#
# Copyright (c) 1999-2004 Damien Miller
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

dnl Package identity: name, version string and bug-report address.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
dnl Extra macros are looked up in m4/; ssh.c identifies the source tree.
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])

dnl Results of the checks below are written to config.h.
AC_CONFIG_HEADERS([config.h])
dnl Compiler candidates, tried in this order.
AC_PROG_CC([cc gcc])

# The build stops here if the compiler cannot handle C99-style variadic
# macros.
# XXX relax this after reimplementing logit() etc.
AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM(
		[[
int f(int a, int b, int c) { return a + b + c; }
#define F(a, ...) f(a, __VA_ARGS__)
		]],
		[[return F(1, 2, -3);]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros])]
)

# Host triplet and byte order of the target.
AC_CANONICAL_HOST
AC_C_BIGENDIAN

# Checks for programs.  The absolute paths recorded below come from the
# PATH in effect while configure runs, so that PATH should list trusted
# directories only.
AC_PROG_AWK
AC_PROG_CPP
AC_PROG_RANLIB
AC_PROG_INSTALL
AC_PROG_EGREP
AC_PROG_MKDIR_P
AC_CHECK_TOOLS([AR], [ar])
AC_PATH_PROG([CAT], [cat])
AC_PATH_PROG([KILL], [kill])
AC_PATH_PROG([SED], [sed])
dnl Three lookups for one variable: a later lookup is skipped once an
dnl earlier one has found a program, so the preference is bash, ksh, sh.
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
AC_PATH_PROG([SH], [sh])
AC_PATH_PROG([GROFF], [groff])
dnl NOTE(review): AC_PATH_PROG looks up a single program name, so "awf"
dnl is presumably never searched as a fallback here - confirm the intent.
AC_PATH_PROG([NROFF], [nroff awf])
AC_PATH_PROG([MANDOC], [mandoc])
AC_SUBST([TEST_SHELL], [sh])

dnl Choose the formatter used to build "cat" format manual pages.
dnl Preference: mandoc, then nroff, then groff.  With none of them
dnl available MANFMT stays "false" and a warning is printed.
MANFMT="false"
if test "x$MANDOC" != "x" ; then
	MANFMT="$MANDOC"
elif test "x$NROFF" != "x" ; then
	MANFMT="$NROFF -mandoc"
elif test "x$GROFF" != "x" ; then
	MANFMT="$GROFF -mandoc -Tascii"
else
	AC_MSG_WARN([no manpage formatter found])
fi
AC_SUBST([MANFMT])

dnl Tools used by buildpkg.sh.  groupadd and useradd are searched for in
dnl /usr/sbin and /etc only; the bare program name is the fallback value.
AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])

dnl Startup scripts use /sbin/sh when it is executable, /bin/sh otherwise.
STARTUP_SCRIPT_SHELL=/bin/sh
if test -x /sbin/sh; then
	STARTUP_SCRIPT_SHELL=/sbin/sh
fi
AC_SUBST([STARTUP_SCRIPT_SHELL])

# System features
AC_SYS_LARGEFILE

# An archiver is mandatory; stop early with a clear message without one.
if test -z "$AR" ; then
	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
fi

# The absolute path of passwd found at configure time is written to
# config.h as _PATH_PASSWD_PROG.  It is resolved through the build
# environment's PATH, so verify the value when building in an
# environment whose PATH differs from the target system's.
AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
if test -n "$PATH_PASSWD_PROG" ; then
	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
		[Full path of your "passwd" program])
fi

dnl Since autoconf doesn't support it very well, users can no longer
dnl override LD: it is always set to the compiler driver.  The hook is
dnl kept for now in case there's a use case we overlooked and someone
dnl needs to re-enable it.  Unless a good reason is found it will be
dnl removed in future.
AC_SUBST([LD], ["$CC"])

AC_C_INLINE

dnl Declaration probes.  Most of them only set a have_* shell flag;
dnl have_llong_max is read again by the GCC-specific section, the other
dnl flags are presumably consumed further down the file.
AC_CHECK_DECL([LLONG_MAX],
	[have_llong_max=1], ,
	[#include <limits.h>])
AC_CHECK_DECL([LONG_LONG_MAX],
	[have_long_long_max=1], ,
	[#include <limits.h>])
AC_CHECK_DECL([SYSTR_POLICY_KILL],
	[have_systr_policy_kill=1], ,
	[
	#include <sys/types.h>
	#include <sys/param.h>
	#include <dev/systrace.h>
])
dnl This is the only probe here that writes straight to config.h.
AC_CHECK_DECL([RLIMIT_NPROC],
	[AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], ,
	[
	#include <sys/types.h>
	#include <sys/resource.h>
])
AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS],
	[have_linux_no_new_privs=1], ,
	[
	#include <sys/types.h>
	#include <linux/prctl.h>
])

# OpenSSL is used unless --without-openssl is given.  Without it only the
# limited internal crypto is built, which the option's own help text marks
# as experimental; a build configured that way deserves a review of the
# algorithms it ends up offering before it is deployed.
openssl=yes
AC_ARG_WITH([openssl],
	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
	[
		if test "x$withval" = "xno" ; then
			openssl=no
		fi
	]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
# $openssl is either "yes" or "no" at this point.
AC_MSG_RESULT([$openssl])
if test "x$openssl" = "xyes" ; then
	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
fi

# Stack protection and toolchain hardening are both enabled by default and
# can only be switched off explicitly.  Switching either off removes
# exploit mitigations from every binary of the build, so release and
# packaging builds should leave both enabled.
use_stack_protector=1
use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
	[  --without-stackprotect  Don't use compiler's stack protection],
	[
		if test "x$withval" = "xno"; then
			use_stack_protector=0
		fi
	]
)
AC_ARG_WITH([hardening],
	[  --without-hardening     Don't use toolchain hardening flags],
	[
		if test "x$withval" = "xno"; then
			use_toolchain_hardening=0
		fi
	]
)

# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.  The result is kept in WERROR and
# CFLAGS is restored afterwards, so the main build is not affected here.
# NOTE(review): WERROR is not read again in this part of the file;
# presumably the OSSH_CHECK_* macros use it - confirm in their definitions.
AC_MSG_CHECKING([if $CC supports -Werror])
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
WERROR=""
AC_COMPILE_IFELSE(
	[AC_LANG_SOURCE([[int main(void) { return 0; }]])],
	[
		AC_MSG_RESULT([yes])
		WERROR="-Werror"
	],
	[AC_MSG_RESULT([no])]
)
CFLAGS="$saved_CFLAGS"

if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
	# Diagnostic and code-generation flags.
	# NOTE(review): the OSSH_CHECK_* macros are defined outside this file
	# (presumably under m4/).  Going by their names, a flag is kept only
	# when a test compile or link with it succeeds, and the two-argument
	# form tests the first flag but adds the second - confirm there.
	OSSH_CHECK_CFLAG_COMPILE([-pipe])
	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
	OSSH_CHECK_CFLAG_COMPILE([-Wall])
	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])

	# Toolchain hardening, skipped entirely under --without-hardening.
	if test "x$use_toolchain_hardening" = "x1"; then
		# Retpoline code generation and the matching PLT option.
		OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
		# Fortified libc calls; libc applies these checks only when the
		# code is compiled with optimisation enabled.
		OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
		# Read-only relocations, immediate symbol binding and a
		# non-executable stack.
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
		# NB. -ftrapv expects certain support functions to be present in
		# the compiler library (libgcc or similar) to detect integer
		# operations that can overflow. We must check that the result of
		# enabling it actually links. The test program compiled/linked
		# includes a number of integer operations that should exercise
		# this.
		OSSH_CHECK_CFLAG_LINK([-ftrapv])
	fi

	# gcc 1.x and 2.x are treated as lacking the nonnull attribute.
	AC_MSG_CHECKING([gcc version])
	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
	case $GCC_VER in
	1.* | 2.*)
		no_attrib_nonnull=1
		;;
	esac
	AC_MSG_RESULT([$GCC_VER])

	# Keep -fno-builtin-memset only if a program calling memset() still
	# links with it.
	# NOTE(review): presumably this stops the compiler from replacing or
	# dropping memset() calls that clear buffers - confirm the rationale.
	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
	saved_CFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS -fno-builtin-memset"
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM(
			[[ #include <string.h> ]],
			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			CFLAGS="$saved_CFLAGS"
		]
	)

	# -fstack-protector-all doesn't always work for some GCC versions
	# and/or platforms, so we test if we can.  If it's not supported
	# on a given platform gcc will emit a warning so we use -Werror.
	# Candidates are tried strongest-preference first; the first one that
	# links and whose test program runs is kept in CFLAGS and LDFLAGS.
	# When cross compiling the run test is impossible, so the first
	# candidate that links is kept untested.  If no candidate passes, the
	# build silently proceeds without a stack protector.
	if test "x$use_stack_protector" = "x1"; then
		for t in -fstack-protector-strong -fstack-protector-all \
		    -fstack-protector; do
			AC_MSG_CHECKING([if $CC supports $t])
			saved_CFLAGS="$CFLAGS"
			saved_LDFLAGS="$LDFLAGS"
			CFLAGS="$CFLAGS $t -Werror"
			LDFLAGS="$LDFLAGS $t -Werror"
			AC_LINK_IFELSE(
				[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
				]],
				[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
				]])],
				[
					AC_MSG_RESULT([yes])
					# Drop -Werror again before the run test.
					CFLAGS="$saved_CFLAGS $t"
					LDFLAGS="$saved_LDFLAGS $t"
					AC_MSG_CHECKING([if $t works])
					AC_RUN_IFELSE(
						[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
						]],
						[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
						]])],
						[
							AC_MSG_RESULT([yes])
							break
						],
						[AC_MSG_RESULT([no])],
						[
							AC_MSG_WARN([cross compiling: cannot test])
							break
						]
					)
				],
				[AC_MSG_RESULT([no])]
			)
			# Reached only when this candidate was rejected.
			CFLAGS="$saved_CFLAGS"
			LDFLAGS="$saved_LDFLAGS"
		done
	fi

	if test -z "$have_llong_max"; then
		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes;
		# the flag stays in CFLAGS only if the retry succeeds.
		unset ac_cv_have_decl_LLONG_MAX
		saved_CFLAGS="$CFLAGS"
		CFLAGS="$CFLAGS -std=gnu99"
		AC_CHECK_DECL([LLONG_MAX],
			[have_llong_max=1],
			[CFLAGS="$saved_CFLAGS"],
			[#include <limits.h>]
		)
	fi
fi

# Compiler attribute support.  A failed probe defines the matching NO_*
# macro in config.h.
AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM(
		[[
#include <stdlib.h>
__attribute__((__unused__)) static void foo(void){return;}]],
		[[ exit(0); ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([NO_ATTRIBUTE_ON_RETURN_TYPE], [1],
			[compiler does not accept __attribute__ on return types])
	]
)

AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM(
		[[
#include <stdlib.h>
typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
		[[ exit(0); ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([NO_ATTRIBUTE_ON_PROTOTYPE_ARGS], [1],
			[compiler does not accept __attribute__ on prototype args])
	]
)

# nonnull is assumed to be available unless the gcc version check in the
# GCC-specific section set no_attrib_nonnull.
if test "x$no_attrib_nonnull" != "x1" ; then
	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
fi

# Run-time library search path option: "no" clears it, "yes" selects -R,
# any other value is used as the option itself.  rpath_opt is left
# untouched here when the option is not given at all.
AC_ARG_WITH([rpath],
	[  --without-rpath         Disable auto-added -R linker paths],
	[
		rpath_opt="$withval"
		if test "x$withval" = "xno" ; then
			rpath_opt=""
		elif test "x$withval" = "xyes" ; then
			rpath_opt="-R"
		fi
	]
)

# Allow user to specify flags.  A value is used only when it is non-empty
# and is neither "yes" nor "no".  The values given to --with-cflags,
# --with-cppflags, --with-ldflags and --with-libs are appended after the
# flags selected above, so they can weaken or override the hardening
# options; review them for builds that will be distributed.
AC_ARG_WITH([cflags],
	[  --with-cflags           Specify additional flags to pass to compiler],
	[
		if test -n "$withval" && test "x$withval" != "xno" &&
		    test "x$withval" != "xyes"; then
			CFLAGS="$CFLAGS $withval"
		fi
	]
)

# The *-after variants only record the value here.
# NOTE(review): where CFLAGS_AFTER and LDFLAGS_AFTER are applied is not
# visible in this part of the file.
AC_ARG_WITH([cflags-after],
	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
	[
		if test -n "$withval" && test "x$withval" != "xno" &&
		    test "x$withval" != "xyes"; then
			CFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([cppflags],
	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
	[
		if test -n "$withval" && test "x$withval" != "xno" &&
		    test "x$withval" != "xyes"; then
			CPPFLAGS="$CPPFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags],
	[  --with-ldflags          Specify additional flags to pass to linker],
	[
		if test -n "$withval" && test "x$withval" != "xno" &&
		    test "x$withval" != "xyes"; then
			LDFLAGS="$LDFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags-after],
	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
	[
		if test -n "$withval" && test "x$withval" != "xno" &&
		    test "x$withval" != "xyes"; then
			LDFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([libs],
	[  --with-libs             Specify additional libraries to link with],
	[
		if test -n "$withval" && test "x$withval" != "xno" &&
		    test "x$withval" != "xyes"; then
			LIBS="$LIBS $withval"
		fi
	]
)
# --with-Werror selects -Werror; --with-Werror=FLAGS selects FLAGS instead.
# The choice is only stored in werror_flags at this point.
AC_ARG_WITH([Werror],
	[  --with-Werror           Build main code with -Werror],
	[
		if test -n "$withval" && test "x$withval" != "xno"; then
			if test "x$withval" != "xyes"; then
				werror_flags="$withval"
			else
				werror_flags="-Werror"
			fi
		fi
	]
)

dnl Headers that can be probed without any prerequisite include.  Headers
dnl that need another header included first are checked separately.
AC_CHECK_HEADERS([ \
	blf.h \
	bstring.h \
	crypt.h \
	crypto/sha2.h \
	dirent.h \
	endian.h \
	elf.h \
	err.h \
	features.h \
	fcntl.h \
	floatingpoint.h \
	fnmatch.h \
	getopt.h \
	glob.h \
	ia.h \
	iaf.h \
	ifaddrs.h \
	inttypes.h \
	langinfo.h \
	limits.h \
	locale.h \
	login.h \
	maillock.h \
	ndir.h \
	net/if_tun.h \
	netdb.h \
	netgroup.h \
	pam/pam_appl.h \
	paths.h \
	poll.h \
	pty.h \
	readpassphrase.h \
	rpc/types.h \
	security/pam_appl.h \
	sha2.h \
	shadow.h \
	stddef.h \
	stdint.h \
	string.h \
	strings.h \
	sys/bitypes.h \
	sys/byteorder.h \
	sys/bsdtty.h \
	sys/cdefs.h \
	sys/dir.h \
	sys/file.h \
	sys/mman.h \
	sys/label.h \
	sys/ndir.h \
	sys/poll.h \
	sys/prctl.h \
	sys/pstat.h \
	sys/ptrace.h \
	sys/random.h \
	sys/select.h \
	sys/stat.h \
	sys/stream.h \
	sys/stropts.h \
	sys/strtio.h \
	sys/statvfs.h \
	sys/sysmacros.h \
	sys/time.h \
	sys/timers.h \
	sys/vfs.h \
	time.h \
	tmpdir.h \
	ttyent.h \
	ucred.h \
	unistd.h \
	usersec.h \
	util.h \
	utime.h \
	utmp.h \
	utmpx.h \
	vis.h \
	wchar.h \
])

# Headers that only compile after another header has been included.  The
# fourth argument of each check supplies those prerequisite includes.

# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
AC_CHECK_HEADERS([sys/audit.h], [], [],
[
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_SYS_LABEL_H
# include <sys/label.h>
#endif
])

# sys/capsicum.h requires sys/types.h
AC_CHECK_HEADERS([sys/capsicum.h], [], [],
[
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
])

# net/route.h requires sys/socket.h and sys/types.h.
# sys/sysctl.h also requires sys/param.h
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [],
[
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <sys/param.h>
#include <sys/socket.h>
])

# lastlog.h requires sys/time.h to be included first on Solaris
AC_CHECK_HEADERS([lastlog.h], [], [],
[
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
])

# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS([sys/ptms.h], [], [],
[
#ifdef HAVE_SYS_STREAM_H
# include <sys/stream.h>
#endif
])

# login_cap.h requires sys/types.h on NetBSD
AC_CHECK_HEADERS([login_cap.h], [], [],
[
#include <sys/types.h>
])

# older BSDs need sys/param.h before sys/mount.h
AC_CHECK_HEADERS([sys/mount.h], [], [],
[
#include <sys/param.h>
])

# Android requires sys/socket.h to be included before sys/un.h
AC_CHECK_HEADERS([sys/un.h], [], [],
[
#include <sys/types.h>
#include <sys/socket.h>
])

# Messages for features tested for in target-specific section; all of
# them start out as "no".
SIA_MSG=no
SPC_MSG=no
SP_MSG=no
SPP_MSG=no

# Support for Solaris/Illumos privileges (this test is used by both
# the --with-solaris-privs option and --with-sandbox=solaris).
SOLARIS_PRIVS=no

# The size is cached in ac_cv_sizeof_size_t, which the seccomp
# architecture selection reads to recognise the x32 ABI.
AC_CHECK_SIZEOF([size_t])

537# Check for some target-specific stuff
538case "$host" in
539*-*-aix*)
540	# Some versions of VAC won't allow macro redefinitions at
541	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
542	# particularly with older versions of vac or xlc.
543	# It also throws errors about null macro arguments, but these are
544	# not fatal.
545	AC_MSG_CHECKING([if compiler allows macro redefinitions])
546	AC_COMPILE_IFELSE(
547	    [AC_LANG_PROGRAM([[
548#define testmacro foo
549#define testmacro bar]],
550	    [[ exit(0); ]])],
551	    [ AC_MSG_RESULT([yes]) ],
552	    [ AC_MSG_RESULT([no])
553	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
554	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
555	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
556	    ]
557	)
558
559	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
560	if (test -z "$blibpath"); then
561		blibpath="/usr/lib:/lib"
562	fi
563	saved_LDFLAGS="$LDFLAGS"
564	if test "$GCC" = "yes"; then
565		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
566	else
567		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
568	fi
569	for tryflags in $flags ;do
570		if (test -z "$blibflags"); then
571			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
572			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
573			[blibflags=$tryflags], [])
574		fi
575	done
576	if (test -z "$blibflags"); then
577		AC_MSG_RESULT([not found])
578		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
579	else
580		AC_MSG_RESULT([$blibflags])
581	fi
582	LDFLAGS="$saved_LDFLAGS"
583	dnl Check for authenticate.  Might be in libs.a on older AIXes
584	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
585		[Define if you want to enable AIX4's authenticate function])],
586		[AC_CHECK_LIB([s], [authenticate],
587			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
588				LIBS="$LIBS -ls"
589			])
590		])
591	dnl Check for various auth function declarations in headers.
592	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
593	    passwdexpired, setauthdb], , , [#include <usersec.h>])
594	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
595	AC_CHECK_DECLS([loginfailed],
596	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
597	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
598		[[ (void)loginfailed("user","host","tty",0); ]])],
599		[AC_MSG_RESULT([yes])
600		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
601			[Define if your AIX loginfailed() function
602			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
603	    ])],
604	    [],
605	    [#include <usersec.h>]
606	)
607	AC_CHECK_FUNCS([getgrset setauthdb])
608	AC_CHECK_DECL([F_CLOSEM],
609	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
610	    [],
611	    [ #include <limits.h>
612	      #include <fcntl.h> ]
613	)
614	check_for_aix_broken_getaddrinfo=1
615	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
616	    [Define if your platform breaks doing a seteuid before a setuid])
617	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
618	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
619	dnl AIX handles lastlog as part of its login message
620	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
621	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
622		[Some systems need a utmpx entry for /bin/login to work])
623	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
624		[Define to a Set Process Title type if your system is
625		supported by bsd-setproctitle.c])
626	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
627	    [AIX 5.2 and 5.3 (and presumably newer) require this])
628	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
629	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
630	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
631	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
632	;;
633*-*-android*)
634	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
635	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
636	;;
637*-*-cygwin*)
638	check_for_libcrypt_later=1
639	LIBS="$LIBS /usr/lib/textreadmode.o"
640	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
641	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
642	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
643		[Define to disable UID restoration test])
644	AC_DEFINE([DISABLE_SHADOW], [1],
645		[Define if you want to disable shadow passwords])
646	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
647		[Define if X11 doesn't support AF_UNIX sockets on that system])
648	AC_DEFINE([DISABLE_FD_PASSING], [1],
649		[Define if your platform needs to skip post auth
650		file descriptor passing])
651	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
652	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
653	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
654	# reasons which cause compile warnings, so we disable those warnings.
655	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
656	;;
657*-*-dgux*)
658	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
659		[Define if your system choked on IP TOS setting])
660	AC_DEFINE([SETEUID_BREAKS_SETUID])
661	AC_DEFINE([BROKEN_SETREUID])
662	AC_DEFINE([BROKEN_SETREGID])
663	;;
664*-*-darwin*)
665	use_pie=auto
666	AC_MSG_CHECKING([if we have working getaddrinfo])
667	AC_RUN_IFELSE([AC_LANG_SOURCE([[
668#include <mach-o/dyld.h>
669#include <stdlib.h>
670main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
671		exit(0);
672	else
673		exit(1);
674}
675			]])],
676	[AC_MSG_RESULT([working])],
677	[AC_MSG_RESULT([buggy])
678	AC_DEFINE([BROKEN_GETADDRINFO], [1],
679		[getaddrinfo is broken (if present)])
680	],
681	[AC_MSG_RESULT([assume it is working])])
682	AC_DEFINE([SETEUID_BREAKS_SETUID])
683	AC_DEFINE([BROKEN_SETREUID])
684	AC_DEFINE([BROKEN_SETREGID])
685	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
686	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
687		[Define if your resolver libs need this for getrrsetbyname])
688	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
689	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
690	    [Use tunnel device compatibility to OpenBSD])
691	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
692	    [Prepend the address family to IP tunnel traffic])
693	m4_pattern_allow([AU_IPv])
694	AC_CHECK_DECL([AU_IPv4], [],
695	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
696	    [#include <bsm/audit.h>]
697	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
698	    [Define if pututxline updates lastlog too])
699	)
700	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
701		[Define to a Set Process Title type if your system is
702		supported by bsd-setproctitle.c])
703	AC_CHECK_FUNCS([sandbox_init])
704	AC_CHECK_HEADERS([sandbox.h])
705	AC_CHECK_LIB([sandbox], [sandbox_apply], [
706	    SSHDLIBS="$SSHDLIBS -lsandbox"
707	])
708	# proc_pidinfo()-based closefrom() replacement.
709	AC_CHECK_HEADERS([libproc.h])
710	AC_CHECK_FUNCS([proc_pidinfo])
711	;;
712*-*-dragonfly*)
713	SSHDLIBS="$SSHDLIBS -lcrypt"
714	TEST_MALLOC_OPTIONS="AFGJPRX"
715	;;
716*-*-haiku*)
717	LIBS="$LIBS -lbsd "
718	CFLAGS="$CFLAGS -D_BSD_SOURCE"
719	AC_CHECK_LIB([network], [socket])
720	AC_DEFINE([HAVE_U_INT64_T])
721	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
722	MANTYPE=man
723	;;
724*-*-hpux*)
725	# first we define all of the options common to all HP-UX releases
726	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
727	IPADDR_IN_DISPLAY=yes
728	AC_DEFINE([USE_PIPES])
729	AC_DEFINE([LOGIN_NEEDS_UTMPX])
730	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
731		[String used in /etc/passwd to denote locked account])
732	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
733	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
734	maildir="/var/mail"
735	LIBS="$LIBS -lsec"
736	AC_CHECK_LIB([xnet], [t_error], ,
737	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
738
739	# next, we define all of the options specific to major releases
740	case "$host" in
741	*-*-hpux10*)
742		if test -z "$GCC"; then
743			CFLAGS="$CFLAGS -Ae"
744		fi
745		;;
746	*-*-hpux11*)
747		AC_DEFINE([PAM_SUN_CODEBASE], [1],
748			[Define if you are using Solaris-derived PAM which
749			passes pam_messages to the conversation function
750			with an extra level of indirection])
751		AC_DEFINE([DISABLE_UTMP], [1],
752			[Define if you don't want to use utmp])
753		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
754		check_for_hpux_broken_getaddrinfo=1
755		check_for_conflicting_getspnam=1
756		;;
757	esac
758
759	# lastly, we define options specific to minor releases
760	case "$host" in
761	*-*-hpux10.26)
762		AC_DEFINE([HAVE_SECUREWARE], [1],
763			[Define if you have SecureWare-based
764			protected password database])
765		disable_ptmx_check=yes
766		LIBS="$LIBS -lsecpw"
767		;;
768	esac
769	;;
770*-*-irix5*)
771	PATH="$PATH:/usr/etc"
772	AC_DEFINE([BROKEN_INET_NTOA], [1],
773		[Define if you system's inet_ntoa is busted
774		(e.g. Irix gcc issue)])
775	AC_DEFINE([SETEUID_BREAKS_SETUID])
776	AC_DEFINE([BROKEN_SETREUID])
777	AC_DEFINE([BROKEN_SETREGID])
778	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
779		[Define if you shouldn't strip 'tty' from your
780		ttyname in [uw]tmp])
781	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
782	;;
783*-*-irix6*)
784	PATH="$PATH:/usr/etc"
785	AC_DEFINE([WITH_IRIX_ARRAY], [1],
786		[Define if you have/want arrays
787		(cluster-wide session management, not C arrays)])
788	AC_DEFINE([WITH_IRIX_PROJECT], [1],
789		[Define if you want IRIX project management])
790	AC_DEFINE([WITH_IRIX_AUDIT], [1],
791		[Define if you want IRIX audit trails])
792	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
793		[Define if you want IRIX kernel jobs])])
794	AC_DEFINE([BROKEN_INET_NTOA])
795	AC_DEFINE([SETEUID_BREAKS_SETUID])
796	AC_DEFINE([BROKEN_SETREUID])
797	AC_DEFINE([BROKEN_SETREGID])
798	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
799	AC_DEFINE([WITH_ABBREV_NO_TTY])
800	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
801	;;
802*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
803	check_for_libcrypt_later=1
804	AC_DEFINE([PAM_TTY_KLUDGE])
805	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
806	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
807	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
808	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
809	;;
810*-*-linux*)
811	no_dev_ptmx=1
812	use_pie=auto
813	check_for_libcrypt_later=1
814	check_for_openpty_ctty_bug=1
815	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
816	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
817	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
818	AC_DEFINE([PAM_TTY_KLUDGE], [1],
819		[Work around problematic Linux PAM modules handling of PAM_TTY])
820	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
821		[String used in /etc/passwd to denote locked account])
822	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
823	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
824		[Define to whatever link() returns for "not supported"
825		if it doesn't return EOPNOTSUPP.])
826	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
827	AC_DEFINE([USE_BTMP])
828	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
829	inet6_default_4in6=yes
830	case `uname -r` in
831	1.*|2.0.*)
832		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
833			[Define if cmsg_type is not passed correctly])
834		;;
835	esac
836	# tun(4) forwarding compat code
837	AC_CHECK_HEADERS([linux/if_tun.h])
838	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
839		AC_DEFINE([SSH_TUN_LINUX], [1],
840		    [Open tunnel devices the Linux tun/tap way])
841		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
842		    [Use tunnel device compatibility to OpenBSD])
843		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
844		    [Prepend the address family to IP tunnel traffic])
845	fi
846	AC_CHECK_HEADER([linux/if.h],
847	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
848		[Support routing domains using Linux VRF]), [], [
849#ifdef HAVE_SYS_TYPES_H
850# include <sys/types.h>
851#endif
852	    ])
853	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
854	    [], [#include <linux/types.h>])
855	# Obtain MIPS ABI
856	case "$host" in
857	mips*)
858		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
859#if _MIPS_SIM != _ABIO32
860#error
861#endif
862			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
863#if _MIPS_SIM != _ABIN32
864#error
865#endif
866				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
867#if _MIPS_SIM != _ABI64
868#error
869#endif
870					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
871				])
872			])
873		])
874		;;
875	esac
876	AC_MSG_CHECKING([for seccomp architecture])
877	seccomp_audit_arch=
878	case "$host" in
879	x86_64-*)
880		seccomp_audit_arch=AUDIT_ARCH_X86_64
881		# X32: AMD64 instructions in 32bit address space.
882		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
883			seccomp_audit_arch=AUDIT_ARCH_I386
884		fi
885		;;
886	i*86-*)
887		seccomp_audit_arch=AUDIT_ARCH_I386
888		;;
889	arm*-*)
890		seccomp_audit_arch=AUDIT_ARCH_ARM
891		;;
892	aarch64*-*)
893		seccomp_audit_arch=AUDIT_ARCH_AARCH64
894		;;
895	s390x-*)
896		seccomp_audit_arch=AUDIT_ARCH_S390X
897		;;
898	s390-*)
899		seccomp_audit_arch=AUDIT_ARCH_S390
900		;;
901	powerpc64-*)
902		seccomp_audit_arch=AUDIT_ARCH_PPC64
903		;;
904	powerpc64le-*)
905		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
906		;;
907	mips-*)
908		seccomp_audit_arch=AUDIT_ARCH_MIPS
909		;;
910	mipsel-*)
911		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
912		;;
913	mips64-*)
914		case "$mips_abi" in
915		"n32")
916			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
917			;;
918		"n64")
919			seccomp_audit_arch=AUDIT_ARCH_MIPS64
920			;;
921		esac
922		;;
923	mips64el-*)
924		case "$mips_abi" in
925		"n32")
926			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
927			;;
928		"n64")
929			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
930			;;
931		esac
932		;;
933	riscv64-*)
934		seccomp_audit_arch=AUDIT_ARCH_RISCV64
935		;;
936	esac
937	if test "x$seccomp_audit_arch" != "x" ; then
938		AC_MSG_RESULT(["$seccomp_audit_arch"])
939		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
940		    [Specify the system call convention in use])
941	else
942		AC_MSG_RESULT([architecture not supported])
943	fi
944	;;
945mips-sony-bsd|mips-sony-newsos4)
946	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
947	SONY=1
948	;;
949*-*-netbsd*)
950	check_for_libcrypt_before=1
951	if test "x$withval" != "xno" ; then
952		rpath_opt="-R"
953	fi
954	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
955	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
956	AC_CHECK_HEADER([net/if_tap.h], ,
957	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
958	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
959	    [Prepend the address family to IP tunnel traffic])
960	TEST_MALLOC_OPTIONS="AJRX"
961	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
962	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
963	;;
964*-*-freebsd*)
965	check_for_libcrypt_later=1
966	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
967	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
968	AC_CHECK_HEADER([net/if_tap.h], ,
969	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
970	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
971	TEST_MALLOC_OPTIONS="AJRX"
972	# Preauth crypto occasionally uses file descriptors for crypto offload
973	# and will crash if they cannot be opened.
974	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
975	    [define if setrlimit RLIMIT_NOFILE breaks things])
976	;;
977*-*-bsdi*)
978	AC_DEFINE([SETEUID_BREAKS_SETUID])
979	AC_DEFINE([BROKEN_SETREUID])
980	AC_DEFINE([BROKEN_SETREGID])
981	;;
982*-next-*)
983	conf_lastlog_location="/usr/adm/lastlog"
984	conf_utmp_location=/etc/utmp
985	conf_wtmp_location=/usr/adm/wtmp
986	maildir=/usr/spool/mail
987	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
988	AC_DEFINE([USE_PIPES])
989	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
990	;;
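*-*-openbsd*)
	# Request automatic PIE; the --with-pie handling later in this file
	# decides whether -fPIE and -pie are actually applied.
	use_pie=auto
	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
	    [syslog_r function is safe to use in a signal handler])
	TEST_MALLOC_OPTIONS="AFGJPRX"
	;;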
1000*-*-solaris*)
1001	if test "x$withval" != "xno" ; then
1002		rpath_opt="-R"
1003	fi
1004	AC_DEFINE([PAM_SUN_CODEBASE])
1005	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1006	AC_DEFINE([PAM_TTY_KLUDGE])
1007	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1008		[Define if pam_chauthtok wants real uid set
1009		to the unpriv'ed user])
1010	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1011	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1012	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1013		[Define if sshd somehow reacquires a controlling TTY
1014		after setsid()])
1015	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1016		in case the name is longer than 8 chars])
1017	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1018	external_path_file=/etc/default/login
1019	# hardwire lastlog location (can't detect it on some versions)
1020	conf_lastlog_location="/var/adm/lastlog"
1021	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1022	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1023	if test "$sol2ver" -ge 8; then
1024		AC_MSG_RESULT([yes])
1025		AC_DEFINE([DISABLE_UTMP])
1026		AC_DEFINE([DISABLE_WTMP], [1],
1027			[Define if you don't want to use wtmp])
1028	else
1029		AC_MSG_RESULT([no])
1030	fi
1031	AC_CHECK_FUNCS([setpflags])
1032	AC_CHECK_FUNCS([setppriv])
1033	AC_CHECK_FUNCS([priv_basicset])
1034	AC_CHECK_HEADERS([priv.h])
1035	AC_ARG_WITH([solaris-contracts],
1036		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1037		[
1038		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1039			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1040				[Define if you have Solaris process contracts])
1041			  LIBS="$LIBS -lcontract"
1042			  SPC_MSG="yes" ], )
1043		],
1044	)
1045	AC_ARG_WITH([solaris-projects],
1046		[  --with-solaris-projects Enable Solaris projects (experimental)],
1047		[
1048		AC_CHECK_LIB([project], [setproject],
1049			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1050				[Define if you have Solaris projects])
1051			LIBS="$LIBS -lproject"
1052			SP_MSG="yes" ], )
1053		],
1054	)
1055	AC_ARG_WITH([solaris-privs],
1056		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1057		[
1058		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1059		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1060			"x$ac_cv_header_priv_h" = "xyes" ; then
1061			SOLARIS_PRIVS=yes
1062			AC_MSG_RESULT([found])
1063			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1064				[Define to disable UID restoration test])
1065			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1066				[Define if you have Solaris privileges])
1067			SPP_MSG="yes"
1068		else
1069			AC_MSG_RESULT([not found])
1070			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1071		fi
1072		],
1073	)
1074	TEST_SHELL=$SHELL	# let configure find us a capable shell
1075	;;
1076*-*-sunos4*)
1077	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1078	AC_CHECK_FUNCS([getpwanam])
1079	AC_DEFINE([PAM_SUN_CODEBASE])
1080	conf_utmp_location=/etc/utmp
1081	conf_wtmp_location=/var/adm/wtmp
1082	conf_lastlog_location=/var/adm/lastlog
1083	AC_DEFINE([USE_PIPES])
1084	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1085	;;
1086*-ncr-sysv*)
1087	LIBS="$LIBS -lc89"
1088	AC_DEFINE([USE_PIPES])
1089	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1090	AC_DEFINE([SETEUID_BREAKS_SETUID])
1091	AC_DEFINE([BROKEN_SETREUID])
1092	AC_DEFINE([BROKEN_SETREGID])
1093	;;
1094*-sni-sysv*)
1095	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1096	AC_CHECK_LIB([dl], [dlsym], ,)
1097	# -lresolv needs to be at the end of LIBS or DNS lookups break
1098	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1099	IPADDR_IN_DISPLAY=yes
1100	AC_DEFINE([USE_PIPES])
1101	AC_DEFINE([IP_TOS_IS_BROKEN])
1102	AC_DEFINE([SETEUID_BREAKS_SETUID])
1103	AC_DEFINE([BROKEN_SETREUID])
1104	AC_DEFINE([BROKEN_SETREGID])
1105	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1106	external_path_file=/etc/default/login
1107	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1108	# Attention: always take care to bind libsocket and libnsl before libc,
1109	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1110	;;
1111# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1112*-*-sysv4.2*)
1113	AC_DEFINE([USE_PIPES])
1114	AC_DEFINE([SETEUID_BREAKS_SETUID])
1115	AC_DEFINE([BROKEN_SETREUID])
1116	AC_DEFINE([BROKEN_SETREGID])
1117	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1118	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1119	TEST_SHELL=$SHELL	# let configure find us a capable shell
1120	;;
1121# UnixWare 7.x, OpenUNIX 8
1122*-*-sysv5*)
1123	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1124	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1125	AC_DEFINE([USE_PIPES])
1126	AC_DEFINE([SETEUID_BREAKS_SETUID])
1127	AC_DEFINE([BROKEN_GETADDRINFO])
1128	AC_DEFINE([BROKEN_SETREUID])
1129	AC_DEFINE([BROKEN_SETREGID])
1130	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1131	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1132	TEST_SHELL=$SHELL	# let configure find us a capable shell
1133	check_for_libcrypt_later=1
1134	case "$host" in
1135	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1136		maildir=/var/spool/mail
1137		AC_DEFINE([BROKEN_UPDWTMPX])
1138		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1139			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1140			], , )
1141		;;
1142	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1143		;;
1144	esac
1145	;;
1146*-*-sysv*)
1147	;;
1148# SCO UNIX and OEM versions of SCO UNIX
1149*-*-sco3.2v4*)
1150	AC_MSG_ERROR("This Platform is no longer supported.")
1151	;;
1152# SCO OpenServer 5.x
1153*-*-sco3.2v5*)
1154	if test -z "$GCC"; then
1155		CFLAGS="$CFLAGS -belf"
1156	fi
1157	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1158	no_dev_ptmx=1
1159	AC_DEFINE([USE_PIPES])
1160	AC_DEFINE([HAVE_SECUREWARE])
1161	AC_DEFINE([DISABLE_SHADOW])
1162	AC_DEFINE([DISABLE_FD_PASSING])
1163	AC_DEFINE([SETEUID_BREAKS_SETUID])
1164	AC_DEFINE([BROKEN_GETADDRINFO])
1165	AC_DEFINE([BROKEN_SETREUID])
1166	AC_DEFINE([BROKEN_SETREGID])
1167	AC_DEFINE([WITH_ABBREV_NO_TTY])
1168	AC_DEFINE([BROKEN_UPDWTMPX])
1169	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1170	AC_CHECK_FUNCS([getluid setluid])
1171	MANTYPE=man
1172	TEST_SHELL=$SHELL	# let configure find us a capable shell
1173	SKIP_DISABLE_LASTLOG_DEFINE=yes
1174	;;
1175*-dec-osf*)
1176	AC_MSG_CHECKING([for Digital Unix SIA])
1177	no_osfsia=""
1178	AC_ARG_WITH([osfsia],
1179		[  --with-osfsia           Enable Digital Unix SIA],
1180		[
1181			if test "x$withval" = "xno" ; then
1182				AC_MSG_RESULT([disabled])
1183				no_osfsia=1
1184			fi
1185		],
1186	)
1187	if test -z "$no_osfsia" ; then
1188		if test -f /etc/sia/matrix.conf; then
1189			AC_MSG_RESULT([yes])
1190			AC_DEFINE([HAVE_OSF_SIA], [1],
1191				[Define if you have Digital Unix Security
1192				Integration Architecture])
1193			AC_DEFINE([DISABLE_LOGIN], [1],
1194				[Define if you don't want to use your
1195				system's login() call])
1196			AC_DEFINE([DISABLE_FD_PASSING])
1197			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1198			SIA_MSG="yes"
1199		else
1200			AC_MSG_RESULT([no])
1201			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1202			  [String used in /etc/passwd to denote locked account])
1203		fi
1204	fi
1205	AC_DEFINE([BROKEN_GETADDRINFO])
1206	AC_DEFINE([SETEUID_BREAKS_SETUID])
1207	AC_DEFINE([BROKEN_SETREUID])
1208	AC_DEFINE([BROKEN_SETREGID])
1209	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1210	;;
1211
1212*-*-nto-qnx*)
1213	AC_DEFINE([USE_PIPES])
1214	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1215	AC_DEFINE([DISABLE_LASTLOG])
1216	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1217	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1218	enable_etc_default_login=no	# has incompatible /etc/default/login
1219	case "$host" in
1220	*-*-nto-qnx6*)
1221		AC_DEFINE([DISABLE_FD_PASSING])
1222		;;
1223	esac
1224	;;
1225
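*-*-ultrix*)
	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
	# don't get a controlling tty.
	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
	# On Ultrix some headers are not protected against multiple includes,
	# so we create wrappers and put them where the compiler will find them.
	# The wrappers are written relative to the directory configure runs in.
	AC_MSG_WARN([creating compat wrappers for headers])
	mkdir -p netinet
	for header in netinet/ip.h netdb.h resolv.h; do
		# Derive the include-guard suffix from the path: lower case
		# becomes upper case, slash and dot become underscores.
		name=`echo "$header" | tr 'a-z/.' 'A-Z__'`
		cat >"$header" <<EOD
#ifndef _SSH_COMPAT_${name}
#define _SSH_COMPAT_${name}
#include "/usr/include/${header}"
#endif
EOD
	done
	;;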
1248
1249*-*-lynxos)
1250	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1251	AC_DEFINE([BROKEN_SETVBUF], [1],
1252	    [LynxOS has broken setvbuf() implementation])
1253	;;
1254esac
1255
1256AC_MSG_CHECKING([compiler and flags for sanity])
1257AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
1258	[	AC_MSG_RESULT([yes]) ],
1259	[
1260		AC_MSG_RESULT([no])
1261		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1262	],
1263	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1264)
1265
1266dnl Checks for header files.
1267# Checks for libraries.
1268AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1269
1270dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1271AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1272	AC_CHECK_LIB([gen], [dirname], [
1273		AC_CACHE_CHECK([for broken dirname],
1274			ac_cv_have_broken_dirname, [
1275			save_LIBS="$LIBS"
1276			LIBS="$LIBS -lgen"
1277			AC_RUN_IFELSE(
1278				[AC_LANG_SOURCE([[
1279#include <libgen.h>
1280#include <string.h>
1281#include <stdlib.h>
1282
1283int main(int argc, char **argv) {
1284    char *s, buf[32];
1285
1286    strncpy(buf,"/etc", 32);
1287    s = dirname(buf);
1288    if (!s || strncmp(s, "/", 32) != 0) {
1289	exit(1);
1290    } else {
1291	exit(0);
1292    }
1293}
1294				]])],
1295				[ ac_cv_have_broken_dirname="no" ],
1296				[ ac_cv_have_broken_dirname="yes" ],
1297				[ ac_cv_have_broken_dirname="no" ],
1298			)
1299			LIBS="$save_LIBS"
1300		])
1301		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1302			LIBS="$LIBS -lgen"
1303			AC_DEFINE([HAVE_DIRNAME])
1304			AC_CHECK_HEADERS([libgen.h])
1305		fi
1306	])
1307])
1308
1309AC_CHECK_FUNC([getspnam], ,
1310	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1311AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1312	[Define if you have the basename function.])])
1313
dnl zlib is used unless --without-zlib is given. A PATH argument is put at the
dnl front of the header and library search paths; PATH/lib and PATH/include are
dnl preferred when they exist. Where rpath_opt is set, the chosen library
dnl directory is also recorded as a run-time search path in the binaries.
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[ case "x$withval" in
	  xno)
		zlib=no
		;;
	  xyes)
		;;
	  *)
		if test -d "$withval/lib"; then
			zlib_libdir="${withval}/lib"
		else
			zlib_libdir="${withval}"
		fi
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L${zlib_libdir} ${rpath_opt}${zlib_libdir} ${LDFLAGS}"
		else
			LDFLAGS="-L${zlib_libdir} ${LDFLAGS}"
		fi
		if test -d "$withval/include"; then
			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		else
			CPPFLAGS="-I${withval} ${CPPFLAGS}"
		fi
		;;
	  esac ]
)
1341
dnl Locate zlib and refuse old releases. The version probe reads ZLIB_VERSION
dnl from the zlib.h seen at configure time, so it describes the headers used
dnl for the build. It is skipped with a warning when cross compiling and is
dnl demoted to a warning by --without-zlib-version-check.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" != "xno"; then
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
	AC_CHECK_HEADER([zlib.h], [],
		[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
	AC_CHECK_LIB([z], [deflate], [],
		[
			saved_CPPFLAGS="$CPPFLAGS"
			saved_LDFLAGS="$LDFLAGS"
			save_LIBS="$LIBS"
			dnl Check default zlib install dir
			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
			fi
			CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
			LIBS="$LIBS -lz"
			AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
				[
					AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
				]
			)
		]
	)

	AC_ARG_WITH([zlib-version-check],
		[  --without-zlib-version-check Disable zlib version check],
		[ test "x$withval" = "xno" && zlib_check_nonfatal=1 ]
	)

	AC_MSG_CHECKING([for possibly buggy zlib])
	AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int major = 0, minor = 0, patch = 0, sub = 0, fields, packed;

	fields = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &major, &minor, &patch, &sub);
	if (fields < 3 || fields > 4)
		exit(1);
	packed = major*1000000 + minor*10000 + patch*100 + sub;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, packed);

	/* accepted: 1.1.4 and later 1.1.x, or anything from 1.2.3 up */
	if ((major == 1 && minor == 1 && patch >= 4) || packed >= 1020300)
		exit(0);

	exit(2);
	]])],
	[ AC_MSG_RESULT([no]) ],
	[ AC_MSG_RESULT([yes])
	  if test -n "$zlib_check_nonfatal" ; then
		AC_MSG_WARN([zlib version may have security problems])
	  else
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  fi
	],
	[ AC_MSG_WARN([cross compiling: not checking zlib version]) ]
	)
else
	AC_MSG_RESULT([no])
fi
1419
1420dnl UnixWare 2.x
1421AC_CHECK_FUNC([strcasecmp],
1422	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1423)
1424AC_CHECK_FUNCS([utimes],
1425	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1426					LIBS="$LIBS -lc89"]) ]
1427)
1428
1429dnl    Checks for libutil functions
1430AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1431AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1432AC_SEARCH_LIBS([scan_scaled], [util bsd])
1433AC_SEARCH_LIBS([login], [util bsd])
1434AC_SEARCH_LIBS([logout], [util bsd])
1435AC_SEARCH_LIBS([logwtmp], [util bsd])
1436AC_SEARCH_LIBS([openpty], [util bsd])
1437AC_SEARCH_LIBS([updwtmp], [util bsd])
1438AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1439
1440# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1441# or libnsl.
1442AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1443AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1444
1445# "Particular Function Checks"
1446# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1447AC_FUNC_STRFTIME
1448AC_FUNC_MALLOC
1449AC_FUNC_REALLOC
dnl Autoconf has no calloc counterpart to its malloc and realloc checks, so
dnl probe calloc(0, 1) directly. When cross compiling the malloc result is
dnl reused. If calloc returns NULL for a zero count, calloc is redirected to
dnl rpl_calloc.
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ exit(calloc(0, 1) == NULL); ]]
	)],
	[ func_calloc_0_nonnull=yes ],
	[ func_calloc_0_nonnull=no ],
	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
)
AC_MSG_RESULT([$func_calloc_0_nonnull])

case "x$func_calloc_0_nonnull" in
xyes)
	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
	;;
*)
	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
	AC_DEFINE(calloc, rpl_calloc,
	    [Define to rpl_calloc if the replacement function should be used.])
	;;
esac
1471
1472# Check for ALTDIRFUNC glob() extension
1473AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1474AC_EGREP_CPP([FOUNDIT],
1475	[
1476		#include <glob.h>
1477		#ifdef GLOB_ALTDIRFUNC
1478		FOUNDIT
1479		#endif
1480	],
1481	[
1482		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1483			[Define if your system glob() function has
1484			the GLOB_ALTDIRFUNC extension])
1485		AC_MSG_RESULT([yes])
1486	],
1487	[
1488		AC_MSG_RESULT([no])
1489	]
1490)
1491
1492# Check for g.gl_matchc glob() extension
1493AC_MSG_CHECKING([for gl_matchc field in glob_t])
1494AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1495	[[ glob_t g; g.gl_matchc = 1; ]])],
1496	[
1497		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1498			[Define if your system glob() function has
1499			gl_matchc options in glob_t])
1500		AC_MSG_RESULT([yes])
1501	], [
1502		AC_MSG_RESULT([no])
1503])
1504
1505# Check for g.gl_statv glob() extension
1506AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1507AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1508#ifndef GLOB_KEEPSTAT
1509#error "glob does not support GLOB_KEEPSTAT extension"
1510#endif
1511glob_t g;
1512g.gl_statv = NULL;
1513]])],
1514	[
1515		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1516			[Define if your system glob() function has
1517			gl_statv options in glob_t])
1518		AC_MSG_RESULT([yes])
1519	], [
1520		AC_MSG_RESULT([no])
1521
1522])
1523
1524AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1525
1526AC_CHECK_DECL([VIS_ALL], ,
1527    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1528
1529AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1530AC_RUN_IFELSE(
1531	[AC_LANG_PROGRAM([[
1532#include <sys/types.h>
1533#include <dirent.h>
1534#include <stdlib.h>
1535	]],
1536	[[
1537	struct dirent d;
1538	exit(sizeof(d.d_name)<=sizeof(char));
1539	]])],
1540	[AC_MSG_RESULT([yes])],
1541	[
1542		AC_MSG_RESULT([no])
1543		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1544			[Define if your struct dirent expects you to
1545			allocate extra space for d_name])
1546	],
1547	[
1548		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1549		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1550	]
1551)
1552
dnl Looks for the fd directory of the running configure process, so the
dnl answer describes the machine configure runs on.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test ! -d "/proc/$$/fd" ; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
fi
1560
# Optional ldns support for DNSSEC. With a bare --with-ldns the flags come
# from ldns-config when it is found, otherwise plain -lldns is used; with a
# PATH argument, PATH/include and PATH/lib are added to the search paths.
LDNS_MSG="no"
AC_ARG_WITH(ldns,
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	case "x$withval" in
	xno)
		;;
	xyes)
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" != "xno"; then
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
		else
			LIBS="-lldns $LIBS"
		fi
		ldns=yes
		;;
	*)
		CPPFLAGS="$CPPFLAGS -I${withval}/include"
		LDFLAGS="$LDFLAGS -L${withval}/lib"
		LIBS="-lldns $LIBS"
		ldns=yes
		;;
	esac

	# A requested ldns must link; a failed link test stops configure.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() {
	ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL);
	status = LDNS_STATUS_OK;
	exit(0);
}
			]])
		],
			[ AC_MSG_RESULT([yes]) ],
			[
				AC_MSG_RESULT([no])
				AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
			])
	fi
])
1607
1608# Check whether user wants libedit support
1609LIBEDIT_MSG="no"
1610AC_ARG_WITH([libedit],
1611	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1612	[ if test "x$withval" != "xno" ; then
1613		if test "x$withval" = "xyes" ; then
1614			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1615			if test "x$PKGCONFIG" != "xno"; then
1616				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1617				if "$PKGCONFIG" libedit; then
1618					AC_MSG_RESULT([yes])
1619					use_pkgconfig_for_libedit=yes
1620				else
1621					AC_MSG_RESULT([no])
1622				fi
1623			fi
1624		else
1625			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1626			if test -n "${rpath_opt}"; then
1627				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1628			else
1629				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1630			fi
1631		fi
1632		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1633			LIBEDIT=`$PKGCONFIG --libs libedit`
1634			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1635		else
1636			LIBEDIT="-ledit -lcurses"
1637		fi
1638		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1639		AC_CHECK_LIB([edit], [el_init],
1640			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1641			  LIBEDIT_MSG="yes"
1642			  AC_SUBST([LIBEDIT])
1643			],
1644			[ AC_MSG_ERROR([libedit not found]) ],
1645			[ $OTHERLIBS ]
1646		)
1647		AC_MSG_CHECKING([if libedit version is compatible])
1648		AC_COMPILE_IFELSE(
1649		    [AC_LANG_PROGRAM([[
1650#include <histedit.h>
1651#include <stdlib.h>
1652		    ]],
1653		    [[
1654	int i = H_SETSIZE;
1655	el_init("", NULL, NULL, NULL);
1656	exit(0);
1657		    ]])],
1658		    [ AC_MSG_RESULT([yes]) ],
1659		    [ AC_MSG_RESULT([no])
1660		      AC_MSG_ERROR([libedit version is not compatible]) ]
1661		)
1662	fi ]
1663)
1664
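dnl Select the audit backend. The default is none; --with-audit accepts bsm,
dnl linux, debug or no, and any other value stops configure.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
		)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is set in the Solaris host case earlier in this file.
		# Skip the numeric comparison when it is empty so test is never
		# handed a non-integer operand on other BSM platforms.
		if test -n "$sol2ver" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		dnl NOTE(review): a missing libaudit.h is not fatal here. The
		dnl library and the define below are added regardless, so the
		dnl failure would presumably surface at build time. Confirm.
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)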
1717
dnl Position Independent Executables. use_pie may already be set by the host
dnl case earlier in this file (the OpenBSD entry requests auto); an explicit
dnl --with-pie=yes or --with-pie=no overrides it, and unset means no.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible], [
	case "x$withval" in
	xno)	use_pie=no ;;
	xyes)	use_pie=yes ;;
	esac
    ]
)
use_pie=${use_pie:-no}
if test "x$use_pie" = "xauto"; then
	if test "x$use_toolchain_hardening" != "x1"; then
		# Turn off automatic PIE when toolchain hardening is off.
		use_pie=no
	else
		# Automatic PIE requires gcc >= 4.x
		AC_MSG_CHECKING([for gcc >= 4.x])
		AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
		[ AC_MSG_RESULT([yes]) ],
		[ AC_MSG_RESULT([no])
		  use_pie=no ]
		)
	fi
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# We use both -fPIE and -pie or neither. If either flag was not
	# accepted, both are dropped and configure continues; a requested
	# PIE build that cannot be honoured is only reported as "no".
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	pie_both=no
	if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 ; then
		if echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
			pie_both=yes
		fi
	fi
	AC_MSG_RESULT([$pie_both])
	if test "x$pie_both" = "xno"; then
		CFLAGS="$SAVED_CFLAGS"
		LDFLAGS="$SAVED_LDFLAGS"
	fi
fi
1764
dnl Probe -fPIC with a trial compile. CFLAGS is restored afterwards; only
dnl PICFLAG carries the result, and it stays empty when the flag is rejected.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
PICFLAG=""
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
	[ AC_MSG_RESULT([yes])
	  PICFLAG="-fPIC" ],
	[ AC_MSG_RESULT([no]) ]
)
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1776
1777dnl    Checks for library functions. Please keep in alphabetical order
1778AC_CHECK_FUNCS([ \
1779	Blowfish_initstate \
1780	Blowfish_expandstate \
1781	Blowfish_expand0state \
1782	Blowfish_stream2word \
1783	SHA256Update \
1784	SHA384Update \
1785	SHA512Update \
1786	asprintf \
1787	b64_ntop \
1788	__b64_ntop \
1789	b64_pton \
1790	__b64_pton \
1791	bcopy \
1792	bcrypt_pbkdf \
1793	bindresvport_sa \
1794	blf_enc \
1795	bzero \
1796	cap_rights_limit \
1797	clock \
1798	closefrom \
1799	dirfd \
1800	endgrent \
1801	err \
1802	errx \
1803	explicit_bzero \
1804	fchmod \
1805	fchmodat \
1806	fchown \
1807	fchownat \
1808	flock \
1809	fnmatch \
1810	freeaddrinfo \
1811	freezero \
1812	fstatfs \
1813	fstatvfs \
1814	futimes \
1815	getaddrinfo \
1816	getcwd \
1817	getgrouplist \
1818	getline \
1819	getnameinfo \
1820	getopt \
1821	getpagesize \
1822	getpeereid \
1823	getpeerucred \
1824	getpgid \
1825	_getpty \
1826	getrlimit \
1827	getrandom \
1828	getsid \
1829	getttyent \
1830	glob \
1831	group_from_gid \
1832	inet_aton \
1833	inet_ntoa \
1834	inet_ntop \
1835	innetgr \
1836	llabs \
1837	localtime_r \
1838	login_getcapbool \
1839	md5_crypt \
1840	memmem \
1841	memmove \
1842	memset_s \
1843	mkdtemp \
1844	ngetaddrinfo \
1845	nsleep \
1846	ogetaddrinfo \
1847	openlog_r \
1848	pledge \
1849	poll \
1850	prctl \
1851	pstat \
1852	raise \
1853	readpassphrase \
1854	reallocarray \
1855	realpath \
1856	recvmsg \
1857	recallocarray \
1858	rresvport_af \
1859	sendmsg \
1860	setdtablesize \
1861	setegid \
1862	setenv \
1863	seteuid \
1864	setgroupent \
1865	setgroups \
1866	setlinebuf \
1867	setlogin \
1868	setpassent\
1869	setpcred \
1870	setproctitle \
1871	setregid \
1872	setreuid \
1873	setrlimit \
1874	setsid \
1875	setvbuf \
1876	sigaction \
1877	sigvec \
1878	snprintf \
1879	socketpair \
1880	statfs \
1881	statvfs \
1882	strcasestr \
1883	strdup \
1884	strerror \
1885	strlcat \
1886	strlcpy \
1887	strmode \
1888	strndup \
1889	strnlen \
1890	strnvis \
1891	strptime \
1892	strsignal \
1893	strtonum \
1894	strtoll \
1895	strtoul \
1896	strtoull \
1897	swap32 \
1898	sysconf \
1899	tcgetpgrp \
1900	timingsafe_bcmp \
1901	truncate \
1902	unsetenv \
1903	updwtmpx \
1904	utimensat \
1905	user_from_uid \
1906	usleep \
1907	vasprintf \
1908	vsnprintf \
1909	waitpid \
1910	warn \
1911])
1912
1913AC_CHECK_DECLS([bzero, memmem])
1914
1915dnl Wide character support.
1916AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1917
dnl TEST_SSH_UTF8 keeps a value supplied by the caller and otherwise defaults
dnl to yes; it is forced to no when the en_US.UTF-8 locale cannot be set.
: "${TEST_SSH_UTF8:=yes}"
AC_MSG_CHECKING([for utf8 locale support])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <locale.h>
#include <stdlib.h>
	]], [[
	exit(setlocale(LC_CTYPE, "en_US.UTF-8") == NULL);
	]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  TEST_SSH_UTF8=no ],
	[ AC_MSG_WARN([cross compiling: assuming yes]) ]
)
1935
1936AC_LINK_IFELSE(
1937        [AC_LANG_PROGRAM(
1938           [[ #include <ctype.h> ]],
1939           [[ return (isblank('a')); ]])],
1940	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1941])
1942
dnl disable_pkcs11 stays empty unless --disable-pkcs11 is given.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[ test "x$enableval" = "xno" && disable_pkcs11=1 ]
)
1952
dnl disable_sk stays empty unless --disable-security-key is given. The builtin
dnl U2F/FIDO support is opt-in, and disabling security-key support clears
dnl that request again.
disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[ test "x$enableval" = "xno" && disable_sk=1 ]
)
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[ test "x$withval" = "xno" || enable_sk_internal=yes ]
)
if test -n "$disable_sk" ; then
	enable_sk_internal=""
fi
1972
1973AC_SEARCH_LIBS([dlopen], [dl])
1974AC_CHECK_FUNCS([dlopen])
1975AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1976
1977# IRIX has a const char return value for gai_strerror()
1978AC_CHECK_FUNCS([gai_strerror], [
1979	AC_DEFINE([HAVE_GAI_STRERROR])
1980	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1981#include <sys/types.h>
1982#include <sys/socket.h>
1983#include <netdb.h>
1984
1985const char *gai_strerror(int);
1986			]], [[
1987	char *str;
1988	str = gai_strerror(0);
1989			]])], [
1990		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1991		[Define if gai_strerror() returns const char *])], [])])
1992
1993AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1994	[Some systems put nanosleep outside of libc])])
1995
1996AC_SEARCH_LIBS([clock_gettime], [rt],
1997	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1998
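dnl If localtime_r is not declared, retry the declaration check with
dnl -D_REENTRANT added to CPPFLAGS and keep the flag only if the retry
dnl succeeds.
AC_CHECK_DECL([localtime_r], [],
	[ # Save CPPFLAGS itself so that a failed retry restores the
	  # preprocessor flags instead of replacing them with CFLAGS.
	  saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  # Drop the cached negative answer so the second check really runs.
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)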
2011
2012dnl Make sure prototypes are defined for these before using them.
2013AC_CHECK_DECL([strsep],
2014	[AC_CHECK_FUNCS([strsep])],
2015	[],
2016	[
2017#ifdef HAVE_STRING_H
2018# include <string.h>
2019#endif
2020	])
2021
2022dnl tcsendbreak might be a macro
2023AC_CHECK_DECL([tcsendbreak],
2024	[AC_DEFINE([HAVE_TCSENDBREAK])],
2025	[AC_CHECK_FUNCS([tcsendbreak])],
2026	[#include <termios.h>]
2027)
2028
2029AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2030
2031AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2032	[
2033#include <sys/types.h>
2034#include <sys/socket.h>
2035#include <unistd.h>
2036	])
2037
2038AC_CHECK_DECLS([O_NONBLOCK], , ,
2039	[
2040#include <sys/types.h>
2041#ifdef HAVE_SYS_STAT_H
2042# include <sys/stat.h>
2043#endif
2044#ifdef HAVE_FCNTL_H
2045# include <fcntl.h>
2046#endif
2047	])
2048
2049AC_CHECK_DECLS([readv, writev], , , [
2050#include <sys/types.h>
2051#include <sys/uio.h>
2052#include <unistd.h>
2053	])
2054
2055AC_CHECK_DECLS([MAXSYMLINKS], , , [
2056#include <sys/param.h>
2057	])
2058
2059AC_CHECK_DECLS([offsetof], , , [
2060#include <stddef.h>
2061	])
2062
2063# extra bits for select(2)
2064AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2065#include <sys/param.h>
2066#include <sys/types.h>
2067#ifdef HAVE_SYS_SYSMACROS_H
2068#include <sys/sysmacros.h>
2069#endif
2070#ifdef HAVE_SYS_SELECT_H
2071#include <sys/select.h>
2072#endif
2073#ifdef HAVE_SYS_TIME_H
2074#include <sys/time.h>
2075#endif
2076#ifdef HAVE_UNISTD_H
2077#include <unistd.h>
2078#endif
2079	]])
2080AC_CHECK_TYPES([fd_mask], [], [], [[
2081#include <sys/param.h>
2082#include <sys/types.h>
2083#ifdef HAVE_SYS_SELECT_H
2084#include <sys/select.h>
2085#endif
2086#ifdef HAVE_SYS_TIME_H
2087#include <sys/time.h>
2088#endif
2089#ifdef HAVE_UNISTD_H
2090#include <unistd.h>
2091#endif
2092	]])
2093
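AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have a setresuid that is present but not implemented.
	dnl The probe calls it once and treats errno == ENOSYS as broken, which
	dnl defines BROKEN_SETRESUID. Any other outcome counts as working.
	dnl unistd.h is included so the call is made with a declaration in scope
	dnl where the platform provides one; a compile failure of the probe would
	dnl otherwise be reported as not implemented.
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])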
2116
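AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have a setresgid that is present but not implemented.
	dnl The probe calls it once and treats errno == ENOSYS as broken, which
	dnl defines BROKEN_SETRESGID. Any other outcome counts as working.
	dnl unistd.h is included so the call is made with a declaration in scope
	dnl where the platform provides one; a compile failure of the probe would
	dnl otherwise be reported as not implemented.
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])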
2139
2140AC_MSG_CHECKING([for working fflush(NULL)])
2141AC_RUN_IFELSE(
2142	[AC_LANG_PROGRAM([[
2143#include <stdio.h>
2144#include <stdlib.h>
2145	]],
2146	[[fflush(NULL); exit(0);]])],
2147	AC_MSG_RESULT([yes]),
2148	[AC_MSG_RESULT([no])
2149	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2150	    [define if fflush(NULL) does not work])],
2151	AC_MSG_WARN([cross compiling: assuming working])
2152)
2153
2154dnl    Checks for time functions
2155AC_CHECK_FUNCS([gettimeofday time])
2156dnl    Checks for utmp functions
2157AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2158AC_CHECK_FUNCS([utmpname])
2159dnl    Checks for utmpx functions
2160AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2161AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2162dnl    Checks for lastlog functions
2163AC_CHECK_FUNCS([getlastlogxbyname])
2164
2165AC_CHECK_FUNC([daemon],
2166	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2167	[AC_CHECK_LIB([bsd], [daemon],
2168		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2169)
2170
2171AC_CHECK_FUNC([getpagesize],
2172	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2173		[Define if your libraries define getpagesize()])],
2174	[AC_CHECK_LIB([ucb], [getpagesize],
2175		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2176)
2177
2178# Check for broken snprintf
2179if test "x$ac_cv_func_snprintf" = "xyes" ; then
2180	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2181	AC_RUN_IFELSE(
2182		[AC_LANG_PROGRAM([[
2183#include <stdio.h>
2184#include <stdlib.h>
2185		]],
2186		[[
2187	char b[5];
2188	snprintf(b,5,"123456789");
2189	exit(b[4]!='\0');
2190		]])],
2191		[AC_MSG_RESULT([yes])],
2192		[
2193			AC_MSG_RESULT([no])
2194			AC_DEFINE([BROKEN_SNPRINTF], [1],
2195				[Define if your snprintf is busted])
2196			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2197		],
2198		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2199	)
2200fi
2201
2202if test "x$ac_cv_func_snprintf" = "xyes" ; then
2203	AC_MSG_CHECKING([whether snprintf understands %zu])
2204	AC_RUN_IFELSE(
2205		[AC_LANG_PROGRAM([[
2206#include <sys/types.h>
2207#include <stdio.h>
2208#include <stdlib.h>
2209#include <string.h>
2210		]],
2211		[[
2212	size_t a = 1, b = 2;
2213	char z[128];
2214	snprintf(z, sizeof z, "%zu%zu", a, b);
2215	exit(strcmp(z, "12"));
2216		]])],
2217		[AC_MSG_RESULT([yes])],
2218		[
2219			AC_MSG_RESULT([no])
2220			AC_DEFINE([BROKEN_SNPRINTF], [1],
2221				[snprintf does not understand %zu])
2222		],
2223		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2224	)
2225fi
2226
2227# We depend on vsnprintf returning the right thing on overflow: the
2228# number of characters it tried to create (as per SUSv3)
2229if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2230	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2231	AC_RUN_IFELSE(
2232		[AC_LANG_PROGRAM([[
2233#include <sys/types.h>
2234#include <stdio.h>
2235#include <stdarg.h>
2236
2237int x_snprintf(char *str, size_t count, const char *fmt, ...)
2238{
2239	size_t ret;
2240	va_list ap;
2241
2242	va_start(ap, fmt);
2243	ret = vsnprintf(str, count, fmt, ap);
2244	va_end(ap);
2245	return ret;
2246}
2247		]], [[
2248char x[1];
2249if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2250	return 1;
2251if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2252	return 1;
2253return 0;
2254		]])],
2255		[AC_MSG_RESULT([yes])],
2256		[
2257			AC_MSG_RESULT([no])
2258			AC_DEFINE([BROKEN_SNPRINTF], [1],
2259				[Define if your snprintf is busted])
2260			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2261		],
2262		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2263	)
2264fi
2265
2266# On systems where [v]snprintf is broken, but is declared in stdio,
2267# check that the fmt argument is const char * or just char *.
2268# This is only useful for when BROKEN_SNPRINTF
2269AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2270AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2271#include <stdio.h>
2272int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2273		]], [[
2274	snprintf(0, 0, 0);
2275		]])],
2276   [AC_MSG_RESULT([yes])
2277    AC_DEFINE([SNPRINTF_CONST], [const],
2278              [Define as const if snprintf() can declare const char *fmt])],
2279   [AC_MSG_RESULT([no])
2280    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2281
2282# Check for missing getpeereid (or equiv) support
2283NO_PEERCHECK=""
2284if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2285	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2286	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2287#include <sys/types.h>
2288#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2289		[ AC_MSG_RESULT([yes])
2290		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2291		], [AC_MSG_RESULT([no])
2292		NO_PEERCHECK=1
2293        ])
2294fi
2295
2296dnl make sure that openpty does not reacquire controlling terminal
2297if test ! -z "$check_for_openpty_ctty_bug"; then
2298	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2299	AC_RUN_IFELSE(
2300		[AC_LANG_PROGRAM([[
2301#include <stdio.h>
2302#include <stdlib.h>
2303#include <unistd.h>
2304#include <sys/fcntl.h>
2305#include <sys/types.h>
2306#include <sys/wait.h>
2307		]], [[
2308	pid_t pid;
2309	int fd, ptyfd, ttyfd, status;
2310
2311	pid = fork();
2312	if (pid < 0) {		/* failed */
2313		exit(1);
2314	} else if (pid > 0) {	/* parent */
2315		waitpid(pid, &status, 0);
2316		if (WIFEXITED(status))
2317			exit(WEXITSTATUS(status));
2318		else
2319			exit(2);
2320	} else {		/* child */
2321		close(0); close(1); close(2);
2322		setsid();
2323		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2324		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2325		if (fd >= 0)
2326			exit(3);	/* Acquired ctty: broken */
2327		else
2328			exit(0);	/* Did not acquire ctty: OK */
2329	}
2330		]])],
2331		[
2332			AC_MSG_RESULT([yes])
2333		],
2334		[
2335			AC_MSG_RESULT([no])
2336			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2337		],
2338		[
2339			AC_MSG_RESULT([cross-compiling, assuming yes])
2340		]
2341	)
2342fi
2343
2344if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2345    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2346	AC_MSG_CHECKING([if getaddrinfo seems to work])
2347	AC_RUN_IFELSE(
2348		[AC_LANG_PROGRAM([[
2349#include <stdio.h>
2350#include <stdlib.h>
2351#include <sys/socket.h>
2352#include <netdb.h>
2353#include <errno.h>
2354#include <netinet/in.h>
2355
2356#define TEST_PORT "2222"
2357		]], [[
2358	int err, sock;
2359	struct addrinfo *gai_ai, *ai, hints;
2360	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2361
2362	memset(&hints, 0, sizeof(hints));
2363	hints.ai_family = PF_UNSPEC;
2364	hints.ai_socktype = SOCK_STREAM;
2365	hints.ai_flags = AI_PASSIVE;
2366
2367	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2368	if (err != 0) {
2369		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2370		exit(1);
2371	}
2372
2373	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2374		if (ai->ai_family != AF_INET6)
2375			continue;
2376
2377		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2378		    sizeof(ntop), strport, sizeof(strport),
2379		    NI_NUMERICHOST|NI_NUMERICSERV);
2380
2381		if (err != 0) {
2382			if (err == EAI_SYSTEM)
2383				perror("getnameinfo EAI_SYSTEM");
2384			else
2385				fprintf(stderr, "getnameinfo failed: %s\n",
2386				    gai_strerror(err));
2387			exit(2);
2388		}
2389
2390		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2391		if (sock < 0)
2392			perror("socket");
2393		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2394			if (errno == EBADF)
2395				exit(3);
2396		}
2397	}
2398	exit(0);
2399		]])],
2400		[
2401			AC_MSG_RESULT([yes])
2402		],
2403		[
2404			AC_MSG_RESULT([no])
2405			AC_DEFINE([BROKEN_GETADDRINFO])
2406		],
2407		[
2408			AC_MSG_RESULT([cross-compiling, assuming yes])
2409		]
2410	)
2411fi
2412
2413if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2414    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2415	AC_MSG_CHECKING([if getaddrinfo seems to work])
2416	AC_RUN_IFELSE(
2417		[AC_LANG_PROGRAM([[
2418#include <stdio.h>
2419#include <stdlib.h>
2420#include <sys/socket.h>
2421#include <netdb.h>
2422#include <errno.h>
2423#include <netinet/in.h>
2424
2425#define TEST_PORT "2222"
2426		]], [[
2427	int err, sock;
2428	struct addrinfo *gai_ai, *ai, hints;
2429	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2430
2431	memset(&hints, 0, sizeof(hints));
2432	hints.ai_family = PF_UNSPEC;
2433	hints.ai_socktype = SOCK_STREAM;
2434	hints.ai_flags = AI_PASSIVE;
2435
2436	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2437	if (err != 0) {
2438		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2439		exit(1);
2440	}
2441
2442	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2443		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2444			continue;
2445
2446		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2447		    sizeof(ntop), strport, sizeof(strport),
2448		    NI_NUMERICHOST|NI_NUMERICSERV);
2449
2450		if (ai->ai_family == AF_INET && err != 0) {
2451			perror("getnameinfo");
2452			exit(2);
2453		}
2454	}
2455	exit(0);
2456		]])],
2457		[
2458			AC_MSG_RESULT([yes])
2459			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2460				[Define if you have a getaddrinfo that fails
2461				for the all-zeros IPv6 address])
2462		],
2463		[
2464			AC_MSG_RESULT([no])
2465			AC_DEFINE([BROKEN_GETADDRINFO])
2466		],
2467		[
2468			AC_MSG_RESULT([cross-compiling, assuming no])
2469		]
2470	)
2471fi
2472
2473if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2474	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2475	    [#include <sys/types.h>
2476	     #include <sys/socket.h>
2477	     #include <netdb.h>])
2478fi
2479
2480if test "x$check_for_conflicting_getspnam" = "x1"; then
2481	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2482	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2483#include <shadow.h>
2484#include <stdlib.h>
2485		]],
2486		[[ exit(0); ]])],
2487		[
2488			AC_MSG_RESULT([no])
2489		],
2490		[
2491			AC_MSG_RESULT([yes])
2492			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2493			    [Conflicting defs for getspnam])
2494		]
2495	)
2496fi
2497
2498dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2499dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2500dnl for over ten years). Despite this incompatibility being reported during
2501dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2502dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2503dnl implementation.  Try to detect this mess, and assume the only safe option
2504dnl if we're cross compiling.
2505dnl
2506dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2507dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2508if test "x$ac_cv_func_strnvis" = "xyes"; then
2509	AC_MSG_CHECKING([for working strnvis])
2510	AC_RUN_IFELSE(
2511		[AC_LANG_PROGRAM([[
2512#include <signal.h>
2513#include <stdlib.h>
2514#include <string.h>
2515#include <unistd.h>
2516#include <vis.h>
2517static void sighandler(int sig) { _exit(1); }
2518		]], [[
2519	char dst[16];
2520
2521	signal(SIGSEGV, sighandler);
2522	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2523		exit(0);
2524	exit(1)
2525		]])],
2526		[AC_MSG_RESULT([yes])],
2527		[AC_MSG_RESULT([no])
2528		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2529		[AC_MSG_WARN([cross compiling: assuming broken])
2530		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2531	)
2532fi
2533
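dnl Run-time probe: install a SIGTERM handler with SA_RESTART, fork a child
dnl that signals the parent after one second, and block the parent in select.
dnl If select returns -1 the signal interrupted it and the probe reports yes;
dnl otherwise NO_SA_RESTART is defined. The child sends SIGKILL if the parent
dnl is still its parent one second after the SIGTERM, so the probe cannot hang
dnl on a select that was restarted.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/time.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	/* Do not hand the kernel an uninitialised signal mask. */
	sigemptyset(&sa.sa_mask);
	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do not interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)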
2573
2574AC_CHECK_FUNCS([getpgrp],[
2575	AC_MSG_CHECKING([if getpgrp accepts zero args])
2576	AC_COMPILE_IFELSE(
2577		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2578		[ AC_MSG_RESULT([yes])
2579		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2580		[ AC_MSG_RESULT([no])
2581		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2582	)
2583])
2584
# Search for OpenSSL
# CPPFLAGS and LDFLAGS are snapshotted first; --with-ssl-dir then prepends
# the include and library directories of the requested installation.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			# Paths starting with ./ or ../ are made absolute, presumably
			# so that the value embedded via rpath_opt does not depend on
			# the working directory at run time.
			# NOTE(review): other relative spellings such as a bare
			# "dir/ssl" are passed through unchanged - confirm intended.
			case "$withval" in
				./*|../*)	withval="`pwd`/$withval"
			esac
			# Library directory: PATH/lib, then PATH/lib64, else PATH.
			if test -d "$withval/lib"; then
				ssl_libdir="${withval}/lib"
			elif test -d "$withval/lib64"; then
				ssl_libdir="${withval}/lib64"
			else
				ssl_libdir="${withval}"
			fi
			# When rpath_opt is set the same directory is also passed
			# with that option, ahead of the existing LDFLAGS.
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${ssl_libdir} ${rpath_opt}${ssl_libdir} ${LDFLAGS}"
			else
				LDFLAGS="-L${ssl_libdir} ${LDFLAGS}"
			fi
			# Header directory: PATH/include when present, else PATH.
			if test -d "$withval/include"; then
				ssl_incdir="${withval}/include"
			else
				ssl_incdir="${withval}"
			fi
			CPPFLAGS="-I${ssl_incdir} ${CPPFLAGS}"
		fi
	]
)
2626
2627AC_ARG_WITH([openssl-header-check],
2628	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2629	[
2630		if test "x$withval" = "xno" ; then
2631			openssl_check_nonfatal=1
2632		fi
2633	]
2634)
2635
2636openssl_engine=no
2637AC_ARG_WITH([ssl-engine],
2638	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2639	[
2640		if test "x$withval" != "xno" ; then
2641			if test "x$openssl" = "xno" ; then
2642				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2643			fi
2644			openssl_engine=yes
2645		fi
2646	]
2647)
2648
2649if test "x$openssl" = "xyes" ; then
2650	LIBS="-lcrypto $LIBS"
2651	AC_TRY_LINK_FUNC([RAND_add], ,
2652	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2653	AC_CHECK_HEADER([openssl/opensslv.h], ,
2654	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2655
2656	# Determine OpenSSL header version
2657	AC_MSG_CHECKING([OpenSSL header version])
2658	AC_RUN_IFELSE(
2659		[AC_LANG_PROGRAM([[
2660	#include <stdlib.h>
2661	#include <stdio.h>
2662	#include <string.h>
2663	#include <openssl/opensslv.h>
2664	#define DATA "conftest.sslincver"
2665		]], [[
2666		FILE *fd;
2667		int rc;
2668
2669		fd = fopen(DATA,"w");
2670		if(fd == NULL)
2671			exit(1);
2672
2673		if ((rc = fprintf(fd, "%08lx (%s)\n",
2674		    (unsigned long)OPENSSL_VERSION_NUMBER,
2675		     OPENSSL_VERSION_TEXT)) < 0)
2676			exit(1);
2677
2678		exit(0);
2679		]])],
2680		[
2681			ssl_header_ver=`cat conftest.sslincver`
2682			AC_MSG_RESULT([$ssl_header_ver])
2683		],
2684		[
2685			AC_MSG_RESULT([not found])
2686			AC_MSG_ERROR([OpenSSL version header not found.])
2687		],
2688		[
2689			AC_MSG_WARN([cross compiling: not checking])
2690		]
2691	)
2692
2693	# Determining OpenSSL library version is version dependent.
2694	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2695
2696	# Determine OpenSSL library version
2697	AC_MSG_CHECKING([OpenSSL library version])
2698	AC_RUN_IFELSE(
2699		[AC_LANG_PROGRAM([[
2700	#include <stdio.h>
2701	#include <stdlib.h>
2702	#include <string.h>
2703	#include <openssl/opensslv.h>
2704	#include <openssl/crypto.h>
2705	#define DATA "conftest.ssllibver"
2706		]], [[
2707		FILE *fd;
2708		int rc;
2709
2710		fd = fopen(DATA,"w");
2711		if(fd == NULL)
2712			exit(1);
2713#ifndef OPENSSL_VERSION
2714# define OPENSSL_VERSION SSLEAY_VERSION
2715#endif
2716#ifndef HAVE_OPENSSL_VERSION
2717# define OpenSSL_version	SSLeay_version
2718#endif
2719#ifndef HAVE_OPENSSL_VERSION_NUM
2720# define OpenSSL_version_num	SSLeay
2721#endif
2722		if ((rc = fprintf(fd, "%08lx (%s)\n",
2723		    (unsigned long)OpenSSL_version_num(),
2724		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2725			exit(1);
2726
2727		exit(0);
2728		]])],
2729		[
2730			ssl_library_ver=`cat conftest.ssllibver`
2731			# Check version is supported.
2732			case "$ssl_library_ver" in
2733			10000*|0*)
2734				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2735		                ;;
2736			100*)   ;; # 1.0.x
2737			101000[[0123456]]*)
2738				# https://github.com/openssl/openssl/pull/4613
2739				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2740				;;
2741			101*)   ;; # 1.1.x
2742			200*)   ;; # LibreSSL
2743			300*)   ;; # OpenSSL development branch.
2744		        *)
2745				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2746		                ;;
2747			esac
2748			AC_MSG_RESULT([$ssl_library_ver])
2749		],
2750		[
2751			AC_MSG_RESULT([not found])
2752			AC_MSG_ERROR([OpenSSL library not found.])
2753		],
2754		[
2755			AC_MSG_WARN([cross compiling: not checking])
2756		]
2757	)
2758
2759	# Sanity check OpenSSL headers
2760	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2761	AC_RUN_IFELSE(
2762		[AC_LANG_PROGRAM([[
2763	#include <stdlib.h>
2764	#include <string.h>
2765	#include <openssl/opensslv.h>
2766	#include <openssl/crypto.h>
2767		]], [[
2768#ifndef HAVE_OPENSSL_VERSION_NUM
2769# define OpenSSL_version_num	SSLeay
2770#endif
2771		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2772		]])],
2773		[
2774			AC_MSG_RESULT([yes])
2775		],
2776		[
2777			AC_MSG_RESULT([no])
2778			if test "x$openssl_check_nonfatal" = "x"; then
2779				AC_MSG_ERROR([Your OpenSSL headers do not match your
2780	library. Check config.log for details.
2781	If you are sure your installation is consistent, you can disable the check
2782	by running "./configure --without-openssl-header-check".
2783	Also see contrib/findssl.sh for help identifying header/library mismatches.
2784	])
2785			else
2786				AC_MSG_WARN([Your OpenSSL headers do not match your
2787	library. Check config.log for details.
2788	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2789			fi
2790		],
2791		[
2792			AC_MSG_WARN([cross compiling: not checking])
2793		]
2794	)
2795
2796	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2797	AC_LINK_IFELSE(
2798		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2799		[[ ERR_load_crypto_strings(); ]])],
2800		[
2801			AC_MSG_RESULT([yes])
2802		],
2803		[
2804			AC_MSG_RESULT([no])
2805			saved_LIBS="$LIBS"
2806			LIBS="$LIBS -ldl"
2807			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2808			AC_LINK_IFELSE(
2809				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2810				[[ ERR_load_crypto_strings(); ]])],
2811				[
2812					AC_MSG_RESULT([yes])
2813				],
2814				[
2815					AC_MSG_RESULT([no])
2816					LIBS="$saved_LIBS"
2817				]
2818			)
2819		]
2820	)
2821
2822	AC_CHECK_FUNCS([ \
2823		BN_is_prime_ex \
2824		DSA_generate_parameters_ex \
2825		EVP_CIPHER_CTX_ctrl \
2826		EVP_DigestFinal_ex \
2827		EVP_DigestInit_ex \
2828		EVP_MD_CTX_cleanup \
2829		EVP_MD_CTX_copy_ex \
2830		EVP_MD_CTX_init \
2831		HMAC_CTX_init \
2832		RSA_generate_key_ex \
2833		RSA_get_default_method \
2834	])
2835
2836	# OpenSSL_add_all_algorithms may be a macro.
2837	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2838	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2839	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2840		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2841		[[#include <openssl/evp.h>]]
2842	    )
2843	)
2844
2845	# LibreSSL/OpenSSL 1.1x API
2846	AC_CHECK_FUNCS([ \
2847		OPENSSL_init_crypto \
2848		DH_get0_key \
2849		DH_get0_pqg \
2850		DH_set0_key \
2851		DH_set_length \
2852		DH_set0_pqg \
2853		DSA_get0_key \
2854		DSA_get0_pqg \
2855		DSA_set0_key \
2856		DSA_set0_pqg \
2857		DSA_SIG_get0 \
2858		DSA_SIG_set0 \
2859		ECDSA_SIG_get0 \
2860		ECDSA_SIG_set0 \
2861		EVP_CIPHER_CTX_iv \
2862		EVP_CIPHER_CTX_iv_noconst \
2863		EVP_CIPHER_CTX_get_iv \
2864		EVP_CIPHER_CTX_set_iv \
2865		RSA_get0_crt_params \
2866		RSA_get0_factors \
2867		RSA_get0_key \
2868		RSA_set0_crt_params \
2869		RSA_set0_factors \
2870		RSA_set0_key \
2871		RSA_meth_free \
2872		RSA_meth_dup \
2873		RSA_meth_set1_name \
2874		RSA_meth_get_finish \
2875		RSA_meth_set_priv_enc \
2876		RSA_meth_set_priv_dec \
2877		RSA_meth_set_finish \
2878		EVP_PKEY_get0_RSA \
2879		EVP_MD_CTX_new \
2880		EVP_MD_CTX_free \
2881		EVP_chacha20 \
2882	])
2883
2884	if test "x$openssl_engine" = "xyes" ; then
2885		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2886		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2887	#include <openssl/engine.h>
2888			]], [[
2889				ENGINE_load_builtin_engines();
2890				ENGINE_register_all_complete();
2891			]])],
2892			[ AC_MSG_RESULT([yes])
2893			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2894			     [Enable OpenSSL engine support])
2895			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2896		])
2897	fi
2898
2899	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2900	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2901	AC_LINK_IFELSE(
2902		[AC_LANG_PROGRAM([[
2903	#include <stdlib.h>
2904	#include <string.h>
2905	#include <openssl/evp.h>
2906		]], [[
2907		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2908		]])],
2909		[
2910			AC_MSG_RESULT([no])
2911		],
2912		[
2913			AC_MSG_RESULT([yes])
2914			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2915			    [libcrypto is missing AES 192 and 256 bit functions])
2916		]
2917	)
2918
2919	# Check for OpenSSL with EVP_aes_*ctr
2920	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2921	AC_LINK_IFELSE(
2922		[AC_LANG_PROGRAM([[
2923	#include <stdlib.h>
2924	#include <string.h>
2925	#include <openssl/evp.h>
2926		]], [[
2927		exit(EVP_aes_128_ctr() == NULL ||
2928		    EVP_aes_192_cbc() == NULL ||
2929		    EVP_aes_256_cbc() == NULL);
2930		]])],
2931		[
2932			AC_MSG_RESULT([yes])
2933			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2934			    [libcrypto has EVP AES CTR])
2935		],
2936		[
2937			AC_MSG_RESULT([no])
2938		]
2939	)
2940
2941	# Check for OpenSSL with EVP_aes_*gcm
2942	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2943	AC_LINK_IFELSE(
2944		[AC_LANG_PROGRAM([[
2945	#include <stdlib.h>
2946	#include <string.h>
2947	#include <openssl/evp.h>
2948		]], [[
2949		exit(EVP_aes_128_gcm() == NULL ||
2950		    EVP_aes_256_gcm() == NULL ||
2951		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2952		    EVP_CTRL_GCM_IV_GEN == 0 ||
2953		    EVP_CTRL_GCM_SET_TAG == 0 ||
2954		    EVP_CTRL_GCM_GET_TAG == 0 ||
2955		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2956		]])],
2957		[
2958			AC_MSG_RESULT([yes])
2959			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2960			    [libcrypto has EVP AES GCM])
2961		],
2962		[
2963			AC_MSG_RESULT([no])
2964			unsupported_algorithms="$unsupported_cipers \
2965			   aes128-gcm@openssh.com \
2966			   aes256-gcm@openssh.com"
2967		]
2968	)
2969
2970	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2971	AC_LINK_IFELSE(
2972		[AC_LANG_PROGRAM([[
2973	#include <stdlib.h>
2974	#include <string.h>
2975	#include <openssl/evp.h>
2976		]], [[
2977		if(EVP_DigestUpdate(NULL, NULL,0))
2978			exit(0);
2979		]])],
2980		[
2981			AC_MSG_RESULT([yes])
2982		],
2983		[
2984			AC_MSG_RESULT([no])
2985			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2986			    [Define if EVP_DigestUpdate returns void])
2987		]
2988	)
2989
2990	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2991	# because the system crypt() is more featureful.
2992	if test "x$check_for_libcrypt_before" = "x1"; then
2993		AC_CHECK_LIB([crypt], [crypt])
2994	fi
2995
2996	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2997	# version in OpenSSL.
2998	if test "x$check_for_libcrypt_later" = "x1"; then
2999		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3000	fi
3001	AC_CHECK_FUNCS([crypt DES_crypt])
3002
3003	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3004	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3005
3006	# Check complete ECC support in OpenSSL
3007	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3008	AC_LINK_IFELSE(
3009		[AC_LANG_PROGRAM([[
3010	#include <openssl/ec.h>
3011	#include <openssl/ecdh.h>
3012	#include <openssl/ecdsa.h>
3013	#include <openssl/evp.h>
3014	#include <openssl/objects.h>
3015	#include <openssl/opensslv.h>
3016		]], [[
3017		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3018		const EVP_MD *m = EVP_sha256(); /* We need this too */
3019		]])],
3020		[ AC_MSG_RESULT([yes])
3021		  enable_nistp256=1 ],
3022		[ AC_MSG_RESULT([no]) ]
3023	)
3024
3025	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3026	AC_LINK_IFELSE(
3027		[AC_LANG_PROGRAM([[
3028	#include <openssl/ec.h>
3029	#include <openssl/ecdh.h>
3030	#include <openssl/ecdsa.h>
3031	#include <openssl/evp.h>
3032	#include <openssl/objects.h>
3033	#include <openssl/opensslv.h>
3034		]], [[
3035		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3036		const EVP_MD *m = EVP_sha384(); /* We need this too */
3037		]])],
3038		[ AC_MSG_RESULT([yes])
3039		  enable_nistp384=1 ],
3040		[ AC_MSG_RESULT([no]) ]
3041	)
3042
3043	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3044	AC_LINK_IFELSE(
3045		[AC_LANG_PROGRAM([[
3046	#include <openssl/ec.h>
3047	#include <openssl/ecdh.h>
3048	#include <openssl/ecdsa.h>
3049	#include <openssl/evp.h>
3050	#include <openssl/objects.h>
3051	#include <openssl/opensslv.h>
3052		]], [[
3053		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3054		const EVP_MD *m = EVP_sha512(); /* We need this too */
3055		]])],
3056		[ AC_MSG_RESULT([yes])
3057		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3058		  AC_RUN_IFELSE(
3059			[AC_LANG_PROGRAM([[
3060	#include <stdlib.h>
3061	#include <openssl/ec.h>
3062	#include <openssl/ecdh.h>
3063	#include <openssl/ecdsa.h>
3064	#include <openssl/evp.h>
3065	#include <openssl/objects.h>
3066	#include <openssl/opensslv.h>
3067			]],[[
3068			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3069			const EVP_MD *m = EVP_sha512(); /* We need this too */
3070			exit(e == NULL || m == NULL);
3071			]])],
3072			[ AC_MSG_RESULT([yes])
3073			  enable_nistp521=1 ],
3074			[ AC_MSG_RESULT([no]) ],
3075			[ AC_MSG_WARN([cross-compiling: assuming yes])
3076			  enable_nistp521=1 ]
3077		  )],
3078		AC_MSG_RESULT([no])
3079	)
3080
3081	COMMENT_OUT_ECC="#no ecc#"
3082	TEST_SSH_ECC=no
3083
3084	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3085	    test x$enable_nistp521 = x1; then
3086		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3087		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3088		openssl_ecc=yes
3089	else
3090		openssl_ecc=no
3091	fi
3092	if test x$enable_nistp256 = x1; then
3093		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3094		    [libcrypto has NID_X9_62_prime256v1])
3095		TEST_SSH_ECC=yes
3096		COMMENT_OUT_ECC=""
3097	else
3098		unsupported_algorithms="$unsupported_algorithms \
3099			ecdsa-sha2-nistp256 \
3100			ecdh-sha2-nistp256 \
3101			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3102	fi
3103	if test x$enable_nistp384 = x1; then
3104		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3105		TEST_SSH_ECC=yes
3106		COMMENT_OUT_ECC=""
3107	else
3108		unsupported_algorithms="$unsupported_algorithms \
3109			ecdsa-sha2-nistp384 \
3110			ecdh-sha2-nistp384 \
3111			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3112	fi
3113	if test x$enable_nistp521 = x1; then
3114		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3115		TEST_SSH_ECC=yes
3116		COMMENT_OUT_ECC=""
3117	else
3118		unsupported_algorithms="$unsupported_algorithms \
3119			ecdh-sha2-nistp521 \
3120			ecdsa-sha2-nistp521 \
3121			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3122	fi
3123
3124	AC_SUBST([TEST_SSH_ECC])
3125	AC_SUBST([COMMENT_OUT_ECC])
3126else
3127	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3128	AC_CHECK_FUNCS([crypt])
3129fi
3130
# PKCS11/U2F depend on OpenSSL and dlopen().
# Both features start out as "yes".  Each failed prerequisite below replaces
# the value with a human-readable reason, and only the literal value "yes"
# enables the feature in the tests that follow this block.  Because every
# test overwrites the previous value, the reason finally reported is the one
# from the last failing check, not the first.
enable_pkcs11=yes
enable_sk=yes
if test "x$openssl" != "xyes" ; then
	enable_pkcs11="disabled; missing libcrypto"
	enable_sk="disabled; missing libcrypto"
fi
# Only security key support is switched off when OpenSSL lacks ECC.
if test "x$openssl_ecc" != "xyes" ; then
	enable_sk="disabled; OpenSSL has no ECC support"
fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
	enable_pkcs11="disabled; missing dlopen(3)"
	enable_sk="disabled; missing dlopen(3)"
fi
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
	enable_pkcs11="disabled; missing RTLD_NOW"
	enable_sk="disabled; missing RTLD_NOW"
fi
# An explicit opt-out is applied last, so it always wins over detection.
# disable_pkcs11 and disable_sk are set outside this part of the file.
if test ! -z "$disable_pkcs11" ; then
	enable_pkcs11="disabled by user"
fi
if test ! -z "$disable_sk" ; then
	enable_sk="disabled by user"
fi
3155
# Turn the status strings computed above into config.h defines.  The result
# line prints the status string itself, so a disabled feature shows its
# reason in the configure output.
AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])

# With security key support enabled the sk-dummy regress library is also
# substituted into the build; otherwise the substitution is an empty string.
AC_MSG_CHECKING([whether to enable U2F])
if test "x$enable_sk" = "xyes" ; then
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
else
	# Do not try to build sk-dummy library.
	AC_SUBST(SK_DUMMY_LIBRARY, [""])
fi
AC_MSG_RESULT([$enable_sk])
3171
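# Now check for built-in security key support.
# Runs only when security key support is enabled and enable_sk_internal is
# "yes" (set outside this part of the file).  Link flags come from
# pkg-config when it knows libfido2, otherwise from a fixed fallback.
# A missing library or header is a hard configure error, so a build that
# asked for built-in support cannot silently end up without it.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
	use_pkgconfig_for_libfido2=
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		if "$PKGCONFIG" --exists libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
		else
			AC_MSG_RESULT([no])
		fi
	fi
	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
		# PKGCONFIG is quoted everywhere it is run, so a tool path
		# containing whitespace is executed as one word.
		LIBFIDO2=`"$PKGCONFIG" --libs libfido2`
		CPPFLAGS="$CPPFLAGS `"$PKGCONFIG" --cflags libfido2`"
	else
		LIBFIDO2="-lfido2 -lcbor"
	fi
	# Everything except -lfido2 itself is passed as the extra libraries
	# for the link test below.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
		[ $OTHERLIBS ]
	)
	# Probe optional libfido2 entry points with the library temporarily
	# added to LIBS; LIBS is restored afterwards.
	saved_LIBS="$LIBS"
	LIBS="$LIBS $LIBFIDO2"
	AC_CHECK_FUNCS([ \
		fido_cred_prot \
		fido_cred_set_prot \
		fido_dev_get_touch_begin \
		fido_dev_get_touch_status \
		fido_dev_supports_cred_prot \
	])
	LIBS="$saved_LIBS"
	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi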
3218
# Probe for the arc4random family.  Each function that is found gets its own
# HAVE_ define in config.h.
AC_CHECK_FUNCS([ \
	arc4random \
	arc4random_buf \
	arc4random_stir \
	arc4random_uniform \
])
3225
# Look for libiaf.  When ia_openinfo is present and set_id links against
# the library, -liaf is added to SSHDLIBS and HAVE_LIBIAF is defined.
# LIBS is changed only for the duration of the probe and restored afterwards.
saved_LIBS="$LIBS"
AC_CHECK_LIB([iaf], [ia_openinfo], [
	LIBS="$LIBS -liaf"
	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
				AC_DEFINE([HAVE_LIBIAF], [1],
			[Define if system has libiaf that supports set_id])
				])
])
LIBS="$saved_LIBS"
3235
### Configure cryptographic random number support

# Check whether OpenSSL seeds itself
# The probe program is executed on the build host and exits 0 only when
# RAND_status() returns 1.  The answer therefore describes the machine that
# runs configure.  When cross compiling nothing can be executed and the
# result is assumed to be yes.
# OPENSSL_SEEDS_ITSELF is left unset, not set to "no", when the probe fails.
if test "x$openssl" = "xyes" ; then
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			OPENSSL_SEEDS_ITSELF=yes
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
fi
3264
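# PRNGD TCP socket
# --with-prngd-port=PORT selects a PRNGD/EGD daemon on localhost:PORT as the
# entropy source.  "no" clears the setting; any other value must consist of
# decimal digits only.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|*[[!0-9]]*)
			# Accept only decimal digits.  The value is emitted unquoted
			# into config.h, so anything else would become C source text.
			# Checking just the first character would let a value such
			# as 80abc through.
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)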
3286
# PRNGD Unix domain socket
# With the option given: "yes" means the default path, "no" clears it, and
# any other value must be an absolute path.  A port and a socket may not both
# be configured.  An unreadable socket only produces a warning.
# Without the option: if OpenSSL does not seed itself, the first readable
# socket or FIFO from a fixed list is chosen.  The path found on the build
# host is compiled into config.h, so the state of the build machine decides
# which path the installed binaries will use.
# NOTE(review): the path is placed between double quotes in config.h without
# escaping; a value containing a double quote or backslash would change the
# resulting C string.  Confirm whether such values should be rejected.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)
			withval="/var/run/egd-pool"
			;;
		no)
			withval=""
			;;
		/*)
			;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test ! -z "$withval" ; then
			if test ! -z "$PRNGD_PORT" ; then
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			fi
			if test ! -r "$withval" ; then
				AC_MSG_WARN([Entropy socket is not readable])
			fi
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break;
				fi
			done
			if test ! -z "$PRNGD_SOCKET" ; then
				AC_MSG_RESULT([$PRNGD_SOCKET])
			else
				AC_MSG_RESULT([not found])
			fi
		fi
	]
)
3337
# Which randomness source do we use?
# Precedence: PRNGD port, then PRNGD socket, then OpenSSL's own seeding.
# Without OpenSSL the build proceeds with only a warning that /dev/urandom
# will be used.  With OpenSSL but no usable source, configure stops.
# RAND_MSG is not assigned in the /dev/urandom branch.
if test ! -z "$PRNGD_PORT" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test ! -z "$PRNGD_SOCKET" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
	RAND_MSG="OpenSSL internal ONLY"
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3352
# Check for PAM libs
# PAM is opt-in: PAM_MSG stays "no" unless --with-pam is given with a value
# other than "no".  When requested, missing headers or a missing libpam stop
# configure, so the request is never silently dropped.
# The library probes run with LIBS saved and restored; -lpam, and -ldl when
# it is needed and not already in LIBS, are added to SSHDLIBS instead.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist])
			AC_CHECK_FUNCS([pam_putenv])
			LIBS="$saved_LIBS"

			PAM_MSG="yes"

			SSHDLIBS="$SSHDLIBS -lpam"
			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])

			if test $ac_cv_lib_dl_dlopen = yes; then
				case "$LIBS" in
				*-ldl*)
					# libdl already in LIBS
					;;
				*)
					SSHDLIBS="$SSHDLIBS -ldl"
					;;
				esac
			fi
		fi
	]
)
3390
# Optional override of the PAM service name compiled into sshd.  The bare
# values "yes" and "no" are ignored, which leaves SSHD_PAM_SERVICE undefined
# here.
# NOTE(review): the name is placed between double quotes in config.h without
# escaping or validation.  Confirm that callers only pass plain service names.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		if test "x$withval" != "xno" && \
		   test "x$withval" != "xyes" ; then
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
		fi
	]
)
3401
# Check for older PAM
# Runs only when PAM support was enabled above.  The test program calls
# pam_strerror with two arguments.  If it compiles, the library is treated as
# current; if it fails to compile, HAVE_OLD_PAM is defined and the summary
# string is changed to "yes (old library)".
if test "x$PAM_MSG" = "xyes" ; then
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])], [AC_MSG_RESULT([no])], [
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"

	])
fi
3424
# Choose the unprivileged account used for privilege separation.
# Default is "sshd"; on Cygwin hosts the default is the symbol
# CYGWIN_SSH_PRIVSEP_USER, which is emitted into config.h as a bare
# identifier instead of a string literal.
case "$host" in
*-*-cygwin*)
	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
	;;
*)
	SSH_PRIVSEP_USER=sshd
	;;
esac
# --with-privsep-user replaces the default unless the value is empty, "no"
# or "yes".  No check is made here that the named account exists.
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			SSH_PRIVSEP_USER=$withval
		fi
	]
)
# NOTE(review): in the string case the name is placed between double quotes
# in config.h without escaping.
if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
else
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
fi
AC_SUBST([SSH_PRIVSEP_USER])
3450
# seccomp filter detection, in two steps.
# Step 1: when have_linux_no_new_privs is 1 (set outside this part of the
# file), look for a declaration of SECCOMP_MODE_FILTER in linux/seccomp.h.
if test "x$have_linux_no_new_privs" = "x1" ; then
AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
])
fi
# Step 2: build a small program that references seccomp_audit_arch and the
# prctl interface.  This is a compile-and-link test only: the program is
# never executed, so its errno check is not evaluated at configure time and
# the result says nothing about the kernel the binaries will run on.
# A link failure clears have_seccomp_filter.
if test "x$have_seccomp_filter" = "x1" ; then
AC_MSG_CHECKING([kernel for seccomp_filter support])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
	[ AC_MSG_RESULT([yes]) ], [
		AC_MSG_RESULT([no])
		# Disable seccomp filter as a target
		have_seccomp_filter=0
	]
)
fi
3478
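# Decide which sandbox style to use
# sandbox_arg stays empty for auto-detection, which is also what a bare
# --with-sandbox or --with-sandbox=yes selects.  Any other value is treated
# as an explicit request and validated by the selection logic further down.
# The help text lists solaris as well, since the selection logic accepts it.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge, solaris)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)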
3491
# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
# The probe opens /dev/null, sets RLIMIT_FSIZE and RLIMIT_NOFILE to zero and
# then calls select on the already open descriptor; a return of -1 means "no".
# It is executed on the build host; when cross compiling the answer is
# assumed to be yes.
# NOTE(review): the return value of open is not checked inside the probe.
AC_MSG_CHECKING([if select works with descriptor rlimit])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int fd, r;
	fd_set fds;
	struct timeval tv;

	fd = open("/dev/null", O_RDONLY);
	FD_ZERO(&fds);
	FD_SET(fd, &fds);
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &rl_zero);
	setrlimit(RLIMIT_NOFILE, &rl_zero);
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	r = select(fd+1, &fds, NULL, NULL, &tv);
	exit (r == -1 ? 1 : 0);
	]])],
	[AC_MSG_RESULT([yes])
	 select_works_with_rlimit=yes],
	[AC_MSG_RESULT([no])
	 select_works_with_rlimit=no],
	[AC_MSG_WARN([cross compiling: assuming yes])
	 select_works_with_rlimit=yes]
)
3533
# Probe whether RLIMIT_NOFILE can be set to zero.  The result feeds the
# automatic choice of the rlimit sandbox further down.  The probe is executed
# on the build host; when cross compiling the answer is assumed to be yes.
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int r;

	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
	exit (r == -1 ? 1 : 0);
	]])],
	[AC_MSG_RESULT([yes])
	 rlimit_nofile_zero_works=yes],
	[AC_MSG_RESULT([no])
	 rlimit_nofile_zero_works=no],
	[AC_MSG_WARN([cross compiling: assuming yes])
	 rlimit_nofile_zero_works=yes]
)
3559
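# Probe whether RLIMIT_FSIZE can be set to zero.  SANDBOX_SKIP_RLIMIT_FSIZE is
# defined only when the probe fails, so its config.h description states the
# failure case.  The probe is executed on the build host; when cross
# compiling the limit is assumed to work and nothing is defined.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)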
3578
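# Select the privilege separation sandbox.
# Each branch is taken either because that style was requested explicitly or,
# when no style was requested, because its prerequisites were detected.  The
# first matching branch wins, giving the auto-detection order pledge,
# systrace, darwin, seccomp_filter, capsicum, rlimit, solaris, none.
# An explicit request whose prerequisites are missing is a configure error.
# NOTE(review): an explicit rlimit request does not test
# rlimit_nofile_zero_works, an explicit solaris request does not test
# SOLARIS_PRIVS, and an explicit seccomp_filter request does not retest the
# elf.h, linux/audit.h and linux/filter.h header results.  Confirm whether
# these should also be hard errors.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# Reaching this branch with an empty request means auto-detection
	# found no usable mechanism.  Say so, so that a build without a
	# sandbox is a visible outcome and not a silent one.
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([no supported privilege separation sandbox was detected; building without one])
	fi
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi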
3649
# Cheap hack to ensure NEWS-OS libraries are arranged right.
# SONY is set outside this part of the file; when it is non-empty,
# -liberty is appended to LIBS.
if test ! -z "$SONY" ; then
  LIBS="$LIBS -liberty";
fi
3654
# Check for long long datatypes
AC_CHECK_TYPES([long long, unsigned long long, long double])

# Check datatype sizes
AC_CHECK_SIZEOF([short int])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])

# Sanity check long long for some platforms (AIX)
# A 4-byte long long is recorded as size 0.  The int64_t requirement test
# later in the file compares this cached size against 0.
if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
	ac_cv_sizeof_long_long_int=0
fi
3668
# compute LLONG_MIN and LLONG_MAX if we don't know them.
# Runs only when neither have_llong_max nor have_long_long_max is set (both
# come from outside this part of the file).  The probe program writes the two
# values to conftest.llminmax; they are read back with awk and defined with
# an LL suffix.  The probe takes the values from limits.h when available and
# otherwise derives the maximum by shifting, then obtains the minimum by
# letting the maximum wrap.  A sanity check rejects inconsistent results
# before anything is written.  When cross compiling nothing is defined.
if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
	AC_MSG_CHECKING([for max value of long long])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
/* Why is this so damn hard? */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))

/*
 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
 * we do this the hard way.
 */
static int
fprint_ll(FILE *f, long long n)
{
	unsigned int i;
	int l[sizeof(long long) * 8];

	if (n < 0)
		if (fprintf(f, "-") < 0)
			return -1;
	for (i = 0; n != 0; i++) {
		l[i] = my_abs(n % 10);
		n /= 10;
	}
	do {
		if (fprintf(f, "%d", l[--i]) < 0)
			return -1;
	} while (i != 0);
	if (fprintf(f, " ") < 0)
		return -1;
	return 0;
}
		]], [[
	FILE *f;
	long long i, llmin, llmax = 0;

	if((f = fopen(DATA,"w")) == NULL)
		exit(1);

#if defined(LLONG_MIN) && defined(LLONG_MAX)
	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
	llmin = LLONG_MIN;
	llmax = LLONG_MAX;
#else
	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
	/* This will work on one's complement and two's complement */
	for (i = 1; i > llmax; i <<= 1, i++)
		llmax = i;
	llmin = llmax + 1LL;	/* wrap */
#endif

	/* Sanity check */
	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
		fprintf(f, "unknown unknown\n");
		exit(2);
	}

	if (fprint_ll(f, llmin) < 0)
		exit(3);
	if (fprint_ll(f, llmax) < 0)
		exit(4);
	if (fclose(f) < 0)
		exit(5);
	exit(0);
		]])],
		[
			llong_min=`$AWK '{print $1}' conftest.llminmax`
			llong_max=`$AWK '{print $2}' conftest.llminmax`

			AC_MSG_RESULT([$llong_max])
			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
			    [max value of long long calculated by configure])
			AC_MSG_CHECKING([for min value of long long])
			AC_MSG_RESULT([$llong_min])
			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
			    [min value of long long calculated by configure])
		],
		[
			AC_MSG_RESULT([not found])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
fi
3765
# Record whether UINT32_MAX is declared by any of the limits headers that
# earlier checks found.
AC_CHECK_DECLS([UINT32_MAX], , , [[
#ifdef HAVE_SYS_LIMITS_H
# include <sys/limits.h>
#endif
#ifdef HAVE_LIMITS_H
# include <limits.h>
#endif
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
]])
3777
# More checks for data types
# Pattern used by the checks that follow: a cached compile test declares a
# variable of the type, and a positive result defines the matching HAVE_
# macro.  Some checks also set a plain shell flag that later fallback
# checks consult.
AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ u_int a; a = 1;]])],
	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
	])
])
if test "x$ac_cv_have_u_int" = "xyes" ; then
	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
	have_u_int=1
fi
3789
# int8_t, int16_t and int32_t: look in sys/types.h first.
AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
	])
])
if test "x$ac_cv_have_intxx_t" = "xyes" ; then
	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
	have_intxx_t=1
fi

# Fallback: try stdint.h when sys/types.h did not provide the types.
# Note that have_intxx_t is not set by this fallback.
if (test -z "$have_intxx_t" && \
	   test "x$ac_cv_header_stdint_h" = "xyes")
then
    AC_MSG_CHECKING([for intXX_t types in stdint.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi
3813
# int64_t: searched across sys/types.h, stdint.h, sys/socket.h and
# sys/bitypes.h in a single compile test.  The cached result is consulted
# again by the int64_t requirement test later in the file.
AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <sys/socket.h>
#ifdef HAVE_SYS_BITYPES_H
# include <sys/bitypes.h>
#endif
		]], [[
int64_t a; a = 1;
		]])],
	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
	])
])
if test "x$ac_cv_have_int64_t" = "xyes" ; then
	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
fi
3833
# u_int8_t, u_int16_t and u_int32_t: look in sys/types.h first.
AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
	])
])
if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
	have_u_intxx_t=1
fi

# Fallback: try sys/socket.h.  have_u_intxx_t is not set by this fallback.
if test -z "$have_u_intxx_t" ; then
    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi
3855
# u_int64_t: look in sys/types.h first, then in sys/bitypes.h when that
# header exists.
AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ u_int64_t a; a = 1;]])],
	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
	])
])
if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
	have_u_int64_t=1
fi

if (test -z "$have_u_int64_t" && \
	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
then
    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
	[[ u_int64_t a; a = 1]])],
		[
			AC_DEFINE([HAVE_U_INT64_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi
3879
# uint8_t, uint16_t and uint32_t: only looked for when the u_intXX_t forms
# were not found in sys/types.h.
if test -z "$have_u_intxx_t" ; then
	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
			]], [[
	uint8_t a;
	uint16_t b;
	uint32_t c;
	a = b = c = 1;
			]])],
		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
		])
	])
	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
		AC_DEFINE([HAVE_UINTXX_T], [1],
			[define if you have uintxx_t data type])
	fi
fi

# Fallbacks in stdint.h and inttypes.h.
# NOTE(review): both guards test have_uintxx_t, but the check above only
# assigns ac_cv_have_uintxx_t.  No assignment to have_uintxx_t is visible in
# this part of the file, so these guards may always pass.  Verify.
if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_stdint_h" = "xyes")
then
    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_inttypes_h" = "xyes")
then
    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi

# Last resort for both signed and unsigned fixed-width types: sys/bitypes.h.
# The shell evaluates the mixed list left to right, so the guard reads as
# "either flag unset, and sys/bitypes.h present".
if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
then
	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
			int8_t a; int16_t b; int32_t c;
			u_int8_t e; u_int16_t f; u_int32_t g;
			a = b = c = e = f = g = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		], [AC_MSG_RESULT([no])
	])
fi
3943
3944
# u_char from sys/types.h.
AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ u_char foo; foo = 125; ]])],
	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
	])
])
if test "x$ac_cv_have_u_char" = "xyes" ; then
	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
fi
3954
# Widest integer types, looked up in sys/types.h and stdint.h.
AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
])

# Not defined in this part of the file; presumably a project macro from the
# m4 directory.
TYPE_SOCKLEN_T

AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
# Filesystem block and file count types, searched in the statfs and statvfs
# headers that earlier checks found.
AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
])
3977
# Record whether struct statfs has the f_files and f_flags members, using
# whichever of the candidate headers earlier checks found.
AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
#ifdef HAVE_SYS_VFS_H
#include <sys/vfs.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
]])
3997
3998
# IPv4 address and port types from netinet/in.h.
AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
[#include <sys/types.h>
#include <netinet/in.h>])
4002
# size_t and ssize_t from sys/types.h, clock_t from time.h.  Each is a cached
# compile test followed by the matching HAVE_ define.
AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ size_t foo; foo = 1235; ]])],
	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
	])
])
if test "x$ac_cv_have_size_t" = "xyes" ; then
	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
fi

AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ ssize_t foo; foo = 1235; ]])],
	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
	])
])
if test "x$ac_cv_have_ssize_t" = "xyes" ; then
	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
fi

AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
	[[ clock_t foo; foo = 1235; ]])],
	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
	])
])
if test "x$ac_cv_have_clock_t" = "xyes" ; then
	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
fi
4032
# sa_family_t: tried with sys/socket.h alone and, if that fails to compile,
# again with netinet/in.h added.
AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ sa_family_t foo; foo = 1235; ]])],
	[ ac_cv_have_sa_family_t="yes" ],
	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
		]], [[ sa_family_t foo; foo = 1235; ]])],
		[ ac_cv_have_sa_family_t="yes" ],
		[ ac_cv_have_sa_family_t="no" ]
	)
	])
])
if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
		[define if you have sa_family_t data type])
fi
4053
# pid_t and mode_t from sys/types.h.
AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ pid_t foo; foo = 1235; ]])],
	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
	])
])
if test "x$ac_cv_have_pid_t" = "xyes" ; then
	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
fi

AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
	[[ mode_t foo; foo = 1235; ]])],
	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
	])
])
if test "x$ac_cv_have_mode_t" = "xyes" ; then
	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
fi
4073
4074
# Socket address structures.  Each check is a cached compile test that
# declares the structure, and for the IPv6 ones also touches one member.
AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; ]])],
	[ ac_cv_have_struct_sockaddr_storage="yes" ],
	[ ac_cv_have_struct_sockaddr_storage="no"
	])
])
if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
		[define if you have struct sockaddr_storage data type])
fi

AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
	[ ac_cv_have_struct_sockaddr_in6="yes" ],
	[ ac_cv_have_struct_sockaddr_in6="no"
	])
])
if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
		[define if you have struct sockaddr_in6 data type])
fi

# The sin6_scope_id member is only looked for when struct in6_addr exists.
AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
	[ ac_cv_have_struct_in6_addr="yes" ],
	[ ac_cv_have_struct_in6_addr="no"
	])
])
if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
		[define if you have struct in6_addr data type])

dnl Now check for sin6_scope_id
	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
		[
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <netinet/in.h>
		])
fi
4125
# struct addrinfo from netdb.h; the test also requires AI_PASSIVE to exist.
AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
	[ ac_cv_have_struct_addrinfo="yes" ],
	[ ac_cv_have_struct_addrinfo="no"
	])
])
if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
		[define if you have struct addrinfo data type])
fi

# struct timeval from sys/time.h.  Also sets the have_struct_timeval flag.
AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
	[[ struct timeval tv; tv.tv_sec = 1;]])],
	[ ac_cv_have_struct_timeval="yes" ],
	[ ac_cv_have_struct_timeval="no"
	])
])
if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
	have_struct_timeval=1
fi

# struct timespec from sys/time.h and/or time.h, depending on what earlier
# header checks found.  Also sets the have_struct_timespec flag.
AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
    #ifdef TIME_WITH_SYS_TIME
    # include <sys/time.h>
    # include <time.h>
    #else
    # ifdef HAVE_SYS_TIME_H
    #  include <sys/time.h>
    # else
    #  include <time.h>
    # endif
    #endif
	]],
	[[ struct timespec ts; ts.tv_sec = 1;]])],
	[ ac_cv_have_struct_timespec="yes" ],
	[ ac_cv_have_struct_timespec="no"
	])
])
if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
	have_struct_timespec=1
fi
4175
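# We need int64_t or else certain parts of the compile will fail.
# The failure is reported through AC_MSG_ERROR so that it goes to stderr and
# config.log; configure still stops with exit status 1.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	AC_MSG_ERROR([OpenSSH requires int64_t support.  Contact your vendor or install
an alternative compiler (I.E., GCC) before continuing.])
else
dnl test snprintf (broken on SCO w/gcc)
dnl
dnl The probe formats the largest 64-bit signed value with %lld and compares
dnl the text.  main is declared with an explicit int return type: compilers
dnl that reject implicit int would otherwise fail to build the probe, and a
dnl probe that does not build is indistinguishable here from one that ran and
dnl failed, so BROKEN_SNPRINTF would be defined on a system whose snprintf
dnl is fine.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
	int maxsize = sizeof(buf);
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, maxsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi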
4215
dnl Checks for structure members
dnl Login-record fields, grouped by the header that is searched.
dnl utmp.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
dnl utmpx.h
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4235
# struct stat members, checked with the default includes.
AC_CHECK_MEMBERS([struct stat.st_blksize, struct stat.st_mtim,
struct stat.st_mtime])
# Optional struct passwd members.
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
struct passwd.pw_change, struct passwd.pw_expire],
[], [], [[
#include <sys/types.h>
#include <pwd.h>
]])

# When struct __res_state has no retrans member visible through resolv.h,
# the name __res_state is redefined to state.
AC_CHECK_MEMBER([struct __res_state.retrans], [],
	[AC_DEFINE([__res_state], [state],
	[Define if we don't have struct __res_state in resolv.h])],
[[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
]])
4257
# The address-family member of struct sockaddr_storage is probed under both
# spellings, ss_family and __ss_family; each has its own define.
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
		ac_cv_have_ss_family_in_struct_ss, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
	[ ac_cv_have_ss_family_in_struct_ss="no" ])
])
AS_IF([test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes"], [
	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
])

AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
		ac_cv_have___ss_family_in_struct_ss, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
	[ ac_cv_have___ss_family_in_struct_ss="no" ])
])
AS_IF([test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes"], [
	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
		[Fields in struct sockaddr_storage])
])
4285
dnl make sure we're using the real structure members and not defines
dnl The #error makes the probe fail when msg_accrights is only a macro, so
dnl the define below is emitted only for a genuine struct member.
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
		ac_cv_have_accrights_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ ac_cv_have_accrights_in_msghdr="yes" ],
		[ ac_cv_have_accrights_in_msghdr="no" ])
])
AS_IF([test "x$ac_cv_have_accrights_in_msghdr" = "xyes"], [
	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])
])
4312
# statvfs f_fsid layout.  If assigning an integer to f_fsid does not compile,
# two follow-up probes look for a val or __val array member in fsid_t.
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])

	AC_MSG_CHECKING([if fsid_t has member val])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
	]], [[ fsid_t t; t.val[0] = 0; ]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val])
	],
	[ AC_MSG_RESULT([no]) ])

	AC_MSG_CHECKING([if f_fsid has member __val])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
	]], [[ fsid_t t; t.__val[0] = 0; ]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val])
	],
	[ AC_MSG_RESULT([no]) ])
])
4348
# Ancillary-data style descriptor passing: msg_control must be a real member
# of struct msghdr.  The #error rejects a macro of the same name.
AC_CACHE_CHECK([for msg_control field in struct msghdr],
		ac_cv_have_control_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ ac_cv_have_control_in_msghdr="yes" ],
		[ ac_cv_have_control_in_msghdr="no" ])
])
AS_IF([test "x$ac_cv_have_control_in_msghdr" = "xyes"], [
	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])
])
4374
# Program and function name facilities.  These are link tests: the probe has
# to link, not merely compile, before the feature is reported.
AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
		[[ extern char *__progname; printf("%s", __progname); ]])],
	[ ac_cv_libc_defines___progname="yes" ],
	[ ac_cv_libc_defines___progname="no" ])
])
AS_IF([test "x$ac_cv_libc_defines___progname" = "xyes"], [
	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
])

AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
		[[ printf("%s", __FUNCTION__); ]])],
	[ ac_cv_cc_implements___FUNCTION__="yes" ],
	[ ac_cv_cc_implements___FUNCTION__="no" ])
])
AS_IF([test "x$ac_cv_cc_implements___FUNCTION__" = "xyes"], [
	AC_DEFINE([HAVE___FUNCTION__], [1],
		[Define if compiler implements __FUNCTION__])
])

AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
		[[ printf("%s", __func__); ]])],
	[ ac_cv_cc_implements___func__="yes" ],
	[ ac_cv_cc_implements___func__="no" ])
])
AS_IF([test "x$ac_cv_cc_implements___func__" = "xyes"], [
	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
])
4408
# va_copy and its older spelling __va_copy are probed independently, so both
# defines may be set on the same system.
AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ va_copy(x,y); ]])],
	[ ac_cv_have_va_copy="yes" ],
	[ ac_cv_have_va_copy="no" ])
])
AS_IF([test "x$ac_cv_have_va_copy" = "xyes"], [
	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
])

AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ __va_copy(x,y); ]])],
	[ ac_cv_have___va_copy="yes" ],
	[ ac_cv_have___va_copy="no" ])
])
AS_IF([test "x$ac_cv_have___va_copy" = "xyes"], [
	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
])
4433
# optreset: the probe declares the variable extern and assigns it, so the
# link only succeeds when libc really exports the symbol.
AC_CACHE_CHECK([whether getopt has optreset support],
		ac_cv_have_getopt_optreset, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
		[[ extern int optreset; optreset = 0; ]])],
	[ ac_cv_have_getopt_optreset="yes" ],
	[ ac_cv_have_getopt_optreset="no" ])
])
AS_IF([test "x$ac_cv_have_getopt_optreset" = "xyes"], [
	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
		[Define if your getopt(3) defines and uses optreset])
])
4446
# Legacy errno tables: sys_errlist and sys_nerr are each link-tested through
# an extern declaration.
AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
	[ ac_cv_libc_defines_sys_errlist="yes" ],
	[ ac_cv_libc_defines_sys_errlist="no" ])
])
AS_IF([test "x$ac_cv_libc_defines_sys_errlist" = "xyes"], [
	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
		[Define if your system defines sys_errlist[]])
])


AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
	[ ac_cv_libc_defines_sys_nerr="yes" ],
	[ ac_cv_libc_defines_sys_nerr="no" ])
])
AS_IF([test "x$ac_cv_libc_defines_sys_nerr" = "xyes"], [
	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
])
4470
# Check libraries needed by DNS fingerprint support
# If getrrsetbyname is not found in libc or libresolv, the fallback branch
# collects what a bundled implementation needs: res_query and dn_expand, the
# _getshort and _getlong helpers, and the ad bit in the DNS HEADER struct.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
		   [AC_MSG_RESULT([yes])],
		   [AC_MSG_RESULT([no])
		    # Second attempt with -lresolv forced onto LIBS; the old
		    # value is restored if that does not link either.
		    saved_LIBS="$LIBS"
		    LIBS="$LIBS -lresolv"
		    AC_MSG_CHECKING([for res_query in -lresolv])
		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
			[AC_MSG_RESULT([yes])],
			[LIBS="$saved_LIBS"
			 AC_MSG_RESULT([no])])
		    ])
		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], , ,
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
			[#include <arpa/nameser.h>])
	])
4516
# Link test for the resolver state object _res.  Taking its address through
# a volatile pointer keeps the reference from being optimised away, so the
# link fails when the symbol is not exported.
AC_MSG_CHECKING([if struct __res_state _res is an extern])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
		]], [[
struct __res_state *volatile p = &_res;  /* force resolution of _res */
return 0;
		]])],
		[
		 AC_MSG_RESULT([yes])
		 AC_DEFINE([HAVE__RES_EXTERN], [1],
		    [Define if you have struct __res_state _res as an extern])
		],
		[ AC_MSG_RESULT([no]) ]
)
4537
# Check whether user wants SELinux support
# Asking for SELinux is treated as a hard requirement: a missing header or
# library stops configure with an error instead of quietly producing a build
# without the support.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[ AS_IF([test "x$withval" != "xno"], [
		save_LIBS="$LIBS"
		AC_DEFINE([WITH_SELINUX], [1],
			[Define if you want SELinux support.])
		SELINUX_MSG="yes"
		AC_CHECK_HEADER([selinux/selinux.h], [],
			[AC_MSG_ERROR([SELinux support requires selinux.h header])])
		AC_CHECK_LIB([selinux], [setexeccon],
			[ LIBSELINUX="-lselinux"
			  LIBS="$LIBS -lselinux"
			],
			[AC_MSG_ERROR([SELinux support requires libselinux library])])
		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
		# Rebuild LIBS from the saved value plus the SELinux library.
		LIBS="$save_LIBS $LIBSELINUX"
	]) ]
)
AC_SUBST([SSHDLIBS])
4560
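# Check whether user wants Kerberos 5 support
#
# --with-kerberos5 alone uses /usr/local as the Kerberos root; any other
# value is taken as the root directory.  Two things in this block are worth
# knowing when the root is not a system directory:
#  - krb5-config is looked up in KRB5ROOT/bin ahead of PATH and is executed
#    by configure; its output is appended to CPPFLAGS and stored in K5LIBS
#    and GSSLIBS.  The script therefore needs to be as trusted as the
#    compiler itself.
#  - when rpath_opt is set, KRB5ROOT/lib is added to LDFLAGS behind that
#    option, presumably as a run-time library search path.  A directory that
#    unprivileged users can write to should not be used as KRB5ROOT.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT="${withval}"
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		# Quoted so that a root directory containing blanks is tested as
		# one path instead of making test fail and silently selecting
		# the manual branch below.
		if test -x "$KRB5CONF" ; then
			K5CFLAGS="`$KRB5CONF --cflags`"
			K5LIBS="`$KRB5CONF --libs`"
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			# Run without arguments, krb5-config is expected to list
			# the libraries it knows about.
			if $KRB5CONF | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
				GSSLIBS="`$KRB5CONF --libs gssapi`"
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No usable krb5-config: derive include and library
			# directories from KRB5ROOT and pick the library list by
			# hand, depending on whether krb5.h is Heimdal.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			# Try the GSS-API library names in turn.  Finding none is
			# only a warning, so the failure surfaces later at link
			# time.
			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
					])
				])

			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
				  )
				]
			)

			# The extra include directory is kept only if it makes
			# gssapi_krb5.h visible.
			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# The Kerberos libraries are on LIBS only for this function
		# check; K5LIBS and GSSLIBS are exported separately below.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])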
4688
4689# Looking for programs, paths and files
4690
# Directory used as the privilege separation chroot.  Only a real path
# overrides the default; an empty value, "yes" and "no" are ignored.
# The path is substituted as given and is not checked here.  Since it is
# used as a chroot, the directory is normally expected to be empty and
# writable by root only.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		case "x${withval}" in
		x|xno|xyes) ;;
		*) PRIVSEP_PATH=$withval ;;
		esac
	]
)
AC_SUBST([PRIVSEP_PATH])
4702
# Locate xauth.  An explicit --with-xauth=PATH is used as given.  Without
# the option, the builder's PATH is searched first and then a few
# traditional X11 directories; if anything was found and the OpenWindows
# copy is executable, that copy is used instead.
# NOTE(review): the search starts with the PATH of whoever runs configure,
# so the recorded location is only as trustworthy as that PATH.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		AS_IF([test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"], [
			xauth_path=$withval
		])
	],
	[
		TestPath="$PATH"
		for xdir in /usr/X/bin /usr/bin/X11 /usr/X11R6/bin /usr/openwin/bin; do
			TestPath="${TestPath}${PATH_SEPARATOR}${xdir}"
		done
		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4723
# STRIP_OPT is substituted with the value -s unless --disable-strip is
# given, in which case it is substituted empty.
STRIP_OPT=-s
AC_ARG_ENABLE([strip],
	[  --disable-strip         Disable calling strip(1) on install],
	[
		AS_IF([test "x$enableval" = "xno"], [
			STRIP_OPT=
		])
	]
)
AC_SUBST([STRIP_OPT])
4734
# Publish the xauth location.  With no xauth found, only the substitution
# is made, with the literal value "undefined", and nothing is defined in
# config.h.
# NOTE(review): a value given with --with-xauth is recorded as-is, so a
# relative path ends up in config.h unchanged - confirm callers expect that.
AS_IF([test -z "$xauth_path"], [
	XAUTH_PATH="undefined"
], [
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
	XAUTH_PATH=$xauth_path
])
AC_SUBST([XAUTH_PATH])
4744
dnl # Mail directory selection, in priority order:
dnl #  1. --with-maildir=/path/to/mail
dnl #  2. maildir as preset by the platform case statement above
dnl #  3. a small program that reports the value from the system headers,
dnl #     trying _PATH_MAILDIR, then MAILDIR, then _PATH_MAIL
dnl # When _PATH_MAILDIR is found nothing is defined, because that is what
dnl # session.c expects anyway.  Otherwise the value found is used with any
dnl # trailing slash stripped.  If for some strange reason the program does
dnl # not find what it needs, the default is /var/spool/mail.
# Check for mail directory
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	AS_IF([test "X$withval" != X  &&  test "x$withval" != xno  &&  \
	    test "x${withval}" != xyes], [
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
	])
     ],[
	if test "X$maildir" != "X"; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	/* Writes NAME:VALUE to conftest.maildir; exit status 2 means that
	 * none of the three macros is defined. */
	FILE *out = fopen(DATA,"w");

	if (out == NULL)
		exit(1);

#if defined (_PATH_MAILDIR)
	if (fprintf(out ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR) < 0)
		exit(1);
#elif defined (MAILDIR)
	if (fprintf(out ,"MAILDIR:%s\n", MAILDIR) < 0)
		exit(1);
#elif defined (_PATH_MAIL)
	if (fprintf(out ,"_PATH_MAIL:%s\n", _PATH_MAIL) < 0)
		exit(1);
#else
	exit (2);
#endif

	exit(0);
		]])],
		[
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    AS_IF([test "x$maildir_what" != "x_PATH_MAILDIR"], [
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    ])
		],
		[
		    AS_IF([test "X$ac_status" = "X2"], [
# our test program didn't find it. Default to /var/spool/mail
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		    ], [
			AC_MSG_RESULT([*** not found ***])
		    ])
		],
		[
			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir
4827
# /dev/ptmx is looked for on the build machine, so the check is skipped
# when cross compiling and when a platform section has set no_dev_ptmx.
AS_IF([test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"], [
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
	disable_ptmx_check=yes
])
AS_IF([test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes"], [
	AC_CHECK_FILE(["/dev/ptmx"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
				[Define if you have /dev/ptmx])
			have_dev_ptmx=1
		]
	)
])
4843
# /dev/ptc is likewise looked for on the build machine.  The warning branch
# is taken both when cross compiling and when cross_compiling is empty.
AS_IF([test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"], [
	AC_CHECK_FILE(["/dev/ptc"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
				[Define if you have /dev/ptc])
			have_dev_ptc=1
		]
	)
], [
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
])
4855
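# Options from here on. Some of these are preset by platform above
#
# Manual page format.  --with-mantype accepts only man, cat or doc.  When
# nothing was chosen, the format is detected by rendering ssh.1 with mandoc
# and then nroff, falling back to cat.
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		case "$withval" in
		man|cat|doc)
			MANTYPE=$withval
			;;
		*)
			AC_MSG_ERROR([invalid man type: $withval])
			;;
		esac
	]
)
if test -z "$MANTYPE"; then
	# Each formatter is tried only if it was actually found.  With an
	# empty MANDOC or NROFF the command line would otherwise begin with
	# the path of ssh.1, and the shell would try to execute that file.
	# The page path is quoted so a source directory containing blanks
	# is passed as one argument.
	if test -n "${MANDOC}" && \
	    ${MANDOC} "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi
AC_SUBST([MANTYPE])
# The doc format installs into the same subdirectory as man.
if test "$MANTYPE" = "doc"; then
	mansubdir=man;
else
	mansubdir=$MANTYPE;
fi
AC_SUBST([mansubdir])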
4888
# Check whether to enable MD5 passwords
# Off unless requested.  MD5-based password hashes are a legacy format, so
# this is normally only wanted for compatibility with existing accounts.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[
		AS_IF([test "x$withval" != "xno"], [
			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
				[Define if you want to allow MD5 passwords])
			MD5_MSG="yes"
		])
	]
)
4901
# Whether to disable shadow password support
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[
		AS_IF([test "x$withval" = "xno"], [
			AC_DEFINE([DISABLE_SHADOW])
			disable_shadow=yes
		])
	]
)

# Unless shadow support was disabled, check that struct spwd carries the
# sp_expire, sp_lstchg and sp_inact fields before enabling expiry handling.
AS_IF([test -z "$disable_shadow"], [
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[ sp_expire_available=yes ], [
	])

	AS_IF([test "x$sp_expire_available" = "xyes"], [
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
	], [
		AC_MSG_RESULT([no])
	])
])
4931
# Use ip address instead of hostname in $DISPLAY
# A platform preset of IPADDR_IN_DISPLAY wins; the command line option is
# only offered when no preset exists.
AS_IF([test ! -z "$IPADDR_IN_DISPLAY"], [
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
], [
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[
			AS_IF([test "x$withval" != "xno"], [
				AC_DEFINE([IPADDR_IN_DISPLAY])
				DISPLAY_HACK_MSG="yes"
			])
		]
	)
])
4950
# check for /etc/default/login and use it if present.
# The file is looked for on the build machine, so the default is to skip
# the check when cross compiling.
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[ AS_IF([test "x$enableval" = "xno"], [
		AC_MSG_NOTICE([/etc/default/login handling disabled])
		etc_default_login=no
	  ], [
		etc_default_login=yes
	  ]) ],
	[ AS_IF([test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"], [
		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
		etc_default_login=no
	  ], [
		etc_default_login=yes
	  ]) ]
)

AS_IF([test "x$etc_default_login" != "xno"], [
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	AS_IF([test "x$external_path_file" = "x/etc/default/login"], [
		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])
	])
])
4977
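dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both results are compared in the quoted x-prefixed form used by the
dnl other tests in this file, so an unset cache variable compares as not
dnl equal instead of leaving test with a missing operand.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi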
4983
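# Whether to mess with the default path
#
# With --with-default-path the given value becomes user_path, unless the
# system takes PATH from /etc/login.conf.  Without the option, the system
# standard path is read from the headers by a small test program, with a
# fixed fallback, and the install bindir is appended when it is missing so
# that scp can be found.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		# bindir may still contain unexpanded references such as
		# ${exec_prefix} or the NONE placeholder; expand until none
		# are left.  EGREP is the program found by AC_PROG_EGREP.
		t_bindir="${bindir}"
		while echo "${t_bindir}" | $EGREP '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole path components.  A pattern match on the bare
		# directory name would also accept a longer entry that merely
		# starts with it, and would treat dots in the name as wildcards,
		# leaving bindir out of the path although it is not listed.
		case ":${user_path}:" in
		*":${t_bindir}:"*)
			;;
		*)
			user_path=$user_path:$t_bindir
			AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			;;
		esac
	fi ]
)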
# USER_PATH is only defined and substituted when PATH does not come from
# /etc/login.conf.
AS_IF([test "x$external_path_file" != "x/etc/login.conf"], [
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
])
5072
# Set superuser path separately to user path
# Only a real value is accepted; an empty value, "yes" and "no" leave
# SUPERUSER_PATH undefined.  The value is recorded as given, so every
# directory listed should be one that only root can write to.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[
		case "x${withval}" in
		x|xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
				[Define if you want a different $PATH
				for the superuser])
			superuser_path=$withval
			;;
		esac
	]
)
5086
5087
# IPv4-mapped IPv6 address handling.  An explicit --with-4in6 or
# --without-4in6 decides; otherwise the platform default held in
# inet6_default_4in6 is used.
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH(4in6,
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[
		AS_IF([test "x$withval" != "xno"], [
			AC_MSG_RESULT([yes])
			AC_DEFINE([IPV4_IN_IPV6], [1],
				[Detect IPv4 in IPv6 mapped addresses
				and treat as IPv4])
			IPV4_IN6_HACK_MSG="yes"
		], [
			AC_MSG_RESULT([no])
		])
	], [
		AS_IF([test "x$inet6_default_4in6" = "xyes"], [
			AC_MSG_RESULT([yes (default)])
			AC_DEFINE([IPV4_IN_IPV6])
			IPV4_IN6_HACK_MSG="yes"
		], [
			AC_MSG_RESULT([no (default)])
		])
	]
)
5112
# Whether to enable BSD auth support
# Off unless requested.  No header or library is probed here; the option
# only sets the define and the summary message.
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[
		AS_IF([test "x$withval" != "xno"], [
			AC_DEFINE([BSD_AUTH], [1],
				[Define if you have BSD auth support])
			BSD_AUTH_MSG=yes
		])
	]
)
5125
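# Where to place sshd.pid
piddir=/var/run
# Fall back to the expanded sysconfdir when /var/run does not exist on the
# build host.
if test ! -d "$piddir" ; then
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo "$piddir" | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi

# An explicit directory overrides the default. Empty, "no" and "yes" are
# ignored. A missing directory only produces a warning.
AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			# Quoted so that a path containing whitespace is tested as
			# one word instead of making test fail and hiding the warning.
			if test ! -d "$piddir" ; then
				AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)

# NOTE(review): the directory is compiled in as _PATH_SSH_PIDDIR without any
# ownership or permission check; it should be writable by root only.
AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])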
5152
dnl allow user to disable some login recording features
dnl Each switch below defines its DISABLE macro only when the value is "no".
dnl NOTE(review): these records are a common source for login auditing and
dnl incident response, so a build that disables them should have another
dnl login audit trail in place.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_LASTLOG])
			;;
		esac
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMP])
			;;
		esac
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMP])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
			;;
		esac
	]
)
dnl Switches for the library routines that write login records. Each one
dnl defines its DISABLE macro only when the value is "no".
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_LOGIN])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
			;;
		esac
	]
)
dnl "no" disables lastlog, empty and "yes" change nothing, and any other
dnl value is taken as the lastlog location.
AC_ARG_WITH([lastlog],
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		case "x$withval" in
		xno)
			AC_DEFINE([DISABLE_LASTLOG])
			;;
		x|xyes)
			;;
		*)
			conf_lastlog_location=$withval
			;;
		esac
	]
)
5234
dnl lastlog, [uw]tmpx? detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog and [uw]tmp are subject to a file search if all else fails

dnl lastlog detection
dnl  NOTE: the code itself will detect if lastlog is a directory
dnl First try LASTLOG_FILE, then _PATH_LASTLOG. system_lastlog_path becomes
dnl "no" only when neither macro compiles.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			system_lastlog_path=no
		])
	])

dnl No configured location and no header macro: look in the usual places.
dnl The loop does not stop at the first hit, so the last existing candidate
dnl in the list is the one that is kept.
if test -z "$conf_lastlog_location" && test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		AC_MSG_WARN([** Cannot find lastlog **])
		dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
	fi
fi

dnl A location from the command line or from the search is compiled in.
if test -n "$conf_lastlog_location"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5295
dnl utmp detection
dnl If the headers do not define UTMP_FILE and no location is configured,
dnl search the usual places; utmp is disabled when none of them is a file.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		system_utmp_path=no
	])
if test -z "$conf_utmp_location" && test x"$system_utmp_path" = x"no" ; then
	dnl No break in the loop: the last existing candidate is kept.
	for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
		if test -f "$f" ; then
			conf_utmp_location=$f
		fi
	done
	if test -z "$conf_utmp_location"; then
		AC_DEFINE([DISABLE_UTMP])
	fi
fi
if test -n "$conf_utmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi
5325
dnl wtmp detection
dnl If the headers do not define WTMP_FILE and no location is configured,
dnl search the usual places; wtmp is disabled when none of them is a file.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		system_wtmp_path=no
	])
if test -z "$conf_wtmp_location" && test x"$system_wtmp_path" = x"no" ; then
	dnl No break in the loop: the last existing candidate is kept.
	for f in /usr/adm/wtmp /var/log/wtmp; do
		if test -f "$f" ; then
			conf_wtmp_location=$f
		fi
	done
	if test -z "$conf_wtmp_location"; then
		AC_DEFINE([DISABLE_WTMP])
	fi
fi
if test -n "$conf_wtmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi
5355
dnl wtmpx detection
dnl Unlike utmp and wtmp there is no file search here: a configured location
dnl is compiled in, otherwise wtmpx is disabled when WTMPX_FILE is undefined.
dnl NOTE(review): conf_wtmpx_location is not assigned in this part of the
dnl file; presumably a platform stanza sets it - confirm.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		system_wtmpx_path=no
	])
if test -n "$conf_wtmpx_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
elif test x"$system_wtmpx_path" = x"no" ; then
	AC_DEFINE([DISABLE_WTMPX])
fi
5380
5381
dnl Append the blibpath linker option when a platform stanza has set one.
dnl NOTE(review): blibpath is presumably a run-time library search path
dnl baked into the binaries; check that it names trusted directories only.
if test -n "$blibpath" ; then
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
5386
dnl Without an ll_line member in struct lastlog, lastlog recording is
dnl compiled out unless SKIP_DISABLE_LASTLOG_DEFINE is "yes".
dnl NOTE(review): SKIP_DISABLE_LASTLOG_DEFINE is not set in this part of the
dnl file; presumably a platform stanza sets it - confirm.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
	AC_DEFINE([DISABLE_LASTLOG])
    fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])

dnl Without a ut_line member in struct utmp, both utmp and wtmp recording
dnl are compiled out.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
5423
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
CFLAGS="$CFLAGS $werror_flags"

dnl TEST_SSH_IPV6 is "yes" only when getaddrinfo was found and
dnl BROKEN_GETADDRINFO is not declared.
TEST_SSH_IPV6=yes
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
	TEST_SSH_IPV6=no
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])

dnl The AFTER variables are appended last, after every configure test above.
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
# Each sed call removes only the first match, and only when a space comes
# before the flag, so a repeated or leading flag is left in the copy.
# NOTE(review): whatever is built with the NOPIE copies loses the
# position-independent hardening; confirm which Makefile targets use them.
LDFLAGS_NOPIE=$(echo "$LDFLAGS" | sed 's/ -pie//')
CFLAGS_NOPIE=$(echo "$CFLAGS" | sed 's/ -fPIE//')
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])
5448
AC_EXEEXT
dnl Output files generated from their templates, then write everything out.
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh])
AC_OUTPUT
5454
# Print summary of options

# Someone please show me a better way :)
# Each value goes through eval twice so that a variable reference nested
# inside another one is expanded as well.
# NOTE(review): eval runs the value as shell text, so a configure argument
# containing shell syntax is executed here with the privileges of whoever
# runs configure. Treat configure arguments as trusted input only.
A=$(eval echo ${prefix}) ; A=$(eval echo ${A})
B=$(eval echo ${bindir}) ; B=$(eval echo ${B})
C=$(eval echo ${sbindir}) ; C=$(eval echo ${C})
D=$(eval echo ${sysconfdir}) ; D=$(eval echo ${D})
E=$(eval echo ${libexecdir}/ssh-askpass) ; E=$(eval echo ${E})
F=$(eval echo ${mandir}/${mansubdir}X) ; F=$(eval echo ${F})
G=$(eval echo ${piddir}) ; G=$(eval echo ${G})
H=$(eval echo ${PRIVSEP_PATH}) ; H=$(eval echo ${H})
I=$(eval echo ${user_path}) ; I=$(eval echo ${I})
J=$(eval echo ${superuser_path}) ; J=$(eval echo ${J})

echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
# The PATH lines depend on whether login.conf or another external file
# can supply the PATH at runtime.
if test "x$external_path_file" = "x/etc/login.conf" ; then
	echo "   At runtime, sshd will use the path defined in $external_path_file"
	echo "   Make sure the path to scp is present, otherwise scp will not work"
else
	echo "            sshd default user PATH: $I"
	if test -n "$external_path_file"; then
		echo "   (If PATH is set in $external_path_file it will be used instead. If"
		echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
if test -n "$superuser_path" ; then
	echo "          sshd superuser user PATH: $J"
fi
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"

echo ""

# Toolchain settings the build will use.
echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
if test -n "${SSHDLIBS}"; then
	echo "         +for sshd: ${SSHDLIBS}"
fi

echo ""
5523
# Closing notes; each one is printed only when its condition holds.
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
fi

# PAM builds need a control file for sshd installed separately.
if test "x$PAM_MSG" = "xyes" ; then
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
fi

# Printed when NO_PEERCHECK is non-empty: the build has no way to check
# which user is on the other end of an ssh-agent socket connection.
if test -n "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

# BSM audit is flagged as experimental.
if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
5551