1#
2# Copyright (c) 1999-2004 Damien Miller
3#
4# Permission to use, copy, modify, and distribute this software for any
5# purpose with or without fee is hereby granted, provided that the above
6# copyright notice and this permission notice appear in all copies.
7#
8# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
16AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17AC_CONFIG_MACRO_DIR([m4])
18AC_CONFIG_SRCDIR([ssh.c])
19
20# Check for stale configure as early as possible.
21for i in $srcdir/configure.ac $srcdir/m4/*.m4; do
22	if test "$i" -nt "$srcdir/configure"; then
23		AC_MSG_ERROR([$i newer than configure, run autoreconf])
24	fi
25done
26
27AC_LANG([C])
28
29AC_CONFIG_HEADERS([config.h])
30AC_PROG_CC([cc gcc clang])
31
32# XXX relax this after reimplementing logit() etc.
33AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
34AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
35int f(int a, int b, int c) { return a + b + c; }
36#define F(a, ...) f(a, __VA_ARGS__)
37]], [[return F(1, 2, -3);]])],
38	[ AC_MSG_RESULT([yes]) ],
39	[ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
40)
41
42AC_CANONICAL_HOST
43AC_C_BIGENDIAN
44
45# Checks for programs.
46AC_PROG_AWK
47AC_PROG_CPP
48AC_PROG_RANLIB
49AC_PROG_INSTALL
50AC_PROG_EGREP
51AC_PROG_MKDIR_P
52AC_CHECK_TOOLS([AR], [ar])
53AC_PATH_PROG([CAT], [cat])
54AC_PATH_PROG([KILL], [kill])
55AC_PATH_PROG([SED], [sed])
56AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
57AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
58AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
59AC_PATH_PROG([SH], [bash])
60AC_PATH_PROG([SH], [ksh])
61AC_PATH_PROG([SH], [sh])
62AC_PATH_PROG([GROFF], [groff])
63AC_PATH_PROG([NROFF], [nroff awf])
64AC_PATH_PROG([MANDOC], [mandoc])
65AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
66AC_SUBST([TEST_SHELL], [sh])
67
68dnl select manpage formatter to be used to build "cat" format pages.
69if test "x$MANDOC" != "x" ; then
70	MANFMT="$MANDOC"
71elif test "x$NROFF" != "x" ; then
72	MANFMT="$NROFF -mandoc"
73elif test "x$GROFF" != "x" ; then
74	MANFMT="$GROFF -mandoc -Tascii"
75else
76	AC_MSG_WARN([no manpage formatter found])
77	MANFMT="false"
78fi
79AC_SUBST([MANFMT])
80
81dnl for buildpkg.sh
82AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
83	[/usr/sbin${PATH_SEPARATOR}/etc])
84AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
85	[/usr/sbin${PATH_SEPARATOR}/etc])
86AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
87if test -x /sbin/sh; then
88	AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
89else
90	AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
91fi
92
93# System features
94AC_SYS_LARGEFILE
95
96if test -z "$AR" ; then
97	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
98fi
99
100AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
101if test ! -z "$PATH_PASSWD_PROG" ; then
102	AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
103		[Full path of your "passwd" program])
104fi
105
106dnl Since autoconf doesn't support it very well,  we no longer allow users to
107dnl override LD, however keeping the hook here for now in case there's a use
108dnl use case we overlooked and someone needs to re-enable it.  Unless a good
109dnl reason is found we'll be removing this in future.
110LD="$CC"
111AC_SUBST([LD])
112
113AC_C_INLINE
114
115AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
116AC_CHECK_DECL([LONG_LONG_MAX], [have_long_long_max=1], , [#include <limits.h>])
117AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
118	#include <sys/types.h>
119	#include <sys/param.h>
120	#include <dev/systrace.h>
121])
122AC_CHECK_DECL([RLIMIT_NPROC],
123    [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
124	#include <sys/types.h>
125	#include <sys/resource.h>
126])
127AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
128	#include <sys/types.h>
129	#include <linux/prctl.h>
130])
131
132openssl=yes
133AC_ARG_WITH([openssl],
134	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
135	[  if test "x$withval" = "xno" ; then
136		openssl=no
137	   fi
138	]
139)
140AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
141if test "x$openssl" = "xyes" ; then
142	AC_MSG_RESULT([yes])
143	AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
144else
145	AC_MSG_RESULT([no])
146fi
147
148use_stack_protector=1
149use_toolchain_hardening=1
150AC_ARG_WITH([stackprotect],
151    [  --without-stackprotect  Don't use compiler's stack protection], [
152    if test "x$withval" = "xno"; then
153	use_stack_protector=0
154    fi ])
155AC_ARG_WITH([hardening],
156    [  --without-hardening     Don't use toolchain hardening flags], [
157    if test "x$withval" = "xno"; then
158	use_toolchain_hardening=0
159    fi ])
160
161# We use -Werror for the tests only so that we catch warnings like "this is
162# on by default" for things like -fPIE.
163AC_MSG_CHECKING([if $CC supports -Werror])
164saved_CFLAGS="$CFLAGS"
165CFLAGS="$CFLAGS -Werror"
166AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
167	[ AC_MSG_RESULT([yes])
168	  WERROR="-Werror"],
169	[ AC_MSG_RESULT([no])
170	  WERROR="" ]
171)
172CFLAGS="$saved_CFLAGS"
173
174if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
175	OSSH_CHECK_CFLAG_COMPILE([-pipe])
176	OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
177	OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
178	OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
179	OSSH_CHECK_CFLAG_COMPILE([-Wall])
180	OSSH_CHECK_CFLAG_COMPILE([-Wextra])
181	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
182	OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
183	OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
184	OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
185	OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
186	OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
187	OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
188	OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
189	OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
190	OSSH_CHECK_CFLAG_COMPILE([-Wmisleading-indentation])
191	OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
192	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
193    if test "x$use_toolchain_hardening" = "x1"; then
194	OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
195	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
196	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
197	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
198	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
199	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
200	# NB. -ftrapv expects certain support functions to be present in
201	# the compiler library (libgcc or similar) to detect integer operations
202	# that can overflow. We must check that the result of enabling it
203	# actually links. The test program compiled/linked includes a number
204	# of integer operations that should exercise this.
205	OSSH_CHECK_CFLAG_LINK([-ftrapv])
206	OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all])
207	OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
208    fi
209	AC_MSG_CHECKING([gcc version])
210	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
211	case $GCC_VER in
212		1.*) no_attrib_nonnull=1 ;;
213		2.8* | 2.9*)
214		     no_attrib_nonnull=1
215		     ;;
216		2.*) no_attrib_nonnull=1 ;;
217		*) ;;
218	esac
219	AC_MSG_RESULT([$GCC_VER])
220
221	AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
222	saved_CFLAGS="$CFLAGS"
223	CFLAGS="$CFLAGS -fno-builtin-memset"
224	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
225			[[ char b[10]; memset(b, 0, sizeof(b)); ]])],
226		[ AC_MSG_RESULT([yes]) ],
227		[ AC_MSG_RESULT([no])
228		  CFLAGS="$saved_CFLAGS" ]
229	)
230
231	# -fstack-protector-all doesn't always work for some GCC versions
232	# and/or platforms, so we test if we can.  If it's not supported
233	# on a given platform gcc will emit a warning so we use -Werror.
234	if test "x$use_stack_protector" = "x1"; then
235	    for t in -fstack-protector-strong -fstack-protector-all \
236		    -fstack-protector; do
237		AC_MSG_CHECKING([if $CC supports $t])
238		saved_CFLAGS="$CFLAGS"
239		saved_LDFLAGS="$LDFLAGS"
240		CFLAGS="$CFLAGS $t -Werror"
241		LDFLAGS="$LDFLAGS $t -Werror"
242		AC_LINK_IFELSE(
243			[AC_LANG_PROGRAM([[
244	#include <stdio.h>
245	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
246			 ]],
247			[[
248	char x[256];
249	snprintf(x, sizeof(x), "XXX%d", func(1));
250			 ]])],
251		    [ AC_MSG_RESULT([yes])
252		      CFLAGS="$saved_CFLAGS $t"
253		      LDFLAGS="$saved_LDFLAGS $t"
254		      AC_MSG_CHECKING([if $t works])
255		      AC_RUN_IFELSE(
256			[AC_LANG_PROGRAM([[
257	#include <stdio.h>
258	int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
259			]],
260			[[
261	char x[256];
262	snprintf(x, sizeof(x), "XXX%d", func(1));
263			]])],
264			[ AC_MSG_RESULT([yes])
265			  break ],
266			[ AC_MSG_RESULT([no]) ],
267			[ AC_MSG_WARN([cross compiling: cannot test])
268			  break ]
269		      )
270		    ],
271		    [ AC_MSG_RESULT([no]) ]
272		)
273		CFLAGS="$saved_CFLAGS"
274		LDFLAGS="$saved_LDFLAGS"
275	    done
276	fi
277
278	if test -z "$have_llong_max"; then
279		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
280		unset ac_cv_have_decl_LLONG_MAX
281		saved_CFLAGS="$CFLAGS"
282		CFLAGS="$CFLAGS -std=gnu99"
283		AC_CHECK_DECL([LLONG_MAX],
284		    [have_llong_max=1],
285		    [CFLAGS="$saved_CFLAGS"],
286		    [#include <limits.h>]
287		)
288	fi
289fi
290
291AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
292AC_COMPILE_IFELSE(
293    [AC_LANG_PROGRAM([[
294#include <stdlib.h>
295__attribute__((__unused__)) static void foo(void){return;}]],
296    [[ exit(0); ]])],
297    [ AC_MSG_RESULT([yes]) ],
298    [ AC_MSG_RESULT([no])
299      AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
300	 [compiler does not accept __attribute__ on return types]) ]
301)
302
303AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
304AC_COMPILE_IFELSE(
305    [AC_LANG_PROGRAM([[
306#include <stdlib.h>
307typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
308    [[ exit(0); ]])],
309    [ AC_MSG_RESULT([yes]) ],
310    [ AC_MSG_RESULT([no])
311      AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
312	 [compiler does not accept __attribute__ on prototype args]) ]
313)
314
315AC_MSG_CHECKING([if compiler supports variable length arrays])
316AC_COMPILE_IFELSE(
317    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
318    [[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
319    [ AC_MSG_RESULT([yes])
320      AC_DEFINE(VARIABLE_LENGTH_ARRAYS, [1],
321	 [compiler supports variable length arrays]) ],
322    [ AC_MSG_RESULT([no]) ]
323)
324
325AC_MSG_CHECKING([if compiler accepts variable declarations after code])
326AC_COMPILE_IFELSE(
327    [AC_LANG_PROGRAM([[#include <stdlib.h>]],
328    [[ int a; a = 1; int b = 1; exit(a-b); ]])],
329    [ AC_MSG_RESULT([yes])
330      AC_DEFINE(VARIABLE_DECLARATION_AFTER_CODE, [1],
331	 [compiler variable declarations after code]) ],
332    [ AC_MSG_RESULT([no]) ]
333)
334
335if test "x$no_attrib_nonnull" != "x1" ; then
336	AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
337fi
338
339AC_ARG_WITH([rpath],
340	[  --without-rpath         Disable auto-added -R linker paths],
341	[
342		if test "x$withval" = "xno" ; then
343			rpath_opt=""
344		elif test "x$withval" = "xyes" ; then
345			rpath_opt="-R"
346		else
347			rpath_opt="$withval"
348		fi
349	]
350)
351
352# Allow user to specify flags
353AC_ARG_WITH([cflags],
354	[  --with-cflags           Specify additional flags to pass to compiler],
355	[
356		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
357		    test "x${withval}" != "xyes"; then
358			CFLAGS="$CFLAGS $withval"
359		fi
360	]
361)
362
363AC_ARG_WITH([cflags-after],
364	[  --with-cflags-after     Specify additional flags to pass to compiler after configure],
365	[
366		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
367		    test "x${withval}" != "xyes"; then
368			CFLAGS_AFTER="$withval"
369		fi
370	]
371)
372AC_ARG_WITH([cppflags],
373	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
374	[
375		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
376		    test "x${withval}" != "xyes"; then
377			CPPFLAGS="$CPPFLAGS $withval"
378		fi
379	]
380)
381AC_ARG_WITH([ldflags],
382	[  --with-ldflags          Specify additional flags to pass to linker],
383	[
384		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
385		    test "x${withval}" != "xyes"; then
386			LDFLAGS="$LDFLAGS $withval"
387		fi
388	]
389)
390AC_ARG_WITH([ldflags-after],
391	[  --with-ldflags-after    Specify additional flags to pass to linker after configure],
392	[
393		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
394		    test "x${withval}" != "xyes"; then
395			LDFLAGS_AFTER="$withval"
396		fi
397	]
398)
399AC_ARG_WITH([libs],
400	[  --with-libs             Specify additional libraries to link with],
401	[
402		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
403		    test "x${withval}" != "xyes"; then
404			LIBS="$LIBS $withval"
405		fi
406	]
407)
408AC_ARG_WITH([Werror],
409	[  --with-Werror           Build main code with -Werror],
410	[
411		if test -n "$withval"  &&  test "x$withval" != "xno"; then
412			werror_flags="-Werror"
413			if test "x${withval}" != "xyes"; then
414				werror_flags="$withval"
415			fi
416		fi
417	]
418)
419
420AC_CHECK_HEADERS([ \
421	blf.h \
422	bstring.h \
423	crypt.h \
424	crypto/sha2.h \
425	dirent.h \
426	endian.h \
427	elf.h \
428	err.h \
429	features.h \
430	fcntl.h \
431	floatingpoint.h \
432	fnmatch.h \
433	getopt.h \
434	glob.h \
435	ia.h \
436	iaf.h \
437	ifaddrs.h \
438	inttypes.h \
439	langinfo.h \
440	limits.h \
441	locale.h \
442	login.h \
443	maillock.h \
444	ndir.h \
445	net/if_tun.h \
446	netdb.h \
447	netgroup.h \
448	pam/pam_appl.h \
449	paths.h \
450	poll.h \
451	pty.h \
452	readpassphrase.h \
453	rpc/types.h \
454	security/pam_appl.h \
455	sha2.h \
456	shadow.h \
457	stddef.h \
458	stdint.h \
459	string.h \
460	strings.h \
461	sys/bitypes.h \
462	sys/byteorder.h \
463	sys/bsdtty.h \
464	sys/cdefs.h \
465	sys/dir.h \
466	sys/file.h \
467	sys/mman.h \
468	sys/label.h \
469	sys/ndir.h \
470	sys/param.h \
471	sys/poll.h \
472	sys/prctl.h \
473	sys/procctl.h \
474	sys/pstat.h \
475	sys/ptrace.h \
476	sys/random.h \
477	sys/select.h \
478	sys/stat.h \
479	sys/stream.h \
480	sys/stropts.h \
481	sys/strtio.h \
482	sys/statvfs.h \
483	sys/sysmacros.h \
484	sys/time.h \
485	sys/timers.h \
486	sys/vfs.h \
487	time.h \
488	tmpdir.h \
489	ttyent.h \
490	ucred.h \
491	unistd.h \
492	usersec.h \
493	util.h \
494	utime.h \
495	utmp.h \
496	utmpx.h \
497	vis.h \
498	wchar.h \
499])
500
501# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
502# to be included first.
503AC_CHECK_HEADERS([sys/audit.h], [], [], [
504#ifdef HAVE_SYS_TIME_H
505# include <sys/time.h>
506#endif
507#ifdef HAVE_SYS_TYPES_H
508# include <sys/types.h>
509#endif
510#ifdef HAVE_SYS_LABEL_H
511# include <sys/label.h>
512#endif
513])
514
515# sys/capsicum.h requires sys/types.h
516AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
517#ifdef HAVE_SYS_TYPES_H
518# include <sys/types.h>
519#endif
520])
521
522AC_MSG_CHECKING([for caph_cache_tzdata])
523AC_LINK_IFELSE(
524    [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
525	[[caph_cache_tzdata();]])],
526    [
527	AC_MSG_RESULT([yes])
528	AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1],
529	    [Define if you have caph_cache_tzdata])
530    ],
531    [ AC_MSG_RESULT([no]) ]
532)
533
534# net/route.h requires sys/socket.h and sys/types.h.
535# sys/sysctl.h also requires sys/param.h
536AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
537#ifdef HAVE_SYS_TYPES_H
538# include <sys/types.h>
539#endif
540#include <sys/param.h>
541#include <sys/socket.h>
542])
543
544# lastlog.h requires sys/time.h to be included first on Solaris
545AC_CHECK_HEADERS([lastlog.h], [], [], [
546#ifdef HAVE_SYS_TIME_H
547# include <sys/time.h>
548#endif
549])
550
551# sys/ptms.h requires sys/stream.h to be included first on Solaris
552AC_CHECK_HEADERS([sys/ptms.h], [], [], [
553#ifdef HAVE_SYS_STREAM_H
554# include <sys/stream.h>
555#endif
556])
557
558# login_cap.h requires sys/types.h on NetBSD
559AC_CHECK_HEADERS([login_cap.h], [], [], [
560#include <sys/types.h>
561])
562
563# older BSDs need sys/param.h before sys/mount.h
564AC_CHECK_HEADERS([sys/mount.h], [], [], [
565#include <sys/param.h>
566])
567
568# Android requires sys/socket.h to be included before sys/un.h
569AC_CHECK_HEADERS([sys/un.h], [], [], [
570#include <sys/types.h>
571#include <sys/socket.h>
572])
573
574# Messages for features tested for in target-specific section
575SIA_MSG="no"
576SPC_MSG="no"
577SP_MSG="no"
578SPP_MSG="no"
579
580# Support for Solaris/Illumos privileges (this test is used by both
581# the --with-solaris-privs option and --with-sandbox=solaris).
582SOLARIS_PRIVS="no"
583
584# Check for some target-specific stuff
585case "$host" in
586*-*-aix*)
587	# Some versions of VAC won't allow macro redefinitions at
588	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
589	# particularly with older versions of vac or xlc.
590	# It also throws errors about null macro arguments, but these are
591	# not fatal.
592	AC_MSG_CHECKING([if compiler allows macro redefinitions])
593	AC_COMPILE_IFELSE(
594	    [AC_LANG_PROGRAM([[
595#define testmacro foo
596#define testmacro bar]],
597	    [[ exit(0); ]])],
598	    [ AC_MSG_RESULT([yes]) ],
599	    [ AC_MSG_RESULT([no])
600	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
601	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
602	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
603	    ]
604	)
605
606	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
607	if (test -z "$blibpath"); then
608		blibpath="/usr/lib:/lib"
609	fi
610	saved_LDFLAGS="$LDFLAGS"
611	if test "$GCC" = "yes"; then
612		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
613	else
614		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
615	fi
616	for tryflags in $flags ;do
617		if (test -z "$blibflags"); then
618			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
619			AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
620			[blibflags=$tryflags], [])
621		fi
622	done
623	if (test -z "$blibflags"); then
624		AC_MSG_RESULT([not found])
625		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
626	else
627		AC_MSG_RESULT([$blibflags])
628	fi
629	LDFLAGS="$saved_LDFLAGS"
630	dnl Check for authenticate.  Might be in libs.a on older AIXes
631	AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
632		[Define if you want to enable AIX4's authenticate function])],
633		[AC_CHECK_LIB([s], [authenticate],
634			[ AC_DEFINE([WITH_AIXAUTHENTICATE])
635				LIBS="$LIBS -ls"
636			])
637		])
638	dnl Check for various auth function declarations in headers.
639	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
640	    passwdexpired, setauthdb], , , [#include <usersec.h>])
641	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
642	AC_CHECK_DECLS([loginfailed],
643	    [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
644	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
645		[[ (void)loginfailed("user","host","tty",0); ]])],
646		[AC_MSG_RESULT([yes])
647		AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
648			[Define if your AIX loginfailed() function
649			takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
650	    ])],
651	    [],
652	    [#include <usersec.h>]
653	)
654	AC_CHECK_FUNCS([getgrset setauthdb])
655	AC_CHECK_DECL([F_CLOSEM],
656	    AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
657	    [],
658	    [ #include <limits.h>
659	      #include <fcntl.h> ]
660	)
661	check_for_aix_broken_getaddrinfo=1
662	AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
663	    [Define if your platform breaks doing a seteuid before a setuid])
664	AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
665	AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
666	dnl AIX handles lastlog as part of its login message
667	AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
668	AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
669		[Some systems need a utmpx entry for /bin/login to work])
670	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
671		[Define to a Set Process Title type if your system is
672		supported by bsd-setproctitle.c])
673	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
674	    [AIX 5.2 and 5.3 (and presumably newer) require this])
675	AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
676	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
677	AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
678	AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
679	;;
680*-*-android*)
681	AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
682	AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
683	;;
684*-*-cygwin*)
685	LIBS="$LIBS /usr/lib/textreadmode.o"
686	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
687	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
688	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
689		[Define to disable UID restoration test])
690	AC_DEFINE([DISABLE_SHADOW], [1],
691		[Define if you want to disable shadow passwords])
692	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
693		[Define if X11 doesn't support AF_UNIX sockets on that system])
694	AC_DEFINE([DISABLE_FD_PASSING], [1],
695		[Define if your platform needs to skip post auth
696		file descriptor passing])
697	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
698	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
699	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
700	# reasons which cause compile warnings, so we disable those warnings.
701	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
702	;;
703*-*-dgux*)
704	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
705		[Define if your system choked on IP TOS setting])
706	AC_DEFINE([SETEUID_BREAKS_SETUID])
707	AC_DEFINE([BROKEN_SETREUID])
708	AC_DEFINE([BROKEN_SETREGID])
709	;;
710*-*-darwin*)
711	use_pie=auto
712	AC_MSG_CHECKING([if we have working getaddrinfo])
713	AC_RUN_IFELSE([AC_LANG_SOURCE([[
714#include <mach-o/dyld.h>
715#include <stdlib.h>
716main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
717		exit(0);
718	else
719		exit(1);
720}
721			]])],
722	[AC_MSG_RESULT([working])],
723	[AC_MSG_RESULT([buggy])
724	AC_DEFINE([BROKEN_GETADDRINFO], [1],
725		[getaddrinfo is broken (if present)])
726	],
727	[AC_MSG_RESULT([assume it is working])])
728	AC_DEFINE([SETEUID_BREAKS_SETUID])
729	AC_DEFINE([BROKEN_SETREUID])
730	AC_DEFINE([BROKEN_SETREGID])
731	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
732	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
733		[Define if your resolver libs need this for getrrsetbyname])
734	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
735	AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
736	    [Use tunnel device compatibility to OpenBSD])
737	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
738	    [Prepend the address family to IP tunnel traffic])
739	m4_pattern_allow([AU_IPv])
740	AC_CHECK_DECL([AU_IPv4], [],
741	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
742	    [#include <bsm/audit.h>]
743	AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
744	    [Define if pututxline updates lastlog too])
745	)
746	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
747		[Define to a Set Process Title type if your system is
748		supported by bsd-setproctitle.c])
749	AC_CHECK_FUNCS([sandbox_init])
750	AC_CHECK_HEADERS([sandbox.h])
751	AC_CHECK_LIB([sandbox], [sandbox_apply], [
752	    SSHDLIBS="$SSHDLIBS -lsandbox"
753	])
754	# proc_pidinfo()-based closefrom() replacement.
