xref: /freebsd/crypto/openssh/configure.ac (revision 68d75eff68281c1b445e3010bb975eae07aac225)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_REVISION($Revision: 1.583 $)
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([ENT], [ent])
38AC_SUBST([ENT])
39AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42AC_PATH_PROG([SH], [sh])
43AC_PATH_PROG([GROFF], [groff])
44AC_PATH_PROG([NROFF], [nroff])
45AC_PATH_PROG([MANDOC], [mandoc])
46AC_SUBST([TEST_SHELL], [sh])
47
48dnl select manpage formatter
49if test "x$MANDOC" != "x" ; then
50	MANFMT="$MANDOC"
51elif test "x$NROFF" != "x" ; then
52	MANFMT="$NROFF -mandoc"
53elif test "x$GROFF" != "x" ; then
54	MANFMT="$GROFF -mandoc -Tascii"
55else
56	AC_MSG_WARN([no manpage formatted found])
57	MANFMT="false"
58fi
59AC_SUBST([MANFMT])
60
61dnl for buildpkg.sh
62AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65	[/usr/sbin${PATH_SEPARATOR}/etc])
66AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67if test -x /sbin/sh; then
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
69else
70	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
71fi
72
73# System features
74AC_SYS_LARGEFILE
75
76if test -z "$AR" ; then
77	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
78fi
79
80AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81if test ! -z "$PATH_PASSWD_PROG" ; then
82	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83		[Full path of your "passwd" program])
84fi
85
86dnl Since autoconf doesn't support it very well,  we no longer allow users to
87dnl override LD, however keeping the hook here for now in case there's a use
88dnl use case we overlooked and someone needs to re-enable it.  Unless a good
89dnl reason is found we'll be removing this in future.
90LD="$CC"
91AC_SUBST([LD])
92
93AC_C_INLINE
94
95AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
97	#include <sys/types.h>
98	#include <sys/param.h>
99	#include <dev/systrace.h>
100])
101AC_CHECK_DECL([RLIMIT_NPROC],
102    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
103	#include <sys/types.h>
104	#include <sys/resource.h>
105])
106AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
107	#include <sys/types.h>
108	#include <linux/prctl.h>
109])
110
111openssl=yes
112AC_ARG_WITH([openssl],
113	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
114	[  if test "x$withval" = "xno" ; then
115		openssl=no
116	   fi
117	]
118)
119AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
120if test "x$openssl" = "xyes" ; then
121	AC_MSG_RESULT([yes])
122	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
123else
124	AC_MSG_RESULT([no])
125fi
126
127use_stack_protector=1
128use_toolchain_hardening=1
129AC_ARG_WITH([stackprotect],
130    [  --without-stackprotect  Don't use compiler's stack protection], [
131    if test "x$withval" = "xno"; then
132	use_stack_protector=0
133    fi ])
134AC_ARG_WITH([hardening],
135    [  --without-hardening     Don't use toolchain hardening flags], [
136    if test "x$withval" = "xno"; then
137	use_toolchain_hardening=0
138    fi ])
139
140# We use -Werror for the tests only so that we catch warnings like "this is
141# on by default" for things like -fPIE.
142AC_MSG_CHECKING([if $CC supports -Werror])
143saved_CFLAGS="$CFLAGS"
144CFLAGS="$CFLAGS -Werror"
145AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
146	[ AC_MSG_RESULT([yes])
147	  WERROR="-Werror"],
148	[ AC_MSG_RESULT([no])
149	  WERROR="" ]
150)
151CFLAGS="$saved_CFLAGS"
152
153if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
154	OSSH_CHECK_CFLAG_COMPILE([-pipe])
155	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
156	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
157	OSSH_CHECK_CFLAG_COMPILE([-Wall])
158	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
159	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
160	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
161	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
162	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
163	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
164	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
165	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
166    if test "x$use_toolchain_hardening" = "x1"; then
167	# Cygwin GCC 7.x allows thunking on the CLI, but produces non-working
168	# code.  Unfortunately you only notice this at link time.
169	case "$host" in
170	*-*-cygwin*) ;;
171	*)
172	    OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
173	    OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
174	    ;;
175	esac
176	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
177	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
178	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
179	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
180	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
181	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
182	# NB. -ftrapv expects certain support functions to be present in
183	# the compiler library (libgcc or similar) to detect integer operations
184	# that can overflow. We must check that the result of enabling it
185	# actually links. The test program compiled/linked includes a number
186	# of integer operations that should exercise this.
187	OSSH_CHECK_CFLAG_LINK([-ftrapv])
188    fi
189	AC_MSG_CHECKING([gcc version])
190	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
191	case $GCC_VER in
192		1.*) no_attrib_nonnull=1 ;;
193		2.8* | 2.9*)
194		     no_attrib_nonnull=1
195		     ;;
196		2.*) no_attrib_nonnull=1 ;;
197		*) ;;
198	esac
199	AC_MSG_RESULT([$GCC_VER])
200
201	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
202	saved_CFLAGS="$CFLAGS"
203	CFLAGS="$CFLAGS -fno-builtin-memset"
204	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
205			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
206		[ AC_MSG_RESULT([yes]) ],
207		[ AC_MSG_RESULT([no])
208		  CFLAGS="$saved_CFLAGS" ]
209	)
210
211	# -fstack-protector-all doesn't always work for some GCC versions
212	# and/or platforms, so we test if we can.  If it's not supported
213	# on a given platform gcc will emit a warning so we use -Werror.
214	if test "x$use_stack_protector" = "x1"; then
215	    for t in -fstack-protector-strong -fstack-protector-all \
216		    -fstack-protector; do
217		AC_MSG_CHECKING([if $CC supports $t])
218		saved_CFLAGS="$CFLAGS"
219		saved_LDFLAGS="$LDFLAGS"
220		CFLAGS="$CFLAGS $t -Werror"
221		LDFLAGS="$LDFLAGS $t -Werror"
222		AC_LINK_IFELSE(
223			[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
224			[[
225	char x[256];
226	snprintf(x, sizeof(x), "XXX");
227			 ]])],
228		    [ AC_MSG_RESULT([yes])
229		      CFLAGS="$saved_CFLAGS $t"
230		      LDFLAGS="$saved_LDFLAGS $t"
231		      AC_MSG_CHECKING([if $t works])
232		      AC_RUN_IFELSE(
233			[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
234			[[
235	char x[256];
236	snprintf(x, sizeof(x), "XXX");
237			]])],
238			[ AC_MSG_RESULT([yes])
239			  break ],
240			[ AC_MSG_RESULT([no]) ],
241			[ AC_MSG_WARN([cross compiling: cannot test])
242			  break ]
243		      )
244		    ],
245		    [ AC_MSG_RESULT([no]) ]
246		)
247		CFLAGS="$saved_CFLAGS"
248		LDFLAGS="$saved_LDFLAGS"
249	    done
250	fi
251
252	if test -z "$have_llong_max"; then
253		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
254		unset ac_cv_have_decl_LLONG_MAX
255		saved_CFLAGS="$CFLAGS"
256		CFLAGS="$CFLAGS -std=gnu99"
257		AC_CHECK_DECL([LLONG_MAX],
258		    [have_llong_max=1],
259		    [CFLAGS="$saved_CFLAGS"],
260		    [#include <limits.h>]
261		)
262	fi
263fi
264
265AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
266AC_COMPILE_IFELSE(
267    [AC_LANG_PROGRAM([[
268#include <stdlib.h>
269__attribute__((__unused__)) static void foo(void){return;}]],
270    [[ exit(0); ]])],
271    [ AC_MSG_RESULT([yes]) ],
272    [ AC_MSG_RESULT([no])
273      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
274	 [compiler does not accept __attribute__ on return types]) ]
275)
276
277AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
278AC_COMPILE_IFELSE(
279    [AC_LANG_PROGRAM([[
280#include <stdlib.h>
281typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
282    [[ exit(0); ]])],
283    [ AC_MSG_RESULT([yes]) ],
284    [ AC_MSG_RESULT([no])
285      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
286	 [compiler does not accept __attribute__ on prototype args]) ]
287)
288
289if test "x$no_attrib_nonnull" != "x1" ; then
290	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
291fi
292
293AC_ARG_WITH([rpath],
294	[  --without-rpath         Disable auto-added -R linker paths],
295	[
296		if test "x$withval" = "xno" ; then
297			need_dash_r=""
298		fi
299		if test "x$withval" = "xyes" ; then
300			need_dash_r=1
301		fi
302	]
303)
304
305# Allow user to specify flags
306AC_ARG_WITH([cflags],
307	[  --with-cflags           Specify additional flags to pass to compiler],
308	[
309		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
310		    test "x${withval}" != "xyes"; then
311			CFLAGS="$CFLAGS $withval"
312		fi
313	]
314)
315
316AC_ARG_WITH([cflags-after],
317	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
318	[
319		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
320		    test "x${withval}" != "xyes"; then
321			CFLAGS_AFTER="$withval"
322		fi
323	]
324)
325AC_ARG_WITH([cppflags],
326	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
327	[
328		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
329		    test "x${withval}" != "xyes"; then
330			CPPFLAGS="$CPPFLAGS $withval"
331		fi
332	]
333)
334AC_ARG_WITH([ldflags],
335	[  --with-ldflags          Specify additional flags to pass to linker],
336	[
337		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
338		    test "x${withval}" != "xyes"; then
339			LDFLAGS="$LDFLAGS $withval"
340		fi
341	]
342)
343AC_ARG_WITH([ldflags-after],
344	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
345	[
346		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
347		    test "x${withval}" != "xyes"; then
348			LDFLAGS_AFTER="$withval"
349		fi
350	]
351)
352AC_ARG_WITH([libs],
353	[  --with-libs             Specify additional libraries to link with],
354	[
355		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
356		    test "x${withval}" != "xyes"; then
357			LIBS="$LIBS $withval"
358		fi
359	]
360)
361AC_ARG_WITH([Werror],
362	[  --with-Werror           Build main code with -Werror],
363	[
364		if test -n "$withval"  &&  test "x$withval" != "xno"; then
365			werror_flags="-Werror"
366			if test "x${withval}" != "xyes"; then
367				werror_flags="$withval"
368			fi
369		fi
370	]
371)
372
373AC_CHECK_HEADERS([ \
374	blf.h \
375	bstring.h \
376	crypt.h \
377	crypto/sha2.h \
378	dirent.h \
379	endian.h \
380	elf.h \
381	err.h \
382	features.h \
383	fcntl.h \
384	floatingpoint.h \
385	getopt.h \
386	glob.h \
387	ia.h \
388	iaf.h \
389	ifaddrs.h \
390	inttypes.h \
391	langinfo.h \
392	limits.h \
393	locale.h \
394	login.h \
395	maillock.h \
396	ndir.h \
397	net/if_tun.h \
398	netdb.h \
399	netgroup.h \
400	pam/pam_appl.h \
401	paths.h \
402	poll.h \
403	pty.h \
404	readpassphrase.h \
405	rpc/types.h \
406	security/pam_appl.h \
407	sha2.h \
408	shadow.h \
409	stddef.h \
410	stdint.h \
411	string.h \
412	strings.h \
413	sys/bitypes.h \
414	sys/bsdtty.h \
415	sys/cdefs.h \
416	sys/dir.h \
417	sys/file.h \
418	sys/mman.h \
419	sys/label.h \
420	sys/ndir.h \
421	sys/poll.h \
422	sys/prctl.h \
423	sys/pstat.h \
424	sys/ptrace.h \
425	sys/random.h \
426	sys/select.h \
427	sys/stat.h \
428	sys/stream.h \
429	sys/stropts.h \
430	sys/strtio.h \
431	sys/statvfs.h \
432	sys/sysmacros.h \
433	sys/time.h \
434	sys/timers.h \
435	sys/vfs.h \
436	time.h \
437	tmpdir.h \
438	ttyent.h \
439	ucred.h \
440	unistd.h \
441	usersec.h \
442	util.h \
443	utime.h \
444	utmp.h \
445	utmpx.h \
446	vis.h \
447	wchar.h \
448])
449
450# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
451# to be included first.
452AC_CHECK_HEADERS([sys/audit.h], [], [], [
453#ifdef HAVE_SYS_TIME_H
454# include <sys/time.h>
455#endif
456#ifdef HAVE_SYS_TYPES_H
457# include <sys/types.h>
458#endif
459#ifdef HAVE_SYS_LABEL_H
460# include <sys/label.h>
461#endif
462])
463
464# sys/capsicum.h requires sys/types.h
465AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
466#ifdef HAVE_SYS_TYPES_H
467# include <sys/types.h>
468#endif
469])
470
471# net/route.h requires sys/socket.h and sys/types.h.
472# sys/sysctl.h also requires sys/param.h
473AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
474#ifdef HAVE_SYS_TYPES_H
475# include <sys/types.h>
476#endif
477#include <sys/param.h>
478#include <sys/socket.h>
479])
480
481# lastlog.h requires sys/time.h to be included first on Solaris
482AC_CHECK_HEADERS([lastlog.h], [], [], [
483#ifdef HAVE_SYS_TIME_H
484# include <sys/time.h>
485#endif
486])
487
488# sys/ptms.h requires sys/stream.h to be included first on Solaris
489AC_CHECK_HEADERS([sys/ptms.h], [], [], [
490#ifdef HAVE_SYS_STREAM_H
491# include <sys/stream.h>
492#endif
493])
494
495# login_cap.h requires sys/types.h on NetBSD
496AC_CHECK_HEADERS([login_cap.h], [], [], [
497#include <sys/types.h>
498])
499
500# older BSDs need sys/param.h before sys/mount.h
501AC_CHECK_HEADERS([sys/mount.h], [], [], [
502#include <sys/param.h>
503])
504
505# Android requires sys/socket.h to be included before sys/un.h
506AC_CHECK_HEADERS([sys/un.h], [], [], [
507#include <sys/types.h>
508#include <sys/socket.h>
509])
510
511# Messages for features tested for in target-specific section
512SIA_MSG="no"
513SPC_MSG="no"
514SP_MSG="no"
515SPP_MSG="no"
516
517# Support for Solaris/Illumos privileges (this test is used by both
518# the --with-solaris-privs option and --with-sandbox=solaris).
519SOLARIS_PRIVS="no"
520
521# Check for some target-specific stuff
522case "$host" in
523*-*-aix*)
524	# Some versions of VAC won't allow macro redefinitions at
525	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
526	# particularly with older versions of vac or xlc.
527	# It also throws errors about null macro arguments, but these are
528	# not fatal.
529	AC_MSG_CHECKING([if compiler allows macro redefinitions])
530	AC_COMPILE_IFELSE(
531	    [AC_LANG_PROGRAM([[
532#define testmacro foo
533#define testmacro bar]],
534	    [[ exit(0); ]])],
535	    [ AC_MSG_RESULT([yes]) ],
536	    [ AC_MSG_RESULT([no])
537	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
538	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
539	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
540	    ]
541	)
542
543	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
544	if (test -z "$blibpath"); then
545		blibpath="/usr/lib:/lib"
546	fi
547	saved_LDFLAGS="$LDFLAGS"
548	if test "$GCC" = "yes"; then
549		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
550	else
551		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
552	fi
553	for tryflags in $flags ;do
554		if (test -z "$blibflags"); then
555			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
556			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
557			[blibflags=$tryflags], [])
558		fi
559	done
560	if (test -z "$blibflags"); then
561		AC_MSG_RESULT([not found])
562		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
563	else
564		AC_MSG_RESULT([$blibflags])
565	fi
566	LDFLAGS="$saved_LDFLAGS"
567	dnl Check for authenticate.  Might be in libs.a on older AIXes
568	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
569		[Define if you want to enable AIX4's authenticate function])],
570		[AC_CHECK_LIB([s], [authenticate],
571			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
572				LIBS="$LIBS -ls"
573			])
574		])
575	dnl Check for various auth function declarations in headers.
576	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
577	    passwdexpired, setauthdb], , , [#include <usersec.h>])
578	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
579	AC_CHECK_DECLS([loginfailed],
580	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
581	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
582		[[ (void)loginfailed("user","host","tty",0); ]])],
583		[AC_MSG_RESULT([yes])
584		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
585			[Define if your AIX loginfailed() function
586			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
587	    ])],
588	    [],
589	    [#include <usersec.h>]
590	)
591	AC_CHECK_FUNCS([getgrset setauthdb])
592	AC_CHECK_DECL([F_CLOSEM],
593	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
594	    [],
595	    [ #include <limits.h>
596	      #include <fcntl.h> ]
597	)
598	check_for_aix_broken_getaddrinfo=1
599	AC_DEFINE([BROKEN_REALPATH], [1], [Define if you have a broken realpath.])
600	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
601	    [Define if your platform breaks doing a seteuid before a setuid])
602	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
603	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
604	dnl AIX handles lastlog as part of its login message
605	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
606	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
607		[Some systems need a utmpx entry for /bin/login to work])
608	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
609		[Define to a Set Process Title type if your system is
610		supported by bsd-setproctitle.c])
611	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
612	    [AIX 5.2 and 5.3 (and presumably newer) require this])
613	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
614	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
615	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
616	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
617	;;
618*-*-android*)
619	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
620	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
621	;;
622*-*-cygwin*)
623	check_for_libcrypt_later=1
624	LIBS="$LIBS /usr/lib/textreadmode.o"
625	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
626	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
627	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
628		[Define to disable UID restoration test])
629	AC_DEFINE([DISABLE_SHADOW], [1],
630		[Define if you want to disable shadow passwords])
631	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
632		[Define if X11 doesn't support AF_UNIX sockets on that system])
633	AC_DEFINE([DISABLE_FD_PASSING], [1],
634		[Define if your platform needs to skip post auth
635		file descriptor passing])
636	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
637	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
638	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
639	# reasons which cause compile warnings, so we disable those warnings.
