xref: /freebsd/crypto/openssh/configure.ac (revision e2eeea75eb8b6dd50c1298067a0655880d186734)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_REVISION($Revision: 1.583 $)
18AC_CONFIG_SRCDIR([ssh.c])
19AC_LANG([C])
20
21AC_CONFIG_HEADER([config.h])
22AC_PROG_CC
23AC_CANONICAL_HOST
24AC_C_BIGENDIAN
25
26# Checks for programs.
27AC_PROG_AWK
28AC_PROG_CPP
29AC_PROG_RANLIB
30AC_PROG_INSTALL
31AC_PROG_EGREP
32AC_PROG_MKDIR_P
33AC_CHECK_TOOLS([AR], [ar])
34AC_PATH_PROG([CAT], [cat])
35AC_PATH_PROG([KILL], [kill])
36AC_PATH_PROG([SED], [sed])
37AC_PATH_PROG([ENT], [ent])
38AC_SUBST([ENT])
39AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42AC_PATH_PROG([SH], [sh])
43AC_PATH_PROG([GROFF], [groff])
44AC_PATH_PROG([NROFF], [nroff])
45AC_PATH_PROG([MANDOC], [mandoc])
46AC_SUBST([TEST_SHELL], [sh])
47
48dnl select manpage formatter
49if test "x$MANDOC" != "x" ; then
50	MANFMT="$MANDOC"
51elif test "x$NROFF" != "x" ; then
52	MANFMT="$NROFF -mandoc"
53elif test "x$GROFF" != "x" ; then
54	MANFMT="$GROFF -mandoc -Tascii"
55else
56	AC_MSG_WARN([no manpage formatted found])
57	MANFMT="false"
58fi
59AC_SUBST([MANFMT])
60
61dnl for buildpkg.sh
62AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63	[/usr/sbin${PATH_SEPARATOR}/etc])
64AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65	[/usr/sbin${PATH_SEPARATOR}/etc])
66AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67if test -x /sbin/sh; then
68	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
69else
70	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
71fi
72
73# System features
74AC_SYS_LARGEFILE
75
76if test -z "$AR" ; then
77	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
78fi
79
80AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81if test ! -z "$PATH_PASSWD_PROG" ; then
82	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83		[Full path of your "passwd" program])
84fi
85
86dnl Since autoconf doesn't support it very well,  we no longer allow users to
87dnl override LD, however keeping the hook here for now in case there's a use
88dnl use case we overlooked and someone needs to re-enable it.  Unless a good
89dnl reason is found we'll be removing this in future.
90LD="$CC"
91AC_SUBST([LD])
92
93AC_C_INLINE
94
95AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
97	#include <sys/types.h>
98	#include <sys/param.h>
99	#include <dev/systrace.h>
100])
101AC_CHECK_DECL([RLIMIT_NPROC],
102    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
103	#include <sys/types.h>
104	#include <sys/resource.h>
105])
106AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
107	#include <sys/types.h>
108	#include <linux/prctl.h>
109])
110
111openssl=yes
112AC_ARG_WITH([openssl],
113	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
114	[  if test "x$withval" = "xno" ; then
115		openssl=no
116	   fi
117	]
118)
119AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
120if test "x$openssl" = "xyes" ; then
121	AC_MSG_RESULT([yes])
122	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
123else
124	AC_MSG_RESULT([no])
125fi
126
127use_stack_protector=1
128use_toolchain_hardening=1
129AC_ARG_WITH([stackprotect],
130    [  --without-stackprotect  Don't use compiler's stack protection], [
131    if test "x$withval" = "xno"; then
132	use_stack_protector=0
133    fi ])
134AC_ARG_WITH([hardening],
135    [  --without-hardening     Don't use toolchain hardening flags], [
136    if test "x$withval" = "xno"; then
137	use_toolchain_hardening=0
138    fi ])
139
140# We use -Werror for the tests only so that we catch warnings like "this is
141# on by default" for things like -fPIE.
142AC_MSG_CHECKING([if $CC supports -Werror])
143saved_CFLAGS="$CFLAGS"
144CFLAGS="$CFLAGS -Werror"
145AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
146	[ AC_MSG_RESULT([yes])
147	  WERROR="-Werror"],
148	[ AC_MSG_RESULT([no])
149	  WERROR="" ]
150)
151CFLAGS="$saved_CFLAGS"
152
153if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
154	OSSH_CHECK_CFLAG_COMPILE([-pipe])
155	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
156	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
157	OSSH_CHECK_CFLAG_COMPILE([-Wall])
158	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
159	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
160	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
161	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
162	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
163	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
164	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
165	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
166    if test "x$use_toolchain_hardening" = "x1"; then
167	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
168	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
169	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
170	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
171	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
172	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
173	# NB. -ftrapv expects certain support functions to be present in
174	# the compiler library (libgcc or similar) to detect integer operations
175	# that can overflow. We must check that the result of enabling it
176	# actually links. The test program compiled/linked includes a number
177	# of integer operations that should exercise this.
178	OSSH_CHECK_CFLAG_LINK([-ftrapv])
179    fi
180	AC_MSG_CHECKING([gcc version])
181	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
182	case $GCC_VER in
183		1.*) no_attrib_nonnull=1 ;;
184		2.8* | 2.9*)
185		     no_attrib_nonnull=1
186		     ;;
187		2.*) no_attrib_nonnull=1 ;;
188		*) ;;
189	esac
190	AC_MSG_RESULT([$GCC_VER])
191
192	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
193	saved_CFLAGS="$CFLAGS"
194	CFLAGS="$CFLAGS -fno-builtin-memset"
195	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
196			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
197		[ AC_MSG_RESULT([yes]) ],
198		[ AC_MSG_RESULT([no])
199		  CFLAGS="$saved_CFLAGS" ]
200	)
201
202	# -fstack-protector-all doesn't always work for some GCC versions
203	# and/or platforms, so we test if we can.  If it's not supported
204	# on a given platform gcc will emit a warning so we use -Werror.
205	if test "x$use_stack_protector" = "x1"; then
206	    for t in -fstack-protector-strong -fstack-protector-all \
207		    -fstack-protector; do
208		AC_MSG_CHECKING([if $CC supports $t])
209		saved_CFLAGS="$CFLAGS"
210		saved_LDFLAGS="$LDFLAGS"
211		CFLAGS="$CFLAGS $t -Werror"
212		LDFLAGS="$LDFLAGS $t -Werror"
213		AC_LINK_IFELSE(
214			[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
215			[[
216	char x[256];
217	snprintf(x, sizeof(x), "XXX");
218			 ]])],
219		    [ AC_MSG_RESULT([yes])
220		      CFLAGS="$saved_CFLAGS $t"
221		      LDFLAGS="$saved_LDFLAGS $t"
222		      AC_MSG_CHECKING([if $t works])
223		      AC_RUN_IFELSE(
224			[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
225			[[
226	char x[256];
227	snprintf(x, sizeof(x), "XXX");
228			]])],
229			[ AC_MSG_RESULT([yes])
230			  break ],
231			[ AC_MSG_RESULT([no]) ],
232			[ AC_MSG_WARN([cross compiling: cannot test])
233			  break ]
234		      )
235		    ],
236		    [ AC_MSG_RESULT([no]) ]
237		)
238		CFLAGS="$saved_CFLAGS"
239		LDFLAGS="$saved_LDFLAGS"
240	    done
241	fi
242
243	if test -z "$have_llong_max"; then
244		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
245		unset ac_cv_have_decl_LLONG_MAX
246		saved_CFLAGS="$CFLAGS"
247		CFLAGS="$CFLAGS -std=gnu99"
248		AC_CHECK_DECL([LLONG_MAX],
249		    [have_llong_max=1],
250		    [CFLAGS="$saved_CFLAGS"],
251		    [#include <limits.h>]
252		)
253	fi
254fi
255
256AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
257AC_COMPILE_IFELSE(
258    [AC_LANG_PROGRAM([[
259#include <stdlib.h>
260__attribute__((__unused__)) static void foo(void){return;}]],
261    [[ exit(0); ]])],
262    [ AC_MSG_RESULT([yes]) ],
263    [ AC_MSG_RESULT([no])
264      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
265	 [compiler does not accept __attribute__ on return types]) ]
266)
267
268AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
269AC_COMPILE_IFELSE(
270    [AC_LANG_PROGRAM([[
271#include <stdlib.h>
272typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
273    [[ exit(0); ]])],
274    [ AC_MSG_RESULT([yes]) ],
275    [ AC_MSG_RESULT([no])
276      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
277	 [compiler does not accept __attribute__ on prototype args]) ]
278)
279
280if test "x$no_attrib_nonnull" != "x1" ; then
281	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
282fi
283
284AC_ARG_WITH([rpath],
285	[  --without-rpath         Disable auto-added -R linker paths],
286	[
287		if test "x$withval" = "xno" ; then
288			need_dash_r=""
289		fi
290		if test "x$withval" = "xyes" ; then
291			need_dash_r=1
292		fi
293	]
294)
295
296# Allow user to specify flags
297AC_ARG_WITH([cflags],
298	[  --with-cflags           Specify additional flags to pass to compiler],
299	[
300		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
301		    test "x${withval}" != "xyes"; then
302			CFLAGS="$CFLAGS $withval"
303		fi
304	]
305)
306
307AC_ARG_WITH([cflags-after],
308	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
309	[
310		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
311		    test "x${withval}" != "xyes"; then
312			CFLAGS_AFTER="$withval"
313		fi
314	]
315)
316AC_ARG_WITH([cppflags],
317	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
318	[
319		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
320		    test "x${withval}" != "xyes"; then
321			CPPFLAGS="$CPPFLAGS $withval"
322		fi
323	]
324)
325AC_ARG_WITH([ldflags],
326	[  --with-ldflags          Specify additional flags to pass to linker],
327	[
328		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
329		    test "x${withval}" != "xyes"; then
330			LDFLAGS="$LDFLAGS $withval"
331		fi
332	]
333)
334AC_ARG_WITH([ldflags-after],
335	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
336	[
337		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
338		    test "x${withval}" != "xyes"; then
339			LDFLAGS_AFTER="$withval"
340		fi
341	]
342)
343AC_ARG_WITH([libs],
344	[  --with-libs             Specify additional libraries to link with],
345	[
346		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
347		    test "x${withval}" != "xyes"; then
348			LIBS="$LIBS $withval"
349		fi
350	]
351)
352AC_ARG_WITH([Werror],
353	[  --with-Werror           Build main code with -Werror],
354	[
355		if test -n "$withval"  &&  test "x$withval" != "xno"; then
356			werror_flags="-Werror"
357			if test "x${withval}" != "xyes"; then
358				werror_flags="$withval"
359			fi
360		fi
361	]
362)
363
364AC_CHECK_HEADERS([ \
365	blf.h \
366	bstring.h \
367	crypt.h \
368	crypto/sha2.h \
369	dirent.h \
370	endian.h \
371	elf.h \
372	err.h \
373	features.h \
374	fcntl.h \
375	floatingpoint.h \
376	getopt.h \
377	glob.h \
378	ia.h \
379	iaf.h \
380	ifaddrs.h \
381	inttypes.h \
382	langinfo.h \
383	limits.h \
384	locale.h \
385	login.h \
386	maillock.h \
387	ndir.h \
388	net/if_tun.h \
389	netdb.h \
390	netgroup.h \
391	pam/pam_appl.h \
392	paths.h \
393	poll.h \
394	pty.h \
395	readpassphrase.h \
396	rpc/types.h \
397	security/pam_appl.h \
398	sha2.h \
399	shadow.h \
400	stddef.h \
401	stdint.h \
402	string.h \
403	strings.h \
404	sys/bitypes.h \
405	sys/bsdtty.h \
406	sys/cdefs.h \
407	sys/dir.h \
408	sys/file.h \
409	sys/mman.h \
410	sys/label.h \
411	sys/ndir.h \
412	sys/poll.h \
413	sys/prctl.h \
414	sys/pstat.h \
415	sys/ptrace.h \
416	sys/random.h \
417	sys/select.h \
418	sys/stat.h \
419	sys/stream.h \
420	sys/stropts.h \
421	sys/strtio.h \
422	sys/statvfs.h \
423	sys/sysmacros.h \
424	sys/time.h \
425	sys/timers.h \
426	sys/vfs.h \
427	time.h \
428	tmpdir.h \
429	ttyent.h \
430	ucred.h \
431	unistd.h \
432	usersec.h \
433	util.h \
434	utime.h \
435	utmp.h \
436	utmpx.h \
437	vis.h \
438	wchar.h \
439])
440
441# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
442# to be included first.
443AC_CHECK_HEADERS([sys/audit.h], [], [], [
444#ifdef HAVE_SYS_TIME_H
445# include <sys/time.h>
446#endif
447#ifdef HAVE_SYS_TYPES_H
448# include <sys/types.h>
449#endif
450#ifdef HAVE_SYS_LABEL_H
451# include <sys/label.h>
452#endif
453])
454
455# sys/capsicum.h requires sys/types.h
456AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
457#ifdef HAVE_SYS_TYPES_H
458# include <sys/types.h>
459#endif
460])
461
462# net/route.h requires sys/socket.h and sys/types.h.
463# sys/sysctl.h also requires sys/param.h
464AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
465#ifdef HAVE_SYS_TYPES_H
466# include <sys/types.h>
467#endif
468#include <sys/param.h>
469#include <sys/socket.h>
470])
471
472# lastlog.h requires sys/time.h to be included first on Solaris
473AC_CHECK_HEADERS([lastlog.h], [], [], [
474#ifdef HAVE_SYS_TIME_H
475# include <sys/time.h>
476#endif
477])
478
479# sys/ptms.h requires sys/stream.h to be included first on Solaris
480AC_CHECK_HEADERS([sys/ptms.h], [], [], [
481#ifdef HAVE_SYS_STREAM_H
482# include <sys/stream.h>
483#endif
484])
485
486# login_cap.h requires sys/types.h on NetBSD
487AC_CHECK_HEADERS([login_cap.h], [], [], [
488#include <sys/types.h>
489])
490
491# older BSDs need sys/param.h before sys/mount.h
492AC_CHECK_HEADERS([sys/mount.h], [], [], [
493#include <sys/param.h>
494])
495
496# Android requires sys/socket.h to be included before sys/un.h
497AC_CHECK_HEADERS([sys/un.h], [], [], [
498#include <sys/types.h>
499#include <sys/socket.h>
500])
501
502# Messages for features tested for in target-specific section
503SIA_MSG="no"
504SPC_MSG="no"
505SP_MSG="no"
506SPP_MSG="no"
507
508# Support for Solaris/Illumos privileges (this test is used by both
509# the --with-solaris-privs option and --with-sandbox=solaris).
510SOLARIS_PRIVS="no"
511
512# Check for some target-specific stuff
513case "$host" in
514*-*-aix*)
515	# Some versions of VAC won't allow macro redefinitions at
516	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
517	# particularly with older versions of vac or xlc.
518	# It also throws errors about null macro arguments, but these are
519	# not fatal.
520	AC_MSG_CHECKING([if compiler allows macro redefinitions])
521	AC_COMPILE_IFELSE(
522	    [AC_LANG_PROGRAM([[
523#define testmacro foo
524#define testmacro bar]],
525	    [[ exit(0); ]])],
526	    [ AC_MSG_RESULT([yes]) ],
527	    [ AC_MSG_RESULT([no])
528	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
529	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
530	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
531	    ]
532	)
533
534	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
535	if (test -z "$blibpath"); then
536		blibpath="/usr/lib:/lib"
537	fi
538	saved_LDFLAGS="$LDFLAGS"
539	if test "$GCC" = "yes"; then
540		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
541	else
542		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
543	fi
544	for tryflags in $flags ;do
545		if (test -z "$blibflags"); then
546			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
547			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
548			[blibflags=$tryflags], [])
549		fi
550	done
551	if (test -z "$blibflags"); then
552		AC_MSG_RESULT([not found])
553		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
554	else
555		AC_MSG_RESULT([$blibflags])
556	fi
557	LDFLAGS="$saved_LDFLAGS"
558	dnl Check for authenticate.  Might be in libs.a on older AIXes
559	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
560		[Define if you want to enable AIX4's authenticate function])],
561		[AC_CHECK_LIB([s], [authenticate],
562			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
563				LIBS="$LIBS -ls"
564			])
565		])
566	dnl Check for various auth function declarations in headers.
567	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
568	    passwdexpired, setauthdb], , , [#include <usersec.h>])
569	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
570	AC_CHECK_DECLS([loginfailed],
571	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
572	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
573		[[ (void)loginfailed("user","host","tty",0); ]])],
574		[AC_MSG_RESULT([yes])
575		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
576			[Define if your AIX loginfailed() function
577			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
578	    ])],
579	    [],
580	    [#include <usersec.h>]
581	)
582	AC_CHECK_FUNCS([getgrset setauthdb])
583	AC_CHECK_DECL([F_CLOSEM],
584	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
585	    [],
586	    [ #include <limits.h>
587	      #include <fcntl.h> ]
588	)
589	check_for_aix_broken_getaddrinfo=1
590	AC_DEFINE([BROKEN_REALPATH], [1], [Define if you have a broken realpath.])
591	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
592	    [Define if your platform breaks doing a seteuid before a setuid])
593	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
594	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
595	dnl AIX handles lastlog as part of its login message
596	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
597	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
598		[Some systems need a utmpx entry for /bin/login to work])
599	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
600		[Define to a Set Process Title type if your system is
601		supported by bsd-setproctitle.c])
602	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
603	    [AIX 5.2 and 5.3 (and presumably newer) require this])
604	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
605	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
606	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
607	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
608	;;
609*-*-android*)
610	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
611	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
612	;;
613*-*-cygwin*)
614	check_for_libcrypt_later=1
615	LIBS="$LIBS /usr/lib/textreadmode.o"
616	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
617	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
618	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
619		[Define to disable UID restoration test])
620	AC_DEFINE([DISABLE_SHADOW], [1],
621		[Define if you want to disable shadow passwords])
622	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
623		[Define if X11 doesn't support AF_UNIX sockets on that system])
624	AC_DEFINE([DISABLE_FD_PASSING], [1],
625		[Define if your platform needs to skip post auth
626		file descriptor passing])
627	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
628	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
629	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
630	# reasons which cause compile warnings, so we disable those warnings.