755	AC_CHECK_HEADERS([libproc.h])
756	AC_CHECK_FUNCS([proc_pidinfo])
757	# poll(2) is broken for character-special devices (at least).
758	# cf. Apple bug 3710161 (not public, but searchable)
759	AC_DEFINE([BROKEN_POLL], [1],
760	    [System poll(2) implementation is broken])
761	;;
762*-*-dragonfly*)
763	SSHDLIBS="$SSHDLIBS"
764	TEST_MALLOC_OPTIONS="AFGJPRX"
765	;;
766*-*-haiku*)
767	LIBS="$LIBS -lbsd "
768	CFLAGS="$CFLAGS -D_BSD_SOURCE"
769	AC_CHECK_LIB([network], [socket])
770	AC_DEFINE([HAVE_U_INT64_T])
771	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
772	MANTYPE=man
773	;;
774*-*-hpux*)
775	# first we define all of the options common to all HP-UX releases
776	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
777	IPADDR_IN_DISPLAY=yes
778	AC_DEFINE([USE_PIPES])
779	AC_DEFINE([LOGIN_NEEDS_UTMPX])
780	AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
781		[String used in /etc/passwd to denote locked account])
782	AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
783	AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
784	maildir="/var/mail"
785	LIBS="$LIBS -lsec"
786	AC_CHECK_LIB([xnet], [t_error], ,
787	    [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
788
789	# next, we define all of the options specific to major releases
790	case "$host" in
791	*-*-hpux10*)
792		if test -z "$GCC"; then
793			CFLAGS="$CFLAGS -Ae"
794		fi
795		AC_DEFINE([BROKEN_GETLINE], [1], [getline is not what we expect])
796		;;
797	*-*-hpux11*)
798		AC_DEFINE([PAM_SUN_CODEBASE], [1],
799			[Define if you are using Solaris-derived PAM which
800			passes pam_messages to the conversation function
801			with an extra level of indirection])
802		AC_DEFINE([DISABLE_UTMP], [1],
803			[Define if you don't want to use utmp])
804		AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
805		check_for_hpux_broken_getaddrinfo=1
806		check_for_conflicting_getspnam=1
807		;;
808	esac
809
810	# lastly, we define options specific to minor releases
811	case "$host" in
812	*-*-hpux10.26)
813		AC_DEFINE([HAVE_SECUREWARE], [1],
814			[Define if you have SecureWare-based
815			protected password database])
816		disable_ptmx_check=yes
817		LIBS="$LIBS -lsecpw"
818		;;
819	esac
820	;;
821*-*-irix5*)
822	PATH="$PATH:/usr/etc"
823	AC_DEFINE([BROKEN_INET_NTOA], [1],
824		[Define if you system's inet_ntoa is busted
825		(e.g. Irix gcc issue)])
826	AC_DEFINE([SETEUID_BREAKS_SETUID])
827	AC_DEFINE([BROKEN_SETREUID])
828	AC_DEFINE([BROKEN_SETREGID])
829	AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
830		[Define if you shouldn't strip 'tty' from your
831		ttyname in [uw]tmp])
832	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
833	;;
834*-*-irix6*)
835	PATH="$PATH:/usr/etc"
836	AC_DEFINE([WITH_IRIX_ARRAY], [1],
837		[Define if you have/want arrays
838		(cluster-wide session management, not C arrays)])
839	AC_DEFINE([WITH_IRIX_PROJECT], [1],
840		[Define if you want IRIX project management])
841	AC_DEFINE([WITH_IRIX_AUDIT], [1],
842		[Define if you want IRIX audit trails])
843	AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
844		[Define if you want IRIX kernel jobs])])
845	AC_DEFINE([BROKEN_INET_NTOA])
846	AC_DEFINE([SETEUID_BREAKS_SETUID])
847	AC_DEFINE([BROKEN_SETREUID])
848	AC_DEFINE([BROKEN_SETREGID])
849	AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
850	AC_DEFINE([WITH_ABBREV_NO_TTY])
851	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
852	;;
853*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
854	AC_DEFINE([PAM_TTY_KLUDGE])
855	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
856	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
857	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
858	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
859	;;
860*-*-linux*)
861	no_dev_ptmx=1
862	use_pie=auto
863	check_for_openpty_ctty_bug=1
864	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
865	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
866	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
867	AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
868	AC_DEFINE([PAM_TTY_KLUDGE], [1],
869		[Work around problematic Linux PAM modules handling of PAM_TTY])
870	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
871		[String used in /etc/passwd to denote locked account])
872	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
873	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
874		[Define to whatever link() returns for "not supported"
875		if it doesn't return EOPNOTSUPP.])
876	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
877	AC_DEFINE([USE_BTMP])
878	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
879	inet6_default_4in6=yes
880	case `uname -r` in
881	1.*|2.0.*)
882		AC_DEFINE([BROKEN_CMSG_TYPE], [1],
883			[Define if cmsg_type is not passed correctly])
884		;;
885	esac
886	# tun(4) forwarding compat code
887	AC_CHECK_HEADERS([linux/if_tun.h])
888	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
889		AC_DEFINE([SSH_TUN_LINUX], [1],
890		    [Open tunnel devices the Linux tun/tap way])
891		AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
892		    [Use tunnel device compatibility to OpenBSD])
893		AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
894		    [Prepend the address family to IP tunnel traffic])
895	fi
896	AC_CHECK_HEADER([linux/if.h],
897	    AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
898		[Support routing domains using Linux VRF]), [], [
899#ifdef HAVE_SYS_TYPES_H
900# include <sys/types.h>
901#endif
902	    ])
903	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
904	    [], [#include <linux/types.h>])
905	# Obtain MIPS ABI
906	case "$host" in
907	mips*)
908		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
909#if _MIPS_SIM != _ABIO32
910#error
911#endif
912			]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
913#if _MIPS_SIM != _ABIN32
914#error
915#endif
916				]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
917#if _MIPS_SIM != _ABI64
918#error
919#endif
920					]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
921				])
922			])
923		])
924		;;
925	esac
926	AC_MSG_CHECKING([for seccomp architecture])
927	seccomp_audit_arch=
928	case "$host" in
929	x86_64-*)
930		seccomp_audit_arch=AUDIT_ARCH_X86_64
931		;;
932	i*86-*)
933		seccomp_audit_arch=AUDIT_ARCH_I386
934		;;
935	arm*-*)
936		seccomp_audit_arch=AUDIT_ARCH_ARM
937		;;
938	aarch64*-*)
939		seccomp_audit_arch=AUDIT_ARCH_AARCH64
940		;;
941	s390x-*)
942		seccomp_audit_arch=AUDIT_ARCH_S390X
943		;;
944	s390-*)
945		seccomp_audit_arch=AUDIT_ARCH_S390
946		;;
947	powerpc-*)
948		seccomp_audit_arch=AUDIT_ARCH_PPC
949		;;
950	powerpc64-*)
951		seccomp_audit_arch=AUDIT_ARCH_PPC64
952		;;
953	powerpc64le-*)
954		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
955		;;
956	mips-*)
957		seccomp_audit_arch=AUDIT_ARCH_MIPS
958		;;
959	mipsel-*)
960		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
961		;;
962	mips64-*)
963		case "$mips_abi" in
964		"n32")
965			seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
966			;;
967		"n64")
968			seccomp_audit_arch=AUDIT_ARCH_MIPS64
969			;;
970		esac
971		;;
972	mips64el-*)
973		case "$mips_abi" in
974		"n32")
975			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
976			;;
977		"n64")
978			seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
979			;;
980		esac
981		;;
982	riscv64-*)
983		seccomp_audit_arch=AUDIT_ARCH_RISCV64
984		;;
985	esac
986	if test "x$seccomp_audit_arch" != "x" ; then
987		AC_MSG_RESULT(["$seccomp_audit_arch"])
988		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
989		    [Specify the system call convention in use])
990	else
991		AC_MSG_RESULT([architecture not supported])
992	fi
993	;;
994*-*-minix)
995	AC_DEFINE([SETEUID_BREAKS_SETUID])
996	# poll(2) seems to choke on /dev/null; "Bad file descriptor"
997	AC_DEFINE([BROKEN_POLL], [1],
998	    [System poll(2) implementation is broken])
999	;;
1000mips-sony-bsd|mips-sony-newsos4)
1001	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
1002	SONY=1
1003	;;
1004*-*-netbsd*)
1005	if test "x$withval" != "xno" ; then
1006		rpath_opt="-R"
1007	fi
1008	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
1009	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
1010	AC_CHECK_HEADER([net/if_tap.h], ,
1011	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
1012	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
1013	    [Prepend the address family to IP tunnel traffic])
1014	TEST_MALLOC_OPTIONS="AJRX"
1015	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
1016	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
1017	;;
1018*-*-freebsd*)
1019	SKIP_DISABLE_LASTLOG_DEFINE=yes
1020	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
1021	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
1022	AC_CHECK_HEADER([net/if_tap.h], ,
1023	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
1024	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
1025	TEST_MALLOC_OPTIONS="AJRX"
1026	# Preauth crypto occasionally uses file descriptors for crypto offload
1027	# and will crash if they cannot be opened.
1028	AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
1029	    [define if setrlimit RLIMIT_NOFILE breaks things])
1030	case "$host" in
1031	*-*-freebsd9.*|*-*-freebsd10.*)
1032		# Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
1033		disable_capsicum=yes
1034	esac
1035	;;
1036*-*-bsdi*)
1037	AC_DEFINE([SETEUID_BREAKS_SETUID])
1038	AC_DEFINE([BROKEN_SETREUID])
1039	AC_DEFINE([BROKEN_SETREGID])
1040	;;
1041*-next-*)
1042	conf_lastlog_location="/usr/adm/lastlog"
1043	conf_utmp_location=/etc/utmp
1044	conf_wtmp_location=/usr/adm/wtmp
1045	maildir=/usr/spool/mail
1046	AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
1047	AC_DEFINE([USE_PIPES])
1048	AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
1049	;;
1050*-*-openbsd*)
1051	use_pie=auto
1052	AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
1053	AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
1054	AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
1055	AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
1056	    [syslog_r function is safe to use in in a signal handler])
1057	TEST_MALLOC_OPTIONS="AFGJPRX"
1058	;;
1059*-*-solaris*)
1060	if test "x$withval" != "xno" ; then
1061		rpath_opt="-R"
1062	fi
1063	AC_DEFINE([PAM_SUN_CODEBASE])
1064	AC_DEFINE([LOGIN_NEEDS_UTMPX])
1065	AC_DEFINE([PAM_TTY_KLUDGE])
1066	AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
1067		[Define if pam_chauthtok wants real uid set
1068		to the unpriv'ed user])
1069	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1070	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1071	AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
1072		[Define if sshd somehow reacquires a controlling TTY
1073		after setsid()])
1074	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1075		in case the name is longer than 8 chars])
1076	AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
1077	external_path_file=/etc/default/login
1078	# hardwire lastlog location (can't detect it on some versions)
1079	conf_lastlog_location="/var/adm/lastlog"
1080	AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
1081	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1082	if test "$sol2ver" -ge 8; then
1083		AC_MSG_RESULT([yes])
1084		AC_DEFINE([DISABLE_UTMP])
1085		AC_DEFINE([DISABLE_WTMP], [1],
1086			[Define if you don't want to use wtmp])
1087	else
1088		AC_MSG_RESULT([no])
1089	fi
1090	AC_CHECK_FUNCS([setpflags])
1091	AC_CHECK_FUNCS([setppriv])
1092	AC_CHECK_FUNCS([priv_basicset])
1093	AC_CHECK_HEADERS([priv.h])
1094	AC_ARG_WITH([solaris-contracts],
1095		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
1096		[
1097		AC_CHECK_LIB([contract], [ct_tmpl_activate],
1098			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1099				[Define if you have Solaris process contracts])
1100			  LIBS="$LIBS -lcontract"
1101			  SPC_MSG="yes" ], )
1102		],
1103	)
1104	AC_ARG_WITH([solaris-projects],
1105		[  --with-solaris-projects Enable Solaris projects (experimental)],
1106		[
1107		AC_CHECK_LIB([project], [setproject],
1108			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1109				[Define if you have Solaris projects])
1110			LIBS="$LIBS -lproject"
1111			SP_MSG="yes" ], )
1112		],
1113	)
1114	AC_ARG_WITH([solaris-privs],
1115		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
1116		[
1117		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1118		if test "x$ac_cv_func_setppriv" = "xyes" -a \
1119			"x$ac_cv_header_priv_h" = "xyes" ; then
1120			SOLARIS_PRIVS=yes
1121			AC_MSG_RESULT([found])
1122			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1123				[Define to disable UID restoration test])
1124			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1125				[Define if you have Solaris privileges])
1126			SPP_MSG="yes"
1127		else
1128			AC_MSG_RESULT([not found])
1129			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1130		fi
1131		],
1132	)
1133	TEST_SHELL=$SHELL	# let configure find us a capable shell
1134	;;
1135*-*-sunos4*)
1136	CPPFLAGS="$CPPFLAGS -DSUNOS4"
1137	AC_CHECK_FUNCS([getpwanam])
1138	AC_DEFINE([PAM_SUN_CODEBASE])
1139	conf_utmp_location=/etc/utmp
1140	conf_wtmp_location=/var/adm/wtmp
1141	conf_lastlog_location=/var/adm/lastlog
1142	AC_DEFINE([USE_PIPES])
1143	AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1144	;;
1145*-ncr-sysv*)
1146	LIBS="$LIBS -lc89"
1147	AC_DEFINE([USE_PIPES])
1148	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1149	AC_DEFINE([SETEUID_BREAKS_SETUID])
1150	AC_DEFINE([BROKEN_SETREUID])
1151	AC_DEFINE([BROKEN_SETREGID])
1152	;;
1153*-sni-sysv*)
1154	# /usr/ucblib MUST NOT be searched on ReliantUNIX
1155	AC_CHECK_LIB([dl], [dlsym], ,)
1156	# -lresolv needs to be at the end of LIBS or DNS lookups break
1157	AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1158	IPADDR_IN_DISPLAY=yes
1159	AC_DEFINE([USE_PIPES])
1160	AC_DEFINE([IP_TOS_IS_BROKEN])
1161	AC_DEFINE([SETEUID_BREAKS_SETUID])
1162	AC_DEFINE([BROKEN_SETREUID])
1163	AC_DEFINE([BROKEN_SETREGID])
1164	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1165	external_path_file=/etc/default/login
1166	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1167	# Attention: always take care to bind libsocket and libnsl before libc,
1168	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1169	;;
1170# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1171*-*-sysv4.2*)
1172	AC_DEFINE([USE_PIPES])
1173	AC_DEFINE([SETEUID_BREAKS_SETUID])
1174	AC_DEFINE([BROKEN_SETREUID])
1175	AC_DEFINE([BROKEN_SETREGID])
1176	AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1177	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1178	TEST_SHELL=$SHELL	# let configure find us a capable shell
1179	;;
1180# UnixWare 7.x, OpenUNIX 8
1181*-*-sysv5*)
1182	CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1183	AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1184	AC_DEFINE([USE_PIPES])
1185	AC_DEFINE([SETEUID_BREAKS_SETUID])
1186	AC_DEFINE([BROKEN_GETADDRINFO])
1187	AC_DEFINE([BROKEN_SETREUID])
1188	AC_DEFINE([BROKEN_SETREGID])
1189	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1190	AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1191	TEST_SHELL=$SHELL	# let configure find us a capable shell
1192	case "$host" in
1193	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
1194		maildir=/var/spool/mail
1195		AC_DEFINE([BROKEN_UPDWTMPX])
1196		AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1197			AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1198			], , )
1199		;;
1200	*)	AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1201		;;
1202	esac
1203	;;
1204*-*-sysv*)
1205	;;
1206# SCO UNIX and OEM versions of SCO UNIX
1207*-*-sco3.2v4*)
1208	AC_MSG_ERROR("This Platform is no longer supported.")
1209	;;
1210# SCO OpenServer 5.x
1211*-*-sco3.2v5*)
1212	if test -z "$GCC"; then
1213		CFLAGS="$CFLAGS -belf"
1214	fi
1215	LIBS="$LIBS -lprot -lx -ltinfo -lm"
1216	no_dev_ptmx=1
1217	AC_DEFINE([USE_PIPES])
1218	AC_DEFINE([HAVE_SECUREWARE])
1219	AC_DEFINE([DISABLE_SHADOW])
1220	AC_DEFINE([DISABLE_FD_PASSING])
1221	AC_DEFINE([SETEUID_BREAKS_SETUID])
1222	AC_DEFINE([BROKEN_GETADDRINFO])
1223	AC_DEFINE([BROKEN_SETREUID])
1224	AC_DEFINE([BROKEN_SETREGID])
1225	AC_DEFINE([WITH_ABBREV_NO_TTY])
1226	AC_DEFINE([BROKEN_UPDWTMPX])
1227	AC_DEFINE([PASSWD_NEEDS_USERNAME])
1228	AC_CHECK_FUNCS([getluid setluid])
1229	MANTYPE=man
1230	TEST_SHELL=$SHELL	# let configure find us a capable shell
1231	SKIP_DISABLE_LASTLOG_DEFINE=yes
1232	;;
1233*-dec-osf*)
1234	AC_MSG_CHECKING([for Digital Unix SIA])
1235	no_osfsia=""
1236	AC_ARG_WITH([osfsia],
1237		[  --with-osfsia           Enable Digital Unix SIA],
1238		[
1239			if test "x$withval" = "xno" ; then
1240				AC_MSG_RESULT([disabled])
1241				no_osfsia=1
1242			fi
1243		],
1244	)
1245	if test -z "$no_osfsia" ; then
1246		if test -f /etc/sia/matrix.conf; then
1247			AC_MSG_RESULT([yes])
1248			AC_DEFINE([HAVE_OSF_SIA], [1],
1249				[Define if you have Digital Unix Security
1250				Integration Architecture])
1251			AC_DEFINE([DISABLE_LOGIN], [1],
1252				[Define if you don't want to use your
1253				system's login() call])
1254			AC_DEFINE([DISABLE_FD_PASSING])
1255			LIBS="$LIBS -lsecurity -ldb -lm -laud"
1256			SIA_MSG="yes"
1257		else
1258			AC_MSG_RESULT([no])
1259			AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1260			  [String used in /etc/passwd to denote locked account])
1261		fi
1262	fi
1263	AC_DEFINE([BROKEN_GETADDRINFO])
1264	AC_DEFINE([SETEUID_BREAKS_SETUID])
1265	AC_DEFINE([BROKEN_SETREUID])
1266	AC_DEFINE([BROKEN_SETREGID])
1267	AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1268	;;
1269
1270*-*-nto-qnx*)
1271	AC_DEFINE([USE_PIPES])
1272	AC_DEFINE([NO_X11_UNIX_SOCKETS])
1273	AC_DEFINE([DISABLE_LASTLOG])
1274	AC_DEFINE([SSHD_ACQUIRES_CTTY])
1275	AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1276	enable_etc_default_login=no	# has incompatible /etc/default/login
1277	case "$host" in
1278	*-*-nto-qnx6*)
1279		AC_DEFINE([DISABLE_FD_PASSING])
1280		;;
1281	esac
1282	;;
1283
1284*-*-ultrix*)
1285	AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1286	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1287	AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1288	AC_DEFINE([DISABLE_UTMPX], [1], [Disable utmpx])
1289	# DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
1290	# don't get a controlling tty.
1291	AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1292	# On Ultrix some headers are not protected against multiple includes,
1293	# so we create wrappers and put it where the compiler will find it.
1294	AC_MSG_WARN([creating compat wrappers for headers])
1295	mkdir -p netinet
1296	for header in netinet/ip.h netdb.h resolv.h; do
1297		name=`echo $header | tr 'a-z/.' 'A-Z__'`
1298		cat >$header <<EOD
1299#ifndef _SSH_COMPAT_${name}
1300#define _SSH_COMPAT_${name}
1301#include "/usr/include/${header}"
1302#endif
1303EOD
1304	done
1305	;;
1306
1307*-*-lynxos)
1308	CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1309	AC_DEFINE([BROKEN_SETVBUF], [1],
1310	    [LynxOS has broken setvbuf() implementation])
1311	;;
1312esac
1313
1314AC_MSG_CHECKING([compiler and flags for sanity])
1315AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdlib.h> ]], [[ exit(0); ]])],
1316	[	AC_MSG_RESULT([yes]) ],
1317	[
1318		AC_MSG_RESULT([no])
1319		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1320	],
1321	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1322)
1323
1324dnl Checks for header files.
1325# Checks for libraries.
1326AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1327
1328dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1329AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1330	AC_CHECK_LIB([gen], [dirname], [
1331		AC_CACHE_CHECK([for broken dirname],
1332			ac_cv_have_broken_dirname, [
1333			save_LIBS="$LIBS"
1334			LIBS="$LIBS -lgen"
1335			AC_RUN_IFELSE(
1336				[AC_LANG_SOURCE([[
1337#include <libgen.h>
1338#include <string.h>
1339#include <stdlib.h>
1340
1341int main(int argc, char **argv) {
1342    char *s, buf[32];
1343
1344    strncpy(buf,"/etc", 32);
1345    s = dirname(buf);
1346    if (!s || strncmp(s, "/", 32) != 0) {
1347	exit(1);
1348    } else {
1349	exit(0);
1350    }
1351}
1352				]])],
1353				[ ac_cv_have_broken_dirname="no" ],
1354				[ ac_cv_have_broken_dirname="yes" ],
1355				[ ac_cv_have_broken_dirname="no" ],
1356			)
1357			LIBS="$save_LIBS"
1358		])
1359		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1360			LIBS="$LIBS -lgen"
1361			AC_DEFINE([HAVE_DIRNAME])
1362			AC_CHECK_HEADERS([libgen.h])
1363		fi
1364	])
1365])
1366
1367AC_CHECK_FUNC([getspnam], ,
1368	[AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1369AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1370	[Define if you have the basename function.])])
