xref: /freebsd/crypto/openssh/configure.ac (revision 3332f1b444d4a73238e9f59cca27bfc95fe936bd)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADERS([config.h])
22AC_PROG_CC([cc gcc])
23
24# XXX relax this after reimplementing logit() etc.
25AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
26AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
27int f(int a, int b, int c) { return a + b + c; }
28#define F(a, ...) f(a, __VA_ARGS__)
29]], [[return F(1, 2, -3);]])],
30	[ AC_MSG_RESULT([yes]) ],
31	[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
32)
33
34AC_CANONICAL_HOST
35AC_C_BIGENDIAN
36
37# Checks for programs.
38AC_PROG_AWK
39AC_PROG_CPP
40AC_PROG_RANLIB
41AC_PROG_INSTALL
42AC_PROG_EGREP
43AC_PROG_MKDIR_P
44AC_CHECK_TOOLS([AR], [ar])
45AC_PATH_PROG([CAT], [cat])
46AC_PATH_PROG([KILL], [kill])
47AC_PATH_PROG([SED], [sed])
48AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
49AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
50AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
51AC_PATH_PROG([SH], [sh])
52AC_PATH_PROG([GROFF], [groff])
53AC_PATH_PROG([NROFF], [nroff awf])
54AC_PATH_PROG([MANDOC], [mandoc])
55AC_SUBST([TEST_SHELL], [sh])
56
57dnl select manpage formatter to be used to build "cat" format pages.
58if test "x$MANDOC" != "x" ; then
59	MANFMT="$MANDOC"
60elif test "x$NROFF" != "x" ; then
61	MANFMT="$NROFF -mandoc"
62elif test "x$GROFF" != "x" ; then
63	MANFMT="$GROFF -mandoc -Tascii"
64else
65	AC_MSG_WARN([no manpage formatter found])
66	MANFMT="false"
67fi
68AC_SUBST([MANFMT])
69
70dnl for buildpkg.sh
71AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
72	[/usr/sbin${PATH_SEPARATOR}/etc])
73AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
74	[/usr/sbin${PATH_SEPARATOR}/etc])
75AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
76if test -x /sbin/sh; then
77	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
78else
79	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
80fi
81
82# System features
83AC_SYS_LARGEFILE
84
85if test -z "$AR" ; then
86	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
87fi
88
89AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
90if test ! -z "$PATH_PASSWD_PROG" ; then
91	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
92		[Full path of your "passwd" program])
93fi
94
95dnl Since autoconf doesn't support it very well,  we no longer allow users to
96dnl override LD, however keeping the hook here for now in case there's a use
97dnl use case we overlooked and someone needs to re-enable it.  Unless a good
98dnl reason is found we'll be removing this in future.
99LD="$CC"
100AC_SUBST([LD])
101
102AC_C_INLINE
103
104AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
105AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
106AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
107	#include <sys/types.h>
108	#include <sys/param.h>
109	#include <dev/systrace.h>
110])
111AC_CHECK_DECL([RLIMIT_NPROC],
112    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
113	#include <sys/types.h>
114	#include <sys/resource.h>
115])
116AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
117	#include <sys/types.h>
118	#include <linux/prctl.h>
119])
120
121openssl=yes
122AC_ARG_WITH([openssl],
123	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
124	[  if test "x$withval" = "xno" ; then
125		openssl=no
126	   fi
127	]
128)
129AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
130if test "x$openssl" = "xyes" ; then
131	AC_MSG_RESULT([yes])
132	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
133else
134	AC_MSG_RESULT([no])
135fi
136
137use_stack_protector=1
138use_toolchain_hardening=1
139AC_ARG_WITH([stackprotect],
140    [  --without-stackprotect  Don't use compiler's stack protection], [
141    if test "x$withval" = "xno"; then
142	use_stack_protector=0
143    fi ])
144AC_ARG_WITH([hardening],
145    [  --without-hardening     Don't use toolchain hardening flags], [
146    if test "x$withval" = "xno"; then
147	use_toolchain_hardening=0
148    fi ])
149
150# We use -Werror for the tests only so that we catch warnings like "this is
151# on by default" for things like -fPIE.
152AC_MSG_CHECKING([if $CC supports -Werror])
153saved_CFLAGS="$CFLAGS"
154CFLAGS="$CFLAGS -Werror"
155AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
156	[ AC_MSG_RESULT([yes])
157	  WERROR="-Werror"],
158	[ AC_MSG_RESULT([no])
159	  WERROR="" ]
160)
161CFLAGS="$saved_CFLAGS"
162
163if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
164	OSSH_CHECK_CFLAG_COMPILE([-pipe])
165	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
166	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
167	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
168	OSSH_CHECK_CFLAG_COMPILE([-Wall])
169	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
170	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
171	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
172	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
173	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
174	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
175	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
176	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
177	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
178	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
179	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
180    if test "x$use_toolchain_hardening" = "x1"; then
181	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
182	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
183	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
184	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
185	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
186	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
187	# NB. -ftrapv expects certain support functions to be present in
188	# the compiler library (libgcc or similar) to detect integer operations
189	# that can overflow. We must check that the result of enabling it
190	# actually links. The test program compiled/linked includes a number
191	# of integer operations that should exercise this.
192	OSSH_CHECK_CFLAG_LINK([-ftrapv])
193    fi
194	AC_MSG_CHECKING([gcc version])
195	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
196	case $GCC_VER in
197		1.*) no_attrib_nonnull=1 ;;
198		2.8* | 2.9*)
199		     no_attrib_nonnull=1
200		     ;;
201		2.*) no_attrib_nonnull=1 ;;
202		*) ;;
203	esac
204	AC_MSG_RESULT([$GCC_VER])
205
206	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
207	saved_CFLAGS="$CFLAGS"
208	CFLAGS="$CFLAGS -fno-builtin-memset"
209	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
210			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
211		[ AC_MSG_RESULT([yes]) ],
212		[ AC_MSG_RESULT([no])
213		  CFLAGS="$saved_CFLAGS" ]
214	)
215
216	# -fstack-protector-all doesn't always work for some GCC versions
217	# and/or platforms, so we test if we can.  If it's not supported
218	# on a given platform gcc will emit a warning so we use -Werror.
219	if test "x$use_stack_protector" = "x1"; then
220	    for t in -fstack-protector-strong -fstack-protector-all \
221		    -fstack-protector; do
222		AC_MSG_CHECKING([if $CC supports $t])
223		saved_CFLAGS="$CFLAGS"
224		saved_LDFLAGS="$LDFLAGS"
225		CFLAGS="$CFLAGS $t -Werror"
226		LDFLAGS="$LDFLAGS $t -Werror"
227		AC_LINK_IFELSE(
228			[AC_LANG_PROGRAM([[
229	#include <stdio.h>
230	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
231			 ]],
232			[[
233	char x[256];
234	snprintf(x, sizeof(x), "XXX%d", func(1));
235			 ]])],
236		    [ AC_MSG_RESULT([yes])
237		      CFLAGS="$saved_CFLAGS $t"
238		      LDFLAGS="$saved_LDFLAGS $t"
239		      AC_MSG_CHECKING([if $t works])
240		      AC_RUN_IFELSE(
241			[AC_LANG_PROGRAM([[
242	#include <stdio.h>
243	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
244			]],
245			[[
246	char x[256];
247	snprintf(x, sizeof(x), "XXX%d", func(1));
248			]])],
249			[ AC_MSG_RESULT([yes])
250			  break ],
251			[ AC_MSG_RESULT([no]) ],
252			[ AC_MSG_WARN([cross compiling: cannot test])
253			  break ]
254		      )
255		    ],
256		    [ AC_MSG_RESULT([no]) ]
257		)
258		CFLAGS="$saved_CFLAGS"
259		LDFLAGS="$saved_LDFLAGS"
260	    done
261	fi
262
263	if test -z "$have_llong_max"; then
264		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
265		unset ac_cv_have_decl_LLONG_MAX
266		saved_CFLAGS="$CFLAGS"
267		CFLAGS="$CFLAGS -std=gnu99"
268		AC_CHECK_DECL([LLONG_MAX],
269		    [have_llong_max=1],
270		    [CFLAGS="$saved_CFLAGS"],
271		    [#include <limits.h>]
272		)
273	fi
274fi
275
276AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
277AC_COMPILE_IFELSE(
278    [AC_LANG_PROGRAM([[
279#include <stdlib.h>
280__attribute__((__unused__)) static void foo(void){return;}]],
281    [[ exit(0); ]])],
282    [ AC_MSG_RESULT([yes]) ],
283    [ AC_MSG_RESULT([no])
284      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
285	 [compiler does not accept __attribute__ on return types]) ]
286)
287
288AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
289AC_COMPILE_IFELSE(
290    [AC_LANG_PROGRAM([[
291#include <stdlib.h>
292typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
293    [[ exit(0); ]])],
294    [ AC_MSG_RESULT([yes]) ],
295    [ AC_MSG_RESULT([no])
296      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
297	 [compiler does not accept __attribute__ on prototype args]) ]
298)
299
300AC_MSG_CHECKING([if compiler supports variable length arrays])
301AC_COMPILE_IFELSE(
302    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
303    [[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
304    [ AC_MSG_RESULT([yes])
305      AC_DEFINE(VARIABLE_LENGTH_ARRAYS, [1],
306	 [compiler supports variable length arrays]) ],
307    [ AC_MSG_RESULT([no]) ]
308)
309
310AC_MSG_CHECKING([if compiler accepts variable declarations after code])
311AC_COMPILE_IFELSE(
312    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
313    [[ int a; a = 1; int b = 1; exit(a-b); ]])],
314    [ AC_MSG_RESULT([yes])
315      AC_DEFINE(VARIABLE_DECLARATION_AFTER_CODE, [1],
316	 [compiler variable declarations after code]) ],
317    [ AC_MSG_RESULT([no]) ]
318)
319
320if test "x$no_attrib_nonnull" != "x1" ; then
321	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
322fi
323
324AC_ARG_WITH([rpath],
325	[  --without-rpath         Disable auto-added -R linker paths],
326	[
327		if test "x$withval" = "xno" ; then
328			rpath_opt=""
329		elif test "x$withval" = "xyes" ; then
330			rpath_opt="-R"
331		else
332			rpath_opt="$withval"
333		fi
334	]
335)
336
337# Allow user to specify flags
338AC_ARG_WITH([cflags],
339	[  --with-cflags           Specify additional flags to pass to compiler],
340	[
341		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
342		    test "x${withval}" != "xyes"; then
343			CFLAGS="$CFLAGS $withval"
344		fi
345	]
346)
347
348AC_ARG_WITH([cflags-after],
349	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
350	[
351		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
352		    test "x${withval}" != "xyes"; then
353			CFLAGS_AFTER="$withval"
354		fi
355	]
356)
357AC_ARG_WITH([cppflags],
358	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
359	[
360		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
361		    test "x${withval}" != "xyes"; then
362			CPPFLAGS="$CPPFLAGS $withval"
363		fi
364	]
365)
366AC_ARG_WITH([ldflags],
367	[  --with-ldflags          Specify additional flags to pass to linker],
368	[
369		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
370		    test "x${withval}" != "xyes"; then
371			LDFLAGS="$LDFLAGS $withval"
372		fi
373	]
374)
375AC_ARG_WITH([ldflags-after],
376	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
377	[
378		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
379		    test "x${withval}" != "xyes"; then
380			LDFLAGS_AFTER="$withval"
381		fi
382	]
383)
384AC_ARG_WITH([libs],
385	[  --with-libs             Specify additional libraries to link with],
386	[
387		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
388		    test "x${withval}" != "xyes"; then
389			LIBS="$LIBS $withval"
390		fi
391	]
392)
393AC_ARG_WITH([Werror],
394	[  --with-Werror           Build main code with -Werror],
395	[
396		if test -n "$withval"  &&  test "x$withval" != "xno"; then
397			werror_flags="-Werror"
398			if test "x${withval}" != "xyes"; then
399				werror_flags="$withval"
400			fi
401		fi
402	]
403)
404
405AC_CHECK_HEADERS([ \
406	blf.h \
407	bstring.h \
408	crypt.h \
409	crypto/sha2.h \
410	dirent.h \
411	endian.h \
412	elf.h \
413	err.h \
414	features.h \
415	fcntl.h \
416	floatingpoint.h \
417	fnmatch.h \
418	getopt.h \
419	glob.h \
420	ia.h \
421	iaf.h \
422	ifaddrs.h \
423	inttypes.h \
424	langinfo.h \
425	limits.h \
426	locale.h \
427	login.h \
428	maillock.h \
429	ndir.h \
430	net/if_tun.h \
431	netdb.h \
432	netgroup.h \
433	pam/pam_appl.h \
434	paths.h \
435	poll.h \
436	pty.h \
437	readpassphrase.h \
438	rpc/types.h \
439	security/pam_appl.h \
440	sha2.h \
441	shadow.h \
442	stddef.h \
443	stdint.h \
444	string.h \
445	strings.h \
446	sys/bitypes.h \
447	sys/byteorder.h \
448	sys/bsdtty.h \
449	sys/cdefs.h \
450	sys/dir.h \
451	sys/file.h \
452	sys/mman.h \
453	sys/label.h \
454	sys/ndir.h \
455	sys/poll.h \
456	sys/prctl.h \
457	sys/pstat.h \
458	sys/ptrace.h \
459	sys/random.h \
460	sys/select.h \
461	sys/stat.h \
462	sys/stream.h \
463	sys/stropts.h \
464	sys/strtio.h \
465	sys/statvfs.h \
466	sys/sysmacros.h \
467	sys/time.h \
468	sys/timers.h \
469	sys/vfs.h \
470	time.h \
471	tmpdir.h \
472	ttyent.h \
473	ucred.h \
474	unistd.h \
475	usersec.h \
476	util.h \
477	utime.h \
478	utmp.h \
479	utmpx.h \
480	vis.h \
481	wchar.h \
482])
483
484# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
485# to be included first.
486AC_CHECK_HEADERS([sys/audit.h], [], [], [
487#ifdef HAVE_SYS_TIME_H
488# include <sys/time.h>
489#endif
490#ifdef HAVE_SYS_TYPES_H
491# include <sys/types.h>
492#endif
493#ifdef HAVE_SYS_LABEL_H
494# include <sys/label.h>
495#endif
496])
497
498# sys/capsicum.h requires sys/types.h
499AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
500#ifdef HAVE_SYS_TYPES_H
501# include <sys/types.h>
502#endif
503])
504
505# net/route.h requires sys/socket.h and sys/types.h.
506# sys/sysctl.h also requires sys/param.h
507AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
508#ifdef HAVE_SYS_TYPES_H
509# include <sys/types.h>
510#endif
511#include <sys/param.h>
512#include <sys/socket.h>
513])
514
515# lastlog.h requires sys/time.h to be included first on Solaris
516AC_CHECK_HEADERS([lastlog.h], [], [], [
517#ifdef HAVE_SYS_TIME_H
518# include <sys/time.h>
519#endif
520])
521
522# sys/ptms.h requires sys/stream.h to be included first on Solaris
523AC_CHECK_HEADERS([sys/ptms.h], [], [], [
524#ifdef HAVE_SYS_STREAM_H
525# include <sys/stream.h>
526#endif
527])
528
529# login_cap.h requires sys/types.h on NetBSD
530AC_CHECK_HEADERS([login_cap.h], [], [], [
531#include <sys/types.h>
532])
533
534# older BSDs need sys/param.h before sys/mount.h
535AC_CHECK_HEADERS([sys/mount.h], [], [], [
536#include <sys/param.h>
537])
538
539# Android requires sys/socket.h to be included before sys/un.h
540AC_CHECK_HEADERS([sys/un.h], [], [], [
541#include <sys/types.h>
542#include <sys/socket.h>
543])
544
545# Messages for features tested for in target-specific section
546SIA_MSG="no"
547SPC_MSG="no"
548SP_MSG="no"
549SPP_MSG="no"
550
551# Support for Solaris/Illumos privileges (this test is used by both
552# the --with-solaris-privs option and --with-sandbox=solaris).
553SOLARIS_PRIVS="no"
554
555# Check for some target-specific stuff
556case "$host" in
557*-*-aix*)
558	# Some versions of VAC won't allow macro redefinitions at
559	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
560	# particularly with older versions of vac or xlc.
561	# It also throws errors about null macro arguments, but these are
562	# not fatal.
563	AC_MSG_CHECKING([if compiler allows macro redefinitions])
564	AC_COMPILE_IFELSE(
565	    [AC_LANG_PROGRAM([[
566#define testmacro foo
567#define testmacro bar]],
568	    [[ exit(0); ]])],
569	    [ AC_MSG_RESULT([yes]) ],
570	    [ AC_MSG_RESULT([no])
571	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
572	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
573	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
574	    ]
575	)
576
577	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
578	if (test -z "$blibpath"); then
579		blibpath="/usr/lib:/lib"
580	fi
581	saved_LDFLAGS="$LDFLAGS"
582	if test "$GCC" = "yes"; then
583		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
584	else
585		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
586	fi
587	for tryflags in $flags ;do
588		if (test -z "$blibflags"); then
589			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
590			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
591			[blibflags=$tryflags], [])
592		fi
593	done
594	if (test -z "$blibflags"); then
595		AC_MSG_RESULT([not found])
596		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
597	else
598		AC_MSG_RESULT([$blibflags])
599	fi
600	LDFLAGS="$saved_LDFLAGS"
601	dnl Check for authenticate.  Might be in libs.a on older AIXes
602	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
603		[Define if you want to enable AIX4's authenticate function])],
604		[AC_CHECK_LIB([s], [authenticate],
605			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
606				LIBS="$LIBS -ls"
607			])
608		])
609	dnl Check for various auth function declarations in headers.
610	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
611	    passwdexpired, setauthdb], , , [#include <usersec.h>])
612	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
613	AC_CHECK_DECLS([loginfailed],
614	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
615	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
616		[[ (void)loginfailed("user","host","tty",0); ]])],
617		[AC_MSG_RESULT([yes])
618		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
619			[Define if your AIX loginfailed() function
620			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
621	    ])],
622	    [],
623	    [#include <usersec.h>]
624	)
625	AC_CHECK_FUNCS([getgrset setauthdb])
626	AC_CHECK_DECL([F_CLOSEM],
627	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
628	    [],
629	    [ #include <limits.h>
630	      #include <fcntl.h> ]
631	)
632	check_for_aix_broken_getaddrinfo=1
633	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
634	    [Define if your platform breaks doing a seteuid before a setuid])
635	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
636	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
637	dnl AIX handles lastlog as part of its login message
638	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
639	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
640		[Some systems need a utmpx entry for /bin/login to work])
641	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
642		[Define to a Set Process Title type if your system is
643		supported by bsd-setproctitle.c])
644	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
645	    [AIX 5.2 and 5.3 (and presumably newer) require this])
646	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
647	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
648	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
649	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
650	;;
651*-*-android*)
652	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
653	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
654	;;
655*-*-cygwin*)
656	check_for_libcrypt_later=1
657	LIBS="$LIBS /usr/lib/textreadmode.o"
658	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
659	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
660	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
661		[Define to disable UID restoration test])
662	AC_DEFINE([DISABLE_SHADOW], [1],
663		[Define if you want to disable shadow passwords])
664	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
665		[Define if X11 doesn't support AF_UNIX sockets on that system])
666	AC_DEFINE([DISABLE_FD_PASSING], [1],
667		[Define if your platform needs to skip post auth
668		file descriptor passing])
669	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
670	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
671	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
672	# reasons which cause compile warnings, so we disable those warnings.
673	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
674	;;
675*-*-dgux*)
676	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
677		[Define if your system choked on IP TOS setting])
678	AC_DEFINE([SETEUID_BREAKS_SETUID])
679	AC_DEFINE([BROKEN_SETREUID])
680	AC_DEFINE([BROKEN_SETREGID])
681	;;
682*-*-darwin*)
683	use_pie=auto
684	AC_MSG_CHECKING([if we have working getaddrinfo])
685	AC_RUN_IFELSE([AC_LANG_SOURCE([[
686#include <mach-o/dyld.h>
687#include <stdlib.h>
688main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
689		exit(0);
690	else
691		exit(1);
692}
693			]])],
694	[AC_MSG_RESULT([working])],
695	[AC_MSG_RESULT([buggy])
696	AC_DEFINE([BROKEN_GETADDRINFO], [1],
697		[getaddrinfo is broken (if present)])
698	],
699	[AC_MSG_RESULT([assume it is working])])
700	AC_DEFINE([SETEUID_BREAKS_SETUID])
701	AC_DEFINE([BROKEN_SETREUID])
702	AC_DEFINE([BROKEN_SETREGID])
703	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
704	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
705		[Define if your resolver libs need this for getrrsetbyname])
706	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
707	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
708	    [Use tunnel device compatibility to OpenBSD])
709	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
710	    [Prepend the address family to IP tunnel traffic])
711	m4_pattern_allow([AU_IPv])
712	AC_CHECK_DECL([AU_IPv4], [],
713	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
714	    [#include <bsm/audit.h>]
715	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
716	    [Define if pututxline updates lastlog too])
717	)
718	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
719		[Define to a Set Process Title type if your system is
720		supported by bsd-setproctitle.c])
721	AC_CHECK_FUNCS([sandbox_init])
722	AC_CHECK_HEADERS([sandbox.h])
723	AC_CHECK_LIB([sandbox], [sandbox_apply], [
724	    SSHDLIBS="$SSHDLIBS -lsandbox"
725	])
726	# proc_pidinfo()-based closefrom() replacement.
