1 files changed, 924 insertions, 82 deletions

diff --git a/configure b/configure
index 78bbcd008..57b68e256 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.536 .
+# From configure.ac Revision: 1.568 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.68 for OpenSSH Portable.
 #
@@ -606,6 +606,7 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 UNSUPPORTED_ALGORITHMS
+TEST_MALLOC_OPTIONS
 TEST_SSH_IPV6
 piddir
 user_path
@@ -623,7 +624,6 @@ SSHLIBS
 SSH_PRIVSEP_USER
 COMMENT_OUT_ECC
 TEST_SSH_ECC
-TEST_SSH_SHA256
 LIBEDIT
 PKGCONFIG
 LD
@@ -712,6 +712,7 @@ ac_user_opts='
 enable_option_checking
 enable_largefile
 with_stackprotect
+with_hardening
 with_rpath
 with_cflags
 with_cppflags
@@ -728,6 +729,7 @@ with_tcp_wrappers
 with_ldns
 with_libedit
 with_audit
+with_pie
 with_ssl_dir
 with_openssl_header_check
 with_ssl_engine
@@ -1403,6 +1405,7 @@ Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
   --without-stackprotect  Don't use compiler's stack protection
+  --without-hardening     Don't use toolchain hardening flags
   --without-rpath         Disable auto-added -R linker paths
   --with-cflags           Specify additional flags to pass to compiler
   --with-cppflags         Specify additional flags to pass to preprocessor
@@ -1419,6 +1422,7 @@ Optional Packages:
   --with-ldns[=PATH]      Use ldns for DNSSEC support (optionally in PATH)
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable audit support (modules=debug,bsm,linux)
+  --with-pie           Build Position Independent Executables if possible
   --with-ssl-dir=PATH     Specify path to OpenSSL installation
   --without-openssl-header-check Disable OpenSSL version consistency check
   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
@@ -1426,7 +1430,7 @@ Optional Packages:
   --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
   --with-pam              Enable PAM support
   --with-privsep-user=user Specify non-privileged user for privilege separation
-  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
+  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
   --with-selinux          Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
   --with-consolekit       Enable ConsoleKit support
@@ -5592,7 +5596,9 @@ if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then :
   have_linux_no_new_privs=1
 fi
 
+
 use_stack_protector=1
+use_toolchain_hardening=1
 
 # Check whether --with-stackprotect was given.
 if test "${with_stackprotect+set}" = set; then :
@@ -5603,18 +5609,61 @@ if test "${with_stackprotect+set}" = set; then :
 fi
 
 
+# Check whether --with-hardening was given.
+if test "${with_hardening+set}" = set; then :
+  withval=$with_hardening;
+    if test "x$withval" = "xno"; then
+        use_toolchain_hardening=0
+    fi
+fi
+
+
+# We use -Werror for the tests only so that we catch warnings like "this is
+# on by default" for things like -fPIE.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Werror" >&5
+$as_echo_n "checking if $CC supports -Werror... " >&6; }
+saved_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -Werror"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int main(void) { return 0; }
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+          WERROR="-Werror"
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+          WERROR=""
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+CFLAGS="$saved_CFLAGS"
 
