3 dnl Find the compiler and linker flags for Kerberos.
5 dnl Finds the compiler and linker flags for linking with Kerberos libraries.
6 dnl Provides the --with-krb5, --with-krb5-include, and --with-krb5-lib
7 dnl configure options to specify non-standard paths to the Kerberos libraries.
8 dnl Uses krb5-config where available unless reduced dependencies is requested
9 dnl or --with-krb5-include or --with-krb5-lib are given.
11 dnl Provides the macro RRA_LIB_KRB5 and sets the substitution variables
12 dnl KRB5_CPPFLAGS, KRB5_LDFLAGS, and KRB5_LIBS. Also provides
13 dnl RRA_LIB_KRB5_SWITCH to set CPPFLAGS, LDFLAGS, and LIBS to include the
14 dnl Kerberos libraries, saving the current values first, and
15 dnl RRA_LIB_KRB5_RESTORE to restore those settings to before the last
16 dnl RRA_LIB_KRB5_SWITCH. HAVE_KRB5 will always be defined if RRA_LIB_KRB5 is
19 dnl If KRB5_CPPFLAGS, KRB5_LDFLAGS, or KRB5_LIBS are set before calling these
20 dnl macros, their values will be added to whatever the macros discover.
22 dnl KRB5_CPPFLAGS_WARNINGS will be set to the same value as KRB5_CPPFLAGS but
23 dnl with any occurrences of -I changed to -isystem. This may be useful to
24 dnl suppress warnings from the Kerberos header files when building with and
25 dnl aggressive warning flags. Be aware that this change will change the
26 dnl compiler header file search order as well.
28 dnl Provides the RRA_LIB_KRB5_OPTIONAL macro, which should be used if Kerberos
29 dnl support is optional. In this case, Kerberos libraries are mandatory if
30 dnl --with-krb5 is given, and will not be probed for if --without-krb5 is
31 dnl given. Otherwise, they'll be probed for but will not be required.
32 dnl Defines HAVE_KRB5 and sets rra_use_KRB5 to true if the libraries are
33 dnl found. The substitution variables will always be set, but they will be
34 dnl empty unless Kerberos libraries are found and the user did not disable
37 dnl Sets the Automake conditional KRB5_USES_COM_ERR saying whether we use
38 dnl com_err, since if we're also linking with AFS libraries, we may have to
39 dnl change library ordering in that case.
41 dnl Depends on RRA_KRB5_CONFIG, RRA_ENABLE_REDUCED_DEPENDS, and
44 dnl Also provides RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS, which checks
45 dnl whether krb5_get_init_creds_opt_free takes one argument or two. Defines
46 dnl HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS if it takes two arguments.
48 dnl Also provides RRA_INCLUDES_KRB5, which are the headers to include when
49 dnl probing the Kerberos library properties.
51 dnl The canonical version of this file is maintained in the rra-c-util
52 dnl package, available at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
54 dnl Written by Russ Allbery <eagle@eyrie.org>
55 dnl Copyright 2018, 2020-2022 Russ Allbery <eagle@eyrie.org>
56 dnl Copyright 2005-2011, 2013-2014
57 dnl The Board of Trustees of the Leland Stanford Junior University
59 dnl This file is free software; the authors give unlimited permission to copy
60 dnl and/or distribute it, with or without modifications, as long as this
61 dnl notice is preserved.
63 dnl SPDX-License-Identifier: FSFULLR
65 dnl Headers to include when probing for Kerberos library properties.
66 AC_DEFUN([RRA_INCLUDES_KRB5], [[
69 #elif HAVE_KERBEROSV5_KRB5_H
70 # include <kerberosv5/krb5.h>
72 # include <krb5/krb5.h>
76 dnl Save the current CPPFLAGS, LDFLAGS, and LIBS settings and switch to
77 dnl versions that include the Kerberos flags. Used as a wrapper, with
78 dnl RRA_LIB_KRB5_RESTORE, around tests.
