openconnect/configure.ac

AC_INIT([openconnect], [9.01])
AC_LANG([C])
AC_CONFIG_HEADERS([config.h])
m4_ifdef([AC_CONFIG_MACRO_DIRS], [AC_CONFIG_MACRO_DIRS([m4])])

PKG_PROG_PKG_CONFIG
AC_CANONICAL_HOST
AM_MAINTAINER_MODE([enable])
AM_INIT_AUTOMAKE([foreign tar-ustar subdir-objects])
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])

AC_PREREQ([2.62])

# Upstream's pkg.m4 (since 0.27) offers this now, but define our own
# compatible version in case the local version of pkgconfig isn't new enough.
# https://bugs.freedesktop.org/show_bug.cgi?id=48743
m4_ifdef([PKG_INSTALLDIR], [PKG_INSTALLDIR],
	  [AC_ARG_WITH([pkgconfigdir],
		       [AS_HELP_STRING([--with-pkgconfigdir],
		       [install directory for openconnect.pc pkg-config file])],
			[],[with_pkgconfigdir='$(libdir)/pkgconfig'])
	   AC_SUBST([pkgconfigdir], [${with_pkgconfigdir}])])

use_openbsd_libtool=
symver_time=
symver_getline=
symver_asprintf=
symver_vasprintf=
symver_win32_strerror=
symver_win32_setenv=

# Autoconf is stupid and if the first time it needs to find the C compiler
# is conditional (as it is here for some of the MinGW checks), it forgets
# to ever look for one in the other code paths. Do it explicitly here.
AC_PROG_CC
# Before autoconf 2.70, AC_PROG_CC_C99 appears to be necessary for some
# compilers if you want C99 support. Starting with 2.70, it is obsolete.
m4_version_prereq([2.70], [:], [AC_PROG_CC_C99])

default_browser=xdg-open
have_vhost=no
case $host_os in
 *linux* | *gnu* | *nacl*)
    have_vhost=yes
    AC_MSG_NOTICE([Applying feature macros for GNU build])
    AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
    ;;
 *netbsd*)
    AC_MSG_NOTICE([Applying feature macros for NetBSD build])
    AC_DEFINE(_POSIX_C_SOURCE, 200112L, [_POSIX_C_SOURCE])
    AC_DEFINE(_NETBSD_SOURCE, 1, [_NETBSD_SOURCE])
    ;;
 *openbsd*)
    AC_MSG_NOTICE([Applying feature macros for OpenBSD build])
    use_openbsd_libtool=true
    ;;
 *solaris*|*sunos*)
    AC_MSG_NOTICE([Applying workaround for broken SunOS time() function])
    AC_DEFINE(HAVE_SUNOS_BROKEN_TIME, 1, [On SunOS time() can go backwards])
    symver_time="openconnect__time;"
    ;;
 *mingw32*|*mingw64*|*msys*)
    AC_MSG_NOTICE([Applying feature macros for MinGW/Windows build])
    # For GetVolumeInformationByHandleW() which is Vista+
    AC_DEFINE(_WIN32_WINNT, 0x600, [Windows API version])
    have_win=yes
    # For asprintf()
    AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
    symver_win32_strerror="openconnect__win32_strerror;"
    symver_win32_setenv="openconnect__win32_setenv;"
    # Win32 does have the SCard API
    system_pcsc_libs="-lwinscard"
    system_pcsc_cflags=
    AC_CHECK_TOOL([WINDRES], [windres], [])
    AC_CHECK_TOOL([MAKENSIS], [makensis], [])
    default_browser=

    case $host_cpu in
	x86_64|amd64)
		wintun_arch=amd64
		;;
	*86)
		wintun_arch=x86
		;;
	aarch64|arm64)
		wintun_arch=arm64
		;;
	arm*)
		wintun_arch=arm
		;;
    esac
    AC_SUBST(WINTUN_ARCH, "$wintun_arch")

    # Per https://github.com/MisterDA/ocaml/commit/5855ce5ffd931a2802d5b9a5b2987ab0b276fd0a,
    # "The header file <afunix.h> declares the `struct sockaddr_un` type, but hasn't been picked by mingw-w64."
    AC_CHECK_HEADER([afunix.h], AC_DEFINE([HAVE_AF_UNIX_H], 1, [MinGW has afunix.h]))

    # MINGW_HAS_SECURE_API may only work on newer MinGW:
    # https://stackoverflow.com/a/51977723
    AC_DEFINE(MINGW_HAS_SECURE_API, 1, [Try to make getenv_s and _putenv_s available])
    AC_CHECK_DECL(_putenv_s, [AC_DEFINE(HAVE_PUTENV_S_DECL, 1, [MinGW declares _putenv_s])], [], [#include <sec_api/stdlib_s.h>])
    AC_CHECK_DECL(getenv_s, [AC_DEFINE(HAVE_GETENV_S_DECL, 1, [MinGW declares getenv_s])], [], [#include <sec_api/stdlib_s.h>])
    ;;
 *darwin*)
    system_pcsc_libs="-Wl,-framework -Wl,PCSC"
    system_pcsc_cflags=
    default_browser=open
    ;;
 *)
    # On FreeBSD the only way to get vsyslog() visible is to define
    #  *nothing*, which makes absolutely everything visible.
    # On Darwin enabling _POSIX_C_SOURCE breaks <sys/mount.h> because
    # u_long and other types don't get defined. OpenBSD is similar.
    ;;
esac
AM_CONDITIONAL(OPENCONNECT_WIN32,  [ test "$have_win" = "yes" ])
build_nsis=no
if test "${MAKENSIS}" != ""; then
   AC_CHECK_PROG(have_curl, curl, yes)
   if test "${have_curl}" = "yes"; then
      build_nsis=yes
      if test "${wintun_arch}" != ""; then
	 AC_CHECK_PROG(have_unzip, unzip, yes)
	 if test "${have_unzip}" != "yes"; then
	    wintun_arch=
	 fi
      fi
   fi
fi
AM_CONDITIONAL(BUILD_NSIS, [ test "$build_nsis" = "yes" ])
AM_CONDITIONAL(OPENCONNECT_WINTUN, [ test "${wintun_arch}" != "" ])

AC_ARG_WITH([external-browser],
	[AS_HELP_STRING([--with-external-browser],
	  [command to use for spawning external web browser])])

if test "$with_external_browser" = "yes" || test "$with_external_browser" = ""; then
   if test "$default_browser" != ""; then
      AC_MSG_CHECKING([for ${default_browser}])
      AC_PATH_PROG(with_external_browser, ${default_browser}, no)
   else
      with_external_browser=no
   fi
fi
if test "$with_external_browser" != "no"; then
   if test -x "${with_external_browser}"; then
      AC_DEFINE_UNQUOTED(DEFAULT_EXTERNAL_BROWSER, "${with_external_browser}", [External browser executable])
   else
      AC_MSG_ERROR([${with_external_browser} does not seem to be executable.])
   fi
fi

AC_ARG_WITH([vpnc-script],
	[AS_HELP_STRING([--with-vpnc-script],
	  [default location of vpnc-script helper])])

if test "$with_vpnc_script" = "yes" || test "$with_vpnc_script" = ""; then
   AC_MSG_CHECKING([for vpnc-script in standard locations])
   if test "$have_win" = "yes"; then
      with_vpnc_script=vpnc-script-win.js
   else
      for with_vpnc_script in /usr/local/share/vpnc-scripts/vpnc-script /usr/local/sbin/vpnc-script /usr/share/vpnc-scripts/vpnc-script /usr/sbin/vpnc-script /etc/vpnc/vpnc-script; do
         if test -x "$with_vpnc_script"; then
            break
         fi
      done
      if ! test -x "$with_vpnc_script"; then
	 AC_MSG_ERROR([${with_vpnc_script} does not seem to be executable.]
 [OpenConnect will not function correctly without a vpnc-script.]
 [See https://www.infradead.org/openconnect/vpnc-script.html for more details.]
 []
 [If you are building a distribution package, please ensure that your]
 [packaging is correct, and that a vpnc-script will be installed when the]
 [user installs your package. You should provide a --with-vpnc-script=]
 [argument to this configure script, giving the full path where the script]
 [will be installed.]
 []
 [The standard location is ${with_vpnc_script}. To bypass this error and]
 [build OpenConnect to use the script from this location, even though it is]
 [not present at the time you are building OpenConnect, pass the argument]
 ["--with-vpnc-script=${with_vpnc_script}"])
      else
         AC_MSG_RESULT([${with_vpnc_script}])
      fi
   fi
elif test "$with_vpnc_script" = "no"; then
   AC_MSG_ERROR(You cannot disable vpnc-script.
   OpenConnect will not function correctly without it.
   See https://www.infradead.org/openconnect/vpnc-script.html)
elif test "$have_win" = "yes"; then
   # Oh Windows how we hate thee. If user specifies a vpnc-script and it contains
   # backslashes, double them all up to survive escaping.
   with_vpnc_script="$(echo "${with_vpnc_script}" | sed s/\\\\/\\\\\\\\/g)"
fi

