xref: /openssh-portable/configure.ac (revision bbcc858d)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_SRCDIR([ssh.c])
18AC_LANG([C])
19
20AC_CONFIG_HEADER([config.h])
21AC_PROG_CC([cc gcc])
22AC_CANONICAL_HOST
23AC_C_BIGENDIAN
24
25# Checks for programs.
26AC_PROG_AWK
27AC_PROG_CPP
28AC_PROG_RANLIB
29AC_PROG_INSTALL
30AC_PROG_EGREP
31AC_PROG_MKDIR_P
32AC_CHECK_TOOLS([AR], [ar])
33AC_PATH_PROG([CAT], [cat])
34AC_PATH_PROG([KILL], [kill])
35AC_PATH_PROG([SED], [sed])
36AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
37AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
38AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
39AC_PATH_PROG([SH], [sh])
40AC_PATH_PROG([GROFF], [groff])
41AC_PATH_PROG([NROFF], [nroff awf])
42AC_PATH_PROG([MANDOC], [mandoc])
43AC_SUBST([TEST_SHELL], [sh])
44
45dnl select manpage formatter to be used to build "cat" format pages.
46if test "x$MANDOC" != "x" ; then
47	MANFMT="$MANDOC"
48elif test "x$NROFF" != "x" ; then
49	MANFMT="$NROFF -mandoc"
50elif test "x$GROFF" != "x" ; then
51	MANFMT="$GROFF -mandoc -Tascii"
52else
53	AC_MSG_WARN([no manpage formatter found])
54	MANFMT="false"
55fi
56AC_SUBST([MANFMT])
57
58dnl for buildpkg.sh
59AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
60	[/usr/sbin${PATH_SEPARATOR}/etc])
61AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
62	[/usr/sbin${PATH_SEPARATOR}/etc])
63AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
64if test -x /sbin/sh; then
65	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
66else
67	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
68fi
69
70# System features
71AC_SYS_LARGEFILE
72
73if test -z "$AR" ; then
74	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
75fi
76
77AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
78if test ! -z "$PATH_PASSWD_PROG" ; then
79	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
80		[Full path of your "passwd" program])
81fi
82
83dnl Since autoconf doesn't support it very well,  we no longer allow users to
84dnl override LD, however keeping the hook here for now in case there's a use
85dnl use case we overlooked and someone needs to re-enable it.  Unless a good
86dnl reason is found we'll be removing this in future.
87LD="$CC"
88AC_SUBST([LD])
89
90AC_C_INLINE
91
92AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
93AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
94AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
95	#include <sys/types.h>
96	#include <sys/param.h>
97	#include <dev/systrace.h>
98])
99AC_CHECK_DECL([RLIMIT_NPROC],
100    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
101	#include <sys/types.h>
102	#include <sys/resource.h>
103])
104AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
105	#include <sys/types.h>
106	#include <linux/prctl.h>
107])
108
109openssl=yes
110AC_ARG_WITH([openssl],
111	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
112	[  if test "x$withval" = "xno" ; then
113		openssl=no
114	   fi
115	]
116)
117AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
118if test "x$openssl" = "xyes" ; then
119	AC_MSG_RESULT([yes])
120	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
121else
122	AC_MSG_RESULT([no])
123fi
124
125use_stack_protector=1
126use_toolchain_hardening=1
127AC_ARG_WITH([stackprotect],
128    [  --without-stackprotect  Don't use compiler's stack protection], [
129    if test "x$withval" = "xno"; then
130	use_stack_protector=0
131    fi ])
132AC_ARG_WITH([hardening],
133    [  --without-hardening     Don't use toolchain hardening flags], [
134    if test "x$withval" = "xno"; then
135	use_toolchain_hardening=0
136    fi ])
137
138# We use -Werror for the tests only so that we catch warnings like "this is
139# on by default" for things like -fPIE.
140AC_MSG_CHECKING([if $CC supports -Werror])
141saved_CFLAGS="$CFLAGS"
142CFLAGS="$CFLAGS -Werror"
143AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
144	[ AC_MSG_RESULT([yes])
145	  WERROR="-Werror"],
146	[ AC_MSG_RESULT([no])
147	  WERROR="" ]
148)
149CFLAGS="$saved_CFLAGS"
150
151if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
152	OSSH_CHECK_CFLAG_COMPILE([-pipe])
153	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
154	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
155	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
156	OSSH_CHECK_CFLAG_COMPILE([-Wall])
157	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
158	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
159	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
160	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
161	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
162	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
163	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
164	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
165	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
166	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
167	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
168    if test "x$use_toolchain_hardening" = "x1"; then
169	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
170	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
171	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
172	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
173	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
174	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
175	# NB. -ftrapv expects certain support functions to be present in
176	# the compiler library (libgcc or similar) to detect integer operations
177	# that can overflow. We must check that the result of enabling it
178	# actually links. The test program compiled/linked includes a number
179	# of integer operations that should exercise this.
180	OSSH_CHECK_CFLAG_LINK([-ftrapv])
181    fi
182	AC_MSG_CHECKING([gcc version])
183	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
184	case $GCC_VER in
185		1.*) no_attrib_nonnull=1 ;;
186		2.8* | 2.9*)
187		     no_attrib_nonnull=1
188		     ;;
189		2.*) no_attrib_nonnull=1 ;;
190		*) ;;
191	esac
192	AC_MSG_RESULT([$GCC_VER])
193
194	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
195	saved_CFLAGS="$CFLAGS"
196	CFLAGS="$CFLAGS -fno-builtin-memset"
197	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
198			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
199		[ AC_MSG_RESULT([yes]) ],
200		[ AC_MSG_RESULT([no])
201		  CFLAGS="$saved_CFLAGS" ]
202	)
203
204	# -fstack-protector-all doesn't always work for some GCC versions
205	# and/or platforms, so we test if we can.  If it's not supported
206	# on a given platform gcc will emit a warning so we use -Werror.
207	if test "x$use_stack_protector" = "x1"; then
208	    for t in -fstack-protector-strong -fstack-protector-all \
209		    -fstack-protector; do
210		AC_MSG_CHECKING([if $CC supports $t])
211		saved_CFLAGS="$CFLAGS"
212		saved_LDFLAGS="$LDFLAGS"
213		CFLAGS="$CFLAGS $t -Werror"
214		LDFLAGS="$LDFLAGS $t -Werror"
215		AC_LINK_IFELSE(
216			[AC_LANG_PROGRAM([[
217	#include <stdio.h>
218	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
219			 ]],
220			[[
221	char x[256];
222	snprintf(x, sizeof(x), "XXX%d", func(1));
223			 ]])],
224		    [ AC_MSG_RESULT([yes])
225		      CFLAGS="$saved_CFLAGS $t"
226		      LDFLAGS="$saved_LDFLAGS $t"
227		      AC_MSG_CHECKING([if $t works])
228		      AC_RUN_IFELSE(
229			[AC_LANG_PROGRAM([[
230	#include <stdio.h>
231	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
232			]],
233			[[
234	char x[256];
235	snprintf(x, sizeof(x), "XXX%d", func(1));
236			]])],
237			[ AC_MSG_RESULT([yes])
238			  break ],
239			[ AC_MSG_RESULT([no]) ],
240			[ AC_MSG_WARN([cross compiling: cannot test])
241			  break ]
242		      )
243		    ],
244		    [ AC_MSG_RESULT([no]) ]
245		)
246		CFLAGS="$saved_CFLAGS"
247		LDFLAGS="$saved_LDFLAGS"
248	    done
249	fi
250
251	if test -z "$have_llong_max"; then
252		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
253		unset ac_cv_have_decl_LLONG_MAX
254		saved_CFLAGS="$CFLAGS"
255		CFLAGS="$CFLAGS -std=gnu99"
256		AC_CHECK_DECL([LLONG_MAX],
257		    [have_llong_max=1],
258		    [CFLAGS="$saved_CFLAGS"],
259		    [#include <limits.h>]
260		)
261	fi
262fi
263
264AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
265AC_COMPILE_IFELSE(
266    [AC_LANG_PROGRAM([[
267#include <stdlib.h>
268__attribute__((__unused__)) static void foo(void){return;}]],
269    [[ exit(0); ]])],
270    [ AC_MSG_RESULT([yes]) ],
271    [ AC_MSG_RESULT([no])
272      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
273	 [compiler does not accept __attribute__ on return types]) ]
274)
275
276AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
277AC_COMPILE_IFELSE(
278    [AC_LANG_PROGRAM([[
279#include <stdlib.h>
280typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
281    [[ exit(0); ]])],
282    [ AC_MSG_RESULT([yes]) ],
283    [ AC_MSG_RESULT([no])
284      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
285	 [compiler does not accept __attribute__ on prototype args]) ]
286)
287
288if test "x$no_attrib_nonnull" != "x1" ; then
289	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
290fi
291
292AC_ARG_WITH([rpath],
293	[  --without-rpath         Disable auto-added -R linker paths],
294	[
295		if test "x$withval" = "xno" ; then
296			rpath_opt=""
297		elif test "x$withval" = "xyes" ; then
298			rpath_opt="-R"
299		else
300			rpath_opt="$withval"
301		fi
302	]
303)
304
305# Allow user to specify flags
306AC_ARG_WITH([cflags],
307	[  --with-cflags           Specify additional flags to pass to compiler],
308	[
309		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
310		    test "x${withval}" != "xyes"; then
311			CFLAGS="$CFLAGS $withval"
312		fi
313	]
314)
315
316AC_ARG_WITH([cflags-after],
317	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
318	[
319		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
320		    test "x${withval}" != "xyes"; then
321			CFLAGS_AFTER="$withval"
322		fi
323	]
324)
325AC_ARG_WITH([cppflags],
326	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
327	[
328		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
329		    test "x${withval}" != "xyes"; then
330			CPPFLAGS="$CPPFLAGS $withval"
331		fi
332	]
333)
334AC_ARG_WITH([ldflags],
335	[  --with-ldflags          Specify additional flags to pass to linker],
336	[
337		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
338		    test "x${withval}" != "xyes"; then
339			LDFLAGS="$LDFLAGS $withval"
340		fi
341	]
342)
343AC_ARG_WITH([ldflags-after],
344	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
345	[
346		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
347		    test "x${withval}" != "xyes"; then
348			LDFLAGS_AFTER="$withval"
349		fi
350	]
351)
352AC_ARG_WITH([libs],
353	[  --with-libs             Specify additional libraries to link with],
354	[
355		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
356		    test "x${withval}" != "xyes"; then
357			LIBS="$LIBS $withval"
358		fi
359	]
360)
361AC_ARG_WITH([Werror],
362	[  --with-Werror           Build main code with -Werror],
363	[
364		if test -n "$withval"  &&  test "x$withval" != "xno"; then
365			werror_flags="-Werror"
366			if test "x${withval}" != "xyes"; then
367				werror_flags="$withval"
368			fi
369		fi
370	]
371)
372
373AC_CHECK_HEADERS([ \
374	blf.h \
375	bstring.h \
376	crypt.h \
377	crypto/sha2.h \
378	dirent.h \
379	endian.h \
380	elf.h \
381	err.h \
382	features.h \
383	fcntl.h \
384	floatingpoint.h \
385	fnmatch.h \
386	getopt.h \
387	glob.h \
388	ia.h \
389	iaf.h \
390	ifaddrs.h \
391	inttypes.h \
392	langinfo.h \
393	limits.h \
394	locale.h \
395	login.h \
396	maillock.h \
397	ndir.h \
398	net/if_tun.h \
399	netdb.h \
400	netgroup.h \
401	pam/pam_appl.h \
402	paths.h \
403	poll.h \
404	pty.h \
405	readpassphrase.h \
406	rpc/types.h \
407	security/pam_appl.h \
408	sha2.h \
409	shadow.h \
410	stddef.h \
411	stdint.h \
412	string.h \
413	strings.h \
414	sys/bitypes.h \
415	sys/byteorder.h \
416	sys/bsdtty.h \
417	sys/cdefs.h \
418	sys/dir.h \
419	sys/file.h \
420	sys/mman.h \
421	sys/label.h \
422	sys/ndir.h \
423	sys/poll.h \
424	sys/prctl.h \
425	sys/pstat.h \
426	sys/ptrace.h \
427	sys/random.h \
428	sys/select.h \
429	sys/stat.h \
430	sys/stream.h \
431	sys/stropts.h \
432	sys/strtio.h \
433	sys/statvfs.h \
434	sys/sysmacros.h \
435	sys/time.h \
436	sys/timers.h \
437	sys/vfs.h \
438	time.h \
439	tmpdir.h \
440	ttyent.h \
441	ucred.h \
442	unistd.h \
443	usersec.h \
444	util.h \
445	utime.h \
446	utmp.h \
447	utmpx.h \
448	vis.h \
449	wchar.h \
450])
451
452# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
453# to be included first.
454AC_CHECK_HEADERS([sys/audit.h], [], [], [
455#ifdef HAVE_SYS_TIME_H
456# include <sys/time.h>
457#endif
458#ifdef HAVE_SYS_TYPES_H
459# include <sys/types.h>
460#endif
461#ifdef HAVE_SYS_LABEL_H
462# include <sys/label.h>
463#endif
464])
465
466# sys/capsicum.h requires sys/types.h
467AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
468#ifdef HAVE_SYS_TYPES_H
469# include <sys/types.h>
470#endif
471])
472
473# net/route.h requires sys/socket.h and sys/types.h.
474# sys/sysctl.h also requires sys/param.h
475AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
476#ifdef HAVE_SYS_TYPES_H
477# include <sys/types.h>
478#endif
479#include <sys/param.h>
480#include <sys/socket.h>
481])
482
483# lastlog.h requires sys/time.h to be included first on Solaris
484AC_CHECK_HEADERS([lastlog.h], [], [], [
485#ifdef HAVE_SYS_TIME_H
486# include <sys/time.h>
487#endif
488])
489
490# sys/ptms.h requires sys/stream.h to be included first on Solaris
491AC_CHECK_HEADERS([sys/ptms.h], [], [], [
492#ifdef HAVE_SYS_STREAM_H
493# include <sys/stream.h>
494#endif
495])
496
497# login_cap.h requires sys/types.h on NetBSD
498AC_CHECK_HEADERS([login_cap.h], [], [], [
499#include <sys/types.h>
500])
501
502# older BSDs need sys/param.h before sys/mount.h
503AC_CHECK_HEADERS([sys/mount.h], [], [], [
504#include <sys/param.h>
505])
506
507# Android requires sys/socket.h to be included before sys/un.h
508AC_CHECK_HEADERS([sys/un.h], [], [], [
509#include <sys/types.h>
510#include <sys/socket.h>
511])
512
513# Messages for features tested for in target-specific section
514SIA_MSG="no"
515SPC_MSG="no"
516SP_MSG="no"
517SPP_MSG="no"
518
519# Support for Solaris/Illumos privileges (this test is used by both
520# the --with-solaris-privs option and --with-sandbox=solaris).
521SOLARIS_PRIVS="no"
522
523AC_CHECK_SIZEOF([size_t])
524
525# Check for some target-specific stuff
526case "$host" in
527*-*-aix*)
528	# Some versions of VAC won't allow macro redefinitions at
529	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
530	# particularly with older versions of vac or xlc.
531	# It also throws errors about null macro arguments, but these are
532	# not fatal.
533	AC_MSG_CHECKING([if compiler allows macro redefinitions])
534	AC_COMPILE_IFELSE(
535	    [AC_LANG_PROGRAM([[
536#define testmacro foo
537#define testmacro bar]],
538	    [[ exit(0); ]])],
539	    [ AC_MSG_RESULT([yes]) ],
540	    [ AC_MSG_RESULT([no])
541	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
542	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
543	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
544	    ]
545	)
546
547	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
548	if (test -z "$blibpath"); then
549		blibpath="/usr/lib:/lib"
550	fi
551	saved_LDFLAGS="$LDFLAGS"
552	if test "$GCC" = "yes"; then
553		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
554	else
555		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
556	fi
557	for tryflags in $flags ;do
558		if (test -z "$blibflags"); then
559			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
560			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
561			[blibflags=$tryflags], [])
562		fi
563	done
564	if (test -z "$blibflags"); then
565		AC_MSG_RESULT([not found])
566		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
567	else
568		AC_MSG_RESULT([$blibflags])
569	fi
570	LDFLAGS="$saved_LDFLAGS"
571	dnl Check for authenticate.  Might be in libs.a on older AIXes
572	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
573		[Define if you want to enable AIX4's authenticate function])],
574		[AC_CHECK_LIB([s], [authenticate],
575			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
576				LIBS="$LIBS -ls"
577			])
578		])
579	dnl Check for various auth function declarations in headers.
580	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
581	    passwdexpired, setauthdb], , , [#include <usersec.h>])
582	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
583	AC_CHECK_DECLS([loginfailed],
584	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
585	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
586		[[ (void)loginfailed("user","host","tty",0); ]])],
587		[AC_MSG_RESULT([yes])
588		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
589			[Define if your AIX loginfailed() function
590			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
591	    ])],
592	    [],
593	    [#include <usersec.h>]
594	)
595	AC_CHECK_FUNCS([getgrset setauthdb])
596	AC_CHECK_DECL([F_CLOSEM],
597	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
598	    [],
599	    [ #include <limits.h>
600	      #include <fcntl.h> ]
601	)
602	check_for_aix_broken_getaddrinfo=1
603	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
604	    [Define if your platform breaks doing a seteuid before a setuid])
605	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
606	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
607	dnl AIX handles lastlog as part of its login message
608	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
609	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
610		[Some systems need a utmpx entry for /bin/login to work])
611	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
612		[Define to a Set Process Title type if your system is
613		supported by bsd-setproctitle.c])
614	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
615	    [AIX 5.2 and 5.3 (and presumably newer) require this])
616	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
617	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
618	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
619	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
620	;;
621*-*-android*)
622	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
623	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
624	;;
625*-*-cygwin*)
626	check_for_libcrypt_later=1
627	LIBS="$LIBS /usr/lib/textreadmode.o"
628	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
629	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
630	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
631		[Define to disable UID restoration test])
632	AC_DEFINE([DISABLE_SHADOW], [1],
633		[Define if you want to disable shadow passwords])
634	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
635		[Define if X11 doesn't support AF_UNIX sockets on that system])
636	AC_DEFINE([DISABLE_FD_PASSING], [1],
637		[Define if your platform needs to skip post auth
638		file descriptor passing])
639	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
640	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
641	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
642	# reasons which cause compile warnings, so we disable those warnings.
643	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
644	;;
645*-*-dgux*)
646	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
647		[Define if your system choked on IP TOS setting])
648	AC_DEFINE([SETEUID_BREAKS_SETUID])
649	AC_DEFINE([BROKEN_SETREUID])
650	AC_DEFINE([BROKEN_SETREGID])
651	;;
652*-*-darwin*)
653	use_pie=auto
654	AC_MSG_CHECKING([if we have working getaddrinfo])
655	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
656main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
657		exit(0);
658	else
659		exit(1);
660}
661			]])],
662	[AC_MSG_RESULT([working])],
663	[AC_MSG_RESULT([buggy])
664	AC_DEFINE([BROKEN_GETADDRINFO], [1],
665		[getaddrinfo is broken (if present)])
666	],
667	[AC_MSG_RESULT([assume it is working])])
668	AC_DEFINE([SETEUID_BREAKS_SETUID])
669	AC_DEFINE([BROKEN_SETREUID])
670	AC_DEFINE([BROKEN_SETREGID])
671	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
672	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
673		[Define if your resolver libs need this for getrrsetbyname])
674	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
675	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
676	    [Use tunnel device compatibility to OpenBSD])
677	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
678	    [Prepend the address family to IP tunnel traffic])
679	m4_pattern_allow([AU_IPv])
680	AC_CHECK_DECL([AU_IPv4], [],
681	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
682	    [#include <bsm/audit.h>]
683	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
684	    [Define if pututxline updates lastlog too])
685	)
686	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
687		[Define to a Set Process Title type if your system is
688		supported by bsd-setproctitle.c])
689	AC_CHECK_FUNCS([sandbox_init])
690	AC_CHECK_HEADERS([sandbox.h])
691	AC_CHECK_LIB([sandbox], [sandbox_apply], [
692	    SSHDLIBS="$SSHDLIBS -lsandbox"
693	])
694	# proc_pidinfo()-based closefrom() replacement.
