xref: /freebsd/crypto/openssh/configure.ac (revision 0ae642c7dd0c2cfd965a22bf73876cd26cceadd2)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19
20# Check for stale configure as early as possible.
21for i in $srcdir/configure.ac $srcdir/m4/*.m4; do
22	if test "$i" -nt "$srcdir/configure"; then
23		AC_MSG_ERROR([$i newer than configure, run autoreconf])
24	fi
25done
26
27AC_LANG([C])
28
29AC_CONFIG_HEADERS([config.h])
30AC_PROG_CC([cc gcc clang])
31
32# XXX relax this after reimplementing logit() etc.
33AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
34AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
35int f(int a, int b, int c) { return a + b + c; }
36#define F(a, ...) f(a, __VA_ARGS__)
37]], [[return F(1, 2, -3);]])],
38	[ AC_MSG_RESULT([yes]) ],
39	[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
40)
41
42AC_CANONICAL_HOST
43AC_C_BIGENDIAN
44
45# Checks for programs.
46AC_PROG_AWK
47AC_PROG_CPP
48AC_PROG_RANLIB
49AC_PROG_INSTALL
50AC_PROG_EGREP
51AC_PROG_MKDIR_P
52AC_CHECK_TOOLS([AR], [ar])
53AC_PATH_PROG([CAT], [cat])
54AC_PATH_PROG([KILL], [kill])
55AC_PATH_PROG([SED], [sed])
56AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
57AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
58AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
59AC_PATH_PROG([SH], [bash])
60AC_PATH_PROG([SH], [ksh])
61AC_PATH_PROG([SH], [sh])
62AC_PATH_PROG([GROFF], [groff])
63AC_PATH_PROG([NROFF], [nroff awf])
64AC_PATH_PROG([MANDOC], [mandoc])
65AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
66AC_SUBST([TEST_SHELL], [sh])
67
68dnl select manpage formatter to be used to build "cat" format pages.
69if test "x$MANDOC" != "x" ; then
70	MANFMT="$MANDOC"
71elif test "x$NROFF" != "x" ; then
72	MANFMT="$NROFF -mandoc"
73elif test "x$GROFF" != "x" ; then
74	MANFMT="$GROFF -mandoc -Tascii"
75else
76	AC_MSG_WARN([no manpage formatter found])
77	MANFMT="false"
78fi
79AC_SUBST([MANFMT])
80
81dnl for buildpkg.sh
82AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
83	[/usr/sbin${PATH_SEPARATOR}/etc])
84AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
85	[/usr/sbin${PATH_SEPARATOR}/etc])
86AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
87if test -x /sbin/sh; then
88	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
89else
90	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
91fi
92
93# System features
94AC_SYS_LARGEFILE
95
96if test -z "$AR" ; then
97	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
98fi
99
100AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
101if test ! -z "$PATH_PASSWD_PROG" ; then
102	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
103		[Full path of your "passwd" program])
104fi
105
106dnl Since autoconf doesn't support it very well,  we no longer allow users to
107dnl override LD, however keeping the hook here for now in case there's a
108dnl use case we overlooked and someone needs to re-enable it.  Unless a good
109dnl reason is found we'll be removing this in future.
110LD="$CC"
111AC_SUBST([LD])
112
113AC_C_INLINE
114
115AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
116AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
117AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
118	#include <sys/types.h>
119	#include <sys/param.h>
120	#include <dev/systrace.h>
121])
122AC_CHECK_DECL([RLIMIT_NPROC],
123    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
124	#include <sys/types.h>
125	#include <sys/resource.h>
126])
127AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
128	#include <sys/types.h>
129	#include <linux/prctl.h>
130])
131
# Crypto backend selection.  Linking against OpenSSL is the default; the
# handler below reacts only to the literal value "no", which the help text
# itself labels as experimental and limited to internal crypto.
132openssl=yes
133openssl_bin=openssl
134AC_ARG_WITH([openssl],
135	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
136	[  if test "x$withval" = "xno" ; then
137		openssl=no
138		openssl_bin=""
139	   fi
140	]
141)
# WITH_OPENSSL is defined only on the "yes" path; the "no" path defines
# nothing here and just reports the result.
142AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
143if test "x$openssl" = "xyes" ; then
144	AC_MSG_RESULT([yes])
145	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
146else
147	AC_MSG_RESULT([no])
148fi
149
# Hardening defaults: stack protection, toolchain hardening flags and
# retpoline all start enabled (1).  Each option handler below clears its
# switch only for the literal value "no"; any other value leaves it on.
150use_stack_protector=1
151use_toolchain_hardening=1
152use_retpoline=1
153AC_ARG_WITH([stackprotect],
154    [  --without-stackprotect  Don't use compiler's stack protection], [
155    if test "x$withval" = "xno"; then
156	use_stack_protector=0
157    fi ])
158AC_ARG_WITH([hardening],
159    [  --without-hardening     Don't use toolchain hardening flags], [
160    if test "x$withval" = "xno"; then
161	use_toolchain_hardening=0
162    fi ])
# NOTE(review): the help text of the next option reads "Enable retpoline
# spectre mitigation", but the option shown is --without-retpoline and its
# handler sets use_retpoline=0, i.e. it switches the mitigation off.
163AC_ARG_WITH([retpoline],
164    [  --without-retpoline     Enable retpoline spectre mitigation], [
165    if test "x$withval" = "xno"; then
166	use_retpoline=0
167    fi ])
168
169# We use -Werror for the tests only so that we catch warnings like "this is
170# on by default" for things like -fPIE.
# The probe only records its result in WERROR ("-Werror" or empty).  CFLAGS
# is put back to its saved value afterwards, so this check by itself does
# not add -Werror to the build flags.  WERROR is presumably consumed by the
# flag-probe macros used further down, which are defined outside this file.
171AC_MSG_CHECKING([if $CC supports -Werror])
172saved_CFLAGS="$CFLAGS"
173CFLAGS="$CFLAGS -Werror"
174AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
175	[ AC_MSG_RESULT([yes])
176	  WERROR="-Werror"],
177	[ AC_MSG_RESULT([no])
178	  WERROR="" ]
179)
180CFLAGS="$saved_CFLAGS"
181
182if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
183	AC_MSG_CHECKING([gcc version])
184	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
185	case "$GCC_VER" in
186		1.*) no_attrib_nonnull=1 ;;
187		2.8* | 2.9*)
188		     no_attrib_nonnull=1
189		     ;;
190		2.*) no_attrib_nonnull=1 ;;
191		*) ;;
192	esac
193	AC_MSG_RESULT([$GCC_VER])
194
195	AC_MSG_CHECKING([clang version])
196	ver="`$CC -v 2>&1`"
197	if echo "$ver" | grep "Apple" >/dev/null; then
198		CLANG_VER=apple-`echo "$ver" | grep 'clang version' | \
199		    $SED 's/.*clang version //g' | $AWK '{print $1}'`
200	else
201		CLANG_VER=`echo "$ver" | grep 'clang version' | \
202		    $SED 's/.*clang version //g' | $AWK '{print $1}'`
203	fi
204	AC_MSG_RESULT([$CLANG_VER])
205
206	OSSH_CHECK_CFLAG_COMPILE([-pipe])
207	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
208	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
209	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
210	OSSH_CHECK_CFLAG_COMPILE([-Wall])
211	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
212	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
213	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
214	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
215	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
216	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
217	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
218	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
219	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
220	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
221	OSSH_CHECK_CFLAG_COMPILE([-Wmisleading-indentation])
222	OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
223	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
224    if test "x$use_toolchain_hardening" = "x1"; then
	# Toolchain hardening; skipped entirely when --without-hardening
	# was given.  This section sits inside the branch taken only for
	# compilers reported as GCC-compatible, so none of these flags are
	# probed for other compilers.  Every flag goes through a compile or
	# link probe first; the probe macros are defined outside this file.
225	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	# Linker hardening: read-only relocations, immediate symbol binding
	# and a non-executable stack.
226	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
227	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
228	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
229	# NB. -ftrapv expects certain support functions to be present in
230	# the compiler library (libgcc or similar) to detect integer operations
231	# that can overflow. We must check that the result of enabling it
232	# actually links. The test program compiled/linked includes a number
233	# of integer operations that should exercise this.
234	OSSH_CHECK_CFLAG_LINK([-ftrapv])
235	# clang 15 seems to have a bug in -fzero-call-used-regs=all.  See
236	# https://bugzilla.mindrot.org/show_bug.cgi?id=3475 and
237	# https://github.com/llvm/llvm-project/issues/59242
238	# clang 17 has a different bug that causes an ICE when using this
239	# flag at all (https://bugzilla.mindrot.org/show_bug.cgi?id=3629)
	# NOTE(review): CLANG_VER carries an "apple-" prefix on Apple
	# builds (set by the version detection earlier in this branch), so
	# the 17* arm matches only version strings without that prefix.
	# The two remaining arms probe the same =used variant; the =all
	# variant named in the comment above is never requested here.
240	case "$CLANG_VER" in
241	apple-15*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
242	17*)	;;
243	*)	OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
244	esac
	# Zero-initialise automatic variables that have no initialiser.
245	OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
246    fi
247    if test "x$use_retpoline" = "x1"; then
	# Retpoline: a compiler flag (marked as clang in the source) and a
	# linker option for the PLT.  Presumably each is kept only when its
	# probe succeeds; the probe macros are not shown here.
248	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
249	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
250    fi
251
252	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
	# Link a small memset() caller with -fno-builtin-memset added.
	# On success the flag stays in CFLAGS for the rest of the build
	# (there is no restore on that path); on failure CFLAGS goes back
	# to the saved value.
253	saved_CFLAGS="$CFLAGS"
254	CFLAGS="$CFLAGS -fno-builtin-memset"
255	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
256			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
257		[ AC_MSG_RESULT([yes]) ],
258		[ AC_MSG_RESULT([no])
259		  CFLAGS="$saved_CFLAGS" ]
260	)
261
262	# -fstack-protector-all doesn't always work for some GCC versions
263	# and/or platforms, so we test if we can.  If it's not supported
264	# on a given platform gcc will emit a warning so we use -Werror.
265	if test "x$use_stack_protector" = "x1"; then
	    # Candidates are tried in the order listed: -strong, then -all,
	    # then the plain flag.  Each one is first linked with -Werror
	    # added to both CFLAGS and LDFLAGS; if that links, the flag is
	    # set without -Werror and a test program is run.
	    # A successful run leaves the loop through "break", which skips
	    # the restore at the bottom, so the flag stays in CFLAGS and
	    # LDFLAGS.  A failed link or failed run falls through to the
	    # restore and the next candidate is tried.  If no candidate
	    # passes, the build continues without any stack protector flag.
	    # When cross compiling the run step cannot execute; the loop
	    # still breaks, so the flag is kept on the strength of the link
	    # test alone.
266	    for t in -fstack-protector-strong -fstack-protector-all \
267		    -fstack-protector; do
268		AC_MSG_CHECKING([if $CC supports $t])
269		saved_CFLAGS="$CFLAGS"
270		saved_LDFLAGS="$LDFLAGS"
271		CFLAGS="$CFLAGS $t -Werror"
272		LDFLAGS="$LDFLAGS $t -Werror"
273		AC_LINK_IFELSE(
274			[AC_LANG_PROGRAM([[
275	#include <stdio.h>
276	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
277			 ]],
278			[[
279	char x[256];
280	snprintf(x, sizeof(x), "XXX%d", func(1));
281			 ]])],
282		    [ AC_MSG_RESULT([yes])
283		      CFLAGS="$saved_CFLAGS $t"
284		      LDFLAGS="$saved_LDFLAGS $t"
285		      AC_MSG_CHECKING([if $t works])
286		      AC_RUN_IFELSE(
287			[AC_LANG_PROGRAM([[
288	#include <stdio.h>
289	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
290			]],
291			[[
292	char x[256];
293	snprintf(x, sizeof(x), "XXX%d", func(1));
294			]])],
295			[ AC_MSG_RESULT([yes])
296			  break ],
297			[ AC_MSG_RESULT([no]) ],
298			[ AC_MSG_WARN([cross compiling: cannot test])
299			  break ]
300		      )
301		    ],
302		    [ AC_MSG_RESULT([no]) ]
303		)
304		CFLAGS="$saved_CFLAGS"
305		LDFLAGS="$saved_LDFLAGS"
306	    done
307	fi
308
309	if test -z "$have_llong_max"; then
310		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
311		unset ac_cv_have_decl_LLONG_MAX
312		saved_CFLAGS="$CFLAGS"
313		CFLAGS="$CFLAGS -std=gnu99"
314		AC_CHECK_DECL([LLONG_MAX],
315		    [have_llong_max=1],
316		    [CFLAGS="$saved_CFLAGS"],
317		    [#include <limits.h>]
318		)
319	fi
320fi
321
322AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
323AC_COMPILE_IFELSE(
324    [AC_LANG_PROGRAM([[
325#include <stdlib.h>
326__attribute__((__unused__)) static void foo(void){return;}]],
327    [[ exit(0); ]])],
328    [ AC_MSG_RESULT([yes]) ],
329    [ AC_MSG_RESULT([no])
330      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
331	 [compiler does not accept __attribute__ on return types]) ]
332)
333
334AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
335AC_COMPILE_IFELSE(
336    [AC_LANG_PROGRAM([[
337#include <stdlib.h>
338typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
339    [[ exit(0); ]])],
340    [ AC_MSG_RESULT([yes]) ],
341    [ AC_MSG_RESULT([no])
342      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
343	 [compiler does not accept __attribute__ on prototype args]) ]
344)
345
346AC_MSG_CHECKING([if compiler supports variable length arrays])
347AC_COMPILE_IFELSE(
348    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
349    [[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
350    [ AC_MSG_RESULT([yes])
351      AC_DEFINE(VARIABLE_LENGTH_ARRAYS, [1],
352	 [compiler supports variable length arrays]) ],
353    [ AC_MSG_RESULT([no]) ]
354)
355
356AC_MSG_CHECKING([if compiler accepts variable declarations after code])
357AC_COMPILE_IFELSE(
358    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
359    [[ int a; a = 1; int b = 1; exit(a-b); ]])],
360    [ AC_MSG_RESULT([yes])
361      AC_DEFINE(VARIABLE_DECLARATION_AFTER_CODE, [1],
362	 [compiler variable declarations after code]) ],
363    [ AC_MSG_RESULT([no]) ]
364)
365
366if test "x$no_attrib_nonnull" != "x1" ; then
367	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
368fi
369
370AC_ARG_WITH([rpath],
371	[  --without-rpath         Disable auto-added -R linker paths],
372	[
373		if test "x$withval" = "xno" ; then
374			rpath_opt=""
375		elif test "x$withval" = "xyes" ; then
376			rpath_opt="-R"
377		else
378			rpath_opt="$withval"
379		fi
380	]
381)
382
383# Allow user to specify flags
# --with-cflags appends its value to CFLAGS at this point in the script,
# i.e. behind whatever the earlier flag probes added (presumably the
# warning and hardening flags), so a value given here can override them.
# The empty string and the values "yes" and "no" are ignored.
384AC_ARG_WITH([cflags],
385	[  --with-cflags           Specify additional flags to pass to compiler],
386	[
387		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
388		    test "x${withval}" != "xyes"; then
389			CFLAGS="$CFLAGS $withval"
390		fi
391	]
392)
393
# --with-cflags-after only stores its value in CFLAGS_AFTER; where that
# variable is applied is not visible in this part of the file.
394AC_ARG_WITH([cflags-after],
395	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
396	[
397		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
398		    test "x${withval}" != "xyes"; then
399			CFLAGS_AFTER="$withval"
400		fi
401	]
402)
403AC_ARG_WITH([cppflags],
404	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
405	[
406		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
407		    test "x${withval}" != "xyes"; then
408			CPPFLAGS="$CPPFLAGS $withval"
409		fi
410	]
411)
412AC_ARG_WITH([ldflags],
413	[  --with-ldflags          Specify additional flags to pass to linker],
414	[
415		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
416		    test "x${withval}" != "xyes"; then
417			LDFLAGS="$LDFLAGS $withval"
418		fi
419	]
420)
421AC_ARG_WITH([ldflags-after],
422	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
423	[
424		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
425		    test "x${withval}" != "xyes"; then
426			LDFLAGS_AFTER="$withval"
427		fi
428	]
429)
430AC_ARG_WITH([libs],
431	[  --with-libs             Specify additional libraries to link with],
432	[
433		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
434		    test "x${withval}" != "xyes"; then
435			LIBS="$LIBS $withval"
436		fi
437	]
438)
439AC_ARG_WITH([Werror],
440	[  --with-Werror           Build main code with -Werror],
441	[
442		if test -n "$withval"  &&  test "x$withval" != "xno"; then
443			werror_flags="-Werror"
444			if test "x${withval}" != "xyes"; then
445				werror_flags="$withval"
446			fi
447		fi
448	]
449)
450
451dnl On some old platforms, sys/stat.h requires sys/types.h, but autoconf-2.71's
452dnl AC_CHECK_INCLUDES_DEFAULT checks for them in the opposite order.  If we
453dnl haven't detected it, recheck.
454if test "x$ac_cv_header_sys_stat_h" != "xyes"; then
455	unset ac_cv_header_sys_stat_h
456	AC_CHECK_HEADERS([sys/stat.h])
457fi
458
459AC_CHECK_HEADERS([ \
460	blf.h \
461	bstring.h \
462	crypt.h \
463	crypto/sha2.h \
464	dirent.h \
465	endian.h \
466	elf.h \
467	err.h \
468	features.h \
469	fcntl.h \
470	floatingpoint.h \
471	fnmatch.h \
472	getopt.h \
473	glob.h \
474	ia.h \
475	iaf.h \
476	ifaddrs.h \
477	inttypes.h \
478	langinfo.h \
479	limits.h \
480	locale.h \
481	login.h \
482	maillock.h \
483	ndir.h \
484	net/if_tun.h \
485	netdb.h \
486	netgroup.h \
487	pam/pam_appl.h \
488	paths.h \
489	poll.h \
490	pty.h \
491	readpassphrase.h \
492	rpc/types.h \
493	security/pam_appl.h \
494	sha2.h \
495	shadow.h \
496	stddef.h \
497	stdint.h \
498	string.h \
499	strings.h \
500	sys/bitypes.h \
501	sys/byteorder.h \
502	sys/bsdtty.h \
503	sys/cdefs.h \
504	sys/dir.h \
505	sys/file.h \
506	sys/mman.h \
507	sys/label.h \
508	sys/ndir.h \
509	sys/param.h \
510	sys/poll.h \
511	sys/prctl.h \
512	sys/procctl.h \
513	sys/pstat.h \
514	sys/ptrace.h \
515	sys/random.h \
516	sys/select.h \
517	sys/stream.h \
518	sys/stropts.h \
519	sys/strtio.h \
520	sys/statvfs.h \
521	sys/sysmacros.h \
522	sys/time.h \
523	sys/timers.h \
524	sys/vfs.h \
525	time.h \
526	tmpdir.h \
527	ttyent.h \
528	ucred.h \
529	unistd.h \
530	usersec.h \
531	util.h \
532	utime.h \
533	utmp.h \
534	utmpx.h \
535	vis.h \
536	wchar.h \
537])
538
539# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
540# to be included first.
541AC_CHECK_HEADERS([sys/audit.h], [], [], [
542#ifdef HAVE_SYS_TIME_H
543# include <sys/time.h>
544#endif
545#ifdef HAVE_SYS_TYPES_H
546# include <sys/types.h>
547#endif
548#ifdef HAVE_SYS_LABEL_H
549# include <sys/label.h>
550#endif
551])
552
553# sys/capsicum.h requires sys/types.h
554AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
555#ifdef HAVE_SYS_TYPES_H
556# include <sys/types.h>
557#endif
558])
559
560AC_MSG_CHECKING([for caph_cache_tzdata])
561AC_LINK_IFELSE(
562    [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
563	[[caph_cache_tzdata();]])],
564    [
565	AC_MSG_RESULT([yes])
566	AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1],
567	    [Define if you have caph_cache_tzdata])
568    ],
569    [ AC_MSG_RESULT([no]) ]
570)
571
572# net/route.h requires sys/socket.h and sys/types.h.
573# sys/sysctl.h also requires sys/param.h
574AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
575#ifdef HAVE_SYS_TYPES_H
576# include <sys/types.h>
577#endif
578#include <sys/param.h>
579#include <sys/socket.h>
580])
581
582# lastlog.h requires sys/time.h to be included first on Solaris
583AC_CHECK_HEADERS([lastlog.h], [], [], [
584#ifdef HAVE_SYS_TIME_H
585# include <sys/time.h>
586#endif
587])
588
589# sys/ptms.h requires sys/stream.h to be included first on Solaris
590AC_CHECK_HEADERS([sys/ptms.h], [], [], [
591#ifdef HAVE_SYS_STREAM_H
592# include <sys/stream.h>
593#endif
594])
595
596# login_cap.h requires sys/types.h on NetBSD
597AC_CHECK_HEADERS([login_cap.h], [], [], [
598#include <sys/types.h>
599])
600
601# older BSDs need sys/param.h before sys/mount.h
602AC_CHECK_HEADERS([sys/mount.h], [], [], [
603#include <sys/param.h>
604])
605
606# Android requires sys/socket.h to be included before sys/un.h
607AC_CHECK_HEADERS([sys/un.h], [], [], [
608#include <sys/types.h>
609#include <sys/socket.h>
610])
611
612# Messages for features tested for in target-specific section
613SIA_MSG="no"
614SPC_MSG="no"
615SP_MSG="no"
616SPP_MSG="no"
617
618# Support for Solaris/Illumos privileges (this test is used by both
619# the --with-solaris-privs option and --with-sandbox=solaris).
620SOLARIS_PRIVS="no"
621
622# Check for some target-specific stuff
623case "$host" in
624*-*-aix*)
625	# Some versions of VAC won't allow macro redefinitions at
626	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
627	# particularly with older versions of vac or xlc.
628	# It also throws errors about null macro arguments, but these are
629	# not fatal.
630	AC_MSG_CHECKING([if compiler allows macro redefinitions])
631	AC_COMPILE_IFELSE(
632	    [AC_LANG_PROGRAM([[
633#define testmacro foo
634#define testmacro bar]],
635	    [[ exit(0); ]])],
636	    [ AC_MSG_RESULT([yes]) ],
637	    [ AC_MSG_RESULT([no])
638	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
639	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
640	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
641	    ]
642	)
643
644	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
645	if (test -z "$blibpath"); then
646		blibpath="/usr/lib:/lib"
647	fi
648	saved_LDFLAGS="$LDFLAGS"
649	if test "$GCC" = "yes"; then
650		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
651	else
652		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
653	fi
654	for tryflags in $flags ;do
655		if (test -z "$blibflags"); then
656			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
657			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
658			[blibflags=$tryflags], [])
659		fi
660	done
661	if (test -z "$blibflags"); then
662		AC_MSG_RESULT([not found])
663		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
664	else
665		AC_MSG_RESULT([$blibflags])
666	fi
667	LDFLAGS="$saved_LDFLAGS"
668	dnl Check for authenticate.  Might be in libs.a on older AIXes
669	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
670		[Define if you want to enable AIX4's authenticate function])],
671		[AC_CHECK_LIB([s], [authenticate],
672			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
673				LIBS="$LIBS -ls"
674			])
675		])
676	dnl Check for various auth function declarations in headers.
677	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
678	    passwdexpired, setauthdb], , , [#include <usersec.h>])
679	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
680	AC_CHECK_DECLS([loginfailed],
681	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
682	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
683		[[ (void)loginfailed("user","host","tty",0); ]])],
684		[AC_MSG_RESULT([yes])
685		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
686			[Define if your AIX loginfailed() function
687			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
688	    ])],
689	    [],
690	    [#include <usersec.h>]
691	)
692	AC_CHECK_FUNCS([getgrset setauthdb])
693	AC_CHECK_DECL([F_CLOSEM],
694	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
695	    [],
696	    [ #include <limits.h>
697	      #include <fcntl.h> ]
698	)
699	check_for_aix_broken_getaddrinfo=1
700	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
701	    [Define if your platform breaks doing a seteuid before a setuid])
702	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
703	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
704	dnl AIX handles lastlog as part of its login message
705	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
706	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
707		[Some systems need a utmpx entry for /bin/login to work])
708	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
709		[Define to a Set Process Title type if your system is
710		supported by bsd-setproctitle.c])
711	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
712	    [AIX 5.2 and 5.3 (and presumably newer) require this])
713	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
714	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
715	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
716	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
717	;;
718*-*-android*)
719	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
720	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
721	;;
722*-*-cygwin*)
723	LIBS="$LIBS /usr/lib/textreadmode.o"
724	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
725	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
726	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
727		[Define to disable UID restoration test])
728	AC_DEFINE([DISABLE_SHADOW], [1],
729		[Define if you want to disable shadow passwords])
730	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
731		[Define if X11 doesn't support AF_UNIX sockets on that system])
732	AC_DEFINE([DISABLE_FD_PASSING], [1],
733		[Define if your platform needs to skip post auth
734		file descriptor passing])
735	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
736	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
737	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
738	# reasons which cause compile warnings, so we disable those warnings.
739	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
740	;;
741*-*-dgux*)
742	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
743		[Define if your system choked on IP TOS setting])
744	AC_DEFINE([SETEUID_BREAKS_SETUID])
745	AC_DEFINE([BROKEN_SETREUID])
746	AC_DEFINE([BROKEN_SETREGID])
747	;;
748*-*-darwin*)
749	use_pie=auto
750	AC_MSG_CHECKING([if we have working getaddrinfo])
751	AC_RUN_IFELSE([AC_LANG_SOURCE([[
752#include <mach-o/dyld.h>
753#include <stdlib.h>
754int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
755		exit(0);
756	else
757		exit(1);
758}
759			]])],
760	[AC_MSG_RESULT([working])],
761	[AC_MSG_RESULT([buggy])
762	AC_DEFINE([BROKEN_GETADDRINFO], [1],
763		[getaddrinfo is broken (if present)])
764	],
765	[AC_MSG_RESULT([assume it is working])])
766	AC_DEFINE([SETEUID_BREAKS_SETUID])
767	AC_DEFINE([BROKEN_SETREUID])
768	AC_DEFINE([BROKEN_SETREGID])
769	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
770	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
771		[Define if your resolver libs need this for getrrsetbyname])
772	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
773	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
774	    [Use tunnel device compatibility to OpenBSD])
775	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
776	    [Prepend the address family to IP tunnel traffic])
777	m4_pattern_allow([AU_IPv])
	dnl NOTE(review): in the call below the closing parenthesis comes after
	dnl the LASTLOG_WRITE_PUTUTXLINE define, and no comma separates the
	dnl AU_IPv4 fallback define, the bracketed bsm/audit.h include line and
	dnl that define.  As written they all appear to land in one argument
	dnl rather than in separate not-found and includes arguments; confirm
	dnl against the generated configure that this is intended.
778	AC_CHECK_DECL([AU_IPv4], [],
779	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
780	    [#include <bsm/audit.h>]
781	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
782	    [Define if pututxline updates lastlog too])
783	)
784	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
785		[Define to a Set Process Title type if your system is
786		supported by bsd-setproctitle.c])
787	AC_CHECK_FUNCS([sandbox_init])
788	AC_CHECK_HEADERS([sandbox.h])
789	AC_CHECK_LIB([sandbox], [sandbox_apply], [
790	    SSHDLIBS="$SSHDLIBS -lsandbox"
791	])
792	# proc_pidinfo()-based closefrom() replacement.
793	AC_CHECK_HEADERS([libproc.h])
794	AC_CHECK_FUNCS([proc_pidinfo])
795	# poll(2) is broken for character-special devices (at least).
796	# cf. Apple bug 3710161 (not public, but searchable)
797	AC_DEFINE([BROKEN_POLL], [1],
798	    [System poll(2) implementation is broken])
799	;;
800*-*-dragonfly*)
801	SSHDLIBS="$SSHDLIBS"
802	TEST_MALLOC_OPTIONS="AFGJPRX"
803	;;
804*-*-haiku*)
805	LIBS="$LIBS -lbsd "
806	CFLAGS="$CFLAGS -D_BSD_SOURCE"
807	AC_CHECK_LIB([network], [socket])
808	AC_DEFINE([HAVE_U_INT64_T])
809	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
810	MANTYPE=man
811	;;
812*-*-hpux*)
813	# first we define all of the options common to all HP-UX releases
814	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
815	IPADDR_IN_DISPLAY=yes
816	AC_DEFINE([USE_PIPES])
817	AC_DEFINE([LOGIN_NEEDS_UTMPX])
818	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
819		[String used in /etc/passwd to denote locked account])
820	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
821	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
822	maildir="/var/mail"
823	LIBS="$LIBS -lsec"
824	AC_CHECK_LIB([xnet], [t_error], ,
825	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
826
827	# next, we define all of the options specific to major releases
828	case "$host" in
829	*-*-hpux10*)
830		if test -z "$GCC"; then
831			CFLAGS="$CFLAGS -Ae"
832		fi
833		AC_DEFINE([BROKEN_GETLINE], [1], [getline is not what we expect])
834		;;
835	*-*-hpux11*)
836		AC_DEFINE([PAM_SUN_CODEBASE], [1],
837			[Define if you are using Solaris-derived PAM which
838			passes pam_messages to the conversation function
839			with an extra level of indirection])
840		AC_DEFINE([DISABLE_UTMP], [1],
841			[Define if you don't want to use utmp])
842		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
843		check_for_hpux_broken_getaddrinfo=1
844		check_for_conflicting_getspnam=1
845		;;
846	esac
847
848	# lastly, we define options specific to minor releases
849	case "$host" in
850	*-*-hpux10.26)
851		AC_DEFINE([HAVE_SECUREWARE], [1],
852			[Define if you have SecureWare-based
853			protected password database])
854		disable_ptmx_check=yes
855		LIBS="$LIBS -lsecpw"
856		;;
857	esac
858	;;
859*-*-irix5*)
860	PATH="$PATH:/usr/etc"
861	AC_DEFINE([BROKEN_INET_NTOA], [1],
862		[Define if you system's inet_ntoa is busted
863		(e.g. Irix gcc issue)])
864	AC_DEFINE([SETEUID_BREAKS_SETUID])
865	AC_DEFINE([BROKEN_SETREUID])
866	AC_DEFINE([BROKEN_SETREGID])
867	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
868		[Define if you shouldn't strip 'tty' from your
869		ttyname in [uw]tmp])
870	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
871	;;
872*-*-irix6*)
873	PATH="$PATH:/usr/etc"
874	AC_DEFINE([WITH_IRIX_ARRAY], [1],
875		[Define if you have/want arrays
876		(cluster-wide session management, not C arrays)])
877	AC_DEFINE([WITH_IRIX_PROJECT], [1],
878		[Define if you want IRIX project management])
879	AC_DEFINE([WITH_IRIX_AUDIT], [1],
880		[Define if you want IRIX audit trails])
881	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
882		[Define if you want IRIX kernel jobs])])
883	AC_DEFINE([BROKEN_INET_NTOA])
884	AC_DEFINE([SETEUID_BREAKS_SETUID])
885	AC_DEFINE([BROKEN_SETREUID])
886	AC_DEFINE([BROKEN_SETREGID])
887	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
888	AC_DEFINE([WITH_ABBREV_NO_TTY])
889	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
890	;;
891*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
892	AC_DEFINE([PAM_TTY_KLUDGE])
893	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
894	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
895	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
896	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
897	;;
898*-*-linux*)
899	no_dev_ptmx=1
900	use_pie=auto
901	check_for_openpty_ctty_bug=1
902	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
903	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
904	dnl _GNU_SOURCE is needed for setres*id prototypes.
905	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
906	AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
907	AC_DEFINE([PAM_TTY_KLUDGE], [1],
908		[Work around problematic Linux PAM modules handling of PAM_TTY])
909	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
910		[String used in /etc/passwd to denote locked account])
911	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
912	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
913		[Define to whatever link() returns for "not supported"
914		if it doesn't return EOPNOTSUPP.])
915	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
916	AC_DEFINE([USE_BTMP])
917	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
918	AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
919	inet6_default_4in6=yes
920	case `uname -r` in
921	1.*|2.0.*)
922		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
923			[Define if cmsg_type is not passed correctly])
924		;;
925	esac
926	# tun(4) forwarding compat code
927	AC_CHECK_HEADERS([linux/if_tun.h])
928	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
929		AC_DEFINE([SSH_TUN_LINUX], [1],
930		    [Open tunnel devices the Linux tun/tap way])
931		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
932		    [Use tunnel device compatibility to OpenBSD])
933		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
934		    [Prepend the address family to IP tunnel traffic])
935	fi
936	AC_CHECK_HEADER([linux/if.h],
937	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
938		[Support routing domains using Linux VRF]), [], [
939#ifdef HAVE_SYS_TYPES_H
940# include <sys/types.h>
941#endif
942	    ])
943	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
944	    [], [#include <linux/types.h>])
945	# Obtain MIPS ABI
946	case "$host" in
947	mips*)
948		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
949#if _MIPS_SIM != _ABIO32
950#error
951#endif
952			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
953#if _MIPS_SIM != _ABIN32
954#error
955#endif
956				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
957#if _MIPS_SIM != _ABI64
958#error
959#endif
960					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
961				])
962			])
963		])
964		;;
965	esac
966	AC_MSG_CHECKING([for seccomp architecture])
967	seccomp_audit_arch=
968	case "$host" in
969	x86_64-*)
970		seccomp_audit_arch=AUDIT_ARCH_X86_64
971		;;
972	i*86-*)
973		seccomp_audit_arch=AUDIT_ARCH_I386
974		;;
975	arm*-*)
976		seccomp_audit_arch=AUDIT_ARCH_ARM
977		;;
978	aarch64*-*)
979		seccomp_audit_arch=AUDIT_ARCH_AARCH64
980		;;
981	s390x-*)
982		seccomp_audit_arch=AUDIT_ARCH_S390X
983		;;
984	s390-*)
985		seccomp_audit_arch=AUDIT_ARCH_S390
986		;;
987	powerpc-*)
988		seccomp_audit_arch=AUDIT_ARCH_PPC
989		;;
990	powerpc64-*)
991		seccomp_audit_arch=AUDIT_ARCH_PPC64
992		;;
993	powerpc64le-*)
994		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
995		;;
996	mips-*)
997		seccomp_audit_arch=AUDIT_ARCH_MIPS
998		;;
999	mipsel-*)
1000		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
1001		;;
1002	mips64-*)
1003		case "$mips_abi" in
1004		"n32")
1005			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
1006			;;
1007		"n64")
1008			seccomp_audit_arch=AUDIT_ARCH_MIPS64
1009			;;
1010		esac
1011		;;
1012	mips64el-*)
1013		case "$mips_abi" in
1014		"n32")
1015			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
1016			;;
1017		"n64")
1018			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
1019			;;
1020		esac
1021		;;
1022	riscv64-*)
1023		seccomp_audit_arch=AUDIT_ARCH_RISCV64
1024		;;
1025	esac
1026	if test "x$seccomp_audit_arch" != "x" ; then
1027		AC_MSG_RESULT(["$seccomp_audit_arch"])
1028		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
1029		    [Specify the system call convention in use])
1030	else
1031		AC_MSG_RESULT([architecture not supported])
1032	fi
1033	;;
1034*-*-minix)
1035	AC_DEFINE([SETEUID_BREAKS_SETUID])
1036	# poll(2) seems to choke on /dev/null; "Bad file descriptor"
1037	AC_DEFINE([BROKEN_POLL], [1],
1038	    [System poll(2) implementation is broken])
1039	;;
1040mips-sony-bsd|mips-sony-newsos4)
1041	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
1042	SONY=1
1043	;;
1044*-*-netbsd*)
1045	if test "x$withval" != "xno" ; then
1046		rpath_opt="-R"
1047	fi
1048	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
1049	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
1050	AC_CHECK_HEADER([net/if_tap.h], ,
1051	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
1052	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
1053	    [Prepend the address family to IP tunnel traffic])
1054	TEST_MALLOC_OPTIONS="AJRX"
1055	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
1056	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
1057	;;
1058*-*-freebsd*)
1059	SKIP_DISABLE_LASTLOG_DEFINE=yes
1060	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
1061	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
1062	AC_CHECK_HEADER([net/if_tap.h], ,
1063	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
1064	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
1065	TEST_MALLOC_OPTIONS="AJRX"
1066	# Preauth crypto occasionally uses file descriptors for crypto offload
1067	# and will crash if they cannot be opened.
1068	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
1069	    [define if setrlimit RLIMIT_NOFILE breaks things])
1070	case "$host" in
1071	*-*-freebsd9.*|*-*-freebsd10.*)
1072		# Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
1073		disable_capsicum=yes
1074	esac
1075	;;
1076*-*-bsdi*)
1077	AC_DEFINE([SETEUID_BREAKS_SETUID])
1078	AC_DEFINE([BROKEN_SETREUID])
1079	AC_DEFINE([BROKEN_SETREGID])
1080	;;
1081*-next-*)
1082	conf_lastlog_location="/usr/adm/lastlog"
1083	conf_utmp_location=/etc/utmp
1084	conf_wtmp_location=/usr/adm/wtmp
1085	maildir=/usr/spool/mail
1086	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
1087	AC_DEFINE([USE_PIPES])
1088	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
1089	;;
1090*-*-openbsd*)
1091	use_pie=auto
1092	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
1093	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
1094	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
1095	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
1096	    [syslog_r function is safe to use in in a signal handler])
1097	TEST_MALLOC_OPTIONS="SJRU"
1098	;;
1099*-*-solaris*)
1100	if test "x$withval" != "xno" ; then
1101		rpath_opt="-R"
1102	fi
1103	AC_DEFINE([PAM_SUN_CODEBASE])
1104	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1105	AC_DEFINE([PAM_TTY_KLUDGE])
1106	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1107		[Define if pam_chauthtok wants real uid set
1108		to the unpriv'ed user])
1109	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1110	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1111	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1112		[Define if sshd somehow reacquires a controlling TTY
1113		after setsid()])
1114	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1115		in case the name is longer than 8 chars])
1116	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1117	external_path_file=/etc/default/login
1118	# hardwire lastlog location (can't detect it on some versions)
1119	conf_lastlog_location="/var/adm/lastlog"
1120	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1121	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1122	if test "$sol2ver" -ge 8; then
1123		AC_MSG_RESULT([yes])
1124		AC_DEFINE([DISABLE_UTMP])
1125		AC_DEFINE([DISABLE_WTMP], [1],
1126			[Define if you don't want to use wtmp])
1127	else
1128		AC_MSG_RESULT([no])
1129	fi
1130	AC_CHECK_FUNCS([setpflags])
1131	AC_CHECK_FUNCS([setppriv])
1132	AC_CHECK_FUNCS([priv_basicset])
1133	AC_CHECK_HEADERS([priv.h])
1134	AC_ARG_WITH([solaris-contracts],
1135		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1136		[
1137		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1138			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1139				[Define if you have Solaris process contracts])
1140			  LIBS="$LIBS -lcontract"
1141			  SPC_MSG="yes" ], )
1142		],
1143	)
1144	AC_ARG_WITH([solaris-projects],
1145		[  --with-solaris-projects Enable Solaris projects (experimental)],
1146		[
1147		AC_CHECK_LIB([project], [setproject],
1148			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1149				[Define if you have Solaris projects])
1150			LIBS="$LIBS -lproject"
1151			SP_MSG="yes" ], )
1152		],
1153	)
1154	AC_ARG_WITH([solaris-privs],
1155		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1156		[
1157		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1158		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1159			"x$ac_cv_header_priv_h" = "xyes" ; then
1160			SOLARIS_PRIVS=yes
1161			AC_MSG_RESULT([found])
1162			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1163				[Define to disable UID restoration test])
1164			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1165				[Define if you have Solaris privileges])
1166			SPP_MSG="yes"
1167		else
1168			AC_MSG_RESULT([not found])
1169			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1170		fi
1171		],
1172	)
1173	TEST_SHELL=$SHELL	# let configure find us a capable shell
1174	;;
1175*-*-sunos4*)
1176	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1177	AC_CHECK_FUNCS([getpwanam])
1178	AC_DEFINE([PAM_SUN_CODEBASE])
1179	conf_utmp_location=/etc/utmp
1180	conf_wtmp_location=/var/adm/wtmp
1181	conf_lastlog_location=/var/adm/lastlog
1182	AC_DEFINE([USE_PIPES])
1183	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1184	;;
1185*-ncr-sysv*)
1186	LIBS="$LIBS -lc89"
1187	AC_DEFINE([USE_PIPES])
1188	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1189	AC_DEFINE([SETEUID_BREAKS_SETUID])
1190	AC_DEFINE([BROKEN_SETREUID])
1191	AC_DEFINE([BROKEN_SETREGID])
1192	;;
1193*-sni-sysv*)
1194	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1195	AC_CHECK_LIB([dl], [dlsym], ,)
1196	# -lresolv needs to be at the end of LIBS or DNS lookups break
1197	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1198	IPADDR_IN_DISPLAY=yes
1199	AC_DEFINE([USE_PIPES])
1200	AC_DEFINE([IP_TOS_IS_BROKEN])
1201	AC_DEFINE([SETEUID_BREAKS_SETUID])
1202	AC_DEFINE([BROKEN_SETREUID])
1203	AC_DEFINE([BROKEN_SETREGID])
1204	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1205	external_path_file=/etc/default/login
1206	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1207	# Attention: always take care to bind libsocket and libnsl before libc,
1208	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1209	;;
1210# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1211*-*-sysv4.2*)
1212	AC_DEFINE([USE_PIPES])
1213	AC_DEFINE([SETEUID_BREAKS_SETUID])
1214	AC_DEFINE([BROKEN_SETREUID])
1215	AC_DEFINE([BROKEN_SETREGID])
1216	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1217	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1218	TEST_SHELL=$SHELL	# let configure find us a capable shell
1219	;;
1220# UnixWare 7.x, OpenUNIX 8
1221*-*-sysv5*)
1222	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1223	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1224	AC_DEFINE([USE_PIPES])
1225	AC_DEFINE([SETEUID_BREAKS_SETUID])
1226	AC_DEFINE([BROKEN_GETADDRINFO])
1227	AC_DEFINE([BROKEN_SETREUID])
1228	AC_DEFINE([BROKEN_SETREGID])
1229	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1230	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1231	TEST_SHELL=$SHELL	# let configure find us a capable shell
1232	case "$host" in
1233	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1234		maildir=/var/spool/mail
1235		AC_DEFINE([BROKEN_UPDWTMPX])
1236		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1237			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1238			], , )
1239		;;
1240	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1241		;;
1242	esac
1243	;;
1244*-*-sysv*)
1245	;;
1246# SCO UNIX and OEM versions of SCO UNIX
1247*-*-sco3.2v4*)
1248	AC_MSG_ERROR("This Platform is no longer supported.")
1249	;;
1250# SCO OpenServer 5.x
1251*-*-sco3.2v5*)
1252	if test -z "$GCC"; then
1253		CFLAGS="$CFLAGS -belf"
1254	fi
1255	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1256	no_dev_ptmx=1
1257	AC_DEFINE([USE_PIPES])
1258	AC_DEFINE([HAVE_SECUREWARE])
1259	AC_DEFINE([DISABLE_SHADOW])
1260	AC_DEFINE([DISABLE_FD_PASSING])
1261	AC_DEFINE([SETEUID_BREAKS_SETUID])
1262	AC_DEFINE([BROKEN_GETADDRINFO])
1263	AC_DEFINE([BROKEN_SETREUID])
1264	AC_DEFINE([BROKEN_SETREGID])
1265	AC_DEFINE([WITH_ABBREV_NO_TTY])
1266	AC_DEFINE([BROKEN_UPDWTMPX])
1267	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1268	AC_CHECK_FUNCS([getluid setluid])
1269	MANTYPE=man
1270	TEST_SHELL=$SHELL	# let configure find us a capable shell
1271	SKIP_DISABLE_LASTLOG_DEFINE=yes
1272	;;
1273*-dec-osf*)
1274	AC_MSG_CHECKING([for Digital Unix SIA])
1275	no_osfsia=""
1276	AC_ARG_WITH([osfsia],
1277		[  --with-osfsia           Enable Digital Unix SIA],
1278		[
1279			if test "x$withval" = "xno" ; then
1280				AC_MSG_RESULT([disabled])
1281				no_osfsia=1
1282			fi
1283		],
1284	)
1285	if test -z "$no_osfsia" ; then
1286		if test -f /etc/sia/matrix.conf; then
1287			AC_MSG_RESULT([yes])
1288			AC_DEFINE([HAVE_OSF_SIA], [1],
1289				[Define if you have Digital Unix Security
1290				Integration Architecture])
1291			AC_DEFINE([DISABLE_LOGIN], [1],
1292				[Define if you don't want to use your
1293				system's login() call])
1294			AC_DEFINE([DISABLE_FD_PASSING])
1295			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1296			SIA_MSG="yes"
1297		else
1298			AC_MSG_RESULT([no])
1299			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1300			  [String used in /etc/passwd to denote locked account])
1301		fi
1302	fi
1303	AC_DEFINE([BROKEN_GETADDRINFO])
1304	AC_DEFINE([SETEUID_BREAKS_SETUID])
1305	AC_DEFINE([BROKEN_SETREUID])
1306	AC_DEFINE([BROKEN_SETREGID])
1307	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1308	;;
1309
1310*-*-nto-qnx*)
1311	AC_DEFINE([USE_PIPES])
1312	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1313	AC_DEFINE([DISABLE_LASTLOG])
1314	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1315	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1316	enable_etc_default_login=no	# has incompatible /etc/default/login
1317	case "$host" in
1318	*-*-nto-qnx6*)
1319		AC_DEFINE([DISABLE_FD_PASSING])
1320		;;
1321	esac
1322	;;
1323
1324*-*-ultrix*)
1325	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1326	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1327	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1328	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1329	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1330	# don't get a controlling tty.
1331	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1332	# On Ultrix some headers are not protected against multiple includes,
1333	# so we create wrappers and put it where the compiler will find it.
1334	AC_MSG_WARN([creating compat wrappers for headers])
1335	mkdir -p netinet
1336	for header in netinet/ip.h netdb.h resolv.h; do
1337		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1338		cat >$header <<EOD
1339#ifndef _SSH_COMPAT_${name}
1340#define _SSH_COMPAT_${name}
1341#include "/usr/include/${header}"
1342#endif
1343EOD
1344	done
1345	;;
1346
1347*-*-lynxos)
1348	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1349	AC_DEFINE([BROKEN_SETVBUF], [1],
1350	    [LynxOS has broken setvbuf() implementation])
1351	;;
1352*-*-gnu*)
1353	dnl GNU Hurd.  Needs to be after the linux and the other *-gnu entries.
1354	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
1355	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
1356	dnl _GNU_SOURCE is needed for setres*id prototypes.
1357	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
1358	;;
1359esac
1360
# Confirm that the compiler and the flags accumulated so far can build and
# run a trivial program. A failure aborts configure. When cross compiling
# the program cannot be run, so the check is skipped with a warning only.
1361AC_MSG_CHECKING([compiler and flags for sanity])
1362AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
1363	[	AC_MSG_RESULT([yes]) ],
1364	[
1365		AC_MSG_RESULT([no])
1366		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1367	],
1368	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1369)
1370
1371dnl Checks for header files.
1372# Checks for libraries.
# Fall back to libsocket for setsockopt when the default link lacks it.
1373AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1374
# dirname lookup: use the default link if it provides dirname. Otherwise try
# libgen, but add it to LIBS only after a run test shows that its dirname
# maps "/etc" to "/". The verdict is cached in ac_cv_have_broken_dirname.
# When cross compiling the test cannot run and libgen is assumed to work.
1375dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1376AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1377	AC_CHECK_LIB([gen], [dirname], [
1378		AC_CACHE_CHECK([for broken dirname],
1379			ac_cv_have_broken_dirname, [
1380			save_LIBS="$LIBS"
1381			LIBS="$LIBS -lgen"
1382			AC_RUN_IFELSE(
1383				[AC_LANG_SOURCE([[
1384#include <libgen.h>
1385#include <string.h>
1386#include <stdlib.h>
1387
1388int main(int argc, char **argv) {
1389    char *s, buf[32];
1390
1391    strncpy(buf,"/etc", 32);
1392    s = dirname(buf);
1393    if (!s || strncmp(s, "/", 32) != 0) {
1394	exit(1);
1395    } else {
1396	exit(0);
1397    }
1398}
1399				]])],
1400				[ ac_cv_have_broken_dirname="no" ],
1401				[ ac_cv_have_broken_dirname="yes" ],
1402				[ ac_cv_have_broken_dirname="no" ],
1403			)
1404			LIBS="$save_LIBS"
1405		])
1406		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1407			LIBS="$LIBS -lgen"
1408			AC_DEFINE([HAVE_DIRNAME])
1409			AC_CHECK_HEADERS([libgen.h])
1410		fi
1411	])
1412])
1413
# getspnam falls back to libgen when the default link lacks it; basename is
# searched in the default link first and then in libgen.
1414AC_CHECK_FUNC([getspnam], ,
1415	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1416AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1417	[Define if you have the basename function.])])
1418
# --with-zlib=PATH: "no" disables zlib, "yes" keeps the default search, and
# any other value is taken as an install location. PATH/lib and PATH/include
# are used when they exist, otherwise PATH itself. The directory is placed at
# the front of the search paths and, when rpath_opt is set, is also recorded
# as a run-time library path, so it should be an absolute directory that only
# trusted accounts can write to.
1419dnl zlib defaults to enabled
1420zlib=yes
1421AC_ARG_WITH([zlib],
1422	[  --with-zlib=PATH        Use zlib in PATH],
1423	[ if test "x$withval" = "xno" ; then
1424		zlib=no
1425	  elif test "x$withval" != "xyes"; then
1426		if test -d "$withval/lib"; then
1427			if test -n "${rpath_opt}"; then
1428				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1429			else
1430				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1431			fi
1432		else
1433			if test -n "${rpath_opt}"; then
1434				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1435			else
1436				LDFLAGS="-L${withval} ${LDFLAGS}"
1437			fi
1438		fi
1439		if test -d "$withval/include"; then
1440			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1441		else
1442			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1443		fi
1444	fi ]
1445)
1446
1447# These libraries are needed for anything that links in the channel code.
1448CHANNELLIBS=""
# zlib probe: require zlib.h, then link against deflate. If the default
# search fails, retry with /usr/local/include and /usr/local/lib in front,
# and stop with an error if that fails too.
# NOTE(review): the retry also records /usr/local/lib as a run-time library
# path when rpath_opt is set; confirm that directory is writable only by
# administrators on the build and target hosts.
1449AC_MSG_CHECKING([for zlib])
1450if test "x${zlib}" = "xno"; then
1451	AC_MSG_RESULT([no])
1452else
1453    saved_LIBS="$LIBS"
1454    CHANNELLIBS="$CHANNELLIBS -lz"
1455    AC_MSG_RESULT([yes])
1456    AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1457    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1458    AC_CHECK_LIB([z], [deflate], [],
1459	[
1460		saved_CPPFLAGS="$CPPFLAGS"
1461		saved_LDFLAGS="$LDFLAGS"
1462		dnl Check default zlib install dir
1463		if test -n "${rpath_opt}"; then
1464			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1465		else
1466			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1467		fi
1468		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1469		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1470			[
1471				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1472			]
1473		)
1474	]
1475    )
1476
1477    AC_ARG_WITH([zlib-version-check],
1478	[  --without-zlib-version-check Disable zlib version check],
1479	[  if test "x$withval" = "xno" ; then
1480		zlib_check_nonfatal=1
1481	   fi
1482	]
1483    )
1484
    # Version gate: the test program parses the ZLIB_VERSION macro from zlib.h
    # and accepts 1.1.4 or a later 1.1.x, or 1.2.3 and later. A result of "no"
    # means the version passed. The macro describes the header seen at build
    # time, not the shared library that is loaded at run time.
    # --without-zlib-version-check downgrades a failure to a warning, and a
    # cross build skips the check with a warning, so the deployed zlib has to
    # be verified separately in those cases.
1485    AC_MSG_CHECKING([for possibly buggy zlib])
1486    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1487#include <stdio.h>
1488#include <stdlib.h>
1489#include <zlib.h>
1490	]],
1491	[[
1492	int a=0, b=0, c=0, d=0, n, v;
1493	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1494	if (n < 1)
1495		exit(1);
1496	v = a*1000000 + b*10000 + c*100 + d;
1497	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1498
1499	/* 1.1.4 is OK */
1500	if (a == 1 && b == 1 && c >= 4)
1501		exit(0);
1502
1503	/* 1.2.3 and up are OK */
1504	if (v >= 1020300)
1505		exit(0);
1506
1507	exit(2);
1508	]])],
1509	AC_MSG_RESULT([no]),
1510	[ AC_MSG_RESULT([yes])
1511	  if test -z "$zlib_check_nonfatal" ; then
1512		AC_MSG_ERROR([*** zlib too old - check config.log ***
1513Your reported zlib version has known security problems.  It's possible your
1514vendor has fixed these problems without changing the version number.  If you
1515are sure this is the case, you can disable the check by running
1516"./configure --without-zlib-version-check".
1517If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1518See http://www.gzip.org/zlib/ for details.])
1519	  else
1520		AC_MSG_WARN([zlib version may have security problems])
1521	  fi
1522	],
1523	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1524    )
1525    LIBS="$saved_LIBS"
1526fi
1527
1528dnl UnixWare 2.x
# strcasecmp falls back to libresolv and utimes to libc89 when the default
# link does not provide them; each fallback appends its library to LIBS.
1529AC_CHECK_FUNC([strcasecmp],
1530	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1531)
1532AC_CHECK_FUNCS([utimes],
1533	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1534					LIBS="$LIBS -lc89"]) ]
1535)
1536
1537dnl    Checks for libutil functions
# Search libutil and libbsd for the login accounting, pty and scaled-number
# helpers, then record which of the functions are actually available.
1538AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1539AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1540AC_SEARCH_LIBS([scan_scaled], [util bsd])
1541AC_SEARCH_LIBS([login], [util bsd])
1542AC_SEARCH_LIBS([logout], [util bsd])
1543AC_SEARCH_LIBS([logwtmp], [util bsd])
1544AC_SEARCH_LIBS([openpty], [util bsd])
1545AC_SEARCH_LIBS([updwtmp], [util bsd])
1546AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1547
1548# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1549# or libnsl.
# The first listed library that resolves the symbol is added to LIBS.
1550AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1551AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1552
1553# Some Linux distributions ship the BSD libc hashing functions in
1554# separate libraries.
1555AC_SEARCH_LIBS([SHA256Update], [md bsd])
1556
1557# "Particular Function Checks"
1558# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1559AC_FUNC_STRFTIME
1560AC_FUNC_MALLOC
1561AC_FUNC_REALLOC
1562# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
# The probe exits 0 only when calloc(0, 1) returns a non-null pointer. A
# cross build cannot run it and reuses the result of the malloc check.
1563AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1564AC_RUN_IFELSE(
1565	[AC_LANG_PROGRAM(
1566		[[ #include <stdlib.h> ]],
1567		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1568	)],
1569	[ func_calloc_0_nonnull=yes ],
1570	[ func_calloc_0_nonnull=no ],
1571	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1572	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1573)
1574AC_MSG_RESULT([$func_calloc_0_nonnull])
1575
# When calloc(0, N) returns NULL, calloc is redefined to rpl_calloc so that
# the replacement function is used instead of the system one.
1576if test "x$func_calloc_0_nonnull" = "xyes"; then
1577	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1578else
1579	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1580	AC_DEFINE(calloc, rpl_calloc,
1581	    [Define to rpl_calloc if the replacement function should be used.])
1582fi
1583
1584# Check for ALTDIRFUNC glob() extension
# Preprocessor-only probe: GLOB_HAS_ALTDIRFUNC is defined when glob.h
# defines GLOB_ALTDIRFUNC.
1585AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1586AC_EGREP_CPP([FOUNDIT],
1587	[
1588		#include <glob.h>
1589		#ifdef GLOB_ALTDIRFUNC
1590		FOUNDIT
1591		#endif
1592	],
1593	[
1594		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1595			[Define if your system glob() function has
1596			the GLOB_ALTDIRFUNC extension])
1597		AC_MSG_RESULT([yes])
1598	],
1599	[
1600		AC_MSG_RESULT([no])
1601	]
1602)
1603
1604# Check for g.gl_matchc glob() extension
# Compile-only probe: GLOB_HAS_GL_MATCHC is defined when glob_t has a
# gl_matchc member that can be assigned.
1605AC_MSG_CHECKING([for gl_matchc field in glob_t])
1606AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1607	[[ glob_t g; g.gl_matchc = 1; ]])],
1608	[
1609		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1610			[Define if your system glob() function has
1611			gl_matchc options in glob_t])
1612		AC_MSG_RESULT([yes])
1613	], [
1614		AC_MSG_RESULT([no])
1615])
1616
1617# Check for g.gl_statv glob() extension
# Compile-only probe: GLOB_HAS_GL_STATV is defined only when glob.h provides
# both the GLOB_KEEPSTAT flag and a gl_statv member in glob_t.
1618AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1619AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1620#ifndef GLOB_KEEPSTAT
1621#error "glob does not support GLOB_KEEPSTAT extension"
1622#endif
1623glob_t g;
1624g.gl_statv = NULL;
1625]])],
1626	[
1627		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1628			[Define if your system glob() function has
1629			gl_statv options in glob_t])
1630		AC_MSG_RESULT([yes])
1631	], [
1632		AC_MSG_RESULT([no])
1633
1634])
1635
# Record whether glob.h declares GLOB_NOMATCH, and mark strnvis as broken
# when vis.h does not declare VIS_ALL.
1635AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1636
1637AC_CHECK_DECL([VIS_ALL], ,
1638    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1640
# The run test exits non-zero when d_name in struct dirent is no larger than
# one char, in which case callers must allocate the name space themselves.
# A cross build cannot run the test and assumes the one-byte layout.
1640AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1641AC_RUN_IFELSE(
1642	[AC_LANG_PROGRAM([[
1643#include <sys/types.h>
1644#include <dirent.h>
1645#include <stdlib.h>
1646	]],
1647	[[
1648	struct dirent d;
1649	exit(sizeof(d.d_name)<=sizeof(char));
1650	]])],
1651	[AC_MSG_RESULT([yes])],
1652	[
1653		AC_MSG_RESULT([no])
1654		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1655			[Define if your struct dirent expects you to
1656			allocate extra space for d_name])
1657	],
1658	[
1659		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1660		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1661	]
1662)
1664
# NOTE(review): this looks at /proc on the machine running configure, using
# the PID of the configure shell. For a cross build, or a build inside a
# container with a restricted /proc, the result may not match the system the
# binaries will run on; confirm HAVE_PROC_PID in config.h in those cases.
1664AC_MSG_CHECKING([for /proc/pid/fd directory])
1665if test -d "/proc/$$/fd" ; then
1666	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1667	AC_MSG_RESULT([yes])
1668else
1669	AC_MSG_RESULT([no])
1670fi
1672
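1673# Check whether user wants TCP wrappers support
# --with-tcp-wrappers, optionally with an install location: links sshd
# against libwrap so that connections can be filtered through hosts_access.
# Once the option is given, a missing or unusable libwrap is a hard error
# rather than a silent downgrade. The location is added to the front of the
# header and library search paths and, where a run-time path option is in
# effect, recorded in the binaries as well, so it should be an absolute
# directory that only trusted accounts can write to.
1674TCPW_MSG="no"
1675AC_ARG_WITH([tcp-wrappers],
1676	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1677	[
1678		if test "x$withval" != "xno" ; then
1679			saved_LIBS="$LIBS"
1680			saved_LDFLAGS="$LDFLAGS"
1681			saved_CPPFLAGS="$CPPFLAGS"
			# Use the same run-time path option as the zlib and
			# libedit options. need_dash_r is not assigned in the
			# visible part of this file but is still honoured if
			# something sets it.
			tcpw_rpath_opt="${rpath_opt}"
			if test -z "${tcpw_rpath_opt}" && \
			    test -n "${need_dash_r}"; then
				tcpw_rpath_opt="-R"
			fi
1682			if test -n "${withval}" && \
1683			    test "x${withval}" != "xyes"; then
1684				if test -d "${withval}/lib"; then
1685					if test -n "${tcpw_rpath_opt}"; then
1686						LDFLAGS="-L${withval}/lib ${tcpw_rpath_opt}${withval}/lib ${LDFLAGS}"
1687					else
1688						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1689					fi
1690				else
1691					if test -n "${tcpw_rpath_opt}"; then
1692						LDFLAGS="-L${withval} ${tcpw_rpath_opt}${withval} ${LDFLAGS}"
1693					else
1694						LDFLAGS="-L${withval} ${LDFLAGS}"
1695					fi
1696				fi
1697				if test -d "${withval}/include"; then
1698					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1699				else
1700					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1701				fi
1702			fi
			# Link test only; -lwrap ends up in SSHDLIBS, and LIBS
			# is restored afterwards.
1703			LIBS="-lwrap $LIBS"
1704			AC_MSG_CHECKING([for libwrap])
1705			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1706#include <sys/types.h>
1707#include <sys/socket.h>
1708#include <netinet/in.h>
1709#include <tcpd.h>
1710int deny_severity = 0, allow_severity = 0;
1711				]], [[
1712	hosts_access(0);
1713				]])], [
1714					AC_MSG_RESULT([yes])
1715					AC_DEFINE([LIBWRAP], [1],
1716						[Define if you want
1717						TCP Wrappers support])
1718					SSHDLIBS="$SSHDLIBS -lwrap"
1719					TCPW_MSG="yes"
1720				], [
1721					AC_MSG_ERROR([*** libwrap missing])
1722			])
1723			LIBS="$saved_LIBS"
1724		fi
1725	]
1726)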
1727
1728# Check whether user wants to use ldns
# --with-ldns: with no path, the flags come from ldns-config when it is
# found and otherwise default to -lldns; with a path, PATH/include and
# PATH/lib are added to the search paths. The link test below must succeed
# or configure stops.
# NOTE(review): the output of ldns-config is spliced into the compiler and
# linker flags verbatim, and the tool is located through the search path of
# the build environment; confirm that search path holds only trusted
# directories.
1729LDNS_MSG="no"
1730AC_ARG_WITH(ldns,
1731	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1732	[
1733	ldns=""
1734	if test "x$withval" = "xyes" ; then
1735		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1736		if test "x$LDNSCONFIG" = "xno"; then
1737			LIBS="-lldns $LIBS"
1738			ldns=yes
1739		else
1740			LIBS="$LIBS `$LDNSCONFIG --libs`"
1741			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1742			ldns=yes
1743		fi
1744	elif test "x$withval" != "xno" ; then
1745			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1746			LDFLAGS="$LDFLAGS -L${withval}/lib"
1747			LIBS="-lldns $LIBS"
1748			ldns=yes
1749	fi
1750
1751	# Verify that it works.
1752	if test "x$ldns" = "xyes" ; then
1753		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1754		LDNS_MSG="yes"
1755		AC_MSG_CHECKING([for ldns support])
1756		AC_LINK_IFELSE(
1757			[AC_LANG_SOURCE([[
1758#include <stdio.h>
1759#include <stdlib.h>
1760#ifdef HAVE_STDINT_H
1761# include <stdint.h>
1762#endif
1763#include <ldns/ldns.h>
1764int main(void) { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1765			]])
1766		],
1767			[AC_MSG_RESULT(yes)],
1768				[
1769					AC_MSG_RESULT(no)
1770					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1771				])
1772	fi
1773])
1774
1775# Check whether user wants libedit support
# --with-libedit: with no path, the tool named by PKGCONFIG is asked for the
# libedit flags when it knows the package, else -ledit -lcurses is assumed.
# With a path, PATH/include and PATH/lib are added and PATH/lib is recorded
# as a run-time library path when rpath_opt is set, so the path should be an
# absolute directory that only trusted accounts can write to. Both the link
# check and the header compatibility check are fatal on failure.
1776LIBEDIT_MSG="no"
1777AC_ARG_WITH([libedit],
1778	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1779	[ if test "x$withval" != "xno" ; then
1780		if test "x$withval" = "xyes" ; then
1781			if test "x$PKGCONFIG" != "xno"; then
1782				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1783				if "$PKGCONFIG" libedit; then
1784					AC_MSG_RESULT([yes])
1785					use_pkgconfig_for_libedit=yes
1786				else
1787					AC_MSG_RESULT([no])
1788				fi
1789			fi
1790		else
1791			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1792			if test -n "${rpath_opt}"; then
1793				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1794			else
1795				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1796			fi
1797		fi
1798		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1799			LIBEDIT=`$PKGCONFIG --libs libedit`
1800			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1801		else
1802			LIBEDIT="-ledit -lcurses"
1803		fi
		# Everything in LIBEDIT except -ledit itself is passed to the
		# link check as the extra libraries that libedit depends on.
1804		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1805		AC_CHECK_LIB([edit], [el_init],
1806			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1807			  LIBEDIT_MSG="yes"
1808			  AC_SUBST([LIBEDIT])
1809			],
1810			[ AC_MSG_ERROR([libedit not found]) ],
1811			[ $OTHERLIBS ]
1812		)
1813		AC_MSG_CHECKING([if libedit version is compatible])
1814		AC_COMPILE_IFELSE(
1815		    [AC_LANG_PROGRAM([[
1816#include <histedit.h>
1817#include <stdlib.h>
1818		    ]],
1819		    [[
1820	int i = H_SETSIZE;
1821	el_init("", NULL, NULL, NULL);
1822	exit(0);
1823		    ]])],
1824		    [ AC_MSG_RESULT([yes]) ],
1825		    [ AC_MSG_RESULT([no])
1826		      AC_MSG_ERROR([libedit version is not compatible]) ]
1827		)
1828	fi ]
1829)
1830
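# --with-audit=module selects the audit backend: bsm, linux or debug. Without
# the option, or with the value "no", AUDIT_MODULE stays at none and none of
# the audit defines below are set. Any other value is rejected with an error.
1831AUDIT_MODULE=none
1832AC_ARG_WITH([audit],
1833	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1834	[
1835	  AC_MSG_CHECKING([for supported audit module])
1836	  case "$withval" in
1837	  bsm)
1838		AC_MSG_RESULT([bsm])
1839		AUDIT_MODULE=bsm
1840		dnl    Checks for headers, libs and functions
1841		AC_CHECK_HEADERS([bsm/audit.h], [],
1842		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1843		    [
1844#ifdef HAVE_TIME_H
1845# include <time.h>
1846#endif
1847		    ]
1848)
1849		AC_CHECK_LIB([bsm], [getaudit], [],
1850		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1851		AC_CHECK_FUNCS([getaudit], [],
1852		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1853		# These are optional
1854		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1855		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
		# sol2ver is set by the Solaris host case; skip the numeric
		# comparison when it is empty so that test does not fail with
		# a non-integer operand on other BSM platforms.
1856		if test "x$sol2ver" != "x" && test "$sol2ver" -ge 11; then
1857			SSHDLIBS="$SSHDLIBS -lscf"
1858			AC_DEFINE([BROKEN_BSM_API], [1],
1859				[The system has incomplete BSM API])
1860		fi
1861		;;
1862	  linux)
1863		AC_MSG_RESULT([linux])
1864		AUDIT_MODULE=linux
1865		dnl    Checks for headers, libs and functions
		# NOTE(review): unlike the bsm branch, a missing libaudit.h is
		# not an error here and -laudit is added unconditionally;
		# verify that the header and library are present on hosts
		# where audit records are required.
1866		AC_CHECK_HEADERS([libaudit.h])
1867		SSHDLIBS="$SSHDLIBS -laudit"
1868		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1869		;;
1870	  debug)
1871		AUDIT_MODULE=debug
1872		AC_MSG_RESULT([debug])
1873		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1874		;;
1875	  no)
1876		AC_MSG_RESULT([no])
1877		;;
1878	  *)
1879		AC_MSG_ERROR([Unknown audit module $withval])
1880		;;
1881	esac ]
1882)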
1883
# --with-pie: "yes" or "no" override the value of use_pie, which the host
# case may already have set to auto; an unset value means no. Auto is dropped
# when toolchain hardening is off, or when the compiler does not report
# __GNUC__ of at least 4. The flags -fPIE and -pie are kept only as a pair.
# NOTE(review): when --with-pie=yes is given but either flag is rejected, the
# result is reported as "no" and the build continues without PIE. Check the
# installed binaries when address space randomisation of the executable
# image is a requirement.
1884AC_ARG_WITH([pie],
1885    [  --with-pie              Build Position Independent Executables if possible], [
1886	if test "x$withval" = "xno"; then
1887		use_pie=no
1888	fi
1889	if test "x$withval" = "xyes"; then
1890		use_pie=yes
1891	fi
1892    ]
1893)
1894if test "x$use_pie" = "x"; then
1895	use_pie=no
1896fi
1897if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1898	# Turn off automatic PIE when toolchain hardening is off.
1899	use_pie=no
1900fi
1901if test "x$use_pie" = "xauto"; then
1902	# Automatic PIE requires gcc >= 4.x
1903	AC_MSG_CHECKING([for gcc >= 4.x])
1904	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1905#if !defined(__GNUC__) || __GNUC__ < 4
1906#error gcc is too old
1907#endif
1908]])],
1909	[ AC_MSG_RESULT([yes]) ],
1910	[ AC_MSG_RESULT([no])
1911	  use_pie=no ]
1912)
1913fi
1914if test "x$use_pie" != "xno"; then
1915	SAVED_CFLAGS="$CFLAGS"
1916	SAVED_LDFLAGS="$LDFLAGS"
1917	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1918	OSSH_CHECK_LDFLAG_LINK([-pie])
1919	# We use both -fPIE and -pie or neither.
1920	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1921	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1922	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1923		AC_MSG_RESULT([yes])
1924	else
1925		AC_MSG_RESULT([no])
1926		CFLAGS="$SAVED_CFLAGS"
1927		LDFLAGS="$SAVED_LDFLAGS"
1928	fi
1929fi
1930
# Probe whether the compiler accepts -fPIC and export the answer as PICFLAG.
# CFLAGS is only changed for the duration of the probe and restored after it.
1931AC_MSG_CHECKING([whether -fPIC is accepted])
1932SAVED_CFLAGS="$CFLAGS"
1933CFLAGS="$CFLAGS -fPIC"
1934AC_COMPILE_IFELSE(
1935	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1936   [AC_MSG_RESULT([yes])
1937    PICFLAG="-fPIC"; ],
1938   [AC_MSG_RESULT([no])
1939    PICFLAG=""; ])
1940CFLAGS="$SAVED_CFLAGS"
1941AC_SUBST([PICFLAG])
1942
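dnl    Checks for library functions. Please keep in alphabetical order
dnl
dnl    A missing function is not an error at this point; each probe only
dnl    records a HAVE_ result.  Several entries back security-sensitive code:
dnl    explicit_bzero, explicit_memset, freezero and memset_s scrub memory,
dnl    timingsafe_bcmp compares in constant time, getentropy and getrandom
dnl    supply randomness, and pledge, cap_rights_limit, prctl and procctl are
dnl    process-restriction interfaces.  What is used when one of them is
dnl    absent is decided elsewhere in the tree.
dnl
dnl    Every entry is followed by a space and a backslash so that the list
dnl    does not depend on the indentation of the next line to separate names.
AC_CHECK_FUNCS([ \
	auth_hostok \
	auth_timeok \
	Blowfish_initstate \
	Blowfish_expandstate \
	Blowfish_expand0state \
	Blowfish_stream2word \
	SHA256Update \
	SHA384Update \
	SHA512Update \
	asprintf \
	b64_ntop \
	__b64_ntop \
	b64_pton \
	__b64_pton \
	bcopy \
	bcrypt_pbkdf \
	bindresvport_sa \
	blf_enc \
	bzero \
	cap_rights_limit \
	clock \
	closefrom \
	close_range \
	dirfd \
	endgrent \
	err \
	errx \
	explicit_bzero \
	explicit_memset \
	fchmod \
	fchmodat \
	fchown \
	fchownat \
	flock \
	fnmatch \
	freeaddrinfo \
	freezero \
	fstatfs \
	fstatvfs \
	futimes \
	getaddrinfo \
	getcwd \
	getentropy \
	getgrouplist \
	getline \
	getnameinfo \
	getopt \
	getpagesize \
	getpeereid \
	getpeerucred \
	getpgid \
	_getpty \
	getrlimit \
	getrandom \
	getsid \
	getttyent \
	glob \
	group_from_gid \
	inet_aton \
	inet_ntoa \
	inet_ntop \
	innetgr \
	killpg \
	llabs \
	localtime_r \
	login_getcapbool \
	login_getpwclass \
	memmem \
	memmove \
	memset_s \
	mkdtemp \
	ngetaddrinfo \
	nsleep \
	ogetaddrinfo \
	openlog_r \
	pledge \
	poll \
	ppoll \
	prctl \
	procctl \
	pselect \
	pstat \
	raise \
	readpassphrase \
	reallocarray \
	realpath \
	recvmsg \
	recallocarray \
	rresvport_af \
	sendmsg \
	setdtablesize \
	setegid \
	setenv \
	seteuid \
	setgroupent \
	setgroups \
	setlinebuf \
	setlogin \
	setpassent \
	setpcred \
	setproctitle \
	setregid \
	setreuid \
	setrlimit \
	setsid \
	setvbuf \
	sigaction \
	sigvec \
	snprintf \
	socketpair \
	statfs \
	statvfs \
	strcasestr \
	strdup \
	strerror \
	strlcat \
	strlcpy \
	strmode \
	strndup \
	strnlen \
	strnvis \
	strptime \
	strsignal \
	strtonum \
	strtoll \
	strtoul \
	strtoull \
	sysconf \
	tcgetpgrp \
	timegm \
	timingsafe_bcmp \
	truncate \
	unsetenv \
	updwtmpx \
	utimensat \
	user_from_uid \
	usleep \
	vasprintf \
	vsnprintf \
	waitpid \
	warn \
])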
2087
AC_CHECK_DECLS([bzero, memmem])

dnl Wide character support.
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])

dnl UTF-8 locale probe.  TEST_SSH_UTF8 keeps a value already present in the
dnl environment and otherwise becomes yes; it is set to no when the test
dnl program cannot select en_US.UTF-8.  Cross builds keep the default.
: "${TEST_SSH_UTF8:=yes}"
AC_MSG_CHECKING([for utf8 locale support])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <locale.h>
#include <stdlib.h>
	]], [[
	exit(setlocale(LC_CTYPE, "en_US.UTF-8") == NULL);
	]])],
	[AC_MSG_RESULT([yes])],
	[
		AC_MSG_RESULT([no])
		TEST_SSH_UTF8=no
	],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)

dnl isblank is probed with a link test because it may be a macro.
AC_LINK_IFELSE(
	[AC_LANG_PROGRAM(
		[[ #include <ctype.h> ]],
		[[ return (isblank('a')); ]])],
	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])]
)
2117
dnl Feature switches.  Each one only records the request in a shell variable
dnl here; the code that acts on these variables is further down the file.

dnl PKCS#11 support is on unless --disable-pkcs11 is given.
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		case "x$enableval" in
		xno)	disable_pkcs11=1 ;;
		esac
	]
)

dnl U2F/FIDO support is on unless --disable-security-key is given.
disable_sk=
AC_ARG_ENABLE([security-key],
	[  --disable-security-key  disable U2F/FIDO support code [no]],
	[
		case "x$enableval" in
		xno)	disable_sk=1 ;;
		esac
	]
)
dnl enable_sk_internal receives the raw option value without validation.
enable_sk_internal=
AC_ARG_WITH([security-key-builtin],
	[  --with-security-key-builtin include builtin U2F/FIDO support],
	[ enable_sk_internal=$withval ]
)

dnl DSA is opt-in: enable_dsa stays empty unless --enable-dsa-keys is given
dnl with a value other than no.  SSH DSA keys are tied to SHA-1 and 1024-bit
dnl parameters, so a build that turns this on should be a deliberate choice
dnl for legacy interoperability.
enable_dsa=
AC_ARG_ENABLE([dsa-keys],
	[  --enable-dsa-keys       enable DSA key support [no]],
	[
		case "x$enableval" in
		xno)	;;
		*)	enable_dsa=1 ;;
		esac
	]
)
2152
dnl Dynamic loading: find the library that provides dlopen, then record the
dnl function and the RTLD_NOW declaration.
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])

# IRIX has a const char return value for gai_strerror()
# The probe redeclares gai_strerror with a const return type; it compiles
# only if that agrees with the declaration in the system headers.
AC_CHECK_FUNCS([gai_strerror], [
	AC_DEFINE([HAVE_GAI_STRERROR])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

const char *gai_strerror(int);
			]], [[
	char *str;
	str = gai_strerror(0);
			]])],
		[AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
		[Define if gai_strerror() returns const char *])],
		[]
	)
])

AC_SEARCH_LIBS([nanosleep], [rt posix4],
	[AC_DEFINE([HAVE_NANOSLEEP], [1],
	[Some systems put nanosleep outside of libc])]
)

AC_SEARCH_LIBS([clock_gettime], [rt],
	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])]
)
2178
dnl check if we need -D_REENTRANT for localtime_r declaration.
dnl The second attempt clears the cached result first so that the check is
dnl really repeated; -D_REENTRANT is kept in CPPFLAGS only if it helped.
AC_CHECK_DECL([localtime_r],
	[],
	[
		saved_CPPFLAGS="$CPPFLAGS"
		CPPFLAGS="$CPPFLAGS -D_REENTRANT"
		unset ac_cv_have_decl_localtime_r
		AC_CHECK_DECL([localtime_r],
			[],
			[ CPPFLAGS="$saved_CPPFLAGS" ],
			[ #include <time.h> ]
		)
	],
	[ #include <time.h> ]
)

dnl Make sure prototypes are defined for these before using them.
dnl strsep is only looked for as a function when a declaration exists.
AC_CHECK_DECL([strsep],
	[AC_CHECK_FUNCS([strsep])],
	[],
	[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
	]
)

dnl tcsendbreak might be a macro
AC_CHECK_DECL([tcsendbreak],
	[AC_DEFINE([HAVE_TCSENDBREAK])],
	[AC_CHECK_FUNCS([tcsendbreak])],
	[#include <termios.h>]
)
2208
dnl Declaration probes.  Each one records whether the named symbols are
dnl declared by the headers listed in its last argument.
AC_CHECK_DECLS([h_errno], [], [], [#include <netdb.h>])

AC_CHECK_DECLS([SHUT_RD, getpeereid], [], [],
	[
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([O_NONBLOCK], [], [],
	[
#include <sys/types.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#endif
	])

AC_CHECK_DECLS([ftruncate, getentropy], [], [],
	[
#include <sys/types.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([readv, writev], [], [], [
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
	])

AC_CHECK_DECLS([MAXSYMLINKS], [], [], [
#include <sys/param.h>
	])

AC_CHECK_DECLS([offsetof], [], [], [
#include <stddef.h>
	])

# extra bits for select(2)
AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
#include <sys/sysmacros.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
AC_CHECK_TYPES([fd_mask], [], [], [[
#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
	]])
2279
dnl setresuid is one of the calls used to change user identity, so a stub
dnl that only returns ENOSYS must not be mistaken for a working one.  The
dnl probe looks at errno alone; a failure for any other reason, for example
dnl when configure runs unprivileged, still counts as working.
AC_CHECK_FUNCS([setresuid], [
	dnl Some platforms have setresuid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresuid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresuid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_DEFINE([BROKEN_SETRESUID], [1],
			[Define if your setresuid() is broken])
			AC_MSG_RESULT([not implemented])
		],
		[
			AC_MSG_WARN([cross compiling: not checking setresuid])
		]
	)
])
2303
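dnl setresgid counterpart of the setresuid probe: a stub that only returns
dnl ENOSYS is reported as broken.  The probe looks at errno alone, so a
dnl failure for any other reason still counts as working.  The cross
dnl compiling warning names setresgid, the function this block checks.
AC_CHECK_FUNCS([setresgid], [
	dnl Some platforms have setresgid that isn't implemented, test for this
	AC_MSG_CHECKING([if setresgid seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
		]], [[
	errno=0;
	setresgid(0,0,0);
	if (errno==ENOSYS)
		exit(1);
	else
		exit(0);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_DEFINE([BROKEN_SETRESGID], [1],
			[Define if your setresgid() is broken])
		 AC_MSG_RESULT([not implemented])],
		[AC_MSG_WARN([cross compiling: not checking setresgid])]
	)
])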
2327
dnl Run a program that calls fflush on a NULL stream.  If it does not
dnl build, run and exit with status 0, FFLUSH_NULL_BUG is defined.
AC_MSG_CHECKING([for working fflush(NULL)])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM(
		[[
#include <stdio.h>
#include <stdlib.h>
		]],
		[[fflush(NULL); exit(0);]])],
	[
		AC_MSG_RESULT([yes])
	],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([FFLUSH_NULL_BUG], [1],
	    [define if fflush(NULL) does not work])
	],
	[
		AC_MSG_WARN([cross compiling: assuming working])
	]
)
2341
dnl    Checks for time functions
AC_CHECK_FUNCS([gettimeofday time])
dnl    Checks for utmp functions
AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
AC_CHECK_FUNCS([utmpname])
dnl    Checks for utmpx functions
AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
dnl    Checks for lastlog functions
AC_CHECK_FUNCS([getlastlogxbyname])

dnl daemon: use the default libraries when they provide it, otherwise try
dnl libbsd and add it to LIBS.
AC_CHECK_FUNC([daemon],
	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
	[AC_CHECK_LIB([bsd], [daemon],
		[
			LIBS="$LIBS -lbsd"
			AC_DEFINE([HAVE_DAEMON])
		])]
)

dnl getpagesize: same pattern, with libucb as the fallback library.
AC_CHECK_FUNC([getpagesize],
	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
		[Define if your libraries define getpagesize()])],
	[AC_CHECK_LIB([ucb], [getpagesize],
		[
			LIBS="$LIBS -lucb"
			AC_DEFINE([HAVE_GETPAGESIZE])
		])]
)
2365
# Check for broken snprintf
# Either failure below defines BROKEN_SNPRINTF.  The first probe matters for
# memory safety: it verifies that output truncated to the buffer size is
# still NUL-terminated.  The second checks that the z length modifier is
# understood.  Neither probe can run when cross compiling, in which case a
# working snprintf is assumed.
if test "x$ac_cv_func_snprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM(
			[[
#include <stdio.h>
#include <stdlib.h>
			]],
			[[
	char b[5];
	snprintf(b,5,"123456789");
	exit(b[4]!='\0');
			]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
		],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)

	AC_MSG_CHECKING([whether snprintf understands %zu])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM(
			[[
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
			]],
			[[
	size_t a = 1, b = 2;
	char z[128];
	snprintf(z, sizeof z, "%zu%zu", a, b);
	exit(strcmp(z, "12"));
			]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[snprintf does not understand %zu])
		],
		[AC_MSG_WARN([cross compiling: Assuming working snprintf()])]
	)
fi
2414
# We depend on vsnprintf returning the right thing on overflow: the
# number of characters it tried to create (as per SUSv3)
# The probe formats an 11 character string into a 1 byte buffer and into a
# NULL buffer of size 0, and expects 11 back both times.  An implementation
# that reports something else would mislead any caller that sizes a buffer
# or detects truncation from the return value.
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM(
			[[
#include <sys/types.h>
#include <stdio.h>
#include <stdarg.h>

int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
	size_t ret;
	va_list ap;

	va_start(ap, fmt);
	ret = vsnprintf(str, count, fmt, ap);
	va_end(ap);
	return ret;
}
			]],
			[[
char x[1];
if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
	return 1;
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
	return 1;
return 0;
			]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_SNPRINTF], [1],
				[Define if your snprintf is busted])
			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
		],
		[AC_MSG_WARN([cross compiling: Assuming working vsnprintf()])]
	)
fi
2453
# On systems where [v]snprintf is broken, but is declared in stdio,
# check that the fmt argument is const char * or just char *.
# This is only useful for when BROKEN_SNPRINTF
# The probe redefines snprintf with a const format parameter; it compiles
# only if that does not conflict with the declaration in stdio.h.
AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
AC_COMPILE_IFELSE(
	[AC_LANG_PROGRAM(
		[[
#include <stdio.h>
int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
		]],
		[[
	snprintf(0, 0, 0);
		]])],
	[
		AC_MSG_RESULT([yes])
		AC_DEFINE([SNPRINTF_CONST], [const],
              [Define as const if snprintf() can declare const char *fmt])
	],
	[
		AC_MSG_RESULT([no])
		AC_DEFINE([SNPRINTF_CONST], [/* not const */])
	]
)
2469
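# Check for missing getpeereid (or equiv) support
# NO_PEERCHECK=1 records that none of getpeereid, getpeerucred or
# SO_PEERCRED was found, which leaves no way to identify the process at the
# other end of a local socket.  How that is reported is decided later in
# the file.
# The two function results are combined with && between separate test
# commands, as elsewhere in this file, instead of the obsolescent -a operator.
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" && \
    test "x$ac_cv_func_getpeerucred" != "xyes"; then
	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
		],
		[
			AC_MSG_RESULT([no])
			NO_PEERCHECK=1
		]
	)
fi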
2483
dnl make sure that openpty does not reacquire controlling terminal
dnl The child starts a new session, calls openpty and then tries to open
dnl /dev/tty.  If that open succeeds the pty became the controlling terminal
dnl and SSHD_ACQUIRES_CTTY is defined.  The probe runs only when
dnl check_for_openpty_ctty_bug was set earlier in the file.
if test -n "$check_for_openpty_ctty_bug"; then
	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM(
			[[
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef HAVE_PTY_H
# include <pty.h>
#endif
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
			]],
			[[
	pid_t pid;
	int fd, ptyfd, ttyfd, status;

	pid = fork();
	if (pid < 0) {		/* failed */
		exit(1);
	} else if (pid > 0) {	/* parent */
		waitpid(pid, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		else
			exit(2);
	} else {		/* child */
		close(0); close(1); close(2);
		setsid();
		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
		if (fd >= 0)
			exit(3);	/* Acquired ctty: broken */
		else
			exit(0);	/* Did not acquire ctty: OK */
	}
			]])],
		[AC_MSG_RESULT([yes])],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([SSHD_ACQUIRES_CTTY])
		],
		[AC_MSG_RESULT([cross-compiling, assuming yes])]
	)
fi
2534
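# HP-UX getaddrinfo probe, run only when check_for_hpux_broken_getaddrinfo
# was set earlier in the file.  For every AF_INET6 result of a passive
# lookup the program formats the address with getnameinfo and tries to bind
# a socket to it; a getnameinfo failure or EBADF from bind marks getaddrinfo
# as broken.
# string.h is included for memset.  Without the declaration a compiler that
# rejects implicit function declarations cannot build the probe, and a probe
# that fails to build is reported as a broken getaddrinfo.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming yes])
		]
	)
fi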
2603
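# AIX getaddrinfo probe, run only when check_for_aix_broken_getaddrinfo was
# set earlier in the file.  Only a getnameinfo failure on an AF_INET result
# marks getaddrinfo as broken; on success AIX_GETNAMEINFO_HACK is defined.
# string.h is included for memset.  Without the declaration a compiler that
# rejects implicit function declarations cannot build the probe, and a probe
# that fails to build is reported as a broken getaddrinfo.
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING([if getaddrinfo seems to work])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"
		]], [[
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
				[Define if you have a getaddrinfo that fails
				for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([BROKEN_GETADDRINFO])
		],
		[
			AC_MSG_RESULT([cross-compiling, assuming no])
		]
	)
fi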
2663
# AI_NUMERICSERV is only looked for when getaddrinfo itself was found.
if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
	    [#include <sys/types.h>
	     #include <sys/socket.h>
	     #include <netdb.h>])
fi

# A program that includes shadow.h together with stdlib.h must compile; if
# it does not, the headers are taken to carry conflicting getspnam
# definitions.  Note that the result strings are inverted with respect to
# the compile outcome because the question asked is "is there a conflict".
if test "x$check_for_conflicting_getspnam" = "x1"; then
	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM(
			[[
#include <shadow.h>
#include <stdlib.h>
			]],
			[[ exit(0); ]])],
		[AC_MSG_RESULT([no])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
			    [Conflicting defs for getspnam])
		]
	)
fi
2688
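dnl NetBSD added an strnvis and unfortunately made it incompatible with the
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
dnl for over ten years). Despite this incompatibility being reported during
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
dnl implementation.  Try to detect this mess, and assume the only safe option
dnl if we're cross compiling.
dnl
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
dnl
dnl The two signatures swap the source pointer and the destination length,
dnl so calling one variant with the argument order of the other hands a
dnl pointer where a length is expected.  The probe therefore treats a failed
dnl build, a wrong result and a SIGSEGV alike as broken, and a cross build
dnl assumes broken as well.  The final statement of the test body carries
dnl its own semicolon instead of relying on the one the program wrapper adds.
if test "x$ac_cv_func_strnvis" = "xyes"; then
	AC_MSG_CHECKING([for working strnvis])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
		]], [[
	char dst[16];

	signal(SIGSEGV, sighandler);
	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
		exit(0);
	exit(1);
		]])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
		[AC_MSG_WARN([cross compiling: assuming broken])
		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
	)
fi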
2724
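dnl Does a signal whose handler was installed with SA_RESTART still make
dnl select return?  The parent blocks in select; the child sends SIGTERM
dnl after a second and, if the parent is still there a second later, kills
dnl it.  A select that returns -1 means yes.
dnl
dnl The guard uses HAVE_SYS_SELECT_H, the name the other probes in this file
dnl test, so that sys/select.h is really included where it exists.  sa_mask
dnl is emptied before sigaction is called so that the installed mask does
dnl not depend on whatever the stack happened to contain.
AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
static void sighandler(int sig) { }
		]], [[
	int r;
	pid_t pid;
	struct sigaction sa;

	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	sigemptyset(&sa.sa_mask);
	(void)sigaction(SIGTERM, &sa, NULL);
	if ((pid = fork()) == 0) { /* child */
		pid = getppid();
		sleep(1);
		kill(pid, SIGTERM);
		sleep(1);
		if (getppid() == pid) /* if parent did not exit, shoot it */
			kill(pid, SIGKILL);
		exit(0);
	} else { /* parent */
		r = select(0, NULL, NULL, NULL, NULL);
	}
	exit(r == -1 ? 0 : 1);
	]])],
	[AC_MSG_RESULT([yes])],
	[AC_MSG_RESULT([no])
	 AC_DEFINE([NO_SA_RESTART], [1],
	    [SA_RESTARTed signals do no interrupt select])],
	[AC_MSG_WARN([cross compiling: assuming yes])]
)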
2764
dnl getpgrp exists in a zero-argument and a one-argument form.  GETPGRP_VOID
dnl is 1 when a call without arguments compiles and 0 otherwise.
AC_CHECK_FUNCS([getpgrp], [
	AC_MSG_CHECKING([if getpgrp accepts zero args])
	AC_COMPILE_IFELSE(
		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])
		]
	)
])
2775
# Search for OpenSSL
# The flags are saved first; --with-ssl-dir then prepends the chosen tree to
# the library, include and openssl binary search paths.
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
openssl_bin_PATH="$PATH"
AC_ARG_WITH([ssl-dir],
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$openssl" = "xno" ; then
			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
		fi
		if test "x$withval" != "xno" ; then
			# Relative paths are anchored at the current directory.
			case "$withval" in
			./*|../*)
				withval="`pwd`/$withval"
				;;
			esac
			# Prefer lib, then lib64; otherwise assume a tree that
			# was built but not installed.
			libcrypto_path="${withval}"
			if test -d "$withval/lib"; then
				libcrypto_path="${withval}/lib"
			elif test -d "$withval/lib64"; then
				libcrypto_path="$withval/lib64"
			fi
			# NOTE(review): when rpath_opt is set, presumably to the
			# linker's run-time search path option, libcrypto_path
			# is recorded in the linked programs.  The directory
			# should then be writable by trusted users only, which
			# an uninstalled build tree often is not.
			if test -n "${rpath_opt}"; then
				LDFLAGS="-L${libcrypto_path} ${rpath_opt}${libcrypto_path} ${LDFLAGS}"
			else
				LDFLAGS="-L${libcrypto_path} ${LDFLAGS}"
			fi
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
			dnl Ensure specified openssl binary works, eg it can
			dnl find its runtime libraries, before trying to use.
			# The candidate binary is executed here, during configure.
			if test -x "${withval}/bin/openssl" && \
			    "${withval}/bin/openssl" version >/dev/null 2>&1; then
				openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
			elif test -x "${withval}/apps/openssl" && \
			    "${withval}/apps/openssl" version >/dev/null 2>&1; then
				openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
			fi
		fi
	]
)
AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])
AC_SUBST(OPENSSL_BIN, [${openssl_bin}])
2823
dnl --without-openssl-header-check sets openssl_check_nonfatal, which turns
dnl a mismatch between the OpenSSL headers and the library from an error
dnl into a warning further down.  The variable is not initialised here.
AC_ARG_WITH([openssl-header-check],
	[  --without-openssl-header-check Disable OpenSSL version consistency check],
	[
		case "x$withval" in
		xno)	openssl_check_nonfatal=1 ;;
		esac
	]
)

dnl ENGINE support is off by default and cannot be requested when OpenSSL
dnl itself is disabled.
openssl_engine=no
AC_ARG_WITH([ssl-engine],
	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$openssl" = "xno" ; then
				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
			fi
			openssl_engine=yes
		fi
	]
)
2845
2846nocrypto_saved_LIBS="$LIBS"
2847if test "x$openssl" = "xyes" ; then
2848	LIBS="-lcrypto $LIBS"
2849	CHANNELLIBS="-lcrypto $CHANNELLIBS"
2850	AC_TRY_LINK_FUNC([RAND_add], ,
2851	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2852	AC_CHECK_HEADER([openssl/opensslv.h], ,
2853	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2854
2855	# Determine OpenSSL header version
2856	AC_MSG_CHECKING([OpenSSL header version])
2857	AC_RUN_IFELSE(
2858		[AC_LANG_PROGRAM([[
2859	#include <stdlib.h>
2860	#include <stdio.h>
2861	#include <string.h>
2862	#include <openssl/opensslv.h>
2863	#define DATA "conftest.sslincver"
2864		]], [[
2865		FILE *fd;
2866		int rc;
2867
2868		fd = fopen(DATA,"w");
2869		if(fd == NULL)
2870			exit(1);
2871
2872		if ((rc = fprintf(fd, "%08lx (%s)\n",
2873		    (unsigned long)OPENSSL_VERSION_NUMBER,
2874		     OPENSSL_VERSION_TEXT)) < 0)
2875			exit(1);
2876
2877		exit(0);
2878		]])],
2879		[
2880			ssl_header_ver=`cat conftest.sslincver`
2881			AC_MSG_RESULT([$ssl_header_ver])
2882		],
2883		[
2884			AC_MSG_RESULT([failed])
2885			AC_MSG_ERROR([OpenSSL version test program failed.])
2886		],
2887		[
2888			AC_MSG_WARN([cross compiling: not checking])
2889		]
2890	)
2891
2892	# Determining OpenSSL library version is version dependent.
2893	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2894
2895	# Determine OpenSSL library version
2896	AC_MSG_CHECKING([OpenSSL library version])
2897	AC_RUN_IFELSE(
2898		[AC_LANG_PROGRAM([[
2899	#include <stdio.h>
2900	#include <stdlib.h>
2901	#include <string.h>
2902	#include <openssl/opensslv.h>
2903	#include <openssl/crypto.h>
2904	#define DATA "conftest.ssllibver"
2905		]], [[
2906		FILE *f;
2907		/* We need these legacy bits to warn for old libcrypto */
2908		#ifndef OPENSSL_VERSION
2909		# define OPENSSL_VERSION SSLEAY_VERSION
2910		#endif
2911		#ifndef HAVE_OPENSSL_VERSION
2912		# define OpenSSL_version       SSLeay_version
2913		#endif
2914		#ifndef HAVE_OPENSSL_VERSION_NUM
2915		# define OpenSSL_version_num   SSLeay
2916		#endif
2917		if ((f = fopen(DATA, "w")) == NULL)
2918			exit(1);
2919		if (fprintf(f, "%08lx (%s)",
2920		    (unsigned long)OpenSSL_version_num(),
2921		    OpenSSL_version(OPENSSL_VERSION)) < 0)
2922			exit(1);
2923#ifdef LIBRESSL_VERSION_NUMBER
2924		if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
2925			exit(1);
2926#endif
2927		if (fputc('\n', f) == EOF || fclose(f) == EOF)
2928			exit(1);
2929		exit(0);
2930		]])],
2931		[
2932			sslver=`cat conftest.ssllibver`
2933			ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
2934			# Check version is supported.
2935			case "$sslver" in
2936			100*|10100*) # 1.0.x, 1.1.0x
2937				AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
2938				;;
2939			101*)   ;; # 1.1.x
2940			200*)   # LibreSSL
2941				lver=`echo "$sslver" | sed 's/.*libressl-//'`
2942				case "$lver" in
2943				2*|300*) # 2.x, 3.0.0
2944					AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
2945					;;
2946				*) ;;	# Assume all other versions are good.
2947				esac
2948				;;
2949			30*)
2950				# OpenSSL 3; we use the 1.1x API
2951				# https://openssl.org/policies/general/versioning-policy.html
2952				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2953				;;
2954		        *)
2955				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
2956		                ;;
2957			esac
2958			AC_MSG_RESULT([$ssl_showver])
2959		],
2960		[
2961			AC_MSG_RESULT([not found])
2962			AC_MSG_ERROR([OpenSSL library not found.])
2963		],
2964		[
2965			AC_MSG_WARN([cross compiling: not checking])
2966		]
2967	)
2968
2969	case "$host" in
2970	x86_64-*)
2971		case "$sslver" in
2972		3000004*)
2973			AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
2974			;;
2975		esac
2976	esac
2977
2978	# Sanity check OpenSSL headers
2979	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2980	AC_RUN_IFELSE(
2981		[AC_LANG_PROGRAM([[
2982	#include <stdlib.h>
2983	#include <string.h>
2984	#include <openssl/opensslv.h>
2985	#include <openssl/crypto.h>
2986		]], [[
2987		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2988		]])],
2989		[
2990			AC_MSG_RESULT([yes])
2991		],
2992		[
2993			AC_MSG_RESULT([no])
2994			if test "x$openssl_check_nonfatal" = "x"; then
2995				AC_MSG_ERROR([Your OpenSSL headers do not match your
2996	library. Check config.log for details.
2997	If you are sure your installation is consistent, you can disable the check
2998	by running "./configure --without-openssl-header-check".
2999	Also see contrib/findssl.sh for help identifying header/library mismatches.
3000	])
3001			else
3002				AC_MSG_WARN([Your OpenSSL headers do not match your
3003	library. Check config.log for details.
3004	Also see contrib/findssl.sh for help identifying header/library mismatches.])
3005			fi
3006		],
3007		[
3008			AC_MSG_WARN([cross compiling: not checking])
3009		]
3010	)
3011
3012	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
3013	AC_LINK_IFELSE(
3014		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
3015		[[ ERR_load_crypto_strings(); ]])],
3016		[
3017			AC_MSG_RESULT([yes])
3018		],
3019		[
3020			AC_MSG_RESULT([no])
3021			LIBS="$LIBS -ldl"
3022			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
3023			AC_LINK_IFELSE(
3024				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
3025				[[ ERR_load_crypto_strings(); ]])],
3026				[
3027					AC_MSG_RESULT([yes])
3028					CHANNELLIBS="$CHANNELLIBS -ldl"
3029				],
3030				[
3031					AC_MSG_RESULT([no])
3032				]
3033			)
3034		]
3035	)
3036
3037	AC_CHECK_FUNCS([ \
3038		BN_is_prime_ex \
3039		DES_crypt \
3040		DSA_generate_parameters_ex \
3041		EVP_DigestSign \
3042		EVP_DigestVerify \
3043		EVP_DigestFinal_ex \
3044		EVP_DigestInit_ex \
3045		EVP_MD_CTX_cleanup \
3046		EVP_MD_CTX_copy_ex \
3047		EVP_MD_CTX_init \
3048		HMAC_CTX_init \
3049		RSA_generate_key_ex \
3050		RSA_get_default_method \
3051	])
3052
3053	# OpenSSL_add_all_algorithms may be a macro.
3054	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
3055	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
3056	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
3057		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
3058		[[#include <openssl/evp.h>]]
3059	    )
3060	)
3061
3062	# LibreSSL/OpenSSL API differences
3063	AC_CHECK_FUNCS([ \
3064		EVP_CIPHER_CTX_iv \
3065		EVP_CIPHER_CTX_iv_noconst \
3066		EVP_CIPHER_CTX_get_iv \
3067		EVP_CIPHER_CTX_get_updated_iv \
3068		EVP_CIPHER_CTX_set_iv \
3069	])
3070
3071	if test "x$openssl_engine" = "xyes" ; then
3072		AC_MSG_CHECKING([for OpenSSL ENGINE support])
3073		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3074	#include <openssl/engine.h>
3075			]], [[
3076				ENGINE_load_builtin_engines();
3077				ENGINE_register_all_complete();
3078			]])],
3079			[ AC_MSG_RESULT([yes])
3080			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
3081			     [Enable OpenSSL engine support])
3082			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
3083		])
3084	fi
3085
3086	# Check for OpenSSL without EVP_aes_{192,256}_cbc
3087	AC_MSG_CHECKING([whether OpenSSL lacks support for AES 192/256])
3088	AC_LINK_IFELSE(
3089		[AC_LANG_PROGRAM([[
3090	#include <stdlib.h>
3091	#include <string.h>
3092	#include <openssl/evp.h>
3093		]], [[
3094		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
3095		]])],
3096		[
3097			AC_MSG_RESULT([no])
3098		],
3099		[
3100			AC_MSG_RESULT([yes])
3101			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
3102			    [libcrypto is missing AES 192 and 256 bit functions])
3103		]
3104	)
3105
	# The test program uses EVP_DigestUpdate as an if-condition, which only
	# builds when the function returns a value; a void return makes the
	# build fail and selects OPENSSL_EVP_DIGESTUPDATE_VOID.  The program is
	# linked but never run, so the NULL arguments are never dereferenced.
	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/evp.h>
		]], [[
		if(EVP_DigestUpdate(NULL, NULL,0))
			exit(0);
		]])],
		[
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
			    [Define if EVP_DigestUpdate returns void])
		]
	)
3125
3126	# Check for various EVP support in OpenSSL
3127	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
3128
	# Check complete ECC support in OpenSSL
	# A curve is enabled only when its NID and the hash paired with it
	# both compile and link; the test program is not executed.
	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
		]], [[
		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
		const EVP_MD *m = EVP_sha256(); /* We need this too */
		]])],
		[ AC_MSG_RESULT([yes])
		  enable_nistp256=1 ],
		[ AC_MSG_RESULT([no]) ]
	)
3147
	# Link-only probe for NID_secp384r1 together with SHA-384; on success
	# enable_nistp384 is set to 1, otherwise it is left untouched.
	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
		]], [[
		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
		const EVP_MD *m = EVP_sha384(); /* We need this too */
		]])],
		[ AC_MSG_RESULT([yes])
		  enable_nistp384=1 ],
		[ AC_MSG_RESULT([no]) ]
	)
3165
	# P-521 gets an extra step: once the link test succeeds, a small
	# program is run to confirm that the curve and SHA-512 are usable
	# (both calls must return non-NULL).  When cross-compiling the program
	# cannot be run and the curve is assumed to work.
	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
		]], [[
		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
		const EVP_MD *m = EVP_sha512(); /* We need this too */
		]])],
		[ AC_MSG_RESULT([yes])
		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
		  AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <openssl/ec.h>
	#include <openssl/ecdh.h>
	#include <openssl/ecdsa.h>
	#include <openssl/evp.h>
	#include <openssl/objects.h>
	#include <openssl/opensslv.h>
			]],[[
			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
			const EVP_MD *m = EVP_sha512(); /* We need this too */
			exit(e == NULL || m == NULL);
			]])],
			[ AC_MSG_RESULT([yes])
			  enable_nistp521=1 ],
			[ AC_MSG_RESULT([no]) ],
			[ AC_MSG_WARN([cross-compiling: assuming yes])
			  enable_nistp521=1 ]
		  )],
		AC_MSG_RESULT([no])
	)
3203
3204	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3205	    test x$enable_nistp521 = x1; then
3206		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3207		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3208		openssl_ecc=yes
3209	else
3210		openssl_ecc=no
3211	fi
3212	if test x$enable_nistp256 = x1; then
3213		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3214		    [libcrypto has NID_X9_62_prime256v1])
3215	else
3216		unsupported_algorithms="$unsupported_algorithms \
3217			ecdsa-sha2-nistp256 \
3218			ecdh-sha2-nistp256 \
3219			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3220	fi
3221	if test x$enable_nistp384 = x1; then
3222		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3223	else
3224		unsupported_algorithms="$unsupported_algorithms \
3225			ecdsa-sha2-nistp384 \
3226			ecdh-sha2-nistp384 \
3227			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3228	fi
3229	if test x$enable_nistp521 = x1; then
3230		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3231	else
3232		unsupported_algorithms="$unsupported_algorithms \
3233			ecdh-sha2-nistp521 \
3234			ecdsa-sha2-nistp521 \
3235			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3236	fi
3237
	# Check libcrypto ED25519 support
	# The probe below is link-only: it shows that the raw-key constructor
	# and the EVP_PKEY_ED25519 identifier are available.  The program is
	# never executed, so its exit status and the 64-byte zero buffer it
	# passes as key material play no part in the result.
	AC_CHECK_FUNCS([EVP_PKEY_get_raw_public_key])
	AC_CHECK_FUNCS([EVP_PKEY_get_raw_private_key])
	AC_MSG_CHECKING([whether OpenSSL has ED25519 support])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <string.h>
	#include <openssl/evp.h>
		]], [[
		unsigned char buf[64];
		memset(buf, 0, sizeof(buf));
		exit(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
		    buf, sizeof(buf)) == NULL);
		]])],
		[
			AC_MSG_RESULT([yes])
			AC_DEFINE([OPENSSL_HAS_ED25519], [1],
			    [libcrypto has ed25519 support])
		],
		[
			AC_MSG_RESULT([no])
		]
	)
3261
	# DSA stays off unless the builder asked for it (enable_dsa non-empty,
	# set outside this part of the file).  When asked, it is accepted only
	# if neither OPENSSL_NO_DSA nor OPENSSL_IS_BORINGSSL is declared by
	# <openssl/opensslconf.h>; otherwise configure stops with an error
	# rather than quietly building without the requested key type.
	openssl_dsa=no
	if test ! -z "$enable_dsa" ; then
		AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
			AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
			    [ openssl_dsa=yes ],
			    [ #include <openssl/opensslconf.h> ]
			)
		    ],
		    [ #include <openssl/opensslconf.h> ]
		)
		AC_MSG_CHECKING([whether to enable DSA key support])
		if test "x$openssl_dsa" = "xno"; then
			AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
		else
			AC_MSG_RESULT([yes])
			AC_DEFINE([WITH_DSA], [1],
			   [DSA keys explicitly enabled])
		fi
	fi
3281fi
3282
# PKCS#11 needs libcrypto; PKCS#11 and security-key (U2F) support both need
# dlopen() and RTLD_NOW.  Both start as "yes" and every unmet requirement
# overwrites the value with its reason, so the last failing check is the one
# reported and an explicit opt-out by the builder overrides everything.
enable_pkcs11=yes
enable_sk=yes
test "x$openssl" = "xyes" || enable_pkcs11="disabled; missing libcrypto"
case "x$ac_cv_func_dlopen" in
xyes)
	;;
*)
	enable_pkcs11="disabled; missing dlopen(3)"
	enable_sk="disabled; missing dlopen(3)"
	;;
esac
case "x$ac_cv_have_decl_RTLD_NOW" in
xyes)
	;;
*)
	enable_pkcs11="disabled; missing RTLD_NOW"
	enable_sk="disabled; missing RTLD_NOW"
	;;
esac
# Any non-empty disable_* value counts as an opt-out.
test -z "$disable_pkcs11" || enable_pkcs11="disabled by user"
test -z "$disable_sk" || enable_sk="disabled by user"
3303
# Report the PKCS#11 decision.  The define is emitted only for a plain
# "yes"; any other value is the human-readable reason, printed as the result.
AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])
3309
# Report the security-key decision.  When enabled, SK_DUMMY_LIBRARY is
# substituted with the path of the regress sk-dummy shared object; otherwise
# the substitution is left empty.
AC_MSG_CHECKING([whether to enable U2F])
if test "x$enable_sk" = "xyes" ; then
	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
else
	# Do not try to build sk-dummy library.
	AC_SUBST(SK_DUMMY_LIBRARY, [""])
fi
AC_MSG_RESULT([$enable_sk])
3319
# Now check for built-in security key support.
# Runs only when security keys are enabled and the internal implementation
# has not been switched off (enable_sk_internal is set outside this part of
# the file).  A missing library or header is fatal only when the internal
# implementation was explicitly requested; otherwise LIBFIDO2 is cleared.
if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
	use_pkgconfig_for_libfido2=
	if test "x$PKGCONFIG" != "xno"; then
		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
		if "$PKGCONFIG" libfido2; then
			AC_MSG_RESULT([yes])
			use_pkgconfig_for_libfido2=yes
		else
			AC_MSG_RESULT([no])
		fi
	fi
	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
		# Linker and preprocessor flags are taken verbatim from the
		# pkg-config output.
		LIBFIDO2=`$PKGCONFIG --libs libfido2`
		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
	else
		LIBFIDO2="-lprivatefido2 -lprivatecbor"
	fi
	# NOTE(review): the sed expression strips "-lfido2", but the library
	# probed below is privatefido2, so with the fallback flags above
	# nothing is removed.  Confirm the pkg-config path is still expected
	# to pass the library check.
	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
	fido2_error=
	AC_CHECK_LIB([privatefido2], [fido_init],
		[ ],
		[ fido2_error="missing/unusable libfido2" ],
		[ $OTHERLIBS ]
	)
	AC_CHECK_HEADER([fido.h], [],
		[ fido2_error="missing fido.h from libfido2" ])
	AC_CHECK_HEADER([fido/credman.h], [],
		[ fido2_error="missing fido/credman.h from libfido2" ],
		[ #include <fido.h> ]
	)
	AC_MSG_CHECKING([for usable libfido2 installation])
	if test ! -z "$fido2_error" ; then
		AC_MSG_RESULT([$fido2_error])
		if test "x$enable_sk_internal" = "xyes" ; then
			AC_MSG_ERROR([No usable libfido2 library/headers found])
		fi
		LIBFIDO2=""
	else
		AC_MSG_RESULT([yes])
		AC_SUBST([LIBFIDO2])
		AC_DEFINE([ENABLE_SK_INTERNAL], [],
		    [Enable for built-in U2F/FIDO support])
		enable_sk="built-in"
		# Probe optional libfido2 entry points with the library
		# temporarily added to LIBS; LIBS is restored afterwards.
		saved_LIBS="$LIBS"
		LIBS="$LIBFIDO2 $LIBS"
		AC_CHECK_FUNCS([ \
			fido_assert_set_clientdata \
			fido_cred_prot \
			fido_cred_set_prot \
			fido_cred_set_clientdata \
			fido_dev_get_touch_begin \
			fido_dev_get_touch_status \
			fido_dev_supports_cred_prot \
			fido_dev_is_winhello \
		])
		LIBS="$saved_LIBS"
	fi
fi
3379
3380AC_CHECK_FUNCS([ \
3381	arc4random \
3382	arc4random_buf \
3383	arc4random_stir \
3384	arc4random_uniform \
3385])
3386### Configure cryptographic random number support
3387
# Check whether OpenSSL seeds itself
# The test program is executed on the build host and succeeds only when
# RAND_status() reports 1.  A "no" leaves OPENSSL_SEEDS_ITSELF unset, which
# makes the PRNGD/EGD socket search and the source selection further down
# look for another entropy source.
if test "x$openssl" = "xyes" ; then
	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
	AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
	#include <stdlib.h>
	#include <string.h>
	#include <openssl/rand.h>
		]], [[
		exit(RAND_status() == 1 ? 0 : 1);
		]])],
		[
			OPENSSL_SEEDS_ITSELF=yes
			AC_MSG_RESULT([yes])
		],
		[
			AC_MSG_RESULT([no])
		],
		[
			AC_MSG_WARN([cross compiling: assuming yes])
			# This is safe, since we will fatal() at runtime if
			# OpenSSL is not seeded correctly.
			OPENSSL_SEEDS_ITSELF=yes
		]
	)
fi
3414
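# PRNGD TCP socket
# The port is written verbatim into config.h as PRNGD_PORT, so accept only a
# value made up entirely of decimal digits.  "no" clears the option; an empty
# value or anything containing a non-digit is rejected, including values
# that merely start with a digit.
AC_ARG_WITH([prngd-port],
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		""|*[[!0-9]]*)
			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
			;;
		*)
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
				[Port number of PRNGD/EGD random number socket])
		fi
	]
)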
3436
# PRNGD Unix domain socket
# An explicit path must be absolute and is written into config.h as a C
# string; it may not be combined with --with-prngd-port.  A socket that is
# not readable at configure time only produces a warning.
# Without the option, a fixed list of well-known locations is searched, but
# only when OpenSSL was not found to seed itself.
AC_ARG_WITH([prngd-socket],
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)
			withval="/var/run/egd-pool"
			;;
		no)
			withval=""
			;;
		/*)
			;;
		*)
			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
			;;
		esac

		if test ! -z "$withval" ; then
			if test ! -z "$PRNGD_PORT" ; then
				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
			fi
			if test ! -r "$withval" ; then
				AC_MSG_WARN([Entropy socket is not readable])
			fi
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
				[Location of PRNGD/EGD random number socket])
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already
		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
			AC_MSG_CHECKING([for PRNGD/EGD socket])
			# Insert other locations here
			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
					PRNGD_SOCKET="$sock"
					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
					break;
				fi
			done
			if test ! -z "$PRNGD_SOCKET" ; then
				AC_MSG_RESULT([$PRNGD_SOCKET])
			else
				AC_MSG_RESULT([not found])
			fi
		fi
	]
)
3487
# Pick the entropy source to build for and to report, in priority order:
# an explicit PRNGD/EGD port, then a PRNGD/EGD socket, then OpenSSL's own
# seeding.  A build without OpenSSL falls back to /dev/urandom with a
# warning; anything else is a hard configure error.
if test -n "$PRNGD_PORT" ; then
	RAND_MSG="PRNGd port $PRNGD_PORT"
elif test -n "$PRNGD_SOCKET" ; then
	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test -n "$OPENSSL_SEEDS_ITSELF" ; then
	RAND_MSG="OpenSSL internal ONLY"
	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		[Define if you want the OpenSSL internally seeded PRNG only])
elif test "x$openssl" = "xno" ; then
	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
3502LIBS="$nocrypto_saved_LIBS"
3503
3504saved_LIBS="$LIBS"
3505AC_CHECK_LIB([iaf], [ia_openinfo], [
3506	LIBS="$LIBS -liaf"
3507	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3508				AC_DEFINE([HAVE_LIBIAF], [1],
3509			[Define if system has libiaf that supports set_id])
3510				])
3511])
3512LIBS="$saved_LIBS"
3513
# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
# LIBS is extended only for the function probe and then restored, so the
# library ends up in SSHDLIBS alone.
saved_LIBS="$LIBS"
AC_CHECK_LIB([crypt], [crypt], [
	LIBS="-lcrypt $LIBS"
	SSHDLIBS="-lcrypt $SSHDLIBS"
])
AC_CHECK_FUNCS([crypt])
LIBS="$saved_LIBS"
3522
# Check for PAM libs
# PAM is opt-in.  When requested, configure requires one of the PAM headers
# and libpam itself, records USE_PAM, and adds -lpam to SSHDLIBS rather than
# to LIBS, which is restored after the probes.  -ldl is added to SSHDLIBS as
# well when dlopen was found in libdl and LIBS does not already carry it.
PAM_MSG="no"
AC_ARG_WITH([pam],
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			saved_LIBS="$LIBS"
			AC_CHECK_LIB([dl], [dlopen], , )
			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
			AC_CHECK_FUNCS([pam_getenvlist])
			AC_CHECK_FUNCS([pam_putenv])
			LIBS="$saved_LIBS"

			PAM_MSG="yes"

			SSHDLIBS="$SSHDLIBS -lpam"
			AC_DEFINE([USE_PAM], [1],
				[Define if you want to enable PAM support])

			if test $ac_cv_lib_dl_dlopen = yes; then
				case "$LIBS" in
				*-ldl*)
					# libdl already in LIBS
					;;
				*)
					SSHDLIBS="$SSHDLIBS -ldl"
					;;
				esac
			fi
		fi
	]
)
3560
# The service name is pasted into config.h inside a C string literal with no
# further validation, so it should be a plain identifier-like name.  The bare
# forms --with-pam-service and --without-pam-service leave the define unset.
AC_ARG_WITH([pam-service],
	[  --with-pam-service=name Specify PAM service name ],
	[
		if test "x$withval" != "xno" && \
		   test "x$withval" != "xyes" ; then
			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
				["$withval"], [sshd PAM service name])
		fi
	]
)
3571
# Check for older PAM
# Only relevant when PAM was enabled above.  The two-argument call is
# compiled against the installed header; if that does not compile, the
# one-argument (old) prototype is assumed and HAVE_OLD_PAM is defined.
if test "x$PAM_MSG" = "xyes" ; then
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		]], [[
(void)pam_strerror((pam_handle_t *)NULL, -1);
		]])], [AC_MSG_RESULT([no])], [
			AC_DEFINE([HAVE_OLD_PAM], [1],
				[Define if you have an old version of PAM
				which takes only one argument to pam_strerror])
			AC_MSG_RESULT([yes])
			PAM_MSG="yes (old library)"

	])
fi
3594
# Default unprivileged account for privilege separation: "sshd" everywhere
# except Cygwin, where a placeholder name is used instead.
SSH_PRIVSEP_USER=sshd
case "$host" in
*-*-cygwin*)
	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
	;;
esac
# Let the builder override the privilege separation account.  An empty value,
# "yes" and "no" keep the default.  The chosen name is written into config.h
# as a C string without further validation (the Cygwin placeholder is
# written as a bare identifier instead) and is also substituted into the
# generated files.
AC_ARG_WITH([privsep-user],
	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			SSH_PRIVSEP_USER=$withval
		fi
	]
)
if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
		[Cygwin function to fetch non-privileged user for privilege separation])
else
	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
		[non-privileged user for privilege separation])
fi
AC_SUBST([SSH_PRIVSEP_USER])
3620
# seccomp filter prerequisites.  The declaration probe runs only when
# have_linux_no_new_privs is 1 (set outside this part of the file).
if test "x$have_linux_no_new_privs" = "x1" ; then
AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
	#include <sys/types.h>
	#include <linux/seccomp.h>
])
fi
# NOTE(review): the message says the kernel is being checked, but this is a
# link test and the program is never executed.  It confirms that the headers,
# prctl(2) and the seccomp_audit_arch expression build; whether the kernel
# that will run sshd accepts the filter is not established here.
if test "x$have_seccomp_filter" = "x1" ; then
AC_MSG_CHECKING([kernel for seccomp_filter support])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		#include <errno.h>
		#include <elf.h>
		#include <linux/audit.h>
		#include <linux/seccomp.h>
		#include <stdlib.h>
		#include <sys/prctl.h>
	]],
	[[ int i = $seccomp_audit_arch;
	   errno = 0;
	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	   exit(errno == EFAULT ? 0 : 1); ]])],
	[ AC_MSG_RESULT([yes]) ], [
		AC_MSG_RESULT([no])
		# Disable seccomp filter as a target
		have_seccomp_filter=0
	]
)
fi
3648
3649AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
3650#include <sys/types.h>
3651#ifdef HAVE_POLL_H
3652#include <poll.h>
3653#endif
3654#ifdef HAVE_SYS_POLL_H
3655#include <sys/poll.h>
3656#endif
3657]])
3658
3659AC_CHECK_TYPES([nfds_t], , , [
3660#include <sys/types.h>
3661#ifdef HAVE_POLL_H
3662#include <poll.h>
3663#endif
3664#ifdef HAVE_SYS_POLL_H
3665#include <sys/poll.h>
3666#endif
3667])
3668
# Decide which sandbox style to use
# An empty sandbox_arg means auto-detect, and a bare --with-sandbox is
# treated the same way.  Any other value is taken as the requested style and
# checked by the selection chain further down, which also accepts solaris,
# none and null in addition to the styles listed in the help text.
sandbox_arg=""
AC_ARG_WITH([sandbox],
	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
	[
		if test "x$withval" = "xyes" ; then
			sandbox_arg=""
		else
			sandbox_arg="$withval"
		fi
	]
)
3681
3682if test "x$sandbox_arg" != "xno"; then
# POSIX specifies that poll() "shall fail with EINVAL if the nfds argument
# is greater than OPEN_MAX".  On some platforms that includes implementations
# of select in userspace on top of poll(), so check that both work with
# rlimit NOFILES before enabling the rlimit sandbox.
    # The probe opens /dev/null, lowers RLIMIT_FSIZE and RLIMIT_NOFILE to
    # zero, then calls select (and poll where available) on the descriptor
    # that is already open.  The return values of open and setrlimit are not
    # checked by the probe.  Cross builds cannot run it and assume "no".
    AC_MSG_CHECKING([if select and/or poll works with descriptor rlimit])
    AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#ifdef HAVE_POLL_H
# include <poll.h>
#elif HAVE_SYS_POLL_H
# include <sys/poll.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int fd, r;
	fd_set fds;
	struct timeval tv;
#ifdef HAVE_POLL
	struct pollfd pfd;
#endif

	fd = open("/dev/null", O_RDONLY);
	FD_ZERO(&fds);
	FD_SET(fd, &fds);
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	setrlimit(RLIMIT_FSIZE, &rl_zero);
	setrlimit(RLIMIT_NOFILE, &rl_zero);
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	r = select(fd+1, &fds, NULL, NULL, &tv);
	if (r == -1)
		exit(1);
#ifdef HAVE_POLL
	pfd.fd = fd;
	pfd.events = POLLIN;
	r = poll(&pfd, 1, 1);
	if (r == -1)
		exit(2);
#endif
	exit(0);
	]])],
	[AC_MSG_RESULT([yes])
	 select_works_with_rlimit=yes],
	[AC_MSG_RESULT([no])
	 select_works_with_rlimit=no],
	[AC_MSG_WARN([cross compiling: assuming no])
	 select_works_with_rlimit=no]
    )
3742
    # Separate probe: can RLIMIT_NOFILE itself be lowered to zero at all?
    # The result feeds the automatic choice of the rlimit sandbox further
    # down.  Cross builds cannot run the program and assume it works.
    AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
    AC_RUN_IFELSE(
	[AC_LANG_PROGRAM([[
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
#endif
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>
	]],[[
	struct rlimit rl_zero;
	int r;

	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
	exit (r == -1 ? 1 : 0);
	]])],
	[AC_MSG_RESULT([yes])
	 rlimit_nofile_zero_works=yes],
	[AC_MSG_RESULT([no])
	 rlimit_nofile_zero_works=no],
	[AC_MSG_WARN([cross compiling: assuming yes])
	 rlimit_nofile_zero_works=yes]
    )
3768
3769    AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3770    AC_RUN_IFELSE(
3771	[AC_LANG_PROGRAM([[
3772#include <sys/types.h>
3773#include <sys/resource.h>
3774#include <stdlib.h>
3775	]],[[
3776		struct rlimit rl_zero;
3777
3778		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3779		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3780	]])],
3781	[AC_MSG_RESULT([yes])],
3782	[AC_MSG_RESULT([no])
3783	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3784	    [setrlimit RLIMIT_FSIZE works])],
3785	[AC_MSG_WARN([cross compiling: assuming yes])]
3786    )
3787fi
3788
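# Select the privilege separation sandbox.  An explicit --with-sandbox value
# selects that style and stops configure if a prerequisite checked in its
# branch is missing.  With no value, the first style whose prerequisites
# were detected wins, in this order: pledge, systrace, darwin,
# seccomp_filter, capsicum, rlimit, solaris.  If nothing is detected the
# build falls back to no sandbox at all; that case is reported as a warning
# so that an unsandboxed build is a visible outcome rather than a silent one.
if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
	test "x$ac_cv_func_pledge" != "xyes" && \
		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
	SANDBOX_STYLE="pledge"
	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
	test "x$have_systr_policy_kill" != "x1" && \
		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
	SANDBOX_STYLE="systrace"
	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
elif test "x$sandbox_arg" = "xdarwin" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
	     "x$ac_cv_header_sandbox_h" != "xyes" && \
		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
	SANDBOX_STYLE="darwin"
	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
elif test "x$sandbox_arg" = "xseccomp_filter" || \
     ( test -z "$sandbox_arg" && \
       test "x$have_seccomp_filter" = "x1" && \
       test "x$ac_cv_header_elf_h" = "xyes" && \
       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
       test "x$seccomp_audit_arch" != "x" && \
       test "x$have_linux_no_new_privs" = "x1" && \
       test "x$ac_cv_func_prctl" = "xyes" ) ; then
	test "x$seccomp_audit_arch" = "x" && \
		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
	test "x$have_linux_no_new_privs" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
	test "x$have_seccomp_filter" != "x1" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
	test "x$ac_cv_func_prctl" != "xyes" && \
		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
	SANDBOX_STYLE="seccomp_filter"
	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
     ( test -z "$sandbox_arg" && \
       test "x$disable_capsicum" != "xyes" && \
       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
	test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
	test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
	SANDBOX_STYLE="capsicum"
	AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
elif test "x$sandbox_arg" = "xrlimit" || \
     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
       test "x$select_works_with_rlimit" = "xyes" && \
       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
	# NOTE(review): an explicit rlimit request does not re-check
	# rlimit_nofile_zero_works, unlike the automatic path - confirm that
	# this is intended.
	test "x$ac_cv_func_setrlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
	test "x$select_works_with_rlimit" != "xyes" && \
		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
	SANDBOX_STYLE="rlimit"
	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
	SANDBOX_STYLE="solaris"
	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
	# An empty sandbox_arg here means auto-detection found nothing usable,
	# as opposed to the builder asking for no sandbox.
	if test -z "$sandbox_arg" ; then
		AC_MSG_WARN([No usable privilege separation sandbox was detected. Building without one])
	fi
	SANDBOX_STYLE="none"
	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
else
	AC_MSG_ERROR([unsupported --with-sandbox])
fi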
3860
# NEWS-OS workaround: append -liberty to LIBS whenever SONY is non-empty
# (SONY is set outside this part of the file).
case "$SONY" in
"")
	;;
*)
	LIBS="$LIBS -liberty"
	;;
esac
3865
3866# Check for long long datatypes
3867AC_CHECK_TYPES([long long, unsigned long long, long double])
3868
3869# Check datatype sizes
3870AC_CHECK_SIZEOF([short int])
3871AC_CHECK_SIZEOF([int])
3872AC_CHECK_SIZEOF([long int])
3873AC_CHECK_SIZEOF([long long int])
3874AC_CHECK_SIZEOF([time_t], [], [[
3875    #include <sys/types.h>
3876    #ifdef HAVE_SYS_TIME_H
3877    # include <sys/time.h>
3878    #endif
3879    #ifdef HAVE_TIME_H
3880    # include <time.h>
3881    #endif
3882	]]
3883)
3884
# Sanity check for some platforms (AIX): a long long reported as 4 bytes
# wide has its cached size reset to 0.
case "$ac_cv_sizeof_long_long_int" in
4)
	ac_cv_sizeof_long_long_int=0
	;;
esac
3889
3890# compute LLONG_MIN and LLONG_MAX if we don't know them.
3891if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3892	AC_MSG_CHECKING([for max value of long long])
3893	AC_RUN_IFELSE(
3894		[AC_LANG_PROGRAM([[
3895#include <stdio.h>
3896#include <stdlib.h>
3897/* Why is this so damn hard? */
3898#ifdef __GNUC__
3899# undef __GNUC__
3900#endif
3901#define __USE_ISOC99
3902#include <limits.h>
3903#define DATA "conftest.llminmax"
3904#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3905
3906/*
3907 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3908 * we do this the hard way.
3909 */
3910static int
3911fprint_ll(FILE *f, long long n)
3912{
3913	unsigned int i;
3914	int l[sizeof(long long) * 8];
3915
3916	if (n < 0)
3917		if (fprintf(f, "-") < 0)
3918			return -1;
3919	for (i = 0; n != 0; i++) {
3920		l[i] = my_abs(n % 10);
3921		n /= 10;
3922	}
3923	do {
3924		if (fprintf(f, "%d", l[--i]) < 0)
3925			return -1;
3926	} while (i != 0);
3927	if (fprintf(f, " ") < 0)
3928		return -1;
3929	return 0;
3930}
3931		]], [[
3932	FILE *f;
3933	long long i, llmin, llmax = 0;
3934
3935	if((f = fopen(DATA,"w")) == NULL)
3936		exit(1);
3937
3938#if defined(LLONG_MIN) && defined(LLONG_MAX)
3939	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3940	llmin = LLONG_MIN;
3941	llmax = LLONG_MAX;
3942#else
3943	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3944	/* This will work on one's complement and two's complement */
3945	for (i = 1; i > llmax; i <<= 1, i++)
3946		llmax = i;
3947	llmin = llmax + 1LL;	/* wrap */
3948#endif
3949
3950	/* Sanity check */
3951	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3952	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3953	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3954		fprintf(f, "unknown unknown\n");
3955		exit(2);
3956	}
3957
3958	if (fprint_ll(f, llmin) < 0)
3959		exit(3);
3960	if (fprint_ll(f, llmax) < 0)
3961		exit(4);
3962	if (fclose(f) < 0)
3963		exit(5);
3964	exit(0);
3965		]])],
3966		[
3967			llong_min=`$AWK '{print $1}' conftest.llminmax`
3968			llong_max=`$AWK '{print $2}' conftest.llminmax`
3969
3970			AC_MSG_RESULT([$llong_max])
3971			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3972			    [max value of long long calculated by configure])
3973			AC_MSG_CHECKING([for min value of long long])
3974			AC_MSG_RESULT([$llong_min])
3975			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3976			    [min value of long long calculated by configure])
3977		],
3978		[
3979			AC_MSG_RESULT([not found])
3980		],
3981		[
3982			AC_MSG_WARN([cross compiling: not checking])
3983		]
3984	)
3985fi
3986
3987AC_CHECK_DECLS([UINT32_MAX], , , [[
3988#ifdef HAVE_SYS_LIMITS_H
3989# include <sys/limits.h>
3990#endif
3991#ifdef HAVE_LIMITS_H
3992# include <limits.h>
3993#endif
3994#ifdef HAVE_STDINT_H
3995# include <stdint.h>
3996#endif
3997]])
3998
3999# More checks for data types
4000AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
4001	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4002	[[ u_int a; a = 1;]])],
4003	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
4004	])
4005])
4006if test "x$ac_cv_have_u_int" = "xyes" ; then
4007	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
4008	have_u_int=1
4009fi
4010
4011AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
4012	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4013	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
4014	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
4015	])
4016])
4017if test "x$ac_cv_have_intxx_t" = "xyes" ; then
4018	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
4019	have_intxx_t=1
4020fi
4021
4022if (test -z "$have_intxx_t" && \
4023	   test "x$ac_cv_header_stdint_h" = "xyes")
4024then
4025    AC_MSG_CHECKING([for intXX_t types in stdint.h])
4026	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
4027	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
4028		[
4029			AC_DEFINE([HAVE_INTXX_T])
4030			AC_MSG_RESULT([yes])
4031		], [ AC_MSG_RESULT([no])
4032	])
4033fi
4034
4035AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
4036	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4037#include <sys/types.h>
4038#ifdef HAVE_STDINT_H
4039# include <stdint.h>
4040#endif
4041#include <sys/socket.h>
4042#ifdef HAVE_SYS_BITYPES_H
4043# include <sys/bitypes.h>
4044#endif
4045		]], [[
4046int64_t a; a = 1;
4047		]])],
4048	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
4049	])
4050])
4051if test "x$ac_cv_have_int64_t" = "xyes" ; then
4052	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
4053fi
4054
4055AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
4056	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4057	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
4058	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
4059	])
4060])
4061if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
4062	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
4063	have_u_intxx_t=1
4064fi
4065
4066if test -z "$have_u_intxx_t" ; then
4067    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
4068	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
4069	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
4070		[
4071			AC_DEFINE([HAVE_U_INTXX_T])
4072			AC_MSG_RESULT([yes])
4073		], [ AC_MSG_RESULT([no])
4074	])
4075fi
4076
4077AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
4078	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4079	[[ u_int64_t a; a = 1;]])],
4080	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
4081	])
4082])
4083if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
4084	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
4085	have_u_int64_t=1
4086fi
4087
4088if (test -z "$have_u_int64_t" && \
4089	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
4090then
4091    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
4092	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
4093	[[ u_int64_t a; a = 1]])],
4094		[
4095			AC_DEFINE([HAVE_U_INT64_T])
4096			AC_MSG_RESULT([yes])
4097		], [ AC_MSG_RESULT([no])
4098	])
4099fi
4100
# Probe for the C99-style fixed-width unsigned types (uint8_t, uint16_t,
# uint32_t), first through sys/types.h and then through stdint.h and
# inttypes.h. The first probe only runs when the BSD-style u_intXX_t probe
# earlier in the file did not set have_u_intxx_t.
# NOTE(review): have_uintxx_t, which gates the stdint.h and inttypes.h probes,
# is not assigned anywhere in this part of the file, so those probes appear to
# run whenever the header was detected, even after an earlier probe already
# defined HAVE_UINTXX_T. Confirm whether a have_uintxx_t=1 assignment is
# missing after the successful probes.
if test -z "$have_u_intxx_t" ; then
	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
			]], [[
	uint8_t a;
	uint16_t b;
	uint32_t c;
	a = b = c = 1;
			]])],
		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
		])
	])
	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
		AC_DEFINE([HAVE_UINTXX_T], [1],
			[define if you have uintxx_t data type])
	fi
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_stdint_h" = "xyes")
then
    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi

if (test -z "$have_uintxx_t" && \
	   test "x$ac_cv_header_inttypes_h" = "xyes")
then
    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
		[
			AC_DEFINE([HAVE_UINTXX_T])
			AC_MSG_RESULT([yes])
		], [ AC_MSG_RESULT([no])
	])
fi
4145
# Last-resort probe: look for both the signed and the unsigned fixed-width
# types in sys/bitypes.h. In the shell, && and || have equal precedence and
# associate left to right, so the condition reads as
# (no u_intXX_t OR no intXX_t) AND sys/bitypes.h present: the probe runs only
# when the header was detected and at least one of have_u_intxx_t or
# have_intxx_t is still empty.
if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
then
	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/bitypes.h>
		]], [[
			int8_t a; int16_t b; int32_t c;
			u_int8_t e; u_int16_t f; u_int32_t g;
			a = b = c = e = f = g = 1;
		]])],
		[
			AC_DEFINE([HAVE_U_INTXX_T])
			AC_DEFINE([HAVE_INTXX_T])
			AC_MSG_RESULT([yes])
		], [AC_MSG_RESULT([no])
	])
fi
4164
4165
4166AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
4167	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4168	[[ u_char foo; foo = 125; ]])],
4169	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
4170	])
4171])
4172if test "x$ac_cv_have_u_char" = "xyes" ; then
4173	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
4174fi
4175
4176AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
4177#include <sys/types.h>
4178#ifdef HAVE_STDINT_H
4179# include <stdint.h>
4180#endif
4181])
4182
4183TYPE_SOCKLEN_T
4184
4185AC_CHECK_TYPES([sig_atomic_t, sighandler_t], , , [#include <signal.h>])
4186AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
4187#include <sys/types.h>
4188#ifdef HAVE_SYS_BITYPES_H
4189#include <sys/bitypes.h>
4190#endif
4191#ifdef HAVE_SYS_STATFS_H
4192#include <sys/statfs.h>
4193#endif
4194#ifdef HAVE_SYS_STATVFS_H
4195#include <sys/statvfs.h>
4196#endif
4197])
4198
4199AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
4200#include <sys/param.h>
4201#include <sys/types.h>
4202#ifdef HAVE_SYS_BITYPES_H
4203#include <sys/bitypes.h>
4204#endif
4205#ifdef HAVE_SYS_STATFS_H
4206#include <sys/statfs.h>
4207#endif
4208#ifdef HAVE_SYS_STATVFS_H
4209#include <sys/statvfs.h>
4210#endif
4211#ifdef HAVE_SYS_VFS_H
4212#include <sys/vfs.h>
4213#endif
4214#ifdef HAVE_SYS_MOUNT_H
4215#include <sys/mount.h>
4216#endif
4217]])
4218
4219
4220AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
4221[#include <sys/types.h>
4222#include <netinet/in.h>])
4223
4224AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
4225	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4226	[[ size_t foo; foo = 1235; ]])],
4227	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4228	])
4229])
4230if test "x$ac_cv_have_size_t" = "xyes" ; then
4231	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4232fi
4233
4234AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4235	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4236	[[ ssize_t foo; foo = 1235; ]])],
4237	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4238	])
4239])
4240if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4241	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4242fi
4243
4244AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4245	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4246	[[ clock_t foo; foo = 1235; ]])],
4247	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4248	])
4249])
4250if test "x$ac_cv_have_clock_t" = "xyes" ; then
4251	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4252fi
4253
4254AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4255	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4256#include <sys/types.h>
4257#include <sys/socket.h>
4258		]], [[ sa_family_t foo; foo = 1235; ]])],
4259	[ ac_cv_have_sa_family_t="yes" ],
4260	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4261#include <sys/types.h>
4262#include <sys/socket.h>
4263#include <netinet/in.h>
4264		]], [[ sa_family_t foo; foo = 1235; ]])],
4265		[ ac_cv_have_sa_family_t="yes" ],
4266		[ ac_cv_have_sa_family_t="no" ]
4267	)
4268	])
4269])
4270if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4271	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4272		[define if you have sa_family_t data type])
4273fi
4274
4275AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4276	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4277	[[ pid_t foo; foo = 1235; ]])],
4278	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4279	])
4280])
4281if test "x$ac_cv_have_pid_t" = "xyes" ; then
4282	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4283fi
4284
4285AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4286	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4287	[[ mode_t foo; foo = 1235; ]])],
4288	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4289	])
4290])
4291if test "x$ac_cv_have_mode_t" = "xyes" ; then
4292	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4293fi
4294
4295
4296AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4297	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4298#include <sys/types.h>
4299#include <sys/socket.h>
4300		]], [[ struct sockaddr_storage s; ]])],
4301	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4302	[ ac_cv_have_struct_sockaddr_storage="no"
4303	])
4304])
4305if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4306	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4307		[define if you have struct sockaddr_storage data type])
4308fi
4309
4310AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4311	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4312#include <sys/types.h>
4313#include <netinet/in.h>
4314		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4315	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4316	[ ac_cv_have_struct_sockaddr_in6="no"
4317	])
4318])
4319if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4320	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4321		[define if you have struct sockaddr_in6 data type])
4322fi
4323
4324AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4325	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4326#include <sys/types.h>
4327#include <netinet/in.h>
4328		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4329	[ ac_cv_have_struct_in6_addr="yes" ],
4330	[ ac_cv_have_struct_in6_addr="no"
4331	])
4332])
4333if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4334	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4335		[define if you have struct in6_addr data type])
4336
4337dnl Now check for sin6_scope_id
4338	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4339		[
4340#ifdef HAVE_SYS_TYPES_H
4341#include <sys/types.h>
4342#endif
4343#include <netinet/in.h>
4344		])
4345fi
4346
4347AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4348	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4349#include <sys/types.h>
4350#include <sys/socket.h>
4351#include <netdb.h>
4352		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4353	[ ac_cv_have_struct_addrinfo="yes" ],
4354	[ ac_cv_have_struct_addrinfo="no"
4355	])
4356])
4357if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4358	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4359		[define if you have struct addrinfo data type])
4360fi
4361
4362AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4363	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4364	[[ struct timeval tv; tv.tv_sec = 1;]])],
4365	[ ac_cv_have_struct_timeval="yes" ],
4366	[ ac_cv_have_struct_timeval="no"
4367	])
4368])
4369if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4370	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4371	have_struct_timeval=1
4372fi
4373
4374AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4375	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4376    #ifdef HAVE_SYS_TIME_H
4377    # include <sys/time.h>
4378    #endif
4379    #ifdef HAVE_TIME_H
4380    # include <time.h>
4381    #endif
4382	]],
4383	[[ struct timespec ts; ts.tv_sec = 1;]])],
4384	[ ac_cv_have_struct_timespec="yes" ],
4385	[ ac_cv_have_struct_timespec="no"
4386	])
4387])
4388if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4389	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4390	have_struct_timespec=1
4391fi
4392
# We need int64_t or else certain parts of the compile will fail.
# Configure stops here when no int64_t was found, long int is not 8 bytes and
# the size recorded for long long is 0, i.e. no 64-bit integer type is
# available at all.
if test "x$ac_cv_have_int64_t" = "xno" && \
	test "x$ac_cv_sizeof_long_int" != "x8" && \
	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
	echo "an alternative compiler (I.E., GCC) before continuing."
	echo ""
	exit 1;
else
# Otherwise run a small program that formats the largest signed 64-bit value
# with %lld through snprintf and compares it with the expected decimal string.
# A non-zero exit defines BROKEN_SNPRINTF. When snprintf was not detected
# (HAVE_SNPRINTF unset) the program exits 0 and nothing is defined.
# The program cannot be run when cross compiling, so a working snprintf is
# assumed in that case without being verified.
# NOTE(review): on the SIZEOF_LONG_INT == 8 path the value is a long int but
# the format is still %lld; the sizes match there, but the types differ.
dnl test snprintf (broken on SCO w/gcc)
	AC_RUN_IFELSE(
		[AC_LANG_SOURCE([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
int main(void)
{
	char buf[50];
	char expected_out[50];
	int mazsize = 50 ;
#if (SIZEOF_LONG_INT == 8)
	long int num = 0x7fffffffffffffff;
#else
	long long num = 0x7fffffffffffffffll;
#endif
	strcpy(expected_out, "9223372036854775807");
	snprintf(buf, mazsize, "%lld", num);
	if(strcmp(buf, expected_out) != 0)
		exit(1);
	exit(0);
}
#else
int main(void) { exit(0); }
#endif
		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
	)
fi
4432
4433dnl Checks for structure members
4434OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4435OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4436OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4437OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4438OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4439OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4440OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4441OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4442OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4443OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4444OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4445OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4446OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4447OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4448OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4449OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4450OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4451OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4452
4453AC_CHECK_MEMBERS([struct stat.st_blksize])
4454AC_CHECK_MEMBERS([struct stat.st_mtim])
4455AC_CHECK_MEMBERS([struct stat.st_mtime])
4456AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4457struct passwd.pw_change, struct passwd.pw_expire],
4458[], [], [[
4459#include <sys/types.h>
4460#include <pwd.h>
4461]])
4462
4463AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4464	[Define if we don't have struct __res_state in resolv.h])],
4465[[
4466#include <stdio.h>
4467#if HAVE_SYS_TYPES_H
4468# include <sys/types.h>
4469#endif
4470#include <netinet/in.h>
4471#include <arpa/nameser.h>
4472#include <resolv.h>
4473]])
4474
4475AC_CHECK_MEMBER([struct sockaddr_in.sin_len],
4476    [AC_DEFINE([SOCK_HAS_LEN], [1], [sockaddr_in has sin_len])],
4477    [],
4478    [AC_LANG_SOURCE([[
4479#include <sys/types.h>
4480#include <sys/socket.h>
4481#include <netinet/in.h>
4482    ]])]
4483)
4484
4485AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4486		ac_cv_have_ss_family_in_struct_ss, [
4487	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4488#include <sys/types.h>
4489#include <sys/socket.h>
4490		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4491	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4492	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4493])
4494if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4495	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4496fi
4497
4498AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4499		ac_cv_have___ss_family_in_struct_ss, [
4500	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4501#include <sys/types.h>
4502#include <sys/socket.h>
4503		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4504	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4505	[ ac_cv_have___ss_family_in_struct_ss="no"
4506	])
4507])
4508if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4509	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4510		[Fields in struct sockaddr_storage])
4511fi
4512
dnl make sure we're using the real structure members and not defines
# Detect the access-rights style of file descriptor passing: struct msghdr
# has a real msg_accrights member. The test program fails on purpose with
# #error when msg_accrights is a preprocessor macro, so a macro alias is not
# mistaken for the member.
AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
		ac_cv_have_accrights_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_accrights
#error "msg_accrights is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_accrights = 0;
exit(0);
		]])],
		[ ac_cv_have_accrights_in_msghdr="yes" ],
		[ ac_cv_have_accrights_in_msghdr="no" ]
	)
])
if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
		[Define if your system uses access rights style
		file descriptor passing])
fi
4539
4540AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4541AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4542#include <sys/param.h>
4543#include <sys/stat.h>
4544#ifdef HAVE_SYS_TIME_H
4545# include <sys/time.h>
4546#endif
4547#ifdef HAVE_SYS_MOUNT_H
4548#include <sys/mount.h>
4549#endif
4550#ifdef HAVE_SYS_STATVFS_H
4551#include <sys/statvfs.h>
4552#endif
4553	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4554	[ AC_MSG_RESULT([yes]) ],
4555	[ AC_MSG_RESULT([no])
4556
4557	AC_MSG_CHECKING([if fsid_t has member val])
4558	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4559#include <sys/types.h>
4560#include <sys/statvfs.h>
4561	]], [[ fsid_t t; t.val[0] = 0; ]])],
4562	[ AC_MSG_RESULT([yes])
4563	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4564	[ AC_MSG_RESULT([no]) ])
4565
4566	AC_MSG_CHECKING([if f_fsid has member __val])
4567	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4568#include <sys/types.h>
4569#include <sys/statvfs.h>
4570	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4571	[ AC_MSG_RESULT([yes])
4572	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4573	[ AC_MSG_RESULT([no]) ])
4574])
4575
# Detect the ancillary-data style of file descriptor passing: struct msghdr
# has a real msg_control member. As with the msg_accrights probe, the test
# program refuses to compile when msg_control is a preprocessor macro.
AC_CACHE_CHECK([for msg_control field in struct msghdr],
		ac_cv_have_control_in_msghdr, [
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
		]], [[
#ifdef msg_control
#error "msg_control is a macro"
exit(1);
#endif
struct msghdr m;
m.msg_control = 0;
exit(0);
		]])],
		[ ac_cv_have_control_in_msghdr="yes" ],
		[ ac_cv_have_control_in_msghdr="no" ]
	)
])
if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
		[Define if your system uses ancillary data style
		file descriptor passing])
fi
4601
4602AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4603	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4604		[[ extern char *__progname; printf("%s", __progname); ]])],
4605	[ ac_cv_libc_defines___progname="yes" ],
4606	[ ac_cv_libc_defines___progname="no"
4607	])
4608])
4609if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4610	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4611fi
4612
4613AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4614	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4615		[[ printf("%s", __FUNCTION__); ]])],
4616	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4617	[ ac_cv_cc_implements___FUNCTION__="no"
4618	])
4619])
4620if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4621	AC_DEFINE([HAVE___FUNCTION__], [1],
4622		[Define if compiler implements __FUNCTION__])
4623fi
4624
4625AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4626	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4627		[[ printf("%s", __func__); ]])],
4628	[ ac_cv_cc_implements___func__="yes" ],
4629	[ ac_cv_cc_implements___func__="no"
4630	])
4631])
4632if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4633	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4634fi
4635
4636AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4637	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4638#include <stdarg.h>
4639va_list x,y;
4640		]], [[ va_copy(x,y); ]])],
4641	[ ac_cv_have_va_copy="yes" ],
4642	[ ac_cv_have_va_copy="no"
4643	])
4644])
4645if test "x$ac_cv_have_va_copy" = "xyes" ; then
4646	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4647fi
4648
4649AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4650	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4651#include <stdarg.h>
4652va_list x,y;
4653		]], [[ __va_copy(x,y); ]])],
4654	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4655	])
4656])
4657if test "x$ac_cv_have___va_copy" = "xyes" ; then
4658	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4659fi
4660
4661AC_CACHE_CHECK([whether getopt has optreset support],
4662		ac_cv_have_getopt_optreset, [
4663	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4664		[[ extern int optreset; optreset = 0; ]])],
4665	[ ac_cv_have_getopt_optreset="yes" ],
4666	[ ac_cv_have_getopt_optreset="no"
4667	])
4668])
4669if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4670	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4671		[Define if your getopt(3) defines and uses optreset])
4672fi
4673
4674AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4675	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4676[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4677	[ ac_cv_libc_defines_sys_errlist="yes" ],
4678	[ ac_cv_libc_defines_sys_errlist="no"
4679	])
4680])
4681if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4682	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4683		[Define if your system defines sys_errlist[]])
4684fi
4685
4686
4687AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4688	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4689[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4690	[ ac_cv_libc_defines_sys_nerr="yes" ],
4691	[ ac_cv_libc_defines_sys_nerr="no"
4692	])
4693])
4694if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4695	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4696fi
4697
# Check libraries needed by DNS fingerprint support
# If getrrsetbyname is found in libc or libresolv, HAVE_GETRRSETBYNAME is
# defined. Otherwise the fallback branch locates the resolver pieces
# res_query, dn_expand, _getshort, _getlong and the HEADER.ad field.
# The res_query link test is repeated with -lresolv appended to LIBS by hand;
# LIBS is restored from saved_LIBS when that second attempt also fails.
# NOTE(review): HEADER.ad is presumably the DNSSEC authenticated-data bit of
# the DNS header; confirm how the bundled getrrsetbyname uses it, since it
# would decide whether an answer is reported as validated.
AC_SEARCH_LIBS([getrrsetbyname], [resolv],
	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
		[Define if getrrsetbyname() exists])],
	[
		# Needed by our getrrsetbyname()
		AC_SEARCH_LIBS([res_query], [resolv])
		AC_SEARCH_LIBS([dn_expand], [resolv])
		AC_MSG_CHECKING([if res_query will link])
		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
		    AC_MSG_RESULT([yes]),
		   [AC_MSG_RESULT([no])
		    saved_LIBS="$LIBS"
		    LIBS="$LIBS -lresolv"
		    AC_MSG_CHECKING([for res_query in -lresolv])
		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <resolv.h>
				]], [[
	res_query (0, 0, 0, 0, 0);
				]])],
			[AC_MSG_RESULT([yes])],
			[LIBS="$saved_LIBS"
			 AC_MSG_RESULT([no])])
		    ])
		AC_CHECK_FUNCS([_getshort _getlong])
		AC_CHECK_DECLS([_getshort, _getlong], , ,
		    [#include <sys/types.h>
		    #include <arpa/nameser.h>])
		AC_CHECK_MEMBER([HEADER.ad],
			[AC_DEFINE([HAVE_HEADER_AD], [1],
			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
			[#include <arpa/nameser.h>])
	])
4743
4744AC_MSG_CHECKING([if struct __res_state _res is an extern])
4745AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4746#include <stdio.h>
4747#if HAVE_SYS_TYPES_H
4748# include <sys/types.h>
4749#endif
4750#include <netinet/in.h>
4751#include <arpa/nameser.h>
4752#include <resolv.h>
4753extern struct __res_state _res;
4754		]], [[
4755struct __res_state *volatile p = &_res;  /* force resolution of _res */
4756return 0;
4757		]],)],
4758		[AC_MSG_RESULT([yes])
4759		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4760		    [Define if you have struct __res_state _res as an extern])
4761		],
4762		[ AC_MSG_RESULT([no]) ]
4763)
4764
# Check whether user wants SELinux support
# SELinux is opt-in: nothing is probed unless --with-selinux is given. When it
# is requested, a missing selinux/selinux.h or a libselinux without setexeccon
# is a hard configure error rather than a silent downgrade to a build without
# SELinux support.
# NOTE(review): SSHDLIBS is substituted below but not assigned in this block;
# -lselinux ends up in LIBS instead.
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH([selinux],
	[  --with-selinux          Enable SELinux support],
	[ if test "x$withval" != "xno" ; then
		save_LIBS="$LIBS"
		AC_DEFINE([WITH_SELINUX], [1],
			[Define if you want SELinux support.])
		SELINUX_MSG="yes"
		AC_CHECK_HEADER([selinux/selinux.h], ,
			AC_MSG_ERROR([SELinux support requires selinux.h header]))
		AC_CHECK_LIB([selinux], [setexeccon],
			[ LIBSELINUX="-lselinux"
			  LIBS="$LIBS -lselinux"
			],
			AC_MSG_ERROR([SELinux support requires libselinux library]))
		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
		LIBS="$save_LIBS $LIBSELINUX"
	fi ]
)
AC_SUBST([SSHDLIBS])
4787
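# Check whether user wants Kerberos 5 support
# --with-kerberos5 with no path uses /usr/local as KRB5ROOT; any other value
# is used as the prefix. Compiler and linker flags come from, in order of
# preference: pkg-config, krb5-config, or hard-coded -I/-L paths under
# KRB5ROOT. Both helper programs are executed during configure and their
# output is added to CPPFLAGS and to the Kerberos and GSSAPI library lists,
# and krb5-config is looked up in KRB5ROOT/bin before PATH, so the prefix
# passed to --with-kerberos5 must be a location the builder trusts.
# Expansions of the helper paths are quoted so that a path containing
# whitespace is executed as one program rather than being split into words.
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
	[ if test "x$withval" != "xno" ; then
		if test "x$withval" = "xyes" ; then
			KRB5ROOT="/usr/local"
		else
			KRB5ROOT=${withval}
		fi

		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
		KRB5_MSG="yes"

		# Prefer pkg-config when it is available and knows the krb5 module.
		use_pkgconfig_for_krb5=
		if test "x$PKGCONFIG" != "xno"; then
			AC_MSG_CHECKING([if $PKGCONFIG knows about kerberos5])
			if "$PKGCONFIG" krb5; then
				AC_MSG_RESULT([yes])
				use_pkgconfig_for_krb5=yes
			else
				AC_MSG_RESULT([no])
			fi
		fi
		if test "x$use_pkgconfig_for_krb5" = "xyes"; then
			K5CFLAGS=`"$PKGCONFIG" --cflags krb5`
			K5LIBS=`"$PKGCONFIG" --libs krb5`
			CPPFLAGS="$CPPFLAGS $K5CFLAGS"

			AC_MSG_CHECKING([for gssapi support])
			if "$PKGCONFIG" krb5-gssapi; then
				AC_MSG_RESULT([yes])
				AC_DEFINE([GSSAPI], [1],
					[Define this if you want GSSAPI
					support in the version 2 protocol])
				GSSCFLAGS=`"$PKGCONFIG" --cflags krb5-gssapi`
				GSSLIBS=`"$PKGCONFIG" --libs krb5-gssapi`
				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
			else
				AC_MSG_RESULT([no])
			fi
			AC_MSG_CHECKING([whether we are using Heimdal])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
				]], [[ char *tmp = heimdal_version; ]])],
				[ AC_MSG_RESULT([yes])
				AC_DEFINE([HEIMDAL], [1],
				[Define this if you are using the Heimdal
				version of Kerberos V5]) ],
				[AC_MSG_RESULT([no])
			])
		else
			# Otherwise fall back to krb5-config, searched for under
			# KRB5ROOT/bin first and then in PATH.
			AC_PATH_TOOL([KRB5CONF], [krb5-config],
				     [$KRB5ROOT/bin/krb5-config],
				     [$KRB5ROOT/bin:$PATH])
			if test -x "$KRB5CONF" ; then
				K5CFLAGS=`"$KRB5CONF" --cflags`
				K5LIBS=`"$KRB5CONF" --libs`
				CPPFLAGS="$CPPFLAGS $K5CFLAGS"

				AC_MSG_CHECKING([for gssapi support])
				if "$KRB5CONF" | grep gssapi >/dev/null ; then
					AC_MSG_RESULT([yes])
					AC_DEFINE([GSSAPI], [1],
						[Define this if you want GSSAPI
						support in the version 2 protocol])
					GSSCFLAGS=`"$KRB5CONF" --cflags gssapi`
					GSSLIBS=`"$KRB5CONF" --libs gssapi`
					CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
				else
					AC_MSG_RESULT([no])
				fi
				AC_MSG_CHECKING([whether we are using Heimdal])
				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
					]], [[ char *tmp = heimdal_version; ]])],
					[ AC_MSG_RESULT([yes])
					AC_DEFINE([HEIMDAL], [1],
					[Define this if you are using the Heimdal
					version of Kerberos V5]) ],
					[AC_MSG_RESULT([no])
				])
			else
				# No usable krb5-config: guess include and library
				# paths under KRB5ROOT and probe for the libraries.
				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
				LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
				AC_MSG_CHECKING([whether we are using Heimdal])
				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
					]], [[ char *tmp = heimdal_version; ]])],
						[ AC_MSG_RESULT([yes])
						 AC_DEFINE([HEIMDAL])
						 K5LIBS="-lkrb5"
						 K5LIBS="$K5LIBS -lcom_err -lasn1"
						 AC_CHECK_LIB([roken], [net_write],
						   [K5LIBS="$K5LIBS -lroken"])
						 AC_CHECK_LIB([des], [des_cbc_encrypt],
						   [K5LIBS="$K5LIBS -ldes"])
					       ], [ AC_MSG_RESULT([no])
						 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
				])
				AC_SEARCH_LIBS([dn_expand], [resolv])

				AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
					[ AC_DEFINE([GSSAPI])
					  GSSLIBS="-lgssapi_krb5" ],
					[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
						[ AC_DEFINE([GSSAPI])
						  GSSLIBS="-lgssapi" ],
						[ AC_CHECK_LIB([gss], [gss_init_sec_context],
							[ AC_DEFINE([GSSAPI])
							  GSSLIBS="-lgss" ],
							AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
						])
					])

				AC_CHECK_HEADER([gssapi.h], ,
					[ unset ac_cv_header_gssapi_h
					  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
					  AC_CHECK_HEADERS([gssapi.h], ,
						AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
					  )
					]
				)

				oldCPP="$CPPFLAGS"
				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
				AC_CHECK_HEADER([gssapi_krb5.h], ,
						[ CPPFLAGS="$oldCPP" ])

			fi
		fi
		if test -n "${rpath_opt}" ; then
			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
		fi
		if test ! -z "$blibpath" ; then
			blibpath="$blibpath:${KRB5ROOT}/lib"
		fi

		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])

		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
			[Define this if you want to use libkafs' AFS support])])

		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
#endif

#ifdef HAVE_GSSAPI_GENERIC_H
# include <gssapi_generic.h>
#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
# include <gssapi/gssapi_generic.h>
#endif
		]])
		saved_LIBS="$LIBS"
		LIBS="$LIBS $K5LIBS"
		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
		LIBS="$saved_LIBS"

	fi
	]
)
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])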
4954
4955# Looking for programs, paths and files
4956
# Directory used as the chroot for privilege separation. The default is
# /var/empty; --with-privsep-path overrides it, while an empty value, "yes" or
# "no" leaves the default in place. The value is only substituted here; no
# check of the directory itself is made at configure time.
# NOTE(review): because this becomes a chroot target, the directory is
# expected to be empty, owned by root and not writable by group or others;
# confirm that the install step or packaging creates it that way.
PRIVSEP_PATH=/var/empty
AC_ARG_WITH([privsep-path],
	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			PRIVSEP_PATH=$withval
		fi
	]
)
AC_SUBST([PRIVSEP_PATH])
4968
# Locate the xauth program. An explicit --with-xauth=PATH is taken as given
# and is not checked for existence. Without the option, xauth is searched for
# in PATH followed by a few traditional X11 directories, and an executable
# /usr/openwin/bin/xauth replaces whatever the search found.
# NOTE(review): the automatic search depends on the PATH of whoever runs
# configure, and the result is later compiled in as XAUTH_PATH; on build hosts
# prefer passing --with-xauth explicitly so the path is a known system
# location.
AC_ARG_WITH([xauth],
	[  --with-xauth=PATH       Specify path to xauth program ],
	[
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			xauth_path=$withval
		fi
	],
	[
		TestPath="$PATH"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
			xauth_path="/usr/openwin/bin/xauth"
		fi
	]
)
4989
4990STRIP_OPT=-s
4991AC_ARG_ENABLE([strip],
4992	[  --disable-strip         Disable calling strip(1) on install],
4993	[
4994		if test "x$enableval" = "xno" ; then
4995			STRIP_OPT=
4996		fi
4997	]
4998)
4999AC_SUBST([STRIP_OPT])
5000
# Publish the xauth location. When none was found, the substitution receives
# the literal string undefined and no preprocessor define is emitted;
# otherwise the path is both defined as a C string and substituted.
if test -z "$xauth_path" ; then
	XAUTH_PATH="undefined"
	AC_SUBST([XAUTH_PATH])
else
	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
		[Define if xauth is found in your path])
	XAUTH_PATH=$xauth_path
	AC_SUBST([XAUTH_PATH])
fi
5010
5011dnl # --with-maildir=/path/to/mail gets top priority.
5012dnl # if maildir is set in the platform case statement above we use that.
5013dnl # Otherwise we run a program to get the dir from system headers.
5014dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
5015dnl # If we find _PATH_MAILDIR we do nothing because that is what
5016dnl # session.c expects anyway. Otherwise we set to the value found
5017dnl # stripping any trailing slash. If for some strange reason our program
5018dnl # does not find what it needs, we default to /var/spool/mail.
# Check for mail directory.
# The chosen value is written to config.h as the C string MAIL_DIRECTORY.
# Sources, in the order tried below: --with-maildir, a preset $maildir,
# then a small program compiled and run against the system headers.
AC_ARG_WITH([maildir],
    [  --with-maildir=/path/to/mail    Specify your system mail directory],
    [
	# Empty, "no" and "yes" are ignored. Any other value is copied verbatim
	# into the define: nothing checks that it is an absolute path or that
	# it is free of characters that need escaping in a C string.
	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
	    test "x${withval}" != xyes; then
		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
            [Set this to your mail directory if you do not have _PATH_MAILDIR])
	    fi
     ],[
	if test "X$maildir" != "X"; then
	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
	else
	    AC_MSG_CHECKING([Discovering system mail directory])
	    AC_RUN_IFELSE(
		[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#ifdef HAVE_MAILLOCK_H
#include <maillock.h>
#endif
#define DATA "conftest.maildir"
	]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	/* Emit NAME:value for the first of these macros that the headers define. */
#if defined (_PATH_MAILDIR)
	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
		exit(1);
#elif defined (MAILDIR)
	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
		exit(1);
#elif defined (_PATH_MAIL)
	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
		exit(1);
#else
	/* Exit status 2 tells the caller that none of the macros exists. */
	exit (2);
#endif

	exit(0);
		]])],
		[
		    # The record is NAME:path and is split on colons, so for a
		    # path that itself contains a colon only the part before
		    # that colon is kept. One trailing slash is stripped.
		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
		    maildir=`awk -F: '{print $2}' conftest.maildir \
			| sed 's|/$||'`
		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
		    # _PATH_MAILDIR needs no define of its own.
		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
		    fi
		],
		[
		    # Relies on ac_status holding the exit status of the probe.
		    # Any failure other than status 2 leaves MAIL_DIRECTORY
		    # undefined.
		    if test "X$ac_status" = "X2";then
# our test program didn't find it. Default to /var/spool/mail
			AC_MSG_RESULT([Using: default value of /var/spool/mail])
			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
		     else
			AC_MSG_RESULT([*** not found ***])
		     fi
		],
		[
			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
		]
	    )
	fi
    ]
) # maildir
5093
# The /dev/ptmx probe inspects the filesystem of the machine running
# configure, so it is switched off when cross compiling.
if test "x$cross_compiling" = "xyes"; then
	disable_ptmx_check=yes
	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
fi
# A non-empty no_dev_ptmx (presumably set earlier in this file) also
# suppresses the probe.
if test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes" ; then
	AC_CHECK_FILE(["/dev/ptmx"], [
		have_dev_ptmx=1
		AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
			[Define if you have /dev/ptmx])
	])
fi
5109
# /dev/ptc is likewise looked up on the machine running configure. The
# warning branch is also taken when $cross_compiling is empty.
if test -z "$cross_compiling" || test "x$cross_compiling" = "xyes"; then
	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
else
	AC_CHECK_FILE(["/dev/ptc"], [
		have_dev_ptc=1
		AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
			[Define if you have /dev/ptc])
	])
fi
5121
# Options from here on. Some of these are preset by platform above
# --with-mantype accepts exactly man, cat or doc; anything else aborts
# configure instead of being passed on.
AC_ARG_WITH([mantype],
	[  --with-mantype=man|cat|doc  Set man page type],
	[
		if test "x$withval" = "xman" || test "x$withval" = "xcat" || \
		    test "x$withval" = "xdoc"; then
			MANTYPE=$withval
		else
			AC_MSG_ERROR([invalid man type: $withval])
		fi
	]
)
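# Pick a man page format when --with-mantype did not set one: try mandoc,
# then nroff -mdoc, then nroff -man on ssh.1, and fall back to "cat".
# Each formatter is only run when its variable is non-empty. With an empty
# ${MANDOC} the unguarded command line would start with the path to ssh.1
# and the shell would try to execute that file from the source tree.
# ${MANDOC} and ${NROFF} stay unquoted so that they may carry arguments.
if test -z "$MANTYPE"; then
	MANTYPE=cat
	if test -n "${MANDOC}" && \
	    ${MANDOC} "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -mdoc "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=doc
	elif test -n "${NROFF}" && \
	    ${NROFF} -man "${srcdir}/ssh.1" >/dev/null 2>&1; then
		MANTYPE=man
	fi
fi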
AC_SUBST([MANTYPE])
# The "doc" format shares the "man" subdirectory name; the other formats
# use their own name.
case "$MANTYPE" in
doc)
	mansubdir=man
	;;
*)
	mansubdir=$MANTYPE
	;;
esac
AC_SUBST([mansubdir])
5154
# Whether to disable shadow password support.
# Only an explicit "no" (--without-shadow) has an effect: it defines
# DISABLE_SHADOW and records the choice in disable_shadow.
AC_ARG_WITH([shadow],
	[  --without-shadow        Disable shadow password support],
	[
		case "x$withval" in
		xno)
			disable_shadow=yes
			AC_DEFINE([DISABLE_SHADOW])
			;;
		esac
	]
)
5165
# Skipped when shadow support was disabled. Compile-only probe: does
# struct spwd have the sp_expire, sp_lstchg and sp_inact members?
if test -z "$disable_shadow" ; then
	AC_MSG_CHECKING([if the systems has expire shadow information])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <shadow.h>
struct spwd sp;
		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
		[ sp_expire_available=yes ])

	if test "x$sp_expire_available" != "xyes" ; then
		AC_MSG_RESULT([no])
	else
		AC_MSG_RESULT([yes])
		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
		    [Define if you want to use shadow password expire field])
	fi
fi
5184
# Use ip address instead of hostname in $DISPLAY.
# A non-empty IPADDR_IN_DISPLAY forces the define; otherwise
# --with-ipaddr-display turns it on for any value except "no".
if test -z "$IPADDR_IN_DISPLAY" ; then
	DISPLAY_HACK_MSG="no"
	AC_ARG_WITH([ipaddr-display],
		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
		[
			case "x$withval" in
			xno)
				;;
			*)
				AC_DEFINE([IPADDR_IN_DISPLAY])
				DISPLAY_HACK_MSG="yes"
				;;
			esac
		]
	)
else
	DISPLAY_HACK_MSG="yes"
	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
		[Define if you need to use IP address
		instead of hostname in $DISPLAY])
fi
5203
# check for /etc/default/login and use it if present.
# etc_default_login ends up "no" when the feature is disabled explicitly
# or, with no option given, when cross compiling; otherwise "yes".
AC_ARG_ENABLE([etc-default-login],
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[
		etc_default_login=yes
		if test "x$enableval" = "xno"; then
			AC_MSG_NOTICE([/etc/default/login handling disabled])
			etc_default_login=no
		fi
	],
	[
		etc_default_login=yes
		if test "x$cross_compiling" = "xyes"; then
			AC_MSG_WARN([cross compiling: not checking /etc/default/login])
			etc_default_login=no
		fi
	]
)
5221
# The file is looked for on the machine running configure. The define is
# keyed on external_path_file rather than on the probe result, so a value
# already set before this point counts as well.
if test "x$etc_default_login" != "xno"; then
	AC_CHECK_FILE(["/etc/default/login"],
	    [ external_path_file=/etc/default/login ])
	case "x$external_path_file" in
	x/etc/default/login)
		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
			[Define if your system has /etc/default/login])
		;;
	esac
fi
5230
5231dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
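# login.conf takes over PATH handling when both login_getcapbool() and
# <login_cap.h> were found. The cache variables are quoted and x-prefixed
# so that an unset or empty one compares as false instead of making test
# report a syntax error.
if test "x$ac_cv_func_login_getcapbool" = "xyes" && \
	test "x$ac_cv_header_login_cap_h" = "xyes" ; then
	external_path_file=/etc/login.conf
fi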
5236
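# Whether to mess with the default path.
# The result is compiled in as USER_PATH, the default $PATH for the server,
# except on systems where /etc/login.conf supplies it.
SERVER_PATH_MSG="(default)"
AC_ARG_WITH([default-path],
	[  --with-default-path=    Specify default $PATH environment for server],
	[
		if test "x$external_path_file" = "x/etc/login.conf" ; then
			AC_MSG_WARN([
--with-default-path=PATH has no effect on this system.
Edit /etc/login.conf instead.])
		elif test "x$withval" != "xno" ; then
			if test ! -z "$external_path_file" ; then
				AC_MSG_WARN([
--with-default-path=PATH will only be used if PATH is not defined in
$external_path_file .])
			fi
			# An empty or dot-relative entry makes command lookup depend
			# on the working directory of whatever runs with this PATH.
			# The value is still accepted; this is a warning only.
			case ":$withval:" in
			*::*|*:.:*|*:..:*|*:./*|*:../*)
				AC_MSG_WARN([--with-default-path contains an empty or relative entry])
				;;
			esac
			user_path="$withval"
			SERVER_PATH_MSG="$withval"
		fi
	],
	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
	else
		if test ! -z "$external_path_file" ; then
			AC_MSG_WARN([
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
		fi
		# Ask the system headers for the standard path by compiling and
		# running a probe; the built-in default is used when the probe
		# fails or when cross compiling.
		AC_RUN_IFELSE(
			[AC_LANG_PROGRAM([[
/* find out what STDPATH is */
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
# ifdef _PATH_USERPATH	/* Irix */
#  define _PATH_STDPATH _PATH_USERPATH
# else
#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
# endif
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DATA "conftest.stdpath"
			]], [[
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
		exit(1);

	exit(0);
		]])],
		[ user_path=`cat conftest.stdpath` ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
	)
# make sure $bindir is in USER_PATH so scp will work
		# bindir may still refer to other variables or to the NONE
		# placeholder, so it is expanded until neither remains. The eval
		# re-parses the value as shell text; it comes from the configure
		# command line. $EGREP is the program found by the egrep check
		# earlier in this file.
		t_bindir="${bindir}"
		while echo "${t_bindir}" | $EGREP '\$\{|NONE/' >/dev/null 2>&1; do
			t_bindir=`eval echo ${t_bindir}`
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
			esac
			case $t_bindir in
				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
			esac
		done
		# Compare whole path entries as literal text. A grep for the bare
		# prefix also matched longer entries (bindir /usr/local against
		# /usr/local/bin) and treated dots as wildcards, so bindir could
		# be wrongly considered present and left out.
		case ":$user_path:" in
		*":$t_bindir:"*)
			;;
		*)
			user_path=$user_path:$t_bindir
			AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
			;;
		esac
	fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
	AC_SUBST([user_path])
fi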
5325
# Set superuser path separately to user path.
# Empty, "no" and "yes" are ignored. Any other value is copied verbatim
# into SUPERUSER_PATH with no validation of its entries.
AC_ARG_WITH([superuser-path],
	[  --with-superuser-path=  Specify different path for super-user],
	[
		case "x$withval" in
		x|xno|xyes)
			;;
		*)
			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
				[Define if you want a different $PATH
				for the superuser])
			superuser_path=$withval
			;;
		esac
	]
)
5339
5340
# IPv4-in-IPv6 mapped address handling: on for any --with-4in6 value except
# "no"; with no option given, on only when inet6_default_4in6 is "yes".
AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
IPV4_IN6_HACK_MSG="no"
AC_ARG_WITH([4in6],
	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
	[
		case "x$withval" in
		xno)
			AC_MSG_RESULT([no])
			;;
		*)
			AC_MSG_RESULT([yes])
			AC_DEFINE([IPV4_IN_IPV6], [1],
				[Detect IPv4 in IPv6 mapped addresses
				and treat as IPv4])
			IPV4_IN6_HACK_MSG="yes"
			;;
		esac
	], [
		case "x$inet6_default_4in6" in
		xyes)
			AC_MSG_RESULT([yes (default)])
			AC_DEFINE([IPV4_IN_IPV6])
			IPV4_IN6_HACK_MSG="yes"
			;;
		*)
			AC_MSG_RESULT([no (default)])
			;;
		esac
	]
)
5365
# Whether to enable BSD auth support.
# Off unless --with-bsd-auth is given with a value other than "no".
BSD_AUTH_MSG=no
AC_ARG_WITH([bsd-auth],
	[  --with-bsd-auth         Enable BSD auth support],
	[
		case "x$withval" in
		xno)
			;;
		*)
			BSD_AUTH_MSG=yes
			AC_DEFINE([BSD_AUTH], [1],
				[Define if you have BSD auth support])
			;;
		esac
	]
)
5378
# Where to place sshd.pid: /var/run when that directory exists on the
# machine running configure, otherwise the expanded ${sysconfdir}.
piddir=/var/run
if test -d "$piddir" ; then
	:
else
	piddir=$(eval echo ${sysconfdir})
	# A prefix that was never set still reads NONE here; put the default
	# prefix in its place.
	case "$piddir" in
	NONE/*)
		piddir=$(echo $piddir | sed "s~NONE~$ac_default_prefix~")
		;;
	esac
fi
5388
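# --with-pid-dir overrides the location chosen so far. The directory is
# only checked for existence on the machine running configure; a missing
# one produces a warning and the value is used regardless.
AC_ARG_WITH([pid-dir],
	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
	[
		# Empty, "no" and "yes" leave the current value in place.
		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
		    test "x${withval}" != "xyes"; then
			piddir=$withval
			# Quoted: with an unquoted path containing whitespace the
			# test fails with a usage error and the warning is skipped.
			if test ! -d "$piddir" ; then
				AC_MSG_WARN([** no $piddir directory on this system **])
			fi
		fi
	]
)

# The final value is compiled in as the C string _PATH_SSH_PIDDIR.
AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
	[Specify location of ssh.pid])
AC_SUBST([piddir])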
5405
5406
# Only an explicit --disable-fd-passing defines DISABLE_FD_PASSING.
AC_ARG_ENABLE([fd-passing],
	[  --disable-fd-passing    disable file descriptor passsing [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_FD_PASSING])
			;;
		esac
	]
)
5415
dnl allow user to disable some login recording features
dnl Each switch acts only on an explicit "no" and then defines the matching
dnl DISABLE_* macro. NOTE(review): a build made with these presumably stops
dnl writing that record, which matters where login accounting feeds audit
dnl or incident response - confirm against the login recording code.
AC_ARG_ENABLE([lastlog],
	[  --disable-lastlog       disable use of lastlog even if detected [no]],
	[
		case "x$enableval" in
		xno)	AC_DEFINE([DISABLE_LASTLOG]) ;;
		esac
	]
)
AC_ARG_ENABLE([utmp],
	[  --disable-utmp          disable use of utmp even if detected [no]],
	[
		case "x$enableval" in
		xno)	AC_DEFINE([DISABLE_UTMP]) ;;
		esac
	]
)
AC_ARG_ENABLE([utmpx],
	[  --disable-utmpx         disable use of utmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_UTMPX], [1],
				[Define if you don't want to use utmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([wtmp],
	[  --disable-wtmp          disable use of wtmp even if detected [no]],
	[
		case "x$enableval" in
		xno)	AC_DEFINE([DISABLE_WTMP]) ;;
		esac
	]
)
AC_ARG_ENABLE([wtmpx],
	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_WTMPX], [1],
				[Define if you don't want to use wtmpx])
			;;
		esac
	]
)
AC_ARG_ENABLE([libutil],
	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
	[
		case "x$enableval" in
		xno)	AC_DEFINE([DISABLE_LOGIN]) ;;
		esac
	]
)
AC_ARG_ENABLE([pututline],
	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTLINE], [1],
				[Define if you don't want to use pututline()
				etc. to write [uw]tmp])
			;;
		esac
	]
)
AC_ARG_ENABLE([pututxline],
	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
	[
		case "x$enableval" in
		xno)
			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
				[Define if you don't want to use pututxline()
				etc. to write [uw]tmpx])
			;;
		esac
	]
)
# --with-lastlog: "no" disables lastlog, empty and "yes" change nothing,
# and any other value is taken as the lastlog location without checking
# that it exists.
AC_ARG_WITH([lastlog],
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
	[
		case "x$withval" in
		xno)
			AC_DEFINE([DISABLE_LASTLOG])
			;;
		x|xyes)
			;;
		*)
			conf_lastlog_location=$withval
			;;
		esac
	]
)
5497
5498dnl lastlog, [uw]tmpx? detection
5499dnl  NOTE: set the paths in the platform section to avoid the
5500dnl   need for command-line parameters
5501dnl lastlog and [uw]tmp are subject to a file search if all else fails
5502
5503dnl lastlog detection
5504dnl  NOTE: the code itself will detect if lastlog is a directory
dnl Two compile-only probes, tried in order: LASTLOG_FILE, then
dnl _PATH_LASTLOG. Nothing is defined here. system_lastlog_path is set to
dnl "no" only when neither macro compiles, and is left untouched otherwise.
AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
#ifdef HAVE_LOGIN_H
# include <login.h>
#endif
	]], [[ char *lastlog = LASTLOG_FILE; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
		AC_MSG_RESULT([no])
		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_LASTLOG_H
#  include <lastlog.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
		[ AC_MSG_RESULT([yes]) ],
		[
			AC_MSG_RESULT([no])
			system_lastlog_path=no
		])
])
5539
# With no location configured and no macro in the system headers, look for
# lastlog on the machine running configure. The loop has no break, so when
# several candidates exist the last one listed is used.
if test -z "$conf_lastlog_location" && \
    test x"$system_lastlog_path" = x"no" ; then
	for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
		if test -d "$f" || test -f "$f" ; then
			conf_lastlog_location=$f
		fi
	done
	if test -z "$conf_lastlog_location"; then
		AC_MSG_WARN([** Cannot find lastlog **])
		dnl DISABLE_LASTLOG is deliberately not defined here, since that
		dnl would also mean wtmp/wtmpx are not tried.
	fi
fi

# Whatever was found or configured is compiled in as a C string.
if test -n "$conf_lastlog_location"; then
	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
		[Define if you want to specify the path to your lastlog file])
fi
5558
5559dnl utmp detection
# utmp: compile-only probe for UTMP_FILE. When it is missing and no
# location was configured, search the machine running configure; utmp is
# disabled if nothing is found.
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *utmp = UTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		system_utmp_path=no
		AC_MSG_RESULT([no])
	])
if test -z "$conf_utmp_location" && \
    test x"$system_utmp_path" = x"no" ; then
	# No break: the last existing candidate is the one kept.
	for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
		if test -f "$f" ; then
			conf_utmp_location=$f
		fi
	done
	if test -z "$conf_utmp_location"; then
		AC_DEFINE([DISABLE_UTMP])
	fi
fi
if test -n "$conf_utmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
		[Define if you want to specify the path to your utmp file])
fi
5588
5589dnl wtmp detection
# wtmp: compile-only probe for WTMP_FILE. When it is missing and no
# location was configured, search the machine running configure; wtmp is
# disabled if nothing is found.
AC_MSG_CHECKING([if your system defines WTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmp = WTMP_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		system_wtmp_path=no
		AC_MSG_RESULT([no])
	])
if test -z "$conf_wtmp_location" && \
    test x"$system_wtmp_path" = x"no" ; then
	# No break: the last existing candidate is the one kept.
	for f in /usr/adm/wtmp /var/log/wtmp; do
		if test -f "$f" ; then
			conf_wtmp_location=$f
		fi
	done
	if test -z "$conf_wtmp_location"; then
		AC_DEFINE([DISABLE_WTMP])
	fi
fi
if test -n "$conf_wtmp_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
		[Define if you want to specify the path to your wtmp file])
fi
5618
5619dnl wtmpx detection
# wtmpx: compile-only probe for WTMPX_FILE. There is no filesystem search
# here: a configured location is compiled in, and without one wtmpx is
# disabled when the headers do not define the macro.
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
#  include <paths.h>
#endif
	]], [[ char *wtmpx = WTMPX_FILE; ]])],
	[ AC_MSG_RESULT([yes]) ],
	[
		system_wtmpx_path=no
		AC_MSG_RESULT([no])
	])
if test -n "$conf_wtmpx_location"; then
	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
		[Define if you want to specify the path to your wtmpx file])
elif test x"$system_wtmpx_path" = x"no" ; then
	AC_DEFINE([DISABLE_WTMPX])
fi
5643
5644
# A non-empty blibpath is appended to LDFLAGS behind its flag prefix; the
# warning asks for the resulting Makefile value to be reviewed by hand.
if test -n "$blibpath" ; then
	LDFLAGS="$LDFLAGS $blibflags$blibpath"
	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
5649
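dnl lastlog is disabled when struct lastlog has no ll_line member, unless
dnl SKIP_DISABLE_LASTLOG_DEFINE is "yes". The variable is quoted so that a
dnl value containing whitespace cannot turn the test into a usage error.
AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
    if test "x$SKIP_DISABLE_LASTLOG_DEFINE" != "xyes" ; then
	AC_DEFINE([DISABLE_LASTLOG])
    fi
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])

dnl utmp and wtmp are both disabled when struct utmp has no ut_line member.
AC_CHECK_MEMBER([struct utmp.ut_line], [], [
	AC_DEFINE([DISABLE_UTMP])
	AC_DEFINE([DISABLE_WTMP])
	], [
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UTMP_H
#include <utmp.h>
#endif
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_LASTLOG_H
#include <lastlog.h>
#endif
	])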
5686
5687dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5688dnl Add now.
# The -Werror flags collected earlier are appended only now, after the
# configure tests that they would otherwise break.
CFLAGS="${CFLAGS} ${werror_flags}"

# IPv6 regression tests are enabled only when getaddrinfo() was found and
# BROKEN_GETADDRINFO is not declared.
TEST_SSH_IPV6=no
if test "x$ac_cv_func_getaddrinfo" = "xyes" ; then
	TEST_SSH_IPV6=yes
fi
AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5702
# Binaries for interop tests.
# Each program is looked up on the PATH in effect while configure runs and
# its absolute path is stored in the named variable. No fallback value is
# given for a program that is not found.
AC_PATH_PROG([PLINK], [plink])
AC_PATH_PROG([PUTTYGEN], [puttygen])
AC_PATH_PROG([CONCH], [conch])
AC_PATH_PROG([DROPBEAR], [dropbear])
AC_PATH_PROG([DBCLIENT], [dbclient])
AC_PATH_PROG([DROPBEARKEY], [dropbearkey])
AC_PATH_PROG([DROPBEARCONVERT], [dropbearconvert])
5711
# Flags supplied in *_AFTER go last on the command line.
CFLAGS="$CFLAGS $CFLAGS_AFTER"
LDFLAGS="$LDFLAGS $LDFLAGS_AFTER"

# Make a copy of CFLAGS/LDFLAGS without PIE options.
# Only the first " -fPIE" and " -pie" are removed. Anything built with the
# NOPIE copies is not position independent; which targets use them is
# decided outside this file.
CFLAGS_NOPIE=$(echo "$CFLAGS" | sed 's/ -fPIE//')
LDFLAGS_NOPIE=$(echo "$LDFLAGS" | sed 's/ -pie//')
dnl Export the PIE-free flag copies for substitution into the output files.
AC_SUBST([LDFLAGS_NOPIE])
AC_SUBST([CFLAGS_NOPIE])

AC_EXEEXT
dnl Files generated from their .in templates when configure finishes.
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
	survey.sh])
AC_OUTPUT
5726
# Print summary of options

# Someone please show me a better way :)
# Each value is passed through eval twice, presumably because the directory
# variables can be written in terms of one another.
# NOTE(review): eval re-parses the value as shell text, so command
# substitutions or separators inside any of these variables would be
# executed here. The values come from the configure command line and from
# the checks earlier in this file; they must never be taken from anything
# the person running configure does not control. The expansions are
# unquoted, so runs of whitespace in a value collapse to one space.
A=`eval echo ${prefix}` ; A=`eval echo ${A}`
B=`eval echo ${bindir}` ; B=`eval echo ${B}`
C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
G=`eval echo ${piddir}` ; G=`eval echo ${G}`
H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
I=`eval echo ${user_path}` ; I=`eval echo ${I}`
J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5740
# Report of the resolved configuration. B..J are the expanded install
# locations computed just before this point.
echo ""
echo "OpenSSH has been configured with the following options:"
echo "                     User binaries: $B"
echo "                   System binaries: $C"
echo "               Configuration files: $D"
echo "                   Askpass program: $E"
echo "                      Manual pages: $F"
echo "                          PID file: $G"
echo "  Privilege separation chroot path: $H"
# Where the session PATH comes from: login.conf at runtime, or the value
# compiled in here (which an external path file may still override).
if test "x$external_path_file" = "x/etc/login.conf" ; then
echo "   At runtime, sshd will use the path defined in $external_path_file"
echo "   Make sure the path to scp is present, otherwise scp will not work"
else
echo "            sshd default user PATH: $I"
	if test ! -z "$external_path_file"; then
echo "   (If PATH is set in $external_path_file it will be used instead. If"
echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
	fi
fi
if test ! -z "$superuser_path" ; then
echo "          sshd superuser user PATH: $J"
fi
# Feature switches as recorded by the option handling. These lines are the
# quickest way to confirm that the build has the authentication, sandbox
# and key-storage features that were intended.
echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                   OSF SIA support: $SIA_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                   SELinux support: $SELINUX_MSG"
echo "              TCP Wrappers support: $TCPW_MSG"
echo "                   libedit support: $LIBEDIT_MSG"
echo "                   libldns support: $LDNS_MSG"
echo "  Solaris process contract support: $SPC_MSG"
echo "           Solaris project support: $SP_MSG"
echo "         Solaris privilege support: $SPP_MSG"
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "                   PKCS#11 support: $enable_pkcs11"
echo "                  U2F/FIDO support: $enable_sk"

echo ""

# Toolchain and flags in their final form, after the late additions to
# CFLAGS and LDFLAGS.
echo "              Host: ${host}"
echo "          Compiler: ${CC}"
echo "    Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo "      Linker flags: ${LDFLAGS}"
echo "         Libraries: ${LIBS}"
if test ! -z "${CHANNELLIBS}"; then
echo "     +for channels: ${CHANNELLIBS}"
fi
if test ! -z "${LIBFIDO2}"; then
echo "        +for FIDO2: ${LIBFIDO2}"
fi
if test ! -z "${SSHDLIBS}"; then
echo "         +for sshd: ${SSHDLIBS}"
fi

echo ""
5801
# Closing advisories. Each one is printed only when the matching condition
# was recorded earlier in the run.

# SVR4 packaging hint.
case "x$MAKE_PACKAGE_SUPPORTED" in
xyes)
	echo "SVR4 style packages are supported with \"make package\""
	echo ""
	;;
esac

# PAM needs a control file for sshd to be installed separately.
case "x$PAM_MSG" in
xyes)
	echo "PAM is enabled. You may need to install a PAM control file "
	echo "for sshd, otherwise password authentication may fail. "
	echo "Example PAM control files can be found in the contrib/ "
	echo "subdirectory"
	echo ""
	;;
esac

# No peer-credential facility was found, so ssh-agent cannot check who is
# connecting to its socket.
if test -n "$NO_PEERCHECK" ; then
	echo "WARNING: the operating system that you are using does not"
	echo "appear to support getpeereid(), getpeerucred() or the"
	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
	echo "enforce security checks to prevent unauthorised connections to"
	echo "ssh-agent. Their absence increases the risk that a malicious"
	echo "user can connect to your agent."
	echo ""
fi

# BSM audit support is flagged as experimental.
case "$AUDIT_MODULE" in
bsm)
	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
	echo "See the Solaris section in README.platform for details."
	;;
esac
5829