727	AC_CHECK_HEADERS([libproc.h])
728	AC_CHECK_FUNCS([proc_pidinfo])
729	;;
730*-*-dragonfly*)
731	SSHDLIBS="$SSHDLIBS -lcrypt"
732	TEST_MALLOC_OPTIONS="AFGJPRX"
733	;;
734*-*-haiku*)
735	LIBS="$LIBS -lbsd "
736	CFLAGS="$CFLAGS -D_BSD_SOURCE"
737	AC_CHECK_LIB([network], [socket])
738	AC_DEFINE([HAVE_U_INT64_T])
739	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
740	MANTYPE=man
741	;;
742*-*-hpux*)
743	# first we define all of the options common to all HP-UX releases
744	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
745	IPADDR_IN_DISPLAY=yes
746	AC_DEFINE([USE_PIPES])
747	AC_DEFINE([LOGIN_NEEDS_UTMPX])
748	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
749		[String used in /etc/passwd to denote locked account])
750	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
751	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
752	maildir="/var/mail"
753	LIBS="$LIBS -lsec"
754	AC_CHECK_LIB([xnet], [t_error], ,
755	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
756
757	# next, we define all of the options specific to major releases
758	case "$host" in
759	*-*-hpux10*)
760		if test -z "$GCC"; then
761			CFLAGS="$CFLAGS -Ae"
762		fi
763		;;
764	*-*-hpux11*)
765		AC_DEFINE([PAM_SUN_CODEBASE], [1],
766			[Define if you are using Solaris-derived PAM which
767			passes pam_messages to the conversation function
768			with an extra level of indirection])
769		AC_DEFINE([DISABLE_UTMP], [1],
770			[Define if you don't want to use utmp])
771		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
772		check_for_hpux_broken_getaddrinfo=1
773		check_for_conflicting_getspnam=1
774		;;
775	esac
776
777	# lastly, we define options specific to minor releases
778	case "$host" in
779	*-*-hpux10.26)
780		AC_DEFINE([HAVE_SECUREWARE], [1],
781			[Define if you have SecureWare-based
782			protected password database])
783		disable_ptmx_check=yes
784		LIBS="$LIBS -lsecpw"
785		;;
786	esac
787	;;
788*-*-irix5*)
789	PATH="$PATH:/usr/etc"
790	AC_DEFINE([BROKEN_INET_NTOA], [1],
791		[Define if you system's inet_ntoa is busted
792		(e.g. Irix gcc issue)])
793	AC_DEFINE([SETEUID_BREAKS_SETUID])
794	AC_DEFINE([BROKEN_SETREUID])
795	AC_DEFINE([BROKEN_SETREGID])
796	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
797		[Define if you shouldn't strip 'tty' from your
798		ttyname in [uw]tmp])
799	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
800	;;
801*-*-irix6*)
802	PATH="$PATH:/usr/etc"
803	AC_DEFINE([WITH_IRIX_ARRAY], [1],
804		[Define if you have/want arrays
805		(cluster-wide session management, not C arrays)])
806	AC_DEFINE([WITH_IRIX_PROJECT], [1],
807		[Define if you want IRIX project management])
808	AC_DEFINE([WITH_IRIX_AUDIT], [1],
809		[Define if you want IRIX audit trails])
810	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
811		[Define if you want IRIX kernel jobs])])
812	AC_DEFINE([BROKEN_INET_NTOA])
813	AC_DEFINE([SETEUID_BREAKS_SETUID])
814	AC_DEFINE([BROKEN_SETREUID])
815	AC_DEFINE([BROKEN_SETREGID])
816	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
817	AC_DEFINE([WITH_ABBREV_NO_TTY])
818	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
819	;;
820*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
821	check_for_libcrypt_later=1
822	AC_DEFINE([PAM_TTY_KLUDGE])
823	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
824	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
825	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
826	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
827	;;
828*-*-linux*)
829	no_dev_ptmx=1
830	use_pie=auto
831	check_for_libcrypt_later=1
832	check_for_openpty_ctty_bug=1
833	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
834	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
835	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
836	AC_DEFINE([PAM_TTY_KLUDGE], [1],
837		[Work around problematic Linux PAM modules handling of PAM_TTY])
838	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
839		[String used in /etc/passwd to denote locked account])
840	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
841	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
842		[Define to whatever link() returns for "not supported"
843		if it doesn't return EOPNOTSUPP.])
844	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
845	AC_DEFINE([USE_BTMP])
846	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
847	inet6_default_4in6=yes
848	case `uname -r` in
849	1.*|2.0.*)
850		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
851			[Define if cmsg_type is not passed correctly])
852		;;
853	esac
854	# tun(4) forwarding compat code
855	AC_CHECK_HEADERS([linux/if_tun.h])
856	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
857		AC_DEFINE([SSH_TUN_LINUX], [1],
858		    [Open tunnel devices the Linux tun/tap way])
859		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
860		    [Use tunnel device compatibility to OpenBSD])
861		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
862		    [Prepend the address family to IP tunnel traffic])
863	fi
864	AC_CHECK_HEADER([linux/if.h],
865	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
866		[Support routing domains using Linux VRF]), [], [
867#ifdef HAVE_SYS_TYPES_H
868# include <sys/types.h>
869#endif
870	    ])
871	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
872	    [], [#include <linux/types.h>])
873	# Obtain MIPS ABI
874	case "$host" in
875	mips*)
876		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
877#if _MIPS_SIM != _ABIO32
878#error
879#endif
880			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
881#if _MIPS_SIM != _ABIN32
882#error
883#endif
884				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
885#if _MIPS_SIM != _ABI64
886#error
887#endif
888					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
889				])
890			])
891		])
892		;;
893	esac
894	AC_MSG_CHECKING([for seccomp architecture])
895	seccomp_audit_arch=
896	case "$host" in
897	x86_64-*)
898		seccomp_audit_arch=AUDIT_ARCH_X86_64
899		;;
900	i*86-*)
901		seccomp_audit_arch=AUDIT_ARCH_I386
902		;;
903	arm*-*)
904		seccomp_audit_arch=AUDIT_ARCH_ARM
905		;;
906	aarch64*-*)
907		seccomp_audit_arch=AUDIT_ARCH_AARCH64
908		;;
909	s390x-*)
910		seccomp_audit_arch=AUDIT_ARCH_S390X
911		;;
912	s390-*)
913		seccomp_audit_arch=AUDIT_ARCH_S390
914		;;
915	powerpc64-*)
916		seccomp_audit_arch=AUDIT_ARCH_PPC64
917		;;
918	powerpc64le-*)
919		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
920		;;
921	mips-*)
922		seccomp_audit_arch=AUDIT_ARCH_MIPS
923		;;
924	mipsel-*)
925		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
926		;;
927	mips64-*)
928		case "$mips_abi" in
929		"n32")
930			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
931			;;
932		"n64")
933			seccomp_audit_arch=AUDIT_ARCH_MIPS64
934			;;
935		esac
936		;;
937	mips64el-*)
938		case "$mips_abi" in
939		"n32")
940			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
941			;;
942		"n64")
943			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
944			;;
945		esac
946		;;
947	riscv64-*)
948		seccomp_audit_arch=AUDIT_ARCH_RISCV64
949		;;
950	esac
951	if test "x$seccomp_audit_arch" != "x" ; then
952		AC_MSG_RESULT(["$seccomp_audit_arch"])
953		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
954		    [Specify the system call convention in use])
955	else
956		AC_MSG_RESULT([architecture not supported])
957	fi
958	;;
959mips-sony-bsd|mips-sony-newsos4)
960	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
961	SONY=1
962	;;
963*-*-netbsd*)
964	check_for_libcrypt_before=1
965	if test "x$withval" != "xno" ; then
966		rpath_opt="-R"
967	fi
968	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
969	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
970	AC_CHECK_HEADER([net/if_tap.h], ,
971	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
972	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
973	    [Prepend the address family to IP tunnel traffic])
974	TEST_MALLOC_OPTIONS="AJRX"
975	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
976	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
977	;;
978*-*-freebsd*)
979	check_for_libcrypt_later=1
980	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
981	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
982	AC_CHECK_HEADER([net/if_tap.h], ,
983	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
984	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
985	TEST_MALLOC_OPTIONS="AJRX"
986	# Preauth crypto occasionally uses file descriptors for crypto offload
987	# and will crash if they cannot be opened.
988	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
989	    [define if setrlimit RLIMIT_NOFILE breaks things])
990	;;
991*-*-bsdi*)
992	AC_DEFINE([SETEUID_BREAKS_SETUID])
993	AC_DEFINE([BROKEN_SETREUID])
994	AC_DEFINE([BROKEN_SETREGID])
995	;;
996*-next-*)
997	conf_lastlog_location="/usr/adm/lastlog"
998	conf_utmp_location=/etc/utmp
999	conf_wtmp_location=/usr/adm/wtmp
1000	maildir=/usr/spool/mail
1001	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
1002	AC_DEFINE([USE_PIPES])
1003	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
1004	;;
1005*-*-openbsd*)
1006	use_pie=auto
1007	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
1008	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
1009	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
1010	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
1011	    [syslog_r function is safe to use in in a signal handler])
1012	TEST_MALLOC_OPTIONS="AFGJPRX"
1013	;;
1014*-*-solaris*)
1015	if test "x$withval" != "xno" ; then
1016		rpath_opt="-R"
1017	fi
1018	AC_DEFINE([PAM_SUN_CODEBASE])
1019	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1020	AC_DEFINE([PAM_TTY_KLUDGE])
1021	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1022		[Define if pam_chauthtok wants real uid set
1023		to the unpriv'ed user])
1024	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1025	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1026	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1027		[Define if sshd somehow reacquires a controlling TTY
1028		after setsid()])
1029	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1030		in case the name is longer than 8 chars])
1031	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1032	external_path_file=/etc/default/login
1033	# hardwire lastlog location (can't detect it on some versions)
1034	conf_lastlog_location="/var/adm/lastlog"
1035	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1036	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1037	if test "$sol2ver" -ge 8; then
1038		AC_MSG_RESULT([yes])
1039		AC_DEFINE([DISABLE_UTMP])
1040		AC_DEFINE([DISABLE_WTMP], [1],
1041			[Define if you don't want to use wtmp])
1042	else
1043		AC_MSG_RESULT([no])
1044	fi
1045	AC_CHECK_FUNCS([setpflags])
1046	AC_CHECK_FUNCS([setppriv])
1047	AC_CHECK_FUNCS([priv_basicset])
1048	AC_CHECK_HEADERS([priv.h])
1049	AC_ARG_WITH([solaris-contracts],
1050		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1051		[
1052		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1053			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1054				[Define if you have Solaris process contracts])
1055			  LIBS="$LIBS -lcontract"
1056			  SPC_MSG="yes" ], )
1057		],
1058	)
1059	AC_ARG_WITH([solaris-projects],
1060		[  --with-solaris-projects Enable Solaris projects (experimental)],
1061		[
1062		AC_CHECK_LIB([project], [setproject],
1063			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1064				[Define if you have Solaris projects])
1065			LIBS="$LIBS -lproject"
1066			SP_MSG="yes" ], )
1067		],
1068	)
1069	AC_ARG_WITH([solaris-privs],
1070		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1071		[
1072		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1073		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1074			"x$ac_cv_header_priv_h" = "xyes" ; then
1075			SOLARIS_PRIVS=yes
1076			AC_MSG_RESULT([found])
1077			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1078				[Define to disable UID restoration test])
1079			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1080				[Define if you have Solaris privileges])
1081			SPP_MSG="yes"
1082		else
1083			AC_MSG_RESULT([not found])
1084			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1085		fi
1086		],
1087	)
1088	TEST_SHELL=$SHELL	# let configure find us a capable shell
1089	;;
1090*-*-sunos4*)
1091	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1092	AC_CHECK_FUNCS([getpwanam])
1093	AC_DEFINE([PAM_SUN_CODEBASE])
1094	conf_utmp_location=/etc/utmp
1095	conf_wtmp_location=/var/adm/wtmp
1096	conf_lastlog_location=/var/adm/lastlog
1097	AC_DEFINE([USE_PIPES])
1098	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1099	;;
1100*-ncr-sysv*)
1101	LIBS="$LIBS -lc89"
1102	AC_DEFINE([USE_PIPES])
1103	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1104	AC_DEFINE([SETEUID_BREAKS_SETUID])
1105	AC_DEFINE([BROKEN_SETREUID])
1106	AC_DEFINE([BROKEN_SETREGID])
1107	;;
1108*-sni-sysv*)
1109	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1110	AC_CHECK_LIB([dl], [dlsym], ,)
1111	# -lresolv needs to be at the end of LIBS or DNS lookups break
1112	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1113	IPADDR_IN_DISPLAY=yes
1114	AC_DEFINE([USE_PIPES])
1115	AC_DEFINE([IP_TOS_IS_BROKEN])
1116	AC_DEFINE([SETEUID_BREAKS_SETUID])
1117	AC_DEFINE([BROKEN_SETREUID])
1118	AC_DEFINE([BROKEN_SETREGID])
1119	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1120	external_path_file=/etc/default/login
1121	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1122	# Attention: always take care to bind libsocket and libnsl before libc,
1123	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1124	;;
1125# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1126*-*-sysv4.2*)
1127	AC_DEFINE([USE_PIPES])
1128	AC_DEFINE([SETEUID_BREAKS_SETUID])
1129	AC_DEFINE([BROKEN_SETREUID])
1130	AC_DEFINE([BROKEN_SETREGID])
1131	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1132	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1133	TEST_SHELL=$SHELL	# let configure find us a capable shell
1134	;;
1135# UnixWare 7.x, OpenUNIX 8
1136*-*-sysv5*)
1137	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1138	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1139	AC_DEFINE([USE_PIPES])
1140	AC_DEFINE([SETEUID_BREAKS_SETUID])
1141	AC_DEFINE([BROKEN_GETADDRINFO])
1142	AC_DEFINE([BROKEN_SETREUID])
1143	AC_DEFINE([BROKEN_SETREGID])
1144	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1145	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1146	TEST_SHELL=$SHELL	# let configure find us a capable shell
1147	check_for_libcrypt_later=1
1148	case "$host" in
1149	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1150		maildir=/var/spool/mail
1151		AC_DEFINE([BROKEN_UPDWTMPX])
1152		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1153			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1154			], , )
1155		;;
1156	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1157		;;
1158	esac
1159	;;
1160*-*-sysv*)
1161	;;
1162# SCO UNIX and OEM versions of SCO UNIX
1163*-*-sco3.2v4*)
1164	AC_MSG_ERROR("This Platform is no longer supported.")
1165	;;
1166# SCO OpenServer 5.x
1167*-*-sco3.2v5*)
1168	if test -z "$GCC"; then
1169		CFLAGS="$CFLAGS -belf"
1170	fi
1171	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1172	no_dev_ptmx=1
1173	AC_DEFINE([USE_PIPES])
1174	AC_DEFINE([HAVE_SECUREWARE])
1175	AC_DEFINE([DISABLE_SHADOW])
1176	AC_DEFINE([DISABLE_FD_PASSING])
1177	AC_DEFINE([SETEUID_BREAKS_SETUID])
1178	AC_DEFINE([BROKEN_GETADDRINFO])
1179	AC_DEFINE([BROKEN_SETREUID])
1180	AC_DEFINE([BROKEN_SETREGID])
1181	AC_DEFINE([WITH_ABBREV_NO_TTY])
1182	AC_DEFINE([BROKEN_UPDWTMPX])
1183	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1184	AC_CHECK_FUNCS([getluid setluid])
1185	MANTYPE=man
1186	TEST_SHELL=$SHELL	# let configure find us a capable shell
1187	SKIP_DISABLE_LASTLOG_DEFINE=yes
1188	;;
1189*-dec-osf*)
1190	AC_MSG_CHECKING([for Digital Unix SIA])
1191	no_osfsia=""
1192	AC_ARG_WITH([osfsia],
1193		[  --with-osfsia           Enable Digital Unix SIA],
1194		[
1195			if test "x$withval" = "xno" ; then
1196				AC_MSG_RESULT([disabled])
1197				no_osfsia=1
1198			fi
1199		],
1200	)
1201	if test -z "$no_osfsia" ; then
1202		if test -f /etc/sia/matrix.conf; then
1203			AC_MSG_RESULT([yes])
1204			AC_DEFINE([HAVE_OSF_SIA], [1],
1205				[Define if you have Digital Unix Security
1206				Integration Architecture])
1207			AC_DEFINE([DISABLE_LOGIN], [1],
1208				[Define if you don't want to use your
1209				system's login() call])
1210			AC_DEFINE([DISABLE_FD_PASSING])
1211			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1212			SIA_MSG="yes"
1213		else
1214			AC_MSG_RESULT([no])
1215			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1216			  [String used in /etc/passwd to denote locked account])
1217		fi
1218	fi
1219	AC_DEFINE([BROKEN_GETADDRINFO])
1220	AC_DEFINE([SETEUID_BREAKS_SETUID])
1221	AC_DEFINE([BROKEN_SETREUID])
1222	AC_DEFINE([BROKEN_SETREGID])
1223	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1224	;;
1225
1226*-*-nto-qnx*)
1227	AC_DEFINE([USE_PIPES])
1228	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1229	AC_DEFINE([DISABLE_LASTLOG])
1230	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1231	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1232	enable_etc_default_login=no	# has incompatible /etc/default/login
1233	case "$host" in
1234	*-*-nto-qnx6*)
1235		AC_DEFINE([DISABLE_FD_PASSING])
1236		;;
1237	esac
1238	;;
1239
1240*-*-ultrix*)
1241	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1242	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1243	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1244	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1245	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1246	# don't get a controlling tty.
1247	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1248	# On Ultrix some headers are not protected against multiple includes,
1249	# so we create wrappers and put it where the compiler will find it.
1250	AC_MSG_WARN([creating compat wrappers for headers])
1251	mkdir -p netinet
1252	for header in netinet/ip.h netdb.h resolv.h; do
1253		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1254		cat >$header <<EOD
1255#ifndef _SSH_COMPAT_${name}
1256#define _SSH_COMPAT_${name}
1257#include "/usr/include/${header}"
1258#endif
1259EOD
1260	done
1261	;;
1262
1263*-*-lynxos)
1264	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1265	AC_DEFINE([BROKEN_SETVBUF], [1],
1266	    [LynxOS has broken setvbuf() implementation])
1267	;;
1268esac
1269
1270AC_MSG_CHECKING([compiler and flags for sanity])
1271AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
1272	[	AC_MSG_RESULT([yes]) ],
1273	[
1274		AC_MSG_RESULT([no])
1275		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1276	],
1277	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1278)
1279
1280dnl Checks for header files.
1281# Checks for libraries.
1282AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1283
1284dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1285AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1286	AC_CHECK_LIB([gen], [dirname], [
1287		AC_CACHE_CHECK([for broken dirname],
1288			ac_cv_have_broken_dirname, [
1289			save_LIBS="$LIBS"
1290			LIBS="$LIBS -lgen"
1291			AC_RUN_IFELSE(
1292				[AC_LANG_SOURCE([[
1293#include <libgen.h>
1294#include <string.h>
1295#include <stdlib.h>
1296
1297int main(int argc, char **argv) {
1298    char *s, buf[32];
1299
1300    strncpy(buf,"/etc", 32);
1301    s = dirname(buf);
1302    if (!s || strncmp(s, "/", 32) != 0) {
1303	exit(1);
1304    } else {
1305	exit(0);
1306    }
1307}
1308				]])],
1309				[ ac_cv_have_broken_dirname="no" ],
1310				[ ac_cv_have_broken_dirname="yes" ],
1311				[ ac_cv_have_broken_dirname="no" ],
1312			)
1313			LIBS="$save_LIBS"
1314		])
1315		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1316			LIBS="$LIBS -lgen"
1317			AC_DEFINE([HAVE_DIRNAME])
1318			AC_CHECK_HEADERS([libgen.h])
1319		fi
1320	])
1321])
1322
1323AC_CHECK_FUNC([getspnam], ,
1324	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1325AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1326	[Define if you have the basename function.])])
