Files
wolfssl/configure.ac
T
Tobias Frauenschläger fb6b62dd8e Rename Dilithium to canonical ML-DSA (FIPS 204) names
NIST standardized the pre-standardization Dilithium signature scheme as
ML-DSA in FIPS 204. Migrate the provider's user-visible surface to
canonical spellings, with a temporary shim that preserves source-level
backward compatibility for existing consumers.

Renames
-------
* File: wolfcrypt/src/dilithium.c -> wolfcrypt/src/wc_mldsa.c
* New canonical header: wolfssl/wolfcrypt/wc_mldsa.h
* Types: dilithium_key -> MlDsaKey, wc_dilithium_params -> MlDsaParams
* Functions: wc_dilithium_* / wc_Dilithium_* -> wc_MlDsaKey_*
* Build gates: HAVE_DILITHIUM -> WOLFSSL_HAVE_MLDSA,
  WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* -> WOLFSSL_MLDSA_* / WC_MLDSA_*
* Configure flag: --enable-mldsa (legacy --enable-dilithium still works)
* CMake option: WOLFSSL_MLDSA (legacy WOLFSSL_DILITHIUM emits a
  DEPRECATION message)

Backward compatibility
----------------------
wolfssl/wolfcrypt/dilithium.h is now a temporary compatibility shim:
* Forward-translates legacy build gates to canonical (the two sub-gates
  read by certs_test.h are translated in settings.h so the auto-generated
  header is reachable without including dilithium.h; the remainder lives
  in dilithium.h itself).
* Reverse-translates canonical gates back to legacy so unmigrated
  consumer code keying off HAVE_DILITHIUM / WOLFSSL_DILITHIUM_* keeps
  compiling.
* Provides macro / static-inline aliases for the legacy type and
  function names so source-level callers compile unchanged. Sets
  WC_DILITHIUMKEY_TYPE_DEFINED to suppress strict-C99 typedef
  redefinition in asn_public.h.

Two opt-outs are honored: WOLFSSL_NO_DILITHIUM_LEGACY_GATES disables
build-gate translation; WOLFSSL_NO_DILITHIUM_LEGACY_NAMES disables the
symbol aliases. Both are temporary and the shim will be removed in a
future release. doc/dilithium-to-mldsa-migration.md describes the
migration path for downstream consumers.

ABI note
--------
The library now exports wc_MlDsaKey_* instead of wc_dilithium_*.
Pre-built binaries that linked against the legacy symbols need to
recompile against the shim header (which resolves to the new symbols at
compile time) or migrate to the canonical names directly. Source code
keeps building unchanged.

Other changes
-------------
* wolfssl/wolfcrypt/memory.h: drop ML-DSA sub-gate branching for static
  memory pool sizing; WOLFSSL_HAVE_MLDSA builds now pick the larger
  LARGEST_MEM_BUCKET / WOLFMEM_BUCKETS / WOLFMEM_DIST unconditionally.
  Override these macros for small-mem builds.
* gencertbuf.pl + wolfssl/certs_test.h: outer guards migrated to the
  canonical WOLFSSL_HAVE_MLDSA spelling.
* tests/api/test_mldsa.c: adds compile-time API surface validators
  (canonical wc_MlDsaKey_* surface plus legacy alias surface) so
  signature drift produces a build error during make check.
* IDE files (Xcode, INTIME-RTOS, WIN10, VS2022, CSharp wrapper), Zephyr
  CMakeLists.txt, and autotools include.am updated for the rename.
* DYNAMIC_TYPE_DILITHIUM and ML_DSA_PCT_E retained as internal symbols;
  scheduled to be renamed alongside the eventual shim removal.
2026-05-16 09:48:35 -05:00

12960 lines
431 KiB
Plaintext

# configure.ac
#
# Copyright (C) 2006-2026 wolfSSL Inc.
#
# This file is part of wolfSSL. (formerly known as CyaSSL)
#
#
AC_COPYRIGHT([Copyright (C) 2006-2026 wolfSSL Inc.])
AC_PREREQ([2.69])
AC_INIT([wolfssl],[5.9.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
AC_CONFIG_AUX_DIR([build-aux])
# Inhibit unwanted regeneration of autotools artifacts by Makefile.
AM_MAINTAINER_MODE([disable])
# The following sets CFLAGS to empty if unset on command line. We do not
# want the default "-g -O2" that AC_PROG_CC sets automatically.
: ${CFLAGS=""}
# Capture user C_EXTRA_FLAGS from configure line.
# Use of C_EXTRA_FLAGS is deprecated because CFLAGS was fixed but someone
# might still be using it.
CFLAGS="$CFLAGS $C_EXTRA_FLAGS $C_FLAGS"
AC_PROG_CC
AM_PROG_CC_C_O
AC_CANONICAL_HOST
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE([1.13.4 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])])
AC_ARG_PROGRAM
# Optional CMake package install (enabled by default)
AC_ARG_ENABLE([cmake-install],
[AS_HELP_STRING([--disable-cmake-install],[Disable installation of CMake package files])],
[ ENABLED_CMAKE_INSTALL=$enableval ],
[ ENABLED_CMAKE_INSTALL=yes ])
AM_CONDITIONAL([CMAKE_INSTALL],[test "x$ENABLED_CMAKE_INSTALL" = "xyes"])
AC_CONFIG_HEADERS([config.h:config.in])
LT_PREREQ([2.4.2])
LT_INIT([disable-static win32-dll])
AC_ARG_VAR(EXTRA_CPPFLAGS, [Extra CPPFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
AC_ARG_VAR(EXTRA_CCASFLAGS, [Extra CCASFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
AC_ARG_VAR(EXTRA_LDFLAGS, [Extra LDFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
WOLFSSL_CONFIG_ARGS=$ac_configure_args
AC_SUBST([WOLFSSL_CONFIG_ARGS])
# Store configure options and CFLAGS for debian rules generation
CONFIGURE_OPTIONS="$ac_configure_args"
AC_SUBST([CONFIGURE_OPTIONS])
# shared library versioning
# The three numbers in the libwolfssl.so.*.*.* file name. Unfortunately
# increment if interfaces have been removed or changed
WOLFSSL_LIBRARY_VERSION_FIRST=44
# increment if interfaces have been added
# set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented
WOLFSSL_LIBRARY_VERSION_SECOND=2
# increment if source code has changed
# set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or
# WOLFSSL_LIBRARY_VERSION_SECOND is incremented
WOLFSSL_LIBRARY_VERSION_THIRD=0
WOLFSSL_LIBRARY_VERSION=${WOLFSSL_LIBRARY_VERSION_FIRST}:${WOLFSSL_LIBRARY_VERSION_SECOND}:${WOLFSSL_LIBRARY_VERSION_THIRD}
AC_SUBST([WOLFSSL_LIBRARY_VERSION_FIRST])
AC_SUBST([WOLFSSL_LIBRARY_VERSION_SECOND])
AC_SUBST([WOLFSSL_LIBRARY_VERSION_THIRD])
AC_SUBST([WOLFSSL_LIBRARY_VERSION])
gl_VISIBILITY
AS_IF([ test -n "$CFLAG_VISIBILITY" ], [
AM_CFLAGS="$AM_CFLAGS $CFLAG_VISIBILITY"
])
WOLFSSL_BUILD_DATE=$(LC_TIME=C date +"%a, %d %b %Y %T %z")
AC_SUBST([WOLFSSL_BUILD_DATE])
# Moved these size of and type checks before the library checks.
# The library checks add the library to subsequent test compiles
# and in some rare cases, the networking check causes these sizeof
# checks to fail.
AC_CHECK_SIZEOF([long long])
AC_CHECK_SIZEOF([long])
AC_CHECK_SIZEOF([time_t])
AC_CHECK_TYPES([__uint128_t])
# Distro build feature subset (Debian, Ubuntu, etc.)
AC_ARG_ENABLE([distro],
[AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])],
[ ENABLED_DISTRO=$enableval ],
[ ENABLED_DISTRO=no ]
)
if test "$ENABLED_DISTRO" = "yes"
then
enable_shared=yes
enable_static=yes
enable_all=yes
enable_earlydata=no
REPRODUCIBLE_BUILD_DEFAULT=yes
else
REPRODUCIBLE_BUILD_DEFAULT=no
fi
# Fail when an option is passed that is not recognized
m4_divert_once([DEFAULTS], [enable_option_checking=fatal])
# Allow experimental settings
AC_ARG_ENABLE([experimental],
[AS_HELP_STRING([--enable-experimental],[Allow experimental settings in the configuration (default: disabled)])],
[ ENABLED_EXPERIMENTAL=$enableval ],
[ ENABLED_EXPERIMENTAL=no ]
)
if test "$ENABLED_EXPERIMENTAL" = "yes"
then
AS_IF([ test "$ENABLED_DISTRO" = "yes" && test "$ENABLED_EXPERIMENTAL" = "yes" ],[ AC_MSG_ERROR([--enable-distro and --enable-experimental are mutually exclusive.]) ])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXPERIMENTAL_SETTINGS"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_EXPERIMENTAL_SETTINGS"
fi
# Kernel module benchmark
AC_ARG_ENABLE([kernel-benchmarks],
[AS_HELP_STRING([--enable-kernel-benchmarks],[Enable crypto benchmarking autorun at module load time for kernel module (default: disabled)])],
[ENABLED_KERNEL_BENCHMARKS=$enableval],
[ENABLED_KERNEL_BENCHMARKS="no"])
if test "$ENABLED_KERNEL_BENCHMARKS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_BENCHMARKS"
fi
AC_SUBST([ENABLED_KERNEL_BENCHMARKS])
AC_ARG_ENABLE([kernel-verbose-debug],
[AS_HELP_STRING([--enable-kernel-verbose-debug],[Enable supplementary runtime debugging messages for kernel module (default: disabled)])],
[ENABLED_KERNEL_VERBOSE_DEBUG=$enableval],
[ENABLED_KERNEL_VERBOSE_DEBUG="no"])
if test "$ENABLED_KERNEL_VERBOSE_DEBUG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_VERBOSE_DEBUG"
fi
AC_ARG_ENABLE([kernel-stack-debug],
[AS_HELP_STRING([--enable-kernel-stack-debug],[Enable runtime reporting of stack usage in kernel module (default: disabled)])],
[ENABLED_KERNEL_STACK_DEBUG=$enableval],
[ENABLED_KERNEL_STACK_DEBUG="no"])
if test "$ENABLED_KERNEL_STACK_DEBUG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_STACK_DEBUG"
fi
# Linux Kernel Module options (more options later)
AC_ARG_ENABLE([linuxkm],
[AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])],
[ENABLED_LINUXKM=$enableval],
[ENABLED_LINUXKM=no]
)
AC_ARG_ENABLE([linuxkm-defaults],
[AS_HELP_STRING([--enable-linuxkm-defaults],[Enable feature defaults for Linux Kernel Module (default: disabled)])],
[KERNEL_MODE_DEFAULTS=$enableval],
[KERNEL_MODE_DEFAULTS=$ENABLED_LINUXKM]
)
# FreeBSD Kernel Module
AC_ARG_ENABLE([freebsdkm],
[AS_HELP_STRING([--enable-freebsdkm],[Enable FreeBSD Kernel Module (default: disabled)])],
[ENABLED_BSDKM=$enableval],
[ENABLED_BSDKM=no]
)
AC_ARG_ENABLE([freebsdkm-crypto-register],
[AS_HELP_STRING([--enable-freebsdkm-crypto-register],[Register wolfCrypt implementations with the FreeBSD kernel opencrypto framework. (default: disabled)])],
[ENABLED_BSDKM_REGISTER=$enableval],
[ENABLED_BSDKM_REGISTER=no]
)
AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h sys/un.h ctype.h sys/random.h])
AC_CHECK_LIB([network],[socket])
AC_C_BIGENDIAN
AC_C___ATOMIC
if test "x$ENABLED_BSDKM" = "xyes"; then
# The <stdatomic.h> header should not be included in freebsd kernel build.
# Look for <machine/atomic.h> instead.
AC_CHECK_HEADER(machine/atomic.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H"],[])
else
AC_CHECK_HEADER(stdatomic.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H"],[])
fi
AC_CHECK_HEADER(assert.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ASSERT_H"],[])
# check if functions of interest are linkable, but also check if
# they're declared by the expected headers, and if not, supersede the
# unusable positive from AC_CHECK_FUNCS().
AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid getrandom])
AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii, getpid, getrandom], [], [
if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
then
AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.])
eval "ac_cv_func_${as_decl_name}=no"
_mask_varname=HAVE_`eval "echo '${as_decl_name}'" | tr 'a-z' 'A-Z'`
sed --in-place "s~^#define ${_mask_varname} 1$~~" confdefs.h
fi
], [[
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_STRING_H
#include <string.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_TIME_H
#include <time.h>
#endif
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_CTYPE_H
#include <ctype.h>
#endif
#ifdef HAVE_SYS_RANDOM_H
#include <sys/random.h>
#endif
]])
AC_PROG_INSTALL
AC_TYPE_SIZE_T
AC_TYPE_UINT8_T
AC_TYPE_UINTPTR_T
AM_PROG_AS
OPTIMIZE_CFLAGS="-Os"
OPTIMIZE_FAST_CFLAGS="-O2"
OPTIMIZE_HUGE_CFLAGS="-funroll-loops -DTFM_SMALL_SET -DTFM_HUGE_SET"
DEBUG_CFLAGS="-g -DDEBUG -DDEBUG_WOLFSSL"
LIB_ADD=
LIB_STATIC_ADD=
PC_LIBS_PRIVATE=""
OPTIMIZE_CFLAGS="$OPTIMIZE_CFLAGS $EXTRA_OPTS_CFLAGS"
OPTIMIZE_FAST_CFLAGS="$OPTIMIZE_FAST_CFLAGS $EXTRA_OPTS_CFLAGS"
OPTIMIZE_HUGE_CFLAGS="$OPTIMIZE_HUGE_CFLAGS $EXTRA_OPTS_CFLAGS"
DEBUG_VFLAGS="$DEBUG_VFLAGS $EXTRA_OPTS_CFLAGS"
if test "$output_objdir" = ""
then
output_objdir=.
fi
# Thread local storage
thread_ls_on="no"
AC_ARG_ENABLE([threadlocal],
[AS_HELP_STRING([--enable-threadlocal],[Enable thread local support (default: enabled)])],
[ ENABLED_THREADLOCAL=$enableval ],
[ ENABLED_THREADLOCAL=yes ]
)
if test "$ENABLED_THREADLOCAL" = "yes"
then
AX_TLS([thread_ls_on=yes],[thread_ls_on=no])
AS_IF([test "x$thread_ls_on" = "xyes"],[AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"])
fi
# DEBUG
AX_DEBUG
AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CFLAGS="$AM_CFLAGS $DEBUG_CFLAGS"],
[AM_CFLAGS="$AM_CFLAGS -DNDEBUG"])
AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CCASFLAGS="$DEBUG_CFLAGS $AM_CCASFLAGS"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DNDEBUG"])
AC_ARG_ENABLE([debug-code-points],
[ AS_HELP_STRING([--enable-debug-code-points],[Include source file and line number in --enable-debug messages.]) ],
[ ENABLED_DEBUG_CODEPOINTS=$enableval ],
[ ENABLED_DEBUG_CODEPOINTS=no ]
)
if test "$ENABLED_DEBUG_CODEPOINTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEBUG_CODEPOINTS"
fi
AC_ARG_ENABLE([debug-trace-errcodes],
[ AS_HELP_STRING([--enable-debug-trace-errcodes],[Print trace messages when library errors are thrown.]) ],
[ ENABLED_DEBUG_TRACE_ERRCODES=$enableval ],
[ ENABLED_DEBUG_TRACE_ERRCODES=no ]
)
if test "$ENABLED_DEBUG_TRACE_ERRCODES" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEBUG_TRACE_ERROR_CODES"
fi
if test "$ENABLED_DEBUG_TRACE_ERRCODES" = "backtrace"
then
AM_CFLAGS="$AM_CFLAGS -g -funwind-tables -DWOLFSSL_DEBUG_BACKTRACE_ERROR_CODES"
AM_LDFLAGS="$AM_LDFLAGS -lbacktrace"
fi
# Start without certificates enabled and enable if a certificate algorithm is
# enabled
ENABLED_CERTS="no"
# Implements requirements from RFC9325
AC_ARG_ENABLE([harden-tls],
[AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are <yes>, <112>, or <128>. <yes> is equivalent to <112>. (default: disabled)])],
[ ENABLED_HARDEN_TLS=$enableval ],
[ ENABLED_HARDEN_TLS=no ]
)
if test "x$ENABLED_HARDEN_TLS" != "xno"
then
if test "x$ENABLED_HARDEN_TLS" = "xyes" || test "x$ENABLED_HARDEN_TLS" = "x112"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112"
elif test "x$ENABLED_HARDEN_TLS" = "x128"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128"
else
AC_MSG_ERROR([Invalid value for --enable-harden-tls])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_ALERTS -DWOLFSSL_CHECK_ALERT_ON_ERR"
fi
# Support for forcing 32-bit mode
# To force 32-bit instructions use:
# ./configure CFLAGS="-m32" LDFLAGS="-m32" && make
# The checks for sizeof long and long/long are run at the top of configure and require "-m32" to be set directly in the ./configure statement.
AC_ARG_ENABLE([32bit],
[AS_HELP_STRING([--enable-32bit],[Enables 32-bit support (default: disabled)])],
[ ENABLED_32BIT=$enableval ],
[ ENABLED_32BIT=no ]
)
if test "$ENABLED_32BIT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_32BIT_CPU"
fi
# 16-bit compiler support
AC_ARG_ENABLE([16bit],
[AS_HELP_STRING([--enable-16bit],[Enables 16-bit support (default: disabled)])],
[ ENABLED_16BIT=$enableval ],
[ ENABLED_16BIT=no ]
)
if test "$ENABLED_16BIT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_16BIT_CPU"
fi
AC_ARG_ENABLE([64bit],
[AS_HELP_STRING([--enable-64bit],[Enables 64-bit support (default: disabled)])],
[ ENABLED_64BIT=$enableval ],
[ ENABLED_64BIT=no ]
)
AC_ARG_ENABLE([kdf],
[AS_HELP_STRING([--enable-kdf],[Enables kdf support (default: enabled)])],
[ ENABLED_KDF=$enableval ],
[ ENABLED_KDF=yes ]
)
AC_ARG_ENABLE([hmac],
[AS_HELP_STRING([--enable-hmac],[Enables HMAC support (default: enabled)])],
[ ENABLED_HMAC=$enableval ],
[ ENABLED_HMAC=yes ]
)
AC_ARG_ENABLE([hmac-copy],
[AS_HELP_STRING([--enable-hmac-copy],[Enables digest copying implementation for HMAC (default: disabled)])],
[ ENABLED_HMAC_COPY=$enableval ],
[ ENABLED_HMAC_COPY=no ]
)
if test "$ENABLED_HMAC_COPY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HMAC_COPY_HASH"
fi
AC_ARG_ENABLE([do178],
[AS_HELP_STRING([--enable-do178],[Enable DO-178, Will NOT work w/o DO178 license (default: disabled)])],
[ENABLED_DO178=$enableval],
[ENABLED_DO178="no"])
if test "$ENABLED_DO178" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DO178"
else
AM_CFLAGS="$AM_CFLAGS -DHAVE_DO178"
fi
# Support for disabling all ASM
AC_ARG_ENABLE([asm],
[AS_HELP_STRING([--enable-asm],[Enables option for assembly (default: enabled)])],
[ ENABLED_ASM=$enableval ],
[ ENABLED_ASM=yes ]
)
if test "$ENABLED_ASM" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DTFM_NO_ASM -DWOLFSSL_NO_ASM"
fi
AC_SUBST([ENABLED_ASM])
# Default math is SP Math all and not fast math
# FIPS v1 and v2 must use fast math
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
# FIPS 140
AC_ARG_ENABLE([fips],
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2/3, Will NOT work w/o FIPS license (default: disabled)])],
[ENABLED_FIPS=$enableval],
[ENABLED_FIPS="no"])
FIPS_FLAVOR="$ENABLED_FIPS"
AC_SUBST([FIPS_FLAVOR])
# wolfProvider Options
AC_ARG_ENABLE([wolfprovider],
[AS_HELP_STRING([--enable-wolfprovider],[Enable wolfProvider options (default: disabled)])],
[ ENABLED_WOLFPROVIDER=$enableval ],
[ ENABLED_WOLFPROVIDER=no ]
)
if test "x$ENABLED_WOLFPROVIDER" != "xno"
then
test -z "$enable_all_crypto" && enable_all_crypto=yes
test -z "$enable_opensslcoexist" && enable_opensslcoexist=yes
test -z "$enable_sha" && enable_sha=yes
test -z "$with_eccminsz" && with_eccminsz=192
test -z "$with_max_ecc_bits" && with_max_ecc_bits=1024
AM_CFLAGS="$AM_CFLAGS -DHAVE_WOLFPROVIDER -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
fi
# wolfEngine Options
AC_ARG_ENABLE([engine],
[AS_HELP_STRING([--enable-engine],[Enable wolfEngine options (default: disabled)])],
[ ENABLED_WOLFENGINE=$enableval ],
[ ENABLED_WOLFENGINE=no ]
)
if test "x$ENABLED_WOLFENGINE" != "xno"
then
test -z "$with_eccminsz" && with_eccminsz=192
fi
AS_CASE([$ENABLED_WOLFENGINE],
[no],[
ENABLED_WOLFENGINE="no"
],
[disabled],[
ENABLED_WOLFENGINE="no"
],
[yes|fips-v2|cert3389],[
ENABLED_WOLFENGINE="yes"
ENABLED_FIPS="v2"
],
[fips-v5],[
ENABLED_WOLFENGINE="yes"
ENABLED_FIPS="v5"
],
[fips-v6],[
ENABLED_WOLFENGINE="yes"
ENABLED_FIPS="v6"
],
[fips-ready],[
ENABLED_WOLFENGINE="yes"
ENABLED_FIPS="ready"
],
[no-fips],[
ENABLED_WOLFENGINE="yes"
ENABLED_FIPS="no"
],
[
AC_MSG_ERROR([Invalid value for --enable-engine "$ENABLED_WOLFENGINE" (options: fips-v2, fips-ready, no-fips, no, disabled)])
])
# The FIPS options are:
# no - FIPS build disabled, FIPS sources forbidden in build tree
# disabled - FIPS build disabled, FIPS sources ignored in build tree
# v1 - FIPS 140-2 Cert 2425
# default - same as v1
# v2 - FIPS 140-2 Cert 3389
# cert3389 - alias for v2
# rand - wolfRand
# v5 - FIPS 140-3 Cert 4718
# cert4718 - alias for v5
# v5.2.3 -- FIPS 140-3 with support for ARM acceleration, derived from Cert 4718
# v5.2.4 -- FIPS 140-3 with support for Linux kernel mode, derived from v5.2.3
# ready - FIPS 140-3 settings with in-tree wolfcrypt sources, feature locked
# dev - FIPS 140-3 settings with in-tree wolfcrypt sources, features freely adjustable
# v5-ready - Alias for ready.
# v5-dev - Alias for dev.
# v6 - The SRTP-KDF-full-submission
#
# These options have been retired, but are listed here for historical reference:
# v5-RC8 - historical FIPS 140-3 (wolfCrypt WCv5.0-RC8).
# HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 0.
# v5-RC9 - historical FIPS 140-3 (wolfCrypt WCv5.0-RC9)
# HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 1.
# v5-RC10 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC10
# HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 2.
# v5-RC11 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC11
# HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 2.
# v5-RC12 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC12
AS_CASE([$ENABLED_FIPS],
[no],[
FIPS_VERSION="none"
],
[disabled],[
FIPS_VERSION="disabled"
ENABLED_FIPS="no"
],
[v1|cert2425],[
FIPS_VERSION="v1"
HAVE_FIPS_VERSION_MAJOR=1
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_FAST_MATH="yes"
],
[v2|cert3389],[
FIPS_VERSION="v2"
HAVE_FIPS_VERSION_MAJOR=2
HAVE_FIPS_VERSION_MINOR=0
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_FAST_MATH="yes"
],
[rand],[
FIPS_VERSION="rand"
HAVE_FIPS_VERSION_MAJOR=2
HAVE_FIPS_VERSION_MINOR=1
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_FAST_MATH="no"
],
[v5|cert4718],[
FIPS_VERSION="v5"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=1
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_FAST_MATH="yes"
],
[v5.2.3],[
FIPS_VERSION="v5"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=3
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
[v5.2.4],[
FIPS_VERSION="v5"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=4
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
[v5-RC12],[
FIPS_VERSION="v5-RC12"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_FAST_MATH="yes"
],
[v5-ready],[
FIPS_VERSION="v5-ready"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=3
ENABLED_FIPS="yes"
DEF_SP_MATH="no"
DEF_FAST_MATH="yes"
],
[v5-dev],[
FIPS_VERSION="v5-dev"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=2
HAVE_FIPS_VERSION_PATCH=1
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[v5-kcapi],[
FIPS_VERSION="v5-dev"
HAVE_FIPS_VERSION_MAJOR=5
HAVE_FIPS_VERSION_MINOR=3
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[v6|v6-dev],[
FIPS_VERSION="v6"
HAVE_FIPS_VERSION=6
HAVE_FIPS_VERSION_MAJOR=6
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
[v7],[
FIPS_VERSION="v7"
HAVE_FIPS_VERSION=7
HAVE_FIPS_VERSION_MAJOR=7
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
# Should always remain one ahead of the latest so as not to be confused with
# the latest
[ready|v7-ready],[
FIPS_VERSION="ready"
HAVE_FIPS_VERSION=8
HAVE_FIPS_VERSION_MAJOR=8
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
],
[dev|v7-dev],[
FIPS_VERSION="dev"
HAVE_FIPS_VERSION_MAJOR=8
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
FIPS_VERSION="$ENABLED_FIPS"
HAVE_FIPS_VERSION_MAJOR=8
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
],
[
AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"])
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, v7, ready, dev, rand, lean-aesgcm, no, disabled)])
])
if test -z "$HAVE_FIPS_VERSION_MAJOR"
then
HAVE_FIPS_VERSION_MAJOR=0
fi
if test -z "$HAVE_FIPS_VERSION_MINOR"
then
HAVE_FIPS_VERSION_MINOR=0
fi
if test -z "$HAVE_FIPS_VERSION_PATCH"
then
HAVE_FIPS_VERSION_PATCH=0
fi
if test -z "$HAVE_FIPS_VERSION"
then
HAVE_FIPS_VERSION="$HAVE_FIPS_VERSION_MAJOR"
fi
if test "$ENABLED_FIPS" != "no"
then
REPRODUCIBLE_BUILD_DEFAULT=yes
fi
AS_CASE([$FIPS_VERSION],
[none],
[
AS_IF([ test -s $srcdir/wolfcrypt/src/fips.c ],
[AC_MSG_ERROR([FIPS source tree is incompatible with non-FIPS build (requires --enable-fips)])])
],
[disabled],
[],
[
AS_IF([ ! test -s $srcdir/wolfcrypt/src/fips.c],
[AC_MSG_ERROR([non-FIPS source tree is incompatible with --enable-fips=$enableval])])
]
)
# For reproducible build, gate out from the build anything that might
# introduce semantically frivolous jitter, maximizing chance of
# identical object files.
AC_ARG_ENABLE([reproducible-build],
[AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])],
[ ENABLED_REPRODUCIBLE_BUILD=$enableval ],
[ ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT ]
)
if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes"
then
# Test ar for the "D" option. Should be checked before the libtool macros.
if test -z "$AR"; then
AR=ar
fi
xxx_ar_flags=$(${AR} --help 2>&1)
if test -z "$RANLIB"; then
RANLIB=ranlib
fi
xxx_ranlib_flags=$(${RANLIB} --help 2>&1)
AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr" lt_ar_flags="Dcr"])
AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="${RANLIB} -D"])
AM_CFLAGS="$AM_CFLAGS -DHAVE_REPRODUCIBLE_BUILD"
# opportunistically use -ffile-prefix-map (added in GCC8 and LLVM10)
if "$CC" -ffile-prefix-map=/tmp=. -x c - -o /dev/null >/dev/null 2>&1 <<' EOF'
#include <stdlib.h>
int main(int argc, char **argv) {
(void)argc; (void)argv; return 0;
}
EOF
then
AM_CFLAGS="$AM_CFLAGS -ffile-prefix-map=\$(abs_top_srcdir)/= -ffile-prefix-map=\$(top_srcdir)/="
fi
# opportunistically force linker option --build-id=sha1 (usually the default)
if "$CC" -Wl,--build-id=sha1 -x c - -o /dev/null >/dev/null 2>&1 <<' EOF'
#include <stdlib.h>
int main(int argc, char **argv) {
(void)argc; (void)argv; return 0;
}
EOF
then
AM_LDFLAGS="$AM_LDFLAGS -Wl,--build-id=sha1"
fi
fi
AC_ARG_ENABLE([benchmark],
[AS_HELP_STRING([--enable-benchmark],[Build benchmark when building crypttests (default: enabled)])],
[ENABLED_BENCHMARK=$enableval],
[ENABLED_BENCHMARK=yes]
)
# Remainder of Linux kernel module options, continued from earlier:
ENABLED_LINUXKM_PIE=$ENABLED_FIPS
AC_ARG_ENABLE([kernel-reloc-tables],
[AS_HELP_STRING([--enable-kernel-reloc-tables],[Enable containerized object build of wolfCrypt module in kernel build (default: disabled)])],
[ENABLED_LINUXKM_PIE=$enableval])
AC_ARG_ENABLE([linuxkm-pie],
[AS_HELP_STRING([--enable-linuxkm-pie],[Alias for --enable-kernel-reloc-tables])],
[ENABLED_LINUXKM_PIE=$enableval])
if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_LINUXKM_PIE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_SYM_RELOC_TABLES"
fi
AC_SUBST([ENABLED_LINUXKM_PIE])
AC_ARG_ENABLE([linuxkm-benchmarks],
[AS_HELP_STRING([--enable-linuxkm-benchmarks],[Enable crypto benchmarking autorun at module load time for Linux kernel module (default: disabled)])],
[ENABLED_KERNEL_BENCHMARKS=$enableval])
if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_KERNEL_BENCHMARKS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM_BENCHMARKS"
fi
AC_SUBST([ENABLED_KERNEL_BENCHMARKS])
if test "$ENABLED_LINUXKM" = "yes" && test "$KERNEL_MODE_DEFAULTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWC_SHA3_NO_ASM"
if test "$ENABLED_LINUXKM_PIE" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"
fi
if test "$ENABLED_FIPS" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK"
fi
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"
fi
#
# kernel mode variables. Shared by linuxkm, freebsdkm.
KERNEL_ROOT=""
HAVE_KERNEL_MODE=no
# Kernel root source tree.
AC_ARG_WITH([kernel-source],
[AS_HELP_STRING([--with-kernel-source=PATH],[PATH to root of kernel build tree])],
[KERNEL_ROOT=$withval])
# For backwards compatibility.
AC_ARG_WITH([linux-source],
[AS_HELP_STRING([--with-linux-source=PATH],[PATH to root of Linux kernel build tree])],
[KERNEL_ROOT=$withval])
AC_ARG_WITH([linux-arch],
[AS_HELP_STRING([--with-linux-arch=arch],[built arch (SRCARCH) of Linux kernel build tree])],
[KERNEL_ARCH=$withval],
[KERNEL_ARCH=""])
if test "x$ENABLED_LINUXKM" = "xyes"
then
HAVE_KERNEL_MODE=yes
# Currently DWARF 5 is the default debug format, but it results in
# "Unsupported DW_TAG_atomic_type(0x47): type: 0x1eefc" in some
# kernel module builds.
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"
AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -g3"],
[AM_CFLAGS="$AM_CFLAGS -g1"])
AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4"
AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CCASFLAGS="$AM_CFLAGS -g3"],
[AM_CCASFLAGS="$AM_CFLAGS -g1"])
ENABLED_NO_LIBRARY=yes
ENABLED_BENCHMARK=no
output_objdir="$(realpath "$output_objdir")/linuxkm"
if test "$KERNEL_ROOT" = ""; then
AC_PATH_DEFAULT_KERNEL_SOURCE
KERNEL_ROOT="$DEFAULT_KERNEL_ROOT"
fi
AC_SUBST([KERNEL_ROOT])
if test "$KERNEL_ARCH" = ""; then
AC_DEFAULT_KERNEL_ARCH
KERNEL_ARCH="$DEFAULT_KERNEL_ARCH"
fi
AC_SUBST([KERNEL_ARCH])
if test "${KERNEL_ROOT}" = ""; then
AC_MSG_ERROR([Linux kernel source root not found -- supply with --with-linux-source=PATH.])
fi
if test "${KERNEL_ARCH}" = ""; then
AC_MSG_ERROR([Linux kernel target architecture for build tree ${KERNEL_ROOT} could not be determined. Is target kernel configured?])
fi
AM_CFLAGS="$AM_CFLAGS -DNO_DEV_RANDOM -DNO_WRITEV -DNO_STDIO_FILESYSTEM -DWOLFSSL_NO_SOCK -DWOLFSSL_USER_IO"
fi
#
# FreeBSD
AC_ARG_WITH([bsd-export-syms],
[AS_HELP_STRING([--with-bsd-export-syms=LIST],[Sets FreeBSD kernel module EXPORT_SYMS. Allowed values: YES, NO, or LIST of symbols to export (default NO).])],
[BSDKM_EXPORT_SYMS=$withval],
[BSDKM_EXPORT_SYMS="NO"])
if test "x$ENABLED_BSDKM" = "xyes"
then
# note: bsdkm is wolfcrypt only for now.
HAVE_KERNEL_MODE=yes
KERNEL_MODE_DEFAULTS=yes
ENABLED_NO_LIBRARY=yes
ENABLED_BENCHMARK=no
output_objdir="$(realpath "$output_objdir")/bsdkm"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BSDKM -DWC_SIPHASH_NO_ASM"
AM_CFLAGS="$AM_CFLAGS -DNO_DEV_RANDOM -DNO_WRITEV -DNO_STDIO_FILESYSTEM"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SOCK -DWOLFSSL_USER_IO"
AM_CFLAGS="$AM_CFLAGS -DXMALLOC_OVERRIDE -DWOLFCRYPT_ONLY"
AM_CFLAGS="$AM_CFLAGS -DNO_ASN_TIME"
if test "$ax_enable_debug" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BSDKM_VERBOSE_DEBUG"
AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_DEBUG_CERTS"
fi
if test "$KERNEL_ROOT" = ""; then
AC_PATH_DEFAULT_BSDKM_SOURCE
KERNEL_ROOT="$DEFAULT_BSDKM_ROOT"
fi
AC_SUBST([KERNEL_ROOT])
AC_SUBST([BSDKM_EXPORT_SYMS])
fi
if test "x$ENABLED_BSDKM_REGISTER" = "xyes"
then
if test "$ENABLED_AESGCM" != "no" && test "$ENABLED_AESGCM_STREAM" = "no" && test "$enable_aesgcm_stream" != "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -ge 6); then
ENABLED_AESGCM_STREAM=yes
fi
AM_CFLAGS="$AM_CFLAGS -DBSDKM_CRYPTO_REGISTER"
AC_SUBST([ENABLED_BSDKM_REGISTER])
fi
# end FreeBSD configure
# MATH LIBRARY SELECTION
# Assure consistency of defaults
if test "$DEF_FAST_MATH" = "yes" && ( (test "$enable_sp_math" != "no" && test "$enable_sp_math" != "") || test "$enable_heapmath" = "yes")
then
DEF_FAST_MATH=no
fi
if test "$DEF_SP_MATH" = "yes" && (test "$enable_fastmath" = "yes" || test "$enable_fasthugemath" = "yes" || test "$enable_heapmath" = "yes")
then
DEF_SP_MATH=no
fi
# Single Precision maths implementation
AC_ARG_ENABLE([sp],
[AS_HELP_STRING([--enable-sp],[Enable Single Precision maths implementation (default: disabled)])],
[ ENABLED_SP=$enableval ],
[ ENABLED_SP=$ENABLED_SP_DEFAULT ],
)
AC_ARG_ENABLE([sp-math-all],
[AS_HELP_STRING([--enable-sp-math-all],[Enable Single Precision math implementation for full algorithm suite (default: enabled)])],
[ ENABLED_SP_MATH_ALL=$enableval ],
[ ENABLED_SP_MATH_ALL=$DEF_SP_MATH ],
)
# Single Precision maths (acceleration for common key sizes and curves)
if test "$KERNEL_MODE_DEFAULTS" = "yes" && test "$ENABLED_SP" != "no" && test "$ENABLED_SP_MATH_ALL" = "no"
then
ENABLED_SP_MATH_DEFAULT=yes
else
ENABLED_SP_MATH_DEFAULT=no
fi
AC_ARG_ENABLE([sp-math],
[AS_HELP_STRING([--enable-sp-math],[Enable Single Precision math implementation with restricted algorithm suite (default: disabled)])],
[ ENABLED_SP_MATH=$enableval ],
[ ENABLED_SP_MATH=$ENABLED_SP_MATH_DEFAULT ],
)
if test "$enable_sp_math" != ""
then
# When the restricted SP Math is selected and not SP Math ALL, then disable
# SP Math ALL.
if test "$enable_sp_math" != "no" && test "$enable_sp_math_all" = ""
then
ENABLED_SP_MATH_ALL="no"
else
# Can't choose restricted and unrestricted SP Math
if test "$enable_sp_math" != "no" && test "$enable_sp_math_all" != "no"
then
AC_MSG_ERROR([--enable-sp-math and --enable-sp-math-all are incompatible. Use --enable-sp-math-all only when all key sizes need to be supported.])
fi
fi
fi
# enable SP math assembly support automatically for x86_64 and aarch64 (except Linux kernel module)
SP_ASM_DEFAULT=no
if test "$ENABLED_SP_MATH" = "yes" && test "$KERNEL_MODE_DEFAULTS" = "no"
then
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
then
SP_ASM_DEFAULT=yes
fi
fi
AC_ARG_ENABLE([sp-asm],
[AS_HELP_STRING([--enable-sp-asm],[Enable Single Precision assembly implementation (default: enabled on x86_64/aarch64/amd64)])],
[ ENABLED_SP_ASM=$enableval ],
[ ENABLED_SP_ASM=$SP_ASM_DEFAULT ],
)
if test "$ENABLED_SP_ASM" != "no"
then
if test "$ENABLED_SP" = "no"
then
AC_MSG_ERROR([--enable-sp-asm requires SP to be enabled.])
fi
if test "$ENABLED_SP" = ""
then
ENABLED_SP=yes
fi
fi
# fastmath
AC_ARG_ENABLE([fastmath],
[AS_HELP_STRING([--enable-fastmath],[Enable legacy Tom's Fast Math back end (default: disabled)])],
[ ENABLED_FASTMATH=$enableval ],
[ ENABLED_FASTMATH=$DEF_FAST_MATH ]
)
# fast HUGE math
AC_ARG_ENABLE([fasthugemath],
[AS_HELP_STRING([--enable-fasthugemath],[Enable legacy Tom's Fast Math + huge code (default: disabled)])],
[ ENABLED_FASTHUGEMATH=$enableval ],
[ ENABLED_FASTHUGEMATH=no ]
)
# ssl bump build
AC_ARG_ENABLE([bump],
[AS_HELP_STRING([--enable-bump],[Enable SSL Bump build (default: disabled)])],
[ ENABLED_BUMP=$enableval ],
[ ENABLED_BUMP=no ]
)
if test "$ENABLED_BUMP" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DWOLFSSL_CERT_GEN -DWOLFSSL_KEY_GEN -DHUGE_SESSION_CACHE -DWOLFSSL_DER_LOAD -DWOLFSSL_ALT_NAMES -DWOLFSSL_TEST_CERT"
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
if test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no"
then
ENABLED_FASTHUGEMATH="yes"
fi
fi
if test "$ENABLED_FASTHUGEMATH" = "yes"
then
ENABLED_FASTMATH="yes"
fi
if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "amd64") &&
test "$ENABLED_32BIT" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_X86_64_BUILD"
fi
if test "$host_cpu" = "x86"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_X86_BUILD"
fi
AC_ARG_ENABLE([leanpsk],
[AS_HELP_STRING([--enable-leanpsk],[Enable Lean PSK build (default: disabled)])],
[ ENABLED_LEANPSK=$enableval ],
[ ENABLED_LEANPSK=no ]
)
if test "$ENABLED_LEANPSK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANPSK -DWOLFSSL_STATIC_PSK -DHAVE_NULL_CIPHER -DSINGLE_THREADED -DNO_AES -DNO_FILESYSTEM -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_MD4 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_WRITEV -DNO_DEV_RANDOM -DWOLFSSL_USER_IO -DNO_SHA"
ENABLED_SLOWMATH="no"
ENABLED_SINGLETHREADED="yes"
enable_lowresource=yes
fi
# ASN
# disabling ASN implicitly disables certs, RSA, DSA, and ECC,
# and also disables MPI unless DH is enabled.
# turn off ASN if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
then
enable_asn=no
fi
AC_ARG_ENABLE([asn],
[AS_HELP_STRING([--enable-asn],[Enable ASN (default: enabled)])],
[ ENABLED_ASN=$enableval ],
[ ENABLED_ASN=yes ]
)
for v in `echo $ENABLED_ASN | tr "," " "`
do
case $v in
all)
# Enable all ASN features
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ALL"
ENABLED_ASN=yes
ASN_IMPL=template
;;
template | yes)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_TEMPLATE"
ENABLED_ASN=yes
ASN_IMPL=template
;;
original)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ORIGINAL"
ASN_IMPL=original
;;
nocrypt)
AM_CFLAGS="$AM_CFLAGS -DNO_ASN_CRYPT"
enable_pwdbased=no
ASN_IMPL=template
;;
no)
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"
enable_pwdbased=no
ASN_IMPL=no
;;
*)
AC_MSG_ERROR([Invalid asn option. Valid are: all, template/yes, original, nocrypt or no. Seen: $ENABLED_ASN.])