AC_DEFINE_UNQUOTED(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}", [Default vpnc-script locatin])
AC_SUBST(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}")

AC_CHECK_FUNC(fdevname_r, [AC_DEFINE(HAVE_FDEVNAME_R, 1, [Have fdevname_r() function])], [])
AC_CHECK_FUNC(statfs, [AC_DEFINE(HAVE_STATFS, 1, [Have statfs() function])], [])
AC_CHECK_FUNC(getline, [AC_DEFINE(HAVE_GETLINE, 1, [Have getline() function])],
    [symver_getline="openconnect__getline;"])
AC_CHECK_FUNC(strcasestr, [AC_DEFINE(HAVE_STRCASESTR, 1, [Have strcasestr() function])], [])
AC_CHECK_FUNC(strndup, [AC_DEFINE(HAVE_STRNDUP, 1, [Have strndup() function])], [])
AC_CHECK_FUNC(strchrnul, [AC_DEFINE(HAVE_STRCHRNUL, 1, [Have strchrnul() function])], [])
AC_CHECK_FUNC(asprintf, [AC_DEFINE(HAVE_ASPRINTF, 1, [Have asprintf() function])],
    [symver_asprintf="openconnect__asprintf;"])
AC_CHECK_FUNC(vasprintf, [AC_DEFINE(HAVE_VASPRINTF, 1, [Have vasprintf() function])],
    [symver_vasprintf="openconnect__vasprintf;"])

AC_MSG_CHECKING([for __builtin_clz])
AC_LINK_IFELSE([AC_LANG_PROGRAM([],[return __builtin_clz(0xffffffff);])],
		[AC_MSG_RESULT(yes)
		 AC_DEFINE(HAVE_BUILTIN_CLZ, 1, [Have __builtin_clz()])],
		[AC_MSG_RESULT(no)])

if test -n "$symver_vasprintf"; then
  AC_MSG_CHECKING([for va_copy])
  AC_LINK_IFELSE([AC_LANG_PROGRAM([
	#include <stdarg.h>
	va_list a;],[
	va_list b;
	va_copy(b,a);
	va_end(b);])],
	[AC_DEFINE(HAVE_VA_COPY, 1, [Have va_copy()])
	AC_MSG_RESULT(va_copy)],
	[AC_LINK_IFELSE([AC_LANG_PROGRAM([
		#include <stdarg.h>
		va_list a;],[
		va_list b;
		__va_copy(b,a);
		va_end(b);])],
		[AC_DEFINE(HAVE___VA_COPY, 1, [Have __va_copy()])
		AC_MSG_RESULT(__va_copy)],
		[AC_MSG_RESULT(no)
		AC_MSG_ERROR([Your system lacks vasprintf() and va_copy()])])
	])
fi
AC_SUBST(SYMVER_TIME, $symver_time)
AC_SUBST(SYMVER_GETLINE, $symver_getline)
AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv)

AS_COMPILER_FLAGS(WFLAGS,
        "-Wall
         -Wextra
         -Wno-missing-field-initializers
         -Wno-sign-compare
         -Wno-unused-parameter
         -Werror=pointer-to-int-cast
         -Werror-implicit-function-declaration
         -Wformat-nonliteral
         -Wformat-security
         -Winit-self
         -Wmissing-declarations
         -Wmissing-include-dirs
         -Wnested-externs
         -Wpointer-arith
         -Wwrite-strings")
AC_SUBST(WFLAGS, [$WFLAGS])

oldCFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $WFLAGS"
AC_MSG_CHECKING([For memset_s])
AC_LINK_IFELSE([AC_LANG_PROGRAM([
	#define __STDC_WANT_LIB_EXT1__ 1
	#include <string.h>],[[
	unsigned char *foo[16];
	memset_s(foo, 16, 0, 16);]])],
	       [AC_MSG_RESULT([yes])
	        AC_DEFINE(__STDC_WANT_LIB_EXT1__, 1, [To request memset_s])
	        AC_DEFINE(HAVE_MEMSET_S, 1, [Have memset_s() function])],
	       [AC_MSG_RESULT([no])
	        AC_CHECK_FUNC(explicit_memset,
			      [AC_DEFINE(HAVE_EXPLICIT_MEMSET, 1, [Have explicit_memset() function])],
			      [AC_CHECK_FUNC(explicit_bzero,
					     [AC_DEFINE(HAVE_EXPLICIT_BZERO, 1, [Have explicit_bzero() function])],
					     [])
			      ])
	       ])
CFLAGS="$oldCFLAGS"

AC_MSG_CHECKING([For localtime_r])
AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <time.h>],[[
	struct tm tm;
	time_t t = 0;
	localtime_r(&t, &tm);]])],
	       [AC_MSG_RESULT([yes])
	        AC_DEFINE(HAVE_LOCALTIME_R, 1, [Have localtime_r() function])],
	       [AC_MSG_RESULT([no])])

if test "$have_win" = yes; then
   # Checking "properly" for __attribute__((dllimport,stdcall)) functions is non-trivial
   LIBS="$LIBS -lws2_32 -lshlwapi -lsecur32 -liphlpapi"
   AC_MSG_CHECKING([For localtime_s])
   AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <time.h>],[[
	struct tm tm;
	time_t t = 0;
	localtime_s(&tm, (time_t)0);]])],
	       [AC_MSG_RESULT([yes])
	        AC_DEFINE(HAVE_LOCALTIME_S, 1, [Have localtime_s() function])],
	       [AC_MSG_RESULT([no])])
else
   AC_CHECK_FUNC(socket, [], AC_CHECK_LIB(socket, socket, [], AC_MSG_ERROR(Cannot find socket() function)))
fi

have_inet_aton=yes
AC_CHECK_FUNC(inet_aton, [], AC_CHECK_LIB(nsl, inet_aton, [], have_inet_aton=no))
if test "$have_inet_aton" = "yes"; then
   AC_DEFINE(HAVE_INET_ATON, 1, [Have inet_aton()])
fi

AC_MSG_CHECKING([for IPV6_PATHMTU socket option])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
		  #include <netinet/in.h>
		  #include <sys/socket.h>
		  #include <sys/types.h>],[
		  int foo = IPV6_PATHMTU; (void)foo;])],
		  [AC_DEFINE(HAVE_IPV6_PATHMTU, 1, [Have IPV6_PATHMTU socket option])
		   AC_MSG_RESULT([yes])],
		  [AC_MSG_RESULT([no])])

AC_CHECK_FUNC(__android_log_vprint, [], AC_CHECK_LIB(log, __android_log_vprint, [], []))

AC_ENABLE_SHARED
AC_DISABLE_STATIC

AC_CHECK_FUNC(nl_langinfo, [AC_DEFINE(HAVE_NL_LANGINFO, 1, [Have nl_langinfo() function])], [])

AC_CHECK_FUNC(posix_spawn, [AC_DEFINE(HAVE_POSIX_SPAWN, 1, [Have posix_spawn() function])], [])

if test "$ac_cv_func_nl_langinfo" = "yes"; then
    AM_ICONV
    if test "$am_cv_func_iconv" = "yes"; then
	AC_SUBST(ICONV_LIBS, [$LTLIBICONV])
	AC_SUBST(ICONV_CFLAGS, [$INCICONV])
	AC_DEFINE(HAVE_ICONV, 1, [Have iconv() function])
    fi
fi
AM_CONDITIONAL(OPENCONNECT_ICONV, [test "$am_cv_func_iconv" = "yes"])

AC_ARG_ENABLE([nls],
	AS_HELP_STRING([--disable-nls], [Do not use Native Language Support]),
	[USE_NLS=$enableval], [USE_NLS=yes])
LIBINTL=
if test "$USE_NLS" = "yes"; then
   AC_PATH_PROG(MSGFMT, msgfmt)
   if test "$MSGFMT" = ""; then
      AC_MSG_ERROR(msgfmt could not be found. Try configuring with --disable-nls)
   fi
fi
LIBINTL=
if test "$USE_NLS" = "yes"; then
   AC_MSG_CHECKING([for functional NLS support])
   AC_LINK_IFELSE([AC_LANG_PROGRAM([
    #include <locale.h>
    #include <libintl.h>],[
    setlocale(LC_ALL, "");
    bindtextdomain("openconnect", "/tmp");
    (void)dgettext("openconnect", "foo");])],
    [AC_MSG_RESULT(yes)],
    [AC_LIB_LINKFLAGS_BODY([intl])
     oldLIBS="$LIBS"
     LIBS="$LIBINTL $LIBS"
     oldCFLAGS="$LIBS"
     CFLAGS="$CFLAGS $INCINTL"
     AC_LINK_IFELSE([AC_LANG_PROGRAM([
      #include <locale.h>
      #include <libintl.h>],[
      setlocale(LC_ALL, "");
      bindtextdomain("openconnect", "/tmp");
      (void)dgettext("openconnect", "foo");])],
      [AC_MSG_RESULT(yes (with $INCINTL $LIBINTL))],
      [AC_MSG_RESULT(no)
       USE_NLS=no])
     LIBS="$oldLIBS"])
fi

if test "$USE_NLS" = "yes"; then
   AC_SUBST(INTL_LIBS, [$LTLIBINTL])
   AC_SUBST(INTL_CFLAGS, [$INCINTL])
   AC_DEFINE(ENABLE_NLS, 1, [Enable NLS support])
fi
AM_CONDITIONAL(USE_NLS, [test "$USE_NLS" = "yes"])

AC_ARG_WITH([system-cafile],
	    AS_HELP_STRING([--with-system-cafile],
			   [Location of the default system CA certificate file for old (<3.0.20) GnuTLS versions]))

# We will use GnuTLS by default if it's present. We used to support
# using GnuTLS for the TLS connections and OpenSSL for DTLS, but none
# of the reasons for that make sense any more.

