2 # Copyright (c) 1999-2004 Damien Miller
4 # Permission to use, copy, modify, and distribute this software for any
5 # purpose with or without fee is hereby granted, provided that the above
6 # copyright notice and this permission notice appear in all copies.
8 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
17 AC_REVISION($Revision: 1.583 $)
18 AC_CONFIG_SRCDIR([ssh.c])
21 AC_CONFIG_HEADER([config.h])
26 # Checks for programs.
33 AC_CHECK_TOOLS([AR], [ar])
34 AC_PATH_PROG([CAT], [cat])
35 AC_PATH_PROG([KILL], [kill])
36 AC_PATH_PROG([SED], [sed])
37 AC_PATH_PROG([ENT], [ent])
39 AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
40 AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
41 AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
42 AC_PATH_PROG([SH], [sh])
43 AC_PATH_PROG([GROFF], [groff])
44 AC_PATH_PROG([NROFF], [nroff])
45 AC_PATH_PROG([MANDOC], [mandoc])
46 AC_SUBST([TEST_SHELL], [sh])
48 dnl select manpage formatter
49 if test "x$MANDOC" != "x" ; then
51 elif test "x$NROFF" != "x" ; then
52 MANFMT="$NROFF -mandoc"
53 elif test "x$GROFF" != "x" ; then
54 MANFMT="$GROFF -mandoc -Tascii"
56 AC_MSG_WARN([no manpage formatted found])
62 AC_PATH_PROG([PATH_GROUPADD_PROG], [groupadd], [groupadd],
63 [/usr/sbin${PATH_SEPARATOR}/etc])
64 AC_PATH_PROG([PATH_USERADD_PROG], [useradd], [useradd],
65 [/usr/sbin${PATH_SEPARATOR}/etc])
66 AC_CHECK_PROG([MAKE_PACKAGE_SUPPORTED], [pkgmk], [yes], [no])
67 if test -x /sbin/sh; then
68 AC_SUBST([STARTUP_SCRIPT_SHELL], [/sbin/sh])
70 AC_SUBST([STARTUP_SCRIPT_SHELL], [/bin/sh])
76 if test -z "$AR" ; then
77 AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
80 AC_PATH_PROG([PATH_PASSWD_PROG], [passwd])
81 if test ! -z "$PATH_PASSWD_PROG" ; then
82 AC_DEFINE_UNQUOTED([_PATH_PASSWD_PROG], ["$PATH_PASSWD_PROG"],
83 [Full path of your "passwd" program])
86 dnl Since autoconf doesn't support it very well, we no longer allow users to
87 dnl override LD, however keeping the hook here for now in case there's a use
88 dnl use case we overlooked and someone needs to re-enable it. Unless a good
89 dnl reason is found we'll be removing this in future.
95 AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include <limits.h>])
96 AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [
97 #include <sys/types.h>
98 #include <sys/param.h>
99 #include <dev/systrace.h>
101 AC_CHECK_DECL([RLIMIT_NPROC],
102 [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [
103 #include <sys/types.h>
104 #include <sys/resource.h>
106 AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
107 #include <sys/types.h>
108 #include <linux/prctl.h>
112 AC_ARG_WITH([openssl],
113 [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
114 [ if test "x$withval" = "xno" ; then
119 AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
120 if test "x$openssl" = "xyes" ; then
122 AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
127 use_stack_protector=1
128 use_toolchain_hardening=1
129 AC_ARG_WITH([stackprotect],
130 [ --without-stackprotect Don't use compiler's stack protection], [
131 if test "x$withval" = "xno"; then
132 use_stack_protector=0
134 AC_ARG_WITH([hardening],
135 [ --without-hardening Don't use toolchain hardening flags], [
136 if test "x$withval" = "xno"; then
137 use_toolchain_hardening=0
140 # We use -Werror for the tests only so that we catch warnings like "this is
141 # on by default" for things like -fPIE.
142 AC_MSG_CHECKING([if $CC supports -Werror])
143 saved_CFLAGS="$CFLAGS"
144 CFLAGS="$CFLAGS -Werror"
145 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
146 [ AC_MSG_RESULT([yes])
148 [ AC_MSG_RESULT([no])
151 CFLAGS="$saved_CFLAGS"
153 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
154 OSSH_CHECK_CFLAG_COMPILE([-pipe])
155 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
156 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
157 OSSH_CHECK_CFLAG_COMPILE([-Wall])
158 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
159 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
160 OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
161 OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
162 OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
163 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
164 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
165 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
166 if test "x$use_toolchain_hardening" = "x1"; then
167 # Cygwin GCC 7.x allows thunking on the CLI, but produces non-working
168 # code. Unfortunately you only notice this at link time.
172 OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
173 OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
176 OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
177 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
178 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
179 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
180 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
181 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
182 # NB. -ftrapv expects certain support functions to be present in
183 # the compiler library (libgcc or similar) to detect integer operations
184 # that can overflow. We must check that the result of enabling it
185 # actually links. The test program compiled/linked includes a number
186 # of integer operations that should exercise this.
187 OSSH_CHECK_CFLAG_LINK([-ftrapv])
189 AC_MSG_CHECKING([gcc version])
190 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
192 1.*) no_attrib_nonnull=1 ;;
196 2.*) no_attrib_nonnull=1 ;;
199 AC_MSG_RESULT([$GCC_VER])
201 AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
202 saved_CFLAGS="$CFLAGS"
203 CFLAGS="$CFLAGS -fno-builtin-memset"
204 AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <string.h> ]],
205 [[ char b[10]; memset(b, 0, sizeof(b)); ]])],
206 [ AC_MSG_RESULT([yes]) ],
207 [ AC_MSG_RESULT([no])
208 CFLAGS="$saved_CFLAGS" ]
211 # -fstack-protector-all doesn't always work for some GCC versions
212 # and/or platforms, so we test if we can. If it's not supported
213 # on a given platform gcc will emit a warning so we use -Werror.
214 if test "x$use_stack_protector" = "x1"; then
215 for t in -fstack-protector-strong -fstack-protector-all \
216 -fstack-protector; do
217 AC_MSG_CHECKING([if $CC supports $t])
218 saved_CFLAGS="$CFLAGS"
219 saved_LDFLAGS="$LDFLAGS"
220 CFLAGS="$CFLAGS $t -Werror"
221 LDFLAGS="$LDFLAGS $t -Werror"
223 [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
226 snprintf(x, sizeof(x), "XXX");
228 [ AC_MSG_RESULT([yes])
229 CFLAGS="$saved_CFLAGS $t"
230 LDFLAGS="$saved_LDFLAGS $t"
231 AC_MSG_CHECKING([if $t works])
233 [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
236 snprintf(x, sizeof(x), "XXX");
238 [ AC_MSG_RESULT([yes])
240 [ AC_MSG_RESULT([no]) ],
241 [ AC_MSG_WARN([cross compiling: cannot test])
245 [ AC_MSG_RESULT([no]) ]
247 CFLAGS="$saved_CFLAGS"
248 LDFLAGS="$saved_LDFLAGS"
252 if test -z "$have_llong_max"; then
253 # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
254 unset ac_cv_have_decl_LLONG_MAX
255 saved_CFLAGS="$CFLAGS"
256 CFLAGS="$CFLAGS -std=gnu99"
257 AC_CHECK_DECL([LLONG_MAX],
259 [CFLAGS="$saved_CFLAGS"],
260 [#include <limits.h>]
265 AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
269 __attribute__((__unused__)) static void foo(void){return;}]],
271 [ AC_MSG_RESULT([yes]) ],
272 [ AC_MSG_RESULT([no])
273 AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
274 [compiler does not accept __attribute__ on return types]) ]
277 AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
281 typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
283 [ AC_MSG_RESULT([yes]) ],
284 [ AC_MSG_RESULT([no])
285 AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
286 [compiler does not accept __attribute__ on prototype args]) ]
289 if test "x$no_attrib_nonnull" != "x1" ; then
290 AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
294 [ --without-rpath Disable auto-added -R linker paths],
296 if test "x$withval" = "xno" ; then
299 if test "x$withval" = "xyes" ; then
305 # Allow user to specify flags
306 AC_ARG_WITH([cflags],
307 [ --with-cflags Specify additional flags to pass to compiler],
309 if test -n "$withval" && test "x$withval" != "xno" && \
310 test "x${withval}" != "xyes"; then
311 CFLAGS="$CFLAGS $withval"
316 AC_ARG_WITH([cflags-after],
317 [ --with-cflags-after Specify additional flags to pass to compiler after configure],
319 if test -n "$withval" && test "x$withval" != "xno" && \
320 test "x${withval}" != "xyes"; then
321 CFLAGS_AFTER="$withval"
325 AC_ARG_WITH([cppflags],
326 [ --with-cppflags Specify additional flags to pass to preprocessor] ,
328 if test -n "$withval" && test "x$withval" != "xno" && \
329 test "x${withval}" != "xyes"; then
330 CPPFLAGS="$CPPFLAGS $withval"
334 AC_ARG_WITH([ldflags],
335 [ --with-ldflags Specify additional flags to pass to linker],
337 if test -n "$withval" && test "x$withval" != "xno" && \
338 test "x${withval}" != "xyes"; then
339 LDFLAGS="$LDFLAGS $withval"
343 AC_ARG_WITH([ldflags-after],
344 [ --with-ldflags-after Specify additional flags to pass to linker after configure],
346 if test -n "$withval" && test "x$withval" != "xno" && \
347 test "x${withval}" != "xyes"; then
348 LDFLAGS_AFTER="$withval"
353 [ --with-libs Specify additional libraries to link with],
355 if test -n "$withval" && test "x$withval" != "xno" && \
356 test "x${withval}" != "xyes"; then
357 LIBS="$LIBS $withval"
361 AC_ARG_WITH([Werror],
362 [ --with-Werror Build main code with -Werror],
364 if test -n "$withval" && test "x$withval" != "xno"; then
365 werror_flags="-Werror"
366 if test "x${withval}" != "xyes"; then
367 werror_flags="$withval"
406 security/pam_appl.h \
450 # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
451 # to be included first.
452 AC_CHECK_HEADERS([sys/audit.h], [], [], [
453 #ifdef HAVE_SYS_TIME_H
454 # include <sys/time.h>
456 #ifdef HAVE_SYS_TYPES_H
457 # include <sys/types.h>
459 #ifdef HAVE_SYS_LABEL_H
460 # include <sys/label.h>
464 # sys/capsicum.h requires sys/types.h
465 AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
466 #ifdef HAVE_SYS_TYPES_H
467 # include <sys/types.h>
471 # net/route.h requires sys/socket.h and sys/types.h.
472 # sys/sysctl.h also requires sys/param.h
473 AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
474 #ifdef HAVE_SYS_TYPES_H
475 # include <sys/types.h>
477 #include <sys/param.h>
478 #include <sys/socket.h>
481 # lastlog.h requires sys/time.h to be included first on Solaris
482 AC_CHECK_HEADERS([lastlog.h], [], [], [
483 #ifdef HAVE_SYS_TIME_H
484 # include <sys/time.h>
488 # sys/ptms.h requires sys/stream.h to be included first on Solaris
489 AC_CHECK_HEADERS([sys/ptms.h], [], [], [
490 #ifdef HAVE_SYS_STREAM_H
491 # include <sys/stream.h>
495 # login_cap.h requires sys/types.h on NetBSD
496 AC_CHECK_HEADERS([login_cap.h], [], [], [
497 #include <sys/types.h>
500 # older BSDs need sys/param.h before sys/mount.h
501 AC_CHECK_HEADERS([sys/mount.h], [], [], [
502 #include <sys/param.h>
505 # Android requires sys/socket.h to be included before sys/un.h
506 AC_CHECK_HEADERS([sys/un.h], [], [], [
507 #include <sys/types.h>
508 #include <sys/socket.h>
511 # Messages for features tested for in target-specific section
517 # Support for Solaris/Illumos privileges (this test is used by both
518 # the --with-solaris-privs option and --with-sandbox=solaris).
521 # Check for some target-specific stuff
524 # Some versions of VAC won't allow macro redefinitions at
525 # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
526 # particularly with older versions of vac or xlc.
527 # It also throws errors about null macro arguments, but these are
529 AC_MSG_CHECKING([if compiler allows macro redefinitions])
532 #define testmacro foo
533 #define testmacro bar]],
535 [ AC_MSG_RESULT([yes]) ],
536 [ AC_MSG_RESULT([no])
537 CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
538 CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
539 CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
543 AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
544 if (test -z "$blibpath"); then
545 blibpath="/usr/lib:/lib"
547 saved_LDFLAGS="$LDFLAGS"
548 if test "$GCC" = "yes"; then
549 flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
551 flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
553 for tryflags in $flags ;do
554 if (test -z "$blibflags"); then
555 LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
556 AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
557 [blibflags=$tryflags], [])
560 if (test -z "$blibflags"); then
561 AC_MSG_RESULT([not found])
562 AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
564 AC_MSG_RESULT([$blibflags])
566 LDFLAGS="$saved_LDFLAGS"
567 dnl Check for authenticate. Might be in libs.a on older AIXes
568 AC_CHECK_FUNC([authenticate], [AC_DEFINE([WITH_AIXAUTHENTICATE], [1],
569 [Define if you want to enable AIX4's authenticate function])],
570 [AC_CHECK_LIB([s], [authenticate],
571 [ AC_DEFINE([WITH_AIXAUTHENTICATE])
575 dnl Check for various auth function declarations in headers.
576 AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
577 passwdexpired, setauthdb], , , [#include <usersec.h>])
578 dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
579 AC_CHECK_DECLS([loginfailed],
580 [AC_MSG_CHECKING([if loginfailed takes 4 arguments])
581 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <usersec.h> ]],
582 [[ (void)loginfailed("user","host","tty",0); ]])],
583 [AC_MSG_RESULT([yes])
584 AC_DEFINE([AIX_LOGINFAILED_4ARG], [1],
585 [Define if your AIX loginfailed() function
586 takes 4 arguments (AIX >= 5.2)])], [AC_MSG_RESULT([no])
589 [#include <usersec.h>]
591 AC_CHECK_FUNCS([getgrset setauthdb])
592 AC_CHECK_DECL([F_CLOSEM],
593 AC_DEFINE([HAVE_FCNTL_CLOSEM], [1], [Use F_CLOSEM fcntl for closefrom]),
595 [ #include <limits.h>
598 check_for_aix_broken_getaddrinfo=1
599 AC_DEFINE([BROKEN_REALPATH], [1], [Define if you have a broken realpath.])
600 AC_DEFINE([SETEUID_BREAKS_SETUID], [1],
601 [Define if your platform breaks doing a seteuid before a setuid])
602 AC_DEFINE([BROKEN_SETREUID], [1], [Define if your setreuid() is broken])
603 AC_DEFINE([BROKEN_SETREGID], [1], [Define if your setregid() is broken])
604 dnl AIX handles lastlog as part of its login message
605 AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
606 AC_DEFINE([LOGIN_NEEDS_UTMPX], [1],
607 [Some systems need a utmpx entry for /bin/login to work])
608 AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
609 [Define to a Set Process Title type if your system is
610 supported by bsd-setproctitle.c])
611 AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
612 [AIX 5.2 and 5.3 (and presumably newer) require this])
613 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
614 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
615 AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
616 AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
619 AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
620 AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
623 check_for_libcrypt_later=1
624 LIBS="$LIBS /usr/lib/textreadmode.o"
625 AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
626 AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
627 AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
628 [Define to disable UID restoration test])
629 AC_DEFINE([DISABLE_SHADOW], [1],
630 [Define if you want to disable shadow passwords])
631 AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
632 [Define if X11 doesn't support AF_UNIX sockets on that system])
633 AC_DEFINE([DISABLE_FD_PASSING], [1],
634 [Define if your platform needs to skip post auth
635 file descriptor passing])
636 AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
637 AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters])
638 # Cygwin defines optargs, optargs as declspec(dllimport) for historical
639 # reasons which cause compile warnings, so we disable those warnings.