695	AC_CHECK_HEADERS([libproc.h])
696	AC_CHECK_FUNCS([proc_pidinfo])
697	;;
698*-*-dragonfly*)
699	SSHDLIBS="$SSHDLIBS -lcrypt"
700	TEST_MALLOC_OPTIONS="AFGJPRX"
701	;;
702*-*-haiku*)
703	LIBS="$LIBS -lbsd "
704	CFLAGS="$CFLAGS -D_BSD_SOURCE"
705	AC_CHECK_LIB([network], [socket])
706	AC_DEFINE([HAVE_U_INT64_T])
707	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
708	MANTYPE=man
709	;;
710*-*-hpux*)
711	# first we define all of the options common to all HP-UX releases
712	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
713	IPADDR_IN_DISPLAY=yes
714	AC_DEFINE([USE_PIPES])
715	AC_DEFINE([LOGIN_NEEDS_UTMPX])
716	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
717		[String used in /etc/passwd to denote locked account])
718	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
719	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
720	maildir="/var/mail"
721	LIBS="$LIBS -lsec"
722	AC_CHECK_LIB([xnet], [t_error], ,
723	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
724
725	# next, we define all of the options specific to major releases
726	case "$host" in
727	*-*-hpux10*)
728		if test -z "$GCC"; then
729			CFLAGS="$CFLAGS -Ae"
730		fi
731		;;
732	*-*-hpux11*)
733		AC_DEFINE([PAM_SUN_CODEBASE], [1],
734			[Define if you are using Solaris-derived PAM which
735			passes pam_messages to the conversation function
736			with an extra level of indirection])
737		AC_DEFINE([DISABLE_UTMP], [1],
738			[Define if you don't want to use utmp])
739		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
740		check_for_hpux_broken_getaddrinfo=1
741		check_for_conflicting_getspnam=1
742		;;
743	esac
744
745	# lastly, we define options specific to minor releases
746	case "$host" in
747	*-*-hpux10.26)
748		AC_DEFINE([HAVE_SECUREWARE], [1],
749			[Define if you have SecureWare-based
750			protected password database])
751		disable_ptmx_check=yes
752		LIBS="$LIBS -lsecpw"
753		;;
754	esac
755	;;
756*-*-irix5*)
757	PATH="$PATH:/usr/etc"
758	AC_DEFINE([BROKEN_INET_NTOA], [1],
759		[Define if you system's inet_ntoa is busted
760		(e.g. Irix gcc issue)])
761	AC_DEFINE([SETEUID_BREAKS_SETUID])
762	AC_DEFINE([BROKEN_SETREUID])
763	AC_DEFINE([BROKEN_SETREGID])
764	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
765		[Define if you shouldn't strip 'tty' from your
766		ttyname in [uw]tmp])
767	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
768	;;
769*-*-irix6*)
770	PATH="$PATH:/usr/etc"
771	AC_DEFINE([WITH_IRIX_ARRAY], [1],
772		[Define if you have/want arrays
773		(cluster-wide session management, not C arrays)])
774	AC_DEFINE([WITH_IRIX_PROJECT], [1],
775		[Define if you want IRIX project management])
776	AC_DEFINE([WITH_IRIX_AUDIT], [1],
777		[Define if you want IRIX audit trails])
778	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
779		[Define if you want IRIX kernel jobs])])
780	AC_DEFINE([BROKEN_INET_NTOA])
781	AC_DEFINE([SETEUID_BREAKS_SETUID])
782	AC_DEFINE([BROKEN_SETREUID])
783	AC_DEFINE([BROKEN_SETREGID])
784	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
785	AC_DEFINE([WITH_ABBREV_NO_TTY])
786	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
787	;;
788*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
789	check_for_libcrypt_later=1
790	AC_DEFINE([PAM_TTY_KLUDGE])
791	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
792	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
793	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
794	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
795	;;
796*-*-linux*)
797	no_dev_ptmx=1
798	use_pie=auto
799	check_for_libcrypt_later=1
800	check_for_openpty_ctty_bug=1
801	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
802	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
803	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
804	AC_DEFINE([PAM_TTY_KLUDGE], [1],
805		[Work around problematic Linux PAM modules handling of PAM_TTY])
806	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
807		[String used in /etc/passwd to denote locked account])
808	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
809	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
810		[Define to whatever link() returns for "not supported"
811		if it doesn't return EOPNOTSUPP.])
812	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
813	AC_DEFINE([USE_BTMP])
814	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
815	inet6_default_4in6=yes
816	case `uname -r` in
817	1.*|2.0.*)
818		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
819			[Define if cmsg_type is not passed correctly])
820		;;
821	esac
822	# tun(4) forwarding compat code
823	AC_CHECK_HEADERS([linux/if_tun.h])
824	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
825		AC_DEFINE([SSH_TUN_LINUX], [1],
826		    [Open tunnel devices the Linux tun/tap way])
827		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
828		    [Use tunnel device compatibility to OpenBSD])
829		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
830		    [Prepend the address family to IP tunnel traffic])
831	fi
832	AC_CHECK_HEADER([linux/if.h],
833	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
834		[Support routing domains using Linux VRF]), [], [
835#ifdef HAVE_SYS_TYPES_H
836# include <sys/types.h>
837#endif
838	    ])
839	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
840	    [], [#include <linux/types.h>])
841	# Obtain MIPS ABI
842	case "$host" in
843	mips*)
844		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
845#if _MIPS_SIM != _ABIO32
846#error
847#endif
848			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
849#if _MIPS_SIM != _ABIN32
850#error
851#endif
852				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
853#if _MIPS_SIM != _ABI64
854#error
855#endif
856					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
857				])
858			])
859		])
860		;;
861	esac
862	AC_MSG_CHECKING([for seccomp architecture])
863	seccomp_audit_arch=
864	case "$host" in
865	x86_64-*)
866		seccomp_audit_arch=AUDIT_ARCH_X86_64
867		# X32: AMD64 instructions in 32bit address space.
868		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
869			seccomp_audit_arch=AUDIT_ARCH_I386
870		fi
871		;;
872	i*86-*)
873		seccomp_audit_arch=AUDIT_ARCH_I386
874		;;
875	arm*-*)
876		seccomp_audit_arch=AUDIT_ARCH_ARM
877		;;
878	aarch64*-*)
879		seccomp_audit_arch=AUDIT_ARCH_AARCH64
880		;;
881	s390x-*)
882		seccomp_audit_arch=AUDIT_ARCH_S390X
883		;;
884	s390-*)
885		seccomp_audit_arch=AUDIT_ARCH_S390
886		;;
887	powerpc64-*)
888		seccomp_audit_arch=AUDIT_ARCH_PPC64
889		;;
890	powerpc64le-*)
891		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
892		;;
893	mips-*)
894		seccomp_audit_arch=AUDIT_ARCH_MIPS
895		;;
896	mipsel-*)
897		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
898		;;
899	mips64-*)
900		case "$mips_abi" in
901		"n32")
902			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
903			;;
904		"n64")
905			seccomp_audit_arch=AUDIT_ARCH_MIPS64
906			;;
907		esac
908		;;
909	mips64el-*)
910		case "$mips_abi" in
911		"n32")
912			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
913			;;
914		"n64")
915			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
916			;;
917		esac
918		;;
919	riscv64-*)
920		seccomp_audit_arch=AUDIT_ARCH_RISCV64
921		;;
922	esac
923	if test "x$seccomp_audit_arch" != "x" ; then
924		AC_MSG_RESULT(["$seccomp_audit_arch"])
925		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
926		    [Specify the system call convention in use])
927	else
928		AC_MSG_RESULT([architecture not supported])
929	fi
930	;;
931mips-sony-bsd|mips-sony-newsos4)
932	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
933	SONY=1
934	;;
935*-*-netbsd*)
936	check_for_libcrypt_before=1
937	if test "x$withval" != "xno" ; then
938		rpath_opt="-R"
939	fi
940	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
941	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
942	AC_CHECK_HEADER([net/if_tap.h], ,
943	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
944	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
945	    [Prepend the address family to IP tunnel traffic])
946	TEST_MALLOC_OPTIONS="AJRX"
947	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
948	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
949	;;
950*-*-freebsd*)
951	check_for_libcrypt_later=1
952	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
953	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
954	AC_CHECK_HEADER([net/if_tap.h], ,
955	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
956	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
957	TEST_MALLOC_OPTIONS="AJRX"
958	# Preauth crypto occasionally uses file descriptors for crypto offload
959	# and will crash if they cannot be opened.
960	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
961	    [define if setrlimit RLIMIT_NOFILE breaks things])
962	;;
963*-*-bsdi*)
964	AC_DEFINE([SETEUID_BREAKS_SETUID])
965	AC_DEFINE([BROKEN_SETREUID])
966	AC_DEFINE([BROKEN_SETREGID])
967	;;
968*-next-*)
969	conf_lastlog_location="/usr/adm/lastlog"
970	conf_utmp_location=/etc/utmp
971	conf_wtmp_location=/usr/adm/wtmp
972	maildir=/usr/spool/mail
973	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
974	AC_DEFINE([USE_PIPES])
975	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
976	;;
977*-*-openbsd*)
978	use_pie=auto
979	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
980	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
981	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
982	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
983	    [syslog_r function is safe to use in in a signal handler])
984	TEST_MALLOC_OPTIONS="AFGJPRX"
985	;;
986*-*-solaris*)
987	if test "x$withval" != "xno" ; then
988		rpath_opt="-R"
989	fi
990	AC_DEFINE([PAM_SUN_CODEBASE])
991	AC_DEFINE([LOGIN_NEEDS_UTMPX])
992	AC_DEFINE([PAM_TTY_KLUDGE])
993	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
994		[Define if pam_chauthtok wants real uid set
995		to the unpriv'ed user])
996	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
997	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
998	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
999		[Define if sshd somehow reacquires a controlling TTY
1000		after setsid()])
1001	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1002		in case the name is longer than 8 chars])
1003	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1004	external_path_file=/etc/default/login
1005	# hardwire lastlog location (can't detect it on some versions)
1006	conf_lastlog_location="/var/adm/lastlog"
1007	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1008	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1009	if test "$sol2ver" -ge 8; then
1010		AC_MSG_RESULT([yes])
1011		AC_DEFINE([DISABLE_UTMP])
1012		AC_DEFINE([DISABLE_WTMP], [1],
1013			[Define if you don't want to use wtmp])
1014	else
1015		AC_MSG_RESULT([no])
1016	fi
1017	AC_CHECK_FUNCS([setpflags])
1018	AC_CHECK_FUNCS([setppriv])
1019	AC_CHECK_FUNCS([priv_basicset])
1020	AC_CHECK_HEADERS([priv.h])
1021	AC_ARG_WITH([solaris-contracts],
1022		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1023		[
1024		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1025			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1026				[Define if you have Solaris process contracts])
1027			  LIBS="$LIBS -lcontract"
1028			  SPC_MSG="yes" ], )
1029		],
1030	)
1031	AC_ARG_WITH([solaris-projects],
1032		[  --with-solaris-projects Enable Solaris projects (experimental)],
1033		[
1034		AC_CHECK_LIB([project], [setproject],
1035			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1036				[Define if you have Solaris projects])
1037			LIBS="$LIBS -lproject"
1038			SP_MSG="yes" ], )
1039		],
1040	)
1041	AC_ARG_WITH([solaris-privs],
1042		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1043		[
1044		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1045		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1046			"x$ac_cv_header_priv_h" = "xyes" ; then
1047			SOLARIS_PRIVS=yes
1048			AC_MSG_RESULT([found])
1049			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1050				[Define to disable UID restoration test])
1051			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1052				[Define if you have Solaris privileges])
1053			SPP_MSG="yes"
1054		else
1055			AC_MSG_RESULT([not found])
1056			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1057		fi
1058		],
1059	)
1060	TEST_SHELL=$SHELL	# let configure find us a capable shell
1061	;;
1062*-*-sunos4*)
1063	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1064	AC_CHECK_FUNCS([getpwanam])
1065	AC_DEFINE([PAM_SUN_CODEBASE])
1066	conf_utmp_location=/etc/utmp
1067	conf_wtmp_location=/var/adm/wtmp
1068	conf_lastlog_location=/var/adm/lastlog
1069	AC_DEFINE([USE_PIPES])
1070	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1071	;;
1072*-ncr-sysv*)
1073	LIBS="$LIBS -lc89"
1074	AC_DEFINE([USE_PIPES])
1075	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1076	AC_DEFINE([SETEUID_BREAKS_SETUID])
1077	AC_DEFINE([BROKEN_SETREUID])
1078	AC_DEFINE([BROKEN_SETREGID])
1079	;;
1080*-sni-sysv*)
1081	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1082	AC_CHECK_LIB([dl], [dlsym], ,)
1083	# -lresolv needs to be at the end of LIBS or DNS lookups break
1084	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1085	IPADDR_IN_DISPLAY=yes
1086	AC_DEFINE([USE_PIPES])
1087	AC_DEFINE([IP_TOS_IS_BROKEN])
1088	AC_DEFINE([SETEUID_BREAKS_SETUID])
1089	AC_DEFINE([BROKEN_SETREUID])
1090	AC_DEFINE([BROKEN_SETREGID])
1091	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1092	external_path_file=/etc/default/login
1093	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1094	# Attention: always take care to bind libsocket and libnsl before libc,
1095	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1096	;;
1097# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1098*-*-sysv4.2*)
1099	AC_DEFINE([USE_PIPES])
1100	AC_DEFINE([SETEUID_BREAKS_SETUID])
1101	AC_DEFINE([BROKEN_SETREUID])
1102	AC_DEFINE([BROKEN_SETREGID])
1103	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1104	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1105	TEST_SHELL=$SHELL	# let configure find us a capable shell
1106	;;
1107# UnixWare 7.x, OpenUNIX 8
1108*-*-sysv5*)
1109	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1110	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1111	AC_DEFINE([USE_PIPES])
1112	AC_DEFINE([SETEUID_BREAKS_SETUID])
1113	AC_DEFINE([BROKEN_GETADDRINFO])
1114	AC_DEFINE([BROKEN_SETREUID])
1115	AC_DEFINE([BROKEN_SETREGID])
1116	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1117	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1118	TEST_SHELL=$SHELL	# let configure find us a capable shell
1119	check_for_libcrypt_later=1
1120	case "$host" in
1121	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1122		maildir=/var/spool/mail
1123		AC_DEFINE([BROKEN_UPDWTMPX])
1124		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1125			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1126			], , )
1127		;;
1128	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1129		;;
1130	esac
1131	;;
1132*-*-sysv*)
1133	;;
1134# SCO UNIX and OEM versions of SCO UNIX
1135*-*-sco3.2v4*)
1136	AC_MSG_ERROR("This Platform is no longer supported.")
1137	;;
1138# SCO OpenServer 5.x
1139*-*-sco3.2v5*)
1140	if test -z "$GCC"; then
1141		CFLAGS="$CFLAGS -belf"
1142	fi
1143	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1144	no_dev_ptmx=1
1145	AC_DEFINE([USE_PIPES])
1146	AC_DEFINE([HAVE_SECUREWARE])
1147	AC_DEFINE([DISABLE_SHADOW])
1148	AC_DEFINE([DISABLE_FD_PASSING])
1149	AC_DEFINE([SETEUID_BREAKS_SETUID])
1150	AC_DEFINE([BROKEN_GETADDRINFO])
1151	AC_DEFINE([BROKEN_SETREUID])
1152	AC_DEFINE([BROKEN_SETREGID])
1153	AC_DEFINE([WITH_ABBREV_NO_TTY])
1154	AC_DEFINE([BROKEN_UPDWTMPX])
1155	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1156	AC_CHECK_FUNCS([getluid setluid])
1157	MANTYPE=man
1158	TEST_SHELL=$SHELL	# let configure find us a capable shell
1159	SKIP_DISABLE_LASTLOG_DEFINE=yes
1160	;;
1161*-dec-osf*)
1162	AC_MSG_CHECKING([for Digital Unix SIA])
1163	no_osfsia=""
1164	AC_ARG_WITH([osfsia],
1165		[  --with-osfsia           Enable Digital Unix SIA],
1166		[
1167			if test "x$withval" = "xno" ; then
1168				AC_MSG_RESULT([disabled])
1169				no_osfsia=1
1170			fi
1171		],
1172	)
1173	if test -z "$no_osfsia" ; then
1174		if test -f /etc/sia/matrix.conf; then
1175			AC_MSG_RESULT([yes])
1176			AC_DEFINE([HAVE_OSF_SIA], [1],
1177				[Define if you have Digital Unix Security
1178				Integration Architecture])
1179			AC_DEFINE([DISABLE_LOGIN], [1],
1180				[Define if you don't want to use your
1181				system's login() call])
1182			AC_DEFINE([DISABLE_FD_PASSING])
1183			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1184			SIA_MSG="yes"
1185		else
1186			AC_MSG_RESULT([no])
1187			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1188			  [String used in /etc/passwd to denote locked account])
1189		fi
1190	fi
1191	AC_DEFINE([BROKEN_GETADDRINFO])
1192	AC_DEFINE([SETEUID_BREAKS_SETUID])
1193	AC_DEFINE([BROKEN_SETREUID])
1194	AC_DEFINE([BROKEN_SETREGID])
1195	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1196	;;
1197
1198*-*-nto-qnx*)
1199	AC_DEFINE([USE_PIPES])
1200	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1201	AC_DEFINE([DISABLE_LASTLOG])
1202	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1203	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1204	enable_etc_default_login=no	# has incompatible /etc/default/login
1205	case "$host" in
1206	*-*-nto-qnx6*)
1207		AC_DEFINE([DISABLE_FD_PASSING])
1208		;;
1209	esac
1210	;;
1211
1212*-*-ultrix*)
1213	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1214	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1215	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1216	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1217	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1218	# don't get a controlling tty.
1219	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1220	# On Ultrix some headers are not protected against multiple includes,
1221	# so we create wrappers and put it where the compiler will find it.
1222	AC_MSG_WARN([creating compat wrappers for headers])
1223	mkdir -p netinet
1224	for header in netinet/ip.h netdb.h resolv.h; do
1225		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1226		cat >$header <<EOD
1227#ifndef _SSH_COMPAT_${name}
1228#define _SSH_COMPAT_${name}
1229#include "/usr/include/${header}"
1230#endif
1231EOD
1232	done
1233	;;
1234
1235*-*-lynxos)
1236	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1237	AC_DEFINE([BROKEN_SETVBUF], [1],
1238	    [LynxOS has broken setvbuf() implementation])
1239	;;
1240esac
1241
1242AC_MSG_CHECKING([compiler and flags for sanity])
1243AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1244	[	AC_MSG_RESULT([yes]) ],
1245	[
1246		AC_MSG_RESULT([no])
1247		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1248	],
1249	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1250)
1251
1252dnl Checks for header files.
1253# Checks for libraries.
1254AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1255
1256dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1257AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1258	AC_CHECK_LIB([gen], [dirname], [
1259		AC_CACHE_CHECK([for broken dirname],
1260			ac_cv_have_broken_dirname, [
1261			save_LIBS="$LIBS"
1262			LIBS="$LIBS -lgen"
1263			AC_RUN_IFELSE(
1264				[AC_LANG_SOURCE([[
1265#include <libgen.h>
1266#include <string.h>
1267
1268int main(int argc, char **argv) {
1269    char *s, buf[32];
1270
1271    strncpy(buf,"/etc", 32);
1272    s = dirname(buf);
1273    if (!s || strncmp(s, "/", 32) != 0) {
1274	exit(1);
1275    } else {
1276	exit(0);
1277    }
1278}
1279				]])],
1280				[ ac_cv_have_broken_dirname="no" ],
1281				[ ac_cv_have_broken_dirname="yes" ],
1282				[ ac_cv_have_broken_dirname="no" ],
1283			)
1284			LIBS="$save_LIBS"
1285		])
1286		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1287			LIBS="$LIBS -lgen"
1288			AC_DEFINE([HAVE_DIRNAME])
1289			AC_CHECK_HEADERS([libgen.h])
1290		fi
1291	])
1292])
1293
1294AC_CHECK_FUNC([getspnam], ,
1295	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1296AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1297	[Define if you have the basename function.])])