631	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
632	;;
633*-*-dgux*)
634	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
635		[Define if your system choked on IP TOS setting])
636	AC_DEFINE([SETEUID_BREAKS_SETUID])
637	AC_DEFINE([BROKEN_SETREUID])
638	AC_DEFINE([BROKEN_SETREGID])
639	;;
640*-*-darwin*)
641	use_pie=auto
642	AC_MSG_CHECKING([if we have working getaddrinfo])
643	AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
644main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
645		exit(0);
646	else
647		exit(1);
648}
649			]])],
650	[AC_MSG_RESULT([working])],
651	[AC_MSG_RESULT([buggy])
652	AC_DEFINE([BROKEN_GETADDRINFO], [1],
653		[getaddrinfo is broken (if present)])
654	],
655	[AC_MSG_RESULT([assume it is working])])
656	AC_DEFINE([SETEUID_BREAKS_SETUID])
657	AC_DEFINE([BROKEN_SETREUID])
658	AC_DEFINE([BROKEN_SETREGID])
659	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
660	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
661		[Define if your resolver libs need this for getrrsetbyname])
662	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
663	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
664	    [Use tunnel device compatibility to OpenBSD])
665	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
666	    [Prepend the address family to IP tunnel traffic])
667	m4_pattern_allow([AU_IPv])
668	AC_CHECK_DECL([AU_IPv4], [],
669	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
670	    [#include <bsm/audit.h>]
671	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
672	    [Define if pututxline updates lastlog too])
673	)
674	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
675		[Define to a Set Process Title type if your system is
676		supported by bsd-setproctitle.c])
677	AC_CHECK_FUNCS([sandbox_init])
678	AC_CHECK_HEADERS([sandbox.h])
679	AC_CHECK_LIB([sandbox], [sandbox_apply], [
680	    SSHDLIBS="$SSHDLIBS -lsandbox"
681	])
682	;;
683*-*-dragonfly*)
684	SSHDLIBS="$SSHDLIBS -lcrypt"
685	TEST_MALLOC_OPTIONS="AFGJPRX"
686	;;
687*-*-haiku*)
688	LIBS="$LIBS -lbsd "
689	AC_CHECK_LIB([network], [socket])
690	AC_DEFINE([HAVE_U_INT64_T])
691	MANTYPE=man
692	;;
693*-*-hpux*)
694	# first we define all of the options common to all HP-UX releases
695	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
696	IPADDR_IN_DISPLAY=yes
697	AC_DEFINE([USE_PIPES])
698	AC_DEFINE([LOGIN_NEEDS_UTMPX])
699	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
700		[String used in /etc/passwd to denote locked account])
701	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
702	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
703	maildir="/var/mail"
704	LIBS="$LIBS -lsec"
705	AC_CHECK_LIB([xnet], [t_error], ,
706	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
707
708	# next, we define all of the options specific to major releases
709	case "$host" in
710	*-*-hpux10*)
711		if test -z "$GCC"; then
712			CFLAGS="$CFLAGS -Ae"
713		fi
714		;;
715	*-*-hpux11*)
716		AC_DEFINE([PAM_SUN_CODEBASE], [1],
717			[Define if you are using Solaris-derived PAM which
718			passes pam_messages to the conversation function
719			with an extra level of indirection])
720		AC_DEFINE([DISABLE_UTMP], [1],
721			[Define if you don't want to use utmp])
722		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
723		check_for_hpux_broken_getaddrinfo=1
724		check_for_conflicting_getspnam=1
725		;;
726	esac
727
728	# lastly, we define options specific to minor releases
729	case "$host" in
730	*-*-hpux10.26)
731		AC_DEFINE([HAVE_SECUREWARE], [1],
732			[Define if you have SecureWare-based
733			protected password database])
734		disable_ptmx_check=yes
735		LIBS="$LIBS -lsecpw"
736		;;
737	esac
738	;;
739*-*-irix5*)
740	PATH="$PATH:/usr/etc"
741	AC_DEFINE([BROKEN_INET_NTOA], [1],
742		[Define if you system's inet_ntoa is busted
743		(e.g. Irix gcc issue)])
744	AC_DEFINE([SETEUID_BREAKS_SETUID])
745	AC_DEFINE([BROKEN_SETREUID])
746	AC_DEFINE([BROKEN_SETREGID])
747	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
748		[Define if you shouldn't strip 'tty' from your
749		ttyname in [uw]tmp])
750	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
751	;;
752*-*-irix6*)
753	PATH="$PATH:/usr/etc"
754	AC_DEFINE([WITH_IRIX_ARRAY], [1],
755		[Define if you have/want arrays
756		(cluster-wide session management, not C arrays)])
757	AC_DEFINE([WITH_IRIX_PROJECT], [1],
758		[Define if you want IRIX project management])
759	AC_DEFINE([WITH_IRIX_AUDIT], [1],
760		[Define if you want IRIX audit trails])
761	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
762		[Define if you want IRIX kernel jobs])])
763	AC_DEFINE([BROKEN_INET_NTOA])
764	AC_DEFINE([SETEUID_BREAKS_SETUID])
765	AC_DEFINE([BROKEN_SETREUID])
766	AC_DEFINE([BROKEN_SETREGID])
767	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
768	AC_DEFINE([WITH_ABBREV_NO_TTY])
769	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
770	;;
771*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
772	check_for_libcrypt_later=1
773	AC_DEFINE([PAM_TTY_KLUDGE])
774	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
775	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
776	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
777	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
778	;;
779*-*-linux*)
780	no_dev_ptmx=1
781	use_pie=auto
782	check_for_libcrypt_later=1
783	check_for_openpty_ctty_bug=1
784	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
785	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
786	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
787	AC_DEFINE([PAM_TTY_KLUDGE], [1],
788		[Work around problematic Linux PAM modules handling of PAM_TTY])
789	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
790		[String used in /etc/passwd to denote locked account])
791	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
792	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
793		[Define to whatever link() returns for "not supported"
794		if it doesn't return EOPNOTSUPP.])
795	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
796	AC_DEFINE([USE_BTMP])
797	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
798	inet6_default_4in6=yes
799	case `uname -r` in
800	1.*|2.0.*)
801		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
802			[Define if cmsg_type is not passed correctly])
803		;;
804	esac
805	# tun(4) forwarding compat code
806	AC_CHECK_HEADERS([linux/if_tun.h])
807	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
808		AC_DEFINE([SSH_TUN_LINUX], [1],
809		    [Open tunnel devices the Linux tun/tap way])
810		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
811		    [Use tunnel device compatibility to OpenBSD])
812		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
813		    [Prepend the address family to IP tunnel traffic])
814	fi
815	AC_CHECK_HEADER([linux/if.h],
816	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
817		[Support routing domains using Linux VRF]), [], [
818#ifdef HAVE_SYS_TYPES_H
819# include <sys/types.H>
820#endif
821	    ])
822	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
823	    [], [#include <linux/types.h>])
824	# Obtain MIPS ABI
825	case "$host" in
826	mips*)
827		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
828#if _MIPS_SIM != _ABIO32
829#error
830#endif
831			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
832#if _MIPS_SIM != _ABIN32
833#error
834#endif
835				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
836#if _MIPS_SIM != _ABI64
837#error
838#endif
839					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
840				])
841			])
842		])
843		;;
844	esac
845	AC_MSG_CHECKING([for seccomp architecture])
846	seccomp_audit_arch=
847	case "$host" in
848	x86_64-*)
849		seccomp_audit_arch=AUDIT_ARCH_X86_64
850		;;
851	i*86-*)
852		seccomp_audit_arch=AUDIT_ARCH_I386
853		;;
854	arm*-*)
855		seccomp_audit_arch=AUDIT_ARCH_ARM
856		;;
857	aarch64*-*)
858		seccomp_audit_arch=AUDIT_ARCH_AARCH64
859		;;
860	s390x-*)
861		seccomp_audit_arch=AUDIT_ARCH_S390X
862		;;
863	s390-*)
864		seccomp_audit_arch=AUDIT_ARCH_S390
865		;;
866	powerpc64-*)
867		seccomp_audit_arch=AUDIT_ARCH_PPC64
868		;;
869	powerpc64le-*)
870		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
871		;;
872	mips-*)
873		seccomp_audit_arch=AUDIT_ARCH_MIPS
874		;;
875	mipsel-*)
876		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
877		;;
878	mips64-*)
879		case "$mips_abi" in
880		"n32")
881			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
882			;;
883		"n64")
884			seccomp_audit_arch=AUDIT_ARCH_MIPS64
885			;;
886		esac
887		;;
888	mips64el-*)
889		case "$mips_abi" in
890		"n32")
891			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
892			;;
893		"n64")
894			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
895			;;
896		esac
897		;;
898	esac
899	if test "x$seccomp_audit_arch" != "x" ; then
900		AC_MSG_RESULT(["$seccomp_audit_arch"])
901		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
902		    [Specify the system call convention in use])
903	else
904		AC_MSG_RESULT([architecture not supported])
905	fi
906	;;
907mips-sony-bsd|mips-sony-newsos4)
908	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
909	SONY=1
910	;;
911*-*-netbsd*)
912	check_for_libcrypt_before=1
913	if test "x$withval" != "xno" ; then
914		need_dash_r=1
915	fi
916	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
917	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
918	AC_CHECK_HEADER([net/if_tap.h], ,
919	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
920	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
921	    [Prepend the address family to IP tunnel traffic])
922	TEST_MALLOC_OPTIONS="AJRX"
923	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
924	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
925	;;
926*-*-freebsd*)
927	check_for_libcrypt_later=1
928	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
929	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
930	AC_CHECK_HEADER([net/if_tap.h], ,
931	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
932	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
933	TEST_MALLOC_OPTIONS="AJRX"
934	# Preauth crypto occasionally uses file descriptors for crypto offload
935	# and will crash if they cannot be opened.
936	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
937	    [define if setrlimit RLIMIT_NOFILE breaks things])
938	;;
939*-*-bsdi*)
940	AC_DEFINE([SETEUID_BREAKS_SETUID])
941	AC_DEFINE([BROKEN_SETREUID])
942	AC_DEFINE([BROKEN_SETREGID])
943	;;
944*-next-*)
945	conf_lastlog_location="/usr/adm/lastlog"
946	conf_utmp_location=/etc/utmp
947	conf_wtmp_location=/usr/adm/wtmp
948	maildir=/usr/spool/mail
949	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
950	AC_DEFINE([BROKEN_REALPATH])
951	AC_DEFINE([USE_PIPES])
952	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
953	;;
954*-*-openbsd*)
955	use_pie=auto
956	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
957	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
958	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
959	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
960	    [syslog_r function is safe to use in in a signal handler])
961	TEST_MALLOC_OPTIONS="AFGJPRX"
962	;;
963*-*-solaris*)
964	if test "x$withval" != "xno" ; then
965		need_dash_r=1
966	fi
967	AC_DEFINE([PAM_SUN_CODEBASE])
968	AC_DEFINE([LOGIN_NEEDS_UTMPX])
969	AC_DEFINE([PAM_TTY_KLUDGE])
970	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
971		[Define if pam_chauthtok wants real uid set
972		to the unpriv'ed user])
973	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
974	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
975	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
976		[Define if sshd somehow reacquires a controlling TTY
977		after setsid()])
978	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
979		in case the name is longer than 8 chars])
980	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
981	external_path_file=/etc/default/login
982	# hardwire lastlog location (can't detect it on some versions)
983	conf_lastlog_location="/var/adm/lastlog"
984	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
985	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
986	if test "$sol2ver" -ge 8; then
987		AC_MSG_RESULT([yes])
988		AC_DEFINE([DISABLE_UTMP])
989		AC_DEFINE([DISABLE_WTMP], [1],
990			[Define if you don't want to use wtmp])
991	else
992		AC_MSG_RESULT([no])
993	fi
994	AC_CHECK_FUNCS([setpflags])
995	AC_CHECK_FUNCS([setppriv])
996	AC_CHECK_FUNCS([priv_basicset])
997	AC_CHECK_HEADERS([priv.h])
998	AC_ARG_WITH([solaris-contracts],
999		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1000		[
1001		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1002			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1003				[Define if you have Solaris process contracts])
1004			  LIBS="$LIBS -lcontract"
1005			  SPC_MSG="yes" ], )
1006		],
1007	)
1008	AC_ARG_WITH([solaris-projects],
1009		[  --with-solaris-projects Enable Solaris projects (experimental)],
1010		[
1011		AC_CHECK_LIB([project], [setproject],
1012			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1013				[Define if you have Solaris projects])
1014			LIBS="$LIBS -lproject"
1015			SP_MSG="yes" ], )
1016		],
1017	)
1018	AC_ARG_WITH([solaris-privs],
1019		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1020		[
1021		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1022		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1023			"x$ac_cv_header_priv_h" = "xyes" ; then
1024			SOLARIS_PRIVS=yes
1025			AC_MSG_RESULT([found])
1026			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1027				[Define to disable UID restoration test])
1028			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1029				[Define if you have Solaris privileges])
1030			SPP_MSG="yes"
1031		else
1032			AC_MSG_RESULT([not found])
1033			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1034		fi
1035		],
1036	)
1037	TEST_SHELL=$SHELL	# let configure find us a capable shell
1038	;;
1039*-*-sunos4*)
1040	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1041	AC_CHECK_FUNCS([getpwanam])
1042	AC_DEFINE([PAM_SUN_CODEBASE])
1043	conf_utmp_location=/etc/utmp
1044	conf_wtmp_location=/var/adm/wtmp
1045	conf_lastlog_location=/var/adm/lastlog
1046	AC_DEFINE([USE_PIPES])
1047	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1048	;;
1049*-ncr-sysv*)
1050	LIBS="$LIBS -lc89"
1051	AC_DEFINE([USE_PIPES])
1052	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1053	AC_DEFINE([SETEUID_BREAKS_SETUID])
1054	AC_DEFINE([BROKEN_SETREUID])
1055	AC_DEFINE([BROKEN_SETREGID])
1056	;;
1057*-sni-sysv*)
1058	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1059	AC_CHECK_LIB([dl], [dlsym], ,)
1060	# -lresolv needs to be at the end of LIBS or DNS lookups break
1061	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1062	IPADDR_IN_DISPLAY=yes
1063	AC_DEFINE([USE_PIPES])
1064	AC_DEFINE([IP_TOS_IS_BROKEN])
1065	AC_DEFINE([SETEUID_BREAKS_SETUID])
1066	AC_DEFINE([BROKEN_SETREUID])
1067	AC_DEFINE([BROKEN_SETREGID])
1068	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1069	external_path_file=/etc/default/login
1070	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1071	# Attention: always take care to bind libsocket and libnsl before libc,
1072	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1073	;;
1074# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1075*-*-sysv4.2*)
1076	AC_DEFINE([USE_PIPES])
1077	AC_DEFINE([SETEUID_BREAKS_SETUID])
1078	AC_DEFINE([BROKEN_SETREUID])
1079	AC_DEFINE([BROKEN_SETREGID])
1080	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1081	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1082	TEST_SHELL=$SHELL	# let configure find us a capable shell
1083	;;
1084# UnixWare 7.x, OpenUNIX 8
1085*-*-sysv5*)
1086	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1087	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1088	AC_DEFINE([USE_PIPES])
1089	AC_DEFINE([SETEUID_BREAKS_SETUID])
1090	AC_DEFINE([BROKEN_GETADDRINFO])
1091	AC_DEFINE([BROKEN_SETREUID])
1092	AC_DEFINE([BROKEN_SETREGID])
1093	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1094	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1095	TEST_SHELL=$SHELL	# let configure find us a capable shell
1096	check_for_libcrypt_later=1
1097	case "$host" in
1098	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1099		maildir=/var/spool/mail
1100		AC_DEFINE([BROKEN_UPDWTMPX])
1101		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1102			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1103			], , )
1104		;;
1105	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1106		;;
1107	esac
1108	;;
1109*-*-sysv*)
1110	;;
1111# SCO UNIX and OEM versions of SCO UNIX
1112*-*-sco3.2v4*)
1113	AC_MSG_ERROR("This Platform is no longer supported.")
1114	;;
1115# SCO OpenServer 5.x
1116*-*-sco3.2v5*)
1117	if test -z "$GCC"; then
1118		CFLAGS="$CFLAGS -belf"
1119	fi
1120	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1121	no_dev_ptmx=1
1122	AC_DEFINE([USE_PIPES])
1123	AC_DEFINE([HAVE_SECUREWARE])
1124	AC_DEFINE([DISABLE_SHADOW])
1125	AC_DEFINE([DISABLE_FD_PASSING])
1126	AC_DEFINE([SETEUID_BREAKS_SETUID])
1127	AC_DEFINE([BROKEN_GETADDRINFO])
1128	AC_DEFINE([BROKEN_SETREUID])
1129	AC_DEFINE([BROKEN_SETREGID])
1130	AC_DEFINE([WITH_ABBREV_NO_TTY])
1131	AC_DEFINE([BROKEN_UPDWTMPX])
1132	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1133	AC_CHECK_FUNCS([getluid setluid])
1134	MANTYPE=man
1135	TEST_SHELL=$SHELL	# let configure find us a capable shell
1136	SKIP_DISABLE_LASTLOG_DEFINE=yes
1137	;;
1138*-dec-osf*)
1139	AC_MSG_CHECKING([for Digital Unix SIA])
1140	no_osfsia=""
1141	AC_ARG_WITH([osfsia],
1142		[  --with-osfsia           Enable Digital Unix SIA],
1143		[
1144			if test "x$withval" = "xno" ; then
1145				AC_MSG_RESULT([disabled])
1146				no_osfsia=1
1147			fi
1148		],
1149	)
1150	if test -z "$no_osfsia" ; then
1151		if test -f /etc/sia/matrix.conf; then
1152			AC_MSG_RESULT([yes])
1153			AC_DEFINE([HAVE_OSF_SIA], [1],
1154				[Define if you have Digital Unix Security
1155				Integration Architecture])
1156			AC_DEFINE([DISABLE_LOGIN], [1],
1157				[Define if you don't want to use your
1158				system's login() call])
1159			AC_DEFINE([DISABLE_FD_PASSING])
1160			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1161			SIA_MSG="yes"
1162		else
1163			AC_MSG_RESULT([no])
1164			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1165			  [String used in /etc/passwd to denote locked account])
1166		fi
1167	fi
1168	AC_DEFINE([BROKEN_GETADDRINFO])
1169	AC_DEFINE([SETEUID_BREAKS_SETUID])
1170	AC_DEFINE([BROKEN_SETREUID])
1171	AC_DEFINE([BROKEN_SETREGID])
1172	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1173	;;
1174
1175*-*-nto-qnx*)
1176	AC_DEFINE([USE_PIPES])
1177	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1178	AC_DEFINE([DISABLE_LASTLOG])
1179	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1180	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1181	enable_etc_default_login=no	# has incompatible /etc/default/login
1182	case "$host" in
1183	*-*-nto-qnx6*)
1184		AC_DEFINE([DISABLE_FD_PASSING])
1185		;;
1186	esac
1187	;;
1188
1189*-*-ultrix*)
1190	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1191	AC_DEFINE([NEED_SETPGRP])
1192	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1193	;;
1194
1195*-*-lynxos)
1196	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1197	AC_DEFINE([BROKEN_SETVBUF], [1],
1198	    [LynxOS has broken setvbuf() implementation])
1199	;;
1200esac
1201
1202AC_MSG_CHECKING([compiler and flags for sanity])
1203AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1204	[	AC_MSG_RESULT([yes]) ],
1205	[
1206		AC_MSG_RESULT([no])
1207		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1208	],
1209	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1210)
1211
1212dnl Checks for header files.
1213# Checks for libraries.
1214AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1215
1216dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1217AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1218	AC_CHECK_LIB([gen], [dirname], [
1219		AC_CACHE_CHECK([for broken dirname],
1220			ac_cv_have_broken_dirname, [
1221			save_LIBS="$LIBS"
1222			LIBS="$LIBS -lgen"
1223			AC_RUN_IFELSE(
1224				[AC_LANG_SOURCE([[
1225#include <libgen.h>
1226#include <string.h>
1227
1228int main(int argc, char **argv) {
1229    char *s, buf[32];
1230
1231    strncpy(buf,"/etc", 32);
1232    s = dirname(buf);
1233    if (!s || strncmp(s, "/", 32) != 0) {
1234	exit(1);
1235    } else {
1236	exit(0);
1237    }
1238}
1239				]])],
1240				[ ac_cv_have_broken_dirname="no" ],
1241				[ ac_cv_have_broken_dirname="yes" ],
1242				[ ac_cv_have_broken_dirname="no" ],
1243			)
1244			LIBS="$save_LIBS"
1245		])
1246		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1247			LIBS="$LIBS -lgen"
1248			AC_DEFINE([HAVE_DIRNAME])
1249			AC_CHECK_HEADERS([libgen.h])
1250		fi
1251	])
1252])
1253
1254AC_CHECK_FUNC([getspnam], ,
1255	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1256AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1257	[Define if you have the basename function.])])
1258
1259dnl zlib is required
1260AC_ARG_WITH([zlib],
1261	[  --with-zlib=PATH        Use zlib in PATH],
1262	[ if test "x$withval" = "xno" ; then
1263		AC_MSG_ERROR([*** zlib is required ***])
1264	  elif test "x$withval" != "xyes"; then
1265		if test -d "$withval/lib"; then
1266			if test -n "${need_dash_r}"; then
1267				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1268			else
1269				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1270			fi
1271		else
1272			if test -n "${need_dash_r}"; then
1273				LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1274			else
1275				LDFLAGS="-L${withval} ${LDFLAGS}"
1276			fi
1277		fi
1278		if test -d "$withval/include"; then
1279			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1280		else
1281			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1282		fi
1283	fi ]
1284)
1285
1286AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1287AC_CHECK_LIB([z], [deflate], ,
1288	[
1289		saved_CPPFLAGS="$CPPFLAGS"
1290		saved_LDFLAGS="$LDFLAGS"
1291		save_LIBS="$LIBS"
1292		dnl Check default zlib install dir
1293		if test -n "${need_dash_r}"; then
1294			LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}"
1295		else
1296			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1297		fi
1298		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1299		LIBS="$LIBS -lz"
1300		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1301			[
1302				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1303			]
1304		)
1305	]
1306)
1307
1308AC_ARG_WITH([zlib-version-check],
1309	[  --without-zlib-version-check Disable zlib version check],
1310	[  if test "x$withval" = "xno" ; then
1311		zlib_check_nonfatal=1
1312	   fi
1313	]
1314)
1315
1316AC_MSG_CHECKING([for possibly buggy zlib])
1317AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1318#include <stdio.h>
1319#include <stdlib.h>
1320#include <zlib.h>
1321	]],
1322	[[
1323	int a=0, b=0, c=0, d=0, n, v;
1324	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1325	if (n != 3 && n != 4)
1326		exit(1);
1327	v = a*1000000 + b*10000 + c*100 + d;
1328	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1329
1330	/* 1.1.4 is OK */
1331	if (a == 1 && b == 1 && c >= 4)
1332		exit(0);
1333
1334	/* 1.2.3 and up are OK */
1335	if (v >= 1020300)
1336		exit(0);
1337
1338	exit(2);
1339	]])],
1340	AC_MSG_RESULT([no]),
1341	[ AC_MSG_RESULT([yes])
1342	  if test -z "$zlib_check_nonfatal" ; then
1343		AC_MSG_ERROR([*** zlib too old - check config.log ***
1344Your reported zlib version has known security problems.  It's possible your
1345vendor has fixed these problems without changing the version number.  If you
1346are sure this is the case, you can disable the check by running
1347"./configure --without-zlib-version-check".