1371
1372dnl zlib defaults to enabled
1373zlib=yes
1374AC_ARG_WITH([zlib],
1375	[  --with-zlib=PATH        Use zlib in PATH],
1376	[ if test "x$withval" = "xno" ; then
1377		zlib=no
1378	  elif test "x$withval" != "xyes"; then
1379		if test -d "$withval/lib"; then
1380			if test -n "${rpath_opt}"; then
1381				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1382			else
1383				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1384			fi
1385		else
1386			if test -n "${rpath_opt}"; then
1387				LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1388			else
1389				LDFLAGS="-L${withval} ${LDFLAGS}"
1390			fi
1391		fi
1392		if test -d "$withval/include"; then
1393			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1394		else
1395			CPPFLAGS="-I${withval} ${CPPFLAGS}"
1396		fi
1397	fi ]
1398)
1399
1400# These libraries are needed for anything that links in the channel code.
1401CHANNELLIBS=""
1402AC_MSG_CHECKING([for zlib])
1403if test "x${zlib}" = "xno"; then
1404	AC_MSG_RESULT([no])
1405else
1406    saved_LIBS="$LIBS"
1407    CHANNELLIBS="$CHANNELLIBS -lz"
1408    AC_MSG_RESULT([yes])
1409    AC_DEFINE([WITH_ZLIB], [1], [Enable zlib])
1410    AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1411    AC_CHECK_LIB([z], [deflate], [],
1412	[
1413		saved_CPPFLAGS="$CPPFLAGS"
1414		saved_LDFLAGS="$LDFLAGS"
1415		dnl Check default zlib install dir
1416		if test -n "${rpath_opt}"; then
1417			LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1418		else
1419			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1420		fi
1421		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1422		AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1423			[
1424				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1425			]
1426		)
1427	]
1428    )
1429
1430    AC_ARG_WITH([zlib-version-check],
1431	[  --without-zlib-version-check Disable zlib version check],
1432	[  if test "x$withval" = "xno" ; then
1433		zlib_check_nonfatal=1
1434	   fi
1435	]
1436    )
1437
1438    AC_MSG_CHECKING([for possibly buggy zlib])
1439    AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1440#include <stdio.h>
1441#include <stdlib.h>
1442#include <zlib.h>
1443	]],
1444	[[
1445	int a=0, b=0, c=0, d=0, n, v;
1446	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1447	if (n != 3 && n != 4)
1448		exit(1);
1449	v = a*1000000 + b*10000 + c*100 + d;
1450	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1451
1452	/* 1.1.4 is OK */
1453	if (a == 1 && b == 1 && c >= 4)
1454		exit(0);
1455
1456	/* 1.2.3 and up are OK */
1457	if (v >= 1020300)
1458		exit(0);
1459
1460	exit(2);
1461	]])],
1462	AC_MSG_RESULT([no]),
1463	[ AC_MSG_RESULT([yes])
1464	  if test -z "$zlib_check_nonfatal" ; then
1465		AC_MSG_ERROR([*** zlib too old - check config.log ***
1466Your reported zlib version has known security problems.  It's possible your
1467vendor has fixed these problems without changing the version number.  If you
1468are sure this is the case, you can disable the check by running
1469"./configure --without-zlib-version-check".
1470If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1471See http://www.gzip.org/zlib/ for details.])
1472	  else
1473		AC_MSG_WARN([zlib version may have security problems])
1474	  fi
1475	],
1476	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1477    )
1478    LIBS="$saved_LIBS"
1479fi
1480
1481dnl UnixWare 2.x
1482AC_CHECK_FUNC([strcasecmp],
1483	[], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1484)
1485AC_CHECK_FUNCS([utimes],
1486	[], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1487					LIBS="$LIBS -lc89"]) ]
1488)
1489
1490dnl    Checks for libutil functions
1491AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1492AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1493AC_SEARCH_LIBS([scan_scaled], [util bsd])
1494AC_SEARCH_LIBS([login], [util bsd])
1495AC_SEARCH_LIBS([logout], [util bsd])
1496AC_SEARCH_LIBS([logwtmp], [util bsd])
1497AC_SEARCH_LIBS([openpty], [util bsd])
1498AC_SEARCH_LIBS([updwtmp], [util bsd])
1499AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1500
1501# On some platforms, inet_ntop and gethostbyname may be found in libresolv
1502# or libnsl.
1503AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1504AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1505
1506# Some Linux distribtions ship the BSD libc hashing functions in
1507# separate libraries.
1508AC_SEARCH_LIBS([SHA256Update], [md bsd])
1509
1510# "Particular Function Checks"
1511# see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1512AC_FUNC_STRFTIME
1513AC_FUNC_MALLOC
1514AC_FUNC_REALLOC
1515# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1516AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1517AC_RUN_IFELSE(
1518	[AC_LANG_PROGRAM(
1519		[[ #include <stdlib.h> ]],
1520		[[ void *p = calloc(0, 1); exit(p == NULL); ]]
1521	)],
1522	[ func_calloc_0_nonnull=yes ],
1523	[ func_calloc_0_nonnull=no ],
1524	[ AC_MSG_WARN([cross compiling: assuming same as malloc])
1525	  func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1526)
1527AC_MSG_RESULT([$func_calloc_0_nonnull])
1528
1529if test "x$func_calloc_0_nonnull" = "xyes"; then
1530	AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1531else
1532	AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1533	AC_DEFINE(calloc, rpl_calloc,
1534	    [Define to rpl_calloc if the replacement function should be used.])
1535fi
1536
1537# Check for ALTDIRFUNC glob() extension
1538AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1539AC_EGREP_CPP([FOUNDIT],
1540	[
1541		#include <glob.h>
1542		#ifdef GLOB_ALTDIRFUNC
1543		FOUNDIT
1544		#endif
1545	],
1546	[
1547		AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1548			[Define if your system glob() function has
1549			the GLOB_ALTDIRFUNC extension])
1550		AC_MSG_RESULT([yes])
1551	],
1552	[
1553		AC_MSG_RESULT([no])
1554	]
1555)
1556
1557# Check for g.gl_matchc glob() extension
1558AC_MSG_CHECKING([for gl_matchc field in glob_t])
1559AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1560	[[ glob_t g; g.gl_matchc = 1; ]])],
1561	[
1562		AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1563			[Define if your system glob() function has
1564			gl_matchc options in glob_t])
1565		AC_MSG_RESULT([yes])
1566	], [
1567		AC_MSG_RESULT([no])
1568])
1569
1570# Check for g.gl_statv glob() extension
1571AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1572AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1573#ifndef GLOB_KEEPSTAT
1574#error "glob does not support GLOB_KEEPSTAT extension"
1575#endif
1576glob_t g;
1577g.gl_statv = NULL;
1578]])],
1579	[
1580		AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1581			[Define if your system glob() function has
1582			gl_statv options in glob_t])
1583		AC_MSG_RESULT([yes])
1584	], [
1585		AC_MSG_RESULT([no])
1586
1587])
1588
1589AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1590
1591AC_CHECK_DECL([VIS_ALL], ,
1592    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1593
1594AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1595AC_RUN_IFELSE(
1596	[AC_LANG_PROGRAM([[
1597#include <sys/types.h>
1598#include <dirent.h>
1599#include <stdlib.h>
1600	]],
1601	[[
1602	struct dirent d;
1603	exit(sizeof(d.d_name)<=sizeof(char));
1604	]])],
1605	[AC_MSG_RESULT([yes])],
1606	[
1607		AC_MSG_RESULT([no])
1608		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1609			[Define if your struct dirent expects you to
1610			allocate extra space for d_name])
1611	],
1612	[
1613		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1614		AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1615	]
1616)
1617
1618AC_MSG_CHECKING([for /proc/pid/fd directory])
1619if test -d "/proc/$$/fd" ; then
1620	AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1621	AC_MSG_RESULT([yes])
1622else
1623	AC_MSG_RESULT([no])
1624fi
1625
1626# Check whether user wants TCP wrappers support
1627TCPW_MSG="no"
1628AC_ARG_WITH([tcp-wrappers],
1629	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1630	[
1631		if test "x$withval" != "xno" ; then
1632			saved_LIBS="$LIBS"
1633			saved_LDFLAGS="$LDFLAGS"
1634			saved_CPPFLAGS="$CPPFLAGS"
1635			if test -n "${withval}" && \
1636			    test "x${withval}" != "xyes"; then
1637				if test -d "${withval}/lib"; then
1638					if test -n "${need_dash_r}"; then
1639						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1640					else
1641						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1642					fi
1643				else
1644					if test -n "${need_dash_r}"; then
1645						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1646					else
1647						LDFLAGS="-L${withval} ${LDFLAGS}"
1648					fi
1649				fi
1650				if test -d "${withval}/include"; then
1651					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1652				else
1653					CPPFLAGS="-I${withval} ${CPPFLAGS}"
1654				fi
1655			fi
1656			LIBS="-lwrap $LIBS"
1657			AC_MSG_CHECKING([for libwrap])
1658			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1659#include <sys/types.h>
1660#include <sys/socket.h>
1661#include <netinet/in.h>
1662#include <tcpd.h>
1663int deny_severity = 0, allow_severity = 0;
1664				]], [[
1665	hosts_access(0);
1666				]])], [
1667					AC_MSG_RESULT([yes])
1668					AC_DEFINE([LIBWRAP], [1],
1669						[Define if you want
1670						TCP Wrappers support])
1671					SSHDLIBS="$SSHDLIBS -lwrap"
1672					TCPW_MSG="yes"
1673				], [
1674					AC_MSG_ERROR([*** libwrap missing])
1675			])
1676			LIBS="$saved_LIBS"
1677		fi
1678	]
1679)
1680
1681# Check whether user wants to use ldns
1682LDNS_MSG="no"
1683AC_ARG_WITH(ldns,
1684	[  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
1685	[
1686	ldns=""
1687	if test "x$withval" = "xyes" ; then
1688		AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1689		if test "x$LDNSCONFIG" = "xno"; then
1690			LIBS="-lldns $LIBS"
1691			ldns=yes
1692		else
1693			LIBS="$LIBS `$LDNSCONFIG --libs`"
1694			CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1695			ldns=yes
1696		fi
1697	elif test "x$withval" != "xno" ; then
1698			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1699			LDFLAGS="$LDFLAGS -L${withval}/lib"
1700			LIBS="-lldns $LIBS"
1701			ldns=yes
1702	fi
1703
1704	# Verify that it works.
1705	if test "x$ldns" = "xyes" ; then
1706		AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1707		LDNS_MSG="yes"
1708		AC_MSG_CHECKING([for ldns support])
1709		AC_LINK_IFELSE(
1710			[AC_LANG_SOURCE([[
1711#include <stdio.h>
1712#include <stdlib.h>
1713#ifdef HAVE_STDINT_H
1714# include <stdint.h>
1715#endif
1716#include <ldns/ldns.h>
1717int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1718			]])
1719		],
1720			[AC_MSG_RESULT(yes)],
1721				[
1722					AC_MSG_RESULT(no)
1723					AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1724				])
1725	fi
1726])
1727
1728# Check whether user wants libedit support
1729LIBEDIT_MSG="no"
1730AC_ARG_WITH([libedit],
1731	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
1732	[ if test "x$withval" != "xno" ; then
1733		if test "x$withval" = "xyes" ; then
1734			if test "x$PKGCONFIG" != "xno"; then
1735				AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1736				if "$PKGCONFIG" libedit; then
1737					AC_MSG_RESULT([yes])
1738					use_pkgconfig_for_libedit=yes
1739				else
1740					AC_MSG_RESULT([no])
1741				fi
1742			fi
1743		else
1744			CPPFLAGS="$CPPFLAGS -I${withval}/include"
1745			if test -n "${rpath_opt}"; then
1746				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1747			else
1748				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1749			fi
1750		fi
1751		if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1752			LIBEDIT=`$PKGCONFIG --libs libedit`
1753			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1754		else
1755			LIBEDIT="-ledit -lcurses"
1756		fi
1757		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1758		AC_CHECK_LIB([edit], [el_init],
1759			[ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1760			  LIBEDIT_MSG="yes"
1761			  AC_SUBST([LIBEDIT])
1762			],
1763			[ AC_MSG_ERROR([libedit not found]) ],
1764			[ $OTHERLIBS ]
1765		)
1766		AC_MSG_CHECKING([if libedit version is compatible])
1767		AC_COMPILE_IFELSE(
1768		    [AC_LANG_PROGRAM([[
1769#include <histedit.h>
1770#include <stdlib.h>
1771		    ]],
1772		    [[
1773	int i = H_SETSIZE;
1774	el_init("", NULL, NULL, NULL);
1775	exit(0);
1776		    ]])],
1777		    [ AC_MSG_RESULT([yes]) ],
1778		    [ AC_MSG_RESULT([no])
1779		      AC_MSG_ERROR([libedit version is not compatible]) ]
1780		)
1781	fi ]
1782)
1783
1784AUDIT_MODULE=none
1785AC_ARG_WITH([audit],
1786	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
1787	[
1788	  AC_MSG_CHECKING([for supported audit module])
1789	  case "$withval" in
1790	  bsm)
1791		AC_MSG_RESULT([bsm])
1792		AUDIT_MODULE=bsm
1793		dnl    Checks for headers, libs and functions
1794		AC_CHECK_HEADERS([bsm/audit.h], [],
1795		    [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1796		    [
1797#ifdef HAVE_TIME_H
1798# include <time.h>
1799#endif
1800		    ]
1801)
1802		AC_CHECK_LIB([bsm], [getaudit], [],
1803		    [AC_MSG_ERROR([BSM enabled and required library not found])])
1804		AC_CHECK_FUNCS([getaudit], [],
1805		    [AC_MSG_ERROR([BSM enabled and required function not found])])
1806		# These are optional
1807		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1808		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1809		if test "$sol2ver" -ge 11; then
1810			SSHDLIBS="$SSHDLIBS -lscf"
1811			AC_DEFINE([BROKEN_BSM_API], [1],
1812				[The system has incomplete BSM API])
1813		fi
1814		;;
1815	  linux)
1816		AC_MSG_RESULT([linux])
1817		AUDIT_MODULE=linux
1818		dnl    Checks for headers, libs and functions
1819		AC_CHECK_HEADERS([libaudit.h])
1820		SSHDLIBS="$SSHDLIBS -laudit"
1821		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1822		;;
1823	  debug)
1824		AUDIT_MODULE=debug
1825		AC_MSG_RESULT([debug])
1826		AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1827		;;
1828	  no)
1829		AC_MSG_RESULT([no])
1830		;;
1831	  *)
1832		AC_MSG_ERROR([Unknown audit module $withval])
1833		;;
1834	esac ]
1835)
1836
1837AC_ARG_WITH([pie],
1838    [  --with-pie              Build Position Independent Executables if possible], [
1839	if test "x$withval" = "xno"; then
1840		use_pie=no
1841	fi
1842	if test "x$withval" = "xyes"; then
1843		use_pie=yes
1844	fi
1845    ]
1846)
1847if test "x$use_pie" = "x"; then
1848	use_pie=no
1849fi
1850if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1851	# Turn off automatic PIE when toolchain hardening is off.
1852	use_pie=no
1853fi
1854if test "x$use_pie" = "xauto"; then
1855	# Automatic PIE requires gcc >= 4.x
1856	AC_MSG_CHECKING([for gcc >= 4.x])
1857	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1858#if !defined(__GNUC__) || __GNUC__ < 4
1859#error gcc is too old
1860#endif
1861]])],
1862	[ AC_MSG_RESULT([yes]) ],
1863	[ AC_MSG_RESULT([no])
1864	  use_pie=no ]
1865)
1866fi
1867if test "x$use_pie" != "xno"; then
1868	SAVED_CFLAGS="$CFLAGS"
1869	SAVED_LDFLAGS="$LDFLAGS"
1870	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1871	OSSH_CHECK_LDFLAG_LINK([-pie])
1872	# We use both -fPIE and -pie or neither.
1873	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1874	if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
1875	   echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
1876		AC_MSG_RESULT([yes])
1877	else
1878		AC_MSG_RESULT([no])
1879		CFLAGS="$SAVED_CFLAGS"
1880		LDFLAGS="$SAVED_LDFLAGS"
1881	fi
1882fi
1883
1884AC_MSG_CHECKING([whether -fPIC is accepted])
1885SAVED_CFLAGS="$CFLAGS"
1886CFLAGS="$CFLAGS -fPIC"
1887AC_COMPILE_IFELSE(
1888	[AC_LANG_PROGRAM( [[ #include <stdlib.h> ]], [[ exit(0); ]] )],
1889   [AC_MSG_RESULT([yes])
1890    PICFLAG="-fPIC"; ],
1891   [AC_MSG_RESULT([no])
1892    PICFLAG=""; ])
1893CFLAGS="$SAVED_CFLAGS"
1894AC_SUBST([PICFLAG])
1895
1896dnl    Checks for library functions. Please keep in alphabetical order
1897AC_CHECK_FUNCS([ \
1898	auth_hostok \
1899	auth_timeok \
1900	Blowfish_initstate \
1901	Blowfish_expandstate \
1902	Blowfish_expand0state \
1903	Blowfish_stream2word \
1904	SHA256Update \
1905	SHA384Update \
1906	SHA512Update \
1907	asprintf \
1908	b64_ntop \
1909	__b64_ntop \
1910	b64_pton \
1911	__b64_pton \
1912	bcopy \
1913	bcrypt_pbkdf \
1914	bindresvport_sa \
1915	blf_enc \
1916	bzero \
1917	cap_rights_limit \
1918	clock \
1919	closefrom \
1920	close_range \
1921	dirfd \
1922	endgrent \
1923	err \
1924	errx \
1925	explicit_bzero \
1926	explicit_memset \
1927	fchmod \
1928	fchmodat \
1929	fchown \
1930	fchownat \
1931	flock \
1932	fnmatch \
1933	freeaddrinfo \
1934	freezero \
1935	fstatfs \
1936	fstatvfs \
1937	futimes \
1938	getaddrinfo \
1939	getcwd \
1940	getentropy \
1941	getgrouplist \
1942	getline \
1943	getnameinfo \
1944	getopt \
1945	getpagesize \
1946	getpeereid \
1947	getpeerucred \
1948	getpgid \
1949	_getpty \
1950	getrlimit \
1951	getrandom \
1952	getsid \
1953	getttyent \
1954	glob \
1955	group_from_gid \
1956	inet_aton \
1957	inet_ntoa \
1958	inet_ntop \
1959	innetgr \
1960	killpg \
1961	llabs \
1962	localtime_r \
1963	login_getcapbool \
1964	login_getpwclass \
1965	memmem \
1966	memmove \
1967	memset_s \
1968	mkdtemp \
1969	ngetaddrinfo \
1970	nsleep \
1971	ogetaddrinfo \
1972	openlog_r \
1973	pledge \
1974	poll \
1975	ppoll \
1976	prctl \
1977	procctl \
1978	pselect \
1979	pstat \
1980	raise \
1981	readpassphrase \
1982	reallocarray \
1983	realpath \
1984	recvmsg \
1985	recallocarray \
1986	rresvport_af \
1987	sendmsg \
1988	setdtablesize \
1989	setegid \
1990	setenv \
1991	seteuid \
1992	setgroupent \
1993	setgroups \
1994	setlinebuf \
1995	setlogin \
1996	setpassent\
1997	setpcred \
1998	setproctitle \
1999	setregid \
2000	setreuid \
2001	setrlimit \
2002	setsid \
2003	setvbuf \
2004	sigaction \
2005	sigvec \
2006	snprintf \
2007	socketpair \
2008	statfs \
2009	statvfs \
2010	strcasestr \
2011	strdup \
2012	strerror \
2013	strlcat \
2014	strlcpy \
2015	strmode \
2016	strndup \
2017	strnlen \
2018	strnvis \
2019	strptime \
2020	strsignal \
2021	strtonum \
2022	strtoll \
2023	strtoul \
2024	strtoull \
2025	swap32 \
2026	sysconf \
2027	tcgetpgrp \
2028	timegm \
2029	timingsafe_bcmp \
2030	truncate \
2031	unsetenv \
2032	updwtmpx \
2033	utimensat \
2034	user_from_uid \
2035	usleep \
2036	vasprintf \
2037	vsnprintf \
2038	waitpid \
2039	warn \
2040])
2041
2042AC_CHECK_DECLS([bzero, memmem])
2043
2044dnl Wide character support.
2045AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
2046
2047TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
2048AC_MSG_CHECKING([for utf8 locale support])
2049AC_RUN_IFELSE(
2050	[AC_LANG_PROGRAM([[
2051#include <locale.h>
2052#include <stdlib.h>
2053	]], [[
2054	char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
2055	if (loc != NULL)
2056		exit(0);
2057	exit(1);
2058	]])],
2059	AC_MSG_RESULT(yes),
2060	[AC_MSG_RESULT(no)
2061	 TEST_SSH_UTF8=no],
2062	AC_MSG_WARN([cross compiling: assuming yes])
2063)
2064
2065AC_LINK_IFELSE(
2066        [AC_LANG_PROGRAM(
2067           [[ #include <ctype.h> ]],
2068           [[ return (isblank('a')); ]])],
2069	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
2070])
2071
2072disable_pkcs11=
2073AC_ARG_ENABLE([pkcs11],
2074	[  --disable-pkcs11        disable PKCS#11 support code [no]],
2075	[
2076		if test "x$enableval" = "xno" ; then
2077			disable_pkcs11=1
2078		fi
2079	]
2080)
2081
2082disable_sk=
2083AC_ARG_ENABLE([security-key],
2084	[  --disable-security-key  disable U2F/FIDO support code [no]],
2085	[
2086		if test "x$enableval" = "xno" ; then
2087			disable_sk=1
2088		fi
2089	]
2090)
2091enable_sk_internal=
2092AC_ARG_WITH([security-key-builtin],
2093	[  --with-security-key-builtin include builtin U2F/FIDO support],
2094	[ enable_sk_internal=$withval ]
2095)
2096
2097AC_SEARCH_LIBS([dlopen], [dl])
2098AC_CHECK_FUNCS([dlopen])
2099AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
2100
2101# IRIX has a const char return value for gai_strerror()
2102AC_CHECK_FUNCS([gai_strerror], [
2103	AC_DEFINE([HAVE_GAI_STRERROR])
2104	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2105#include <sys/types.h>
2106#include <sys/socket.h>
2107#include <netdb.h>
2108
2109const char *gai_strerror(int);
2110			]], [[
2111	char *str;
2112	str = gai_strerror(0);
2113			]])], [
2114		AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
2115		[Define if gai_strerror() returns const char *])], [])])
2116
2117AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
2118	[Some systems put nanosleep outside of libc])])
2119
2120AC_SEARCH_LIBS([clock_gettime], [rt],
2121	[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
2122
2123dnl check if we need -D_REENTRANT for localtime_r declaration.