1327
1328dnl zlib defaults to enabled
1329zlib=yes
1330AC_ARG_WITH([zlib],
1331	[  --with-zlib=PATH        Use zlib in PATH],
1332	[ if test "x$withval" = "xno" ; then
1333		zlib=no
1334	  elif test "x$withval" != "xyes"; then
1335		if test -d "$withval/lib"; then
1336			if test -n "${rpath_opt}"; then
1337				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1338			else
1339				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1340			fi
1341		else
1342			if test -n "${rpath_opt}"; then
1343				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1344			else
1345				LDFLAGS="-L${withval} ${LDFLAGS}"
1346			fi
1347		fi
1348		if test -d "$withval/include"; then
1349			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1350		else
1351			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1352		fi
1353	fi ]
1354)
1355
1356AC_MSG_CHECKING([for zlib])
1357if test "x${zlib}" = "xno"; then
1358	AC_MSG_RESULT([no])
1359else
1360	AC_MSG_RESULT([yes])
1361	AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1362    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1363    AC_CHECK_LIB([z], [deflate], ,
1364	[
1365		saved_CPPFLAGS="$CPPFLAGS"
1366		saved_LDFLAGS="$LDFLAGS"
1367		save_LIBS="$LIBS"
1368		dnl Check default zlib install dir
1369		if test -n "${rpath_opt}"; then
1370			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1371		else
1372			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1373		fi
1374		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1375		LIBS="$LIBS -lz"
1376		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1377			[
1378				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1379			]
1380		)
1381	]
1382    )
1383
1384    AC_ARG_WITH([zlib-version-check],
1385	[  --without-zlib-version-check Disable zlib version check],
1386	[  if test "x$withval" = "xno" ; then
1387		zlib_check_nonfatal=1
1388	   fi
1389	]
1390    )
1391
1392    AC_MSG_CHECKING([for possibly buggy zlib])
1393    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1394#include <stdio.h>
1395#include <stdlib.h>
1396#include <zlib.h>
1397	]],
1398	[[
1399	int a=0, b=0, c=0, d=0, n, v;
1400	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1401	if (n != 3 && n != 4)
1402		exit(1);
1403	v = a*1000000 + b*10000 + c*100 + d;
1404	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1405
1406	/* 1.1.4 is OK */
1407	if (a == 1 && b == 1 && c >= 4)
1408		exit(0);
1409
1410	/* 1.2.3 and up are OK */
1411	if (v >= 1020300)
1412		exit(0);
1413
1414	exit(2);
1415	]])],
1416	AC_MSG_RESULT([no]),
1417	[ AC_MSG_RESULT([yes])
1418	  if test -z "$zlib_check_nonfatal" ; then
1419		AC_MSG_ERROR([*** zlib too old - check config.log ***
1420Your reported zlib version has known security problems.  It's possible your
1421vendor has fixed these problems without changing the version number.  If you
1422are sure this is the case, you can disable the check by running
1423"./configure --without-zlib-version-check".
1424If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1425See http://www.gzip.org/zlib/ for details.])
1426	  else
1427		AC_MSG_WARN([zlib version may have security problems])
1428	  fi
1429	],
1430	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1431    )
1432fi
1433
1434dnl UnixWare 2.x
1435AC_CHECK_FUNC([strcasecmp],
1436	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1437)
1438AC_CHECK_FUNCS([utimes],
1439	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1440					LIBS="$LIBS -lc89"]) ]
1441)
1442
1443dnl    Checks for libutil functions
1444AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1445AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1446AC_SEARCH_LIBS([scan_scaled], [util bsd])
1447AC_SEARCH_LIBS([login], [util bsd])
1448AC_SEARCH_LIBS([logout], [util bsd])
1449AC_SEARCH_LIBS([logwtmp], [util bsd])
1450AC_SEARCH_LIBS([openpty], [util bsd])
1451AC_SEARCH_LIBS([updwtmp], [util bsd])
1452AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1453
1454# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1455# or libnsl.
1456AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1457AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1458
1459# Some Linux distribtions ship the BSD libc hashing functions in
1460# separate libraries.
1461AC_SEARCH_LIBS([SHA256Update], [md bsd])
1462
1463# "Particular Function Checks"
1464# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1465AC_FUNC_STRFTIME
1466AC_FUNC_MALLOC
1467AC_FUNC_REALLOC
1468# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1469AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1470AC_RUN_IFELSE(
1471	[AC_LANG_PROGRAM(
1472		[[ #include <stdlib.h> ]],
1473		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1474	)],
1475	[ func_calloc_0_nonnull=yes ],
1476	[ func_calloc_0_nonnull=no ],
1477	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1478	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1479)
1480AC_MSG_RESULT([$func_calloc_0_nonnull])
1481
1482if test "x$func_calloc_0_nonnull" = "xyes"; then
1483	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1484else
1485	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1486	AC_DEFINE(calloc, rpl_calloc,
1487	    [Define to rpl_calloc if the replacement function should be used.])
1488fi
1489
1490# Check for ALTDIRFUNC glob() extension
1491AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1492AC_EGREP_CPP([FOUNDIT],
1493	[
1494		#include <glob.h>
1495		#ifdef GLOB_ALTDIRFUNC
1496		FOUNDIT
1497		#endif
1498	],
1499	[
1500		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1501			[Define if your system glob() function has
1502			the GLOB_ALTDIRFUNC extension])
1503		AC_MSG_RESULT([yes])
1504	],
1505	[
1506		AC_MSG_RESULT([no])
1507	]
1508)
1509
1510# Check for g.gl_matchc glob() extension
1511AC_MSG_CHECKING([for gl_matchc field in glob_t])
1512AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1513	[[ glob_t g; g.gl_matchc = 1; ]])],
1514	[
1515		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1516			[Define if your system glob() function has
1517			gl_matchc options in glob_t])
1518		AC_MSG_RESULT([yes])
1519	], [
1520		AC_MSG_RESULT([no])
1521])
1522
1523# Check for g.gl_statv glob() extension
1524AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1525AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1526#ifndef GLOB_KEEPSTAT
1527#error "glob does not support GLOB_KEEPSTAT extension"
1528#endif
1529glob_t g;
1530g.gl_statv = NULL;
1531]])],
1532	[
1533		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1534			[Define if your system glob() function has
1535			gl_statv options in glob_t])
1536		AC_MSG_RESULT([yes])
1537	], [
1538		AC_MSG_RESULT([no])
1539
1540])
1541
1542AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1543
1544AC_CHECK_DECL([VIS_ALL], ,
1545    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1546
1547AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1548AC_RUN_IFELSE(
1549	[AC_LANG_PROGRAM([[
1550#include <sys/types.h>
1551#include <dirent.h>
1552#include <stdlib.h>
1553	]],
1554	[[
1555	struct dirent d;
1556	exit(sizeof(d.d_name)<=sizeof(char));
1557	]])],
1558	[AC_MSG_RESULT([yes])],
1559	[
1560		AC_MSG_RESULT([no])
1561		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1562			[Define if your struct dirent expects you to
1563			allocate extra space for d_name])
1564	],
1565	[
1566		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1567		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1568	]
1569)
1570
1571AC_MSG_CHECKING([for /proc/pid/fd directory])
1572if test -d "/proc/$$/fd" ; then
1573	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1574	AC_MSG_RESULT([yes])
1575else
1576	AC_MSG_RESULT([no])
1577fi
1578
1579# Check whether user wants TCP wrappers support
1580TCPW_MSG="no"
1581AC_ARG_WITH([tcp-wrappers],
1582	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1583	[
1584		if test "x$withval" != "xno" ; then
1585			saved_LIBS="$LIBS"
1586			saved_LDFLAGS="$LDFLAGS"
1587			saved_CPPFLAGS="$CPPFLAGS"
1588			if test -n "${withval}" && \
1589			    test "x${withval}" != "xyes"; then
1590				if test -d "${withval}/lib"; then
1591					if test -n "${need_dash_r}"; then
1592						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1593					else
1594						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1595					fi
1596				else
1597					if test -n "${need_dash_r}"; then
1598						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1599					else
1600						LDFLAGS="-L${withval} ${LDFLAGS}"
1601					fi
1602				fi
1603				if test -d "${withval}/include"; then
1604					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1605				else
1606					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1607				fi
1608			fi
1609			LIBS="-lwrap $LIBS"
1610			AC_MSG_CHECKING([for libwrap])
1611			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1612#include <sys/types.h>
1613#include <sys/socket.h>
1614#include <netinet/in.h>
1615#include <tcpd.h>
1616int deny_severity = 0, allow_severity = 0;
1617				]], [[
1618	hosts_access(0);
1619				]])], [
1620					AC_MSG_RESULT([yes])
1621					AC_DEFINE([LIBWRAP], [1],
1622						[Define if you want
1623						TCP Wrappers support])
1624					SSHDLIBS="$SSHDLIBS -lwrap"
1625					TCPW_MSG="yes"
1626				], [
1627					AC_MSG_ERROR([*** libwrap missing])
1628			])
1629			LIBS="$saved_LIBS"
1630		fi
1631	]
1632)
1633
1634# Check whether user wants to use ldns
1635LDNS_MSG="no"
1636AC_ARG_WITH(ldns,
1637	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1638	[
1639	ldns=""
1640	if test "x$withval" = "xyes" ; then
1641		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1642		if test "x$LDNSCONFIG" = "xno"; then
1643			LIBS="-lldns $LIBS"
1644			ldns=yes
1645		else
1646			LIBS="$LIBS `$LDNSCONFIG --libs`"
1647			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1648			ldns=yes
1649		fi
1650	elif test "x$withval" != "xno" ; then
1651			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1652			LDFLAGS="$LDFLAGS -L${withval}/lib"
1653			LIBS="-lldns $LIBS"
1654			ldns=yes
1655	fi
1656
1657	# Verify that it works.
1658	if test "x$ldns" = "xyes" ; then
1659		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1660		LDNS_MSG="yes"
1661		AC_MSG_CHECKING([for ldns support])
1662		AC_LINK_IFELSE(
1663			[AC_LANG_SOURCE([[
1664#include <stdio.h>
1665#include <stdlib.h>
1666#ifdef HAVE_STDINT_H
1667# include <stdint.h>
1668#endif
1669#include <ldns/ldns.h>
1670int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1671			]])
1672		],
1673			[AC_MSG_RESULT(yes)],
1674				[
1675					AC_MSG_RESULT(no)
1676					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1677				])
1678	fi
1679])
1680
1681# Check whether user wants libedit support
1682LIBEDIT_MSG="no"
1683AC_ARG_WITH([libedit],
1684	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1685	[ if test "x$withval" != "xno" ; then
1686		if test "x$withval" = "xyes" ; then
1687			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1688			if test "x$PKGCONFIG" != "xno"; then
1689				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1690				if "$PKGCONFIG" libedit; then
1691					AC_MSG_RESULT([yes])
1692					use_pkgconfig_for_libedit=yes
1693				else
1694					AC_MSG_RESULT([no])
1695				fi
1696			fi
1697		else
1698			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1699			if test -n "${rpath_opt}"; then
1700				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1701			else
1702				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1703			fi
1704		fi
1705		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1706			LIBEDIT=`$PKGCONFIG --libs libedit`
1707			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1708		else
1709			LIBEDIT="-ledit -lcurses"
1710		fi
1711		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1712		AC_CHECK_LIB([edit], [el_init],
1713			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1714			  LIBEDIT_MSG="yes"
1715			  AC_SUBST([LIBEDIT])
1716			],
1717			[ AC_MSG_ERROR([libedit not found]) ],
1718			[ $OTHERLIBS ]
1719		)
1720		AC_MSG_CHECKING([if libedit version is compatible])
1721		AC_COMPILE_IFELSE(
1722		    [AC_LANG_PROGRAM([[
1723#include <histedit.h>
1724#include <stdlib.h>
1725		    ]],
1726		    [[
1727	int i = H_SETSIZE;
1728	el_init("", NULL, NULL, NULL);
1729	exit(0);
1730		    ]])],
1731		    [ AC_MSG_RESULT([yes]) ],
1732		    [ AC_MSG_RESULT([no])
1733		      AC_MSG_ERROR([libedit version is not compatible]) ]
1734		)
1735	fi ]
1736)
1737
1738AUDIT_MODULE=none
1739AC_ARG_WITH([audit],
1740	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1741	[
1742	  AC_MSG_CHECKING([for supported audit module])
1743	  case "$withval" in
1744	  bsm)
1745		AC_MSG_RESULT([bsm])
1746		AUDIT_MODULE=bsm
1747		dnl    Checks for headers, libs and functions
1748		AC_CHECK_HEADERS([bsm/audit.h], [],
1749		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1750		    [
1751#ifdef HAVE_TIME_H
1752# include <time.h>
1753#endif
1754		    ]
1755)
1756		AC_CHECK_LIB([bsm], [getaudit], [],
1757		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1758		AC_CHECK_FUNCS([getaudit], [],
1759		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1760		# These are optional
1761		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1762		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1763		if test "$sol2ver" -ge 11; then
1764			SSHDLIBS="$SSHDLIBS -lscf"
1765			AC_DEFINE([BROKEN_BSM_API], [1],
1766				[The system has incomplete BSM API])
1767		fi
1768		;;
1769	  linux)
1770		AC_MSG_RESULT([linux])
1771		AUDIT_MODULE=linux
1772		dnl    Checks for headers, libs and functions
1773		AC_CHECK_HEADERS([libaudit.h])
1774		SSHDLIBS="$SSHDLIBS -laudit"
1775		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1776		;;
1777	  debug)
1778		AUDIT_MODULE=debug
1779		AC_MSG_RESULT([debug])
1780		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1781		;;
1782	  no)
1783		AC_MSG_RESULT([no])
1784		;;
1785	  *)
1786		AC_MSG_ERROR([Unknown audit module $withval])
1787		;;
1788	esac ]
1789)
1790
1791AC_ARG_WITH([pie],
1792    [  --with-pie              Build Position Independent Executables if possible], [
1793	if test "x$withval" = "xno"; then
1794		use_pie=no
1795	fi
1796	if test "x$withval" = "xyes"; then
1797		use_pie=yes
1798	fi
1799    ]
1800)
1801if test "x$use_pie" = "x"; then
1802	use_pie=no
1803fi
1804if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1805	# Turn off automatic PIE when toolchain hardening is off.
1806	use_pie=no
1807fi
1808if test "x$use_pie" = "xauto"; then
1809	# Automatic PIE requires gcc >= 4.x
1810	AC_MSG_CHECKING([for gcc >= 4.x])
1811	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1812#if !defined(__GNUC__) || __GNUC__ < 4
1813#error gcc is too old
1814#endif
1815]])],
1816	[ AC_MSG_RESULT([yes]) ],
1817	[ AC_MSG_RESULT([no])
1818	  use_pie=no ]
1819)
1820fi
1821if test "x$use_pie" != "xno"; then
1822	SAVED_CFLAGS="$CFLAGS"
1823	SAVED_LDFLAGS="$LDFLAGS"
1824	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1825	OSSH_CHECK_LDFLAG_LINK([-pie])
1826	# We use both -fPIE and -pie or neither.
1827	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1828	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1829	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1830		AC_MSG_RESULT([yes])
1831	else
1832		AC_MSG_RESULT([no])
1833		CFLAGS="$SAVED_CFLAGS"
1834		LDFLAGS="$SAVED_LDFLAGS"
1835	fi
1836fi
1837
1838AC_MSG_CHECKING([whether -fPIC is accepted])
1839SAVED_CFLAGS="$CFLAGS"
1840CFLAGS="$CFLAGS -fPIC"
1841AC_COMPILE_IFELSE(
1842	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1843   [AC_MSG_RESULT([yes])
1844    PICFLAG="-fPIC"; ],
1845   [AC_MSG_RESULT([no])
1846    PICFLAG=""; ])
1847CFLAGS="$SAVED_CFLAGS"
1848AC_SUBST([PICFLAG])
1849
1850dnl    Checks for library functions. Please keep in alphabetical order
1851AC_CHECK_FUNCS([ \
1852	auth_hostok \
1853	auth_timeok \
1854	Blowfish_initstate \
1855	Blowfish_expandstate \
1856	Blowfish_expand0state \
1857	Blowfish_stream2word \
1858	SHA256Update \
1859	SHA384Update \
1860	SHA512Update \
1861	asprintf \
1862	b64_ntop \
1863	__b64_ntop \
1864	b64_pton \
1865	__b64_pton \
1866	bcopy \
1867	bcrypt_pbkdf \
1868	bindresvport_sa \
1869	blf_enc \
1870	bzero \
1871	cap_rights_limit \
1872	clock \
1873	closefrom \
1874	dirfd \
1875	endgrent \
1876	err \
1877	errx \
1878	explicit_bzero \
1879	explicit_memset \
1880	fchmod \
1881	fchmodat \
1882	fchown \
1883	fchownat \
1884	flock \
1885	fnmatch \
1886	freeaddrinfo \
1887	freezero \
1888	fstatfs \
1889	fstatvfs \
1890	futimes \
1891	getaddrinfo \
1892	getcwd \
1893	getgrouplist \
1894	getline \
1895	getnameinfo \
1896	getopt \
1897	getpagesize \
1898	getpeereid \
1899	getpeerucred \
1900	getpgid \
1901	_getpty \
1902	getrlimit \
1903	getrandom \
1904	getsid \
1905	getttyent \
1906	glob \
1907	group_from_gid \
1908	inet_aton \
1909	inet_ntoa \
1910	inet_ntop \
1911	innetgr \
1912	llabs \
1913	localtime_r \
1914	login_getcapbool \
1915	login_getpwclass \
1916	md5_crypt \
1917	memmem \
1918	memmove \
1919	memset_s \
1920	mkdtemp \
1921	ngetaddrinfo \
1922	nsleep \
1923	ogetaddrinfo \
1924	openlog_r \
1925	pledge \
1926	poll \
1927	prctl \
1928	pselect \
1929	pstat \
1930	raise \
1931	readpassphrase \
1932	reallocarray \
1933	realpath \
1934	recvmsg \
1935	recallocarray \
1936	rresvport_af \
1937	sendmsg \
1938	setdtablesize \
1939	setegid \
1940	setenv \
1941	seteuid \
1942	setgroupent \
1943	setgroups \
1944	setlinebuf \
1945	setlogin \
1946	setpassent\
1947	setpcred \
1948	setproctitle \
1949	setregid \
1950	setreuid \
1951	setrlimit \
1952	setsid \
1953	setvbuf \
1954	sigaction \
1955	sigvec \
1956	snprintf \
1957	socketpair \
1958	statfs \
1959	statvfs \
1960	strcasestr \
1961	strdup \
1962	strerror \
1963	strlcat \
1964	strlcpy \
1965	strmode \
1966	strndup \
1967	strnlen \
1968	strnvis \
1969	strptime \
1970	strsignal \
1971	strtonum \
1972	strtoll \
1973	strtoul \
1974	strtoull \
1975	swap32 \
1976	sysconf \
1977	tcgetpgrp \
1978	timingsafe_bcmp \
1979	truncate \
1980	unsetenv \
1981	updwtmpx \
1982	utimensat \
1983	user_from_uid \
1984	usleep \
1985	vasprintf \
1986	vsnprintf \
1987	waitpid \
1988	warn \
1989])
1990
1991AC_CHECK_DECLS([bzero, memmem])
1992
1993dnl Wide character support.
1994AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1995
1996TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1997AC_MSG_CHECKING([for utf8 locale support])
1998AC_RUN_IFELSE(
1999	[AC_LANG_PROGRAM([[
2000#include <locale.h>
2001#include <stdlib.h>
2002	]], [[
2003	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
2004	if (loc != NULL)
2005		exit(0);
2006	exit(1);
2007	]])],
2008	AC_MSG_RESULT(yes),
2009	[AC_MSG_RESULT(no)
2010	 TEST_SSH_UTF8=no],
2011	AC_MSG_WARN([cross compiling: assuming yes])
2012)
2013
2014AC_LINK_IFELSE(
2015        [AC_LANG_PROGRAM(
2016           [[ #include <ctype.h> ]],
2017           [[ return (isblank('a')); ]])],
2018	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
2019])
2020
2021disable_pkcs11=
2022AC_ARG_ENABLE([pkcs11],
2023	[  --disable-pkcs11        disable PKCS#11 support code [no]],
2024	[
2025		if test "x$enableval" = "xno" ; then
2026			disable_pkcs11=1
2027		fi
2028	]
2029)
2030
2031disable_sk=
2032AC_ARG_ENABLE([security-key],
2033	[  --disable-security-key  disable U2F/FIDO support code [no]],
2034	[
2035		if test "x$enableval" = "xno" ; then
2036			disable_sk=1
2037		fi
2038	]
2039)
2040enable_sk_internal=
2041AC_ARG_WITH([security-key-builtin],
2042	[  --with-security-key-builtin include builtin U2F/FIDO support],
2043	[
2044		if test "x$withval" != "xno" ; then
2045			enable_sk_internal=yes
2046		fi
2047	]
2048)
2049test "x$disable_sk" != "x" && enable_sk_internal=""
2050
2051AC_SEARCH_LIBS([dlopen], [dl])
2052AC_CHECK_FUNCS([dlopen])
2053AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
2054
2055# IRIX has a const char return value for gai_strerror()
2056AC_CHECK_FUNCS([gai_strerror], [
2057	AC_DEFINE([HAVE_GAI_STRERROR])
2058	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2059#include <sys/types.h>
2060#include <sys/socket.h>
2061#include <netdb.h>
2062
2063const char *gai_strerror(int);
2064			]], [[
2065	char *str;
2066	str = gai_strerror(0);
2067			]])], [
2068		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
2069		[Define if gai_strerror() returns const char *])], [])])
2070
2071AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
2072	[Some systems put nanosleep outside of libc])])
2073
2074AC_SEARCH_LIBS([clock_gettime], [rt],
2075	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
2076
2077dnl check if we need -D_REENTRANT for localtime_r declaration.
2078AC_CHECK_DECL([localtime_r], [],
2079	[ saved_CPPFLAGS="$CPPFLAGS"
2080	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
2081	  unset ac_cv_have_decl_localtime_r
2082	  AC_CHECK_DECL([localtime_r], [],
2083		[ CPPFLAGS="$saved_CPPFLAGS" ],
2084		[ #include <time.h> ]
2085	  )
2086	],
2087	[ #include <time.h> ]
2088)
2089
2090dnl Make sure prototypes are defined for these before using them.