break;;
esac
done
# if sp-math-all is not set, then enable fast math
if test "x$ENABLED_FASTMATH" = "xyes" && test "$enable_sp_math_all" = "" && test "$enable_sp_math" = ""
then
# turn off fastmath if leanpsk on or asn off (w/o DH and ECC)
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_ASN" = "no"
then
if test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no" && test "$ENABLED_RSA" = "no"
then
ENABLED_FASTMATH="no"
else
AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH"
ENABLED_HEAPMATH="no"
fi
else
AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH"
ENABLED_HEAPMATH="no"
ENABLED_SP_MATH_ALL="no"
fi
AS_IF([test "x$host_cpu" = "xaarch64"],[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AARCH64_BUILD"])
if test "$ENABLED_SAKKE" = "yes" && test "$ENABLED_SAKKE_SMALL" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -funroll-loops -DTFM_SMALL_SET"
fi
fi
# heap based integer.c math (not timing resistant)
AC_ARG_ENABLE([heapmath],
[AS_HELP_STRING([--enable-heapmath],[Enable heap based integer.c math ops (default: disabled)])],
[ ENABLED_HEAPMATH=$enableval ],
[ ENABLED_HEAPMATH=no]
)
if test "x$ENABLED_HEAPMATH" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DUSE_INTEGER_HEAP_MATH"
ENABLED_HEAPMATH="yes"
ENABLED_SP="no"
ENABLED_SP_MATH_ALL="no"
fi
# wolfCrypt Only Build
AC_ARG_ENABLE([cryptonly],
[AS_HELP_STRING([--enable-cryptonly],[Enable wolfCrypt Only build (default: disabled)])],
[ENABLED_CRYPTONLY=$enableval],
[ENABLED_CRYPTONLY=no])
AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
# TLS
AC_ARG_ENABLE([tls],
[AS_HELP_STRING([--enable-tls],[Enable TLS support (default: enabled)])],
[ ENABLED_TLS=$enableval ],
[ ENABLED_TLS=yes ]
)
if test "$ENABLED_CRYPTONLY" = "yes"
then
ENABLED_TLS=no
fi
if test "$ENABLED_TLS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_TLS"
# don't set enable_tls13 or enable_tlsv12 to "no" -- even in cryptonly and
# NO_TLS build, they're needed for their crypto-layer KDFs.
# enable_tlsv10 defaults to "no", so we don't need to set it here either.
test "$enable_dtls" = "" && enable_dtls=no
test "$enable_dtls13" = "" && enable_dtls13=no
test "$enable_dtls_mtu" = "" && enable_dtls_mtu=no
test "$enable_dtlscid" = "" && enable_dtlscid=no
test "$enable_dtls_frag_ch" = "" && enable_dtls_frag_ch=no
test "$enable_mcast" = "" && enable_mcast=no
test "$enable_srtp" = "" && enable_srtp=no
test "$enable_ocsp" = "" && enable_ocsp=no
test "$enable_tlsx" = "" && enable_tlsx=no
test "$enable_sni" = "" && enable_sni=no
test "$enable_crl_monitor" = "" && enable_crl_monitor=no
test "$enable_alpn" = "" && enable_alpn=no
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=no
test "$enable_quic" = "" && enable_quic=no
test "$enable_ech" = "" && enable_ech=no
test "$enable_ocspstapling" = "" && enable_ocspstapling=no
test "$enable_earlydata" = "" && enable_earlydata=no
test "$enable_renegotiation_indication" = "" && enable_renegotiation_indication=no
test "$enable_secure_renegotiation_info" = "" && enable_secure_renegotiation_info=no
test "$enable_secure_renegotiation" = "" && enable_secure_renegotiation=no
# Disable all open source compatibility enables that might get set with all
test "$enable_all_osp" = "" && enable_all_osp=no
fi
# All features, except conflicting or experimental:
AC_ARG_ENABLE([all],
[AS_HELP_STRING([--enable-all],[Enable all wolfSSL features, except SSLv3 (default: disabled)])],
[ ENABLED_ALL=$enableval ],
[ ENABLED_ALL=no ]
)
if test "$ENABLED_ALL" = "yes"
then
test "$enable_all_crypto" = "" && enable_all_crypto=yes
test "$enable_all_osp" = "" && test "$KERNEL_MODE_DEFAULTS" != "yes" && enable_all_osp=yes
test "$enable_dtls" = "" && enable_dtls=yes
test "$enable_dtls_mtu" = "" && enable_dtls_mtu=yes
test "$enable_dtlscid" = "" && enable_dtlscid=yes
test "$enable_dtls_frag_ch" = "" && enable_dtls_frag_ch=yes
if test "x$FIPS_VERSION" != "xv1"
then
test "$enable_tls13" = "" && enable_tls13=yes
test "$enable_dtls13" = "" && enable_dtls13=yes
fi
test "$enable_ocsp" = "" && enable_ocsp=yes
test "$enable_ocspstapling" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling=yes
test "$enable_ocspstapling2" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling2=yes
test "$enable_ocsp_responder" = "" &&
test "$enable_ocsp" != "no" &&
test "$enable_sha" != "no" &&
test "$ASN_IMPL" = "template" &&
enable_ocsp_responder=yes
test "$enable_savesession" = "" && enable_savesession=yes
test "$enable_savecert" = "" && enable_savecert=yes
test "$enable_postauth" = "" && enable_postauth=yes
test "$enable_hrrcookie" = "" && enable_hrrcookie=yes
test "$enable_fallback_scsv" = "" && enable_fallback_scsv=yes
test "$enable_crl_monitor" = "" && enable_crl_monitor=yes
test "$enable_sni" = "" && enable_sni=yes
test "$enable_maxfragment" = "" && enable_maxfragment=yes
test "$enable_alpn" = "" && enable_alpn=yes
test "$enable_truncatedhmac" = "" && enable_truncatedhmac=yes
test "$enable_trustedca" = "" && enable_trustedca=yes
test "$enable_session_ticket" = "" && enable_session_ticket=yes
test "$enable_earlydata" = "" && enable_earlydata=yes
test "$enable_rpk" = "" && enable_rpk=yes
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
# Disable QUIC with JNI since incompatible with WOLFSSL_TLS13_MIDDLEBOX_COMPAT
test "$enable_quic" = "" && test "$enable_cryptonly" != "yes" && test "$enable_jni" != "yes" && enable_quic=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT"
fi
if test "$ENABLED_SP_MATH" != "yes"
then
# linuxkm is incompatible with opensslextra and its dependents.
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
test "$enable_opensslextra" = "" && enable_opensslextra=yes
test "$enable_opensslall" = "" && enable_opensslall=yes
test "$enable_certservice" = "" && enable_certservice=yes
fi
fi
if test "$ENABLED_FIPS" = "no"
then
# Disable ECH with JNI since incompatible with WOLFSSL_TLS13_MIDDLEBOX_COMPAT
test "$enable_ech" = "" && test "$enable_jni" != "yes" && enable_ech=yes
test "$enable_scep" = "" && enable_scep=yes
test "$enable_mcast" = "" && enable_mcast=yes
fi
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
then
test "$enable_srtp" = "" && enable_srtp=yes
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT"
# Certificate extensions and alt. names for FPKI use
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SUBJ_DIR_ATTR -DWOLFSSL_FPKI -DWOLFSSL_SUBJ_INFO_ACC"
# Handle as many subject/issuer name OIDs as possible
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_NAME_ALL"
# More thorough error queue usage.
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VERBOSE_ERRORS"
fi
# All OSP meta-features:
AC_ARG_ENABLE([all-osp],
[AS_HELP_STRING([--enable-all-osp],[Enable all OSP meta feature sets (default: disabled)])],
[ ENABLED_ALL_OSP=$enableval ],
[ ENABLED_ALL_OSP=no]
)
if test "$ENABLED_ALL_OSP" = "yes"
then
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
AC_MSG_ERROR([--enable-all-osp is incompatible with --enable-linuxkm-defaults])
fi
test "$enable_tailscale" = "" && enable_tailscale=yes
test "$enable_wolfguard" = "" && enable_wolfguard=yes
test "$enable_webserver" = "" && enable_webserver=yes
if test "$ENABLED_SP_MATH" != "yes"
then
if test "$ENABLED_FIPS" = "no"
then
# S/MIME support requires PKCS7, which requires no FIPS.
test "$enable_smime" = "" && enable_smime=yes
if test "$ENABLED_32BIT" != "yes"
then
test "$enable_openssh" = "" && enable_openssh=yes
fi
fi
if test "$ENABLED_ALL_OSP" != "no"
then
test "$enable_lighty" = "" && enable_lighty=yes
test "$enable_nginx" = "" && enable_nginx=yes
test "$enable_openvpn" = "" && enable_openvpn=yes
test "$enable_asio" = "" && enable_asio=yes
test "$enable_libwebsockets" = "" && enable_libwebsockets=yes
fi
fi
if test "$ENABLED_FIPS" = "no"
then
# these use DES3:
test "$enable_stunnel" = "" && enable_stunnel=yes
test "$enable_curl" = "" && enable_curl=yes
test "$enable_tcpdump" = "" && enable_tcpdump=yes
fi
fi
# Auto-selected activation of all applicable asm accelerations
# Enable asm automatically only if the compiler advertises itself as full Gnu C.
if "$CC" $AM_CFLAGS $CPPFLAGS $CFLAGS -x c - -o /dev/null >/dev/null 2>&1 <<' EOF'
#include <stdlib.h>
int main(int argc, char **argv) {
(void)argc; (void)argv;
#ifdef __STRICT_ANSI__
#error __STRICT_ANSI__
#endif
#ifndef __GNUC__
#error !__GNUC__
#endif
return 0;
}
EOF
then
HAVE_GNUC=yes
fi
if test "$enable_all_crypto" = "yes" &&
test "$KERNEL_MODE_DEFAULTS" = "no" &&
test "$ENABLED_ASM" != "no" &&
test "$HAVE_GNUC" = "yes" &&
test "$enable_sp_asm" != "no" &&
test "$enable_intelasm" != "no" &&
test "$enable_armasm" != "no" &&
test "$enable_afalg" != "yes" &&
test "$ENABLED_32BIT" = "no"
then
DEFAULT_ENABLED_ALL_ASM=yes
else
DEFAULT_ENABLED_ALL_ASM=no
fi
if test "$ENABLED_FIPS" = "yes" && test "$HAVE_FIPS_VERSION" -lt 6
then
case "$host_cpu" in
*x86_64*|*amd64*) ;;
*) DEFAULT_ENABLED_ALL_ASM=no
;;
esac
fi
AC_ARG_ENABLE([all-asm],
[AS_HELP_STRING([--enable-all-asm],[Enable all applicable assembly accelerations (default: disabled)])],
[ ENABLED_ALL_ASM=$enableval ],
[ ENABLED_ALL_ASM=$DEFAULT_ENABLED_ALL_ASM ]
)
if test "$ENABLED_ALL_ASM" != "no"
then
if test "$ENABLED_ASM" = "no"
then
AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-asm])
fi
if test "$enable_sp_asm" = "no"
then
AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-sp-asm])
fi
if test "$enable_intelasm" = "no"
then
AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-intelasm])
fi
if test "$enable_armasm" = "no"
then
AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-armasm])
fi
if test "$enable_ppc32_asm" = "no"
then
AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-ppc32-asm])
fi
case "$host_cpu" in
*x86_64*|*amd64*)
if test "$enable_intelasm" = ""
then
enable_intelasm=yes
fi
if test "$ENABLED_SP" != "no"
then
ENABLED_SP_ASM=yes
if test "$ENABLED_SP" = ""
then
ENABLED_SP=yes
fi
fi
;;
*aarch64*)
if test "$enable_armasm" = ""
then
enable_armasm=yes
fi
if test "$ENABLED_SP" != "no"
then
ENABLED_SP_ASM=yes
if test "$ENABLED_SP" = ""
then
ENABLED_SP=yes
fi
fi
;;
*powerpc64*)
;;
*powerpc*)
if test "$enable_ppc32_asm" = ""
then
enable_ppc32_asm=yes
fi
;;
esac
fi
# RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM. Disable
# implicit activation, and error on explicit activation.
if test "$enable_riscv_asm" = "yes"
then
if test "$enable_aesgcm_stream" = "yes"
then
AC_MSG_ERROR([RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM.])
fi
enable_aesgcm_stream=no
fi
# All wolfCrypt features:
AC_ARG_ENABLE([all-crypto],
[AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms (default: disabled)])],
[ ENABLED_ALL_CRYPT=$enableval ],
[ ENABLED_ALL_CRYPT=no ]
)
if test "$ENABLED_ALL_CRYPT" = "yes"
then
test "$enable_atomicuser" = "" && enable_atomicuser=yes
test "$enable_aesecb" = "" && enable_aesecb=yes
test "$enable_aesgcm" = "" && enable_aesgcm=yes
test "$enable_aesccm" = "" && enable_aesccm=yes
test "$enable_aesctr" = "" && enable_aesctr=yes
test "$enable_aesofb" = "" && enable_aesofb=yes
test "$enable_aescfb" = "" && enable_aescfb=yes
test "$enable_aescbc_length_checks" = "" && enable_aescbc_length_checks=yes
test "$enable_camellia" = "" && enable_camellia=yes
test "$enable_ripemd" = "" && enable_ripemd=yes
test "$enable_sha224" = "" && enable_sha224=yes
test "$enable_sha512" = "" && enable_sha512=yes
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_sessioncerts" = "" && enable_sessioncerts=yes
test "$enable_keygen" = "" && enable_keygen=yes
test "$enable_certgen" = "" && enable_certgen=yes
test "$enable_certreq" = "" && enable_certreq=yes
test "$enable_certext" = "" && enable_certext=yes
test "$enable_sep" = "" && enable_sep=yes
test "$enable_hkdf" = "" && enable_hkdf=yes
test "$enable_eccencrypt" = "" && test "$enable_ecc" != "no" && enable_eccencrypt=yes
test "$enable_fpecc" = "" && test "$enable_ecc" != "no" && enable_fpecc=yes
test "$enable_psk" = "" && enable_psk=yes
test "$enable_cmac" = "" && enable_cmac=yes
test "$enable_cmac_kdf" = "" && enable_cmac_kdf=yes
test "$enable_siphash" = "" && enable_siphash=yes
test "$enable_ocsp" = "" && enable_ocsp=yes
test "$enable_ocspstapling" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling=yes
test "$enable_ocspstapling2" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling2=yes
test "$enable_crl" = "" && enable_crl=yes
test "$enable_supportedcurves" = "" && enable_supportedcurves=yes
test "$enable_tlsx" = "" && enable_tlsx=yes
test "$enable_pwdbased" = "" && enable_pwdbased=yes
test "$enable_aeskeywrap" = "" && enable_aeskeywrap=yes
test "$enable_x963kdf" = "" && enable_x963kdf=yes
test "$enable_indef" = "" && enable_indef=yes
test "$enable_enckeys" = "" && enable_enckeys=yes
test "$enable_hashflags" = "" && enable_hashflags=yes
test "$enable_defaultdhparams" = "" && enable_defaultdhparams=yes
test "$enable_base64encode" = "" && enable_base64encode=yes
test "$enable_base16" = "" && enable_base16=yes
test "$enable_arc4" = "" && enable_arc4=yes
test "$enable_blake2b" = "" && enable_blake2b=yes
test "$enable_blake2s" = "" && enable_blake2s=yes
test "$enable_md2" = "" && enable_md2=yes
test "$enable_md4" = "" && enable_md4=yes
test "$enable_md5" = "" && enable_md5=yes
test "$enable_anon" = "" && enable_anon=yes
test "$enable_ssh" = "" && test "$enable_hmac" != "no" && enable_ssh=yes
test "$enable_rng_bank" = "" && enable_rng_bank=yes
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
# Scrypt is excluded from kernel module builds (unless explicitly
# enabled) because of its excessive memory requirements.
test "$enable_scrypt" = "" && test "$enable_hmac" != "no" && enable_scrypt=yes
fi
if test "x$FIPS_VERSION" != "xv1"
then
test "$enable_rsapss" = "" && enable_rsapss=yes
fi
# sp-math is incompatible with opensslextra, ECC custom curves, and DSA.
if test "$ENABLED_SP_MATH" != "yes"
then
test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes
test "$enable_ecccustcurves" != "no" && test "$enable_brainpool" = "" && enable_brainpool=yes
test "$enable_ecccustcurves" != "no" && AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_CDH -DHAVE_ECC_KOBLITZ -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3"
fi
test "$enable_srp" = "" && enable_srp=yes
fi
if test "$ENABLED_FIPS" = "no"
then
test "$enable_curve25519" = "" && enable_curve25519=yes
test "$enable_curve448" = "" && enable_curve448=yes
test "$enable_xchacha" = "" && test "$enable_chacha" != "no" && enable_xchacha=yes
test "$enable_pkcs7" = "" && enable_pkcs7=yes
test "$enable_nullcipher" = "" && enable_nullcipher=yes
test "$enable_ed25519" = "" && enable_ed25519=yes
test "$enable_ed25519_stream" = "" && test "$enable_ed25519" != "no" && enable_ed25519_stream=yes
test "$enable_ed448" = "" && enable_ed448=yes
test "$enable_ed448_stream" = "" && test "$enable_ed448" != "no" && enable_ed448_stream=yes
test "$enable_aessiv" = "" && enable_aessiv=yes
# AFALG lacks AES-EAX
test "$enable_aeseax" = "" && test "$enable_afalg" != "yes" && enable_aeseax=yes
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
test "$enable_cryptocb" = "" && enable_cryptocb=yes
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
test "$enable_eccsi" = "" && test "$enable_ecc" != "no" && enable_eccsi=yes
test "$enable_sakke" = "" && test "$enable_ecc" != "no" && enable_sakke=yes
fi
fi
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
then
test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" = "yes" && enable_aesgcm_stream=yes
test "$enable_aesxts" = "" && enable_aesxts=yes
test "$enable_aesxts_stream" = "" && test "$enable_aesxts" = "yes" && enable_aesxts_stream=yes
test "$enable_shake128" = "" && enable_shake128=yes
test "$enable_shake256" = "" && enable_shake256=yes
test "$enable_compkey" = "" && enable_compkey=yes
# AFALG lacks AES-ECB
test "$enable_srtp_kdf" = "" && test "$enable_afalg" != "yes" && enable_srtp_kdf=yes
fi
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -lt 5; then
test "$enable_des3" = "" && enable_des3=yes
test "$enable_des3" != "no" && AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES"
# Enable DH const table speedups (eliminates `-lm` math lib dependency)
AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072"
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
# Enable all parsing features for ASN */
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ALL"
# Enable DH Extra
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_EXTRA"
# Enable deterministic ECC signing API with variant
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT"
# Store issuer name components when parsing certificates.
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_ISSUER_NAMES"
# Enable onestep KDF from NIST SP 800 56c option 1.
AM_CFLAGS="$AM_CFLAGS -DWC_KDF_NIST_SP_800_56C"
fi
# kernel-appropriate settings, also in enable-all-crypto above:
if test "$KERNEL_MODE_DEFAULTS" = "yes" && test "$ENABLED_ALL_CRYPT" != "yes"
then
# note several of these are currently on by default, including aesgcm, sha512
if test "$enable_aes" != "no"
then
test "$enable_aesgcm" = "" && enable_aesgcm=yes
test "$enable_aesccm" = "" && enable_aesccm=yes
test "$enable_aesecb" = "" && enable_aesecb=yes
test "$enable_aesctr" = "" && enable_aesctr=yes
test "$enable_aesofb" = "" && enable_aesofb=yes
test "$enable_cmac" = "" && enable_cmac=yes
fi
test "$enable_sha224" = "" && enable_sha224=yes
test "$enable_sha512" = "" && enable_sha512=yes
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_keygen" = "" && enable_keygen=yes
if test "$enable_ecc" != "no"
then
test "$enable_eccencrypt" = "" && enable_eccencrypt=yes
test "$enable_fpecc" = "" && enable_fpecc=yes
test "$enable_supportedcurves" = "" && enable_supportedcurves=yes
fi
test "$enable_rng" != "no" && test "$enable_rng_bank" = "" && enable_rng_bank=yes
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
then
test "$enable_aes" != "no" && test "$enable_aescfb" = "" && enable_aescfb=yes
test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" = "yes" && enable_aesgcm_stream=yes
test "$enable_aes" != "no" && test "$enable_aesxts" = "" && enable_aesxts=yes
test "$enable_aesxts_stream" = "" && test "$enable_aesxts" = "yes" && enable_aesxts_stream=yes
test "$enable_shake128" = "" && test "$enable_sha3" = "yes" && enable_shake128=yes
test "$enable_shake256" = "" && test "$enable_sha3" = "yes" && enable_shake256=yes
test "$enable_compkey" = "" && enable_compkey=yes
fi
# Enable DH const table speedups (eliminates `-lm` math lib dependency)
AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072"
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_EXTRA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT"
fi
# Support for Tailscale port
AC_ARG_ENABLE([tailscale],
[AS_HELP_STRING([--enable-tailscale],[Enable Tailscale build dependencies (default: disabled)])],
[ ENABLED_TAILSCALE=$enableval ],
[ ENABLED_TAILSCALE=no ]
)
if test "$ENABLED_TAILSCALE" = "yes"
then
enable_wolfguard=yes
test "x$enable_sp" = "x" && enable_sp="yes,256"
enable_opensslall=yes
enable_alpn=yes
enable_sni=yes
enable_certgen=yes
enable_certreq=yes
enable_certext=yes
enable_sessioncerts=yes
enable_cert_setup_cb=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_INIT_CTX_KEY"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DWC_CTC_NAME_SIZE=128 -DWOLFSSL_ACME_OID"
fi
# wolfGuard
AC_ARG_ENABLE([wolfguard],
[AS_HELP_STRING([--enable-wolfguard],[Enable wolfGuard dependencies (default: disabled)])],
[ ENABLED_WOLFGUARD=$enableval ],
[ ENABLED_WOLFGUARD=no ]
)
if test "$ENABLED_WOLFGUARD" = "yes"
then
test "$enable_ecc" = "" && enable_ecc=yes
test "$enable_sha256" = "" && enable_sha256=yes
test "$enable_aesgcm" = "" && enable_aesgcm=yes
test "$enable_base64encode" = "" && enable_base64encode=yes
test "$enable_base16" = "" && enable_base16=yes
test "$enable_compkey" = "" && enable_compkey=yes
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
then
test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes
fi
fi
# liboqs
ENABLED_LIBOQS="no"
tryliboqsdir=""
AC_ARG_WITH([liboqs],
[AS_HELP_STRING([--with-liboqs=PATH],[Path to liboqs install (default /usr/local) (requires --enable-experimental)])],
[
AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([LIBOQS requires --enable-experimental.]) ])
AC_MSG_CHECKING([for liboqs])
LIBS="$LIBS -loqs"
AM_CFLAGS="$AM_CFLAGS -pthread"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <oqs/common.h>]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ])
if test "x$liboqs_linked" = "xno" ; then
if test "x$withval" != "xno" ; then
tryliboqsdir=$withval
fi
if test "x$withval" = "xyes" ; then
tryliboqsdir="/usr/local"
fi
CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS -I$tryliboqsdir/include -pthread"
LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryliboqsdir/lib"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <oqs/common.h>]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ])
if test "x$liboqs_linked" = "xno" ; then
AC_MSG_ERROR([liboqs isn't found.
If it's already installed, specify its path using --with-liboqs=/dir/])
fi
AC_MSG_RESULT([yes])
AM_CPPFLAGS="$CPPFLAGS"
AM_LDFLAGS="$AM_LDFLAGS -L$tryliboqsdir/lib"
else
AC_MSG_RESULT([yes])
fi
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS"
ENABLED_LIBOQS="yes"
]
)
# Falcon (provided via liboqs)
AC_ARG_ENABLE([falcon],
[AS_HELP_STRING([--enable-falcon],[Enable Falcon post-quantum signatures via liboqs (default: disabled)])],
[ ENABLED_FALCON=$enableval ],
[ ENABLED_FALCON=no ])
if test "$ENABLED_FALCON" = "yes" && test "$ENABLED_LIBOQS" = "no"; then
AC_MSG_ERROR([--enable-falcon requires --with-liboqs.])
fi
if test "$ENABLED_LIBOQS" = "yes" && test "$ENABLED_FALCON" != "yes"; then
AC_MSG_ERROR([--with-liboqs requires --enable-falcon.])
fi
if test "$ENABLED_FALCON" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_FALCON"
fi
# MLKEM
# Used:
# - SHA3, Shake128 and Shake256
#
# Note, setup is later, after FIPS setup.
if test "$enable_shake128" != "no" &&
test "$enable_shake256" != "no" &&
test "$enable_sha3" != "no" &&
(test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 7)
then
ENABLED_MLKEM_DEFAULT=yes
else
ENABLED_MLKEM_DEFAULT=no
fi
AC_ARG_ENABLE([mlkem],
[AS_HELP_STRING([--enable-mlkem],[Enable ML-KEM/Kyber (default: enabled)])],
[ ENABLED_MLKEM=$enableval ],
[ ENABLED_MLKEM=$ENABLED_MLKEM_DEFAULT ]
)
# note, inherits default from "mlkem" clause above.
AC_ARG_ENABLE([kyber],
[AS_HELP_STRING([--enable-kyber],[Alias for --enable-mlkem])],
[ ENABLED_MLKEM=$enableval ]
)
AC_ARG_ENABLE([tls-mlkem-standalone],
[AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
[ ENABLED_MLKEM_STANDALONE=$enableval ],
[ ENABLED_MLKEM_STANDALONE=no ]
)
AC_ARG_ENABLE([pqc-hybrids],
[AS_HELP_STRING([--enable-pqc-hybrids],[Enable PQ/T hybrid combinations (default: enabled)])],
[ ENABLED_PQC_HYBRIDS=$enableval ],
[ ENABLED_PQC_HYBRIDS=yes ]
)
# Extra PQ/T Hybrid combinations
AC_ARG_ENABLE([extra-pqc-hybrids],
[AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
[ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
[ ENABLED_EXTRA_PQC_HYBRIDS=no ]
)
# Dilithium
# - SHA3, Shake128 and Shake256
AC_ARG_ENABLE([mldsa],
[AS_HELP_STRING([--enable-mldsa],[Enable ML-DSA/Dilithium (default: disabled)])],
[ ENABLED_MLDSA=$enableval ],
[ ENABLED_MLDSA=no ]
)
# note, inherits default from "mldsa" clause above.
AC_ARG_ENABLE([dilithium],
[AS_HELP_STRING([--enable-dilithium],[Alias for --enable-mldsa])],
[ ENABLED_MLDSA=$enableval ]
)
ENABLED_MLDSA_OPTS=$ENABLED_MLDSA
ENABLED_MLDSA_MAKE_KEY=no
ENABLED_MLDSA_SIGN=no
ENABLED_MLDSA_VERIFY=no
for v in `echo $ENABLED_MLDSA_OPTS | tr "," " "`
do
case $v in
yes)
ENABLED_MLDSA44=yes
ENABLED_MLDSA65=yes
ENABLED_MLDSA87=yes
ENABLED_MLDSA_MAKE_KEY=yes
ENABLED_MLDSA_SIGN=yes
ENABLED_MLDSA_VERIFY=yes
;;
no)
;;
all)
ENABLED_MLDSA_MAKE_KEY=yes
ENABLED_MLDSA_SIGN=yes
ENABLED_MLDSA_VERIFY=yes
;;
make)
ENABLED_MLDSA_MAKE_KEY=yes
;;
sign)
ENABLED_MLDSA_SIGN=yes
;;
verify)
ENABLED_MLDSA_VERIFY=yes
;;
verify-only)
ENABLED_MLDSA_MAKE_KEY=no
ENABLED_MLDSA_SIGN=no
ENABLED_MLDSA_VERIFY=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_VERIFY_ONLY"
;;
small)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_SMALL"
;;
44)
ENABLED_MLDSA44=yes
;;
65)
ENABLED_MLDSA65=yes
;;
87)
ENABLED_MLDSA87=yes
;;
draft|fips204-draft)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_FIPS204_DRAFT"
;;
no-ctx)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_CTX"
;;
*)
AC_MSG_ERROR([Invalid choice for ML-DSA [all,make,sign,verify,verify-only,small,44,65,87,no-ctx]: $ENABLED_MLDSA.])
break;;
esac
done
# XMSS
AC_ARG_ENABLE([xmss],
[AS_HELP_STRING([--enable-xmss],[Enable stateful XMSS/XMSS^MT signatures (default: disabled)])],
[ ENABLED_XMSS=$enableval ],
[ ENABLED_XMSS=no ]
)
for v in `echo $ENABLED_XMSS | tr "," " "`
do
case $v in
yes)
;;
no)
;;
verify-only)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_XMSS_VERIFY_ONLY -DXMSS_VERIFY_ONLY"
;;
small)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS_SMALL"
;;
*)
AC_MSG_ERROR([Invalid choice for XMSS []: $ENABLED_XMSS.])
break;;
esac
done
# LMS
AC_ARG_ENABLE([lms],
[AS_HELP_STRING([--enable-lms],[Enable stateful LMS/HSS signatures (default: disabled)])],
[ ENABLED_LMS=$enableval ],
[ ENABLED_LMS=no ]
)
for v in `echo $ENABLED_LMS | tr "," " "`
do
case $v in
yes)
;;
no)
;;
verify-only)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_VERIFY_ONLY"
;;
small)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS_SMALL"
;;
no-sha256-256)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_LMS_SHA256_256"
;;
sha256-192)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192"
;;
shake256)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHAKE256"
;;
*)
AC_MSG_ERROR([Invalid choice for LMS []: $ENABLED_LMS.])
break;;
esac
done
# SLH-DSA
ENABLED_SLHDSA=yes
AC_ARG_ENABLE([slhdsa],
[AS_HELP_STRING([--enable-slhdsa],[Enable SLH-DSA signatures (default: disabled)])],
[ ENABLED_SLHDSA=$enableval ],
[ ENABLED_SLHDSA=no ]
)
for v in `echo $ENABLED_SLHDSA | tr "," " "`
do
case $v in
yes)
SLHDSA_PARAM_128S=yes
SLHDSA_PARAM_128F=yes
SLHDSA_PARAM_192S=yes
SLHDSA_PARAM_192F=yes
SLHDSA_PARAM_256S=yes
SLHDSA_PARAM_256F=yes
;;
no)
;;
verify-only)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_VERIFY_ONLY"
;;
small)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA_SMALL"
;;
small-mem)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA_SMALL_MEM"
;;
128s)
SLHDSA_PARAM_128S=yes
;;
128f)
SLHDSA_PARAM_128F=yes
;;
192s)
SLHDSA_PARAM_192S=yes
;;
192f)
SLHDSA_PARAM_192F=yes
;;
256s)
SLHDSA_PARAM_256S=yes
;;
256f)
SLHDSA_PARAM_256F=yes
;;
no-s)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SMALL"
;;
no-f)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_FAST"
;;
sha2)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_128S=yes
SLHDSA_PARAM_SHA2_128F=yes
SLHDSA_PARAM_SHA2_192S=yes
SLHDSA_PARAM_SHA2_192F=yes
SLHDSA_PARAM_SHA2_256S=yes
SLHDSA_PARAM_SHA2_256F=yes
;;
sha2-128s)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_128S=yes
;;
sha2-128f)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_128F=yes
;;
sha2-192s)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_192S=yes
;;
sha2-192f)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_192F=yes
;;
sha2-256s)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_256S=yes
;;
sha2-256f)
SLHDSA_SHA2=yes
SLHDSA_PARAM_SHA2_256F=yes
;;
no-sha2-s)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL"
;;
no-sha2-f)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST"
;;
*)
AC_MSG_ERROR([Invalid choice for SLH-DSA []: $ENABLED_SLHDSA.])
break;;
esac
done
# SINGLE THREADED
AC_ARG_ENABLE([singlethreaded],
[AS_HELP_STRING([--enable-singlethreaded],[Enable wolfSSL single threaded (default: disabled)])],
[ ENABLED_SINGLETHREADED=$enableval ],
[ ENABLED_SINGLETHREADED=no ])
WOLFSSL_HAVE_PTHREAD=0
AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[
AX_PTHREAD([
AC_DEFINE([HAVE_PTHREAD], [1], [Define if you have POSIX threads libraries and header files.])
WOLFSSL_HAVE_PTHREAD=1
# If AX_PTHREAD is adding -Qunused-arguments, need to prepend with -Xcompiler libtool will use it. Newer
# versions of clang don't need the -Q flag when using pthreads.
AS_CASE([$PTHREAD_CFLAGS],[-Qunused-arguments*],[PTHREAD_CFLAGS="-Xcompiler $PTHREAD_CFLAGS"])
AM_CFLAGS="$AM_CFLAGS $PTHREAD_CFLAGS"
LIBS="$LIBS $PTHREAD_LIBS"
],[
ENABLED_SINGLETHREADED=yes
])
])
AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xyes" ],[ AM_CFLAGS="$AM_CFLAGS -DSINGLE_THREADED" ])
# Enable rwlock
AC_ARG_ENABLE([rwlock],
[AS_HELP_STRING([--enable-rwlock],[Enable use of rwlock (default: disabled)])],
[ENABLED_RWLOCK=$enableval],
[ENABLED_RWLOCK=no])
if test "$ENABLED_RWLOCK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_USE_RWLOCK"
fi
# ECH
AC_ARG_ENABLE([ech],
[AS_HELP_STRING([--enable-ech],[Enable ECH (default: disabled)])],
[ ENABLED_ECH=$enableval ],
[ ENABLED_ECH=no ]
)
if test "$ENABLED_ECH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECH"
test "$enable_hpke" = "" && enable_hpke=yes
test "$enable_ecc" = "" && enable_ecc=yes
test "$enable_curve25519" = "" && enable_curve25519=yes
test "$enable_sha256" = "" && enable_sha256=yes
test "$enable_sni" = "" && enable_sni=yes
test "$enable_tls13" = "" && enable_tls13=yes
fi
# DTLS
# DTLS is a prereq for the options mcast, sctp, and jni. Enabling any of those
# without DTLS will also enable DTLS.
AC_ARG_ENABLE([dtls],
[AS_HELP_STRING([--enable-dtls],[Enable wolfSSL DTLS (default: disabled)])],
[ ENABLED_DTLS=$enableval ],
[ ENABLED_DTLS=no ]
)
if test "$ENABLED_DTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
fi
# DTLS change MTU
AC_ARG_ENABLE([dtls-mtu],
[AS_HELP_STRING([--enable-dtls-mtu],[Enable setting the MTU size for wolfSSL DTLS (default: disabled)])],
[ ENABLED_DTLS_MTU=$enableval ],
[ ENABLED_DTLS_MTU=no ]
)
if test "$ENABLED_DTLS_MTU" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_MTU"
fi
# KeyLog file export
AC_ARG_ENABLE([keylog-export],
[AS_HELP_STRING([--enable-keylog-export],[Enable insecure export of TLS secrets to an NSS keylog file (default: disabled)])],
[ ENABLED_KEYLOG_EXPORT=$enableval ],
[ ENABLED_KEYLOG_EXPORT=no ]
)
if test "$ENABLED_KEYLOG_EXPORT" = "yes"
then
AC_MSG_WARN([Keylog export enabled -- Sensitive key data will be stored insecurely.])
AM_CFLAGS="$AM_CFLAGS -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE -DWOLFSSL_KEYLOG_EXPORT_WARNED"
fi
# TLS v1.3 Draft 18 (Note: only final TLS v1.3 supported, here for backwards build compatibility)
AC_ARG_ENABLE([tls13-draft18],
[AS_HELP_STRING([--enable-tls13-draft18],[Enable wolfSSL TLS v1.3 Draft 18 (default: disabled)])],
[ ENABLED_TLS13_DRAFT18=$enableval ],
[ ENABLED_TLS13_DRAFT18=no ]
)
# TLS v1.3
AC_ARG_ENABLE([tls13],
[AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: enabled)])],
[ ENABLED_TLS13=$enableval ],
[ ENABLED_TLS13=yes ]
)
if test "x$FIPS_VERSION" = "xv1" ||
( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 1 )
then
ENABLED_TLS13="no"
fi
# QUIC support
AC_ARG_ENABLE([quic],
[AS_HELP_STRING([--enable-quic],[Enable QUIC API with wolfSSL TLS v1.3 (default: disabled)])],
[ ENABLED_QUIC=$enableval ],
[ ENABLED_QUIC=no ]
)
if test "$ENABLED_QUIC" = "yes"
then
if test "x$ENABLED_TLS13" = "xno"
then
AC_MSG_ERROR([TLS 1.3 is disabled - necessary for QUIC])
fi
if test "$enable_aesgcm" = "no"
then
AC_MSG_ERROR([AES-GCM is disabled - necessary for QUIC])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QUIC"
# QUIC proto handlers need app_data at WOLFSSL*
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
fi
# Post-handshake Authentication
AC_ARG_ENABLE([postauth],
[AS_HELP_STRING([--enable-postauth],[Enable wolfSSL Post-handshake Authentication (default: disabled)])],
[ ENABLED_TLS13_POST_AUTH=$enableval ],
[ ENABLED_TLS13_POST_AUTH=no ]
)
if test "$ENABLED_TLS13_POST_AUTH" = "yes"
then
if test "x$ENABLED_TLS13" = "xno"
then
AC_MSG_NOTICE([TLS 1.3 is disabled - disabling Post-handshake Authentication])
ENABLED_TLS13_POST_AUTH="no"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_POST_HANDSHAKE_AUTH"
fi
fi
# Hello Retry Request Cookie
AC_ARG_ENABLE([hrrcookie],
[AS_HELP_STRING([--enable-hrrcookie],[Enable the server to send Cookie Extension in HRR with state (default: disabled)])],
[ ENABLED_SEND_HRR_COOKIE=$enableval ],
[ ENABLED_SEND_HRR_COOKIE=undefined ]
)
if test "$ENABLED_SEND_HRR_COOKIE" = "yes"
then
if test "x$ENABLED_TLS13" = "xno"
then
AC_MSG_NOTICE([TLS 1.3 is disabled - disabling HRR Cookie])
ENABLED_SEND_HRR_COOKIE="no"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
fi
fi
# RNG
AC_ARG_ENABLE([rng],
[AS_HELP_STRING([--enable-rng],[Enable compiling and using RNG (default: enabled)])],
[ ENABLED_RNG=$enableval ],
[ ENABLED_RNG=yes ]
)
if test "$ENABLED_RNG" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DWC_NO_RNG"
fi
AC_ARG_ENABLE([rng-bank],
[AS_HELP_STRING([--enable-rng-bank],[Enable compiling and using RNG banks (default: disabled)])],
[ ENABLED_RNG_BANK=$enableval ],
[ ENABLED_RNG_BANK=$KERNEL_MODE_DEFAULTS ]
)
if test "$ENABLED_RNG_BANK" = "yes"
then
AS_IF([test "$ENABLED_RNG" = "no"],
AC_MSG_ERROR([--enable-rng-bank requires --enable-rng]))
AM_CFLAGS="$AM_CFLAGS -DWC_RNG_BANK_SUPPORT"
fi
# DTLS-SCTP
AC_ARG_ENABLE([sctp],
[AS_HELP_STRING([--enable-sctp],[Enable wolfSSL DTLS-SCTP support (default: disabled)])],
[ENABLED_SCTP=$enableval],
[ENABLED_SCTP=no])
AS_IF([test "x$ENABLED_SCTP" = "xyes"],
[AC_MSG_CHECKING([for SCTP])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM(
[[
#include <sys/socket.h>
#include <arpa/inet.h>
]],
[[int s = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP); if (s == -1) return 1;]])],
[AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no)
AC_MSG_ERROR([SCTP not available, remove enable-sctp from configure])],
: ,
: ,
: )])
# DTLS-SRTP
AC_ARG_ENABLE([srtp],
[AS_HELP_STRING([--enable-srtp],[Enable wolfSSL DTLS-SRTP support (default: disabled)])],
[ENABLED_SRTP=$enableval],
[ENABLED_SRTP=no])
# DTLS-MULTICAST
AC_ARG_ENABLE([mcast],
[AS_HELP_STRING([--enable-mcast],[Enable wolfSSL DTLS multicast support (default: disabled)])],
[ENABLED_MCAST=$enableval],
[ENABLED_MCAST=no])
# List of open source project defines using our openssl compatibility layer:
# bind dns (--enable-bind) WOLFSSL_BIND
# libssh2 (--enable-libssh2)
# openssh (--enable-openssh) WOLFSSL_OPENSSH
# openvpn (--enable-openvpn) WOLFSSL_OPENVPN
# nginx (--enable-nginx) WOLFSSL_NGINX
# ntp (--enable-ntp)
# openresty (--enable-openresty)
# haproxy (--enable-haproxy) WOLFSSL_HAPROXY
# wpa_supplicant (--enable-wpas) WOLFSSL_WPAS
# ssl fortress (--enable-fortress) FORTRESS
# ssl bump (--enable-bump)
# signal (--enable-signal)
# lighty (--enable-lighty) HAVE_LIGHTY
# rsyslog (--enable-rsyslog)
# stunnel (--enable-stunnel) HAVE_STUNNEL
# curl (--enable-curl) HAVE_CURL
# libest (--enable-libest) HAVE_LIBEST
# asio (--enable-asio) WOLFSSL_ASIO
# libwebsockets (--enable-libwebsockets) WOLFSSL_LIBWEBSOCKETS
# qt (--enable-qt) WOLFSSL_QT
# qt test (--enable-qt-test) WOLFSSL_QT_TEST
# HAVE_POCO_LIB
# WOLFSSL_MYSQL_COMPATIBLE
# web server (--enable-webserver) HAVE_WEBSERVER
# net-snmp (--enable-net-snmp)
# krb (--enable-krb) WOLFSSL_KRB
# FFmpeg (--enable-ffmpeg) WOLFSSL_FFMPEG
# strongSwan (--enable-strongswan)
# OpenLDAP (--enable-openldap)
# hitch (--enable-hitch)
# memcached (--enable-memcached)
# Mosquitto (--enable-mosquitto) HAVE_MOSQUITTO
# Bind DNS compatibility Build
AC_ARG_ENABLE([bind],
[AS_HELP_STRING([--enable-bind],[Enable Bind DNS compatibility build (default: disabled)])],
[ENABLED_BIND=$enableval],
[ENABLED_BIND=no])
AC_ARG_ENABLE([libssh2],
[AS_HELP_STRING([--enable-libssh2],[Enable libssh2 compatibility build (default: disabled)])],
[ENABLED_LIBSSH2=$enableval],
[ENABLED_LIBSSH2=no])
# OpenSSH compatibility Build
AC_ARG_ENABLE([openssh],
[AS_HELP_STRING([--enable-openssh],[Enable OpenSSH compatibility build (default: disabled)])],
[ENABLED_OPENSSH=$enableval],
[ENABLED_OPENSSH=no])
if test "$ENABLED_OPENSSH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL -DWC_RNG_SEED_CB"
fi
# OpenVPN compatibility Build
AC_ARG_ENABLE([openvpn],
[AS_HELP_STRING([--enable-openvpn],[Enable OpenVPN compatibility build (default: disabled)])],
[ENABLED_OPENVPN=$enableval],
[ENABLED_OPENVPN=no])
# openresty compatibility build
AC_ARG_ENABLE([openresty],
[AS_HELP_STRING([--enable-openresty],[Enable openresty (default: disabled)])],
[ ENABLED_OPENRESTY=$enableval ],
[ ENABLED_OPENRESTY=no ]
)
# nginx compatibility build
AC_ARG_ENABLE([nginx],
[AS_HELP_STRING([--enable-nginx],[Enable nginx (default: disabled)])],
[ ENABLED_NGINX=$enableval ],
[ ENABLED_NGINX=no ]
)
