin6_family = 0;
		]])],
		[ac_cv_have_struct_sockaddr_in6="yes"],
		[ac_cv_have_struct_sockaddr_in6="no"])
	])
if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
		[define if you have struct sockaddr_in6 data type])
fi

# struct in6_addr; the sin6_scope_id member is only probed when it exists.
AC_CACHE_CHECK([for struct in6_addr], [ac_cv_have_struct_in6_addr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[
	struct in6_addr s;
	s.s6_addr[0] = 0;
		]])],
		[ac_cv_have_struct_in6_addr="yes"],
		[ac_cv_have_struct_in6_addr="no"])
	])
if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
		[define if you have struct in6_addr data type])

dnl Now check for sin6_scope_id
	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], [], [],
		[
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <netinet/in.h>
		])
fi

AC_CACHE_CHECK([for struct addrinfo], [ac_cv_have_struct_addrinfo],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
		]], [[
	struct addrinfo s;
	s.ai_flags = AI_PASSIVE;
		]])],
		[ac_cv_have_struct_addrinfo="yes"],
		[ac_cv_have_struct_addrinfo="no"])
	])
if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
		[define if you have struct addrinfo data type])
fi
4045
# Time headers and structures. A hit also sets a have_struct_* shell flag.
AC_HEADER_TIME

AC_CACHE_CHECK([for struct timeval], [ac_cv_have_struct_timeval],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/time.h>
		]], [[
	struct timeval tv;
	tv.tv_sec = 1;
		]])],
		[ac_cv_have_struct_timeval="yes"],
		[ac_cv_have_struct_timeval="no"])
	])
if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
	have_struct_timeval=1
	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
fi

# struct timespec: the header choice follows the result of AC_HEADER_TIME.
AC_CACHE_CHECK([for struct timespec], [ac_cv_have_struct_timespec],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#ifdef TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# ifdef HAVE_SYS_TIME_H
#  include <sys/time.h>
# else
#  include <time.h>
# endif
#endif
		]], [[
	struct timespec ts;
	ts.tv_sec = 1;
		]])],
		[ac_cv_have_struct_timespec="yes"],
		[ac_cv_have_struct_timespec="no"])
	])
if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
	have_struct_timespec=1
	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
fi
4082
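# We need int64_t or else certain parts of the compile will fail.
# Configure stops when there is no int64_t, long is not 8 bytes and
# long long was recorded as size 0. Otherwise snprintf is run-tested with a
# 64-bit value and BROKEN_SNPRINTF is defined when the probe fails.
# The probe now declares main as "int main(void)" and includes <stdlib.h>
# for exit(): with implicit int and an undeclared exit(), a compiler that
# rejects those constructs fails to build it, and a working snprintf would
# be flagged as broken.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl test snprintf (broken on SCO w/gcc)
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
	int mazsize = 50 ;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, mazsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)
fi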
4121
dnl Checks for structure members
# Login-record fields. OSSH_CHECK_HEADER_FOR_FIELD is a project macro defined
# outside this file; each call names a field, the header to look in and the
# macro to define. The calls are independent and are grouped by header here.

# utmp.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])

# utmpx.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])

# struct stat and struct passwd members.
AC_CHECK_MEMBERS([struct stat.st_blksize])
AC_CHECK_MEMBERS([struct stat.st_mtim])
AC_CHECK_MEMBERS([struct stat.st_mtime])
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
struct passwd.pw_change, struct passwd.pw_expire],
	[], [],
	[[
#include <sys/types.h>
#include <pwd.h>
	]]
)

# When struct __res_state has no retrans member, __res_state is defined to
# "state".
AC_CHECK_MEMBER([struct __res_state.retrans],
	[],
	[
		AC_DEFINE([__res_state], [state],
	[Define if we don't have struct __res_state in resolv.h])
	],
	[[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
	]]
)
4162
dnl Probe both spellings of the address-family field in
dnl struct sockaddr_storage: ss_family and __ss_family.
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
	[ac_cv_have_ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
		[ac_cv_have_ss_family_in_struct_ss="yes"],
		[ac_cv_have_ss_family_in_struct_ss="no"])])
AS_IF([test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes"],
	[AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])])

AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
	[ac_cv_have___ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
		[ac_cv_have___ss_family_in_struct_ss="yes"],
		[ac_cv_have___ss_family_in_struct_ss="no"])])
AS_IF([test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes"],
	[AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
		[Fields in struct sockaddr_storage])])
4190
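dnl make sure we're using the real structure members and not defines
dnl The probe body calls exit(), so <stdlib.h> is included.  Without a
dnl declaration, a compiler that rejects implicit function declarations
dnl fails the probe and the field is reported missing even where it exists,
dnl which leaves this style of file descriptor passing undetected.
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
		ac_cv_have_accrights_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ ac_cv_have_accrights_in_msghdr="yes" ],
		[ ac_cv_have_accrights_in_msghdr="no" ]
	)
])
if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])
fi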
4216
dnl Probe how f_fsid can be assigned: first as a plain integral member of
dnl struct statvfs; if that does not compile, look for a val or __val array
dnl member in fsid_t instead.
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])

	 AC_MSG_CHECKING([if fsid_t has member val])
	 AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
		]], [[ fsid_t t; t.val[0] = 0; ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val])],
		[AC_MSG_RESULT([no])])

	 AC_MSG_CHECKING([if f_fsid has member __val])
	 AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
		]], [[ fsid_t t; t.__val[0] = 0; ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val])],
		[AC_MSG_RESULT([no])])
])
4252
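dnl Detect ancillary-data style descriptor passing (msg_control in
dnl struct msghdr), rejecting the case where msg_control is only a macro.
dnl The probe body calls exit(), so <stdlib.h> is included.  Without a
dnl declaration, a compiler that rejects implicit function declarations
dnl fails the probe and HAVE_CONTROL_IN_MSGHDR stays undefined even where
dnl the field exists.
AC_CACHE_CHECK([for msg_control field in struct msghdr],
		ac_cv_have_control_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ ac_cv_have_control_in_msghdr="yes" ],
		[ ac_cv_have_control_in_msghdr="no" ]
	)
])
if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])
fi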
4277
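dnl Link test for the libc-provided __progname symbol.
dnl <stdio.h> is included because the probe calls printf(); a compiler that
dnl rejects implicit function declarations would otherwise fail the probe
dnl for a reason unrelated to __progname.
AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
		[[ extern char *__progname; printf("%s", __progname); ]])],
	[ ac_cv_libc_defines___progname="yes" ],
	[ ac_cv_libc_defines___progname="no"
	])
])
if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
fi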
4288
dnl Does the compiler provide a function-name identifier?  Both the
dnl __FUNCTION__ and the __func__ spellings are probed with a link test.
AC_CACHE_CHECK([whether $CC implements __FUNCTION__],
	[ac_cv_cc_implements___FUNCTION__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __FUNCTION__); ]])],
		[ac_cv_cc_implements___FUNCTION__="yes"],
		[ac_cv_cc_implements___FUNCTION__="no"])])
AS_IF([test "x$ac_cv_cc_implements___FUNCTION__" = "xyes"],
	[AC_DEFINE([HAVE___FUNCTION__], [1],
		[Define if compiler implements __FUNCTION__])])

AC_CACHE_CHECK([whether $CC implements __func__],
	[ac_cv_cc_implements___func__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __func__); ]])],
		[ac_cv_cc_implements___func__="yes"],
		[ac_cv_cc_implements___func__="no"])])
AS_IF([test "x$ac_cv_cc_implements___func__" = "xyes"],
	[AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])])
4311
dnl Link tests for va_copy and its older spelling __va_copy.
AC_CACHE_CHECK([whether va_copy exists], [ac_cv_have_va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ va_copy(x,y); ]])],
		[ac_cv_have_va_copy="yes"],
		[ac_cv_have_va_copy="no"])])
AS_IF([test "x$ac_cv_have_va_copy" = "xyes"],
	[AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])])

AC_CACHE_CHECK([whether __va_copy exists], [ac_cv_have___va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ __va_copy(x,y); ]])],
		[ac_cv_have___va_copy="yes"],
		[ac_cv_have___va_copy="no"])])
AS_IF([test "x$ac_cv_have___va_copy" = "xyes"],
	[AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])])
4336
dnl Link test: does the C library export the optreset variable?
AC_CACHE_CHECK([whether getopt has optreset support],
	[ac_cv_have_getopt_optreset],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <getopt.h> ]],
			[[ extern int optreset; optreset = 0; ]])],
		[ac_cv_have_getopt_optreset="yes"],
		[ac_cv_have_getopt_optreset="no"])])
AS_IF([test "x$ac_cv_have_getopt_optreset" = "xyes"],
	[AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
		[Define if your getopt(3) defines and uses optreset])])
4349
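dnl Link tests for the libc-provided sys_errlist[] and sys_nerr symbols.
dnl Both probes call printf(), so <stdio.h> is included; a compiler that
dnl rejects implicit function declarations would otherwise fail them for a
dnl reason unrelated to the symbol being tested.
AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
	[ ac_cv_libc_defines_sys_errlist="yes" ],
	[ ac_cv_libc_defines_sys_errlist="no"
	])
])
if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
		[Define if your system defines sys_errlist[]])
fi


AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
	[ ac_cv_libc_defines_sys_nerr="yes" ],
	[ ac_cv_libc_defines_sys_nerr="no"
	])
])
if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
fi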
4373
# Check libraries needed by DNS fingerprint support
dnl When getrrsetbyname() is not found, locate the resolver pieces that the
dnl bundled replacement needs: res_query and dn_expand, falling back to an
dnl explicit -lresolv link test, then the _getshort/_getlong helpers and
dnl the HEADER.ad member.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
			[AC_MSG_RESULT([yes])],
			[AC_MSG_RESULT([no])
			 saved_LIBS="$LIBS"
			 LIBS="$LIBS -lresolv"
			 AC_MSG_CHECKING([for res_query in -lresolv])
			 AC_LINK_IFELSE(
				[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
				[AC_MSG_RESULT([yes])],
				[LIBS="$saved_LIBS"
				 AC_MSG_RESULT([no])])
			])
		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], , ,
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])],
			,
			[#include <arpa/nameser.h>])
	])
4419
dnl Link test: is the resolver state _res available as an extern
dnl struct __res_state?  The volatile pointer keeps the reference to _res
dnl from being optimised away so the linker has to resolve it.
AC_MSG_CHECKING([if struct __res_state _res is an extern])
AC_LINK_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
		]], [[
struct __res_state *volatile p = &_res;  /* force resolution of _res */
return 0;
		]],)],
	[AC_MSG_RESULT([yes])
	 AC_DEFINE([HAVE__RES_EXTERN], [1],
	    [Define if you have struct __res_state _res as an extern])],
	[AC_MSG_RESULT([no])]
)
4440
# Check whether user wants SELinux support
dnl --with-selinux makes the header and library mandatory: configure stops
dnl with an error if either is missing.  -lselinux is appended to SSHLIBS
dnl and SSHDLIBS; LIBS is restored afterwards so it is not added globally.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[AS_IF([test "x$withval" != "xno"], [
		save_LIBS="$LIBS"
		AC_DEFINE([WITH_SELINUX], [1],
			[Define if you want SELinux support.])
		SELINUX_MSG="yes"
		AC_CHECK_HEADER([selinux/selinux.h], ,
			[AC_MSG_ERROR([SELinux support requires selinux.h header])])
		AC_CHECK_LIB([selinux], [setexeccon],
			[LIBSELINUX="-lselinux"
			 LIBS="$LIBS -lselinux"],
			[AC_MSG_ERROR([SELinux support requires libselinux library])])
		SSHLIBS="$SSHLIBS $LIBSELINUX"
		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
		LIBS="$save_LIBS"
	])]
)
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS])
4466
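# Check whether user wants Kerberos 5 support
dnl --with-kerberos5[=PATH]; PATH defaults to /usr/local when the option is
dnl given without a value.
dnl krb5-config is looked up in $KRB5ROOT/bin ahead of $PATH and is executed
dnl during configure.  $KRB5ROOT/lib may also be added to the link path and,
dnl when rpath_opt or blibpath are set (outside this section), to the
dnl run-time library search path.  PATH should therefore be a prefix that
dnl only trusted users can write to.
dnl $KRB5CONF is quoted wherever it is tested or executed so that an
dnl unusual path is passed through as one word.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		if test -x "$KRB5CONF" ; then
			# krb5-config is available: take flags from it.
			K5CFLAGS="`"$KRB5CONF" --cflags`"
			K5LIBS="`"$KRB5CONF" --libs`"
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			if "$KRB5CONF" | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS="`"$KRB5CONF" --cflags gssapi`"
				GSSLIBS="`"$KRB5CONF" --libs gssapi`"
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No usable krb5-config: fall back to fixed include and
			# library directories under $KRB5ROOT and guess the
			# library list from the Heimdal probe.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			# Try the GSS-API library names in turn.
			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						[AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])])
					])
				])

			# Retry gssapi.h with the gssapi subdirectory on the
			# include path; the cached result is cleared first so
			# the header is really probed again.
			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					[AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])]
				  )
				]
			)

			# Keep the extra include directory only if it provides
			# gssapi_krb5.h.
			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# Probe optional krb5 functions with the Kerberos libraries
		# linked in, then restore LIBS.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])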
4594
# Looking for programs, paths and files

dnl PRIVSEP_PATH is the directory the help text describes as the privilege
dnl separation chroot.  Only a non-empty value other than yes or no
dnl overrides the /var/empty default.  Whatever is chosen should be a
dnl directory that unprivileged users cannot write to.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[AS_IF([test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"],
		[PRIVSEP_PATH=$withval])]
)
AC_SUBST([PRIVSEP_PATH])
4608
dnl Locate xauth.  An explicit --with-xauth=PATH is taken as given;
dnl otherwise $PATH plus a few X11 directories is searched, and
dnl /usr/openwin/bin/xauth is preferred when it is executable and some
dnl xauth was found.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[AS_IF([test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"],
		[xauth_path=$withval])],
	[
		TestPath="$PATH"
		for xdir in /usr/X/bin /usr/bin/X11 /usr/X11R6/bin /usr/openwin/bin ; do
			TestPath="${TestPath}${PATH_SEPARATOR}${xdir}"
		done
		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
		if (test -n "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)

dnl install(1) is passed -s unless --disable-strip was given.
STRIP_OPT=-s
AC_ARG_ENABLE([strip],
	[  --disable-strip         Disable calling strip(1) on install],
	[AS_IF([test "x$enableval" = "xno"], [STRIP_OPT=])]
)
AC_SUBST([STRIP_OPT])

dnl XAUTH_PATH is defined in config.h only when an xauth was found; the
dnl substituted value is the literal string "undefined" otherwise.
if test -n "$xauth_path" ; then
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
	XAUTH_PATH=$xauth_path
else
	XAUTH_PATH="undefined"
fi
AC_SUBST([XAUTH_PATH])
4650
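dnl # --with-maildir=/path/to/mail gets top priority.
dnl # if maildir is set in the platform case statement above we use that.
dnl # Otherwise we run a program to get the dir from system headers.
dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
dnl # If we find _PATH_MAILDIR we do nothing because that is what
dnl # session.c expects anyway. Otherwise we set to the value found
dnl # stripping any trailing slash. If for some strange reason our program
dnl # does not find what it needs, we default to /var/spool/mail.
dnl # The probe includes <stdlib.h> for exit(); without a declaration a
dnl # compiler that rejects implicit function declarations fails the probe,
dnl # the "not found" branch is taken and MAIL_DIRECTORY is left undefined.
# Check for mail directory
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
	    test "x${withval}" != xyes; then
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
	    fi
     ],[
	if test "X$maildir" != "X"; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

#if defined (_PATH_MAILDIR)
	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
		exit(1);
#elif defined (MAILDIR)
	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
		exit(1);
#elif defined (_PATH_MAIL)
	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
		exit(1);
#else
	exit (2);
#endif

	exit(0);
		]])],
		[
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    fi
		],
		[
		    if test "X$ac_status" = "X2";then
# our test program didn't find it. Default to /var/spool/mail
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		     else
			AC_MSG_RESULT([*** not found ***])
		     fi
		],
		[
			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir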
4732
dnl /dev/ptmx and /dev/ptc are probed on the build machine, so neither
dnl check runs when cross compiling.  The ptmx check is also skipped when
dnl no_dev_ptmx is set, which happens outside this section.
AS_IF([test "x$cross_compiling" = "xyes"], [
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
	disable_ptmx_check=yes
])
AS_IF([test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes"], [
	AC_CHECK_FILE(["/dev/ptmx"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
				[Define if you have /dev/ptmx])
			have_dev_ptmx=1
		]
	)
])

AS_IF([test -n "$cross_compiling" && test "x$cross_compiling" != "xyes"], [
	AC_CHECK_FILE(["/dev/ptc"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
				[Define if you have /dev/ptc])
			have_dev_ptc=1
		]
	)
], [
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
])
4760
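# Options from here on. Some of these are preset by platform above
dnl --with-mantype accepts only man, cat or doc; anything else is an error.
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		case "$withval" in
		man|cat|doc)
			MANTYPE=$withval
			;;
		*)
			AC_MSG_ERROR([invalid man type: $withval])
			;;
		esac
	]
)
dnl Without an explicit type, try formatting ssh.1 with the tools found
dnl earlier.  Each attempt is guarded by a non-empty check: when MANDOC or
dnl NROFF is empty, the unguarded command line would start with the next
dnl word, so the shell would try to execute ${srcdir}/ssh.1 (or "-mdoc")
dnl as a program instead of skipping the formatter.
if test -z "$MANTYPE"; then
	if test -n "${MANDOC}" && \
	    ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi
AC_SUBST([MANTYPE])
dnl "doc" pages are installed under the man subdirectory.
if test "$MANTYPE" = "doc"; then
	mansubdir=man;
else
	mansubdir=$MANTYPE;
fi
AC_SUBST([mansubdir])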
4793
# Check whether to enable MD5 passwords
dnl Off unless requested.  MD5-based password hashes are weak against
dnl offline guessing, so this is best kept for compatibility with an
dnl existing password database.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[AS_IF([test "x$withval" != "xno"], [
		AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
			[Define if you want to allow MD5 passwords])
		MD5_MSG="yes"
	])]
)

# Whether to disable shadow password support
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[AS_IF([test "x$withval" = "xno"], [
		AC_DEFINE([DISABLE_SHADOW])
		disable_shadow=yes
	])]
)

dnl With shadow support left on, check whether struct spwd carries the
dnl sp_expire, sp_lstchg and sp_inact fields.
AS_IF([test -z "$disable_shadow"], [
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[sp_expire_available=yes],
		[])

	AS_IF([test "x$sp_expire_available" = "xyes"], [
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
	], [
		AC_MSG_RESULT([no])
	])
])
4836
# Use ip address instead of hostname in $DISPLAY
dnl A non-empty IPADDR_IN_DISPLAY (set outside this section) forces the
dnl behaviour on; otherwise it is enabled only by --with-ipaddr-display.
if test -n "$IPADDR_IN_DISPLAY" ; then
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
else
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[AS_IF([test "x$withval" != "xno"], [
			AC_DEFINE([IPADDR_IN_DISPLAY])
			DISPLAY_HACK_MSG="yes"
		])]
	)
fi
4855
# check for /etc/default/login and use it if present.
dnl An explicit --enable/--disable decides directly; without one the file is
dnl looked for unless cross compiling, because the check inspects the build
dnl machine's filesystem.
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[AS_IF([test "x$enableval" = "xno"], [
		AC_MSG_NOTICE([/etc/default/login handling disabled])
		etc_default_login=no
	], [
		etc_default_login=yes
	])],
	[AS_IF([test "x$cross_compiling" = "xyes"], [
		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
		etc_default_login=no
	], [
		etc_default_login=yes
	])]
)

AS_IF([test "x$etc_default_login" != "xno"], [
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	AS_IF([test "x$external_path_file" = "x/etc/default/login"], [
		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])
	])
])
4882
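dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both cache variables are quoted and x-prefixed: expanded bare, an unset
dnl variable leaves test with a missing operand and the comparison fails
dnl with a shell error instead of evaluating to false.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi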
4888
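# Whether to mess with the default path
dnl USER_PATH is the default PATH compiled into the server.  It comes from
dnl --with-default-path when given; otherwise a small probe prints the
dnl system's _PATH_STDPATH (with a built-in fallback) and $bindir is
dnl appended if it is not already present, so that scp can be found.
dnl On systems using /etc/login.conf nothing is defined here.
dnl The probe includes <stdlib.h> for exit(); without a declaration a
dnl compiler that rejects implicit function declarations fails the probe and
dnl the system's _PATH_STDPATH is silently replaced by the fallback value.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		# Expand ${prefix}-style references and the NONE placeholder
		# in bindir until a literal path is left.
		t_bindir="${bindir}"
		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
		if test $? -ne 0  ; then
			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
			if test $? -ne 0  ; then
				user_path=$user_path:$t_bindir
				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			fi
		fi
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi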
4976
# Set superuser path separately to user path
dnl Only a non-empty value other than yes or no defines SUPERUSER_PATH.
dnl The value is compiled in as given and no check is made on the
dnl directories it names.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[AS_IF([test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"], [
		AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
			[Define if you want a different $PATH
			for the superuser])
		superuser_path=$withval
	])]
)
4990
4991
dnl IPV4_IN_IPV6 is enabled by --with-4in6, or by default when
dnl inet6_default_4in6 (set outside this section) is "yes".
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH([4in6],
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[AS_IF([test "x$withval" != "xno"], [
		AC_MSG_RESULT([yes])
		AC_DEFINE([IPV4_IN_IPV6], [1],
			[Detect IPv4 in IPv6 mapped addresses
			and treat as IPv4])
		IPV4_IN6_HACK_MSG="yes"
	], [
		AC_MSG_RESULT([no])
	])],
	[AS_IF([test "x$inet6_default_4in6" = "xyes"], [
		AC_MSG_RESULT([yes (default)])
		AC_DEFINE([IPV4_IN_IPV6])
		IPV4_IN6_HACK_MSG="yes"
	], [
		AC_MSG_RESULT([no (default)])
	])]
)
5016
# Whether to enable BSD auth support
dnl Off unless --with-bsd-auth is given with a value other than "no".
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[AS_IF([test "x$withval" != "xno"], [
		AC_DEFINE([BSD_AUTH], [1],
			[Define if you have BSD auth support])
		BSD_AUTH_MSG=yes
	])]
)
5029
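# Where to place sshd.pid
dnl Defaults to /var/run, or to the expanded sysconfdir when /var/run does
dnl not exist; --with-pid-dir=PATH overrides both.
dnl $piddir is quoted in the directory tests so that a user-supplied path
dnl is always passed to test as a single word.
piddir=/var/run
# make sure the directory exists
if test ! -d "$piddir" ; then
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi

AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			if test ! -d "$piddir" ; then
			AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)

AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])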
5056
dnl allow user to disable some login recording features
dnl Each --disable-FEATURE switch defines the matching DISABLE_* symbol.
dnl These records are part of the host's login audit trail, so turning them
dnl off reduces what is logged about sessions.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_LASTLOG])])]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_UTMP])])]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_UTMPX], [1],
			[Define if you don't want to use utmpx])])]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_WTMP])])]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_WTMPX], [1],
			[Define if you don't want to use wtmpx])])]
)
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_LOGIN])])]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_PUTUTLINE], [1],
			[Define if you don't want to use pututline()
			etc. to write [uw]tmp])])]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[AS_IF([test "x$enableval" = "xno"],
		[AC_DEFINE([DISABLE_PUTUTXLINE], [1],
			[Define if you don't want to use pututxline()
			etc. to write [uw]tmpx])])]
)
dnl --with-lastlog=no disables lastlog; any other non-empty value except
dnl "yes" is recorded as the lastlog location.
AC_ARG_WITH([lastlog],
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[AS_IF([test "x$withval" = "xno"],
		[AC_DEFINE([DISABLE_LASTLOG])],
	       [test -n "$withval"  &&  test "x${withval}" != "xyes"],
		[conf_lastlog_location=$withval])]
)
5138
dnl lastlog, utmp, wtmp and wtmpx detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog, utmp and wtmp are subject to a file search if all else fails

dnl lastlog detection: probe for LASTLOG_FILE first, then _PATH_LASTLOG.
dnl system_lastlog_path becomes "no" only when neither probe compiles.
dnl  NOTE: the code itself will detect if lastlog is a directory
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
			AC_MSG_RESULT([no])
			system_lastlog_path=no
		])
])

dnl Fallback search, used only when no location was configured and the headers
dnl define neither macro. The loop has no break, so when several candidates
dnl exist on the build host the last one in the list is the one kept.
if test -z "$conf_lastlog_location" && test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		AC_MSG_WARN([** Cannot find lastlog **])
		dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
	fi
fi

dnl The chosen location is placed between double quotes in config.h without
dnl any escaping, so a --with-lastlog value must be a plain path: a quote or
dnl backslash in it would change the generated definition.
if test -n "$conf_lastlog_location"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5199
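dnl utmp detection: use UTMP_FILE when the headers define it. Otherwise, and
dnl only if conf_utmp_location is still empty, search the usual locations; the
dnl loop has no break, so the last existing candidate is kept. Unlike lastlog,
dnl finding nothing here defines DISABLE_UTMP, which turns utmp recording off.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_utmp_path=no
])
if test -z "$conf_utmp_location"; then
	if test x"$system_utmp_path" = x"no" ; then
		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
			dnl Candidate is quoted, matching the lastlog search.
			if test -f "$f" ; then
				conf_utmp_location=$f
			fi
		done
		if test -z "$conf_utmp_location"; then
			AC_DEFINE([DISABLE_UTMP])
		fi
	fi
fi
dnl The path is written into config.h between double quotes, unescaped.
if test -n "$conf_utmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi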
5229
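dnl wtmp detection: use WTMP_FILE when the headers define it. Otherwise, and
dnl only if conf_wtmp_location is still empty, search the usual locations; the
dnl loop has no break, so the last existing candidate is kept. Finding nothing
dnl defines DISABLE_WTMP, which turns wtmp recording off for this build.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_wtmp_path=no
])
if test -z "$conf_wtmp_location"; then
	if test x"$system_wtmp_path" = x"no" ; then
		for f in /usr/adm/wtmp /var/log/wtmp; do
			dnl Candidate is quoted, matching the lastlog search.
			if test -f "$f" ; then
				conf_wtmp_location=$f
			fi
		done
		if test -z "$conf_wtmp_location"; then
			AC_DEFINE([DISABLE_WTMP])
		fi
	fi
fi
dnl The path is written into config.h between double quotes, unescaped.
if test -n "$conf_wtmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi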
5259
dnl wtmpx detection: there is no file search for wtmpx. A preset
dnl conf_wtmpx_location is used as given; without one, a missing WTMPX_FILE
dnl definition disables wtmpx recording.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  system_wtmpx_path=no
])
if test -n "$conf_wtmpx_location"; then
	dnl The path is written into config.h between double quotes, unescaped.
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
elif test x"$system_wtmpx_path" = x"no" ; then
	AC_DEFINE([DISABLE_WTMPX])
fi
5284
5285
dnl A non-empty blibpath is appended to LDFLAGS directly behind blibflags, and
dnl the user is asked to review the result in the generated Makefile.
dnl NOTE(review): both variables are set outside this part of the file. This
dnl looks like a run-time library search path, so it is worth checking that it
dnl names no directory an unprivileged user can write to - confirm.
if test -n "$blibpath" ; then
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
5290
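dnl Structure sanity checks for the login recording code.
dnl If struct lastlog has no ll_line member, lastlog is disabled unless
dnl SKIP_DISABLE_LASTLOG_DEFINE is "yes". The variable is quoted in the test so
dnl that an empty or whitespace-containing value cannot break the comparison.
dnl NOTE(review): SKIP_DISABLE_LASTLOG_DEFINE is set outside this part of the
dnl file, presumably by a platform section - confirm.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
    if test "x$SKIP_DISABLE_LASTLOG_DEFINE" != "xyes" ; then
	AC_DEFINE([DISABLE_LASTLOG])
    fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])

dnl If struct utmp has no ut_line member, both utmp and wtmp recording are
dnl disabled.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])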
5327
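dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
CFLAGS="$CFLAGS $werror_flags"

dnl TEST_SSH_IPV6 is yes only when getaddrinfo was found and
dnl BROKEN_GETADDRINFO is not declared.
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
	TEST_SSH_IPV6=no
else
	TEST_SSH_IPV6=yes
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
dnl The path is quoted so a source directory containing whitespace still
dnl resolves to one file. A missing .depend leaves DEPEND empty.
AC_SUBST([DEPEND], [$(cat "$srcdir/.depend")])

dnl User-supplied trailing flags are appended last.
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
dnl sed runs without the g flag, so only the first " -pie" and " -fPIE" are
dnl removed; the hardened originals in CFLAGS and LDFLAGS are left untouched.
dnl NOTE(review): a PIE flag given twice would survive in the NOPIE copy, and
dnl which targets use the NOPIE variants is decided in the Makefile - confirm
dnl that nothing security-sensitive is linked with them unintentionally.
LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])

dnl Generate the output files.
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
	survey.sh])
AC_OUTPUT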
5358
# Print summary of options

# Directory settings may refer to one another (a bindir written in terms of
# the exec prefix, and so on), so each value is expanded twice before it is
# printed. eval re-parses the value as shell text: whatever was supplied for
# these settings on the configure command line or in the environment is
# interpreted here, so run configure only with settings you trust.
A=`eval echo ${prefix}`
A=`eval echo ${A}`
B=`eval echo ${bindir}`
B=`eval echo ${B}`
C=`eval echo ${sbindir}`
C=`eval echo ${C}`
D=`eval echo ${sysconfdir}`
D=`eval echo ${D}`
E=`eval echo ${libexecdir}/ssh-askpass`
E=`eval echo ${E}`
F=`eval echo ${mandir}/${mansubdir}X`
F=`eval echo ${F}`
G=`eval echo ${piddir}`
G=`eval echo ${G}`
H=`eval echo ${PRIVSEP_PATH}`
H=`eval echo ${H}`
I=`eval echo ${user_path}`
I=`eval echo ${I}`
J=`eval echo ${superuser_path}`
J=`eval echo ${J}`
5372
# Installation paths and feature summary. The paths come from the expanded
# single-letter variables; the *_MSG values are set by the feature checks
# earlier in the file.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
# The PATH that sshd gives to sessions is either compiled in or read from an
# external file at run time; say which, because scp must be reachable on it.
if test "x$external_path_file" != "x/etc/login.conf" ; then
	echo "            sshd default user PATH: $I"
	if test -n "$external_path_file"; then
		echo "   (If PATH is set in $external_path_file it will be used instead. If"
		echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
else
	echo "   At runtime, sshd will use the path defined in $external_path_file"
	echo "   Make sure the path to scp is present, otherwise scp will not work"
fi
if test -n "$superuser_path" ; then
	echo "          sshd superuser user PATH: $J"
fi
# Worth reading before deployment: the random number source, the privilege
# separation sandbox style and the authentication back ends are all listed.
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"

echo ""
5415
# Toolchain summary: the final compiler and linker settings, so that the
# hardening flags that survived the configure checks can be verified by eye.
echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
# Extra libraries for sshd or ssh are listed only when some were set.
if test -n "${SSHDLIBS}"; then
	echo "         +for sshd: ${SSHDLIBS}"
fi
if test -n "${SSHLIBS}"; then
	echo "          +for ssh: ${SSHLIBS}"
fi

echo ""
5430
# Closing notices. Each one is printed only when its condition was set by an
# earlier part of the configure run.
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
fi

# With PAM enabled, password authentication depends on a control file that
# this build does not install.
if test "x$PAM_MSG" = "xyes" ; then
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
fi

# Security notice: no peer credential facility was found for ssh-agent.
# NOTE(review): on such a platform the permissions on the agent socket and its
# directory are presumably the remaining barrier - confirm and check them.
if test -n "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

# BSM auditing is flagged as experimental when it was selected.
if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
5458