AC_ARG_WITH([gnutls],
    AS_HELP_STRING([--without-gnutls], [Do not attempt to use GnuTLS; use OpenSSL instead]))
AC_ARG_WITH([openssl],
    AS_HELP_STRING([--with-openssl], [Location of OpenSSL build dir]))

ssl_library=
esp=
dtls=
hpke=

if test "$with_openssl" != "" -a "$with_openssl" != "no"; then
    if test "$with_gnutls" = ""; then
	with_gnutls=no
    elif test "$with_gnutls" = "yes"; then
	AC_MSG_ERROR([You cannot choose both GnuTLS and OpenSSL.])
    fi
fi

# First, check if GnuTLS exists and is usable
if test "$with_gnutls" = "yes" || test "$with_gnutls" = ""; then
    PKG_CHECK_MODULES(GNUTLS, gnutls,
       [if ! $PKG_CONFIG --atleast-version=3.2.10 gnutls; then
	    AC_MSG_WARN([Your GnuTLS is too old. At least v3.2.10 is required])
	else
	    ssl_library=GnuTLS
	fi], [:])
elif test "$with_gnutls" != "no"; then
    AC_MSG_ERROR(Values other than 'yes' or 'no' for --with-gnutls are not supported)
fi

# Do we need to look for OpenSSL?
if test "$ssl_library" = ""; then
    if test "$with_gnutls" = "yes" -o "$with_openssl" = "no"; then
	    AC_MSG_ERROR([Suitable GnuTLS required but not found])
    elif test "$with_openssl" = "yes" -o "$with_openssl" = ""; then
        PKG_CHECK_MODULES(OPENSSL, openssl, [AC_SUBST(SSL_PC, [openssl])],
	    [oldLIBS="$LIBS"
	     LIBS="-lssl -lcrypto $LIBS"
	     AC_MSG_CHECKING([for OpenSSL without pkg-config])
	     AC_LINK_IFELSE([AC_LANG_PROGRAM([
			        #include <openssl/ssl.h>
				#include <openssl/err.h>],[
				SSL_library_init();
				ERR_clear_error();
				SSL_load_error_strings();
				OpenSSL_add_all_algorithms();])],
			[AC_MSG_RESULT(yes)
			 AC_SUBST([OPENSSL_LIBS], ["-lssl -lcrypto"])
			 AC_SUBST([OPENSSL_CFLAGS], [])]
			 AC_SUBST([openssl_pc_libs], [$OPENSSL_LIBS]),
			[AC_MSG_RESULT(no)
			 AC_MSG_ERROR(Could not build against OpenSSL)])
	     LIBS="$oldLIBS"])
	ssl_library=OpenSSL
	PKG_CHECK_MODULES(P11KIT, p11-kit-1,
	    # libp11 0.4.7 fails to export ERR_LIB_PKCS11 so we don't know what it
	    # is and can't match its errors, which we need to for login checks.
	    [PKG_CHECK_MODULES(LIBP11, libp11 != 0.4.7,
		[AC_DEFINE(HAVE_LIBP11, 1, [Have libp11 and p11-kit for OpenSSL])
		 AC_SUBST(P11KIT_PC, ["libp11 p11-kit-1"])
		 proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
		 pkcs11_support="libp11"
		 AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
		[:])], [:])
    else
	OPENSSL_CFLAGS="-I${with_openssl}/include ${OPENSSL_CFLAGS}"
	if test -r "${with_openssl}/libssl.a" -a -r "${with_openssl}/libcrypto.a";  then
	    OPENSSL_LIBS="${with_openssl}/libssl.a ${with_openssl}/libcrypto.a -ldl -lz -pthread"
	elif test -r "${with_openssl}/crypto/.libs/libcrypto.a" -a \
		  -r "${with_openssl}/ssl/.libs/libssl.a"; then
	    OPENSSL_LIBS="${with_openssl}/ssl/.libs/libssl.a ${with_openssl}/crypto/.libs/libcrypto.a -ldl -lz -pthread"
	else
	    AC_MSG_ERROR(Could not find OpenSSL libraries in ${with_openssl});
	fi
	AC_SUBST(OPENSSL_CFLAGS)
	AC_SUBST(OPENSSL_LIBS)
	enable_static=yes
	enable_shared=no
	ssl_library=OpenSSL
    fi
fi

AC_ARG_WITH([openssl-version-check],
    AS_HELP_STRING([--without-openssl-version-check], [Do not check for known-broken OpenSSL versions]))
AC_ARG_WITH([gnutls-version-check],
    AS_HELP_STRING([--without-gnutls-version-check], [Do not check for known-broken GnuTLS versions]))
AC_ARG_WITH([default-gnutls-priority],
    AS_HELP_STRING([--with-default-gnutls-priority=STRING],
	[Provide a default string as GnuTLS priority string]),
	default_gnutls_priority=$withval)
if test -n "$default_gnutls_priority"; then
   AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
fi

AC_ARG_WITH([gnutls-tss2],
   AS_HELP_STRING([--with-gnutls-tss2], [Specify TSS2 library (tss2-esys, ibmtss)]))

tss2lib=none
case "$ssl_library" in
    OpenSSL)
	oldLIBS="${LIBS}"
	oldCFLAGS="${CFLAGS}"
	LIBS="${OPENSSL_LIBS} ${LIBS}"
	CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"

	# Check for the various known-broken versions of OpenSSL, which includes LibreSSL.
	if test "$with_openssl_version_check" != "no"; then
	    AC_MSG_CHECKING([for known-broken versions of OpenSSL])
	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],
				[#if defined(LIBRESSL_VERSION_NUMBER)
				#error Bad OpenSSL
				#endif
				])],
			  [],
			  [AC_MSG_RESULT(yes)
			   AC_MSG_ERROR([LibreSSL does not support Cisco DTLS.]
[Build with OpenSSL or GnuTLS instead.])])
	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
				    (OPENSSL_VERSION_NUMBER == 0x10002000L || \
				    (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
				    (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
				#error Bad OpenSSL
				#endif
				])],
			  [],
			  [AC_MSG_RESULT(yes)
			   AC_MSG_ERROR(This version of OpenSSL is known to be broken with Cisco DTLS.
See http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
Add --without-openssl-version-check to configure args to avoid this check, or
perhaps consider building with GnuTLS instead.)])
	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
				    (OPENSSL_VERSION_NUMBER == 0x1000200fL)
				#error Bad OpenSSL
				#endif
				])],
			  [],
			  [AC_MSG_RESULT(yes)
			   AC_MSG_ERROR(This version of OpenSSL is known to be broken with Cisco DTLS.
See http://rt.openssl.org/Ticket/Display.html?id=3703&user=guest&pass=guest
and http://rt.openssl.org/Ticket/Display.html?id=3711&user=guest&pass=guest
Add --without-openssl-version-check to configure args to avoid this check, or
perhaps consider building with GnuTLS instead.)])
	    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
				    ((OPENSSL_VERSION_NUMBER >= 0x10001110L && OPENSSL_VERSION_NUMBER <= 0x10001150L) || \
				     (OPENSSL_VERSION_NUMBER >= 0x10002050L && OPENSSL_VERSION_NUMBER <= 0x10002090L))
				#error Bad OpenSSL
				#endif
				])],
			  [],
			  [AC_MSG_RESULT(yes)
			   AC_MSG_ERROR(This version of OpenSSL is known to be broken with Cisco DTLS.
See http://rt.openssl.org/Ticket/Display.html?id=4631&user=guest&pass=guest
Add --without-openssl-version-check to configure args to avoid this check, or
perhaps consider building with GnuTLS instead.)])
	    AC_MSG_RESULT(no)
	fi

	AC_MSG_CHECKING([for ENGINE_by_id() in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/engine.h>],
					[ENGINE_by_id("foo");])],
		       [AC_MSG_RESULT(yes)
			AC_DEFINE(HAVE_ENGINE, [1], [OpenSSL has ENGINE support])],
		       [AC_MSG_RESULT(no)
			AC_MSG_NOTICE([Building without OpenSSL TPM ENGINE support])])