# chrony support. Needs the compatibility layer for SNI callback functionality,
# but otherwise uses pure wolfCrypt.
AC_ARG_ENABLE([chrony],
[AS_HELP_STRING([--enable-chrony],[Enable chrony support (default: disabled)])],
[ ENABLED_CHRONY=$enableval ],
[ ENABLED_CHRONY=no ]
)
if test "$ENABLED_CHRONY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
fi
if test "$ENABLED_OPENRESTY" = "yes"
then
ENABLED_NGINX="yes"
fi
# OpenLDAP support
AC_ARG_ENABLE([openldap],
[AS_HELP_STRING([--enable-openldap],[Enable OpenLDAP support (default: disabled)])],
[ ENABLED_OPENLDAP=$enableval ],
[ ENABLED_OPENLDAP=no ]
)
# Mosquitto support
AC_ARG_ENABLE([mosquitto],
[AS_HELP_STRING([--enable-mosquitto],[Enable Mosquitto support (default: disabled)])],
[ ENABLED_MOSQUITTO=$enableval ],
[ ENABLED_MOSQUITTO=no ]
)
if test "x$ENABLED_MOSQUITTO" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_MOSQUITTO"
fi
# lighty Support
AC_ARG_ENABLE([lighty],
[AS_HELP_STRING([--enable-lighty],[Enable lighttpd/lighty (default: disabled)])],
[ ENABLED_LIGHTY=$enableval ],
[ ENABLED_LIGHTY=no ]
)
# rsyslog Support
AC_ARG_ENABLE([rsyslog],
[AS_HELP_STRING([--enable-rsyslog],[Enable rsyslog (default: disabled)])],
[ ENABLED_RSYSLOG=$enableval ],
[ ENABLED_RSYSLOG=no ]
)
# haproxy compatibility build
AC_ARG_ENABLE([haproxy],
[AS_HELP_STRING([--enable-haproxy],[Enable haproxy (default: disabled)])],
[ ENABLED_HAPROXY=$enableval ],
[ ENABLED_HAPROXY=no ]
)
# wpa_supplicant support
AC_ARG_ENABLE([wpas],
[AS_HELP_STRING([--enable-wpas],[Enable wpa_supplicant support (default: disabled)])],
[ ENABLED_WPAS=$enableval ],
[ ENABLED_WPAS=no ]
)
# wpa_supplicant support
AC_ARG_ENABLE([wpas-dpp],
[AS_HELP_STRING([--enable-wpas-dpp],[Enable wpa_supplicant support with dpp (default: disabled)])],
[ ENABLED_WPAS_DPP=$enableval ],
[ ENABLED_WPAS_DPP=no ]
)
if test "$ENABLED_WPAS_DPP" = "yes"
then
ENABLED_WPAS="yes"
fi
# ntp support
AC_ARG_ENABLE([ntp],
[AS_HELP_STRING([--enable-ntp],[Enable ntp support (default: disabled)])],
[ ENABLED_NTP=$enableval ],
[ ENABLED_NTP=no ]
)
# Fortress build
AC_ARG_ENABLE([fortress],
[AS_HELP_STRING([--enable-fortress],[Enable SSL fortress build (default: disabled)])],
[ ENABLED_FORTRESS=$enableval ],
[ ENABLED_FORTRESS=no ]
)
if test "$ENABLED_OPENSSH" = "yes"
then
ENABLED_FORTRESS="yes"
fi
# libwebsockets Support
AC_ARG_ENABLE([libwebsockets],
[AS_HELP_STRING([--enable-libwebsockets],[Enable libwebsockets (default: disabled)])],
[ ENABLED_LIBWEBSOCKETS=$enableval ],
[ ENABLED_LIBWEBSOCKETS=no ]
)
if test "$ENABLED_LIBWEBSOCKETS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LIBWEBSOCKETS -DHAVE_EX_DATA -DOPENSSL_NO_EC"
fi
# net-snmp Build
AC_ARG_ENABLE([net-snmp],
[AS_HELP_STRING([--enable-net-snmp],[Enable net-snmp (default: disabled)])],
[ ENABLED_NETSNMP=$enableval ],
[ ENABLED_NETSNMP=no ]
)
# kerberos 5 Build
AC_ARG_ENABLE([krb],
[AS_HELP_STRING([--enable-krb],[Enable kerberos 5 support (default: disabled)])],
[ ENABLED_KRB=$enableval ],
[ ENABLED_KRB=no ]
)
# FFmpeg Build
AC_ARG_ENABLE([ffmpeg],
[AS_HELP_STRING([--enable-ffmpeg],[Enable FFmpeg support (default: disabled)])],
[ ENABLED_FFMPEG=$enableval ],
[ ENABLED_FFMPEG=no ]
)
# IP alternative name Support
AC_ARG_ENABLE([ip-alt-name],
[AS_HELP_STRING([--enable-ip-alt-name],[Enable IP subject alternative name (default: disabled)])],
[ ENABLE_IP_ALT_NAME=$enableval ],
[ ENABLE_IP_ALT_NAME=no ]
)
if test "$ENABLE_IP_ALT_NAME" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IP_ALT_NAME"
fi
# QT Support
AC_ARG_ENABLE([qt],
[AS_HELP_STRING([--enable-qt],[Enable qt (default: disabled)])],
[ ENABLED_QT=$enableval ],
[ ENABLED_QT=no ]
)
# SNIFFER
AC_ARG_ENABLE([sniffer],
[AS_HELP_STRING([--enable-sniffer],[Enable wolfSSL sniffer support (default: disabled)])],
[ ENABLED_SNIFFER=$enableval ],
[ ENABLED_SNIFFER=no ]
)
# signal compatibility build
AC_ARG_ENABLE([signal],
[AS_HELP_STRING([--enable-signal],[Enable signal (default: disabled)])],
[ ENABLED_SIGNAL=$enableval ],
[ ENABLED_SIGNAL=no ]
)
# strongSwan support
AC_ARG_ENABLE([strongswan],
[AS_HELP_STRING([--enable-strongswan],[Enable strongSwan support (default: disabled)])],
[ ENABLED_STRONGSWAN=$enableval ],
[ ENABLED_STRONGSWAN=no ]
)
# hitch support
AC_ARG_ENABLE([hitch],
[AS_HELP_STRING([--enable-hitch],[Enable hitch support (default: disabled)])],
[ ENABLED_HITCH=$enableval ],
[ ENABLED_HITCH=no ]
)
# memcached support
AC_ARG_ENABLE([memcached],
[AS_HELP_STRING([--enable-memcached],[Enable memcached support (default: disabled)])],
[ ENABLED_MEMCACHED=$enableval ],
[ ENABLED_MEMCACHED=no ]
)
# OpenSSL Coexist
AC_ARG_ENABLE([opensslcoexist],
[AS_HELP_STRING([--enable-opensslcoexist],[Enable coexistence of wolfssl/openssl (default: disabled)])],
[ ENABLED_OPENSSLCOEXIST=$enableval ],
[ ENABLED_OPENSSLCOEXIST=no ]
)
if test "x$ENABLED_OPENSSLCOEXIST" = "xyes" || test "$ENABLED_WOLFENGINE" = "yes"
then
# make sure old names are disabled (except RNG)
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES"
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COEXIST"
fi
# S/MIME
AC_ARG_ENABLE([smime],
[AS_HELP_STRING([--enable-smime],[Enable S/MIME (default: disabled)])],
[ ENABLED_SMIME=$enableval ],
[ ENABLED_SMIME=no ]
)
# Platform Security Architecture (PSA)
AC_ARG_ENABLE([psa],
[AS_HELP_STRING([--enable-psa],[use Platform Security Architecture (PSA) interface (default: disabled)])],
[ ENABLED_PSA=$enableval ],
[ ENABLED_PSA=no ]
)
AC_ARG_WITH([psa-include],
[AS_HELP_STRING([--with-psa-include=PATH],
[PATH to directory with PSA header files])],
[PSA_INCLUDE=$withval],
[PSA_INCLUDE=""])
AC_ARG_WITH([psa-lib],
[AS_HELP_STRING([--with-psa-lib=PATH],[PATH to directory with the PSA library])],
[PSA_LIB=$withval],
[PSA_LIB=""])
AC_ARG_WITH([psa-lib-name],
[AS_HELP_STRING([--with-psa-lib-name=NAME],[NAME of PSA library])],
[PSA_LIB_NAME=$withval],
[PSA_LIB_NAME=""])
AC_ARG_ENABLE([psa-lib-static],
[AS_HELP_STRING([--enable-psa-lib-static],[Link PSA as static library (default: disable)])],
[ ENABLED_PSA_STATIC=$enableval ],
[ ENABLED_PSA_STATIC=no ]
)
if test "x$ENABLED_PSA" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_PSA"
fi
if test "x$ENABLED_PSA" != "xyes" && \
(test "x$PSA_LIB" != "x" || test "x$PSA_INCLUDE" != "x" || test "x$PSA_LIB_NAME" != "x" )
then
AC_MSG_ERROR([to use PSA you need to enable it with --enable-psa])
fi
if test -n "$PSA_LIB"
then
AC_MSG_CHECKING([for $PSA_LIB])
if ! test -d "$PSA_LIB"
then
AC_MSG_ERROR([PSA lib dir $PSA_LIB not found.])
fi
AC_MSG_RESULT([yes])
AM_LDFLAGS="$AM_LDFLAGS -L$PSA_LIB"
fi
if test -n "$PSA_LIB_NAME"
then
if test "x$ENABLED_PSA_STATIC" = "xyes"
then
LIB_STATIC_ADD="$LIB_STATIC_ADD $PSA_LIB/$PSA_LIB_NAME"
else
LIB_ADD="$LIB_ADD -l$PSA_LIB_NAME"
fi
fi
if test -n "$PSA_INCLUDE"
then
AC_MSG_CHECKING([for $PSA_INCLUDE])
if ! test -d "$PSA_INCLUDE"
then
AC_MSG_ERROR([psa include dir $PSA_INCLUDE not found.])
fi
AC_MSG_RESULT([yes])
AM_CFLAGS="$AM_CFLAGS -I$PSA_INCLUDE"
fi
AC_SUBST([PSA_LIB])
AC_SUBST([PSA_LIB_NAME])
AC_SUBST([PSA_INCLUDE])
# OPENSSL Compatibility ALL
AC_ARG_ENABLE([opensslall],
[AS_HELP_STRING([--enable-opensslall],[Enable all OpenSSL API, size++ (default: disabled)])],
[ ENABLED_OPENSSLALL=$enableval ],
[ ENABLED_OPENSSLALL=no ]
)
if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
test "$ENABLED_WPAS_DPP" = "yes" || test "$ENABLED_SMIME" = "yes" || \
test "$ENABLED_HAPROXY" = "yes" || test "$ENABLED_BIND" = "yes" || \
test "$ENABLED_NTP" = "yes" || test "$ENABLED_NETSNMP" = "yes" || \
test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \
test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \
test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || \
test "$ENABLED_HITCH" = "yes" || test "$ENABLED_NGINX" = "yes"
then
ENABLED_OPENSSLALL="yes"
fi
# OPENSSL Extra Compatibility
AC_ARG_ENABLE([opensslextra],
[AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled). Skip compat header install using "noinstall"])],
[ ENABLED_OPENSSLEXTRA=$enableval ],
[ ENABLED_OPENSSLEXTRA=no ]
)
if test "$ENABLED_QUIC" = "yes"
then
ENABLED_OPENSSLEXTRA="yes"
fi
# One Error Queue per Thread
AC_ARG_ENABLE([error-queue-per-thread],
[AS_HELP_STRING([--enable-error-queue-per-thread],[Enable one error queue per thread. Requires thread local storage. (default: disabled)])],
[ ENABLED_ERRORQUEUEPERTHREAD=$enableval ],
[ ENABLED_ERRORQUEUEPERTHREAD=check ]
)
if test "$ENABLED_ERRORQUEUEPERTHREAD" = "check"
then
AS_IF([test "$thread_ls_on" = "no" ||
test "$ENABLED_SINGLETHREADED" = "yes"],
[ENABLED_ERRORQUEUEPERTHREAD=no],
[ENABLED_ERRORQUEUEPERTHREAD=yes])
fi
if test "$ENABLED_ERRORQUEUEPERTHREAD" = "yes"
then
if test "$thread_ls_on" != "yes"
then
AC_MSG_ERROR(error-queue-per-thread needs thread-local storage.)
fi
AM_CFLAGS="$AM_CFLAGS -DERROR_QUEUE_PER_THREAD"
fi
# High Strength Build
AC_ARG_ENABLE([maxstrength],
[AS_HELP_STRING([--enable-maxstrength],[Enable Max Strength build, allows TLSv1.2-AEAD-PFS ciphers only (default: disabled)])],
[ENABLED_MAXSTRENGTH=$enableval],
[ENABLED_MAXSTRENGTH=no])
# Harden, enable Timing Resistance and Blinding by default
AC_ARG_ENABLE([harden],
[AS_HELP_STRING([--enable-harden],[Enable Hardened build, Enables Timing Resistance and Blinding (default: enabled)])],
[ENABLED_HARDEN=$enableval],
[ENABLED_HARDEN=yes])
if test "$ENABLED_HARDEN" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT"
if test "$ENABLED_RNG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_BLINDING"
fi
else
AM_CFLAGS="$AM_CFLAGS -DWC_NO_HARDEN -DWC_NO_CACHE_RESISTANT"
fi
# Fault protection hardening
AC_ARG_ENABLE([faultharden],
[AS_HELP_STRING([--enable-faultharden],[Enable Fault Hardened build (default: disabled)])],
[ENABLED_FAULTHARDEN=$enableval],
[ENABLED_FAULTHARDEN=no])
if test "$ENABLED_FAULTHARDEN" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CHECK_SIG_FAULTS -DWOLFSSL_CHECK_VER_FAULTS -DWC_SHA3_FAULT_HARDEN -DWC_MLKEM_FAULT_HARDEN -DWC_MLDSA_FAULT_HARDEN"
fi
AC_ARG_ENABLE([compileharden],
[AS_HELP_STRING([--enable-compileharden],[Enable extra hardening compile flags (default: disabled)])],
[ENABLED_COMPILEHARDEN=$enableval],
[ENABLED_COMPILEHARDEN=no])
EXTRA_OPTS_CFLAGS=
if test "$ENABLED_COMPILEHARDEN" = "yes"
then
CAN_USE_32B_BOUNDARIES_FLAG=no
AX_CHECK_COMPILE_FLAG([-Wa,-mbranches-within-32B-boundaries],
[CAN_USE_32B_BOUNDARIES_FLAG=yes],
[CAN_USE_32B_BOUNDARIES_FLAG=no],
[-Werror],[])
if test "$CAN_USE_32B_BOUNDARIES_FLAG" = "yes"
then
EXTRA_OPTS_CFLAGS="$EXTRA_OPTS_CFLAGS -Wa,-mbranches-within-32B-boundaries -falign-loops=64"
else
AC_MSG_ERROR([compiler does not accept -mbranches-within-32B-boundaries flag])
fi
fi
# IPv6 Test Apps
AC_ARG_ENABLE([ipv6],
[AS_HELP_STRING([--enable-ipv6],[Enable testing of IPV6 (default: disabled)])],
[ ENABLED_IPV6=$enableval ],
[ ENABLED_IPV6=no ]
)
if test "$ENABLED_IPV6" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DTEST_IPV6 -DWOLFSSL_IPV6"
fi
if test "$ENABLED_WPAS" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS_SMALL"
fi
if test "$ENABLED_WPAS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS"
AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
fi
if test "$ENABLED_WPAS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD"
AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT"
AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT"
AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL"
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"
AM_CFLAGS="$AM_CFLAGS -DWC_CTC_NAME_SIZE=128"
if test "$ENABLED_OPENSSLEXTRA" = "no"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
fi
if test "$ENABLED_FORTRESS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_KEY_GEN"
fi
# lean TLS build (TLS 1.2 client only (no client auth), ECC256, AES128 and SHA256 w/o Shamir)
AC_ARG_ENABLE([leantls],
[AS_HELP_STRING([--enable-leantls],[Enable Lean TLS build (default: disabled)])],
[ ENABLED_LEANTLS=$enableval ],
[ ENABLED_LEANTLS=no ]
)
if test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANTLS -DNO_WRITEV -DHAVE_ECC -DTFM_ECC256 -DECC_USER_CURVES -DNO_WOLFSSL_SERVER -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_SHA -DNO_PSK -DNO_WOLFSSL_MEMORY -DNO_WOLFSSL_CM_VERIFY"
enable_lowresource=yes
fi
# low resource options to reduce flash and memory use
AC_ARG_ENABLE([lowresource],
[AS_HELP_STRING([--enable-lowresource],[Enable low resource options for memory/flash (default: disabled)])],
[ ENABLED_LOWRESOURCE=$enableval ],
[ ENABLED_LOWRESOURCE=no ]
)
if test "$ENABLED_LOWRESOURCE" = "yes"
then
# low memory / flash flags
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE -DRSA_LOW_MEM -DCURVE25519_SMALL -DED25519_SMALL -DWOLFSSL_SMALL_CERT_VERIFY -DWOLFSSL_NO_ASYNC_IO"
# low flash flags
AM_CFLAGS="$AM_CFLAGS -DUSE_SLOW_SHA -DUSE_SLOW_SHA256 -DUSE_SLOW_SHA512"
# AES small
AM_CFLAGS="$AM_CFLAGS -DGCM_SMALL -DWOLFSSL_AES_NO_UNROLL -DWOLFSSL_AES_SMALL_TABLES"
fi
# TITAN cache
AC_ARG_ENABLE([titancache],
[AS_HELP_STRING([--enable-titancache],[Enable titan session cache (default: disabled)])],
[ ENABLED_TITANCACHE=$enableval ],
[ ENABLED_TITANCACHE=no ]
)
if test "$ENABLED_TITANCACHE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DTITAN_SESSION_CACHE"
fi
# HUGE cache
AC_ARG_ENABLE([hugecache],
[AS_HELP_STRING([--enable-hugecache],[Enable huge session cache (default: disabled)])],
[ ENABLED_HUGECACHE=$enableval ],
[ ENABLED_HUGECACHE=no ]
)
if test "$ENABLED_HUGECACHE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHUGE_SESSION_CACHE"
fi
# big cache
AC_ARG_ENABLE([bigcache],
[AS_HELP_STRING([--enable-bigcache],[Enable big session cache (default: disabled)])],
[ ENABLED_BIGCACHE=$enableval ],
[ ENABLED_BIGCACHE=no ]
)
if test "$ENABLED_BIGCACHE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DBIG_SESSION_CACHE"
fi
# SMALL cache
AC_ARG_ENABLE([smallcache],
[AS_HELP_STRING([--enable-smallcache],[Enable small session cache (default: disabled)])],
[ ENABLED_SMALLCACHE=$enableval ],
[ ENABLED_SMALLCACHE=no ]
)
if test "$ENABLED_SMALLCACHE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DSMALL_SESSION_CACHE"
fi
# Persistent session cache
AC_ARG_ENABLE([savesession],
[AS_HELP_STRING([--enable-savesession],[Enable persistent session cache (default: disabled)])],
[ ENABLED_SAVESESSION=$enableval ],
[ ENABLED_SAVESESSION=no ]
)
if test "$ENABLED_SAVESESSION" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DPERSIST_SESSION_CACHE"
fi
# Persistent cert cache
AC_ARG_ENABLE([savecert],
[AS_HELP_STRING([--enable-savecert],[Enable persistent cert cache (default: disabled)])],
[ ENABLED_SAVECERT=$enableval ],
[ ENABLED_SAVECERT=no ]
)
if test "$ENABLED_SAVECERT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DPERSIST_CERT_CACHE"
fi
# Write duplicate WOLFSSL object
AC_ARG_ENABLE([writedup],
[AS_HELP_STRING([--enable-writedup],[Enable write duplication of WOLFSSL objects (default: disabled)])],
[ ENABLED_WRITEDUP=$enableval ],
[ ENABLED_WRITEDUP=no ]
)
if test "$ENABLED_WRITEDUP" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_WRITE_DUP"
fi
# Atomic User Record Layer
AC_ARG_ENABLE([atomicuser],
[AS_HELP_STRING([--enable-atomicuser],[Enable Atomic User Record Layer (default: disabled)])],
[ ENABLED_ATOMICUSER=$enableval ],
[ ENABLED_ATOMICUSER=no ]
)
if test "$ENABLED_ATOMICUSER" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
fi
# Public Key Callbacks
AC_ARG_ENABLE([pkcallbacks],
[AS_HELP_STRING([--enable-pkcallbacks],[Enable Public Key Callbacks (default: disabled)])],
[ ENABLED_PKCALLBACKS=$enableval ],
[ ENABLED_PKCALLBACKS=no ]
)
if test "$ENABLED_PKCALLBACKS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_PK_CALLBACKS"
fi
# Maxim Integrated MAXQ10XX
ENABLED_MAXQ10XX="no"
maxqpartnumber=""
AC_ARG_WITH([maxq10xx],
[AS_HELP_STRING([--with-maxq10xx=PART],[MAXQ10XX PART Number])],
[
AC_MSG_CHECKING([for maxq10xx])
# Read the part number
maxqpartnumber=$withval
if test "$maxqpartnumber" = "MAXQ1065"; then
LIB_STATIC_ADD="$LIB_STATIC_ADD lib/libmaxq1065_api.a"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAXQ1065"
ENABLED_MAXQ10XX="yes"
AC_CHECK_LIB([rt], [clock_gettime])
elif test "$maxqpartnumber" = "MAXQ108x"; then
LIB_STATIC_ADD="$LIB_STATIC_ADD lib/libmaxq108x_api.a"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAXQ108X"
ENABLED_MAXQ10XX="yes"
AC_CHECK_LIB([rt], [clock_gettime])
else
AC_MSG_ERROR([need a valid MAXQ part number])
fi
AC_MSG_RESULT([yes])
]
)
AC_ARG_ENABLE([microchip],
[AS_HELP_STRING([--enable-microchip],[Enable wolfSSL support for microchip/atmel 508/608/100 (default: disabled)])],
[ ENABLED_ATMEL=$enableval ],
[ ENABLED_ATMEL=no ]
)
if test "$ENABLED_ATMEL" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MICROCHIP"
for v in `echo $ENABLED_ATMEL | tr "," " "`
do
case $v in
508)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC508A"
;;
608)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC608A"
;;
100)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MICROCHIP_TA100 -DMICROCHIP_DEV_TYPE=TA100"
;;
esac
done
fi
# Microchip/Atmel CryptoAuthLib
ENABLED_CRYPTOAUTHLIB="no"
AC_ARG_WITH([cryptoauthlib],
[AS_HELP_STRING([--with-cryptoauthlib=PATH],
[PATH to CryptoAuthLib install (default: system paths)])],
[with_cryptoauthlib=$withval],
[with_cryptoauthlib=no])
AS_IF([test "x$with_cryptoauthlib" != "xno"], [
AS_IF([test "x$ENABLED_ATMEL" = "xno"], [
AC_MSG_ERROR([--with-cryptoauthlib requires --enable-microchip=<devices>.])
])
AC_MSG_CHECKING([for CryptoAuthLib])
libdir=""
incdir=""
cryptoauthlib_found="no"
saved_LIBS="$LIBS"
saved_LDFLAGS="$LDFLAGS"
saved_CPPFLAGS="$CPPFLAGS"
saved_CFLAGS="$CFLAGS"
# Method 1: Try pkg-config first (most reliable)
m4_ifdef([PKG_CHECK_MODULES], [
PKG_CHECK_MODULES([CRYPTOAUTHLIB], [cryptoauthlib], [
CPPFLAGS="$CRYPTOAUTHLIB_CFLAGS $CPPFLAGS"
CFLAGS="$CRYPTOAUTHLIB_CFLAGS $CFLAGS"
LIBS="$CRYPTOAUTHLIB_LIBS $LIBS"
cryptoauthlib_found="pkg-config"
], [:])
])
# Method 2: Manual search if pkg-config failed
AS_IF([test "x$cryptoauthlib_found" = "xno"], [
AS_IF([test "x$with_cryptoauthlib" = "xyes"], [
search_dirs="/usr /usr/local"
], [
search_dirs="$with_cryptoauthlib"
])
for trylibatcadir in $search_dirs; do
for try_libdir in "$trylibatcadir/lib" "$trylibatcadir/lib64"; do
if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then
libdir="$try_libdir"
break
fi
done
if test -z "$libdir"; then
if test -x /usr/bin/dpkg-architecture; then
DEB_HOST_MULTIARCH=`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`
if test -n "$DEB_HOST_MULTIARCH"; then
try_libdir="$trylibatcadir/lib/$DEB_HOST_MULTIARCH"
if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then
libdir="$try_libdir"
fi
fi
fi
fi
for try_incdir in "$trylibatcadir/include/cryptoauthlib" "$trylibatcadir/include"; do
if test -f "$try_incdir/cryptoauthlib.h"; then
incdir="$try_incdir"
break
fi
done
if test -n "$libdir" && test -n "$incdir"; then
break
fi
libdir=""
incdir=""
done
if test -n "$libdir" && test -n "$incdir"; then
CPPFLAGS="-I$incdir $CPPFLAGS"
CFLAGS="-I$incdir $CFLAGS"
LDFLAGS="-L$libdir $LDFLAGS"
LIBS="-lcryptoauth $LIBS"
cryptoauthlib_found="$libdir"
fi
])
AS_IF([test "x$cryptoauthlib_found" != "xno"], [
wolfssl_include=""
AS_IF([test -f "${srcdir}/wolfssl/wolfcrypt/types.h"], [
wolfssl_include="-I${srcdir}"
], [test -f "${srcdir}/wolfssl.h"], [
wolfssl_include="-I${srcdir}"
])
test_CPPFLAGS="$wolfssl_include $CPPFLAGS"
test_CFLAGS="$wolfssl_include $CFLAGS"
saved_test_CPPFLAGS="$CPPFLAGS"
saved_test_CFLAGS="$CFLAGS"
CPPFLAGS="$test_CPPFLAGS"
CFLAGS="$test_CFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM(
[[#include <cryptoauthlib.h>]],
[[atcab_init(0); return 0;]])],
[
ENABLED_CRYPTOAUTHLIB="yes"
AC_MSG_RESULT([yes ($cryptoauthlib_found)])
AC_DEFINE([HAVE_CRYPTOAUTHLIB], [1], [CryptoAuthLib support])
CPPFLAGS="$saved_test_CPPFLAGS"
CFLAGS="$saved_test_CFLAGS"
],
[
LIBS="$saved_LIBS"
LDFLAGS="$saved_LDFLAGS"
CPPFLAGS="$saved_CPPFLAGS"
CFLAGS="$saved_CFLAGS"
AC_MSG_RESULT([no - compilation failed])
AC_MSG_ERROR([CryptoAuthLib found but compilation check failed. Check config.log for details.])
])
], [
AC_MSG_RESULT([no - library not found])
AC_MSG_ERROR([CryptoAuthLib not found. Install it or specify path with --with-cryptoauthlib=/path])
])
])
# TropicSquare TROPIC01
# Example: "./configure --with-tropic01=/home/pi/libtropic"
ENABLED_TROPIC01="no"
trylibtropicdir=""
AC_ARG_WITH([tropic01],
[AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])],
[
AC_MSG_CHECKING([for libtropic])
if test "x$withval" != "xno" ; then
trylibtropicdir=$withval
fi
if test "x$withval" = "xyes" ; then
trylibtropicdir="libtropic"
fi
if test -e $trylibtropicdir/build/libtropic.a
then
LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a"
LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a"
AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include"
else
ENABLED_TROPIC01="no"
AC_MSG_ERROR([Could not find libtropic - TropicSquare library])
fi
enable_shared=no
enable_static=yes
ENABLED_TROPIC01="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01"
AC_MSG_RESULT([yes])
]
)
# STMicro STSAFE-A100 / STSAFE-A120
# Example: "./configure --enable-stsafe=a120"
ENABLED_STSAFE="no"
AC_ARG_ENABLE([stsafe],
[AS_HELP_STRING([--enable-stsafe@<:@=a100|a120@:>@],
[Enable STMicro STSAFE secure-element support. Variant selects the SDK:
a100 (legacy STSAFE-A1xx SDK, default) or a120 (STSELib).])],
[ ENABLED_STSAFE=$enableval ],
[ ENABLED_STSAFE=no ])
case "$ENABLED_STSAFE" in
no) ;;
yes|a100) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STSAFE -DWOLFSSL_STSAFEA100"
ENABLED_STSAFE="a100" ;;
a120) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STSAFE -DWOLFSSL_STSAFEA120" ;;
*) AC_MSG_ERROR([Invalid --enable-stsafe value '$ENABLED_STSAFE'; use a100 or a120]) ;;
esac
# NXP SE050
# Example: "./configure --with-se050=/home/pi/simw_top"
ENABLED_SE050="no"
trylibse050dir=""
AC_ARG_WITH([se050],
[AS_HELP_STRING([--with-se050=PATH],[PATH to SE050 install (default /usr/local)])],
[
AC_MSG_CHECKING([for SE050])
LIBS="$LIBS -lSSS_APIs -lex_common"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0);]])],[ libse050_linked=yes ],[ libse050_linked=no ])
if test "x$libse050_linked" = "xno" ; then
if test "x$withval" != "xno" ; then
trylibse050dir=$withval
fi
if test "x$withval" = "xyes" ; then
trylibse050dir="/usr/local"
fi
LDFLAGS="$LDFLAGS -L$trylibse050dir/lib"
LDFLAGS="$LDFLAGS -L$trylibse050dir/build/sss"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/include/se05x"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/build"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/inc"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/ex/inc"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/port/default"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/inc"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/log"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/infra"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/se05x_03_xx_xx"
if test -e "$trylibse050dir/build/sss/libSSS_APIs.a"; then
SE050_STATIC=yes
else
SE050_STATIC=no
fi
if test "x$SE050_STATIC" = "xyes"; then
LIB_STATIC_ADD="$trylibse050dir/build/sss/ex/src/libex_common.a \
$trylibse050dir/build/sss/libSSS_APIs.a \
$trylibse050dir/build/hostlib/hostLib/se05x/libse05x.a \
$trylibse050dir/build/hostlib/hostLib/liba7x_utils.a \
$trylibse050dir/build/hostlib/hostLib/libCommon/log/libmwlog.a \
$trylibse050dir/build/hostlib/hostLib/libCommon/libsmCom.a $LIB_STATIC_ADD"
else
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ])
if test "x$libse050_linked" = "xno" ; then
AC_MSG_ERROR([SE050 isn't found.
If it's already installed, specify its path using --with-se050=/dir/])
fi
fi
# Requires AES direct
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"
# Does not support SHA2-512 224/256
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([yes])
fi
ENABLED_SE050="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SE050 -DSSS_USE_FTR_FILE"
]
)
ENABLED_SNIFFTEST=no
AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ],
[
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SNIFFER -DWOLFSSL_STATIC_EPHEMERAL"
AC_CHECK_HEADERS([pcap/pcap.h],
[ ENABLED_SNIFFTEST=yes ],
[ AC_MSG_WARN([cannot enable sniffer test without having libpcap available.]) ]
)
])
# AES-ECB
AC_ARG_ENABLE([aesecb],
[AS_HELP_STRING([--enable-aesecb],[Enable wolfSSL AES-ECB support (default: enabled)])],
[ ENABLED_AESECB=$enableval ],
[ ENABLED_AESECB=no ]
)
if test "$ENABLED_AESECB" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_ECB"
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AES_ECB"
fi
# AES-CBC
AC_ARG_ENABLE([aescbc],
[AS_HELP_STRING([--enable-aescbc],[Enable wolfSSL AES-CBC support (default: enabled)])],
[ ENABLED_AESCBC=$enableval ],
[ ENABLED_AESCBC=yes ]
)
if test "$ENABLED_AESCBC" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"
AM_CCASFLAGS="$AM_CCASFLAGS -DNO_AES_CBC"
fi
# AES-CBC length checks (checks that input lengths are multiples of block size)
AC_ARG_ENABLE([aescbc_length_checks],
[AS_HELP_STRING([--enable-aescbc-length-checks],[Enable AES-CBC length validity checks (default: disabled)])],
[ ENABLED_AESCBC_LENGTH_CHECKS=$enableval ],
[ ENABLED_AESCBC_LENGTH_CHECKS=no ]
)
if test "$ENABLED_AESCBC_LENGTH_CHECKS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CBC_LENGTH_CHECKS"
fi
# leanpsk and leantls don't need gcm
# AES-GCM
AC_ARG_ENABLE([aesgcm],
[AS_HELP_STRING([--enable-aesgcm],[Enable wolfSSL AES-GCM support (default: enabled)])],
[ ENABLED_AESGCM=$enableval ],
[ ENABLED_AESGCM=yes ]
)
AC_ARG_ENABLE([aesgcm-stream],
[AS_HELP_STRING([--enable-aesgcm-stream],[Enable wolfSSL AES-GCM support with streaming APIs (default: disabled)])],
[ ENABLED_AESGCM_STREAM=$enableval ],
[ ENABLED_AESGCM_STREAM=no ]
)
# leanpsk and leantls don't need gcm
if test "$FIPS_VERSION" = "rand" || test "$ENABLED_LEANPSK" = "yes" ||
(test "$ENABLED_LEANTLS" = "yes" && test "$ENABLED_TLS13" = "no")
then
ENABLED_AESGCM=no
fi
if test "$ENABLED_AESGCM" = "yes"
then
ENABLED_AESGCM="4bit"
fi
# AES-CCM
AC_ARG_ENABLE([aesccm],
[AS_HELP_STRING([--enable-aesccm],[Enable wolfSSL AES-CCM support (default: disabled)])],
[ ENABLED_AESCCM=$enableval ],
[ ENABLED_AESCCM=no ]
)
if test "$ENABLED_AESCCM" = "yes" || test "$ENABLED_WOLFENGINE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESCCM"
fi
# AES-EAX
AC_ARG_ENABLE([aeseax],
[AS_HELP_STRING([--enable-aeseax],[Enable wolfSSL AES-EAX support (default: disabled)])],
[ ENABLED_AESEAX=$enableval ],
[ ENABLED_AESEAX=no ]
)
if test "$ENABLED_AESEAX" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_EAX"
fi
# AES-SIV (RFC 5297)
AC_ARG_ENABLE([aessiv],
[AS_HELP_STRING([--enable-aessiv],[Enable AES-SIV (RFC 5297) (default: disabled)])],
[ ENABLED_AESSIV=$enableval ],
[ ENABLED_AESSIV=no ]
)
if test "$ENABLED_CHRONY" = "yes"
then
ENABLED_AESSIV=yes
fi
# AES-CTR
AC_ARG_ENABLE([aesctr],
[AS_HELP_STRING([--enable-aesctr],[Enable wolfSSL AES-CTR support (default: disabled)])],
[ ENABLED_AESCTR=$enableval ],
[ ENABLED_AESCTR=no ]
)
if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes"
then
ENABLED_AESCTR=yes
fi
if test "$ENABLED_QUIC" = "yes"
then
ENABLED_AESCTR=yes
fi
# AES-OFB
AC_ARG_ENABLE([aesofb],
[AS_HELP_STRING([--enable-aesofb],[Enable wolfSSL AES-OFB support (default: disabled)])],
[ ENABLED_AESOFB=$enableval ],
[ ENABLED_AESOFB=no ]
)
if test "$ENABLED_AESOFB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB -DWOLFSSL_AES_DIRECT"
fi
# AES-CFB
AC_ARG_ENABLE([aescfb],
[AS_HELP_STRING([--enable-aescfb],[Enable wolfSSL AES-CFB support (default: disabled)])],
[ ENABLED_AESCFB=$enableval ],
[ ENABLED_AESCFB=no ]
)
if test "$ENABLED_AESCFB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"
fi
AC_ARG_ENABLE([aes-bitsliced],
[AS_HELP_STRING([--enable-aes-bitsliced],[Enable bitsliced implementation of AES (default: disabled)])],
[ ENABLED_AESBS=$enableval ],
[ ENABLED_AESBS=no ]
)
if test "$ENABLED_AESBS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_AES_BITSLICED -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
fi
# SM4
ENABLED_SM4="no"
AC_ARG_ENABLE([sm4-ecb],
[AS_HELP_STRING([--enable-sm4-ecb],[Enable wolfSSL SM4-ECB support (default: disabled)])],
[ ENABLED_SM4_ECB=$enableval ],
[ ENABLED_SM4_ECB=no ]
)
if test "$ENABLED_SM4_ECB" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"
fi
if test "$ENABLED_SM4_ECB" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_ECB"
ENABLED_SM4="yes"
fi
AC_ARG_ENABLE([sm4-cbc],
[AS_HELP_STRING([--enable-sm4-cbc],[Enable wolfSSL SM4-CBC support (default: disabled)])],
[ ENABLED_SM4_CBC=$enableval ],
[ ENABLED_SM4_CBC=no ]
)
if test "$ENABLED_SM4_CBC" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"
fi
if test "$ENABLED_SM4_CBC" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_CBC"
ENABLED_SM4="yes"
fi
AC_ARG_ENABLE([sm4-ctr],
[AS_HELP_STRING([--enable-sm4-ctr],[Enable wolfSSL SM4-CTR support (default: disabled)])],
[ ENABLED_SM4_CTR=$enableval ],
[ ENABLED_SM4_CTR=no ]
)
if test "$ENABLED_SM4_CTR" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"
fi
if test "$ENABLED_SM4_CTR" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_CTR"
ENABLED_SM4="yes"
fi
AC_ARG_ENABLE([sm4-gcm],
[AS_HELP_STRING([--enable-sm4-gcm],[Enable wolfSSL SM4-GCM support (default: disabled)])],
[ ENABLED_SM4_GCM=$enableval ],
[ ENABLED_SM4_GCM=no ]
)
if test "$ENABLED_SM4_GCM" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"
fi
if test "$ENABLED_SM4_GCM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_GCM"
ENABLED_SM4="yes"
fi
AC_ARG_ENABLE([sm4-ccm],
[AS_HELP_STRING([--enable-sm4-ccm],[Enable wolfSSL SM4-CCM support (default: disabled)])],
[ ENABLED_SM4_CCM=$enableval ],
[ ENABLED_SM4_CCM=no ]
)
if test "$ENABLED_SM4_CCM" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"
fi
if test "$ENABLED_SM4_CCM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_CCM"
ENABLED_SM4="yes"
fi
if test "$ENABLED_SM4" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4"
fi
ENABLED_ARMASM_CRYPTO="unknown"
ENABLED_ARMASM_INLINE="no"
ENABLED_ARMASM_SHA256_SMALL="no"
ENABLED_ARMASM_SHA3="unknown"
ENABLED_ARMASM_CRYPTO_SM4="no"
# ARM Assembly
# Both SHA3 and SHA512 instructions available with ARMV8.2-a
AC_ARG_ENABLE([armasm],
[AS_HELP_STRING([--enable-armasm],[Enable wolfSSL ARMv8 ASM support (default: disabled). Set to sha512-crypto or sha3-crypto to use SHA512 and SHA3 instructions with Aarch64 CPU.])],
[ ENABLED_ARMASM=$enableval ],
[ ENABLED_ARMASM=no ]
)
if test "$ENABLED_ARMASM" != "no" && test "$ENABLED_ASM" = "yes"
then
for v in `echo $ENABLED_ARMASM | tr "," " "`
do
case $v in
yes)
;;
inline)
ENABLED_ARMASM_INLINE=yes
;;
no-crypto)
ENABLED_ARMASM_CRYPTO=no
;;
sha256-small)
case $host_cpu in
*arm*)
;;
*)
AC_MSG_ERROR([SHA256 small option only available on 32-bit ARM CPU.])
break;;
esac
ENABLED_ARMASM_SHA256_SMALL=yes
;;
sha512-crypto | sha3-crypto)
case $host_cpu in
*aarch64*)
;;
*)
AC_MSG_ERROR([SHA512/SHA3 instructions only available on Aarch64 CPU.])
break;;
esac
ENABLED_ARMASM_SHA3=yes
ENABLED_ARMASM_PLUS=yes
;;
no-sha512-crypto | no-sha3-crypto)
case $host_cpu in
*aarch64*)
;;
*)
AC_MSG_ERROR([SHA512/SHA3 instructions only available on Aarch64 CPU.])
break;;
esac
ENABLED_ARMASM_SHA3=no
;;
sm4)
case $host_cpu in
*aarch64*)
;;
*)
AC_MSG_ERROR([SM4 instructions only available on Aarch64 CPU.])
break;;
esac
ENABLED_ARMASM_SM4=yes
# gcc requires -march=...+sm4 to enable SM4 instructions
ENABLED_ARMASM_CRYPTO_SM4=yes
ENABLED_ARMASM_PLUS=yes
;;
sm3)
case $host_cpu in
*aarch64*)
;;
*)
AC_MSG_ERROR([SM3 instructions only available on Aarch64 CPU.])
break;;
esac
ENABLED_ARMASM_SM3=yes
# gcc requires -march=...+sm4 to enable SM3 instructions
ENABLED_ARMASM_CRYPTO_SM4=yes
ENABLED_ARMASM_PLUS=yes
;;
barrier-sb)
case $host_cpu in
*aarch64*)
;;
*)
AC_MSG_ERROR([SB instructions only available on Aarch64 v8.5+ CPU.])
break;;
esac
ENABLED_ARMASM_BARRIER_SB=yes
;;
barrier-detect)
case $host_cpu in
*aarch64*)
;;
*)
AC_MSG_ERROR([SB instructions only available on Aarch64 v8.5+ CPU.])
break;;
esac
ENABLED_ARMASM_BARRIER_DETECT=yes
;;
aes-block-dup)
case $host_cpu in
*arm*)
;;
*)
AC_MSG_ERROR([AES assembly option only available on 32-bit ARM CPU.])
break;;
esac
ENABLED_ARMASM_AES_BLOCK_INLINE=yes
;;
*)
case $host_cpu in
*aarch64*)
AC_MSG_ERROR([Invalid choice of ARM asm inclusions (yes, inline, no-crypto, sha512-crypto, sha3-crypto, no-sha512-crypto, no-sha3-crypto, barrier-sb, barrier-detect): $ENABLED_ARMASM.])
break;;
*arm*)
AC_MSG_ERROR([Invalid choice of ARM asm inclusions (yes, inline, no-crypto, sha256-small, aes-block-dup): $ENABLED_ARMASM.])