1348If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1349See http://www.gzip.org/zlib/ for details.])
1350	  else
1351		AC_MSG_WARN([zlib version may have security problems])
1352	  fi
1353	],
1354	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1355)
1356
1357dnl UnixWare 2.x
1358AC_CHECK_FUNC([strcasecmp],
1359	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1360)
1361AC_CHECK_FUNCS([utimes],
1362	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1363					LIBS="$LIBS -lc89"]) ]
1364)
1365
1366dnl    Checks for libutil functions
1367AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1368AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1369AC_SEARCH_LIBS([scan_scaled], [util bsd])
1370AC_SEARCH_LIBS([login], [util bsd])
1371AC_SEARCH_LIBS([logout], [util bsd])
1372AC_SEARCH_LIBS([logwtmp], [util bsd])
1373AC_SEARCH_LIBS([openpty], [util bsd])
1374AC_SEARCH_LIBS([updwtmp], [util bsd])
1375AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1376
1377# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1378# or libnsl.
1379AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1380AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1381
1382# "Particular Function Checks"
1383# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1384AC_FUNC_STRFTIME
1385AC_FUNC_MALLOC
1386AC_FUNC_REALLOC
1387# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1388AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1389AC_RUN_IFELSE(
1390	[AC_LANG_PROGRAM(
1391		[[ #include <stdlib.h> ]],
1392		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1393	)],
1394	[ func_calloc_0_nonnull=yes ],
1395	[ func_calloc_0_nonnull=no ],
1396	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1397	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1398)
1399AC_MSG_RESULT([$func_calloc_0_nonnull])
1400
1401if test "x$func_calloc_0_nonnull" = "xyes"; then
1402	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1403else
1404	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1405	AC_DEFINE(calloc, rpl_calloc,
1406	    [Define to rpl_calloc if the replacement function should be used.])
1407fi
1408
1409# Check for ALTDIRFUNC glob() extension
1410AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1411AC_EGREP_CPP([FOUNDIT],
1412	[
1413		#include <glob.h>
1414		#ifdef GLOB_ALTDIRFUNC
1415		FOUNDIT
1416		#endif
1417	],
1418	[
1419		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1420			[Define if your system glob() function has
1421			the GLOB_ALTDIRFUNC extension])
1422		AC_MSG_RESULT([yes])
1423	],
1424	[
1425		AC_MSG_RESULT([no])
1426	]
1427)
1428
1429# Check for g.gl_matchc glob() extension
1430AC_MSG_CHECKING([for gl_matchc field in glob_t])
1431AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1432	[[ glob_t g; g.gl_matchc = 1; ]])],
1433	[
1434		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1435			[Define if your system glob() function has
1436			gl_matchc options in glob_t])
1437		AC_MSG_RESULT([yes])
1438	], [
1439		AC_MSG_RESULT([no])
1440])
1441
1442# Check for g.gl_statv glob() extension
1443AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1444AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1445#ifndef GLOB_KEEPSTAT
1446#error "glob does not support GLOB_KEEPSTAT extension"
1447#endif
1448glob_t g;
1449g.gl_statv = NULL;
1450]])],
1451	[
1452		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1453			[Define if your system glob() function has
1454			gl_statv options in glob_t])
1455		AC_MSG_RESULT([yes])
1456	], [
1457		AC_MSG_RESULT([no])
1458
1459])
1460
1461AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1462
1463AC_CHECK_DECL([VIS_ALL], ,
1464    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1465
1466AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1467AC_RUN_IFELSE(
1468	[AC_LANG_PROGRAM([[
1469#include <sys/types.h>
1470#include <dirent.h>]],
1471	[[
1472	struct dirent d;
1473	exit(sizeof(d.d_name)<=sizeof(char));
1474	]])],
1475	[AC_MSG_RESULT([yes])],
1476	[
1477		AC_MSG_RESULT([no])
1478		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1479			[Define if your struct dirent expects you to
1480			allocate extra space for d_name])
1481	],
1482	[
1483		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1484		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1485	]
1486)
1487
1488AC_MSG_CHECKING([for /proc/pid/fd directory])
1489if test -d "/proc/$$/fd" ; then
1490	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1491	AC_MSG_RESULT([yes])
1492else
1493	AC_MSG_RESULT([no])
1494fi
1495
1496# Check whether user wants TCP wrappers support
1497TCPW_MSG="no"
1498AC_ARG_WITH([tcp-wrappers],
1499	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1500	[
1501		if test "x$withval" != "xno" ; then
1502			saved_LIBS="$LIBS"
1503			saved_LDFLAGS="$LDFLAGS"
1504			saved_CPPFLAGS="$CPPFLAGS"
1505			if test -n "${withval}" && \
1506			    test "x${withval}" != "xyes"; then
1507				if test -d "${withval}/lib"; then
1508					if test -n "${need_dash_r}"; then
1509						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1510					else
1511						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1512					fi
1513				else
1514					if test -n "${need_dash_r}"; then
1515						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1516					else
1517						LDFLAGS="-L${withval} ${LDFLAGS}"
1518					fi
1519				fi
1520				if test -d "${withval}/include"; then
1521					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1522				else
1523					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1524				fi
1525			fi
1526			LIBS="-lwrap $LIBS"
1527			AC_MSG_CHECKING([for libwrap])
1528			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1529#include <sys/types.h>
1530#include <sys/socket.h>
1531#include <netinet/in.h>
1532#include <tcpd.h>
1533int deny_severity = 0, allow_severity = 0;
1534				]], [[
1535	hosts_access(0);
1536				]])], [
1537					AC_MSG_RESULT([yes])
1538					AC_DEFINE([LIBWRAP], [1],
1539						[Define if you want
1540						TCP Wrappers support])
1541					SSHDLIBS="$SSHDLIBS -lwrap"
1542					TCPW_MSG="yes"
1543				], [
1544					AC_MSG_ERROR([*** libwrap missing])
1545			])
1546			LIBS="$saved_LIBS"
1547		fi
1548	]
1549)
1550
1551# Check whether user wants to use ldns
1552LDNS_MSG="no"
1553AC_ARG_WITH(ldns,
1554	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1555	[
1556	ldns=""
1557	if test "x$withval" = "xyes" ; then
1558		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1559		if test "x$LDNSCONFIG" = "xno"; then
1560			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1561			LDFLAGS="$LDFLAGS -L${withval}/lib"
1562			LIBS="-lldns $LIBS"
1563			ldns=yes
1564		else
1565			LIBS="$LIBS `$LDNSCONFIG --libs`"
1566			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1567			ldns=yes
1568		fi
1569	elif test "x$withval" != "xno" ; then
1570			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1571			LDFLAGS="$LDFLAGS -L${withval}/lib"
1572			LIBS="-lldns $LIBS"
1573			ldns=yes
1574	fi
1575
1576	# Verify that it works.
1577	if test "x$ldns" = "xyes" ; then
1578		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1579		LDNS_MSG="yes"
1580		AC_MSG_CHECKING([for ldns support])
1581		AC_LINK_IFELSE(
1582			[AC_LANG_SOURCE([[
1583#include <stdio.h>
1584#include <stdlib.h>
1585#include <stdint.h>
1586#include <ldns/ldns.h>
1587int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1588			]])
1589		],
1590			[AC_MSG_RESULT(yes)],
1591				[
1592					AC_MSG_RESULT(no)
1593					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1594				])
1595	fi
1596])
1597
1598# Check whether user wants libedit support
1599LIBEDIT_MSG="no"
1600AC_ARG_WITH([libedit],
1601	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1602	[ if test "x$withval" != "xno" ; then
1603		if test "x$withval" = "xyes" ; then
1604			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1605			if test "x$PKGCONFIG" != "xno"; then
1606				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1607				if "$PKGCONFIG" libedit; then
1608					AC_MSG_RESULT([yes])
1609					use_pkgconfig_for_libedit=yes
1610				else
1611					AC_MSG_RESULT([no])
1612				fi
1613			fi
1614		else
1615			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1616			if test -n "${need_dash_r}"; then
1617				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1618			else
1619				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1620			fi
1621		fi
1622		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1623			LIBEDIT=`$PKGCONFIG --libs libedit`
1624			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1625		else
1626			LIBEDIT="-ledit -lcurses"
1627		fi
1628		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1629		AC_CHECK_LIB([edit], [el_init],
1630			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1631			  LIBEDIT_MSG="yes"
1632			  AC_SUBST([LIBEDIT])
1633			],
1634			[ AC_MSG_ERROR([libedit not found]) ],
1635			[ $OTHERLIBS ]
1636		)
1637		AC_MSG_CHECKING([if libedit version is compatible])
1638		AC_COMPILE_IFELSE(
1639		    [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1640		    [[
1641	int i = H_SETSIZE;
1642	el_init("", NULL, NULL, NULL);
1643	exit(0);
1644		    ]])],
1645		    [ AC_MSG_RESULT([yes]) ],
1646		    [ AC_MSG_RESULT([no])
1647		      AC_MSG_ERROR([libedit version is not compatible]) ]
1648		)
1649	fi ]
1650)
1651
1652AUDIT_MODULE=none
1653AC_ARG_WITH([audit],
1654	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1655	[
1656	  AC_MSG_CHECKING([for supported audit module])
1657	  case "$withval" in
1658	  bsm)
1659		AC_MSG_RESULT([bsm])
1660		AUDIT_MODULE=bsm
1661		dnl    Checks for headers, libs and functions
1662		AC_CHECK_HEADERS([bsm/audit.h], [],
1663		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1664		    [
1665#ifdef HAVE_TIME_H
1666# include <time.h>
1667#endif
1668		    ]
1669)
1670		AC_CHECK_LIB([bsm], [getaudit], [],
1671		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1672		AC_CHECK_FUNCS([getaudit], [],
1673		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1674		# These are optional
1675		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1676		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1677		if test "$sol2ver" -ge 11; then
1678			SSHDLIBS="$SSHDLIBS -lscf"
1679			AC_DEFINE([BROKEN_BSM_API], [1],
1680				[The system has incomplete BSM API])
1681		fi
1682		;;
1683	  linux)
1684		AC_MSG_RESULT([linux])
1685		AUDIT_MODULE=linux
1686		dnl    Checks for headers, libs and functions
1687		AC_CHECK_HEADERS([libaudit.h])
1688		SSHDLIBS="$SSHDLIBS -laudit"
1689		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1690		;;
1691	  debug)
1692		AUDIT_MODULE=debug
1693		AC_MSG_RESULT([debug])
1694		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1695		;;
1696	  no)
1697		AC_MSG_RESULT([no])
1698		;;
1699	  *)
1700		AC_MSG_ERROR([Unknown audit module $withval])
1701		;;
1702	esac ]
1703)
1704
1705AC_ARG_WITH([pie],
1706    [  --with-pie              Build Position Independent Executables if possible], [
1707	if test "x$withval" = "xno"; then
1708		use_pie=no
1709	fi
1710	if test "x$withval" = "xyes"; then
1711		use_pie=yes
1712	fi
1713    ]
1714)
1715if test "x$use_pie" = "x"; then
1716	use_pie=no
1717fi
1718if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1719	# Turn off automatic PIE when toolchain hardening is off.
1720	use_pie=no
1721fi
1722if test "x$use_pie" = "xauto"; then
1723	# Automatic PIE requires gcc >= 4.x
1724	AC_MSG_CHECKING([for gcc >= 4.x])
1725	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1726#if !defined(__GNUC__) || __GNUC__ < 4
1727#error gcc is too old
1728#endif
1729]])],
1730	[ AC_MSG_RESULT([yes]) ],
1731	[ AC_MSG_RESULT([no])
1732	  use_pie=no ]
1733)
1734fi
1735if test "x$use_pie" != "xno"; then
1736	SAVED_CFLAGS="$CFLAGS"
1737	SAVED_LDFLAGS="$LDFLAGS"
1738	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1739	OSSH_CHECK_LDFLAG_LINK([-pie])
1740	# We use both -fPIE and -pie or neither.
1741	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1742	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1743	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1744		AC_MSG_RESULT([yes])
1745	else
1746		AC_MSG_RESULT([no])
1747		CFLAGS="$SAVED_CFLAGS"
1748		LDFLAGS="$SAVED_LDFLAGS"
1749	fi
1750fi
1751
1752dnl    Checks for library functions. Please keep in alphabetical order
1753AC_CHECK_FUNCS([ \
1754	Blowfish_initstate \
1755	Blowfish_expandstate \
1756	Blowfish_expand0state \
1757	Blowfish_stream2word \
1758	asprintf \
1759	b64_ntop \
1760	__b64_ntop \
1761	b64_pton \
1762	__b64_pton \
1763	bcopy \
1764	bcrypt_pbkdf \
1765	bindresvport_sa \
1766	blf_enc \
1767	bzero \
1768	cap_rights_limit \
1769	clock \
1770	closefrom \
1771	dirfd \
1772	endgrent \
1773	err \
1774	errx \
1775	explicit_bzero \
1776	fchmod \
1777	fchown \
1778	flock \
1779	freeaddrinfo \
1780	freezero \
1781	fstatfs \
1782	fstatvfs \
1783	futimes \
1784	getaddrinfo \
1785	getcwd \
1786	getgrouplist \
1787	getline \
1788	getnameinfo \
1789	getopt \
1790	getpagesize \
1791	getpeereid \
1792	getpeerucred \
1793	getpgid \
1794	_getpty \
1795	getrlimit \
1796	getrandom \
1797	getsid \
1798	getttyent \
1799	glob \
1800	group_from_gid \
1801	inet_aton \
1802	inet_ntoa \
1803	inet_ntop \
1804	innetgr \
1805	llabs \
1806	login_getcapbool \
1807	md5_crypt \
1808	memmove \
1809	memset_s \
1810	mkdtemp \
1811	ngetaddrinfo \
1812	nsleep \
1813	ogetaddrinfo \
1814	openlog_r \
1815	pledge \
1816	poll \
1817	prctl \
1818	pstat \
1819	raise \
1820	readpassphrase \
1821	reallocarray \
1822	recvmsg \
1823	recallocarray \
1824	rresvport_af \
1825	sendmsg \
1826	setdtablesize \
1827	setegid \
1828	setenv \
1829	seteuid \
1830	setgroupent \
1831	setgroups \
1832	setlinebuf \
1833	setlogin \
1834	setpassent\
1835	setpcred \
1836	setproctitle \
1837	setregid \
1838	setreuid \
1839	setrlimit \
1840	setsid \
1841	setvbuf \
1842	sigaction \
1843	sigvec \
1844	snprintf \
1845	socketpair \
1846	statfs \
1847	statvfs \
1848	strcasestr \
1849	strdup \
1850	strerror \
1851	strlcat \
1852	strlcpy \
1853	strmode \
1854	strndup \
1855	strnlen \
1856	strnvis \
1857	strptime \
1858	strsignal \
1859	strtonum \
1860	strtoll \
1861	strtoul \
1862	strtoull \
1863	swap32 \
1864	sysconf \
1865	tcgetpgrp \
1866	timingsafe_bcmp \
1867	truncate \
1868	unsetenv \
1869	updwtmpx \
1870	user_from_uid \
1871	usleep \
1872	vasprintf \
1873	vsnprintf \
1874	waitpid \
1875	warn \
1876])
1877
1878AC_CHECK_DECLS([bzero])
1879
1880dnl Wide character support.
1881AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1882
1883TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1884AC_MSG_CHECKING([for utf8 locale support])
1885AC_RUN_IFELSE(
1886	[AC_LANG_PROGRAM([[
1887#include <locale.h>
1888#include <stdlib.h>
1889	]], [[
1890	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1891	if (loc != NULL)
1892		exit(0);
1893	exit(1);
1894	]])],
1895	AC_MSG_RESULT(yes),
1896	[AC_MSG_RESULT(no)
1897	 TEST_SSH_UTF8=no],
1898	AC_MSG_WARN([cross compiling: assuming yes])
1899)
1900
1901AC_LINK_IFELSE(
1902        [AC_LANG_PROGRAM(
1903           [[ #include <ctype.h> ]],
1904           [[ return (isblank('a')); ]])],
1905	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1906])
1907
1908disable_pkcs11=
1909AC_ARG_ENABLE([pkcs11],
1910	[  --disable-pkcs11        disable PKCS#11 support code [no]],
1911	[
1912		if test "x$enableval" = "xno" ; then
1913			disable_pkcs11=1
1914		fi
1915	]
1916)
1917
1918# PKCS11 depends on OpenSSL.
1919if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
1920	# PKCS#11 support requires dlopen() and co
1921	AC_SEARCH_LIBS([dlopen], [dl],
1922	    AC_CHECK_DECL([RTLD_NOW],
1923		AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]),
1924		[], [#include <dlfcn.h>]
1925	    )
1926	)
1927fi
1928
1929# IRIX has a const char return value for gai_strerror()
1930AC_CHECK_FUNCS([gai_strerror], [
1931	AC_DEFINE([HAVE_GAI_STRERROR])
1932	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1933#include <sys/types.h>
1934#include <sys/socket.h>
1935#include <netdb.h>
1936
1937const char *gai_strerror(int);
1938			]], [[
1939	char *str;
1940	str = gai_strerror(0);
1941			]])], [
1942		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1943		[Define if gai_strerror() returns const char *])], [])])
1944
1945AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1946	[Some systems put nanosleep outside of libc])])
1947
1948AC_SEARCH_LIBS([clock_gettime], [rt],
1949	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1950
1951dnl Make sure prototypes are defined for these before using them.
1952AC_CHECK_DECL([strsep],
1953	[AC_CHECK_FUNCS([strsep])],
1954	[],
1955	[
1956#ifdef HAVE_STRING_H
1957# include <string.h>
1958#endif
1959	])
1960
1961dnl tcsendbreak might be a macro
1962AC_CHECK_DECL([tcsendbreak],
1963	[AC_DEFINE([HAVE_TCSENDBREAK])],
1964	[AC_CHECK_FUNCS([tcsendbreak])],
1965	[#include <termios.h>]
1966)
1967
1968AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
1969
1970AC_CHECK_DECLS([SHUT_RD], , ,
1971	[
1972#include <sys/types.h>
1973#include <sys/socket.h>
1974	])
1975
1976AC_CHECK_DECLS([O_NONBLOCK], , ,
1977	[
1978#include <sys/types.h>
1979#ifdef HAVE_SYS_STAT_H
1980# include <sys/stat.h>
1981#endif
1982#ifdef HAVE_FCNTL_H
1983# include <fcntl.h>
1984#endif
1985	])
1986
1987AC_CHECK_DECLS([readv, writev], , , [
1988#include <sys/types.h>
1989#include <sys/uio.h>
1990#include <unistd.h>
1991	])
1992
1993AC_CHECK_DECLS([MAXSYMLINKS], , , [
1994#include <sys/param.h>
1995	])
1996
1997AC_CHECK_DECLS([offsetof], , , [
1998#include <stddef.h>
1999	])
2000
2001# extra bits for select(2)
2002AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2003#include <sys/param.h>
2004#include <sys/types.h>
2005#ifdef HAVE_SYS_SYSMACROS_H
2006#include <sys/sysmacros.h>
2007#endif
2008#ifdef HAVE_SYS_SELECT_H
2009#include <sys/select.h>
2010#endif
2011#ifdef HAVE_SYS_TIME_H
2012#include <sys/time.h>
2013#endif
2014#ifdef HAVE_UNISTD_H
2015#include <unistd.h>
2016#endif
2017	]])
2018AC_CHECK_TYPES([fd_mask], [], [], [[
2019#include <sys/param.h>
2020#include <sys/types.h>
2021#ifdef HAVE_SYS_SELECT_H
2022#include <sys/select.h>
2023#endif
2024#ifdef HAVE_SYS_TIME_H
2025#include <sys/time.h>
2026#endif
2027#ifdef HAVE_UNISTD_H
2028#include <unistd.h>
2029#endif
2030	]])
2031
2032AC_CHECK_FUNCS([setresuid], [
2033	dnl Some platorms have setresuid that isn't implemented, test for this
2034	AC_MSG_CHECKING([if setresuid seems to work])
2035	AC_RUN_IFELSE(
2036		[AC_LANG_PROGRAM([[
2037#include <stdlib.h>
2038#include <errno.h>
2039		]], [[
2040	errno=0;
2041	setresuid(0,0,0);
2042	if (errno==ENOSYS)
2043		exit(1);
2044	else
2045		exit(0);
2046		]])],
2047		[AC_MSG_RESULT([yes])],
2048		[AC_DEFINE([BROKEN_SETRESUID], [1],
2049			[Define if your setresuid() is broken])
2050		 AC_MSG_RESULT([not implemented])],
2051		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2052	)
2053])
2054
2055AC_CHECK_FUNCS([setresgid], [
2056	dnl Some platorms have setresgid that isn't implemented, test for this
2057	AC_MSG_CHECKING([if setresgid seems to work])
2058	AC_RUN_IFELSE(
2059		[AC_LANG_PROGRAM([[
2060#include <stdlib.h>
2061#include <errno.h>
2062		]], [[
2063	errno=0;
2064	setresgid(0,0,0);
2065	if (errno==ENOSYS)
2066		exit(1);
2067	else
2068		exit(0);
2069		]])],
2070		[AC_MSG_RESULT([yes])],
2071		[AC_DEFINE([BROKEN_SETRESGID], [1],
2072			[Define if your setresgid() is broken])
2073		 AC_MSG_RESULT([not implemented])],
2074		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2075	)
2076])
2077
2078AC_CHECK_FUNCS([realpath], [
2079	dnl the sftp v3 spec says SSH_FXP_REALPATH will "canonicalize any given
2080	dnl path name", however some implementations of realpath (and some
2081	dnl versions of the POSIX spec) do not work on non-existent files,
2082	dnl so we use the OpenBSD implementation on those platforms.