640	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
641	;;
642*-*-dgux*)
643	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
644		[Define if your system choked on IP TOS setting])
645	AC_DEFINE([SETEUID_BREAKS_SETUID])
646	AC_DEFINE([BROKEN_SETREUID])
647	AC_DEFINE([BROKEN_SETREGID])
648	;;
649*-*-darwin*)
650	use_pie=auto
651	AC_MSG_CHECKING([if we have working getaddrinfo])
652	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
653main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
654		exit(0);
655	else
656		exit(1);
657}
658			]])],
659	[AC_MSG_RESULT([working])],
660	[AC_MSG_RESULT([buggy])
661	AC_DEFINE([BROKEN_GETADDRINFO], [1],
662		[getaddrinfo is broken (if present)])
663	],
664	[AC_MSG_RESULT([assume it is working])])
665	AC_DEFINE([SETEUID_BREAKS_SETUID])
666	AC_DEFINE([BROKEN_SETREUID])
667	AC_DEFINE([BROKEN_SETREGID])
668	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
669	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
670		[Define if your resolver libs need this for getrrsetbyname])
671	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
672	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
673	    [Use tunnel device compatibility to OpenBSD])
674	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
675	    [Prepend the address family to IP tunnel traffic])
676	m4_pattern_allow([AU_IPv])
677	AC_CHECK_DECL([AU_IPv4], [],
678	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
679	    [#include <bsm/audit.h>]
680	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
681	    [Define if pututxline updates lastlog too])
682	)
683	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
684		[Define to a Set Process Title type if your system is
685		supported by bsd-setproctitle.c])
686	AC_CHECK_FUNCS([sandbox_init])
687	AC_CHECK_HEADERS([sandbox.h])
688	AC_CHECK_LIB([sandbox], [sandbox_apply], [
689	    SSHDLIBS="$SSHDLIBS -lsandbox"
690	])
691	;;
692*-*-dragonfly*)
693	SSHDLIBS="$SSHDLIBS -lcrypt"
694	TEST_MALLOC_OPTIONS="AFGJPRX"
695	;;
696*-*-haiku*)
697	LIBS="$LIBS -lbsd "
698	AC_CHECK_LIB([network], [socket])
699	AC_DEFINE([HAVE_U_INT64_T])
700	MANTYPE=man
701	;;
702*-*-hpux*)
703	# first we define all of the options common to all HP-UX releases
704	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
705	IPADDR_IN_DISPLAY=yes
706	AC_DEFINE([USE_PIPES])
707	AC_DEFINE([LOGIN_NEEDS_UTMPX])
708	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
709		[String used in /etc/passwd to denote locked account])
710	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
711	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
712	maildir="/var/mail"
713	LIBS="$LIBS -lsec"
714	AC_CHECK_LIB([xnet], [t_error], ,
715	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
716
717	# next, we define all of the options specific to major releases
718	case "$host" in
719	*-*-hpux10*)
720		if test -z "$GCC"; then
721			CFLAGS="$CFLAGS -Ae"
722		fi
723		;;
724	*-*-hpux11*)
725		AC_DEFINE([PAM_SUN_CODEBASE], [1],
726			[Define if you are using Solaris-derived PAM which
727			passes pam_messages to the conversation function
728			with an extra level of indirection])
729		AC_DEFINE([DISABLE_UTMP], [1],
730			[Define if you don't want to use utmp])
731		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
732		check_for_hpux_broken_getaddrinfo=1
733		check_for_conflicting_getspnam=1
734		;;
735	esac
736
737	# lastly, we define options specific to minor releases
738	case "$host" in
739	*-*-hpux10.26)
740		AC_DEFINE([HAVE_SECUREWARE], [1],
741			[Define if you have SecureWare-based
742			protected password database])
743		disable_ptmx_check=yes
744		LIBS="$LIBS -lsecpw"
745		;;
746	esac
747	;;
748*-*-irix5*)
749	PATH="$PATH:/usr/etc"
750	AC_DEFINE([BROKEN_INET_NTOA], [1],
751		[Define if you system's inet_ntoa is busted
752		(e.g. Irix gcc issue)])
753	AC_DEFINE([SETEUID_BREAKS_SETUID])
754	AC_DEFINE([BROKEN_SETREUID])
755	AC_DEFINE([BROKEN_SETREGID])
756	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
757		[Define if you shouldn't strip 'tty' from your
758		ttyname in [uw]tmp])
759	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
760	;;
761*-*-irix6*)
762	PATH="$PATH:/usr/etc"
763	AC_DEFINE([WITH_IRIX_ARRAY], [1],
764		[Define if you have/want arrays
765		(cluster-wide session management, not C arrays)])
766	AC_DEFINE([WITH_IRIX_PROJECT], [1],
767		[Define if you want IRIX project management])
768	AC_DEFINE([WITH_IRIX_AUDIT], [1],
769		[Define if you want IRIX audit trails])
770	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
771		[Define if you want IRIX kernel jobs])])
772	AC_DEFINE([BROKEN_INET_NTOA])
773	AC_DEFINE([SETEUID_BREAKS_SETUID])
774	AC_DEFINE([BROKEN_SETREUID])
775	AC_DEFINE([BROKEN_SETREGID])
776	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
777	AC_DEFINE([WITH_ABBREV_NO_TTY])
778	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
779	;;
780*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
781	check_for_libcrypt_later=1
782	AC_DEFINE([PAM_TTY_KLUDGE])
783	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
784	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
785	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
786	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
787	;;
788*-*-linux*)
789	no_dev_ptmx=1
790	use_pie=auto
791	check_for_libcrypt_later=1
792	check_for_openpty_ctty_bug=1
793	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
794	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
795	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
796	AC_DEFINE([PAM_TTY_KLUDGE], [1],
797		[Work around problematic Linux PAM modules handling of PAM_TTY])
798	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
799		[String used in /etc/passwd to denote locked account])
800	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
801	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
802		[Define to whatever link() returns for "not supported"
803		if it doesn't return EOPNOTSUPP.])
804	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
805	AC_DEFINE([USE_BTMP])
806	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
807	inet6_default_4in6=yes
808	case `uname -r` in
809	1.*|2.0.*)
810		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
811			[Define if cmsg_type is not passed correctly])
812		;;
813	esac
814	# tun(4) forwarding compat code
815	AC_CHECK_HEADERS([linux/if_tun.h])
816	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
817		AC_DEFINE([SSH_TUN_LINUX], [1],
818		    [Open tunnel devices the Linux tun/tap way])
819		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
820		    [Use tunnel device compatibility to OpenBSD])
821		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
822		    [Prepend the address family to IP tunnel traffic])
823	fi
824	AC_CHECK_HEADER([linux/if.h],
825	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
826		[Support routing domains using Linux VRF]), [], [
827#ifdef HAVE_SYS_TYPES_H
828# include <sys/types.H>
829#endif
830	    ])
831	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
832	    [], [#include <linux/types.h>])
833	# Obtain MIPS ABI
834	case "$host" in
835	mips*)
836		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
837#if _MIPS_SIM != _ABIO32
838#error
839#endif
840			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
841#if _MIPS_SIM != _ABIN32
842#error
843#endif
844				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
845#if _MIPS_SIM != _ABI64
846#error
847#endif
848					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
849				])
850			])
851		])
852		;;
853	esac
854	AC_MSG_CHECKING([for seccomp architecture])
855	seccomp_audit_arch=
856	case "$host" in
857	x86_64-*)
858		seccomp_audit_arch=AUDIT_ARCH_X86_64
859		;;
860	i*86-*)
861		seccomp_audit_arch=AUDIT_ARCH_I386
862		;;
863	arm*-*)
864		seccomp_audit_arch=AUDIT_ARCH_ARM
865		;;
866	aarch64*-*)
867		seccomp_audit_arch=AUDIT_ARCH_AARCH64
868		;;
869	s390x-*)
870		seccomp_audit_arch=AUDIT_ARCH_S390X
871		;;
872	s390-*)
873		seccomp_audit_arch=AUDIT_ARCH_S390
874		;;
875	powerpc64-*)
876		seccomp_audit_arch=AUDIT_ARCH_PPC64
877		;;
878	powerpc64le-*)
879		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
880		;;
881	mips-*)
882		seccomp_audit_arch=AUDIT_ARCH_MIPS
883		;;
884	mipsel-*)
885		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
886		;;
887	mips64-*)
888		case "$mips_abi" in
889		"n32")
890			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
891			;;
892		"n64")
893			seccomp_audit_arch=AUDIT_ARCH_MIPS64
894			;;
895		esac
896		;;
897	mips64el-*)
898		case "$mips_abi" in
899		"n32")
900			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
901			;;
902		"n64")
903			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
904			;;
905		esac
906		;;
907	esac
908	if test "x$seccomp_audit_arch" != "x" ; then
909		AC_MSG_RESULT(["$seccomp_audit_arch"])
910		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
911		    [Specify the system call convention in use])
912	else
913		AC_MSG_RESULT([architecture not supported])
914	fi
915	;;
916mips-sony-bsd|mips-sony-newsos4)
917	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
918	SONY=1
919	;;
920*-*-netbsd*)
921	check_for_libcrypt_before=1
922	if test "x$withval" != "xno" ; then
923		need_dash_r=1
924	fi
925	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
926	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
927	AC_CHECK_HEADER([net/if_tap.h], ,
928	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
929	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
930	    [Prepend the address family to IP tunnel traffic])
931	TEST_MALLOC_OPTIONS="AJRX"
932	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
933	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
934	;;
935*-*-freebsd*)
936	check_for_libcrypt_later=1
937	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
938	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
939	AC_CHECK_HEADER([net/if_tap.h], ,
940	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
941	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
942	TEST_MALLOC_OPTIONS="AJRX"
943	# Preauth crypto occasionally uses file descriptors for crypto offload
944	# and will crash if they cannot be opened.
945	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
946	    [define if setrlimit RLIMIT_NOFILE breaks things])
947	;;
948*-*-bsdi*)
949	AC_DEFINE([SETEUID_BREAKS_SETUID])
950	AC_DEFINE([BROKEN_SETREUID])
951	AC_DEFINE([BROKEN_SETREGID])
952	;;
953*-next-*)
954	conf_lastlog_location="/usr/adm/lastlog"
955	conf_utmp_location=/etc/utmp
956	conf_wtmp_location=/usr/adm/wtmp
957	maildir=/usr/spool/mail
958	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
959	AC_DEFINE([BROKEN_REALPATH])
960	AC_DEFINE([USE_PIPES])
961	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
962	;;
963*-*-openbsd*)
964	use_pie=auto
965	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
966	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
967	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
968	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
969	    [syslog_r function is safe to use in in a signal handler])
970	TEST_MALLOC_OPTIONS="AFGJPRX"
971	;;
972*-*-solaris*)
973	if test "x$withval" != "xno" ; then
974		need_dash_r=1
975	fi
976	AC_DEFINE([PAM_SUN_CODEBASE])
977	AC_DEFINE([LOGIN_NEEDS_UTMPX])
978	AC_DEFINE([PAM_TTY_KLUDGE])
979	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
980		[Define if pam_chauthtok wants real uid set
981		to the unpriv'ed user])
982	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
983	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
984	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
985		[Define if sshd somehow reacquires a controlling TTY
986		after setsid()])
987	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
988		in case the name is longer than 8 chars])
989	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
990	external_path_file=/etc/default/login
991	# hardwire lastlog location (can't detect it on some versions)
992	conf_lastlog_location="/var/adm/lastlog"
993	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
994	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
995	if test "$sol2ver" -ge 8; then
996		AC_MSG_RESULT([yes])
997		AC_DEFINE([DISABLE_UTMP])
998		AC_DEFINE([DISABLE_WTMP], [1],
999			[Define if you don't want to use wtmp])
1000	else
1001		AC_MSG_RESULT([no])
1002	fi
1003	AC_CHECK_FUNCS([setpflags])
1004	AC_CHECK_FUNCS([setppriv])
1005	AC_CHECK_FUNCS([priv_basicset])
1006	AC_CHECK_HEADERS([priv.h])
1007	AC_ARG_WITH([solaris-contracts],
1008		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1009		[
1010		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1011			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1012				[Define if you have Solaris process contracts])
1013			  LIBS="$LIBS -lcontract"
1014			  SPC_MSG="yes" ], )
1015		],
1016	)
1017	AC_ARG_WITH([solaris-projects],
1018		[  --with-solaris-projects Enable Solaris projects (experimental)],
1019		[
1020		AC_CHECK_LIB([project], [setproject],
1021			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1022				[Define if you have Solaris projects])
1023			LIBS="$LIBS -lproject"
1024			SP_MSG="yes" ], )
1025		],
1026	)
1027	AC_ARG_WITH([solaris-privs],
1028		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1029		[
1030		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1031		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1032			"x$ac_cv_header_priv_h" = "xyes" ; then
1033			SOLARIS_PRIVS=yes
1034			AC_MSG_RESULT([found])
1035			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1036				[Define to disable UID restoration test])
1037			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1038				[Define if you have Solaris privileges])
1039			SPP_MSG="yes"
1040		else
1041			AC_MSG_RESULT([not found])
1042			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1043		fi
1044		],
1045	)
1046	TEST_SHELL=$SHELL	# let configure find us a capable shell
1047	;;
1048*-*-sunos4*)
1049	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1050	AC_CHECK_FUNCS([getpwanam])
1051	AC_DEFINE([PAM_SUN_CODEBASE])
1052	conf_utmp_location=/etc/utmp
1053	conf_wtmp_location=/var/adm/wtmp
1054	conf_lastlog_location=/var/adm/lastlog
1055	AC_DEFINE([USE_PIPES])
1056	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1057	;;
1058*-ncr-sysv*)
1059	LIBS="$LIBS -lc89"
1060	AC_DEFINE([USE_PIPES])
1061	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1062	AC_DEFINE([SETEUID_BREAKS_SETUID])
1063	AC_DEFINE([BROKEN_SETREUID])
1064	AC_DEFINE([BROKEN_SETREGID])
1065	;;
1066*-sni-sysv*)
1067	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1068	AC_CHECK_LIB([dl], [dlsym], ,)
1069	# -lresolv needs to be at the end of LIBS or DNS lookups break
1070	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1071	IPADDR_IN_DISPLAY=yes
1072	AC_DEFINE([USE_PIPES])
1073	AC_DEFINE([IP_TOS_IS_BROKEN])
1074	AC_DEFINE([SETEUID_BREAKS_SETUID])
1075	AC_DEFINE([BROKEN_SETREUID])
1076	AC_DEFINE([BROKEN_SETREGID])
1077	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1078	external_path_file=/etc/default/login
1079	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1080	# Attention: always take care to bind libsocket and libnsl before libc,
1081	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1082	;;
1083# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1084*-*-sysv4.2*)
1085	AC_DEFINE([USE_PIPES])
1086	AC_DEFINE([SETEUID_BREAKS_SETUID])
1087	AC_DEFINE([BROKEN_SETREUID])
1088	AC_DEFINE([BROKEN_SETREGID])
1089	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1090	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1091	TEST_SHELL=$SHELL	# let configure find us a capable shell
1092	;;
1093# UnixWare 7.x, OpenUNIX 8
1094*-*-sysv5*)
1095	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1096	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1097	AC_DEFINE([USE_PIPES])
1098	AC_DEFINE([SETEUID_BREAKS_SETUID])
1099	AC_DEFINE([BROKEN_GETADDRINFO])
1100	AC_DEFINE([BROKEN_SETREUID])
1101	AC_DEFINE([BROKEN_SETREGID])
1102	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1103	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1104	TEST_SHELL=$SHELL	# let configure find us a capable shell
1105	check_for_libcrypt_later=1
1106	case "$host" in
1107	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1108		maildir=/var/spool/mail
1109		AC_DEFINE([BROKEN_UPDWTMPX])
1110		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1111			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1112			], , )
1113		;;
1114	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1115		;;
1116	esac
1117	;;
1118*-*-sysv*)
1119	;;
1120# SCO UNIX and OEM versions of SCO UNIX
1121*-*-sco3.2v4*)
1122	AC_MSG_ERROR("This Platform is no longer supported.")
1123	;;
1124# SCO OpenServer 5.x
1125*-*-sco3.2v5*)
1126	if test -z "$GCC"; then
1127		CFLAGS="$CFLAGS -belf"
1128	fi
1129	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1130	no_dev_ptmx=1
1131	AC_DEFINE([USE_PIPES])
1132	AC_DEFINE([HAVE_SECUREWARE])
1133	AC_DEFINE([DISABLE_SHADOW])
1134	AC_DEFINE([DISABLE_FD_PASSING])
1135	AC_DEFINE([SETEUID_BREAKS_SETUID])
1136	AC_DEFINE([BROKEN_GETADDRINFO])
1137	AC_DEFINE([BROKEN_SETREUID])
1138	AC_DEFINE([BROKEN_SETREGID])
1139	AC_DEFINE([WITH_ABBREV_NO_TTY])
1140	AC_DEFINE([BROKEN_UPDWTMPX])
1141	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1142	AC_CHECK_FUNCS([getluid setluid])
1143	MANTYPE=man
1144	TEST_SHELL=$SHELL	# let configure find us a capable shell
1145	SKIP_DISABLE_LASTLOG_DEFINE=yes
1146	;;
1147*-dec-osf*)
1148	AC_MSG_CHECKING([for Digital Unix SIA])
1149	no_osfsia=""
1150	AC_ARG_WITH([osfsia],
1151		[  --with-osfsia           Enable Digital Unix SIA],
1152		[
1153			if test "x$withval" = "xno" ; then
1154				AC_MSG_RESULT([disabled])
1155				no_osfsia=1
1156			fi
1157		],
1158	)
1159	if test -z "$no_osfsia" ; then
1160		if test -f /etc/sia/matrix.conf; then
1161			AC_MSG_RESULT([yes])
1162			AC_DEFINE([HAVE_OSF_SIA], [1],
1163				[Define if you have Digital Unix Security
1164				Integration Architecture])
1165			AC_DEFINE([DISABLE_LOGIN], [1],
1166				[Define if you don't want to use your
1167				system's login() call])
1168			AC_DEFINE([DISABLE_FD_PASSING])
1169			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1170			SIA_MSG="yes"
1171		else
1172			AC_MSG_RESULT([no])
1173			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1174			  [String used in /etc/passwd to denote locked account])
1175		fi
1176	fi
1177	AC_DEFINE([BROKEN_GETADDRINFO])
1178	AC_DEFINE([SETEUID_BREAKS_SETUID])
1179	AC_DEFINE([BROKEN_SETREUID])
1180	AC_DEFINE([BROKEN_SETREGID])
1181	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1182	;;
1183
1184*-*-nto-qnx*)
1185	AC_DEFINE([USE_PIPES])
1186	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1187	AC_DEFINE([DISABLE_LASTLOG])
1188	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1189	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1190	enable_etc_default_login=no	# has incompatible /etc/default/login
1191	case "$host" in
1192	*-*-nto-qnx6*)
1193		AC_DEFINE([DISABLE_FD_PASSING])
1194		;;
1195	esac
1196	;;
1197
1198*-*-ultrix*)
1199	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1200	AC_DEFINE([NEED_SETPGRP])
1201	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1202	;;
1203
1204*-*-lynxos)
1205	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1206	AC_DEFINE([BROKEN_SETVBUF], [1],
1207	    [LynxOS has broken setvbuf() implementation])
1208	;;
1209esac
1210
1211AC_MSG_CHECKING([compiler and flags for sanity])
1212AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1213	[	AC_MSG_RESULT([yes]) ],
1214	[
1215		AC_MSG_RESULT([no])
1216		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1217	],
1218	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1219)
1220
1221dnl Checks for header files.
1222# Checks for libraries.
1223AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1224
1225dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1226AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1227	AC_CHECK_LIB([gen], [dirname], [
1228		AC_CACHE_CHECK([for broken dirname],
1229			ac_cv_have_broken_dirname, [
1230			save_LIBS="$LIBS"
1231			LIBS="$LIBS -lgen"
1232			AC_RUN_IFELSE(
1233				[AC_LANG_SOURCE([[
1234#include <libgen.h>
1235#include <string.h>
1236
1237int main(int argc, char **argv) {
1238    char *s, buf[32];
1239
1240    strncpy(buf,"/etc", 32);
1241    s = dirname(buf);
1242    if (!s || strncmp(s, "/", 32) != 0) {
1243	exit(1);
1244    } else {
1245	exit(0);
1246    }
1247}
1248				]])],
1249				[ ac_cv_have_broken_dirname="no" ],
1250				[ ac_cv_have_broken_dirname="yes" ],
1251				[ ac_cv_have_broken_dirname="no" ],
1252			)
1253			LIBS="$save_LIBS"
1254		])
1255		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1256			LIBS="$LIBS -lgen"
1257			AC_DEFINE([HAVE_DIRNAME])
1258			AC_CHECK_HEADERS([libgen.h])
1259		fi
1260	])
1261])
1262
1263AC_CHECK_FUNC([getspnam], ,
1264	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1265AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1266	[Define if you have the basename function.])])
1267
1268dnl zlib is required
1269AC_ARG_WITH([zlib],
1270	[  --with-zlib=PATH        Use zlib in PATH],
1271	[ if test "x$withval" = "xno" ; then
1272		AC_MSG_ERROR([*** zlib is required ***])
1273	  elif test "x$withval" != "xyes"; then
1274		if test -d "$withval/lib"; then
1275			if test -n "${need_dash_r}"; then
1276				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1277			else
1278				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1279			fi
1280		else
1281			if test -n "${need_dash_r}"; then
1282				LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1283			else
1284				LDFLAGS="-L${withval} ${LDFLAGS}"
1285			fi
1286		fi
1287		if test -d "$withval/include"; then
1288			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1289		else
1290			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1291		fi
1292	fi ]
1293)
1294
1295AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1296AC_CHECK_LIB([z], [deflate], ,
1297	[
1298		saved_CPPFLAGS="$CPPFLAGS"
1299		saved_LDFLAGS="$LDFLAGS"
1300		save_LIBS="$LIBS"
1301		dnl Check default zlib install dir
1302		if test -n "${need_dash_r}"; then
1303			LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}"
1304		else
1305			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1306		fi
1307		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1308		LIBS="$LIBS -lz"
1309		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1310			[
1311				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1312			]
1313		)
1314	]
1315)
1316
1317AC_ARG_WITH([zlib-version-check],
1318	[  --without-zlib-version-check Disable zlib version check],
1319	[  if test "x$withval" = "xno" ; then
1320		zlib_check_nonfatal=1
1321	   fi
1322	]
1323)
1324
1325AC_MSG_CHECKING([for possibly buggy zlib])
1326AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1327#include <stdio.h>
1328#include <stdlib.h>
1329#include <zlib.h>
1330	]],
1331	[[
1332	int a=0, b=0, c=0, d=0, n, v;
1333	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1334	if (n != 3 && n != 4)
1335		exit(1);
1336	v = a*1000000 + b*10000 + c*100 + d;
1337	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1338
1339	/* 1.1.4 is OK */
1340	if (a == 1 && b == 1 && c >= 4)
1341		exit(0);
1342
1343	/* 1.2.3 and up are OK */
1344	if (v >= 1020300)
1345		exit(0);
1346
1347	exit(2);
1348	]])],
1349	AC_MSG_RESULT([no]),
1350	[ AC_MSG_RESULT([yes])
1351	  if test -z "$zlib_check_nonfatal" ; then
1352		AC_MSG_ERROR([*** zlib too old - check config.log ***
1353Your reported zlib version has known security problems.  It's possible your
1354vendor has fixed these problems without changing the version number.  If you
1355are sure this is the case, you can disable the check by running
1356"./configure --without-zlib-version-check".