break;;
esac
break;;
esac
done
ENABLED_ARMASM="yes"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM"
#Check if mcpu and mfpu values already set if not use default
case $CPPFLAGS in
*mcpu* | *mfpu*)
break;; #Do not override user set values
*)
case $host_cpu in
*aarch64*)
case $host_os in
*darwin*)
# Turn it on unless explicitly turned off.
if test "$ENABLED_ARMASM_SHA3" = "unknown"; then
ENABLED_ARMASM_SHA3="yes"
fi
;;
*)
# +crypto needed for hardware acceleration
if test "$ENABLED_ARMASM_PLUS" = "yes"; then
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv8.2-a+crypto"
if test "$ENABLED_ARMASM_SHA3" = "yes"; then
AM_CPPFLAGS="$AM_CPPFLAGS+sha3"
fi
if test "$ENABLED_ARMASM_CRYPTO_SM4" = "yes"; then
AM_CPPFLAGS="$AM_CPPFLAGS+sm4"
fi
else
AM_CPPFLAGS="$AM_CPPFLAGS -mcpu=generic+crypto -DWOLFSSL_AARCH64_NO_SQRDMLSH"
fi
;;
esac
# Include options.h
AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
if test "$ENABLED_ARMASM_CRYPTO" = "unknown"; then
ENABLED_ARMASM_CRYPTO=yes
fi
ENABLED_ARMASM_NEON=yes
ENABLED_ARM_64=yes
# Check for and set -mstrict-align compiler flag
# Used to set assumption that Aarch64 systems will not handle
# unaligned memory references. The flag -mstrict-align is needed
# on some compiler versions to avoid an invalid addressing mode
# error with "m" constraint variables in the inline assembly AES
# code. Even though unaligned load/store access is permitted on
# normal memory with Cortex-A series boards with the exception
# being exclusive and ordered access.
case $CPPFLAGS in
*mstrict-align*)
break;; # already set by user
*)
AM_CPPFLAGS="$AM_CPPFLAGS -mstrict-align"
AC_MSG_NOTICE([64bit ARMv8, setting -mstrict-align]);;
esac
AC_MSG_NOTICE([64bit ARMv8 found, setting mcpu to generic+crypto])
;;
armv7a* | armv7l*)
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-a -mfpu=neon -DWOLFSSL_ARM_ARCH=7 -marm"
# Include options.h
AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
ENABLED_ARMASM_CRYPTO=no
ENABLED_ARMASM_NEON=yes
ENABLED_ARM_32=yes
AC_MSG_NOTICE([32bit ARMv7-a found, setting mfpu to neon])
if test "$ENABLED_FIPS" != "no" ||
test "$HAVE_FIPS_VERSION_MAJOR" -ge 5;
then
# Use inline ASM with FIPS because of known "issue" with the
# assembly code
ENABLED_ARMASM_INLINE=yes
AC_MSG_NOTICE([32bit ARMv7-a found, setting inline for FIPS])
fi
;;
armv7m*)
# QEMU doesn't work with armv7-m
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_THUMB2"
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-r -DWOLFSSL_ARMASM_THUMB2 -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARM_ARCH=7"
# Include options.h
AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
ENABLED_ARMASM_CRYPTO=no
ENABLED_ARMASM_NEON=no
ENABLED_ARM_THUMB=yes
ENABLED_ARM_32=yes
AC_MSG_NOTICE([32bit ARMv7-m found])
if test "$ENABLED_FIPS" != "no" ||
test "$HAVE_FIPS_VERSION_MAJOR" -ge 5;
then
# Use inline ASM with FIPS because of known "issue" with the
# assembly code
ENABLED_ARMASM_INLINE=yes
AC_MSG_NOTICE([32bit ARMv7-m found, setting inline for FIPS])
fi
;;
armv6*)
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv6 -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARM_ARCH=6"
AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
ENABLED_ARMASM_CRYPTO=no
ENABLED_ARMASM_NEON=no
ENABLED_ARM_32=yes
AC_MSG_NOTICE([32bit ARMv6 found])
;;
armv4*)
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv4 -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARM_ARCH=4"
AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
ENABLED_ARMASM_CRYPTO=no
ENABLED_ARMASM_NEON=no
ENABLED_ARM_32=yes
AC_MSG_NOTICE([32bit ARMv4 found])
;;
*)
AM_CPPFLAGS="$AM_CPPFLAGS -mfpu=crypto-neon-fp-armv8 -marm"
# Include options.h
AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
ENABLED_ARMASM_CRYPTO=yes
ENABLED_ARMASM_NEON=yes
ENABLED_ARM_32=yes
AC_MSG_NOTICE([32bit ARMv8 found, setting mfpu to crypto-neon-fp-armv8])
;;
esac
esac
fi
if test "$ENABLED_ARMASM_SHA256_SMALL" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_SHA256_SMALL"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM_SHA256_SMALL"
fi
if test "$ENABLED_ARMASM_SHA3" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_CRYPTO_SHA512 -DWOLFSSL_ARMASM_CRYPTO_SHA3"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM_CRYPTO_SHA512 -DWOLFSSL_ARMASM_CRYPTO_SHA3"
fi
if test "$ENABLED_ARMASM_SHA3" = "unknown"; then
ENABLED_ARMASM_SHA3="no"
fi
if test "$ENABLED_ARMASM_SM3" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_CRYPTO_SM3"
fi
if test "$ENABLED_ARMASM_SM4" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_CRYPTO_SM4"
fi
if test "$ENABLED_ARMASM_BARRIER_SB" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_BARRIER_SB"
fi
if test "$ENABLED_ARMASM_BARRIER_DETECT" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_BARRIER_DETECT"
fi
if test "$ENABLED_ARMASM_CRYPTO" = "unknown"; then
ENABLED_ARMASM_CRYPTO=no
fi
if test "$ENABLED_ARMASM_CRYPTO" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_NO_HW_CRYPTO"
fi
if test "$ENABLED_ARMASM_NEON" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_NO_NEON"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM_NO_NEON"
fi
if test "$ENABLED_ARMASM_INLINE" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_INLINE"
fi
if test "$ENABLED_ARMASM_AES_BLOCK_INLINE" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_AES_BLOCK_INLINE"
fi
# RISC-V Assembly
AC_ARG_ENABLE([riscv-asm],
[AS_HELP_STRING([--enable-riscv-asm],[Enable wolfSSL RISC-V ASM support (default: disabled).])],
[ ENABLED_RISCV_ASM=$enableval ],
[ ENABLED_RISCV_ASM=no ]
)
if test "$ENABLED_RISCV_ASM" != "no" && test "$ENABLED_ASM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_ASM"
AC_MSG_NOTICE([64bit RISC-V assembly for AES])
fi
ENABLED_RISCV_ASM_OPTS=$ENABLED_RISCV_ASM
for v in `echo $ENABLED_RISCV_ASM_OPTS | tr "," " "`
do
case $v in
yes)
;;
no)
;;
zbb)
# REV8
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BASE_BIT_MANIPULATION"
;;
zbc|zbkc)
# CLMUL, CLMULH
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_CARRYLESS"
;;
zbkb)
# PACK, REV8
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BIT_MANIPULATION"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BASE_BIT_MANIPULATION"
;;
zbt)
# FSL, FSR, FSRI, CMOV, CMIX - QEMU doesn't know about these instructions
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BIT_MANIPULATION_TERNARY"
;;
zkn|zkned)
# AES encrypt/decrpyt, SHA-2
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_SCALAR_CRYPTO_ASM"
;;
zv)
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR"
;;
zvbb|zvkb)
# VBREV8
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_BASE_BIT_MANIPULATION"
;;
zvbc)
# VCLMUL, VCLMULH
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_CARRYLESS"
;;
zvkg)
# VGMUL, VHHSH
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_GCM"
;;
zvkned)
# Vector AES, SHA-2
ENABLED_RISCV_ASM=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_CRYPTO_ASM"
;;
*)
AC_MSG_ERROR([Invalid RISC-V option [yes,zbkb,zbb,zbc,zbkc,zkn,zkned,zv,zvkg,zvbc,zvbb,zvkb,zvkned]: $ENABLED_RISCV_ASM.])
break
;;
esac
done
# PPC32 Assembly
AC_ARG_ENABLE([ppc32-asm],
[AS_HELP_STRING([--enable-ppc32-asm],[Enable wolfSSL PowerPC 32-bit ASM support (default: disabled).])],
[ ENABLED_PPC32_ASM=$enableval ],
[ ENABLED_PPC32_ASM=no ]
)
if test "$ENABLED_PPC32_ASM" != "no" && test "$ENABLED_ASM" = "yes"
then
ENABLED_PPC32_ASM_OPTS=$ENABLED_PPC32_ASM
for v in `echo $ENABLED_PPC32_ASM_OPTS | tr "," " "`
do
case $v in
yes)
;;
inline)
ENABLED_PPC32_ASM_INLINE=yes
;;
inline-reg)
ENABLED_PPC32_ASM_INLINE_REG=yes
;;
small)
ENABLED_PPC32_ASM_SMALL=yes
;;
spe)
ENABLED_PPC32_ASM_SPE=yes
;;
*)
AC_MSG_ERROR([Invalid RISC-V option [yes,inline,small]: $ENABLED_PPC32_ASM.])
break
;;
esac
done
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM"
AC_MSG_NOTICE([32-bit PowerPC assembly for SHA-256])
ENABLED_PPC32_ASM=yes
fi
if test "$ENABLED_PPC32_ASM_INLINE" = "yes" || test "$ENABLED_PPC32_ASM_INLINE_REG" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM_INLINE"
else
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_PPC32_ASM"
fi
if test "$ENABLED_PPC32_ASM_SMALL" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM_SMALL"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_PPC32_ASM_SMALL"
fi
if test "$ENABLED_PPC32_ASM_SPE" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM_SPE"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_PPC32_ASM_SPE"
fi
# Xilinx hardened crypto
AC_ARG_ENABLE([xilinx],
[AS_HELP_STRING([--enable-xilinx],[Enable wolfSSL support for Xilinx hardened crypto(default: disabled)])],
[ ENABLED_XILINX=$enableval ],
[ ENABLED_XILINX=no ]
)
if test "$ENABLED_XILINX" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_XILINX -DWOLFSSL_XILINX_CRYPT"
fi
# CAAM build
trylibsecodir="/usr"
AC_ARG_WITH([seco],
[AS_HELP_STRING([--with-seco=PATH],[PATH to SECO install (default /usr/lib/)])],
[
AC_MSG_CHECKING([for SECO])
if test "x$withval" != "xno" ; then
trylibsecodir=$withval
fi
]
)
AC_ARG_ENABLE([aria],
[AS_HELP_STRING([--enable-aria],[Enable wolfSSL support for ARIA (default: disabled)])],
[ ENABLED_ARIA=$enableval ],
[ ENABLED_ARIA=no ]
)
if test "$ENABLED_ARIA" = "yes"
then
ARIA_DIR=MagicCrypto
# Enable dependency
CFLAGS="$CFLAGS -I$ARIA_DIR/include"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ARIA"
AM_LDFLAGS="$AM_LDFLAGS -L$ARIA_DIR/lib -lMagicCrypto"
build_pwd="$(pwd)"
headers="mcapi_error.h mcapi_type.h mcapi.h"
for header in $headers
do
AC_CHECK_HEADER([$header], [], [
AC_MSG_ERROR([Error including $header. Please put the MagicCrypto library in $build_pwd.])
], [
extern int dummy_int_to_make_compiler_happy;
])
done
fi
AC_ARG_ENABLE([caam],
[AS_HELP_STRING([--enable-caam],[Enable wolfSSL support for CAAM (default: disabled)])],
[ ENABLED_CAAM=$enableval ],
[ ENABLED_CAAM=no ]
)
if test "$ENABLED_CAAM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CAAM"
for v in `echo $ENABLED_CAAM | tr "," " "`
do
case $v in
qnx)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QNX_CAAM"
ENABLED_CAAM_QNX="yes"
;;
imx6q)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IMX6Q_CAAM"
;;
imx6ul)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IMX6UL_CAAM"
;;
seco)
SECO_DIR=$trylibsecodir
AM_CPPFLAGS="$AM_CPPFLAGS -I$SECO_DIR/include"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CAAM -DWOLFSSL_SECO_CAAM"
AC_CHECK_LIB([hsm_lib],[hsm_open_session])
AC_CHECK_LIB([seco_nvm_manager],[seco_nvm_manager])
LIB_STATIC_ADD="$LIB_STATIC_ADD $SECO_DIR/lib/hsm_lib.a $SECO_DIR/lib/seco_nvm_manager.a"
LIB_ADD="$LIB_ADD -lz"
;;
esac
done
fi
# INTEL AES-NI
AC_ARG_ENABLE([aesni],
[AS_HELP_STRING([--enable-aesni],[Enable wolfSSL AES-NI support (default: disabled)])],
[ ENABLED_AESNI=$enableval ],
[ ENABLED_AESNI=no ]
)
# INTEL AES-NI with AVX
AC_ARG_ENABLE([aesni-with-avx],
[AS_HELP_STRING([--enable-aesni-with-avx],[Enable AES-NI with additional AVX acceleration for AES (default: disabled)])],
[ ENABLED_AESNI_WITH_AVX=$enableval ],
[ ENABLED_AESNI_WITH_AVX=no ]
)
# INTEL ASM
AC_ARG_ENABLE([intelasm],
[AS_HELP_STRING([--enable-intelasm],[Enable All Intel ASM speedups (default: disabled)])],
[ ENABLED_INTELASM=$enableval ],
[ ENABLED_INTELASM=no ]
)
if test "$ENABLED_ASM" = "yes"
then
if test "$ENABLED_AESNI" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DAES_GCM_AESNI_NO_UNROLL"
ENABLED_AESNI=yes
fi
if test "$ENABLED_INTELASM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DUSE_INTEL_SPEEDUP"
ENABLED_AESNI=yes
ENABLED_AESNI_WITH_AVX=yes
elif test "$ENABLED_AESNI_WITH_AVX" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DUSE_INTEL_SPEEDUP_FOR_AES"
ENABLED_AESNI=yes
fi
if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI"
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_C_DYNAMIC_FALLBACK"
fi
if test "$CC" != "icc"
then
case $host_os in
mingw*)
# Windows uses intrinsics for GCM which uses SSE4 instructions.
# MSVC has own build files.
AM_CFLAGS="$AM_CFLAGS -maes -msse4 -mpclmul"
;;
*)
# Intrinsics used in AES_set_decrypt_key (TODO: rework)
AM_CFLAGS="$AM_CFLAGS -maes"
;;
esac
fi
AS_IF([test "x$ENABLED_AESGCM" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "x$ENABLED_SM3" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SM3"])
fi
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "amd64"
then
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_X86_64_BUILD"
fi
if test "$host_cpu" = "x86"
then
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_X86_BUILD"
ENABLED_X86_ASM=yes
fi
fi
AC_SUBST([ENABLED_AESNI])
AC_SUBST([ENABLED_AESNI_WITH_AVX])
AC_ARG_ENABLE([aligndata],
[AS_HELP_STRING([--enable-aligndata],[align data for ciphers (default: enabled)])],
[ ENABLED_ALIGN_DATA=$enableval ],
[ ENABLED_ALIGN_DATA=yes ]
)
if test "$ENABLED_ALIGN_DATA" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_USE_ALIGN"
fi
# INTEL RDRAND
AC_ARG_ENABLE([intelrand],
[AS_HELP_STRING([--enable-intelrand],[Enable Intel rdrand as preferred RNG source (default: disabled)])],
[ ENABLED_INTELRDRAND=$enableval ],
[ ENABLED_INTELRDRAND=no ]
)
if test "$ENABLED_INTELRDRAND" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDRAND"
fi
# INTEL RDSEED
AC_ARG_ENABLE([intelrdseed],
[AS_HELP_STRING([--enable-intelrdseed],[Enable Intel rdseed as preferred RNG seeding source (default: disabled)])],
[ ENABLED_INTELRDSEED=$enableval ],
[ ENABLED_INTELRDSEED=no ]
)
if test "$ENABLED_INTELRDSEED" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDSEED"
fi
# AMD RDSEED
AC_ARG_ENABLE([amdrdseed],
[AS_HELP_STRING([--enable-amdrdseed],[Enable AMD rdseed as preferred RNG seeding source (default: disabled)])],
[ ENABLED_AMDRDSEED=$enableval ],
[ ENABLED_AMDRDSEED=no ]
)
AC_ARG_ENABLE([amdrand],
[AS_HELP_STRING([--enable-amdrand],[Alias for --enable-amdrdseed])],
[ ENABLED_AMDRDSEED=$enableval ]
)
if test "$ENABLED_AMDRDSEED" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AMD_RDSEED"
fi
# Linux af_alg
AC_ARG_ENABLE([afalg],
[AS_HELP_STRING([--enable-afalg],[Enable Linux af_alg use for crypto (default: disabled)])],
[ ENABLED_AFALG=$enableval ],
[ ENABLED_AFALG=no ]
)
if test "$ENABLED_AFALG" = "yes"
then
if test "$ENABLED_AESCCM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_HASH"
fi
if test "$ENABLED_AFALG" = "xilinx"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX -DWOLFSSL_AFALG_XILINX_AES"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX_SHA3 -DWOLFSSL_AFALG_XILINX_RSA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA3_224 -DWOLFSSL_NOSHA3_256 -DWOLFSSL_NOSHA3_512"
ENABLED_AFALG="yes"
ENABLED_XILINX="yes"
fi
if test "$ENABLED_AFALG" = "xilinx-aes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX -DWOLFSSL_AFALG_XILINX_AES"
ENABLED_AFALG="yes"
ENABLED_XILINX="yes"
fi
if test "$ENABLED_AFALG" = "xilinx-sha3"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX_SHA3"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA3_224 -DWOLFSSL_NOSHA3_256 -DWOLFSSL_NOSHA3_512"
ENABLED_AFALG="yes"
ENABLED_XILINX="yes"
fi
if test "$ENABLED_AFALG" = "xilinx-rsa"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX_RSA"
ENABLED_AFALG="yes"
ENABLED_XILINX="yes"
fi
# libkcapi
AC_ARG_ENABLE([kcapi-hash],
[AS_HELP_STRING([--enable-kcapi-hash],[Enable libkcapi use for hashing (default: disabled)])],
[ ENABLED_KCAPI_HASH=$enableval ],
[ ENABLED_KCAPI_HASH=no ]
)
AC_ARG_ENABLE([kcapi-hmac],
[AS_HELP_STRING([--enable-kcapi-hmac],[Enable libkcapi use for HMAC (default: disabled)])],
[ ENABLED_KCAPI_HMAC=$enableval ],
[ ENABLED_KCAPI_HMAC=no ]
)
AC_ARG_ENABLE([kcapi-aes],
[AS_HELP_STRING([--enable-kcapi-aes],[Enable libkcapi use for AES (default: disabled)])],
[ ENABLED_KCAPI_AES=$enableval ],
[ ENABLED_KCAPI_AES=no ]
)
AC_ARG_ENABLE([kcapi-rsa],
[AS_HELP_STRING([--enable-kcapi-rsa],[Enable libkcapi use for RSA (default: disabled)])],
[ ENABLED_KCAPI_RSA=$enableval ],
[ ENABLED_KCAPI_RSA=no ]
)
AC_ARG_ENABLE([kcapi-dh],
[AS_HELP_STRING([--enable-kcapi-dh],[Enable libkcapi use for DH (default: disabled)])],
[ ENABLED_KCAPI_DH=$enableval ],
[ ENABLED_KCAPI_DH=no ]
)
AC_ARG_ENABLE([kcapi-ecc],
[AS_HELP_STRING([--enable-kcapi-ecc],[Enable libkcapi use for ECC (default: disabled)])],
[ ENABLED_KCAPI_ECC=$enableval ],
[ ENABLED_KCAPI_ECC=no ]
)
AC_ARG_ENABLE([kcapi],
[AS_HELP_STRING([--enable-kcapi],[Enable libkcapi use for crypto (default: disabled)])],
[ ENABLED_KCAPI=$enableval ],
[ ENABLED_KCAPI=no ]
)
if test "$ENABLED_KCAPI" = "yes"
then
AS_IF([test "$enable_kcapi_hash" != "no"], [ENABLED_KCAPI_HASH=yes])
AS_IF([test "$enable_kcapi_hmac" != "no"], [ENABLED_KCAPI_HMAC=yes])
AS_IF([test "$enable_kcapi_aes" != "no"], [ENABLED_KCAPI_AES=yes])
AS_IF([test "$enable_kcapi_rsa" != "no"], [ENABLED_KCAPI_RSA=yes])
AS_IF([test "$enable_kcapi_dh" != "no"], [ENABLED_KCAPI_DH=yes])
AS_IF([test "$enable_kcapi_ecc" != "no"], [ENABLED_KCAPI_ECC=yes])
fi
if test "$ENABLED_KCAPI_HASH" != "no" ||
test "$ENABLED_KCAPI_HMAC" != "no" ||
test "$ENABLED_KCAPI_AES" != "no" ||
test "$ENABLED_KCAPI_RSA" != "no" ||
test "$ENABLED_KCAPI_DH" != "no" ||
test "$ENABLED_KCAPI_ECC" != "no"
then
LIBS="$LIBS -lkcapi"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI"
fi
if test "$ENABLED_KCAPI_HASH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH -DWOLFSSL_KCAPI_HASH_KEEP"
# Linux Kernel doesn't support truncated SHA512 algorithms
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
fi
if test "$ENABLED_KCAPI_HMAC" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HMAC"
fi
if test "$ENABLED_KCAPI_AES" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
HAVE_AESGCM_PORT=yes
if test "$ENABLED_AESCCM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
if test "$ENABLED_AESGCM_STREAM" = "yes"
then
AC_MSG_ERROR([--enable-aesgcm-stream is incompatible with --enable-kcapi.])
fi
fi
if test "$ENABLED_KCAPI_RSA" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_RSA"
fi
if test "$ENABLED_KCAPI_DH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_DH -DWOLFSSL_DH_EXTRA"
fi
if test "$ENABLED_KCAPI_ECC" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_ECC"
fi
# Support for Linux dev/crypto calls
AC_ARG_ENABLE([devcrypto],
[AS_HELP_STRING([--enable-devcrypto],[Enable Linux dev crypto calls: all | aes (all aes support) | hash (all hash algos) | cbc (aes-cbc only) (default: disabled)])],
[ ENABLED_DEVCRYPTO=$enableval ],
[ ENABLED_DEVCRYPTO=no ]
)
if test "$ENABLED_DEVCRYPTO" = "yes" || test "$ENABLED_DEVCRYPTO" = "all"
then
#enable all devcrypto supported algorithms
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
if test "$ENABLED_AESCCM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
ENABLED_DEVCRYPTO=yes
fi
if test "$ENABLED_DEVCRYPTO" = "aes"
then
#enable only AES-CBC algorithm support
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
if test "$ENABLED_AESCCM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
ENABLED_DEVCRYPTO=yes
fi
if test "$ENABLED_DEVCRYPTO" = "cbc"
then
#enable only AES-CBC algorithm support
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
ENABLED_DEVCRYPTO=yes
fi
if test "$ENABLED_DEVCRYPTO" = "hash"
then
#enable only hash algorithm support
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
ENABLED_DEVCRYPTO=yes
fi
if test "$ENABLED_DEVCRYPTO" = "hmac"
then
#enable only hmac algorithm support
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HMAC"
ENABLED_DEVCRYPTO=yes
fi
if test "$ENABLED_DEVCRYPTO" = "rsa"
then
#enable only rsa algorithm support
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_RSA"
ENABLED_DEVCRYPTO=yes
fi
if test "$ENABLED_DEVCRYPTO" = "seco"
then
#enable support of devcrypto for algos not supported with seco
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HMAC"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_RSA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CURVE25519"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_ECDSA"
ENABLED_DEVCRYPTO=yes
fi
# Camellia
AC_ARG_ENABLE([camellia],
[AS_HELP_STRING([--enable-camellia],[Enable wolfSSL Camellia support (default: disabled)])],
[ ENABLED_CAMELLIA=$enableval ],
[ ENABLED_CAMELLIA=no ]
)
if test "$ENABLED_CAMELLIA" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CAMELLIA"
fi
# MD2
AC_ARG_ENABLE([md2],
[AS_HELP_STRING([--enable-md2],[Enable wolfSSL MD2 support (default: disabled)])],
[ ENABLED_MD2=$enableval ],
[ ENABLED_MD2=no ]
)
if test "$ENABLED_BUMP" = "yes"
then
ENABLED_MD2="yes"
fi
if test "$ENABLED_MD2" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MD2"
fi
# NULL CIPHER
AC_ARG_ENABLE([nullcipher],
[AS_HELP_STRING([--enable-nullcipher],[Enable wolfSSL NULL cipher support (default: disabled)])],
[ ENABLED_NULL_CIPHER=$enableval ],
[ ENABLED_NULL_CIPHER=no ]
)
if test "$ENABLED_NULL_CIPHER" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_NULL_CIPHER"
fi
# RIPEMD
AC_ARG_ENABLE([ripemd],
[AS_HELP_STRING([--enable-ripemd],[Enable wolfSSL RIPEMD-160 support (default: disabled)])],
[ ENABLED_RIPEMD=$enableval ],
[ ENABLED_RIPEMD=no ]
)
if test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno"
then
ENABLED_RIPEMD="yes"
fi
if test "$ENABLED_RIPEMD" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RIPEMD"
fi
# BLAKE2
AC_ARG_ENABLE([blake2b],
[AS_HELP_STRING([--enable-blake2b],[Enable wolfSSL BLAKE2b support (default: disabled)])],
[ ENABLED_BLAKE2B=$enableval ],
[ ENABLED_BLAKE2B=no ]
)
# Backward-compat synonym for blake2b:
AC_ARG_ENABLE([blake2],
[AS_HELP_STRING([--enable-blake2],[Enable wolfSSL BLAKE2b support (default: disabled)])],
[ ENABLED_BLAKE2B=$enableval ]
)
if test "$ENABLED_BLAKE2B" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_BLAKE2B"
fi
AC_ARG_ENABLE([blake2s],
[AS_HELP_STRING([--enable-blake2s],[Enable wolfSSL BLAKE2s support (default: disabled)])],
[ ENABLED_BLAKE2S=$enableval ],
[ ENABLED_BLAKE2S=no ]
)
if test "$ENABLED_BLAKE2S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_BLAKE2S"
fi
# SHA256
AC_ARG_ENABLE([sha256],
[AS_HELP_STRING([--enable-sha256],[Enable wolfSSL SHA256 support (default: enabled)])],
[ ENABLED_SHA256=$enableval ],
[ ENABLED_SHA256=yes ]
)
if test "$ENABLED_SHA256" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA256"
fi
# set sha224 default
SHA224_DEFAULT=no
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
then
if test "x$ENABLED_AFALG" = "xno" && test "x$ENABLED_DEVCRYPTO" = "xno" &&
( test "x$ENABLED_FIPS" = "xno" ||
( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" != 1 ) )
then
SHA224_DEFAULT=$ENABLED_SHA256
fi
fi
# SHA224
AC_ARG_ENABLE([sha224],
[AS_HELP_STRING([--enable-sha224],[Enable wolfSSL SHA-224 support (default: enabled on x86_64/amd64/aarch64)])],
[ ENABLED_SHA224=$enableval ],
[ ENABLED_SHA224=$SHA224_DEFAULT ]
)
if test "$ENABLED_SHA224" = "yes"
then
if test "$ENABLED_SHA256" = "no"
then
AC_MSG_ERROR([Enabling SHA224 requires enabling SHA256.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"
fi
# set sha3 default
SHA3_DEFAULT=no
if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" ||
test "$host_cpu" = "amd64")
then
if test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" -ge 2
then
SHA3_DEFAULT=yes
fi
fi
# SHA3
AC_ARG_ENABLE([sha3],
[AS_HELP_STRING([--enable-sha3],[Enable wolfSSL SHA-3 support (default: enabled on x86_64/amd64/aarch64)])],
[ ENABLED_SHA3=$enableval ],
[ ENABLED_SHA3=$SHA3_DEFAULT ]
)
if test "$ENABLED_SHA3" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3_SMALL"
fi
if test "$ENABLED_SHA3" = "noasm"
then
ENABLED_SHA3=yes
AM_CFLAGS="$AM_CFLAGS -DWC_SHA3_NO_ASM"
fi
if test "$ENABLED_SHA3" != "no" &&
(test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6)
then
SHAKE_DEFAULT=yes
else
SHAKE_DEFAULT=no
fi
# SHAKE128
AC_ARG_ENABLE([shake128],
[AS_HELP_STRING([--enable-shake128],[Enable wolfSSL SHAKE128 support (default: disabled)])],
[ ENABLED_SHAKE128=$enableval ],
[ ENABLED_SHAKE128=$SHAKE_DEFAULT ]
)
# MLKEM requires SHAKE128. Force-enable when MLKEM is enabled.
if test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_SHAKE128" = "no"
then
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake128 to enable SHAKE128])
ENABLED_SHAKE128=yes
fi
fi
# SHAKE256
AC_ARG_ENABLE([shake256],
[AS_HELP_STRING([--enable-shake256],[Enable wolfSSL SHAKE256 support (default: disabled)])],
[ ENABLED_SHAKE256=$enableval ],
[ ENABLED_SHAKE256=$SHAKE_DEFAULT ]
)
# MLKEM requires SHAKE256. Force-enable when MLKEM is enabled.
if test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_SHAKE256" = "no"
then
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake256 to enable SHAKE256])
ENABLED_SHAKE256=yes
fi
fi
# SHA512
AC_ARG_ENABLE([sha512],
[AS_HELP_STRING([--enable-sha512],[Enable wolfSSL SHA-512 support (default: enabled)])],
[ ENABLED_SHA512=$enableval ],
[ ENABLED_SHA512=yes ]
)
# options that don't require sha512
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_16BIT" = "yes"
then
ENABLED_SHA512="no"
fi
# options that require sha512
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes"
then
ENABLED_SHA512="yes"
ENABLED_SHA384="yes"
fi
if test "$ENABLED_SHA512" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512"
fi
# SHA-256 Hash DRBG (SP 800-90A) -- sub-option of hashdrbg
AC_ARG_ENABLE([sha256-drbg],
[AS_HELP_STRING([--enable-sha256-drbg],[Enable SHA-256 Hash DRBG (default: enabled)])],
[ ENABLED_SHA256_DRBG=$enableval ],
[ ENABLED_SHA256_DRBG=yes ]
)
# SHA-512 Hash DRBG (SP 800-90A) -- sub-option of hashdrbg
AC_ARG_ENABLE([sha512-drbg],
[AS_HELP_STRING([--enable-sha512-drbg],[Enable SHA-512 Hash DRBG (default: enabled)])],
[ ENABLED_SHA512_DRBG=$enableval ],
[ ENABLED_SHA512_DRBG=yes ]
)
# SHA-512 DRBG requires SHA-512
if test "$ENABLED_SHA512" != "yes"
then
ENABLED_SHA512_DRBG=no
fi
# SHA384
AC_ARG_ENABLE([sha384],
[AS_HELP_STRING([--enable-sha384],[Enable wolfSSL SHA-384 support (default: enabled)])],
[ ENABLED_SHA384=$enableval ],
[ ENABLED_SHA384=yes ]
)
# options that don't require sha384
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_16BIT" = "yes"
then
ENABLED_SHA384="no"
fi
# options that require sha384
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes"
then
ENABLED_SHA384="yes"
fi
if test "$ENABLED_SHA384" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA384"
fi
# SM3
AC_ARG_ENABLE([sm3],
[AS_HELP_STRING([--enable-sm3],[Enable wolfSSL SM3 support (default: disabled)])],
[ ENABLED_SM3=$enableval ],
[ ENABLED_SM3=no ]
)
if test "$ENABLED_SM3" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM3_SMALL"
fi
if test "$ENABLED_SM3" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM3"
fi
# SESSION CERTS
AC_ARG_ENABLE([sessioncerts],
[AS_HELP_STRING([--enable-sessioncerts],[Enable session cert storing (default: disabled)])],
[ ENABLED_SESSIONCERTS=$enableval ],
[ ENABLED_SESSIONCERTS=no ]
)
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \
test "x$ENABLED_STRONGSWAN" = "xyes" || test "x$ENABLED_HITCH" = "xyes" || test "x$ENABLED_MOSQUITTO" = "xyes"
then
ENABLED_SESSIONCERTS=yes
fi
if test "$ENABLED_TLS13" = "yes" && test "$ENABLED_PSK" = "yes"
then
ENABLED_SESSIONCERTS=yes
fi
if test "$ENABLED_SESSIONCERTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
# KEY GENERATION
AC_ARG_ENABLE([keygen],
[AS_HELP_STRING([--enable-keygen],[Enable key generation (only applies to RSA key generation) (default: disabled)])],
[ ENABLED_KEYGEN=$enableval ],
[ ENABLED_KEYGEN=no ]
)
if test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" = "yes" || \
test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_OPENRESTY" = "yes" || \
test "$ENABLED_NGINX" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || \
test "$ENABLED_STRONGSWAN" = "yes" || test "$ENABLED_SE050" = "yes"
then
ENABLED_KEYGEN=yes
fi
# ATTRIBUTE CERTIFICATES
AC_ARG_ENABLE([acert],
[AS_HELP_STRING([--enable-acert],[Enable attribute certificate support (default: disabled)])],
[ ENABLED_ACERT=$enableval ],
[ ENABLED_ACERT=no ]
)
# CERT GENERATION
AC_ARG_ENABLE([certgen],
[AS_HELP_STRING([--enable-certgen],[Enable cert generation (default: disabled)])],
[ ENABLED_CERTGEN=$enableval ],
[ ENABLED_CERTGEN=no ]
)
if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_OPENSSH" = "yes" || \
test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" = "yes" || \
test "$ENABLED_CHRONY" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
then
ENABLED_CERTGEN=yes
fi
# CERT REQUEST GENERATION
AC_ARG_ENABLE([certreq],
[AS_HELP_STRING([--enable-certreq],[Enable cert request generation (default: disabled)])],
[ ENABLED_CERTREQ=$enableval ],
[ ENABLED_CERTREQ=no ]
)
if test "$ENABLED_WPAS_DPP" = "yes"
then
ENABLED_CERTREQ="yes"
fi
# CERT REQUEST EXTENSION
AC_ARG_ENABLE([certext],
[AS_HELP_STRING([--enable-certext],[Enable cert request extensions (default: disabled)])],
[ ENABLED_CERTEXT=$enableval ],
[ ENABLED_CERTEXT=no ]
)
if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_STRONGSWAN" = "yes"
then
ENABLED_CERTEXT=yes
fi
# DECODED CERT CACHE
AC_ARG_ENABLE([certgencache],
[AS_HELP_STRING([--enable-certgencache],[Enable decoded cert caching (default: disabled)])],
[ ENABLED_certgencache=$enableval ],
[ ENABLED_certgencache=no ]
)
if test "$ENABLED_certgencache" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN_CACHE"
fi
# CERT SIGN CALLBACK
AC_ARG_ENABLE([certsigncb],
[AS_HELP_STRING([--enable-certsigncb],[Enable cert signing callback API for TPM/HSM (default: disabled)])],
[ ENABLED_CERTSIGNCB=$enableval ],
[ ENABLED_CERTSIGNCB=no ]
)
if test "$ENABLED_CERTSIGNCB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_SIGN_CB"
fi
# SEP
AC_ARG_ENABLE([sep],
[AS_HELP_STRING([--enable-sep],[Enable sep extensions (default: disabled)])],
[ ENABLED_SEP=$enableval ],
[ ENABLED_SEP=no ]
)
if test "$ENABLED_SEP" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEP -DKEEP_PEER_CERT"
fi
# HKDF
AC_ARG_ENABLE([hkdf],
[AS_HELP_STRING([--enable-hkdf],[Enable HKDF (HMAC-KDF) support (default: disabled)])],
[ ENABLED_HKDF=$enableval ],
[ ENABLED_HKDF=no ]
)
if test "$ENABLED_TLS13" = "yes"
then
ENABLED_HKDF="yes"
fi
if test "$ENABLED_HKDF" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"
fi
# HPKE
AC_ARG_ENABLE([hpke],
[AS_HELP_STRING([--enable-hpke],[Enable HKPE support (default: disabled)])],
[ ENABLED_HPKE=$enableval ],
[ ENABLED_HPKE=no ]
)
if test "$ENABLED_HPKE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HPKE"
test "$enable_hkdf" = "" && enable_hkdf=yes
fi
# X9.63 KDF
AC_ARG_ENABLE([x963kdf],
[AS_HELP_STRING([--enable-x963kdf],[Enable X9.63 KDF support (default: disabled)])],
[ ENABLED_X963KDF=$enableval ],
[ ENABLED_X963KDF=no ]
)
if test "$ENABLED_X963KDF" = "yes" || test "$ENABLED_WOLFENGINE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF"
fi
# SRTP-KDF
AC_ARG_ENABLE([srtp-kdf],
[AS_HELP_STRING([--enable-srtp-kdf],[Enable SRTP-KDF support (default: disabled)])],
[ ENABLED_SRTP_KDF=$enableval ],
[ ENABLED_SRTP_KDF=no ]
)
# DSA
AC_ARG_ENABLE([dsa],
[AS_HELP_STRING([--enable-dsa],[Enable DSA (default: disabled)])],
[ ENABLED_DSA=$enableval ],
[ ENABLED_DSA=no ]
)
if test "$enable_dsa" = "" && test "$enable_sha" != "no"
then
if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_QT" = "yes" || test "$ENABLED_BIND" = "yes" || test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_NTP" = "yes"
then
ENABLED_DSA="yes"
fi
fi
if test "$ENABLED_DSA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DSA"
else
ENABLED_CERTS=yes
fi
# ECC Shamir
AC_ARG_ENABLE([eccshamir],
[AS_HELP_STRING([--enable-eccshamir],[Enable ECC Shamir (default: enabled)])],
[ ENABLED_ECC_SHAMIR=$enableval ],
[ ENABLED_ECC_SHAMIR=yes ]
)
# ECC
AC_ARG_ENABLE([ecc],
[AS_HELP_STRING([--enable-ecc],[Enable ECC (default: enabled)])],
[ ENABLED_ECC=$enableval ],
[ ENABLED_ECC=yes ]
)
# lean psk doesn't need ecc
if test "$ENABLED_LEANPSK" = "yes"
then
ENABLED_ECC=no
fi
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$ENABLED_SIGNAL" = "yes"
then
ENABLED_ECC="yes"
fi
if test "$ENABLED_ECC" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC"
if test "$ENABLED_ECC_SHAMIR" = "yes" && test "$ENABLED_LOWRESOURCE" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
fi
if test "$ENABLED_ECC" = "nonblock"
then
AM_CFLAGS="$AM_CFLAGS -DWC_ECC_NONBLOCK"
fi
if test "$ENABLED_FASTMATH" = "yes"
then
if test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DALT_ECC_SIZE"
else
AM_CFLAGS="$AM_CFLAGS -DTFM_ECC256"
fi
fi
ENABLED_CERTS=yes
fi
# SM2
AC_ARG_ENABLE([sm2],
[AS_HELP_STRING([--enable-sm2],[Enable wolfSSL SM2 support (default: disabled)])],
[ ENABLED_SM2=$enableval ],
[ ENABLED_SM2=no ]
)
if test "$ENABLED_SM2" = "yes"
then
if test "$ENABLED_ECC" = "no"
then
AC_MSG_ERROR([Cannot enable SM2 without enabling ecc.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM2 -DWOLFSSL_BASE16"
ENABLED_CERTS=yes
fi
# ECC Custom Curves
AC_ARG_ENABLE([ecccustcurves],
[AS_HELP_STRING([--enable-ecccustcurves],[Enable ECC custom curves (default: disabled)])],
[ ENABLED_ECCCUSTCURVES=$enableval ],
[ ENABLED_ECCCUSTCURVES=no ]
)
if test "$ENABLED_WPAS_DPP" = "yes"
then
ENABLED_ECCCUSTCURVES="all"
fi
# ECC Minimum Key Size
AC_ARG_WITH([eccminsz],
[AS_HELP_STRING([--with-eccminsz=BITS],[Sets the ECC minimum key size (default: 224 bits non-FIPS / 192 bits with FIPS)])],
[ ENABLED_ECCMINSZ=$withval ],
[
if test "x$ENABLED_FIPS" = "xno"
then
ENABLED_ECCMINSZ=224
else
ENABLED_ECCMINSZ=192
fi
]
)
AM_CFLAGS="$AM_CFLAGS -DECC_MIN_KEY_SZ=$ENABLED_ECCMINSZ"
# Compressed Key
AC_ARG_ENABLE([compkey],
[AS_HELP_STRING([--enable-compkey],[Enable compressed keys support (default: disabled)])],
[ ENABLED_COMPKEY=$enableval ],
[ ENABLED_COMPKEY=no ]
)
if (test "$ENABLED_WPAS" = "yes" || test "$ENABLED_OPENSSLALL" = "yes")
then
ENABLED_COMPKEY=yes
fi
# Brainpool (depends on _ECCCUSTCURVES)
if test "$ENABLED_ECCCUSTCURVES" != "no"
then
BRAINPOOL_DEFAULT=yes
else
BRAINPOOL_DEFAULT=no
fi
AC_ARG_ENABLE([brainpool],
[AS_HELP_STRING([--enable-brainpool],[Enable Brainpool ECC curves (default: enabled with ECC custom curves)])],
[ ENABLED_BRAINPOOL=$enableval ],
[ ENABLED_BRAINPOOL="$BRAINPOOL_DEFAULT" ]
)
if test "$ENABLED_BRAINPOOL" != "no"
then
if test "$ENABLED_ECCCUSTCURVES" = "no"
then
AC_MSG_ERROR([cannot enable Brainpool without enabling ecccustcurves.])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_BRAINPOOL"
fi
# for using memory optimization setting on both curve25519 and ed25519
ENABLED_CURVE25519_SMALL=no
ENABLED_ED25519_SMALL=no
# CURVE25519
AC_ARG_ENABLE([curve25519],
[AS_HELP_STRING([--enable-curve25519],[Enable Curve25519 (default: disabled). Set to "nonblock" to enable non-blocking support for key gen and shared secret])],
[ ENABLED_CURVE25519=$enableval ],
[ ENABLED_CURVE25519=no ]
)
# Handle curve25519 nonblock option - enable asynccrypt and asynccrypt-sw early
if test "$ENABLED_CURVE25519" = "nonblock"
then
test -z "$enable_asynccrypt" && enable_asynccrypt=yes
test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
fi
# Handle RSA/DH nonblock - the SP non-blocking dispatch wants the same
# WOLFSSL_ASYNC_CRYPT_SW shim that ECC/Curve25519 nonblock use so the
# TLS layer can manage per-SSL nb contexts and yield MP_WOULDBLOCK.
if test "$enable_rsa" = "nonblock" || test "$enable_dh" = "nonblock"
then
test -z "$enable_asynccrypt" && enable_asynccrypt=yes
test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
fi
if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_QUIC" = "yes" && test "$ENABLED_FIPS" = "no"
then
ENABLED_CURVE25519=yes
fi
if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno"
then
ENABLED_CURVE25519="yes"
fi
# ED25519
AC_ARG_ENABLE([ed25519],
[AS_HELP_STRING([--enable-ed25519],[Enable ED25519 (default: disabled)])],
[ ENABLED_ED25519=$enableval ],
[ ENABLED_ED25519=no ]
)
AC_ARG_ENABLE([ed25519-stream],
[AS_HELP_STRING([--enable-ed25519-stream],[Enable wolfSSL ED25519 support with streaming verify APIs (default: disabled)])],
[ ENABLED_ED25519_STREAM=$enableval ],
[ ENABLED_ED25519_STREAM=no ]
)
if test "$ENABLED_ED25519" = "no" && \
( (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \
test "$ENABLED_CHRONY" = "yes")
then
ENABLED_ED25519="yes"
fi
# for using memory optimization setting on both curve448 and ed448
ENABLED_CURVE448_SMALL=no
ENABLED_ED448_SMALL=no
# CURVE448
AC_ARG_ENABLE([curve448],
[AS_HELP_STRING([--enable-curve448],[Enable Curve448 (default: disabled)])],
[ ENABLED_CURVE448=$enableval ],
[ ENABLED_CURVE448=no ]
)
# ED448
AC_ARG_ENABLE([ed448],
[AS_HELP_STRING([--enable-ed448],[Enable ED448 (default: disabled)])],
[ ENABLED_ED448=$enableval ],
[ ENABLED_ED448=no ]
)
AC_ARG_ENABLE([ed448-stream],
[AS_HELP_STRING([--enable-ed448-stream],[Enable wolfSSL ED448 support with streaming verify APIs (default: disabled)])],
[ ENABLED_ED448_STREAM=$enableval ],
[ ENABLED_ED448_STREAM=no ]
)
# FP ECC, Fixed Point cache ECC
AC_ARG_ENABLE([fpecc],
[AS_HELP_STRING([--enable-fpecc],[Enable Fixed Point cache ECC (default: disabled)])],
[ ENABLED_FPECC=$enableval ],
[ ENABLED_FPECC=no ]
)
if test "$ENABLED_FPECC" = "yes"
then
if test "$ENABLED_ECC" = "no"
then
AC_MSG_ERROR([cannot enable fpecc without enabling ecc.])