2083	AC_MSG_CHECKING([if realpath works with non-existent files])
2084	AC_RUN_IFELSE(
2085		[AC_LANG_PROGRAM([[
2086#include <limits.h>
2087#include <stdlib.h>
2088#include <errno.h>
2089		]], [[
2090		char buf[PATH_MAX];
2091		if (realpath("/opensshnonexistentfilename1234", buf) == NULL)
2092			if (errno == ENOENT)
2093				exit(1);
2094		exit(0);
2095		]])],
2096		[AC_MSG_RESULT([yes])],
2097		[AC_DEFINE([BROKEN_REALPATH], [1],
2098			[realpath does not work with nonexistent files])
2099		 AC_MSG_RESULT([no])],
2100		[AC_MSG_WARN([cross compiling: assuming working])]
2101	)
2102])
2103
2104AC_MSG_CHECKING([for working fflush(NULL)])
2105AC_RUN_IFELSE(
2106	[AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2107	AC_MSG_RESULT([yes]),
2108	[AC_MSG_RESULT([no])
2109	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2110	    [define if fflush(NULL) does not work])],
2111	AC_MSG_WARN([cross compiling: assuming working])
2112)
2113
2114dnl    Checks for time functions
2115AC_CHECK_FUNCS([gettimeofday time])
2116dnl    Checks for utmp functions
2117AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2118AC_CHECK_FUNCS([utmpname])
2119dnl    Checks for utmpx functions
2120AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2121AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2122dnl    Checks for lastlog functions
2123AC_CHECK_FUNCS([getlastlogxbyname])
2124
2125AC_CHECK_FUNC([daemon],
2126	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2127	[AC_CHECK_LIB([bsd], [daemon],
2128		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2129)
2130
2131AC_CHECK_FUNC([getpagesize],
2132	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2133		[Define if your libraries define getpagesize()])],
2134	[AC_CHECK_LIB([ucb], [getpagesize],
2135		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2136)
2137
2138# Check for broken snprintf
2139if test "x$ac_cv_func_snprintf" = "xyes" ; then
2140	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2141	AC_RUN_IFELSE(
2142		[AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2143		[[
2144	char b[5];
2145	snprintf(b,5,"123456789");
2146	exit(b[4]!='\0');
2147		]])],
2148		[AC_MSG_RESULT([yes])],
2149		[
2150			AC_MSG_RESULT([no])
2151			AC_DEFINE([BROKEN_SNPRINTF], [1],
2152				[Define if your snprintf is busted])
2153			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2154		],
2155		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2156	)
2157fi
2158
2159if test "x$ac_cv_func_snprintf" = "xyes" ; then
2160	AC_MSG_CHECKING([whether snprintf understands %zu])
2161	AC_RUN_IFELSE(
2162		[AC_LANG_PROGRAM([[
2163#include <sys/types.h>
2164#include <stdio.h>
2165		]],
2166		[[
2167	size_t a = 1, b = 2;
2168	char z[128];
2169	snprintf(z, sizeof z, "%zu%zu", a, b);
2170	exit(strcmp(z, "12"));
2171		]])],
2172		[AC_MSG_RESULT([yes])],
2173		[
2174			AC_MSG_RESULT([no])
2175			AC_DEFINE([BROKEN_SNPRINTF], [1],
2176				[snprintf does not understand %zu])
2177		],
2178		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2179	)
2180fi
2181
2182# We depend on vsnprintf returning the right thing on overflow: the
2183# number of characters it tried to create (as per SUSv3)
2184if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2185	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2186	AC_RUN_IFELSE(
2187		[AC_LANG_PROGRAM([[
2188#include <sys/types.h>
2189#include <stdio.h>
2190#include <stdarg.h>
2191
2192int x_snprintf(char *str, size_t count, const char *fmt, ...)
2193{
2194	size_t ret;
2195	va_list ap;
2196
2197	va_start(ap, fmt);
2198	ret = vsnprintf(str, count, fmt, ap);
2199	va_end(ap);
2200	return ret;
2201}
2202		]], [[
2203char x[1];
2204if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2205	return 1;
2206if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2207	return 1;
2208return 0;
2209		]])],
2210		[AC_MSG_RESULT([yes])],
2211		[
2212			AC_MSG_RESULT([no])
2213			AC_DEFINE([BROKEN_SNPRINTF], [1],
2214				[Define if your snprintf is busted])
2215			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2216		],
2217		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2218	)
2219fi
2220
2221# On systems where [v]snprintf is broken, but is declared in stdio,
2222# check that the fmt argument is const char * or just char *.
2223# This is only useful for when BROKEN_SNPRINTF
2224AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2225AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2226#include <stdio.h>
2227int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2228		]], [[
2229	snprintf(0, 0, 0);
2230		]])],
2231   [AC_MSG_RESULT([yes])
2232    AC_DEFINE([SNPRINTF_CONST], [const],
2233              [Define as const if snprintf() can declare const char *fmt])],
2234   [AC_MSG_RESULT([no])
2235    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2236
2237# Check for missing getpeereid (or equiv) support
2238NO_PEERCHECK=""
2239if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2240	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2241	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2242#include <sys/types.h>
2243#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2244		[ AC_MSG_RESULT([yes])
2245		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2246		], [AC_MSG_RESULT([no])
2247		NO_PEERCHECK=1
2248        ])
2249fi
2250
2251dnl see whether mkstemp() requires XXXXXX
2252if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2253AC_MSG_CHECKING([for (overly) strict mkstemp])
2254AC_RUN_IFELSE(
2255	[AC_LANG_PROGRAM([[
2256#include <stdlib.h>
2257	]], [[
2258	char template[]="conftest.mkstemp-test";
2259	if (mkstemp(template) == -1)
2260		exit(1);
2261	unlink(template);
2262	exit(0);
2263	]])],
2264	[
2265		AC_MSG_RESULT([no])
2266	],
2267	[
2268		AC_MSG_RESULT([yes])
2269		AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2270	],
2271	[
2272		AC_MSG_RESULT([yes])
2273		AC_DEFINE([HAVE_STRICT_MKSTEMP])
2274	]
2275)
2276fi
2277
2278dnl make sure that openpty does not reacquire controlling terminal
2279if test ! -z "$check_for_openpty_ctty_bug"; then
2280	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2281	AC_RUN_IFELSE(
2282		[AC_LANG_PROGRAM([[
2283#include <stdio.h>
2284#include <sys/fcntl.h>
2285#include <sys/types.h>
2286#include <sys/wait.h>
2287		]], [[
2288	pid_t pid;
2289	int fd, ptyfd, ttyfd, status;
2290
2291	pid = fork();
2292	if (pid < 0) {		/* failed */
2293		exit(1);
2294	} else if (pid > 0) {	/* parent */
2295		waitpid(pid, &status, 0);
2296		if (WIFEXITED(status))
2297			exit(WEXITSTATUS(status));
2298		else
2299			exit(2);
2300	} else {		/* child */
2301		close(0); close(1); close(2);
2302		setsid();
2303		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2304		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2305		if (fd >= 0)
2306			exit(3);	/* Acquired ctty: broken */
2307		else
2308			exit(0);	/* Did not acquire ctty: OK */
2309	}
2310		]])],
2311		[
2312			AC_MSG_RESULT([yes])
2313		],
2314		[
2315			AC_MSG_RESULT([no])
2316			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2317		],
2318		[
2319			AC_MSG_RESULT([cross-compiling, assuming yes])
2320		]
2321	)
2322fi
2323
2324if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2325    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2326	AC_MSG_CHECKING([if getaddrinfo seems to work])
2327	AC_RUN_IFELSE(
2328		[AC_LANG_PROGRAM([[
2329#include <stdio.h>
2330#include <sys/socket.h>
2331#include <netdb.h>
2332#include <errno.h>
2333#include <netinet/in.h>
2334
2335#define TEST_PORT "2222"
2336		]], [[
2337	int err, sock;
2338	struct addrinfo *gai_ai, *ai, hints;
2339	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2340
2341	memset(&hints, 0, sizeof(hints));
2342	hints.ai_family = PF_UNSPEC;
2343	hints.ai_socktype = SOCK_STREAM;
2344	hints.ai_flags = AI_PASSIVE;
2345
2346	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2347	if (err != 0) {
2348		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2349		exit(1);
2350	}
2351
2352	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2353		if (ai->ai_family != AF_INET6)
2354			continue;
2355
2356		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2357		    sizeof(ntop), strport, sizeof(strport),
2358		    NI_NUMERICHOST|NI_NUMERICSERV);
2359
2360		if (err != 0) {
2361			if (err == EAI_SYSTEM)
2362				perror("getnameinfo EAI_SYSTEM");
2363			else
2364				fprintf(stderr, "getnameinfo failed: %s\n",
2365				    gai_strerror(err));
2366			exit(2);
2367		}
2368
2369		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2370		if (sock < 0)
2371			perror("socket");
2372		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2373			if (errno == EBADF)
2374				exit(3);
2375		}
2376	}
2377	exit(0);
2378		]])],
2379		[
2380			AC_MSG_RESULT([yes])
2381		],
2382		[
2383			AC_MSG_RESULT([no])
2384			AC_DEFINE([BROKEN_GETADDRINFO])
2385		],
2386		[
2387			AC_MSG_RESULT([cross-compiling, assuming yes])
2388		]
2389	)
2390fi
2391
2392if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2393    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2394	AC_MSG_CHECKING([if getaddrinfo seems to work])
2395	AC_RUN_IFELSE(
2396		[AC_LANG_PROGRAM([[
2397#include <stdio.h>
2398#include <sys/socket.h>
2399#include <netdb.h>
2400#include <errno.h>
2401#include <netinet/in.h>
2402
2403#define TEST_PORT "2222"
2404		]], [[
2405	int err, sock;
2406	struct addrinfo *gai_ai, *ai, hints;
2407	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2408
2409	memset(&hints, 0, sizeof(hints));
2410	hints.ai_family = PF_UNSPEC;
2411	hints.ai_socktype = SOCK_STREAM;
2412	hints.ai_flags = AI_PASSIVE;
2413
2414	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2415	if (err != 0) {
2416		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2417		exit(1);
2418	}
2419
2420	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2421		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2422			continue;
2423
2424		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2425		    sizeof(ntop), strport, sizeof(strport),
2426		    NI_NUMERICHOST|NI_NUMERICSERV);
2427
2428		if (ai->ai_family == AF_INET && err != 0) {
2429			perror("getnameinfo");
2430			exit(2);
2431		}
2432	}
2433	exit(0);
2434		]])],
2435		[
2436			AC_MSG_RESULT([yes])
2437			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2438				[Define if you have a getaddrinfo that fails
2439				for the all-zeros IPv6 address])
2440		],
2441		[
2442			AC_MSG_RESULT([no])
2443			AC_DEFINE([BROKEN_GETADDRINFO])
2444		],
2445		[
2446			AC_MSG_RESULT([cross-compiling, assuming no])
2447		]
2448	)
2449fi
2450
2451if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2452	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2453	    [#include <sys/types.h>
2454	     #include <sys/socket.h>
2455	     #include <netdb.h>])
2456fi
2457
2458if test "x$check_for_conflicting_getspnam" = "x1"; then
2459	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2460	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2461		[[ exit(0); ]])],
2462		[
2463			AC_MSG_RESULT([no])
2464		],
2465		[
2466			AC_MSG_RESULT([yes])
2467			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2468			    [Conflicting defs for getspnam])
2469		]
2470	)
2471fi
2472
2473dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2474dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2475dnl for over ten years). Despite this incompatibility being reported during
2476dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2477dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2478dnl implementation.  Try to detect this mess, and assume the only safe option
2479dnl if we're cross compiling.
2480dnl
2481dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2482dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2483if test "x$ac_cv_func_strnvis" = "xyes"; then
2484	AC_MSG_CHECKING([for working strnvis])
2485	AC_RUN_IFELSE(
2486		[AC_LANG_PROGRAM([[
2487#include <signal.h>
2488#include <stdlib.h>
2489#include <string.h>
2490#include <vis.h>
2491static void sighandler(int sig) { _exit(1); }
2492		]], [[
2493	char dst[16];
2494
2495	signal(SIGSEGV, sighandler);
2496	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2497		exit(0);
2498	exit(1)
2499		]])],
2500		[AC_MSG_RESULT([yes])],
2501		[AC_MSG_RESULT([no])
2502		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2503		[AC_MSG_WARN([cross compiling: assuming broken])
2504		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2505	)
2506fi
2507
2508AC_CHECK_FUNCS([getpgrp],[
2509	AC_MSG_CHECKING([if getpgrp accepts zero args])
2510	AC_COMPILE_IFELSE(
2511		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2512		[ AC_MSG_RESULT([yes])
2513		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2514		[ AC_MSG_RESULT([no])
2515		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2516	)
2517])
2518
2519# Search for OpenSSL
2520saved_CPPFLAGS="$CPPFLAGS"
2521saved_LDFLAGS="$LDFLAGS"
2522AC_ARG_WITH([ssl-dir],
2523	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2524	[
2525		if test "x$openssl" = "xno" ; then
2526			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2527		fi
2528		if test "x$withval" != "xno" ; then
2529			case "$withval" in
2530				# Relative paths
2531				./*|../*)	withval="`pwd`/$withval"
2532			esac
2533			if test -d "$withval/lib"; then
2534				if test -n "${need_dash_r}"; then
2535					LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
2536				else
2537					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2538				fi
2539			elif test -d "$withval/lib64"; then
2540				if test -n "${need_dash_r}"; then
2541					LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}"
2542				else
2543					LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2544				fi
2545			else
2546				if test -n "${need_dash_r}"; then
2547					LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
2548				else
2549					LDFLAGS="-L${withval} ${LDFLAGS}"
2550				fi
2551			fi
2552			if test -d "$withval/include"; then
2553				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2554			else
2555				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2556			fi
2557		fi
2558	]
2559)
2560
2561AC_ARG_WITH([openssl-header-check],
2562	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2563	[
2564		if test "x$withval" = "xno" ; then
2565			openssl_check_nonfatal=1
2566		fi
2567	]
2568)
2569
2570openssl_engine=no
2571AC_ARG_WITH([ssl-engine],
2572	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2573	[
2574		if test "x$withval" != "xno" ; then
2575			if test "x$openssl" = "xno" ; then
2576				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2577			fi
2578			openssl_engine=yes
2579		fi
2580	]
2581)
2582
2583if test "x$openssl" = "xyes" ; then
2584	LIBS="-lcrypto $LIBS"
2585	AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
2586		[Define if your ssl headers are included
2587		with #include <openssl/header.h>])],
2588		[
2589			dnl Check default openssl install dir
2590			if test -n "${need_dash_r}"; then
2591				LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2592			else
2593				LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2594			fi
2595			CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2596			AC_CHECK_HEADER([openssl/opensslv.h], ,
2597			    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2598			AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2599				[
2600					AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2601				]
2602			)
2603		]
2604	)
2605
2606	# Determine OpenSSL header version
2607	AC_MSG_CHECKING([OpenSSL header version])
2608	AC_RUN_IFELSE(
2609		[AC_LANG_PROGRAM([[
2610	#include <stdlib.h>
2611	#include <stdio.h>
2612	#include <string.h>
2613	#include <openssl/opensslv.h>
2614	#define DATA "conftest.sslincver"
2615		]], [[
2616		FILE *fd;
2617		int rc;
2618
2619		fd = fopen(DATA,"w");
2620		if(fd == NULL)
2621			exit(1);
2622
2623		if ((rc = fprintf(fd, "%08lx (%s)\n",
2624		    (unsigned long)OPENSSL_VERSION_NUMBER,
2625		     OPENSSL_VERSION_TEXT)) < 0)
2626			exit(1);
2627
2628		exit(0);
2629		]])],
2630		[
2631			ssl_header_ver=`cat conftest.sslincver`
2632			AC_MSG_RESULT([$ssl_header_ver])
2633		],
2634		[
2635			AC_MSG_RESULT([not found])
2636			AC_MSG_ERROR([OpenSSL version header not found.])
2637		],
2638		[
2639			AC_MSG_WARN([cross compiling: not checking])
2640		]
2641	)
2642
2643	# Determine OpenSSL library version
2644	AC_MSG_CHECKING([OpenSSL library version])
2645	AC_RUN_IFELSE(
2646		[AC_LANG_PROGRAM([[
2647	#include <stdio.h>
2648	#include <string.h>
2649	#include <openssl/opensslv.h>
2650	#include <openssl/crypto.h>
2651	#define DATA "conftest.ssllibver"
2652		]], [[
2653		FILE *fd;
2654		int rc;
2655
2656		fd = fopen(DATA,"w");
2657		if(fd == NULL)
2658			exit(1);
2659
2660		if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
2661		    SSLeay_version(SSLEAY_VERSION))) < 0)
2662			exit(1);
2663
2664		exit(0);
2665		]])],
2666		[
2667			ssl_library_ver=`cat conftest.ssllibver`
2668			# Check version is supported.
2669			case "$ssl_library_ver" in
2670			10000*|0*)
2671				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2672		                ;;
2673			100*)   ;; # 1.0.x
2674			101000[0123456]*)
2675				# https://github.com/openssl/openssl/pull/4613
2676				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2677				;;
2678			101*)   ;; # 1.1.x
2679			200*)   ;; # LibreSSL
2680		        *)
2681				AC_MSG_ERROR([OpenSSL > 1.1.x is not yet supported (have "$ssl_library_ver")])
2682		                ;;
2683			esac
2684			AC_MSG_RESULT([$ssl_library_ver])
2685		],
2686		[
2687			AC_MSG_RESULT([not found])
2688			AC_MSG_ERROR([OpenSSL library not found.])
2689		],
2690		[
2691			AC_MSG_WARN([cross compiling: not checking])
2692		]
2693	)
2694
2695	# Sanity check OpenSSL headers
2696	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2697	AC_RUN_IFELSE(
2698		[AC_LANG_PROGRAM([[
2699	#include <string.h>
2700	#include <openssl/opensslv.h>
2701	#include <openssl/crypto.h>
2702		]], [[
2703		exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2704		]])],
2705		[
2706			AC_MSG_RESULT([yes])
2707		],
2708		[
2709			AC_MSG_RESULT([no])
2710			if test "x$openssl_check_nonfatal" = "x"; then
2711				AC_MSG_ERROR([Your OpenSSL headers do not match your
2712	library. Check config.log for details.
2713	If you are sure your installation is consistent, you can disable the check
2714	by running "./configure --without-openssl-header-check".
2715	Also see contrib/findssl.sh for help identifying header/library mismatches.
2716	])
2717			else
2718				AC_MSG_WARN([Your OpenSSL headers do not match your
2719	library. Check config.log for details.