1357If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1358See http://www.gzip.org/zlib/ for details.])
1359	  else
1360		AC_MSG_WARN([zlib version may have security problems])
1361	  fi
1362	],
1363	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1364)
1365
1366dnl UnixWare 2.x
1367AC_CHECK_FUNC([strcasecmp],
1368	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1369)
1370AC_CHECK_FUNCS([utimes],
1371	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1372					LIBS="$LIBS -lc89"]) ]
1373)
1374
1375dnl    Checks for libutil functions
1376AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1377AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1378AC_SEARCH_LIBS([scan_scaled], [util bsd])
1379AC_SEARCH_LIBS([login], [util bsd])
1380AC_SEARCH_LIBS([logout], [util bsd])
1381AC_SEARCH_LIBS([logwtmp], [util bsd])
1382AC_SEARCH_LIBS([openpty], [util bsd])
1383AC_SEARCH_LIBS([updwtmp], [util bsd])
1384AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1385
1386# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1387# or libnsl.
1388AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1389AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1390
1391# "Particular Function Checks"
1392# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1393AC_FUNC_STRFTIME
1394AC_FUNC_MALLOC
1395AC_FUNC_REALLOC
1396# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1397AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1398AC_RUN_IFELSE(
1399	[AC_LANG_PROGRAM(
1400		[[ #include <stdlib.h> ]],
1401		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1402	)],
1403	[ func_calloc_0_nonnull=yes ],
1404	[ func_calloc_0_nonnull=no ],
1405	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1406	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1407)
1408AC_MSG_RESULT([$func_calloc_0_nonnull])
1409
1410if test "x$func_calloc_0_nonnull" = "xyes"; then
1411	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1412else
1413	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1414	AC_DEFINE(calloc, rpl_calloc,
1415	    [Define to rpl_calloc if the replacement function should be used.])
1416fi
1417
1418# Check for ALTDIRFUNC glob() extension
1419AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1420AC_EGREP_CPP([FOUNDIT],
1421	[
1422		#include <glob.h>
1423		#ifdef GLOB_ALTDIRFUNC
1424		FOUNDIT
1425		#endif
1426	],
1427	[
1428		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1429			[Define if your system glob() function has
1430			the GLOB_ALTDIRFUNC extension])
1431		AC_MSG_RESULT([yes])
1432	],
1433	[
1434		AC_MSG_RESULT([no])
1435	]
1436)
1437
1438# Check for g.gl_matchc glob() extension
1439AC_MSG_CHECKING([for gl_matchc field in glob_t])
1440AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1441	[[ glob_t g; g.gl_matchc = 1; ]])],
1442	[
1443		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1444			[Define if your system glob() function has
1445			gl_matchc options in glob_t])
1446		AC_MSG_RESULT([yes])
1447	], [
1448		AC_MSG_RESULT([no])
1449])
1450
1451# Check for g.gl_statv glob() extension
1452AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1453AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1454#ifndef GLOB_KEEPSTAT
1455#error "glob does not support GLOB_KEEPSTAT extension"
1456#endif
1457glob_t g;
1458g.gl_statv = NULL;
1459]])],
1460	[
1461		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1462			[Define if your system glob() function has
1463			gl_statv options in glob_t])
1464		AC_MSG_RESULT([yes])
1465	], [
1466		AC_MSG_RESULT([no])
1467
1468])
1469
1470AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1471
1472AC_CHECK_DECL([VIS_ALL], ,
1473    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1474
1475AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1476AC_RUN_IFELSE(
1477	[AC_LANG_PROGRAM([[
1478#include <sys/types.h>
1479#include <dirent.h>]],
1480	[[
1481	struct dirent d;
1482	exit(sizeof(d.d_name)<=sizeof(char));
1483	]])],
1484	[AC_MSG_RESULT([yes])],
1485	[
1486		AC_MSG_RESULT([no])
1487		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1488			[Define if your struct dirent expects you to
1489			allocate extra space for d_name])
1490	],
1491	[
1492		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1493		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1494	]
1495)
1496
1497AC_MSG_CHECKING([for /proc/pid/fd directory])
1498if test -d "/proc/$$/fd" ; then
1499	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1500	AC_MSG_RESULT([yes])
1501else
1502	AC_MSG_RESULT([no])
1503fi
1504
1505# Check whether user wants TCP wrappers support
1506TCPW_MSG="no"
1507AC_ARG_WITH([tcp-wrappers],
1508	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1509	[
1510		if test "x$withval" != "xno" ; then
1511			saved_LIBS="$LIBS"
1512			saved_LDFLAGS="$LDFLAGS"
1513			saved_CPPFLAGS="$CPPFLAGS"
1514			if test -n "${withval}" && \
1515			    test "x${withval}" != "xyes"; then
1516				if test -d "${withval}/lib"; then
1517					if test -n "${need_dash_r}"; then
1518						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1519					else
1520						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1521					fi
1522				else
1523					if test -n "${need_dash_r}"; then
1524						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1525					else
1526						LDFLAGS="-L${withval} ${LDFLAGS}"
1527					fi
1528				fi
1529				if test -d "${withval}/include"; then
1530					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1531				else
1532					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1533				fi
1534			fi
1535			LIBS="-lwrap $LIBS"
1536			AC_MSG_CHECKING([for libwrap])
1537			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1538#include <sys/types.h>
1539#include <sys/socket.h>
1540#include <netinet/in.h>
1541#include <tcpd.h>
1542int deny_severity = 0, allow_severity = 0;
1543				]], [[
1544	hosts_access(0);
1545				]])], [
1546					AC_MSG_RESULT([yes])
1547					AC_DEFINE([LIBWRAP], [1],
1548						[Define if you want
1549						TCP Wrappers support])
1550					SSHDLIBS="$SSHDLIBS -lwrap"
1551					TCPW_MSG="yes"
1552				], [
1553					AC_MSG_ERROR([*** libwrap missing])
1554			])
1555			LIBS="$saved_LIBS"
1556		fi
1557	]
1558)
1559
1560# Check whether user wants to use ldns
1561LDNS_MSG="no"
1562AC_ARG_WITH(ldns,
1563	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1564	[
1565	ldns=""
1566	if test "x$withval" = "xyes" ; then
1567		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1568		if test "x$LDNSCONFIG" = "xno"; then
1569			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1570			LDFLAGS="$LDFLAGS -L${withval}/lib"
1571			LIBS="-lldns $LIBS"
1572			ldns=yes
1573		else
1574			LIBS="$LIBS `$LDNSCONFIG --libs`"
1575			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1576			ldns=yes
1577		fi
1578	elif test "x$withval" != "xno" ; then
1579			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1580			LDFLAGS="$LDFLAGS -L${withval}/lib"
1581			LIBS="-lldns $LIBS"
1582			ldns=yes
1583	fi
1584
1585	# Verify that it works.
1586	if test "x$ldns" = "xyes" ; then
1587		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1588		LDNS_MSG="yes"
1589		AC_MSG_CHECKING([for ldns support])
1590		AC_LINK_IFELSE(
1591			[AC_LANG_SOURCE([[
1592#include <stdio.h>
1593#include <stdlib.h>
1594#include <stdint.h>
1595#include <ldns/ldns.h>
1596int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1597			]])
1598		],
1599			[AC_MSG_RESULT(yes)],
1600				[
1601					AC_MSG_RESULT(no)
1602					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1603				])
1604	fi
1605])
1606
1607# Check whether user wants libedit support
1608LIBEDIT_MSG="no"
1609AC_ARG_WITH([libedit],
1610	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1611	[ if test "x$withval" != "xno" ; then
1612		if test "x$withval" = "xyes" ; then
1613			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1614			if test "x$PKGCONFIG" != "xno"; then
1615				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1616				if "$PKGCONFIG" libedit; then
1617					AC_MSG_RESULT([yes])
1618					use_pkgconfig_for_libedit=yes
1619				else
1620					AC_MSG_RESULT([no])
1621				fi
1622			fi
1623		else
1624			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1625			if test -n "${need_dash_r}"; then
1626				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1627			else
1628				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1629			fi
1630		fi
1631		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1632			LIBEDIT=`$PKGCONFIG --libs libedit`
1633			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1634		else
1635			LIBEDIT="-ledit -lcurses"
1636		fi
1637		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1638		AC_CHECK_LIB([edit], [el_init],
1639			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1640			  LIBEDIT_MSG="yes"
1641			  AC_SUBST([LIBEDIT])
1642			],
1643			[ AC_MSG_ERROR([libedit not found]) ],
1644			[ $OTHERLIBS ]
1645		)
1646		AC_MSG_CHECKING([if libedit version is compatible])
1647		AC_COMPILE_IFELSE(
1648		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1649		    [[
1650	int i = H_SETSIZE;
1651	el_init("", NULL, NULL, NULL);
1652	exit(0);
1653		    ]])],
1654		    [ AC_MSG_RESULT([yes]) ],
1655		    [ AC_MSG_RESULT([no])
1656		      AC_MSG_ERROR([libedit version is not compatible]) ]
1657		)
1658	fi ]
1659)
1660
1661AUDIT_MODULE=none
1662AC_ARG_WITH([audit],
1663	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1664	[
1665	  AC_MSG_CHECKING([for supported audit module])
1666	  case "$withval" in
1667	  bsm)
1668		AC_MSG_RESULT([bsm])
1669		AUDIT_MODULE=bsm
1670		dnl    Checks for headers, libs and functions
1671		AC_CHECK_HEADERS([bsm/audit.h], [],
1672		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1673		    [
1674#ifdef HAVE_TIME_H
1675# include <time.h>
1676#endif
1677		    ]
1678)
1679		AC_CHECK_LIB([bsm], [getaudit], [],
1680		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1681		AC_CHECK_FUNCS([getaudit], [],
1682		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1683		# These are optional
1684		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1685		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1686		if test "$sol2ver" -ge 11; then
1687			SSHDLIBS="$SSHDLIBS -lscf"
1688			AC_DEFINE([BROKEN_BSM_API], [1],
1689				[The system has incomplete BSM API])
1690		fi
1691		;;
1692	  linux)
1693		AC_MSG_RESULT([linux])
1694		AUDIT_MODULE=linux
1695		dnl    Checks for headers, libs and functions
1696		AC_CHECK_HEADERS([libaudit.h])
1697		SSHDLIBS="$SSHDLIBS -laudit"
1698		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1699		;;
1700	  debug)
1701		AUDIT_MODULE=debug
1702		AC_MSG_RESULT([debug])
1703		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1704		;;
1705	  no)
1706		AC_MSG_RESULT([no])
1707		;;
1708	  *)
1709		AC_MSG_ERROR([Unknown audit module $withval])
1710		;;
1711	esac ]
1712)
1713
1714AC_ARG_WITH([pie],
1715    [  --with-pie              Build Position Independent Executables if possible], [
1716	if test "x$withval" = "xno"; then
1717		use_pie=no
1718	fi
1719	if test "x$withval" = "xyes"; then
1720		use_pie=yes
1721	fi
1722    ]
1723)
1724if test "x$use_pie" = "x"; then
1725	use_pie=no
1726fi
1727if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1728	# Turn off automatic PIE when toolchain hardening is off.
1729	use_pie=no
1730fi
1731if test "x$use_pie" = "xauto"; then
1732	# Automatic PIE requires gcc >= 4.x
1733	AC_MSG_CHECKING([for gcc >= 4.x])
1734	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1735#if !defined(__GNUC__) || __GNUC__ < 4
1736#error gcc is too old
1737#endif
1738]])],
1739	[ AC_MSG_RESULT([yes]) ],
1740	[ AC_MSG_RESULT([no])
1741	  use_pie=no ]
1742)
1743fi
1744if test "x$use_pie" != "xno"; then
1745	SAVED_CFLAGS="$CFLAGS"
1746	SAVED_LDFLAGS="$LDFLAGS"
1747	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1748	OSSH_CHECK_LDFLAG_LINK([-pie])
1749	# We use both -fPIE and -pie or neither.
1750	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1751	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1752	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1753		AC_MSG_RESULT([yes])
1754	else
1755		AC_MSG_RESULT([no])
1756		CFLAGS="$SAVED_CFLAGS"
1757		LDFLAGS="$SAVED_LDFLAGS"
1758	fi
1759fi
1760
1761dnl    Checks for library functions. Please keep in alphabetical order
1762AC_CHECK_FUNCS([ \
1763	Blowfish_initstate \
1764	Blowfish_expandstate \
1765	Blowfish_expand0state \
1766	Blowfish_stream2word \
1767	asprintf \
1768	b64_ntop \
1769	__b64_ntop \
1770	b64_pton \
1771	__b64_pton \
1772	bcopy \
1773	bcrypt_pbkdf \
1774	bindresvport_sa \
1775	blf_enc \
1776	bzero \
1777	cap_rights_limit \
1778	clock \
1779	closefrom \
1780	dirfd \
1781	endgrent \
1782	err \
1783	errx \
1784	explicit_bzero \
1785	fchmod \
1786	fchown \
1787	flock \
1788	freeaddrinfo \
1789	freezero \
1790	fstatfs \
1791	fstatvfs \
1792	futimes \
1793	getaddrinfo \
1794	getcwd \
1795	getgrouplist \
1796	getline \
1797	getnameinfo \
1798	getopt \
1799	getpagesize \
1800	getpeereid \
1801	getpeerucred \
1802	getpgid \
1803	_getpty \
1804	getrlimit \
1805	getrandom \
1806	getsid \
1807	getttyent \
1808	glob \
1809	group_from_gid \
1810	inet_aton \
1811	inet_ntoa \
1812	inet_ntop \
1813	innetgr \
1814	llabs \
1815	login_getcapbool \
1816	md5_crypt \
1817	memmove \
1818	memset_s \
1819	mkdtemp \
1820	ngetaddrinfo \
1821	nsleep \
1822	ogetaddrinfo \
1823	openlog_r \
1824	pledge \
1825	poll \
1826	prctl \
1827	pstat \
1828	raise \
1829	readpassphrase \
1830	reallocarray \
1831	recvmsg \
1832	recallocarray \
1833	rresvport_af \
1834	sendmsg \
1835	setdtablesize \
1836	setegid \
1837	setenv \
1838	seteuid \
1839	setgroupent \
1840	setgroups \
1841	setlinebuf \
1842	setlogin \
1843	setpassent\
1844	setpcred \
1845	setproctitle \
1846	setregid \
1847	setreuid \
1848	setrlimit \
1849	setsid \
1850	setvbuf \
1851	sigaction \
1852	sigvec \
1853	snprintf \
1854	socketpair \
1855	statfs \
1856	statvfs \
1857	strcasestr \
1858	strdup \
1859	strerror \
1860	strlcat \
1861	strlcpy \
1862	strmode \
1863	strndup \
1864	strnlen \
1865	strnvis \
1866	strptime \
1867	strsignal \
1868	strtonum \
1869	strtoll \
1870	strtoul \
1871	strtoull \
1872	swap32 \
1873	sysconf \
1874	tcgetpgrp \
1875	timingsafe_bcmp \
1876	truncate \
1877	unsetenv \
1878	updwtmpx \
1879	user_from_uid \
1880	usleep \
1881	vasprintf \
1882	vsnprintf \
1883	waitpid \
1884	warn \
1885])
1886
1887AC_CHECK_DECLS([bzero])
1888
1889dnl Wide character support.
1890AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1891
1892TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1893AC_MSG_CHECKING([for utf8 locale support])
1894AC_RUN_IFELSE(
1895	[AC_LANG_PROGRAM([[
1896#include <locale.h>
1897#include <stdlib.h>
1898	]], [[
1899	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1900	if (loc != NULL)
1901		exit(0);
1902	exit(1);
1903	]])],
1904	AC_MSG_RESULT(yes),
1905	[AC_MSG_RESULT(no)
1906	 TEST_SSH_UTF8=no],
1907	AC_MSG_WARN([cross compiling: assuming yes])
1908)
1909
1910AC_LINK_IFELSE(
1911        [AC_LANG_PROGRAM(
1912           [[ #include <ctype.h> ]],
1913           [[ return (isblank('a')); ]])],
1914	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1915])
1916
1917disable_pkcs11=
1918AC_ARG_ENABLE([pkcs11],
1919	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1920	[
1921		if test "x$enableval" = "xno" ; then
1922			disable_pkcs11=1
1923		fi
1924	]
1925)
1926
1927# PKCS11 depends on OpenSSL.
1928if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
1929	# PKCS#11 support requires dlopen() and co
1930	AC_SEARCH_LIBS([dlopen], [dl],
1931	    AC_CHECK_DECL([RTLD_NOW],
1932		AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]),
1933		[], [#include <dlfcn.h>]
1934	    )
1935	)
1936fi
1937
1938# IRIX has a const char return value for gai_strerror()
1939AC_CHECK_FUNCS([gai_strerror], [
1940	AC_DEFINE([HAVE_GAI_STRERROR])
1941	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1942#include <sys/types.h>
1943#include <sys/socket.h>
1944#include <netdb.h>
1945
1946const char *gai_strerror(int);
1947			]], [[
1948	char *str;
1949	str = gai_strerror(0);
1950			]])], [
1951		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1952		[Define if gai_strerror() returns const char *])], [])])
1953
1954AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1955	[Some systems put nanosleep outside of libc])])
1956
1957AC_SEARCH_LIBS([clock_gettime], [rt],
1958	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1959
1960dnl Make sure prototypes are defined for these before using them.
1961AC_CHECK_DECL([strsep],
1962	[AC_CHECK_FUNCS([strsep])],
1963	[],
1964	[
1965#ifdef HAVE_STRING_H
1966# include <string.h>
1967#endif
1968	])
1969
1970dnl tcsendbreak might be a macro
1971AC_CHECK_DECL([tcsendbreak],
1972	[AC_DEFINE([HAVE_TCSENDBREAK])],
1973	[AC_CHECK_FUNCS([tcsendbreak])],
1974	[#include <termios.h>]
1975)
1976
1977AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
1978
1979AC_CHECK_DECLS([SHUT_RD], , ,
1980	[
1981#include <sys/types.h>
1982#include <sys/socket.h>
1983	])
1984
1985AC_CHECK_DECLS([O_NONBLOCK], , ,
1986	[
1987#include <sys/types.h>
1988#ifdef HAVE_SYS_STAT_H
1989# include <sys/stat.h>
1990#endif
1991#ifdef HAVE_FCNTL_H
1992# include <fcntl.h>
1993#endif
1994	])
1995
1996AC_CHECK_DECLS([readv, writev], , , [
1997#include <sys/types.h>
1998#include <sys/uio.h>
1999#include <unistd.h>
2000	])
2001
2002AC_CHECK_DECLS([MAXSYMLINKS], , , [
2003#include <sys/param.h>
2004	])
2005
2006AC_CHECK_DECLS([offsetof], , , [
2007#include <stddef.h>
2008	])
2009
2010# extra bits for select(2)
2011AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2012#include <sys/param.h>
2013#include <sys/types.h>
2014#ifdef HAVE_SYS_SYSMACROS_H
2015#include <sys/sysmacros.h>
2016#endif
2017#ifdef HAVE_SYS_SELECT_H
2018#include <sys/select.h>
2019#endif
2020#ifdef HAVE_SYS_TIME_H
2021#include <sys/time.h>
2022#endif
2023#ifdef HAVE_UNISTD_H
2024#include <unistd.h>
2025#endif
2026	]])
2027AC_CHECK_TYPES([fd_mask], [], [], [[
2028#include <sys/param.h>
2029#include <sys/types.h>
2030#ifdef HAVE_SYS_SELECT_H
2031#include <sys/select.h>
2032#endif
2033#ifdef HAVE_SYS_TIME_H
2034#include <sys/time.h>
2035#endif
2036#ifdef HAVE_UNISTD_H
2037#include <unistd.h>
2038#endif
2039	]])
2040
2041AC_CHECK_FUNCS([setresuid], [
2042	dnl Some platorms have setresuid that isn't implemented, test for this
2043	AC_MSG_CHECKING([if setresuid seems to work])
2044	AC_RUN_IFELSE(
2045		[AC_LANG_PROGRAM([[
2046#include <stdlib.h>
2047#include <errno.h>
2048		]], [[
2049	errno=0;
2050	setresuid(0,0,0);
2051	if (errno==ENOSYS)
2052		exit(1);
2053	else
2054		exit(0);
2055		]])],
2056		[AC_MSG_RESULT([yes])],
2057		[AC_DEFINE([BROKEN_SETRESUID], [1],
2058			[Define if your setresuid() is broken])
2059		 AC_MSG_RESULT([not implemented])],
2060		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2061	)
2062])
2063
2064AC_CHECK_FUNCS([setresgid], [
2065	dnl Some platorms have setresgid that isn't implemented, test for this
2066	AC_MSG_CHECKING([if setresgid seems to work])
2067	AC_RUN_IFELSE(
2068		[AC_LANG_PROGRAM([[
2069#include <stdlib.h>
2070#include <errno.h>
2071		]], [[
2072	errno=0;
2073	setresgid(0,0,0);
2074	if (errno==ENOSYS)
2075		exit(1);
2076	else
2077		exit(0);
2078		]])],
2079		[AC_MSG_RESULT([yes])],
2080		[AC_DEFINE([BROKEN_SETRESGID], [1],
2081			[Define if your setresgid() is broken])
2082		 AC_MSG_RESULT([not implemented])],
2083		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2084	)
2085])
2086
2087AC_CHECK_FUNCS([realpath], [
2088	dnl the sftp v3 spec says SSH_FXP_REALPATH will "canonicalize any given
2089	dnl path name", however some implementations of realpath (and some
2090	dnl versions of the POSIX spec) do not work on non-existent files,
2091	dnl so we use the OpenBSD implementation on those platforms.