	AC_MSG_CHECKING([for dtls1_stop_timer() in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>
					 #include <stdlib.h>
					 extern void dtls1_stop_timer(SSL *);],
					[dtls1_stop_timer(NULL);])],
		       [AC_MSG_RESULT(yes)
			AC_DEFINE(HAVE_DTLS1_STOP_TIMER, [1], [OpenSSL has dtls1_stop_timer() function])],
		       [AC_MSG_RESULT(no)])

	# DTLS_client_method() and DTLSv1_2_client_method() were both added between
	# OpenSSL v1.0.1 and v1.0.2. DTLSV1.2_client_method() was later deprecated
	# in v1.1.0 so we use DTLS_client_method() as our check for DTLSv1.2 support
	# and that's what we actually use in openssl-dtls.c too.
	AC_MSG_CHECKING([for DTLS_client_method() in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
					[DTLS_client_method();])],
		       [AC_MSG_RESULT(yes)
			AC_DEFINE(HAVE_DTLS12, [1], [OpenSSL has DTLS_client_method() function])],
		       [AC_MSG_RESULT(no)])

	AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version() in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
					[SSL_CTX_set_min_proto_version((void *)0, 0);])],
		       [AC_MSG_RESULT(yes)
			AC_DEFINE(HAVE_SSL_CTX_PROTOVER, [1], [OpenSSL has SSL_CTX_set_min_proto_version() function])],
		       [AC_MSG_RESULT(no)])

	AC_MSG_CHECKING([for BIO_meth_free() in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/bio.h>],
					[BIO_meth_free((void *)0);])],
		       [AC_MSG_RESULT(yes)
			AC_DEFINE(HAVE_BIO_METH_FREE, [1], [OpenSSL has BIO_meth_free() function])],
		       [AC_MSG_RESULT(no)])

	AC_CHECK_FUNC(HMAC_CTX_copy,
		      [esp=yes],
		      [AC_MSG_WARN([ESP support will be disabled])])

	AC_MSG_CHECKING([for SSL_CIPHER_find() in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
					[SSL_CIPHER_find((void *)0, "");])],
		       [AC_MSG_RESULT(yes)
			AC_DEFINE(HAVE_SSL_CIPHER_FIND, [1], [OpenSSL has SSL_CIPHER_find() function])],
		       [AC_MSG_RESULT(no)])

	AC_MSG_CHECKING([for HKDF support in OpenSSL])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>
					 #include <openssl/kdf.h>],
					[EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
					 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND);])],
		       [AC_MSG_RESULT(yes)
			hpke=yes],
		       [AC_MSG_RESULT(no)])

	LIBS="${oldLIBS}"
	CFLAGS="${oldCFLAGS}"

	dtls=yes
	AC_DEFINE(OPENCONNECT_OPENSSL, 1, [Using OpenSSL])
	AC_DEFINE(OPENSSL_SUPPRESS_DEPRECATED, 1, [We need to update to OpenSSL 3.0.0 API])
	AC_SUBST(SSL_LIBS, ['$(OPENSSL_LIBS)'])
	AC_SUBST(SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
	;;

    GnuTLS)
	oldlibs="$LIBS"
	oldcflags="$CFLAGS"
	LIBS="$GNUTLS_LIBS $LIBS"
	CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
	esp=yes
	dtls=yes

	# Check for the known-broken versions of GnuTLS,
	if test "$with_gnutls_version_check" != "no"; then
           AC_MSG_CHECKING([for known-broken versions of GnuTLS])
           AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <gnutls/gnutls.h>],
			       [#if GNUTLS_VERSION_NUMBER >= 0x030603 && GNUTLS_VERSION_NUMBER <= 0x03060c
			       #error Bad GnuTLS
			       #endif
			       ])],
			 [],
			 [AC_MSG_RESULT(yes)
			  AC_MSG_ERROR([DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.]
[See https://gitlab.com/gnutls/gnutls/issues/960]
[Add --without-gnutls-version-check to configure args to avoid this check (DTLS]
[will still be disabled at runtime), or build with another version.])])
	   AC_MSG_RESULT(no)
       fi
	AC_CHECK_FUNC(gnutls_system_key_add_x509,
		      [AC_DEFINE(HAVE_GNUTLS_SYSTEM_KEYS, 1, [From GnuTLS 3.4.0])], [])
	AC_CHECK_FUNC(gnutls_pkcs11_add_provider,
		      [PKG_CHECK_MODULES(P11KIT, p11-kit-1,
					 [AC_DEFINE(HAVE_P11KIT, 1, [Have. P11. Kit.])
					  pkcs11_support=GnuTLS
					  AC_SUBST(P11KIT_PC, p11-kit-1)],
					 [:])], [])
	# From GnuTLS 3.6.13
	AC_CHECK_FUNC(gnutls_hkdf_expand, [have_hkdf=yes], [have_hkdf=no])

	LIBS="-ltspi $oldlibs"
	AC_MSG_CHECKING([for Trousers tss library])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([
					   #include <trousers/tss.h>
					   #include <trousers/trousers.h>],[
					   int err = Tspi_Context_Create((void *)0);
					   Trspi_Error_String(err);])],
		       [AC_MSG_RESULT(yes)
			AC_SUBST([TSS_LIBS], [-ltspi])
			AC_SUBST([TSS_CFLAGS], [])
			AC_DEFINE(HAVE_TROUSERS, 1, [Have Trousers TSS library])],
		       [AC_MSG_RESULT(no)])

	LIBS="$oldlibs"
	CFLAGS="$oldcflags"

	if test "$have_hkdf" = "yes"; then
		PKG_CHECK_MODULES(HOGWEED, [hogweed],
			[AC_MSG_CHECKING([For hogweed built-in mini-gmp])
			 LIBS="$oldlibs $HOGWEED_LIBS"
			 CFLAGS="$oldcflags $HOGWEED_CFLAGS"
			 AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <nettle/ecc.h>],
							 [mpz_clear((void *)0);])],
					[AC_MSG_RESULT(yes)
					 AC_SUBST(HPKE_CFLAGS, ['$(HOGWEED_FLAGS)'])
					 AC_SUBST(HPKE_LIBS, ['$(HOGWEED_LIBS)'])
					 hpke=yes],
					[AC_MSG_RESULT(no)
					 PKG_CHECK_MODULES(GMP, [gmp],
						[hpke=yes
						 AC_SUBST(HPKE_CFLAGS, ['$(HOGWEED_FLAGS) $(GMP_CFLAGS)'])
						 AC_SUBST(HPKE_LIBS, ['$(HOGWEED_LIBS) $(GMP_LIBS)'])],
						[AC_MSG_CHECKING([for gmp without pkgconfig])
						 LIBS="$LIBS -lgmp"
						 AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <gmp.h>],
										 [mpz_clear((void *)0);])],
								[AC_MSG_RESULT(yes)
								 AC_SUBST(HPKE_CFLAGS, ['$(HOGWEED_FLAGS)'])
								 AC_SUBST(HPKE_LIBS, ['$(HOGWEED_LIBS) -lgmp'])
								 hpke=yes],
								[AC_MSG_RESULT(no)])
						 ])
					 ])
			 LIBS="$oldlibs"
			 CFLAGS="$oldcflags"],
			[:])

	fi

	PKG_CHECK_MODULES(TASN1, [libtasn1], [have_tasn1=yes], [have_tasn1=no])
	if test "$have_tasn1" = "yes"; then
	   if test "$with_gnutls_tss2" = "yes" -o "$with_gnutls_tss2" = "tss2-esys" -o "$with_gnutls_tss2" = ""; then
	      PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys tss2-mu tss2-tctildr],
			     [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])
			      AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) $(TSS2_ESYS_CFLAGS)'])
			      AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_ESYS_LIBS)'])
			      tss2lib=tss2-esys],
			     [:])
	   fi
	   if test "$tss2lib" = "none"; then
	      if test "$with_gnutls_tss2" = "yes" -o "$with_gnutls_tss2" = "ibmtss" -o "$with_gnutls_tss2" = ""; then

		 # The Fedora 'tss2-devel' package puts headers in /usr/include/ibmtss/
		 # and the library is named libibmtss.so. The Ubuntu libtss-dev package
		 # puts headers in /usr/include/${host}/tss2/ and the library is named
		 # libtss.so. Neither ships a pkg-config file at the time I write this.
		 AC_CHECK_LIB([tss], [TSS_Create], [tss2inc=tss2
						    tss2lib=tss],
			      AC_CHECK_LIB([ibmtss], [TSS_Create],
					   [tss2inc=ibmtss
					    tss2lib=ibmtss], []))

		 if test "$tss2lib" != "none"; then
		    AC_MSG_CHECKING([For <${tss2inc}/tss.h>])
		    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#define TPM_POSIX
		                                          #include <${tss2inc}/tss.h>
							  ],[])],
				      [AC_MSG_RESULT(yes)
				       AC_DEFINE_UNQUOTED(HAVE_TSS2, $tss2inc, [TSS2 library])
				       AC_SUBST(TSS2_LIBS, [-l$tss2lib])
				       AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) -DTPM_POSIX'])
				       AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_LIBS)'])],
				      [AC_MSG_RESULT(no)
				       tss2lib=none])
		 fi
	      fi
	   fi
	fi