fi
AM_CFLAGS="$AM_CFLAGS -DFP_ECC"
fi
# ECC encrypt
AC_ARG_ENABLE([eccencrypt],
[AS_HELP_STRING([--enable-eccencrypt],[Enable ECC encrypt (default: disabled). yes = SEC1 standard, geniv = Generate IV, iso18033 = ISO 18033 standard, old = original wolfSSL algorithm])],
[ ENABLED_ECC_ENCRYPT=$enableval ],
[ ENABLED_ECC_ENCRYPT=no ]
)
if test "$ENABLED_ECC_ENCRYPT" != "no"
then
if test "$ENABLED_ECC" = "no"
then
AC_MSG_ERROR([cannot enable eccencrypt without enabling ecc.])
fi
if test "$ENABLED_HKDF" = "no"
then
AC_MSG_ERROR([cannot enable eccencrypt without enabling hkdf.])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_ENCRYPT"
if test "$ENABLED_ECC_ENCRYPT" = "old"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECIES_OLD"
fi
if test "$ENABLED_ECC_ENCRYPT" = "iso18033"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECIES_ISO18033"
fi
if test "$ENABLED_ECC_ENCRYPT" = "geniv"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECIES_GEN_IV"
fi
fi
# Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)
AC_ARG_ENABLE([eccsi],
[AS_HELP_STRING([--enable-eccsi],[Enable ECCSI (default: disabled)])],
[ ENABLED_ECCSI=$enableval ],
[ ENABLED_ECCSI=no ]
)
if test "x$ENABLED_ECCSI" = "xyes"
then
if test "$ENABLED_ECC" = "no"
then
AC_MSG_ERROR([ECCSI requires ECC.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP"
fi
# Sakai-Kasahara Key Encryption (SAKKE) - pairing based crypto
AC_ARG_ENABLE([sakke],
[AS_HELP_STRING([--enable-sakke],[Enable SAKKE - paring based crypto (default: disabled)])],
[ ENABLED_SAKKE=$enableval ],
[ ENABLED_SAKKE=no ]
)
if test "$ENABLED_SAKKE" != "no" && test "$ENABLED_ECC" = "no"
then
AC_MSG_ERROR([SAKKE requires ECC.])
fi
if test "x$ENABLED_SAKKE" = "xsmall"
then
ENABLED_SAKKE="yes"
ENABLED_SAKKE_SMALL="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_SAKKE_SMALL"
fi
if test "x$ENABLED_SAKKE" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SAKKE"
fi
# PSK
AC_ARG_ENABLE([psk],
[AS_HELP_STRING([--enable-psk],[Enable PSK (default: disabled)])],
[ ENABLED_PSK=$enableval ],
[ ENABLED_PSK=no ]
)
if test "x$ENABLED_MOSQUITTO" = "xyes"
then
ENABLED_PSK=yes
fi
# Single PSK identity
AC_ARG_ENABLE([psk-one-id],
[AS_HELP_STRING([--enable-psk-one-id],[Enable PSK (default: disabled)])],
[ ENABLED_PSK_ONE_ID=$enableval ],
[ ENABLED_PSK_ONE_ID=no ]
)
if test "$ENABLED_PSK_ONE_ID" = "yes"
then
if test "$ENABLED_PSK" = "no"
then
ENABLED_PSK="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSK_ONE_ID"
fi
# Certificate Authentication with External PSK (RFC 8773bis)
AC_ARG_ENABLE([cert-with-extern-psk],
[AS_HELP_STRING([--enable-cert-with-extern-psk],[Enable Certificate Authentication with External PSKs for TLS 1.3 (default: disabled)])],
[ ENABLED_CERT_WITH_EXTERN_PSK=$enableval ],
[ ENABLED_CERT_WITH_EXTERN_PSK=no ]
)
if test "$ENABLED_CERT_WITH_EXTERN_PSK" = "yes"
then
if test "$ENABLED_TLS13" = "no"
then
AC_MSG_NOTICE([TLS 1.3 is disabled - disabling cert-with-extern-psk])
ENABLED_CERT_WITH_EXTERN_PSK="no"
elif test "$ENABLED_PSK" = "no"
then
AC_MSG_NOTICE([PSK is disabled - disabling cert-with-extern-psk])
ENABLED_CERT_WITH_EXTERN_PSK="no"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_WITH_EXTERN_PSK"
fi
fi
# ERROR STRINGS
AC_ARG_ENABLE([errorstrings],
[AS_HELP_STRING([--enable-errorstrings],[Enable error strings table (default: enabled)])],
[ ENABLED_ERROR_STRINGS=$enableval ],
[ ENABLED_ERROR_STRINGS=yes ]
)
if test "$ENABLED_ERROR_STRINGS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
else
# turn off error strings if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
ENABLED_ERROR_STRINGS=no
fi
fi
# ERROR QUEUE
AC_ARG_ENABLE([errorqueue],
[AS_HELP_STRING([--enable-errorqueue],[Disables adding nodes to error queue when compiled with OPENSSL_EXTRA (default: enabled)])],
[ ENABLED_ERROR_QUEUE=$enableval ],
[ ENABLED_ERROR_QUEUE=yes ]
)
# SSLv3
AC_ARG_ENABLE([sslv3],
[AS_HELP_STRING([--enable-sslv3],[Enable SSL version 3.0 (default: disabled)])],
[ ENABLED_SSLV3=$enableval ],
[ ENABLED_SSLV3=no]
)
if test "x$ENABLED_HAPROXY" = "xyes" && test "x$ENABLED_ALL" = "xno"
then
ENABLED_SSLV3="yes"
fi
if test "$ENABLED_CRYPTONLY" = "yes"
then
ENABLED_SSLV3=no
fi
if test "$ENABLED_SSLV3" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3"
fi
# TLSv1.0
AC_ARG_ENABLE([tlsv10],
[AS_HELP_STRING([--enable-tlsv10],[Enable old TLS versions 1.0 (default: disabled)])],
[ ENABLED_TLSV10=$enableval ],
[ ENABLED_TLSV10=no ]
)
if test "$ENABLED_TLSV10" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_TLSV10"
fi
# OLD TLS
AC_ARG_ENABLE([oldtls],
[AS_HELP_STRING([--enable-oldtls],[Enable old TLS versions < 1.2 (default: disabled)])],
[ ENABLED_OLD_TLS=$enableval ],
[ ENABLED_OLD_TLS=no ]
)
if test "$ENABLED_CRYPTONLY" = "yes" || test "x$ENABLED_HARDEN_TLS" != "xno" || \
test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_OLD_TLS=no
fi
# if SSL v3.0 or TLS v1.0 enabled, then allow "old tls". QT also requires it apparently
if test "$ENABLED_TLSV10" = "yes" || test "$ENABLED_SSLV3" = "yes" || \
(test "$ENABLED_QT" = "yes" && test "x$ENABLED_ALL" = "xno")
then
ENABLED_OLD_TLS=yes
fi
if test "$ENABLED_OLD_TLS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
fi
# TLSv1.2
AC_ARG_ENABLE([tlsv12],
[AS_HELP_STRING([--enable-tlsv12],[Enable TLS versions 1.2 (default: enabled)])],
[ ENABLED_TLSV12=$enableval ],
[ ENABLED_TLSV12=yes ]
)
# STACK SIZE info for testwolfcrypt and examples
AC_ARG_ENABLE([stacksize],
[AS_HELP_STRING([--enable-stacksize],[Enable stack size info on examples (default: disabled)])],
[ ENABLED_STACKSIZE=$enableval ],
[ ENABLED_STACKSIZE=no ]
)
if test "$ENABLED_STACKSIZE" != "no"
then
AC_CHECK_FUNC([posix_memalign], [], [AC_MSG_ERROR(stacksize needs posix_memalign)])
AC_CHECK_DECL([posix_memalign], [], [AC_MSG_ERROR(stacksize needs posix_memalign)])
AC_CHECK_FUNC([pthread_attr_setstack], [], AC_CHECK_LIB([pthread],[pthread_attr_setstack]))
AC_CHECK_DECL([pthread_attr_setstack], [], [AC_MSG_ERROR(stacksize needs pthread_attr_setstack)], [[#include <pthread.h>]])
AM_CFLAGS="$AM_CFLAGS -DHAVE_STACK_SIZE"
fi
if test "$ENABLED_STACKSIZE" = "verbose"
then
if test "$thread_ls_on" != "yes" && test "x$ENABLED_SINGLETHREADED" = "xno"
then
AC_MSG_ERROR(stacksize-verbose needs thread-local storage.)
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_STACK_SIZE_VERBOSE"
fi
# MEMORY
AC_ARG_ENABLE([memory],
[AS_HELP_STRING([--enable-memory],[Enable memory callbacks (default: enabled)])],
[ ENABLED_MEMORY=$enableval ],
[ ENABLED_MEMORY=yes ]
)
if test "$ENABLED_MEMORY" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_MEMORY"
else
# turn off memory cb if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
# but don't turn on NO_WOLFSSL_MEMORY because using own
ENABLED_MEMORY=no
fi
fi
# MEMORY SIZE info
AC_ARG_ENABLE([trackmemory],
[AS_HELP_STRING([--enable-trackmemory],[Enable memory use info on wolfCrypt and wolfSSL cleanup (default: disabled)])],
[ ENABLED_TRACKMEMORY=$enableval ],
[ ENABLED_TRACKMEMORY=no ]
)
if test "$ENABLED_TRACKMEMORY" != "no"
then
if test "$ENABLED_MEMORY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRACK_MEMORY"
else
AC_MSG_ERROR([trackmemory requires using wolfSSL memory (--enable-memory).])
fi
if test "$ENABLED_TRACKMEMORY" = "verbose"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRACK_MEMORY_VERBOSE"
fi
fi
# MEMORY usage logging
AC_ARG_ENABLE([memorylog],
[AS_HELP_STRING([--enable-memorylog],[Enable dynamic memory logging (default: disabled)])],
[ ENABLED_MEMORYLOG=$enableval ],
[ ENABLED_MEMORYLOG=no ]
)
if test "$ENABLED_MEMORYLOG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MEMORY_LOG"
fi
# STACK usage logging
AC_ARG_ENABLE([stacklog],
[AS_HELP_STRING([--enable-stacklog],[Enable stack logging (default: disabled)])],
[ ENABLED_STACKLOG=$enableval ],
[ ENABLED_STACKLOG=no ]
)
if test "$ENABLED_STACKLOG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STACK_LOG -finstrument-functions"
fi
ENABLED_WOLFSENTRY=no
AC_ARG_WITH([wolfsentry],
[AS_HELP_STRING([--with-wolfsentry=PATH],[PATH to directory with wolfSentry installation])],
[WOLFSENTRY_INSTALLDIR=$withval],
[WOLFSENTRY_INSTALLDIR=""])
AC_ARG_WITH([wolfsentry-lib],
[AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])],
[WOLFSENTRY_LIB=$withval],
[WOLFSENTRY_LIB=""])
AC_ARG_WITH([wolfsentry-include],
[AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])],
[WOLFSENTRY_INCLUDE=$withval],
[WOLFSENTRY_INCLUDE=""])
if test -n "$WOLFSENTRY_INSTALLDIR" || test -n "$WOLFSENTRY_LIB" || test -n "$WOLFSENTRY_INCLUDE"
then
ENABLED_WOLFSENTRY=yes
fi
AC_ARG_ENABLE([wolfsentry],
[AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])],
[ ENABLED_WOLFSENTRY=$enableval ],
[ ]
)
if test "$WOLFSENTRY_LIB" = "" && test -n "$WOLFSENTRY_INSTALLDIR"
then
WOLFSENTRY_LIB="${WOLFSENTRY_INSTALLDIR}/lib"
fi
if test "$WOLFSENTRY_INCLUDE" = "" && test -n "$WOLFSENTRY_INSTALLDIR"
then
WOLFSENTRY_INCLUDE="${WOLFSENTRY_INSTALLDIR}/include"
fi
if test -n "$WOLFSENTRY_LIB"
then
AC_MSG_CHECKING([for $WOLFSENTRY_LIB])
if ! test -d "$WOLFSENTRY_LIB"
then
AC_MSG_ERROR([wolfSentry lib dir $WOLFSENTRY_LIB not found.])
fi
AC_MSG_RESULT([yes])
WOLFSENTRY_LIB="-L$WOLFSENTRY_LIB"
fi
if test -n "$WOLFSENTRY_INCLUDE"
then
AC_MSG_CHECKING([for $WOLFSENTRY_INCLUDE])
if ! test -d "$WOLFSENTRY_INCLUDE"
then
AC_MSG_ERROR([wolfSentry include dir $WOLFSENTRY_INCLUDE not found.])
fi
AC_MSG_RESULT([yes])
WOLFSENTRY_INCLUDE="-I$WOLFSENTRY_INCLUDE"
fi
if test "$ENABLED_WOLFSENTRY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS"
if test "$ENABLED_OPENSSLEXTRA" = "no"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry"
fi
AC_SUBST([WOLFSENTRY_LIB])
AC_SUBST([WOLFSENTRY_INCLUDE])
if test "$ENABLED_QT" = "yes"
then
# Requires opensslextra and opensslall
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLALL="yes"
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL -DHAVE_EX_DATA"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QT -DSESSION_CERTS -DOPENSSL_NO_SSL2"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN -DHAVE_EX_DATA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CUSTOM_CURVES -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ"
if test "x$ENABLED_ALL" = "xno"; then
# Don't enable old SSL/TLS for --enable-all, which is used by distro
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3 -DWOLFSSL_ALLOW_TLSV10"
fi
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
# Requires PSK make sure on
if test "x$ENABLED_PSK" = "xno"
then
ENABLED_PSK="yes"
fi
# Requires RC4 make sure on (if not forcefully disabled with --disable-arc4)
test "$enable_arc4" = "" && enable_arc4=yes
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
# requires oldnames disabled
enable_oldnames=no
fi
AC_ARG_ENABLE([qt-test],
[AS_HELP_STRING([--enable-qt-test],[Enable qt tests (default: disabled)])],
[ ENABLED_QT_TEST=$enableval ],
[ ENABLED_QT_TEST=no ]
)
if test "$ENABLED_QT_TEST" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL3 -DWOLFSSL_STATIC_RSA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_PSK"
fi
# RSA
AC_ARG_ENABLE([rsa],
[AS_HELP_STRING([--enable-rsa],[Enable RSA (default: enabled). Set to "nonblock" to enable non-blocking RSA via TFM fp_exptmod_nb or SP small mod_exp_nb])],
[ ENABLED_RSA=$enableval ],
[ ENABLED_RSA=yes ]
)
if test "$ENABLED_RSA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
elif test "$ENABLED_RSA" = "nonblock"
then
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_NONBLOCK"
ENABLED_RSA=yes
ENABLED_CERTS=yes
# asynccrypt + asynccrypt-sw are auto-enabled earlier in this file when
# --enable-rsa=nonblock is detected, so the TLS layer can pick up the
# per-SSL nb context and yield MP_WOULDBLOCK. RSA_LOW_MEM is left as a
# user choice - the SP non-block backend's compile-time check in
# wolfssl/wolfcrypt/rsa.h enforces it for SP, while the TFM (fastmath)
# backend supports the CRT path without it.
else
# turn off RSA if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
ENABLED_RSA=no
else
ENABLED_CERTS=yes
fi
fi
AC_ARG_ENABLE([oaep],
[AS_HELP_STRING([--enable-oaep],[Enable RSA OAEP (default: enabled)])],
[ ENABLED_OAEP=$enableval ],
[ ENABLED_OAEP=yes ]
)
if test "$ENABLED_OAEP" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DWC_NO_RSA_OAEP"
fi
AC_ARG_ENABLE([rsapub],
[AS_HELP_STRING([--enable-rsapub],[Enable RSA Public Only (default: disabled)])],
[ ENABLED_RSAPUB=$enableval ],
[ ENABLED_RSAPUB=no ]
)
if test "$ENABLED_RSAPUB" = "yes"
then
if test "$ENABLED_RSA" = "no"
then
ENABLED_RSA="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSA_PUBLIC_ONLY"
fi
AC_ARG_ENABLE([rsavfy],
[AS_HELP_STRING([--enable-rsavfy],[Enable RSA Verify Inline Only (default: disabled)])],
[ ENABLED_RSAVFY=$enableval ],
[ ENABLED_RSAVFY=no ]
)
if test "$ENABLED_RSAVFY" = "yes"
then
if test "$ENABLED_RSA" = "no"
then
ENABLED_RSA="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSA_PUBLIC_ONLY -DWOLFSSL_RSA_VERIFY_ONLY"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSA_VERIFY_INLINE -DNO_SIG_WRAPPER"
AM_CFLAGS="$AM_CFLAGS -DNO_CHECK_PRIVATE_KEY"
fi
# RSA-PSS
AC_ARG_ENABLE([rsapss],
[ --enable-rsapss Enable RSA-PSS (default: disabled)],
[ ENABLED_RSAPSS=$enableval ],
[ ENABLED_RSAPSS=no ]
)
if test "$ENABLED_RSA" = "no"
then
ENABLED_RSAPSS="no"
else
if test "$ENABLED_TLS13" = "yes"
then
ENABLED_RSAPSS="yes"
fi
fi
if test "$ENABLED_RSAPSS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT"
fi
# DH
AC_ARG_ENABLE([dh],
[AS_HELP_STRING([--enable-dh],[Enable DH (default: enabled). Set to "nonblock" to enable non-blocking DH key agreement via SP small mod_exp_nb])],
[ ENABLED_DH=$enableval ],
[ ENABLED_DH=yes ]
)
if test "$ENABLED_OPENSSH" = "yes" && test "$ENABLED_DH" = "no"
then
ENABLED_DH="yes"
fi
if test "$ENABLED_DH" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DH"
elif test "$ENABLED_DH" = "nonblock"
then
AM_CFLAGS="$AM_CFLAGS -DWC_DH_NONBLOCK"
ENABLED_DH=yes
# asynccrypt + asynccrypt-sw are auto-enabled earlier in this file.
else
# turn off DH if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DH"
ENABLED_DH=no
fi
fi
if test "$ENABLED_DH" = "const"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST"
fi
if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_DH" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_EXTRA"
fi
# Anonymous
AC_ARG_ENABLE([anon],
[AS_HELP_STRING([--enable-anon],[Enable Anonymous (default: disabled)])],
[ ENABLED_ANON=$enableval ],
[ ENABLED_ANON=no ]
)
if test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || \
test "x$ENABLED_HAPROXY" = "xyes" || test "$ENABLED_RSYSLOG" = "yes"
then
ENABLED_ANON=yes
fi
if test "x$ENABLED_ANON" = "xyes"
then
if test "$ENABLED_DH" = "no"
then
AC_MSG_ERROR([Anonymous suite requires DH.])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_ANON"
fi
if test "$ENABLED_RSA" = "yes" && test "$ENABLED_RSAVFY" = "no" && \
test "$ENABLED_ASN" = "no" && test "$ENABLED_LOWRESOURCE" = "no"
then
AC_MSG_ERROR([please disable rsa if disabling asn.])
fi
if test "$ENABLED_DSA" = "yes" && test "$ENABLED_ASN" = "no"
then
AC_MSG_ERROR([please disable dsa if disabling asn.])
fi
# No Big Int (ASN, DSA, RSA, DH, ECC and compatibility layer need bigint)
if test "$ENABLED_ASN" = "no" && test "$ENABLED_DSA" = "no" && \
test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no" && \
test "$ENABLED_RSA" = "no" && test "$ENABLED_OPENSSLEXTRA" = "no" && \
test "$ENABLED_OPENSSLALL" = "yes"
then
ENABLED_SP_MATH_ALL="no"
ENABLED_FASTMATH="no"
ENABLED_HEAPMATH="no"
ENABLED_BIGNUM="no"
else
ENABLED_BIGNUM="yes"
fi
case $host_os in
*linux* | *darwin* | *freebsd*)
DEF_ASN_PRINT="yes"
;;
*)
DEF_ASN_PRINT="no"
;;
esac
AC_ARG_ENABLE([asn-print],
[AS_HELP_STRING([--enable-asn-print],[Enable ASN Print API (default: enabled)])],
[ ENABLED_ASN_PRINT=$enableval ],
[ ENABLED_ASN_PRINT=$DEF_ASN_PRINT ]
)
if test "$ENABLED_ASN_PRINT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_PRINT"
fi
# AES
AC_ARG_ENABLE([aes],
[AS_HELP_STRING([--enable-aes],[Enable AES (default: enabled)])],
[ ENABLED_AES=$enableval ],
[ ENABLED_AES=yes ]
)
if test "$ENABLED_AES" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_AES"
if test "$ENABLED_FORTRESS" = "yes"
then
AC_MSG_ERROR([fortress requires aes])
fi
if test "$ENABLED_ECC_ENCRYPT" = "yes"
then
AC_MSG_ERROR([cannot enable eccencrypt and hkdf without aes.])
fi
if test "$ENABLED_AESGCM" != "no"
then
AC_MSG_ERROR([AESGCM requires AES.])
fi
if test "$ENABLED_AESCCM" = "yes"
then
AC_MSG_ERROR([AESCCM requires AES.])
fi
if test "$ENABLED_AESCTR" = "yes"
then
AC_MSG_ERROR([AESCTR requires AES.])
fi
else
# turn off AES if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_AES"
ENABLED_AES=no
fi
fi
# DTLSv1.3
AC_ARG_ENABLE([dtls13],
[AS_HELP_STRING([--enable-dtls13],[Enable wolfSSL DTLS v1.3 (default: disabled)])],
[ ENABLED_DTLS13=$enableval ],
[ ENABLED_DTLS13=no ]
)
if test "x$ENABLED_DTLS13" = "xyes"
then
# DTLSv1.3 implies TLS 1.3 and DTLS; auto-enable, but don't
# override explicit --disable.
if test "x$enable_tls13" = "xno" || test "x$ENABLED_TLS13" = "xno"
then
AC_MSG_ERROR([--enable-dtls13 requires TLS 1.3, but TLS 1.3 is disabled])
fi
if test "x$ENABLED_TLS13" != "xyes"
then
AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling TLS 1.3])
ENABLED_TLS13=yes
fi
if test "x$enable_dtls" = "xno"
then
AC_MSG_ERROR([--enable-dtls13 requires DTLS, but --disable-dtls was given])
fi
if test "x$ENABLED_DTLS" != "xyes"
then
AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling DTLS])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
ENABLED_DTLS=yes
fi
if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"
then
AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling HRR cookie])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
ENABLED_SEND_HRR_COOKIE="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER"
if test "x$ENABLED_AES" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
fi
# DTLS CID support
AC_ARG_ENABLE([dtlscid],
[AS_HELP_STRING([--enable-dtlscid],[Enable wolfSSL DTLS ConnectionID (default: disabled)])],
[ ENABLED_DTLS_CID=$enableval ],
[ ENABLED_DTLS_CID=no ]
)
if test "x$ENABLED_DTLS_CID" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CID"
fi
# DTLS 1.3 Fragment Second ClientHello
AC_ARG_ENABLE([dtls-frag-ch],
[AS_HELP_STRING([--enable-dtls-frag-ch],[Enable wolfSSL DTLS 1.3 ClientHello fragmenting (default: disabled)])],
[ ENABLED_DTLS_CH_FRAG=$enableval ],
[ ENABLED_DTLS_CH_FRAG=no ]
)
if test "x$ENABLED_DTLS_CH_FRAG" = "xyes"
then
if test "x$ENABLED_DTLS13" != "xyes"
then
AC_MSG_ERROR([You need to enable DTLSv1.3 to use DTLS ClientHello fragmenting])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
fi
# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
if test "x$ENABLED_MLKEM" != "xno" && test "x$ENABLED_DTLS13" = "xyes" && test "x$ENABLED_DTLS_CH_FRAG" != "xyes"
then
AC_MSG_NOTICE([MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting])
ENABLED_DTLS_CH_FRAG=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
fi
# CODING
AC_ARG_ENABLE([coding],
[AS_HELP_STRING([--enable-coding],[Enable Coding base 16/64 (default: enabled)])],
[ ENABLED_CODING=$enableval ],
[ ENABLED_CODING=yes ]
)
if test "$ENABLED_CODING" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CODING"
else
# turn off CODING if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CODING"
ENABLED_CODING=no
fi
fi
# Base64 Encode
BASE64ENCODE_DEFAULT=no
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "amd64"
then
BASE64ENCODE_DEFAULT=yes
fi
AC_ARG_ENABLE([base64encode],
[AS_HELP_STRING([--enable-base64encode],[Enable Base64 encoding (default: enabled on x86_64/amd64)])],
[ ENABLED_BASE64ENCODE=$enableval ],
[ ENABLED_BASE64ENCODE=$BASE64ENCODE_DEFAULT ]
)
if test "$ENABLED_BASE64ENCODE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BASE64_ENCODE"
fi
# Base16
AC_ARG_ENABLE([base16],
[AS_HELP_STRING([--enable-base16],[Enable Base16 encoding/decoding (default: disabled)])],
[ ENABLED_BASE16=$enableval ],
[ ENABLED_BASE16=no ]
)
if test "$ENABLED_CAAM" = "qnx"
then
ENABLED_BASE16=yes
fi
if test "$ENABLED_BASE16" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BASE16"
fi
# MD4
AC_ARG_ENABLE([md4],
[AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])],
[ ENABLED_MD4=$enableval ],
[ ENABLED_MD4=no ]
)
# DES3
AC_ARG_ENABLE([des3],
[AS_HELP_STRING([--enable-des3],[Enable DES3 (default: disabled)])],
[ ENABLED_DES3=$enableval ],
[ ENABLED_DES3=no ]
)
# Enable 3DES for various metafeatures, unless FIPS 140-3
if (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2) && \
(test "$ENABLED_OPENSSH" = "yes" || \
test "$ENABLED_QT" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
test "$ENABLED_WPAS" != "no" || test "$ENABLED_NETSNMP" = "yes" || \
test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_KRB" = "yes" || \
test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_STRONGSWAN" = "yes")
then
ENABLED_DES3="yes"
fi
# DES3 TLS suites
AC_ARG_ENABLE([des3-tls-suites],
[AS_HELP_STRING([--enable-des3-tls-suites],[Enable DES3 TLS cipher suites (default: disabled)])],
[ ENABLED_DES3_TLS_SUITES=$enableval ],
[ ENABLED_DES3_TLS_SUITES=no ]
)
# ARC4
if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \
test "$ENABLED_WPAS" = "yes" || test "$ENABLED_KRB" = "yes"
then
# Requires RC4 make sure on (if not forcefully disabled with --disable-arc4)
test "$enable_arc4" = "" && enable_arc4=yes
fi
AC_ARG_ENABLE([arc4],
[AS_HELP_STRING([--enable-arc4],[Enable ARC4 (default: disabled)])],
[ ENABLED_ARC4=$enableval ],
[ ENABLED_ARC4=no ]
)
# MD5
AC_ARG_ENABLE([md5],
[AS_HELP_STRING([--enable-md5],[Enable MD5 (default: disabled)])],
[ ENABLED_MD5=$enableval ],
[ ENABLED_MD5=no ]
)
# Options that require MD5
if test "$ENABLED_WPAS" = "yes" || test "$ENABLED_HAPROXY" = "yes" || \
test "$ENABLED_KRB" = "yes" || test "$ENABLED_NETSNMP" = "yes" || \
test "$ENABLED_NGINX" = "yes" || test "$ENABLED_OPENSSH" = "yes" || \
test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
test "$ENABLED_TLSV10" = "yes" || test "$ENABLED_OLD_TLS" = "yes" || \
test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_LIGHTY" = "yes" || \
test "$ENABLED_DES3" = "yes" || test "$ENABLED_BUMP" = "yes" || \
test "$ENABLED_OPENSSLALL" = "yes"
then
ENABLED_MD5=yes
fi
# SHA
AC_ARG_ENABLE([sha],
[AS_HELP_STRING([--enable-sha],[Enable SHA (default: enabled)])],
[ ENABLED_SHA=$enableval ],
[ ENABLED_SHA=yes ]
)
if test "$ENABLED_SHA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
else
# turn off SHA if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
ENABLED_SHA=no
fi
fi
if test "$ENABLED_SHA" = "no" && test "$ENABLED_DSA" != "no"
then
AC_MSG_ERROR([please disable DSA if disabling SHA-1.])
fi
# SipHash
AC_ARG_ENABLE([siphash],
[AS_HELP_STRING([--enable-siphash],[Enable SipHash (default: disabled)])],
[ ENABLED_SIPHASH=$enableval ],
[ ENABLED_SIPHASH=no ]
)
AS_IF([test "x$ENABLED_SIPHASH" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIPHASH"])
AC_ARG_ENABLE([cmac-kdf],
[AS_HELP_STRING([--enable-cmac-kdf],[Enables cmac-kdf support (default: disabled)])],
[ ENABLED_CMAC_KDF=$enableval ],
[ ENABLED_CMAC_KDF=no ]
)
if test "$ENABLED_CMAC_KDF" = "yes"
then
if test "$ENABLED_KDF" != "yes"
then
AC_MSG_ERROR([enable-cmac-kdf requires --enable-kdf])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_CMAC_KDF"
fi
# CMAC
AC_ARG_ENABLE([cmac],
[AS_HELP_STRING([--enable-cmac],[Enable CMAC (default: disabled)])],
[ ENABLED_CMAC=$enableval ],
[ ENABLED_CMAC=no ]
)
if test "$ENABLED_WPAS" != "no" || test "$ENABLED_NTP" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes" || test "$ENABLED_CMAC_KDF" = "yes"
then
ENABLED_CMAC=yes
fi
AS_IF([test "x$ENABLED_CMAC" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
# SHE (Secure Hardware Extension) key update message generation
# --enable-she=standard: standard SHE support
# --enable-she=extended: standard + extended overrides (custom KDF/headers)
AC_ARG_ENABLE([she],
[AS_HELP_STRING([--enable-she@<:@=standard|extended@:>@],
[Enable SHE key update support (default: disabled)])],
[ ENABLED_SHE=$enableval ],
[ ENABLED_SHE=no ]
)
if test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended"
then
if test "$ENABLED_AESCBC" = "no"
then
AC_MSG_ERROR([SHE requires AES-CBC. Cannot use --disable-aescbc with --enable-she.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"
ENABLED_CMAC=yes
ENABLED_AESCBC=yes
fi
if test "x$ENABLED_SHE" = "xextended"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE_EXTENDED"
fi
# AES-XTS
AC_ARG_ENABLE([aesxts],
[AS_HELP_STRING([--enable-aesxts],[Enable AES XTS (default: disabled)])],
[ ENABLED_AESXTS=$enableval ],
[ ENABLED_AESXTS=no ]
)
AS_IF([test "$ENABLED_AESXTS" = "yes" && test "$ENABLED_ARMASM" = "no"],
[ ENABLED_AESXTS_STREAM_DEFAULT=yes ],
[ ENABLED_AESXTS_STREAM_DEFAULT=no ]
)
AC_ARG_ENABLE([aesxts-stream],
[AS_HELP_STRING([--enable-aesxts-stream],[Enable wolfSSL AES-XTS support with streaming APIs (default: disabled)])],
[ ENABLED_AESXTS_STREAM=$enableval ],
[ ENABLED_AESXTS_STREAM=$ENABLED_AESXTS_STREAM_DEFAULT ]
)
# legacy old option name, for compatibility:
AC_ARG_ENABLE([xts],
[AS_HELP_STRING([--enable-xts],[Please use --enable-aesxts])],
[ ENABLED_AESXTS=$enableval ]
)
# AES-CTS
AC_ARG_ENABLE([aescts],
[AS_HELP_STRING([--enable-aescts],[Enable AES CTS (default: disabled)])],
[ ENABLED_AESCTS=$enableval ],
[ ENABLED_AESCTS=no ]
)
if test "$ENABLED_AESCTS" = "yes"
then
if test "$ENABLED_AESCBC" = "no"
then
AC_MSG_ERROR([AES CTS requires AES CBC.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CTS"
fi
# Web Server Build
AC_ARG_ENABLE([webserver],
[AS_HELP_STRING([--enable-webserver],[Enable Web Server (default: disabled)])],
[ ENABLED_WEBSERVER=$enableval ],
[ ENABLED_WEBSERVER=no ]
)
if test "$ENABLED_WEBSERVER" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_WEBSERVER"
fi
# Web Client Build (HTTP Client)
AC_ARG_ENABLE([webclient],
[AS_HELP_STRING([--enable-webclient],[Enable Web Client (HTTP) (default: disabled)])],
[ ENABLED_WEBCLIENT=$enableval ],
[ ENABLED_WEBCLIENT=no ]
)
if test "$ENABLED_WEBCLIENT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HTTP_CLIENT"
fi
# RC2
AC_ARG_ENABLE([rc2],
[AS_HELP_STRING([--enable-rc2],[Enable RC2 encryption (default: disabled)])],
[ ENABLED_RC2=$enableval ],
[ ENABLED_RC2=no ]
)
if test "$ENABLED_RC2" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_RC2"
fi
# CUDA
AC_ARG_ENABLE([cuda],
[AS_HELP_STRING([--enable-cuda],[Enable NVidia CUDA support (default: disabled)])],
[ ENABLED_CUDA=$enableval ],
[ ENABLED_CUDA=no ]
)
if test "$ENABLED_CUDA" = "yes"
then
CC=nvcc
AM_CFLAGS="$AM_CFLAGS -DWC_CUDA -DHAVE_CUDA"
fi
# Certificate Service Support (CFLAG sections later) keep above FIPS section
AC_ARG_ENABLE([certservice],
[AS_HELP_STRING([--enable-certservice],[Enable cert service (default: disabled)])],
[ ENABLED_CERT_SERVICE=$enableval ],
[ ENABLED_CERT_SERVICE=no ]
)
# PWDBASED (CFLAG sections later) keep above FIPS section
AC_ARG_ENABLE([pwdbased],
[AS_HELP_STRING([--enable-pwdbased],[Enable PWDBASED (default: disabled)])],
[ ENABLED_PWDBASED=$enableval ],
[ ENABLED_PWDBASED=no ]
)
# MemUse Entropy
# wolfEntropy Software Jitter SP800-90B certifiable entropy source
if test "$KERNEL_MODE_DEFAULTS" = "yes" && \
test "$ENABLED_AMDRDSEED" != "yes" && \
test "$ENABLED_INTELRDRAND" != "yes" && \
test "$ENABLED_INTELRDSEED" != "yes"
then
ENABLED_ENTROPY_MEMUSE_DEFAULT=yes
else
ENABLED_ENTROPY_MEMUSE_DEFAULT=no
fi
AC_ARG_ENABLE([wolfEntropy],
[AS_HELP_STRING([--enable-wolfEntropy],[Enable memuse entropy support (default: disabled)])],
[ ENABLED_ENTROPY_MEMUSE=$enableval ],
[ ENABLED_ENTROPY_MEMUSE=$ENABLED_ENTROPY_MEMUSE_DEFAULT ]
)
AC_ARG_ENABLE([wolfentropy],
[AS_HELP_STRING([--enable-wolfentropy],[Alias for --enable-wolfEntropy])],
[ ENABLED_ENTROPY_MEMUSE=$enableval ],
)
AC_ARG_ENABLE([entropy-memuse],
[AS_HELP_STRING([--enable-entropy-memuse],[Alias for --enable-wolfEntropy])],
[ ENABLED_ENTROPY_MEMUSE=$enableval ]
)
# AES key wrap
AC_ARG_ENABLE([aeskeywrap],
[AS_HELP_STRING([--enable-aeskeywrap],[Enable AES key wrap support (default: disabled)])],
[ ENABLED_AESKEYWRAP=$enableval ],
[ ENABLED_AESKEYWRAP=no ]
)
# FIPS feature and macro setup
AS_CASE([$FIPS_VERSION],
[v7|ready|dev],[ # FIPS 140-3 PQ-FS
AS_IF([test "$FIPS_VERSION" = "dev"],
ENABLED_FIPS_DEV=yes
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "ready" || test "$FIPS_VERSION" = "v7"],
ENABLED_FIPS_READY=yes
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DECC_USER_CURVES \
-DHAVE_ECC384 \
-DHAVE_ECC521 \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_FFDHE_3072 \
-DHAVE_FFDHE_4096 \
-DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \
-DWOLFSSL_ECDSA_SET_K \
-DWOLFSSL_VALIDATE_ECC_IMPORT \
-DWOLFSSL_VALIDATE_ECC_KEYGEN \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256"])
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
# optimizations section
# protocol section
AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
[enable_ssh="yes"])
AS_IF([test "$ENABLED_HKDF" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "x$ENABLED_PWDBASED" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_pwdbased" != "no")],
[ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2 -DHAVE_AESGCM"])
AS_IF([test "x$ENABLED_SRTP" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp" != "no")],
[ENABLED_SRTP="yes"])
AS_IF([test "x$ENABLED_SRTP_KDF" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp_kdf" != "no")],
[ENABLED_SRTP_KDF="yes"])
# public key section
AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
[ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
# AS_IF([test "$ENABLED_COMPKEY" != "yes" &&
# (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
# [ENABLED_COMPKEY="yes"])
AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "$ENABLED_ECC" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
AS_IF([test "$ENABLED_ED25519" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519" != "no")],
[ENABLED_ED25519="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_curve25519" = "")],
[ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS"])
AS_IF([test "x$ENABLED_ED448" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448" != "no")],
[ENABLED_ED448="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE448" != "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_curve448" = "")],
[ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS"])
AS_IF([test "x$ENABLED_ED25519_STREAM" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519_stream" != "no")],
[ENABLED_ED25519_STREAM="yes"])
AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448_stream" != "no")],
[ENABLED_ED448_STREAM="yes"])
AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
ENABLED_ECCCUSTCURVES="no"])
# Hashing section
AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha3" != "no")],
[ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_SHA224" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
[ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA512" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 enabled for FIPS v7+ (needed for ML-DSA
# HashML-DSA ACVP test vectors with SHA2-512/224 and SHA2-512/256)
# Shake128 because we're testing SHAKE256
AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "no")],
[ENABLED_SHAKE128="yes"])
# Shake256 mandated for ED448
AS_IF([test "x$ENABLED_SHAKE256" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "no")],
[ENABLED_SHAKE256="yes"])
# Aes section
AS_IF([test "$ENABLED_AESCCM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESCTR" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "no")],
[ENABLED_AESGCM_STREAM="yes"])
AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
AS_IF([test "x$ENABLED_AESCFB" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aescfb" != "no")],
[ENABLED_AESCFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
AS_IF([test "x$ENABLED_AESXTS" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "no")],
[ENABLED_AESXTS="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS_STREAM" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
[ENABLED_AESXTS_STREAM="yes"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aeskeywrap" != "no")],
[ENABLED_AESKEYWRAP="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP"])
# Post-Quantum section
AS_IF([test "$ENABLED_MLKEM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_mlkem" != "no")],
[ENABLED_MLKEM="yes"
ENABLED_MLKEM512="yes"
ENABLED_MLKEM768="yes"
ENABLED_MLKEM1024="yes"
ENABLED_MLKEM_MAKE_KEY="yes"
ENABLED_MLKEM_ENCAPSULATE="yes"
ENABLED_MLKEM_DECAPSULATE="yes"])
AS_IF([test "$ENABLED_MLDSA" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_dilithium" != "no")],
[ENABLED_MLDSA="yes"
ENABLED_MLDSA44="yes"
ENABLED_MLDSA65="yes"
ENABLED_MLDSA87="yes"
ENABLED_MLDSA_MAKE_KEY="yes"
ENABLED_MLDSA_SIGN="yes"
ENABLED_MLDSA_VERIFY="yes"])
AS_IF([test "$ENABLED_XMSS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_xmss" != "no")],
[ENABLED_XMSS="yes"])
AS_IF([test "$ENABLED_LMS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_lms" != "no")],
[ENABLED_LMS="yes"])
# LMS: enable SHA-256/192 and SHAKE256 parameter sets for FIPS v7
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"
AS_IF([test "$ENABLED_SLHDSA" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_slhdsa" != "no")],
[ENABLED_SLHDSA="yes"
SLHDSA_PARAM_128S="yes"
SLHDSA_PARAM_128F="yes"
SLHDSA_PARAM_192S="yes"
SLHDSA_PARAM_192F="yes"
SLHDSA_PARAM_256S="yes"
SLHDSA_PARAM_256F="yes"
SLHDSA_SHA2="yes"
SLHDSA_PARAM_SHA2_128S="yes"
SLHDSA_PARAM_SHA2_128F="yes"
SLHDSA_PARAM_SHA2_192S="yes"
SLHDSA_PARAM_SHA2_192F="yes"
SLHDSA_PARAM_SHA2_256S="yes"
SLHDSA_PARAM_SHA2_256F="yes"])
# SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode. Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
# SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode. Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[v6],[ # FIPS 140-3 SRTP-KDF (frozen)
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DECC_USER_CURVES \
-DHAVE_ECC384 \
-DHAVE_ECC521 \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_FFDHE_3072 \
-DHAVE_FFDHE_4096 \
-DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \
-DWOLFSSL_ECDSA_SET_K \
-DWOLFSSL_VALIDATE_ECC_IMPORT \
-DWOLFSSL_VALIDATE_ECC_KEYGEN \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256"])
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
# optimizations section
# protocol section
AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
[enable_ssh="yes"])
AS_IF([test "$ENABLED_HKDF" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "x$ENABLED_PWDBASED" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_pwdbased" != "no")],
[ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2 -DHAVE_AESGCM"])
AS_IF([test "x$ENABLED_SRTP" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp" != "no")],
[ENABLED_SRTP="yes"])
AS_IF([test "x$ENABLED_SRTP_KDF" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_srtp_kdf" != "no")],
[ENABLED_SRTP_KDF="yes"])
# public key section
AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
[ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
# AS_IF([test "$ENABLED_COMPKEY" != "yes" &&
# (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
# [ENABLED_COMPKEY="yes"])
AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "$ENABLED_ECC" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
AS_IF([test "$ENABLED_ED25519" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519" != "no")],
[ENABLED_ED25519="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_curve25519" = "")],
[ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS"])
AS_IF([test "x$ENABLED_ED448" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448" != "no")],
[ENABLED_ED448="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE448" != "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_curve448" = "")],
[ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS"])
AS_IF([test "x$ENABLED_ED25519_STREAM" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed25519_stream" != "no")],
[ENABLED_ED25519_STREAM="yes"])
AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_ed448_stream" != "no")],
[ENABLED_ED448_STREAM="yes"])
AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
ENABLED_ECCCUSTCURVES="no"])
# Hashing section
AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha3" != "no")],
[ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_SHA224" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
[ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA512" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are not in-boundary in FIPS v6.