2124AC_CHECK_DECL([localtime_r], [],
2125	[ saved_CPPFLAGS="$CPPFLAGS"
2126	  CPPFLAGS="$CPPFLAGS -D_REENTRANT"
2127	  unset ac_cv_have_decl_localtime_r
2128	  AC_CHECK_DECL([localtime_r], [],
2129		[ CPPFLAGS="$saved_CPPFLAGS" ],
2130		[ #include <time.h> ]
2131	  )
2132	],
2133	[ #include <time.h> ]
2134)
2135
2136dnl Make sure prototypes are defined for these before using them.
2137AC_CHECK_DECL([strsep],
2138	[AC_CHECK_FUNCS([strsep])],
2139	[],
2140	[
2141#ifdef HAVE_STRING_H
2142# include <string.h>
2143#endif
2144	])
2145
2146dnl tcsendbreak might be a macro
2147AC_CHECK_DECL([tcsendbreak],
2148	[AC_DEFINE([HAVE_TCSENDBREAK])],
2149	[AC_CHECK_FUNCS([tcsendbreak])],
2150	[#include <termios.h>]
2151)
2152
2153AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
2154
2155AC_CHECK_DECLS([SHUT_RD, getpeereid], , ,
2156	[
2157#include <sys/types.h>
2158#include <sys/socket.h>
2159#include <unistd.h>
2160	])
2161
2162AC_CHECK_DECLS([O_NONBLOCK], , ,
2163	[
2164#include <sys/types.h>
2165#ifdef HAVE_SYS_STAT_H
2166# include <sys/stat.h>
2167#endif
2168#ifdef HAVE_FCNTL_H
2169# include <fcntl.h>
2170#endif
2171	])
2172
2173AC_CHECK_DECLS([ftruncate, getentropy], , ,
2174	[
2175#include <sys/types.h>
2176#include <unistd.h>
2177	])
2178
2179AC_CHECK_DECLS([readv, writev], , , [
2180#include <sys/types.h>
2181#include <sys/uio.h>
2182#include <unistd.h>
2183	])
2184
2185AC_CHECK_DECLS([MAXSYMLINKS], , , [
2186#include <sys/param.h>
2187	])
2188
2189AC_CHECK_DECLS([offsetof], , , [
2190#include <stddef.h>
2191	])
2192
2193# extra bits for select(2)
2194AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2195#include <sys/param.h>
2196#include <sys/types.h>
2197#ifdef HAVE_SYS_SYSMACROS_H
2198#include <sys/sysmacros.h>
2199#endif
2200#ifdef HAVE_SYS_SELECT_H
2201#include <sys/select.h>
2202#endif
2203#ifdef HAVE_SYS_TIME_H
2204#include <sys/time.h>
2205#endif
2206#ifdef HAVE_UNISTD_H
2207#include <unistd.h>
2208#endif
2209	]])
2210AC_CHECK_TYPES([fd_mask], [], [], [[
2211#include <sys/param.h>
2212#include <sys/types.h>
2213#ifdef HAVE_SYS_SELECT_H
2214#include <sys/select.h>
2215#endif
2216#ifdef HAVE_SYS_TIME_H
2217#include <sys/time.h>
2218#endif
2219#ifdef HAVE_UNISTD_H
2220#include <unistd.h>
2221#endif
2222	]])
2223
2224AC_CHECK_FUNCS([setresuid], [
2225	dnl Some platorms have setresuid that isn't implemented, test for this
2226	AC_MSG_CHECKING([if setresuid seems to work])
2227	AC_RUN_IFELSE(
2228		[AC_LANG_PROGRAM([[
2229#include <stdlib.h>
2230#include <errno.h>
2231		]], [[
2232	errno=0;
2233	setresuid(0,0,0);
2234	if (errno==ENOSYS)
2235		exit(1);
2236	else
2237		exit(0);
2238		]])],
2239		[AC_MSG_RESULT([yes])],
2240		[AC_DEFINE([BROKEN_SETRESUID], [1],
2241			[Define if your setresuid() is broken])
2242		 AC_MSG_RESULT([not implemented])],
2243		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2244	)
2245])
2246
2247AC_CHECK_FUNCS([setresgid], [
2248	dnl Some platorms have setresgid that isn't implemented, test for this
2249	AC_MSG_CHECKING([if setresgid seems to work])
2250	AC_RUN_IFELSE(
2251		[AC_LANG_PROGRAM([[
2252#include <stdlib.h>
2253#include <errno.h>
2254		]], [[
2255	errno=0;
2256	setresgid(0,0,0);
2257	if (errno==ENOSYS)
2258		exit(1);
2259	else
2260		exit(0);
2261		]])],
2262		[AC_MSG_RESULT([yes])],
2263		[AC_DEFINE([BROKEN_SETRESGID], [1],
2264			[Define if your setresgid() is broken])
2265		 AC_MSG_RESULT([not implemented])],
2266		[AC_MSG_WARN([cross compiling: not checking setresuid])]
2267	)
2268])
2269
2270AC_MSG_CHECKING([for working fflush(NULL)])
2271AC_RUN_IFELSE(
2272	[AC_LANG_PROGRAM([[
2273#include <stdio.h>
2274#include <stdlib.h>
2275	]],
2276	[[fflush(NULL); exit(0);]])],
2277	AC_MSG_RESULT([yes]),
2278	[AC_MSG_RESULT([no])
2279	 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2280	    [define if fflush(NULL) does not work])],
2281	AC_MSG_WARN([cross compiling: assuming working])
2282)
2283
2284dnl    Checks for time functions
2285AC_CHECK_FUNCS([gettimeofday time])
2286dnl    Checks for utmp functions
2287AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2288AC_CHECK_FUNCS([utmpname])
2289dnl    Checks for utmpx functions
2290AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2291AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2292dnl    Checks for lastlog functions
2293AC_CHECK_FUNCS([getlastlogxbyname])
2294
2295AC_CHECK_FUNC([daemon],
2296	[AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2297	[AC_CHECK_LIB([bsd], [daemon],
2298		[LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2299)
2300
2301AC_CHECK_FUNC([getpagesize],
2302	[AC_DEFINE([HAVE_GETPAGESIZE], [1],
2303		[Define if your libraries define getpagesize()])],
2304	[AC_CHECK_LIB([ucb], [getpagesize],
2305		[LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2306)
2307
2308# Check for broken snprintf
2309if test "x$ac_cv_func_snprintf" = "xyes" ; then
2310	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2311	AC_RUN_IFELSE(
2312		[AC_LANG_PROGRAM([[
2313#include <stdio.h>
2314#include <stdlib.h>
2315		]],
2316		[[
2317	char b[5];
2318	snprintf(b,5,"123456789");
2319	exit(b[4]!='\0');
2320		]])],
2321		[AC_MSG_RESULT([yes])],
2322		[
2323			AC_MSG_RESULT([no])
2324			AC_DEFINE([BROKEN_SNPRINTF], [1],
2325				[Define if your snprintf is busted])
2326			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2327		],
2328		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2329	)
2330fi
2331
2332if test "x$ac_cv_func_snprintf" = "xyes" ; then
2333	AC_MSG_CHECKING([whether snprintf understands %zu])
2334	AC_RUN_IFELSE(
2335		[AC_LANG_PROGRAM([[
2336#include <sys/types.h>
2337#include <stdio.h>
2338#include <stdlib.h>
2339#include <string.h>
2340		]],
2341		[[
2342	size_t a = 1, b = 2;
2343	char z[128];
2344	snprintf(z, sizeof z, "%zu%zu", a, b);
2345	exit(strcmp(z, "12"));
2346		]])],
2347		[AC_MSG_RESULT([yes])],
2348		[
2349			AC_MSG_RESULT([no])
2350			AC_DEFINE([BROKEN_SNPRINTF], [1],
2351				[snprintf does not understand %zu])
2352		],
2353		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2354	)
2355fi
2356
2357# We depend on vsnprintf returning the right thing on overflow: the
2358# number of characters it tried to create (as per SUSv3)
2359if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2360	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2361	AC_RUN_IFELSE(
2362		[AC_LANG_PROGRAM([[
2363#include <sys/types.h>
2364#include <stdio.h>
2365#include <stdarg.h>
2366
2367int x_snprintf(char *str, size_t count, const char *fmt, ...)
2368{
2369	size_t ret;
2370	va_list ap;
2371
2372	va_start(ap, fmt);
2373	ret = vsnprintf(str, count, fmt, ap);
2374	va_end(ap);
2375	return ret;
2376}
2377		]], [[
2378char x[1];
2379if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2380	return 1;
2381if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2382	return 1;
2383return 0;
2384		]])],
2385		[AC_MSG_RESULT([yes])],
2386		[
2387			AC_MSG_RESULT([no])
2388			AC_DEFINE([BROKEN_SNPRINTF], [1],
2389				[Define if your snprintf is busted])
2390			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2391		],
2392		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2393	)
2394fi
2395
2396# On systems where [v]snprintf is broken, but is declared in stdio,
2397# check that the fmt argument is const char * or just char *.
2398# This is only useful for when BROKEN_SNPRINTF
2399AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2400AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2401#include <stdio.h>
2402int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2403		]], [[
2404	snprintf(0, 0, 0);
2405		]])],
2406   [AC_MSG_RESULT([yes])
2407    AC_DEFINE([SNPRINTF_CONST], [const],
2408              [Define as const if snprintf() can declare const char *fmt])],
2409   [AC_MSG_RESULT([no])
2410    AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2411
2412# Check for missing getpeereid (or equiv) support
2413NO_PEERCHECK=""
2414if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2415	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2416	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2417#include <sys/types.h>
2418#include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2419		[ AC_MSG_RESULT([yes])
2420		  AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2421		], [AC_MSG_RESULT([no])
2422		NO_PEERCHECK=1
2423        ])
2424fi
2425
2426dnl make sure that openpty does not reacquire controlling terminal
2427if test ! -z "$check_for_openpty_ctty_bug"; then
2428	AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2429	AC_RUN_IFELSE(
2430		[AC_LANG_PROGRAM([[
2431#include <stdio.h>
2432#include <stdlib.h>
2433#include <unistd.h>
2434#include <sys/fcntl.h>
2435#include <sys/types.h>
2436#include <sys/wait.h>
2437		]], [[
2438	pid_t pid;
2439	int fd, ptyfd, ttyfd, status;
2440
2441	pid = fork();
2442	if (pid < 0) {		/* failed */
2443		exit(1);
2444	} else if (pid > 0) {	/* parent */
2445		waitpid(pid, &status, 0);
2446		if (WIFEXITED(status))
2447			exit(WEXITSTATUS(status));
2448		else
2449			exit(2);
2450	} else {		/* child */
2451		close(0); close(1); close(2);
2452		setsid();
2453		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2454		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2455		if (fd >= 0)
2456			exit(3);	/* Acquired ctty: broken */
2457		else
2458			exit(0);	/* Did not acquire ctty: OK */
2459	}
2460		]])],
2461		[
2462			AC_MSG_RESULT([yes])
2463		],
2464		[
2465			AC_MSG_RESULT([no])
2466			AC_DEFINE([SSHD_ACQUIRES_CTTY])
2467		],
2468		[
2469			AC_MSG_RESULT([cross-compiling, assuming yes])
2470		]
2471	)
2472fi
2473
2474if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2475    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2476	AC_MSG_CHECKING([if getaddrinfo seems to work])
2477	AC_RUN_IFELSE(
2478		[AC_LANG_PROGRAM([[
2479#include <stdio.h>
2480#include <stdlib.h>
2481#include <sys/socket.h>
2482#include <netdb.h>
2483#include <errno.h>
2484#include <netinet/in.h>
2485
2486#define TEST_PORT "2222"
2487		]], [[
2488	int err, sock;
2489	struct addrinfo *gai_ai, *ai, hints;
2490	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2491
2492	memset(&hints, 0, sizeof(hints));
2493	hints.ai_family = PF_UNSPEC;
2494	hints.ai_socktype = SOCK_STREAM;
2495	hints.ai_flags = AI_PASSIVE;
2496
2497	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2498	if (err != 0) {
2499		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2500		exit(1);
2501	}
2502
2503	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2504		if (ai->ai_family != AF_INET6)
2505			continue;
2506
2507		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2508		    sizeof(ntop), strport, sizeof(strport),
2509		    NI_NUMERICHOST|NI_NUMERICSERV);
2510
2511		if (err != 0) {
2512			if (err == EAI_SYSTEM)
2513				perror("getnameinfo EAI_SYSTEM");
2514			else
2515				fprintf(stderr, "getnameinfo failed: %s\n",
2516				    gai_strerror(err));
2517			exit(2);
2518		}
2519
2520		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2521		if (sock < 0)
2522			perror("socket");
2523		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2524			if (errno == EBADF)
2525				exit(3);
2526		}
2527	}
2528	exit(0);
2529		]])],
2530		[
2531			AC_MSG_RESULT([yes])
2532		],
2533		[
2534			AC_MSG_RESULT([no])
2535			AC_DEFINE([BROKEN_GETADDRINFO])
2536		],
2537		[
2538			AC_MSG_RESULT([cross-compiling, assuming yes])
2539		]
2540	)
2541fi
2542
2543if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2544    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2545	AC_MSG_CHECKING([if getaddrinfo seems to work])
2546	AC_RUN_IFELSE(
2547		[AC_LANG_PROGRAM([[
2548#include <stdio.h>
2549#include <stdlib.h>
2550#include <sys/socket.h>
2551#include <netdb.h>
2552#include <errno.h>
2553#include <netinet/in.h>
2554
2555#define TEST_PORT "2222"
2556		]], [[
2557	int err, sock;
2558	struct addrinfo *gai_ai, *ai, hints;
2559	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2560
2561	memset(&hints, 0, sizeof(hints));
2562	hints.ai_family = PF_UNSPEC;
2563	hints.ai_socktype = SOCK_STREAM;
2564	hints.ai_flags = AI_PASSIVE;
2565
2566	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2567	if (err != 0) {
2568		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2569		exit(1);
2570	}
2571
2572	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2573		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2574			continue;
2575
2576		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2577		    sizeof(ntop), strport, sizeof(strport),
2578		    NI_NUMERICHOST|NI_NUMERICSERV);
2579
2580		if (ai->ai_family == AF_INET && err != 0) {
2581			perror("getnameinfo");
2582			exit(2);
2583		}
2584	}
2585	exit(0);
2586		]])],
2587		[
2588			AC_MSG_RESULT([yes])
2589			AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2590				[Define if you have a getaddrinfo that fails
2591				for the all-zeros IPv6 address])
2592		],
2593		[
2594			AC_MSG_RESULT([no])
2595			AC_DEFINE([BROKEN_GETADDRINFO])
2596		],
2597		[
2598			AC_MSG_RESULT([cross-compiling, assuming no])
2599		]
2600	)
2601fi
2602
2603if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2604	AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2605	    [#include <sys/types.h>
2606	     #include <sys/socket.h>
2607	     #include <netdb.h>])
2608fi
2609
2610if test "x$check_for_conflicting_getspnam" = "x1"; then
2611	AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2612	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2613#include <shadow.h>
2614#include <stdlib.h>
2615		]],
2616		[[ exit(0); ]])],
2617		[
2618			AC_MSG_RESULT([no])
2619		],
2620		[
2621			AC_MSG_RESULT([yes])
2622			AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2623			    [Conflicting defs for getspnam])
2624		]
2625	)
2626fi
2627
2628dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2629dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2630dnl for over ten years). Despite this incompatibility being reported during
2631dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2632dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2633dnl implementation.  Try to detect this mess, and assume the only safe option
2634dnl if we're cross compiling.
2635dnl
2636dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2637dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
2638if test "x$ac_cv_func_strnvis" = "xyes"; then
2639	AC_MSG_CHECKING([for working strnvis])
2640	AC_RUN_IFELSE(
2641		[AC_LANG_PROGRAM([[
2642#include <signal.h>
2643#include <stdlib.h>
2644#include <string.h>
2645#include <unistd.h>
2646#include <vis.h>
2647static void sighandler(int sig) { _exit(1); }
2648		]], [[
2649	char dst[16];
2650
2651	signal(SIGSEGV, sighandler);
2652	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2653		exit(0);
2654	exit(1)
2655		]])],
2656		[AC_MSG_RESULT([yes])],
2657		[AC_MSG_RESULT([no])
2658		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2659		[AC_MSG_WARN([cross compiling: assuming broken])
2660		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2661	)
2662fi
2663
2664AC_MSG_CHECKING([if SA_RESTARTed signals interrupt select()])
2665AC_RUN_IFELSE(
2666	[AC_LANG_PROGRAM([[
2667#ifdef HAVE_SYS_SELECT
2668# include <sys/select.h>
2669#endif
2670#include <sys/types.h>
2671#include <sys/time.h>
2672#include <stdlib.h>
2673#include <signal.h>
2674#include <unistd.h>
2675static void sighandler(int sig) { }
2676		]], [[
2677	int r;
2678	pid_t pid;
2679	struct sigaction sa;
2680
2681	sa.sa_handler = sighandler;
2682	sa.sa_flags = SA_RESTART;
2683	(void)sigaction(SIGTERM, &sa, NULL);
2684	if ((pid = fork()) == 0) { /* child */
2685		pid = getppid();
2686		sleep(1);
2687		kill(pid, SIGTERM);
2688		sleep(1);
2689		if (getppid() == pid) /* if parent did not exit, shoot it */
2690			kill(pid, SIGKILL);
2691		exit(0);
2692	} else { /* parent */
2693		r = select(0, NULL, NULL, NULL, NULL);
2694	}
2695	exit(r == -1 ? 0 : 1);
2696	]])],
2697	[AC_MSG_RESULT([yes])],
2698	[AC_MSG_RESULT([no])
2699	 AC_DEFINE([NO_SA_RESTART], [1],
2700	    [SA_RESTARTed signals do no interrupt select])],
2701	[AC_MSG_WARN([cross compiling: assuming yes])]
2702)
2703
2704AC_CHECK_FUNCS([getpgrp],[
2705	AC_MSG_CHECKING([if getpgrp accepts zero args])
2706	AC_COMPILE_IFELSE(
2707		[AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2708		[ AC_MSG_RESULT([yes])
2709		  AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2710		[ AC_MSG_RESULT([no])
2711		  AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2712	)
2713])
2714
2715# Search for OpenSSL
2716saved_CPPFLAGS="$CPPFLAGS"
2717saved_LDFLAGS="$LDFLAGS"
2718AC_ARG_WITH([ssl-dir],
2719	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
2720	[
2721		if test "x$openssl" = "xno" ; then
2722			AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2723		fi
2724		if test "x$withval" != "xno" ; then
2725			case "$withval" in
2726				# Relative paths
2727				./*|../*)	withval="`pwd`/$withval"
2728			esac
2729			if test -d "$withval/lib"; then
2730				libcrypto_path="${withval}/lib"
2731			elif test -d "$withval/lib64"; then
2732				libcrypto_path="$withval/lib64"
2733			else
2734				# Built but not installed
2735				libcrypto_path="${withval}"
2736			fi
2737			if test -n "${rpath_opt}"; then
2738				LDFLAGS="-L${libcrypto_path} ${rpath_opt}${libcrypto_path} ${LDFLAGS}"
2739			else
2740				LDFLAGS="-L${libcrypto_path} ${LDFLAGS}"
2741			fi
2742			if test -d "$withval/include"; then
2743				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2744			else
2745				CPPFLAGS="-I${withval} ${CPPFLAGS}"
2746			fi
2747		fi
2748	]
2749)
2750
2751AC_ARG_WITH([openssl-header-check],
2752	[  --without-openssl-header-check Disable OpenSSL version consistency check],
2753	[
2754		if test "x$withval" = "xno" ; then
2755			openssl_check_nonfatal=1
2756		fi
2757	]
2758)
2759
2760openssl_engine=no
2761AC_ARG_WITH([ssl-engine],
2762	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
2763	[
2764		if test "x$withval" != "xno" ; then
2765			if test "x$openssl" = "xno" ; then
2766				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2767			fi
2768			openssl_engine=yes
2769		fi
2770	]
2771)
2772
2773nocrypto_saved_LIBS="$LIBS"
2774if test "x$openssl" = "xyes" ; then
2775	LIBS="-lcrypto $LIBS"
2776	CHANNELLIBS="-lcrypto $CHANNELLIBS"
2777	AC_TRY_LINK_FUNC([RAND_add], ,
2778	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
2779	AC_CHECK_HEADER([openssl/opensslv.h], ,
2780	    [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2781
2782	# Determine OpenSSL header version
2783	AC_MSG_CHECKING([OpenSSL header version])
2784	AC_RUN_IFELSE(
2785		[AC_LANG_PROGRAM([[
2786	#include <stdlib.h>
2787	#include <stdio.h>
2788	#include <string.h>
2789	#include <openssl/opensslv.h>
2790	#define DATA "conftest.sslincver"
2791		]], [[
2792		FILE *fd;
2793		int rc;
2794
2795		fd = fopen(DATA,"w");
2796		if(fd == NULL)
2797			exit(1);
2798
2799		if ((rc = fprintf(fd, "%08lx (%s)\n",
2800		    (unsigned long)OPENSSL_VERSION_NUMBER,
2801		     OPENSSL_VERSION_TEXT)) < 0)
2802			exit(1);
2803
2804		exit(0);
2805		]])],
2806		[
2807			ssl_header_ver=`cat conftest.sslincver`
2808			AC_MSG_RESULT([$ssl_header_ver])
2809		],
2810		[
2811			AC_MSG_RESULT([not found])
2812			AC_MSG_ERROR([OpenSSL version header not found.])
2813		],
2814		[
2815			AC_MSG_WARN([cross compiling: not checking])
2816		]
2817	)
2818
2819	# Determining OpenSSL library version is version dependent.
