1 files changed, 550 insertions, 48 deletions

diff --git a/configure b/configure
index 1e67db268..09db0a335 100755
--- a/configure
+++ b/configure
@@ -624,6 +624,8 @@ ac_includes_default="\
 #endif"
 
 ac_subst_vars='LTLIBOBJS
+CFLAGS_NOPIE
+LDFLAGS_NOPIE
 DEPEND
 UNSUPPORTED_ALGORITHMS
 TEST_MALLOC_OPTIONS
@@ -643,8 +645,10 @@ KRB5CONF
 SSHDLIBS
 SSHLIBS
 SSH_PRIVSEP_USER
+LIBFIDO2
 COMMENT_OUT_ECC
 TEST_SSH_ECC
+PICFLAG
 LIBEDIT
 PKGCONFIG
 LDNSCONFIG
@@ -756,6 +760,8 @@ with_libedit
 with_audit
 with_pie
 enable_pkcs11
+enable_security_key
+with_security_key_builtin
 with_ssl_dir
 with_openssl_header_check
 with_ssl_engine
@@ -1415,6 +1421,7 @@ Optional Features:
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --disable-largefile     omit support for large files
   --disable-pkcs11        disable PKCS#11 support code [no]
+  --disable-security-key  disable U2F/FIDO support code no
   --disable-strip         Disable calling strip(1) on install
   --disable-etc-default-login Disable using PATH from /etc/default/login no
   --disable-lastlog       disable use of lastlog even if detected no
@@ -1450,6 +1457,7 @@ Optional Packages:
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable audit support (modules=debug,bsm,linux)
   --with-pie              Build Position Independent Executables if possible
+  --with-security-key-builtin include builtin U2F/FIDO support
   --with-ssl-dir=PATH     Specify path to OpenSSL installation
   --without-openssl-header-check Disable OpenSSL version consistency check
   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
@@ -6066,6 +6074,49 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 }
         {
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -Wimplicit-fallthrough" >&5
+$as_echo_n "checking if $CC supports compile flag -Wimplicit-fallthrough... " >&6; }
+        saved_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $WERROR -Wimplicit-fallthrough"
+        _define_flag=""
+        test "x$_define_flag" = "x" && _define_flag="-Wimplicit-fallthrough"
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                CFLAGS="$saved_CFLAGS"
+else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                 CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                  CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+}
+        {
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -fno-strict-aliasing" >&5
 $as_echo_n "checking if $CC supports compile flag -fno-strict-aliasing... " >&6; }
         saved_CFLAGS="$CFLAGS"
@@ -6481,13 +6532,16 @@ $as_echo_n "checking if $CC supports $t... " >&6; }
                 LDFLAGS="$LDFLAGS $t -Werror"
                 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
- #include <stdio.h>
+
+        #include <stdio.h>
+        int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
+
 int
 main ()
 {
 
         char x[256];
-        snprintf(x, sizeof(x), "XXX");
+        snprintf(x, sizeof(x), "XXX%d", func(1));
 
   ;
   return 0;
@@ -6508,13 +6562,16 @@ $as_echo "$as_me: WARNING: cross compiling: cannot test" >&2;}
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
- #include <stdio.h>
+
+        #include <stdio.h>
+        int func (int t) {char b[100]; snprintf(b,sizeof b,"%d",t); return t;}
+
 int
 main ()
 {
 
         char x[256];
-        snprintf(x, sizeof(x), "XXX");
+        snprintf(x, sizeof(x), "XXX%d", func(1));
 
   ;
   return 0;
@@ -6741,6 +6798,7 @@ for ac_header in  \
         features.h \
         fcntl.h \
         floatingpoint.h \
+        fnmatch.h \
         getopt.h \
         glob.h \
         ia.h \
@@ -7531,6 +7589,7 @@ done
         ;;
 *-*-haiku*)
         LIBS="$LIBS -lbsd "
+        CFLAGS="$CFLAGS -D_BSD_SOURCE"
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lnetwork" >&5
 $as_echo_n "checking for socket in -lnetwork... " >&6; }
 if ${ac_cv_lib_network_socket+:} false; then :
@@ -7578,6 +7637,9 @@ fi
 
         $as_echo "#define HAVE_U_INT64_T 1" >>confdefs.h
 
+
+$as_echo "#define DISABLE_UTMPX 1" >>confdefs.h
+
         MANTYPE=man
         ;;
 *-*-hpux*)
@@ -8656,11 +8718,34 @@ $as_echo "#define BROKEN_SHADOW_EXPIRE 1" >>confdefs.h
 
