xref: /freebsd/crypto/openssh/configure.ac (revision f126d349810fdb512c0b01e101342d430b947488)
1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19
20# Check for stale configure as early as possible.
21for i in $srcdir/configure.ac $srcdir/m4/*.m4; do
22	if test "$i" -nt "$srcdir/configure"; then
23		AC_MSG_ERROR([$i newer than configure, run autoreconf])
24	fi
25done
26
27AC_LANG([C])
28
29AC_CONFIG_HEADERS([config.h])
30AC_PROG_CC([cc gcc clang])
31
32# XXX relax this after reimplementing logit() etc.
33AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
34AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
35int f(int a, int b, int c) { return a + b + c; }
36#define F(a, ...) f(a, __VA_ARGS__)
37]], [[return F(1, 2, -3);]])],
38	[ AC_MSG_RESULT([yes]) ],
39	[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
40)
41
42AC_CANONICAL_HOST
43AC_C_BIGENDIAN
44
45# Checks for programs.
46AC_PROG_AWK
47AC_PROG_CPP
48AC_PROG_RANLIB
49AC_PROG_INSTALL
50AC_PROG_EGREP
51AC_PROG_MKDIR_P
52AC_CHECK_TOOLS([AR], [ar])
53AC_PATH_PROG([CAT], [cat])
54AC_PATH_PROG([KILL], [kill])
55AC_PATH_PROG([SED], [sed])
56AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
57AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
58AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
59AC_PATH_PROG([SH], [bash])
60AC_PATH_PROG([SH], [ksh])
61AC_PATH_PROG([SH], [sh])
62AC_PATH_PROG([GROFF], [groff])
63AC_PATH_PROG([NROFF], [nroff awf])
64AC_PATH_PROG([MANDOC], [mandoc])
65AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
66AC_SUBST([TEST_SHELL], [sh])
67
68dnl select manpage formatter to be used to build "cat" format pages.
69if test "x$MANDOC" != "x" ; then
70	MANFMT="$MANDOC"
71elif test "x$NROFF" != "x" ; then
72	MANFMT="$NROFF -mandoc"
73elif test "x$GROFF" != "x" ; then
74	MANFMT="$GROFF -mandoc -Tascii"
75else
76	AC_MSG_WARN([no manpage formatter found])
77	MANFMT="false"
78fi
79AC_SUBST([MANFMT])
80
81dnl for buildpkg.sh
82AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
83	[/usr/sbin${PATH_SEPARATOR}/etc])
84AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
85	[/usr/sbin${PATH_SEPARATOR}/etc])
86AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
87if test -x /sbin/sh; then
88	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
89else
90	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
91fi
92
93# System features
94AC_SYS_LARGEFILE
95
96if test -z "$AR" ; then
97	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
98fi
99
100AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
101if test ! -z "$PATH_PASSWD_PROG" ; then
102	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
103		[Full path of your "passwd" program])
104fi
105
106dnl Since autoconf doesn't support it very well,  we no longer allow users to
107dnl override LD, however keeping the hook here for now in case there's a use
108dnl use case we overlooked and someone needs to re-enable it.  Unless a good
109dnl reason is found we'll be removing this in future.
110LD="$CC"
111AC_SUBST([LD])
112
113AC_C_INLINE
114
115AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
116AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
117AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
118	#include <sys/types.h>
119	#include <sys/param.h>
120	#include <dev/systrace.h>
121])
122AC_CHECK_DECL([RLIMIT_NPROC],
123    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
124	#include <sys/types.h>
125	#include <sys/resource.h>
126])
127AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
128	#include <sys/types.h>
129	#include <linux/prctl.h>
130])
131
132openssl=yes
133AC_ARG_WITH([openssl],
134	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
135	[  if test "x$withval" = "xno" ; then
136		openssl=no
137	   fi
138	]
139)
140AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
141if test "x$openssl" = "xyes" ; then
142	AC_MSG_RESULT([yes])
143	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
144else
145	AC_MSG_RESULT([no])
146fi
147
148use_stack_protector=1
149use_toolchain_hardening=1
150AC_ARG_WITH([stackprotect],
151    [  --without-stackprotect  Don't use compiler's stack protection], [
152    if test "x$withval" = "xno"; then
153	use_stack_protector=0
154    fi ])
155AC_ARG_WITH([hardening],
156    [  --without-hardening     Don't use toolchain hardening flags], [
157    if test "x$withval" = "xno"; then
158	use_toolchain_hardening=0
159    fi ])
160
161# We use -Werror for the tests only so that we catch warnings like "this is
162# on by default" for things like -fPIE.
163AC_MSG_CHECKING([if $CC supports -Werror])
164saved_CFLAGS="$CFLAGS"
165CFLAGS="$CFLAGS -Werror"
166AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
167	[ AC_MSG_RESULT([yes])
168	  WERROR="-Werror"],
169	[ AC_MSG_RESULT([no])
170	  WERROR="" ]
171)
172CFLAGS="$saved_CFLAGS"
173
174if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
175	OSSH_CHECK_CFLAG_COMPILE([-pipe])
176	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
177	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
178	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
179	OSSH_CHECK_CFLAG_COMPILE([-Wall])
180	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
181	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
182	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
183	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
184	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
185	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
186	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
187	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
188	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
189	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
190	OSSH_CHECK_CFLAG_COMPILE([-Wmisleading-indentation])
191	OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
192	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
193    if test "x$use_toolchain_hardening" = "x1"; then
194	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
195	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
196	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
197	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
198	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
199	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
200	# NB. -ftrapv expects certain support functions to be present in
201	# the compiler library (libgcc or similar) to detect integer operations
202	# that can overflow. We must check that the result of enabling it
203	# actually links. The test program compiled/linked includes a number
204	# of integer operations that should exercise this.
205	OSSH_CHECK_CFLAG_LINK([-ftrapv])
206	OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all])
207	OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
208    fi
209	AC_MSG_CHECKING([gcc version])
210	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
211	case $GCC_VER in
212		1.*) no_attrib_nonnull=1 ;;
213		2.8* | 2.9*)
214		     no_attrib_nonnull=1
215		     ;;
216		2.*) no_attrib_nonnull=1 ;;
217		*) ;;
218	esac
219	AC_MSG_RESULT([$GCC_VER])
220
221	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
222	saved_CFLAGS="$CFLAGS"
223	CFLAGS="$CFLAGS -fno-builtin-memset"
224	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
225			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
226		[ AC_MSG_RESULT([yes]) ],
227		[ AC_MSG_RESULT([no])
228		  CFLAGS="$saved_CFLAGS" ]
229	)
230
231	# -fstack-protector-all doesn't always work for some GCC versions
232	# and/or platforms, so we test if we can.  If it's not supported
233	# on a given platform gcc will emit a warning so we use -Werror.
234	if test "x$use_stack_protector" = "x1"; then
235	    for t in -fstack-protector-strong -fstack-protector-all \
236		    -fstack-protector; do
237		AC_MSG_CHECKING([if $CC supports $t])
238		saved_CFLAGS="$CFLAGS"
239		saved_LDFLAGS="$LDFLAGS"
240		CFLAGS="$CFLAGS $t -Werror"
241		LDFLAGS="$LDFLAGS $t -Werror"
242		AC_LINK_IFELSE(
243			[AC_LANG_PROGRAM([[
244	#include <stdio.h>
245	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
246			 ]],
247			[[
248	char x[256];
249	snprintf(x, sizeof(x), "XXX%d", func(1));
250			 ]])],
251		    [ AC_MSG_RESULT([yes])
252		      CFLAGS="$saved_CFLAGS $t"
253		      LDFLAGS="$saved_LDFLAGS $t"
254		      AC_MSG_CHECKING([if $t works])
255		      AC_RUN_IFELSE(
256			[AC_LANG_PROGRAM([[
257	#include <stdio.h>
258	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
259			]],
260			[[
261	char x[256];
262	snprintf(x, sizeof(x), "XXX%d", func(1));
263			]])],
264			[ AC_MSG_RESULT([yes])
265			  break ],
266			[ AC_MSG_RESULT([no]) ],
267			[ AC_MSG_WARN([cross compiling: cannot test])
268			  break ]
269		      )
270		    ],
271		    [ AC_MSG_RESULT([no]) ]
272		)
273		CFLAGS="$saved_CFLAGS"
274		LDFLAGS="$saved_LDFLAGS"
275	    done
276	fi
277
278	if test -z "$have_llong_max"; then
279		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
280		unset ac_cv_have_decl_LLONG_MAX
281		saved_CFLAGS="$CFLAGS"
282		CFLAGS="$CFLAGS -std=gnu99"
283		AC_CHECK_DECL([LLONG_MAX],
284		    [have_llong_max=1],
285		    [CFLAGS="$saved_CFLAGS"],
286		    [#include <limits.h>]
287		)
288	fi
289fi
290
291AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
292AC_COMPILE_IFELSE(
293    [AC_LANG_PROGRAM([[
294#include <stdlib.h>
295__attribute__((__unused__)) static void foo(void){return;}]],
296    [[ exit(0); ]])],
297    [ AC_MSG_RESULT([yes]) ],
298    [ AC_MSG_RESULT([no])
299      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
300	 [compiler does not accept __attribute__ on return types]) ]
301)
302
303AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
304AC_COMPILE_IFELSE(
305    [AC_LANG_PROGRAM([[
306#include <stdlib.h>
307typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
308    [[ exit(0); ]])],
309    [ AC_MSG_RESULT([yes]) ],
310    [ AC_MSG_RESULT([no])
311      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
312	 [compiler does not accept __attribute__ on prototype args]) ]
313)
314
315AC_MSG_CHECKING([if compiler supports variable length arrays])
316AC_COMPILE_IFELSE(
317    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
318    [[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
319    [ AC_MSG_RESULT([yes])
320      AC_DEFINE(VARIABLE_LENGTH_ARRAYS, [1],
321	 [compiler supports variable length arrays]) ],
322    [ AC_MSG_RESULT([no]) ]
323)
324
325AC_MSG_CHECKING([if compiler accepts variable declarations after code])
326AC_COMPILE_IFELSE(
327    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
328    [[ int a; a = 1; int b = 1; exit(a-b); ]])],
329    [ AC_MSG_RESULT([yes])
330      AC_DEFINE(VARIABLE_DECLARATION_AFTER_CODE, [1],
331	 [compiler variable declarations after code]) ],
332    [ AC_MSG_RESULT([no]) ]
333)
334
335if test "x$no_attrib_nonnull" != "x1" ; then
336	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
337fi
338
339AC_ARG_WITH([rpath],
340	[  --without-rpath         Disable auto-added -R linker paths],
341	[
342		if test "x$withval" = "xno" ; then
343			rpath_opt=""
344		elif test "x$withval" = "xyes" ; then
345			rpath_opt="-R"
346		else
347			rpath_opt="$withval"
348		fi
349	]
350)
351
352# Allow user to specify flags
353AC_ARG_WITH([cflags],
354	[  --with-cflags           Specify additional flags to pass to compiler],
355	[
356		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
357		    test "x${withval}" != "xyes"; then
358			CFLAGS="$CFLAGS $withval"
359		fi
360	]
361)
362
363AC_ARG_WITH([cflags-after],
364	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
365	[
366		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
367		    test "x${withval}" != "xyes"; then
368			CFLAGS_AFTER="$withval"
369		fi
370	]
371)
372AC_ARG_WITH([cppflags],
373	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
374	[
375		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
376		    test "x${withval}" != "xyes"; then
377			CPPFLAGS="$CPPFLAGS $withval"
378		fi
379	]
380)
381AC_ARG_WITH([ldflags],
382	[  --with-ldflags          Specify additional flags to pass to linker],
383	[
384		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
385		    test "x${withval}" != "xyes"; then
386			LDFLAGS="$LDFLAGS $withval"
387		fi
388	]
389)
390AC_ARG_WITH([ldflags-after],
391	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
392	[
393		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
394		    test "x${withval}" != "xyes"; then
395			LDFLAGS_AFTER="$withval"
396		fi
397	]
398)
399AC_ARG_WITH([libs],
400	[  --with-libs             Specify additional libraries to link with],
401	[
402		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
403		    test "x${withval}" != "xyes"; then
404			LIBS="$LIBS $withval"
405		fi
406	]
407)
408AC_ARG_WITH([Werror],
409	[  --with-Werror           Build main code with -Werror],
410	[
411		if test -n "$withval"  &&  test "x$withval" != "xno"; then
412			werror_flags="-Werror"
413			if test "x${withval}" != "xyes"; then
414				werror_flags="$withval"
415			fi
416		fi
417	]
418)
419
420AC_CHECK_HEADERS([ \
421	blf.h \
422	bstring.h \
423	crypt.h \
424	crypto/sha2.h \
425	dirent.h \
426	endian.h \
427	elf.h \
428	err.h \
429	features.h \
430	fcntl.h \
431	floatingpoint.h \
432	fnmatch.h \
433	getopt.h \
434	glob.h \
435	ia.h \
436	iaf.h \
437	ifaddrs.h \
438	inttypes.h \
439	langinfo.h \
440	limits.h \
441	locale.h \
442	login.h \
443	maillock.h \
444	ndir.h \
445	net/if_tun.h \
446	netdb.h \
447	netgroup.h \
448	pam/pam_appl.h \
449	paths.h \
450	poll.h \
451	pty.h \
452	readpassphrase.h \
453	rpc/types.h \
454	security/pam_appl.h \
455	sha2.h \
456	shadow.h \
457	stddef.h \
458	stdint.h \
459	string.h \
460	strings.h \
461	sys/bitypes.h \
462	sys/byteorder.h \
463	sys/bsdtty.h \
464	sys/cdefs.h \
465	sys/dir.h \
466	sys/file.h \
467	sys/mman.h \
468	sys/label.h \
469	sys/ndir.h \
470	sys/param.h \
471	sys/poll.h \
472	sys/prctl.h \
473	sys/procctl.h \
474	sys/pstat.h \
475	sys/ptrace.h \
476	sys/random.h \
477	sys/select.h \
478	sys/stat.h \
479	sys/stream.h \
480	sys/stropts.h \
481	sys/strtio.h \
482	sys/statvfs.h \
483	sys/sysmacros.h \
484	sys/time.h \
485	sys/timers.h \
486	sys/vfs.h \
487	time.h \
488	tmpdir.h \
489	ttyent.h \
490	ucred.h \
491	unistd.h \
492	usersec.h \
493	util.h \
494	utime.h \
495	utmp.h \
496	utmpx.h \
497	vis.h \
498	wchar.h \
499])
500
501# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
502# to be included first.
503AC_CHECK_HEADERS([sys/audit.h], [], [], [
504#ifdef HAVE_SYS_TIME_H
505# include <sys/time.h>
506#endif
507#ifdef HAVE_SYS_TYPES_H
508# include <sys/types.h>
509#endif
510#ifdef HAVE_SYS_LABEL_H
511# include <sys/label.h>
512#endif
513])
514
515# sys/capsicum.h requires sys/types.h
516AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
517#ifdef HAVE_SYS_TYPES_H
518# include <sys/types.h>
519#endif
520])
521
522AC_MSG_CHECKING([for caph_cache_tzdata])
523AC_LINK_IFELSE(
524    [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
525	[[caph_cache_tzdata();]])],
526    [
527	AC_MSG_RESULT([yes])
528	AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1],
529	    [Define if you have caph_cache_tzdata])
530    ],
531    [ AC_MSG_RESULT([no]) ]
532)
533
534# net/route.h requires sys/socket.h and sys/types.h.
535# sys/sysctl.h also requires sys/param.h
536AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
537#ifdef HAVE_SYS_TYPES_H
538# include <sys/types.h>
539#endif
540#include <sys/param.h>
541#include <sys/socket.h>
542])
543
544# lastlog.h requires sys/time.h to be included first on Solaris
545AC_CHECK_HEADERS([lastlog.h], [], [], [
546#ifdef HAVE_SYS_TIME_H
547# include <sys/time.h>
548#endif
549])
550
551# sys/ptms.h requires sys/stream.h to be included first on Solaris
552AC_CHECK_HEADERS([sys/ptms.h], [], [], [
553#ifdef HAVE_SYS_STREAM_H
554# include <sys/stream.h>
555#endif
556])
557
558# login_cap.h requires sys/types.h on NetBSD
559AC_CHECK_HEADERS([login_cap.h], [], [], [
560#include <sys/types.h>
561])
562
563# older BSDs need sys/param.h before sys/mount.h
564AC_CHECK_HEADERS([sys/mount.h], [], [], [
565#include <sys/param.h>
566])
567
568# Android requires sys/socket.h to be included before sys/un.h
569AC_CHECK_HEADERS([sys/un.h], [], [], [
570#include <sys/types.h>
571#include <sys/socket.h>
572])
573
574# Messages for features tested for in target-specific section
575SIA_MSG="no"
576SPC_MSG="no"
577SP_MSG="no"
578SPP_MSG="no"
579
580# Support for Solaris/Illumos privileges (this test is used by both
581# the --with-solaris-privs option and --with-sandbox=solaris).
582SOLARIS_PRIVS="no"
583
584# Check for some target-specific stuff
585case "$host" in
586*-*-aix*)
587	# Some versions of VAC won't allow macro redefinitions at
588	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
589	# particularly with older versions of vac or xlc.
590	# It also throws errors about null macro arguments, but these are
591	# not fatal.
592	AC_MSG_CHECKING([if compiler allows macro redefinitions])
593	AC_COMPILE_IFELSE(
594	    [AC_LANG_PROGRAM([[
595#define testmacro foo
596#define testmacro bar]],
597	    [[ exit(0); ]])],
598	    [ AC_MSG_RESULT([yes]) ],
599	    [ AC_MSG_RESULT([no])
600	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
601	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
602	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
603	    ]
604	)
605
606	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
607	if (test -z "$blibpath"); then
608		blibpath="/usr/lib:/lib"
609	fi
610	saved_LDFLAGS="$LDFLAGS"
611	if test "$GCC" = "yes"; then
612		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
613	else
614		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
615	fi
616	for tryflags in $flags ;do
617		if (test -z "$blibflags"); then
618			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
619			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
620			[blibflags=$tryflags], [])
621		fi
622	done
623	if (test -z "$blibflags"); then
624		AC_MSG_RESULT([not found])
625		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
626	else
627		AC_MSG_RESULT([$blibflags])
628	fi
629	LDFLAGS="$saved_LDFLAGS"
630	dnl Check for authenticate.  Might be in libs.a on older AIXes
631	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
632		[Define if you want to enable AIX4's authenticate function])],
633		[AC_CHECK_LIB([s], [authenticate],
634			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
635				LIBS="$LIBS -ls"
636			])
637		])
638	dnl Check for various auth function declarations in headers.
639	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
640	    passwdexpired, setauthdb], , , [#include <usersec.h>])
641	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
642	AC_CHECK_DECLS([loginfailed],
643	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
644	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
645		[[ (void)loginfailed("user","host","tty",0); ]])],
646		[AC_MSG_RESULT([yes])
647		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
648			[Define if your AIX loginfailed() function
649			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
650	    ])],
651	    [],
652	    [#include <usersec.h>]
653	)
654	AC_CHECK_FUNCS([getgrset setauthdb])
655	AC_CHECK_DECL([F_CLOSEM],
656	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
657	    [],
658	    [ #include <limits.h>
659	      #include <fcntl.h> ]
660	)
661	check_for_aix_broken_getaddrinfo=1
662	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
663	    [Define if your platform breaks doing a seteuid before a setuid])
664	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
665	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
666	dnl AIX handles lastlog as part of its login message
667	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
668	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
669		[Some systems need a utmpx entry for /bin/login to work])
670	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
671		[Define to a Set Process Title type if your system is
672		supported by bsd-setproctitle.c])
673	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
674	    [AIX 5.2 and 5.3 (and presumably newer) require this])
675	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
676	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
677	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
678	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
679	;;
680*-*-android*)
681	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
682	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
683	;;
684*-*-cygwin*)
685	LIBS="$LIBS /usr/lib/textreadmode.o"
686	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
687	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
688	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
689		[Define to disable UID restoration test])
690	AC_DEFINE([DISABLE_SHADOW], [1],
691		[Define if you want to disable shadow passwords])
692	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
693		[Define if X11 doesn't support AF_UNIX sockets on that system])
694	AC_DEFINE([DISABLE_FD_PASSING], [1],
695		[Define if your platform needs to skip post auth
696		file descriptor passing])
697	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
698	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
699	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
700	# reasons which cause compile warnings, so we disable those warnings.
701	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
702	;;
703*-*-dgux*)
704	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
705		[Define if your system choked on IP TOS setting])
706	AC_DEFINE([SETEUID_BREAKS_SETUID])
707	AC_DEFINE([BROKEN_SETREUID])
708	AC_DEFINE([BROKEN_SETREGID])
709	;;
710*-*-darwin*)
711	use_pie=auto
712	AC_MSG_CHECKING([if we have working getaddrinfo])
713	AC_RUN_IFELSE([AC_LANG_SOURCE([[
714#include <mach-o/dyld.h>
715#include <stdlib.h>
716main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
717		exit(0);
718	else
719		exit(1);
720}
721			]])],
722	[AC_MSG_RESULT([working])],
723	[AC_MSG_RESULT([buggy])
724	AC_DEFINE([BROKEN_GETADDRINFO], [1],
725		[getaddrinfo is broken (if present)])
726	],
727	[AC_MSG_RESULT([assume it is working])])
728	AC_DEFINE([SETEUID_BREAKS_SETUID])
729	AC_DEFINE([BROKEN_SETREUID])
730	AC_DEFINE([BROKEN_SETREGID])
731	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
732	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
733		[Define if your resolver libs need this for getrrsetbyname])
734	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
735	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
736	    [Use tunnel device compatibility to OpenBSD])
737	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
738	    [Prepend the address family to IP tunnel traffic])
739	m4_pattern_allow([AU_IPv])
740	AC_CHECK_DECL([AU_IPv4], [],
741	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
742	    [#include <bsm/audit.h>]
743	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
744	    [Define if pututxline updates lastlog too])
745	)
746	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
747		[Define to a Set Process Title type if your system is
748		supported by bsd-setproctitle.c])
749	AC_CHECK_FUNCS([sandbox_init])
750	AC_CHECK_HEADERS([sandbox.h])
751	AC_CHECK_LIB([sandbox], [sandbox_apply], [
752	    SSHDLIBS="$SSHDLIBS -lsandbox"
753	])
754	# proc_pidinfo()-based closefrom() replacement.
