m4/krb5.m4

   1 dnl Find the compiler and linker flags for Kerberos.
   2 dnl
   3 dnl Finds the compiler and linker flags for linking with Kerberos libraries.
   4 dnl Provides the --with-krb5, --with-krb5-include, and --with-krb5-lib
   5 dnl configure options to specify non-standard paths to the Kerberos libraries.
   6 dnl Uses krb5-config where available unless reduced dependencies is requested
   7 dnl or --with-krb5-include or --with-krb5-lib are given.
   8 dnl
   9 dnl Provides the macro RRA_LIB_KRB5 and sets the substitution variables
  10 dnl KRB5_CPPFLAGS, KRB5_LDFLAGS, and KRB5_LIBS.  Also provides
  11 dnl RRA_LIB_KRB5_SWITCH to set CPPFLAGS, LDFLAGS, and LIBS to include the
  12 dnl Kerberos libraries, saving the current values first, and
  13 dnl RRA_LIB_KRB5_RESTORE to restore those settings to before the last
  14 dnl RRA_LIB_KRB5_SWITCH.  HAVE_KRB5 will always be defined if RRA_LIB_KRB5 is
  15 dnl used.
  16 dnl
  17 dnl If KRB5_CPPFLAGS, KRB5_LDFLAGS, or KRB5_LIBS are set before calling these
  18 dnl macros, their values will be added to whatever the macros discover.
  19 dnl
  20 dnl KRB5_CPPFLAGS_GCC will be set to the same value as KRB5_CPPFLAGS but with
  21 dnl any occurrences of -I changed to -isystem.  This may be useful to suppress
  22 dnl warnings from the Kerberos header files when building with GCC and
  23 dnl aggressive warning flags.  Be aware that this change will change the
  24 dnl compiler header file search order as well.
  25 dnl
  26 dnl Provides the RRA_LIB_KRB5_OPTIONAL macro, which should be used if Kerberos
  27 dnl support is optional.  In this case, Kerberos libraries are mandatory if
  28 dnl --with-krb5 is given, and will not be probed for if --without-krb5 is
  29 dnl given.  Otherwise, they'll be probed for but will not be required.
  30 dnl Defines HAVE_KRB5 and sets rra_use_KRB5 to true if the libraries are
  31 dnl found.  The substitution variables will always be set, but they will be
  32 dnl empty unless Kerberos libraries are found and the user did not disable
  33 dnl Kerberos support.
  34 dnl
  35 dnl Sets the Automake conditional KRB5_USES_COM_ERR saying whether we use
  36 dnl com_err, since if we're also linking with AFS libraries, we may have to
  37 dnl change library ordering in that case.
  38 dnl
  39 dnl Depends on RRA_KRB5_CONFIG, RRA_ENABLE_REDUCED_DEPENDS, and
  40 dnl RRA_SET_LDFLAGS.
  41 dnl
  42 dnl Also provides RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS, which checks
  43 dnl whether krb5_get_init_creds_opt_free takes one argument or two.  Defines
  44 dnl HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS if it takes two arguments.
  45 dnl
  46 dnl Also provides RRA_INCLUDES_KRB5, which are the headers to include when
  47 dnl probing the Kerberos library properties.
  48 dnl
  49 dnl The canonical version of this file is maintained in the rra-c-util
  50 dnl package, available at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  51 dnl
  52 dnl Written by Russ Allbery <eagle@eyrie.org>
  53 dnl Copyright 2018 Russ Allbery <eagle@eyrie.org>
  54 dnl Copyright 2005-2011, 2013-2014
  55 dnl     The Board of Trustees of the Leland Stanford Junior University
  56 dnl
  57 dnl This file is free software; the authors give unlimited permission to copy
  58 dnl and/or distribute it, with or without modifications, as long as this
  59 dnl notice is preserved.
  60 dnl
  61 dnl SPDX-License-Identifier: FSFULLR
  62
  63 dnl Ignore Automake conditionals if not using Automake.
  64 m4_define_default([AM_CONDITIONAL], [:])
  65
  66 dnl Headers to include when probing for Kerberos library properties.
  67 AC_DEFUN([RRA_INCLUDES_KRB5], [[
  68 #if HAVE_KRB5_H
  69 # include <krb5.h>
  70 #elif HAVE_KERBEROSV5_KRB5_H
  71 # include <kerberosv5/krb5.h>
  72 #else
  73 # include <krb5/krb5.h>
  74 #endif
  75 ]])
  76
  77 dnl Save the current CPPFLAGS, LDFLAGS, and LIBS settings and switch to
  78 dnl versions that include the Kerberos flags.  Used as a wrapper, with
  79 dnl RRA_LIB_KRB5_RESTORE, around tests.