 $as_echo "#define BROKEN_GETGROUPS 1" >>confdefs.h
 
-        $as_echo "#define NEED_SETPGRP 1" >>confdefs.h
+
+$as_echo "#define NEED_SETPGRP 1" >>confdefs.h
 
 
 $as_echo "#define HAVE_SYS_SYSLOG_H 1" >>confdefs.h
 
+
+$as_echo "#define DISABLE_UTMPX 1" >>confdefs.h
+
+        # DISABLE_FD_PASSING so that we call setpgrp as root, otherwise we
+        # don't get a controlling tty.
+
+$as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h
+
+        # On Ultrix some headers are not protected against multiple includes,
+        # so we create wrappers and put it where the compiler will find it.
+        { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: creating compat wrappers for headers" >&5
+$as_echo "$as_me: WARNING: creating compat wrappers for headers" >&2;}
+        mkdir -p netinet
+        for header in netinet/ip.h netdb.h resolv.h; do
+                name=`echo $header | tr 'a-z/.' 'A-Z__'`
+                cat >$header <<EOD
+#ifndef _SSH_COMPAT_${name}
+#define _SSH_COMPAT_${name}
+#include "/usr/include/${header}"
+#endif
+EOD
+        done
         ;;
 
 *-*-lynxos)
@@ -8990,11 +9075,12 @@ $as_echo "#define HAVE_BASENAME 1" >>confdefs.h
 fi
 
 
+zlib=yes
 
 # Check whether --with-zlib was given.
 if test "${with_zlib+set}" = set; then :
   withval=$with_zlib;  if test "x$withval" = "xno" ; then
-                as_fn_error $? "*** zlib is required ***" "$LINENO" 5
+                zlib=no
           elif test "x$withval" != "xyes"; then
                 if test -d "$withval/lib"; then
                         if test -n "${rpath_opt}"; then
@@ -9019,7 +9105,18 @@ if test "${with_zlib+set}" = set; then :
 fi
 
 
-ac_fn_c_check_header_mongrel "$LINENO" "zlib.h" "ac_cv_header_zlib_h" "$ac_includes_default"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for zlib" >&5
+$as_echo_n "checking for zlib... " >&6; }
+if test "x${zlib}" = "xno"; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+else
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define WITH_ZLIB 1" >>confdefs.h
+
+    ac_fn_c_check_header_mongrel "$LINENO" "zlib.h" "ac_cv_header_zlib_h" "$ac_includes_default"
 if test "x$ac_cv_header_zlib_h" = xyes; then :
 
 else
@@ -9027,7 +9124,7 @@ else
 fi
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for deflate in -lz" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for deflate in -lz" >&5
 $as_echo_n "checking for deflate in -lz... " >&6; }
 if ${ac_cv_lib_z_deflate+:} false; then :
   $as_echo_n "(cached) " >&6
@@ -9127,9 +9224,9 @@ if test "${with_zlib_version_check+set}" = set; then :
 fi
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for possibly buggy zlib" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for possibly buggy zlib" >&5
 $as_echo_n "checking for possibly buggy zlib... " >&6; }
-if test "$cross_compiling" = yes; then :
+    if test "$cross_compiling" = yes; then :
         { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking zlib version" >&5
 $as_echo "$as_me: WARNING: cross compiling: not checking zlib version" >&2;}
 
@@ -9190,6 +9287,7 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
   conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
+fi
 
 ac_fn_c_check_func "$LINENO" "strcasecmp" "ac_cv_func_strcasecmp"
 if test "x$ac_cv_func_strcasecmp" = xyes; then :
@@ -10350,8 +10448,6 @@ else
 fi
 
                 if test "x$LDNSCONFIG" = "xno"; then
-                        CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                        LDFLAGS="$LDFLAGS -L${withval}/lib"
                         LIBS="-lldns $LIBS"
                         ldns=yes
                 else
@@ -10379,7 +10475,9 @@ $as_echo_n "checking for ldns support... " >&6; }
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
 #include <ldns/ldns.h>
 int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
 