755	AC_CHECK_HEADERS([libproc.h])
756	AC_CHECK_FUNCS([proc_pidinfo])
757	# poll(2) is broken for character-special devices (at least).
758	# cf. Apple bug 3710161 (not public, but searchable)
759	AC_DEFINE([BROKEN_POLL], [1],
760	    [System poll(2) implementation is broken])
761	;;
762*-*-dragonfly*)
763	SSHDLIBS="$SSHDLIBS"
764	TEST_MALLOC_OPTIONS="AFGJPRX"
765	;;
766*-*-haiku*)
767	LIBS="$LIBS -lbsd "
768	CFLAGS="$CFLAGS -D_BSD_SOURCE"
769	AC_CHECK_LIB([network], [socket])
770	AC_DEFINE([HAVE_U_INT64_T])
771	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
772	MANTYPE=man
773	;;
774*-*-hpux*)
775	# first we define all of the options common to all HP-UX releases
776	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
777	IPADDR_IN_DISPLAY=yes
778	AC_DEFINE([USE_PIPES])
779	AC_DEFINE([LOGIN_NEEDS_UTMPX])
780	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
781		[String used in /etc/passwd to denote locked account])
782	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
783	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
784	maildir="/var/mail"
785	LIBS="$LIBS -lsec"
786	AC_CHECK_LIB([xnet], [t_error], ,
787	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
788
789	# next, we define all of the options specific to major releases
790	case "$host" in
791	*-*-hpux10*)
792		if test -z "$GCC"; then
793			CFLAGS="$CFLAGS -Ae"
794		fi
795		AC_DEFINE([BROKEN_GETLINE], [1], [getline is not what we expect])
796		;;
797	*-*-hpux11*)
798		AC_DEFINE([PAM_SUN_CODEBASE], [1],
799			[Define if you are using Solaris-derived PAM which
800			passes pam_messages to the conversation function
801			with an extra level of indirection])
802		AC_DEFINE([DISABLE_UTMP], [1],
803			[Define if you don't want to use utmp])
804		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
805		check_for_hpux_broken_getaddrinfo=1
806		check_for_conflicting_getspnam=1
807		;;
808	esac
809
810	# lastly, we define options specific to minor releases
811	case "$host" in
812	*-*-hpux10.26)
813		AC_DEFINE([HAVE_SECUREWARE], [1],
814			[Define if you have SecureWare-based
815			protected password database])
816		disable_ptmx_check=yes
817		LIBS="$LIBS -lsecpw"
818		;;
819	esac
820	;;
821*-*-irix5*)
822	PATH="$PATH:/usr/etc"
823	AC_DEFINE([BROKEN_INET_NTOA], [1],
824		[Define if you system's inet_ntoa is busted
825		(e.g. Irix gcc issue)])
826	AC_DEFINE([SETEUID_BREAKS_SETUID])
827	AC_DEFINE([BROKEN_SETREUID])
828	AC_DEFINE([BROKEN_SETREGID])
829	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
830		[Define if you shouldn't strip 'tty' from your
831		ttyname in [uw]tmp])
832	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
833	;;
834*-*-irix6*)
835	PATH="$PATH:/usr/etc"
836	AC_DEFINE([WITH_IRIX_ARRAY], [1],
837		[Define if you have/want arrays
838		(cluster-wide session management, not C arrays)])
839	AC_DEFINE([WITH_IRIX_PROJECT], [1],
840		[Define if you want IRIX project management])
841	AC_DEFINE([WITH_IRIX_AUDIT], [1],
842		[Define if you want IRIX audit trails])
843	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
844		[Define if you want IRIX kernel jobs])])
845	AC_DEFINE([BROKEN_INET_NTOA])
846	AC_DEFINE([SETEUID_BREAKS_SETUID])
847	AC_DEFINE([BROKEN_SETREUID])
848	AC_DEFINE([BROKEN_SETREGID])
849	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
850	AC_DEFINE([WITH_ABBREV_NO_TTY])
851	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
852	;;
853*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
854	AC_DEFINE([PAM_TTY_KLUDGE])
855	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
856	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
857	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
858	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
859	;;
860*-*-linux*)
861	no_dev_ptmx=1
862	use_pie=auto
863	check_for_openpty_ctty_bug=1
864	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
865	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
866	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
867	AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
868	AC_DEFINE([PAM_TTY_KLUDGE], [1],
869		[Work around problematic Linux PAM modules handling of PAM_TTY])
870	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
871		[String used in /etc/passwd to denote locked account])
872	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
873	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
874		[Define to whatever link() returns for "not supported"
875		if it doesn't return EOPNOTSUPP.])
876	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
877	AC_DEFINE([USE_BTMP])
878	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
879	inet6_default_4in6=yes
880	case `uname -r` in
881	1.*|2.0.*)
882		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
883			[Define if cmsg_type is not passed correctly])
884		;;
885	esac
886	# tun(4) forwarding compat code
887	AC_CHECK_HEADERS([linux/if_tun.h])
888	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
889		AC_DEFINE([SSH_TUN_LINUX], [1],
890		    [Open tunnel devices the Linux tun/tap way])
891		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
892		    [Use tunnel device compatibility to OpenBSD])
893		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
894		    [Prepend the address family to IP tunnel traffic])
895	fi
896	AC_CHECK_HEADER([linux/if.h],
897	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
898		[Support routing domains using Linux VRF]), [], [
899#ifdef HAVE_SYS_TYPES_H
900# include <sys/types.h>
901#endif
902	    ])
903	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
904	    [], [#include <linux/types.h>])
905	# Obtain MIPS ABI
906	case "$host" in
907	mips*)
908		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
909#if _MIPS_SIM != _ABIO32
910#error
911#endif
912			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
913#if _MIPS_SIM != _ABIN32
914#error
915#endif
916				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
917#if _MIPS_SIM != _ABI64
918#error
919#endif
920					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
921				])
922			])
923		])
924		;;
925	esac
926	AC_MSG_CHECKING([for seccomp architecture])
927	seccomp_audit_arch=
928	case "$host" in
929	x86_64-*)
930		seccomp_audit_arch=AUDIT_ARCH_X86_64
931		;;
932	i*86-*)
933		seccomp_audit_arch=AUDIT_ARCH_I386
934		;;
935	arm*-*)
936		seccomp_audit_arch=AUDIT_ARCH_ARM
937		;;
938	aarch64*-*)
939		seccomp_audit_arch=AUDIT_ARCH_AARCH64
940		;;
941	s390x-*)
942		seccomp_audit_arch=AUDIT_ARCH_S390X
943		;;
944	s390-*)
945		seccomp_audit_arch=AUDIT_ARCH_S390
946		;;
947	powerpc-*)
948		seccomp_audit_arch=AUDIT_ARCH_PPC
949		;;
950	powerpc64-*)
951		seccomp_audit_arch=AUDIT_ARCH_PPC64
952		;;
953	powerpc64le-*)
954		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
955		;;
956	mips-*)
957		seccomp_audit_arch=AUDIT_ARCH_MIPS
958		;;
959	mipsel-*)
960		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
961		;;
962	mips64-*)
963		case "$mips_abi" in
964		"n32")
965			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
966			;;
967		"n64")
968			seccomp_audit_arch=AUDIT_ARCH_MIPS64
969			;;
970		esac
971		;;
972	mips64el-*)
973		case "$mips_abi" in
974		"n32")
975			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
976			;;
977		"n64")
978			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
979			;;
980		esac
981		;;
982	riscv64-*)
983		seccomp_audit_arch=AUDIT_ARCH_RISCV64
984		;;
985	esac
986	if test "x$seccomp_audit_arch" != "x" ; then
987		AC_MSG_RESULT(["$seccomp_audit_arch"])
988		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
989		    [Specify the system call convention in use])
990	else
991		AC_MSG_RESULT([architecture not supported])
992	fi
993	;;
994*-*-minix)
995	AC_DEFINE([SETEUID_BREAKS_SETUID])
996	# poll(2) seems to choke on /dev/null; "Bad file descriptor"
997	AC_DEFINE([BROKEN_POLL], [1],
998	    [System poll(2) implementation is broken])
999	;;
1000mips-sony-bsd|mips-sony-newsos4)
1001	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
1002	SONY=1
1003	;;
1004*-*-netbsd*)
1005	if test "x$withval" != "xno" ; then
1006		rpath_opt="-R"
1007	fi
1008	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
1009	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
1010	AC_CHECK_HEADER([net/if_tap.h], ,
1011	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
1012	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
1013	    [Prepend the address family to IP tunnel traffic])
1014	TEST_MALLOC_OPTIONS="AJRX"
1015	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
1016	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
1017	;;
1018*-*-freebsd*)
1019	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
1020	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
1021	AC_CHECK_HEADER([net/if_tap.h], ,
1022	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
1023	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
1024	TEST_MALLOC_OPTIONS="AJRX"
1025	# Preauth crypto occasionally uses file descriptors for crypto offload
1026	# and will crash if they cannot be opened.
1027	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
1028	    [define if setrlimit RLIMIT_NOFILE breaks things])
1029	case "$host" in
1030	*-*-freebsd9.*|*-*-freebsd10.*)
1031		# Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
1032		disable_capsicum=yes
1033	esac
1034	;;
1035*-*-bsdi*)
1036	AC_DEFINE([SETEUID_BREAKS_SETUID])
1037	AC_DEFINE([BROKEN_SETREUID])
1038	AC_DEFINE([BROKEN_SETREGID])
1039	;;
1040*-next-*)
1041	conf_lastlog_location="/usr/adm/lastlog"
1042	conf_utmp_location=/etc/utmp
1043	conf_wtmp_location=/usr/adm/wtmp
1044	maildir=/usr/spool/mail
1045	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
1046	AC_DEFINE([USE_PIPES])
1047	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
1048	;;
1049*-*-openbsd*)
1050	use_pie=auto
1051	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
1052	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
1053	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
1054	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
1055	    [syslog_r function is safe to use in in a signal handler])
1056	TEST_MALLOC_OPTIONS="AFGJPRX"
1057	;;
1058*-*-solaris*)
1059	if test "x$withval" != "xno" ; then
1060		rpath_opt="-R"
1061	fi
1062	AC_DEFINE([PAM_SUN_CODEBASE])
1063	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1064	AC_DEFINE([PAM_TTY_KLUDGE])
1065	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1066		[Define if pam_chauthtok wants real uid set
1067		to the unpriv'ed user])
1068	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1069	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1070	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1071		[Define if sshd somehow reacquires a controlling TTY
1072		after setsid()])
1073	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1074		in case the name is longer than 8 chars])
1075	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1076	external_path_file=/etc/default/login
1077	# hardwire lastlog location (can't detect it on some versions)
1078	conf_lastlog_location="/var/adm/lastlog"
1079	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1080	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1081	if test "$sol2ver" -ge 8; then
1082		AC_MSG_RESULT([yes])
1083		AC_DEFINE([DISABLE_UTMP])
1084		AC_DEFINE([DISABLE_WTMP], [1],
1085			[Define if you don't want to use wtmp])
1086	else
1087		AC_MSG_RESULT([no])
1088	fi
1089	AC_CHECK_FUNCS([setpflags])
1090	AC_CHECK_FUNCS([setppriv])
1091	AC_CHECK_FUNCS([priv_basicset])
1092	AC_CHECK_HEADERS([priv.h])
1093	AC_ARG_WITH([solaris-contracts],
1094		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1095		[
1096		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1097			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1098				[Define if you have Solaris process contracts])
1099			  LIBS="$LIBS -lcontract"
1100			  SPC_MSG="yes" ], )
1101		],
1102	)
1103	AC_ARG_WITH([solaris-projects],
1104		[  --with-solaris-projects Enable Solaris projects (experimental)],
1105		[
1106		AC_CHECK_LIB([project], [setproject],
1107			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1108				[Define if you have Solaris projects])
1109			LIBS="$LIBS -lproject"
1110			SP_MSG="yes" ], )
1111		],
1112	)
1113	AC_ARG_WITH([solaris-privs],
1114		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1115		[
1116		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1117		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1118			"x$ac_cv_header_priv_h" = "xyes" ; then
1119			SOLARIS_PRIVS=yes
1120			AC_MSG_RESULT([found])
1121			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1122				[Define to disable UID restoration test])
1123			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1124				[Define if you have Solaris privileges])
1125			SPP_MSG="yes"
1126		else
1127			AC_MSG_RESULT([not found])
1128			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1129		fi
1130		],
1131	)
1132	TEST_SHELL=$SHELL	# let configure find us a capable shell
1133	;;
1134*-*-sunos4*)
1135	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1136	AC_CHECK_FUNCS([getpwanam])
1137	AC_DEFINE([PAM_SUN_CODEBASE])
1138	conf_utmp_location=/etc/utmp
1139	conf_wtmp_location=/var/adm/wtmp
1140	conf_lastlog_location=/var/adm/lastlog
1141	AC_DEFINE([USE_PIPES])
1142	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1143	;;
1144*-ncr-sysv*)
1145	LIBS="$LIBS -lc89"
1146	AC_DEFINE([USE_PIPES])
1147	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1148	AC_DEFINE([SETEUID_BREAKS_SETUID])
1149	AC_DEFINE([BROKEN_SETREUID])
1150	AC_DEFINE([BROKEN_SETREGID])
1151	;;
1152*-sni-sysv*)
1153	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1154	AC_CHECK_LIB([dl], [dlsym], ,)
1155	# -lresolv needs to be at the end of LIBS or DNS lookups break
1156	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1157	IPADDR_IN_DISPLAY=yes
1158	AC_DEFINE([USE_PIPES])
1159	AC_DEFINE([IP_TOS_IS_BROKEN])
1160	AC_DEFINE([SETEUID_BREAKS_SETUID])
1161	AC_DEFINE([BROKEN_SETREUID])
1162	AC_DEFINE([BROKEN_SETREGID])
1163	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1164	external_path_file=/etc/default/login
1165	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1166	# Attention: always take care to bind libsocket and libnsl before libc,
1167	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1168	;;
1169# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1170*-*-sysv4.2*)
1171	AC_DEFINE([USE_PIPES])
1172	AC_DEFINE([SETEUID_BREAKS_SETUID])
1173	AC_DEFINE([BROKEN_SETREUID])
1174	AC_DEFINE([BROKEN_SETREGID])
1175	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1176	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1177	TEST_SHELL=$SHELL	# let configure find us a capable shell
1178	;;
1179# UnixWare 7.x, OpenUNIX 8
1180*-*-sysv5*)
1181	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1182	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1183	AC_DEFINE([USE_PIPES])
1184	AC_DEFINE([SETEUID_BREAKS_SETUID])
1185	AC_DEFINE([BROKEN_GETADDRINFO])
1186	AC_DEFINE([BROKEN_SETREUID])
1187	AC_DEFINE([BROKEN_SETREGID])
1188	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1189	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1190	TEST_SHELL=$SHELL	# let configure find us a capable shell
1191	case "$host" in
1192	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1193		maildir=/var/spool/mail
1194		AC_DEFINE([BROKEN_UPDWTMPX])
1195		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1196			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1197			], , )
1198		;;
1199	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1200		;;
1201	esac
1202	;;
1203*-*-sysv*)
1204	;;
1205# SCO UNIX and OEM versions of SCO UNIX
1206*-*-sco3.2v4*)
1207	AC_MSG_ERROR("This Platform is no longer supported.")
1208	;;
1209# SCO OpenServer 5.x
1210*-*-sco3.2v5*)
1211	if test -z "$GCC"; then
1212		CFLAGS="$CFLAGS -belf"
1213	fi
1214	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1215	no_dev_ptmx=1
1216	AC_DEFINE([USE_PIPES])
1217	AC_DEFINE([HAVE_SECUREWARE])
1218	AC_DEFINE([DISABLE_SHADOW])
1219	AC_DEFINE([DISABLE_FD_PASSING])
1220	AC_DEFINE([SETEUID_BREAKS_SETUID])
1221	AC_DEFINE([BROKEN_GETADDRINFO])
1222	AC_DEFINE([BROKEN_SETREUID])
1223	AC_DEFINE([BROKEN_SETREGID])
1224	AC_DEFINE([WITH_ABBREV_NO_TTY])
1225	AC_DEFINE([BROKEN_UPDWTMPX])
1226	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1227	AC_CHECK_FUNCS([getluid setluid])
1228	MANTYPE=man
1229	TEST_SHELL=$SHELL	# let configure find us a capable shell
1230	SKIP_DISABLE_LASTLOG_DEFINE=yes
1231	;;
1232*-dec-osf*)
1233	AC_MSG_CHECKING([for Digital Unix SIA])
1234	no_osfsia=""
1235	AC_ARG_WITH([osfsia],
1236		[  --with-osfsia           Enable Digital Unix SIA],
1237		[
1238			if test "x$withval" = "xno" ; then
1239				AC_MSG_RESULT([disabled])
1240				no_osfsia=1
1241			fi
1242		],
1243	)
1244	if test -z "$no_osfsia" ; then
1245		if test -f /etc/sia/matrix.conf; then
1246			AC_MSG_RESULT([yes])
1247			AC_DEFINE([HAVE_OSF_SIA], [1],
1248				[Define if you have Digital Unix Security
1249				Integration Architecture])
1250			AC_DEFINE([DISABLE_LOGIN], [1],
1251				[Define if you don't want to use your
1252				system's login() call])
1253			AC_DEFINE([DISABLE_FD_PASSING])
1254			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1255			SIA_MSG="yes"
1256		else
1257			AC_MSG_RESULT([no])
1258			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1259			  [String used in /etc/passwd to denote locked account])
1260		fi
1261	fi
1262	AC_DEFINE([BROKEN_GETADDRINFO])
1263	AC_DEFINE([SETEUID_BREAKS_SETUID])
1264	AC_DEFINE([BROKEN_SETREUID])
1265	AC_DEFINE([BROKEN_SETREGID])
1266	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1267	;;
1268
1269*-*-nto-qnx*)
1270	AC_DEFINE([USE_PIPES])
1271	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1272	AC_DEFINE([DISABLE_LASTLOG])
1273	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1274	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1275	enable_etc_default_login=no	# has incompatible /etc/default/login
1276	case "$host" in
1277	*-*-nto-qnx6*)
1278		AC_DEFINE([DISABLE_FD_PASSING])
1279		;;
1280	esac
1281	;;
1282
1283*-*-ultrix*)
1284	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1285	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1286	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1287	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1288	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1289	# don't get a controlling tty.
1290	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1291	# On Ultrix some headers are not protected against multiple includes,
1292	# so we create wrappers and put it where the compiler will find it.
1293	AC_MSG_WARN([creating compat wrappers for headers])
1294	mkdir -p netinet
1295	for header in netinet/ip.h netdb.h resolv.h; do
1296		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1297		cat >$header <<EOD
1298#ifndef _SSH_COMPAT_${name}
1299#define _SSH_COMPAT_${name}
1300#include "/usr/include/${header}"
1301#endif
1302EOD
1303	done
1304	;;
1305
1306*-*-lynxos)
1307	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1308	AC_DEFINE([BROKEN_SETVBUF], [1],
1309	    [LynxOS has broken setvbuf() implementation])
1310	;;
1311esac
1312
1313AC_MSG_CHECKING([compiler and flags for sanity])
1314AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
1315	[	AC_MSG_RESULT([yes]) ],
1316	[
1317		AC_MSG_RESULT([no])
1318		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1319	],
1320	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1321)
1322
1323dnl Checks for header files.
1324# Checks for libraries.
1325AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1326
1327dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1328AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1329	AC_CHECK_LIB([gen], [dirname], [
1330		AC_CACHE_CHECK([for broken dirname],
1331			ac_cv_have_broken_dirname, [
1332			save_LIBS="$LIBS"
1333			LIBS="$LIBS -lgen"
1334			AC_RUN_IFELSE(
1335				[AC_LANG_SOURCE([[
1336#include <libgen.h>
1337#include <string.h>
1338#include <stdlib.h>
1339
1340int main(int argc, char **argv) {
1341    char *s, buf[32];
1342
1343    strncpy(buf,"/etc", 32);
1344    s = dirname(buf);
1345    if (!s || strncmp(s, "/", 32) != 0) {
1346	exit(1);
1347    } else {
1348	exit(0);
1349    }
1350}
1351				]])],
1352				[ ac_cv_have_broken_dirname="no" ],
1353				[ ac_cv_have_broken_dirname="yes" ],
1354				[ ac_cv_have_broken_dirname="no" ],
1355			)
1356			LIBS="$save_LIBS"
1357		])
1358		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1359			LIBS="$LIBS -lgen"
1360			AC_DEFINE([HAVE_DIRNAME])
1361			AC_CHECK_HEADERS([libgen.h])
1362		fi
1363	])
1364])
1365
1366AC_CHECK_FUNC([getspnam], ,
1367	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1368AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1369	[Define if you have the basename function.])])
