1 dnl Find the compiler and linker flags for Kerberos.
3 dnl Finds the compiler and linker flags for linking with Kerberos libraries.
4 dnl Provides the --with-krb5, --with-krb5-include, and --with-krb5-lib
5 dnl configure options to specify non-standard paths to the Kerberos libraries.
6 dnl Uses krb5-config where available unless reduced dependencies is requested
7 dnl or --with-krb5-include or --with-krb5-lib are given.
9 dnl Provides the macro RRA_LIB_KRB5 and sets the substitution variables
10 dnl KRB5_CPPFLAGS, KRB5_LDFLAGS, and KRB5_LIBS. Also provides
11 dnl RRA_LIB_KRB5_SWITCH to set CPPFLAGS, LDFLAGS, and LIBS to include the
12 dnl Kerberos libraries, saving the current values first, and
13 dnl RRA_LIB_KRB5_RESTORE to restore those settings to before the last
14 dnl RRA_LIB_KRB5_SWITCH. HAVE_KRB5 will always be defined if RRA_LIB_KRB5 is
17 dnl If KRB5_CPPFLAGS, KRB5_LDFLAGS, or KRB5_LIBS are set before calling these
18 dnl macros, their values will be added to whatever the macros discover.
20 dnl KRB5_CPPFLAGS_GCC will be set to the same value as KRB5_CPPFLAGS but with
21 dnl any occurrences of -I changed to -isystem. This may be useful to suppress
22 dnl warnings from the Kerberos header files when building with GCC and
23 dnl aggressive warning flags. Be aware that this change will change the
24 dnl compiler header file search order as well.
26 dnl Provides the RRA_LIB_KRB5_OPTIONAL macro, which should be used if Kerberos
27 dnl support is optional. In this case, Kerberos libraries are mandatory if
28 dnl --with-krb5 is given, and will not be probed for if --without-krb5 is
29 dnl given. Otherwise, they'll be probed for but will not be required.
30 dnl Defines HAVE_KRB5 and sets rra_use_KRB5 to true if the libraries are
31 dnl found. The substitution variables will always be set, but they will be
32 dnl empty unless Kerberos libraries are found and the user did not disable
35 dnl Sets the Automake conditional KRB5_USES_COM_ERR saying whether we use
36 dnl com_err, since if we're also linking with AFS libraries, we may have to
37 dnl change library ordering in that case.
39 dnl Depends on RRA_KRB5_CONFIG, RRA_ENABLE_REDUCED_DEPENDS, and
42 dnl Also provides RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS, which checks
43 dnl whether krb5_get_init_creds_opt_free takes one argument or two. Defines
44 dnl HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS if it takes two arguments.
46 dnl Also provides RRA_INCLUDES_KRB5, which are the headers to include when
47 dnl probing the Kerberos library properties.
49 dnl The canonical version of this file is maintained in the rra-c-util
50 dnl package, available at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
52 dnl Written by Russ Allbery <eagle@eyrie.org>
53 dnl Copyright 2018 Russ Allbery <eagle@eyrie.org>
54 dnl Copyright 2005-2011, 2013-2014
55 dnl The Board of Trustees of the Leland Stanford Junior University
57 dnl This file is free software; the authors give unlimited permission to copy
58 dnl and/or distribute it, with or without modifications, as long as this
59 dnl notice is preserved.
61 dnl SPDX-License-Identifier: FSFULLR
63 dnl Ignore Automake conditionals if not using Automake.
64 m4_define_default([AM_CONDITIONAL], [:])
66 dnl Headers to include when probing for Kerberos library properties.
67 AC_DEFUN([RRA_INCLUDES_KRB5], [[
70 #elif HAVE_KERBEROSV5_KRB5_H
71 # include <kerberosv5/krb5.h>
73 # include <krb5/krb5.h>
77 dnl Save the current CPPFLAGS, LDFLAGS, and LIBS settings and switch to
78 dnl versions that include the Kerberos flags. Used as a wrapper, with
79 dnl RRA_LIB_KRB5_RESTORE, around tests.
