xref: /openssh-portable/configure.ac (revision ce178be0)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_SRCDIR([ssh.c])
18AC_LANG([C])
19
20AC_CONFIG_HEADER([config.h])
21AC_PROG_CC([cc gcc])
22AC_CANONICAL_HOST
23AC_C_BIGENDIAN
24
25# Checks for programs.
26AC_PROG_AWK
27AC_PROG_CPP
28AC_PROG_RANLIB
29AC_PROG_INSTALL
30AC_PROG_EGREP
31AC_PROG_MKDIR_P
32AC_CHECK_TOOLS([AR], [ar])
33AC_PATH_PROG([CAT], [cat])
34AC_PATH_PROG([KILL], [kill])
35AC_PATH_PROG([SED], [sed])
36AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
37AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
38AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
39AC_PATH_PROG([SH], [sh])
40AC_PATH_PROG([GROFF], [groff])
41AC_PATH_PROG([NROFF], [nroff awf])
42AC_PATH_PROG([MANDOC], [mandoc])
43AC_SUBST([TEST_SHELL], [sh])
44
45dnl select manpage formatter to be used to build "cat" format pages.
46if test "x$MANDOC" != "x" ; then
47	MANFMT="$MANDOC"
48elif test "x$NROFF" != "x" ; then
49	MANFMT="$NROFF -mandoc"
50elif test "x$GROFF" != "x" ; then
51	MANFMT="$GROFF -mandoc -Tascii"
52else
53	AC_MSG_WARN([no manpage formatter found])
54	MANFMT="false"
55fi
56AC_SUBST([MANFMT])
57
58dnl for buildpkg.sh
59AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
60	[/usr/sbin${PATH_SEPARATOR}/etc])
61AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
62	[/usr/sbin${PATH_SEPARATOR}/etc])
63AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
64if test -x /sbin/sh; then
65	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
66else
67	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
68fi
69
70# System features
71AC_SYS_LARGEFILE
72
73if test -z "$AR" ; then
74	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
75fi
76
77AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
78if test ! -z "$PATH_PASSWD_PROG" ; then
79	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
80		[Full path of your "passwd" program])
81fi
82
83dnl Since autoconf doesn't support it very well,  we no longer allow users to
84dnl override LD, however keeping the hook here for now in case there's a use
85dnl use case we overlooked and someone needs to re-enable it.  Unless a good
86dnl reason is found we'll be removing this in future.
87LD="$CC"
88AC_SUBST([LD])
89
90AC_C_INLINE
91
92AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
93AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
94AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
95	#include <sys/types.h>
96	#include <sys/param.h>
97	#include <dev/systrace.h>
98])
99AC_CHECK_DECL([RLIMIT_NPROC],
100    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
101	#include <sys/types.h>
102	#include <sys/resource.h>
103])
104AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
105	#include <sys/types.h>
106	#include <linux/prctl.h>
107])
108
109openssl=yes
110AC_ARG_WITH([openssl],
111	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
112	[  if test "x$withval" = "xno" ; then
113		openssl=no
114	   fi
115	]
116)
117AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
118if test "x$openssl" = "xyes" ; then
119	AC_MSG_RESULT([yes])
120	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
121else
122	AC_MSG_RESULT([no])
123fi
124
125use_stack_protector=1
126use_toolchain_hardening=1
127AC_ARG_WITH([stackprotect],
128    [  --without-stackprotect  Don't use compiler's stack protection], [
129    if test "x$withval" = "xno"; then
130	use_stack_protector=0
131    fi ])
132AC_ARG_WITH([hardening],
133    [  --without-hardening     Don't use toolchain hardening flags], [
134    if test "x$withval" = "xno"; then
135	use_toolchain_hardening=0
136    fi ])
137
138# We use -Werror for the tests only so that we catch warnings like "this is
139# on by default" for things like -fPIE.
140AC_MSG_CHECKING([if $CC supports -Werror])
141saved_CFLAGS="$CFLAGS"
142CFLAGS="$CFLAGS -Werror"
143AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
144	[ AC_MSG_RESULT([yes])
145	  WERROR="-Werror"],
146	[ AC_MSG_RESULT([no])
147	  WERROR="" ]
148)
149CFLAGS="$saved_CFLAGS"
150
151if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
152	OSSH_CHECK_CFLAG_COMPILE([-pipe])
153	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
154	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
155	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
156	OSSH_CHECK_CFLAG_COMPILE([-Wall])
157	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
158	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
159	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
160	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
161	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
162	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
163	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
164	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
165	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
166	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
167	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
168    if test "x$use_toolchain_hardening" = "x1"; then
169	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
170	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
171	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
172	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
173	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
174	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
175	# NB. -ftrapv expects certain support functions to be present in
176	# the compiler library (libgcc or similar) to detect integer operations
177	# that can overflow. We must check that the result of enabling it
178	# actually links. The test program compiled/linked includes a number
179	# of integer operations that should exercise this.
180	OSSH_CHECK_CFLAG_LINK([-ftrapv])
181    fi
182	AC_MSG_CHECKING([gcc version])
183	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
184	case $GCC_VER in
185		1.*) no_attrib_nonnull=1 ;;
186		2.8* | 2.9*)
187		     no_attrib_nonnull=1
188		     ;;
189		2.*) no_attrib_nonnull=1 ;;
190		*) ;;
191	esac
192	AC_MSG_RESULT([$GCC_VER])
193
194	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
195	saved_CFLAGS="$CFLAGS"
196	CFLAGS="$CFLAGS -fno-builtin-memset"
197	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
198			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
199		[ AC_MSG_RESULT([yes]) ],
200		[ AC_MSG_RESULT([no])
201		  CFLAGS="$saved_CFLAGS" ]
202	)
203
204	# -fstack-protector-all doesn't always work for some GCC versions
205	# and/or platforms, so we test if we can.  If it's not supported
206	# on a given platform gcc will emit a warning so we use -Werror.
207	if test "x$use_stack_protector" = "x1"; then
208	    for t in -fstack-protector-strong -fstack-protector-all \
209		    -fstack-protector; do
210		AC_MSG_CHECKING([if $CC supports $t])
211		saved_CFLAGS="$CFLAGS"
212		saved_LDFLAGS="$LDFLAGS"
213		CFLAGS="$CFLAGS $t -Werror"
214		LDFLAGS="$LDFLAGS $t -Werror"
215		AC_LINK_IFELSE(
216			[AC_LANG_PROGRAM([[
217	#include <stdio.h>
218	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
219			 ]],
220			[[
221	char x[256];
222	snprintf(x, sizeof(x), "XXX%d", func(1));
223			 ]])],
224		    [ AC_MSG_RESULT([yes])
225		      CFLAGS="$saved_CFLAGS $t"
226		      LDFLAGS="$saved_LDFLAGS $t"
227		      AC_MSG_CHECKING([if $t works])
228		      AC_RUN_IFELSE(
229			[AC_LANG_PROGRAM([[
230	#include <stdio.h>
231	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
232			]],
233			[[
234	char x[256];
235	snprintf(x, sizeof(x), "XXX%d", func(1));
236			]])],
237			[ AC_MSG_RESULT([yes])
238			  break ],
239			[ AC_MSG_RESULT([no]) ],
240			[ AC_MSG_WARN([cross compiling: cannot test])
241			  break ]
242		      )
243		    ],
244		    [ AC_MSG_RESULT([no]) ]
245		)
246		CFLAGS="$saved_CFLAGS"
247		LDFLAGS="$saved_LDFLAGS"
248	    done
249	fi
250
251	if test -z "$have_llong_max"; then
252		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
253		unset ac_cv_have_decl_LLONG_MAX
254		saved_CFLAGS="$CFLAGS"
255		CFLAGS="$CFLAGS -std=gnu99"
256		AC_CHECK_DECL([LLONG_MAX],
257		    [have_llong_max=1],
258		    [CFLAGS="$saved_CFLAGS"],
259		    [#include <limits.h>]
260		)
261	fi
262fi
263
264AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
265AC_COMPILE_IFELSE(
266    [AC_LANG_PROGRAM([[
267#include <stdlib.h>
268__attribute__((__unused__)) static void foo(void){return;}]],
269    [[ exit(0); ]])],
270    [ AC_MSG_RESULT([yes]) ],
271    [ AC_MSG_RESULT([no])
272      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
273	 [compiler does not accept __attribute__ on return types]) ]
274)
275
276AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
277AC_COMPILE_IFELSE(
278    [AC_LANG_PROGRAM([[
279#include <stdlib.h>
280typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
281    [[ exit(0); ]])],
282    [ AC_MSG_RESULT([yes]) ],
283    [ AC_MSG_RESULT([no])
284      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
285	 [compiler does not accept __attribute__ on prototype args]) ]
286)
287
288if test "x$no_attrib_nonnull" != "x1" ; then
289	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
290fi
291
292AC_ARG_WITH([rpath],
293	[  --without-rpath         Disable auto-added -R linker paths],
294	[
295		if test "x$withval" = "xno" ; then
296			rpath_opt=""
297		elif test "x$withval" = "xyes" ; then
298			rpath_opt="-R"
299		else
300			rpath_opt="$withval"
301		fi
302	]
303)
304
305# Allow user to specify flags
306AC_ARG_WITH([cflags],
307	[  --with-cflags           Specify additional flags to pass to compiler],
308	[
309		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
310		    test "x${withval}" != "xyes"; then
311			CFLAGS="$CFLAGS $withval"
312		fi
313	]
314)
315
316AC_ARG_WITH([cflags-after],
317	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
318	[
319		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
320		    test "x${withval}" != "xyes"; then
321			CFLAGS_AFTER="$withval"
322		fi
323	]
324)
325AC_ARG_WITH([cppflags],
326	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
327	[
328		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
329		    test "x${withval}" != "xyes"; then
330			CPPFLAGS="$CPPFLAGS $withval"
331		fi
332	]
333)
334AC_ARG_WITH([ldflags],
335	[  --with-ldflags          Specify additional flags to pass to linker],
336	[
337		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
338		    test "x${withval}" != "xyes"; then
339			LDFLAGS="$LDFLAGS $withval"
340		fi
341	]
342)
343AC_ARG_WITH([ldflags-after],
344	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
345	[
346		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
347		    test "x${withval}" != "xyes"; then
348			LDFLAGS_AFTER="$withval"
349		fi
350	]
351)
352AC_ARG_WITH([libs],
353	[  --with-libs             Specify additional libraries to link with],
354	[
355		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
356		    test "x${withval}" != "xyes"; then
357			LIBS="$LIBS $withval"
358		fi
359	]
360)
361AC_ARG_WITH([Werror],
362	[  --with-Werror           Build main code with -Werror],
363	[
364		if test -n "$withval"  &&  test "x$withval" != "xno"; then
365			werror_flags="-Werror"
366			if test "x${withval}" != "xyes"; then
367				werror_flags="$withval"
368			fi
369		fi
370	]
371)
372
373AC_CHECK_HEADERS([ \
374	blf.h \
375	bstring.h \
376	crypt.h \
377	crypto/sha2.h \
378	dirent.h \
379	endian.h \
380	elf.h \
381	err.h \
382	features.h \
383	fcntl.h \
384	floatingpoint.h \
385	fnmatch.h \
386	getopt.h \
387	glob.h \
388	ia.h \
389	iaf.h \
390	ifaddrs.h \
391	inttypes.h \
392	langinfo.h \
393	limits.h \
394	locale.h \
395	login.h \
396	maillock.h \
397	ndir.h \
398	net/if_tun.h \
399	netdb.h \
400	netgroup.h \
401	pam/pam_appl.h \
402	paths.h \
403	poll.h \
404	pty.h \
405	readpassphrase.h \
406	rpc/types.h \
407	security/pam_appl.h \
408	sha2.h \
409	shadow.h \
410	stddef.h \
411	stdint.h \
412	string.h \
413	strings.h \
414	sys/bitypes.h \
415	sys/byteorder.h \
416	sys/bsdtty.h \
417	sys/cdefs.h \
418	sys/dir.h \
419	sys/file.h \
420	sys/mman.h \
421	sys/label.h \
422	sys/ndir.h \
423	sys/poll.h \
424	sys/prctl.h \
425	sys/pstat.h \
426	sys/ptrace.h \
427	sys/random.h \
428	sys/select.h \
429	sys/stat.h \
430	sys/stream.h \
431	sys/stropts.h \
432	sys/strtio.h \
433	sys/statvfs.h \
434	sys/sysmacros.h \
435	sys/time.h \
436	sys/timers.h \
437	sys/vfs.h \
438	time.h \
439	tmpdir.h \
440	ttyent.h \
441	ucred.h \
442	unistd.h \
443	usersec.h \
444	util.h \
445	utime.h \
446	utmp.h \
447	utmpx.h \
448	vis.h \
449	wchar.h \
450])
451
452# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
453# to be included first.
454AC_CHECK_HEADERS([sys/audit.h], [], [], [
455#ifdef HAVE_SYS_TIME_H
456# include <sys/time.h>
457#endif
458#ifdef HAVE_SYS_TYPES_H
459# include <sys/types.h>
460#endif
461#ifdef HAVE_SYS_LABEL_H
462# include <sys/label.h>
463#endif
464])
465
466# sys/capsicum.h requires sys/types.h
467AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
468#ifdef HAVE_SYS_TYPES_H
469# include <sys/types.h>
470#endif
471])
472
473# net/route.h requires sys/socket.h and sys/types.h.
474# sys/sysctl.h also requires sys/param.h
475AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
476#ifdef HAVE_SYS_TYPES_H
477# include <sys/types.h>
478#endif
479#include <sys/param.h>
480#include <sys/socket.h>
481])
482
483# lastlog.h requires sys/time.h to be included first on Solaris
484AC_CHECK_HEADERS([lastlog.h], [], [], [
485#ifdef HAVE_SYS_TIME_H
486# include <sys/time.h>
487#endif
488])
489
490# sys/ptms.h requires sys/stream.h to be included first on Solaris
491AC_CHECK_HEADERS([sys/ptms.h], [], [], [
492#ifdef HAVE_SYS_STREAM_H
493# include <sys/stream.h>
494#endif
495])
496
497# login_cap.h requires sys/types.h on NetBSD
498AC_CHECK_HEADERS([login_cap.h], [], [], [
499#include <sys/types.h>
500])
501
502# older BSDs need sys/param.h before sys/mount.h
503AC_CHECK_HEADERS([sys/mount.h], [], [], [
504#include <sys/param.h>
505])
506
507# Android requires sys/socket.h to be included before sys/un.h
508AC_CHECK_HEADERS([sys/un.h], [], [], [
509#include <sys/types.h>
510#include <sys/socket.h>
511])
512
513# Messages for features tested for in target-specific section
514SIA_MSG="no"
515SPC_MSG="no"
516SP_MSG="no"
517SPP_MSG="no"
518
519# Support for Solaris/Illumos privileges (this test is used by both
520# the --with-solaris-privs option and --with-sandbox=solaris).
521SOLARIS_PRIVS="no"
522
523AC_CHECK_SIZEOF([size_t])
524
525# Check for some target-specific stuff
526case "$host" in
527*-*-aix*)
528	# Some versions of VAC won't allow macro redefinitions at
529	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
530	# particularly with older versions of vac or xlc.
531	# It also throws errors about null macro arguments, but these are
532	# not fatal.
533	AC_MSG_CHECKING([if compiler allows macro redefinitions])
534	AC_COMPILE_IFELSE(
535	    [AC_LANG_PROGRAM([[
536#define testmacro foo
537#define testmacro bar]],
538	    [[ exit(0); ]])],
539	    [ AC_MSG_RESULT([yes]) ],
540	    [ AC_MSG_RESULT([no])
541	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
542	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
543	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
544	    ]
545	)
546
547	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
548	if (test -z "$blibpath"); then
549		blibpath="/usr/lib:/lib"
550	fi
551	saved_LDFLAGS="$LDFLAGS"
552	if test "$GCC" = "yes"; then
553		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
554	else
555		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
556	fi
557	for tryflags in $flags ;do
558		if (test -z "$blibflags"); then
559			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
560			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
561			[blibflags=$tryflags], [])
562		fi
563	done
564	if (test -z "$blibflags"); then
565		AC_MSG_RESULT([not found])
566		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
567	else
568		AC_MSG_RESULT([$blibflags])
569	fi
570	LDFLAGS="$saved_LDFLAGS"
571	dnl Check for authenticate.  Might be in libs.a on older AIXes
572	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
573		[Define if you want to enable AIX4's authenticate function])],
574		[AC_CHECK_LIB([s], [authenticate],
575			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
576				LIBS="$LIBS -ls"
577			])
578		])
579	dnl Check for various auth function declarations in headers.
580	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
581	    passwdexpired, setauthdb], , , [#include <usersec.h>])
582	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
583	AC_CHECK_DECLS([loginfailed],
584	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
585	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
586		[[ (void)loginfailed("user","host","tty",0); ]])],
587		[AC_MSG_RESULT([yes])
588		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
589			[Define if your AIX loginfailed() function
590			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
591	    ])],
592	    [],
593	    [#include <usersec.h>]
594	)
595	AC_CHECK_FUNCS([getgrset setauthdb])
596	AC_CHECK_DECL([F_CLOSEM],
597	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
598	    [],
599	    [ #include <limits.h>
600	      #include <fcntl.h> ]
601	)
602	check_for_aix_broken_getaddrinfo=1
603	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
604	    [Define if your platform breaks doing a seteuid before a setuid])
605	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
606	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
607	dnl AIX handles lastlog as part of its login message
608	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
609	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
610		[Some systems need a utmpx entry for /bin/login to work])
611	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
612		[Define to a Set Process Title type if your system is
613		supported by bsd-setproctitle.c])
614	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
615	    [AIX 5.2 and 5.3 (and presumably newer) require this])
616	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
617	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
618	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
619	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
620	;;
621*-*-android*)
622	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
623	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
624	;;
625*-*-cygwin*)
626	check_for_libcrypt_later=1
627	LIBS="$LIBS /usr/lib/textreadmode.o"
628	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
629	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
630	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
631		[Define to disable UID restoration test])
632	AC_DEFINE([DISABLE_SHADOW], [1],
633		[Define if you want to disable shadow passwords])
634	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
635		[Define if X11 doesn't support AF_UNIX sockets on that system])
636	AC_DEFINE([DISABLE_FD_PASSING], [1],
637		[Define if your platform needs to skip post auth
638		file descriptor passing])
639	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
640	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
641	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
642	# reasons which cause compile warnings, so we disable those warnings.
643	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
644	;;
645*-*-dgux*)
646	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
647		[Define if your system choked on IP TOS setting])
648	AC_DEFINE([SETEUID_BREAKS_SETUID])
649	AC_DEFINE([BROKEN_SETREUID])
650	AC_DEFINE([BROKEN_SETREGID])
651	;;
652*-*-darwin*)
653	use_pie=auto
654	AC_MSG_CHECKING([if we have working getaddrinfo])
655	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
656main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
657		exit(0);
658	else
659		exit(1);
660}
661			]])],
662	[AC_MSG_RESULT([working])],
663	[AC_MSG_RESULT([buggy])
664	AC_DEFINE([BROKEN_GETADDRINFO], [1],
665		[getaddrinfo is broken (if present)])
666	],
667	[AC_MSG_RESULT([assume it is working])])
668	AC_DEFINE([SETEUID_BREAKS_SETUID])
669	AC_DEFINE([BROKEN_SETREUID])
670	AC_DEFINE([BROKEN_SETREGID])
671	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
672	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
673		[Define if your resolver libs need this for getrrsetbyname])
674	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
675	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
676	    [Use tunnel device compatibility to OpenBSD])
677	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
678	    [Prepend the address family to IP tunnel traffic])
679	m4_pattern_allow([AU_IPv])
680	AC_CHECK_DECL([AU_IPv4], [],
681	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
682	    [#include <bsm/audit.h>]
683	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
684	    [Define if pututxline updates lastlog too])
685	)
686	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
687		[Define to a Set Process Title type if your system is
688		supported by bsd-setproctitle.c])
689	AC_CHECK_FUNCS([sandbox_init])
690	AC_CHECK_HEADERS([sandbox.h])
691	AC_CHECK_LIB([sandbox], [sandbox_apply], [
692	    SSHDLIBS="$SSHDLIBS -lsandbox"
693	])
694	# proc_pidinfo()-based closefrom() replacement.