1370
1371dnl zlib defaults to enabled
1372zlib=yes
1373AC_ARG_WITH([zlib],
1374	[  --with-zlib=PATH        Use zlib in PATH],
1375	[ if test "x$withval" = "xno" ; then
1376		zlib=no
1377	  elif test "x$withval" != "xyes"; then
1378		if test -d "$withval/lib"; then
1379			if test -n "${rpath_opt}"; then
1380				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1381			else
1382				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1383			fi
1384		else
1385			if test -n "${rpath_opt}"; then
1386				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1387			else
1388				LDFLAGS="-L${withval} ${LDFLAGS}"
1389			fi
1390		fi
1391		if test -d "$withval/include"; then
1392			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1393		else
1394			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1395		fi
1396	fi ]
1397)
1398
1399# These libraries are needed for anything that links in the channel code.
1400CHANNELLIBS=""
1401AC_MSG_CHECKING([for zlib])
1402if test "x${zlib}" = "xno"; then
1403	AC_MSG_RESULT([no])
1404else
1405    saved_LIBS="$LIBS"
1406    CHANNELLIBS="$CHANNELLIBS -lz"
1407    AC_MSG_RESULT([yes])
1408    AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1409    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1410    AC_CHECK_LIB([z], [deflate], [],
1411	[
1412		saved_CPPFLAGS="$CPPFLAGS"
1413		saved_LDFLAGS="$LDFLAGS"
1414		dnl Check default zlib install dir
1415		if test -n "${rpath_opt}"; then
1416			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1417		else
1418			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1419		fi
1420		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1421		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1422			[
1423				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1424			]
1425		)
1426	]
1427    )
1428
1429    AC_ARG_WITH([zlib-version-check],
1430	[  --without-zlib-version-check Disable zlib version check],
1431	[  if test "x$withval" = "xno" ; then
1432		zlib_check_nonfatal=1
1433	   fi
1434	]
1435    )
1436
1437    AC_MSG_CHECKING([for possibly buggy zlib])
1438    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1439#include <stdio.h>
1440#include <stdlib.h>
1441#include <zlib.h>
1442	]],
1443	[[
1444	int a=0, b=0, c=0, d=0, n, v;
1445	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1446	if (n != 3 && n != 4)
1447		exit(1);
1448	v = a*1000000 + b*10000 + c*100 + d;
1449	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1450
1451	/* 1.1.4 is OK */
1452	if (a == 1 && b == 1 && c >= 4)
1453		exit(0);
1454
1455	/* 1.2.3 and up are OK */
1456	if (v >= 1020300)
1457		exit(0);
1458
1459	exit(2);
1460	]])],
1461	AC_MSG_RESULT([no]),
1462	[ AC_MSG_RESULT([yes])
1463	  if test -z "$zlib_check_nonfatal" ; then
1464		AC_MSG_ERROR([*** zlib too old - check config.log ***
1465Your reported zlib version has known security problems.  It's possible your
1466vendor has fixed these problems without changing the version number.  If you
1467are sure this is the case, you can disable the check by running
1468"./configure --without-zlib-version-check".
1469If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1470See http://www.gzip.org/zlib/ for details.])
1471	  else
1472		AC_MSG_WARN([zlib version may have security problems])
1473	  fi
1474	],
1475	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1476    )
1477    LIBS="$saved_LIBS"
1478fi
1479
1480dnl UnixWare 2.x
1481AC_CHECK_FUNC([strcasecmp],
1482	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1483)
1484AC_CHECK_FUNCS([utimes],
1485	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1486					LIBS="$LIBS -lc89"]) ]
1487)
1488
1489dnl    Checks for libutil functions
1490AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1491AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1492AC_SEARCH_LIBS([scan_scaled], [util bsd])
1493AC_SEARCH_LIBS([login], [util bsd])
1494AC_SEARCH_LIBS([logout], [util bsd])
1495AC_SEARCH_LIBS([logwtmp], [util bsd])
1496AC_SEARCH_LIBS([openpty], [util bsd])
1497AC_SEARCH_LIBS([updwtmp], [util bsd])
1498AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1499
1500# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1501# or libnsl.
1502AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1503AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1504
1505# Some Linux distribtions ship the BSD libc hashing functions in
1506# separate libraries.
1507AC_SEARCH_LIBS([SHA256Update], [md bsd])
1508
1509# "Particular Function Checks"
1510# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1511AC_FUNC_STRFTIME
1512AC_FUNC_MALLOC
1513AC_FUNC_REALLOC
1514# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1515AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1516AC_RUN_IFELSE(
1517	[AC_LANG_PROGRAM(
1518		[[ #include <stdlib.h> ]],
1519		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1520	)],
1521	[ func_calloc_0_nonnull=yes ],
1522	[ func_calloc_0_nonnull=no ],
1523	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1524	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1525)
1526AC_MSG_RESULT([$func_calloc_0_nonnull])
1527
1528if test "x$func_calloc_0_nonnull" = "xyes"; then
1529	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1530else
1531	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1532	AC_DEFINE(calloc, rpl_calloc,
1533	    [Define to rpl_calloc if the replacement function should be used.])
1534fi
1535
1536# Check for ALTDIRFUNC glob() extension
1537AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1538AC_EGREP_CPP([FOUNDIT],
1539	[
1540		#include <glob.h>
1541		#ifdef GLOB_ALTDIRFUNC
1542		FOUNDIT
1543		#endif
1544	],
1545	[
1546		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1547			[Define if your system glob() function has
1548			the GLOB_ALTDIRFUNC extension])
1549		AC_MSG_RESULT([yes])
1550	],
1551	[
1552		AC_MSG_RESULT([no])
1553	]
1554)
1555
1556# Check for g.gl_matchc glob() extension
1557AC_MSG_CHECKING([for gl_matchc field in glob_t])
1558AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1559	[[ glob_t g; g.gl_matchc = 1; ]])],
1560	[
1561		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1562			[Define if your system glob() function has
1563			gl_matchc options in glob_t])
1564		AC_MSG_RESULT([yes])
1565	], [
1566		AC_MSG_RESULT([no])
1567])
1568
1569# Check for g.gl_statv glob() extension
1570AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1571AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1572#ifndef GLOB_KEEPSTAT
1573#error "glob does not support GLOB_KEEPSTAT extension"
1574#endif
1575glob_t g;
1576g.gl_statv = NULL;
1577]])],
1578	[
1579		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1580			[Define if your system glob() function has
1581			gl_statv options in glob_t])
1582		AC_MSG_RESULT([yes])
1583	], [
1584		AC_MSG_RESULT([no])
1585
1586])
1587
1588AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1589
1590AC_CHECK_DECL([VIS_ALL], ,
1591    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1592
1593AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1594AC_RUN_IFELSE(
1595	[AC_LANG_PROGRAM([[
1596#include <sys/types.h>
1597#include <dirent.h>
1598#include <stdlib.h>
1599	]],
1600	[[
1601	struct dirent d;
1602	exit(sizeof(d.d_name)<=sizeof(char));
1603	]])],
1604	[AC_MSG_RESULT([yes])],
1605	[
1606		AC_MSG_RESULT([no])
1607		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1608			[Define if your struct dirent expects you to
1609			allocate extra space for d_name])
1610	],
1611	[
1612		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1613		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1614	]
1615)
1616
1617AC_MSG_CHECKING([for /proc/pid/fd directory])
1618if test -d "/proc/$$/fd" ; then
1619	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1620	AC_MSG_RESULT([yes])
1621else
1622	AC_MSG_RESULT([no])
1623fi
1624
1625# Check whether user wants TCP wrappers support
1626TCPW_MSG="no"
1627AC_ARG_WITH([tcp-wrappers],
1628	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1629	[
1630		if test "x$withval" != "xno" ; then
1631			saved_LIBS="$LIBS"
1632			saved_LDFLAGS="$LDFLAGS"
1633			saved_CPPFLAGS="$CPPFLAGS"
1634			if test -n "${withval}" && \
1635			    test "x${withval}" != "xyes"; then
1636				if test -d "${withval}/lib"; then
1637					if test -n "${need_dash_r}"; then
1638						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1639					else
1640						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1641					fi
1642				else
1643					if test -n "${need_dash_r}"; then
1644						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1645					else
1646						LDFLAGS="-L${withval} ${LDFLAGS}"
1647					fi
1648				fi
1649				if test -d "${withval}/include"; then
1650					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1651				else
1652					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1653				fi
1654			fi
1655			LIBS="-lwrap $LIBS"
1656			AC_MSG_CHECKING([for libwrap])
1657			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1658#include <sys/types.h>
1659#include <sys/socket.h>
1660#include <netinet/in.h>
1661#include <tcpd.h>
1662int deny_severity = 0, allow_severity = 0;
1663				]], [[
1664	hosts_access(0);
1665				]])], [
1666					AC_MSG_RESULT([yes])
1667					AC_DEFINE([LIBWRAP], [1],
1668						[Define if you want
1669						TCP Wrappers support])
1670					SSHDLIBS="$SSHDLIBS -lwrap"
1671					TCPW_MSG="yes"
1672				], [
1673					AC_MSG_ERROR([*** libwrap missing])
1674			])
1675			LIBS="$saved_LIBS"
1676		fi
1677	]
1678)
1679
1680# Check whether user wants to use ldns
1681LDNS_MSG="no"
1682AC_ARG_WITH(ldns,
1683	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1684	[
1685	ldns=""
1686	if test "x$withval" = "xyes" ; then
1687		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1688		if test "x$LDNSCONFIG" = "xno"; then
1689			LIBS="-lldns $LIBS"
1690			ldns=yes
1691		else
1692			LIBS="$LIBS `$LDNSCONFIG --libs`"
1693			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1694			ldns=yes
1695		fi
1696	elif test "x$withval" != "xno" ; then
1697			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1698			LDFLAGS="$LDFLAGS -L${withval}/lib"
1699			LIBS="-lldns $LIBS"
1700			ldns=yes
1701	fi
1702
1703	# Verify that it works.
1704	if test "x$ldns" = "xyes" ; then
1705		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1706		LDNS_MSG="yes"
1707		AC_MSG_CHECKING([for ldns support])
1708		AC_LINK_IFELSE(
1709			[AC_LANG_SOURCE([[
1710#include <stdio.h>
1711#include <stdlib.h>
1712#ifdef HAVE_STDINT_H
1713# include <stdint.h>
1714#endif
1715#include <ldns/ldns.h>
1716int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1717			]])
1718		],
1719			[AC_MSG_RESULT(yes)],
1720				[
1721					AC_MSG_RESULT(no)
1722					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1723				])
1724	fi
1725])
1726
1727# Check whether user wants libedit support
1728LIBEDIT_MSG="no"
1729AC_ARG_WITH([libedit],
1730	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1731	[ if test "x$withval" != "xno" ; then
1732		if test "x$withval" = "xyes" ; then
1733			if test "x$PKGCONFIG" != "xno"; then
1734				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1735				if "$PKGCONFIG" libedit; then
1736					AC_MSG_RESULT([yes])
1737					use_pkgconfig_for_libedit=yes
1738				else
1739					AC_MSG_RESULT([no])
1740				fi
1741			fi
1742		else
1743			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1744			if test -n "${rpath_opt}"; then
1745				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1746			else
1747				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1748			fi
1749		fi
1750		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1751			LIBEDIT=`$PKGCONFIG --libs libedit`
1752			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1753		else
1754			LIBEDIT="-ledit -lcurses"
1755		fi
1756		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1757		AC_CHECK_LIB([edit], [el_init],
1758			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1759			  LIBEDIT_MSG="yes"
1760			  AC_SUBST([LIBEDIT])
1761			],
1762			[ AC_MSG_ERROR([libedit not found]) ],
1763			[ $OTHERLIBS ]
1764		)
1765		AC_MSG_CHECKING([if libedit version is compatible])
1766		AC_COMPILE_IFELSE(
1767		    [AC_LANG_PROGRAM([[
1768#include <histedit.h>
1769#include <stdlib.h>
1770		    ]],
1771		    [[
1772	int i = H_SETSIZE;
1773	el_init("", NULL, NULL, NULL);
1774	exit(0);
1775		    ]])],
1776		    [ AC_MSG_RESULT([yes]) ],
1777		    [ AC_MSG_RESULT([no])
1778		      AC_MSG_ERROR([libedit version is not compatible]) ]
1779		)
1780	fi ]
1781)
1782
1783AUDIT_MODULE=none
1784AC_ARG_WITH([audit],
1785	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1786	[
1787	  AC_MSG_CHECKING([for supported audit module])
1788	  case "$withval" in
1789	  bsm)
1790		AC_MSG_RESULT([bsm])
1791		AUDIT_MODULE=bsm
1792		dnl    Checks for headers, libs and functions
1793		AC_CHECK_HEADERS([bsm/audit.h], [],
1794		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1795		    [
1796#ifdef HAVE_TIME_H
1797# include <time.h>
1798#endif
1799		    ]
1800)
1801		AC_CHECK_LIB([bsm], [getaudit], [],
1802		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1803		AC_CHECK_FUNCS([getaudit], [],
1804		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1805		# These are optional
1806		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1807		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1808		if test "$sol2ver" -ge 11; then
1809			SSHDLIBS="$SSHDLIBS -lscf"
1810			AC_DEFINE([BROKEN_BSM_API], [1],
1811				[The system has incomplete BSM API])
1812		fi
1813		;;
1814	  linux)
1815		AC_MSG_RESULT([linux])
1816		AUDIT_MODULE=linux
1817		dnl    Checks for headers, libs and functions
1818		AC_CHECK_HEADERS([libaudit.h])
1819		SSHDLIBS="$SSHDLIBS -laudit"
1820		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1821		;;
1822	  debug)
1823		AUDIT_MODULE=debug
1824		AC_MSG_RESULT([debug])
1825		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1826		;;
1827	  no)
1828		AC_MSG_RESULT([no])
1829		;;
1830	  *)
1831		AC_MSG_ERROR([Unknown audit module $withval])
1832		;;
1833	esac ]
1834)
1835
1836AC_ARG_WITH([pie],
1837    [  --with-pie              Build Position Independent Executables if possible], [
1838	if test "x$withval" = "xno"; then
1839		use_pie=no
1840	fi
1841	if test "x$withval" = "xyes"; then
1842		use_pie=yes
1843	fi
1844    ]
1845)
1846if test "x$use_pie" = "x"; then
1847	use_pie=no
1848fi
1849if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1850	# Turn off automatic PIE when toolchain hardening is off.
1851	use_pie=no
1852fi
1853if test "x$use_pie" = "xauto"; then
1854	# Automatic PIE requires gcc >= 4.x
1855	AC_MSG_CHECKING([for gcc >= 4.x])
1856	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1857#if !defined(__GNUC__) || __GNUC__ < 4
1858#error gcc is too old
1859#endif
1860]])],
1861	[ AC_MSG_RESULT([yes]) ],
1862	[ AC_MSG_RESULT([no])
1863	  use_pie=no ]
1864)
1865fi
1866if test "x$use_pie" != "xno"; then
1867	SAVED_CFLAGS="$CFLAGS"
1868	SAVED_LDFLAGS="$LDFLAGS"
1869	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1870	OSSH_CHECK_LDFLAG_LINK([-pie])
1871	# We use both -fPIE and -pie or neither.
1872	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1873	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1874	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1875		AC_MSG_RESULT([yes])
1876	else
1877		AC_MSG_RESULT([no])
1878		CFLAGS="$SAVED_CFLAGS"
1879		LDFLAGS="$SAVED_LDFLAGS"
1880	fi
1881fi
1882
1883AC_MSG_CHECKING([whether -fPIC is accepted])
1884SAVED_CFLAGS="$CFLAGS"
1885CFLAGS="$CFLAGS -fPIC"
1886AC_COMPILE_IFELSE(
1887	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1888   [AC_MSG_RESULT([yes])
1889    PICFLAG="-fPIC"; ],
1890   [AC_MSG_RESULT([no])
1891    PICFLAG=""; ])
1892CFLAGS="$SAVED_CFLAGS"
1893AC_SUBST([PICFLAG])
1894
1895dnl    Checks for library functions. Please keep in alphabetical order
1896AC_CHECK_FUNCS([ \
1897	auth_hostok \
1898	auth_timeok \
1899	Blowfish_initstate \
1900	Blowfish_expandstate \
1901	Blowfish_expand0state \
1902	Blowfish_stream2word \
1903	SHA256Update \
1904	SHA384Update \
1905	SHA512Update \
1906	asprintf \
1907	b64_ntop \
1908	__b64_ntop \
1909	b64_pton \
1910	__b64_pton \
1911	bcopy \
1912	bcrypt_pbkdf \
1913	bindresvport_sa \
1914	blf_enc \
1915	bzero \
1916	cap_rights_limit \
1917	clock \
1918	closefrom \
1919	close_range \
1920	dirfd \
1921	endgrent \
1922	err \
1923	errx \
1924	explicit_bzero \
1925	explicit_memset \
1926	fchmod \
1927	fchmodat \
1928	fchown \
1929	fchownat \
1930	flock \
1931	fnmatch \
1932	freeaddrinfo \
1933	freezero \
1934	fstatfs \
1935	fstatvfs \
1936	futimes \
1937	getaddrinfo \
1938	getcwd \
1939	getentropy \
1940	getgrouplist \
1941	getline \
1942	getnameinfo \
1943	getopt \
1944	getpagesize \
1945	getpeereid \
1946	getpeerucred \
1947	getpgid \
1948	_getpty \
1949	getrlimit \
1950	getrandom \
1951	getsid \
1952	getttyent \
1953	glob \
1954	group_from_gid \
1955	inet_aton \
1956	inet_ntoa \
1957	inet_ntop \
1958	innetgr \
1959	killpg \
1960	llabs \
1961	localtime_r \
1962	login_getcapbool \
1963	login_getpwclass \
1964	memmem \
1965	memmove \
1966	memset_s \
1967	mkdtemp \
1968	ngetaddrinfo \
1969	nsleep \
1970	ogetaddrinfo \
1971	openlog_r \
1972	pledge \
1973	poll \
1974	ppoll \
1975	prctl \
1976	procctl \
1977	pselect \
1978	pstat \
1979	raise \
1980	readpassphrase \
1981	reallocarray \
1982	realpath \
1983	recvmsg \
1984	recallocarray \
1985	rresvport_af \
1986	sendmsg \
1987	setdtablesize \
1988	setegid \
1989	setenv \
1990	seteuid \
1991	setgroupent \
1992	setgroups \
1993	setlinebuf \
1994	setlogin \
1995	setpassent\
1996	setpcred \
1997	setproctitle \
1998	setregid \
1999	setreuid \
2000	setrlimit \
2001	setsid \
2002	setvbuf \
2003	sigaction \
2004	sigvec \
2005	snprintf \
2006	socketpair \
2007	statfs \
2008	statvfs \
2009	strcasestr \
2010	strdup \
2011	strerror \
2012	strlcat \
2013	strlcpy \
2014	strmode \
2015	strndup \
2016	strnlen \
2017	strnvis \
2018	strptime \
2019	strsignal \
2020	strtonum \
2021	strtoll \
2022	strtoul \
2023	strtoull \
2024	swap32 \
2025	sysconf \
2026	tcgetpgrp \
2027	timegm \
2028	timingsafe_bcmp \
2029	truncate \
2030	unsetenv \
2031	updwtmpx \
2032	utimensat \
2033	user_from_uid \
2034	usleep \
2035	vasprintf \
2036	vsnprintf \
2037	waitpid \
2038	warn \
2039])
2040
2041AC_CHECK_DECLS([bzero, memmem])
2042
2043dnl Wide character support.
2044AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
2045
2046TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
2047AC_MSG_CHECKING([for utf8 locale support])
2048AC_RUN_IFELSE(
2049	[AC_LANG_PROGRAM([[
2050#include <locale.h>
2051#include <stdlib.h>
2052	]], [[
2053	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
2054	if (loc != NULL)
2055		exit(0);
2056	exit(1);
2057	]])],
2058	AC_MSG_RESULT(yes),
2059	[AC_MSG_RESULT(no)
2060	 TEST_SSH_UTF8=no],
2061	AC_MSG_WARN([cross compiling: assuming yes])
2062)
2063
2064AC_LINK_IFELSE(
2065        [AC_LANG_PROGRAM(
2066           [[ #include <ctype.h> ]],
2067           [[ return (isblank('a')); ]])],
2068	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
2069])
2070
2071disable_pkcs11=
2072AC_ARG_ENABLE([pkcs11],
2073	[  --disable-pkcs11        disable PKCS#11 support code [no]],
2074	[
2075		if test "x$enableval" = "xno" ; then
2076			disable_pkcs11=1
2077		fi
2078	]
2079)
2080
2081disable_sk=
2082AC_ARG_ENABLE([security-key],
2083	[  --disable-security-key  disable U2F/FIDO support code [no]],
2084	[
2085		if test "x$enableval" = "xno" ; then
2086			disable_sk=1
2087		fi
2088	]
2089)
2090enable_sk_internal=
2091AC_ARG_WITH([security-key-builtin],
2092	[  --with-security-key-builtin include builtin U2F/FIDO support],
2093	[ enable_sk_internal=$withval ]
2094)
2095
2096AC_SEARCH_LIBS([dlopen], [dl])
2097AC_CHECK_FUNCS([dlopen])
2098AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
2099
2100# IRIX has a const char return value for gai_strerror()
2101AC_CHECK_FUNCS([gai_strerror], [
2102	AC_DEFINE([HAVE_GAI_STRERROR])
2103	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2104#include <sys/types.h>
2105#include <sys/socket.h>
2106#include <netdb.h>
2107
2108const char *gai_strerror(int);
2109			]], [[
2110	char *str;
2111	str = gai_strerror(0);
2112			]])], [
2113		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
2114		[Define if gai_strerror() returns const char *])], [])])
2115
2116AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
2117	[Some systems put nanosleep outside of libc])])
2118
2119AC_SEARCH_LIBS([clock_gettime], [rt],
2120	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
2121
2122dnl check if we need -D_REENTRANT for localtime_r declaration.
