xref: /openssh-portable/configure.ac (revision c1c44eee)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_SRCDIR([ssh.c])
18AC_LANG([C])
19
20AC_CONFIG_HEADER([config.h])
21AC_PROG_CC([cc gcc])
22AC_CANONICAL_HOST
23AC_C_BIGENDIAN
24
25# Checks for programs.
26AC_PROG_AWK
27AC_PROG_CPP
28AC_PROG_RANLIB
29AC_PROG_INSTALL
30AC_PROG_EGREP
31AC_PROG_MKDIR_P
32AC_CHECK_TOOLS([AR], [ar])
33AC_PATH_PROG([CAT], [cat])
34AC_PATH_PROG([KILL], [kill])
35AC_PATH_PROG([SED], [sed])
36AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
37AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
38AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
39AC_PATH_PROG([SH], [sh])
40AC_PATH_PROG([GROFF], [groff])
41AC_PATH_PROG([NROFF], [nroff awf])
42AC_PATH_PROG([MANDOC], [mandoc])
43AC_SUBST([TEST_SHELL], [sh])
44
45dnl select manpage formatter to be used to build "cat" format pages.
46if test "x$MANDOC" != "x" ; then
47	MANFMT="$MANDOC"
48elif test "x$NROFF" != "x" ; then
49	MANFMT="$NROFF -mandoc"
50elif test "x$GROFF" != "x" ; then
51	MANFMT="$GROFF -mandoc -Tascii"
52else
53	AC_MSG_WARN([no manpage formatter found])
54	MANFMT="false"
55fi
56AC_SUBST([MANFMT])
57
58dnl for buildpkg.sh
59AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
60	[/usr/sbin${PATH_SEPARATOR}/etc])
61AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
62	[/usr/sbin${PATH_SEPARATOR}/etc])
63AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
64if test -x /sbin/sh; then
65	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
66else
67	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
68fi
69
70# System features
71AC_SYS_LARGEFILE
72
73if test -z "$AR" ; then
74	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
75fi
76
77AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
78if test ! -z "$PATH_PASSWD_PROG" ; then
79	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
80		[Full path of your "passwd" program])
81fi
82
83dnl Since autoconf doesn't support it very well,  we no longer allow users to
84dnl override LD, however keeping the hook here for now in case there's a use
85dnl use case we overlooked and someone needs to re-enable it.  Unless a good
86dnl reason is found we'll be removing this in future.
87LD="$CC"
88AC_SUBST([LD])
89
90AC_C_INLINE
91
92AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
93AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
94AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
95	#include <sys/types.h>
96	#include <sys/param.h>
97	#include <dev/systrace.h>
98])
99AC_CHECK_DECL([RLIMIT_NPROC],
100    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
101	#include <sys/types.h>
102	#include <sys/resource.h>
103])
104AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
105	#include <sys/types.h>
106	#include <linux/prctl.h>
107])
108
109openssl=yes
110AC_ARG_WITH([openssl],
111	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
112	[  if test "x$withval" = "xno" ; then
113		openssl=no
114	   fi
115	]
116)
117AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
118if test "x$openssl" = "xyes" ; then
119	AC_MSG_RESULT([yes])
120	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
121else
122	AC_MSG_RESULT([no])
123fi
124
125use_stack_protector=1
126use_toolchain_hardening=1
127AC_ARG_WITH([stackprotect],
128    [  --without-stackprotect  Don't use compiler's stack protection], [
129    if test "x$withval" = "xno"; then
130	use_stack_protector=0
131    fi ])
132AC_ARG_WITH([hardening],
133    [  --without-hardening     Don't use toolchain hardening flags], [
134    if test "x$withval" = "xno"; then
135	use_toolchain_hardening=0
136    fi ])
137
138# We use -Werror for the tests only so that we catch warnings like "this is
139# on by default" for things like -fPIE.
140AC_MSG_CHECKING([if $CC supports -Werror])
141saved_CFLAGS="$CFLAGS"
142CFLAGS="$CFLAGS -Werror"
143AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
144	[ AC_MSG_RESULT([yes])
145	  WERROR="-Werror"],
146	[ AC_MSG_RESULT([no])
147	  WERROR="" ]
148)
149CFLAGS="$saved_CFLAGS"
150
151if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
152	OSSH_CHECK_CFLAG_COMPILE([-pipe])
153	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
154	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
155	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
156	OSSH_CHECK_CFLAG_COMPILE([-Wall])
157	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
158	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
159	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
160	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
161	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
162	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
163	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
164	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
165	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
166	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
167	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
168    if test "x$use_toolchain_hardening" = "x1"; then
169	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
170	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
171	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
172	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
173	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
174	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
175	# NB. -ftrapv expects certain support functions to be present in
176	# the compiler library (libgcc or similar) to detect integer operations
177	# that can overflow. We must check that the result of enabling it
178	# actually links. The test program compiled/linked includes a number
179	# of integer operations that should exercise this.
180	OSSH_CHECK_CFLAG_LINK([-ftrapv])
181    fi
182	AC_MSG_CHECKING([gcc version])
183	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
184	case $GCC_VER in
185		1.*) no_attrib_nonnull=1 ;;
186		2.8* | 2.9*)
187		     no_attrib_nonnull=1
188		     ;;
189		2.*) no_attrib_nonnull=1 ;;
190		*) ;;
191	esac
192	AC_MSG_RESULT([$GCC_VER])
193
194	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
195	saved_CFLAGS="$CFLAGS"
196	CFLAGS="$CFLAGS -fno-builtin-memset"
197	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
198			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
199		[ AC_MSG_RESULT([yes]) ],
200		[ AC_MSG_RESULT([no])
201		  CFLAGS="$saved_CFLAGS" ]
202	)
203
204	# -fstack-protector-all doesn't always work for some GCC versions
205	# and/or platforms, so we test if we can.  If it's not supported
206	# on a given platform gcc will emit a warning so we use -Werror.
207	if test "x$use_stack_protector" = "x1"; then
208	    for t in -fstack-protector-strong -fstack-protector-all \
209		    -fstack-protector; do
210		AC_MSG_CHECKING([if $CC supports $t])
211		saved_CFLAGS="$CFLAGS"
212		saved_LDFLAGS="$LDFLAGS"
213		CFLAGS="$CFLAGS $t -Werror"
214		LDFLAGS="$LDFLAGS $t -Werror"
215		AC_LINK_IFELSE(
216			[AC_LANG_PROGRAM([[
217	#include <stdio.h>
218	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
219			 ]],
220			[[
221	char x[256];
222	snprintf(x, sizeof(x), "XXX%d", func(1));
223			 ]])],
224		    [ AC_MSG_RESULT([yes])
225		      CFLAGS="$saved_CFLAGS $t"
226		      LDFLAGS="$saved_LDFLAGS $t"
227		      AC_MSG_CHECKING([if $t works])
228		      AC_RUN_IFELSE(
229			[AC_LANG_PROGRAM([[
230	#include <stdio.h>
231	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
232			]],
233			[[
234	char x[256];
235	snprintf(x, sizeof(x), "XXX%d", func(1));
236			]])],
237			[ AC_MSG_RESULT([yes])
238			  break ],
239			[ AC_MSG_RESULT([no]) ],
240			[ AC_MSG_WARN([cross compiling: cannot test])
241			  break ]
242		      )
243		    ],
244		    [ AC_MSG_RESULT([no]) ]
245		)
246		CFLAGS="$saved_CFLAGS"
247		LDFLAGS="$saved_LDFLAGS"
248	    done
249	fi
250
251	if test -z "$have_llong_max"; then
252		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
253		unset ac_cv_have_decl_LLONG_MAX
254		saved_CFLAGS="$CFLAGS"
255		CFLAGS="$CFLAGS -std=gnu99"
256		AC_CHECK_DECL([LLONG_MAX],
257		    [have_llong_max=1],
258		    [CFLAGS="$saved_CFLAGS"],
259		    [#include <limits.h>]
260		)
261	fi
262fi
263
264AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
265AC_COMPILE_IFELSE(
266    [AC_LANG_PROGRAM([[
267#include <stdlib.h>
268__attribute__((__unused__)) static void foo(void){return;}]],
269    [[ exit(0); ]])],
270    [ AC_MSG_RESULT([yes]) ],
271    [ AC_MSG_RESULT([no])
272      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
273	 [compiler does not accept __attribute__ on return types]) ]
274)
275
276AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
277AC_COMPILE_IFELSE(
278    [AC_LANG_PROGRAM([[
279#include <stdlib.h>
280typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
281    [[ exit(0); ]])],
282    [ AC_MSG_RESULT([yes]) ],
283    [ AC_MSG_RESULT([no])
284      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
285	 [compiler does not accept __attribute__ on prototype args]) ]
286)
287
288if test "x$no_attrib_nonnull" != "x1" ; then
289	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
290fi
291
292AC_ARG_WITH([rpath],
293	[  --without-rpath         Disable auto-added -R linker paths],
294	[
295		if test "x$withval" = "xno" ; then
296			rpath_opt=""
297		elif test "x$withval" = "xyes" ; then
298			rpath_opt="-R"
299		else
300			rpath_opt="$withval"
301		fi
302	]
303)
304
305# Allow user to specify flags
306AC_ARG_WITH([cflags],
307	[  --with-cflags           Specify additional flags to pass to compiler],
308	[
309		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
310		    test "x${withval}" != "xyes"; then
311			CFLAGS="$CFLAGS $withval"
312		fi
313	]
314)
315
316AC_ARG_WITH([cflags-after],
317	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
318	[
319		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
320		    test "x${withval}" != "xyes"; then
321			CFLAGS_AFTER="$withval"
322		fi
323	]
324)
325AC_ARG_WITH([cppflags],
326	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
327	[
328		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
329		    test "x${withval}" != "xyes"; then
330			CPPFLAGS="$CPPFLAGS $withval"
331		fi
332	]
333)
334AC_ARG_WITH([ldflags],
335	[  --with-ldflags          Specify additional flags to pass to linker],
336	[
337		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
338		    test "x${withval}" != "xyes"; then
339			LDFLAGS="$LDFLAGS $withval"
340		fi
341	]
342)
343AC_ARG_WITH([ldflags-after],
344	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
345	[
346		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
347		    test "x${withval}" != "xyes"; then
348			LDFLAGS_AFTER="$withval"
349		fi
350	]
351)
352AC_ARG_WITH([libs],
353	[  --with-libs             Specify additional libraries to link with],
354	[
355		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
356		    test "x${withval}" != "xyes"; then
357			LIBS="$LIBS $withval"
358		fi
359	]
360)
361AC_ARG_WITH([Werror],
362	[  --with-Werror           Build main code with -Werror],
363	[
364		if test -n "$withval"  &&  test "x$withval" != "xno"; then
365			werror_flags="-Werror"
366			if test "x${withval}" != "xyes"; then
367				werror_flags="$withval"
368			fi
369		fi
370	]
371)
372
373AC_CHECK_HEADERS([ \
374	blf.h \
375	bstring.h \
376	crypt.h \
377	crypto/sha2.h \
378	dirent.h \
379	endian.h \
380	elf.h \
381	err.h \
382	features.h \
383	fcntl.h \
384	floatingpoint.h \
385	fnmatch.h \
386	getopt.h \
387	glob.h \
388	ia.h \
389	iaf.h \
390	ifaddrs.h \
391	inttypes.h \
392	langinfo.h \
393	limits.h \
394	locale.h \
395	login.h \
396	maillock.h \
397	ndir.h \
398	net/if_tun.h \
399	netdb.h \
400	netgroup.h \
401	pam/pam_appl.h \
402	paths.h \
403	poll.h \
404	pty.h \
405	readpassphrase.h \
406	rpc/types.h \
407	security/pam_appl.h \
408	sha2.h \
409	shadow.h \
410	stddef.h \
411	stdint.h \
412	string.h \
413	strings.h \
414	sys/bitypes.h \
415	sys/byteorder.h \
416	sys/bsdtty.h \
417	sys/cdefs.h \
418	sys/dir.h \
419	sys/file.h \
420	sys/mman.h \
421	sys/label.h \
422	sys/ndir.h \
423	sys/poll.h \
424	sys/prctl.h \
425	sys/pstat.h \
426	sys/ptrace.h \
427	sys/random.h \
428	sys/select.h \
429	sys/stat.h \
430	sys/stream.h \
431	sys/stropts.h \
432	sys/strtio.h \
433	sys/statvfs.h \
434	sys/sysmacros.h \
435	sys/time.h \
436	sys/timers.h \
437	sys/vfs.h \
438	time.h \
439	tmpdir.h \
440	ttyent.h \
441	ucred.h \
442	unistd.h \
443	usersec.h \
444	util.h \
445	utime.h \
446	utmp.h \
447	utmpx.h \
448	vis.h \
449	wchar.h \
450])
451
452# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
453# to be included first.
454AC_CHECK_HEADERS([sys/audit.h], [], [], [
455#ifdef HAVE_SYS_TIME_H
456# include <sys/time.h>
457#endif
458#ifdef HAVE_SYS_TYPES_H
459# include <sys/types.h>
460#endif
461#ifdef HAVE_SYS_LABEL_H
462# include <sys/label.h>
463#endif
464])
465
466# sys/capsicum.h requires sys/types.h
467AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
468#ifdef HAVE_SYS_TYPES_H
469# include <sys/types.h>
470#endif
471])
472
473# net/route.h requires sys/socket.h and sys/types.h.
474# sys/sysctl.h also requires sys/param.h
475AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
476#ifdef HAVE_SYS_TYPES_H
477# include <sys/types.h>
478#endif
479#include <sys/param.h>
480#include <sys/socket.h>
481])
482
483# lastlog.h requires sys/time.h to be included first on Solaris
484AC_CHECK_HEADERS([lastlog.h], [], [], [
485#ifdef HAVE_SYS_TIME_H
486# include <sys/time.h>
487#endif
488])
489
490# sys/ptms.h requires sys/stream.h to be included first on Solaris
491AC_CHECK_HEADERS([sys/ptms.h], [], [], [
492#ifdef HAVE_SYS_STREAM_H
493# include <sys/stream.h>
494#endif
495])
496
497# login_cap.h requires sys/types.h on NetBSD
498AC_CHECK_HEADERS([login_cap.h], [], [], [
499#include <sys/types.h>
500])
501
502# older BSDs need sys/param.h before sys/mount.h
503AC_CHECK_HEADERS([sys/mount.h], [], [], [
504#include <sys/param.h>
505])
506
507# Android requires sys/socket.h to be included before sys/un.h
508AC_CHECK_HEADERS([sys/un.h], [], [], [
509#include <sys/types.h>
510#include <sys/socket.h>
511])
512
513# Messages for features tested for in target-specific section
514SIA_MSG="no"
515SPC_MSG="no"
516SP_MSG="no"
517SPP_MSG="no"
518
519# Support for Solaris/Illumos privileges (this test is used by both
520# the --with-solaris-privs option and --with-sandbox=solaris).
521SOLARIS_PRIVS="no"
522
523AC_CHECK_SIZEOF([size_t])
524
525# Check for some target-specific stuff
526case "$host" in
527*-*-aix*)
528	# Some versions of VAC won't allow macro redefinitions at
529	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
530	# particularly with older versions of vac or xlc.
531	# It also throws errors about null macro arguments, but these are
532	# not fatal.
533	AC_MSG_CHECKING([if compiler allows macro redefinitions])
534	AC_COMPILE_IFELSE(
535	    [AC_LANG_PROGRAM([[
536#define testmacro foo
537#define testmacro bar]],
538	    [[ exit(0); ]])],
539	    [ AC_MSG_RESULT([yes]) ],
540	    [ AC_MSG_RESULT([no])
541	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
542	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
543	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
544	    ]
545	)
546
547	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
548	if (test -z "$blibpath"); then
549		blibpath="/usr/lib:/lib"
550	fi
551	saved_LDFLAGS="$LDFLAGS"
552	if test "$GCC" = "yes"; then
553		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
554	else
555		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
556	fi
557	for tryflags in $flags ;do
558		if (test -z "$blibflags"); then
559			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
560			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
561			[blibflags=$tryflags], [])
562		fi
563	done
564	if (test -z "$blibflags"); then
565		AC_MSG_RESULT([not found])
566		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
567	else
568		AC_MSG_RESULT([$blibflags])
569	fi
570	LDFLAGS="$saved_LDFLAGS"
571	dnl Check for authenticate.  Might be in libs.a on older AIXes
572	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
573		[Define if you want to enable AIX4's authenticate function])],
574		[AC_CHECK_LIB([s], [authenticate],
575			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
576				LIBS="$LIBS -ls"
577			])
578		])
579	dnl Check for various auth function declarations in headers.
580	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
581	    passwdexpired, setauthdb], , , [#include <usersec.h>])
582	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
583	AC_CHECK_DECLS([loginfailed],
584	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
585	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
586		[[ (void)loginfailed("user","host","tty",0); ]])],
587		[AC_MSG_RESULT([yes])
588		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
589			[Define if your AIX loginfailed() function
590			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
591	    ])],
592	    [],
593	    [#include <usersec.h>]
594	)
595	AC_CHECK_FUNCS([getgrset setauthdb])
596	AC_CHECK_DECL([F_CLOSEM],
597	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
598	    [],
599	    [ #include <limits.h>
600	      #include <fcntl.h> ]
601	)
602	check_for_aix_broken_getaddrinfo=1
603	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
604	    [Define if your platform breaks doing a seteuid before a setuid])
605	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
606	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
607	dnl AIX handles lastlog as part of its login message
608	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
609	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
610		[Some systems need a utmpx entry for /bin/login to work])
611	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
612		[Define to a Set Process Title type if your system is
613		supported by bsd-setproctitle.c])
614	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
615	    [AIX 5.2 and 5.3 (and presumably newer) require this])
616	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
617	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
618	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
619	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
620	;;
621*-*-android*)
622	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
623	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
624	;;
625*-*-cygwin*)
626	check_for_libcrypt_later=1
627	LIBS="$LIBS /usr/lib/textreadmode.o"
628	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
629	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
630	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
631		[Define to disable UID restoration test])
632	AC_DEFINE([DISABLE_SHADOW], [1],
633		[Define if you want to disable shadow passwords])
634	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
635		[Define if X11 doesn't support AF_UNIX sockets on that system])
636	AC_DEFINE([DISABLE_FD_PASSING], [1],
637		[Define if your platform needs to skip post auth
638		file descriptor passing])
639	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
640	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
641	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
642	# reasons which cause compile warnings, so we disable those warnings.
643	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
644	;;
645*-*-dgux*)
646	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
647		[Define if your system choked on IP TOS setting])
648	AC_DEFINE([SETEUID_BREAKS_SETUID])
649	AC_DEFINE([BROKEN_SETREUID])
650	AC_DEFINE([BROKEN_SETREGID])
651	;;
652*-*-darwin*)
653	use_pie=auto
654	AC_MSG_CHECKING([if we have working getaddrinfo])
655	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
656main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
657		exit(0);
658	else
659		exit(1);
660}
661			]])],
662	[AC_MSG_RESULT([working])],
663	[AC_MSG_RESULT([buggy])
664	AC_DEFINE([BROKEN_GETADDRINFO], [1],
665		[getaddrinfo is broken (if present)])
666	],
667	[AC_MSG_RESULT([assume it is working])])
668	AC_DEFINE([SETEUID_BREAKS_SETUID])
669	AC_DEFINE([BROKEN_SETREUID])
670	AC_DEFINE([BROKEN_SETREGID])
671	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
672	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
673		[Define if your resolver libs need this for getrrsetbyname])
674	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
675	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
676	    [Use tunnel device compatibility to OpenBSD])
677	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
678	    [Prepend the address family to IP tunnel traffic])
679	m4_pattern_allow([AU_IPv])
680	AC_CHECK_DECL([AU_IPv4], [],
681	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
682	    [#include <bsm/audit.h>]
683	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
684	    [Define if pututxline updates lastlog too])
685	)
686	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
687		[Define to a Set Process Title type if your system is
688		supported by bsd-setproctitle.c])
689	AC_CHECK_FUNCS([sandbox_init])
690	AC_CHECK_HEADERS([sandbox.h])
691	AC_CHECK_LIB([sandbox], [sandbox_apply], [
692	    SSHDLIBS="$SSHDLIBS -lsandbox"
693	])
694	# proc_pidinfo()-based closefrom() replacement.