640 OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
643 AC_DEFINE([IP_TOS_IS_BROKEN], [1],
644 [Define if your system choked on IP TOS setting])
645 AC_DEFINE([SETEUID_BREAKS_SETUID])
646 AC_DEFINE([BROKEN_SETREUID])
647 AC_DEFINE([BROKEN_SETREGID])
651 AC_MSG_CHECKING([if we have working getaddrinfo])
652 AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
653 main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
659 [AC_MSG_RESULT([working])],
660 [AC_MSG_RESULT([buggy])
661 AC_DEFINE([BROKEN_GETADDRINFO], [1],
662 [getaddrinfo is broken (if present)])
664 [AC_MSG_RESULT([assume it is working])])
665 AC_DEFINE([SETEUID_BREAKS_SETUID])
666 AC_DEFINE([BROKEN_SETREUID])
667 AC_DEFINE([BROKEN_SETREGID])
668 AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
669 AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
670 [Define if your resolver libs need this for getrrsetbyname])
671 AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
672 AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
673 [Use tunnel device compatibility to OpenBSD])
674 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
675 [Prepend the address family to IP tunnel traffic])
676 m4_pattern_allow([AU_IPv])
677 AC_CHECK_DECL([AU_IPv4], [],
678 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
679 [#include <bsm/audit.h>]
680 AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
681 [Define if pututxline updates lastlog too])
683 AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
684 [Define to a Set Process Title type if your system is
685 supported by bsd-setproctitle.c])
686 AC_CHECK_FUNCS([sandbox_init])
687 AC_CHECK_HEADERS([sandbox.h])
688 AC_CHECK_LIB([sandbox], [sandbox_apply], [
689 SSHDLIBS="$SSHDLIBS -lsandbox"
693 SSHDLIBS="$SSHDLIBS -lcrypt"
694 TEST_MALLOC_OPTIONS="AFGJPRX"
698 AC_CHECK_LIB([network], [socket])
699 AC_DEFINE([HAVE_U_INT64_T])
703 # first we define all of the options common to all HP-UX releases
704 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
705 IPADDR_IN_DISPLAY=yes
706 AC_DEFINE([USE_PIPES])
707 AC_DEFINE([LOGIN_NEEDS_UTMPX])
708 AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
709 [String used in /etc/passwd to denote locked account])
710 AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
711 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
714 AC_CHECK_LIB([xnet], [t_error], ,
715 [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
717 # next, we define all of the options specific to major releases
720 if test -z "$GCC"; then
725 AC_DEFINE([PAM_SUN_CODEBASE], [1],
726 [Define if you are using Solaris-derived PAM which
727 passes pam_messages to the conversation function
728 with an extra level of indirection])
729 AC_DEFINE([DISABLE_UTMP], [1],
730 [Define if you don't want to use utmp])
731 AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
732 check_for_hpux_broken_getaddrinfo=1
733 check_for_conflicting_getspnam=1
737 # lastly, we define options specific to minor releases
740 AC_DEFINE([HAVE_SECUREWARE], [1],
741 [Define if you have SecureWare-based
742 protected password database])
743 disable_ptmx_check=yes
749 PATH="$PATH:/usr/etc"
750 AC_DEFINE([BROKEN_INET_NTOA], [1],
751 [Define if you system's inet_ntoa is busted
752 (e.g. Irix gcc issue)])
753 AC_DEFINE([SETEUID_BREAKS_SETUID])
754 AC_DEFINE([BROKEN_SETREUID])
755 AC_DEFINE([BROKEN_SETREGID])
756 AC_DEFINE([WITH_ABBREV_NO_TTY], [1],
757 [Define if you shouldn't strip 'tty' from your
759 AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
762 PATH="$PATH:/usr/etc"
763 AC_DEFINE([WITH_IRIX_ARRAY], [1],
764 [Define if you have/want arrays
765 (cluster-wide session management, not C arrays)])
766 AC_DEFINE([WITH_IRIX_PROJECT], [1],
767 [Define if you want IRIX project management])
768 AC_DEFINE([WITH_IRIX_AUDIT], [1],
769 [Define if you want IRIX audit trails])
770 AC_CHECK_FUNC([jlimit_startjob], [AC_DEFINE([WITH_IRIX_JOBS], [1],
771 [Define if you want IRIX kernel jobs])])
772 AC_DEFINE([BROKEN_INET_NTOA])
773 AC_DEFINE([SETEUID_BREAKS_SETUID])
774 AC_DEFINE([BROKEN_SETREUID])
775 AC_DEFINE([BROKEN_SETREGID])
776 AC_DEFINE([BROKEN_UPDWTMPX], [1], [updwtmpx is broken (if present)])
777 AC_DEFINE([WITH_ABBREV_NO_TTY])
778 AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
780 *-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
781 check_for_libcrypt_later=1
782 AC_DEFINE([PAM_TTY_KLUDGE])
783 AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"])
784 AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
785 AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
786 AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
791 check_for_libcrypt_later=1
792 check_for_openpty_ctty_bug=1
793 dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
794 dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
795 CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
796 AC_DEFINE([PAM_TTY_KLUDGE], [1],
797 [Work around problematic Linux PAM modules handling of PAM_TTY])
798 AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
799 [String used in /etc/passwd to denote locked account])
800 AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
801 AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
802 [Define to whatever link() returns for "not supported"
803 if it doesn't return EOPNOTSUPP.])
804 AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
805 AC_DEFINE([USE_BTMP])
806 AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
807 inet6_default_4in6=yes
810 AC_DEFINE([BROKEN_CMSG_TYPE], [1],
811 [Define if cmsg_type is not passed correctly])
814 # tun(4) forwarding compat code
815 AC_CHECK_HEADERS([linux/if_tun.h])
816 if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
817 AC_DEFINE([SSH_TUN_LINUX], [1],
818 [Open tunnel devices the Linux tun/tap way])
819 AC_DEFINE([SSH_TUN_COMPAT_AF], [1],
820 [Use tunnel device compatibility to OpenBSD])
821 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
822 [Prepend the address family to IP tunnel traffic])
824 AC_CHECK_HEADER([linux/if.h],
825 AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
826 [Support routing domains using Linux VRF]), [], [
827 #ifdef HAVE_SYS_TYPES_H
828 # include <sys/types.H>
831 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
832 [], [#include <linux/types.h>])
836 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
837 #if _MIPS_SIM != _ABIO32
840 ]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
841 #if _MIPS_SIM != _ABIN32
844 ]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
845 #if _MIPS_SIM != _ABI64
848 ]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
854 AC_MSG_CHECKING([for seccomp architecture])
858 seccomp_audit_arch=AUDIT_ARCH_X86_64
861 seccomp_audit_arch=AUDIT_ARCH_I386
864 seccomp_audit_arch=AUDIT_ARCH_ARM
867 seccomp_audit_arch=AUDIT_ARCH_AARCH64
870 seccomp_audit_arch=AUDIT_ARCH_S390X
873 seccomp_audit_arch=AUDIT_ARCH_S390
876 seccomp_audit_arch=AUDIT_ARCH_PPC64
879 seccomp_audit_arch=AUDIT_ARCH_PPC64LE
882 seccomp_audit_arch=AUDIT_ARCH_MIPS
885 seccomp_audit_arch=AUDIT_ARCH_MIPSEL
890 seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
893 seccomp_audit_arch=AUDIT_ARCH_MIPS64
900 seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
903 seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
908 if test "x$seccomp_audit_arch" != "x" ; then
909 AC_MSG_RESULT(["$seccomp_audit_arch"])
910 AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
911 [Specify the system call convention in use])
913 AC_MSG_RESULT([architecture not supported])
916 mips-sony-bsd|mips-sony-newsos4)
917 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
921 check_for_libcrypt_before=1
922 if test "x$withval" != "xno" ; then
925 CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
926 AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
927 AC_CHECK_HEADER([net/if_tap.h], ,
928 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
929 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
930 [Prepend the address family to IP tunnel traffic])
931 TEST_MALLOC_OPTIONS="AJRX"
932 AC_DEFINE([BROKEN_READ_COMPARISON], [1],
933 [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
936 check_for_libcrypt_later=1
937 AC_DEFINE([LOCKED_PASSWD_PREFIX], ["*LOCKED*"], [Account locked with pw(1)])
938 AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
939 AC_CHECK_HEADER([net/if_tap.h], ,
940 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
941 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
942 TEST_MALLOC_OPTIONS="AJRX"
943 # Preauth crypto occasionally uses file descriptors for crypto offload
944 # and will crash if they cannot be opened.
945 AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
946 [define if setrlimit RLIMIT_NOFILE breaks things])
949 AC_DEFINE([SETEUID_BREAKS_SETUID])
950 AC_DEFINE([BROKEN_SETREUID])
951 AC_DEFINE([BROKEN_SETREGID])
954 conf_lastlog_location="/usr/adm/lastlog"
955 conf_utmp_location=/etc/utmp
956 conf_wtmp_location=/usr/adm/wtmp
957 maildir=/usr/spool/mail
958 AC_DEFINE([HAVE_NEXT], [1], [Define if you are on NeXT])
959 AC_DEFINE([BROKEN_REALPATH])
960 AC_DEFINE([USE_PIPES])
961 AC_DEFINE([BROKEN_SAVED_UIDS], [1], [Needed for NeXT])
965 AC_DEFINE([HAVE_ATTRIBUTE__SENTINEL__], [1], [OpenBSD's gcc has sentinel])
966 AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD's gcc has bounded])
967 AC_DEFINE([SSH_TUN_OPENBSD], [1], [Open tunnel devices the OpenBSD way])
968 AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
969 [syslog_r function is safe to use in in a signal handler])
970 TEST_MALLOC_OPTIONS="AFGJPRX"
973 if test "x$withval" != "xno" ; then
976 AC_DEFINE([PAM_SUN_CODEBASE])
977 AC_DEFINE([LOGIN_NEEDS_UTMPX])
978 AC_DEFINE([PAM_TTY_KLUDGE])
979 AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
980 [Define if pam_chauthtok wants real uid set
981 to the unpriv'ed user])
982 AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
983 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
984 AC_DEFINE([SSHD_ACQUIRES_CTTY], [1],
985 [Define if sshd somehow reacquires a controlling TTY
987 AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
988 in case the name is longer than 8 chars])
989 AC_DEFINE([BROKEN_TCGETATTR_ICANON], [1], [tcgetattr with ICANON may hang])
990 external_path_file=/etc/default/login
991 # hardwire lastlog location (can't detect it on some versions)
992 conf_lastlog_location="/var/adm/lastlog"
993 AC_MSG_CHECKING([for obsolete utmp and wtmp in solaris2.x])
994 sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
995 if test "$sol2ver" -ge 8; then
997 AC_DEFINE([DISABLE_UTMP])
998 AC_DEFINE([DISABLE_WTMP], [1],
999 [Define if you don't want to use wtmp])
1003 AC_CHECK_FUNCS([setpflags])
1004 AC_CHECK_FUNCS([setppriv])
1005 AC_CHECK_FUNCS([priv_basicset])
1006 AC_CHECK_HEADERS([priv.h])
1007 AC_ARG_WITH([solaris-contracts],
1008 [ --with-solaris-contracts Enable Solaris process contracts (experimental)],
1010 AC_CHECK_LIB([contract], [ct_tmpl_activate],
1011 [ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
1012 [Define if you have Solaris process contracts])
1013 LIBS="$LIBS -lcontract"
1017 AC_ARG_WITH([solaris-projects],
1018 [ --with-solaris-projects Enable Solaris projects (experimental)],
1020 AC_CHECK_LIB([project], [setproject],
1021 [ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
1022 [Define if you have Solaris projects])
1023 LIBS="$LIBS -lproject"
1027 AC_ARG_WITH([solaris-privs],
1028 [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
1030 AC_MSG_CHECKING([for Solaris/Illumos privilege support])
1031 if test "x$ac_cv_func_setppriv" = "xyes" -a \
1032 "x$ac_cv_header_priv_h" = "xyes" ; then
1034 AC_MSG_RESULT([found])
1035 AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
1036 [Define to disable UID restoration test])
1037 AC_DEFINE([USE_SOLARIS_PRIVS], [1],
1038 [Define if you have Solaris privileges])
1041 AC_MSG_RESULT([not found])
1042 AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1046 TEST_SHELL=$SHELL # let configure find us a capable shell
1049 CPPFLAGS="$CPPFLAGS -DSUNOS4"
1050 AC_CHECK_FUNCS([getpwanam])
1051 AC_DEFINE([PAM_SUN_CODEBASE])
1052 conf_utmp_location=/etc/utmp
1053 conf_wtmp_location=/var/adm/wtmp
1054 conf_lastlog_location=/var/adm/lastlog
1055 AC_DEFINE([USE_PIPES])
1056 AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
1060 AC_DEFINE([USE_PIPES])
1061 AC_DEFINE([SSHD_ACQUIRES_CTTY])
1062 AC_DEFINE([SETEUID_BREAKS_SETUID])
1063 AC_DEFINE([BROKEN_SETREUID])
1064 AC_DEFINE([BROKEN_SETREGID])
1067 # /usr/ucblib MUST NOT be searched on ReliantUNIX
1068 AC_CHECK_LIB([dl], [dlsym], ,)
1069 # -lresolv needs to be at the end of LIBS or DNS lookups break
1070 AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1071 IPADDR_IN_DISPLAY=yes
1072 AC_DEFINE([USE_PIPES])
1073 AC_DEFINE([IP_TOS_IS_BROKEN])
1074 AC_DEFINE([SETEUID_BREAKS_SETUID])
1075 AC_DEFINE([BROKEN_SETREUID])
1076 AC_DEFINE([BROKEN_SETREGID])
1077 AC_DEFINE([SSHD_ACQUIRES_CTTY])
1078 external_path_file=/etc/default/login
1079 # /usr/ucblib/libucb.a no longer needed on ReliantUNIX
1080 # Attention: always take care to bind libsocket and libnsl before libc,
1081 # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
1083 # UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
1085 AC_DEFINE([USE_PIPES])
1086 AC_DEFINE([SETEUID_BREAKS_SETUID])
1087 AC_DEFINE([BROKEN_SETREUID])
1088 AC_DEFINE([BROKEN_SETREGID])
1089 AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1090 AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1091 TEST_SHELL=$SHELL # let configure find us a capable shell
1093 # UnixWare 7.x, OpenUNIX 8
1095 CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1096 AC_DEFINE([UNIXWARE_LONG_PASSWORDS], [1], [Support passwords > 8 chars])
1097 AC_DEFINE([USE_PIPES])
1098 AC_DEFINE([SETEUID_BREAKS_SETUID])
1099 AC_DEFINE([BROKEN_GETADDRINFO])
1100 AC_DEFINE([BROKEN_SETREUID])
1101 AC_DEFINE([BROKEN_SETREGID])
1102 AC_DEFINE([PASSWD_NEEDS_USERNAME])
1103 AC_DEFINE([BROKEN_TCGETATTR_ICANON])
1104 TEST_SHELL=$SHELL # let configure find us a capable shell
1105 check_for_libcrypt_later=1
1107 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
1108 maildir=/var/spool/mail
1109 AC_DEFINE([BROKEN_UPDWTMPX])
1110 AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1111 AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1114 *) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
1120 # SCO UNIX and OEM versions of SCO UNIX
1122 AC_MSG_ERROR("This Platform is no longer supported.")
1124 # SCO OpenServer 5.x
1126 if test -z "$GCC"; then
1127 CFLAGS="$CFLAGS -belf"
1129 LIBS="$LIBS -lprot -lx -ltinfo -lm"
1131 AC_DEFINE([USE_PIPES])
1132 AC_DEFINE([HAVE_SECUREWARE])
1133 AC_DEFINE([DISABLE_SHADOW])
1134 AC_DEFINE([DISABLE_FD_PASSING])
1135 AC_DEFINE([SETEUID_BREAKS_SETUID])
1136 AC_DEFINE([BROKEN_GETADDRINFO])
1137 AC_DEFINE([BROKEN_SETREUID])
1138 AC_DEFINE([BROKEN_SETREGID])
1139 AC_DEFINE([WITH_ABBREV_NO_TTY])
1140 AC_DEFINE([BROKEN_UPDWTMPX])
1141 AC_DEFINE([PASSWD_NEEDS_USERNAME])
1142 AC_CHECK_FUNCS([getluid setluid])
1144 TEST_SHELL=$SHELL # let configure find us a capable shell
1145 SKIP_DISABLE_LASTLOG_DEFINE=yes
1148 AC_MSG_CHECKING([for Digital Unix SIA])
1150 AC_ARG_WITH([osfsia],
1151 [ --with-osfsia Enable Digital Unix SIA],
1153 if test "x$withval" = "xno" ; then
1154 AC_MSG_RESULT([disabled])
1159 if test -z "$no_osfsia" ; then
1160 if test -f /etc/sia/matrix.conf; then
1161 AC_MSG_RESULT([yes])
1162 AC_DEFINE([HAVE_OSF_SIA], [1],
1163 [Define if you have Digital Unix Security
1164 Integration Architecture])
1165 AC_DEFINE([DISABLE_LOGIN], [1],
1166 [Define if you don't want to use your
1167 system's login() call])
1168 AC_DEFINE([DISABLE_FD_PASSING])
1169 LIBS="$LIBS -lsecurity -ldb -lm -laud"
1173 AC_DEFINE([LOCKED_PASSWD_SUBSTR], ["Nologin"],
1174 [String used in /etc/passwd to denote locked account])
1177 AC_DEFINE([BROKEN_GETADDRINFO])
1178 AC_DEFINE([SETEUID_BREAKS_SETUID])
1179 AC_DEFINE([BROKEN_SETREUID])
1180 AC_DEFINE([BROKEN_SETREGID])
1181 AC_DEFINE([BROKEN_READV_COMPARISON], [1], [Can't do comparisons on readv])
1185 AC_DEFINE([USE_PIPES])
1186 AC_DEFINE([NO_X11_UNIX_SOCKETS])
1187 AC_DEFINE([DISABLE_LASTLOG])
1188 AC_DEFINE([SSHD_ACQUIRES_CTTY])
1189 AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
1190 enable_etc_default_login=no # has incompatible /etc/default/login
1193 AC_DEFINE([DISABLE_FD_PASSING])
1199 AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1200 AC_DEFINE([NEED_SETPGRP])
1201 AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
1205 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1206 AC_DEFINE([BROKEN_SETVBUF], [1],
1207 [LynxOS has broken setvbuf() implementation])
1211 AC_MSG_CHECKING([compiler and flags for sanity])
1212 AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
1213 [ AC_MSG_RESULT([yes]) ],
1216 AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
1218 [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
1221 dnl Checks for header files.
1222 # Checks for libraries.
1223 AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
1225 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
1226 AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS([libgen.h])] , [
1227 AC_CHECK_LIB([gen], [dirname], [
1228 AC_CACHE_CHECK([for broken dirname],
1229 ac_cv_have_broken_dirname, [
1237 int main(int argc, char **argv) {
1240 strncpy(buf,"/etc", 32);
1242 if (!s || strncmp(s, "/", 32) != 0) {
1249 [ ac_cv_have_broken_dirname="no" ],
1250 [ ac_cv_have_broken_dirname="yes" ],
1251 [ ac_cv_have_broken_dirname="no" ],
1255 if test "x$ac_cv_have_broken_dirname" = "xno" ; then
1257 AC_DEFINE([HAVE_DIRNAME])
1258 AC_CHECK_HEADERS([libgen.h])
1263 AC_CHECK_FUNC([getspnam], ,
1264 [AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1265 AC_SEARCH_LIBS([basename], [gen], [AC_DEFINE([HAVE_BASENAME], [1],
1266 [Define if you have the basename function.])])