2091AC_CHECK_DECL([strsep],
2092	[AC_CHECK_FUNCS([strsep])],
2093	[],
2094	[
2095#ifdef HAVE_STRING_H
2096# include <string.h>
2097#endif
2098	])
2099
2100dnl tcsendbreak might be a macro
2101AC_CHECK_DECL([tcsendbreak],
2102	[AC_DEFINE([HAVE_TCSENDBREAK])],
2103	[AC_CHECK_FUNCS([tcsendbreak])],
2104	[#include <termios.h>]
2105)
2106
2107AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2108
2109AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2110	[
2111#include <sys/types.h>
2112#include <sys/socket.h>
2113#include <unistd.h>
2114	])
2115
2116AC_CHECK_DECLS([O_NONBLOCK], , ,
2117	[
2118#include <sys/types.h>
2119#ifdef HAVE_SYS_STAT_H
2120# include <sys/stat.h>
2121#endif
2122#ifdef HAVE_FCNTL_H
2123# include <fcntl.h>
2124#endif
2125	])
2126
2127AC_CHECK_DECLS([readv, writev], , , [
2128#include <sys/types.h>
2129#include <sys/uio.h>
2130#include <unistd.h>
2131	])
2132
2133AC_CHECK_DECLS([MAXSYMLINKS], , , [
2134#include <sys/param.h>
2135	])
2136
2137AC_CHECK_DECLS([offsetof], , , [
2138#include <stddef.h>
2139	])
2140
2141# extra bits for select(2)
2142AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2143#include <sys/param.h>
2144#include <sys/types.h>
2145#ifdef HAVE_SYS_SYSMACROS_H
2146#include <sys/sysmacros.h>
2147#endif
2148#ifdef HAVE_SYS_SELECT_H
2149#include <sys/select.h>
2150#endif
2151#ifdef HAVE_SYS_TIME_H
2152#include <sys/time.h>
2153#endif
2154#ifdef HAVE_UNISTD_H
2155#include <unistd.h>
2156#endif
2157	]])
2158AC_CHECK_TYPES([fd_mask], [], [], [[
2159#include <sys/param.h>
2160#include <sys/types.h>
2161#ifdef HAVE_SYS_SELECT_H
2162#include <sys/select.h>
2163#endif
2164#ifdef HAVE_SYS_TIME_H
2165#include <sys/time.h>
2166#endif
2167#ifdef HAVE_UNISTD_H
2168#include <unistd.h>
2169#endif
2170	]])
2171
2172AC_CHECK_FUNCS([setresuid], [
2173	dnl Some platorms have setresuid that isn't implemented, test for this
2174	AC_MSG_CHECKING([if setresuid seems to work])
2175	AC_RUN_IFELSE(
2176		[AC_LANG_PROGRAM([[
2177#include <stdlib.h>
2178#include <errno.h>
2179		]], [[
2180	errno=0;
2181	setresuid(0,0,0);
2182	if (errno==ENOSYS)
2183		exit(1);
2184	else
2185		exit(0);
2186		]])],
2187		[AC_MSG_RESULT([yes])],
2188		[AC_DEFINE([BROKEN_SETRESUID], [1],
2189			[Define if your setresuid() is broken])
2190		 AC_MSG_RESULT([not implemented])],
2191		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2192	)
2193])
2194
2195AC_CHECK_FUNCS([setresgid], [
2196	dnl Some platorms have setresgid that isn't implemented, test for this
2197	AC_MSG_CHECKING([if setresgid seems to work])
2198	AC_RUN_IFELSE(
2199		[AC_LANG_PROGRAM([[
2200#include <stdlib.h>
2201#include <errno.h>
2202		]], [[
2203	errno=0;
2204	setresgid(0,0,0);
2205	if (errno==ENOSYS)
2206		exit(1);
2207	else
2208		exit(0);
2209		]])],
2210		[AC_MSG_RESULT([yes])],
2211		[AC_DEFINE([BROKEN_SETRESGID], [1],
2212			[Define if your setresgid() is broken])
2213		 AC_MSG_RESULT([not implemented])],
2214		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2215	)
2216])
2217
2218AC_MSG_CHECKING([for working fflush(NULL)])
2219AC_RUN_IFELSE(
2220	[AC_LANG_PROGRAM([[
2221#include <stdio.h>
2222#include <stdlib.h>
2223	]],
2224	[[fflush(NULL); exit(0);]])],
2225	AC_MSG_RESULT([yes]),
2226	[AC_MSG_RESULT([no])
2227	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2228	    [define if fflush(NULL) does not work])],
2229	AC_MSG_WARN([cross compiling: assuming working])
2230)
2231
2232dnl    Checks for time functions
2233AC_CHECK_FUNCS([gettimeofday time])
2234dnl    Checks for utmp functions
2235AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2236AC_CHECK_FUNCS([utmpname])
2237dnl    Checks for utmpx functions
2238AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2239AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2240dnl    Checks for lastlog functions
2241AC_CHECK_FUNCS([getlastlogxbyname])
2242
2243AC_CHECK_FUNC([daemon],
2244	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2245	[AC_CHECK_LIB([bsd], [daemon],
2246		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2247)
2248
2249AC_CHECK_FUNC([getpagesize],
2250	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2251		[Define if your libraries define getpagesize()])],
2252	[AC_CHECK_LIB([ucb], [getpagesize],
2253		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2254)
2255
2256# Check for broken snprintf
2257if test "x$ac_cv_func_snprintf" = "xyes" ; then
2258	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2259	AC_RUN_IFELSE(
2260		[AC_LANG_PROGRAM([[
2261#include <stdio.h>
2262#include <stdlib.h>
2263		]],
2264		[[
2265	char b[5];
2266	snprintf(b,5,"123456789");
2267	exit(b[4]!='\0');
2268		]])],
2269		[AC_MSG_RESULT([yes])],
2270		[
2271			AC_MSG_RESULT([no])
2272			AC_DEFINE([BROKEN_SNPRINTF], [1],
2273				[Define if your snprintf is busted])
2274			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2275		],
2276		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2277	)
2278fi
2279
2280if test "x$ac_cv_func_snprintf" = "xyes" ; then
2281	AC_MSG_CHECKING([whether snprintf understands %zu])
2282	AC_RUN_IFELSE(
2283		[AC_LANG_PROGRAM([[
2284#include <sys/types.h>
2285#include <stdio.h>
2286#include <stdlib.h>
2287#include <string.h>
2288		]],
2289		[[
2290	size_t a = 1, b = 2;
2291	char z[128];
2292	snprintf(z, sizeof z, "%zu%zu", a, b);
2293	exit(strcmp(z, "12"));
2294		]])],
2295		[AC_MSG_RESULT([yes])],
2296		[
2297			AC_MSG_RESULT([no])
2298			AC_DEFINE([BROKEN_SNPRINTF], [1],
2299				[snprintf does not understand %zu])
2300		],
2301		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2302	)
2303fi
2304
2305# We depend on vsnprintf returning the right thing on overflow: the
2306# number of characters it tried to create (as per SUSv3)
2307if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2308	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2309	AC_RUN_IFELSE(
2310		[AC_LANG_PROGRAM([[
2311#include <sys/types.h>
2312#include <stdio.h>
2313#include <stdarg.h>
2314
2315int x_snprintf(char *str, size_t count, const char *fmt, ...)
2316{
2317	size_t ret;
2318	va_list ap;
2319
2320	va_start(ap, fmt);
2321	ret = vsnprintf(str, count, fmt, ap);
2322	va_end(ap);
2323	return ret;
2324}
2325		]], [[
2326char x[1];
2327if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2328	return 1;
2329if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2330	return 1;
2331return 0;
2332		]])],
2333		[AC_MSG_RESULT([yes])],
2334		[
2335			AC_MSG_RESULT([no])
2336			AC_DEFINE([BROKEN_SNPRINTF], [1],
2337				[Define if your snprintf is busted])
2338			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2339		],
2340		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2341	)
2342fi
2343
2344# On systems where [v]snprintf is broken, but is declared in stdio,
2345# check that the fmt argument is const char * or just char *.
2346# This is only useful for when BROKEN_SNPRINTF
2347AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2348AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2349#include <stdio.h>
2350int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2351		]], [[
2352	snprintf(0, 0, 0);
2353		]])],
2354   [AC_MSG_RESULT([yes])
2355    AC_DEFINE([SNPRINTF_CONST], [const],
2356              [Define as const if snprintf() can declare const char *fmt])],
2357   [AC_MSG_RESULT([no])
2358    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2359
2360# Check for missing getpeereid (or equiv) support
2361NO_PEERCHECK=""
2362if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2363	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2364	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2365#include <sys/types.h>
2366#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2367		[ AC_MSG_RESULT([yes])
2368		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2369		], [AC_MSG_RESULT([no])
2370		NO_PEERCHECK=1
2371        ])
2372fi
2373
2374dnl make sure that openpty does not reacquire controlling terminal
2375if test ! -z "$check_for_openpty_ctty_bug"; then
2376	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2377	AC_RUN_IFELSE(
2378		[AC_LANG_PROGRAM([[
2379#include <stdio.h>
2380#include <stdlib.h>
2381#include <unistd.h>
2382#include <sys/fcntl.h>
2383#include <sys/types.h>
2384#include <sys/wait.h>
2385		]], [[
2386	pid_t pid;
2387	int fd, ptyfd, ttyfd, status;
2388
2389	pid = fork();
2390	if (pid < 0) {		/* failed */
2391		exit(1);
2392	} else if (pid > 0) {	/* parent */
2393		waitpid(pid, &status, 0);
2394		if (WIFEXITED(status))
2395			exit(WEXITSTATUS(status));
2396		else
2397			exit(2);
2398	} else {		/* child */
2399		close(0); close(1); close(2);
2400		setsid();
2401		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2402		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2403		if (fd >= 0)
2404			exit(3);	/* Acquired ctty: broken */
2405		else
2406			exit(0);	/* Did not acquire ctty: OK */
2407	}
2408		]])],
2409		[
2410			AC_MSG_RESULT([yes])
2411		],
2412		[
2413			AC_MSG_RESULT([no])
2414			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2415		],
2416		[
2417			AC_MSG_RESULT([cross-compiling, assuming yes])
2418		]
2419	)
2420fi
2421
2422if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2423    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2424	AC_MSG_CHECKING([if getaddrinfo seems to work])
2425	AC_RUN_IFELSE(
2426		[AC_LANG_PROGRAM([[
2427#include <stdio.h>
2428#include <stdlib.h>
2429#include <sys/socket.h>
2430#include <netdb.h>
2431#include <errno.h>
2432#include <netinet/in.h>
2433
2434#define TEST_PORT "2222"
2435		]], [[
2436	int err, sock;
2437	struct addrinfo *gai_ai, *ai, hints;
2438	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2439
2440	memset(&hints, 0, sizeof(hints));
2441	hints.ai_family = PF_UNSPEC;
2442	hints.ai_socktype = SOCK_STREAM;
2443	hints.ai_flags = AI_PASSIVE;
2444
2445	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2446	if (err != 0) {
2447		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2448		exit(1);
2449	}
2450
2451	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2452		if (ai->ai_family != AF_INET6)
2453			continue;
2454
2455		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2456		    sizeof(ntop), strport, sizeof(strport),
2457		    NI_NUMERICHOST|NI_NUMERICSERV);
2458
2459		if (err != 0) {
2460			if (err == EAI_SYSTEM)
2461				perror("getnameinfo EAI_SYSTEM");
2462			else
2463				fprintf(stderr, "getnameinfo failed: %s\n",
2464				    gai_strerror(err));
2465			exit(2);
2466		}
2467
2468		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2469		if (sock < 0)
2470			perror("socket");
2471		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2472			if (errno == EBADF)
2473				exit(3);
2474		}
2475	}
2476	exit(0);
2477		]])],
2478		[
2479			AC_MSG_RESULT([yes])
2480		],
2481		[
2482			AC_MSG_RESULT([no])
2483			AC_DEFINE([BROKEN_GETADDRINFO])
2484		],
2485		[
2486			AC_MSG_RESULT([cross-compiling, assuming yes])
2487		]
2488	)
2489fi
2490
2491if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2492    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2493	AC_MSG_CHECKING([if getaddrinfo seems to work])
2494	AC_RUN_IFELSE(
2495		[AC_LANG_PROGRAM([[
2496#include <stdio.h>
2497#include <stdlib.h>
2498#include <sys/socket.h>
2499#include <netdb.h>
2500#include <errno.h>
2501#include <netinet/in.h>
2502
2503#define TEST_PORT "2222"
2504		]], [[
2505	int err, sock;
2506	struct addrinfo *gai_ai, *ai, hints;
2507	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2508
2509	memset(&hints, 0, sizeof(hints));
2510	hints.ai_family = PF_UNSPEC;
2511	hints.ai_socktype = SOCK_STREAM;
2512	hints.ai_flags = AI_PASSIVE;
2513
2514	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2515	if (err != 0) {
2516		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2517		exit(1);
2518	}
2519
2520	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2521		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2522			continue;
2523
2524		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2525		    sizeof(ntop), strport, sizeof(strport),
2526		    NI_NUMERICHOST|NI_NUMERICSERV);
2527
2528		if (ai->ai_family == AF_INET && err != 0) {
2529			perror("getnameinfo");
2530			exit(2);
2531		}
2532	}
2533	exit(0);
2534		]])],
2535		[
2536			AC_MSG_RESULT([yes])
2537			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2538				[Define if you have a getaddrinfo that fails
2539				for the all-zeros IPv6 address])
2540		],
2541		[
2542			AC_MSG_RESULT([no])
2543			AC_DEFINE([BROKEN_GETADDRINFO])
2544		],
2545		[
2546			AC_MSG_RESULT([cross-compiling, assuming no])
2547		]
2548	)
2549fi
2550
2551if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2552	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2553	    [#include <sys/types.h>
2554	     #include <sys/socket.h>
2555	     #include <netdb.h>])
2556fi
2557
2558if test "x$check_for_conflicting_getspnam" = "x1"; then
2559	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2560	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2561#include <shadow.h>
2562#include <stdlib.h>
2563		]],
2564		[[ exit(0); ]])],
2565		[
2566			AC_MSG_RESULT([no])
2567		],
2568		[
2569			AC_MSG_RESULT([yes])
2570			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2571			    [Conflicting defs for getspnam])
2572		]
2573	)
2574fi
2575
2576dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2577dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2578dnl for over ten years). Despite this incompatibility being reported during
2579dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2580dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2581dnl implementation.  Try to detect this mess, and assume the only safe option
2582dnl if we're cross compiling.
2583dnl
2584dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2585dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2586if test "x$ac_cv_func_strnvis" = "xyes"; then
2587	AC_MSG_CHECKING([for working strnvis])
2588	AC_RUN_IFELSE(
2589		[AC_LANG_PROGRAM([[
2590#include <signal.h>
2591#include <stdlib.h>
2592#include <string.h>
2593#include <unistd.h>
2594#include <vis.h>
2595static void sighandler(int sig) { _exit(1); }
2596		]], [[
2597	char dst[16];
2598
2599	signal(SIGSEGV, sighandler);
2600	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2601		exit(0);
2602	exit(1)
2603		]])],
2604		[AC_MSG_RESULT([yes])],
2605		[AC_MSG_RESULT([no])
2606		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2607		[AC_MSG_WARN([cross compiling: assuming broken])
2608		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2609	)
2610fi
2611
2612AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2613AC_RUN_IFELSE(
2614	[AC_LANG_PROGRAM([[
2615#ifdef HAVE_SYS_SELECT
2616# include <sys/select.h>
2617#endif
2618#include <sys/types.h>
2619#include <sys/time.h>
2620#include <stdlib.h>
2621#include <signal.h>
2622#include <unistd.h>
2623static void sighandler(int sig) { }
2624		]], [[
2625	int r;
2626	pid_t pid;
2627	struct sigaction sa;
2628
2629	sa.sa_handler = sighandler;
2630	sa.sa_flags = SA_RESTART;
2631	(void)sigaction(SIGTERM, &sa, NULL);
2632	if ((pid = fork()) == 0) { /* child */
2633		pid = getppid();
2634		sleep(1);
2635		kill(pid, SIGTERM);
2636		sleep(1);
2637		if (getppid() == pid) /* if parent did not exit, shoot it */
2638			kill(pid, SIGKILL);
2639		exit(0);
2640	} else { /* parent */
2641		r = select(0, NULL, NULL, NULL, NULL);
2642	}
2643	exit(r == -1 ? 0 : 1);
2644	]])],
2645	[AC_MSG_RESULT([yes])],
2646	[AC_MSG_RESULT([no])
2647	 AC_DEFINE([NO_SA_RESTART], [1],
2648	    [SA_RESTARTed signals do no interrupt select])],
2649	[AC_MSG_WARN([cross compiling: assuming yes])]
2650)
2651
2652AC_CHECK_FUNCS([getpgrp],[
2653	AC_MSG_CHECKING([if getpgrp accepts zero args])
2654	AC_COMPILE_IFELSE(
2655		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2656		[ AC_MSG_RESULT([yes])
2657		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2658		[ AC_MSG_RESULT([no])
2659		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2660	)
2661])
2662
2663# Search for OpenSSL
2664saved_CPPFLAGS="$CPPFLAGS"
2665saved_LDFLAGS="$LDFLAGS"
2666AC_ARG_WITH([ssl-dir],
2667	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2668	[
2669		if test "x$openssl" = "xno" ; then
2670			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2671		fi
2672		if test "x$withval" != "xno" ; then
2673			case "$withval" in
2674				# Relative paths
2675				./*|../*)	withval="`pwd`/$withval"
2676			esac
2677			if test -d "$withval/lib"; then
2678				if test -n "${rpath_opt}"; then
2679					LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
2680				else
2681					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2682				fi
2683			elif test -d "$withval/lib64"; then
2684				if test -n "${rpath_opt}"; then
2685					LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
2686				else
2687					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2688				fi
2689			else
2690				if test -n "${rpath_opt}"; then
2691					LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
2692				else
2693					LDFLAGS="-L${withval} ${LDFLAGS}"
2694				fi
2695			fi
2696			if test -d "$withval/include"; then
2697				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2698			else
2699				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2700			fi
2701		fi
2702	]
2703)
2704
2705AC_ARG_WITH([openssl-header-check],
2706	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2707	[
2708		if test "x$withval" = "xno" ; then
2709			openssl_check_nonfatal=1
2710		fi
2711	]
2712)
2713
2714openssl_engine=no
2715AC_ARG_WITH([ssl-engine],
2716	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2717	[
2718		if test "x$withval" != "xno" ; then
2719			if test "x$openssl" = "xno" ; then
2720				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2721			fi
2722			openssl_engine=yes
2723		fi
2724	]
2725)
2726
2727if test "x$openssl" = "xyes" ; then
2728	LIBS="-lcrypto $LIBS"
2729	AC_TRY_LINK_FUNC([RAND_add], ,
2730	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2731	AC_CHECK_HEADER([openssl/opensslv.h], ,
2732	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2733
2734	# Determine OpenSSL header version
2735	AC_MSG_CHECKING([OpenSSL header version])
2736	AC_RUN_IFELSE(
2737		[AC_LANG_PROGRAM([[
2738	#include <stdlib.h>
2739	#include <stdio.h>
2740	#include <string.h>
2741	#include <openssl/opensslv.h>
2742	#define DATA "conftest.sslincver"
2743		]], [[
2744		FILE *fd;
2745		int rc;
2746
2747		fd = fopen(DATA,"w");
2748		if(fd == NULL)
2749			exit(1);
2750
2751		if ((rc = fprintf(fd, "%08lx (%s)\n",
2752		    (unsigned long)OPENSSL_VERSION_NUMBER,
2753		     OPENSSL_VERSION_TEXT)) < 0)
2754			exit(1);
2755
2756		exit(0);
2757		]])],
2758		[
2759			ssl_header_ver=`cat conftest.sslincver`
2760			AC_MSG_RESULT([$ssl_header_ver])
2761		],
2762		[
2763			AC_MSG_RESULT([not found])
2764			AC_MSG_ERROR([OpenSSL version header not found.])
2765		],
2766		[
2767			AC_MSG_WARN([cross compiling: not checking])
2768		]
2769	)
2770
2771	# Determining OpenSSL library version is version dependent.
2772	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2773
2774	# Determine OpenSSL library version
2775	AC_MSG_CHECKING([OpenSSL library version])
2776	AC_RUN_IFELSE(
2777		[AC_LANG_PROGRAM([[
2778	#include <stdio.h>
2779	#include <stdlib.h>
2780	#include <string.h>
2781	#include <openssl/opensslv.h>
2782	#include <openssl/crypto.h>
2783	#define DATA "conftest.ssllibver"
2784		]], [[
2785		FILE *fd;
2786		int rc;
2787
2788		fd = fopen(DATA,"w");
2789		if(fd == NULL)
2790			exit(1);
2791#ifndef OPENSSL_VERSION
2792# define OPENSSL_VERSION SSLEAY_VERSION
2793#endif
2794#ifndef HAVE_OPENSSL_VERSION
2795# define OpenSSL_version	SSLeay_version
2796#endif
2797#ifndef HAVE_OPENSSL_VERSION_NUM
2798# define OpenSSL_version_num	SSLeay
2799#endif
2800		if ((rc = fprintf(fd, "%08lx (%s)\n",
2801		    (unsigned long)OpenSSL_version_num(),
2802		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2803			exit(1);
2804
2805		exit(0);
2806		]])],
2807		[
2808			ssl_library_ver=`cat conftest.ssllibver`
2809			# Check version is supported.
2810			case "$ssl_library_ver" in
2811			10000*|0*)
2812				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2813		                ;;
2814			100*)   ;; # 1.0.x
2815			101000[[0123456]]*)
2816				# https://github.com/openssl/openssl/pull/4613
2817				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2818				;;
2819			101*)   ;; # 1.1.x
2820			200*)   ;; # LibreSSL
2821			300*)   ;; # OpenSSL development branch.