695	AC_CHECK_HEADERS([libproc.h])
696	AC_CHECK_FUNCS([proc_pidinfo])
697	;;
698*-*-dragonfly*)
699	SSHDLIBS="$SSHDLIBS -lcrypt"
700	TEST_MALLOC_OPTIONS="AFGJPRX"
701	;;
702*-*-haiku*)
703	LIBS="$LIBS -lbsd "
704	CFLAGS="$CFLAGS -D_BSD_SOURCE"
705	AC_CHECK_LIB([network], [socket])
706	AC_DEFINE([HAVE_U_INT64_T])
707	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
708	MANTYPE=man
709	;;
710*-*-hpux*)
711	# first we define all of the options common to all HP-UX releases
712	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
713	IPADDR_IN_DISPLAY=yes
714	AC_DEFINE([USE_PIPES])
715	AC_DEFINE([LOGIN_NEEDS_UTMPX])
716	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
717		[String used in /etc/passwd to denote locked account])
718	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
719	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
720	maildir="/var/mail"
721	LIBS="$LIBS -lsec"
722	AC_CHECK_LIB([xnet], [t_error], ,
723	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
724
725	# next, we define all of the options specific to major releases
726	case "$host" in
727	*-*-hpux10*)
728		if test -z "$GCC"; then
729			CFLAGS="$CFLAGS -Ae"
730		fi
731		;;
732	*-*-hpux11*)
733		AC_DEFINE([PAM_SUN_CODEBASE], [1],
734			[Define if you are using Solaris-derived PAM which
735			passes pam_messages to the conversation function
736			with an extra level of indirection])
737		AC_DEFINE([DISABLE_UTMP], [1],
738			[Define if you don't want to use utmp])
739		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
740		check_for_hpux_broken_getaddrinfo=1
741		check_for_conflicting_getspnam=1
742		;;
743	esac
744
745	# lastly, we define options specific to minor releases
746	case "$host" in
747	*-*-hpux10.26)
748		AC_DEFINE([HAVE_SECUREWARE], [1],
749			[Define if you have SecureWare-based
750			protected password database])
751		disable_ptmx_check=yes
752		LIBS="$LIBS -lsecpw"
753		;;
754	esac
755	;;
756*-*-irix5*)
757	PATH="$PATH:/usr/etc"
758	AC_DEFINE([BROKEN_INET_NTOA], [1],
759		[Define if you system's inet_ntoa is busted
760		(e.g. Irix gcc issue)])
761	AC_DEFINE([SETEUID_BREAKS_SETUID])
762	AC_DEFINE([BROKEN_SETREUID])
763	AC_DEFINE([BROKEN_SETREGID])
764	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
765		[Define if you shouldn't strip 'tty' from your
766		ttyname in [uw]tmp])
767	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
768	;;
769*-*-irix6*)
770	PATH="$PATH:/usr/etc"
771	AC_DEFINE([WITH_IRIX_ARRAY], [1],
772		[Define if you have/want arrays
773		(cluster-wide session management, not C arrays)])
774	AC_DEFINE([WITH_IRIX_PROJECT], [1],
775		[Define if you want IRIX project management])
776	AC_DEFINE([WITH_IRIX_AUDIT], [1],
777		[Define if you want IRIX audit trails])
778	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
779		[Define if you want IRIX kernel jobs])])
780	AC_DEFINE([BROKEN_INET_NTOA])
781	AC_DEFINE([SETEUID_BREAKS_SETUID])
782	AC_DEFINE([BROKEN_SETREUID])
783	AC_DEFINE([BROKEN_SETREGID])
784	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
785	AC_DEFINE([WITH_ABBREV_NO_TTY])
786	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
787	;;
788*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
789	check_for_libcrypt_later=1
790	AC_DEFINE([PAM_TTY_KLUDGE])
791	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
792	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
793	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
794	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
795	;;
796*-*-linux*)
797	no_dev_ptmx=1
798	use_pie=auto
799	check_for_libcrypt_later=1
800	check_for_openpty_ctty_bug=1
801	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
802	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
803	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
804	AC_DEFINE([PAM_TTY_KLUDGE], [1],
805		[Work around problematic Linux PAM modules handling of PAM_TTY])
806	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
807		[String used in /etc/passwd to denote locked account])
808	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
809	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
810		[Define to whatever link() returns for "not supported"
811		if it doesn't return EOPNOTSUPP.])
812	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
813	AC_DEFINE([USE_BTMP])
814	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
815	inet6_default_4in6=yes
816	case `uname -r` in
817	1.*|2.0.*)
818		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
819			[Define if cmsg_type is not passed correctly])
820		;;
821	esac
822	# tun(4) forwarding compat code
823	AC_CHECK_HEADERS([linux/if_tun.h])
824	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
825		AC_DEFINE([SSH_TUN_LINUX], [1],
826		    [Open tunnel devices the Linux tun/tap way])
827		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
828		    [Use tunnel device compatibility to OpenBSD])
829		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
830		    [Prepend the address family to IP tunnel traffic])
831	fi
832	AC_CHECK_HEADER([linux/if.h],
833	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
834		[Support routing domains using Linux VRF]), [], [
835#ifdef HAVE_SYS_TYPES_H
836# include <sys/types.h>
837#endif
838	    ])
839	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
840	    [], [#include <linux/types.h>])
841	# Obtain MIPS ABI
842	case "$host" in
843	mips*)
844		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
845#if _MIPS_SIM != _ABIO32
846#error
847#endif
848			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
849#if _MIPS_SIM != _ABIN32
850#error
851#endif
852				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
853#if _MIPS_SIM != _ABI64
854#error
855#endif
856					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
857				])
858			])
859		])
860		;;
861	esac
862	AC_MSG_CHECKING([for seccomp architecture])
863	seccomp_audit_arch=
864	case "$host" in
865	x86_64-*)
866		seccomp_audit_arch=AUDIT_ARCH_X86_64
867		# X32: AMD64 instructions in 32bit address space.
868		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
869			seccomp_audit_arch=AUDIT_ARCH_I386
870		fi
871		;;
872	i*86-*)
873		seccomp_audit_arch=AUDIT_ARCH_I386
874		;;
875	arm*-*)
876		seccomp_audit_arch=AUDIT_ARCH_ARM
877		;;
878	aarch64*-*)
879		seccomp_audit_arch=AUDIT_ARCH_AARCH64
880		;;
881	s390x-*)
882		seccomp_audit_arch=AUDIT_ARCH_S390X
883		;;
884	s390-*)
885		seccomp_audit_arch=AUDIT_ARCH_S390
886		;;
887	powerpc64-*)
888		seccomp_audit_arch=AUDIT_ARCH_PPC64
889		;;
890	powerpc64le-*)
891		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
892		;;
893	mips-*)
894		seccomp_audit_arch=AUDIT_ARCH_MIPS
895		;;
896	mipsel-*)
897		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
898		;;
899	mips64-*)
900		case "$mips_abi" in
901		"n32")
902			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
903			;;
904		"n64")
905			seccomp_audit_arch=AUDIT_ARCH_MIPS64
906			;;
907		esac
908		;;
909	mips64el-*)
910		case "$mips_abi" in
911		"n32")
912			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
913			;;
914		"n64")
915			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
916			;;
917		esac
918		;;
919	riscv64-*)
920		seccomp_audit_arch=AUDIT_ARCH_RISCV64
921		;;
922	esac
923	if test "x$seccomp_audit_arch" != "x" ; then
924		AC_MSG_RESULT(["$seccomp_audit_arch"])
925		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
926		    [Specify the system call convention in use])
927	else
928		AC_MSG_RESULT([architecture not supported])
929	fi
930	;;
931mips-sony-bsd|mips-sony-newsos4)
932	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
933	SONY=1
934	;;
935*-*-netbsd*)
936	check_for_libcrypt_before=1
937	if test "x$withval" != "xno" ; then
938		rpath_opt="-R"
939	fi
940	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
941	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
942	AC_CHECK_HEADER([net/if_tap.h], ,
943	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
944	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
945	    [Prepend the address family to IP tunnel traffic])
946	TEST_MALLOC_OPTIONS="AJRX"
947	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
948	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
949	;;
950*-*-freebsd*)
951	check_for_libcrypt_later=1
952	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
953	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
954	AC_CHECK_HEADER([net/if_tap.h], ,
955	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
956	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
957	TEST_MALLOC_OPTIONS="AJRX"
958	# Preauth crypto occasionally uses file descriptors for crypto offload
959	# and will crash if they cannot be opened.
960	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
961	    [define if setrlimit RLIMIT_NOFILE breaks things])
962	;;
963*-*-bsdi*)
964	AC_DEFINE([SETEUID_BREAKS_SETUID])
965	AC_DEFINE([BROKEN_SETREUID])
966	AC_DEFINE([BROKEN_SETREGID])
967	;;
968*-next-*)
969	conf_lastlog_location="/usr/adm/lastlog"
970	conf_utmp_location=/etc/utmp
971	conf_wtmp_location=/usr/adm/wtmp
972	maildir=/usr/spool/mail
973	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
974	AC_DEFINE([USE_PIPES])
975	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
976	;;
977*-*-openbsd*)
978	use_pie=auto
979	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
980	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
981	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
982	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
983	    [syslog_r function is safe to use in in a signal handler])
984	TEST_MALLOC_OPTIONS="AFGJPRX"
985	;;
986*-*-solaris*)
987	if test "x$withval" != "xno" ; then
988		rpath_opt="-R"
989	fi
990	AC_DEFINE([PAM_SUN_CODEBASE])
991	AC_DEFINE([LOGIN_NEEDS_UTMPX])
992	AC_DEFINE([PAM_TTY_KLUDGE])
993	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
994		[Define if pam_chauthtok wants real uid set
995		to the unpriv'ed user])
996	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
997	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
998	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
999		[Define if sshd somehow reacquires a controlling TTY
1000		after setsid()])
1001	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1002		in case the name is longer than 8 chars])
1003	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1004	external_path_file=/etc/default/login
1005	# hardwire lastlog location (can't detect it on some versions)
1006	conf_lastlog_location="/var/adm/lastlog"
1007	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1008	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1009	if test "$sol2ver" -ge 8; then
1010		AC_MSG_RESULT([yes])
1011		AC_DEFINE([DISABLE_UTMP])
1012		AC_DEFINE([DISABLE_WTMP], [1],
1013			[Define if you don't want to use wtmp])
1014	else
1015		AC_MSG_RESULT([no])
1016	fi
1017	AC_CHECK_FUNCS([setpflags])
1018	AC_CHECK_FUNCS([setppriv])
1019	AC_CHECK_FUNCS([priv_basicset])
1020	AC_CHECK_HEADERS([priv.h])
1021	AC_ARG_WITH([solaris-contracts],
1022		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1023		[
1024		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1025			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1026				[Define if you have Solaris process contracts])
1027			  LIBS="$LIBS -lcontract"
1028			  SPC_MSG="yes" ], )
1029		],
1030	)
1031	AC_ARG_WITH([solaris-projects],
1032		[  --with-solaris-projects Enable Solaris projects (experimental)],
1033		[
1034		AC_CHECK_LIB([project], [setproject],
1035			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1036				[Define if you have Solaris projects])
1037			LIBS="$LIBS -lproject"
1038			SP_MSG="yes" ], )
1039		],
1040	)
1041	AC_ARG_WITH([solaris-privs],
1042		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1043		[
1044		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1045		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1046			"x$ac_cv_header_priv_h" = "xyes" ; then
1047			SOLARIS_PRIVS=yes
1048			AC_MSG_RESULT([found])
1049			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1050				[Define to disable UID restoration test])
1051			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1052				[Define if you have Solaris privileges])
1053			SPP_MSG="yes"
1054		else
1055			AC_MSG_RESULT([not found])
1056			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1057		fi
1058		],
1059	)
1060	TEST_SHELL=$SHELL	# let configure find us a capable shell
1061	;;
1062*-*-sunos4*)
1063	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1064	AC_CHECK_FUNCS([getpwanam])
1065	AC_DEFINE([PAM_SUN_CODEBASE])
1066	conf_utmp_location=/etc/utmp
1067	conf_wtmp_location=/var/adm/wtmp
1068	conf_lastlog_location=/var/adm/lastlog
1069	AC_DEFINE([USE_PIPES])
1070	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1071	;;
1072*-ncr-sysv*)
1073	LIBS="$LIBS -lc89"
1074	AC_DEFINE([USE_PIPES])
1075	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1076	AC_DEFINE([SETEUID_BREAKS_SETUID])
1077	AC_DEFINE([BROKEN_SETREUID])
1078	AC_DEFINE([BROKEN_SETREGID])
1079	;;
1080*-sni-sysv*)
1081	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1082	AC_CHECK_LIB([dl], [dlsym], ,)
1083	# -lresolv needs to be at the end of LIBS or DNS lookups break
1084	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1085	IPADDR_IN_DISPLAY=yes
1086	AC_DEFINE([USE_PIPES])
1087	AC_DEFINE([IP_TOS_IS_BROKEN])
1088	AC_DEFINE([SETEUID_BREAKS_SETUID])
1089	AC_DEFINE([BROKEN_SETREUID])
1090	AC_DEFINE([BROKEN_SETREGID])
1091	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1092	external_path_file=/etc/default/login
1093	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1094	# Attention: always take care to bind libsocket and libnsl before libc,
1095	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1096	;;
1097# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1098*-*-sysv4.2*)
1099	AC_DEFINE([USE_PIPES])
1100	AC_DEFINE([SETEUID_BREAKS_SETUID])
1101	AC_DEFINE([BROKEN_SETREUID])
1102	AC_DEFINE([BROKEN_SETREGID])
1103	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1104	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1105	TEST_SHELL=$SHELL	# let configure find us a capable shell
1106	;;
1107# UnixWare 7.x, OpenUNIX 8
1108*-*-sysv5*)
1109	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1110	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1111	AC_DEFINE([USE_PIPES])
1112	AC_DEFINE([SETEUID_BREAKS_SETUID])
1113	AC_DEFINE([BROKEN_GETADDRINFO])
1114	AC_DEFINE([BROKEN_SETREUID])
1115	AC_DEFINE([BROKEN_SETREGID])
1116	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1117	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1118	TEST_SHELL=$SHELL	# let configure find us a capable shell
1119	check_for_libcrypt_later=1
1120	case "$host" in
1121	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1122		maildir=/var/spool/mail
1123		AC_DEFINE([BROKEN_UPDWTMPX])
1124		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1125			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1126			], , )
1127		;;
1128	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1129		;;
1130	esac
1131	;;
1132*-*-sysv*)
1133	;;
1134# SCO UNIX and OEM versions of SCO UNIX
1135*-*-sco3.2v4*)
1136	AC_MSG_ERROR("This Platform is no longer supported.")
1137	;;
1138# SCO OpenServer 5.x
1139*-*-sco3.2v5*)
1140	if test -z "$GCC"; then
1141		CFLAGS="$CFLAGS -belf"
1142	fi
1143	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1144	no_dev_ptmx=1
1145	AC_DEFINE([USE_PIPES])
1146	AC_DEFINE([HAVE_SECUREWARE])
1147	AC_DEFINE([DISABLE_SHADOW])
1148	AC_DEFINE([DISABLE_FD_PASSING])
1149	AC_DEFINE([SETEUID_BREAKS_SETUID])
1150	AC_DEFINE([BROKEN_GETADDRINFO])
1151	AC_DEFINE([BROKEN_SETREUID])
1152	AC_DEFINE([BROKEN_SETREGID])
1153	AC_DEFINE([WITH_ABBREV_NO_TTY])
1154	AC_DEFINE([BROKEN_UPDWTMPX])
1155	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1156	AC_CHECK_FUNCS([getluid setluid])
1157	MANTYPE=man
1158	TEST_SHELL=$SHELL	# let configure find us a capable shell
1159	SKIP_DISABLE_LASTLOG_DEFINE=yes
1160	;;
1161*-dec-osf*)
1162	AC_MSG_CHECKING([for Digital Unix SIA])
1163	no_osfsia=""
1164	AC_ARG_WITH([osfsia],
1165		[  --with-osfsia           Enable Digital Unix SIA],
1166		[
1167			if test "x$withval" = "xno" ; then
1168				AC_MSG_RESULT([disabled])
1169				no_osfsia=1
1170			fi
1171		],
1172	)
1173	if test -z "$no_osfsia" ; then
1174		if test -f /etc/sia/matrix.conf; then
1175			AC_MSG_RESULT([yes])
1176			AC_DEFINE([HAVE_OSF_SIA], [1],
1177				[Define if you have Digital Unix Security
1178				Integration Architecture])
1179			AC_DEFINE([DISABLE_LOGIN], [1],
1180				[Define if you don't want to use your
1181				system's login() call])
1182			AC_DEFINE([DISABLE_FD_PASSING])
1183			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1184			SIA_MSG="yes"
1185		else
1186			AC_MSG_RESULT([no])
1187			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1188			  [String used in /etc/passwd to denote locked account])
1189		fi
1190	fi
1191	AC_DEFINE([BROKEN_GETADDRINFO])
1192	AC_DEFINE([SETEUID_BREAKS_SETUID])
1193	AC_DEFINE([BROKEN_SETREUID])
1194	AC_DEFINE([BROKEN_SETREGID])
1195	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1196	;;
1197
1198*-*-nto-qnx*)
1199	AC_DEFINE([USE_PIPES])
1200	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1201	AC_DEFINE([DISABLE_LASTLOG])
1202	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1203	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1204	enable_etc_default_login=no	# has incompatible /etc/default/login
1205	case "$host" in
1206	*-*-nto-qnx6*)
1207		AC_DEFINE([DISABLE_FD_PASSING])
1208		;;
1209	esac
1210	;;
1211
1212*-*-ultrix*)
1213	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1214	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1215	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1216	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1217	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1218	# don't get a controlling tty.
1219	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1220	# On Ultrix some headers are not protected against multiple includes,
1221	# so we create wrappers and put it where the compiler will find it.
1222	AC_MSG_WARN([creating compat wrappers for headers])
1223	mkdir -p netinet
1224	for header in netinet/ip.h netdb.h resolv.h; do
1225		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1226		cat >$header <<EOD
1227#ifndef _SSH_COMPAT_${name}
1228#define _SSH_COMPAT_${name}
1229#include "/usr/include/${header}"
1230#endif
1231EOD
1232	done
1233	;;
1234
1235*-*-lynxos)
1236	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1237	AC_DEFINE([BROKEN_SETVBUF], [1],
1238	    [LynxOS has broken setvbuf() implementation])
1239	;;
1240esac
1241
1242AC_MSG_CHECKING([compiler and flags for sanity])
1243AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1244	[	AC_MSG_RESULT([yes]) ],
1245	[
1246		AC_MSG_RESULT([no])
1247		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1248	],
1249	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1250)
1251
1252dnl Checks for header files.
1253# Checks for libraries.
1254AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1255
1256dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1257AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1258	AC_CHECK_LIB([gen], [dirname], [
1259		AC_CACHE_CHECK([for broken dirname],
1260			ac_cv_have_broken_dirname, [
1261			save_LIBS="$LIBS"
1262			LIBS="$LIBS -lgen"
1263			AC_RUN_IFELSE(
1264				[AC_LANG_SOURCE([[
1265#include <libgen.h>
1266#include <string.h>
1267
1268int main(int argc, char **argv) {
1269    char *s, buf[32];
1270
1271    strncpy(buf,"/etc", 32);
1272    s = dirname(buf);
1273    if (!s || strncmp(s, "/", 32) != 0) {
1274	exit(1);
1275    } else {
1276	exit(0);
1277    }
1278}
1279				]])],
1280				[ ac_cv_have_broken_dirname="no" ],
1281				[ ac_cv_have_broken_dirname="yes" ],
1282				[ ac_cv_have_broken_dirname="no" ],
1283			)
1284			LIBS="$save_LIBS"
1285		])
1286		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1287			LIBS="$LIBS -lgen"
1288			AC_DEFINE([HAVE_DIRNAME])
1289			AC_CHECK_HEADERS([libgen.h])
1290		fi
1291	])
1292])
1293
1294AC_CHECK_FUNC([getspnam], ,
1295	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1296AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1297	[Define if you have the basename function.])])