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Qunused-arguments -Werror" >&5
-$as_echo_n "checking if $CC supports -Qunused-arguments -Werror... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Qunused-arguments" >&5
+$as_echo_n "checking if $CC supports compile flag -Qunused-arguments... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Qunused-arguments -Werror"
-        _define_flag="-Qunused-arguments"
-        test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments -Werror"
+        CFLAGS="$CFLAGS $WERROR -Qunused-arguments"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5637,15 +5686,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wunknown-warning-option -Werror" >&5
-$as_echo_n "checking if $CC supports -Wunknown-warning-option -Werror... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wunknown-warning-option" >&5
+$as_echo_n "checking if $CC supports compile flag -Wunknown-warning-option... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wunknown-warning-option -Werror"
-        _define_flag="-Wno-unknown-warning-option"
-        test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option -Werror"
+        CFLAGS="$CFLAGS $WERROR -Wunknown-warning-option"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5668,15 +5729,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wall" >&5
-$as_echo_n "checking if $CC supports -Wall... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wall" >&5
+$as_echo_n "checking if $CC supports compile flag -Wall... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wall"
+        CFLAGS="$CFLAGS $WERROR -Wall"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-Wall"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5699,15 +5772,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wpointer-arith" >&5
-$as_echo_n "checking if $CC supports -Wpointer-arith... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wpointer-arith" >&5
+$as_echo_n "checking if $CC supports compile flag -Wpointer-arith... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wpointer-arith"
+        CFLAGS="$CFLAGS $WERROR -Wpointer-arith"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-Wpointer-arith"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5730,15 +5815,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wuninitialized" >&5
-$as_echo_n "checking if $CC supports -Wuninitialized... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wuninitialized" >&5
+$as_echo_n "checking if $CC supports compile flag -Wuninitialized... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wuninitialized"
+        CFLAGS="$CFLAGS $WERROR -Wuninitialized"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-Wuninitialized"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5761,15 +5858,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wsign-compare" >&5
-$as_echo_n "checking if $CC supports -Wsign-compare... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wsign-compare" >&5
+$as_echo_n "checking if $CC supports compile flag -Wsign-compare... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wsign-compare"
+        CFLAGS="$CFLAGS $WERROR -Wsign-compare"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-Wsign-compare"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5792,15 +5901,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wformat-security" >&5
-$as_echo_n "checking if $CC supports -Wformat-security... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wformat-security" >&5
+$as_echo_n "checking if $CC supports compile flag -Wformat-security... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wformat-security"
+        CFLAGS="$CFLAGS $WERROR -Wformat-security"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-Wformat-security"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5823,15 +5944,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wsizeof-pointer-memaccess" >&5
-$as_echo_n "checking if $CC supports -Wsizeof-pointer-memaccess... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wsizeof-pointer-memaccess" >&5
+$as_echo_n "checking if $CC supports compile flag -Wsizeof-pointer-memaccess... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wsizeof-pointer-memaccess"
+        CFLAGS="$CFLAGS $WERROR -Wsizeof-pointer-memaccess"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-Wsizeof-pointer-memaccess"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5854,15 +5987,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wpointer-sign" >&5
-$as_echo_n "checking if $CC supports -Wpointer-sign... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wpointer-sign" >&5
+$as_echo_n "checking if $CC supports compile flag -Wpointer-sign... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wpointer-sign"
+        CFLAGS="$CFLAGS $WERROR -Wpointer-sign"
         _define_flag="-Wno-pointer-sign"
         test "x$_define_flag" = "x" && _define_flag="-Wpointer-sign"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5885,15 +6030,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wunused-result" >&5
-$as_echo_n "checking if $CC supports -Wunused-result... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wunused-result" >&5
+$as_echo_n "checking if $CC supports compile flag -Wunused-result... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -Wunused-result"
+        CFLAGS="$CFLAGS $WERROR -Wunused-result"
         _define_flag="-Wno-unused-result"
         test "x$_define_flag" = "x" && _define_flag="-Wunused-result"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5916,15 +6073,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -fno-strict-aliasing" >&5
-$as_echo_n "checking if $CC supports -fno-strict-aliasing... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fno-strict-aliasing" >&5
+$as_echo_n "checking if $CC supports compile flag -fno-strict-aliasing... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -fno-strict-aliasing"
+        CFLAGS="$CFLAGS $WERROR -fno-strict-aliasing"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-fno-strict-aliasing"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5947,15 +6116,27 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -D_FORTIFY_SOURCE=2" >&5
-$as_echo_n "checking if $CC supports -D_FORTIFY_SOURCE=2... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -D_FORTIFY_SOURCE=2" >&5
+$as_echo_n "checking if $CC supports compile flag -D_FORTIFY_SOURCE=2... " >&6; }
         saved_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+        CFLAGS="$CFLAGS $WERROR -D_FORTIFY_SOURCE=2"
         _define_flag=""
         test "x$_define_flag" = "x" && _define_flag="-D_FORTIFY_SOURCE=2"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int main(void) { return 0; }
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
@@ -5977,6 +6158,165 @@ $as_echo "no" >&6; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
+    if test "x$use_toolchain_hardening" = "x1"; then
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,relro" >&5
+$as_echo_n "checking if $LD supports link flag -Wl,-z,relro... " >&6; }
+        saved_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS $WERROR -Wl,-z,relro"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Wl,-z,relro"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                  LDFLAGS="$saved_LDFLAGS $_define_flag"
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  LDFLAGS="$saved_LDFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+}
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,now" >&5
+$as_echo_n "checking if $LD supports link flag -Wl,-z,now... " >&6; }
+        saved_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS $WERROR -Wl,-z,now"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Wl,-z,now"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                  LDFLAGS="$saved_LDFLAGS $_define_flag"
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  LDFLAGS="$saved_LDFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+}
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,noexecstack" >&5
+$as_echo_n "checking if $LD supports link flag -Wl,-z,noexecstack... " >&6; }
+        saved_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS $WERROR -Wl,-z,noexecstack"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Wl,-z,noexecstack"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                  LDFLAGS="$saved_LDFLAGS $_define_flag"
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  LDFLAGS="$saved_LDFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+}
+        # NB. -ftrapv expects certain support functions to be present in
+        # the compiler library (libgcc or similar) to detect integer operations
+        # that can overflow. We must check that the result of enabling it
+        # actually links. The test program compiled/linked includes a number
+        # of integer operations that should exercise this.
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -ftrapv and linking succeeds" >&5
+$as_echo_n "checking if $CC supports compile flag -ftrapv and linking succeeds... " >&6; }
+        saved_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $WERROR -ftrapv"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-ftrapv"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                CFLAGS="$saved_CFLAGS"
+else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                 CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+}
+    fi
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking gcc version" >&5
 $as_echo_n "checking gcc version... " >&6; }
         GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
@@ -6022,7 +6362,8 @@ rm -f core conftest.err conftest.$ac_objext \
         # and/or platforms, so we test if we can.  If it's not supported
         # on a given platform gcc will emit a warning so we use -Werror.
         if test "x$use_stack_protector" = "x1"; then
-            for t in -fstack-protector-all -fstack-protector; do
+            for t in -fstack-protector-strong -fstack-protector-all \
+                    -fstack-protector; do
                 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports $t" >&5
 $as_echo_n "checking if $CC supports $t... " >&6; }
                 saved_CFLAGS="$CFLAGS"
@@ -6226,6 +6567,7 @@ fi
 