79 AC_DEFUN([RRA_LIB_KRB5_SWITCH],
80 [rra_krb5_save_CPPFLAGS="$CPPFLAGS"
81 rra_krb5_save_LDFLAGS="$LDFLAGS"
82 rra_krb5_save_LIBS="$LIBS"
83 CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
84 LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
85 LIBS="$KRB5_LIBS $LIBS"])
87 dnl Restore CPPFLAGS, LDFLAGS, and LIBS to their previous values (before
88 dnl RRA_LIB_KRB5_SWITCH was called).
89 AC_DEFUN([RRA_LIB_KRB5_RESTORE],
90 [CPPFLAGS="$rra_krb5_save_CPPFLAGS"
91 LDFLAGS="$rra_krb5_save_LDFLAGS"
92 LIBS="$rra_krb5_save_LIBS"])
94 dnl Set KRB5_CPPFLAGS and KRB5_LDFLAGS based on rra_krb5_root,
95 dnl rra_krb5_libdir, and rra_krb5_includedir.
96 AC_DEFUN([_RRA_LIB_KRB5_PATHS],
97 [AS_IF([test x"$rra_krb5_libdir" != x],
98 [KRB5_LDFLAGS="-L$rra_krb5_libdir"],
99 [AS_IF([test x"$rra_krb5_root" != x],
100 [RRA_SET_LDFLAGS([KRB5_LDFLAGS], [$rra_krb5_root])])])
101 AS_IF([test x"$rra_krb5_includedir" != x],
102 [KRB5_CPPFLAGS="-I$rra_krb5_includedir"],
103 [AS_IF([test x"$rra_krb5_root" != x],
104 [AS_IF([test x"$rra_krb5_root" != x/usr],
105 [KRB5_CPPFLAGS="-I${rra_krb5_root}/include"])])])])
107 dnl Check for a header using a file existence check rather than using
108 dnl AC_CHECK_HEADERS. This is used if there were arguments to configure
109 dnl specifying the Kerberos header path, since we may have one header in the
110 dnl default include path and another under our explicitly-configured Kerberos
111 dnl location. The second argument is run if the header was found.
112 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER],
113 [AC_MSG_CHECKING([for $1])
114 AS_IF([test -f "${rra_krb5_incroot}/$1"],
115 [AC_DEFINE_UNQUOTED(AS_TR_CPP([HAVE_$1]), [1],
116 [Define to 1 if you have the <$1> header file.])
119 [AC_MSG_RESULT([no])])])
121 dnl Check for the com_err header. Internal helper macro since we need
122 dnl to do the same checks in multiple places.
123 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR],
124 [AS_IF([test x"$rra_krb5_incroot" = x],
125 [AC_CHECK_HEADERS([et/com_err.h kerberosv5/com_err.h])],
126 [_RRA_LIB_KRB5_CHECK_HEADER([et/com_err.h])
127 _RRA_LIB_KRB5_CHECK_HEADER([kerberosv5/com_err.h])])])
129 dnl Check for the main Kerberos header. Internal helper macro since we need
130 dnl to do the same checks in multiple places. The first argument is run if
131 dnl some header was found, and the second if no header was found.
132 AC_DEFUN([_RRA_LIB_KRB5_CHECK_HEADER_KRB5],
133 [rra_krb5_found_header=
134 AS_IF([test x"$rra_krb5_incroot" = x],
135 [AC_CHECK_HEADERS([krb5.h kerberosv5/krb5.h krb5/krb5.h],
136 [rra_krb5_found_header=true])],
137 [_RRA_LIB_KRB5_CHECK_HEADER([krb5.h],
138 [rra_krb5_found_header=true])
139 _RRA_LIB_KRB5_CHECK_HEADER([kerberosv5/krb5.h],
140 [rra_krb5_found_header=true])
141 _RRA_LIB_KRB5_CHECK_HEADER([krb5/krb5.h],
142 [rra_krb5_found_header=true])])
143 AS_IF([test x"$rra_krb5_found_header" = xtrue], [$1], [$2])])
145 dnl Does the appropriate library checks for reduced-dependency Kerberos