80 AC_DEFUN([RRA_LIB_KRB5_SWITCH],
81 [rra_krb5_save_CPPFLAGS="$CPPFLAGS"
82 rra_krb5_save_LDFLAGS="$LDFLAGS"
83 rra_krb5_save_LIBS="$LIBS"
84 CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
85 LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
86 LIBS="$KRB5_LIBS $LIBS"])
88 dnl Restore CPPFLAGS, LDFLAGS, and LIBS to their previous values (before
89 dnl RRA_LIB_KRB5_SWITCH was called).
90 AC_DEFUN([RRA_LIB_KRB5_RESTORE],
91 [CPPFLAGS="$rra_krb5_save_CPPFLAGS"
92 LDFLAGS="$rra_krb5_save_LDFLAGS"
93 LIBS="$rra_krb5_save_LIBS"])
95 dnl Set KRB5_CPPFLAGS and KRB5_LDFLAGS based on rra_krb5_root,
96 dnl rra_krb5_libdir, and rra_krb5_includedir.
97 AC_DEFUN([_RRA_LIB_KRB5_PATHS],
98 [AS_IF([test x"$rra_krb5_libdir" != x],
99 [KRB5_LDFLAGS="-L$rra_krb5_libdir"],
100 [AS_IF([test x"$rra_krb5_root" != x],
101 [RRA_SET_LDFLAGS([KRB5_LDFLAGS], [$rra_krb5_root])])])
102 AS_IF([test x"$rra_krb5_includedir" != x],
103 [KRB5_CPPFLAGS="-I$rra_krb5_includedir"],
104 [AS_IF([test x"$rra_krb5_root" != x],
105 [AS_IF([test x"$rra_krb5_root" != x/usr],
106 [KRB5_CPPFLAGS="-I${rra_krb5_root}/include"])])])])
108 dnl Check for a header using a file existence check rather than using
109 dnl AC_CHECK_HEADERS. This is used if there were arguments to configure
110 dnl specifying the Kerberos header path, since we may have one header in the
111 dnl default include path and another under our explicitly-configured Kerberos
113 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER],
114 [AC_MSG_CHECKING([for $1])
115 AS_IF([test -f "${rra_krb5_incroot}/$1"],
116 [AC_DEFINE_UNQUOTED(AS_TR_CPP([HAVE_$1]), [1],
117 [Define to 1 if you have the <$1> header file.])
118 AC_MSG_RESULT([yes])],
119 [AC_MSG_RESULT([no])])])
121 dnl Check for the com_err header. Internal helper macro since we need
122 dnl to do the same checks in multiple places.
123 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR],
124 [AS_IF([test x"$rra_krb5_incroot" = x],
125 [AC_CHECK_HEADERS([et/com_err.h kerberosv5/com_err.h])],
126 [_RRA_LIB_KRB5_CHECK_HEADER([et/com_err.h])
127 _RRA_LIB_KRB5_CHECK_HEADER([kerberosv5/com_err.h])])])
129 dnl Check for the main Kerberos header. Internal helper macro since we need
130 dnl to do the same checks in multiple places.