1268 dnl zlib is required
1270 [ --with-zlib=PATH Use zlib in PATH],
1271 [ if test "x$withval" = "xno" ; then
1272 AC_MSG_ERROR([*** zlib is required ***])
1273 elif test "x$withval" != "xyes"; then
1274 if test -d "$withval/lib"; then
1275 if test -n "${need_dash_r}"; then
1276 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1278 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1281 if test -n "${need_dash_r}"; then
1282 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1284 LDFLAGS="-L${withval} ${LDFLAGS}"
1287 if test -d "$withval/include"; then
1288 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1290 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1295 AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])])
1296 AC_CHECK_LIB([z], [deflate], ,
1298 saved_CPPFLAGS="$CPPFLAGS"
1299 saved_LDFLAGS="$LDFLAGS"
1301 dnl Check default zlib install dir
1302 if test -n "${need_dash_r}"; then
1303 LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}"
1305 LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1307 CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1309 AC_TRY_LINK_FUNC([deflate], [AC_DEFINE([HAVE_LIBZ])],
1311 AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1317 AC_ARG_WITH([zlib-version-check],
1318 [ --without-zlib-version-check Disable zlib version check],
1319 [ if test "x$withval" = "xno" ; then
1320 zlib_check_nonfatal=1
1325 AC_MSG_CHECKING([for possibly buggy zlib])
1326 AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1332 int a=0, b=0, c=0, d=0, n, v;
1333 n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
1334 if (n != 3 && n != 4)
1336 v = a*1000000 + b*10000 + c*100 + d;
1337 fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
1340 if (a == 1 && b == 1 && c >= 4)
1343 /* 1.2.3 and up are OK */
1349 AC_MSG_RESULT([no]),
1350 [ AC_MSG_RESULT([yes])
1351 if test -z "$zlib_check_nonfatal" ; then
1352 AC_MSG_ERROR([*** zlib too old - check config.log ***
1353 Your reported zlib version has known security problems. It's possible your
1354 vendor has fixed these problems without changing the version number. If you
1355 are sure this is the case, you can disable the check by running
1356 "./configure --without-zlib-version-check".
1357 If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1358 See http://www.gzip.org/zlib/ for details.])
1360 AC_MSG_WARN([zlib version may have security problems])
1363 [ AC_MSG_WARN([cross compiling: not checking zlib version]) ]
1367 AC_CHECK_FUNC([strcasecmp],
1368 [], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1370 AC_CHECK_FUNCS([utimes],
1371 [], [ AC_CHECK_LIB([c89], [utimes], [AC_DEFINE([HAVE_UTIMES])
1372 LIBS="$LIBS -lc89"]) ]
1375 dnl Checks for libutil functions
1376 AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1377 AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1378 AC_SEARCH_LIBS([scan_scaled], [util bsd])
1379 AC_SEARCH_LIBS([login], [util bsd])
1380 AC_SEARCH_LIBS([logout], [util bsd])
1381 AC_SEARCH_LIBS([logwtmp], [util bsd])
1382 AC_SEARCH_LIBS([openpty], [util bsd])
1383 AC_SEARCH_LIBS([updwtmp], [util bsd])
1384 AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1386 # On some platforms, inet_ntop and gethostbyname may be found in libresolv
1388 AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
1389 AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
1391 # "Particular Function Checks"
1392 # see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1396 # autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
1397 AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1400 [[ #include <stdlib.h> ]],
1401 [[ void *p = calloc(0, 1); exit(p == NULL); ]]
1403 [ func_calloc_0_nonnull=yes ],
1404 [ func_calloc_0_nonnull=no ],
1405 [ AC_MSG_WARN([cross compiling: assuming same as malloc])
1406 func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
1408 AC_MSG_RESULT([$func_calloc_0_nonnull])
1410 if test "x$func_calloc_0_nonnull" = "xyes"; then
1411 AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1413 AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
1414 AC_DEFINE(calloc, rpl_calloc,
1415 [Define to rpl_calloc if the replacement function should be used.])
1418 # Check for ALTDIRFUNC glob() extension
1419 AC_MSG_CHECKING([for GLOB_ALTDIRFUNC support])
1420 AC_EGREP_CPP([FOUNDIT],
1423 #ifdef GLOB_ALTDIRFUNC
1428 AC_DEFINE([GLOB_HAS_ALTDIRFUNC], [1],
1429 [Define if your system glob() function has
1430 the GLOB_ALTDIRFUNC extension])
1431 AC_MSG_RESULT([yes])
1438 # Check for g.gl_matchc glob() extension
1439 AC_MSG_CHECKING([for gl_matchc field in glob_t])
1440 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]],
1441 [[ glob_t g; g.gl_matchc = 1; ]])],
1443 AC_DEFINE([GLOB_HAS_GL_MATCHC], [1],
1444 [Define if your system glob() function has
1445 gl_matchc options in glob_t])
1446 AC_MSG_RESULT([yes])
1451 # Check for g.gl_statv glob() extension
1452 AC_MSG_CHECKING([for gl_statv and GLOB_KEEPSTAT extensions for glob])
1453 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <glob.h> ]], [[
1454 #ifndef GLOB_KEEPSTAT
1455 #error "glob does not support GLOB_KEEPSTAT extension"
1461 AC_DEFINE([GLOB_HAS_GL_STATV], [1],
1462 [Define if your system glob() function has
1463 gl_statv options in glob_t])
1464 AC_MSG_RESULT([yes])
1470 AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
1472 AC_CHECK_DECL([VIS_ALL], ,
1473 AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
1475 AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
1478 #include <sys/types.h>
1479 #include <dirent.h>]],
1482 exit(sizeof(d.d_name)<=sizeof(char));
1484 [AC_MSG_RESULT([yes])],
1487 AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME], [1],
1488 [Define if your struct dirent expects you to
1489 allocate extra space for d_name])
1492 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
1493 AC_DEFINE([BROKEN_ONE_BYTE_DIRENT_D_NAME])
1497 AC_MSG_CHECKING([for /proc/pid/fd directory])
1498 if test -d "/proc/$$/fd" ; then
1499 AC_DEFINE([HAVE_PROC_PID], [1], [Define if you have /proc/$pid/fd])
1500 AC_MSG_RESULT([yes])
1505 # Check whether user wants TCP wrappers support
1507 AC_ARG_WITH([tcp-wrappers],
1508 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1510 if test "x$withval" != "xno" ; then
1512 saved_LDFLAGS="$LDFLAGS"
1513 saved_CPPFLAGS="$CPPFLAGS"
1514 if test -n "${withval}" && \
1515 test "x${withval}" != "xyes"; then
1516 if test -d "${withval}/lib"; then
1517 if test -n "${need_dash_r}"; then
1518 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1520 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1523 if test -n "${need_dash_r}"; then
1524 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1526 LDFLAGS="-L${withval} ${LDFLAGS}"
1529 if test -d "${withval}/include"; then
1530 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1532 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1536 AC_MSG_CHECKING([for libwrap])
1537 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
1538 #include <sys/types.h>
1539 #include <sys/socket.h>
1540 #include <netinet/in.h>
1542 int deny_severity = 0, allow_severity = 0;
1546 AC_MSG_RESULT([yes])
1547 AC_DEFINE([LIBWRAP], [1],
1549 TCP Wrappers support])
1550 SSHDLIBS="$SSHDLIBS -lwrap"
1553 AC_MSG_ERROR([*** libwrap missing])
1560 # Check whether user wants to use ldns
1563 [ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)],
1566 if test "x$withval" = "xyes" ; then
1567 AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1568 if test "x$LDNSCONFIG" = "xno"; then
1569 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1570 LDFLAGS="$LDFLAGS -L${withval}/lib"
1574 LIBS="$LIBS `$LDNSCONFIG --libs`"
1575 CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1578 elif test "x$withval" != "xno" ; then
1579 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1580 LDFLAGS="$LDFLAGS -L${withval}/lib"
1585 # Verify that it works.
1586 if test "x$ldns" = "xyes" ; then
1587 AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
1589 AC_MSG_CHECKING([for ldns support])
1595 #include <ldns/ldns.h>
1596 int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
1599 [AC_MSG_RESULT(yes)],
1602 AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
1607 # Check whether user wants libedit support
1609 AC_ARG_WITH([libedit],
1610 [ --with-libedit[[=PATH]] Enable libedit support for sftp],
1611 [ if test "x$withval" != "xno" ; then
1612 if test "x$withval" = "xyes" ; then
1613 AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
1614 if test "x$PKGCONFIG" != "xno"; then
1615 AC_MSG_CHECKING([if $PKGCONFIG knows about libedit])
1616 if "$PKGCONFIG" libedit; then
1617 AC_MSG_RESULT([yes])
1618 use_pkgconfig_for_libedit=yes
1624 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1625 if test -n "${need_dash_r}"; then
1626 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1628 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1631 if test "x$use_pkgconfig_for_libedit" = "xyes"; then
1632 LIBEDIT=`$PKGCONFIG --libs libedit`
1633 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1635 LIBEDIT="-ledit -lcurses"
1637 OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1638 AC_CHECK_LIB([edit], [el_init],
1639 [ AC_DEFINE([USE_LIBEDIT], [1], [Use libedit for sftp])
1643 [ AC_MSG_ERROR([libedit not found]) ],
1646 AC_MSG_CHECKING([if libedit version is compatible])
1648 [AC_LANG_PROGRAM([[ #include <histedit.h> ]],
1651 el_init("", NULL, NULL, NULL);
1654 [ AC_MSG_RESULT([yes]) ],
1655 [ AC_MSG_RESULT([no])
1656 AC_MSG_ERROR([libedit version is not compatible]) ]
1662 AC_ARG_WITH([audit],
1663 [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
1665 AC_MSG_CHECKING([for supported audit module])
1668 AC_MSG_RESULT([bsm])
1670 dnl Checks for headers, libs and functions
1671 AC_CHECK_HEADERS([bsm/audit.h], [],
1672 [AC_MSG_ERROR([BSM enabled and bsm/audit.h not found])],
1679 AC_CHECK_LIB([bsm], [getaudit], [],
1680 [AC_MSG_ERROR([BSM enabled and required library not found])])
1681 AC_CHECK_FUNCS([getaudit], [],
1682 [AC_MSG_ERROR([BSM enabled and required function not found])])
1683 # These are optional
1684 AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
1685 AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
1686 if test "$sol2ver" -ge 11; then
1687 SSHDLIBS="$SSHDLIBS -lscf"
1688 AC_DEFINE([BROKEN_BSM_API], [1],
1689 [The system has incomplete BSM API])
1693 AC_MSG_RESULT([linux])
1695 dnl Checks for headers, libs and functions
1696 AC_CHECK_HEADERS([libaudit.h])
1697 SSHDLIBS="$SSHDLIBS -laudit"
1698 AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
1702 AC_MSG_RESULT([debug])
1703 AC_DEFINE([SSH_AUDIT_EVENTS], [1], [Use audit debugging module])
1709 AC_MSG_ERROR([Unknown audit module $withval])
1715 [ --with-pie Build Position Independent Executables if possible], [
1716 if test "x$withval" = "xno"; then
1719 if test "x$withval" = "xyes"; then
1724 if test "x$use_pie" = "x"; then
1727 if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
1728 # Turn off automatic PIE when toolchain hardening is off.
1731 if test "x$use_pie" = "xauto"; then
1732 # Automatic PIE requires gcc >= 4.x
1733 AC_MSG_CHECKING([for gcc >= 4.x])
1734 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
1735 #if !defined(__GNUC__) || __GNUC__ < 4
1736 #error gcc is too old
1739 [ AC_MSG_RESULT([yes]) ],
1740 [ AC_MSG_RESULT([no])
1744 if test "x$use_pie" != "xno"; then
1745 SAVED_CFLAGS="$CFLAGS"
1746 SAVED_LDFLAGS="$LDFLAGS"
1747 OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1748 OSSH_CHECK_LDFLAG_LINK([-pie])
1749 # We use both -fPIE and -pie or neither.
1750 AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1751 if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
1752 echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
1753 AC_MSG_RESULT([yes])
1756 CFLAGS="$SAVED_CFLAGS"
1757 LDFLAGS="$SAVED_LDFLAGS"
1761 dnl Checks for library functions. Please keep in alphabetical order
1763 Blowfish_initstate \
1764 Blowfish_expandstate \
1765 Blowfish_expand0state \
1766 Blowfish_stream2word \
1887 AC_CHECK_DECLS([bzero])
1889 dnl Wide character support.
1890 AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
1892 TEST_SSH_UTF8=${TEST_SSH_UTF8:=yes}
1893 AC_MSG_CHECKING([for utf8 locale support])
1899 char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
1907 AC_MSG_WARN([cross compiling: assuming yes])
1912 [[ #include <ctype.h> ]],
1913 [[ return (isblank('a')); ]])],
1914 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1918 AC_ARG_ENABLE([pkcs11],
1919 [ --disable-pkcs11 disable PKCS#11 support code [no]],
1921 if test "x$enableval" = "xno" ; then
1927 # PKCS11 depends on OpenSSL.
1928 if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
1929 # PKCS#11 support requires dlopen() and co
1930 AC_SEARCH_LIBS([dlopen], [dl],
1931 AC_CHECK_DECL([RTLD_NOW],
1932 AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]),
1933 [], [#include <dlfcn.h>]
1938 # IRIX has a const char return value for gai_strerror()
1939 AC_CHECK_FUNCS([gai_strerror], [
1940 AC_DEFINE([HAVE_GAI_STRERROR])
1941 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1942 #include <sys/types.h>
1943 #include <sys/socket.h>
1946 const char *gai_strerror(int);
1949 str = gai_strerror(0);
1951 AC_DEFINE([HAVE_CONST_GAI_STRERROR_PROTO], [1],
1952 [Define if gai_strerror() returns const char *])], [])])
1954 AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1955 [Some systems put nanosleep outside of libc])])
1957 AC_SEARCH_LIBS([clock_gettime], [rt],
1958 [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1960 dnl Make sure prototypes are defined for these before using them.
1961 AC_CHECK_DECL([strsep],
1962 [AC_CHECK_FUNCS([strsep])],
1965 #ifdef HAVE_STRING_H
1966 # include <string.h>
1970 dnl tcsendbreak might be a macro
1971 AC_CHECK_DECL([tcsendbreak],
1972 [AC_DEFINE([HAVE_TCSENDBREAK])],
1973 [AC_CHECK_FUNCS([tcsendbreak])],
1974 [#include <termios.h>]
1977 AC_CHECK_DECLS([h_errno], , ,[#include <netdb.h>])
1979 AC_CHECK_DECLS([SHUT_RD], , ,
1981 #include <sys/types.h>
1982 #include <sys/socket.h>
1985 AC_CHECK_DECLS([O_NONBLOCK], , ,
1987 #include <sys/types.h>
1988 #ifdef HAVE_SYS_STAT_H
1989 # include <sys/stat.h>
1996 AC_CHECK_DECLS([readv, writev], , , [
1997 #include <sys/types.h>
1998 #include <sys/uio.h>
2002 AC_CHECK_DECLS([MAXSYMLINKS], , , [
2003 #include <sys/param.h>
2006 AC_CHECK_DECLS([offsetof], , , [
2010 # extra bits for select(2)
2011 AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
2012 #include <sys/param.h>
2013 #include <sys/types.h>
2014 #ifdef HAVE_SYS_SYSMACROS_H
2015 #include <sys/sysmacros.h>
2017 #ifdef HAVE_SYS_SELECT_H
2018 #include <sys/select.h>
2020 #ifdef HAVE_SYS_TIME_H
2021 #include <sys/time.h>
2023 #ifdef HAVE_UNISTD_H
2027 AC_CHECK_TYPES([fd_mask], [], [], [[
2028 #include <sys/param.h>
2029 #include <sys/types.h>
2030 #ifdef HAVE_SYS_SELECT_H
2031 #include <sys/select.h>
2033 #ifdef HAVE_SYS_TIME_H
2034 #include <sys/time.h>
2036 #ifdef HAVE_UNISTD_H
2041 AC_CHECK_FUNCS([setresuid], [
2042 dnl Some platorms have setresuid that isn't implemented, test for this
2043 AC_MSG_CHECKING([if setresuid seems to work])
2056 [AC_MSG_RESULT([yes])],
2057 [AC_DEFINE([BROKEN_SETRESUID], [1],
2058 [Define if your setresuid() is broken])
2059 AC_MSG_RESULT([not implemented])],
2060 [AC_MSG_WARN([cross compiling: not checking setresuid])]
2064 AC_CHECK_FUNCS([setresgid], [
2065 dnl Some platorms have setresgid that isn't implemented, test for this
2066 AC_MSG_CHECKING([if setresgid seems to work])
2079 [AC_MSG_RESULT([yes])],
2080 [AC_DEFINE([BROKEN_SETRESGID], [1],
2081 [Define if your setresgid() is broken])
2082 AC_MSG_RESULT([not implemented])],
2083 [AC_MSG_WARN([cross compiling: not checking setresuid])]
2087 AC_CHECK_FUNCS([realpath], [
2088 dnl the sftp v3 spec says SSH_FXP_REALPATH will "canonicalize any given
2089 dnl path name", however some implementations of realpath (and some
2090 dnl versions of the POSIX spec) do not work on non-existent files,
2091 dnl so we use the OpenBSD implementation on those platforms.
