X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/a74e9b64e20e92d70c2d17bd424b076113ff09dd..ccd01778c21e2fc83d9b0da282862828d4832757:/configure.ac

diff --git a/configure.ac b/configure.ac
index 02022a9f..af1f0321 100644
--- a/configure.ac
+++ b/configure.ac
@@ -90,6 +90,13 @@ AC_C_INLINE
 
 AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
 
+use_stack_protector=1
+AC_ARG_WITH(stackprotect,
+    [  --without-stackprotect  Don't use compiler's stack protection], [
+    if test "x$withval" = "xno"; then
+	use_stack_protector=0
+    fi ])
+
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 	CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
 	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
@@ -100,19 +107,60 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 		     no_attrib_nonnull=1
 		     ;;
 		2.*) no_attrib_nonnull=1 ;;
-		3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
-		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
+		3.*) CFLAGS="$CFLAGS -Wsign-compare -Wformat-security" ;;
+		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign -Wformat-security" ;;
 		*) ;;
 	esac
 
-	AC_MSG_CHECKING(if $CC understands -fstack-protector-all)
+	AC_MSG_CHECKING(if $CC accepts -fno-builtin-memset)
 	saved_CFLAGS="$CFLAGS"
-	CFLAGS="$CFLAGS -fstack-protector-all"
-	AC_TRY_COMPILE([], [ int main(void){return 0;} ],
-	    [ AC_MSG_RESULT(yes) ],
-	    [ AC_MSG_RESULT(no)
-	      CFLAGS="$saved_CFLAGS" ]
-	)
+	CFLAGS="$CFLAGS -fno-builtin-memset"
+	AC_LINK_IFELSE( [AC_LANG_SOURCE([[
+#include <string.h>
+int main(void){char b[10]; memset(b, 0, sizeof(b));}
+		]])],
+		[ AC_MSG_RESULT(yes) ],
+		[ AC_MSG_RESULT(no)
+		  CFLAGS="$saved_CFLAGS" ]
+)
+
+	# -fstack-protector-all doesn't always work for some GCC versions
+	# and/or platforms, so we test if we can.  If it's not supported
+	# on a given platform gcc will emit a warning so we use -Werror.
+	if test "x$use_stack_protector" = "x1"; then
+	    for t in -fstack-protector-all -fstack-protector; do
+		AC_MSG_CHECKING(if $CC supports $t)
+		saved_CFLAGS="$CFLAGS"
+		saved_LDFLAGS="$LDFLAGS"
+		CFLAGS="$CFLAGS $t -Werror"
+		LDFLAGS="$LDFLAGS $t -Werror"
+		AC_LINK_IFELSE(
+			[AC_LANG_SOURCE([
+#include <stdio.h>
+int main(void){char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0;}
+			 ])],
+		    [ AC_MSG_RESULT(yes)
+		      CFLAGS="$saved_CFLAGS $t"
+		      LDFLAGS="$saved_LDFLAGS $t"
+		      AC_MSG_CHECKING(if $t works)
+		      AC_RUN_IFELSE(
+			[AC_LANG_SOURCE([
+#include <stdio.h>
+int main(void){char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0;}
+			])],
+			[ AC_MSG_RESULT(yes)
+			  break ],
+			[ AC_MSG_RESULT(no) ],
+			[ AC_MSG_WARN([cross compiling: cannot test])
+			  break ]
+		      )
+		    ],
+		    [ AC_MSG_RESULT(no) ]
+		)
+		CFLAGS="$saved_CFLAGS"
+		LDFLAGS="$saved_LDFLAGS"
+	    done
+	fi
 
 	if test -z "$have_llong_max"; then
 		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
@@ -240,6 +288,7 @@ AC_CHECK_HEADERS( \
 	sys/stream.h \
 	sys/stropts.h \
 	sys/strtio.h \
+	sys/statvfs.h \
 	sys/sysmacros.h \
 	sys/time.h \
 	sys/timers.h \
@@ -276,6 +325,11 @@ AC_CHECK_HEADERS(login_cap.h, [], [], [
 #include <sys/types.h>
 ])
 