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
# Shake128 because we're testing SHAKE256
AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "no")],
[ENABLED_SHAKE128="yes"])
# Shake256 mandated for ED448
AS_IF([test "x$ENABLED_SHAKE256" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "no")],
[ENABLED_SHAKE256="yes"])
# Aes section
AS_IF([test "$ENABLED_AESCCM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESCTR" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "no")],
[ENABLED_AESGCM_STREAM="yes"])
AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
AS_IF([test "x$ENABLED_AESCFB" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aescfb" != "no")],
[ENABLED_AESCFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
AS_IF([test "x$ENABLED_AESXTS" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "no")],
[ENABLED_AESXTS="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS_STREAM" = "xno" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
[ENABLED_AESXTS_STREAM="yes"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
(test "$FIPS_VERSION" != "dev" || test "$enable_aeskeywrap" != "no")],
[ENABLED_AESKEYWRAP="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP"])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DNO_BIG_INT \
-DWC_RNG_SEED_CB \
-DNO_PBKDF2"
# optimizations section
# protocol section
AS_IF([test "$ENABLED_CRYPTONLY" != "yes" && test "$enable_cryptonly" != "no"],
[ENABLED_CRYPTONLY="yes"; enable_cryptonly="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"])
AS_IF([test "$ENABLED_TLS" != "no" && test "$enable_tls" != "yes"],
[ENABLED_TLS="no"; enable_tls="no"; AM_CFLAGS="$AM_CFLAGS -DNO_TLS"])
AS_IF([test "$ENABLED_TLSV12" != "no" && test "$enable_tlsv12" != "yes"],
[ENABLED_TLSV12="no"; enable_tlsv12="no"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_TLS12"])
AS_IF([test "$ENABLED_ASN" != "no" && test "$enable_asn" != "yes"],
[ENABLED_ASN="no"; enable_asn="no"; AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"])
AS_IF([test "$ENABLED_SEND_HRR_COOKIE" != "no" && test "$enable_hrrcookie" != "yes"],
[ENABLED_SEND_HRR_COOKIE="no"; enable_hrrcookie="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SEND_HRR_COOKIE"])
AS_IF([test "$ENABLED_WOLFSSH" != "no" && test "$enable_ssh" != "yes"],
[ENABLED_WOLFSSH="no"; enable_ssh="no"])
AS_IF([test "$ENABLED_HKDF" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_hkdf" != "yes")],
[enable_hkdf="no"; ENABLED_HKDF="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_HKDF"])
AS_IF([test "$ENABLED_PWDBASED" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_pwdbased" != "yes")],
[enable_pwdbased="no"; ENABLED_PWDBASED="no"])
AS_IF([test "$ENABLED_SRTP" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp" != "yes")],
[enable_srtp="no"; ENABLED_SRTP="no"])
AS_IF([test "$ENABLED_SRTP_KDF" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp_kdf" != "yes")],
[enable_srtp_kdf="no"; ENABLED_SRTP_KDF="no"])
AS_IF([test "$ENABLED_PKCS8" != "no" && test "$enable_pkcs8" != "yes"],
[enable_pkcs8="no"; ENABLED_PKCS8="no"; AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"])
# public key section
AS_IF([test "$ENABLED_SP_MATH_ALL" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sp_math_all" != "yes")],
[enable_sp_math_all="no"; ENABLED_SP_MATH_ALL="no"])
AS_IF([test "$ENABLED_KEYGEN" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_keygen" != "yes")],
[enable_keygen="no"; ENABLED_KEYGEN="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_KEY_GEN"])
AS_IF([test "$ENABLED_COMPKEY" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_compkey" != "yes")],
[enable_compkey="no"; ENABLED_COMPKEY="no"])
AS_IF([test "$ENABLED_RSA" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsa" != "yes")],
[enable_rsa="no"; ENABLED_RSA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_RSA"])
AS_IF([test "$ENABLED_RSAPSS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsapss" != "yes")],
[enable_rsapss="no"; ENABLED_RSAPSS="no"; AM_CFLAGS="$AM_CFLAGS -UWC_RSA_PSS"])
AS_IF([test "$ENABLED_DH" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_dh" != "yes")],
[enable_dh="no"; ENABLED_DH="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
AS_IF([test "$ENABLED_ECC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ecc" != "yes")],
[enable_ecc="no"; ENABLED_ECC="no"; ENABLED_ECCMINSZ="n/a"; ENABLED_ECC_SHAMIR="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ECC -UTFM_ECC256 -UECC_MIN_KEY_SZ -UECC_SHAMIR"])
AS_IF([test "$ENABLED_ED25519" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519" != "yes")],
[enable_ed25519="no"; ENABLED_ED25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED25519 -UHAVE_ED25519_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve25519" != "yes")],
[enable_curve25519="no"; ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE25519"])
AS_IF([test "$ENABLED_ED448" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448" != "yes")],
[enable_ed448="no"; ENABLED_ED448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED448 -UHAVE_ED448_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE448" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve448" != "yes")],
[enable_curve448="no"; ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE448"])
AS_IF([test "$ENABLED_ED25519_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519_stream" != "yes")],
[enable_ed25519_stream="no"; ENABLED_ED25519_STREAM="no"])
AS_IF([test "$ENABLED_ED448_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448_stream" != "yes")],
[enable_ed448_stream="no"; ENABLED_ED448_STREAM="no"])
AS_IF([test "$ENABLED_ECCCUSTCURVES" != "no" &&
test "$FIPS_VERSION" != "lean-aesgcm-dev"],
[ENABLED_ECCCUSTCURVES="no"])
# Hashing section
AS_IF([test "$ENABLED_SHA" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha" != "yes")],
[enable_sha="no"; ENABLED_SHA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_SHA"])
AS_IF([test "$ENABLED_SHA256" = "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha256" != "no")],
[enable_sha256="yes"; ENABLED_SHA256="yes"; AM_CFLAGS="$AM_CFLAGS -UNO_SHA256"])
AS_IF([test "$ENABLED_SHA3" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha3" != "yes")],
[enable_sha3="no"; ENABLED_SHA3="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_SHAKE128" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake128" != "yes")],
[enable_shake128="no"; ENABLED_SHAKE128="no"])
AS_IF([test "$ENABLED_SHAKE256" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake256" != "yes")],
[enable_shake256="no"; ENABLED_SHAKE256="no"])
AS_IF([test "$ENABLED_SHA224" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha224" != "yes")],
[enable_sha224="no"; ENABLED_SHA224="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA384" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha384" != "yes")],
[enable_sha384="no"; ENABLED_SHA384="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA384 -UWOLFSSL_SHA384"])
AS_IF([test "$ENABLED_SHA512" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
[enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "$ENABLED_SHAKE128" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake128" != "yes")],
[enable_shake128="no"; ENABLED_SHAKE128="no"])
AS_IF([test "$ENABLED_SHAKE256" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake256" != "yes")],
[enable_shake256="no"; ENABLED_SHAKE256="no"])
AS_IF([test "$ENABLED_MLKEM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_mlkem" != "yes")],
[enable_mlkem="no"; ENABLED_MLKEM="no"])
AS_IF([test "$ENABLED_MD5" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_md5" != "yes")],
[enable_md5="no"; ENABLED_MD5="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5"])
# Aes section
AS_IF([test "$ENABLED_AESCBC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescbc" != "yes")],
[enable_aescbc="no"; ENABLED_AESCBC="no"; AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"])
AS_IF([test "$ENABLED_AESCCM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesccm" != "yes")],
[enable_aesccm="no"; ENABLED_AESCCM="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESCTR" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesctr" != "yes")],
[enable_aesctr="no"; ENABLED_AESCTR="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_cmac" != "yes")],
[enable_cmac="no"; ENABLED_CMAC="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm_stream" != "no")],
[ENABLED_AESGCM_STREAM="yes"])
AS_IF([test "$ENABLED_AESOFB" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesofb" != "yes")],
[enable_aesofb="no"; ENABLED_AESOFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_OFB"])
AS_IF([test "$ENABLED_AESCFB" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescfb" != "yes")],
[enable_aescfb="no"; ENABLED_AESCFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_CFB"])
AS_IF([test "$ENABLED_AESXTS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts" != "yes")],
[enable_aesxts="no"; ENABLED_AESXTS="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_XTS"])
AS_IF([test "$ENABLED_AESXTS" = "yes" && test "$ENABLED_AESNI" = "yes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "$ENABLED_AESXTS_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts_stream" != "yes")],
[enable_aesxts_stream="no"; ENABLED_AESXTS_STREAM="no"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "$ENABLED_AESKEYWRAP" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aeskeywrap" != "yes")],
[enable_aeskeywrap="no"; ENABLED_AESKEYWRAP="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AES_KEYWRAP"])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[v5*], [ # FIPS 140-3
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DECC_USER_CURVES \
-DHAVE_ECC384 \
-DHAVE_ECC521 \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_FFDHE_3072 \
-DHAVE_FFDHE_4096 \
-DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and do not use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \
-DWOLFSSL_ECDSA_SET_K \
-DWOLFSSL_VALIDATE_ECC_IMPORT \
-DWOLFSSL_VALIDATE_ECC_KEYGEN \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256"])
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
# force various features to FIPS 140-3 defaults, unless overridden with dev:
AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
[ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
AS_IF([test "$ENABLED_SHA224" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha224" != "no")],
[ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA3" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha3" != "no")],
[ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_ssh" != "no")],
[enable_ssh="yes"])
# Shake128 is a SHA-3 algorithm outside the v5 FIPS algorithm list
AS_IF([test "$ENABLED_SHAKE128" != "no" &&
! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_shake128" = "yes")],
[AC_MSG_WARN([Forcing off shake128 for FIPS ${FIPS_VERSION}.])
ENABLED_SHAKE128=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"])
# Shake256 is a SHA-3 algorithm outside the v5 FIPS algorithm list
AS_IF([test "$ENABLED_SHAKE256" != "no" &&
! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_shake256" = "yes")],
[AC_MSG_WARN([Forcing off shake256 for FIPS ${FIPS_VERSION}.])
ENABLED_SHAKE256=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms outside the v5 FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "$ENABLED_AESCCM" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesccm" != "no")],
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESXTS" = "yes" &&
! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_aesxts" = "yes")],
[AC_MSG_WARN([Forcing off aesxts for FIPS ${FIPS_VERSION}.])
ENABLED_AESXTS="no"])
AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_rsapss" != "no")],
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "$ENABLED_ECC" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_ecc" != "no")],
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_eccshamir" != "no")],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
AS_IF([test "$ENABLED_AESCTR" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesctr" != "no")],
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_cmac" != "no")],
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_HKDF" != "yes" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_hkdf" != "no")],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "$ENABLED_INTELASM" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
AS_IF([test "$ENABLED_SHA512" = "no" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha512" != "no")],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
# AES-GCM streaming isn't part of the v5 FIPS suite.
AS_IF([test "$ENABLED_AESGCM_STREAM" = "yes" &&
! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_aesgcm_stream" = "yes")],
[AC_MSG_WARN([Forcing off aesgcm-stream for FIPS ${FIPS_VERSION}.])
ENABLED_AESGCM_STREAM="no"])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
[AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
(test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])
AS_IF([test "$ENABLED_SRTP" != "no" &&
! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_srtp" = "yes")],
[AC_MSG_WARN([Forcing off srtp for FIPS ${FIPS_VERSION}.])
ENABLED_SRTP="no"])
AS_IF([test "$ENABLED_SRTP_KDF" != "no" &&
! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_srtp_kdf" = "yes")],
[AC_MSG_WARN([Forcing off srtp-kdf for FIPS ${FIPS_VERSION}.])
ENABLED_SRTP_KDF="no"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes") ||
(test "$ENABLED_AESXTS" != "no" && test "$HAVE_AESXTS_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
],
[v2],[ # FIPS 140-2, Cert 3389
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DWOLFSSL_KEY_GEN \
-DWOLFSSL_SHA224 \
-DWOLFSSL_AES_DIRECT \
-DHAVE_AES_ECB \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_PUBLIC_FFDHE"
ENABLED_KEYGEN="yes"
ENABLED_SHA224="yes"
ENABLED_DES3="yes"
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
ENABLED_SHAKE256=no
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
[ENABLED_AESCCM="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
[ENABLED_RSAPSS="yes"
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "x$ENABLED_ECC" != "xyes"],
[ENABLED_ECC="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
[ENABLED_AESCTR="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
[ENABLED_AESCTR="yes"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "x$ENABLED_CMAC" != "xyes"],
[ENABLED_CMAC="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "x$ENABLED_HKDF" != "xyes"],
[ENABLED_HKDF="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
AS_IF([test "x$ENABLED_SHA512" = "xno"],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
AS_IF([test "x$ENABLED_AESGCM" = "xno"],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
],
["rand"],[
AM_CFLAGS="$AM_CFLAGS \
-DWOLFCRYPT_FIPS_RAND \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH"
],
["v1"],[ # FIPS 140-2, Cert 2425
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH"
AS_IF([test "x$ENABLED_SHA512" = "xno"],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
AS_IF([test "x$ENABLED_AESGCM" = "xno"],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
])
AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno" && test "$ENABLE_LINUXKM" = "no"],
[AC_MSG_ERROR([FIPS requires Thread Local Storage])])
AS_IF([(test "$ENABLED_NULL_CIPHER" = "yes" || test "$ENABLED_LEANPSK" = "yes") && test "$ENABLED_FIPS" != "no" && test "$FIPS_VERSION" != "dev" && test "$FIPS_VERSION" != "v5-dev"],
[AC_MSG_ERROR([FIPS is incompatible with nullcipher])])
# SELFTEST
AC_ARG_ENABLE([selftest],
[AS_HELP_STRING([--enable-selftest],[Enable selftest, Will NOT work w/o CAVP selftest license (default: disabled)])],
[ ENABLED_SELFTEST=$enableval ],
[ ENABLED_SELFTEST="no" ]
)
AS_CASE([$ENABLED_SELFTEST],
["v2"],[
# selftest v2 (wolfCrypt 4.1.0)
ENABLED_SELFTEST="yes"
SELFTEST_VERSION="v2"
],
["no"],[SELFTEST_VERSION="none"],
[
# selftest v1 (wolfCrypt 3.14.2)
ENABLED_SELFTEST="yes"
SELFTEST_VERSION="v1"
])
AS_IF([test "x$ENABLED_SELFTEST" = "xyes" && test ! -s "${srcdir}/wolfcrypt/src/selftest.c"],
[AC_MSG_ERROR([selftest.c is missing, --enable-selftest requires the CAVP selftest source])])
AS_CASE([$SELFTEST_VERSION],
["v2"],[
AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST -DHAVE_SELFTEST_VERSION=2 -DHAVE_PUBLIC_FFDHE"
],
["v1"],[
AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST -DHAVE_PUBLIC_FFDHE"
])
# Set ML-KEM flags
if test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_SHA3" = "no"
then
AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-sha3 to enable SHA-3])
ENABLED_SHA3=yes
enable_sha3=yes
fi
if test "$ENABLED_SHAKE128" = "no"
then
AC_MSG_WARN([MLKEM enabled (not explicitly disabled); overriding --disable-shake128 to enable SHAKE128])
ENABLED_SHAKE128=yes
fi
if test "$ENABLED_SHAKE256" = "no"
then
AC_MSG_WARN([MLKEM enabled (not explicitly disabled); overriding --disable-shake256 to enable SHAKE256])
ENABLED_SHAKE256=yes
fi
fi
ENABLED_ML_KEM=unset
ENABLED_MLKEM_MAKE_KEY=no
ENABLED_MLKEM_ENCAPSULATE=no
ENABLED_MLKEM_DECAPSULATE=no
for v in `echo $ENABLED_MLKEM | tr "," " "`
do
case $v in
yes)
ENABLED_MLKEM512=yes
ENABLED_MLKEM768=yes
ENABLED_MLKEM1024=yes
ENABLED_MLKEM_MAKE_KEY=yes
ENABLED_MLKEM_ENCAPSULATE=yes
ENABLED_MLKEM_DECAPSULATE=yes
;;
all)
ENABLED_MLKEM_MAKE_KEY=yes
ENABLED_MLKEM_ENCAPSULATE=yes
ENABLED_MLKEM_DECAPSULATE=yes
ENABLED_ML_KEM=yes
ENABLED_ORIGINAL=yes
;;
no)
;;
small)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_SMALL"
;;
no-large-code)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_LARGE_CODE"
;;
cache-a)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_CACHE_A"
;;
512)
ENABLED_MLKEM512=yes
;;
768)
ENABLED_MLKEM768=yes
;;
1024)
ENABLED_MLKEM1024=yes
;;
make)
ENABLED_MLKEM_MAKE_KEY=yes
;;
encapsulate|enc)
ENABLED_MLKEM_ENCAPSULATE=yes
;;
decapsulate|dec)
ENABLED_MLKEM_DECAPSULATE=yes
;;
original|kyber)
ENABLED_ORIGINAL=yes
;;
ml-kem)
ENABLED_ML_KEM=yes
;;
noasm)
AM_CFLAGS="$AM_CFLAGS -DWC_MLKEM_NO_ASM"
;;
*)
AC_MSG_ERROR([Invalid choice for MLKEM []: $ENABLED_MLKEM.])
break;;
esac
done
# Selftest uses its own random.c which doesn't support SHA-512 DRBG
# or runtime DRBG disable/enable APIs
AS_IF([test "x$ENABLED_SELFTEST" = "xyes"],
[ENABLED_SHA512_DRBG=no])
AS_IF([test "x$ENABLED_AESXTS" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS -DWOLFSSL_AES_DIRECT"])
AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_INTELASM" = "xyes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
# ECC Custom Curves
if test "$ENABLED_ECCCUSTCURVES" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CUSTOM_CURVES"
# For distro, all or ecccustcurves=all builds, enable all curve types
if test "$ENABLED_DISTRO" = "yes" || test "$ENABLED_ALL" = "yes" || test "$ENABLED_ECCCUSTCURVES" = "all"
then
# Enable ECC SECPR2, SECPR3, BRAINPOOL and KOBLITZ curves
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ"
# Enable ECC Cofactor support
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_CDH"
# If fastmath enabled and on x86 use speedups
if test "x$ENABLED_FASTMATH" = "xyes" && test "$host_cpu" = "x86_64" -o "$host_cpu" = "amd64"
then
AM_CFLAGS="$AM_CFLAGS -DTFM_ECC192 -DTFM_ECC224 -DTFM_ECC256 -DTFM_ECC384 -DTFM_ECC521"
fi
fi
fi
# Curve448
if test "$ENABLED_CURVE448" != "no"
then
if test "$ENABLED_CURVE448" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DCURVE448_SMALL"
ENABLED_CURVE448_SMALL=yes
ENABLED_CURVE448=yes
fi
if test "$ENABLED_CURVE448" = "no128bit" || test "$ENABLED_32BIT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED448_128BIT"
ENABLED_CURVE448=yes
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE448"
ENABLED_FE448=yes
ENABLED_CERTS=yes
fi
# Ed448
if test "$ENABLED_ED448" != "no"
then
if test "$ENABLED_ED448" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DED448_SMALL"
ENABLED_ED448_SMALL=yes
ENABLED_CURVE448_SMALL=yes
ENABLED_ED448=yes
fi
if test "$ENABLED_SHA512" = "no"
then
AC_MSG_ERROR([cannot enable ed448 without enabling sha512.])
fi
if test "x$HAVE_FIPS_VERSION" = "x2"
then
AC_MSG_ERROR([cannot enable ed448 w/ dependency shake256 in FIPSv2 mode])
fi
ENABLED_FE448=yes
ENABLED_GE448=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448"
# EdDSA448 requires SHAKE256 which requires SHA-3
if test "$ENABLED_SHA3" = "no"
then
ENABLED_SHA3=yes
fi
ENABLED_SHAKE256=yes
ENABLED_CERTS=yes
fi
if test "$ENABLED_ED448_STREAM" != "no"
then
if test "$ENABLED_ED448" = "no"
then
AC_MSG_ERROR([ED448 verify streaming enabled but ED448 is disabled])
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
fi
fi
# SRTP-KDF
if test "$ENABLED_SRTP" = "yes"
then
ENABLED_SRTP_KDF="yes"
fi
if test "$ENABLED_SRTP_KDF" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWC_SRTP_KDF -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
fi
# ML-KEM and Dilithium require SHA-3 and SHAKE -- force them on before flag
# processing so that the correct -D flags are emitted.
if test "$ENABLED_MLKEM" != "no"
then
ENABLED_SHA3=yes
ENABLED_SHAKE128=yes
ENABLED_SHAKE256=yes
fi
if test "$ENABLED_MLDSA" != "no"
then
ENABLED_SHA3=yes
ENABLED_SHAKE128=yes
ENABLED_SHAKE256=yes
fi
# Set SHA-3 flags
if test "$ENABLED_SHA3" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
fi
# Set SHAKE128 flags
# FIPS traditionally does not support SHAKE 128, v6 does
AS_IF([test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 6],
[ENABLED_SHAKE128="no"])
if test "$ENABLED_SHAKE128" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE128"
if test "$ENABLED_SHA3" = "no"
then
AC_MSG_ERROR([shake128 requires SHA-3: --enable-sha3])
fi
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"
fi
# Set SHAKE256 flags
# FIPS traditionally does not support SHAKE 256, v6 does
AS_IF([test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 6],
[ENABLED_SHAKE256="no"])
if test "$ENABLED_SHAKE256" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
if test "$ENABLED_SHA3" = "no"
then
AC_MSG_ERROR([shake256 requires SHA-3: --enable-sha3])
fi
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
fi
# MLKEM CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_MLKEM" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLKEM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_MLKEM"
if test "$ENABLED_ORIGINAL" = "yes"; then
# FIPS 203 (ML-KEM) and Kyber use different implicit rejection.
# Kyber mode must not be used in FIPS v7+ builds.
AS_IF([test "$HAVE_FIPS_VERSION" -ge 7],
[AC_MSG_ERROR([Kyber (--enable-mlkem=original) is not compatible with FIPS v7+. Use ML-KEM (FIPS 203) instead.])])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_KYBER"
if test "$ENABLED_MLKEM512" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512"
fi
if test "$ENABLED_MLKEM768" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768"
fi
if test "$ENABLED_MLKEM1024" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024"
fi
if test "$ENABLED_ML_KEM" = "unset"; then
ENABLED_ML_KEM=no
fi
fi
if test "$ENABLED_ML_KEM" = "unset"; then
ENABLED_ML_KEM=yes
fi
if test "$ENABLED_ML_KEM" = "yes"; then
if test "$ENABLED_MLKEM512" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512"
fi
if test "$ENABLED_MLKEM768" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768"
fi
if test "$ENABLED_MLKEM1024" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024"
fi
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM"
fi
if test "$ENABLED_MLKEM_MAKE_KEY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_MAKE_KEY"
fi
if test "$ENABLED_MLKEM_ENCAPSULATE" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_ENCAPSULATE"
fi
if test "$ENABLED_MLKEM_DECAPSULATE" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_DECAPSULATE"
fi
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_shake128" = "" && enable_shake128=yes
test "$enable_shake256" = "" && enable_shake256=yes
fi
AC_ARG_ENABLE([tls-mlkem-standalone],
[AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
[ ENABLED_MLKEM_STANDALONE=$enableval ],
[ ENABLED_MLKEM_STANDALONE=no ]
)
AS_IF([ test "$ENABLED_MLKEM_STANDALONE" = "yes" && test "$ENABLED_ML_KEM" = "no" ],[AC_MSG_ERROR([ML-KEM as standalone TLS key exchange (non-hybrid) requires ML-KEM.])])
if test "$ENABLED_MLKEM_STANDALONE" != "yes"
then
# Hybrid PQ/T groups all combine ML-KEM with an ECC/Curve25519/Curve448
# base. If none of those is available, hybrids contribute no usable groups
# for TLS 1.3 key exchange. In that case, auto-enable standalone ML-KEM so
# TLS 1.3 has a functional KEM.
if test "$ENABLED_MLKEM" = "yes" && test "$ENABLED_ML_KEM" != "no" && \
test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && \
test "x$ENABLED_CURVE448" = "xno"
then
AC_MSG_NOTICE([No ECC/Curve25519/Curve448 base for ML-KEM hybrids; auto-enabling standalone ML-KEM for TLS 1.3.])
ENABLED_MLKEM_STANDALONE=yes
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_NO_MLKEM_STANDALONE"
fi
fi
AC_ARG_ENABLE([pqc-hybrids],
[AS_HELP_STRING([--enable-pqc-hybrids],[Enable PQ/T hybrid combinations (default: enabled)])],
[ ENABLED_PQC_HYBRIDS=$enableval ],
[ ENABLED_PQC_HYBRIDS=yes ]
)
if test "$ENABLED_PQC_HYBRIDS" = "yes"
then
if test "$ENABLED_ML_KEM" = "no" || test "$ENABLED_MLKEM" = "no"
then
ENABLED_PQC_HYBRIDS=no
elif test "$ENABLED_MLKEM768" = "" && test "$ENABLED_MLKEM1024" = ""; then
AC_MSG_NOTICE([PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024, but both disabled.])
ENABLED_PQC_HYBRIDS=no
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PQC_HYBRIDS"
fi
fi
if test "$ENABLED_ML_KEM" != "no" && test "$ENABLED_MLKEM" != "no"
then
if test "$ENABLED_PQC_HYBRIDS" = "no" && test "$ENABLED_MLKEM_STANDALONE" = "no" && test "$ENABLED_CRYPTONLY" = "no"
then
AC_MSG_ERROR([Both hybrid PQ/T and standalone ML-KEM are disabled, so no PQC hybrid combinations will be available.])
fi
fi
# Extra PQ/T Hybrid combinations
AC_ARG_ENABLE([extra-pqc-hybrids],
[AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
[ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
[ ENABLED_EXTRA_PQC_HYBRIDS=no ]
)
if test "$ENABLED_EXTRA_PQC_HYBRIDS" = "yes"
then
AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires --enable-experimental.]) ])
AS_IF([ test "$ENABLED_ML_KEM" = "no" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires ML-KEM.]) ])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
fi
# ML-DSA CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_MLDSA" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_MLDSA"
if test "$ENABLED_MLDSA44" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44"
fi
if test "$ENABLED_MLDSA65" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_65"
fi
if test "$ENABLED_MLDSA87" = ""; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87"
fi
if test "$ENABLED_MLDSA_MAKE_KEY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_MAKE_KEY"
fi
if test "$ENABLED_MLDSA_SIGN" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_SIGN"
fi
if test "$ENABLED_MLDSA_VERIFY" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_VERIFY"
fi
test "$enable_sha3" = "" && enable_sha3=yes
test "$enable_shake128" = "" && enable_shake128=yes
test "$enable_shake256" = "" && enable_shake256=yes
ENABLED_CERTS=yes
fi
# XMSS CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_XMSS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
fi
# LMS CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_LMS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
fi
# SLH-DSA CFLAG processing (after FIPS section for sandwich pattern)
if test "$ENABLED_SLHDSA" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SLHDSA"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SLHDSA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA"
if test "$SLHDSA_PARAM_128S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128S"
fi
if test "$SLHDSA_PARAM_128F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128F"
fi
if test "$SLHDSA_PARAM_192S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192S"
fi
if test "$SLHDSA_PARAM_192F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192F"
fi
if test "$SLHDSA_PARAM_256S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256S"
fi
if test "$SLHDSA_PARAM_256F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256F"
fi
# SHA2 parameter set support
if test "$SLHDSA_SHA2" = "yes"
then
# Dependency checks for SHA2 SLH-DSA
if test "$ENABLED_SHA256" = "no"
then
AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-256 (--enable-sha256)])
fi
if test "$ENABLED_SHA512" = "no"
then
AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-512 (--enable-sha512)])
fi
if test "$ENABLED_HMAC" = "no"
then
AC_MSG_ERROR([SLH-DSA SHA2 requires HMAC (--enable-hmac)])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_SHA2"
if test "$SLHDSA_PARAM_SHA2_128S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128S"
fi
if test "$SLHDSA_PARAM_SHA2_128F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128F"
fi
if test "$SLHDSA_PARAM_SHA2_192S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192S"
fi
if test "$SLHDSA_PARAM_SHA2_192F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192F"
fi
if test "$SLHDSA_PARAM_SHA2_256S" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256S"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256S"
fi
if test "$SLHDSA_PARAM_SHA2_256F" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256F"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256F"
fi
fi
# SLH-DSA requires SHAKE-256 (and SHA-3 as its dependency).
# This runs after the SHAKE256 flags section, so we must set both the
# ENABLED variable and emit the CFLAGS ourselves.
if test "$ENABLED_SHAKE256" = "no" || test "$ENABLED_SHAKE256" = ""
then
ENABLED_SHAKE256=yes
if test "$ENABLED_SHA3" = "no"
then
ENABLED_SHA3=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
fi
# Remove -DWOLFSSL_NO_SHAKE256 if it was already added and add the
# positive define.
AM_CFLAGS=$(echo "$AM_CFLAGS" | sed 's/-DWOLFSSL_NO_SHAKE256//g')
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
fi
fi
# set POLY1305 default
POLY1305_DEFAULT=yes
if test "x$ENABLED_FIPS" = "xyes"
then
POLY1305_DEFAULT=no
fi
# POLY1305
AC_ARG_ENABLE([poly1305],
[AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: enabled)])],
[ ENABLED_POLY1305=$enableval ],
[ ENABLED_POLY1305=$POLY1305_DEFAULT]
)
# leanpsk and leantls don't need poly1305
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_POLY1305=no
fi
if test "$ENABLED_POLY1305" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_POLY1305"
fi
# set CHACHA default
CHACHA_DEFAULT=yes
if test "x$ENABLED_FIPS" = "xyes"
then
CHACHA_DEFAULT=no
fi
# CHACHA
AC_ARG_ENABLE([chacha],
[AS_HELP_STRING([--enable-chacha],[Enable CHACHA (default: enabled). Use `=noasm` to disable asm speedups])],
[ ENABLED_CHACHA=$enableval ],
[ ENABLED_CHACHA=$CHACHA_DEFAULT]
)
# leanpsk and leantls don't need chacha
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_CHACHA=no
fi
if test "$ENABLED_CHACHA" = "noasm" || test "$ENABLED_ASM" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CHACHA_ASM"
fi
if test "$ENABLED_CHACHA" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CHACHA"
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CHACHA"
fi
# XCHACHA
AC_ARG_ENABLE([xchacha],
[AS_HELP_STRING([--enable-xchacha],[Enable XCHACHA (default: disabled).])],
[ ENABLED_XCHACHA=$enableval ],
[ ENABLED_XCHACHA=no]
)
if test "$ENABLED_XCHACHA" = "yes"
then
if test "$ENABLED_CHACHA" = "no"
then
AC_MSG_ERROR([XChaCha (--enable-xchacha) depends on ChaCha (--enable-chacha)])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_XCHACHA"
fi
# ASCON
AC_ARG_ENABLE([ascon],
[AS_HELP_STRING([--enable-ascon],[Enable ASCON (default: disabled).])],
[ ENABLED_ASCON=$enableval ],
[ ENABLED_ASCON=no]
)
if test "$ENABLED_ASCON" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ASCON"
fi
# PUF
AC_ARG_ENABLE([puf],
[AS_HELP_STRING([--enable-puf],[Enable SRAM PUF support (default: disabled)])],
[ ENABLED_PUF=$enableval ],
[ ENABLED_PUF=no ]
)
if test "$ENABLED_PUF" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUF -DWOLFSSL_PUF_SRAM"
AS_IF([test "$ENABLED_HKDF" != "yes"],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
fi
# PUF test mode
AC_ARG_ENABLE([puf-test],
[AS_HELP_STRING([--enable-puf-test],[Enable PUF test mode with synthetic data (default: disabled)])],
[ ENABLED_PUF_TEST=$enableval ],
[ ENABLED_PUF_TEST=no ]
)
if test "$ENABLED_PUF_TEST" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUF_TEST"
fi
# Hash DRBG (master switch for all Hash DRBGs)
AC_ARG_ENABLE([hashdrbg],
[AS_HELP_STRING([--enable-hashdrbg],[Enable Hash DRBG support (default: enabled)])],
[ ENABLED_HASHDRBG=$enableval ],
[ ENABLED_HASHDRBG=yes ]
)
# If hashdrbg is explicitly disabled, force both sub-options off
if test "x$ENABLED_HASHDRBG" = "xno"
then
ENABLED_SHA256_DRBG=no
ENABLED_SHA512_DRBG=no
fi
# If both sub-options are off, treat hashdrbg as off
if test "x$ENABLED_SHA256_DRBG" != "xyes" && test "x$ENABLED_SHA512_DRBG" != "xyes"
then
ENABLED_HASHDRBG=no
fi
# FIPS override: Hash DRBG is mandatory
if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" &&
test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no"
then
if test "$enable_hashdrbg" = "no"
then
AC_MSG_WARN([SHA256-DRBG required in FIPS build])
fi
ENABLED_HASHDRBG=yes
ENABLED_SHA256_DRBG=yes
fi
# SHA-512 DRBG and runtime DRBG disable/enable APIs are v7+ only
if test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 7
then
ENABLED_SHA512_DRBG=no
fi
# Set Hash DRBG compiler flags
if test "x$ENABLED_HASHDRBG" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
if test "x$ENABLED_SHA256_DRBG" != "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHA256_DRBG"
fi
if test "x$ENABLED_SHA512_DRBG" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DRBG_SHA512"
fi
else
AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
fi
# MemUse Entropy (AKA wolfEntropy)
if test "x$ENABLED_ENTROPY_MEMUSE" != "xno"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ENTROPY_MEMUSE"
enable_sha3=yes
for v in `echo $ENABLED_ENTROPY_MEMUSE | tr "," " "`
do
case $v in
yes)
;;
thread)
AM_CFLAGS="$AM_CFLAGS -DENTROPY_MEMUSE_THREAD"
;;
nofallback)
AM_CFLAGS="$AM_CFLAGS -DENTROPY_MEMUSE_FORCE_FAILURE"
;;
*)
AC_MSG_ERROR([Invalid MemUse Entropy option. Valid are: thread, nofallback. Seen: $ENABLED_ENTROPY_MEMUSE.])
break;;
esac
done
fi
if (test "$ENABLED_RNG" = "yes" && test "$ENABLED_ENTROPY_MEMUSE" != "no") || test "$ENABLED_BENCHMARK" = "yes"
then
AC_SEARCH_LIBS([clock_gettime],[rt])
fi
# Filesystem Build
if test "$HAVE_KERNEL_MODE" = "yes"
then
ENABLED_FILESYSTEM_DEFAULT=no
else
ENABLED_FILESYSTEM_DEFAULT=yes
fi
AC_ARG_ENABLE([filesystem],
[AS_HELP_STRING([--enable-filesystem],[Enable Filesystem support (default: enabled)])],
[ ENABLED_FILESYSTEM=$enableval ],
[ ENABLED_FILESYSTEM=$ENABLED_FILESYSTEM_DEFAULT ]
)
if test "$ENABLED_FILESYSTEM" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
else
# turn off filesystem if leanpsk on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LINUXKM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
ENABLED_FILESYSTEM=no
fi
fi
# C89 build
AC_ARG_ENABLE([c89],
[AS_HELP_STRING([--enable-c89],[Build with C89 toolchain (default: disabled)])],
[ ENABLED_C89=$enableval ],
[ ENABLED_C89=no ]
)
if test "$ENABLED_C89" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLF_C89"
test "$enable_inline" = "" && enable_inline=no
fi
# inline Build
AC_ARG_ENABLE([inline],
[AS_HELP_STRING([--enable-inline],[Enable inline functions (default: enabled)])],
[ ENABLED_INLINE=$enableval ],
[ ENABLED_INLINE=yes ]
)
if test "$ENABLED_INLINE" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_INLINE"
fi
# OCSP
if test "x$ENABLED_OPENSSLALL" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_MOSQUITTO" = "xyes"
then
test "$enable_ocsp" = "" && enable_ocsp=yes
fi
AC_ARG_ENABLE([ocsp],
[AS_HELP_STRING([--enable-ocsp],[Enable OCSP (default: disabled)])],
[ ENABLED_OCSP=$enableval ],
[ ENABLED_OCSP=no ]
)
# Certificate Status Request : a.k.a. OCSP Stapling
AC_ARG_ENABLE([ocspstapling],
[AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling ((options: yes, no-multi, no, disabled default: disabled)])],
[ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
[ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
)
AS_CASE([$ENABLED_CERTIFICATE_STATUS_REQUEST],
[no],[
ENABLED_CERTIFICATE_STATUS_REQUEST="no"
ENABLED_TLS_OCSP_MULTI="no"
],
[disabled],[
ENABLED_CERTIFICATE_STATUS_REQUEST="no"
ENABLED_TLS_OCSP_MULTI="no"
],
[yes],[
ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
ENABLED_TLS_OCSP_MULTI="yes"
],
[no-multi],[
ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
ENABLED_TLS_OCSP_MULTI="no"
])
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \
test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \
test "x$ENABLED_MOSQUITTO" = "xyes"
then
ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
fi
if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST"
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
fi
# Certificate Status Request v2 : a.k.a. OCSP stapling v2
AC_ARG_ENABLE([ocspstapling2],
[AS_HELP_STRING([--enable-ocspstapling2],[Enable OCSP Stapling v2 (default: disabled)])],
[ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ],
[ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ]
)
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"
then
ENABLED_CERTIFICATE_STATUS_REQUEST_V2=yes
fi
if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2"
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
fi
AC_ARG_ENABLE([ocsp-responder],
[AS_HELP_STRING([--enable-ocsp-responder],[Enable OCSP Responder (default: disabled)])],
[ ENABLED_OCSP_RESPONDER=$enableval ],
[ ENABLED_OCSP_RESPONDER=no ]
)
if test "x$ENABLED_OCSP_RESPONDER" = "xyes"
then
ENABLED_OCSP="yes"
ENABLED_CERTGEN="yes"
fi
# CRL
AC_ARG_ENABLE([crl],
[AS_HELP_STRING([--enable-crl],[Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)])],
[ ENABLED_CRL=$enableval ],
[ ENABLED_CRL=no ]
)
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || \
test "x$ENABLED_OPENVPN" = "xyes" || test "x$ENABLED_WPAS" != "xno" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \
test "x$ENABLED_KRB" = "xyes" || test "x$ENABLED_STRONGSWAN" = "xyes" || \
test "x$ENABLED_MOSQUITTO" = "xyes"
then
ENABLED_CRL=yes
fi
if test "$ENABLED_CRL" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "$ENABLED_CRL" = "io"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO"
fi
# CRL Monitor
AC_ARG_ENABLE([crl-monitor],
[AS_HELP_STRING([--enable-crl-monitor],[Enable CRL Monitor (default: disabled)])],
[ ENABLED_CRL_MONITOR=$enableval ],
[ ENABLED_CRL_MONITOR=no ]
)
if test "$ENABLED_CRL_MONITOR" = "yes"
then
case $host_os in
*linux* | *darwin* | *freebsd*)
if test "x$ENABLED_SINGLETHREADED" = "xno"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_MONITOR"
else
ENABLED_CRL_MONITOR="no"
AC_MSG_ERROR([crl monitor requires threading / pthread])
fi
;;
*)
if test "x$ENABLED_DISTRO" = "xyes" ; then
ENABLED_CRL_MONITOR="no"
else
AC_MSG_ERROR( [crl monitor only allowed on linux, OS X, or freebsd])
fi
break;;
esac
fi
# Whitewood netRandom client library
ENABLED_WNR="no"
trywnrdir=""
AC_ARG_WITH([wnr],
[AS_HELP_STRING([--with-wnr=PATH],[Path to Whitewood netRandom install (default /usr/local)])],
[
AC_MSG_CHECKING([for Whitewood netRandom])
LIBS="$LIBS -lwnr"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <wnr.h>]], [[ wnr_setup(0, 0); ]])], [ wnr_linked=yes ],[ wnr_linked=no ])
if test "x$wnr_linked" = "xno" ; then
if test "x$withval" != "xno" ; then
trywnrdir=$withval
fi
if test "x$withval" = "xyes" ; then
trywnrdir="/usr/local"
fi
CPPFLAGS="$AM_CPPFLAGS -DHAVE_WNR -I$trywnrdir/include"
LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$trywnrdir/lib"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <wnr.h>]], [[ wnr_setup(0, 0); ]])], [ wnr_linked=yes ],[ wnr_linked=no ])
if test "x$wnr_linked" = "xno" ; then
AC_MSG_ERROR([Whitewood netRandom isn't found.