  80 AC_DEFUN([RRA_LIB_KRB5_SWITCH],
  81 [rra_krb5_save_CPPFLAGS="$CPPFLAGS"
  82  rra_krb5_save_LDFLAGS="$LDFLAGS"
  83  rra_krb5_save_LIBS="$LIBS"
  84  CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
  85  LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
  86  LIBS="$KRB5_LIBS $LIBS"])
  87
  88 dnl Restore CPPFLAGS, LDFLAGS, and LIBS to their previous values (before
  89 dnl RRA_LIB_KRB5_SWITCH was called).
  90 AC_DEFUN([RRA_LIB_KRB5_RESTORE],
  91 [CPPFLAGS="$rra_krb5_save_CPPFLAGS"
  92  LDFLAGS="$rra_krb5_save_LDFLAGS"
  93  LIBS="$rra_krb5_save_LIBS"])
  94
  95 dnl Set KRB5_CPPFLAGS and KRB5_LDFLAGS based on rra_krb5_root,
  96 dnl rra_krb5_libdir, and rra_krb5_includedir.
  97 AC_DEFUN([_RRA_LIB_KRB5_PATHS],
  98 [AS_IF([test x"$rra_krb5_libdir" != x],
  99     [KRB5_LDFLAGS="-L$rra_krb5_libdir"],
 100     [AS_IF([test x"$rra_krb5_root" != x],
 101         [RRA_SET_LDFLAGS([KRB5_LDFLAGS], [$rra_krb5_root])])])
 102  AS_IF([test x"$rra_krb5_includedir" != x],
 103     [KRB5_CPPFLAGS="-I$rra_krb5_includedir"],
 104     [AS_IF([test x"$rra_krb5_root" != x],
 105         [AS_IF([test x"$rra_krb5_root" != x/usr],
 106             [KRB5_CPPFLAGS="-I${rra_krb5_root}/include"])])])])
 107
 108 dnl Check for a header using a file existence check rather than using
 109 dnl AC_CHECK_HEADERS.  This is used if there were arguments to configure
 110 dnl specifying the Kerberos header path, since we may have one header in the
 111 dnl default include path and another under our explicitly-configured Kerberos
 112 dnl location.
 113 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER],
 114 [AC_MSG_CHECKING([for $1])
 115  AS_IF([test -f "${rra_krb5_incroot}/$1"],
 116     [AC_DEFINE_UNQUOTED(AS_TR_CPP([HAVE_$1]), [1],
 117         [Define to 1 if you have the <$1> header file.])
 118      AC_MSG_RESULT([yes])],
 119     [AC_MSG_RESULT([no])])])
 120
 121 dnl Check for the com_err header.  Internal helper macro since we need
 122 dnl to do the same checks in multiple places.
 123 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR],
 124 [AS_IF([test x"$rra_krb5_incroot" = x],
 125     [AC_CHECK_HEADERS([et/com_err.h kerberosv5/com_err.h])],
 126         [_RRA_LIB_KRB5_CHECK_HEADER([et/com_err.h])
 127          _RRA_LIB_KRB5_CHECK_HEADER([kerberosv5/com_err.h])])])
 128
 129 dnl Check for the main Kerberos header.  Internal helper macro since we need
 130 dnl to do the same checks in multiple places.
 131 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER_KRB5],
 132 [AS_IF([test x"$rra_krb5_incroot" = x],
 133      [AC_CHECK_HEADERS([krb5.h kerberosv5/krb5.h krb5/krb5.h])],
 134      [_RRA_LIB_KRB5_CHECK_HEADER([krb5.h])
 135       _RRA_LIB_KRB5_CHECK_HEADER([kerberosv5/krb5.h])
 136       _RRA_LIB_KRB5_CHECK_HEADER([krb5/krb5.h])])])
 137
 138 dnl Does the appropriate library checks for reduced-dependency Kerberos
 139 dnl linkage.  The single argument, if true, says to fail if Kerberos could not
 140 dnl be found.