+# older BSDs need sys/param.h before sys/mount.h
+AC_CHECK_HEADERS(sys/mount.h, [], [], [
+#include <sys/param.h>
+])
+
 # Messages for features tested for in target-specific section
 SIA_MSG="no"
 SPC_MSG="no"
@@ -353,7 +407,7 @@ int main(void) { exit(0); }
 		[],
 		[#include <usersec.h>]
 	)
-	AC_CHECK_FUNCS(setauthdb)
+	AC_CHECK_FUNCS(getgrset setauthdb)
 	AC_CHECK_DECL(F_CLOSEM,
 	    AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
 	    [],
@@ -384,8 +438,6 @@ int main(void) { exit(0); }
 	AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
 	AC_DEFINE(DISABLE_SHADOW, 1,
 		[Define if you want to disable shadow passwords])
-	AC_DEFINE(IP_TOS_IS_BROKEN, 1,
-		[Define if your system choked on IP TOS setting])
 	AC_DEFINE(NO_X11_UNIX_SOCKETS, 1,
 		[Define if X11 doesn't support AF_UNIX sockets on that system])
 	AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1,
@@ -394,9 +446,11 @@ int main(void) { exit(0); }
 	AC_DEFINE(DISABLE_FD_PASSING, 1,
 		[Define if your platform needs to skip post auth
 		file descriptor passing])
+	AC_DEFINE(SSH_IOBUFSZ, 65536, [Windows is sensitive to read buffer size])
 	;;
 *-*-dgux*)
-	AC_DEFINE(IP_TOS_IS_BROKEN)
+	AC_DEFINE(IP_TOS_IS_BROKEN, 1,
+		[Define if your system choked on IP TOS setting])
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
 	AC_DEFINE(BROKEN_SETREUID)
 	AC_DEFINE(BROKEN_SETREGID)
@@ -427,6 +481,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_CHECK_DECL(AU_IPv4, [], 
 	    AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
 	    [#include <bsm/audit.h>]
+	AC_DEFINE(LASTLOG_WRITE_PUTUTXLINE, 1,
+	    [Define if pututxline updates lastlog too])
 	)
 	;;
 *-*-dragonfly*)
@@ -511,11 +567,18 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	;;
+*-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
+	check_for_libcrypt_later=1
+	AC_DEFINE(PAM_TTY_KLUDGE)
+	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
+	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
+	AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
+	AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
+	;;
 *-*-linux*)
 	no_dev_ptmx=1
 	check_for_libcrypt_later=1
 	check_for_openpty_ctty_bug=1
-	AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks])
 	AC_DEFINE(PAM_TTY_KLUDGE, 1,
 		[Work around problematic Linux PAM modules handling of PAM_TTY])
 	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!",
@@ -526,6 +589,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 		if it doesn't return EOPNOTSUPP.])
 	AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
 	AC_DEFINE(USE_BTMP)
+	AC_DEFINE(LINUX_OOM_ADJUST, 1, [Adjust Linux out-of-memory killer])
 	inet6_default_4in6=yes
 	case `uname -r` in
 	1.*|2.0.*)
@@ -565,6 +629,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
 	AC_CHECK_HEADER([net/if_tap.h], ,
 	    AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
+	AC_DEFINE(BROKEN_GLOB, 1, [FreeBSD glob does not do what we need])
 	;;
 *-*-bsdi*)
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
@@ -608,6 +673,7 @@ mips-sony-bsd|mips-sony-newsos4)
 		after setsid()])
 	AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd
 		in case the name is longer than 8 chars])
+	AC_DEFINE(BROKEN_TCGETATTR_ICANON, 1, [tcgetattr with ICANON may hang])
 	external_path_file=/etc/default/login
 	# hardwire lastlog location (can't detect it on some versions)
 	conf_lastlog_location="/var/adm/lastlog"
@@ -678,7 +744,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	;;
 # UnixWare 7.x, OpenUNIX 8
 *-*-sysv5*)
-	check_for_libcrypt_later=1
 	AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars])
 	AC_DEFINE(USE_PIPES)
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
@@ -691,8 +756,14 @@ mips-sony-bsd|mips-sony-newsos4)
 		AC_DEFINE(BROKEN_LIBIAF, 1,
 			[ia_uinfo routines not supported by OS yet])
 		AC_DEFINE(BROKEN_UPDWTMPX)
+		AC_CHECK_LIB(prot, getluid,[ LIBS="$LIBS -lprot"
+			AC_CHECK_FUNCS(getluid setluid,,,-lprot)
+			AC_DEFINE(HAVE_SECUREWARE)
+			AC_DEFINE(DISABLE_SHADOW)
+			],,)
 		;;
 	*)	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
+		check_for_libcrypt_later=1
 		;;
 	esac
 	;;
@@ -791,6 +862,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
 	AC_DEFINE(BROKEN_SETREUID)
 	AC_DEFINE(BROKEN_SETREGID)
+	AC_DEFINE(BROKEN_READV_COMPARISON, 1, [Can't do comparisons on readv])
 	;;
 