2720	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2721			fi
2722		],
2723		[
2724			AC_MSG_WARN([cross compiling: not checking])
2725		]
2726	)
2727
2728	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2729	AC_LINK_IFELSE(
2730		[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2731		[[ SSLeay_add_all_algorithms(); ]])],
2732		[
2733			AC_MSG_RESULT([yes])
2734		],
2735		[
2736			AC_MSG_RESULT([no])
2737			saved_LIBS="$LIBS"
2738			LIBS="$LIBS -ldl"
2739			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2740			AC_LINK_IFELSE(
2741				[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2742				[[ SSLeay_add_all_algorithms(); ]])],
2743				[
2744					AC_MSG_RESULT([yes])
2745				],
2746				[
2747					AC_MSG_RESULT([no])
2748					LIBS="$saved_LIBS"
2749				]
2750			)
2751		]
2752	)
2753
2754	AC_CHECK_FUNCS([ \
2755		BN_is_prime_ex \
2756		DSA_generate_parameters_ex \
2757		EVP_DigestInit_ex \
2758		EVP_DigestFinal_ex \
2759		EVP_MD_CTX_init \
2760		EVP_MD_CTX_cleanup \
2761		EVP_MD_CTX_copy_ex \
2762		HMAC_CTX_init \
2763		RSA_generate_key_ex \
2764		RSA_get_default_method \
2765	])
2766
2767	if test "x$openssl_engine" = "xyes" ; then
2768		AC_MSG_CHECKING([for OpenSSL ENGINE support])
2769		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2770	#include <openssl/engine.h>
2771			]], [[
2772				ENGINE_load_builtin_engines();
2773				ENGINE_register_all_complete();
2774			]])],
2775			[ AC_MSG_RESULT([yes])
2776			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2777			     [Enable OpenSSL engine support])
2778			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2779		])
2780	fi
2781
2782	# Check for OpenSSL without EVP_aes_{192,256}_cbc
2783	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2784	AC_LINK_IFELSE(
2785		[AC_LANG_PROGRAM([[
2786	#include <string.h>
2787	#include <openssl/evp.h>
2788		]], [[
2789		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2790		]])],
2791		[
2792			AC_MSG_RESULT([no])
2793		],
2794		[
2795			AC_MSG_RESULT([yes])
2796			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2797			    [libcrypto is missing AES 192 and 256 bit functions])
2798		]
2799	)
2800
2801	# Check for OpenSSL with EVP_aes_*ctr
2802	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2803	AC_LINK_IFELSE(
2804		[AC_LANG_PROGRAM([[
2805	#include <string.h>
2806	#include <openssl/evp.h>
2807		]], [[
2808		exit(EVP_aes_128_ctr() == NULL ||
2809		    EVP_aes_192_cbc() == NULL ||
2810		    EVP_aes_256_cbc() == NULL);
2811		]])],
2812		[
2813			AC_MSG_RESULT([yes])
2814			AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2815			    [libcrypto has EVP AES CTR])
2816		],
2817		[
2818			AC_MSG_RESULT([no])
2819		]
2820	)
2821
2822	# Check for OpenSSL with EVP_aes_*gcm
2823	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2824	AC_LINK_IFELSE(
2825		[AC_LANG_PROGRAM([[
2826	#include <string.h>
2827	#include <openssl/evp.h>
2828		]], [[
2829		exit(EVP_aes_128_gcm() == NULL ||
2830		    EVP_aes_256_gcm() == NULL ||
2831		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2832		    EVP_CTRL_GCM_IV_GEN == 0 ||
2833		    EVP_CTRL_GCM_SET_TAG == 0 ||
2834		    EVP_CTRL_GCM_GET_TAG == 0 ||
2835		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2836		]])],
2837		[
2838			AC_MSG_RESULT([yes])
2839			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2840			    [libcrypto has EVP AES GCM])
2841		],
2842		[
2843			AC_MSG_RESULT([no])
2844			unsupported_algorithms="$unsupported_cipers \
2845			   aes128-gcm@openssh.com \
2846			   aes256-gcm@openssh.com"
2847		]
2848	)
2849
2850	AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2851		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2852		    [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2853
2854	# LibreSSL/OpenSSL 1.1x API
2855	AC_SEARCH_LIBS([DH_get0_key], [crypto],
2856		[AC_DEFINE([HAVE_DH_GET0_KEY], [1],
2857		    [Define if libcrypto has DH_get0_key])])
2858	AC_SEARCH_LIBS([DH_get0_pqg], [crypto],
2859		[AC_DEFINE([HAVE_DH_GET0_PQG], [1],
2860		    [Define if libcrypto has DH_get0_pqg])])
2861	AC_SEARCH_LIBS([DH_set0_key], [crypto],
2862		[AC_DEFINE([HAVE_DH_SET0_KEY], [1],
2863		    [Define if libcrypto has DH_set0_key])])
2864	AC_SEARCH_LIBS([DH_set_length], [crypto],
2865		[AC_DEFINE([HAVE_DH_SET_LENGTH], [1],
2866		    [Define if libcrypto has DH_set_length])])
2867	AC_SEARCH_LIBS([DH_set0_pqg], [crypto],
2868		[AC_DEFINE([HAVE_DH_SET0_PQG], [1],
2869		    [Define if libcrypto has DH_set0_pqg])])
2870
2871	AC_SEARCH_LIBS([DSA_get0_key], [crypto],
2872		[AC_DEFINE([HAVE_DSA_GET0_KEY], [1],
2873		    [Define if libcrypto has DSA_get0_key])])
2874	AC_SEARCH_LIBS([DSA_get0_pqg], [crypto],
2875		[AC_DEFINE([HAVE_DSA_GET0_PQG], [1],
2876		    [Define if libcrypto has DSA_get0_pqg])])
2877	AC_SEARCH_LIBS([DSA_set0_key], [crypto],
2878		[AC_DEFINE([HAVE_DSA_SET0_KEY], [1],
2879		    [Define if libcrypto has DSA_set0_key])])
2880	AC_SEARCH_LIBS([DSA_set0_pqg], [crypto],
2881		[AC_DEFINE([HAVE_DSA_SET0_PQG], [1],
2882		    [Define if libcrypto has DSA_set0_pqg])])
2883
2884	AC_SEARCH_LIBS([DSA_SIG_get0], [crypto],
2885		[AC_DEFINE([HAVE_DSA_SIG_GET0], [1],
2886		    [Define if libcrypto has DSA_SIG_get0])])
2887	AC_SEARCH_LIBS([DSA_SIG_set0], [crypto],
2888		[AC_DEFINE([HAVE_DSA_SIG_SET0], [1],
2889		    [Define if libcrypto has DSA_SIG_set0])])
2890
2891	AC_SEARCH_LIBS([ECDSA_SIG_get0], [crypto],
2892		[AC_DEFINE([HAVE_ECDSA_SIG_GET0], [1],
2893		    [Define if libcrypto has ECDSA_SIG_get0])])
2894	AC_SEARCH_LIBS([ECDSA_SIG_set0], [crypto],
2895		[AC_DEFINE([HAVE_ECDSA_SIG_SET0], [1],
2896		    [Define if libcrypto has ECDSA_SIG_set0])])
2897
2898	AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv], [crypto],
2899		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV], [1],
2900		    [Define if libcrypto has EVP_CIPHER_CTX_iv])])
2901	AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv_noconst], [crypto],
2902		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV_NOCONST], [1],
2903		    [Define if libcrypto has EVP_CIPHER_CTX_iv_noconst])])
2904	AC_SEARCH_LIBS([EVP_CIPHER_CTX_get_iv], [crypto],
2905		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
2906		    [Define if libcrypto has EVP_CIPHER_CTX_get_iv])])
2907	AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto],
2908		[AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
2909		    [Define if libcrypto has EVP_CIPHER_CTX_set_iv])])
2910
2911	AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto],
2912		[AC_DEFINE([HAVE_RSA_GET0_CRT_PARAMS], [1],
2913		    [Define if libcrypto has RSA_get0_crt_params])])
2914	AC_SEARCH_LIBS([RSA_get0_factors], [crypto],
2915		[AC_DEFINE([HAVE_RSA_GET0_FACTORS], [1],
2916		    [Define if libcrypto has RSA_get0_factors])])
2917	AC_SEARCH_LIBS([RSA_get0_key], [crypto],
2918		[AC_DEFINE([HAVE_RSA_GET0_KEY], [1],
2919		    [Define if libcrypto has RSA_get0_key])])
2920	AC_SEARCH_LIBS([RSA_set0_crt_params], [crypto],
2921		[AC_DEFINE([HAVE_RSA_SET0_CRT_PARAMS], [1],
2922		    [Define if libcrypto has RSA_get0_srt_params])])
2923	AC_SEARCH_LIBS([RSA_set0_factors], [crypto],
2924		[AC_DEFINE([HAVE_RSA_SET0_FACTORS], [1],
2925		    [Define if libcrypto has RSA_set0_factors])])
2926	AC_SEARCH_LIBS([RSA_set0_key], [crypto],
2927		[AC_DEFINE([HAVE_RSA_SET0_KEY], [1],
2928		    [Define if libcrypto has RSA_set0_key])])
2929
2930	AC_SEARCH_LIBS([RSA_meth_free], [crypto],
2931		[AC_DEFINE([HAVE_RSA_METH_FREE], [1],
2932		    [Define if libcrypto has RSA_meth_free])])
2933	AC_SEARCH_LIBS([RSA_meth_dup], [crypto],
2934		[AC_DEFINE([HAVE_RSA_METH_DUP], [1],
2935		    [Define if libcrypto has RSA_meth_dup])])
2936	AC_SEARCH_LIBS([RSA_meth_set1_name], [crypto],
2937		[AC_DEFINE([HAVE_RSA_METH_SET1_NAME], [1],
2938		    [Define if libcrypto has RSA_meth_set1_name])])
2939	AC_SEARCH_LIBS([RSA_meth_get_finish], [crypto],
2940		[AC_DEFINE([HAVE_RSA_METH_GET_FINISH], [1],
2941		    [Define if libcrypto has RSA_meth_get_finish])])
2942	AC_SEARCH_LIBS([RSA_meth_set_priv_enc], [crypto],
2943		[AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1],
2944		    [Define if libcrypto has RSA_meth_set_priv_enc])])
2945	AC_SEARCH_LIBS([RSA_meth_set_priv_dec], [crypto],
2946		[AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1],
2947		    [Define if libcrypto has RSA_meth_set_priv_dec])])
2948	AC_SEARCH_LIBS([RSA_meth_set_finish], [crypto],
2949		[AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1],
2950		    [Define if libcrypto has RSA_meth_set_finish])])
2951
2952	AC_SEARCH_LIBS([EVP_PKEY_get0_RSA], [crypto],
2953		[AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1],
2954		    [Define if libcrypto has EVP_PKEY_get0_RSA])])
2955
2956	AC_SEARCH_LIBS([EVP_MD_CTX_new], [crypto],
2957		[AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1],
2958		    [Define if libcrypto has EVP_MD_CTX_new])])
2959	AC_SEARCH_LIBS([EVP_MD_CTX_free], [crypto],
2960		[AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1],
2961		    [Define if libcrypto has EVP_MD_CTX_free])])
2962
2963	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2964	AC_LINK_IFELSE(
2965		[AC_LANG_PROGRAM([[
2966	#include <string.h>
2967	#include <openssl/evp.h>
2968		]], [[
2969		if(EVP_DigestUpdate(NULL, NULL,0))
2970			exit(0);
2971		]])],
2972		[
2973			AC_MSG_RESULT([yes])
2974		],
2975		[
2976			AC_MSG_RESULT([no])
2977			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2978			    [Define if EVP_DigestUpdate returns void])
2979		]
2980	)
2981
2982	# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2983	# because the system crypt() is more featureful.
2984	if test "x$check_for_libcrypt_before" = "x1"; then
2985		AC_CHECK_LIB([crypt], [crypt])
2986	fi
2987
2988	# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2989	# version in OpenSSL.
2990	if test "x$check_for_libcrypt_later" = "x1"; then
2991		AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2992	fi
2993	AC_CHECK_FUNCS([crypt DES_crypt])
2994
2995	# Search for SHA256 support in libc and/or OpenSSL
2996	AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2997	    [unsupported_algorithms="$unsupported_algorithms \
2998		hmac-sha2-256 \
2999		hmac-sha2-512 \
3000		diffie-hellman-group-exchange-sha256 \
3001		hmac-sha2-256-etm@openssh.com \
3002		hmac-sha2-512-etm@openssh.com"
3003	     ]
3004	)
3005	# Search for RIPE-MD support in OpenSSL
3006	AC_CHECK_FUNCS([EVP_ripemd160], ,
3007	    [unsupported_algorithms="$unsupported_algorithms \
3008		hmac-ripemd160 \
3009		hmac-ripemd160@openssh.com \
3010		hmac-ripemd160-etm@openssh.com"
3011	     ]
3012	)
3013
3014	# Check complete ECC support in OpenSSL
3015	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3016	AC_LINK_IFELSE(
3017		[AC_LANG_PROGRAM([[
3018	#include <openssl/ec.h>
3019	#include <openssl/ecdh.h>
3020	#include <openssl/ecdsa.h>
3021	#include <openssl/evp.h>
3022	#include <openssl/objects.h>
3023	#include <openssl/opensslv.h>
3024		]], [[
3025		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3026		const EVP_MD *m = EVP_sha256(); /* We need this too */
3027		]])],
3028		[ AC_MSG_RESULT([yes])
3029		  enable_nistp256=1 ],
3030		[ AC_MSG_RESULT([no]) ]
3031	)
3032
3033	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3034	AC_LINK_IFELSE(
3035		[AC_LANG_PROGRAM([[
3036	#include <openssl/ec.h>
3037	#include <openssl/ecdh.h>
3038	#include <openssl/ecdsa.h>
3039	#include <openssl/evp.h>
3040	#include <openssl/objects.h>
3041	#include <openssl/opensslv.h>
3042		]], [[
3043		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3044		const EVP_MD *m = EVP_sha384(); /* We need this too */
3045		]])],
3046		[ AC_MSG_RESULT([yes])
3047		  enable_nistp384=1 ],
3048		[ AC_MSG_RESULT([no]) ]
3049	)
3050
3051	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3052	AC_LINK_IFELSE(
3053		[AC_LANG_PROGRAM([[
3054	#include <openssl/ec.h>
3055	#include <openssl/ecdh.h>
3056	#include <openssl/ecdsa.h>
3057	#include <openssl/evp.h>
3058	#include <openssl/objects.h>
3059	#include <openssl/opensslv.h>
3060		]], [[
3061		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3062		const EVP_MD *m = EVP_sha512(); /* We need this too */
3063		]])],
3064		[ AC_MSG_RESULT([yes])
3065		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3066		  AC_RUN_IFELSE(
3067			[AC_LANG_PROGRAM([[
3068	#include <openssl/ec.h>
3069	#include <openssl/ecdh.h>
3070	#include <openssl/ecdsa.h>
3071	#include <openssl/evp.h>
3072	#include <openssl/objects.h>
3073	#include <openssl/opensslv.h>
3074			]],[[
3075			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3076			const EVP_MD *m = EVP_sha512(); /* We need this too */
3077			exit(e == NULL || m == NULL);
3078			]])],
3079			[ AC_MSG_RESULT([yes])
3080			  enable_nistp521=1 ],
3081			[ AC_MSG_RESULT([no]) ],
3082			[ AC_MSG_WARN([cross-compiling: assuming yes])
3083			  enable_nistp521=1 ]
3084		  )],
3085		AC_MSG_RESULT([no])
3086	)
3087
3088	COMMENT_OUT_ECC="#no ecc#"
3089	TEST_SSH_ECC=no
3090
3091	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3092	    test x$enable_nistp521 = x1; then
3093		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3094	fi
3095	if test x$enable_nistp256 = x1; then
3096		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3097		    [libcrypto has NID_X9_62_prime256v1])
3098		TEST_SSH_ECC=yes
3099		COMMENT_OUT_ECC=""
3100	else
3101		unsupported_algorithms="$unsupported_algorithms \
3102			ecdsa-sha2-nistp256 \
3103			ecdh-sha2-nistp256 \
3104			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3105	fi
3106	if test x$enable_nistp384 = x1; then
3107		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3108		TEST_SSH_ECC=yes
3109		COMMENT_OUT_ECC=""
3110	else
3111		unsupported_algorithms="$unsupported_algorithms \
3112			ecdsa-sha2-nistp384 \
3113			ecdh-sha2-nistp384 \
3114			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3115	fi
3116	if test x$enable_nistp521 = x1; then
3117		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3118		TEST_SSH_ECC=yes
3119		COMMENT_OUT_ECC=""
3120	else
3121		unsupported_algorithms="$unsupported_algorithms \
3122			ecdh-sha2-nistp521 \
3123			ecdsa-sha2-nistp521 \
3124			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3125	fi
3126
3127	AC_SUBST([TEST_SSH_ECC])
3128	AC_SUBST([COMMENT_OUT_ECC])
3129else
3130	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3131	AC_CHECK_FUNCS([crypt])
3132fi
3133
3134AC_CHECK_FUNCS([ \
3135	arc4random \
3136	arc4random_buf \
3137	arc4random_stir \
3138	arc4random_uniform \
3139])
3140
3141saved_LIBS="$LIBS"
3142AC_CHECK_LIB([iaf], [ia_openinfo], [
3143	LIBS="$LIBS -liaf"
3144	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3145				AC_DEFINE([HAVE_LIBIAF], [1],
3146			[Define if system has libiaf that supports set_id])
3147				])
3148])
3149LIBS="$saved_LIBS"
3150
3151### Configure cryptographic random number support
3152
3153# Check whether OpenSSL seeds itself
3154if test "x$openssl" = "xyes" ; then
3155	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3156	AC_RUN_IFELSE(
3157		[AC_LANG_PROGRAM([[
3158	#include <string.h>
3159	#include <openssl/rand.h>
3160		]], [[
3161		exit(RAND_status() == 1 ? 0 : 1);
3162		]])],
3163		[
3164			OPENSSL_SEEDS_ITSELF=yes
3165			AC_MSG_RESULT([yes])
3166		],
3167		[
3168			AC_MSG_RESULT([no])
3169		],
3170		[
3171			AC_MSG_WARN([cross compiling: assuming yes])
3172			# This is safe, since we will fatal() at runtime if
3173			# OpenSSL is not seeded correctly.
3174			OPENSSL_SEEDS_ITSELF=yes
3175		]
3176	)
3177fi
3178
3179# PRNGD TCP socket
3180AC_ARG_WITH([prngd-port],
3181	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3182	[
3183		case "$withval" in
3184		no)
3185			withval=""
3186			;;
3187		[[0-9]]*)
3188			;;
3189		*)
3190			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3191			;;
3192		esac
3193		if test ! -z "$withval" ; then
3194			PRNGD_PORT="$withval"
3195			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3196				[Port number of PRNGD/EGD random number socket])
3197		fi
3198	]
3199)
3200
3201# PRNGD Unix domain socket
3202AC_ARG_WITH([prngd-socket],
3203	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3204	[
3205		case "$withval" in
3206		yes)
3207			withval="/var/run/egd-pool"
3208			;;
3209		no)
3210			withval=""
3211			;;
3212		/*)
3213			;;
3214		*)
3215			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3216			;;
3217		esac
3218
3219		if test ! -z "$withval" ; then
3220			if test ! -z "$PRNGD_PORT" ; then
3221				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3222			fi
3223			if test ! -r "$withval" ; then
3224				AC_MSG_WARN([Entropy socket is not readable])
3225			fi
3226			PRNGD_SOCKET="$withval"
3227			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3228				[Location of PRNGD/EGD random number socket])
3229		fi
3230	],
3231	[
3232		# Check for existing socket only if we don't have a random device already
3233		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3234			AC_MSG_CHECKING([for PRNGD/EGD socket])
3235			# Insert other locations here
3236			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3237				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3238					PRNGD_SOCKET="$sock"
3239					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3240					break;
3241				fi
3242			done
3243			if test ! -z "$PRNGD_SOCKET" ; then
3244				AC_MSG_RESULT([$PRNGD_SOCKET])
3245			else
3246				AC_MSG_RESULT([not found])
3247			fi
3248		fi
3249	]
3250)
3251
3252# Which randomness source do we use?