 
 for ac_header in  \
+        blf.h \
         bstring.h \
         crypt.h \
         crypto/sha2.h \
@@ -6239,6 +6581,7 @@ for ac_header in  \
         glob.h \
         ia.h \
         iaf.h \
+        inttypes.h \
         limits.h \
         locale.h \
         login.h \
@@ -6263,6 +6606,7 @@ for ac_header in  \
         sys/audit.h \
         sys/bitypes.h \
         sys/bsdtty.h \
+        sys/capability.h \
         sys/cdefs.h \
         sys/dir.h \
         sys/mman.h \
@@ -6715,6 +7059,51 @@ $as_echo "#define SSH_IOBUFSZ 65535" >>confdefs.h
 
 $as_echo "#define FILESYSTEM_NO_BACKSLASH 1" >>confdefs.h
 
+        # Cygwin defines optargs, optargs as declspec(dllimport) for historical
+        # reasons which cause compile warnings, so we disable those warnings.
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wno-attributes" >&5
+$as_echo_n "checking if $CC supports compile flag -Wno-attributes... " >&6; }
+        saved_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $WERROR -Wno-attributes"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Wno-attributes"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                CFLAGS="$saved_CFLAGS"
+else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                 CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+}
         ;;
 *-*-dgux*)
 
@@ -6728,6 +7117,7 @@ $as_echo "#define IP_TOS_IS_BROKEN 1" >>confdefs.h
 
         ;;
 *-*-darwin*)
+        use_pie=auto
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have working getaddrinfo" >&5
 $as_echo_n "checking if we have working getaddrinfo... " >&6; }
         if test "$cross_compiling" = yes; then :
@@ -6883,6 +7273,7 @@ done
         ;;
 *-*-dragonfly*)
         SSHDLIBS="$SSHDLIBS -lcrypt"
+        TEST_MALLOC_OPTIONS="AFGJPRX"
         ;;
 *-*-haiku*)
     LIBS="$LIBS -lbsd "
@@ -7105,6 +7496,7 @@ $as_echo "#define USE_BTMP 1" >>confdefs.h
         ;;
 *-*-linux*)
         no_dev_ptmx=1
+        use_pie=auto
         check_for_libcrypt_later=1
         check_for_openpty_ctty_bug=1
 
@@ -7237,6 +7629,13 @@ fi
 
 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
 
+        TEST_MALLOC_OPTIONS="AJRX"
+
+$as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h
+
+
+$as_echo "#define BROKEN_READ_COMPARISON 1" >>confdefs.h
+
         ;;
 *-*-freebsd*)
         check_for_libcrypt_later=1
@@ -7262,6 +7661,12 @@ $as_echo "#define BROKEN_GLOB 1" >>confdefs.h
 