695	AC_CHECK_HEADERS([libproc.h])
696	AC_CHECK_FUNCS([proc_pidinfo])
697	;;
698*-*-dragonfly*)
699	SSHDLIBS="$SSHDLIBS -lcrypt"
700	TEST_MALLOC_OPTIONS="AFGJPRX"
701	;;
702*-*-haiku*)
703	LIBS="$LIBS -lbsd "
704	CFLAGS="$CFLAGS -D_BSD_SOURCE"
705	AC_CHECK_LIB([network], [socket])
706	AC_DEFINE([HAVE_U_INT64_T])
707	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
708	MANTYPE=man
709	;;
710*-*-hpux*)
711	# first we define all of the options common to all HP-UX releases
712	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
713	IPADDR_IN_DISPLAY=yes
714	AC_DEFINE([USE_PIPES])
715	AC_DEFINE([LOGIN_NEEDS_UTMPX])
716	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
717		[String used in /etc/passwd to denote locked account])
718	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
719	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
720	maildir="/var/mail"
721	LIBS="$LIBS -lsec"
722	AC_CHECK_LIB([xnet], [t_error], ,
723	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
724
725	# next, we define all of the options specific to major releases
726	case "$host" in
727	*-*-hpux10*)
728		if test -z "$GCC"; then
729			CFLAGS="$CFLAGS -Ae"
730		fi
731		;;
732	*-*-hpux11*)
733		AC_DEFINE([PAM_SUN_CODEBASE], [1],
734			[Define if you are using Solaris-derived PAM which
735			passes pam_messages to the conversation function
736			with an extra level of indirection])
737		AC_DEFINE([DISABLE_UTMP], [1],
738			[Define if you don't want to use utmp])
739		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
740		check_for_hpux_broken_getaddrinfo=1
741		check_for_conflicting_getspnam=1
742		;;
743	esac
744
745	# lastly, we define options specific to minor releases
746	case "$host" in
747	*-*-hpux10.26)
748		AC_DEFINE([HAVE_SECUREWARE], [1],
749			[Define if you have SecureWare-based
750			protected password database])
751		disable_ptmx_check=yes
752		LIBS="$LIBS -lsecpw"
753		;;
754	esac
755	;;
756*-*-irix5*)
757	PATH="$PATH:/usr/etc"
758	AC_DEFINE([BROKEN_INET_NTOA], [1],
759		[Define if you system's inet_ntoa is busted
760		(e.g. Irix gcc issue)])
761	AC_DEFINE([SETEUID_BREAKS_SETUID])
762	AC_DEFINE([BROKEN_SETREUID])
763	AC_DEFINE([BROKEN_SETREGID])
764	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
765		[Define if you shouldn't strip 'tty' from your
766		ttyname in [uw]tmp])
767	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
768	;;
769*-*-irix6*)
770	PATH="$PATH:/usr/etc"
771	AC_DEFINE([WITH_IRIX_ARRAY], [1],
772		[Define if you have/want arrays
773		(cluster-wide session management, not C arrays)])
774	AC_DEFINE([WITH_IRIX_PROJECT], [1],
775		[Define if you want IRIX project management])
776	AC_DEFINE([WITH_IRIX_AUDIT], [1],
777		[Define if you want IRIX audit trails])
778	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
779		[Define if you want IRIX kernel jobs])])
780	AC_DEFINE([BROKEN_INET_NTOA])
781	AC_DEFINE([SETEUID_BREAKS_SETUID])
782	AC_DEFINE([BROKEN_SETREUID])
783	AC_DEFINE([BROKEN_SETREGID])
784	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
785	AC_DEFINE([WITH_ABBREV_NO_TTY])
786	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
787	;;
788*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
789	check_for_libcrypt_later=1
790	AC_DEFINE([PAM_TTY_KLUDGE])
791	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
792	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
793	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
794	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
795	;;
796*-*-linux*)
797	no_dev_ptmx=1
798	use_pie=auto
799	check_for_libcrypt_later=1
800	check_for_openpty_ctty_bug=1
801	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
802	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
803	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
804	AC_DEFINE([PAM_TTY_KLUDGE], [1],
805		[Work around problematic Linux PAM modules handling of PAM_TTY])
806	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
807		[String used in /etc/passwd to denote locked account])
808	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
809	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
810		[Define to whatever link() returns for "not supported"
811		if it doesn't return EOPNOTSUPP.])
812	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
813	AC_DEFINE([USE_BTMP])
814	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
815	inet6_default_4in6=yes
816	case `uname -r` in
817	1.*|2.0.*)
818		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
819			[Define if cmsg_type is not passed correctly])
820		;;
821	esac
822	# tun(4) forwarding compat code
823	AC_CHECK_HEADERS([linux/if_tun.h])
824	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
825		AC_DEFINE([SSH_TUN_LINUX], [1],
826		    [Open tunnel devices the Linux tun/tap way])
827		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
828		    [Use tunnel device compatibility to OpenBSD])
829		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
830		    [Prepend the address family to IP tunnel traffic])
831	fi
832	AC_CHECK_HEADER([linux/if.h],
833	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
834		[Support routing domains using Linux VRF]), [], [
835#ifdef HAVE_SYS_TYPES_H
836# include <sys/types.h>
837#endif
838	    ])
839	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
840	    [], [#include <linux/types.h>])
841	# Obtain MIPS ABI
842	case "$host" in
843	mips*)
844		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
845#if _MIPS_SIM != _ABIO32
846#error
847#endif
848			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
849#if _MIPS_SIM != _ABIN32
850#error
851#endif
852				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
853#if _MIPS_SIM != _ABI64
854#error
855#endif
856					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
857				])
858			])
859		])
860		;;
861	esac
862	AC_MSG_CHECKING([for seccomp architecture])
863	seccomp_audit_arch=
864	case "$host" in
865	x86_64-*)
866		seccomp_audit_arch=AUDIT_ARCH_X86_64
867		# X32: AMD64 instructions in 32bit address space.
868		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
869			seccomp_audit_arch=AUDIT_ARCH_I386
870		fi
871		;;
872	i*86-*)
873		seccomp_audit_arch=AUDIT_ARCH_I386
874		;;
875	arm*-*)
876		seccomp_audit_arch=AUDIT_ARCH_ARM
877		;;
878	aarch64*-*)
879		seccomp_audit_arch=AUDIT_ARCH_AARCH64
880		;;
881	s390x-*)
882		seccomp_audit_arch=AUDIT_ARCH_S390X
883		;;
884	s390-*)
885		seccomp_audit_arch=AUDIT_ARCH_S390
886		;;
887	powerpc64-*)
888		seccomp_audit_arch=AUDIT_ARCH_PPC64
889		;;
890	powerpc64le-*)
891		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
892		;;
893	mips-*)
894		seccomp_audit_arch=AUDIT_ARCH_MIPS
895		;;
896	mipsel-*)
897		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
898		;;
899	mips64-*)
900		case "$mips_abi" in
901		"n32")
902			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
903			;;
904		"n64")
905			seccomp_audit_arch=AUDIT_ARCH_MIPS64
906			;;
907		esac
908		;;
909	mips64el-*)
910		case "$mips_abi" in
911		"n32")
912			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
913			;;
914		"n64")
915			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
916			;;
917		esac
918		;;
919	riscv64-*)
920		seccomp_audit_arch=AUDIT_ARCH_RISCV64
921		;;
922	esac
923	if test "x$seccomp_audit_arch" != "x" ; then
924		AC_MSG_RESULT(["$seccomp_audit_arch"])
925		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
926		    [Specify the system call convention in use])
927	else
928		AC_MSG_RESULT([architecture not supported])
929	fi
930	;;
931mips-sony-bsd|mips-sony-newsos4)
932	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
933	SONY=1
934	;;
935*-*-netbsd*)
936	check_for_libcrypt_before=1
937	if test "x$withval" != "xno" ; then
938		rpath_opt="-R"
939	fi
940	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
941	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
942	AC_CHECK_HEADER([net/if_tap.h], ,
943	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
944	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
945	    [Prepend the address family to IP tunnel traffic])
946	TEST_MALLOC_OPTIONS="AJRX"
947	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
948	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
949	;;
950*-*-freebsd*)
951	check_for_libcrypt_later=1
952	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
953	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
954	AC_CHECK_HEADER([net/if_tap.h], ,
955	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
956	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
957	TEST_MALLOC_OPTIONS="AJRX"
958	# Preauth crypto occasionally uses file descriptors for crypto offload
959	# and will crash if they cannot be opened.
960	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
961	    [define if setrlimit RLIMIT_NOFILE breaks things])
962	;;
963*-*-bsdi*)
964	AC_DEFINE([SETEUID_BREAKS_SETUID])
965	AC_DEFINE([BROKEN_SETREUID])
966	AC_DEFINE([BROKEN_SETREGID])
967	;;
968*-next-*)
969	conf_lastlog_location="/usr/adm/lastlog"
970	conf_utmp_location=/etc/utmp
971	conf_wtmp_location=/usr/adm/wtmp
972	maildir=/usr/spool/mail
973	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
974	AC_DEFINE([USE_PIPES])
975	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
976	;;
977*-*-openbsd*)
978	use_pie=auto
979	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
980	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
981	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
982	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
983	    [syslog_r function is safe to use in in a signal handler])
984	TEST_MALLOC_OPTIONS="AFGJPRX"
985	;;
986*-*-solaris*)
987	if test "x$withval" != "xno" ; then
988		rpath_opt="-R"
989	fi
990	AC_DEFINE([PAM_SUN_CODEBASE])
991	AC_DEFINE([LOGIN_NEEDS_UTMPX])
992	AC_DEFINE([PAM_TTY_KLUDGE])
993	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
994		[Define if pam_chauthtok wants real uid set
995		to the unpriv'ed user])
996	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
997	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
998	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
999		[Define if sshd somehow reacquires a controlling TTY
1000		after setsid()])
1001	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1002		in case the name is longer than 8 chars])
1003	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1004	external_path_file=/etc/default/login
1005	# hardwire lastlog location (can't detect it on some versions)
1006	conf_lastlog_location="/var/adm/lastlog"
1007	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1008	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1009	if test "$sol2ver" -ge 8; then
1010		AC_MSG_RESULT([yes])
1011		AC_DEFINE([DISABLE_UTMP])
1012		AC_DEFINE([DISABLE_WTMP], [1],
1013			[Define if you don't want to use wtmp])
1014	else
1015		AC_MSG_RESULT([no])
1016	fi
1017	AC_CHECK_FUNCS([setpflags])
1018	AC_CHECK_FUNCS([setppriv])
1019	AC_CHECK_FUNCS([priv_basicset])
1020	AC_CHECK_HEADERS([priv.h])
1021	AC_ARG_WITH([solaris-contracts],
1022		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1023		[
1024		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1025			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1026				[Define if you have Solaris process contracts])
1027			  LIBS="$LIBS -lcontract"
1028			  SPC_MSG="yes" ], )
1029		],
1030	)
1031	AC_ARG_WITH([solaris-projects],
1032		[  --with-solaris-projects Enable Solaris projects (experimental)],
1033		[
1034		AC_CHECK_LIB([project], [setproject],
1035			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1036				[Define if you have Solaris projects])
1037			LIBS="$LIBS -lproject"
1038			SP_MSG="yes" ], )
1039		],
1040	)
1041	AC_ARG_WITH([solaris-privs],
1042		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1043		[
1044		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1045		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1046			"x$ac_cv_header_priv_h" = "xyes" ; then
1047			SOLARIS_PRIVS=yes
1048			AC_MSG_RESULT([found])
1049			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1050				[Define to disable UID restoration test])
1051			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1052				[Define if you have Solaris privileges])
1053			SPP_MSG="yes"
1054		else
1055			AC_MSG_RESULT([not found])
1056			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1057		fi
1058		],
1059	)
1060	TEST_SHELL=$SHELL	# let configure find us a capable shell
1061	;;
1062*-*-sunos4*)
1063	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1064	AC_CHECK_FUNCS([getpwanam])
1065	AC_DEFINE([PAM_SUN_CODEBASE])
1066	conf_utmp_location=/etc/utmp
1067	conf_wtmp_location=/var/adm/wtmp
1068	conf_lastlog_location=/var/adm/lastlog
1069	AC_DEFINE([USE_PIPES])
1070	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1071	;;
1072*-ncr-sysv*)
1073	LIBS="$LIBS -lc89"
1074	AC_DEFINE([USE_PIPES])
1075	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1076	AC_DEFINE([SETEUID_BREAKS_SETUID])
1077	AC_DEFINE([BROKEN_SETREUID])
1078	AC_DEFINE([BROKEN_SETREGID])
1079	;;
1080*-sni-sysv*)
1081	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1082	AC_CHECK_LIB([dl], [dlsym], ,)
1083	# -lresolv needs to be at the end of LIBS or DNS lookups break
1084	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1085	IPADDR_IN_DISPLAY=yes
1086	AC_DEFINE([USE_PIPES])
1087	AC_DEFINE([IP_TOS_IS_BROKEN])
1088	AC_DEFINE([SETEUID_BREAKS_SETUID])
1089	AC_DEFINE([BROKEN_SETREUID])
1090	AC_DEFINE([BROKEN_SETREGID])
1091	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1092	external_path_file=/etc/default/login
1093	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1094	# Attention: always take care to bind libsocket and libnsl before libc,
1095	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1096	;;
1097# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1098*-*-sysv4.2*)
1099	AC_DEFINE([USE_PIPES])
1100	AC_DEFINE([SETEUID_BREAKS_SETUID])
1101	AC_DEFINE([BROKEN_SETREUID])
1102	AC_DEFINE([BROKEN_SETREGID])
1103	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1104	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1105	TEST_SHELL=$SHELL	# let configure find us a capable shell
1106	;;
1107# UnixWare 7.x, OpenUNIX 8
1108*-*-sysv5*)
1109	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1110	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1111	AC_DEFINE([USE_PIPES])
1112	AC_DEFINE([SETEUID_BREAKS_SETUID])
1113	AC_DEFINE([BROKEN_GETADDRINFO])
1114	AC_DEFINE([BROKEN_SETREUID])
1115	AC_DEFINE([BROKEN_SETREGID])
1116	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1117	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1118	TEST_SHELL=$SHELL	# let configure find us a capable shell
1119	check_for_libcrypt_later=1
1120	case "$host" in
1121	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1122		maildir=/var/spool/mail
1123		AC_DEFINE([BROKEN_UPDWTMPX])
1124		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1125			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1126			], , )
1127		;;
1128	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1129		;;
1130	esac
1131	;;
1132*-*-sysv*)
1133	;;
1134# SCO UNIX and OEM versions of SCO UNIX
1135*-*-sco3.2v4*)
1136	AC_MSG_ERROR("This Platform is no longer supported.")
1137	;;
1138# SCO OpenServer 5.x
1139*-*-sco3.2v5*)
1140	if test -z "$GCC"; then
1141		CFLAGS="$CFLAGS -belf"
1142	fi
1143	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1144	no_dev_ptmx=1
1145	AC_DEFINE([USE_PIPES])
1146	AC_DEFINE([HAVE_SECUREWARE])
1147	AC_DEFINE([DISABLE_SHADOW])
1148	AC_DEFINE([DISABLE_FD_PASSING])
1149	AC_DEFINE([SETEUID_BREAKS_SETUID])
1150	AC_DEFINE([BROKEN_GETADDRINFO])
1151	AC_DEFINE([BROKEN_SETREUID])
1152	AC_DEFINE([BROKEN_SETREGID])
1153	AC_DEFINE([WITH_ABBREV_NO_TTY])
1154	AC_DEFINE([BROKEN_UPDWTMPX])
1155	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1156	AC_CHECK_FUNCS([getluid setluid])
1157	MANTYPE=man
1158	TEST_SHELL=$SHELL	# let configure find us a capable shell
1159	SKIP_DISABLE_LASTLOG_DEFINE=yes
1160	;;
1161*-dec-osf*)
1162	AC_MSG_CHECKING([for Digital Unix SIA])
1163	no_osfsia=""
1164	AC_ARG_WITH([osfsia],
1165		[  --with-osfsia           Enable Digital Unix SIA],
1166		[
1167			if test "x$withval" = "xno" ; then
1168				AC_MSG_RESULT([disabled])
1169				no_osfsia=1
1170			fi
1171		],
1172	)
1173	if test -z "$no_osfsia" ; then
1174		if test -f /etc/sia/matrix.conf; then
1175			AC_MSG_RESULT([yes])
1176			AC_DEFINE([HAVE_OSF_SIA], [1],
1177				[Define if you have Digital Unix Security
1178				Integration Architecture])
1179			AC_DEFINE([DISABLE_LOGIN], [1],
1180				[Define if you don't want to use your
1181				system's login() call])
1182			AC_DEFINE([DISABLE_FD_PASSING])
1183			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1184			SIA_MSG="yes"
1185		else
1186			AC_MSG_RESULT([no])
1187			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1188			  [String used in /etc/passwd to denote locked account])
1189		fi
1190	fi
1191	AC_DEFINE([BROKEN_GETADDRINFO])
1192	AC_DEFINE([SETEUID_BREAKS_SETUID])
1193	AC_DEFINE([BROKEN_SETREUID])
1194	AC_DEFINE([BROKEN_SETREGID])
1195	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1196	;;
1197
1198*-*-nto-qnx*)
1199	AC_DEFINE([USE_PIPES])
1200	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1201	AC_DEFINE([DISABLE_LASTLOG])
1202	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1203	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1204	enable_etc_default_login=no	# has incompatible /etc/default/login
1205	case "$host" in
1206	*-*-nto-qnx6*)
1207		AC_DEFINE([DISABLE_FD_PASSING])
1208		;;
1209	esac
1210	;;
1211
1212*-*-ultrix*)
1213	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1214	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1215	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1216	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1217	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1218	# don't get a controlling tty.
1219	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1220	# On Ultrix some headers are not protected against multiple includes,
1221	# so we create wrappers and put it where the compiler will find it.
1222	AC_MSG_WARN([creating compat wrappers for headers])
1223	mkdir -p netinet
1224	for header in netinet/ip.h netdb.h resolv.h; do
1225		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1226		cat >$header <<EOD
1227#ifndef _SSH_COMPAT_${name}
1228#define _SSH_COMPAT_${name}
1229#include "/usr/include/${header}"
1230#endif
1231EOD
1232	done
1233	;;
1234
1235*-*-lynxos)
1236	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1237	AC_DEFINE([BROKEN_SETVBUF], [1],
1238	    [LynxOS has broken setvbuf() implementation])
1239	;;
1240esac
1241
1242AC_MSG_CHECKING([compiler and flags for sanity])
1243AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1244	[	AC_MSG_RESULT([yes]) ],
1245	[
1246		AC_MSG_RESULT([no])
1247		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1248	],
1249	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1250)
1251
1252dnl Checks for header files.
1253# Checks for libraries.
1254AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1255
1256dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1257AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1258	AC_CHECK_LIB([gen], [dirname], [
1259		AC_CACHE_CHECK([for broken dirname],
1260			ac_cv_have_broken_dirname, [
1261			save_LIBS="$LIBS"
1262			LIBS="$LIBS -lgen"
1263			AC_RUN_IFELSE(
1264				[AC_LANG_SOURCE([[
1265#include <libgen.h>
1266#include <string.h>
1267
1268int main(int argc, char **argv) {
1269    char *s, buf[32];
1270
1271    strncpy(buf,"/etc", 32);
1272    s = dirname(buf);
1273    if (!s || strncmp(s, "/", 32) != 0) {
1274	exit(1);
1275    } else {
1276	exit(0);
1277    }
1278}
1279				]])],
1280				[ ac_cv_have_broken_dirname="no" ],
1281				[ ac_cv_have_broken_dirname="yes" ],
1282				[ ac_cv_have_broken_dirname="no" ],
1283			)
1284			LIBS="$save_LIBS"
1285		])
1286		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1287			LIBS="$LIBS -lgen"
1288			AC_DEFINE([HAVE_DIRNAME])
1289			AC_CHECK_HEADERS([libgen.h])
1290		fi
1291	])
1292])
1293
1294AC_CHECK_FUNC([getspnam], ,
1295	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1296AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1297	[Define if you have the basename function.])])
