xref: /openssh-portable/configure.ac (revision e5591161)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADERS([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25AC_PROG_CC_C99
26
27# XXX relax this after reimplementing logit() etc.
28if test "x$ac_cv_prog_cc_c99" = "xno" ; then
29	AC_MSG_ERROR([*** OpenSSH requires a C99 capable compiler ***])
30fi
31
32# Checks for programs.
33AC_PROG_AWK
34AC_PROG_CPP
35AC_PROG_RANLIB
36AC_PROG_INSTALL
37AC_PROG_EGREP
38AC_PROG_MKDIR_P
39AC_CHECK_TOOLS([AR], [ar])
40AC_PATH_PROG([CAT], [cat])
41AC_PATH_PROG([KILL], [kill])
42AC_PATH_PROG([SED], [sed])
43AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
44AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
45AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
46AC_PATH_PROG([SH], [sh])
47AC_PATH_PROG([GROFF], [groff])
48AC_PATH_PROG([NROFF], [nroff awf])
49AC_PATH_PROG([MANDOC], [mandoc])
50AC_SUBST([TEST_SHELL], [sh])
51
dnl Choose the formatter used to build the "cat" format manual pages.
dnl Precedence is mandoc, then nroff, then groff: each later assignment
dnl below overrides the earlier one.
MANFMT=""
test "x$GROFF" != "x" && MANFMT="$GROFF -mandoc -Tascii"
test "x$NROFF" != "x" && MANFMT="$NROFF -mandoc"
test "x$MANDOC" != "x" && MANFMT="$MANDOC"
if test "x$MANFMT" = "x" ; then
	AC_MSG_WARN([no manpage formatter found])
	MANFMT="false"
fi
AC_SUBST([MANFMT])
64
dnl Tools needed by buildpkg.sh.  groupadd and useradd are searched for in
dnl /usr/sbin and /etc only and fall back to the bare command name.
AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
	[/usr/sbin${PATH_SEPARATOR}/etc])
AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
# Startup scripts use /sbin/sh when it exists and is executable, else /bin/sh.
if test -x /sbin/sh; then
	STARTUP_SCRIPT_SHELL=/sbin/sh
else
	STARTUP_SCRIPT_SHELL=/bin/sh
fi
AC_SUBST([STARTUP_SCRIPT_SHELL])
76
77# System features
78AC_SYS_LARGEFILE
79
80if test -z "$AR" ; then
81	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
82fi
83
84AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
85if test ! -z "$PATH_PASSWD_PROG" ; then
86	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
87		[Full path of your "passwd" program])
88fi
89
dnl Since autoconf doesn't support it very well, we no longer allow users to
dnl override LD; however, the hook is kept here for now in case there's a use
dnl case we overlooked and someone needs to re-enable it.  Unless a good
dnl reason is found we'll be removing this in future.
dnl The link command is therefore always the C compiler driver.
LD="$CC"
AC_SUBST([LD])
96
97AC_C_INLINE
98
99AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
100AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
101AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
102	#include <sys/types.h>
103	#include <sys/param.h>
104	#include <dev/systrace.h>
105])
106AC_CHECK_DECL([RLIMIT_NPROC],
107    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
108	#include <sys/types.h>
109	#include <sys/resource.h>
110])
111AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
112	#include <sys/types.h>
113	#include <linux/prctl.h>
114])
115
# OpenSSL (libcrypto) is the default crypto provider.  Only an explicit
# --without-openssl (withval "no") switches to the limited internal crypto,
# which the option help itself labels experimental.
openssl=yes
AC_ARG_WITH([openssl],
	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
	[ test "x$withval" = "xno" && openssl=no ]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
# openssl only ever holds "yes" or "no", so it doubles as the result text.
AC_MSG_RESULT([$openssl])
if test "x$openssl" = "xyes" ; then
	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
fi
131
# Compiler stack protection and toolchain hardening are both on by default.
# Only an explicit "no" (--without-stackprotect / --without-hardening)
# switches one off; any other argument leaves the default in place.
use_toolchain_hardening=1
use_stack_protector=1
AC_ARG_WITH([stackprotect],
    [  --without-stackprotect  Don't use compiler's stack protection],
    [ test "x$withval" = "xno" && use_stack_protector=0 ])
AC_ARG_WITH([hardening],
    [  --without-hardening     Don't use toolchain hardening flags],
    [ test "x$withval" = "xno" && use_toolchain_hardening=0 ])
144
# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.
# The outcome is recorded in WERROR (empty when the compiler rejects the
# flag).  CFLAGS is restored afterwards, so -Werror is not added to the
# build flags by this check.
# NOTE(review): WERROR is presumably consumed by the OSSH_CHECK_* flag probes
# defined outside this file - confirm there.
AC_MSG_CHECKING([if $CC supports -Werror])
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
	[ AC_MSG_RESULT([yes])
	  WERROR="-Werror"],
	[ AC_MSG_RESULT([no])
	  WERROR="" ]
)
CFLAGS="$saved_CFLAGS"
157
# GCC-compatible compilers only: probe warning and hardening flags one at a
# time.  The OSSH_CHECK_* helpers are defined outside this file.
# NOTE(review): a flag whose probe fails is presumably just left out and the
# build carries on without it, so config.log is the place to confirm which
# mitigations a given build actually received.
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
	OSSH_CHECK_CFLAG_COMPILE([-pipe])
	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
	OSSH_CHECK_CFLAG_COMPILE([-Wall])
	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
    # Exploit-mitigation flags.  The whole group is skipped when the user
    # passed --without-hardening: retpoline code generation, fortified libc
    # calls, read-only relocations with immediate binding, a non-executable
    # stack and trapping signed integer overflow.
    if test "x$use_toolchain_hardening" = "x1"; then
	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
	# NB. -ftrapv expects certain support functions to be present in
	# the compiler library (libgcc or similar) to detect integer operations
	# that can overflow. We must check that the result of enabling it
	# actually links. The test program compiled/linked includes a number
	# of integer operations that should exercise this.
	OSSH_CHECK_CFLAG_LINK([-ftrapv])
    fi
	# Compilers reporting gcc version 1.x or 2.x are flagged as lacking
	# the nonnull attribute; the flag is read later in this file.
	AC_MSG_CHECKING([gcc version])
	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
	case $GCC_VER in
		1.*) no_attrib_nonnull=1 ;;
		2.8* | 2.9*)
		     no_attrib_nonnull=1
		     ;;
		2.*) no_attrib_nonnull=1 ;;
		*) ;;
	esac
	AC_MSG_RESULT([$GCC_VER])

	# Keep -fno-builtin-memset in CFLAGS only if a program calling
	# memset still links with it; otherwise CFLAGS is put back.
	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
	saved_CFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS -fno-builtin-memset"
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
		[ AC_MSG_RESULT([yes]) ],
		[ AC_MSG_RESULT([no])
		  CFLAGS="$saved_CFLAGS" ]
	)

	# -fstack-protector-all doesn't always work for some GCC versions
	# and/or platforms, so we test if we can.  If it's not supported
	# on a given platform gcc will emit a warning so we use -Werror.
	#
	# Candidates are tried in the listed order.  A candidate must first
	# link with -Werror; it is then added to CFLAGS and LDFLAGS without
	# -Werror and a test program is run.  "break" leaves the loop before
	# the restore lines at the bottom, which is how the accepted flag
	# stays in CFLAGS and LDFLAGS.  When cross compiling the run test is
	# impossible and the flag is kept untested.  If every candidate
	# fails, the loop ends with the flags restored and no error: the
	# build then proceeds without stack protection.
	if test "x$use_stack_protector" = "x1"; then
	    for t in -fstack-protector-strong -fstack-protector-all \
		    -fstack-protector; do
		AC_MSG_CHECKING([if $CC supports $t])
		saved_CFLAGS="$CFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		CFLAGS="$CFLAGS $t -Werror"
		LDFLAGS="$LDFLAGS $t -Werror"
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
			 ]],
			[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
			 ]])],
		    [ AC_MSG_RESULT([yes])
		      CFLAGS="$saved_CFLAGS $t"
		      LDFLAGS="$saved_LDFLAGS $t"
		      AC_MSG_CHECKING([if $t works])
		      AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdio.h>
	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
			]],
			[[
	char x[256];
	snprintf(x, sizeof(x), "XXX%d", func(1));
			]])],
			[ AC_MSG_RESULT([yes])
			  break ],
			[ AC_MSG_RESULT([no]) ],
			[ AC_MSG_WARN([cross compiling: cannot test])
			  break ]
		      )
		    ],
		    [ AC_MSG_RESULT([no]) ]
		)
		# Reached only when the candidate was rejected.
		CFLAGS="$saved_CFLAGS"
		LDFLAGS="$saved_LDFLAGS"
	    done
	fi

	if test -z "$have_llong_max"; then
		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
		# The cached result is cleared so the check really runs again;
		# -std=gnu99 stays in CFLAGS only if the retry succeeds.
		unset ac_cv_have_decl_LLONG_MAX
		saved_CFLAGS="$CFLAGS"
		CFLAGS="$CFLAGS -std=gnu99"
		AC_CHECK_DECL([LLONG_MAX],
		    [have_llong_max=1],
		    [CFLAGS="$saved_CFLAGS"],
		    [#include <limits.h>]
		)
	fi
fi
270
271AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
272AC_COMPILE_IFELSE(
273    [AC_LANG_PROGRAM([[
274#include <stdlib.h>
275__attribute__((__unused__)) static void foo(void){return;}]],
276    [[ exit(0); ]])],
277    [ AC_MSG_RESULT([yes]) ],
278    [ AC_MSG_RESULT([no])
279      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
280	 [compiler does not accept __attribute__ on return types]) ]
281)
282
283AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
284AC_COMPILE_IFELSE(
285    [AC_LANG_PROGRAM([[
286#include <stdlib.h>
287typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
288    [[ exit(0); ]])],
289    [ AC_MSG_RESULT([yes]) ],
290    [ AC_MSG_RESULT([no])
291      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
292	 [compiler does not accept __attribute__ on prototype args]) ]
293)
294
295if test "x$no_attrib_nonnull" != "x1" ; then
296	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
297fi
298
dnl --without-rpath clears the auto-added runtime library path option, a bare
dnl --with-rpath selects -R, and any other value is used as the option itself.
AC_ARG_WITH([rpath],
	[  --without-rpath         Disable auto-added -R linker paths],
	[
		rpath_opt="$withval"
		test "x$withval" = "xyes" && rpath_opt="-R"
		test "x$withval" = "xno" && rpath_opt=""
	]
)
311
# Allow user to specify flags
# Each option below ignores an empty value and the bare "yes"/"no" forms.
# --with-cflags, --with-cppflags, --with-ldflags and --with-libs append to
# the variables used by every later configure test; the *-after variants
# are only stored here (CFLAGS_AFTER, LDFLAGS_AFTER) for use later on.
# NOTE(review): these values are appended after the hardening probes above
# have run, so with the usual last-option-wins compiler behaviour a flag
# such as -fno-stack-protector supplied this way would presumably undo a
# mitigation chosen earlier.  Worth checking in packaging recipes that pass
# these options.
AC_ARG_WITH([cflags],
	[  --with-cflags           Specify additional flags to pass to compiler],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CFLAGS="$CFLAGS $withval"
		fi
	]
)

AC_ARG_WITH([cflags-after],
	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([cppflags],
	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			CPPFLAGS="$CPPFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags],
	[  --with-ldflags          Specify additional flags to pass to linker],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LDFLAGS="$LDFLAGS $withval"
		fi
	]
)
AC_ARG_WITH([ldflags-after],
	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LDFLAGS_AFTER="$withval"
		fi
	]
)
AC_ARG_WITH([libs],
	[  --with-libs             Specify additional libraries to link with],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			LIBS="$LIBS $withval"
		fi
	]
)
# --with-Werror selects -Werror for the main build; any value other than
# "yes" or "no" replaces -Werror as the content of werror_flags.
AC_ARG_WITH([Werror],
	[  --with-Werror           Build main code with -Werror],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"; then
			werror_flags="-Werror"
			if test "x${withval}" != "xyes"; then
				werror_flags="$withval"
			fi
		fi
	]
)
379
380AC_CHECK_HEADERS([ \
381	blf.h \
382	bstring.h \
383	crypt.h \
384	crypto/sha2.h \
385	dirent.h \
386	endian.h \
387	elf.h \
388	err.h \
389	features.h \
390	fcntl.h \
391	floatingpoint.h \
392	fnmatch.h \
393	getopt.h \
394	glob.h \
395	ia.h \
396	iaf.h \
397	ifaddrs.h \
398	inttypes.h \
399	langinfo.h \
400	limits.h \
401	locale.h \
402	login.h \
403	maillock.h \
404	ndir.h \
405	net/if_tun.h \
406	netdb.h \
407	netgroup.h \
408	pam/pam_appl.h \
409	paths.h \
410	poll.h \
411	pty.h \
412	readpassphrase.h \
413	rpc/types.h \
414	security/pam_appl.h \
415	sha2.h \
416	shadow.h \
417	stddef.h \
418	stdint.h \
419	string.h \
420	strings.h \
421	sys/bitypes.h \
422	sys/byteorder.h \
423	sys/bsdtty.h \
424	sys/cdefs.h \
425	sys/dir.h \
426	sys/file.h \
427	sys/mman.h \
428	sys/label.h \
429	sys/ndir.h \
430	sys/poll.h \
431	sys/prctl.h \
432	sys/pstat.h \
433	sys/ptrace.h \
434	sys/random.h \
435	sys/select.h \
436	sys/stat.h \
437	sys/stream.h \
438	sys/stropts.h \
439	sys/strtio.h \
440	sys/statvfs.h \
441	sys/sysmacros.h \
442	sys/time.h \
443	sys/timers.h \
444	sys/vfs.h \
445	time.h \
446	tmpdir.h \
447	ttyent.h \
448	ucred.h \
449	unistd.h \
450	usersec.h \
451	util.h \
452	utime.h \
453	utmp.h \
454	utmpx.h \
455	vis.h \
456	wchar.h \
457])
458
459# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
460# to be included first.
461AC_CHECK_HEADERS([sys/audit.h], [], [], [
462#ifdef HAVE_SYS_TIME_H
463# include <sys/time.h>
464#endif
465#ifdef HAVE_SYS_TYPES_H
466# include <sys/types.h>
467#endif
468#ifdef HAVE_SYS_LABEL_H
469# include <sys/label.h>
470#endif
471])
472
473# sys/capsicum.h requires sys/types.h
474AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
475#ifdef HAVE_SYS_TYPES_H
476# include <sys/types.h>
477#endif
478])
479
480# net/route.h requires sys/socket.h and sys/types.h.
481# sys/sysctl.h also requires sys/param.h
482AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
483#ifdef HAVE_SYS_TYPES_H
484# include <sys/types.h>
485#endif
486#include <sys/param.h>
487#include <sys/socket.h>
488])
489
490# lastlog.h requires sys/time.h to be included first on Solaris
491AC_CHECK_HEADERS([lastlog.h], [], [], [
492#ifdef HAVE_SYS_TIME_H
493# include <sys/time.h>
494#endif
495])
496
497# sys/ptms.h requires sys/stream.h to be included first on Solaris
498AC_CHECK_HEADERS([sys/ptms.h], [], [], [
499#ifdef HAVE_SYS_STREAM_H
500# include <sys/stream.h>
501#endif
502])
503
504# login_cap.h requires sys/types.h on NetBSD
505AC_CHECK_HEADERS([login_cap.h], [], [], [
506#include <sys/types.h>
507])
508
509# older BSDs need sys/param.h before sys/mount.h
510AC_CHECK_HEADERS([sys/mount.h], [], [], [
511#include <sys/param.h>
512])
513
514# Android requires sys/socket.h to be included before sys/un.h
515AC_CHECK_HEADERS([sys/un.h], [], [], [
516#include <sys/types.h>
517#include <sys/socket.h>
518])
519
520# Messages for features tested for in target-specific section
521SIA_MSG="no"
522SPC_MSG="no"
523SP_MSG="no"
524SPP_MSG="no"
525
526# Support for Solaris/Illumos privileges (this test is used by both
527# the --with-solaris-privs option and --with-sandbox=solaris).
528SOLARIS_PRIVS="no"
529
530AC_CHECK_SIZEOF([size_t])
531
532# Check for some target-specific stuff
533case "$host" in
534*-*-aix*)
535	# Some versions of VAC won't allow macro redefinitions at
536	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
537	# particularly with older versions of vac or xlc.
538	# It also throws errors about null macro arguments, but these are
539	# not fatal.
540	AC_MSG_CHECKING([if compiler allows macro redefinitions])
541	AC_COMPILE_IFELSE(
542	    [AC_LANG_PROGRAM([[
543#define testmacro foo
544#define testmacro bar]],
545	    [[ exit(0); ]])],
546	    [ AC_MSG_RESULT([yes]) ],
547	    [ AC_MSG_RESULT([no])
548	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
549	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
550	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
551	    ]
552	)
553
554	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
555	if (test -z "$blibpath"); then
556		blibpath="/usr/lib:/lib"
557	fi
558	saved_LDFLAGS="$LDFLAGS"
559	if test "$GCC" = "yes"; then
560		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
561	else
562		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
563	fi
564	for tryflags in $flags ;do
565		if (test -z "$blibflags"); then
566			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
567			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
568			[blibflags=$tryflags], [])
569		fi
570	done
571	if (test -z "$blibflags"); then
572		AC_MSG_RESULT([not found])
573		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
574	else
575		AC_MSG_RESULT([$blibflags])
576	fi
577	LDFLAGS="$saved_LDFLAGS"
578	dnl Check for authenticate.  Might be in libs.a on older AIXes
579	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
580		[Define if you want to enable AIX4's authenticate function])],
581		[AC_CHECK_LIB([s], [authenticate],
582			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
583				LIBS="$LIBS -ls"
584			])
585		])
586	dnl Check for various auth function declarations in headers.
587	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
588	    passwdexpired, setauthdb], , , [#include <usersec.h>])
589	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
590	AC_CHECK_DECLS([loginfailed],
591	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
592	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
593		[[ (void)loginfailed("user","host","tty",0); ]])],
594		[AC_MSG_RESULT([yes])
595		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
596			[Define if your AIX loginfailed() function
597			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
598	    ])],
599	    [],
600	    [#include <usersec.h>]
601	)
602	AC_CHECK_FUNCS([getgrset setauthdb])
603	AC_CHECK_DECL([F_CLOSEM],
604	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
605	    [],
606	    [ #include <limits.h>
607	      #include <fcntl.h> ]
608	)
609	check_for_aix_broken_getaddrinfo=1
610	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
611	    [Define if your platform breaks doing a seteuid before a setuid])
612	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
613	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
614	dnl AIX handles lastlog as part of its login message
615	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
616	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
617		[Some systems need a utmpx entry for /bin/login to work])
618	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
619		[Define to a Set Process Title type if your system is
620		supported by bsd-setproctitle.c])
621	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
622	    [AIX 5.2 and 5.3 (and presumably newer) require this])
623	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
624	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
625	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
626	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
627	;;
628*-*-android*)
629	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
630	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
631	;;
632*-*-cygwin*)
633	check_for_libcrypt_later=1
634	LIBS="$LIBS /usr/lib/textreadmode.o"
635	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
636	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
637	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
638		[Define to disable UID restoration test])
639	AC_DEFINE([DISABLE_SHADOW], [1],
640		[Define if you want to disable shadow passwords])
641	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
642		[Define if X11 doesn't support AF_UNIX sockets on that system])
643	AC_DEFINE([DISABLE_FD_PASSING], [1],
644		[Define if your platform needs to skip post auth
645		file descriptor passing])
646	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
647	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
648	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
649	# reasons which cause compile warnings, so we disable those warnings.
650	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
651	;;
652*-*-dgux*)
653	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
654		[Define if your system choked on IP TOS setting])
655	AC_DEFINE([SETEUID_BREAKS_SETUID])
656	AC_DEFINE([BROKEN_SETREUID])
657	AC_DEFINE([BROKEN_SETREGID])
658	;;
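*-*-darwin*)
	# Darwin / Mac OS X settings.
	use_pie=auto
	# getaddrinfo probe.  The test program declares main with an explicit
	# int return type: implicit int is not valid C99, which this script
	# requires, and a probe that fails to compile takes the "buggy"
	# branch and defines BROKEN_GETADDRINFO whatever the library really
	# does.  Cross builds cannot run the probe and assume it works.
	AC_MSG_CHECKING([if we have working getaddrinfo])
	AC_RUN_IFELSE([AC_LANG_SOURCE([[
#include <mach-o/dyld.h>
#include <stdlib.h>
int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
		exit(0);
	else
		exit(1);
}
			]])],
	[AC_MSG_RESULT([working])],
	[AC_MSG_RESULT([buggy])
	AC_DEFINE([BROKEN_GETADDRINFO], [1],
		[getaddrinfo is broken (if present)])
	],
	[AC_MSG_RESULT([assume it is working])])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
		[Define if your resolver libs need this for getrrsetbyname])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
	    [Use tunnel device compatibility to OpenBSD])
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	m4_pattern_allow([AU_IPv])
	# The declaration check gets its four arguments separately.  With the
	# comma after the fallback define missing, the include line and the
	# LASTLOG_WRITE_PUTUTXLINE define were both swallowed into the
	# not-found action: the audit header was never consulted, and the
	# lastlog define depended on the outcome of the AU_IPv4 check.
	# NOTE(review): LASTLOG_WRITE_PUTUTXLINE is assumed to be meant
	# unconditionally on this platform - confirm against the lastlog code.
	AC_CHECK_DECL([AU_IPv4], [],
	    [AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])],
	    [#include <bsm/audit.h>]
	)
	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
	    [Define if pututxline updates lastlog too])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
		[Define to a Set Process Title type if your system is
		supported by bsd-setproctitle.c])
	# Sandbox support: libsandbox is linked into sshd only (SSHDLIBS).
	AC_CHECK_FUNCS([sandbox_init])
	AC_CHECK_HEADERS([sandbox.h])
	AC_CHECK_LIB([sandbox], [sandbox_apply], [
	    SSHDLIBS="$SSHDLIBS -lsandbox"
	])
	# proc_pidinfo()-based closefrom() replacement.
	AC_CHECK_HEADERS([libproc.h])
	AC_CHECK_FUNCS([proc_pidinfo])
	;;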
707*-*-dragonfly*)
708	SSHDLIBS="$SSHDLIBS -lcrypt"
709	TEST_MALLOC_OPTIONS="AFGJPRX"
710	;;
711*-*-haiku*)
712	LIBS="$LIBS -lbsd "
713	CFLAGS="$CFLAGS -D_BSD_SOURCE"
714	AC_CHECK_LIB([network], [socket])
715	AC_DEFINE([HAVE_U_INT64_T])
716	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
717	MANTYPE=man
718	;;
719*-*-hpux*)
720	# first we define all of the options common to all HP-UX releases
721	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
722	IPADDR_IN_DISPLAY=yes
723	AC_DEFINE([USE_PIPES])
724	AC_DEFINE([LOGIN_NEEDS_UTMPX])
725	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
726		[String used in /etc/passwd to denote locked account])
727	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
728	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
729	maildir="/var/mail"
730	LIBS="$LIBS -lsec"
731	AC_CHECK_LIB([xnet], [t_error], ,
732	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
733
734	# next, we define all of the options specific to major releases
735	case "$host" in
736	*-*-hpux10*)
737		if test -z "$GCC"; then
738			CFLAGS="$CFLAGS -Ae"
739		fi
740		;;
741	*-*-hpux11*)
742		AC_DEFINE([PAM_SUN_CODEBASE], [1],
743			[Define if you are using Solaris-derived PAM which
744			passes pam_messages to the conversation function
745			with an extra level of indirection])
746		AC_DEFINE([DISABLE_UTMP], [1],
747			[Define if you don't want to use utmp])
748		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
749		check_for_hpux_broken_getaddrinfo=1
750		check_for_conflicting_getspnam=1
751		;;
752	esac
753
754	# lastly, we define options specific to minor releases
755	case "$host" in
756	*-*-hpux10.26)
757		AC_DEFINE([HAVE_SECUREWARE], [1],
758			[Define if you have SecureWare-based
759			protected password database])
760		disable_ptmx_check=yes
761		LIBS="$LIBS -lsecpw"
762		;;
763	esac
764	;;
765*-*-irix5*)
766	PATH="$PATH:/usr/etc"
767	AC_DEFINE([BROKEN_INET_NTOA], [1],
768		[Define if you system's inet_ntoa is busted
769		(e.g. Irix gcc issue)])
770	AC_DEFINE([SETEUID_BREAKS_SETUID])
771	AC_DEFINE([BROKEN_SETREUID])
772	AC_DEFINE([BROKEN_SETREGID])
773	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
774		[Define if you shouldn't strip 'tty' from your
775		ttyname in [uw]tmp])
776	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
777	;;
778*-*-irix6*)
779	PATH="$PATH:/usr/etc"
780	AC_DEFINE([WITH_IRIX_ARRAY], [1],
781		[Define if you have/want arrays
782		(cluster-wide session management, not C arrays)])
783	AC_DEFINE([WITH_IRIX_PROJECT], [1],
784		[Define if you want IRIX project management])
785	AC_DEFINE([WITH_IRIX_AUDIT], [1],
786		[Define if you want IRIX audit trails])
787	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
788		[Define if you want IRIX kernel jobs])])
789	AC_DEFINE([BROKEN_INET_NTOA])
790	AC_DEFINE([SETEUID_BREAKS_SETUID])
791	AC_DEFINE([BROKEN_SETREUID])
792	AC_DEFINE([BROKEN_SETREGID])
793	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
794	AC_DEFINE([WITH_ABBREV_NO_TTY])
795	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
796	;;
797*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
798	check_for_libcrypt_later=1
799	AC_DEFINE([PAM_TTY_KLUDGE])
800	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
801	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
802	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
803	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
804	;;
805*-*-linux*)
806	no_dev_ptmx=1
807	use_pie=auto
808	check_for_libcrypt_later=1
809	check_for_openpty_ctty_bug=1
810	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
811	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
812	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
813	AC_DEFINE([PAM_TTY_KLUDGE], [1],
814		[Work around problematic Linux PAM modules handling of PAM_TTY])
815	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
816		[String used in /etc/passwd to denote locked account])
817	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
818	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
819		[Define to whatever link() returns for "not supported"
820		if it doesn't return EOPNOTSUPP.])
821	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
822	AC_DEFINE([USE_BTMP])
823	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
824	inet6_default_4in6=yes
825	case `uname -r` in
826	1.*|2.0.*)
827		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
828			[Define if cmsg_type is not passed correctly])
829		;;
830	esac
831	# tun(4) forwarding compat code
832	AC_CHECK_HEADERS([linux/if_tun.h])
833	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
834		AC_DEFINE([SSH_TUN_LINUX], [1],
835		    [Open tunnel devices the Linux tun/tap way])
836		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
837		    [Use tunnel device compatibility to OpenBSD])
838		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
839		    [Prepend the address family to IP tunnel traffic])
840	fi
841	AC_CHECK_HEADER([linux/if.h],
842	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
843		[Support routing domains using Linux VRF]), [], [
844#ifdef HAVE_SYS_TYPES_H
845# include <sys/types.h>
846#endif
847	    ])
848	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
849	    [], [#include <linux/types.h>])
850	# Obtain MIPS ABI
851	case "$host" in
852	mips*)
853		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
854#if _MIPS_SIM != _ABIO32
855#error
856#endif
857			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
858#if _MIPS_SIM != _ABIN32
859#error
860#endif
861				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
862#if _MIPS_SIM != _ABI64
863#error
864#endif
865					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
866				])
867			])
868		])
869		;;
870	esac
	# Map the host triplet to the AUDIT_ARCH_* constant that ends up in
	# SECCOMP_AUDIT_ARCH.  Hosts that match no pattern leave the variable
	# empty, and the macro is then not defined at all.
	# NOTE(review): presumably the seccomp sandbox cannot be used on such
	# hosts - confirm against the sandbox selection later in this file.
	AC_MSG_CHECKING([for seccomp architecture])
	seccomp_audit_arch=
	case "$host" in
	x86_64-*)
		seccomp_audit_arch=AUDIT_ARCH_X86_64
		# X32: AMD64 instructions in 32bit address space.
		# Detected through the cached sizeof(size_t) result.
		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
			seccomp_audit_arch=AUDIT_ARCH_I386
		fi
		;;
	i*86-*)
		seccomp_audit_arch=AUDIT_ARCH_I386
		;;
	# NOTE(review): this pattern also matches big-endian armeb triplets;
	# confirm AUDIT_ARCH_ARM is the intended value for them.
	arm*-*)
		seccomp_audit_arch=AUDIT_ARCH_ARM
		;;
	aarch64*-*)
		seccomp_audit_arch=AUDIT_ARCH_AARCH64
		;;
	s390x-*)
		seccomp_audit_arch=AUDIT_ARCH_S390X
		;;
	s390-*)
		seccomp_audit_arch=AUDIT_ARCH_S390
		;;
	powerpc64-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64
		;;
	powerpc64le-*)
		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
		;;
	mips-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPS
		;;
	mipsel-*)
		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
		;;
	# 64-bit MIPS: the value depends on mips_abi as detected earlier in
	# this case arm.  Only n32 and n64 are mapped; an o32 result leaves
	# the variable empty.
	mips64-*)
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPS64
			;;
		esac
		;;
	mips64el-*)
		case "$mips_abi" in
		"n32")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
			;;
		"n64")
			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
			;;
		esac
		;;
	riscv64-*)
		seccomp_audit_arch=AUDIT_ARCH_RISCV64
		;;
	esac
	# The constant name is emitted unquoted, so config.h carries the
	# identifier itself rather than a string.
	if test "x$seccomp_audit_arch" != "x" ; then
		AC_MSG_RESULT(["$seccomp_audit_arch"])
		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
		    [Specify the system call convention in use])
	else
		AC_MSG_RESULT([architecture not supported])
	fi
939	;;
940mips-sony-bsd|mips-sony-newsos4)
941	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
942	SONY=1
943	;;
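*-*-netbsd*)
	# NetBSD settings.
	check_for_libcrypt_before=1
	# Default to -R runtime library paths unless --without-rpath was
	# given.  The test reads with_rpath, which only the rpath option
	# sets.  withval cannot be used here: by this point it holds the
	# argument of whichever --with-* option was processed last, so an
	# unrelated option could re-enable rpath after --without-rpath, or
	# switch it off without the user asking.
	if test "x$with_rpath" != "xno" ; then
		rpath_opt="-R"
	fi
	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	# Without net/if_tap.h, layer 2 tunnel support is compiled out.
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	TEST_MALLOC_OPTIONS="AJRX"
	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
	;;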
959*-*-freebsd*)
960	check_for_libcrypt_later=1
961	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
962	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
963	AC_CHECK_HEADER([net/if_tap.h], ,
964	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
965	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
966	TEST_MALLOC_OPTIONS="AJRX"
967	# Preauth crypto occasionally uses file descriptors for crypto offload
968	# and will crash if they cannot be opened.
969	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
970	    [define if setrlimit RLIMIT_NOFILE breaks things])
971	;;
972*-*-bsdi*)
973	AC_DEFINE([SETEUID_BREAKS_SETUID])
974	AC_DEFINE([BROKEN_SETREUID])
975	AC_DEFINE([BROKEN_SETREGID])
976	;;
977*-next-*)
978	conf_lastlog_location="/usr/adm/lastlog"
979	conf_utmp_location=/etc/utmp
980	conf_wtmp_location=/usr/adm/wtmp
981	maildir=/usr/spool/mail
982	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
983	AC_DEFINE([USE_PIPES])
984	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
985	;;
986*-*-openbsd*)
987	use_pie=auto
988	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
989	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
990	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
991	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
992	    [syslog_r function is safe to use in in a signal handler])
993	TEST_MALLOC_OPTIONS="AFGJPRX"
994	;;
995*-*-solaris*)
996	if test "x$withval" != "xno" ; then
997		rpath_opt="-R"
998	fi
999	AC_DEFINE([PAM_SUN_CODEBASE])
1000	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1001	AC_DEFINE([PAM_TTY_KLUDGE])
1002	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1003		[Define if pam_chauthtok wants real uid set
1004		to the unpriv'ed user])
1005	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1006	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1007	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1008		[Define if sshd somehow reacquires a controlling TTY
1009		after setsid()])
1010	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1011		in case the name is longer than 8 chars])
1012	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1013	external_path_file=/etc/default/login
1014	# hardwire lastlog location (can't detect it on some versions)
1015	conf_lastlog_location="/var/adm/lastlog"
1016	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1017	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1018	if test "$sol2ver" -ge 8; then
1019		AC_MSG_RESULT([yes])
1020		AC_DEFINE([DISABLE_UTMP])
1021		AC_DEFINE([DISABLE_WTMP], [1],
1022			[Define if you don't want to use wtmp])
1023	else
1024		AC_MSG_RESULT([no])
1025	fi
1026	AC_CHECK_FUNCS([setpflags])
1027	AC_CHECK_FUNCS([setppriv])
1028	AC_CHECK_FUNCS([priv_basicset])
1029	AC_CHECK_HEADERS([priv.h])
1030	AC_ARG_WITH([solaris-contracts],
1031		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1032		[
1033		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1034			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1035				[Define if you have Solaris process contracts])
1036			  LIBS="$LIBS -lcontract"
1037			  SPC_MSG="yes" ], )
1038		],
1039	)
1040	AC_ARG_WITH([solaris-projects],
1041		[  --with-solaris-projects Enable Solaris projects (experimental)],
1042		[
1043		AC_CHECK_LIB([project], [setproject],
1044			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1045				[Define if you have Solaris projects])
1046			LIBS="$LIBS -lproject"
1047			SP_MSG="yes" ], )
1048		],
1049	)
1050	AC_ARG_WITH([solaris-privs],
1051		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1052		[
1053		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1054		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1055			"x$ac_cv_header_priv_h" = "xyes" ; then
1056			SOLARIS_PRIVS=yes
1057			AC_MSG_RESULT([found])
1058			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1059				[Define to disable UID restoration test])
1060			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1061				[Define if you have Solaris privileges])
1062			SPP_MSG="yes"
1063		else
1064			AC_MSG_RESULT([not found])
1065			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1066		fi
1067		],
1068	)
1069	TEST_SHELL=$SHELL	# let configure find us a capable shell
1070	;;
1071*-*-sunos4*)
1072	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1073	AC_CHECK_FUNCS([getpwanam])
1074	AC_DEFINE([PAM_SUN_CODEBASE])
1075	conf_utmp_location=/etc/utmp
1076	conf_wtmp_location=/var/adm/wtmp
1077	conf_lastlog_location=/var/adm/lastlog
1078	AC_DEFINE([USE_PIPES])
1079	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1080	;;
1081*-ncr-sysv*)
1082	LIBS="$LIBS -lc89"
1083	AC_DEFINE([USE_PIPES])
1084	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1085	AC_DEFINE([SETEUID_BREAKS_SETUID])
1086	AC_DEFINE([BROKEN_SETREUID])
1087	AC_DEFINE([BROKEN_SETREGID])
1088	;;
1089*-sni-sysv*)
1090	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1091	AC_CHECK_LIB([dl], [dlsym], ,)
1092	# -lresolv needs to be at the end of LIBS or DNS lookups break
1093	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1094	IPADDR_IN_DISPLAY=yes
1095	AC_DEFINE([USE_PIPES])
1096	AC_DEFINE([IP_TOS_IS_BROKEN])
1097	AC_DEFINE([SETEUID_BREAKS_SETUID])
1098	AC_DEFINE([BROKEN_SETREUID])
1099	AC_DEFINE([BROKEN_SETREGID])
1100	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1101	external_path_file=/etc/default/login
1102	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1103	# Attention: always take care to bind libsocket and libnsl before libc,
1104	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1105	;;
1106# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1107*-*-sysv4.2*)
1108	AC_DEFINE([USE_PIPES])
1109	AC_DEFINE([SETEUID_BREAKS_SETUID])
1110	AC_DEFINE([BROKEN_SETREUID])
1111	AC_DEFINE([BROKEN_SETREGID])
1112	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1113	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1114	TEST_SHELL=$SHELL	# let configure find us a capable shell
1115	;;
1116# UnixWare 7.x, OpenUNIX 8
1117*-*-sysv5*)
1118	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1119	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1120	AC_DEFINE([USE_PIPES])
1121	AC_DEFINE([SETEUID_BREAKS_SETUID])
1122	AC_DEFINE([BROKEN_GETADDRINFO])
1123	AC_DEFINE([BROKEN_SETREUID])
1124	AC_DEFINE([BROKEN_SETREGID])
1125	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1126	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1127	TEST_SHELL=$SHELL	# let configure find us a capable shell
1128	check_for_libcrypt_later=1
1129	case "$host" in
1130	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1131		maildir=/var/spool/mail
1132		AC_DEFINE([BROKEN_UPDWTMPX])
1133		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1134			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1135			], , )
1136		;;
1137	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1138		;;
1139	esac
1140	;;
1141*-*-sysv*)
1142	;;
1143# SCO UNIX and OEM versions of SCO UNIX
1144*-*-sco3.2v4*)
1145	AC_MSG_ERROR("This Platform is no longer supported.")
1146	;;
1147# SCO OpenServer 5.x
1148*-*-sco3.2v5*)
1149	if test -z "$GCC"; then
1150		CFLAGS="$CFLAGS -belf"
1151	fi
1152	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1153	no_dev_ptmx=1
1154	AC_DEFINE([USE_PIPES])
1155	AC_DEFINE([HAVE_SECUREWARE])
1156	AC_DEFINE([DISABLE_SHADOW])
1157	AC_DEFINE([DISABLE_FD_PASSING])
1158	AC_DEFINE([SETEUID_BREAKS_SETUID])
1159	AC_DEFINE([BROKEN_GETADDRINFO])
1160	AC_DEFINE([BROKEN_SETREUID])
1161	AC_DEFINE([BROKEN_SETREGID])
1162	AC_DEFINE([WITH_ABBREV_NO_TTY])
1163	AC_DEFINE([BROKEN_UPDWTMPX])
1164	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1165	AC_CHECK_FUNCS([getluid setluid])
1166	MANTYPE=man
1167	TEST_SHELL=$SHELL	# let configure find us a capable shell
1168	SKIP_DISABLE_LASTLOG_DEFINE=yes
1169	;;
1170*-dec-osf*)
1171	AC_MSG_CHECKING([for Digital Unix SIA])
1172	no_osfsia=""
1173	AC_ARG_WITH([osfsia],
1174		[  --with-osfsia           Enable Digital Unix SIA],
1175		[
1176			if test "x$withval" = "xno" ; then
1177				AC_MSG_RESULT([disabled])
1178				no_osfsia=1
1179			fi
1180		],
1181	)
1182	if test -z "$no_osfsia" ; then
1183		if test -f /etc/sia/matrix.conf; then
1184			AC_MSG_RESULT([yes])
1185			AC_DEFINE([HAVE_OSF_SIA], [1],
1186				[Define if you have Digital Unix Security
1187				Integration Architecture])
1188			AC_DEFINE([DISABLE_LOGIN], [1],
1189				[Define if you don't want to use your
1190				system's login() call])
1191			AC_DEFINE([DISABLE_FD_PASSING])
1192			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1193			SIA_MSG="yes"
1194		else
1195			AC_MSG_RESULT([no])
1196			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1197			  [String used in /etc/passwd to denote locked account])
1198		fi
1199	fi
1200	AC_DEFINE([BROKEN_GETADDRINFO])
1201	AC_DEFINE([SETEUID_BREAKS_SETUID])
1202	AC_DEFINE([BROKEN_SETREUID])
1203	AC_DEFINE([BROKEN_SETREGID])
1204	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1205	;;
1206
1207*-*-nto-qnx*)
1208	AC_DEFINE([USE_PIPES])
1209	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1210	AC_DEFINE([DISABLE_LASTLOG])
1211	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1212	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1213	enable_etc_default_login=no	# has incompatible /etc/default/login
1214	case "$host" in
1215	*-*-nto-qnx6*)
1216		AC_DEFINE([DISABLE_FD_PASSING])
1217		;;
1218	esac
1219	;;
1220
1221*-*-ultrix*)
1222	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1223	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1224	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1225	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1226	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1227	# don't get a controlling tty.
1228	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1229	# On Ultrix some headers are not protected against multiple includes,
1230	# so we create wrappers and put it where the compiler will find it.
1231	AC_MSG_WARN([creating compat wrappers for headers])
1232	mkdir -p netinet
1233	for header in netinet/ip.h netdb.h resolv.h; do
1234		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1235		cat >$header <<EOD
1236#ifndef _SSH_COMPAT_${name}
1237#define _SSH_COMPAT_${name}
1238#include "/usr/include/${header}"
1239#endif
1240EOD
1241	done
1242	;;
1243
1244*-*-lynxos)
1245	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1246	AC_DEFINE([BROKEN_SETVBUF], [1],
1247	    [LynxOS has broken setvbuf() implementation])
1248	;;
1249esac
1250
dnl Sanity gate: build and run a trivial program with the compiler and the
dnl flags set so far. Configure stops here if that fails. When cross
dnl compiling the program cannot be run, so only a warning is printed.
AC_MSG_CHECKING([compiler and flags for sanity])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ exit(0); ]]
	)],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])],
	[AC_MSG_WARN([cross compiling: not checking compiler sanity])]
)
1260
1261dnl Checks for header files.
1262# Checks for libraries.
1263AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1264
1265dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1266AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1267	AC_CHECK_LIB([gen], [dirname], [
1268		AC_CACHE_CHECK([for broken dirname],
1269			ac_cv_have_broken_dirname, [
1270			save_LIBS="$LIBS"
1271			LIBS="$LIBS -lgen"
1272			AC_RUN_IFELSE(
1273				[AC_LANG_SOURCE([[
1274#include <libgen.h>
1275#include <string.h>
1276#include <stdlib.h>
1277
1278int main(int argc, char **argv) {
1279    char *s, buf[32];
1280
1281    strncpy(buf,"/etc", 32);
1282    s = dirname(buf);
1283    if (!s || strncmp(s, "/", 32) != 0) {
1284	exit(1);
1285    } else {
1286	exit(0);
1287    }
1288}
1289				]])],
1290				[ ac_cv_have_broken_dirname="no" ],
1291				[ ac_cv_have_broken_dirname="yes" ],
1292				[ ac_cv_have_broken_dirname="no" ],
1293			)
1294			LIBS="$save_LIBS"
1295		])
1296		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1297			LIBS="$LIBS -lgen"
1298			AC_DEFINE([HAVE_DIRNAME])
1299			AC_CHECK_HEADERS([libgen.h])
1300		fi
1301	])
1302])
1303
1304AC_CHECK_FUNC([getspnam], ,
1305	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1306AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1307	[Define if you have the basename function.])])
1308
dnl zlib is on unless --without-zlib is given. --with-zlib=PATH prepends PATH
dnl to the search paths: PATH/lib and PATH/include when those directories
dnl exist and PATH itself otherwise. When rpath_opt is set the chosen library
dnl directory is also passed with the rpath option, so it ends up in the
dnl link flags used for the rest of configure.
zlib=yes
AC_ARG_WITH([zlib],
	[  --with-zlib=PATH        Use zlib in PATH],
	[
	case "x$withval" in
	xno)
		zlib=no
		;;
	xyes)
		;;
	*)
		zlib_libdir="${withval}"
		if test -d "$withval/lib"; then
			zlib_libdir="${withval}/lib"
		fi
		zlib_incdir="${withval}"
		if test -d "$withval/include"; then
			zlib_incdir="${withval}/include"
		fi
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L${zlib_libdir} ${rpath_opt}${zlib_libdir} ${LDFLAGS}"
		else
			LDFLAGS="-L${zlib_libdir} ${LDFLAGS}"
		fi
		CPPFLAGS="-I${zlib_incdir} ${CPPFLAGS}"
		;;
	esac
	]
)
1336
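dnl Locate zlib and refuse versions below the floor coded in the probe
dnl further down (1.1.4 within 1.1.x, or 1.2.3 and later). The floor is only
dnl a minimum: passing it says nothing about fixes made in later zlib
dnl releases. The probe is skipped when cross compiling, and
dnl --without-zlib-version-check downgrades a failure to a warning.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" = "xno"; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
	AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
	AC_CHECK_LIB([z], [deflate], ,
	[
		saved_CPPFLAGS="$CPPFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		save_LIBS="$LIBS"
		dnl Check default zlib install dir. These settings stay in
		dnl effect for the rest of configure when the link test passes.
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
		else
			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
		fi
		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
		LIBS="$LIBS -lz"
		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
			[
				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
			]
		)
	]
	)

	AC_ARG_WITH([zlib-version-check],
	[  --without-zlib-version-check Disable zlib version check],
	[  if test "x$withval" = "xno" ; then
		zlib_check_nonfatal=1
	   fi
	]
	)

	AC_MSG_CHECKING([for possibly buggy zlib])
	AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	/*
	 * Components that are not present stay 0, so a shorter version string
	 * of the form MAJOR.MINOR is still comparable. Only a string with no
	 * leading number at all is rejected as unparseable; requiring three
	 * or four components would report a newer two-component release as
	 * too old.
	 */
	if (n < 1)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	exit(2);
	]])],
	[AC_MSG_RESULT([no])],
	[ AC_MSG_RESULT([yes])
	  if test -z "$zlib_check_nonfatal" ; then
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  else
		AC_MSG_WARN([zlib version may have security problems])
	  fi
	],
	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
	)
fi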
1414
1415dnl UnixWare 2.x
1416AC_CHECK_FUNC([strcasecmp],
1417	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1418)
1419AC_CHECK_FUNCS([utimes],
1420	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1421					LIBS="$LIBS -lc89"]) ]
1422)
1423
1424dnl    Checks for libutil functions
1425AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1426AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1427AC_SEARCH_LIBS([scan_scaled], [util bsd])
1428AC_SEARCH_LIBS([login], [util bsd])
1429AC_SEARCH_LIBS([logout], [util bsd])
1430AC_SEARCH_LIBS([logwtmp], [util bsd])
1431AC_SEARCH_LIBS([openpty], [util bsd])
1432AC_SEARCH_LIBS([updwtmp], [util bsd])
1433AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1434
1435# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1436# or libnsl.
1437AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1438AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1439
1440# "Particular Function Checks"
1441# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1442AC_FUNC_STRFTIME
1443AC_FUNC_MALLOC
1444AC_FUNC_REALLOC
# autoconf has no AC_FUNC_CALLOC, so calloc(0, N) is probed by hand here.
# When the probe cannot be run the malloc result is reused.
AC_MSG_CHECKING([if calloc(0, N) returns non-null])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
	)],
	[func_calloc_0_nonnull=yes],
	[func_calloc_0_nonnull=no],
	[AC_MSG_WARN([cross compiling: assuming same as malloc])
	 func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
)
AC_MSG_RESULT([$func_calloc_0_nonnull])

# A calloc that returns NULL for a zero-sized request is renamed to
# rpl_calloc so that the replacement function is used instead.
if test "x$func_calloc_0_nonnull" = "xyes"; then
	AC_DEFINE([HAVE_CALLOC], [1], [calloc(0, x) returns non-null])
else
	AC_DEFINE([HAVE_CALLOC], [0], [calloc(0, x) returns NULL])
	AC_DEFINE([calloc], [rpl_calloc],
	    [Define to rpl_calloc if the replacement function should be used.])
fi
1466
1467# Check for ALTDIRFUNC glob() extension
1468AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1469AC_EGREP_CPP([FOUNDIT],
1470	[
1471		#include <glob.h>
1472		#ifdef GLOB_ALTDIRFUNC
1473		FOUNDIT
1474		#endif
1475	],
1476	[
1477		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1478			[Define if your system glob() function has
1479			the GLOB_ALTDIRFUNC extension])
1480		AC_MSG_RESULT([yes])
1481	],
1482	[
1483		AC_MSG_RESULT([no])
1484	]
1485)
1486
1487# Check for g.gl_matchc glob() extension
1488AC_MSG_CHECKING([for gl_matchc field in glob_t])
1489AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1490	[[ glob_t g; g.gl_matchc = 1; ]])],
1491	[
1492		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1493			[Define if your system glob() function has
1494			gl_matchc options in glob_t])
1495		AC_MSG_RESULT([yes])
1496	], [
1497		AC_MSG_RESULT([no])
1498])
1499
1500# Check for g.gl_statv glob() extension
1501AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1502AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1503#ifndef GLOB_KEEPSTAT
1504#error "glob does not support GLOB_KEEPSTAT extension"
1505#endif
1506glob_t g;
1507g.gl_statv = NULL;
1508]])],
1509	[
1510		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1511			[Define if your system glob() function has
1512			gl_statv options in glob_t])
1513		AC_MSG_RESULT([yes])
1514	], [
1515		AC_MSG_RESULT([no])
1516
1517])
1518
1519AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1520
1521AC_CHECK_DECL([VIS_ALL], ,
1522    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1523
1524AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1525AC_RUN_IFELSE(
1526	[AC_LANG_PROGRAM([[
1527#include <sys/types.h>
1528#include <dirent.h>
1529#include <stdlib.h>
1530	]],
1531	[[
1532	struct dirent d;
1533	exit(sizeof(d.d_name)<=sizeof(char));
1534	]])],
1535	[AC_MSG_RESULT([yes])],
1536	[
1537		AC_MSG_RESULT([no])
1538		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1539			[Define if your struct dirent expects you to
1540			allocate extra space for d_name])
1541	],
1542	[
1543		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1544		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1545	]
1546)
1547
dnl HAVE_PROC_PID is decided by looking at /proc on the machine that runs
dnl configure, using the pid of the configure shell itself.
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test ! -d "/proc/$$/fd" ; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
fi
1555
dnl Optional ldns support for DNSSEC. With a bare --with-ldns the flags come
dnl from ldns-config when that tool is found and default to -lldns otherwise.
dnl With --with-ldns=PATH the include and lib directories under PATH are
dnl used. The output of ldns-config is added to LIBS and CPPFLAGS as is.
LDNS_MSG="no"
AC_ARG_WITH([ldns],
	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
	[
	ldns=""
	case "x$withval" in
	xyes)
		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
		if test "x$LDNSCONFIG" != "xno"; then
			LIBS="$LIBS `$LDNSCONFIG --libs`"
			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
		else
			LIBS="-lldns $LIBS"
		fi
		ldns=yes
		;;
	xno)
		;;
	*)
		CPPFLAGS="$CPPFLAGS -I${withval}/include"
		LDFLAGS="$LDFLAGS -L${withval}/lib"
		LIBS="-lldns $LIBS"
		ldns=yes
		;;
	esac

	# Link a small program against the library before accepting it.
	if test "x$ldns" = "xyes" ; then
		AC_DEFINE([HAVE_LDNS], [1], [Define if you want ldns support])
		LDNS_MSG="yes"
		AC_MSG_CHECKING([for ldns support])
		AC_LINK_IFELSE(
			[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <ldns/ldns.h>
int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
			]])],
			[AC_MSG_RESULT([yes])],
			[AC_MSG_RESULT([no])
			 AC_MSG_ERROR([** Incomplete or missing ldns libraries.])]
		)
	fi
])
1602
1603# Check whether user wants libedit support
1604LIBEDIT_MSG="no"
1605AC_ARG_WITH([libedit],
1606	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1607	[ if test "x$withval" != "xno" ; then
1608		if test "x$withval" = "xyes" ; then
1609			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1610			if test "x$PKGCONFIG" != "xno"; then
1611				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1612				if "$PKGCONFIG" libedit; then
1613					AC_MSG_RESULT([yes])
1614					use_pkgconfig_for_libedit=yes
1615				else
1616					AC_MSG_RESULT([no])
1617				fi
1618			fi
1619		else
1620			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1621			if test -n "${rpath_opt}"; then
1622				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1623			else
1624				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1625			fi
1626		fi
1627		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1628			LIBEDIT=`$PKGCONFIG --libs libedit`
1629			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1630		else
1631			LIBEDIT="-ledit -lcurses"
1632		fi
1633		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1634		AC_CHECK_LIB([edit], [el_init],
1635			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1636			  LIBEDIT_MSG="yes"
1637			  AC_SUBST([LIBEDIT])
1638			],
1639			[ AC_MSG_ERROR([libedit not found]) ],
1640			[ $OTHERLIBS ]
1641		)
1642		AC_MSG_CHECKING([if libedit version is compatible])
1643		AC_COMPILE_IFELSE(
1644		    [AC_LANG_PROGRAM([[
1645#include <histedit.h>
1646#include <stdlib.h>
1647		    ]],
1648		    [[
1649	int i = H_SETSIZE;
1650	el_init("", NULL, NULL, NULL);
1651	exit(0);
1652		    ]])],
1653		    [ AC_MSG_RESULT([yes]) ],
1654		    [ AC_MSG_RESULT([no])
1655		      AC_MSG_ERROR([libedit version is not compatible]) ]
1656		)
1657	fi ]
1658)
1659
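dnl Select the audit backend. AUDIT_MODULE stays "none" when the option is
dnl absent or given as "no", and an unknown module name is a configure error.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is assigned in the Solaris host case and may be empty
		# on other hosts. Check for a value before the numeric compare
		# so that test does not fail on an empty operand.
		if test "x$sol2ver" != "x" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		# NOTE: unlike the bsm branch a missing libaudit.h is not fatal
		# here and -laudit is added without a link test.
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)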
1712
dnl Decide whether to build position independent executables. use_pie may
dnl already hold "auto" from the host case above; --with-pie and
dnl --without-pie override it. "auto" only survives when toolchain hardening
dnl is on and the compiler reports itself as gcc 4 or newer. The -fPIE and
dnl -pie flags are kept only as a pair.
AC_ARG_WITH([pie],
    [  --with-pie              Build Position Independent Executables if possible], [
	case "x$withval" in
	xno)	use_pie=no ;;
	xyes)	use_pie=yes ;;
	esac
    ]
)
use_pie=${use_pie:-no}
if test "x$use_pie" = "xauto"; then
	if test "x$use_toolchain_hardening" != "x1"; then
		# Turn off automatic PIE when toolchain hardening is off.
		use_pie=no
	fi
fi
if test "x$use_pie" = "xauto"; then
	# Automatic PIE requires gcc >= 4.x
	AC_MSG_CHECKING([for gcc >= 4.x])
	AC_COMPILE_IFELSE(
		[AC_LANG_SOURCE([[
#if !defined(__GNUC__) || __GNUC__ < 4
#error gcc is too old
#endif
]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 use_pie=no]
	)
fi
if test "x$use_pie" != "xno"; then
	SAVED_CFLAGS="$CFLAGS"
	SAVED_LDFLAGS="$LDFLAGS"
	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
	OSSH_CHECK_LDFLAG_LINK([-pie])
	# Keep the flags only if both checks added theirs; otherwise put back
	# the values saved above.
	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
	pie_pair=no
	if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 ; then
		if echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
			pie_pair=yes
		fi
	fi
	if test "x$pie_pair" = "xyes"; then
		AC_MSG_RESULT([yes])
	else
		AC_MSG_RESULT([no])
		CFLAGS="$SAVED_CFLAGS"
		LDFLAGS="$SAVED_LDFLAGS"
	fi
fi
1759
dnl Try a compile with -fPIC appended to CFLAGS. PICFLAG is substituted as
dnl "-fPIC" when the compile works and as empty otherwise; CFLAGS itself is
dnl put back to its previous value either way.
AC_MSG_CHECKING([whether -fPIC is accepted])
SAVED_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIC"
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <stdlib.h> ]],
		[[ exit(0); ]]
	)],
	[PICFLAG="-fPIC"
	 AC_MSG_RESULT([yes])],
	[PICFLAG=""
	 AC_MSG_RESULT([no])]
)
CFLAGS="$SAVED_CFLAGS"
AC_SUBST([PICFLAG])
1771
1772dnl    Checks for library functions. Please keep in alphabetical order
1773AC_CHECK_FUNCS([ \
1774	Blowfish_initstate \
1775	Blowfish_expandstate \
1776	Blowfish_expand0state \
1777	Blowfish_stream2word \
1778	SHA256Update \
1779	SHA384Update \
1780	SHA512Update \
1781	asprintf \
1782	b64_ntop \
1783	__b64_ntop \
1784	b64_pton \
1785	__b64_pton \
1786	bcopy \
1787	bcrypt_pbkdf \
1788	bindresvport_sa \
1789	blf_enc \
1790	bzero \
1791	cap_rights_limit \
1792	clock \
1793	closefrom \
1794	dirfd \
1795	endgrent \
1796	err \
1797	errx \
1798	explicit_bzero \
1799	fchmod \
1800	fchmodat \
1801	fchown \
1802	fchownat \
1803	flock \
1804	fnmatch \
1805	freeaddrinfo \
1806	freezero \
1807	fstatfs \
1808	fstatvfs \
1809	futimes \
1810	getaddrinfo \
1811	getcwd \
1812	getgrouplist \
1813	getline \
1814	getnameinfo \
1815	getopt \
1816	getpagesize \
1817	getpeereid \
1818	getpeerucred \
1819	getpgid \
1820	_getpty \
1821	getrlimit \
1822	getrandom \
1823	getsid \
1824	getttyent \
1825	glob \
1826	group_from_gid \
1827	inet_aton \
1828	inet_ntoa \
1829	inet_ntop \
1830	innetgr \
1831	llabs \
1832	localtime_r \
1833	login_getcapbool \
1834	md5_crypt \
1835	memmem \
1836	memmove \
1837	memset_s \
1838	mkdtemp \
1839	ngetaddrinfo \
1840	nsleep \
1841	ogetaddrinfo \
1842	openlog_r \
1843	pledge \
1844	poll \
1845	prctl \
1846	pstat \
1847	raise \
1848	readpassphrase \
1849	reallocarray \
1850	realpath \
1851	recvmsg \
1852	recallocarray \
1853	rresvport_af \
1854	sendmsg \
1855	setdtablesize \
1856	setegid \
1857	setenv \
1858	seteuid \
1859	setgroupent \
1860	setgroups \
1861	setlinebuf \
1862	setlogin \
1863	setpassent\
1864	setpcred \
1865	setproctitle \
1866	setregid \
1867	setreuid \
1868	setrlimit \
1869	setsid \
1870	setvbuf \
1871	sigaction \
1872	sigvec \
1873	snprintf \
1874	socketpair \
1875	statfs \
1876	statvfs \
1877	strcasestr \
1878	strdup \
1879	strerror \
1880	strlcat \
1881	strlcpy \
1882	strmode \
1883	strndup \
1884	strnlen \
1885	strnvis \
1886	strptime \
1887	strsignal \
1888	strtonum \
1889	strtoll \
1890	strtoul \
1891	strtoull \
1892	swap32 \
1893	sysconf \
1894	tcgetpgrp \
1895	timingsafe_bcmp \
1896	truncate \
1897	unsetenv \
1898	updwtmpx \
1899	utimensat \
1900	user_from_uid \
1901	usleep \
1902	vasprintf \
1903	vsnprintf \
1904	waitpid \
1905	warn \
1906])
1907
1908AC_CHECK_DECLS([bzero, memmem])
1909
1910dnl Wide character support.
1911AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1912
1913TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1914AC_MSG_CHECKING([for utf8 locale support])
1915AC_RUN_IFELSE(
1916	[AC_LANG_PROGRAM([[
1917#include <locale.h>
1918#include <stdlib.h>
1919	]], [[
1920	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1921	if (loc != NULL)
1922		exit(0);
1923	exit(1);
1924	]])],
1925	AC_MSG_RESULT(yes),
1926	[AC_MSG_RESULT(no)
1927	 TEST_SSH_UTF8=no],
1928	AC_MSG_WARN([cross compiling: assuming yes])
1929)
1930
1931AC_LINK_IFELSE(
1932        [AC_LANG_PROGRAM(
1933           [[ #include <ctype.h> ]],
1934           [[ return (isblank('a')); ]])],
1935	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1936])
1937
dnl PKCS#11 support is built unless --disable-pkcs11 is given.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		case "x$enableval" in
		xno)	disable_pkcs11=1 ;;
		esac
	]
)

dnl U2F/FIDO support is built unless --disable-security-key is given.
disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[
		case "x$enableval" in
		xno)	disable_sk=1 ;;
		esac
	]
)
dnl The builtin security key code is opt-in and is never enabled when
dnl security key support as a whole has been disabled.
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[
		case "x$withval" in
		xno)	;;
		*)	enable_sk_internal=yes ;;
		esac
	]
)
if test "x$disable_sk" != "x"; then
	enable_sk_internal=""
fi
1967
1968AC_SEARCH_LIBS([dlopen], [dl])
1969AC_CHECK_FUNCS([dlopen])
1970AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1971
1972# IRIX has a const char return value for gai_strerror()
1973AC_CHECK_FUNCS([gai_strerror], [
1974	AC_DEFINE([HAVE_GAI_STRERROR])
1975	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1976#include <sys/types.h>
1977#include <sys/socket.h>
1978#include <netdb.h>
1979
1980const char *gai_strerror(int);
1981			]], [[
1982	char *str;
1983	str = gai_strerror(0);
1984			]])], [
1985		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1986		[Define if gai_strerror() returns const char *])], [])])
1987
1988AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1989	[Some systems put nanosleep outside of libc])])
1990
1991AC_SEARCH_LIBS([clock_gettime], [rt],
1992	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1993
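dnl Check whether localtime_r is declared by <time.h>. If it is not, retry
dnl with -D_REENTRANT added to CPPFLAGS and keep that define only when it
dnl makes the declaration visible. The value saved for the restore is
dnl CPPFLAGS itself, so a failed retry puts the preprocessor flags back
dnl rather than overwriting them with the compiler flags. The cached result
dnl of the first probe is unset so that the second probe really runs.
AC_CHECK_DECL([localtime_r], [],
	[ saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)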
2006
2007dnl Make sure prototypes are defined for these before using them.
2008AC_CHECK_DECL([strsep],
2009	[AC_CHECK_FUNCS([strsep])],
2010	[],
2011	[
2012#ifdef HAVE_STRING_H
2013# include <string.h>
2014#endif
2015	])
2016
2017dnl tcsendbreak might be a macro
2018AC_CHECK_DECL([tcsendbreak],
2019	[AC_DEFINE([HAVE_TCSENDBREAK])],
2020	[AC_CHECK_FUNCS([tcsendbreak])],
2021	[#include <termios.h>]
2022)
2023
2024AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2025
2026AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2027	[
2028#include <sys/types.h>
2029#include <sys/socket.h>
2030#include <unistd.h>
2031	])
2032
2033AC_CHECK_DECLS([O_NONBLOCK], , ,
2034	[
2035#include <sys/types.h>
2036#ifdef HAVE_SYS_STAT_H
2037# include <sys/stat.h>
2038#endif
2039#ifdef HAVE_FCNTL_H
2040# include <fcntl.h>
2041#endif
2042	])
2043
2044AC_CHECK_DECLS([readv, writev], , , [
2045#include <sys/types.h>
2046#include <sys/uio.h>
2047#include <unistd.h>
2048	])
2049
2050AC_CHECK_DECLS([MAXSYMLINKS], , , [
2051#include <sys/param.h>
2052	])
2053
2054AC_CHECK_DECLS([offsetof], , , [
2055#include <stddef.h>
2056	])
2057
# extra bits for select(2)
dnl howmany and NFDBITS are probed as declarations and fd_mask as a type,
dnl each against the set of headers listed in its own probe.
AC_CHECK_DECLS([howmany, NFDBITS], [], [],
	[[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
#include <sys/sysmacros.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]]
)
AC_CHECK_TYPES([fd_mask], [], [],
	[[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]]
)
2088
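dnl Runtime probe for a setresuid() that exists but is only a stub.
dnl The probe includes <unistd.h> so that setresuid() is declared: with a
dnl compiler that rejects implicit function declarations the probe would
dnl otherwise fail to build, and BROKEN_SETRESUID would be defined on a
dnl system whose setresuid() works.  (On some C libraries the declaration
dnl may also depend on feature-test macros already present in CPPFLAGS.)
AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have setresuid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	/* Only ENOSYS marks the call as unimplemented; other errors are fine. */
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])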
2111
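dnl Runtime probe for a setresgid() that exists but is only a stub.
dnl <unistd.h> is included so that setresgid() is declared; without it a
dnl compiler that rejects implicit function declarations fails the probe
dnl and BROKEN_SETRESGID is defined on a system whose setresgid() works.
dnl The cross-compile warning names setresgid (it used to say setresuid).
AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have setresgid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	/* Only ENOSYS marks the call as unimplemented; other errors are fine. */
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])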
2134
dnl Run a program that calls fflush(NULL); a non-zero exit status (which
dnl includes a crash) marks the call as unusable.
AC_MSG_CHECKING([for working fflush(NULL)])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
	]], [[
	fflush(NULL);
	exit(0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
	    [define if fflush(NULL) does not work])],
	[AC_MSG_WARN([cross compiling: assuming working])]
)
2148
dnl    Checks for time functions
AC_CHECK_FUNCS([gettimeofday time])
dnl    Checks for utmp functions
AC_CHECK_FUNCS([ \
	endutent \
	getutent \
	getutid \
	getutline \
	pututline \
	setutent \
	utmpname \
])
dnl    Checks for utmpx functions
AC_CHECK_FUNCS([ \
	endutxent \
	getutxent \
	getutxid \
	getutxline \
	getutxuser \
	pututxline \
	setutxdb \
	setutxent \
	utmpxname \
])
dnl    Checks for lastlog functions
AC_CHECK_FUNCS([getlastlogxbyname])

dnl daemon() is taken from libc when present, otherwise from libbsd.
AC_CHECK_FUNC([daemon],
	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
	[AC_CHECK_LIB([bsd], [daemon],
		[
			LIBS="$LIBS -lbsd"
			AC_DEFINE([HAVE_DAEMON])
		])]
)

dnl getpagesize() is taken from libc when present, otherwise from libucb.
AC_CHECK_FUNC([getpagesize],
	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
		[Define if your libraries define getpagesize()])],
	[AC_CHECK_LIB([ucb], [getpagesize],
		[
			LIBS="$LIBS -lucb"
			AC_DEFINE([HAVE_GETPAGESIZE])
		])]
)
2172
# Check for broken snprintf
# First probe: output longer than the buffer must still be NUL terminated
# inside the buffer.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
		]], [[
	char buf[5];

	/* Nine characters into five bytes: the last byte must be the NUL. */
	snprintf(buf, 5, "123456789");
	exit(buf[4] != '\0');
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi

# Second probe: the z length modifier for size_t arguments must be understood.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf understands %zu])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
		]], [[
	size_t one = 1, two = 2;
	char out[128];

	snprintf(out, sizeof out, "%zu%zu", one, two);
	exit(strcmp(out, "12"));
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[snprintf does not understand %zu])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
	)
fi
2221
# We depend on vsnprintf returning the right thing on overflow: the
# number of characters it tried to create (as per SUSv3)
# The probe formats an 11 character string into a one byte buffer and into
# a NULL buffer of size zero, and expects 11 back both times.
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdarg.h>

/* Thin variadic wrapper so the probe exercises vsnprintf itself. */
int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
	size_t written;
	va_list args;

	va_start(args, fmt);
	written = vsnprintf(str, count, fmt, args);
	va_end(args);
	return written;
}
		]], [[
char tiny[1];

if (x_snprintf(tiny, 1, "%s %d", "hello", 12345) != 11)
	return 1;
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
	return 1;
return 0;
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
	)
fi
2260
# On systems where [v]snprintf is broken, but is declared in stdio,
# check that the fmt argument is const char * or just char *.
# This is only useful for when BROKEN_SNPRINTF
# The probe redefines snprintf with a const format argument next to the
# declaration from stdio.h; a conflicting prototype fails the compile.
AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
	]], [[
	snprintf(0, 0, 0);
	]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([SNPRINTF_CONST], [const],
			[Define as const if snprintf() can declare const char *fmt])
	],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([SNPRINTF_CONST], [/* not const */])
	]
)
2276
# Check for missing getpeereid (or equiv) support
# NO_PEERCHECK stays empty unless neither getpeereid nor getpeerucred was
# found and the SO_PEERCRED socket option does not compile either.
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" && \
    test "x$ac_cv_func_getpeerucred" != "xyes"; then
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[int i = SO_PEERCRED;]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
		],
		[
			AC_MSG_RESULT([no])
			NO_PEERCHECK=1
		]
	)
fi
2290
dnl make sure that openpty does not reacquire controlling terminal
dnl The probe only runs when check_for_openpty_ctty_bug was set earlier.
dnl NOTE(review): the probe program calls openpty() without including a
dnl header that declares it; which header that is differs per platform.
if test ! -z "$check_for_openpty_ctty_bug"; then
	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
		]], [[
	pid_t child;
	int fd, ptyfd, ttyfd, status;

	child = fork();
	if (child < 0)			/* failed */
		exit(1);

	if (child > 0) {		/* parent: relay the exit status */
		waitpid(child, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		exit(2);
	}

	/* child: drop the terminal, open a pty, then look for a ctty */
	close(0); close(1); close(2);
	setsid();
	openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
	if (fd >= 0)
		exit(3);	/* Acquired ctty: broken */
	exit(0);		/* Did not acquire ctty: OK */
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([SSHD_ACQUIRES_CTTY])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi
2338
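dnl HP-UX getaddrinfo probe, run only when check_for_hpux_broken_getaddrinfo
dnl was set earlier.  The program resolves a passive wildcard address and,
dnl for every IPv6 result, converts it back with getnameinfo() and tries to
dnl bind a socket to it.
dnl <string.h> and <sys/types.h> are included so that memset() and the
dnl socket types are declared: a compiler that rejects implicit function
dnl declarations would otherwise fail to build the probe, and
dnl BROKEN_GETADDRINFO would be defined regardless of what the resolver does.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		/* Only the IPv6 results are examined. */
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		/* A bind() that fails with EBADF is the failure being tested for. */
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi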
2407
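dnl AIX getaddrinfo probe, run only when check_for_aix_broken_getaddrinfo
dnl was set earlier.  A successful run keeps getaddrinfo and turns on
dnl AIX_GETNAMEINFO_HACK; a failed run defines BROKEN_GETADDRINFO.
dnl <string.h> and <sys/types.h> are included so that memset() and the
dnl socket types are declared: a compiler that rejects implicit function
dnl declarations would otherwise fail to build the probe and the system
dnl resolver would be reported as broken without having been run.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		/* Only an IPv4 conversion failure fails the probe. */
		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi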
2467
dnl AI_NUMERICSERV is only looked for when getaddrinfo itself was found.
if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
	AC_CHECK_DECLS([AI_NUMERICSERV], [], [],
	    [#include <sys/types.h>
	     #include <sys/socket.h>
	     #include <netdb.h>])
fi

dnl When check_for_conflicting_getspnam was set earlier, compile a program
dnl that includes shadow.h next to stdlib.h; a compile failure is reported
dnl as a conflicting definition.
if test "x$check_for_conflicting_getspnam" = "x1"; then
	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <shadow.h>
#include <stdlib.h>
		]], [[ exit(0); ]])],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
			    [Conflicting defs for getspnam])
		]
	)
fi
2492
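dnl NetBSD added an strnvis and unfortunately made it incompatible with the
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
dnl for over ten years). Despite this incompatibility being reported during
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
dnl implementation.  Try to detect this mess, and assume the only safe option
dnl if we're cross compiling.
dnl
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
dnl
dnl The probe calls strnvis with the OpenBSD argument order and installs a
dnl SIGSEGV handler so that a crash is reported as a plain failure.  The final
dnl exit(1) needs its terminating semicolon: without it the probe program
dnl does not compile, the failure branch is always taken and BROKEN_STRNVIS
dnl is defined even where the system strnvis behaves as expected.
if test "x$ac_cv_func_strnvis" = "xyes"; then
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi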
2528
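dnl The parent installs a SIGTERM handler with SA_RESTART and blocks in
dnl select(); a forked child signals it after one second and kills it a
dnl second later if it is still there.  select() returning -1 means the
dnl signal interrupted it.
dnl Two corrections over the earlier probe: the header guard is spelled
dnl HAVE_SYS_SELECT_H (the name used by the other probes in this file, so
dnl sys/select.h is really included when present), and sa_mask is cleared
dnl before sigaction() instead of being passed uninitialised.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	sigemptyset(&sa.sa_mask);
	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do no interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)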
2568
dnl When getpgrp exists, record whether it compiles with no arguments
dnl (GETPGRP_VOID is 1) or not (GETPGRP_VOID is 0).
AC_CHECK_FUNCS([getpgrp], [
	AC_MSG_CHECKING([if getpgrp accepts zero args])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])
		]
	)
])
2579
# Search for OpenSSL
# The flags in effect before any OpenSSL specific additions are saved first.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
dnl --with-ssl-dir=PATH prepends the OpenSSL library and include directories
dnl to LDFLAGS and CPPFLAGS.  The library directory is PATH/lib, else
dnl PATH/lib64, else PATH itself; the include directory is PATH/include,
dnl else PATH.  When rpath_opt is set the library directory is also recorded
dnl as a run-time search path, so PATH should be a location that only
dnl trusted users can write to.
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			# Relative paths are anchored at the current directory.
			case "$withval" in
				./*|../*)	withval="`pwd`/$withval"
			esac

			# Library search path, plus run-time path when rpath_opt is set.
			if test -d "$withval/lib"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
				fi
			elif test -d "$withval/lib64"; then
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
				fi
			else
				if test -n "${rpath_opt}"; then
					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${LDFLAGS}"
				fi
			fi

			# Header search path.
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)
2621
dnl --without-openssl-header-check sets openssl_check_nonfatal, which turns
dnl a header/library version mismatch found later from an error into a
dnl warning.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		if test "x$withval" = "xno" ; then
			openssl_check_nonfatal=1
		fi
	]
)

dnl --with-ssl-engine requests ENGINE support; it is refused when OpenSSL
dnl itself has been disabled.
openssl_engine=no
AC_ARG_WITH([ssl-engine],
	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$openssl" = "xno" ; then
				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
			fi
			openssl_engine=yes
		fi
	]
)
2643
2644if test "x$openssl" = "xyes" ; then
2645	LIBS="-lcrypto $LIBS"
2646	AC_TRY_LINK_FUNC([RAND_add], ,
2647	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2648	AC_CHECK_HEADER([openssl/opensslv.h], ,
2649	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2650
2651	# Determine OpenSSL header version
2652	AC_MSG_CHECKING([OpenSSL header version])
2653	AC_RUN_IFELSE(
2654		[AC_LANG_PROGRAM([[
2655	#include <stdlib.h>
2656	#include <stdio.h>
2657	#include <string.h>
2658	#include <openssl/opensslv.h>
2659	#define DATA "conftest.sslincver"
2660		]], [[
2661		FILE *fd;
2662		int rc;
2663
2664		fd = fopen(DATA,"w");
2665		if(fd == NULL)
2666			exit(1);
2667
2668		if ((rc = fprintf(fd, "%08lx (%s)\n",
2669		    (unsigned long)OPENSSL_VERSION_NUMBER,
2670		     OPENSSL_VERSION_TEXT)) < 0)
2671			exit(1);
2672
2673		exit(0);
2674		]])],
2675		[
2676			ssl_header_ver=`cat conftest.sslincver`
2677			AC_MSG_RESULT([$ssl_header_ver])
2678		],
2679		[
2680			AC_MSG_RESULT([not found])
2681			AC_MSG_ERROR([OpenSSL version header not found.])
2682		],
2683		[
2684			AC_MSG_WARN([cross compiling: not checking])
2685		]
2686	)
2687
2688	# Determining OpenSSL library version is version dependent.
2689	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2690
2691	# Determine OpenSSL library version
2692	AC_MSG_CHECKING([OpenSSL library version])
2693	AC_RUN_IFELSE(
2694		[AC_LANG_PROGRAM([[
2695	#include <stdio.h>
2696	#include <stdlib.h>
2697	#include <string.h>
2698	#include <openssl/opensslv.h>
2699	#include <openssl/crypto.h>
2700	#define DATA "conftest.ssllibver"
2701		]], [[
2702		FILE *fd;
2703		int rc;
2704
2705		fd = fopen(DATA,"w");
2706		if(fd == NULL)
2707			exit(1);
2708#ifndef OPENSSL_VERSION
2709# define OPENSSL_VERSION SSLEAY_VERSION
2710#endif
2711#ifndef HAVE_OPENSSL_VERSION
2712# define OpenSSL_version	SSLeay_version
2713#endif
2714#ifndef HAVE_OPENSSL_VERSION_NUM
2715# define OpenSSL_version_num	SSLeay
2716#endif
2717		if ((rc = fprintf(fd, "%08lx (%s)\n",
2718		    (unsigned long)OpenSSL_version_num(),
2719		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2720			exit(1);
2721
2722		exit(0);
2723		]])],
2724		[
2725			ssl_library_ver=`cat conftest.ssllibver`
2726			# Check version is supported.
2727			case "$ssl_library_ver" in
2728			10000*|0*)
2729				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2730		                ;;
2731			100*)   ;; # 1.0.x
2732			101000[[0123456]]*)
2733				# https://github.com/openssl/openssl/pull/4613
2734				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2735				;;
2736			101*)   ;; # 1.1.x
2737			200*)   ;; # LibreSSL
2738			300*)   ;; # OpenSSL development branch.
2739		        *)
2740				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2741		                ;;
2742			esac
2743			AC_MSG_RESULT([$ssl_library_ver])
2744		],
2745		[
2746			AC_MSG_RESULT([not found])
2747			AC_MSG_ERROR([OpenSSL library not found.])
2748		],
2749		[
2750			AC_MSG_WARN([cross compiling: not checking])
2751		]
2752	)
2753
2754	# Sanity check OpenSSL headers
2755	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2756	AC_RUN_IFELSE(
2757		[AC_LANG_PROGRAM([[
2758	#include <stdlib.h>
2759	#include <string.h>
2760	#include <openssl/opensslv.h>
2761	#include <openssl/crypto.h>
2762		]], [[
2763#ifndef HAVE_OPENSSL_VERSION_NUM
2764# define OpenSSL_version_num	SSLeay
2765#endif
2766		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2767		]])],
2768		[
2769			AC_MSG_RESULT([yes])
2770		],
2771		[
2772			AC_MSG_RESULT([no])
2773			if test "x$openssl_check_nonfatal" = "x"; then
2774				AC_MSG_ERROR([Your OpenSSL headers do not match your
2775	library. Check config.log for details.
2776	If you are sure your installation is consistent, you can disable the check
2777	by running "./configure --without-openssl-header-check".
2778	Also see contrib/findssl.sh for help identifying header/library mismatches.
2779	])
2780			else
2781				AC_MSG_WARN([Your OpenSSL headers do not match your
2782	library. Check config.log for details.
2783	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2784			fi
2785		],
2786		[
2787			AC_MSG_WARN([cross compiling: not checking])
2788		]
2789	)
2790
2791	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2792	AC_LINK_IFELSE(
2793		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2794		[[ ERR_load_crypto_strings(); ]])],
2795		[
2796			AC_MSG_RESULT([yes])
2797		],
2798		[
2799			AC_MSG_RESULT([no])
2800			saved_LIBS="$LIBS"
2801			LIBS="$LIBS -ldl"
2802			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2803			AC_LINK_IFELSE(
2804				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2805				[[ ERR_load_crypto_strings(); ]])],
2806				[
2807					AC_MSG_RESULT([yes])
2808				],
2809				[
2810					AC_MSG_RESULT([no])
2811					LIBS="$saved_LIBS"
2812				]
2813			)
2814		]
2815	)
2816
2817	AC_CHECK_FUNCS([ \
2818		BN_is_prime_ex \
2819		DSA_generate_parameters_ex \
2820		EVP_CIPHER_CTX_ctrl \
2821		EVP_DigestFinal_ex \
2822		EVP_DigestInit_ex \
2823		EVP_MD_CTX_cleanup \
2824		EVP_MD_CTX_copy_ex \
2825		EVP_MD_CTX_init \
2826		HMAC_CTX_init \
2827		RSA_generate_key_ex \
2828		RSA_get_default_method \
2829	])
2830
2831	# OpenSSL_add_all_algorithms may be a macro.
2832	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2833	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2834	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2835		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2836		[[#include <openssl/evp.h>]]
2837	    )
2838	)
2839
2840	# LibreSSL/OpenSSL 1.1x API
2841	AC_CHECK_FUNCS([ \
2842		OPENSSL_init_crypto \
2843		DH_get0_key \
2844		DH_get0_pqg \
2845		DH_set0_key \
2846		DH_set_length \
2847		DH_set0_pqg \
2848		DSA_get0_key \
2849		DSA_get0_pqg \
2850		DSA_set0_key \
2851		DSA_set0_pqg \
2852		DSA_SIG_get0 \
2853		DSA_SIG_set0 \
2854		ECDSA_SIG_get0 \
2855		ECDSA_SIG_set0 \
2856		EVP_CIPHER_CTX_iv \
2857		EVP_CIPHER_CTX_iv_noconst \
2858		EVP_CIPHER_CTX_get_iv \
2859		EVP_CIPHER_CTX_set_iv \
2860		RSA_get0_crt_params \
2861		RSA_get0_factors \
2862		RSA_get0_key \
2863		RSA_set0_crt_params \
2864		RSA_set0_factors \
2865		RSA_set0_key \
2866		RSA_meth_free \
2867		RSA_meth_dup \
2868		RSA_meth_set1_name \
2869		RSA_meth_get_finish \
2870		RSA_meth_set_priv_enc \
2871		RSA_meth_set_priv_dec \
2872		RSA_meth_set_finish \
2873		EVP_PKEY_get0_RSA \
2874		EVP_MD_CTX_new \
2875		EVP_MD_CTX_free \
2876		EVP_chacha20 \
2877	])
2878
2879	if test "x$openssl_engine" = "xyes" ; then
2880		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2881		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2882	#include <openssl/engine.h>
2883			]], [[
2884				ENGINE_load_builtin_engines();
2885				ENGINE_register_all_complete();
2886			]])],
2887			[ AC_MSG_RESULT([yes])
2888			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2889			     [Enable OpenSSL engine support])
2890			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2891		])
2892	fi
2893
2894	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2895	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2896	AC_LINK_IFELSE(
2897		[AC_LANG_PROGRAM([[
2898	#include <stdlib.h>
2899	#include <string.h>
2900	#include <openssl/evp.h>
2901		]], [[
2902		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2903		]])],
2904		[
2905			AC_MSG_RESULT([no])
2906		],
2907		[
2908			AC_MSG_RESULT([yes])
2909			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2910			    [libcrypto is missing AES 192 and 256 bit functions])
2911		]
2912	)
2913
2914	# Check for OpenSSL with EVP_aes_*ctr
2915	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2916	AC_LINK_IFELSE(
2917		[AC_LANG_PROGRAM([[
2918	#include <stdlib.h>
2919	#include <string.h>
2920	#include <openssl/evp.h>
2921		]], [[
2922		exit(EVP_aes_128_ctr() == NULL ||
2923		    EVP_aes_192_cbc() == NULL ||
2924		    EVP_aes_256_cbc() == NULL);
2925		]])],
2926		[
2927			AC_MSG_RESULT([yes])
2928			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2929			    [libcrypto has EVP AES CTR])
2930		],
2931		[
2932			AC_MSG_RESULT([no])
2933		]
2934	)
2935
2936	# Check for OpenSSL with EVP_aes_*gcm
2937	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2938	AC_LINK_IFELSE(
2939		[AC_LANG_PROGRAM([[
2940	#include <stdlib.h>
2941	#include <string.h>
2942	#include <openssl/evp.h>
2943		]], [[
2944		exit(EVP_aes_128_gcm() == NULL ||
2945		    EVP_aes_256_gcm() == NULL ||
2946		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2947		    EVP_CTRL_GCM_IV_GEN == 0 ||
2948		    EVP_CTRL_GCM_SET_TAG == 0 ||
2949		    EVP_CTRL_GCM_GET_TAG == 0 ||
2950		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2951		]])],
2952		[
2953			AC_MSG_RESULT([yes])
2954			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2955			    [libcrypto has EVP AES GCM])
2956		],
2957		[
2958			AC_MSG_RESULT([no])
2959			unsupported_algorithms="$unsupported_cipers \
2960			   aes128-gcm@openssh.com \
2961			   aes256-gcm@openssh.com"
2962		]
2963	)
2964
2965	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2966	AC_LINK_IFELSE(
2967		[AC_LANG_PROGRAM([[
2968	#include <stdlib.h>
2969	#include <string.h>
2970	#include <openssl/evp.h>
2971		]], [[
2972		if(EVP_DigestUpdate(NULL, NULL,0))
2973			exit(0);
2974		]])],
2975		[
2976			AC_MSG_RESULT([yes])
2977		],
2978		[
2979			AC_MSG_RESULT([no])
2980			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2981			    [Define if EVP_DigestUpdate returns void])
2982		]
2983	)
2984
2985	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2986	# because the system crypt() is more featureful.
2987	if test "x$check_for_libcrypt_before" = "x1"; then
2988		AC_CHECK_LIB([crypt], [crypt])
2989	fi
2990
2991	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2992	# version in OpenSSL.
2993	if test "x$check_for_libcrypt_later" = "x1"; then
2994		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2995	fi
2996	AC_CHECK_FUNCS([crypt DES_crypt])
2997
2998	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
2999	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3000
3001	# Check complete ECC support in OpenSSL
3002	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3003	AC_LINK_IFELSE(
3004		[AC_LANG_PROGRAM([[
3005	#include <openssl/ec.h>
3006	#include <openssl/ecdh.h>
3007	#include <openssl/ecdsa.h>
3008	#include <openssl/evp.h>
3009	#include <openssl/objects.h>
3010	#include <openssl/opensslv.h>
3011		]], [[
3012		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3013		const EVP_MD *m = EVP_sha256(); /* We need this too */
3014		]])],
3015		[ AC_MSG_RESULT([yes])
3016		  enable_nistp256=1 ],
3017		[ AC_MSG_RESULT([no]) ]
3018	)
3019
3020	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3021	AC_LINK_IFELSE(
3022		[AC_LANG_PROGRAM([[
3023	#include <openssl/ec.h>
3024	#include <openssl/ecdh.h>
3025	#include <openssl/ecdsa.h>
3026	#include <openssl/evp.h>
3027	#include <openssl/objects.h>
3028	#include <openssl/opensslv.h>
3029		]], [[
3030		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3031		const EVP_MD *m = EVP_sha384(); /* We need this too */
3032		]])],
3033		[ AC_MSG_RESULT([yes])
3034		  enable_nistp384=1 ],
3035		[ AC_MSG_RESULT([no]) ]
3036	)
3037
3038	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3039	AC_LINK_IFELSE(
3040		[AC_LANG_PROGRAM([[
3041	#include <openssl/ec.h>
3042	#include <openssl/ecdh.h>
3043	#include <openssl/ecdsa.h>
3044	#include <openssl/evp.h>
3045	#include <openssl/objects.h>
3046	#include <openssl/opensslv.h>
3047		]], [[
3048		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3049		const EVP_MD *m = EVP_sha512(); /* We need this too */
3050		]])],
3051		[ AC_MSG_RESULT([yes])
3052		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3053		  AC_RUN_IFELSE(
3054			[AC_LANG_PROGRAM([[
3055	#include <stdlib.h>
3056	#include <openssl/ec.h>
3057	#include <openssl/ecdh.h>
3058	#include <openssl/ecdsa.h>
3059	#include <openssl/evp.h>
3060	#include <openssl/objects.h>
3061	#include <openssl/opensslv.h>
3062			]],[[
3063			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3064			const EVP_MD *m = EVP_sha512(); /* We need this too */
3065			exit(e == NULL || m == NULL);
3066			]])],
3067			[ AC_MSG_RESULT([yes])
3068			  enable_nistp521=1 ],
3069			[ AC_MSG_RESULT([no]) ],
3070			[ AC_MSG_WARN([cross-compiling: assuming yes])
3071			  enable_nistp521=1 ]
3072		  )],
3073		AC_MSG_RESULT([no])
3074	)
3075
3076	COMMENT_OUT_ECC="#no ecc#"
3077	TEST_SSH_ECC=no
3078
3079	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3080	    test x$enable_nistp521 = x1; then
3081		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3082		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3083		openssl_ecc=yes
3084	else
3085		openssl_ecc=no
3086	fi
3087	if test x$enable_nistp256 = x1; then
3088		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3089		    [libcrypto has NID_X9_62_prime256v1])
3090		TEST_SSH_ECC=yes
3091		COMMENT_OUT_ECC=""
3092	else
3093		unsupported_algorithms="$unsupported_algorithms \
3094			ecdsa-sha2-nistp256 \
3095			ecdh-sha2-nistp256 \
3096			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3097	fi
3098	if test x$enable_nistp384 = x1; then
3099		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3100		TEST_SSH_ECC=yes
3101		COMMENT_OUT_ECC=""
3102	else
3103		unsupported_algorithms="$unsupported_algorithms \
3104			ecdsa-sha2-nistp384 \
3105			ecdh-sha2-nistp384 \
3106			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3107	fi
3108	if test x$enable_nistp521 = x1; then
3109		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3110		TEST_SSH_ECC=yes
3111		COMMENT_OUT_ECC=""
3112	else
3113		unsupported_algorithms="$unsupported_algorithms \
3114			ecdh-sha2-nistp521 \
3115			ecdsa-sha2-nistp521 \
3116			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3117	fi
3118
3119	AC_SUBST([TEST_SSH_ECC])
3120	AC_SUBST([COMMENT_OUT_ECC])
3121else
3122	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3123	AC_CHECK_FUNCS([crypt])
3124fi
3125
3126# PKCS11/U2F depend on OpenSSL and dlopen().
3127enable_pkcs11=yes
3128enable_sk=yes
3129if test "x$openssl" != "xyes" ; then
3130	enable_pkcs11="disabled; missing libcrypto"
3131	enable_sk="disabled; missing libcrypto"
3132fi
3133if test "x$openssl_ecc" != "xyes" ; then
3134	enable_sk="disabled; OpenSSL has no ECC support"
3135fi
3136if test "x$ac_cv_func_dlopen" != "xyes" ; then
3137	enable_pkcs11="disabled; missing dlopen(3)"
3138	enable_sk="disabled; missing dlopen(3)"
3139fi
3140if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3141	enable_pkcs11="disabled; missing RTLD_NOW"
3142	enable_sk="disabled; missing RTLD_NOW"
3143fi
3144if test ! -z "$disable_pkcs11" ; then
3145	enable_pkcs11="disabled by user"
3146fi
3147if test ! -z "$disable_sk" ; then
3148	enable_sk="disabled by user"
3149fi
3150
# Report the PKCS#11 decision.  The result line prints either "yes" or the
# reason stored in enable_pkcs11.
AC_MSG_CHECKING([whether to enable PKCS11])
AS_IF([test "x$enable_pkcs11" = "xyes"], [
	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
])
AC_MSG_RESULT([$enable_pkcs11])
3156
# Report the U2F/FIDO decision.  SK_DUMMY_LIBRARY is substituted with the
# sk-dummy path only when support is enabled, otherwise with an empty string.
AC_MSG_CHECKING([whether to enable U2F])
AS_IF([test "x$enable_sk" = "xyes"], [
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
], [
	# Do not try to build sk-dummy library.
	AC_SUBST(SK_DUMMY_LIBRARY, [""])
])
AC_MSG_RESULT([$enable_sk])
3166
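# Now check for built-in security key support.
# When it was requested, libfido2 has to be usable: a missing library or
# header aborts configure instead of building without built-in support.
# Link flags come from pkg-config when it knows libfido2, otherwise the
# fallback "-lfido2 -lcbor" is used.
if test "x$enable_sk" = "xyes" && test "x$enable_sk_internal" = "xyes" ; then
	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
	use_pkgconfig_for_libfido2=
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		# --exists answers through the exit status only.
		if "$PKGCONFIG" --exists libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
		else
			AC_MSG_RESULT([no])
		fi
	fi
	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
		# Quote the tool path the same way as in the test above; the
		# cflags go through a variable to avoid nesting double quotes
		# inside a command substitution.
		LIBFIDO2=`"$PKGCONFIG" --libs libfido2`
		fido2_cflags=`"$PKGCONFIG" --cflags libfido2`
		CPPFLAGS="$CPPFLAGS $fido2_cflags"
	else
		LIBFIDO2="-lfido2 -lcbor"
	fi
	# Everything except -lfido2 is passed as extra libraries to the link test.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	AC_CHECK_LIB([fido2], [fido_init],
		[
			AC_SUBST([LIBFIDO2])
			AC_DEFINE([ENABLE_SK_INTERNAL], [],
			    [Enable for built-in U2F/FIDO support])
			enable_sk="built-in"
		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
		[ $OTHERLIBS ]
	)
	# Optional libfido2 functions are probed with the library temporarily
	# added to LIBS.
	saved_LIBS="$LIBS"
	LIBS="$LIBS $LIBFIDO2"
	AC_CHECK_FUNCS([ \
		fido_cred_prot \
		fido_cred_set_prot \
		fido_dev_get_touch_begin \
		fido_dev_get_touch_status \
		fido_dev_supports_cred_prot \
	])
	LIBS="$saved_LIBS"
	AC_CHECK_HEADER([fido.h], [],
		[AC_MSG_ERROR([missing fido.h from libfido2])])
	AC_CHECK_HEADER([fido/credman.h], [],
		[AC_MSG_ERROR([missing fido/credman.h from libfido2])],
		[#include <fido.h>]
	)
fi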
3213
# Probe for the arc4random family of functions.
AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_stir arc4random_uniform])
3220
# libiaf is appended to SSHDLIBS only when the library also provides
# set_id().  LIBS is saved before the probe and restored afterwards.
saved_LIBS="$LIBS"
AC_CHECK_LIB([iaf], [ia_openinfo], [
	LIBS="$LIBS -liaf"
	AC_CHECK_FUNCS([set_id], [
		SSHDLIBS="$SSHDLIBS -liaf"
		AC_DEFINE([HAVE_LIBIAF], [1],
		    [Define if system has libiaf that supports set_id])
	])
])
LIBS="$saved_LIBS"
3230
### Configure cryptographic random number support

# Check whether OpenSSL seeds itself.  The test program exits 0 only when
# RAND_status() returns 1.  A cross-compiled build cannot run it and assumes
# yes.
AS_IF([test "x$openssl" = "xyes"], [
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			AC_MSG_RESULT([yes])
			OPENSSL_SEEDS_ITSELF=yes
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
])
3259
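# PRNGD TCP socket
# The value is written to config.h as a bare C integer, so it has to consist
# of decimal digits only.  Anything else is rejected, including an empty
# value and a leading zero, which C would read as an octal constant.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|0*|*[[!0-9]]*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			;;
		esac
		if test -n "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)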
3281
# PRNGD Unix domain socket
# An explicit path must be absolute and cannot be combined with
# --with-prngd-port.  Without the option, a fixed list of locations is probed,
# but only when OpenSSL was not found to seed itself.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)	withval="/var/run/egd-pool" ;;
		no)	withval="" ;;
		/*)	;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test -n "$withval" ; then
			test -z "$PRNGD_PORT" || \
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			# An unreadable socket only produces a warning.
			test -r "$withval" || \
				AC_MSG_WARN([Entropy socket is not readable])
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				# Accept the first readable entry that is a socket or a FIFO.
				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break;
				fi
			done
			if test -z "$PRNGD_SOCKET" ; then
				AC_MSG_RESULT([not found])
			else
				AC_MSG_RESULT([$PRNGD_SOCKET])
			fi
		fi
	]
)
3332
# Which randomness source do we use?
# Precedence: PRNGD TCP port, then PRNGD socket, then OpenSSL's own seeding.
# With none of these, a build without OpenSSL only warns about relying on
# /dev/urandom, and any other build is refused.
AS_IF([test -n "$PRNGD_PORT"], [
	RAND_MSG="PRNGd port $PRNGD_PORT"
], [test -n "$PRNGD_SOCKET"], [
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
], [test -n "$OPENSSL_SEEDS_ITSELF"], [
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
	RAND_MSG="OpenSSL internal ONLY"
], [test "x$openssl" = "xno"], [
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
], [
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
])
3347
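# Check for PAM libs
# PAM stays off unless --with-pam is given.  When it is requested, missing
# headers or a missing libpam abort configure.  The library probes run with
# LIBS saved and restored, and the needed libraries are appended to SSHDLIBS.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist])
			AC_CHECK_FUNCS([pam_putenv])
			LIBS="$saved_LIBS"

			PAM_MSG="yes"

			SSHDLIBS="$SSHDLIBS -lpam"
			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])

			# Quoted and x-prefixed like the other tests in this
			# file, so an empty value cannot break the comparison.
			if test "x$ac_cv_lib_dl_dlopen" = "xyes" ; then
				case "$LIBS" in
				*-ldl*)
					# libdl already in LIBS
					;;
				*)
					SSHDLIBS="$SSHDLIBS -ldl"
					;;
				esac
			fi
		fi
	]
)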
3385
# The PAM service name is only overridden by an explicit value; a bare "yes"
# or "no" leaves SSHD_PAM_SERVICE undefined here.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		case "x$withval" in
		xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
			;;
		esac
	]
)
3396
# Check for older PAM
# The probe compiles a two-argument pam_strerror() call.  If that fails to
# compile, the library is treated as the old one-argument variant.
AS_IF([test "x$PAM_MSG" = "xyes"], [
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])],
		[AC_MSG_RESULT([no])],
		[
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"
		])
])
3419
# Default unprivileged account for privilege separation: the token
# CYGWIN_SSH_PRIVSEP_USER on Cygwin hosts, the user "sshd" elsewhere.
case "$host" in
*-*-cygwin*)	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER ;;
*)		SSH_PRIVSEP_USER=sshd ;;
esac
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		# An empty value, "yes" and "no" all keep the default.
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			SSH_PRIVSEP_USER=$withval
			;;
		esac
	]
)
# The Cygwin token is emitted bare; any other name becomes a C string literal.
AS_IF([test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER"], [
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
], [
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
])
AC_SUBST([SSH_PRIVSEP_USER])
3445
# SECCOMP_MODE_FILTER is only looked for when have_linux_no_new_privs is 1
# (that variable is set outside this section).
AS_IF([test "x$have_linux_no_new_privs" = "x1"], [
	AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
	])
])
# The probe below is compiled and linked but never run, so "yes" shows that
# the build environment provides the interface, not that the running kernel
# accepts a filter.
AS_IF([test "x$have_seccomp_filter" = "x1"], [
	AC_MSG_CHECKING([kernel for seccomp_filter support])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
	[ AC_MSG_RESULT([yes]) ], [
		AC_MSG_RESULT([no])
		# Disable seccomp filter as a target
		have_seccomp_filter=0
	])
])
3473
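# Decide which sandbox style to use
# A bare --with-sandbox (value "yes") means auto-detect, the same as not
# giving the option at all.  Any other value is kept in sandbox_arg.  The help
# text lists "solaris" as well, since the selection code in this file accepts
# it.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, solaris, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)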
3486
# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
# The probe opens /dev/null, drops RLIMIT_FSIZE and RLIMIT_NOFILE to zero and
# then calls select() on that descriptor; a -1 return means "no".
AC_MSG_CHECKING([if select works with descriptor rlimit])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int fd, r;
	fd_set fds;
	struct timeval tv;

	fd = open("/dev/null", O_RDONLY);
	FD_ZERO(&fds);
	FD_SET(fd, &fds);
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &rl_zero);
	setrlimit(RLIMIT_NOFILE, &rl_zero);
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	r = select(fd+1, &fds, NULL, NULL, &tv);
	exit (r == -1 ? 1 : 0);
	]])],
	[
		select_works_with_rlimit=yes
		AC_MSG_RESULT([yes])
	],
	[
		select_works_with_rlimit=no
		AC_MSG_RESULT([no])
	],
	[
		# The probe cannot be run when cross compiling.
		select_works_with_rlimit=yes
		AC_MSG_WARN([cross compiling: assuming yes])
	]
)
3528
# Check that RLIMIT_NOFILE can be set to zero for both the soft and the hard
# limit; the probe exits non-zero when setrlimit() returns -1.
AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int r;

	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
	exit (r == -1 ? 1 : 0);
	]])],
	[
		rlimit_nofile_zero_works=yes
		AC_MSG_RESULT([yes])
	],
	[
		rlimit_nofile_zero_works=no
		AC_MSG_RESULT([no])
	],
	[
		# The probe cannot be run when cross compiling.
		rlimit_nofile_zero_works=yes
		AC_MSG_WARN([cross compiling: assuming yes])
	]
)
3554
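# SANDBOX_SKIP_RLIMIT_FSIZE is defined when setting RLIMIT_FSIZE to zero
# fails; its config.h description now says so.  A cross-compiled build assumes
# the limit works and leaves the macro undefined.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)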
3573
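# Pick the privilege separation sandbox.  An explicit --with-sandbox=style is
# either honoured or rejected with an error when its prerequisites are
# missing.  Without one, the first style in this chain whose prerequisites
# were detected is used, and "none" is the final fallback.
# NOTE(review): an explicit "rlimit" request is not checked against
# rlimit_nofile_zero_works, and an explicit "solaris" request is not checked
# against SOLARIS_PRIVS - confirm both are intended.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	if test "x$ac_cv_func_sandbox_init" != "xyes" || \
	   test "x$ac_cv_header_sandbox_h" != "xyes" ; then
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	fi
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# An empty sandbox_arg here means auto-detection found nothing, so
	# make the unsandboxed build visible in the configure output.
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([no supported privilege separation sandbox was detected; building without one])
	fi
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi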
3644
# Cheap hack to ensure NEWS-OS libraries are arranged right.
# Appends -liberty to LIBS whenever SONY is non-empty.
AS_IF([test -n "$SONY"], [LIBS="$LIBS -liberty"])
3649
# Check for long long datatypes
AC_CHECK_TYPES([long long, unsigned long long, long double])

# Check datatype sizes
AC_CHECK_SIZEOF([short int])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])

# Sanity check long long for some platforms (AIX): a reported size of 4 is
# replaced by 0 in the cached result.
AS_IF([test "x$ac_cv_sizeof_long_long_int" = "x4"], [
	ac_cv_sizeof_long_long_int=0
])
3663
# compute LLONG_MIN and LLONG_MAX if we don't know them.
# The test program writes "<min> <max> " to conftest.llminmax, and the two
# fields are then read back with awk and defined with an LL suffix.  The
# check is skipped when have_llong_max or have_long_long_max is already set,
# and it cannot run when cross compiling.
if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
	AC_MSG_CHECKING([for max value of long long])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
/* Why is this so damn hard? */
/* NOTE(review): __GNUC__ is undefined and __USE_ISOC99 defined before
 * limits.h, presumably so the header exposes LLONG_MIN and LLONG_MAX. */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))

/*
 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
 * we do this the hard way.
 *
 * Writes n in decimal followed by one space; returns -1 if fprintf fails.
 * n must not be 0: the digit loop would store nothing and the print loop
 * would then index below the start of l.  main rejects zero limits before
 * calling this function.
 */
static int
fprint_ll(FILE *f, long long n)
{
	unsigned int i;
	int l[sizeof(long long) * 8];

	if (n < 0)
		if (fprintf(f, "-") < 0)
			return -1;
	/* collect the digits, least significant first */
	for (i = 0; n != 0; i++) {
		l[i] = my_abs(n % 10);
		n /= 10;
	}
	/* print them back in reverse order */
	do {
		if (fprintf(f, "%d", l[--i]) < 0)
			return -1;
	} while (i != 0);
	if (fprintf(f, " ") < 0)
		return -1;
	return 0;
}
		]], [[
	FILE *f;
	long long i, llmin, llmax = 0;

	if((f = fopen(DATA,"w")) == NULL)
		exit(1);

#if defined(LLONG_MIN) && defined(LLONG_MAX)
	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
	llmin = LLONG_MIN;
	llmax = LLONG_MAX;
#else
	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
	/* This will work on one's complement and two's complement */
	for (i = 1; i > llmax; i <<= 1, i++)
		llmax = i;
	llmin = llmax + 1LL;	/* wrap */
#endif

	/* Sanity check */
	/* Any implausible pair ends the probe with exit status 2. */
	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
		fprintf(f, "unknown unknown\n");
		exit(2);
	}

	if (fprint_ll(f, llmin) < 0)
		exit(3);
	if (fprint_ll(f, llmax) < 0)
		exit(4);
	if (fclose(f) < 0)
		exit(5);
	exit(0);
		]])],
		[
			# First field is the minimum, second the maximum.
			llong_min=`$AWK '{print $1}' conftest.llminmax`
			llong_max=`$AWK '{print $2}' conftest.llminmax`

			AC_MSG_RESULT([$llong_max])
			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
			    [max value of long long calculated by configure])
			AC_MSG_CHECKING([for min value of long long])
			AC_MSG_RESULT([$llong_min])
			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
			    [min value of long long calculated by configure])
		],
		[
			AC_MSG_RESULT([not found])
		],
		[
			AC_MSG_WARN([cross compiling: not checking])
		]
	)
fi
3760
# Look for a UINT32_MAX declaration in whichever limits/stdint headers exist.
AC_CHECK_DECLS([UINT32_MAX], [], [], [[
#ifdef HAVE_SYS_LIMITS_H
# include <sys/limits.h>
#endif
#ifdef HAVE_LIMITS_H
# include <limits.h>
#endif
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
]])

# More checks for data types
# u_int from sys/types.h; have_u_int records a positive result.
AC_CACHE_CHECK([for u_int type], [ac_cv_have_u_int], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_int a; a = 1;]])],
		[ac_cv_have_u_int="yes"],
		[ac_cv_have_u_int="no"])
])
AS_IF([test "x$ac_cv_have_u_int" = "xyes"], [
	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
	have_u_int=1
])
3784
# int8_t/int16_t/int32_t: first from sys/types.h, then from stdint.h when the
# first probe did not set have_intxx_t and the header exists.
AC_CACHE_CHECK([for intXX_t types], [ac_cv_have_intxx_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[ac_cv_have_intxx_t="yes"],
		[ac_cv_have_intxx_t="no"])
])
AS_IF([test "x$ac_cv_have_intxx_t" = "xyes"], [
	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
	have_intxx_t=1
])

if test -z "$have_intxx_t" && test "x$ac_cv_header_stdint_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t types in stdint.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdint.h> ]],
		    [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi
3808
# int64_t, searched in sys/types.h, stdint.h, sys/socket.h and sys/bitypes.h
# (the optional headers only when configure found them).
AC_CACHE_CHECK([for int64_t type], [ac_cv_have_int64_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <sys/socket.h>
#ifdef HAVE_SYS_BITYPES_H
# include <sys/bitypes.h>
#endif
		]], [[
int64_t a; a = 1;
		]])],
		[ac_cv_have_int64_t="yes"],
		[ac_cv_have_int64_t="no"])
])
AS_IF([test "x$ac_cv_have_int64_t" = "xyes"], [
	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
])
3828
# u_int8_t/u_int16_t/u_int32_t: first from sys/types.h, then from
# sys/socket.h when the first probe did not set have_u_intxx_t.
AC_CACHE_CHECK([for u_intXX_t types], [ac_cv_have_u_intxx_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[ac_cv_have_u_intxx_t="yes"],
		[ac_cv_have_u_intxx_t="no"])
])
AS_IF([test "x$ac_cv_have_u_intxx_t" = "xyes"], [
	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
	have_u_intxx_t=1
])

AS_IF([test -z "$have_u_intxx_t"], [
	AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
		    [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
])
3850
# u_int64_t: first from sys/types.h, then from sys/bitypes.h when the first
# probe did not set have_u_int64_t and the header exists.
AC_CACHE_CHECK([for u_int64_t types], [ac_cv_have_u_int64_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_int64_t a; a = 1;]])],
		[ac_cv_have_u_int64_t="yes"],
		[ac_cv_have_u_int64_t="no"])
])
AS_IF([test "x$ac_cv_have_u_int64_t" = "xyes"], [
	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
	have_u_int64_t=1
])

if test -z "$have_u_int64_t" && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
		    [[ u_int64_t a; a = 1]])],
		[
			AC_DEFINE([HAVE_U_INT64_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi
3874
# uint8_t/uint16_t/uint32_t: sys/types.h is tried only when u_intXX_t was not
# found; stdint.h and inttypes.h are tried when those headers exist.
# NOTE(review): have_uintxx_t is not assigned anywhere in this part of the
# file, so both fallbacks appear to run whenever their header is present -
# confirm whether it is set elsewhere.
AS_IF([test -z "$have_u_intxx_t"], [
	AC_CACHE_CHECK([for uintXX_t types], [ac_cv_have_uintxx_t], [
		AC_COMPILE_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
			]], [[
	uint8_t a;
	uint16_t b;
	uint32_t c;
	a = b = c = 1;
			]])],
			[ac_cv_have_uintxx_t="yes"],
			[ac_cv_have_uintxx_t="no"])
	])
	AS_IF([test "x$ac_cv_have_uintxx_t" = "xyes"], [
		AC_DEFINE([HAVE_UINTXX_T], [1],
			[define if you have uintxx_t data type])
	])
])

if test -z "$have_uintxx_t" && test "x$ac_cv_header_stdint_h" = "xyes" ; then
	AC_MSG_CHECKING([for uintXX_t types in stdint.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdint.h> ]],
		    [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi

if test -z "$have_uintxx_t" && test "x$ac_cv_header_inttypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
		    [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi
3919
# Last fallback for the sized integer types: sys/bitypes.h.  The condition
# groups as (u_intXX_t missing OR intXX_t missing) AND header present.
if { test -z "$have_u_intxx_t" || test -z "$have_intxx_t" ; } && \
   test "x$ac_cv_header_sys_bitypes_h" = "xyes" ; then
	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
			int8_t a; int16_t b; int32_t c;
			u_int8_t e; u_int16_t f; u_int32_t g;
			a = b = c = e = f = g = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		],
		[AC_MSG_RESULT([no])])
fi
3938
3939
# u_char from sys/types.h.
AC_CACHE_CHECK([for u_char], [ac_cv_have_u_char], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ u_char foo; foo = 125; ]])],
		[ac_cv_have_u_char="yes"],
		[ac_cv_have_u_char="no"])
])
AS_IF([test "x$ac_cv_have_u_char" = "xyes"], [
	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
])
3949
# Widest integer types.
AC_CHECK_TYPES([intmax_t, uintmax_t], [], [], [[
#include <sys/types.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
]])

# socklen_t is handled by a macro defined outside this file section.
TYPE_SOCKLEN_T

AC_CHECK_TYPES([sig_atomic_t], [], [], [[#include <signal.h>]])

# Filesystem block and file counters.
AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], [], [], [[
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
]])

# Optional members of struct statfs.
AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_BITYPES_H
#include <sys/bitypes.h>
#endif
#ifdef HAVE_SYS_STATFS_H
#include <sys/statfs.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
#ifdef HAVE_SYS_VFS_H
#include <sys/vfs.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
]])


# IPv4 address and port types.
AC_CHECK_TYPES([in_addr_t, in_port_t], [], [], [[
#include <sys/types.h>
#include <netinet/in.h>
]])
3997
# Basic POSIX types.  Each probe compiles a declaration plus an assignment
# and defines the matching HAVE_* macro on success.
AC_CACHE_CHECK([for size_t], [ac_cv_have_size_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ size_t foo; foo = 1235; ]])],
		[ac_cv_have_size_t="yes"],
		[ac_cv_have_size_t="no"])
])
AS_IF([test "x$ac_cv_have_size_t" = "xyes"], [
	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
])

AC_CACHE_CHECK([for ssize_t], [ac_cv_have_ssize_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ ssize_t foo; foo = 1235; ]])],
		[ac_cv_have_ssize_t="yes"],
		[ac_cv_have_ssize_t="no"])
])
AS_IF([test "x$ac_cv_have_ssize_t" = "xyes"], [
	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
])

AC_CACHE_CHECK([for clock_t], [ac_cv_have_clock_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <time.h> ]],
		    [[ clock_t foo; foo = 1235; ]])],
		[ac_cv_have_clock_t="yes"],
		[ac_cv_have_clock_t="no"])
])
AS_IF([test "x$ac_cv_have_clock_t" = "xyes"], [
	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
])

# sa_family_t is retried with netinet/in.h added when the first attempt
# does not compile.
AC_CACHE_CHECK([for sa_family_t], [ac_cv_have_sa_family_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ sa_family_t foo; foo = 1235; ]])],
		[ac_cv_have_sa_family_t="yes"],
		[
			AC_COMPILE_IFELSE(
				[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
				]], [[ sa_family_t foo; foo = 1235; ]])],
				[ac_cv_have_sa_family_t="yes"],
				[ac_cv_have_sa_family_t="no"])
		])
])
AS_IF([test "x$ac_cv_have_sa_family_t" = "xyes"], [
	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
		[define if you have sa_family_t data type])
])

AC_CACHE_CHECK([for pid_t], [ac_cv_have_pid_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ pid_t foo; foo = 1235; ]])],
		[ac_cv_have_pid_t="yes"],
		[ac_cv_have_pid_t="no"])
])
AS_IF([test "x$ac_cv_have_pid_t" = "xyes"], [
	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
])

AC_CACHE_CHECK([for mode_t], [ac_cv_have_mode_t], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
		    [[ mode_t foo; foo = 1235; ]])],
		[ac_cv_have_mode_t="yes"],
		[ac_cv_have_mode_t="no"])
])
AS_IF([test "x$ac_cv_have_mode_t" = "xyes"], [
	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
])
4068
4069
# Socket address structures.  Each probe declares the structure (and, where
# the original did, touches one member) and defines HAVE_STRUCT_* on success.
AC_CACHE_CHECK([for struct sockaddr_storage], [ac_cv_have_struct_sockaddr_storage], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; ]])],
		[ac_cv_have_struct_sockaddr_storage="yes"],
		[ac_cv_have_struct_sockaddr_storage="no"])
])
AS_IF([test "x$ac_cv_have_struct_sockaddr_storage" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
		[define if you have struct sockaddr_storage data type])
])

AC_CACHE_CHECK([for struct sockaddr_in6], [ac_cv_have_struct_sockaddr_in6], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
		[ac_cv_have_struct_sockaddr_in6="yes"],
		[ac_cv_have_struct_sockaddr_in6="no"])
])
AS_IF([test "x$ac_cv_have_struct_sockaddr_in6" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
		[define if you have struct sockaddr_in6 data type])
])

AC_CACHE_CHECK([for struct in6_addr], [ac_cv_have_struct_in6_addr], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
		[ac_cv_have_struct_in6_addr="yes"],
		[ac_cv_have_struct_in6_addr="no"])
])
AS_IF([test "x$ac_cv_have_struct_in6_addr" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
		[define if you have struct in6_addr data type])

	# Now check for sin6_scope_id
	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], [], [], [[
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <netinet/in.h>
	]])
])

AC_CACHE_CHECK([for struct addrinfo], [ac_cv_have_struct_addrinfo], [
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
		[ac_cv_have_struct_addrinfo="yes"],
		[ac_cv_have_struct_addrinfo="no"])
])
AS_IF([test "x$ac_cv_have_struct_addrinfo" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
		[define if you have struct addrinfo data type])
])
4135
4136AC_HEADER_TIME
4137
dnl Compile-probe <sys/time.h> for struct timeval.  On success the C macro
dnl HAVE_STRUCT_TIMEVAL is defined and the shell flag have_struct_timeval
dnl is set to 1.
AC_CACHE_CHECK([for struct timeval], [ac_cv_have_struct_timeval],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
			[[ struct timeval tv; tv.tv_sec = 1;]])],
		[ac_cv_have_struct_timeval="yes"],
		[ac_cv_have_struct_timeval="no"])])
AS_IF([test "x$ac_cv_have_struct_timeval" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
	have_struct_timeval=1
])
4149
dnl Compile-probe for struct timespec.  The prologue selects <sys/time.h>
dnl and/or <time.h> according to TIME_WITH_SYS_TIME and HAVE_SYS_TIME_H.
dnl On success HAVE_STRUCT_TIMESPEC is defined and the shell flag
dnl have_struct_timespec is set to 1.
AC_CACHE_CHECK([for struct timespec], [ac_cv_have_struct_timespec],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
    #ifdef TIME_WITH_SYS_TIME
    # include <sys/time.h>
    # include <time.h>
    #else
    # ifdef HAVE_SYS_TIME_H
    #  include <sys/time.h>
    # else
    #  include <time.h>
    # endif
    #endif
		]],
		[[ struct timespec ts; ts.tv_sec = 1;]])],
		[ac_cv_have_struct_timespec="yes"],
		[ac_cv_have_struct_timespec="no"])])
AS_IF([test "x$ac_cv_have_struct_timespec" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
	have_struct_timespec=1
])
4172
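# We need int64_t or else certain parts of the compile will fail.
# Configuration stops here when neither int64_t, an 8-byte long int nor
# long long is available.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl test snprintf (broken on SCO w/gcc)
dnl The probe formats the largest signed 64-bit value and compares the text.
dnl main is declared as "int main(void)": this file insists on a C99
dnl compiler, and a compiler that rejects implicit int would fail to build
dnl the probe, which would set BROKEN_SNPRINTF for the wrong reason.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
	int mazsize = 50 ;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, mazsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
	)
fi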
4212
dnl Checks for structure members
dnl Each call names one record field, the header to look in (utmp.h or
dnl utmpx.h) and the preprocessor symbol tied to the result.
dnl OSSH_CHECK_HEADER_FOR_FIELD is a project macro defined outside this
dnl excerpt; its exact matching rules are not visible here.
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4232
dnl Member probes for struct stat (st_blksize, st_mtim, st_mtime) using the
dnl default includes, and for the optional struct passwd fields pw_gecos,
dnl pw_class, pw_change and pw_expire using <sys/types.h> and <pwd.h>.
AC_CHECK_MEMBERS([struct stat.st_blksize])
AC_CHECK_MEMBERS([struct stat.st_mtim])
AC_CHECK_MEMBERS([struct stat.st_mtime])
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
struct passwd.pw_change, struct passwd.pw_expire],
[], [], [[
#include <sys/types.h>
#include <pwd.h>
]])
4242
dnl Probe resolv.h for the retrans member of struct __res_state.  When the
dnl member is not found, __res_state is defined as the token "state", so
dnl later uses of "struct __res_state" read as "struct state".
AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
	[Define if we don't have struct __res_state in resolv.h])],
[[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
]])
4254
dnl Compile-probe struct sockaddr_storage for a member named ss_family;
dnl cached in ac_cv_have_ss_family_in_struct_ss.
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
	[ac_cv_have_ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
		[ac_cv_have_ss_family_in_struct_ss="yes"],
		[ac_cv_have_ss_family_in_struct_ss="no"])])
AS_IF([test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes"],
	[AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])])
4267
dnl Compile-probe struct sockaddr_storage for the alternative member name
dnl __ss_family; cached in ac_cv_have___ss_family_in_struct_ss.
AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
	[ac_cv_have___ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
		[ac_cv_have___ss_family_in_struct_ss="yes"],
		[ac_cv_have___ss_family_in_struct_ss="no"])])
AS_IF([test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes"],
	[AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
		[Fields in struct sockaddr_storage])])
4282
dnl Compile-probe struct msghdr for a real msg_accrights member.  The probe
dnl hits #error when msg_accrights is a preprocessor macro, so a macro alias
dnl is reported as "no".  The result selects access-rights style file
dnl descriptor passing (see the description string below).
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
	[ac_cv_have_accrights_in_msghdr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ac_cv_have_accrights_in_msghdr="yes"],
		[ac_cv_have_accrights_in_msghdr="no"])])
AS_IF([test "x$ac_cv_have_accrights_in_msghdr" = "xyes"],
	[AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])])
4309
dnl Determine how struct statvfs exposes f_fsid.  The first probe assigns 0
dnl to f_fsid, which compiles only when the member accepts an integer.
dnl When that fails, two follow-up probes look for a val[] or __val[]
dnl member in fsid_t and define FSID_HAS_VAL / FSID_HAS___VAL accordingly.
dnl These results are printed but not cached.
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[ AC_MSG_RESULT([no])

	AC_MSG_CHECKING([if fsid_t has member val])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
	]], [[ fsid_t t; t.val[0] = 0; ]])],
	[ AC_MSG_RESULT([yes])
	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
	[ AC_MSG_RESULT([no]) ])

	AC_MSG_CHECKING([if f_fsid has member __val])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
	]], [[ fsid_t t; t.__val[0] = 0; ]])],
	[ AC_MSG_RESULT([yes])
	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
	[ AC_MSG_RESULT([no]) ])
])
4345
dnl Compile-probe struct msghdr for a real msg_control member.  The probe
dnl hits #error when msg_control is a preprocessor macro, so a macro alias
dnl is reported as "no".  The result selects ancillary-data style file
dnl descriptor passing (see the description string below).
AC_CACHE_CHECK([for msg_control field in struct msghdr],
	[ac_cv_have_control_in_msghdr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ac_cv_have_control_in_msghdr="yes"],
		[ac_cv_have_control_in_msghdr="no"])])
AS_IF([test "x$ac_cv_have_control_in_msghdr" = "xyes"],
	[AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])])
4371
dnl Link-probe: declare __progname as an extern char pointer and print it;
dnl the link succeeds only when the symbol is provided at link time.
AC_CACHE_CHECK([if libc defines __progname], [ac_cv_libc_defines___progname],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ extern char *__progname; printf("%s", __progname); ]])],
		[ac_cv_libc_defines___progname="yes"],
		[ac_cv_libc_defines___progname="no"])])
AS_IF([test "x$ac_cv_libc_defines___progname" = "xyes"],
	[AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])])
4382
dnl Link-probe: does the compiler accept __FUNCTION__ as a string argument
dnl to printf?  Cached in ac_cv_cc_implements___FUNCTION__.
AC_CACHE_CHECK([whether $CC implements __FUNCTION__],
	[ac_cv_cc_implements___FUNCTION__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __FUNCTION__); ]])],
		[ac_cv_cc_implements___FUNCTION__="yes"],
		[ac_cv_cc_implements___FUNCTION__="no"])])
AS_IF([test "x$ac_cv_cc_implements___FUNCTION__" = "xyes"],
	[AC_DEFINE([HAVE___FUNCTION__], [1],
		[Define if compiler implements __FUNCTION__])])
4394
dnl Link-probe: does the compiler accept __func__ as a string argument to
dnl printf?  Cached in ac_cv_cc_implements___func__.
AC_CACHE_CHECK([whether $CC implements __func__],
	[ac_cv_cc_implements___func__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __func__); ]])],
		[ac_cv_cc_implements___func__="yes"],
		[ac_cv_cc_implements___func__="no"])])
AS_IF([test "x$ac_cv_cc_implements___func__" = "xyes"],
	[AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])])
4405
dnl Link-probe for va_copy from <stdarg.h>, applied to two file-scope
dnl va_list objects; cached in ac_cv_have_va_copy.
AC_CACHE_CHECK([whether va_copy exists], [ac_cv_have_va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ va_copy(x,y); ]])],
		[ac_cv_have_va_copy="yes"],
		[ac_cv_have_va_copy="no"])])
AS_IF([test "x$ac_cv_have_va_copy" = "xyes"],
	[AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])])
4418
dnl Link-probe for the alternative spelling __va_copy, applied to two
dnl file-scope va_list objects; cached in ac_cv_have___va_copy.
AC_CACHE_CHECK([whether __va_copy exists], [ac_cv_have___va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ __va_copy(x,y); ]])],
		[ac_cv_have___va_copy="yes"],
		[ac_cv_have___va_copy="no"])])
AS_IF([test "x$ac_cv_have___va_copy" = "xyes"],
	[AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])])
4430
dnl Link-probe: declare optreset as an extern int and assign to it; the
dnl link succeeds only when the symbol is provided at link time.
AC_CACHE_CHECK([whether getopt has optreset support],
	[ac_cv_have_getopt_optreset],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <getopt.h> ]],
			[[ extern int optreset; optreset = 0; ]])],
		[ac_cv_have_getopt_optreset="yes"],
		[ac_cv_have_getopt_optreset="no"])])
AS_IF([test "x$ac_cv_have_getopt_optreset" = "xyes"],
	[AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
		[Define if your getopt(3) defines and uses optreset])])
4443
dnl Link-probe: declare sys_errlist as an extern array of strings and print
dnl its first entry; cached in ac_cv_libc_defines_sys_errlist.
AC_CACHE_CHECK([if libc defines sys_errlist], [ac_cv_libc_defines_sys_errlist],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
		[ac_cv_libc_defines_sys_errlist="yes"],
		[ac_cv_libc_defines_sys_errlist="no"])])
AS_IF([test "x$ac_cv_libc_defines_sys_errlist" = "xyes"],
	[AC_DEFINE([HAVE_SYS_ERRLIST], [1],
		[Define if your system defines sys_errlist[]])])
4455
4456
dnl Link-probe: declare sys_nerr as an extern int and print it; cached in
dnl ac_cv_libc_defines_sys_nerr.
AC_CACHE_CHECK([if libc defines sys_nerr], [ac_cv_libc_defines_sys_nerr],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
		[ac_cv_libc_defines_sys_nerr="yes"],
		[ac_cv_libc_defines_sys_nerr="no"])])
AS_IF([test "x$ac_cv_libc_defines_sys_nerr" = "xyes"],
	[AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])])
4467
# Check libraries needed by DNS fingerprint support
dnl getrrsetbyname is looked up first (optionally in -lresolv).  When it is
dnl missing, the pieces needed by the bundled replacement are probed
dnl instead: res_query and dn_expand, a link test of res_query with and
dnl without -lresolv (LIBS is restored from saved_LIBS when the second
dnl attempt also fails), the _getshort/_getlong helpers and their
dnl declarations, and the ad member of HEADER in arpa/nameser.h.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
		    AC_MSG_RESULT([yes]),
		   [AC_MSG_RESULT([no])
		    saved_LIBS="$LIBS"
		    LIBS="$LIBS -lresolv"
		    AC_MSG_CHECKING([for res_query in -lresolv])
		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
			[AC_MSG_RESULT([yes])],
			[LIBS="$saved_LIBS"
			 AC_MSG_RESULT([no])])
		    ])
		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], , ,
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
			[#include <arpa/nameser.h>])
	])
4513
dnl Link-probe: declare _res as "extern struct __res_state" and take its
dnl address through a volatile pointer so the reference cannot be dropped;
dnl the link succeeds only when _res exists as a linkable object.
dnl The result is printed but not cached.
AC_MSG_CHECKING([if struct __res_state _res is an extern])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
		]], [[
struct __res_state *volatile p = &_res;  /* force resolution of _res */
return 0;
		]],)],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([HAVE__RES_EXTERN], [1],
		    [Define if you have struct __res_state _res as an extern])
		],
		[ AC_MSG_RESULT([no]) ]
)
4534
# Check whether user wants SELinux support
dnl Off by default (SELINUX_MSG="no").  With --with-selinux the build fails
dnl hard when selinux/selinux.h or setexeccon in -lselinux is missing, so a
dnl requested SELinux build cannot silently fall back to one without it.
dnl LIBS is saved before the library check and afterwards rebuilt as the
dnl saved value plus LIBSELINUX.
dnl NOTE(review): SSHDLIBS is substituted below but not assigned in this
dnl block - confirm where it is set.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[ if test "x$withval" != "xno" ; then
		save_LIBS="$LIBS"
		AC_DEFINE([WITH_SELINUX], [1],
			[Define if you want SELinux support.])
		SELINUX_MSG="yes"
		AC_CHECK_HEADER([selinux/selinux.h], ,
			AC_MSG_ERROR([SELinux support requires selinux.h header]))
		AC_CHECK_LIB([selinux], [setexeccon],
			[ LIBSELINUX="-lselinux"
			  LIBS="$LIBS -lselinux"
			],
			AC_MSG_ERROR([SELinux support requires libselinux library]))
		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
		LIBS="$save_LIBS $LIBSELINUX"
	fi ]
)
AC_SUBST([SSHDLIBS])
4557
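# Check whether user wants Kerberos 5 support
# --with-kerberos5 takes an optional installation root (default /usr/local).
# When a krb5-config helper is found under that root or on PATH it is run at
# configure time and its output is appended to CPPFLAGS; otherwise include
# and library directories are derived from the root and the libraries are
# probed by hand.
# Build-trust note: the helper is executed with the privileges of whoever
# runs configure, and the root's lib directory may be recorded as a run-time
# library search path, so the root should be a location that only trusted
# administrators can write to.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		# The helper path is quoted everywhere: unquoted, an empty value
		# would make "test -x" succeed and a path containing blanks would
		# be split into several words.
		if test -x "$KRB5CONF" ; then
			K5CFLAGS=`"$KRB5CONF" --cflags`
			K5LIBS=`"$KRB5CONF" --libs`
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			if "$KRB5CONF" | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS=`"$KRB5CONF" --cflags gssapi`
				GSSLIBS=`"$KRB5CONF" --libs gssapi`
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No usable helper: fall back to fixed sub-directories of
			# the root and probe the individual libraries.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
					])
				])

			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
				  )
				]
			)

			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		# rpath_opt and blibpath are set elsewhere in this file; when
		# present, the lib directory under the root is appended to them.
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# The function probes need the Kerberos libraries on the link
		# line; LIBS is restored afterwards.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])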
4685
4686# Looking for programs, paths and files
4687
dnl Directory used as the privilege separation chroot (see the option help
dnl text).  Defaults to /var/empty; --with-privsep-path replaces it unless
dnl the supplied value is empty, "yes" or "no".
dnl NOTE(review): a chroot directory of this kind is normally expected to be
dnl root-owned, empty and not writable by group or others - confirm against
dnl the project's privilege separation documentation before packaging.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[AS_IF([test -n "$withval" && test "x$withval" != "xno" &&
		test "x${withval}" != "xyes"],
		[PRIVSEP_PATH=$withval])])
AC_SUBST([PRIVSEP_PATH])
4699
dnl Locate the xauth program.  An explicit --with-xauth=PATH is taken as
dnl given (empty, "yes" and "no" are ignored).  Without the option, PATH
dnl plus four conventional X11 directories are searched, and
dnl /usr/openwin/bin/xauth is preferred whenever it is executable and some
dnl xauth was found.
dnl NOTE(review): the chosen path is compiled in as XAUTH_PATH further down;
dnl it is taken from the search path of whoever runs configure, so building
dnl with a PATH that contains only trusted directories matters here.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			xauth_path=$withval
		fi
	],
	[
		TestPath="$PATH"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4720
dnl STRIP_OPT defaults to -s and is emptied by --disable-strip (see the
dnl option help text: strip(1) is then not called on install).
STRIP_OPT=-s
AC_ARG_ENABLE([strip],
	[  --disable-strip         Disable calling strip(1) on install],
	[AS_IF([test "x$enableval" = "xno"], [STRIP_OPT=])])
AC_SUBST([STRIP_OPT])
4731
dnl Publish the xauth location.  With no xauth found the substitution
dnl XAUTH_PATH is the literal word "undefined" and no C macro is defined;
dnl otherwise the path is both compiled in (XAUTH_PATH macro) and
dnl substituted.
AS_IF([test -z "$xauth_path"], [
	XAUTH_PATH="undefined"
], [
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
	XAUTH_PATH=$xauth_path
])
AC_SUBST([XAUTH_PATH])
4741
dnl # --with-maildir=/path/to/mail gets top priority.
dnl # if maildir is set in the platform case statement above we use that.
dnl # Otherwise we run a program to get the dir from system headers.
dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
dnl # If we find _PATH_MAILDIR we do nothing because that is what
dnl # session.c expects anyway. Otherwise we set to the value found
dnl # stripping any trailing slash. If for some strange reason our program
dnl # does not find what it needs, we default to /var/spool/mail.
dnl # The probe program writes "NAME:value" to conftest.maildir in the
dnl # current directory and exits with status 2 when none of the three
dnl # macros is defined; the shell side splits that line with awk.
dnl # When cross compiling the probe cannot run and only a warning is given.
# Check for mail directory
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
	    test "x${withval}" != xyes; then
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
	    fi
     ],[
	if test "X$maildir" != "X"; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

#if defined (_PATH_MAILDIR)
	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
		exit(1);
#elif defined (MAILDIR)
	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
		exit(1);
#elif defined (_PATH_MAIL)
	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
		exit(1);
#else
	exit (2);
#endif

	exit(0);
		]])],
		[
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    fi
		],
		[
		    if test "X$ac_status" = "X2";then
# our test program didn't find it. Default to /var/spool/mail
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		     else
			AC_MSG_RESULT([*** not found ***])
		     fi
		],
		[
			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir
4824
dnl /dev/ptmx is looked for on the build machine, so the check is switched
dnl off when cross compiling.  It is also skipped when no_dev_ptmx or
dnl disable_ptmx_check=yes was set earlier.
case "x$cross_compiling" in
xyes)
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
	disable_ptmx_check=yes
	;;
esac
if test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes" ; then
	AC_CHECK_FILE(["/dev/ptmx"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
				[Define if you have /dev/ptmx])
			have_dev_ptmx=1
		]
	)
fi
4840
dnl /dev/ptc is looked for on the build machine only when cross_compiling
dnl is set to something other than "yes"; in every other case (including an
dnl empty cross_compiling) the warning branch is taken.
if test -n "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
	AC_CHECK_FILE(["/dev/ptc"],
		[
			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
				[Define if you have /dev/ptc])
			have_dev_ptc=1
		]
	)
else
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
fi
4852
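# Options from here on. Some of these are preset by platform above
# --with-mantype accepts exactly man, cat or doc; anything else aborts.
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		case "$withval" in
		man|cat|doc)
			MANTYPE=$withval
			;;
		*)
			AC_MSG_ERROR([invalid man type: $withval])
			;;
		esac
	]
)
# Without an explicit type, try the formatters on ssh.1 in turn.  Each one
# is tried only when it was actually found: with an empty variable the shell
# would otherwise take the next word on the line as the command to run.
if test -z "$MANTYPE"; then
	if test -n "${MANDOC}" && \
	    ${MANDOC} "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi
AC_SUBST([MANTYPE])
# The doc type shares the "man" sub-directory; the others use their own name.
if test "$MANTYPE" = "doc"; then
	mansubdir=man;
else
	mansubdir=$MANTYPE;
fi
AC_SUBST([mansubdir])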
4885
# Check whether to enable MD5 passwords
dnl Off unless --with-md5-passwords is given with a value other than "no".
dnl NOTE(review): MD5-based password hashing is a legacy scheme; enabling it
dnl is presumably only needed where an existing password database still
dnl carries such hashes - confirm before turning it on in new builds.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[AS_IF([test "x$withval" != "xno"], [
		AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
			[Define if you want to allow MD5 passwords])
		MD5_MSG="yes"
	])])
4898
# Whether to disable shadow password support
dnl --without-shadow defines DISABLE_SHADOW and sets disable_shadow=yes.
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[AS_IF([test "x$withval" = "xno"], [
		AC_DEFINE([DISABLE_SHADOW])
		disable_shadow=yes
	])])

dnl Unless shadow support was switched off, compile-probe struct spwd for
dnl the sp_expire, sp_lstchg and sp_inact members; HAS_SHADOW_EXPIRE is
dnl defined only when all three are assignable.
if test -z "$disable_shadow" ; then
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[sp_expire_available=yes],
		[])

	if test "x$sp_expire_available" != "xyes" ; then
		AC_MSG_RESULT([no])
	else
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
	fi
fi
4928
# Use ip address instead of hostname in $DISPLAY
dnl A non-empty IPADDR_IN_DISPLAY shell variable (set before this point)
dnl forces the feature on; otherwise --with-ipaddr-display decides.
if test -n "$IPADDR_IN_DISPLAY" ; then
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
else
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[AS_IF([test "x$withval" != "xno"], [
			AC_DEFINE([IPADDR_IN_DISPLAY])
			DISPLAY_HACK_MSG="yes"
		])])
fi
4947
# check for /etc/default/login and use it if present.
dnl etc_default_login ends up "yes" or "no": --disable-etc-default-login
dnl turns it off, and without the option it is off when cross compiling
dnl because the file would be looked for on the build machine.
dnl When enabled and /etc/default/login exists, external_path_file records
dnl the file and HAVE_ETC_DEFAULT_LOGIN is defined.  Per the option help
dnl text, this is about taking PATH from that file.
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[ if test "x$enableval" = "xno"; then
		AC_MSG_NOTICE([/etc/default/login handling disabled])
		etc_default_login=no
	  else
		etc_default_login=yes
	  fi ],
	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
	  then
		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
		etc_default_login=no
	  else
		etc_default_login=yes
	  fi ]
)

if test "x$etc_default_login" != "xno"; then
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	if test "x$external_path_file" = "x/etc/default/login"; then
		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])
	fi
fi
4974
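dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both cache variables are quoted and x-prefixed, like the other tests in
dnl this file, so an unset variable yields a clean "false" instead of a
dnl malformed test expression.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi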
4980
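# Whether to mess with the default path
# The result is compiled in as USER_PATH unless /etc/login.conf is in charge.
# With --with-default-path the given value is used as is.  Without it, a
# small probe program prints _PATH_STDPATH (or a built-in fallback) into
# conftest.stdpath, and the install bindir is appended when it is not
# already one of the PATH components, so that scp can be found.
# Packaging note: every directory that ends up in this PATH should be
# writable only by trusted administrators.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		# Expand nested references in bindir until none are left; the
		# extended-regex grep located earlier in this file is used
		# instead of a bare egrep command.
		t_bindir="${bindir}"
		while echo "${t_bindir}" | $EGREP '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole PATH components.  A pattern search would treat
		# bindir as a regular expression and would also accept it as a
		# mere prefix of a longer entry, leaving bindir out of the PATH.
		case ":$user_path:" in
		*":$t_bindir:"*)
			;;
		*)
			user_path=$user_path:$t_bindir
			AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			;;
		esac
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi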
5069
# Set superuser path separately to user path
dnl --with-superuser-path=VALUE compiles VALUE in as SUPERUSER_PATH and
dnl records it in superuser_path; empty, "yes" and "no" are ignored.
dnl NOTE(review): this PATH applies to the super-user, so it should list
dnl only directories that unprivileged users cannot write to.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[AS_IF([test -n "$withval" && test "x$withval" != "xno" &&
		test "x${withval}" != "xyes"], [
		AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
			[Define if you want a different $PATH
			for the superuser])
		superuser_path=$withval
	])])
5083
5084
dnl Decide whether IPv4-mapped IPv6 addresses are detected and treated as
dnl IPv4 (see the description string below).  --with-4in6 decides when
dnl given; otherwise the platform default inet6_default_4in6, set earlier
dnl in this file, is used.  The "checking" line is printed first and each
dnl branch prints the matching result.
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH(4in6,
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[
		if test "x$withval" != "xno" ; then
			AC_MSG_RESULT([yes])
			AC_DEFINE([IPV4_IN_IPV6], [1],
				[Detect IPv4 in IPv6 mapped addresses
				and treat as IPv4])
			IPV4_IN6_HACK_MSG="yes"
		else
			AC_MSG_RESULT([no])
		fi
	], [
		if test "x$inet6_default_4in6" = "xyes"; then
			AC_MSG_RESULT([yes (default)])
			AC_DEFINE([IPV4_IN_IPV6])
			IPV4_IN6_HACK_MSG="yes"
		else
			AC_MSG_RESULT([no (default)])
		fi
	]
)
5109
# Whether to enable BSD auth support
dnl Off unless --with-bsd-auth is given with a value other than "no".
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[AS_IF([test "x$withval" != "xno"], [
		AC_DEFINE([BSD_AUTH], [1],
			[Define if you have BSD auth support])
		BSD_AUTH_MSG=yes
	])])
5122
# Where to place sshd.pid
# Default is /var/run; when that directory does not exist on the build
# machine, fall back to the expanded sysconfdir (with a leading NONE
# replaced by the default prefix).
piddir=/var/run
if test -d "$piddir" ; then
	:
else
	piddir=`eval echo ${sysconfdir}`
	case $piddir in
		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
	esac
fi
5132
5133AC_ARG_WITH([pid-dir],
5134	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5135	[
5136		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5137		    test "x${withval}" != "xyes"; then
5138			piddir=$withval
5139			if test ! -d $piddir ; then
5140			AC_MSG_WARN([** no $piddir directory on this system **])
5141			fi
5142		fi
5143	]
5144)
5145
5146AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5147	[Specify location of ssh.pid])
5148AC_SUBST([piddir])
5149
dnl allow user to disable some login recording features
dnl Each --disable-FEATURE switch below defines the matching DISABLE_*
dnl macro; any other value defines nothing here. --with-lastlog=no also
dnl defines DISABLE_LASTLOG, while any other non-empty value except
dnl "yes" is stored in conf_lastlog_location.
dnl NOTE(review): these switches turn off login accounting records that
dnl are commonly consulted when auditing logins, so disabling them
dnl should be a deliberate choice.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_LASTLOG])
		])
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_UTMP])
		])
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
		])
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_WTMP])
		])
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
		])
	]
)
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_LOGIN])
		])
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
		])
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		AS_IF([test "x$enableval" = "xno"], [
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
		])
	]
)
AC_ARG_WITH([lastlog],
	[  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		AS_IF([test "x$withval" = "xno"], [
			AC_DEFINE([DISABLE_LASTLOG])
		], [test -n "$withval"  &&  test "x${withval}" != "xyes"], [
			conf_lastlog_location=$withval
		])
	]
)
5231
dnl lastlog, [uw]tmpx? detection
dnl  NOTE: set the paths in the platform section to avoid the
dnl   need for command-line parameters
dnl lastlog and [uw]tmp are subject to a file search if all else fails

dnl lastlog detection
dnl  NOTE: the code itself will detect if lastlog is a directory
dnl Two compile probes run in order, LASTLOG_FILE first and _PATH_LASTLOG
dnl second. system_lastlog_path becomes "no" only when both fail.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
			AC_MSG_RESULT([no])
			system_lastlog_path=no
		])
	])

dnl With no location configured and no path from the headers, probe a
dnl fixed list of candidates. The loop does not stop at the first hit, so
dnl the last candidate that exists is the one kept.
if test -z "$conf_lastlog_location"  &&  \
    test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		AC_MSG_WARN([** Cannot find lastlog **])
		dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
	fi
fi

dnl Only a non-empty location is compiled in.
if test -n "$conf_lastlog_location"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5292
dnl utmp detection
dnl Probe the headers for UTMP_FILE. When it is missing and no location
dnl was configured, look for the file in a fixed list of places; the last
dnl existing candidate is kept. If nothing is found, utmp is disabled.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		system_utmp_path=no
	])
if test -z "$conf_utmp_location"  &&  \
    test x"$system_utmp_path" = x"no" ; then
	for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
		if test -f "$f" ; then
			conf_utmp_location=$f
		fi
	done
	if test -z "$conf_utmp_location"; then
		AC_DEFINE([DISABLE_UTMP])
	fi
fi
dnl Only a non-empty location is compiled in.
if test -n "$conf_utmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi
5322
dnl wtmp detection
dnl Probe the headers for WTMP_FILE. When it is missing and no location
dnl was configured, look for the file in a fixed list of places; the last
dnl existing candidate is kept. If nothing is found, wtmp is disabled.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		system_wtmp_path=no
	])
if test -z "$conf_wtmp_location"  &&  \
    test x"$system_wtmp_path" = x"no" ; then
	for f in /usr/adm/wtmp /var/log/wtmp; do
		if test -f "$f" ; then
			conf_wtmp_location=$f
		fi
	done
	if test -z "$conf_wtmp_location"; then
		AC_DEFINE([DISABLE_WTMP])
	fi
fi
dnl Only a non-empty location is compiled in.
if test -n "$conf_wtmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi
5352
dnl wtmpx detection
dnl Probe the headers for WTMPX_FILE. Unlike utmp and wtmp there is no
dnl file search here: a configured location is compiled in, and without
dnl one wtmpx is disabled when the headers give no path.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		AC_MSG_RESULT([no])
		system_wtmpx_path=no
	])
if test -n "$conf_wtmpx_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
elif test x"$system_wtmpx_path" = x"no" ; then
	AC_DEFINE([DISABLE_WTMPX])
fi
5377
5378
dnl When blibpath is set, append it to LDFLAGS behind the blibflags
dnl prefix and ask the builder to review the result in the Makefile.
if test -n "$blibpath" ; then
	LDFLAGS="${LDFLAGS} ${blibflags}${blibpath}"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
5383
dnl If struct lastlog has no ll_line member, lastlog support is disabled
dnl unless SKIP_DISABLE_LASTLOG_DEFINE is "yes".
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
	AS_IF([test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes"], [
		AC_DEFINE([DISABLE_LASTLOG])
	])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])

dnl If struct utmp has no ut_line member, both utmp and wtmp are disabled.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])
5420
dnl werror_flags is appended only at this point: with -Werror in CFLAGS
dnl any earlier, configure tests would be prevented from running.
CFLAGS="${CFLAGS} ${werror_flags}"
5424
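dnl Export settings for the regression tests and the Makefile.
dnl TEST_SSH_IPV6 is "yes" only when getaddrinfo was found and
dnl BROKEN_GETADDRINFO is not declared.
TEST_SSH_IPV6=yes
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
	TEST_SSH_IPV6=no
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
dnl The path is quoted so that a source directory whose name contains
dnl whitespace is still passed to cat as a single argument.
AC_SUBST([DEPEND], [$(cat "$srcdir/.depend")])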
5436
dnl Append the late flag overrides before deriving the non-PIE copies.
CFLAGS="$CFLAGS $CFLAGS_AFTER"
LDFLAGS="$LDFLAGS $LDFLAGS_AFTER"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
dnl Each sed expression has no g flag and matches a leading space, so it
dnl removes only the first " -fPIE" or " -pie" it finds; a flag that
dnl appears a second time, or as the very first word, stays in the copy.
CFLAGS_NOPIE=$(echo "$CFLAGS" | sed 's/ -fPIE//')
LDFLAGS_NOPIE=$(echo "$LDFLAGS" | sed 's/ -pie//')
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])
5445
dnl Register the files generated from their .in templates and write
dnl them out.
AC_EXEEXT
AC_CONFIG_FILES([
	Makefile
	buildpkg.sh
	opensshd.init
	openssh.xml
	openbsd-compat/Makefile
	openbsd-compat/regress/Makefile
	survey.sh
])
AC_OUTPUT
5451
# Print summary of options

# Someone please show me a better way :)
dnl Each installation path is passed through eval twice, presumably to
dnl resolve directory variables that are themselves written in terms of
dnl other variables. The results land in the scratch variables A to J,
dnl which the summary below prints; A is computed but not printed.
A=$(eval echo ${prefix})
A=$(eval echo ${A})
B=$(eval echo ${bindir})
B=$(eval echo ${B})
C=$(eval echo ${sbindir})
C=$(eval echo ${C})
D=$(eval echo ${sysconfdir})
D=$(eval echo ${D})
E=$(eval echo ${libexecdir}/ssh-askpass)
E=$(eval echo ${E})
F=$(eval echo ${mandir}/${mansubdir}X)
F=$(eval echo ${F})
G=$(eval echo ${piddir})
G=$(eval echo ${G})
H=$(eval echo ${PRIVSEP_PATH})
H=$(eval echo ${H})
I=$(eval echo ${user_path})
I=$(eval echo ${I})
J=$(eval echo ${superuser_path})
J=$(eval echo ${J})
5465
dnl Report the installation paths and the feature switches chosen above.
dnl The PATH lines depend on whether /etc/login.conf or another external
dnl path file supplies the user PATH at runtime; the superuser PATH line
dnl appears only when one was configured.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
if test "x$external_path_file" = "x/etc/login.conf" ; then
	echo "   At runtime, sshd will use the path defined in $external_path_file"
	echo "   Make sure the path to scp is present, otherwise scp will not work"
else
	echo "            sshd default user PATH: $I"
	if test -n "$external_path_file"; then
		echo "   (If PATH is set in $external_path_file it will be used instead. If"
		echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
if test -n "$superuser_path" ; then
	echo "          sshd superuser user PATH: $J"
fi
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              MD5 password support: $MD5_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"
5506
dnl Report the toolchain settings that end up in the Makefile. The sshd
dnl library line is printed only when SSHDLIBS is non-empty.
echo ""

echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
if test -n "${SSHDLIBS}"; then
	echo "         +for sshd: ${SSHDLIBS}"
fi

echo ""
5520
dnl Closing notes for the builder. Each one is printed only when the
dnl matching condition was established earlier in configure.

dnl Packaging hint.
if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
fi

dnl Reminder that PAM needs a control file for sshd.
if test "x$PAM_MSG" = "xyes" ; then
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
fi

dnl Printed when NO_PEERCHECK is non-empty. The message itself explains
dnl that ssh-agent cannot verify who connects to it on such a system.
if test -n "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

dnl BSM auditing is flagged as experimental.
if test "$AUDIT_MODULE" = "bsm" ; then
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
fi
5548