1298
1299dnl zlib defaults to enabled
1300zlib=yes
1301AC_ARG_WITH([zlib],
1302	[  --with-zlib=PATH        Use zlib in PATH],
1303	[ if test "x$withval" = "xno" ; then
1304		zlib=no
1305	  elif test "x$withval" != "xyes"; then
1306		if test -d "$withval/lib"; then
1307			if test -n "${rpath_opt}"; then
1308				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1309			else
1310				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1311			fi
1312		else
1313			if test -n "${rpath_opt}"; then
1314				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1315			else
1316				LDFLAGS="-L${withval} ${LDFLAGS}"
1317			fi
1318		fi
1319		if test -d "$withval/include"; then
1320			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1321		else
1322			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1323		fi
1324	fi ]
1325)
1326
1327AC_MSG_CHECKING([for zlib])
1328if test "x${zlib}" = "xno"; then
1329	AC_MSG_RESULT([no])
1330else
1331	AC_MSG_RESULT([yes])
1332	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1333    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1334    AC_CHECK_LIB([z], [deflate], ,
1335	[
1336		saved_CPPFLAGS="$CPPFLAGS"
1337		saved_LDFLAGS="$LDFLAGS"
1338		save_LIBS="$LIBS"
1339		dnl Check default zlib install dir
1340		if test -n "${rpath_opt}"; then
1341			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1342		else
1343			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1344		fi
1345		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1346		LIBS="$LIBS -lz"
1347		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1348			[
1349				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1350			]
1351		)
1352	]
1353    )
1354
1355    AC_ARG_WITH([zlib-version-check],
1356	[  --without-zlib-version-check Disable zlib version check],
1357	[  if test "x$withval" = "xno" ; then
1358		zlib_check_nonfatal=1
1359	   fi
1360	]
1361    )
1362
1363    AC_MSG_CHECKING([for possibly buggy zlib])
1364    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1365#include <stdio.h>
1366#include <stdlib.h>
1367#include <zlib.h>
1368	]],
1369	[[
1370	int a=0, b=0, c=0, d=0, n, v;
1371	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1372	if (n != 3 && n != 4)
1373		exit(1);
1374	v = a*1000000 + b*10000 + c*100 + d;
1375	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1376
1377	/* 1.1.4 is OK */
1378	if (a == 1 && b == 1 && c >= 4)
1379		exit(0);
1380
1381	/* 1.2.3 and up are OK */
1382	if (v >= 1020300)
1383		exit(0);
1384
1385	exit(2);
1386	]])],
1387	AC_MSG_RESULT([no]),
1388	[ AC_MSG_RESULT([yes])
1389	  if test -z "$zlib_check_nonfatal" ; then
1390		AC_MSG_ERROR([*** zlib too old - check config.log ***
1391Your reported zlib version has known security problems.  It's possible your
1392vendor has fixed these problems without changing the version number.  If you
1393are sure this is the case, you can disable the check by running
1394"./configure --without-zlib-version-check".
1395If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1396See http://www.gzip.org/zlib/ for details.])
1397	  else
1398		AC_MSG_WARN([zlib version may have security problems])
1399	  fi
1400	],
1401	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1402    )
1403fi
1404
1405dnl UnixWare 2.x
1406AC_CHECK_FUNC([strcasecmp],
1407	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1408)
1409AC_CHECK_FUNCS([utimes],
1410	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1411					LIBS="$LIBS -lc89"]) ]
1412)
1413
1414dnl    Checks for libutil functions
1415AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1416AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1417AC_SEARCH_LIBS([scan_scaled], [util bsd])
1418AC_SEARCH_LIBS([login], [util bsd])
1419AC_SEARCH_LIBS([logout], [util bsd])
1420AC_SEARCH_LIBS([logwtmp], [util bsd])
1421AC_SEARCH_LIBS([openpty], [util bsd])
1422AC_SEARCH_LIBS([updwtmp], [util bsd])
1423AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1424
1425# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1426# or libnsl.
1427AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1428AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1429
1430# "Particular Function Checks"
1431# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1432AC_FUNC_STRFTIME
1433AC_FUNC_MALLOC
1434AC_FUNC_REALLOC
1435# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1436AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1437AC_RUN_IFELSE(
1438	[AC_LANG_PROGRAM(
1439		[[ #include <stdlib.h> ]],
1440		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1441	)],
1442	[ func_calloc_0_nonnull=yes ],
1443	[ func_calloc_0_nonnull=no ],
1444	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1445	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1446)
1447AC_MSG_RESULT([$func_calloc_0_nonnull])
1448
1449if test "x$func_calloc_0_nonnull" = "xyes"; then
1450	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1451else
1452	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1453	AC_DEFINE(calloc, rpl_calloc,
1454	    [Define to rpl_calloc if the replacement function should be used.])
1455fi
1456
1457# Check for ALTDIRFUNC glob() extension
1458AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1459AC_EGREP_CPP([FOUNDIT],
1460	[
1461		#include <glob.h>
1462		#ifdef GLOB_ALTDIRFUNC
1463		FOUNDIT
1464		#endif
1465	],
1466	[
1467		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1468			[Define if your system glob() function has
1469			the GLOB_ALTDIRFUNC extension])
1470		AC_MSG_RESULT([yes])
1471	],
1472	[
1473		AC_MSG_RESULT([no])
1474	]
1475)
1476
1477# Check for g.gl_matchc glob() extension
1478AC_MSG_CHECKING([for gl_matchc field in glob_t])
1479AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1480	[[ glob_t g; g.gl_matchc = 1; ]])],
1481	[
1482		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1483			[Define if your system glob() function has
1484			gl_matchc options in glob_t])
1485		AC_MSG_RESULT([yes])
1486	], [
1487		AC_MSG_RESULT([no])
1488])
1489
1490# Check for g.gl_statv glob() extension
1491AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1492AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1493#ifndef GLOB_KEEPSTAT
1494#error "glob does not support GLOB_KEEPSTAT extension"
1495#endif
1496glob_t g;
1497g.gl_statv = NULL;
1498]])],
1499	[
1500		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1501			[Define if your system glob() function has
1502			gl_statv options in glob_t])
1503		AC_MSG_RESULT([yes])
1504	], [
1505		AC_MSG_RESULT([no])
1506
1507])
1508
1509AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1510
1511AC_CHECK_DECL([VIS_ALL], ,
1512    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1513
1514AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1515AC_RUN_IFELSE(
1516	[AC_LANG_PROGRAM([[
1517#include <sys/types.h>
1518#include <dirent.h>]],
1519	[[
1520	struct dirent d;
1521	exit(sizeof(d.d_name)<=sizeof(char));
1522	]])],
1523	[AC_MSG_RESULT([yes])],
1524	[
1525		AC_MSG_RESULT([no])
1526		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1527			[Define if your struct dirent expects you to
1528			allocate extra space for d_name])
1529	],
1530	[
1531		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1532		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1533	]
1534)
1535
1536AC_MSG_CHECKING([for /proc/pid/fd directory])
1537if test -d "/proc/$$/fd" ; then
1538	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1539	AC_MSG_RESULT([yes])
1540else
1541	AC_MSG_RESULT([no])
1542fi
1543
1544# Check whether user wants to use ldns
1545LDNS_MSG="no"
1546AC_ARG_WITH(ldns,
1547	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1548	[
1549	ldns=""
1550	if test "x$withval" = "xyes" ; then
1551		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1552		if test "x$LDNSCONFIG" = "xno"; then
1553			LIBS="-lldns $LIBS"
1554			ldns=yes
1555		else
1556			LIBS="$LIBS `$LDNSCONFIG --libs`"
1557			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1558			ldns=yes
1559		fi
1560	elif test "x$withval" != "xno" ; then
1561			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1562			LDFLAGS="$LDFLAGS -L${withval}/lib"
1563			LIBS="-lldns $LIBS"
1564			ldns=yes
1565	fi
1566
1567	# Verify that it works.
1568	if test "x$ldns" = "xyes" ; then
1569		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1570		LDNS_MSG="yes"
1571		AC_MSG_CHECKING([for ldns support])
1572		AC_LINK_IFELSE(
1573			[AC_LANG_SOURCE([[
1574#include <stdio.h>
1575#include <stdlib.h>
1576#ifdef HAVE_STDINT_H
1577# include <stdint.h>
1578#endif
1579#include <ldns/ldns.h>
1580int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1581			]])
1582		],
1583			[AC_MSG_RESULT(yes)],
1584				[
1585					AC_MSG_RESULT(no)
1586					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1587				])
1588	fi
1589])
1590
1591# Check whether user wants libedit support
1592LIBEDIT_MSG="no"
1593AC_ARG_WITH([libedit],
1594	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1595	[ if test "x$withval" != "xno" ; then
1596		if test "x$withval" = "xyes" ; then
1597			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1598			if test "x$PKGCONFIG" != "xno"; then
1599				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1600				if "$PKGCONFIG" libedit; then
1601					AC_MSG_RESULT([yes])
1602					use_pkgconfig_for_libedit=yes
1603				else
1604					AC_MSG_RESULT([no])
1605				fi
1606			fi
1607		else
1608			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1609			if test -n "${rpath_opt}"; then
1610				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1611			else
1612				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1613			fi
1614		fi
1615		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1616			LIBEDIT=`$PKGCONFIG --libs libedit`
1617			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1618		else
1619			LIBEDIT="-ledit -lcurses"
1620		fi
1621		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1622		AC_CHECK_LIB([edit], [el_init],
1623			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1624			  LIBEDIT_MSG="yes"
1625			  AC_SUBST([LIBEDIT])
1626			],
1627			[ AC_MSG_ERROR([libedit not found]) ],
1628			[ $OTHERLIBS ]
1629		)
1630		AC_MSG_CHECKING([if libedit version is compatible])
1631		AC_COMPILE_IFELSE(
1632		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1633		    [[
1634	int i = H_SETSIZE;
1635	el_init("", NULL, NULL, NULL);
1636	exit(0);
1637		    ]])],
1638		    [ AC_MSG_RESULT([yes]) ],
1639		    [ AC_MSG_RESULT([no])
1640		      AC_MSG_ERROR([libedit version is not compatible]) ]
1641		)
1642	fi ]
1643)
1644
1645AUDIT_MODULE=none
1646AC_ARG_WITH([audit],
1647	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1648	[
1649	  AC_MSG_CHECKING([for supported audit module])
1650	  case "$withval" in
1651	  bsm)
1652		AC_MSG_RESULT([bsm])
1653		AUDIT_MODULE=bsm
1654		dnl    Checks for headers, libs and functions
1655		AC_CHECK_HEADERS([bsm/audit.h], [],
1656		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1657		    [
1658#ifdef HAVE_TIME_H
1659# include <time.h>
1660#endif
1661		    ]
1662)
1663		AC_CHECK_LIB([bsm], [getaudit], [],
1664		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1665		AC_CHECK_FUNCS([getaudit], [],
1666		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1667		# These are optional
1668		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1669		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1670		if test "$sol2ver" -ge 11; then
1671			SSHDLIBS="$SSHDLIBS -lscf"
1672			AC_DEFINE([BROKEN_BSM_API], [1],
1673				[The system has incomplete BSM API])
1674		fi
1675		;;
1676	  linux)
1677		AC_MSG_RESULT([linux])
1678		AUDIT_MODULE=linux
1679		dnl    Checks for headers, libs and functions
1680		AC_CHECK_HEADERS([libaudit.h])
1681		SSHDLIBS="$SSHDLIBS -laudit"
1682		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1683		;;
1684	  debug)
1685		AUDIT_MODULE=debug
1686		AC_MSG_RESULT([debug])
1687		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1688		;;
1689	  no)
1690		AC_MSG_RESULT([no])
1691		;;
1692	  *)
1693		AC_MSG_ERROR([Unknown audit module $withval])
1694		;;
1695	esac ]
1696)
1697
1698AC_ARG_WITH([pie],
1699    [  --with-pie              Build Position Independent Executables if possible], [
1700	if test "x$withval" = "xno"; then
1701		use_pie=no
1702	fi
1703	if test "x$withval" = "xyes"; then
1704		use_pie=yes
1705	fi
1706    ]
1707)
1708if test "x$use_pie" = "x"; then
1709	use_pie=no
1710fi
1711if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1712	# Turn off automatic PIE when toolchain hardening is off.
1713	use_pie=no
1714fi
1715if test "x$use_pie" = "xauto"; then
1716	# Automatic PIE requires gcc >= 4.x
1717	AC_MSG_CHECKING([for gcc >= 4.x])
1718	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1719#if !defined(__GNUC__) || __GNUC__ < 4
1720#error gcc is too old
1721#endif
1722]])],
1723	[ AC_MSG_RESULT([yes]) ],
1724	[ AC_MSG_RESULT([no])
1725	  use_pie=no ]
1726)
1727fi
1728if test "x$use_pie" != "xno"; then
1729	SAVED_CFLAGS="$CFLAGS"
1730	SAVED_LDFLAGS="$LDFLAGS"
1731	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1732	OSSH_CHECK_LDFLAG_LINK([-pie])
1733	# We use both -fPIE and -pie or neither.
1734	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1735	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1736	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1737		AC_MSG_RESULT([yes])
1738	else
1739		AC_MSG_RESULT([no])
1740		CFLAGS="$SAVED_CFLAGS"
1741		LDFLAGS="$SAVED_LDFLAGS"
1742	fi
1743fi
1744
1745AC_MSG_CHECKING([whether -fPIC is accepted])
1746SAVED_CFLAGS="$CFLAGS"
1747CFLAGS="$CFLAGS -fPIC"
1748AC_COMPILE_IFELSE(
1749	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1750   [AC_MSG_RESULT([yes])
1751    PICFLAG="-fPIC"; ],
1752   [AC_MSG_RESULT([no])
1753    PICFLAG=""; ])
1754CFLAGS="$SAVED_CFLAGS"
1755AC_SUBST([PICFLAG])
1756
1757dnl    Checks for library functions. Please keep in alphabetical order
1758AC_CHECK_FUNCS([ \
1759	Blowfish_initstate \
1760	Blowfish_expandstate \
1761	Blowfish_expand0state \
1762	Blowfish_stream2word \
1763	SHA256Update \
1764	SHA384Update \
1765	SHA512Update \
1766	asprintf \
1767	b64_ntop \
1768	__b64_ntop \
1769	b64_pton \
1770	__b64_pton \
1771	bcopy \
1772	bcrypt_pbkdf \
1773	bindresvport_sa \
1774	blf_enc \
1775	bzero \
1776	cap_rights_limit \
1777	clock \
1778	closefrom \
1779	dirfd \
1780	endgrent \
1781	err \
1782	errx \
1783	explicit_bzero \
1784	fchmod \
1785	fchmodat \
1786	fchown \
1787	fchownat \
1788	flock \
1789	fnmatch \
1790	freeaddrinfo \
1791	freezero \
1792	fstatfs \
1793	fstatvfs \
1794	futimes \
1795	getaddrinfo \
1796	getcwd \
1797	getgrouplist \
1798	getline \
1799	getnameinfo \
1800	getopt \
1801	getpagesize \
1802	getpeereid \
1803	getpeerucred \
1804	getpgid \
1805	_getpty \
1806	getrlimit \
1807	getrandom \
1808	getsid \
1809	getttyent \
1810	glob \
1811	group_from_gid \
1812	inet_aton \
1813	inet_ntoa \
1814	inet_ntop \
1815	innetgr \
1816	llabs \
1817	localtime_r \
1818	login_getcapbool \
1819	md5_crypt \
1820	memmem \
1821	memmove \
1822	memset_s \
1823	mkdtemp \
1824	ngetaddrinfo \
1825	nsleep \
1826	ogetaddrinfo \
1827	openlog_r \
1828	pledge \
1829	poll \
1830	prctl \
1831	pstat \
1832	raise \
1833	readpassphrase \
1834	reallocarray \
1835	realpath \
1836	recvmsg \
1837	recallocarray \
1838	rresvport_af \
1839	sendmsg \
1840	setdtablesize \
1841	setegid \
1842	setenv \
1843	seteuid \
1844	setgroupent \
1845	setgroups \
1846	setlinebuf \
1847	setlogin \
1848	setpassent\
1849	setpcred \
1850	setproctitle \
1851	setregid \
1852	setreuid \
1853	setrlimit \
1854	setsid \
1855	setvbuf \
1856	sigaction \
1857	sigvec \
1858	snprintf \
1859	socketpair \
1860	statfs \
1861	statvfs \
1862	strcasestr \
1863	strdup \
1864	strerror \
1865	strlcat \
1866	strlcpy \
1867	strmode \
1868	strndup \
1869	strnlen \
1870	strnvis \
1871	strptime \
1872	strsignal \
1873	strtonum \
1874	strtoll \
1875	strtoul \
1876	strtoull \
1877	swap32 \
1878	sysconf \
1879	tcgetpgrp \
1880	timingsafe_bcmp \
1881	truncate \
1882	unsetenv \
1883	updwtmpx \
1884	utimensat \
1885	user_from_uid \
1886	usleep \
1887	vasprintf \
1888	vsnprintf \
1889	waitpid \
1890	warn \
1891])
1892
1893AC_CHECK_DECLS([bzero, memmem])
1894
1895dnl Wide character support.
1896AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1897
1898TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1899AC_MSG_CHECKING([for utf8 locale support])
1900AC_RUN_IFELSE(
1901	[AC_LANG_PROGRAM([[
1902#include <locale.h>
1903#include <stdlib.h>
1904	]], [[
1905	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1906	if (loc != NULL)
1907		exit(0);
1908	exit(1);
1909	]])],
1910	AC_MSG_RESULT(yes),
1911	[AC_MSG_RESULT(no)
1912	 TEST_SSH_UTF8=no],
1913	AC_MSG_WARN([cross compiling: assuming yes])
1914)
1915
1916AC_LINK_IFELSE(
1917        [AC_LANG_PROGRAM(
1918           [[ #include <ctype.h> ]],
1919           [[ return (isblank('a')); ]])],
1920	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1921])
1922
1923disable_pkcs11=
1924AC_ARG_ENABLE([pkcs11],
1925	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1926	[
1927		if test "x$enableval" = "xno" ; then
1928			disable_pkcs11=1
1929		fi
1930	]
1931)
1932
1933disable_sk=
1934AC_ARG_ENABLE([security-key],
1935	[  --disable-security-key  disable U2F/FIDO support code [no]],
1936	[
1937		if test "x$enableval" = "xno" ; then
1938			disable_sk=1
1939		fi
1940	]
1941)
1942enable_sk_internal=
1943AC_ARG_WITH([security-key-builtin],
1944	[  --with-security-key-builtin include builtin U2F/FIDO support],
1945	[
1946		if test "x$withval" != "xno" ; then
1947			enable_sk_internal=yes
1948		fi
1949	]
1950)
1951test "x$disable_sk" != "x" && enable_sk_internal=""
1952
1953AC_SEARCH_LIBS([dlopen], [dl])
1954AC_CHECK_FUNCS([dlopen])
1955AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1956
1957# IRIX has a const char return value for gai_strerror()
1958AC_CHECK_FUNCS([gai_strerror], [
1959	AC_DEFINE([HAVE_GAI_STRERROR])
1960	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1961#include <sys/types.h>
1962#include <sys/socket.h>
1963#include <netdb.h>
1964
1965const char *gai_strerror(int);
1966			]], [[
1967	char *str;
1968	str = gai_strerror(0);
1969			]])], [
1970		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1971		[Define if gai_strerror() returns const char *])], [])])
1972
1973AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1974	[Some systems put nanosleep outside of libc])])
1975
1976AC_SEARCH_LIBS([clock_gettime], [rt],
1977	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1978
1979dnl check if we need -D_REENTRANT for localtime_r declaration.
1980AC_CHECK_DECL([localtime_r], [],
1981	[ saved_CPPFLAGS="$CFLAGS"
1982	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1983	  unset ac_cv_have_decl_localtime_r
1984	  AC_CHECK_DECL([localtime_r], [],
1985		[ CPPFLAGS="$saved_CPPFLAGS" ],
1986		[ #include <time.h> ]
1987	  )
1988	],
1989	[ #include <time.h> ]
1990)
1991
1992dnl Make sure prototypes are defined for these before using them.