2123AC_CHECK_DECL([localtime_r], [],
2124	[ saved_CPPFLAGS="$CPPFLAGS"
2125	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
2126	  unset ac_cv_have_decl_localtime_r
2127	  AC_CHECK_DECL([localtime_r], [],
2128		[ CPPFLAGS="$saved_CPPFLAGS" ],
2129		[ #include <time.h> ]
2130	  )
2131	],
2132	[ #include <time.h> ]
2133)
2134
2135dnl Make sure prototypes are defined for these before using them.
2136AC_CHECK_DECL([strsep],
2137	[AC_CHECK_FUNCS([strsep])],
2138	[],
2139	[
2140#ifdef HAVE_STRING_H
2141# include <string.h>
2142#endif
2143	])
2144
2145dnl tcsendbreak might be a macro
2146AC_CHECK_DECL([tcsendbreak],
2147	[AC_DEFINE([HAVE_TCSENDBREAK])],
2148	[AC_CHECK_FUNCS([tcsendbreak])],
2149	[#include <termios.h>]
2150)
2151
2152AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2153
2154AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2155	[
2156#include <sys/types.h>
2157#include <sys/socket.h>
2158#include <unistd.h>
2159	])
2160
2161AC_CHECK_DECLS([O_NONBLOCK], , ,
2162	[
2163#include <sys/types.h>
2164#ifdef HAVE_SYS_STAT_H
2165# include <sys/stat.h>
2166#endif
2167#ifdef HAVE_FCNTL_H
2168# include <fcntl.h>
2169#endif
2170	])
2171
2172AC_CHECK_DECLS([ftruncate, getentropy], , ,
2173	[
2174#include <sys/types.h>
2175#include <unistd.h>
2176	])
2177
2178AC_CHECK_DECLS([readv, writev], , , [
2179#include <sys/types.h>
2180#include <sys/uio.h>
2181#include <unistd.h>
2182	])
2183
2184AC_CHECK_DECLS([MAXSYMLINKS], , , [
2185#include <sys/param.h>
2186	])
2187
2188AC_CHECK_DECLS([offsetof], , , [
2189#include <stddef.h>
2190	])
2191
2192# extra bits for select(2)
2193AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2194#include <sys/param.h>
2195#include <sys/types.h>
2196#ifdef HAVE_SYS_SYSMACROS_H
2197#include <sys/sysmacros.h>
2198#endif
2199#ifdef HAVE_SYS_SELECT_H
2200#include <sys/select.h>
2201#endif
2202#ifdef HAVE_SYS_TIME_H
2203#include <sys/time.h>
2204#endif
2205#ifdef HAVE_UNISTD_H
2206#include <unistd.h>
2207#endif
2208	]])
2209AC_CHECK_TYPES([fd_mask], [], [], [[
2210#include <sys/param.h>
2211#include <sys/types.h>
2212#ifdef HAVE_SYS_SELECT_H
2213#include <sys/select.h>
2214#endif
2215#ifdef HAVE_SYS_TIME_H
2216#include <sys/time.h>
2217#endif
2218#ifdef HAVE_UNISTD_H
2219#include <unistd.h>
2220#endif
2221	]])
2222
2223AC_CHECK_FUNCS([setresuid], [
2224	dnl Some platorms have setresuid that isn't implemented, test for this
2225	AC_MSG_CHECKING([if setresuid seems to work])
2226	AC_RUN_IFELSE(
2227		[AC_LANG_PROGRAM([[
2228#include <stdlib.h>
2229#include <errno.h>
2230		]], [[
2231	errno=0;
2232	setresuid(0,0,0);
2233	if (errno==ENOSYS)
2234		exit(1);
2235	else
2236		exit(0);
2237		]])],
2238		[AC_MSG_RESULT([yes])],
2239		[AC_DEFINE([BROKEN_SETRESUID], [1],
2240			[Define if your setresuid() is broken])
2241		 AC_MSG_RESULT([not implemented])],
2242		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2243	)
2244])
2245
2246AC_CHECK_FUNCS([setresgid], [
2247	dnl Some platorms have setresgid that isn't implemented, test for this
2248	AC_MSG_CHECKING([if setresgid seems to work])
2249	AC_RUN_IFELSE(
2250		[AC_LANG_PROGRAM([[
2251#include <stdlib.h>
2252#include <errno.h>
2253		]], [[
2254	errno=0;
2255	setresgid(0,0,0);
2256	if (errno==ENOSYS)
2257		exit(1);
2258	else
2259		exit(0);
2260		]])],
2261		[AC_MSG_RESULT([yes])],
2262		[AC_DEFINE([BROKEN_SETRESGID], [1],
2263			[Define if your setresgid() is broken])
2264		 AC_MSG_RESULT([not implemented])],
2265		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2266	)
2267])
2268
2269AC_MSG_CHECKING([for working fflush(NULL)])
2270AC_RUN_IFELSE(
2271	[AC_LANG_PROGRAM([[
2272#include <stdio.h>
2273#include <stdlib.h>
2274	]],
2275	[[fflush(NULL); exit(0);]])],
2276	AC_MSG_RESULT([yes]),
2277	[AC_MSG_RESULT([no])
2278	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2279	    [define if fflush(NULL) does not work])],
2280	AC_MSG_WARN([cross compiling: assuming working])
2281)
2282
2283dnl    Checks for time functions
2284AC_CHECK_FUNCS([gettimeofday time])
2285dnl    Checks for utmp functions
2286AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2287AC_CHECK_FUNCS([utmpname])
2288dnl    Checks for utmpx functions
2289AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2290AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2291dnl    Checks for lastlog functions
2292AC_CHECK_FUNCS([getlastlogxbyname])
2293
2294AC_CHECK_FUNC([daemon],
2295	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2296	[AC_CHECK_LIB([bsd], [daemon],
2297		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2298)
2299
2300AC_CHECK_FUNC([getpagesize],
2301	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2302		[Define if your libraries define getpagesize()])],
2303	[AC_CHECK_LIB([ucb], [getpagesize],
2304		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2305)
2306
2307# Check for broken snprintf
2308if test "x$ac_cv_func_snprintf" = "xyes" ; then
2309	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2310	AC_RUN_IFELSE(
2311		[AC_LANG_PROGRAM([[
2312#include <stdio.h>
2313#include <stdlib.h>
2314		]],
2315		[[
2316	char b[5];
2317	snprintf(b,5,"123456789");
2318	exit(b[4]!='\0');
2319		]])],
2320		[AC_MSG_RESULT([yes])],
2321		[
2322			AC_MSG_RESULT([no])
2323			AC_DEFINE([BROKEN_SNPRINTF], [1],
2324				[Define if your snprintf is busted])
2325			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2326		],
2327		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2328	)
2329fi
2330
2331if test "x$ac_cv_func_snprintf" = "xyes" ; then
2332	AC_MSG_CHECKING([whether snprintf understands %zu])
2333	AC_RUN_IFELSE(
2334		[AC_LANG_PROGRAM([[
2335#include <sys/types.h>
2336#include <stdio.h>
2337#include <stdlib.h>
2338#include <string.h>
2339		]],
2340		[[
2341	size_t a = 1, b = 2;
2342	char z[128];
2343	snprintf(z, sizeof z, "%zu%zu", a, b);
2344	exit(strcmp(z, "12"));
2345		]])],
2346		[AC_MSG_RESULT([yes])],
2347		[
2348			AC_MSG_RESULT([no])
2349			AC_DEFINE([BROKEN_SNPRINTF], [1],
2350				[snprintf does not understand %zu])
2351		],
2352		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2353	)
2354fi
2355
2356# We depend on vsnprintf returning the right thing on overflow: the
2357# number of characters it tried to create (as per SUSv3)
2358if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2359	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2360	AC_RUN_IFELSE(
2361		[AC_LANG_PROGRAM([[
2362#include <sys/types.h>
2363#include <stdio.h>
2364#include <stdarg.h>
2365
2366int x_snprintf(char *str, size_t count, const char *fmt, ...)
2367{
2368	size_t ret;
2369	va_list ap;
2370
2371	va_start(ap, fmt);
2372	ret = vsnprintf(str, count, fmt, ap);
2373	va_end(ap);
2374	return ret;
2375}
2376		]], [[
2377char x[1];
2378if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2379	return 1;
2380if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2381	return 1;
2382return 0;
2383		]])],
2384		[AC_MSG_RESULT([yes])],
2385		[
2386			AC_MSG_RESULT([no])
2387			AC_DEFINE([BROKEN_SNPRINTF], [1],
2388				[Define if your snprintf is busted])
2389			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2390		],
2391		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2392	)
2393fi
2394
2395# On systems where [v]snprintf is broken, but is declared in stdio,
2396# check that the fmt argument is const char * or just char *.
2397# This is only useful for when BROKEN_SNPRINTF
2398AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2399AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2400#include <stdio.h>
2401int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2402		]], [[
2403	snprintf(0, 0, 0);
2404		]])],
2405   [AC_MSG_RESULT([yes])
2406    AC_DEFINE([SNPRINTF_CONST], [const],
2407              [Define as const if snprintf() can declare const char *fmt])],
2408   [AC_MSG_RESULT([no])
2409    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2410
2411# Check for missing getpeereid (or equiv) support
2412NO_PEERCHECK=""
2413if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2414	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2415	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2416#include <sys/types.h>
2417#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2418		[ AC_MSG_RESULT([yes])
2419		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2420		], [AC_MSG_RESULT([no])
2421		NO_PEERCHECK=1
2422        ])
2423fi
2424
2425dnl make sure that openpty does not reacquire controlling terminal
2426if test ! -z "$check_for_openpty_ctty_bug"; then
2427	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2428	AC_RUN_IFELSE(
2429		[AC_LANG_PROGRAM([[
2430#include <stdio.h>
2431#include <stdlib.h>
2432#include <unistd.h>
2433#include <sys/fcntl.h>
2434#include <sys/types.h>
2435#include <sys/wait.h>
2436		]], [[
2437	pid_t pid;
2438	int fd, ptyfd, ttyfd, status;
2439
2440	pid = fork();
2441	if (pid < 0) {		/* failed */
2442		exit(1);
2443	} else if (pid > 0) {	/* parent */
2444		waitpid(pid, &status, 0);
2445		if (WIFEXITED(status))
2446			exit(WEXITSTATUS(status));
2447		else
2448			exit(2);
2449	} else {		/* child */
2450		close(0); close(1); close(2);
2451		setsid();
2452		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2453		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2454		if (fd >= 0)
2455			exit(3);	/* Acquired ctty: broken */
2456		else
2457			exit(0);	/* Did not acquire ctty: OK */
2458	}
2459		]])],
2460		[
2461			AC_MSG_RESULT([yes])
2462		],
2463		[
2464			AC_MSG_RESULT([no])
2465			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2466		],
2467		[
2468			AC_MSG_RESULT([cross-compiling, assuming yes])
2469		]
2470	)
2471fi
2472
2473if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2474    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2475	AC_MSG_CHECKING([if getaddrinfo seems to work])
2476	AC_RUN_IFELSE(
2477		[AC_LANG_PROGRAM([[
2478#include <stdio.h>
2479#include <stdlib.h>
2480#include <sys/socket.h>
2481#include <netdb.h>
2482#include <errno.h>
2483#include <netinet/in.h>
2484
2485#define TEST_PORT "2222"
2486		]], [[
2487	int err, sock;
2488	struct addrinfo *gai_ai, *ai, hints;
2489	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2490
2491	memset(&hints, 0, sizeof(hints));
2492	hints.ai_family = PF_UNSPEC;
2493	hints.ai_socktype = SOCK_STREAM;
2494	hints.ai_flags = AI_PASSIVE;
2495
2496	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2497	if (err != 0) {
2498		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2499		exit(1);
2500	}
2501
2502	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2503		if (ai->ai_family != AF_INET6)
2504			continue;
2505
2506		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2507		    sizeof(ntop), strport, sizeof(strport),
2508		    NI_NUMERICHOST|NI_NUMERICSERV);
2509
2510		if (err != 0) {
2511			if (err == EAI_SYSTEM)
2512				perror("getnameinfo EAI_SYSTEM");
2513			else
2514				fprintf(stderr, "getnameinfo failed: %s\n",
2515				    gai_strerror(err));
2516			exit(2);
2517		}
2518
2519		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2520		if (sock < 0)
2521			perror("socket");
2522		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2523			if (errno == EBADF)
2524				exit(3);
2525		}
2526	}
2527	exit(0);
2528		]])],
2529		[
2530			AC_MSG_RESULT([yes])
2531		],
2532		[
2533			AC_MSG_RESULT([no])
2534			AC_DEFINE([BROKEN_GETADDRINFO])
2535		],
2536		[
2537			AC_MSG_RESULT([cross-compiling, assuming yes])
2538		]
2539	)
2540fi
2541
2542if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2543    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2544	AC_MSG_CHECKING([if getaddrinfo seems to work])
2545	AC_RUN_IFELSE(
2546		[AC_LANG_PROGRAM([[
2547#include <stdio.h>
2548#include <stdlib.h>
2549#include <sys/socket.h>
2550#include <netdb.h>
2551#include <errno.h>
2552#include <netinet/in.h>
2553
2554#define TEST_PORT "2222"
2555		]], [[
2556	int err, sock;
2557	struct addrinfo *gai_ai, *ai, hints;
2558	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2559
2560	memset(&hints, 0, sizeof(hints));
2561	hints.ai_family = PF_UNSPEC;
2562	hints.ai_socktype = SOCK_STREAM;
2563	hints.ai_flags = AI_PASSIVE;
2564
2565	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2566	if (err != 0) {
2567		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2568		exit(1);
2569	}
2570
2571	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2572		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2573			continue;
2574
2575		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2576		    sizeof(ntop), strport, sizeof(strport),
2577		    NI_NUMERICHOST|NI_NUMERICSERV);
2578
2579		if (ai->ai_family == AF_INET && err != 0) {
2580			perror("getnameinfo");
2581			exit(2);
2582		}
2583	}
2584	exit(0);
2585		]])],
2586		[
2587			AC_MSG_RESULT([yes])
2588			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2589				[Define if you have a getaddrinfo that fails
2590				for the all-zeros IPv6 address])
2591		],
2592		[
2593			AC_MSG_RESULT([no])
2594			AC_DEFINE([BROKEN_GETADDRINFO])
2595		],
2596		[
2597			AC_MSG_RESULT([cross-compiling, assuming no])
2598		]
2599	)
2600fi
2601
2602if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2603	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2604	    [#include <sys/types.h>
2605	     #include <sys/socket.h>
2606	     #include <netdb.h>])
2607fi
2608
2609if test "x$check_for_conflicting_getspnam" = "x1"; then
2610	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2611	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2612#include <shadow.h>
2613#include <stdlib.h>
2614		]],
2615		[[ exit(0); ]])],
2616		[
2617			AC_MSG_RESULT([no])
2618		],
2619		[
2620			AC_MSG_RESULT([yes])
2621			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2622			    [Conflicting defs for getspnam])
2623		]
2624	)
2625fi
2626
2627dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2628dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2629dnl for over ten years). Despite this incompatibility being reported during
2630dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2631dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2632dnl implementation.  Try to detect this mess, and assume the only safe option
2633dnl if we're cross compiling.
2634dnl
2635dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2636dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2637if test "x$ac_cv_func_strnvis" = "xyes"; then
2638	AC_MSG_CHECKING([for working strnvis])
2639	AC_RUN_IFELSE(
2640		[AC_LANG_PROGRAM([[
2641#include <signal.h>
2642#include <stdlib.h>
2643#include <string.h>
2644#include <unistd.h>
2645#include <vis.h>
2646static void sighandler(int sig) { _exit(1); }
2647		]], [[
2648	char dst[16];
2649
2650	signal(SIGSEGV, sighandler);
2651	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2652		exit(0);
2653	exit(1)
2654		]])],
2655		[AC_MSG_RESULT([yes])],
2656		[AC_MSG_RESULT([no])
2657		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2658		[AC_MSG_WARN([cross compiling: assuming broken])
2659		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2660	)
2661fi
2662
2663AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2664AC_RUN_IFELSE(
2665	[AC_LANG_PROGRAM([[
2666#ifdef HAVE_SYS_SELECT
2667# include <sys/select.h>
2668#endif
2669#include <sys/types.h>
2670#include <sys/time.h>
2671#include <stdlib.h>
2672#include <signal.h>
2673#include <unistd.h>
2674static void sighandler(int sig) { }
2675		]], [[
2676	int r;
2677	pid_t pid;
2678	struct sigaction sa;
2679
2680	sa.sa_handler = sighandler;
2681	sa.sa_flags = SA_RESTART;
2682	(void)sigaction(SIGTERM, &sa, NULL);
2683	if ((pid = fork()) == 0) { /* child */
2684		pid = getppid();
2685		sleep(1);
2686		kill(pid, SIGTERM);
2687		sleep(1);
2688		if (getppid() == pid) /* if parent did not exit, shoot it */
2689			kill(pid, SIGKILL);
2690		exit(0);
2691	} else { /* parent */
2692		r = select(0, NULL, NULL, NULL, NULL);
2693	}
2694	exit(r == -1 ? 0 : 1);
2695	]])],
2696	[AC_MSG_RESULT([yes])],
2697	[AC_MSG_RESULT([no])
2698	 AC_DEFINE([NO_SA_RESTART], [1],
2699	    [SA_RESTARTed signals do no interrupt select])],
2700	[AC_MSG_WARN([cross compiling: assuming yes])]
2701)
2702
2703AC_CHECK_FUNCS([getpgrp],[
2704	AC_MSG_CHECKING([if getpgrp accepts zero args])
2705	AC_COMPILE_IFELSE(
2706		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2707		[ AC_MSG_RESULT([yes])
2708		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2709		[ AC_MSG_RESULT([no])
2710		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2711	)
2712])
2713
2714# Search for OpenSSL
2715saved_CPPFLAGS="$CPPFLAGS"
2716saved_LDFLAGS="$LDFLAGS"
2717AC_ARG_WITH([ssl-dir],
2718	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2719	[
2720		if test "x$openssl" = "xno" ; then
2721			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2722		fi
2723		if test "x$withval" != "xno" ; then
2724			case "$withval" in
2725				# Relative paths
2726				./*|../*)	withval="`pwd`/$withval"
2727			esac
2728			if test -d "$withval/lib"; then
2729				libcrypto_path="${withval}/lib"
2730			elif test -d "$withval/lib64"; then
2731				libcrypto_path="$withval/lib64"
2732			else
2733				# Built but not installed
2734				libcrypto_path="${withval}"
2735			fi
2736			if test -n "${rpath_opt}"; then
2737				LDFLAGS="-L${libcrypto_path} ${rpath_opt}${libcrypto_path} ${LDFLAGS}"
2738			else
2739				LDFLAGS="-L${libcrypto_path} ${LDFLAGS}"
2740			fi
2741			if test -d "$withval/include"; then
2742				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2743			else
2744				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2745			fi
2746		fi
2747	]
2748)
2749
2750AC_ARG_WITH([openssl-header-check],
2751	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2752	[
2753		if test "x$withval" = "xno" ; then
2754			openssl_check_nonfatal=1
2755		fi
2756	]
2757)
2758
2759openssl_engine=no
2760AC_ARG_WITH([ssl-engine],
2761	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2762	[
2763		if test "x$withval" != "xno" ; then
2764			if test "x$openssl" = "xno" ; then
2765				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2766			fi
2767			openssl_engine=yes
2768		fi
2769	]
2770)
2771
2772nocrypto_saved_LIBS="$LIBS"
2773if test "x$openssl" = "xyes" ; then
2774	LIBS="-lcrypto $LIBS"
2775	CHANNELLIBS="-lcrypto $CHANNELLIBS"
2776	AC_TRY_LINK_FUNC([RAND_add], ,
2777	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2778	AC_CHECK_HEADER([openssl/opensslv.h], ,
2779	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2780
2781	# Determine OpenSSL header version
2782	AC_MSG_CHECKING([OpenSSL header version])
2783	AC_RUN_IFELSE(
2784		[AC_LANG_PROGRAM([[
2785	#include <stdlib.h>
2786	#include <stdio.h>
2787	#include <string.h>
2788	#include <openssl/opensslv.h>
2789	#define DATA "conftest.sslincver"
2790		]], [[
2791		FILE *fd;
2792		int rc;
2793
2794		fd = fopen(DATA,"w");
2795		if(fd == NULL)
2796			exit(1);
2797
2798		if ((rc = fprintf(fd, "%08lx (%s)\n",
2799		    (unsigned long)OPENSSL_VERSION_NUMBER,
2800		     OPENSSL_VERSION_TEXT)) < 0)
2801			exit(1);
2802
2803		exit(0);
2804		]])],
2805		[
2806			ssl_header_ver=`cat conftest.sslincver`
2807			AC_MSG_RESULT([$ssl_header_ver])
2808		],
2809		[
2810			AC_MSG_RESULT([not found])
2811			AC_MSG_ERROR([OpenSSL version header not found.])
2812		],
2813		[
2814			AC_MSG_WARN([cross compiling: not checking])
2815		]
2816	)
2817
2818	# Determining OpenSSL library version is version dependent.