2822		        *)
2823				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2824		                ;;
2825			esac
2826			AC_MSG_RESULT([$ssl_library_ver])
2827		],
2828		[
2829			AC_MSG_RESULT([not found])
2830			AC_MSG_ERROR([OpenSSL library not found.])
2831		],
2832		[
2833			AC_MSG_WARN([cross compiling: not checking])
2834		]
2835	)
2836
2837	# Sanity check OpenSSL headers
2838	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2839	AC_RUN_IFELSE(
2840		[AC_LANG_PROGRAM([[
2841	#include <stdlib.h>
2842	#include <string.h>
2843	#include <openssl/opensslv.h>
2844	#include <openssl/crypto.h>
2845		]], [[
2846#ifndef HAVE_OPENSSL_VERSION_NUM
2847# define OpenSSL_version_num	SSLeay
2848#endif
2849		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2850		]])],
2851		[
2852			AC_MSG_RESULT([yes])
2853		],
2854		[
2855			AC_MSG_RESULT([no])
2856			if test "x$openssl_check_nonfatal" = "x"; then
2857				AC_MSG_ERROR([Your OpenSSL headers do not match your
2858	library. Check config.log for details.
2859	If you are sure your installation is consistent, you can disable the check
2860	by running "./configure --without-openssl-header-check".
2861	Also see contrib/findssl.sh for help identifying header/library mismatches.
2862	])
2863			else
2864				AC_MSG_WARN([Your OpenSSL headers do not match your
2865	library. Check config.log for details.
2866	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2867			fi
2868		],
2869		[
2870			AC_MSG_WARN([cross compiling: not checking])
2871		]
2872	)
2873
2874	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2875	AC_LINK_IFELSE(
2876		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2877		[[ ERR_load_crypto_strings(); ]])],
2878		[
2879			AC_MSG_RESULT([yes])
2880		],
2881		[
2882			AC_MSG_RESULT([no])
2883			saved_LIBS="$LIBS"
2884			LIBS="$LIBS -ldl"
2885			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2886			AC_LINK_IFELSE(
2887				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2888				[[ ERR_load_crypto_strings(); ]])],
2889				[
2890					AC_MSG_RESULT([yes])
2891				],
2892				[
2893					AC_MSG_RESULT([no])
2894					LIBS="$saved_LIBS"
2895				]
2896			)
2897		]
2898	)
2899
2900	AC_CHECK_FUNCS([ \
2901		BN_is_prime_ex \
2902		DSA_generate_parameters_ex \
2903		EVP_CIPHER_CTX_ctrl \
2904		EVP_DigestFinal_ex \
2905		EVP_DigestInit_ex \
2906		EVP_MD_CTX_cleanup \
2907		EVP_MD_CTX_copy_ex \
2908		EVP_MD_CTX_init \
2909		HMAC_CTX_init \
2910		RSA_generate_key_ex \
2911		RSA_get_default_method \
2912	])
2913
2914	# OpenSSL_add_all_algorithms may be a macro.
2915	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2916	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2917	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2918		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2919		[[#include <openssl/evp.h>]]
2920	    )
2921	)
2922
2923	# LibreSSL/OpenSSL 1.1x API
2924	AC_CHECK_FUNCS([ \
2925		OPENSSL_init_crypto \
2926		DH_get0_key \
2927		DH_get0_pqg \
2928		DH_set0_key \
2929		DH_set_length \
2930		DH_set0_pqg \
2931		DSA_get0_key \
2932		DSA_get0_pqg \
2933		DSA_set0_key \
2934		DSA_set0_pqg \
2935		DSA_SIG_get0 \
2936		DSA_SIG_set0 \
2937		ECDSA_SIG_get0 \
2938		ECDSA_SIG_set0 \
2939		EVP_CIPHER_CTX_iv \
2940		EVP_CIPHER_CTX_iv_noconst \
2941		EVP_CIPHER_CTX_get_iv \
2942		EVP_CIPHER_CTX_get_updated_iv \
2943		EVP_CIPHER_CTX_set_iv \
2944		RSA_get0_crt_params \
2945		RSA_get0_factors \
2946		RSA_get0_key \
2947		RSA_set0_crt_params \
2948		RSA_set0_factors \
2949		RSA_set0_key \
2950		RSA_meth_free \
2951		RSA_meth_dup \
2952		RSA_meth_set1_name \
2953		RSA_meth_get_finish \
2954		RSA_meth_set_priv_enc \
2955		RSA_meth_set_priv_dec \
2956		RSA_meth_set_finish \
2957		EVP_PKEY_get0_RSA \
2958		EVP_MD_CTX_new \
2959		EVP_MD_CTX_free \
2960		EVP_chacha20 \
2961	])
2962
2963	if test "x$openssl_engine" = "xyes" ; then
2964		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2965		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2966	#include <openssl/engine.h>
2967			]], [[
2968				ENGINE_load_builtin_engines();
2969				ENGINE_register_all_complete();
2970			]])],
2971			[ AC_MSG_RESULT([yes])
2972			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2973			     [Enable OpenSSL engine support])
2974			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2975		])
2976	fi
2977
2978	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2979	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2980	AC_LINK_IFELSE(
2981		[AC_LANG_PROGRAM([[
2982	#include <stdlib.h>
2983	#include <string.h>
2984	#include <openssl/evp.h>
2985		]], [[
2986		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2987		]])],
2988		[
2989			AC_MSG_RESULT([no])
2990		],
2991		[
2992			AC_MSG_RESULT([yes])
2993			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2994			    [libcrypto is missing AES 192 and 256 bit functions])
2995		]
2996	)
2997
2998	# Check for OpenSSL with EVP_aes_*ctr
2999	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
3000	AC_LINK_IFELSE(
3001		[AC_LANG_PROGRAM([[
3002	#include <stdlib.h>
3003	#include <string.h>
3004	#include <openssl/evp.h>
3005		]], [[
3006		exit(EVP_aes_128_ctr() == NULL ||
3007		    EVP_aes_192_cbc() == NULL ||
3008		    EVP_aes_256_cbc() == NULL);
3009		]])],
3010		[
3011			AC_MSG_RESULT([yes])
3012			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
3013			    [libcrypto has EVP AES CTR])
3014		],
3015		[
3016			AC_MSG_RESULT([no])
3017		]
3018	)
3019
3020	# Check for OpenSSL with EVP_aes_*gcm
3021	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
3022	AC_LINK_IFELSE(
3023		[AC_LANG_PROGRAM([[
3024	#include <stdlib.h>
3025	#include <string.h>
3026	#include <openssl/evp.h>
3027		]], [[
3028		exit(EVP_aes_128_gcm() == NULL ||
3029		    EVP_aes_256_gcm() == NULL ||
3030		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
3031		    EVP_CTRL_GCM_IV_GEN == 0 ||
3032		    EVP_CTRL_GCM_SET_TAG == 0 ||
3033		    EVP_CTRL_GCM_GET_TAG == 0 ||
3034		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
3035		]])],
3036		[
3037			AC_MSG_RESULT([yes])
3038			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
3039			    [libcrypto has EVP AES GCM])
3040		],
3041		[
3042			AC_MSG_RESULT([no])
3043			unsupported_algorithms="$unsupported_cipers \
3044			   aes128-gcm@openssh.com \
3045			   aes256-gcm@openssh.com"
3046		]
3047	)
3048
3049	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
3050	AC_LINK_IFELSE(
3051		[AC_LANG_PROGRAM([[
3052	#include <stdlib.h>
3053	#include <string.h>
3054	#include <openssl/evp.h>
3055		]], [[
3056		if(EVP_DigestUpdate(NULL, NULL,0))
3057			exit(0);
3058		]])],
3059		[
3060			AC_MSG_RESULT([yes])
3061		],
3062		[
3063			AC_MSG_RESULT([no])
3064			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
3065			    [Define if EVP_DigestUpdate returns void])
3066		]
3067	)
3068
3069	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
3070	# because the system crypt() is more featureful.
3071	if test "x$check_for_libcrypt_before" = "x1"; then
3072		AC_CHECK_LIB([crypt], [crypt])
3073	fi
3074
3075	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
3076	# version in OpenSSL.
3077	if test "x$check_for_libcrypt_later" = "x1"; then
3078		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3079	fi
3080	AC_CHECK_FUNCS([crypt DES_crypt])
3081
3082	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3083	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3084
3085	# Check complete ECC support in OpenSSL
3086	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3087	AC_LINK_IFELSE(
3088		[AC_LANG_PROGRAM([[
3089	#include <openssl/ec.h>
3090	#include <openssl/ecdh.h>
3091	#include <openssl/ecdsa.h>
3092	#include <openssl/evp.h>
3093	#include <openssl/objects.h>
3094	#include <openssl/opensslv.h>
3095		]], [[
3096		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3097		const EVP_MD *m = EVP_sha256(); /* We need this too */
3098		]])],
3099		[ AC_MSG_RESULT([yes])
3100		  enable_nistp256=1 ],
3101		[ AC_MSG_RESULT([no]) ]
3102	)
3103
3104	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3105	AC_LINK_IFELSE(
3106		[AC_LANG_PROGRAM([[
3107	#include <openssl/ec.h>
3108	#include <openssl/ecdh.h>
3109	#include <openssl/ecdsa.h>
3110	#include <openssl/evp.h>
3111	#include <openssl/objects.h>
3112	#include <openssl/opensslv.h>
3113		]], [[
3114		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3115		const EVP_MD *m = EVP_sha384(); /* We need this too */
3116		]])],
3117		[ AC_MSG_RESULT([yes])
3118		  enable_nistp384=1 ],
3119		[ AC_MSG_RESULT([no]) ]
3120	)
3121
3122	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3123	AC_LINK_IFELSE(
3124		[AC_LANG_PROGRAM([[
3125	#include <openssl/ec.h>
3126	#include <openssl/ecdh.h>
3127	#include <openssl/ecdsa.h>
3128	#include <openssl/evp.h>
3129	#include <openssl/objects.h>
3130	#include <openssl/opensslv.h>
3131		]], [[
3132		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3133		const EVP_MD *m = EVP_sha512(); /* We need this too */
3134		]])],
3135		[ AC_MSG_RESULT([yes])
3136		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3137		  AC_RUN_IFELSE(
3138			[AC_LANG_PROGRAM([[
3139	#include <stdlib.h>
3140	#include <openssl/ec.h>
3141	#include <openssl/ecdh.h>
3142	#include <openssl/ecdsa.h>
3143	#include <openssl/evp.h>
3144	#include <openssl/objects.h>
3145	#include <openssl/opensslv.h>
3146			]],[[
3147			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3148			const EVP_MD *m = EVP_sha512(); /* We need this too */
3149			exit(e == NULL || m == NULL);
3150			]])],
3151			[ AC_MSG_RESULT([yes])
3152			  enable_nistp521=1 ],
3153			[ AC_MSG_RESULT([no]) ],
3154			[ AC_MSG_WARN([cross-compiling: assuming yes])
3155			  enable_nistp521=1 ]
3156		  )],
3157		AC_MSG_RESULT([no])
3158	)
3159
3160	COMMENT_OUT_ECC="#no ecc#"
3161	TEST_SSH_ECC=no
3162
3163	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3164	    test x$enable_nistp521 = x1; then
3165		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3166		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3167		openssl_ecc=yes
3168	else
3169		openssl_ecc=no
3170	fi
3171	if test x$enable_nistp256 = x1; then
3172		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3173		    [libcrypto has NID_X9_62_prime256v1])
3174		TEST_SSH_ECC=yes
3175		COMMENT_OUT_ECC=""
3176	else
3177		unsupported_algorithms="$unsupported_algorithms \
3178			ecdsa-sha2-nistp256 \
3179			ecdh-sha2-nistp256 \
3180			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3181	fi
3182	if test x$enable_nistp384 = x1; then
3183		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3184		TEST_SSH_ECC=yes
3185		COMMENT_OUT_ECC=""
3186	else
3187		unsupported_algorithms="$unsupported_algorithms \
3188			ecdsa-sha2-nistp384 \
3189			ecdh-sha2-nistp384 \
3190			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3191	fi
3192	if test x$enable_nistp521 = x1; then
3193		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3194		TEST_SSH_ECC=yes
3195		COMMENT_OUT_ECC=""
3196	else
3197		unsupported_algorithms="$unsupported_algorithms \
3198			ecdh-sha2-nistp521 \
3199			ecdsa-sha2-nistp521 \
3200			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3201	fi
3202
3203	AC_SUBST([TEST_SSH_ECC])
3204	AC_SUBST([COMMENT_OUT_ECC])
3205else
3206	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3207	AC_CHECK_FUNCS([crypt])
3208fi
3209
3210# PKCS11/U2F depend on OpenSSL and dlopen().
3211enable_pkcs11=yes
3212enable_sk=yes
3213if test "x$openssl" != "xyes" ; then
3214	enable_pkcs11="disabled; missing libcrypto"
3215	enable_sk="disabled; missing libcrypto"
3216fi
3217if test "x$openssl_ecc" != "xyes" ; then
3218	enable_sk="disabled; OpenSSL has no ECC support"
3219fi
3220if test "x$ac_cv_func_dlopen" != "xyes" ; then
3221	enable_pkcs11="disabled; missing dlopen(3)"
3222	enable_sk="disabled; missing dlopen(3)"
3223fi
3224if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3225	enable_pkcs11="disabled; missing RTLD_NOW"
3226	enable_sk="disabled; missing RTLD_NOW"
3227fi
3228if test ! -z "$disable_pkcs11" ; then
3229	enable_pkcs11="disabled by user"
3230fi
3231if test ! -z "$disable_sk" ; then
3232	enable_sk="disabled by user"
3233fi
3234
3235AC_MSG_CHECKING([whether to enable PKCS11])
3236if test "x$enable_pkcs11" = "xyes" ; then
3237	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3238fi
3239AC_MSG_RESULT([$enable_pkcs11])
3240
3241AC_MSG_CHECKING([whether to enable U2F])
3242if test "x$enable_sk" = "xyes" ; then
3243	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3244	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3245else
3246	# Do not try to build sk-dummy library.
3247	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3248fi
3249AC_MSG_RESULT([$enable_sk])
3250
3251# Now check for built-in security key support.
3252if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
3253	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
3254	use_pkgconfig_for_libfido2=
3255	if test "x$PKGCONFIG" != "xno"; then
3256		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3257		if "$PKGCONFIG" libfido2; then
3258			AC_MSG_RESULT([yes])
3259			use_pkgconfig_for_libfido2=yes
3260		else
3261			AC_MSG_RESULT([no])
3262		fi
3263	fi
3264	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3265		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3266		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3267	else
3268		LIBFIDO2="-lfido2 -lcbor"
3269	fi
3270	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3271	AC_CHECK_LIB([fido2], [fido_init],
3272		[
3273			AC_SUBST([LIBFIDO2])
3274			AC_DEFINE([ENABLE_SK_INTERNAL], [],
3275			    [Enable for built-in U2F/FIDO support])
3276			enable_sk="built-in"
3277		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
3278		[ $OTHERLIBS ]
3279	)
3280	saved_LIBS="$LIBS"
3281	LIBS="$LIBS $LIBFIDO2"
3282	AC_CHECK_FUNCS([ \
3283		fido_cred_prot \
3284		fido_cred_set_prot \
3285		fido_dev_get_touch_begin \
3286		fido_dev_get_touch_status \
3287		fido_dev_supports_cred_prot \
3288	])
3289	LIBS="$saved_LIBS"
3290	AC_CHECK_HEADER([fido.h], [],
3291		AC_MSG_ERROR([missing fido.h from libfido2]))
3292	AC_CHECK_HEADER([fido/credman.h], [],
3293		AC_MSG_ERROR([missing fido/credman.h from libfido2]),
3294		[#include <fido.h>]
3295	)
3296fi
3297
3298AC_CHECK_FUNCS([ \
3299	arc4random \
3300	arc4random_buf \
3301	arc4random_stir \
3302	arc4random_uniform \
3303])
3304
3305saved_LIBS="$LIBS"
3306AC_CHECK_LIB([iaf], [ia_openinfo], [
3307	LIBS="$LIBS -liaf"
3308	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3309				AC_DEFINE([HAVE_LIBIAF], [1],
3310			[Define if system has libiaf that supports set_id])
3311				])
3312])
3313LIBS="$saved_LIBS"
3314
3315### Configure cryptographic random number support
3316
3317# Check whether OpenSSL seeds itself
3318if test "x$openssl" = "xyes" ; then
3319	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3320	AC_RUN_IFELSE(
3321		[AC_LANG_PROGRAM([[
3322	#include <stdlib.h>
3323	#include <string.h>
3324	#include <openssl/rand.h>
3325		]], [[
3326		exit(RAND_status() == 1 ? 0 : 1);
3327		]])],
3328		[
3329			OPENSSL_SEEDS_ITSELF=yes
3330			AC_MSG_RESULT([yes])
3331		],
3332		[
3333			AC_MSG_RESULT([no])
3334		],
3335		[
3336			AC_MSG_WARN([cross compiling: assuming yes])
3337			# This is safe, since we will fatal() at runtime if
3338			# OpenSSL is not seeded correctly.
3339			OPENSSL_SEEDS_ITSELF=yes
3340		]
3341	)
3342fi
3343
3344# PRNGD TCP socket
3345AC_ARG_WITH([prngd-port],
3346	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3347	[
3348		case "$withval" in
3349		no)
3350			withval=""
3351			;;
3352		[[0-9]]*)
3353			;;
3354		*)
3355			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3356			;;
3357		esac
3358		if test ! -z "$withval" ; then
3359			PRNGD_PORT="$withval"
3360			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3361				[Port number of PRNGD/EGD random number socket])
3362		fi
3363	]
3364)
3365
3366# PRNGD Unix domain socket
3367AC_ARG_WITH([prngd-socket],
3368	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3369	[
3370		case "$withval" in
3371		yes)
3372			withval="/var/run/egd-pool"
3373			;;
3374		no)
3375			withval=""
3376			;;
3377		/*)
3378			;;
3379		*)
3380			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3381			;;
3382		esac
3383
3384		if test ! -z "$withval" ; then
3385			if test ! -z "$PRNGD_PORT" ; then
3386				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3387			fi
3388			if test ! -r "$withval" ; then
3389				AC_MSG_WARN([Entropy socket is not readable])
3390			fi
3391			PRNGD_SOCKET="$withval"
3392			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3393				[Location of PRNGD/EGD random number socket])
3394		fi
3395	],
3396	[
3397		# Check for existing socket only if we don't have a random device already
3398		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3399			AC_MSG_CHECKING([for PRNGD/EGD socket])
3400			# Insert other locations here
3401			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3402				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3403					PRNGD_SOCKET="$sock"
3404					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3405					break;
3406				fi
3407			done
3408			if test ! -z "$PRNGD_SOCKET" ; then
3409				AC_MSG_RESULT([$PRNGD_SOCKET])
3410			else
3411				AC_MSG_RESULT([not found])
3412			fi
3413		fi
3414	]
3415)
3416
3417# Which randomness source do we use?