1993AC_CHECK_DECL([strsep],
1994	[AC_CHECK_FUNCS([strsep])],
1995	[],
1996	[
1997#ifdef HAVE_STRING_H
1998# include <string.h>
1999#endif
2000	])
2001
2002dnl tcsendbreak might be a macro
2003AC_CHECK_DECL([tcsendbreak],
2004	[AC_DEFINE([HAVE_TCSENDBREAK])],
2005	[AC_CHECK_FUNCS([tcsendbreak])],
2006	[#include <termios.h>]
2007)
2008
2009AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2010
2011AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2012	[
2013#include <sys/types.h>
2014#include <sys/socket.h>
2015#include <unistd.h>
2016	])
2017
2018AC_CHECK_DECLS([O_NONBLOCK], , ,
2019	[
2020#include <sys/types.h>
2021#ifdef HAVE_SYS_STAT_H
2022# include <sys/stat.h>
2023#endif
2024#ifdef HAVE_FCNTL_H
2025# include <fcntl.h>
2026#endif
2027	])
2028
2029AC_CHECK_DECLS([readv, writev], , , [
2030#include <sys/types.h>
2031#include <sys/uio.h>
2032#include <unistd.h>
2033	])
2034
2035AC_CHECK_DECLS([MAXSYMLINKS], , , [
2036#include <sys/param.h>
2037	])
2038
2039AC_CHECK_DECLS([offsetof], , , [
2040#include <stddef.h>
2041	])
2042
2043# extra bits for select(2)
2044AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2045#include <sys/param.h>
2046#include <sys/types.h>
2047#ifdef HAVE_SYS_SYSMACROS_H
2048#include <sys/sysmacros.h>
2049#endif
2050#ifdef HAVE_SYS_SELECT_H
2051#include <sys/select.h>
2052#endif
2053#ifdef HAVE_SYS_TIME_H
2054#include <sys/time.h>
2055#endif
2056#ifdef HAVE_UNISTD_H
2057#include <unistd.h>
2058#endif
2059	]])
2060AC_CHECK_TYPES([fd_mask], [], [], [[
2061#include <sys/param.h>
2062#include <sys/types.h>
2063#ifdef HAVE_SYS_SELECT_H
2064#include <sys/select.h>
2065#endif
2066#ifdef HAVE_SYS_TIME_H
2067#include <sys/time.h>
2068#endif
2069#ifdef HAVE_UNISTD_H
2070#include <unistd.h>
2071#endif
2072	]])
2073
2074AC_CHECK_FUNCS([setresuid], [
2075	dnl Some platorms have setresuid that isn't implemented, test for this
2076	AC_MSG_CHECKING([if setresuid seems to work])
2077	AC_RUN_IFELSE(
2078		[AC_LANG_PROGRAM([[
2079#include <stdlib.h>
2080#include <errno.h>
2081		]], [[
2082	errno=0;
2083	setresuid(0,0,0);
2084	if (errno==ENOSYS)
2085		exit(1);
2086	else
2087		exit(0);
2088		]])],
2089		[AC_MSG_RESULT([yes])],
2090		[AC_DEFINE([BROKEN_SETRESUID], [1],
2091			[Define if your setresuid() is broken])
2092		 AC_MSG_RESULT([not implemented])],
2093		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2094	)
2095])
2096
2097AC_CHECK_FUNCS([setresgid], [
2098	dnl Some platorms have setresgid that isn't implemented, test for this
2099	AC_MSG_CHECKING([if setresgid seems to work])
2100	AC_RUN_IFELSE(
2101		[AC_LANG_PROGRAM([[
2102#include <stdlib.h>
2103#include <errno.h>
2104		]], [[
2105	errno=0;
2106	setresgid(0,0,0);
2107	if (errno==ENOSYS)
2108		exit(1);
2109	else
2110		exit(0);
2111		]])],
2112		[AC_MSG_RESULT([yes])],
2113		[AC_DEFINE([BROKEN_SETRESGID], [1],
2114			[Define if your setresgid() is broken])
2115		 AC_MSG_RESULT([not implemented])],
2116		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2117	)
2118])
2119
2120AC_MSG_CHECKING([for working fflush(NULL)])
2121AC_RUN_IFELSE(
2122	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2123	AC_MSG_RESULT([yes]),
2124	[AC_MSG_RESULT([no])
2125	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2126	    [define if fflush(NULL) does not work])],
2127	AC_MSG_WARN([cross compiling: assuming working])
2128)
2129
2130dnl    Checks for time functions
2131AC_CHECK_FUNCS([gettimeofday time])
2132dnl    Checks for utmp functions
2133AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2134AC_CHECK_FUNCS([utmpname])
2135dnl    Checks for utmpx functions
2136AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2137AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2138dnl    Checks for lastlog functions
2139AC_CHECK_FUNCS([getlastlogxbyname])
2140
2141AC_CHECK_FUNC([daemon],
2142	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2143	[AC_CHECK_LIB([bsd], [daemon],
2144		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2145)
2146
2147AC_CHECK_FUNC([getpagesize],
2148	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2149		[Define if your libraries define getpagesize()])],
2150	[AC_CHECK_LIB([ucb], [getpagesize],
2151		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2152)
2153
2154# Check for broken snprintf
2155if test "x$ac_cv_func_snprintf" = "xyes" ; then
2156	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2157	AC_RUN_IFELSE(
2158		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2159		[[
2160	char b[5];
2161	snprintf(b,5,"123456789");
2162	exit(b[4]!='\0');
2163		]])],
2164		[AC_MSG_RESULT([yes])],
2165		[
2166			AC_MSG_RESULT([no])
2167			AC_DEFINE([BROKEN_SNPRINTF], [1],
2168				[Define if your snprintf is busted])
2169			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2170		],
2171		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2172	)
2173fi
2174
2175if test "x$ac_cv_func_snprintf" = "xyes" ; then
2176	AC_MSG_CHECKING([whether snprintf understands %zu])
2177	AC_RUN_IFELSE(
2178		[AC_LANG_PROGRAM([[
2179#include <sys/types.h>
2180#include <stdio.h>
2181		]],
2182		[[
2183	size_t a = 1, b = 2;
2184	char z[128];
2185	snprintf(z, sizeof z, "%zu%zu", a, b);
2186	exit(strcmp(z, "12"));
2187		]])],
2188		[AC_MSG_RESULT([yes])],
2189		[
2190			AC_MSG_RESULT([no])
2191			AC_DEFINE([BROKEN_SNPRINTF], [1],
2192				[snprintf does not understand %zu])
2193		],
2194		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2195	)
2196fi
2197
2198# We depend on vsnprintf returning the right thing on overflow: the
2199# number of characters it tried to create (as per SUSv3)
2200if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2201	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2202	AC_RUN_IFELSE(
2203		[AC_LANG_PROGRAM([[
2204#include <sys/types.h>
2205#include <stdio.h>
2206#include <stdarg.h>
2207
2208int x_snprintf(char *str, size_t count, const char *fmt, ...)
2209{
2210	size_t ret;
2211	va_list ap;
2212
2213	va_start(ap, fmt);
2214	ret = vsnprintf(str, count, fmt, ap);
2215	va_end(ap);
2216	return ret;
2217}
2218		]], [[
2219char x[1];
2220if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2221	return 1;
2222if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2223	return 1;
2224return 0;
2225		]])],
2226		[AC_MSG_RESULT([yes])],
2227		[
2228			AC_MSG_RESULT([no])
2229			AC_DEFINE([BROKEN_SNPRINTF], [1],
2230				[Define if your snprintf is busted])
2231			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2232		],
2233		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2234	)
2235fi
2236
2237# On systems where [v]snprintf is broken, but is declared in stdio,
2238# check that the fmt argument is const char * or just char *.
2239# This is only useful for when BROKEN_SNPRINTF
2240AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2241AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2242#include <stdio.h>
2243int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2244		]], [[
2245	snprintf(0, 0, 0);
2246		]])],
2247   [AC_MSG_RESULT([yes])
2248    AC_DEFINE([SNPRINTF_CONST], [const],
2249              [Define as const if snprintf() can declare const char *fmt])],
2250   [AC_MSG_RESULT([no])
2251    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2252
2253# Check for missing getpeereid (or equiv) support
2254NO_PEERCHECK=""
2255if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2256	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2257	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2258#include <sys/types.h>
2259#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2260		[ AC_MSG_RESULT([yes])
2261		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2262		], [AC_MSG_RESULT([no])
2263		NO_PEERCHECK=1
2264        ])
2265fi
2266
2267dnl see whether mkstemp() requires XXXXXX
2268if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2269AC_MSG_CHECKING([for (overly) strict mkstemp])
2270AC_RUN_IFELSE(
2271	[AC_LANG_PROGRAM([[
2272#include <stdlib.h>
2273	]], [[
2274	char template[]="conftest.mkstemp-test";
2275	if (mkstemp(template) == -1)
2276		exit(1);
2277	unlink(template);
2278	exit(0);
2279	]])],
2280	[
2281		AC_MSG_RESULT([no])
2282	],
2283	[
2284		AC_MSG_RESULT([yes])
2285		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2286	],
2287	[
2288		AC_MSG_RESULT([yes])
2289		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2290	]
2291)
2292fi
2293
2294dnl make sure that openpty does not reacquire controlling terminal
2295if test ! -z "$check_for_openpty_ctty_bug"; then
2296	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2297	AC_RUN_IFELSE(
2298		[AC_LANG_PROGRAM([[
2299#include <stdio.h>
2300#include <sys/fcntl.h>
2301#include <sys/types.h>
2302#include <sys/wait.h>
2303		]], [[
2304	pid_t pid;
2305	int fd, ptyfd, ttyfd, status;
2306
2307	pid = fork();
2308	if (pid < 0) {		/* failed */
2309		exit(1);
2310	} else if (pid > 0) {	/* parent */
2311		waitpid(pid, &status, 0);
2312		if (WIFEXITED(status))
2313			exit(WEXITSTATUS(status));
2314		else
2315			exit(2);
2316	} else {		/* child */
2317		close(0); close(1); close(2);
2318		setsid();
2319		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2320		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2321		if (fd >= 0)
2322			exit(3);	/* Acquired ctty: broken */
2323		else
2324			exit(0);	/* Did not acquire ctty: OK */
2325	}
2326		]])],
2327		[
2328			AC_MSG_RESULT([yes])
2329		],
2330		[
2331			AC_MSG_RESULT([no])
2332			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2333		],
2334		[
2335			AC_MSG_RESULT([cross-compiling, assuming yes])
2336		]
2337	)
2338fi
2339
2340if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2341    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2342	AC_MSG_CHECKING([if getaddrinfo seems to work])
2343	AC_RUN_IFELSE(
2344		[AC_LANG_PROGRAM([[
2345#include <stdio.h>
2346#include <sys/socket.h>
2347#include <netdb.h>
2348#include <errno.h>
2349#include <netinet/in.h>
2350
2351#define TEST_PORT "2222"
2352		]], [[
2353	int err, sock;
2354	struct addrinfo *gai_ai, *ai, hints;
2355	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2356
2357	memset(&hints, 0, sizeof(hints));
2358	hints.ai_family = PF_UNSPEC;
2359	hints.ai_socktype = SOCK_STREAM;
2360	hints.ai_flags = AI_PASSIVE;
2361
2362	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2363	if (err != 0) {
2364		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2365		exit(1);
2366	}
2367
2368	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2369		if (ai->ai_family != AF_INET6)
2370			continue;
2371
2372		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2373		    sizeof(ntop), strport, sizeof(strport),
2374		    NI_NUMERICHOST|NI_NUMERICSERV);
2375
2376		if (err != 0) {
2377			if (err == EAI_SYSTEM)
2378				perror("getnameinfo EAI_SYSTEM");
2379			else
2380				fprintf(stderr, "getnameinfo failed: %s\n",
2381				    gai_strerror(err));
2382			exit(2);
2383		}
2384
2385		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2386		if (sock < 0)
2387			perror("socket");
2388		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2389			if (errno == EBADF)
2390				exit(3);
2391		}
2392	}
2393	exit(0);
2394		]])],
2395		[
2396			AC_MSG_RESULT([yes])
2397		],
2398		[
2399			AC_MSG_RESULT([no])
2400			AC_DEFINE([BROKEN_GETADDRINFO])
2401		],
2402		[
2403			AC_MSG_RESULT([cross-compiling, assuming yes])
2404		]
2405	)
2406fi
2407
2408if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2409    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2410	AC_MSG_CHECKING([if getaddrinfo seems to work])
2411	AC_RUN_IFELSE(
2412		[AC_LANG_PROGRAM([[
2413#include <stdio.h>
2414#include <sys/socket.h>
2415#include <netdb.h>
2416#include <errno.h>
2417#include <netinet/in.h>
2418
2419#define TEST_PORT "2222"
2420		]], [[
2421	int err, sock;
2422	struct addrinfo *gai_ai, *ai, hints;
2423	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2424
2425	memset(&hints, 0, sizeof(hints));
2426	hints.ai_family = PF_UNSPEC;
2427	hints.ai_socktype = SOCK_STREAM;
2428	hints.ai_flags = AI_PASSIVE;
2429
2430	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2431	if (err != 0) {
2432		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2433		exit(1);
2434	}
2435
2436	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2437		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2438			continue;
2439
2440		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2441		    sizeof(ntop), strport, sizeof(strport),
2442		    NI_NUMERICHOST|NI_NUMERICSERV);
2443
2444		if (ai->ai_family == AF_INET && err != 0) {
2445			perror("getnameinfo");
2446			exit(2);
2447		}
2448	}
2449	exit(0);
2450		]])],
2451		[
2452			AC_MSG_RESULT([yes])
2453			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2454				[Define if you have a getaddrinfo that fails
2455				for the all-zeros IPv6 address])
2456		],
2457		[
2458			AC_MSG_RESULT([no])
2459			AC_DEFINE([BROKEN_GETADDRINFO])
2460		],
2461		[
2462			AC_MSG_RESULT([cross-compiling, assuming no])
2463		]
2464	)
2465fi
2466
2467if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2468	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2469	    [#include <sys/types.h>
2470	     #include <sys/socket.h>
2471	     #include <netdb.h>])
2472fi
2473
2474if test "x$check_for_conflicting_getspnam" = "x1"; then
2475	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2476	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2477		[[ exit(0); ]])],
2478		[
2479			AC_MSG_RESULT([no])
2480		],
2481		[
2482			AC_MSG_RESULT([yes])
2483			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2484			    [Conflicting defs for getspnam])
2485		]
2486	)
2487fi
2488
2489dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2490dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2491dnl for over ten years). Despite this incompatibility being reported during
2492dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2493dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2494dnl implementation.  Try to detect this mess, and assume the only safe option
2495dnl if we're cross compiling.
2496dnl
2497dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2498dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2499if test "x$ac_cv_func_strnvis" = "xyes"; then
2500	AC_MSG_CHECKING([for working strnvis])
2501	AC_RUN_IFELSE(
2502		[AC_LANG_PROGRAM([[
2503#include <signal.h>
2504#include <stdlib.h>
2505#include <string.h>
2506#include <vis.h>
2507static void sighandler(int sig) { _exit(1); }
2508		]], [[
2509	char dst[16];
2510
2511	signal(SIGSEGV, sighandler);
2512	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2513		exit(0);
2514	exit(1)
2515		]])],
2516		[AC_MSG_RESULT([yes])],
2517		[AC_MSG_RESULT([no])
2518		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2519		[AC_MSG_WARN([cross compiling: assuming broken])
2520		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2521	)
2522fi
2523
2524AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2525AC_RUN_IFELSE(
2526	[AC_LANG_PROGRAM([[
2527#ifdef HAVE_SYS_SELECT
2528# include <sys/select.h>
2529#endif
2530#include <sys/types.h>
2531#include <sys/time.h>
2532#include <stdlib.h>
2533#include <signal.h>
2534static void sighandler(int sig) { }
2535		]], [[
2536	int r;
2537	pid_t pid;
2538	struct sigaction sa;
2539
2540	sa.sa_handler = sighandler;
2541	sa.sa_flags = SA_RESTART;
2542	(void)sigaction(SIGTERM, &sa, NULL);
2543	if ((pid = fork()) == 0) { /* child */
2544		pid = getppid();
2545		sleep(1);
2546		kill(pid, SIGTERM);
2547		sleep(1);
2548		if (getppid() == pid) /* if parent did not exit, shoot it */
2549			kill(pid, SIGKILL);
2550		exit(0);
2551	} else { /* parent */
2552		r = select(0, NULL, NULL, NULL, NULL);
2553	}
2554	exit(r == -1 ? 0 : 1);
2555	]])],
2556	[AC_MSG_RESULT([yes])],
2557	[AC_MSG_RESULT([no])
2558	 AC_DEFINE([NO_SA_RESTART], [1],
2559	    [SA_RESTARTed signals do no interrupt select])],
2560	[AC_MSG_WARN([cross compiling: assuming yes])]
2561)
2562
2563AC_CHECK_FUNCS([getpgrp],[
2564	AC_MSG_CHECKING([if getpgrp accepts zero args])
2565	AC_COMPILE_IFELSE(
2566		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2567		[ AC_MSG_RESULT([yes])
2568		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2569		[ AC_MSG_RESULT([no])
2570		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2571	)
2572])
2573
2574# Search for OpenSSL
2575saved_CPPFLAGS="$CPPFLAGS"
2576saved_LDFLAGS="$LDFLAGS"
2577AC_ARG_WITH([ssl-dir],
2578	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2579	[
2580		if test "x$openssl" = "xno" ; then
2581			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2582		fi
2583		if test "x$withval" != "xno" ; then
2584			case "$withval" in
2585				# Relative paths
2586				./*|../*)	withval="`pwd`/$withval"
2587			esac
2588			if test -d "$withval/lib"; then
2589				if test -n "${rpath_opt}"; then
2590					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2591				else
2592					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2593				fi
2594			elif test -d "$withval/lib64"; then
2595				if test -n "${rpath_opt}"; then
2596					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2597				else
2598					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2599				fi
2600			else
2601				if test -n "${rpath_opt}"; then
2602					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2603				else
2604					LDFLAGS="-L${withval} ${LDFLAGS}"
2605				fi
2606			fi
2607			if test -d "$withval/include"; then
2608				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2609			else
2610				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2611			fi
2612		fi
2613	]
2614)
2615
2616AC_ARG_WITH([openssl-header-check],
2617	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2618	[
2619		if test "x$withval" = "xno" ; then
2620			openssl_check_nonfatal=1
2621		fi
2622	]
2623)
2624
2625openssl_engine=no
2626AC_ARG_WITH([ssl-engine],
2627	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2628	[
2629		if test "x$withval" != "xno" ; then
2630			if test "x$openssl" = "xno" ; then
2631				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2632			fi
2633			openssl_engine=yes
2634		fi
2635	]
2636)
2637
2638if test "x$openssl" = "xyes" ; then
2639	LIBS="-lcrypto $LIBS"
2640	AC_TRY_LINK_FUNC([RAND_add], ,
2641	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2642	AC_CHECK_HEADER([openssl/opensslv.h], ,
2643	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2644
2645	# Determine OpenSSL header version
2646	AC_MSG_CHECKING([OpenSSL header version])
2647	AC_RUN_IFELSE(
2648		[AC_LANG_PROGRAM([[
2649	#include <stdlib.h>
2650	#include <stdio.h>
2651	#include <string.h>
2652	#include <openssl/opensslv.h>
2653	#define DATA "conftest.sslincver"
2654		]], [[
2655		FILE *fd;
2656		int rc;
2657
2658		fd = fopen(DATA,"w");
2659		if(fd == NULL)
2660			exit(1);
2661
2662		if ((rc = fprintf(fd, "%08lx (%s)\n",
2663		    (unsigned long)OPENSSL_VERSION_NUMBER,
2664		     OPENSSL_VERSION_TEXT)) < 0)
2665			exit(1);
2666
2667		exit(0);
2668		]])],
2669		[
2670			ssl_header_ver=`cat conftest.sslincver`
2671			AC_MSG_RESULT([$ssl_header_ver])
2672		],
2673		[
2674			AC_MSG_RESULT([not found])
2675			AC_MSG_ERROR([OpenSSL version header not found.])
2676		],
2677		[
2678			AC_MSG_WARN([cross compiling: not checking])
2679		]
2680	)
2681
2682	# Determining OpenSSL library version is version dependent.
2683	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2684
2685	# Determine OpenSSL library version
2686	AC_MSG_CHECKING([OpenSSL library version])
2687	AC_RUN_IFELSE(
2688		[AC_LANG_PROGRAM([[
2689	#include <stdio.h>
2690	#include <string.h>
2691	#include <openssl/opensslv.h>
2692	#include <openssl/crypto.h>
2693	#define DATA "conftest.ssllibver"
2694		]], [[
2695		FILE *fd;
2696		int rc;
2697
2698		fd = fopen(DATA,"w");
2699		if(fd == NULL)
2700			exit(1);
2701#ifndef OPENSSL_VERSION
2702# define OPENSSL_VERSION SSLEAY_VERSION
2703#endif
2704#ifndef HAVE_OPENSSL_VERSION
2705# define OpenSSL_version	SSLeay_version
2706#endif
2707#ifndef HAVE_OPENSSL_VERSION_NUM
2708# define OpenSSL_version_num	SSLeay
2709#endif
2710		if ((rc = fprintf(fd, "%08lx (%s)\n",
2711		    (unsigned long)OpenSSL_version_num(),
2712		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2713			exit(1);
2714
2715		exit(0);
2716		]])],
2717		[
2718			ssl_library_ver=`cat conftest.ssllibver`
2719			# Check version is supported.
2720			case "$ssl_library_ver" in
2721			10000*|0*)
2722				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2723		                ;;
2724			100*)   ;; # 1.0.x
2725			101000[[0123456]]*)
2726				# https://github.com/openssl/openssl/pull/4613
2727				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2728				;;
2729			101*)   ;; # 1.1.x
2730			200*)   ;; # LibreSSL
2731			300*)   ;; # OpenSSL development branch.