 $as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h
 
+        TEST_MALLOC_OPTIONS="AJRX"
+        # Preauth crypto occasionally uses file descriptors for crypto offload
+        # and will crash if they cannot be opened.
+
+$as_echo "#define SANDBOX_SKIP_RLIMIT_NOFILE 1" >>confdefs.h
+],
         ;;
 *-*-bsdi*)
         $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
@@ -7288,6 +7693,7 @@ $as_echo "#define BROKEN_SAVED_UIDS 1" >>confdefs.h
 
         ;;
 *-*-openbsd*)
+        use_pie=auto
 
 $as_echo "#define HAVE_ATTRIBUTE__SENTINEL__ 1" >>confdefs.h
 
@@ -7300,6 +7706,7 @@ $as_echo "#define SSH_TUN_OPENBSD 1" >>confdefs.h
 
 $as_echo "#define SYSLOG_R_SAFE_IN_SIGHAND 1" >>confdefs.h
 
+        TEST_MALLOC_OPTIONS="AFGJPRX"
         ;;
 *-*-solaris*)
         if test "x$withval" != "xno" ; then
@@ -8988,6 +9395,64 @@ fi
 done
 
 
+# On some platforms, inet_ntop may be found in libresolv or libnsl.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing inet_ntop" >&5
+$as_echo_n "checking for library containing inet_ntop... " >&6; }
+if ${ac_cv_search_inet_ntop+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char inet_ntop ();
+int
+main ()
+{
+return inet_ntop ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' resolv nsl; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_inet_ntop=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_inet_ntop+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_inet_ntop+:} false; then :
+
+else
+  ac_cv_search_inet_ntop=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_inet_ntop" >&5
+$as_echo "$ac_cv_search_inet_ntop" >&6; }
+ac_res=$ac_cv_search_inet_ntop
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+fi
+
+
 for ac_func in strftime
 do :
   ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime"
@@ -9554,7 +10019,7 @@ $as_echo "no" >&6; }
                         fi
                 fi
                 if test "x$use_pkgconfig_for_libedit" = "xyes"; then
-                        LIBEDIT=`$PKGCONFIG --libs-only-l libedit`
+                        LIBEDIT=`$PKGCONFIG --libs libedit`
                         CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
                 else
                         LIBEDIT="-ledit -lcurses"
@@ -9748,7 +10213,7 @@ done
 
 $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h
 
-                if test "$sol2ver" -eq 11; then
+                if test "$sol2ver" -ge 11; then
                         SSHDLIBS="$SSHDLIBS -lscf"
 
 $as_echo "#define BROKEN_BSM_API 1" >>confdefs.h
@@ -9796,9 +10261,155 @@ $as_echo "no" >&6; }
 fi
 