@@ -10920,6 +11018,34 @@ $as_echo "no" >&6; }
         fi
 fi
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -fPIC is accepted" >&5
+$as_echo_n "checking whether -fPIC is accepted... " >&6; }
+SAVED_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -fPIC"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <stdlib.h>
+int
+main ()
+{
+ exit(0);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+    PICFLAG="-fPIC";
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+    PICFLAG="";
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+CFLAGS="$SAVED_CFLAGS"
+
+
 for ac_func in  \
         Blowfish_initstate \
         Blowfish_expandstate \
@@ -10951,6 +11077,7 @@ for ac_func in  \
         fchown \
         fchownat \
         flock \
+        fnmatch \
         freeaddrinfo \
         freezero \
         fstatfs \
@@ -10978,6 +11105,7 @@ for ac_func in  \
         inet_ntop \
         innetgr \
         llabs \
+        localtime_r \
         login_getcapbool \
         md5_crypt \
         memmem \
@@ -10995,6 +11123,7 @@ for ac_func in  \
         raise \
         readpassphrase \
         reallocarray \
+        realpath \
         recvmsg \
         recallocarray \
         rresvport_af \
@@ -11073,6 +11202,16 @@ fi
 cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_BZERO $ac_have_decl
 _ACEOF
+ac_fn_c_check_decl "$LINENO" "memmem" "ac_cv_have_decl_memmem" "$ac_includes_default"
+if test "x$ac_cv_have_decl_memmem" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_MEMMEM $ac_have_decl
+_ACEOF
 
 
 for ac_func in mblen mbtowc nl_langinfo wcwidth
@@ -11160,10 +11299,32 @@ if test "${enable_pkcs11+set}" = set; then :
 fi
 
 
-# PKCS11 depends on OpenSSL.
-if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
-        # PKCS#11 support requires dlopen() and co
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
+disable_sk=
+# Check whether --enable-security-key was given.
+if test "${enable_security_key+set}" = set; then :
+  enableval=$enable_security_key;
+                if test "x$enableval" = "xno" ; then
+                        disable_sk=1
+                fi
+
+
+fi
+
+enable_sk_internal=
+
+# Check whether --with-security-key-builtin was given.
+if test "${with_security_key_builtin+set}" = set; then :
+  withval=$with_security_key_builtin;
+                if test "x$withval" != "xno" ; then
+                        enable_sk_internal=yes
+                fi
+
+
+fi
+
+test "x$disable_sk" != "x" && enable_sk_internal=""
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
 $as_echo_n "checking for library containing dlopen... " >&6; }
 if ${ac_cv_search_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
@@ -11216,19 +11377,26 @@ $as_echo "$ac_cv_search_dlopen" >&6; }
 ac_res=$ac_cv_search_dlopen
 if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-  ac_fn_c_check_decl "$LINENO" "RTLD_NOW" "ac_cv_have_decl_RTLD_NOW" "#include <dlfcn.h>
 
-"
-if test "x$ac_cv_have_decl_RTLD_NOW" = xyes; then :
+fi
 
-$as_echo "#define ENABLE_PKCS11 /**/" >>confdefs.h
+for ac_func in dlopen
+do :
+  ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen"
+if test "x$ac_cv_func_dlopen" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DLOPEN 1
+_ACEOF
 
 fi
+done
 
+ac_fn_c_check_decl "$LINENO" "RTLD_NOW" "ac_cv_have_decl_RTLD_NOW" "#include <dlfcn.h>
+"
+if test "x$ac_cv_have_decl_RTLD_NOW" = xyes; then :
 
 fi
 
-fi
 
 # IRIX has a const char return value for gai_strerror()
 for ac_func in gai_strerror
@@ -13384,26 +13552,6 @@ fi
 done
 
 
-        # Search for RIPE-MD support in OpenSSL
-        for ac_func in EVP_ripemd160
-do :
-  ac_fn_c_check_func "$LINENO" "EVP_ripemd160" "ac_cv_func_EVP_ripemd160"
-if test "x$ac_cv_func_EVP_ripemd160" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_EVP_RIPEMD160 1
-_ACEOF
-
-else
-  unsupported_algorithms="$unsupported_algorithms \
-                hmac-ripemd160 \
-                hmac-ripemd160@openssh.com \
-                hmac-ripemd160-etm@openssh.com"
-
-
-fi
-done
-
-
         # Check complete ECC support in OpenSSL
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_X9_62_prime256v1" >&5
 $as_echo_n "checking whether OpenSSL has NID_X9_62_prime256v1... " >&6; }
@@ -13570,6 +13718,9 @@ _ACEOF
 fi
 done
 
+                openssl_ecc=yes
+        else
+                openssl_ecc=no
         fi
         if test x$enable_nistp256 = x1; then
 
