configure.ac

OpenSSH 是 SSH （Secure SHell） 协议的免费开源实现。它用安全、加密的网络连接工具代替了 telnet、ftp、 rlogin、rsh 和 rcp 工具。OpenSSH 支持

		AC_DEFINE(HAVE_STRICT_MKSTEMP)
	]
)
fi

dnl make sure that openpty does not reacquire controlling terminal
if test ! -z "$check_for_openpty_ctty_bug"; then
	AC_MSG_CHECKING(if openpty correctly handles controlling tty)
	AC_TRY_RUN(
		[
#include <stdio.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>

int
main()
{
	pid_t pid;
	int fd, ptyfd, ttyfd, status;

	pid = fork();
	if (pid < 0) {		/* failed */
		exit(1);
	} else if (pid > 0) {	/* parent */
		waitpid(pid, &status, 0);
		if (WIFEXITED(status))
			exit(WEXITSTATUS(status));
		else
			exit(2);
	} else {		/* child */
		close(0); close(1); close(2);
		setsid();
		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
		if (fd >= 0)
			exit(3);	/* Acquired ctty: broken */
		else
			exit(0);	/* Did not acquire ctty: OK */
	}
}
		],
		[
			AC_MSG_RESULT(yes)
		],
		[
			AC_MSG_RESULT(no)
			AC_DEFINE(SSHD_ACQUIRES_CTTY)
		]
	)
fi

if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING(if getaddrinfo seems to work)
	AC_TRY_RUN(
		[
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"

int
main(void)
{
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (err != 0) {
			if (err == EAI_SYSTEM)
				perror("getnameinfo EAI_SYSTEM");
			else
				fprintf(stderr, "getnameinfo failed: %s\n",
				    gai_strerror(err));
			exit(2);
		}

		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (sock < 0)
			perror("socket");
		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
			if (errno == EBADF)
				exit(3);
		}
	}
	exit(0);
}
		],
		[
			AC_MSG_RESULT(yes)
		],
		[
			AC_MSG_RESULT(no)
			AC_DEFINE(BROKEN_GETADDRINFO)
		]
	)
fi

if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then
	AC_MSG_CHECKING(if getaddrinfo seems to work)
	AC_TRY_RUN(
		[
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <netinet/in.h>

#define TEST_PORT "2222"

int
main(void)
{
	int err, sock;
	struct addrinfo *gai_ai, *ai, hints;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
	if (err != 0) {
		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
		exit(1);
	}

	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;

		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
		    sizeof(ntop), strport, sizeof(strport),
		    NI_NUMERICHOST|NI_NUMERICSERV);

		if (ai->ai_family == AF_INET && err != 0) {
			perror("getnameinfo");
			exit(2);
		}
	}
	exit(0);
}
		],
		[
			AC_MSG_RESULT(yes)
			AC_DEFINE(AIX_GETNAMEINFO_HACK, [],
[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address])
		],
		[
			AC_MSG_RESULT(no)
			AC_DEFINE(BROKEN_GETADDRINFO)
		]
	)
fi

if test "x$check_for_conflicting_getspnam" = "x1"; then
	AC_MSG_CHECKING(for conflicting getspnam in shadow.h)
	AC_COMPILE_IFELSE(
		[
#include <shadow.h>
int main(void) {exit(0);}
		],
		[
			AC_MSG_RESULT(no)
		],
		[
			AC_MSG_RESULT(yes)
			AC_DEFINE(GETSPNAM_CONFLICTING_DEFS, 1,
			    [Conflicting defs for getspnam])
		]
	)
fi

AC_FUNC_GETPGRP

# Check for PAM libs
PAM_MSG="no"
AC_ARG_WITH(pam,
	[  --with-pam              Enable PAM support ],
	[
		if test "x$withval" != "xno" ; then
			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
				AC_MSG_ERROR([PAM headers not found])
			fi

			AC_CHECK_LIB(dl, dlopen, , )
			AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
			AC_CHECK_FUNCS(pam_getenvlist)
			AC_CHECK_FUNCS(pam_putenv)

			PAM_MSG="yes"

			AC_DEFINE(USE_PAM)
			if test $ac_cv_lib_dl_dlopen = yes; then
				LIBPAM="-lpam -ldl"
			else
				LIBPAM="-lpam"
			fi
			AC_SUBST(LIBPAM)
		fi
	]
)

# Check for older PAM
if test "x$PAM_MSG" = "xyes" ; then
	# Check PAM strerror arguments (old PAM)
	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
	AC_TRY_COMPILE(
		[
#include <stdlib.h>
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
		],
		[(void)pam_strerror((pam_handle_t *)NULL, -1);],
		[AC_MSG_RESULT(no)],
		[
			AC_DEFINE(HAVE_OLD_PAM)
			AC_MSG_RESULT(yes)
			PAM_MSG="yes (old library)"
		]
	)
fi

# Search for OpenSSL
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH(ssl-dir,
	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
	[
		if test "x$withval" != "xno" ; then
			case "$withval" in
				# Relative paths
				./*|../*)	withval="`pwd`/$withval"
			esac
			if test -d "$withval/lib"; then
				if test -n "${need_dash_r}"; then
					LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
				else
					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
				fi
			else
				if test -n "${need_dash_r}"; then
					LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
				else
					LDFLAGS="-L${withval} ${LDFLAGS}"
				fi
			fi
			if test -d "$withval/include"; then
				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
			else
				CPPFLAGS="-I${withval} ${CPPFLAGS}"
			fi
		fi
	]
)
LIBS="-lcrypto $LIBS"
AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
	[
		dnl Check default openssl install dir
		if test -n "${need_dash_r}"; then
			LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
		else
			LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
		fi
		CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
		AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
			[
				AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
			]
		)
	]
)