	AC_DEFINE(OPENCONNECT_GNUTLS, 1, [Using GnuTLS])
	AC_SUBST(SSL_PC, [gnutls])
	AC_SUBST(SSL_LIBS, ['$(GNUTLS_LIBS) $(TPM2_LIBS) $(HPKE_LIBS)'])
	AC_SUBST(SSL_CFLAGS, ['$(GNUTLS_CFLAGS) $(TPM2_CFLAGS) $(HPKE_CFLAGS)'])
	;;

    *)
	# This should never happen
	AC_MSG_ERROR([No SSL library selected])
	;;
esac

case x"$with_gnutls_tss2" in
    xtss2-esys)
	if test "$tss2lib" != "tss2-esys"; then
	   AC_MSG_ERROR([tss2-esys requested but not found])
	fi
	;;

    xibmtss|xtss)
	if test "$tss2lib" != "ibmtss" -a "$tss2lib" != "tss"; then
	   AC_MSG_ERROR([ibmtss requested but not found: $tss2lib])
	fi
	;;

    x|xno)
	;;

    xyes)
	if test "$tss2lib" = "none" -a "$with_gnutls_tss2" = "yes"; then
	   AC_MSG_ERROR([No TSS2 library found])
	fi
	;;

     *)
        AC_MSG_ERROR([Unknown value for gnutls-tss2])
	;;
esac

AM_CONDITIONAL(OPENCONNECT_SYSTEM_KEYS, [ test "$ac_cv_func_gnutls_system_key_add_x509" = "yes" ])
AM_CONDITIONAL(OPENCONNECT_TSS2_ESYS, [ test "$tss2lib" = "tss2-esys" ])
AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" -o "$tss2lib" = "tss" ])

AC_PATH_PROG(SWTPM, swtpm)
SWTPM_IOCTL=""
TPM2_STARTUP=""
TSSTARTUP=""
if test "$SWTPM" != ""; then
    AC_PATH_PROG(SWTPM_IOCTL, swtpm_ioctl)
    AC_PATH_PROG(TPM2_STARTUP, tpm2_startup)
    AC_PATH_PROG(TSSTARTUP, tsstartup)
fi

# The Intel/TCG TSS can only *create* keys
AC_PATH_PROG(TPM2TSS_GENKEY, tpm2tss-genkey)
# James's one can import them too.
AC_PATH_PROG(CREATE_TPM2_KEY, create_tpm2_key)

AC_ARG_ENABLE([hwtpm-test],
	AS_HELP_STRING([--enable-hwtpm-test], [Test TPM support using real TPMv2 [default=no]]),
	[test_hwtpm=$enableval], [test_hwtpm=no])

if test "$test_hwtpm" = "yes" -a "$TPM2TSS_GENKEY$CREATE_TPM2_KEY" = ""; then
   AC_MSG_ERROR([Hardware TPM test requires tpm2tss-genkey and/or create_tpm2_key tools])
fi

AM_CONDITIONAL(TEST_HWTPM, [ test "$test_hwtpm" = "yes" ])
AM_CONDITIONAL(TEST_SWTPM, [ test "$SWTPM_IOCTL" != "" -a \( "$TPM2_STARTUP" != "" -o "$TSSTARTUP" != "" \) ])
AM_CONDITIONAL(TEST_TPM2_CREATE, [ test "$TPM2TSS_GENKEY" != "" ])
AM_CONDITIONAL(TEST_TPM2_IMPORT, [ test "$CREATE_TPM2_KEY" != "" ])

test_pkcs11=
if test "$pkcs11_support" != ""; then
   AC_CHECK_PROG(test_pkcs11, softhsm2-util, yes)
fi
AM_CONDITIONAL(TEST_PKCS11, [ test "$test_pkcs11" = "yes" ])

# The test is OpenSSL-only for now.
AM_CONDITIONAL(CHECK_DTLS, [ test "$ssl_library" = "OpenSSL" ])

AC_ARG_ENABLE([dtls-xfail],
	AS_HELP_STRING([--enable-dtls-xfail], [Only for gitlab CI. Do not use]))
AM_CONDITIONAL(DTLS_XFAIL, [test "$enable_dtls_xfail" = "yes" ])

AC_ARG_ENABLE([dsa-tests],
	AS_HELP_STRING([--disable-dsa-tests], [Disable DSA keys in self-test]),
	[], [enable_dsa_tests=yes])
AM_CONDITIONAL(TEST_DSA, [test "$enable_dsa_tests" = "yes"])

AC_ARG_ENABLE([ppp-tests],
	AS_HELP_STRING([--enable-ppp-tests], [Enable PPP tests (which require socat and pppd, and must run as root)]),
	[enable_ppp_tests=yes])

AC_ARG_ENABLE([flask-tests],
	AS_HELP_STRING([--disable-flask-tests], [Disable Flask-based tests (which require Python 3.6+ and the Flask module)]),
        [], [enable_flask_tests=yes])

AM_CONDITIONAL(OPENCONNECT_GNUTLS,  [ test "$ssl_library" = "GnuTLS" ])
AM_CONDITIONAL(OPENCONNECT_OPENSSL, [ test "$ssl_library" = "OpenSSL" ])
AM_CONDITIONAL(OPENCONNECT_ESP, [ test "$esp" != "" ])
AM_CONDITIONAL(OPENCONNECT_DTLS, [ test "$dtls" != "" ])

if test "$esp" != ""; then
    AC_DEFINE(HAVE_ESP, 1, [Build with ESP support])
fi
if test "$dtls" != ""; then
    AC_DEFINE(HAVE_DTLS, 1, [Build with DTLS support])
fi
if test "$hpke" != ""; then
   AC_DEFINE(HAVE_HPKE_SUPPORT, 1, [Support Cisco external browser HPKE (ECDH+HKDF+AES-256-GCM)])
fi

AC_ARG_WITH(lz4,
  AS_HELP_STRING([--without-lz4], [disable support for LZ4 compression]),
  test_for_lz4=$withval,
  test_for_lz4=yes)

lz4_pkg=no
if test "$test_for_lz4" = yes; then
PKG_CHECK_MODULES([LIBLZ4], [liblz4], [
	AC_SUBST(LIBLZ4_PC, liblz4)
	AC_DEFINE([HAVE_LZ4], [], [LZ4 was found])
	lz4_pkg=yes
	oldLIBS="$LIBS"
	LIBS="$LIBLZ4_LIBS $LIBS"
	oldCFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS $LIBLZ4_CFLAGS"
	AC_MSG_CHECKING([for LZ4_compress_default()])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([
		   #include <lz4.h>],[
		   LZ4_compress_default("", (char *)0, 0, 0);])],
		  [AC_MSG_RESULT(yes)
		   AC_DEFINE([HAVE_LZ4_COMPRESS_DEFAULT], [], [From LZ4 r129])
		  ],
		  [AC_MSG_RESULT(no)])
	LIBS="$oldLIBS"
	CFLAGS="$oldCFLAGS"
],
[
	AC_MSG_WARN([[
***
*** lz4 not found.
*** ]])
])
fi

# For some bizarre reason now that we use AM_ICONV, the mingw32 build doesn't
# manage to set EGREP properly in the created ./libtool script. Make sure it's
# found.
AC_PROG_EGREP

# Needs to happen after we default to static/shared libraries based on OpenSSL
LT_INIT
if test "$use_openbsd_libtool" = "true" && test -x /usr/bin/libtool; then
	echo using OpenBSD libtool
	LIBTOOL=/usr/bin/libtool
fi
AM_CONDITIONAL(OPENBSD_LIBTOOL, [ test "$use_openbsd_libtool" = "true" ])

AX_CHECK_VSCRIPT

PKG_CHECK_MODULES(LIBXML2, libxml-2.0)

AC_ARG_WITH([builtin-json],
	AS_HELP_STRING([--with-builtin-json],
	[Build with builtin json-parser library [default=auto]]))

json=
AS_IF([test "$with_builtin_json" != "yes"],
	[PKG_CHECK_MODULES(JSON, json-parser,
			   [AC_SUBST(JSON_PC, [json-parser])
			    json=system], [:])
      ])

AS_IF([test "$with_builtin_json" != "no"  && test "$json" = "" ],
	[json=builtin
	 oldLIBS="$LIBS"
	 AC_SEARCH_LIBS(pow, [m])
	 LIBS="$oldLIBS"
	 AC_SUBST([JSON_LIBS], [$ac_cv_search_pow])
	 AC_SUBST([JSON_CFLAGS], ['-I$(srcdir)/json'])
      ])