2092 AC_MSG_CHECKING([if realpath works with non-existent files])
2100 if (realpath("/opensshnonexistentfilename1234", buf) == NULL)
2101 if (errno == ENOENT)
2105 [AC_MSG_RESULT([yes])],
2106 [AC_DEFINE([BROKEN_REALPATH], [1],
2107 [realpath does not work with nonexistent files])
2108 AC_MSG_RESULT([no])],
2109 [AC_MSG_WARN([cross compiling: assuming working])]
2113 AC_MSG_CHECKING([for working fflush(NULL)])
2115 [AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
2116 AC_MSG_RESULT([yes]),
2117 [AC_MSG_RESULT([no])
2118 AC_DEFINE([FFLUSH_NULL_BUG], [1],
2119 [define if fflush(NULL) does not work])],
2120 AC_MSG_WARN([cross compiling: assuming working])
2123 dnl Checks for time functions
2124 AC_CHECK_FUNCS([gettimeofday time])
2125 dnl Checks for utmp functions
2126 AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
2127 AC_CHECK_FUNCS([utmpname])
2128 dnl Checks for utmpx functions
2129 AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline getutxuser pututxline])
2130 AC_CHECK_FUNCS([setutxdb setutxent utmpxname])
2131 dnl Checks for lastlog functions
2132 AC_CHECK_FUNCS([getlastlogxbyname])
2134 AC_CHECK_FUNC([daemon],
2135 [AC_DEFINE([HAVE_DAEMON], [1], [Define if your libraries define daemon()])],
2136 [AC_CHECK_LIB([bsd], [daemon],
2137 [LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2140 AC_CHECK_FUNC([getpagesize],
2141 [AC_DEFINE([HAVE_GETPAGESIZE], [1],
2142 [Define if your libraries define getpagesize()])],
2143 [AC_CHECK_LIB([ucb], [getpagesize],
2144 [LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2147 # Check for broken snprintf
2148 if test "x$ac_cv_func_snprintf" = "xyes" ; then
2149 AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
2151 [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
2154 snprintf(b,5,"123456789");
2157 [AC_MSG_RESULT([yes])],
2160 AC_DEFINE([BROKEN_SNPRINTF], [1],
2161 [Define if your snprintf is busted])
2162 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2164 [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
2168 # We depend on vsnprintf returning the right thing on overflow: the
2169 # number of characters it tried to create (as per SUSv3)
2170 if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
2171 AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
2174 #include <sys/types.h>
2178 int x_snprintf(char *str, size_t count, const char *fmt, ...)
2184 ret = vsnprintf(str, count, fmt, ap);
2190 if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
2192 if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
2196 [AC_MSG_RESULT([yes])],
2199 AC_DEFINE([BROKEN_SNPRINTF], [1],
2200 [Define if your snprintf is busted])
2201 AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2203 [ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
2207 # On systems where [v]snprintf is broken, but is declared in stdio,
2208 # check that the fmt argument is const char * or just char *.
2209 # This is only useful for when BROKEN_SNPRINTF
2210 AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
2211 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2213 int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
2217 [AC_MSG_RESULT([yes])
2218 AC_DEFINE([SNPRINTF_CONST], [const],
2219 [Define as const if snprintf() can declare const char *fmt])],
2220 [AC_MSG_RESULT([no])
2221 AC_DEFINE([SNPRINTF_CONST], [/* not const */])])
2223 # Check for missing getpeereid (or equiv) support
2225 if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2226 AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
2227 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2228 #include <sys/types.h>
2229 #include <sys/socket.h>]], [[int i = SO_PEERCRED;]])],
2230 [ AC_MSG_RESULT([yes])
2231 AC_DEFINE([HAVE_SO_PEERCRED], [1], [Have PEERCRED socket option])
2232 ], [AC_MSG_RESULT([no])
2237 dnl see whether mkstemp() requires XXXXXX
2238 if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
2239 AC_MSG_CHECKING([for (overly) strict mkstemp])
2244 char template[]="conftest.mkstemp-test";
2245 if (mkstemp(template) == -1)
2254 AC_MSG_RESULT([yes])
2255 AC_DEFINE([HAVE_STRICT_MKSTEMP], [1], [Silly mkstemp()])
2258 AC_MSG_RESULT([yes])
2259 AC_DEFINE([HAVE_STRICT_MKSTEMP])
2264 dnl make sure that openpty does not reacquire controlling terminal
2265 if test ! -z "$check_for_openpty_ctty_bug"; then
2266 AC_MSG_CHECKING([if openpty correctly handles controlling tty])
2270 #include <sys/fcntl.h>
2271 #include <sys/types.h>
2272 #include <sys/wait.h>
2275 int fd, ptyfd, ttyfd, status;
2278 if (pid < 0) { /* failed */
2280 } else if (pid > 0) { /* parent */
2281 waitpid(pid, &status, 0);
2282 if (WIFEXITED(status))
2283 exit(WEXITSTATUS(status));
2286 } else { /* child */
2287 close(0); close(1); close(2);
2289 openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
2290 fd = open("/dev/tty", O_RDWR | O_NOCTTY);
2292 exit(3); /* Acquired ctty: broken */
2294 exit(0); /* Did not acquire ctty: OK */
2298 AC_MSG_RESULT([yes])
2302 AC_DEFINE([SSHD_ACQUIRES_CTTY])
2305 AC_MSG_RESULT([cross-compiling, assuming yes])
2310 if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2311 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
2312 AC_MSG_CHECKING([if getaddrinfo seems to work])
2316 #include <sys/socket.h>
2319 #include <netinet/in.h>
2321 #define TEST_PORT "2222"
2324 struct addrinfo *gai_ai, *ai, hints;
2325 char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2327 memset(&hints, 0, sizeof(hints));
2328 hints.ai_family = PF_UNSPEC;
2329 hints.ai_socktype = SOCK_STREAM;
2330 hints.ai_flags = AI_PASSIVE;
2332 err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2334 fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2338 for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2339 if (ai->ai_family != AF_INET6)
2342 err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2343 sizeof(ntop), strport, sizeof(strport),
2344 NI_NUMERICHOST|NI_NUMERICSERV);
2347 if (err == EAI_SYSTEM)
2348 perror("getnameinfo EAI_SYSTEM");
2350 fprintf(stderr, "getnameinfo failed: %s\n",
2355 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2358 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2366 AC_MSG_RESULT([yes])
2370 AC_DEFINE([BROKEN_GETADDRINFO])
2373 AC_MSG_RESULT([cross-compiling, assuming yes])
2378 if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
2379 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
2380 AC_MSG_CHECKING([if getaddrinfo seems to work])
2384 #include <sys/socket.h>
2387 #include <netinet/in.h>
2389 #define TEST_PORT "2222"
2392 struct addrinfo *gai_ai, *ai, hints;
2393 char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
2395 memset(&hints, 0, sizeof(hints));
2396 hints.ai_family = PF_UNSPEC;
2397 hints.ai_socktype = SOCK_STREAM;
2398 hints.ai_flags = AI_PASSIVE;
2400 err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
2402 fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
2406 for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2407 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2410 err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2411 sizeof(ntop), strport, sizeof(strport),
2412 NI_NUMERICHOST|NI_NUMERICSERV);
2414 if (ai->ai_family == AF_INET && err != 0) {
2415 perror("getnameinfo");
2422 AC_MSG_RESULT([yes])
2423 AC_DEFINE([AIX_GETNAMEINFO_HACK], [1],
2424 [Define if you have a getaddrinfo that fails
2425 for the all-zeros IPv6 address])
2429 AC_DEFINE([BROKEN_GETADDRINFO])
2432 AC_MSG_RESULT([cross-compiling, assuming no])
2437 if test "x$ac_cv_func_getaddrinfo" = "xyes"; then
2438 AC_CHECK_DECLS(AI_NUMERICSERV, , ,
2439 [#include <sys/types.h>
2440 #include <sys/socket.h>
2441 #include <netdb.h>])
2444 if test "x$check_for_conflicting_getspnam" = "x1"; then
2445 AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
2446 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
2452 AC_MSG_RESULT([yes])
2453 AC_DEFINE([GETSPNAM_CONFLICTING_DEFS], [1],
2454 [Conflicting defs for getspnam])
2459 dnl NetBSD added an strnvis and unfortunately made it incompatible with the
2460 dnl existing one in OpenBSD and Linux's libbsd (the former having existed
2461 dnl for over ten years). Despite this incompatibility being reported during
2462 dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
2463 dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
2464 dnl implementation. Try to detect this mess, and assume the only safe option
2465 dnl if we're cross compiling.
2467 dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
2468 dnl NetBSD: 2012, strnvis(char *dst, size_t dlen, const char *src, int flag);
2469 if test "x$ac_cv_func_strnvis" = "xyes"; then
2470 AC_MSG_CHECKING([for working strnvis])
2477 static void sighandler(int sig) { _exit(1); }
2481 signal(SIGSEGV, sighandler);
2482 if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
2486 [AC_MSG_RESULT([yes])],
2487 [AC_MSG_RESULT([no])
2488 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
2489 [AC_MSG_WARN([cross compiling: assuming broken])
2490 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
2494 AC_CHECK_FUNCS([getpgrp],[
2495 AC_MSG_CHECKING([if getpgrp accepts zero args])
2497 [AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
2498 [ AC_MSG_RESULT([yes])
2499 AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
2500 [ AC_MSG_RESULT([no])
2501 AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
2505 # Search for OpenSSL
2506 saved_CPPFLAGS="$CPPFLAGS"
2507 saved_LDFLAGS="$LDFLAGS"
2508 AC_ARG_WITH([ssl-dir],
2509 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
2511 if test "x$openssl" = "xno" ; then
2512 AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2514 if test "x$withval" != "xno" ; then
2517 ./*|../*) withval="`pwd`/$withval"
2519 if test -d "$withval/lib"; then
2520 if test -n "${need_dash_r}"; then
2521 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
2523 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
2525 elif test -d "$withval/lib64"; then
2526 if test -n "${need_dash_r}"; then
2527 LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}"
2529 LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
2532 if test -n "${need_dash_r}"; then
2533 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
2535 LDFLAGS="-L${withval} ${LDFLAGS}"
2538 if test -d "$withval/include"; then
2539 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2541 CPPFLAGS="-I${withval} ${CPPFLAGS}"
2547 AC_ARG_WITH([openssl-header-check],
2548 [ --without-openssl-header-check Disable OpenSSL version consistency check],
2550 if test "x$withval" = "xno" ; then
2551 openssl_check_nonfatal=1
2557 AC_ARG_WITH([ssl-engine],
2558 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
2560 if test "x$withval" != "xno" ; then
2561 if test "x$openssl" = "xno" ; then
2562 AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2569 if test "x$openssl" = "xyes" ; then
2570 LIBS="-lcrypto $LIBS"
2571 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
2572 [Define if your ssl headers are included
2573 with #include <openssl/header.h>])],
2575 dnl Check default openssl install dir
2576 if test -n "${need_dash_r}"; then
2577 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2579 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2581 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2582 AC_CHECK_HEADER([openssl/opensslv.h], ,
2583 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2584 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2586 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2592 # Determine OpenSSL header version
2593 AC_MSG_CHECKING([OpenSSL header version])
2599 #include <openssl/opensslv.h>
2600 #define DATA "conftest.sslincver"
2605 fd = fopen(DATA,"w");
2609 if ((rc = fprintf(fd, "%08lx (%s)\n",
2610 (unsigned long)OPENSSL_VERSION_NUMBER,
2611 OPENSSL_VERSION_TEXT)) < 0)
2617 ssl_header_ver=`cat conftest.sslincver`
2618 AC_MSG_RESULT([$ssl_header_ver])
2621 AC_MSG_RESULT([not found])
2622 AC_MSG_ERROR([OpenSSL version header not found.])
2625 AC_MSG_WARN([cross compiling: not checking])
2629 # Determine OpenSSL library version
2630 AC_MSG_CHECKING([OpenSSL library version])
2635 #include <openssl/opensslv.h>
2636 #include <openssl/crypto.h>
2637 #define DATA "conftest.ssllibver"
2642 fd = fopen(DATA,"w");
2646 if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
2647 SSLeay_version(SSLEAY_VERSION))) < 0)
2653 ssl_library_ver=`cat conftest.ssllibver`
2654 # Check version is supported.
2655 case "$ssl_library_ver" in
2657 AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
2663 AC_MSG_ERROR([OpenSSL > 1.1.x is not yet supported (have "$ssl_library_ver")])
2666 AC_MSG_RESULT([$ssl_library_ver])
2669 AC_MSG_RESULT([not found])
2670 AC_MSG_ERROR([OpenSSL library not found.])
2673 AC_MSG_WARN([cross compiling: not checking])
2677 # Sanity check OpenSSL headers
2678 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2682 #include <openssl/opensslv.h>
2683 #include <openssl/crypto.h>
2685 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2688 AC_MSG_RESULT([yes])
2692 if test "x$openssl_check_nonfatal" = "x"; then
2693 AC_MSG_ERROR([Your OpenSSL headers do not match your
2694 library. Check config.log for details.
2695 If you are sure your installation is consistent, you can disable the check
2696 by running "./configure --without-openssl-header-check".
2697 Also see contrib/findssl.sh for help identifying header/library mismatches.
2700 AC_MSG_WARN([Your OpenSSL headers do not match your
2701 library. Check config.log for details.
2702 Also see contrib/findssl.sh for help identifying header/library mismatches.])
2706 AC_MSG_WARN([cross compiling: not checking])
2710 AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2712 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2713 [[ SSLeay_add_all_algorithms(); ]])],
2715 AC_MSG_RESULT([yes])
2721 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2723 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2724 [[ SSLeay_add_all_algorithms(); ]])],
2726 AC_MSG_RESULT([yes])
2738 DSA_generate_parameters_ex \
2740 EVP_DigestFinal_ex \
2742 EVP_MD_CTX_cleanup \
2743 EVP_MD_CTX_copy_ex \
2745 RSA_generate_key_ex \
2746 RSA_get_default_method \
2749 if test "x$openssl_engine" = "xyes" ; then
2750 AC_MSG_CHECKING([for OpenSSL ENGINE support])
2751 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2752 #include <openssl/engine.h>
2754 ENGINE_load_builtin_engines();
2755 ENGINE_register_all_complete();
2757 [ AC_MSG_RESULT([yes])
2758 AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2759 [Enable OpenSSL engine support])
2760 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2764 # Check for OpenSSL without EVP_aes_{192,256}_cbc
2765 AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2769 #include <openssl/evp.h>
2771 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2777 AC_MSG_RESULT([yes])
2778 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2779 [libcrypto is missing AES 192 and 256 bit functions])
2783 # Check for OpenSSL with EVP_aes_*ctr
2784 AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2788 #include <openssl/evp.h>
2790 exit(EVP_aes_128_ctr() == NULL ||
2791 EVP_aes_192_cbc() == NULL ||
2792 EVP_aes_256_cbc() == NULL);
2795 AC_MSG_RESULT([yes])
2796 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2797 [libcrypto has EVP AES CTR])
2804 # Check for OpenSSL with EVP_aes_*gcm
2805 AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2809 #include <openssl/evp.h>
2811 exit(EVP_aes_128_gcm() == NULL ||
2812 EVP_aes_256_gcm() == NULL ||
2813 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2814 EVP_CTRL_GCM_IV_GEN == 0 ||
2815 EVP_CTRL_GCM_SET_TAG == 0 ||
2816 EVP_CTRL_GCM_GET_TAG == 0 ||
2817 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2820 AC_MSG_RESULT([yes])
2821 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2822 [libcrypto has EVP AES GCM])
2826 unsupported_algorithms="$unsupported_cipers \
2827 aes128-gcm@openssh.com \
2828 aes256-gcm@openssh.com"
2832 AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2833 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2834 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2836 # LibreSSL/OpenSSL 1.1x API
2837 AC_SEARCH_LIBS([DH_get0_key], [crypto],
2838 [AC_DEFINE([HAVE_DH_GET0_KEY], [1],
2839 [Define if libcrypto has DH_get0_key])])
2840 AC_SEARCH_LIBS([DH_get0_pqg], [crypto],
2841 [AC_DEFINE([HAVE_DH_GET0_PQG], [1],
2842 [Define if libcrypto has DH_get0_pqg])])
2843 AC_SEARCH_LIBS([DH_set0_key], [crypto],
2844 [AC_DEFINE([HAVE_DH_SET0_KEY], [1],
2845 [Define if libcrypto has DH_set0_key])])
2846 AC_SEARCH_LIBS([DH_set_length], [crypto],
2847 [AC_DEFINE([HAVE_DH_SET_LENGTH], [1],
2848 [Define if libcrypto has DH_set_length])])
2849 AC_SEARCH_LIBS([DH_set0_pqg], [crypto],
2850 [AC_DEFINE([HAVE_DH_SET0_PQG], [1],
2851 [Define if libcrypto has DH_set0_pqg])])
2853 AC_SEARCH_LIBS([DSA_get0_key], [crypto],
2854 [AC_DEFINE([HAVE_DSA_GET0_KEY], [1],
2855 [Define if libcrypto has DSA_get0_key])])
2856 AC_SEARCH_LIBS([DSA_get0_pqg], [crypto],
2857 [AC_DEFINE([HAVE_DSA_GET0_PQG], [1],
2858 [Define if libcrypto has DSA_get0_pqg])])
2859 AC_SEARCH_LIBS([DSA_set0_key], [crypto],
2860 [AC_DEFINE([HAVE_DSA_SET0_KEY], [1],
2861 [Define if libcrypto has DSA_set0_key])])
2862 AC_SEARCH_LIBS([DSA_set0_pqg], [crypto],
2863 [AC_DEFINE([HAVE_DSA_SET0_PQG], [1],
2864 [Define if libcrypto has DSA_set0_pqg])])
2866 AC_SEARCH_LIBS([DSA_SIG_get0], [crypto],
2867 [AC_DEFINE([HAVE_DSA_SIG_GET0], [1],
2868 [Define if libcrypto has DSA_SIG_get0])])
2869 AC_SEARCH_LIBS([DSA_SIG_set0], [crypto],
2870 [AC_DEFINE([HAVE_DSA_SIG_SET0], [1],
2871 [Define if libcrypto has DSA_SIG_set0])])
2873 AC_SEARCH_LIBS([ECDSA_SIG_get0], [crypto],
2874 [AC_DEFINE([HAVE_ECDSA_SIG_GET0], [1],
2875 [Define if libcrypto has ECDSA_SIG_get0])])
2876 AC_SEARCH_LIBS([ECDSA_SIG_set0], [crypto],
2877 [AC_DEFINE([HAVE_ECDSA_SIG_SET0], [1],
2878 [Define if libcrypto has ECDSA_SIG_set0])])
2880 AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv], [crypto],
2881 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV], [1],
2882 [Define if libcrypto has EVP_CIPHER_CTX_iv])])
2883 AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv_noconst], [crypto],
2884 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV_NOCONST], [1],
2885 [Define if libcrypto has EVP_CIPHER_CTX_iv_noconst])])
2886 AC_SEARCH_LIBS([EVP_CIPHER_CTX_get_iv], [crypto],
2887 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
2888 [Define if libcrypto has EVP_CIPHER_CTX_get_iv])])
2889 AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto],
2890 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
2891 [Define if libcrypto has EVP_CIPHER_CTX_set_iv])])
2893 AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto],
2894 [AC_DEFINE([HAVE_RSA_GET0_CRT_PARAMS], [1],
2895 [Define if libcrypto has RSA_get0_crt_params])])
2896 AC_SEARCH_LIBS([RSA_get0_factors], [crypto],
2897 [AC_DEFINE([HAVE_RSA_GET0_FACTORS], [1],
2898 [Define if libcrypto has RSA_get0_factors])])
2899 AC_SEARCH_LIBS([RSA_get0_key], [crypto],
2900 [AC_DEFINE([HAVE_RSA_GET0_KEY], [1],
2901 [Define if libcrypto has RSA_get0_key])])
2902 AC_SEARCH_LIBS([RSA_set0_crt_params], [crypto],
2903 [AC_DEFINE([HAVE_RSA_SET0_CRT_PARAMS], [1],
2904 [Define if libcrypto has RSA_get0_srt_params])])
2905 AC_SEARCH_LIBS([RSA_set0_factors], [crypto],
2906 [AC_DEFINE([HAVE_RSA_SET0_FACTORS], [1],
2907 [Define if libcrypto has RSA_set0_factors])])
2908 AC_SEARCH_LIBS([RSA_set0_key], [crypto],
2909 [AC_DEFINE([HAVE_RSA_SET0_KEY], [1],
2910 [Define if libcrypto has RSA_set0_key])])
2912 AC_SEARCH_LIBS([RSA_meth_free], [crypto],
2913 [AC_DEFINE([HAVE_RSA_METH_FREE], [1],
2914 [Define if libcrypto has RSA_meth_free])])
2915 AC_SEARCH_LIBS([RSA_meth_dup], [crypto],
2916 [AC_DEFINE([HAVE_RSA_METH_DUP], [1],
2917 [Define if libcrypto has RSA_meth_dup])])
2918 AC_SEARCH_LIBS([RSA_meth_set1_name], [crypto],
2919 [AC_DEFINE([HAVE_RSA_METH_SET1_NAME], [1],
2920 [Define if libcrypto has RSA_meth_set1_name])])
2921 AC_SEARCH_LIBS([RSA_meth_get_finish], [crypto],
2922 [AC_DEFINE([HAVE_RSA_METH_GET_FINISH], [1],
2923 [Define if libcrypto has RSA_meth_get_finish])])
2924 AC_SEARCH_LIBS([RSA_meth_set_priv_enc], [crypto],
2925 [AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1],
2926 [Define if libcrypto has RSA_meth_set_priv_enc])])
2927 AC_SEARCH_LIBS([RSA_meth_set_priv_dec], [crypto],
2928 [AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1],
2929 [Define if libcrypto has RSA_meth_set_priv_dec])])
2930 AC_SEARCH_LIBS([RSA_meth_set_finish], [crypto],
2931 [AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1],
2932 [Define if libcrypto has RSA_meth_set_finish])])
2934 AC_SEARCH_LIBS([EVP_PKEY_get0_RSA], [crypto],
2935 [AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1],
2936 [Define if libcrypto has EVP_PKEY_get0_RSA])])
2938 AC_SEARCH_LIBS([EVP_MD_CTX_new], [crypto],
2939 [AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1],
2940 [Define if libcrypto has EVP_MD_CTX_new])])
2941 AC_SEARCH_LIBS([EVP_MD_CTX_free], [crypto],
2942 [AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1],
2943 [Define if libcrypto has EVP_MD_CTX_free])])
2945 AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2949 #include <openssl/evp.h>
2951 if(EVP_DigestUpdate(NULL, NULL,0))
2955 AC_MSG_RESULT([yes])
2959 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2960 [Define if EVP_DigestUpdate returns void])
2964 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2965 # because the system crypt() is more featureful.