1298
1299dnl zlib defaults to enabled
1300zlib=yes
1301AC_ARG_WITH([zlib],
1302	[  --with-zlib=PATH        Use zlib in PATH],
1303	[ if test "x$withval" = "xno" ; then
1304		zlib=no
1305	  elif test "x$withval" != "xyes"; then
1306		if test -d "$withval/lib"; then
1307			if test -n "${rpath_opt}"; then
1308				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1309			else
1310				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1311			fi
1312		else
1313			if test -n "${rpath_opt}"; then
1314				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1315			else
1316				LDFLAGS="-L${withval} ${LDFLAGS}"
1317			fi
1318		fi
1319		if test -d "$withval/include"; then
1320			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1321		else
1322			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1323		fi
1324	fi ]
1325)
1326
1327AC_MSG_CHECKING([for zlib])
1328if test "x${zlib}" = "xno"; then
1329	AC_MSG_RESULT([no])
1330else
1331	AC_MSG_RESULT([yes])
1332	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1333    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1334    AC_CHECK_LIB([z], [deflate], ,
1335	[
1336		saved_CPPFLAGS="$CPPFLAGS"
1337		saved_LDFLAGS="$LDFLAGS"
1338		save_LIBS="$LIBS"
1339		dnl Check default zlib install dir
1340		if test -n "${rpath_opt}"; then
1341			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1342		else
1343			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1344		fi
1345		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1346		LIBS="$LIBS -lz"
1347		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1348			[
1349				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1350			]
1351		)
1352	]
1353    )
1354
1355    AC_ARG_WITH([zlib-version-check],
1356	[  --without-zlib-version-check Disable zlib version check],
1357	[  if test "x$withval" = "xno" ; then
1358		zlib_check_nonfatal=1
1359	   fi
1360	]
1361    )
1362
1363    AC_MSG_CHECKING([for possibly buggy zlib])
1364    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1365#include <stdio.h>
1366#include <stdlib.h>
1367#include <zlib.h>
1368	]],
1369	[[
1370	int a=0, b=0, c=0, d=0, n, v;
1371	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1372	if (n != 3 && n != 4)
1373		exit(1);
1374	v = a*1000000 + b*10000 + c*100 + d;
1375	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1376
1377	/* 1.1.4 is OK */
1378	if (a == 1 && b == 1 && c >= 4)
1379		exit(0);
1380
1381	/* 1.2.3 and up are OK */
1382	if (v >= 1020300)
1383		exit(0);
1384
1385	exit(2);
1386	]])],
1387	AC_MSG_RESULT([no]),
1388	[ AC_MSG_RESULT([yes])
1389	  if test -z "$zlib_check_nonfatal" ; then
1390		AC_MSG_ERROR([*** zlib too old - check config.log ***
1391Your reported zlib version has known security problems.  It's possible your
1392vendor has fixed these problems without changing the version number.  If you
1393are sure this is the case, you can disable the check by running
1394"./configure --without-zlib-version-check".
1395If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1396See http://www.gzip.org/zlib/ for details.])
1397	  else
1398		AC_MSG_WARN([zlib version may have security problems])
1399	  fi
1400	],
1401	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1402    )
1403fi
1404
1405dnl UnixWare 2.x
1406AC_CHECK_FUNC([strcasecmp],
1407	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1408)
1409AC_CHECK_FUNCS([utimes],
1410	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1411					LIBS="$LIBS -lc89"]) ]
1412)
1413
1414dnl    Checks for libutil functions
1415AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1416AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1417AC_SEARCH_LIBS([scan_scaled], [util bsd])
1418AC_SEARCH_LIBS([login], [util bsd])
1419AC_SEARCH_LIBS([logout], [util bsd])
1420AC_SEARCH_LIBS([logwtmp], [util bsd])
1421AC_SEARCH_LIBS([openpty], [util bsd])
1422AC_SEARCH_LIBS([updwtmp], [util bsd])
1423AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1424
1425# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1426# or libnsl.
1427AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1428AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1429
1430# "Particular Function Checks"
1431# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1432AC_FUNC_STRFTIME
1433AC_FUNC_MALLOC
1434AC_FUNC_REALLOC
1435# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1436AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1437AC_RUN_IFELSE(
1438	[AC_LANG_PROGRAM(
1439		[[ #include <stdlib.h> ]],
1440		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1441	)],
1442	[ func_calloc_0_nonnull=yes ],
1443	[ func_calloc_0_nonnull=no ],
1444	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1445	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1446)
1447AC_MSG_RESULT([$func_calloc_0_nonnull])
1448
1449if test "x$func_calloc_0_nonnull" = "xyes"; then
1450	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1451else
1452	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1453	AC_DEFINE(calloc, rpl_calloc,
1454	    [Define to rpl_calloc if the replacement function should be used.])
1455fi
1456
1457# Check for ALTDIRFUNC glob() extension
1458AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1459AC_EGREP_CPP([FOUNDIT],
1460	[
1461		#include <glob.h>
1462		#ifdef GLOB_ALTDIRFUNC
1463		FOUNDIT
1464		#endif
1465	],
1466	[
1467		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1468			[Define if your system glob() function has
1469			the GLOB_ALTDIRFUNC extension])
1470		AC_MSG_RESULT([yes])
1471	],
1472	[
1473		AC_MSG_RESULT([no])
1474	]
1475)
1476
1477# Check for g.gl_matchc glob() extension
1478AC_MSG_CHECKING([for gl_matchc field in glob_t])
1479AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1480	[[ glob_t g; g.gl_matchc = 1; ]])],
1481	[
1482		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1483			[Define if your system glob() function has
1484			gl_matchc options in glob_t])
1485		AC_MSG_RESULT([yes])
1486	], [
1487		AC_MSG_RESULT([no])
1488])
1489
1490# Check for g.gl_statv glob() extension
1491AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1492AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1493#ifndef GLOB_KEEPSTAT
1494#error "glob does not support GLOB_KEEPSTAT extension"
1495#endif
1496glob_t g;
1497g.gl_statv = NULL;
1498]])],
1499	[
1500		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1501			[Define if your system glob() function has
1502			gl_statv options in glob_t])
1503		AC_MSG_RESULT([yes])
1504	], [
1505		AC_MSG_RESULT([no])
1506
1507])
1508
1509AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1510
1511AC_CHECK_DECL([VIS_ALL], ,
1512    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1513
1514AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1515AC_RUN_IFELSE(
1516	[AC_LANG_PROGRAM([[
1517#include <sys/types.h>
1518#include <dirent.h>]],
1519	[[
1520	struct dirent d;
1521	exit(sizeof(d.d_name)<=sizeof(char));
1522	]])],
1523	[AC_MSG_RESULT([yes])],
1524	[
1525		AC_MSG_RESULT([no])
1526		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1527			[Define if your struct dirent expects you to
1528			allocate extra space for d_name])
1529	],
1530	[
1531		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1532		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1533	]
1534)
1535
1536AC_MSG_CHECKING([for /proc/pid/fd directory])
1537if test -d "/proc/$$/fd" ; then
1538	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1539	AC_MSG_RESULT([yes])
1540else
1541	AC_MSG_RESULT([no])
1542fi
1543
1544# Check whether user wants to use ldns
1545LDNS_MSG="no"
1546AC_ARG_WITH(ldns,
1547	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1548	[
1549	ldns=""
1550	if test "x$withval" = "xyes" ; then
1551		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1552		if test "x$LDNSCONFIG" = "xno"; then
1553			LIBS="-lldns $LIBS"
1554			ldns=yes
1555		else
1556			LIBS="$LIBS `$LDNSCONFIG --libs`"
1557			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1558			ldns=yes
1559		fi
1560	elif test "x$withval" != "xno" ; then
1561			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1562			LDFLAGS="$LDFLAGS -L${withval}/lib"
1563			LIBS="-lldns $LIBS"
1564			ldns=yes
1565	fi
1566
1567	# Verify that it works.
1568	if test "x$ldns" = "xyes" ; then
1569		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1570		LDNS_MSG="yes"
1571		AC_MSG_CHECKING([for ldns support])
1572		AC_LINK_IFELSE(
1573			[AC_LANG_SOURCE([[
1574#include <stdio.h>
1575#include <stdlib.h>
1576#ifdef HAVE_STDINT_H
1577# include <stdint.h>
1578#endif
1579#include <ldns/ldns.h>
1580int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1581			]])
1582		],
1583			[AC_MSG_RESULT(yes)],
1584				[
1585					AC_MSG_RESULT(no)
1586					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1587				])
1588	fi
1589])
1590
1591# Check whether user wants libedit support
1592LIBEDIT_MSG="no"
1593AC_ARG_WITH([libedit],
1594	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1595	[ if test "x$withval" != "xno" ; then
1596		if test "x$withval" = "xyes" ; then
1597			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1598			if test "x$PKGCONFIG" != "xno"; then
1599				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1600				if "$PKGCONFIG" libedit; then
1601					AC_MSG_RESULT([yes])
1602					use_pkgconfig_for_libedit=yes
1603				else
1604					AC_MSG_RESULT([no])
1605				fi
1606			fi
1607		else
1608			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1609			if test -n "${rpath_opt}"; then
1610				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1611			else
1612				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1613			fi
1614		fi
1615		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1616			LIBEDIT=`$PKGCONFIG --libs libedit`
1617			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1618		else
1619			LIBEDIT="-ledit -lcurses"
1620		fi
1621		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1622		AC_CHECK_LIB([edit], [el_init],
1623			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1624			  LIBEDIT_MSG="yes"
1625			  AC_SUBST([LIBEDIT])
1626			],
1627			[ AC_MSG_ERROR([libedit not found]) ],
1628			[ $OTHERLIBS ]
1629		)
1630		AC_MSG_CHECKING([if libedit version is compatible])
1631		AC_COMPILE_IFELSE(
1632		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1633		    [[
1634	int i = H_SETSIZE;
1635	el_init("", NULL, NULL, NULL);
1636	exit(0);
1637		    ]])],
1638		    [ AC_MSG_RESULT([yes]) ],
1639		    [ AC_MSG_RESULT([no])
1640		      AC_MSG_ERROR([libedit version is not compatible]) ]
1641		)
1642	fi ]
1643)
1644
1645AUDIT_MODULE=none
1646AC_ARG_WITH([audit],
1647	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1648	[
1649	  AC_MSG_CHECKING([for supported audit module])
1650	  case "$withval" in
1651	  bsm)
1652		AC_MSG_RESULT([bsm])
1653		AUDIT_MODULE=bsm
1654		dnl    Checks for headers, libs and functions
1655		AC_CHECK_HEADERS([bsm/audit.h], [],
1656		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1657		    [
1658#ifdef HAVE_TIME_H
1659# include <time.h>
1660#endif
1661		    ]
1662)
1663		AC_CHECK_LIB([bsm], [getaudit], [],
1664		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1665		AC_CHECK_FUNCS([getaudit], [],
1666		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1667		# These are optional
1668		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1669		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1670		if test "$sol2ver" -ge 11; then
1671			SSHDLIBS="$SSHDLIBS -lscf"
1672			AC_DEFINE([BROKEN_BSM_API], [1],
1673				[The system has incomplete BSM API])
1674		fi
1675		;;
1676	  linux)
1677		AC_MSG_RESULT([linux])
1678		AUDIT_MODULE=linux
1679		dnl    Checks for headers, libs and functions
1680		AC_CHECK_HEADERS([libaudit.h])
1681		SSHDLIBS="$SSHDLIBS -laudit"
1682		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1683		;;
1684	  debug)
1685		AUDIT_MODULE=debug
1686		AC_MSG_RESULT([debug])
1687		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1688		;;
1689	  no)
1690		AC_MSG_RESULT([no])
1691		;;
1692	  *)
1693		AC_MSG_ERROR([Unknown audit module $withval])
1694		;;
1695	esac ]
1696)
1697
1698AC_ARG_WITH([pie],
1699    [  --with-pie              Build Position Independent Executables if possible], [
1700	if test "x$withval" = "xno"; then
1701		use_pie=no
1702	fi
1703	if test "x$withval" = "xyes"; then
1704		use_pie=yes
1705	fi
1706    ]
1707)
1708if test "x$use_pie" = "x"; then
1709	use_pie=no
1710fi
1711if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1712	# Turn off automatic PIE when toolchain hardening is off.
1713	use_pie=no
1714fi
1715if test "x$use_pie" = "xauto"; then
1716	# Automatic PIE requires gcc >= 4.x
1717	AC_MSG_CHECKING([for gcc >= 4.x])
1718	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1719#if !defined(__GNUC__) || __GNUC__ < 4
1720#error gcc is too old
1721#endif
1722]])],
1723	[ AC_MSG_RESULT([yes]) ],
1724	[ AC_MSG_RESULT([no])
1725	  use_pie=no ]
1726)
1727fi
1728if test "x$use_pie" != "xno"; then
1729	SAVED_CFLAGS="$CFLAGS"
1730	SAVED_LDFLAGS="$LDFLAGS"
1731	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1732	OSSH_CHECK_LDFLAG_LINK([-pie])
1733	# We use both -fPIE and -pie or neither.
1734	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1735	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1736	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1737		AC_MSG_RESULT([yes])
1738	else
1739		AC_MSG_RESULT([no])
1740		CFLAGS="$SAVED_CFLAGS"
1741		LDFLAGS="$SAVED_LDFLAGS"
1742	fi
1743fi
1744
1745AC_MSG_CHECKING([whether -fPIC is accepted])
1746SAVED_CFLAGS="$CFLAGS"
1747CFLAGS="$CFLAGS -fPIC"
1748AC_COMPILE_IFELSE(
1749	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1750   [AC_MSG_RESULT([yes])
1751    PICFLAG="-fPIC"; ],
1752   [AC_MSG_RESULT([no])
1753    PICFLAG=""; ])
1754CFLAGS="$SAVED_CFLAGS"
1755AC_SUBST([PICFLAG])
1756
1757dnl    Checks for library functions. Please keep in alphabetical order
1758AC_CHECK_FUNCS([ \
1759	Blowfish_initstate \
1760	Blowfish_expandstate \
1761	Blowfish_expand0state \
1762	Blowfish_stream2word \
1763	SHA256Update \
1764	SHA384Update \
1765	SHA512Update \
1766	asprintf \
1767	b64_ntop \
1768	__b64_ntop \
1769	b64_pton \
1770	__b64_pton \
1771	bcopy \
1772	bcrypt_pbkdf \
1773	bindresvport_sa \
1774	blf_enc \
1775	bzero \
1776	cap_rights_limit \
1777	clock \
1778	closefrom \
1779	dirfd \
1780	endgrent \
1781	err \
1782	errx \
1783	explicit_bzero \
1784	fchmod \
1785	fchmodat \
1786	fchown \
1787	fchownat \
1788	flock \
1789	fnmatch \
1790	freeaddrinfo \
1791	freezero \
1792	fstatfs \
1793	fstatvfs \
1794	futimes \
1795	getaddrinfo \
1796	getcwd \
1797	getgrouplist \
1798	getline \
1799	getnameinfo \
1800	getopt \
1801	getpagesize \
1802	getpeereid \
1803	getpeerucred \
1804	getpgid \
1805	_getpty \
1806	getrlimit \
1807	getrandom \
1808	getsid \
1809	getttyent \
1810	glob \
1811	group_from_gid \
1812	inet_aton \
1813	inet_ntoa \
1814	inet_ntop \
1815	innetgr \
1816	llabs \
1817	localtime_r \
1818	login_getcapbool \
1819	md5_crypt \
1820	memmem \
1821	memmove \
1822	memset_s \
1823	mkdtemp \
1824	ngetaddrinfo \
1825	nsleep \
1826	ogetaddrinfo \
1827	openlog_r \
1828	pledge \
1829	poll \
1830	prctl \
1831	pstat \
1832	raise \
1833	readpassphrase \
1834	reallocarray \
1835	realpath \
1836	recvmsg \
1837	recallocarray \
1838	rresvport_af \
1839	sendmsg \
1840	setdtablesize \
1841	setegid \
1842	setenv \
1843	seteuid \
1844	setgroupent \
1845	setgroups \
1846	setlinebuf \
1847	setlogin \
1848	setpassent\
1849	setpcred \
1850	setproctitle \
1851	setregid \
1852	setreuid \
1853	setrlimit \
1854	setsid \
1855	setvbuf \
1856	sigaction \
1857	sigvec \
1858	snprintf \
1859	socketpair \
1860	statfs \
1861	statvfs \
1862	strcasestr \
1863	strdup \
1864	strerror \
1865	strlcat \
1866	strlcpy \
1867	strmode \
1868	strndup \
1869	strnlen \
1870	strnvis \
1871	strptime \
1872	strsignal \
1873	strtonum \
1874	strtoll \
1875	strtoul \
1876	strtoull \
1877	swap32 \
1878	sysconf \
1879	tcgetpgrp \
1880	timingsafe_bcmp \
1881	truncate \
1882	unsetenv \
1883	updwtmpx \
1884	utimensat \
1885	user_from_uid \
1886	usleep \
1887	vasprintf \
1888	vsnprintf \
1889	waitpid \
1890	warn \
1891])
1892
1893AC_CHECK_DECLS([bzero, memmem])
1894
1895dnl Wide character support.
1896AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1897
1898TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1899AC_MSG_CHECKING([for utf8 locale support])
1900AC_RUN_IFELSE(
1901	[AC_LANG_PROGRAM([[
1902#include <locale.h>
1903#include <stdlib.h>
1904	]], [[
1905	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1906	if (loc != NULL)
1907		exit(0);
1908	exit(1);
1909	]])],
1910	AC_MSG_RESULT(yes),
1911	[AC_MSG_RESULT(no)
1912	 TEST_SSH_UTF8=no],
1913	AC_MSG_WARN([cross compiling: assuming yes])
1914)
1915
1916AC_LINK_IFELSE(
1917        [AC_LANG_PROGRAM(
1918           [[ #include <ctype.h> ]],
1919           [[ return (isblank('a')); ]])],
1920	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1921])
1922
1923disable_pkcs11=
1924AC_ARG_ENABLE([pkcs11],
1925	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1926	[
1927		if test "x$enableval" = "xno" ; then
1928			disable_pkcs11=1
1929		fi
1930	]
1931)
1932
1933disable_sk=
1934AC_ARG_ENABLE([security-key],
1935	[  --disable-security-key  disable U2F/FIDO support code [no]],
1936	[
1937		if test "x$enableval" = "xno" ; then
1938			disable_sk=1
1939		fi
1940	]
1941)
1942enable_sk_internal=
1943AC_ARG_WITH([security-key-builtin],
1944	[  --with-security-key-builtin include builtin U2F/FIDO support],
1945	[
1946		if test "x$withval" != "xno" ; then
1947			enable_sk_internal=yes
1948		fi
1949	]
1950)
1951test "x$disable_sk" != "x" && enable_sk_internal=""
1952
1953AC_SEARCH_LIBS([dlopen], [dl])
1954AC_CHECK_FUNCS([dlopen])
1955AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1956
1957# IRIX has a const char return value for gai_strerror()
1958AC_CHECK_FUNCS([gai_strerror], [
1959	AC_DEFINE([HAVE_GAI_STRERROR])
1960	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1961#include <sys/types.h>
1962#include <sys/socket.h>
1963#include <netdb.h>
1964
1965const char *gai_strerror(int);
1966			]], [[
1967	char *str;
1968	str = gai_strerror(0);
1969			]])], [
1970		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1971		[Define if gai_strerror() returns const char *])], [])])
1972
1973AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1974	[Some systems put nanosleep outside of libc])])
1975
1976AC_SEARCH_LIBS([clock_gettime], [rt],
1977	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1978
1979dnl check if we need -D_REENTRANT for localtime_r declaration.
1980AC_CHECK_DECL([localtime_r], [],
1981	[ saved_CPPFLAGS="$CFLAGS"
1982	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
1983	  unset ac_cv_have_decl_localtime_r
1984	  AC_CHECK_DECL([localtime_r], [],
1985		[ CPPFLAGS="$saved_CPPFLAGS" ],
1986		[ #include <time.h> ]
1987	  )
1988	],
1989	[ #include <time.h> ]
1990)
1991
1992dnl Make sure prototypes are defined for these before using them.