AS_IF([test "$json" = ""],
    AC_MSG_ERROR(No json-parser package found and --without-builtin-json specified)
    )

AM_CONDITIONAL(BUILTIN_JSON, [test "$json" = "builtin"])

PKG_CHECK_MODULES(ZLIB, zlib, [AC_SUBST(ZLIB_PC, [zlib])],
		  [oldLIBS="$LIBS"
		  LIBS="-lz $LIBS"
		  AC_MSG_CHECKING([for zlib without pkg-config])
		  AC_LINK_IFELSE([AC_LANG_PROGRAM([
		   #include <zlib.h>],[
		   z_stream zs;
		   deflateInit2(&zs, Z_DEFAULT_COMPRESSION, Z_DEFLATED,
		   		-12, 9, Z_DEFAULT_STRATEGY);])],
		  [AC_MSG_RESULT(yes)
		   AC_SUBST([ZLIB_LIBS], [-lz])
		   AC_SUBST([ZLIB_CFLAGS], [])],
  		  [AC_MSG_RESULT(no)
		   AC_MSG_ERROR(Could not build against zlib)])
		  LIBS="$oldLIBS"])

AC_ARG_WITH([libproxy],
	AS_HELP_STRING([--without-libproxy],
	[Build without libproxy library [default=auto]]))
AS_IF([test "x$with_libproxy" != "xno"], [
	PKG_CHECK_MODULES(LIBPROXY, libproxy-1.0,
			[AC_SUBST(LIBPROXY_PC, libproxy-1.0)
			 AC_DEFINE([LIBPROXY_HDR], ["proxy.h"], [libproxy header file])
			 libproxy_pkg=yes],
			 libproxy_pkg=no)
], [libproxy_pkg=disabled])

dnl Libproxy *can* exist without a .pc file, and its header may be called
dnl libproxy.h in that case.
if (test "$libproxy_pkg" = "no"); then
   AC_MSG_CHECKING([for libproxy])
   oldLIBS="$LIBS"
   LIBS="-lproxy $LIBS"
   AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <libproxy.h>],
			   [(void)px_proxy_factory_new();])],
	  [AC_MSG_RESULT(yes (with libproxy.h))
	   AC_DEFINE([LIBPROXY_HDR], ["libproxy.h"], [libproxy header file])
	   AC_SUBST([LIBPROXY_LIBS], [-lproxy])
	   libproxy_pkg=yes],
	  [AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <proxy.h>],
				  [(void)px_proxy_factory_new();])],
		  [AC_MSG_RESULT(yes (with proxy.h))
		   AC_DEFINE([LIBPROXY_HDR], ["proxy.h"], [libproxy header file])
		   AC_SUBST([LIBPROXY_LIBS], [-lproxy])
		   libproxy_pkg=yes],
		   [AC_MSG_RESULT(no)])])
   LIBS="$oldLIBS"
fi

AC_ARG_WITH([stoken],
	AS_HELP_STRING([--without-stoken],
	[Build without libstoken library [default=auto]]))
AS_IF([test "x$with_stoken" != "xno"], [
	PKG_CHECK_MODULES(LIBSTOKEN, stoken,
			[AC_SUBST(LIBSTOKEN_PC, stoken)
			 AC_DEFINE([HAVE_LIBSTOKEN], 1, [Have libstoken])
			 libstoken_pkg=yes],
			 libstoken_pkg=no)
], [libstoken_pkg=disabled])
AM_CONDITIONAL(OPENCONNECT_STOKEN, [test "$libstoken_pkg" = "yes"])

AC_ARG_WITH([libpcsclite],
	AS_HELP_STRING([--without-libpcsclite],
	[Build without libpcsclite library (for Yubikey support) [default=auto]]))
AS_IF([test "x$with_libpcsclite" != "xno"], [
	if test "$system_pcsc_libs" != ""; then
	   AC_SUBST(LIBPCSCLITE_LIBS, "$system_pcsc_libs")
	   AC_SUBST(LIBPCSCLITE_CFLAGS, "$system_pcsc_cflags")
	   AC_SUBST(system_pcsc_libs)
	   libpcsclite_pkg=yes
	else
	    PKG_CHECK_MODULES(LIBPCSCLITE, libpcsclite,
			[AC_SUBST(LIBPCSCLITE_PC, libpcsclite)
			 libpcsclite_pkg=yes],
			libpcsclite_pkg=no)
	fi
], [libpcsclite_pkg=disabled])
if test "$libpcsclite_pkg" = "yes"; then
    AC_DEFINE([HAVE_LIBPCSCLITE], 1, [Have libpcsclite])
fi
AM_CONDITIONAL(OPENCONNECT_LIBPCSCLITE, [test "$libpcsclite_pkg" = "yes"])

AC_CHECK_FUNC(epoll_create1, [AC_DEFINE(HAVE_EPOLL, 1, [Have epoll])], [])

AC_ARG_WITH([libpskc],
	AS_HELP_STRING([--without-libpskc],
	[Build without libpskc library [default=auto]]))
AS_IF([test "x$with_libpskc" != "xno"], [
	PKG_CHECK_MODULES(LIBPSKC, [libpskc >= 2.2.0],
		[AC_SUBST(LIBPSKC_PC, libpskc)
		 AC_DEFINE([HAVE_LIBPSKC], 1, [Have libpskc])
		 libpskc_pkg=yes],
		 libpskc_pkg=no)])

linked_gssapi=no
AC_ARG_WITH([gssapi],
	AS_HELP_STRING([--without-gssapi],
	[Build without GSSAPI support [default=auto]]))

AC_DEFUN([GSSAPI_CHECK_BUILD],[
	gss_old_libs="$LIBS"
	LIBS="$LIBS ${GSSAPI_LIBS}"
	AC_MSG_CHECKING([GSSAPI compilation with "${GSSAPI_LIBS}"])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([
			#include <stdlib.h>
			#include GSSAPI_HDR],[
			OM_uint32 major, minor;
			gss_buffer_desc b = GSS_C_EMPTY_BUFFER;
			gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
			gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ctx, GSS_C_NO_NAME, GSS_C_NO_OID,
			    GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
			    NULL, NULL, NULL);])],
	    [linked_gssapi=yes
	     AC_MSG_RESULT(yes)],
	    [linked_gssapi=no
	     AC_MSG_RESULT(no)])
	LIBS="$gss_old_libs"
])

# Attempt to work out how to build with GSSAPI. Mostly, krb5-config will
# exist and work. Tested on FreeBSD 9, OpenBSD 5.5, NetBSD 6.1.4. Solaris
# has krb5-config but it doesn't do GSSAPI so hard-code the results there.
# Older OpenBSD (I tested 5.2) lacks krb5-config so leave that as an example.
if test "$with_gssapi" != "no"; then
    found_gssapi=no

    if test "${with_gssapi}" != "yes" -a "${with_gssapi}" != "" ; then
	gssapi_root="${with_gssapi}"
    else
	gssapi_root=""
    fi

    # First: if they specify GSSAPI_LIBS and/or GSSAPI_CFLAGS then use them.
    if test "$GSSAPI_LIBS$GSSAPI_CFLAGS" != ""; then
	found_gssapi=yes
    fi
    # Second: try finding a viable krb5-config that supports gssapi
    if test "$found_gssapi" = "no"; then
        if test -n "${gssapi_root}"; then
	    krb5path="${gssapi_root}/bin:$PATH"
	else
	    krb5path="/usr/kerberos/bin:$PATH"
	fi

	if test -n "$host_alias"; then
	    AC_PATH_PROG(KRB5_CONFIG, [${host_alias}-krb5-config], [], [$krb5path])
	fi
	if test "$KRB5_CONFIG" = ""; then
	    AC_PATH_PROG(KRB5_CONFIG, [krb5-config], [], [$krb5path])
	fi
	if test "$KRB5_CONFIG" != ""; then
	    AC_MSG_CHECKING([whether $KRB5_CONFIG supports gssapi])
	    if "${KRB5_CONFIG}" --cflags gssapi > /dev/null 2>/dev/null; then
		AC_MSG_RESULT(yes)
		found_gssapi=yes
		GSSAPI_LIBS="`"${KRB5_CONFIG}" --libs gssapi`"
		GSSAPI_CFLAGS="`"${KRB5_CONFIG}" --cflags gssapi`"
	    else
		AC_MSG_RESULT(no)
	    fi
	fi
    fi
    # Third: look for <gssapi.h> or <gssapi/gssapi.h> in some likely places,
    #        and we'll worry about how to *link* it in a moment...
    if test "$found_gssapi" = "no"; then
	if test -n "${gssapi_root}"; then
	    if test -r "${with_gssapi}/include/gssapi.h" -o \
		    -r "${with_gssapi}/include/gssapi/gssapi.h"; then
		GSSAPI_CFLAGS="-I\"${with_gssapi}/include\""
	    fi
	else
	    if test -r /usr/kerberos/include/gssapi.h -o \
		      -r /usr/kerberos/include/gssapi/gssapi.h; then
		GSSAPI_CFLAGS=-I/usr/kerberos/include
	    elif test -r /usr/include/kerberosV/gssapi.h -o \
		      -r /usr/include/kerberosV/gssapi/gssapi.h; then
		# OpenBSD 5.2 puts it here
		GSSAPI_CFLAGS=-I/usr/include/kerberosV
	    else
		# Maybe it'll Just Work
		GSSAPI_CFLAGS=
	    fi
	fi
    fi

    oldcflags="$CFLAGS"
    CFLAGS="$CFLAGS ${GSSAPI_CFLAGS}"