 *-*-nto-qnx*)
@@ -913,6 +985,7 @@ AC_ARG_WITH(zlib,
 	fi ]
 )
 
+AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***]))
 AC_CHECK_LIB(z, deflate, ,
 	[
 		saved_CPPFLAGS="$CPPFLAGS"
@@ -933,7 +1006,6 @@ AC_CHECK_LIB(z, deflate, ,
 		)
 	]
 )
-AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***]))
 
 AC_ARG_WITH(zlib-version-check,
 	[  --without-zlib-version-check Disable zlib version check],
@@ -997,7 +1069,7 @@ dnl    Checks for libutil functions
 AC_CHECK_HEADERS(libutil.h)
 AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1,
 	[Define if your libraries define login()])])
-AC_CHECK_FUNCS(logout updwtmp logwtmp)
+AC_CHECK_FUNCS(fmt_scaled logout updwtmp logwtmp)
 
 AC_FUNC_STRFTIME
 
@@ -1251,6 +1323,8 @@ AC_ARG_WITH(audit,
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
+	arc4random_buf \
+	arc4random_uniform \
 	asprintf \
 	b64_ntop \
 	__b64_ntop \
@@ -1264,6 +1338,7 @@ AC_CHECK_FUNCS( \
 	fchmod \
 	fchown \
 	freeaddrinfo \
+	fstatvfs \
 	futimes \
 	getaddrinfo \
 	getcwd \
@@ -1315,6 +1390,8 @@ AC_CHECK_FUNCS( \
 	sigvec \
 	snprintf \
 	socketpair \
+	statfs \
+	statvfs \
 	strdup \
 	strerror \
 	strlcat \
@@ -1447,6 +1524,8 @@ AC_CHECK_FUNCS(utmpname)
 dnl    Checks for utmpx functions
 AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
 AC_CHECK_FUNCS(setutxent utmpxname)
+dnl    Checks for lastlog functions
+AC_CHECK_FUNCS(getlastlogxbyname)
 
 AC_CHECK_FUNC(daemon,
 	[AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])],
@@ -1544,6 +1623,11 @@ if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "x
         )
 fi
 
+AC_CHECK_DECL(SO_RDOMAIN,
+    AC_DEFINE(USE_ROUTINGDOMAIN, 1, [Enable rdomain/VRF support]), ,
+    [#include <sys/types.h>
+     #include <sys/socket.h>])
+
 dnl see whether mkstemp() requires XXXXXX
 if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
 AC_MSG_CHECKING([for (overly) strict mkstemp])
@@ -1819,6 +1903,8 @@ AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
 			LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
 		fi
 		CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
+		AC_CHECK_HEADER([openssl/opensslv.h], ,
+		    AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***]))
 		AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
 			[
 				AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
@@ -2003,6 +2089,23 @@ int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
 	]
 )
 
+AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
+AC_LINK_IFELSE(
+	[AC_LANG_SOURCE([[
+#include <string.h>
+#include <openssl/evp.h>
+int main(void) { if(EVP_DigestUpdate(NULL, NULL,0)) exit(0); }
+	]])],
+	[
+		AC_MSG_RESULT(yes)
+	],
+	[
+		AC_MSG_RESULT(no)
+		AC_DEFINE(OPENSSL_EVP_DIGESTUPDATE_VOID, 1,
+		    [Define if EVP_DigestUpdate returns void])
+	]
+)
+
 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
 # because the system crypt() is more featureful.
 if test "x$check_for_libcrypt_before" = "x1"; then
@@ -2608,8 +2711,20 @@ fi
 TYPE_SOCKLEN_T
 
 AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
+AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t],,,[
+#include <sys/types.h>
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_SYS_STATFS_H
+#include <sys/statfs.h>
+#endif
+#ifdef HAVE_SYS_STATVFS_H
+#include <sys/statvfs.h>
+#endif
+])
 
-AC_CHECK_TYPES(in_addr_t,,,
+AC_CHECK_TYPES([in_addr_t, in_port_t],,,
 [#include <sys/types.h>
 #include <netinet/in.h>])
 
@@ -2756,6 +2871,15 @@ AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
 if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
 	AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1,
 		[define if you have struct in6_addr data type])
+
+dnl Now check for sin6_scope_id
+	AC_CHECK_MEMBERS([struct sockaddr_in6.sin6_scope_id],,,
+		[
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <netinet/in.h>
+		])
 fi
 
 AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
@@ -2970,6 +3094,42 @@ if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
 		file descriptor passing])
 fi
 
+AC_MSG_CHECKING(if struct statvfs.f_fsid is integral type)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/stat.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_MOUNT_H
+#include <sys/mount.h>
+#endif
+#ifdef HAVE_SYS_STATVFS_H
+#include <sys/statvfs.h>
+#endif
+], [struct statvfs s; s.f_fsid = 0;],
+[ AC_MSG_RESULT(yes) ],
+[ AC_MSG_RESULT(no)
+
+	AC_MSG_CHECKING(if fsid_t has member val)
+	AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/statvfs.h>],
+	[fsid_t t; t.val[0] = 0;],
+	[ AC_MSG_RESULT(yes)
+	  AC_DEFINE(FSID_HAS_VAL, 1, fsid_t has member val) ],
+	[ AC_MSG_RESULT(no) ])
+
+	AC_MSG_CHECKING(if f_fsid has member __val)
+	AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/statvfs.h>],
+	[fsid_t t; t.__val[0] = 0;],
+	[ AC_MSG_RESULT(yes)
+	  AC_DEFINE(FSID_HAS___VAL, 1, fsid_t has member __val) ],
+	[ AC_MSG_RESULT(no) ])
+])
+
 AC_CACHE_CHECK([for msg_control field in struct msghdr],
 		ac_cv_have_control_in_msghdr, [
 	AC_COMPILE_IFELSE(
@@ -3141,11 +3301,18 @@ AC_ARG_WITH(opensc,
 	[  --with-opensc[[=PFX]]     Enable smartcard support using OpenSC (optionally in PATH)],
 	[
 	    if test "x$withval" != "xno" ; then
-		if test "x$withval" != "xyes" ; then
-  			OPENSC_CONFIG=$withval/bin/opensc-config
+		AC_PATH_PROG(PKGCONFIG, pkg-config, no)
+		AC_MSG_CHECKING(how to get opensc config)
+		if test "x$withval" != "xyes" -a "x$PKGCONFIG" = "xno"; then
+			OPENSC_CONFIG="$withval/bin/opensc-config"
+		elif test -f "$withval/src/libopensc/libopensc.pc"; then
+			OPENSC_CONFIG="$PKGCONFIG $withval/src/libopensc/libopensc.pc"
+		elif test "x$PKGCONFIG" != "xno"; then
+			OPENSC_CONFIG="$PKGCONFIG libopensc"
 		else
-  			AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
+			AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
 		fi
+		AC_MSG_RESULT($OPENSC_CONFIG)
 		if test "$OPENSC_CONFIG" != "no"; then
 			LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
 			LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
@@ -3170,12 +3337,30 @@ AC_SEARCH_LIBS(getrrsetbyname, resolv,
 		AC_SEARCH_LIBS(res_query, resolv)
 		AC_SEARCH_LIBS(dn_expand, resolv)
 		AC_MSG_CHECKING(if res_query will link)
-		AC_TRY_LINK_FUNC(res_query, AC_MSG_RESULT(yes),
+		AC_LINK_IFELSE([
+#include "confdefs.h"
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <netdb.h>
+#include <resolv.h>
+int main()
+{
+	res_query (0, 0, 0, 0, 0);
+	return 0;
+}
+		   ],
+		    AC_MSG_RESULT(yes),
 		   [AC_MSG_RESULT(no)
 		    saved_LIBS="$LIBS"
 		    LIBS="$LIBS -lresolv"
 		    AC_MSG_CHECKING(for res_query in -lresolv)
 		    AC_LINK_IFELSE([
+#include "confdefs.h"
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <netdb.h>
 #include <resolv.h>
 int main()
 {
@@ -3183,8 +3368,7 @@ int main()
 	return 0;
 }
 			],
-			[LIBS="$LIBS -lresolv"
-			 AC_MSG_RESULT(yes)],
+			[AC_MSG_RESULT(yes)],
 			[LIBS="$saved_LIBS"
 			 AC_MSG_RESULT(no)])
 		    ])
@@ -3221,7 +3405,7 @@ int main() { return 0; }
 SELINUX_MSG="no"
 LIBSELINUX=""
 AC_ARG_WITH(selinux,
-	[  --with-selinux   Enable SELinux support],
+	[  --with-selinux          Enable SELinux support],
 	[ if test "x$withval" != "xno" ; then
 		save_LIBS="$LIBS"
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
@@ -3250,10 +3434,10 @@ AC_ARG_WITH(kerberos5,
 		AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support])
 		KRB5_MSG="yes"
 