3253if test ! -z "$PRNGD_PORT" ; then
3254	RAND_MSG="PRNGd port $PRNGD_PORT"
3255elif test ! -z "$PRNGD_SOCKET" ; then
3256	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3257elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3258	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3259		[Define if you want the OpenSSL internally seeded PRNG only])
3260	RAND_MSG="OpenSSL internal ONLY"
3261elif test "x$openssl" = "xno" ; then
3262	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3263else
3264	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3265fi
3266
3267# Check for PAM libs
3268PAM_MSG="no"
3269AC_ARG_WITH([pam],
3270	[  --with-pam              Enable PAM support ],
3271	[
3272		if test "x$withval" != "xno" ; then
3273			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3274			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3275				AC_MSG_ERROR([PAM headers not found])
3276			fi
3277
3278			saved_LIBS="$LIBS"
3279			AC_CHECK_LIB([dl], [dlopen], , )
3280			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3281			AC_CHECK_FUNCS([pam_getenvlist])
3282			AC_CHECK_FUNCS([pam_putenv])
3283			LIBS="$saved_LIBS"
3284
3285			PAM_MSG="yes"
3286
3287			SSHDLIBS="$SSHDLIBS -lpam"
3288			AC_DEFINE([USE_PAM], [1],
3289				[Define if you want to enable PAM support])
3290
3291			if test $ac_cv_lib_dl_dlopen = yes; then
3292				case "$LIBS" in
3293				*-ldl*)
3294					# libdl already in LIBS
3295					;;
3296				*)
3297					SSHDLIBS="$SSHDLIBS -ldl"
3298					;;
3299				esac
3300			fi
3301		fi
3302	]
3303)
3304
3305AC_ARG_WITH([pam-service],
3306	[  --with-pam-service=name Specify PAM service name ],
3307	[
3308		if test "x$withval" != "xno" && \
3309		   test "x$withval" != "xyes" ; then
3310			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3311				["$withval"], [sshd PAM service name])
3312		fi
3313	]
3314)
3315
3316# Check for older PAM
3317if test "x$PAM_MSG" = "xyes" ; then
3318	# Check PAM strerror arguments (old PAM)
3319	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3320	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3321#include <stdlib.h>
3322#if defined(HAVE_SECURITY_PAM_APPL_H)
3323#include <security/pam_appl.h>
3324#elif defined (HAVE_PAM_PAM_APPL_H)
3325#include <pam/pam_appl.h>
3326#endif
3327		]], [[
3328(void)pam_strerror((pam_handle_t *)NULL, -1);
3329		]])], [AC_MSG_RESULT([no])], [
3330			AC_DEFINE([HAVE_OLD_PAM], [1],
3331				[Define if you have an old version of PAM
3332				which takes only one argument to pam_strerror])
3333			AC_MSG_RESULT([yes])
3334			PAM_MSG="yes (old library)"
3335
3336	])
3337fi
3338
3339case "$host" in
3340*-*-cygwin*)
3341	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3342	;;
3343*)
3344	SSH_PRIVSEP_USER=sshd
3345	;;
3346esac
3347AC_ARG_WITH([privsep-user],
3348	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3349	[
3350		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3351		    test "x${withval}" != "xyes"; then
3352			SSH_PRIVSEP_USER=$withval
3353		fi
3354	]
3355)
3356if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3357	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3358		[Cygwin function to fetch non-privileged user for privilege separation])
3359else
3360	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3361		[non-privileged user for privilege separation])
3362fi
3363AC_SUBST([SSH_PRIVSEP_USER])
3364
3365if test "x$have_linux_no_new_privs" = "x1" ; then
3366AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3367	#include <sys/types.h>
3368	#include <linux/seccomp.h>
3369])
3370fi
3371if test "x$have_seccomp_filter" = "x1" ; then
3372AC_MSG_CHECKING([kernel for seccomp_filter support])
3373AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3374		#include <errno.h>
3375		#include <elf.h>
3376		#include <linux/audit.h>
3377		#include <linux/seccomp.h>
3378		#include <stdlib.h>
3379		#include <sys/prctl.h>
3380	]],
3381	[[ int i = $seccomp_audit_arch;
3382	   errno = 0;
3383	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3384	   exit(errno == EFAULT ? 0 : 1); ]])],
3385	[ AC_MSG_RESULT([yes]) ], [
3386		AC_MSG_RESULT([no])
3387		# Disable seccomp filter as a target
3388		have_seccomp_filter=0
3389	]
3390)
3391fi
3392
3393# Decide which sandbox style to use
3394sandbox_arg=""
3395AC_ARG_WITH([sandbox],
3396	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3397	[
3398		if test "x$withval" = "xyes" ; then
3399			sandbox_arg=""
3400		else
3401			sandbox_arg="$withval"
3402		fi
3403	]
3404)
3405
3406# Some platforms (seems to be the ones that have a kernel poll(2)-type
3407# function with which they implement select(2)) use an extra file descriptor
3408# when calling select(2), which means we can't use the rlimit sandbox.
3409AC_MSG_CHECKING([if select works with descriptor rlimit])
3410AC_RUN_IFELSE(
3411	[AC_LANG_PROGRAM([[
3412#include <sys/types.h>
3413#ifdef HAVE_SYS_TIME_H
3414# include <sys/time.h>
3415#endif
3416#include <sys/resource.h>
3417#ifdef HAVE_SYS_SELECT_H
3418# include <sys/select.h>
3419#endif
3420#include <errno.h>
3421#include <fcntl.h>
3422#include <stdlib.h>
3423	]],[[
3424	struct rlimit rl_zero;
3425	int fd, r;
3426	fd_set fds;
3427	struct timeval tv;
3428
3429	fd = open("/dev/null", O_RDONLY);
3430	FD_ZERO(&fds);
3431	FD_SET(fd, &fds);
3432	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3433	setrlimit(RLIMIT_FSIZE, &rl_zero);
3434	setrlimit(RLIMIT_NOFILE, &rl_zero);
3435	tv.tv_sec = 1;
3436	tv.tv_usec = 0;
3437	r = select(fd+1, &fds, NULL, NULL, &tv);
3438	exit (r == -1 ? 1 : 0);
3439	]])],
3440	[AC_MSG_RESULT([yes])
3441	 select_works_with_rlimit=yes],
3442	[AC_MSG_RESULT([no])
3443	 select_works_with_rlimit=no],
3444	[AC_MSG_WARN([cross compiling: assuming yes])
3445	 select_works_with_rlimit=yes]
3446)
3447
3448AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3449AC_RUN_IFELSE(
3450	[AC_LANG_PROGRAM([[
3451#include <sys/types.h>
3452#ifdef HAVE_SYS_TIME_H
3453# include <sys/time.h>
3454#endif
3455#include <sys/resource.h>
3456#include <errno.h>
3457#include <stdlib.h>
3458	]],[[
3459	struct rlimit rl_zero;
3460	int fd, r;
3461	fd_set fds;
3462
3463	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3464	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3465	exit (r == -1 ? 1 : 0);
3466	]])],
3467	[AC_MSG_RESULT([yes])
3468	 rlimit_nofile_zero_works=yes],
3469	[AC_MSG_RESULT([no])
3470	 rlimit_nofile_zero_works=no],
3471	[AC_MSG_WARN([cross compiling: assuming yes])
3472	 rlimit_nofile_zero_works=yes]
3473)
3474
3475AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3476AC_RUN_IFELSE(
3477	[AC_LANG_PROGRAM([[
3478#include <sys/types.h>
3479#include <sys/resource.h>
3480#include <stdlib.h>
3481	]],[[
3482		struct rlimit rl_zero;
3483
3484		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3485		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3486	]])],
3487	[AC_MSG_RESULT([yes])],
3488	[AC_MSG_RESULT([no])
3489	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3490	    [setrlimit RLIMIT_FSIZE works])],
3491	[AC_MSG_WARN([cross compiling: assuming yes])]
3492)
3493
3494if test "x$sandbox_arg" = "xpledge" || \
3495   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3496	test "x$ac_cv_func_pledge" != "xyes" && \
3497		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3498	SANDBOX_STYLE="pledge"
3499	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3500elif test "x$sandbox_arg" = "xsystrace" || \
3501   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3502	test "x$have_systr_policy_kill" != "x1" && \
3503		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3504	SANDBOX_STYLE="systrace"
3505	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3506elif test "x$sandbox_arg" = "xdarwin" || \
3507     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3508       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3509	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3510	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3511		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3512	SANDBOX_STYLE="darwin"
3513	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3514elif test "x$sandbox_arg" = "xseccomp_filter" || \
3515     ( test -z "$sandbox_arg" && \
3516       test "x$have_seccomp_filter" = "x1" && \
3517       test "x$ac_cv_header_elf_h" = "xyes" && \
3518       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3519       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3520       test "x$seccomp_audit_arch" != "x" && \
3521       test "x$have_linux_no_new_privs" = "x1" && \
3522       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3523	test "x$seccomp_audit_arch" = "x" && \
3524		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3525	test "x$have_linux_no_new_privs" != "x1" && \
3526		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3527	test "x$have_seccomp_filter" != "x1" && \
3528		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3529	test "x$ac_cv_func_prctl" != "xyes" && \
3530		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3531	SANDBOX_STYLE="seccomp_filter"
3532	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3533elif test "x$sandbox_arg" = "xcapsicum" || \
3534     ( test -z "$sandbox_arg" && \
3535       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3536       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3537       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3538		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3539       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3540		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3541       SANDBOX_STYLE="capsicum"
3542       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3543elif test "x$sandbox_arg" = "xrlimit" || \
3544     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3545       test "x$select_works_with_rlimit" = "xyes" && \
3546       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3547	test "x$ac_cv_func_setrlimit" != "xyes" && \
3548		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3549	test "x$select_works_with_rlimit" != "xyes" && \
3550		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3551	SANDBOX_STYLE="rlimit"
3552	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3553elif test "x$sandbox_arg" = "xsolaris" || \
3554   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3555	SANDBOX_STYLE="solaris"
3556	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3557elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3558     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3559	SANDBOX_STYLE="none"
3560	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3561else
3562	AC_MSG_ERROR([unsupported --with-sandbox])
3563fi
3564
3565# Cheap hack to ensure NEWS-OS libraries are arranged right.
3566if test ! -z "$SONY" ; then
3567  LIBS="$LIBS -liberty";
3568fi
3569
3570# Check for  long long datatypes
3571AC_CHECK_TYPES([long long, unsigned long long, long double])
3572
3573# Check datatype sizes
3574AC_CHECK_SIZEOF([short int], [2])
3575AC_CHECK_SIZEOF([int], [4])
3576AC_CHECK_SIZEOF([long int], [4])
3577AC_CHECK_SIZEOF([long long int], [8])
3578
3579# Sanity check long long for some platforms (AIX)
3580if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3581	ac_cv_sizeof_long_long_int=0
3582fi
3583
3584# compute LLONG_MIN and LLONG_MAX if we don't know them.
3585if test -z "$have_llong_max"; then
3586	AC_MSG_CHECKING([for max value of long long])
3587	AC_RUN_IFELSE(
3588		[AC_LANG_PROGRAM([[
3589#include <stdio.h>
3590/* Why is this so damn hard? */
3591#ifdef __GNUC__
3592# undef __GNUC__
3593#endif
3594#define __USE_ISOC99
3595#include <limits.h>
3596#define DATA "conftest.llminmax"
3597#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3598
3599/*
3600 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3601 * we do this the hard way.
3602 */
3603static int
3604fprint_ll(FILE *f, long long n)
3605{
3606	unsigned int i;
3607	int l[sizeof(long long) * 8];
3608
3609	if (n < 0)
3610		if (fprintf(f, "-") < 0)
3611			return -1;
3612	for (i = 0; n != 0; i++) {
3613		l[i] = my_abs(n % 10);
3614		n /= 10;
3615	}
3616	do {
3617		if (fprintf(f, "%d", l[--i]) < 0)
3618			return -1;
3619	} while (i != 0);
3620	if (fprintf(f, " ") < 0)
3621		return -1;
3622	return 0;
3623}
3624		]], [[
3625	FILE *f;
3626	long long i, llmin, llmax = 0;
3627
3628	if((f = fopen(DATA,"w")) == NULL)
3629		exit(1);
3630
3631#if defined(LLONG_MIN) && defined(LLONG_MAX)
3632	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3633	llmin = LLONG_MIN;
3634	llmax = LLONG_MAX;
3635#else
3636	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3637	/* This will work on one's complement and two's complement */
3638	for (i = 1; i > llmax; i <<= 1, i++)
3639		llmax = i;
3640	llmin = llmax + 1LL;	/* wrap */
3641#endif
3642
3643	/* Sanity check */
3644	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3645	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3646	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3647		fprintf(f, "unknown unknown\n");
3648		exit(2);
3649	}
3650
3651	if (fprint_ll(f, llmin) < 0)
3652		exit(3);
3653	if (fprint_ll(f, llmax) < 0)
3654		exit(4);
3655	if (fclose(f) < 0)
3656		exit(5);
3657	exit(0);
3658		]])],
3659		[
3660			llong_min=`$AWK '{print $1}' conftest.llminmax`
3661			llong_max=`$AWK '{print $2}' conftest.llminmax`
3662
3663			AC_MSG_RESULT([$llong_max])
3664			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3665			    [max value of long long calculated by configure])
3666			AC_MSG_CHECKING([for min value of long long])
3667			AC_MSG_RESULT([$llong_min])
3668			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3669			    [min value of long long calculated by configure])
3670		],
3671		[
3672			AC_MSG_RESULT([not found])
3673		],
3674		[
3675			AC_MSG_WARN([cross compiling: not checking])
3676		]
3677	)
3678fi
3679
3680
3681# More checks for data types
3682AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3683	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3684	[[ u_int a; a = 1;]])],
3685	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3686	])
3687])
3688if test "x$ac_cv_have_u_int" = "xyes" ; then
3689	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3690	have_u_int=1
3691fi
3692
3693AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3694	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3695	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3696	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3697	])
3698])
3699if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3700	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3701	have_intxx_t=1
3702fi
3703
3704if (test -z "$have_intxx_t" && \
3705	   test "x$ac_cv_header_stdint_h" = "xyes")
3706then
3707    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3708	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3709	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3710		[
3711			AC_DEFINE([HAVE_INTXX_T])
3712			AC_MSG_RESULT([yes])
3713		], [ AC_MSG_RESULT([no])
3714	])
3715fi
3716
3717AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3718	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3719#include <sys/types.h>
3720#ifdef HAVE_STDINT_H
3721# include <stdint.h>
3722#endif
3723#include <sys/socket.h>
3724#ifdef HAVE_SYS_BITYPES_H
3725# include <sys/bitypes.h>
3726#endif
3727		]], [[
3728int64_t a; a = 1;
3729		]])],
3730	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3731	])
3732])
3733if test "x$ac_cv_have_int64_t" = "xyes" ; then
3734	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3735fi
3736
3737AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3738	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3739	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3740	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3741	])
3742])
3743if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3744	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3745	have_u_intxx_t=1
3746fi
3747
3748if test -z "$have_u_intxx_t" ; then
3749    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3750	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3751	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3752		[
3753			AC_DEFINE([HAVE_U_INTXX_T])
3754			AC_MSG_RESULT([yes])
3755		], [ AC_MSG_RESULT([no])
3756	])
3757fi
3758
3759AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3760	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3761	[[ u_int64_t a; a = 1;]])],
3762	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3763	])
3764])
3765if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3766	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3767	have_u_int64_t=1
3768fi
3769
3770if (test -z "$have_u_int64_t" && \
3771	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3772then
3773    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3774	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3775	[[ u_int64_t a; a = 1]])],
3776		[
3777			AC_DEFINE([HAVE_U_INT64_T])
3778			AC_MSG_RESULT([yes])
3779		], [ AC_MSG_RESULT([no])
3780	])
3781fi
3782
3783if test -z "$have_u_intxx_t" ; then
3784	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3785		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3786#include <sys/types.h>
3787			]], [[
3788	uint8_t a;
3789	uint16_t b;
3790	uint32_t c;
3791	a = b = c = 1;
3792			]])],
3793		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3794		])
3795	])
3796	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3797		AC_DEFINE([HAVE_UINTXX_T], [1],
3798			[define if you have uintxx_t data type])
3799	fi
3800fi
3801
3802if (test -z "$have_uintxx_t" && \
3803	   test "x$ac_cv_header_stdint_h" = "xyes")
3804then
3805    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3806	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3807	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3808		[
3809			AC_DEFINE([HAVE_UINTXX_T])
3810			AC_MSG_RESULT([yes])
3811		], [ AC_MSG_RESULT([no])
3812	])
3813fi
3814
3815if (test -z "$have_uintxx_t" && \
3816	   test "x$ac_cv_header_inttypes_h" = "xyes")
3817then
3818    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3819	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3820	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3821		[
3822			AC_DEFINE([HAVE_UINTXX_T])
3823			AC_MSG_RESULT([yes])
3824		], [ AC_MSG_RESULT([no])
3825	])
3826fi
3827
3828if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3829	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3830then
3831	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3832	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3833#include <sys/bitypes.h>
3834		]], [[
3835			int8_t a; int16_t b; int32_t c;
3836			u_int8_t e; u_int16_t f; u_int32_t g;
3837			a = b = c = e = f = g = 1;
3838		]])],
3839		[
3840			AC_DEFINE([HAVE_U_INTXX_T])
3841			AC_DEFINE([HAVE_INTXX_T])
3842			AC_MSG_RESULT([yes])
3843		], [AC_MSG_RESULT([no])
3844	])
3845fi
3846
3847
3848AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3849	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3850	[[ u_char foo; foo = 125; ]])],
3851	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3852	])
3853])
3854if test "x$ac_cv_have_u_char" = "xyes" ; then
3855	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3856fi
3857
3858AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3859#include <sys/types.h>
3860#include <stdint.h>
3861])
3862
3863TYPE_SOCKLEN_T
3864
3865AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3866AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3867#include <sys/types.h>
3868#ifdef HAVE_SYS_BITYPES_H
3869#include <sys/bitypes.h>
3870#endif
3871#ifdef HAVE_SYS_STATFS_H
3872#include <sys/statfs.h>
3873#endif
3874#ifdef HAVE_SYS_STATVFS_H
3875#include <sys/statvfs.h>
3876#endif
3877])
3878
3879AC_CHECK_MEMBERS([struct statfs.f_flags], [], [], [[
3880#include <sys/types.h>
3881#ifdef HAVE_SYS_BITYPES_H
3882#include <sys/bitypes.h>
3883#endif
3884#ifdef HAVE_SYS_STATFS_H
3885#include <sys/statfs.h>
3886#endif
3887#ifdef HAVE_SYS_STATVFS_H
3888#include <sys/statvfs.h>
3889#endif
3890#ifdef HAVE_SYS_VFS_H
3891#include <sys/vfs.h>
3892#endif
3893]])
3894
3895
3896AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3897[#include <sys/types.h>
3898#include <netinet/in.h>])
3899
3900AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3901	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3902	[[ size_t foo; foo = 1235; ]])],
3903	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3904	])
3905])
3906if test "x$ac_cv_have_size_t" = "xyes" ; then
3907	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3908fi
3909
3910AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3911	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3912	[[ ssize_t foo; foo = 1235; ]])],
3913	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3914	])
3915])
3916if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3917	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3918fi
3919
3920AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
3921	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
3922	[[ clock_t foo; foo = 1235; ]])],
3923	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
3924	])
3925])
3926if test "x$ac_cv_have_clock_t" = "xyes" ; then
3927	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
3928fi
3929
3930AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
3931	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3932#include <sys/types.h>
3933#include <sys/socket.h>
3934		]], [[ sa_family_t foo; foo = 1235; ]])],
3935	[ ac_cv_have_sa_family_t="yes" ],
3936	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3937#include <sys/types.h>
3938#include <sys/socket.h>
3939#include <netinet/in.h>
3940		]], [[ sa_family_t foo; foo = 1235; ]])],
3941		[ ac_cv_have_sa_family_t="yes" ],
3942		[ ac_cv_have_sa_family_t="no" ]
3943	)
3944	])
3945])
3946if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
3947	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
3948		[define if you have sa_family_t data type])
3949fi
3950
3951AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
3952	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3953	[[ pid_t foo; foo = 1235; ]])],
3954	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
3955	])
3956])
3957if test "x$ac_cv_have_pid_t" = "xyes" ; then
3958	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
3959fi
3960
3961AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
3962	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3963	[[ mode_t foo; foo = 1235; ]])],
3964	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
3965	])
3966])
3967if test "x$ac_cv_have_mode_t" = "xyes" ; then
3968	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
3969fi
3970
3971
3972AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
3973	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3974#include <sys/types.h>
3975#include <sys/socket.h>
3976		]], [[ struct sockaddr_storage s; ]])],
3977	[ ac_cv_have_struct_sockaddr_storage="yes" ],
3978	[ ac_cv_have_struct_sockaddr_storage="no"
3979	])
3980])
3981if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
3982	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
3983		[define if you have struct sockaddr_storage data type])
3984fi
3985
3986AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
3987	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3988#include <sys/types.h>
3989#include <netinet/in.h>
3990		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
3991	[ ac_cv_have_struct_sockaddr_in6="yes" ],
3992	[ ac_cv_have_struct_sockaddr_in6="no"
3993	])
3994])
3995if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
3996	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
3997		[define if you have struct sockaddr_in6 data type])
3998fi
3999
4000AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4001	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4002#include <sys/types.h>
4003#include <netinet/in.h>
4004		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4005	[ ac_cv_have_struct_in6_addr="yes" ],
4006	[ ac_cv_have_struct_in6_addr="no"
4007	])
4008])
4009if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4010	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4011		[define if you have struct in6_addr data type])
4012
4013dnl Now check for sin6_scope_id
4014	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4015		[
4016#ifdef HAVE_SYS_TYPES_H
4017#include <sys/types.h>
4018#endif
4019#include <netinet/in.h>
4020		])
4021fi
4022
4023AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4024	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4025#include <sys/types.h>
4026#include <sys/socket.h>
4027#include <netdb.h>
4028		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4029	[ ac_cv_have_struct_addrinfo="yes" ],
4030	[ ac_cv_have_struct_addrinfo="no"
4031	])
4032])
4033if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4034	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4035		[define if you have struct addrinfo data type])
4036fi
4037
4038AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4039	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4040	[[ struct timeval tv; tv.tv_sec = 1;]])],
4041	[ ac_cv_have_struct_timeval="yes" ],
4042	[ ac_cv_have_struct_timeval="no"
4043	])
4044])
4045if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4046	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4047	have_struct_timeval=1
4048fi
4049
4050AC_CHECK_TYPES([struct timespec])
4051
4052# We need int64_t or else certain parts of the compile will fail.