1993AC_CHECK_DECL([strsep],
1994	[AC_CHECK_FUNCS([strsep])],
1995	[],
1996	[
1997#ifdef HAVE_STRING_H
1998# include <string.h>
1999#endif
2000	])
2001
2002dnl tcsendbreak might be a macro
2003AC_CHECK_DECL([tcsendbreak],
2004	[AC_DEFINE([HAVE_TCSENDBREAK])],
2005	[AC_CHECK_FUNCS([tcsendbreak])],
2006	[#include <termios.h>]
2007)
2008
2009AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2010
2011AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2012	[
2013#include <sys/types.h>
2014#include <sys/socket.h>
2015#include <unistd.h>
2016	])
2017
2018AC_CHECK_DECLS([O_NONBLOCK], , ,
2019	[
2020#include <sys/types.h>
2021#ifdef HAVE_SYS_STAT_H
2022# include <sys/stat.h>
2023#endif
2024#ifdef HAVE_FCNTL_H
2025# include <fcntl.h>
2026#endif
2027	])
2028
2029AC_CHECK_DECLS([readv, writev], , , [
2030#include <sys/types.h>
2031#include <sys/uio.h>
2032#include <unistd.h>
2033	])
2034
2035AC_CHECK_DECLS([MAXSYMLINKS], , , [
2036#include <sys/param.h>
2037	])
2038
2039AC_CHECK_DECLS([offsetof], , , [
2040#include <stddef.h>
2041	])
2042
2043# extra bits for select(2)
2044AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2045#include <sys/param.h>
2046#include <sys/types.h>
2047#ifdef HAVE_SYS_SYSMACROS_H
2048#include <sys/sysmacros.h>
2049#endif
2050#ifdef HAVE_SYS_SELECT_H
2051#include <sys/select.h>
2052#endif
2053#ifdef HAVE_SYS_TIME_H
2054#include <sys/time.h>
2055#endif
2056#ifdef HAVE_UNISTD_H
2057#include <unistd.h>
2058#endif
2059	]])
2060AC_CHECK_TYPES([fd_mask], [], [], [[
2061#include <sys/param.h>
2062#include <sys/types.h>
2063#ifdef HAVE_SYS_SELECT_H
2064#include <sys/select.h>
2065#endif
2066#ifdef HAVE_SYS_TIME_H
2067#include <sys/time.h>
2068#endif
2069#ifdef HAVE_UNISTD_H
2070#include <unistd.h>
2071#endif
2072	]])
2073
2074AC_CHECK_FUNCS([setresuid], [
2075	dnl Some platorms have setresuid that isn't implemented, test for this
2076	AC_MSG_CHECKING([if setresuid seems to work])
2077	AC_RUN_IFELSE(
2078		[AC_LANG_PROGRAM([[
2079#include <stdlib.h>
2080#include <errno.h>
2081		]], [[
2082	errno=0;
2083	setresuid(0,0,0);
2084	if (errno==ENOSYS)
2085		exit(1);
2086	else
2087		exit(0);
2088		]])],
2089		[AC_MSG_RESULT([yes])],
2090		[AC_DEFINE([BROKEN_SETRESUID], [1],
2091			[Define if your setresuid() is broken])
2092		 AC_MSG_RESULT([not implemented])],
2093		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2094	)
2095])
2096
2097AC_CHECK_FUNCS([setresgid], [
2098	dnl Some platorms have setresgid that isn't implemented, test for this
2099	AC_MSG_CHECKING([if setresgid seems to work])
2100	AC_RUN_IFELSE(
2101		[AC_LANG_PROGRAM([[
2102#include <stdlib.h>
2103#include <errno.h>
2104		]], [[
2105	errno=0;
2106	setresgid(0,0,0);
2107	if (errno==ENOSYS)
2108		exit(1);
2109	else
2110		exit(0);
2111		]])],
2112		[AC_MSG_RESULT([yes])],
2113		[AC_DEFINE([BROKEN_SETRESGID], [1],
2114			[Define if your setresgid() is broken])
2115		 AC_MSG_RESULT([not implemented])],
2116		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2117	)
2118])
2119
2120AC_MSG_CHECKING([for working fflush(NULL)])
2121AC_RUN_IFELSE(
2122	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2123	AC_MSG_RESULT([yes]),
2124	[AC_MSG_RESULT([no])
2125	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2126	    [define if fflush(NULL) does not work])],
2127	AC_MSG_WARN([cross compiling: assuming working])
2128)
2129
2130dnl    Checks for time functions
2131AC_CHECK_FUNCS([gettimeofday time])
2132dnl    Checks for utmp functions
2133AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2134AC_CHECK_FUNCS([utmpname])
2135dnl    Checks for utmpx functions
2136AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2137AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2138dnl    Checks for lastlog functions
2139AC_CHECK_FUNCS([getlastlogxbyname])
2140
2141AC_CHECK_FUNC([daemon],
2142	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2143	[AC_CHECK_LIB([bsd], [daemon],
2144		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2145)
2146
2147AC_CHECK_FUNC([getpagesize],
2148	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2149		[Define if your libraries define getpagesize()])],
2150	[AC_CHECK_LIB([ucb], [getpagesize],
2151		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2152)
2153
2154# Check for broken snprintf
2155if test "x$ac_cv_func_snprintf" = "xyes" ; then
2156	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2157	AC_RUN_IFELSE(
2158		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2159		[[
2160	char b[5];
2161	snprintf(b,5,"123456789");
2162	exit(b[4]!='\0');
2163		]])],
2164		[AC_MSG_RESULT([yes])],
2165		[
2166			AC_MSG_RESULT([no])
2167			AC_DEFINE([BROKEN_SNPRINTF], [1],
2168				[Define if your snprintf is busted])
2169			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2170		],
2171		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2172	)
2173fi
2174
2175if test "x$ac_cv_func_snprintf" = "xyes" ; then
2176	AC_MSG_CHECKING([whether snprintf understands %zu])
2177	AC_RUN_IFELSE(
2178		[AC_LANG_PROGRAM([[
2179#include <sys/types.h>
2180#include <stdio.h>
2181		]],
2182		[[
2183	size_t a = 1, b = 2;
2184	char z[128];
2185	snprintf(z, sizeof z, "%zu%zu", a, b);
2186	exit(strcmp(z, "12"));
2187		]])],
2188		[AC_MSG_RESULT([yes])],
2189		[
2190			AC_MSG_RESULT([no])
2191			AC_DEFINE([BROKEN_SNPRINTF], [1],
2192				[snprintf does not understand %zu])
2193		],
2194		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2195	)
2196fi
2197
2198# We depend on vsnprintf returning the right thing on overflow: the
2199# number of characters it tried to create (as per SUSv3)
2200if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2201	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2202	AC_RUN_IFELSE(
2203		[AC_LANG_PROGRAM([[
2204#include <sys/types.h>
2205#include <stdio.h>
2206#include <stdarg.h>
2207
2208int x_snprintf(char *str, size_t count, const char *fmt, ...)
2209{
2210	size_t ret;
2211	va_list ap;
2212
2213	va_start(ap, fmt);
2214	ret = vsnprintf(str, count, fmt, ap);
2215	va_end(ap);
2216	return ret;
2217}
2218		]], [[
2219char x[1];
2220if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2221	return 1;
2222if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2223	return 1;
2224return 0;
2225		]])],
2226		[AC_MSG_RESULT([yes])],
2227		[
2228			AC_MSG_RESULT([no])
2229			AC_DEFINE([BROKEN_SNPRINTF], [1],
2230				[Define if your snprintf is busted])
2231			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2232		],
2233		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2234	)
2235fi
2236
2237# On systems where [v]snprintf is broken, but is declared in stdio,
2238# check that the fmt argument is const char * or just char *.
2239# This is only useful for when BROKEN_SNPRINTF
2240AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2241AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2242#include <stdio.h>
2243int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2244		]], [[
2245	snprintf(0, 0, 0);
2246		]])],
2247   [AC_MSG_RESULT([yes])
2248    AC_DEFINE([SNPRINTF_CONST], [const],
2249              [Define as const if snprintf() can declare const char *fmt])],
2250   [AC_MSG_RESULT([no])
2251    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2252
2253# Check for missing getpeereid (or equiv) support
2254NO_PEERCHECK=""
2255if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2256	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2257	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2258#include <sys/types.h>
2259#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2260		[ AC_MSG_RESULT([yes])
2261		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2262		], [AC_MSG_RESULT([no])
2263		NO_PEERCHECK=1
2264        ])
2265fi
2266
2267dnl see whether mkstemp() requires XXXXXX
2268if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2269AC_MSG_CHECKING([for (overly) strict mkstemp])
2270AC_RUN_IFELSE(
2271	[AC_LANG_PROGRAM([[
2272#include <stdlib.h>
2273	]], [[
2274	char template[]="conftest.mkstemp-test";
2275	if (mkstemp(template) == -1)
2276		exit(1);
2277	unlink(template);
2278	exit(0);
2279	]])],
2280	[
2281		AC_MSG_RESULT([no])
2282	],
2283	[
2284		AC_MSG_RESULT([yes])
2285		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2286	],
2287	[
2288		AC_MSG_RESULT([yes])
2289		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2290	]
2291)
2292fi
2293
2294dnl make sure that openpty does not reacquire controlling terminal
2295if test ! -z "$check_for_openpty_ctty_bug"; then
2296	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2297	AC_RUN_IFELSE(
2298		[AC_LANG_PROGRAM([[
2299#include <stdio.h>
2300#include <sys/fcntl.h>
2301#include <sys/types.h>
2302#include <sys/wait.h>
2303		]], [[
2304	pid_t pid;
2305	int fd, ptyfd, ttyfd, status;
2306
2307	pid = fork();
2308	if (pid < 0) {		/* failed */
2309		exit(1);
2310	} else if (pid > 0) {	/* parent */
2311		waitpid(pid, &status, 0);
2312		if (WIFEXITED(status))
2313			exit(WEXITSTATUS(status));
2314		else
2315			exit(2);
2316	} else {		/* child */
2317		close(0); close(1); close(2);
2318		setsid();
2319		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2320		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2321		if (fd >= 0)
2322			exit(3);	/* Acquired ctty: broken */
2323		else
2324			exit(0);	/* Did not acquire ctty: OK */
2325	}
2326		]])],
2327		[
2328			AC_MSG_RESULT([yes])
2329		],
2330		[
2331			AC_MSG_RESULT([no])
2332			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2333		],
2334		[
2335			AC_MSG_RESULT([cross-compiling, assuming yes])
2336		]
2337	)
2338fi
2339
2340if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2341    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2342	AC_MSG_CHECKING([if getaddrinfo seems to work])
2343	AC_RUN_IFELSE(
2344		[AC_LANG_PROGRAM([[
2345#include <stdio.h>
2346#include <sys/socket.h>
2347#include <netdb.h>
2348#include <errno.h>
2349#include <netinet/in.h>
2350
2351#define TEST_PORT "2222"
2352		]], [[
2353	int err, sock;
2354	struct addrinfo *gai_ai, *ai, hints;
2355	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2356
2357	memset(&hints, 0, sizeof(hints));
2358	hints.ai_family = PF_UNSPEC;
2359	hints.ai_socktype = SOCK_STREAM;
2360	hints.ai_flags = AI_PASSIVE;
2361
2362	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2363	if (err != 0) {
2364		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2365		exit(1);
2366	}
2367
2368	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2369		if (ai->ai_family != AF_INET6)
2370			continue;
2371
2372		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2373		    sizeof(ntop), strport, sizeof(strport),
2374		    NI_NUMERICHOST|NI_NUMERICSERV);
2375
2376		if (err != 0) {
2377			if (err == EAI_SYSTEM)
2378				perror("getnameinfo EAI_SYSTEM");
2379			else
2380				fprintf(stderr, "getnameinfo failed: %s\n",
2381				    gai_strerror(err));
2382			exit(2);
2383		}
2384
2385		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2386		if (sock < 0)
2387			perror("socket");
2388		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2389			if (errno == EBADF)
2390				exit(3);
2391		}
2392	}
2393	exit(0);
2394		]])],
2395		[
2396			AC_MSG_RESULT([yes])
2397		],
2398		[
2399			AC_MSG_RESULT([no])
2400			AC_DEFINE([BROKEN_GETADDRINFO])
2401		],
2402		[
2403			AC_MSG_RESULT([cross-compiling, assuming yes])
2404		]
2405	)
2406fi
2407
2408if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2409    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2410	AC_MSG_CHECKING([if getaddrinfo seems to work])
2411	AC_RUN_IFELSE(
2412		[AC_LANG_PROGRAM([[
2413#include <stdio.h>
2414#include <sys/socket.h>
2415#include <netdb.h>
2416#include <errno.h>
2417#include <netinet/in.h>
2418
2419#define TEST_PORT "2222"
2420		]], [[
2421	int err, sock;
2422	struct addrinfo *gai_ai, *ai, hints;
2423	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2424
2425	memset(&hints, 0, sizeof(hints));
2426	hints.ai_family = PF_UNSPEC;
2427	hints.ai_socktype = SOCK_STREAM;
2428	hints.ai_flags = AI_PASSIVE;
2429
2430	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2431	if (err != 0) {
2432		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2433		exit(1);
2434	}
2435
2436	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2437		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2438			continue;
2439
2440		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2441		    sizeof(ntop), strport, sizeof(strport),
2442		    NI_NUMERICHOST|NI_NUMERICSERV);
2443
2444		if (ai->ai_family == AF_INET && err != 0) {
2445			perror("getnameinfo");
2446			exit(2);
2447		}
2448	}
2449	exit(0);
2450		]])],
2451		[
2452			AC_MSG_RESULT([yes])
2453			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2454				[Define if you have a getaddrinfo that fails
2455				for the all-zeros IPv6 address])
2456		],
2457		[
2458			AC_MSG_RESULT([no])
2459			AC_DEFINE([BROKEN_GETADDRINFO])
2460		],
2461		[
2462			AC_MSG_RESULT([cross-compiling, assuming no])
2463		]
2464	)
2465fi
2466
2467if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2468	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2469	    [#include <sys/types.h>
2470	     #include <sys/socket.h>
2471	     #include <netdb.h>])
2472fi
2473
2474if test "x$check_for_conflicting_getspnam" = "x1"; then
2475	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2476	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2477		[[ exit(0); ]])],
2478		[
2479			AC_MSG_RESULT([no])
2480		],
2481		[
2482			AC_MSG_RESULT([yes])
2483			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2484			    [Conflicting defs for getspnam])
2485		]
2486	)
2487fi
2488
2489dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2490dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2491dnl for over ten years). Despite this incompatibility being reported during
2492dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2493dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2494dnl implementation.  Try to detect this mess, and assume the only safe option
2495dnl if we're cross compiling.
2496dnl
2497dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2498dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2499if test "x$ac_cv_func_strnvis" = "xyes"; then
2500	AC_MSG_CHECKING([for working strnvis])
2501	AC_RUN_IFELSE(
2502		[AC_LANG_PROGRAM([[
2503#include <signal.h>
2504#include <stdlib.h>
2505#include <string.h>
2506#include <vis.h>
2507static void sighandler(int sig) { _exit(1); }
2508		]], [[
2509	char dst[16];
2510
2511	signal(SIGSEGV, sighandler);
2512	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2513		exit(0);
2514	exit(1)
2515		]])],
2516		[AC_MSG_RESULT([yes])],
2517		[AC_MSG_RESULT([no])
2518		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2519		[AC_MSG_WARN([cross compiling: assuming broken])
2520		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2521	)
2522fi
2523
2524AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2525AC_RUN_IFELSE(
2526	[AC_LANG_PROGRAM([[
2527#ifdef HAVE_SYS_SELECT
2528# include <sys/select.h>
2529#endif
2530#include <sys/types.h>
2531#include <sys/time.h>
2532#include <stdlib.h>
2533#include <signal.h>
2534static void sighandler(int sig) { }
2535		]], [[
2536	int r;
2537	pid_t pid;
2538	struct sigaction sa;
2539
2540	sa.sa_handler = sighandler;
2541	sa.sa_flags = SA_RESTART;
2542	(void)sigaction(SIGTERM, &sa, NULL);
2543	if ((pid = fork()) == 0) { /* child */
2544		pid = getppid();
2545		sleep(1);
2546		kill(pid, SIGTERM);
2547		sleep(1);
2548		if (getppid() == pid) /* if parent did not exit, shoot it */
2549			kill(pid, SIGKILL);
2550		exit(0);
2551	} else { /* parent */
2552		r = select(0, NULL, NULL, NULL, NULL);
2553	}
2554	exit(r == -1 ? 0 : 1);
2555	]])],
2556	[AC_MSG_RESULT([yes])],
2557	[AC_MSG_RESULT([no])
2558	 AC_DEFINE([NO_SA_RESTART], [1],
2559	    [SA_RESTARTed signals do no interrupt select])],
2560	[AC_MSG_WARN([cross compiling: assuming yes])]
2561)
2562
2563AC_CHECK_FUNCS([getpgrp],[
2564	AC_MSG_CHECKING([if getpgrp accepts zero args])
2565	AC_COMPILE_IFELSE(
2566		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2567		[ AC_MSG_RESULT([yes])
2568		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2569		[ AC_MSG_RESULT([no])
2570		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2571	)
2572])
2573
2574# Search for OpenSSL
2575saved_CPPFLAGS="$CPPFLAGS"
2576saved_LDFLAGS="$LDFLAGS"
2577AC_ARG_WITH([ssl-dir],
2578	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2579	[
2580		if test "x$openssl" = "xno" ; then
2581			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2582		fi
2583		if test "x$withval" != "xno" ; then
2584			case "$withval" in
2585				# Relative paths
2586				./*|../*)	withval="`pwd`/$withval"
2587			esac
2588			if test -d "$withval/lib"; then
2589				if test -n "${rpath_opt}"; then
2590					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2591				else
2592					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2593				fi
2594			elif test -d "$withval/lib64"; then
2595				if test -n "${rpath_opt}"; then
2596					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2597				else
2598					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2599				fi
2600			else
2601				if test -n "${rpath_opt}"; then
2602					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2603				else
2604					LDFLAGS="-L${withval} ${LDFLAGS}"
2605				fi
2606			fi
2607			if test -d "$withval/include"; then
2608				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2609			else
2610				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2611			fi
2612		fi
2613	]
2614)
2615
2616AC_ARG_WITH([openssl-header-check],
2617	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2618	[
2619		if test "x$withval" = "xno" ; then
2620			openssl_check_nonfatal=1
2621		fi
2622	]
2623)
2624
2625openssl_engine=no
2626AC_ARG_WITH([ssl-engine],
2627	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2628	[
2629		if test "x$withval" != "xno" ; then
2630			if test "x$openssl" = "xno" ; then
2631				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2632			fi
2633			openssl_engine=yes
2634		fi
2635	]
2636)
2637
2638if test "x$openssl" = "xyes" ; then
2639	LIBS="-lcrypto $LIBS"
2640	AC_TRY_LINK_FUNC([RAND_add], ,
2641	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2642	AC_CHECK_HEADER([openssl/opensslv.h], ,
2643	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2644
2645	# Determine OpenSSL header version
2646	AC_MSG_CHECKING([OpenSSL header version])
2647	AC_RUN_IFELSE(
2648		[AC_LANG_PROGRAM([[
2649	#include <stdlib.h>
2650	#include <stdio.h>
2651	#include <string.h>
2652	#include <openssl/opensslv.h>
2653	#define DATA "conftest.sslincver"
2654		]], [[
2655		FILE *fd;
2656		int rc;
2657
2658		fd = fopen(DATA,"w");
2659		if(fd == NULL)
2660			exit(1);
2661
2662		if ((rc = fprintf(fd, "%08lx (%s)\n",
2663		    (unsigned long)OPENSSL_VERSION_NUMBER,
2664		     OPENSSL_VERSION_TEXT)) < 0)
2665			exit(1);
2666
2667		exit(0);
2668		]])],
2669		[
2670			ssl_header_ver=`cat conftest.sslincver`
2671			AC_MSG_RESULT([$ssl_header_ver])
2672		],
2673		[
2674			AC_MSG_RESULT([not found])
2675			AC_MSG_ERROR([OpenSSL version header not found.])
2676		],
2677		[
2678			AC_MSG_WARN([cross compiling: not checking])
2679		]
2680	)
2681
2682	# Determining OpenSSL library version is version dependent.
2683	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2684
2685	# Determine OpenSSL library version
2686	AC_MSG_CHECKING([OpenSSL library version])
2687	AC_RUN_IFELSE(
2688		[AC_LANG_PROGRAM([[
2689	#include <stdio.h>
2690	#include <string.h>
2691	#include <openssl/opensslv.h>
2692	#include <openssl/crypto.h>
2693	#define DATA "conftest.ssllibver"
2694		]], [[
2695		FILE *fd;
2696		int rc;
2697
2698		fd = fopen(DATA,"w");
2699		if(fd == NULL)
2700			exit(1);
2701#ifndef OPENSSL_VERSION
2702# define OPENSSL_VERSION SSLEAY_VERSION
2703#endif
2704#ifndef HAVE_OPENSSL_VERSION
2705# define OpenSSL_version	SSLeay_version
2706#endif
2707#ifndef HAVE_OPENSSL_VERSION_NUM
2708# define OpenSSL_version_num	SSLeay
2709#endif
2710		if ((rc = fprintf(fd, "%08lx (%s)\n",
2711		    (unsigned long)OpenSSL_version_num(),
2712		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2713			exit(1);
2714
2715		exit(0);
2716		]])],
2717		[
2718			ssl_library_ver=`cat conftest.ssllibver`
2719			# Check version is supported.
2720			case "$ssl_library_ver" in
2721			10000*|0*)
2722				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2723		                ;;
2724			100*)   ;; # 1.0.x
2725			101000[[0123456]]*)
2726				# https://github.com/openssl/openssl/pull/4613
2727				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2728				;;
2729			101*)   ;; # 1.1.x
2730			200*)   ;; # LibreSSL
2731			300*)   ;; # OpenSSL development branch.
