xref: /openssh-portable/configure.ac (revision dc098405)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
dnl Package identity, local macro directory, and a source file whose presence
dnl confirms that configure is being run from the OpenSSH tree.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])

dnl Feature-test results are written to config.h.
AC_CONFIG_HEADER([config.h])
dnl Compiler search order: "cc" is tried before "gcc".
AC_PROG_CC([cc gcc])
AC_CANONICAL_HOST
AC_C_BIGENDIAN
25
# Checks for programs.
dnl The path probes below record the absolute location found by searching
dnl PATH at configure time. Some of those locations are later compiled in or
dnl substituted into generated files, so run configure with a trusted PATH.
AC_PROG_AWK
AC_PROG_CPP
AC_PROG_RANLIB
AC_PROG_INSTALL
AC_PROG_EGREP
AC_PROG_MKDIR_P
AC_CHECK_TOOLS([AR], [ar])
AC_PATH_PROG([CAT], [cat])
AC_PATH_PROG([KILL], [kill])
AC_PATH_PROG([SED], [sed])
dnl Three probes share one output variable. A probe does nothing once the
dnl variable is set, so the first shell found in the order bash, ksh, sh wins.
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
AC_PATH_PROG([SH], [sh])
dnl Manual page formatters; any of them may be absent.
AC_PATH_PROG([GROFF], [groff])
AC_PATH_PROG([NROFF], [nroff awf])
AC_PATH_PROG([MANDOC], [mandoc])
dnl TEST_SHELL is substituted as the bare name "sh", not an absolute path.
AC_SUBST([TEST_SHELL], [sh])
45
dnl Choose the formatter used to build "cat" format manual pages.
dnl Preference order: mandoc, then nroff, then groff. If none was found the
dnl build still proceeds, with MANFMT set to the "false" command.
if test -n "$MANDOC" ; then
	MANFMT="$MANDOC"
elif test -n "$NROFF" ; then
	MANFMT="$NROFF -mandoc"
elif test -n "$GROFF" ; then
	MANFMT="$GROFF -mandoc -Tascii"
else
	AC_MSG_WARN([no manpage formatter found])
	MANFMT="false"
fi
AC_SUBST([MANFMT])
58
dnl Values consumed by buildpkg.sh.
dnl groupadd and useradd are searched for in /usr/sbin and /etc only. When
dnl they are not found there, the bare command name is used as the fallback.
AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
dnl Startup scripts use /sbin/sh when it exists and is executable on the
dnl build host, and /bin/sh otherwise.
if test -x /sbin/sh; then
	STARTUP_SCRIPT_SHELL=/sbin/sh
else
	STARTUP_SCRIPT_SHELL=/bin/sh
fi
AC_SUBST([STARTUP_SCRIPT_SHELL])
70
# System features
AC_SYS_LARGEFILE

dnl AR is set by the archiver probe earlier in this file. Without an
dnl archiver the build cannot continue, so this is a hard error.
if test "x$AR" = "x" ; then
	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
fi

dnl The absolute path of passwd found in PATH at configure time is compiled
dnl in as _PATH_PASSWD_PROG. If passwd is not found the macro stays undefined.
AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
if test -n "$PATH_PASSWD_PROG" ; then
	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
		[Full path of your "passwd" program])
fi
83
dnl Autoconf does not support overriding LD well, so users may no longer set
dnl it: the linker is always the compiler driver. The hook is kept for now in
dnl case an overlooked use case needs it re-enabled; unless a good reason is
dnl found it will be removed in future.
AC_SUBST([LD], ["$CC"])

AC_C_INLINE
92
dnl Declaration probes. Four of them only set shell variables
dnl (have_llong_max, have_long_long_max, have_systr_policy_kill and
dnl have_linux_no_new_privs), which stay unset when the declaration is
dnl missing. The RLIMIT_NPROC probe defines HAVE_RLIMIT_NPROC directly.
dnl NOTE(review): the systrace and no_new_privs variables are presumably read
dnl by the sandbox selection later in the file - confirm there.
AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
	#include <sys/types.h>
	#include <sys/param.h>
	#include <dev/systrace.h>
])
AC_CHECK_DECL([RLIMIT_NPROC],
    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
	#include <sys/types.h>
	#include <sys/resource.h>
])
AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
	#include <sys/types.h>
	#include <linux/prctl.h>
])
109
dnl OpenSSL is used unless the builder passes --without-openssl, which is the
dnl same as --with-openssl=no. Any other value leaves it enabled. The help
dnl text marks the build without OpenSSL as experimental, with only limited
dnl internal crypto.
openssl=yes
AC_ARG_WITH([openssl],
	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
	[
		case "$withval" in
		no)	openssl=no ;;
		esac
	]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
if test "x$openssl" != "xyes" ; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
fi
125
dnl Stack protection and toolchain hardening both default to on. Only an
dnl explicit "no" turns one off: --without-stackprotect or --without-hardening.
dnl The compiler flag section below skips the matching probes when a switch is
dnl 0, so a build configured that way ships without those mitigations.
use_stack_protector=1
use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
    [  --without-stackprotect  Don't use compiler's stack protection], [
    case "$withval" in
    no)	use_stack_protector=0 ;;
    esac ])
AC_ARG_WITH([hardening],
    [  --without-hardening     Don't use toolchain hardening flags], [
    case "$withval" in
    no)	use_toolchain_hardening=0 ;;
    esac ])
138
# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.
dnl The probe compiles a trivial program with -Werror added to CFLAGS, then
dnl restores CFLAGS. Only the WERROR shell variable carries the result; it is
dnl "-Werror" on success and empty otherwise.
dnl NOTE(review): WERROR is presumably consumed by the flag-probing helper
dnl macros kept in the m4 directory - confirm there.
AC_MSG_CHECKING([if $CC supports -Werror])
saved_CFLAGS="$CFLAGS"
CFLAGS="$saved_CFLAGS -Werror"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
	[ AC_MSG_RESULT([yes])
	  WERROR="-Werror"],
	[ AC_MSG_RESULT([no])
	  WERROR="" ]
)
CFLAGS="$saved_CFLAGS"
151
dnl Warning and hardening flags for GCC-compatible compilers. Each flag is
dnl probed on its own and is used only if the toolchain accepts it. A rejected
dnl hardening flag is dropped silently apart from the "no" in the configure
dnl output, so check that output or config.log to see which mitigations the
dnl build actually has.
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
	OSSH_CHECK_CFLAG_COMPILE([-pipe])
	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
	OSSH_CHECK_CFLAG_COMPILE([-Wall])
	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
	dnl Hardening set, skipped entirely under --without-hardening:
	dnl retpoline code generation and PLT, fortified libc calls, read-only
	dnl relocations with immediate binding, a non-executable stack, and
	dnl trapping signed integer overflow.
	dnl NOTE(review): on glibc the fortify macro only takes effect in
	dnl optimised builds - check the final CFLAGS.
	if test "x$use_toolchain_hardening" = "x1"; then
		OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
		OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
		OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
		# NB. -ftrapv expects certain support functions to be present in
		# the compiler library (libgcc or similar) to detect integer operations
		# that can overflow. We must check that the result of enabling it
		# actually links. The test program compiled/linked includes a number
		# of integer operations that should exercise this.
		OSSH_CHECK_CFLAG_LINK([-ftrapv])
	fi
	dnl The version string is taken from the "gcc version" line of the
	dnl compiler's verbose banner. GCC 1.x and 2.x are treated as lacking
	dnl the nonnull attribute.
	AC_MSG_CHECKING([gcc version])
	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
	case $GCC_VER in
		1.* | 2.*) no_attrib_nonnull=1 ;;
		*) ;;
	esac
	AC_MSG_RESULT([$GCC_VER])

	dnl On success the flag stays in CFLAGS; only a failed link restores
	dnl the saved value.
	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
	saved_CFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS -fno-builtin-memset"
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
		[ AC_MSG_RESULT([yes]) ],
		[ AC_MSG_RESULT([no])
		  CFLAGS="$saved_CFLAGS" ]
	)

	# -fstack-protector-all doesn't always work for some GCC versions
	# and/or platforms, so we test if we can.  If it's not supported
	# on a given platform gcc will emit a warning so we use -Werror.
	dnl Candidates are tried strongest first. A candidate is kept, by
	dnl leaving the loop before the restore at its bottom, when it links
	dnl and the test program then runs. When cross compiling the run step
	dnl cannot happen and the candidate is kept untested. If every
	dnl candidate fails the flags are restored and the build goes on
	dnl without stack protection, with no error raised.
	if test "x$use_stack_protector" = "x1"; then
		for t in -fstack-protector-strong -fstack-protector-all \
		    -fstack-protector; do
			AC_MSG_CHECKING([if $CC supports $t])
			saved_CFLAGS="$CFLAGS"
			saved_LDFLAGS="$LDFLAGS"
			CFLAGS="$CFLAGS $t -Werror"
			LDFLAGS="$LDFLAGS $t -Werror"
			AC_LINK_IFELSE(
				[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
				 ]],
				[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
				 ]])],
			    [ AC_MSG_RESULT([yes])
			      CFLAGS="$saved_CFLAGS $t"
			      LDFLAGS="$saved_LDFLAGS $t"
			      AC_MSG_CHECKING([if $t works])
			      AC_RUN_IFELSE(
				[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
				]],
				[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
				]])],
				[ AC_MSG_RESULT([yes])
				  break ],
				[ AC_MSG_RESULT([no]) ],
				[ AC_MSG_WARN([cross compiling: cannot test])
				  break ]
			      )
			    ],
			    [ AC_MSG_RESULT([no]) ]
			)
			CFLAGS="$saved_CFLAGS"
			LDFLAGS="$saved_LDFLAGS"
		done
	fi

	if test "x$have_llong_max" = "x"; then
		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
		dnl The cached result of the first probe is cleared so the
		dnl check really runs again. The extra flag is kept in CFLAGS
		dnl only if the retry succeeds.
		unset ac_cv_have_decl_LLONG_MAX
		saved_CFLAGS="$CFLAGS"
		CFLAGS="$CFLAGS -std=gnu99"
		AC_CHECK_DECL([LLONG_MAX],
		    [have_llong_max=1],
		    [CFLAGS="$saved_CFLAGS"],
		    [#include <limits.h>]
		)
	fi
fi
264
dnl Compiler attribute support. The two compile probes define a NO_ macro
dnl when the compiler rejects the construct. The nonnull attribute is not
dnl probed here: it is enabled unless the GCC version check earlier in this
dnl file set no_attrib_nonnull.
AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[
#include <stdlib.h>
__attribute__((__unused__)) static void foo(void){return;}]],
    [[ exit(0); ]])],
    [ AC_MSG_RESULT([yes]) ],
    [ AC_MSG_RESULT([no])
      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
	 [compiler does not accept __attribute__ on return types]) ]
)

AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM([[
#include <stdlib.h>
typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
    [[ exit(0); ]])],
    [ AC_MSG_RESULT([yes]) ],
    [ AC_MSG_RESULT([no])
      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
	 [compiler does not accept __attribute__ on prototype args]) ]
)

if test "x$no_attrib_nonnull" = "x1" ; then
	:
else
	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
fi
292
dnl Run-time library search path option. "no" clears rpath_opt, "yes" selects
dnl -R, and any other value is used verbatim as the linker option. When the
dnl switch is not given at all, rpath_opt is left untouched here.
dnl NOTE(review): the NetBSD and Solaris arms of the host case later in this
dnl file test withval again. By then it holds the value of whichever --with
dnl option was processed last, not necessarily this one.
AC_ARG_WITH([rpath],
	[  --without-rpath         Disable auto-added -R linker paths],
	[
		case "$withval" in
		no)	rpath_opt="" ;;
		yes)	rpath_opt="-R" ;;
		*)	rpath_opt="$withval" ;;
		esac
	]
)
305
# Allow user to specify flags
dnl For the flag options an empty value, "yes" and "no" are ignored.
dnl Anything else is appended to the variable, so it follows the flags chosen
dnl by the probes above on the command line. A later flag can therefore
dnl override an earlier hardening flag; review builder-supplied values with
dnl that in mind. The two "after" variants only store the value in
dnl CFLAGS_AFTER or LDFLAGS_AFTER and apply nothing in this section.
AC_ARG_WITH([cflags],
	[  --with-cflags           Specify additional flags to pass to compiler],
	[
		case "$withval" in
		""|no|yes) ;;
		*)	CFLAGS="$CFLAGS $withval" ;;
		esac
	]
)

AC_ARG_WITH([cflags-after],
	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
	[
		case "$withval" in
		""|no|yes) ;;
		*)	CFLAGS_AFTER="$withval" ;;
		esac
	]
)
AC_ARG_WITH([cppflags],
	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
	[
		case "$withval" in
		""|no|yes) ;;
		*)	CPPFLAGS="$CPPFLAGS $withval" ;;
		esac
	]
)
AC_ARG_WITH([ldflags],
	[  --with-ldflags          Specify additional flags to pass to linker],
	[
		case "$withval" in
		""|no|yes) ;;
		*)	LDFLAGS="$LDFLAGS $withval" ;;
		esac
	]
)
AC_ARG_WITH([ldflags-after],
	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
	[
		case "$withval" in
		""|no|yes) ;;
		*)	LDFLAGS_AFTER="$withval" ;;
		esac
	]
)
AC_ARG_WITH([libs],
	[  --with-libs             Specify additional libraries to link with],
	[
		case "$withval" in
		""|no|yes) ;;
		*)	LIBS="$LIBS $withval" ;;
		esac
	]
)
dnl A plain --with-Werror selects -Werror. Any other non-empty value except
dnl "no" is stored as the flag set itself.
AC_ARG_WITH([Werror],
	[  --with-Werror           Build main code with -Werror],
	[
		case "$withval" in
		""|no) ;;
		yes)	werror_flags="-Werror" ;;
		*)	werror_flags="$withval" ;;
		esac
	]
)
373
dnl Headers that can be probed with the default prerequisite includes. Each
dnl header that is found gets a matching HAVE_ macro in config.h. Headers
dnl that need other headers included first are probed separately after this
dnl list.
AC_CHECK_HEADERS([ \
	blf.h \
	bstring.h \
	crypt.h \
	crypto/sha2.h \
	dirent.h \
	endian.h \
	elf.h \
	err.h \
	features.h \
	fcntl.h \
	floatingpoint.h \
	fnmatch.h \
	getopt.h \
	glob.h \
	ia.h \
	iaf.h \
	ifaddrs.h \
	inttypes.h \
	langinfo.h \
	limits.h \
	locale.h \
	login.h \
	maillock.h \
	ndir.h \
	net/if_tun.h \
	netdb.h \
	netgroup.h \
	pam/pam_appl.h \
	paths.h \
	poll.h \
	pty.h \
	readpassphrase.h \
	rpc/types.h \
	security/pam_appl.h \
	sha2.h \
	shadow.h \
	stddef.h \
	stdint.h \
	string.h \
	strings.h \
	sys/bitypes.h \
	sys/byteorder.h \
	sys/bsdtty.h \
	sys/cdefs.h \
	sys/dir.h \
	sys/file.h \
	sys/mman.h \
	sys/label.h \
	sys/ndir.h \
	sys/poll.h \
	sys/prctl.h \
	sys/pstat.h \
	sys/ptrace.h \
	sys/random.h \
	sys/select.h \
	sys/stat.h \
	sys/stream.h \
	sys/stropts.h \
	sys/strtio.h \
	sys/statvfs.h \
	sys/sysmacros.h \
	sys/time.h \
	sys/timers.h \
	sys/vfs.h \
	time.h \
	tmpdir.h \
	ttyent.h \
	ucred.h \
	unistd.h \
	usersec.h \
	util.h \
	utime.h \
	utmp.h \
	utmpx.h \
	vis.h \
	wchar.h \
])
452
dnl Headers that only compile after other headers have been included. The
dnl fourth argument of each probe supplies those prerequisites. Where a
dnl prerequisite is guarded by a HAVE_ macro, that macro comes from the
dnl general header list above, so these probes must stay after it.

# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
AC_CHECK_HEADERS([sys/audit.h], [], [], [
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_SYS_LABEL_H
# include <sys/label.h>
#endif
])

# sys/capsicum.h requires sys/types.h
AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
])

# net/route.h requires sys/socket.h and sys/types.h.
# sys/sysctl.h also requires sys/param.h
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <sys/param.h>
#include <sys/socket.h>
])

# lastlog.h requires sys/time.h to be included first on Solaris
AC_CHECK_HEADERS([lastlog.h], [], [], [
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
])

# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS([sys/ptms.h], [], [], [
#ifdef HAVE_SYS_STREAM_H
# include <sys/stream.h>
#endif
])

# login_cap.h requires sys/types.h on NetBSD
AC_CHECK_HEADERS([login_cap.h], [], [], [
#include <sys/types.h>
])

# older BSDs need sys/param.h before sys/mount.h
AC_CHECK_HEADERS([sys/mount.h], [], [], [
#include <sys/param.h>
])

# Android requires sys/socket.h to be included before sys/un.h
AC_CHECK_HEADERS([sys/un.h], [], [], [
#include <sys/types.h>
#include <sys/socket.h>
])
513
# Messages for features tested for in target-specific section
dnl All four start as "no". The target-specific section is expected to
dnl change them where a feature is enabled.
SIA_MSG="no"
SPC_MSG="no"
SP_MSG="no"
SPP_MSG="no"

# Support for Solaris/Illumos privileges (this test is used by both
# the --with-solaris-privs option and --with-sandbox=solaris).
SOLARIS_PRIVS="no"

dnl The size of size_t is cached in ac_cv_sizeof_size_t. The Linux arm of
dnl the host case reads it when choosing the seccomp audit architecture.
AC_CHECK_SIZEOF([size_t])
526# Check for some target-specific stuff
527case "$host" in
528*-*-aix*)
529	# Some versions of VAC won't allow macro redefinitions at
530	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
531	# particularly with older versions of vac or xlc.
532	# It also throws errors about null macro arguments, but these are
533	# not fatal.
534	AC_MSG_CHECKING([if compiler allows macro redefinitions])
535	AC_COMPILE_IFELSE(
536	    [AC_LANG_PROGRAM([[
537#define testmacro foo
538#define testmacro bar]],
539	    [[ exit(0); ]])],
540	    [ AC_MSG_RESULT([yes]) ],
541	    [ AC_MSG_RESULT([no])
542	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
543	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
544	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
545	    ]
546	)
547
548	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
549	if (test -z "$blibpath"); then
550		blibpath="/usr/lib:/lib"
551	fi
552	saved_LDFLAGS="$LDFLAGS"
553	if test "$GCC" = "yes"; then
554		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
555	else
556		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
557	fi
558	for tryflags in $flags ;do
559		if (test -z "$blibflags"); then
560			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
561			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
562			[blibflags=$tryflags], [])
563		fi
564	done
565	if (test -z "$blibflags"); then
566		AC_MSG_RESULT([not found])
567		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
568	else
569		AC_MSG_RESULT([$blibflags])
570	fi
571	LDFLAGS="$saved_LDFLAGS"
572	dnl Check for authenticate.  Might be in libs.a on older AIXes
573	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
574		[Define if you want to enable AIX4's authenticate function])],
575		[AC_CHECK_LIB([s], [authenticate],
576			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
577				LIBS="$LIBS -ls"
578			])
579		])
580	dnl Check for various auth function declarations in headers.
581	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
582	    passwdexpired, setauthdb], , , [#include <usersec.h>])
583	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
584	AC_CHECK_DECLS([loginfailed],
585	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
586	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
587		[[ (void)loginfailed("user","host","tty",0); ]])],
588		[AC_MSG_RESULT([yes])
589		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
590			[Define if your AIX loginfailed() function
591			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
592	    ])],
593	    [],
594	    [#include <usersec.h>]
595	)
596	AC_CHECK_FUNCS([getgrset setauthdb])
597	AC_CHECK_DECL([F_CLOSEM],
598	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
599	    [],
600	    [ #include <limits.h>
601	      #include <fcntl.h> ]
602	)
603	check_for_aix_broken_getaddrinfo=1
604	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
605	    [Define if your platform breaks doing a seteuid before a setuid])
606	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
607	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
608	dnl AIX handles lastlog as part of its login message
609	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
610	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
611		[Some systems need a utmpx entry for /bin/login to work])
612	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
613		[Define to a Set Process Title type if your system is
614		supported by bsd-setproctitle.c])
615	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
616	    [AIX 5.2 and 5.3 (and presumably newer) require this])
617	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
618	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
619	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
620	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
621	;;
622*-*-android*)
623	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
624	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
625	;;
626*-*-cygwin*)
627	check_for_libcrypt_later=1
628	LIBS="$LIBS /usr/lib/textreadmode.o"
629	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
630	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
631	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
632		[Define to disable UID restoration test])
633	AC_DEFINE([DISABLE_SHADOW], [1],
634		[Define if you want to disable shadow passwords])
635	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
636		[Define if X11 doesn't support AF_UNIX sockets on that system])
637	AC_DEFINE([DISABLE_FD_PASSING], [1],
638		[Define if your platform needs to skip post auth
639		file descriptor passing])
640	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
641	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
642	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
643	# reasons which cause compile warnings, so we disable those warnings.
644	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
645	;;
646*-*-dgux*)
647	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
648		[Define if your system choked on IP TOS setting])
649	AC_DEFINE([SETEUID_BREAKS_SETUID])
650	AC_DEFINE([BROKEN_SETREUID])
651	AC_DEFINE([BROKEN_SETREGID])
652	;;
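*-*-darwin*)
	dnl Darwin / macOS settings: getaddrinfo sanity probe, uid handling
	dnl quirks, tunnel device compatibility, BSM audit constants and the
	dnl sandbox library.
	use_pie=auto
	dnl The probe program declares main with an explicit int return type.
	dnl A compiler that rejects implicit int would otherwise fail to build
	dnl the probe, and the failure branch would mark getaddrinfo as broken.
	AC_MSG_CHECKING([if we have working getaddrinfo])
	AC_RUN_IFELSE([AC_LANG_SOURCE([[
#include <mach-o/dyld.h>
#include <stdlib.h>
int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
		exit(0);
	else
		exit(1);
}
			]])],
	[AC_MSG_RESULT([working])],
	[AC_MSG_RESULT([buggy])
	AC_DEFINE([BROKEN_GETADDRINFO], [1],
		[getaddrinfo is broken (if present)])
	],
	[AC_MSG_RESULT([assume it is working])])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
		[Define if your resolver libs need this for getrrsetbyname])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
	    [Use tunnel device compatibility to OpenBSD])
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	m4_pattern_allow([AU_IPv])
	dnl The audit constant is probed with bsm/audit.h included and is
	dnl defined to 0 only when that header does not declare it. The
	dnl arguments were previously mis-nested: the include line and the
	dnl lastlog define sat inside the not-found action, so the probe ran
	dnl without the header and the fallback value could shadow the real one.
	AC_CHECK_DECL([AU_IPv4], [],
	    [AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])],
	    [#include <bsm/audit.h>]
	)
	dnl Defined unconditionally on this platform, as its description implies.
	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
	    [Define if pututxline updates lastlog too])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
		[Define to a Set Process Title type if your system is
		supported by bsd-setproctitle.c])
	dnl Sandbox support: function, header and library are probed
	dnl separately. Only the library probe changes the link line, and only
	dnl for sshd.
	AC_CHECK_FUNCS([sandbox_init])
	AC_CHECK_HEADERS([sandbox.h])
	AC_CHECK_LIB([sandbox], [sandbox_apply], [
	    SSHDLIBS="$SSHDLIBS -lsandbox"
	])
	# proc_pidinfo()-based closefrom() replacement.
	AC_CHECK_HEADERS([libproc.h])
	AC_CHECK_FUNCS([proc_pidinfo])
	;;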
701*-*-dragonfly*)
702	SSHDLIBS="$SSHDLIBS -lcrypt"
703	TEST_MALLOC_OPTIONS="AFGJPRX"
704	;;
705*-*-haiku*)
706	LIBS="$LIBS -lbsd "
707	CFLAGS="$CFLAGS -D_BSD_SOURCE"
708	AC_CHECK_LIB([network], [socket])
709	AC_DEFINE([HAVE_U_INT64_T])
710	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
711	MANTYPE=man
712	;;
713*-*-hpux*)
714	# first we define all of the options common to all HP-UX releases
715	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
716	IPADDR_IN_DISPLAY=yes
717	AC_DEFINE([USE_PIPES])
718	AC_DEFINE([LOGIN_NEEDS_UTMPX])
719	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
720		[String used in /etc/passwd to denote locked account])
721	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
722	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
723	maildir="/var/mail"
724	LIBS="$LIBS -lsec"
725	AC_CHECK_LIB([xnet], [t_error], ,
726	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
727
728	# next, we define all of the options specific to major releases
729	case "$host" in
730	*-*-hpux10*)
731		if test -z "$GCC"; then
732			CFLAGS="$CFLAGS -Ae"
733		fi
734		;;
735	*-*-hpux11*)
736		AC_DEFINE([PAM_SUN_CODEBASE], [1],
737			[Define if you are using Solaris-derived PAM which
738			passes pam_messages to the conversation function
739			with an extra level of indirection])
740		AC_DEFINE([DISABLE_UTMP], [1],
741			[Define if you don't want to use utmp])
742		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
743		check_for_hpux_broken_getaddrinfo=1
744		check_for_conflicting_getspnam=1
745		;;
746	esac
747
748	# lastly, we define options specific to minor releases
749	case "$host" in
750	*-*-hpux10.26)
751		AC_DEFINE([HAVE_SECUREWARE], [1],
752			[Define if you have SecureWare-based
753			protected password database])
754		disable_ptmx_check=yes
755		LIBS="$LIBS -lsecpw"
756		;;
757	esac
758	;;
759*-*-irix5*)
760	PATH="$PATH:/usr/etc"
761	AC_DEFINE([BROKEN_INET_NTOA], [1],
762		[Define if you system's inet_ntoa is busted
763		(e.g. Irix gcc issue)])
764	AC_DEFINE([SETEUID_BREAKS_SETUID])
765	AC_DEFINE([BROKEN_SETREUID])
766	AC_DEFINE([BROKEN_SETREGID])
767	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
768		[Define if you shouldn't strip 'tty' from your
769		ttyname in [uw]tmp])
770	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
771	;;
772*-*-irix6*)
773	PATH="$PATH:/usr/etc"
774	AC_DEFINE([WITH_IRIX_ARRAY], [1],
775		[Define if you have/want arrays
776		(cluster-wide session management, not C arrays)])
777	AC_DEFINE([WITH_IRIX_PROJECT], [1],
778		[Define if you want IRIX project management])
779	AC_DEFINE([WITH_IRIX_AUDIT], [1],
780		[Define if you want IRIX audit trails])
781	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
782		[Define if you want IRIX kernel jobs])])
783	AC_DEFINE([BROKEN_INET_NTOA])
784	AC_DEFINE([SETEUID_BREAKS_SETUID])
785	AC_DEFINE([BROKEN_SETREUID])
786	AC_DEFINE([BROKEN_SETREGID])
787	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
788	AC_DEFINE([WITH_ABBREV_NO_TTY])
789	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
790	;;
791*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
792	check_for_libcrypt_later=1
793	AC_DEFINE([PAM_TTY_KLUDGE])
794	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
795	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
796	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
797	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
798	;;
799*-*-linux*)
800	no_dev_ptmx=1
801	use_pie=auto
802	check_for_libcrypt_later=1
803	check_for_openpty_ctty_bug=1
804	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
805	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
806	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
807	AC_DEFINE([PAM_TTY_KLUDGE], [1],
808		[Work around problematic Linux PAM modules handling of PAM_TTY])
809	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
810		[String used in /etc/passwd to denote locked account])
811	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
812	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
813		[Define to whatever link() returns for "not supported"
814		if it doesn't return EOPNOTSUPP.])
815	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
816	AC_DEFINE([USE_BTMP])
817	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
818	inet6_default_4in6=yes
819	case `uname -r` in
820	1.*|2.0.*)
821		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
822			[Define if cmsg_type is not passed correctly])
823		;;
824	esac
825	# tun(4) forwarding compat code
826	AC_CHECK_HEADERS([linux/if_tun.h])
827	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
828		AC_DEFINE([SSH_TUN_LINUX], [1],
829		    [Open tunnel devices the Linux tun/tap way])
830		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
831		    [Use tunnel device compatibility to OpenBSD])
832		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
833		    [Prepend the address family to IP tunnel traffic])
834	fi
835	AC_CHECK_HEADER([linux/if.h],
836	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
837		[Support routing domains using Linux VRF]), [], [
838#ifdef HAVE_SYS_TYPES_H
839# include <sys/types.h>
840#endif
841	    ])
842	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
843	    [], [#include <linux/types.h>])
844	# Obtain MIPS ABI
845	case "$host" in
846	mips*)
847		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
848#if _MIPS_SIM != _ABIO32
849#error
850#endif
851			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
852#if _MIPS_SIM != _ABIN32
853#error
854#endif
855				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
856#if _MIPS_SIM != _ABI64
857#error
858#endif
859					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
860				])
861			])
862		])
863		;;
864	esac
dnl Map the host triplet to the audit architecture constant that is compiled
dnl in as SECCOMP_AUDIT_ARCH. If no pattern matches, the macro stays undefined
dnl and configure only reports "architecture not supported".
dnl NOTE(review): presumably the seccomp sandbox cannot be used in that case -
dnl confirm in the sandbox selection code and in the configure summary.
	AC_MSG_CHECKING([for seccomp architecture])
	seccomp_audit_arch=
	case "$host" in
	x86_64-*)
		seccomp_audit_arch=AUDIT_ARCH_X86_64
		# X32: AMD64 instructions in 32bit address space.
		dnl A four byte size_t on an x86_64 host selects the i386
		dnl constant instead.
		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
			seccomp_audit_arch=AUDIT_ARCH_I386
		fi
		;;
	i*86-*)
		seccomp_audit_arch=AUDIT_ARCH_I386
		;;
	arm*-*)
		seccomp_audit_arch=AUDIT_ARCH_ARM
		;;
	aarch64*-*)
		seccomp_audit_arch=AUDIT_ARCH_AARCH64
		;;
	s390x-*)
		seccomp_audit_arch=AUDIT_ARCH_S390X
		;;
	s390-*)
		seccomp_audit_arch=AUDIT_ARCH_S390
		;;
	powerpc64-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64
		;;
	powerpc64le-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
		;;
	mips-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPS
		;;
	mipsel-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
		;;
	dnl For 64-bit MIPS the constant depends on mips_abi, set by the ABI
	dnl probe just above. Only n32 and n64 are mapped; an o32 build on
	dnl these hosts gets no constant.
	mips64-*)
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64
			;;
		esac
		;;
	mips64el-*)
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
			;;
		esac
		;;
	riscv64-*)
		seccomp_audit_arch=AUDIT_ARCH_RISCV64
		;;
	esac
	if test -z "$seccomp_audit_arch" ; then
		AC_MSG_RESULT([architecture not supported])
	else
		AC_MSG_RESULT(["$seccomp_audit_arch"])
		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
		    [Specify the system call convention in use])
	fi
	;;
933	;;
934mips-sony-bsd|mips-sony-newsos4)
935	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
936	SONY=1
937	;;
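*-*-netbsd*)
	dnl NetBSD settings: libcrypt is checked early, -R is the default
	dnl rpath option, and tunnel devices use the FreeBSD-style code.
	check_for_libcrypt_before=1
	dnl Default to -R unless the builder passed --without-rpath. The test
	dnl reads with_rpath, the variable autoconf sets for that option.
	dnl The generic withval used before holds the value of whichever
	dnl --with option was processed last, so an unrelated option could
	dnl silently re-enable rpath after --without-rpath. The Solaris arm of
	dnl this case statement has the same test.
	dnl NOTE(review): as before, an explicit custom --with-rpath value is
	dnl still replaced by -R here - confirm whether that is intended.
	if test "x$with_rpath" != "xno" ; then
		rpath_opt="-R"
	fi
	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	dnl Layer 2 tunnels are disabled when net/if_tap.h is missing.
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	TEST_MALLOC_OPTIONS="AJRX"
	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
	;;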
953*-*-freebsd*)
954	check_for_libcrypt_later=1
955	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
956	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
957	AC_CHECK_HEADER([net/if_tap.h], ,
958	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
959	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
960	TEST_MALLOC_OPTIONS="AJRX"
961	# Preauth crypto occasionally uses file descriptors for crypto offload
962	# and will crash if they cannot be opened.
963	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
964	    [define if setrlimit RLIMIT_NOFILE breaks things])
965	;;
966*-*-bsdi*)
967	AC_DEFINE([SETEUID_BREAKS_SETUID])
968	AC_DEFINE([BROKEN_SETREUID])
969	AC_DEFINE([BROKEN_SETREGID])
970	;;
971*-next-*)
972	conf_lastlog_location="/usr/adm/lastlog"
973	conf_utmp_location=/etc/utmp
974	conf_wtmp_location=/usr/adm/wtmp
975	maildir=/usr/spool/mail
976	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
977	AC_DEFINE([USE_PIPES])
978	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
979	;;
980*-*-openbsd*)
981	use_pie=auto
982	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
983	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
984	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
985	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
986	    [syslog_r function is safe to use in in a signal handler])
987	TEST_MALLOC_OPTIONS="AFGJPRX"
988	;;
989*-*-solaris*)
990	if test "x$withval" != "xno" ; then
991		rpath_opt="-R"
992	fi
993	AC_DEFINE([PAM_SUN_CODEBASE])
994	AC_DEFINE([LOGIN_NEEDS_UTMPX])
995	AC_DEFINE([PAM_TTY_KLUDGE])
996	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
997		[Define if pam_chauthtok wants real uid set
998		to the unpriv'ed user])
999	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1000	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1001	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1002		[Define if sshd somehow reacquires a controlling TTY
1003		after setsid()])
1004	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1005		in case the name is longer than 8 chars])
1006	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1007	external_path_file=/etc/default/login
1008	# hardwire lastlog location (can't detect it on some versions)
1009	conf_lastlog_location="/var/adm/lastlog"
1010	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1011	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1012	if test "$sol2ver" -ge 8; then
1013		AC_MSG_RESULT([yes])
1014		AC_DEFINE([DISABLE_UTMP])
1015		AC_DEFINE([DISABLE_WTMP], [1],
1016			[Define if you don't want to use wtmp])
1017	else
1018		AC_MSG_RESULT([no])
1019	fi
1020	AC_CHECK_FUNCS([setpflags])
1021	AC_CHECK_FUNCS([setppriv])
1022	AC_CHECK_FUNCS([priv_basicset])
1023	AC_CHECK_HEADERS([priv.h])
1024	AC_ARG_WITH([solaris-contracts],
1025		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1026		[
1027		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1028			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1029				[Define if you have Solaris process contracts])
1030			  LIBS="$LIBS -lcontract"
1031			  SPC_MSG="yes" ], )
1032		],
1033	)
1034	AC_ARG_WITH([solaris-projects],
1035		[  --with-solaris-projects Enable Solaris projects (experimental)],
1036		[
1037		AC_CHECK_LIB([project], [setproject],
1038			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1039				[Define if you have Solaris projects])
1040			LIBS="$LIBS -lproject"
1041			SP_MSG="yes" ], )
1042		],
1043	)
1044	AC_ARG_WITH([solaris-privs],
1045		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1046		[
1047		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1048		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1049			"x$ac_cv_header_priv_h" = "xyes" ; then
1050			SOLARIS_PRIVS=yes
1051			AC_MSG_RESULT([found])
1052			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1053				[Define to disable UID restoration test])
1054			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1055				[Define if you have Solaris privileges])
1056			SPP_MSG="yes"
1057		else
1058			AC_MSG_RESULT([not found])
1059			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1060		fi
1061		],
1062	)
1063	TEST_SHELL=$SHELL	# let configure find us a capable shell
1064	;;
1065*-*-sunos4*)
1066	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1067	AC_CHECK_FUNCS([getpwanam])
1068	AC_DEFINE([PAM_SUN_CODEBASE])
1069	conf_utmp_location=/etc/utmp
1070	conf_wtmp_location=/var/adm/wtmp
1071	conf_lastlog_location=/var/adm/lastlog
1072	AC_DEFINE([USE_PIPES])
1073	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1074	;;
1075*-ncr-sysv*)
1076	LIBS="$LIBS -lc89"
1077	AC_DEFINE([USE_PIPES])
1078	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1079	AC_DEFINE([SETEUID_BREAKS_SETUID])
1080	AC_DEFINE([BROKEN_SETREUID])
1081	AC_DEFINE([BROKEN_SETREGID])
1082	;;
1083*-sni-sysv*)
1084	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1085	AC_CHECK_LIB([dl], [dlsym], ,)
1086	# -lresolv needs to be at the end of LIBS or DNS lookups break
1087	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1088	IPADDR_IN_DISPLAY=yes
1089	AC_DEFINE([USE_PIPES])
1090	AC_DEFINE([IP_TOS_IS_BROKEN])
1091	AC_DEFINE([SETEUID_BREAKS_SETUID])
1092	AC_DEFINE([BROKEN_SETREUID])
1093	AC_DEFINE([BROKEN_SETREGID])
1094	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1095	external_path_file=/etc/default/login
1096	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1097	# Attention: always take care to bind libsocket and libnsl before libc,
1098	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1099	;;
1100# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1101*-*-sysv4.2*)
1102	AC_DEFINE([USE_PIPES])
1103	AC_DEFINE([SETEUID_BREAKS_SETUID])
1104	AC_DEFINE([BROKEN_SETREUID])
1105	AC_DEFINE([BROKEN_SETREGID])
1106	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1107	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1108	TEST_SHELL=$SHELL	# let configure find us a capable shell
1109	;;
1110# UnixWare 7.x, OpenUNIX 8
1111*-*-sysv5*)
1112	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1113	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1114	AC_DEFINE([USE_PIPES])
1115	AC_DEFINE([SETEUID_BREAKS_SETUID])
1116	AC_DEFINE([BROKEN_GETADDRINFO])
1117	AC_DEFINE([BROKEN_SETREUID])
1118	AC_DEFINE([BROKEN_SETREGID])
1119	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1120	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1121	TEST_SHELL=$SHELL	# let configure find us a capable shell
1122	check_for_libcrypt_later=1
1123	case "$host" in
1124	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1125		maildir=/var/spool/mail
1126		AC_DEFINE([BROKEN_UPDWTMPX])
1127		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1128			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1129			], , )
1130		;;
1131	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1132		;;
1133	esac
1134	;;
1135*-*-sysv*)
1136	;;
1137# SCO UNIX and OEM versions of SCO UNIX
1138*-*-sco3.2v4*)
1139	AC_MSG_ERROR("This Platform is no longer supported.")
1140	;;
1141# SCO OpenServer 5.x
1142*-*-sco3.2v5*)
1143	if test -z "$GCC"; then
1144		CFLAGS="$CFLAGS -belf"
1145	fi
1146	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1147	no_dev_ptmx=1
1148	AC_DEFINE([USE_PIPES])
1149	AC_DEFINE([HAVE_SECUREWARE])
1150	AC_DEFINE([DISABLE_SHADOW])
1151	AC_DEFINE([DISABLE_FD_PASSING])
1152	AC_DEFINE([SETEUID_BREAKS_SETUID])
1153	AC_DEFINE([BROKEN_GETADDRINFO])
1154	AC_DEFINE([BROKEN_SETREUID])
1155	AC_DEFINE([BROKEN_SETREGID])
1156	AC_DEFINE([WITH_ABBREV_NO_TTY])
1157	AC_DEFINE([BROKEN_UPDWTMPX])
1158	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1159	AC_CHECK_FUNCS([getluid setluid])
1160	MANTYPE=man
1161	TEST_SHELL=$SHELL	# let configure find us a capable shell
1162	SKIP_DISABLE_LASTLOG_DEFINE=yes
1163	;;
1164*-dec-osf*)
1165	AC_MSG_CHECKING([for Digital Unix SIA])
1166	no_osfsia=""
1167	AC_ARG_WITH([osfsia],
1168		[  --with-osfsia           Enable Digital Unix SIA],
1169		[
1170			if test "x$withval" = "xno" ; then
1171				AC_MSG_RESULT([disabled])
1172				no_osfsia=1
1173			fi
1174		],
1175	)
1176	if test -z "$no_osfsia" ; then
1177		if test -f /etc/sia/matrix.conf; then
1178			AC_MSG_RESULT([yes])
1179			AC_DEFINE([HAVE_OSF_SIA], [1],
1180				[Define if you have Digital Unix Security
1181				Integration Architecture])
1182			AC_DEFINE([DISABLE_LOGIN], [1],
1183				[Define if you don't want to use your
1184				system's login() call])
1185			AC_DEFINE([DISABLE_FD_PASSING])
1186			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1187			SIA_MSG="yes"
1188		else
1189			AC_MSG_RESULT([no])
1190			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1191			  [String used in /etc/passwd to denote locked account])
1192		fi
1193	fi
1194	AC_DEFINE([BROKEN_GETADDRINFO])
1195	AC_DEFINE([SETEUID_BREAKS_SETUID])
1196	AC_DEFINE([BROKEN_SETREUID])
1197	AC_DEFINE([BROKEN_SETREGID])
1198	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1199	;;
1200
1201*-*-nto-qnx*)
1202	AC_DEFINE([USE_PIPES])
1203	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1204	AC_DEFINE([DISABLE_LASTLOG])
1205	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1206	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1207	enable_etc_default_login=no	# has incompatible /etc/default/login
1208	case "$host" in
1209	*-*-nto-qnx6*)
1210		AC_DEFINE([DISABLE_FD_PASSING])
1211		;;
1212	esac
1213	;;
1214
1215*-*-ultrix*)
1216	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1217	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1218	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1219	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1220	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1221	# don't get a controlling tty.
1222	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1223	# On Ultrix some headers are not protected against multiple includes,
1224	# so we create wrappers and put it where the compiler will find it.
1225	AC_MSG_WARN([creating compat wrappers for headers])
1226	mkdir -p netinet
1227	for header in netinet/ip.h netdb.h resolv.h; do
1228		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1229		cat >$header <<EOD
1230#ifndef _SSH_COMPAT_${name}
1231#define _SSH_COMPAT_${name}
1232#include "/usr/include/${header}"
1233#endif
1234EOD
1235	done
1236	;;
1237
1238*-*-lynxos)
1239	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1240	AC_DEFINE([BROKEN_SETVBUF], [1],
1241	    [LynxOS has broken setvbuf() implementation])
1242	;;
1243esac
1244
# Sanity check of the toolchain with the flags accumulated so far: build and
# run a trivial program.  The later AC_RUN_IFELSE probes in this file rely on
# being able to do the same, so a failure aborts configure.  When cross
# compiling the program cannot be run and the check is skipped with a warning.
AC_MSG_CHECKING([compiler and flags for sanity])
AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
	[	AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
	],
	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)
1254
dnl Checks for header files.
# Checks for libraries.
# Look for setsockopt in the default libraries first and in libsocket
# otherwise; the default action of AC_CHECK_LIB adds -lsocket to LIBS when
# the symbol is found there.
AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1258
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
# Use dirname from the default libraries when present.  Otherwise fall back
# to libgen, but only after a run-time probe: dirname("/etc") must return "/".
# A libgen dirname that fails the probe is left unused and HAVE_DIRNAME stays
# undefined.  When cross compiling the probe cannot run and the libgen
# dirname is assumed to work.
AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
	AC_CHECK_LIB([gen], [dirname], [
		AC_CACHE_CHECK([for broken dirname],
			ac_cv_have_broken_dirname, [
			save_LIBS="$LIBS"
			LIBS="$LIBS -lgen"
			AC_RUN_IFELSE(
				[AC_LANG_SOURCE([[
#include <libgen.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *s, buf[32];

    strncpy(buf,"/etc", 32);
    s = dirname(buf);
    if (!s || strncmp(s, "/", 32) != 0) {
	exit(1);
    } else {
	exit(0);
    }
}
				]])],
				[ ac_cv_have_broken_dirname="no" ],
				[ ac_cv_have_broken_dirname="yes" ],
				[ ac_cv_have_broken_dirname="no" ],
			)
			LIBS="$save_LIBS"
		])
		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
			LIBS="$LIBS -lgen"
			AC_DEFINE([HAVE_DIRNAME])
			AC_CHECK_HEADERS([libgen.h])
		fi
	])
])
1297
# getspnam: if it is not in the default libraries, try libgen and append
# -lgen to LIBS on success.  basename: AC_SEARCH_LIBS tries the default
# libraries and then libgen, and HAVE_BASENAME is defined wherever it is found.
AC_CHECK_FUNC([getspnam], ,
	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
	[Define if you have the basename function.])])
1302
dnl zlib defaults to enabled
# --with-zlib=PATH / --without-zlib.  A PATH other than "yes" is prepended to
# the search paths: PATH/lib and PATH/include when those directories exist,
# otherwise PATH itself.  On platforms that set rpath_opt the library
# directory is also passed to the linker as a run-time search path, so PATH
# should be an absolute directory that unprivileged users cannot write to.
# The value is interpolated into LDFLAGS and CPPFLAGS unquoted, so a PATH
# containing whitespace will not work.
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[ if test "x$withval" = "xno" ; then
		zlib=no
	  elif test "x$withval" != "xyes"; then
		if test -d "$withval/lib"; then
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		else
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
			else
				LDFLAGS="-L${withval} ${LDFLAGS}"
			fi
		fi
		if test -d "$withval/include"; then
			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		else
			CPPFLAGS="-I${withval} ${CPPFLAGS}"
		fi
	fi ]
)
1330
# Require a usable zlib unless --without-zlib was given: zlib.h must be found,
# and deflate must link from -lz either on the current search paths or under
# /usr/local.  The run-time probe then parses ZLIB_VERSION and accepts only
# 1.1.4 and later within the 1.1 series, or 1.2.3 and later; anything else is
# rejected because of known security problems (see the error text below).
# --without-zlib-version-check downgrades the rejection to a warning, and the
# probe is skipped entirely when cross compiling, so in both of those cases
# the zlib version has to be verified by other means.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" = "xno"; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
    AC_CHECK_LIB([z], [deflate], ,
	[
		saved_CPPFLAGS="$CPPFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		save_LIBS="$LIBS"
		dnl Check default zlib install dir
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
		else
			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
		fi
		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
		LIBS="$LIBS -lz"
		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
			[
				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
			]
		)
	]
    )

    AC_ARG_WITH([zlib-version-check],
	[  --without-zlib-version-check Disable zlib version check],
	[  if test "x$withval" = "xno" ; then
		zlib_check_nonfatal=1
	   fi
	]
    )

    AC_MSG_CHECKING([for possibly buggy zlib])
    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	if (n != 3 && n != 4)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	exit(2);
	]])],
	AC_MSG_RESULT([no]),
	[ AC_MSG_RESULT([yes])
	  if test -z "$zlib_check_nonfatal" ; then
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  else
		AC_MSG_WARN([zlib version may have security problems])
	  fi
	],
	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
    )
fi
1408
dnl UnixWare 2.x
# Fallback locations for two functions: strcasecmp is looked up in libresolv
# and utimes in libc89 when the default libraries lack them.  In each case
# the library is appended to LIBS only when the symbol was found there.
AC_CHECK_FUNC([strcasecmp],
	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
)
AC_CHECK_FUNCS([utimes],
	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
					LIBS="$LIBS -lc89"]) ]
)
1417
dnl    Checks for libutil functions
# Each AC_SEARCH_LIBS call tries the default libraries first and then the
# listed ones, adding the first library that provides the symbol to LIBS.
# The AC_CHECK_FUNCS call afterwards records the results as HAVE_ macros.
AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
AC_SEARCH_LIBS([fmt_scaled], [util bsd])
AC_SEARCH_LIBS([scan_scaled], [util bsd])
AC_SEARCH_LIBS([login], [util bsd])
AC_SEARCH_LIBS([logout], [util bsd])
AC_SEARCH_LIBS([logwtmp], [util bsd])
AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])

# On some platforms, inet_ntop and gethostbyname may be found in libresolv
# or libnsl.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1433
# "Particular Function Checks"
# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
AC_FUNC_STRFTIME
AC_FUNC_MALLOC
AC_FUNC_REALLOC
# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
# The probe exits non-zero when calloc(0, 1) returns NULL.  In that case
# HAVE_CALLOC is defined to 0 and every use of calloc is renamed to
# rpl_calloc, which the project has to supply.  When cross compiling the
# answer is copied from the malloc(0) result of AC_FUNC_MALLOC.
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
	)],
	[ func_calloc_0_nonnull=yes ],
	[ func_calloc_0_nonnull=no ],
	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
)
AC_MSG_RESULT([$func_calloc_0_nonnull])

if test "x$func_calloc_0_nonnull" = "xyes"; then
	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
else
	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
	AC_DEFINE(calloc, rpl_calloc,
	    [Define to rpl_calloc if the replacement function should be used.])
fi
1460
# Check for ALTDIRFUNC glob() extension
# Preprocessor-only test: glob.h is run through the C preprocessor and the
# marker word survives only when GLOB_ALTDIRFUNC is defined as a macro.
AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
AC_EGREP_CPP([FOUNDIT],
	[
		#include <glob.h>
		#ifdef GLOB_ALTDIRFUNC
		FOUNDIT
		#endif
	],
	[
		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
			[Define if your system glob() function has
			the GLOB_ALTDIRFUNC extension])
		AC_MSG_RESULT([yes])
	],
	[
		AC_MSG_RESULT([no])
	]
)
1480
# Check for g.gl_matchc glob() extension
# Compile-only test: it succeeds when glob_t has a member named gl_matchc
# that accepts an integer assignment.
AC_MSG_CHECKING([for gl_matchc field in glob_t])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
	[[ glob_t g; g.gl_matchc = 1; ]])],
	[
		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
			[Define if your system glob() function has
			gl_matchc options in glob_t])
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])
])
1493
# Check for g.gl_statv glob() extension
# Compile-only test with two requirements: GLOB_KEEPSTAT must be defined as a
# macro, otherwise the #error stops compilation, and glob_t must have a
# gl_statv member that can be assigned NULL.
AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
#ifndef GLOB_KEEPSTAT
#error "glob does not support GLOB_KEEPSTAT extension"
#endif
glob_t g;
g.gl_statv = NULL;
]])],
	[
		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
			[Define if your system glob() function has
			gl_statv options in glob_t])
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])

])
1512
# Records whether glob.h declares GLOB_NOMATCH as HAVE_DECL_GLOB_NOMATCH.
AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])

# A vis.h that does not declare VIS_ALL marks the system strnvis as broken.
AC_CHECK_DECL([VIS_ALL], ,
    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1517
# Some systems declare d_name in struct dirent as a one-byte array and expect
# the caller to allocate room for the name behind it.  The probe exits
# non-zero when sizeof(d.d_name) is no larger than one char, and
# BROKEN_ONE_BYTE_DIRENT_D_NAME is then defined.  When cross compiling the
# probe cannot run and the one-byte layout is assumed.
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <dirent.h>
#include <stdlib.h>
	]],
	[[
	struct dirent d;
	exit(sizeof(d.d_name)<=sizeof(char));
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
			[Define if your struct dirent expects you to
			allocate extra space for d_name])
	],
	[
		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
	]
)
1541
# Record whether per-process descriptor directories exist under /proc.  The
# test inspects the entry of the shell that is running configure, so it
# describes the build machine at configure time.
# NOTE(review): for cross builds, or builds in a chroot or container, the
# result may not match the system the binaries will run on -- confirm.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test ! -d "/proc/$$/fd" ; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
fi
1549
# Check whether user wants to use ldns
# --with-ldns uses ldns-config when it can be found on PATH and takes the
# linker and preprocessor flags from its output; otherwise it falls back to a
# plain -lldns.  --with-ldns=PATH adds PATH/include and PATH/lib instead.
# ldns-config is executed at configure time, so the copy found on PATH must
# be the intended one.  HAVE_LDNS is defined before the link test, but a
# failed link test aborts configure.
LDNS_MSG="no"
AC_ARG_WITH(ldns,
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	if test "x$withval" = "xyes" ; then
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" = "xno"; then
			LIBS="-lldns $LIBS"
			ldns=yes
		else
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
			ldns=yes
		fi
	elif test "x$withval" != "xno" ; then
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			LDFLAGS="$LDFLAGS -L${withval}/lib"
			LIBS="-lldns $LIBS"
			ldns=yes
	fi

	# Verify that it works.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
			]])
		],
			[AC_MSG_RESULT(yes)],
				[
					AC_MSG_RESULT(no)
					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
				])
	fi
])
1596
# Check whether user wants libedit support
# --with-libedit asks pkg-config for the libedit flags when pkg-config is
# available and knows the package, and otherwise links -ledit -lcurses.
# --with-libedit=PATH adds PATH/include and PATH/lib, plus a run-time search
# path on platforms that set rpath_opt, so PATH should be a directory that
# unprivileged users cannot write to.  Both follow-up checks are fatal:
# el_init must link, and histedit.h must provide H_SETSIZE.
LIBEDIT_MSG="no"
AC_ARG_WITH([libedit],
	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
			if test "x$PKGCONFIG" != "xno"; then
				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
				if "$PKGCONFIG" libedit; then
					AC_MSG_RESULT([yes])
					use_pkgconfig_for_libedit=yes
				else
					AC_MSG_RESULT([no])
				fi
			fi
		else
			CPPFLAGS="$CPPFLAGS -I${withval}/include"
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
			else
				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
			fi
		fi
		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
			LIBEDIT=`$PKGCONFIG --libs libedit`
			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
		else
			LIBEDIT="-ledit -lcurses"
		fi
		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
		AC_CHECK_LIB([edit], [el_init],
			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
			  LIBEDIT_MSG="yes"
			  AC_SUBST([LIBEDIT])
			],
			[ AC_MSG_ERROR([libedit not found]) ],
			[ $OTHERLIBS ]
		)
		AC_MSG_CHECKING([if libedit version is compatible])
		AC_COMPILE_IFELSE(
		    [AC_LANG_PROGRAM([[
#include <histedit.h>
#include <stdlib.h>
		    ]],
		    [[
	int i = H_SETSIZE;
	el_init("", NULL, NULL, NULL);
	exit(0);
		    ]])],
		    [ AC_MSG_RESULT([yes]) ],
		    [ AC_MSG_RESULT([no])
		      AC_MSG_ERROR([libedit version is not compatible]) ]
		)
	fi ]
)
1653
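# --with-audit=MODULE selects the audit backend; AUDIT_MODULE stays "none"
# when the option is absent or given as "no".
#   bsm:   bsm/audit.h, libbsm and getaudit are all required and configure
#          stops if any of them is missing.
#   linux: -laudit is added to SSHDLIBS without a link test, and a missing
#          libaudit.h is not treated as an error here.
#          NOTE(review): a failed libaudit.h check looks like it would only
#          surface at compile time -- confirm, and consider failing early as
#          the bsm arm does.
#   debug: defines SSH_AUDIT_EVENTS only.
# Any other value is rejected with an error.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		dnl sol2ver is only set in the Solaris case arm, so do not hand an
		dnl empty string to the numeric comparison on other BSM platforms.
		if test "x$sol2ver" != "x" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)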
1706
# Position-independent executables.  use_pie starts from the platform default
# set in the host case statement (for example "auto" for OpenBSD) and
# --with-pie / --without-pie overrides it; an unset value means "no".
# "auto" is turned off when toolchain hardening is disabled or when the
# compiler is not gcc >= 4.  -fPIE and -pie are kept only when both were
# accepted; otherwise CFLAGS and LDFLAGS are restored, and even an explicit
# --with-pie ends without PIE and without an error.  The result line of the
# last check is therefore worth reading on builds that are meant to be
# hardened.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible], [
	if test "x$withval" = "xno"; then
		use_pie=no
	fi
	if test "x$withval" = "xyes"; then
		use_pie=yes
	fi
    ]
)
if test "x$use_pie" = "x"; then
	use_pie=no
fi
if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
	# Turn off automatic PIE when toolchain hardening is off.
	use_pie=no
fi
if test "x$use_pie" = "xauto"; then
	# Automatic PIE requires gcc >= 4.x
	AC_MSG_CHECKING([for gcc >= 4.x])
	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])
	  use_pie=no ]
)
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# We use both -fPIE and -pie or neither.
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
		AC_MSG_RESULT([yes])
	else
		AC_MSG_RESULT([no])
		CFLAGS="$SAVED_CFLAGS"
		LDFLAGS="$SAVED_LDFLAGS"
	fi
fi
1753
# Probe whether the compiler accepts -fPIC.  The flag is only added to CFLAGS
# for the duration of the test compile; the result is exported through the
# PICFLAG substitution, which is "-fPIC" or empty.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
   [AC_MSG_RESULT([yes])
    PICFLAG="-fPIC"; ],
   [AC_MSG_RESULT([no])
    PICFLAG=""; ])
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1765
dnl    Checks for library functions. Please keep in alphabetical order
# Every function that links defines the matching HAVE_ macro in config.h.
# The list includes memory-clearing and constant-time primitives
# (explicit_bzero, freezero, memset_s, timingsafe_bcmp), overflow-checked
# allocation (reallocarray, recallocarray), a randomness source (getrandom)
# and process-restriction interfaces (pledge, cap_rights_limit, prctl,
# setrlimit).  Where the platform lacks one of these the code presumably
# falls back to a bundled replacement or another mechanism -- confirm
# against the users of each HAVE_ macro.
AC_CHECK_FUNCS([ \
	Blowfish_initstate \
	Blowfish_expandstate \
	Blowfish_expand0state \
	Blowfish_stream2word \
	SHA256Update \
	SHA384Update \
	SHA512Update \
	asprintf \
	b64_ntop \
	__b64_ntop \
	b64_pton \
	__b64_pton \
	bcopy \
	bcrypt_pbkdf \
	bindresvport_sa \
	blf_enc \
	bzero \
	cap_rights_limit \
	clock \
	closefrom \
	dirfd \
	endgrent \
	err \
	errx \
	explicit_bzero \
	fchmod \
	fchmodat \
	fchown \
	fchownat \
	flock \
	fnmatch \
	freeaddrinfo \
	freezero \
	fstatfs \
	fstatvfs \
	futimes \
	getaddrinfo \
	getcwd \
	getgrouplist \
	getline \
	getnameinfo \
	getopt \
	getpagesize \
	getpeereid \
	getpeerucred \
	getpgid \
	_getpty \
	getrlimit \
	getrandom \
	getsid \
	getttyent \
	glob \
	group_from_gid \
	inet_aton \
	inet_ntoa \
	inet_ntop \
	innetgr \
	llabs \
	localtime_r \
	login_getcapbool \
	md5_crypt \
	memmem \
	memmove \
	memset_s \
	mkdtemp \
	ngetaddrinfo \
	nsleep \
	ogetaddrinfo \
	openlog_r \
	pledge \
	poll \
	prctl \
	pstat \
	raise \
	readpassphrase \
	reallocarray \
	realpath \
	recvmsg \
	recallocarray \
	rresvport_af \
	sendmsg \
	setdtablesize \
	setegid \
	setenv \
	seteuid \
	setgroupent \
	setgroups \
	setlinebuf \
	setlogin \
	setpassent\
	setpcred \
	setproctitle \
	setregid \
	setreuid \
	setrlimit \
	setsid \
	setvbuf \
	sigaction \
	sigvec \
	snprintf \
	socketpair \
	statfs \
	statvfs \
	strcasestr \
	strdup \
	strerror \
	strlcat \
	strlcpy \
	strmode \
	strndup \
	strnlen \
	strnvis \
	strptime \
	strsignal \
	strtonum \
	strtoll \
	strtoul \
	strtoull \
	swap32 \
	sysconf \
	tcgetpgrp \
	timingsafe_bcmp \
	truncate \
	unsetenv \
	updwtmpx \
	utimensat \
	user_from_uid \
	usleep \
	vasprintf \
	vsnprintf \
	waitpid \
	warn \
])
1901
# Records separately from the link checks whether the default headers declare
# bzero and memmem, as HAVE_DECL_BZERO and HAVE_DECL_MEMMEM.
AC_CHECK_DECLS([bzero, memmem])

dnl Wide character support.
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1906
# TEST_SSH_UTF8 keeps a value supplied in the environment and defaults to
# "yes".  The probe tries to select the en_US.UTF-8 locale on the machine
# running configure and sets the variable to "no" when that fails.  When
# cross compiling the probe cannot run and the current value is kept.
TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
AC_MSG_CHECKING([for utf8 locale support])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <locale.h>
#include <stdlib.h>
	]], [[
	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
	if (loc != NULL)
		exit(0);
	exit(1);
	]])],
	AC_MSG_RESULT(yes),
	[AC_MSG_RESULT(no)
	 TEST_SSH_UTF8=no],
	AC_MSG_WARN([cross compiling: assuming yes])
)
1924
# isblank is tested with a link check on a real call after including
# ctype.h, so the test also passes when isblank is provided as a macro.
AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
           [[ #include <ctype.h> ]],
           [[ return (isblank('a')); ]])],
	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
1931
# disable_pkcs11 is set to 1 only for --disable-pkcs11 or --enable-pkcs11=no
# and is left empty otherwise; this block does not read it.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		case "x$enableval" in
		xno)
			disable_pkcs11=1
			;;
		esac
	]
)
1941
# Security key (U2F/FIDO) switches.  disable_sk is set to 1 only for
# --disable-security-key.  enable_sk_internal becomes "yes" for any
# --with-security-key-builtin value other than "no", and is cleared again
# whenever security key support as a whole has been disabled.
disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[
		case "x$enableval" in
		xno)
			disable_sk=1
			;;
		esac
	]
)
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[
		case "x$withval" in
		xno)
			;;
		*)
			enable_sk_internal=yes
			;;
		esac
	]
)
if test "x$disable_sk" != "x" ; then
	enable_sk_internal=""
fi
1961
# Dynamic loading support: find the library that provides dlopen, adding
# -ldl to LIBS when it is needed, record HAVE_DLOPEN, and check that dlfcn.h
# declares RTLD_NOW.  The RTLD_NOW result is only kept in the configure cache
# variable because no actions are given.
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1965
# IRIX has a const char return value for gai_strerror()
# The test redeclares gai_strerror as returning const char * after the system
# headers.  The redeclaration only compiles when it agrees with the system
# prototype, and in that case HAVE_CONST_GAI_STRERROR_PROTO is defined.
AC_CHECK_FUNCS([gai_strerror], [
	AC_DEFINE([HAVE_GAI_STRERROR])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

const char *gai_strerror(int);
			]], [[
	char *str;
	str = gai_strerror(0);
			]])], [
		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
		[Define if gai_strerror() returns const char *])], [])])
1981
# nanosleep and clock_gettime may live outside libc.  AC_SEARCH_LIBS adds the
# first listed library that provides the symbol to LIBS, and the HAVE_ macro
# is defined wherever the symbol was found.
AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
	[Some systems put nanosleep outside of libc])])

AC_SEARCH_LIBS([clock_gettime], [rt],
	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1987
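dnl check if we need -D_REENTRANT for localtime_r declaration.
# If time.h does not declare localtime_r, retry with -D_REENTRANT added to
# CPPFLAGS.  The flag is kept when the retry succeeds.  Otherwise CPPFLAGS is
# put back from the saved copy, so that copy has to be taken from CPPFLAGS
# itself; saving CFLAGS here would overwrite the preprocessor flags with the
# compiler flags on the failure path.
AC_CHECK_DECL([localtime_r], [],
	[ saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)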
2000
dnl Make sure prototypes are defined for these before using them.
# strsep is only probed as a function when string.h declares it, so
# HAVE_STRSEP is not set for a libc that exports the symbol without a
# prototype.
AC_CHECK_DECL([strsep],
	[AC_CHECK_FUNCS([strsep])],
	[],
	[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
	])

dnl tcsendbreak might be a macro
# A declaration in termios.h is enough to define HAVE_TCSENDBREAK; the link
# check is only the fallback for systems without a declaration.
AC_CHECK_DECL([tcsendbreak],
	[AC_DEFINE([HAVE_TCSENDBREAK])],
	[AC_CHECK_FUNCS([tcsendbreak])],
	[#include <termios.h>]
)
2017
# Declaration checks.  Each name listed in an AC_CHECK_DECLS call defines
# HAVE_DECL_ followed by the name to 1 or 0, depending on whether the headers
# given in the last argument declare it.
AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])

AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
	[
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([O_NONBLOCK], , ,
	[
#include <sys/types.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
	])

AC_CHECK_DECLS([readv, writev], , , [
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([MAXSYMLINKS], , , [
#include <sys/param.h>
	])

AC_CHECK_DECLS([offsetof], , , [
#include <stddef.h>
	])

# extra bits for select(2)
# howmany, NFDBITS and the fd_mask type are looked up in the headers where
# different systems keep them; fd_mask is recorded as HAVE_FD_MASK.
AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
#include <sys/sysmacros.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
AC_CHECK_TYPES([fd_mask], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
2082
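dnl Runtime probe for a setresuid() that links but is only a stub.
dnl Defines BROKEN_SETRESUID when the call reports ENOSYS.
dnl The result selects which code path is used to change user ids, so a
dnl spurious "not implemented" answer matters: the probe must fail only
dnl because of ENOSYS, never because the test program did not compile.
AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have setresuid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
		]], [[
	/*
	 * unistd.h is included so setresuid has a prototype; compilers that
	 * reject implicit function declarations would otherwise fail the
	 * build of this probe and report the function as broken.
	 */
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])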
2105
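dnl Runtime probe for a setresgid() that links but is only a stub.
dnl Defines BROKEN_SETRESGID when the call reports ENOSYS.
dnl Mirrors the setresuid probe; the cross-compile warning names
dnl setresgid so that config output identifies the check that was skipped.
AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have setresgid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
		]], [[
	/*
	 * unistd.h is included so setresgid has a prototype; without one,
	 * compilers that reject implicit function declarations fail the
	 * build of this probe and the function is reported as broken.
	 */
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])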
2128
2129AC_MSG_CHECKING([for working fflush(NULL)])
2130AC_RUN_IFELSE(
2131	[AC_LANG_PROGRAM([[
2132#include <stdio.h>
2133#include <stdlib.h>
2134	]],
2135	[[fflush(NULL); exit(0);]])],
2136	AC_MSG_RESULT([yes]),
2137	[AC_MSG_RESULT([no])
2138	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2139	    [define if fflush(NULL) does not work])],
2140	AC_MSG_WARN([cross compiling: assuming working])
2141)
2142
2143dnl    Checks for time functions
2144AC_CHECK_FUNCS([gettimeofday time])
2145dnl    Checks for utmp functions
2146AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2147AC_CHECK_FUNCS([utmpname])
2148dnl    Checks for utmpx functions
2149AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2150AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2151dnl    Checks for lastlog functions
2152AC_CHECK_FUNCS([getlastlogxbyname])
2153
2154AC_CHECK_FUNC([daemon],
2155	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2156	[AC_CHECK_LIB([bsd], [daemon],
2157		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2158)
2159
2160AC_CHECK_FUNC([getpagesize],
2161	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2162		[Define if your libraries define getpagesize()])],
2163	[AC_CHECK_LIB([ucb], [getpagesize],
2164		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2165)
2166
2167# Check for broken snprintf
2168if test "x$ac_cv_func_snprintf" = "xyes" ; then
2169	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2170	AC_RUN_IFELSE(
2171		[AC_LANG_PROGRAM([[
2172#include <stdio.h>
2173#include <stdlib.h>
2174		]],
2175		[[
2176	char b[5];
2177	snprintf(b,5,"123456789");
2178	exit(b[4]!='\0');
2179		]])],
2180		[AC_MSG_RESULT([yes])],
2181		[
2182			AC_MSG_RESULT([no])
2183			AC_DEFINE([BROKEN_SNPRINTF], [1],
2184				[Define if your snprintf is busted])
2185			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2186		],
2187		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2188	)
2189fi
2190
2191if test "x$ac_cv_func_snprintf" = "xyes" ; then
2192	AC_MSG_CHECKING([whether snprintf understands %zu])
2193	AC_RUN_IFELSE(
2194		[AC_LANG_PROGRAM([[
2195#include <sys/types.h>
2196#include <stdio.h>
2197#include <stdlib.h>
2198#include <string.h>
2199		]],
2200		[[
2201	size_t a = 1, b = 2;
2202	char z[128];
2203	snprintf(z, sizeof z, "%zu%zu", a, b);
2204	exit(strcmp(z, "12"));
2205		]])],
2206		[AC_MSG_RESULT([yes])],
2207		[
2208			AC_MSG_RESULT([no])
2209			AC_DEFINE([BROKEN_SNPRINTF], [1],
2210				[snprintf does not understand %zu])
2211		],
2212		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2213	)
2214fi
2215
2216# We depend on vsnprintf returning the right thing on overflow: the
2217# number of characters it tried to create (as per SUSv3)
2218if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2219	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2220	AC_RUN_IFELSE(
2221		[AC_LANG_PROGRAM([[
2222#include <sys/types.h>
2223#include <stdio.h>
2224#include <stdarg.h>
2225
2226int x_snprintf(char *str, size_t count, const char *fmt, ...)
2227{
2228	size_t ret;
2229	va_list ap;
2230
2231	va_start(ap, fmt);
2232	ret = vsnprintf(str, count, fmt, ap);
2233	va_end(ap);
2234	return ret;
2235}
2236		]], [[
2237char x[1];
2238if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2239	return 1;
2240if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2241	return 1;
2242return 0;
2243		]])],
2244		[AC_MSG_RESULT([yes])],
2245		[
2246			AC_MSG_RESULT([no])
2247			AC_DEFINE([BROKEN_SNPRINTF], [1],
2248				[Define if your snprintf is busted])
2249			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2250		],
2251		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2252	)
2253fi
2254
2255# On systems where [v]snprintf is broken, but is declared in stdio,
2256# check that the fmt argument is const char * or just char *.
2257# This is only useful for when BROKEN_SNPRINTF
2258AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2259AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2260#include <stdio.h>
2261int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2262		]], [[
2263	snprintf(0, 0, 0);
2264		]])],
2265   [AC_MSG_RESULT([yes])
2266    AC_DEFINE([SNPRINTF_CONST], [const],
2267              [Define as const if snprintf() can declare const char *fmt])],
2268   [AC_MSG_RESULT([no])
2269    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2270
2271# Check for missing getpeereid (or equiv) support
2272NO_PEERCHECK=""
2273if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2274	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2275	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2276#include <sys/types.h>
2277#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2278		[ AC_MSG_RESULT([yes])
2279		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2280		], [AC_MSG_RESULT([no])
2281		NO_PEERCHECK=1
2282        ])
2283fi
2284
2285dnl see whether mkstemp() requires XXXXXX
2286if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2287AC_MSG_CHECKING([for (overly) strict mkstemp])
2288AC_RUN_IFELSE(
2289	[AC_LANG_PROGRAM([[
2290#include <stdlib.h>
2291#include <unistd.h>
2292	]], [[
2293	char template[]="conftest.mkstemp-test";
2294	if (mkstemp(template) == -1)
2295		exit(1);
2296	unlink(template);
2297	exit(0);
2298	]])],
2299	[
2300		AC_MSG_RESULT([no])
2301	],
2302	[
2303		AC_MSG_RESULT([yes])
2304		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2305	],
2306	[
2307		AC_MSG_RESULT([yes])
2308		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2309	]
2310)
2311fi
2312
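dnl Make sure that openpty does not reacquire a controlling terminal.
dnl Runs only when check_for_openpty_ctty_bug was set earlier in configure.
dnl The child detaches with setsid, calls openpty, then tries to open
dnl /dev/tty: success means openpty handed the process a controlling tty,
dnl and SSHD_ACQUIRES_CTTY is defined.
dnl
dnl NOTE(review): openpty is declared in pty.h, util.h or libutil.h
dnl depending on the platform. The guarded includes below assume the
dnl matching HAVE_*_H macros come from an earlier header check - confirm.
dnl When they are undefined the includes are skipped and the probe behaves
dnl as before.
if test ! -z "$check_for_openpty_ctty_bug"; then
	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#ifdef HAVE_PTY_H
# include <pty.h>
#endif
#ifdef HAVE_UTIL_H
# include <util.h>
#endif
#ifdef HAVE_LIBUTIL_H
# include <libutil.h>
#endif
		]], [[
	pid_t pid;
	int fd, ptyfd, ttyfd, status;

	pid = fork();
	if (pid < 0) {		/* failed */
		exit(1);
	} else if (pid > 0) {	/* parent */
		/* Report the child's verdict as our own exit status. */
		waitpid(pid, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		else
			exit(2);
	} else {		/* child */
		/* Drop stdio and start a new session: no controlling tty. */
		close(0); close(1); close(2);
		setsid();
		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
		if (fd >= 0)
			exit(3);	/* Acquired ctty: broken */
		else
			exit(0);	/* Did not acquire ctty: OK */
	}
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([SSHD_ACQUIRES_CTTY])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi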
2360
2361if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2362    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2363	AC_MSG_CHECKING([if getaddrinfo seems to work])
2364	AC_RUN_IFELSE(
2365		[AC_LANG_PROGRAM([[
2366#include <stdio.h>
2367#include <stdlib.h>
2368#include <sys/socket.h>
2369#include <netdb.h>
2370#include <errno.h>
2371#include <netinet/in.h>
2372
2373#define TEST_PORT "2222"
2374		]], [[
2375	int err, sock;
2376	struct addrinfo *gai_ai, *ai, hints;
2377	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2378
2379	memset(&hints, 0, sizeof(hints));
2380	hints.ai_family = PF_UNSPEC;
2381	hints.ai_socktype = SOCK_STREAM;
2382	hints.ai_flags = AI_PASSIVE;
2383
2384	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2385	if (err != 0) {
2386		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2387		exit(1);
2388	}
2389
2390	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2391		if (ai->ai_family != AF_INET6)
2392			continue;
2393
2394		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2395		    sizeof(ntop), strport, sizeof(strport),
2396		    NI_NUMERICHOST|NI_NUMERICSERV);
2397
2398		if (err != 0) {
2399			if (err == EAI_SYSTEM)
2400				perror("getnameinfo EAI_SYSTEM");
2401			else
2402				fprintf(stderr, "getnameinfo failed: %s\n",
2403				    gai_strerror(err));
2404			exit(2);
2405		}
2406
2407		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2408		if (sock < 0)
2409			perror("socket");
2410		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2411			if (errno == EBADF)
2412				exit(3);
2413		}
2414	}
2415	exit(0);
2416		]])],
2417		[
2418			AC_MSG_RESULT([yes])
2419		],
2420		[
2421			AC_MSG_RESULT([no])
2422			AC_DEFINE([BROKEN_GETADDRINFO])
2423		],
2424		[
2425			AC_MSG_RESULT([cross-compiling, assuming yes])
2426		]
2427	)
2428fi
2429
2430if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2431    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2432	AC_MSG_CHECKING([if getaddrinfo seems to work])
2433	AC_RUN_IFELSE(
2434		[AC_LANG_PROGRAM([[
2435#include <stdio.h>
2436#include <stdlib.h>
2437#include <sys/socket.h>
2438#include <netdb.h>
2439#include <errno.h>
2440#include <netinet/in.h>
2441
2442#define TEST_PORT "2222"
2443		]], [[
2444	int err, sock;
2445	struct addrinfo *gai_ai, *ai, hints;
2446	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2447
2448	memset(&hints, 0, sizeof(hints));
2449	hints.ai_family = PF_UNSPEC;
2450	hints.ai_socktype = SOCK_STREAM;
2451	hints.ai_flags = AI_PASSIVE;
2452
2453	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2454	if (err != 0) {
2455		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2456		exit(1);
2457	}
2458
2459	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2460		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2461			continue;
2462
2463		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2464		    sizeof(ntop), strport, sizeof(strport),
2465		    NI_NUMERICHOST|NI_NUMERICSERV);
2466
2467		if (ai->ai_family == AF_INET && err != 0) {
2468			perror("getnameinfo");
2469			exit(2);
2470		}
2471	}
2472	exit(0);
2473		]])],
2474		[
2475			AC_MSG_RESULT([yes])
2476			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2477				[Define if you have a getaddrinfo that fails
2478				for the all-zeros IPv6 address])
2479		],
2480		[
2481			AC_MSG_RESULT([no])
2482			AC_DEFINE([BROKEN_GETADDRINFO])
2483		],
2484		[
2485			AC_MSG_RESULT([cross-compiling, assuming no])
2486		]
2487	)
2488fi
2489
2490if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2491	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2492	    [#include <sys/types.h>
2493	     #include <sys/socket.h>
2494	     #include <netdb.h>])
2495fi
2496
2497if test "x$check_for_conflicting_getspnam" = "x1"; then
2498	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2499	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2500#include <shadow.h>
2501#include <stdlib.h>
2502		]],
2503		[[ exit(0); ]])],
2504		[
2505			AC_MSG_RESULT([no])
2506		],
2507		[
2508			AC_MSG_RESULT([yes])
2509			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2510			    [Conflicting defs for getspnam])
2511		]
2512	)
2513fi
2514
2515dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2516dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2517dnl for over ten years). Despite this incompatibility being reported during
2518dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2519dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2520dnl implementation.  Try to detect this mess, and assume the only safe option
2521dnl if we're cross compiling.
2522dnl
2523dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2524dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2525if test "x$ac_cv_func_strnvis" = "xyes"; then
2526	AC_MSG_CHECKING([for working strnvis])
2527	AC_RUN_IFELSE(
2528		[AC_LANG_PROGRAM([[
2529#include <signal.h>
2530#include <stdlib.h>
2531#include <string.h>
2532#include <unistd.h>
2533#include <vis.h>
2534static void sighandler(int sig) { _exit(1); }
2535		]], [[
2536	char dst[16];
2537
2538	signal(SIGSEGV, sighandler);
2539	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2540		exit(0);
2541	exit(1)
2542		]])],
2543		[AC_MSG_RESULT([yes])],
2544		[AC_MSG_RESULT([no])
2545		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2546		[AC_MSG_WARN([cross compiling: assuming broken])
2547		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2548	)
2549fi
2550
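dnl Runtime probe: does a signal installed with SA_RESTART still interrupt
dnl a blocking select()?  The parent blocks in select with no descriptors
dnl and no timeout; the child sends SIGTERM after one second and, if the
dnl parent is still alive a second later, kills it with SIGKILL.
dnl select returning -1 means the signal interrupted it.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	/* Initialise every field that sigaction reads, including the mask. */
	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	sigemptyset(&sa.sa_mask);
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do not interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)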
2590
2591AC_CHECK_FUNCS([getpgrp],[
2592	AC_MSG_CHECKING([if getpgrp accepts zero args])
2593	AC_COMPILE_IFELSE(
2594		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2595		[ AC_MSG_RESULT([yes])
2596		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2597		[ AC_MSG_RESULT([no])
2598		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2599	)
2600])
2601
2602# Search for OpenSSL
2603saved_CPPFLAGS="$CPPFLAGS"
2604saved_LDFLAGS="$LDFLAGS"
2605AC_ARG_WITH([ssl-dir],
2606	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2607	[
2608		if test "x$openssl" = "xno" ; then
2609			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2610		fi
2611		if test "x$withval" != "xno" ; then
2612			case "$withval" in
2613				# Relative paths
2614				./*|../*)	withval="`pwd`/$withval"
2615			esac
2616			if test -d "$withval/lib"; then
2617				if test -n "${rpath_opt}"; then
2618					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2619				else
2620					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2621				fi
2622			elif test -d "$withval/lib64"; then
2623				if test -n "${rpath_opt}"; then
2624					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2625				else
2626					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2627				fi
2628			else
2629				if test -n "${rpath_opt}"; then
2630					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2631				else
2632					LDFLAGS="-L${withval} ${LDFLAGS}"
2633				fi
2634			fi
2635			if test -d "$withval/include"; then
2636				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2637			else
2638				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2639			fi
2640		fi
2641	]
2642)
2643
2644AC_ARG_WITH([openssl-header-check],
2645	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2646	[
2647		if test "x$withval" = "xno" ; then
2648			openssl_check_nonfatal=1
2649		fi
2650	]
2651)
2652
2653openssl_engine=no
2654AC_ARG_WITH([ssl-engine],
2655	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2656	[
2657		if test "x$withval" != "xno" ; then
2658			if test "x$openssl" = "xno" ; then
2659				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2660			fi
2661			openssl_engine=yes
2662		fi
2663	]
2664)
2665
2666if test "x$openssl" = "xyes" ; then
2667	LIBS="-lcrypto $LIBS"
2668	AC_TRY_LINK_FUNC([RAND_add], ,
2669	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2670	AC_CHECK_HEADER([openssl/opensslv.h], ,
2671	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2672
2673	# Determine OpenSSL header version
2674	AC_MSG_CHECKING([OpenSSL header version])
2675	AC_RUN_IFELSE(
2676		[AC_LANG_PROGRAM([[
2677	#include <stdlib.h>
2678	#include <stdio.h>
2679	#include <string.h>
2680	#include <openssl/opensslv.h>
2681	#define DATA "conftest.sslincver"
2682		]], [[
2683		FILE *fd;
2684		int rc;
2685
2686		fd = fopen(DATA,"w");
2687		if(fd == NULL)
2688			exit(1);
2689
2690		if ((rc = fprintf(fd, "%08lx (%s)\n",
2691		    (unsigned long)OPENSSL_VERSION_NUMBER,
2692		     OPENSSL_VERSION_TEXT)) < 0)
2693			exit(1);
2694
2695		exit(0);
2696		]])],
2697		[
2698			ssl_header_ver=`cat conftest.sslincver`
2699			AC_MSG_RESULT([$ssl_header_ver])
2700		],
2701		[
2702			AC_MSG_RESULT([not found])
2703			AC_MSG_ERROR([OpenSSL version header not found.])
2704		],
2705		[
2706			AC_MSG_WARN([cross compiling: not checking])
2707		]
2708	)
2709
2710	# Determining OpenSSL library version is version dependent.
2711	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2712
2713	# Determine OpenSSL library version
2714	AC_MSG_CHECKING([OpenSSL library version])
2715	AC_RUN_IFELSE(
2716		[AC_LANG_PROGRAM([[
2717	#include <stdio.h>
2718	#include <stdlib.h>
2719	#include <string.h>
2720	#include <openssl/opensslv.h>
2721	#include <openssl/crypto.h>
2722	#define DATA "conftest.ssllibver"
2723		]], [[
2724		FILE *fd;
2725		int rc;
2726
2727		fd = fopen(DATA,"w");
2728		if(fd == NULL)
2729			exit(1);
2730#ifndef OPENSSL_VERSION
2731# define OPENSSL_VERSION SSLEAY_VERSION
2732#endif
2733#ifndef HAVE_OPENSSL_VERSION
2734# define OpenSSL_version	SSLeay_version
2735#endif
2736#ifndef HAVE_OPENSSL_VERSION_NUM
2737# define OpenSSL_version_num	SSLeay
2738#endif
2739		if ((rc = fprintf(fd, "%08lx (%s)\n",
2740		    (unsigned long)OpenSSL_version_num(),
2741		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2742			exit(1);
2743
2744		exit(0);
2745		]])],
2746		[
2747			ssl_library_ver=`cat conftest.ssllibver`
2748			# Check version is supported.
2749			case "$ssl_library_ver" in
2750			10000*|0*)
2751				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2752		                ;;
2753			100*)   ;; # 1.0.x
2754			101000[[0123456]]*)
2755				# https://github.com/openssl/openssl/pull/4613
2756				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2757				;;
2758			101*)   ;; # 1.1.x
2759			200*)   ;; # LibreSSL
2760			300*)   ;; # OpenSSL development branch.
2761		        *)
2762				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2763		                ;;
2764			esac
2765			AC_MSG_RESULT([$ssl_library_ver])
2766		],
2767		[
2768			AC_MSG_RESULT([not found])
2769			AC_MSG_ERROR([OpenSSL library not found.])
2770		],
2771		[
2772			AC_MSG_WARN([cross compiling: not checking])
2773		]
2774	)
2775
2776	# Sanity check OpenSSL headers
2777	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2778	AC_RUN_IFELSE(
2779		[AC_LANG_PROGRAM([[
2780	#include <stdlib.h>
2781	#include <string.h>
2782	#include <openssl/opensslv.h>
2783	#include <openssl/crypto.h>
2784		]], [[
2785#ifndef HAVE_OPENSSL_VERSION_NUM
2786# define OpenSSL_version_num	SSLeay
2787#endif
2788		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2789		]])],
2790		[
2791			AC_MSG_RESULT([yes])
2792		],
2793		[
2794			AC_MSG_RESULT([no])
2795			if test "x$openssl_check_nonfatal" = "x"; then
2796				AC_MSG_ERROR([Your OpenSSL headers do not match your
2797	library. Check config.log for details.
2798	If you are sure your installation is consistent, you can disable the check
2799	by running "./configure --without-openssl-header-check".
2800	Also see contrib/findssl.sh for help identifying header/library mismatches.
2801	])
2802			else
2803				AC_MSG_WARN([Your OpenSSL headers do not match your
2804	library. Check config.log for details.
2805	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2806			fi
2807		],
2808		[
2809			AC_MSG_WARN([cross compiling: not checking])
2810		]
2811	)
2812
2813	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2814	AC_LINK_IFELSE(
2815		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2816		[[ ERR_load_crypto_strings(); ]])],
2817		[
2818			AC_MSG_RESULT([yes])
2819		],
2820		[
2821			AC_MSG_RESULT([no])
2822			saved_LIBS="$LIBS"
2823			LIBS="$LIBS -ldl"
2824			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2825			AC_LINK_IFELSE(
2826				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2827				[[ ERR_load_crypto_strings(); ]])],
2828				[
2829					AC_MSG_RESULT([yes])
2830				],
2831				[
2832					AC_MSG_RESULT([no])
2833					LIBS="$saved_LIBS"
2834				]
2835			)
2836		]
2837	)
2838
2839	AC_CHECK_FUNCS([ \
2840		BN_is_prime_ex \
2841		DSA_generate_parameters_ex \
2842		EVP_CIPHER_CTX_ctrl \
2843		EVP_DigestFinal_ex \
2844		EVP_DigestInit_ex \
2845		EVP_MD_CTX_cleanup \
2846		EVP_MD_CTX_copy_ex \
2847		EVP_MD_CTX_init \
2848		HMAC_CTX_init \
2849		RSA_generate_key_ex \
2850		RSA_get_default_method \
2851	])
2852
2853	# OpenSSL_add_all_algorithms may be a macro.
2854	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2855	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2856	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2857		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2858		[[#include <openssl/evp.h>]]
2859	    )
2860	)
2861
2862	# LibreSSL/OpenSSL 1.1x API
2863	AC_CHECK_FUNCS([ \
2864		OPENSSL_init_crypto \
2865		DH_get0_key \
2866		DH_get0_pqg \
2867		DH_set0_key \
2868		DH_set_length \
2869		DH_set0_pqg \
2870		DSA_get0_key \
2871		DSA_get0_pqg \
2872		DSA_set0_key \
2873		DSA_set0_pqg \
2874		DSA_SIG_get0 \
2875		DSA_SIG_set0 \
2876		ECDSA_SIG_get0 \
2877		ECDSA_SIG_set0 \
2878		EVP_CIPHER_CTX_iv \
2879		EVP_CIPHER_CTX_iv_noconst \
2880		EVP_CIPHER_CTX_get_iv \
2881		EVP_CIPHER_CTX_set_iv \
2882		RSA_get0_crt_params \
2883		RSA_get0_factors \
2884		RSA_get0_key \
2885		RSA_set0_crt_params \
2886		RSA_set0_factors \
2887		RSA_set0_key \
2888		RSA_meth_free \
2889		RSA_meth_dup \
2890		RSA_meth_set1_name \
2891		RSA_meth_get_finish \
2892		RSA_meth_set_priv_enc \
2893		RSA_meth_set_priv_dec \
2894		RSA_meth_set_finish \
2895		EVP_PKEY_get0_RSA \
2896		EVP_MD_CTX_new \
2897		EVP_MD_CTX_free \
2898		EVP_chacha20 \
2899	])
2900
2901	if test "x$openssl_engine" = "xyes" ; then
2902		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2903		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2904	#include <openssl/engine.h>
2905			]], [[
2906				ENGINE_load_builtin_engines();
2907				ENGINE_register_all_complete();
2908			]])],
2909			[ AC_MSG_RESULT([yes])
2910			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2911			     [Enable OpenSSL engine support])
2912			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2913		])
2914	fi
2915
2916	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2917	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2918	AC_LINK_IFELSE(
2919		[AC_LANG_PROGRAM([[
2920	#include <stdlib.h>
2921	#include <string.h>
2922	#include <openssl/evp.h>
2923		]], [[
2924		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2925		]])],
2926		[
2927			AC_MSG_RESULT([no])
2928		],
2929		[
2930			AC_MSG_RESULT([yes])
2931			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2932			    [libcrypto is missing AES 192 and 256 bit functions])
2933		]
2934	)
2935
2936	# Check for OpenSSL with EVP_aes_*ctr
2937	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2938	AC_LINK_IFELSE(
2939		[AC_LANG_PROGRAM([[
2940	#include <stdlib.h>
2941	#include <string.h>
2942	#include <openssl/evp.h>
2943		]], [[
2944		exit(EVP_aes_128_ctr() == NULL ||
2945		    EVP_aes_192_cbc() == NULL ||
2946		    EVP_aes_256_cbc() == NULL);
2947		]])],
2948		[
2949			AC_MSG_RESULT([yes])
2950			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2951			    [libcrypto has EVP AES CTR])
2952		],
2953		[
2954			AC_MSG_RESULT([no])
2955		]
2956	)
2957
2958	# Check for OpenSSL with EVP_aes_*gcm
2959	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2960	AC_LINK_IFELSE(
2961		[AC_LANG_PROGRAM([[
2962	#include <stdlib.h>
2963	#include <string.h>
2964	#include <openssl/evp.h>
2965		]], [[
2966		exit(EVP_aes_128_gcm() == NULL ||
2967		    EVP_aes_256_gcm() == NULL ||
2968		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2969		    EVP_CTRL_GCM_IV_GEN == 0 ||
2970		    EVP_CTRL_GCM_SET_TAG == 0 ||
2971		    EVP_CTRL_GCM_GET_TAG == 0 ||
2972		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2973		]])],
2974		[
2975			AC_MSG_RESULT([yes])
2976			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2977			    [libcrypto has EVP AES GCM])
2978		],
2979		[
2980			AC_MSG_RESULT([no])
2981			unsupported_algorithms="$unsupported_cipers \
2982			   aes128-gcm@openssh.com \
2983			   aes256-gcm@openssh.com"
2984		]
2985	)
2986
2987	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2988	AC_LINK_IFELSE(
2989		[AC_LANG_PROGRAM([[
2990	#include <stdlib.h>
2991	#include <string.h>
2992	#include <openssl/evp.h>
2993		]], [[
2994		if(EVP_DigestUpdate(NULL, NULL,0))
2995			exit(0);
2996		]])],
2997		[
2998			AC_MSG_RESULT([yes])
2999		],
3000		[
3001			AC_MSG_RESULT([no])
3002			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
3003			    [Define if EVP_DigestUpdate returns void])
3004		]
3005	)
3006
3007	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
3008	# because the system crypt() is more featureful.
3009	if test "x$check_for_libcrypt_before" = "x1"; then
3010		AC_CHECK_LIB([crypt], [crypt])
3011	fi
3012
3013	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
3014	# version in OpenSSL.
3015	if test "x$check_for_libcrypt_later" = "x1"; then
3016		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3017	fi
3018	AC_CHECK_FUNCS([crypt DES_crypt])
3019
3020	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3021	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3022
3023	# Check complete ECC support in OpenSSL
3024	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3025	AC_LINK_IFELSE(
3026		[AC_LANG_PROGRAM([[
3027	#include <openssl/ec.h>
3028	#include <openssl/ecdh.h>
3029	#include <openssl/ecdsa.h>
3030	#include <openssl/evp.h>
3031	#include <openssl/objects.h>
3032	#include <openssl/opensslv.h>
3033		]], [[
3034		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3035		const EVP_MD *m = EVP_sha256(); /* We need this too */
3036		]])],
3037		[ AC_MSG_RESULT([yes])
3038		  enable_nistp256=1 ],
3039		[ AC_MSG_RESULT([no]) ]
3040	)
3041
3042	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3043	AC_LINK_IFELSE(
3044		[AC_LANG_PROGRAM([[
3045	#include <openssl/ec.h>
3046	#include <openssl/ecdh.h>
3047	#include <openssl/ecdsa.h>
3048	#include <openssl/evp.h>
3049	#include <openssl/objects.h>
3050	#include <openssl/opensslv.h>
3051		]], [[
3052		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3053		const EVP_MD *m = EVP_sha384(); /* We need this too */
3054		]])],
3055		[ AC_MSG_RESULT([yes])
3056		  enable_nistp384=1 ],
3057		[ AC_MSG_RESULT([no]) ]
3058	)
3059
3060	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3061	AC_LINK_IFELSE(
3062		[AC_LANG_PROGRAM([[
3063	#include <openssl/ec.h>
3064	#include <openssl/ecdh.h>
3065	#include <openssl/ecdsa.h>
3066	#include <openssl/evp.h>
3067	#include <openssl/objects.h>
3068	#include <openssl/opensslv.h>
3069		]], [[
3070		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3071		const EVP_MD *m = EVP_sha512(); /* We need this too */
3072		]])],
3073		[ AC_MSG_RESULT([yes])
3074		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3075		  AC_RUN_IFELSE(
3076			[AC_LANG_PROGRAM([[
3077	#include <stdlib.h>
3078	#include <openssl/ec.h>
3079	#include <openssl/ecdh.h>
3080	#include <openssl/ecdsa.h>
3081	#include <openssl/evp.h>
3082	#include <openssl/objects.h>
3083	#include <openssl/opensslv.h>
3084			]],[[
3085			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3086			const EVP_MD *m = EVP_sha512(); /* We need this too */
3087			exit(e == NULL || m == NULL);
3088			]])],
3089			[ AC_MSG_RESULT([yes])
3090			  enable_nistp521=1 ],
3091			[ AC_MSG_RESULT([no]) ],
3092			[ AC_MSG_WARN([cross-compiling: assuming yes])
3093			  enable_nistp521=1 ]
3094		  )],
3095		AC_MSG_RESULT([no])
3096	)
3097
3098	COMMENT_OUT_ECC="#no ecc#"
3099	TEST_SSH_ECC=no
3100
3101	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3102	    test x$enable_nistp521 = x1; then
3103		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3104		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3105		openssl_ecc=yes
3106	else
3107		openssl_ecc=no
3108	fi
3109	if test x$enable_nistp256 = x1; then
3110		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3111		    [libcrypto has NID_X9_62_prime256v1])
3112		TEST_SSH_ECC=yes
3113		COMMENT_OUT_ECC=""
3114	else
3115		unsupported_algorithms="$unsupported_algorithms \
3116			ecdsa-sha2-nistp256 \
3117			ecdh-sha2-nistp256 \
3118			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3119	fi
3120	if test x$enable_nistp384 = x1; then
3121		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3122		TEST_SSH_ECC=yes
3123		COMMENT_OUT_ECC=""
3124	else
3125		unsupported_algorithms="$unsupported_algorithms \
3126			ecdsa-sha2-nistp384 \
3127			ecdh-sha2-nistp384 \
3128			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3129	fi
3130	if test x$enable_nistp521 = x1; then
3131		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3132		TEST_SSH_ECC=yes
3133		COMMENT_OUT_ECC=""
3134	else
3135		unsupported_algorithms="$unsupported_algorithms \
3136			ecdh-sha2-nistp521 \
3137			ecdsa-sha2-nistp521 \
3138			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3139	fi
3140
3141	AC_SUBST([TEST_SSH_ECC])
3142	AC_SUBST([COMMENT_OUT_ECC])
3143else
3144	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3145	AC_CHECK_FUNCS([crypt])
3146fi
3147
# PKCS#11 and U2F/FIDO both need libcrypto and dlopen(3); U2F also needs ECC
# support in OpenSSL.  Each variable ends up as "yes" or as the reason it was
# disabled.  Later tests overwrite earlier ones, so the reason printed below
# is that of the last test that failed.
enable_pkcs11=yes
enable_sk=yes
test "x$openssl" = "xyes" || {
	enable_pkcs11="disabled; missing libcrypto"
	enable_sk="disabled; missing libcrypto"
}
test "x$openssl_ecc" = "xyes" || \
	enable_sk="disabled; OpenSSL has no ECC support"
test "x$ac_cv_func_dlopen" = "xyes" || {
	enable_pkcs11="disabled; missing dlopen(3)"
	enable_sk="disabled; missing dlopen(3)"
}
test "x$ac_cv_have_decl_RTLD_NOW" = "xyes" || {
	enable_pkcs11="disabled; missing RTLD_NOW"
	enable_sk="disabled; missing RTLD_NOW"
}
# A request by the user to disable a feature is applied last.
test -z "$disable_pkcs11" || enable_pkcs11="disabled by user"
test -z "$disable_sk" || enable_sk="disabled by user"

AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])

AC_MSG_CHECKING([whether to enable U2F])
# Stays empty unless U2F is enabled, so the sk-dummy library is not built.
SK_DUMMY_LIBRARY=""
if test "x$enable_sk" = "xyes" ; then
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	SK_DUMMY_LIBRARY=regress/misc/sk-dummy/sk-dummy.so
fi
AC_SUBST([SK_DUMMY_LIBRARY])
AC_MSG_RESULT([$enable_sk])
3188
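# Now check for built-in security key support.
# enable_sk_internal is set outside this section (NOTE(review): presumably by
# a configure option; confirm).  Once it is requested, an unusable libfido2 or
# a missing header stops configure rather than quietly dropping the feature.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
	use_pkgconfig_for_libfido2=
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		if "$PKGCONFIG" libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
		else
			AC_MSG_RESULT([no])
		fi
	fi
	# Take link and include flags from pkg-config when it knows the
	# package; otherwise fall back to a fixed library list.
	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
		LIBFIDO2=`$PKGCONFIG --libs libfido2`
		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
	else
		LIBFIDO2="-lfido2 -lcbor"
	fi
	# Everything except -lfido2 itself is handed to the link test below
	# as additional libraries.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		],
		[AC_MSG_ERROR([no usable libfido2 found])],
		[ $OTHERLIBS ]
	)
	# Optional libfido2 functions are probed with the library on LIBS
	# only for the duration of the check.
	saved_LIBS="$LIBS"
	LIBS="$LIBS $LIBFIDO2"
	AC_CHECK_FUNCS([ \
		fido_cred_prot \
		fido_cred_set_prot \
		fido_dev_get_touch_begin \
		fido_dev_get_touch_status \
		fido_dev_supports_cred_prot \
	])
	LIBS="$saved_LIBS"
	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi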
3235
# Probe for the arc4random family of functions.
AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_stir arc4random_uniform])
3242
# libiaf is only probed here and never left in LIBS: it is appended to
# SSHDLIBS alone, and only when it also provides set_id.
saved_LIBS="$LIBS"
AC_CHECK_LIB([iaf], [ia_openinfo],
	[
		LIBS="$LIBS -liaf"
		AC_CHECK_FUNCS([set_id],
			[
				AC_DEFINE([HAVE_LIBIAF], [1],
				    [Define if system has libiaf that supports set_id])
				SSHDLIBS="$SSHDLIBS -liaf"
			])
	])
LIBS="$saved_LIBS"
3252
3253### Configure cryptographic random number support
3254
# Check whether OpenSSL seeds itself
# This is a run test: the program calls RAND_status() on the build host and
# OPENSSL_SEEDS_ITSELF is set to yes only when that returns 1.  When cross
# compiling nothing can be executed, so yes is assumed.  Further down,
# OPENSSL_SEEDS_ITSELF suppresses the search for a PRNGD socket and selects
# the OpenSSL-only entropy configuration.
if test "x$openssl" = "xyes" ; then
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			OPENSSL_SEEDS_ITSELF=yes
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
fi
3281
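# PRNGD TCP socket
# The port is written into config.h without quotes, as a bare C token, so
# the value must consist of digits only.  Previously any value that merely
# started with a digit was accepted.  The numeric range is not checked here.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|*[[!0-9]]*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)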
3303
# PRNGD Unix domain socket
# The chosen path is compiled into the binaries as PRNGD_SOCKET.  Only an
# absolute path is accepted; "yes" selects /var/run/egd-pool and "no" turns
# the socket off.  Without the option a few fixed locations are probed, and
# only when OpenSSL's PRNG was not found to seed itself.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		no)
			withval=""
			;;
		yes)
			withval="/var/run/egd-pool"
			;;
		/*)
			;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test -n "$withval" ; then
			# A TCP port and a socket are mutually exclusive.
			test -z "$PRNGD_PORT" || \
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			# An unreadable socket is only warned about.
			test -r "$withval" || \
				AC_MSG_WARN([Entropy socket is not readable])
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				test -r $sock || continue
				# Accept a readable socket or named pipe only.
				if $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break;
				fi
			done
			if test -z "$PRNGD_SOCKET" ; then
				AC_MSG_RESULT([not found])
			else
				AC_MSG_RESULT([$PRNGD_SOCKET])
			fi
		fi
	]
)
3354
# Which randomness source do we use?
# Precedence: PRNGD TCP port, then PRNGD socket, then OpenSSL's own seeding.
# A build without OpenSSL only warns that /dev/urandom will be used; a build
# with OpenSSL but without any entropy source stops here.
if test -n "$PRNGD_PORT" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test -n "$PRNGD_SOCKET" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test -n "$OPENSSL_SEEDS_ITSELF" ; then
	RAND_MSG="OpenSSL internal ONLY"
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3369
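# Check for PAM libs
# PAM is linked into sshd only: LIBS is restored after the probes, and -lpam,
# plus -ldl where it is not already in LIBS, is appended to SSHDLIBS.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist pam_putenv])
			LIBS="$saved_LIBS"

			PAM_MSG="yes"

			SSHDLIBS="$SSHDLIBS -lpam"
			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])

			# Quoted with the usual x prefix so the test stays
			# well formed even if the cache variable is empty.
			if test "x$ac_cv_lib_dl_dlopen" = "xyes" ; then
				case "$LIBS" in
				*-ldl*)
					# libdl already in LIBS
					;;
				*)
					SSHDLIBS="$SSHDLIBS -ldl"
					;;
				esac
			fi
		fi
	]
)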
3407
# Optional override of the PAM service name.  The value is compiled in as a
# C string literal and is not validated here; bare "yes" or "no" are ignored.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		case "x$withval" in
		xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
			;;
		esac
	]
)
3418
# Check for older PAM
# Runs only when PAM support was enabled above.  The test program calls
# pam_strerror with two arguments; if that fails to compile, the library is
# taken to be the old one-argument variant and HAVE_OLD_PAM is defined.
if test "x$PAM_MSG" = "xyes" ; then
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])], [AC_MSG_RESULT([no])], [
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"

	])
fi
3441
# Unprivileged account used for privilege separation.  The default is sshd,
# except on Cygwin, where the name is obtained through the
# CYGWIN_SSH_PRIVSEP_USER function; --with-privsep-user overrides either.
# The name is compiled in as a C string literal and is not validated here.
SSH_PRIVSEP_USER=sshd
case "$host" in
*-*-cygwin*)
	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
	;;
esac
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			SSH_PRIVSEP_USER=$withval
			;;
		esac
	]
)
case "x$SSH_PRIVSEP_USER" in
xCYGWIN_SSH_PRIVSEP_USER)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
	;;
*)
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
	;;
esac
AC_SUBST([SSH_PRIVSEP_USER])
3467
# The seccomp declaration is only looked for when have_linux_no_new_privs
# was set by an earlier check outside this section.
if test "x$have_linux_no_new_privs" = "x1" ; then
AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
])
fi
# Despite the message, this is a link test: the program below is compiled
# and linked but not executed, so it shows that the build environment has
# the seccomp and prctl definitions, not that the running kernel accepts a
# filter.  A failure clears have_seccomp_filter, which takes seccomp_filter
# out of the automatic sandbox selection further down.
if test "x$have_seccomp_filter" = "x1" ; then
AC_MSG_CHECKING([kernel for seccomp_filter support])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
	[ AC_MSG_RESULT([yes]) ], [
		AC_MSG_RESULT([no])
		# Disable seccomp filter as a target
		have_seccomp_filter=0
	]
)
fi
3495
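# Decide which sandbox style to use
# sandbox_arg stays empty for automatic selection; a bare --with-sandbox
# means the same.  The help text now lists solaris, which the selection
# code further down accepts as well.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, solaris, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)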
3508
# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
# The test opens /dev/null, drops RLIMIT_FSIZE and RLIMIT_NOFILE to zero and
# then calls select(2) on the descriptor that is already open.
# NOTE(review): the result of open() is not checked; if /dev/null could not
# be opened, fd would be -1 when handed to FD_SET.
# When cross compiling the test cannot run and "yes" is assumed.
AC_MSG_CHECKING([if select works with descriptor rlimit])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int fd, r;
	fd_set fds;
	struct timeval tv;

	fd = open("/dev/null", O_RDONLY);
	FD_ZERO(&fds);
	FD_SET(fd, &fds);
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &rl_zero);
	setrlimit(RLIMIT_NOFILE, &rl_zero);
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	r = select(fd+1, &fds, NULL, NULL, &tv);
	exit (r == -1 ? 1 : 0);
	]])],
	[AC_MSG_RESULT([yes])
	 select_works_with_rlimit=yes],
	[AC_MSG_RESULT([no])
	 select_works_with_rlimit=no],
	[AC_MSG_WARN([cross compiling: assuming yes])
	 select_works_with_rlimit=yes]
)
3550
# Run test: can both RLIMIT_NOFILE limits be set to zero?  The result is one
# of the conditions for choosing the rlimit sandbox automatically.  When
# cross compiling the test cannot run and "yes" is assumed.
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int r;

	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
	exit (r == -1 ? 1 : 0);
	]])],
	[AC_MSG_RESULT([yes])
	 rlimit_nofile_zero_works=yes],
	[AC_MSG_RESULT([no])
	 rlimit_nofile_zero_works=no],
	[AC_MSG_WARN([cross compiling: assuming yes])
	 rlimit_nofile_zero_works=yes]
)
3576
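# Run test: can RLIMIT_FSIZE be set to zero?  SANDBOX_SKIP_RLIMIT_FSIZE is
# defined only when the call fails, so its config.h description now says so;
# the old text read as if the macro meant that the call works.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)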
3595
# Select exactly one sandbox style.  With an empty sandbox_arg the first
# style whose prerequisites were detected wins, tried in this order: pledge,
# systrace, darwin, seccomp_filter, capsicum, rlimit, solaris.  With an
# explicit value most branches re-check the prerequisites and stop with an
# error if one is missing.  If nothing was detected, the build ends up with
# SANDBOX_STYLE "none".
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	# The header checks used for automatic selection are not repeated
	# here for an explicit seccomp_filter request.
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
       SANDBOX_STYLE="capsicum"
       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	# NOTE(review): rlimit_nofile_zero_works is required for automatic
	# selection but is not re-checked for an explicit rlimit request.
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	# NOTE(review): an explicit solaris request is accepted without
	# checking SOLARIS_PRIVS.
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# Reached with an explicit no, none or null, and also with an empty
	# sandbox_arg when nothing above was detected.  No warning is printed
	# at this point.
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi
3666
# Cheap hack to ensure NEWS-OS libraries are arranged right: when SONY is
# set, libiberty goes at the end of LIBS.
if test -n "$SONY" ; then
	LIBS="$LIBS -liberty"
fi
3671
# Availability of the wide integer and floating point types
AC_CHECK_TYPES([long long, unsigned long long, long double])

# Sizes of the basic integer types
AC_CHECK_SIZEOF([short int])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])

# Sanity check long long for some platforms (AIX): a reported size of 4 is
# reset to 0.
case "x$ac_cv_sizeof_long_long_int" in
x4)
	ac_cv_sizeof_long_long_int=0
	;;
esac
3685
# compute LLONG_MIN and LLONG_MAX if we don't know them.
# have_llong_max and have_long_long_max come from checks outside this
# section.  The probe is a run test: it writes the minimum and maximum to
# conftest.llminmax, and the two fields are then pasted into config.h with
# an LL suffix.  When the system headers lack both macros, the test program
# derives the values by letting a signed long long wrap, which the C
# standard leaves undefined; the sanity check that follows rejects
# implausible results.  That check also keeps zero away from fprint_ll,
# whose digit loop stores nothing for n equal to 0.  When cross compiling
# nothing is run and neither macro is defined here.
if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
	AC_MSG_CHECKING([for max value of long long])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
/* Why is this so damn hard? */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))

/*
 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
 * we do this the hard way.
 */
static int
fprint_ll(FILE *f, long long n)
{
	unsigned int i;
	int l[sizeof(long long) * 8];

	if (n < 0)
		if (fprintf(f, "-") < 0)
			return -1;
	for (i = 0; n != 0; i++) {
		l[i] = my_abs(n % 10);
		n /= 10;
	}
	do {
		if (fprintf(f, "%d", l[--i]) < 0)
			return -1;
	} while (i != 0);
	if (fprintf(f, " ") < 0)
		return -1;
	return 0;
}
		]], [[
	FILE *f;
	long long i, llmin, llmax = 0;

	if((f = fopen(DATA,"w")) == NULL)
		exit(1);

#if defined(LLONG_MIN) && defined(LLONG_MAX)
	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
	llmin = LLONG_MIN;
	llmax = LLONG_MAX;
#else
	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
	/* This will work on one's complement and two's complement */
	for (i = 1; i > llmax; i <<= 1, i++)
		llmax = i;
	llmin = llmax + 1LL;	/* wrap */
#endif

	/* Sanity check */
	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
		fprintf(f, "unknown unknown\n");
		exit(2);
	}

	if (fprint_ll(f, llmin) < 0)
		exit(3);
	if (fprint_ll(f, llmax) < 0)
		exit(4);
	if (fclose(f) < 0)
		exit(5);
	exit(0);
		]])],
		[
			llong_min=`$AWK '{print $1}' conftest.llminmax`
			llong_max=`$AWK '{print $2}' conftest.llminmax`

			AC_MSG_RESULT([$llong_max])
			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
			    [max value of long long calculated by configure])
			AC_MSG_CHECKING([for min value of long long])
			AC_MSG_RESULT([$llong_min])
			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
			    [min value of long long calculated by configure])
		],
		[
			AC_MSG_RESULT([not found])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
fi
3782
# Is UINT32_MAX declared by any of the limits or stdint headers present?
AC_CHECK_DECLS([UINT32_MAX], [], [], [[
#ifdef HAVE_SYS_LIMITS_H
# include <sys/limits.h>
#endif
#ifdef HAVE_LIMITS_H
# include <limits.h>
#endif
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
]])
3794
# More checks for data types
# Does <sys/types.h> provide u_int?  The answer is cached in ac_cv_have_u_int.
AC_CACHE_CHECK([for u_int type], [ac_cv_have_u_int], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_int a; a = 1;]])],
		[ac_cv_have_u_int="yes"],
		[ac_cv_have_u_int="no"])
])
if test "x$ac_cv_have_u_int" = "xyes" ; then
	have_u_int=1
	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
fi
3806
# intXX_t: look in <sys/types.h> first and fall back to <stdint.h>.
AC_CACHE_CHECK([for intXX_t types], [ac_cv_have_intxx_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[ac_cv_have_intxx_t="yes"],
		[ac_cv_have_intxx_t="no"])
])
if test "x$ac_cv_have_intxx_t" = "xyes" ; then
	have_intxx_t=1
	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
fi

if test -z "$have_intxx_t" && test "x$ac_cv_header_stdint_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t types in stdint.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdint.h> ]],
		    [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_INTXX_T])
		],
		[AC_MSG_RESULT([no])])
fi
3830
# int64_t may come from any of several headers; the test includes each one
# that is present.
AC_CACHE_CHECK([for int64_t type], [ac_cv_have_int64_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <sys/socket.h>
#ifdef HAVE_SYS_BITYPES_H
# include <sys/bitypes.h>
#endif
		]], [[
int64_t a; a = 1;
		]])],
		[ac_cv_have_int64_t="yes"],
		[ac_cv_have_int64_t="no"])
])
if test "x$ac_cv_have_int64_t" = "xyes" ; then
	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
fi
3850
# u_intXX_t: look in <sys/types.h> first and fall back to <sys/socket.h>.
AC_CACHE_CHECK([for u_intXX_t types], [ac_cv_have_u_intxx_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[ac_cv_have_u_intxx_t="yes"],
		[ac_cv_have_u_intxx_t="no"])
])
if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
	have_u_intxx_t=1
	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
fi

if test -z "$have_u_intxx_t" ; then
	AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
		    [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_U_INTXX_T])
		],
		[AC_MSG_RESULT([no])])
fi
3872
# u_int64_t: look in <sys/types.h> first and fall back to <sys/bitypes.h>
# when that header exists.
AC_CACHE_CHECK([for u_int64_t types], [ac_cv_have_u_int64_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_int64_t a; a = 1;]])],
		[ac_cv_have_u_int64_t="yes"],
		[ac_cv_have_u_int64_t="no"])
])
if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
	have_u_int64_t=1
	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
fi

if test -z "$have_u_int64_t" && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
		    [[ u_int64_t a; a = 1]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_U_INT64_T])
		],
		[AC_MSG_RESULT([no])])
fi
3896
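# uintXX_t: tried in <sys/types.h> only when u_intXX_t was not found, then
# in <stdint.h> and <inttypes.h>.  The fallbacks test have_uintxx_t, which
# was never assigned in this section, so they always ran when their header
# existed.  It is now set on each success so that the later probes are
# skipped once the types are known.  HAVE_UINTXX_T ends up defined in the
# same cases as before.
# NOTE(review): confirm nothing outside this section relies on
# have_uintxx_t staying empty.
if test -z "$have_u_intxx_t" ; then
	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
			]], [[
	uint8_t a;
	uint16_t b;
	uint32_t c;
	a = b = c = 1;
			]])],
		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
		])
	])
	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
		AC_DEFINE([HAVE_UINTXX_T], [1],
			[define if you have uintxx_t data type])
		have_uintxx_t=1
	fi
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_stdint_h" = "xyes")
then
    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			have_uintxx_t=1
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_inttypes_h" = "xyes")
then
    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			have_uintxx_t=1
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi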
3941
# Last resort for both families: <sys/bitypes.h>.  The shell gives || and &&
# equal precedence, so the condition reads as "either family is missing, and
# the header exists"; the braces only make that grouping explicit.
if { test -z "$have_u_intxx_t" || test -z "$have_intxx_t" ; } && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
			int8_t a; int16_t b; int32_t c;
			u_int8_t e; u_int16_t f; u_int32_t g;
			a = b = c = e = f = g = 1;
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_DEFINE([HAVE_INTXX_T])
		],
		[AC_MSG_RESULT([no])])
fi
3960
3961
# Does <sys/types.h> provide u_char?
AC_CACHE_CHECK([for u_char], [ac_cv_have_u_char], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_char foo; foo = 125; ]])],
		[ac_cv_have_u_char="yes"],
		[ac_cv_have_u_char="no"])
])
if test "x$ac_cv_have_u_char" = "xyes" ; then
	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
fi
3971
# Widest integer types
AC_CHECK_TYPES([intmax_t, uintmax_t], [], [], [
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
])

# Project macro, not defined in this section (presumably under m4/; confirm).
TYPE_SOCKLEN_T

AC_CHECK_TYPES([sig_atomic_t], [], [], [#include <signal.h>])

# Filesystem block and file count types
AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], [], [], [
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
])

# Optional members of struct statfs
AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
#ifdef HAVE_SYS_VFS_H
#include <sys/vfs.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
]])


# Internet address and port types
AC_CHECK_TYPES([in_addr_t, in_port_t], [], [],
[#include <sys/types.h>
#include <netinet/in.h>])
4019
# size_t and ssize_t from <sys/types.h>, clock_t from <time.h>.  Each result
# is cached and turned into the matching HAVE_ definition.
AC_CACHE_CHECK([for size_t], [ac_cv_have_size_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ size_t foo; foo = 1235; ]])],
		[ac_cv_have_size_t="yes"],
		[ac_cv_have_size_t="no"])
])
if test "x$ac_cv_have_size_t" = "xyes" ; then
	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
fi

AC_CACHE_CHECK([for ssize_t], [ac_cv_have_ssize_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ ssize_t foo; foo = 1235; ]])],
		[ac_cv_have_ssize_t="yes"],
		[ac_cv_have_ssize_t="no"])
])
if test "x$ac_cv_have_ssize_t" = "xyes" ; then
	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
fi

AC_CACHE_CHECK([for clock_t], [ac_cv_have_clock_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <time.h> ]],
		    [[ clock_t foo; foo = 1235; ]])],
		[ac_cv_have_clock_t="yes"],
		[ac_cv_have_clock_t="no"])
])
if test "x$ac_cv_have_clock_t" = "xyes" ; then
	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
fi
4049
# sa_family_t: tried with <sys/socket.h> alone and, if that fails, again with
# <netinet/in.h> added.
AC_CACHE_CHECK([for sa_family_t], [ac_cv_have_sa_family_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ sa_family_t foo; foo = 1235; ]])],
		[ac_cv_have_sa_family_t="yes"],
		[
			AC_COMPILE_IFELSE(
				[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
				]], [[ sa_family_t foo; foo = 1235; ]])],
				[ac_cv_have_sa_family_t="yes"],
				[ac_cv_have_sa_family_t="no"])
		])
])
if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
		[define if you have sa_family_t data type])
fi
4070
# pid_t and mode_t from <sys/types.h>
AC_CACHE_CHECK([for pid_t], [ac_cv_have_pid_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ pid_t foo; foo = 1235; ]])],
		[ac_cv_have_pid_t="yes"],
		[ac_cv_have_pid_t="no"])
])
if test "x$ac_cv_have_pid_t" = "xyes" ; then
	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
fi

AC_CACHE_CHECK([for mode_t], [ac_cv_have_mode_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ mode_t foo; foo = 1235; ]])],
		[ac_cv_have_mode_t="yes"],
		[ac_cv_have_mode_t="no"])
])
if test "x$ac_cv_have_mode_t" = "xyes" ; then
	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
fi
4090
4091
# Socket address structures: struct sockaddr_storage from <sys/socket.h> and
# struct sockaddr_in6 from <netinet/in.h>.
AC_CACHE_CHECK([for struct sockaddr_storage], [ac_cv_have_struct_sockaddr_storage], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; ]])],
		[ac_cv_have_struct_sockaddr_storage="yes"],
		[ac_cv_have_struct_sockaddr_storage="no"])
])
if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
		[define if you have struct sockaddr_storage data type])
fi

AC_CACHE_CHECK([for struct sockaddr_in6], [ac_cv_have_struct_sockaddr_in6], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
		[ac_cv_have_struct_sockaddr_in6="yes"],
		[ac_cv_have_struct_sockaddr_in6="no"])
])
if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
		[define if you have struct sockaddr_in6 data type])
fi
4119
# struct in6_addr; the sin6_scope_id member of struct sockaddr_in6 is only
# looked for when struct in6_addr exists.
AC_CACHE_CHECK([for struct in6_addr], [ac_cv_have_struct_in6_addr], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
		[ac_cv_have_struct_in6_addr="yes"],
		[ac_cv_have_struct_in6_addr="no"])
])
if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
		[define if you have struct in6_addr data type])

dnl Now check for sin6_scope_id
	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], [], [],
		[
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <netinet/in.h>
		])
fi
4142
# struct addrinfo from <netdb.h>; the test also needs AI_PASSIVE to exist.
AC_CACHE_CHECK([for struct addrinfo], [ac_cv_have_struct_addrinfo], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
		[ac_cv_have_struct_addrinfo="yes"],
		[ac_cv_have_struct_addrinfo="no"])
])
if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
		[define if you have struct addrinfo data type])
fi
4157
4158AC_HEADER_TIME
4159
4160AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4161	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4162	[[ struct timeval tv; tv.tv_sec = 1;]])],
4163	[ ac_cv_have_struct_timeval="yes" ],
4164	[ ac_cv_have_struct_timeval="no"
4165	])
4166])
4167if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4168	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4169	have_struct_timeval=1
4170fi
4171
4172AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4173	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4174    #ifdef TIME_WITH_SYS_TIME
4175    # include <sys/time.h>
4176    # include <time.h>
4177    #else
4178    # ifdef HAVE_SYS_TIME_H
4179    #  include <sys/time.h>
4180    # else
4181    #  include <time.h>
4182    # endif
4183    #endif
4184	]],
4185	[[ struct timespec ts; ts.tv_sec = 1;]])],
4186	[ ac_cv_have_struct_timespec="yes" ],
4187	[ ac_cv_have_struct_timespec="no"
4188	])
4189])
4190if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4191	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4192	have_struct_timespec=1
4193fi
4194
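# OpenSSH cannot be built without a 64-bit integer type: stop here when there
# is no int64_t, long is not 8 bytes and long long was not detected.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl Run-time test that snprintf formats the largest signed 64-bit value
dnl correctly (broken on SCO w/gcc).  The test program has to be valid for
dnl current compilers: an implicit-int "main()" is rejected by compilers that
dnl enforce C99, the program then fails to build, and BROKEN_SNPRINTF is
dnl defined on a system whose snprintf is fine.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int
main(void)
{
	char buf[50];
	char expected_out[50];
	int maxsize = 50 ;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, maxsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int
main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)
fi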
4234
4235dnl Checks for structure members
4236OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4237OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4238OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4239OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4240OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4241OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4242OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4243OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4244OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4245OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4246OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4247OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4248OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4249OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4250OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4251OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4252OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4253OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4254
4255AC_CHECK_MEMBERS([struct stat.st_blksize])
4256AC_CHECK_MEMBERS([struct stat.st_mtim])
4257AC_CHECK_MEMBERS([struct stat.st_mtime])
4258AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4259struct passwd.pw_change, struct passwd.pw_expire],
4260[], [], [[
4261#include <sys/types.h>
4262#include <pwd.h>
4263]])
4264
4265AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4266	[Define if we don't have struct __res_state in resolv.h])],
4267[[
4268#include <stdio.h>
4269#if HAVE_SYS_TYPES_H
4270# include <sys/types.h>
4271#endif
4272#include <netinet/in.h>
4273#include <arpa/nameser.h>
4274#include <resolv.h>
4275]])
4276
4277AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4278		ac_cv_have_ss_family_in_struct_ss, [
4279	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4280#include <sys/types.h>
4281#include <sys/socket.h>
4282		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4283	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4284	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4285])
4286if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4287	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4288fi
4289
4290AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4291		ac_cv_have___ss_family_in_struct_ss, [
4292	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4293#include <sys/types.h>
4294#include <sys/socket.h>
4295		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4296	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4297	[ ac_cv_have___ss_family_in_struct_ss="no"
4298	])
4299])
4300if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4301	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4302		[Fields in struct sockaddr_storage])
4303fi
4304
4305dnl make sure we're using the real structure members and not defines
4306AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4307		ac_cv_have_accrights_in_msghdr, [
4308	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4309#include <sys/types.h>
4310#include <sys/socket.h>
4311#include <sys/uio.h>
4312#include <stdlib.h>
4313		]], [[
4314#ifdef msg_accrights
4315#error "msg_accrights is a macro"
4316exit(1);
4317#endif
4318struct msghdr m;
4319m.msg_accrights = 0;
4320exit(0);
4321		]])],
4322		[ ac_cv_have_accrights_in_msghdr="yes" ],
4323		[ ac_cv_have_accrights_in_msghdr="no" ]
4324	)
4325])
4326if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4327	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4328		[Define if your system uses access rights style
4329		file descriptor passing])
4330fi
4331
4332AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4333AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4334#include <sys/param.h>
4335#include <sys/stat.h>
4336#ifdef HAVE_SYS_TIME_H
4337# include <sys/time.h>
4338#endif
4339#ifdef HAVE_SYS_MOUNT_H
4340#include <sys/mount.h>
4341#endif
4342#ifdef HAVE_SYS_STATVFS_H
4343#include <sys/statvfs.h>
4344#endif
4345	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4346	[ AC_MSG_RESULT([yes]) ],
4347	[ AC_MSG_RESULT([no])
4348
4349	AC_MSG_CHECKING([if fsid_t has member val])
4350	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4351#include <sys/types.h>
4352#include <sys/statvfs.h>
4353	]], [[ fsid_t t; t.val[0] = 0; ]])],
4354	[ AC_MSG_RESULT([yes])
4355	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4356	[ AC_MSG_RESULT([no]) ])
4357
4358	AC_MSG_CHECKING([if f_fsid has member __val])
4359	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4360#include <sys/types.h>
4361#include <sys/statvfs.h>
4362	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4363	[ AC_MSG_RESULT([yes])
4364	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4365	[ AC_MSG_RESULT([no]) ])
4366])
4367
4368AC_CACHE_CHECK([for msg_control field in struct msghdr],
4369		ac_cv_have_control_in_msghdr, [
4370	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4371#include <sys/types.h>
4372#include <sys/socket.h>
4373#include <sys/uio.h>
4374#include <stdlib.h>
4375		]], [[
4376#ifdef msg_control
4377#error "msg_control is a macro"
4378exit(1);
4379#endif
4380struct msghdr m;
4381m.msg_control = 0;
4382exit(0);
4383		]])],
4384		[ ac_cv_have_control_in_msghdr="yes" ],
4385		[ ac_cv_have_control_in_msghdr="no" ]
4386	)
4387])
4388if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4389	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4390		[Define if your system uses ancillary data style
4391		file descriptor passing])
4392fi
4393
4394AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4395	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4396		[[ extern char *__progname; printf("%s", __progname); ]])],
4397	[ ac_cv_libc_defines___progname="yes" ],
4398	[ ac_cv_libc_defines___progname="no"
4399	])
4400])
4401if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4402	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4403fi
4404
4405AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4406	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4407		[[ printf("%s", __FUNCTION__); ]])],
4408	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4409	[ ac_cv_cc_implements___FUNCTION__="no"
4410	])
4411])
4412if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4413	AC_DEFINE([HAVE___FUNCTION__], [1],
4414		[Define if compiler implements __FUNCTION__])
4415fi
4416
4417AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4418	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4419		[[ printf("%s", __func__); ]])],
4420	[ ac_cv_cc_implements___func__="yes" ],
4421	[ ac_cv_cc_implements___func__="no"
4422	])
4423])
4424if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4425	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4426fi
4427
4428AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4429	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4430#include <stdarg.h>
4431va_list x,y;
4432		]], [[ va_copy(x,y); ]])],
4433	[ ac_cv_have_va_copy="yes" ],
4434	[ ac_cv_have_va_copy="no"
4435	])
4436])
4437if test "x$ac_cv_have_va_copy" = "xyes" ; then
4438	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4439fi
4440
4441AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4442	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4443#include <stdarg.h>
4444va_list x,y;
4445		]], [[ __va_copy(x,y); ]])],
4446	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4447	])
4448])
4449if test "x$ac_cv_have___va_copy" = "xyes" ; then
4450	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4451fi
4452
4453AC_CACHE_CHECK([whether getopt has optreset support],
4454		ac_cv_have_getopt_optreset, [
4455	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4456		[[ extern int optreset; optreset = 0; ]])],
4457	[ ac_cv_have_getopt_optreset="yes" ],
4458	[ ac_cv_have_getopt_optreset="no"
4459	])
4460])
4461if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4462	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4463		[Define if your getopt(3) defines and uses optreset])
4464fi
4465
4466AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4467	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4468[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4469	[ ac_cv_libc_defines_sys_errlist="yes" ],
4470	[ ac_cv_libc_defines_sys_errlist="no"
4471	])
4472])
4473if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4474	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4475		[Define if your system defines sys_errlist[]])
4476fi
4477
4478
4479AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4480	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4481[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4482	[ ac_cv_libc_defines_sys_nerr="yes" ],
4483	[ ac_cv_libc_defines_sys_nerr="no"
4484	])
4485])
4486if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4487	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4488fi
4489
4490# Check libraries needed by DNS fingerprint support
4491AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4492	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4493		[Define if getrrsetbyname() exists])],
4494	[
4495		# Needed by our getrrsetbyname()
4496		AC_SEARCH_LIBS([res_query], [resolv])
4497		AC_SEARCH_LIBS([dn_expand], [resolv])
4498		AC_MSG_CHECKING([if res_query will link])
4499		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4500#include <sys/types.h>
4501#include <netinet/in.h>
4502#include <arpa/nameser.h>
4503#include <netdb.h>
4504#include <resolv.h>
4505				]], [[
4506	res_query (0, 0, 0, 0, 0);
4507				]])],
4508		    AC_MSG_RESULT([yes]),
4509		   [AC_MSG_RESULT([no])
4510		    saved_LIBS="$LIBS"
4511		    LIBS="$LIBS -lresolv"
4512		    AC_MSG_CHECKING([for res_query in -lresolv])
4513		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4514#include <sys/types.h>
4515#include <netinet/in.h>
4516#include <arpa/nameser.h>
4517#include <netdb.h>
4518#include <resolv.h>
4519				]], [[
4520	res_query (0, 0, 0, 0, 0);
4521				]])],
4522			[AC_MSG_RESULT([yes])],
4523			[LIBS="$saved_LIBS"
4524			 AC_MSG_RESULT([no])])
4525		    ])
4526		AC_CHECK_FUNCS([_getshort _getlong])
4527		AC_CHECK_DECLS([_getshort, _getlong], , ,
4528		    [#include <sys/types.h>
4529		    #include <arpa/nameser.h>])
4530		AC_CHECK_MEMBER([HEADER.ad],
4531			[AC_DEFINE([HAVE_HEADER_AD], [1],
4532			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4533			[#include <arpa/nameser.h>])
4534	])
4535
4536AC_MSG_CHECKING([if struct __res_state _res is an extern])
4537AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4538#include <stdio.h>
4539#if HAVE_SYS_TYPES_H
4540# include <sys/types.h>
4541#endif
4542#include <netinet/in.h>
4543#include <arpa/nameser.h>
4544#include <resolv.h>
4545extern struct __res_state _res;
4546		]], [[
4547struct __res_state *volatile p = &_res;  /* force resolution of _res */
4548return 0;
4549		]],)],
4550		[AC_MSG_RESULT([yes])
4551		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4552		    [Define if you have struct __res_state _res as an extern])
4553		],
4554		[ AC_MSG_RESULT([no]) ]
4555)
4556
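# Check whether user wants SELinux support
# With --with-selinux the header and the library are both mandatory: configure
# stops with an error rather than producing a build without the requested
# SELinux support.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[ if test "x$withval" != "xno" ; then
		save_LIBS="$LIBS"
		AC_DEFINE([WITH_SELINUX], [1],
			[Define if you want SELinux support.])
		SELINUX_MSG="yes"
		AC_CHECK_HEADER([selinux/selinux.h], ,
			[AC_MSG_ERROR([SELinux support requires selinux.h header])])
		AC_CHECK_LIB([selinux], [setexeccon],
			[ LIBSELINUX="-lselinux"
			  LIBS="$LIBS -lselinux"
			],
			[AC_MSG_ERROR([SELinux support requires libselinux library])])
		# Probed while -lselinux is on LIBS.
		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
		LIBS="$save_LIBS $LIBSELINUX"
	fi ]
)
AC_SUBST([SSHDLIBS])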
4579
4580# Check whether user wants Kerberos 5 support
4581KRB5_MSG="no"
4582AC_ARG_WITH([kerberos5],
4583	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4584	[ if test "x$withval" != "xno" ; then
4585		if test "x$withval" = "xyes" ; then
4586			KRB5ROOT="/usr/local"
4587		else
4588			KRB5ROOT=${withval}
4589		fi
4590
4591		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4592		KRB5_MSG="yes"
4593
4594		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4595			     [$KRB5ROOT/bin/krb5-config],
4596			     [$KRB5ROOT/bin:$PATH])
4597		if test -x $KRB5CONF ; then
4598			K5CFLAGS="`$KRB5CONF --cflags`"
4599			K5LIBS="`$KRB5CONF --libs`"
4600			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4601
4602			AC_MSG_CHECKING([for gssapi support])
4603			if $KRB5CONF | grep gssapi >/dev/null ; then
4604				AC_MSG_RESULT([yes])
4605				AC_DEFINE([GSSAPI], [1],
4606					[Define this if you want GSSAPI
4607					support in the version 2 protocol])
4608				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4609				GSSLIBS="`$KRB5CONF --libs gssapi`"
4610				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4611			else
4612				AC_MSG_RESULT([no])
4613			fi
4614			AC_MSG_CHECKING([whether we are using Heimdal])
4615			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4616				]], [[ char *tmp = heimdal_version; ]])],
4617				[ AC_MSG_RESULT([yes])
4618				AC_DEFINE([HEIMDAL], [1],
4619				[Define this if you are using the Heimdal
4620				version of Kerberos V5]) ],
4621				[AC_MSG_RESULT([no])
4622			])
4623		else
4624			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4625			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4626			AC_MSG_CHECKING([whether we are using Heimdal])
4627			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4628				]], [[ char *tmp = heimdal_version; ]])],
4629					[ AC_MSG_RESULT([yes])
4630					 AC_DEFINE([HEIMDAL])
4631					 K5LIBS="-lkrb5"
4632					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4633					 AC_CHECK_LIB([roken], [net_write],
4634					   [K5LIBS="$K5LIBS -lroken"])
4635					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4636					   [K5LIBS="$K5LIBS -ldes"])
4637				       ], [ AC_MSG_RESULT([no])
4638					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4639			])
4640			AC_SEARCH_LIBS([dn_expand], [resolv])
4641
4642			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4643				[ AC_DEFINE([GSSAPI])
4644				  GSSLIBS="-lgssapi_krb5" ],
4645				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4646					[ AC_DEFINE([GSSAPI])
4647					  GSSLIBS="-lgssapi" ],
4648					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4649						[ AC_DEFINE([GSSAPI])
4650						  GSSLIBS="-lgss" ],
4651						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4652					])
4653				])
4654
4655			AC_CHECK_HEADER([gssapi.h], ,
4656				[ unset ac_cv_header_gssapi_h
4657				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4658				  AC_CHECK_HEADERS([gssapi.h], ,
4659					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4660				  )
4661				]
4662			)
4663
4664			oldCPP="$CPPFLAGS"
4665			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4666			AC_CHECK_HEADER([gssapi_krb5.h], ,
4667					[ CPPFLAGS="$oldCPP" ])
4668
4669		fi
4670		if test -n "${rpath_opt}" ; then
4671			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4672		fi
4673		if test ! -z "$blibpath" ; then
4674			blibpath="$blibpath:${KRB5ROOT}/lib"
4675		fi
4676
4677		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4678		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4679		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4680
4681		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4682			[Define this if you want to use libkafs' AFS support])])
4683
4684		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4685#ifdef HAVE_GSSAPI_H
4686# include <gssapi.h>
4687#elif defined(HAVE_GSSAPI_GSSAPI_H)
4688# include <gssapi/gssapi.h>
4689#endif
4690
4691#ifdef HAVE_GSSAPI_GENERIC_H
4692# include <gssapi_generic.h>
4693#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4694# include <gssapi/gssapi_generic.h>
4695#endif
4696		]])
4697		saved_LIBS="$LIBS"
4698		LIBS="$LIBS $K5LIBS"
4699		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4700		LIBS="$saved_LIBS"
4701
4702	fi
4703	]
4704)
4705AC_SUBST([GSSLIBS])
4706AC_SUBST([K5LIBS])
4707
4708# Looking for programs, paths and files
4709
# Path for the privilege separation chroot.  It stays /var/empty unless
# --with-privsep-path names a real path: an empty value, "yes" and "no" are
# ignored.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		case "x${withval}" in
		x|xno|xyes)
			;;
		*)
			PRIVSEP_PATH=$withval
			;;
		esac
	]
)
AC_SUBST([PRIVSEP_PATH])
4721
4722AC_ARG_WITH([xauth],
4723	[  --with-xauth=PATH       Specify path to xauth program ],
4724	[
4725		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4726		    test "x${withval}" != "xyes"; then
4727			xauth_path=$withval
4728		fi
4729	],
4730	[
4731		TestPath="$PATH"
4732		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4733		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4734		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4735		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4736		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4737		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4738			xauth_path="/usr/openwin/bin/xauth"
4739		fi
4740	]
4741)
4742
4743STRIP_OPT=-s
4744AC_ARG_ENABLE([strip],
4745	[  --disable-strip         Disable calling strip(1) on install],
4746	[
4747		if test "x$enableval" = "xno" ; then
4748			STRIP_OPT=
4749		fi
4750	]
4751)
4752AC_SUBST([STRIP_OPT])
4753
4754if test -z "$xauth_path" ; then
4755	XAUTH_PATH="undefined"
4756	AC_SUBST([XAUTH_PATH])
4757else
4758	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4759		[Define if xauth is found in your path])
4760	XAUTH_PATH=$xauth_path
4761	AC_SUBST([XAUTH_PATH])
4762fi
4763
4764dnl # --with-maildir=/path/to/mail gets top priority.
4765dnl # if maildir is set in the platform case statement above we use that.
4766dnl # Otherwise we run a program to get the dir from system headers.
4767dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4768dnl # If we find _PATH_MAILDIR we do nothing because that is what
4769dnl # session.c expects anyway. Otherwise we set to the value found
4770dnl # stripping any trailing slash. If for some strange reason our program
4771dnl # does not find what it needs, we default to /var/spool/mail.
4772# Check for mail directory
4773AC_ARG_WITH([maildir],
4774    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4775    [
4776	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4777	    test "x${withval}" != xyes; then
4778		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4779            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4780	    fi
4781     ],[
4782	if test "X$maildir" != "X"; then
4783	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4784	else
4785	    AC_MSG_CHECKING([Discovering system mail directory])
4786	    AC_RUN_IFELSE(
4787		[AC_LANG_PROGRAM([[
4788#include <stdio.h>
4789#include <stdlib.h>
4790#include <string.h>
4791#ifdef HAVE_PATHS_H
4792#include <paths.h>
4793#endif
4794#ifdef HAVE_MAILLOCK_H
4795#include <maillock.h>
4796#endif
4797#define DATA "conftest.maildir"
4798	]], [[
4799	FILE *fd;
4800	int rc;
4801
4802	fd = fopen(DATA,"w");
4803	if(fd == NULL)
4804		exit(1);
4805
4806#if defined (_PATH_MAILDIR)
4807	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4808		exit(1);
4809#elif defined (MAILDIR)
4810	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4811		exit(1);
4812#elif defined (_PATH_MAIL)
4813	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4814		exit(1);
4815#else
4816	exit (2);
4817#endif
4818
4819	exit(0);
4820		]])],
4821		[
4822		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4823		    maildir=`awk -F: '{print $2}' conftest.maildir \
4824			| sed 's|/$||'`
4825		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4826		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4827			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4828		    fi
4829		],
4830		[
4831		    if test "X$ac_status" = "X2";then
4832# our test program didn't find it. Default to /var/spool/mail
4833			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4834			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4835		     else
4836			AC_MSG_RESULT([*** not found ***])
4837		     fi
4838		],
4839		[
4840			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4841		]
4842	    )
4843	fi
4844    ]
4845) # maildir
4846
4847if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4848	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4849	disable_ptmx_check=yes
4850fi
4851if test -z "$no_dev_ptmx" ; then
4852	if test "x$disable_ptmx_check" != "xyes" ; then
4853		AC_CHECK_FILE(["/dev/ptmx"],
4854			[
4855				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4856					[Define if you have /dev/ptmx])
4857				have_dev_ptmx=1
4858			]
4859		)
4860	fi
4861fi
4862
4863if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4864	AC_CHECK_FILE(["/dev/ptc"],
4865		[
4866			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4867				[Define if you have /dev/ptc])
4868			have_dev_ptc=1
4869		]
4870	)
4871else
4872	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4873fi
4874
4875# Options from here on. Some of these are preset by platform above
4876AC_ARG_WITH([mantype],
4877	[  --with-mantype=man|cat|doc  Set man page type],
4878	[
4879		case "$withval" in
4880		man|cat|doc)
4881			MANTYPE=$withval
4882			;;
4883		*)
4884			AC_MSG_ERROR([invalid man type: $withval])
4885			;;
4886		esac
4887	]
4888)
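# No man page type was chosen with --with-mantype: probe the formatters that
# were found.  Each probe is skipped when its formatter variable is empty;
# otherwise the shell takes the next word as the command, i.e. it tries to
# execute ${srcdir}/ssh.1 itself (empty MANDOC) or "-mdoc" / "-man" (empty
# NROFF).
if test -z "$MANTYPE"; then
	if test -n "${MANDOC}" && \
	    ${MANDOC} "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi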
4900AC_SUBST([MANTYPE])
4901if test "$MANTYPE" = "doc"; then
4902	mansubdir=man;
4903else
4904	mansubdir=$MANTYPE;
4905fi
4906AC_SUBST([mansubdir])
4907
4908# Check whether to enable MD5 passwords
4909MD5_MSG="no"
4910AC_ARG_WITH([md5-passwords],
4911	[  --with-md5-passwords    Enable use of MD5 passwords],
4912	[
4913		if test "x$withval" != "xno" ; then
4914			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4915				[Define if you want to allow MD5 passwords])
4916			MD5_MSG="yes"
4917		fi
4918	]
4919)
4920
4921# Whether to disable shadow password support
4922AC_ARG_WITH([shadow],
4923	[  --without-shadow        Disable shadow password support],
4924	[
4925		if test "x$withval" = "xno" ; then
4926			AC_DEFINE([DISABLE_SHADOW])
4927			disable_shadow=yes
4928		fi
4929	]
4930)
4931
4932if test -z "$disable_shadow" ; then
4933	AC_MSG_CHECKING([if the systems has expire shadow information])
4934	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4935#include <sys/types.h>
4936#include <shadow.h>
4937struct spwd sp;
4938		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4939		[ sp_expire_available=yes ], [
4940	])
4941
4942	if test "x$sp_expire_available" = "xyes" ; then
4943		AC_MSG_RESULT([yes])
4944		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4945		    [Define if you want to use shadow password expire field])
4946	else
4947		AC_MSG_RESULT([no])
4948	fi
4949fi
4950
4951# Use ip address instead of hostname in $DISPLAY
4952if test ! -z "$IPADDR_IN_DISPLAY" ; then
4953	DISPLAY_HACK_MSG="yes"
4954	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4955		[Define if you need to use IP address
4956		instead of hostname in $DISPLAY])
4957else
4958	DISPLAY_HACK_MSG="no"
4959	AC_ARG_WITH([ipaddr-display],
4960		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4961		[
4962			if test "x$withval" != "xno" ; then
4963				AC_DEFINE([IPADDR_IN_DISPLAY])
4964				DISPLAY_HACK_MSG="yes"
4965			fi
4966		]
4967	)
4968fi
4969
4970# check for /etc/default/login and use it if present.
4971AC_ARG_ENABLE([etc-default-login],
4972	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4973	[ if test "x$enableval" = "xno"; then
4974		AC_MSG_NOTICE([/etc/default/login handling disabled])
4975		etc_default_login=no
4976	  else
4977		etc_default_login=yes
4978	  fi ],
4979	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4980	  then
4981		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4982		etc_default_login=no
4983	  else
4984		etc_default_login=yes
4985	  fi ]
4986)
4987
4988if test "x$etc_default_login" != "xno"; then
4989	AC_CHECK_FILE(["/etc/default/login"],
4990	    [ external_path_file=/etc/default/login ])
4991	if test "x$external_path_file" = "x/etc/default/login"; then
4992		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4993			[Define if your system has /etc/default/login])
4994	fi
4995fi
4996
4997dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
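# Both cache variables are compared quoted and with the usual "x" prefix, so
# an unset or empty value is a plain mismatch instead of a test(1) syntax
# error that leaves external_path_file unset by accident.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi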
5002
5003# Whether to mess with the default path
5004SERVER_PATH_MSG="(default)"
5005AC_ARG_WITH([default-path],
5006	[  --with-default-path=    Specify default $PATH environment for server],
5007	[
5008		if test "x$external_path_file" = "x/etc/login.conf" ; then
5009			AC_MSG_WARN([
5010--with-default-path=PATH has no effect on this system.
5011Edit /etc/login.conf instead.])
5012		elif test "x$withval" != "xno" ; then
5013			if test ! -z "$external_path_file" ; then
5014				AC_MSG_WARN([
5015--with-default-path=PATH will only be used if PATH is not defined in
5016$external_path_file .])
5017			fi
5018			user_path="$withval"
5019			SERVER_PATH_MSG="$withval"
5020		fi
5021	],
5022	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
5023		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
5024	else
5025		if test ! -z "$external_path_file" ; then
5026			AC_MSG_WARN([
5027If PATH is defined in $external_path_file, ensure the path to scp is included,
5028otherwise scp will not work.])
5029		fi
5030		AC_RUN_IFELSE(
5031			[AC_LANG_PROGRAM([[
5032/* find out what STDPATH is */
5033#include <stdio.h>
5034#include <stdlib.h>
5035#ifdef HAVE_PATHS_H
5036# include <paths.h>
5037#endif
5038#ifndef _PATH_STDPATH
5039# ifdef _PATH_USERPATH	/* Irix */
5040#  define _PATH_STDPATH _PATH_USERPATH
5041# else
5042#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5043# endif
5044#endif
5045#include <sys/types.h>
5046#include <sys/stat.h>
5047#include <fcntl.h>
5048#define DATA "conftest.stdpath"
5049			]], [[
5050	FILE *fd;
5051	int rc;
5052
5053	fd = fopen(DATA,"w");
5054	if(fd == NULL)
5055		exit(1);
5056
5057	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5058		exit(1);
5059
5060	exit(0);
5061		]])],
5062		[ user_path=`cat conftest.stdpath` ],
5063		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5064		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5065	)
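# make sure $bindir is in USER_PATH so scp will work
		t_bindir="${bindir}"
		# Expand nested variable references and the NONE placeholder until
		# a literal directory is left.
		while echo "${t_bindir}" | $EGREP '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole PATH components as literal strings.  A grep for the
		# bare directory also matches a longer entry that merely starts with
		# it and treats dots in the directory as wildcards.  The compiled-in
		# default PATH could then be left without the install directory.
		case ":${user_path}:" in
		*":${t_bindir}:"*)
			;;
		*)
			user_path=$user_path:$t_bindir
			AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			;;
		esac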
5085	fi ]
5086)
5087if test "x$external_path_file" != "x/etc/login.conf" ; then
5088	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5089	AC_SUBST([user_path])
5090fi
5091
5092# Set superuser path separately to user path
5093AC_ARG_WITH([superuser-path],
5094	[  --with-superuser-path=  Specify different path for super-user],
5095	[
5096		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5097		    test "x${withval}" != "xyes"; then
5098			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5099				[Define if you want a different $PATH
5100				for the superuser])
5101			superuser_path=$withval
5102		fi
5103	]
5104)
5105
5106
5107AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5108IPV4_IN6_HACK_MSG="no"
5109AC_ARG_WITH(4in6,
5110	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5111	[
5112		if test "x$withval" != "xno" ; then
5113			AC_MSG_RESULT([yes])
5114			AC_DEFINE([IPV4_IN_IPV6], [1],
5115				[Detect IPv4 in IPv6 mapped addresses
5116				and treat as IPv4])
5117			IPV4_IN6_HACK_MSG="yes"
5118		else
5119			AC_MSG_RESULT([no])
5120		fi
5121	], [
5122		if test "x$inet6_default_4in6" = "xyes"; then
5123			AC_MSG_RESULT([yes (default)])
5124			AC_DEFINE([IPV4_IN_IPV6])
5125			IPV4_IN6_HACK_MSG="yes"
5126		else
5127			AC_MSG_RESULT([no (default)])
5128		fi
5129	]
5130)
5131
# Whether to enable BSD auth support
dnl Off unless --with-bsd-auth is given with any value other than no.
dnl BSD_AUTH_MSG is reported in the configuration summary.
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[
		case "x$withval" in
		xno)
			;;
		*)
			AC_DEFINE([BSD_AUTH], [1],
				[Define if you have BSD auth support])
			BSD_AUTH_MSG=yes
			;;
		esac
	]
)
5144
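# Where to place sshd.pid
piddir=/var/run
# make sure the directory exists
if test ! -d "$piddir" ; then
	dnl Fall back to sysconfdir. A leading NONE/ is replaced with the
	dnl default prefix.
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi

dnl --with-pid-dir overrides the default above. Empty, yes and no are ignored.
dnl NOTE(review): the directory is only tested for existence. Its owner and
dnl mode are not inspected here, so check them on the target host.
AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			dnl Quoted so that a path holding whitespace or glob characters is
			dnl tested as one operand and the warning is not silently skipped.
			if test ! -d "$piddir" ; then
				AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)

AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])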
5171
dnl allow user to disable some login recording features
dnl Each switch acts only on an explicit --disable form and then defines the
dnl matching DISABLE_ macro. Any other value leaves detection untouched.
dnl NOTE(review): presumably a build with these set writes fewer login
dnl records, so note the choice where audit requirements are tracked.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_LASTLOG])
			;;
		esac
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMP])
			;;
		esac
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMP])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_LOGIN])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
			;;
		esac
	]
)
dnl --without-lastlog defines DISABLE_LASTLOG. A value other than yes or the
dnl empty string is stored as the lastlog location for the checks below.
AC_ARG_WITH([lastlog],
	[  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		case "x$withval" in
		xno)
			AC_DEFINE([DISABLE_LASTLOG])
			;;
		x|xyes)
			;;
		*)
			conf_lastlog_location=$withval
			;;
		esac
	]
)
5253
dnl lastlog, [uw]tmpx? detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog and [uw]tmp are subject to a file search if all else fails

dnl lastlog detection
dnl  NOTE: the code itself will detect if lastlog is a directory
dnl Two compile probes run in order, LASTLOG_FILE and then _PATH_LASTLOG.
dnl system_lastlog_path is set to no only when both fail to compile.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
			]], [[ char *lastlog = _PATH_LASTLOG; ]])],
			[AC_MSG_RESULT([yes])],
			[
				AC_MSG_RESULT([no])
				system_lastlog_path=no
			])
	])
5295
dnl With no configured location and no header-provided path, probe the
dnl usual places. The loop has no break, so the last existing candidate in
dnl the list is the one kept.
if test -z "$conf_lastlog_location" && test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		AC_MSG_WARN([** Cannot find lastlog **])
		dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
	fi
fi

dnl Export whichever location was configured or found.
if test "x$conf_lastlog_location" != "x"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5314
dnl utmp detection
dnl Compile probe for UTMP_FILE. On failure system_utmp_path becomes no.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		system_utmp_path=no
	])
dnl No configured location and no header path: search known files, keeping
dnl the last one that exists. If none exists utmp use is disabled.
if test -z "$conf_utmp_location" && test x"$system_utmp_path" = x"no" ; then
	for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
		if test -f "$f" ; then
			conf_utmp_location=$f
		fi
	done
	if test -z "$conf_utmp_location"; then
		AC_DEFINE([DISABLE_UTMP])
	fi
fi
if test "x$conf_utmp_location" != "x"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi
5344
dnl wtmp detection
dnl Compile probe for WTMP_FILE. On failure system_wtmp_path becomes no.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		system_wtmp_path=no
	])
dnl No configured location and no header path: search known files, keeping
dnl the last one that exists. If none exists wtmp use is disabled.
if test -z "$conf_wtmp_location" && test x"$system_wtmp_path" = x"no" ; then
	for f in /usr/adm/wtmp /var/log/wtmp; do
		if test -f "$f" ; then
			conf_wtmp_location=$f
		fi
	done
	if test -z "$conf_wtmp_location"; then
		AC_DEFINE([DISABLE_WTMP])
	fi
fi
if test "x$conf_wtmp_location" != "x"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi
5374
dnl wtmpx detection
dnl Compile probe for WTMPX_FILE. On failure system_wtmpx_path becomes no.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		system_wtmpx_path=no
	])
dnl No file search is done for wtmpx. A configured location is exported,
dnl otherwise a failed probe disables wtmpx use.
if test -n "$conf_wtmpx_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
elif test x"$system_wtmpx_path" = x"no" ; then
	AC_DEFINE([DISABLE_WTMPX])
fi
5399
5400
dnl When blibpath was set earlier, append it with its flag to LDFLAGS and
dnl ask the builder to review the result in the generated Makefile.
if test -n "$blibpath" ; then
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
5405
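dnl Without a usable ll_line member in struct lastlog, lastlog support is
dnl turned off unless SKIP_DISABLE_LASTLOG_DEFINE is yes. The variable is
dnl quoted so an unexpected value with whitespace cannot break the test.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
	if test "x$SKIP_DISABLE_LASTLOG_DEFINE" != "xyes" ; then
		AC_DEFINE([DISABLE_LASTLOG])
	fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])

dnl Without a usable ut_line member in struct utmp, both utmp and wtmp
dnl support are turned off.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])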
5442
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
CFLAGS="$CFLAGS $werror_flags"

dnl TEST_SSH_IPV6 is yes only when getaddrinfo was found and
dnl BROKEN_GETADDRINFO is not declared.
if test "x$ac_cv_func_getaddrinfo" = "xyes" ; then
	TEST_SSH_IPV6=yes
else
	TEST_SSH_IPV6=no
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
dnl NOTE(review): srcdir is unquoted here, so a source path containing
dnl whitespace would make the cat fail and leave DEPEND empty.
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])

dnl Flags the builder asked to have appended last.
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
dnl Each sed removes only the first occurrence that follows a space. A flag
dnl at the very start of the string, or a repeated one, stays in the copy.
CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])

dnl Register the files to generate and write them out.
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
	survey.sh])
AC_OUTPUT
5473
# Print summary of options

# Someone please show me a better way :)
dnl A directory variable may still contain references to other variables,
dnl so each one is passed through eval twice before being printed.
dnl NOTE(review): eval re-parses the value as shell input. These values
dnl must therefore come only from whoever runs configure.
A=`eval echo ${prefix}`
A=`eval echo ${A}`
B=`eval echo ${bindir}`
B=`eval echo ${B}`
C=`eval echo ${sbindir}`
C=`eval echo ${C}`
D=`eval echo ${sysconfdir}`
D=`eval echo ${D}`
E=`eval echo ${libexecdir}/ssh-askpass`
E=`eval echo ${E}`
F=`eval echo ${mandir}/${mansubdir}X`
F=`eval echo ${F}`
G=`eval echo ${piddir}`
G=`eval echo ${G}`
H=`eval echo ${PRIVSEP_PATH}`
H=`eval echo ${H}`
I=`eval echo ${user_path}`
I=`eval echo ${I}`
J=`eval echo ${superuser_path}`
J=`eval echo ${J}`
5487
dnl Human-readable summary of the configuration. Installation paths first,
dnl then feature switches, then the toolchain settings.
dnl NOTE(review): the PATH, random number source and sandbox style lines
dnl are the ones worth checking when a build log is reviewed.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
if test "x$external_path_file" = "x/etc/login.conf" ; then
	echo "   At runtime, sshd will use the path defined in $external_path_file"
	echo "   Make sure the path to scp is present, otherwise scp will not work"
else
	echo "            sshd default user PATH: $I"
	if test -n "$external_path_file"; then
		echo "   (If PATH is set in $external_path_file it will be used instead. If"
		echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
if test -n "$superuser_path" ; then
	echo "          sshd superuser user PATH: $J"
fi
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"

echo ""

echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
if test -n "${SSHDLIBS}"; then
	echo "         +for sshd: ${SSHDLIBS}"
fi

echo ""
5542
dnl Closing notices. Each is printed only when the matching condition was
dnl recorded earlier in the run.
case "x$MAKE_PACKAGE_SUPPORTED" in
xyes)
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
	;;
esac

case "x$PAM_MSG" in
xyes)
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
	;;
esac

dnl Printed when no peer credential facility was found for ssh-agent.
if test -n "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
5570