2092	AC_MSG_CHECKING([if realpath works with non-existent files])
2093	AC_RUN_IFELSE(
2094		[AC_LANG_PROGRAM([[
2095#include <limits.h>
2096#include <stdlib.h>
2097#include <errno.h>
2098		]], [[
2099		char buf[PATH_MAX];
2100		if (realpath("/opensshnonexistentfilename1234", buf) == NULL)
2101			if (errno == ENOENT)
2102				exit(1);
2103		exit(0);
2104		]])],
2105		[AC_MSG_RESULT([yes])],
2106		[AC_DEFINE([BROKEN_REALPATH], [1],
2107			[realpath does not work with nonexistent files])
2108		 AC_MSG_RESULT([no])],
2109		[AC_MSG_WARN([cross compiling: assuming working])]
2110	)
2111])
2112
2113AC_MSG_CHECKING([for working fflush(NULL)])
2114AC_RUN_IFELSE(
2115	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2116	AC_MSG_RESULT([yes]),
2117	[AC_MSG_RESULT([no])
2118	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2119	    [define if fflush(NULL) does not work])],
2120	AC_MSG_WARN([cross compiling: assuming working])
2121)
2122
2123dnl    Checks for time functions
2124AC_CHECK_FUNCS([gettimeofday time])
2125dnl    Checks for utmp functions
2126AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2127AC_CHECK_FUNCS([utmpname])
2128dnl    Checks for utmpx functions
2129AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2130AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2131dnl    Checks for lastlog functions
2132AC_CHECK_FUNCS([getlastlogxbyname])
2133
2134AC_CHECK_FUNC([daemon],
2135	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2136	[AC_CHECK_LIB([bsd], [daemon],
2137		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2138)
2139
2140AC_CHECK_FUNC([getpagesize],
2141	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2142		[Define if your libraries define getpagesize()])],
2143	[AC_CHECK_LIB([ucb], [getpagesize],
2144		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2145)
2146
2147# Check for broken snprintf
2148if test "x$ac_cv_func_snprintf" = "xyes" ; then
2149	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2150	AC_RUN_IFELSE(
2151		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2152		[[
2153	char b[5];
2154	snprintf(b,5,"123456789");
2155	exit(b[4]!='\0');
2156		]])],
2157		[AC_MSG_RESULT([yes])],
2158		[
2159			AC_MSG_RESULT([no])
2160			AC_DEFINE([BROKEN_SNPRINTF], [1],
2161				[Define if your snprintf is busted])
2162			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2163		],
2164		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2165	)
2166fi
2167
2168# We depend on vsnprintf returning the right thing on overflow: the
2169# number of characters it tried to create (as per SUSv3)
2170if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2171	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2172	AC_RUN_IFELSE(
2173		[AC_LANG_PROGRAM([[
2174#include <sys/types.h>
2175#include <stdio.h>
2176#include <stdarg.h>
2177
2178int x_snprintf(char *str, size_t count, const char *fmt, ...)
2179{
2180	size_t ret;
2181	va_list ap;
2182
2183	va_start(ap, fmt);
2184	ret = vsnprintf(str, count, fmt, ap);
2185	va_end(ap);
2186	return ret;
2187}
2188		]], [[
2189char x[1];
2190if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2191	return 1;
2192if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2193	return 1;
2194return 0;
2195		]])],
2196		[AC_MSG_RESULT([yes])],
2197		[
2198			AC_MSG_RESULT([no])
2199			AC_DEFINE([BROKEN_SNPRINTF], [1],
2200				[Define if your snprintf is busted])
2201			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2202		],
2203		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2204	)
2205fi
2206
2207# On systems where [v]snprintf is broken, but is declared in stdio,
2208# check that the fmt argument is const char * or just char *.
2209# This is only useful for when BROKEN_SNPRINTF
2210AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2211AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2212#include <stdio.h>
2213int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2214		]], [[
2215	snprintf(0, 0, 0);
2216		]])],
2217   [AC_MSG_RESULT([yes])
2218    AC_DEFINE([SNPRINTF_CONST], [const],
2219              [Define as const if snprintf() can declare const char *fmt])],
2220   [AC_MSG_RESULT([no])
2221    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2222
2223# Check for missing getpeereid (or equiv) support
2224NO_PEERCHECK=""
2225if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2226	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2227	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2228#include <sys/types.h>
2229#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2230		[ AC_MSG_RESULT([yes])
2231		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2232		], [AC_MSG_RESULT([no])
2233		NO_PEERCHECK=1
2234        ])
2235fi
2236
2237dnl see whether mkstemp() requires XXXXXX
2238if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2239AC_MSG_CHECKING([for (overly) strict mkstemp])
2240AC_RUN_IFELSE(
2241	[AC_LANG_PROGRAM([[
2242#include <stdlib.h>
2243	]], [[
2244	char template[]="conftest.mkstemp-test";
2245	if (mkstemp(template) == -1)
2246		exit(1);
2247	unlink(template);
2248	exit(0);
2249	]])],
2250	[
2251		AC_MSG_RESULT([no])
2252	],
2253	[
2254		AC_MSG_RESULT([yes])
2255		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2256	],
2257	[
2258		AC_MSG_RESULT([yes])
2259		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2260	]
2261)
2262fi
2263
2264dnl make sure that openpty does not reacquire controlling terminal
2265if test ! -z "$check_for_openpty_ctty_bug"; then
2266	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2267	AC_RUN_IFELSE(
2268		[AC_LANG_PROGRAM([[
2269#include <stdio.h>
2270#include <sys/fcntl.h>
2271#include <sys/types.h>
2272#include <sys/wait.h>
2273		]], [[
2274	pid_t pid;
2275	int fd, ptyfd, ttyfd, status;
2276
2277	pid = fork();
2278	if (pid < 0) {		/* failed */
2279		exit(1);
2280	} else if (pid > 0) {	/* parent */
2281		waitpid(pid, &status, 0);
2282		if (WIFEXITED(status))
2283			exit(WEXITSTATUS(status));
2284		else
2285			exit(2);
2286	} else {		/* child */
2287		close(0); close(1); close(2);
2288		setsid();
2289		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2290		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2291		if (fd >= 0)
2292			exit(3);	/* Acquired ctty: broken */
2293		else
2294			exit(0);	/* Did not acquire ctty: OK */
2295	}
2296		]])],
2297		[
2298			AC_MSG_RESULT([yes])
2299		],
2300		[
2301			AC_MSG_RESULT([no])
2302			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2303		],
2304		[
2305			AC_MSG_RESULT([cross-compiling, assuming yes])
2306		]
2307	)
2308fi
2309
2310if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2311    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2312	AC_MSG_CHECKING([if getaddrinfo seems to work])
2313	AC_RUN_IFELSE(
2314		[AC_LANG_PROGRAM([[
2315#include <stdio.h>
2316#include <sys/socket.h>
2317#include <netdb.h>
2318#include <errno.h>
2319#include <netinet/in.h>
2320
2321#define TEST_PORT "2222"
2322		]], [[
2323	int err, sock;
2324	struct addrinfo *gai_ai, *ai, hints;
2325	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2326
2327	memset(&hints, 0, sizeof(hints));
2328	hints.ai_family = PF_UNSPEC;
2329	hints.ai_socktype = SOCK_STREAM;
2330	hints.ai_flags = AI_PASSIVE;
2331
2332	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2333	if (err != 0) {
2334		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2335		exit(1);
2336	}
2337
2338	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2339		if (ai->ai_family != AF_INET6)
2340			continue;
2341
2342		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2343		    sizeof(ntop), strport, sizeof(strport),
2344		    NI_NUMERICHOST|NI_NUMERICSERV);
2345
2346		if (err != 0) {
2347			if (err == EAI_SYSTEM)
2348				perror("getnameinfo EAI_SYSTEM");
2349			else
2350				fprintf(stderr, "getnameinfo failed: %s\n",
2351				    gai_strerror(err));
2352			exit(2);
2353		}
2354
2355		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2356		if (sock < 0)
2357			perror("socket");
2358		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2359			if (errno == EBADF)
2360				exit(3);
2361		}
2362	}
2363	exit(0);
2364		]])],
2365		[
2366			AC_MSG_RESULT([yes])
2367		],
2368		[
2369			AC_MSG_RESULT([no])
2370			AC_DEFINE([BROKEN_GETADDRINFO])
2371		],
2372		[
2373			AC_MSG_RESULT([cross-compiling, assuming yes])
2374		]
2375	)
2376fi
2377
2378if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2379    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2380	AC_MSG_CHECKING([if getaddrinfo seems to work])
2381	AC_RUN_IFELSE(
2382		[AC_LANG_PROGRAM([[
2383#include <stdio.h>
2384#include <sys/socket.h>
2385#include <netdb.h>
2386#include <errno.h>
2387#include <netinet/in.h>
2388
2389#define TEST_PORT "2222"
2390		]], [[
2391	int err, sock;
2392	struct addrinfo *gai_ai, *ai, hints;
2393	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2394
2395	memset(&hints, 0, sizeof(hints));
2396	hints.ai_family = PF_UNSPEC;
2397	hints.ai_socktype = SOCK_STREAM;
2398	hints.ai_flags = AI_PASSIVE;
2399
2400	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2401	if (err != 0) {
2402		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2403		exit(1);
2404	}
2405
2406	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2407		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2408			continue;
2409
2410		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2411		    sizeof(ntop), strport, sizeof(strport),
2412		    NI_NUMERICHOST|NI_NUMERICSERV);
2413
2414		if (ai->ai_family == AF_INET && err != 0) {
2415			perror("getnameinfo");
2416			exit(2);
2417		}
2418	}
2419	exit(0);
2420		]])],
2421		[
2422			AC_MSG_RESULT([yes])
2423			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2424				[Define if you have a getaddrinfo that fails
2425				for the all-zeros IPv6 address])
2426		],
2427		[
2428			AC_MSG_RESULT([no])
2429			AC_DEFINE([BROKEN_GETADDRINFO])
2430		],
2431		[
2432			AC_MSG_RESULT([cross-compiling, assuming no])
2433		]
2434	)
2435fi
2436
2437if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2438	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2439	    [#include <sys/types.h>
2440	     #include <sys/socket.h>
2441	     #include <netdb.h>])
2442fi
2443
2444if test "x$check_for_conflicting_getspnam" = "x1"; then
2445	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2446	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2447		[[ exit(0); ]])],
2448		[
2449			AC_MSG_RESULT([no])
2450		],
2451		[
2452			AC_MSG_RESULT([yes])
2453			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2454			    [Conflicting defs for getspnam])
2455		]
2456	)
2457fi
2458
2459dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2460dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2461dnl for over ten years). Despite this incompatibility being reported during
2462dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2463dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2464dnl implementation.  Try to detect this mess, and assume the only safe option
2465dnl if we're cross compiling.
2466dnl
2467dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2468dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2469if test "x$ac_cv_func_strnvis" = "xyes"; then
2470	AC_MSG_CHECKING([for working strnvis])
2471	AC_RUN_IFELSE(
2472		[AC_LANG_PROGRAM([[
2473#include <signal.h>
2474#include <stdlib.h>
2475#include <string.h>
2476#include <vis.h>
2477static void sighandler(int sig) { _exit(1); }
2478		]], [[
2479	char dst[16];
2480
2481	signal(SIGSEGV, sighandler);
2482	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2483		exit(0);
2484	exit(1)
2485		]])],
2486		[AC_MSG_RESULT([yes])],
2487		[AC_MSG_RESULT([no])
2488		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2489		[AC_MSG_WARN([cross compiling: assuming broken])
2490		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2491	)
2492fi
2493
2494AC_CHECK_FUNCS([getpgrp],[
2495	AC_MSG_CHECKING([if getpgrp accepts zero args])
2496	AC_COMPILE_IFELSE(
2497		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2498		[ AC_MSG_RESULT([yes])
2499		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2500		[ AC_MSG_RESULT([no])
2501		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2502	)
2503])
2504
2505# Search for OpenSSL
2506saved_CPPFLAGS="$CPPFLAGS"
2507saved_LDFLAGS="$LDFLAGS"
2508AC_ARG_WITH([ssl-dir],
2509	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2510	[
2511		if test "x$openssl" = "xno" ; then
2512			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2513		fi
2514		if test "x$withval" != "xno" ; then
2515			case "$withval" in
2516				# Relative paths
2517				./*|../*)	withval="`pwd`/$withval"
2518			esac
2519			if test -d "$withval/lib"; then
2520				if test -n "${need_dash_r}"; then
2521					LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
2522				else
2523					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2524				fi
2525			elif test -d "$withval/lib64"; then
2526				if test -n "${need_dash_r}"; then
2527					LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}"
2528				else
2529					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2530				fi
2531			else
2532				if test -n "${need_dash_r}"; then
2533					LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
2534				else
2535					LDFLAGS="-L${withval} ${LDFLAGS}"
2536				fi
2537			fi
2538			if test -d "$withval/include"; then
2539				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2540			else
2541				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2542			fi
2543		fi
2544	]
2545)
2546
2547AC_ARG_WITH([openssl-header-check],
2548	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2549	[
2550		if test "x$withval" = "xno" ; then
2551			openssl_check_nonfatal=1
2552		fi
2553	]
2554)
2555
2556openssl_engine=no
2557AC_ARG_WITH([ssl-engine],
2558	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2559	[
2560		if test "x$withval" != "xno" ; then
2561			if test "x$openssl" = "xno" ; then
2562				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2563			fi
2564			openssl_engine=yes
2565		fi
2566	]
2567)
2568
2569if test "x$openssl" = "xyes" ; then
2570	LIBS="-lcrypto $LIBS"
2571	AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
2572		[Define if your ssl headers are included
2573		with #include <openssl/header.h>])],
2574		[
2575			dnl Check default openssl install dir
2576			if test -n "${need_dash_r}"; then
2577				LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2578			else
2579				LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2580			fi
2581			CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2582			AC_CHECK_HEADER([openssl/opensslv.h], ,
2583			    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2584			AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2585				[
2586					AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2587				]
2588			)
2589		]
2590	)
2591
2592	# Determine OpenSSL header version
2593	AC_MSG_CHECKING([OpenSSL header version])
2594	AC_RUN_IFELSE(
2595		[AC_LANG_PROGRAM([[
2596	#include <stdlib.h>
2597	#include <stdio.h>
2598	#include <string.h>
2599	#include <openssl/opensslv.h>
2600	#define DATA "conftest.sslincver"
2601		]], [[
2602		FILE *fd;
2603		int rc;
2604
2605		fd = fopen(DATA,"w");
2606		if(fd == NULL)
2607			exit(1);
2608
2609		if ((rc = fprintf(fd, "%08lx (%s)\n",
2610		    (unsigned long)OPENSSL_VERSION_NUMBER,
2611		     OPENSSL_VERSION_TEXT)) < 0)
2612			exit(1);
2613
2614		exit(0);
2615		]])],
2616		[
2617			ssl_header_ver=`cat conftest.sslincver`
2618			AC_MSG_RESULT([$ssl_header_ver])
2619		],
2620		[
2621			AC_MSG_RESULT([not found])
2622			AC_MSG_ERROR([OpenSSL version header not found.])
2623		],
2624		[
2625			AC_MSG_WARN([cross compiling: not checking])
2626		]
2627	)
2628
2629	# Determine OpenSSL library version
2630	AC_MSG_CHECKING([OpenSSL library version])
2631	AC_RUN_IFELSE(
2632		[AC_LANG_PROGRAM([[
2633	#include <stdio.h>
2634	#include <string.h>
2635	#include <openssl/opensslv.h>
2636	#include <openssl/crypto.h>
2637	#define DATA "conftest.ssllibver"
2638		]], [[
2639		FILE *fd;
2640		int rc;
2641
2642		fd = fopen(DATA,"w");
2643		if(fd == NULL)
2644			exit(1);
2645
2646		if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
2647		    SSLeay_version(SSLEAY_VERSION))) < 0)
2648			exit(1);
2649
2650		exit(0);
2651		]])],
2652		[
2653			ssl_library_ver=`cat conftest.ssllibver`
2654			# Check version is supported.
2655			case "$ssl_library_ver" in
2656				10000*|0*)
2657					AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2658			                ;;
2659				100*)   ;; # 1.0.x
2660				101*)   ;; # 1.1.x
2661				200*)   ;; # LibreSSL
2662			        *)
2663					AC_MSG_ERROR([OpenSSL > 1.1.x is not yet supported (have "$ssl_library_ver")])
2664			                ;;
2665			esac
2666			AC_MSG_RESULT([$ssl_library_ver])
2667		],
2668		[
2669			AC_MSG_RESULT([not found])
2670			AC_MSG_ERROR([OpenSSL library not found.])
2671		],
2672		[
2673			AC_MSG_WARN([cross compiling: not checking])
2674		]
2675	)
2676
2677	# Sanity check OpenSSL headers
2678	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2679	AC_RUN_IFELSE(
2680		[AC_LANG_PROGRAM([[
2681	#include <string.h>
2682	#include <openssl/opensslv.h>
2683	#include <openssl/crypto.h>
2684		]], [[
2685		exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2686		]])],
2687		[
2688			AC_MSG_RESULT([yes])
2689		],
2690		[
2691			AC_MSG_RESULT([no])
2692			if test "x$openssl_check_nonfatal" = "x"; then
2693				AC_MSG_ERROR([Your OpenSSL headers do not match your
2694	library. Check config.log for details.
2695	If you are sure your installation is consistent, you can disable the check
2696	by running "./configure --without-openssl-header-check".
2697	Also see contrib/findssl.sh for help identifying header/library mismatches.
2698	])
2699			else
2700				AC_MSG_WARN([Your OpenSSL headers do not match your
2701	library. Check config.log for details.