2820	AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
2821
2822	# Determine OpenSSL library version
2823	AC_MSG_CHECKING([OpenSSL library version])
2824	AC_RUN_IFELSE(
2825		[AC_LANG_PROGRAM([[
2826	#include <stdio.h>
2827	#include <stdlib.h>
2828	#include <string.h>
2829	#include <openssl/opensslv.h>
2830	#include <openssl/crypto.h>
2831	#define DATA "conftest.ssllibver"
2832		]], [[
2833		FILE *fd;
2834		int rc;
2835
2836		fd = fopen(DATA,"w");
2837		if(fd == NULL)
2838			exit(1);
2839#ifndef OPENSSL_VERSION
2840# define OPENSSL_VERSION SSLEAY_VERSION
2841#endif
2842#ifndef HAVE_OPENSSL_VERSION
2843# define OpenSSL_version	SSLeay_version
2844#endif
2845#ifndef HAVE_OPENSSL_VERSION_NUM
2846# define OpenSSL_version_num	SSLeay
2847#endif
2848		if ((rc = fprintf(fd, "%08lx (%s)\n",
2849		    (unsigned long)OpenSSL_version_num(),
2850		    OpenSSL_version(OPENSSL_VERSION))) < 0)
2851			exit(1);
2852
2853		exit(0);
2854		]])],
2855		[
2856			ssl_library_ver=`cat conftest.ssllibver`
2857			# Check version is supported.
2858			case "$ssl_library_ver" in
2859			10000*|0*)
2860				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2861		                ;;
2862			100*)   ;; # 1.0.x
2863			101000[[0123456]]*)
2864				# https://github.com/openssl/openssl/pull/4613
2865				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
2866				;;
2867			101*)   ;; # 1.1.x
2868			200*)   ;; # LibreSSL
2869			300*)
2870				# OpenSSL 3; we use the 1.1x API
2871				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2872				;;
2873			301*)
2874				# OpenSSL development branch; request 1.1x API
2875				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2876				;;
2877		        *)
2878				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
2879		                ;;
2880			esac
2881			AC_MSG_RESULT([$ssl_library_ver])
2882		],
2883		[
2884			AC_MSG_RESULT([not found])
2885			AC_MSG_ERROR([OpenSSL library not found.])
2886		],
2887		[
2888			AC_MSG_WARN([cross compiling: not checking])
2889		]
2890	)
2891
2892	case "$host" in
2893	x86_64-*)
2894		case "$ssl_library_ver" in
2895		3000004*)
2896			AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
2897			;;
2898		esac
2899	esac
2900
2901	# Sanity check OpenSSL headers
2902	AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2903	AC_RUN_IFELSE(
2904		[AC_LANG_PROGRAM([[
2905	#include <stdlib.h>
2906	#include <string.h>
2907	#include <openssl/opensslv.h>
2908	#include <openssl/crypto.h>
2909		]], [[
2910#ifndef HAVE_OPENSSL_VERSION_NUM
2911# define OpenSSL_version_num	SSLeay
2912#endif
2913		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2914		]])],
2915		[
2916			AC_MSG_RESULT([yes])
2917		],
2918		[
2919			AC_MSG_RESULT([no])
2920			if test "x$openssl_check_nonfatal" = "x"; then
2921				AC_MSG_ERROR([Your OpenSSL headers do not match your
2922	library. Check config.log for details.
2923	If you are sure your installation is consistent, you can disable the check
2924	by running "./configure --without-openssl-header-check".
2925	Also see contrib/findssl.sh for help identifying header/library mismatches.
2926	])
2927			else
2928				AC_MSG_WARN([Your OpenSSL headers do not match your
2929	library. Check config.log for details.
2930	Also see contrib/findssl.sh for help identifying header/library mismatches.])
2931			fi
2932		],
2933		[
2934			AC_MSG_WARN([cross compiling: not checking])
2935		]
2936	)
2937
2938	AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2939	AC_LINK_IFELSE(
2940		[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2941		[[ ERR_load_crypto_strings(); ]])],
2942		[
2943			AC_MSG_RESULT([yes])
2944		],
2945		[
2946			AC_MSG_RESULT([no])
2947			LIBS="$LIBS -ldl"
2948			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2949			AC_LINK_IFELSE(
2950				[AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
2951				[[ ERR_load_crypto_strings(); ]])],
2952				[
2953					AC_MSG_RESULT([yes])
2954					CHANNELLIBS="$CHANNELLIBS -ldl"
2955				],
2956				[
2957					AC_MSG_RESULT([no])
2958				]
2959			)
2960		]
2961	)
2962
2963	AC_CHECK_FUNCS([ \
2964		BN_is_prime_ex \
2965		DES_crypt \
2966		DSA_generate_parameters_ex \
2967		EVP_DigestFinal_ex \
2968		EVP_DigestInit_ex \
2969		EVP_MD_CTX_cleanup \
2970		EVP_MD_CTX_copy_ex \
2971		EVP_MD_CTX_init \
2972		HMAC_CTX_init \
2973		RSA_generate_key_ex \
2974		RSA_get_default_method \
2975	])
2976
2977	# OpenSSL_add_all_algorithms may be a macro.
2978	AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
2979	    AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
2980	    AC_CHECK_DECL(OpenSSL_add_all_algorithms,
2981		AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
2982		[[#include <openssl/evp.h>]]
2983	    )
2984	)
2985
2986	# LibreSSL/OpenSSL 1.1x API
2987	AC_CHECK_FUNCS([ \
2988		OPENSSL_init_crypto \
2989		DH_get0_key \
2990		DH_get0_pqg \
2991		DH_set0_key \
2992		DH_set_length \
2993		DH_set0_pqg \
2994		DSA_get0_key \
2995		DSA_get0_pqg \
2996		DSA_set0_key \
2997		DSA_set0_pqg \
2998		DSA_SIG_get0 \
2999		DSA_SIG_set0 \
3000		ECDSA_SIG_get0 \
3001		ECDSA_SIG_set0 \
3002		EVP_CIPHER_CTX_iv \
3003		EVP_CIPHER_CTX_iv_noconst \
3004		EVP_CIPHER_CTX_get_iv \
3005		EVP_CIPHER_CTX_get_updated_iv \
3006		EVP_CIPHER_CTX_set_iv \
3007		RSA_get0_crt_params \
3008		RSA_get0_factors \
3009		RSA_get0_key \
3010		RSA_set0_crt_params \
3011		RSA_set0_factors \
3012		RSA_set0_key \
3013		RSA_meth_free \
3014		RSA_meth_dup \
3015		RSA_meth_set1_name \
3016		RSA_meth_get_finish \
3017		RSA_meth_set_priv_enc \
3018		RSA_meth_set_priv_dec \
3019		RSA_meth_set_finish \
3020		EVP_PKEY_get0_RSA \
3021		EVP_MD_CTX_new \
3022		EVP_MD_CTX_free \
3023		EVP_chacha20 \
3024	])
3025
3026	if test "x$openssl_engine" = "xyes" ; then
3027		AC_MSG_CHECKING([for OpenSSL ENGINE support])
3028		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3029	#include <openssl/engine.h>
3030			]], [[
3031				ENGINE_load_builtin_engines();
3032				ENGINE_register_all_complete();
3033			]])],
3034			[ AC_MSG_RESULT([yes])
3035			  AC_DEFINE([USE_OPENSSL_ENGINE], [1],
3036			     [Enable OpenSSL engine support])
3037			], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
3038		])
3039	fi
3040
3041	# Check for OpenSSL without EVP_aes_{192,256}_cbc
3042	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
3043	AC_LINK_IFELSE(
3044		[AC_LANG_PROGRAM([[
3045	#include <stdlib.h>
3046	#include <string.h>
3047	#include <openssl/evp.h>
3048		]], [[
3049		exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
3050		]])],
3051		[
3052			AC_MSG_RESULT([no])
3053		],
3054		[
3055			AC_MSG_RESULT([yes])
3056			AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
3057			    [libcrypto is missing AES 192 and 256 bit functions])
3058		]
3059	)
3060
3061	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
3062	AC_LINK_IFELSE(
3063		[AC_LANG_PROGRAM([[
3064	#include <stdlib.h>
3065	#include <string.h>
3066	#include <openssl/evp.h>
3067		]], [[
3068		if(EVP_DigestUpdate(NULL, NULL,0))
3069			exit(0);
3070		]])],
3071		[
3072			AC_MSG_RESULT([yes])
3073		],
3074		[
3075			AC_MSG_RESULT([no])
3076			AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
3077			    [Define if EVP_DigestUpdate returns void])
3078		]
3079	)
3080
3081	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
3082	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
3083
3084	# Check complete ECC support in OpenSSL
3085	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3086	AC_LINK_IFELSE(
3087		[AC_LANG_PROGRAM([[
3088	#include <openssl/ec.h>
3089	#include <openssl/ecdh.h>
3090	#include <openssl/ecdsa.h>
3091	#include <openssl/evp.h>
3092	#include <openssl/objects.h>
3093	#include <openssl/opensslv.h>
3094		]], [[
3095		EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3096		const EVP_MD *m = EVP_sha256(); /* We need this too */
3097		]])],
3098		[ AC_MSG_RESULT([yes])
3099		  enable_nistp256=1 ],
3100		[ AC_MSG_RESULT([no]) ]
3101	)
3102
3103	AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3104	AC_LINK_IFELSE(
3105		[AC_LANG_PROGRAM([[
3106	#include <openssl/ec.h>
3107	#include <openssl/ecdh.h>
3108	#include <openssl/ecdsa.h>
3109	#include <openssl/evp.h>
3110	#include <openssl/objects.h>
3111	#include <openssl/opensslv.h>
3112		]], [[
3113		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3114		const EVP_MD *m = EVP_sha384(); /* We need this too */
3115		]])],
3116		[ AC_MSG_RESULT([yes])
3117		  enable_nistp384=1 ],
3118		[ AC_MSG_RESULT([no]) ]
3119	)
3120
3121	AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3122	AC_LINK_IFELSE(
3123		[AC_LANG_PROGRAM([[
3124	#include <openssl/ec.h>
3125	#include <openssl/ecdh.h>
3126	#include <openssl/ecdsa.h>
3127	#include <openssl/evp.h>
3128	#include <openssl/objects.h>
3129	#include <openssl/opensslv.h>
3130		]], [[
3131		EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3132		const EVP_MD *m = EVP_sha512(); /* We need this too */
3133		]])],
3134		[ AC_MSG_RESULT([yes])
3135		  AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3136		  AC_RUN_IFELSE(
3137			[AC_LANG_PROGRAM([[
3138	#include <stdlib.h>
3139	#include <openssl/ec.h>
3140	#include <openssl/ecdh.h>
3141	#include <openssl/ecdsa.h>
3142	#include <openssl/evp.h>
3143	#include <openssl/objects.h>
3144	#include <openssl/opensslv.h>
3145			]],[[
3146			EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3147			const EVP_MD *m = EVP_sha512(); /* We need this too */
3148			exit(e == NULL || m == NULL);
3149			]])],
3150			[ AC_MSG_RESULT([yes])
3151			  enable_nistp521=1 ],
3152			[ AC_MSG_RESULT([no]) ],
3153			[ AC_MSG_WARN([cross-compiling: assuming yes])
3154			  enable_nistp521=1 ]
3155		  )],
3156		AC_MSG_RESULT([no])
3157	)
3158
3159	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3160	    test x$enable_nistp521 = x1; then
3161		AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3162		AC_CHECK_FUNCS([EC_KEY_METHOD_new])
3163		openssl_ecc=yes
3164	else
3165		openssl_ecc=no
3166	fi
3167	if test x$enable_nistp256 = x1; then
3168		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3169		    [libcrypto has NID_X9_62_prime256v1])
3170	else
3171		unsupported_algorithms="$unsupported_algorithms \
3172			ecdsa-sha2-nistp256 \
3173			ecdh-sha2-nistp256 \
3174			ecdsa-sha2-nistp256-cert-v01@openssh.com"
3175	fi
3176	if test x$enable_nistp384 = x1; then
3177		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3178	else
3179		unsupported_algorithms="$unsupported_algorithms \
3180			ecdsa-sha2-nistp384 \
3181			ecdh-sha2-nistp384 \
3182			ecdsa-sha2-nistp384-cert-v01@openssh.com"
3183	fi
3184	if test x$enable_nistp521 = x1; then
3185		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3186	else
3187		unsupported_algorithms="$unsupported_algorithms \
3188			ecdh-sha2-nistp521 \
3189			ecdsa-sha2-nistp521 \
3190			ecdsa-sha2-nistp521-cert-v01@openssh.com"
3191	fi
3192fi
3193
3194# PKCS11/U2F depend on OpenSSL and dlopen().
3195enable_pkcs11=yes
3196enable_sk=yes
3197if test "x$openssl" != "xyes" ; then
3198	enable_pkcs11="disabled; missing libcrypto"
3199fi
3200if test "x$ac_cv_func_dlopen" != "xyes" ; then
3201	enable_pkcs11="disabled; missing dlopen(3)"
3202	enable_sk="disabled; missing dlopen(3)"
3203fi
3204if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
3205	enable_pkcs11="disabled; missing RTLD_NOW"
3206	enable_sk="disabled; missing RTLD_NOW"
3207fi
3208if test ! -z "$disable_pkcs11" ; then
3209	enable_pkcs11="disabled by user"
3210fi
3211if test ! -z "$disable_sk" ; then
3212	enable_sk="disabled by user"
3213fi
3214
3215AC_MSG_CHECKING([whether to enable PKCS11])
3216if test "x$enable_pkcs11" = "xyes" ; then
3217	AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
3218fi
3219AC_MSG_RESULT([$enable_pkcs11])
3220
3221AC_MSG_CHECKING([whether to enable U2F])
3222if test "x$enable_sk" = "xyes" ; then
3223	AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
3224	AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3225else
3226	# Do not try to build sk-dummy library.
3227	AC_SUBST(SK_DUMMY_LIBRARY, [""])
3228fi
3229AC_MSG_RESULT([$enable_sk])
3230
3231# Now check for built-in security key support.
3232if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
3233	use_pkgconfig_for_libfido2=
3234	if test "x$PKGCONFIG" != "xno"; then
3235		AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
3236		if "$PKGCONFIG" libfido2; then
3237			AC_MSG_RESULT([yes])
3238			use_pkgconfig_for_libfido2=yes
3239		else
3240			AC_MSG_RESULT([no])
3241		fi
3242	fi
3243	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
3244		LIBFIDO2=`$PKGCONFIG --libs libfido2`
3245		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3246	else
3247		LIBFIDO2="-lprivatefido2 -lprivatecbor"
3248	fi
3249	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3250	fido2_error=
3251	AC_CHECK_LIB([privatefido2], [fido_init],
3252		[ ],
3253		[ fido2_error="missing/unusable libfido2" ],
3254		[ $OTHERLIBS ]
3255	)
3256	AC_CHECK_HEADER([fido.h], [],
3257		[ fido2_error="missing fido.h from libfido2" ])
3258	AC_CHECK_HEADER([fido/credman.h], [],
3259		[ fido2_error="missing fido/credman.h from libfido2" ],
3260		[ #include <fido.h> ]
3261	)
3262	AC_MSG_CHECKING([for usable libfido2 installation])
3263	if test ! -z "$fido2_error" ; then
3264		AC_MSG_RESULT([$fido2_error])
3265		if test "x$enable_sk_internal" = "xyes" ; then
3266			AC_MSG_ERROR([No usable libfido2 library/headers found])
3267		fi
3268		LIBFIDO2=""
3269	else
3270		AC_MSG_RESULT([yes])
3271		AC_SUBST([LIBFIDO2])
3272		AC_DEFINE([ENABLE_SK_INTERNAL], [],
3273		    [Enable for built-in U2F/FIDO support])
3274		enable_sk="built-in"
3275		saved_LIBS="$LIBS"
3276		LIBS="$LIBS $LIBFIDO2"
3277		AC_CHECK_FUNCS([ \
3278			fido_assert_set_clientdata \
3279			fido_cred_prot \
3280			fido_cred_set_prot \
3281			fido_cred_set_clientdata \
3282			fido_dev_get_touch_begin \
3283			fido_dev_get_touch_status \
3284			fido_dev_supports_cred_prot \
3285			fido_dev_is_winhello \
3286		])
3287		LIBS="$saved_LIBS"
3288	fi
3289fi
3290
3291AC_CHECK_FUNCS([ \
3292	arc4random \
3293	arc4random_buf \
3294	arc4random_stir \
3295	arc4random_uniform \
3296])
3297### Configure cryptographic random number support
3298
3299# Check whether OpenSSL seeds itself
3300if test "x$openssl" = "xyes" ; then
3301	AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3302	AC_RUN_IFELSE(
3303		[AC_LANG_PROGRAM([[
3304	#include <stdlib.h>
3305	#include <string.h>
3306	#include <openssl/rand.h>
3307		]], [[
3308		exit(RAND_status() == 1 ? 0 : 1);
3309		]])],
3310		[
3311			OPENSSL_SEEDS_ITSELF=yes
3312			AC_MSG_RESULT([yes])
3313		],
3314		[
3315			AC_MSG_RESULT([no])
3316		],
3317		[
3318			AC_MSG_WARN([cross compiling: assuming yes])
3319			# This is safe, since we will fatal() at runtime if
3320			# OpenSSL is not seeded correctly.
3321			OPENSSL_SEEDS_ITSELF=yes
3322		]
3323	)
3324fi
3325
3326# PRNGD TCP socket
3327AC_ARG_WITH([prngd-port],
3328	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
3329	[
3330		case "$withval" in
3331		no)
3332			withval=""
3333			;;
3334		[[0-9]]*)
3335			;;
3336		*)
3337			AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3338			;;
3339		esac
3340		if test ! -z "$withval" ; then
3341			PRNGD_PORT="$withval"
3342			AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3343				[Port number of PRNGD/EGD random number socket])
3344		fi
3345	]
3346)
3347
3348# PRNGD Unix domain socket
3349AC_ARG_WITH([prngd-socket],
3350	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3351	[
3352		case "$withval" in
3353		yes)
3354			withval="/var/run/egd-pool"
3355			;;
3356		no)
3357			withval=""
3358			;;
3359		/*)
3360			;;
3361		*)
3362			AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3363			;;
3364		esac
3365
3366		if test ! -z "$withval" ; then
3367			if test ! -z "$PRNGD_PORT" ; then
3368				AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3369			fi
3370			if test ! -r "$withval" ; then
3371				AC_MSG_WARN([Entropy socket is not readable])
3372			fi
3373			PRNGD_SOCKET="$withval"
3374			AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3375				[Location of PRNGD/EGD random number socket])
3376		fi
3377	],
3378	[
3379		# Check for existing socket only if we don't have a random device already
3380		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3381			AC_MSG_CHECKING([for PRNGD/EGD socket])
3382			# Insert other locations here
3383			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3384				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3385					PRNGD_SOCKET="$sock"
3386					AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3387					break;
3388				fi
3389			done
3390			if test ! -z "$PRNGD_SOCKET" ; then
3391				AC_MSG_RESULT([$PRNGD_SOCKET])
3392			else
3393				AC_MSG_RESULT([not found])
3394			fi
3395		fi
3396	]
3397)
3398
3399# Which randomness source do we use?
3400if test ! -z "$PRNGD_PORT" ; then
3401	RAND_MSG="PRNGd port $PRNGD_PORT"
3402elif test ! -z "$PRNGD_SOCKET" ; then
3403	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3404elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3405	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3406		[Define if you want the OpenSSL internally seeded PRNG only])
3407	RAND_MSG="OpenSSL internal ONLY"
3408elif test "x$openssl" = "xno" ; then
3409	AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3410else
3411	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3412fi
3413LIBS="$nocrypto_saved_LIBS"
3414
3415saved_LIBS="$LIBS"
3416AC_CHECK_LIB([iaf], [ia_openinfo], [
3417	LIBS="$LIBS -liaf"
3418	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3419				AC_DEFINE([HAVE_LIBIAF], [1],
3420			[Define if system has libiaf that supports set_id])
3421				])
3422])
3423LIBS="$saved_LIBS"
3424
3425# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
3426saved_LIBS="$LIBS"
3427AC_CHECK_LIB([crypt], [crypt], [
3428	LIBS="-lcrypt $LIBS"
3429	SSHDLIBS="-lcrypt $SSHDLIBS"
3430])
3431AC_CHECK_FUNCS([crypt])
3432LIBS="$saved_LIBS"
3433
3434# Check for PAM libs
3435PAM_MSG="no"
3436AC_ARG_WITH([pam],
3437	[  --with-pam              Enable PAM support ],
3438	[
3439		if test "x$withval" != "xno" ; then
3440			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3441			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3442				AC_MSG_ERROR([PAM headers not found])
3443			fi
3444
3445			saved_LIBS="$LIBS"
3446			AC_CHECK_LIB([dl], [dlopen], , )
3447			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3448			AC_CHECK_FUNCS([pam_getenvlist])
3449			AC_CHECK_FUNCS([pam_putenv])
3450			LIBS="$saved_LIBS"
3451
3452			PAM_MSG="yes"
3453
3454			SSHDLIBS="$SSHDLIBS -lpam"
3455			AC_DEFINE([USE_PAM], [1],
3456				[Define if you want to enable PAM support])
3457
3458			if test $ac_cv_lib_dl_dlopen = yes; then
3459				case "$LIBS" in
3460				*-ldl*)
3461					# libdl already in LIBS
3462					;;
3463				*)
3464					SSHDLIBS="$SSHDLIBS -ldl"
3465					;;
3466				esac
3467			fi
3468		fi
3469	]
3470)
3471
3472AC_ARG_WITH([pam-service],
3473	[  --with-pam-service=name Specify PAM service name ],
3474	[
3475		if test "x$withval" != "xno" && \
3476		   test "x$withval" != "xyes" ; then
3477			AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3478				["$withval"], [sshd PAM service name])
3479		fi
3480	]
3481)
3482
3483# Check for older PAM
3484if test "x$PAM_MSG" = "xyes" ; then
3485	# Check PAM strerror arguments (old PAM)
3486	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3487	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3488#include <stdlib.h>
3489#if defined(HAVE_SECURITY_PAM_APPL_H)
3490#include <security/pam_appl.h>
3491#elif defined (HAVE_PAM_PAM_APPL_H)
3492#include <pam/pam_appl.h>
3493#endif
3494		]], [[
3495(void)pam_strerror((pam_handle_t *)NULL, -1);
3496		]])], [AC_MSG_RESULT([no])], [
3497			AC_DEFINE([HAVE_OLD_PAM], [1],
3498				[Define if you have an old version of PAM
3499				which takes only one argument to pam_strerror])
3500			AC_MSG_RESULT([yes])
3501			PAM_MSG="yes (old library)"
3502
3503	])
3504fi
3505
3506case "$host" in
3507*-*-cygwin*)
3508	SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3509	;;
3510*)
3511	SSH_PRIVSEP_USER=sshd
3512	;;
3513esac
3514AC_ARG_WITH([privsep-user],
3515	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
3516	[
3517		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
3518		    test "x${withval}" != "xyes"; then
3519			SSH_PRIVSEP_USER=$withval
3520		fi
3521	]
3522)
3523if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3524	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3525		[Cygwin function to fetch non-privileged user for privilege separation])
3526else
3527	AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3528		[non-privileged user for privilege separation])
3529fi
3530AC_SUBST([SSH_PRIVSEP_USER])
3531
3532if test "x$have_linux_no_new_privs" = "x1" ; then
3533AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3534	#include <sys/types.h>
3535	#include <linux/seccomp.h>
3536])
3537fi
3538if test "x$have_seccomp_filter" = "x1" ; then
3539AC_MSG_CHECKING([kernel for seccomp_filter support])
3540AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3541		#include <errno.h>
3542		#include <elf.h>
3543		#include <linux/audit.h>
3544		#include <linux/seccomp.h>
3545		#include <stdlib.h>
3546		#include <sys/prctl.h>
3547	]],
3548	[[ int i = $seccomp_audit_arch;
3549	   errno = 0;
3550	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3551	   exit(errno == EFAULT ? 0 : 1); ]])],
3552	[ AC_MSG_RESULT([yes]) ], [
3553		AC_MSG_RESULT([no])
3554		# Disable seccomp filter as a target
3555		have_seccomp_filter=0
3556	]
3557)
3558fi
3559
3560AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
3561#include <sys/types.h>
3562#ifdef HAVE_POLL_H
3563#include <poll.h>
3564#endif
3565#ifdef HAVE_SYS_POLL_H
3566#include <sys/poll.h>
3567#endif
3568]])
3569
3570AC_CHECK_TYPES([nfds_t], , , [
3571#include <sys/types.h>
3572#ifdef HAVE_POLL_H
3573#include <poll.h>
3574#endif
3575#ifdef HAVE_SYS_POLL_H
3576#include <sys/poll.h>
3577#endif
3578])
3579
3580# Decide which sandbox style to use
3581sandbox_arg=""
3582AC_ARG_WITH([sandbox],
3583	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3584	[
3585		if test "x$withval" = "xyes" ; then
3586			sandbox_arg=""
3587		else
3588			sandbox_arg="$withval"
3589		fi
3590	]
3591)
3592
3593if test "x$sandbox_arg" != "xno"; then
3594# POSIX specifies that poll() "shall fail with EINVAL if the nfds argument
3595# is greater than OPEN_MAX".  On some platforms that includes implementions
3596# of select in userspace on top of poll() so check both work with rlimit
3597# NOFILES so check that both work before enabling the rlimit sandbox.