3418if test ! -z "$PRNGD_PORT" ; then
3419	RAND_MSG="PRNGd port $PRNGD_PORT"
3420elif test ! -z "$PRNGD_SOCKET" ; then
3421	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3422elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3423	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3424		[Define if you want the OpenSSL internally seeded PRNG only])
3425	RAND_MSG="OpenSSL internal ONLY"
3426elif test "x$openssl" = "xno" ; then
3427	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3428else
3429	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3430fi
3431
3432# Check for PAM libs
3433PAM_MSG="no"
3434AC_ARG_WITH([pam],
3435	[  --with-pam              Enable PAM support ],
3436	[
3437		if test "x$withval" != "xno" ; then
3438			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3439			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3440				AC_MSG_ERROR([PAM headers not found])
3441			fi
3442
3443			saved_LIBS="$LIBS"
3444			AC_CHECK_LIB([dl], [dlopen], , )
3445			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3446			AC_CHECK_FUNCS([pam_getenvlist])
3447			AC_CHECK_FUNCS([pam_putenv])
3448			LIBS="$saved_LIBS"
3449
3450			PAM_MSG="yes"
3451
3452			SSHDLIBS="$SSHDLIBS -lpam"
3453			AC_DEFINE([USE_PAM], [1],
3454				[Define if you want to enable PAM support])
3455
3456			if test $ac_cv_lib_dl_dlopen = yes; then
3457				case "$LIBS" in
3458				*-ldl*)
3459					# libdl already in LIBS
3460					;;
3461				*)
3462					SSHDLIBS="$SSHDLIBS -ldl"
3463					;;
3464				esac
3465			fi
3466		fi
3467	]
3468)
3469
3470AC_ARG_WITH([pam-service],
3471	[  --with-pam-service=name Specify PAM service name ],
3472	[
3473		if test "x$withval" != "xno" && \
3474		   test "x$withval" != "xyes" ; then
3475			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3476				["$withval"], [sshd PAM service name])
3477		fi
3478	]
3479)
3480
3481# Check for older PAM
3482if test "x$PAM_MSG" = "xyes" ; then
3483	# Check PAM strerror arguments (old PAM)
3484	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3485	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3486#include <stdlib.h>
3487#if defined(HAVE_SECURITY_PAM_APPL_H)
3488#include <security/pam_appl.h>
3489#elif defined (HAVE_PAM_PAM_APPL_H)
3490#include <pam/pam_appl.h>
3491#endif
3492		]], [[
3493(void)pam_strerror((pam_handle_t *)NULL, -1);
3494		]])], [AC_MSG_RESULT([no])], [
3495			AC_DEFINE([HAVE_OLD_PAM], [1],
3496				[Define if you have an old version of PAM
3497				which takes only one argument to pam_strerror])
3498			AC_MSG_RESULT([yes])
3499			PAM_MSG="yes (old library)"
3500
3501	])
3502fi
3503
3504case "$host" in
3505*-*-cygwin*)
3506	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3507	;;
3508*)
3509	SSH_PRIVSEP_USER=sshd
3510	;;
3511esac
3512AC_ARG_WITH([privsep-user],
3513	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3514	[
3515		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3516		    test "x${withval}" != "xyes"; then
3517			SSH_PRIVSEP_USER=$withval
3518		fi
3519	]
3520)
3521if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3522	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3523		[Cygwin function to fetch non-privileged user for privilege separation])
3524else
3525	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3526		[non-privileged user for privilege separation])
3527fi
3528AC_SUBST([SSH_PRIVSEP_USER])
3529
3530if test "x$have_linux_no_new_privs" = "x1" ; then
3531AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3532	#include <sys/types.h>
3533	#include <linux/seccomp.h>
3534])
3535fi
3536if test "x$have_seccomp_filter" = "x1" ; then
3537AC_MSG_CHECKING([kernel for seccomp_filter support])
3538AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3539		#include <errno.h>
3540		#include <elf.h>
3541		#include <linux/audit.h>
3542		#include <linux/seccomp.h>
3543		#include <stdlib.h>
3544		#include <sys/prctl.h>
3545	]],
3546	[[ int i = $seccomp_audit_arch;
3547	   errno = 0;
3548	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3549	   exit(errno == EFAULT ? 0 : 1); ]])],
3550	[ AC_MSG_RESULT([yes]) ], [
3551		AC_MSG_RESULT([no])
3552		# Disable seccomp filter as a target
3553		have_seccomp_filter=0
3554	]
3555)
3556fi
3557
3558# Decide which sandbox style to use
3559sandbox_arg=""
3560AC_ARG_WITH([sandbox],
3561	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3562	[
3563		if test "x$withval" = "xyes" ; then
3564			sandbox_arg=""
3565		else
3566			sandbox_arg="$withval"
3567		fi
3568	]
3569)
3570
3571# Some platforms (seems to be the ones that have a kernel poll(2)-type
3572# function with which they implement select(2)) use an extra file descriptor
3573# when calling select(2), which means we can't use the rlimit sandbox.
3574AC_MSG_CHECKING([if select works with descriptor rlimit])
3575AC_RUN_IFELSE(
3576	[AC_LANG_PROGRAM([[
3577#include <sys/types.h>
3578#ifdef HAVE_SYS_TIME_H
3579# include <sys/time.h>
3580#endif
3581#include <sys/resource.h>
3582#ifdef HAVE_SYS_SELECT_H
3583# include <sys/select.h>
3584#endif
3585#include <errno.h>
3586#include <fcntl.h>
3587#include <stdlib.h>
3588	]],[[
3589	struct rlimit rl_zero;
3590	int fd, r;
3591	fd_set fds;
3592	struct timeval tv;
3593
3594	fd = open("/dev/null", O_RDONLY);
3595	FD_ZERO(&fds);
3596	FD_SET(fd, &fds);
3597	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3598	setrlimit(RLIMIT_FSIZE, &rl_zero);
3599	setrlimit(RLIMIT_NOFILE, &rl_zero);
3600	tv.tv_sec = 1;
3601	tv.tv_usec = 0;
3602	r = select(fd+1, &fds, NULL, NULL, &tv);
3603	exit (r == -1 ? 1 : 0);
3604	]])],
3605	[AC_MSG_RESULT([yes])
3606	 select_works_with_rlimit=yes],
3607	[AC_MSG_RESULT([no])
3608	 select_works_with_rlimit=no],
3609	[AC_MSG_WARN([cross compiling: assuming yes])
3610	 select_works_with_rlimit=yes]
3611)
3612
3613AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3614AC_RUN_IFELSE(
3615	[AC_LANG_PROGRAM([[
3616#include <sys/types.h>
3617#ifdef HAVE_SYS_TIME_H
3618# include <sys/time.h>
3619#endif
3620#include <sys/resource.h>
3621#include <errno.h>
3622#include <stdlib.h>
3623	]],[[
3624	struct rlimit rl_zero;
3625	int r;
3626
3627	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3628	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3629	exit (r == -1 ? 1 : 0);
3630	]])],
3631	[AC_MSG_RESULT([yes])
3632	 rlimit_nofile_zero_works=yes],
3633	[AC_MSG_RESULT([no])
3634	 rlimit_nofile_zero_works=no],
3635	[AC_MSG_WARN([cross compiling: assuming yes])
3636	 rlimit_nofile_zero_works=yes]
3637)
3638
3639AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3640AC_RUN_IFELSE(
3641	[AC_LANG_PROGRAM([[
3642#include <sys/types.h>
3643#include <sys/resource.h>
3644#include <stdlib.h>
3645	]],[[
3646		struct rlimit rl_zero;
3647
3648		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3649		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3650	]])],
3651	[AC_MSG_RESULT([yes])],
3652	[AC_MSG_RESULT([no])
3653	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3654	    [setrlimit RLIMIT_FSIZE works])],
3655	[AC_MSG_WARN([cross compiling: assuming yes])]
3656)
3657
3658if test "x$sandbox_arg" = "xpledge" || \
3659   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3660	test "x$ac_cv_func_pledge" != "xyes" && \
3661		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3662	SANDBOX_STYLE="pledge"
3663	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3664elif test "x$sandbox_arg" = "xsystrace" || \
3665   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3666	test "x$have_systr_policy_kill" != "x1" && \
3667		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3668	SANDBOX_STYLE="systrace"
3669	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3670elif test "x$sandbox_arg" = "xdarwin" || \
3671     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3672       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3673	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3674	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3675		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3676	SANDBOX_STYLE="darwin"
3677	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3678elif test "x$sandbox_arg" = "xseccomp_filter" || \
3679     ( test -z "$sandbox_arg" && \
3680       test "x$have_seccomp_filter" = "x1" && \
3681       test "x$ac_cv_header_elf_h" = "xyes" && \
3682       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3683       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3684       test "x$seccomp_audit_arch" != "x" && \
3685       test "x$have_linux_no_new_privs" = "x1" && \
3686       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3687	test "x$seccomp_audit_arch" = "x" && \
3688		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3689	test "x$have_linux_no_new_privs" != "x1" && \
3690		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3691	test "x$have_seccomp_filter" != "x1" && \
3692		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3693	test "x$ac_cv_func_prctl" != "xyes" && \
3694		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3695	SANDBOX_STYLE="seccomp_filter"
3696	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3697elif test "x$sandbox_arg" = "xcapsicum" || \
3698     ( test -z "$sandbox_arg" && \
3699       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3700       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3701       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3702		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3703       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3704		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3705       SANDBOX_STYLE="capsicum"
3706       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3707elif test "x$sandbox_arg" = "xrlimit" || \
3708     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3709       test "x$select_works_with_rlimit" = "xyes" && \
3710       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3711	test "x$ac_cv_func_setrlimit" != "xyes" && \
3712		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3713	test "x$select_works_with_rlimit" != "xyes" && \
3714		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3715	SANDBOX_STYLE="rlimit"
3716	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3717elif test "x$sandbox_arg" = "xsolaris" || \
3718   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3719	SANDBOX_STYLE="solaris"
3720	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3721elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3722     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3723	SANDBOX_STYLE="none"
3724	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3725else
3726	AC_MSG_ERROR([unsupported --with-sandbox])
3727fi
3728
3729# Cheap hack to ensure NEWS-OS libraries are arranged right.
3730if test ! -z "$SONY" ; then
3731  LIBS="$LIBS -liberty";
3732fi
3733
3734# Check for long long datatypes
3735AC_CHECK_TYPES([long long, unsigned long long, long double])
3736
3737# Check datatype sizes
3738AC_CHECK_SIZEOF([short int])
3739AC_CHECK_SIZEOF([int])
3740AC_CHECK_SIZEOF([long int])
3741AC_CHECK_SIZEOF([long long int])
3742AC_CHECK_SIZEOF([time_t], [], [[
3743    #include <sys/types.h>
3744    #ifdef HAVE_SYS_TIME_H
3745    # include <sys/time.h>
3746    #endif
3747    #ifdef HAVE_TIME_H
3748    # include <time.h>
3749    #endif
3750	]]
3751)
3752
3753# Sanity check long long for some platforms (AIX)
3754if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3755	ac_cv_sizeof_long_long_int=0
3756fi
3757
3758# compute LLONG_MIN and LLONG_MAX if we don't know them.
3759if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3760	AC_MSG_CHECKING([for max value of long long])
3761	AC_RUN_IFELSE(
3762		[AC_LANG_PROGRAM([[
3763#include <stdio.h>
3764#include <stdlib.h>
3765/* Why is this so damn hard? */
3766#ifdef __GNUC__
3767# undef __GNUC__
3768#endif
3769#define __USE_ISOC99
3770#include <limits.h>
3771#define DATA "conftest.llminmax"
3772#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3773
3774/*
3775 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3776 * we do this the hard way.
3777 */
3778static int
3779fprint_ll(FILE *f, long long n)
3780{
3781	unsigned int i;
3782	int l[sizeof(long long) * 8];
3783
3784	if (n < 0)
3785		if (fprintf(f, "-") < 0)
3786			return -1;
3787	for (i = 0; n != 0; i++) {
3788		l[i] = my_abs(n % 10);
3789		n /= 10;
3790	}
3791	do {
3792		if (fprintf(f, "%d", l[--i]) < 0)
3793			return -1;
3794	} while (i != 0);
3795	if (fprintf(f, " ") < 0)
3796		return -1;
3797	return 0;
3798}
3799		]], [[
3800	FILE *f;
3801	long long i, llmin, llmax = 0;
3802
3803	if((f = fopen(DATA,"w")) == NULL)
3804		exit(1);
3805
3806#if defined(LLONG_MIN) && defined(LLONG_MAX)
3807	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3808	llmin = LLONG_MIN;
3809	llmax = LLONG_MAX;
3810#else
3811	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3812	/* This will work on one's complement and two's complement */
3813	for (i = 1; i > llmax; i <<= 1, i++)
3814		llmax = i;
3815	llmin = llmax + 1LL;	/* wrap */
3816#endif
3817
3818	/* Sanity check */
3819	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3820	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3821	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3822		fprintf(f, "unknown unknown\n");
3823		exit(2);
3824	}
3825
3826	if (fprint_ll(f, llmin) < 0)
3827		exit(3);
3828	if (fprint_ll(f, llmax) < 0)
3829		exit(4);
3830	if (fclose(f) < 0)
3831		exit(5);
3832	exit(0);
3833		]])],
3834		[
3835			llong_min=`$AWK '{print $1}' conftest.llminmax`
3836			llong_max=`$AWK '{print $2}' conftest.llminmax`
3837
3838			AC_MSG_RESULT([$llong_max])
3839			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3840			    [max value of long long calculated by configure])
3841			AC_MSG_CHECKING([for min value of long long])
3842			AC_MSG_RESULT([$llong_min])
3843			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3844			    [min value of long long calculated by configure])
3845		],
3846		[
3847			AC_MSG_RESULT([not found])
3848		],
3849		[
3850			AC_MSG_WARN([cross compiling: not checking])
3851		]
3852	)
3853fi
3854
3855AC_CHECK_DECLS([UINT32_MAX], , , [[
3856#ifdef HAVE_SYS_LIMITS_H
3857# include <sys/limits.h>
3858#endif
3859#ifdef HAVE_LIMITS_H
3860# include <limits.h>
3861#endif
3862#ifdef HAVE_STDINT_H
3863# include <stdint.h>
3864#endif
3865]])
3866
3867# More checks for data types
3868AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3869	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3870	[[ u_int a; a = 1;]])],
3871	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3872	])
3873])
3874if test "x$ac_cv_have_u_int" = "xyes" ; then
3875	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3876	have_u_int=1
3877fi
3878
3879AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3880	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3881	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3882	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3883	])
3884])
3885if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3886	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3887	have_intxx_t=1
3888fi
3889
3890if (test -z "$have_intxx_t" && \
3891	   test "x$ac_cv_header_stdint_h" = "xyes")
3892then
3893    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3894	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3895	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3896		[
3897			AC_DEFINE([HAVE_INTXX_T])
3898			AC_MSG_RESULT([yes])
3899		], [ AC_MSG_RESULT([no])
3900	])
3901fi
3902
3903AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3904	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3905#include <sys/types.h>
3906#ifdef HAVE_STDINT_H
3907# include <stdint.h>
3908#endif
3909#include <sys/socket.h>
3910#ifdef HAVE_SYS_BITYPES_H
3911# include <sys/bitypes.h>
3912#endif
3913		]], [[
3914int64_t a; a = 1;
3915		]])],
3916	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3917	])
3918])
3919if test "x$ac_cv_have_int64_t" = "xyes" ; then
3920	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3921fi
3922
3923AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3924	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3925	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3926	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3927	])
3928])
3929if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3930	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3931	have_u_intxx_t=1
3932fi
3933
3934if test -z "$have_u_intxx_t" ; then
3935    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3936	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3937	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3938		[
3939			AC_DEFINE([HAVE_U_INTXX_T])
3940			AC_MSG_RESULT([yes])
3941		], [ AC_MSG_RESULT([no])
3942	])
3943fi
3944
3945AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3946	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3947	[[ u_int64_t a; a = 1;]])],
3948	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3949	])
3950])
3951if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3952	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3953	have_u_int64_t=1
3954fi
3955
3956if (test -z "$have_u_int64_t" && \
3957	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3958then
3959    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3960	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3961	[[ u_int64_t a; a = 1]])],
3962		[
3963			AC_DEFINE([HAVE_U_INT64_T])
3964			AC_MSG_RESULT([yes])
3965		], [ AC_MSG_RESULT([no])
3966	])
3967fi
3968
3969if test -z "$have_u_intxx_t" ; then
3970	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3971		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3972#include <sys/types.h>
3973			]], [[
3974	uint8_t a;
3975	uint16_t b;
3976	uint32_t c;
3977	a = b = c = 1;
3978			]])],
3979		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3980		])
3981	])
3982	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3983		AC_DEFINE([HAVE_UINTXX_T], [1],
3984			[define if you have uintxx_t data type])
3985	fi
3986fi
3987
3988if (test -z "$have_uintxx_t" && \
3989	   test "x$ac_cv_header_stdint_h" = "xyes")
3990then
3991    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3992	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3993	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3994		[
3995			AC_DEFINE([HAVE_UINTXX_T])
3996			AC_MSG_RESULT([yes])
3997		], [ AC_MSG_RESULT([no])
3998	])
3999fi
4000
4001if (test -z "$have_uintxx_t" && \
4002	   test "x$ac_cv_header_inttypes_h" = "xyes")
4003then
4004    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
4005	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
4006	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
4007		[
4008			AC_DEFINE([HAVE_UINTXX_T])
4009			AC_MSG_RESULT([yes])
4010		], [ AC_MSG_RESULT([no])
4011	])
4012fi
4013
4014if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
4015	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
4016then
4017	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
4018	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4019#include <sys/bitypes.h>
4020		]], [[
4021			int8_t a; int16_t b; int32_t c;
4022			u_int8_t e; u_int16_t f; u_int32_t g;
4023			a = b = c = e = f = g = 1;
4024		]])],
4025		[
4026			AC_DEFINE([HAVE_U_INTXX_T])
4027			AC_DEFINE([HAVE_INTXX_T])
4028			AC_MSG_RESULT([yes])
4029		], [AC_MSG_RESULT([no])
4030	])
4031fi
4032
4033
4034AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
4035	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4036	[[ u_char foo; foo = 125; ]])],
4037	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
4038	])
4039])
4040if test "x$ac_cv_have_u_char" = "xyes" ; then
4041	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
4042fi
4043
4044AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
4045#include <sys/types.h>
4046#ifdef HAVE_STDINT_H
4047# include <stdint.h>
4048#endif
4049])
4050
4051TYPE_SOCKLEN_T
4052
4053AC_CHECK_TYPES([sig_atomic_t, sighandler_t], , , [#include <signal.h>])
4054AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
4055#include <sys/types.h>
4056#ifdef HAVE_SYS_BITYPES_H
4057#include <sys/bitypes.h>
4058#endif
4059#ifdef HAVE_SYS_STATFS_H
4060#include <sys/statfs.h>
4061#endif
4062#ifdef HAVE_SYS_STATVFS_H
4063#include <sys/statvfs.h>
4064#endif
4065])
4066
4067AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
4068#include <sys/param.h>
4069#include <sys/types.h>
4070#ifdef HAVE_SYS_BITYPES_H
4071#include <sys/bitypes.h>
4072#endif
4073#ifdef HAVE_SYS_STATFS_H
4074#include <sys/statfs.h>
4075#endif
4076#ifdef HAVE_SYS_STATVFS_H
4077#include <sys/statvfs.h>
4078#endif
4079#ifdef HAVE_SYS_VFS_H
4080#include <sys/vfs.h>
4081#endif
4082#ifdef HAVE_SYS_MOUNT_H
4083#include <sys/mount.h>
4084#endif
4085]])
4086
4087
4088AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
4089[#include <sys/types.h>
4090#include <netinet/in.h>])
4091
4092AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
4093	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4094	[[ size_t foo; foo = 1235; ]])],
4095	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4096	])
4097])
4098if test "x$ac_cv_have_size_t" = "xyes" ; then
4099	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4100fi
4101
4102AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4103	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4104	[[ ssize_t foo; foo = 1235; ]])],
4105	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4106	])
4107])
4108if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4109	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4110fi
4111
4112AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4113	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4114	[[ clock_t foo; foo = 1235; ]])],
4115	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4116	])
4117])
4118if test "x$ac_cv_have_clock_t" = "xyes" ; then
4119	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4120fi
4121
4122AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4123	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4124#include <sys/types.h>
4125#include <sys/socket.h>
4126		]], [[ sa_family_t foo; foo = 1235; ]])],
4127	[ ac_cv_have_sa_family_t="yes" ],
4128	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4129#include <sys/types.h>
4130#include <sys/socket.h>
4131#include <netinet/in.h>
4132		]], [[ sa_family_t foo; foo = 1235; ]])],
4133		[ ac_cv_have_sa_family_t="yes" ],
4134		[ ac_cv_have_sa_family_t="no" ]
4135	)
4136	])
4137])
4138if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4139	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4140		[define if you have sa_family_t data type])
4141fi
4142
4143AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4144	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4145	[[ pid_t foo; foo = 1235; ]])],
4146	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4147	])
4148])
4149if test "x$ac_cv_have_pid_t" = "xyes" ; then
4150	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4151fi
4152
4153AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4154	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4155	[[ mode_t foo; foo = 1235; ]])],
4156	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4157	])
4158])
4159if test "x$ac_cv_have_mode_t" = "xyes" ; then
4160	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4161fi
4162
4163
4164AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4165	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4166#include <sys/types.h>
4167#include <sys/socket.h>
4168		]], [[ struct sockaddr_storage s; ]])],
4169	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4170	[ ac_cv_have_struct_sockaddr_storage="no"
4171	])
4172])
4173if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4174	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4175		[define if you have struct sockaddr_storage data type])
4176fi
4177
4178AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4179	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4180#include <sys/types.h>
4181#include <netinet/in.h>
4182		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4183	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4184	[ ac_cv_have_struct_sockaddr_in6="no"
4185	])
4186])
4187if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4188	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4189		[define if you have struct sockaddr_in6 data type])
4190fi
4191
4192AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4193	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4194#include <sys/types.h>
4195#include <netinet/in.h>
4196		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4197	[ ac_cv_have_struct_in6_addr="yes" ],
4198	[ ac_cv_have_struct_in6_addr="no"
4199	])
4200])
4201if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4202	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4203		[define if you have struct in6_addr data type])
4204
4205dnl Now check for sin6_scope_id
4206	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4207		[
4208#ifdef HAVE_SYS_TYPES_H
4209#include <sys/types.h>
4210#endif
4211#include <netinet/in.h>
4212		])
4213fi
4214
4215AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4216	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4217#include <sys/types.h>
4218#include <sys/socket.h>
4219#include <netdb.h>
4220		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4221	[ ac_cv_have_struct_addrinfo="yes" ],
4222	[ ac_cv_have_struct_addrinfo="no"
4223	])
4224])
4225if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4226	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4227		[define if you have struct addrinfo data type])
4228fi
4229
4230AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4231	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4232	[[ struct timeval tv; tv.tv_sec = 1;]])],
4233	[ ac_cv_have_struct_timeval="yes" ],
4234	[ ac_cv_have_struct_timeval="no"
4235	])
4236])
4237if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4238	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4239	have_struct_timeval=1
4240fi
4241
4242AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4243	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4244    #ifdef HAVE_SYS_TIME_H
4245    # include <sys/time.h>
4246    #endif
4247    #ifdef HAVE_TIME_H
4248    # include <time.h>
4249    #endif
4250	]],
4251	[[ struct timespec ts; ts.tv_sec = 1;]])],
4252	[ ac_cv_have_struct_timespec="yes" ],
4253	[ ac_cv_have_struct_timespec="no"
4254	])
4255])
4256if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4257	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4258	have_struct_timespec=1
4259fi
4260
4261# We need int64_t or else certain parts of the compile will fail.