2702	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2703			fi
2704		],
2705		[
2706			AC_MSG_WARN([cross compiling: not checking])
2707		]
2708	)
2709
2710	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2711	AC_LINK_IFELSE(
2712		[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2713		[[ SSLeay_add_all_algorithms(); ]])],
2714		[
2715			AC_MSG_RESULT([yes])
2716		],
2717		[
2718			AC_MSG_RESULT([no])
2719			saved_LIBS="$LIBS"
2720			LIBS="$LIBS -ldl"
2721			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2722			AC_LINK_IFELSE(
2723				[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2724				[[ SSLeay_add_all_algorithms(); ]])],
2725				[
2726					AC_MSG_RESULT([yes])
2727				],
2728				[
2729					AC_MSG_RESULT([no])
2730					LIBS="$saved_LIBS"
2731				]
2732			)
2733		]
2734	)
2735
2736	AC_CHECK_FUNCS([ \
2737		BN_is_prime_ex \
2738		DSA_generate_parameters_ex \
2739		EVP_DigestInit_ex \
2740		EVP_DigestFinal_ex \
2741		EVP_MD_CTX_init \
2742		EVP_MD_CTX_cleanup \
2743		EVP_MD_CTX_copy_ex \
2744		HMAC_CTX_init \
2745		RSA_generate_key_ex \
2746		RSA_get_default_method \
2747	])
2748
2749	if test "x$openssl_engine" = "xyes" ; then
2750		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2751		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2752	#include <openssl/engine.h>
2753			]], [[
2754				ENGINE_load_builtin_engines();
2755				ENGINE_register_all_complete();
2756			]])],
2757			[ AC_MSG_RESULT([yes])
2758			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2759			     [Enable OpenSSL engine support])
2760			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2761		])
2762	fi
2763
2764	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2765	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2766	AC_LINK_IFELSE(
2767		[AC_LANG_PROGRAM([[
2768	#include <string.h>
2769	#include <openssl/evp.h>
2770		]], [[
2771		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2772		]])],
2773		[
2774			AC_MSG_RESULT([no])
2775		],
2776		[
2777			AC_MSG_RESULT([yes])
2778			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2779			    [libcrypto is missing AES 192 and 256 bit functions])
2780		]
2781	)
2782
2783	# Check for OpenSSL with EVP_aes_*ctr
2784	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2785	AC_LINK_IFELSE(
2786		[AC_LANG_PROGRAM([[
2787	#include <string.h>
2788	#include <openssl/evp.h>
2789		]], [[
2790		exit(EVP_aes_128_ctr() == NULL ||
2791		    EVP_aes_192_cbc() == NULL ||
2792		    EVP_aes_256_cbc() == NULL);
2793		]])],
2794		[
2795			AC_MSG_RESULT([yes])
2796			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2797			    [libcrypto has EVP AES CTR])
2798		],
2799		[
2800			AC_MSG_RESULT([no])
2801		]
2802	)
2803
2804	# Check for OpenSSL with EVP_aes_*gcm
2805	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2806	AC_LINK_IFELSE(
2807		[AC_LANG_PROGRAM([[
2808	#include <string.h>
2809	#include <openssl/evp.h>
2810		]], [[
2811		exit(EVP_aes_128_gcm() == NULL ||
2812		    EVP_aes_256_gcm() == NULL ||
2813		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2814		    EVP_CTRL_GCM_IV_GEN == 0 ||
2815		    EVP_CTRL_GCM_SET_TAG == 0 ||
2816		    EVP_CTRL_GCM_GET_TAG == 0 ||
2817		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2818		]])],
2819		[
2820			AC_MSG_RESULT([yes])
2821			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2822			    [libcrypto has EVP AES GCM])
2823		],
2824		[
2825			AC_MSG_RESULT([no])
2826			unsupported_algorithms="$unsupported_cipers \
2827			   aes128-gcm@openssh.com \
2828			   aes256-gcm@openssh.com"
2829		]
2830	)
2831
2832	AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2833		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2834		    [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2835
2836	# LibreSSL/OpenSSL 1.1x API
2837	AC_SEARCH_LIBS([DH_get0_key], [crypto],
2838		[AC_DEFINE([HAVE_DH_GET0_KEY], [1],
2839		    [Define if libcrypto has DH_get0_key])])
2840	AC_SEARCH_LIBS([DH_get0_pqg], [crypto],
2841		[AC_DEFINE([HAVE_DH_GET0_PQG], [1],
2842		    [Define if libcrypto has DH_get0_pqg])])
2843	AC_SEARCH_LIBS([DH_set0_key], [crypto],
2844		[AC_DEFINE([HAVE_DH_SET0_KEY], [1],
2845		    [Define if libcrypto has DH_set0_key])])
2846	AC_SEARCH_LIBS([DH_set_length], [crypto],
2847		[AC_DEFINE([HAVE_DH_SET_LENGTH], [1],
2848		    [Define if libcrypto has DH_set_length])])
2849	AC_SEARCH_LIBS([DH_set0_pqg], [crypto],
2850		[AC_DEFINE([HAVE_DH_SET0_PQG], [1],
2851		    [Define if libcrypto has DH_set0_pqg])])
2852
2853	AC_SEARCH_LIBS([DSA_get0_key], [crypto],
2854		[AC_DEFINE([HAVE_DSA_GET0_KEY], [1],
2855		    [Define if libcrypto has DSA_get0_key])])
2856	AC_SEARCH_LIBS([DSA_get0_pqg], [crypto],
2857		[AC_DEFINE([HAVE_DSA_GET0_PQG], [1],
2858		    [Define if libcrypto has DSA_get0_pqg])])
2859	AC_SEARCH_LIBS([DSA_set0_key], [crypto],
2860		[AC_DEFINE([HAVE_DSA_SET0_KEY], [1],
2861		    [Define if libcrypto has DSA_set0_key])])
2862	AC_SEARCH_LIBS([DSA_set0_pqg], [crypto],
2863		[AC_DEFINE([HAVE_DSA_SET0_PQG], [1],
2864		    [Define if libcrypto has DSA_set0_pqg])])
2865
2866	AC_SEARCH_LIBS([DSA_SIG_get0], [crypto],
2867		[AC_DEFINE([HAVE_DSA_SIG_GET0], [1],
2868		    [Define if libcrypto has DSA_SIG_get0])])
2869	AC_SEARCH_LIBS([DSA_SIG_set0], [crypto],
2870		[AC_DEFINE([HAVE_DSA_SIG_SET0], [1],
2871		    [Define if libcrypto has DSA_SIG_set0])])
2872
2873	AC_SEARCH_LIBS([ECDSA_SIG_get0], [crypto],
2874		[AC_DEFINE([HAVE_ECDSA_SIG_GET0], [1],
2875		    [Define if libcrypto has ECDSA_SIG_get0])])
2876	AC_SEARCH_LIBS([ECDSA_SIG_set0], [crypto],
2877		[AC_DEFINE([HAVE_ECDSA_SIG_SET0], [1],
2878		    [Define if libcrypto has ECDSA_SIG_set0])])
2879
2880	AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv], [crypto],
2881		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV], [1],
2882		    [Define if libcrypto has EVP_CIPHER_CTX_iv])])
2883	AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv_noconst], [crypto],
2884		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV_NOCONST], [1],
2885		    [Define if libcrypto has EVP_CIPHER_CTX_iv_noconst])])
2886	AC_SEARCH_LIBS([EVP_CIPHER_CTX_get_iv], [crypto],
2887		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
2888		    [Define if libcrypto has EVP_CIPHER_CTX_get_iv])])
2889	AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto],
2890		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
2891		    [Define if libcrypto has EVP_CIPHER_CTX_set_iv])])
2892
2893	AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto],
2894		[AC_DEFINE([HAVE_RSA_GET0_CRT_PARAMS], [1],
2895		    [Define if libcrypto has RSA_get0_crt_params])])
2896	AC_SEARCH_LIBS([RSA_get0_factors], [crypto],
2897		[AC_DEFINE([HAVE_RSA_GET0_FACTORS], [1],
2898		    [Define if libcrypto has RSA_get0_factors])])
2899	AC_SEARCH_LIBS([RSA_get0_key], [crypto],
2900		[AC_DEFINE([HAVE_RSA_GET0_KEY], [1],
2901		    [Define if libcrypto has RSA_get0_key])])
2902	AC_SEARCH_LIBS([RSA_set0_crt_params], [crypto],
2903		[AC_DEFINE([HAVE_RSA_SET0_CRT_PARAMS], [1],
2904		    [Define if libcrypto has RSA_get0_srt_params])])
2905	AC_SEARCH_LIBS([RSA_set0_factors], [crypto],
2906		[AC_DEFINE([HAVE_RSA_SET0_FACTORS], [1],
2907		    [Define if libcrypto has RSA_set0_factors])])
2908	AC_SEARCH_LIBS([RSA_set0_key], [crypto],
2909		[AC_DEFINE([HAVE_RSA_SET0_KEY], [1],
2910		    [Define if libcrypto has RSA_set0_key])])
2911
2912	AC_SEARCH_LIBS([RSA_meth_free], [crypto],
2913		[AC_DEFINE([HAVE_RSA_METH_FREE], [1],
2914		    [Define if libcrypto has RSA_meth_free])])
2915	AC_SEARCH_LIBS([RSA_meth_dup], [crypto],
2916		[AC_DEFINE([HAVE_RSA_METH_DUP], [1],
2917		    [Define if libcrypto has RSA_meth_dup])])
2918	AC_SEARCH_LIBS([RSA_meth_set1_name], [crypto],
2919		[AC_DEFINE([HAVE_RSA_METH_SET1_NAME], [1],
2920		    [Define if libcrypto has RSA_meth_set1_name])])
2921	AC_SEARCH_LIBS([RSA_meth_get_finish], [crypto],
2922		[AC_DEFINE([HAVE_RSA_METH_GET_FINISH], [1],
2923		    [Define if libcrypto has RSA_meth_get_finish])])
2924	AC_SEARCH_LIBS([RSA_meth_set_priv_enc], [crypto],
2925		[AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1],
2926		    [Define if libcrypto has RSA_meth_set_priv_enc])])
2927	AC_SEARCH_LIBS([RSA_meth_set_priv_dec], [crypto],
2928		[AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1],
2929		    [Define if libcrypto has RSA_meth_set_priv_dec])])
2930	AC_SEARCH_LIBS([RSA_meth_set_finish], [crypto],
2931		[AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1],
2932		    [Define if libcrypto has RSA_meth_set_finish])])
2933
2934	AC_SEARCH_LIBS([EVP_PKEY_get0_RSA], [crypto],
2935		[AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1],
2936		    [Define if libcrypto has EVP_PKEY_get0_RSA])])
2937
2938	AC_SEARCH_LIBS([EVP_MD_CTX_new], [crypto],
2939		[AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1],
2940		    [Define if libcrypto has EVP_MD_CTX_new])])
2941	AC_SEARCH_LIBS([EVP_MD_CTX_free], [crypto],
2942		[AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1],
2943		    [Define if libcrypto has EVP_MD_CTX_free])])
2944
2945	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2946	AC_LINK_IFELSE(
2947		[AC_LANG_PROGRAM([[
2948	#include <string.h>
2949	#include <openssl/evp.h>
2950		]], [[
2951		if(EVP_DigestUpdate(NULL, NULL,0))
2952			exit(0);
2953		]])],
2954		[
2955			AC_MSG_RESULT([yes])
2956		],
2957		[
2958			AC_MSG_RESULT([no])
2959			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2960			    [Define if EVP_DigestUpdate returns void])
2961		]
2962	)
2963
2964	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2965	# because the system crypt() is more featureful.
2966	if test "x$check_for_libcrypt_before" = "x1"; then
2967		AC_CHECK_LIB([crypt], [crypt])
2968	fi
2969
2970	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2971	# version in OpenSSL.
2972	if test "x$check_for_libcrypt_later" = "x1"; then
2973		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2974	fi
2975	AC_CHECK_FUNCS([crypt DES_crypt])
2976
2977	# Search for SHA256 support in libc and/or OpenSSL
2978	AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2979	    [unsupported_algorithms="$unsupported_algorithms \
2980		hmac-sha2-256 \
2981		hmac-sha2-512 \
2982		diffie-hellman-group-exchange-sha256 \
2983		hmac-sha2-256-etm@openssh.com \
2984		hmac-sha2-512-etm@openssh.com"
2985	     ]
2986	)
2987	# Search for RIPE-MD support in OpenSSL
2988	AC_CHECK_FUNCS([EVP_ripemd160], ,
2989	    [unsupported_algorithms="$unsupported_algorithms \
2990		hmac-ripemd160 \
2991		hmac-ripemd160@openssh.com \
2992		hmac-ripemd160-etm@openssh.com"
2993	     ]
2994	)
2995
2996	# Check complete ECC support in OpenSSL
2997	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2998	AC_LINK_IFELSE(
2999		[AC_LANG_PROGRAM([[
3000	#include <openssl/ec.h>
3001	#include <openssl/ecdh.h>
3002	#include <openssl/ecdsa.h>
3003	#include <openssl/evp.h>
3004	#include <openssl/objects.h>
3005	#include <openssl/opensslv.h>
3006		]], [[
3007		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3008		const EVP_MD *m = EVP_sha256(); /* We need this too */
3009		]])],
3010		[ AC_MSG_RESULT([yes])
3011		  enable_nistp256=1 ],
3012		[ AC_MSG_RESULT([no]) ]
3013	)
3014
3015	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3016	AC_LINK_IFELSE(
3017		[AC_LANG_PROGRAM([[
3018	#include <openssl/ec.h>
3019	#include <openssl/ecdh.h>
3020	#include <openssl/ecdsa.h>
3021	#include <openssl/evp.h>
3022	#include <openssl/objects.h>
3023	#include <openssl/opensslv.h>
3024		]], [[
3025		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3026		const EVP_MD *m = EVP_sha384(); /* We need this too */
3027		]])],
3028		[ AC_MSG_RESULT([yes])
3029		  enable_nistp384=1 ],
3030		[ AC_MSG_RESULT([no]) ]
3031	)
3032
3033	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3034	AC_LINK_IFELSE(
3035		[AC_LANG_PROGRAM([[
3036	#include <openssl/ec.h>
3037	#include <openssl/ecdh.h>
3038	#include <openssl/ecdsa.h>
3039	#include <openssl/evp.h>
3040	#include <openssl/objects.h>
3041	#include <openssl/opensslv.h>
3042		]], [[
3043		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3044		const EVP_MD *m = EVP_sha512(); /* We need this too */
3045		]])],
3046		[ AC_MSG_RESULT([yes])
3047		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3048		  AC_RUN_IFELSE(
3049			[AC_LANG_PROGRAM([[
3050	#include <openssl/ec.h>
3051	#include <openssl/ecdh.h>
3052	#include <openssl/ecdsa.h>
3053	#include <openssl/evp.h>
3054	#include <openssl/objects.h>
3055	#include <openssl/opensslv.h>
3056			]],[[
3057			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3058			const EVP_MD *m = EVP_sha512(); /* We need this too */
3059			exit(e == NULL || m == NULL);
3060			]])],
3061			[ AC_MSG_RESULT([yes])
3062			  enable_nistp521=1 ],
3063			[ AC_MSG_RESULT([no]) ],
3064			[ AC_MSG_WARN([cross-compiling: assuming yes])
3065			  enable_nistp521=1 ]
3066		  )],
3067		AC_MSG_RESULT([no])
3068	)
3069
3070	COMMENT_OUT_ECC="#no ecc#"
3071	TEST_SSH_ECC=no
3072
3073	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3074	    test x$enable_nistp521 = x1; then
3075		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3076	fi
3077	if test x$enable_nistp256 = x1; then
3078		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3079		    [libcrypto has NID_X9_62_prime256v1])
3080		TEST_SSH_ECC=yes
3081		COMMENT_OUT_ECC=""
3082	else
3083		unsupported_algorithms="$unsupported_algorithms \
3084			ecdsa-sha2-nistp256 \
3085			ecdh-sha2-nistp256 \
3086			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3087	fi
3088	if test x$enable_nistp384 = x1; then
3089		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3090		TEST_SSH_ECC=yes
3091		COMMENT_OUT_ECC=""
3092	else
3093		unsupported_algorithms="$unsupported_algorithms \
3094			ecdsa-sha2-nistp384 \
3095			ecdh-sha2-nistp384 \
3096			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3097	fi
3098	if test x$enable_nistp521 = x1; then
3099		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3100		TEST_SSH_ECC=yes
3101		COMMENT_OUT_ECC=""
3102	else
3103		unsupported_algorithms="$unsupported_algorithms \
3104			ecdh-sha2-nistp521 \
3105			ecdsa-sha2-nistp521 \
3106			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3107	fi
3108
3109	AC_SUBST([TEST_SSH_ECC])
3110	AC_SUBST([COMMENT_OUT_ECC])
3111else
3112	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3113	AC_CHECK_FUNCS([crypt])
3114fi
3115
3116AC_CHECK_FUNCS([ \
3117	arc4random \
3118	arc4random_buf \
3119	arc4random_stir \
3120	arc4random_uniform \
3121])
3122
3123saved_LIBS="$LIBS"
3124AC_CHECK_LIB([iaf], [ia_openinfo], [
3125	LIBS="$LIBS -liaf"
3126	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3127				AC_DEFINE([HAVE_LIBIAF], [1],
3128			[Define if system has libiaf that supports set_id])
3129				])
3130])
3131LIBS="$saved_LIBS"
3132
3133### Configure cryptographic random number support
3134
3135# Check whether OpenSSL seeds itself
3136if test "x$openssl" = "xyes" ; then
3137	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3138	AC_RUN_IFELSE(
3139		[AC_LANG_PROGRAM([[
3140	#include <string.h>
3141	#include <openssl/rand.h>
3142		]], [[
3143		exit(RAND_status() == 1 ? 0 : 1);
3144		]])],
3145		[
3146			OPENSSL_SEEDS_ITSELF=yes
3147			AC_MSG_RESULT([yes])
3148		],
3149		[
3150			AC_MSG_RESULT([no])
3151		],
3152		[
3153			AC_MSG_WARN([cross compiling: assuming yes])
3154			# This is safe, since we will fatal() at runtime if
3155			# OpenSSL is not seeded correctly.
3156			OPENSSL_SEEDS_ITSELF=yes
3157		]
3158	)
3159fi
3160
3161# PRNGD TCP socket
3162AC_ARG_WITH([prngd-port],
3163	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3164	[
3165		case "$withval" in
3166		no)
3167			withval=""
3168			;;
3169		[[0-9]]*)
3170			;;
3171		*)
3172			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3173			;;
3174		esac
3175		if test ! -z "$withval" ; then
3176			PRNGD_PORT="$withval"
3177			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3178				[Port number of PRNGD/EGD random number socket])
3179		fi
3180	]
3181)
3182
3183# PRNGD Unix domain socket
3184AC_ARG_WITH([prngd-socket],
3185	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3186	[
3187		case "$withval" in
3188		yes)
3189			withval="/var/run/egd-pool"
3190			;;
3191		no)
3192			withval=""
3193			;;
3194		/*)
3195			;;
3196		*)
3197			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3198			;;
3199		esac
3200
3201		if test ! -z "$withval" ; then
3202			if test ! -z "$PRNGD_PORT" ; then
3203				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3204			fi
3205			if test ! -r "$withval" ; then
3206				AC_MSG_WARN([Entropy socket is not readable])
3207			fi
3208			PRNGD_SOCKET="$withval"
3209			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3210				[Location of PRNGD/EGD random number socket])
3211		fi
3212	],
3213	[
3214		# Check for existing socket only if we don't have a random device already
3215		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3216			AC_MSG_CHECKING([for PRNGD/EGD socket])
3217			# Insert other locations here
3218			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3219				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3220					PRNGD_SOCKET="$sock"
3221					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3222					break;
3223				fi
3224			done
3225			if test ! -z "$PRNGD_SOCKET" ; then
3226				AC_MSG_RESULT([$PRNGD_SOCKET])
3227			else
3228				AC_MSG_RESULT([not found])
3229			fi
3230		fi
3231	]
3232)
3233
3234# Which randomness source do we use?