2966 if test "x$check_for_libcrypt_before" = "x1"; then
2967 AC_CHECK_LIB([crypt], [crypt])
2970 # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2971 # version in OpenSSL.
2972 if test "x$check_for_libcrypt_later" = "x1"; then
2973 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2975 AC_CHECK_FUNCS([crypt DES_crypt])
2977 # Search for SHA256 support in libc and/or OpenSSL
2978 AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2979 [unsupported_algorithms="$unsupported_algorithms \
2982 diffie-hellman-group-exchange-sha256 \
2983 hmac-sha2-256-etm@openssh.com \
2984 hmac-sha2-512-etm@openssh.com"
2987 # Search for RIPE-MD support in OpenSSL
2988 AC_CHECK_FUNCS([EVP_ripemd160], ,
2989 [unsupported_algorithms="$unsupported_algorithms \
2991 hmac-ripemd160@openssh.com \
2992 hmac-ripemd160-etm@openssh.com"
2996 # Check complete ECC support in OpenSSL
2997 AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
3000 #include <openssl/ec.h>
3001 #include <openssl/ecdh.h>
3002 #include <openssl/ecdsa.h>
3003 #include <openssl/evp.h>
3004 #include <openssl/objects.h>
3005 #include <openssl/opensslv.h>
3007 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
3008 const EVP_MD *m = EVP_sha256(); /* We need this too */
3010 [ AC_MSG_RESULT([yes])
3011 enable_nistp256=1 ],
3012 [ AC_MSG_RESULT([no]) ]
3015 AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
3018 #include <openssl/ec.h>
3019 #include <openssl/ecdh.h>
3020 #include <openssl/ecdsa.h>
3021 #include <openssl/evp.h>
3022 #include <openssl/objects.h>
3023 #include <openssl/opensslv.h>
3025 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
3026 const EVP_MD *m = EVP_sha384(); /* We need this too */
3028 [ AC_MSG_RESULT([yes])
3029 enable_nistp384=1 ],
3030 [ AC_MSG_RESULT([no]) ]
3033 AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
3036 #include <openssl/ec.h>
3037 #include <openssl/ecdh.h>
3038 #include <openssl/ecdsa.h>
3039 #include <openssl/evp.h>
3040 #include <openssl/objects.h>
3041 #include <openssl/opensslv.h>
3043 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3044 const EVP_MD *m = EVP_sha512(); /* We need this too */
3046 [ AC_MSG_RESULT([yes])
3047 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
3050 #include <openssl/ec.h>
3051 #include <openssl/ecdh.h>
3052 #include <openssl/ecdsa.h>
3053 #include <openssl/evp.h>
3054 #include <openssl/objects.h>
3055 #include <openssl/opensslv.h>
3057 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
3058 const EVP_MD *m = EVP_sha512(); /* We need this too */
3059 exit(e == NULL || m == NULL);
3061 [ AC_MSG_RESULT([yes])
3062 enable_nistp521=1 ],
3063 [ AC_MSG_RESULT([no]) ],
3064 [ AC_MSG_WARN([cross-compiling: assuming yes])
3070 COMMENT_OUT_ECC="#no ecc#"
3073 if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
3074 test x$enable_nistp521 = x1; then
3075 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
3077 if test x$enable_nistp256 = x1; then
3078 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
3079 [libcrypto has NID_X9_62_prime256v1])
3083 unsupported_algorithms="$unsupported_algorithms \
3084 ecdsa-sha2-nistp256 \
3085 ecdh-sha2-nistp256 \
3086 ecdsa-sha2-nistp256-cert-v01@openssh.com"
3088 if test x$enable_nistp384 = x1; then
3089 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
3093 unsupported_algorithms="$unsupported_algorithms \
3094 ecdsa-sha2-nistp384 \
3095 ecdh-sha2-nistp384 \
3096 ecdsa-sha2-nistp384-cert-v01@openssh.com"
3098 if test x$enable_nistp521 = x1; then
3099 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
3103 unsupported_algorithms="$unsupported_algorithms \
3104 ecdh-sha2-nistp521 \
3105 ecdsa-sha2-nistp521 \
3106 ecdsa-sha2-nistp521-cert-v01@openssh.com"
3109 AC_SUBST([TEST_SSH_ECC])
3110 AC_SUBST([COMMENT_OUT_ECC])
3112 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
3113 AC_CHECK_FUNCS([crypt])
3120 arc4random_uniform \
3124 AC_CHECK_LIB([iaf], [ia_openinfo], [
3126 AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3127 AC_DEFINE([HAVE_LIBIAF], [1],
3128 [Define if system has libiaf that supports set_id])
3133 ### Configure cryptographic random number support
3135 # Check whether OpenSSL seeds itself
3136 if test "x$openssl" = "xyes" ; then
3137 AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
3141 #include <openssl/rand.h>
3143 exit(RAND_status() == 1 ? 0 : 1);
3146 OPENSSL_SEEDS_ITSELF=yes
3147 AC_MSG_RESULT([yes])
3153 AC_MSG_WARN([cross compiling: assuming yes])
3154 # This is safe, since we will fatal() at runtime if
3155 # OpenSSL is not seeded correctly.
3156 OPENSSL_SEEDS_ITSELF=yes
3162 AC_ARG_WITH([prngd-port],
3163 [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT],
3172 AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3175 if test ! -z "$withval" ; then
3176 PRNGD_PORT="$withval"
3177 AC_DEFINE_UNQUOTED([PRNGD_PORT], [$PRNGD_PORT],
3178 [Port number of PRNGD/EGD random number socket])
3183 # PRNGD Unix domain socket
3184 AC_ARG_WITH([prngd-socket],
3185 [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3189 withval="/var/run/egd-pool"
3197 AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3201 if test ! -z "$withval" ; then
3202 if test ! -z "$PRNGD_PORT" ; then
3203 AC_MSG_ERROR([You may not specify both a PRNGD/EGD port and socket])
3205 if test ! -r "$withval" ; then
3206 AC_MSG_WARN([Entropy socket is not readable])
3208 PRNGD_SOCKET="$withval"
3209 AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"],
3210 [Location of PRNGD/EGD random number socket])
3214 # Check for existing socket only if we don't have a random device already
3215 if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
3216 AC_MSG_CHECKING([for PRNGD/EGD socket])
3217 # Insert other locations here
3218 for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3219 if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3220 PRNGD_SOCKET="$sock"
3221 AC_DEFINE_UNQUOTED([PRNGD_SOCKET], ["$PRNGD_SOCKET"])
3225 if test ! -z "$PRNGD_SOCKET" ; then
3226 AC_MSG_RESULT([$PRNGD_SOCKET])
3228 AC_MSG_RESULT([not found])
3234 # Which randomness source do we use?
3235 if test ! -z "$PRNGD_PORT" ; then
3236 RAND_MSG="PRNGd port $PRNGD_PORT"
3237 elif test ! -z "$PRNGD_SOCKET" ; then
3238 RAND_MSG="PRNGd socket $PRNGD_SOCKET"
3239 elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3240 AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
3241 [Define if you want the OpenSSL internally seeded PRNG only])
3242 RAND_MSG="OpenSSL internal ONLY"
3243 elif test "x$openssl" = "xno" ; then
3244 AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
3246 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
3249 # Check for PAM libs
3252 [ --with-pam Enable PAM support ],
3254 if test "x$withval" != "xno" ; then
3255 if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
3256 test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
3257 AC_MSG_ERROR([PAM headers not found])
3261 AC_CHECK_LIB([dl], [dlopen], , )
3262 AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
3263 AC_CHECK_FUNCS([pam_getenvlist])
3264 AC_CHECK_FUNCS([pam_putenv])
3269 SSHDLIBS="$SSHDLIBS -lpam"
3270 AC_DEFINE([USE_PAM], [1],
3271 [Define if you want to enable PAM support])
3273 if test $ac_cv_lib_dl_dlopen = yes; then
3276 # libdl already in LIBS
3279 SSHDLIBS="$SSHDLIBS -ldl"
3287 AC_ARG_WITH([pam-service],
3288 [ --with-pam-service=name Specify PAM service name ],
3290 if test "x$withval" != "xno" && \
3291 test "x$withval" != "xyes" ; then
3292 AC_DEFINE_UNQUOTED([SSHD_PAM_SERVICE],
3293 ["$withval"], [sshd PAM service name])
3298 # Check for older PAM
3299 if test "x$PAM_MSG" = "xyes" ; then
3300 # Check PAM strerror arguments (old PAM)
3301 AC_MSG_CHECKING([whether pam_strerror takes only one argument])
3302 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3304 #if defined(HAVE_SECURITY_PAM_APPL_H)
3305 #include <security/pam_appl.h>
3306 #elif defined (HAVE_PAM_PAM_APPL_H)
3307 #include <pam/pam_appl.h>
3310 (void)pam_strerror((pam_handle_t *)NULL, -1);
3311 ]])], [AC_MSG_RESULT([no])], [
3312 AC_DEFINE([HAVE_OLD_PAM], [1],
3313 [Define if you have an old version of PAM
3314 which takes only one argument to pam_strerror])
3315 AC_MSG_RESULT([yes])
3316 PAM_MSG="yes (old library)"
3323 SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
3326 SSH_PRIVSEP_USER=sshd
3329 AC_ARG_WITH([privsep-user],
3330 [ --with-privsep-user=user Specify non-privileged user for privilege separation],
3332 if test -n "$withval" && test "x$withval" != "xno" && \
3333 test "x${withval}" != "xyes"; then
3334 SSH_PRIVSEP_USER=$withval
3338 if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
3339 AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
3340 [Cygwin function to fetch non-privileged user for privilege separation])
3342 AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
3343 [non-privileged user for privilege separation])
3345 AC_SUBST([SSH_PRIVSEP_USER])
3347 if test "x$have_linux_no_new_privs" = "x1" ; then
3348 AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
3349 #include <sys/types.h>
3350 #include <linux/seccomp.h>
3353 if test "x$have_seccomp_filter" = "x1" ; then
3354 AC_MSG_CHECKING([kernel for seccomp_filter support])
3355 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
3358 #include <linux/audit.h>
3359 #include <linux/seccomp.h>
3361 #include <sys/prctl.h>
3363 [[ int i = $seccomp_audit_arch;
3365 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
3366 exit(errno == EFAULT ? 0 : 1); ]])],
3367 [ AC_MSG_RESULT([yes]) ], [
3369 # Disable seccomp filter as a target
3370 have_seccomp_filter=0
3375 # Decide which sandbox style to use
3377 AC_ARG_WITH([sandbox],
3378 [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
3380 if test "x$withval" = "xyes" ; then
3383 sandbox_arg="$withval"
3388 # Some platforms (seems to be the ones that have a kernel poll(2)-type
3389 # function with which they implement select(2)) use an extra file descriptor
3390 # when calling select(2), which means we can't use the rlimit sandbox.
3391 AC_MSG_CHECKING([if select works with descriptor rlimit])
3394 #include <sys/types.h>
3395 #ifdef HAVE_SYS_TIME_H
3396 # include <sys/time.h>
3398 #include <sys/resource.h>
3399 #ifdef HAVE_SYS_SELECT_H
3400 # include <sys/select.h>
3406 struct rlimit rl_zero;
3411 fd = open("/dev/null", O_RDONLY);
3414 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3415 setrlimit(RLIMIT_FSIZE, &rl_zero);
3416 setrlimit(RLIMIT_NOFILE, &rl_zero);
3419 r = select(fd+1, &fds, NULL, NULL, &tv);
3420 exit (r == -1 ? 1 : 0);
3422 [AC_MSG_RESULT([yes])
3423 select_works_with_rlimit=yes],
3424 [AC_MSG_RESULT([no])
3425 select_works_with_rlimit=no],
3426 [AC_MSG_WARN([cross compiling: assuming yes])
3427 select_works_with_rlimit=yes]
3430 AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
3433 #include <sys/types.h>
3434 #ifdef HAVE_SYS_TIME_H
3435 # include <sys/time.h>
3437 #include <sys/resource.h>
3441 struct rlimit rl_zero;
3445 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3446 r = setrlimit(RLIMIT_NOFILE, &rl_zero);
3447 exit (r == -1 ? 1 : 0);
3449 [AC_MSG_RESULT([yes])
3450 rlimit_nofile_zero_works=yes],
3451 [AC_MSG_RESULT([no])
3452 rlimit_nofile_zero_works=no],
3453 [AC_MSG_WARN([cross compiling: assuming yes])
3454 rlimit_nofile_zero_works=yes]
3457 AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
3460 #include <sys/types.h>
3461 #include <sys/resource.h>
3464 struct rlimit rl_zero;
3466 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
3467 exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
3469 [AC_MSG_RESULT([yes])],
3470 [AC_MSG_RESULT([no])
3471 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
3472 [setrlimit RLIMIT_FSIZE works])],
3473 [AC_MSG_WARN([cross compiling: assuming yes])]
3476 if test "x$sandbox_arg" = "xpledge" || \
3477 ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3478 test "x$ac_cv_func_pledge" != "xyes" && \
3479 AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
3480 SANDBOX_STYLE="pledge"
3481 AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
3482 elif test "x$sandbox_arg" = "xsystrace" || \
3483 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3484 test "x$have_systr_policy_kill" != "x1" && \
3485 AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
3486 SANDBOX_STYLE="systrace"
3487 AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)])
3488 elif test "x$sandbox_arg" = "xdarwin" || \
3489 ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3490 test "x$ac_cv_header_sandbox_h" = "xyes") ; then
3491 test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3492 "x$ac_cv_header_sandbox_h" != "xyes" && \
3493 AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
3494 SANDBOX_STYLE="darwin"
3495 AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
3496 elif test "x$sandbox_arg" = "xseccomp_filter" || \
3497 ( test -z "$sandbox_arg" && \
3498 test "x$have_seccomp_filter" = "x1" && \
3499 test "x$ac_cv_header_elf_h" = "xyes" && \
3500 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
3501 test "x$ac_cv_header_linux_filter_h" = "xyes" && \
3502 test "x$seccomp_audit_arch" != "x" && \
3503 test "x$have_linux_no_new_privs" = "x1" && \
3504 test "x$ac_cv_func_prctl" = "xyes" ) ; then
3505 test "x$seccomp_audit_arch" = "x" && \
3506 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
3507 test "x$have_linux_no_new_privs" != "x1" && \
3508 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
3509 test "x$have_seccomp_filter" != "x1" && \
3510 AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
3511 test "x$ac_cv_func_prctl" != "xyes" && \
3512 AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
3513 SANDBOX_STYLE="seccomp_filter"
3514 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
3515 elif test "x$sandbox_arg" = "xcapsicum" || \
3516 ( test -z "$sandbox_arg" && \
3517 test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
3518 test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
3519 test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
3520 AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
3521 test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
3522 AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
3523 SANDBOX_STYLE="capsicum"
3524 AC_DEFINE([SANDBOX_CAPSICUM], [1], [Sandbox using capsicum])
3525 elif test "x$sandbox_arg" = "xrlimit" || \
3526 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3527 test "x$select_works_with_rlimit" = "xyes" && \
3528 test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
3529 test "x$ac_cv_func_setrlimit" != "xyes" && \
3530 AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
3531 test "x$select_works_with_rlimit" != "xyes" && \
3532 AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3533 SANDBOX_STYLE="rlimit"
3534 AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
3535 elif test "x$sandbox_arg" = "xsolaris" || \
3536 ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3537 SANDBOX_STYLE="solaris"
3538 AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
3539 elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3540 test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
3541 SANDBOX_STYLE="none"
3542 AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing])
3544 AC_MSG_ERROR([unsupported --with-sandbox])
3547 # Cheap hack to ensure NEWS-OS libraries are arranged right.