1298
1299dnl zlib defaults to enabled
1300zlib=yes
1301AC_ARG_WITH([zlib],
1302	[  --with-zlib=PATH        Use zlib in PATH],
1303	[ if test "x$withval" = "xno" ; then
1304		zlib=no
1305	  elif test "x$withval" != "xyes"; then
1306		if test -d "$withval/lib"; then
1307			if test -n "${rpath_opt}"; then
1308				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1309			else
1310				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1311			fi
1312		else
1313			if test -n "${rpath_opt}"; then
1314				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1315			else
1316				LDFLAGS="-L${withval} ${LDFLAGS}"
1317			fi
1318		fi
1319		if test -d "$withval/include"; then
1320			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1321		else
1322			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1323		fi
1324	fi ]
1325)
1326
1327AC_MSG_CHECKING([for zlib])
1328if test "x${zlib}" = "xno"; then
1329	AC_MSG_RESULT([no])
1330else
1331	AC_MSG_RESULT([yes])
1332	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1333    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1334    AC_CHECK_LIB([z], [deflate], ,
1335	[
1336		saved_CPPFLAGS="$CPPFLAGS"
1337		saved_LDFLAGS="$LDFLAGS"
1338		save_LIBS="$LIBS"
1339		dnl Check default zlib install dir
1340		if test -n "${rpath_opt}"; then
1341			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1342		else
1343			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1344		fi
1345		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1346		LIBS="$LIBS -lz"
1347		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1348			[
1349				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1350			]
1351		)
1352	]
1353    )
1354
1355    AC_ARG_WITH([zlib-version-check],
1356	[  --without-zlib-version-check Disable zlib version check],
1357	[  if test "x$withval" = "xno" ; then
1358		zlib_check_nonfatal=1
1359	   fi
1360	]
1361    )
1362
1363    AC_MSG_CHECKING([for possibly buggy zlib])
1364    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1365#include <stdio.h>
1366#include <stdlib.h>
1367#include <zlib.h>
1368	]],
1369	[[
1370	int a=0, b=0, c=0, d=0, n, v;
1371	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1372	if (n != 3 && n != 4)
1373		exit(1);
1374	v = a*1000000 + b*10000 + c*100 + d;
1375	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1376
1377	/* 1.1.4 is OK */
1378	if (a == 1 && b == 1 && c >= 4)
1379		exit(0);
1380
1381	/* 1.2.3 and up are OK */
1382	if (v >= 1020300)
1383		exit(0);
1384
1385	exit(2);
1386	]])],
1387	AC_MSG_RESULT([no]),
1388	[ AC_MSG_RESULT([yes])
1389	  if test -z "$zlib_check_nonfatal" ; then
1390		AC_MSG_ERROR([*** zlib too old - check config.log ***
1391Your reported zlib version has known security problems.  It's possible your
1392vendor has fixed these problems without changing the version number.  If you
1393are sure this is the case, you can disable the check by running
1394"./configure --without-zlib-version-check".
1395If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1396See http://www.gzip.org/zlib/ for details.])
1397	  else
1398		AC_MSG_WARN([zlib version may have security problems])
1399	  fi
1400	],
1401	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1402    )
1403fi
1404
1405dnl UnixWare 2.x
1406AC_CHECK_FUNC([strcasecmp],
1407	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1408)
1409AC_CHECK_FUNCS([utimes],
1410	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1411					LIBS="$LIBS -lc89"]) ]
1412)
1413
1414dnl    Checks for libutil functions
1415AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1416AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1417AC_SEARCH_LIBS([scan_scaled], [util bsd])
1418AC_SEARCH_LIBS([login], [util bsd])
1419AC_SEARCH_LIBS([logout], [util bsd])
1420AC_SEARCH_LIBS([logwtmp], [util bsd])
1421AC_SEARCH_LIBS([openpty], [util bsd])
1422AC_SEARCH_LIBS([updwtmp], [util bsd])
1423AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1424
1425# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1426# or libnsl.
1427AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1428AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1429
1430# "Particular Function Checks"
1431# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1432AC_FUNC_STRFTIME
1433AC_FUNC_MALLOC
1434AC_FUNC_REALLOC
1435# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1436AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1437AC_RUN_IFELSE(
1438	[AC_LANG_PROGRAM(
1439		[[ #include <stdlib.h> ]],
1440		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1441	)],
1442	[ func_calloc_0_nonnull=yes ],
1443	[ func_calloc_0_nonnull=no ],
1444	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1445	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1446)
1447AC_MSG_RESULT([$func_calloc_0_nonnull])
1448
1449if test "x$func_calloc_0_nonnull" = "xyes"; then
1450	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1451else
1452	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1453	AC_DEFINE(calloc, rpl_calloc,
1454	    [Define to rpl_calloc if the replacement function should be used.])
1455fi
1456
1457# Check for ALTDIRFUNC glob() extension
1458AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1459AC_EGREP_CPP([FOUNDIT],
1460	[
1461		#include <glob.h>
1462		#ifdef GLOB_ALTDIRFUNC
1463		FOUNDIT
1464		#endif
1465	],
1466	[
1467		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1468			[Define if your system glob() function has
1469			the GLOB_ALTDIRFUNC extension])
1470		AC_MSG_RESULT([yes])
1471	],
1472	[
1473		AC_MSG_RESULT([no])
1474	]
1475)
1476
1477# Check for g.gl_matchc glob() extension
1478AC_MSG_CHECKING([for gl_matchc field in glob_t])
1479AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1480	[[ glob_t g; g.gl_matchc = 1; ]])],
1481	[
1482		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1483			[Define if your system glob() function has
1484			gl_matchc options in glob_t])
1485		AC_MSG_RESULT([yes])
1486	], [
1487		AC_MSG_RESULT([no])
1488])
1489
1490# Check for g.gl_statv glob() extension
1491AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1492AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1493#ifndef GLOB_KEEPSTAT
1494#error "glob does not support GLOB_KEEPSTAT extension"
1495#endif
1496glob_t g;
1497g.gl_statv = NULL;
1498]])],
1499	[
1500		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1501			[Define if your system glob() function has
1502			gl_statv options in glob_t])
1503		AC_MSG_RESULT([yes])
1504	], [
1505		AC_MSG_RESULT([no])
1506
1507])
1508
1509AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1510
1511AC_CHECK_DECL([VIS_ALL], ,
1512    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1513
1514AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1515AC_RUN_IFELSE(
1516	[AC_LANG_PROGRAM([[
1517#include <sys/types.h>
1518#include <dirent.h>]],
1519	[[
1520	struct dirent d;
1521	exit(sizeof(d.d_name)<=sizeof(char));
1522	]])],
1523	[AC_MSG_RESULT([yes])],
1524	[
1525		AC_MSG_RESULT([no])
1526		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1527			[Define if your struct dirent expects you to
1528			allocate extra space for d_name])
1529	],
1530	[
1531		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1532		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1533	]
1534)
1535
1536AC_MSG_CHECKING([for /proc/pid/fd directory])
1537if test -d "/proc/$$/fd" ; then
1538	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1539	AC_MSG_RESULT([yes])
1540else
1541	AC_MSG_RESULT([no])
1542fi
1543
1544# Check whether user wants to use ldns
1545LDNS_MSG="no"
1546AC_ARG_WITH(ldns,
1547	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1548	[
1549	ldns=""
1550	if test "x$withval" = "xyes" ; then
1551		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1552		if test "x$LDNSCONFIG" = "xno"; then
1553			LIBS="-lldns $LIBS"
1554			ldns=yes
1555		else
1556			LIBS="$LIBS `$LDNSCONFIG --libs`"
1557			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1558			ldns=yes
1559		fi
1560	elif test "x$withval" != "xno" ; then
1561			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1562			LDFLAGS="$LDFLAGS -L${withval}/lib"
1563			LIBS="-lldns $LIBS"
1564			ldns=yes
1565	fi
1566
1567	# Verify that it works.
1568	if test "x$ldns" = "xyes" ; then
1569		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1570		LDNS_MSG="yes"
1571		AC_MSG_CHECKING([for ldns support])
1572		AC_LINK_IFELSE(
1573			[AC_LANG_SOURCE([[
1574#include <stdio.h>
1575#include <stdlib.h>
1576#ifdef HAVE_STDINT_H
1577# include <stdint.h>
1578#endif
1579#include <ldns/ldns.h>
1580int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1581			]])
1582		],
1583			[AC_MSG_RESULT(yes)],
1584				[
1585					AC_MSG_RESULT(no)
1586					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1587				])
1588	fi
1589])
1590
1591# Check whether user wants libedit support
1592LIBEDIT_MSG="no"
1593AC_ARG_WITH([libedit],
1594	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1595	[ if test "x$withval" != "xno" ; then
1596		if test "x$withval" = "xyes" ; then
1597			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1598			if test "x$PKGCONFIG" != "xno"; then
1599				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1600				if "$PKGCONFIG" libedit; then
1601					AC_MSG_RESULT([yes])
1602					use_pkgconfig_for_libedit=yes
1603				else
1604					AC_MSG_RESULT([no])
1605				fi
1606			fi
1607		else
1608			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1609			if test -n "${rpath_opt}"; then
1610				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1611			else
1612				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1613			fi
1614		fi
1615		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1616			LIBEDIT=`$PKGCONFIG --libs libedit`
1617			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1618		else
1619			LIBEDIT="-ledit -lcurses"
1620		fi
1621		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1622		AC_CHECK_LIB([edit], [el_init],
1623			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1624			  LIBEDIT_MSG="yes"
1625			  AC_SUBST([LIBEDIT])
1626			],
1627			[ AC_MSG_ERROR([libedit not found]) ],
1628			[ $OTHERLIBS ]
1629		)
1630		AC_MSG_CHECKING([if libedit version is compatible])
1631		AC_COMPILE_IFELSE(
1632		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1633		    [[
1634	int i = H_SETSIZE;
1635	el_init("", NULL, NULL, NULL);
1636	exit(0);
1637		    ]])],
1638		    [ AC_MSG_RESULT([yes]) ],
1639		    [ AC_MSG_RESULT([no])
1640		      AC_MSG_ERROR([libedit version is not compatible]) ]
1641		)
1642	fi ]
1643)
1644
1645AUDIT_MODULE=none
1646AC_ARG_WITH([audit],
1647	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1648	[
1649	  AC_MSG_CHECKING([for supported audit module])
1650	  case "$withval" in
1651	  bsm)
1652		AC_MSG_RESULT([bsm])
1653		AUDIT_MODULE=bsm
1654		dnl    Checks for headers, libs and functions
1655		AC_CHECK_HEADERS([bsm/audit.h], [],
1656		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1657		    [
1658#ifdef HAVE_TIME_H
1659# include <time.h>
1660#endif
1661		    ]
1662)
1663		AC_CHECK_LIB([bsm], [getaudit], [],
1664		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1665		AC_CHECK_FUNCS([getaudit], [],
1666		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1667		# These are optional
1668		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1669		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1670		if test "$sol2ver" -ge 11; then
1671			SSHDLIBS="$SSHDLIBS -lscf"
1672			AC_DEFINE([BROKEN_BSM_API], [1],
1673				[The system has incomplete BSM API])
1674		fi
1675		;;
1676	  linux)
1677		AC_MSG_RESULT([linux])
1678		AUDIT_MODULE=linux
1679		dnl    Checks for headers, libs and functions
1680		AC_CHECK_HEADERS([libaudit.h])
1681		SSHDLIBS="$SSHDLIBS -laudit"
1682		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1683		;;
1684	  debug)
1685		AUDIT_MODULE=debug
1686		AC_MSG_RESULT([debug])
1687		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1688		;;
1689	  no)
1690		AC_MSG_RESULT([no])
1691		;;
1692	  *)
1693		AC_MSG_ERROR([Unknown audit module $withval])
1694		;;
1695	esac ]
1696)
1697
1698AC_ARG_WITH([pie],
1699    [  --with-pie              Build Position Independent Executables if possible], [
1700	if test "x$withval" = "xno"; then
1701		use_pie=no
1702	fi
1703	if test "x$withval" = "xyes"; then
1704		use_pie=yes
1705	fi
1706    ]
1707)
1708if test "x$use_pie" = "x"; then
1709	use_pie=no
1710fi
1711if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1712	# Turn off automatic PIE when toolchain hardening is off.
1713	use_pie=no
1714fi
1715if test "x$use_pie" = "xauto"; then
1716	# Automatic PIE requires gcc >= 4.x
1717	AC_MSG_CHECKING([for gcc >= 4.x])
1718	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1719#if !defined(__GNUC__) || __GNUC__ < 4
1720#error gcc is too old
1721#endif
1722]])],
1723	[ AC_MSG_RESULT([yes]) ],
1724	[ AC_MSG_RESULT([no])
1725	  use_pie=no ]
1726)
1727fi
1728if test "x$use_pie" != "xno"; then
1729	SAVED_CFLAGS="$CFLAGS"
1730	SAVED_LDFLAGS="$LDFLAGS"
1731	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1732	OSSH_CHECK_LDFLAG_LINK([-pie])
1733	# We use both -fPIE and -pie or neither.
1734	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1735	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1736	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1737		AC_MSG_RESULT([yes])
1738	else
1739		AC_MSG_RESULT([no])
1740		CFLAGS="$SAVED_CFLAGS"
1741		LDFLAGS="$SAVED_LDFLAGS"
1742	fi
1743fi
1744
1745AC_MSG_CHECKING([whether -fPIC is accepted])
1746SAVED_CFLAGS="$CFLAGS"
1747CFLAGS="$CFLAGS -fPIC"
1748AC_COMPILE_IFELSE(
1749	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1750   [AC_MSG_RESULT([yes])
1751    PICFLAG="-fPIC"; ],
1752   [AC_MSG_RESULT([no])
1753    PICFLAG=""; ])
1754CFLAGS="$SAVED_CFLAGS"
1755AC_SUBST([PICFLAG])
1756
1757dnl    Checks for library functions. Please keep in alphabetical order
1758AC_CHECK_FUNCS([ \
1759	Blowfish_initstate \
1760	Blowfish_expandstate \
1761	Blowfish_expand0state \
1762	Blowfish_stream2word \
1763	SHA256Update \
1764	SHA384Update \
1765	SHA512Update \
1766	asprintf \
1767	b64_ntop \
1768	__b64_ntop \
1769	b64_pton \
1770	__b64_pton \
1771	bcopy \
1772	bcrypt_pbkdf \
1773	bindresvport_sa \
1774	blf_enc \
1775	bzero \
1776	cap_rights_limit \
1777	clock \
1778	closefrom \
1779	dirfd \
1780	endgrent \
1781	err \
1782	errx \
1783	explicit_bzero \
1784	fchmod \
1785	fchmodat \
1786	fchown \
1787	fchownat \
1788	flock \
1789	fnmatch \
1790	freeaddrinfo \
1791	freezero \
1792	fstatfs \
1793	fstatvfs \
1794	futimes \
1795	getaddrinfo \
1796	getcwd \
1797	getgrouplist \
1798	getline \
1799	getnameinfo \
1800	getopt \
1801	getpagesize \
1802	getpeereid \
1803	getpeerucred \
1804	getpgid \
1805	_getpty \
1806	getrlimit \
1807	getrandom \
1808	getsid \
1809	getttyent \
1810	glob \
1811	group_from_gid \
1812	inet_aton \
1813	inet_ntoa \
1814	inet_ntop \
1815	innetgr \
1816	llabs \
1817	localtime_r \
1818	login_getcapbool \
1819	md5_crypt \
1820	memmem \
1821	memmove \
1822	memset_s \
1823	mkdtemp \
1824	ngetaddrinfo \
1825	nsleep \
1826	ogetaddrinfo \
1827	openlog_r \
1828	pledge \
1829	poll \
1830	prctl \
1831	pstat \
1832	raise \
1833	readpassphrase \
1834	reallocarray \
1835	realpath \
1836	recvmsg \
1837	recallocarray \
1838	rresvport_af \
1839	sendmsg \
1840	setdtablesize \
1841	setegid \
1842	setenv \
1843	seteuid \
1844	setgroupent \
1845	setgroups \
1846	setlinebuf \
1847	setlogin \
1848	setpassent\
1849	setpcred \
1850	setproctitle \
1851	setregid \
1852	setreuid \
1853	setrlimit \
1854	setsid \
1855	setvbuf \
1856	sigaction \
1857	sigvec \
1858	snprintf \
1859	socketpair \
1860	statfs \
1861	statvfs \
1862	strcasestr \
1863	strdup \
1864	strerror \
1865	strlcat \
1866	strlcpy \
1867	strmode \
1868	strndup \
1869	strnlen \
1870	strnvis \
1871	strptime \
1872	strsignal \
1873	strtonum \
1874	strtoll \
1875	strtoul \
1876	strtoull \
1877	swap32 \
1878	sysconf \
1879	tcgetpgrp \
1880	timingsafe_bcmp \
1881	truncate \
1882	unsetenv \
1883	updwtmpx \
1884	utimensat \
1885	user_from_uid \
1886	usleep \
1887	vasprintf \
1888	vsnprintf \
1889	waitpid \
1890	warn \
1891])
1892
1893AC_CHECK_DECLS([bzero, memmem])
1894
1895dnl Wide character support.
1896AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1897
1898TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1899AC_MSG_CHECKING([for utf8 locale support])
1900AC_RUN_IFELSE(
1901	[AC_LANG_PROGRAM([[
1902#include <locale.h>
1903#include <stdlib.h>
1904	]], [[
1905	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1906	if (loc != NULL)
1907		exit(0);
1908	exit(1);
1909	]])],
1910	AC_MSG_RESULT(yes),
1911	[AC_MSG_RESULT(no)
1912	 TEST_SSH_UTF8=no],
1913	AC_MSG_WARN([cross compiling: assuming yes])
1914)
1915
1916AC_LINK_IFELSE(
1917        [AC_LANG_PROGRAM(
1918           [[ #include <ctype.h> ]],
1919           [[ return (isblank('a')); ]])],
1920	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1921])
1922
1923disable_pkcs11=
1924AC_ARG_ENABLE([pkcs11],
1925	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1926	[
1927		if test "x$enableval" = "xno" ; then
1928			disable_pkcs11=1
1929		fi
1930	]
1931)
1932
1933disable_sk=
1934AC_ARG_ENABLE([security-key],
1935	[  --disable-security-key  disable U2F/FIDO support code [no]],
1936	[
1937		if test "x$enableval" = "xno" ; then
1938			disable_sk=1
1939		fi
1940	]
1941)
1942enable_sk_internal=
1943AC_ARG_WITH([security-key-builtin],
1944	[  --with-security-key-builtin include builtin U2F/FIDO support],
1945	[
1946		if test "x$withval" != "xno" ; then
1947			enable_sk_internal=yes
1948		fi
1949	]
1950)
1951test "x$disable_sk" != "x" && enable_sk_internal=""
1952
1953AC_SEARCH_LIBS([dlopen], [dl])
1954AC_CHECK_FUNCS([dlopen])
1955AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1956
1957# IRIX has a const char return value for gai_strerror()
1958AC_CHECK_FUNCS([gai_strerror], [
1959	AC_DEFINE([HAVE_GAI_STRERROR])
1960	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1961#include <sys/types.h>
1962#include <sys/socket.h>
1963#include <netdb.h>
1964
1965const char *gai_strerror(int);
1966			]], [[
1967	char *str;
1968	str = gai_strerror(0);
1969			]])], [
1970		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1971		[Define if gai_strerror() returns const char *])], [])])
1972
1973AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1974	[Some systems put nanosleep outside of libc])])
1975
1976AC_SEARCH_LIBS([clock_gettime], [rt],
1977	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1978
1979dnl check if we need -D_REENTRANT for localtime_r declaration.
1980AC_CHECK_DECL([localtime_r], [],
1981	[ saved_CPPFLAGS="$CFLAGS"
1982	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1983	  unset ac_cv_have_decl_localtime_r
1984	  AC_CHECK_DECL([localtime_r], [],
1985		[ CPPFLAGS="$saved_CPPFLAGS" ],
1986		[ #include <time.h> ]
1987	  )
1988	],
1989	[ #include <time.h> ]
1990)
1991
1992dnl Make sure prototypes are defined for these before using them.