3235if test ! -z "$PRNGD_PORT" ; then
3236	RAND_MSG="PRNGd port $PRNGD_PORT"
3237elif test ! -z "$PRNGD_SOCKET" ; then
3238	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3239elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3240	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3241		[Define if you want the OpenSSL internally seeded PRNG only])
3242	RAND_MSG="OpenSSL internal ONLY"
3243elif test "x$openssl" = "xno" ; then
3244	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3245else
3246	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3247fi
3248
3249# Check for PAM libs
3250PAM_MSG="no"
3251AC_ARG_WITH([pam],
3252	[  --with-pam              Enable PAM support ],
3253	[
3254		if test "x$withval" != "xno" ; then
3255			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3256			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3257				AC_MSG_ERROR([PAM headers not found])
3258			fi
3259
3260			saved_LIBS="$LIBS"
3261			AC_CHECK_LIB([dl], [dlopen], , )
3262			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3263			AC_CHECK_FUNCS([pam_getenvlist])
3264			AC_CHECK_FUNCS([pam_putenv])
3265			LIBS="$saved_LIBS"
3266
3267			PAM_MSG="yes"
3268
3269			SSHDLIBS="$SSHDLIBS -lpam"
3270			AC_DEFINE([USE_PAM], [1],
3271				[Define if you want to enable PAM support])
3272
3273			if test $ac_cv_lib_dl_dlopen = yes; then
3274				case "$LIBS" in
3275				*-ldl*)
3276					# libdl already in LIBS
3277					;;
3278				*)
3279					SSHDLIBS="$SSHDLIBS -ldl"
3280					;;
3281				esac
3282			fi
3283		fi
3284	]
3285)
3286
3287AC_ARG_WITH([pam-service],
3288	[  --with-pam-service=name Specify PAM service name ],
3289	[
3290		if test "x$withval" != "xno" && \
3291		   test "x$withval" != "xyes" ; then
3292			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3293				["$withval"], [sshd PAM service name])
3294		fi
3295	]
3296)
3297
3298# Check for older PAM
3299if test "x$PAM_MSG" = "xyes" ; then
3300	# Check PAM strerror arguments (old PAM)
3301	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3302	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3303#include <stdlib.h>
3304#if defined(HAVE_SECURITY_PAM_APPL_H)
3305#include <security/pam_appl.h>
3306#elif defined (HAVE_PAM_PAM_APPL_H)
3307#include <pam/pam_appl.h>
3308#endif
3309		]], [[
3310(void)pam_strerror((pam_handle_t *)NULL, -1);
3311		]])], [AC_MSG_RESULT([no])], [
3312			AC_DEFINE([HAVE_OLD_PAM], [1],
3313				[Define if you have an old version of PAM
3314				which takes only one argument to pam_strerror])
3315			AC_MSG_RESULT([yes])
3316			PAM_MSG="yes (old library)"
3317
3318	])
3319fi
3320
3321case "$host" in
3322*-*-cygwin*)
3323	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3324	;;
3325*)
3326	SSH_PRIVSEP_USER=sshd
3327	;;
3328esac
3329AC_ARG_WITH([privsep-user],
3330	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3331	[
3332		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3333		    test "x${withval}" != "xyes"; then
3334			SSH_PRIVSEP_USER=$withval
3335		fi
3336	]
3337)
3338if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3339	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3340		[Cygwin function to fetch non-privileged user for privilege separation])
3341else
3342	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3343		[non-privileged user for privilege separation])
3344fi
3345AC_SUBST([SSH_PRIVSEP_USER])
3346
3347if test "x$have_linux_no_new_privs" = "x1" ; then
3348AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3349	#include <sys/types.h>
3350	#include <linux/seccomp.h>
3351])
3352fi
3353if test "x$have_seccomp_filter" = "x1" ; then
3354AC_MSG_CHECKING([kernel for seccomp_filter support])
3355AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3356		#include <errno.h>
3357		#include <elf.h>
3358		#include <linux/audit.h>
3359		#include <linux/seccomp.h>
3360		#include <stdlib.h>
3361		#include <sys/prctl.h>
3362	]],
3363	[[ int i = $seccomp_audit_arch;
3364	   errno = 0;
3365	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3366	   exit(errno == EFAULT ? 0 : 1); ]])],
3367	[ AC_MSG_RESULT([yes]) ], [
3368		AC_MSG_RESULT([no])
3369		# Disable seccomp filter as a target
3370		have_seccomp_filter=0
3371	]
3372)
3373fi
3374
3375# Decide which sandbox style to use
3376sandbox_arg=""
3377AC_ARG_WITH([sandbox],
3378	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3379	[
3380		if test "x$withval" = "xyes" ; then
3381			sandbox_arg=""
3382		else
3383			sandbox_arg="$withval"
3384		fi
3385	]
3386)
3387
3388# Some platforms (seems to be the ones that have a kernel poll(2)-type
3389# function with which they implement select(2)) use an extra file descriptor
3390# when calling select(2), which means we can't use the rlimit sandbox.
3391AC_MSG_CHECKING([if select works with descriptor rlimit])
3392AC_RUN_IFELSE(
3393	[AC_LANG_PROGRAM([[
3394#include <sys/types.h>
3395#ifdef HAVE_SYS_TIME_H
3396# include <sys/time.h>
3397#endif
3398#include <sys/resource.h>
3399#ifdef HAVE_SYS_SELECT_H
3400# include <sys/select.h>
3401#endif
3402#include <errno.h>
3403#include <fcntl.h>
3404#include <stdlib.h>
3405	]],[[
3406	struct rlimit rl_zero;
3407	int fd, r;
3408	fd_set fds;
3409	struct timeval tv;
3410
3411	fd = open("/dev/null", O_RDONLY);
3412	FD_ZERO(&fds);
3413	FD_SET(fd, &fds);
3414	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3415	setrlimit(RLIMIT_FSIZE, &rl_zero);
3416	setrlimit(RLIMIT_NOFILE, &rl_zero);
3417	tv.tv_sec = 1;
3418	tv.tv_usec = 0;
3419	r = select(fd+1, &fds, NULL, NULL, &tv);
3420	exit (r == -1 ? 1 : 0);
3421	]])],
3422	[AC_MSG_RESULT([yes])
3423	 select_works_with_rlimit=yes],
3424	[AC_MSG_RESULT([no])
3425	 select_works_with_rlimit=no],
3426	[AC_MSG_WARN([cross compiling: assuming yes])
3427	 select_works_with_rlimit=yes]
3428)
3429
3430AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3431AC_RUN_IFELSE(
3432	[AC_LANG_PROGRAM([[
3433#include <sys/types.h>
3434#ifdef HAVE_SYS_TIME_H
3435# include <sys/time.h>
3436#endif
3437#include <sys/resource.h>
3438#include <errno.h>
3439#include <stdlib.h>
3440	]],[[
3441	struct rlimit rl_zero;
3442	int fd, r;
3443	fd_set fds;
3444
3445	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3446	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3447	exit (r == -1 ? 1 : 0);
3448	]])],
3449	[AC_MSG_RESULT([yes])
3450	 rlimit_nofile_zero_works=yes],
3451	[AC_MSG_RESULT([no])
3452	 rlimit_nofile_zero_works=no],
3453	[AC_MSG_WARN([cross compiling: assuming yes])
3454	 rlimit_nofile_zero_works=yes]
3455)
3456
3457AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3458AC_RUN_IFELSE(
3459	[AC_LANG_PROGRAM([[
3460#include <sys/types.h>
3461#include <sys/resource.h>
3462#include <stdlib.h>
3463	]],[[
3464		struct rlimit rl_zero;
3465
3466		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3467		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3468	]])],
3469	[AC_MSG_RESULT([yes])],
3470	[AC_MSG_RESULT([no])
3471	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3472	    [setrlimit RLIMIT_FSIZE works])],
3473	[AC_MSG_WARN([cross compiling: assuming yes])]
3474)
3475
3476if test "x$sandbox_arg" = "xpledge" || \
3477   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3478	test "x$ac_cv_func_pledge" != "xyes" && \
3479		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3480	SANDBOX_STYLE="pledge"
3481	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3482elif test "x$sandbox_arg" = "xsystrace" || \
3483   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3484	test "x$have_systr_policy_kill" != "x1" && \
3485		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3486	SANDBOX_STYLE="systrace"
3487	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3488elif test "x$sandbox_arg" = "xdarwin" || \
3489     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3490       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3491	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3492	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3493		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3494	SANDBOX_STYLE="darwin"
3495	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3496elif test "x$sandbox_arg" = "xseccomp_filter" || \
3497     ( test -z "$sandbox_arg" && \
3498       test "x$have_seccomp_filter" = "x1" && \
3499       test "x$ac_cv_header_elf_h" = "xyes" && \
3500       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3501       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3502       test "x$seccomp_audit_arch" != "x" && \
3503       test "x$have_linux_no_new_privs" = "x1" && \
3504       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3505	test "x$seccomp_audit_arch" = "x" && \
3506		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3507	test "x$have_linux_no_new_privs" != "x1" && \
3508		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3509	test "x$have_seccomp_filter" != "x1" && \
3510		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3511	test "x$ac_cv_func_prctl" != "xyes" && \
3512		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3513	SANDBOX_STYLE="seccomp_filter"
3514	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3515elif test "x$sandbox_arg" = "xcapsicum" || \
3516     ( test -z "$sandbox_arg" && \
3517       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3518       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3519       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3520		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3521       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3522		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3523       SANDBOX_STYLE="capsicum"
3524       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3525elif test "x$sandbox_arg" = "xrlimit" || \
3526     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3527       test "x$select_works_with_rlimit" = "xyes" && \
3528       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3529	test "x$ac_cv_func_setrlimit" != "xyes" && \
3530		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3531	test "x$select_works_with_rlimit" != "xyes" && \
3532		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3533	SANDBOX_STYLE="rlimit"
3534	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3535elif test "x$sandbox_arg" = "xsolaris" || \
3536   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3537	SANDBOX_STYLE="solaris"
3538	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3539elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3540     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3541	SANDBOX_STYLE="none"
3542	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3543else
3544	AC_MSG_ERROR([unsupported --with-sandbox])
3545fi
3546
3547# Cheap hack to ensure NEWS-OS libraries are arranged right.
3548if test ! -z "$SONY" ; then
3549  LIBS="$LIBS -liberty";
3550fi
3551
3552# Check for  long long datatypes
3553AC_CHECK_TYPES([long long, unsigned long long, long double])
3554
3555# Check datatype sizes
3556AC_CHECK_SIZEOF([short int], [2])
3557AC_CHECK_SIZEOF([int], [4])
3558AC_CHECK_SIZEOF([long int], [4])
3559AC_CHECK_SIZEOF([long long int], [8])
3560
3561# Sanity check long long for some platforms (AIX)
3562if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3563	ac_cv_sizeof_long_long_int=0
3564fi
3565
3566# compute LLONG_MIN and LLONG_MAX if we don't know them.
3567if test -z "$have_llong_max"; then
3568	AC_MSG_CHECKING([for max value of long long])
3569	AC_RUN_IFELSE(
3570		[AC_LANG_PROGRAM([[
3571#include <stdio.h>
3572/* Why is this so damn hard? */
3573#ifdef __GNUC__
3574# undef __GNUC__
3575#endif
3576#define __USE_ISOC99
3577#include <limits.h>
3578#define DATA "conftest.llminmax"
3579#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3580
3581/*
3582 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3583 * we do this the hard way.
3584 */
3585static int
3586fprint_ll(FILE *f, long long n)
3587{
3588	unsigned int i;
3589	int l[sizeof(long long) * 8];
3590
3591	if (n < 0)
3592		if (fprintf(f, "-") < 0)
3593			return -1;
3594	for (i = 0; n != 0; i++) {
3595		l[i] = my_abs(n % 10);
3596		n /= 10;
3597	}
3598	do {
3599		if (fprintf(f, "%d", l[--i]) < 0)
3600			return -1;
3601	} while (i != 0);
3602	if (fprintf(f, " ") < 0)
3603		return -1;
3604	return 0;
3605}
3606		]], [[
3607	FILE *f;
3608	long long i, llmin, llmax = 0;
3609
3610	if((f = fopen(DATA,"w")) == NULL)
3611		exit(1);
3612
3613#if defined(LLONG_MIN) && defined(LLONG_MAX)
3614	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3615	llmin = LLONG_MIN;
3616	llmax = LLONG_MAX;
3617#else
3618	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3619	/* This will work on one's complement and two's complement */
3620	for (i = 1; i > llmax; i <<= 1, i++)
3621		llmax = i;
3622	llmin = llmax + 1LL;	/* wrap */
3623#endif
3624
3625	/* Sanity check */
3626	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3627	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3628	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3629		fprintf(f, "unknown unknown\n");
3630		exit(2);
3631	}
3632
3633	if (fprint_ll(f, llmin) < 0)
3634		exit(3);
3635	if (fprint_ll(f, llmax) < 0)
3636		exit(4);
3637	if (fclose(f) < 0)
3638		exit(5);
3639	exit(0);
3640		]])],
3641		[
3642			llong_min=`$AWK '{print $1}' conftest.llminmax`
3643			llong_max=`$AWK '{print $2}' conftest.llminmax`
3644
3645			AC_MSG_RESULT([$llong_max])
3646			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3647			    [max value of long long calculated by configure])
3648			AC_MSG_CHECKING([for min value of long long])
3649			AC_MSG_RESULT([$llong_min])
3650			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3651			    [min value of long long calculated by configure])
3652		],
3653		[
3654			AC_MSG_RESULT([not found])
3655		],
3656		[
3657			AC_MSG_WARN([cross compiling: not checking])
3658		]
3659	)
3660fi
3661
3662
3663# More checks for data types
3664AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3665	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3666	[[ u_int a; a = 1;]])],
3667	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3668	])
3669])
3670if test "x$ac_cv_have_u_int" = "xyes" ; then
3671	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3672	have_u_int=1
3673fi
3674
3675AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3676	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3677	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3678	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3679	])
3680])
3681if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3682	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3683	have_intxx_t=1
3684fi
3685
3686if (test -z "$have_intxx_t" && \
3687	   test "x$ac_cv_header_stdint_h" = "xyes")
3688then
3689    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3690	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3691	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3692		[
3693			AC_DEFINE([HAVE_INTXX_T])
3694			AC_MSG_RESULT([yes])
3695		], [ AC_MSG_RESULT([no])
3696	])
3697fi
3698
3699AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3700	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3701#include <sys/types.h>
3702#ifdef HAVE_STDINT_H
3703# include <stdint.h>
3704#endif
3705#include <sys/socket.h>
3706#ifdef HAVE_SYS_BITYPES_H
3707# include <sys/bitypes.h>
3708#endif
3709		]], [[
3710int64_t a; a = 1;
3711		]])],
3712	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3713	])
3714])
3715if test "x$ac_cv_have_int64_t" = "xyes" ; then
3716	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3717fi
3718
3719AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3720	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3721	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3722	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3723	])
3724])
3725if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3726	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3727	have_u_intxx_t=1
3728fi
3729
3730if test -z "$have_u_intxx_t" ; then
3731    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3732	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3733	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3734		[
3735			AC_DEFINE([HAVE_U_INTXX_T])
3736			AC_MSG_RESULT([yes])
3737		], [ AC_MSG_RESULT([no])
3738	])
3739fi
3740
3741AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3742	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3743	[[ u_int64_t a; a = 1;]])],
3744	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3745	])
3746])
3747if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3748	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3749	have_u_int64_t=1
3750fi
3751
3752if (test -z "$have_u_int64_t" && \
3753	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3754then
3755    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3756	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3757	[[ u_int64_t a; a = 1]])],
3758		[
3759			AC_DEFINE([HAVE_U_INT64_T])
3760			AC_MSG_RESULT([yes])
3761		], [ AC_MSG_RESULT([no])
3762	])
3763fi
3764
3765if test -z "$have_u_intxx_t" ; then
3766	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3767		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3768#include <sys/types.h>
3769			]], [[
3770	uint8_t a;
3771	uint16_t b;
3772	uint32_t c;
3773	a = b = c = 1;
3774			]])],
3775		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3776		])
3777	])
3778	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3779		AC_DEFINE([HAVE_UINTXX_T], [1],
3780			[define if you have uintxx_t data type])
3781	fi
3782fi
3783
3784if (test -z "$have_uintxx_t" && \
3785	   test "x$ac_cv_header_stdint_h" = "xyes")
3786then
3787    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3788	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3789	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3790		[
3791			AC_DEFINE([HAVE_UINTXX_T])
3792			AC_MSG_RESULT([yes])
3793		], [ AC_MSG_RESULT([no])
3794	])
3795fi
3796
3797if (test -z "$have_uintxx_t" && \
3798	   test "x$ac_cv_header_inttypes_h" = "xyes")
3799then
3800    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3801	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3802	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3803		[
3804			AC_DEFINE([HAVE_UINTXX_T])
3805			AC_MSG_RESULT([yes])
3806		], [ AC_MSG_RESULT([no])
3807	])
3808fi
3809
3810if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3811	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3812then
3813	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3814	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3815#include <sys/bitypes.h>
3816		]], [[
3817			int8_t a; int16_t b; int32_t c;
3818			u_int8_t e; u_int16_t f; u_int32_t g;
3819			a = b = c = e = f = g = 1;
3820		]])],
3821		[
3822			AC_DEFINE([HAVE_U_INTXX_T])
3823			AC_DEFINE([HAVE_INTXX_T])
3824			AC_MSG_RESULT([yes])
3825		], [AC_MSG_RESULT([no])
3826	])
3827fi
3828
3829
3830AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3831	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3832	[[ u_char foo; foo = 125; ]])],
3833	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3834	])
3835])
3836if test "x$ac_cv_have_u_char" = "xyes" ; then
3837	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3838fi
3839
3840AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3841#include <sys/types.h>
3842#include <stdint.h>
3843])
3844
3845TYPE_SOCKLEN_T
3846
3847AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3848AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3849#include <sys/types.h>
3850#ifdef HAVE_SYS_BITYPES_H
3851#include <sys/bitypes.h>
3852#endif
3853#ifdef HAVE_SYS_STATFS_H
3854#include <sys/statfs.h>
3855#endif
3856#ifdef HAVE_SYS_STATVFS_H
3857#include <sys/statvfs.h>
3858#endif
3859])
3860
3861AC_CHECK_MEMBERS([struct statfs.f_flags], [], [], [[
3862#include <sys/types.h>
3863#ifdef HAVE_SYS_BITYPES_H
3864#include <sys/bitypes.h>
3865#endif
3866#ifdef HAVE_SYS_STATFS_H
3867#include <sys/statfs.h>
3868#endif
3869#ifdef HAVE_SYS_STATVFS_H
3870#include <sys/statvfs.h>
3871#endif
3872#ifdef HAVE_SYS_VFS_H
3873#include <sys/vfs.h>
3874#endif
3875]])
3876
3877
3878AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3879[#include <sys/types.h>
3880#include <netinet/in.h>])
3881
3882AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3883	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3884	[[ size_t foo; foo = 1235; ]])],
3885	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3886	])
3887])
3888if test "x$ac_cv_have_size_t" = "xyes" ; then
3889	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3890fi
3891
3892AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3893	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3894	[[ ssize_t foo; foo = 1235; ]])],
3895	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3896	])
3897])
3898if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3899	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3900fi
3901
3902AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
3903	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
3904	[[ clock_t foo; foo = 1235; ]])],
3905	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
3906	])
3907])
3908if test "x$ac_cv_have_clock_t" = "xyes" ; then
3909	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
3910fi
3911
3912AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
3913	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3914#include <sys/types.h>
3915#include <sys/socket.h>
3916		]], [[ sa_family_t foo; foo = 1235; ]])],
3917	[ ac_cv_have_sa_family_t="yes" ],
3918	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3919#include <sys/types.h>
3920#include <sys/socket.h>
3921#include <netinet/in.h>
3922		]], [[ sa_family_t foo; foo = 1235; ]])],
3923		[ ac_cv_have_sa_family_t="yes" ],
3924		[ ac_cv_have_sa_family_t="no" ]
3925	)
3926	])
3927])
3928if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
3929	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
3930		[define if you have sa_family_t data type])
3931fi
3932
3933AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
3934	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3935	[[ pid_t foo; foo = 1235; ]])],
3936	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
3937	])
3938])
3939if test "x$ac_cv_have_pid_t" = "xyes" ; then
3940	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
3941fi
3942
3943AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
3944	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3945	[[ mode_t foo; foo = 1235; ]])],
3946	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
3947	])
3948])
3949if test "x$ac_cv_have_mode_t" = "xyes" ; then
3950	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
3951fi
3952
3953
3954AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
3955	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3956#include <sys/types.h>
3957#include <sys/socket.h>
3958		]], [[ struct sockaddr_storage s; ]])],
3959	[ ac_cv_have_struct_sockaddr_storage="yes" ],
3960	[ ac_cv_have_struct_sockaddr_storage="no"
3961	])
3962])
3963if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
3964	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
3965		[define if you have struct sockaddr_storage data type])
3966fi
3967
3968AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
3969	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3970#include <sys/types.h>
3971#include <netinet/in.h>
3972		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
3973	[ ac_cv_have_struct_sockaddr_in6="yes" ],
3974	[ ac_cv_have_struct_sockaddr_in6="no"
3975	])
3976])
3977if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
3978	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
3979		[define if you have struct sockaddr_in6 data type])
3980fi
3981
3982AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
3983	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3984#include <sys/types.h>
3985#include <netinet/in.h>
3986		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
3987	[ ac_cv_have_struct_in6_addr="yes" ],
3988	[ ac_cv_have_struct_in6_addr="no"
3989	])
3990])
3991if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
3992	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
3993		[define if you have struct in6_addr data type])
3994
3995dnl Now check for sin6_scope_id
3996	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
3997		[
3998#ifdef HAVE_SYS_TYPES_H
3999#include <sys/types.h>
4000#endif
4001#include <netinet/in.h>
4002		])
4003fi
4004
4005AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4006	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4007#include <sys/types.h>
4008#include <sys/socket.h>
4009#include <netdb.h>
4010		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4011	[ ac_cv_have_struct_addrinfo="yes" ],
4012	[ ac_cv_have_struct_addrinfo="no"
4013	])
4014])
4015if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4016	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4017		[define if you have struct addrinfo data type])
4018fi
4019
4020AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4021	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4022	[[ struct timeval tv; tv.tv_sec = 1;]])],
4023	[ ac_cv_have_struct_timeval="yes" ],
4024	[ ac_cv_have_struct_timeval="no"
4025	])
4026])
4027if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4028	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4029	have_struct_timeval=1
4030fi
4031
4032AC_CHECK_TYPES([struct timespec])
4033
4034# We need int64_t or else certain parts of the compile will fail.