2732		        *)
2733				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2734		                ;;
2735			esac
2736			AC_MSG_RESULT([$ssl_library_ver])
2737		],
2738		[
2739			AC_MSG_RESULT([not found])
2740			AC_MSG_ERROR([OpenSSL library not found.])
2741		],
2742		[
2743			AC_MSG_WARN([cross compiling: not checking])
2744		]
2745	)
2746
2747	# Sanity check OpenSSL headers
2748	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2749	AC_RUN_IFELSE(
2750		[AC_LANG_PROGRAM([[
2751	#include <string.h>
2752	#include <openssl/opensslv.h>
2753	#include <openssl/crypto.h>
2754		]], [[
2755#ifndef HAVE_OPENSSL_VERSION_NUM
2756# define OpenSSL_version_num	SSLeay
2757#endif
2758		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2759		]])],
2760		[
2761			AC_MSG_RESULT([yes])
2762		],
2763		[
2764			AC_MSG_RESULT([no])
2765			if test "x$openssl_check_nonfatal" = "x"; then
2766				AC_MSG_ERROR([Your OpenSSL headers do not match your
2767	library. Check config.log for details.
2768	If you are sure your installation is consistent, you can disable the check
2769	by running "./configure --without-openssl-header-check".
2770	Also see contrib/findssl.sh for help identifying header/library mismatches.
2771	])
2772			else
2773				AC_MSG_WARN([Your OpenSSL headers do not match your
2774	library. Check config.log for details.
2775	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2776			fi
2777		],
2778		[
2779			AC_MSG_WARN([cross compiling: not checking])
2780		]
2781	)
2782
2783	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2784	AC_LINK_IFELSE(
2785		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2786		[[ ERR_load_crypto_strings(); ]])],
2787		[
2788			AC_MSG_RESULT([yes])
2789		],
2790		[
2791			AC_MSG_RESULT([no])
2792			saved_LIBS="$LIBS"
2793			LIBS="$LIBS -ldl"
2794			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2795			AC_LINK_IFELSE(
2796				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2797				[[ ERR_load_crypto_strings(); ]])],
2798				[
2799					AC_MSG_RESULT([yes])
2800				],
2801				[
2802					AC_MSG_RESULT([no])
2803					LIBS="$saved_LIBS"
2804				]
2805			)
2806		]
2807	)
2808
2809	AC_CHECK_FUNCS([ \
2810		BN_is_prime_ex \
2811		DSA_generate_parameters_ex \
2812		EVP_CIPHER_CTX_ctrl \
2813		EVP_DigestFinal_ex \
2814		EVP_DigestInit_ex \
2815		EVP_MD_CTX_cleanup \
2816		EVP_MD_CTX_copy_ex \
2817		EVP_MD_CTX_init \
2818		HMAC_CTX_init \
2819		RSA_generate_key_ex \
2820		RSA_get_default_method \
2821	])
2822
2823	# OpenSSL_add_all_algorithms may be a macro.
2824	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2825	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2826	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2827		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2828		[[#include <openssl/evp.h>]]
2829	    )
2830	)
2831
2832	# LibreSSL/OpenSSL 1.1x API
2833	AC_CHECK_FUNCS([ \
2834		OPENSSL_init_crypto \
2835		DH_get0_key \
2836		DH_get0_pqg \
2837		DH_set0_key \
2838		DH_set_length \
2839		DH_set0_pqg \
2840		DSA_get0_key \
2841		DSA_get0_pqg \
2842		DSA_set0_key \
2843		DSA_set0_pqg \
2844		DSA_SIG_get0 \
2845		DSA_SIG_set0 \
2846		ECDSA_SIG_get0 \
2847		ECDSA_SIG_set0 \
2848		EVP_CIPHER_CTX_iv \
2849		EVP_CIPHER_CTX_iv_noconst \
2850		EVP_CIPHER_CTX_get_iv \
2851		EVP_CIPHER_CTX_set_iv \
2852		RSA_get0_crt_params \
2853		RSA_get0_factors \
2854		RSA_get0_key \
2855		RSA_set0_crt_params \
2856		RSA_set0_factors \
2857		RSA_set0_key \
2858		RSA_meth_free \
2859		RSA_meth_dup \
2860		RSA_meth_set1_name \
2861		RSA_meth_get_finish \
2862		RSA_meth_set_priv_enc \
2863		RSA_meth_set_priv_dec \
2864		RSA_meth_set_finish \
2865		EVP_PKEY_get0_RSA \
2866		EVP_MD_CTX_new \
2867		EVP_MD_CTX_free \
2868		EVP_chacha20 \
2869	])
2870
2871	if test "x$openssl_engine" = "xyes" ; then
2872		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2873		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2874	#include <openssl/engine.h>
2875			]], [[
2876				ENGINE_load_builtin_engines();
2877				ENGINE_register_all_complete();
2878			]])],
2879			[ AC_MSG_RESULT([yes])
2880			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2881			     [Enable OpenSSL engine support])
2882			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2883		])
2884	fi
2885
2886	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2887	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2888	AC_LINK_IFELSE(
2889		[AC_LANG_PROGRAM([[
2890	#include <string.h>
2891	#include <openssl/evp.h>
2892		]], [[
2893		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2894		]])],
2895		[
2896			AC_MSG_RESULT([no])
2897		],
2898		[
2899			AC_MSG_RESULT([yes])
2900			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2901			    [libcrypto is missing AES 192 and 256 bit functions])
2902		]
2903	)
2904
2905	# Check for OpenSSL with EVP_aes_*ctr
2906	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2907	AC_LINK_IFELSE(
2908		[AC_LANG_PROGRAM([[
2909	#include <string.h>
2910	#include <openssl/evp.h>
2911		]], [[
2912		exit(EVP_aes_128_ctr() == NULL ||
2913		    EVP_aes_192_cbc() == NULL ||
2914		    EVP_aes_256_cbc() == NULL);
2915		]])],
2916		[
2917			AC_MSG_RESULT([yes])
2918			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2919			    [libcrypto has EVP AES CTR])
2920		],
2921		[
2922			AC_MSG_RESULT([no])
2923		]
2924	)
2925
2926	# Check for OpenSSL with EVP_aes_*gcm
2927	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2928	AC_LINK_IFELSE(
2929		[AC_LANG_PROGRAM([[
2930	#include <string.h>
2931	#include <openssl/evp.h>
2932		]], [[
2933		exit(EVP_aes_128_gcm() == NULL ||
2934		    EVP_aes_256_gcm() == NULL ||
2935		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2936		    EVP_CTRL_GCM_IV_GEN == 0 ||
2937		    EVP_CTRL_GCM_SET_TAG == 0 ||
2938		    EVP_CTRL_GCM_GET_TAG == 0 ||
2939		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2940		]])],
2941		[
2942			AC_MSG_RESULT([yes])
2943			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2944			    [libcrypto has EVP AES GCM])
2945		],
2946		[
2947			AC_MSG_RESULT([no])
2948			unsupported_algorithms="$unsupported_cipers \
2949			   aes128-gcm@openssh.com \
2950			   aes256-gcm@openssh.com"
2951		]
2952	)
2953
2954	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2955	AC_LINK_IFELSE(
2956		[AC_LANG_PROGRAM([[
2957	#include <string.h>
2958	#include <openssl/evp.h>
2959		]], [[
2960		if(EVP_DigestUpdate(NULL, NULL,0))
2961			exit(0);
2962		]])],
2963		[
2964			AC_MSG_RESULT([yes])
2965		],
2966		[
2967			AC_MSG_RESULT([no])
2968			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2969			    [Define if EVP_DigestUpdate returns void])
2970		]
2971	)
2972
2973	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2974	# because the system crypt() is more featureful.
2975	if test "x$check_for_libcrypt_before" = "x1"; then
2976		AC_CHECK_LIB([crypt], [crypt])
2977	fi
2978
2979	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2980	# version in OpenSSL.
2981	if test "x$check_for_libcrypt_later" = "x1"; then
2982		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2983	fi
2984	AC_CHECK_FUNCS([crypt DES_crypt])
2985
2986	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2987	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2988
2989	# Check complete ECC support in OpenSSL
2990	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2991	AC_LINK_IFELSE(
2992		[AC_LANG_PROGRAM([[
2993	#include <openssl/ec.h>
2994	#include <openssl/ecdh.h>
2995	#include <openssl/ecdsa.h>
2996	#include <openssl/evp.h>
2997	#include <openssl/objects.h>
2998	#include <openssl/opensslv.h>
2999		]], [[
3000		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3001		const EVP_MD *m = EVP_sha256(); /* We need this too */
3002		]])],
3003		[ AC_MSG_RESULT([yes])
3004		  enable_nistp256=1 ],
3005		[ AC_MSG_RESULT([no]) ]
3006	)
3007
3008	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3009	AC_LINK_IFELSE(
3010		[AC_LANG_PROGRAM([[
3011	#include <openssl/ec.h>
3012	#include <openssl/ecdh.h>
3013	#include <openssl/ecdsa.h>
3014	#include <openssl/evp.h>
3015	#include <openssl/objects.h>
3016	#include <openssl/opensslv.h>
3017		]], [[
3018		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3019		const EVP_MD *m = EVP_sha384(); /* We need this too */
3020		]])],
3021		[ AC_MSG_RESULT([yes])
3022		  enable_nistp384=1 ],
3023		[ AC_MSG_RESULT([no]) ]
3024	)
3025
3026	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3027	AC_LINK_IFELSE(
3028		[AC_LANG_PROGRAM([[
3029	#include <openssl/ec.h>
3030	#include <openssl/ecdh.h>
3031	#include <openssl/ecdsa.h>
3032	#include <openssl/evp.h>
3033	#include <openssl/objects.h>
3034	#include <openssl/opensslv.h>
3035		]], [[
3036		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3037		const EVP_MD *m = EVP_sha512(); /* We need this too */
3038		]])],
3039		[ AC_MSG_RESULT([yes])
3040		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3041		  AC_RUN_IFELSE(
3042			[AC_LANG_PROGRAM([[
3043	#include <openssl/ec.h>
3044	#include <openssl/ecdh.h>
3045	#include <openssl/ecdsa.h>
3046	#include <openssl/evp.h>
3047	#include <openssl/objects.h>
3048	#include <openssl/opensslv.h>
3049			]],[[
3050			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3051			const EVP_MD *m = EVP_sha512(); /* We need this too */
3052			exit(e == NULL || m == NULL);
3053			]])],
3054			[ AC_MSG_RESULT([yes])
3055			  enable_nistp521=1 ],
3056			[ AC_MSG_RESULT([no]) ],
3057			[ AC_MSG_WARN([cross-compiling: assuming yes])
3058			  enable_nistp521=1 ]
3059		  )],
3060		AC_MSG_RESULT([no])
3061	)
3062
3063	COMMENT_OUT_ECC="#no ecc#"
3064	TEST_SSH_ECC=no
3065
3066	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3067	    test x$enable_nistp521 = x1; then
3068		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3069		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3070		openssl_ecc=yes
3071	else
3072		openssl_ecc=no
3073	fi
3074	if test x$enable_nistp256 = x1; then
3075		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3076		    [libcrypto has NID_X9_62_prime256v1])
3077		TEST_SSH_ECC=yes
3078		COMMENT_OUT_ECC=""
3079	else
3080		unsupported_algorithms="$unsupported_algorithms \
3081			ecdsa-sha2-nistp256 \
3082			ecdh-sha2-nistp256 \
3083			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3084	fi
3085	if test x$enable_nistp384 = x1; then
3086		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3087		TEST_SSH_ECC=yes
3088		COMMENT_OUT_ECC=""
3089	else
3090		unsupported_algorithms="$unsupported_algorithms \
3091			ecdsa-sha2-nistp384 \
3092			ecdh-sha2-nistp384 \
3093			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3094	fi
3095	if test x$enable_nistp521 = x1; then
3096		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3097		TEST_SSH_ECC=yes
3098		COMMENT_OUT_ECC=""
3099	else
3100		unsupported_algorithms="$unsupported_algorithms \
3101			ecdh-sha2-nistp521 \
3102			ecdsa-sha2-nistp521 \
3103			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3104	fi
3105
3106	AC_SUBST([TEST_SSH_ECC])
3107	AC_SUBST([COMMENT_OUT_ECC])
3108else
3109	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3110	AC_CHECK_FUNCS([crypt])
3111fi
3112
3113# PKCS11/U2F depend on OpenSSL and dlopen().
3114enable_pkcs11=yes
3115enable_sk=yes
3116if test "x$openssl" != "xyes" ; then
3117	enable_pkcs11="disabled; missing libcrypto"
3118	enable_sk="disabled; missing libcrypto"
3119fi
3120if test "x$openssl_ecc" != "xyes" ; then
3121	enable_sk="disabled; OpenSSL has no ECC support"
3122fi
3123if test "x$ac_cv_func_dlopen" != "xyes" ; then
3124	enable_pkcs11="disabled; missing dlopen(3)"
3125	enable_sk="disabled; missing dlopen(3)"
3126fi
3127if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3128	enable_pkcs11="disabled; missing RTLD_NOW"
3129	enable_sk="disabled; missing RTLD_NOW"
3130fi
3131if test ! -z "$disable_pkcs11" ; then
3132	enable_pkcs11="disabled by user"
3133fi
3134if test ! -z "$disable_sk" ; then
3135	enable_sk="disabled by user"
3136fi
3137
3138AC_MSG_CHECKING([whether to enable PKCS11])
3139if test "x$enable_pkcs11" = "xyes" ; then
3140	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3141fi
3142AC_MSG_RESULT([$enable_pkcs11])
3143
3144AC_MSG_CHECKING([whether to enable U2F])
3145if test "x$enable_sk" = "xyes" ; then
3146	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3147	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3148else
3149	# Do not try to build sk-dummy library.
3150	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3151fi
3152AC_MSG_RESULT([$enable_sk])
3153
3154# Now check for built-in security key support.
3155if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3156	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3157	use_pkgconfig_for_libfido2=
3158	if test "x$PKGCONFIG" != "xno"; then
3159		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3160		if "$PKGCONFIG" libfido2; then
3161			AC_MSG_RESULT([yes])
3162			use_pkgconfig_for_libfido2=yes
3163		else
3164			AC_MSG_RESULT([no])
3165		fi
3166	fi
3167	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3168		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3169		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3170	else
3171		LIBFIDO2="-lfido2 -lcbor"
3172	fi
3173	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3174	AC_CHECK_LIB([fido2], [fido_init],
3175		[
3176			AC_SUBST([LIBFIDO2])
3177			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3178			    [Enable for built-in U2F/FIDO support])
3179			enable_sk="built-in"
3180		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3181		[ $OTHERLIBS ]
3182	)
3183	saved_LIBS="$LIBS"
3184	LIBS="$LIBS $LIBFIDO2"
3185	AC_CHECK_FUNCS([ \
3186		fido_cred_set_prot \
3187		fido_dev_get_touch_status \
3188		fido_dev_supports_cred_prot \
3189	])
3190	LIBS="$saved_LIBS"
3191	AC_CHECK_HEADER([fido.h], [],
3192		AC_MSG_ERROR([missing fido.h from libfido2]))
3193	AC_CHECK_HEADER([fido/credman.h], [],
3194		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3195		[#include <fido.h>]
3196	)
3197fi
3198
3199AC_CHECK_FUNCS([ \
3200	arc4random \
3201	arc4random_buf \
3202	arc4random_stir \
3203	arc4random_uniform \
3204])
3205
3206saved_LIBS="$LIBS"
3207AC_CHECK_LIB([iaf], [ia_openinfo], [
3208	LIBS="$LIBS -liaf"
3209	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3210				AC_DEFINE([HAVE_LIBIAF], [1],
3211			[Define if system has libiaf that supports set_id])
3212				])
3213])
3214LIBS="$saved_LIBS"
3215
3216### Configure cryptographic random number support
3217
3218# Check whether OpenSSL seeds itself
3219if test "x$openssl" = "xyes" ; then
3220	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3221	AC_RUN_IFELSE(
3222		[AC_LANG_PROGRAM([[
3223	#include <string.h>
3224	#include <openssl/rand.h>
3225		]], [[
3226		exit(RAND_status() == 1 ? 0 : 1);
3227		]])],
3228		[
3229			OPENSSL_SEEDS_ITSELF=yes
3230			AC_MSG_RESULT([yes])
3231		],
3232		[
3233			AC_MSG_RESULT([no])
3234		],
3235		[
3236			AC_MSG_WARN([cross compiling: assuming yes])
3237			# This is safe, since we will fatal() at runtime if
3238			# OpenSSL is not seeded correctly.
3239			OPENSSL_SEEDS_ITSELF=yes
3240		]
3241	)
3242fi
3243
3244# PRNGD TCP socket
3245AC_ARG_WITH([prngd-port],
3246	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3247	[
3248		case "$withval" in
3249		no)
3250			withval=""
3251			;;
3252		[[0-9]]*)
3253			;;
3254		*)
3255			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3256			;;
3257		esac
3258		if test ! -z "$withval" ; then
3259			PRNGD_PORT="$withval"
3260			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3261				[Port number of PRNGD/EGD random number socket])
3262		fi
3263	]
3264)
3265
3266# PRNGD Unix domain socket
3267AC_ARG_WITH([prngd-socket],
3268	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3269	[
3270		case "$withval" in
3271		yes)
3272			withval="/var/run/egd-pool"
3273			;;
3274		no)
3275			withval=""
3276			;;
3277		/*)
3278			;;
3279		*)
3280			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3281			;;
3282		esac
3283
3284		if test ! -z "$withval" ; then
3285			if test ! -z "$PRNGD_PORT" ; then
3286				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3287			fi
3288			if test ! -r "$withval" ; then
3289				AC_MSG_WARN([Entropy socket is not readable])
3290			fi
3291			PRNGD_SOCKET="$withval"
3292			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3293				[Location of PRNGD/EGD random number socket])
3294		fi
3295	],
3296	[
3297		# Check for existing socket only if we don't have a random device already
3298		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3299			AC_MSG_CHECKING([for PRNGD/EGD socket])
3300			# Insert other locations here
3301			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3302				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3303					PRNGD_SOCKET="$sock"
3304					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3305					break;
3306				fi
3307			done
3308			if test ! -z "$PRNGD_SOCKET" ; then
3309				AC_MSG_RESULT([$PRNGD_SOCKET])
3310			else
3311				AC_MSG_RESULT([not found])
3312			fi
3313		fi
3314	]
3315)
3316
3317# Which randomness source do we use?