4262if test "x$ac_cv_have_int64_t" = "xno" && \
4263	test "x$ac_cv_sizeof_long_int" != "x8" && \
4264	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4265	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4266	echo "an alternative compiler (I.E., GCC) before continuing."
4267	echo ""
4268	exit 1;
4269else
4270dnl test snprintf (broken on SCO w/gcc)
4271	AC_RUN_IFELSE(
4272		[AC_LANG_SOURCE([[
4273#include <stdio.h>
4274#include <stdlib.h>
4275#include <string.h>
4276#ifdef HAVE_SNPRINTF
4277main()
4278{
4279	char buf[50];
4280	char expected_out[50];
4281	int mazsize = 50 ;
4282#if (SIZEOF_LONG_INT == 8)
4283	long int num = 0x7fffffffffffffff;
4284#else
4285	long long num = 0x7fffffffffffffffll;
4286#endif
4287	strcpy(expected_out, "9223372036854775807");
4288	snprintf(buf, mazsize, "%lld", num);
4289	if(strcmp(buf, expected_out) != 0)
4290		exit(1);
4291	exit(0);
4292}
4293#else
4294main() { exit(0); }
4295#endif
4296		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4297		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4298	)
4299fi
4300
4301dnl Checks for structure members
4302OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4303OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4304OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4305OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4306OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4307OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4308OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4309OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4310OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4311OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4312OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4313OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4314OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4315OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4316OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4317OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4318OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4319OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4320
4321AC_CHECK_MEMBERS([struct stat.st_blksize])
4322AC_CHECK_MEMBERS([struct stat.st_mtim])
4323AC_CHECK_MEMBERS([struct stat.st_mtime])
4324AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4325struct passwd.pw_change, struct passwd.pw_expire],
4326[], [], [[
4327#include <sys/types.h>
4328#include <pwd.h>
4329]])
4330
4331AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4332	[Define if we don't have struct __res_state in resolv.h])],
4333[[
4334#include <stdio.h>
4335#if HAVE_SYS_TYPES_H
4336# include <sys/types.h>
4337#endif
4338#include <netinet/in.h>
4339#include <arpa/nameser.h>
4340#include <resolv.h>
4341]])
4342
4343AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4344		ac_cv_have_ss_family_in_struct_ss, [
4345	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4346#include <sys/types.h>
4347#include <sys/socket.h>
4348		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4349	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4350	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4351])
4352if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4353	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4354fi
4355
4356AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4357		ac_cv_have___ss_family_in_struct_ss, [
4358	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4359#include <sys/types.h>
4360#include <sys/socket.h>
4361		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4362	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4363	[ ac_cv_have___ss_family_in_struct_ss="no"
4364	])
4365])
4366if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4367	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4368		[Fields in struct sockaddr_storage])
4369fi
4370
4371dnl make sure we're using the real structure members and not defines
4372AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4373		ac_cv_have_accrights_in_msghdr, [
4374	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4375#include <sys/types.h>
4376#include <sys/socket.h>
4377#include <sys/uio.h>
4378#include <stdlib.h>
4379		]], [[
4380#ifdef msg_accrights
4381#error "msg_accrights is a macro"
4382exit(1);
4383#endif
4384struct msghdr m;
4385m.msg_accrights = 0;
4386exit(0);
4387		]])],
4388		[ ac_cv_have_accrights_in_msghdr="yes" ],
4389		[ ac_cv_have_accrights_in_msghdr="no" ]
4390	)
4391])
4392if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4393	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4394		[Define if your system uses access rights style
4395		file descriptor passing])
4396fi
4397
4398AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4399AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4400#include <sys/param.h>
4401#include <sys/stat.h>
4402#ifdef HAVE_SYS_TIME_H
4403# include <sys/time.h>
4404#endif
4405#ifdef HAVE_SYS_MOUNT_H
4406#include <sys/mount.h>
4407#endif
4408#ifdef HAVE_SYS_STATVFS_H
4409#include <sys/statvfs.h>
4410#endif
4411	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4412	[ AC_MSG_RESULT([yes]) ],
4413	[ AC_MSG_RESULT([no])
4414
4415	AC_MSG_CHECKING([if fsid_t has member val])
4416	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4417#include <sys/types.h>
4418#include <sys/statvfs.h>
4419	]], [[ fsid_t t; t.val[0] = 0; ]])],
4420	[ AC_MSG_RESULT([yes])
4421	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4422	[ AC_MSG_RESULT([no]) ])
4423
4424	AC_MSG_CHECKING([if f_fsid has member __val])
4425	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4426#include <sys/types.h>
4427#include <sys/statvfs.h>
4428	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4429	[ AC_MSG_RESULT([yes])
4430	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4431	[ AC_MSG_RESULT([no]) ])
4432])
4433
4434AC_CACHE_CHECK([for msg_control field in struct msghdr],
4435		ac_cv_have_control_in_msghdr, [
4436	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4437#include <sys/types.h>
4438#include <sys/socket.h>
4439#include <sys/uio.h>
4440#include <stdlib.h>
4441		]], [[
4442#ifdef msg_control
4443#error "msg_control is a macro"
4444exit(1);
4445#endif
4446struct msghdr m;
4447m.msg_control = 0;
4448exit(0);
4449		]])],
4450		[ ac_cv_have_control_in_msghdr="yes" ],
4451		[ ac_cv_have_control_in_msghdr="no" ]
4452	)
4453])
4454if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4455	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4456		[Define if your system uses ancillary data style
4457		file descriptor passing])
4458fi
4459
4460AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4461	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4462		[[ extern char *__progname; printf("%s", __progname); ]])],
4463	[ ac_cv_libc_defines___progname="yes" ],
4464	[ ac_cv_libc_defines___progname="no"
4465	])
4466])
4467if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4468	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4469fi
4470
4471AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4472	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4473		[[ printf("%s", __FUNCTION__); ]])],
4474	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4475	[ ac_cv_cc_implements___FUNCTION__="no"
4476	])
4477])
4478if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4479	AC_DEFINE([HAVE___FUNCTION__], [1],
4480		[Define if compiler implements __FUNCTION__])
4481fi
4482
4483AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4484	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4485		[[ printf("%s", __func__); ]])],
4486	[ ac_cv_cc_implements___func__="yes" ],
4487	[ ac_cv_cc_implements___func__="no"
4488	])
4489])
4490if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4491	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4492fi
4493
4494AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4495	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4496#include <stdarg.h>
4497va_list x,y;
4498		]], [[ va_copy(x,y); ]])],
4499	[ ac_cv_have_va_copy="yes" ],
4500	[ ac_cv_have_va_copy="no"
4501	])
4502])
4503if test "x$ac_cv_have_va_copy" = "xyes" ; then
4504	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4505fi
4506
4507AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4508	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4509#include <stdarg.h>
4510va_list x,y;
4511		]], [[ __va_copy(x,y); ]])],
4512	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4513	])
4514])
4515if test "x$ac_cv_have___va_copy" = "xyes" ; then
4516	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4517fi
4518
4519AC_CACHE_CHECK([whether getopt has optreset support],
4520		ac_cv_have_getopt_optreset, [
4521	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4522		[[ extern int optreset; optreset = 0; ]])],
4523	[ ac_cv_have_getopt_optreset="yes" ],
4524	[ ac_cv_have_getopt_optreset="no"
4525	])
4526])
4527if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4528	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4529		[Define if your getopt(3) defines and uses optreset])
4530fi
4531
4532AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4533	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4534[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4535	[ ac_cv_libc_defines_sys_errlist="yes" ],
4536	[ ac_cv_libc_defines_sys_errlist="no"
4537	])
4538])
4539if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4540	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4541		[Define if your system defines sys_errlist[]])
4542fi
4543
4544
4545AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4546	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4547[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4548	[ ac_cv_libc_defines_sys_nerr="yes" ],
4549	[ ac_cv_libc_defines_sys_nerr="no"
4550	])
4551])
4552if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4553	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4554fi
4555
4556# Check libraries needed by DNS fingerprint support
4557AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4558	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4559		[Define if getrrsetbyname() exists])],
4560	[
4561		# Needed by our getrrsetbyname()
4562		AC_SEARCH_LIBS([res_query], [resolv])
4563		AC_SEARCH_LIBS([dn_expand], [resolv])
4564		AC_MSG_CHECKING([if res_query will link])
4565		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4566#include <sys/types.h>
4567#include <netinet/in.h>
4568#include <arpa/nameser.h>
4569#include <netdb.h>
4570#include <resolv.h>
4571				]], [[
4572	res_query (0, 0, 0, 0, 0);
4573				]])],
4574		    AC_MSG_RESULT([yes]),
4575		   [AC_MSG_RESULT([no])
4576		    saved_LIBS="$LIBS"
4577		    LIBS="$LIBS -lresolv"
4578		    AC_MSG_CHECKING([for res_query in -lresolv])
4579		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4580#include <sys/types.h>
4581#include <netinet/in.h>
4582#include <arpa/nameser.h>
4583#include <netdb.h>
4584#include <resolv.h>
4585				]], [[
4586	res_query (0, 0, 0, 0, 0);
4587				]])],
4588			[AC_MSG_RESULT([yes])],
4589			[LIBS="$saved_LIBS"
4590			 AC_MSG_RESULT([no])])
4591		    ])
4592		AC_CHECK_FUNCS([_getshort _getlong])
4593		AC_CHECK_DECLS([_getshort, _getlong], , ,
4594		    [#include <sys/types.h>
4595		    #include <arpa/nameser.h>])
4596		AC_CHECK_MEMBER([HEADER.ad],
4597			[AC_DEFINE([HAVE_HEADER_AD], [1],
4598			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4599			[#include <arpa/nameser.h>])
4600	])
4601
4602AC_MSG_CHECKING([if struct __res_state _res is an extern])
4603AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4604#include <stdio.h>
4605#if HAVE_SYS_TYPES_H
4606# include <sys/types.h>
4607#endif
4608#include <netinet/in.h>
4609#include <arpa/nameser.h>
4610#include <resolv.h>
4611extern struct __res_state _res;
4612		]], [[
4613struct __res_state *volatile p = &_res;  /* force resolution of _res */
4614return 0;
4615		]],)],
4616		[AC_MSG_RESULT([yes])
4617		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4618		    [Define if you have struct __res_state _res as an extern])
4619		],
4620		[ AC_MSG_RESULT([no]) ]
4621)
4622
4623# Check whether user wants SELinux support
4624SELINUX_MSG="no"
4625LIBSELINUX=""
4626AC_ARG_WITH([selinux],
4627	[  --with-selinux          Enable SELinux support],
4628	[ if test "x$withval" != "xno" ; then
4629		save_LIBS="$LIBS"
4630		AC_DEFINE([WITH_SELINUX], [1],
4631			[Define if you want SELinux support.])
4632		SELINUX_MSG="yes"
4633		AC_CHECK_HEADER([selinux/selinux.h], ,
4634			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4635		AC_CHECK_LIB([selinux], [setexeccon],
4636			[ LIBSELINUX="-lselinux"
4637			  LIBS="$LIBS -lselinux"
4638			],
4639			AC_MSG_ERROR([SELinux support requires libselinux library]))
4640		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4641		LIBS="$save_LIBS $LIBSELINUX"
4642	fi ]
4643)
4644AC_SUBST([SSHDLIBS])
4645
4646# Check whether user wants Kerberos 5 support
4647KRB5_MSG="no"
4648AC_ARG_WITH([kerberos5],
4649	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4650	[ if test "x$withval" != "xno" ; then
4651		if test "x$withval" = "xyes" ; then
4652			KRB5ROOT="/usr/local"
4653		else
4654			KRB5ROOT=${withval}
4655		fi
4656
4657		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4658		KRB5_MSG="yes"
4659
4660		AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
4661		use_pkgconfig_for_krb5=
4662		if test "x$PKGCONFIG" != "xno"; then
4663			AC_MSG_CHECKING([if $PKGCONFIG knows about kerberos5])
4664			if "$PKGCONFIG" krb5; then
4665				AC_MSG_RESULT([yes])
4666				use_pkgconfig_for_krb5=yes
4667			else
4668				AC_MSG_RESULT([no])
4669			fi
4670		fi
4671		if test "x$use_pkgconfig_for_krb5" = "xyes"; then
4672			K5CFLAGS=`$PKGCONFIG --cflags krb5`
4673			K5LIBS=`$PKGCONFIG --libs krb5`
4674			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4675
4676			AC_MSG_CHECKING([for gssapi support])
4677			if "$PKGCONFIG" krb5-gssapi; then
4678				AC_MSG_RESULT([yes])
4679				AC_DEFINE([GSSAPI], [1],
4680					[Define this if you want GSSAPI
4681					support in the version 2 protocol])
4682				GSSCFLAGS="`$PKGCONFIG --cflags krb5-gssapi`"
4683				GSSLIBS="`$PKGCONFIG --libs krb5-gssapi`"
4684				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4685			else
4686				AC_MSG_RESULT([no])
4687			fi
4688			AC_MSG_CHECKING([whether we are using Heimdal])
4689			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4690				]], [[ char *tmp = heimdal_version; ]])],
4691				[ AC_MSG_RESULT([yes])
4692				AC_DEFINE([HEIMDAL], [1],
4693				[Define this if you are using the Heimdal
4694				version of Kerberos V5]) ],
4695				[AC_MSG_RESULT([no])
4696			])
4697		else
4698			AC_PATH_TOOL([KRB5CONF], [krb5-config],
4699				     [$KRB5ROOT/bin/krb5-config],
4700				     [$KRB5ROOT/bin:$PATH])
4701			if test -x $KRB5CONF ; then
4702				K5CFLAGS="`$KRB5CONF --cflags`"
4703				K5LIBS="`$KRB5CONF --libs`"
4704				CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4705
4706				AC_MSG_CHECKING([for gssapi support])
4707				if $KRB5CONF | grep gssapi >/dev/null ; then
4708					AC_MSG_RESULT([yes])
4709					AC_DEFINE([GSSAPI], [1],
4710						[Define this if you want GSSAPI
4711						support in the version 2 protocol])
4712					GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4713					GSSLIBS="`$KRB5CONF --libs gssapi`"
4714					CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4715				else
4716					AC_MSG_RESULT([no])
4717				fi
4718				AC_MSG_CHECKING([whether we are using Heimdal])
4719				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4720					]], [[ char *tmp = heimdal_version; ]])],
4721					[ AC_MSG_RESULT([yes])
4722					AC_DEFINE([HEIMDAL], [1],
4723					[Define this if you are using the Heimdal
4724					version of Kerberos V5]) ],
4725					[AC_MSG_RESULT([no])
4726				])
4727			else
4728				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4729				LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4730				AC_MSG_CHECKING([whether we are using Heimdal])
4731				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4732					]], [[ char *tmp = heimdal_version; ]])],
4733						[ AC_MSG_RESULT([yes])
4734						 AC_DEFINE([HEIMDAL])
4735						 K5LIBS="-lkrb5"
4736						 K5LIBS="$K5LIBS -lcom_err -lasn1"
4737						 AC_CHECK_LIB([roken], [net_write],
4738						   [K5LIBS="$K5LIBS -lroken"])
4739						 AC_CHECK_LIB([des], [des_cbc_encrypt],
4740						   [K5LIBS="$K5LIBS -ldes"])
4741					       ], [ AC_MSG_RESULT([no])
4742						 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4743				])
4744				AC_SEARCH_LIBS([dn_expand], [resolv])
4745
4746				AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4747					[ AC_DEFINE([GSSAPI])
4748					  GSSLIBS="-lgssapi_krb5" ],
4749					[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4750						[ AC_DEFINE([GSSAPI])
4751						  GSSLIBS="-lgssapi" ],
4752						[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4753							[ AC_DEFINE([GSSAPI])
4754							  GSSLIBS="-lgss" ],
4755							AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4756						])
4757					])
4758
4759				AC_CHECK_HEADER([gssapi.h], ,
4760					[ unset ac_cv_header_gssapi_h
4761					  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4762					  AC_CHECK_HEADERS([gssapi.h], ,
4763						AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4764					  )
4765					]
4766				)
4767
4768				oldCPP="$CPPFLAGS"
4769				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4770				AC_CHECK_HEADER([gssapi_krb5.h], ,
4771						[ CPPFLAGS="$oldCPP" ])
4772
4773			fi
4774		fi
4775		if test -n "${rpath_opt}" ; then
4776			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4777		fi
4778		if test ! -z "$blibpath" ; then
4779			blibpath="$blibpath:${KRB5ROOT}/lib"
4780		fi
4781
4782		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4783		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4784		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4785
4786		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4787			[Define this if you want to use libkafs' AFS support])])
4788
4789		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4790#ifdef HAVE_GSSAPI_H
4791# include <gssapi.h>
4792#elif defined(HAVE_GSSAPI_GSSAPI_H)
4793# include <gssapi/gssapi.h>
4794#endif
4795
4796#ifdef HAVE_GSSAPI_GENERIC_H
4797# include <gssapi_generic.h>
4798#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4799# include <gssapi/gssapi_generic.h>
4800#endif
4801		]])
4802		saved_LIBS="$LIBS"
4803		LIBS="$LIBS $K5LIBS"
4804		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4805		LIBS="$saved_LIBS"
4806
4807	fi
4808	]
4809)
4810AC_SUBST([GSSLIBS])
4811AC_SUBST([K5LIBS])
4812
4813# Looking for programs, paths and files
4814
4815PRIVSEP_PATH=/var/empty
4816AC_ARG_WITH([privsep-path],
4817	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4818	[
4819		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4820		    test "x${withval}" != "xyes"; then
4821			PRIVSEP_PATH=$withval
4822		fi
4823	]
4824)
4825AC_SUBST([PRIVSEP_PATH])
4826
4827AC_ARG_WITH([xauth],
4828	[  --with-xauth=PATH       Specify path to xauth program ],
4829	[
4830		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4831		    test "x${withval}" != "xyes"; then
4832			xauth_path=$withval
4833		fi
4834	],
4835	[
4836		TestPath="$PATH"
4837		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4838		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4839		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4840		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4841		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4842		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4843			xauth_path="/usr/openwin/bin/xauth"
4844		fi
4845	]
4846)
4847
4848STRIP_OPT=-s
4849AC_ARG_ENABLE([strip],
4850	[  --disable-strip         Disable calling strip(1) on install],
4851	[
4852		if test "x$enableval" = "xno" ; then
4853			STRIP_OPT=
4854		fi
4855	]
4856)
4857AC_SUBST([STRIP_OPT])
4858
4859if test -z "$xauth_path" ; then
4860	XAUTH_PATH="undefined"
4861	AC_SUBST([XAUTH_PATH])
4862else
4863	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4864		[Define if xauth is found in your path])
4865	XAUTH_PATH=$xauth_path
4866	AC_SUBST([XAUTH_PATH])
4867fi
4868
4869dnl # --with-maildir=/path/to/mail gets top priority.
4870dnl # if maildir is set in the platform case statement above we use that.
4871dnl # Otherwise we run a program to get the dir from system headers.
4872dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4873dnl # If we find _PATH_MAILDIR we do nothing because that is what
4874dnl # session.c expects anyway. Otherwise we set to the value found
4875dnl # stripping any trailing slash. If for some strage reason our program
4876dnl # does not find what it needs, we default to /var/spool/mail.