 
+
+# Check whether --with-pie was given.
+if test "${with_pie+set}" = set; then :
+  withval=$with_pie;
+        if test "x$withval" = "xno"; then
+                use_pie=no
+        fi
+        if test "x$withval" = "xyes"; then
+                use_pie=yes
+        fi
+
+
+fi
+
+if test "x$use_pie" = "x"; then
+        use_pie=no
+fi
+if test "x$use_toolchain_hardening" != "x1" && test "x$use_pie" = "xauto"; then
+        # Turn off automatic PIE when toolchain hardening is off.
+        use_pie=no
+fi
+if test "x$use_pie" = "xauto"; then
+        # Automatic PIE requires gcc >= 4.x
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc >= 4.x" >&5
+$as_echo_n "checking for gcc >= 4.x... " >&6; }
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#if !defined(__GNUC__) || __GNUC__ < 4
+#error gcc is too old
+#endif
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+          use_pie=no
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+if test "x$use_pie" != "xno"; then
+        SAVED_CFLAGS="$CFLAGS"
+        SAVED_LDFLAGS="$LDFLAGS"
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fPIE" >&5
+$as_echo_n "checking if $CC supports compile flag -fPIE... " >&6; }
+        saved_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $WERROR -fPIE"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-fPIE"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                CFLAGS="$saved_CFLAGS"
+else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                 CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+}
+        {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -pie" >&5
+$as_echo_n "checking if $LD supports link flag -pie... " >&6; }
+        saved_LDFLAGS="$LDFLAGS"
+        LDFLAGS="$LDFLAGS $WERROR -pie"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-pie"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                  LDFLAGS="$saved_LDFLAGS $_define_flag"
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  LDFLAGS="$saved_LDFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+}
+        # We use both -fPIE and -pie or neither.
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether both -fPIE and -pie are supported" >&5
+$as_echo_n "checking whether both -fPIE and -pie are supported... " >&6; }
+        if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
+           echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+        else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                CFLAGS="$SAVED_CFLAGS"
+                LDFLAGS="$SAVED_LDFLAGS"
+        fi
+fi
+
 for ac_func in  \
+        Blowfish_initstate \
+        Blowfish_expandstate \
+        Blowfish_expand0state \
+        Blowfish_stream2word \
         arc4random \
         arc4random_buf \
+        arc4random_stir \
         arc4random_uniform \
         asprintf \
         b64_ntop \
@@ -9806,7 +10417,10 @@ for ac_func in  \
         b64_pton \
         __b64_pton \
         bcopy \
+        bcrypt_pbkdf \
         bindresvport_sa \
+        blf_enc \
+        cap_rights_limit \
         clock \
         closefrom \
         dirfd \
@@ -9814,6 +10428,7 @@ for ac_func in  \
         fchmod \
         fchown \
         freeaddrinfo \
+        fstatfs \
         fstatvfs \
         futimes \
         getaddrinfo \
@@ -11550,7 +12165,17 @@ fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 
-for ac_func in RSA_generate_key_ex DSA_generate_parameters_ex BN_is_prime_ex RSA_get_default_method HMAC_CTX_init
+for ac_func in  \
+        BN_is_prime_ex \
+        DSA_generate_parameters_ex \
+        EVP_DigestInit_ex \
+        EVP_DigestFinal_ex \
+        EVP_MD_CTX_init \
+        EVP_MD_CTX_cleanup \
+        HMAC_CTX_init \
+        RSA_generate_key_ex \
+        RSA_get_default_method \
+
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -11935,10 +12560,9 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
- TEST_SSH_SHA256=yes
+
 else
-  TEST_SSH_SHA256=no
-     unsupported_algorithms="$unsupported_algorithms \
+  unsupported_algorithms="$unsupported_algorithms \
         hmac-sha2-256 hmac-sha2-512 \
         diffie-hellman-group-exchange-sha256 \
         hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
@@ -11948,10 +12572,9 @@ fi
 done
 
 
-
 # Check complete ECC support in OpenSSL
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has complete ECC support" >&5
-$as_echo_n "checking whether OpenSSL has complete ECC support... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_X9_62_prime256v1" >&5
+$as_echo_n "checking whether OpenSSL has NID_X9_62_prime256v1... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -11969,41 +12592,183 @@ int
 main ()
 {
 
-        EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
-        const EVP_MD *m = EVP_sha512(); /* We need this too */
+        EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        const EVP_MD *m = EVP_sha256(); /* We need this too */
 
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+          enable_nistp256=1
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
-                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_secp384r1" >&5
+$as_echo_n "checking whether OpenSSL has NID_secp384r1... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
+# error "OpenSSL < 0.9.8g has unreliable ECC code"
+#endif
+
+int
+main ()
+{
+
+        EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
+        const EVP_MD *m = EVP_sha384(); /* We need this too */
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
+          enable_nistp384=1
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
-$as_echo "#define OPENSSL_HAS_ECC 1" >>confdefs.h
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_secp521r1" >&5
+$as_echo_n "checking whether OpenSSL has NID_secp521r1... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
+# error "OpenSSL < 0.9.8g has unreliable ECC code"
+#endif
+
+int
+main ()
+{
 
-                TEST_SSH_ECC=yes
-                COMMENT_OUT_ECC=""
+        EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
+        const EVP_MD *m = EVP_sha512(); /* We need this too */
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+          { $as_echo "$as_me:${as_lineno-$LINENO}: checking if OpenSSL's NID_secp521r1 is functional" >&5
+$as_echo_n "checking if OpenSSL's NID_secp521r1 is functional... " >&6; }
+          if test "$cross_compiling" = yes; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross-compiling: assuming yes" >&5
+$as_echo "$as_me: WARNING: cross-compiling: assuming yes" >&2;}
+                  enable_nistp521=1
 
 else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/opensslv.h>
+
+int
+main ()
+{
+
+                EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
+                const EVP_MD *m = EVP_sha512(); /* We need this too */
+                exit(e == NULL || m == NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                  enable_nistp521=1
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-                TEST_SSH_ECC=no
-                COMMENT_OUT_ECC="#no ecc#"
-                unsupported_algorithms="$unsupported_algorithms \
-                    ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
-                    ecdsa-sha2-nistp256-cert-v01@openssh.com \
-                    ecdsa-sha2-nistp384-cert-v01@openssh.com \
-                    ecdsa-sha2-nistp521-cert-v01@openssh.com \
-                    ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
 