3318if test ! -z "$PRNGD_PORT" ; then
3319	RAND_MSG="PRNGd port $PRNGD_PORT"
3320elif test ! -z "$PRNGD_SOCKET" ; then
3321	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3322elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3323	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3324		[Define if you want the OpenSSL internally seeded PRNG only])
3325	RAND_MSG="OpenSSL internal ONLY"
3326elif test "x$openssl" = "xno" ; then
3327	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3328else
3329	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3330fi
3331
3332# Check for PAM libs
3333PAM_MSG="no"
3334AC_ARG_WITH([pam],
3335	[  --with-pam              Enable PAM support ],
3336	[
3337		if test "x$withval" != "xno" ; then
3338			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3339			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3340				AC_MSG_ERROR([PAM headers not found])
3341			fi
3342
3343			saved_LIBS="$LIBS"
3344			AC_CHECK_LIB([dl], [dlopen], , )
3345			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3346			AC_CHECK_FUNCS([pam_getenvlist])
3347			AC_CHECK_FUNCS([pam_putenv])
3348			LIBS="$saved_LIBS"
3349
3350			PAM_MSG="yes"
3351
3352			SSHDLIBS="$SSHDLIBS -lpam"
3353			AC_DEFINE([USE_PAM], [1],
3354				[Define if you want to enable PAM support])
3355
3356			if test $ac_cv_lib_dl_dlopen = yes; then
3357				case "$LIBS" in
3358				*-ldl*)
3359					# libdl already in LIBS
3360					;;
3361				*)
3362					SSHDLIBS="$SSHDLIBS -ldl"
3363					;;
3364				esac
3365			fi
3366		fi
3367	]
3368)
3369
3370AC_ARG_WITH([pam-service],
3371	[  --with-pam-service=name Specify PAM service name ],
3372	[
3373		if test "x$withval" != "xno" && \
3374		   test "x$withval" != "xyes" ; then
3375			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3376				["$withval"], [sshd PAM service name])
3377		fi
3378	]
3379)
3380
3381# Check for older PAM
3382if test "x$PAM_MSG" = "xyes" ; then
3383	# Check PAM strerror arguments (old PAM)
3384	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3385	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3386#include <stdlib.h>
3387#if defined(HAVE_SECURITY_PAM_APPL_H)
3388#include <security/pam_appl.h>
3389#elif defined (HAVE_PAM_PAM_APPL_H)
3390#include <pam/pam_appl.h>
3391#endif
3392		]], [[
3393(void)pam_strerror((pam_handle_t *)NULL, -1);
3394		]])], [AC_MSG_RESULT([no])], [
3395			AC_DEFINE([HAVE_OLD_PAM], [1],
3396				[Define if you have an old version of PAM
3397				which takes only one argument to pam_strerror])
3398			AC_MSG_RESULT([yes])
3399			PAM_MSG="yes (old library)"
3400
3401	])
3402fi
3403
3404case "$host" in
3405*-*-cygwin*)
3406	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3407	;;
3408*)
3409	SSH_PRIVSEP_USER=sshd
3410	;;
3411esac
3412AC_ARG_WITH([privsep-user],
3413	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3414	[
3415		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3416		    test "x${withval}" != "xyes"; then
3417			SSH_PRIVSEP_USER=$withval
3418		fi
3419	]
3420)
3421if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3422	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3423		[Cygwin function to fetch non-privileged user for privilege separation])
3424else
3425	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3426		[non-privileged user for privilege separation])
3427fi
3428AC_SUBST([SSH_PRIVSEP_USER])
3429
3430if test "x$have_linux_no_new_privs" = "x1" ; then
3431AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3432	#include <sys/types.h>
3433	#include <linux/seccomp.h>
3434])
3435fi
3436if test "x$have_seccomp_filter" = "x1" ; then
3437AC_MSG_CHECKING([kernel for seccomp_filter support])
3438AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3439		#include <errno.h>
3440		#include <elf.h>
3441		#include <linux/audit.h>
3442		#include <linux/seccomp.h>
3443		#include <stdlib.h>
3444		#include <sys/prctl.h>
3445	]],
3446	[[ int i = $seccomp_audit_arch;
3447	   errno = 0;
3448	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3449	   exit(errno == EFAULT ? 0 : 1); ]])],
3450	[ AC_MSG_RESULT([yes]) ], [
3451		AC_MSG_RESULT([no])
3452		# Disable seccomp filter as a target
3453		have_seccomp_filter=0
3454	]
3455)
3456fi
3457
3458# Decide which sandbox style to use
3459sandbox_arg=""
3460AC_ARG_WITH([sandbox],
3461	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3462	[
3463		if test "x$withval" = "xyes" ; then
3464			sandbox_arg=""
3465		else
3466			sandbox_arg="$withval"
3467		fi
3468	]
3469)
3470
3471# Some platforms (seems to be the ones that have a kernel poll(2)-type
3472# function with which they implement select(2)) use an extra file descriptor
3473# when calling select(2), which means we can't use the rlimit sandbox.
3474AC_MSG_CHECKING([if select works with descriptor rlimit])
3475AC_RUN_IFELSE(
3476	[AC_LANG_PROGRAM([[
3477#include <sys/types.h>
3478#ifdef HAVE_SYS_TIME_H
3479# include <sys/time.h>
3480#endif
3481#include <sys/resource.h>
3482#ifdef HAVE_SYS_SELECT_H
3483# include <sys/select.h>
3484#endif
3485#include <errno.h>
3486#include <fcntl.h>
3487#include <stdlib.h>
3488	]],[[
3489	struct rlimit rl_zero;
3490	int fd, r;
3491	fd_set fds;
3492	struct timeval tv;
3493
3494	fd = open("/dev/null", O_RDONLY);
3495	FD_ZERO(&fds);
3496	FD_SET(fd, &fds);
3497	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3498	setrlimit(RLIMIT_FSIZE, &rl_zero);
3499	setrlimit(RLIMIT_NOFILE, &rl_zero);
3500	tv.tv_sec = 1;
3501	tv.tv_usec = 0;
3502	r = select(fd+1, &fds, NULL, NULL, &tv);
3503	exit (r == -1 ? 1 : 0);
3504	]])],
3505	[AC_MSG_RESULT([yes])
3506	 select_works_with_rlimit=yes],
3507	[AC_MSG_RESULT([no])
3508	 select_works_with_rlimit=no],
3509	[AC_MSG_WARN([cross compiling: assuming yes])
3510	 select_works_with_rlimit=yes]
3511)
3512
3513AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3514AC_RUN_IFELSE(
3515	[AC_LANG_PROGRAM([[
3516#include <sys/types.h>
3517#ifdef HAVE_SYS_TIME_H
3518# include <sys/time.h>
3519#endif
3520#include <sys/resource.h>
3521#include <errno.h>
3522#include <stdlib.h>
3523	]],[[
3524	struct rlimit rl_zero;
3525	int r;
3526
3527	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3528	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3529	exit (r == -1 ? 1 : 0);
3530	]])],
3531	[AC_MSG_RESULT([yes])
3532	 rlimit_nofile_zero_works=yes],
3533	[AC_MSG_RESULT([no])
3534	 rlimit_nofile_zero_works=no],
3535	[AC_MSG_WARN([cross compiling: assuming yes])
3536	 rlimit_nofile_zero_works=yes]
3537)
3538
3539AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3540AC_RUN_IFELSE(
3541	[AC_LANG_PROGRAM([[
3542#include <sys/types.h>
3543#include <sys/resource.h>
3544#include <stdlib.h>
3545	]],[[
3546		struct rlimit rl_zero;
3547
3548		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3549		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3550	]])],
3551	[AC_MSG_RESULT([yes])],
3552	[AC_MSG_RESULT([no])
3553	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3554	    [setrlimit RLIMIT_FSIZE works])],
3555	[AC_MSG_WARN([cross compiling: assuming yes])]
3556)
3557
3558if test "x$sandbox_arg" = "xpledge" || \
3559   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3560	test "x$ac_cv_func_pledge" != "xyes" && \
3561		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3562	SANDBOX_STYLE="pledge"
3563	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3564elif test "x$sandbox_arg" = "xsystrace" || \
3565   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3566	test "x$have_systr_policy_kill" != "x1" && \
3567		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3568	SANDBOX_STYLE="systrace"
3569	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3570elif test "x$sandbox_arg" = "xdarwin" || \
3571     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3572       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3573	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3574	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3575		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3576	SANDBOX_STYLE="darwin"
3577	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3578elif test "x$sandbox_arg" = "xseccomp_filter" || \
3579     ( test -z "$sandbox_arg" && \
3580       test "x$have_seccomp_filter" = "x1" && \
3581       test "x$ac_cv_header_elf_h" = "xyes" && \
3582       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3583       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3584       test "x$seccomp_audit_arch" != "x" && \
3585       test "x$have_linux_no_new_privs" = "x1" && \
3586       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3587	test "x$seccomp_audit_arch" = "x" && \
3588		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3589	test "x$have_linux_no_new_privs" != "x1" && \
3590		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3591	test "x$have_seccomp_filter" != "x1" && \
3592		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3593	test "x$ac_cv_func_prctl" != "xyes" && \
3594		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3595	SANDBOX_STYLE="seccomp_filter"
3596	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3597elif test "x$sandbox_arg" = "xcapsicum" || \
3598     ( test -z "$sandbox_arg" && \
3599       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3600       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3601       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3602		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3603       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3604		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3605       SANDBOX_STYLE="capsicum"
3606       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3607elif test "x$sandbox_arg" = "xrlimit" || \
3608     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3609       test "x$select_works_with_rlimit" = "xyes" && \
3610       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3611	test "x$ac_cv_func_setrlimit" != "xyes" && \
3612		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3613	test "x$select_works_with_rlimit" != "xyes" && \
3614		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3615	SANDBOX_STYLE="rlimit"
3616	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3617elif test "x$sandbox_arg" = "xsolaris" || \
3618   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3619	SANDBOX_STYLE="solaris"
3620	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3621elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3622     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3623	SANDBOX_STYLE="none"
3624	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3625else
3626	AC_MSG_ERROR([unsupported --with-sandbox])
3627fi
3628
3629# Cheap hack to ensure NEWS-OS libraries are arranged right.
3630if test ! -z "$SONY" ; then
3631  LIBS="$LIBS -liberty";
3632fi
3633
3634# Check for  long long datatypes
3635AC_CHECK_TYPES([long long, unsigned long long, long double])
3636
3637# Check datatype sizes
3638AC_CHECK_SIZEOF([short int])
3639AC_CHECK_SIZEOF([int])
3640AC_CHECK_SIZEOF([long int])
3641AC_CHECK_SIZEOF([long long int])
3642
3643# Sanity check long long for some platforms (AIX)
3644if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3645	ac_cv_sizeof_long_long_int=0
3646fi
3647
3648# compute LLONG_MIN and LLONG_MAX if we don't know them.
3649if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3650	AC_MSG_CHECKING([for max value of long long])
3651	AC_RUN_IFELSE(
3652		[AC_LANG_PROGRAM([[
3653#include <stdio.h>
3654/* Why is this so damn hard? */
3655#ifdef __GNUC__
3656# undef __GNUC__
3657#endif
3658#define __USE_ISOC99
3659#include <limits.h>
3660#define DATA "conftest.llminmax"
3661#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3662
3663/*
3664 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3665 * we do this the hard way.
3666 */
3667static int
3668fprint_ll(FILE *f, long long n)
3669{
3670	unsigned int i;
3671	int l[sizeof(long long) * 8];
3672
3673	if (n < 0)
3674		if (fprintf(f, "-") < 0)
3675			return -1;
3676	for (i = 0; n != 0; i++) {
3677		l[i] = my_abs(n % 10);
3678		n /= 10;
3679	}
3680	do {
3681		if (fprintf(f, "%d", l[--i]) < 0)
3682			return -1;
3683	} while (i != 0);
3684	if (fprintf(f, " ") < 0)
3685		return -1;
3686	return 0;
3687}
3688		]], [[
3689	FILE *f;
3690	long long i, llmin, llmax = 0;
3691
3692	if((f = fopen(DATA,"w")) == NULL)
3693		exit(1);
3694
3695#if defined(LLONG_MIN) && defined(LLONG_MAX)
3696	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3697	llmin = LLONG_MIN;
3698	llmax = LLONG_MAX;
3699#else
3700	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3701	/* This will work on one's complement and two's complement */
3702	for (i = 1; i > llmax; i <<= 1, i++)
3703		llmax = i;
3704	llmin = llmax + 1LL;	/* wrap */
3705#endif
3706
3707	/* Sanity check */
3708	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3709	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3710	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3711		fprintf(f, "unknown unknown\n");
3712		exit(2);
3713	}
3714
3715	if (fprint_ll(f, llmin) < 0)
3716		exit(3);
3717	if (fprint_ll(f, llmax) < 0)
3718		exit(4);
3719	if (fclose(f) < 0)
3720		exit(5);
3721	exit(0);
3722		]])],
3723		[
3724			llong_min=`$AWK '{print $1}' conftest.llminmax`
3725			llong_max=`$AWK '{print $2}' conftest.llminmax`
3726
3727			AC_MSG_RESULT([$llong_max])
3728			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3729			    [max value of long long calculated by configure])
3730			AC_MSG_CHECKING([for min value of long long])
3731			AC_MSG_RESULT([$llong_min])
3732			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3733			    [min value of long long calculated by configure])
3734		],
3735		[
3736			AC_MSG_RESULT([not found])
3737		],
3738		[
3739			AC_MSG_WARN([cross compiling: not checking])
3740		]
3741	)
3742fi
3743
3744AC_CHECK_DECLS([UINT32_MAX], , , [[
3745#ifdef HAVE_SYS_LIMITS_H
3746# include <sys/limits.h>
3747#endif
3748#ifdef HAVE_LIMITS_H
3749# include <limits.h>
3750#endif
3751#ifdef HAVE_STDINT_H
3752# include <stdint.h>
3753#endif
3754]])
3755
3756# More checks for data types
3757AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3758	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3759	[[ u_int a; a = 1;]])],
3760	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3761	])
3762])
3763if test "x$ac_cv_have_u_int" = "xyes" ; then
3764	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3765	have_u_int=1
3766fi
3767
3768AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3769	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3770	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3771	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3772	])
3773])
3774if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3775	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3776	have_intxx_t=1
3777fi
3778
3779if (test -z "$have_intxx_t" && \
3780	   test "x$ac_cv_header_stdint_h" = "xyes")
3781then
3782    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3783	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3784	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3785		[
3786			AC_DEFINE([HAVE_INTXX_T])
3787			AC_MSG_RESULT([yes])
3788		], [ AC_MSG_RESULT([no])
3789	])
3790fi
3791
3792AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3793	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3794#include <sys/types.h>
3795#ifdef HAVE_STDINT_H
3796# include <stdint.h>
3797#endif
3798#include <sys/socket.h>
3799#ifdef HAVE_SYS_BITYPES_H
3800# include <sys/bitypes.h>
3801#endif
3802		]], [[
3803int64_t a; a = 1;
3804		]])],
3805	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3806	])
3807])
3808if test "x$ac_cv_have_int64_t" = "xyes" ; then
3809	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3810fi
3811
3812AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3813	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3814	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3815	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3816	])
3817])
3818if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3819	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3820	have_u_intxx_t=1
3821fi
3822
3823if test -z "$have_u_intxx_t" ; then
3824    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3825	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3826	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3827		[
3828			AC_DEFINE([HAVE_U_INTXX_T])
3829			AC_MSG_RESULT([yes])
3830		], [ AC_MSG_RESULT([no])
3831	])
3832fi
3833
3834AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3835	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3836	[[ u_int64_t a; a = 1;]])],
3837	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3838	])
3839])
3840if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3841	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3842	have_u_int64_t=1
3843fi
3844
3845if (test -z "$have_u_int64_t" && \
3846	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3847then
3848    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3849	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3850	[[ u_int64_t a; a = 1]])],
3851		[
3852			AC_DEFINE([HAVE_U_INT64_T])
3853			AC_MSG_RESULT([yes])
3854		], [ AC_MSG_RESULT([no])
3855	])
3856fi
3857
3858if test -z "$have_u_intxx_t" ; then
3859	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3860		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3861#include <sys/types.h>
3862			]], [[
3863	uint8_t a;
3864	uint16_t b;
3865	uint32_t c;
3866	a = b = c = 1;
3867			]])],
3868		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3869		])
3870	])
3871	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3872		AC_DEFINE([HAVE_UINTXX_T], [1],
3873			[define if you have uintxx_t data type])
3874	fi
3875fi
3876
3877if (test -z "$have_uintxx_t" && \
3878	   test "x$ac_cv_header_stdint_h" = "xyes")
3879then
3880    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3881	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3882	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3883		[
3884			AC_DEFINE([HAVE_UINTXX_T])
3885			AC_MSG_RESULT([yes])
3886		], [ AC_MSG_RESULT([no])
3887	])
3888fi
3889
3890if (test -z "$have_uintxx_t" && \
3891	   test "x$ac_cv_header_inttypes_h" = "xyes")
3892then
3893    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3894	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3895	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3896		[
3897			AC_DEFINE([HAVE_UINTXX_T])
3898			AC_MSG_RESULT([yes])
3899		], [ AC_MSG_RESULT([no])
3900	])
3901fi
3902
3903if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3904	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3905then
3906	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3907	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3908#include <sys/bitypes.h>
3909		]], [[
3910			int8_t a; int16_t b; int32_t c;
3911			u_int8_t e; u_int16_t f; u_int32_t g;
3912			a = b = c = e = f = g = 1;
3913		]])],
3914		[
3915			AC_DEFINE([HAVE_U_INTXX_T])
3916			AC_DEFINE([HAVE_INTXX_T])
3917			AC_MSG_RESULT([yes])
3918		], [AC_MSG_RESULT([no])
3919	])
3920fi
3921
3922
3923AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3924	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3925	[[ u_char foo; foo = 125; ]])],
3926	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3927	])
3928])
3929if test "x$ac_cv_have_u_char" = "xyes" ; then
3930	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3931fi
3932
3933AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3934#include <sys/types.h>
3935#ifdef HAVE_STDINT_H
3936# include <stdint.h>
3937#endif
3938])
3939
3940TYPE_SOCKLEN_T
3941
3942AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3943AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3944#include <sys/types.h>
3945#ifdef HAVE_SYS_BITYPES_H
3946#include <sys/bitypes.h>
3947#endif
3948#ifdef HAVE_SYS_STATFS_H
3949#include <sys/statfs.h>
3950#endif
3951#ifdef HAVE_SYS_STATVFS_H
3952#include <sys/statvfs.h>
3953#endif
3954])
3955
3956AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3957#include <sys/param.h>
3958#include <sys/types.h>
3959#ifdef HAVE_SYS_BITYPES_H
3960#include <sys/bitypes.h>
3961#endif
3962#ifdef HAVE_SYS_STATFS_H
3963#include <sys/statfs.h>
3964#endif
3965#ifdef HAVE_SYS_STATVFS_H
3966#include <sys/statvfs.h>
3967#endif
3968#ifdef HAVE_SYS_VFS_H
3969#include <sys/vfs.h>
3970#endif
3971#ifdef HAVE_SYS_MOUNT_H
3972#include <sys/mount.h>
3973#endif
3974]])
3975
3976
3977AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3978[#include <sys/types.h>
3979#include <netinet/in.h>])
3980
3981AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3982	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3983	[[ size_t foo; foo = 1235; ]])],
3984	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3985	])
3986])
3987if test "x$ac_cv_have_size_t" = "xyes" ; then
3988	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3989fi
3990
3991AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3992	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3993	[[ ssize_t foo; foo = 1235; ]])],
3994	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3995	])
3996])
3997if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3998	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3999fi
4000
4001AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4002	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4003	[[ clock_t foo; foo = 1235; ]])],
4004	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4005	])
4006])
4007if test "x$ac_cv_have_clock_t" = "xyes" ; then
4008	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4009fi
4010
4011AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4012	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4013#include <sys/types.h>
4014#include <sys/socket.h>
4015		]], [[ sa_family_t foo; foo = 1235; ]])],
4016	[ ac_cv_have_sa_family_t="yes" ],
4017	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4018#include <sys/types.h>
4019#include <sys/socket.h>
4020#include <netinet/in.h>
4021		]], [[ sa_family_t foo; foo = 1235; ]])],
4022		[ ac_cv_have_sa_family_t="yes" ],
4023		[ ac_cv_have_sa_family_t="no" ]
4024	)
4025	])
4026])
4027if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4028	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4029		[define if you have sa_family_t data type])
4030fi
4031
4032AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4033	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4034	[[ pid_t foo; foo = 1235; ]])],
4035	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4036	])
4037])
4038if test "x$ac_cv_have_pid_t" = "xyes" ; then
4039	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4040fi
4041
4042AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4043	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4044	[[ mode_t foo; foo = 1235; ]])],
4045	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4046	])
4047])
4048if test "x$ac_cv_have_mode_t" = "xyes" ; then
4049	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4050fi
4051
4052
4053AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4054	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4055#include <sys/types.h>
4056#include <sys/socket.h>
4057		]], [[ struct sockaddr_storage s; ]])],
4058	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4059	[ ac_cv_have_struct_sockaddr_storage="no"
4060	])
4061])
4062if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4063	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4064		[define if you have struct sockaddr_storage data type])
4065fi
4066
4067AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4068	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4069#include <sys/types.h>
4070#include <netinet/in.h>
4071		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4072	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4073	[ ac_cv_have_struct_sockaddr_in6="no"
4074	])
4075])
4076if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4077	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4078		[define if you have struct sockaddr_in6 data type])
4079fi
4080
4081AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4082	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4083#include <sys/types.h>
4084#include <netinet/in.h>
4085		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4086	[ ac_cv_have_struct_in6_addr="yes" ],
4087	[ ac_cv_have_struct_in6_addr="no"
4088	])
4089])
4090if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4091	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4092		[define if you have struct in6_addr data type])
4093
4094dnl Now check for sin6_scope_id
4095	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4096		[
4097#ifdef HAVE_SYS_TYPES_H
4098#include <sys/types.h>
4099#endif
4100#include <netinet/in.h>
4101		])
4102fi
4103
4104AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4105	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4106#include <sys/types.h>
4107#include <sys/socket.h>
4108#include <netdb.h>
4109		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4110	[ ac_cv_have_struct_addrinfo="yes" ],
4111	[ ac_cv_have_struct_addrinfo="no"
4112	])
4113])
4114if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4115	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4116		[define if you have struct addrinfo data type])
4117fi
4118
4119AC_HEADER_TIME
4120
4121AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4122	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4123	[[ struct timeval tv; tv.tv_sec = 1;]])],
4124	[ ac_cv_have_struct_timeval="yes" ],
4125	[ ac_cv_have_struct_timeval="no"
4126	])
4127])
4128if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4129	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4130	have_struct_timeval=1
4131fi
4132
4133AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4134	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4135    #ifdef TIME_WITH_SYS_TIME
4136    # include <sys/time.h>
4137    # include <time.h>
4138    #else
4139    # ifdef HAVE_SYS_TIME_H
4140    #  include <sys/time.h>
4141    # else
4142    #  include <time.h>
4143    # endif
4144    #endif
4145	]],
4146	[[ struct timespec ts; ts.tv_sec = 1;]])],
4147	[ ac_cv_have_struct_timespec="yes" ],
4148	[ ac_cv_have_struct_timespec="no"
4149	])
4150])
4151if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4152	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4153	have_struct_timespec=1
4154fi
4155
4156# We need int64_t or else certain parts of the compile will fail.