2732		        *)
2733				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2734		                ;;
2735			esac
2736			AC_MSG_RESULT([$ssl_library_ver])
2737		],
2738		[
2739			AC_MSG_RESULT([not found])
2740			AC_MSG_ERROR([OpenSSL library not found.])
2741		],
2742		[
2743			AC_MSG_WARN([cross compiling: not checking])
2744		]
2745	)
2746
2747	# Sanity check OpenSSL headers
2748	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2749	AC_RUN_IFELSE(
2750		[AC_LANG_PROGRAM([[
2751	#include <string.h>
2752	#include <openssl/opensslv.h>
2753	#include <openssl/crypto.h>
2754		]], [[
2755#ifndef HAVE_OPENSSL_VERSION_NUM
2756# define OpenSSL_version_num	SSLeay
2757#endif
2758		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2759		]])],
2760		[
2761			AC_MSG_RESULT([yes])
2762		],
2763		[
2764			AC_MSG_RESULT([no])
2765			if test "x$openssl_check_nonfatal" = "x"; then
2766				AC_MSG_ERROR([Your OpenSSL headers do not match your
2767	library. Check config.log for details.
2768	If you are sure your installation is consistent, you can disable the check
2769	by running "./configure --without-openssl-header-check".
2770	Also see contrib/findssl.sh for help identifying header/library mismatches.
2771	])
2772			else
2773				AC_MSG_WARN([Your OpenSSL headers do not match your
2774	library. Check config.log for details.
2775	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2776			fi
2777		],
2778		[
2779			AC_MSG_WARN([cross compiling: not checking])
2780		]
2781	)
2782
2783	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2784	AC_LINK_IFELSE(
2785		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2786		[[ ERR_load_crypto_strings(); ]])],
2787		[
2788			AC_MSG_RESULT([yes])
2789		],
2790		[
2791			AC_MSG_RESULT([no])
2792			saved_LIBS="$LIBS"
2793			LIBS="$LIBS -ldl"
2794			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2795			AC_LINK_IFELSE(
2796				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2797				[[ ERR_load_crypto_strings(); ]])],
2798				[
2799					AC_MSG_RESULT([yes])
2800				],
2801				[
2802					AC_MSG_RESULT([no])
2803					LIBS="$saved_LIBS"
2804				]
2805			)
2806		]
2807	)
2808
2809	AC_CHECK_FUNCS([ \
2810		BN_is_prime_ex \
2811		DSA_generate_parameters_ex \
2812		EVP_CIPHER_CTX_ctrl \
2813		EVP_DigestFinal_ex \
2814		EVP_DigestInit_ex \
2815		EVP_MD_CTX_cleanup \
2816		EVP_MD_CTX_copy_ex \
2817		EVP_MD_CTX_init \
2818		HMAC_CTX_init \
2819		RSA_generate_key_ex \
2820		RSA_get_default_method \
2821	])
2822
2823	# OpenSSL_add_all_algorithms may be a macro.
2824	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2825	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2826	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2827		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2828		[[#include <openssl/evp.h>]]
2829	    )
2830	)
2831
2832	# LibreSSL/OpenSSL 1.1x API
2833	AC_CHECK_FUNCS([ \
2834		OPENSSL_init_crypto \
2835		DH_get0_key \
2836		DH_get0_pqg \
2837		DH_set0_key \
2838		DH_set_length \
2839		DH_set0_pqg \
2840		DSA_get0_key \
2841		DSA_get0_pqg \
2842		DSA_set0_key \
2843		DSA_set0_pqg \
2844		DSA_SIG_get0 \
2845		DSA_SIG_set0 \
2846		ECDSA_SIG_get0 \
2847		ECDSA_SIG_set0 \
2848		EVP_CIPHER_CTX_iv \
2849		EVP_CIPHER_CTX_iv_noconst \
2850		EVP_CIPHER_CTX_get_iv \
2851		EVP_CIPHER_CTX_set_iv \
2852		RSA_get0_crt_params \
2853		RSA_get0_factors \
2854		RSA_get0_key \
2855		RSA_set0_crt_params \
2856		RSA_set0_factors \
2857		RSA_set0_key \
2858		RSA_meth_free \
2859		RSA_meth_dup \
2860		RSA_meth_set1_name \
2861		RSA_meth_get_finish \
2862		RSA_meth_set_priv_enc \
2863		RSA_meth_set_priv_dec \
2864		RSA_meth_set_finish \
2865		EVP_PKEY_get0_RSA \
2866		EVP_MD_CTX_new \
2867		EVP_MD_CTX_free \
2868		EVP_chacha20 \
2869	])
2870
2871	if test "x$openssl_engine" = "xyes" ; then
2872		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2873		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2874	#include <openssl/engine.h>
2875			]], [[
2876				ENGINE_load_builtin_engines();
2877				ENGINE_register_all_complete();
2878			]])],
2879			[ AC_MSG_RESULT([yes])
2880			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2881			     [Enable OpenSSL engine support])
2882			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2883		])
2884	fi
2885
2886	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2887	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2888	AC_LINK_IFELSE(
2889		[AC_LANG_PROGRAM([[
2890	#include <string.h>
2891	#include <openssl/evp.h>
2892		]], [[
2893		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2894		]])],
2895		[
2896			AC_MSG_RESULT([no])
2897		],
2898		[
2899			AC_MSG_RESULT([yes])
2900			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2901			    [libcrypto is missing AES 192 and 256 bit functions])
2902		]
2903	)
2904
2905	# Check for OpenSSL with EVP_aes_*ctr
2906	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2907	AC_LINK_IFELSE(
2908		[AC_LANG_PROGRAM([[
2909	#include <string.h>
2910	#include <openssl/evp.h>
2911		]], [[
2912		exit(EVP_aes_128_ctr() == NULL ||
2913		    EVP_aes_192_cbc() == NULL ||
2914		    EVP_aes_256_cbc() == NULL);
2915		]])],
2916		[
2917			AC_MSG_RESULT([yes])
2918			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2919			    [libcrypto has EVP AES CTR])
2920		],
2921		[
2922			AC_MSG_RESULT([no])
2923		]
2924	)
2925
2926	# Check for OpenSSL with EVP_aes_*gcm
2927	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2928	AC_LINK_IFELSE(
2929		[AC_LANG_PROGRAM([[
2930	#include <string.h>
2931	#include <openssl/evp.h>
2932		]], [[
2933		exit(EVP_aes_128_gcm() == NULL ||
2934		    EVP_aes_256_gcm() == NULL ||
2935		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2936		    EVP_CTRL_GCM_IV_GEN == 0 ||
2937		    EVP_CTRL_GCM_SET_TAG == 0 ||
2938		    EVP_CTRL_GCM_GET_TAG == 0 ||
2939		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2940		]])],
2941		[
2942			AC_MSG_RESULT([yes])
2943			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2944			    [libcrypto has EVP AES GCM])
2945		],
2946		[
2947			AC_MSG_RESULT([no])
2948			unsupported_algorithms="$unsupported_cipers \
2949			   aes128-gcm@openssh.com \
2950			   aes256-gcm@openssh.com"
2951		]
2952	)
2953
2954	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2955	AC_LINK_IFELSE(
2956		[AC_LANG_PROGRAM([[
2957	#include <string.h>
2958	#include <openssl/evp.h>
2959		]], [[
2960		if(EVP_DigestUpdate(NULL, NULL,0))
2961			exit(0);
2962		]])],
2963		[
2964			AC_MSG_RESULT([yes])
2965		],
2966		[
2967			AC_MSG_RESULT([no])
2968			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2969			    [Define if EVP_DigestUpdate returns void])
2970		]
2971	)
2972
2973	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2974	# because the system crypt() is more featureful.
2975	if test "x$check_for_libcrypt_before" = "x1"; then
2976		AC_CHECK_LIB([crypt], [crypt])
2977	fi
2978
2979	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2980	# version in OpenSSL.
2981	if test "x$check_for_libcrypt_later" = "x1"; then
2982		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2983	fi
2984	AC_CHECK_FUNCS([crypt DES_crypt])
2985
2986	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2987	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
2988
2989	# Check complete ECC support in OpenSSL
2990	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2991	AC_LINK_IFELSE(
2992		[AC_LANG_PROGRAM([[
2993	#include <openssl/ec.h>
2994	#include <openssl/ecdh.h>
2995	#include <openssl/ecdsa.h>
2996	#include <openssl/evp.h>
2997	#include <openssl/objects.h>
2998	#include <openssl/opensslv.h>
2999		]], [[
3000		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3001		const EVP_MD *m = EVP_sha256(); /* We need this too */
3002		]])],
3003		[ AC_MSG_RESULT([yes])
3004		  enable_nistp256=1 ],
3005		[ AC_MSG_RESULT([no]) ]
3006	)
3007
3008	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3009	AC_LINK_IFELSE(
3010		[AC_LANG_PROGRAM([[
3011	#include <openssl/ec.h>
3012	#include <openssl/ecdh.h>
3013	#include <openssl/ecdsa.h>
3014	#include <openssl/evp.h>
3015	#include <openssl/objects.h>
3016	#include <openssl/opensslv.h>
3017		]], [[
3018		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3019		const EVP_MD *m = EVP_sha384(); /* We need this too */
3020		]])],
3021		[ AC_MSG_RESULT([yes])
3022		  enable_nistp384=1 ],
3023		[ AC_MSG_RESULT([no]) ]
3024	)
3025
3026	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3027	AC_LINK_IFELSE(
3028		[AC_LANG_PROGRAM([[
3029	#include <openssl/ec.h>
3030	#include <openssl/ecdh.h>
3031	#include <openssl/ecdsa.h>
3032	#include <openssl/evp.h>
3033	#include <openssl/objects.h>
3034	#include <openssl/opensslv.h>
3035		]], [[
3036		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3037		const EVP_MD *m = EVP_sha512(); /* We need this too */
3038		]])],
3039		[ AC_MSG_RESULT([yes])
3040		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3041		  AC_RUN_IFELSE(
3042			[AC_LANG_PROGRAM([[
3043	#include <openssl/ec.h>
3044	#include <openssl/ecdh.h>
3045	#include <openssl/ecdsa.h>
3046	#include <openssl/evp.h>
3047	#include <openssl/objects.h>
3048	#include <openssl/opensslv.h>
3049			]],[[
3050			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3051			const EVP_MD *m = EVP_sha512(); /* We need this too */
3052			exit(e == NULL || m == NULL);
3053			]])],
3054			[ AC_MSG_RESULT([yes])
3055			  enable_nistp521=1 ],
3056			[ AC_MSG_RESULT([no]) ],
3057			[ AC_MSG_WARN([cross-compiling: assuming yes])
3058			  enable_nistp521=1 ]
3059		  )],
3060		AC_MSG_RESULT([no])
3061	)
3062
3063	COMMENT_OUT_ECC="#no ecc#"
3064	TEST_SSH_ECC=no
3065
3066	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3067	    test x$enable_nistp521 = x1; then
3068		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3069		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3070		openssl_ecc=yes
3071	else
3072		openssl_ecc=no
3073	fi
3074	if test x$enable_nistp256 = x1; then
3075		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3076		    [libcrypto has NID_X9_62_prime256v1])
3077		TEST_SSH_ECC=yes
3078		COMMENT_OUT_ECC=""
3079	else
3080		unsupported_algorithms="$unsupported_algorithms \
3081			ecdsa-sha2-nistp256 \
3082			ecdh-sha2-nistp256 \
3083			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3084	fi
3085	if test x$enable_nistp384 = x1; then
3086		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3087		TEST_SSH_ECC=yes
3088		COMMENT_OUT_ECC=""
3089	else
3090		unsupported_algorithms="$unsupported_algorithms \
3091			ecdsa-sha2-nistp384 \
3092			ecdh-sha2-nistp384 \
3093			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3094	fi
3095	if test x$enable_nistp521 = x1; then
3096		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3097		TEST_SSH_ECC=yes
3098		COMMENT_OUT_ECC=""
3099	else
3100		unsupported_algorithms="$unsupported_algorithms \
3101			ecdh-sha2-nistp521 \
3102			ecdsa-sha2-nistp521 \
3103			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3104	fi
3105
3106	AC_SUBST([TEST_SSH_ECC])
3107	AC_SUBST([COMMENT_OUT_ECC])
3108else
3109	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3110	AC_CHECK_FUNCS([crypt])
3111fi
3112
3113# PKCS11/U2F depend on OpenSSL and dlopen().
3114enable_pkcs11=yes
3115enable_sk=yes
3116if test "x$openssl" != "xyes" ; then
3117	enable_pkcs11="disabled; missing libcrypto"
3118	enable_sk="disabled; missing libcrypto"
3119fi
3120if test "x$openssl_ecc" != "xyes" ; then
3121	enable_sk="disabled; OpenSSL has no ECC support"
3122fi
3123if test "x$ac_cv_func_dlopen" != "xyes" ; then
3124	enable_pkcs11="disabled; missing dlopen(3)"
3125	enable_sk="disabled; missing dlopen(3)"
3126fi
3127if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3128	enable_pkcs11="disabled; missing RTLD_NOW"
3129	enable_sk="disabled; missing RTLD_NOW"
3130fi
3131if test ! -z "$disable_pkcs11" ; then
3132	enable_pkcs11="disabled by user"
3133fi
3134if test ! -z "$disable_sk" ; then
3135	enable_sk="disabled by user"
3136fi
3137
3138AC_MSG_CHECKING([whether to enable PKCS11])
3139if test "x$enable_pkcs11" = "xyes" ; then
3140	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3141fi
3142AC_MSG_RESULT([$enable_pkcs11])
3143
3144AC_MSG_CHECKING([whether to enable U2F])
3145if test "x$enable_sk" = "xyes" ; then
3146	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3147	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3148else
3149	# Do not try to build sk-dummy library.
3150	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3151fi
3152AC_MSG_RESULT([$enable_sk])
3153
3154# Now check for built-in security key support.
3155if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3156	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3157	use_pkgconfig_for_libfido2=
3158	if test "x$PKGCONFIG" != "xno"; then
3159		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3160		if "$PKGCONFIG" libfido2; then
3161			AC_MSG_RESULT([yes])
3162			use_pkgconfig_for_libfido2=yes
3163		else
3164			AC_MSG_RESULT([no])
3165		fi
3166	fi
3167	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3168		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3169		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3170	else
3171		LIBFIDO2="-lfido2 -lcbor"
3172	fi
3173	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3174	AC_CHECK_LIB([fido2], [fido_init],
3175		[
3176			AC_SUBST([LIBFIDO2])
3177			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3178			    [Enable for built-in U2F/FIDO support])
3179			enable_sk="built-in"
3180		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3181		[ $OTHERLIBS ]
3182	)
3183	saved_LIBS="$LIBS"
3184	LIBS="$LIBS $LIBFIDO2"
3185	AC_CHECK_FUNCS([ \
3186		fido_cred_prot \
3187		fido_cred_set_prot \
3188		fido_dev_get_touch_status \
3189		fido_dev_supports_cred_prot \
3190	])
3191	LIBS="$saved_LIBS"
3192	AC_CHECK_HEADER([fido.h], [],
3193		AC_MSG_ERROR([missing fido.h from libfido2]))
3194	AC_CHECK_HEADER([fido/credman.h], [],
3195		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3196		[#include <fido.h>]
3197	)
3198fi
3199
3200AC_CHECK_FUNCS([ \
3201	arc4random \
3202	arc4random_buf \
3203	arc4random_stir \
3204	arc4random_uniform \
3205])
3206
3207saved_LIBS="$LIBS"
3208AC_CHECK_LIB([iaf], [ia_openinfo], [
3209	LIBS="$LIBS -liaf"
3210	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3211				AC_DEFINE([HAVE_LIBIAF], [1],
3212			[Define if system has libiaf that supports set_id])
3213				])
3214])
3215LIBS="$saved_LIBS"
3216
3217### Configure cryptographic random number support
3218
3219# Check whether OpenSSL seeds itself
3220if test "x$openssl" = "xyes" ; then
3221	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3222	AC_RUN_IFELSE(
3223		[AC_LANG_PROGRAM([[
3224	#include <string.h>
3225	#include <openssl/rand.h>
3226		]], [[
3227		exit(RAND_status() == 1 ? 0 : 1);
3228		]])],
3229		[
3230			OPENSSL_SEEDS_ITSELF=yes
3231			AC_MSG_RESULT([yes])
3232		],
3233		[
3234			AC_MSG_RESULT([no])
3235		],
3236		[
3237			AC_MSG_WARN([cross compiling: assuming yes])
3238			# This is safe, since we will fatal() at runtime if
3239			# OpenSSL is not seeded correctly.
3240			OPENSSL_SEEDS_ITSELF=yes
3241		]
3242	)
3243fi
3244
3245# PRNGD TCP socket
3246AC_ARG_WITH([prngd-port],
3247	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3248	[
3249		case "$withval" in
3250		no)
3251			withval=""
3252			;;
3253		[[0-9]]*)
3254			;;
3255		*)
3256			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3257			;;
3258		esac
3259		if test ! -z "$withval" ; then
3260			PRNGD_PORT="$withval"
3261			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3262				[Port number of PRNGD/EGD random number socket])
3263		fi
3264	]
3265)
3266
3267# PRNGD Unix domain socket
3268AC_ARG_WITH([prngd-socket],
3269	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3270	[
3271		case "$withval" in
3272		yes)
3273			withval="/var/run/egd-pool"
3274			;;
3275		no)
3276			withval=""
3277			;;
3278		/*)
3279			;;
3280		*)
3281			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3282			;;
3283		esac
3284
3285		if test ! -z "$withval" ; then
3286			if test ! -z "$PRNGD_PORT" ; then
3287				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3288			fi
3289			if test ! -r "$withval" ; then
3290				AC_MSG_WARN([Entropy socket is not readable])
3291			fi
3292			PRNGD_SOCKET="$withval"
3293			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3294				[Location of PRNGD/EGD random number socket])
3295		fi
3296	],
3297	[
3298		# Check for existing socket only if we don't have a random device already
3299		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3300			AC_MSG_CHECKING([for PRNGD/EGD socket])
3301			# Insert other locations here
3302			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3303				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3304					PRNGD_SOCKET="$sock"
3305					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3306					break;
3307				fi
3308			done
3309			if test ! -z "$PRNGD_SOCKET" ; then
3310				AC_MSG_RESULT([$PRNGD_SOCKET])
3311			else
3312				AC_MSG_RESULT([not found])
3313			fi
3314		fi
3315	]
3316)
3317
3318# Which randomness source do we use?