# Determine OpenSSL header version
AC_MSG_CHECKING([OpenSSL header version])
AC_RUN_IFELSE(
	[AC_LANG_SOURCE([[
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#define DATA "conftest.sslincver"
int main(void) {
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
		exit(1);

	exit(0);
}
	]])],
	[
		ssl_header_ver=`cat conftest.sslincver`
		AC_MSG_RESULT($ssl_header_ver)
	],
	[
		AC_MSG_RESULT(not found)
		AC_MSG_ERROR(OpenSSL version header not found.)
	],
	[
		AC_MSG_WARN([cross compiling: not checking])
	]
)

# Determine OpenSSL library version
AC_MSG_CHECKING([OpenSSL library version])
AC_RUN_IFELSE(
	[AC_LANG_SOURCE([[
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"
int main(void) {
	FILE *fd;
	int rc;

	fd = fopen(DATA,"w");
	if(fd == NULL)
		exit(1);

	if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
		exit(1);

	exit(0);
}
	]])],
	[
		ssl_library_ver=`cat conftest.ssllibver`
		AC_MSG_RESULT($ssl_library_ver)
	],
	[
		AC_MSG_RESULT(not found)
		AC_MSG_ERROR(OpenSSL library not found.)
	],
	[
		AC_MSG_WARN([cross compiling: not checking])
	]
)

# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
	[AC_LANG_SOURCE([[
#include <string.h>
#include <openssl/opensslv.h>
int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
	]])],
	[
		AC_MSG_RESULT(yes)
	],
	[
		AC_MSG_RESULT(no)
		AC_MSG_ERROR([Your OpenSSL headers do not match your library.
Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.])
	],
	[
		AC_MSG_WARN([cross compiling: not checking])
	]
)

# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
# because the system crypt() is more featureful.
if test "x$check_for_libcrypt_before" = "x1"; then
	AC_CHECK_LIB(crypt, crypt)
fi

# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
# version in OpenSSL.
if test "x$check_for_libcrypt_later" = "x1"; then
	AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
fi


### Configure cryptographic random number support

# Check wheter OpenSSL seeds itself
AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
AC_RUN_IFELSE(
	[AC_LANG_SOURCE([[
#include <string.h>
#include <openssl/rand.h>
int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
	]])],
	[
		OPENSSL_SEEDS_ITSELF=yes
		AC_MSG_RESULT(yes)
	],
	[
		AC_MSG_RESULT(no)
		# Default to use of the rand helper if OpenSSL doesn't
		# seed itself
		USE_RAND_HELPER=yes
	],
	[
		AC_MSG_WARN([cross compiling: assuming yes])
		# This is safe, since all recent OpenSSL versions will
		# complain at runtime if not seeded correctly. 
		OPENSSL_SEEDS_ITSELF=yes
	]
)


# Do we want to force the use of the rand helper?
AC_ARG_WITH(rand-helper,
	[  --with-rand-helper      Use subprocess to gather strong randomness ],
	[
		if test "x$withval" = "xno" ; then
			# Force use of OpenSSL's internal RNG, even if
			# the previous test showed it to be unseeded.
			if test -z "$OPENSSL_SEEDS_ITSELF" ; then
				AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
				OPENSSL_SEEDS_ITSELF=yes
				USE_RAND_HELPER=""
			fi
		else
			USE_RAND_HELPER=yes
		fi
	],
)	

# Which randomness source do we use?
if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then
	# OpenSSL only
	AC_DEFINE(OPENSSL_PRNG_ONLY)
	RAND_MSG="OpenSSL internal ONLY"
	INSTALL_SSH_RAND_HELPER=""
elif test ! -z "$USE_RAND_HELPER" ; then
	# install rand helper
	RAND_MSG="ssh-rand-helper"
	INSTALL_SSH_RAND_HELPER="yes"
fi
AC_SUBST(INSTALL_SSH_RAND_HELPER)

### Configuration of ssh-rand-helper

# PRNGD TCP socket
AC_ARG_WITH(prngd-port,
	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
	[
		case "$withval" in
		no)
			withval=""
			;;
		[[0-9]]*)
			;;
		*)
			AC_MSG_ERROR(You must specify a numeric port number for --with-prngd-port)
			;;
		esac
		if test ! -z "$withval" ; then
			PRNGD_PORT="$withval"
			AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
		fi
	]
)

# PRNGD Unix domain socket
AC_ARG_WITH(prngd-socket,
	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
	[
		case "$withval" in
		yes)
			withval="/var/run/egd-pool"
			;;
		no)
			withval=""
			;;
		/*)
			;;
		*)
			AC_MSG_ERROR(You must specify an absolute path to the entropy socket)
			;;
		esac

		if test ! -z "$withval" ; then
			if test ! -z "$PRNGD_PORT" ; then
				AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket)
			fi
			if test ! -r "$withval" ; then
				AC_MSG_WARN(Entropy socket is not readable)
			fi
			PRNGD_SOCKET="$withval"
			AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
		fi
	],
	[
		# Check for existing socket only if we don't have a random device already