131 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER_KRB5],
132 [AS_IF([test x"$rra_krb5_incroot" = x],
133 [AC_CHECK_HEADERS([krb5.h kerberosv5/krb5.h krb5/krb5.h])],
134 [_RRA_LIB_KRB5_CHECK_HEADER([krb5.h])
135 _RRA_LIB_KRB5_CHECK_HEADER([kerberosv5/krb5.h])
136 _RRA_LIB_KRB5_CHECK_HEADER([krb5/krb5.h])])])
138 dnl Does the appropriate library checks for reduced-dependency Kerberos
139 dnl linkage. The single argument, if true, says to fail if Kerberos could not
141 AC_DEFUN([_RRA_LIB_KRB5_REDUCED],
143 AC_CHECK_LIB([krb5], [krb5_init_context],
145 LIBS="$KRB5_LIBS $LIBS"
146 _RRA_LIB_KRB5_CHECK_HEADER_KRB5
147 AC_CHECK_FUNCS([krb5_get_error_message],
148 [AC_CHECK_FUNCS([krb5_free_error_message])],
149 [AC_CHECK_FUNCS([krb5_get_error_string], [],
150 [AC_CHECK_FUNCS([krb5_get_err_txt], [],
151 [AC_CHECK_LIB([ksvc], [krb5_svc_get_msg],
152 [KRB5_LIBS="$KRB5_LIBS -lksvc"
153 AC_DEFINE([HAVE_KRB5_SVC_GET_MSG], [1])
154 AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
155 [RRA_INCLUDES_KRB5])],
156 [AC_CHECK_LIB([com_err], [com_err],
157 [KRB5_LIBS="$KRB5_LIBS -lcom_err"],
158 [AS_IF([test x"$1" = xtrue],
159 [AC_MSG_ERROR([cannot find usable com_err library])],
161 _RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])],
162 [AS_IF([test x"$1" = xtrue],
163 [AC_MSG_ERROR([cannot find usable Kerberos library])])])
164 RRA_LIB_KRB5_RESTORE])
166 dnl Does the appropriate library checks for Kerberos linkage when we don't
167 dnl have krb5-config or reduced dependencies. The single argument, if true,
168 dnl says to fail if Kerberos could not be found.
169 AC_DEFUN([_RRA_LIB_KRB5_MANUAL],
173 AC_SEARCH_LIBS([res_search], [resolv], [],
174 [AC_SEARCH_LIBS([__res_search], [resolv])])
175 AC_SEARCH_LIBS([gethostbyname], [nsl])
176 AC_SEARCH_LIBS([socket], [socket], [],
177 [AC_CHECK_LIB([nsl], [socket], [LIBS="-lnsl -lsocket $LIBS"], [],
179 AC_SEARCH_LIBS([crypt], [crypt])
180 AC_SEARCH_LIBS([roken_concat], [roken])
181 rra_krb5_extra="$LIBS"
182 LIBS="$rra_krb5_save_LIBS"
183 AC_CHECK_LIB([krb5], [krb5_init_context],
184 [KRB5_LIBS="-lkrb5 -lasn1 -lcom_err -lcrypto $rra_krb5_extra"],
185 [AC_CHECK_LIB([krb5support], [krb5int_getspecific],
186 [rra_krb5_extra="-lkrb5support $rra_krb5_extra"],
187 [AC_CHECK_LIB([pthreads], [pthread_setspecific],
188 [rra_krb5_pthread="-lpthreads"],
189 [AC_CHECK_LIB([pthread], [pthread_setspecific],
190 [rra_krb5_pthread="-lpthread"])])
191 AC_CHECK_LIB([krb5support], [krb5int_setspecific],
192 [rra_krb5_extra="-lkrb5support $rra_krb5_extra $rra_krb5_pthread"],
193 [], [$rra_krb5_pthread $rra_krb5_extra])],
195 AC_CHECK_LIB([com_err], [error_message],
196 [rra_krb5_extra="-lcom_err $rra_krb5_extra"], [], [$rra_krb5_extra])
197 AC_CHECK_LIB([ksvc], [krb5_svc_get_msg],
198 [rra_krb5_extra="-lksvc $rra_krb5_extra"], [], [$rra_krb5_extra])
199 AC_CHECK_LIB([k5crypto], [krb5int_hash_md5],
200 [rra_krb5_extra="-lk5crypto $rra_krb5_extra"], [], [$rra_krb5_extra])
201 AC_CHECK_LIB([k5profile], [profile_get_values],
202 [rra_krb5_extra="-lk5profile $rra_krb5_extra"], [], [$rra_krb5_extra])