2819	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2820
2821	# Determine OpenSSL library version
2822	AC_MSG_CHECKING([OpenSSL library version])
2823	AC_RUN_IFELSE(
2824		[AC_LANG_PROGRAM([[
2825	#include <stdio.h>
2826	#include <stdlib.h>
2827	#include <string.h>
2828	#include <openssl/opensslv.h>
2829	#include <openssl/crypto.h>
2830	#define DATA "conftest.ssllibver"
2831		]], [[
2832		FILE *fd;
2833		int rc;
2834
2835		fd = fopen(DATA,"w");
2836		if(fd == NULL)
2837			exit(1);
2838#ifndef OPENSSL_VERSION
2839# define OPENSSL_VERSION SSLEAY_VERSION
2840#endif
2841#ifndef HAVE_OPENSSL_VERSION
2842# define OpenSSL_version	SSLeay_version
2843#endif
2844#ifndef HAVE_OPENSSL_VERSION_NUM
2845# define OpenSSL_version_num	SSLeay
2846#endif
2847		if ((rc = fprintf(fd, "%08lx (%s)\n",
2848		    (unsigned long)OpenSSL_version_num(),
2849		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2850			exit(1);
2851
2852		exit(0);
2853		]])],
2854		[
2855			ssl_library_ver=`cat conftest.ssllibver`
2856			# Check version is supported.
2857			case "$ssl_library_ver" in
2858			10000*|0*)
2859				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2860		                ;;
2861			100*)   ;; # 1.0.x
2862			101000[[0123456]]*)
2863				# https://github.com/openssl/openssl/pull/4613
2864				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2865				;;
2866			101*)   ;; # 1.1.x
2867			200*)   ;; # LibreSSL
2868			300*)
2869				# OpenSSL 3; we use the 1.1x API
2870				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2871				;;
2872			301*)
2873				# OpenSSL development branch; request 1.1x API
2874				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2875				;;
2876		        *)
2877				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2878		                ;;
2879			esac
2880			AC_MSG_RESULT([$ssl_library_ver])
2881		],
2882		[
2883			AC_MSG_RESULT([not found])
2884			AC_MSG_ERROR([OpenSSL library not found.])
2885		],
2886		[
2887			AC_MSG_WARN([cross compiling: not checking])
2888		]
2889	)
2890
2891	case "$host" in
2892	x86_64-*)
2893		case "$ssl_library_ver" in
2894		3000004*)
2895			AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
2896			;;
2897		esac
2898	esac
2899
2900	# Sanity check OpenSSL headers
2901	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2902	AC_RUN_IFELSE(
2903		[AC_LANG_PROGRAM([[
2904	#include <stdlib.h>
2905	#include <string.h>
2906	#include <openssl/opensslv.h>
2907	#include <openssl/crypto.h>
2908		]], [[
2909#ifndef HAVE_OPENSSL_VERSION_NUM
2910# define OpenSSL_version_num	SSLeay
2911#endif
2912		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2913		]])],
2914		[
2915			AC_MSG_RESULT([yes])
2916		],
2917		[
2918			AC_MSG_RESULT([no])
2919			if test "x$openssl_check_nonfatal" = "x"; then
2920				AC_MSG_ERROR([Your OpenSSL headers do not match your
2921	library. Check config.log for details.
2922	If you are sure your installation is consistent, you can disable the check
2923	by running "./configure --without-openssl-header-check".
2924	Also see contrib/findssl.sh for help identifying header/library mismatches.
2925	])
2926			else
2927				AC_MSG_WARN([Your OpenSSL headers do not match your
2928	library. Check config.log for details.
2929	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2930			fi
2931		],
2932		[
2933			AC_MSG_WARN([cross compiling: not checking])
2934		]
2935	)
2936
2937	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2938	AC_LINK_IFELSE(
2939		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2940		[[ ERR_load_crypto_strings(); ]])],
2941		[
2942			AC_MSG_RESULT([yes])
2943		],
2944		[
2945			AC_MSG_RESULT([no])
2946			LIBS="$LIBS -ldl"
2947			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2948			AC_LINK_IFELSE(
2949				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2950				[[ ERR_load_crypto_strings(); ]])],
2951				[
2952					AC_MSG_RESULT([yes])
2953					CHANNELLIBS="$CHANNELLIBS -ldl"
2954				],
2955				[
2956					AC_MSG_RESULT([no])
2957				]
2958			)
2959		]
2960	)
2961
2962	AC_CHECK_FUNCS([ \
2963		BN_is_prime_ex \
2964		DES_crypt \
2965		DSA_generate_parameters_ex \
2966		EVP_DigestFinal_ex \
2967		EVP_DigestInit_ex \
2968		EVP_MD_CTX_cleanup \
2969		EVP_MD_CTX_copy_ex \
2970		EVP_MD_CTX_init \
2971		HMAC_CTX_init \
2972		RSA_generate_key_ex \
2973		RSA_get_default_method \
2974	])
2975
2976	# OpenSSL_add_all_algorithms may be a macro.
2977	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2978	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2979	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2980		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2981		[[#include <openssl/evp.h>]]
2982	    )
2983	)
2984
2985	# LibreSSL/OpenSSL 1.1x API
2986	AC_CHECK_FUNCS([ \
2987		OPENSSL_init_crypto \
2988		DH_get0_key \
2989		DH_get0_pqg \
2990		DH_set0_key \
2991		DH_set_length \
2992		DH_set0_pqg \
2993		DSA_get0_key \
2994		DSA_get0_pqg \
2995		DSA_set0_key \
2996		DSA_set0_pqg \
2997		DSA_SIG_get0 \
2998		DSA_SIG_set0 \
2999		ECDSA_SIG_get0 \
3000		ECDSA_SIG_set0 \
3001		EVP_CIPHER_CTX_iv \
3002		EVP_CIPHER_CTX_iv_noconst \
3003		EVP_CIPHER_CTX_get_iv \
3004		EVP_CIPHER_CTX_get_updated_iv \
3005		EVP_CIPHER_CTX_set_iv \
3006		RSA_get0_crt_params \
3007		RSA_get0_factors \
3008		RSA_get0_key \
3009		RSA_set0_crt_params \
3010		RSA_set0_factors \
3011		RSA_set0_key \
3012		RSA_meth_free \
3013		RSA_meth_dup \
3014		RSA_meth_set1_name \
3015		RSA_meth_get_finish \
3016		RSA_meth_set_priv_enc \
3017		RSA_meth_set_priv_dec \
3018		RSA_meth_set_finish \
3019		EVP_PKEY_get0_RSA \
3020		EVP_MD_CTX_new \
3021		EVP_MD_CTX_free \
3022		EVP_chacha20 \
3023	])
3024
3025	if test "x$openssl_engine" = "xyes" ; then
3026		AC_MSG_CHECKING([for OpenSSL ENGINE support])
3027		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3028	#include <openssl/engine.h>
3029			]], [[
3030				ENGINE_load_builtin_engines();
3031				ENGINE_register_all_complete();
3032			]])],
3033			[ AC_MSG_RESULT([yes])
3034			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
3035			     [Enable OpenSSL engine support])
3036			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
3037		])
3038	fi
3039
3040	# Check for OpenSSL without EVP_aes_{192,256}_cbc
3041	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
3042	AC_LINK_IFELSE(
3043		[AC_LANG_PROGRAM([[
3044	#include <stdlib.h>
3045	#include <string.h>
3046	#include <openssl/evp.h>
3047		]], [[
3048		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
3049		]])],
3050		[
3051			AC_MSG_RESULT([no])
3052		],
3053		[
3054			AC_MSG_RESULT([yes])
3055			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
3056			    [libcrypto is missing AES 192 and 256 bit functions])
3057		]
3058	)
3059
3060	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
3061	AC_LINK_IFELSE(
3062		[AC_LANG_PROGRAM([[
3063	#include <stdlib.h>
3064	#include <string.h>
3065	#include <openssl/evp.h>
3066		]], [[
3067		if(EVP_DigestUpdate(NULL, NULL,0))
3068			exit(0);
3069		]])],
3070		[
3071			AC_MSG_RESULT([yes])
3072		],
3073		[
3074			AC_MSG_RESULT([no])
3075			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
3076			    [Define if EVP_DigestUpdate returns void])
3077		]
3078	)
3079
3080	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3081	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3082
3083	# Check complete ECC support in OpenSSL
3084	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3085	AC_LINK_IFELSE(
3086		[AC_LANG_PROGRAM([[
3087	#include <openssl/ec.h>
3088	#include <openssl/ecdh.h>
3089	#include <openssl/ecdsa.h>
3090	#include <openssl/evp.h>
3091	#include <openssl/objects.h>
3092	#include <openssl/opensslv.h>
3093		]], [[
3094		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3095		const EVP_MD *m = EVP_sha256(); /* We need this too */
3096		]])],
3097		[ AC_MSG_RESULT([yes])
3098		  enable_nistp256=1 ],
3099		[ AC_MSG_RESULT([no]) ]
3100	)
3101
3102	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3103	AC_LINK_IFELSE(
3104		[AC_LANG_PROGRAM([[
3105	#include <openssl/ec.h>
3106	#include <openssl/ecdh.h>
3107	#include <openssl/ecdsa.h>
3108	#include <openssl/evp.h>
3109	#include <openssl/objects.h>
3110	#include <openssl/opensslv.h>
3111		]], [[
3112		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3113		const EVP_MD *m = EVP_sha384(); /* We need this too */
3114		]])],
3115		[ AC_MSG_RESULT([yes])
3116		  enable_nistp384=1 ],
3117		[ AC_MSG_RESULT([no]) ]
3118	)
3119
3120	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3121	AC_LINK_IFELSE(
3122		[AC_LANG_PROGRAM([[
3123	#include <openssl/ec.h>
3124	#include <openssl/ecdh.h>
3125	#include <openssl/ecdsa.h>
3126	#include <openssl/evp.h>
3127	#include <openssl/objects.h>
3128	#include <openssl/opensslv.h>
3129		]], [[
3130		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3131		const EVP_MD *m = EVP_sha512(); /* We need this too */
3132		]])],
3133		[ AC_MSG_RESULT([yes])
3134		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3135		  AC_RUN_IFELSE(
3136			[AC_LANG_PROGRAM([[
3137	#include <stdlib.h>
3138	#include <openssl/ec.h>
3139	#include <openssl/ecdh.h>
3140	#include <openssl/ecdsa.h>
3141	#include <openssl/evp.h>
3142	#include <openssl/objects.h>
3143	#include <openssl/opensslv.h>
3144			]],[[
3145			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3146			const EVP_MD *m = EVP_sha512(); /* We need this too */
3147			exit(e == NULL || m == NULL);
3148			]])],
3149			[ AC_MSG_RESULT([yes])
3150			  enable_nistp521=1 ],
3151			[ AC_MSG_RESULT([no]) ],
3152			[ AC_MSG_WARN([cross-compiling: assuming yes])
3153			  enable_nistp521=1 ]
3154		  )],
3155		AC_MSG_RESULT([no])
3156	)
3157
3158	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3159	    test x$enable_nistp521 = x1; then
3160		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3161		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3162		openssl_ecc=yes
3163	else
3164		openssl_ecc=no
3165	fi
3166	if test x$enable_nistp256 = x1; then
3167		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3168		    [libcrypto has NID_X9_62_prime256v1])
3169	else
3170		unsupported_algorithms="$unsupported_algorithms \
3171			ecdsa-sha2-nistp256 \
3172			ecdh-sha2-nistp256 \
3173			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3174	fi
3175	if test x$enable_nistp384 = x1; then
3176		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3177	else
3178		unsupported_algorithms="$unsupported_algorithms \
3179			ecdsa-sha2-nistp384 \
3180			ecdh-sha2-nistp384 \
3181			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3182	fi
3183	if test x$enable_nistp521 = x1; then
3184		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3185	else
3186		unsupported_algorithms="$unsupported_algorithms \
3187			ecdh-sha2-nistp521 \
3188			ecdsa-sha2-nistp521 \
3189			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3190	fi
3191fi
3192
3193# PKCS11/U2F depend on OpenSSL and dlopen().
3194enable_pkcs11=yes
3195enable_sk=yes
3196if test "x$openssl" != "xyes" ; then
3197	enable_pkcs11="disabled; missing libcrypto"
3198fi
3199if test "x$ac_cv_func_dlopen" != "xyes" ; then
3200	enable_pkcs11="disabled; missing dlopen(3)"
3201	enable_sk="disabled; missing dlopen(3)"
3202fi
3203if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3204	enable_pkcs11="disabled; missing RTLD_NOW"
3205	enable_sk="disabled; missing RTLD_NOW"
3206fi
3207if test ! -z "$disable_pkcs11" ; then
3208	enable_pkcs11="disabled by user"
3209fi
3210if test ! -z "$disable_sk" ; then
3211	enable_sk="disabled by user"
3212fi
3213
3214AC_MSG_CHECKING([whether to enable PKCS11])
3215if test "x$enable_pkcs11" = "xyes" ; then
3216	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3217fi
3218AC_MSG_RESULT([$enable_pkcs11])
3219
3220AC_MSG_CHECKING([whether to enable U2F])
3221if test "x$enable_sk" = "xyes" ; then
3222	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3223	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3224else
3225	# Do not try to build sk-dummy library.
3226	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3227fi
3228AC_MSG_RESULT([$enable_sk])
3229
3230# Now check for built-in security key support.
3231if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
3232	use_pkgconfig_for_libfido2=
3233	if test "x$PKGCONFIG" != "xno"; then
3234		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3235		if "$PKGCONFIG" libfido2; then
3236			AC_MSG_RESULT([yes])
3237			use_pkgconfig_for_libfido2=yes
3238		else
3239			AC_MSG_RESULT([no])
3240		fi
3241	fi
3242	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3243		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3244		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3245	else
3246		LIBFIDO2="-lprivatefido2 -lprivatecbor"
3247	fi
3248	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3249	fido2_error=
3250	AC_CHECK_LIB([privatefido2], [fido_init],
3251		[ ],
3252		[ fido2_error="missing/unusable libfido2" ],
3253		[ $OTHERLIBS ]
3254	)
3255	AC_CHECK_HEADER([fido.h], [],
3256		[ fido2_error="missing fido.h from libfido2" ])
3257	AC_CHECK_HEADER([fido/credman.h], [],
3258		[ fido2_error="missing fido/credman.h from libfido2" ],
3259		[ #include <fido.h> ]
3260	)
3261	AC_MSG_CHECKING([for usable libfido2 installation])
3262	if test ! -z "$fido2_error" ; then
3263		AC_MSG_RESULT([$fido2_error])
3264		if test "x$enable_sk_internal" = "xyes" ; then
3265			AC_MSG_ERROR([No usable libfido2 library/headers found])
3266		fi
3267		LIBFIDO2=""
3268	else
3269		AC_MSG_RESULT([yes])
3270		AC_SUBST([LIBFIDO2])
3271		AC_DEFINE([ENABLE_SK_INTERNAL], [],
3272		    [Enable for built-in U2F/FIDO support])
3273		enable_sk="built-in"
3274		saved_LIBS="$LIBS"
3275		LIBS="$LIBS $LIBFIDO2"
3276		AC_CHECK_FUNCS([ \
3277			fido_assert_set_clientdata \
3278			fido_cred_prot \
3279			fido_cred_set_prot \
3280			fido_cred_set_clientdata \
3281			fido_dev_get_touch_begin \
3282			fido_dev_get_touch_status \
3283			fido_dev_supports_cred_prot \
3284			fido_dev_is_winhello \
3285		])
3286		LIBS="$saved_LIBS"
3287	fi
3288fi
3289
3290AC_CHECK_FUNCS([ \
3291	arc4random \
3292	arc4random_buf \
3293	arc4random_stir \
3294	arc4random_uniform \
3295])
3296### Configure cryptographic random number support
3297
3298# Check whether OpenSSL seeds itself
3299if test "x$openssl" = "xyes" ; then
3300	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3301	AC_RUN_IFELSE(
3302		[AC_LANG_PROGRAM([[
3303	#include <stdlib.h>
3304	#include <string.h>
3305	#include <openssl/rand.h>
3306		]], [[
3307		exit(RAND_status() == 1 ? 0 : 1);
3308		]])],
3309		[
3310			OPENSSL_SEEDS_ITSELF=yes
3311			AC_MSG_RESULT([yes])
3312		],
3313		[
3314			AC_MSG_RESULT([no])
3315		],
3316		[
3317			AC_MSG_WARN([cross compiling: assuming yes])
3318			# This is safe, since we will fatal() at runtime if
3319			# OpenSSL is not seeded correctly.
3320			OPENSSL_SEEDS_ITSELF=yes
3321		]
3322	)
3323fi
3324
3325# PRNGD TCP socket
3326AC_ARG_WITH([prngd-port],
3327	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3328	[
3329		case "$withval" in
3330		no)
3331			withval=""
3332			;;
3333		[[0-9]]*)
3334			;;
3335		*)
3336			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3337			;;
3338		esac
3339		if test ! -z "$withval" ; then
3340			PRNGD_PORT="$withval"
3341			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3342				[Port number of PRNGD/EGD random number socket])
3343		fi
3344	]
3345)
3346
3347# PRNGD Unix domain socket
3348AC_ARG_WITH([prngd-socket],
3349	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3350	[
3351		case "$withval" in
3352		yes)
3353			withval="/var/run/egd-pool"
3354			;;
3355		no)
3356			withval=""
3357			;;
3358		/*)
3359			;;
3360		*)
3361			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3362			;;
3363		esac
3364
3365		if test ! -z "$withval" ; then
3366			if test ! -z "$PRNGD_PORT" ; then
3367				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3368			fi
3369			if test ! -r "$withval" ; then
3370				AC_MSG_WARN([Entropy socket is not readable])
3371			fi
3372			PRNGD_SOCKET="$withval"
3373			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3374				[Location of PRNGD/EGD random number socket])
3375		fi
3376	],
3377	[
3378		# Check for existing socket only if we don't have a random device already
3379		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3380			AC_MSG_CHECKING([for PRNGD/EGD socket])
3381			# Insert other locations here
3382			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3383				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3384					PRNGD_SOCKET="$sock"
3385					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3386					break;
3387				fi
3388			done
3389			if test ! -z "$PRNGD_SOCKET" ; then
3390				AC_MSG_RESULT([$PRNGD_SOCKET])
3391			else
3392				AC_MSG_RESULT([not found])
3393			fi
3394		fi
3395	]
3396)
3397
3398# Which randomness source do we use?
3399if test ! -z "$PRNGD_PORT" ; then
3400	RAND_MSG="PRNGd port $PRNGD_PORT"
3401elif test ! -z "$PRNGD_SOCKET" ; then
3402	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3403elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3404	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3405		[Define if you want the OpenSSL internally seeded PRNG only])
3406	RAND_MSG="OpenSSL internal ONLY"
3407elif test "x$openssl" = "xno" ; then
3408	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3409else
3410	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3411fi
3412LIBS="$nocrypto_saved_LIBS"
3413
3414saved_LIBS="$LIBS"
3415AC_CHECK_LIB([iaf], [ia_openinfo], [
3416	LIBS="$LIBS -liaf"
3417	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3418				AC_DEFINE([HAVE_LIBIAF], [1],
3419			[Define if system has libiaf that supports set_id])
3420				])
3421])
3422LIBS="$saved_LIBS"
3423
3424# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
3425saved_LIBS="$LIBS"
3426AC_CHECK_LIB([crypt], [crypt], [
3427	LIBS="-lcrypt $LIBS"
3428	SSHDLIBS="-lcrypt $SSHDLIBS"
3429])
3430AC_CHECK_FUNCS([crypt])
3431LIBS="$saved_LIBS"
3432
3433# Check for PAM libs
3434PAM_MSG="no"
3435AC_ARG_WITH([pam],
3436	[  --with-pam              Enable PAM support ],
3437	[
3438		if test "x$withval" != "xno" ; then
3439			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3440			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3441				AC_MSG_ERROR([PAM headers not found])
3442			fi
3443
3444			saved_LIBS="$LIBS"
3445			AC_CHECK_LIB([dl], [dlopen], , )
3446			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3447			AC_CHECK_FUNCS([pam_getenvlist])
3448			AC_CHECK_FUNCS([pam_putenv])
3449			LIBS="$saved_LIBS"
3450
3451			PAM_MSG="yes"
3452
3453			SSHDLIBS="$SSHDLIBS -lpam"
3454			AC_DEFINE([USE_PAM], [1],
3455				[Define if you want to enable PAM support])
3456
3457			if test $ac_cv_lib_dl_dlopen = yes; then
3458				case "$LIBS" in
3459				*-ldl*)
3460					# libdl already in LIBS
3461					;;
3462				*)
3463					SSHDLIBS="$SSHDLIBS -ldl"
3464					;;
3465				esac
3466			fi
3467		fi
3468	]
3469)
3470
3471AC_ARG_WITH([pam-service],
3472	[  --with-pam-service=name Specify PAM service name ],
3473	[
3474		if test "x$withval" != "xno" && \
3475		   test "x$withval" != "xyes" ; then
3476			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3477				["$withval"], [sshd PAM service name])
3478		fi
3479	]
3480)
3481
3482# Check for older PAM
3483if test "x$PAM_MSG" = "xyes" ; then
3484	# Check PAM strerror arguments (old PAM)
3485	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3486	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3487#include <stdlib.h>
3488#if defined(HAVE_SECURITY_PAM_APPL_H)
3489#include <security/pam_appl.h>
3490#elif defined (HAVE_PAM_PAM_APPL_H)
3491#include <pam/pam_appl.h>
3492#endif
3493		]], [[
3494(void)pam_strerror((pam_handle_t *)NULL, -1);
3495		]])], [AC_MSG_RESULT([no])], [
3496			AC_DEFINE([HAVE_OLD_PAM], [1],
3497				[Define if you have an old version of PAM
3498				which takes only one argument to pam_strerror])
3499			AC_MSG_RESULT([yes])
3500			PAM_MSG="yes (old library)"
3501
3502	])
3503fi
3504
3505case "$host" in
3506*-*-cygwin*)
3507	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3508	;;
3509*)
3510	SSH_PRIVSEP_USER=sshd
3511	;;
3512esac
3513AC_ARG_WITH([privsep-user],
3514	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3515	[
3516		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3517		    test "x${withval}" != "xyes"; then
3518			SSH_PRIVSEP_USER=$withval
3519		fi
3520	]
3521)
3522if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3523	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3524		[Cygwin function to fetch non-privileged user for privilege separation])
3525else
3526	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3527		[non-privileged user for privilege separation])
3528fi
3529AC_SUBST([SSH_PRIVSEP_USER])
3530
3531if test "x$have_linux_no_new_privs" = "x1" ; then
3532AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3533	#include <sys/types.h>
3534	#include <linux/seccomp.h>
3535])
3536fi
3537if test "x$have_seccomp_filter" = "x1" ; then
3538AC_MSG_CHECKING([kernel for seccomp_filter support])
3539AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3540		#include <errno.h>
3541		#include <elf.h>
3542		#include <linux/audit.h>
3543		#include <linux/seccomp.h>
3544		#include <stdlib.h>
3545		#include <sys/prctl.h>
3546	]],
3547	[[ int i = $seccomp_audit_arch;
3548	   errno = 0;
3549	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3550	   exit(errno == EFAULT ? 0 : 1); ]])],
3551	[ AC_MSG_RESULT([yes]) ], [
3552		AC_MSG_RESULT([no])
3553		# Disable seccomp filter as a target
3554		have_seccomp_filter=0
3555	]
3556)
3557fi
3558
3559AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
3560#include <sys/types.h>
3561#ifdef HAVE_POLL_H
3562#include <poll.h>
3563#endif
3564#ifdef HAVE_SYS_POLL_H
3565#include <sys/poll.h>
3566#endif
3567]])
3568
3569AC_CHECK_TYPES([nfds_t], , , [
3570#include <sys/types.h>
3571#ifdef HAVE_POLL_H
3572#include <poll.h>
3573#endif
3574#ifdef HAVE_SYS_POLL_H
3575#include <sys/poll.h>
3576#endif
3577])
3578
3579# Decide which sandbox style to use
3580sandbox_arg=""
3581AC_ARG_WITH([sandbox],
3582	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3583	[
3584		if test "x$withval" = "xyes" ; then
3585			sandbox_arg=""
3586		else
3587			sandbox_arg="$withval"
3588		fi
3589	]
3590)
3591
3592if test "x$sandbox_arg" != "xno"; then
3593# POSIX specifies that poll() "shall fail with EINVAL if the nfds argument
3594# is greater than OPEN_MAX".  On some platforms that includes implementions
3595# of select in userspace on top of poll() so check both work with rlimit
3596# NOFILES so check that both work before enabling the rlimit sandbox.