1993AC_CHECK_DECL([strsep],
1994	[AC_CHECK_FUNCS([strsep])],
1995	[],
1996	[
1997#ifdef HAVE_STRING_H
1998# include <string.h>
1999#endif
2000	])
2001
2002dnl tcsendbreak might be a macro
2003AC_CHECK_DECL([tcsendbreak],
2004	[AC_DEFINE([HAVE_TCSENDBREAK])],
2005	[AC_CHECK_FUNCS([tcsendbreak])],
2006	[#include <termios.h>]
2007)
2008
2009AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2010
2011AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2012	[
2013#include <sys/types.h>
2014#include <sys/socket.h>
2015#include <unistd.h>
2016	])
2017
2018AC_CHECK_DECLS([O_NONBLOCK], , ,
2019	[
2020#include <sys/types.h>
2021#ifdef HAVE_SYS_STAT_H
2022# include <sys/stat.h>
2023#endif
2024#ifdef HAVE_FCNTL_H
2025# include <fcntl.h>
2026#endif
2027	])
2028
2029AC_CHECK_DECLS([readv, writev], , , [
2030#include <sys/types.h>
2031#include <sys/uio.h>
2032#include <unistd.h>
2033	])
2034
2035AC_CHECK_DECLS([MAXSYMLINKS], , , [
2036#include <sys/param.h>
2037	])
2038
2039AC_CHECK_DECLS([offsetof], , , [
2040#include <stddef.h>
2041	])
2042
2043# extra bits for select(2)
2044AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2045#include <sys/param.h>
2046#include <sys/types.h>
2047#ifdef HAVE_SYS_SYSMACROS_H
2048#include <sys/sysmacros.h>
2049#endif
2050#ifdef HAVE_SYS_SELECT_H
2051#include <sys/select.h>
2052#endif
2053#ifdef HAVE_SYS_TIME_H
2054#include <sys/time.h>
2055#endif
2056#ifdef HAVE_UNISTD_H
2057#include <unistd.h>
2058#endif
2059	]])
2060AC_CHECK_TYPES([fd_mask], [], [], [[
2061#include <sys/param.h>
2062#include <sys/types.h>
2063#ifdef HAVE_SYS_SELECT_H
2064#include <sys/select.h>
2065#endif
2066#ifdef HAVE_SYS_TIME_H
2067#include <sys/time.h>
2068#endif
2069#ifdef HAVE_UNISTD_H
2070#include <unistd.h>
2071#endif
2072	]])
2073
2074AC_CHECK_FUNCS([setresuid], [
2075	dnl Some platorms have setresuid that isn't implemented, test for this
2076	AC_MSG_CHECKING([if setresuid seems to work])
2077	AC_RUN_IFELSE(
2078		[AC_LANG_PROGRAM([[
2079#include <stdlib.h>
2080#include <errno.h>
2081		]], [[
2082	errno=0;
2083	setresuid(0,0,0);
2084	if (errno==ENOSYS)
2085		exit(1);
2086	else
2087		exit(0);
2088		]])],
2089		[AC_MSG_RESULT([yes])],
2090		[AC_DEFINE([BROKEN_SETRESUID], [1],
2091			[Define if your setresuid() is broken])
2092		 AC_MSG_RESULT([not implemented])],
2093		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2094	)
2095])
2096
2097AC_CHECK_FUNCS([setresgid], [
2098	dnl Some platorms have setresgid that isn't implemented, test for this
2099	AC_MSG_CHECKING([if setresgid seems to work])
2100	AC_RUN_IFELSE(
2101		[AC_LANG_PROGRAM([[
2102#include <stdlib.h>
2103#include <errno.h>
2104		]], [[
2105	errno=0;
2106	setresgid(0,0,0);
2107	if (errno==ENOSYS)
2108		exit(1);
2109	else
2110		exit(0);
2111		]])],
2112		[AC_MSG_RESULT([yes])],
2113		[AC_DEFINE([BROKEN_SETRESGID], [1],
2114			[Define if your setresgid() is broken])
2115		 AC_MSG_RESULT([not implemented])],
2116		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2117	)
2118])
2119
2120AC_MSG_CHECKING([for working fflush(NULL)])
2121AC_RUN_IFELSE(
2122	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2123	AC_MSG_RESULT([yes]),
2124	[AC_MSG_RESULT([no])
2125	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2126	    [define if fflush(NULL) does not work])],
2127	AC_MSG_WARN([cross compiling: assuming working])
2128)
2129
2130dnl    Checks for time functions
2131AC_CHECK_FUNCS([gettimeofday time])
2132dnl    Checks for utmp functions
2133AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2134AC_CHECK_FUNCS([utmpname])
2135dnl    Checks for utmpx functions
2136AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2137AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2138dnl    Checks for lastlog functions
2139AC_CHECK_FUNCS([getlastlogxbyname])
2140
2141AC_CHECK_FUNC([daemon],
2142	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2143	[AC_CHECK_LIB([bsd], [daemon],
2144		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2145)
2146
2147AC_CHECK_FUNC([getpagesize],
2148	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2149		[Define if your libraries define getpagesize()])],
2150	[AC_CHECK_LIB([ucb], [getpagesize],
2151		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2152)
2153
2154# Check for broken snprintf
2155if test "x$ac_cv_func_snprintf" = "xyes" ; then
2156	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2157	AC_RUN_IFELSE(
2158		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2159		[[
2160	char b[5];
2161	snprintf(b,5,"123456789");
2162	exit(b[4]!='\0');
2163		]])],
2164		[AC_MSG_RESULT([yes])],
2165		[
2166			AC_MSG_RESULT([no])
2167			AC_DEFINE([BROKEN_SNPRINTF], [1],
2168				[Define if your snprintf is busted])
2169			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2170		],
2171		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2172	)
2173fi
2174
2175if test "x$ac_cv_func_snprintf" = "xyes" ; then
2176	AC_MSG_CHECKING([whether snprintf understands %zu])
2177	AC_RUN_IFELSE(
2178		[AC_LANG_PROGRAM([[
2179#include <sys/types.h>
2180#include <stdio.h>
2181		]],
2182		[[
2183	size_t a = 1, b = 2;
2184	char z[128];
2185	snprintf(z, sizeof z, "%zu%zu", a, b);
2186	exit(strcmp(z, "12"));
2187		]])],
2188		[AC_MSG_RESULT([yes])],
2189		[
2190			AC_MSG_RESULT([no])
2191			AC_DEFINE([BROKEN_SNPRINTF], [1],
2192				[snprintf does not understand %zu])
2193		],
2194		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2195	)
2196fi
2197
2198# We depend on vsnprintf returning the right thing on overflow: the
2199# number of characters it tried to create (as per SUSv3)
2200if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2201	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2202	AC_RUN_IFELSE(
2203		[AC_LANG_PROGRAM([[
2204#include <sys/types.h>
2205#include <stdio.h>
2206#include <stdarg.h>
2207
2208int x_snprintf(char *str, size_t count, const char *fmt, ...)
2209{
2210	size_t ret;
2211	va_list ap;
2212
2213	va_start(ap, fmt);
2214	ret = vsnprintf(str, count, fmt, ap);
2215	va_end(ap);
2216	return ret;
2217}
2218		]], [[
2219char x[1];
2220if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2221	return 1;
2222if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2223	return 1;
2224return 0;
2225		]])],
2226		[AC_MSG_RESULT([yes])],
2227		[
2228			AC_MSG_RESULT([no])
2229			AC_DEFINE([BROKEN_SNPRINTF], [1],
2230				[Define if your snprintf is busted])
2231			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2232		],
2233		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2234	)
2235fi
2236
2237# On systems where [v]snprintf is broken, but is declared in stdio,
2238# check that the fmt argument is const char * or just char *.
2239# This is only useful for when BROKEN_SNPRINTF
2240AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2241AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2242#include <stdio.h>
2243int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2244		]], [[
2245	snprintf(0, 0, 0);
2246		]])],
2247   [AC_MSG_RESULT([yes])
2248    AC_DEFINE([SNPRINTF_CONST], [const],
2249              [Define as const if snprintf() can declare const char *fmt])],
2250   [AC_MSG_RESULT([no])
2251    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2252
2253# Check for missing getpeereid (or equiv) support
2254NO_PEERCHECK=""
2255if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2256	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2257	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2258#include <sys/types.h>
2259#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2260		[ AC_MSG_RESULT([yes])
2261		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2262		], [AC_MSG_RESULT([no])
2263		NO_PEERCHECK=1
2264        ])
2265fi
2266
2267dnl see whether mkstemp() requires XXXXXX
2268if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2269AC_MSG_CHECKING([for (overly) strict mkstemp])
2270AC_RUN_IFELSE(
2271	[AC_LANG_PROGRAM([[
2272#include <stdlib.h>
2273	]], [[
2274	char template[]="conftest.mkstemp-test";
2275	if (mkstemp(template) == -1)
2276		exit(1);
2277	unlink(template);
2278	exit(0);
2279	]])],
2280	[
2281		AC_MSG_RESULT([no])
2282	],
2283	[
2284		AC_MSG_RESULT([yes])
2285		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2286	],
2287	[
2288		AC_MSG_RESULT([yes])
2289		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2290	]
2291)
2292fi
2293
2294dnl make sure that openpty does not reacquire controlling terminal
2295if test ! -z "$check_for_openpty_ctty_bug"; then
2296	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2297	AC_RUN_IFELSE(
2298		[AC_LANG_PROGRAM([[
2299#include <stdio.h>
2300#include <sys/fcntl.h>
2301#include <sys/types.h>
2302#include <sys/wait.h>
2303		]], [[
2304	pid_t pid;
2305	int fd, ptyfd, ttyfd, status;
2306
2307	pid = fork();
2308	if (pid < 0) {		/* failed */
2309		exit(1);
2310	} else if (pid > 0) {	/* parent */
2311		waitpid(pid, &status, 0);
2312		if (WIFEXITED(status))
2313			exit(WEXITSTATUS(status));
2314		else
2315			exit(2);
2316	} else {		/* child */
2317		close(0); close(1); close(2);
2318		setsid();
2319		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2320		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2321		if (fd >= 0)
2322			exit(3);	/* Acquired ctty: broken */
2323		else
2324			exit(0);	/* Did not acquire ctty: OK */
2325	}
2326		]])],
2327		[
2328			AC_MSG_RESULT([yes])
2329		],
2330		[
2331			AC_MSG_RESULT([no])
2332			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2333		],
2334		[
2335			AC_MSG_RESULT([cross-compiling, assuming yes])
2336		]
2337	)
2338fi
2339
2340if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2341    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2342	AC_MSG_CHECKING([if getaddrinfo seems to work])
2343	AC_RUN_IFELSE(
2344		[AC_LANG_PROGRAM([[
2345#include <stdio.h>
2346#include <sys/socket.h>
2347#include <netdb.h>
2348#include <errno.h>
2349#include <netinet/in.h>
2350
2351#define TEST_PORT "2222"
2352		]], [[
2353	int err, sock;
2354	struct addrinfo *gai_ai, *ai, hints;
2355	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2356
2357	memset(&hints, 0, sizeof(hints));
2358	hints.ai_family = PF_UNSPEC;
2359	hints.ai_socktype = SOCK_STREAM;
2360	hints.ai_flags = AI_PASSIVE;
2361
2362	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2363	if (err != 0) {
2364		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2365		exit(1);
2366	}
2367
2368	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2369		if (ai->ai_family != AF_INET6)
2370			continue;
2371
2372		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2373		    sizeof(ntop), strport, sizeof(strport),
2374		    NI_NUMERICHOST|NI_NUMERICSERV);
2375
2376		if (err != 0) {
2377			if (err == EAI_SYSTEM)
2378				perror("getnameinfo EAI_SYSTEM");
2379			else
2380				fprintf(stderr, "getnameinfo failed: %s\n",
2381				    gai_strerror(err));
2382			exit(2);
2383		}
2384
2385		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2386		if (sock < 0)
2387			perror("socket");
2388		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2389			if (errno == EBADF)
2390				exit(3);
2391		}
2392	}
2393	exit(0);
2394		]])],
2395		[
2396			AC_MSG_RESULT([yes])
2397		],
2398		[
2399			AC_MSG_RESULT([no])
2400			AC_DEFINE([BROKEN_GETADDRINFO])
2401		],
2402		[
2403			AC_MSG_RESULT([cross-compiling, assuming yes])
2404		]
2405	)
2406fi
2407
2408if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2409    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2410	AC_MSG_CHECKING([if getaddrinfo seems to work])
2411	AC_RUN_IFELSE(
2412		[AC_LANG_PROGRAM([[
2413#include <stdio.h>
2414#include <sys/socket.h>
2415#include <netdb.h>
2416#include <errno.h>
2417#include <netinet/in.h>
2418
2419#define TEST_PORT "2222"
2420		]], [[
2421	int err, sock;
2422	struct addrinfo *gai_ai, *ai, hints;
2423	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2424
2425	memset(&hints, 0, sizeof(hints));
2426	hints.ai_family = PF_UNSPEC;
2427	hints.ai_socktype = SOCK_STREAM;
2428	hints.ai_flags = AI_PASSIVE;
2429
2430	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2431	if (err != 0) {
2432		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2433		exit(1);
2434	}
2435
2436	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2437		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2438			continue;
2439
2440		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2441		    sizeof(ntop), strport, sizeof(strport),
2442		    NI_NUMERICHOST|NI_NUMERICSERV);
2443
2444		if (ai->ai_family == AF_INET && err != 0) {
2445			perror("getnameinfo");
2446			exit(2);
2447		}
2448	}
2449	exit(0);
2450		]])],
2451		[
2452			AC_MSG_RESULT([yes])
2453			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2454				[Define if you have a getaddrinfo that fails
2455				for the all-zeros IPv6 address])
2456		],
2457		[
2458			AC_MSG_RESULT([no])
2459			AC_DEFINE([BROKEN_GETADDRINFO])
2460		],
2461		[
2462			AC_MSG_RESULT([cross-compiling, assuming no])
2463		]
2464	)
2465fi
2466
2467if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2468	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2469	    [#include <sys/types.h>
2470	     #include <sys/socket.h>
2471	     #include <netdb.h>])
2472fi
2473
2474if test "x$check_for_conflicting_getspnam" = "x1"; then
2475	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2476	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2477		[[ exit(0); ]])],
2478		[
2479			AC_MSG_RESULT([no])
2480		],
2481		[
2482			AC_MSG_RESULT([yes])
2483			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2484			    [Conflicting defs for getspnam])
2485		]
2486	)
2487fi
2488
2489dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2490dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2491dnl for over ten years). Despite this incompatibility being reported during
2492dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2493dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2494dnl implementation.  Try to detect this mess, and assume the only safe option
2495dnl if we're cross compiling.
2496dnl
2497dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2498dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2499if test "x$ac_cv_func_strnvis" = "xyes"; then
2500	AC_MSG_CHECKING([for working strnvis])
2501	AC_RUN_IFELSE(
2502		[AC_LANG_PROGRAM([[
2503#include <signal.h>
2504#include <stdlib.h>
2505#include <string.h>
2506#include <vis.h>
2507static void sighandler(int sig) { _exit(1); }
2508		]], [[
2509	char dst[16];
2510
2511	signal(SIGSEGV, sighandler);
2512	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2513		exit(0);
2514	exit(1)
2515		]])],
2516		[AC_MSG_RESULT([yes])],
2517		[AC_MSG_RESULT([no])
2518		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2519		[AC_MSG_WARN([cross compiling: assuming broken])
2520		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2521	)
2522fi
2523
2524AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2525AC_RUN_IFELSE(
2526	[AC_LANG_PROGRAM([[
2527#ifdef HAVE_SYS_SELECT
2528# include <sys/select.h>
2529#endif
2530#include <sys/types.h>
2531#include <sys/time.h>
2532#include <stdlib.h>
2533#include <signal.h>
2534static void sighandler(int sig) { }
2535		]], [[
2536	int r;
2537	pid_t pid;
2538	struct sigaction sa;
2539
2540	sa.sa_handler = sighandler;
2541	sa.sa_flags = SA_RESTART;
2542	(void)sigaction(SIGTERM, &sa, NULL);
2543	if ((pid = fork()) == 0) { /* child */
2544		pid = getppid();
2545		sleep(1);
2546		kill(pid, SIGTERM);
2547		sleep(1);
2548		if (getppid() == pid) /* if parent did not exit, shoot it */
2549			kill(pid, SIGKILL);
2550		exit(0);
2551	} else { /* parent */
2552		r = select(0, NULL, NULL, NULL, NULL);
2553	}
2554	exit(r == -1 ? 0 : 1);
2555	]])],
2556	[AC_MSG_RESULT([yes])],
2557	[AC_MSG_RESULT([no])
2558	 AC_DEFINE([NO_SA_RESTART], [1],
2559	    [SA_RESTARTed signals do no interrupt select])],
2560	[AC_MSG_WARN([cross compiling: assuming yes])]
2561)
2562
2563AC_CHECK_FUNCS([getpgrp],[
2564	AC_MSG_CHECKING([if getpgrp accepts zero args])
2565	AC_COMPILE_IFELSE(
2566		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2567		[ AC_MSG_RESULT([yes])
2568		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2569		[ AC_MSG_RESULT([no])
2570		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2571	)
2572])
2573
2574# Search for OpenSSL
2575saved_CPPFLAGS="$CPPFLAGS"
2576saved_LDFLAGS="$LDFLAGS"
2577AC_ARG_WITH([ssl-dir],
2578	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2579	[
2580		if test "x$openssl" = "xno" ; then
2581			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2582		fi
2583		if test "x$withval" != "xno" ; then
2584			case "$withval" in
2585				# Relative paths
2586				./*|../*)	withval="`pwd`/$withval"
2587			esac
2588			if test -d "$withval/lib"; then
2589				if test -n "${rpath_opt}"; then
2590					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2591				else
2592					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2593				fi
2594			elif test -d "$withval/lib64"; then
2595				if test -n "${rpath_opt}"; then
2596					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2597				else
2598					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2599				fi
2600			else
2601				if test -n "${rpath_opt}"; then
2602					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2603				else
2604					LDFLAGS="-L${withval} ${LDFLAGS}"
2605				fi
2606			fi
2607			if test -d "$withval/include"; then
2608				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2609			else
2610				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2611			fi
2612		fi
2613	]
2614)
2615
2616AC_ARG_WITH([openssl-header-check],
2617	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2618	[
2619		if test "x$withval" = "xno" ; then
2620			openssl_check_nonfatal=1
2621		fi
2622	]
2623)
2624
2625openssl_engine=no
2626AC_ARG_WITH([ssl-engine],
2627	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2628	[
2629		if test "x$withval" != "xno" ; then
2630			if test "x$openssl" = "xno" ; then
2631				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2632			fi
2633			openssl_engine=yes
2634		fi
2635	]
2636)
2637
2638if test "x$openssl" = "xyes" ; then
2639	LIBS="-lcrypto $LIBS"
2640	AC_TRY_LINK_FUNC([RAND_add], ,
2641	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2642	AC_CHECK_HEADER([openssl/opensslv.h], ,
2643	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2644
2645	# Determine OpenSSL header version
2646	AC_MSG_CHECKING([OpenSSL header version])
2647	AC_RUN_IFELSE(
2648		[AC_LANG_PROGRAM([[
2649	#include <stdlib.h>
2650	#include <stdio.h>
2651	#include <string.h>
2652	#include <openssl/opensslv.h>
2653	#define DATA "conftest.sslincver"
2654		]], [[
2655		FILE *fd;
2656		int rc;
2657
2658		fd = fopen(DATA,"w");
2659		if(fd == NULL)
2660			exit(1);
2661
2662		if ((rc = fprintf(fd, "%08lx (%s)\n",
2663		    (unsigned long)OPENSSL_VERSION_NUMBER,
2664		     OPENSSL_VERSION_TEXT)) < 0)
2665			exit(1);
2666
2667		exit(0);
2668		]])],
2669		[
2670			ssl_header_ver=`cat conftest.sslincver`
2671			AC_MSG_RESULT([$ssl_header_ver])
2672		],
2673		[
2674			AC_MSG_RESULT([not found])
2675			AC_MSG_ERROR([OpenSSL version header not found.])
2676		],
2677		[
2678			AC_MSG_WARN([cross compiling: not checking])
2679		]
2680	)
2681
2682	# Determining OpenSSL library version is version dependent.
2683	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2684
2685	# Determine OpenSSL library version
2686	AC_MSG_CHECKING([OpenSSL library version])
2687	AC_RUN_IFELSE(
2688		[AC_LANG_PROGRAM([[
2689	#include <stdio.h>
2690	#include <string.h>
2691	#include <openssl/opensslv.h>
2692	#include <openssl/crypto.h>
2693	#define DATA "conftest.ssllibver"
2694		]], [[
2695		FILE *fd;
2696		int rc;
2697
2698		fd = fopen(DATA,"w");
2699		if(fd == NULL)
2700			exit(1);
2701#ifndef OPENSSL_VERSION
2702# define OPENSSL_VERSION SSLEAY_VERSION
2703#endif
2704#ifndef HAVE_OPENSSL_VERSION
2705# define OpenSSL_version	SSLeay_version
2706#endif
2707#ifndef HAVE_OPENSSL_VERSION_NUM
2708# define OpenSSL_version_num	SSLeay
2709#endif
2710		if ((rc = fprintf(fd, "%08lx (%s)\n",
2711		    (unsigned long)OpenSSL_version_num(),
2712		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2713			exit(1);
2714
2715		exit(0);
2716		]])],
2717		[
2718			ssl_library_ver=`cat conftest.ssllibver`
2719			# Check version is supported.
2720			case "$ssl_library_ver" in
2721			10000*|0*)
2722				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2723		                ;;
2724			100*)   ;; # 1.0.x
2725			101000[[0123456]]*)
2726				# https://github.com/openssl/openssl/pull/4613
2727				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2728				;;
2729			101*)   ;; # 1.1.x
2730			200*)   ;; # LibreSSL
2731			300*)   ;; # OpenSSL development branch.
