1AC_INIT(openconnect, 8.10)
2AC_CONFIG_HEADERS([config.h])
3
4PKG_PROG_PKG_CONFIG
5AC_LANG_C
6AC_CANONICAL_HOST
7AM_MAINTAINER_MODE([enable])
8AM_INIT_AUTOMAKE([foreign tar-ustar])
9m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
10
11AC_PREREQ([2.62], [], [AC_SUBST([localedir], ['$(datadir)/locale'])])
12
13# Upstream's pkg.m4 (since 0.27) offers this now, but define our own
14# compatible version in case the local version of pkgconfig isn't new enough.
15# https://bugs.freedesktop.org/show_bug.cgi?id=48743
16m4_ifdef([PKG_INSTALLDIR], [PKG_INSTALLDIR],
17	  [AC_ARG_WITH([pkgconfigdir],
18		       [AS_HELP_STRING([--with-pkgconfigdir],
19		       [install directory for openconnect.pc pkg-config file])],
20			[],[with_pkgconfigdir='$(libdir)/pkgconfig'])
21	   AC_SUBST([pkgconfigdir], [${with_pkgconfigdir}])])
22
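# Per-platform state filled in by the host_os switch below.  Everything the
# switch may set is cleared first, so a same-named variable inherited from the
# environment of ./configure cannot influence the later tests of these values
# (have_win selects the Windows code paths; system_pcsc_libs ends up on the
# link line).  The symver_* names are exported via AC_SUBST(SYMVER_*) further
# down.
use_openbsd_libtool=
have_win=
system_pcsc_libs=
system_pcsc_cflags=
symver_time=
symver_getline=
symver_asprintf=
symver_vasprintf=
symver_win32_strerror=

case $host_os in
 *linux* | *gnu* | *nacl*)
    AC_MSG_NOTICE([Applying feature macros for GNU build])
    AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
    ;;
 *netbsd*)
    AC_MSG_NOTICE([Applying feature macros for NetBSD build])
    AC_DEFINE(_POSIX_C_SOURCE, 200112L, [_POSIX_C_SOURCE])
    AC_DEFINE(_NETBSD_SOURCE, 1, [_NETBSD_SOURCE])
    ;;
 *openbsd*)
    AC_MSG_NOTICE([Applying feature macros for OpenBSD build])
    use_openbsd_libtool=true
    ;;
 *solaris*|*sunos*)
    AC_MSG_NOTICE([Applying workaround for broken SunOS time() function])
    AC_DEFINE(HAVE_SUNOS_BROKEN_TIME, 1, [On SunOS time() can go backwards])
    symver_time="openconnect__time;"
    ;;
 *mingw32*|*mingw64*|*msys*)
    AC_MSG_NOTICE([Applying feature macros for MinGW/Windows build])
    # For GetVolumeInformationByHandleW() which is Vista+
    AC_DEFINE(_WIN32_WINNT, 0x600, [Windows API version])
    have_win=yes
    # For asprintf()
    AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
    symver_win32_strerror="openconnect__win32_strerror;"
    # Win32 does have the SCard API
    system_pcsc_libs="-lwinscard"
    system_pcsc_cflags=
    AC_CHECK_TOOL([WINDRES], [windres], [])
    ;;
 *darwin*)
    # The PCSC framework is used directly, so no pkg-config lookup is needed.
    system_pcsc_libs="-Wl,-framework -Wl,PCSC"
    system_pcsc_cflags=
    ;;
 *)
    # On FreeBSD the only way to get vsyslog() visible is to define
    #  *nothing*, which makes absolutely everything visible.
    # On Darwin enabling _POSIX_C_SOURCE breaks <sys/mount.h> because
    # u_long and other types don't get defined. OpenBSD is similar.
    ;;
esac
AM_CONDITIONAL(OPENCONNECT_WIN32,  [ test "$have_win" = "yes" ])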
74
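# Choose the vpnc-script path that is compiled in as DEFAULT_VPNCSCRIPT.
#   not given or "yes" : probe the usual install locations at build time
#   "no"               : rejected, a script is mandatory
#   anything else      : taken verbatim as the default path
# NOTE(review): the helper is presumably run with the privileges of the
# openconnect process, so packagers should pass an absolute path that only the
# administrator can write to -- confirm against the runtime code.  The
# executable test below looks at the build host only; it says nothing about
# the machine the package is later installed on.
AC_ARG_WITH([vpnc-script],
	[AS_HELP_STRING([--with-vpnc-script],
	  [default location of vpnc-script helper])])

if test "$with_vpnc_script" = "yes" || test "$with_vpnc_script" = ""; then
   AC_MSG_CHECKING([for vpnc-script in standard locations])
   if test "$have_win" = "yes"; then
      with_vpnc_script=vpnc-script-win.js
      # Close the "checking" line on this branch too; it used to be left
      # without a result.
      AC_MSG_RESULT([${with_vpnc_script}])
   else
      # First executable candidate wins.  If none is executable the loop
      # variable is left at the last candidate, which the error text below
      # then quotes as the standard location.
      for with_vpnc_script in /usr/local/share/vpnc-scripts/vpnc-script /usr/local/sbin/vpnc-script /usr/share/vpnc-scripts/vpnc-script /usr/sbin/vpnc-script /etc/vpnc/vpnc-script; do
         if test -x "$with_vpnc_script"; then
            break
         fi
      done
      if ! test -x "$with_vpnc_script"; then
	 AC_MSG_ERROR([${with_vpnc_script} does not seem to be executable.]
 [OpenConnect will not function correctly without a vpnc-script.]
 [See http://www.infradead.org/openconnect/vpnc-script.html for more details.]
 []
 [If you are building a distribution package, please ensure that your]
 [packaging is correct, and that a vpnc-script will be installed when the]
 [user installs your package. You should provide a --with-vpnc-script=]
 [argument to this configure script, giving the full path where the script]
 [will be installed.]
 []
 [The standard location is ${with_vpnc_script}. To bypass this error and]
 [build OpenConnect to use the script from this location, even though it is]
 [not present at the time you are building OpenConnect, pass the argument]
 ["--with-vpnc-script=${with_vpnc_script}"])
      else
         AC_MSG_RESULT([${with_vpnc_script}])
      fi
   fi
elif test "$with_vpnc_script" = "no"; then
   AC_MSG_ERROR([You cannot disable vpnc-script.]
   [OpenConnect will not function correctly without it.]
   [See http://www.infradead.org/openconnect/vpnc-script.html])
elif test "$have_win" = "yes"; then
   # Oh Windows how we hate thee. If user specifies a vpnc-script and it contains
   # backslashes, double them all up to survive escaping.
   # printf is used instead of echo because some shells' echo expands
   # backslash sequences such as \t or \n itself, which would corrupt the path
   # before sed ever sees it.
   with_vpnc_script="$(printf '%s\n' "${with_vpnc_script}" | sed 's/\\/\\\\/g')"
fi

# The value is pasted into a C string literal as-is.  Only the Windows branch
# above escapes backslashes; a double quote in the path is not escaped.
AC_DEFINE_UNQUOTED(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}", [Default vpnc-script location])
AC_SUBST(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}")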
120
121AC_CHECK_FUNC(fdevname_r, [AC_DEFINE(HAVE_FDEVNAME_R, 1, [Have fdevname_r() function])], [])
122AC_CHECK_FUNC(statfs, [AC_DEFINE(HAVE_STATFS, 1, [Have statfs() function])], [])
123AC_CHECK_FUNC(getline, [AC_DEFINE(HAVE_GETLINE, 1, [Have getline() function])],
124    [symver_getline="openconnect__getline;"])
125AC_CHECK_FUNC(strcasestr, [AC_DEFINE(HAVE_STRCASESTR, 1, [Have strcasestr() function])], [])
126AC_CHECK_FUNC(strndup, [AC_DEFINE(HAVE_STRNDUP, 1, [Have strndup() function])], [])
127AC_CHECK_FUNC(asprintf, [AC_DEFINE(HAVE_ASPRINTF, 1, [Have asprintf() function])],
128    [symver_asprintf="openconnect__asprintf;"])
129AC_CHECK_FUNC(vasprintf, [AC_DEFINE(HAVE_VASPRINTF, 1, [Have vasprintf() function])],
130    [symver_vasprintf="openconnect__vasprintf;"])
131
132if test -n "$symver_vasprintf"; then
133  AC_MSG_CHECKING([for va_copy])
134  AC_LINK_IFELSE([AC_LANG_PROGRAM([
135	#include <stdarg.h>
136	va_list a;],[
137	va_list b;
138	va_copy(b,a);
139	va_end(b);])],
140	[AC_DEFINE(HAVE_VA_COPY, 1, [Have va_copy()])
141	AC_MSG_RESULT(va_copy)],
142	[AC_LINK_IFELSE([AC_LANG_PROGRAM([
143		#include <stdarg.h>
144		va_list a;],[
145		va_list b;
146		__va_copy(b,a);
147		va_end(b);])],
148		[AC_DEFINE(HAVE___VA_COPY, 1, [Have __va_copy()])
149		AC_MSG_RESULT(__va_copy)],
150		[AC_MSG_RESULT(no)
151		AC_MSG_ERROR([Your system lacks vasprintf() and va_copy()])])
152	])
153fi
154AC_SUBST(SYMVER_TIME, $symver_time)
155AC_SUBST(SYMVER_GETLINE, $symver_getline)
156AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
157AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
158AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
159
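# Warning flags offered to the compiler through AS_COMPILER_FLAGS and exported
# as WFLAGS.  Besides general hygiene the set covers format-string misuse
# (-Wformat-security, -Wformat-nonliteral) and promotes two classes of mistake
# to hard errors: pointer-to-int casts and implicit function declarations.
AS_COMPILER_FLAGS(WFLAGS,
        "-Wall
         -Wextra
         -Wno-missing-field-initializers
         -Wno-sign-compare
         -Wno-unused-parameter
         -Werror=pointer-to-int-cast
         -Wdeclaration-after-statement
         -Werror-implicit-function-declaration
         -Wformat-nonliteral
         -Wformat-security
         -Winit-self
         -Wmissing-declarations
         -Wmissing-include-dirs
         -Wnested-externs
         -Wpointer-arith
         -Wwrite-strings")
AC_SUBST(WFLAGS, [$WFLAGS])

# Find a memory-clearing primitive, in order of preference: memset_s(), then
# explicit_memset(), then explicit_bzero().
# WFLAGS is added for the memset_s probe, presumably so that
# -Werror-implicit-function-declaration makes an undeclared memset_s() fail
# the probe rather than link by accident.
# NOTE(review): when none of the three is found no HAVE_* macro is defined
# here; the fallback used by the C code is outside this file -- verify that it
# cannot be optimised away.
oldCFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $WFLAGS"
AC_MSG_CHECKING([For memset_s])
# The probe buffer is a plain byte array and the sizes come from sizeof; the
# previous probe declared an array of 16 pointers but passed 16 as its size.
AC_LINK_IFELSE([AC_LANG_PROGRAM([
	#define __STDC_WANT_LIB_EXT1__ 1
	#include <string.h>],[[
	unsigned char foo[16];
	memset_s(foo, sizeof(foo), 0, sizeof(foo));]])],
	       [AC_MSG_RESULT([yes])
	        AC_DEFINE(__STDC_WANT_LIB_EXT1__, 1, [To request memset_s])
	        AC_DEFINE(HAVE_MEMSET_S, 1, [Have memset_s() function])],
	       [AC_MSG_RESULT([no])
	        AC_CHECK_FUNC(explicit_memset,
			      [AC_DEFINE(HAVE_EXPLICIT_MEMSET, 1, [Have explicit_memset() function])],
			      [AC_CHECK_FUNC(explicit_bzero,
					     [AC_DEFINE(HAVE_EXPLICIT_BZERO, 1, [Have explicit_bzero() function])],
					     [])
			      ])
	       ])
CFLAGS="$oldCFLAGS"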
199
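# Link-only probe for the re-entrant localtime_r().
AC_MSG_CHECKING([For localtime_r])
AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <time.h>],[[
	struct tm tm;
	time_t t = 0;
	localtime_r(&t, &tm);]])],
	       [AC_MSG_RESULT([yes])
	        AC_DEFINE(HAVE_LOCALTIME_R, 1, [Have localtime_r() function])],
	       [AC_MSG_RESULT([no])])

if test "$have_win" = yes; then
   # Checking "properly" for __attribute__((dllimport,stdcall)) functions is non-trivial
   # so the Windows system libraries are added to LIBS unconditionally.
   LIBS="$LIBS -lws2_32 -lshlwapi -lsecur32 -liphlpapi"
   AC_MSG_CHECKING([For localtime_s])
   # The probe passes the address of t.  It used to pass (time_t)0, which is a
   # null pointer constant, and left t unused.
   AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <time.h>],[[
	struct tm tm;
	time_t t = 0;
	localtime_s(&tm, &t);]])],
	       [AC_MSG_RESULT([yes])
	        AC_DEFINE(HAVE_LOCALTIME_S, 1, [Have localtime_s() function])],
	       [AC_MSG_RESULT([no])])
else
   # socket() is either in libc or in libsocket; anything else is fatal.
   AC_CHECK_FUNC([socket], [],
		 [AC_CHECK_LIB([socket], [socket], [],
			       [AC_MSG_ERROR([Cannot find socket() function])])])
fi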
223
224have_inet_aton=yes
225AC_CHECK_FUNC(inet_aton, [], AC_CHECK_LIB(nsl, inet_aton, [], have_inet_aton=no))
226if test "$have_inet_aton" = "yes"; then
227   AC_DEFINE(HAVE_INET_ATON, 1, [Have inet_aton()])
228fi
229
230AC_MSG_CHECKING([for IPV6_PATHMTU socket option])
231AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
232		  #include <netinet/in.h>
233		  #include <sys/socket.h>
234		  #include <sys/types.h>],[
235		  int foo = IPV6_PATHMTU; (void)foo;])],
236		  [AC_DEFINE(HAVE_IPV6_PATHMTU, 1, [Have IPV6_PATHMTU socket option])
237		   AC_MSG_RESULT([yes])],
238		  [AC_MSG_RESULT([no])])
239
240AC_CHECK_FUNC(__android_log_vprint, [], AC_CHECK_LIB(log, __android_log_vprint, [], []))
241
242AC_ENABLE_SHARED
243AC_DISABLE_STATIC
244
245AC_CHECK_FUNC(nl_langinfo, [AC_DEFINE(HAVE_NL_LANGINFO, 1, [Have nl_langinfo() function])], [])
246
247if test "$ac_cv_func_nl_langinfo" = "yes"; then
248    AM_ICONV
249    if test "$am_cv_func_iconv" = "yes"; then
250	AC_SUBST(ICONV_LIBS, [$LTLIBICONV])
251	AC_SUBST(ICONV_CFLAGS, [$INCICONV])
252	AC_DEFINE(HAVE_ICONV, 1, [Have iconv() function])
253    fi
254fi
255AM_CONDITIONAL(OPENCONNECT_ICONV, [test "$am_cv_func_iconv" = "yes"])
256
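# Native Language Support.  Enabled unless --disable-nls is given, and switched
# off again when gettext cannot be linked even with the libintl flags.
AC_ARG_ENABLE([nls],
	AS_HELP_STRING([--disable-nls], [Do not use Native Language Support]),
	[USE_NLS=$enableval], [USE_NLS=yes])
LIBINTL=
if test "$USE_NLS" = "yes"; then
   # msgfmt is needed to compile the message catalogues.
   AC_PATH_PROG(MSGFMT, msgfmt)
   if test "$MSGFMT" = ""; then
      AC_MSG_ERROR([msgfmt could not be found. Try configuring with --disable-nls])
   fi
fi
if test "$USE_NLS" = "yes"; then
   AC_MSG_CHECKING([for functional NLS support])
   # The probe programs are only linked, never run, so the "/tmp" argument to
   # bindtextdomain() is never used as a real catalogue directory.
   AC_LINK_IFELSE([AC_LANG_PROGRAM([
    #include <locale.h>
    #include <libintl.h>],[
    setlocale(LC_ALL, "");
    bindtextdomain("openconnect", "/tmp");
    (void)dgettext("openconnect", "foo");])],
    [AC_MSG_RESULT(yes)],
    [AC_LIB_LINKFLAGS_BODY([intl])
     # Second attempt with the libintl flags.  Both LIBS and CFLAGS are saved
     # and restored; previously CFLAGS was saved from LIBS and never put back,
     # which left the libintl include flags in CFLAGS for every later check.
     oldLIBS="$LIBS"
     LIBS="$LIBS $LIBINTL"
     oldCFLAGS="$CFLAGS"
     CFLAGS="$CFLAGS $INCINTL"
     AC_LINK_IFELSE([AC_LANG_PROGRAM([
      #include <locale.h>
      #include <libintl.h>],[
      setlocale(LC_ALL, "");
      bindtextdomain("openconnect", "/tmp");
      (void)dgettext("openconnect", "foo");])],
      [AC_MSG_RESULT([yes (with $INCINTL $LIBINTL)])],
      [AC_MSG_RESULT(no)
       USE_NLS=no])
     LIBS="$oldLIBS"
     CFLAGS="$oldCFLAGS"])
fi

# The flags reach the build through INTL_LIBS and INTL_CFLAGS, not through the
# global LIBS and CFLAGS.
if test "$USE_NLS" = "yes"; then
   AC_SUBST(INTL_LIBS, [$LTLIBINTL])
   AC_SUBST(INTL_CFLAGS, [$INCINTL])
   AC_DEFINE(ENABLE_NLS, 1, [Enable NLS support])
fi
AM_CONDITIONAL(USE_NLS, [test "$USE_NLS" = "yes"])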
300
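# NOTE(review): the help text ties this option to GnuTLS older than 3.0.20,
# while the GnuTLS probe below rejects anything older than 3.2.10 -- confirm
# whether $with_system_cafile is still honoured anywhere.
AC_ARG_WITH([system-cafile],
	    AS_HELP_STRING([--with-system-cafile],
			   [Location of the default system CA certificate file for old (<3.0.20) GnuTLS versions]))

# We will use GnuTLS by default if it's present. We used to support
# using GnuTLS for the TLS connections and OpenSSL for DTLS, but none
# of the reasons for that make sense any more.

AC_ARG_WITH([gnutls],
    AS_HELP_STRING([--without-gnutls], [Do not attempt to use GnuTLS; use OpenSSL instead]))
AC_ARG_WITH([openssl],
    AS_HELP_STRING([--with-openssl], [Location of OpenSSL build dir]))

# Outcome of the selection: ssl_library ends up as GnuTLS or OpenSSL.  esp and
# dtls are set later, once the chosen library has been probed.
ssl_library=
esp=
dtls=

# An explicit --with-openssl (yes or a directory) implies --without-gnutls;
# asking for both is a configuration error.
if test "$with_openssl" != "" && test "$with_openssl" != "no"; then
    if test "$with_gnutls" = ""; then
	with_gnutls=no
    elif test "$with_gnutls" = "yes"; then
	AC_MSG_ERROR([You cannot choose both GnuTLS and OpenSSL.])
    fi
fi

# First, check if GnuTLS exists and is usable.
# A GnuTLS older than 3.2.10 only produces a warning here.  When neither
# --with-gnutls nor --with-openssl was given, the build then falls through to
# OpenSSL below, so read the configure output to see which TLS backend was
# actually selected.
if test "$with_gnutls" = "yes" || test "$with_gnutls" = ""; then
    PKG_CHECK_MODULES(GNUTLS, gnutls,
       [if ! $PKG_CONFIG --atleast-version=3.2.10 gnutls; then
	    AC_MSG_WARN([Your GnuTLS is too old. At least v3.2.10 is required])
	else
	    ssl_library=GnuTLS
	fi], [:])
elif test "$with_gnutls" != "no"; then
    AC_MSG_ERROR([Values other than 'yes' or 'no' for --with-gnutls are not supported])
fi

# Do we need to look for OpenSSL?
if test "$ssl_library" = ""; then
    if test "$with_gnutls" = "yes" || test "$with_openssl" = "no"; then
	AC_MSG_ERROR([Suitable GnuTLS required but not found])
    elif test "$with_openssl" = "yes" || test "$with_openssl" = ""; then
	# System OpenSSL: pkg-config first, then a bare -lssl -lcrypto link test.
	# All three AC_SUBST calls of the fallback now sit inside the quoted
	# success action; the last one used to trail outside the brackets.
	PKG_CHECK_MODULES(OPENSSL, openssl, [AC_SUBST(SSL_PC, [openssl])],
	    [oldLIBS="$LIBS"
	     LIBS="$LIBS -lssl -lcrypto"
	     AC_MSG_CHECKING([for OpenSSL without pkg-config])
	     AC_LINK_IFELSE([AC_LANG_PROGRAM([
				#include <openssl/ssl.h>
				#include <openssl/err.h>],[
				SSL_library_init();
				ERR_clear_error();
				SSL_load_error_strings();
				OpenSSL_add_all_algorithms();])],
			[AC_MSG_RESULT(yes)
			 AC_SUBST([OPENSSL_LIBS], ["-lssl -lcrypto"])
			 AC_SUBST([OPENSSL_CFLAGS], [])
			 AC_SUBST([openssl_pc_libs], [$OPENSSL_LIBS])],
			[AC_MSG_RESULT(no)
			 AC_MSG_ERROR([Could not build against OpenSSL])])
	     LIBS="$oldLIBS"])
	ssl_library=OpenSSL
	# PKCS#11 with OpenSSL needs both p11-kit and libp11.
	# libp11 0.4.7 fails to export ERR_LIB_PKCS11 so we don't know what it
	# is and can't match its errors, which we need to for login checks.
	PKG_CHECK_MODULES(P11KIT, p11-kit-1,
	    [PKG_CHECK_MODULES(LIBP11, libp11 != 0.4.7,
		[AC_DEFINE(HAVE_LIBP11, 1, [Have libp11 and p11-kit for OpenSSL])
		 AC_SUBST(P11KIT_PC, ["libp11 p11-kit-1"])
		 proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
		 pkcs11_support="libp11"
		 AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
		[:])], [:])
    else
	# --with-openssl=DIR: link the static archives from an OpenSSL build or
	# install tree and force a static-only build of openconnect.  OpenSSL is
	# then baked into the result, so picking up an OpenSSL fix means
	# rebuilding openconnect.
	OPENSSL_CFLAGS="-I${with_openssl}/include ${OPENSSL_CFLAGS}"
	if test -r "${with_openssl}/libssl.a" && test -r "${with_openssl}/libcrypto.a"; then
	    OPENSSL_LIBS="${with_openssl}/libssl.a ${with_openssl}/libcrypto.a -ldl -lz -pthread"
	elif test -r "${with_openssl}/crypto/.libs/libcrypto.a" && \
	     test -r "${with_openssl}/ssl/.libs/libssl.a"; then
	    OPENSSL_LIBS="${with_openssl}/ssl/.libs/libssl.a ${with_openssl}/crypto/.libs/libcrypto.a -ldl -lz -pthread"
	else
	    AC_MSG_ERROR([Could not find OpenSSL libraries in ${with_openssl}])
	fi
	AC_SUBST(OPENSSL_CFLAGS)
	AC_SUBST(OPENSSL_LIBS)
	enable_static=yes
	enable_shared=no
	ssl_library=OpenSSL
    fi
fi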
389
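# Escape hatches for the known-broken-version gates applied once the TLS
# library has been chosen.  They only skip the configure-time refusal.
AC_ARG_WITH([openssl-version-check],
    AS_HELP_STRING([--without-openssl-version-check], [Do not check for known-broken OpenSSL versions]))
AC_ARG_WITH([gnutls-version-check],
    AS_HELP_STRING([--without-gnutls-version-check], [Do not check for known-broken GnuTLS versions]))

# Optional compiled-in GnuTLS priority string, which sets the TLS protocol and
# cipher policy.  The variable is cleared when the option is absent so that a
# value inherited from the environment is not picked up.  A bare
# --with-default-gnutls-priority arrives as "yes" and
# --without-default-gnutls-priority as "no"; neither is a priority string, so
# the first is refused and the second means no compiled-in default.
# The string is pasted into a C literal unescaped.
AC_ARG_WITH([default-gnutls-priority],
    AS_HELP_STRING([--with-default-gnutls-priority=STRING],
	[Provide a default string as GnuTLS priority string]),
    [default_gnutls_priority=$withval],
    [default_gnutls_priority=])
case "$default_gnutls_priority" in
    yes)
	AC_MSG_ERROR([--with-default-gnutls-priority needs a priority string argument])
	;;
    no)
	default_gnutls_priority=
	;;
esac
if test -n "$default_gnutls_priority"; then
   AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
fi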
401
402tss2lib=
403case "$ssl_library" in
404    OpenSSL)
405	oldLIBS="${LIBS}"
406	oldCFLAGS="${CFLAGS}"
407	LIBS="${LIBS} ${OPENSSL_LIBS}"
408	CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
409
410	# Check for the various known-broken versions of OpenSSL, which includes LibreSSL.
411	if test "$with_openssl_version_check" != "no"; then
412	    AC_MSG_CHECKING([for known-broken versions of OpenSSL])
413	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],
414				[#if defined(LIBRESSL_VERSION_NUMBER)
415				#error Bad OpenSSL
416				#endif
417				])],
418			  [],
419			  [AC_MSG_RESULT(yes)
420			   AC_MSG_ERROR([LibreSSL does not support Cisco DTLS.]
421[Build with OpenSSL or GnuTLS instead.])])
422	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
423				    (OPENSSL_VERSION_NUMBER == 0x10002000L || \
424				    (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
425				    (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
426				#error Bad OpenSSL
427				#endif
428				])],
429			  [],
430			  [AC_MSG_RESULT(yes)
431			   AC_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.]
432[See http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest]
433[Add --without-openssl-version-check to configure args to avoid this check, or]
434[perhaps consider building with GnuTLS instead.])])
435	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
436				    (OPENSSL_VERSION_NUMBER == 0x1000200fL)
437				#error Bad OpenSSL
438				#endif
439				])],
440			  [],
441			  [AC_MSG_RESULT(yes)
442			   AC_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.]
443[See http://rt.openssl.org/Ticket/Display.html?id=3703&user=guest&pass=guest]
444[and http://rt.openssl.org/Ticket/Display.html?id=3711&user=guest&pass=guest]
445[Add --without-openssl-version-check to configure args to avoid this check, or]
446[perhaps consider building with GnuTLS instead.])])
447	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
448				    ((OPENSSL_VERSION_NUMBER >= 0x10001110L && OPENSSL_VERSION_NUMBER <= 0x10001150L) || \
449				     (OPENSSL_VERSION_NUMBER >= 0x10002050L && OPENSSL_VERSION_NUMBER <= 0x10002090L))
450				#error Bad OpenSSL
451				#endif
452				])],
453			  [],
454			  [AC_MSG_RESULT(yes)
455			   AC_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.]
456[See http://rt.openssl.org/Ticket/Display.html?id=4631&user=guest&pass=guest]
457[Add --without-openssl-version-check to configure args to avoid this check, or]
458[perhaps consider building with GnuTLS instead.])])
459	    AC_MSG_RESULT(no)
460	fi
461
462	AC_MSG_CHECKING([for ENGINE_by_id() in OpenSSL])
463	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/engine.h>],
464					[ENGINE_by_id("foo");])],
465		       [AC_MSG_RESULT(yes)
466			AC_DEFINE(HAVE_ENGINE, [1], [OpenSSL has ENGINE support])],
467		       [AC_MSG_RESULT(no)
468			AC_MSG_NOTICE([Building without OpenSSL TPM ENGINE support])])
469
470	AC_MSG_CHECKING([for dtls1_stop_timer() in OpenSSL])
471	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>
472					 #include <stdlib.h>
473					 extern void dtls1_stop_timer(SSL *);],
474					[dtls1_stop_timer(NULL);])],
475		       [AC_MSG_RESULT(yes)
476			AC_DEFINE(HAVE_DTLS1_STOP_TIMER, [1], [OpenSSL has dtls1_stop_timer() function])],
477		       [AC_MSG_RESULT(no)])
478
479	# DTLS_client_method() and DTLSv1_2_client_method() were both added between
480	# OpenSSL v1.0.1 and v1.0.2. DTLSV1.2_client_method() was later deprecated
481	# in v1.1.0 so we use DTLS_client_method() as our check for DTLSv1.2 support
482	# and that's what we actually use in openssl-dtls.c too.
483	AC_MSG_CHECKING([for DTLS_client_method() in OpenSSL])
484	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
485					[DTLS_client_method();])],
486		       [AC_MSG_RESULT(yes)
487			AC_DEFINE(HAVE_DTLS12, [1], [OpenSSL has DTLS_client_method() function])],
488		       [AC_MSG_RESULT(no)])
489
490	AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version() in OpenSSL])
491	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
492					[SSL_CTX_set_min_proto_version((void *)0, 0);])],
493		       [AC_MSG_RESULT(yes)
494			AC_DEFINE(HAVE_SSL_CTX_PROTOVER, [1], [OpenSSL has SSL_CTX_set_min_proto_version() function])],
495		       [AC_MSG_RESULT(no)])
496
497	AC_MSG_CHECKING([for BIO_meth_free() in OpenSSL])
498	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/bio.h>],
499					[BIO_meth_free((void *)0);])],
500		       [AC_MSG_RESULT(yes)
501			AC_DEFINE(HAVE_BIO_METH_FREE, [1], [OpenSSL has BIO_meth_free() function])],
502		       [AC_MSG_RESULT(no)])
503
504	AC_CHECK_FUNC(HMAC_CTX_copy,
505		      [esp=yes],
506		      [AC_MSG_WARN([ESP support will be disabled])])
507
508	AC_MSG_CHECKING([for SSL_CIPHER_find() in OpenSSL])
509	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
510					[SSL_CIPHER_find((void *)0, "");])],
511		       [AC_MSG_RESULT(yes)
512			AC_DEFINE(HAVE_SSL_CIPHER_FIND, [1], [OpenSSL has SSL_CIPHER_find() function])],
513		       [AC_MSG_RESULT(no)])
514
515	LIBS="${oldLIBS}"
516	CFLAGS="${oldCFLAGS}"
517
518	dtls=yes
519	AC_DEFINE(OPENCONNECT_OPENSSL, 1, [Using OpenSSL])
520	AC_SUBST(SSL_LIBS, ['$(OPENSSL_LIBS)'])
521	AC_SUBST(SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
522	;;
523
524    GnuTLS)
525	oldlibs="$LIBS"
526	oldcflags="$CFLAGS"
527	LIBS="$LIBS $GNUTLS_LIBS"
528	CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
529	esp=yes
530	dtls=yes
531
532	# Check for the known-broken versions of GnuTLS,
533	if test "$with_gnutls_version_check" != "no"; then
534           AC_MSG_CHECKING([for known-broken versions of GnuTLS])
535           AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <gnutls/gnutls.h>],
536			       [#if GNUTLS_VERSION_NUMBER >= 0x030603 && GNUTLS_VERSION_NUMBER <= 0x03060c
537			       #error Bad GnuTLS
538			       #endif
539			       ])],
540			 [],
541			 [AC_MSG_RESULT(yes)
542			  AC_MSG_ERROR([DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.]
543[See https://gitlab.com/gnutls/gnutls/issues/960]
544[Add --without-gnutls-version-check to configure args to avoid this check (DTLS]
545[will still be disabled at runtime), or build with another version.])])
546	   AC_MSG_RESULT(no)
547       fi
548
549	AC_CHECK_FUNC(gnutls_system_key_add_x509,
550		      [AC_DEFINE(HAVE_GNUTLS_SYSTEM_KEYS, 1, [From GnuTLS 3.4.0])], [])
551	AC_CHECK_FUNC(gnutls_pkcs11_add_provider,
552		      [PKG_CHECK_MODULES(P11KIT, p11-kit-1,
553					 [AC_DEFINE(HAVE_P11KIT, 1, [Have. P11. Kit.])
554					  pkcs11_support=GnuTLS
555					  AC_SUBST(P11KIT_PC, p11-kit-1)],
556					 [:])], [])
557	LIBS="$oldlibs -ltspi"
558	AC_MSG_CHECKING([for tss library])
559	AC_LINK_IFELSE([AC_LANG_PROGRAM([
560					   #include <trousers/tss.h>
561					   #include <trousers/trousers.h>],[
562					   int err = Tspi_Context_Create((void *)0);
563					   Trspi_Error_String(err);])],
564		       [AC_MSG_RESULT(yes)
565			AC_SUBST([TSS_LIBS], [-ltspi])
566			AC_SUBST([TSS_CFLAGS], [])
567			AC_DEFINE(HAVE_TROUSERS, 1, [Have Trousers TSS library])],
568		       [AC_MSG_RESULT(no)])
569	LIBS="$oldlibs"
570	CFLAGS="$oldcflags"
571
572	PKG_CHECK_MODULES(TASN1, [libtasn1], [have_tasn1=yes], [have_tasn1=no])
573	if test "$have_tasn1" = "yes"; then
574	   PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys tss2-mu],
575			     [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])
576			      AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) $(TSS2_ESYS_CFLAGS)'])
577			      AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_ESYS_LIBS)'])
578			      tss2lib=tss2-esys],
579			     [:])
580	   if test "$tss2lib" = ""; then
581	       AC_CHECK_LIB([tss], [TSS_Create], [tss2inc=tss2
582						  tss2lib=tss],
583			    AC_CHECK_LIB([ibmtss], [TSS_Create], [tss2inc=ibmtss
584								  tss2lib=ibmtss], []))
585	       if test "$tss2lib" != ""; then
586		   AC_CHECK_HEADER($tss2inc/tss.h,
587				   [AC_DEFINE_UNQUOTED(HAVE_TSS2, $tss2inc, [TSS2 library])
588				    AC_SUBST(TSS2_LIBS, [-l$tss2lib])
589				    AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS)'])
590				    AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_LIBS)'])],
591				   [tss2lib=])
592	       fi
593	   fi
594	fi
595
596	AC_DEFINE(OPENCONNECT_GNUTLS, 1, [Using GnuTLS])
597	AC_SUBST(SSL_PC, [gnutls])
598	AC_SUBST(SSL_LIBS, ['$(GNUTLS_LIBS) $(TPM2_LIBS)'])
599	AC_SUBST(SSL_CFLAGS, ['$(GNUTLS_CFLAGS) $(TPM2_CFLAGS)'])
600	;;
601
602    *)
603	# This should never happen
604	AC_MSG_ERROR([No SSL library selected])
605	;;
606esac
607
608AM_CONDITIONAL(OPENCONNECT_TSS2_ESYS, [ test "$tss2lib" = "tss2-esys" ])
609AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" -o "$tss2lib" = "tss" ])
610
611test_pkcs11=
612if test "$pkcs11_support" != ""; then
613   AC_CHECK_PROG(test_pkcs11, softhsm2-util, yes)
614fi
615AM_CONDITIONAL(TEST_PKCS11, [ test "$test_pkcs11" = "yes" ])
616
617# The test is OpenSSL-only for now.
618AM_CONDITIONAL(CHECK_DTLS, [ test "$ssl_library" = "OpenSSL" ])
619
620AC_ARG_ENABLE([dtls-xfail],
621	AS_HELP_STRING([--enable-dtls-xfail], [Only for gitlab CI. Do not use]))
622AM_CONDITIONAL(DTLS_XFAIL, [test "$enable_dtls_xfail" = "yes" ])
623
624AC_ARG_ENABLE([dsa-tests],
625	AS_HELP_STRING([--disable-dsa-tests], [Disable DSA keys in self-test]),
626	[], [enable_dsa_tests=yes])
627AM_CONDITIONAL(TEST_DSA, [test "$enable_dsa_tests" = "yes"])
628
629AM_CONDITIONAL(OPENCONNECT_GNUTLS,  [ test "$ssl_library" = "GnuTLS" ])
630AM_CONDITIONAL(OPENCONNECT_OPENSSL, [ test "$ssl_library" = "OpenSSL" ])
631AM_CONDITIONAL(OPENCONNECT_ESP, [ test "$esp" != "" ])
632AM_CONDITIONAL(OPENCONNECT_DTLS, [ test "$dtls" != "" ])
633
634if test "$esp" != ""; then
635    AC_DEFINE(HAVE_ESP, 1, [Build with ESP support])
636fi
637if test "$dtls" != ""; then
638    AC_DEFINE(HAVE_DTLS, 1, [Build with DTLS support])
639fi
640
641AC_ARG_WITH(lz4,
642  AS_HELP_STRING([--without-lz4], [disable support for LZ4 compression]),
643  test_for_lz4=$withval,
644  test_for_lz4=yes)
645
646lz4_pkg=no
647if test "$test_for_lz4" = yes; then
648PKG_CHECK_MODULES([LIBLZ4], [liblz4], [
649	AC_SUBST(LIBLZ4_PC, liblz4)
650	AC_DEFINE([HAVE_LZ4], [], [LZ4 was found])
651	lz4_pkg=yes
652	oldLIBS="$LIBS"
653	LIBS="$LIBS $LIBLZ4_LIBS"
654	oldCFLAGS="$CFLAGS"
655	CFLAGS="$CFLAGS $LIBLZ4_CFLAGS"
656	AC_MSG_CHECKING([for LZ4_compress_default()])
657	AC_LINK_IFELSE([AC_LANG_PROGRAM([
658		   #include <lz4.h>],[
659		   LZ4_compress_default("", (char *)0, 0, 0);])],
660		  [AC_MSG_RESULT(yes)
661		   AC_DEFINE([HAVE_LZ4_COMPRESS_DEFAULT], [], [From LZ4 r129])
662		  ],
663		  [AC_MSG_RESULT(no)])
664	LIBS="$oldLIBS"
665	CFLAGS="$oldCFLAGS"
666],
667[
668	AC_MSG_WARN([[
669***
670*** lz4 not found.
671*** ]])
672])
673fi
674
675# For some bizarre reason now that we use AM_ICONV, the mingw32 build doesn't
676# manage to set EGREP properly in the created ./libtool script. Make sure it's
677# found.
678AC_PROG_EGREP
679
680# Needs to happen after we default to static/shared libraries based on OpenSSL
681AC_PROG_LIBTOOL
682if test "$use_openbsd_libtool" = "true" && test -x /usr/bin/libtool; then
683	echo using OpenBSD libtool
684	LIBTOOL=/usr/bin/libtool
685fi
686AM_CONDITIONAL(OPENBSD_LIBTOOL, [ test "$use_openbsd_libtool" = "true" ])
687
688AX_CHECK_VSCRIPT
689
690PKG_CHECK_MODULES(LIBXML2, libxml-2.0)
691
692PKG_CHECK_MODULES(ZLIB, zlib, [AC_SUBST(ZLIB_PC, [zlib])],
693		  [oldLIBS="$LIBS"
694		  LIBS="$LIBS -lz"
695		  AC_MSG_CHECKING([for zlib without pkg-config])
696		  AC_LINK_IFELSE([AC_LANG_PROGRAM([
697		   #include <zlib.h>],[
698		   z_stream zs;
699		   deflateInit2(&zs, Z_DEFAULT_COMPRESSION, Z_DEFLATED,
700		   		-12, 9, Z_DEFAULT_STRATEGY);])],
701		  [AC_MSG_RESULT(yes)
702		   AC_SUBST([ZLIB_LIBS], [-lz])
703		   AC_SUBST([ZLIB_CFLAGS], [])],
704  		  [AC_MSG_RESULT(no)
705		   AC_ERROR([Could not build against zlib])])
706		  LIBS="$oldLIBS"])
707
708AC_ARG_WITH([libproxy],
709	AS_HELP_STRING([--without-libproxy],
710	[Build without libproxy library [default=auto]]))
711AS_IF([test "x$with_libproxy" != "xno"], [
712	PKG_CHECK_MODULES(LIBPROXY, libproxy-1.0,
713			[AC_SUBST(LIBPROXY_PC, libproxy-1.0)
714			 AC_DEFINE([LIBPROXY_HDR], ["proxy.h"], [libproxy header file])
715			 libproxy_pkg=yes],
716			 libproxy_pkg=no)
717], [libproxy_pkg=disabled])
718
719dnl Libproxy *can* exist without a .pc file, and its header may be called
720dnl libproxy.h in that case.
721if (test "$libproxy_pkg" = "no"); then
722   AC_MSG_CHECKING([for libproxy])
723   oldLIBS="$LIBS"
724   LIBS="$LIBS -lproxy"
725   AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <libproxy.h>],
726			   [(void)px_proxy_factory_new();])],
727	  [AC_MSG_RESULT(yes (with libproxy.h))
728	   AC_DEFINE([LIBPROXY_HDR], ["libproxy.h"], [libproxy header file])
729	   AC_SUBST([LIBPROXY_LIBS], [-lproxy])
730	   libproxy_pkg=yes],
731	  [AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <proxy.h>],
732				  [(void)px_proxy_factory_new();])],
733		  [AC_MSG_RESULT(yes (with proxy.h))
734		   AC_DEFINE([LIBPROXY_HDR], ["proxy.h"], [libproxy header file])
735		   AC_SUBST([LIBPROXY_LIBS], [-lproxy])
736		   libproxy_pkg=yes],
737		   [AC_MSG_RESULT(no)])])
738   LIBS="$oldLIBS"
739fi
740
741AC_ARG_WITH([stoken],
742	AS_HELP_STRING([--without-stoken],
743	[Build without libstoken library [default=auto]]))
744AS_IF([test "x$with_stoken" != "xno"], [
745	PKG_CHECK_MODULES(LIBSTOKEN, stoken,
746			[AC_SUBST(LIBSTOKEN_PC, stoken)
747			 AC_DEFINE([HAVE_LIBSTOKEN], 1, [Have libstoken])
748			 libstoken_pkg=yes],
749			 libstoken_pkg=no)
750], [libstoken_pkg=disabled])
751AM_CONDITIONAL(OPENCONNECT_STOKEN, [test "$libstoken_pkg" = "yes"])
752
753AC_ARG_WITH([libpcsclite],
754	AS_HELP_STRING([--without-libpcsclite],
755	[Build without libpcsclite library (for Yubikey support) [default=auto]]))
756AS_IF([test "x$with_libpcsclite" != "xno"], [
757	if test "$system_pcsc_libs" != ""; then
758	   AC_SUBST(LIBPCSCLITE_LIBS, "$system_pcsc_libs")
759	   AC_SUBST(LIBPCSCLITE_CFLAGS, "$system_pcsc_cflags")
760	   AC_SUBST(system_pcsc_libs)
761	   libpcsclite_pkg=yes
762	else
763	    PKG_CHECK_MODULES(LIBPCSCLITE, libpcsclite,
764			[AC_SUBST(LIBPCSCLITE_PC, libpcsclite)
765			 libpcsclite_pkg=yes],
766			libpcsclite_pkg=no)
767	fi
768], [libpcsclite_pkg=disabled])
769if test "$libpcsclite_pkg" = "yes"; then
770    AC_DEFINE([HAVE_LIBPCSCLITE], 1, [Have libpcsclite])
771fi
772AM_CONDITIONAL(OPENCONNECT_LIBPCSCLITE, [test "$libpcsclite_pkg" = "yes"])
773
774AC_ARG_WITH([libpskc],
775	AS_HELP_STRING([--without-libpskc],
776	[Build without libpskc library [default=auto]]))
777AS_IF([test "x$with_libpskc" != "xno"], [
778	PKG_CHECK_MODULES(LIBPSKC, [libpskc >= 2.2.0],
779		[AC_SUBST(LIBPSKC_PC, libpskc)
780		 AC_DEFINE([HAVE_LIBPSKC], 1, [Have libpskc])
781		 libpskc_pkg=yes],
782		 libpskc_pkg=no)])
783
784linked_gssapi=no
785AC_ARG_WITH([gssapi],
786	AS_HELP_STRING([--without-gssapi],
787	[Build without GSSAPI support [default=auto]]))
788
# GSSAPI_CHECK_BUILD
# ------------------
# Try to link a small program that calls gss_init_sec_context() with
# $GSSAPI_LIBS appended to LIBS, and record the outcome in linked_gssapi as
# yes or no.  LIBS is restored before returning.
# The header comes from the GSSAPI_HDR preprocessor symbol, which the caller
# must already have defined.  The macro does not touch CFLAGS, so any include
# path has to be in place before it is invoked.
AC_DEFUN([GSSAPI_CHECK_BUILD], [
	gss_old_libs="$LIBS"
	LIBS="$LIBS $GSSAPI_LIBS"
	AC_MSG_CHECKING([GSSAPI compilation with "${GSSAPI_LIBS}"])
	AC_LINK_IFELSE(
	    [AC_LANG_PROGRAM([
			#include <stdlib.h>
			#include GSSAPI_HDR],[
			OM_uint32 major, minor;
			gss_buffer_desc b = GSS_C_EMPTY_BUFFER;
			gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
			gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ctx, GSS_C_NO_NAME, GSS_C_NO_OID,
			    GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
			    NULL, NULL, NULL);])],
	    [AC_MSG_RESULT([yes])
	     linked_gssapi=yes],
	    [AC_MSG_RESULT([no])
	     linked_gssapi=no])
	LIBS="$gss_old_libs"
])
808
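# Attempt to work out how to build with GSSAPI. Mostly, krb5-config will
# exist and work. Tested on FreeBSD 9, OpenBSD 5.5, NetBSD 6.1.4. Solaris
# has krb5-config but it doesn't do GSSAPI so hard-code the results there.
# Older OpenBSD (I tested 5.2) lacks krb5-config so leave that as an example.
#
# Inputs: with_gssapi (empty, yes, no or an install prefix) and optional
# user-supplied GSSAPI_LIBS / GSSAPI_CFLAGS. Result: linked_gssapi is yes
# only when a test program actually linked; HAVE_GSSAPI and the two
# substituted flag variables are emitted in that case only.
#
# Note for packagers: the krb5-config found below is executed by configure
# and its output is used verbatim as compiler and linker flags. It is
# looked up in the chosen prefix, or in /usr/kerberos/bin, ahead of PATH,
# so those directories need to be trusted on the build host.
#
# Compound conditions use separate test commands joined by the shell
# rather than the -a and -o operators, which are not portable.
if test "$with_gssapi" != "no"; then
    found_gssapi=no

    # Anything other than empty or yes is taken as an installation prefix.
    if test -n "${with_gssapi}" && test "${with_gssapi}" != "yes"; then
        gssapi_root="${with_gssapi}"
    else
        gssapi_root=""
    fi

    # First: if they specify GSSAPI_LIBS and/or GSSAPI_CFLAGS then use them.
    if test "$GSSAPI_LIBS$GSSAPI_CFLAGS" != ""; then
        found_gssapi=yes
    fi

    # Second: try finding a viable krb5-config that supports gssapi
    if test "$found_gssapi" = "no"; then
        if test -n "${gssapi_root}"; then
            krb5path="${gssapi_root}/bin:$PATH"
        else
            krb5path="/usr/kerberos/bin:$PATH"
        fi

        # Prefer a host-prefixed tool when a host alias is set.
        if test -n "$host_alias"; then
            AC_PATH_PROG(KRB5_CONFIG, [${host_alias}-krb5-config], [], [$krb5path])
        fi
        if test "$KRB5_CONFIG" = ""; then
            AC_PATH_PROG(KRB5_CONFIG, [krb5-config], [], [$krb5path])
        fi
        if test "$KRB5_CONFIG" != ""; then
            AC_MSG_CHECKING([whether $KRB5_CONFIG supports gssapi])
            if "${KRB5_CONFIG}" --cflags gssapi > /dev/null 2>/dev/null; then
                AC_MSG_RESULT(yes)
                found_gssapi=yes
                GSSAPI_LIBS="`"${KRB5_CONFIG}" --libs gssapi`"
                GSSAPI_CFLAGS="`"${KRB5_CONFIG}" --cflags gssapi`"
            else
                AC_MSG_RESULT(no)
            fi
        fi
    fi

    # Third: look for <gssapi.h> or <gssapi/gssapi.h> in some likely places,
    #        and we'll worry about how to *link* it in a moment...
    if test "$found_gssapi" = "no"; then
        if test -n "${gssapi_root}"; then
            if test -r "${gssapi_root}/include/gssapi.h" ||
               test -r "${gssapi_root}/include/gssapi/gssapi.h"; then
                GSSAPI_CFLAGS="-I\"${gssapi_root}/include\""
            fi
        else
            if test -r /usr/kerberos/include/gssapi.h ||
               test -r /usr/kerberos/include/gssapi/gssapi.h; then
                GSSAPI_CFLAGS=-I/usr/kerberos/include
            elif test -r /usr/include/kerberosV/gssapi.h ||
                 test -r /usr/include/kerberosV/gssapi/gssapi.h; then
                # OpenBSD 5.2 puts it here
                GSSAPI_CFLAGS=-I/usr/include/kerberosV
            else
                # Maybe it'll Just Work
                GSSAPI_CFLAGS=
            fi
        fi
    fi

    # The header checks below must see the candidate include path, so it is
    # added to CFLAGS temporarily and removed again once the probe is done.
    oldcflags="$CFLAGS"
    CFLAGS="$CFLAGS ${GSSAPI_CFLAGS}"

    # OK, now see if we've correctly managed to find gssapi.h at least...
    gssapi_hdr=
    AC_CHECK_HEADER([gssapi/gssapi.h],
        [gssapi_hdr="<gssapi/gssapi.h>"],
        [AC_CHECK_HEADER([gssapi.h],
            [gssapi_hdr="<gssapi.h>"],
            [AC_MSG_WARN([Cannot find <gssapi/gssapi.h> or <gssapi.h>])])])

    # Finally, unless we've already failed, see if we can link it.
    linked_gssapi=no
    if test -n "${gssapi_hdr}"; then
        AC_DEFINE_UNQUOTED(GSSAPI_HDR, $gssapi_hdr, [GSSAPI header])
        if test "$found_gssapi" = "yes"; then
            # We think we have GSSAPI_LIBS already so try it...
            GSSAPI_CHECK_BUILD
        else
            LFLAG=
            if test -n "$gssapi_root"; then
                # NOTE(review): libsuff is not assigned in this part of the
                # file; presumably empty or a lib directory suffix - confirm.
                LFLAG="-L\"${gssapi_root}/lib$libsuff\""
            fi
            # Candidate link lines, tried in this order until one links:
            #   1. Solaris, HPUX, etc.
            #   2. plain -lgssapi
            #   3. plain -lgssapi_krb5
            #   4. OpenBSD 5.2 at least
            #   5. MIT
            #   6. Heimdal
            # On total failure GSSAPI_LIBS keeps the last candidate tried.
            for gss_try in \
                "-lgss" \
                "-lgssapi" \
                "-lgssapi_krb5" \
                "-lgssapi -lkrb5 -lcrypto" \
                "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
                "-lkrb5 -lcrypto -lasn1 -lcom_err -lroken -lgssapi"; do
                GSSAPI_LIBS="$LFLAG $gss_try"
                GSSAPI_CHECK_BUILD
                if test "$linked_gssapi" = "yes"; then
                    break
                fi
            done
            if test "$linked_gssapi" = "no"; then
                AC_MSG_WARN([Cannot find GSSAPI. Try setting GSSAPI_LIBS and GSSAPI_CFLAGS manually])
            fi
        fi
    fi

    CFLAGS="$oldcflags"

    if test "$linked_gssapi" = "yes"; then
        AC_DEFINE([HAVE_GSSAPI], 1, [Have GSSAPI support])
        AC_SUBST(GSSAPI_CFLAGS)
        AC_SUBST(GSSAPI_LIBS)
    elif test "$with_gssapi" = ""; then
        # Auto mode: carry on without GSSAPI and drop any partial flags.
        AC_MSG_WARN([Building without GSSAPI support])
        unset GSSAPI_CFLAGS
        unset GSSAPI_LIBS
    else
        # GSSAPI was asked for explicitly, so a failed probe is fatal.
        AC_MSG_ERROR([GSSAPI support requested but not found. Try setting GSSAPI_LIBS/GSSAPI_CFLAGS])
    fi
fi
AM_CONDITIONAL(OPENCONNECT_GSSAPI, [test "$linked_gssapi" = "yes"])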
945
# JNI bindings are off by default. --with-java alone locates jni.h through
# the JNI include-dir macro; --with-java=DIR uses DIR as the include path.
AC_ARG_WITH([java],
	AS_HELP_STRING([--with-java(=DIR)],
		       [Build JNI bindings using jni.h from DIR [default=no]]),
	[], [with_java=no])

case "$with_java" in
    yes)
	AX_JNI_INCLUDE_DIR
	for JNI_INCLUDE_DIR in $JNI_INCLUDE_DIRS; do
	    JNI_CFLAGS="$JNI_CFLAGS -I$JNI_INCLUDE_DIR"
	done
	;;
    no)
	JNI_CFLAGS=""
	;;
    *)
	JNI_CFLAGS="-I$with_java"
	;;
esac

if test "x$JNI_CFLAGS" != "x"; then
	# Compile a trivial program against jni.h with the chosen flags and
	# abort configure if that fails; CFLAGS is restored afterwards.
	oldCFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS $JNI_CFLAGS"
	AC_MSG_CHECKING([jni.h usability])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <jni.h>],
		[jint foo = 0; (void)foo;])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no])
		 AC_MSG_ERROR([unable to compile JNI test program])])
	CFLAGS="$oldCFLAGS"

	AC_SUBST(JNI_CFLAGS, [$JNI_CFLAGS])
fi

AM_CONDITIONAL(OPENCONNECT_JNI, [test "$JNI_CFLAGS" != ""])
977
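# --enable-jni-standalone builds the JNI stubs into libopenconnect itself.
# In that mode every exported Java_ symbol named in jni.c is collected into
# SYMVER_JAVA as a list of names, each followed by a semicolon.
AC_ARG_ENABLE([jni-standalone],
	AS_HELP_STRING([--enable-jni-standalone],
		       [build JNI stubs directly into libopenconnect.so [default=no]]),
	[jni_standalone=$enableval],
	[jni_standalone=no])
# The value is quoted here: an empty or multi-word argument would otherwise
# make test fail with a syntax error instead of simply comparing unequal.
AM_CONDITIONAL(JNI_STANDALONE, [test "$jni_standalone" = yes])
symver_java=
if test "$jni_standalone" = "yes" ; then
   # srcdir is quoted so that a source path containing spaces still works.
   symver_java=$(sed -n '/JNIEXPORT/{s/^JNIEXPORT.*\(Java_.*\) *(/\1;/ p}' "${srcdir}/jni.c")
   # Remove the newlines between each item.
   symver_java=$(echo $symver_java)
fi
AC_SUBST(SYMVER_JAVA, $symver_java)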
991
# Locate the tun driver header. Candidates are tried in order and the first
# one found is recorded in IF_TUN_HDR; if none exists it stays undefined.
AC_CHECK_HEADER([if_tun.h],
	[AC_DEFINE([IF_TUN_HDR], ["if_tun.h"], [if_tun.h include path])],
	[AC_CHECK_HEADER([linux/if_tun.h],
		[AC_DEFINE([IF_TUN_HDR], ["linux/if_tun.h"])],
		[AC_CHECK_HEADER([net/if_tun.h],
			[AC_DEFINE([IF_TUN_HDR], ["net/if_tun.h"])],
			[AC_CHECK_HEADER([net/tun/if_tun.h],
				[AC_DEFINE([IF_TUN_HDR], ["net/tun/if_tun.h"])])])])])

# net/if_utun.h is checked with sys/types.h included ahead of it.
AC_CHECK_HEADER([net/if_utun.h],
	[AC_DEFINE([HAVE_NET_UTUN_H], [1], [Have net/if_utun.h])],
	[],
	[#include <sys/types.h>])

AC_CHECK_HEADER([alloca.h],
	[AC_DEFINE([HAVE_ALLOCA_H], [1], [Have alloca.h])])

# Same first-match scheme for the byte-order header, recorded in ENDIAN_HDR.
AC_CHECK_HEADER([endian.h],
	[AC_DEFINE([ENDIAN_HDR], [<endian.h>], [endian header include path])],
	[AC_CHECK_HEADER([sys/endian.h],
		[AC_DEFINE([ENDIAN_HDR], [<sys/endian.h>])],
		[AC_CHECK_HEADER([sys/isa_defs.h],
			[AC_DEFINE([ENDIAN_HDR], [<sys/isa_defs.h>])])])])
1012
# The HTML pages are built only when a Python interpreter is found and a
# groff is available that can produce UTF-8 XHTML. The groff probe is
# skipped entirely when Python is missing.
build_www=yes
AC_PATH_PROGS(PYTHON, [python3 python2 python], [], $PATH:/bin:/usr/bin)
if test -n "${ac_cv_path_PYTHON}"; then
   AC_MSG_CHECKING([if groff can create UTF-8 XHTML])
   # A candidate groff is accepted only if it formats an empty input
   # with the options the documentation build needs.
   AC_PATH_PROGS_FEATURE_CHECK([GROFF], [groff],
	[$ac_path_GROFF -t -K UTF-8 -mandoc -Txhtml /dev/null > /dev/null 2>&1 &&
	 ac_cv_path_GROFF=$ac_path_GROFF])
   if test -z "$ac_cv_path_GROFF"; then
      AC_MSG_RESULT([no. Not building HTML pages])
      build_www=no
   else
      AC_MSG_RESULT(yes)
      AC_SUBST(GROFF, ${ac_cv_path_GROFF})
   fi
else
   AC_MSG_NOTICE([Python not found; not building HTML pages])
   build_www=no
fi
AM_CONDITIONAL(BUILD_WWW, [test "${build_www}" = "yes"])
1033
# Checks for tests
# The unit tests need both cwrap helper libraries, located via pkg-config.
PKG_CHECK_MODULES([CWRAP], [uid_wrapper, socket_wrapper],
	[have_cwrap=yes],
	[have_cwrap=no])
AM_CONDITIONAL([HAVE_CWRAP], [test "x$have_cwrap" != xno])
1037
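# Network namespace tests need nuttcp and an ip binary that can create a
# namespace. The probe really creates and then deletes a throwaway
# namespace on the build host; this typically needs elevated privileges,
# so have_netns is expected to stay no for an unprivileged configure run.
have_netns=no
AC_PATH_PROG(NUTTCP, nuttcp)
if test -n "$ac_cv_path_NUTTCP"; then
    AC_PATH_PROG(IP, ip, [], $PATH:/sbin:/usr/sbin)
    if test -n "$ac_cv_path_IP"; then
	AC_MSG_CHECKING([For network namespaces])
	NETNS=openconnect-configure-test-$$
	# Run the binary that was just located rather than a bare "ip": the
	# search above also covers /sbin and /usr/sbin, which may not be in
	# PATH, and this keeps the probe and the recorded path in agreement.
	if "$ac_cv_path_IP" netns add "$NETNS" >/dev/null 2>/dev/null; then
	    "$ac_cv_path_IP" netns delete "$NETNS"
	    have_netns=yes
	fi
	AC_MSG_RESULT($have_netns)
    fi
fi
AM_CONDITIONAL(HAVE_NETNS, test "x$have_netns" != xno)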
1053
# Extra inputs of this script and of the generated files. The list is
# substituted as one single-quoted make fragment, so the backslash line
# continuations and the top_srcdir references are passed through literally.
AC_SUBST([CONFIG_STATUS_DEPENDENCIES],
	 ['$(top_srcdir)/po/LINGUAS \
	   $(top_srcdir)/openconnect.h \
           $(top_srcdir)/libopenconnect.map.in \
	   $(top_srcdir)/openconnect.8.in \
	   $(top_srcdir)/tests/softhsm2.conf.in \
	   $(top_srcdir)/tests/configs/test-user-cert.config.in \
	   $(top_srcdir)/tests/configs/test-user-pass.config.in'])
1062
# Languages to build: po/LINGUAS with comment lines and trailing comments
# stripped, then flattened onto one line by the unquoted echo.
RAWLINGUAS=$(sed -e "/^#/d" -e "s/#.*//" "${srcdir}/po/LINGUAS")
LINGUAS=$(echo $RAWLINGUAS)
AC_SUBST([LINGUAS])

# Library API version, read from the two version defines in openconnect.h.
APIMAJOR="$(sed -n 's/^#define OPENCONNECT_API_VERSION_MAJOR \(.*\)/\1/p' ${srcdir}/openconnect.h)"
APIMINOR="$(sed -n 's/^#define OPENCONNECT_API_VERSION_MINOR \(.*\)/\1/p' ${srcdir}/openconnect.h)"
AC_SUBST([APIMAJOR])
AC_SUBST([APIMINOR])
1072
# version.c should be rebuilt whenever a file that influences the output
# of version.sh changes. Those files may be absent, and a non-GNU makefile
# has no wildcard function, so the dependency list is simply whichever of
# the candidate git files are readable when configure runs.
GITVERSIONDEPS=
for a in ${srcdir}/.git/index ${srcdir}/.git/packed-refs \
         ${srcdir}/.git/refs/tags ${srcdir}/.git/HEAD; do
    test -r $a || continue
    GITVERSIONDEPS="$GITVERSIONDEPS $a"
done
AC_SUBST([GITVERSIONDEPS])
1085
# Account that runs configure, and the first group that "groups" prints
# for it. NOTE(review): presumably consumed by the test configuration
# templates under tests/ - confirm; the values are fixed at configure time.
OCSERV_USER=$(whoami)
OCSERV_GROUP=$(groups|cut -f 1 -d ' ')
AC_SUBST([OCSERV_USER])
AC_SUBST([OCSERV_GROUP])
1088
# Output files produced from their templates, one per line.
AC_CONFIG_FILES([
	Makefile
	openconnect.pc
	po/Makefile
	www/Makefile
	libopenconnect.map
	openconnect.8
	www/styles/Makefile
	www/inc/Makefile
	www/images/Makefile
	tests/Makefile
	tests/softhsm2.conf
	tests/configs/test-user-cert.config
	tests/configs/test-user-pass.config
])
AC_OUTPUT
1095
# Print one line of the build summary. The first argument is the label and
# the second the raw result value, which is prettified before printing:
# openssl becomes OpenSSL, gnutls or both becomes GnuTLS, empty becomes no.
# Any other value is printed unchanged.
AC_DEFUN([SUMMARY],
	 [pretty="$2"
	 case "$pretty" in
	     openssl)
		 pretty=OpenSSL ;;
	     gnutls | both)
		 pretty=GnuTLS ;;
	     "")
		 pretty=no ;;
	 esac
	 echo "AS_HELP_STRING([$1:],[$pretty])"])
1106
# Human-readable recap of what was detected, printed once the output files
# have been generated. Unset result variables are shown as no.
echo "BUILD OPTIONS:"
SUMMARY([SSL library], [$ssl_library])
SUMMARY([[PKCS#11 support]], [$pkcs11_support])
SUMMARY([DTLS support], [$dtls])
SUMMARY([ESP support], [$esp])
SUMMARY([libproxy support], [$libproxy_pkg])
SUMMARY([RSA SecurID support], [$libstoken_pkg])
SUMMARY([PSKC OATH file support], [$libpskc_pkg])
SUMMARY([GSSAPI support], [$linked_gssapi])
SUMMARY([Yubikey support], [$libpcsclite_pkg])
SUMMARY([LZ4 compression], [$lz4_pkg])
SUMMARY([Java bindings], [$with_java])
SUMMARY([Build docs], [$build_www])
SUMMARY([Unit tests], [$have_cwrap])
SUMMARY([Net namespace tests], [$have_netns])

# Reminder for OpenSSL builds to exercise DTLS through the test suite.
case "$ssl_library" in
    OpenSSL)
	AC_MSG_WARN([[
***
*** Be sure to run "make check" to verify OpenSSL DTLS support
*** ]])
	;;
esac
1129