    # OK, now see if we've correctly managed to find gssapi.h at least...
    gssapi_hdr=
    AC_CHECK_HEADER([gssapi/gssapi.h],
	[gssapi_hdr="<gssapi/gssapi.h>"],
	[AC_CHECK_HEADER([gssapi.h],
		[gssapi_hdr="<gssapi.h>"],
		[AC_MSG_WARN([Cannot find <gssapi/gssapi.h> or <gssapi.h>])])])

    # Finally, unless we've already failed, see if we can link it.
    linked_gssapi=no
    if test -n "${gssapi_hdr}"; then
	AC_DEFINE_UNQUOTED(GSSAPI_HDR, $gssapi_hdr, [GSSAPI header])
	if test "$found_gssapi" = "yes"; then
	    # We think we have GSSAPI_LIBS already so try it...
	    GSSAPI_CHECK_BUILD
	else
	    LFLAG=
	    if test -n "$gssapi_root"; then
		LFLAG="-L\"${gssapi_root}/lib$libsuff\""
	    fi
	    # Solaris, HPUX, etc.
	    GSSAPI_LIBS="$LFLAG -lgss"
	    GSSAPI_CHECK_BUILD
	    if test "$linked_gssapi" = "no"; then
		GSSAPI_LIBS="$LFLAG -lgssapi"
		GSSAPI_CHECK_BUILD
	    fi
	    if test "$linked_gssapi" = "no"; then
		GSSAPI_LIBS="$LFLAG -lgssapi_krb5"
		GSSAPI_CHECK_BUILD
	    fi
	    if test "$linked_gssapi" = "no"; then
		# OpenBSD 5.2 at least
		GSSAPI_LIBS="$LFLAG -lgssapi -lkrb5 -lcrypto"
		GSSAPI_CHECK_BUILD
	    fi
	    if test "$linked_gssapi" = "no"; then
		# MIT
		GSSAPI_LIBS="$LFLAG -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err"
		GSSAPI_CHECK_BUILD
	    fi
	    if test "$linked_gssapi" = "no"; then
		# Heimdal
		GSSAPI_LIBS="$LFLAG -lkrb5 -lcrypto -lasn1 -lcom_err -lroken -lgssapi"
		GSSAPI_CHECK_BUILD
	    fi
	    if test "$linked_gssapi" = "no"; then
		AC_MSG_WARN([Cannot find GSSAPI. Try setting GSSAPI_LIBS and GSSAPI_CFLAGS manually])
	    fi
	fi
    fi

    CFLAGS="$oldcflags"

    if test "$linked_gssapi" = "yes"; then
	AC_DEFINE([HAVE_GSSAPI], 1, [Have GSSAPI support])
	AC_SUBST(GSSAPI_CFLAGS)
	AC_SUBST(GSSAPI_LIBS)
    elif test "$with_gssapi" = ""; then
	AC_MSG_WARN([Building without GSSAPI support]);
	unset GSSAPI_CFLAGS
	unset GSSAPI_LIBS
    else
	AC_MSG_ERROR([GSSAPI support requested but not found. Try setting GSSAPI_LIBS/GSSAPI_CFLAGS])
    fi
fi
AM_CONDITIONAL(OPENCONNECT_GSSAPI, [test "$linked_gssapi" = "yes"])

AC_ARG_WITH([java],
	AS_HELP_STRING([--with-java(=DIR)],
		       [Build JNI bindings using jni.h from DIR [default=no]]),
	[], [with_java=no])

if test "$with_java" = "yes"; then
	AX_JNI_INCLUDE_DIR
	for JNI_INCLUDE_DIR in $JNI_INCLUDE_DIRS; do
		  JNI_CFLAGS="$JNI_CFLAGS -I$JNI_INCLUDE_DIR"
	done
elif test "$with_java" = "no"; then
	JNI_CFLAGS=""
else
	JNI_CFLAGS="-I$with_java"
fi

if test "x$JNI_CFLAGS" != "x"; then
	oldCFLAGS="$CFLAGS"
	CFLAGS="$CFLAGS $JNI_CFLAGS"
	AC_MSG_CHECKING([jni.h usability])
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <jni.h>],
		[jint foo = 0; (void)foo;])],
		AC_MSG_RESULT([yes]),
		[AC_MSG_RESULT([no])
		 AC_MSG_ERROR([unable to compile JNI test program])])
	CFLAGS="$oldCFLAGS"

	AC_SUBST(JNI_CFLAGS, [$JNI_CFLAGS])
fi

AM_CONDITIONAL(OPENCONNECT_JNI, [test "$JNI_CFLAGS" != ""])

AC_ARG_ENABLE([jni-standalone],
	AS_HELP_STRING([--enable-jni-standalone],
		       [build JNI stubs directly into libopenconnect.so [default=no]]),
	[jni_standalone=$enableval],
	[jni_standalone=no])
AM_CONDITIONAL(JNI_STANDALONE, [test $jni_standalone = yes])
symver_java=
if test "$jni_standalone" = "yes" ; then
   symver_java=$(sed -n '/JNIEXPORT/{s/^JNIEXPORT.*\(Java_.*\) *(/\1;/ p}' ${srcdir}/jni.c)
   # Remove the newlines between each item.
   symver_java=$(echo $symver_java)
fi
AC_SUBST(SYMVER_JAVA, $symver_java)

AC_ARG_ENABLE([insecure-debugging],
	AS_HELP_STRING([--enable-insecure-debugging],
                      [Enable --servercert=ACCEPT option, and don't logout on SIGINT]),
	[insecure_debugging=yes],[insecure_debugging=no])

if test "$insecure_debugging" = "yes"; then
    oldcflags="$CFLAGS"
    CFLAGS="$CFLAGS -DINSECURE_DEBUGGING"
fi

AC_CHECK_HEADER([if_tun.h],
    [AC_DEFINE([IF_TUN_HDR], ["if_tun.h"], [if_tun.h include path])],
    [AC_CHECK_HEADER([linux/if_tun.h],
        [AC_DEFINE([IF_TUN_HDR], ["linux/if_tun.h"])],
        [AC_CHECK_HEADER([net/if_tun.h],
            [AC_DEFINE([IF_TUN_HDR], ["net/if_tun.h"])],
            [AC_CHECK_HEADER([net/tun/if_tun.h],
                [AC_DEFINE([IF_TUN_HDR], ["net/tun/if_tun.h"])])])])])

AC_CHECK_HEADER([net/if_utun.h], AC_DEFINE([HAVE_NET_UTUN_H], 1, [Have net/if_utun.h]), ,
		[#include <sys/types.h>])

AC_ARG_ENABLE([vhost-net],
	AS_HELP_STRING([--enable-vhost-net],
		       [Build vhost-net support for tun device acceleration [default=no]]),
	[have_vhost=$enableval])

if test "$have_vhost" = "yes"; then
   AC_MSG_CHECKING([for vhost-net support])
   AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
		#include <linux/if_tun.h>
		#include <linux/virtio_net.h>
		#include <linux/vhost.h>
		#include <sys/eventfd.h>

		struct foo {
			struct vring_desc desc;
			struct vring_avail avail;
			struct vring_used used;
			struct virtio_net_hdr_mrg_rxbuf h;
		};
	],[
		(void)eventfd(0, EFD_CLOEXEC|EFD_NONBLOCK);
		(void)VHOST_NET_F_VIRTIO_NET_HDR;
		(void)VIRTIO_F_VERSION_1;
		(void)TUNSETSNDBUF;
		__sync_synchronize();
	])],
	[have_vhost=yes
	 AC_DEFINE([HAVE_VHOST], 1, [Have vhost])
	 AC_MSG_RESULT([yes])],
	[have_vhost=no
	 AC_MSG_RESULT([no])])
fi
AM_CONDITIONAL(OPENCONNECT_VHOST, [test "$have_vhost" = "yes"])

AC_CHECK_HEADER([alloca.h], AC_DEFINE([HAVE_ALLOCA_H], 1, [Have alloca.h]))