@@ -13664,6 +13815,220 @@ done
 
 fi
 
+# PKCS11/U2F depend on OpenSSL and dlopen().
+enable_pkcs11=yes
+enable_sk=yes
+if test "x$openssl" != "xyes" ; then
+        enable_pkcs11="disabled; missing libcrypto"
+        enable_sk="disabled; missing libcrypto"
+fi
+if test "x$openssl_ecc" != "xyes" ; then
+        enable_sk="disabled; OpenSSL has no ECC support"
+fi
+if test "x$ac_cv_func_dlopen" != "xyes" ; then
+        enable_pkcs11="disabled; missing dlopen(3)"
+        enable_sk="disabled; missing dlopen(3)"
+fi
+if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
+        enable_pkcs11="disabled; missing RTLD_NOW"
+        enable_sk="disabled; missing RTLD_NOW"
+fi
+if test ! -z "$disable_pkcs11" ; then
+        enable_pkcs11="disabled by user"
+fi
+if test ! -z "$disable_sk" ; then
+        enable_sk="disabled by user"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable PKCS11" >&5
+$as_echo_n "checking whether to enable PKCS11... " >&6; }
+if test "x$enable_pkcs11" = "xyes" ; then
+
+$as_echo "#define ENABLE_PKCS11 /**/" >>confdefs.h
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_pkcs11" >&5
+$as_echo "$enable_pkcs11" >&6; }
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable U2F" >&5
+$as_echo_n "checking whether to enable U2F... " >&6; }
+if test "x$enable_sk" = "xyes" ; then
+
+$as_echo "#define ENABLE_SK /**/" >>confdefs.h
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_sk" >&5
+$as_echo "$enable_sk" >&6; }
+
+# Now check for built-in security key support.
+if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
+        if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PKGCONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PKGCONFIG=$ac_cv_path_PKGCONFIG
+if test -n "$PKGCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5
+$as_echo "$PKGCONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKGCONFIG"; then
+  ac_pt_PKGCONFIG=$PKGCONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $ac_pt_PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
+if test -n "$ac_pt_PKGCONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
+$as_echo "$ac_pt_PKGCONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_pt_PKGCONFIG" = x; then
+    PKGCONFIG="no"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKGCONFIG=$ac_pt_PKGCONFIG
+  fi
+else
+  PKGCONFIG="$ac_cv_path_PKGCONFIG"
+fi
+
+        use_pkgconfig_for_libfido2=
+        if test "x$PKGCONFIG" != "xno"; then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $PKGCONFIG knows about libfido2" >&5
+$as_echo_n "checking if $PKGCONFIG knows about libfido2... " >&6; }
+                if "$PKGCONFIG" libfido2; then
+                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                        use_pkgconfig_for_libfido2=yes
+                else
+                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                fi
+        fi
+        if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
+                LIBFIDO2=`$PKGCONFIG --libs libfido2`
+                CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
+        else
+                LIBFIDO2="-lfido2 -lcbor"
+        fi
+        OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for fido_init in -lfido2" >&5
+$as_echo_n "checking for fido_init in -lfido2... " >&6; }
+if ${ac_cv_lib_fido2_fido_init+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lfido2  $OTHERLIBS
+         $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char fido_init ();
+int
+main ()
+{
+return fido_init ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_fido2_fido_init=yes
+else
+  ac_cv_lib_fido2_fido_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fido2_fido_init" >&5
+$as_echo "$ac_cv_lib_fido2_fido_init" >&6; }
+if test "x$ac_cv_lib_fido2_fido_init" = xyes; then :
+
+
+
+$as_echo "#define ENABLE_SK_INTERNAL /**/" >>confdefs.h
+
+                        enable_sk="built-in"
+
+fi
+
+fi
+
 for ac_func in  \
         arc4random \
         arc4random_buf \
@@ -14756,6 +15121,28 @@ fi
 
 fi
 
+ac_fn_c_check_decl "$LINENO" "UINT32_MAX" "ac_cv_have_decl_UINT32_MAX" "
+#ifdef HAVE_SYS_LIMITS_H
+# include <sys/limits.h>
+#endif
+#ifdef HAVE_LIMITS_H
+# include <limits.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+
+"
+if test "x$ac_cv_have_decl_UINT32_MAX" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_UINT32_MAX $ac_have_decl
+_ACEOF
+
 
 # More checks for data types
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u_int type" >&5
@@ -15215,7 +15602,9 @@ fi
 
 ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "
 #include <sys/types.h>
-#include <stdint.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
 