3598    AC_MSG_CHECKING([if select and/or poll works with descriptor rlimit])
3599    AC_RUN_IFELSE(
3600	[AC_LANG_PROGRAM([[
3601#include <sys/types.h>
3602#ifdef HAVE_SYS_TIME_H
3603# include <sys/time.h>
3604#endif
3605#include <sys/resource.h>
3606#ifdef HAVE_SYS_SELECT_H
3607# include <sys/select.h>
3608#endif
3609#ifdef HAVE_POLL_H
3610# include <poll.h>
3611#elif HAVE_SYS_POLL_H
3612# include <sys/poll.h>
3613#endif
3614#include <errno.h>
3615#include <fcntl.h>
3616#include <stdlib.h>
3617	]],[[
3618	struct rlimit rl_zero;
3619	int fd, r;
3620	fd_set fds;
3621	struct timeval tv;
3622#ifdef HAVE_POLL
3623	struct pollfd pfd;
3624#endif
3625
3626	fd = open("/dev/null", O_RDONLY);
3627	FD_ZERO(&fds);
3628	FD_SET(fd, &fds);
3629	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3630	setrlimit(RLIMIT_FSIZE, &rl_zero);
3631	setrlimit(RLIMIT_NOFILE, &rl_zero);
3632	tv.tv_sec = 1;
3633	tv.tv_usec = 0;
3634	r = select(fd+1, &fds, NULL, NULL, &tv);
3635	if (r == -1)
3636		exit(1);
3637#ifdef HAVE_POLL
3638	pfd.fd = fd;
3639	pfd.events = POLLIN;
3640	r = poll(&pfd, 1, 1);
3641	if (r == -1)
3642		exit(2);
3643#endif
3644	exit(0);
3645	]])],
3646	[AC_MSG_RESULT([yes])
3647	 select_works_with_rlimit=yes],
3648	[AC_MSG_RESULT([no])
3649	 select_works_with_rlimit=no],
3650	[AC_MSG_WARN([cross compiling: assuming no])
3651	 select_works_with_rlimit=no]
3652    )
3653
3654    AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3655    AC_RUN_IFELSE(
3656	[AC_LANG_PROGRAM([[
3657#include <sys/types.h>
3658#ifdef HAVE_SYS_TIME_H
3659# include <sys/time.h>
3660#endif
3661#include <sys/resource.h>
3662#include <errno.h>
3663#include <stdlib.h>
3664	]],[[
3665	struct rlimit rl_zero;
3666	int r;
3667
3668	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3669	r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3670	exit (r == -1 ? 1 : 0);
3671	]])],
3672	[AC_MSG_RESULT([yes])
3673	 rlimit_nofile_zero_works=yes],
3674	[AC_MSG_RESULT([no])
3675	 rlimit_nofile_zero_works=no],
3676	[AC_MSG_WARN([cross compiling: assuming yes])
3677	 rlimit_nofile_zero_works=yes]
3678    )
3679
3680    AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3681    AC_RUN_IFELSE(
3682	[AC_LANG_PROGRAM([[
3683#include <sys/types.h>
3684#include <sys/resource.h>
3685#include <stdlib.h>
3686	]],[[
3687		struct rlimit rl_zero;
3688
3689		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3690		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3691	]])],
3692	[AC_MSG_RESULT([yes])],
3693	[AC_MSG_RESULT([no])
3694	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3695	    [setrlimit RLIMIT_FSIZE works])],
3696	[AC_MSG_WARN([cross compiling: assuming yes])]
3697    )
3698fi
3699
3700if test "x$sandbox_arg" = "xpledge" || \
3701   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3702	test "x$ac_cv_func_pledge" != "xyes" && \
3703		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3704	SANDBOX_STYLE="pledge"
3705	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3706elif test "x$sandbox_arg" = "xsystrace" || \
3707   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3708	test "x$have_systr_policy_kill" != "x1" && \
3709		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3710	SANDBOX_STYLE="systrace"
3711	AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3712elif test "x$sandbox_arg" = "xdarwin" || \
3713     ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3714       test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3715	test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3716	     "x$ac_cv_header_sandbox_h" != "xyes" && \
3717		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3718	SANDBOX_STYLE="darwin"
3719	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3720elif test "x$sandbox_arg" = "xseccomp_filter" || \
3721     ( test -z "$sandbox_arg" && \
3722       test "x$have_seccomp_filter" = "x1" && \
3723       test "x$ac_cv_header_elf_h" = "xyes" && \
3724       test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3725       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3726       test "x$seccomp_audit_arch" != "x" && \
3727       test "x$have_linux_no_new_privs" = "x1" && \
3728       test "x$ac_cv_func_prctl" = "xyes" ) ; then
3729	test "x$seccomp_audit_arch" = "x" && \
3730		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3731	test "x$have_linux_no_new_privs" != "x1" && \
3732		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3733	test "x$have_seccomp_filter" != "x1" && \
3734		AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3735	test "x$ac_cv_func_prctl" != "xyes" && \
3736		AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3737	SANDBOX_STYLE="seccomp_filter"
3738	AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3739elif test "x$sandbox_arg" = "xcapsicum" || \
3740     ( test -z "$sandbox_arg" && \
3741       test "x$disable_capsicum" != "xyes" && \
3742       test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3743       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3744       test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3745		AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3746       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3747		AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3748       SANDBOX_STYLE="capsicum"
3749       AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3750elif test "x$sandbox_arg" = "xrlimit" || \
3751     ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3752       test "x$select_works_with_rlimit" = "xyes" && \
3753       test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3754	test "x$ac_cv_func_setrlimit" != "xyes" && \
3755		AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3756	test "x$select_works_with_rlimit" != "xyes" && \
3757		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3758	SANDBOX_STYLE="rlimit"
3759	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3760elif test "x$sandbox_arg" = "xsolaris" || \
3761   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3762	SANDBOX_STYLE="solaris"
3763	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3764elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3765     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3766	SANDBOX_STYLE="none"
3767	AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3768else
3769	AC_MSG_ERROR([unsupported --with-sandbox])
3770fi
3771
3772# Cheap hack to ensure NEWS-OS libraries are arranged right.
3773if test ! -z "$SONY" ; then
3774  LIBS="$LIBS -liberty";
3775fi
3776
3777# Check for long long datatypes
3778AC_CHECK_TYPES([long long, unsigned long long, long double])
3779
3780# Check datatype sizes
3781AC_CHECK_SIZEOF([short int])
3782AC_CHECK_SIZEOF([int])
3783AC_CHECK_SIZEOF([long int])
3784AC_CHECK_SIZEOF([long long int])
3785AC_CHECK_SIZEOF([time_t], [], [[
3786    #include <sys/types.h>
3787    #ifdef HAVE_SYS_TIME_H
3788    # include <sys/time.h>
3789    #endif
3790    #ifdef HAVE_TIME_H
3791    # include <time.h>
3792    #endif
3793	]]
3794)
3795
3796# Sanity check long long for some platforms (AIX)
3797if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3798	ac_cv_sizeof_long_long_int=0
3799fi
3800
3801# compute LLONG_MIN and LLONG_MAX if we don't know them.
3802if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3803	AC_MSG_CHECKING([for max value of long long])
3804	AC_RUN_IFELSE(
3805		[AC_LANG_PROGRAM([[
3806#include <stdio.h>
3807#include <stdlib.h>
3808/* Why is this so damn hard? */
3809#ifdef __GNUC__
3810# undef __GNUC__
3811#endif
3812#define __USE_ISOC99
3813#include <limits.h>
3814#define DATA "conftest.llminmax"
3815#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3816
3817/*
3818 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3819 * we do this the hard way.
3820 */
3821static int
3822fprint_ll(FILE *f, long long n)
3823{
3824	unsigned int i;
3825	int l[sizeof(long long) * 8];
3826
3827	if (n < 0)
3828		if (fprintf(f, "-") < 0)
3829			return -1;
3830	for (i = 0; n != 0; i++) {
3831		l[i] = my_abs(n % 10);
3832		n /= 10;
3833	}
3834	do {
3835		if (fprintf(f, "%d", l[--i]) < 0)
3836			return -1;
3837	} while (i != 0);
3838	if (fprintf(f, " ") < 0)
3839		return -1;
3840	return 0;
3841}
3842		]], [[
3843	FILE *f;
3844	long long i, llmin, llmax = 0;
3845
3846	if((f = fopen(DATA,"w")) == NULL)
3847		exit(1);
3848
3849#if defined(LLONG_MIN) && defined(LLONG_MAX)
3850	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3851	llmin = LLONG_MIN;
3852	llmax = LLONG_MAX;
3853#else
3854	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
3855	/* This will work on one's complement and two's complement */
3856	for (i = 1; i > llmax; i <<= 1, i++)
3857		llmax = i;
3858	llmin = llmax + 1LL;	/* wrap */
3859#endif
3860
3861	/* Sanity check */
3862	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3863	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
3864	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3865		fprintf(f, "unknown unknown\n");
3866		exit(2);
3867	}
3868
3869	if (fprint_ll(f, llmin) < 0)
3870		exit(3);
3871	if (fprint_ll(f, llmax) < 0)
3872		exit(4);
3873	if (fclose(f) < 0)
3874		exit(5);
3875	exit(0);
3876		]])],
3877		[
3878			llong_min=`$AWK '{print $1}' conftest.llminmax`
3879			llong_max=`$AWK '{print $2}' conftest.llminmax`
3880
3881			AC_MSG_RESULT([$llong_max])
3882			AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3883			    [max value of long long calculated by configure])
3884			AC_MSG_CHECKING([for min value of long long])
3885			AC_MSG_RESULT([$llong_min])
3886			AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3887			    [min value of long long calculated by configure])
3888		],
3889		[
3890			AC_MSG_RESULT([not found])
3891		],
3892		[
3893			AC_MSG_WARN([cross compiling: not checking])
3894		]
3895	)
3896fi
3897
3898AC_CHECK_DECLS([UINT32_MAX], , , [[
3899#ifdef HAVE_SYS_LIMITS_H
3900# include <sys/limits.h>
3901#endif
3902#ifdef HAVE_LIMITS_H
3903# include <limits.h>
3904#endif
3905#ifdef HAVE_STDINT_H
3906# include <stdint.h>
3907#endif
3908]])
3909
3910# More checks for data types
3911AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3912	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3913	[[ u_int a; a = 1;]])],
3914	[ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3915	])
3916])
3917if test "x$ac_cv_have_u_int" = "xyes" ; then
3918	AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3919	have_u_int=1
3920fi
3921
3922AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3923	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3924	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3925	[ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3926	])
3927])
3928if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3929	AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3930	have_intxx_t=1
3931fi
3932
3933if (test -z "$have_intxx_t" && \
3934	   test "x$ac_cv_header_stdint_h" = "xyes")
3935then
3936    AC_MSG_CHECKING([for intXX_t types in stdint.h])
3937	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3938	[[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3939		[
3940			AC_DEFINE([HAVE_INTXX_T])
3941			AC_MSG_RESULT([yes])
3942		], [ AC_MSG_RESULT([no])
3943	])
3944fi
3945
3946AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3947	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3948#include <sys/types.h>
3949#ifdef HAVE_STDINT_H
3950# include <stdint.h>
3951#endif
3952#include <sys/socket.h>
3953#ifdef HAVE_SYS_BITYPES_H
3954# include <sys/bitypes.h>
3955#endif
3956		]], [[
3957int64_t a; a = 1;
3958		]])],
3959	[ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3960	])
3961])
3962if test "x$ac_cv_have_int64_t" = "xyes" ; then
3963	AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3964fi
3965
3966AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3967	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3968	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3969	[ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3970	])
3971])
3972if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3973	AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3974	have_u_intxx_t=1
3975fi
3976
3977if test -z "$have_u_intxx_t" ; then
3978    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3979	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3980	[[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3981		[
3982			AC_DEFINE([HAVE_U_INTXX_T])
3983			AC_MSG_RESULT([yes])
3984		], [ AC_MSG_RESULT([no])
3985	])
3986fi
3987
3988AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3989	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3990	[[ u_int64_t a; a = 1;]])],
3991	[ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3992	])
3993])
3994if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3995	AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3996	have_u_int64_t=1
3997fi
3998
3999if (test -z "$have_u_int64_t" && \
4000	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
4001then
4002    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
4003	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
4004	[[ u_int64_t a; a = 1]])],
4005		[
4006			AC_DEFINE([HAVE_U_INT64_T])
4007			AC_MSG_RESULT([yes])
4008		], [ AC_MSG_RESULT([no])
4009	])
4010fi
4011
4012if test -z "$have_u_intxx_t" ; then
4013	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
4014		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4015#include <sys/types.h>
4016			]], [[
4017	uint8_t a;
4018	uint16_t b;
4019	uint32_t c;
4020	a = b = c = 1;
4021			]])],
4022		[ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
4023		])
4024	])
4025	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
4026		AC_DEFINE([HAVE_UINTXX_T], [1],
4027			[define if you have uintxx_t data type])
4028	fi
4029fi
4030
4031if (test -z "$have_uintxx_t" && \
4032	   test "x$ac_cv_header_stdint_h" = "xyes")
4033then
4034    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
4035	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
4036	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
4037		[
4038			AC_DEFINE([HAVE_UINTXX_T])
4039			AC_MSG_RESULT([yes])
4040		], [ AC_MSG_RESULT([no])
4041	])
4042fi
4043
4044if (test -z "$have_uintxx_t" && \
4045	   test "x$ac_cv_header_inttypes_h" = "xyes")
4046then
4047    AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
4048	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
4049	[[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
4050		[
4051			AC_DEFINE([HAVE_UINTXX_T])
4052			AC_MSG_RESULT([yes])
4053		], [ AC_MSG_RESULT([no])
4054	])
4055fi
4056
4057if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
4058	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
4059then
4060	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
4061	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4062#include <sys/bitypes.h>
4063		]], [[
4064			int8_t a; int16_t b; int32_t c;
4065			u_int8_t e; u_int16_t f; u_int32_t g;
4066			a = b = c = e = f = g = 1;
4067		]])],
4068		[
4069			AC_DEFINE([HAVE_U_INTXX_T])
4070			AC_DEFINE([HAVE_INTXX_T])
4071			AC_MSG_RESULT([yes])
4072		], [AC_MSG_RESULT([no])
4073	])
4074fi
4075
4076
4077AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
4078	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4079	[[ u_char foo; foo = 125; ]])],
4080	[ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
4081	])
4082])
4083if test "x$ac_cv_have_u_char" = "xyes" ; then
4084	AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
4085fi
4086
4087AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
4088#include <sys/types.h>
4089#ifdef HAVE_STDINT_H
4090# include <stdint.h>
4091#endif
4092])
4093
4094TYPE_SOCKLEN_T
4095
4096AC_CHECK_TYPES([sig_atomic_t, sighandler_t], , , [#include <signal.h>])
4097AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
4098#include <sys/types.h>
4099#ifdef HAVE_SYS_BITYPES_H
4100#include <sys/bitypes.h>
4101#endif
4102#ifdef HAVE_SYS_STATFS_H
4103#include <sys/statfs.h>
4104#endif
4105#ifdef HAVE_SYS_STATVFS_H
4106#include <sys/statvfs.h>
4107#endif
4108])
4109
4110AC_CHECK_MEMBERS([struct statfs.f_files, struct statfs.f_flags], [], [], [[
4111#include <sys/param.h>
4112#include <sys/types.h>
4113#ifdef HAVE_SYS_BITYPES_H
4114#include <sys/bitypes.h>
4115#endif
4116#ifdef HAVE_SYS_STATFS_H
4117#include <sys/statfs.h>
4118#endif
4119#ifdef HAVE_SYS_STATVFS_H
4120#include <sys/statvfs.h>
4121#endif
4122#ifdef HAVE_SYS_VFS_H
4123#include <sys/vfs.h>
4124#endif
4125#ifdef HAVE_SYS_MOUNT_H
4126#include <sys/mount.h>
4127#endif
4128]])
4129
4130
4131AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
4132[#include <sys/types.h>
4133#include <netinet/in.h>])
4134
4135AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
4136	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4137	[[ size_t foo; foo = 1235; ]])],
4138	[ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
4139	])
4140])
4141if test "x$ac_cv_have_size_t" = "xyes" ; then
4142	AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
4143fi
4144
4145AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
4146	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4147	[[ ssize_t foo; foo = 1235; ]])],
4148	[ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
4149	])
4150])
4151if test "x$ac_cv_have_ssize_t" = "xyes" ; then
4152	AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
4153fi
4154
4155AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
4156	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
4157	[[ clock_t foo; foo = 1235; ]])],
4158	[ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
4159	])
4160])
4161if test "x$ac_cv_have_clock_t" = "xyes" ; then
4162	AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
4163fi
4164
4165AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
4166	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4167#include <sys/types.h>
4168#include <sys/socket.h>
4169		]], [[ sa_family_t foo; foo = 1235; ]])],
4170	[ ac_cv_have_sa_family_t="yes" ],
4171	[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4172#include <sys/types.h>
4173#include <sys/socket.h>
4174#include <netinet/in.h>
4175		]], [[ sa_family_t foo; foo = 1235; ]])],
4176		[ ac_cv_have_sa_family_t="yes" ],
4177		[ ac_cv_have_sa_family_t="no" ]
4178	)
4179	])
4180])
4181if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
4182	AC_DEFINE([HAVE_SA_FAMILY_T], [1],
4183		[define if you have sa_family_t data type])
4184fi
4185
4186AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
4187	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4188	[[ pid_t foo; foo = 1235; ]])],
4189	[ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
4190	])
4191])
4192if test "x$ac_cv_have_pid_t" = "xyes" ; then
4193	AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
4194fi
4195
4196AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
4197	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
4198	[[ mode_t foo; foo = 1235; ]])],
4199	[ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
4200	])
4201])
4202if test "x$ac_cv_have_mode_t" = "xyes" ; then
4203	AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
4204fi
4205
4206
4207AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
4208	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4209#include <sys/types.h>
4210#include <sys/socket.h>
4211		]], [[ struct sockaddr_storage s; ]])],
4212	[ ac_cv_have_struct_sockaddr_storage="yes" ],
4213	[ ac_cv_have_struct_sockaddr_storage="no"
4214	])
4215])
4216if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
4217	AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
4218		[define if you have struct sockaddr_storage data type])
4219fi
4220
4221AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
4222	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4223#include <sys/types.h>
4224#include <netinet/in.h>
4225		]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
4226	[ ac_cv_have_struct_sockaddr_in6="yes" ],
4227	[ ac_cv_have_struct_sockaddr_in6="no"
4228	])
4229])
4230if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
4231	AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
4232		[define if you have struct sockaddr_in6 data type])
4233fi
4234
4235AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
4236	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4237#include <sys/types.h>
4238#include <netinet/in.h>
4239		]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
4240	[ ac_cv_have_struct_in6_addr="yes" ],
4241	[ ac_cv_have_struct_in6_addr="no"
4242	])
4243])
4244if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
4245	AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
4246		[define if you have struct in6_addr data type])
4247
4248dnl Now check for sin6_scope_id
4249	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
4250		[
4251#ifdef HAVE_SYS_TYPES_H
4252#include <sys/types.h>
4253#endif
4254#include <netinet/in.h>
4255		])
4256fi
4257
4258AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4259	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4260#include <sys/types.h>
4261#include <sys/socket.h>
4262#include <netdb.h>
4263		]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4264	[ ac_cv_have_struct_addrinfo="yes" ],
4265	[ ac_cv_have_struct_addrinfo="no"
4266	])
4267])
4268if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4269	AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4270		[define if you have struct addrinfo data type])
4271fi
4272
4273AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4274	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4275	[[ struct timeval tv; tv.tv_sec = 1;]])],
4276	[ ac_cv_have_struct_timeval="yes" ],
4277	[ ac_cv_have_struct_timeval="no"
4278	])
4279])
4280if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4281	AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4282	have_struct_timeval=1
4283fi
4284
4285AC_CACHE_CHECK([for struct timespec], ac_cv_have_struct_timespec, [
4286	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4287    #ifdef HAVE_SYS_TIME_H
4288    # include <sys/time.h>
4289    #endif
4290    #ifdef HAVE_TIME_H
4291    # include <time.h>
4292    #endif
4293	]],
4294	[[ struct timespec ts; ts.tv_sec = 1;]])],
4295	[ ac_cv_have_struct_timespec="yes" ],
4296	[ ac_cv_have_struct_timespec="no"
4297	])
4298])
4299if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
4300	AC_DEFINE([HAVE_STRUCT_TIMESPEC], [1], [define if you have struct timespec])
4301	have_struct_timespec=1
4302fi
4303
4304# We need int64_t or else certain parts of the compile will fail.