3319if test ! -z "$PRNGD_PORT" ; then
3320	RAND_MSG="PRNGd port $PRNGD_PORT"
3321elif test ! -z "$PRNGD_SOCKET" ; then
3322	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3323elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3324	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3325		[Define if you want the OpenSSL internally seeded PRNG only])
3326	RAND_MSG="OpenSSL internal ONLY"
3327elif test "x$openssl" = "xno" ; then
3328	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3329else
3330	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3331fi
3332
3333# Check for PAM libs
3334PAM_MSG="no"
3335AC_ARG_WITH([pam],
3336	[  --with-pam              Enable PAM support ],
3337	[
3338		if test "x$withval" != "xno" ; then
3339			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3340			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3341				AC_MSG_ERROR([PAM headers not found])
3342			fi
3343
3344			saved_LIBS="$LIBS"
3345			AC_CHECK_LIB([dl], [dlopen], , )
3346			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3347			AC_CHECK_FUNCS([pam_getenvlist])
3348			AC_CHECK_FUNCS([pam_putenv])
3349			LIBS="$saved_LIBS"
3350
3351			PAM_MSG="yes"
3352
3353			SSHDLIBS="$SSHDLIBS -lpam"
3354			AC_DEFINE([USE_PAM], [1],
3355				[Define if you want to enable PAM support])
3356
3357			if test $ac_cv_lib_dl_dlopen = yes; then
3358				case "$LIBS" in
3359				*-ldl*)
3360					# libdl already in LIBS
3361					;;
3362				*)
3363					SSHDLIBS="$SSHDLIBS -ldl"
3364					;;
3365				esac
3366			fi
3367		fi
3368	]
3369)
3370
3371AC_ARG_WITH([pam-service],
3372	[  --with-pam-service=name Specify PAM service name ],
3373	[
3374		if test "x$withval" != "xno" && \
3375		   test "x$withval" != "xyes" ; then
3376			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3377				["$withval"], [sshd PAM service name])
3378		fi
3379	]
3380)
3381
3382# Check for older PAM
3383if test "x$PAM_MSG" = "xyes" ; then
3384	# Check PAM strerror arguments (old PAM)
3385	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3386	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3387#include <stdlib.h>
3388#if defined(HAVE_SECURITY_PAM_APPL_H)
3389#include <security/pam_appl.h>
3390#elif defined (HAVE_PAM_PAM_APPL_H)
3391#include <pam/pam_appl.h>
3392#endif
3393		]], [[
3394(void)pam_strerror((pam_handle_t *)NULL, -1);
3395		]])], [AC_MSG_RESULT([no])], [
3396			AC_DEFINE([HAVE_OLD_PAM], [1],
3397				[Define if you have an old version of PAM
3398				which takes only one argument to pam_strerror])
3399			AC_MSG_RESULT([yes])
3400			PAM_MSG="yes (old library)"
3401
3402	])
3403fi
3404
3405case "$host" in
3406*-*-cygwin*)
3407	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3408	;;
3409*)
3410	SSH_PRIVSEP_USER=sshd
3411	;;
3412esac
3413AC_ARG_WITH([privsep-user],
3414	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3415	[
3416		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3417		    test "x${withval}" != "xyes"; then
3418			SSH_PRIVSEP_USER=$withval
3419		fi
3420	]
3421)
3422if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3423	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3424		[Cygwin function to fetch non-privileged user for privilege separation])
3425else
3426	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3427		[non-privileged user for privilege separation])
3428fi
3429AC_SUBST([SSH_PRIVSEP_USER])
3430
3431if test "x$have_linux_no_new_privs" = "x1" ; then
3432AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3433	#include <sys/types.h>
3434	#include <linux/seccomp.h>
3435])
3436fi
3437if test "x$have_seccomp_filter" = "x1" ; then
3438AC_MSG_CHECKING([kernel for seccomp_filter support])
3439AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3440		#include <errno.h>
3441		#include <elf.h>
3442		#include <linux/audit.h>
3443		#include <linux/seccomp.h>
3444		#include <stdlib.h>
3445		#include <sys/prctl.h>
3446	]],
3447	[[ int i = $seccomp_audit_arch;
3448	   errno = 0;
3449	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3450	   exit(errno == EFAULT ? 0 : 1); ]])],
3451	[ AC_MSG_RESULT([yes]) ], [
3452		AC_MSG_RESULT([no])
3453		# Disable seccomp filter as a target
3454		have_seccomp_filter=0
3455	]
3456)
3457fi
3458
3459# Decide which sandbox style to use
3460sandbox_arg=""
3461AC_ARG_WITH([sandbox],
3462	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3463	[
3464		if test "x$withval" = "xyes" ; then
3465			sandbox_arg=""
3466		else
3467			sandbox_arg="$withval"
3468		fi
3469	]
3470)
3471
3472# Some platforms (seems to be the ones that have a kernel poll(2)-type
3473# function with which they implement select(2)) use an extra file descriptor
3474# when calling select(2), which means we can't use the rlimit sandbox.
3475AC_MSG_CHECKING([if select works with descriptor rlimit])
3476AC_RUN_IFELSE(
3477	[AC_LANG_PROGRAM([[
3478#include <sys/types.h>
3479#ifdef HAVE_SYS_TIME_H
3480# include <sys/time.h>
3481#endif
3482#include <sys/resource.h>
3483#ifdef HAVE_SYS_SELECT_H
3484# include <sys/select.h>
3485#endif
3486#include <errno.h>
3487#include <fcntl.h>
3488#include <stdlib.h>
3489	]],[[
3490	struct rlimit rl_zero;
3491	int fd, r;
3492	fd_set fds;
3493	struct timeval tv;
3494
3495	fd = open("/dev/null", O_RDONLY);
3496	FD_ZERO(&fds);
3497	FD_SET(fd, &fds);
3498	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3499	setrlimit(RLIMIT_FSIZE, &rl_zero);
3500	setrlimit(RLIMIT_NOFILE, &rl_zero);
3501	tv.tv_sec = 1;
3502	tv.tv_usec = 0;
3503	r = select(fd+1, &fds, NULL, NULL, &tv);
3504	exit (r == -1 ? 1 : 0);
3505	]])],
3506	[AC_MSG_RESULT([yes])
3507	 select_works_with_rlimit=yes],
3508	[AC_MSG_RESULT([no])
3509	 select_works_with_rlimit=no],
3510	[AC_MSG_WARN([cross compiling: assuming yes])
3511	 select_works_with_rlimit=yes]
3512)
3513
3514AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3515AC_RUN_IFELSE(
3516	[AC_LANG_PROGRAM([[
3517#include <sys/types.h>
3518#ifdef HAVE_SYS_TIME_H
3519# include <sys/time.h>
3520#endif
3521#include <sys/resource.h>
3522#include <errno.h>
3523#include <stdlib.h>
3524	]],[[
3525	struct rlimit rl_zero;
3526	int r;
3527
3528	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3529	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3530	exit (r == -1 ? 1 : 0);
3531	]])],
3532	[AC_MSG_RESULT([yes])
3533	 rlimit_nofile_zero_works=yes],
3534	[AC_MSG_RESULT([no])
3535	 rlimit_nofile_zero_works=no],
3536	[AC_MSG_WARN([cross compiling: assuming yes])
3537	 rlimit_nofile_zero_works=yes]
3538)
3539
3540AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3541AC_RUN_IFELSE(
3542	[AC_LANG_PROGRAM([[
3543#include <sys/types.h>
3544#include <sys/resource.h>
3545#include <stdlib.h>
3546	]],[[
3547		struct rlimit rl_zero;
3548
3549		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3550		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3551	]])],
3552	[AC_MSG_RESULT([yes])],
3553	[AC_MSG_RESULT([no])
3554	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3555	    [setrlimit RLIMIT_FSIZE works])],
3556	[AC_MSG_WARN([cross compiling: assuming yes])]
3557)
3558
3559if test "x$sandbox_arg" = "xpledge" || \
3560   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3561	test "x$ac_cv_func_pledge" != "xyes" && \
3562		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3563	SANDBOX_STYLE="pledge"
3564	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3565elif test "x$sandbox_arg" = "xsystrace" || \
3566   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3567	test "x$have_systr_policy_kill" != "x1" && \
3568		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3569	SANDBOX_STYLE="systrace"
3570	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3571elif test "x$sandbox_arg" = "xdarwin" || \
3572     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3573       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3574	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3575	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3576		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3577	SANDBOX_STYLE="darwin"
3578	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3579elif test "x$sandbox_arg" = "xseccomp_filter" || \
3580     ( test -z "$sandbox_arg" && \
3581       test "x$have_seccomp_filter" = "x1" && \
3582       test "x$ac_cv_header_elf_h" = "xyes" && \
3583       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3584       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3585       test "x$seccomp_audit_arch" != "x" && \
3586       test "x$have_linux_no_new_privs" = "x1" && \
3587       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3588	test "x$seccomp_audit_arch" = "x" && \
3589		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3590	test "x$have_linux_no_new_privs" != "x1" && \
3591		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3592	test "x$have_seccomp_filter" != "x1" && \
3593		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3594	test "x$ac_cv_func_prctl" != "xyes" && \
3595		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3596	SANDBOX_STYLE="seccomp_filter"
3597	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3598elif test "x$sandbox_arg" = "xcapsicum" || \
3599     ( test -z "$sandbox_arg" && \
3600       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3601       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3602       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3603		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3604       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3605		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3606       SANDBOX_STYLE="capsicum"
3607       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3608elif test "x$sandbox_arg" = "xrlimit" || \
3609     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3610       test "x$select_works_with_rlimit" = "xyes" && \
3611       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3612	test "x$ac_cv_func_setrlimit" != "xyes" && \
3613		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3614	test "x$select_works_with_rlimit" != "xyes" && \
3615		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3616	SANDBOX_STYLE="rlimit"
3617	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3618elif test "x$sandbox_arg" = "xsolaris" || \
3619   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3620	SANDBOX_STYLE="solaris"
3621	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3622elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3623     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3624	SANDBOX_STYLE="none"
3625	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3626else
3627	AC_MSG_ERROR([unsupported --with-sandbox])
3628fi
3629
3630# Cheap hack to ensure NEWS-OS libraries are arranged right.
3631if test ! -z "$SONY" ; then
3632  LIBS="$LIBS -liberty";
3633fi
3634
3635# Check for  long long datatypes
3636AC_CHECK_TYPES([long long, unsigned long long, long double])
3637
3638# Check datatype sizes
3639AC_CHECK_SIZEOF([short int])
3640AC_CHECK_SIZEOF([int])
3641AC_CHECK_SIZEOF([long int])
3642AC_CHECK_SIZEOF([long long int])
3643
3644# Sanity check long long for some platforms (AIX)
3645if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3646	ac_cv_sizeof_long_long_int=0
3647fi
3648
3649# compute LLONG_MIN and LLONG_MAX if we don't know them.
3650if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3651	AC_MSG_CHECKING([for max value of long long])
3652	AC_RUN_IFELSE(
3653		[AC_LANG_PROGRAM([[
3654#include <stdio.h>
3655/* Why is this so damn hard? */
3656#ifdef __GNUC__
3657# undef __GNUC__
3658#endif
3659#define __USE_ISOC99
3660#include <limits.h>
3661#define DATA "conftest.llminmax"
3662#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3663
3664/*
3665 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3666 * we do this the hard way.
3667 */
3668static int
3669fprint_ll(FILE *f, long long n)
3670{
3671	unsigned int i;
3672	int l[sizeof(long long) * 8];
3673
3674	if (n < 0)
3675		if (fprintf(f, "-") < 0)
3676			return -1;
3677	for (i = 0; n != 0; i++) {
3678		l[i] = my_abs(n % 10);
3679		n /= 10;
3680	}
3681	do {
3682		if (fprintf(f, "%d", l[--i]) < 0)
3683			return -1;
3684	} while (i != 0);
3685	if (fprintf(f, " ") < 0)
3686		return -1;
3687	return 0;
3688}
3689		]], [[
3690	FILE *f;
3691	long long i, llmin, llmax = 0;
3692
3693	if((f = fopen(DATA,"w")) == NULL)
3694		exit(1);
3695
3696#if defined(LLONG_MIN) && defined(LLONG_MAX)
3697	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3698	llmin = LLONG_MIN;
3699	llmax = LLONG_MAX;
3700#else
3701	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3702	/* This will work on one's complement and two's complement */
3703	for (i = 1; i > llmax; i <<= 1, i++)
3704		llmax = i;
3705	llmin = llmax + 1LL;	/* wrap */
3706#endif
3707
3708	/* Sanity check */
3709	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3710	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3711	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3712		fprintf(f, "unknown unknown\n");
3713		exit(2);
3714	}
3715
3716	if (fprint_ll(f, llmin) < 0)
3717		exit(3);
3718	if (fprint_ll(f, llmax) < 0)
3719		exit(4);
3720	if (fclose(f) < 0)
3721		exit(5);
3722	exit(0);
3723		]])],
3724		[
3725			llong_min=`$AWK '{print $1}' conftest.llminmax`
3726			llong_max=`$AWK '{print $2}' conftest.llminmax`
3727
3728			AC_MSG_RESULT([$llong_max])
3729			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3730			    [max value of long long calculated by configure])
3731			AC_MSG_CHECKING([for min value of long long])
3732			AC_MSG_RESULT([$llong_min])
3733			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3734			    [min value of long long calculated by configure])
3735		],
3736		[
3737			AC_MSG_RESULT([not found])
3738		],
3739		[
3740			AC_MSG_WARN([cross compiling: not checking])
3741		]
3742	)
3743fi
3744
3745AC_CHECK_DECLS([UINT32_MAX], , , [[
3746#ifdef HAVE_SYS_LIMITS_H
3747# include <sys/limits.h>
3748#endif
3749#ifdef HAVE_LIMITS_H
3750# include <limits.h>
3751#endif
3752#ifdef HAVE_STDINT_H
3753# include <stdint.h>
3754#endif
3755]])
3756
3757# More checks for data types
3758AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3759	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3760	[[ u_int a; a = 1;]])],
3761	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3762	])
3763])
3764if test "x$ac_cv_have_u_int" = "xyes" ; then
3765	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3766	have_u_int=1
3767fi
3768
3769AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3770	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3771	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3772	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3773	])
3774])
3775if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3776	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3777	have_intxx_t=1
3778fi
3779
3780if (test -z "$have_intxx_t" && \
3781	   test "x$ac_cv_header_stdint_h" = "xyes")
3782then
3783    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3784	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3785	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3786		[
3787			AC_DEFINE([HAVE_INTXX_T])
3788			AC_MSG_RESULT([yes])
3789		], [ AC_MSG_RESULT([no])
3790	])
3791fi
3792
3793AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3794	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3795#include <sys/types.h>
3796#ifdef HAVE_STDINT_H
3797# include <stdint.h>
3798#endif
3799#include <sys/socket.h>
3800#ifdef HAVE_SYS_BITYPES_H
3801# include <sys/bitypes.h>
3802#endif
3803		]], [[
3804int64_t a; a = 1;
3805		]])],
3806	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3807	])
3808])
3809if test "x$ac_cv_have_int64_t" = "xyes" ; then
3810	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3811fi
3812
3813AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3814	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3815	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3816	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3817	])
3818])
3819if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3820	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3821	have_u_intxx_t=1
3822fi
3823
3824if test -z "$have_u_intxx_t" ; then
3825    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3826	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3827	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3828		[
3829			AC_DEFINE([HAVE_U_INTXX_T])
3830			AC_MSG_RESULT([yes])
3831		], [ AC_MSG_RESULT([no])
3832	])
3833fi
3834
3835AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3836	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3837	[[ u_int64_t a; a = 1;]])],
3838	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3839	])
3840])
3841if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3842	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3843	have_u_int64_t=1
3844fi
3845
3846if (test -z "$have_u_int64_t" && \
3847	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3848then
3849    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3850	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3851	[[ u_int64_t a; a = 1]])],
3852		[
3853			AC_DEFINE([HAVE_U_INT64_T])
3854			AC_MSG_RESULT([yes])
3855		], [ AC_MSG_RESULT([no])
3856	])
3857fi
3858
3859if test -z "$have_u_intxx_t" ; then
3860	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3861		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3862#include <sys/types.h>
3863			]], [[
3864	uint8_t a;
3865	uint16_t b;
3866	uint32_t c;
3867	a = b = c = 1;
3868			]])],
3869		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3870		])
3871	])
3872	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3873		AC_DEFINE([HAVE_UINTXX_T], [1],
3874			[define if you have uintxx_t data type])
3875	fi
3876fi
3877
3878if (test -z "$have_uintxx_t" && \
3879	   test "x$ac_cv_header_stdint_h" = "xyes")
3880then
3881    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3882	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3883	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3884		[
3885			AC_DEFINE([HAVE_UINTXX_T])
3886			AC_MSG_RESULT([yes])
3887		], [ AC_MSG_RESULT([no])
3888	])
3889fi
3890
3891if (test -z "$have_uintxx_t" && \
3892	   test "x$ac_cv_header_inttypes_h" = "xyes")
3893then
3894    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3895	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3896	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3897		[
3898			AC_DEFINE([HAVE_UINTXX_T])
3899			AC_MSG_RESULT([yes])
3900		], [ AC_MSG_RESULT([no])
3901	])
3902fi
3903
3904if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3905	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3906then
3907	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3908	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3909#include <sys/bitypes.h>
3910		]], [[
3911			int8_t a; int16_t b; int32_t c;
3912			u_int8_t e; u_int16_t f; u_int32_t g;
3913			a = b = c = e = f = g = 1;
3914		]])],
3915		[
3916			AC_DEFINE([HAVE_U_INTXX_T])
3917			AC_DEFINE([HAVE_INTXX_T])
3918			AC_MSG_RESULT([yes])
3919		], [AC_MSG_RESULT([no])
3920	])
3921fi
3922
3923
3924AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3925	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3926	[[ u_char foo; foo = 125; ]])],
3927	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3928	])
3929])
3930if test "x$ac_cv_have_u_char" = "xyes" ; then
3931	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3932fi
3933
3934AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3935#include <sys/types.h>
3936#ifdef HAVE_STDINT_H
3937# include <stdint.h>
3938#endif
3939])
3940
3941TYPE_SOCKLEN_T
3942
3943AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3944AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3945#include <sys/types.h>
3946#ifdef HAVE_SYS_BITYPES_H
3947#include <sys/bitypes.h>
3948#endif
3949#ifdef HAVE_SYS_STATFS_H
3950#include <sys/statfs.h>
3951#endif
3952#ifdef HAVE_SYS_STATVFS_H
3953#include <sys/statvfs.h>
3954#endif
3955])
3956
3957AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
3958#include <sys/param.h>
3959#include <sys/types.h>
3960#ifdef HAVE_SYS_BITYPES_H
3961#include <sys/bitypes.h>
3962#endif
3963#ifdef HAVE_SYS_STATFS_H
3964#include <sys/statfs.h>
3965#endif
3966#ifdef HAVE_SYS_STATVFS_H
3967#include <sys/statvfs.h>
3968#endif
3969#ifdef HAVE_SYS_VFS_H
3970#include <sys/vfs.h>
3971#endif
3972#ifdef HAVE_SYS_MOUNT_H
3973#include <sys/mount.h>
3974#endif
3975]])
3976
3977
3978AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3979[#include <sys/types.h>
3980#include <netinet/in.h>])
3981
3982AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3983	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3984	[[ size_t foo; foo = 1235; ]])],
3985	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3986	])
3987])
3988if test "x$ac_cv_have_size_t" = "xyes" ; then
3989	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3990fi
3991
3992AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3993	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3994	[[ ssize_t foo; foo = 1235; ]])],
3995	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3996	])
3997])
3998if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3999	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4000fi
4001
4002AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4003	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4004	[[ clock_t foo; foo = 1235; ]])],
4005	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4006	])
4007])
4008if test "x$ac_cv_have_clock_t" = "xyes" ; then
4009	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4010fi
4011
4012AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4013	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4014#include <sys/types.h>
4015#include <sys/socket.h>
4016		]], [[ sa_family_t foo; foo = 1235; ]])],
4017	[ ac_cv_have_sa_family_t="yes" ],
4018	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4019#include <sys/types.h>
4020#include <sys/socket.h>
4021#include <netinet/in.h>
4022		]], [[ sa_family_t foo; foo = 1235; ]])],
4023		[ ac_cv_have_sa_family_t="yes" ],
4024		[ ac_cv_have_sa_family_t="no" ]
4025	)
4026	])
4027])
4028if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4029	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4030		[define if you have sa_family_t data type])
4031fi
4032
4033AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4034	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4035	[[ pid_t foo; foo = 1235; ]])],
4036	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4037	])
4038])
4039if test "x$ac_cv_have_pid_t" = "xyes" ; then
4040	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4041fi
4042
4043AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4044	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4045	[[ mode_t foo; foo = 1235; ]])],
4046	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4047	])
4048])
4049if test "x$ac_cv_have_mode_t" = "xyes" ; then
4050	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4051fi
4052
4053
4054AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4055	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4056#include <sys/types.h>
4057#include <sys/socket.h>
4058		]], [[ struct sockaddr_storage s; ]])],
4059	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4060	[ ac_cv_have_struct_sockaddr_storage="no"
4061	])
4062])
4063if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4064	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4065		[define if you have struct sockaddr_storage data type])
4066fi
4067
4068AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4069	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4070#include <sys/types.h>
4071#include <netinet/in.h>
4072		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4073	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4074	[ ac_cv_have_struct_sockaddr_in6="no"
4075	])
4076])
4077if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4078	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4079		[define if you have struct sockaddr_in6 data type])
4080fi
4081
4082AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4083	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4084#include <sys/types.h>
4085#include <netinet/in.h>
4086		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4087	[ ac_cv_have_struct_in6_addr="yes" ],
4088	[ ac_cv_have_struct_in6_addr="no"
4089	])
4090])
4091if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4092	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4093		[define if you have struct in6_addr data type])
4094
4095dnl Now check for sin6_scope_id
4096	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4097		[
4098#ifdef HAVE_SYS_TYPES_H
4099#include <sys/types.h>
4100#endif
4101#include <netinet/in.h>
4102		])
4103fi
4104
4105AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4106	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4107#include <sys/types.h>
4108#include <sys/socket.h>
4109#include <netdb.h>
4110		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4111	[ ac_cv_have_struct_addrinfo="yes" ],
4112	[ ac_cv_have_struct_addrinfo="no"
4113	])
4114])
4115if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4116	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4117		[define if you have struct addrinfo data type])
4118fi
4119
4120AC_HEADER_TIME
4121
4122AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4123	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4124	[[ struct timeval tv; tv.tv_sec = 1;]])],
4125	[ ac_cv_have_struct_timeval="yes" ],
4126	[ ac_cv_have_struct_timeval="no"
4127	])
4128])
4129if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4130	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4131	have_struct_timeval=1
4132fi
4133
4134AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4135	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4136    #ifdef TIME_WITH_SYS_TIME
4137    # include <sys/time.h>
4138    # include <time.h>
4139    #else
4140    # ifdef HAVE_SYS_TIME_H
4141    #  include <sys/time.h>
4142    # else
4143    #  include <time.h>
4144    # endif
4145    #endif
4146	]],
4147	[[ struct timespec ts; ts.tv_sec = 1;]])],
4148	[ ac_cv_have_struct_timespec="yes" ],
4149	[ ac_cv_have_struct_timespec="no"
4150	])
4151])
4152if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4153	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4154	have_struct_timespec=1
4155fi
4156
4157# We need int64_t or else certain parts of the compile will fail.