If it's already installed, specify its path using --with-wnr=/dir/])
fi
AC_MSG_RESULT([yes])
AM_CPPFLAGS="$CPPFLAGS"
AM_LDFLAGS="$AM_LDFLAGS -L$trywnrdir/lib"
else
AC_MSG_RESULT([yes])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_WNR"
ENABLED_WNR="yes"
]
)
# SNI
# enable SNI automatically for x86_64/x86/aarch64/amd64
SNI_DEFAULT=no
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "x86" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
then
SNI_DEFAULT=yes
fi
if test "$ENABLED_TLS" = "no"
then
SNI_DEFAULT=no
fi
AC_ARG_ENABLE([sni],
[AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])],
[ ENABLED_SNI=$enableval ],
[ ENABLED_SNI=$SNI_DEFAULT ]
)
if test "x$ENABLED_QT" = "xyes" || test "$ENABLED_QUIC" = "yes"
then
ENABLED_SNI="yes"
fi
if test "x$ENABLED_SNI" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"
fi
# Maximum Fragment Length
AC_ARG_ENABLE([maxfragment],
[AS_HELP_STRING([--enable-maxfragment],[Enable Maximum Fragment Length (default: disabled)])],
[ ENABLED_MAX_FRAGMENT=$enableval ],
[ ENABLED_MAX_FRAGMENT=no ]
)
# ALPN
AC_ARG_ENABLE([alpn],
[AS_HELP_STRING([--enable-alpn],[Enable ALPN (default: disabled)])],
[ ENABLED_ALPN=$enableval ],
[ ENABLED_ALPN=no ]
)
if test "$ENABLED_BIND" = "yes"
then
ENABLED_ALPN=yes
fi
if test "$ENABLED_QUIC" = "yes"
then
ENABLED_ALPN=yes
fi
if test "x$ENABLED_ALPN" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
fi
# Maximum Fragment Length
if test "x$ENABLED_MAX_FRAGMENT" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_MAX_FRAGMENT"
fi
# Trusted CA Indication Extension
AC_ARG_ENABLE([trustedca],
[AS_HELP_STRING([--enable-trustedca],[Enable Trusted CA Indication (default: disabled)])],
[ ENABLED_TRUSTED_CA=$enableval ],[ ENABLED_TRUSTED_CA=no ])
AS_IF([test "x$ENABLED_TRUSTED_CA" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUSTED_CA"])
# Truncated HMAC
AC_ARG_ENABLE([truncatedhmac],
[AS_HELP_STRING([--enable-truncatedhmac],[Enable Truncated HMAC (default: disabled)])],
[ ENABLED_TRUNCATED_HMAC=$enableval ],
[ ENABLED_TRUNCATED_HMAC=no ]
)
if test "x$ENABLED_TRUNCATED_HMAC" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC"
fi
# Renegotiation Indication - (FAKE Secure Renegotiation)
# Client will send TLS_EMPTY_RENEGOTIATION_INFO_SCSV, not supported
# with enabling secure renegotiation
AC_ARG_ENABLE([renegotiation-indication],
[AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication for client via empty cipher (default: disabled)])],
[ ENABLED_RENEGOTIATION_INDICATION=$enableval ],
[ ENABLED_RENEGOTIATION_INDICATION=no ]
)
if test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_RENEGOTIATION_INDICATION"
fi
# Secure Renegotiation
AC_ARG_ENABLE([secure-renegotiation],
[AS_HELP_STRING([--enable-secure-renegotiation],[Enable Secure Renegotiation (default: disabled)])],
[ ENABLED_SECURE_RENEGOTIATION=$enableval ],
[ ENABLED_SECURE_RENEGOTIATION=no ]
)
if test "x$ENABLED_HAPROXY" = "xyes"
then
ENABLED_SECURE_RENEGOTIATION=yes
fi
if test "x$ENABLED_SECURE_RENEGOTIATION" = "xyes"
then
if test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"
then
AC_MSG_ERROR([cannot enable renegotiation-indication and secure-renegotiation.])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO"
fi
# Secure Renegotiation Info
AC_ARG_ENABLE([secure-renegotiation-info],
[AS_HELP_STRING([--enable-secure-renegotiation-info],[Enable Secure Renegotiation info extension (default: enabled)])],
[ ENABLED_SECURE_RENEGOTIATION_INFO=$enableval ],
[ ENABLED_SECURE_RENEGOTIATION_INFO=yes ]
)
# Fallback SCSV
AC_ARG_ENABLE([fallback-scsv],
[AS_HELP_STRING([--enable-fallback-scsv],[Enable Fallback SCSV (default: disabled)])],
[ ENABLED_FALLBACK_SCSV=$enableval ],
[ ENABLED_FALLBACK_SCSV=no ]
)
if test "x$ENABLED_FALLBACK_SCSV" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_FALLBACK_SCSV"
fi
# Exporting Keying Material
AC_ARG_ENABLE([keying-material],
[AS_HELP_STRING([--enable-keying-material],[Enable Keying Material Exporters (default: disabled)])],
[ ENABLED_KEYING_MATERIAL=$enableval ],
[ ENABLED_KEYING_MATERIAL=no ]
)
if test "$ENABLED_CHRONY" = "yes" || test "$ENABLED_SRTP" = "yes"
then
ENABLED_KEYING_MATERIAL=yes
fi
if test "x$ENABLED_KEYING_MATERIAL" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL"
fi
# Supported Elliptic Curves Extensions
AC_ARG_ENABLE([supportedcurves],
[AS_HELP_STRING([--enable-supportedcurves],[Enable Supported Elliptic Curves (default: enabled)])],
[ENABLED_SUPPORTED_CURVES=$enableval],
[ENABLED_SUPPORTED_CURVES=yes])
if test "x$ENABLED_SUPPORTED_CURVES" = "xyes"
then
AS_IF([test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && test "x$ENABLED_CURVE448" = "xno"],
[ENABLED_SUPPORTED_CURVES=no],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES"])
fi
# Diffie-Hellman
if test "$ENABLED_DH" != "no"
then
if test "$ENABLED_TLS13" = "yes" || test "$ENABLED_SUPPORTED_CURVES" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048"
fi
fi
# FFDHE parameters only
AC_ARG_ENABLE([ffdhe-only],
[AS_HELP_STRING([--enable-ffdhe-only],[Enable using only FFDHE in client (default: disabled)])],
[ ENABLED_FFDHE_ONLY=$enableval ],
[ ENABLED_FFDHE_ONLY=no ]
)
if test "x$ENABLED_FFDHE_ONLY" = "xyes"
then
if test "$ENABLED_DH" = "no"
then
AC_MSG_ERROR([FFDHE only support requires DH support])
fi
if test "$ENABLED_SUPPORTED_CURVES" = "no"
then
AC_MSG_ERROR([FFDHE only support requires Supported Curves extension])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE"
fi
# TLS 1.3 Requires either ECC or (RSA/DH), or CURVE25519/ED25519 or CURVE448/ED448 or ML-KEM
if test "x$ENABLED_PSK" = "xno" && test "x$ENABLED_ECC" = "xno" && \
(test "x$ENABLED_RSA" = "xno" || test "x$ENABLED_DH" = "xno") && \
(test "x$ENABLED_CURVE25519" = "xno" || test "x$ENABLED_ED25519" = "xno") && \
(test "x$ENABLED_CURVE448" = "xno" || test "x$ENABLED_ED448" = "xno") && \
test "x$ENABLED_MLKEM" = "xno"
then
# disable TLS 1.3
ENABLED_TLS13=no
fi
# DTLSv1.3 cannot survive a downgrade of TLS 1.3.
if test "x$ENABLED_DTLS13" = "xyes" && test "x$ENABLED_TLS13" = "xno"
then
AC_MSG_ERROR([--enable-dtls13 requires TLS 1.3, but TLS 1.3 was disabled by an earlier prerequisite check (no key-exchange or signature algorithms reachable). Enable at least one of ECC, RSA+DH, Curve25519+Ed25519, Curve448+Ed448, PSK, or ML-KEM.])
fi
if test "$ENABLED_TLS13" = "yes" && (test "x$ENABLED_ECC" = "xyes" || \
test "$ENABLED_DH" != "no" || test "x$ENABLED_MLKEM" = "xyes")
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"
fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS"
fi
# Session Ticket Extension
AC_ARG_ENABLE([session-ticket],
[AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])],
[ ENABLED_SESSION_TICKET=$enableval ],
[ ENABLED_SESSION_TICKET=no ]
)
if test "x$ENABLED_NGINX" = "xyes" || test "$ENABLED_WPAS" = "yes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"
then
ENABLED_SESSION_TICKET=yes
fi
if test "x$ENABLED_SESSION_TICKET" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SESSION_TICKET"
fi
AC_ARG_ENABLE([ticket-nonce-malloc],
[AS_HELP_STRING([--enable-ticket-nonce-malloc], [Enable dynamic allocation of ticket nonces (default: disabled)])],
[ ENABLED_TICKET_NONCE_MALLOC=$enableval ],
[ ENABLED_TICKET_NONCE_MALLOC=no_implicit ]
)
if test "$ENABLED_TICKET_NONCE_MALLOC" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TICKET_NONCE_MALLOC"
fi
# Extended Master Secret Extension
AC_ARG_ENABLE([extended-master],
[AS_HELP_STRING([--enable-extended-master],[Enable Extended Master Secret (default: enabled)])],
[ ENABLED_EXTENDED_MASTER=$enableval ],
[ ENABLED_EXTENDED_MASTER=yes ]
)
if test "$ENABLED_CRYPTONLY" = "yes"
then
ENABLED_EXTENDED_MASTER=no
fi
if test "x$ENABLED_EXTENDED_MASTER" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_EXTENDED_MASTER"
fi
# TLS Extensions
AC_ARG_ENABLE([tlsx],
[AS_HELP_STRING([--enable-tlsx],[Enable all TLS Extensions (default: disabled)])],
[ ENABLED_TLSX=$enableval ],
[ ENABLED_TLSX=no ]
)
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_SIGNAL" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_CHRONY" = "yes"
then
ENABLED_TLSX=yes
fi
if test "x$ENABLED_TLSX" = "xyes"
then
ENABLED_SNI=yes
ENABLED_MAX_FRAGMENT=yes
ENABLED_TRUNCATED_HMAC=yes
ENABLED_ALPN=yes
ENABLED_TRUSTED_CA=yes
ENABLED_ENCRYPT_THEN_MAC=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
# Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" != "xno" || test "$ENABLED_CURVE25519" != "no" || test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
[ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi
# Early Data handshake in TLS v1.3 and above
AC_ARG_ENABLE([earlydata],
[AS_HELP_STRING([--enable-earlydata],[Enable Early Data handshake with wolfSSL TLS v1.3 (default: disabled)])],
[ ENABLED_TLS13_EARLY_DATA=$enableval ],
[ ENABLED_TLS13_EARLY_DATA=no ]
)
if test "$ENABLED_TLS13_EARLY_DATA" = "group"
then
ENABLED_TLS13_EARLY_DATA="yes"
# Group EarlyData with ClientHello
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EARLY_DATA_GROUP"
fi
if test "$ENABLED_TLS13_EARLY_DATA" = "yes"
then
if test "x$ENABLED_TLS13" = "xno" && test "x$ENABLED_ALL" = "xno"
then
AC_MSG_ERROR([cannot enable earlydata without enabling tls13.])
fi
if test "x$ENABLED_SESSION_TICKET" = "xno" && test "x$ENABLED_PSK" = "xno"
then
AC_MSG_ERROR([cannot enable earlydata without enabling session tickets and/or PSK.])
fi
if test "x$ENABLED_TLS13" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EARLY_DATA"
fi
fi
if test "$ENABLED_TLSV12" = "no" && test "$ENABLED_TLS13" = "yes" && test "x$ENABLED_SESSION_TICKET" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE"
fi
# PKCS7
AC_ARG_ENABLE([pkcs7],
[AS_HELP_STRING([--enable-pkcs7],[Enable PKCS7 (default: disabled)])],
[ ENABLED_PKCS7=$enableval ],
[ ENABLED_PKCS7=no ]
)
if test "x$ENABLED_WPAS_DPP" = "xyes"
then
ENABLED_PKCS7=yes
fi
# wolfSSH Options
AC_ARG_ENABLE([wolfssh],
[AS_HELP_STRING([--enable-wolfssh],[Enable wolfSSH options (default: disabled)])],
[ ENABLED_WOLFSSH=$enableval ],
[ ENABLED_WOLFSSH=no ]
)
AC_ARG_ENABLE([ssh],
[AS_HELP_STRING([--enable-ssh],[Enable wolfSSH options (default: disabled)])],
[ ENABLED_SSH=$enableval ],
[ ENABLED_SSH=no ]
)
if test "x$ENABLED_SSH" = "xyes"
then
ENABLED_WOLFSSH="yes"
fi
# wolfTPM Options
AC_ARG_ENABLE([wolftpm],
[AS_HELP_STRING([--enable-wolftpm],[Enable wolfTPM options (default: disabled)])],
[ ENABLED_WOLFTPM=$enableval ],
[ ENABLED_WOLFTPM=no ]
)
# wolfCLU Options
AC_ARG_ENABLE([wolfclu],
[AS_HELP_STRING([--enable-wolfclu],[Enable wolfCLU options (default: disabled)])],
[ ENABLED_WOLFCLU=$enableval ],
[ ENABLED_WOLFCLU=no ]
)
if test "x$ENABLED_WOLFTPM" = "xyes"
then
# Requires cryptocb (set in its enable section)
# Requires certgen, certreq, certext
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
# Requires PKCS7
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
fi
# Requires aescfb
if test "x$ENABLED_AESCFB" = "xno"
then
ENABLED_AESCFB="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"
fi
# Requires public mp_
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
# Requires allowing CA:FALSE in BasicConstraints
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_ENCODING_CA_FALSE"
fi
if test "x$ENABLED_SMIME" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_SMIME"
# Requires PKCS7
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
fi
fi
# Simple Certificate Enrollment Protocol (SCEP)
AC_ARG_ENABLE([scep],
[AS_HELP_STRING([--enable-scep],[Enable wolfSCEP (default: disabled)])],
[ ENABLED_WOLFSCEP=$enableval ],
[ ENABLED_WOLFSCEP=no ]
)
# Secure Remote Password
AC_ARG_ENABLE([srp],
[AS_HELP_STRING([--enable-srp],[Enable Secure Remote Password (default: disabled)])],
[ ENABLED_SRP=$enableval ],
[ ENABLED_SRP=no ]
)
if test "x$ENABLED_SRP" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP"
fi
# Indefinite length encoded BER message support
AC_ARG_ENABLE([indef],
[AS_HELP_STRING([--enable-indef],[Enable parsing of indefinite length encoded msgs (default: disabled)])],
[ ENABLED_BER_INDEF=$enableval ],
[ ENABLED_BER_INDEF=no ]
)
if test "x$ENABLED_BER_INDEF" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DASN_BER_TO_DER"
fi
# Alternate certification chains, as opposed to requiring full chain validation.
# Certificate validation behavior is relaxed, similar to openssl and
# browsers. Only the peer certificate must validate to a trusted
# certificate. Without this, all certificates sent by a peer must be
# used in the trust chain or the connection will be rejected.
AC_ARG_ENABLE([altcertchains],
[AS_HELP_STRING([--enable-altcertchains],[Enable using alternative certificate chains, only require leaf certificate to validate to trust root (default: disabled)])],
[ ENABLED_ALT_CERT_CHAINS=$enableval ],
[ ENABLED_ALT_CERT_CHAINS=no ]
)
if test "x$ENABLED_ALT_CERT_CHAINS" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
fi
# Small Stack - Cache on object
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
ENABLED_SMALL_STACK_CACHE_DEFAULT=yes
else
ENABLED_SMALL_STACK_CACHE_DEFAULT=no
fi
AC_ARG_ENABLE([smallstackcache],
[AS_HELP_STRING([--enable-smallstackcache],[Enable Small Stack Usage Caching (default: disabled)])],
[ ENABLED_SMALL_STACK_CACHE=$enableval ],
[ ENABLED_SMALL_STACK_CACHE=$ENABLED_SMALL_STACK_CACHE_DEFAULT ]
)
if test "x$ENABLED_SMALL_STACK_CACHE" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SMALL_STACK_CACHE"
fi
# Small Stack
if test "$KERNEL_MODE_DEFAULTS" = "yes"
then
ENABLED_SMALL_STACK_DEFAULT=yes
else
ENABLED_SMALL_STACK_DEFAULT=no
fi
AC_ARG_ENABLE([smallstack],
[AS_HELP_STRING([--enable-smallstack],[Enable Small Stack Usage (default: disabled)])],
[ ENABLED_SMALL_STACK=$enableval ],
[ ENABLED_SMALL_STACK=$ENABLED_SMALL_STACK_DEFAULT ]
)
if test "x$ENABLED_SMALL_STACK_CACHE" = "xyes"
then
ENABLED_SMALL_STACK=yes
fi
if test "x$ENABLED_SMALL_STACK" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SMALL_STACK"
fi
#valgrind
AC_ARG_ENABLE([valgrind],
[AS_HELP_STRING([--enable-valgrind],[Enable valgrind for unit tests (default: disabled)])],
[ ENABLED_VALGRIND=$enableval ],
[ ENABLED_VALGRIND=no ]
)
if test "$ENABLED_VALGRIND" = "yes"
then
AC_CHECK_PROG([HAVE_VALGRIND],[valgrind],[yes],[no])
if test "$HAVE_VALGRIND" = "no"
then
AC_MSG_ERROR([Valgrind not found.])
fi
enable_shared=no
enable_static=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_VALGRIND"
fi
# Test certs, use internal cert functions for extra testing
AC_ARG_ENABLE([testcert],
[AS_HELP_STRING([--enable-testcert],[Enable Test Cert (default: disabled)])],
[ ENABLED_TESTCERT=$enableval ],
[ ENABLED_TESTCERT=no ]
)
if test "$ENABLED_TESTCERT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TEST_CERT"
fi
# I/O Pool, an example to show user how to override memory handler and use
# a pool for the input/output buffer requests
AC_ARG_ENABLE([iopool],
[AS_HELP_STRING([--enable-iopool],[Enable I/O Pool example (default: disabled)])],
[ ENABLED_IOPOOL=$enableval ],
[ ENABLED_IOPOOL=no ]
)
if test "$ENABLED_IOPOOL" = "yes"
then
if test "$thread_ls_on" = "no"
then
AC_MSG_ERROR([I/O Pool example requires Thread Local Storage])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_IO_POOL -DXMALLOC_USER"
fi
# Certificate Service Support
if test "$ENABLED_CERT_SERVICE" = "yes"
then
# Requires ecc,certgen, and opensslextra make sure on
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_ECC" = "xno"
then
ENABLED_ECC="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
if test "$ENABLED_ECC_SHAMIR" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
fi
fi
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_CERT_SERVICE"
fi
# wolfSSL JNI
AC_ARG_ENABLE([jni],
[AS_HELP_STRING([--enable-jni],[Enable wolfSSL JNI (default: disabled)])],
[ ENABLED_JNI=$enableval ],
[ ENABLED_JNI=no ]
)
if test "$ENABLED_JNI" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_JNI"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_MIDDLEBOX_COMPAT"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
# Enable openssl compat layer AES-CTS to maintain FIPS compatibility
AM_CFLAGS="$AM_CFLAGS -DHAVE_CTS"
# Enable prereqs if not already enabled
if test "x$ENABLED_DTLS" = "xno"
then
ENABLED_DTLS="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
fi
if test "x$ENABLED_DTLS13" = "xno"
then
ENABLED_DTLS13="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_DROP_STATS"
if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
ENABLED_SEND_HRR_COOKIE="yes"
fi
if test "x$ENABLED_MLKEM" != "xno" && test "x$ENABLED_DTLS_CH_FRAG" != "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
ENABLED_DTLS_CH_FRAG="yes"
fi
if test "x$ENABLED_AES" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
fi
if test "x$ENABLED_DTLS_MTU" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_MTU"
fi
if test "x$ENABLED_OPENSSLEXTRA" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
if test "x$ENABLED_OPENSSLALL" = "xno"
then
ENABLED_OPENSSLALL="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL"
fi
if test "x$ENABLED_CRL" = "xno"
then
ENABLED_CRL="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
if test "x$ENABLED_CRL_MONITOR" = "xno" && test "x$ENABLED_DISTRO" = "xno"
then
ENABLED_CRL_MONITOR="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_MONITOR"
fi
if test "x$ENABLED_SAVESESSION" = "xno"
then
ENABLED_SAVESESSION="yes"
AM_CFLAGS="$AM_CFLAGS -DPERSIST_SESSION_CACHE"
fi
if test "x$ENABLED_SAVECERT" = "xno"
then
ENABLED_SAVECERT="yes"
AM_CFLAGS="$AM_CFLAGS -DPERSIST_CERT_CACHE"
fi
if test "x$ENABLED_ATOMICUSER" = "xno"
then
ENABLED_ATOMICUSER="yes"
AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
fi
if test "x$ENABLED_ECC" = "xno"
then
ENABLED_ECC="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
if test "$ENABLED_ECC_SHAMIR" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
fi
fi
# Do not enable PK Callbacks in FIPS mode with JNI
if test "x$ENABLED_PKCALLBACKS" = "xno" && test "$ENABLED_FIPS" = "no"
then
ENABLED_PKCALLBACKS="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_PK_CALLBACKS"
fi
if test "x$ENABLED_DH" = "xno"
then
ENABLED_DH="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_DH"
fi
if test "x$ENABLED_PSK" = "xno"
then
ENABLED_PSK="yes"
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
# wolfCrypt JNI/JCE uses keygen, enable by default here so
# both JCE and JSSE builds can use --enable-jni
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
if test "x$ENABLED_SNI" = "xno"
then
ENABLED_SNI="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"
fi
if test "x$ENABLED_ALPN" = "xno"
then
ENABLED_ALPN="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ALPN"
fi
if test "x$ENABLED_ALT_CERT_CHAINS" = "xno"
then
ENABLED_ALT_CERT_CHAINS="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
fi
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
# cert gen requires alt names
ENABLED_ALTNAMES="yes"
fi
if test "$ENABLED_LIGHTY" = "yes"
then
# Requires opensslextra make sure on
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_LIGHTY -DHAVE_WOLFSSL_SSL_H=1"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
# recommended if building wolfSSL specifically for use by lighttpd
if test "x$ENABLED_ALL" = "xno"; then
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_COMP"
if test "x$ENABLED_SSLV3" = "xno"; then
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL3"
if test "x$ENABLED_TLSV10" = "xno"; then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
ENABLED_OLD_TLS=no
fi
fi
if test "x$ENABLED_CRL_MONITOR" = "xno"; then
AM_CFLAGS="$AM_CFLAGS -DSINGLE_THREADED"
ENABLED_SINGLETHREADED="yes"
fi
# w/ lighttpd 1.4.56 once wolfSSL updated to expose non-filesystem funcs
#AM_CFLAGS="$AM_CFLAGS -DNO_BIO"
#AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
#ENABLED_FILESYSTEM=no
fi
fi
if test "$ENABLED_NGINX" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NGINX -DWOLFSSL_SIGNER_DER_CERT"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL"
fi
if test "$ENABLED_HAPROXY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY -DOPENSSL_COMPATIBLE_DEFAULTS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT -DWOLFSSL_KEEP_RNG_SEED_FD_OPEN"
# --enable-all defines its own DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS
if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"
then
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
fi
# Requires opensslextra and opensslall
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLALL="yes"
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
# Requires sessioncerts make sure on
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
# Requires key gen make sure on
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
fi
if test "$ENABLED_NETSNMP" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
if test "x$ENABLED_AESCFB" = "xno"
then
ENABLED_AESCFB="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"
fi
if test "x$ENABLED_DTLS" = "xno"
then
ENABLED_DTLS="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
fi
fi
if test "$ENABLED_KRB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KRB -DWOLFSSL_AES_DIRECT"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
# Requires PKCS7
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
fi
fi
if test "$ENABLED_FFMPEG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FFMPEG -DOPENSSL_COMPATIBLE_DEFAULTS"
fi
if test "$ENABLED_SIGNAL" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNAL -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT"
# Requires opensslextra make sure on
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
fi
if test "$ENABLED_BIND" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BIND -DWOLFSSL_DSA_768_MODULUS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224 -DWOLFSSL_SHA384 -DWOLFSSL_SHA512"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS"
ENABLED_SHA224="yes"
ENABLED_SHA384="yes"
ENABLED_SHA512="yes"
fi
if test "$ENABLED_RSYSLOG" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSYSLOG -DWOLFSSL_ERROR_CODE_OPENSSL"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DOPENSSL_COMPATIBLE_DEFAULTS"
fi
if test "$ENABLED_OPENVPN" = "yes"
then
ENABLED_SUPPORTED_CURVES="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENVPN -DHAVE_KEYING_MATERIAL"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DWOLFSSL_KEY_GEN"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
fi
if test "$ENABLED_HITCH" = "yes"
then
# Requires opensslextra make sure on
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
# Requires ALPN
if test "x$ENABLED_ALPN" = "xno"
then
ENABLED_ALPN="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
fi
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
# Requires sessioncerts make sure on
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HITCH -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_CIPHER_INTERNALNAME"
fi
if test "$ENABLED_MEMCACHED" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SESSION_ID_CTX"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE -DHAVE_MEMCACHED"
fi
if test "$ENABLED_NGINX" = "yes"|| test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT -DKEEP_PEER_CERT"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE -DHAVE_EX_DATA"
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \
test "$ENABLED_WPAS" = "yes" || test "$ENABLED_QT" = "yes"
then
test "$enable_arc4" = "" && enable_arc4=yes
fi
if test "$ENABLED_ARC4" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
else
# turn off ARC4 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
ENABLED_ARC4=no
fi
fi
# Asio Support
AC_ARG_ENABLE([asio],
[AS_HELP_STRING([--enable-asio],[Enable asio (default: disabled)])],
[ ENABLED_ASIO=$enableval ],
[ ENABLED_ASIO=no ]
)
if test "$ENABLED_ASIO" = "yes"
then
# Requires opensslextra and opensslall
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLALL="yes"
ENABLED_OPENSSLEXTRA="yes"
ENABLED_MD5="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASIO -DASIO_USE_WOLFSSL -DWOLFSSL_KEY_GEN"
AM_CFLAGS="$AM_CFLAGS -DBOOST_ASIO_USE_WOLFSSL -DHAVE_EX_DATA"
AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1_2"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3"
if test "$ENABLED_TLSV10" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1"
fi
if test "$ENABLED_OLD_TLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1_1"
fi
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
fi
# Apache HTTPD
AC_ARG_ENABLE([apachehttpd],
[AS_HELP_STRING([--enable-apachehttpd],[Enable Apache httpd (default: disabled)])],
[ ENABLED_APACHE_HTTPD=$enableval ],
[ ENABLED_APACHE_HTTPD=no ]
)
if test "$ENABLED_APACHE_HTTPD" = "yes"
then
# Requires opensslextra and opensslall
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLALL="yes"
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_APACHE_HTTPD"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_COMP"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
# Requires sessioncerts make sure on
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
# Requires ALPN
if test "x$ENABLED_ALPN" = "xno"
then
ENABLED_ALPN="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
fi
# Requires CRL
if test "x$ENABLED_CRL" = "xno"
then
ENABLED_CRL="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
# Requires Certificate Generation, Request and Extensions
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
# Requires Secure Renegotiation
if test "x$ENABLED_SECURE_RENEGOTIATION" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO"
fi
fi
# Encrypt-Then-Mac
AC_ARG_ENABLE([enc-then-mac],
[AS_HELP_STRING([--enable-enc-then-mac],[Enable Encrypt-Then-Mac extension (default: enabled)])],
[ ENABLED_ENCRYPT_THEN_MAC=$enableval ],
[ ENABLED_ENCRYPT_THEN_MAC=yes ]
)
if test "x$ENABLED_TLSX" = "xyes"
then
ENABLED_ENCRYPT_THEN_MAC=yes
fi
if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
fi
# stunnel Support
AC_ARG_ENABLE([stunnel],
[AS_HELP_STRING([--enable-stunnel],[Enable stunnel (default: disabled)])],
[ ENABLED_STUNNEL=$enableval ],
[ ENABLED_STUNNEL=no ]
)
if test "$ENABLED_WPAS" = "yes"
then
ENABLED_STUNNEL="yes"
fi
# stunnel support requires all the features enabled within this conditional.
if test "$ENABLED_STUNNEL" = "yes"
then
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
if test "x$ENABLED_SESSION_TICKET" = "xno"
then
ENABLED_SESSION_TICKET="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_SESSION_TICKET"
fi
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
if test "x$ENABLED_CODING" = "xno"
then
ENABLED_CODING="yes"
fi
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
if test "x$ENABLED_CRL" = "xno"
then
ENABLED_CRL="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -lt 5)
then
ENABLED_DES3="yes"
fi
if test "x$ENABLED_TLSX" = "xno"
then
ENABLED_TLSX="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC"
# Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" != "xno" || test "$ENABLED_CURVE25519" != "no"],
[ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi
if test "x$ENABLED_ECC" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
ENABLED_ECC="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
if test "$ENABLED_ECC_SHAMIR" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
fi
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
if test "x$ENABLED_MD5" = "xno"
then
ENABLED_MD5="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI -DHAVE_EX_DATA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_TICKET_HAVE_ID"
fi
# curl Support
AC_ARG_ENABLE([curl],
[AS_HELP_STRING([--enable-curl],[Enable curl (default: disabled)])],
[ ENABLED_CURL=$enableval ],
[ ENABLED_CURL=no ]
)
# curl support requires all the features enabled within this conditional.
if test "$ENABLED_CURL" = "yes"
then
if test "$ENABLED_MD4" = "no"
then
ENABLED_MD4="yes"
fi
if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -lt 5)
then
ENABLED_DES3="yes"
fi
if test "x$ENABLED_ALPN" = "xno"
then
ENABLED_ALPN="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ALPN"
fi
if test "x$ENABLED_EX_DATA" = "xno"
then
ENABLED_EX_DATA="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
fi
if test "x$ENABLED_WOLFSSH" = "xno"
then
ENABLED_WOLFSSH="yes"
fi
if test "x$ENABLED_OPENSSLEXTRA" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
fi
if test "x$ENABLED_CRL" = "xno"
then
ENABLED_CRL="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xno"
then
ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST"
fi
if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xno"
then
ENABLED_CERTIFICATE_STATUS_REQUEST_V2="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2"
fi
if test "x$ENABLED_SNI" = "xno"
then
ENABLED_SNI="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"
fi
if test "x$ENABLED_ALT_CERT_CHAINS" = "xno"
then
ENABLED_ALT_CERT_CHAINS="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
fi
if test "x$ENABLE_IP_ALT_NAME" = "xno"
then
ENABLE_IP_ALT_NAME="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IP_ALT_NAME"
fi
if test "x$ENABLED_SESSION_TICKET" = "xno"
then
ENABLED_SESSION_TICKET="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SESSION_TICKET"
fi
# FTPS server requires pointer to session cache
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
# support longer session ticket nonce
if test "$ENABLED_TICKET_NONCE_MALLOC" = "no_implicit"
then
ENABLED_TICKET_NONCE_MALLOC="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TICKET_NONCE_MALLOC"
fi
elif test "$ENABLED_CURL" = "tiny"
then
# basic config to support tiny-curl.
# OPENSSL_EXTRA_X509_SMALL is sufficient.
if test "x$ENABLED_OPENSSLEXTRA" = "xno"
then
ENABLED_OPENSSLEXTRA="x509small"
fi
# expose a bit more compat API without full OPENSSL_EXTRA.
AM_CFLAGS="$AM_CFLAGS -DHAVE_CURL"
# session cache is necessary, but can be small or micro.
AM_CFLAGS="$AM_CFLAGS -DSMALL_SESSION_CACHE"
fi
if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" \
&& test "x$ENABLED_STUNNEL" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_PSK"
fi
if test "$ENABLED_PSK" = "no" && \
(test "$ENABLED_LEANPSK" = "yes" || test "x$ENABLED_STUNNEL" = "xyes")
then
ENABLED_PSK=yes
fi
# tcpdump support
AC_ARG_ENABLE([tcpdump],
[AS_HELP_STRING([--enable-tcpdump],[Enable tcpdump (default: disabled)])],
[ ENABLED_TCPDUMP=$enableval ],
[ ENABLED_TCPDUMP=no ]
)
# tcpdump support requires all the features enabled within this conditional.
if test "$ENABLED_TCPDUMP" = "yes"
then
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -lt 5)
then
ENABLED_DES3="yes"
fi
fi
# sblim-sfcb support
AC_ARG_ENABLE([sblim-sfcb],
[AS_HELP_STRING([--enable-sblim-sfcb],[Enable sblim-sfcb support (default: disabled)])],
[ ENABLED_SBLIM_SFCB=$enableval ],
[ ENABLED_SBLIM_SFCB=no ]
)
# sblim-sfcb support requires all the features enabled within this conditional.
if test "$ENABLED_SBLIM_SFCB" = "yes"
then
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_SBLIM_SFCB -DWOLFSSL_SIGNER_DER_CERT"
fi
# libest Support
AC_ARG_ENABLE([libest],
[AS_HELP_STRING([--enable-libest],[Enable libest (default: disabled)])],
[ ENABLED_LIBEST=$enableval ],
[ ENABLED_LIBEST=no ]
)
if test "$ENABLED_LIBEST" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DHAVE_LIBEST -DWOLFSSL_ALT_NAMES"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
# Requires opensslextra and opensslall
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLALL="yes"
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING"
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT"
fi
# Requires OCSP
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
# Requires PKCS7
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
fi
# Requires Certificate Generation and Request
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
# Requires CRL
if test "x$ENABLED_CRL" = "xno"
then
ENABLED_CRL="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "x$ENABLED_SRP" = "xno"
then
ENABLED_SRP="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP"
fi
# Enable prereqs if not already enabled
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
# Requires sessioncerts make sure on
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
if test "x$ENABLED_DSA" = "xno"
then
AC_MSG_WARN([Enabling DSA with --enable-dsa is recommended for libest])
fi
fi
if test "$ENABLED_MD4" = "no"
then
#turn on MD4 if using stunnel
if test "x$ENABLED_STUNNEL" = "xyes" || test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_KRB" = "xyes"
then
ENABLED_MD4="yes"
else
AM_CFLAGS="$AM_CFLAGS -DNO_MD4"
fi
fi
# Encrypted keys
AC_ARG_ENABLE([enckeys],
[AS_HELP_STRING([--enable-enckeys],[Enable PEM encrypted private key support (default: disabled)])],
[ ENABLED_ENCKEYS=$enableval ],
[ ENABLED_ENCKEYS=no ]
)
if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_WEBSERVER" = "yes" || test "$ENABLED_WPAS" != "no"
then
ENABLED_ENCKEYS=yes
fi
if test "$ENABLED_ENCKEYS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ENCRYPTED_KEYS"
fi
# PKCS#12
# set PKCS#12 default
PKCS12_DEFAULT=yes
if test "$ENABLED_ASN" = "no" || test "$FIPS_VERSION" = "rand"
then
PKCS12_DEFAULT=no
fi
AC_ARG_ENABLE([pkcs12],
[AS_HELP_STRING([--enable-pkcs12],[Enable pkcs12 (default: enabled)])],
[ ENABLED_PKCS12=$enableval ],
[ ENABLED_PKCS12=$PKCS12_DEFAULT ]
)
if test "x$ENABLED_PKCS12" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_PKCS12"
fi
# PWDBASED has to come after certservice since we want it on w/o explicit on
if test "$ENABLED_PWDBASED" = "no"
then
if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \
test "$ENABLED_WEBSERVER" = "yes" || test "$ENABLED_ENCKEYS" = "yes" || \
test "$ENABLED_PKCS12" = "yes"
then
# opensslextra, opensslall, webserver, enckeys and pkcs12 need pwdbased
ENABLED_PWDBASED=yes
else
AM_CFLAGS="$AM_CFLAGS -DNO_PWDBASED"
fi
fi
AC_ARG_ENABLE([scrypt],
[AS_HELP_STRING([--enable-scrypt],[Enable SCRYPT (default: disabled)])],
[ ENABLED_SCRYPT=$enableval ],
[ ENABLED_SCRYPT=no ]
)
if test "$ENABLED_SCRYPT" = "yes"
then
if test "$ENABLED_PWDBASED" = "no"
then
AC_MSG_ERROR([cannot enable scrypt without enabling pwdbased.])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_SCRYPT"
fi
# wolfCrypt Only Build
if test "$ENABLED_CRYPTONLY" = "yes"
then
if test "$ENABLED_OPENSSLALL" = "yes"
then
AC_MSG_ERROR([cryptonly and opensslall are mutually incompatible.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"
fi
if test "x$ENABLED_CRYPTONLY" = "xno"
then
if test "x$ENABLED_PSK" = "xno" && test "x$ENABLED_ASN" = "xno"
then
AC_MSG_ERROR([please enable psk if disabling asn.])
fi
if test "$ENABLED_AFALG" = "yes"
then
# for TLS connections the intermediate hash needs to store buffer
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_HASH_KEEP"
fi
if test "$ENABLED_DEVCRYPTO" = "yes"
then
# for TLS connections the intermediate hash needs to store buffer
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH_KEEP"
fi
fi
# Enable Examples, used to disable examples
if test "$HAVE_KERNEL_MODE" = "yes"
then
ENABLED_EXAMPLES_DEFAULT=no
else
ENABLED_EXAMPLES_DEFAULT=yes
fi
AC_ARG_ENABLE([examples],
[AS_HELP_STRING([--enable-examples],[Enable Examples (default: enabled)])],
[ ENABLED_EXAMPLES=$enableval ],
[ ENABLED_EXAMPLES=$ENABLED_EXAMPLES_DEFAULT ]
)
AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"])
AS_IF([test "x$ENABLED_CRYPTONLY" = "xyes"], [ENABLED_EXAMPLES="no"])
# Enable wolfCrypt test and benchmark
if test "$HAVE_KERNEL_MODE" = "yes"
then
ENABLED_CRYPT_TESTS_DEFAULT=no
else
ENABLED_CRYPT_TESTS_DEFAULT=yes
fi
AC_ARG_ENABLE([crypttests],
[AS_HELP_STRING([--enable-crypttests],[Enable Crypt Bench/Test (default: enabled)])],
[ ENABLED_CRYPT_TESTS=$enableval ],
[ ENABLED_CRYPT_TESTS=$ENABLED_CRYPT_TESTS_DEFAULT ]
)
AC_SUBST([ENABLED_CRYPT_TESTS])
if test "$ENABLED_CRYPT_TESTS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CRYPT_TEST"
fi
# Build wolfCrypt test and benchmark as libraries. This will compile test.c and
# benchmark.c and make their functions available via libraries, libwolfcrypttest
# and libwolfcryptbench, respectively. Note that this feature is not enabled by
# default, and the API of these libraries should NOT be treated as stable.
AC_ARG_ENABLE([crypttests-libs],
[AS_HELP_STRING([--enable-crypttests-libs],[Enable wolfcrypt test and benchmark libraries (default: disabled)])],
[ ENABLED_CRYPT_TESTS_LIBS=$enableval ],
[ ENABLED_CRYPT_TESTS_LIBS=no ]
)
# LIBZ
ENABLED_LIBZ="no"
trylibzdir=""
AC_ARG_WITH([libz],
[ --with-libz=PATH PATH to libz install (default /usr/) ],
[
AC_MSG_CHECKING([for libz])
CPPFLAGS="$CPPFLAGS -DHAVE_LIBZ"
LIBS="$LIBS -lz"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <zlib.h>]], [[ deflateInit(0, 8); ]])],[ libz_linked=yes ],[ libz_linked=no ])
if test "x$libz_linked" = "xno" ; then
if test "x$withval" != "xno" ; then
trylibzdir=$withval
fi
if test "x$withval" = "xyes" ; then
trylibzdir="/usr"
fi
LDFLAGS="$LDFLAGS -L$trylibzdir/lib"
CPPFLAGS="$CPPFLAGS -I$trylibzdir/include"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <zlib.h>]], [[ deflateInit(0, 8); ]])],[ libz_linked=yes ],[ libz_linked=no ])
if test "x$libz_linked" = "xno" ; then
AC_MSG_ERROR([libz isn't found.
If it's already installed, specify its path using --with-libz=/dir/])
fi
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([yes])
fi
ENABLED_LIBZ="yes"
]
)
# PKCS#11
AC_ARG_ENABLE([pkcs11],
[AS_HELP_STRING([--enable-pkcs11],[Enable pkcs11 access (default: disabled)])],
[ ENABLED_PKCS11=$enableval ],
[ ENABLED_PKCS11=no ]
)
if test "x$ENABLED_PKCS11" != "xno"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11 -DHAVE_WOLF_BIGINT"
if test "x$ENABLED_PKCS11" != "xstatic"
then
LIBS="$LIBS -ldl"
else
AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11_STATIC"
ENABLED_PKCS11="yes"
fi
fi
# PKCS#8
AC_ARG_ENABLE([pkcs8],
[AS_HELP_STRING([--enable-pkcs8],[Enable PKCS #8 key packages (default: enabled)])],
[ ENABLED_PKCS8=$enableval ],
[ ENABLED_PKCS8=yes ]
)
if test "x$ENABLED_PKCS8" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"
fi
# cavium
trycaviumdir=""
AC_ARG_WITH([cavium],
[ --with-cavium=PATH PATH to cavium/software dir ],
[
AC_MSG_CHECKING([for cavium])
LIB_ADD="-lrt $LIB_ADD"
if test "x$withval" = "xyes" ; then
AC_MSG_ERROR([need a PATH for --with-cavium])
fi
if test "x$withval" != "xno" ; then
trycaviumdir=$withval
fi
CPPFLAGS="$AM_CPPFLAGS -DHAVE_CAVIUM -I$trycaviumdir/include"
LDFLAGS="$AM_LDFLAGS $trycaviumdir/api/cavium_common.o"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cavium_common.h"]], [[ CspShutdown(CAVIUM_DEV_ID); ]])],[ cavium_linked=yes ],[ cavium_linked=no ])
if test "x$cavium_linked" = "xno" ; then
AC_MSG_ERROR([cavium isn't found.
If it's already installed, specify its path using --with-cavium=/dir/])
else
AM_CPPFLAGS="$CPPFLAGS"
AM_LDFLAGS="$LDFLAGS"
fi
AC_MSG_RESULT([yes])
enable_shared=no
enable_static=yes
ENABLED_CAVIUM=yes
],
[ ENABLED_CAVIUM=no ]
)
# cavium V
trycaviumdir=""
AC_ARG_WITH([cavium-v],
[ --with-cavium-v=PATH PATH to Cavium V/software dir ],
[
AC_MSG_CHECKING([for cavium])
AM_CFLAGS="$AM_CFLAGS -DHAVE_CAVIUM -DHAVE_CAVIUM_V"
LIB_ADD="-lrt -lcrypto $LIB_ADD"
if test "x$withval" = "xyes" ; then
AC_MSG_ERROR([need a PATH for --with-cavium])
fi
if test "x$withval" != "xno" ; then
trycaviumdir=$withval
fi
if test -e $trycaviumdir/lib/libnitrox.a
then
AM_CPPFLAGS="-I$trycaviumdir/include $AM_CPPFLAGS"
else
ENABLED_CAVIUM_V=no
fi
LIB_STATIC_ADD="$trycaviumdir/lib/libnitrox.a $LIB_STATIC_ADD"
if test "$ENABLED_CAVIUM_V" = "no"; then
AC_MSG_ERROR([Could not find Nitrox library])
fi
enable_shared=no
enable_static=yes
enable_opensslextra=yes
ENABLED_CAVIUM=yes
ENABLED_CAVIUM_V=yes
],
[
ENABLED_CAVIUM=no
ENABLED_CAVIUM_V=no
]
)
# Cavium Octeon
OCTEON_ROOT=""
: ${OCTEON_OBJ="obj-octeon2"}
: ${OCTEON_HOST="standalone"}
AC_ARG_WITH([octeon-sync],
[AS_HELP_STRING([--with-octeon-sync=PATH],[PATH to Cavium Octeon SDK dir (sync)])],
[
AC_MSG_CHECKING([for octeon])
if test "x$withval" = "xyes" ; then
AC_MSG_ERROR([need a PATH for --with-octeon])
fi
if test "x$withval" != "xno" ; then
OCTEON_ROOT=$withval
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_CAVIUM_OCTEON_SYNC"
AM_CFLAGS="$AM_CFLAGS -DOCTEON_MODEL=$OCTEON_MODEL"
AM_CFLAGS="$AM_CFLAGS -I$OCTEON_ROOT/executive"
AS_CASE([$OCTEON_HOST],['linux'],[AM_CFLAGS="$AM_CFLAGS -DCVMX_BUILD_FOR_LINUX_HOST"])
#-I$OCTEON_ROOT/target/include
AM_LDFLAGS="$AM_LDFLAGS -lrt -Xlinker -T -Xlinker $OCTEON_ROOT/executive/cvmx-shared-linux.ld"
AM_LDFLAGS="$AM_LDFLAGS -L$OCTEON_ROOT/executive/$OCTEON_OBJ -lcvmx -lfdt"
enable_shared=no
enable_static=yes
ENABLED_OCTEON_SYNC=yes
AC_MSG_RESULT([yes])
],
[ENABLED_OCTEON_SYNC=no]
)
# Intel QuickAssist
QAT_DIR=""
BUILD_INTEL_QAT_VERSION=2
AC_ARG_WITH([intelqa],
[AS_HELP_STRING([--with-intelqa=PATH],[PATH to Intel QuickAssist (QAT) driver dir])],
[ENABLED_INTEL_QA=yes; QAT_DIR=$withval],
[ENABLED_INTEL_QA=no])
AC_ARG_WITH([intelqa-sync],
[AS_HELP_STRING([--with-intelqa-sync=PATH],[PATH to Intel QuickAssist (QAT) driver dir (sync)])],
[ENABLED_INTEL_QA_SYNC=yes; QAT_DIR=$withval],
[ENABLED_INTEL_QA_SYNC=no])
AS_IF([test "x$ENABLED_INTEL_QA" = "xyes" && test "x$ENABLED_INTEL_QA_SYNC" = "xyes"],
[AC_MSG_ERROR([Both Intel QA Async and Sync are selected, only select one.])])