4053if test "x$ac_cv_have_int64_t" = "xno" && \
4054	test "x$ac_cv_sizeof_long_int" != "x8" && \
4055	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4056	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4057	echo "an alternative compiler (I.E., GCC) before continuing."
4058	echo ""
4059	exit 1;
4060else
4061dnl test snprintf (broken on SCO w/gcc)
4062	AC_RUN_IFELSE(
4063		[AC_LANG_SOURCE([[
4064#include <stdio.h>
4065#include <string.h>
4066#ifdef HAVE_SNPRINTF
4067main()
4068{
4069	char buf[50];
4070	char expected_out[50];
4071	int mazsize = 50 ;
4072#if (SIZEOF_LONG_INT == 8)
4073	long int num = 0x7fffffffffffffff;
4074#else
4075	long long num = 0x7fffffffffffffffll;
4076#endif
4077	strcpy(expected_out, "9223372036854775807");
4078	snprintf(buf, mazsize, "%lld", num);
4079	if(strcmp(buf, expected_out) != 0)
4080		exit(1);
4081	exit(0);
4082}
4083#else
4084main() { exit(0); }
4085#endif
4086		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4087		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4088	)
4089fi
4090
4091dnl Checks for structure members
4092OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4093OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4094OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4095OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4096OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4097OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4098OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4099OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4100OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4101OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4102OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4103OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4104OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4105OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4106OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4107OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4108OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4109
4110AC_CHECK_MEMBERS([struct stat.st_blksize])
4111AC_CHECK_MEMBERS([struct stat.st_mtim])
4112AC_CHECK_MEMBERS([struct stat.st_mtime])
4113AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4114struct passwd.pw_change, struct passwd.pw_expire],
4115[], [], [[
4116#include <sys/types.h>
4117#include <pwd.h>
4118]])
4119
4120AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4121	[Define if we don't have struct __res_state in resolv.h])],
4122[[
4123#include <stdio.h>
4124#if HAVE_SYS_TYPES_H
4125# include <sys/types.h>
4126#endif
4127#include <netinet/in.h>
4128#include <arpa/nameser.h>
4129#include <resolv.h>
4130]])
4131
4132AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4133		ac_cv_have_ss_family_in_struct_ss, [
4134	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4135#include <sys/types.h>
4136#include <sys/socket.h>
4137		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4138	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4139	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4140])
4141if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4142	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4143fi
4144
4145AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4146		ac_cv_have___ss_family_in_struct_ss, [
4147	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4148#include <sys/types.h>
4149#include <sys/socket.h>
4150		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4151	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4152	[ ac_cv_have___ss_family_in_struct_ss="no"
4153	])
4154])
4155if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4156	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4157		[Fields in struct sockaddr_storage])
4158fi
4159
4160dnl make sure we're using the real structure members and not defines
4161AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4162		ac_cv_have_accrights_in_msghdr, [
4163	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4164#include <sys/types.h>
4165#include <sys/socket.h>
4166#include <sys/uio.h>
4167		]], [[
4168#ifdef msg_accrights
4169#error "msg_accrights is a macro"
4170exit(1);
4171#endif
4172struct msghdr m;
4173m.msg_accrights = 0;
4174exit(0);
4175		]])],
4176		[ ac_cv_have_accrights_in_msghdr="yes" ],
4177		[ ac_cv_have_accrights_in_msghdr="no" ]
4178	)
4179])
4180if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4181	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4182		[Define if your system uses access rights style
4183		file descriptor passing])
4184fi
4185
4186AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4187AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4188#include <sys/param.h>
4189#include <sys/stat.h>
4190#ifdef HAVE_SYS_TIME_H
4191# include <sys/time.h>
4192#endif
4193#ifdef HAVE_SYS_MOUNT_H
4194#include <sys/mount.h>
4195#endif
4196#ifdef HAVE_SYS_STATVFS_H
4197#include <sys/statvfs.h>
4198#endif
4199	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4200	[ AC_MSG_RESULT([yes]) ],
4201	[ AC_MSG_RESULT([no])
4202
4203	AC_MSG_CHECKING([if fsid_t has member val])
4204	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4205#include <sys/types.h>
4206#include <sys/statvfs.h>
4207	]], [[ fsid_t t; t.val[0] = 0; ]])],
4208	[ AC_MSG_RESULT([yes])
4209	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4210	[ AC_MSG_RESULT([no]) ])
4211
4212	AC_MSG_CHECKING([if f_fsid has member __val])
4213	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4214#include <sys/types.h>
4215#include <sys/statvfs.h>
4216	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4217	[ AC_MSG_RESULT([yes])
4218	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4219	[ AC_MSG_RESULT([no]) ])
4220])
4221
4222AC_CACHE_CHECK([for msg_control field in struct msghdr],
4223		ac_cv_have_control_in_msghdr, [
4224	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4225#include <sys/types.h>
4226#include <sys/socket.h>
4227#include <sys/uio.h>
4228		]], [[
4229#ifdef msg_control
4230#error "msg_control is a macro"
4231exit(1);
4232#endif
4233struct msghdr m;
4234m.msg_control = 0;
4235exit(0);
4236		]])],
4237		[ ac_cv_have_control_in_msghdr="yes" ],
4238		[ ac_cv_have_control_in_msghdr="no" ]
4239	)
4240])
4241if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4242	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4243		[Define if your system uses ancillary data style
4244		file descriptor passing])
4245fi
4246
4247AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4248	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4249		[[ extern char *__progname; printf("%s", __progname); ]])],
4250	[ ac_cv_libc_defines___progname="yes" ],
4251	[ ac_cv_libc_defines___progname="no"
4252	])
4253])
4254if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4255	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4256fi
4257
4258AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4259	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4260		[[ printf("%s", __FUNCTION__); ]])],
4261	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4262	[ ac_cv_cc_implements___FUNCTION__="no"
4263	])
4264])
4265if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4266	AC_DEFINE([HAVE___FUNCTION__], [1],
4267		[Define if compiler implements __FUNCTION__])
4268fi
4269
4270AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4271	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4272		[[ printf("%s", __func__); ]])],
4273	[ ac_cv_cc_implements___func__="yes" ],
4274	[ ac_cv_cc_implements___func__="no"
4275	])
4276])
4277if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4278	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4279fi
4280
4281AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4282	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4283#include <stdarg.h>
4284va_list x,y;
4285		]], [[ va_copy(x,y); ]])],
4286	[ ac_cv_have_va_copy="yes" ],
4287	[ ac_cv_have_va_copy="no"
4288	])
4289])
4290if test "x$ac_cv_have_va_copy" = "xyes" ; then
4291	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4292fi
4293
4294AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4295	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4296#include <stdarg.h>
4297va_list x,y;
4298		]], [[ __va_copy(x,y); ]])],
4299	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4300	])
4301])
4302if test "x$ac_cv_have___va_copy" = "xyes" ; then
4303	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4304fi
4305
4306AC_CACHE_CHECK([whether getopt has optreset support],
4307		ac_cv_have_getopt_optreset, [
4308	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4309		[[ extern int optreset; optreset = 0; ]])],
4310	[ ac_cv_have_getopt_optreset="yes" ],
4311	[ ac_cv_have_getopt_optreset="no"
4312	])
4313])
4314if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4315	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4316		[Define if your getopt(3) defines and uses optreset])
4317fi
4318
4319AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4320	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4321[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4322	[ ac_cv_libc_defines_sys_errlist="yes" ],
4323	[ ac_cv_libc_defines_sys_errlist="no"
4324	])
4325])
4326if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4327	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4328		[Define if your system defines sys_errlist[]])
4329fi
4330
4331
4332AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4333	AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4334[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4335	[ ac_cv_libc_defines_sys_nerr="yes" ],
4336	[ ac_cv_libc_defines_sys_nerr="no"
4337	])
4338])
4339if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4340	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4341fi
4342
4343# Check libraries needed by DNS fingerprint support
4344AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4345	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4346		[Define if getrrsetbyname() exists])],
4347	[
4348		# Needed by our getrrsetbyname()
4349		AC_SEARCH_LIBS([res_query], [resolv])
4350		AC_SEARCH_LIBS([dn_expand], [resolv])
4351		AC_MSG_CHECKING([if res_query will link])
4352		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4353#include <sys/types.h>
4354#include <netinet/in.h>
4355#include <arpa/nameser.h>
4356#include <netdb.h>
4357#include <resolv.h>
4358				]], [[
4359	res_query (0, 0, 0, 0, 0);
4360				]])],
4361		    AC_MSG_RESULT([yes]),
4362		   [AC_MSG_RESULT([no])
4363		    saved_LIBS="$LIBS"
4364		    LIBS="$LIBS -lresolv"
4365		    AC_MSG_CHECKING([for res_query in -lresolv])
4366		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4367#include <sys/types.h>
4368#include <netinet/in.h>
4369#include <arpa/nameser.h>
4370#include <netdb.h>
4371#include <resolv.h>
4372				]], [[
4373	res_query (0, 0, 0, 0, 0);
4374				]])],
4375			[AC_MSG_RESULT([yes])],
4376			[LIBS="$saved_LIBS"
4377			 AC_MSG_RESULT([no])])
4378		    ])
4379		AC_CHECK_FUNCS([_getshort _getlong])
4380		AC_CHECK_DECLS([_getshort, _getlong], , ,
4381		    [#include <sys/types.h>
4382		    #include <arpa/nameser.h>])
4383		AC_CHECK_MEMBER([HEADER.ad],
4384			[AC_DEFINE([HAVE_HEADER_AD], [1],
4385			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4386			[#include <arpa/nameser.h>])
4387	])
4388
4389AC_MSG_CHECKING([if struct __res_state _res is an extern])
4390AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4391#include <stdio.h>
4392#if HAVE_SYS_TYPES_H
4393# include <sys/types.h>
4394#endif
4395#include <netinet/in.h>
4396#include <arpa/nameser.h>
4397#include <resolv.h>
4398extern struct __res_state _res;
4399		]], [[
4400struct __res_state *volatile p = &_res;  /* force resolution of _res */
4401return 0;
4402		]],)],
4403		[AC_MSG_RESULT([yes])
4404		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4405		    [Define if you have struct __res_state _res as an extern])
4406		],
4407		[ AC_MSG_RESULT([no]) ]
4408)
4409
4410# Check whether user wants SELinux support
4411SELINUX_MSG="no"
4412LIBSELINUX=""
4413AC_ARG_WITH([selinux],
4414	[  --with-selinux          Enable SELinux support],
4415	[ if test "x$withval" != "xno" ; then
4416		save_LIBS="$LIBS"
4417		AC_DEFINE([WITH_SELINUX], [1],
4418			[Define if you want SELinux support.])
4419		SELINUX_MSG="yes"
4420		AC_CHECK_HEADER([selinux/selinux.h], ,
4421			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4422		AC_CHECK_LIB([selinux], [setexeccon],
4423			[ LIBSELINUX="-lselinux"
4424			  LIBS="$LIBS -lselinux"
4425			],
4426			AC_MSG_ERROR([SELinux support requires libselinux library]))
4427		SSHLIBS="$SSHLIBS $LIBSELINUX"
4428		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
4429		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4430		LIBS="$save_LIBS"
4431	fi ]
4432)
4433AC_SUBST([SSHLIBS])
4434AC_SUBST([SSHDLIBS])
4435
4436# Check whether user wants Kerberos 5 support
4437KRB5_MSG="no"
4438AC_ARG_WITH([kerberos5],
4439	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4440	[ if test "x$withval" != "xno" ; then
4441		if test "x$withval" = "xyes" ; then
4442			KRB5ROOT="/usr/local"
4443		else
4444			KRB5ROOT=${withval}
4445		fi
4446
4447		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4448		KRB5_MSG="yes"
4449
4450		AC_PATH_TOOL([KRB5CONF], [krb5-config],
4451			     [$KRB5ROOT/bin/krb5-config],
4452			     [$KRB5ROOT/bin:$PATH])
4453		if test -x $KRB5CONF ; then
4454			K5CFLAGS="`$KRB5CONF --cflags`"
4455			K5LIBS="`$KRB5CONF --libs`"
4456			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4457
4458			AC_MSG_CHECKING([for gssapi support])
4459			if $KRB5CONF | grep gssapi >/dev/null ; then
4460				AC_MSG_RESULT([yes])
4461				AC_DEFINE([GSSAPI], [1],
4462					[Define this if you want GSSAPI
4463					support in the version 2 protocol])
4464				GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4465				GSSLIBS="`$KRB5CONF --libs gssapi`"
4466				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4467			else
4468				AC_MSG_RESULT([no])
4469			fi
4470			AC_MSG_CHECKING([whether we are using Heimdal])
4471			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4472				]], [[ char *tmp = heimdal_version; ]])],
4473				[ AC_MSG_RESULT([yes])
4474				AC_DEFINE([HEIMDAL], [1],
4475				[Define this if you are using the Heimdal
4476				version of Kerberos V5]) ],
4477				[AC_MSG_RESULT([no])
4478			])
4479		else
4480			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4481			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4482			AC_MSG_CHECKING([whether we are using Heimdal])
4483			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4484				]], [[ char *tmp = heimdal_version; ]])],
4485					[ AC_MSG_RESULT([yes])
4486					 AC_DEFINE([HEIMDAL])
4487					 K5LIBS="-lkrb5"
4488					 K5LIBS="$K5LIBS -lcom_err -lasn1"
4489					 AC_CHECK_LIB([roken], [net_write],
4490					   [K5LIBS="$K5LIBS -lroken"])
4491					 AC_CHECK_LIB([des], [des_cbc_encrypt],
4492					   [K5LIBS="$K5LIBS -ldes"])
4493				       ], [ AC_MSG_RESULT([no])
4494					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4495			])
4496			AC_SEARCH_LIBS([dn_expand], [resolv])
4497
4498			AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4499				[ AC_DEFINE([GSSAPI])
4500				  GSSLIBS="-lgssapi_krb5" ],
4501				[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4502					[ AC_DEFINE([GSSAPI])
4503					  GSSLIBS="-lgssapi" ],
4504					[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4505						[ AC_DEFINE([GSSAPI])
4506						  GSSLIBS="-lgss" ],
4507						AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4508					])
4509				])
4510
4511			AC_CHECK_HEADER([gssapi.h], ,
4512				[ unset ac_cv_header_gssapi_h
4513				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4514				  AC_CHECK_HEADERS([gssapi.h], ,
4515					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4516				  )
4517				]
4518			)
4519
4520			oldCPP="$CPPFLAGS"
4521			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4522			AC_CHECK_HEADER([gssapi_krb5.h], ,
4523					[ CPPFLAGS="$oldCPP" ])
4524
4525		fi
4526		if test ! -z "$need_dash_r" ; then
4527			LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
4528		fi
4529		if test ! -z "$blibpath" ; then
4530			blibpath="$blibpath:${KRB5ROOT}/lib"
4531		fi
4532
4533		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4534		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4535		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4536
4537		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4538			[Define this if you want to use libkafs' AFS support])])
4539
4540		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4541#ifdef HAVE_GSSAPI_H
4542# include <gssapi.h>
4543#elif defined(HAVE_GSSAPI_GSSAPI_H)
4544# include <gssapi/gssapi.h>
4545#endif
4546
4547#ifdef HAVE_GSSAPI_GENERIC_H
4548# include <gssapi_generic.h>
4549#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4550# include <gssapi/gssapi_generic.h>
4551#endif
4552		]])
4553		saved_LIBS="$LIBS"
4554		LIBS="$LIBS $K5LIBS"
4555		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4556		LIBS="$saved_LIBS"
4557
4558	fi
4559	]
4560)
4561AC_SUBST([GSSLIBS])
4562AC_SUBST([K5LIBS])
4563
4564# Looking for programs, paths and files
4565
4566PRIVSEP_PATH=/var/empty
4567AC_ARG_WITH([privsep-path],
4568	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4569	[
4570		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4571		    test "x${withval}" != "xyes"; then
4572			PRIVSEP_PATH=$withval
4573		fi
4574	]
4575)
4576AC_SUBST([PRIVSEP_PATH])
4577
4578AC_ARG_WITH([xauth],
4579	[  --with-xauth=PATH       Specify path to xauth program ],
4580	[
4581		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4582		    test "x${withval}" != "xyes"; then
4583			xauth_path=$withval
4584		fi
4585	],
4586	[
4587		TestPath="$PATH"
4588		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4589		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4590		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4591		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4592		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4593		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4594			xauth_path="/usr/openwin/bin/xauth"
4595		fi
4596	]
4597)
4598
4599STRIP_OPT=-s
4600AC_ARG_ENABLE([strip],
4601	[  --disable-strip         Disable calling strip(1) on install],
4602	[
4603		if test "x$enableval" = "xno" ; then
4604			STRIP_OPT=
4605		fi
4606	]
4607)
4608AC_SUBST([STRIP_OPT])
4609
4610if test -z "$xauth_path" ; then
4611	XAUTH_PATH="undefined"
4612	AC_SUBST([XAUTH_PATH])
4613else
4614	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4615		[Define if xauth is found in your path])
4616	XAUTH_PATH=$xauth_path
4617	AC_SUBST([XAUTH_PATH])
4618fi
4619
4620dnl # --with-maildir=/path/to/mail gets top priority.
4621dnl # if maildir is set in the platform case statement above we use that.
4622dnl # Otherwise we run a program to get the dir from system headers.
4623dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4624dnl # If we find _PATH_MAILDIR we do nothing because that is what
4625dnl # session.c expects anyway. Otherwise we set to the value found
4626dnl # stripping any trailing slash. If for some strage reason our program
4627dnl # does not find what it needs, we default to /var/spool/mail.