4035if test "x$ac_cv_have_int64_t" = "xno" && \
4036	test "x$ac_cv_sizeof_long_int" != "x8" && \
4037	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4038	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4039	echo "an alternative compiler (I.E., GCC) before continuing."
4040	echo ""
4041	exit 1;
4042else
4043dnl test snprintf (broken on SCO w/gcc)
4044	AC_RUN_IFELSE(
4045		[AC_LANG_SOURCE([[
4046#include <stdio.h>
4047#include <string.h>
4048#ifdef HAVE_SNPRINTF
4049main()
4050{
4051	char buf[50];
4052	char expected_out[50];
4053	int mazsize = 50 ;
4054#if (SIZEOF_LONG_INT == 8)
4055	long int num = 0x7fffffffffffffff;
4056#else
4057	long long num = 0x7fffffffffffffffll;
4058#endif
4059	strcpy(expected_out, "9223372036854775807");
4060	snprintf(buf, mazsize, "%lld", num);
4061	if(strcmp(buf, expected_out) != 0)
4062		exit(1);
4063	exit(0);
4064}
4065#else
4066main() { exit(0); }
4067#endif
4068		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4069		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4070	)
4071fi
4072
4073dnl Checks for structure members
4074OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4075OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4076OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4077OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4078OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4079OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4080OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4081OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4082OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4083OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4084OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4085OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4086OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4087OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4088OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4089OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4090OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4091
4092AC_CHECK_MEMBERS([struct stat.st_blksize])
4093AC_CHECK_MEMBERS([struct stat.st_mtim])
4094AC_CHECK_MEMBERS([struct stat.st_mtime])
4095AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4096struct passwd.pw_change, struct passwd.pw_expire],
4097[], [], [[
4098#include <sys/types.h>
4099#include <pwd.h>
4100]])
4101
4102AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4103	[Define if we don't have struct __res_state in resolv.h])],
4104[[
4105#include <stdio.h>
4106#if HAVE_SYS_TYPES_H
4107# include <sys/types.h>
4108#endif
4109#include <netinet/in.h>
4110#include <arpa/nameser.h>
4111#include <resolv.h>
4112]])
4113
4114AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4115		ac_cv_have_ss_family_in_struct_ss, [
4116	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4117#include <sys/types.h>
4118#include <sys/socket.h>
4119		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4120	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4121	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4122])
4123if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4124	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4125fi
4126
4127AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4128		ac_cv_have___ss_family_in_struct_ss, [
4129	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4130#include <sys/types.h>
4131#include <sys/socket.h>
4132		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4133	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4134	[ ac_cv_have___ss_family_in_struct_ss="no"
4135	])
4136])
4137if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4138	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4139		[Fields in struct sockaddr_storage])
4140fi
4141
4142dnl make sure we're using the real structure members and not defines
4143AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4144		ac_cv_have_accrights_in_msghdr, [
4145	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4146#include <sys/types.h>
4147#include <sys/socket.h>
4148#include <sys/uio.h>
4149		]], [[
4150#ifdef msg_accrights
4151#error "msg_accrights is a macro"
4152exit(1);
4153#endif
4154struct msghdr m;
4155m.msg_accrights = 0;
4156exit(0);
4157		]])],
4158		[ ac_cv_have_accrights_in_msghdr="yes" ],
4159		[ ac_cv_have_accrights_in_msghdr="no" ]
4160	)
4161])
4162if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4163	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4164		[Define if your system uses access rights style
4165		file descriptor passing])
4166fi
4167
4168AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4169AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4170#include <sys/param.h>
4171#include <sys/stat.h>
4172#ifdef HAVE_SYS_TIME_H
4173# include <sys/time.h>
4174#endif
4175#ifdef HAVE_SYS_MOUNT_H
4176#include <sys/mount.h>
4177#endif
4178#ifdef HAVE_SYS_STATVFS_H
4179#include <sys/statvfs.h>
4180#endif
4181	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4182	[ AC_MSG_RESULT([yes]) ],
4183	[ AC_MSG_RESULT([no])
4184
4185	AC_MSG_CHECKING([if fsid_t has member val])
4186	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4187#include <sys/types.h>
4188#include <sys/statvfs.h>
4189	]], [[ fsid_t t; t.val[0] = 0; ]])],
4190	[ AC_MSG_RESULT([yes])
4191	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4192	[ AC_MSG_RESULT([no]) ])
4193
4194	AC_MSG_CHECKING([if f_fsid has member __val])
4195	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4196#include <sys/types.h>
4197#include <sys/statvfs.h>
4198	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4199	[ AC_MSG_RESULT([yes])
4200	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4201	[ AC_MSG_RESULT([no]) ])
4202])
4203
4204AC_CACHE_CHECK([for msg_control field in struct msghdr],
4205		ac_cv_have_control_in_msghdr, [
4206	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4207#include <sys/types.h>
4208#include <sys/socket.h>
4209#include <sys/uio.h>
4210		]], [[
4211#ifdef msg_control
4212#error "msg_control is a macro"
4213exit(1);
4214#endif
4215struct msghdr m;
4216m.msg_control = 0;
4217exit(0);
4218		]])],
4219		[ ac_cv_have_control_in_msghdr="yes" ],
4220		[ ac_cv_have_control_in_msghdr="no" ]
4221	)
4222])
4223if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4224	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4225		[Define if your system uses ancillary data style
4226		file descriptor passing])
4227fi
4228
4229AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4230	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4231		[[ extern char *__progname; printf("%s", __progname); ]])],
4232	[ ac_cv_libc_defines___progname="yes" ],
4233	[ ac_cv_libc_defines___progname="no"
4234	])
4235])
4236if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4237	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4238fi
4239
4240AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4241	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4242		[[ printf("%s", __FUNCTION__); ]])],
4243	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4244	[ ac_cv_cc_implements___FUNCTION__="no"
4245	])
4246])
4247if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4248	AC_DEFINE([HAVE___FUNCTION__], [1],
4249		[Define if compiler implements __FUNCTION__])
4250fi
4251
4252AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4253	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4254		[[ printf("%s", __func__); ]])],
4255	[ ac_cv_cc_implements___func__="yes" ],
4256	[ ac_cv_cc_implements___func__="no"
4257	])
4258])
4259if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4260	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4261fi
4262
4263AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4264	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4265#include <stdarg.h>
4266va_list x,y;
4267		]], [[ va_copy(x,y); ]])],
4268	[ ac_cv_have_va_copy="yes" ],
4269	[ ac_cv_have_va_copy="no"
4270	])
4271])
4272if test "x$ac_cv_have_va_copy" = "xyes" ; then
4273	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4274fi
4275
4276AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4277	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4278#include <stdarg.h>
4279va_list x,y;
4280		]], [[ __va_copy(x,y); ]])],
4281	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4282	])
4283])
4284if test "x$ac_cv_have___va_copy" = "xyes" ; then
4285	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4286fi
4287
4288AC_CACHE_CHECK([whether getopt has optreset support],
4289		ac_cv_have_getopt_optreset, [
4290	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4291		[[ extern int optreset; optreset = 0; ]])],
4292	[ ac_cv_have_getopt_optreset="yes" ],
4293	[ ac_cv_have_getopt_optreset="no"
4294	])
4295])
4296if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4297	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4298		[Define if your getopt(3) defines and uses optreset])
4299fi
4300
4301AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4302	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4303[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4304	[ ac_cv_libc_defines_sys_errlist="yes" ],
4305	[ ac_cv_libc_defines_sys_errlist="no"
4306	])
4307])
4308if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4309	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4310		[Define if your system defines sys_errlist[]])
4311fi
4312
4313
4314AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4315	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4316[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4317	[ ac_cv_libc_defines_sys_nerr="yes" ],
4318	[ ac_cv_libc_defines_sys_nerr="no"
4319	])
4320])
4321if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4322	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4323fi
4324
4325# Check libraries needed by DNS fingerprint support
4326AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4327	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4328		[Define if getrrsetbyname() exists])],
4329	[
4330		# Needed by our getrrsetbyname()
4331		AC_SEARCH_LIBS([res_query], [resolv])
4332		AC_SEARCH_LIBS([dn_expand], [resolv])
4333		AC_MSG_CHECKING([if res_query will link])
4334		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4335#include <sys/types.h>
4336#include <netinet/in.h>
4337#include <arpa/nameser.h>
4338#include <netdb.h>
4339#include <resolv.h>
4340				]], [[
4341	res_query (0, 0, 0, 0, 0);
4342				]])],
4343		    AC_MSG_RESULT([yes]),
4344		   [AC_MSG_RESULT([no])
4345		    saved_LIBS="$LIBS"
4346		    LIBS="$LIBS -lresolv"
4347		    AC_MSG_CHECKING([for res_query in -lresolv])
4348		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4349#include <sys/types.h>
4350#include <netinet/in.h>
4351#include <arpa/nameser.h>
4352#include <netdb.h>
4353#include <resolv.h>
4354				]], [[
4355	res_query (0, 0, 0, 0, 0);
4356				]])],
4357			[AC_MSG_RESULT([yes])],
4358			[LIBS="$saved_LIBS"
4359			 AC_MSG_RESULT([no])])
4360		    ])
4361		AC_CHECK_FUNCS([_getshort _getlong])
4362		AC_CHECK_DECLS([_getshort, _getlong], , ,
4363		    [#include <sys/types.h>
4364		    #include <arpa/nameser.h>])
4365		AC_CHECK_MEMBER([HEADER.ad],
4366			[AC_DEFINE([HAVE_HEADER_AD], [1],
4367			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4368			[#include <arpa/nameser.h>])
4369	])
4370
4371AC_MSG_CHECKING([if struct __res_state _res is an extern])
4372AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4373#include <stdio.h>
4374#if HAVE_SYS_TYPES_H
4375# include <sys/types.h>
4376#endif
4377#include <netinet/in.h>
4378#include <arpa/nameser.h>
4379#include <resolv.h>
4380extern struct __res_state _res;
4381		]], [[
4382struct __res_state *volatile p = &_res;  /* force resolution of _res */
4383return 0;
4384		]],)],
4385		[AC_MSG_RESULT([yes])
4386		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4387		    [Define if you have struct __res_state _res as an extern])
4388		],
4389		[ AC_MSG_RESULT([no]) ]
4390)
4391
4392# Check whether user wants SELinux support
4393SELINUX_MSG="no"
4394LIBSELINUX=""
4395AC_ARG_WITH([selinux],
4396	[  --with-selinux          Enable SELinux support],
4397	[ if test "x$withval" != "xno" ; then
4398		save_LIBS="$LIBS"
4399		AC_DEFINE([WITH_SELINUX], [1],
4400			[Define if you want SELinux support.])
4401		SELINUX_MSG="yes"
4402		AC_CHECK_HEADER([selinux/selinux.h], ,
4403			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4404		AC_CHECK_LIB([selinux], [setexeccon],
4405			[ LIBSELINUX="-lselinux"
4406			  LIBS="$LIBS -lselinux"
4407			],
4408			AC_MSG_ERROR([SELinux support requires libselinux library]))
4409		SSHLIBS="$SSHLIBS $LIBSELINUX"
4410		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
4411		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4412		LIBS="$save_LIBS"
4413	fi ]
4414)
4415AC_SUBST([SSHLIBS])
4416AC_SUBST([SSHDLIBS])
4417
4418# Check whether user wants Kerberos 5 support
4419KRB5_MSG="no"
4420AC_ARG_WITH([kerberos5],
4421	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4422	[ if test "x$withval" != "xno" ; then
4423		if test "x$withval" = "xyes" ; then
4424			KRB5ROOT="/usr/local"
4425		else
4426			KRB5ROOT=${withval}
4427		fi
4428
4429		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4430		KRB5_MSG="yes"
4431
4432		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4433			     [$KRB5ROOT/bin/krb5-config],
4434			     [$KRB5ROOT/bin:$PATH])
4435		if test -x $KRB5CONF ; then
4436			K5CFLAGS="`$KRB5CONF --cflags`"
4437			K5LIBS="`$KRB5CONF --libs`"
4438			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4439
4440			AC_MSG_CHECKING([for gssapi support])
4441			if $KRB5CONF | grep gssapi >/dev/null ; then
4442				AC_MSG_RESULT([yes])
4443				AC_DEFINE([GSSAPI], [1],
4444					[Define this if you want GSSAPI
4445					support in the version 2 protocol])
4446				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4447				GSSLIBS="`$KRB5CONF --libs gssapi`"
4448				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4449			else
4450				AC_MSG_RESULT([no])
4451			fi
4452			AC_MSG_CHECKING([whether we are using Heimdal])
4453			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4454				]], [[ char *tmp = heimdal_version; ]])],
4455				[ AC_MSG_RESULT([yes])
4456				AC_DEFINE([HEIMDAL], [1],
4457				[Define this if you are using the Heimdal
4458				version of Kerberos V5]) ],
4459				[AC_MSG_RESULT([no])
4460			])
4461		else
4462			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4463			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4464			AC_MSG_CHECKING([whether we are using Heimdal])
4465			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4466				]], [[ char *tmp = heimdal_version; ]])],
4467					[ AC_MSG_RESULT([yes])
4468					 AC_DEFINE([HEIMDAL])
4469					 K5LIBS="-lkrb5"
4470					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4471					 AC_CHECK_LIB([roken], [net_write],
4472					   [K5LIBS="$K5LIBS -lroken"])
4473					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4474					   [K5LIBS="$K5LIBS -ldes"])
4475				       ], [ AC_MSG_RESULT([no])
4476					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4477			])
4478			AC_SEARCH_LIBS([dn_expand], [resolv])
4479
4480			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4481				[ AC_DEFINE([GSSAPI])
4482				  GSSLIBS="-lgssapi_krb5" ],
4483				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4484					[ AC_DEFINE([GSSAPI])
4485					  GSSLIBS="-lgssapi" ],
4486					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4487						[ AC_DEFINE([GSSAPI])
4488						  GSSLIBS="-lgss" ],
4489						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4490					])
4491				])
4492
4493			AC_CHECK_HEADER([gssapi.h], ,
4494				[ unset ac_cv_header_gssapi_h
4495				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4496				  AC_CHECK_HEADERS([gssapi.h], ,
4497					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4498				  )
4499				]
4500			)
4501
4502			oldCPP="$CPPFLAGS"
4503			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4504			AC_CHECK_HEADER([gssapi_krb5.h], ,
4505					[ CPPFLAGS="$oldCPP" ])
4506
4507		fi
4508		if test ! -z "$need_dash_r" ; then
4509			LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
4510		fi
4511		if test ! -z "$blibpath" ; then
4512			blibpath="$blibpath:${KRB5ROOT}/lib"
4513		fi
4514
4515		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4516		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4517		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4518
4519		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4520			[Define this if you want to use libkafs' AFS support])])
4521
4522		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4523#ifdef HAVE_GSSAPI_H
4524# include <gssapi.h>
4525#elif defined(HAVE_GSSAPI_GSSAPI_H)
4526# include <gssapi/gssapi.h>
4527#endif
4528
4529#ifdef HAVE_GSSAPI_GENERIC_H
4530# include <gssapi_generic.h>
4531#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4532# include <gssapi/gssapi_generic.h>
4533#endif
4534		]])
4535		saved_LIBS="$LIBS"
4536		LIBS="$LIBS $K5LIBS"
4537		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4538		LIBS="$saved_LIBS"
4539
4540	fi
4541	]
4542)
4543AC_SUBST([GSSLIBS])
4544AC_SUBST([K5LIBS])
4545
4546# Looking for programs, paths and files
4547
4548PRIVSEP_PATH=/var/empty
4549AC_ARG_WITH([privsep-path],
4550	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4551	[
4552		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4553		    test "x${withval}" != "xyes"; then
4554			PRIVSEP_PATH=$withval
4555		fi
4556	]
4557)
4558AC_SUBST([PRIVSEP_PATH])
4559
4560AC_ARG_WITH([xauth],
4561	[  --with-xauth=PATH       Specify path to xauth program ],
4562	[
4563		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4564		    test "x${withval}" != "xyes"; then
4565			xauth_path=$withval
4566		fi
4567	],
4568	[
4569		TestPath="$PATH"
4570		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4571		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4572		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4573		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4574		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4575		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4576			xauth_path="/usr/openwin/bin/xauth"
4577		fi
4578	]
4579)
4580
4581STRIP_OPT=-s
4582AC_ARG_ENABLE([strip],
4583	[  --disable-strip         Disable calling strip(1) on install],
4584	[
4585		if test "x$enableval" = "xno" ; then
4586			STRIP_OPT=
4587		fi
4588	]
4589)
4590AC_SUBST([STRIP_OPT])
4591
4592if test -z "$xauth_path" ; then
4593	XAUTH_PATH="undefined"
4594	AC_SUBST([XAUTH_PATH])
4595else
4596	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4597		[Define if xauth is found in your path])
4598	XAUTH_PATH=$xauth_path
4599	AC_SUBST([XAUTH_PATH])
4600fi
4601
4602dnl # --with-maildir=/path/to/mail gets top priority.
4603dnl # if maildir is set in the platform case statement above we use that.
4604dnl # Otherwise we run a program to get the dir from system headers.
4605dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4606dnl # If we find _PATH_MAILDIR we do nothing because that is what
4607dnl # session.c expects anyway. Otherwise we set to the value found
4608dnl # stripping any trailing slash. If for some strage reason our program
4609dnl # does not find what it needs, we default to /var/spool/mail.
4610# Check for mail directory
4611AC_ARG_WITH([maildir],
4612    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4613    [
4614	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4615	    test "x${withval}" != xyes; then
4616		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4617            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4618	    fi
4619     ],[
4620	if test "X$maildir" != "X"; then
4621	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4622	else
4623	    AC_MSG_CHECKING([Discovering system mail directory])
4624	    AC_RUN_IFELSE(
4625		[AC_LANG_PROGRAM([[
4626#include <stdio.h>
4627#include <string.h>
4628#ifdef HAVE_PATHS_H
4629#include <paths.h>
4630#endif
4631#ifdef HAVE_MAILLOCK_H
4632#include <maillock.h>
4633#endif
4634#define DATA "conftest.maildir"
4635	]], [[
4636	FILE *fd;
4637	int rc;
4638
4639	fd = fopen(DATA,"w");
4640	if(fd == NULL)
4641		exit(1);
4642
4643#if defined (_PATH_MAILDIR)
4644	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4645		exit(1);
4646#elif defined (MAILDIR)
4647	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4648		exit(1);
4649#elif defined (_PATH_MAIL)
4650	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4651		exit(1);
4652#else
4653	exit (2);
4654#endif
4655
4656	exit(0);
4657		]])],
4658		[
4659		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4660		    maildir=`awk -F: '{print $2}' conftest.maildir \
4661			| sed 's|/$||'`
4662		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4663		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4664			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4665		    fi
4666		],
4667		[
4668		    if test "X$ac_status" = "X2";then
4669# our test program didn't find it. Default to /var/spool/mail
4670			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4671			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4672		     else
4673			AC_MSG_RESULT([*** not found ***])
4674		     fi
4675		],
4676		[
4677			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4678		]
4679	    )
4680	fi
4681    ]
4682) # maildir
4683
4684if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4685	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4686	disable_ptmx_check=yes
4687fi
4688if test -z "$no_dev_ptmx" ; then
4689	if test "x$disable_ptmx_check" != "xyes" ; then
4690		AC_CHECK_FILE(["/dev/ptmx"],
4691			[
4692				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4693					[Define if you have /dev/ptmx])
4694				have_dev_ptmx=1
4695			]
4696		)
4697	fi
4698fi
4699
4700if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4701	AC_CHECK_FILE(["/dev/ptc"],
4702		[
4703			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4704				[Define if you have /dev/ptc])
4705			have_dev_ptc=1
4706		]
4707	)
4708else
4709	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4710fi
4711
4712# Options from here on. Some of these are preset by platform above
4713AC_ARG_WITH([mantype],
4714	[  --with-mantype=man|cat|doc  Set man page type],
4715	[
4716		case "$withval" in
4717		man|cat|doc)
4718			MANTYPE=$withval
4719			;;
4720		*)
4721			AC_MSG_ERROR([invalid man type: $withval])
4722			;;
4723		esac
4724	]
4725)
4726if test -z "$MANTYPE"; then
4727	TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
4728	AC_PATH_PROGS([NROFF], [nroff awf], [/bin/false], [$TestPath])
4729	if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4730		MANTYPE=doc
4731	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4732		MANTYPE=man
4733	else
4734		MANTYPE=cat
4735	fi
4736fi
4737AC_SUBST([MANTYPE])
4738if test "$MANTYPE" = "doc"; then
4739	mansubdir=man;
4740else
4741	mansubdir=$MANTYPE;
4742fi
4743AC_SUBST([mansubdir])
4744
4745# Check whether to enable MD5 passwords
4746MD5_MSG="no"
4747AC_ARG_WITH([md5-passwords],
4748	[  --with-md5-passwords    Enable use of MD5 passwords],
4749	[
4750		if test "x$withval" != "xno" ; then
4751			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4752				[Define if you want to allow MD5 passwords])
4753			MD5_MSG="yes"
4754		fi
4755	]
4756)
4757
4758# Whether to disable shadow password support
4759AC_ARG_WITH([shadow],
4760	[  --without-shadow        Disable shadow password support],
4761	[
4762		if test "x$withval" = "xno" ; then
4763			AC_DEFINE([DISABLE_SHADOW])
4764			disable_shadow=yes
4765		fi
4766	]
4767)
4768
4769if test -z "$disable_shadow" ; then
4770	AC_MSG_CHECKING([if the systems has expire shadow information])
4771	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4772#include <sys/types.h>
4773#include <shadow.h>
4774struct spwd sp;
4775		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4776		[ sp_expire_available=yes ], [
4777	])
4778
4779	if test "x$sp_expire_available" = "xyes" ; then
4780		AC_MSG_RESULT([yes])
4781		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4782		    [Define if you want to use shadow password expire field])
4783	else
4784		AC_MSG_RESULT([no])
4785	fi
4786fi
4787
4788# Use ip address instead of hostname in $DISPLAY
4789if test ! -z "$IPADDR_IN_DISPLAY" ; then
4790	DISPLAY_HACK_MSG="yes"
4791	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4792		[Define if you need to use IP address
4793		instead of hostname in $DISPLAY])
4794else
4795	DISPLAY_HACK_MSG="no"
4796	AC_ARG_WITH([ipaddr-display],
4797		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4798		[
4799			if test "x$withval" != "xno" ; then
4800				AC_DEFINE([IPADDR_IN_DISPLAY])
4801				DISPLAY_HACK_MSG="yes"
4802			fi
4803		]
4804	)
4805fi
4806
4807# check for /etc/default/login and use it if present.