2732		        *)
2733				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2734		                ;;
2735			esac
2736			AC_MSG_RESULT([$ssl_library_ver])
2737		],
2738		[
2739			AC_MSG_RESULT([not found])
2740			AC_MSG_ERROR([OpenSSL library not found.])
2741		],
2742		[
2743			AC_MSG_WARN([cross compiling: not checking])
2744		]
2745	)
2746
2747	# Sanity check OpenSSL headers
2748	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2749	AC_RUN_IFELSE(
2750		[AC_LANG_PROGRAM([[
2751	#include <string.h>
2752	#include <openssl/opensslv.h>
2753	#include <openssl/crypto.h>
2754		]], [[
2755#ifndef HAVE_OPENSSL_VERSION_NUM
2756# define OpenSSL_version_num	SSLeay
2757#endif
2758		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2759		]])],
2760		[
2761			AC_MSG_RESULT([yes])
2762		],
2763		[
2764			AC_MSG_RESULT([no])
2765			if test "x$openssl_check_nonfatal" = "x"; then
2766				AC_MSG_ERROR([Your OpenSSL headers do not match your
2767	library. Check config.log for details.
2768	If you are sure your installation is consistent, you can disable the check
2769	by running "./configure --without-openssl-header-check".
2770	Also see contrib/findssl.sh for help identifying header/library mismatches.
2771	])
2772			else
2773				AC_MSG_WARN([Your OpenSSL headers do not match your
2774	library. Check config.log for details.
2775	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2776			fi
2777		],
2778		[
2779			AC_MSG_WARN([cross compiling: not checking])
2780		]
2781	)
2782
2783	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2784	AC_LINK_IFELSE(
2785		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2786		[[ ERR_load_crypto_strings(); ]])],
2787		[
2788			AC_MSG_RESULT([yes])
2789		],
2790		[
2791			AC_MSG_RESULT([no])
2792			saved_LIBS="$LIBS"
2793			LIBS="$LIBS -ldl"
2794			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2795			AC_LINK_IFELSE(
2796				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2797				[[ ERR_load_crypto_strings(); ]])],
2798				[
2799					AC_MSG_RESULT([yes])
2800				],
2801				[
2802					AC_MSG_RESULT([no])
2803					LIBS="$saved_LIBS"
2804				]
2805			)
2806		]
2807	)
2808
2809	AC_CHECK_FUNCS([ \
2810		BN_is_prime_ex \
2811		DSA_generate_parameters_ex \
2812		EVP_CIPHER_CTX_ctrl \
2813		EVP_DigestFinal_ex \
2814		EVP_DigestInit_ex \
2815		EVP_MD_CTX_cleanup \
2816		EVP_MD_CTX_copy_ex \
2817		EVP_MD_CTX_init \
2818		HMAC_CTX_init \
2819		RSA_generate_key_ex \
2820		RSA_get_default_method \
2821	])
2822
2823	# OpenSSL_add_all_algorithms may be a macro.
2824	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2825	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2826	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2827		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2828		[[#include <openssl/evp.h>]]
2829	    )
2830	)
2831
2832	# LibreSSL/OpenSSL 1.1x API
2833	AC_CHECK_FUNCS([ \
2834		OPENSSL_init_crypto \
2835		DH_get0_key \
2836		DH_get0_pqg \
2837		DH_set0_key \
2838		DH_set_length \
2839		DH_set0_pqg \
2840		DSA_get0_key \
2841		DSA_get0_pqg \
2842		DSA_set0_key \
2843		DSA_set0_pqg \
2844		DSA_SIG_get0 \
2845		DSA_SIG_set0 \
2846		ECDSA_SIG_get0 \
2847		ECDSA_SIG_set0 \
2848		EVP_CIPHER_CTX_iv \
2849		EVP_CIPHER_CTX_iv_noconst \
2850		EVP_CIPHER_CTX_get_iv \
2851		EVP_CIPHER_CTX_set_iv \
2852		RSA_get0_crt_params \
2853		RSA_get0_factors \
2854		RSA_get0_key \
2855		RSA_set0_crt_params \
2856		RSA_set0_factors \
2857		RSA_set0_key \
2858		RSA_meth_free \
2859		RSA_meth_dup \
2860		RSA_meth_set1_name \
2861		RSA_meth_get_finish \
2862		RSA_meth_set_priv_enc \
2863		RSA_meth_set_priv_dec \
2864		RSA_meth_set_finish \
2865		EVP_PKEY_get0_RSA \
2866		EVP_MD_CTX_new \
2867		EVP_MD_CTX_free \
2868		EVP_chacha20 \
2869	])
2870
2871	if test "x$openssl_engine" = "xyes" ; then
2872		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2873		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2874	#include <openssl/engine.h>
2875			]], [[
2876				ENGINE_load_builtin_engines();
2877				ENGINE_register_all_complete();
2878			]])],
2879			[ AC_MSG_RESULT([yes])
2880			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2881			     [Enable OpenSSL engine support])
2882			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2883		])
2884	fi
2885
2886	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2887	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2888	AC_LINK_IFELSE(
2889		[AC_LANG_PROGRAM([[
2890	#include <string.h>
2891	#include <openssl/evp.h>
2892		]], [[
2893		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2894		]])],
2895		[
2896			AC_MSG_RESULT([no])
2897		],
2898		[
2899			AC_MSG_RESULT([yes])
2900			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2901			    [libcrypto is missing AES 192 and 256 bit functions])
2902		]
2903	)
2904
2905	# Check for OpenSSL with EVP_aes_*ctr
2906	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2907	AC_LINK_IFELSE(
2908		[AC_LANG_PROGRAM([[
2909	#include <string.h>
2910	#include <openssl/evp.h>
2911		]], [[
2912		exit(EVP_aes_128_ctr() == NULL ||
2913		    EVP_aes_192_cbc() == NULL ||
2914		    EVP_aes_256_cbc() == NULL);
2915		]])],
2916		[
2917			AC_MSG_RESULT([yes])
2918			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2919			    [libcrypto has EVP AES CTR])
2920		],
2921		[
2922			AC_MSG_RESULT([no])
2923		]
2924	)
2925
2926	# Check for OpenSSL with EVP_aes_*gcm
2927	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2928	AC_LINK_IFELSE(
2929		[AC_LANG_PROGRAM([[
2930	#include <string.h>
2931	#include <openssl/evp.h>
2932		]], [[
2933		exit(EVP_aes_128_gcm() == NULL ||
2934		    EVP_aes_256_gcm() == NULL ||
2935		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2936		    EVP_CTRL_GCM_IV_GEN == 0 ||
2937		    EVP_CTRL_GCM_SET_TAG == 0 ||
2938		    EVP_CTRL_GCM_GET_TAG == 0 ||
2939		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2940		]])],
2941		[
2942			AC_MSG_RESULT([yes])
2943			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2944			    [libcrypto has EVP AES GCM])
2945		],
2946		[
2947			AC_MSG_RESULT([no])
2948			unsupported_algorithms="$unsupported_cipers \
2949			   aes128-gcm@openssh.com \
2950			   aes256-gcm@openssh.com"
2951		]
2952	)
2953
2954	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2955	AC_LINK_IFELSE(
2956		[AC_LANG_PROGRAM([[
2957	#include <string.h>
2958	#include <openssl/evp.h>
2959		]], [[
2960		if(EVP_DigestUpdate(NULL, NULL,0))
2961			exit(0);
2962		]])],
2963		[
2964			AC_MSG_RESULT([yes])
2965		],
2966		[
2967			AC_MSG_RESULT([no])
2968			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2969			    [Define if EVP_DigestUpdate returns void])
2970		]
2971	)
2972
2973	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2974	# because the system crypt() is more featureful.
2975	if test "x$check_for_libcrypt_before" = "x1"; then
2976		AC_CHECK_LIB([crypt], [crypt])
2977	fi
2978
2979	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2980	# version in OpenSSL.
2981	if test "x$check_for_libcrypt_later" = "x1"; then
2982		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2983	fi
2984	AC_CHECK_FUNCS([crypt DES_crypt])
2985
2986	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2987	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2988
2989	# Check complete ECC support in OpenSSL
2990	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2991	AC_LINK_IFELSE(
2992		[AC_LANG_PROGRAM([[
2993	#include <openssl/ec.h>
2994	#include <openssl/ecdh.h>
2995	#include <openssl/ecdsa.h>
2996	#include <openssl/evp.h>
2997	#include <openssl/objects.h>
2998	#include <openssl/opensslv.h>
2999		]], [[
3000		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3001		const EVP_MD *m = EVP_sha256(); /* We need this too */
3002		]])],
3003		[ AC_MSG_RESULT([yes])
3004		  enable_nistp256=1 ],
3005		[ AC_MSG_RESULT([no]) ]
3006	)
3007
3008	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3009	AC_LINK_IFELSE(
3010		[AC_LANG_PROGRAM([[
3011	#include <openssl/ec.h>
3012	#include <openssl/ecdh.h>
3013	#include <openssl/ecdsa.h>
3014	#include <openssl/evp.h>
3015	#include <openssl/objects.h>
3016	#include <openssl/opensslv.h>
3017		]], [[
3018		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3019		const EVP_MD *m = EVP_sha384(); /* We need this too */
3020		]])],
3021		[ AC_MSG_RESULT([yes])
3022		  enable_nistp384=1 ],
3023		[ AC_MSG_RESULT([no]) ]
3024	)
3025
3026	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3027	AC_LINK_IFELSE(
3028		[AC_LANG_PROGRAM([[
3029	#include <openssl/ec.h>
3030	#include <openssl/ecdh.h>
3031	#include <openssl/ecdsa.h>
3032	#include <openssl/evp.h>
3033	#include <openssl/objects.h>
3034	#include <openssl/opensslv.h>
3035		]], [[
3036		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3037		const EVP_MD *m = EVP_sha512(); /* We need this too */
3038		]])],
3039		[ AC_MSG_RESULT([yes])
3040		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3041		  AC_RUN_IFELSE(
3042			[AC_LANG_PROGRAM([[
3043	#include <openssl/ec.h>
3044	#include <openssl/ecdh.h>
3045	#include <openssl/ecdsa.h>
3046	#include <openssl/evp.h>
3047	#include <openssl/objects.h>
3048	#include <openssl/opensslv.h>
3049			]],[[
3050			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3051			const EVP_MD *m = EVP_sha512(); /* We need this too */
3052			exit(e == NULL || m == NULL);
3053			]])],
3054			[ AC_MSG_RESULT([yes])
3055			  enable_nistp521=1 ],
3056			[ AC_MSG_RESULT([no]) ],
3057			[ AC_MSG_WARN([cross-compiling: assuming yes])
3058			  enable_nistp521=1 ]
3059		  )],
3060		AC_MSG_RESULT([no])
3061	)
3062
3063	COMMENT_OUT_ECC="#no ecc#"
3064	TEST_SSH_ECC=no
3065
3066	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3067	    test x$enable_nistp521 = x1; then
3068		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3069		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3070		openssl_ecc=yes
3071	else
3072		openssl_ecc=no
3073	fi
3074	if test x$enable_nistp256 = x1; then
3075		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3076		    [libcrypto has NID_X9_62_prime256v1])
3077		TEST_SSH_ECC=yes
3078		COMMENT_OUT_ECC=""
3079	else
3080		unsupported_algorithms="$unsupported_algorithms \
3081			ecdsa-sha2-nistp256 \
3082			ecdh-sha2-nistp256 \
3083			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3084	fi
3085	if test x$enable_nistp384 = x1; then
3086		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3087		TEST_SSH_ECC=yes
3088		COMMENT_OUT_ECC=""
3089	else
3090		unsupported_algorithms="$unsupported_algorithms \
3091			ecdsa-sha2-nistp384 \
3092			ecdh-sha2-nistp384 \
3093			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3094	fi
3095	if test x$enable_nistp521 = x1; then
3096		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3097		TEST_SSH_ECC=yes
3098		COMMENT_OUT_ECC=""
3099	else
3100		unsupported_algorithms="$unsupported_algorithms \
3101			ecdh-sha2-nistp521 \
3102			ecdsa-sha2-nistp521 \
3103			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3104	fi
3105
3106	AC_SUBST([TEST_SSH_ECC])
3107	AC_SUBST([COMMENT_OUT_ECC])
3108else
3109	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3110	AC_CHECK_FUNCS([crypt])
3111fi
3112
3113# PKCS11/U2F depend on OpenSSL and dlopen().
3114enable_pkcs11=yes
3115enable_sk=yes
3116if test "x$openssl" != "xyes" ; then
3117	enable_pkcs11="disabled; missing libcrypto"
3118	enable_sk="disabled; missing libcrypto"
3119fi
3120if test "x$openssl_ecc" != "xyes" ; then
3121	enable_sk="disabled; OpenSSL has no ECC support"
3122fi
3123if test "x$ac_cv_func_dlopen" != "xyes" ; then
3124	enable_pkcs11="disabled; missing dlopen(3)"
3125	enable_sk="disabled; missing dlopen(3)"
3126fi
3127if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3128	enable_pkcs11="disabled; missing RTLD_NOW"
3129	enable_sk="disabled; missing RTLD_NOW"
3130fi
3131if test ! -z "$disable_pkcs11" ; then
3132	enable_pkcs11="disabled by user"
3133fi
3134if test ! -z "$disable_sk" ; then
3135	enable_sk="disabled by user"
3136fi
3137
3138AC_MSG_CHECKING([whether to enable PKCS11])
3139if test "x$enable_pkcs11" = "xyes" ; then
3140	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3141fi
3142AC_MSG_RESULT([$enable_pkcs11])
3143
3144AC_MSG_CHECKING([whether to enable U2F])
3145if test "x$enable_sk" = "xyes" ; then
3146	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3147	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3148else
3149	# Do not try to build sk-dummy library.
3150	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3151fi
3152AC_MSG_RESULT([$enable_sk])
3153
3154# Now check for built-in security key support.
3155if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3156	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3157	use_pkgconfig_for_libfido2=
3158	if test "x$PKGCONFIG" != "xno"; then
3159		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3160		if "$PKGCONFIG" libfido2; then
3161			AC_MSG_RESULT([yes])
3162			use_pkgconfig_for_libfido2=yes
3163		else
3164			AC_MSG_RESULT([no])
3165		fi
3166	fi
3167	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3168		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3169		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3170	else
3171		LIBFIDO2="-lfido2 -lcbor"
3172	fi
3173	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3174	AC_CHECK_LIB([fido2], [fido_init],
3175		[
3176			AC_SUBST([LIBFIDO2])
3177			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3178			    [Enable for built-in U2F/FIDO support])
3179			enable_sk="built-in"
3180		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3181		[ $OTHERLIBS ]
3182	)
3183	saved_LIBS="$LIBS"
3184	LIBS="$LIBS $LIBFIDO2"
3185	AC_CHECK_FUNCS([ \
3186		fido_cred_prot \
3187		fido_cred_set_prot \
3188		fido_dev_get_touch_begin \
3189		fido_dev_get_touch_status \
3190		fido_dev_supports_cred_prot \
3191	])
3192	LIBS="$saved_LIBS"
3193	AC_CHECK_HEADER([fido.h], [],
3194		AC_MSG_ERROR([missing fido.h from libfido2]))
3195	AC_CHECK_HEADER([fido/credman.h], [],
3196		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3197		[#include <fido.h>]
3198	)
3199fi
3200
3201AC_CHECK_FUNCS([ \
3202	arc4random \
3203	arc4random_buf \
3204	arc4random_stir \
3205	arc4random_uniform \
3206])
3207
3208saved_LIBS="$LIBS"
3209AC_CHECK_LIB([iaf], [ia_openinfo], [
3210	LIBS="$LIBS -liaf"
3211	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3212				AC_DEFINE([HAVE_LIBIAF], [1],
3213			[Define if system has libiaf that supports set_id])
3214				])
3215])
3216LIBS="$saved_LIBS"
3217
3218### Configure cryptographic random number support
3219
3220# Check whether OpenSSL seeds itself
3221if test "x$openssl" = "xyes" ; then
3222	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3223	AC_RUN_IFELSE(
3224		[AC_LANG_PROGRAM([[
3225	#include <string.h>
3226	#include <openssl/rand.h>
3227		]], [[
3228		exit(RAND_status() == 1 ? 0 : 1);
3229		]])],
3230		[
3231			OPENSSL_SEEDS_ITSELF=yes
3232			AC_MSG_RESULT([yes])
3233		],
3234		[
3235			AC_MSG_RESULT([no])
3236		],
3237		[
3238			AC_MSG_WARN([cross compiling: assuming yes])
3239			# This is safe, since we will fatal() at runtime if
3240			# OpenSSL is not seeded correctly.
3241			OPENSSL_SEEDS_ITSELF=yes
3242		]
3243	)
3244fi
3245
3246# PRNGD TCP socket
3247AC_ARG_WITH([prngd-port],
3248	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3249	[
3250		case "$withval" in
3251		no)
3252			withval=""
3253			;;
3254		[[0-9]]*)
3255			;;
3256		*)
3257			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3258			;;
3259		esac
3260		if test ! -z "$withval" ; then
3261			PRNGD_PORT="$withval"
3262			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3263				[Port number of PRNGD/EGD random number socket])
3264		fi
3265	]
3266)
3267
3268# PRNGD Unix domain socket
3269AC_ARG_WITH([prngd-socket],
3270	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3271	[
3272		case "$withval" in
3273		yes)
3274			withval="/var/run/egd-pool"
3275			;;
3276		no)
3277			withval=""
3278			;;
3279		/*)
3280			;;
3281		*)
3282			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3283			;;
3284		esac
3285
3286		if test ! -z "$withval" ; then
3287			if test ! -z "$PRNGD_PORT" ; then
3288				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3289			fi
3290			if test ! -r "$withval" ; then
3291				AC_MSG_WARN([Entropy socket is not readable])
3292			fi
3293			PRNGD_SOCKET="$withval"
3294			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3295				[Location of PRNGD/EGD random number socket])
3296		fi
3297	],
3298	[
3299		# Check for existing socket only if we don't have a random device already
3300		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3301			AC_MSG_CHECKING([for PRNGD/EGD socket])
3302			# Insert other locations here
3303			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3304				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3305					PRNGD_SOCKET="$sock"
3306					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3307					break;
3308				fi
3309			done
3310			if test ! -z "$PRNGD_SOCKET" ; then
3311				AC_MSG_RESULT([$PRNGD_SOCKET])
3312			else
3313				AC_MSG_RESULT([not found])
3314			fi
3315		fi
3316	]
3317)
3318
3319# Which randomness source do we use?