3548 if test ! -z "$SONY" ; then
3549 LIBS="$LIBS -liberty";
3552 # Check for long long datatypes
3553 AC_CHECK_TYPES([long long, unsigned long long, long double])
3555 # Check datatype sizes
3556 AC_CHECK_SIZEOF([short int], [2])
3557 AC_CHECK_SIZEOF([int], [4])
3558 AC_CHECK_SIZEOF([long int], [4])
3559 AC_CHECK_SIZEOF([long long int], [8])
3561 # Sanity check long long for some platforms (AIX)
3562 if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
3563 ac_cv_sizeof_long_long_int=0
3566 # compute LLONG_MIN and LLONG_MAX if we don't know them.
3567 if test -z "$have_llong_max"; then
3568 AC_MSG_CHECKING([for max value of long long])
3572 /* Why is this so damn hard? */
3576 #define __USE_ISOC99
3578 #define DATA "conftest.llminmax"
3579 #define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3582 * printf in libc on some platforms (eg old Tru64) does not understand %lld so
3583 * we do this the hard way.
3586 fprint_ll(FILE *f, long long n)
3589 int l[sizeof(long long) * 8];
3592 if (fprintf(f, "-") < 0)
3594 for (i = 0; n != 0; i++) {
3595 l[i] = my_abs(n % 10);
3599 if (fprintf(f, "%d", l[--i]) < 0)
3602 if (fprintf(f, " ") < 0)
3608 long long i, llmin, llmax = 0;
3610 if((f = fopen(DATA,"w")) == NULL)
3613 #if defined(LLONG_MIN) && defined(LLONG_MAX)
3614 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
3618 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
3619 /* This will work on one's complement and two's complement */
3620 for (i = 1; i > llmax; i <<= 1, i++)
3622 llmin = llmax + 1LL; /* wrap */
3626 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3627 || llmax - 1 > llmax || llmin == llmax || llmin == 0
3628 || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
3629 fprintf(f, "unknown unknown\n");
3633 if (fprint_ll(f, llmin) < 0)
3635 if (fprint_ll(f, llmax) < 0)
3642 llong_min=`$AWK '{print $1}' conftest.llminmax`
3643 llong_max=`$AWK '{print $2}' conftest.llminmax`
3645 AC_MSG_RESULT([$llong_max])
3646 AC_DEFINE_UNQUOTED([LLONG_MAX], [${llong_max}LL],
3647 [max value of long long calculated by configure])
3648 AC_MSG_CHECKING([for min value of long long])
3649 AC_MSG_RESULT([$llong_min])
3650 AC_DEFINE_UNQUOTED([LLONG_MIN], [${llong_min}LL],
3651 [min value of long long calculated by configure])
3654 AC_MSG_RESULT([not found])
3657 AC_MSG_WARN([cross compiling: not checking])
3663 # More checks for data types
3664 AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
3665 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3666 [[ u_int a; a = 1;]])],
3667 [ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no"
3670 if test "x$ac_cv_have_u_int" = "xyes" ; then
3671 AC_DEFINE([HAVE_U_INT], [1], [define if you have u_int data type])
3675 AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
3676 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3677 [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3678 [ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no"
3681 if test "x$ac_cv_have_intxx_t" = "xyes" ; then
3682 AC_DEFINE([HAVE_INTXX_T], [1], [define if you have intxx_t data type])
3686 if (test -z "$have_intxx_t" && \
3687 test "x$ac_cv_header_stdint_h" = "xyes")
3689 AC_MSG_CHECKING([for intXX_t types in stdint.h])
3690 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3691 [[ int8_t a; int16_t b; int32_t c; a = b = c = 1;]])],
3693 AC_DEFINE([HAVE_INTXX_T])
3694 AC_MSG_RESULT([yes])
3695 ], [ AC_MSG_RESULT([no])
3699 AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
3700 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3701 #include <sys/types.h>
3702 #ifdef HAVE_STDINT_H
3703 # include <stdint.h>
3705 #include <sys/socket.h>
3706 #ifdef HAVE_SYS_BITYPES_H
3707 # include <sys/bitypes.h>
3712 [ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no"
3715 if test "x$ac_cv_have_int64_t" = "xyes" ; then
3716 AC_DEFINE([HAVE_INT64_T], [1], [define if you have int64_t data type])
3719 AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
3720 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3721 [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3722 [ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no"
3725 if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
3726 AC_DEFINE([HAVE_U_INTXX_T], [1], [define if you have u_intxx_t data type])
3730 if test -z "$have_u_intxx_t" ; then
3731 AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
3732 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/socket.h> ]],
3733 [[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;]])],
3735 AC_DEFINE([HAVE_U_INTXX_T])
3736 AC_MSG_RESULT([yes])
3737 ], [ AC_MSG_RESULT([no])
3741 AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
3742 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3743 [[ u_int64_t a; a = 1;]])],
3744 [ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no"
3747 if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
3748 AC_DEFINE([HAVE_U_INT64_T], [1], [define if you have u_int64_t data type])
3752 if (test -z "$have_u_int64_t" && \
3753 test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3755 AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
3756 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/bitypes.h> ]],
3757 [[ u_int64_t a; a = 1]])],
3759 AC_DEFINE([HAVE_U_INT64_T])
3760 AC_MSG_RESULT([yes])
3761 ], [ AC_MSG_RESULT([no])
3765 if test -z "$have_u_intxx_t" ; then
3766 AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
3767 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3768 #include <sys/types.h>
3775 [ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no"
3778 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
3779 AC_DEFINE([HAVE_UINTXX_T], [1],
3780 [define if you have uintxx_t data type])
3784 if (test -z "$have_uintxx_t" && \
3785 test "x$ac_cv_header_stdint_h" = "xyes")
3787 AC_MSG_CHECKING([for uintXX_t types in stdint.h])
3788 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <stdint.h> ]],
3789 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3791 AC_DEFINE([HAVE_UINTXX_T])
3792 AC_MSG_RESULT([yes])
3793 ], [ AC_MSG_RESULT([no])
3797 if (test -z "$have_uintxx_t" && \
3798 test "x$ac_cv_header_inttypes_h" = "xyes")
3800 AC_MSG_CHECKING([for uintXX_t types in inttypes.h])
3801 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <inttypes.h> ]],
3802 [[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;]])],
3804 AC_DEFINE([HAVE_UINTXX_T])
3805 AC_MSG_RESULT([yes])
3806 ], [ AC_MSG_RESULT([no])
3810 if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
3811 test "x$ac_cv_header_sys_bitypes_h" = "xyes")
3813 AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
3814 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3815 #include <sys/bitypes.h>
3817 int8_t a; int16_t b; int32_t c;
3818 u_int8_t e; u_int16_t f; u_int32_t g;
3819 a = b = c = e = f = g = 1;
3822 AC_DEFINE([HAVE_U_INTXX_T])
3823 AC_DEFINE([HAVE_INTXX_T])
3824 AC_MSG_RESULT([yes])
3825 ], [AC_MSG_RESULT([no])
3830 AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
3831 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3832 [[ u_char foo; foo = 125; ]])],
3833 [ ac_cv_have_u_char="yes" ], [ ac_cv_have_u_char="no"
3836 if test "x$ac_cv_have_u_char" = "xyes" ; then
3837 AC_DEFINE([HAVE_U_CHAR], [1], [define if you have u_char data type])
3840 AC_CHECK_TYPES([intmax_t, uintmax_t], , , [
3841 #include <sys/types.h>
3847 AC_CHECK_TYPES([sig_atomic_t], , , [#include <signal.h>])
3848 AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
3849 #include <sys/types.h>
3850 #ifdef HAVE_SYS_BITYPES_H
3851 #include <sys/bitypes.h>
3853 #ifdef HAVE_SYS_STATFS_H
3854 #include <sys/statfs.h>
3856 #ifdef HAVE_SYS_STATVFS_H
3857 #include <sys/statvfs.h>
3861 AC_CHECK_MEMBERS([struct statfs.f_flags], [], [], [[
3862 #include <sys/types.h>
3863 #ifdef HAVE_SYS_BITYPES_H
3864 #include <sys/bitypes.h>
3866 #ifdef HAVE_SYS_STATFS_H
3867 #include <sys/statfs.h>
3869 #ifdef HAVE_SYS_STATVFS_H
3870 #include <sys/statvfs.h>
3872 #ifdef HAVE_SYS_VFS_H
3873 #include <sys/vfs.h>
3878 AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
3879 [#include <sys/types.h>
3880 #include <netinet/in.h>])
3882 AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
3883 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3884 [[ size_t foo; foo = 1235; ]])],
3885 [ ac_cv_have_size_t="yes" ], [ ac_cv_have_size_t="no"
3888 if test "x$ac_cv_have_size_t" = "xyes" ; then
3889 AC_DEFINE([HAVE_SIZE_T], [1], [define if you have size_t data type])
3892 AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
3893 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3894 [[ ssize_t foo; foo = 1235; ]])],
3895 [ ac_cv_have_ssize_t="yes" ], [ ac_cv_have_ssize_t="no"
3898 if test "x$ac_cv_have_ssize_t" = "xyes" ; then
3899 AC_DEFINE([HAVE_SSIZE_T], [1], [define if you have ssize_t data type])
3902 AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
3903 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <time.h> ]],
3904 [[ clock_t foo; foo = 1235; ]])],
3905 [ ac_cv_have_clock_t="yes" ], [ ac_cv_have_clock_t="no"
3908 if test "x$ac_cv_have_clock_t" = "xyes" ; then
3909 AC_DEFINE([HAVE_CLOCK_T], [1], [define if you have clock_t data type])
3912 AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
3913 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3914 #include <sys/types.h>
3915 #include <sys/socket.h>
3916 ]], [[ sa_family_t foo; foo = 1235; ]])],
3917 [ ac_cv_have_sa_family_t="yes" ],
3918 [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3919 #include <sys/types.h>
3920 #include <sys/socket.h>
3921 #include <netinet/in.h>
3922 ]], [[ sa_family_t foo; foo = 1235; ]])],
3923 [ ac_cv_have_sa_family_t="yes" ],
3924 [ ac_cv_have_sa_family_t="no" ]
3928 if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
3929 AC_DEFINE([HAVE_SA_FAMILY_T], [1],
3930 [define if you have sa_family_t data type])
3933 AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
3934 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3935 [[ pid_t foo; foo = 1235; ]])],
3936 [ ac_cv_have_pid_t="yes" ], [ ac_cv_have_pid_t="no"
3939 if test "x$ac_cv_have_pid_t" = "xyes" ; then
3940 AC_DEFINE([HAVE_PID_T], [1], [define if you have pid_t data type])
3943 AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
3944 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/types.h> ]],
3945 [[ mode_t foo; foo = 1235; ]])],
3946 [ ac_cv_have_mode_t="yes" ], [ ac_cv_have_mode_t="no"
3949 if test "x$ac_cv_have_mode_t" = "xyes" ; then
3950 AC_DEFINE([HAVE_MODE_T], [1], [define if you have mode_t data type])
3954 AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
3955 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3956 #include <sys/types.h>
3957 #include <sys/socket.h>
3958 ]], [[ struct sockaddr_storage s; ]])],
3959 [ ac_cv_have_struct_sockaddr_storage="yes" ],
3960 [ ac_cv_have_struct_sockaddr_storage="no"
3963 if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
3964 AC_DEFINE([HAVE_STRUCT_SOCKADDR_STORAGE], [1],
3965 [define if you have struct sockaddr_storage data type])
3968 AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
3969 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3970 #include <sys/types.h>
3971 #include <netinet/in.h>
3972 ]], [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])],
3973 [ ac_cv_have_struct_sockaddr_in6="yes" ],
3974 [ ac_cv_have_struct_sockaddr_in6="no"
3977 if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
3978 AC_DEFINE([HAVE_STRUCT_SOCKADDR_IN6], [1],
3979 [define if you have struct sockaddr_in6 data type])
3982 AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
3983 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
3984 #include <sys/types.h>
3985 #include <netinet/in.h>
3986 ]], [[ struct in6_addr s; s.s6_addr[0] = 0; ]])],
3987 [ ac_cv_have_struct_in6_addr="yes" ],
3988 [ ac_cv_have_struct_in6_addr="no"
3991 if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
3992 AC_DEFINE([HAVE_STRUCT_IN6_ADDR], [1],
3993 [define if you have struct in6_addr data type])
3995 dnl Now check for sin6_scope_id
3996 AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id], , ,
3998 #ifdef HAVE_SYS_TYPES_H
3999 #include <sys/types.h>
4001 #include <netinet/in.h>
4005 AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
4006 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4007 #include <sys/types.h>
4008 #include <sys/socket.h>
4010 ]], [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])],
4011 [ ac_cv_have_struct_addrinfo="yes" ],
4012 [ ac_cv_have_struct_addrinfo="no"
4015 if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
4016 AC_DEFINE([HAVE_STRUCT_ADDRINFO], [1],
4017 [define if you have struct addrinfo data type])
4020 AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
4021 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <sys/time.h> ]],
4022 [[ struct timeval tv; tv.tv_sec = 1;]])],
4023 [ ac_cv_have_struct_timeval="yes" ],
4024 [ ac_cv_have_struct_timeval="no"
4027 if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
4028 AC_DEFINE([HAVE_STRUCT_TIMEVAL], [1], [define if you have struct timeval])
4029 have_struct_timeval=1
4032 AC_CHECK_TYPES([struct timespec])
4034 # We need int64_t or else certain parts of the compile will fail.
4035 if test "x$ac_cv_have_int64_t" = "xno" && \
4036 test "x$ac_cv_sizeof_long_int" != "x8" && \
4037 test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
4038 echo "OpenSSH requires int64_t support. Contact your vendor or install"
4039 echo "an alternative compiler (I.E., GCC) before continuing."