 "
 if test "x$ac_cv_type_intmax_t" = xyes; then :
@@ -15228,7 +15617,9 @@ _ACEOF
 fi
 ac_fn_c_check_type "$LINENO" "uintmax_t" "ac_cv_type_uintmax_t" "
 #include <sys/types.h>
-#include <stdint.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
 
 "
 if test "x$ac_cv_type_uintmax_t" = xyes; then :
@@ -15361,7 +15752,36 @@ _ACEOF
 fi
 
 
+ac_fn_c_check_member "$LINENO" "struct statfs" "f_files" "ac_cv_member_struct_statfs_f_files" "
+#include <sys/param.h>
+#include <sys/types.h>
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_SYS_STATFS_H
+#include <sys/statfs.h>
+#endif
+#ifdef HAVE_SYS_STATVFS_H
+#include <sys/statvfs.h>
+#endif
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif
+#ifdef HAVE_SYS_MOUNT_H
+#include <sys/mount.h>
+#endif
+
+"
+if test "x$ac_cv_member_struct_statfs_f_files" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_STRUCT_STATFS_F_FILES 1
+_ACEOF
+
+
+fi
 ac_fn_c_check_member "$LINENO" "struct statfs" "f_flags" "ac_cv_member_struct_statfs_f_flags" "
+#include <sys/param.h>
 #include <sys/types.h>
 #ifdef HAVE_SYS_BITYPES_H
 #include <sys/bitypes.h>
@@ -15375,6 +15795,9 @@ ac_fn_c_check_member "$LINENO" "struct statfs" "f_flags" "ac_cv_member_struct_st
 #ifdef HAVE_SYS_VFS_H
 #include <sys/vfs.h>
 #endif
+#ifdef HAVE_SYS_MOUNT_H
+#include <sys/mount.h>
+#endif
 
 "
 if test "x$ac_cv_member_struct_statfs_f_flags" = xyes; then :
@@ -15807,6 +16230,42 @@ $as_echo "#define HAVE_STRUCT_ADDRINFO 1" >>confdefs.h
 
 fi
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5
+$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; }
+if ${ac_cv_header_time+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+if ((struct tm *) 0)
+return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_header_time=yes
+else
+  ac_cv_header_time=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5
+$as_echo "$ac_cv_header_time" >&6; }
+if test $ac_cv_header_time = yes; then
+
+$as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h
+
+fi
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct timeval" >&5
 $as_echo_n "checking for struct timeval... " >&6; }
 if ${ac_cv_have_struct_timeval+:} false; then :
@@ -15842,16 +16301,51 @@ $as_echo "#define HAVE_STRUCT_TIMEVAL 1" >>confdefs.h
         have_struct_timeval=1
 fi
 
-ac_fn_c_check_type "$LINENO" "struct timespec" "ac_cv_type_struct_timespec" "$ac_includes_default"
-if test "x$ac_cv_type_struct_timespec" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct timespec" >&5
+$as_echo_n "checking for struct timespec... " >&6; }
+if ${ac_cv_have_struct_timespec+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
 
-cat >>confdefs.h <<_ACEOF
-#define HAVE_STRUCT_TIMESPEC 1
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+    #ifdef TIME_WITH_SYS_TIME
+    # include <sys/time.h>
+    # include <time.h>
+    #else
+    # ifdef HAVE_SYS_TIME_H
+    #  include <sys/time.h>
+    # else
+    #  include <time.h>
+    # endif
+    #endif
+
+int
+main ()
+{
+ struct timespec ts; ts.tv_sec = 1;
+  ;
+  return 0;
+}
 _ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_have_struct_timespec="yes"
+else
+   ac_cv_have_struct_timespec="no"
 
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_struct_timespec" >&5
+$as_echo "$ac_cv_have_struct_timespec" >&6; }
+if test "x$ac_cv_have_struct_timespec" = "xyes" ; then
+
+$as_echo "#define HAVE_STRUCT_TIMESPEC 1" >>confdefs.h
 
+        have_struct_timespec=1
+fi
 
 # We need int64_t or else certain parts of the compile will fail.
 if test "x$ac_cv_have_int64_t" = "xno" && \
@@ -19428,6 +19922,12 @@ DEPEND=$(cat $srcdir/.depend)
 CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
 LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
 
+# Make a copy of CFLAGS/LDFLAGS without PIE options.
+LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
+CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
+
+
+
 
 ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh"
 
@@ -20777,6 +21277,8 @@ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
+echo "                   PKCS#11 support: $enable_pkcs11"
+echo "                  U2F/FIDO support: $enable_sk"
 
 echo ""