3320if test ! -z "$PRNGD_PORT" ; then
3321	RAND_MSG="PRNGd port $PRNGD_PORT"
3322elif test ! -z "$PRNGD_SOCKET" ; then
3323	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3324elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3325	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3326		[Define if you want the OpenSSL internally seeded PRNG only])
3327	RAND_MSG="OpenSSL internal ONLY"
3328elif test "x$openssl" = "xno" ; then
3329	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3330else
3331	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3332fi
3333
3334# Check for PAM libs
3335PAM_MSG="no"
3336AC_ARG_WITH([pam],
3337	[  --with-pam              Enable PAM support ],
3338	[
3339		if test "x$withval" != "xno" ; then
3340			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3341			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3342				AC_MSG_ERROR([PAM headers not found])
3343			fi
3344
3345			saved_LIBS="$LIBS"
3346			AC_CHECK_LIB([dl], [dlopen], , )
3347			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3348			AC_CHECK_FUNCS([pam_getenvlist])
3349			AC_CHECK_FUNCS([pam_putenv])
3350			LIBS="$saved_LIBS"
3351
3352			PAM_MSG="yes"
3353
3354			SSHDLIBS="$SSHDLIBS -lpam"
3355			AC_DEFINE([USE_PAM], [1],
3356				[Define if you want to enable PAM support])
3357
3358			if test $ac_cv_lib_dl_dlopen = yes; then
3359				case "$LIBS" in
3360				*-ldl*)
3361					# libdl already in LIBS
3362					;;
3363				*)
3364					SSHDLIBS="$SSHDLIBS -ldl"
3365					;;
3366				esac
3367			fi
3368		fi
3369	]
3370)
3371
3372AC_ARG_WITH([pam-service],
3373	[  --with-pam-service=name Specify PAM service name ],
3374	[
3375		if test "x$withval" != "xno" && \
3376		   test "x$withval" != "xyes" ; then
3377			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3378				["$withval"], [sshd PAM service name])
3379		fi
3380	]
3381)
3382
3383# Check for older PAM
3384if test "x$PAM_MSG" = "xyes" ; then
3385	# Check PAM strerror arguments (old PAM)
3386	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3387	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3388#include <stdlib.h>
3389#if defined(HAVE_SECURITY_PAM_APPL_H)
3390#include <security/pam_appl.h>
3391#elif defined (HAVE_PAM_PAM_APPL_H)
3392#include <pam/pam_appl.h>
3393#endif
3394		]], [[
3395(void)pam_strerror((pam_handle_t *)NULL, -1);
3396		]])], [AC_MSG_RESULT([no])], [
3397			AC_DEFINE([HAVE_OLD_PAM], [1],
3398				[Define if you have an old version of PAM
3399				which takes only one argument to pam_strerror])
3400			AC_MSG_RESULT([yes])
3401			PAM_MSG="yes (old library)"
3402
3403	])
3404fi
3405
3406case "$host" in
3407*-*-cygwin*)
3408	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3409	;;
3410*)
3411	SSH_PRIVSEP_USER=sshd
3412	;;
3413esac
3414AC_ARG_WITH([privsep-user],
3415	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3416	[
3417		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3418		    test "x${withval}" != "xyes"; then
3419			SSH_PRIVSEP_USER=$withval
3420		fi
3421	]
3422)
3423if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3424	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3425		[Cygwin function to fetch non-privileged user for privilege separation])
3426else
3427	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3428		[non-privileged user for privilege separation])
3429fi
3430AC_SUBST([SSH_PRIVSEP_USER])
3431
3432if test "x$have_linux_no_new_privs" = "x1" ; then
3433AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3434	#include <sys/types.h>
3435	#include <linux/seccomp.h>
3436])
3437fi
3438if test "x$have_seccomp_filter" = "x1" ; then
3439AC_MSG_CHECKING([kernel for seccomp_filter support])
3440AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3441		#include <errno.h>
3442		#include <elf.h>
3443		#include <linux/audit.h>
3444		#include <linux/seccomp.h>
3445		#include <stdlib.h>
3446		#include <sys/prctl.h>
3447	]],
3448	[[ int i = $seccomp_audit_arch;
3449	   errno = 0;
3450	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3451	   exit(errno == EFAULT ? 0 : 1); ]])],
3452	[ AC_MSG_RESULT([yes]) ], [
3453		AC_MSG_RESULT([no])
3454		# Disable seccomp filter as a target
3455		have_seccomp_filter=0
3456	]
3457)
3458fi
3459
3460# Decide which sandbox style to use
3461sandbox_arg=""
3462AC_ARG_WITH([sandbox],
3463	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3464	[
3465		if test "x$withval" = "xyes" ; then
3466			sandbox_arg=""
3467		else
3468			sandbox_arg="$withval"
3469		fi
3470	]
3471)
3472
3473# Some platforms (seems to be the ones that have a kernel poll(2)-type
3474# function with which they implement select(2)) use an extra file descriptor
3475# when calling select(2), which means we can't use the rlimit sandbox.
3476AC_MSG_CHECKING([if select works with descriptor rlimit])
3477AC_RUN_IFELSE(
3478	[AC_LANG_PROGRAM([[
3479#include <sys/types.h>
3480#ifdef HAVE_SYS_TIME_H
3481# include <sys/time.h>
3482#endif
3483#include <sys/resource.h>
3484#ifdef HAVE_SYS_SELECT_H
3485# include <sys/select.h>
3486#endif
3487#include <errno.h>
3488#include <fcntl.h>
3489#include <stdlib.h>
3490	]],[[
3491	struct rlimit rl_zero;
3492	int fd, r;
3493	fd_set fds;
3494	struct timeval tv;
3495
3496	fd = open("/dev/null", O_RDONLY);
3497	FD_ZERO(&fds);
3498	FD_SET(fd, &fds);
3499	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3500	setrlimit(RLIMIT_FSIZE, &rl_zero);
3501	setrlimit(RLIMIT_NOFILE, &rl_zero);
3502	tv.tv_sec = 1;
3503	tv.tv_usec = 0;
3504	r = select(fd+1, &fds, NULL, NULL, &tv);
3505	exit (r == -1 ? 1 : 0);
3506	]])],
3507	[AC_MSG_RESULT([yes])
3508	 select_works_with_rlimit=yes],
3509	[AC_MSG_RESULT([no])
3510	 select_works_with_rlimit=no],
3511	[AC_MSG_WARN([cross compiling: assuming yes])
3512	 select_works_with_rlimit=yes]
3513)
3514
3515AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3516AC_RUN_IFELSE(
3517	[AC_LANG_PROGRAM([[
3518#include <sys/types.h>
3519#ifdef HAVE_SYS_TIME_H
3520# include <sys/time.h>
3521#endif
3522#include <sys/resource.h>
3523#include <errno.h>
3524#include <stdlib.h>
3525	]],[[
3526	struct rlimit rl_zero;
3527	int r;
3528
3529	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3530	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3531	exit (r == -1 ? 1 : 0);
3532	]])],
3533	[AC_MSG_RESULT([yes])
3534	 rlimit_nofile_zero_works=yes],
3535	[AC_MSG_RESULT([no])
3536	 rlimit_nofile_zero_works=no],
3537	[AC_MSG_WARN([cross compiling: assuming yes])
3538	 rlimit_nofile_zero_works=yes]
3539)
3540
3541AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3542AC_RUN_IFELSE(
3543	[AC_LANG_PROGRAM([[
3544#include <sys/types.h>
3545#include <sys/resource.h>
3546#include <stdlib.h>
3547	]],[[
3548		struct rlimit rl_zero;
3549
3550		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3551		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3552	]])],
3553	[AC_MSG_RESULT([yes])],
3554	[AC_MSG_RESULT([no])
3555	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3556	    [setrlimit RLIMIT_FSIZE works])],
3557	[AC_MSG_WARN([cross compiling: assuming yes])]
3558)
3559
3560if test "x$sandbox_arg" = "xpledge" || \
3561   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3562	test "x$ac_cv_func_pledge" != "xyes" && \
3563		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3564	SANDBOX_STYLE="pledge"
3565	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3566elif test "x$sandbox_arg" = "xsystrace" || \
3567   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3568	test "x$have_systr_policy_kill" != "x1" && \
3569		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3570	SANDBOX_STYLE="systrace"
3571	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3572elif test "x$sandbox_arg" = "xdarwin" || \
3573     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3574       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3575	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3576	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3577		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3578	SANDBOX_STYLE="darwin"
3579	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3580elif test "x$sandbox_arg" = "xseccomp_filter" || \
3581     ( test -z "$sandbox_arg" && \
3582       test "x$have_seccomp_filter" = "x1" && \
3583       test "x$ac_cv_header_elf_h" = "xyes" && \
3584       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3585       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3586       test "x$seccomp_audit_arch" != "x" && \
3587       test "x$have_linux_no_new_privs" = "x1" && \
3588       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3589	test "x$seccomp_audit_arch" = "x" && \
3590		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3591	test "x$have_linux_no_new_privs" != "x1" && \
3592		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3593	test "x$have_seccomp_filter" != "x1" && \
3594		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3595	test "x$ac_cv_func_prctl" != "xyes" && \
3596		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3597	SANDBOX_STYLE="seccomp_filter"
3598	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3599elif test "x$sandbox_arg" = "xcapsicum" || \
3600     ( test -z "$sandbox_arg" && \
3601       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3602       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3603       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3604		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3605       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3606		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3607       SANDBOX_STYLE="capsicum"
3608       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3609elif test "x$sandbox_arg" = "xrlimit" || \
3610     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3611       test "x$select_works_with_rlimit" = "xyes" && \
3612       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3613	test "x$ac_cv_func_setrlimit" != "xyes" && \
3614		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3615	test "x$select_works_with_rlimit" != "xyes" && \
3616		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3617	SANDBOX_STYLE="rlimit"
3618	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3619elif test "x$sandbox_arg" = "xsolaris" || \
3620   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3621	SANDBOX_STYLE="solaris"
3622	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3623elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3624     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3625	SANDBOX_STYLE="none"
3626	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3627else
3628	AC_MSG_ERROR([unsupported --with-sandbox])
3629fi
3630
3631# Cheap hack to ensure NEWS-OS libraries are arranged right.
3632if test ! -z "$SONY" ; then
3633  LIBS="$LIBS -liberty";
3634fi
3635
3636# Check for  long long datatypes
3637AC_CHECK_TYPES([long long, unsigned long long, long double])
3638
3639# Check datatype sizes
3640AC_CHECK_SIZEOF([short int])
3641AC_CHECK_SIZEOF([int])
3642AC_CHECK_SIZEOF([long int])
3643AC_CHECK_SIZEOF([long long int])
3644
3645# Sanity check long long for some platforms (AIX)
3646if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3647	ac_cv_sizeof_long_long_int=0
3648fi
3649
3650# compute LLONG_MIN and LLONG_MAX if we don't know them.
3651if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3652	AC_MSG_CHECKING([for max value of long long])
3653	AC_RUN_IFELSE(
3654		[AC_LANG_PROGRAM([[
3655#include <stdio.h>
3656/* Why is this so damn hard? */
3657#ifdef __GNUC__
3658# undef __GNUC__
3659#endif
3660#define __USE_ISOC99
3661#include <limits.h>
3662#define DATA "conftest.llminmax"
3663#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3664
3665/*
3666 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3667 * we do this the hard way.
3668 */
3669static int
3670fprint_ll(FILE *f, long long n)
3671{
3672	unsigned int i;
3673	int l[sizeof(long long) * 8];
3674
3675	if (n < 0)
3676		if (fprintf(f, "-") < 0)
3677			return -1;
3678	for (i = 0; n != 0; i++) {
3679		l[i] = my_abs(n % 10);
3680		n /= 10;
3681	}
3682	do {
3683		if (fprintf(f, "%d", l[--i]) < 0)
3684			return -1;
3685	} while (i != 0);
3686	if (fprintf(f, " ") < 0)
3687		return -1;
3688	return 0;
3689}
3690		]], [[
3691	FILE *f;
3692	long long i, llmin, llmax = 0;
3693
3694	if((f = fopen(DATA,"w")) == NULL)
3695		exit(1);
3696
3697#if defined(LLONG_MIN) && defined(LLONG_MAX)
3698	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3699	llmin = LLONG_MIN;
3700	llmax = LLONG_MAX;
3701#else
3702	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3703	/* This will work on one's complement and two's complement */
3704	for (i = 1; i > llmax; i <<= 1, i++)
3705		llmax = i;
3706	llmin = llmax + 1LL;	/* wrap */
3707#endif
3708
3709	/* Sanity check */
3710	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3711	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3712	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3713		fprintf(f, "unknown unknown\n");
3714		exit(2);
3715	}
3716
3717	if (fprint_ll(f, llmin) < 0)
3718		exit(3);
3719	if (fprint_ll(f, llmax) < 0)
3720		exit(4);
3721	if (fclose(f) < 0)
3722		exit(5);
3723	exit(0);
3724		]])],
3725		[
3726			llong_min=`$AWK '{print $1}' conftest.llminmax`
3727			llong_max=`$AWK '{print $2}' conftest.llminmax`
3728
3729			AC_MSG_RESULT([$llong_max])
3730			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3731			    [max value of long long calculated by configure])
3732			AC_MSG_CHECKING([for min value of long long])
3733			AC_MSG_RESULT([$llong_min])
3734			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3735			    [min value of long long calculated by configure])
3736		],
3737		[
3738			AC_MSG_RESULT([not found])
3739		],
3740		[
3741			AC_MSG_WARN([cross compiling: not checking])
3742		]
3743	)
3744fi
3745
3746AC_CHECK_DECLS([UINT32_MAX], , , [[
3747#ifdef HAVE_SYS_LIMITS_H
3748# include <sys/limits.h>
3749#endif
3750#ifdef HAVE_LIMITS_H
3751# include <limits.h>
3752#endif
3753#ifdef HAVE_STDINT_H
3754# include <stdint.h>
3755#endif
3756]])
3757
3758# More checks for data types
3759AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3760	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3761	[[ u_int a; a = 1;]])],
3762	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3763	])
3764])
3765if test "x$ac_cv_have_u_int" = "xyes" ; then
3766	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3767	have_u_int=1
3768fi
3769
3770AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3771	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3772	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3773	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3774	])
3775])
3776if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3777	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3778	have_intxx_t=1
3779fi
3780
3781if (test -z "$have_intxx_t" && \
3782	   test "x$ac_cv_header_stdint_h" = "xyes")
3783then
3784    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3785	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3786	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3787		[
3788			AC_DEFINE([HAVE_INTXX_T])
3789			AC_MSG_RESULT([yes])
3790		], [ AC_MSG_RESULT([no])
3791	])
3792fi
3793
3794AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3795	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3796#include <sys/types.h>
3797#ifdef HAVE_STDINT_H
3798# include <stdint.h>
3799#endif
3800#include <sys/socket.h>
3801#ifdef HAVE_SYS_BITYPES_H
3802# include <sys/bitypes.h>
3803#endif
3804		]], [[
3805int64_t a; a = 1;
3806		]])],
3807	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3808	])
3809])
3810if test "x$ac_cv_have_int64_t" = "xyes" ; then
3811	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3812fi
3813
3814AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3815	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3816	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3817	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3818	])
3819])
3820if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3821	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3822	have_u_intxx_t=1
3823fi
3824
3825if test -z "$have_u_intxx_t" ; then
3826    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3827	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3828	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3829		[
3830			AC_DEFINE([HAVE_U_INTXX_T])
3831			AC_MSG_RESULT([yes])
3832		], [ AC_MSG_RESULT([no])
3833	])
3834fi
3835
3836AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3837	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3838	[[ u_int64_t a; a = 1;]])],
3839	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3840	])
3841])
3842if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3843	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3844	have_u_int64_t=1
3845fi
3846
3847if (test -z "$have_u_int64_t" && \
3848	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3849then
3850    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3851	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3852	[[ u_int64_t a; a = 1]])],
3853		[
3854			AC_DEFINE([HAVE_U_INT64_T])
3855			AC_MSG_RESULT([yes])
3856		], [ AC_MSG_RESULT([no])
3857	])
3858fi
3859
3860if test -z "$have_u_intxx_t" ; then
3861	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3862		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3863#include <sys/types.h>
3864			]], [[
3865	uint8_t a;
3866	uint16_t b;
3867	uint32_t c;
3868	a = b = c = 1;
3869			]])],
3870		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3871		])
3872	])
3873	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3874		AC_DEFINE([HAVE_UINTXX_T], [1],
3875			[define if you have uintxx_t data type])
3876	fi
3877fi
3878
3879if (test -z "$have_uintxx_t" && \
3880	   test "x$ac_cv_header_stdint_h" = "xyes")
3881then
3882    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3883	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3884	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3885		[
3886			AC_DEFINE([HAVE_UINTXX_T])
3887			AC_MSG_RESULT([yes])
3888		], [ AC_MSG_RESULT([no])
3889	])
3890fi
3891
3892if (test -z "$have_uintxx_t" && \
3893	   test "x$ac_cv_header_inttypes_h" = "xyes")
3894then
3895    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3896	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3897	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3898		[
3899			AC_DEFINE([HAVE_UINTXX_T])
3900			AC_MSG_RESULT([yes])
3901		], [ AC_MSG_RESULT([no])
3902	])
3903fi
3904
3905if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3906	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3907then
3908	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3909	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3910#include <sys/bitypes.h>
3911		]], [[
3912			int8_t a; int16_t b; int32_t c;
3913			u_int8_t e; u_int16_t f; u_int32_t g;
3914			a = b = c = e = f = g = 1;
3915		]])],
3916		[
3917			AC_DEFINE([HAVE_U_INTXX_T])
3918			AC_DEFINE([HAVE_INTXX_T])
3919			AC_MSG_RESULT([yes])
3920		], [AC_MSG_RESULT([no])
3921	])
3922fi
3923
3924
3925AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3926	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3927	[[ u_char foo; foo = 125; ]])],
3928	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3929	])
3930])
3931if test "x$ac_cv_have_u_char" = "xyes" ; then
3932	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3933fi
3934
3935AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3936#include <sys/types.h>
3937#ifdef HAVE_STDINT_H
3938# include <stdint.h>
3939#endif
3940])
3941
3942TYPE_SOCKLEN_T
3943
3944AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3945AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3946#include <sys/types.h>
3947#ifdef HAVE_SYS_BITYPES_H
3948#include <sys/bitypes.h>
3949#endif
3950#ifdef HAVE_SYS_STATFS_H
3951#include <sys/statfs.h>
3952#endif
3953#ifdef HAVE_SYS_STATVFS_H
3954#include <sys/statvfs.h>
3955#endif
3956])
3957
3958AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3959#include <sys/param.h>
3960#include <sys/types.h>
3961#ifdef HAVE_SYS_BITYPES_H
3962#include <sys/bitypes.h>
3963#endif
3964#ifdef HAVE_SYS_STATFS_H
3965#include <sys/statfs.h>
3966#endif
3967#ifdef HAVE_SYS_STATVFS_H
3968#include <sys/statvfs.h>
3969#endif
3970#ifdef HAVE_SYS_VFS_H
3971#include <sys/vfs.h>
3972#endif
3973#ifdef HAVE_SYS_MOUNT_H
3974#include <sys/mount.h>
3975#endif
3976]])
3977
3978
3979AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3980[#include <sys/types.h>
3981#include <netinet/in.h>])
3982
3983AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3984	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3985	[[ size_t foo; foo = 1235; ]])],
3986	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3987	])
3988])
3989if test "x$ac_cv_have_size_t" = "xyes" ; then
3990	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3991fi
3992
3993AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3994	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3995	[[ ssize_t foo; foo = 1235; ]])],
3996	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3997	])
3998])
3999if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4000	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4001fi
4002
4003AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4004	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4005	[[ clock_t foo; foo = 1235; ]])],
4006	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4007	])
4008])
4009if test "x$ac_cv_have_clock_t" = "xyes" ; then
4010	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4011fi
4012
4013AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4014	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4015#include <sys/types.h>
4016#include <sys/socket.h>
4017		]], [[ sa_family_t foo; foo = 1235; ]])],
4018	[ ac_cv_have_sa_family_t="yes" ],
4019	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4020#include <sys/types.h>
4021#include <sys/socket.h>
4022#include <netinet/in.h>
4023		]], [[ sa_family_t foo; foo = 1235; ]])],
4024		[ ac_cv_have_sa_family_t="yes" ],
4025		[ ac_cv_have_sa_family_t="no" ]
4026	)
4027	])
4028])
4029if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4030	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4031		[define if you have sa_family_t data type])
4032fi
4033
4034AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4035	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4036	[[ pid_t foo; foo = 1235; ]])],
4037	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4038	])
4039])
4040if test "x$ac_cv_have_pid_t" = "xyes" ; then
4041	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4042fi
4043
4044AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4045	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4046	[[ mode_t foo; foo = 1235; ]])],
4047	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4048	])
4049])
4050if test "x$ac_cv_have_mode_t" = "xyes" ; then
4051	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4052fi
4053
4054
4055AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4056	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4057#include <sys/types.h>
4058#include <sys/socket.h>
4059		]], [[ struct sockaddr_storage s; ]])],
4060	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4061	[ ac_cv_have_struct_sockaddr_storage="no"
4062	])
4063])
4064if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4065	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4066		[define if you have struct sockaddr_storage data type])
4067fi
4068
4069AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4070	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4071#include <sys/types.h>
4072#include <netinet/in.h>
4073		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4074	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4075	[ ac_cv_have_struct_sockaddr_in6="no"
4076	])
4077])
4078if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4079	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4080		[define if you have struct sockaddr_in6 data type])
4081fi
4082
4083AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4084	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4085#include <sys/types.h>
4086#include <netinet/in.h>
4087		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4088	[ ac_cv_have_struct_in6_addr="yes" ],
4089	[ ac_cv_have_struct_in6_addr="no"
4090	])
4091])
4092if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4093	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4094		[define if you have struct in6_addr data type])
4095
4096dnl Now check for sin6_scope_id
4097	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4098		[
4099#ifdef HAVE_SYS_TYPES_H
4100#include <sys/types.h>
4101#endif
4102#include <netinet/in.h>
4103		])
4104fi
4105
4106AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4107	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4108#include <sys/types.h>
4109#include <sys/socket.h>
4110#include <netdb.h>
4111		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4112	[ ac_cv_have_struct_addrinfo="yes" ],
4113	[ ac_cv_have_struct_addrinfo="no"
4114	])
4115])
4116if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4117	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4118		[define if you have struct addrinfo data type])
4119fi
4120
4121AC_HEADER_TIME
4122
4123AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4124	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4125	[[ struct timeval tv; tv.tv_sec = 1;]])],
4126	[ ac_cv_have_struct_timeval="yes" ],
4127	[ ac_cv_have_struct_timeval="no"
4128	])
4129])
4130if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4131	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4132	have_struct_timeval=1
4133fi
4134
4135AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4136	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4137    #ifdef TIME_WITH_SYS_TIME
4138    # include <sys/time.h>
4139    # include <time.h>
4140    #else
4141    # ifdef HAVE_SYS_TIME_H
4142    #  include <sys/time.h>
4143    # else
4144    #  include <time.h>
4145    # endif
4146    #endif
4147	]],
4148	[[ struct timespec ts; ts.tv_sec = 1;]])],
4149	[ ac_cv_have_struct_timespec="yes" ],
4150	[ ac_cv_have_struct_timespec="no"
4151	])
4152])
4153if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4154	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4155	have_struct_timespec=1
4156fi
4157
4158# We need int64_t or else certain parts of the compile will fail.