203 AC_CHECK_LIB([krb5], [krb5_cc_default],
204 [KRB5_LIBS="-lkrb5 $rra_krb5_extra"],
205 [AS_IF([test x"$1" = xtrue],
206 [AC_MSG_ERROR([cannot find usable Kerberos library])])],
208 [-lasn1 -lcom_err -lcrypto $rra_krb5_extra])
209 LIBS="$KRB5_LIBS $LIBS"
210 _RRA_LIB_KRB5_CHECK_HEADER_KRB5
211 AC_CHECK_FUNCS([krb5_get_error_message],
212 [AC_CHECK_FUNCS([krb5_free_error_message])],
213 [AC_CHECK_FUNCS([krb5_get_error_string], [],
214 [AC_CHECK_FUNCS([krb5_get_err_txt], [],
215 [AC_CHECK_FUNCS([krb5_svc_get_msg],
216 [AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
217 [RRA_INCLUDES_KRB5])],
218 [_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
219 RRA_LIB_KRB5_RESTORE])
221 dnl Sanity-check the results of krb5-config and be sure we can really link a
222 dnl Kerberos program. If that fails, clear KRB5_CPPFLAGS and KRB5_LIBS so
223 dnl that we know we don't have usable flags and fall back on the manual
225 AC_DEFUN([_RRA_LIB_KRB5_CHECK],
227 AC_CHECK_FUNC([krb5_init_context],
228 [RRA_LIB_KRB5_RESTORE],
229 [RRA_LIB_KRB5_RESTORE
233 _RRA_LIB_KRB5_MANUAL([$1])])])
235 dnl Determine Kerberos compiler and linker flags from krb5-config. Does the
236 dnl additional probing we need to do to uncover error handling features, and
237 dnl falls back on the manual checks.
238 AC_DEFUN([_RRA_LIB_KRB5_CONFIG],
239 [RRA_KRB5_CONFIG([${rra_krb5_root}], [krb5], [KRB5],
240 [_RRA_LIB_KRB5_CHECK([$1])
242 _RRA_LIB_KRB5_CHECK_HEADER_KRB5
243 AC_CHECK_FUNCS([krb5_get_error_message],
244 [AC_CHECK_FUNCS([krb5_free_error_message])],
245 [AC_CHECK_FUNCS([krb5_get_error_string], [],
246 [AC_CHECK_FUNCS([krb5_get_err_txt], [],
247 [AC_CHECK_FUNCS([krb5_svc_get_msg],
248 [AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
249 [RRA_INCLUDES_KRB5])],
250 [_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
251 RRA_LIB_KRB5_RESTORE],
253 _RRA_LIB_KRB5_MANUAL([$1])])])
255 dnl The core of the library checking, shared between RRA_LIB_KRB5 and
256 dnl RRA_LIB_KRB5_OPTIONAL. The single argument, if "true", says to fail if
257 dnl Kerberos could not be found. Set up rra_krb5_incroot for later header
259 AC_DEFUN([_RRA_LIB_KRB5_INTERNAL],
260 [AC_REQUIRE([RRA_ENABLE_REDUCED_DEPENDS])
262 AC_SUBST([KRB5_CPPFLAGS])
263 AC_SUBST([KRB5_CPPFLAGS_GCC])
264 AC_SUBST([KRB5_LDFLAGS])
265 AC_SUBST([KRB5_LIBS])
266 AS_IF([test x"$rra_krb5_includedir" != x],
267 [rra_krb5_incroot="$rra_krb5_includedir"],
268 [AS_IF([test x"$rra_krb5_root" != x],
269 [rra_krb5_incroot="${rra_krb5_root}/include"])])
270 AS_IF([test x"$rra_reduced_depends" = xtrue],
272 _RRA_LIB_KRB5_REDUCED([$1])],
273 [AS_IF([test x"$rra_krb5_includedir" = x && test x"$rra_krb5_libdir" = x],
274 [_RRA_LIB_KRB5_CONFIG([$1])],
276 _RRA_LIB_KRB5_MANUAL([$1])])])
277 rra_krb5_uses_com_err=false
278 AS_CASE([$KRB5_LIBS], [*-lcom_err*], [rra_krb5_uses_com_err=true])
279 AM_CONDITIONAL([KRB5_USES_COM_ERR],
280 [test x"$rra_krb5_uses_com_err" = xtrue])
281 KRB5_CPPFLAGS_GCC=`echo "$KRB5_CPPFLAGS" | sed -e 's/-I/-isystem /g'`])
283 dnl The main macro for packages with mandatory Kerberos support.