146 dnl linkage. The single argument, if true, says to fail if Kerberos could not
148 AC_DEFUN([_RRA_LIB_KRB5_REDUCED],
150 AC_CHECK_LIB([krb5], [krb5_init_context],
152 LIBS="$KRB5_LIBS $LIBS"
153 AC_CHECK_FUNCS([krb5_get_error_message],
154 [AC_CHECK_FUNCS([krb5_free_error_message])],
155 [AC_CHECK_FUNCS([krb5_get_error_string], [],
156 [AC_CHECK_FUNCS([krb5_get_err_txt], [],
157 [AC_CHECK_LIB([ksvc], [krb5_svc_get_msg],
158 [KRB5_LIBS="$KRB5_LIBS -lksvc"
159 AC_DEFINE([HAVE_KRB5_SVC_GET_MSG], [1])
160 AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
161 [RRA_INCLUDES_KRB5])],
162 [AC_CHECK_LIB([com_err], [com_err],
163 [KRB5_LIBS="$KRB5_LIBS -lcom_err"],
164 [AS_IF([test x"$1" = xtrue],
166 [cannot find usable com_err library])],
168 _RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
169 _RRA_LIB_KRB5_CHECK_HEADER_KRB5([],
172 AS_IF([test x"$1" = xtrue],
173 [AC_MSG_ERROR([cannot find usable Kerberos header])])])],
174 [AS_IF([test x"$1" = xtrue],
175 [AC_MSG_ERROR([cannot find usable Kerberos library])])])
176 RRA_LIB_KRB5_RESTORE])
178 dnl Does the appropriate library checks for Kerberos linkage when we don't
179 dnl have krb5-config or reduced dependencies. The single argument, if true,
180 dnl says to fail if Kerberos could not be found.
181 AC_DEFUN([_RRA_LIB_KRB5_MANUAL],
185 AC_SEARCH_LIBS([res_search], [resolv], [],
186 [AC_SEARCH_LIBS([__res_search], [resolv])])
187 AC_SEARCH_LIBS([gethostbyname], [nsl])
188 AC_SEARCH_LIBS([socket], [socket], [],
189 [AC_CHECK_LIB([nsl], [socket], [LIBS="-lnsl -lsocket $LIBS"], [],
191 AC_SEARCH_LIBS([crypt], [crypt])
192 AC_SEARCH_LIBS([roken_concat], [roken])
193 rra_krb5_extra="$LIBS"
194 LIBS="$rra_krb5_save_LIBS"
195 AC_CHECK_LIB([krb5], [krb5_init_context],
196 [KRB5_LIBS="-lkrb5 -lasn1 -lcom_err -lcrypto $rra_krb5_extra"],
197 [AC_CHECK_LIB([krb5support], [krb5int_getspecific],
198 [rra_krb5_extra="-lkrb5support $rra_krb5_extra"],
199 [AC_CHECK_LIB([pthreads], [pthread_setspecific],
200 [rra_krb5_pthread="-lpthreads"],
201 [AC_CHECK_LIB([pthread], [pthread_setspecific],
202 [rra_krb5_pthread="-lpthread"])])
203 AC_CHECK_LIB([krb5support], [krb5int_setspecific],
204 [rra_krb5_extra="-lkrb5support $rra_krb5_extra $rra_krb5_pthread"],
205 [], [$rra_krb5_pthread $rra_krb5_extra])],
207 AC_CHECK_LIB([com_err], [error_message],
208 [rra_krb5_extra="-lcom_err $rra_krb5_extra"], [], [$rra_krb5_extra])
209 AC_CHECK_LIB([ksvc], [krb5_svc_get_msg],
210 [rra_krb5_extra="-lksvc $rra_krb5_extra"], [], [$rra_krb5_extra])
211 AC_CHECK_LIB([k5crypto], [krb5int_hash_md5],
212 [rra_krb5_extra="-lk5crypto $rra_krb5_extra"], [], [$rra_krb5_extra])
213 AC_CHECK_LIB([k5profile], [profile_get_values],
214 [rra_krb5_extra="-lk5profile $rra_krb5_extra"], [], [$rra_krb5_extra])
215 AC_CHECK_LIB([krb5], [krb5_cc_default],
216 [KRB5_LIBS="-lkrb5 $rra_krb5_extra"],
217 [AS_IF([test x"$1" = xtrue],
218 [AC_MSG_ERROR([cannot find usable Kerberos library])])],
220 [-lasn1 -lcom_err -lcrypto $rra_krb5_extra])