 141 AC_DEFUN([_RRA_LIB_KRB5_REDUCED],
 142 [RRA_LIB_KRB5_SWITCH
 143  AC_CHECK_LIB([krb5], [krb5_init_context],
 144     [KRB5_LIBS="-lkrb5"
 145      LIBS="$KRB5_LIBS $LIBS"
 146      _RRA_LIB_KRB5_CHECK_HEADER_KRB5
 147      AC_CHECK_FUNCS([krb5_get_error_message],
 148         [AC_CHECK_FUNCS([krb5_free_error_message])],
 149         [AC_CHECK_FUNCS([krb5_get_error_string], [],
 150             [AC_CHECK_FUNCS([krb5_get_err_txt], [],
 151                 [AC_CHECK_LIB([ksvc], [krb5_svc_get_msg],
 152                     [KRB5_LIBS="$KRB5_LIBS -lksvc"
 153                      AC_DEFINE([HAVE_KRB5_SVC_GET_MSG], [1])
 154                      AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
 155                         [RRA_INCLUDES_KRB5])],
 156                     [AC_CHECK_LIB([com_err], [com_err],
 157                         [KRB5_LIBS="$KRB5_LIBS -lcom_err"],
 158                         [AS_IF([test x"$1" = xtrue],
 159                             [AC_MSG_ERROR([cannot find usable com_err library])],
 160                             [KRB5_LIBS=""])])
 161                      _RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])],
 162      [AS_IF([test x"$1" = xtrue],
 163          [AC_MSG_ERROR([cannot find usable Kerberos library])])])
 164  RRA_LIB_KRB5_RESTORE])
 165
 166 dnl Does the appropriate library checks for Kerberos linkage when we don't
 167 dnl have krb5-config or reduced dependencies.  The single argument, if true,
 168 dnl says to fail if Kerberos could not be found.
 169 AC_DEFUN([_RRA_LIB_KRB5_MANUAL],
 170 [RRA_LIB_KRB5_SWITCH
 171  rra_krb5_extra=
 172  LIBS=
 173  AC_SEARCH_LIBS([res_search], [resolv], [],
 174     [AC_SEARCH_LIBS([__res_search], [resolv])])
 175  AC_SEARCH_LIBS([gethostbyname], [nsl])
 176  AC_SEARCH_LIBS([socket], [socket], [],
 177     [AC_CHECK_LIB([nsl], [socket], [LIBS="-lnsl -lsocket $LIBS"], [],
 178         [-lsocket])])
 179  AC_SEARCH_LIBS([crypt], [crypt])
 180  AC_SEARCH_LIBS([roken_concat], [roken])
 181  rra_krb5_extra="$LIBS"
 182  LIBS="$rra_krb5_save_LIBS"
 183  AC_CHECK_LIB([krb5], [krb5_init_context],
 184     [KRB5_LIBS="-lkrb5 -lasn1 -lcom_err -lcrypto $rra_krb5_extra"],
 185     [AC_CHECK_LIB([krb5support], [krb5int_getspecific],
 186         [rra_krb5_extra="-lkrb5support $rra_krb5_extra"],
 187         [AC_CHECK_LIB([pthreads], [pthread_setspecific],
 188             [rra_krb5_pthread="-lpthreads"],
 189             [AC_CHECK_LIB([pthread], [pthread_setspecific],
 190                 [rra_krb5_pthread="-lpthread"])])
 191          AC_CHECK_LIB([krb5support], [krb5int_setspecific],
 192             [rra_krb5_extra="-lkrb5support $rra_krb5_extra $rra_krb5_pthread"],
 193             [], [$rra_krb5_pthread $rra_krb5_extra])],
 194         [$rra_krb5_extra])
 195      AC_CHECK_LIB([com_err], [error_message],
 196         [rra_krb5_extra="-lcom_err $rra_krb5_extra"], [], [$rra_krb5_extra])
 197      AC_CHECK_LIB([ksvc], [krb5_svc_get_msg],
 198         [rra_krb5_extra="-lksvc $rra_krb5_extra"], [], [$rra_krb5_extra])
 199      AC_CHECK_LIB([k5crypto], [krb5int_hash_md5],
 200         [rra_krb5_extra="-lk5crypto $rra_krb5_extra"], [], [$rra_krb5_extra])
 201      AC_CHECK_LIB([k5profile], [profile_get_values],
 202         [rra_krb5_extra="-lk5profile $rra_krb5_extra"], [], [$rra_krb5_extra])
 203      AC_CHECK_LIB([krb5], [krb5_cc_default],
 204         [KRB5_LIBS="-lkrb5 $rra_krb5_extra"],
 205         [AS_IF([test x"$1" = xtrue],
 206             [AC_MSG_ERROR([cannot find usable Kerberos library])])],
 207         [$rra_krb5_extra])],
 208     [-lasn1 -lcom_err -lcrypto $rra_krb5_extra])
 209  LIBS="$KRB5_LIBS $LIBS"
 210  _RRA_LIB_KRB5_CHECK_HEADER_KRB5
 211  AC_CHECK_FUNCS([krb5_get_error_message],
 212      [AC_CHECK_FUNCS([krb5_free_error_message])],
 213      [AC_CHECK_FUNCS([krb5_get_error_string], [],
 214          [AC_CHECK_FUNCS([krb5_get_err_txt], [],
 215              [AC_CHECK_FUNCS([krb5_svc_get_msg],
 216                  [AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
 217                      [RRA_INCLUDES_KRB5])],
 218                  [_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
 219  RRA_LIB_KRB5_RESTORE])
 220
 221 dnl Sanity-check the results of krb5-config and be sure we can really link a
 222 dnl Kerberos program.  If that fails, clear KRB5_CPPFLAGS and KRB5_LIBS so
 223 dnl that we know we don't have usable flags and fall back on the manual
 224 dnl check.