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 
+COMMENT_OUT_ECC="#no ecc#"
+TEST_SSH_ECC=no
+
+if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
+    test x$enable_nistp521 = x1; then
+
+$as_echo "#define OPENSSL_HAS_ECC 1" >>confdefs.h
+
+fi
+if test x$enable_nistp256 = x1; then
+
+$as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h
+
+        TEST_SSH_ECC=yes
+        COMMENT_OUT_ECC=""
+else
+        unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
+            ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
+fi
+if test x$enable_nistp384 = x1; then
+
+$as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h
+
+        TEST_SSH_ECC=yes
+        COMMENT_OUT_ECC=""
+else
+        unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
+            ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
+fi
+if test x$enable_nistp521 = x1; then
+
+$as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h
+
+        TEST_SSH_ECC=yes
+        COMMENT_OUT_ECC=""
+else
+        unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
+            ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
+fi
+
+
 
 
 saved_LIBS="$LIBS"
@@ -12694,6 +13459,18 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
 
 $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
 
+elif test "x$sandbox_arg" = "xcapsicum" || \
+     ( test -z "$sandbox_arg" && \
+       test "x$ac_cv_header_sys_capability_h" = "xyes" && \
+       test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
+       test "x$ac_cv_header_sys_capability_h" != "xyes" && \
+                as_fn_error $? "capsicum sandbox requires sys/capability.h header" "$LINENO" 5
+       test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
+                as_fn_error $? "capsicum sandbox requires cap_rights_limit function" "$LINENO" 5
+       SANDBOX_STYLE="capsicum"
+
+$as_echo "#define SANDBOX_CAPSICUM 1" >>confdefs.h
+
 elif test "x$sandbox_arg" = "xrlimit" || \
      ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
        test "x$select_works_with_rlimit" = "xyes" && \
@@ -13263,7 +14040,9 @@ $as_echo "#define HAVE_U_INT64_T 1" >>confdefs.h
         have_u_int64_t=1
 fi
 
-if test -z "$have_u_int64_t" ; then
+if (test -z "$have_u_int64_t" && \
+           test "x$ac_cv_header_sys_bitypes_h" = "xyes")
+then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_int64_t type in sys/bitypes.h" >&5
 $as_echo_n "checking for u_int64_t type in sys/bitypes.h... " >&6; }
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -13335,7 +14114,9 @@ $as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h
         fi
 fi
 
-if test -z "$have_uintxx_t" ; then
+if (test -z "$have_uintxx_t" && \
+           test "x$ac_cv_header_stdint_h" = "xyes")
+then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types in stdint.h" >&5
 $as_echo_n "checking for uintXX_t types in stdint.h... " >&6; }
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -13364,6 +14145,37 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
+if (test -z "$have_uintxx_t" && \
+           test "x$ac_cv_header_inttypes_h" = "xyes")
+then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uintXX_t types in inttypes.h" >&5
+$as_echo_n "checking for uintXX_t types in inttypes.h... " >&6; }
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <inttypes.h>
+int
+main ()
+{
+ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+                        $as_echo "#define HAVE_UINTXX_T 1" >>confdefs.h
+
+                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
 if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
            test "x$ac_cv_header_sys_bitypes_h" = "xyes")
 then
@@ -13438,6 +14250,34 @@ $as_echo "#define HAVE_U_CHAR 1" >>confdefs.h
 
 fi
 
+ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "
+#include <sys/types.h>
+#include <stdint.h>
+
+"
+if test "x$ac_cv_type_intmax_t" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_INTMAX_T 1
+_ACEOF
+
+
+fi
+ac_fn_c_check_type "$LINENO" "uintmax_t" "ac_cv_type_uintmax_t" "
+#include <sys/types.h>
+#include <stdint.h>
+
+"
+if test "x$ac_cv_type_uintmax_t" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_UINTMAX_T 1
+_ACEOF
+
+
+fi
+
+
 
    ac_fn_c_check_type "$LINENO" "socklen_t" "ac_cv_type_socklen_t" "#include <sys/types.h>
 #include <sys/socket.h>
@@ -17680,6 +18520,8 @@ fi
 
 TEST_SSH_IPV6=$TEST_SSH_IPV6
 
+TEST_MALLOC_OPTIONS=$TEST_MALLOC_OPTIONS
+
 UNSUPPORTED_ALGORITHMS=$unsupported_algorithms