4877# Check for mail directory
4878AC_ARG_WITH([maildir],
4879    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4880    [
4881	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4882	    test "x${withval}" != xyes; then
4883		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4884            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4885	    fi
4886     ],[
4887	if test "X$maildir" != "X"; then
4888	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4889	else
4890	    AC_MSG_CHECKING([Discovering system mail directory])
4891	    AC_RUN_IFELSE(
4892		[AC_LANG_PROGRAM([[
4893#include <stdio.h>
4894#include <stdlib.h>
4895#include <string.h>
4896#ifdef HAVE_PATHS_H
4897#include <paths.h>
4898#endif
4899#ifdef HAVE_MAILLOCK_H
4900#include <maillock.h>
4901#endif
4902#define DATA "conftest.maildir"
4903	]], [[
4904	FILE *fd;
4905	int rc;
4906
4907	fd = fopen(DATA,"w");
4908	if(fd == NULL)
4909		exit(1);
4910
4911#if defined (_PATH_MAILDIR)
4912	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4913		exit(1);
4914#elif defined (MAILDIR)
4915	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4916		exit(1);
4917#elif defined (_PATH_MAIL)
4918	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4919		exit(1);
4920#else
4921	exit (2);
4922#endif
4923
4924	exit(0);
4925		]])],
4926		[
4927		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4928		    maildir=`awk -F: '{print $2}' conftest.maildir \
4929			| sed 's|/$||'`
4930		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4931		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4932			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4933		    fi
4934		],
4935		[
4936		    if test "X$ac_status" = "X2";then
4937# our test program didn't find it. Default to /var/spool/mail
4938			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4939			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4940		     else
4941			AC_MSG_RESULT([*** not found ***])
4942		     fi
4943		],
4944		[
4945			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4946		]
4947	    )
4948	fi
4949    ]
4950) # maildir
4951
4952if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4953	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4954	disable_ptmx_check=yes
4955fi
4956if test -z "$no_dev_ptmx" ; then
4957	if test "x$disable_ptmx_check" != "xyes" ; then
4958		AC_CHECK_FILE(["/dev/ptmx"],
4959			[
4960				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4961					[Define if you have /dev/ptmx])
4962				have_dev_ptmx=1
4963			]
4964		)
4965	fi
4966fi
4967
4968if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4969	AC_CHECK_FILE(["/dev/ptc"],
4970		[
4971			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4972				[Define if you have /dev/ptc])
4973			have_dev_ptc=1
4974		]
4975	)
4976else
4977	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4978fi
4979
4980# Options from here on. Some of these are preset by platform above
4981AC_ARG_WITH([mantype],
4982	[  --with-mantype=man|cat|doc  Set man page type],
4983	[
4984		case "$withval" in
4985		man|cat|doc)
4986			MANTYPE=$withval
4987			;;
4988		*)
4989			AC_MSG_ERROR([invalid man type: $withval])
4990			;;
4991		esac
4992	]
4993)
4994if test -z "$MANTYPE"; then
4995	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
4996		MANTYPE=doc
4997	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4998		MANTYPE=doc
4999	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
5000		MANTYPE=man
5001	else
5002		MANTYPE=cat
5003	fi
5004fi
5005AC_SUBST([MANTYPE])
5006if test "$MANTYPE" = "doc"; then
5007	mansubdir=man;
5008else
5009	mansubdir=$MANTYPE;
5010fi
5011AC_SUBST([mansubdir])
5012
5013# Check whether to enable MD5 passwords
5014MD5_MSG="no"
5015AC_ARG_WITH([md5-passwords],
5016	[  --with-md5-passwords    Enable use of MD5 passwords],
5017	[
5018		if test "x$withval" != "xno" ; then
5019			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
5020				[Define if you want to allow MD5 passwords])
5021			MD5_MSG="yes"
5022		fi
5023	]
5024)
5025
5026# Whether to disable shadow password support
5027AC_ARG_WITH([shadow],
5028	[  --without-shadow        Disable shadow password support],
5029	[
5030		if test "x$withval" = "xno" ; then
5031			AC_DEFINE([DISABLE_SHADOW])
5032			disable_shadow=yes
5033		fi
5034	]
5035)
5036
5037if test -z "$disable_shadow" ; then
5038	AC_MSG_CHECKING([if the systems has expire shadow information])
5039	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5040#include <sys/types.h>
5041#include <shadow.h>
5042struct spwd sp;
5043		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
5044		[ sp_expire_available=yes ], [
5045	])
5046
5047	if test "x$sp_expire_available" = "xyes" ; then
5048		AC_MSG_RESULT([yes])
5049		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
5050		    [Define if you want to use shadow password expire field])
5051	else
5052		AC_MSG_RESULT([no])
5053	fi
5054fi
5055
5056# Use ip address instead of hostname in $DISPLAY
5057if test ! -z "$IPADDR_IN_DISPLAY" ; then
5058	DISPLAY_HACK_MSG="yes"
5059	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
5060		[Define if you need to use IP address
5061		instead of hostname in $DISPLAY])
5062else
5063	DISPLAY_HACK_MSG="no"
5064	AC_ARG_WITH([ipaddr-display],
5065		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
5066		[
5067			if test "x$withval" != "xno" ; then
5068				AC_DEFINE([IPADDR_IN_DISPLAY])
5069				DISPLAY_HACK_MSG="yes"
5070			fi
5071		]
5072	)
5073fi
5074
5075# check for /etc/default/login and use it if present.
5076AC_ARG_ENABLE([etc-default-login],
5077	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
5078	[ if test "x$enableval" = "xno"; then
5079		AC_MSG_NOTICE([/etc/default/login handling disabled])
5080		etc_default_login=no
5081	  else
5082		etc_default_login=yes
5083	  fi ],
5084	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
5085	  then
5086		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
5087		etc_default_login=no
5088	  else
5089		etc_default_login=yes
5090	  fi ]
5091)
5092
5093if test "x$etc_default_login" != "xno"; then
5094	AC_CHECK_FILE(["/etc/default/login"],
5095	    [ external_path_file=/etc/default/login ])
5096	if test "x$external_path_file" = "x/etc/default/login"; then
5097		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
5098			[Define if your system has /etc/default/login])
5099	fi
5100fi
5101
5102dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
5103if test $ac_cv_func_login_getcapbool = "yes" && \
5104	test $ac_cv_header_login_cap_h = "yes" ; then
5105	external_path_file=/etc/login.conf
5106fi
5107
5108# Whether to mess with the default path
5109SERVER_PATH_MSG="(default)"
5110AC_ARG_WITH([default-path],
5111	[  --with-default-path=    Specify default $PATH environment for server],
5112	[
5113		if test "x$external_path_file" = "x/etc/login.conf" ; then
5114			AC_MSG_WARN([
5115--with-default-path=PATH has no effect on this system.
5116Edit /etc/login.conf instead.])
5117		elif test "x$withval" != "xno" ; then
5118			if test ! -z "$external_path_file" ; then
5119				AC_MSG_WARN([
5120--with-default-path=PATH will only be used if PATH is not defined in
5121$external_path_file .])
5122			fi
5123			user_path="$withval"
5124			SERVER_PATH_MSG="$withval"
5125		fi
5126	],
5127	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
5128		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
5129	else
5130		if test ! -z "$external_path_file" ; then
5131			AC_MSG_WARN([
5132If PATH is defined in $external_path_file, ensure the path to scp is included,
5133otherwise scp will not work.])
5134		fi
5135		AC_RUN_IFELSE(
5136			[AC_LANG_PROGRAM([[
5137/* find out what STDPATH is */
5138#include <stdio.h>
5139#include <stdlib.h>
5140#ifdef HAVE_PATHS_H
5141# include <paths.h>
5142#endif
5143#ifndef _PATH_STDPATH
5144# ifdef _PATH_USERPATH	/* Irix */
5145#  define _PATH_STDPATH _PATH_USERPATH
5146# else
5147#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5148# endif
5149#endif
5150#include <sys/types.h>
5151#include <sys/stat.h>
5152#include <fcntl.h>
5153#define DATA "conftest.stdpath"
5154			]], [[
5155	FILE *fd;
5156	int rc;
5157
5158	fd = fopen(DATA,"w");
5159	if(fd == NULL)
5160		exit(1);
5161
5162	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5163		exit(1);
5164
5165	exit(0);
5166		]])],
5167		[ user_path=`cat conftest.stdpath` ],
5168		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5169		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5170	)
5171# make sure $bindir is in USER_PATH so scp will work
5172		t_bindir="${bindir}"
5173		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5174			t_bindir=`eval echo ${t_bindir}`
5175			case $t_bindir in
5176				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5177			esac
5178			case $t_bindir in
5179				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5180			esac
5181		done
5182		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5183		if test $? -ne 0  ; then
5184			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5185			if test $? -ne 0  ; then
5186				user_path=$user_path:$t_bindir
5187				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5188			fi
5189		fi
5190	fi ]
5191)
5192if test "x$external_path_file" != "x/etc/login.conf" ; then
5193	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5194	AC_SUBST([user_path])
5195fi
5196
5197# Set superuser path separately to user path
5198AC_ARG_WITH([superuser-path],
5199	[  --with-superuser-path=  Specify different path for super-user],
5200	[
5201		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5202		    test "x${withval}" != "xyes"; then
5203			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5204				[Define if you want a different $PATH
5205				for the superuser])
5206			superuser_path=$withval
5207		fi
5208	]
5209)
5210
5211
5212AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5213IPV4_IN6_HACK_MSG="no"
5214AC_ARG_WITH(4in6,
5215	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5216	[
5217		if test "x$withval" != "xno" ; then
5218			AC_MSG_RESULT([yes])
5219			AC_DEFINE([IPV4_IN_IPV6], [1],
5220				[Detect IPv4 in IPv6 mapped addresses
5221				and treat as IPv4])
5222			IPV4_IN6_HACK_MSG="yes"
5223		else
5224			AC_MSG_RESULT([no])
5225		fi
5226	], [
5227		if test "x$inet6_default_4in6" = "xyes"; then
5228			AC_MSG_RESULT([yes (default)])
5229			AC_DEFINE([IPV4_IN_IPV6])
5230			IPV4_IN6_HACK_MSG="yes"
5231		else
5232			AC_MSG_RESULT([no (default)])
5233		fi
5234	]
5235)
5236
5237# Whether to enable BSD auth support
5238BSD_AUTH_MSG=no
5239AC_ARG_WITH([bsd-auth],
5240	[  --with-bsd-auth         Enable BSD auth support],
5241	[
5242		if test "x$withval" != "xno" ; then
5243			AC_DEFINE([BSD_AUTH], [1],
5244				[Define if you have BSD auth support])
5245			BSD_AUTH_MSG=yes
5246		fi
5247	]
5248)
5249
5250# Where to place sshd.pid
5251piddir=/var/run
5252# make sure the directory exists
5253if test ! -d $piddir ; then
5254	piddir=`eval echo ${sysconfdir}`
5255	case $piddir in
5256		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5257	esac
5258fi
5259
5260AC_ARG_WITH([pid-dir],
5261	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5262	[
5263		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5264		    test "x${withval}" != "xyes"; then
5265			piddir=$withval
5266			if test ! -d $piddir ; then
5267			AC_MSG_WARN([** no $piddir directory on this system **])
5268			fi
5269		fi
5270	]
5271)
5272
5273AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5274	[Specify location of ssh.pid])
5275AC_SUBST([piddir])
5276
5277dnl allow user to disable some login recording features
5278AC_ARG_ENABLE([lastlog],
5279	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5280	[
5281		if test "x$enableval" = "xno" ; then
5282			AC_DEFINE([DISABLE_LASTLOG])
5283		fi
5284	]
5285)
5286AC_ARG_ENABLE([utmp],
5287	[  --disable-utmp          disable use of utmp even if detected [no]],
5288	[
5289		if test "x$enableval" = "xno" ; then
5290			AC_DEFINE([DISABLE_UTMP])
5291		fi
5292	]
5293)
5294AC_ARG_ENABLE([utmpx],
5295	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5296	[
5297		if test "x$enableval" = "xno" ; then
5298			AC_DEFINE([DISABLE_UTMPX], [1],
5299				[Define if you don't want to use utmpx])
5300		fi
5301	]
5302)
5303AC_ARG_ENABLE([wtmp],
5304	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5305	[
5306		if test "x$enableval" = "xno" ; then
5307			AC_DEFINE([DISABLE_WTMP])
5308		fi
5309	]
5310)
5311AC_ARG_ENABLE([wtmpx],
5312	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5313	[
5314		if test "x$enableval" = "xno" ; then
5315			AC_DEFINE([DISABLE_WTMPX], [1],
5316				[Define if you don't want to use wtmpx])
5317		fi
5318	]
5319)
5320AC_ARG_ENABLE([libutil],
5321	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5322	[
5323		if test "x$enableval" = "xno" ; then
5324			AC_DEFINE([DISABLE_LOGIN])
5325		fi
5326	]
5327)
5328AC_ARG_ENABLE([pututline],
5329	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5330	[
5331		if test "x$enableval" = "xno" ; then
5332			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5333				[Define if you don't want to use pututline()
5334				etc. to write [uw]tmp])
5335		fi
5336	]
5337)
5338AC_ARG_ENABLE([pututxline],
5339	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5340	[
5341		if test "x$enableval" = "xno" ; then
5342			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5343				[Define if you don't want to use pututxline()
5344				etc. to write [uw]tmpx])
5345		fi
5346	]
5347)
5348AC_ARG_WITH([lastlog],
5349  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5350	[
5351		if test "x$withval" = "xno" ; then
5352			AC_DEFINE([DISABLE_LASTLOG])
5353		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5354			conf_lastlog_location=$withval
5355		fi
5356	]
5357)
5358
5359dnl lastlog, [uw]tmpx? detection
5360dnl  NOTE: set the paths in the platform section to avoid the
5361dnl   need for command-line parameters
5362dnl lastlog and [uw]tmp are subject to a file search if all else fails
5363
5364dnl lastlog detection
5365dnl  NOTE: the code itself will detect if lastlog is a directory
5366AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5367AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5368#include <sys/types.h>
5369#include <utmp.h>
5370#ifdef HAVE_LASTLOG_H
5371#  include <lastlog.h>
5372#endif
5373#ifdef HAVE_PATHS_H
5374#  include <paths.h>
5375#endif
5376#ifdef HAVE_LOGIN_H
5377# include <login.h>
5378#endif
5379	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5380		[ AC_MSG_RESULT([yes]) ],
5381		[
5382		AC_MSG_RESULT([no])
5383		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5384		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5385#include <sys/types.h>
5386#include <utmp.h>
5387#ifdef HAVE_LASTLOG_H
5388#  include <lastlog.h>
5389#endif
5390#ifdef HAVE_PATHS_H
5391#  include <paths.h>
5392#endif
5393		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5394		[ AC_MSG_RESULT([yes]) ],
5395		[
5396			AC_MSG_RESULT([no])
5397			system_lastlog_path=no
5398		])
5399])
5400
5401if test -z "$conf_lastlog_location"; then
5402	if test x"$system_lastlog_path" = x"no" ; then
5403		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5404				if (test -d "$f" || test -f "$f") ; then
5405					conf_lastlog_location=$f
5406				fi
5407		done
5408		if test -z "$conf_lastlog_location"; then
5409			AC_MSG_WARN([** Cannot find lastlog **])
5410			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5411		fi
5412	fi
5413fi
5414
5415if test -n "$conf_lastlog_location"; then
5416	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5417		[Define if you want to specify the path to your lastlog file])
5418fi
5419
5420dnl utmp detection
5421AC_MSG_CHECKING([if your system defines UTMP_FILE])
5422AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5423#include <sys/types.h>
5424#include <utmp.h>
5425#ifdef HAVE_PATHS_H
5426#  include <paths.h>
5427#endif
5428	]], [[ char *utmp = UTMP_FILE; ]])],
5429	[ AC_MSG_RESULT([yes]) ],
5430	[ AC_MSG_RESULT([no])
5431	  system_utmp_path=no
5432])
5433if test -z "$conf_utmp_location"; then
5434	if test x"$system_utmp_path" = x"no" ; then
5435		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5436			if test -f $f ; then
5437				conf_utmp_location=$f
5438			fi
5439		done
5440		if test -z "$conf_utmp_location"; then
5441			AC_DEFINE([DISABLE_UTMP])
5442		fi
5443	fi
5444fi
5445if test -n "$conf_utmp_location"; then
5446	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5447		[Define if you want to specify the path to your utmp file])
5448fi
5449
5450dnl wtmp detection
5451AC_MSG_CHECKING([if your system defines WTMP_FILE])
5452AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5453#include <sys/types.h>
5454#include <utmp.h>
5455#ifdef HAVE_PATHS_H
5456#  include <paths.h>
5457#endif
5458	]], [[ char *wtmp = WTMP_FILE; ]])],
5459	[ AC_MSG_RESULT([yes]) ],
5460	[ AC_MSG_RESULT([no])
5461	  system_wtmp_path=no
5462])
5463if test -z "$conf_wtmp_location"; then
5464	if test x"$system_wtmp_path" = x"no" ; then
5465		for f in /usr/adm/wtmp /var/log/wtmp; do
5466			if test -f $f ; then
5467				conf_wtmp_location=$f
5468			fi
5469		done
5470		if test -z "$conf_wtmp_location"; then
5471			AC_DEFINE([DISABLE_WTMP])
5472		fi
5473	fi
5474fi
5475if test -n "$conf_wtmp_location"; then
5476	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5477		[Define if you want to specify the path to your wtmp file])
5478fi
5479
5480dnl wtmpx detection
5481AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5482AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5483#include <sys/types.h>
5484#include <utmp.h>
5485#ifdef HAVE_UTMPX_H
5486#include <utmpx.h>
5487#endif
5488#ifdef HAVE_PATHS_H
5489#  include <paths.h>
5490#endif
5491	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5492	[ AC_MSG_RESULT([yes]) ],
5493	[ AC_MSG_RESULT([no])
5494	  system_wtmpx_path=no
5495])
5496if test -z "$conf_wtmpx_location"; then
5497	if test x"$system_wtmpx_path" = x"no" ; then
5498		AC_DEFINE([DISABLE_WTMPX])
5499	fi
5500else
5501	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5502		[Define if you want to specify the path to your wtmpx file])
5503fi
5504
5505
5506if test ! -z "$blibpath" ; then
5507	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5508	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5509fi
5510
5511AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5512    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5513	AC_DEFINE([DISABLE_LASTLOG])
5514    fi
5515	], [
5516#ifdef HAVE_SYS_TYPES_H
5517#include <sys/types.h>
5518#endif
5519#ifdef HAVE_UTMP_H
5520#include <utmp.h>
5521#endif
5522#ifdef HAVE_UTMPX_H
5523#include <utmpx.h>
5524#endif
5525#ifdef HAVE_LASTLOG_H
5526#include <lastlog.h>
5527#endif
5528	])
5529
5530AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5531	AC_DEFINE([DISABLE_UTMP])
5532	AC_DEFINE([DISABLE_WTMP])
5533	], [
5534#ifdef HAVE_SYS_TYPES_H
5535#include <sys/types.h>
5536#endif
5537#ifdef HAVE_UTMP_H
5538#include <utmp.h>
5539#endif
5540#ifdef HAVE_UTMPX_H
5541#include <utmpx.h>
5542#endif
5543#ifdef HAVE_LASTLOG_H
5544#include <lastlog.h>
5545#endif
5546	])
5547
5548dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5549dnl Add now.
5550CFLAGS="$CFLAGS $werror_flags"
5551
5552if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5553	TEST_SSH_IPV6=no
5554else
5555	TEST_SSH_IPV6=yes
5556fi
5557AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5558AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5559AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5560AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5561AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5562AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5563
5564CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5565LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5566
5567# Make a copy of CFLAGS/LDFLAGS without PIE options.
5568LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5569CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5570AC_SUBST([LDFLAGS_NOPIE])
5571AC_SUBST([CFLAGS_NOPIE])
5572
5573AC_EXEEXT
5574AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5575	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5576	survey.sh])
5577AC_OUTPUT
5578
5579# Print summary of options
5580
5581# Someone please show me a better way :)
5582A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5583B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5584C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5585D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5586E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5587F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5588G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5589H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5590I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5591J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5592
5593echo ""
5594echo "OpenSSH has been configured with the following options:"
5595echo "                     User binaries: $B"
5596echo "                   System binaries: $C"
5597echo "               Configuration files: $D"
5598echo "                   Askpass program: $E"
5599echo "                      Manual pages: $F"
5600echo "                          PID file: $G"
5601echo "  Privilege separation chroot path: $H"
5602if test "x$external_path_file" = "x/etc/login.conf" ; then
5603echo "   At runtime, sshd will use the path defined in $external_path_file"
5604echo "   Make sure the path to scp is present, otherwise scp will not work"
5605else
5606echo "            sshd default user PATH: $I"
5607	if test ! -z "$external_path_file"; then
5608echo "   (If PATH is set in $external_path_file it will be used instead. If"
5609echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5610	fi
5611fi
5612if test ! -z "$superuser_path" ; then
5613echo "          sshd superuser user PATH: $J"
5614fi
5615echo "                    Manpage format: $MANTYPE"
5616echo "                       PAM support: $PAM_MSG"
5617echo "                   OSF SIA support: $SIA_MSG"
5618echo "                 KerberosV support: $KRB5_MSG"
5619echo "                   SELinux support: $SELINUX_MSG"
5620echo "              TCP Wrappers support: $TCPW_MSG"
5621echo "              MD5 password support: $MD5_MSG"
5622echo "                   libedit support: $LIBEDIT_MSG"
5623echo "                   libldns support: $LDNS_MSG"
5624echo "  Solaris process contract support: $SPC_MSG"
5625echo "           Solaris project support: $SP_MSG"
5626echo "         Solaris privilege support: $SPP_MSG"
5627echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5628echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5629echo "                  BSD Auth support: $BSD_AUTH_MSG"
5630echo "              Random number source: $RAND_MSG"
5631echo "             Privsep sandbox style: $SANDBOX_STYLE"
5632echo "                   PKCS#11 support: $enable_pkcs11"
5633echo "                  U2F/FIDO support: $enable_sk"
5634
5635echo ""
5636
5637echo "              Host: ${host}"
5638echo "          Compiler: ${CC}"
5639echo "    Compiler flags: ${CFLAGS}"
5640echo "Preprocessor flags: ${CPPFLAGS}"
5641echo "      Linker flags: ${LDFLAGS}"
5642echo "         Libraries: ${LIBS}"
5643if test ! -z "${SSHDLIBS}"; then
5644echo "         +for sshd: ${SSHDLIBS}"
5645fi
5646
5647echo ""
5648
5649if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5650	echo "SVR4 style packages are supported with \"make package\""
5651	echo ""
5652fi
5653
5654if test "x$PAM_MSG" = "xyes" ; then
5655	echo "PAM is enabled. You may need to install a PAM control file "
5656	echo "for sshd, otherwise password authentication may fail. "
5657	echo "Example PAM control files can be found in the contrib/ "
5658	echo "subdirectory"
5659	echo ""
5660fi
5661
5662if test ! -z "$NO_PEERCHECK" ; then
5663	echo "WARNING: the operating system that you are using does not"
5664	echo "appear to support getpeereid(), getpeerucred() or the"
5665	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5666	echo "enforce security checks to prevent unauthorised connections to"
5667	echo "ssh-agent. Their absence increases the risk that a malicious"
5668	echo "user can connect to your agent."
5669	echo ""
5670fi
5671
5672if test "$AUDIT_MODULE" = "bsm" ; then
5673	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5674	echo "See the Solaris section in README.platform for details."
5675fi
5676