4305if test "x$ac_cv_have_int64_t" = "xno" && \
4306	test "x$ac_cv_sizeof_long_int" != "x8" && \
4307	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4308	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
4309	echo "an alternative compiler (I.E., GCC) before continuing."
4310	echo ""
4311	exit 1;
4312else
4313dnl test snprintf (broken on SCO w/gcc)
4314	AC_RUN_IFELSE(
4315		[AC_LANG_SOURCE([[
4316#include <stdio.h>
4317#include <stdlib.h>
4318#include <string.h>
4319#ifdef HAVE_SNPRINTF
4320main()
4321{
4322	char buf[50];
4323	char expected_out[50];
4324	int mazsize = 50 ;
4325#if (SIZEOF_LONG_INT == 8)
4326	long int num = 0x7fffffffffffffff;
4327#else
4328	long long num = 0x7fffffffffffffffll;
4329#endif
4330	strcpy(expected_out, "9223372036854775807");
4331	snprintf(buf, mazsize, "%lld", num);
4332	if(strcmp(buf, expected_out) != 0)
4333		exit(1);
4334	exit(0);
4335}
4336#else
4337main() { exit(0); }
4338#endif
4339		]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4340		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4341	)
4342fi
4343
4344dnl Checks for structure members
4345OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4346OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4347OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4348OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4349OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4350OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4351OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4352OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4353OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4354OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4355OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4356OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4357OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4358OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4359OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4360OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4361OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4362OSSH_CHECK_HEADER_FOR_FIELD([ut_ss], [utmpx.h], [HAVE_SS_IN_UTMPX])
4363
4364AC_CHECK_MEMBERS([struct stat.st_blksize])
4365AC_CHECK_MEMBERS([struct stat.st_mtim])
4366AC_CHECK_MEMBERS([struct stat.st_mtime])
4367AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4368struct passwd.pw_change, struct passwd.pw_expire],
4369[], [], [[
4370#include <sys/types.h>
4371#include <pwd.h>
4372]])
4373
4374AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4375	[Define if we don't have struct __res_state in resolv.h])],
4376[[
4377#include <stdio.h>
4378#if HAVE_SYS_TYPES_H
4379# include <sys/types.h>
4380#endif
4381#include <netinet/in.h>
4382#include <arpa/nameser.h>
4383#include <resolv.h>
4384]])
4385
4386AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4387		ac_cv_have_ss_family_in_struct_ss, [
4388	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4389#include <sys/types.h>
4390#include <sys/socket.h>
4391		]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4392	[ ac_cv_have_ss_family_in_struct_ss="yes" ],
4393	[ ac_cv_have_ss_family_in_struct_ss="no" ])
4394])
4395if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4396	AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4397fi
4398
4399AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4400		ac_cv_have___ss_family_in_struct_ss, [
4401	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4402#include <sys/types.h>
4403#include <sys/socket.h>
4404		]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4405	[ ac_cv_have___ss_family_in_struct_ss="yes" ],
4406	[ ac_cv_have___ss_family_in_struct_ss="no"
4407	])
4408])
4409if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4410	AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4411		[Fields in struct sockaddr_storage])
4412fi
4413
4414dnl make sure we're using the real structure members and not defines
4415AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4416		ac_cv_have_accrights_in_msghdr, [
4417	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4418#include <sys/types.h>
4419#include <sys/socket.h>
4420#include <sys/uio.h>
4421#include <stdlib.h>
4422		]], [[
4423#ifdef msg_accrights
4424#error "msg_accrights is a macro"
4425exit(1);
4426#endif
4427struct msghdr m;
4428m.msg_accrights = 0;
4429exit(0);
4430		]])],
4431		[ ac_cv_have_accrights_in_msghdr="yes" ],
4432		[ ac_cv_have_accrights_in_msghdr="no" ]
4433	)
4434])
4435if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4436	AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4437		[Define if your system uses access rights style
4438		file descriptor passing])
4439fi
4440
4441AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4442AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4443#include <sys/param.h>
4444#include <sys/stat.h>
4445#ifdef HAVE_SYS_TIME_H
4446# include <sys/time.h>
4447#endif
4448#ifdef HAVE_SYS_MOUNT_H
4449#include <sys/mount.h>
4450#endif
4451#ifdef HAVE_SYS_STATVFS_H
4452#include <sys/statvfs.h>
4453#endif
4454	]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4455	[ AC_MSG_RESULT([yes]) ],
4456	[ AC_MSG_RESULT([no])
4457
4458	AC_MSG_CHECKING([if fsid_t has member val])
4459	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4460#include <sys/types.h>
4461#include <sys/statvfs.h>
4462	]], [[ fsid_t t; t.val[0] = 0; ]])],
4463	[ AC_MSG_RESULT([yes])
4464	  AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4465	[ AC_MSG_RESULT([no]) ])
4466
4467	AC_MSG_CHECKING([if f_fsid has member __val])
4468	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4469#include <sys/types.h>
4470#include <sys/statvfs.h>
4471	]], [[ fsid_t t; t.__val[0] = 0; ]])],
4472	[ AC_MSG_RESULT([yes])
4473	  AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4474	[ AC_MSG_RESULT([no]) ])
4475])
4476
4477AC_CACHE_CHECK([for msg_control field in struct msghdr],
4478		ac_cv_have_control_in_msghdr, [
4479	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4480#include <sys/types.h>
4481#include <sys/socket.h>
4482#include <sys/uio.h>
4483#include <stdlib.h>
4484		]], [[
4485#ifdef msg_control
4486#error "msg_control is a macro"
4487exit(1);
4488#endif
4489struct msghdr m;
4490m.msg_control = 0;
4491exit(0);
4492		]])],
4493		[ ac_cv_have_control_in_msghdr="yes" ],
4494		[ ac_cv_have_control_in_msghdr="no" ]
4495	)
4496])
4497if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4498	AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4499		[Define if your system uses ancillary data style
4500		file descriptor passing])
4501fi
4502
4503AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4504	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4505		[[ extern char *__progname; printf("%s", __progname); ]])],
4506	[ ac_cv_libc_defines___progname="yes" ],
4507	[ ac_cv_libc_defines___progname="no"
4508	])
4509])
4510if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4511	AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4512fi
4513
4514AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4515	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4516		[[ printf("%s", __FUNCTION__); ]])],
4517	[ ac_cv_cc_implements___FUNCTION__="yes" ],
4518	[ ac_cv_cc_implements___FUNCTION__="no"
4519	])
4520])
4521if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4522	AC_DEFINE([HAVE___FUNCTION__], [1],
4523		[Define if compiler implements __FUNCTION__])
4524fi
4525
4526AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4527	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4528		[[ printf("%s", __func__); ]])],
4529	[ ac_cv_cc_implements___func__="yes" ],
4530	[ ac_cv_cc_implements___func__="no"
4531	])
4532])
4533if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4534	AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4535fi
4536
4537AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4538	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4539#include <stdarg.h>
4540va_list x,y;
4541		]], [[ va_copy(x,y); ]])],
4542	[ ac_cv_have_va_copy="yes" ],
4543	[ ac_cv_have_va_copy="no"
4544	])
4545])
4546if test "x$ac_cv_have_va_copy" = "xyes" ; then
4547	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4548fi
4549
4550AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4551	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4552#include <stdarg.h>
4553va_list x,y;
4554		]], [[ __va_copy(x,y); ]])],
4555	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4556	])
4557])
4558if test "x$ac_cv_have___va_copy" = "xyes" ; then
4559	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4560fi
4561
4562AC_CACHE_CHECK([whether getopt has optreset support],
4563		ac_cv_have_getopt_optreset, [
4564	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4565		[[ extern int optreset; optreset = 0; ]])],
4566	[ ac_cv_have_getopt_optreset="yes" ],
4567	[ ac_cv_have_getopt_optreset="no"
4568	])
4569])
4570if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4571	AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4572		[Define if your getopt(3) defines and uses optreset])
4573fi
4574
4575AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4576	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4577[[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4578	[ ac_cv_libc_defines_sys_errlist="yes" ],
4579	[ ac_cv_libc_defines_sys_errlist="no"
4580	])
4581])
4582if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4583	AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4584		[Define if your system defines sys_errlist[]])
4585fi
4586
4587
4588AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4589	AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4590[[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4591	[ ac_cv_libc_defines_sys_nerr="yes" ],
4592	[ ac_cv_libc_defines_sys_nerr="no"
4593	])
4594])
4595if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4596	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4597fi
4598
4599# Check libraries needed by DNS fingerprint support
4600AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4601	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4602		[Define if getrrsetbyname() exists])],
4603	[
4604		# Needed by our getrrsetbyname()
4605		AC_SEARCH_LIBS([res_query], [resolv])
4606		AC_SEARCH_LIBS([dn_expand], [resolv])
4607		AC_MSG_CHECKING([if res_query will link])
4608		AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4609#include <sys/types.h>
4610#include <netinet/in.h>
4611#include <arpa/nameser.h>
4612#include <netdb.h>
4613#include <resolv.h>
4614				]], [[
4615	res_query (0, 0, 0, 0, 0);
4616				]])],
4617		    AC_MSG_RESULT([yes]),
4618		   [AC_MSG_RESULT([no])
4619		    saved_LIBS="$LIBS"
4620		    LIBS="$LIBS -lresolv"
4621		    AC_MSG_CHECKING([for res_query in -lresolv])
4622		    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4623#include <sys/types.h>
4624#include <netinet/in.h>
4625#include <arpa/nameser.h>
4626#include <netdb.h>
4627#include <resolv.h>
4628				]], [[
4629	res_query (0, 0, 0, 0, 0);
4630				]])],
4631			[AC_MSG_RESULT([yes])],
4632			[LIBS="$saved_LIBS"
4633			 AC_MSG_RESULT([no])])
4634		    ])
4635		AC_CHECK_FUNCS([_getshort _getlong])
4636		AC_CHECK_DECLS([_getshort, _getlong], , ,
4637		    [#include <sys/types.h>
4638		    #include <arpa/nameser.h>])
4639		AC_CHECK_MEMBER([HEADER.ad],
4640			[AC_DEFINE([HAVE_HEADER_AD], [1],
4641			    [Define if HEADER.ad exists in arpa/nameser.h])], ,
4642			[#include <arpa/nameser.h>])
4643	])
4644
4645AC_MSG_CHECKING([if struct __res_state _res is an extern])
4646AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4647#include <stdio.h>
4648#if HAVE_SYS_TYPES_H
4649# include <sys/types.h>
4650#endif
4651#include <netinet/in.h>
4652#include <arpa/nameser.h>
4653#include <resolv.h>
4654extern struct __res_state _res;
4655		]], [[
4656struct __res_state *volatile p = &_res;  /* force resolution of _res */
4657return 0;
4658		]],)],
4659		[AC_MSG_RESULT([yes])
4660		 AC_DEFINE([HAVE__RES_EXTERN], [1],
4661		    [Define if you have struct __res_state _res as an extern])
4662		],
4663		[ AC_MSG_RESULT([no]) ]
4664)
4665
4666# Check whether user wants SELinux support
4667SELINUX_MSG="no"
4668LIBSELINUX=""
4669AC_ARG_WITH([selinux],
4670	[  --with-selinux          Enable SELinux support],
4671	[ if test "x$withval" != "xno" ; then
4672		save_LIBS="$LIBS"
4673		AC_DEFINE([WITH_SELINUX], [1],
4674			[Define if you want SELinux support.])
4675		SELINUX_MSG="yes"
4676		AC_CHECK_HEADER([selinux/selinux.h], ,
4677			AC_MSG_ERROR([SELinux support requires selinux.h header]))
4678		AC_CHECK_LIB([selinux], [setexeccon],
4679			[ LIBSELINUX="-lselinux"
4680			  LIBS="$LIBS -lselinux"
4681			],
4682			AC_MSG_ERROR([SELinux support requires libselinux library]))
4683		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4684		LIBS="$save_LIBS $LIBSELINUX"
4685	fi ]
4686)
4687AC_SUBST([SSHDLIBS])
4688
4689# Check whether user wants Kerberos 5 support
4690KRB5_MSG="no"
4691AC_ARG_WITH([kerberos5],
4692	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
4693	[ if test "x$withval" != "xno" ; then
4694		if test "x$withval" = "xyes" ; then
4695			KRB5ROOT="/usr/local"
4696		else
4697			KRB5ROOT=${withval}
4698		fi
4699
4700		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4701		KRB5_MSG="yes"
4702
4703		use_pkgconfig_for_krb5=
4704		if test "x$PKGCONFIG" != "xno"; then
4705			AC_MSG_CHECKING([if $PKGCONFIG knows about kerberos5])
4706			if "$PKGCONFIG" krb5; then
4707				AC_MSG_RESULT([yes])
4708				use_pkgconfig_for_krb5=yes
4709			else
4710				AC_MSG_RESULT([no])
4711			fi
4712		fi
4713		if test "x$use_pkgconfig_for_krb5" = "xyes"; then
4714			K5CFLAGS=`$PKGCONFIG --cflags krb5`
4715			K5LIBS=`$PKGCONFIG --libs krb5`
4716			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4717
4718			AC_MSG_CHECKING([for gssapi support])
4719			if "$PKGCONFIG" krb5-gssapi; then
4720				AC_MSG_RESULT([yes])
4721				AC_DEFINE([GSSAPI], [1],
4722					[Define this if you want GSSAPI
4723					support in the version 2 protocol])
4724				GSSCFLAGS="`$PKGCONFIG --cflags krb5-gssapi`"
4725				GSSLIBS="`$PKGCONFIG --libs krb5-gssapi`"
4726				CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4727			else
4728				AC_MSG_RESULT([no])
4729			fi
4730			AC_MSG_CHECKING([whether we are using Heimdal])
4731			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4732				]], [[ char *tmp = heimdal_version; ]])],
4733				[ AC_MSG_RESULT([yes])
4734				AC_DEFINE([HEIMDAL], [1],
4735				[Define this if you are using the Heimdal
4736				version of Kerberos V5]) ],
4737				[AC_MSG_RESULT([no])
4738			])
4739		else
4740			AC_PATH_TOOL([KRB5CONF], [krb5-config],
4741				     [$KRB5ROOT/bin/krb5-config],
4742				     [$KRB5ROOT/bin:$PATH])
4743			if test -x $KRB5CONF ; then
4744				K5CFLAGS="`$KRB5CONF --cflags`"
4745				K5LIBS="`$KRB5CONF --libs`"
4746				CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4747
4748				AC_MSG_CHECKING([for gssapi support])
4749				if $KRB5CONF | grep gssapi >/dev/null ; then
4750					AC_MSG_RESULT([yes])
4751					AC_DEFINE([GSSAPI], [1],
4752						[Define this if you want GSSAPI
4753						support in the version 2 protocol])
4754					GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4755					GSSLIBS="`$KRB5CONF --libs gssapi`"
4756					CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4757				else
4758					AC_MSG_RESULT([no])
4759				fi
4760				AC_MSG_CHECKING([whether we are using Heimdal])
4761				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4762					]], [[ char *tmp = heimdal_version; ]])],
4763					[ AC_MSG_RESULT([yes])
4764					AC_DEFINE([HEIMDAL], [1],
4765					[Define this if you are using the Heimdal
4766					version of Kerberos V5]) ],
4767					[AC_MSG_RESULT([no])
4768				])
4769			else
4770				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4771				LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4772				AC_MSG_CHECKING([whether we are using Heimdal])
4773				AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4774					]], [[ char *tmp = heimdal_version; ]])],
4775						[ AC_MSG_RESULT([yes])
4776						 AC_DEFINE([HEIMDAL])
4777						 K5LIBS="-lkrb5"
4778						 K5LIBS="$K5LIBS -lcom_err -lasn1"
4779						 AC_CHECK_LIB([roken], [net_write],
4780						   [K5LIBS="$K5LIBS -lroken"])
4781						 AC_CHECK_LIB([des], [des_cbc_encrypt],
4782						   [K5LIBS="$K5LIBS -ldes"])
4783					       ], [ AC_MSG_RESULT([no])
4784						 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4785				])
4786				AC_SEARCH_LIBS([dn_expand], [resolv])
4787
4788				AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4789					[ AC_DEFINE([GSSAPI])
4790					  GSSLIBS="-lgssapi_krb5" ],
4791					[ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4792						[ AC_DEFINE([GSSAPI])
4793						  GSSLIBS="-lgssapi" ],
4794						[ AC_CHECK_LIB([gss], [gss_init_sec_context],
4795							[ AC_DEFINE([GSSAPI])
4796							  GSSLIBS="-lgss" ],
4797							AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4798						])
4799					])
4800
4801				AC_CHECK_HEADER([gssapi.h], ,
4802					[ unset ac_cv_header_gssapi_h
4803					  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4804					  AC_CHECK_HEADERS([gssapi.h], ,
4805						AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4806					  )
4807					]
4808				)
4809
4810				oldCPP="$CPPFLAGS"
4811				CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4812				AC_CHECK_HEADER([gssapi_krb5.h], ,
4813						[ CPPFLAGS="$oldCPP" ])
4814
4815			fi
4816		fi
4817		if test -n "${rpath_opt}" ; then
4818			LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
4819		fi
4820		if test ! -z "$blibpath" ; then
4821			blibpath="$blibpath:${KRB5ROOT}/lib"
4822		fi
4823
4824		AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4825		AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4826		AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4827
4828		AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4829			[Define this if you want to use libkafs' AFS support])])
4830
4831		AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4832#ifdef HAVE_GSSAPI_H
4833# include <gssapi.h>
4834#elif defined(HAVE_GSSAPI_GSSAPI_H)
4835# include <gssapi/gssapi.h>
4836#endif
4837
4838#ifdef HAVE_GSSAPI_GENERIC_H
4839# include <gssapi_generic.h>
4840#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4841# include <gssapi/gssapi_generic.h>
4842#endif
4843		]])
4844		saved_LIBS="$LIBS"
4845		LIBS="$LIBS $K5LIBS"
4846		AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4847		LIBS="$saved_LIBS"
4848
4849	fi
4850	]
4851)
4852AC_SUBST([GSSLIBS])
4853AC_SUBST([K5LIBS])
4854AC_SUBST([CHANNELLIBS])
4855
4856# Looking for programs, paths and files
4857
4858PRIVSEP_PATH=/var/empty
4859AC_ARG_WITH([privsep-path],
4860	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4861	[
4862		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4863		    test "x${withval}" != "xyes"; then
4864			PRIVSEP_PATH=$withval
4865		fi
4866	]
4867)
4868AC_SUBST([PRIVSEP_PATH])
4869
4870AC_ARG_WITH([xauth],
4871	[  --with-xauth=PATH       Specify path to xauth program ],
4872	[
4873		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
4874		    test "x${withval}" != "xyes"; then
4875			xauth_path=$withval
4876		fi
4877	],
4878	[
4879		TestPath="$PATH"
4880		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4881		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4882		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4883		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4884		AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4885		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4886			xauth_path="/usr/openwin/bin/xauth"
4887		fi
4888	]
4889)
4890
4891STRIP_OPT=-s
4892AC_ARG_ENABLE([strip],
4893	[  --disable-strip         Disable calling strip(1) on install],
4894	[
4895		if test "x$enableval" = "xno" ; then
4896			STRIP_OPT=
4897		fi
4898	]
4899)
4900AC_SUBST([STRIP_OPT])
4901
4902if test -z "$xauth_path" ; then
4903	XAUTH_PATH="undefined"
4904	AC_SUBST([XAUTH_PATH])
4905else
4906	AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4907		[Define if xauth is found in your path])
4908	XAUTH_PATH=$xauth_path
4909	AC_SUBST([XAUTH_PATH])
4910fi
4911
4912dnl # --with-maildir=/path/to/mail gets top priority.
4913dnl # if maildir is set in the platform case statement above we use that.
4914dnl # Otherwise we run a program to get the dir from system headers.
4915dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4916dnl # If we find _PATH_MAILDIR we do nothing because that is what
4917dnl # session.c expects anyway. Otherwise we set to the value found
4918dnl # stripping any trailing slash. If for some strage reason our program
4919dnl # does not find what it needs, we default to /var/spool/mail.