-		AC_MSG_CHECKING(for krb5-config)
-		if test -x  $KRB5ROOT/bin/krb5-config ; then
-			KRB5CONF=$KRB5ROOT/bin/krb5-config
-			AC_MSG_RESULT($KRB5CONF)
+		AC_PATH_PROG([KRB5CONF],[krb5-config],
+			     [$KRB5ROOT/bin/krb5-config],
+			     [$KRB5ROOT/bin:$PATH])
+		if test -x $KRB5CONF ; then
 
 			AC_MSG_CHECKING(for gssapi support)
 			if $KRB5CONF | grep gssapi >/dev/null ; then
@@ -3279,7 +3463,6 @@ AC_ARG_WITH(kerberos5,
 				         AC_MSG_RESULT(no)
 			)
 		else
-			AC_MSG_RESULT(no)
 			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
 			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
 			AC_MSG_CHECKING(whether we are using Heimdal)
@@ -3298,12 +3481,12 @@ AC_ARG_WITH(kerberos5,
 			)
 			AC_SEARCH_LIBS(dn_expand, resolv)
 
-			AC_CHECK_LIB(gssapi,gss_init_sec_context,
+			AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context,
 				[ AC_DEFINE(GSSAPI)
-				  K5LIBS="-lgssapi $K5LIBS" ],
-				[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+				  K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+				[ AC_CHECK_LIB(gssapi, gss_init_sec_context,
 					[ AC_DEFINE(GSSAPI)
-					  K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+					  K5LIBS="-lgssapi $K5LIBS" ],
 					AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
 					$K5LIBS)
 				],
@@ -4002,6 +4185,13 @@ dnl Adding -Werror to CFLAGS early prevents configure tests from running.
 dnl Add now.
 CFLAGS="$CFLAGS $werror_flags"
 
+if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \
+    test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
+	AC_SUBST(TEST_SSH_IPV6, no)
+else
+	AC_SUBST(TEST_SSH_IPV6, yes)
+fi
+
 AC_EXEEXT
 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
 	openbsd-compat/Makefile openbsd-compat/regress/Makefile \