3597    AC_MSG_CHECKING([if select and/or poll works with descriptor rlimit])
3598    AC_RUN_IFELSE(
3599	[AC_LANG_PROGRAM([[
3600#include <sys/types.h>
3601#ifdef HAVE_SYS_TIME_H
3602# include <sys/time.h>
3603#endif
3604#include <sys/resource.h>
3605#ifdef HAVE_SYS_SELECT_H
3606# include <sys/select.h>
3607#endif
3608#ifdef HAVE_POLL_H
3609# include <poll.h>
3610#elif HAVE_SYS_POLL_H
3611# include <sys/poll.h>
3612#endif
3613#include <errno.h>
3614#include <fcntl.h>
3615#include <stdlib.h>
3616	]],[[
3617	struct rlimit rl_zero;
3618	int fd, r;
3619	fd_set fds;
3620	struct timeval tv;
3621#ifdef HAVE_POLL
3622	struct pollfd pfd;
3623#endif
3624
3625	fd = open("/dev/null", O_RDONLY);
3626	FD_ZERO(&fds);
3627	FD_SET(fd, &fds);
3628	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3629	setrlimit(RLIMIT_FSIZE, &rl_zero);
3630	setrlimit(RLIMIT_NOFILE, &rl_zero);
3631	tv.tv_sec = 1;
3632	tv.tv_usec = 0;
3633	r = select(fd+1, &fds, NULL, NULL, &tv);
3634	if (r == -1)
3635		exit(1);
3636#ifdef HAVE_POLL
3637	pfd.fd = fd;
3638	pfd.events = POLLIN;
3639	r = poll(&pfd, 1, 1);
3640	if (r == -1)
3641		exit(2);
3642#endif
3643	exit(0);
3644	]])],
3645	[AC_MSG_RESULT([yes])
3646	 select_works_with_rlimit=yes],
3647	[AC_MSG_RESULT([no])
3648	 select_works_with_rlimit=no],
3649	[AC_MSG_WARN([cross compiling: assuming no])
3650	 select_works_with_rlimit=no]
3651    )
3652
3653    AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3654    AC_RUN_IFELSE(
3655	[AC_LANG_PROGRAM([[
3656#include <sys/types.h>
3657#ifdef HAVE_SYS_TIME_H
3658# include <sys/time.h>
3659#endif
3660#include <sys/resource.h>
3661#include <errno.h>
3662#include <stdlib.h>
3663	]],[[
3664	struct rlimit rl_zero;
3665	int r;
3666
3667	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3668	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3669	exit (r == -1 ? 1 : 0);
3670	]])],
3671	[AC_MSG_RESULT([yes])
3672	 rlimit_nofile_zero_works=yes],
3673	[AC_MSG_RESULT([no])
3674	 rlimit_nofile_zero_works=no],
3675	[AC_MSG_WARN([cross compiling: assuming yes])
3676	 rlimit_nofile_zero_works=yes]
3677    )
3678
3679    AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3680    AC_RUN_IFELSE(
3681	[AC_LANG_PROGRAM([[
3682#include <sys/types.h>
3683#include <sys/resource.h>
3684#include <stdlib.h>
3685	]],[[
3686		struct rlimit rl_zero;
3687
3688		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3689		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3690	]])],
3691	[AC_MSG_RESULT([yes])],
3692	[AC_MSG_RESULT([no])
3693	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3694	    [setrlimit RLIMIT_FSIZE works])],
3695	[AC_MSG_WARN([cross compiling: assuming yes])]
3696    )
3697fi
3698
3699if test "x$sandbox_arg" = "xpledge" || \
3700   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3701	test "x$ac_cv_func_pledge" != "xyes" && \
3702		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3703	SANDBOX_STYLE="pledge"
3704	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3705elif test "x$sandbox_arg" = "xsystrace" || \
3706   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3707	test "x$have_systr_policy_kill" != "x1" && \
3708		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3709	SANDBOX_STYLE="systrace"
3710	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3711elif test "x$sandbox_arg" = "xdarwin" || \
3712     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3713       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3714	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3715	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3716		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3717	SANDBOX_STYLE="darwin"
3718	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3719elif test "x$sandbox_arg" = "xseccomp_filter" || \
3720     ( test -z "$sandbox_arg" && \
3721       test "x$have_seccomp_filter" = "x1" && \
3722       test "x$ac_cv_header_elf_h" = "xyes" && \
3723       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3724       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3725       test "x$seccomp_audit_arch" != "x" && \
3726       test "x$have_linux_no_new_privs" = "x1" && \
3727       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3728	test "x$seccomp_audit_arch" = "x" && \
3729		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3730	test "x$have_linux_no_new_privs" != "x1" && \
3731		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3732	test "x$have_seccomp_filter" != "x1" && \
3733		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3734	test "x$ac_cv_func_prctl" != "xyes" && \
3735		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3736	SANDBOX_STYLE="seccomp_filter"
3737	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3738elif test "x$sandbox_arg" = "xcapsicum" || \
3739     ( test -z "$sandbox_arg" && \
3740       test "x$disable_capsicum" != "xyes" && \
3741       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3742       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3743       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3744		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3745       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3746		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3747       SANDBOX_STYLE="capsicum"
3748       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3749elif test "x$sandbox_arg" = "xrlimit" || \
3750     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3751       test "x$select_works_with_rlimit" = "xyes" && \
3752       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3753	test "x$ac_cv_func_setrlimit" != "xyes" && \
3754		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3755	test "x$select_works_with_rlimit" != "xyes" && \
3756		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3757	SANDBOX_STYLE="rlimit"
3758	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3759elif test "x$sandbox_arg" = "xsolaris" || \
3760   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3761	SANDBOX_STYLE="solaris"
3762	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3763elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3764     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3765	SANDBOX_STYLE="none"
3766	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3767else
3768	AC_MSG_ERROR([unsupported --with-sandbox])
3769fi
3770
3771# Cheap hack to ensure NEWS-OS libraries are arranged right.
3772if test ! -z "$SONY" ; then
3773  LIBS="$LIBS -liberty";
3774fi
3775
3776# Check for long long datatypes
3777AC_CHECK_TYPES([long long, unsigned long long, long double])
3778
3779# Check datatype sizes
3780AC_CHECK_SIZEOF([short int])
3781AC_CHECK_SIZEOF([int])
3782AC_CHECK_SIZEOF([long int])
3783AC_CHECK_SIZEOF([long long int])
3784AC_CHECK_SIZEOF([time_t], [], [[
3785    #include <sys/types.h>
3786    #ifdef HAVE_SYS_TIME_H
3787    # include <sys/time.h>
3788    #endif
3789    #ifdef HAVE_TIME_H
3790    # include <time.h>
3791    #endif
3792	]]
3793)
3794
3795# Sanity check long long for some platforms (AIX)
3796if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3797	ac_cv_sizeof_long_long_int=0
3798fi
3799
3800# compute LLONG_MIN and LLONG_MAX if we don't know them.
3801if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3802	AC_MSG_CHECKING([for max value of long long])
3803	AC_RUN_IFELSE(
3804		[AC_LANG_PROGRAM([[
3805#include <stdio.h>
3806#include <stdlib.h>
3807/* Why is this so damn hard? */
3808#ifdef __GNUC__
3809# undef __GNUC__
3810#endif
3811#define __USE_ISOC99
3812#include <limits.h>
3813#define DATA "conftest.llminmax"
3814#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3815
3816/*
3817 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3818 * we do this the hard way.
3819 */
3820static int
3821fprint_ll(FILE *f, long long n)
3822{
3823	unsigned int i;
3824	int l[sizeof(long long) * 8];
3825
3826	if (n < 0)
3827		if (fprintf(f, "-") < 0)
3828			return -1;
3829	for (i = 0; n != 0; i++) {
3830		l[i] = my_abs(n % 10);
3831		n /= 10;
3832	}
3833	do {
3834		if (fprintf(f, "%d", l[--i]) < 0)
3835			return -1;
3836	} while (i != 0);
3837	if (fprintf(f, " ") < 0)
3838		return -1;
3839	return 0;
3840}
3841		]], [[
3842	FILE *f;
3843	long long i, llmin, llmax = 0;
3844
3845	if((f = fopen(DATA,"w")) == NULL)
3846		exit(1);
3847
3848#if defined(LLONG_MIN) && defined(LLONG_MAX)
3849	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3850	llmin = LLONG_MIN;
3851	llmax = LLONG_MAX;
3852#else
3853	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3854	/* This will work on one's complement and two's complement */
3855	for (i = 1; i > llmax; i <<= 1, i++)
3856		llmax = i;
3857	llmin = llmax + 1LL;	/* wrap */
3858#endif
3859
3860	/* Sanity check */
3861	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3862	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3863	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3864		fprintf(f, "unknown unknown\n");
3865		exit(2);
3866	}
3867
3868	if (fprint_ll(f, llmin) < 0)
3869		exit(3);
3870	if (fprint_ll(f, llmax) < 0)
3871		exit(4);
3872	if (fclose(f) < 0)
3873		exit(5);
3874	exit(0);
3875		]])],
3876		[
3877			llong_min=`$AWK '{print $1}' conftest.llminmax`
3878			llong_max=`$AWK '{print $2}' conftest.llminmax`
3879
3880			AC_MSG_RESULT([$llong_max])
3881			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3882			    [max value of long long calculated by configure])
3883			AC_MSG_CHECKING([for min value of long long])
3884			AC_MSG_RESULT([$llong_min])
3885			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3886			    [min value of long long calculated by configure])
3887		],
3888		[
3889			AC_MSG_RESULT([not found])
3890		],
3891		[
3892			AC_MSG_WARN([cross compiling: not checking])
3893		]
3894	)
3895fi
3896
3897AC_CHECK_DECLS([UINT32_MAX], , , [[
3898#ifdef HAVE_SYS_LIMITS_H
3899# include <sys/limits.h>
3900#endif
3901#ifdef HAVE_LIMITS_H
3902# include <limits.h>
3903#endif
3904#ifdef HAVE_STDINT_H
3905# include <stdint.h>
3906#endif
3907]])
3908
3909# More checks for data types
3910AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3911	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3912	[[ u_int a; a = 1;]])],
3913	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3914	])
3915])
3916if test "x$ac_cv_have_u_int" = "xyes" ; then
3917	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3918	have_u_int=1
3919fi
3920
3921AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3922	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3923	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3924	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3925	])
3926])
3927if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3928	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3929	have_intxx_t=1
3930fi
3931
3932if (test -z "$have_intxx_t" && \
3933	   test "x$ac_cv_header_stdint_h" = "xyes")
3934then
3935    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3936	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3937	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3938		[
3939			AC_DEFINE([HAVE_INTXX_T])
3940			AC_MSG_RESULT([yes])
3941		], [ AC_MSG_RESULT([no])
3942	])
3943fi
3944
3945AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3946	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3947#include <sys/types.h>
3948#ifdef HAVE_STDINT_H
3949# include <stdint.h>
3950#endif
3951#include <sys/socket.h>
3952#ifdef HAVE_SYS_BITYPES_H
3953# include <sys/bitypes.h>
3954#endif
3955		]], [[
3956int64_t a; a = 1;
3957		]])],
3958	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3959	])
3960])
3961if test "x$ac_cv_have_int64_t" = "xyes" ; then
3962	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3963fi
3964
3965AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3966	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3967	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3968	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3969	])
3970])
3971if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3972	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3973	have_u_intxx_t=1
3974fi
3975
3976if test -z "$have_u_intxx_t" ; then
3977    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3978	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3979	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3980		[
3981			AC_DEFINE([HAVE_U_INTXX_T])
3982			AC_MSG_RESULT([yes])
3983		], [ AC_MSG_RESULT([no])
3984	])
3985fi
3986
3987AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3988	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3989	[[ u_int64_t a; a = 1;]])],
3990	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3991	])
3992])
3993if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3994	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3995	have_u_int64_t=1
3996fi
3997
3998if (test -z "$have_u_int64_t" && \
3999	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
4000then
4001    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
4002	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
4003	[[ u_int64_t a; a = 1]])],
4004		[
4005			AC_DEFINE([HAVE_U_INT64_T])
4006			AC_MSG_RESULT([yes])
4007		], [ AC_MSG_RESULT([no])
4008	])
4009fi
4010
4011if test -z "$have_u_intxx_t" ; then
4012	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
4013		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4014#include <sys/types.h>
4015			]], [[
4016	uint8_t a;
4017	uint16_t b;
4018	uint32_t c;
4019	a = b = c = 1;
4020			]])],
4021		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
4022		])
4023	])
4024	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
4025		AC_DEFINE([HAVE_UINTXX_T], [1],
4026			[define if you have uintxx_t data type])
4027	fi
4028fi
4029
4030if (test -z "$have_uintxx_t" && \
4031	   test "x$ac_cv_header_stdint_h" = "xyes")
4032then
4033    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
4034	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
4035	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
4036		[
4037			AC_DEFINE([HAVE_UINTXX_T])
4038			AC_MSG_RESULT([yes])
4039		], [ AC_MSG_RESULT([no])
4040	])
4041fi
4042
4043if (test -z "$have_uintxx_t" && \
4044	   test "x$ac_cv_header_inttypes_h" = "xyes")
4045then
4046    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
4047	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
4048	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
4049		[
4050			AC_DEFINE([HAVE_UINTXX_T])
4051			AC_MSG_RESULT([yes])
4052		], [ AC_MSG_RESULT([no])
4053	])
4054fi
4055
4056if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
4057	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
4058then
4059	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
4060	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4061#include <sys/bitypes.h>
4062		]], [[
4063			int8_t a; int16_t b; int32_t c;
4064			u_int8_t e; u_int16_t f; u_int32_t g;
4065			a = b = c = e = f = g = 1;
4066		]])],
4067		[
4068			AC_DEFINE([HAVE_U_INTXX_T])
4069			AC_DEFINE([HAVE_INTXX_T])
4070			AC_MSG_RESULT([yes])
4071		], [AC_MSG_RESULT([no])
4072	])
4073fi
4074
4075
4076AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
4077	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4078	[[ u_char foo; foo = 125; ]])],
4079	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
4080	])
4081])
4082if test "x$ac_cv_have_u_char" = "xyes" ; then
4083	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
4084fi
4085
4086AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
4087#include <sys/types.h>
4088#ifdef HAVE_STDINT_H
4089# include <stdint.h>
4090#endif
4091])
4092
4093TYPE_SOCKLEN_T
4094
4095AC_CHECK_TYPES([sig_atomic_t, sighandler_t], , , [#include <signal.h>])
4096AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
4097#include <sys/types.h>
4098#ifdef HAVE_SYS_BITYPES_H
4099#include <sys/bitypes.h>
4100#endif
4101#ifdef HAVE_SYS_STATFS_H
4102#include <sys/statfs.h>
4103#endif
4104#ifdef HAVE_SYS_STATVFS_H
4105#include <sys/statvfs.h>
4106#endif
4107])
4108
4109AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
4110#include <sys/param.h>
4111#include <sys/types.h>
4112#ifdef HAVE_SYS_BITYPES_H
4113#include <sys/bitypes.h>
4114#endif
4115#ifdef HAVE_SYS_STATFS_H
4116#include <sys/statfs.h>
4117#endif
4118#ifdef HAVE_SYS_STATVFS_H
4119#include <sys/statvfs.h>
4120#endif
4121#ifdef HAVE_SYS_VFS_H
4122#include <sys/vfs.h>
4123#endif
4124#ifdef HAVE_SYS_MOUNT_H
4125#include <sys/mount.h>
4126#endif
4127]])
4128
4129
4130AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
4131[#include <sys/types.h>
4132#include <netinet/in.h>])
4133
4134AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
4135	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4136	[[ size_t foo; foo = 1235; ]])],
4137	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4138	])
4139])
4140if test "x$ac_cv_have_size_t" = "xyes" ; then
4141	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4142fi
4143
4144AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4145	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4146	[[ ssize_t foo; foo = 1235; ]])],
4147	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4148	])
4149])
4150if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4151	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4152fi
4153
4154AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4155	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4156	[[ clock_t foo; foo = 1235; ]])],
4157	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4158	])
4159])
4160if test "x$ac_cv_have_clock_t" = "xyes" ; then
4161	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4162fi
4163
4164AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4165	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4166#include <sys/types.h>
4167#include <sys/socket.h>
4168		]], [[ sa_family_t foo; foo = 1235; ]])],
4169	[ ac_cv_have_sa_family_t="yes" ],
4170	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4171#include <sys/types.h>
4172#include <sys/socket.h>
4173#include <netinet/in.h>
4174		]], [[ sa_family_t foo; foo = 1235; ]])],
4175		[ ac_cv_have_sa_family_t="yes" ],
4176		[ ac_cv_have_sa_family_t="no" ]
4177	)
4178	])
4179])
4180if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4181	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4182		[define if you have sa_family_t data type])
4183fi
4184
4185AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4186	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4187	[[ pid_t foo; foo = 1235; ]])],
4188	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4189	])
4190])
4191if test "x$ac_cv_have_pid_t" = "xyes" ; then
4192	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4193fi
4194
4195AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4196	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4197	[[ mode_t foo; foo = 1235; ]])],
4198	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4199	])
4200])
4201if test "x$ac_cv_have_mode_t" = "xyes" ; then
4202	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4203fi
4204
4205
4206AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4207	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4208#include <sys/types.h>
4209#include <sys/socket.h>
4210		]], [[ struct sockaddr_storage s; ]])],
4211	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4212	[ ac_cv_have_struct_sockaddr_storage="no"
4213	])
4214])
4215if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4216	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4217		[define if you have struct sockaddr_storage data type])
4218fi
4219
4220AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4221	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4222#include <sys/types.h>
4223#include <netinet/in.h>
4224		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4225	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4226	[ ac_cv_have_struct_sockaddr_in6="no"
4227	])
4228])
4229if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4230	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4231		[define if you have struct sockaddr_in6 data type])
4232fi
4233
4234AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4235	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4236#include <sys/types.h>
4237#include <netinet/in.h>
4238		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4239	[ ac_cv_have_struct_in6_addr="yes" ],
4240	[ ac_cv_have_struct_in6_addr="no"
4241	])
4242])
4243if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4244	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4245		[define if you have struct in6_addr data type])
4246
4247dnl Now check for sin6_scope_id
4248	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4249		[
4250#ifdef HAVE_SYS_TYPES_H
4251#include <sys/types.h>
4252#endif
4253#include <netinet/in.h>
4254		])
4255fi
4256
4257AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4258	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4259#include <sys/types.h>
4260#include <sys/socket.h>
4261#include <netdb.h>
4262		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4263	[ ac_cv_have_struct_addrinfo="yes" ],
4264	[ ac_cv_have_struct_addrinfo="no"
4265	])
4266])
4267if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4268	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4269		[define if you have struct addrinfo data type])
4270fi
4271
4272AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4273	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4274	[[ struct timeval tv; tv.tv_sec = 1;]])],
4275	[ ac_cv_have_struct_timeval="yes" ],
4276	[ ac_cv_have_struct_timeval="no"
4277	])
4278])
4279if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4280	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4281	have_struct_timeval=1
4282fi
4283
4284AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4285	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4286    #ifdef HAVE_SYS_TIME_H
4287    # include <sys/time.h>
4288    #endif
4289    #ifdef HAVE_TIME_H
4290    # include <time.h>
4291    #endif
4292	]],
4293	[[ struct timespec ts; ts.tv_sec = 1;]])],
4294	[ ac_cv_have_struct_timespec="yes" ],
4295	[ ac_cv_have_struct_timespec="no"
4296	])
4297])
4298if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4299	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4300	have_struct_timespec=1
4301fi
4302
4303# We need int64_t or else certain parts of the compile will fail.