4920# Check for mail directory
4921AC_ARG_WITH([maildir],
4922    [  --with-maildir=/path/to/mail    Specify your system mail directory],
4923    [
4924	if test "X$withval" != X  &&  test "x$withval" != xno  &&  \
4925	    test "x${withval}" != xyes; then
4926		AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4927            [Set this to your mail directory if you do not have _PATH_MAILDIR])
4928	    fi
4929     ],[
4930	if test "X$maildir" != "X"; then
4931	    AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4932	else
4933	    AC_MSG_CHECKING([Discovering system mail directory])
4934	    AC_RUN_IFELSE(
4935		[AC_LANG_PROGRAM([[
4936#include <stdio.h>
4937#include <stdlib.h>
4938#include <string.h>
4939#ifdef HAVE_PATHS_H
4940#include <paths.h>
4941#endif
4942#ifdef HAVE_MAILLOCK_H
4943#include <maillock.h>
4944#endif
4945#define DATA "conftest.maildir"
4946	]], [[
4947	FILE *fd;
4948	int rc;
4949
4950	fd = fopen(DATA,"w");
4951	if(fd == NULL)
4952		exit(1);
4953
4954#if defined (_PATH_MAILDIR)
4955	if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4956		exit(1);
4957#elif defined (MAILDIR)
4958	if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4959		exit(1);
4960#elif defined (_PATH_MAIL)
4961	if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4962		exit(1);
4963#else
4964	exit (2);
4965#endif
4966
4967	exit(0);
4968		]])],
4969		[
4970		    maildir_what=`awk -F: '{print $1}' conftest.maildir`
4971		    maildir=`awk -F: '{print $2}' conftest.maildir \
4972			| sed 's|/$||'`
4973		    AC_MSG_RESULT([Using: $maildir from $maildir_what])
4974		    if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4975			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4976		    fi
4977		],
4978		[
4979		    if test "X$ac_status" = "X2";then
4980# our test program didn't find it. Default to /var/spool/mail
4981			AC_MSG_RESULT([Using: default value of /var/spool/mail])
4982			AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4983		     else
4984			AC_MSG_RESULT([*** not found ***])
4985		     fi
4986		],
4987		[
4988			AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4989		]
4990	    )
4991	fi
4992    ]
4993) # maildir
4994
4995if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4996	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4997	disable_ptmx_check=yes
4998fi
4999if test -z "$no_dev_ptmx" ; then
5000	if test "x$disable_ptmx_check" != "xyes" ; then
5001		AC_CHECK_FILE(["/dev/ptmx"],
5002			[
5003				AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
5004					[Define if you have /dev/ptmx])
5005				have_dev_ptmx=1
5006			]
5007		)
5008	fi
5009fi
5010
5011if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
5012	AC_CHECK_FILE(["/dev/ptc"],
5013		[
5014			AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
5015				[Define if you have /dev/ptc])
5016			have_dev_ptc=1
5017		]
5018	)
5019else
5020	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
5021fi
5022
5023# Options from here on. Some of these are preset by platform above
5024AC_ARG_WITH([mantype],
5025	[  --with-mantype=man|cat|doc  Set man page type],
5026	[
5027		case "$withval" in
5028		man|cat|doc)
5029			MANTYPE=$withval
5030			;;
5031		*)
5032			AC_MSG_ERROR([invalid man type: $withval])
5033			;;
5034		esac
5035	]
5036)
5037if test -z "$MANTYPE"; then
5038	if ${MANDOC} ${srcdir}/ssh.1 >/dev/null 2>&1; then
5039		MANTYPE=doc
5040	elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
5041		MANTYPE=doc
5042	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
5043		MANTYPE=man
5044	else
5045		MANTYPE=cat
5046	fi
5047fi
5048AC_SUBST([MANTYPE])
5049if test "$MANTYPE" = "doc"; then
5050	mansubdir=man;
5051else
5052	mansubdir=$MANTYPE;
5053fi
5054AC_SUBST([mansubdir])
5055
5056# Whether to disable shadow password support
5057AC_ARG_WITH([shadow],
5058	[  --without-shadow        Disable shadow password support],
5059	[
5060		if test "x$withval" = "xno" ; then
5061			AC_DEFINE([DISABLE_SHADOW])
5062			disable_shadow=yes
5063		fi
5064	]
5065)
5066
5067if test -z "$disable_shadow" ; then
5068	AC_MSG_CHECKING([if the systems has expire shadow information])
5069	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5070#include <sys/types.h>
5071#include <shadow.h>
5072struct spwd sp;
5073		]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
5074		[ sp_expire_available=yes ], [
5075	])
5076
5077	if test "x$sp_expire_available" = "xyes" ; then
5078		AC_MSG_RESULT([yes])
5079		AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
5080		    [Define if you want to use shadow password expire field])
5081	else
5082		AC_MSG_RESULT([no])
5083	fi
5084fi
5085
5086# Use ip address instead of hostname in $DISPLAY
5087if test ! -z "$IPADDR_IN_DISPLAY" ; then
5088	DISPLAY_HACK_MSG="yes"
5089	AC_DEFINE([IPADDR_IN_DISPLAY], [1],
5090		[Define if you need to use IP address
5091		instead of hostname in $DISPLAY])
5092else
5093	DISPLAY_HACK_MSG="no"
5094	AC_ARG_WITH([ipaddr-display],
5095		[  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY],
5096		[
5097			if test "x$withval" != "xno" ; then
5098				AC_DEFINE([IPADDR_IN_DISPLAY])
5099				DISPLAY_HACK_MSG="yes"
5100			fi
5101		]
5102	)
5103fi
5104
5105# check for /etc/default/login and use it if present.
5106AC_ARG_ENABLE([etc-default-login],
5107	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
5108	[ if test "x$enableval" = "xno"; then
5109		AC_MSG_NOTICE([/etc/default/login handling disabled])
5110		etc_default_login=no
5111	  else
5112		etc_default_login=yes
5113	  fi ],
5114	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
5115	  then
5116		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
5117		etc_default_login=no
5118	  else
5119		etc_default_login=yes
5120	  fi ]
5121)
5122
5123if test "x$etc_default_login" != "xno"; then
5124	AC_CHECK_FILE(["/etc/default/login"],
5125	    [ external_path_file=/etc/default/login ])
5126	if test "x$external_path_file" = "x/etc/default/login"; then
5127		AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
5128			[Define if your system has /etc/default/login])
5129	fi
5130fi
5131
5132dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
5133if test $ac_cv_func_login_getcapbool = "yes" && \
5134	test $ac_cv_header_login_cap_h = "yes" ; then
5135	external_path_file=/etc/login.conf
5136fi
5137
5138# Whether to mess with the default path
5139SERVER_PATH_MSG="(default)"
5140AC_ARG_WITH([default-path],
5141	[  --with-default-path=    Specify default $PATH environment for server],
5142	[
5143		if test "x$external_path_file" = "x/etc/login.conf" ; then
5144			AC_MSG_WARN([
5145--with-default-path=PATH has no effect on this system.
5146Edit /etc/login.conf instead.])
5147		elif test "x$withval" != "xno" ; then
5148			if test ! -z "$external_path_file" ; then
5149				AC_MSG_WARN([
5150--with-default-path=PATH will only be used if PATH is not defined in
5151$external_path_file .])
5152			fi
5153			user_path="$withval"
5154			SERVER_PATH_MSG="$withval"
5155		fi
5156	],
5157	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
5158		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
5159	else
5160		if test ! -z "$external_path_file" ; then
5161			AC_MSG_WARN([
5162If PATH is defined in $external_path_file, ensure the path to scp is included,
5163otherwise scp will not work.])
5164		fi
5165		AC_RUN_IFELSE(
5166			[AC_LANG_PROGRAM([[
5167/* find out what STDPATH is */
5168#include <stdio.h>
5169#include <stdlib.h>
5170#ifdef HAVE_PATHS_H
5171# include <paths.h>
5172#endif
5173#ifndef _PATH_STDPATH
5174# ifdef _PATH_USERPATH	/* Irix */
5175#  define _PATH_STDPATH _PATH_USERPATH
5176# else
5177#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
5178# endif
5179#endif
5180#include <sys/types.h>
5181#include <sys/stat.h>
5182#include <fcntl.h>
5183#define DATA "conftest.stdpath"
5184			]], [[
5185	FILE *fd;
5186	int rc;
5187
5188	fd = fopen(DATA,"w");
5189	if(fd == NULL)
5190		exit(1);
5191
5192	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
5193		exit(1);
5194
5195	exit(0);
5196		]])],
5197		[ user_path=`cat conftest.stdpath` ],
5198		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
5199		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
5200	)
5201# make sure $bindir is in USER_PATH so scp will work
5202		t_bindir="${bindir}"
5203		while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
5204			t_bindir=`eval echo ${t_bindir}`
5205			case $t_bindir in
5206				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
5207			esac
5208			case $t_bindir in
5209				NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
5210			esac
5211		done
5212		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
5213		if test $? -ne 0  ; then
5214			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
5215			if test $? -ne 0  ; then
5216				user_path=$user_path:$t_bindir
5217				AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5218			fi
5219		fi
5220	fi ]
5221)
5222if test "x$external_path_file" != "x/etc/login.conf" ; then
5223	AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
5224	AC_SUBST([user_path])
5225fi
5226
5227# Set superuser path separately to user path
5228AC_ARG_WITH([superuser-path],
5229	[  --with-superuser-path=  Specify different path for super-user],
5230	[
5231		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5232		    test "x${withval}" != "xyes"; then
5233			AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
5234				[Define if you want a different $PATH
5235				for the superuser])
5236			superuser_path=$withval
5237		fi
5238	]
5239)
5240
5241
5242AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5243IPV4_IN6_HACK_MSG="no"
5244AC_ARG_WITH(4in6,
5245	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
5246	[
5247		if test "x$withval" != "xno" ; then
5248			AC_MSG_RESULT([yes])
5249			AC_DEFINE([IPV4_IN_IPV6], [1],
5250				[Detect IPv4 in IPv6 mapped addresses
5251				and treat as IPv4])
5252			IPV4_IN6_HACK_MSG="yes"
5253		else
5254			AC_MSG_RESULT([no])
5255		fi
5256	], [
5257		if test "x$inet6_default_4in6" = "xyes"; then
5258			AC_MSG_RESULT([yes (default)])
5259			AC_DEFINE([IPV4_IN_IPV6])
5260			IPV4_IN6_HACK_MSG="yes"
5261		else
5262			AC_MSG_RESULT([no (default)])
5263		fi
5264	]
5265)
5266
5267# Whether to enable BSD auth support
5268BSD_AUTH_MSG=no
5269AC_ARG_WITH([bsd-auth],
5270	[  --with-bsd-auth         Enable BSD auth support],
5271	[
5272		if test "x$withval" != "xno" ; then
5273			AC_DEFINE([BSD_AUTH], [1],
5274				[Define if you have BSD auth support])
5275			BSD_AUTH_MSG=yes
5276		fi
5277	]
5278)
5279
5280# Where to place sshd.pid
5281piddir=/var/run
5282# make sure the directory exists
5283if test ! -d $piddir ; then
5284	piddir=`eval echo ${sysconfdir}`
5285	case $piddir in
5286		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
5287	esac
5288fi
5289
5290AC_ARG_WITH([pid-dir],
5291	[  --with-pid-dir=PATH     Specify location of sshd.pid file],
5292	[
5293		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
5294		    test "x${withval}" != "xyes"; then
5295			piddir=$withval
5296			if test ! -d $piddir ; then
5297			AC_MSG_WARN([** no $piddir directory on this system **])
5298			fi
5299		fi
5300	]
5301)
5302
5303AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5304	[Specify location of ssh.pid])
5305AC_SUBST([piddir])
5306
5307dnl allow user to disable some login recording features
5308AC_ARG_ENABLE([lastlog],
5309	[  --disable-lastlog       disable use of lastlog even if detected [no]],
5310	[
5311		if test "x$enableval" = "xno" ; then
5312			AC_DEFINE([DISABLE_LASTLOG])
5313		fi
5314	]
5315)
5316AC_ARG_ENABLE([utmp],
5317	[  --disable-utmp          disable use of utmp even if detected [no]],
5318	[
5319		if test "x$enableval" = "xno" ; then
5320			AC_DEFINE([DISABLE_UTMP])
5321		fi
5322	]
5323)
5324AC_ARG_ENABLE([utmpx],
5325	[  --disable-utmpx         disable use of utmpx even if detected [no]],
5326	[
5327		if test "x$enableval" = "xno" ; then
5328			AC_DEFINE([DISABLE_UTMPX], [1],
5329				[Define if you don't want to use utmpx])
5330		fi
5331	]
5332)
5333AC_ARG_ENABLE([wtmp],
5334	[  --disable-wtmp          disable use of wtmp even if detected [no]],
5335	[
5336		if test "x$enableval" = "xno" ; then
5337			AC_DEFINE([DISABLE_WTMP])
5338		fi
5339	]
5340)
5341AC_ARG_ENABLE([wtmpx],
5342	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
5343	[
5344		if test "x$enableval" = "xno" ; then
5345			AC_DEFINE([DISABLE_WTMPX], [1],
5346				[Define if you don't want to use wtmpx])
5347		fi
5348	]
5349)
5350AC_ARG_ENABLE([libutil],
5351	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
5352	[
5353		if test "x$enableval" = "xno" ; then
5354			AC_DEFINE([DISABLE_LOGIN])
5355		fi
5356	]
5357)
5358AC_ARG_ENABLE([pututline],
5359	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
5360	[
5361		if test "x$enableval" = "xno" ; then
5362			AC_DEFINE([DISABLE_PUTUTLINE], [1],
5363				[Define if you don't want to use pututline()
5364				etc. to write [uw]tmp])
5365		fi
5366	]
5367)
5368AC_ARG_ENABLE([pututxline],
5369	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
5370	[
5371		if test "x$enableval" = "xno" ; then
5372			AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5373				[Define if you don't want to use pututxline()
5374				etc. to write [uw]tmpx])
5375		fi
5376	]
5377)
5378AC_ARG_WITH([lastlog],
5379  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5380	[
5381		if test "x$withval" = "xno" ; then
5382			AC_DEFINE([DISABLE_LASTLOG])
5383		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
5384			conf_lastlog_location=$withval
5385		fi
5386	]
5387)
5388
5389dnl lastlog, [uw]tmpx? detection
5390dnl  NOTE: set the paths in the platform section to avoid the
5391dnl   need for command-line parameters
5392dnl lastlog and [uw]tmp are subject to a file search if all else fails
5393
5394dnl lastlog detection
5395dnl  NOTE: the code itself will detect if lastlog is a directory
5396AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5397AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5398#include <sys/types.h>
5399#include <utmp.h>
5400#ifdef HAVE_LASTLOG_H
5401#  include <lastlog.h>
5402#endif
5403#ifdef HAVE_PATHS_H
5404#  include <paths.h>
5405#endif
5406#ifdef HAVE_LOGIN_H
5407# include <login.h>
5408#endif
5409	]], [[ char *lastlog = LASTLOG_FILE; ]])],
5410		[ AC_MSG_RESULT([yes]) ],
5411		[
5412		AC_MSG_RESULT([no])
5413		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5414		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5415#include <sys/types.h>
5416#include <utmp.h>
5417#ifdef HAVE_LASTLOG_H
5418#  include <lastlog.h>
5419#endif
5420#ifdef HAVE_PATHS_H
5421#  include <paths.h>
5422#endif
5423		]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5424		[ AC_MSG_RESULT([yes]) ],
5425		[
5426			AC_MSG_RESULT([no])
5427			system_lastlog_path=no
5428		])
5429])
5430
5431if test -z "$conf_lastlog_location"; then
5432	if test x"$system_lastlog_path" = x"no" ; then
5433		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5434				if (test -d "$f" || test -f "$f") ; then
5435					conf_lastlog_location=$f
5436				fi
5437		done
5438		if test -z "$conf_lastlog_location"; then
5439			AC_MSG_WARN([** Cannot find lastlog **])
5440			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5441		fi
5442	fi
5443fi
5444
5445if test -n "$conf_lastlog_location"; then
5446	AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5447		[Define if you want to specify the path to your lastlog file])
5448fi
5449
5450dnl utmp detection
5451AC_MSG_CHECKING([if your system defines UTMP_FILE])
5452AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5453#include <sys/types.h>
5454#include <utmp.h>
5455#ifdef HAVE_PATHS_H
5456#  include <paths.h>
5457#endif
5458	]], [[ char *utmp = UTMP_FILE; ]])],
5459	[ AC_MSG_RESULT([yes]) ],
5460	[ AC_MSG_RESULT([no])
5461	  system_utmp_path=no
5462])
5463if test -z "$conf_utmp_location"; then
5464	if test x"$system_utmp_path" = x"no" ; then
5465		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5466			if test -f $f ; then
5467				conf_utmp_location=$f
5468			fi
5469		done
5470		if test -z "$conf_utmp_location"; then
5471			AC_DEFINE([DISABLE_UTMP])
5472		fi
5473	fi
5474fi
5475if test -n "$conf_utmp_location"; then
5476	AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5477		[Define if you want to specify the path to your utmp file])
5478fi
5479
5480dnl wtmp detection
5481AC_MSG_CHECKING([if your system defines WTMP_FILE])
5482AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5483#include <sys/types.h>
5484#include <utmp.h>
5485#ifdef HAVE_PATHS_H
5486#  include <paths.h>
5487#endif
5488	]], [[ char *wtmp = WTMP_FILE; ]])],
5489	[ AC_MSG_RESULT([yes]) ],
5490	[ AC_MSG_RESULT([no])
5491	  system_wtmp_path=no
5492])
5493if test -z "$conf_wtmp_location"; then
5494	if test x"$system_wtmp_path" = x"no" ; then
5495		for f in /usr/adm/wtmp /var/log/wtmp; do
5496			if test -f $f ; then
5497				conf_wtmp_location=$f
5498			fi
5499		done
5500		if test -z "$conf_wtmp_location"; then
5501			AC_DEFINE([DISABLE_WTMP])
5502		fi
5503	fi
5504fi
5505if test -n "$conf_wtmp_location"; then
5506	AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5507		[Define if you want to specify the path to your wtmp file])
5508fi
5509
5510dnl wtmpx detection
5511AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5512AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5513#include <sys/types.h>
5514#include <utmp.h>
5515#ifdef HAVE_UTMPX_H
5516#include <utmpx.h>
5517#endif
5518#ifdef HAVE_PATHS_H
5519#  include <paths.h>
5520#endif
5521	]], [[ char *wtmpx = WTMPX_FILE; ]])],
5522	[ AC_MSG_RESULT([yes]) ],
5523	[ AC_MSG_RESULT([no])
5524	  system_wtmpx_path=no
5525])
5526if test -z "$conf_wtmpx_location"; then
5527	if test x"$system_wtmpx_path" = x"no" ; then
5528		AC_DEFINE([DISABLE_WTMPX])
5529	fi
5530else
5531	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5532		[Define if you want to specify the path to your wtmpx file])
5533fi
5534
5535
5536if test ! -z "$blibpath" ; then
5537	LDFLAGS="$LDFLAGS $blibflags$blibpath"
5538	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5539fi
5540
5541AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5542    if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5543	AC_DEFINE([DISABLE_LASTLOG])
5544    fi
5545	], [
5546#ifdef HAVE_SYS_TYPES_H
5547#include <sys/types.h>
5548#endif
5549#ifdef HAVE_UTMP_H
5550#include <utmp.h>
5551#endif
5552#ifdef HAVE_UTMPX_H
5553#include <utmpx.h>
5554#endif
5555#ifdef HAVE_LASTLOG_H
5556#include <lastlog.h>
5557#endif
5558	])
5559
5560AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5561	AC_DEFINE([DISABLE_UTMP])
5562	AC_DEFINE([DISABLE_WTMP])
5563	], [
5564#ifdef HAVE_SYS_TYPES_H
5565#include <sys/types.h>
5566#endif
5567#ifdef HAVE_UTMP_H
5568#include <utmp.h>
5569#endif
5570#ifdef HAVE_UTMPX_H
5571#include <utmpx.h>
5572#endif
5573#ifdef HAVE_LASTLOG_H
5574#include <lastlog.h>
5575#endif
5576	])
5577
5578dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5579dnl Add now.
5580CFLAGS="$CFLAGS $werror_flags"
5581
5582if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5583	TEST_SSH_IPV6=no
5584else
5585	TEST_SSH_IPV6=yes
5586fi
5587AC_CHECK_DECL([BROKEN_GETADDRINFO],  [TEST_SSH_IPV6=no])
5588AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5589AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5590AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5591AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5592AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5593
5594CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5595LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5596
5597# Make a copy of CFLAGS/LDFLAGS without PIE options.
5598LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5599CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5600AC_SUBST([LDFLAGS_NOPIE])
5601AC_SUBST([CFLAGS_NOPIE])
5602
5603AC_EXEEXT
5604AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5605	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5606	survey.sh])
5607AC_OUTPUT
5608
5609# Print summary of options
5610
5611# Someone please show me a better way :)
5612A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5613B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5614C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5615D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5616E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5617F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5618G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5619H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5620I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5621J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5622
5623echo ""
5624echo "OpenSSH has been configured with the following options:"
5625echo "                     User binaries: $B"
5626echo "                   System binaries: $C"
5627echo "               Configuration files: $D"
5628echo "                   Askpass program: $E"
5629echo "                      Manual pages: $F"
5630echo "                          PID file: $G"
5631echo "  Privilege separation chroot path: $H"
5632if test "x$external_path_file" = "x/etc/login.conf" ; then
5633echo "   At runtime, sshd will use the path defined in $external_path_file"
5634echo "   Make sure the path to scp is present, otherwise scp will not work"
5635else
5636echo "            sshd default user PATH: $I"
5637	if test ! -z "$external_path_file"; then
5638echo "   (If PATH is set in $external_path_file it will be used instead. If"
5639echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
5640	fi
5641fi
5642if test ! -z "$superuser_path" ; then
5643echo "          sshd superuser user PATH: $J"
5644fi
5645echo "                    Manpage format: $MANTYPE"
5646echo "                       PAM support: $PAM_MSG"
5647echo "                   OSF SIA support: $SIA_MSG"
5648echo "                 KerberosV support: $KRB5_MSG"
5649echo "                   SELinux support: $SELINUX_MSG"
5650echo "              TCP Wrappers support: $TCPW_MSG"
5651echo "                   libedit support: $LIBEDIT_MSG"
5652echo "                   libldns support: $LDNS_MSG"
5653echo "  Solaris process contract support: $SPC_MSG"
5654echo "           Solaris project support: $SP_MSG"
5655echo "         Solaris privilege support: $SPP_MSG"
5656echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5657echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5658echo "                  BSD Auth support: $BSD_AUTH_MSG"
5659echo "              Random number source: $RAND_MSG"
5660echo "             Privsep sandbox style: $SANDBOX_STYLE"
5661echo "                   PKCS#11 support: $enable_pkcs11"
5662echo "                  U2F/FIDO support: $enable_sk"
5663
5664echo ""
5665
5666echo "              Host: ${host}"
5667echo "          Compiler: ${CC}"
5668echo "    Compiler flags: ${CFLAGS}"
5669echo "Preprocessor flags: ${CPPFLAGS}"
5670echo "      Linker flags: ${LDFLAGS}"
5671echo "         Libraries: ${LIBS}"
5672if test ! -z "${CHANNELLIBS}"; then
5673echo "     +for channels: ${CHANNELLIBS}"
5674fi
5675if test ! -z "${LIBFIDO2}"; then
5676echo "        +for FIDO2: ${LIBFIDO2}"
5677fi
5678if test ! -z "${SSHDLIBS}"; then
5679echo "         +for sshd: ${SSHDLIBS}"
5680fi
5681
5682echo ""
5683
5684if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5685	echo "SVR4 style packages are supported with \"make package\""
5686	echo ""
5687fi
5688
5689if test "x$PAM_MSG" = "xyes" ; then
5690	echo "PAM is enabled. You may need to install a PAM control file "
5691	echo "for sshd, otherwise password authentication may fail. "
5692	echo "Example PAM control files can be found in the contrib/ "
5693	echo "subdirectory"
5694	echo ""
5695fi
5696
5697if test ! -z "$NO_PEERCHECK" ; then
5698	echo "WARNING: the operating system that you are using does not"
5699	echo "appear to support getpeereid(), getpeerucred() or the"
5700	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5701	echo "enforce security checks to prevent unauthorised connections to"
5702	echo "ssh-agent. Their absence increases the risk that a malicious"
5703	echo "user can connect to your agent."
5704	echo ""
5705fi
5706
5707if test "$AUDIT_MODULE" = "bsm" ; then
5708	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5709	echo "See the Solaris section in README.platform for details."
5710fi
5711