4158if test "x$ac_cv_have_int64_t" = "xno" && \
4159	test "x$ac_cv_sizeof_long_int" != "x8" && \
4160	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4161	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4162	echo "an alternative compiler (I.E., GCC) before continuing."
4163	echo ""
4164	exit 1;
4165else
4166dnl test snprintf (broken on SCO w/gcc)
4167	AC_RUN_IFELSE(
4168		[AC_LANG_SOURCE([[
4169#include <stdio.h>
4170#include <string.h>
4171#ifdef HAVE_SNPRINTF
4172main()
4173{
4174	char buf[50];
4175	char expected_out[50];
4176	int mazsize = 50 ;
4177#if (SIZEOF_LONG_INT == 8)
4178	long int num = 0x7fffffffffffffff;
4179#else
4180	long long num = 0x7fffffffffffffffll;
4181#endif
4182	strcpy(expected_out, "9223372036854775807");
4183	snprintf(buf, mazsize, "%lld", num);
4184	if(strcmp(buf, expected_out) != 0)
4185		exit(1);
4186	exit(0);
4187}
4188#else
4189main() { exit(0); }
4190#endif
4191		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4192		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4193	)
4194fi
4195
4196dnl Checks for structure members
4197OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4198OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4199OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4200OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4201OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4202OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4203OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4204OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4205OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4206OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4207OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4208OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4209OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4210OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4211OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4212OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4213OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4214OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4215
4216AC_CHECK_MEMBERS([struct stat.st_blksize])
4217AC_CHECK_MEMBERS([struct stat.st_mtim])
4218AC_CHECK_MEMBERS([struct stat.st_mtime])
4219AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4220struct passwd.pw_change, struct passwd.pw_expire],
4221[], [], [[
4222#include <sys/types.h>
4223#include <pwd.h>
4224]])
4225
4226AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4227	[Define if we don't have struct __res_state in resolv.h])],
4228[[
4229#include <stdio.h>
4230#if HAVE_SYS_TYPES_H
4231# include <sys/types.h>
4232#endif
4233#include <netinet/in.h>
4234#include <arpa/nameser.h>
4235#include <resolv.h>
4236]])
4237
4238AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4239		ac_cv_have_ss_family_in_struct_ss, [
4240	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4241#include <sys/types.h>
4242#include <sys/socket.h>
4243		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4244	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4245	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4246])
4247if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4248	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4249fi
4250
4251AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4252		ac_cv_have___ss_family_in_struct_ss, [
4253	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4254#include <sys/types.h>
4255#include <sys/socket.h>
4256		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4257	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4258	[ ac_cv_have___ss_family_in_struct_ss="no"
4259	])
4260])
4261if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4262	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4263		[Fields in struct sockaddr_storage])
4264fi
4265
4266dnl make sure we're using the real structure members and not defines
4267AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4268		ac_cv_have_accrights_in_msghdr, [
4269	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4270#include <sys/types.h>
4271#include <sys/socket.h>
4272#include <sys/uio.h>
4273		]], [[
4274#ifdef msg_accrights
4275#error "msg_accrights is a macro"
4276exit(1);
4277#endif
4278struct msghdr m;
4279m.msg_accrights = 0;
4280exit(0);
4281		]])],
4282		[ ac_cv_have_accrights_in_msghdr="yes" ],
4283		[ ac_cv_have_accrights_in_msghdr="no" ]
4284	)
4285])
4286if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4287	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4288		[Define if your system uses access rights style
4289		file descriptor passing])
4290fi
4291
4292AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4293AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4294#include <sys/param.h>
4295#include <sys/stat.h>
4296#ifdef HAVE_SYS_TIME_H
4297# include <sys/time.h>
4298#endif
4299#ifdef HAVE_SYS_MOUNT_H
4300#include <sys/mount.h>
4301#endif
4302#ifdef HAVE_SYS_STATVFS_H
4303#include <sys/statvfs.h>
4304#endif
4305	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4306	[ AC_MSG_RESULT([yes]) ],
4307	[ AC_MSG_RESULT([no])
4308
4309	AC_MSG_CHECKING([if fsid_t has member val])
4310	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4311#include <sys/types.h>
4312#include <sys/statvfs.h>
4313	]], [[ fsid_t t; t.val[0] = 0; ]])],
4314	[ AC_MSG_RESULT([yes])
4315	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4316	[ AC_MSG_RESULT([no]) ])
4317
4318	AC_MSG_CHECKING([if f_fsid has member __val])
4319	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4320#include <sys/types.h>
4321#include <sys/statvfs.h>
4322	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4323	[ AC_MSG_RESULT([yes])
4324	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4325	[ AC_MSG_RESULT([no]) ])
4326])
4327
4328AC_CACHE_CHECK([for msg_control field in struct msghdr],
4329		ac_cv_have_control_in_msghdr, [
4330	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4331#include <sys/types.h>
4332#include <sys/socket.h>
4333#include <sys/uio.h>
4334		]], [[
4335#ifdef msg_control
4336#error "msg_control is a macro"
4337exit(1);
4338#endif
4339struct msghdr m;
4340m.msg_control = 0;
4341exit(0);
4342		]])],
4343		[ ac_cv_have_control_in_msghdr="yes" ],
4344		[ ac_cv_have_control_in_msghdr="no" ]
4345	)
4346])
4347if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4348	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4349		[Define if your system uses ancillary data style
4350		file descriptor passing])
4351fi
4352
4353AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4354	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4355		[[ extern char *__progname; printf("%s", __progname); ]])],
4356	[ ac_cv_libc_defines___progname="yes" ],
4357	[ ac_cv_libc_defines___progname="no"
4358	])
4359])
4360if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4361	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4362fi
4363
4364AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4365	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4366		[[ printf("%s", __FUNCTION__); ]])],
4367	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4368	[ ac_cv_cc_implements___FUNCTION__="no"
4369	])
4370])
4371if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4372	AC_DEFINE([HAVE___FUNCTION__], [1],
4373		[Define if compiler implements __FUNCTION__])
4374fi
4375
4376AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4377	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4378		[[ printf("%s", __func__); ]])],
4379	[ ac_cv_cc_implements___func__="yes" ],
4380	[ ac_cv_cc_implements___func__="no"
4381	])
4382])
4383if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4384	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4385fi
4386
4387AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4388	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4389#include <stdarg.h>
4390va_list x,y;
4391		]], [[ va_copy(x,y); ]])],
4392	[ ac_cv_have_va_copy="yes" ],
4393	[ ac_cv_have_va_copy="no"
4394	])
4395])
4396if test "x$ac_cv_have_va_copy" = "xyes" ; then
4397	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4398fi
4399
4400AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4401	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4402#include <stdarg.h>
4403va_list x,y;
4404		]], [[ __va_copy(x,y); ]])],
4405	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4406	])
4407])
4408if test "x$ac_cv_have___va_copy" = "xyes" ; then
4409	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4410fi
4411
4412AC_CACHE_CHECK([whether getopt has optreset support],
4413		ac_cv_have_getopt_optreset, [
4414	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4415		[[ extern int optreset; optreset = 0; ]])],
4416	[ ac_cv_have_getopt_optreset="yes" ],
4417	[ ac_cv_have_getopt_optreset="no"
4418	])
4419])
4420if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4421	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4422		[Define if your getopt(3) defines and uses optreset])
4423fi
4424
4425AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4426	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4427[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4428	[ ac_cv_libc_defines_sys_errlist="yes" ],
4429	[ ac_cv_libc_defines_sys_errlist="no"
4430	])
4431])
4432if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4433	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4434		[Define if your system defines sys_errlist[]])
4435fi
4436
4437
4438AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4439	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4440[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4441	[ ac_cv_libc_defines_sys_nerr="yes" ],
4442	[ ac_cv_libc_defines_sys_nerr="no"
4443	])
4444])
4445if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4446	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4447fi
4448
4449# Check libraries needed by DNS fingerprint support
4450AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4451	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4452		[Define if getrrsetbyname() exists])],
4453	[
4454		# Needed by our getrrsetbyname()
4455		AC_SEARCH_LIBS([res_query], [resolv])
4456		AC_SEARCH_LIBS([dn_expand], [resolv])
4457		AC_MSG_CHECKING([if res_query will link])
4458		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4459#include <sys/types.h>
4460#include <netinet/in.h>
4461#include <arpa/nameser.h>
4462#include <netdb.h>
4463#include <resolv.h>
4464				]], [[
4465	res_query (0, 0, 0, 0, 0);
4466				]])],
4467		    AC_MSG_RESULT([yes]),
4468		   [AC_MSG_RESULT([no])
4469		    saved_LIBS="$LIBS"
4470		    LIBS="$LIBS -lresolv"
4471		    AC_MSG_CHECKING([for res_query in -lresolv])
4472		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4473#include <sys/types.h>
4474#include <netinet/in.h>
4475#include <arpa/nameser.h>
4476#include <netdb.h>
4477#include <resolv.h>
4478				]], [[
4479	res_query (0, 0, 0, 0, 0);
4480				]])],
4481			[AC_MSG_RESULT([yes])],
4482			[LIBS="$saved_LIBS"
4483			 AC_MSG_RESULT([no])])
4484		    ])
4485		AC_CHECK_FUNCS([_getshort _getlong])
4486		AC_CHECK_DECLS([_getshort, _getlong], , ,
4487		    [#include <sys/types.h>
4488		    #include <arpa/nameser.h>])
4489		AC_CHECK_MEMBER([HEADER.ad],
4490			[AC_DEFINE([HAVE_HEADER_AD], [1],
4491			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4492			[#include <arpa/nameser.h>])
4493	])
4494
4495AC_MSG_CHECKING([if struct __res_state _res is an extern])
4496AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4497#include <stdio.h>
4498#if HAVE_SYS_TYPES_H
4499# include <sys/types.h>
4500#endif
4501#include <netinet/in.h>
4502#include <arpa/nameser.h>
4503#include <resolv.h>
4504extern struct __res_state _res;
4505		]], [[
4506struct __res_state *volatile p = &_res;  /* force resolution of _res */
4507return 0;
4508		]],)],
4509		[AC_MSG_RESULT([yes])
4510		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4511		    [Define if you have struct __res_state _res as an extern])
4512		],
4513		[ AC_MSG_RESULT([no]) ]
4514)
4515
4516# Check whether user wants SELinux support
4517SELINUX_MSG="no"
4518LIBSELINUX=""
4519AC_ARG_WITH([selinux],
4520	[  --with-selinux          Enable SELinux support],
4521	[ if test "x$withval" != "xno" ; then
4522		save_LIBS="$LIBS"
4523		AC_DEFINE([WITH_SELINUX], [1],
4524			[Define if you want SELinux support.])
4525		SELINUX_MSG="yes"
4526		AC_CHECK_HEADER([selinux/selinux.h], ,
4527			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4528		AC_CHECK_LIB([selinux], [setexeccon],
4529			[ LIBSELINUX="-lselinux"
4530			  LIBS="$LIBS -lselinux"
4531			],
4532			AC_MSG_ERROR([SELinux support requires libselinux library]))
4533		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4534		LIBS="$save_LIBS $LIBSELINUX"
4535	fi ]
4536)
4537AC_SUBST([SSHDLIBS])
4538
4539# Check whether user wants Kerberos 5 support
4540KRB5_MSG="no"
4541AC_ARG_WITH([kerberos5],
4542	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4543	[ if test "x$withval" != "xno" ; then
4544		if test "x$withval" = "xyes" ; then
4545			KRB5ROOT="/usr/local"
4546		else
4547			KRB5ROOT=${withval}
4548		fi
4549
4550		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4551		KRB5_MSG="yes"
4552
4553		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4554			     [$KRB5ROOT/bin/krb5-config],
4555			     [$KRB5ROOT/bin:$PATH])
4556		if test -x $KRB5CONF ; then
4557			K5CFLAGS="`$KRB5CONF --cflags`"
4558			K5LIBS="`$KRB5CONF --libs`"
4559			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4560
4561			AC_MSG_CHECKING([for gssapi support])
4562			if $KRB5CONF | grep gssapi >/dev/null ; then
4563				AC_MSG_RESULT([yes])
4564				AC_DEFINE([GSSAPI], [1],
4565					[Define this if you want GSSAPI
4566					support in the version 2 protocol])
4567				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4568				GSSLIBS="`$KRB5CONF --libs gssapi`"
4569				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4570			else
4571				AC_MSG_RESULT([no])
4572			fi
4573			AC_MSG_CHECKING([whether we are using Heimdal])
4574			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4575				]], [[ char *tmp = heimdal_version; ]])],
4576				[ AC_MSG_RESULT([yes])
4577				AC_DEFINE([HEIMDAL], [1],
4578				[Define this if you are using the Heimdal
4579				version of Kerberos V5]) ],
4580				[AC_MSG_RESULT([no])
4581			])
4582		else
4583			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4584			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4585			AC_MSG_CHECKING([whether we are using Heimdal])
4586			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4587				]], [[ char *tmp = heimdal_version; ]])],
4588					[ AC_MSG_RESULT([yes])
4589					 AC_DEFINE([HEIMDAL])
4590					 K5LIBS="-lkrb5"
4591					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4592					 AC_CHECK_LIB([roken], [net_write],
4593					   [K5LIBS="$K5LIBS -lroken"])
4594					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4595					   [K5LIBS="$K5LIBS -ldes"])
4596				       ], [ AC_MSG_RESULT([no])
4597					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4598			])
4599			AC_SEARCH_LIBS([dn_expand], [resolv])
4600
4601			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4602				[ AC_DEFINE([GSSAPI])
4603				  GSSLIBS="-lgssapi_krb5" ],
4604				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4605					[ AC_DEFINE([GSSAPI])
4606					  GSSLIBS="-lgssapi" ],
4607					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4608						[ AC_DEFINE([GSSAPI])
4609						  GSSLIBS="-lgss" ],
4610						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4611					])
4612				])
4613
4614			AC_CHECK_HEADER([gssapi.h], ,
4615				[ unset ac_cv_header_gssapi_h
4616				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4617				  AC_CHECK_HEADERS([gssapi.h], ,
4618					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4619				  )
4620				]
4621			)
4622
4623			oldCPP="$CPPFLAGS"
4624			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4625			AC_CHECK_HEADER([gssapi_krb5.h], ,
4626					[ CPPFLAGS="$oldCPP" ])
4627
4628		fi
4629		if test -n "${rpath_opt}" ; then
4630			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4631		fi
4632		if test ! -z "$blibpath" ; then
4633			blibpath="$blibpath:${KRB5ROOT}/lib"
4634		fi
4635
4636		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4637		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4638		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4639
4640		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4641			[Define this if you want to use libkafs' AFS support])])
4642
4643		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4644#ifdef HAVE_GSSAPI_H
4645# include <gssapi.h>
4646#elif defined(HAVE_GSSAPI_GSSAPI_H)
4647# include <gssapi/gssapi.h>
4648#endif
4649
4650#ifdef HAVE_GSSAPI_GENERIC_H
4651# include <gssapi_generic.h>
4652#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4653# include <gssapi/gssapi_generic.h>
4654#endif
4655		]])
4656		saved_LIBS="$LIBS"
4657		LIBS="$LIBS $K5LIBS"
4658		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4659		LIBS="$saved_LIBS"
4660
4661	fi
4662	]
4663)
4664AC_SUBST([GSSLIBS])
4665AC_SUBST([K5LIBS])
4666
4667# Looking for programs, paths and files
4668
4669PRIVSEP_PATH=/var/empty
4670AC_ARG_WITH([privsep-path],
4671	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4672	[
4673		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4674		    test "x${withval}" != "xyes"; then
4675			PRIVSEP_PATH=$withval
4676		fi
4677	]
4678)
4679AC_SUBST([PRIVSEP_PATH])
4680
4681AC_ARG_WITH([xauth],
4682	[  --with-xauth=PATH       Specify path to xauth program ],
4683	[
4684		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4685		    test "x${withval}" != "xyes"; then
4686			xauth_path=$withval
4687		fi
4688	],
4689	[
4690		TestPath="$PATH"
4691		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4692		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4693		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4694		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4695		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4696		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4697			xauth_path="/usr/openwin/bin/xauth"
4698		fi
4699	]
4700)
4701
4702STRIP_OPT=-s
4703AC_ARG_ENABLE([strip],
4704	[  --disable-strip         Disable calling strip(1) on install],
4705	[
4706		if test "x$enableval" = "xno" ; then
4707			STRIP_OPT=
4708		fi
4709	]
4710)
4711AC_SUBST([STRIP_OPT])
4712
4713if test -z "$xauth_path" ; then
4714	XAUTH_PATH="undefined"
4715	AC_SUBST([XAUTH_PATH])
4716else
4717	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4718		[Define if xauth is found in your path])
4719	XAUTH_PATH=$xauth_path
4720	AC_SUBST([XAUTH_PATH])
4721fi
4722
4723dnl # --with-maildir=/path/to/mail gets top priority.
4724dnl # if maildir is set in the platform case statement above we use that.
4725dnl # Otherwise we run a program to get the dir from system headers.
4726dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4727dnl # If we find _PATH_MAILDIR we do nothing because that is what
4728dnl # session.c expects anyway. Otherwise we set to the value found
4729dnl # stripping any trailing slash. If for some strage reason our program
4730dnl # does not find what it needs, we default to /var/spool/mail.
4731# Check for mail directory
4732AC_ARG_WITH([maildir],
4733    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4734    [
4735	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4736	    test "x${withval}" != xyes; then
4737		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4738            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4739	    fi
4740     ],[
4741	if test "X$maildir" != "X"; then
4742	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4743	else
4744	    AC_MSG_CHECKING([Discovering system mail directory])
4745	    AC_RUN_IFELSE(
4746		[AC_LANG_PROGRAM([[
4747#include <stdio.h>
4748#include <string.h>
4749#ifdef HAVE_PATHS_H
4750#include <paths.h>
4751#endif
4752#ifdef HAVE_MAILLOCK_H
4753#include <maillock.h>
4754#endif
4755#define DATA "conftest.maildir"
4756	]], [[
4757	FILE *fd;
4758	int rc;
4759
4760	fd = fopen(DATA,"w");
4761	if(fd == NULL)
4762		exit(1);
4763
4764#if defined (_PATH_MAILDIR)
4765	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4766		exit(1);
4767#elif defined (MAILDIR)
4768	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4769		exit(1);
4770#elif defined (_PATH_MAIL)
4771	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4772		exit(1);
4773#else
4774	exit (2);
4775#endif
4776
4777	exit(0);
4778		]])],
4779		[
4780		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4781		    maildir=`awk -F: '{print $2}' conftest.maildir \
4782			| sed 's|/$||'`
4783		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4784		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4785			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4786		    fi
4787		],
4788		[
4789		    if test "X$ac_status" = "X2";then
4790# our test program didn't find it. Default to /var/spool/mail
4791			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4792			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4793		     else
4794			AC_MSG_RESULT([*** not found ***])
4795		     fi
4796		],
4797		[
4798			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4799		]
4800	    )
4801	fi
4802    ]
4803) # maildir
4804
4805if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4806	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4807	disable_ptmx_check=yes
4808fi
4809if test -z "$no_dev_ptmx" ; then
4810	if test "x$disable_ptmx_check" != "xyes" ; then
4811		AC_CHECK_FILE(["/dev/ptmx"],
4812			[
4813				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4814					[Define if you have /dev/ptmx])
4815				have_dev_ptmx=1
4816			]
4817		)
4818	fi
4819fi
4820
4821if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4822	AC_CHECK_FILE(["/dev/ptc"],
4823		[
4824			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4825				[Define if you have /dev/ptc])
4826			have_dev_ptc=1
4827		]
4828	)
4829else
4830	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4831fi
4832
4833# Options from here on. Some of these are preset by platform above
4834AC_ARG_WITH([mantype],
4835	[  --with-mantype=man|cat|doc  Set man page type],
4836	[
4837		case "$withval" in
4838		man|cat|doc)
4839			MANTYPE=$withval
4840			;;
4841		*)
4842			AC_MSG_ERROR([invalid man type: $withval])
4843			;;
4844		esac
4845	]
4846)
4847if test -z "$MANTYPE"; then
4848	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4849		MANTYPE=doc
4850	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4851		MANTYPE=doc
4852	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4853		MANTYPE=man
4854	else
4855		MANTYPE=cat
4856	fi
4857fi
4858AC_SUBST([MANTYPE])
4859if test "$MANTYPE" = "doc"; then
4860	mansubdir=man;
4861else
4862	mansubdir=$MANTYPE;
4863fi
4864AC_SUBST([mansubdir])
4865
4866# Check whether to enable MD5 passwords
4867MD5_MSG="no"
4868AC_ARG_WITH([md5-passwords],
4869	[  --with-md5-passwords    Enable use of MD5 passwords],
4870	[
4871		if test "x$withval" != "xno" ; then
4872			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4873				[Define if you want to allow MD5 passwords])
4874			MD5_MSG="yes"
4875		fi
4876	]
4877)
4878
4879# Whether to disable shadow password support
4880AC_ARG_WITH([shadow],
4881	[  --without-shadow        Disable shadow password support],
4882	[
4883		if test "x$withval" = "xno" ; then
4884			AC_DEFINE([DISABLE_SHADOW])
4885			disable_shadow=yes
4886		fi
4887	]
4888)
4889
4890if test -z "$disable_shadow" ; then
4891	AC_MSG_CHECKING([if the systems has expire shadow information])
4892	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4893#include <sys/types.h>
4894#include <shadow.h>
4895struct spwd sp;
4896		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4897		[ sp_expire_available=yes ], [
4898	])
4899
4900	if test "x$sp_expire_available" = "xyes" ; then
4901		AC_MSG_RESULT([yes])
4902		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4903		    [Define if you want to use shadow password expire field])
4904	else
4905		AC_MSG_RESULT([no])
4906	fi
4907fi
4908
4909# Use ip address instead of hostname in $DISPLAY
4910if test ! -z "$IPADDR_IN_DISPLAY" ; then
4911	DISPLAY_HACK_MSG="yes"
4912	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4913		[Define if you need to use IP address
4914		instead of hostname in $DISPLAY])
4915else
4916	DISPLAY_HACK_MSG="no"
4917	AC_ARG_WITH([ipaddr-display],
4918		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4919		[
4920			if test "x$withval" != "xno" ; then
4921				AC_DEFINE([IPADDR_IN_DISPLAY])
4922				DISPLAY_HACK_MSG="yes"
4923			fi
4924		]
4925	)
4926fi
4927
4928# check for /etc/default/login and use it if present.