4157if test "x$ac_cv_have_int64_t" = "xno" && \
4158	test "x$ac_cv_sizeof_long_int" != "x8" && \
4159	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4160	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4161	echo "an alternative compiler (I.E., GCC) before continuing."
4162	echo ""
4163	exit 1;
4164else
4165dnl test snprintf (broken on SCO w/gcc)
4166	AC_RUN_IFELSE(
4167		[AC_LANG_SOURCE([[
4168#include <stdio.h>
4169#include <string.h>
4170#ifdef HAVE_SNPRINTF
4171main()
4172{
4173	char buf[50];
4174	char expected_out[50];
4175	int mazsize = 50 ;
4176#if (SIZEOF_LONG_INT == 8)
4177	long int num = 0x7fffffffffffffff;
4178#else
4179	long long num = 0x7fffffffffffffffll;
4180#endif
4181	strcpy(expected_out, "9223372036854775807");
4182	snprintf(buf, mazsize, "%lld", num);
4183	if(strcmp(buf, expected_out) != 0)
4184		exit(1);
4185	exit(0);
4186}
4187#else
4188main() { exit(0); }
4189#endif
4190		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4191		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4192	)
4193fi
4194
4195dnl Checks for structure members
4196OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4197OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4198OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4199OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4200OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4201OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4202OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4203OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4204OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4205OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4206OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4209OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4210OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4211OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4212OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4213OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4214
4215AC_CHECK_MEMBERS([struct stat.st_blksize])
4216AC_CHECK_MEMBERS([struct stat.st_mtim])
4217AC_CHECK_MEMBERS([struct stat.st_mtime])
4218AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4219struct passwd.pw_change, struct passwd.pw_expire],
4220[], [], [[
4221#include <sys/types.h>
4222#include <pwd.h>
4223]])
4224
4225AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4226	[Define if we don't have struct __res_state in resolv.h])],
4227[[
4228#include <stdio.h>
4229#if HAVE_SYS_TYPES_H
4230# include <sys/types.h>
4231#endif
4232#include <netinet/in.h>
4233#include <arpa/nameser.h>
4234#include <resolv.h>
4235]])
4236
4237AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4238		ac_cv_have_ss_family_in_struct_ss, [
4239	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4240#include <sys/types.h>
4241#include <sys/socket.h>
4242		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4243	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4244	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4245])
4246if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4247	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4248fi
4249
4250AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4251		ac_cv_have___ss_family_in_struct_ss, [
4252	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4253#include <sys/types.h>
4254#include <sys/socket.h>
4255		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4256	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4257	[ ac_cv_have___ss_family_in_struct_ss="no"
4258	])
4259])
4260if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4261	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4262		[Fields in struct sockaddr_storage])
4263fi
4264
4265dnl make sure we're using the real structure members and not defines
4266AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4267		ac_cv_have_accrights_in_msghdr, [
4268	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4269#include <sys/types.h>
4270#include <sys/socket.h>
4271#include <sys/uio.h>
4272		]], [[
4273#ifdef msg_accrights
4274#error "msg_accrights is a macro"
4275exit(1);
4276#endif
4277struct msghdr m;
4278m.msg_accrights = 0;
4279exit(0);
4280		]])],
4281		[ ac_cv_have_accrights_in_msghdr="yes" ],
4282		[ ac_cv_have_accrights_in_msghdr="no" ]
4283	)
4284])
4285if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4286	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4287		[Define if your system uses access rights style
4288		file descriptor passing])
4289fi
4290
4291AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4292AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4293#include <sys/param.h>
4294#include <sys/stat.h>
4295#ifdef HAVE_SYS_TIME_H
4296# include <sys/time.h>
4297#endif
4298#ifdef HAVE_SYS_MOUNT_H
4299#include <sys/mount.h>
4300#endif
4301#ifdef HAVE_SYS_STATVFS_H
4302#include <sys/statvfs.h>
4303#endif
4304	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4305	[ AC_MSG_RESULT([yes]) ],
4306	[ AC_MSG_RESULT([no])
4307
4308	AC_MSG_CHECKING([if fsid_t has member val])
4309	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4310#include <sys/types.h>
4311#include <sys/statvfs.h>
4312	]], [[ fsid_t t; t.val[0] = 0; ]])],
4313	[ AC_MSG_RESULT([yes])
4314	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4315	[ AC_MSG_RESULT([no]) ])
4316
4317	AC_MSG_CHECKING([if f_fsid has member __val])
4318	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4319#include <sys/types.h>
4320#include <sys/statvfs.h>
4321	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4322	[ AC_MSG_RESULT([yes])
4323	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4324	[ AC_MSG_RESULT([no]) ])
4325])
4326
4327AC_CACHE_CHECK([for msg_control field in struct msghdr],
4328		ac_cv_have_control_in_msghdr, [
4329	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4330#include <sys/types.h>
4331#include <sys/socket.h>
4332#include <sys/uio.h>
4333		]], [[
4334#ifdef msg_control
4335#error "msg_control is a macro"
4336exit(1);
4337#endif
4338struct msghdr m;
4339m.msg_control = 0;
4340exit(0);
4341		]])],
4342		[ ac_cv_have_control_in_msghdr="yes" ],
4343		[ ac_cv_have_control_in_msghdr="no" ]
4344	)
4345])
4346if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4347	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4348		[Define if your system uses ancillary data style
4349		file descriptor passing])
4350fi
4351
4352AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4353	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4354		[[ extern char *__progname; printf("%s", __progname); ]])],
4355	[ ac_cv_libc_defines___progname="yes" ],
4356	[ ac_cv_libc_defines___progname="no"
4357	])
4358])
4359if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4360	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4361fi
4362
4363AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4364	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4365		[[ printf("%s", __FUNCTION__); ]])],
4366	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4367	[ ac_cv_cc_implements___FUNCTION__="no"
4368	])
4369])
4370if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4371	AC_DEFINE([HAVE___FUNCTION__], [1],
4372		[Define if compiler implements __FUNCTION__])
4373fi
4374
4375AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4376	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4377		[[ printf("%s", __func__); ]])],
4378	[ ac_cv_cc_implements___func__="yes" ],
4379	[ ac_cv_cc_implements___func__="no"
4380	])
4381])
4382if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4383	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4384fi
4385
4386AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4387	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4388#include <stdarg.h>
4389va_list x,y;
4390		]], [[ va_copy(x,y); ]])],
4391	[ ac_cv_have_va_copy="yes" ],
4392	[ ac_cv_have_va_copy="no"
4393	])
4394])
4395if test "x$ac_cv_have_va_copy" = "xyes" ; then
4396	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4397fi
4398
4399AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4400	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4401#include <stdarg.h>
4402va_list x,y;
4403		]], [[ __va_copy(x,y); ]])],
4404	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4405	])
4406])
4407if test "x$ac_cv_have___va_copy" = "xyes" ; then
4408	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4409fi
4410
4411AC_CACHE_CHECK([whether getopt has optreset support],
4412		ac_cv_have_getopt_optreset, [
4413	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4414		[[ extern int optreset; optreset = 0; ]])],
4415	[ ac_cv_have_getopt_optreset="yes" ],
4416	[ ac_cv_have_getopt_optreset="no"
4417	])
4418])
4419if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4420	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4421		[Define if your getopt(3) defines and uses optreset])
4422fi
4423
4424AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4425	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4426[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4427	[ ac_cv_libc_defines_sys_errlist="yes" ],
4428	[ ac_cv_libc_defines_sys_errlist="no"
4429	])
4430])
4431if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4432	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4433		[Define if your system defines sys_errlist[]])
4434fi
4435
4436
4437AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4438	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4439[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4440	[ ac_cv_libc_defines_sys_nerr="yes" ],
4441	[ ac_cv_libc_defines_sys_nerr="no"
4442	])
4443])
4444if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4445	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4446fi
4447
4448# Check libraries needed by DNS fingerprint support
4449AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4450	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4451		[Define if getrrsetbyname() exists])],
4452	[
4453		# Needed by our getrrsetbyname()
4454		AC_SEARCH_LIBS([res_query], [resolv])
4455		AC_SEARCH_LIBS([dn_expand], [resolv])
4456		AC_MSG_CHECKING([if res_query will link])
4457		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4458#include <sys/types.h>
4459#include <netinet/in.h>
4460#include <arpa/nameser.h>
4461#include <netdb.h>
4462#include <resolv.h>
4463				]], [[
4464	res_query (0, 0, 0, 0, 0);
4465				]])],
4466		    AC_MSG_RESULT([yes]),
4467		   [AC_MSG_RESULT([no])
4468		    saved_LIBS="$LIBS"
4469		    LIBS="$LIBS -lresolv"
4470		    AC_MSG_CHECKING([for res_query in -lresolv])
4471		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4472#include <sys/types.h>
4473#include <netinet/in.h>
4474#include <arpa/nameser.h>
4475#include <netdb.h>
4476#include <resolv.h>
4477				]], [[
4478	res_query (0, 0, 0, 0, 0);
4479				]])],
4480			[AC_MSG_RESULT([yes])],
4481			[LIBS="$saved_LIBS"
4482			 AC_MSG_RESULT([no])])
4483		    ])
4484		AC_CHECK_FUNCS([_getshort _getlong])
4485		AC_CHECK_DECLS([_getshort, _getlong], , ,
4486		    [#include <sys/types.h>
4487		    #include <arpa/nameser.h>])
4488		AC_CHECK_MEMBER([HEADER.ad],
4489			[AC_DEFINE([HAVE_HEADER_AD], [1],
4490			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4491			[#include <arpa/nameser.h>])
4492	])
4493
4494AC_MSG_CHECKING([if struct __res_state _res is an extern])
4495AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4496#include <stdio.h>
4497#if HAVE_SYS_TYPES_H
4498# include <sys/types.h>
4499#endif
4500#include <netinet/in.h>
4501#include <arpa/nameser.h>
4502#include <resolv.h>
4503extern struct __res_state _res;
4504		]], [[
4505struct __res_state *volatile p = &_res;  /* force resolution of _res */
4506return 0;
4507		]],)],
4508		[AC_MSG_RESULT([yes])
4509		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4510		    [Define if you have struct __res_state _res as an extern])
4511		],
4512		[ AC_MSG_RESULT([no]) ]
4513)
4514
4515# Check whether user wants SELinux support
4516SELINUX_MSG="no"
4517LIBSELINUX=""
4518AC_ARG_WITH([selinux],
4519	[  --with-selinux          Enable SELinux support],
4520	[ if test "x$withval" != "xno" ; then
4521		save_LIBS="$LIBS"
4522		AC_DEFINE([WITH_SELINUX], [1],
4523			[Define if you want SELinux support.])
4524		SELINUX_MSG="yes"
4525		AC_CHECK_HEADER([selinux/selinux.h], ,
4526			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4527		AC_CHECK_LIB([selinux], [setexeccon],
4528			[ LIBSELINUX="-lselinux"
4529			  LIBS="$LIBS -lselinux"
4530			],
4531			AC_MSG_ERROR([SELinux support requires libselinux library]))
4532		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4533		LIBS="$save_LIBS $LIBSELINUX"
4534	fi ]
4535)
4536AC_SUBST([SSHDLIBS])
4537
4538# Check whether user wants Kerberos 5 support
4539KRB5_MSG="no"
4540AC_ARG_WITH([kerberos5],
4541	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4542	[ if test "x$withval" != "xno" ; then
4543		if test "x$withval" = "xyes" ; then
4544			KRB5ROOT="/usr/local"
4545		else
4546			KRB5ROOT=${withval}
4547		fi
4548
4549		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4550		KRB5_MSG="yes"
4551
4552		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4553			     [$KRB5ROOT/bin/krb5-config],
4554			     [$KRB5ROOT/bin:$PATH])
4555		if test -x $KRB5CONF ; then
4556			K5CFLAGS="`$KRB5CONF --cflags`"
4557			K5LIBS="`$KRB5CONF --libs`"
4558			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4559
4560			AC_MSG_CHECKING([for gssapi support])
4561			if $KRB5CONF | grep gssapi >/dev/null ; then
4562				AC_MSG_RESULT([yes])
4563				AC_DEFINE([GSSAPI], [1],
4564					[Define this if you want GSSAPI
4565					support in the version 2 protocol])
4566				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4567				GSSLIBS="`$KRB5CONF --libs gssapi`"
4568				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4569			else
4570				AC_MSG_RESULT([no])
4571			fi
4572			AC_MSG_CHECKING([whether we are using Heimdal])
4573			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4574				]], [[ char *tmp = heimdal_version; ]])],
4575				[ AC_MSG_RESULT([yes])
4576				AC_DEFINE([HEIMDAL], [1],
4577				[Define this if you are using the Heimdal
4578				version of Kerberos V5]) ],
4579				[AC_MSG_RESULT([no])
4580			])
4581		else
4582			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4583			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4584			AC_MSG_CHECKING([whether we are using Heimdal])
4585			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4586				]], [[ char *tmp = heimdal_version; ]])],
4587					[ AC_MSG_RESULT([yes])
4588					 AC_DEFINE([HEIMDAL])
4589					 K5LIBS="-lkrb5"
4590					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4591					 AC_CHECK_LIB([roken], [net_write],
4592					   [K5LIBS="$K5LIBS -lroken"])
4593					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4594					   [K5LIBS="$K5LIBS -ldes"])
4595				       ], [ AC_MSG_RESULT([no])
4596					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4597			])
4598			AC_SEARCH_LIBS([dn_expand], [resolv])
4599
4600			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4601				[ AC_DEFINE([GSSAPI])
4602				  GSSLIBS="-lgssapi_krb5" ],
4603				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4604					[ AC_DEFINE([GSSAPI])
4605					  GSSLIBS="-lgssapi" ],
4606					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4607						[ AC_DEFINE([GSSAPI])
4608						  GSSLIBS="-lgss" ],
4609						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4610					])
4611				])
4612
4613			AC_CHECK_HEADER([gssapi.h], ,
4614				[ unset ac_cv_header_gssapi_h
4615				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4616				  AC_CHECK_HEADERS([gssapi.h], ,
4617					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4618				  )
4619				]
4620			)
4621
4622			oldCPP="$CPPFLAGS"
4623			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4624			AC_CHECK_HEADER([gssapi_krb5.h], ,
4625					[ CPPFLAGS="$oldCPP" ])
4626
4627		fi
4628		if test -n "${rpath_opt}" ; then
4629			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4630		fi
4631		if test ! -z "$blibpath" ; then
4632			blibpath="$blibpath:${KRB5ROOT}/lib"
4633		fi
4634
4635		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4636		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4637		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4638
4639		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4640			[Define this if you want to use libkafs' AFS support])])
4641
4642		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4643#ifdef HAVE_GSSAPI_H
4644# include <gssapi.h>
4645#elif defined(HAVE_GSSAPI_GSSAPI_H)
4646# include <gssapi/gssapi.h>
4647#endif
4648
4649#ifdef HAVE_GSSAPI_GENERIC_H
4650# include <gssapi_generic.h>
4651#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4652# include <gssapi/gssapi_generic.h>
4653#endif
4654		]])
4655		saved_LIBS="$LIBS"
4656		LIBS="$LIBS $K5LIBS"
4657		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4658		LIBS="$saved_LIBS"
4659
4660	fi
4661	]
4662)
4663AC_SUBST([GSSLIBS])
4664AC_SUBST([K5LIBS])
4665
4666# Looking for programs, paths and files
4667
4668PRIVSEP_PATH=/var/empty
4669AC_ARG_WITH([privsep-path],
4670	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4671	[
4672		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4673		    test "x${withval}" != "xyes"; then
4674			PRIVSEP_PATH=$withval
4675		fi
4676	]
4677)
4678AC_SUBST([PRIVSEP_PATH])
4679
4680AC_ARG_WITH([xauth],
4681	[  --with-xauth=PATH       Specify path to xauth program ],
4682	[
4683		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4684		    test "x${withval}" != "xyes"; then
4685			xauth_path=$withval
4686		fi
4687	],
4688	[
4689		TestPath="$PATH"
4690		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4691		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4692		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4693		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4694		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4695		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4696			xauth_path="/usr/openwin/bin/xauth"
4697		fi
4698	]
4699)
4700
4701STRIP_OPT=-s
4702AC_ARG_ENABLE([strip],
4703	[  --disable-strip         Disable calling strip(1) on install],
4704	[
4705		if test "x$enableval" = "xno" ; then
4706			STRIP_OPT=
4707		fi
4708	]
4709)
4710AC_SUBST([STRIP_OPT])
4711
4712if test -z "$xauth_path" ; then
4713	XAUTH_PATH="undefined"
4714	AC_SUBST([XAUTH_PATH])
4715else
4716	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4717		[Define if xauth is found in your path])
4718	XAUTH_PATH=$xauth_path
4719	AC_SUBST([XAUTH_PATH])
4720fi
4721
4722dnl # --with-maildir=/path/to/mail gets top priority.
4723dnl # if maildir is set in the platform case statement above we use that.
4724dnl # Otherwise we run a program to get the dir from system headers.
4725dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4726dnl # If we find _PATH_MAILDIR we do nothing because that is what
4727dnl # session.c expects anyway. Otherwise we set to the value found
4728dnl # stripping any trailing slash. If for some strage reason our program
4729dnl # does not find what it needs, we default to /var/spool/mail.
4730# Check for mail directory
4731AC_ARG_WITH([maildir],
4732    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4733    [
4734	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4735	    test "x${withval}" != xyes; then
4736		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4737            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4738	    fi
4739     ],[
4740	if test "X$maildir" != "X"; then
4741	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4742	else
4743	    AC_MSG_CHECKING([Discovering system mail directory])
4744	    AC_RUN_IFELSE(
4745		[AC_LANG_PROGRAM([[
4746#include <stdio.h>
4747#include <string.h>
4748#ifdef HAVE_PATHS_H
4749#include <paths.h>
4750#endif
4751#ifdef HAVE_MAILLOCK_H
4752#include <maillock.h>
4753#endif
4754#define DATA "conftest.maildir"
4755	]], [[
4756	FILE *fd;
4757	int rc;
4758
4759	fd = fopen(DATA,"w");
4760	if(fd == NULL)
4761		exit(1);
4762
4763#if defined (_PATH_MAILDIR)
4764	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4765		exit(1);
4766#elif defined (MAILDIR)
4767	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4768		exit(1);
4769#elif defined (_PATH_MAIL)
4770	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4771		exit(1);
4772#else
4773	exit (2);
4774#endif
4775
4776	exit(0);
4777		]])],
4778		[
4779		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4780		    maildir=`awk -F: '{print $2}' conftest.maildir \
4781			| sed 's|/$||'`
4782		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4783		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4784			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4785		    fi
4786		],
4787		[
4788		    if test "X$ac_status" = "X2";then
4789# our test program didn't find it. Default to /var/spool/mail
4790			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4791			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4792		     else
4793			AC_MSG_RESULT([*** not found ***])
4794		     fi
4795		],
4796		[
4797			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4798		]
4799	    )
4800	fi
4801    ]
4802) # maildir
4803
4804if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4805	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4806	disable_ptmx_check=yes
4807fi
4808if test -z "$no_dev_ptmx" ; then
4809	if test "x$disable_ptmx_check" != "xyes" ; then
4810		AC_CHECK_FILE(["/dev/ptmx"],
4811			[
4812				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4813					[Define if you have /dev/ptmx])
4814				have_dev_ptmx=1
4815			]
4816		)
4817	fi
4818fi
4819
4820if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4821	AC_CHECK_FILE(["/dev/ptc"],
4822		[
4823			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4824				[Define if you have /dev/ptc])
4825			have_dev_ptc=1
4826		]
4827	)
4828else
4829	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4830fi
4831
4832# Options from here on. Some of these are preset by platform above
4833AC_ARG_WITH([mantype],
4834	[  --with-mantype=man|cat|doc  Set man page type],
4835	[
4836		case "$withval" in
4837		man|cat|doc)
4838			MANTYPE=$withval
4839			;;
4840		*)
4841			AC_MSG_ERROR([invalid man type: $withval])
4842			;;
4843		esac
4844	]
4845)
4846if test -z "$MANTYPE"; then
4847	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4848		MANTYPE=doc
4849	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4850		MANTYPE=doc
4851	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4852		MANTYPE=man
4853	else
4854		MANTYPE=cat
4855	fi
4856fi
4857AC_SUBST([MANTYPE])
4858if test "$MANTYPE" = "doc"; then
4859	mansubdir=man;
4860else
4861	mansubdir=$MANTYPE;
4862fi
4863AC_SUBST([mansubdir])
4864
4865# Check whether to enable MD5 passwords
4866MD5_MSG="no"
4867AC_ARG_WITH([md5-passwords],
4868	[  --with-md5-passwords    Enable use of MD5 passwords],
4869	[
4870		if test "x$withval" != "xno" ; then
4871			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4872				[Define if you want to allow MD5 passwords])
4873			MD5_MSG="yes"
4874		fi
4875	]
4876)
4877
4878# Whether to disable shadow password support
4879AC_ARG_WITH([shadow],
4880	[  --without-shadow        Disable shadow password support],
4881	[
4882		if test "x$withval" = "xno" ; then
4883			AC_DEFINE([DISABLE_SHADOW])
4884			disable_shadow=yes
4885		fi
4886	]
4887)
4888
4889if test -z "$disable_shadow" ; then
4890	AC_MSG_CHECKING([if the systems has expire shadow information])
4891	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4892#include <sys/types.h>
4893#include <shadow.h>
4894struct spwd sp;
4895		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4896		[ sp_expire_available=yes ], [
4897	])
4898
4899	if test "x$sp_expire_available" = "xyes" ; then
4900		AC_MSG_RESULT([yes])
4901		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4902		    [Define if you want to use shadow password expire field])
4903	else
4904		AC_MSG_RESULT([no])
4905	fi
4906fi
4907
4908# Use ip address instead of hostname in $DISPLAY
4909if test ! -z "$IPADDR_IN_DISPLAY" ; then
4910	DISPLAY_HACK_MSG="yes"
4911	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4912		[Define if you need to use IP address
4913		instead of hostname in $DISPLAY])
4914else
4915	DISPLAY_HACK_MSG="no"
4916	AC_ARG_WITH([ipaddr-display],
4917		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4918		[
4919			if test "x$withval" != "xno" ; then
4920				AC_DEFINE([IPADDR_IN_DISPLAY])
4921				DISPLAY_HACK_MSG="yes"
4922			fi
4923		]
4924	)
4925fi
4926
4927# check for /etc/default/login and use it if present.