4628# Check for mail directory
4629AC_ARG_WITH([maildir],
4630    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4631    [
4632	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4633	    test "x${withval}" != xyes; then
4634		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4635            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4636	    fi
4637     ],[
4638	if test "X$maildir" != "X"; then
4639	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4640	else
4641	    AC_MSG_CHECKING([Discovering system mail directory])
4642	    AC_RUN_IFELSE(
4643		[AC_LANG_PROGRAM([[
4644#include <stdio.h>
4645#include <string.h>
4646#ifdef HAVE_PATHS_H
4647#include <paths.h>
4648#endif
4649#ifdef HAVE_MAILLOCK_H
4650#include <maillock.h>
4651#endif
4652#define DATA "conftest.maildir"
4653	]], [[
4654	FILE *fd;
4655	int rc;
4656
4657	fd = fopen(DATA,"w");
4658	if(fd == NULL)
4659		exit(1);
4660
4661#if defined (_PATH_MAILDIR)
4662	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4663		exit(1);
4664#elif defined (MAILDIR)
4665	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4666		exit(1);
4667#elif defined (_PATH_MAIL)
4668	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4669		exit(1);
4670#else
4671	exit (2);
4672#endif
4673
4674	exit(0);
4675		]])],
4676		[
4677		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4678		    maildir=`awk -F: '{print $2}' conftest.maildir \
4679			| sed 's|/$||'`
4680		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4681		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4682			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4683		    fi
4684		],
4685		[
4686		    if test "X$ac_status" = "X2";then
4687# our test program didn't find it. Default to /var/spool/mail
4688			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4689			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4690		     else
4691			AC_MSG_RESULT([*** not found ***])
4692		     fi
4693		],
4694		[
4695			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4696		]
4697	    )
4698	fi
4699    ]
4700) # maildir
4701
4702if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4703	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4704	disable_ptmx_check=yes
4705fi
4706if test -z "$no_dev_ptmx" ; then
4707	if test "x$disable_ptmx_check" != "xyes" ; then
4708		AC_CHECK_FILE(["/dev/ptmx"],
4709			[
4710				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4711					[Define if you have /dev/ptmx])
4712				have_dev_ptmx=1
4713			]
4714		)
4715	fi
4716fi
4717
4718if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4719	AC_CHECK_FILE(["/dev/ptc"],
4720		[
4721			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4722				[Define if you have /dev/ptc])
4723			have_dev_ptc=1
4724		]
4725	)
4726else
4727	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4728fi
4729
4730# Options from here on. Some of these are preset by platform above
4731AC_ARG_WITH([mantype],
4732	[  --with-mantype=man|cat|doc  Set man page type],
4733	[
4734		case "$withval" in
4735		man|cat|doc)
4736			MANTYPE=$withval
4737			;;
4738		*)
4739			AC_MSG_ERROR([invalid man type: $withval])
4740			;;
4741		esac
4742	]
4743)
4744if test -z "$MANTYPE"; then
4745	TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
4746	AC_PATH_PROGS([NROFF], [nroff awf], [/bin/false], [$TestPath])
4747	if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4748		MANTYPE=doc
4749	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4750		MANTYPE=man
4751	else
4752		MANTYPE=cat
4753	fi
4754fi
4755AC_SUBST([MANTYPE])
4756if test "$MANTYPE" = "doc"; then
4757	mansubdir=man;
4758else
4759	mansubdir=$MANTYPE;
4760fi
4761AC_SUBST([mansubdir])
4762
4763# Check whether to enable MD5 passwords
4764MD5_MSG="no"
4765AC_ARG_WITH([md5-passwords],
4766	[  --with-md5-passwords    Enable use of MD5 passwords],
4767	[
4768		if test "x$withval" != "xno" ; then
4769			AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4770				[Define if you want to allow MD5 passwords])
4771			MD5_MSG="yes"
4772		fi
4773	]
4774)
4775
4776# Whether to disable shadow password support
4777AC_ARG_WITH([shadow],
4778	[  --without-shadow        Disable shadow password support],
4779	[
4780		if test "x$withval" = "xno" ; then
4781			AC_DEFINE([DISABLE_SHADOW])
4782			disable_shadow=yes
4783		fi
4784	]
4785)
4786
4787if test -z "$disable_shadow" ; then
4788	AC_MSG_CHECKING([if the systems has expire shadow information])
4789	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4790#include <sys/types.h>
4791#include <shadow.h>
4792struct spwd sp;
4793		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4794		[ sp_expire_available=yes ], [
4795	])
4796
4797	if test "x$sp_expire_available" = "xyes" ; then
4798		AC_MSG_RESULT([yes])
4799		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4800		    [Define if you want to use shadow password expire field])
4801	else
4802		AC_MSG_RESULT([no])
4803	fi
4804fi
4805
4806# Use ip address instead of hostname in $DISPLAY
4807if test ! -z "$IPADDR_IN_DISPLAY" ; then
4808	DISPLAY_HACK_MSG="yes"
4809	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4810		[Define if you need to use IP address
4811		instead of hostname in $DISPLAY])
4812else
4813	DISPLAY_HACK_MSG="no"
4814	AC_ARG_WITH([ipaddr-display],
4815		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
4816		[
4817			if test "x$withval" != "xno" ; then
4818				AC_DEFINE([IPADDR_IN_DISPLAY])
4819				DISPLAY_HACK_MSG="yes"
4820			fi
4821		]
4822	)
4823fi
4824
4825# check for /etc/default/login and use it if present.
4826AC_ARG_ENABLE([etc-default-login],
4827	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4828	[ if test "x$enableval" = "xno"; then
4829		AC_MSG_NOTICE([/etc/default/login handling disabled])
4830		etc_default_login=no
4831	  else
4832		etc_default_login=yes
4833	  fi ],
4834	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4835	  then
4836		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4837		etc_default_login=no
4838	  else
4839		etc_default_login=yes
4840	  fi ]
4841)
4842
4843if test "x$etc_default_login" != "xno"; then
4844	AC_CHECK_FILE(["/etc/default/login"],
4845	    [ external_path_file=/etc/default/login ])
4846	if test "x$external_path_file" = "x/etc/default/login"; then
4847		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4848			[Define if your system has /etc/default/login])
4849	fi
4850fi
4851
4852dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4853if test $ac_cv_func_login_getcapbool = "yes" && \
4854	test $ac_cv_header_login_cap_h = "yes" ; then
4855	external_path_file=/etc/login.conf
4856fi
4857
4858# Whether to mess with the default path
4859SERVER_PATH_MSG="(default)"
4860AC_ARG_WITH([default-path],
4861	[  --with-default-path=    Specify default $PATH environment for server],
4862	[
4863		if test "x$external_path_file" = "x/etc/login.conf" ; then
4864			AC_MSG_WARN([
4865--with-default-path=PATH has no effect on this system.
4866Edit /etc/login.conf instead.])
4867		elif test "x$withval" != "xno" ; then
4868			if test ! -z "$external_path_file" ; then
4869				AC_MSG_WARN([
4870--with-default-path=PATH will only be used if PATH is not defined in
4871$external_path_file .])
4872			fi
4873			user_path="$withval"
4874			SERVER_PATH_MSG="$withval"
4875		fi
4876	],
4877	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
4878		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4879	else
4880		if test ! -z "$external_path_file" ; then
4881			AC_MSG_WARN([
4882If PATH is defined in $external_path_file, ensure the path to scp is included,
4883otherwise scp will not work.])
4884		fi
4885		AC_RUN_IFELSE(
4886			[AC_LANG_PROGRAM([[
4887/* find out what STDPATH is */
4888#include <stdio.h>
4889#ifdef HAVE_PATHS_H
4890# include <paths.h>
4891#endif
4892#ifndef _PATH_STDPATH
4893# ifdef _PATH_USERPATH	/* Irix */
4894#  define _PATH_STDPATH _PATH_USERPATH
4895# else
4896#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4897# endif
4898#endif
4899#include <sys/types.h>
4900#include <sys/stat.h>
4901#include <fcntl.h>
4902#define DATA "conftest.stdpath"
4903			]], [[
4904	FILE *fd;
4905	int rc;
4906
4907	fd = fopen(DATA,"w");
4908	if(fd == NULL)
4909		exit(1);
4910
4911	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
4912		exit(1);
4913
4914	exit(0);
4915		]])],
4916		[ user_path=`cat conftest.stdpath` ],
4917		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
4918		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
4919	)
4920# make sure $bindir is in USER_PATH so scp will work
4921		t_bindir="${bindir}"
4922		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
4923			t_bindir=`eval echo ${t_bindir}`
4924			case $t_bindir in
4925				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
4926			esac
4927			case $t_bindir in
4928				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
4929			esac
4930		done
4931		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
4932		if test $? -ne 0  ; then
4933			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
4934			if test $? -ne 0  ; then
4935				user_path=$user_path:$t_bindir
4936				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
4937			fi
4938		fi
4939	fi ]
4940)
4941if test "x$external_path_file" != "x/etc/login.conf" ; then
4942	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
4943	AC_SUBST([user_path])
4944fi
4945
4946# Set superuser path separately to user path
4947AC_ARG_WITH([superuser-path],
4948	[  --with-superuser-path=  Specify different path for super-user],
4949	[
4950		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4951		    test "x${withval}" != "xyes"; then
4952			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
4953				[Define if you want a different $PATH
4954				for the superuser])
4955			superuser_path=$withval
4956		fi
4957	]
4958)
4959
4960
4961AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
4962IPV4_IN6_HACK_MSG="no"
4963AC_ARG_WITH(4in6,
4964	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
4965	[
4966		if test "x$withval" != "xno" ; then
4967			AC_MSG_RESULT([yes])
4968			AC_DEFINE([IPV4_IN_IPV6], [1],
4969				[Detect IPv4 in IPv6 mapped addresses
4970				and treat as IPv4])
4971			IPV4_IN6_HACK_MSG="yes"
4972		else
4973			AC_MSG_RESULT([no])
4974		fi
4975	], [
4976		if test "x$inet6_default_4in6" = "xyes"; then
4977			AC_MSG_RESULT([yes (default)])
4978			AC_DEFINE([IPV4_IN_IPV6])
4979			IPV4_IN6_HACK_MSG="yes"
4980		else
4981			AC_MSG_RESULT([no (default)])
4982		fi
4983	]
4984)
4985
4986# Whether to enable BSD auth support
4987BSD_AUTH_MSG=no
4988AC_ARG_WITH([bsd-auth],
4989	[  --with-bsd-auth         Enable BSD auth support],
4990	[
4991		if test "x$withval" != "xno" ; then
4992			AC_DEFINE([BSD_AUTH], [1],
4993				[Define if you have BSD auth support])
4994			BSD_AUTH_MSG=yes
4995		fi
4996	]
4997)
4998
4999# Where to place sshd.pid
5000piddir=/var/run
5001# make sure the directory exists
5002if test ! -d $piddir ; then
5003	piddir=`eval echo ${sysconfdir}`
5004	case $piddir in
5005		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5006	esac
5007fi
5008
5009AC_ARG_WITH([pid-dir],
5010	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5011	[
5012		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5013		    test "x${withval}" != "xyes"; then
5014			piddir=$withval
5015			if test ! -d $piddir ; then
5016			AC_MSG_WARN([** no $piddir directory on this system **])
5017			fi
5018		fi
5019	]
5020)
5021
5022AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5023	[Specify location of ssh.pid])
5024AC_SUBST([piddir])
5025
5026dnl allow user to disable some login recording features
5027AC_ARG_ENABLE([lastlog],
5028	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5029	[
5030		if test "x$enableval" = "xno" ; then
5031			AC_DEFINE([DISABLE_LASTLOG])
5032		fi
5033	]
5034)
5035AC_ARG_ENABLE([utmp],
5036	[  --disable-utmp          disable use of utmp even if detected [no]],
5037	[
5038		if test "x$enableval" = "xno" ; then
5039			AC_DEFINE([DISABLE_UTMP])
5040		fi
5041	]
5042)
5043AC_ARG_ENABLE([utmpx],
5044	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5045	[
5046		if test "x$enableval" = "xno" ; then
5047			AC_DEFINE([DISABLE_UTMPX], [1],
5048				[Define if you don't want to use utmpx])
5049		fi
5050	]
5051)
5052AC_ARG_ENABLE([wtmp],
5053	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5054	[
5055		if test "x$enableval" = "xno" ; then
5056			AC_DEFINE([DISABLE_WTMP])
5057		fi
5058	]
5059)
5060AC_ARG_ENABLE([wtmpx],
5061	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5062	[
5063		if test "x$enableval" = "xno" ; then
5064			AC_DEFINE([DISABLE_WTMPX], [1],
5065				[Define if you don't want to use wtmpx])
5066		fi
5067	]
5068)
5069AC_ARG_ENABLE([libutil],
5070	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5071	[
5072		if test "x$enableval" = "xno" ; then
5073			AC_DEFINE([DISABLE_LOGIN])
5074		fi
5075	]
5076)
5077AC_ARG_ENABLE([pututline],
5078	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5079	[
5080		if test "x$enableval" = "xno" ; then
5081			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5082				[Define if you don't want to use pututline()
5083				etc. to write [uw]tmp])
5084		fi
5085	]
5086)
5087AC_ARG_ENABLE([pututxline],
5088	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5089	[
5090		if test "x$enableval" = "xno" ; then
5091			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5092				[Define if you don't want to use pututxline()
5093				etc. to write [uw]tmpx])
5094		fi
5095	]
5096)
5097AC_ARG_WITH([lastlog],
5098  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5099	[
5100		if test "x$withval" = "xno" ; then
5101			AC_DEFINE([DISABLE_LASTLOG])
5102		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5103			conf_lastlog_location=$withval
5104		fi
5105	]
5106)
5107
5108dnl lastlog, [uw]tmpx? detection
5109dnl  NOTE: set the paths in the platform section to avoid the
5110dnl   need for command-line parameters
5111dnl lastlog and [uw]tmp are subject to a file search if all else fails
5112
5113dnl lastlog detection
5114dnl  NOTE: the code itself will detect if lastlog is a directory
5115AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5116AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5117#include <sys/types.h>
5118#include <utmp.h>
5119#ifdef HAVE_LASTLOG_H
5120#  include <lastlog.h>
5121#endif
5122#ifdef HAVE_PATHS_H
5123#  include <paths.h>
5124#endif
5125#ifdef HAVE_LOGIN_H
5126# include <login.h>
5127#endif
5128	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5129		[ AC_MSG_RESULT([yes]) ],
5130		[
5131		AC_MSG_RESULT([no])
5132		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5133		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5134#include <sys/types.h>
5135#include <utmp.h>
5136#ifdef HAVE_LASTLOG_H
5137#  include <lastlog.h>
5138#endif
5139#ifdef HAVE_PATHS_H
5140#  include <paths.h>
5141#endif
5142		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5143		[ AC_MSG_RESULT([yes]) ],
5144		[
5145			AC_MSG_RESULT([no])
5146			system_lastlog_path=no
5147		])
5148])
5149
5150if test -z "$conf_lastlog_location"; then
5151	if test x"$system_lastlog_path" = x"no" ; then
5152		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5153				if (test -d "$f" || test -f "$f") ; then
5154					conf_lastlog_location=$f
5155				fi
5156		done
5157		if test -z "$conf_lastlog_location"; then
5158			AC_MSG_WARN([** Cannot find lastlog **])
5159			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5160		fi
5161	fi
5162fi
5163
5164if test -n "$conf_lastlog_location"; then
5165	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5166		[Define if you want to specify the path to your lastlog file])
5167fi
5168
5169dnl utmp detection
5170AC_MSG_CHECKING([if your system defines UTMP_FILE])
5171AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5172#include <sys/types.h>
5173#include <utmp.h>
5174#ifdef HAVE_PATHS_H
5175#  include <paths.h>
5176#endif
5177	]], [[ char *utmp = UTMP_FILE; ]])],
5178	[ AC_MSG_RESULT([yes]) ],
5179	[ AC_MSG_RESULT([no])
5180	  system_utmp_path=no
5181])
5182if test -z "$conf_utmp_location"; then
5183	if test x"$system_utmp_path" = x"no" ; then
5184		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5185			if test -f $f ; then
5186				conf_utmp_location=$f
5187			fi
5188		done
5189		if test -z "$conf_utmp_location"; then
5190			AC_DEFINE([DISABLE_UTMP])
5191		fi
5192	fi
5193fi
5194if test -n "$conf_utmp_location"; then
5195	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5196		[Define if you want to specify the path to your utmp file])
5197fi
5198
5199dnl wtmp detection
5200AC_MSG_CHECKING([if your system defines WTMP_FILE])
5201AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5202#include <sys/types.h>
5203#include <utmp.h>
5204#ifdef HAVE_PATHS_H
5205#  include <paths.h>
5206#endif
5207	]], [[ char *wtmp = WTMP_FILE; ]])],
5208	[ AC_MSG_RESULT([yes]) ],
5209	[ AC_MSG_RESULT([no])
5210	  system_wtmp_path=no
5211])
5212if test -z "$conf_wtmp_location"; then
5213	if test x"$system_wtmp_path" = x"no" ; then
5214		for f in /usr/adm/wtmp /var/log/wtmp; do
5215			if test -f $f ; then
5216				conf_wtmp_location=$f
5217			fi
5218		done
5219		if test -z "$conf_wtmp_location"; then
5220			AC_DEFINE([DISABLE_WTMP])
5221		fi
5222	fi
5223fi
5224if test -n "$conf_wtmp_location"; then
5225	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5226		[Define if you want to specify the path to your wtmp file])
5227fi
5228
5229dnl wtmpx detection
5230AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5231AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5232#include <sys/types.h>
5233#include <utmp.h>
5234#ifdef HAVE_UTMPX_H
5235#include <utmpx.h>
5236#endif
5237#ifdef HAVE_PATHS_H
5238#  include <paths.h>
5239#endif
5240	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5241	[ AC_MSG_RESULT([yes]) ],
5242	[ AC_MSG_RESULT([no])
5243	  system_wtmpx_path=no
5244])
5245if test -z "$conf_wtmpx_location"; then
5246	if test x"$system_wtmpx_path" = x"no" ; then
5247		AC_DEFINE([DISABLE_WTMPX])
5248	fi
5249else
5250	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5251		[Define if you want to specify the path to your wtmpx file])
5252fi
5253
5254
5255if test ! -z "$blibpath" ; then
5256	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5257	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5258fi
5259
5260AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5261    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5262	AC_DEFINE([DISABLE_LASTLOG])
5263    fi
5264	], [
5265#ifdef HAVE_SYS_TYPES_H
5266#include <sys/types.h>
5267#endif
5268#ifdef HAVE_UTMP_H
5269#include <utmp.h>
5270#endif
5271#ifdef HAVE_UTMPX_H
5272#include <utmpx.h>
5273#endif
5274#ifdef HAVE_LASTLOG_H
5275#include <lastlog.h>
5276#endif
5277	])
5278
5279AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5280	AC_DEFINE([DISABLE_UTMP])
5281	AC_DEFINE([DISABLE_WTMP])
5282	], [
5283#ifdef HAVE_SYS_TYPES_H
5284#include <sys/types.h>
5285#endif
5286#ifdef HAVE_UTMP_H
5287#include <utmp.h>
5288#endif
5289#ifdef HAVE_UTMPX_H
5290#include <utmpx.h>
5291#endif
5292#ifdef HAVE_LASTLOG_H
5293#include <lastlog.h>
5294#endif
5295	])
5296
5297dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5298dnl Add now.
5299CFLAGS="$CFLAGS $werror_flags"
5300
5301if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5302	TEST_SSH_IPV6=no
5303else
5304	TEST_SSH_IPV6=yes
5305fi
5306AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5307AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5308AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5309AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5310AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5311AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5312
5313CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5314LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5315
5316AC_EXEEXT
5317AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5318	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5319	survey.sh])
5320AC_OUTPUT
5321
5322# Print summary of options
5323
5324# Someone please show me a better way :)
5325A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5326B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5327C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5328D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5329E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5330F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5331G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5332H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5333I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5334J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5335
5336echo ""
5337echo "OpenSSH has been configured with the following options:"
5338echo "                     User binaries: $B"
5339echo "                   System binaries: $C"
5340echo "               Configuration files: $D"
5341echo "                   Askpass program: $E"
5342echo "                      Manual pages: $F"
5343echo "                          PID file: $G"
5344echo "  Privilege separation chroot path: $H"
5345if test "x$external_path_file" = "x/etc/login.conf" ; then
5346echo "   At runtime, sshd will use the path defined in $external_path_file"
5347echo "   Make sure the path to scp is present, otherwise scp will not work"
5348else
5349echo "            sshd default user PATH: $I"
5350	if test ! -z "$external_path_file"; then
5351echo "   (If PATH is set in $external_path_file it will be used instead. If"
5352echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5353	fi
5354fi
5355if test ! -z "$superuser_path" ; then
5356echo "          sshd superuser user PATH: $J"
5357fi
5358echo "                    Manpage format: $MANTYPE"
5359echo "                       PAM support: $PAM_MSG"
5360echo "                   OSF SIA support: $SIA_MSG"
5361echo "                 KerberosV support: $KRB5_MSG"
5362echo "                   SELinux support: $SELINUX_MSG"
5363echo "              TCP Wrappers support: $TCPW_MSG"
5364echo "              MD5 password support: $MD5_MSG"
5365echo "                   libedit support: $LIBEDIT_MSG"
5366echo "                   libldns support: $LDNS_MSG"
5367echo "  Solaris process contract support: $SPC_MSG"
5368echo "           Solaris project support: $SP_MSG"
5369echo "         Solaris privilege support: $SPP_MSG"
5370echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5371echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5372echo "                  BSD Auth support: $BSD_AUTH_MSG"
5373echo "              Random number source: $RAND_MSG"
5374echo "             Privsep sandbox style: $SANDBOX_STYLE"
5375
5376echo ""
5377
5378echo "              Host: ${host}"
5379echo "          Compiler: ${CC}"
5380echo "    Compiler flags: ${CFLAGS}"
5381echo "Preprocessor flags: ${CPPFLAGS}"
5382echo "      Linker flags: ${LDFLAGS}"
5383echo "         Libraries: ${LIBS}"
5384if test ! -z "${SSHDLIBS}"; then
5385echo "         +for sshd: ${SSHDLIBS}"
5386fi
5387if test ! -z "${SSHLIBS}"; then
5388echo "          +for ssh: ${SSHLIBS}"
5389fi
5390
5391echo ""
5392
5393if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5394	echo "SVR4 style packages are supported with \"make package\""
5395	echo ""
5396fi
5397
5398if test "x$PAM_MSG" = "xyes" ; then
5399	echo "PAM is enabled. You may need to install a PAM control file "
5400	echo "for sshd, otherwise password authentication may fail. "
5401	echo "Example PAM control files can be found in the contrib/ "
5402	echo "subdirectory"
5403	echo ""
5404fi
5405
5406if test ! -z "$NO_PEERCHECK" ; then
5407	echo "WARNING: the operating system that you are using does not"
5408	echo "appear to support getpeereid(), getpeerucred() or the"
5409	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5410	echo "enforce security checks to prevent unauthorised connections to"
5411	echo "ssh-agent. Their absence increases the risk that a malicious"
5412	echo "user can connect to your agent."
5413	echo ""
5414fi
5415
5416if test "$AUDIT_MODULE" = "bsm" ; then
5417	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5418	echo "See the Solaris section in README.platform for details."
5419fi
5420