4043 dnl test snprintf (broken on SCO w/gcc)
4048 #ifdef HAVE_SNPRINTF
4052 char expected_out[50];
4054 #if (SIZEOF_LONG_INT == 8)
4055 long int num = 0x7fffffffffffffff;
4057 long long num = 0x7fffffffffffffffll;
4059 strcpy(expected_out, "9223372036854775807");
4060 snprintf(buf, mazsize, "%lld", num);
4061 if(strcmp(buf, expected_out) != 0)
4068 ]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
4069 AC_MSG_WARN([cross compiling: Assuming working snprintf()])
4073 dnl Checks for structure members
4074 OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmp.h], [HAVE_HOST_IN_UTMP])
4075 OSSH_CHECK_HEADER_FOR_FIELD([ut_host], [utmpx.h], [HAVE_HOST_IN_UTMPX])
4076 OSSH_CHECK_HEADER_FOR_FIELD([syslen], [utmpx.h], [HAVE_SYSLEN_IN_UTMPX])
4077 OSSH_CHECK_HEADER_FOR_FIELD([ut_pid], [utmp.h], [HAVE_PID_IN_UTMP])
4078 OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmp.h], [HAVE_TYPE_IN_UTMP])
4079 OSSH_CHECK_HEADER_FOR_FIELD([ut_type], [utmpx.h], [HAVE_TYPE_IN_UTMPX])
4080 OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmp.h], [HAVE_TV_IN_UTMP])
4081 OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmp.h], [HAVE_ID_IN_UTMP])
4082 OSSH_CHECK_HEADER_FOR_FIELD([ut_id], [utmpx.h], [HAVE_ID_IN_UTMPX])
4083 OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmp.h], [HAVE_ADDR_IN_UTMP])
4084 OSSH_CHECK_HEADER_FOR_FIELD([ut_addr], [utmpx.h], [HAVE_ADDR_IN_UTMPX])
4085 OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmp.h], [HAVE_ADDR_V6_IN_UTMP])
4086 OSSH_CHECK_HEADER_FOR_FIELD([ut_addr_v6], [utmpx.h], [HAVE_ADDR_V6_IN_UTMPX])
4087 OSSH_CHECK_HEADER_FOR_FIELD([ut_exit], [utmp.h], [HAVE_EXIT_IN_UTMP])
4088 OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmp.h], [HAVE_TIME_IN_UTMP])
4089 OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
4090 OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
4092 AC_CHECK_MEMBERS([struct stat.st_blksize])
4093 AC_CHECK_MEMBERS([struct stat.st_mtim])
4094 AC_CHECK_MEMBERS([struct stat.st_mtime])
4095 AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
4096 struct passwd.pw_change, struct passwd.pw_expire],
4098 #include <sys/types.h>
4102 AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
4103 [Define if we don't have struct __res_state in resolv.h])],
4106 #if HAVE_SYS_TYPES_H
4107 # include <sys/types.h>
4109 #include <netinet/in.h>
4110 #include <arpa/nameser.h>
4114 AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
4115 ac_cv_have_ss_family_in_struct_ss, [
4116 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4117 #include <sys/types.h>
4118 #include <sys/socket.h>
4119 ]], [[ struct sockaddr_storage s; s.ss_family = 1; ]])],
4120 [ ac_cv_have_ss_family_in_struct_ss="yes" ],
4121 [ ac_cv_have_ss_family_in_struct_ss="no" ])
4123 if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
4124 AC_DEFINE([HAVE_SS_FAMILY_IN_SS], [1], [Fields in struct sockaddr_storage])
4127 AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
4128 ac_cv_have___ss_family_in_struct_ss, [
4129 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4130 #include <sys/types.h>
4131 #include <sys/socket.h>
4132 ]], [[ struct sockaddr_storage s; s.__ss_family = 1; ]])],
4133 [ ac_cv_have___ss_family_in_struct_ss="yes" ],
4134 [ ac_cv_have___ss_family_in_struct_ss="no"
4137 if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
4138 AC_DEFINE([HAVE___SS_FAMILY_IN_SS], [1],
4139 [Fields in struct sockaddr_storage])
4142 dnl make sure we're using the real structure members and not defines
4143 AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
4144 ac_cv_have_accrights_in_msghdr, [
4145 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4146 #include <sys/types.h>
4147 #include <sys/socket.h>
4148 #include <sys/uio.h>
4150 #ifdef msg_accrights
4151 #error "msg_accrights is a macro"
4155 m.msg_accrights = 0;
4158 [ ac_cv_have_accrights_in_msghdr="yes" ],
4159 [ ac_cv_have_accrights_in_msghdr="no" ]
4162 if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
4163 AC_DEFINE([HAVE_ACCRIGHTS_IN_MSGHDR], [1],
4164 [Define if your system uses access rights style
4165 file descriptor passing])
4168 AC_MSG_CHECKING([if struct statvfs.f_fsid is integral type])
4169 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4170 #include <sys/param.h>
4171 #include <sys/stat.h>
4172 #ifdef HAVE_SYS_TIME_H
4173 # include <sys/time.h>
4175 #ifdef HAVE_SYS_MOUNT_H
4176 #include <sys/mount.h>
4178 #ifdef HAVE_SYS_STATVFS_H
4179 #include <sys/statvfs.h>
4181 ]], [[ struct statvfs s; s.f_fsid = 0; ]])],
4182 [ AC_MSG_RESULT([yes]) ],
4183 [ AC_MSG_RESULT([no])
4185 AC_MSG_CHECKING([if fsid_t has member val])
4186 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4187 #include <sys/types.h>
4188 #include <sys/statvfs.h>
4189 ]], [[ fsid_t t; t.val[0] = 0; ]])],
4190 [ AC_MSG_RESULT([yes])
4191 AC_DEFINE([FSID_HAS_VAL], [1], [fsid_t has member val]) ],
4192 [ AC_MSG_RESULT([no]) ])
4194 AC_MSG_CHECKING([if f_fsid has member __val])
4195 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4196 #include <sys/types.h>
4197 #include <sys/statvfs.h>
4198 ]], [[ fsid_t t; t.__val[0] = 0; ]])],
4199 [ AC_MSG_RESULT([yes])
4200 AC_DEFINE([FSID_HAS___VAL], [1], [fsid_t has member __val]) ],
4201 [ AC_MSG_RESULT([no]) ])
4204 AC_CACHE_CHECK([for msg_control field in struct msghdr],
4205 ac_cv_have_control_in_msghdr, [
4206 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4207 #include <sys/types.h>
4208 #include <sys/socket.h>
4209 #include <sys/uio.h>
4212 #error "msg_control is a macro"
4219 [ ac_cv_have_control_in_msghdr="yes" ],
4220 [ ac_cv_have_control_in_msghdr="no" ]
4223 if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
4224 AC_DEFINE([HAVE_CONTROL_IN_MSGHDR], [1],
4225 [Define if your system uses ancillary data style
4226 file descriptor passing])
4229 AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
4230 AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4231 [[ extern char *__progname; printf("%s", __progname); ]])],
4232 [ ac_cv_libc_defines___progname="yes" ],
4233 [ ac_cv_libc_defines___progname="no"
4236 if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
4237 AC_DEFINE([HAVE___PROGNAME], [1], [Define if libc defines __progname])
4240 AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
4241 AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4242 [[ printf("%s", __FUNCTION__); ]])],
4243 [ ac_cv_cc_implements___FUNCTION__="yes" ],
4244 [ ac_cv_cc_implements___FUNCTION__="no"
4247 if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
4248 AC_DEFINE([HAVE___FUNCTION__], [1],
4249 [Define if compiler implements __FUNCTION__])
4252 AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
4253 AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]],
4254 [[ printf("%s", __func__); ]])],
4255 [ ac_cv_cc_implements___func__="yes" ],
4256 [ ac_cv_cc_implements___func__="no"
4259 if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
4260 AC_DEFINE([HAVE___func__], [1], [Define if compiler implements __func__])
4263 AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
4264 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4267 ]], [[ va_copy(x,y); ]])],
4268 [ ac_cv_have_va_copy="yes" ],
4269 [ ac_cv_have_va_copy="no"
4272 if test "x$ac_cv_have_va_copy" = "xyes" ; then
4273 AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
4276 AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
4277 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4280 ]], [[ __va_copy(x,y); ]])],
4281 [ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
4284 if test "x$ac_cv_have___va_copy" = "xyes" ; then
4285 AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
4288 AC_CACHE_CHECK([whether getopt has optreset support],
4289 ac_cv_have_getopt_optreset, [
4290 AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include <getopt.h> ]],
4291 [[ extern int optreset; optreset = 0; ]])],
4292 [ ac_cv_have_getopt_optreset="yes" ],
4293 [ ac_cv_have_getopt_optreset="no"
4296 if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
4297 AC_DEFINE([HAVE_GETOPT_OPTRESET], [1],
4298 [Define if your getopt(3) defines and uses optreset])
4301 AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
4302 AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4303 [[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);]])],
4304 [ ac_cv_libc_defines_sys_errlist="yes" ],
4305 [ ac_cv_libc_defines_sys_errlist="no"
4308 if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
4309 AC_DEFINE([HAVE_SYS_ERRLIST], [1],
4310 [Define if your system defines sys_errlist[]])
4314 AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
4315 AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
4316 [[ extern int sys_nerr; printf("%i", sys_nerr);]])],
4317 [ ac_cv_libc_defines_sys_nerr="yes" ],
4318 [ ac_cv_libc_defines_sys_nerr="no"
4321 if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
4322 AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
4325 # Check libraries needed by DNS fingerprint support
4326 AC_SEARCH_LIBS([getrrsetbyname], [resolv],
4327 [AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
4328 [Define if getrrsetbyname() exists])],
4330 # Needed by our getrrsetbyname()
4331 AC_SEARCH_LIBS([res_query], [resolv])
4332 AC_SEARCH_LIBS([dn_expand], [resolv])
4333 AC_MSG_CHECKING([if res_query will link])
4334 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4335 #include <sys/types.h>
4336 #include <netinet/in.h>
4337 #include <arpa/nameser.h>
4341 res_query (0, 0, 0, 0, 0);
4343 AC_MSG_RESULT([yes]),
4344 [AC_MSG_RESULT([no])
4346 LIBS="$LIBS -lresolv"
4347 AC_MSG_CHECKING([for res_query in -lresolv])
4348 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4349 #include <sys/types.h>
4350 #include <netinet/in.h>
4351 #include <arpa/nameser.h>
4355 res_query (0, 0, 0, 0, 0);
4357 [AC_MSG_RESULT([yes])],
4359 AC_MSG_RESULT([no])])
4361 AC_CHECK_FUNCS([_getshort _getlong])
4362 AC_CHECK_DECLS([_getshort, _getlong], , ,
4363 [#include <sys/types.h>
4364 #include <arpa/nameser.h>])
4365 AC_CHECK_MEMBER([HEADER.ad],
4366 [AC_DEFINE([HAVE_HEADER_AD], [1],
4367 [Define if HEADER.ad exists in arpa/nameser.h])], ,
4368 [#include <arpa/nameser.h>])
4371 AC_MSG_CHECKING([if struct __res_state _res is an extern])
4372 AC_LINK_IFELSE([AC_LANG_PROGRAM([[
4374 #if HAVE_SYS_TYPES_H
4375 # include <sys/types.h>
4377 #include <netinet/in.h>
4378 #include <arpa/nameser.h>
4380 extern struct __res_state _res;
4382 struct __res_state *volatile p = &_res; /* force resolution of _res */
4385 [AC_MSG_RESULT([yes])
4386 AC_DEFINE([HAVE__RES_EXTERN], [1],
4387 [Define if you have struct __res_state _res as an extern])
4389 [ AC_MSG_RESULT([no]) ]
4392 # Check whether user wants SELinux support
4395 AC_ARG_WITH([selinux],
4396 [ --with-selinux Enable SELinux support],
4397 [ if test "x$withval" != "xno" ; then
4399 AC_DEFINE([WITH_SELINUX], [1],
4400 [Define if you want SELinux support.])
4402 AC_CHECK_HEADER([selinux/selinux.h], ,
4403 AC_MSG_ERROR([SELinux support requires selinux.h header]))
4404 AC_CHECK_LIB([selinux], [setexeccon],
4405 [ LIBSELINUX="-lselinux"
4406 LIBS="$LIBS -lselinux"
4408 AC_MSG_ERROR([SELinux support requires libselinux library]))
4409 SSHLIBS="$SSHLIBS $LIBSELINUX"
4410 SSHDLIBS="$SSHDLIBS $LIBSELINUX"
4411 AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
4416 AC_SUBST([SSHDLIBS])
4418 # Check whether user wants Kerberos 5 support
4420 AC_ARG_WITH([kerberos5],
4421 [ --with-kerberos5=PATH Enable Kerberos 5 support],
4422 [ if test "x$withval" != "xno" ; then
4423 if test "x$withval" = "xyes" ; then
4424 KRB5ROOT="/usr/local"
4429 AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
4432 AC_PATH_TOOL([KRB5CONF], [krb5-config],
4433 [$KRB5ROOT/bin/krb5-config],
4434 [$KRB5ROOT/bin:$PATH])
4435 if test -x $KRB5CONF ; then
4436 K5CFLAGS="`$KRB5CONF --cflags`"
4437 K5LIBS="`$KRB5CONF --libs`"
4438 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
4440 AC_MSG_CHECKING([for gssapi support])
4441 if $KRB5CONF | grep gssapi >/dev/null ; then
4442 AC_MSG_RESULT([yes])
4443 AC_DEFINE([GSSAPI], [1],
4444 [Define this if you want GSSAPI
4445 support in the version 2 protocol])
4446 GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4447 GSSLIBS="`$KRB5CONF --libs gssapi`"
4448 CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
4452 AC_MSG_CHECKING([whether we are using Heimdal])
4453 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4454 ]], [[ char *tmp = heimdal_version; ]])],
4455 [ AC_MSG_RESULT([yes])
4456 AC_DEFINE([HEIMDAL], [1],
4457 [Define this if you are using the Heimdal
4458 version of Kerberos V5]) ],
4459 [AC_MSG_RESULT([no])
4462 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4463 LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4464 AC_MSG_CHECKING([whether we are using Heimdal])
4465 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
4466 ]], [[ char *tmp = heimdal_version; ]])],
4467 [ AC_MSG_RESULT([yes])
4468 AC_DEFINE([HEIMDAL])
4470 K5LIBS="$K5LIBS -lcom_err -lasn1"
4471 AC_CHECK_LIB([roken], [net_write],
4472 [K5LIBS="$K5LIBS -lroken"])
4473 AC_CHECK_LIB([des], [des_cbc_encrypt],
4474 [K5LIBS="$K5LIBS -ldes"])
4475 ], [ AC_MSG_RESULT([no])
4476 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4478 AC_SEARCH_LIBS([dn_expand], [resolv])
4480 AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
4481 [ AC_DEFINE([GSSAPI])
4482 GSSLIBS="-lgssapi_krb5" ],
4483 [ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
4484 [ AC_DEFINE([GSSAPI])
4485 GSSLIBS="-lgssapi" ],
4486 [ AC_CHECK_LIB([gss], [gss_init_sec_context],
4487 [ AC_DEFINE([GSSAPI])
4489 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4493 AC_CHECK_HEADER([gssapi.h], ,
4494 [ unset ac_cv_header_gssapi_h
4495 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4496 AC_CHECK_HEADERS([gssapi.h], ,
4497 AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4503 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4504 AC_CHECK_HEADER([gssapi_krb5.h], ,
4505 [ CPPFLAGS="$oldCPP" ])
4508 if test ! -z "$need_dash_r" ; then
4509 LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
4511 if test ! -z "$blibpath" ; then
4512 blibpath="$blibpath:${KRB5ROOT}/lib"
4515 AC_CHECK_HEADERS([gssapi.h gssapi/gssapi.h])
4516 AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
4517 AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
4519 AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
4520 [Define this if you want to use libkafs' AFS support])])
4522 AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
4523 #ifdef HAVE_GSSAPI_H
4524 # include <gssapi.h>
4525 #elif defined(HAVE_GSSAPI_GSSAPI_H)
4526 # include <gssapi/gssapi.h>
4529 #ifdef HAVE_GSSAPI_GENERIC_H
4530 # include <gssapi_generic.h>
4531 #elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
4532 # include <gssapi/gssapi_generic.h>
4536 LIBS="$LIBS $K5LIBS"
4537 AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
4546 # Looking for programs, paths and files
4548 PRIVSEP_PATH=/var/empty
4549 AC_ARG_WITH([privsep-path],
4550 [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4552 if test -n "$withval" && test "x$withval" != "xno" && \
4553 test "x${withval}" != "xyes"; then
4554 PRIVSEP_PATH=$withval
4558 AC_SUBST([PRIVSEP_PATH])
4560 AC_ARG_WITH([xauth],
4561 [ --with-xauth=PATH Specify path to xauth program ],
4563 if test -n "$withval" && test "x$withval" != "xno" && \
4564 test "x${withval}" != "xyes"; then
4570 TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
4571 TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
4572 TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
4573 TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
4574 AC_PATH_PROG([xauth_path], [xauth], , [$TestPath])
4575 if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4576 xauth_path="/usr/openwin/bin/xauth"
4582 AC_ARG_ENABLE([strip],
4583 [ --disable-strip Disable calling strip(1) on install],
4585 if test "x$enableval" = "xno" ; then
4590 AC_SUBST([STRIP_OPT])
4592 if test -z "$xauth_path" ; then
4593 XAUTH_PATH="undefined"
4594 AC_SUBST([XAUTH_PATH])
4596 AC_DEFINE_UNQUOTED([XAUTH_PATH], ["$xauth_path"],
4597 [Define if xauth is found in your path])
4598 XAUTH_PATH=$xauth_path
4599 AC_SUBST([XAUTH_PATH])
4602 dnl # --with-maildir=/path/to/mail gets top priority.
4603 dnl # if maildir is set in the platform case statement above we use that.
4604 dnl # Otherwise we run a program to get the dir from system headers.
4605 dnl # We first look for _PATH_MAILDIR then MAILDIR then _PATH_MAIL
4606 dnl # If we find _PATH_MAILDIR we do nothing because that is what
4607 dnl # session.c expects anyway. Otherwise we set to the value found
4608 dnl # stripping any trailing slash. If for some strage reason our program
4609 dnl # does not find what it needs, we default to /var/spool/mail.
4610 # Check for mail directory
4611 AC_ARG_WITH([maildir],
4612 [ --with-maildir=/path/to/mail Specify your system mail directory],
4614 if test "X$withval" != X && test "x$withval" != xno && \
4615 test "x${withval}" != xyes; then
4616 AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$withval"],
4617 [Set this to your mail directory if you do not have _PATH_MAILDIR])
4620 if test "X$maildir" != "X"; then
4621 AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4623 AC_MSG_CHECKING([Discovering system mail directory])
4631 #ifdef HAVE_MAILLOCK_H
4632 #include <maillock.h>
4634 #define DATA "conftest.maildir"
4639 fd = fopen(DATA,"w");
4643 #if defined (_PATH_MAILDIR)
4644 if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
4646 #elif defined (MAILDIR)
4647 if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
4649 #elif defined (_PATH_MAIL)
4650 if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
4659 maildir_what=`awk -F: '{print $1}' conftest.maildir`
4660 maildir=`awk -F: '{print $2}' conftest.maildir \
4662 AC_MSG_RESULT([Using: $maildir from $maildir_what])
4663 if test "x$maildir_what" != "x_PATH_MAILDIR"; then
4664 AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["$maildir"])
4668 if test "X$ac_status" = "X2";then
4669 # our test program didn't find it. Default to /var/spool/mail
4670 AC_MSG_RESULT([Using: default value of /var/spool/mail])
4671 AC_DEFINE_UNQUOTED([MAIL_DIRECTORY], ["/var/spool/mail"])
4673 AC_MSG_RESULT([*** not found ***])
4677 AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
4684 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
4685 AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
4686 disable_ptmx_check=yes
4688 if test -z "$no_dev_ptmx" ; then
4689 if test "x$disable_ptmx_check" != "xyes" ; then
4690 AC_CHECK_FILE(["/dev/ptmx"],
4692 AC_DEFINE_UNQUOTED([HAVE_DEV_PTMX], [1],
4693 [Define if you have /dev/ptmx])
4700 if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
4701 AC_CHECK_FILE(["/dev/ptc"],
4703 AC_DEFINE_UNQUOTED([HAVE_DEV_PTS_AND_PTC], [1],
4704 [Define if you have /dev/ptc])
4709 AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
4712 # Options from here on. Some of these are preset by platform above
4713 AC_ARG_WITH([mantype],
4714 [ --with-mantype=man|cat|doc Set man page type],
4721 AC_MSG_ERROR([invalid man type: $withval])
4726 if test -z "$MANTYPE"; then
4727 TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
4728 AC_PATH_PROGS([NROFF], [nroff awf], [/bin/false], [$TestPath])
4729 if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
4731 elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
4738 if test "$MANTYPE" = "doc"; then
4743 AC_SUBST([mansubdir])
4745 # Check whether to enable MD5 passwords
4747 AC_ARG_WITH([md5-passwords],
4748 [ --with-md5-passwords Enable use of MD5 passwords],
4750 if test "x$withval" != "xno" ; then
4751 AC_DEFINE([HAVE_MD5_PASSWORDS], [1],
4752 [Define if you want to allow MD5 passwords])
4758 # Whether to disable shadow password support
4759 AC_ARG_WITH([shadow],
4760 [ --without-shadow Disable shadow password support],
4762 if test "x$withval" = "xno" ; then
4763 AC_DEFINE([DISABLE_SHADOW])
4769 if test -z "$disable_shadow" ; then
4770 AC_MSG_CHECKING([if the systems has expire shadow information])
4771 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
4772 #include <sys/types.h>
4775 ]], [[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ]])],
4776 [ sp_expire_available=yes ], [
4779 if test "x$sp_expire_available" = "xyes" ; then
4780 AC_MSG_RESULT([yes])
4781 AC_DEFINE([HAS_SHADOW_EXPIRE], [1],
4782 [Define if you want to use shadow password expire field])
4788 # Use ip address instead of hostname in $DISPLAY
4789 if test ! -z "$IPADDR_IN_DISPLAY" ; then
4790 DISPLAY_HACK_MSG="yes"
4791 AC_DEFINE([IPADDR_IN_DISPLAY], [1],
4792 [Define if you need to use IP address
4793 instead of hostname in $DISPLAY])
4795 DISPLAY_HACK_MSG="no"
4796 AC_ARG_WITH([ipaddr-display],
4797 [ --with-ipaddr-display Use ip address instead of hostname in $DISPLAY],
4799 if test "x$withval" != "xno" ; then
4800 AC_DEFINE([IPADDR_IN_DISPLAY])
4801 DISPLAY_HACK_MSG="yes"
4807 # check for /etc/default/login and use it if present.