4928AC_ARG_ENABLE([etc-default-login],
4929	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4930	[ if test "x$enableval" = "xno"; then
4931		AC_MSG_NOTICE([/etc/default/login handling disabled])
4932		etc_default_login=no
4933	  else
4934		etc_default_login=yes
4935	  fi ],
4936	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4937	  then
4938		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4939		etc_default_login=no
4940	  else
4941		etc_default_login=yes
4942	  fi ]
4943)
4944
4945if test "x$etc_default_login" != "xno"; then
4946	AC_CHECK_FILE(["/etc/default/login"],
4947	    [ external_path_file=/etc/default/login ])
4948	if test "x$external_path_file" = "x/etc/default/login"; then
4949		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4950			[Define if your system has /etc/default/login])
4951	fi
4952fi
4953
4954dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4955if test $ac_cv_func_login_getcapbool = "yes" && \
4956	test $ac_cv_header_login_cap_h = "yes" ; then
4957	external_path_file=/etc/login.conf
4958fi
4959
4960# Whether to mess with the default path
4961SERVER_PATH_MSG="(default)"
4962AC_ARG_WITH([default-path],
4963	[  --with-default-path=    Specify default $PATH environment for server],
4964	[
4965		if test "x$external_path_file" = "x/etc/login.conf" ; then
4966			AC_MSG_WARN([
4967--with-default-path=PATH has no effect on this system.
4968Edit /etc/login.conf instead.])
4969		elif test "x$withval" != "xno" ; then
4970			if test ! -z "$external_path_file" ; then
4971				AC_MSG_WARN([
4972--with-default-path=PATH will only be used if PATH is not defined in
4973$external_path_file .])
4974			fi
4975			user_path="$withval"
4976			SERVER_PATH_MSG="$withval"
4977		fi
4978	],
4979	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4980		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4981	else
4982		if test ! -z "$external_path_file" ; then
4983			AC_MSG_WARN([
4984If PATH is defined in $external_path_file, ensure the path to scp is included,
4985otherwise scp will not work.])
4986		fi
4987		AC_RUN_IFELSE(
4988			[AC_LANG_PROGRAM([[
4989/* find out what STDPATH is */
4990#include <stdio.h>
4991#ifdef HAVE_PATHS_H
4992# include <paths.h>
4993#endif
4994#ifndef _PATH_STDPATH
4995# ifdef _PATH_USERPATH	/* Irix */
4996#  define _PATH_STDPATH _PATH_USERPATH
4997# else
4998#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4999# endif
5000#endif
5001#include <sys/types.h>
5002#include <sys/stat.h>
5003#include <fcntl.h>
5004#define DATA "conftest.stdpath"
5005			]], [[
5006	FILE *fd;
5007	int rc;
5008
5009	fd = fopen(DATA,"w");
5010	if(fd == NULL)
5011		exit(1);
5012
5013	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5014		exit(1);
5015
5016	exit(0);
5017		]])],
5018		[ user_path=`cat conftest.stdpath` ],
5019		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5020		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5021	)
5022# make sure $bindir is in USER_PATH so scp will work
5023		t_bindir="${bindir}"
5024		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5025			t_bindir=`eval echo ${t_bindir}`
5026			case $t_bindir in
5027				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5028			esac
5029			case $t_bindir in
5030				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5031			esac
5032		done
5033		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5034		if test $? -ne 0  ; then
5035			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5036			if test $? -ne 0  ; then
5037				user_path=$user_path:$t_bindir
5038				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5039			fi
5040		fi
5041	fi ]
5042)
5043if test "x$external_path_file" != "x/etc/login.conf" ; then
5044	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5045	AC_SUBST([user_path])
5046fi
5047
5048# Set superuser path separately to user path
5049AC_ARG_WITH([superuser-path],
5050	[  --with-superuser-path=  Specify different path for super-user],
5051	[
5052		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5053		    test "x${withval}" != "xyes"; then
5054			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5055				[Define if you want a different $PATH
5056				for the superuser])
5057			superuser_path=$withval
5058		fi
5059	]
5060)
5061
5062
5063AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5064IPV4_IN6_HACK_MSG="no"
5065AC_ARG_WITH(4in6,
5066	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5067	[
5068		if test "x$withval" != "xno" ; then
5069			AC_MSG_RESULT([yes])
5070			AC_DEFINE([IPV4_IN_IPV6], [1],
5071				[Detect IPv4 in IPv6 mapped addresses
5072				and treat as IPv4])
5073			IPV4_IN6_HACK_MSG="yes"
5074		else
5075			AC_MSG_RESULT([no])
5076		fi
5077	], [
5078		if test "x$inet6_default_4in6" = "xyes"; then
5079			AC_MSG_RESULT([yes (default)])
5080			AC_DEFINE([IPV4_IN_IPV6])
5081			IPV4_IN6_HACK_MSG="yes"
5082		else
5083			AC_MSG_RESULT([no (default)])
5084		fi
5085	]
5086)
5087
5088# Whether to enable BSD auth support
5089BSD_AUTH_MSG=no
5090AC_ARG_WITH([bsd-auth],
5091	[  --with-bsd-auth         Enable BSD auth support],
5092	[
5093		if test "x$withval" != "xno" ; then
5094			AC_DEFINE([BSD_AUTH], [1],
5095				[Define if you have BSD auth support])
5096			BSD_AUTH_MSG=yes
5097		fi
5098	]
5099)
5100
5101# Where to place sshd.pid
5102piddir=/var/run
5103# make sure the directory exists
5104if test ! -d $piddir ; then
5105	piddir=`eval echo ${sysconfdir}`
5106	case $piddir in
5107		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5108	esac
5109fi
5110
5111AC_ARG_WITH([pid-dir],
5112	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5113	[
5114		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5115		    test "x${withval}" != "xyes"; then
5116			piddir=$withval
5117			if test ! -d $piddir ; then
5118			AC_MSG_WARN([** no $piddir directory on this system **])
5119			fi
5120		fi
5121	]
5122)
5123
5124AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5125	[Specify location of ssh.pid])
5126AC_SUBST([piddir])
5127
5128dnl allow user to disable some login recording features
5129AC_ARG_ENABLE([lastlog],
5130	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5131	[
5132		if test "x$enableval" = "xno" ; then
5133			AC_DEFINE([DISABLE_LASTLOG])
5134		fi
5135	]
5136)
5137AC_ARG_ENABLE([utmp],
5138	[  --disable-utmp          disable use of utmp even if detected [no]],
5139	[
5140		if test "x$enableval" = "xno" ; then
5141			AC_DEFINE([DISABLE_UTMP])
5142		fi
5143	]
5144)
5145AC_ARG_ENABLE([utmpx],
5146	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5147	[
5148		if test "x$enableval" = "xno" ; then
5149			AC_DEFINE([DISABLE_UTMPX], [1],
5150				[Define if you don't want to use utmpx])
5151		fi
5152	]
5153)
5154AC_ARG_ENABLE([wtmp],
5155	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5156	[
5157		if test "x$enableval" = "xno" ; then
5158			AC_DEFINE([DISABLE_WTMP])
5159		fi
5160	]
5161)
5162AC_ARG_ENABLE([wtmpx],
5163	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5164	[
5165		if test "x$enableval" = "xno" ; then
5166			AC_DEFINE([DISABLE_WTMPX], [1],
5167				[Define if you don't want to use wtmpx])
5168		fi
5169	]
5170)
5171AC_ARG_ENABLE([libutil],
5172	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5173	[
5174		if test "x$enableval" = "xno" ; then
5175			AC_DEFINE([DISABLE_LOGIN])
5176		fi
5177	]
5178)
5179AC_ARG_ENABLE([pututline],
5180	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5181	[
5182		if test "x$enableval" = "xno" ; then
5183			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5184				[Define if you don't want to use pututline()
5185				etc. to write [uw]tmp])
5186		fi
5187	]
5188)
5189AC_ARG_ENABLE([pututxline],
5190	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5191	[
5192		if test "x$enableval" = "xno" ; then
5193			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5194				[Define if you don't want to use pututxline()
5195				etc. to write [uw]tmpx])
5196		fi
5197	]
5198)
5199AC_ARG_WITH([lastlog],
5200  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5201	[
5202		if test "x$withval" = "xno" ; then
5203			AC_DEFINE([DISABLE_LASTLOG])
5204		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5205			conf_lastlog_location=$withval
5206		fi
5207	]
5208)
5209
5210dnl lastlog, [uw]tmpx? detection
5211dnl  NOTE: set the paths in the platform section to avoid the
5212dnl   need for command-line parameters
5213dnl lastlog and [uw]tmp are subject to a file search if all else fails
5214
5215dnl lastlog detection
5216dnl  NOTE: the code itself will detect if lastlog is a directory
5217AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5218AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5219#include <sys/types.h>
5220#include <utmp.h>
5221#ifdef HAVE_LASTLOG_H
5222#  include <lastlog.h>
5223#endif
5224#ifdef HAVE_PATHS_H
5225#  include <paths.h>
5226#endif
5227#ifdef HAVE_LOGIN_H
5228# include <login.h>
5229#endif
5230	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5231		[ AC_MSG_RESULT([yes]) ],
5232		[
5233		AC_MSG_RESULT([no])
5234		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5235		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5236#include <sys/types.h>
5237#include <utmp.h>
5238#ifdef HAVE_LASTLOG_H
5239#  include <lastlog.h>
5240#endif
5241#ifdef HAVE_PATHS_H
5242#  include <paths.h>
5243#endif
5244		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5245		[ AC_MSG_RESULT([yes]) ],
5246		[
5247			AC_MSG_RESULT([no])
5248			system_lastlog_path=no
5249		])
5250])
5251
5252if test -z "$conf_lastlog_location"; then
5253	if test x"$system_lastlog_path" = x"no" ; then
5254		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5255				if (test -d "$f" || test -f "$f") ; then
5256					conf_lastlog_location=$f
5257				fi
5258		done
5259		if test -z "$conf_lastlog_location"; then
5260			AC_MSG_WARN([** Cannot find lastlog **])
5261			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5262		fi
5263	fi
5264fi
5265
5266if test -n "$conf_lastlog_location"; then
5267	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5268		[Define if you want to specify the path to your lastlog file])
5269fi
5270
5271dnl utmp detection
5272AC_MSG_CHECKING([if your system defines UTMP_FILE])
5273AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5274#include <sys/types.h>
5275#include <utmp.h>
5276#ifdef HAVE_PATHS_H
5277#  include <paths.h>
5278#endif
5279	]], [[ char *utmp = UTMP_FILE; ]])],
5280	[ AC_MSG_RESULT([yes]) ],
5281	[ AC_MSG_RESULT([no])
5282	  system_utmp_path=no
5283])
5284if test -z "$conf_utmp_location"; then
5285	if test x"$system_utmp_path" = x"no" ; then
5286		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5287			if test -f $f ; then
5288				conf_utmp_location=$f
5289			fi
5290		done
5291		if test -z "$conf_utmp_location"; then
5292			AC_DEFINE([DISABLE_UTMP])
5293		fi
5294	fi
5295fi
5296if test -n "$conf_utmp_location"; then
5297	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5298		[Define if you want to specify the path to your utmp file])
5299fi
5300
5301dnl wtmp detection
5302AC_MSG_CHECKING([if your system defines WTMP_FILE])
5303AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5304#include <sys/types.h>
5305#include <utmp.h>
5306#ifdef HAVE_PATHS_H
5307#  include <paths.h>
5308#endif
5309	]], [[ char *wtmp = WTMP_FILE; ]])],
5310	[ AC_MSG_RESULT([yes]) ],
5311	[ AC_MSG_RESULT([no])
5312	  system_wtmp_path=no
5313])
5314if test -z "$conf_wtmp_location"; then
5315	if test x"$system_wtmp_path" = x"no" ; then
5316		for f in /usr/adm/wtmp /var/log/wtmp; do
5317			if test -f $f ; then
5318				conf_wtmp_location=$f
5319			fi
5320		done
5321		if test -z "$conf_wtmp_location"; then
5322			AC_DEFINE([DISABLE_WTMP])
5323		fi
5324	fi
5325fi
5326if test -n "$conf_wtmp_location"; then
5327	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5328		[Define if you want to specify the path to your wtmp file])
5329fi
5330
5331dnl wtmpx detection
5332AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5333AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5334#include <sys/types.h>
5335#include <utmp.h>
5336#ifdef HAVE_UTMPX_H
5337#include <utmpx.h>
5338#endif
5339#ifdef HAVE_PATHS_H
5340#  include <paths.h>
5341#endif
5342	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5343	[ AC_MSG_RESULT([yes]) ],
5344	[ AC_MSG_RESULT([no])
5345	  system_wtmpx_path=no
5346])
5347if test -z "$conf_wtmpx_location"; then
5348	if test x"$system_wtmpx_path" = x"no" ; then
5349		AC_DEFINE([DISABLE_WTMPX])
5350	fi
5351else
5352	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5353		[Define if you want to specify the path to your wtmpx file])
5354fi
5355
5356
5357if test ! -z "$blibpath" ; then
5358	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5359	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5360fi
5361
5362AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5363    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5364	AC_DEFINE([DISABLE_LASTLOG])
5365    fi
5366	], [
5367#ifdef HAVE_SYS_TYPES_H
5368#include <sys/types.h>
5369#endif
5370#ifdef HAVE_UTMP_H
5371#include <utmp.h>
5372#endif
5373#ifdef HAVE_UTMPX_H
5374#include <utmpx.h>
5375#endif
5376#ifdef HAVE_LASTLOG_H
5377#include <lastlog.h>
5378#endif
5379	])
5380
5381AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5382	AC_DEFINE([DISABLE_UTMP])
5383	AC_DEFINE([DISABLE_WTMP])
5384	], [
5385#ifdef HAVE_SYS_TYPES_H
5386#include <sys/types.h>
5387#endif
5388#ifdef HAVE_UTMP_H
5389#include <utmp.h>
5390#endif
5391#ifdef HAVE_UTMPX_H
5392#include <utmpx.h>
5393#endif
5394#ifdef HAVE_LASTLOG_H
5395#include <lastlog.h>
5396#endif
5397	])
5398
5399dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5400dnl Add now.
5401CFLAGS="$CFLAGS $werror_flags"
5402
5403if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5404	TEST_SSH_IPV6=no
5405else
5406	TEST_SSH_IPV6=yes
5407fi
5408AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5409AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5410AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5411AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5412AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5413AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5414
5415CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5416LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5417
5418# Make a copy of CFLAGS/LDFLAGS without PIE options.
5419LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5420CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5421AC_SUBST([LDFLAGS_NOPIE])
5422AC_SUBST([CFLAGS_NOPIE])
5423
5424AC_EXEEXT
5425AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5426	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5427	survey.sh])
5428AC_OUTPUT
5429
5430# Print summary of options
5431
5432# Someone please show me a better way :)
5433A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5434B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5435C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5436D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5437E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5438F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5439G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5440H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5441I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5442J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5443
5444echo ""
5445echo "OpenSSH has been configured with the following options:"
5446echo "                     User binaries: $B"
5447echo "                   System binaries: $C"
5448echo "               Configuration files: $D"
5449echo "                   Askpass program: $E"
5450echo "                      Manual pages: $F"
5451echo "                          PID file: $G"
5452echo "  Privilege separation chroot path: $H"
5453if test "x$external_path_file" = "x/etc/login.conf" ; then
5454echo "   At runtime, sshd will use the path defined in $external_path_file"
5455echo "   Make sure the path to scp is present, otherwise scp will not work"
5456else
5457echo "            sshd default user PATH: $I"
5458	if test ! -z "$external_path_file"; then
5459echo "   (If PATH is set in $external_path_file it will be used instead. If"
5460echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5461	fi
5462fi
5463if test ! -z "$superuser_path" ; then
5464echo "          sshd superuser user PATH: $J"
5465fi
5466echo "                    Manpage format: $MANTYPE"
5467echo "                       PAM support: $PAM_MSG"
5468echo "                   OSF SIA support: $SIA_MSG"
5469echo "                 KerberosV support: $KRB5_MSG"
5470echo "                   SELinux support: $SELINUX_MSG"
5471echo "              MD5 password support: $MD5_MSG"
5472echo "                   libedit support: $LIBEDIT_MSG"
5473echo "                   libldns support: $LDNS_MSG"
5474echo "  Solaris process contract support: $SPC_MSG"
5475echo "           Solaris project support: $SP_MSG"
5476echo "         Solaris privilege support: $SPP_MSG"
5477echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5478echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5479echo "                  BSD Auth support: $BSD_AUTH_MSG"
5480echo "              Random number source: $RAND_MSG"
5481echo "             Privsep sandbox style: $SANDBOX_STYLE"
5482echo "                   PKCS#11 support: $enable_pkcs11"
5483echo "                  U2F/FIDO support: $enable_sk"
5484
5485echo ""
5486
5487echo "              Host: ${host}"
5488echo "          Compiler: ${CC}"
5489echo "    Compiler flags: ${CFLAGS}"
5490echo "Preprocessor flags: ${CPPFLAGS}"
5491echo "      Linker flags: ${LDFLAGS}"
5492echo "         Libraries: ${LIBS}"
5493if test ! -z "${SSHDLIBS}"; then
5494echo "         +for sshd: ${SSHDLIBS}"
5495fi
5496
5497echo ""
5498
5499if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5500	echo "SVR4 style packages are supported with \"make package\""
5501	echo ""
5502fi
5503
5504if test "x$PAM_MSG" = "xyes" ; then
5505	echo "PAM is enabled. You may need to install a PAM control file "
5506	echo "for sshd, otherwise password authentication may fail. "
5507	echo "Example PAM control files can be found in the contrib/ "
5508	echo "subdirectory"
5509	echo ""
5510fi
5511
5512if test ! -z "$NO_PEERCHECK" ; then
5513	echo "WARNING: the operating system that you are using does not"
5514	echo "appear to support getpeereid(), getpeerucred() or the"
5515	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5516	echo "enforce security checks to prevent unauthorised connections to"
5517	echo "ssh-agent. Their absence increases the risk that a malicious"
5518	echo "user can connect to your agent."
5519	echo ""
5520fi
5521
5522if test "$AUDIT_MODULE" = "bsm" ; then
5523	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5524	echo "See the Solaris section in README.platform for details."
5525fi
5526