AC_CHECK_HEADER([endian.h],
    [AC_DEFINE([ENDIAN_HDR], [<endian.h>], [endian header include path])],
    [AC_CHECK_HEADER([sys/endian.h],
        [AC_DEFINE([ENDIAN_HDR], [<sys/endian.h>])],
        [AC_CHECK_HEADER([sys/isa_defs.h],
            [AC_DEFINE([ENDIAN_HDR], [<sys/isa_defs.h>])])])])

build_www=yes
AC_ARG_ENABLE([docs],
    [AS_HELP_STRING([--enable-docs],
        [enable militant API assertions])],
    [build_www=$enableval],
    [])
if test "${build_www}" = "yes"; then
   AC_PATH_PROGS(PYTHON, [python3 python2 python], [], $PATH:/bin:/usr/bin)
   if test -z "${ac_cv_path_PYTHON}"; then
	AC_MSG_NOTICE([Python not found; not building HTML pages])
	build_www=no
   fi
fi
if test "${build_www}" = "yes"; then
   AC_MSG_CHECKING([if groff can create UTF-8 XHTML])
   AC_PATH_PROGS_FEATURE_CHECK([GROFF], [groff],
	[$ac_path_GROFF -t -K UTF-8 -mandoc -Txhtml /dev/null > /dev/null 2>&1 &&
	 ac_cv_path_GROFF=$ac_path_GROFF])
   if test -n "$ac_cv_path_GROFF"; then
      AC_MSG_RESULT(yes)
      AC_SUBST(GROFF, ${ac_cv_path_GROFF})
   else
      AC_MSG_RESULT([no. Not building HTML pages])
      build_www=no
   fi
fi
AM_CONDITIONAL(BUILD_WWW, [test "${build_www}" = "yes"])

# Checks for tests
PKG_CHECK_MODULES([CWRAP], [uid_wrapper, socket_wrapper], have_cwrap=yes, have_cwrap=no)
AM_CONDITIONAL(HAVE_CWRAP, test "x$have_cwrap" != xno)

have_python36_flask=no
if test "$enable_flask_tests" = "yes" -a -n "${ac_cv_path_PYTHON}"; then
    AC_MSG_CHECKING([for Python 3.6+ with Flask module])
    python3 -c 'import sys; assert sys.version_info >= (3,6); import flask' 2>/dev/null
    if test $? -ne 0 ; then
        AC_MSG_RESULT(not found)
    else
        have_python36_flask=yes
        AC_MSG_RESULT(found)
    fi
fi
AM_CONDITIONAL(HAVE_PYTHON36_FLASK, test "$have_python36_flask" = yes)

have_python37_dataclasses=no
if test "$enable_flask_tests" = "yes" -a -n "${ac_cv_path_PYTHON}"; then
    AC_MSG_CHECKING([for Python 3.7+ or 3.6 with dataclasses backport])
    python3 -c 'import sys; assert sys.version_info >= (3,6); import dataclasses' 2>/dev/null
    if test $? -ne 0 ; then
        AC_MSG_RESULT(not found)
    else
        have_python37_dataclasses=yes
        AC_MSG_RESULT(found)
    fi
fi
AM_CONDITIONAL(HAVE_PYTHON37_DATACLASSES, test "$have_python37_dataclasses" = yes)

if test "$enable_ppp_tests" = "yes"; then
    AC_PATH_PROGS(SOCAT, [socat], [], $PATH:/bin:/usr/bin)
    AC_PATH_PROGS(PPPD, [pppd], [], $PATH:/bin:/usr/bin:/sbin:/usr/sbin/)
    if test -z "${ac_cv_path_SOCAT}" -o -z "${ac_cv_path_PPPD}"; then
       AC_MSG_WARN([socat and/or pppd not found; disabling PPP tests])
       enable_ppp_tests=no
    fi
fi
AM_CONDITIONAL(TEST_PPP, [test "$enable_ppp_tests" = "yes"])

have_netns=no
AC_PATH_PROG(NUTTCP, nuttcp)
if test -n "$ac_cv_path_NUTTCP"; then
    AC_PATH_PROG(IP, ip, [], $PATH:/sbin:/usr/sbin)
    if test -n "$ac_cv_path_IP"; then
	AC_MSG_CHECKING([For network namespaces])
	NETNS=openconnect-configure-test-$$
	if ip netns add $NETNS >/dev/null 2>/dev/null; then
	    ip netns delete $NETNS
	    have_netns=yes
	fi
	AC_MSG_RESULT($have_netns)
    fi
fi
AM_CONDITIONAL(HAVE_NETNS, test "x$have_netns" != xno)

AC_ARG_WITH(asan-broken-tests,
  AS_HELP_STRING([--without-asan-broken-tests], [disable any tests that cannot be run under asan]),
  enable_asan_broken_tests=$withval,
  enable_asan_broken_tests=yes)

AC_MSG_CHECKING([whether to enable broken in asan tests])
AC_MSG_RESULT([${enable_asan_broken_tests}])

AM_CONDITIONAL(DISABLE_ASAN_BROKEN_TESTS, test "x$enable_asan_broken_tests" = xno)

AC_SUBST([CONFIG_STATUS_DEPENDENCIES],
	 ['$(top_srcdir)/po/LINGUAS \
	   $(top_srcdir)/openconnect.h \
           $(top_srcdir)/libopenconnect.map.in \
	   $(top_srcdir)/openconnect.8.in \
	   $(top_srcdir)/tests/softhsm2.conf.in \
	   $(top_srcdir)/tests/configs/test-user-cert.config.in \
	   $(top_srcdir)/tests/configs/test-user-pass.config.in'])

RAWLINGUAS=`sed -e "/^#/d" -e "s/#.*//" "${srcdir}/po/LINGUAS"`
# Remove newlines
LINGUAS=`echo $RAWLINGUAS`
AC_SUBST(LINGUAS)

APIMAJOR="`sed -n 's/^#define OPENCONNECT_API_VERSION_MAJOR \(.*\)/\1/p' ${srcdir}/openconnect.h`"
APIMINOR="`sed -n 's/^#define OPENCONNECT_API_VERSION_MINOR \(.*\)/\1/p' ${srcdir}/openconnect.h`"
AC_SUBST(APIMAJOR)
AC_SUBST(APIMINOR)

# We want version.c to depend on the files that would affect the
# output of version.sh. But we cannot assume that they'll exist,
# and we cannot use $(wildcard) in a non-GNU makefile. So we just
# depend on the files which happen to exist at configure time.
GITVERSIONDEPS=
for a in ${srcdir}/.git/index ${srcdir}/.git/packed-refs \
         ${srcdir}/.git/refs/tags ${srcdir}/.git/HEAD; do
    if test -r $a ; then
       GITVERSIONDEPS="$GITVERSIONDEPS $a"
    fi
done
AC_SUBST(GITVERSIONDEPS)

AC_SUBST(OCSERV_USER, $(whoami))
AC_SUBST(OCSERV_GROUP, $(groups|cut -f 1 -d ' '))

AC_CONFIG_FILES(Makefile openconnect.pc po/Makefile www/Makefile \
		libopenconnect.map openconnect.8 www/styles/Makefile \
		www/inc/Makefile www/images/Makefile tests/Makefile \
		tests/softhsm2.conf tests/configs/test-user-cert.config \
		tests/configs/test-user-pass.config)
AC_OUTPUT

AC_DEFUN([SUMMARY],
	 [pretty="$2"
	 if test "$pretty" = "openssl"; then
	     pretty=OpenSSL
	 elif test "$pretty" = "gnutls" -o "$pretty" = "both"; then
	     pretty=GnuTLS
	 elif test "$pretty" = ""; then
	     pretty=no
	 fi
	 echo "AS_HELP_STRING([$1:],[$pretty])"])

echo "BUILD OPTIONS:"
SUMMARY([SSL library], [$ssl_library])
SUMMARY([[PKCS#11 support]], [$pkcs11_support])
if test "$ssl_library" = "GnuTLS"; then
 SUMMARY([TSS2 library], [$tss2lib])
fi
SUMMARY([DTLS support], [$dtls])
SUMMARY([ESP support], [$esp])
SUMMARY([HPKE support], [$hpke])
SUMMARY([libproxy support], [$libproxy_pkg])
SUMMARY([RSA SecurID support], [$libstoken_pkg])
SUMMARY([PSKC OATH file support], [$libpskc_pkg])
SUMMARY([GSSAPI support], [$linked_gssapi])
SUMMARY([vhost-net support], [$have_vhost])
SUMMARY([Yubikey support], [$libpcsclite_pkg])
SUMMARY([JSON parser], [$json])
SUMMARY([LZ4 compression], [$lz4_pkg])
SUMMARY([Java bindings], [$with_java])
SUMMARY([Build docs], [$build_www])
SUMMARY([Unit tests], [$have_cwrap])
SUMMARY([Net namespace tests], [$have_netns])
SUMMARY([DSA tests], [$enable_dsa_tests])
SUMMARY([PPP tests], [$enable_ppp_tests])
SUMMARY([Flask tests], [$have_python36_flask])
SUMMARY([Insecure debugging], [$insecure_debugging])
SUMMARY([NSIS installer], [$build_nsis])

if test "$ssl_library" = "OpenSSL"; then
    AC_MSG_WARN([[
***
*** Be sure to run "make check" to verify OpenSSL DTLS support
*** ]])
fi