4159if test "x$ac_cv_have_int64_t" = "xno" && \
4160	test "x$ac_cv_sizeof_long_int" != "x8" && \
4161	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4162	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4163	echo "an alternative compiler (I.E., GCC) before continuing."
4164	echo ""
4165	exit 1;
4166else
4167dnl test snprintf (broken on SCO w/gcc)
4168	AC_RUN_IFELSE(
4169		[AC_LANG_SOURCE([[
4170#include <stdio.h>
4171#include <string.h>
4172#ifdef HAVE_SNPRINTF
4173main()
4174{
4175	char buf[50];
4176	char expected_out[50];
4177	int mazsize = 50 ;
4178#if (SIZEOF_LONG_INT == 8)
4179	long int num = 0x7fffffffffffffff;
4180#else
4181	long long num = 0x7fffffffffffffffll;
4182#endif
4183	strcpy(expected_out, "9223372036854775807");
4184	snprintf(buf, mazsize, "%lld", num);
4185	if(strcmp(buf, expected_out) != 0)
4186		exit(1);
4187	exit(0);
4188}
4189#else
4190main() { exit(0); }
4191#endif
4192		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4193		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4194	)
4195fi
4196
4197dnl Checks for structure members
4198OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4199OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4200OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4201OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4202OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4203OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4204OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4205OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4206OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4209OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4210OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4211OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4212OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4213OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4214OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4215OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4216
4217AC_CHECK_MEMBERS([struct stat.st_blksize])
4218AC_CHECK_MEMBERS([struct stat.st_mtim])
4219AC_CHECK_MEMBERS([struct stat.st_mtime])
4220AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4221struct passwd.pw_change, struct passwd.pw_expire],
4222[], [], [[
4223#include <sys/types.h>
4224#include <pwd.h>
4225]])
4226
4227AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4228	[Define if we don't have struct __res_state in resolv.h])],
4229[[
4230#include <stdio.h>
4231#if HAVE_SYS_TYPES_H
4232# include <sys/types.h>
4233#endif
4234#include <netinet/in.h>
4235#include <arpa/nameser.h>
4236#include <resolv.h>
4237]])
4238
4239AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4240		ac_cv_have_ss_family_in_struct_ss, [
4241	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4242#include <sys/types.h>
4243#include <sys/socket.h>
4244		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4245	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4246	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4247])
4248if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4249	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4250fi
4251
4252AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4253		ac_cv_have___ss_family_in_struct_ss, [
4254	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4255#include <sys/types.h>
4256#include <sys/socket.h>
4257		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4258	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4259	[ ac_cv_have___ss_family_in_struct_ss="no"
4260	])
4261])
4262if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4263	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4264		[Fields in struct sockaddr_storage])
4265fi
4266
4267dnl make sure we're using the real structure members and not defines
4268AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4269		ac_cv_have_accrights_in_msghdr, [
4270	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4271#include <sys/types.h>
4272#include <sys/socket.h>
4273#include <sys/uio.h>
4274		]], [[
4275#ifdef msg_accrights
4276#error "msg_accrights is a macro"
4277exit(1);
4278#endif
4279struct msghdr m;
4280m.msg_accrights = 0;
4281exit(0);
4282		]])],
4283		[ ac_cv_have_accrights_in_msghdr="yes" ],
4284		[ ac_cv_have_accrights_in_msghdr="no" ]
4285	)
4286])
4287if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4288	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4289		[Define if your system uses access rights style
4290		file descriptor passing])
4291fi
4292
4293AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4294AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4295#include <sys/param.h>
4296#include <sys/stat.h>
4297#ifdef HAVE_SYS_TIME_H
4298# include <sys/time.h>
4299#endif
4300#ifdef HAVE_SYS_MOUNT_H
4301#include <sys/mount.h>
4302#endif
4303#ifdef HAVE_SYS_STATVFS_H
4304#include <sys/statvfs.h>
4305#endif
4306	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4307	[ AC_MSG_RESULT([yes]) ],
4308	[ AC_MSG_RESULT([no])
4309
4310	AC_MSG_CHECKING([if fsid_t has member val])
4311	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4312#include <sys/types.h>
4313#include <sys/statvfs.h>
4314	]], [[ fsid_t t; t.val[0] = 0; ]])],
4315	[ AC_MSG_RESULT([yes])
4316	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4317	[ AC_MSG_RESULT([no]) ])
4318
4319	AC_MSG_CHECKING([if f_fsid has member __val])
4320	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4321#include <sys/types.h>
4322#include <sys/statvfs.h>
4323	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4324	[ AC_MSG_RESULT([yes])
4325	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4326	[ AC_MSG_RESULT([no]) ])
4327])
4328
4329AC_CACHE_CHECK([for msg_control field in struct msghdr],
4330		ac_cv_have_control_in_msghdr, [
4331	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4332#include <sys/types.h>
4333#include <sys/socket.h>
4334#include <sys/uio.h>
4335		]], [[
4336#ifdef msg_control
4337#error "msg_control is a macro"
4338exit(1);
4339#endif
4340struct msghdr m;
4341m.msg_control = 0;
4342exit(0);
4343		]])],
4344		[ ac_cv_have_control_in_msghdr="yes" ],
4345		[ ac_cv_have_control_in_msghdr="no" ]
4346	)
4347])
4348if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4349	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4350		[Define if your system uses ancillary data style
4351		file descriptor passing])
4352fi
4353
4354AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4355	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4356		[[ extern char *__progname; printf("%s", __progname); ]])],
4357	[ ac_cv_libc_defines___progname="yes" ],
4358	[ ac_cv_libc_defines___progname="no"
4359	])
4360])
4361if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4362	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4363fi
4364
4365AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4366	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4367		[[ printf("%s", __FUNCTION__); ]])],
4368	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4369	[ ac_cv_cc_implements___FUNCTION__="no"
4370	])
4371])
4372if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4373	AC_DEFINE([HAVE___FUNCTION__], [1],
4374		[Define if compiler implements __FUNCTION__])
4375fi
4376
4377AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4378	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4379		[[ printf("%s", __func__); ]])],
4380	[ ac_cv_cc_implements___func__="yes" ],
4381	[ ac_cv_cc_implements___func__="no"
4382	])
4383])
4384if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4385	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4386fi
4387
4388AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4389	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4390#include <stdarg.h>
4391va_list x,y;
4392		]], [[ va_copy(x,y); ]])],
4393	[ ac_cv_have_va_copy="yes" ],
4394	[ ac_cv_have_va_copy="no"
4395	])
4396])
4397if test "x$ac_cv_have_va_copy" = "xyes" ; then
4398	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4399fi
4400
4401AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4402	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4403#include <stdarg.h>
4404va_list x,y;
4405		]], [[ __va_copy(x,y); ]])],
4406	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4407	])
4408])
4409if test "x$ac_cv_have___va_copy" = "xyes" ; then
4410	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4411fi
4412
4413AC_CACHE_CHECK([whether getopt has optreset support],
4414		ac_cv_have_getopt_optreset, [
4415	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4416		[[ extern int optreset; optreset = 0; ]])],
4417	[ ac_cv_have_getopt_optreset="yes" ],
4418	[ ac_cv_have_getopt_optreset="no"
4419	])
4420])
4421if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4422	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4423		[Define if your getopt(3) defines and uses optreset])
4424fi
4425
4426AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4427	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4428[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4429	[ ac_cv_libc_defines_sys_errlist="yes" ],
4430	[ ac_cv_libc_defines_sys_errlist="no"
4431	])
4432])
4433if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4434	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4435		[Define if your system defines sys_errlist[]])
4436fi
4437
4438
4439AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4440	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4441[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4442	[ ac_cv_libc_defines_sys_nerr="yes" ],
4443	[ ac_cv_libc_defines_sys_nerr="no"
4444	])
4445])
4446if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4447	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4448fi
4449
4450# Check libraries needed by DNS fingerprint support
4451AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4452	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4453		[Define if getrrsetbyname() exists])],
4454	[
4455		# Needed by our getrrsetbyname()
4456		AC_SEARCH_LIBS([res_query], [resolv])
4457		AC_SEARCH_LIBS([dn_expand], [resolv])
4458		AC_MSG_CHECKING([if res_query will link])
4459		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4460#include <sys/types.h>
4461#include <netinet/in.h>
4462#include <arpa/nameser.h>
4463#include <netdb.h>
4464#include <resolv.h>
4465				]], [[
4466	res_query (0, 0, 0, 0, 0);
4467				]])],
4468		    AC_MSG_RESULT([yes]),
4469		   [AC_MSG_RESULT([no])
4470		    saved_LIBS="$LIBS"
4471		    LIBS="$LIBS -lresolv"
4472		    AC_MSG_CHECKING([for res_query in -lresolv])
4473		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4474#include <sys/types.h>
4475#include <netinet/in.h>
4476#include <arpa/nameser.h>
4477#include <netdb.h>
4478#include <resolv.h>
4479				]], [[
4480	res_query (0, 0, 0, 0, 0);
4481				]])],
4482			[AC_MSG_RESULT([yes])],
4483			[LIBS="$saved_LIBS"
4484			 AC_MSG_RESULT([no])])
4485		    ])
4486		AC_CHECK_FUNCS([_getshort _getlong])
4487		AC_CHECK_DECLS([_getshort, _getlong], , ,
4488		    [#include <sys/types.h>
4489		    #include <arpa/nameser.h>])
4490		AC_CHECK_MEMBER([HEADER.ad],
4491			[AC_DEFINE([HAVE_HEADER_AD], [1],
4492			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4493			[#include <arpa/nameser.h>])
4494	])
4495
4496AC_MSG_CHECKING([if struct __res_state _res is an extern])
4497AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4498#include <stdio.h>
4499#if HAVE_SYS_TYPES_H
4500# include <sys/types.h>
4501#endif
4502#include <netinet/in.h>
4503#include <arpa/nameser.h>
4504#include <resolv.h>
4505extern struct __res_state _res;
4506		]], [[
4507struct __res_state *volatile p = &_res;  /* force resolution of _res */
4508return 0;
4509		]],)],
4510		[AC_MSG_RESULT([yes])
4511		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4512		    [Define if you have struct __res_state _res as an extern])
4513		],
4514		[ AC_MSG_RESULT([no]) ]
4515)
4516
4517# Check whether user wants SELinux support
4518SELINUX_MSG="no"
4519LIBSELINUX=""
4520AC_ARG_WITH([selinux],
4521	[  --with-selinux          Enable SELinux support],
4522	[ if test "x$withval" != "xno" ; then
4523		save_LIBS="$LIBS"
4524		AC_DEFINE([WITH_SELINUX], [1],
4525			[Define if you want SELinux support.])
4526		SELINUX_MSG="yes"
4527		AC_CHECK_HEADER([selinux/selinux.h], ,
4528			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4529		AC_CHECK_LIB([selinux], [setexeccon],
4530			[ LIBSELINUX="-lselinux"
4531			  LIBS="$LIBS -lselinux"
4532			],
4533			AC_MSG_ERROR([SELinux support requires libselinux library]))
4534		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4535		LIBS="$save_LIBS $LIBSELINUX"
4536	fi ]
4537)
4538AC_SUBST([SSHDLIBS])
4539
4540# Check whether user wants Kerberos 5 support
4541KRB5_MSG="no"
4542AC_ARG_WITH([kerberos5],
4543	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4544	[ if test "x$withval" != "xno" ; then
4545		if test "x$withval" = "xyes" ; then
4546			KRB5ROOT="/usr/local"
4547		else
4548			KRB5ROOT=${withval}
4549		fi
4550
4551		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4552		KRB5_MSG="yes"
4553
4554		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4555			     [$KRB5ROOT/bin/krb5-config],
4556			     [$KRB5ROOT/bin:$PATH])
4557		if test -x $KRB5CONF ; then
4558			K5CFLAGS="`$KRB5CONF --cflags`"
4559			K5LIBS="`$KRB5CONF --libs`"
4560			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4561
4562			AC_MSG_CHECKING([for gssapi support])
4563			if $KRB5CONF | grep gssapi >/dev/null ; then
4564				AC_MSG_RESULT([yes])
4565				AC_DEFINE([GSSAPI], [1],
4566					[Define this if you want GSSAPI
4567					support in the version 2 protocol])
4568				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4569				GSSLIBS="`$KRB5CONF --libs gssapi`"
4570				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4571			else
4572				AC_MSG_RESULT([no])
4573			fi
4574			AC_MSG_CHECKING([whether we are using Heimdal])
4575			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4576				]], [[ char *tmp = heimdal_version; ]])],
4577				[ AC_MSG_RESULT([yes])
4578				AC_DEFINE([HEIMDAL], [1],
4579				[Define this if you are using the Heimdal
4580				version of Kerberos V5]) ],
4581				[AC_MSG_RESULT([no])
4582			])
4583		else
4584			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4585			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4586			AC_MSG_CHECKING([whether we are using Heimdal])
4587			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4588				]], [[ char *tmp = heimdal_version; ]])],
4589					[ AC_MSG_RESULT([yes])
4590					 AC_DEFINE([HEIMDAL])
4591					 K5LIBS="-lkrb5"
4592					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4593					 AC_CHECK_LIB([roken], [net_write],
4594					   [K5LIBS="$K5LIBS -lroken"])
4595					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4596					   [K5LIBS="$K5LIBS -ldes"])
4597				       ], [ AC_MSG_RESULT([no])
4598					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4599			])
4600			AC_SEARCH_LIBS([dn_expand], [resolv])
4601
4602			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4603				[ AC_DEFINE([GSSAPI])
4604				  GSSLIBS="-lgssapi_krb5" ],
4605				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4606					[ AC_DEFINE([GSSAPI])
4607					  GSSLIBS="-lgssapi" ],
4608					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4609						[ AC_DEFINE([GSSAPI])
4610						  GSSLIBS="-lgss" ],
4611						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4612					])
4613				])
4614
4615			AC_CHECK_HEADER([gssapi.h], ,
4616				[ unset ac_cv_header_gssapi_h
4617				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4618				  AC_CHECK_HEADERS([gssapi.h], ,
4619					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4620				  )
4621				]
4622			)
4623
4624			oldCPP="$CPPFLAGS"
4625			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4626			AC_CHECK_HEADER([gssapi_krb5.h], ,
4627					[ CPPFLAGS="$oldCPP" ])
4628
4629		fi
4630		if test -n "${rpath_opt}" ; then
4631			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4632		fi
4633		if test ! -z "$blibpath" ; then
4634			blibpath="$blibpath:${KRB5ROOT}/lib"
4635		fi
4636
4637		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4638		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4639		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4640
4641		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4642			[Define this if you want to use libkafs' AFS support])])
4643
4644		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4645#ifdef HAVE_GSSAPI_H
4646# include <gssapi.h>
4647#elif defined(HAVE_GSSAPI_GSSAPI_H)
4648# include <gssapi/gssapi.h>
4649#endif
4650
4651#ifdef HAVE_GSSAPI_GENERIC_H
4652# include <gssapi_generic.h>
4653#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4654# include <gssapi/gssapi_generic.h>
4655#endif
4656		]])
4657		saved_LIBS="$LIBS"
4658		LIBS="$LIBS $K5LIBS"
4659		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4660		LIBS="$saved_LIBS"
4661
4662	fi
4663	]
4664)
4665AC_SUBST([GSSLIBS])
4666AC_SUBST([K5LIBS])
4667
4668# Looking for programs, paths and files
4669
4670PRIVSEP_PATH=/var/empty
4671AC_ARG_WITH([privsep-path],
4672	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4673	[
4674		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4675		    test "x${withval}" != "xyes"; then
4676			PRIVSEP_PATH=$withval
4677		fi
4678	]
4679)
4680AC_SUBST([PRIVSEP_PATH])
4681
4682AC_ARG_WITH([xauth],
4683	[  --with-xauth=PATH       Specify path to xauth program ],
4684	[
4685		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4686		    test "x${withval}" != "xyes"; then
4687			xauth_path=$withval
4688		fi
4689	],
4690	[
4691		TestPath="$PATH"
4692		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4693		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4694		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4695		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4696		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4697		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4698			xauth_path="/usr/openwin/bin/xauth"
4699		fi
4700	]
4701)
4702
4703STRIP_OPT=-s
4704AC_ARG_ENABLE([strip],
4705	[  --disable-strip         Disable calling strip(1) on install],
4706	[
4707		if test "x$enableval" = "xno" ; then
4708			STRIP_OPT=
4709		fi
4710	]
4711)
4712AC_SUBST([STRIP_OPT])
4713
4714if test -z "$xauth_path" ; then
4715	XAUTH_PATH="undefined"
4716	AC_SUBST([XAUTH_PATH])
4717else
4718	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4719		[Define if xauth is found in your path])
4720	XAUTH_PATH=$xauth_path
4721	AC_SUBST([XAUTH_PATH])
4722fi
4723
4724dnl # --with-maildir=/path/to/mail gets top priority.
4725dnl # if maildir is set in the platform case statement above we use that.
4726dnl # Otherwise we run a program to get the dir from system headers.
4727dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4728dnl # If we find _PATH_MAILDIR we do nothing because that is what
4729dnl # session.c expects anyway. Otherwise we set to the value found
4730dnl # stripping any trailing slash. If for some strage reason our program
4731dnl # does not find what it needs, we default to /var/spool/mail.
4732# Check for mail directory
4733AC_ARG_WITH([maildir],
4734    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4735    [
4736	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4737	    test "x${withval}" != xyes; then
4738		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4739            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4740	    fi
4741     ],[
4742	if test "X$maildir" != "X"; then
4743	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4744	else
4745	    AC_MSG_CHECKING([Discovering system mail directory])
4746	    AC_RUN_IFELSE(
4747		[AC_LANG_PROGRAM([[
4748#include <stdio.h>
4749#include <string.h>
4750#ifdef HAVE_PATHS_H
4751#include <paths.h>
4752#endif
4753#ifdef HAVE_MAILLOCK_H
4754#include <maillock.h>
4755#endif
4756#define DATA "conftest.maildir"
4757	]], [[
4758	FILE *fd;
4759	int rc;
4760
4761	fd = fopen(DATA,"w");
4762	if(fd == NULL)
4763		exit(1);
4764
4765#if defined (_PATH_MAILDIR)
4766	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4767		exit(1);
4768#elif defined (MAILDIR)
4769	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4770		exit(1);
4771#elif defined (_PATH_MAIL)
4772	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4773		exit(1);
4774#else
4775	exit (2);
4776#endif
4777
4778	exit(0);
4779		]])],
4780		[
4781		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4782		    maildir=`awk -F: '{print $2}' conftest.maildir \
4783			| sed 's|/$||'`
4784		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4785		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4786			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4787		    fi
4788		],
4789		[
4790		    if test "X$ac_status" = "X2";then
4791# our test program didn't find it. Default to /var/spool/mail
4792			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4793			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4794		     else
4795			AC_MSG_RESULT([*** not found ***])
4796		     fi
4797		],
4798		[
4799			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4800		]
4801	    )
4802	fi
4803    ]
4804) # maildir
4805
4806if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4807	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4808	disable_ptmx_check=yes
4809fi
4810if test -z "$no_dev_ptmx" ; then
4811	if test "x$disable_ptmx_check" != "xyes" ; then
4812		AC_CHECK_FILE(["/dev/ptmx"],
4813			[
4814				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4815					[Define if you have /dev/ptmx])
4816				have_dev_ptmx=1
4817			]
4818		)
4819	fi
4820fi
4821
4822if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4823	AC_CHECK_FILE(["/dev/ptc"],
4824		[
4825			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4826				[Define if you have /dev/ptc])
4827			have_dev_ptc=1
4828		]
4829	)
4830else
4831	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4832fi
4833
4834# Options from here on. Some of these are preset by platform above
4835AC_ARG_WITH([mantype],
4836	[  --with-mantype=man|cat|doc  Set man page type],
4837	[
4838		case "$withval" in
4839		man|cat|doc)
4840			MANTYPE=$withval
4841			;;
4842		*)
4843			AC_MSG_ERROR([invalid man type: $withval])
4844			;;
4845		esac
4846	]
4847)
4848if test -z "$MANTYPE"; then
4849	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4850		MANTYPE=doc
4851	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4852		MANTYPE=doc
4853	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4854		MANTYPE=man
4855	else
4856		MANTYPE=cat
4857	fi
4858fi
4859AC_SUBST([MANTYPE])
4860if test "$MANTYPE" = "doc"; then
4861	mansubdir=man;
4862else
4863	mansubdir=$MANTYPE;
4864fi
4865AC_SUBST([mansubdir])
4866
4867# Check whether to enable MD5 passwords
4868MD5_MSG="no"
4869AC_ARG_WITH([md5-passwords],
4870	[  --with-md5-passwords    Enable use of MD5 passwords],
4871	[
4872		if test "x$withval" != "xno" ; then
4873			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4874				[Define if you want to allow MD5 passwords])
4875			MD5_MSG="yes"
4876		fi
4877	]
4878)
4879
4880# Whether to disable shadow password support
4881AC_ARG_WITH([shadow],
4882	[  --without-shadow        Disable shadow password support],
4883	[
4884		if test "x$withval" = "xno" ; then
4885			AC_DEFINE([DISABLE_SHADOW])
4886			disable_shadow=yes
4887		fi
4888	]
4889)
4890
4891if test -z "$disable_shadow" ; then
4892	AC_MSG_CHECKING([if the systems has expire shadow information])
4893	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4894#include <sys/types.h>
4895#include <shadow.h>
4896struct spwd sp;
4897		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4898		[ sp_expire_available=yes ], [
4899	])
4900
4901	if test "x$sp_expire_available" = "xyes" ; then
4902		AC_MSG_RESULT([yes])
4903		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4904		    [Define if you want to use shadow password expire field])
4905	else
4906		AC_MSG_RESULT([no])
4907	fi
4908fi
4909
4910# Use ip address instead of hostname in $DISPLAY
4911if test ! -z "$IPADDR_IN_DISPLAY" ; then
4912	DISPLAY_HACK_MSG="yes"
4913	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4914		[Define if you need to use IP address
4915		instead of hostname in $DISPLAY])
4916else
4917	DISPLAY_HACK_MSG="no"
4918	AC_ARG_WITH([ipaddr-display],
4919		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4920		[
4921			if test "x$withval" != "xno" ; then
4922				AC_DEFINE([IPADDR_IN_DISPLAY])
4923				DISPLAY_HACK_MSG="yes"
4924			fi
4925		]
4926	)
4927fi
4928
4929# check for /etc/default/login and use it if present.