4808 AC_ARG_ENABLE([etc-default-login],
4809 [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
4810 [ if test "x$enableval" = "xno"; then
4811 AC_MSG_NOTICE([/etc/default/login handling disabled])
4812 etc_default_login=no
4814 etc_default_login=yes
4816 [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
4818 AC_MSG_WARN([cross compiling: not checking /etc/default/login])
4819 etc_default_login=no
4821 etc_default_login=yes
4825 if test "x$etc_default_login" != "xno"; then
4826 AC_CHECK_FILE(["/etc/default/login"],
4827 [ external_path_file=/etc/default/login ])
4828 if test "x$external_path_file" = "x/etc/default/login"; then
4829 AC_DEFINE([HAVE_ETC_DEFAULT_LOGIN], [1],
4830 [Define if your system has /etc/default/login])
4834 dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
4835 if test $ac_cv_func_login_getcapbool = "yes" && \
4836 test $ac_cv_header_login_cap_h = "yes" ; then
4837 external_path_file=/etc/login.conf
4840 # Whether to mess with the default path
4841 SERVER_PATH_MSG="(default)"
4842 AC_ARG_WITH([default-path],
4843 [ --with-default-path= Specify default $PATH environment for server],
4845 if test "x$external_path_file" = "x/etc/login.conf" ; then
4847 --with-default-path=PATH has no effect on this system.
4848 Edit /etc/login.conf instead.])
4849 elif test "x$withval" != "xno" ; then
4850 if test ! -z "$external_path_file" ; then
4852 --with-default-path=PATH will only be used if PATH is not defined in
4853 $external_path_file .])
4855 user_path="$withval"
4856 SERVER_PATH_MSG="$withval"
4859 [ if test "x$external_path_file" = "x/etc/login.conf" ; then
4860 AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
4862 if test ! -z "$external_path_file" ; then
4864 If PATH is defined in $external_path_file, ensure the path to scp is included,
4865 otherwise scp will not work.])
4869 /* find out what STDPATH is */
4874 #ifndef _PATH_STDPATH
4875 # ifdef _PATH_USERPATH /* Irix */
4876 # define _PATH_STDPATH _PATH_USERPATH
4878 # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
4881 #include <sys/types.h>
4882 #include <sys/stat.h>
4884 #define DATA "conftest.stdpath"
4889 fd = fopen(DATA,"w");
4893 if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
4898 [ user_path=`cat conftest.stdpath` ],
4899 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
4900 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
4902 # make sure $bindir is in USER_PATH so scp will work
4903 t_bindir="${bindir}"
4904 while echo "${t_bindir}" | egrep '\$\{|NONE/' >/dev/null 2>&1; do
4905 t_bindir=`eval echo ${t_bindir}`
4907 NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
4910 NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
4913 echo $user_path | grep ":$t_bindir" > /dev/null 2>&1
4914 if test $? -ne 0 ; then
4915 echo $user_path | grep "^$t_bindir" > /dev/null 2>&1
4916 if test $? -ne 0 ; then
4917 user_path=$user_path:$t_bindir
4918 AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
4923 if test "x$external_path_file" != "x/etc/login.conf" ; then
4924 AC_DEFINE_UNQUOTED([USER_PATH], ["$user_path"], [Specify default $PATH])
4925 AC_SUBST([user_path])
4928 # Set superuser path separately to user path
4929 AC_ARG_WITH([superuser-path],
4930 [ --with-superuser-path= Specify different path for super-user],
4932 if test -n "$withval" && test "x$withval" != "xno" && \
4933 test "x${withval}" != "xyes"; then
4934 AC_DEFINE_UNQUOTED([SUPERUSER_PATH], ["$withval"],
4935 [Define if you want a different $PATH
4937 superuser_path=$withval
4943 AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
4944 IPV4_IN6_HACK_MSG="no"
4946 [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses],
4948 if test "x$withval" != "xno" ; then
4949 AC_MSG_RESULT([yes])
4950 AC_DEFINE([IPV4_IN_IPV6], [1],
4951 [Detect IPv4 in IPv6 mapped addresses
4953 IPV4_IN6_HACK_MSG="yes"
4958 if test "x$inet6_default_4in6" = "xyes"; then
4959 AC_MSG_RESULT([yes (default)])
4960 AC_DEFINE([IPV4_IN_IPV6])
4961 IPV4_IN6_HACK_MSG="yes"
4963 AC_MSG_RESULT([no (default)])
4968 # Whether to enable BSD auth support
4970 AC_ARG_WITH([bsd-auth],
4971 [ --with-bsd-auth Enable BSD auth support],
4973 if test "x$withval" != "xno" ; then
4974 AC_DEFINE([BSD_AUTH], [1],
4975 [Define if you have BSD auth support])
4981 # Where to place sshd.pid
4983 # make sure the directory exists
4984 if test ! -d $piddir ; then
4985 piddir=`eval echo ${sysconfdir}`
4987 NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
4991 AC_ARG_WITH([pid-dir],
4992 [ --with-pid-dir=PATH Specify location of sshd.pid file],
4994 if test -n "$withval" && test "x$withval" != "xno" && \
4995 test "x${withval}" != "xyes"; then
4997 if test ! -d $piddir ; then
4998 AC_MSG_WARN([** no $piddir directory on this system **])
5004 AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
5005 [Specify location of ssh.pid])
5008 dnl allow user to disable some login recording features
5009 AC_ARG_ENABLE([lastlog],
5010 [ --disable-lastlog disable use of lastlog even if detected [no]],
5012 if test "x$enableval" = "xno" ; then
5013 AC_DEFINE([DISABLE_LASTLOG])
5017 AC_ARG_ENABLE([utmp],
5018 [ --disable-utmp disable use of utmp even if detected [no]],
5020 if test "x$enableval" = "xno" ; then
5021 AC_DEFINE([DISABLE_UTMP])
5025 AC_ARG_ENABLE([utmpx],
5026 [ --disable-utmpx disable use of utmpx even if detected [no]],
5028 if test "x$enableval" = "xno" ; then
5029 AC_DEFINE([DISABLE_UTMPX], [1],
5030 [Define if you don't want to use utmpx])
5034 AC_ARG_ENABLE([wtmp],
5035 [ --disable-wtmp disable use of wtmp even if detected [no]],
5037 if test "x$enableval" = "xno" ; then
5038 AC_DEFINE([DISABLE_WTMP])
5042 AC_ARG_ENABLE([wtmpx],
5043 [ --disable-wtmpx disable use of wtmpx even if detected [no]],
5045 if test "x$enableval" = "xno" ; then
5046 AC_DEFINE([DISABLE_WTMPX], [1],
5047 [Define if you don't want to use wtmpx])
5051 AC_ARG_ENABLE([libutil],
5052 [ --disable-libutil disable use of libutil (login() etc.) [no]],
5054 if test "x$enableval" = "xno" ; then
5055 AC_DEFINE([DISABLE_LOGIN])
5059 AC_ARG_ENABLE([pututline],
5060 [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]],
5062 if test "x$enableval" = "xno" ; then
5063 AC_DEFINE([DISABLE_PUTUTLINE], [1],
5064 [Define if you don't want to use pututline()
5065 etc. to write [uw]tmp])
5069 AC_ARG_ENABLE([pututxline],
5070 [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
5072 if test "x$enableval" = "xno" ; then
5073 AC_DEFINE([DISABLE_PUTUTXLINE], [1],
5074 [Define if you don't want to use pututxline()
5075 etc. to write [uw]tmpx])
5079 AC_ARG_WITH([lastlog],
5080 [ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5082 if test "x$withval" = "xno" ; then
5083 AC_DEFINE([DISABLE_LASTLOG])
5084 elif test -n "$withval" && test "x${withval}" != "xyes"; then
5085 conf_lastlog_location=$withval
5090 dnl lastlog, [uw]tmpx? detection
5091 dnl NOTE: set the paths in the platform section to avoid the
5092 dnl need for command-line parameters
5093 dnl lastlog and [uw]tmp are subject to a file search if all else fails
5095 dnl lastlog detection
5096 dnl NOTE: the code itself will detect if lastlog is a directory
5097 AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
5098 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5099 #include <sys/types.h>
5101 #ifdef HAVE_LASTLOG_H
5102 # include <lastlog.h>
5110 ]], [[ char *lastlog = LASTLOG_FILE; ]])],
5111 [ AC_MSG_RESULT([yes]) ],
5114 AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
5115 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5116 #include <sys/types.h>
5118 #ifdef HAVE_LASTLOG_H
5119 # include <lastlog.h>
5124 ]], [[ char *lastlog = _PATH_LASTLOG; ]])],
5125 [ AC_MSG_RESULT([yes]) ],
5128 system_lastlog_path=no
5132 if test -z "$conf_lastlog_location"; then
5133 if test x"$system_lastlog_path" = x"no" ; then
5134 for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
5135 if (test -d "$f" || test -f "$f") ; then
5136 conf_lastlog_location=$f
5139 if test -z "$conf_lastlog_location"; then
5140 AC_MSG_WARN([** Cannot find lastlog **])
5141 dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5146 if test -n "$conf_lastlog_location"; then
5147 AC_DEFINE_UNQUOTED([CONF_LASTLOG_FILE], ["$conf_lastlog_location"],
5148 [Define if you want to specify the path to your lastlog file])
5152 AC_MSG_CHECKING([if your system defines UTMP_FILE])
5153 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5154 #include <sys/types.h>
5159 ]], [[ char *utmp = UTMP_FILE; ]])],
5160 [ AC_MSG_RESULT([yes]) ],
5161 [ AC_MSG_RESULT([no])
5164 if test -z "$conf_utmp_location"; then
5165 if test x"$system_utmp_path" = x"no" ; then
5166 for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
5167 if test -f $f ; then
5168 conf_utmp_location=$f
5171 if test -z "$conf_utmp_location"; then
5172 AC_DEFINE([DISABLE_UTMP])
5176 if test -n "$conf_utmp_location"; then
5177 AC_DEFINE_UNQUOTED([CONF_UTMP_FILE], ["$conf_utmp_location"],
5178 [Define if you want to specify the path to your utmp file])
5182 AC_MSG_CHECKING([if your system defines WTMP_FILE])
5183 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5184 #include <sys/types.h>
5189 ]], [[ char *wtmp = WTMP_FILE; ]])],
5190 [ AC_MSG_RESULT([yes]) ],
5191 [ AC_MSG_RESULT([no])
5194 if test -z "$conf_wtmp_location"; then
5195 if test x"$system_wtmp_path" = x"no" ; then
5196 for f in /usr/adm/wtmp /var/log/wtmp; do
5197 if test -f $f ; then
5198 conf_wtmp_location=$f
5201 if test -z "$conf_wtmp_location"; then
5202 AC_DEFINE([DISABLE_WTMP])
5206 if test -n "$conf_wtmp_location"; then
5207 AC_DEFINE_UNQUOTED([CONF_WTMP_FILE], ["$conf_wtmp_location"],
5208 [Define if you want to specify the path to your wtmp file])
5212 AC_MSG_CHECKING([if your system defines WTMPX_FILE])
5213 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
5214 #include <sys/types.h>
5222 ]], [[ char *wtmpx = WTMPX_FILE; ]])],
5223 [ AC_MSG_RESULT([yes]) ],
5224 [ AC_MSG_RESULT([no])
5225 system_wtmpx_path=no
5227 if test -z "$conf_wtmpx_location"; then
5228 if test x"$system_wtmpx_path" = x"no" ; then
5229 AC_DEFINE([DISABLE_WTMPX])
5232 AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
5233 [Define if you want to specify the path to your wtmpx file])
5237 if test ! -z "$blibpath" ; then
5238 LDFLAGS="$LDFLAGS $blibflags$blibpath"
5239 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
5242 AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
5243 if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
5244 AC_DEFINE([DISABLE_LASTLOG])
5247 #ifdef HAVE_SYS_TYPES_H
5248 #include <sys/types.h>
5256 #ifdef HAVE_LASTLOG_H
5257 #include <lastlog.h>
5261 AC_CHECK_MEMBER([struct utmp.ut_line], [], [
5262 AC_DEFINE([DISABLE_UTMP])
5263 AC_DEFINE([DISABLE_WTMP])
5265 #ifdef HAVE_SYS_TYPES_H
5266 #include <sys/types.h>
5274 #ifdef HAVE_LASTLOG_H
5275 #include <lastlog.h>
5279 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5281 CFLAGS="$CFLAGS $werror_flags"
5283 if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
5288 AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no])
5289 AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
5290 AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
5291 AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
5292 AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
5293 AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
5295 CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
5296 LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
5299 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
5300 openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5304 # Print summary of options
5306 # Someone please show me a better way :)
5307 A=`eval echo ${prefix}` ; A=`eval echo ${A}`
5308 B=`eval echo ${bindir}` ; B=`eval echo ${B}`
5309 C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
5310 D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
5311 E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5312 F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
5313 G=`eval echo ${piddir}` ; G=`eval echo ${G}`
5314 H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
5315 I=`eval echo ${user_path}` ; I=`eval echo ${I}`
5316 J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
5319 echo "OpenSSH has been configured with the following options:"
5320 echo " User binaries: $B"
5321 echo " System binaries: $C"
5322 echo " Configuration files: $D"
5323 echo " Askpass program: $E"
5324 echo " Manual pages: $F"
5325 echo " PID file: $G"
5326 echo " Privilege separation chroot path: $H"
5327 if test "x$external_path_file" = "x/etc/login.conf" ; then
5328 echo " At runtime, sshd will use the path defined in $external_path_file"
5329 echo " Make sure the path to scp is present, otherwise scp will not work"
5331 echo " sshd default user PATH: $I"
5332 if test ! -z "$external_path_file"; then
5333 echo " (If PATH is set in $external_path_file it will be used instead. If"
5334 echo " used, ensure the path to scp is present, otherwise scp will not work.)"
5337 if test ! -z "$superuser_path" ; then
5338 echo " sshd superuser user PATH: $J"
5340 echo " Manpage format: $MANTYPE"
5341 echo " PAM support: $PAM_MSG"
5342 echo " OSF SIA support: $SIA_MSG"
5343 echo " KerberosV support: $KRB5_MSG"
5344 echo " SELinux support: $SELINUX_MSG"
5345 echo " TCP Wrappers support: $TCPW_MSG"
5346 echo " MD5 password support: $MD5_MSG"
5347 echo " libedit support: $LIBEDIT_MSG"
5348 echo " libldns support: $LDNS_MSG"
5349 echo " Solaris process contract support: $SPC_MSG"
5350 echo " Solaris project support: $SP_MSG"
5351 echo " Solaris privilege support: $SPP_MSG"
5352 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
5353 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
5354 echo " BSD Auth support: $BSD_AUTH_MSG"
5355 echo " Random number source: $RAND_MSG"
5356 echo " Privsep sandbox style: $SANDBOX_STYLE"
5360 echo " Host: ${host}"
5361 echo " Compiler: ${CC}"
5362 echo " Compiler flags: ${CFLAGS}"
5363 echo "Preprocessor flags: ${CPPFLAGS}"
5364 echo " Linker flags: ${LDFLAGS}"
5365 echo " Libraries: ${LIBS}"
5366 if test ! -z "${SSHDLIBS}"; then
5367 echo " +for sshd: ${SSHDLIBS}"
5369 if test ! -z "${SSHLIBS}"; then
5370 echo " +for ssh: ${SSHLIBS}"
5375 if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
5376 echo "SVR4 style packages are supported with \"make package\""
5380 if test "x$PAM_MSG" = "xyes" ; then
5381 echo "PAM is enabled. You may need to install a PAM control file "
5382 echo "for sshd, otherwise password authentication may fail. "
5383 echo "Example PAM control files can be found in the contrib/ "
5388 if test ! -z "$NO_PEERCHECK" ; then
5389 echo "WARNING: the operating system that you are using does not"
5390 echo "appear to support getpeereid(), getpeerucred() or the"
5391 echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5392 echo "enforce security checks to prevent unauthorised connections to"
5393 echo "ssh-agent. Their absence increases the risk that a malicious"
5394 echo "user can connect to your agent."
5398 if test "$AUDIT_MODULE" = "bsm" ; then
5399 echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
5400 echo "See the Solaris section in README.platform for details."