 225 AC_DEFUN([_RRA_LIB_KRB5_CHECK],
 226 [RRA_LIB_KRB5_SWITCH
 227  AC_CHECK_FUNC([krb5_init_context],
 228     [RRA_LIB_KRB5_RESTORE],
 229     [RRA_LIB_KRB5_RESTORE
 230      KRB5_CPPFLAGS=
 231      KRB5_LIBS=
 232      _RRA_LIB_KRB5_PATHS
 233      _RRA_LIB_KRB5_MANUAL([$1])])])
 234
 235 dnl Determine Kerberos compiler and linker flags from krb5-config.  Does the
 236 dnl additional probing we need to do to uncover error handling features, and
 237 dnl falls back on the manual checks.
 238 AC_DEFUN([_RRA_LIB_KRB5_CONFIG],
 239 [RRA_KRB5_CONFIG([${rra_krb5_root}], [krb5], [KRB5],
 240     [_RRA_LIB_KRB5_CHECK([$1])
 241      RRA_LIB_KRB5_SWITCH
 242      _RRA_LIB_KRB5_CHECK_HEADER_KRB5
 243      AC_CHECK_FUNCS([krb5_get_error_message],
 244          [AC_CHECK_FUNCS([krb5_free_error_message])],
 245          [AC_CHECK_FUNCS([krb5_get_error_string], [],
 246              [AC_CHECK_FUNCS([krb5_get_err_txt], [],
 247                  [AC_CHECK_FUNCS([krb5_svc_get_msg],
 248                      [AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
 249                          [RRA_INCLUDES_KRB5])],
 250                      [_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
 251      RRA_LIB_KRB5_RESTORE],
 252     [_RRA_LIB_KRB5_PATHS
 253      _RRA_LIB_KRB5_MANUAL([$1])])])
 254
 255 dnl The core of the library checking, shared between RRA_LIB_KRB5 and
 256 dnl RRA_LIB_KRB5_OPTIONAL.  The single argument, if "true", says to fail if
 257 dnl Kerberos could not be found.  Set up rra_krb5_incroot for later header
 258 dnl checking.
 259 AC_DEFUN([_RRA_LIB_KRB5_INTERNAL],
 260 [AC_REQUIRE([RRA_ENABLE_REDUCED_DEPENDS])
 261  rra_krb5_incroot=
 262  AC_SUBST([KRB5_CPPFLAGS])
 263  AC_SUBST([KRB5_CPPFLAGS_GCC])
 264  AC_SUBST([KRB5_LDFLAGS])
 265  AC_SUBST([KRB5_LIBS])
 266  AS_IF([test x"$rra_krb5_includedir" != x],
 267     [rra_krb5_incroot="$rra_krb5_includedir"],
 268     [AS_IF([test x"$rra_krb5_root" != x],
 269         [rra_krb5_incroot="${rra_krb5_root}/include"])])
 270  AS_IF([test x"$rra_reduced_depends" = xtrue],
 271     [_RRA_LIB_KRB5_PATHS
 272      _RRA_LIB_KRB5_REDUCED([$1])],
 273     [AS_IF([test x"$rra_krb5_includedir" = x && test x"$rra_krb5_libdir" = x],
 274         [_RRA_LIB_KRB5_CONFIG([$1])],
 275         [_RRA_LIB_KRB5_PATHS
 276          _RRA_LIB_KRB5_MANUAL([$1])])])
 277  rra_krb5_uses_com_err=false
 278  AS_CASE([$KRB5_LIBS], [*-lcom_err*], [rra_krb5_uses_com_err=true])
 279  AM_CONDITIONAL([KRB5_USES_COM_ERR],
 280     [test x"$rra_krb5_uses_com_err" = xtrue])
 281  KRB5_CPPFLAGS_GCC=`echo "$KRB5_CPPFLAGS" | sed -e 's/-I/-isystem /g'`])
 282
 283 dnl The main macro for packages with mandatory Kerberos support.