284 AC_DEFUN([RRA_LIB_KRB5],
291 [AS_HELP_STRING([--with-krb5=DIR],
292 [Location of Kerberos headers and libraries])],
293 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
294 [rra_krb5_root="$withval"])])
295 AC_ARG_WITH([krb5-include],
296 [AS_HELP_STRING([--with-krb5-include=DIR],
297 [Location of Kerberos headers])],
298 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
299 [rra_krb5_includedir="$withval"])])
300 AC_ARG_WITH([krb5-lib],
301 [AS_HELP_STRING([--with-krb5-lib=DIR],
302 [Location of Kerberos libraries])],
303 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
304 [rra_krb5_libdir="$withval"])])
305 _RRA_LIB_KRB5_INTERNAL([true])
306 AC_DEFINE([HAVE_KRB5], 1, [Define to enable Kerberos features.])])
308 dnl The main macro for packages with optional Kerberos support.
309 AC_DEFUN([RRA_LIB_KRB5_OPTIONAL],
316 [AS_HELP_STRING([--with-krb5@<:@=DIR@:>@],
317 [Location of Kerberos headers and libraries])],
318 [AS_IF([test x"$withval" = xno],
319 [rra_use_KRB5=false],
320 [AS_IF([test x"$withval" != xyes], [rra_krb5_root="$withval"])
321 rra_use_KRB5=true])])
322 AC_ARG_WITH([krb5-include],
323 [AS_HELP_STRING([--with-krb5-include=DIR],
324 [Location of Kerberos headers])],
325 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
326 [rra_krb5_includedir="$withval"])])
327 AC_ARG_WITH([krb5-lib],
328 [AS_HELP_STRING([--with-krb5-lib=DIR],
329 [Location of Kerberos libraries])],
330 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
331 [rra_krb5_libdir="$withval"])])
333 AS_IF([test x"$rra_use_KRB5" != xfalse],
334 [AS_IF([test x"$rra_use_KRB5" = xtrue],
335 [_RRA_LIB_KRB5_INTERNAL([true])],
336 [_RRA_LIB_KRB5_INTERNAL([false])])],
337 [AM_CONDITIONAL([KRB5_USES_COM_ERR], [false])])
338 AS_IF([test x"$KRB5_LIBS" != x],
340 AC_DEFINE([HAVE_KRB5], 1, [Define to enable Kerberos features.])])])
342 dnl Source used by RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS.
343 AC_DEFUN([_RRA_FUNC_KRB5_OPT_FREE_ARGS_SOURCE], [RRA_INCLUDES_KRB5] [[
347 krb5_get_init_creds_opt *opts;
349 krb5_get_init_creds_opt_free(c, opts);
353 dnl Check whether krb5_get_init_creds_opt_free takes one argument or two.
354 dnl Early Heimdal used to take a single argument. Defines
355 dnl HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS if it takes two arguments.
357 dnl Should be called with RRA_LIB_KRB5_SWITCH active.
358 AC_DEFUN([RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS],
359 [AC_CACHE_CHECK([if krb5_get_init_creds_opt_free takes two arguments],
360 [rra_cv_func_krb5_get_init_creds_opt_free_args],
361 [AC_COMPILE_IFELSE([AC_LANG_SOURCE([_RRA_FUNC_KRB5_OPT_FREE_ARGS_SOURCE])],
362 [rra_cv_func_krb5_get_init_creds_opt_free_args=yes],
363 [rra_cv_func_krb5_get_init_creds_opt_free_args=no])])
364 AS_IF([test $rra_cv_func_krb5_get_init_creds_opt_free_args = yes],
365 [AC_DEFINE([HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS], 1,
366 [Define if krb5_get_init_creds_opt_free takes two arguments.])])])