221 LIBS="$KRB5_LIBS $LIBS"
222 AC_CHECK_FUNCS([krb5_get_error_message],
223 [AC_CHECK_FUNCS([krb5_free_error_message])],
224 [AC_CHECK_FUNCS([krb5_get_error_string], [],
225 [AC_CHECK_FUNCS([krb5_get_err_txt], [],
226 [AC_CHECK_FUNCS([krb5_svc_get_msg],
227 [AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
228 [RRA_INCLUDES_KRB5])],
229 [_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
230 _RRA_LIB_KRB5_CHECK_HEADER_KRB5([],
233 AS_IF([test x"$1" = xtrue],
234 [AC_MSG_ERROR([cannot find usable Kerberos header])])])
235 RRA_LIB_KRB5_RESTORE])
237 dnl Sanity-check the results of krb5-config and be sure we can really link a
238 dnl Kerberos program. If that fails, clear KRB5_CPPFLAGS and KRB5_LIBS so
239 dnl that we know we don't have usable flags and fall back on the manual
241 AC_DEFUN([_RRA_LIB_KRB5_CHECK],
243 AC_CHECK_FUNC([krb5_init_context],
244 [_RRA_LIB_KRB5_CHECK_HEADER_KRB5([RRA_LIB_KRB5_RESTORE],
245 [RRA_LIB_KRB5_RESTORE
249 _RRA_LIB_KRB5_MANUAL([$1])])],
250 [RRA_LIB_KRB5_RESTORE
254 _RRA_LIB_KRB5_MANUAL([$1])])])
256 dnl Determine Kerberos compiler and linker flags from krb5-config. Does the
257 dnl additional probing we need to do to uncover error handling features, and
258 dnl falls back on the manual checks.
259 AC_DEFUN([_RRA_LIB_KRB5_CONFIG],
260 [RRA_KRB5_CONFIG([${rra_krb5_root}], [krb5], [KRB5],
261 [_RRA_LIB_KRB5_CHECK([$1])
263 AC_CHECK_FUNCS([krb5_get_error_message],
264 [AC_CHECK_FUNCS([krb5_free_error_message])],
265 [AC_CHECK_FUNCS([krb5_get_error_string], [],
266 [AC_CHECK_FUNCS([krb5_get_err_txt], [],
267 [AC_CHECK_FUNCS([krb5_svc_get_msg],
268 [AC_CHECK_HEADERS([ibm_svc/krb5_svc.h], [], [],
269 [RRA_INCLUDES_KRB5])],
270 [_RRA_LIB_KRB5_CHECK_HEADER_COM_ERR])])])])
271 RRA_LIB_KRB5_RESTORE],
273 _RRA_LIB_KRB5_MANUAL([$1])])])
275 dnl The core of the library checking, shared between RRA_LIB_KRB5 and
276 dnl RRA_LIB_KRB5_OPTIONAL. The single argument, if "true", says to fail if
277 dnl Kerberos could not be found. Set up rra_krb5_incroot for later header
279 AC_DEFUN([_RRA_LIB_KRB5_INTERNAL],
280 [AC_REQUIRE([RRA_ENABLE_REDUCED_DEPENDS])
282 AC_SUBST([KRB5_CPPFLAGS])
283 AC_SUBST([KRB5_CPPFLAGS_WARNINGS])
284 AC_SUBST([KRB5_LDFLAGS])
285 AC_SUBST([KRB5_LIBS])
286 AS_IF([test x"$rra_krb5_includedir" != x],
287 [rra_krb5_incroot="$rra_krb5_includedir"],
288 [AS_IF([test x"$rra_krb5_root" != x],
289 [rra_krb5_incroot="${rra_krb5_root}/include"])])
290 AS_IF([test x"$rra_reduced_depends" = xtrue],
292 _RRA_LIB_KRB5_REDUCED([$1])],
293 [AS_IF([test x"$rra_krb5_includedir" = x && test x"$rra_krb5_libdir" = x],
294 [_RRA_LIB_KRB5_CONFIG([$1])],
296 _RRA_LIB_KRB5_MANUAL([$1])])])
297 rra_krb5_uses_com_err=false
298 AS_CASE([$KRB5_LIBS], [*-lcom_err*], [rra_krb5_uses_com_err=true])
299 AM_CONDITIONAL([KRB5_USES_COM_ERR],
300 [test x"$rra_krb5_uses_com_err" = xtrue])
301 KRB5_CPPFLAGS_WARNINGS=`AS_ECHO(["$KRB5_CPPFLAGS"]) | sed 's/-I/-isystem /g'`])
303 dnl The main macro for packages with mandatory Kerberos support.