4304if test "x$ac_cv_have_int64_t" = "xno" && \
4305	test "x$ac_cv_sizeof_long_int" != "x8" && \
4306	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4307	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4308	echo "an alternative compiler (I.E., GCC) before continuing."
4309	echo ""
4310	exit 1;
4311else
4312dnl test snprintf (broken on SCO w/gcc)
4313	AC_RUN_IFELSE(
4314		[AC_LANG_SOURCE([[
4315#include <stdio.h>
4316#include <stdlib.h>
4317#include <string.h>
4318#ifdef HAVE_SNPRINTF
4319main()
4320{
4321	char buf[50];
4322	char expected_out[50];
4323	int mazsize = 50 ;
4324#if (SIZEOF_LONG_INT == 8)
4325	long int num = 0x7fffffffffffffff;
4326#else
4327	long long num = 0x7fffffffffffffffll;
4328#endif
4329	strcpy(expected_out, "9223372036854775807");
4330	snprintf(buf, mazsize, "%lld", num);
4331	if(strcmp(buf, expected_out) != 0)
4332		exit(1);
4333	exit(0);
4334}
4335#else
4336main() { exit(0); }
4337#endif
4338		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4339		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4340	)
4341fi
4342
4343dnl Checks for structure members
4344OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4345OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4346OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4347OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4348OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4349OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4350OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4351OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4352OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4353OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4354OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4355OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4356OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4357OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4358OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4359OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4360OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4361OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4362
4363AC_CHECK_MEMBERS([struct stat.st_blksize])
4364AC_CHECK_MEMBERS([struct stat.st_mtim])
4365AC_CHECK_MEMBERS([struct stat.st_mtime])
4366AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4367struct passwd.pw_change, struct passwd.pw_expire],
4368[], [], [[
4369#include <sys/types.h>
4370#include <pwd.h>
4371]])
4372
4373AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4374	[Define if we don't have struct __res_state in resolv.h])],
4375[[
4376#include <stdio.h>
4377#if HAVE_SYS_TYPES_H
4378# include <sys/types.h>
4379#endif
4380#include <netinet/in.h>
4381#include <arpa/nameser.h>
4382#include <resolv.h>
4383]])
4384
4385AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4386		ac_cv_have_ss_family_in_struct_ss, [
4387	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4388#include <sys/types.h>
4389#include <sys/socket.h>
4390		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4391	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4392	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4393])
4394if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4395	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4396fi
4397
4398AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4399		ac_cv_have___ss_family_in_struct_ss, [
4400	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4401#include <sys/types.h>
4402#include <sys/socket.h>
4403		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4404	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4405	[ ac_cv_have___ss_family_in_struct_ss="no"
4406	])
4407])
4408if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4409	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4410		[Fields in struct sockaddr_storage])
4411fi
4412
4413dnl make sure we're using the real structure members and not defines
4414AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4415		ac_cv_have_accrights_in_msghdr, [
4416	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4417#include <sys/types.h>
4418#include <sys/socket.h>
4419#include <sys/uio.h>
4420#include <stdlib.h>
4421		]], [[
4422#ifdef msg_accrights
4423#error "msg_accrights is a macro"
4424exit(1);
4425#endif
4426struct msghdr m;
4427m.msg_accrights = 0;
4428exit(0);
4429		]])],
4430		[ ac_cv_have_accrights_in_msghdr="yes" ],
4431		[ ac_cv_have_accrights_in_msghdr="no" ]
4432	)
4433])
4434if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4435	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4436		[Define if your system uses access rights style
4437		file descriptor passing])
4438fi
4439
4440AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4441AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4442#include <sys/param.h>
4443#include <sys/stat.h>
4444#ifdef HAVE_SYS_TIME_H
4445# include <sys/time.h>
4446#endif
4447#ifdef HAVE_SYS_MOUNT_H
4448#include <sys/mount.h>
4449#endif
4450#ifdef HAVE_SYS_STATVFS_H
4451#include <sys/statvfs.h>
4452#endif
4453	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4454	[ AC_MSG_RESULT([yes]) ],
4455	[ AC_MSG_RESULT([no])
4456
4457	AC_MSG_CHECKING([if fsid_t has member val])
4458	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4459#include <sys/types.h>
4460#include <sys/statvfs.h>
4461	]], [[ fsid_t t; t.val[0] = 0; ]])],
4462	[ AC_MSG_RESULT([yes])
4463	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4464	[ AC_MSG_RESULT([no]) ])
4465
4466	AC_MSG_CHECKING([if f_fsid has member __val])
4467	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4468#include <sys/types.h>
4469#include <sys/statvfs.h>
4470	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4471	[ AC_MSG_RESULT([yes])
4472	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4473	[ AC_MSG_RESULT([no]) ])
4474])
4475
4476AC_CACHE_CHECK([for msg_control field in struct msghdr],
4477		ac_cv_have_control_in_msghdr, [
4478	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4479#include <sys/types.h>
4480#include <sys/socket.h>
4481#include <sys/uio.h>
4482#include <stdlib.h>
4483		]], [[
4484#ifdef msg_control
4485#error "msg_control is a macro"
4486exit(1);
4487#endif
4488struct msghdr m;
4489m.msg_control = 0;
4490exit(0);
4491		]])],
4492		[ ac_cv_have_control_in_msghdr="yes" ],
4493		[ ac_cv_have_control_in_msghdr="no" ]
4494	)
4495])
4496if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4497	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4498		[Define if your system uses ancillary data style
4499		file descriptor passing])
4500fi
4501
4502AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4503	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4504		[[ extern char *__progname; printf("%s", __progname); ]])],
4505	[ ac_cv_libc_defines___progname="yes" ],
4506	[ ac_cv_libc_defines___progname="no"
4507	])
4508])
4509if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4510	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4511fi
4512
4513AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4514	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4515		[[ printf("%s", __FUNCTION__); ]])],
4516	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4517	[ ac_cv_cc_implements___FUNCTION__="no"
4518	])
4519])
4520if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4521	AC_DEFINE([HAVE___FUNCTION__], [1],
4522		[Define if compiler implements __FUNCTION__])
4523fi
4524
4525AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4526	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4527		[[ printf("%s", __func__); ]])],
4528	[ ac_cv_cc_implements___func__="yes" ],
4529	[ ac_cv_cc_implements___func__="no"
4530	])
4531])
4532if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4533	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4534fi
4535
4536AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4537	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4538#include <stdarg.h>
4539va_list x,y;
4540		]], [[ va_copy(x,y); ]])],
4541	[ ac_cv_have_va_copy="yes" ],
4542	[ ac_cv_have_va_copy="no"
4543	])
4544])
4545if test "x$ac_cv_have_va_copy" = "xyes" ; then
4546	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4547fi
4548
4549AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4550	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4551#include <stdarg.h>
4552va_list x,y;
4553		]], [[ __va_copy(x,y); ]])],
4554	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4555	])
4556])
4557if test "x$ac_cv_have___va_copy" = "xyes" ; then
4558	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4559fi
4560
4561AC_CACHE_CHECK([whether getopt has optreset support],
4562		ac_cv_have_getopt_optreset, [
4563	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4564		[[ extern int optreset; optreset = 0; ]])],
4565	[ ac_cv_have_getopt_optreset="yes" ],
4566	[ ac_cv_have_getopt_optreset="no"
4567	])
4568])
4569if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4570	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4571		[Define if your getopt(3) defines and uses optreset])
4572fi
4573
4574AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4575	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4576[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4577	[ ac_cv_libc_defines_sys_errlist="yes" ],
4578	[ ac_cv_libc_defines_sys_errlist="no"
4579	])
4580])
4581if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4582	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4583		[Define if your system defines sys_errlist[]])
4584fi
4585
4586
4587AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4588	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4589[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4590	[ ac_cv_libc_defines_sys_nerr="yes" ],
4591	[ ac_cv_libc_defines_sys_nerr="no"
4592	])
4593])
4594if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4595	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4596fi
4597
4598# Check libraries needed by DNS fingerprint support
4599AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4600	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4601		[Define if getrrsetbyname() exists])],
4602	[
4603		# Needed by our getrrsetbyname()
4604		AC_SEARCH_LIBS([res_query], [resolv])
4605		AC_SEARCH_LIBS([dn_expand], [resolv])
4606		AC_MSG_CHECKING([if res_query will link])
4607		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4608#include <sys/types.h>
4609#include <netinet/in.h>
4610#include <arpa/nameser.h>
4611#include <netdb.h>
4612#include <resolv.h>
4613				]], [[
4614	res_query (0, 0, 0, 0, 0);
4615				]])],
4616		    AC_MSG_RESULT([yes]),
4617		   [AC_MSG_RESULT([no])
4618		    saved_LIBS="$LIBS"
4619		    LIBS="$LIBS -lresolv"
4620		    AC_MSG_CHECKING([for res_query in -lresolv])
4621		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4622#include <sys/types.h>
4623#include <netinet/in.h>
4624#include <arpa/nameser.h>
4625#include <netdb.h>
4626#include <resolv.h>
4627				]], [[
4628	res_query (0, 0, 0, 0, 0);
4629				]])],
4630			[AC_MSG_RESULT([yes])],
4631			[LIBS="$saved_LIBS"
4632			 AC_MSG_RESULT([no])])
4633		    ])
4634		AC_CHECK_FUNCS([_getshort _getlong])
4635		AC_CHECK_DECLS([_getshort, _getlong], , ,
4636		    [#include <sys/types.h>
4637		    #include <arpa/nameser.h>])
4638		AC_CHECK_MEMBER([HEADER.ad],
4639			[AC_DEFINE([HAVE_HEADER_AD], [1],
4640			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4641			[#include <arpa/nameser.h>])
4642	])
4643
4644AC_MSG_CHECKING([if struct __res_state _res is an extern])
4645AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4646#include <stdio.h>
4647#if HAVE_SYS_TYPES_H
4648# include <sys/types.h>
4649#endif
4650#include <netinet/in.h>
4651#include <arpa/nameser.h>
4652#include <resolv.h>
4653extern struct __res_state _res;
4654		]], [[
4655struct __res_state *volatile p = &_res;  /* force resolution of _res */
4656return 0;
4657		]],)],
4658		[AC_MSG_RESULT([yes])
4659		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4660		    [Define if you have struct __res_state _res as an extern])
4661		],
4662		[ AC_MSG_RESULT([no]) ]
4663)
4664
4665# Check whether user wants SELinux support
4666SELINUX_MSG="no"
4667LIBSELINUX=""
4668AC_ARG_WITH([selinux],
4669	[  --with-selinux          Enable SELinux support],
4670	[ if test "x$withval" != "xno" ; then
4671		save_LIBS="$LIBS"
4672		AC_DEFINE([WITH_SELINUX], [1],
4673			[Define if you want SELinux support.])
4674		SELINUX_MSG="yes"
4675		AC_CHECK_HEADER([selinux/selinux.h], ,
4676			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4677		AC_CHECK_LIB([selinux], [setexeccon],
4678			[ LIBSELINUX="-lselinux"
4679			  LIBS="$LIBS -lselinux"
4680			],
4681			AC_MSG_ERROR([SELinux support requires libselinux library]))
4682		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4683		LIBS="$save_LIBS $LIBSELINUX"
4684	fi ]
4685)
4686AC_SUBST([SSHDLIBS])
4687
4688# Check whether user wants Kerberos 5 support
4689KRB5_MSG="no"
4690AC_ARG_WITH([kerberos5],
4691	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4692	[ if test "x$withval" != "xno" ; then
4693		if test "x$withval" = "xyes" ; then
4694			KRB5ROOT="/usr/local"
4695		else
4696			KRB5ROOT=${withval}
4697		fi
4698
4699		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4700		KRB5_MSG="yes"
4701
4702		use_pkgconfig_for_krb5=
4703		if test "x$PKGCONFIG" != "xno"; then
4704			AC_MSG_CHECKING([if $PKGCONFIG knows about kerberos5])
4705			if "$PKGCONFIG" krb5; then
4706				AC_MSG_RESULT([yes])
4707				use_pkgconfig_for_krb5=yes
4708			else
4709				AC_MSG_RESULT([no])
4710			fi
4711		fi
4712		if test "x$use_pkgconfig_for_krb5" = "xyes"; then
4713			K5CFLAGS=`$PKGCONFIG --cflags krb5`
4714			K5LIBS=`$PKGCONFIG --libs krb5`
4715			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4716
4717			AC_MSG_CHECKING([for gssapi support])
4718			if "$PKGCONFIG" krb5-gssapi; then
4719				AC_MSG_RESULT([yes])
4720				AC_DEFINE([GSSAPI], [1],
4721					[Define this if you want GSSAPI
4722					support in the version 2 protocol])
4723				GSSCFLAGS="`$PKGCONFIG --cflags krb5-gssapi`"
4724				GSSLIBS="`$PKGCONFIG --libs krb5-gssapi`"
4725				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4726			else
4727				AC_MSG_RESULT([no])
4728			fi
4729			AC_MSG_CHECKING([whether we are using Heimdal])
4730			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4731				]], [[ char *tmp = heimdal_version; ]])],
4732				[ AC_MSG_RESULT([yes])
4733				AC_DEFINE([HEIMDAL], [1],
4734				[Define this if you are using the Heimdal
4735				version of Kerberos V5]) ],
4736				[AC_MSG_RESULT([no])
4737			])
4738		else
4739			AC_PATH_TOOL([KRB5CONF], [krb5-config],
4740				     [$KRB5ROOT/bin/krb5-config],
4741				     [$KRB5ROOT/bin:$PATH])
4742			if test -x $KRB5CONF ; then
4743				K5CFLAGS="`$KRB5CONF --cflags`"
4744				K5LIBS="`$KRB5CONF --libs`"
4745				CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4746
4747				AC_MSG_CHECKING([for gssapi support])
4748				if $KRB5CONF | grep gssapi >/dev/null ; then
4749					AC_MSG_RESULT([yes])
4750					AC_DEFINE([GSSAPI], [1],
4751						[Define this if you want GSSAPI
4752						support in the version 2 protocol])
4753					GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4754					GSSLIBS="`$KRB5CONF --libs gssapi`"
4755					CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4756				else
4757					AC_MSG_RESULT([no])
4758				fi
4759				AC_MSG_CHECKING([whether we are using Heimdal])
4760				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4761					]], [[ char *tmp = heimdal_version; ]])],
4762					[ AC_MSG_RESULT([yes])
4763					AC_DEFINE([HEIMDAL], [1],
4764					[Define this if you are using the Heimdal
4765					version of Kerberos V5]) ],
4766					[AC_MSG_RESULT([no])
4767				])
4768			else
4769				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4770				LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4771				AC_MSG_CHECKING([whether we are using Heimdal])
4772				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4773					]], [[ char *tmp = heimdal_version; ]])],
4774						[ AC_MSG_RESULT([yes])
4775						 AC_DEFINE([HEIMDAL])
4776						 K5LIBS="-lkrb5"
4777						 K5LIBS="$K5LIBS -lcom_err -lasn1"
4778						 AC_CHECK_LIB([roken], [net_write],
4779						   [K5LIBS="$K5LIBS -lroken"])
4780						 AC_CHECK_LIB([des], [des_cbc_encrypt],
4781						   [K5LIBS="$K5LIBS -ldes"])
4782					       ], [ AC_MSG_RESULT([no])
4783						 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4784				])
4785				AC_SEARCH_LIBS([dn_expand], [resolv])
4786
4787				AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4788					[ AC_DEFINE([GSSAPI])
4789					  GSSLIBS="-lgssapi_krb5" ],
4790					[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4791						[ AC_DEFINE([GSSAPI])
4792						  GSSLIBS="-lgssapi" ],
4793						[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4794							[ AC_DEFINE([GSSAPI])
4795							  GSSLIBS="-lgss" ],
4796							AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4797						])
4798					])
4799
4800				AC_CHECK_HEADER([gssapi.h], ,
4801					[ unset ac_cv_header_gssapi_h
4802					  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4803					  AC_CHECK_HEADERS([gssapi.h], ,
4804						AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4805					  )
4806					]
4807				)
4808
4809				oldCPP="$CPPFLAGS"
4810				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4811				AC_CHECK_HEADER([gssapi_krb5.h], ,
4812						[ CPPFLAGS="$oldCPP" ])
4813
4814			fi
4815		fi
4816		if test -n "${rpath_opt}" ; then
4817			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4818		fi
4819		if test ! -z "$blibpath" ; then
4820			blibpath="$blibpath:${KRB5ROOT}/lib"
4821		fi
4822
4823		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4824		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4825		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4826
4827		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4828			[Define this if you want to use libkafs' AFS support])])
4829
4830		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4831#ifdef HAVE_GSSAPI_H
4832# include <gssapi.h>
4833#elif defined(HAVE_GSSAPI_GSSAPI_H)
4834# include <gssapi/gssapi.h>
4835#endif
4836
4837#ifdef HAVE_GSSAPI_GENERIC_H
4838# include <gssapi_generic.h>
4839#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4840# include <gssapi/gssapi_generic.h>
4841#endif
4842		]])
4843		saved_LIBS="$LIBS"
4844		LIBS="$LIBS $K5LIBS"
4845		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4846		LIBS="$saved_LIBS"
4847
4848	fi
4849	]
4850)
4851AC_SUBST([GSSLIBS])
4852AC_SUBST([K5LIBS])
4853AC_SUBST([CHANNELLIBS])
4854
4855# Looking for programs, paths and files
4856
4857PRIVSEP_PATH=/var/empty
4858AC_ARG_WITH([privsep-path],
4859	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4860	[
4861		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4862		    test "x${withval}" != "xyes"; then
4863			PRIVSEP_PATH=$withval
4864		fi
4865	]
4866)
4867AC_SUBST([PRIVSEP_PATH])
4868
4869AC_ARG_WITH([xauth],
4870	[  --with-xauth=PATH       Specify path to xauth program ],
4871	[
4872		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4873		    test "x${withval}" != "xyes"; then
4874			xauth_path=$withval
4875		fi
4876	],
4877	[
4878		TestPath="$PATH"
4879		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4880		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4881		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4882		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4883		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4884		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4885			xauth_path="/usr/openwin/bin/xauth"
4886		fi
4887	]
4888)
4889
4890STRIP_OPT=-s
4891AC_ARG_ENABLE([strip],
4892	[  --disable-strip         Disable calling strip(1) on install],
4893	[
4894		if test "x$enableval" = "xno" ; then
4895			STRIP_OPT=
4896		fi
4897	]
4898)
4899AC_SUBST([STRIP_OPT])
4900
4901if test -z "$xauth_path" ; then
4902	XAUTH_PATH="undefined"
4903	AC_SUBST([XAUTH_PATH])
4904else
4905	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4906		[Define if xauth is found in your path])
4907	XAUTH_PATH=$xauth_path
4908	AC_SUBST([XAUTH_PATH])
4909fi
4910
4911dnl # --with-maildir=/path/to/mail gets top priority.
4912dnl # if maildir is set in the platform case statement above we use that.
4913dnl # Otherwise we run a program to get the dir from system headers.
4914dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4915dnl # If we find _PATH_MAILDIR we do nothing because that is what
4916dnl # session.c expects anyway. Otherwise we set to the value found
4917dnl # stripping any trailing slash. If for some strage reason our program
4918dnl # does not find what it needs, we default to /var/spool/mail.