 284 AC_DEFUN([RRA_LIB_KRB5],
 285 [rra_krb5_root=
 286  rra_krb5_libdir=
 287  rra_krb5_includedir=
 288  rra_use_KRB5=true
 289
 290  AC_ARG_WITH([krb5],
 291     [AS_HELP_STRING([--with-krb5=DIR],
 292         [Location of Kerberos headers and libraries])],
 293     [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
 294         [rra_krb5_root="$withval"])])
 295  AC_ARG_WITH([krb5-include],
 296     [AS_HELP_STRING([--with-krb5-include=DIR],
 297         [Location of Kerberos headers])],
 298     [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
 299         [rra_krb5_includedir="$withval"])])
 300  AC_ARG_WITH([krb5-lib],
 301     [AS_HELP_STRING([--with-krb5-lib=DIR],
 302         [Location of Kerberos libraries])],
 303     [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
 304         [rra_krb5_libdir="$withval"])])
 305  _RRA_LIB_KRB5_INTERNAL([true])
 306  AC_DEFINE([HAVE_KRB5], 1, [Define to enable Kerberos features.])])
 307
 308 dnl The main macro for packages with optional Kerberos support.
 309 AC_DEFUN([RRA_LIB_KRB5_OPTIONAL],
 310 [rra_krb5_root=
 311  rra_krb5_libdir=
 312  rra_krb5_includedir=
 313  rra_use_KRB5=
 314
 315  AC_ARG_WITH([krb5],
 316     [AS_HELP_STRING([--with-krb5@<:@=DIR@:>@],
 317         [Location of Kerberos headers and libraries])],
 318     [AS_IF([test x"$withval" = xno],
 319         [rra_use_KRB5=false],
 320         [AS_IF([test x"$withval" != xyes], [rra_krb5_root="$withval"])
 321          rra_use_KRB5=true])])
 322  AC_ARG_WITH([krb5-include],
 323     [AS_HELP_STRING([--with-krb5-include=DIR],
 324         [Location of Kerberos headers])],
 325     [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
 326         [rra_krb5_includedir="$withval"])])
 327  AC_ARG_WITH([krb5-lib],
 328     [AS_HELP_STRING([--with-krb5-lib=DIR],
 329         [Location of Kerberos libraries])],
 330     [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
 331         [rra_krb5_libdir="$withval"])])
 332
 333  AS_IF([test x"$rra_use_KRB5" != xfalse],
 334      [AS_IF([test x"$rra_use_KRB5" = xtrue],
 335          [_RRA_LIB_KRB5_INTERNAL([true])],
 336          [_RRA_LIB_KRB5_INTERNAL([false])])],
 337      [AM_CONDITIONAL([KRB5_USES_COM_ERR], [false])])
 338  AS_IF([test x"$KRB5_LIBS" != x],
 339     [rra_use_KRB5=true
 340      AC_DEFINE([HAVE_KRB5], 1, [Define to enable Kerberos features.])])])
 341
 342 dnl Source used by RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS.
 343 AC_DEFUN([_RRA_FUNC_KRB5_OPT_FREE_ARGS_SOURCE], [RRA_INCLUDES_KRB5] [[
 344 int
 345 main(void)
 346 {
 347     krb5_get_init_creds_opt *opts;
 348     krb5_context c;
 349     krb5_get_init_creds_opt_free(c, opts);
 350 }
 351 ]])
 352
 353 dnl Check whether krb5_get_init_creds_opt_free takes one argument or two.
 354 dnl Early Heimdal used to take a single argument.  Defines
 355 dnl HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS if it takes two arguments.
 356 dnl
 357 dnl Should be called with RRA_LIB_KRB5_SWITCH active.
 358 AC_DEFUN([RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS],
 359 [AC_CACHE_CHECK([if krb5_get_init_creds_opt_free takes two arguments],
 360     [rra_cv_func_krb5_get_init_creds_opt_free_args],
 361     [AC_COMPILE_IFELSE([AC_LANG_SOURCE([_RRA_FUNC_KRB5_OPT_FREE_ARGS_SOURCE])],
 362         [rra_cv_func_krb5_get_init_creds_opt_free_args=yes],
 363         [rra_cv_func_krb5_get_init_creds_opt_free_args=no])])
 364  AS_IF([test $rra_cv_func_krb5_get_init_creds_opt_free_args = yes],
 365     [AC_DEFINE([HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS], 1,
 366         [Define if krb5_get_init_creds_opt_free takes two arguments.])])])