4808AC_ARG_ENABLE([etc-default-login],
4809	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4810	[ if test "x$enableval" = "xno"; then
4811		AC_MSG_NOTICE([/etc/default/login handling disabled])
4812		etc_default_login=no
4813	  else
4814		etc_default_login=yes
4815	  fi ],
4816	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4817	  then
4818		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4819		etc_default_login=no
4820	  else
4821		etc_default_login=yes
4822	  fi ]
4823)
4824
4825if test "x$etc_default_login" != "xno"; then
4826	AC_CHECK_FILE(["/etc/default/login"],
4827	    [ external_path_file=/etc/default/login ])
4828	if test "x$external_path_file" = "x/etc/default/login"; then
4829		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4830			[Define if your system has /etc/default/login])
4831	fi
4832fi
4833
4834dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4835if test $ac_cv_func_login_getcapbool = "yes" && \
4836	test $ac_cv_header_login_cap_h = "yes" ; then
4837	external_path_file=/etc/login.conf
4838fi
4839
4840# Whether to mess with the default path
4841SERVER_PATH_MSG="(default)"
4842AC_ARG_WITH([default-path],
4843	[  --with-default-path=    Specify default $PATH environment for server],
4844	[
4845		if test "x$external_path_file" = "x/etc/login.conf" ; then
4846			AC_MSG_WARN([
4847--with-default-path=PATH has no effect on this system.
4848Edit /etc/login.conf instead.])
4849		elif test "x$withval" != "xno" ; then
4850			if test ! -z "$external_path_file" ; then
4851				AC_MSG_WARN([
4852--with-default-path=PATH will only be used if PATH is not defined in
4853$external_path_file .])
4854			fi
4855			user_path="$withval"
4856			SERVER_PATH_MSG="$withval"
4857		fi
4858	],
4859	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4860		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4861	else
4862		if test ! -z "$external_path_file" ; then
4863			AC_MSG_WARN([
4864If PATH is defined in $external_path_file, ensure the path to scp is included,
4865otherwise scp will not work.])
4866		fi
4867		AC_RUN_IFELSE(
4868			[AC_LANG_PROGRAM([[
4869/* find out what STDPATH is */
4870#include <stdio.h>
4871#ifdef HAVE_PATHS_H
4872# include <paths.h>
4873#endif
4874#ifndef _PATH_STDPATH
4875# ifdef _PATH_USERPATH	/* Irix */
4876#  define _PATH_STDPATH _PATH_USERPATH
4877# else
4878#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4879# endif
4880#endif
4881#include <sys/types.h>
4882#include <sys/stat.h>
4883#include <fcntl.h>
4884#define DATA "conftest.stdpath"
4885			]], [[
4886	FILE *fd;
4887	int rc;
4888
4889	fd = fopen(DATA,"w");
4890	if(fd == NULL)
4891		exit(1);
4892
4893	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
4894		exit(1);
4895
4896	exit(0);
4897		]])],
4898		[ user_path=`cat conftest.stdpath` ],
4899		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
4900		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
4901	)
4902# make sure $bindir is in USER_PATH so scp will work
4903		t_bindir="${bindir}"
4904		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
4905			t_bindir=`eval echo ${t_bindir}`
4906			case $t_bindir in
4907				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
4908			esac
4909			case $t_bindir in
4910				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
4911			esac
4912		done
4913		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
4914		if test $? -ne 0  ; then
4915			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
4916			if test $? -ne 0  ; then
4917				user_path=$user_path:$t_bindir
4918				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
4919			fi
4920		fi
4921	fi ]
4922)
4923if test "x$external_path_file" != "x/etc/login.conf" ; then
4924	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
4925	AC_SUBST([user_path])
4926fi
4927
4928# Set superuser path separately to user path
4929AC_ARG_WITH([superuser-path],
4930	[  --with-superuser-path=  Specify different path for super-user],
4931	[
4932		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4933		    test "x${withval}" != "xyes"; then
4934			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
4935				[Define if you want a different $PATH
4936				for the superuser])
4937			superuser_path=$withval
4938		fi
4939	]
4940)
4941
4942
4943AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
4944IPV4_IN6_HACK_MSG="no"
4945AC_ARG_WITH(4in6,
4946	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
4947	[
4948		if test "x$withval" != "xno" ; then
4949			AC_MSG_RESULT([yes])
4950			AC_DEFINE([IPV4_IN_IPV6], [1],
4951				[Detect IPv4 in IPv6 mapped addresses
4952				and treat as IPv4])
4953			IPV4_IN6_HACK_MSG="yes"
4954		else
4955			AC_MSG_RESULT([no])
4956		fi
4957	], [
4958		if test "x$inet6_default_4in6" = "xyes"; then
4959			AC_MSG_RESULT([yes (default)])
4960			AC_DEFINE([IPV4_IN_IPV6])
4961			IPV4_IN6_HACK_MSG="yes"
4962		else
4963			AC_MSG_RESULT([no (default)])
4964		fi
4965	]
4966)
4967
4968# Whether to enable BSD auth support
4969BSD_AUTH_MSG=no
4970AC_ARG_WITH([bsd-auth],
4971	[  --with-bsd-auth         Enable BSD auth support],
4972	[
4973		if test "x$withval" != "xno" ; then
4974			AC_DEFINE([BSD_AUTH], [1],
4975				[Define if you have BSD auth support])
4976			BSD_AUTH_MSG=yes
4977		fi
4978	]
4979)
4980
4981# Where to place sshd.pid
4982piddir=/var/run
4983# make sure the directory exists
4984if test ! -d $piddir ; then
4985	piddir=`eval echo ${sysconfdir}`
4986	case $piddir in
4987		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
4988	esac
4989fi
4990
4991AC_ARG_WITH([pid-dir],
4992	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
4993	[
4994		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4995		    test "x${withval}" != "xyes"; then
4996			piddir=$withval
4997			if test ! -d $piddir ; then
4998			AC_MSG_WARN([** no $piddir directory on this system **])
4999			fi
5000		fi
5001	]
5002)
5003
5004AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5005	[Specify location of ssh.pid])
5006AC_SUBST([piddir])
5007
5008dnl allow user to disable some login recording features
5009AC_ARG_ENABLE([lastlog],
5010	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5011	[
5012		if test "x$enableval" = "xno" ; then
5013			AC_DEFINE([DISABLE_LASTLOG])
5014		fi
5015	]
5016)
5017AC_ARG_ENABLE([utmp],
5018	[  --disable-utmp          disable use of utmp even if detected [no]],
5019	[
5020		if test "x$enableval" = "xno" ; then
5021			AC_DEFINE([DISABLE_UTMP])
5022		fi
5023	]
5024)
5025AC_ARG_ENABLE([utmpx],
5026	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5027	[
5028		if test "x$enableval" = "xno" ; then
5029			AC_DEFINE([DISABLE_UTMPX], [1],
5030				[Define if you don't want to use utmpx])
5031		fi
5032	]
5033)
5034AC_ARG_ENABLE([wtmp],
5035	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5036	[
5037		if test "x$enableval" = "xno" ; then
5038			AC_DEFINE([DISABLE_WTMP])
5039		fi
5040	]
5041)
5042AC_ARG_ENABLE([wtmpx],
5043	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5044	[
5045		if test "x$enableval" = "xno" ; then
5046			AC_DEFINE([DISABLE_WTMPX], [1],
5047				[Define if you don't want to use wtmpx])
5048		fi
5049	]
5050)
5051AC_ARG_ENABLE([libutil],
5052	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5053	[
5054		if test "x$enableval" = "xno" ; then
5055			AC_DEFINE([DISABLE_LOGIN])
5056		fi
5057	]
5058)
5059AC_ARG_ENABLE([pututline],
5060	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5061	[
5062		if test "x$enableval" = "xno" ; then
5063			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5064				[Define if you don't want to use pututline()
5065				etc. to write [uw]tmp])
5066		fi
5067	]
5068)
5069AC_ARG_ENABLE([pututxline],
5070	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5071	[
5072		if test "x$enableval" = "xno" ; then
5073			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5074				[Define if you don't want to use pututxline()
5075				etc. to write [uw]tmpx])
5076		fi
5077	]
5078)
5079AC_ARG_WITH([lastlog],
5080  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5081	[
5082		if test "x$withval" = "xno" ; then
5083			AC_DEFINE([DISABLE_LASTLOG])
5084		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5085			conf_lastlog_location=$withval
5086		fi
5087	]
5088)
5089
5090dnl lastlog, [uw]tmpx? detection
5091dnl  NOTE: set the paths in the platform section to avoid the
5092dnl   need for command-line parameters
5093dnl lastlog and [uw]tmp are subject to a file search if all else fails
5094
5095dnl lastlog detection
5096dnl  NOTE: the code itself will detect if lastlog is a directory
5097AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5098AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5099#include <sys/types.h>
5100#include <utmp.h>
5101#ifdef HAVE_LASTLOG_H
5102#  include <lastlog.h>
5103#endif
5104#ifdef HAVE_PATHS_H
5105#  include <paths.h>
5106#endif
5107#ifdef HAVE_LOGIN_H
5108# include <login.h>
5109#endif
5110	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5111		[ AC_MSG_RESULT([yes]) ],
5112		[
5113		AC_MSG_RESULT([no])
5114		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5115		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5116#include <sys/types.h>
5117#include <utmp.h>
5118#ifdef HAVE_LASTLOG_H
5119#  include <lastlog.h>
5120#endif
5121#ifdef HAVE_PATHS_H
5122#  include <paths.h>
5123#endif
5124		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5125		[ AC_MSG_RESULT([yes]) ],
5126		[
5127			AC_MSG_RESULT([no])
5128			system_lastlog_path=no
5129		])
5130])
5131
5132if test -z "$conf_lastlog_location"; then
5133	if test x"$system_lastlog_path" = x"no" ; then
5134		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5135				if (test -d "$f" || test -f "$f") ; then
5136					conf_lastlog_location=$f
5137				fi
5138		done
5139		if test -z "$conf_lastlog_location"; then
5140			AC_MSG_WARN([** Cannot find lastlog **])
5141			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5142		fi
5143	fi
5144fi
5145
5146if test -n "$conf_lastlog_location"; then
5147	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5148		[Define if you want to specify the path to your lastlog file])
5149fi
5150
5151dnl utmp detection
5152AC_MSG_CHECKING([if your system defines UTMP_FILE])
5153AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5154#include <sys/types.h>
5155#include <utmp.h>
5156#ifdef HAVE_PATHS_H
5157#  include <paths.h>
5158#endif
5159	]], [[ char *utmp = UTMP_FILE; ]])],
5160	[ AC_MSG_RESULT([yes]) ],
5161	[ AC_MSG_RESULT([no])
5162	  system_utmp_path=no
5163])
5164if test -z "$conf_utmp_location"; then
5165	if test x"$system_utmp_path" = x"no" ; then
5166		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5167			if test -f $f ; then
5168				conf_utmp_location=$f
5169			fi
5170		done
5171		if test -z "$conf_utmp_location"; then
5172			AC_DEFINE([DISABLE_UTMP])
5173		fi
5174	fi
5175fi
5176if test -n "$conf_utmp_location"; then
5177	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5178		[Define if you want to specify the path to your utmp file])
5179fi
5180
5181dnl wtmp detection
5182AC_MSG_CHECKING([if your system defines WTMP_FILE])
5183AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5184#include <sys/types.h>
5185#include <utmp.h>
5186#ifdef HAVE_PATHS_H
5187#  include <paths.h>
5188#endif
5189	]], [[ char *wtmp = WTMP_FILE; ]])],
5190	[ AC_MSG_RESULT([yes]) ],
5191	[ AC_MSG_RESULT([no])
5192	  system_wtmp_path=no
5193])
5194if test -z "$conf_wtmp_location"; then
5195	if test x"$system_wtmp_path" = x"no" ; then
5196		for f in /usr/adm/wtmp /var/log/wtmp; do
5197			if test -f $f ; then
5198				conf_wtmp_location=$f
5199			fi
5200		done
5201		if test -z "$conf_wtmp_location"; then
5202			AC_DEFINE([DISABLE_WTMP])
5203		fi
5204	fi
5205fi
5206if test -n "$conf_wtmp_location"; then
5207	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5208		[Define if you want to specify the path to your wtmp file])
5209fi
5210
5211dnl wtmpx detection
5212AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5213AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5214#include <sys/types.h>
5215#include <utmp.h>
5216#ifdef HAVE_UTMPX_H
5217#include <utmpx.h>
5218#endif
5219#ifdef HAVE_PATHS_H
5220#  include <paths.h>
5221#endif
5222	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5223	[ AC_MSG_RESULT([yes]) ],
5224	[ AC_MSG_RESULT([no])
5225	  system_wtmpx_path=no
5226])
5227if test -z "$conf_wtmpx_location"; then
5228	if test x"$system_wtmpx_path" = x"no" ; then
5229		AC_DEFINE([DISABLE_WTMPX])
5230	fi
5231else
5232	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5233		[Define if you want to specify the path to your wtmpx file])
5234fi
5235
5236
5237if test ! -z "$blibpath" ; then
5238	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5239	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5240fi
5241
5242AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5243    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5244	AC_DEFINE([DISABLE_LASTLOG])
5245    fi
5246	], [
5247#ifdef HAVE_SYS_TYPES_H
5248#include <sys/types.h>
5249#endif
5250#ifdef HAVE_UTMP_H
5251#include <utmp.h>
5252#endif
5253#ifdef HAVE_UTMPX_H
5254#include <utmpx.h>
5255#endif
5256#ifdef HAVE_LASTLOG_H
5257#include <lastlog.h>
5258#endif
5259	])
5260
5261AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5262	AC_DEFINE([DISABLE_UTMP])
5263	AC_DEFINE([DISABLE_WTMP])
5264	], [
5265#ifdef HAVE_SYS_TYPES_H
5266#include <sys/types.h>
5267#endif
5268#ifdef HAVE_UTMP_H
5269#include <utmp.h>
5270#endif
5271#ifdef HAVE_UTMPX_H
5272#include <utmpx.h>
5273#endif
5274#ifdef HAVE_LASTLOG_H
5275#include <lastlog.h>
5276#endif
5277	])
5278
5279dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5280dnl Add now.
5281CFLAGS="$CFLAGS $werror_flags"
5282
5283if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5284	TEST_SSH_IPV6=no
5285else
5286	TEST_SSH_IPV6=yes
5287fi
5288AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5289AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5290AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5291AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5292AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5293AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5294
5295CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5296LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5297
5298AC_EXEEXT
5299AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5300	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5301	survey.sh])
5302AC_OUTPUT
5303
5304# Print summary of options
5305
5306# Someone please show me a better way :)
5307A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5308B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5309C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5310D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5311E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5312F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5313G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5314H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5315I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5316J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5317
5318echo ""
5319echo "OpenSSH has been configured with the following options:"
5320echo "                     User binaries: $B"
5321echo "                   System binaries: $C"
5322echo "               Configuration files: $D"
5323echo "                   Askpass program: $E"
5324echo "                      Manual pages: $F"
5325echo "                          PID file: $G"
5326echo "  Privilege separation chroot path: $H"
5327if test "x$external_path_file" = "x/etc/login.conf" ; then
5328echo "   At runtime, sshd will use the path defined in $external_path_file"
5329echo "   Make sure the path to scp is present, otherwise scp will not work"
5330else
5331echo "            sshd default user PATH: $I"
5332	if test ! -z "$external_path_file"; then
5333echo "   (If PATH is set in $external_path_file it will be used instead. If"
5334echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5335	fi
5336fi
5337if test ! -z "$superuser_path" ; then
5338echo "          sshd superuser user PATH: $J"
5339fi
5340echo "                    Manpage format: $MANTYPE"
5341echo "                       PAM support: $PAM_MSG"
5342echo "                   OSF SIA support: $SIA_MSG"
5343echo "                 KerberosV support: $KRB5_MSG"
5344echo "                   SELinux support: $SELINUX_MSG"
5345echo "              TCP Wrappers support: $TCPW_MSG"
5346echo "              MD5 password support: $MD5_MSG"
5347echo "                   libedit support: $LIBEDIT_MSG"
5348echo "                   libldns support: $LDNS_MSG"
5349echo "  Solaris process contract support: $SPC_MSG"
5350echo "           Solaris project support: $SP_MSG"
5351echo "         Solaris privilege support: $SPP_MSG"
5352echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5353echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5354echo "                  BSD Auth support: $BSD_AUTH_MSG"
5355echo "              Random number source: $RAND_MSG"
5356echo "             Privsep sandbox style: $SANDBOX_STYLE"
5357
5358echo ""
5359
5360echo "              Host: ${host}"
5361echo "          Compiler: ${CC}"
5362echo "    Compiler flags: ${CFLAGS}"
5363echo "Preprocessor flags: ${CPPFLAGS}"
5364echo "      Linker flags: ${LDFLAGS}"
5365echo "         Libraries: ${LIBS}"
5366if test ! -z "${SSHDLIBS}"; then
5367echo "         +for sshd: ${SSHDLIBS}"
5368fi
5369if test ! -z "${SSHLIBS}"; then
5370echo "          +for ssh: ${SSHLIBS}"
5371fi
5372
5373echo ""
5374
5375if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5376	echo "SVR4 style packages are supported with \"make package\""
5377	echo ""
5378fi
5379
5380if test "x$PAM_MSG" = "xyes" ; then
5381	echo "PAM is enabled. You may need to install a PAM control file "
5382	echo "for sshd, otherwise password authentication may fail. "
5383	echo "Example PAM control files can be found in the contrib/ "
5384	echo "subdirectory"
5385	echo ""
5386fi
5387
5388if test ! -z "$NO_PEERCHECK" ; then
5389	echo "WARNING: the operating system that you are using does not"
5390	echo "appear to support getpeereid(), getpeerucred() or the"
5391	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5392	echo "enforce security checks to prevent unauthorised connections to"
5393	echo "ssh-agent. Their absence increases the risk that a malicious"
5394	echo "user can connect to your agent."
5395	echo ""
5396fi
5397
5398if test "$AUDIT_MODULE" = "bsm" ; then
5399	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5400	echo "See the Solaris section in README.platform for details."
5401fi
5402