4919# Check for mail directory
4920AC_ARG_WITH([maildir],
4921    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4922    [
4923	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4924	    test "x${withval}" != xyes; then
4925		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4926            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4927	    fi
4928     ],[
4929	if test "X$maildir" != "X"; then
4930	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4931	else
4932	    AC_MSG_CHECKING([Discovering system mail directory])
4933	    AC_RUN_IFELSE(
4934		[AC_LANG_PROGRAM([[
4935#include <stdio.h>
4936#include <stdlib.h>
4937#include <string.h>
4938#ifdef HAVE_PATHS_H
4939#include <paths.h>
4940#endif
4941#ifdef HAVE_MAILLOCK_H
4942#include <maillock.h>
4943#endif
4944#define DATA "conftest.maildir"
4945	]], [[
4946	FILE *fd;
4947	int rc;
4948
4949	fd = fopen(DATA,"w");
4950	if(fd == NULL)
4951		exit(1);
4952
4953#if defined (_PATH_MAILDIR)
4954	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4955		exit(1);
4956#elif defined (MAILDIR)
4957	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4958		exit(1);
4959#elif defined (_PATH_MAIL)
4960	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4961		exit(1);
4962#else
4963	exit (2);
4964#endif
4965
4966	exit(0);
4967		]])],
4968		[
4969		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4970		    maildir=`awk -F: '{print $2}' conftest.maildir \
4971			| sed 's|/$||'`
4972		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4973		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4974			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4975		    fi
4976		],
4977		[
4978		    if test "X$ac_status" = "X2";then
4979# our test program didn't find it. Default to /var/spool/mail
4980			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4981			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4982		     else
4983			AC_MSG_RESULT([*** not found ***])
4984		     fi
4985		],
4986		[
4987			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4988		]
4989	    )
4990	fi
4991    ]
4992) # maildir
4993
4994if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4995	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4996	disable_ptmx_check=yes
4997fi
4998if test -z "$no_dev_ptmx" ; then
4999	if test "x$disable_ptmx_check" != "xyes" ; then
5000		AC_CHECK_FILE(["/dev/ptmx"],
5001			[
5002				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
5003					[Define if you have /dev/ptmx])
5004				have_dev_ptmx=1
5005			]
5006		)
5007	fi
5008fi
5009
5010if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
5011	AC_CHECK_FILE(["/dev/ptc"],
5012		[
5013			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
5014				[Define if you have /dev/ptc])
5015			have_dev_ptc=1
5016		]
5017	)
5018else
5019	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
5020fi
5021
5022# Options from here on. Some of these are preset by platform above
5023AC_ARG_WITH([mantype],
5024	[  --with-mantype=man|cat|doc  Set man page type],
5025	[
5026		case "$withval" in
5027		man|cat|doc)
5028			MANTYPE=$withval
5029			;;
5030		*)
5031			AC_MSG_ERROR([invalid man type: $withval])
5032			;;
5033		esac
5034	]
5035)
5036if test -z "$MANTYPE"; then
5037	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
5038		MANTYPE=doc
5039	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
5040		MANTYPE=doc
5041	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
5042		MANTYPE=man
5043	else
5044		MANTYPE=cat
5045	fi
5046fi
5047AC_SUBST([MANTYPE])
5048if test "$MANTYPE" = "doc"; then
5049	mansubdir=man;
5050else
5051	mansubdir=$MANTYPE;
5052fi
5053AC_SUBST([mansubdir])
5054
5055# Whether to disable shadow password support
5056AC_ARG_WITH([shadow],
5057	[  --without-shadow        Disable shadow password support],
5058	[
5059		if test "x$withval" = "xno" ; then
5060			AC_DEFINE([DISABLE_SHADOW])
5061			disable_shadow=yes
5062		fi
5063	]
5064)
5065
5066if test -z "$disable_shadow" ; then
5067	AC_MSG_CHECKING([if the systems has expire shadow information])
5068	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5069#include <sys/types.h>
5070#include <shadow.h>
5071struct spwd sp;
5072		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
5073		[ sp_expire_available=yes ], [
5074	])
5075
5076	if test "x$sp_expire_available" = "xyes" ; then
5077		AC_MSG_RESULT([yes])
5078		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
5079		    [Define if you want to use shadow password expire field])
5080	else
5081		AC_MSG_RESULT([no])
5082	fi
5083fi
5084
5085# Use ip address instead of hostname in $DISPLAY
5086if test ! -z "$IPADDR_IN_DISPLAY" ; then
5087	DISPLAY_HACK_MSG="yes"
5088	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
5089		[Define if you need to use IP address
5090		instead of hostname in $DISPLAY])
5091else
5092	DISPLAY_HACK_MSG="no"
5093	AC_ARG_WITH([ipaddr-display],
5094		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
5095		[
5096			if test "x$withval" != "xno" ; then
5097				AC_DEFINE([IPADDR_IN_DISPLAY])
5098				DISPLAY_HACK_MSG="yes"
5099			fi
5100		]
5101	)
5102fi
5103
5104# check for /etc/default/login and use it if present.
5105AC_ARG_ENABLE([etc-default-login],
5106	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
5107	[ if test "x$enableval" = "xno"; then
5108		AC_MSG_NOTICE([/etc/default/login handling disabled])
5109		etc_default_login=no
5110	  else
5111		etc_default_login=yes
5112	  fi ],
5113	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
5114	  then
5115		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
5116		etc_default_login=no
5117	  else
5118		etc_default_login=yes
5119	  fi ]
5120)
5121
5122if test "x$etc_default_login" != "xno"; then
5123	AC_CHECK_FILE(["/etc/default/login"],
5124	    [ external_path_file=/etc/default/login ])
5125	if test "x$external_path_file" = "x/etc/default/login"; then
5126		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
5127			[Define if your system has /etc/default/login])
5128	fi
5129fi
5130
5131dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
5132if test $ac_cv_func_login_getcapbool = "yes" && \
5133	test $ac_cv_header_login_cap_h = "yes" ; then
5134	external_path_file=/etc/login.conf
5135fi
5136
5137# Whether to mess with the default path
5138SERVER_PATH_MSG="(default)"
5139AC_ARG_WITH([default-path],
5140	[  --with-default-path=    Specify default $PATH environment for server],
5141	[
5142		if test "x$external_path_file" = "x/etc/login.conf" ; then
5143			AC_MSG_WARN([
5144--with-default-path=PATH has no effect on this system.
5145Edit /etc/login.conf instead.])
5146		elif test "x$withval" != "xno" ; then
5147			if test ! -z "$external_path_file" ; then
5148				AC_MSG_WARN([
5149--with-default-path=PATH will only be used if PATH is not defined in
5150$external_path_file .])
5151			fi
5152			user_path="$withval"
5153			SERVER_PATH_MSG="$withval"
5154		fi
5155	],
5156	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
5157		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
5158	else
5159		if test ! -z "$external_path_file" ; then
5160			AC_MSG_WARN([
5161If PATH is defined in $external_path_file, ensure the path to scp is included,
5162otherwise scp will not work.])
5163		fi
5164		AC_RUN_IFELSE(
5165			[AC_LANG_PROGRAM([[
5166/* find out what STDPATH is */
5167#include <stdio.h>
5168#include <stdlib.h>
5169#ifdef HAVE_PATHS_H
5170# include <paths.h>
5171#endif
5172#ifndef _PATH_STDPATH
5173# ifdef _PATH_USERPATH	/* Irix */
5174#  define _PATH_STDPATH _PATH_USERPATH
5175# else
5176#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5177# endif
5178#endif
5179#include <sys/types.h>
5180#include <sys/stat.h>
5181#include <fcntl.h>
5182#define DATA "conftest.stdpath"
5183			]], [[
5184	FILE *fd;
5185	int rc;
5186
5187	fd = fopen(DATA,"w");
5188	if(fd == NULL)
5189		exit(1);
5190
5191	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5192		exit(1);
5193
5194	exit(0);
5195		]])],
5196		[ user_path=`cat conftest.stdpath` ],
5197		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5198		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5199	)
5200# make sure $bindir is in USER_PATH so scp will work
5201		t_bindir="${bindir}"
5202		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5203			t_bindir=`eval echo ${t_bindir}`
5204			case $t_bindir in
5205				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5206			esac
5207			case $t_bindir in
5208				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5209			esac
5210		done
5211		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5212		if test $? -ne 0  ; then
5213			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5214			if test $? -ne 0  ; then
5215				user_path=$user_path:$t_bindir
5216				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5217			fi
5218		fi
5219	fi ]
5220)
5221if test "x$external_path_file" != "x/etc/login.conf" ; then
5222	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5223	AC_SUBST([user_path])
5224fi
5225
5226# Set superuser path separately to user path
5227AC_ARG_WITH([superuser-path],
5228	[  --with-superuser-path=  Specify different path for super-user],
5229	[
5230		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5231		    test "x${withval}" != "xyes"; then
5232			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5233				[Define if you want a different $PATH
5234				for the superuser])
5235			superuser_path=$withval
5236		fi
5237	]
5238)
5239
5240
5241AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5242IPV4_IN6_HACK_MSG="no"
5243AC_ARG_WITH(4in6,
5244	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5245	[
5246		if test "x$withval" != "xno" ; then
5247			AC_MSG_RESULT([yes])
5248			AC_DEFINE([IPV4_IN_IPV6], [1],
5249				[Detect IPv4 in IPv6 mapped addresses
5250				and treat as IPv4])
5251			IPV4_IN6_HACK_MSG="yes"
5252		else
5253			AC_MSG_RESULT([no])
5254		fi
5255	], [
5256		if test "x$inet6_default_4in6" = "xyes"; then
5257			AC_MSG_RESULT([yes (default)])
5258			AC_DEFINE([IPV4_IN_IPV6])
5259			IPV4_IN6_HACK_MSG="yes"
5260		else
5261			AC_MSG_RESULT([no (default)])
5262		fi
5263	]
5264)
5265
5266# Whether to enable BSD auth support
5267BSD_AUTH_MSG=no
5268AC_ARG_WITH([bsd-auth],
5269	[  --with-bsd-auth         Enable BSD auth support],
5270	[
5271		if test "x$withval" != "xno" ; then
5272			AC_DEFINE([BSD_AUTH], [1],
5273				[Define if you have BSD auth support])
5274			BSD_AUTH_MSG=yes
5275		fi
5276	]
5277)
5278
5279# Where to place sshd.pid
5280piddir=/var/run
5281# make sure the directory exists
5282if test ! -d $piddir ; then
5283	piddir=`eval echo ${sysconfdir}`
5284	case $piddir in
5285		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5286	esac
5287fi
5288
5289AC_ARG_WITH([pid-dir],
5290	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5291	[
5292		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5293		    test "x${withval}" != "xyes"; then
5294			piddir=$withval
5295			if test ! -d $piddir ; then
5296			AC_MSG_WARN([** no $piddir directory on this system **])
5297			fi
5298		fi
5299	]
5300)
5301
5302AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5303	[Specify location of ssh.pid])
5304AC_SUBST([piddir])
5305
5306dnl allow user to disable some login recording features
5307AC_ARG_ENABLE([lastlog],
5308	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5309	[
5310		if test "x$enableval" = "xno" ; then
5311			AC_DEFINE([DISABLE_LASTLOG])
5312		fi
5313	]
5314)
5315AC_ARG_ENABLE([utmp],
5316	[  --disable-utmp          disable use of utmp even if detected [no]],
5317	[
5318		if test "x$enableval" = "xno" ; then
5319			AC_DEFINE([DISABLE_UTMP])
5320		fi
5321	]
5322)
5323AC_ARG_ENABLE([utmpx],
5324	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5325	[
5326		if test "x$enableval" = "xno" ; then
5327			AC_DEFINE([DISABLE_UTMPX], [1],
5328				[Define if you don't want to use utmpx])
5329		fi
5330	]
5331)
5332AC_ARG_ENABLE([wtmp],
5333	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5334	[
5335		if test "x$enableval" = "xno" ; then
5336			AC_DEFINE([DISABLE_WTMP])
5337		fi
5338	]
5339)
5340AC_ARG_ENABLE([wtmpx],
5341	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5342	[
5343		if test "x$enableval" = "xno" ; then
5344			AC_DEFINE([DISABLE_WTMPX], [1],
5345				[Define if you don't want to use wtmpx])
5346		fi
5347	]
5348)
5349AC_ARG_ENABLE([libutil],
5350	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5351	[
5352		if test "x$enableval" = "xno" ; then
5353			AC_DEFINE([DISABLE_LOGIN])
5354		fi
5355	]
5356)
5357AC_ARG_ENABLE([pututline],
5358	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5359	[
5360		if test "x$enableval" = "xno" ; then
5361			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5362				[Define if you don't want to use pututline()
5363				etc. to write [uw]tmp])
5364		fi
5365	]
5366)
5367AC_ARG_ENABLE([pututxline],
5368	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5369	[
5370		if test "x$enableval" = "xno" ; then
5371			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5372				[Define if you don't want to use pututxline()
5373				etc. to write [uw]tmpx])
5374		fi
5375	]
5376)
5377AC_ARG_WITH([lastlog],
5378  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5379	[
5380		if test "x$withval" = "xno" ; then
5381			AC_DEFINE([DISABLE_LASTLOG])
5382		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5383			conf_lastlog_location=$withval
5384		fi
5385	]
5386)
5387
5388dnl lastlog, [uw]tmpx? detection
5389dnl  NOTE: set the paths in the platform section to avoid the
5390dnl   need for command-line parameters
5391dnl lastlog and [uw]tmp are subject to a file search if all else fails
5392
5393dnl lastlog detection
5394dnl  NOTE: the code itself will detect if lastlog is a directory
5395AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5396AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5397#include <sys/types.h>
5398#include <utmp.h>
5399#ifdef HAVE_LASTLOG_H
5400#  include <lastlog.h>
5401#endif
5402#ifdef HAVE_PATHS_H
5403#  include <paths.h>
5404#endif
5405#ifdef HAVE_LOGIN_H
5406# include <login.h>
5407#endif
5408	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5409		[ AC_MSG_RESULT([yes]) ],
5410		[
5411		AC_MSG_RESULT([no])
5412		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5413		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5414#include <sys/types.h>
5415#include <utmp.h>
5416#ifdef HAVE_LASTLOG_H
5417#  include <lastlog.h>
5418#endif
5419#ifdef HAVE_PATHS_H
5420#  include <paths.h>
5421#endif
5422		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5423		[ AC_MSG_RESULT([yes]) ],
5424		[
5425			AC_MSG_RESULT([no])
5426			system_lastlog_path=no
5427		])
5428])
5429
5430if test -z "$conf_lastlog_location"; then
5431	if test x"$system_lastlog_path" = x"no" ; then
5432		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5433				if (test -d "$f" || test -f "$f") ; then
5434					conf_lastlog_location=$f
5435				fi
5436		done
5437		if test -z "$conf_lastlog_location"; then
5438			AC_MSG_WARN([** Cannot find lastlog **])
5439			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5440		fi
5441	fi
5442fi
5443
5444if test -n "$conf_lastlog_location"; then
5445	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5446		[Define if you want to specify the path to your lastlog file])
5447fi
5448
5449dnl utmp detection
5450AC_MSG_CHECKING([if your system defines UTMP_FILE])
5451AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5452#include <sys/types.h>
5453#include <utmp.h>
5454#ifdef HAVE_PATHS_H
5455#  include <paths.h>
5456#endif
5457	]], [[ char *utmp = UTMP_FILE; ]])],
5458	[ AC_MSG_RESULT([yes]) ],
5459	[ AC_MSG_RESULT([no])
5460	  system_utmp_path=no
5461])
5462if test -z "$conf_utmp_location"; then
5463	if test x"$system_utmp_path" = x"no" ; then
5464		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5465			if test -f $f ; then
5466				conf_utmp_location=$f
5467			fi
5468		done
5469		if test -z "$conf_utmp_location"; then
5470			AC_DEFINE([DISABLE_UTMP])
5471		fi
5472	fi
5473fi
5474if test -n "$conf_utmp_location"; then
5475	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5476		[Define if you want to specify the path to your utmp file])
5477fi
5478
5479dnl wtmp detection
5480AC_MSG_CHECKING([if your system defines WTMP_FILE])
5481AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5482#include <sys/types.h>
5483#include <utmp.h>
5484#ifdef HAVE_PATHS_H
5485#  include <paths.h>
5486#endif
5487	]], [[ char *wtmp = WTMP_FILE; ]])],
5488	[ AC_MSG_RESULT([yes]) ],
5489	[ AC_MSG_RESULT([no])
5490	  system_wtmp_path=no
5491])
5492if test -z "$conf_wtmp_location"; then
5493	if test x"$system_wtmp_path" = x"no" ; then
5494		for f in /usr/adm/wtmp /var/log/wtmp; do
5495			if test -f $f ; then
5496				conf_wtmp_location=$f
5497			fi
5498		done
5499		if test -z "$conf_wtmp_location"; then
5500			AC_DEFINE([DISABLE_WTMP])
5501		fi
5502	fi
5503fi
5504if test -n "$conf_wtmp_location"; then
5505	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5506		[Define if you want to specify the path to your wtmp file])
5507fi
5508
5509dnl wtmpx detection
5510AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5511AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5512#include <sys/types.h>
5513#include <utmp.h>
5514#ifdef HAVE_UTMPX_H
5515#include <utmpx.h>
5516#endif
5517#ifdef HAVE_PATHS_H
5518#  include <paths.h>
5519#endif
5520	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5521	[ AC_MSG_RESULT([yes]) ],
5522	[ AC_MSG_RESULT([no])
5523	  system_wtmpx_path=no
5524])
5525if test -z "$conf_wtmpx_location"; then
5526	if test x"$system_wtmpx_path" = x"no" ; then
5527		AC_DEFINE([DISABLE_WTMPX])
5528	fi
5529else
5530	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5531		[Define if you want to specify the path to your wtmpx file])
5532fi
5533
5534
5535if test ! -z "$blibpath" ; then
5536	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5537	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5538fi
5539
5540AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5541    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5542	AC_DEFINE([DISABLE_LASTLOG])
5543    fi
5544	], [
5545#ifdef HAVE_SYS_TYPES_H
5546#include <sys/types.h>
5547#endif
5548#ifdef HAVE_UTMP_H
5549#include <utmp.h>
5550#endif
5551#ifdef HAVE_UTMPX_H
5552#include <utmpx.h>
5553#endif
5554#ifdef HAVE_LASTLOG_H
5555#include <lastlog.h>
5556#endif
5557	])
5558
5559AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5560	AC_DEFINE([DISABLE_UTMP])
5561	AC_DEFINE([DISABLE_WTMP])
5562	], [
5563#ifdef HAVE_SYS_TYPES_H
5564#include <sys/types.h>
5565#endif
5566#ifdef HAVE_UTMP_H
5567#include <utmp.h>
5568#endif
5569#ifdef HAVE_UTMPX_H
5570#include <utmpx.h>
5571#endif
5572#ifdef HAVE_LASTLOG_H
5573#include <lastlog.h>
5574#endif
5575	])
5576
5577dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5578dnl Add now.
5579CFLAGS="$CFLAGS $werror_flags"
5580
5581if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5582	TEST_SSH_IPV6=no
5583else
5584	TEST_SSH_IPV6=yes
5585fi
5586AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5587AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5588AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5589AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5590AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5591AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5592
5593CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5594LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5595
5596# Make a copy of CFLAGS/LDFLAGS without PIE options.
5597LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5598CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5599AC_SUBST([LDFLAGS_NOPIE])
5600AC_SUBST([CFLAGS_NOPIE])
5601
5602AC_EXEEXT
5603AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5604	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5605	survey.sh])
5606AC_OUTPUT
5607
5608# Print summary of options
5609
5610# Someone please show me a better way :)
5611A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5612B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5613C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5614D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5615E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5616F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5617G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5618H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5619I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5620J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5621
5622echo ""
5623echo "OpenSSH has been configured with the following options:"
5624echo "                     User binaries: $B"
5625echo "                   System binaries: $C"
5626echo "               Configuration files: $D"
5627echo "                   Askpass program: $E"
5628echo "                      Manual pages: $F"
5629echo "                          PID file: $G"
5630echo "  Privilege separation chroot path: $H"
5631if test "x$external_path_file" = "x/etc/login.conf" ; then
5632echo "   At runtime, sshd will use the path defined in $external_path_file"
5633echo "   Make sure the path to scp is present, otherwise scp will not work"
5634else
5635echo "            sshd default user PATH: $I"
5636	if test ! -z "$external_path_file"; then
5637echo "   (If PATH is set in $external_path_file it will be used instead. If"
5638echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5639	fi
5640fi
5641if test ! -z "$superuser_path" ; then
5642echo "          sshd superuser user PATH: $J"
5643fi
5644echo "                    Manpage format: $MANTYPE"
5645echo "                       PAM support: $PAM_MSG"
5646echo "                   OSF SIA support: $SIA_MSG"
5647echo "                 KerberosV support: $KRB5_MSG"
5648echo "                   SELinux support: $SELINUX_MSG"
5649echo "              TCP Wrappers support: $TCPW_MSG"
5650echo "                   libedit support: $LIBEDIT_MSG"
5651echo "                   libldns support: $LDNS_MSG"
5652echo "  Solaris process contract support: $SPC_MSG"
5653echo "           Solaris project support: $SP_MSG"
5654echo "         Solaris privilege support: $SPP_MSG"
5655echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5656echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5657echo "                  BSD Auth support: $BSD_AUTH_MSG"
5658echo "              Random number source: $RAND_MSG"
5659echo "             Privsep sandbox style: $SANDBOX_STYLE"
5660echo "                   PKCS#11 support: $enable_pkcs11"
5661echo "                  U2F/FIDO support: $enable_sk"
5662
5663echo ""
5664
5665echo "              Host: ${host}"
5666echo "          Compiler: ${CC}"
5667echo "    Compiler flags: ${CFLAGS}"
5668echo "Preprocessor flags: ${CPPFLAGS}"
5669echo "      Linker flags: ${LDFLAGS}"
5670echo "         Libraries: ${LIBS}"
5671if test ! -z "${CHANNELLIBS}"; then
5672echo "     +for channels: ${CHANNELLIBS}"
5673fi
5674if test ! -z "${LIBFIDO2}"; then
5675echo "        +for FIDO2: ${LIBFIDO2}"
5676fi
5677if test ! -z "${SSHDLIBS}"; then
5678echo "         +for sshd: ${SSHDLIBS}"
5679fi
5680
5681echo ""
5682
5683if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5684	echo "SVR4 style packages are supported with \"make package\""
5685	echo ""
5686fi
5687
5688if test "x$PAM_MSG" = "xyes" ; then
5689	echo "PAM is enabled. You may need to install a PAM control file "
5690	echo "for sshd, otherwise password authentication may fail. "
5691	echo "Example PAM control files can be found in the contrib/ "
5692	echo "subdirectory"
5693	echo ""
5694fi
5695
5696if test ! -z "$NO_PEERCHECK" ; then
5697	echo "WARNING: the operating system that you are using does not"
5698	echo "appear to support getpeereid(), getpeerucred() or the"
5699	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5700	echo "enforce security checks to prevent unauthorised connections to"
5701	echo "ssh-agent. Their absence increases the risk that a malicious"
5702	echo "user can connect to your agent."
5703	echo ""
5704fi
5705
5706if test "$AUDIT_MODULE" = "bsm" ; then
5707	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5708	echo "See the Solaris section in README.platform for details."
5709fi
5710