304 AC_DEFUN([RRA_LIB_KRB5],
311 [AS_HELP_STRING([--with-krb5=DIR],
312 [Location of Kerberos headers and libraries])],
313 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
314 [rra_krb5_root="$withval"])])
315 AC_ARG_WITH([krb5-include],
316 [AS_HELP_STRING([--with-krb5-include=DIR],
317 [Location of Kerberos headers])],
318 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
319 [rra_krb5_includedir="$withval"])])
320 AC_ARG_WITH([krb5-lib],
321 [AS_HELP_STRING([--with-krb5-lib=DIR],
322 [Location of Kerberos libraries])],
323 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
324 [rra_krb5_libdir="$withval"])])
325 _RRA_LIB_KRB5_INTERNAL([true])
326 AC_DEFINE([HAVE_KRB5], 1, [Define to enable Kerberos features.])])
328 dnl The main macro for packages with optional Kerberos support.
329 AC_DEFUN([RRA_LIB_KRB5_OPTIONAL],
336 [AS_HELP_STRING([--with-krb5@<:@=DIR@:>@],
337 [Location of Kerberos headers and libraries])],
338 [AS_IF([test x"$withval" = xno],
339 [rra_use_KRB5=false],
340 [AS_IF([test x"$withval" != xyes], [rra_krb5_root="$withval"])
341 rra_use_KRB5=true])])
342 AC_ARG_WITH([krb5-include],
343 [AS_HELP_STRING([--with-krb5-include=DIR],
344 [Location of Kerberos headers])],
345 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
346 [rra_krb5_includedir="$withval"])])
347 AC_ARG_WITH([krb5-lib],
348 [AS_HELP_STRING([--with-krb5-lib=DIR],
349 [Location of Kerberos libraries])],
350 [AS_IF([test x"$withval" != xyes && test x"$withval" != xno],
351 [rra_krb5_libdir="$withval"])])
353 AS_IF([test x"$rra_use_KRB5" != xfalse],
354 [AS_IF([test x"$rra_use_KRB5" = xtrue],
355 [_RRA_LIB_KRB5_INTERNAL([true])],
356 [_RRA_LIB_KRB5_INTERNAL([false])])],
357 [AM_CONDITIONAL([KRB5_USES_COM_ERR], [false])])
358 AS_IF([test x"$KRB5_LIBS" != x],
360 AC_DEFINE([HAVE_KRB5], 1, [Define to enable Kerberos features.])])])
362 dnl Source used by RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS.
363 AC_DEFUN([_RRA_FUNC_KRB5_OPT_FREE_ARGS_SOURCE], [RRA_INCLUDES_KRB5] [[
367 krb5_get_init_creds_opt *opts;
369 krb5_get_init_creds_opt_free(c, opts);
373 dnl Check whether krb5_get_init_creds_opt_free takes one argument or two.
374 dnl Early Heimdal used to take a single argument. Defines
375 dnl HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS if it takes two arguments.
377 dnl Should be called with RRA_LIB_KRB5_SWITCH active.
378 AC_DEFUN([RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS],
379 [AC_CACHE_CHECK([if krb5_get_init_creds_opt_free takes two arguments],
380 [rra_cv_func_krb5_get_init_creds_opt_free_args],
381 [AC_COMPILE_IFELSE([AC_LANG_SOURCE([_RRA_FUNC_KRB5_OPT_FREE_ARGS_SOURCE])],
382 [rra_cv_func_krb5_get_init_creds_opt_free_args=yes],
383 [rra_cv_func_krb5_get_init_creds_opt_free_args=no])])
384 AS_IF([test $rra_cv_func_krb5_get_init_creds_opt_free_args = yes],
385 [AC_DEFINE([HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS], 1,
386 [Define if krb5_get_init_creds_opt_free takes two arguments.])])])