xref: /openssh-portable/configure.ac (revision f812a36c)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC([cc gcc])
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25AC_PROG_CC_C99
26
27# XXX relax this after reimplementing logit() etc.
28if test "x$ac_cv_prog_cc_c99" = "xno" ; then
29	AC_MSG_ERROR([*** OpenSSH requires a C99 capable compiler ***])
30fi
31
32# Checks for programs.
33AC_PROG_AWK
34AC_PROG_CPP
35AC_PROG_RANLIB
36AC_PROG_INSTALL
37AC_PROG_EGREP
38AC_PROG_MKDIR_P
39AC_CHECK_TOOLS([AR], [ar])
40AC_PATH_PROG([CAT], [cat])
41AC_PATH_PROG([KILL], [kill])
42AC_PATH_PROG([SED], [sed])
43AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
44AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
45AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
46AC_PATH_PROG([SH], [sh])
47AC_PATH_PROG([GROFF], [groff])
48AC_PATH_PROG([NROFF], [nroff awf])
49AC_PATH_PROG([MANDOC], [mandoc])
50AC_SUBST([TEST_SHELL], [sh])
51
52dnl select manpage formatter to be used to build "cat" format pages.
53if test "x$MANDOC" != "x" ; then
54	MANFMT="$MANDOC"
55elif test "x$NROFF" != "x" ; then
56	MANFMT="$NROFF -mandoc"
57elif test "x$GROFF" != "x" ; then
58	MANFMT="$GROFF -mandoc -Tascii"
59else
60	AC_MSG_WARN([no manpage formatter found])
61	MANFMT="false"
62fi
63AC_SUBST([MANFMT])
64
65dnl for buildpkg.sh
66AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
67	[/usr/sbin${PATH_SEPARATOR}/etc])
68AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
69	[/usr/sbin${PATH_SEPARATOR}/etc])
70AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
71if test -x /sbin/sh; then
72	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
73else
74	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
75fi
76
77# System features
78AC_SYS_LARGEFILE
79
80if test -z "$AR" ; then
81	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
82fi
83
# Locate passwd(1) by searching the PATH of the build environment and, when
# one is found, compile its absolute path in as _PATH_PASSWD_PROG.
# NOTE(review): the recorded path depends on the builder's PATH at configure
# time.  Run configure with a PATH made only of trusted system directories
# and check the value written to config.h before shipping; presumably the
# built programs execute this path (the consumer is not visible in this file).
84AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
85if test ! -z "$PATH_PASSWD_PROG" ; then
86	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
87		[Full path of your "passwd" program])
88fi
89
90dnl Since autoconf doesn't support it very well,  we no longer allow users to
91dnl override LD, however keeping the hook here for now in case there's a
92dnl use case we overlooked and someone needs to re-enable it.  Unless a good
93dnl reason is found we'll be removing this in future.
94LD="$CC"
95AC_SUBST([LD])
96
97AC_C_INLINE
98
99AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
100AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
101AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
102	#include <sys/types.h>
103	#include <sys/param.h>
104	#include <dev/systrace.h>
105])
106AC_CHECK_DECL([RLIMIT_NPROC],
107    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
108	#include <sys/types.h>
109	#include <sys/resource.h>
110])
111AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
112	#include <sys/types.h>
113	#include <linux/prctl.h>
114])
115
116openssl=yes
117AC_ARG_WITH([openssl],
118	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
119	[  if test "x$withval" = "xno" ; then
120		openssl=no
121	   fi
122	]
123)
124AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
125if test "x$openssl" = "xyes" ; then
126	AC_MSG_RESULT([yes])
127	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
128else
129	AC_MSG_RESULT([no])
130fi
131
132use_stack_protector=1
133use_toolchain_hardening=1
134AC_ARG_WITH([stackprotect],
135    [  --without-stackprotect  Don't use compiler's stack protection], [
136    if test "x$withval" = "xno"; then
137	use_stack_protector=0
138    fi ])
139AC_ARG_WITH([hardening],
140    [  --without-hardening     Don't use toolchain hardening flags], [
141    if test "x$withval" = "xno"; then
142	use_toolchain_hardening=0
143    fi ])
144
145# We use -Werror for the tests only so that we catch warnings like "this is
146# on by default" for things like -fPIE.
147AC_MSG_CHECKING([if $CC supports -Werror])
148saved_CFLAGS="$CFLAGS"
149CFLAGS="$CFLAGS -Werror"
150AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
151	[ AC_MSG_RESULT([yes])
152	  WERROR="-Werror"],
153	[ AC_MSG_RESULT([no])
154	  WERROR="" ]
155)
156CFLAGS="$saved_CFLAGS"
157
158if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
159	OSSH_CHECK_CFLAG_COMPILE([-pipe])
160	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
161	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
162	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
163	OSSH_CHECK_CFLAG_COMPILE([-Wall])
164	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
165	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
166	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
167	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
168	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
169	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
170	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
171	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
172	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
173	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
174	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
# Toolchain hardening; skipped when use_toolchain_hardening was cleared by
# --without-hardening.  Every flag goes through an OSSH_CHECK_* probe (macros
# defined outside this file; presumably a flag is kept only when its probe
# succeeds - confirm in m4/).
#   -mretpoline, -z retpolineplt  retpoline thunks for indirect branches and
#                                 PLT entries (Spectre variant 2 mitigation)
#   -D_FORTIFY_SOURCE=2           bounds-checked libc string/memory wrappers
#                                 (glibc applies it only when optimising)
#   -z relro, -z now              GOT made read-only after eager binding
#   -z noexecstack                mark the stack non-executable
#   -ftrapv                       trap on signed integer overflow
# NOTE(review): nothing on these lines raises an error when a probe fails, so
# a build can finish without a given mitigation.  Check the configure output
# or config.log for the flags that were actually accepted.
175    if test "x$use_toolchain_hardening" = "x1"; then
176	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
177	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
178	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
179	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
180	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
181	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
182	# NB. -ftrapv expects certain support functions to be present in
183	# the compiler library (libgcc or similar) to detect integer operations
184	# that can overflow. We must check that the result of enabling it
185	# actually links. The test program compiled/linked includes a number
186	# of integer operations that should exercise this.
187	OSSH_CHECK_CFLAG_LINK([-ftrapv])
188    fi
189	AC_MSG_CHECKING([gcc version])
190	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
191	case $GCC_VER in
192		1.*) no_attrib_nonnull=1 ;;
193		2.8* | 2.9*)
194		     no_attrib_nonnull=1
195		     ;;
196		2.*) no_attrib_nonnull=1 ;;
197		*) ;;
198	esac
199	AC_MSG_RESULT([$GCC_VER])
200
# Add -fno-builtin-memset to CFLAGS when a small program calling memset()
# still links with it; on failure CFLAGS is put back to its saved value.
# NOTE(review): presumably meant to keep the compiler from replacing or
# eliding memset() calls that clear buffers; the reason is not stated here,
# confirm before relying on it.
201	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
202	saved_CFLAGS="$CFLAGS"
203	CFLAGS="$CFLAGS -fno-builtin-memset"
204	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
205			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
206		[ AC_MSG_RESULT([yes]) ],
207		[ AC_MSG_RESULT([no])
208		  CFLAGS="$saved_CFLAGS" ]
209	)
210
# Stack protector selection; skipped when use_stack_protector was cleared by
# --without-stackprotect.  The candidates are tried in the order listed.
# For each one, a small snprintf() program is linked with the flag plus
# -Werror; if that works the flag (without -Werror) is put into CFLAGS and
# LDFLAGS and the same program is run.  A successful run ends the loop with
# the flag kept.  A failed link or run restores both variables and moves on
# to the next candidate.
# NOTE(review): when cross compiling the flag is kept without any run-time
# test, and when every candidate fails the loop ends with no stack protector
# and no error.  Check the configure output for the flag that was selected.
211	# -fstack-protector-all doesn't always work for some GCC versions
212	# and/or platforms, so we test if we can.  If it's not supported
213	# on a given platform gcc will emit a warning so we use -Werror.
214	if test "x$use_stack_protector" = "x1"; then
215	    for t in -fstack-protector-strong -fstack-protector-all \
216		    -fstack-protector; do
217		AC_MSG_CHECKING([if $CC supports $t])
218		saved_CFLAGS="$CFLAGS"
219		saved_LDFLAGS="$LDFLAGS"
220		CFLAGS="$CFLAGS $t -Werror"
221		LDFLAGS="$LDFLAGS $t -Werror"
222		AC_LINK_IFELSE(
223			[AC_LANG_PROGRAM([[
224	#include <stdio.h>
225	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
226			 ]],
227			[[
228	char x[256];
229	snprintf(x, sizeof(x), "XXX%d", func(1));
230			 ]])],
231		    [ AC_MSG_RESULT([yes])
232		      CFLAGS="$saved_CFLAGS $t"
233		      LDFLAGS="$saved_LDFLAGS $t"
234		      AC_MSG_CHECKING([if $t works])
235		      AC_RUN_IFELSE(
236			[AC_LANG_PROGRAM([[
237	#include <stdio.h>
238	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
239			]],
240			[[
241	char x[256];
242	snprintf(x, sizeof(x), "XXX%d", func(1));
243			]])],
244			[ AC_MSG_RESULT([yes])
245			  break ],
246			[ AC_MSG_RESULT([no]) ],
247			[ AC_MSG_WARN([cross compiling: cannot test])
248			  break ]
249		      )
250		    ],
251		    [ AC_MSG_RESULT([no]) ]
252		)
253		CFLAGS="$saved_CFLAGS"
254		LDFLAGS="$saved_LDFLAGS"
255	    done
256	fi
257
258	if test -z "$have_llong_max"; then
259		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
260		unset ac_cv_have_decl_LLONG_MAX
261		saved_CFLAGS="$CFLAGS"
262		CFLAGS="$CFLAGS -std=gnu99"
263		AC_CHECK_DECL([LLONG_MAX],
264		    [have_llong_max=1],
265		    [CFLAGS="$saved_CFLAGS"],
266		    [#include <limits.h>]
267		)
268	fi
269fi
270
271AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
272AC_COMPILE_IFELSE(
273    [AC_LANG_PROGRAM([[
274#include <stdlib.h>
275__attribute__((__unused__)) static void foo(void){return;}]],
276    [[ exit(0); ]])],
277    [ AC_MSG_RESULT([yes]) ],
278    [ AC_MSG_RESULT([no])
279      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
280	 [compiler does not accept __attribute__ on return types]) ]
281)
282
283AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
284AC_COMPILE_IFELSE(
285    [AC_LANG_PROGRAM([[
286#include <stdlib.h>
287typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
288    [[ exit(0); ]])],
289    [ AC_MSG_RESULT([yes]) ],
290    [ AC_MSG_RESULT([no])
291      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
292	 [compiler does not accept __attribute__ on prototype args]) ]
293)
294
295if test "x$no_attrib_nonnull" != "x1" ; then
296	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
297fi
298
299AC_ARG_WITH([rpath],
300	[  --without-rpath         Disable auto-added -R linker paths],
301	[
302		if test "x$withval" = "xno" ; then
303			rpath_opt=""
304		elif test "x$withval" = "xyes" ; then
305			rpath_opt="-R"
306		else
307			rpath_opt="$withval"
308		fi
309	]
310)
311
312# Allow user to specify flags
313AC_ARG_WITH([cflags],
314	[  --with-cflags           Specify additional flags to pass to compiler],
315	[
316		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
317		    test "x${withval}" != "xyes"; then
318			CFLAGS="$CFLAGS $withval"
319		fi
320	]
321)
322
323AC_ARG_WITH([cflags-after],
324	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
325	[
326		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
327		    test "x${withval}" != "xyes"; then
328			CFLAGS_AFTER="$withval"
329		fi
330	]
331)
332AC_ARG_WITH([cppflags],
333	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
334	[
335		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
336		    test "x${withval}" != "xyes"; then
337			CPPFLAGS="$CPPFLAGS $withval"
338		fi
339	]
340)
341AC_ARG_WITH([ldflags],
342	[  --with-ldflags          Specify additional flags to pass to linker],
343	[
344		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
345		    test "x${withval}" != "xyes"; then
346			LDFLAGS="$LDFLAGS $withval"
347		fi
348	]
349)
350AC_ARG_WITH([ldflags-after],
351	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
352	[
353		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
354		    test "x${withval}" != "xyes"; then
355			LDFLAGS_AFTER="$withval"
356		fi
357	]
358)
359AC_ARG_WITH([libs],
360	[  --with-libs             Specify additional libraries to link with],
361	[
362		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
363		    test "x${withval}" != "xyes"; then
364			LIBS="$LIBS $withval"
365		fi
366	]
367)
368AC_ARG_WITH([Werror],
369	[  --with-Werror           Build main code with -Werror],
370	[
371		if test -n "$withval"  &&  test "x$withval" != "xno"; then
372			werror_flags="-Werror"
373			if test "x${withval}" != "xyes"; then
374				werror_flags="$withval"
375			fi
376		fi
377	]
378)
379
380AC_CHECK_HEADERS([ \
381	blf.h \
382	bstring.h \
383	crypt.h \
384	crypto/sha2.h \
385	dirent.h \
386	endian.h \
387	elf.h \
388	err.h \
389	features.h \
390	fcntl.h \
391	floatingpoint.h \
392	fnmatch.h \
393	getopt.h \
394	glob.h \
395	ia.h \
396	iaf.h \
397	ifaddrs.h \
398	inttypes.h \
399	langinfo.h \
400	limits.h \
401	locale.h \
402	login.h \
403	maillock.h \
404	ndir.h \
405	net/if_tun.h \
406	netdb.h \
407	netgroup.h \
408	pam/pam_appl.h \
409	paths.h \
410	poll.h \
411	pty.h \
412	readpassphrase.h \
413	rpc/types.h \
414	security/pam_appl.h \
415	sha2.h \
416	shadow.h \
417	stddef.h \
418	stdint.h \
419	string.h \
420	strings.h \
421	sys/bitypes.h \
422	sys/byteorder.h \
423	sys/bsdtty.h \
424	sys/cdefs.h \
425	sys/dir.h \
426	sys/file.h \
427	sys/mman.h \
428	sys/label.h \
429	sys/ndir.h \
430	sys/poll.h \
431	sys/prctl.h \
432	sys/pstat.h \
433	sys/ptrace.h \
434	sys/random.h \
435	sys/select.h \
436	sys/stat.h \
437	sys/stream.h \
438	sys/stropts.h \
439	sys/strtio.h \
440	sys/statvfs.h \
441	sys/sysmacros.h \
442	sys/time.h \
443	sys/timers.h \
444	sys/vfs.h \
445	time.h \
446	tmpdir.h \
447	ttyent.h \
448	ucred.h \
449	unistd.h \
450	usersec.h \
451	util.h \
452	utime.h \
453	utmp.h \
454	utmpx.h \
455	vis.h \
456	wchar.h \
457])
458
459# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
460# to be included first.
461AC_CHECK_HEADERS([sys/audit.h], [], [], [
462#ifdef HAVE_SYS_TIME_H
463# include <sys/time.h>
464#endif
465#ifdef HAVE_SYS_TYPES_H
466# include <sys/types.h>
467#endif
468#ifdef HAVE_SYS_LABEL_H
469# include <sys/label.h>
470#endif
471])
472
473# sys/capsicum.h requires sys/types.h
474AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
475#ifdef HAVE_SYS_TYPES_H
476# include <sys/types.h>
477#endif
478])
479
480# net/route.h requires sys/socket.h and sys/types.h.
481# sys/sysctl.h also requires sys/param.h
482AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
483#ifdef HAVE_SYS_TYPES_H
484# include <sys/types.h>
485#endif
486#include <sys/param.h>
487#include <sys/socket.h>
488])
489
490# lastlog.h requires sys/time.h to be included first on Solaris
491AC_CHECK_HEADERS([lastlog.h], [], [], [
492#ifdef HAVE_SYS_TIME_H
493# include <sys/time.h>
494#endif
495])
496
497# sys/ptms.h requires sys/stream.h to be included first on Solaris
498AC_CHECK_HEADERS([sys/ptms.h], [], [], [
499#ifdef HAVE_SYS_STREAM_H
500# include <sys/stream.h>
501#endif
502])
503
504# login_cap.h requires sys/types.h on NetBSD
505AC_CHECK_HEADERS([login_cap.h], [], [], [
506#include <sys/types.h>
507])
508
509# older BSDs need sys/param.h before sys/mount.h
510AC_CHECK_HEADERS([sys/mount.h], [], [], [
511#include <sys/param.h>
512])
513
514# Android requires sys/socket.h to be included before sys/un.h
515AC_CHECK_HEADERS([sys/un.h], [], [], [
516#include <sys/types.h>
517#include <sys/socket.h>
518])
519
520# Messages for features tested for in target-specific section
521SIA_MSG="no"
522SPC_MSG="no"
523SP_MSG="no"
524SPP_MSG="no"
525
526# Support for Solaris/Illumos privileges (this test is used by both
527# the --with-solaris-privs option and --with-sandbox=solaris).
528SOLARIS_PRIVS="no"
529
530AC_CHECK_SIZEOF([size_t])
531
532# Check for some target-specific stuff
533case "$host" in
534*-*-aix*)
535	# Some versions of VAC won't allow macro redefinitions at
536	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
537	# particularly with older versions of vac or xlc.
538	# It also throws errors about null macro arguments, but these are
539	# not fatal.
540	AC_MSG_CHECKING([if compiler allows macro redefinitions])
541	AC_COMPILE_IFELSE(
542	    [AC_LANG_PROGRAM([[
543#define testmacro foo
544#define testmacro bar]],
545	    [[ exit(0); ]])],
546	    [ AC_MSG_RESULT([yes]) ],
547	    [ AC_MSG_RESULT([no])
548	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
549	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
550	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
551	    ]
552	)
553
554	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
555	if (test -z "$blibpath"); then
556		blibpath="/usr/lib:/lib"
557	fi
558	saved_LDFLAGS="$LDFLAGS"
559	if test "$GCC" = "yes"; then
560		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
561	else
562		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
563	fi
564	for tryflags in $flags ;do
565		if (test -z "$blibflags"); then
566			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
567			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
568			[blibflags=$tryflags], [])
569		fi
570	done
571	if (test -z "$blibflags"); then
572		AC_MSG_RESULT([not found])
573		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
574	else
575		AC_MSG_RESULT([$blibflags])
576	fi
577	LDFLAGS="$saved_LDFLAGS"
578	dnl Check for authenticate.  Might be in libs.a on older AIXes
579	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
580		[Define if you want to enable AIX4's authenticate function])],
581		[AC_CHECK_LIB([s], [authenticate],
582			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
583				LIBS="$LIBS -ls"
584			])
585		])
586	dnl Check for various auth function declarations in headers.
587	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
588	    passwdexpired, setauthdb], , , [#include <usersec.h>])
589	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
590	AC_CHECK_DECLS([loginfailed],
591	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
592	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
593		[[ (void)loginfailed("user","host","tty",0); ]])],
594		[AC_MSG_RESULT([yes])
595		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
596			[Define if your AIX loginfailed() function
597			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
598	    ])],
599	    [],
600	    [#include <usersec.h>]
601	)
602	AC_CHECK_FUNCS([getgrset setauthdb])
603	AC_CHECK_DECL([F_CLOSEM],
604	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
605	    [],
606	    [ #include <limits.h>
607	      #include <fcntl.h> ]
608	)
609	check_for_aix_broken_getaddrinfo=1
610	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
611	    [Define if your platform breaks doing a seteuid before a setuid])
612	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
613	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
614	dnl AIX handles lastlog as part of its login message
615	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
616	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
617		[Some systems need a utmpx entry for /bin/login to work])
618	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
619		[Define to a Set Process Title type if your system is
620		supported by bsd-setproctitle.c])
621	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
622	    [AIX 5.2 and 5.3 (and presumably newer) require this])
623	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
624	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
625	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
626	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
627	;;
628*-*-android*)
629	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
630	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
631	;;
632*-*-cygwin*)
633	check_for_libcrypt_later=1
634	LIBS="$LIBS /usr/lib/textreadmode.o"
635	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
636	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
637	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
638		[Define to disable UID restoration test])
639	AC_DEFINE([DISABLE_SHADOW], [1],
640		[Define if you want to disable shadow passwords])
641	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
642		[Define if X11 doesn't support AF_UNIX sockets on that system])
643	AC_DEFINE([DISABLE_FD_PASSING], [1],
644		[Define if your platform needs to skip post auth
645		file descriptor passing])
646	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
647	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
648	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
649	# reasons which cause compile warnings, so we disable those warnings.
650	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
651	;;
652*-*-dgux*)
653	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
654		[Define if your system choked on IP TOS setting])
655	AC_DEFINE([SETEUID_BREAKS_SETUID])
656	AC_DEFINE([BROKEN_SETREUID])
657	AC_DEFINE([BROKEN_SETREGID])
658	;;
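*-*-darwin*)
	# Darwin / macOS settings: PIE is auto-detected and several libc,
	# audit and tun(4) behaviours are overridden below.
	use_pie=auto
	# Run-time probe of the System library version; anything older than
	# 60.0 is treated as having a broken getaddrinfo.  The probe program
	# is declared "int main(void)": with an implicit-int main a compiler
	# that rejects pre-C99 declarations fails to build the probe, and the
	# failure would be reported as a buggy getaddrinfo.
	AC_MSG_CHECKING([if we have working getaddrinfo])
	AC_RUN_IFELSE([AC_LANG_SOURCE([[
#include <mach-o/dyld.h>
#include <stdlib.h>
int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
		exit(0);
	else
		exit(1);
}
			]])],
	[AC_MSG_RESULT([working])],
	[AC_MSG_RESULT([buggy])
	AC_DEFINE([BROKEN_GETADDRINFO], [1],
		[getaddrinfo is broken (if present)])
	],
	[AC_MSG_RESULT([assume it is working])])
	AC_DEFINE([SETEUID_BREAKS_SETUID])
	AC_DEFINE([BROKEN_SETREUID])
	AC_DEFINE([BROKEN_SETREGID])
	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
		[Define if your resolver libs need this for getrrsetbyname])
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
	    [Use tunnel device compatibility to OpenBSD])
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	m4_pattern_allow([AU_IPv])
	dnl Declaration check for the IPv4 audit record type.  The header list
	dnl is passed as its own (fourth) argument so that bsm/audit.h is
	dnl really consulted, and the fallback value 0 is defined only when
	dnl that header lacks the symbol.  Previously a missing comma folded
	dnl the header list and the lastlog define into the not-found action.
	AC_CHECK_DECL([AU_IPv4], [],
	    [AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])],
	    [#include <bsm/audit.h>]
	)
	# Defined unconditionally on this platform.
	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
	    [Define if pututxline updates lastlog too])
	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
		[Define to a Set Process Title type if your system is
		supported by bsd-setproctitle.c])
	# Sandbox support: function, header and library are probed
	# separately; -lsandbox is added to the sshd libraries when found.
	AC_CHECK_FUNCS([sandbox_init])
	AC_CHECK_HEADERS([sandbox.h])
	AC_CHECK_LIB([sandbox], [sandbox_apply], [
	    SSHDLIBS="$SSHDLIBS -lsandbox"
	])
	# proc_pidinfo()-based closefrom() replacement.
	AC_CHECK_HEADERS([libproc.h])
	AC_CHECK_FUNCS([proc_pidinfo])
	;;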
707*-*-dragonfly*)
708	SSHDLIBS="$SSHDLIBS -lcrypt"
709	TEST_MALLOC_OPTIONS="AFGJPRX"
710	;;
711*-*-haiku*)
712	LIBS="$LIBS -lbsd "
713	CFLAGS="$CFLAGS -D_BSD_SOURCE"
714	AC_CHECK_LIB([network], [socket])
715	AC_DEFINE([HAVE_U_INT64_T])
716	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
717	MANTYPE=man
718	;;
719*-*-hpux*)
720	# first we define all of the options common to all HP-UX releases
721	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
722	IPADDR_IN_DISPLAY=yes
723	AC_DEFINE([USE_PIPES])
724	AC_DEFINE([LOGIN_NEEDS_UTMPX])
725	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
726		[String used in /etc/passwd to denote locked account])
727	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
728	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
729	maildir="/var/mail"
730	LIBS="$LIBS -lsec"
731	AC_CHECK_LIB([xnet], [t_error], ,
732	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
733
734	# next, we define all of the options specific to major releases
735	case "$host" in
736	*-*-hpux10*)
737		if test -z "$GCC"; then
738			CFLAGS="$CFLAGS -Ae"
739		fi
740		;;
741	*-*-hpux11*)
742		AC_DEFINE([PAM_SUN_CODEBASE], [1],
743			[Define if you are using Solaris-derived PAM which
744			passes pam_messages to the conversation function
745			with an extra level of indirection])
746		AC_DEFINE([DISABLE_UTMP], [1],
747			[Define if you don't want to use utmp])
748		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
749		check_for_hpux_broken_getaddrinfo=1
750		check_for_conflicting_getspnam=1
751		;;
752	esac
753
754	# lastly, we define options specific to minor releases
755	case "$host" in
756	*-*-hpux10.26)
757		AC_DEFINE([HAVE_SECUREWARE], [1],
758			[Define if you have SecureWare-based
759			protected password database])
760		disable_ptmx_check=yes
761		LIBS="$LIBS -lsecpw"
762		;;
763	esac
764	;;
765*-*-irix5*)
766	PATH="$PATH:/usr/etc"
767	AC_DEFINE([BROKEN_INET_NTOA], [1],
768		[Define if you system's inet_ntoa is busted
769		(e.g. Irix gcc issue)])
770	AC_DEFINE([SETEUID_BREAKS_SETUID])
771	AC_DEFINE([BROKEN_SETREUID])
772	AC_DEFINE([BROKEN_SETREGID])
773	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
774		[Define if you shouldn't strip 'tty' from your
775		ttyname in [uw]tmp])
776	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
777	;;
778*-*-irix6*)
779	PATH="$PATH:/usr/etc"
780	AC_DEFINE([WITH_IRIX_ARRAY], [1],
781		[Define if you have/want arrays
782		(cluster-wide session management, not C arrays)])
783	AC_DEFINE([WITH_IRIX_PROJECT], [1],
784		[Define if you want IRIX project management])
785	AC_DEFINE([WITH_IRIX_AUDIT], [1],
786		[Define if you want IRIX audit trails])
787	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
788		[Define if you want IRIX kernel jobs])])
789	AC_DEFINE([BROKEN_INET_NTOA])
790	AC_DEFINE([SETEUID_BREAKS_SETUID])
791	AC_DEFINE([BROKEN_SETREUID])
792	AC_DEFINE([BROKEN_SETREGID])
793	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
794	AC_DEFINE([WITH_ABBREV_NO_TTY])
795	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
796	;;
797*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
798	check_for_libcrypt_later=1
799	AC_DEFINE([PAM_TTY_KLUDGE])
800	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
801	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
802	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
803	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
804	;;
805*-*-linux*)
806	no_dev_ptmx=1
807	use_pie=auto
808	check_for_libcrypt_later=1
809	check_for_openpty_ctty_bug=1
810	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
811	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
812	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
813	AC_DEFINE([PAM_TTY_KLUDGE], [1],
814		[Work around problematic Linux PAM modules handling of PAM_TTY])
815	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
816		[String used in /etc/passwd to denote locked account])
817	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
818	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
819		[Define to whatever link() returns for "not supported"
820		if it doesn't return EOPNOTSUPP.])
821	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
822	AC_DEFINE([USE_BTMP])
823	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
824	inet6_default_4in6=yes
825	case `uname -r` in
826	1.*|2.0.*)
827		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
828			[Define if cmsg_type is not passed correctly])
829		;;
830	esac
831	# tun(4) forwarding compat code
832	AC_CHECK_HEADERS([linux/if_tun.h])
833	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
834		AC_DEFINE([SSH_TUN_LINUX], [1],
835		    [Open tunnel devices the Linux tun/tap way])
836		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
837		    [Use tunnel device compatibility to OpenBSD])
838		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
839		    [Prepend the address family to IP tunnel traffic])
840	fi
841	AC_CHECK_HEADER([linux/if.h],
842	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
843		[Support routing domains using Linux VRF]), [], [
844#ifdef HAVE_SYS_TYPES_H
845# include <sys/types.h>
846#endif
847	    ])
848	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
849	    [], [#include <linux/types.h>])
850	# Obtain MIPS ABI
851	case "$host" in
852	mips*)
853		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
854#if _MIPS_SIM != _ABIO32
855#error
856#endif
857			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
858#if _MIPS_SIM != _ABIN32
859#error
860#endif
861				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
862#if _MIPS_SIM != _ABI64
863#error
864#endif
865					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
866				])
867			])
868		])
869		;;
870	esac
# Map the host triplet to the AUDIT_ARCH_* constant published as
# SECCOMP_AUDIT_ARCH.  Triplets with no entry below, and mips64 hosts whose
# detected ABI is neither n32 nor n64, leave the macro undefined and only
# report "architecture not supported"; configure does not stop.
# NOTE(review): presumably the seccomp sandbox is usable only when this macro
# is defined; confirm which sandbox such hosts end up with.
# NOTE(review): the x86_64 branch labelled X32 selects AUDIT_ARCH_I386 when
# size_t is 4 bytes.  The Linux x32 ABI is normally reported to seccomp as
# AUDIT_ARCH_X86_64, so confirm this value on a real x32 target.
871	AC_MSG_CHECKING([for seccomp architecture])
872	seccomp_audit_arch=
873	case "$host" in
874	x86_64-*)
875		seccomp_audit_arch=AUDIT_ARCH_X86_64
876		# X32: AMD64 instructions in 32bit address space.
877		if test "x$ac_cv_sizeof_size_t" = "x4" ; then
878			seccomp_audit_arch=AUDIT_ARCH_I386
879		fi
880		;;
881	i*86-*)
882		seccomp_audit_arch=AUDIT_ARCH_I386
883		;;
884	arm*-*)
885		seccomp_audit_arch=AUDIT_ARCH_ARM
886		;;
887	aarch64*-*)
888		seccomp_audit_arch=AUDIT_ARCH_AARCH64
889		;;
890	s390x-*)
891		seccomp_audit_arch=AUDIT_ARCH_S390X
892		;;
893	s390-*)
894		seccomp_audit_arch=AUDIT_ARCH_S390
895		;;
896	powerpc64-*)
897		seccomp_audit_arch=AUDIT_ARCH_PPC64
898		;;
899	powerpc64le-*)
900		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
901		;;
902	mips-*)
903		seccomp_audit_arch=AUDIT_ARCH_MIPS
904		;;
905	mipsel-*)
906		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
907		;;
908	mips64-*)
909		case "$mips_abi" in
910		"n32")
911			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
912			;;
913		"n64")
914			seccomp_audit_arch=AUDIT_ARCH_MIPS64
915			;;
916		esac
917		;;
918	mips64el-*)
919		case "$mips_abi" in
920		"n32")
921			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
922			;;
923		"n64")
924			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
925			;;
926		esac
927		;;
928	riscv64-*)
929		seccomp_audit_arch=AUDIT_ARCH_RISCV64
930		;;
931	esac
932	if test "x$seccomp_audit_arch" != "x" ; then
933		AC_MSG_RESULT(["$seccomp_audit_arch"])
934		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
935		    [Specify the system call convention in use])
936	else
937		AC_MSG_RESULT([architecture not supported])
938	fi
939	;;
940mips-sony-bsd|mips-sony-newsos4)
941	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
942	SONY=1
943	;;
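*-*-netbsd*)
	# NetBSD settings: libcrypt is probed before the other libraries,
	# run-path flags default to on, and tun(4) follows the FreeBSD path.
	check_for_libcrypt_before=1
	# Default to -R run-path flags unless the user passed --without-rpath.
	# This reads with_rpath, the variable autoconf sets for that option.
	# The generic withval variable still holds the value of whichever
	# --with-* option was handled last, so testing it could add or drop
	# the run path by accident.  The run path decides where the dynamic
	# linker looks for shared libraries, so the choice should follow the
	# rpath option only.  A custom --with-rpath=FLAG value is still
	# replaced by -R on this platform.
	if test "x$with_rpath" != "xno" ; then
		rpath_opt="-R"
	fi
	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
	# Without net/if_tap.h only layer 3 tunnels are available.
	AC_CHECK_HEADER([net/if_tap.h], ,
	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
	    [Prepend the address family to IP tunnel traffic])
	TEST_MALLOC_OPTIONS="AJRX"
	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
	;;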
959*-*-freebsd*)
960	check_for_libcrypt_later=1
961	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
962	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
963	AC_CHECK_HEADER([net/if_tap.h], ,
964	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
965	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
966	TEST_MALLOC_OPTIONS="AJRX"
967	# Preauth crypto occasionally uses file descriptors for crypto offload
968	# and will crash if they cannot be opened.
969	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
970	    [define if setrlimit RLIMIT_NOFILE breaks things])
971	;;
972*-*-bsdi*)
973	AC_DEFINE([SETEUID_BREAKS_SETUID])
974	AC_DEFINE([BROKEN_SETREUID])
975	AC_DEFINE([BROKEN_SETREGID])
976	;;
977*-next-*)
978	conf_lastlog_location="/usr/adm/lastlog"
979	conf_utmp_location=/etc/utmp
980	conf_wtmp_location=/usr/adm/wtmp
981	maildir=/usr/spool/mail
982	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
983	AC_DEFINE([USE_PIPES])
984	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
985	;;
986*-*-openbsd*)
987	use_pie=auto
988	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
989	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
990	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
991	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
992	    [syslog_r function is safe to use in in a signal handler])
993	TEST_MALLOC_OPTIONS="AFGJPRX"
994	;;
995*-*-solaris*)
996	if test "x$withval" != "xno" ; then
997		rpath_opt="-R"
998	fi
999	AC_DEFINE([PAM_SUN_CODEBASE])
1000	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1001	AC_DEFINE([PAM_TTY_KLUDGE])
1002	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1003		[Define if pam_chauthtok wants real uid set
1004		to the unpriv'ed user])
1005	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1006	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1007	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1008		[Define if sshd somehow reacquires a controlling TTY
1009		after setsid()])
1010	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1011		in case the name is longer than 8 chars])
1012	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1013	external_path_file=/etc/default/login
1014	# hardwire lastlog location (can't detect it on some versions)
1015	conf_lastlog_location="/var/adm/lastlog"
1016	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1017	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1018	if test "$sol2ver" -ge 8; then
1019		AC_MSG_RESULT([yes])
1020		AC_DEFINE([DISABLE_UTMP])
1021		AC_DEFINE([DISABLE_WTMP], [1],
1022			[Define if you don't want to use wtmp])
1023	else
1024		AC_MSG_RESULT([no])
1025	fi
1026	AC_CHECK_FUNCS([setpflags])
1027	AC_CHECK_FUNCS([setppriv])
1028	AC_CHECK_FUNCS([priv_basicset])
1029	AC_CHECK_HEADERS([priv.h])
1030	AC_ARG_WITH([solaris-contracts],
1031		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1032		[
1033		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1034			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1035				[Define if you have Solaris process contracts])
1036			  LIBS="$LIBS -lcontract"
1037			  SPC_MSG="yes" ], )
1038		],
1039	)
1040	AC_ARG_WITH([solaris-projects],
1041		[  --with-solaris-projects Enable Solaris projects (experimental)],
1042		[
1043		AC_CHECK_LIB([project], [setproject],
1044			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1045				[Define if you have Solaris projects])
1046			LIBS="$LIBS -lproject"
1047			SP_MSG="yes" ], )
1048		],
1049	)
1050	AC_ARG_WITH([solaris-privs],
1051		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1052		[
1053		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1054		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1055			"x$ac_cv_header_priv_h" = "xyes" ; then
1056			SOLARIS_PRIVS=yes
1057			AC_MSG_RESULT([found])
1058			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1059				[Define to disable UID restoration test])
1060			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1061				[Define if you have Solaris privileges])
1062			SPP_MSG="yes"
1063		else
1064			AC_MSG_RESULT([not found])
1065			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1066		fi
1067		],
1068	)
1069	TEST_SHELL=$SHELL	# let configure find us a capable shell
1070	;;
1071*-*-sunos4*)
1072	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1073	AC_CHECK_FUNCS([getpwanam])
1074	AC_DEFINE([PAM_SUN_CODEBASE])
1075	conf_utmp_location=/etc/utmp
1076	conf_wtmp_location=/var/adm/wtmp
1077	conf_lastlog_location=/var/adm/lastlog
1078	AC_DEFINE([USE_PIPES])
1079	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1080	;;
1081*-ncr-sysv*)
1082	LIBS="$LIBS -lc89"
1083	AC_DEFINE([USE_PIPES])
1084	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1085	AC_DEFINE([SETEUID_BREAKS_SETUID])
1086	AC_DEFINE([BROKEN_SETREUID])
1087	AC_DEFINE([BROKEN_SETREGID])
1088	;;
1089*-sni-sysv*)
1090	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1091	AC_CHECK_LIB([dl], [dlsym], ,)
1092	# -lresolv needs to be at the end of LIBS or DNS lookups break
1093	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1094	IPADDR_IN_DISPLAY=yes
1095	AC_DEFINE([USE_PIPES])
1096	AC_DEFINE([IP_TOS_IS_BROKEN])
1097	AC_DEFINE([SETEUID_BREAKS_SETUID])
1098	AC_DEFINE([BROKEN_SETREUID])
1099	AC_DEFINE([BROKEN_SETREGID])
1100	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1101	external_path_file=/etc/default/login
1102	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1103	# Attention: always take care to bind libsocket and libnsl before libc,
1104	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1105	;;
1106# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1107*-*-sysv4.2*)
1108	AC_DEFINE([USE_PIPES])
1109	AC_DEFINE([SETEUID_BREAKS_SETUID])
1110	AC_DEFINE([BROKEN_SETREUID])
1111	AC_DEFINE([BROKEN_SETREGID])
1112	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1113	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1114	TEST_SHELL=$SHELL	# let configure find us a capable shell
1115	;;
1116# UnixWare 7.x, OpenUNIX 8
1117*-*-sysv5*)
1118	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1119	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1120	AC_DEFINE([USE_PIPES])
1121	AC_DEFINE([SETEUID_BREAKS_SETUID])
1122	AC_DEFINE([BROKEN_GETADDRINFO])
1123	AC_DEFINE([BROKEN_SETREUID])
1124	AC_DEFINE([BROKEN_SETREGID])
1125	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1126	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1127	TEST_SHELL=$SHELL	# let configure find us a capable shell
1128	check_for_libcrypt_later=1
1129	case "$host" in
1130	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1131		maildir=/var/spool/mail
1132		AC_DEFINE([BROKEN_UPDWTMPX])
1133		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1134			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1135			], , )
1136		;;
1137	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1138		;;
1139	esac
1140	;;
1141*-*-sysv*)
1142	;;
1143# SCO UNIX and OEM versions of SCO UNIX
1144*-*-sco3.2v4*)
1145	AC_MSG_ERROR("This Platform is no longer supported.")
1146	;;
1147# SCO OpenServer 5.x
1148*-*-sco3.2v5*)
1149	if test -z "$GCC"; then
1150		CFLAGS="$CFLAGS -belf"
1151	fi
1152	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1153	no_dev_ptmx=1
1154	AC_DEFINE([USE_PIPES])
1155	AC_DEFINE([HAVE_SECUREWARE])
1156	AC_DEFINE([DISABLE_SHADOW])
1157	AC_DEFINE([DISABLE_FD_PASSING])
1158	AC_DEFINE([SETEUID_BREAKS_SETUID])
1159	AC_DEFINE([BROKEN_GETADDRINFO])
1160	AC_DEFINE([BROKEN_SETREUID])
1161	AC_DEFINE([BROKEN_SETREGID])
1162	AC_DEFINE([WITH_ABBREV_NO_TTY])
1163	AC_DEFINE([BROKEN_UPDWTMPX])
1164	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1165	AC_CHECK_FUNCS([getluid setluid])
1166	MANTYPE=man
1167	TEST_SHELL=$SHELL	# let configure find us a capable shell
1168	SKIP_DISABLE_LASTLOG_DEFINE=yes
1169	;;
1170*-dec-osf*)
1171	AC_MSG_CHECKING([for Digital Unix SIA])
1172	no_osfsia=""
1173	AC_ARG_WITH([osfsia],
1174		[  --with-osfsia           Enable Digital Unix SIA],
1175		[
1176			if test "x$withval" = "xno" ; then
1177				AC_MSG_RESULT([disabled])
1178				no_osfsia=1
1179			fi
1180		],
1181	)
1182	if test -z "$no_osfsia" ; then
1183		if test -f /etc/sia/matrix.conf; then
1184			AC_MSG_RESULT([yes])
1185			AC_DEFINE([HAVE_OSF_SIA], [1],
1186				[Define if you have Digital Unix Security
1187				Integration Architecture])
1188			AC_DEFINE([DISABLE_LOGIN], [1],
1189				[Define if you don't want to use your
1190				system's login() call])
1191			AC_DEFINE([DISABLE_FD_PASSING])
1192			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1193			SIA_MSG="yes"
1194		else
1195			AC_MSG_RESULT([no])
1196			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1197			  [String used in /etc/passwd to denote locked account])
1198		fi
1199	fi
1200	AC_DEFINE([BROKEN_GETADDRINFO])
1201	AC_DEFINE([SETEUID_BREAKS_SETUID])
1202	AC_DEFINE([BROKEN_SETREUID])
1203	AC_DEFINE([BROKEN_SETREGID])
1204	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1205	;;
1206
1207*-*-nto-qnx*)
1208	AC_DEFINE([USE_PIPES])
1209	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1210	AC_DEFINE([DISABLE_LASTLOG])
1211	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1212	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1213	enable_etc_default_login=no	# has incompatible /etc/default/login
1214	case "$host" in
1215	*-*-nto-qnx6*)
1216		AC_DEFINE([DISABLE_FD_PASSING])
1217		;;
1218	esac
1219	;;
1220
1221*-*-ultrix*)
1222	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1223	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1224	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1225	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1226	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1227	# don't get a controlling tty.
1228	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1229	# On Ultrix some headers are not protected against multiple includes,
1230	# so we create wrappers and put it where the compiler will find it.
1231	AC_MSG_WARN([creating compat wrappers for headers])
1232	mkdir -p netinet
1233	for header in netinet/ip.h netdb.h resolv.h; do
1234		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1235		cat >$header <<EOD
1236#ifndef _SSH_COMPAT_${name}
1237#define _SSH_COMPAT_${name}
1238#include "/usr/include/${header}"
1239#endif
1240EOD
1241	done
1242	;;
1243
1244*-*-lynxos)
1245	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1246	AC_DEFINE([BROKEN_SETVBUF], [1],
1247	    [LynxOS has broken setvbuf() implementation])
1248	;;
1249esac
1250
# Toolchain sanity check: build and run a program that only calls exit.
# configure aborts when that program cannot be built or run with the compiler
# and flags selected so far.  When cross compiling the program cannot be run,
# so the check is skipped with a warning.
1251AC_MSG_CHECKING([compiler and flags for sanity])
1252AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
1253	[	AC_MSG_RESULT([yes]) ],
1254	[
1255		AC_MSG_RESULT([no])
1256		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1257	],
1258	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1259)
1260
1261dnl Checks for header files.
1262# Checks for libraries.
1263AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1264
1265dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1266AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1267	AC_CHECK_LIB([gen], [dirname], [
1268		AC_CACHE_CHECK([for broken dirname],
1269			ac_cv_have_broken_dirname, [
1270			save_LIBS="$LIBS"
1271			LIBS="$LIBS -lgen"
1272			AC_RUN_IFELSE(
1273				[AC_LANG_SOURCE([[
1274#include <libgen.h>
1275#include <string.h>
1276#include <stdlib.h>
1277
1278int main(int argc, char **argv) {
1279    char *s, buf[32];
1280
1281    strncpy(buf,"/etc", 32);
1282    s = dirname(buf);
1283    if (!s || strncmp(s, "/", 32) != 0) {
1284	exit(1);
1285    } else {
1286	exit(0);
1287    }
1288}
1289				]])],
1290				[ ac_cv_have_broken_dirname="no" ],
1291				[ ac_cv_have_broken_dirname="yes" ],
1292				[ ac_cv_have_broken_dirname="no" ],
1293			)
1294			LIBS="$save_LIBS"
1295		])
1296		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1297			LIBS="$LIBS -lgen"
1298			AC_DEFINE([HAVE_DIRNAME])
1299			AC_CHECK_HEADERS([libgen.h])
1300		fi
1301	])
1302])
1303
1304AC_CHECK_FUNC([getspnam], ,
1305	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1306AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1307	[Define if you have the basename function.])])
1308
# --with-zlib=PATH: "no" disables zlib, "yes" keeps the default search paths,
# and any other value is treated as an install prefix.  PATH/lib and
# PATH/include are used when those directories exist, otherwise PATH itself.
# The chosen directories are prepended to LDFLAGS and CPPFLAGS, so they are
# searched before the paths already present.  When rpath_opt is set, the same
# library directory is also passed to the linker as a runtime search path.
# NOTE(review): when PATH/lib or PATH/include is absent, PATH is used as given
# without a further existence check.
1309dnl zlib defaults to enabled
1310zlib=yes
1311AC_ARG_WITH([zlib],
1312	[  --with-zlib=PATH        Use zlib in PATH],
1313	[ if test "x$withval" = "xno" ; then
1314		zlib=no
1315	  elif test "x$withval" != "xyes"; then
1316		if test -d "$withval/lib"; then
1317			if test -n "${rpath_opt}"; then
1318				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1319			else
1320				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1321			fi
1322		else
1323			if test -n "${rpath_opt}"; then
1324				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1325			else
1326				LDFLAGS="-L${withval} ${LDFLAGS}"
1327			fi
1328		fi
1329		if test -d "$withval/include"; then
1330			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1331		else
1332			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1333		fi
1334	fi ]
1335)
1336
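# Locate zlib and refuse to build against a release the version probe below
# considers too old, unless --without-zlib-version-check was given.  With that
# option the failure is downgraded to a warning.
AC_MSG_CHECKING([for zlib])
if test "x${zlib}" = "xno"; then
	AC_MSG_RESULT([no])
else
	AC_MSG_RESULT([yes])
	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
	AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
	AC_CHECK_LIB([z], [deflate], ,
	[
		saved_CPPFLAGS="$CPPFLAGS"
		saved_LDFLAGS="$LDFLAGS"
		save_LIBS="$LIBS"
		dnl Check default zlib install dir
		if test -n "${rpath_opt}"; then
			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
		else
			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
		fi
		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
		LIBS="$LIBS -lz"
		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
			[
				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
			]
		)
	]
	)

	AC_ARG_WITH([zlib-version-check],
	[  --without-zlib-version-check Disable zlib version check],
	[  if test "x$withval" = "xno" ; then
		zlib_check_nonfatal=1
	   fi
	]
	)

	AC_MSG_CHECKING([for possibly buggy zlib])
	AC_RUN_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <zlib.h>
	]],
	[[
	int a=0, b=0, c=0, d=0, n, v;
	/*
	 * Components that are absent from ZLIB_VERSION stay 0.  A release
	 * string with only two components, such as "1.3", must therefore be
	 * accepted as 1.3.0.0 rather than rejected as unparseable, which
	 * would report a current zlib as too old.
	 */
	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
	if (n < 1)
		exit(1);
	v = a*1000000 + b*10000 + c*100 + d;
	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);

	/* 1.1.4 is OK */
	if (a == 1 && b == 1 && c >= 4)
		exit(0);

	/* 1.2.3 and up are OK */
	if (v >= 1020300)
		exit(0);

	/* Anything else is reported as possibly buggy. */
	exit(2);
	]])],
	AC_MSG_RESULT([no]),
	[ AC_MSG_RESULT([yes])
	  if test -z "$zlib_check_nonfatal" ; then
		AC_MSG_ERROR([*** zlib too old - check config.log ***
Your reported zlib version has known security problems.  It's possible your
vendor has fixed these problems without changing the version number.  If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
	  else
		AC_MSG_WARN([zlib version may have security problems])
	  fi
	],
	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
	)
fi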
1414
1415dnl UnixWare 2.x
1416AC_CHECK_FUNC([strcasecmp],
1417	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1418)
1419AC_CHECK_FUNCS([utimes],
1420	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1421					LIBS="$LIBS -lc89"]) ]
1422)
1423
1424dnl    Checks for libutil functions
1425AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1426AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1427AC_SEARCH_LIBS([scan_scaled], [util bsd])
1428AC_SEARCH_LIBS([login], [util bsd])
1429AC_SEARCH_LIBS([logout], [util bsd])
1430AC_SEARCH_LIBS([logwtmp], [util bsd])
1431AC_SEARCH_LIBS([openpty], [util bsd])
1432AC_SEARCH_LIBS([updwtmp], [util bsd])
1433AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1434
1435# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1436# or libnsl.
1437AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1438AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1439
1440# "Particular Function Checks"
1441# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1442AC_FUNC_STRFTIME
1443AC_FUNC_MALLOC
1444AC_FUNC_REALLOC
1445# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1446AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1447AC_RUN_IFELSE(
1448	[AC_LANG_PROGRAM(
1449		[[ #include <stdlib.h> ]],
1450		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1451	)],
1452	[ func_calloc_0_nonnull=yes ],
1453	[ func_calloc_0_nonnull=no ],
1454	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1455	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1456)
1457AC_MSG_RESULT([$func_calloc_0_nonnull])
1458
1459if test "x$func_calloc_0_nonnull" = "xyes"; then
1460	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1461else
1462	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1463	AC_DEFINE(calloc, rpl_calloc,
1464	    [Define to rpl_calloc if the replacement function should be used.])
1465fi
1466
1467# Check for ALTDIRFUNC glob() extension
1468AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1469AC_EGREP_CPP([FOUNDIT],
1470	[
1471		#include <glob.h>
1472		#ifdef GLOB_ALTDIRFUNC
1473		FOUNDIT
1474		#endif
1475	],
1476	[
1477		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1478			[Define if your system glob() function has
1479			the GLOB_ALTDIRFUNC extension])
1480		AC_MSG_RESULT([yes])
1481	],
1482	[
1483		AC_MSG_RESULT([no])
1484	]
1485)
1486
1487# Check for g.gl_matchc glob() extension
1488AC_MSG_CHECKING([for gl_matchc field in glob_t])
1489AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1490	[[ glob_t g; g.gl_matchc = 1; ]])],
1491	[
1492		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1493			[Define if your system glob() function has
1494			gl_matchc options in glob_t])
1495		AC_MSG_RESULT([yes])
1496	], [
1497		AC_MSG_RESULT([no])
1498])
1499
1500# Check for g.gl_statv glob() extension
1501AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1502AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1503#ifndef GLOB_KEEPSTAT
1504#error "glob does not support GLOB_KEEPSTAT extension"
1505#endif
1506glob_t g;
1507g.gl_statv = NULL;
1508]])],
1509	[
1510		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1511			[Define if your system glob() function has
1512			gl_statv options in glob_t])
1513		AC_MSG_RESULT([yes])
1514	], [
1515		AC_MSG_RESULT([no])
1516
1517])
1518
1519AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1520
1521AC_CHECK_DECL([VIS_ALL], ,
1522    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1523
1524AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1525AC_RUN_IFELSE(
1526	[AC_LANG_PROGRAM([[
1527#include <sys/types.h>
1528#include <dirent.h>
1529#include <stdlib.h>
1530	]],
1531	[[
1532	struct dirent d;
1533	exit(sizeof(d.d_name)<=sizeof(char));
1534	]])],
1535	[AC_MSG_RESULT([yes])],
1536	[
1537		AC_MSG_RESULT([no])
1538		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1539			[Define if your struct dirent expects you to
1540			allocate extra space for d_name])
1541	],
1542	[
1543		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1544		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1545	]
1546)
1547
# Probe for a per-process fd directory by testing the /proc entry of the shell
# that is running configure.
# NOTE(review): this looks at the machine running configure, so the result may
# not describe the target when cross compiling - confirm for such builds.
1548AC_MSG_CHECKING([for /proc/pid/fd directory])
1549if test -d "/proc/$$/fd" ; then
1550	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1551	AC_MSG_RESULT([yes])
1552else
1553	AC_MSG_RESULT([no])
1554fi
1555
1556# Check whether user wants to use ldns
1557LDNS_MSG="no"
1558AC_ARG_WITH(ldns,
1559	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1560	[
1561	ldns=""
1562	if test "x$withval" = "xyes" ; then
1563		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1564		if test "x$LDNSCONFIG" = "xno"; then
1565			LIBS="-lldns $LIBS"
1566			ldns=yes
1567		else
1568			LIBS="$LIBS `$LDNSCONFIG --libs`"
1569			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1570			ldns=yes
1571		fi
1572	elif test "x$withval" != "xno" ; then
1573			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1574			LDFLAGS="$LDFLAGS -L${withval}/lib"
1575			LIBS="-lldns $LIBS"
1576			ldns=yes
1577	fi
1578
1579	# Verify that it works.
1580	if test "x$ldns" = "xyes" ; then
1581		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1582		LDNS_MSG="yes"
1583		AC_MSG_CHECKING([for ldns support])
1584		AC_LINK_IFELSE(
1585			[AC_LANG_SOURCE([[
1586#include <stdio.h>
1587#include <stdlib.h>
1588#ifdef HAVE_STDINT_H
1589# include <stdint.h>
1590#endif
1591#include <ldns/ldns.h>
1592int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1593			]])
1594		],
1595			[AC_MSG_RESULT(yes)],
1596				[
1597					AC_MSG_RESULT(no)
1598					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1599				])
1600	fi
1601])
1602
1603# Check whether user wants libedit support
1604LIBEDIT_MSG="no"
1605AC_ARG_WITH([libedit],
1606	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1607	[ if test "x$withval" != "xno" ; then
1608		if test "x$withval" = "xyes" ; then
1609			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1610			if test "x$PKGCONFIG" != "xno"; then
1611				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1612				if "$PKGCONFIG" libedit; then
1613					AC_MSG_RESULT([yes])
1614					use_pkgconfig_for_libedit=yes
1615				else
1616					AC_MSG_RESULT([no])
1617				fi
1618			fi
1619		else
1620			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1621			if test -n "${rpath_opt}"; then
1622				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1623			else
1624				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1625			fi
1626		fi
1627		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1628			LIBEDIT=`$PKGCONFIG --libs libedit`
1629			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1630		else
1631			LIBEDIT="-ledit -lcurses"
1632		fi
1633		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1634		AC_CHECK_LIB([edit], [el_init],
1635			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1636			  LIBEDIT_MSG="yes"
1637			  AC_SUBST([LIBEDIT])
1638			],
1639			[ AC_MSG_ERROR([libedit not found]) ],
1640			[ $OTHERLIBS ]
1641		)
1642		AC_MSG_CHECKING([if libedit version is compatible])
1643		AC_COMPILE_IFELSE(
1644		    [AC_LANG_PROGRAM([[
1645#include <histedit.h>
1646#include <stdlib.h>
1647		    ]],
1648		    [[
1649	int i = H_SETSIZE;
1650	el_init("", NULL, NULL, NULL);
1651	exit(0);
1652		    ]])],
1653		    [ AC_MSG_RESULT([yes]) ],
1654		    [ AC_MSG_RESULT([no])
1655		      AC_MSG_ERROR([libedit version is not compatible]) ]
1656		)
1657	fi ]
1658)
1659
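# Select the audit backend.  --with-audit accepts bsm, linux, debug or no;
# any other value aborts configure.  Without the option AUDIT_MODULE stays
# at none.
AUDIT_MODULE=none
AC_ARG_WITH([audit],
	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
	[
	  AC_MSG_CHECKING([for supported audit module])
	  case "$withval" in
	  bsm)
		AC_MSG_RESULT([bsm])
		AUDIT_MODULE=bsm
		dnl    Checks for headers, libs and functions
		AC_CHECK_HEADERS([bsm/audit.h], [],
		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
		    [
#ifdef HAVE_TIME_H
# include <time.h>
#endif
		    ]
)
		AC_CHECK_LIB([bsm], [getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required library not found])])
		AC_CHECK_FUNCS([getaudit], [],
		    [AC_MSG_ERROR([BSM enabled and required function not found])])
		# These are optional
		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is assigned in the Solaris host case and appears to be
		# unset on other hosts.  Test for a value first so the numeric
		# comparison is never run on an empty string.
		if test -n "$sol2ver" && test "$sol2ver" -ge 11; then
			SSHDLIBS="$SSHDLIBS -lscf"
			AC_DEFINE([BROKEN_BSM_API], [1],
				[The system has incomplete BSM API])
		fi
		;;
	  linux)
		AC_MSG_RESULT([linux])
		AUDIT_MODULE=linux
		dnl    Checks for headers, libs and functions
		# Review note: unlike the bsm branch, a missing libaudit.h is not
		# fatal here and -laudit is added without a link check, so a
		# missing library only shows up later when sshd is built.
		AC_CHECK_HEADERS([libaudit.h])
		SSHDLIBS="$SSHDLIBS -laudit"
		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
		;;
	  debug)
		AUDIT_MODULE=debug
		AC_MSG_RESULT([debug])
		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
		;;
	  no)
		AC_MSG_RESULT([no])
		;;
	  *)
		AC_MSG_ERROR([Unknown audit module $withval])
		;;
	esac ]
)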
1712
# Position Independent Executable handling.  use_pie may already be "auto"
# from the host case above.  --with-pie=yes or --with-pie=no overrides it, and
# an unset value means no.  "auto" is dropped to no when toolchain hardening
# is off, or when the compiler does not define __GNUC__ as 4 or higher.
# When PIE is still wanted, -fPIE and -pie are probed and kept only as a pair:
# if either flag is absent afterwards, CFLAGS and LDFLAGS are restored to the
# values saved before the probes.
1713AC_ARG_WITH([pie],
1714    [  --with-pie              Build Position Independent Executables if possible], [
1715	if test "x$withval" = "xno"; then
1716		use_pie=no
1717	fi
1718	if test "x$withval" = "xyes"; then
1719		use_pie=yes
1720	fi
1721    ]
1722)
1723if test "x$use_pie" = "x"; then
1724	use_pie=no
1725fi
1726if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1727	# Turn off automatic PIE when toolchain hardening is off.
1728	use_pie=no
1729fi
1730if test "x$use_pie" = "xauto"; then
1731	# Automatic PIE requires gcc >= 4.x
1732	AC_MSG_CHECKING([for gcc >= 4.x])
1733	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1734#if !defined(__GNUC__) || __GNUC__ < 4
1735#error gcc is too old
1736#endif
1737]])],
1738	[ AC_MSG_RESULT([yes]) ],
1739	[ AC_MSG_RESULT([no])
1740	  use_pie=no ]
1741)
1742fi
1743if test "x$use_pie" != "xno"; then
1744	SAVED_CFLAGS="$CFLAGS"
1745	SAVED_LDFLAGS="$LDFLAGS"
1746	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1747	OSSH_CHECK_LDFLAG_LINK([-pie])
1748	# We use both -fPIE and -pie or neither.
1749	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1750	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1751	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1752		AC_MSG_RESULT([yes])
1753	else
1754		AC_MSG_RESULT([no])
1755		CFLAGS="$SAVED_CFLAGS"
1756		LDFLAGS="$SAVED_LDFLAGS"
1757	fi
1758fi
1759
1760AC_MSG_CHECKING([whether -fPIC is accepted])
1761SAVED_CFLAGS="$CFLAGS"
1762CFLAGS="$CFLAGS -fPIC"
1763AC_COMPILE_IFELSE(
1764	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1765   [AC_MSG_RESULT([yes])
1766    PICFLAG="-fPIC"; ],
1767   [AC_MSG_RESULT([no])
1768    PICFLAG=""; ])
1769CFLAGS="$SAVED_CFLAGS"
1770AC_SUBST([PICFLAG])
1771
1772dnl    Checks for library functions. Please keep in alphabetical order
1773AC_CHECK_FUNCS([ \
1774	Blowfish_initstate \
1775	Blowfish_expandstate \
1776	Blowfish_expand0state \
1777	Blowfish_stream2word \
1778	SHA256Update \
1779	SHA384Update \
1780	SHA512Update \
1781	asprintf \
1782	b64_ntop \
1783	__b64_ntop \
1784	b64_pton \
1785	__b64_pton \
1786	bcopy \
1787	bcrypt_pbkdf \
1788	bindresvport_sa \
1789	blf_enc \
1790	bzero \
1791	cap_rights_limit \
1792	clock \
1793	closefrom \
1794	dirfd \
1795	endgrent \
1796	err \
1797	errx \
1798	explicit_bzero \
1799	fchmod \
1800	fchmodat \
1801	fchown \
1802	fchownat \
1803	flock \
1804	fnmatch \
1805	freeaddrinfo \
1806	freezero \
1807	fstatfs \
1808	fstatvfs \
1809	futimes \
1810	getaddrinfo \
1811	getcwd \
1812	getgrouplist \
1813	getline \
1814	getnameinfo \
1815	getopt \
1816	getpagesize \
1817	getpeereid \
1818	getpeerucred \
1819	getpgid \
1820	_getpty \
1821	getrlimit \
1822	getrandom \
1823	getsid \
1824	getttyent \
1825	glob \
1826	group_from_gid \
1827	inet_aton \
1828	inet_ntoa \
1829	inet_ntop \
1830	innetgr \
1831	llabs \
1832	localtime_r \
1833	login_getcapbool \
1834	md5_crypt \
1835	memmem \
1836	memmove \
1837	memset_s \
1838	mkdtemp \
1839	ngetaddrinfo \
1840	nsleep \
1841	ogetaddrinfo \
1842	openlog_r \
1843	pledge \
1844	poll \
1845	prctl \
1846	pstat \
1847	raise \
1848	readpassphrase \
1849	reallocarray \
1850	realpath \
1851	recvmsg \
1852	recallocarray \
1853	rresvport_af \
1854	sendmsg \
1855	setdtablesize \
1856	setegid \
1857	setenv \
1858	seteuid \
1859	setgroupent \
1860	setgroups \
1861	setlinebuf \
1862	setlogin \
1863	setpassent\
1864	setpcred \
1865	setproctitle \
1866	setregid \
1867	setreuid \
1868	setrlimit \
1869	setsid \
1870	setvbuf \
1871	sigaction \
1872	sigvec \
1873	snprintf \
1874	socketpair \
1875	statfs \
1876	statvfs \
1877	strcasestr \
1878	strdup \
1879	strerror \
1880	strlcat \
1881	strlcpy \
1882	strmode \
1883	strndup \
1884	strnlen \
1885	strnvis \
1886	strptime \
1887	strsignal \
1888	strtonum \
1889	strtoll \
1890	strtoul \
1891	strtoull \
1892	swap32 \
1893	sysconf \
1894	tcgetpgrp \
1895	timingsafe_bcmp \
1896	truncate \
1897	unsetenv \
1898	updwtmpx \
1899	utimensat \
1900	user_from_uid \
1901	usleep \
1902	vasprintf \
1903	vsnprintf \
1904	waitpid \
1905	warn \
1906])
1907
1908AC_CHECK_DECLS([bzero, memmem])
1909
1910dnl Wide character support.
1911AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1912
1913TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1914AC_MSG_CHECKING([for utf8 locale support])
1915AC_RUN_IFELSE(
1916	[AC_LANG_PROGRAM([[
1917#include <locale.h>
1918#include <stdlib.h>
1919	]], [[
1920	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1921	if (loc != NULL)
1922		exit(0);
1923	exit(1);
1924	]])],
1925	AC_MSG_RESULT(yes),
1926	[AC_MSG_RESULT(no)
1927	 TEST_SSH_UTF8=no],
1928	AC_MSG_WARN([cross compiling: assuming yes])
1929)
1930
1931AC_LINK_IFELSE(
1932        [AC_LANG_PROGRAM(
1933           [[ #include <ctype.h> ]],
1934           [[ return (isblank('a')); ]])],
1935	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1936])
1937
# Feature switches for hardware-backed keys.  --disable-pkcs11 sets
# disable_pkcs11 and --disable-security-key sets disable_sk.
# --with-security-key-builtin sets enable_sk_internal for any value other than
# "no".  The final test clears enable_sk_internal again whenever security key
# support was disabled, so the built-in code is never enabled without it.
1938disable_pkcs11=
1939AC_ARG_ENABLE([pkcs11],
1940	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1941	[
1942		if test "x$enableval" = "xno" ; then
1943			disable_pkcs11=1
1944		fi
1945	]
1946)
1947
1948disable_sk=
1949AC_ARG_ENABLE([security-key],
1950	[  --disable-security-key  disable U2F/FIDO support code [no]],
1951	[
1952		if test "x$enableval" = "xno" ; then
1953			disable_sk=1
1954		fi
1955	]
1956)
1957enable_sk_internal=
1958AC_ARG_WITH([security-key-builtin],
1959	[  --with-security-key-builtin include builtin U2F/FIDO support],
1960	[
1961		if test "x$withval" != "xno" ; then
1962			enable_sk_internal=yes
1963		fi
1964	]
1965)
1966test "x$disable_sk" != "x" && enable_sk_internal=""
1967
1968AC_SEARCH_LIBS([dlopen], [dl])
1969AC_CHECK_FUNCS([dlopen])
1970AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
1971
1972# IRIX has a const char return value for gai_strerror()
1973AC_CHECK_FUNCS([gai_strerror], [
1974	AC_DEFINE([HAVE_GAI_STRERROR])
1975	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1976#include <sys/types.h>
1977#include <sys/socket.h>
1978#include <netdb.h>
1979
1980const char *gai_strerror(int);
1981			]], [[
1982	char *str;
1983	str = gai_strerror(0);
1984			]])], [
1985		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1986		[Define if gai_strerror() returns const char *])], [])])
1987
1988AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1989	[Some systems put nanosleep outside of libc])])
1990
1991AC_SEARCH_LIBS([clock_gettime], [rt],
1992	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1993
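dnl check if we need -D_REENTRANT for localtime_r declaration.
dnl The first probe uses the current CPPFLAGS.  If localtime_r is not declared,
dnl the probe is repeated with -D_REENTRANT added, after dropping the cached
dnl result.  If it is still not declared, CPPFLAGS is put back to the value it
dnl had before the flag was added.  The saved copy must come from CPPFLAGS,
dnl not CFLAGS, or the restore replaces the preprocessor flags with the
dnl compiler flags.
AC_CHECK_DECL([localtime_r], [],
	[ saved_CPPFLAGS="$CPPFLAGS"
	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
	  unset ac_cv_have_decl_localtime_r
	  AC_CHECK_DECL([localtime_r], [],
		[ CPPFLAGS="$saved_CPPFLAGS" ],
		[ #include <time.h> ]
	  )
	],
	[ #include <time.h> ]
)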
2006
2007dnl Make sure prototypes are defined for these before using them.
2008AC_CHECK_DECL([strsep],
2009	[AC_CHECK_FUNCS([strsep])],
2010	[],
2011	[
2012#ifdef HAVE_STRING_H
2013# include <string.h>
2014#endif
2015	])
2016
2017dnl tcsendbreak might be a macro
2018AC_CHECK_DECL([tcsendbreak],
2019	[AC_DEFINE([HAVE_TCSENDBREAK])],
2020	[AC_CHECK_FUNCS([tcsendbreak])],
2021	[#include <termios.h>]
2022)
2023
2024AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2025
2026AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2027	[
2028#include <sys/types.h>
2029#include <sys/socket.h>
2030#include <unistd.h>
2031	])
2032
2033AC_CHECK_DECLS([O_NONBLOCK], , ,
2034	[
2035#include <sys/types.h>
2036#ifdef HAVE_SYS_STAT_H
2037# include <sys/stat.h>
2038#endif
2039#ifdef HAVE_FCNTL_H
2040# include <fcntl.h>
2041#endif
2042	])
2043
2044AC_CHECK_DECLS([readv, writev], , , [
2045#include <sys/types.h>
2046#include <sys/uio.h>
2047#include <unistd.h>
2048	])
2049
2050AC_CHECK_DECLS([MAXSYMLINKS], , , [
2051#include <sys/param.h>
2052	])
2053
2054AC_CHECK_DECLS([offsetof], , , [
2055#include <stddef.h>
2056	])
2057
2058# extra bits for select(2)
2059AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2060#include <sys/param.h>
2061#include <sys/types.h>
2062#ifdef HAVE_SYS_SYSMACROS_H
2063#include <sys/sysmacros.h>
2064#endif
2065#ifdef HAVE_SYS_SELECT_H
2066#include <sys/select.h>
2067#endif
2068#ifdef HAVE_SYS_TIME_H
2069#include <sys/time.h>
2070#endif
2071#ifdef HAVE_UNISTD_H
2072#include <unistd.h>
2073#endif
2074	]])
2075AC_CHECK_TYPES([fd_mask], [], [], [[
2076#include <sys/param.h>
2077#include <sys/types.h>
2078#ifdef HAVE_SYS_SELECT_H
2079#include <sys/select.h>
2080#endif
2081#ifdef HAVE_SYS_TIME_H
2082#include <sys/time.h>
2083#endif
2084#ifdef HAVE_UNISTD_H
2085#include <unistd.h>
2086#endif
2087	]])
2088
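AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have a setresuid that is not implemented; run it
	dnl once and define BROKEN_SETRESUID when it fails with ENOSYS.
	dnl Any other outcome, including a permission error, counts as working.
	dnl <unistd.h> is included so the call has a prototype in scope: a
	dnl compiler that rejects implicit function declarations would fail to
	dnl build the probe and a working setresuid would be reported broken.
	dnl NOTE(review): some C libraries only declare setresuid under a
	dnl feature-test macro - confirm it is defined by this point.
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresuid])]
	)
])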
2111
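AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have a setresgid that is not implemented; run it
	dnl once and define BROKEN_SETRESGID when it fails with ENOSYS.
	dnl Any other outcome, including a permission error, counts as working.
	dnl <unistd.h> is included so the call has a prototype in scope: a
	dnl compiler that rejects implicit function declarations would fail to
	dnl build the probe and a working setresgid would be reported broken.
	dnl NOTE(review): some C libraries only declare setresgid under a
	dnl feature-test macro - confirm it is defined by this point.
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])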
2134
dnl Run fflush(NULL) once; a probe that does not exit 0 marks the C library
dnl with FFLUSH_NULL_BUG.  Cross builds cannot run it and assume it works.
AC_MSG_CHECKING([for working fflush(NULL)])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[
#include <stdio.h>
#include <stdlib.h>
		]],
		[[
	fflush(NULL);
	exit(0);
		]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([FFLUSH_NULL_BUG], [1],
		    [define if fflush(NULL) does not work])
	],
	[AC_MSG_WARN([cross compiling: assuming working])]
)
2148
2149dnl    Checks for time functions
2150AC_CHECK_FUNCS([gettimeofday time])
2151dnl    Checks for utmp functions
2152AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2153AC_CHECK_FUNCS([utmpname])
2154dnl    Checks for utmpx functions
2155AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2156AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2157dnl    Checks for lastlog functions
2158AC_CHECK_FUNCS([getlastlogxbyname])
2159
2160AC_CHECK_FUNC([daemon],
2161	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2162	[AC_CHECK_LIB([bsd], [daemon],
2163		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2164)
2165
2166AC_CHECK_FUNC([getpagesize],
2167	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2168		[Define if your libraries define getpagesize()])],
2169	[AC_CHECK_LIB([ucb], [getpagesize],
2170		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2171)
2172
2173# Check for broken snprintf
2174if test "x$ac_cv_func_snprintf" = "xyes" ; then
2175	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2176	AC_RUN_IFELSE(
2177		[AC_LANG_PROGRAM([[
2178#include <stdio.h>
2179#include <stdlib.h>
2180		]],
2181		[[
2182	char b[5];
2183	snprintf(b,5,"123456789");
2184	exit(b[4]!='\0');
2185		]])],
2186		[AC_MSG_RESULT([yes])],
2187		[
2188			AC_MSG_RESULT([no])
2189			AC_DEFINE([BROKEN_SNPRINTF], [1],
2190				[Define if your snprintf is busted])
2191			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2192		],
2193		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2194	)
2195fi
2196
2197if test "x$ac_cv_func_snprintf" = "xyes" ; then
2198	AC_MSG_CHECKING([whether snprintf understands %zu])
2199	AC_RUN_IFELSE(
2200		[AC_LANG_PROGRAM([[
2201#include <sys/types.h>
2202#include <stdio.h>
2203#include <stdlib.h>
2204#include <string.h>
2205		]],
2206		[[
2207	size_t a = 1, b = 2;
2208	char z[128];
2209	snprintf(z, sizeof z, "%zu%zu", a, b);
2210	exit(strcmp(z, "12"));
2211		]])],
2212		[AC_MSG_RESULT([yes])],
2213		[
2214			AC_MSG_RESULT([no])
2215			AC_DEFINE([BROKEN_SNPRINTF], [1],
2216				[snprintf does not understand %zu])
2217		],
2218		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2219	)
2220fi
2221
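# We depend on vsnprintf returning the right thing on overflow: the
# number of characters it tried to create (as per SUSv3)
# The probe formats an 11-character result once into a 1-byte buffer and
# once into a NULL buffer of size 0, and expects 11 both times; any other
# value defines BROKEN_SNPRINTF.  The wrapper keeps the result in an int,
# the type vsnprintf returns, so an error return is not converted through
# an unsigned type on its way back to the caller.
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <stdio.h>
#include <stdarg.h>

int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
	int ret;
	va_list ap;

	va_start(ap, fmt);
	ret = vsnprintf(str, count, fmt, ap);
	va_end(ap);
	return ret;
}
		]], [[
char x[1];
if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
	return 1;
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
	return 1;
return 0;
		]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
		],
		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
	)
fi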
2260
2261# On systems where [v]snprintf is broken, but is declared in stdio,
2262# check that the fmt argument is const char * or just char *.
2263# This is only useful for when BROKEN_SNPRINTF
2264AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2265AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2266#include <stdio.h>
2267int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2268		]], [[
2269	snprintf(0, 0, 0);
2270		]])],
2271   [AC_MSG_RESULT([yes])
2272    AC_DEFINE([SNPRINTF_CONST], [const],
2273              [Define as const if snprintf() can declare const char *fmt])],
2274   [AC_MSG_RESULT([no])
2275    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2276
# Check for missing getpeereid (or equiv) support
# NO_PEERCHECK stays empty unless none of getpeereid, getpeerucred and the
# SO_PEERCRED socket option is available; it is consumed outside this excerpt.
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" && \
    test "x$ac_cv_func_getpeerucred" != "xyes"; then
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[
	int i = SO_PEERCRED;
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
		],
		[
			AC_MSG_RESULT([no])
			NO_PEERCHECK=1
		]
	)
fi
2290
dnl see whether mkstemp() requires XXXXXX
dnl The probe hands mkstemp a template without the trailing XXXXXX.  If the
dnl call succeeds the file is removed again and the answer is "no"; a failing
dnl call, and every cross build, defines HAVE_STRICT_MKSTEMP.
dnl NOTE(review): the guard tests the mkdtemp cache variable although the
dnl probe calls mkstemp - presumably intentional, confirm against the code
dnl that consumes HAVE_STRICT_MKSTEMP.
if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
	AC_MSG_CHECKING([for (overly) strict mkstemp])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM(
			[[
#include <stdlib.h>
#include <unistd.h>
			]],
			[[
	char template[]="conftest.mkstemp-test";
	if (mkstemp(template) == -1)
		exit(1);
	unlink(template);
	exit(0);
			]])],
		[AC_MSG_RESULT([no])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
		],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_STRICT_MKSTEMP])
		]
	)
fi
2318
2319dnl make sure that openpty does not reacquire controlling terminal
2320if test ! -z "$check_for_openpty_ctty_bug"; then
2321	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2322	AC_RUN_IFELSE(
2323		[AC_LANG_PROGRAM([[
2324#include <stdio.h>
2325#include <stdlib.h>
2326#include <unistd.h>
2327#include <sys/fcntl.h>
2328#include <sys/types.h>
2329#include <sys/wait.h>
2330		]], [[
2331	pid_t pid;
2332	int fd, ptyfd, ttyfd, status;
2333
2334	pid = fork();
2335	if (pid < 0) {		/* failed */
2336		exit(1);
2337	} else if (pid > 0) {	/* parent */
2338		waitpid(pid, &status, 0);
2339		if (WIFEXITED(status))
2340			exit(WEXITSTATUS(status));
2341		else
2342			exit(2);
2343	} else {		/* child */
2344		close(0); close(1); close(2);
2345		setsid();
2346		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2347		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2348		if (fd >= 0)
2349			exit(3);	/* Acquired ctty: broken */
2350		else
2351			exit(0);	/* Did not acquire ctty: OK */
2352	}
2353		]])],
2354		[
2355			AC_MSG_RESULT([yes])
2356		],
2357		[
2358			AC_MSG_RESULT([no])
2359			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2360		],
2361		[
2362			AC_MSG_RESULT([cross-compiling, assuming yes])
2363		]
2364	)
2365fi
2366
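# Run-time probe used when check_for_hpux_broken_getaddrinfo is set: resolve
# the passive wildcard address for TEST_PORT, then for each AF_INET6 result
# call getnameinfo and try to bind a socket.  A non-zero exit status defines
# BROKEN_GETADDRINFO.  <string.h> is included for memset so the probe does
# not rely on an implicit declaration; a compiler that rejects those would
# fail to build the probe, which is reported the same way as a broken
# getaddrinfo.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		/* Only EBADF from bind counts as a failure here. */
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi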
2435
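# Run-time probe used when check_for_aix_broken_getaddrinfo is set: resolve
# the passive wildcard address for TEST_PORT and call getnameinfo on every
# AF_INET and AF_INET6 result; only a failure on an AF_INET entry makes the
# probe exit non-zero.  Success defines AIX_GETNAMEINFO_HACK, failure defines
# BROKEN_GETADDRINFO, and a cross build defines neither.  <string.h> is
# included for memset so the probe does not rely on an implicit declaration;
# a compiler that rejects those would fail to build the probe, which is
# reported the same way as a broken getaddrinfo.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi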
2495
2496if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2497	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2498	    [#include <sys/types.h>
2499	     #include <sys/socket.h>
2500	     #include <netdb.h>])
2501fi
2502
2503if test "x$check_for_conflicting_getspnam" = "x1"; then
2504	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2505	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2506#include <shadow.h>
2507#include <stdlib.h>
2508		]],
2509		[[ exit(0); ]])],
2510		[
2511			AC_MSG_RESULT([no])
2512		],
2513		[
2514			AC_MSG_RESULT([yes])
2515			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2516			    [Conflicting defs for getspnam])
2517		]
2518	)
2519fi
2520
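dnl NetBSD added an strnvis and unfortunately made it incompatible with the
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
dnl for over ten years). Despite this incompatibility being reported during
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
dnl implementation.  Try to detect this mess, and assume the only safe option
dnl if we're cross compiling.
dnl
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
dnl
dnl The probe calls strnvis with the OpenBSD argument order and accepts only
dnl a non-zero return with dst equal to "src".  The SIGSEGV handler turns a
dnl crash in the call into exit status 1, so a crash is reported as broken.
dnl The final exit(1) carries its own semicolon instead of depending on
dnl whatever the program template places after the body.
if test "x$ac_cv_func_strnvis" = "xyes"; then
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi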
2556
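dnl Probe whether select() still returns -1 when a signal whose handler was
dnl installed with SA_RESTART arrives.  The child signals the parent after
dnl one second and kills it a second later if it is still blocked.
dnl The header guard uses HAVE_SYS_SELECT_H, the name the other select(2)
dnl checks in this file test, so <sys/select.h> is really included when it
dnl exists.  sa_mask is emptied before sigaction() so the call does not read
dnl an uninitialised signal set.
dnl NOTE(review): a failed fork() takes the parent branch and would block in
dnl select() with nobody left to signal it - consider handling pid == -1.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	sigemptyset(&sa.sa_mask);
	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do not interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)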
2596
2597AC_CHECK_FUNCS([getpgrp],[
2598	AC_MSG_CHECKING([if getpgrp accepts zero args])
2599	AC_COMPILE_IFELSE(
2600		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2601		[ AC_MSG_RESULT([yes])
2602		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2603		[ AC_MSG_RESULT([no])
2604		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2605	)
2606])
2607
# Search for OpenSSL
# --with-ssl-dir=PATH puts PATH's library directory (PATH/lib, else
# PATH/lib64, else PATH itself) at the front of LDFLAGS and its header
# directory (PATH/include, else PATH) at the front of CPPFLAGS.  When
# rpath_opt is non-empty the same library directory is passed to the linker
# with that option as well (rpath_opt is set outside this excerpt; presumably
# it is the run-time search path flag).  A directory that ends up in a
# run-time search path should be writable only by trusted accounts.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			# Paths starting with ./ or ../ are made absolute.
			case "$withval" in
			./*|../*)
				withval="`pwd`/$withval"
				;;
			esac
			if test -n "${rpath_opt}"; then
				# Library directory plus the matching rpath_opt entry.
				if test -d "$withval/lib"; then
					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
				elif test -d "$withval/lib64"; then
					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
				fi
			else
				# Library directory only.
				if test -d "$withval/lib"; then
					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
				elif test -d "$withval/lib64"; then
					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${LDFLAGS}"
				fi
			fi
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)
2649
dnl --without-openssl-header-check sets openssl_check_nonfatal, which the
dnl header/library comparison later in this file uses to downgrade a version
dnl mismatch from a configure error to a warning.  Only use it when the
dnl installed headers and library are known to belong together.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		case "x$withval" in
		xno)
			openssl_check_nonfatal=1
			;;
		esac
	]
)

dnl ENGINE support is off unless --with-ssl-engine is given with a value
dnl other than "no"; asking for it while OpenSSL is disabled is an error.
openssl_engine=no
AC_ARG_WITH([ssl-engine],
	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
	[
		case "x$withval" in
		xno)
			;;
		*)
			if test "x$openssl" = "xno" ; then
				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
			fi
			openssl_engine=yes
			;;
		esac
	]
)
2671
2672if test "x$openssl" = "xyes" ; then
2673	LIBS="-lcrypto $LIBS"
2674	AC_TRY_LINK_FUNC([RAND_add], ,
2675	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2676	AC_CHECK_HEADER([openssl/opensslv.h], ,
2677	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2678
2679	# Determine OpenSSL header version
2680	AC_MSG_CHECKING([OpenSSL header version])
2681	AC_RUN_IFELSE(
2682		[AC_LANG_PROGRAM([[
2683	#include <stdlib.h>
2684	#include <stdio.h>
2685	#include <string.h>
2686	#include <openssl/opensslv.h>
2687	#define DATA "conftest.sslincver"
2688		]], [[
2689		FILE *fd;
2690		int rc;
2691
2692		fd = fopen(DATA,"w");
2693		if(fd == NULL)
2694			exit(1);
2695
2696		if ((rc = fprintf(fd, "%08lx (%s)\n",
2697		    (unsigned long)OPENSSL_VERSION_NUMBER,
2698		     OPENSSL_VERSION_TEXT)) < 0)
2699			exit(1);
2700
2701		exit(0);
2702		]])],
2703		[
2704			ssl_header_ver=`cat conftest.sslincver`
2705			AC_MSG_RESULT([$ssl_header_ver])
2706		],
2707		[
2708			AC_MSG_RESULT([not found])
2709			AC_MSG_ERROR([OpenSSL version header not found.])
2710		],
2711		[
2712			AC_MSG_WARN([cross compiling: not checking])
2713		]
2714	)
2715
2716	# Determining OpenSSL library version is version dependent.
2717	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2718
2719	# Determine OpenSSL library version
2720	AC_MSG_CHECKING([OpenSSL library version])
2721	AC_RUN_IFELSE(
2722		[AC_LANG_PROGRAM([[
2723	#include <stdio.h>
2724	#include <stdlib.h>
2725	#include <string.h>
2726	#include <openssl/opensslv.h>
2727	#include <openssl/crypto.h>
2728	#define DATA "conftest.ssllibver"
2729		]], [[
2730		FILE *fd;
2731		int rc;
2732
2733		fd = fopen(DATA,"w");
2734		if(fd == NULL)
2735			exit(1);
2736#ifndef OPENSSL_VERSION
2737# define OPENSSL_VERSION SSLEAY_VERSION
2738#endif
2739#ifndef HAVE_OPENSSL_VERSION
2740# define OpenSSL_version	SSLeay_version
2741#endif
2742#ifndef HAVE_OPENSSL_VERSION_NUM
2743# define OpenSSL_version_num	SSLeay
2744#endif
2745		if ((rc = fprintf(fd, "%08lx (%s)\n",
2746		    (unsigned long)OpenSSL_version_num(),
2747		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2748			exit(1);
2749
2750		exit(0);
2751		]])],
2752		[
2753			ssl_library_ver=`cat conftest.ssllibver`
2754			# Check version is supported.
2755			case "$ssl_library_ver" in
2756			10000*|0*)
2757				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2758		                ;;
2759			100*)   ;; # 1.0.x
2760			101000[[0123456]]*)
2761				# https://github.com/openssl/openssl/pull/4613
2762				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2763				;;
2764			101*)   ;; # 1.1.x
2765			200*)   ;; # LibreSSL
2766			300*)   ;; # OpenSSL development branch.
2767		        *)
2768				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2769		                ;;
2770			esac
2771			AC_MSG_RESULT([$ssl_library_ver])
2772		],
2773		[
2774			AC_MSG_RESULT([not found])
2775			AC_MSG_ERROR([OpenSSL library not found.])
2776		],
2777		[
2778			AC_MSG_WARN([cross compiling: not checking])
2779		]
2780	)
2781
2782	# Sanity check OpenSSL headers
2783	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2784	AC_RUN_IFELSE(
2785		[AC_LANG_PROGRAM([[
2786	#include <stdlib.h>
2787	#include <string.h>
2788	#include <openssl/opensslv.h>
2789	#include <openssl/crypto.h>
2790		]], [[
2791#ifndef HAVE_OPENSSL_VERSION_NUM
2792# define OpenSSL_version_num	SSLeay
2793#endif
2794		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2795		]])],
2796		[
2797			AC_MSG_RESULT([yes])
2798		],
2799		[
2800			AC_MSG_RESULT([no])
2801			if test "x$openssl_check_nonfatal" = "x"; then
2802				AC_MSG_ERROR([Your OpenSSL headers do not match your
2803	library. Check config.log for details.
2804	If you are sure your installation is consistent, you can disable the check
2805	by running "./configure --without-openssl-header-check".
2806	Also see contrib/findssl.sh for help identifying header/library mismatches.
2807	])
2808			else
2809				AC_MSG_WARN([Your OpenSSL headers do not match your
2810	library. Check config.log for details.
2811	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2812			fi
2813		],
2814		[
2815			AC_MSG_WARN([cross compiling: not checking])
2816		]
2817	)
2818
2819	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2820	AC_LINK_IFELSE(
2821		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2822		[[ ERR_load_crypto_strings(); ]])],
2823		[
2824			AC_MSG_RESULT([yes])
2825		],
2826		[
2827			AC_MSG_RESULT([no])
2828			saved_LIBS="$LIBS"
2829			LIBS="$LIBS -ldl"
2830			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2831			AC_LINK_IFELSE(
2832				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2833				[[ ERR_load_crypto_strings(); ]])],
2834				[
2835					AC_MSG_RESULT([yes])
2836				],
2837				[
2838					AC_MSG_RESULT([no])
2839					LIBS="$saved_LIBS"
2840				]
2841			)
2842		]
2843	)
2844
2845	AC_CHECK_FUNCS([ \
2846		BN_is_prime_ex \
2847		DSA_generate_parameters_ex \
2848		EVP_CIPHER_CTX_ctrl \
2849		EVP_DigestFinal_ex \
2850		EVP_DigestInit_ex \
2851		EVP_MD_CTX_cleanup \
2852		EVP_MD_CTX_copy_ex \
2853		EVP_MD_CTX_init \
2854		HMAC_CTX_init \
2855		RSA_generate_key_ex \
2856		RSA_get_default_method \
2857	])
2858
2859	# OpenSSL_add_all_algorithms may be a macro.
2860	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2861	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2862	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2863		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2864		[[#include <openssl/evp.h>]]
2865	    )
2866	)
2867
2868	# LibreSSL/OpenSSL 1.1x API
2869	AC_CHECK_FUNCS([ \
2870		OPENSSL_init_crypto \
2871		DH_get0_key \
2872		DH_get0_pqg \
2873		DH_set0_key \
2874		DH_set_length \
2875		DH_set0_pqg \
2876		DSA_get0_key \
2877		DSA_get0_pqg \
2878		DSA_set0_key \
2879		DSA_set0_pqg \
2880		DSA_SIG_get0 \
2881		DSA_SIG_set0 \
2882		ECDSA_SIG_get0 \
2883		ECDSA_SIG_set0 \
2884		EVP_CIPHER_CTX_iv \
2885		EVP_CIPHER_CTX_iv_noconst \
2886		EVP_CIPHER_CTX_get_iv \
2887		EVP_CIPHER_CTX_set_iv \
2888		RSA_get0_crt_params \
2889		RSA_get0_factors \
2890		RSA_get0_key \
2891		RSA_set0_crt_params \
2892		RSA_set0_factors \
2893		RSA_set0_key \
2894		RSA_meth_free \
2895		RSA_meth_dup \
2896		RSA_meth_set1_name \
2897		RSA_meth_get_finish \
2898		RSA_meth_set_priv_enc \
2899		RSA_meth_set_priv_dec \
2900		RSA_meth_set_finish \
2901		EVP_PKEY_get0_RSA \
2902		EVP_MD_CTX_new \
2903		EVP_MD_CTX_free \
2904		EVP_chacha20 \
2905	])
2906
2907	if test "x$openssl_engine" = "xyes" ; then
2908		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2909		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2910	#include <openssl/engine.h>
2911			]], [[
2912				ENGINE_load_builtin_engines();
2913				ENGINE_register_all_complete();
2914			]])],
2915			[ AC_MSG_RESULT([yes])
2916			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2917			     [Enable OpenSSL engine support])
2918			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2919		])
2920	fi
2921
2922	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2923	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2924	AC_LINK_IFELSE(
2925		[AC_LANG_PROGRAM([[
2926	#include <stdlib.h>
2927	#include <string.h>
2928	#include <openssl/evp.h>
2929		]], [[
2930		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2931		]])],
2932		[
2933			AC_MSG_RESULT([no])
2934		],
2935		[
2936			AC_MSG_RESULT([yes])
2937			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2938			    [libcrypto is missing AES 192 and 256 bit functions])
2939		]
2940	)
2941
2942	# Check for OpenSSL with EVP_aes_*ctr
2943	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2944	AC_LINK_IFELSE(
2945		[AC_LANG_PROGRAM([[
2946	#include <stdlib.h>
2947	#include <string.h>
2948	#include <openssl/evp.h>
2949		]], [[
2950		exit(EVP_aes_128_ctr() == NULL ||
2951		    EVP_aes_192_cbc() == NULL ||
2952		    EVP_aes_256_cbc() == NULL);
2953		]])],
2954		[
2955			AC_MSG_RESULT([yes])
2956			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2957			    [libcrypto has EVP AES CTR])
2958		],
2959		[
2960			AC_MSG_RESULT([no])
2961		]
2962	)
2963
2964	# Check for OpenSSL with EVP_aes_*gcm
2965	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2966	AC_LINK_IFELSE(
2967		[AC_LANG_PROGRAM([[
2968	#include <stdlib.h>
2969	#include <string.h>
2970	#include <openssl/evp.h>
2971		]], [[
2972		exit(EVP_aes_128_gcm() == NULL ||
2973		    EVP_aes_256_gcm() == NULL ||
2974		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2975		    EVP_CTRL_GCM_IV_GEN == 0 ||
2976		    EVP_CTRL_GCM_SET_TAG == 0 ||
2977		    EVP_CTRL_GCM_GET_TAG == 0 ||
2978		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2979		]])],
2980		[
2981			AC_MSG_RESULT([yes])
2982			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2983			    [libcrypto has EVP AES GCM])
2984		],
2985		[
2986			AC_MSG_RESULT([no])
2987			unsupported_algorithms="$unsupported_cipers \
2988			   aes128-gcm@openssh.com \
2989			   aes256-gcm@openssh.com"
2990		]
2991	)
2992
2993	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2994	AC_LINK_IFELSE(
2995		[AC_LANG_PROGRAM([[
2996	#include <stdlib.h>
2997	#include <string.h>
2998	#include <openssl/evp.h>
2999		]], [[
3000		if(EVP_DigestUpdate(NULL, NULL,0))
3001			exit(0);
3002		]])],
3003		[
3004			AC_MSG_RESULT([yes])
3005		],
3006		[
3007			AC_MSG_RESULT([no])
3008			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
3009			    [Define if EVP_DigestUpdate returns void])
3010		]
3011	)
3012
3013	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
3014	# because the system crypt() is more featureful.
3015	if test "x$check_for_libcrypt_before" = "x1"; then
3016		AC_CHECK_LIB([crypt], [crypt])
3017	fi
3018
3019	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
3020	# version in OpenSSL.
3021	if test "x$check_for_libcrypt_later" = "x1"; then
3022		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3023	fi
3024	AC_CHECK_FUNCS([crypt DES_crypt])
3025
3026	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3027	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3028
3029	# Check complete ECC support in OpenSSL
3030	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3031	AC_LINK_IFELSE(
3032		[AC_LANG_PROGRAM([[
3033	#include <openssl/ec.h>
3034	#include <openssl/ecdh.h>
3035	#include <openssl/ecdsa.h>
3036	#include <openssl/evp.h>
3037	#include <openssl/objects.h>
3038	#include <openssl/opensslv.h>
3039		]], [[
3040		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3041		const EVP_MD *m = EVP_sha256(); /* We need this too */
3042		]])],
3043		[ AC_MSG_RESULT([yes])
3044		  enable_nistp256=1 ],
3045		[ AC_MSG_RESULT([no]) ]
3046	)
3047
3048	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3049	AC_LINK_IFELSE(
3050		[AC_LANG_PROGRAM([[
3051	#include <openssl/ec.h>
3052	#include <openssl/ecdh.h>
3053	#include <openssl/ecdsa.h>
3054	#include <openssl/evp.h>
3055	#include <openssl/objects.h>
3056	#include <openssl/opensslv.h>
3057		]], [[
3058		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3059		const EVP_MD *m = EVP_sha384(); /* We need this too */
3060		]])],
3061		[ AC_MSG_RESULT([yes])
3062		  enable_nistp384=1 ],
3063		[ AC_MSG_RESULT([no]) ]
3064	)
3065
3066	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3067	AC_LINK_IFELSE(
3068		[AC_LANG_PROGRAM([[
3069	#include <openssl/ec.h>
3070	#include <openssl/ecdh.h>
3071	#include <openssl/ecdsa.h>
3072	#include <openssl/evp.h>
3073	#include <openssl/objects.h>
3074	#include <openssl/opensslv.h>
3075		]], [[
3076		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3077		const EVP_MD *m = EVP_sha512(); /* We need this too */
3078		]])],
3079		[ AC_MSG_RESULT([yes])
3080		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3081		  AC_RUN_IFELSE(
3082			[AC_LANG_PROGRAM([[
3083	#include <stdlib.h>
3084	#include <openssl/ec.h>
3085	#include <openssl/ecdh.h>
3086	#include <openssl/ecdsa.h>
3087	#include <openssl/evp.h>
3088	#include <openssl/objects.h>
3089	#include <openssl/opensslv.h>
3090			]],[[
3091			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3092			const EVP_MD *m = EVP_sha512(); /* We need this too */
3093			exit(e == NULL || m == NULL);
3094			]])],
3095			[ AC_MSG_RESULT([yes])
3096			  enable_nistp521=1 ],
3097			[ AC_MSG_RESULT([no]) ],
3098			[ AC_MSG_WARN([cross-compiling: assuming yes])
3099			  enable_nistp521=1 ]
3100		  )],
3101		AC_MSG_RESULT([no])
3102	)
3103
3104	COMMENT_OUT_ECC="#no ecc#"
3105	TEST_SSH_ECC=no
3106
3107	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3108	    test x$enable_nistp521 = x1; then
3109		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3110		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3111		openssl_ecc=yes
3112	else
3113		openssl_ecc=no
3114	fi
3115	if test x$enable_nistp256 = x1; then
3116		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3117		    [libcrypto has NID_X9_62_prime256v1])
3118		TEST_SSH_ECC=yes
3119		COMMENT_OUT_ECC=""
3120	else
3121		unsupported_algorithms="$unsupported_algorithms \
3122			ecdsa-sha2-nistp256 \
3123			ecdh-sha2-nistp256 \
3124			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3125	fi
3126	if test x$enable_nistp384 = x1; then
3127		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3128		TEST_SSH_ECC=yes
3129		COMMENT_OUT_ECC=""
3130	else
3131		unsupported_algorithms="$unsupported_algorithms \
3132			ecdsa-sha2-nistp384 \
3133			ecdh-sha2-nistp384 \
3134			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3135	fi
3136	if test x$enable_nistp521 = x1; then
3137		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3138		TEST_SSH_ECC=yes
3139		COMMENT_OUT_ECC=""
3140	else
3141		unsupported_algorithms="$unsupported_algorithms \
3142			ecdh-sha2-nistp521 \
3143			ecdsa-sha2-nistp521 \
3144			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3145	fi
3146
3147	AC_SUBST([TEST_SSH_ECC])
3148	AC_SUBST([COMMENT_OUT_ECC])
3149else
3150	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3151	AC_CHECK_FUNCS([crypt])
3152fi
3153
3154# PKCS11/U2F depend on OpenSSL and dlopen().
# Both features start out enabled; each prerequisite test below replaces
# "yes" with a human-readable reason. Later tests overwrite earlier ones,
# so the reason reported is that of the last failing check only.
3155enable_pkcs11=yes
3156enable_sk=yes
3157if test "x$openssl" != "xyes" ; then
3158	enable_pkcs11="disabled; missing libcrypto"
3159	enable_sk="disabled; missing libcrypto"
3160fi
# Security keys additionally need ECC support in OpenSSL; PKCS11 does not.
3161if test "x$openssl_ecc" != "xyes" ; then
3162	enable_sk="disabled; OpenSSL has no ECC support"
3163fi
3164if test "x$ac_cv_func_dlopen" != "xyes" ; then
3165	enable_pkcs11="disabled; missing dlopen(3)"
3166	enable_sk="disabled; missing dlopen(3)"
3167fi
3168if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3169	enable_pkcs11="disabled; missing RTLD_NOW"
3170	enable_sk="disabled; missing RTLD_NOW"
3171fi
# A non-empty disable_pkcs11 / disable_sk always wins over the probes.
# NOTE(review): both variables are set outside this section, presumably by
# the matching configure switches - confirm.
3172if test ! -z "$disable_pkcs11" ; then
3173	enable_pkcs11="disabled by user"
3174fi
3175if test ! -z "$disable_sk" ; then
3176	enable_sk="disabled by user"
3177fi
3178
# Only the exact value "yes" defines ENABLE_PKCS11. Any other value is the
# reason text assigned earlier, and it is printed as the check result, so
# the configure log records why the feature was left out.
3179AC_MSG_CHECKING([whether to enable PKCS11])
3180if test "x$enable_pkcs11" = "xyes" ; then
3181	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3182fi
3183AC_MSG_RESULT([$enable_pkcs11])
3184
# Only the exact value "yes" defines ENABLE_SK and names the sk-dummy
# regression library as a build product; otherwise SK_DUMMY_LIBRARY is
# substituted as an empty string. The result line prints "yes" or the
# reason the feature is off.
3185AC_MSG_CHECKING([whether to enable U2F])
3186if test "x$enable_sk" = "xyes" ; then
3187	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3188	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3189else
3190	# Do not try to build sk-dummy library.
3191	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3192fi
3193AC_MSG_RESULT([$enable_sk])
3194
3195# Now check for built-in security key support.
# Runs only when security key support is enabled and enable_sk_internal is
# "yes" (set outside this section). Once requested, a missing libfido2
# library or header aborts configure instead of quietly dropping the
# feature; on success enable_sk becomes "built-in".
3196if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3197	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3198	use_pkgconfig_for_libfido2=
3199	if test "x$PKGCONFIG" != "xno"; then
3200		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3201		if "$PKGCONFIG" libfido2; then
3202			AC_MSG_RESULT([yes])
3203			use_pkgconfig_for_libfido2=yes
3204		else
3205			AC_MSG_RESULT([no])
3206		fi
3207	fi
	# Link and preprocessor flags are taken from pkg-config output when it
	# knows the package; that output is spliced into the build flags as-is,
	# so the pkg-config binary and its search path are trusted inputs here.
	# The fallback is the fixed pair -lfido2 -lcbor.
3208	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3209		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3210		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3211	else
3212		LIBFIDO2="-lfido2 -lcbor"
3213	fi
	# Everything in LIBFIDO2 except -lfido2 itself; handed to the link test
	# below as the extra libraries needed to link against libfido2.
3214	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3215	AC_CHECK_LIB([fido2], [fido_init],
3216		[
3217			AC_SUBST([LIBFIDO2])
3218			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3219			    [Enable for built-in U2F/FIDO support])
3220			enable_sk="built-in"
3221		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3222		[ $OTHERLIBS ]
3223	)
	# Probe optional libfido2 functions with the library temporarily added to
	# LIBS, then put LIBS back the way it was.
3224	saved_LIBS="$LIBS"
3225	LIBS="$LIBS $LIBFIDO2"
3226	AC_CHECK_FUNCS([ \
3227		fido_cred_prot \
3228		fido_cred_set_prot \
3229		fido_dev_get_touch_begin \
3230		fido_dev_get_touch_status \
3231		fido_dev_supports_cred_prot \
3232	])
3233	LIBS="$saved_LIBS"
3234	AC_CHECK_HEADER([fido.h], [],
3235		AC_MSG_ERROR([missing fido.h from libfido2]))
3236	AC_CHECK_HEADER([fido/credman.h], [],
3237		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3238		[#include <fido.h>]
3239	)
3240fi
3241
# Probe the C library for the arc4random family of random number functions;
# each one found gets its own HAVE_ define.
# NOTE(review): what is used when they are missing is decided elsewhere in
# the tree - confirm before relying on a particular fallback.
3242AC_CHECK_FUNCS([ \
3243	arc4random \
3244	arc4random_buf \
3245	arc4random_stir \
3246	arc4random_uniform \
3247])
3248
# Look for libiaf and, inside it, set_id. LIBS is saved and restored around
# the probe, so -liaf ends up in SSHDLIBS only, and HAVE_LIBIAF is defined
# only when set_id is actually present.
3249saved_LIBS="$LIBS"
3250AC_CHECK_LIB([iaf], [ia_openinfo], [
3251	LIBS="$LIBS -liaf"
3252	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3253				AC_DEFINE([HAVE_LIBIAF], [1],
3254			[Define if system has libiaf that supports set_id])
3255				])
3256])
3257LIBS="$saved_LIBS"
3258
3259### Configure cryptographic random number support
3260
3261# Check whether OpenSSL seeds itself
# The probe is a small program run on the build host; it exits 0 only when
# RAND_status() returns 1. The answer therefore describes the build machine
# and its libcrypto, which need not match the host the binaries later run
# on. Cross builds cannot run it and assume yes. OPENSSL_SEEDS_ITSELF is
# left unset on a "no" result.
3262if test "x$openssl" = "xyes" ; then
3263	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3264	AC_RUN_IFELSE(
3265		[AC_LANG_PROGRAM([[
3266	#include <stdlib.h>
3267	#include <string.h>
3268	#include <openssl/rand.h>
3269		]], [[
3270		exit(RAND_status() == 1 ? 0 : 1);
3271		]])],
3272		[
3273			OPENSSL_SEEDS_ITSELF=yes
3274			AC_MSG_RESULT([yes])
3275		],
3276		[
3277			AC_MSG_RESULT([no])
3278		],
3279		[
3280			AC_MSG_WARN([cross compiling: assuming yes])
3281			# This is safe, since we will fatal() at runtime if
3282			# OpenSSL is not seeded correctly.
3283			OPENSSL_SEEDS_ITSELF=yes
3284		]
3285	)
3286fi
3287
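# PRNGD TCP socket
# The port is pasted unquoted into config.h as PRNGD_PORT, so accept only a
# plain decimal number in the TCP port range: digits only, no leading zero
# (C would read that as octal), and at most 65535. "no" leaves the port
# unset.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|0*|*[[!0-9]]*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			# Digits only from here on. A number too large for the
			# shell to compare makes the test fail, which is
			# treated as out of range as well.
			if test "$withval" -le 65535 2>/dev/null ; then
				:
			else
				AC_MSG_ERROR([The port number for --with-prngd-port must be between 1 and 65535])
			fi
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)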
3309
3310# PRNGD Unix domain socket
# The chosen path is compiled in as the PRNGD_SOCKET string. An explicit
# value must be an absolute path and cannot be combined with a PRNGD port;
# an unreadable path only draws a warning and does not stop configure.
# Without the option, a short list of well-known locations is searched on
# the build host, and only when OpenSSL was not found to seed itself.
# Whatever answers on this socket supplies seed material, so the path and
# its permissions on the target host deserve review.
3311AC_ARG_WITH([prngd-socket],
3312	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3313	[
3314		case "$withval" in
3315		yes)
3316			withval="/var/run/egd-pool"
3317			;;
3318		no)
3319			withval=""
3320			;;
3321		/*)
3322			;;
3323		*)
3324			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3325			;;
3326		esac
3327
3328		if test ! -z "$withval" ; then
3329			if test ! -z "$PRNGD_PORT" ; then
3330				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3331			fi
3332			if test ! -r "$withval" ; then
3333				AC_MSG_WARN([Entropy socket is not readable])
3334			fi
3335			PRNGD_SOCKET="$withval"
3336			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3337				[Location of PRNGD/EGD random number socket])
3338		fi
3339	],
3340	[
3341		# Check for existing socket only if we don't have a random device already
3342		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3343			AC_MSG_CHECKING([for PRNGD/EGD socket])
3344			# Insert other locations here
3345			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3346				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3347					PRNGD_SOCKET="$sock"
3348					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3349					break;
3350				fi
3351			done
3352			if test ! -z "$PRNGD_SOCKET" ; then
3353				AC_MSG_RESULT([$PRNGD_SOCKET])
3354			else
3355				AC_MSG_RESULT([not found])
3356			fi
3357		fi
3358	]
3359)
3360
3361# Which randomness source do we use?
# Precedence: an explicit PRNGD port, then a PRNGD socket, then OpenSSL's
# own seeding. A build without OpenSSL only warns that /dev/urandom will be
# used. Any remaining case has no entropy source at all and stops configure
# rather than producing binaries without one. RAND_MSG is assigned in the
# first three branches only.
3362if test ! -z "$PRNGD_PORT" ; then
3363	RAND_MSG="PRNGd port $PRNGD_PORT"
3364elif test ! -z "$PRNGD_SOCKET" ; then
3365	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3366elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3367	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3368		[Define if you want the OpenSSL internally seeded PRNG only])
3369	RAND_MSG="OpenSSL internal ONLY"
3370elif test "x$openssl" = "xno" ; then
3371	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3372else
3373	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3374fi
3375
3376# Check for PAM libs
# PAM stays off unless the option is given with a value other than "no".
# Once requested, missing PAM headers or a libpam without pam_set_item stop
# configure. LIBS is restored after the probes, so -lpam, and -ldl when it
# is not already in LIBS, are added to SSHDLIBS only.
# The header cache variables tested first are filled in by checks outside
# this section.
3377PAM_MSG="no"
3378AC_ARG_WITH([pam],
3379	[  --with-pam              Enable PAM support ],
3380	[
3381		if test "x$withval" != "xno" ; then
3382			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3383			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3384				AC_MSG_ERROR([PAM headers not found])
3385			fi
3386
3387			saved_LIBS="$LIBS"
3388			AC_CHECK_LIB([dl], [dlopen], , )
3389			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3390			AC_CHECK_FUNCS([pam_getenvlist])
3391			AC_CHECK_FUNCS([pam_putenv])
3392			LIBS="$saved_LIBS"
3393
3394			PAM_MSG="yes"
3395
3396			SSHDLIBS="$SSHDLIBS -lpam"
3397			AC_DEFINE([USE_PAM], [1],
3398				[Define if you want to enable PAM support])
3399
3400			if test $ac_cv_lib_dl_dlopen = yes; then
3401				case "$LIBS" in
3402				*-ldl*)
3403					# libdl already in LIBS
3404					;;
3405				*)
3406					SSHDLIBS="$SSHDLIBS -ldl"
3407					;;
3408				esac
3409			fi
3410		fi
3411	]
3412)
3413
# Overrides the PAM service name compiled in as SSHD_PAM_SERVICE. The bare
# yes and no forms of the option are ignored. The value is placed between
# double quotes as a C string without any escaping, and it decides which
# PAM policy applies to sshd, so it should be a plain service name.
3414AC_ARG_WITH([pam-service],
3415	[  --with-pam-service=name Specify PAM service name ],
3416	[
3417		if test "x$withval" != "xno" && \
3418		   test "x$withval" != "xyes" ; then
3419			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3420				["$withval"], [sshd PAM service name])
3421		fi
3422	]
3423)
3424
3425# Check for older PAM
# Compile-only probe, run when PAM was enabled above: if a two-argument
# call to pam_strerror does not compile, the library is treated as the old
# one-argument flavour, HAVE_OLD_PAM is defined and PAM_MSG says so.
3426if test "x$PAM_MSG" = "xyes" ; then
3427	# Check PAM strerror arguments (old PAM)
3428	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3429	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3430#include <stdlib.h>
3431#if defined(HAVE_SECURITY_PAM_APPL_H)
3432#include <security/pam_appl.h>
3433#elif defined (HAVE_PAM_PAM_APPL_H)
3434#include <pam/pam_appl.h>
3435#endif
3436		]], [[
3437(void)pam_strerror((pam_handle_t *)NULL, -1);
3438		]])], [AC_MSG_RESULT([no])], [
3439			AC_DEFINE([HAVE_OLD_PAM], [1],
3440				[Define if you have an old version of PAM
3441				which takes only one argument to pam_strerror])
3442			AC_MSG_RESULT([yes])
3443			PAM_MSG="yes (old library)"
3444
3445	])
3446fi
3447
# Account used for the unprivileged side of privilege separation: "sshd" by
# default, or on Cygwin a symbol that the define description calls a
# function fetching the user. An option value other than empty, yes or no
# replaces the default. Except for the Cygwin symbol, the name is emitted as
# a C string literal without escaping, and it is also substituted into
# generated files.
3448case "$host" in
3449*-*-cygwin*)
3450	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3451	;;
3452*)
3453	SSH_PRIVSEP_USER=sshd
3454	;;
3455esac
3456AC_ARG_WITH([privsep-user],
3457	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3458	[
3459		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3460		    test "x${withval}" != "xyes"; then
3461			SSH_PRIVSEP_USER=$withval
3462		fi
3463	]
3464)
3465if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3466	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3467		[Cygwin function to fetch non-privileged user for privilege separation])
3468else
3469	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3470		[non-privileged user for privilege separation])
3471fi
3472AC_SUBST([SSH_PRIVSEP_USER])
3473
# seccomp filter probing, attempted only when have_linux_no_new_privs is 1
# (set outside this section). First the SECCOMP_MODE_FILTER declaration must
# exist, then a small prctl program must link; a link failure resets
# have_seccomp_filter to 0.
# NOTE(review): the second test only links the program and never runs it,
# so despite its message it says nothing about the running kernel. A host
# whose kernel lacks seccomp filter support can still receive a build that
# selected this sandbox - confirm how that case is handled at run time.
3474if test "x$have_linux_no_new_privs" = "x1" ; then
3475AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3476	#include <sys/types.h>
3477	#include <linux/seccomp.h>
3478])
3479fi
3480if test "x$have_seccomp_filter" = "x1" ; then
3481AC_MSG_CHECKING([kernel for seccomp_filter support])
3482AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3483		#include <errno.h>
3484		#include <elf.h>
3485		#include <linux/audit.h>
3486		#include <linux/seccomp.h>
3487		#include <stdlib.h>
3488		#include <sys/prctl.h>
3489	]],
3490	[[ int i = $seccomp_audit_arch;
3491	   errno = 0;
3492	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3493	   exit(errno == EFAULT ? 0 : 1); ]])],
3494	[ AC_MSG_RESULT([yes]) ], [
3495		AC_MSG_RESULT([no])
3496		# Disable seccomp filter as a target
3497		have_seccomp_filter=0
3498	]
3499)
3500fi
3501
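# Decide which sandbox style to use
# An empty sandbox_arg, which is also what a bare --with-sandbox produces,
# means the style is picked automatically by the selection chain further
# down; any other value is passed through and validated there. The help
# text lists solaris as well, since that chain accepts it.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, solaris, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)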
3514
3515# Some platforms (seems to be the ones that have a kernel poll(2)-type
3516# function with which they implement select(2)) use an extra file descriptor
3517# when calling select(2), which means we can't use the rlimit sandbox.
# The probe runs on the build host: it opens /dev/null, sets RLIMIT_FSIZE
# and RLIMIT_NOFILE to zero and then calls select on the open descriptor.
# Cross builds cannot run it and assume that it works.
3518AC_MSG_CHECKING([if select works with descriptor rlimit])
3519AC_RUN_IFELSE(
3520	[AC_LANG_PROGRAM([[
3521#include <sys/types.h>
3522#ifdef HAVE_SYS_TIME_H
3523# include <sys/time.h>
3524#endif
3525#include <sys/resource.h>
3526#ifdef HAVE_SYS_SELECT_H
3527# include <sys/select.h>
3528#endif
3529#include <errno.h>
3530#include <fcntl.h>
3531#include <stdlib.h>
3532	]],[[
3533	struct rlimit rl_zero;
3534	int fd, r;
3535	fd_set fds;
3536	struct timeval tv;
3537
3538	fd = open("/dev/null", O_RDONLY);
3539	FD_ZERO(&fds);
3540	FD_SET(fd, &fds);
3541	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3542	setrlimit(RLIMIT_FSIZE, &rl_zero);
3543	setrlimit(RLIMIT_NOFILE, &rl_zero);
3544	tv.tv_sec = 1;
3545	tv.tv_usec = 0;
3546	r = select(fd+1, &fds, NULL, NULL, &tv);
3547	exit (r == -1 ? 1 : 0);
3548	]])],
3549	[AC_MSG_RESULT([yes])
3550	 select_works_with_rlimit=yes],
3551	[AC_MSG_RESULT([no])
3552	 select_works_with_rlimit=no],
3553	[AC_MSG_WARN([cross compiling: assuming yes])
3554	 select_works_with_rlimit=yes]
3555)
3556
# Run-time probe on the build host: can RLIMIT_NOFILE be set to zero at
# all? The automatic choice of the rlimit sandbox further down requires a
# yes here. Cross builds cannot run the probe and assume yes.
3557AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3558AC_RUN_IFELSE(
3559	[AC_LANG_PROGRAM([[
3560#include <sys/types.h>
3561#ifdef HAVE_SYS_TIME_H
3562# include <sys/time.h>
3563#endif
3564#include <sys/resource.h>
3565#include <errno.h>
3566#include <stdlib.h>
3567	]],[[
3568	struct rlimit rl_zero;
3569	int r;
3570
3571	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3572	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3573	exit (r == -1 ? 1 : 0);
3574	]])],
3575	[AC_MSG_RESULT([yes])
3576	 rlimit_nofile_zero_works=yes],
3577	[AC_MSG_RESULT([no])
3578	 rlimit_nofile_zero_works=no],
3579	[AC_MSG_WARN([cross compiling: assuming yes])
3580	 rlimit_nofile_zero_works=yes]
3581)
3582
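# Run-time probe on the build host: can RLIMIT_FSIZE be set to zero? When it
# cannot, SANDBOX_SKIP_RLIMIT_FSIZE is defined; its description now says
# that it marks the failing case. Cross builds cannot run the probe and
# assume that the limit works.
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
	]],[[
		struct rlimit rl_zero;

		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1],
	    [define if setrlimit RLIMIT_FSIZE does not work])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)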
3601
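# Choose exactly one sandbox for the unprivileged process. An explicit
# --with-sandbox value selects that style and stops configure when a checked
# prerequisite is missing. With no value, the first style whose
# prerequisites were detected wins, in the order tested here.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	# NOTE(review): unlike the styles above, an explicit request for
	# solaris is accepted without testing SOLARIS_PRIVS - confirm that
	# this is intended.
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# An empty sandbox_arg reaches this branch only when none of the styles
	# above was detected. Say so in the configure output instead of
	# dropping the sandbox silently; an explicit no, none or null stays
	# quiet because the builder asked for it.
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([no supported sandbox was detected; building without privilege separation sandboxing])
	fi
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi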
3672
3673# Cheap hack to ensure NEWS-OS libraries are arranged right.
# Appends -liberty to LIBS when SONY is non-empty.
# NOTE(review): SONY is set outside this section, presumably by the
# host-specific setup - confirm.
3674if test ! -z "$SONY" ; then
3675  LIBS="$LIBS -liberty";
3676fi
3677
3678# Check for  long long datatypes
3679AC_CHECK_TYPES([long long, unsigned long long, long double])
3680
3681# Check datatype sizes
3682AC_CHECK_SIZEOF([short int])
3683AC_CHECK_SIZEOF([int])
3684AC_CHECK_SIZEOF([long int])
3685AC_CHECK_SIZEOF([long long int])
3686
3687# Sanity check long long for some platforms (AIX)
# A reported size of 4 is rewritten to 0. The int64_t requirement test later
# in the file compares this variable against 0, so a 4-byte long long is
# handled there like a missing one.
3688if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3689	ac_cv_sizeof_long_long_int=0
3690fi
3691
3692# compute LLONG_MIN and LLONG_MAX if we don't know them.
# Runs only when neither have_llong_max nor have_long_long_max was set
# earlier (outside this section). The probe executes on the build host,
# writes both values to conftest.llminmax in the build directory, and the
# two fields are read back with awk and defined as LLONG_MIN and LLONG_MAX.
# A failed probe reports "not found"; cross builds skip it; in both cases
# nothing is defined here.
# The helper fprint_ll would index below its digit buffer for a value of
# zero, but the sanity check in the probe exits before printing whenever
# either limit is zero.
3693if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3694	AC_MSG_CHECKING([for max value of long long])
3695	AC_RUN_IFELSE(
3696		[AC_LANG_PROGRAM([[
3697#include <stdio.h>
3698#include <stdlib.h>
3699/* Why is this so damn hard? */
3700#ifdef __GNUC__
3701# undef __GNUC__
3702#endif
3703#define __USE_ISOC99
3704#include <limits.h>
3705#define DATA "conftest.llminmax"
3706#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3707
3708/*
3709 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3710 * we do this the hard way.
3711 */
3712static int
3713fprint_ll(FILE *f, long long n)
3714{
3715	unsigned int i;
3716	int l[sizeof(long long) * 8];
3717
3718	if (n < 0)
3719		if (fprintf(f, "-") < 0)
3720			return -1;
3721	for (i = 0; n != 0; i++) {
3722		l[i] = my_abs(n % 10);
3723		n /= 10;
3724	}
3725	do {
3726		if (fprintf(f, "%d", l[--i]) < 0)
3727			return -1;
3728	} while (i != 0);
3729	if (fprintf(f, " ") < 0)
3730		return -1;
3731	return 0;
3732}
3733		]], [[
3734	FILE *f;
3735	long long i, llmin, llmax = 0;
3736
3737	if((f = fopen(DATA,"w")) == NULL)
3738		exit(1);
3739
3740#if defined(LLONG_MIN) && defined(LLONG_MAX)
3741	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3742	llmin = LLONG_MIN;
3743	llmax = LLONG_MAX;
3744#else
3745	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3746	/* This will work on one's complement and two's complement */
3747	for (i = 1; i > llmax; i <<= 1, i++)
3748		llmax = i;
3749	llmin = llmax + 1LL;	/* wrap */
3750#endif
3751
3752	/* Sanity check */
3753	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3754	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3755	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3756		fprintf(f, "unknown unknown\n");
3757		exit(2);
3758	}
3759
3760	if (fprint_ll(f, llmin) < 0)
3761		exit(3);
3762	if (fprint_ll(f, llmax) < 0)
3763		exit(4);
3764	if (fclose(f) < 0)
3765		exit(5);
3766	exit(0);
3767		]])],
3768		[
3769			llong_min=`$AWK '{print $1}' conftest.llminmax`
3770			llong_max=`$AWK '{print $2}' conftest.llminmax`
3771
3772			AC_MSG_RESULT([$llong_max])
3773			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3774			    [max value of long long calculated by configure])
3775			AC_MSG_CHECKING([for min value of long long])
3776			AC_MSG_RESULT([$llong_min])
3777			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3778			    [min value of long long calculated by configure])
3779		],
3780		[
3781			AC_MSG_RESULT([not found])
3782		],
3783		[
3784			AC_MSG_WARN([cross compiling: not checking])
3785		]
3786	)
3787fi
3788
# Is UINT32_MAX declared by any of the limit and integer headers that were
# found earlier? Each header is included only under its HAVE_ guard.
3789AC_CHECK_DECLS([UINT32_MAX], , , [[
3790#ifdef HAVE_SYS_LIMITS_H
3791# include <sys/limits.h>
3792#endif
3793#ifdef HAVE_LIMITS_H
3794# include <limits.h>
3795#endif
3796#ifdef HAVE_STDINT_H
3797# include <stdint.h>
3798#endif
3799]])
3800
3801# More checks for data types
# Compile-only probe for u_int in sys/types.h, cached in ac_cv_have_u_int.
# On success HAVE_U_INT is defined and the shell flag have_u_int is set.
3802AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3803	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3804	[[ u_int a; a = 1;]])],
3805	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3806	])
3807])
3808if test "x$ac_cv_have_u_int" = "xyes" ; then
3809	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3810	have_u_int=1
3811fi
3812
# int8_t, int16_t and int32_t: looked for in sys/types.h first, with the
# result cached, and in stdint.h as a fallback when that header exists.
# The fallback defines HAVE_INTXX_T but does not set have_intxx_t.
3813AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3814	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3815	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3816	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3817	])
3818])
3819if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3820	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3821	have_intxx_t=1
3822fi
3823
3824if (test -z "$have_intxx_t" && \
3825	   test "x$ac_cv_header_stdint_h" = "xyes")
3826then
3827    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3828	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3829	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3830		[
3831			AC_DEFINE([HAVE_INTXX_T])
3832			AC_MSG_RESULT([yes])
3833		], [ AC_MSG_RESULT([no])
3834	])
3835fi
3836
# Compile-only probe for int64_t across sys/types.h, stdint.h, sys/socket.h
# and sys/bitypes.h, the optional ones under their HAVE_ guards. The cached
# result is also consulted by the int64_t requirement test later in the
# file.
3837AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3838	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3839#include <sys/types.h>
3840#ifdef HAVE_STDINT_H
3841# include <stdint.h>
3842#endif
3843#include <sys/socket.h>
3844#ifdef HAVE_SYS_BITYPES_H
3845# include <sys/bitypes.h>
3846#endif
3847		]], [[
3848int64_t a; a = 1;
3849		]])],
3850	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3851	])
3852])
3853if test "x$ac_cv_have_int64_t" = "xyes" ; then
3854	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3855fi
3856
# u_int8_t, u_int16_t and u_int32_t: looked for in sys/types.h first, with
# the result cached, and in sys/socket.h as a fallback. The fallback defines
# HAVE_U_INTXX_T but does not set have_u_intxx_t.
3857AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3858	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3859	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3860	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3861	])
3862])
3863if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3864	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3865	have_u_intxx_t=1
3866fi
3867
3868if test -z "$have_u_intxx_t" ; then
3869    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3870	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3871	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3872		[
3873			AC_DEFINE([HAVE_U_INTXX_T])
3874			AC_MSG_RESULT([yes])
3875		], [ AC_MSG_RESULT([no])
3876	])
3877fi
3878
# u_int64_t: looked for in sys/types.h first, with the result cached, and
# in sys/bitypes.h as a fallback when that header exists.
3879AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3880	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3881	[[ u_int64_t a; a = 1;]])],
3882	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3883	])
3884])
3885if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3886	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3887	have_u_int64_t=1
3888fi
3889
3890if (test -z "$have_u_int64_t" && \
3891	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3892then
3893    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3894	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3895	[[ u_int64_t a; a = 1]])],
3896		[
3897			AC_DEFINE([HAVE_U_INT64_T])
3898			AC_MSG_RESULT([yes])
3899		], [ AC_MSG_RESULT([no])
3900	])
3901fi
3902
# uint8_t, uint16_t and uint32_t: probed in sys/types.h only when the
# u_intXX_t flavour was not found, then in stdint.h and inttypes.h when
# those headers exist.
# NOTE(review): have_uintxx_t is never assigned in this section, so unless
# it is set elsewhere the stdint.h and inttypes.h probes run whenever their
# header exists, even after an earlier probe already succeeded - confirm.
3903if test -z "$have_u_intxx_t" ; then
3904	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3905		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3906#include <sys/types.h>
3907			]], [[
3908	uint8_t a;
3909	uint16_t b;
3910	uint32_t c;
3911	a = b = c = 1;
3912			]])],
3913		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3914		])
3915	])
3916	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3917		AC_DEFINE([HAVE_UINTXX_T], [1],
3918			[define if you have uintxx_t data type])
3919	fi
3920fi
3921
3922if (test -z "$have_uintxx_t" && \
3923	   test "x$ac_cv_header_stdint_h" = "xyes")
3924then
3925    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3926	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3927	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3928		[
3929			AC_DEFINE([HAVE_UINTXX_T])
3930			AC_MSG_RESULT([yes])
3931		], [ AC_MSG_RESULT([no])
3932	])
3933fi
3934
3935if (test -z "$have_uintxx_t" && \
3936	   test "x$ac_cv_header_inttypes_h" = "xyes")
3937then
3938    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3939	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3940	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3941		[
3942			AC_DEFINE([HAVE_UINTXX_T])
3943			AC_MSG_RESULT([yes])
3944		], [ AC_MSG_RESULT([no])
3945	])
3946fi
3947
# Last resort for both the signed and the unsigned fixed-width types:
# sys/bitypes.h. The shell gives || and && equal precedence and evaluates
# them left to right, so the condition reads as
# (u_intXX_t missing or intXX_t missing) and the header exists.
3948if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3949	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3950then
3951	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3952	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3953#include <sys/bitypes.h>
3954		]], [[
3955			int8_t a; int16_t b; int32_t c;
3956			u_int8_t e; u_int16_t f; u_int32_t g;
3957			a = b = c = e = f = g = 1;
3958		]])],
3959		[
3960			AC_DEFINE([HAVE_U_INTXX_T])
3961			AC_DEFINE([HAVE_INTXX_T])
3962			AC_MSG_RESULT([yes])
3963		], [AC_MSG_RESULT([no])
3964	])
3965fi
3966
3967
# Compile-only probe for u_char in sys/types.h, cached in ac_cv_have_u_char,
# followed by a check for intmax_t and uintmax_t in sys/types.h and, when
# present, stdint.h.
3968AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3969	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3970	[[ u_char foo; foo = 125; ]])],
3971	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3972	])
3973])
3974if test "x$ac_cv_have_u_char" = "xyes" ; then
3975	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3976fi
3977
3978AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3979#include <sys/types.h>
3980#ifdef HAVE_STDINT_H
3981# include <stdint.h>
3982#endif
3983])
3984
# TYPE_SOCKLEN_T is a project macro defined outside this section; by its
# name it settles the socklen_t type. The two checks after it look for
# sig_atomic_t in signal.h and for the filesystem count types in whichever
# of the statfs and statvfs headers exist.
3985TYPE_SOCKLEN_T
3986
3987AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3988AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3989#include <sys/types.h>
3990#ifdef HAVE_SYS_BITYPES_H
3991#include <sys/bitypes.h>
3992#endif
3993#ifdef HAVE_SYS_STATFS_H
3994#include <sys/statfs.h>
3995#endif
3996#ifdef HAVE_SYS_STATVFS_H
3997#include <sys/statvfs.h>
3998#endif
3999])
4000
# Does struct statfs have the f_files and f_flags members? The optional
# headers are included only under their HAVE_ guards.
4001AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
4002#include <sys/param.h>
4003#include <sys/types.h>
4004#ifdef HAVE_SYS_BITYPES_H
4005#include <sys/bitypes.h>
4006#endif
4007#ifdef HAVE_SYS_STATFS_H
4008#include <sys/statfs.h>
4009#endif
4010#ifdef HAVE_SYS_STATVFS_H
4011#include <sys/statvfs.h>
4012#endif
4013#ifdef HAVE_SYS_VFS_H
4014#include <sys/vfs.h>
4015#endif
4016#ifdef HAVE_SYS_MOUNT_H
4017#include <sys/mount.h>
4018#endif
4019]])
4020
4021
# Are in_addr_t and in_port_t provided by netinet/in.h?
4022AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
4023[#include <sys/types.h>
4024#include <netinet/in.h>])
4025
# Three compile-only probes of the same shape, each cached in its own
# ac_cv_have_ variable and each defining the matching HAVE_ macro on
# success: size_t and ssize_t from sys/types.h, clock_t from time.h.
4026AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
4027	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4028	[[ size_t foo; foo = 1235; ]])],
4029	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4030	])
4031])
4032if test "x$ac_cv_have_size_t" = "xyes" ; then
4033	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4034fi
4035
4036AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4037	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4038	[[ ssize_t foo; foo = 1235; ]])],
4039	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4040	])
4041])
4042if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4043	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4044fi
4045
4046AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4047	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4048	[[ clock_t foo; foo = 1235; ]])],
4049	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4050	])
4051])
4052if test "x$ac_cv_have_clock_t" = "xyes" ; then
4053	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4054fi
4055
# sa_family_t: tried with sys/types.h and sys/socket.h first; if that does
# not compile, tried again with netinet/in.h added. Either success sets the
# cached answer to yes.
4056AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4057	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4058#include <sys/types.h>
4059#include <sys/socket.h>
4060		]], [[ sa_family_t foo; foo = 1235; ]])],
4061	[ ac_cv_have_sa_family_t="yes" ],
4062	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4063#include <sys/types.h>
4064#include <sys/socket.h>
4065#include <netinet/in.h>
4066		]], [[ sa_family_t foo; foo = 1235; ]])],
4067		[ ac_cv_have_sa_family_t="yes" ],
4068		[ ac_cv_have_sa_family_t="no" ]
4069	)
4070	])
4071])
4072if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4073	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4074		[define if you have sa_family_t data type])
4075fi
4076
# Compile-only probes for pid_t and mode_t in sys/types.h, each cached and
# each defining its HAVE_ macro on success.
4077AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4078	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4079	[[ pid_t foo; foo = 1235; ]])],
4080	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4081	])
4082])
4083if test "x$ac_cv_have_pid_t" = "xyes" ; then
4084	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4085fi
4086
4087AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4088	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4089	[[ mode_t foo; foo = 1235; ]])],
4090	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4091	])
4092])
4093if test "x$ac_cv_have_mode_t" = "xyes" ; then
4094	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4095fi
4096
4097
# Compile-only probes for struct sockaddr_storage in sys/socket.h and for
# struct sockaddr_in6, including its sin6_family member, in netinet/in.h.
# Each result is cached and defines the matching HAVE_STRUCT_ macro.
4098AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4099	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4100#include <sys/types.h>
4101#include <sys/socket.h>
4102		]], [[ struct sockaddr_storage s; ]])],
4103	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4104	[ ac_cv_have_struct_sockaddr_storage="no"
4105	])
4106])
4107if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4108	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4109		[define if you have struct sockaddr_storage data type])
4110fi
4111
4112AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4113	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4114#include <sys/types.h>
4115#include <netinet/in.h>
4116		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4117	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4118	[ ac_cv_have_struct_sockaddr_in6="no"
4119	])
4120])
4121if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4122	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4123		[define if you have struct sockaddr_in6 data type])
4124fi
4125
# Compile-only probe for struct in6_addr and its s6_addr member in
# netinet/in.h. Only when it is found does the nested check look for the
# sin6_scope_id member of struct sockaddr_in6.
4126AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4127	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4128#include <sys/types.h>
4129#include <netinet/in.h>
4130		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4131	[ ac_cv_have_struct_in6_addr="yes" ],
4132	[ ac_cv_have_struct_in6_addr="no"
4133	])
4134])
4135if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4136	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4137		[define if you have struct in6_addr data type])
4138
4139dnl Now check for sin6_scope_id
4140	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4141		[
4142#ifdef HAVE_SYS_TYPES_H
4143#include <sys/types.h>
4144#endif
4145#include <netinet/in.h>
4146		])
4147fi
4148
# Compile-only probe for struct addrinfo in netdb.h; the test program also
# needs AI_PASSIVE to be available. The result is cached.
4149AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4150	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4151#include <sys/types.h>
4152#include <sys/socket.h>
4153#include <netdb.h>
4154		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4155	[ ac_cv_have_struct_addrinfo="yes" ],
4156	[ ac_cv_have_struct_addrinfo="no"
4157	])
4158])
4159if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4160	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4161		[define if you have struct addrinfo data type])
4162fi
4163
AC_HEADER_TIME

dnl Compile probe for struct timeval. Besides the config.h define, success
dnl also sets the shell flag have_struct_timeval.
AC_CACHE_CHECK([for struct timeval], [ac_cv_have_struct_timeval],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
			[[ struct timeval tv; tv.tv_sec = 1;]])],
		[ac_cv_have_struct_timeval="yes"],
		[ac_cv_have_struct_timeval="no"])])
AS_IF([test "x$ac_cv_have_struct_timeval" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
	have_struct_timeval=1
])
4177
dnl Compile probe for struct timespec. The test program pulls in sys/time.h
dnl and/or time.h according to TIME_WITH_SYS_TIME and HAVE_SYS_TIME_H. Success
dnl also sets the shell flag have_struct_timespec.
AC_CACHE_CHECK([for struct timespec], [ac_cv_have_struct_timespec],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
    #ifdef TIME_WITH_SYS_TIME
    # include <sys/time.h>
    # include <time.h>
    #else
    # ifdef HAVE_SYS_TIME_H
    #  include <sys/time.h>
    # else
    #  include <time.h>
    # endif
    #endif
		]],
		[[ struct timespec ts; ts.tv_sec = 1;]])],
		[ac_cv_have_struct_timespec="yes"],
		[ac_cv_have_struct_timespec="no"])])
AS_IF([test "x$ac_cv_have_struct_timespec" = "xyes"], [
	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
	have_struct_timespec=1
])
4200
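# We need int64_t or else certain parts of the compile will fail.
dnl The three cached results below must all say "no 64-bit integer" before
dnl configure gives up; otherwise the snprintf run test follows.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
dnl test snprintf (broken on SCO w/gcc)
dnl The program formats the largest signed 64-bit value and compares it with
dnl the expected decimal string. Any failure, including a failure to compile,
dnl defines BROKEN_SNPRINTF, so main is declared with an explicit int return
dnl type: a compiler that rejects implicit int would otherwise turn a working
dnl snprintf into a false "broken" verdict.
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
	int mazsize = 50 ;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, mazsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)
fi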
4240
dnl Checks for structure members
dnl Each call names a field, the header to look in and the symbol to define.
dnl The probes are grouped by header: utmp.h first, then utmpx.h.
OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])

OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4260
dnl Optional members of struct stat, probed with the default includes.
AC_CHECK_MEMBERS([struct stat.st_blksize, struct stat.st_mtim,
struct stat.st_mtime])

dnl Optional members of struct passwd, probed against pwd.h.
AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
struct passwd.pw_change, struct passwd.pw_expire],
	[], [],
	[[
#include <sys/types.h>
#include <pwd.h>
]])
4270
dnl When struct __res_state has no retrans member visible through resolv.h,
dnl the name __res_state is defined to the token state instead.
AC_CHECK_MEMBER([struct __res_state.retrans],
	[],
	[AC_DEFINE([__res_state], [state],
		[Define if we don't have struct __res_state in resolv.h])],
	[[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
]])
4282
dnl Two spellings of the address family member of struct sockaddr_storage are
dnl probed, ss_family and __ss_family. Each has its own cached compile test
dnl and its own define.
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
	[ac_cv_have_ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
		[ac_cv_have_ss_family_in_struct_ss="yes"],
		[ac_cv_have_ss_family_in_struct_ss="no"])])
AS_IF([test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes"],
	[AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])])

AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
	[ac_cv_have___ss_family_in_struct_ss],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
		[ac_cv_have___ss_family_in_struct_ss="yes"],
		[ac_cv_have___ss_family_in_struct_ss="no"])])
AS_IF([test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes"],
	[AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
		[Fields in struct sockaddr_storage])])
4310
dnl make sure we're using the real structure members and not defines
dnl A msg_accrights macro trips the #error line, so only a genuine member of
dnl struct msghdr produces "yes". The define selects the access rights style
dnl of file descriptor passing.
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
	[ac_cv_have_accrights_in_msghdr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ac_cv_have_accrights_in_msghdr="yes"],
		[ac_cv_have_accrights_in_msghdr="no"])])
AS_IF([test "x$ac_cv_have_accrights_in_msghdr" = "xyes"],
	[AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])])
4337
dnl Find out how f_fsid of struct statvfs can be assigned. When a plain
dnl integer assignment does not compile, the val and __val members of fsid_t
dnl are tried in turn and each one that compiles gets its own define.
AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <sys/stat.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_MOUNT_H
#include <sys/mount.h>
#endif
#ifdef HAVE_SYS_STATVFS_H
#include <sys/statvfs.h>
#endif
	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])

	AC_MSG_CHECKING([if fsid_t has member val])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
		]], [[ fsid_t t; t.val[0] = 0; ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val])],
		[AC_MSG_RESULT([no])])

	AC_MSG_CHECKING([if f_fsid has member __val])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/statvfs.h>
		]], [[ fsid_t t; t.__val[0] = 0; ]])],
		[AC_MSG_RESULT([yes])
		 AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val])],
		[AC_MSG_RESULT([no])])
])
4373
dnl Ancillary data counterpart of the msg_accrights probe: a msg_control macro
dnl trips the #error line, so only a genuine member of struct msghdr produces
dnl "yes". The define selects the ancillary data style of descriptor passing.
AC_CACHE_CHECK([for msg_control field in struct msghdr],
	[ac_cv_have_control_in_msghdr],
	[AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ac_cv_have_control_in_msghdr="yes"],
		[ac_cv_have_control_in_msghdr="no"])])
AS_IF([test "x$ac_cv_have_control_in_msghdr" = "xyes"],
	[AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])])
4399
dnl Link test: the program references the external symbol __progname, so the
dnl result is "yes" only when the link succeeds.
AC_CACHE_CHECK([if libc defines __progname],
	[ac_cv_libc_defines___progname],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ extern char *__progname; printf("%s", __progname); ]])],
		[ac_cv_libc_defines___progname="yes"],
		[ac_cv_libc_defines___progname="no"])])
AS_IF([test "x$ac_cv_libc_defines___progname" = "xyes"],
	[AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])])
4410
dnl Both spellings of the current-function identifier are probed with a link
dnl test that prints it; each one found gets its own define.
AC_CACHE_CHECK([whether $CC implements __FUNCTION__],
	[ac_cv_cc_implements___FUNCTION__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __FUNCTION__); ]])],
		[ac_cv_cc_implements___FUNCTION__="yes"],
		[ac_cv_cc_implements___FUNCTION__="no"])])
AS_IF([test "x$ac_cv_cc_implements___FUNCTION__" = "xyes"],
	[AC_DEFINE([HAVE___FUNCTION__], [1],
		[Define if compiler implements __FUNCTION__])])

AC_CACHE_CHECK([whether $CC implements __func__],
	[ac_cv_cc_implements___func__],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
			[[ printf("%s", __func__); ]])],
		[ac_cv_cc_implements___func__="yes"],
		[ac_cv_cc_implements___func__="no"])])
AS_IF([test "x$ac_cv_cc_implements___func__" = "xyes"],
	[AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])])
4433
dnl Link tests for va_copy and for the __va_copy spelling, each applied to
dnl two file-scope va_list objects.
AC_CACHE_CHECK([whether va_copy exists], [ac_cv_have_va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ va_copy(x,y); ]])],
		[ac_cv_have_va_copy="yes"],
		[ac_cv_have_va_copy="no"])])
AS_IF([test "x$ac_cv_have_va_copy" = "xyes"],
	[AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])])

AC_CACHE_CHECK([whether __va_copy exists], [ac_cv_have___va_copy],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdarg.h>
va_list x,y;
		]], [[ __va_copy(x,y); ]])],
		[ac_cv_have___va_copy="yes"],
		[ac_cv_have___va_copy="no"])])
AS_IF([test "x$ac_cv_have___va_copy" = "xyes"],
	[AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])])
4458
dnl Link test: the program assigns to an external int named optreset, so the
dnl result is "yes" only when the library provides that symbol.
AC_CACHE_CHECK([whether getopt has optreset support],
	[ac_cv_have_getopt_optreset],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <getopt.h> ]],
			[[ extern int optreset; optreset = 0; ]])],
		[ac_cv_have_getopt_optreset="yes"],
		[ac_cv_have_getopt_optreset="no"])])
AS_IF([test "x$ac_cv_have_getopt_optreset" = "xyes"],
	[AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
		[Define if your getopt(3) defines and uses optreset])])
4471
dnl Link tests for the legacy error table symbols. Both programs declare the
dnl symbol themselves, so only the link step decides the outcome.
AC_CACHE_CHECK([if libc defines sys_errlist],
	[ac_cv_libc_defines_sys_errlist],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
		[ac_cv_libc_defines_sys_errlist="yes"],
		[ac_cv_libc_defines_sys_errlist="no"])])
if test "x$ac_cv_libc_defines_sys_errlist" = "xyes"
then
	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
		[Define if your system defines sys_errlist[]])
fi


AC_CACHE_CHECK([if libc defines sys_nerr],
	[ac_cv_libc_defines_sys_nerr],
	[AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
		[ac_cv_libc_defines_sys_nerr="yes"],
		[ac_cv_libc_defines_sys_nerr="no"])])
if test "x$ac_cv_libc_defines_sys_nerr" = "xyes"
then
	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
fi
4495
# Check libraries needed by DNS fingerprint support
dnl A system getrrsetbyname is preferred. Without one, the resolver pieces
dnl that the bundled replacement relies on are located instead: res_query,
dnl dn_expand, the _getshort and _getlong helpers and the ad member of HEADER.
dnl NOTE(review): HEADER.ad is presumably the authenticated-data bit of the
dnl DNS header, i.e. how a validated answer is told apart from an unvalidated
dnl one - confirm against the replacement code.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])

		# First try to link res_query with the libraries found so far and
		# only then retry with -lresolv appended by hand. LIBS is put back
		# when the retry fails as well.
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE(
			[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
			[AC_MSG_RESULT([yes])],
			[AC_MSG_RESULT([no])
			 saved_LIBS="$LIBS"
			 LIBS="$LIBS -lresolv"
			 AC_MSG_CHECKING([for res_query in -lresolv])
			 AC_LINK_IFELSE(
				[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
				[AC_MSG_RESULT([yes])],
				[LIBS="$saved_LIBS"
				 AC_MSG_RESULT([no])])
			])

		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], [], [],
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])],
			[],
			[#include <arpa/nameser.h>])
	])
4541
dnl Link test: the program takes the address of _res through a volatile
dnl pointer so that the reference has to be resolved.
AC_MSG_CHECKING([if struct __res_state _res is an extern])
AC_LINK_IFELSE(
	[AC_LANG_PROGRAM([[
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
		]], [[
struct __res_state *volatile p = &_res;  /* force resolution of _res */
return 0;
		]])],
	[AC_MSG_RESULT([yes])
	 AC_DEFINE([HAVE__RES_EXTERN], [1],
	    [Define if you have struct __res_state _res as an extern])],
	[AC_MSG_RESULT([no])])
4562
# Check whether user wants SELinux support
dnl Opt-in only. Once requested, a missing selinux/selinux.h or a libselinux
dnl without setexeccon stops configure with an error, so the option cannot
dnl silently degrade to a build without SELinux support.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[AS_IF([test "x$withval" != "xno"], [
		save_LIBS="$LIBS"
		AC_DEFINE([WITH_SELINUX], [1],
			[Define if you want SELinux support.])
		SELINUX_MSG="yes"
		AC_CHECK_HEADER([selinux/selinux.h], [],
			[AC_MSG_ERROR([SELinux support requires selinux.h header])])
		AC_CHECK_LIB([selinux], [setexeccon],
			[LIBSELINUX="-lselinux"
			 LIBS="$LIBS -lselinux"],
			[AC_MSG_ERROR([SELinux support requires libselinux library])])
		dnl Optional helpers, probed while -lselinux is on LIBS.
		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
		LIBS="$save_LIBS $LIBSELINUX"
	])]
)
AC_SUBST([SSHDLIBS])
4585
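# Check whether user wants Kerberos 5 support
dnl --with-kerberos5 takes an optional install prefix, /usr/local when none
dnl is given. Flags come from krb5-config when an executable one is found
dnl under that prefix or on PATH; otherwise include and library directories
dnl are derived from the prefix and the libraries are probed one by one.
dnl NOTE(review): the prefix also ends up in the run-time library search path
dnl when rpath_opt is set, so it should name a directory tree that only
dnl trusted users can write to.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		AC_PATH_TOOL([KRB5CONF], [krb5-config],
			     [$KRB5ROOT/bin/krb5-config],
			     [$KRB5ROOT/bin:$PATH])
		# The helper path is quoted wherever it is tested or run so that a
		# prefix containing whitespace is not split into several words.
		if test -x "$KRB5CONF" ; then
			K5CFLAGS=`"$KRB5CONF" --cflags`
			K5LIBS=`"$KRB5CONF" --libs`
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			if "$KRB5CONF" | grep gssapi >/dev/null ; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS=`"$KRB5CONF" --cflags gssapi`
				GSSLIBS=`"$KRB5CONF" --libs gssapi`
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# No usable krb5-config: fall back to the conventional
			# include and lib directories under the prefix.
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					 AC_DEFINE([HEIMDAL])
					 K5LIBS="-lkrb5"
					 K5LIBS="$K5LIBS -lcom_err -lasn1"
					 AC_CHECK_LIB([roken], [net_write],
					   [K5LIBS="$K5LIBS -lroken"])
					 AC_CHECK_LIB([des], [des_cbc_encrypt],
					   [K5LIBS="$K5LIBS -ldes"])
				       ], [ AC_MSG_RESULT([no])
					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
			])
			AC_SEARCH_LIBS([dn_expand], [resolv])

			# Try the GSS-API library names in turn: gssapi_krb5, then
			# gssapi, then gss. Finding none only produces a warning.
			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
				[ AC_DEFINE([GSSAPI])
				  GSSLIBS="-lgssapi_krb5" ],
				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi" ],
					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgss" ],
						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
					])
				])

			AC_CHECK_HEADER([gssapi.h], ,
				[ unset ac_cv_header_gssapi_h
				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				  AC_CHECK_HEADERS([gssapi.h], ,
					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
				  )
				]
			)

			# The extra include directory is kept only if it makes
			# gssapi_krb5.h visible.
			oldCPP="$CPPFLAGS"
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
			AC_CHECK_HEADER([gssapi_krb5.h], ,
					[ CPPFLAGS="$oldCPP" ])

		fi
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		# The Kerberos libraries are on LIBS only for the function probes.
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])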
4713
4714# Looking for programs, paths and files
4715
dnl Directory used as the privilege separation chroot, /var/empty unless
dnl --with-privsep-path names another one. An empty value, "yes" and "no"
dnl leave the default in place.
dnl NOTE(review): configure only records the path. Whether the directory
dnl exists, is empty and is writable by nobody but root is not checked here.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		case "$withval" in
		""|no|yes) ;;
		*) PRIVSEP_PATH=$withval ;;
		esac
	]
)
AC_SUBST([PRIVSEP_PATH])
4727
dnl xauth_path comes from --with-xauth when a real path is given. Without the
dnl option, xauth is searched for on PATH plus four traditional X11 binary
dnl directories, and /usr/openwin/bin/xauth wins whenever a match was found
dnl and that file is executable.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		case "$withval" in
		""|no|yes) ;;
		*) xauth_path=$withval ;;
		esac
	],
	[
		TestPath="${PATH}${PATH_SEPARATOR}/usr/X/bin${PATH_SEPARATOR}/usr/bin/X11"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin${PATH_SEPARATOR}/usr/openwin/bin"
		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
		if test -n "$xauth_path" && test -x "/usr/openwin/bin/xauth" ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4748
dnl STRIP_OPT is -s unless --disable-strip was given, in which case it is
dnl substituted as an empty string.
STRIP_OPT=-s
AC_ARG_ENABLE([strip],
	[  --disable-strip         Disable calling strip(1) on install],
	[AS_IF([test "x$enableval" = "xno"], [STRIP_OPT=])]
)
AC_SUBST([STRIP_OPT])
4759
dnl XAUTH_PATH is always substituted. The config.h define is emitted only when
dnl a path was found; otherwise the substituted value is the word undefined.
if test -n "$xauth_path" ; then
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
	XAUTH_PATH=$xauth_path
else
	XAUTH_PATH="undefined"
fi
AC_SUBST([XAUTH_PATH])
4769
dnl # --with-maildir=/path/to/mail gets top priority.
dnl # if maildir is set in the platform case statement above we use that.
dnl # Otherwise we run a program to get the dir from system headers.
dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
dnl # If we find _PATH_MAILDIR we do nothing because that is what
dnl # session.c expects anyway. Otherwise we set to the value found
dnl # stripping any trailing slash. If for some strange reason our program
dnl # does not find what it needs, we default to /var/spool/mail.
dnl # The helper program reports through conftest.maildir as NAME:VALUE and
dnl # exits with status 2 when none of the three macros is defined.
# Check for mail directory
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	case "$withval" in
	""|no|yes) ;;
	*)
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
		;;
	esac
    ],
    [
	if test "X$maildir" != "X"; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

#if defined (_PATH_MAILDIR)
	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
		exit(1);
#elif defined (MAILDIR)
	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
		exit(1);
#elif defined (_PATH_MAIL)
	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
		exit(1);
#else
	exit (2);
#endif

	exit(0);
		]])],
		[
		    # Field 1 names the macro that matched, field 2 is its value
		    # with one trailing slash removed.
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    fi
		],
		[
		    if test "X$ac_status" = "X2"; then
# our test program didn't find it. Default to /var/spool/mail
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		    else
			AC_MSG_RESULT([*** not found ***])
		    fi
		],
		[
		    AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir
4852
dnl /dev/ptmx is looked up on the machine running configure, so the file test
dnl is skipped when cross compiling and when no_dev_ptmx has been set.
AS_IF([test "x$cross_compiling" = "xyes"], [
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
	disable_ptmx_check=yes
])
AS_IF([test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes"], [
	AC_CHECK_FILE(["/dev/ptmx"], [
		AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
			[Define if you have /dev/ptmx])
		have_dev_ptmx=1
	])
])
4868
dnl /dev/ptc is tested only when cross_compiling is set to something other
dnl than "yes". Every other case, an empty value included, takes the warning
dnl branch.
AS_IF([test -n "$cross_compiling" && test "x$cross_compiling" != "xyes"], [
	AC_CHECK_FILE(["/dev/ptc"], [
		AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
			[Define if you have /dev/ptc])
		have_dev_ptc=1
	])
], [
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
])
4880
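# Options from here on. Some of these are preset by platform above
dnl MANTYPE is taken from --with-mantype when given and may already have been
dnl preset. Otherwise it is detected by running the available formatters over
dnl ssh.1, with "cat" as the fallback.
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		case "$withval" in
		man|cat|doc)
			MANTYPE=$withval
			;;
		*)
			AC_MSG_ERROR([invalid man type: $withval])
			;;
		esac
	]
)
if test -z "$MANTYPE"; then
	# Each formatter is tried only when it was actually found. With an
	# empty variable the command word would be the next argument, that
	# is the ssh.1 file itself or the formatter option.
	if test "x$MANDOC" != "x" && \
	    ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
		MANTYPE=doc
	elif test "x$NROFF" != "x" && \
	    ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
		MANTYPE=doc
	elif test "x$NROFF" != "x" && \
	    ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
		MANTYPE=man
	else
		MANTYPE=cat
	fi
fi
AC_SUBST([MANTYPE])
# The doc type shares the man subdirectory; man and cat use their own name.
if test "$MANTYPE" = "doc"; then
	mansubdir=man;
else
	mansubdir=$MANTYPE;
fi
AC_SUBST([mansubdir])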
4913
# Check whether to enable MD5 passwords
dnl Nothing is enabled here unless --with-md5-passwords is passed with a
dnl value other than "no"; MD5_MSG records the outcome.
MD5_MSG="no"
AC_ARG_WITH([md5-passwords],
	[  --with-md5-passwords    Enable use of MD5 passwords],
	[AS_IF([test "x$withval" != "xno"], [
		AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
			[Define if you want to allow MD5 passwords])
		MD5_MSG="yes"
	])]
)
4926
# Whether to disable shadow password support
dnl --without-shadow defines DISABLE_SHADOW and sets disable_shadow, which
dnl also suppresses the probe for the expiry members of struct spwd below.
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[AS_IF([test "x$withval" = "xno"], [
		AC_DEFINE([DISABLE_SHADOW])
		disable_shadow=yes
	])]
)

AS_IF([test -z "$disable_shadow"], [
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[sp_expire_available=yes],
		[])

	AS_IF([test "x$sp_expire_available" = "xyes"], [
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
	], [
		AC_MSG_RESULT([no])
	])
])
4956
# Use ip address instead of hostname in $DISPLAY
dnl A non-empty IPADDR_IN_DISPLAY shell variable forces the feature on.
dnl Otherwise it stays off unless --with-ipaddr-display asks for it.
if test -n "$IPADDR_IN_DISPLAY" ; then
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
else
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[AS_IF([test "x$withval" != "xno"], [
			AC_DEFINE([IPADDR_IN_DISPLAY])
			DISPLAY_HACK_MSG="yes"
		])]
	)
fi
4975
# check for /etc/default/login and use it if present.
dnl etc_default_login ends up "no" when the option disables it or, without
dnl the option, when cross compiling. Only otherwise is the file looked up on
dnl the build machine and recorded in external_path_file.
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[
		case "x$enableval" in
		xno)
			AC_MSG_NOTICE([/etc/default/login handling disabled])
			etc_default_login=no
			;;
		*)
			etc_default_login=yes
			;;
		esac
	],
	[
		case "x$cross_compiling" in
		xyes)
			AC_MSG_WARN([cross compiling: not checking /etc/default/login])
			etc_default_login=no
			;;
		*)
			etc_default_login=yes
			;;
		esac
	]
)

AS_IF([test "x$etc_default_login" != "xno"], [
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	AS_IF([test "x$external_path_file" = "x/etc/default/login"],
		[AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])])
])
5002
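dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
dnl Both cache variables are compared in quoted form with an x prefix: if
dnl either one is empty or unset, a bare expansion would leave test without
dnl its left operand and make it print a syntax error.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi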
5008
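# Whether to mess with the default path
dnl user_path becomes the compiled-in USER_PATH unless /etc/login.conf governs
dnl the path. Without --with-default-path the value is the _PATH_STDPATH that
dnl the system headers provide, or a fixed fallback, and bindir is appended
dnl when it is not already one of the entries so that scp can be found.
dnl NOTE(review): whatever ends up in user_path is what the server hands out
dnl as the default PATH, so every directory on it should be writable by
dnl trusted users only.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		# Expand bindir until no variable reference or NONE prefix is left.
		t_bindir="${bindir}"
		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole colon-separated entries. A grep for the bare
		# string would also match a longer directory that merely starts
		# with bindir, and would treat dots in the path as wildcards.
		case ":${user_path}:" in
			*":${t_bindir}:"*) ;;
			*)
				user_path=$user_path:$t_bindir
				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
				;;
		esac
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi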
5097
# Set superuser path separately to user path
dnl Nothing is defined unless --with-superuser-path carries a real value; an
dnl empty value, "yes" and "no" are ignored.
dnl NOTE(review): the value is taken as given. Directories on a superuser
dnl PATH should not be writable by unprivileged users.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[
		case "$withval" in
		""|no|yes) ;;
		*)
			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
				[Define if you want a different $PATH
				for the superuser])
			superuser_path=$withval
			;;
		esac
	]
)
5111
5112
dnl --with-4in6 decides explicitly. Without the option the platform default
dnl held in inet6_default_4in6 applies.
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH([4in6],
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[AS_IF([test "x$withval" != "xno"], [
		AC_MSG_RESULT([yes])
		AC_DEFINE([IPV4_IN_IPV6], [1],
			[Detect IPv4 in IPv6 mapped addresses
			and treat as IPv4])
		IPV4_IN6_HACK_MSG="yes"
	], [
		AC_MSG_RESULT([no])
	])],
	[AS_IF([test "x$inet6_default_4in6" = "xyes"], [
		AC_MSG_RESULT([yes (default)])
		AC_DEFINE([IPV4_IN_IPV6])
		IPV4_IN6_HACK_MSG="yes"
	], [
		AC_MSG_RESULT([no (default)])
	])]
)
5137
5138# Whether to enable BSD auth support
# Off by default: BSD_AUTH is defined only when --with-bsd-auth is given with
# a value other than "no". No check is made here that the platform actually
# provides BSD auth. BSD_AUTH_MSG feeds the summary at the end of configure.
5139BSD_AUTH_MSG=no
5140AC_ARG_WITH([bsd-auth],
5141	[  --with-bsd-auth         Enable BSD auth support],
5142	[
5143		if test "x$withval" != "xno" ; then
5144			AC_DEFINE([BSD_AUTH], [1],
5145				[Define if you have BSD auth support])
5146			BSD_AUTH_MSG=yes
5147		fi
5148	]
5149)
5150
5151# Where to place sshd.pid
5152piddir=/var/run
5153# make sure the directory exists
# If /var/run is missing on the build host, fall back to the expanded
# sysconfdir. The eval expands variable references inside sysconfdir, and the
# case arm replaces a leading NONE (no prefix given) with the default prefix.
# NOTE(review): the fallback puts the pid file next to the configuration
# files; confirm that is acceptable for the target system.
5154if test ! -d $piddir ; then
5155	piddir=`eval echo ${sysconfdir}`
5156	case $piddir in
5157		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5158	esac
5159fi
5160
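# --with-pid-dir overrides the default pid directory. The value is accepted
# when it is non-empty and neither "yes" nor "no"; a missing directory only
# produces a warning and does not stop configure. The directory test quotes
# $piddir so that a value containing whitespace is tested as a single path
# instead of making test fail with a syntax error and hiding the warning.
5161AC_ARG_WITH([pid-dir],
5162	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5163	[
5164		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5165		    test "x${withval}" != "xyes"; then
5166			piddir=$withval
5167			if test ! -d "$piddir" ; then
5168			AC_MSG_WARN([** no $piddir directory on this system **])
5169			fi
5170		fi
5171	]
5172)
5173
# The final value is compiled in as _PATH_SSH_PIDDIR and substituted as
# @piddir@.
5174AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5175	[Specify location of ssh.pid])
5176AC_SUBST([piddir])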
5177
5178dnl allow user to disable some login recording features
# Each --disable-FEATURE below defines the matching DISABLE_* macro; giving
# --enable-FEATURE or omitting the option defines nothing here.
# NOTE(review): lastlog, utmp/utmpx and wtmp/wtmpx are the records that tools
# such as last and who read, so switching them off reduces the login history
# available for audit and incident response.
# NOTE(review): DISABLE_LASTLOG, DISABLE_UTMP, DISABLE_WTMP and DISABLE_LOGIN
# are defined here without a description; presumably the config.h template
# text for them comes from elsewhere in the build files - confirm.
5179AC_ARG_ENABLE([lastlog],
5180	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5181	[
5182		if test "x$enableval" = "xno" ; then
5183			AC_DEFINE([DISABLE_LASTLOG])
5184		fi
5185	]
5186)
5187AC_ARG_ENABLE([utmp],
5188	[  --disable-utmp          disable use of utmp even if detected [no]],
5189	[
5190		if test "x$enableval" = "xno" ; then
5191			AC_DEFINE([DISABLE_UTMP])
5192		fi
5193	]
5194)
5195AC_ARG_ENABLE([utmpx],
5196	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5197	[
5198		if test "x$enableval" = "xno" ; then
5199			AC_DEFINE([DISABLE_UTMPX], [1],
5200				[Define if you don't want to use utmpx])
5201		fi
5202	]
5203)
5204AC_ARG_ENABLE([wtmp],
5205	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5206	[
5207		if test "x$enableval" = "xno" ; then
5208			AC_DEFINE([DISABLE_WTMP])
5209		fi
5210	]
5211)
5212AC_ARG_ENABLE([wtmpx],
5213	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5214	[
5215		if test "x$enableval" = "xno" ; then
5216			AC_DEFINE([DISABLE_WTMPX], [1],
5217				[Define if you don't want to use wtmpx])
5218		fi
5219	]
5220)
5221AC_ARG_ENABLE([libutil],
5222	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5223	[
5224		if test "x$enableval" = "xno" ; then
5225			AC_DEFINE([DISABLE_LOGIN])
5226		fi
5227	]
5228)
5229AC_ARG_ENABLE([pututline],
5230	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5231	[
5232		if test "x$enableval" = "xno" ; then
5233			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5234				[Define if you don't want to use pututline()
5235				etc. to write [uw]tmp])
5236		fi
5237	]
5238)
5239AC_ARG_ENABLE([pututxline],
5240	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5241	[
5242		if test "x$enableval" = "xno" ; then
5243			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5244				[Define if you don't want to use pututxline()
5245				etc. to write [uw]tmpx])
5246		fi
5247	]
5248)
# --with-lastlog=no (or --without-lastlog) defines DISABLE_LASTLOG. Any other
# non-empty value except "yes" is stored as the lastlog location, which makes
# the file search further down in this file a no-op.
5249AC_ARG_WITH([lastlog],
5250  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5251	[
5252		if test "x$withval" = "xno" ; then
5253			AC_DEFINE([DISABLE_LASTLOG])
5254		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5255			conf_lastlog_location=$withval
5256		fi
5257	]
5258)
5259
5260dnl lastlog, [uw]tmpx? detection
5261dnl  NOTE: set the paths in the platform section to avoid the
5262dnl   need for command-line parameters
5263dnl lastlog and [uw]tmp are subject to a file search if all else fails
5264
5265dnl lastlog detection
5266dnl  NOTE: the code itself will detect if lastlog is a directory
# Compile-time probe: first LASTLOG_FILE, then _PATH_LASTLOG. Only when both
# probes fail is system_lastlog_path set to "no".
5267AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5268AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5269#include <sys/types.h>
5270#include <utmp.h>
5271#ifdef HAVE_LASTLOG_H
5272#  include <lastlog.h>
5273#endif
5274#ifdef HAVE_PATHS_H
5275#  include <paths.h>
5276#endif
5277#ifdef HAVE_LOGIN_H
5278# include <login.h>
5279#endif
5280	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5281		[ AC_MSG_RESULT([yes]) ],
5282		[
5283		AC_MSG_RESULT([no])
5284		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5285		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5286#include <sys/types.h>
5287#include <utmp.h>
5288#ifdef HAVE_LASTLOG_H
5289#  include <lastlog.h>
5290#endif
5291#ifdef HAVE_PATHS_H
5292#  include <paths.h>
5293#endif
5294		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5295		[ AC_MSG_RESULT([yes]) ],
5296		[
5297			AC_MSG_RESULT([no])
5298			system_lastlog_path=no
5299		])
5300])
5301
# File search, used only when no location was configured and the headers
# define neither macro. The loop has no break, so when several candidates
# exist on the build host the last one in the list is the one recorded.
# NOTE(review): the search inspects the build host; for cross or packaged
# builds confirm the recorded path also exists on the target.
5302if test -z "$conf_lastlog_location"; then
5303	if test x"$system_lastlog_path" = x"no" ; then
5304		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5305				if (test -d "$f" || test -f "$f") ; then
5306					conf_lastlog_location=$f
5307				fi
5308		done
5309		if test -z "$conf_lastlog_location"; then
5310			AC_MSG_WARN([** Cannot find lastlog **])
5311			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5312		fi
5313	fi
5314fi
5315
# CONF_LASTLOG_FILE is defined only when a location was configured or found.
5316if test -n "$conf_lastlog_location"; then
5317	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5318		[Define if you want to specify the path to your lastlog file])
5319fi
5320
5321dnl utmp detection
# Probe for UTMP_FILE in the system headers; if it is missing and no location
# is already held in conf_utmp_location (not assigned in this part of the
# file), search the fixed list below. The loop has no break, so the last
# existing file wins.
# NOTE(review): when nothing is found DISABLE_UTMP is defined without any
# message, so utmp recording is switched off silently. Inspect the generated
# config.h to see what the build ended up with.
5322AC_MSG_CHECKING([if your system defines UTMP_FILE])
5323AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5324#include <sys/types.h>
5325#include <utmp.h>
5326#ifdef HAVE_PATHS_H
5327#  include <paths.h>
5328#endif
5329	]], [[ char *utmp = UTMP_FILE; ]])],
5330	[ AC_MSG_RESULT([yes]) ],
5331	[ AC_MSG_RESULT([no])
5332	  system_utmp_path=no
5333])
5334if test -z "$conf_utmp_location"; then
5335	if test x"$system_utmp_path" = x"no" ; then
5336		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5337			if test -f $f ; then
5338				conf_utmp_location=$f
5339			fi
5340		done
5341		if test -z "$conf_utmp_location"; then
5342			AC_DEFINE([DISABLE_UTMP])
5343		fi
5344	fi
5345fi
5346if test -n "$conf_utmp_location"; then
5347	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5348		[Define if you want to specify the path to your utmp file])
5349fi
5350
5351dnl wtmp detection
# Probe for WTMP_FILE in the system headers; if it is missing and no location
# is already held in conf_wtmp_location (not assigned in this part of the
# file), search the fixed list below. The loop has no break, so the last
# existing file wins.
# NOTE(review): when nothing is found DISABLE_WTMP is defined without any
# message, so wtmp recording is switched off silently. Inspect the generated
# config.h to see what the build ended up with.
5352AC_MSG_CHECKING([if your system defines WTMP_FILE])
5353AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5354#include <sys/types.h>
5355#include <utmp.h>
5356#ifdef HAVE_PATHS_H
5357#  include <paths.h>
5358#endif
5359	]], [[ char *wtmp = WTMP_FILE; ]])],
5360	[ AC_MSG_RESULT([yes]) ],
5361	[ AC_MSG_RESULT([no])
5362	  system_wtmp_path=no
5363])
5364if test -z "$conf_wtmp_location"; then
5365	if test x"$system_wtmp_path" = x"no" ; then
5366		for f in /usr/adm/wtmp /var/log/wtmp; do
5367			if test -f $f ; then
5368				conf_wtmp_location=$f
5369			fi
5370		done
5371		if test -z "$conf_wtmp_location"; then
5372			AC_DEFINE([DISABLE_WTMP])
5373		fi
5374	fi
5375fi
5376if test -n "$conf_wtmp_location"; then
5377	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5378		[Define if you want to specify the path to your wtmp file])
5379fi
5380
5381dnl wtmpx detection
# Probe for WTMPX_FILE. Unlike utmp and wtmp there is no file search: with no
# location in conf_wtmpx_location (not assigned in this part of the file) and
# no WTMPX_FILE in the headers, DISABLE_WTMPX is defined without a message.
# A non-empty conf_wtmpx_location is recorded as CONF_WTMPX_FILE.
# The probe includes utmp.h unconditionally and utmpx.h only when
# HAVE_UTMPX_H is set.
5382AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5383AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5384#include <sys/types.h>
5385#include <utmp.h>
5386#ifdef HAVE_UTMPX_H
5387#include <utmpx.h>
5388#endif
5389#ifdef HAVE_PATHS_H
5390#  include <paths.h>
5391#endif
5392	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5393	[ AC_MSG_RESULT([yes]) ],
5394	[ AC_MSG_RESULT([no])
5395	  system_wtmpx_path=no
5396])
5397if test -z "$conf_wtmpx_location"; then
5398	if test x"$system_wtmpx_path" = x"no" ; then
5399		AC_DEFINE([DISABLE_WTMPX])
5400	fi
5401else
5402	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5403		[Define if you want to specify the path to your wtmpx file])
5404fi
5405
5406
# blibpath and blibflags are set earlier in the file (not visible here). When
# a path was collected it is appended to LDFLAGS and so reaches every link
# line; the warning asks the builder to review it by hand.
# NOTE(review): presumably this is a run-time library search path embedded in
# the binaries - confirm. If so, every directory in it must be one that
# unprivileged users cannot write to.
5407if test ! -z "$blibpath" ; then
5408	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5409	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5410fi
5411
# Structure check: when struct lastlog has no ll_line member, lastlog support
# is disabled, unless SKIP_DISABLE_LASTLOG_DEFINE (set outside this part of
# the file) is "yes". The last argument is the header prologue used for the
# test program.
5412AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5413    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5414	AC_DEFINE([DISABLE_LASTLOG])
5415    fi
5416	], [
5417#ifdef HAVE_SYS_TYPES_H
5418#include <sys/types.h>
5419#endif
5420#ifdef HAVE_UTMP_H
5421#include <utmp.h>
5422#endif
5423#ifdef HAVE_UTMPX_H
5424#include <utmpx.h>
5425#endif
5426#ifdef HAVE_LASTLOG_H
5427#include <lastlog.h>
5428#endif
5429	])
5430
# Structure check: when struct utmp has no ut_line member, both utmp and wtmp
# recording are disabled. No message is printed beyond the result of the
# member check itself.
5431AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5432	AC_DEFINE([DISABLE_UTMP])
5433	AC_DEFINE([DISABLE_WTMP])
5434	], [
5435#ifdef HAVE_SYS_TYPES_H
5436#include <sys/types.h>
5437#endif
5438#ifdef HAVE_UTMP_H
5439#include <utmp.h>
5440#endif
5441#ifdef HAVE_UTMPX_H
5442#include <utmpx.h>
5443#endif
5444#ifdef HAVE_LASTLOG_H
5445#include <lastlog.h>
5446#endif
5447	])
5448
5449dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5450dnl Add now.
# werror_flags is collected earlier in the file (not visible here). It is
# appended only after the feature probes so that warnings in the small test
# programs cannot turn a probe into a false negative.
5451CFLAGS="$CFLAGS $werror_flags"
5452
# Values exported for the regression tests. IPv6 tests are enabled only when
# getaddrinfo was found and BROKEN_GETADDRINFO is not declared. The other
# substitutions pass through values set earlier in the file, and DEPEND is
# filled with the contents of .depend from the source directory.
5453if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5454	TEST_SSH_IPV6=no
5455else
5456	TEST_SSH_IPV6=yes
5457fi
5458AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5459AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5460AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5461AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5462AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5463AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5464
# CFLAGS_AFTER and LDFLAGS_AFTER are appended last, so they follow every flag
# that configure added itself.
5465CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5466LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5467
5468# Make a copy of CFLAGS/LDFLAGS without PIE options.
# NOTE(review): each sed expression removes only the first match and is not
# anchored to a whole word. Anything built with the NOPIE variables is not
# position independent and so gets no ASLR for the executable image; which
# targets use them is decided in the Makefile templates, not here.
5469LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5470CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5471AC_SUBST([LDFLAGS_NOPIE])
5472AC_SUBST([CFLAGS_NOPIE])
5473
# Final generation step: the files listed in AC_CONFIG_FILES are produced
# from their templates with the substitutions collected above, and AC_OUTPUT
# writes them together with config.h.
5474AC_EXEEXT
5475AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5476	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5477	survey.sh])
5478AC_OUTPUT
5479
5480# Print summary of options
5481
5482# Someone please show me a better way :)
# Each directory variable is expanded twice because a value can itself refer
# to other variables that also need expanding.
# NOTE(review): eval re-parses the value as shell input, so a command
# substitution inside a directory option would run here. Treat configure
# arguments as trusted build input. A is computed but not printed in the
# summary lines visible here.
5483A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5484B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5485C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5486D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5487E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5488F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5489G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5490H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5491I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5492J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5493
# Human-readable summary of the configured paths and features. The MSG
# variables and enable_pkcs11 / enable_sk are set by the feature checks
# earlier in the file.
# NOTE(review): for a hardened build, check at least the privilege separation
# chroot path, the user and superuser PATH, the random number source and the
# privsep sandbox style lines in the build log.
5494echo ""
5495echo "OpenSSH has been configured with the following options:"
5496echo "                     User binaries: $B"
5497echo "                   System binaries: $C"
5498echo "               Configuration files: $D"
5499echo "                   Askpass program: $E"
5500echo "                      Manual pages: $F"
5501echo "                          PID file: $G"
5502echo "  Privilege separation chroot path: $H"
5503if test "x$external_path_file" = "x/etc/login.conf" ; then
5504echo "   At runtime, sshd will use the path defined in $external_path_file"
5505echo "   Make sure the path to scp is present, otherwise scp will not work"
5506else
5507echo "            sshd default user PATH: $I"
5508	if test ! -z "$external_path_file"; then
5509echo "   (If PATH is set in $external_path_file it will be used instead. If"
5510echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5511	fi
5512fi
5513if test ! -z "$superuser_path" ; then
5514echo "          sshd superuser user PATH: $J"
5515fi
5516echo "                    Manpage format: $MANTYPE"
5517echo "                       PAM support: $PAM_MSG"
5518echo "                   OSF SIA support: $SIA_MSG"
5519echo "                 KerberosV support: $KRB5_MSG"
5520echo "                   SELinux support: $SELINUX_MSG"
5521echo "              MD5 password support: $MD5_MSG"
5522echo "                   libedit support: $LIBEDIT_MSG"
5523echo "                   libldns support: $LDNS_MSG"
5524echo "  Solaris process contract support: $SPC_MSG"
5525echo "           Solaris project support: $SP_MSG"
5526echo "         Solaris privilege support: $SPP_MSG"
5527echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5528echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5529echo "                  BSD Auth support: $BSD_AUTH_MSG"
5530echo "              Random number source: $RAND_MSG"
5531echo "             Privsep sandbox style: $SANDBOX_STYLE"
5532echo "                   PKCS#11 support: $enable_pkcs11"
5533echo "                  U2F/FIDO support: $enable_sk"
5534
# Toolchain summary: host triplet, compiler and the final flag sets. This is
# the place to confirm that the hardening flags expected for the build are
# still present after configure has finished adjusting CFLAGS and LDFLAGS.
5535echo ""
5536
5537echo "              Host: ${host}"
5538echo "          Compiler: ${CC}"
5539echo "    Compiler flags: ${CFLAGS}"
5540echo "Preprocessor flags: ${CPPFLAGS}"
5541echo "      Linker flags: ${LDFLAGS}"
5542echo "         Libraries: ${LIBS}"
5543if test ! -z "${SSHDLIBS}"; then
5544echo "         +for sshd: ${SSHDLIBS}"
5545fi
5546
5547echo ""
5548
# Closing advisories. They are plain echo lines, so none of them fails the
# build; keep the configure output if these conditions matter to you.
# The NO_PEERCHECK text is the security-relevant one: it is printed when the
# variable is non-empty and states that the platform offers none of the peer
# credential checks used to restrict who may connect to ssh-agent.
5549if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5550	echo "SVR4 style packages are supported with \"make package\""
5551	echo ""
5552fi
5553
5554if test "x$PAM_MSG" = "xyes" ; then
5555	echo "PAM is enabled. You may need to install a PAM control file "
5556	echo "for sshd, otherwise password authentication may fail. "
5557	echo "Example PAM control files can be found in the contrib/ "
5558	echo "subdirectory"
5559	echo ""
5560fi
5561
5562if test ! -z "$NO_PEERCHECK" ; then
5563	echo "WARNING: the operating system that you are using does not"
5564	echo "appear to support getpeereid(), getpeerucred() or the"
5565	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5566	echo "enforce security checks to prevent unauthorised connections to"
5567	echo "ssh-agent. Their absence increases the risk that a malicious"
5568	echo "user can connect to your agent."
5569	echo ""
5570fi
5571
5572if test "$AUDIT_MODULE" = "bsm" ; then
5573	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5574	echo "See the Solaris section in README.platform for details."
5575fi
5576