4930AC_ARG_ENABLE([etc-default-login],
4931	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4932	[ if test "x$enableval" = "xno"; then
4933		AC_MSG_NOTICE([/etc/default/login handling disabled])
4934		etc_default_login=no
4935	  else
4936		etc_default_login=yes
4937	  fi ],
4938	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4939	  then
4940		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4941		etc_default_login=no
4942	  else
4943		etc_default_login=yes
4944	  fi ]
4945)
4946
4947if test "x$etc_default_login" != "xno"; then
4948	AC_CHECK_FILE(["/etc/default/login"],
4949	    [ external_path_file=/etc/default/login ])
4950	if test "x$external_path_file" = "x/etc/default/login"; then
4951		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4952			[Define if your system has /etc/default/login])
4953	fi
4954fi
4955
4956dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4957if test $ac_cv_func_login_getcapbool = "yes" && \
4958	test $ac_cv_header_login_cap_h = "yes" ; then
4959	external_path_file=/etc/login.conf
4960fi
4961
4962# Whether to mess with the default path
4963SERVER_PATH_MSG="(default)"
4964AC_ARG_WITH([default-path],
4965	[  --with-default-path=    Specify default $PATH environment for server],
4966	[
4967		if test "x$external_path_file" = "x/etc/login.conf" ; then
4968			AC_MSG_WARN([
4969--with-default-path=PATH has no effect on this system.
4970Edit /etc/login.conf instead.])
4971		elif test "x$withval" != "xno" ; then
4972			if test ! -z "$external_path_file" ; then
4973				AC_MSG_WARN([
4974--with-default-path=PATH will only be used if PATH is not defined in
4975$external_path_file .])
4976			fi
4977			user_path="$withval"
4978			SERVER_PATH_MSG="$withval"
4979		fi
4980	],
4981	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4982		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4983	else
4984		if test ! -z "$external_path_file" ; then
4985			AC_MSG_WARN([
4986If PATH is defined in $external_path_file, ensure the path to scp is included,
4987otherwise scp will not work.])
4988		fi
4989		AC_RUN_IFELSE(
4990			[AC_LANG_PROGRAM([[
4991/* find out what STDPATH is */
4992#include <stdio.h>
4993#ifdef HAVE_PATHS_H
4994# include <paths.h>
4995#endif
4996#ifndef _PATH_STDPATH
4997# ifdef _PATH_USERPATH	/* Irix */
4998#  define _PATH_STDPATH _PATH_USERPATH
4999# else
5000#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5001# endif
5002#endif
5003#include <sys/types.h>
5004#include <sys/stat.h>
5005#include <fcntl.h>
5006#define DATA "conftest.stdpath"
5007			]], [[
5008	FILE *fd;
5009	int rc;
5010
5011	fd = fopen(DATA,"w");
5012	if(fd == NULL)
5013		exit(1);
5014
5015	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5016		exit(1);
5017
5018	exit(0);
5019		]])],
5020		[ user_path=`cat conftest.stdpath` ],
5021		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5022		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5023	)
5024# make sure $bindir is in USER_PATH so scp will work
5025		t_bindir="${bindir}"
5026		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5027			t_bindir=`eval echo ${t_bindir}`
5028			case $t_bindir in
5029				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5030			esac
5031			case $t_bindir in
5032				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5033			esac
5034		done
5035		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5036		if test $? -ne 0  ; then
5037			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5038			if test $? -ne 0  ; then
5039				user_path=$user_path:$t_bindir
5040				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5041			fi
5042		fi
5043	fi ]
5044)
5045if test "x$external_path_file" != "x/etc/login.conf" ; then
5046	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5047	AC_SUBST([user_path])
5048fi
5049
5050# Set superuser path separately to user path
5051AC_ARG_WITH([superuser-path],
5052	[  --with-superuser-path=  Specify different path for super-user],
5053	[
5054		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5055		    test "x${withval}" != "xyes"; then
5056			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5057				[Define if you want a different $PATH
5058				for the superuser])
5059			superuser_path=$withval
5060		fi
5061	]
5062)
5063
5064
5065AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5066IPV4_IN6_HACK_MSG="no"
5067AC_ARG_WITH(4in6,
5068	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5069	[
5070		if test "x$withval" != "xno" ; then
5071			AC_MSG_RESULT([yes])
5072			AC_DEFINE([IPV4_IN_IPV6], [1],
5073				[Detect IPv4 in IPv6 mapped addresses
5074				and treat as IPv4])
5075			IPV4_IN6_HACK_MSG="yes"
5076		else
5077			AC_MSG_RESULT([no])
5078		fi
5079	], [
5080		if test "x$inet6_default_4in6" = "xyes"; then
5081			AC_MSG_RESULT([yes (default)])
5082			AC_DEFINE([IPV4_IN_IPV6])
5083			IPV4_IN6_HACK_MSG="yes"
5084		else
5085			AC_MSG_RESULT([no (default)])
5086		fi
5087	]
5088)
5089
5090# Whether to enable BSD auth support
5091BSD_AUTH_MSG=no
5092AC_ARG_WITH([bsd-auth],
5093	[  --with-bsd-auth         Enable BSD auth support],
5094	[
5095		if test "x$withval" != "xno" ; then
5096			AC_DEFINE([BSD_AUTH], [1],
5097				[Define if you have BSD auth support])
5098			BSD_AUTH_MSG=yes
5099		fi
5100	]
5101)
5102
5103# Where to place sshd.pid
5104piddir=/var/run
5105# make sure the directory exists
5106if test ! -d $piddir ; then
5107	piddir=`eval echo ${sysconfdir}`
5108	case $piddir in
5109		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5110	esac
5111fi
5112
5113AC_ARG_WITH([pid-dir],
5114	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5115	[
5116		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5117		    test "x${withval}" != "xyes"; then
5118			piddir=$withval
5119			if test ! -d $piddir ; then
5120			AC_MSG_WARN([** no $piddir directory on this system **])
5121			fi
5122		fi
5123	]
5124)
5125
5126AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5127	[Specify location of ssh.pid])
5128AC_SUBST([piddir])
5129
5130dnl allow user to disable some login recording features
5131AC_ARG_ENABLE([lastlog],
5132	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5133	[
5134		if test "x$enableval" = "xno" ; then
5135			AC_DEFINE([DISABLE_LASTLOG])
5136		fi
5137	]
5138)
5139AC_ARG_ENABLE([utmp],
5140	[  --disable-utmp          disable use of utmp even if detected [no]],
5141	[
5142		if test "x$enableval" = "xno" ; then
5143			AC_DEFINE([DISABLE_UTMP])
5144		fi
5145	]
5146)
5147AC_ARG_ENABLE([utmpx],
5148	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5149	[
5150		if test "x$enableval" = "xno" ; then
5151			AC_DEFINE([DISABLE_UTMPX], [1],
5152				[Define if you don't want to use utmpx])
5153		fi
5154	]
5155)
5156AC_ARG_ENABLE([wtmp],
5157	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5158	[
5159		if test "x$enableval" = "xno" ; then
5160			AC_DEFINE([DISABLE_WTMP])
5161		fi
5162	]
5163)
5164AC_ARG_ENABLE([wtmpx],
5165	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5166	[
5167		if test "x$enableval" = "xno" ; then
5168			AC_DEFINE([DISABLE_WTMPX], [1],
5169				[Define if you don't want to use wtmpx])
5170		fi
5171	]
5172)
5173AC_ARG_ENABLE([libutil],
5174	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5175	[
5176		if test "x$enableval" = "xno" ; then
5177			AC_DEFINE([DISABLE_LOGIN])
5178		fi
5179	]
5180)
5181AC_ARG_ENABLE([pututline],
5182	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5183	[
5184		if test "x$enableval" = "xno" ; then
5185			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5186				[Define if you don't want to use pututline()
5187				etc. to write [uw]tmp])
5188		fi
5189	]
5190)
5191AC_ARG_ENABLE([pututxline],
5192	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5193	[
5194		if test "x$enableval" = "xno" ; then
5195			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5196				[Define if you don't want to use pututxline()
5197				etc. to write [uw]tmpx])
5198		fi
5199	]
5200)
5201AC_ARG_WITH([lastlog],
5202  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5203	[
5204		if test "x$withval" = "xno" ; then
5205			AC_DEFINE([DISABLE_LASTLOG])
5206		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5207			conf_lastlog_location=$withval
5208		fi
5209	]
5210)
5211
5212dnl lastlog, [uw]tmpx? detection
5213dnl  NOTE: set the paths in the platform section to avoid the
5214dnl   need for command-line parameters
5215dnl lastlog and [uw]tmp are subject to a file search if all else fails
5216
5217dnl lastlog detection
5218dnl  NOTE: the code itself will detect if lastlog is a directory
5219AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5220AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5221#include <sys/types.h>
5222#include <utmp.h>
5223#ifdef HAVE_LASTLOG_H
5224#  include <lastlog.h>
5225#endif
5226#ifdef HAVE_PATHS_H
5227#  include <paths.h>
5228#endif
5229#ifdef HAVE_LOGIN_H
5230# include <login.h>
5231#endif
5232	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5233		[ AC_MSG_RESULT([yes]) ],
5234		[
5235		AC_MSG_RESULT([no])
5236		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5237		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5238#include <sys/types.h>
5239#include <utmp.h>
5240#ifdef HAVE_LASTLOG_H
5241#  include <lastlog.h>
5242#endif
5243#ifdef HAVE_PATHS_H
5244#  include <paths.h>
5245#endif
5246		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5247		[ AC_MSG_RESULT([yes]) ],
5248		[
5249			AC_MSG_RESULT([no])
5250			system_lastlog_path=no
5251		])
5252])
5253
5254if test -z "$conf_lastlog_location"; then
5255	if test x"$system_lastlog_path" = x"no" ; then
5256		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5257				if (test -d "$f" || test -f "$f") ; then
5258					conf_lastlog_location=$f
5259				fi
5260		done
5261		if test -z "$conf_lastlog_location"; then
5262			AC_MSG_WARN([** Cannot find lastlog **])
5263			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5264		fi
5265	fi
5266fi
5267
5268if test -n "$conf_lastlog_location"; then
5269	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5270		[Define if you want to specify the path to your lastlog file])
5271fi
5272
5273dnl utmp detection
5274AC_MSG_CHECKING([if your system defines UTMP_FILE])
5275AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5276#include <sys/types.h>
5277#include <utmp.h>
5278#ifdef HAVE_PATHS_H
5279#  include <paths.h>
5280#endif
5281	]], [[ char *utmp = UTMP_FILE; ]])],
5282	[ AC_MSG_RESULT([yes]) ],
5283	[ AC_MSG_RESULT([no])
5284	  system_utmp_path=no
5285])
5286if test -z "$conf_utmp_location"; then
5287	if test x"$system_utmp_path" = x"no" ; then
5288		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5289			if test -f $f ; then
5290				conf_utmp_location=$f
5291			fi
5292		done
5293		if test -z "$conf_utmp_location"; then
5294			AC_DEFINE([DISABLE_UTMP])
5295		fi
5296	fi
5297fi
5298if test -n "$conf_utmp_location"; then
5299	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5300		[Define if you want to specify the path to your utmp file])
5301fi
5302
5303dnl wtmp detection
5304AC_MSG_CHECKING([if your system defines WTMP_FILE])
5305AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5306#include <sys/types.h>
5307#include <utmp.h>
5308#ifdef HAVE_PATHS_H
5309#  include <paths.h>
5310#endif
5311	]], [[ char *wtmp = WTMP_FILE; ]])],
5312	[ AC_MSG_RESULT([yes]) ],
5313	[ AC_MSG_RESULT([no])
5314	  system_wtmp_path=no
5315])
5316if test -z "$conf_wtmp_location"; then
5317	if test x"$system_wtmp_path" = x"no" ; then
5318		for f in /usr/adm/wtmp /var/log/wtmp; do
5319			if test -f $f ; then
5320				conf_wtmp_location=$f
5321			fi
5322		done
5323		if test -z "$conf_wtmp_location"; then
5324			AC_DEFINE([DISABLE_WTMP])
5325		fi
5326	fi
5327fi
5328if test -n "$conf_wtmp_location"; then
5329	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5330		[Define if you want to specify the path to your wtmp file])
5331fi
5332
5333dnl wtmpx detection
5334AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5335AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5336#include <sys/types.h>
5337#include <utmp.h>
5338#ifdef HAVE_UTMPX_H
5339#include <utmpx.h>
5340#endif
5341#ifdef HAVE_PATHS_H
5342#  include <paths.h>
5343#endif
5344	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5345	[ AC_MSG_RESULT([yes]) ],
5346	[ AC_MSG_RESULT([no])
5347	  system_wtmpx_path=no
5348])
5349if test -z "$conf_wtmpx_location"; then
5350	if test x"$system_wtmpx_path" = x"no" ; then
5351		AC_DEFINE([DISABLE_WTMPX])
5352	fi
5353else
5354	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5355		[Define if you want to specify the path to your wtmpx file])
5356fi
5357
5358
5359if test ! -z "$blibpath" ; then
5360	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5361	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5362fi
5363
5364AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5365    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5366	AC_DEFINE([DISABLE_LASTLOG])
5367    fi
5368	], [
5369#ifdef HAVE_SYS_TYPES_H
5370#include <sys/types.h>
5371#endif
5372#ifdef HAVE_UTMP_H
5373#include <utmp.h>
5374#endif
5375#ifdef HAVE_UTMPX_H
5376#include <utmpx.h>
5377#endif
5378#ifdef HAVE_LASTLOG_H
5379#include <lastlog.h>
5380#endif
5381	])
5382
5383AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5384	AC_DEFINE([DISABLE_UTMP])
5385	AC_DEFINE([DISABLE_WTMP])
5386	], [
5387#ifdef HAVE_SYS_TYPES_H
5388#include <sys/types.h>
5389#endif
5390#ifdef HAVE_UTMP_H
5391#include <utmp.h>
5392#endif
5393#ifdef HAVE_UTMPX_H
5394#include <utmpx.h>
5395#endif
5396#ifdef HAVE_LASTLOG_H
5397#include <lastlog.h>
5398#endif
5399	])
5400
5401dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5402dnl Add now.
5403CFLAGS="$CFLAGS $werror_flags"
5404
5405if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5406	TEST_SSH_IPV6=no
5407else
5408	TEST_SSH_IPV6=yes
5409fi
5410AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5411AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5412AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5413AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5414AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5415AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5416
5417CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5418LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5419
5420# Make a copy of CFLAGS/LDFLAGS without PIE options.
5421LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5422CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5423AC_SUBST([LDFLAGS_NOPIE])
5424AC_SUBST([CFLAGS_NOPIE])
5425
5426AC_EXEEXT
5427AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5428	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5429	survey.sh])
5430AC_OUTPUT
5431
5432# Print summary of options
5433
5434# Someone please show me a better way :)
5435A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5436B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5437C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5438D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5439E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5440F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5441G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5442H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5443I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5444J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5445
5446echo ""
5447echo "OpenSSH has been configured with the following options:"
5448echo "                     User binaries: $B"
5449echo "                   System binaries: $C"
5450echo "               Configuration files: $D"
5451echo "                   Askpass program: $E"
5452echo "                      Manual pages: $F"
5453echo "                          PID file: $G"
5454echo "  Privilege separation chroot path: $H"
5455if test "x$external_path_file" = "x/etc/login.conf" ; then
5456echo "   At runtime, sshd will use the path defined in $external_path_file"
5457echo "   Make sure the path to scp is present, otherwise scp will not work"
5458else
5459echo "            sshd default user PATH: $I"
5460	if test ! -z "$external_path_file"; then
5461echo "   (If PATH is set in $external_path_file it will be used instead. If"
5462echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5463	fi
5464fi
5465if test ! -z "$superuser_path" ; then
5466echo "          sshd superuser user PATH: $J"
5467fi
5468echo "                    Manpage format: $MANTYPE"
5469echo "                       PAM support: $PAM_MSG"
5470echo "                   OSF SIA support: $SIA_MSG"
5471echo "                 KerberosV support: $KRB5_MSG"
5472echo "                   SELinux support: $SELINUX_MSG"
5473echo "              MD5 password support: $MD5_MSG"
5474echo "                   libedit support: $LIBEDIT_MSG"
5475echo "                   libldns support: $LDNS_MSG"
5476echo "  Solaris process contract support: $SPC_MSG"
5477echo "           Solaris project support: $SP_MSG"
5478echo "         Solaris privilege support: $SPP_MSG"
5479echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5480echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5481echo "                  BSD Auth support: $BSD_AUTH_MSG"
5482echo "              Random number source: $RAND_MSG"
5483echo "             Privsep sandbox style: $SANDBOX_STYLE"
5484echo "                   PKCS#11 support: $enable_pkcs11"
5485echo "                  U2F/FIDO support: $enable_sk"
5486
5487echo ""
5488
5489echo "              Host: ${host}"
5490echo "          Compiler: ${CC}"
5491echo "    Compiler flags: ${CFLAGS}"
5492echo "Preprocessor flags: ${CPPFLAGS}"
5493echo "      Linker flags: ${LDFLAGS}"
5494echo "         Libraries: ${LIBS}"
5495if test ! -z "${SSHDLIBS}"; then
5496echo "         +for sshd: ${SSHDLIBS}"
5497fi
5498
5499echo ""
5500
5501if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5502	echo "SVR4 style packages are supported with \"make package\""
5503	echo ""
5504fi
5505
5506if test "x$PAM_MSG" = "xyes" ; then
5507	echo "PAM is enabled. You may need to install a PAM control file "
5508	echo "for sshd, otherwise password authentication may fail. "
5509	echo "Example PAM control files can be found in the contrib/ "
5510	echo "subdirectory"
5511	echo ""
5512fi
5513
5514if test ! -z "$NO_PEERCHECK" ; then
5515	echo "WARNING: the operating system that you are using does not"
5516	echo "appear to support getpeereid(), getpeerucred() or the"
5517	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5518	echo "enforce security checks to prevent unauthorised connections to"
5519	echo "ssh-agent. Their absence increases the risk that a malicious"
5520	echo "user can connect to your agent."
5521	echo ""
5522fi
5523
5524if test "$AUDIT_MODULE" = "bsm" ; then
5525	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5526	echo "See the Solaris section in README.platform for details."
5527fi
5528