4929AC_ARG_ENABLE([etc-default-login],
4930	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4931	[ if test "x$enableval" = "xno"; then
4932		AC_MSG_NOTICE([/etc/default/login handling disabled])
4933		etc_default_login=no
4934	  else
4935		etc_default_login=yes
4936	  fi ],
4937	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4938	  then
4939		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4940		etc_default_login=no
4941	  else
4942		etc_default_login=yes
4943	  fi ]
4944)
4945
4946if test "x$etc_default_login" != "xno"; then
4947	AC_CHECK_FILE(["/etc/default/login"],
4948	    [ external_path_file=/etc/default/login ])
4949	if test "x$external_path_file" = "x/etc/default/login"; then
4950		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4951			[Define if your system has /etc/default/login])
4952	fi
4953fi
4954
4955dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4956if test $ac_cv_func_login_getcapbool = "yes" && \
4957	test $ac_cv_header_login_cap_h = "yes" ; then
4958	external_path_file=/etc/login.conf
4959fi
4960
4961# Whether to mess with the default path
4962SERVER_PATH_MSG="(default)"
4963AC_ARG_WITH([default-path],
4964	[  --with-default-path=    Specify default $PATH environment for server],
4965	[
4966		if test "x$external_path_file" = "x/etc/login.conf" ; then
4967			AC_MSG_WARN([
4968--with-default-path=PATH has no effect on this system.
4969Edit /etc/login.conf instead.])
4970		elif test "x$withval" != "xno" ; then
4971			if test ! -z "$external_path_file" ; then
4972				AC_MSG_WARN([
4973--with-default-path=PATH will only be used if PATH is not defined in
4974$external_path_file .])
4975			fi
4976			user_path="$withval"
4977			SERVER_PATH_MSG="$withval"
4978		fi
4979	],
4980	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4981		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4982	else
4983		if test ! -z "$external_path_file" ; then
4984			AC_MSG_WARN([
4985If PATH is defined in $external_path_file, ensure the path to scp is included,
4986otherwise scp will not work.])
4987		fi
4988		AC_RUN_IFELSE(
4989			[AC_LANG_PROGRAM([[
4990/* find out what STDPATH is */
4991#include <stdio.h>
4992#ifdef HAVE_PATHS_H
4993# include <paths.h>
4994#endif
4995#ifndef _PATH_STDPATH
4996# ifdef _PATH_USERPATH	/* Irix */
4997#  define _PATH_STDPATH _PATH_USERPATH
4998# else
4999#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5000# endif
5001#endif
5002#include <sys/types.h>
5003#include <sys/stat.h>
5004#include <fcntl.h>
5005#define DATA "conftest.stdpath"
5006			]], [[
5007	FILE *fd;
5008	int rc;
5009
5010	fd = fopen(DATA,"w");
5011	if(fd == NULL)
5012		exit(1);
5013
5014	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5015		exit(1);
5016
5017	exit(0);
5018		]])],
5019		[ user_path=`cat conftest.stdpath` ],
5020		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5021		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5022	)
5023# make sure $bindir is in USER_PATH so scp will work
5024		t_bindir="${bindir}"
5025		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5026			t_bindir=`eval echo ${t_bindir}`
5027			case $t_bindir in
5028				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5029			esac
5030			case $t_bindir in
5031				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5032			esac
5033		done
5034		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5035		if test $? -ne 0  ; then
5036			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5037			if test $? -ne 0  ; then
5038				user_path=$user_path:$t_bindir
5039				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5040			fi
5041		fi
5042	fi ]
5043)
5044if test "x$external_path_file" != "x/etc/login.conf" ; then
5045	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5046	AC_SUBST([user_path])
5047fi
5048
5049# Set superuser path separately to user path
5050AC_ARG_WITH([superuser-path],
5051	[  --with-superuser-path=  Specify different path for super-user],
5052	[
5053		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5054		    test "x${withval}" != "xyes"; then
5055			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5056				[Define if you want a different $PATH
5057				for the superuser])
5058			superuser_path=$withval
5059		fi
5060	]
5061)
5062
5063
5064AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5065IPV4_IN6_HACK_MSG="no"
5066AC_ARG_WITH(4in6,
5067	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5068	[
5069		if test "x$withval" != "xno" ; then
5070			AC_MSG_RESULT([yes])
5071			AC_DEFINE([IPV4_IN_IPV6], [1],
5072				[Detect IPv4 in IPv6 mapped addresses
5073				and treat as IPv4])
5074			IPV4_IN6_HACK_MSG="yes"
5075		else
5076			AC_MSG_RESULT([no])
5077		fi
5078	], [
5079		if test "x$inet6_default_4in6" = "xyes"; then
5080			AC_MSG_RESULT([yes (default)])
5081			AC_DEFINE([IPV4_IN_IPV6])
5082			IPV4_IN6_HACK_MSG="yes"
5083		else
5084			AC_MSG_RESULT([no (default)])
5085		fi
5086	]
5087)
5088
5089# Whether to enable BSD auth support
5090BSD_AUTH_MSG=no
5091AC_ARG_WITH([bsd-auth],
5092	[  --with-bsd-auth         Enable BSD auth support],
5093	[
5094		if test "x$withval" != "xno" ; then
5095			AC_DEFINE([BSD_AUTH], [1],
5096				[Define if you have BSD auth support])
5097			BSD_AUTH_MSG=yes
5098		fi
5099	]
5100)
5101
5102# Where to place sshd.pid
5103piddir=/var/run
5104# make sure the directory exists
5105if test ! -d $piddir ; then
5106	piddir=`eval echo ${sysconfdir}`
5107	case $piddir in
5108		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5109	esac
5110fi
5111
5112AC_ARG_WITH([pid-dir],
5113	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5114	[
5115		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5116		    test "x${withval}" != "xyes"; then
5117			piddir=$withval
5118			if test ! -d $piddir ; then
5119			AC_MSG_WARN([** no $piddir directory on this system **])
5120			fi
5121		fi
5122	]
5123)
5124
5125AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5126	[Specify location of ssh.pid])
5127AC_SUBST([piddir])
5128
5129dnl allow user to disable some login recording features
5130AC_ARG_ENABLE([lastlog],
5131	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5132	[
5133		if test "x$enableval" = "xno" ; then
5134			AC_DEFINE([DISABLE_LASTLOG])
5135		fi
5136	]
5137)
5138AC_ARG_ENABLE([utmp],
5139	[  --disable-utmp          disable use of utmp even if detected [no]],
5140	[
5141		if test "x$enableval" = "xno" ; then
5142			AC_DEFINE([DISABLE_UTMP])
5143		fi
5144	]
5145)
5146AC_ARG_ENABLE([utmpx],
5147	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5148	[
5149		if test "x$enableval" = "xno" ; then
5150			AC_DEFINE([DISABLE_UTMPX], [1],
5151				[Define if you don't want to use utmpx])
5152		fi
5153	]
5154)
5155AC_ARG_ENABLE([wtmp],
5156	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5157	[
5158		if test "x$enableval" = "xno" ; then
5159			AC_DEFINE([DISABLE_WTMP])
5160		fi
5161	]
5162)
5163AC_ARG_ENABLE([wtmpx],
5164	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5165	[
5166		if test "x$enableval" = "xno" ; then
5167			AC_DEFINE([DISABLE_WTMPX], [1],
5168				[Define if you don't want to use wtmpx])
5169		fi
5170	]
5171)
5172AC_ARG_ENABLE([libutil],
5173	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5174	[
5175		if test "x$enableval" = "xno" ; then
5176			AC_DEFINE([DISABLE_LOGIN])
5177		fi
5178	]
5179)
5180AC_ARG_ENABLE([pututline],
5181	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5182	[
5183		if test "x$enableval" = "xno" ; then
5184			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5185				[Define if you don't want to use pututline()
5186				etc. to write [uw]tmp])
5187		fi
5188	]
5189)
5190AC_ARG_ENABLE([pututxline],
5191	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5192	[
5193		if test "x$enableval" = "xno" ; then
5194			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5195				[Define if you don't want to use pututxline()
5196				etc. to write [uw]tmpx])
5197		fi
5198	]
5199)
5200AC_ARG_WITH([lastlog],
5201  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5202	[
5203		if test "x$withval" = "xno" ; then
5204			AC_DEFINE([DISABLE_LASTLOG])
5205		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5206			conf_lastlog_location=$withval
5207		fi
5208	]
5209)
5210
5211dnl lastlog, [uw]tmpx? detection
5212dnl  NOTE: set the paths in the platform section to avoid the
5213dnl   need for command-line parameters
5214dnl lastlog and [uw]tmp are subject to a file search if all else fails
5215
5216dnl lastlog detection
5217dnl  NOTE: the code itself will detect if lastlog is a directory
5218AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5219AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5220#include <sys/types.h>
5221#include <utmp.h>
5222#ifdef HAVE_LASTLOG_H
5223#  include <lastlog.h>
5224#endif
5225#ifdef HAVE_PATHS_H
5226#  include <paths.h>
5227#endif
5228#ifdef HAVE_LOGIN_H
5229# include <login.h>
5230#endif
5231	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5232		[ AC_MSG_RESULT([yes]) ],
5233		[
5234		AC_MSG_RESULT([no])
5235		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5236		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5237#include <sys/types.h>
5238#include <utmp.h>
5239#ifdef HAVE_LASTLOG_H
5240#  include <lastlog.h>
5241#endif
5242#ifdef HAVE_PATHS_H
5243#  include <paths.h>
5244#endif
5245		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5246		[ AC_MSG_RESULT([yes]) ],
5247		[
5248			AC_MSG_RESULT([no])
5249			system_lastlog_path=no
5250		])
5251])
5252
5253if test -z "$conf_lastlog_location"; then
5254	if test x"$system_lastlog_path" = x"no" ; then
5255		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5256				if (test -d "$f" || test -f "$f") ; then
5257					conf_lastlog_location=$f
5258				fi
5259		done
5260		if test -z "$conf_lastlog_location"; then
5261			AC_MSG_WARN([** Cannot find lastlog **])
5262			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5263		fi
5264	fi
5265fi
5266
5267if test -n "$conf_lastlog_location"; then
5268	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5269		[Define if you want to specify the path to your lastlog file])
5270fi
5271
5272dnl utmp detection
5273AC_MSG_CHECKING([if your system defines UTMP_FILE])
5274AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5275#include <sys/types.h>
5276#include <utmp.h>
5277#ifdef HAVE_PATHS_H
5278#  include <paths.h>
5279#endif
5280	]], [[ char *utmp = UTMP_FILE; ]])],
5281	[ AC_MSG_RESULT([yes]) ],
5282	[ AC_MSG_RESULT([no])
5283	  system_utmp_path=no
5284])
5285if test -z "$conf_utmp_location"; then
5286	if test x"$system_utmp_path" = x"no" ; then
5287		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5288			if test -f $f ; then
5289				conf_utmp_location=$f
5290			fi
5291		done
5292		if test -z "$conf_utmp_location"; then
5293			AC_DEFINE([DISABLE_UTMP])
5294		fi
5295	fi
5296fi
5297if test -n "$conf_utmp_location"; then
5298	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5299		[Define if you want to specify the path to your utmp file])
5300fi
5301
5302dnl wtmp detection
5303AC_MSG_CHECKING([if your system defines WTMP_FILE])
5304AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5305#include <sys/types.h>
5306#include <utmp.h>
5307#ifdef HAVE_PATHS_H
5308#  include <paths.h>
5309#endif
5310	]], [[ char *wtmp = WTMP_FILE; ]])],
5311	[ AC_MSG_RESULT([yes]) ],
5312	[ AC_MSG_RESULT([no])
5313	  system_wtmp_path=no
5314])
5315if test -z "$conf_wtmp_location"; then
5316	if test x"$system_wtmp_path" = x"no" ; then
5317		for f in /usr/adm/wtmp /var/log/wtmp; do
5318			if test -f $f ; then
5319				conf_wtmp_location=$f
5320			fi
5321		done
5322		if test -z "$conf_wtmp_location"; then
5323			AC_DEFINE([DISABLE_WTMP])
5324		fi
5325	fi
5326fi
5327if test -n "$conf_wtmp_location"; then
5328	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5329		[Define if you want to specify the path to your wtmp file])
5330fi
5331
5332dnl wtmpx detection
5333AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5334AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5335#include <sys/types.h>
5336#include <utmp.h>
5337#ifdef HAVE_UTMPX_H
5338#include <utmpx.h>
5339#endif
5340#ifdef HAVE_PATHS_H
5341#  include <paths.h>
5342#endif
5343	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5344	[ AC_MSG_RESULT([yes]) ],
5345	[ AC_MSG_RESULT([no])
5346	  system_wtmpx_path=no
5347])
5348if test -z "$conf_wtmpx_location"; then
5349	if test x"$system_wtmpx_path" = x"no" ; then
5350		AC_DEFINE([DISABLE_WTMPX])
5351	fi
5352else
5353	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5354		[Define if you want to specify the path to your wtmpx file])
5355fi
5356
5357
5358if test ! -z "$blibpath" ; then
5359	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5360	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5361fi
5362
5363AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5364    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5365	AC_DEFINE([DISABLE_LASTLOG])
5366    fi
5367	], [
5368#ifdef HAVE_SYS_TYPES_H
5369#include <sys/types.h>
5370#endif
5371#ifdef HAVE_UTMP_H
5372#include <utmp.h>
5373#endif
5374#ifdef HAVE_UTMPX_H
5375#include <utmpx.h>
5376#endif
5377#ifdef HAVE_LASTLOG_H
5378#include <lastlog.h>
5379#endif
5380	])
5381
5382AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5383	AC_DEFINE([DISABLE_UTMP])
5384	AC_DEFINE([DISABLE_WTMP])
5385	], [
5386#ifdef HAVE_SYS_TYPES_H
5387#include <sys/types.h>
5388#endif
5389#ifdef HAVE_UTMP_H
5390#include <utmp.h>
5391#endif
5392#ifdef HAVE_UTMPX_H
5393#include <utmpx.h>
5394#endif
5395#ifdef HAVE_LASTLOG_H
5396#include <lastlog.h>
5397#endif
5398	])
5399
5400dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5401dnl Add now.
5402CFLAGS="$CFLAGS $werror_flags"
5403
5404if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5405	TEST_SSH_IPV6=no
5406else
5407	TEST_SSH_IPV6=yes
5408fi
5409AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5410AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5411AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5412AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5413AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5414AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5415
5416CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5417LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5418
5419# Make a copy of CFLAGS/LDFLAGS without PIE options.
5420LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5421CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5422AC_SUBST([LDFLAGS_NOPIE])
5423AC_SUBST([CFLAGS_NOPIE])
5424
5425AC_EXEEXT
5426AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5427	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5428	survey.sh])
5429AC_OUTPUT
5430
5431# Print summary of options
5432
5433# Someone please show me a better way :)
5434A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5435B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5436C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5437D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5438E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5439F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5440G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5441H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5442I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5443J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5444
5445echo ""
5446echo "OpenSSH has been configured with the following options:"
5447echo "                     User binaries: $B"
5448echo "                   System binaries: $C"
5449echo "               Configuration files: $D"
5450echo "                   Askpass program: $E"
5451echo "                      Manual pages: $F"
5452echo "                          PID file: $G"
5453echo "  Privilege separation chroot path: $H"
5454if test "x$external_path_file" = "x/etc/login.conf" ; then
5455echo "   At runtime, sshd will use the path defined in $external_path_file"
5456echo "   Make sure the path to scp is present, otherwise scp will not work"
5457else
5458echo "            sshd default user PATH: $I"
5459	if test ! -z "$external_path_file"; then
5460echo "   (If PATH is set in $external_path_file it will be used instead. If"
5461echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5462	fi
5463fi
5464if test ! -z "$superuser_path" ; then
5465echo "          sshd superuser user PATH: $J"
5466fi
5467echo "                    Manpage format: $MANTYPE"
5468echo "                       PAM support: $PAM_MSG"
5469echo "                   OSF SIA support: $SIA_MSG"
5470echo "                 KerberosV support: $KRB5_MSG"
5471echo "                   SELinux support: $SELINUX_MSG"
5472echo "              MD5 password support: $MD5_MSG"
5473echo "                   libedit support: $LIBEDIT_MSG"
5474echo "                   libldns support: $LDNS_MSG"
5475echo "  Solaris process contract support: $SPC_MSG"
5476echo "           Solaris project support: $SP_MSG"
5477echo "         Solaris privilege support: $SPP_MSG"
5478echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5479echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5480echo "                  BSD Auth support: $BSD_AUTH_MSG"
5481echo "              Random number source: $RAND_MSG"
5482echo "             Privsep sandbox style: $SANDBOX_STYLE"
5483echo "                   PKCS#11 support: $enable_pkcs11"
5484echo "                  U2F/FIDO support: $enable_sk"
5485
5486echo ""
5487
5488echo "              Host: ${host}"
5489echo "          Compiler: ${CC}"
5490echo "    Compiler flags: ${CFLAGS}"
5491echo "Preprocessor flags: ${CPPFLAGS}"
5492echo "      Linker flags: ${LDFLAGS}"
5493echo "         Libraries: ${LIBS}"
5494if test ! -z "${SSHDLIBS}"; then
5495echo "         +for sshd: ${SSHDLIBS}"
5496fi
5497
5498echo ""
5499
5500if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5501	echo "SVR4 style packages are supported with \"make package\""
5502	echo ""
5503fi
5504
5505if test "x$PAM_MSG" = "xyes" ; then
5506	echo "PAM is enabled. You may need to install a PAM control file "
5507	echo "for sshd, otherwise password authentication may fail. "
5508	echo "Example PAM control files can be found in the contrib/ "
5509	echo "subdirectory"
5510	echo ""
5511fi
5512
5513if test ! -z "$NO_PEERCHECK" ; then
5514	echo "WARNING: the operating system that you are using does not"
5515	echo "appear to support getpeereid(), getpeerucred() or the"
5516	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5517	echo "enforce security checks to prevent unauthorised connections to"
5518	echo "ssh-agent. Their absence increases the risk that a malicious"
5519	echo "user can connect to your agent."
5520	echo ""
5521fi
5522
5523if test "$AUDIT_MODULE" = "bsm" ; then
5524	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5525	echo "See the Solaris section in README.platform for details."
5526fi
5527