AS_IF([test "x$ENABLED_INTEL_QA" = "xyes" || test "x$ENABLED_INTEL_QA_SYNC" = "xyes"],
[AC_MSG_CHECKING([for intelqa])
AS_IF([test "x$ENABLED_INTEL_QA" = "xyes"],
[AM_CPPFLAGS="$AM_CPPFLAGS -DHAVE_INTEL_QA -DDO_CRYPTO -DUSER_SPACE"; intelqa_opt=""],
[AM_CPPFLAGS="$AM_CPPFLAGS -DHAVE_INTEL_QA_SYNC -DQAT_USE_POLLING_THREAD -DO_CRYPTO -DUSER_SPACE"; intelqa_opt="-sync"])
OLD_LIBS="$LIBS"
OLD_CPPFLAGS="$CPPFLAGS"
AS_IF([test "x$QAT_DIR" = "xyes"],[AC_MSG_ERROR([need a PATH for --with-intelqa$intelqa_opt])])
QAT_FLAGS="-I$QAT_DIR/quickassist/include -I$QAT_DIR/quickassist/include/lac -I$QAT_DIR/quickassist/utilities/osal/include \
-I$QAT_DIR/quickassist/utilities/osal/src/linux/user_space/include -I$QAT_DIR/quickassist/lookaside/access_layer/include \
-I$QAT_DIR/quickassist/lookaside/access_layer/src/common/include -I$srcdir/wolfssl -I$srcdir/wolfssl/wolfcrypt/port/intel \
-I$QAT_DIR/quickassist/utilities/libusdm_drv -I$QAT_DIR/quickassist/include/icp"
AM_CPPFLAGS="$AM_CPPFLAGS $QAT_FLAGS"
CPPFLAGS="$AM_CPPFLAGS"
LDFLAGS="$LDFLAGS -L$QAT_DIR/build"
LIBS="$LIBS -lqat_s -lusdm_drv_s"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cpa_cy_common.h"]],[[Cpa16U count = 0; cpaCyGetNumInstances(&count);]])],[intelqa_linked=yes],[intelqa_linked=no])
AS_IF([test "x$intelqa_linked" = "xno"],
[# Try old QAT driver libraries
LIBS="$OLD_LIBS -licp_qa_al_s"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cpa_cy_common.h"]],[[Cpa16U count = 0; cpaCyGetNumInstances(&count);]])],[intelqa_linked=yes],[intelqa_linked=no])
AS_IF([test "x$intelqa_linked" = "xno"],
[AC_MSG_ERROR([Intel QuickAssist not found. If it's already installed, specify its path using --with-intelqa$intelqa_opt=/dir/])],
[BUILD_INTEL_QAT_VERSION=1])
])
AC_MSG_RESULT([yes])
AS_IF([test "x$BUILD_INTEL_QAT_VERSION" = "x1"],
[LIB_ADD="-ladf_proxy -losal -lrt $LIB_ADD"],
[LIB_ADD="-losal -lrt $LIB_ADD"])
CPPFLAGS="$OLD_CPPFLAGS"
])
################################################################################
# Single Precision option handling #
################################################################################
ENABLED_SP_RSA=no
ENABLED_SP_DH=no
ENABLED_SP_FF_2048=no
ENABLED_SP_FF_3072=no
ENABLED_SP_FF_4096=no
ENABLED_SP_ECC=no
ENABLED_SP_EC_256=no
ENABLED_SP_EC_384=no
ENABLED_SP_EC_521=no
ENABLED_SP_SM2=$ENABLED_SM2
ENABLED_SP_SAKKE_1024=$ENABLED_SAKKE
ENABLED_SP_NO_MALLOC=no
ENABLED_SP_NONBLOCK=no
ENABLED_SP_SMALL=no
for v in `echo $ENABLED_SP | tr "," " "`
do
case $v in
small)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_2048=yes
ENABLED_SP_FF_3072=yes
ENABLED_SP_ECC=yes
ENABLED_SP_EC_256=yes
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"; then
ENABLED_SP_FF_4096=yes
ENABLED_SP_EC_384=yes
ENABLED_SP_EC_521=yes
fi
;;
smallfast)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_2048=yes
ENABLED_SP_FF_3072=yes
ENABLED_SP_ECC=yes
ENABLED_SP_EC_256=yes
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"; then
ENABLED_SP_FF_4096=yes
ENABLED_SP_EC_384=yes
ENABLED_SP_EC_521=yes
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_FAST_MODEXP"
;;
yes)
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_2048=yes
ENABLED_SP_FF_3072=yes
ENABLED_SP_ECC=yes
ENABLED_SP_EC_256=yes
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"; then
ENABLED_SP_FF_4096=yes
ENABLED_SP_EC_384=yes
ENABLED_SP_EC_521=yes
fi
;;
no)
;;
smallec256 | smallp256 | small256)
ENABLED_SP_SMALL=yes
ENABLED_SP_ECC=yes
ENABLED_SP_EC_256=yes
;;
ec256 | p256 | 256)
ENABLED_SP_ECC=yes
ENABLED_SP_EC_256=yes
;;
smallec384 | smallp384 | small384)
ENABLED_SP_SMALL=yes
ENABLED_SP_ECC=yes
ENABLED_SP_EC_384=yes
;;
ec384 | p384 | 384)
ENABLED_SP_ECC=yes
ENABLED_SP_EC_384=yes
;;
smallec521 | smallp521 | small521)
ENABLED_SP_SMALL=yes
ENABLED_SP_ECC=yes
ENABLED_SP_EC_521=yes
;;
ec521 | p521 | 521)
ENABLED_SP_ECC=yes
ENABLED_SP_EC_521=yes
;;
smallec1024 | smallp1024 | small1024)
ENABLED_SP_ECC=yes
ENABLED_SP_SMALL=yes
ENABLED_SP_SAKKE_1024=yes
;;
ec1024 | p1024 | 1024)
ENABLED_SP_ECC=yes
ENABLED_SP_SAKKE_1024=yes
;;
smallsm2)
ENABLED_SP_SMALL=yes
ENABLED_SP_ECC=yes
ENABLED_SP_SM2=yes
;;
sm2)
ENABLED_SP_ECC=yes
ENABLED_SP_SM2=yes
;;
small2048)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_2048=yes
;;
2048)
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_2048=yes
;;
smallrsa2048)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_FF_2048=yes
;;
rsa2048)
ENABLED_SP_RSA=yes
ENABLED_SP_FF_2048=yes
;;
small3072)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_3072=yes
;;
3072)
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_3072=yes
;;
smallrsa3072)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_FF_3072=yes
;;
rsa3072)
ENABLED_SP_RSA=yes
ENABLED_SP_FF_3072=yes
;;
small4096)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_4096=yes
;;
4096 | +4096)
ENABLED_SP_RSA=yes
ENABLED_SP_DH=yes
ENABLED_SP_FF_4096=yes
;;
smallrsa4096)
ENABLED_SP_SMALL=yes
ENABLED_SP_RSA=yes
ENABLED_SP_FF_4096=yes
;;
rsa4096)
ENABLED_SP_RSA=yes
ENABLED_SP_FF_4096=yes
;;
smallstack)
ENABLED_SP_SMALL_STACK=yes
;;
nomalloc)
ENABLED_SP_NO_MALLOC=yes
;;
nonblock)
# Requires small and no malloc
ENABLED_SP_NONBLOCK=yes
ENABLED_SP_NO_MALLOC=yes
ENABLED_SP_SMALL=yes
;;
asm)
ENABLED_SP_ASM=yes
;;
noasm)
ENABLED_SP_ASM=no
;;
*)
AC_MSG_ERROR([Invalid choice of Single Precision length in bits [256, 384, 521, 1024, 2048, 3072, 4096]: $ENABLED_SP.])
break;;
esac
done
ENABLED_SP_LINE="$ENABLE_SP"
ENABLED_SP=no
if test "$ENABLED_RSA" = "yes" && test "$ENABLED_SP_RSA" = "yes"; then
ENABLED_SP=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SP_RSA"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SP_RSA"
fi
if test "$ENABLED_DH" != "no" && test "$ENABLED_SP_DH" = "yes"; then
ENABLED_SP=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SP_DH"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SP_DH"
fi
if test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes"; then
if test "$ENABLED_SP_FF_2048" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_2048"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_2048"
fi
if test "$ENABLED_SP_FF_3072" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_3072"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_3072"
fi
if test "$ENABLED_SP_FF_4096" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_4096"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_4096"
fi
case $host_cpu in
*x86_64* | *aarch64* | *amd64*)
if test "$ENABLED_SP_SMALL" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_LARGE_CODE"
fi
;;
*)
;;
esac
fi
if test "$ENABLED_ECC" != "no" && test "$ENABLED_SP_ECC" = "yes"; then
ENABLED_SP=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SP_ECC"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SP_ECC"
if test "$ENABLED_SP_EC_256" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_256"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_256"
fi
if test "$ENABLED_SP_EC_384" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC384 -DWOLFSSL_SP_384"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_384"
fi
if test "$ENABLED_SP_EC_521" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC521 -DWOLFSSL_SP_521"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_521"
fi
if test "$ENABLED_SP_SAKKE_1024" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_1024"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_1024"
fi
if test "$ENABLED_SP_SM2" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SM2"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SM2"
fi
fi
if test "$ENABLED_SP_SMALL" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL"
fi
if test "$ENABLED_SP_SMALL_STACK" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL_STACK"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL_STACK"
fi
if test "$ENABLED_SP_NO_MALLOC" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_MALLOC"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_MALLOC"
fi
if test "$ENABLED_SP_NONBLOCK" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NONBLOCK"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NONBLOCK"
fi
if test "$ENABLED_SP_MATH" = "yes"; then
if test "$ENABLED_SP" = "no"; then
if test "$ENABLED_RSA" != "no"; then
AC_MSG_ERROR([Must have SP enabled with SP math for RSA: --enable-sp])
fi
if test "$ENABLED_DH" != "no"; then
AC_MSG_ERROR([Must have SP enabled with SP math for DH: --enable-sp])
fi
if test "$ENABLED_ECC" != "no"; then
AC_MSG_ERROR([Must have SP enabled with SP math for ECC: --enable-sp])
fi
fi
if test "$ENABLED_ECCCUSTCURVES" != "no"; then
AC_MSG_ERROR([Cannot use single precision math and custom curves])
fi
if test "$ENABLED_DSA" = "yes"; then
AC_MSG_ERROR([Cannot use single precision math and DSA])
fi
if test "$ENABLED_SRP" = "yes"; then
AC_MSG_ERROR([Cannot use single precision math and SRP])
fi
if test "$ENABLED_SP_RSA" = "no" && test "$ENABLED_RSA" = "yes"; then
AC_MSG_ERROR([Cannot use RSA single precision only math and RSA])
fi
if test "$ENABLED_SP_DH" = "no" && test "$ENABLED_DH" != "no"; then
AC_MSG_ERROR([Cannot use DH single precision only math and DH])
fi
fi
for v in `echo $ENABLED_SP_MATH_ALL | tr "," " "`
do
case $v in
yes | no)
;;
small)
ENABLED_SP_MATH_ALL="yes"
ENABLED_SP_SMALL="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL"
;;
huge)
ENABLED_SP_MATH_ALL="yes"
ENABLED_FASTHUGEMATH="yes"
AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_LARGE_COMBA"
;;
256 | 384 | 521 | 1024 | 2048 | 3072 | 4096)
if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -o "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -lt "$v"
then
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS="$v"
fi
ENABLED_SP_MATH_ALL="yes"
;;
nomalloc)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_MALLOC"
ENABLED_SP_MATH_ALL="yes"
;;
neg)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_NEGATIVE"
ENABLED_SP_MATH_ALL="yes"
;;
*)
AC_MSG_ERROR([Support SP int bit sizes: 256, 384, 521, 1024, 2048, 3072, 4096. $ENABLED_SP_MATH_ALL not supported])
;;
esac
done
AC_ARG_WITH([arm-target],
[AS_HELP_STRING([--with-arm-target=x],[x can be "thumb" or "cortex"])],
[ARM_TARGET="$withval"],
[ARM_TARGET=''])
if test "$ENABLED_SP_MATH_ALL" = "yes" && test "$ENABLED_ASM" != "no"; then
ENABLED_FASTMATH="no"
ENABLED_SLOWMATH="no"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MATH_ALL"
case $host_cpu in
*x86_64* | *amd64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86_64"
;;
*x86*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86"
;;
*aarch64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM64 -DWOLFSSL_AARCH64_BUILD"
;;
*arm*)
if test "$host_alias" = "thumb" || test "$ARM_TARGET" = "thumb"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_THUMB"
else
if test "$host_alias" = "cortex" || test "$ARM_TARGET" = "cortex"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_CORTEX_M"
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32"
fi
fi
;;
*ppc64* | *powerpc64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_PPC64"
;;
*ppc* | *powerpc*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_PPC"
;;
*mips64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MIPS64"
;;
*mips*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MIPS"
;;
*riscv32*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_RISCV32"
;;
*riscv64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_RISCV64"
;;
*s390x*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_S390X"
;;
esac
if test "$ENABLED_FIPS" != "no" || test "$SELFTEST_VERSION" != "none"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_NEGATIVE"
fi
fi
if test "$ENABLED_SP_ASM" = "yes" && test "$ENABLED_SP" = "yes"; then
if test "$ENABLED_SP_NONBLOCK" = "yes"; then
AC_MSG_ERROR([SP non-blocking not supported with sp-asm])
fi
if test "$ENABLED_ASM" = "no"; then
AC_MSG_ERROR([Assembly code turned off])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ASM"
case $host_cpu in
*aarch64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM64_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM64_ASM"
ENABLED_SP_ARM64_ASM=yes
;;
*armv7a* | *armv7l*)
if test "$ENABLED_ARMASM" = "no"; then
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-a -mfpu=neon -DWOLFSSL_ARM_ARCH=7 -marm"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
ENABLED_SP_ARM32_ASM=yes
;;
*cortex* | *armv7m*)
if test "$ENABLED_ARMASM" = "no"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_THUMB2"
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-r -DWOLFSSL_ARMASM_THUMB2 -DWOLFSSL_ARM_ARCH=7"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_CORTEX_M_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM_CORTEX_M_ASM"
ENABLED_SP_ARM_CORTEX_ASM=yes
ENABLED_ARM_THUMB=yes
;;
*armv6*)
if test "$ENABLED_ARMASM" = "no"; then
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv6 -DWOLFSSL_ARM_ARCH=6"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
ENABLED_SP_ARM32_ASM=yes
;;
*armv4*)
if test "$ENABLED_ARMASM" = "no"; then
AM_CPPFLAGS="$AM_CPPFLAGS -march=armv4 -DWOLFSSL_ARM_ARCH=4"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
ENABLED_SP_ARM32_ASM=yes
;;
*arm*)
if test "$host_alias" = "thumb" || test "$ARM_TARGET" = "thumb"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_THUMB_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM_THUMB_ASM"
ENABLED_SP_ARM_THUMB_ASM=yes
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
ENABLED_SP_ARM32_ASM=yes
fi
;;
*x86_64* | *amd64*)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86_64_ASM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_X86_64_ASM"
ENABLED_SP_X86_64_ASM=yes
;;
*)
AC_MSG_ERROR([SP ASM not available for CPU. Supported CPUs: x86_64, aarch64, arm])
;;
esac
fi
if test "$ENABLED_SP_MATH" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MATH"
fi
################################################################################
# End - Single Precision option handling #
################################################################################
# static memory use
AC_ARG_ENABLE([staticmemory],
[AS_HELP_STRING([--enable-staticmemory],[Enable static memory use (default: disabled)])],
[ ENABLED_STATICMEMORY=$enableval ],
[ ENABLED_STATICMEMORY=no ]
)
for v in `echo $ENABLED_STATICMEMORY | tr "," " "`
do
case $v in
yes)
;;
no)
;;
small|lean)
ENABLED_STATICMEMORY=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY_LEAN"
;;
debug)
ENABLED_STATICMEMORY=yes
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY_DEBUG_CALLBACK"
;;
*)
AC_MSG_ERROR([Invalid choice for staticmemory.])
break;;
esac
done
if test "x$ENABLED_STATICMEMORY" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY"
if test "x$ENABLED_HEAPMATH" = "xyes"
then
AC_MSG_ERROR([--enable-heapmath is incompatible with --enable-staticmemory.])
fi
if test "$ENABLED_LOWRESOURCE" = "yes" && test "$ENABLED_RSA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY_SMALL"
fi
fi
# microchip api
AC_ARG_ENABLE([mcapi],
[AS_HELP_STRING([--enable-mcapi],[Enable Microchip API (default: disabled)])],
[ ENABLED_MCAPI=$enableval ],
[ ENABLED_MCAPI=no ]
)
if test "$ENABLED_MCAPI" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_MCAPI"
if test "x$ENABLED_AESCTR" != "xyes"
then
# These flags are already implied by --enable-aesctr
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT"
fi
if test "x$ENABLED_AESGCM" != "xyes" && test "x$ENABLED_AESGCM" != "xno"
then
# Use the smaller object size implementation
ENABLED_AESGCM=yes
fi
ENABLED_MD5=yes
fi
if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_SHA512" = "no"
then
AC_MSG_ERROR([please enable sha512 if enabling mcapi.])
fi
if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_ECC" = "no"
then
AC_MSG_ERROR([please enable ecc if enabling mcapi.])
fi
if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_LIBZ" = "no"
then
AC_MSG_ERROR([please use --with-libz if enabling mcapi.])
fi
# cryptodev is old name, replaced with cryptocb
AC_ARG_ENABLE([cryptodev],
[AS_HELP_STRING([--enable-cryptodev],[DEPRECATED, use cryptocb instead])],
[ ENABLED_CRYPTOCB=$enableval ],[ ENABLED_CRYPTOCB=no ])
# Support for crypto callbacks
AC_ARG_ENABLE([cryptocb],
[AS_HELP_STRING([--enable-cryptocb],
[Enable crypto callbacks (default: disabled). Use 'no-default-devid' to enable without a platform-specific default device ID])],
[
case "$enableval" in
no-default-devid)
ENABLED_CRYPTOCB=yes
AM_CPPFLAGS="$AM_CPPFLAGS -DWC_NO_DEFAULT_DEVID"
;;
*)
ENABLED_CRYPTOCB="$enableval"
;;
esac
],
[ ENABLED_CRYPTOCB=no ])
# Enable testing of cryptoCb using software crypto. On platforms where wolfCrypt tests
# are used to test a custom cryptoCb, it may be desired to disable this so wolfCrypt tests
# don't also test software implementations of every algorithm
AC_ARG_ENABLE([cryptocb-sw-test],
[AS_HELP_STRING([--disable-cryptocb-sw-test],[Disable wolfCrypt crypto callback tests using software crypto (default: enabled). Only valid with --enable-cryptocb])],
[ if test "x$ENABLED_CRYPTOCB" = "xno"; then
AC_MSG_ERROR([--disable-cryptocb-sw-test requires --enable-cryptocb])
else
ENABLED_CRYPTOCB_SW_TEST=$enableval
fi ],
[ ENABLED_CRYPTOCB_SW_TEST=yes ]
)
if test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_WOLFTPM" = "xyes" || test "$ENABLED_CAAM" != "no"
then
ENABLED_CRYPTOCB=yes
fi
if test "$ENABLED_CRYPTOCB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB"
fi
if test "$ENABLED_CRYPTOCB_SW_TEST" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DWC_TEST_NO_CRYPTOCB_SW_TEST"
fi
# Crypto Callbacks Utils (Copy/Free/etc)
AC_ARG_ENABLE([cryptocbutils],
[AS_HELP_STRING([--enable-cryptocbutils@<:@=copy,free,setkey,export,...@:>@],
[Enable crypto callback utilities (default: all)])],
[ ENABLED_CRYPTOCB_UTILS=$enableval ],
[ ENABLED_CRYPTOCB_UTILS=no ]
)
if test "$ENABLED_CRYPTOCB_UTILS" != "no"; then
if test "$ENABLED_CRYPTOCB" = "no"; then
AC_MSG_ERROR([--enable-cryptocbutils requires --enable-cryptocb])
fi
if test "$ENABLED_CRYPTOCB_UTILS" = "yes"; then
# Enable all utilities
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_COPY -DWOLF_CRYPTO_CB_FREE -DWOLF_CRYPTO_CB_SETKEY -DWOLF_CRYPTO_CB_EXPORT_KEY"
else
# Parse comma-separated list
OIFS="$IFS"
IFS=','
for util in $ENABLED_CRYPTOCB_UTILS; do
case "$util" in
copy)
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_COPY"
;;
free)
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_FREE"
;;
setkey)
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_SETKEY"
;;
export)
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_EXPORT_KEY"
;;
*)
AC_MSG_ERROR([Unknown cryptocbutils option: $util. Valid options: copy, free, setkey, export])
;;
esac
done
IFS="$OIFS"
fi
fi
# Crypto callback RSA padding support
# When enabled, the RSA crypto callback args struct exposes the RsaPadding
# parameters so the callback can perform RSA padding/unpadding itself or
# offload it together with the modular exponentiation.
AC_ARG_ENABLE([cryptocb-rsa-pad],
[AS_HELP_STRING([--enable-cryptocb-rsa-pad],[Enable RSA padding aware crypto callbacks (default: disabled). Requires --enable-cryptocb])],
[ ENABLED_CRYPTOCB_RSA_PAD=$enableval ],
[ ENABLED_CRYPTOCB_RSA_PAD=no ]
)
if test "$ENABLED_CRYPTOCB_RSA_PAD" = "yes"
then
if test "x$ENABLED_CRYPTOCB" = "xno"; then
AC_MSG_ERROR([--enable-cryptocb-rsa-pad requires --enable-cryptocb])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_RSA_PAD"
fi
# wc_swdev: software crypto-callback device for testing
AC_ARG_ENABLE([swdev],
[AS_HELP_STRING([--enable-swdev],[Build wc_swdev software crypto-callback for tests (default: disabled). Requires --enable-cryptocb])],
[ ENABLED_SWDEV=$enableval ],
[ ENABLED_SWDEV=no ]
)
if test "$ENABLED_SWDEV" = "yes"
then
if test "$ENABLED_CRYPTOCB" != "yes" && test "$enable_usersettings" != "yes"; then
AC_MSG_ERROR([--enable-swdev requires --enable-cryptocb (or --enable-usersettings with WOLF_CRYPTO_CB defined in user_settings.h)])
fi
if test "x$srcdir" != "x."; then
AC_MSG_ERROR([--enable-swdev currently supports in-tree builds only])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
fi
# Asynchronous Crypto
AC_ARG_ENABLE([asynccrypt],
[AS_HELP_STRING([--enable-asynccrypt],[Enable Asynchronous Crypto (default: disabled)])],
[ ENABLED_ASYNCCRYPT=$enableval ],
[ ENABLED_ASYNCCRYPT=no ]
)
# Asynchronous crypto using software (i.e. not hardware). Required for
# non-blocking crypto with TLS/DTLS.
AC_ARG_ENABLE([asynccrypt-sw],
[AS_HELP_STRING([--enable-asynccrypt-sw],[Enable asynchronous software-based crypto (default: disabled)])],
[ ENABLED_ASYNCCRYPT_SW=$enableval ],
[ ENABLED_ASYNCCRYPT_SW=no ]
)
if test "$ENABLED_ASYNCCRYPT_SW" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT_SW"
ENABLED_ASYNCCRYPT=yes
fi
if test "$ENABLED_ASYNCCRYPT" = "yes"
then
AC_MSG_NOTICE([Enabling asynchronous support])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT -DHAVE_WOLF_EVENT -DHAVE_WOLF_BIGINT -DWOLFSSL_NO_HASH_RAW"
# If no async backend (hardware or software) has been explicitly enabled,
# use the software backend for testing.
if test "x$ENABLED_CAVIUM" != "xyes" && test "x$ENABLED_INTEL_QA" != "xyes" && test "x$ENABLED_CRYPTOCB" != "xyes" && test "x$ENABLED_PKCALLBACKS" != "xyes" && test "x$ENABLED_ASYNCCRYPT_SW" != "xyes"
then
AC_MSG_NOTICE([Enabling asynchronous software simulator])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT_SW"
ENABLED_ASYNCCRYPT_SW=yes
fi
fi
# check for async if using Intel QuckAssist or Cavium
if test "x$ENABLED_INTEL_QA" = "xyes" || test "x$ENABLED_CAVIUM" = "xyes" ; then
if test "x$ENABLED_ASYNCCRYPT" = "xno" ; then
AC_MSG_ERROR([Please enable asynchronous support using --enable-asynccrypt])
fi
fi
# Asynchronous threading (Linux specific)
AC_ARG_ENABLE([asyncthreads],
[AS_HELP_STRING([--enable-asyncthreads],[Enable Asynchronous Threading (default: enabled)])],
[ ENABLED_ASYNCTHREADS=$enableval ],
[ ENABLED_ASYNCTHREADS=yes ]
)
if test "$ENABLED_ASYNCCRYPT" = "yes" && test "$ENABLED_ASYNCTHREADS" = "yes"
then
AX_PTHREAD([ENABLED_ASYNCTHREADS=yes],[ENABLED_ASYNCTHREADS=no])
else
ENABLED_ASYNCTHREADS=no
fi
if test "$ENABLED_ASYNCTHREADS" = "yes"
then
LIB_ADD="-lpthread $LIB_ADD"
AM_CFLAGS="$AM_CFLAGS -D_GNU_SOURCE"
else
AM_CFLAGS="$AM_CFLAGS -DWC_NO_ASYNC_THREADING"
fi
# Support for autosar shim
AC_ARG_ENABLE([autosar],
[AS_HELP_STRING([--enable-autosar],[Enable AutoSAR support (default: disabled)])],
[ ENABLED_AUTOSAR=$enableval ],
[ ENABLED_AUTOSAR=no ]
)
if test "$ENABLED_AUTOSAR" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AUTOSAR"
fi
# Session Export
AC_ARG_ENABLE([sessionexport],
[AS_HELP_STRING([--enable-sessionexport],[Enable export and import of sessions (default: disabled)])],
[ ENABLED_SESSIONEXPORT=$enableval ],
[ ENABLED_SESSIONEXPORT=no ]
)
if test "$ENABLED_SESSIONEXPORT" = "yes" ||
test "$ENABLED_SESSIONEXPORT" = "nopeer"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SESSION_EXPORT"
if test "$ENABLED_SESSIONEXPORT" = "nopeer"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SESSION_EXPORT_NOPEER"
fi
fi
if test "$ENABLED_WPAS" != "no" &&
( test "$ENABLED_FIPS" = "no" || test "x$FIPS_VERSION" = "xv6" )
then
ENABLED_AESKEYWRAP="yes"
fi
if test "$ENABLED_AESKEYWRAP" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP -DWOLFSSL_AES_DIRECT"
fi
# Old name support for backwards compatibility
AC_ARG_ENABLE([oldnames],
[AS_HELP_STRING([--enable-oldnames],[Keep backwards compat with old names (default: enabled)])],
[ ENABLED_OLDNAMES=$enableval ],
[ ENABLED_OLDNAMES=yes ]
)
if test "x$ENABLED_OLDNAMES" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_RNGNAME -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES"
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME"
fi
# Memory Tests
AC_ARG_ENABLE([memtest],
[AS_HELP_STRING([--enable-memtest],[Memory testing option, for internal use (default: disabled)])],
[ ENABLED_MEMTEST=$enableval ],
[ ENABLED_MEMTEST=no ]
)
if test "x$ENABLED_MEMTEST" != "xno"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY"
fi
if test "x$ENABLED_MEMTEST" = "xfail"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FORCE_MALLOC_FAIL_TEST"
fi
# Enable hash flags support
# Hash flags are useful for runtime options such as SHA3 KECCAK256 selection
AC_ARG_ENABLE([hashflags],
[AS_HELP_STRING([--enable-hashflags],[Enable support for hash flags (default: disabled)])],
[ ENABLED_HASHFLAGS=$enableval ],
[ ENABLED_HASHFLAGS=no ]
)
if test "x$ENABLED_HASHFLAGS" != "xno"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HASH_FLAGS"
fi
# Support for enabling setting default DH parameters in TLS
AC_ARG_ENABLE([defaultdhparams],
[AS_HELP_STRING([--enable-defaultdhparams],[Enables option for default dh parameters (default: disabled)])],
[ ENABLED_DHDEFAULTPARAMS=$enableval ],
[ ENABLED_DHDEFAULTPARAMS=$ENABLED_DH ]
)
if test "x$ENABLED_DHDEFAULTPARAMS" = "xyes" && test "x$ENABLED_QT" != "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_DH_DEFAULT_PARAMS"
fi
AC_ARG_WITH([max-rsa-bits],
[AS_HELP_STRING([--with-max-rsa-bits=number],[number of bits to support for RSA, DH, and DSA keys])],
[WITH_MAX_CLASSIC_ASYM_KEY_BITS=$withval],
[WITH_MAX_CLASSIC_ASYM_KEY_BITS="$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"])
if test -n "$WITH_MAX_CLASSIC_ASYM_KEY_BITS"; then
if test "$WITH_MAX_CLASSIC_ASYM_KEY_BITS" -lt 1024 -o "$WITH_MAX_CLASSIC_ASYM_KEY_BITS" -gt 16384; then
AC_MSG_ERROR([--with-max-rsa-bits argument must be between 1024 and 16384 inclusive])
fi
if test "$ENABLED_FIPS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DRSA_MAX_SIZE=$WITH_MAX_CLASSIC_ASYM_KEY_BITS"
fi
MPI_MAX_KEY_BITS=$WITH_MAX_CLASSIC_ASYM_KEY_BITS
fi
AC_ARG_WITH([max-ecc-bits],
[AS_HELP_STRING([--with-max-ecc-bits=number],[number of bits to support for ECC algorithms])],
[WITH_MAX_ECC_BITS=$withval],
)
if test -n "$WITH_MAX_ECC_BITS"; then
if test "$WITH_MAX_ECC_BITS" -lt 112 -o "$WITH_MAX_ECC_BITS" -gt 1024; then
AC_MSG_ERROR([--with-max-ecc-bits argument must be between 112 and 1024 inclusive])
fi
AM_CFLAGS="$AM_CFLAGS -DMAX_ECC_BITS=$WITH_MAX_ECC_BITS"
fi
if test -n "$MPI_MAX_KEY_BITS" -o -n "$WITH_MAX_ECC_BITS"; then
if test -n "$MAX_MPI_KEY_BITS" -a -n "$WITH_MAX_ECC_BITS"; then
if test "$MAX_MPI_KEY_BITS" -lt "$WITH_MAX_ECC_BITS"; then
MPI_MAX_KEY_BITS="$WITH_MAX_ECC_BITS"
fi
elif test -n "$WITH_MAX_ECC_BITS"; then
MPI_MAX_KEY_BITS="$WITH_MAX_ECC_BITS"
fi
if test "$MPI_MAX_KEY_BITS" -gt 1024; then
AM_CFLAGS="$AM_CFLAGS -DFP_MAX_BITS=$((MPI_MAX_KEY_BITS * 2)) -DSP_INT_BITS=$MPI_MAX_KEY_BITS"
fi
fi
AC_ARG_ENABLE([linuxkm-lkcapi-register],
[AS_HELP_STRING([--enable-linuxkm-lkcapi-register],[Register wolfCrypt implementations with the Linux Kernel Crypto API backplane.
Possible values are "none" or a comma-separated combination of "all", "all-kconfig", "sysfs-nodes-only", "cbc(aes)", "cfb(aes)",
"gcm(aes)", "rfc4106(gcm(aes))", "xts(aes)", "ctr(aes)", "ofb(aes)", "ecb(aes)", "all-aes", "sha1", "sha2", "sha3", "all-sha",
"hmac(sha1)", "hmac(sha2)", "hmac(sha3)", "all-hmac", "stdrng", "stdrng-default", "ecdsa", "ecdh", "rsa", "dh", and negations of
the foregoing algorithms by prefixing "-".
(default: none)])],
[ENABLED_LINUXKM_LKCAPI_REGISTER=$enableval],
[ENABLED_LINUXKM_LKCAPI_REGISTER=no]
)
if test "$ENABLED_LINUXKM_LKCAPI_REGISTER" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER"
if test "$ENABLED_AESGCM" != "no" && test "$ENABLED_AESGCM_STREAM" = "no" && test "$enable_aesgcm_stream" != "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -ge 6); then
ENABLED_AESGCM_STREAM=yes
fi
if test "$ENABLED_LINUXKM_LKCAPI_REGISTER" = "yes"
then
ENABLED_LINUXKM_LKCAPI_REGISTER=all
fi
for lkcapi_alg in $(echo "$ENABLED_LINUXKM_LKCAPI_REGISTER" | tr ',' ' ')
do
case "$lkcapi_alg" in
all) AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ALL -DWC_RSA_NO_PADDING -DWOLFSSL_DH_EXTRA"
;;
all-kconfig) AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ALL -DLINUXKM_LKCAPI_REGISTER_ALL_KCONFIG -DWC_RSA_NO_PADDING -DWOLFSSL_DH_EXTRA"
;;
sysfs-nodes-only) AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND" ;;
'cbc(aes)') test "$ENABLED_AESCBC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CBC implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCBC" ;;
'cfb(aes)') test "$ENABLED_AESCFB" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CFB implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCFB" ;;
'gcm(aes)') test "$ENABLED_AESGCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-GCM implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESGCM" ;;
'rfc4106(gcm(aes))') test "$ENABLED_AESGCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-GCM implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESGCM_RFC4106" ;;
'ccm(aes)') test "$ENABLED_AESCCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CCM implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCCM" ;;
'rfc4309(ccm(aes))') test "$ENABLED_AESCCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CCM implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCCM_RFC4309" ;;
'xts(aes)') test "$ENABLED_AESXTS" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-XTS implementation not enabled.])
test "$ENABLED_AESXTS_STREAM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: --enable-aesxts-stream is required for LKCAPI.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESXTS" ;;
'ctr(aes)') test "$ENABLED_AESCTR" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CTR implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCTR" ;;
'ofb(aes)') test "$ENABLED_AESOFB" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-OFB implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESOFB" ;;
'ecb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESECB -DHAVE_AES_ECB" ;;
'all-aes') test "$ENABLED_AES" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES is disabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AES_ALL" ;;
'sha1') test "$ENABLED_SHA" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-1 implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1" ;;
'sha2') test "$ENABLED_SHA224" != "no" || test "$ENABLED_SHA256" != "no" || test "$ENABLED_SHA384" != "no" || test "$ENABLED_SHA512" != "no" || \
AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: No SHA-2 implementations are enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA2" ;;
'sha3') test "$ENABLED_SHA3" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3" ;;
'all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA_ALL" ;;
'hmac(sha1)') test "$ENABLED_SHA" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-1 HMAC implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1_HMAC" ;;
'hmac(sha2)') (test "$ENABLED_SHA224" != "no" || test "$ENABLED_SHA256" != "no" || test "$ENABLED_SHA384" != "no" || test "$ENABLED_SHA512" != "no") && \
test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: No SHA-2 HMAC implementations are enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA2_HMAC" ;;
'hmac(sha3)') test "$ENABLED_SHA3" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 HMAC implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3_HMAC" ;;
'all-hmac') test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HMAC implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HMAC_ALL" ;;
'stdrng') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG" ;;
'stdrng-default') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT" ;;
'ecdsa') test "$ENABLED_ECC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: ECDSA implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ECDSA" ;;
'ecdh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ECDH" ;;
'rsa') test "$ENABLED_RSA" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: RSA implementation not enabled.])
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_RSA -DWC_RSA_NO_PADDING" ;;
'dh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_DH -DWOLFSSL_DH_EXTRA"
;;
# disable options
'-cbc(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCBC" ;;
'-cfb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCFB" ;;
'-gcm(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESGCM" ;;
'-rfc4106(gcm(aes))')
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESGCM_RFC4106" ;;
'-ccm(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCCM" ;;
'-rfc4309(ccm(aes))')
AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCCM_RFC4309" ;;
'-xts(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESXTS" ;;
'-ctr(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCTR" ;;
'-ofb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESOFB" ;;
'-ecb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESECB" ;;
'-all-aes') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AES_ALL" ;;
'-sha1') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1" ;;
'-sha2') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2" ;;
'-sha3') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3" ;;
'-all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA_ALL" ;;
'-hmac(sha1)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1_HMAC" ;;
'-hmac(sha2)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2_HMAC" ;;
'-hmac(sha3)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3_HMAC" ;;
'-all-hmac') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HMAC_ALL" ;;
'-stdrng') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG" ;;
'-stdrng-default') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT" ;;
'-ecdsa') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_ECDSA" ;;
'-ecdh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_ECDH" ;;
'-rsa') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_RSA" ;;
'-dh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_DH" ;;
*) AC_MSG_ERROR([Unsupported LKCAPI algorithm "$lkcapi_alg".]) ;;
esac
done
fi
AC_SUBST([ENABLED_LINUXKM_LKCAPI_REGISTER])
# Library Suffix
LIBSUFFIX=""
AC_ARG_WITH([libsuffix],
[AS_HELP_STRING([--with-libsuffix=SUFFIX],[Library artifact SUFFIX, ie libwolfsslSUFFIX.so])],
[
if test "x$withval" != "xno" ; then
LIBSUFFIX=$withval
fi
if test "x$withval" = "xyes" ; then
AC_MSG_ERROR([Invalid argument to --with-libsuffix, no suffix given])
fi
]
)
AC_SUBST(LIBSUFFIX)
# Support system wide crypto-policy file:
# - Pass path to your wolfssl.config system crypto-policy file.
# - Pass no argument to use default.
AC_ARG_WITH([sys-crypto-policy],
[AS_HELP_STRING([--with-sys-crypto-policy=PATH],[Support for system-wide crypto-policy file. (default: disabled)])],
[ SYS_CRYPTO_POLICY=$withval],
[ SYS_CRYPTO_POLICY=no ]
)
if test "$SYS_CRYPTO_POLICY" != "no"; then
if test "$SYS_CRYPTO_POLICY" = "yes"; then
# Default to the wolfssl fedora crypto-policy file.
SYS_CRYPTO_POLICY="/etc/crypto-policies/back-ends/wolfssl.config"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CRYPTO_POLICY"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\""
fi
AC_ARG_ENABLE([context-extra-user-data],
[AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])],
[ ENABLED_EX_DATA=$enableval ],
[ ENABLED_EX_DATA=no ]
)
case "$ENABLED_EX_DATA" in
no) ;;
yes) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
;;
[[1-9]]|[[1-9]][[0-9]]|[[1-9]][[0-9]][[0-9]]|[[1-9]][[0-9]][[0-9]][[0-9]])
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA"
;;
*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)])
;;
esac
# IoT-Safe support
AC_ARG_ENABLE([iotsafe],
[AS_HELP_STRING([--enable-iotsafe],[Enables support for IoT-Safe secure applet (default: disabled)])],
[ ENABLED_IOTSAFE=$enableval ],
[ ENABLED_IOTSAFE=no ]
)
AC_ARG_ENABLE([iotsafe-hwrng],
[AS_HELP_STRING([--enable-iotsafe-hwrng],[Enables support for IoT-Safe RNG (default: disabled)])],
[ ENABLED_IOTSAFE_HWRNG=$enableval ],
[ ENABLED_IOTSAFE_HWRNG=no ]
)
# Make clean
AC_ARG_ENABLE([makeclean],
[AS_HELP_STRING([--enable-makeclean], [Enables forced "make clean" at the
end of configure (default: enabled)])],
[ ENABLED_MAKECLEAN=$enableval ],
[ ENABLED_MAKECLEAN=yes ]
)
# User Settings
AC_ARG_ENABLE([usersettings],
[AS_HELP_STRING([--enable-usersettings],[Use your own user_settings.h and do not add Makefile CFLAGS (default: disabled)])],
[ ENABLED_USERSETTINGS=$enableval ],
[ ENABLED_USERSETTINGS=no ]
)
# Default optimization CFLAGS enable
AC_ARG_ENABLE([optflags],
[AS_HELP_STRING([--enable-optflags],[Enable default optimization CFLAGS for the compiler (default: enabled)])],
[ ENABLED_OPTFLAGS=$enableval ],
[ ENABLED_OPTFLAGS=yes ]
)
# Adds functionality to load CA certificates from the operating system.
AC_ARG_ENABLE([sys-ca-certs],
[AS_HELP_STRING([--enable-sys-ca-certs],[Enable ability to load CA certs from OS (default: enabled)])],
[ ENABLED_SYS_CA_CERTS=$enableval ],
[ ENABLED_SYS_CA_CERTS=yes ]
)
AC_ARG_ENABLE([dual-alg-certs],
[AS_HELP_STRING([--enable-dual-alg-certs],[Enable support for dual key/signature certificates in TLS 1.3 as defined in X9.146 (requires --enable-experimental) (default: disabled)])],
[ ENABLED_DUAL_ALG_CERTS=$enableval ],
[ ENABLED_DUAL_ALG_CERTS=no ]
)
AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([dual-alg-certs requires --enable-experimental.]) ])
AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_CRYPTONLY" = "yes" ],[ AC_MSG_ERROR([dual-alg-certs is incompatible with --enable-cryptonly.]) ])
# Adds functionality to support Raw Public Key (RPK) RFC7250
AC_ARG_ENABLE([rpk],
[AS_HELP_STRING([--enable-rpk],[Enable support for Raw Public Key (RPK) RFC7250 (default: disabled)])],
[ ENABLED_RPK=$enableval ],
[ ENABLED_RPK=no ]
)
# Allows dynamically loading the certificate
AC_ARG_ENABLE([cert-setup-cb],
[AS_HELP_STRING([--enable-cert-setup-cb],[Enable support for dynamically loading TLS certificates (default: disabled)])],
[ ENABLED_CERT_SETUP_CB=$enableval ],
[ ENABLED_CERT_SETUP_CB=no ]
)
# check if should run the trusted peer certs test
# (for now checking both C_FLAGS and C_EXTRA_FLAGS)
AS_CASE(["$CFLAGS $CPPFLAGS"],[*'WOLFSSL_TRUST_PEER_CERT'*],[ENABLED_TRUSTED_PEER_CERT=yes])
# Allows disabling the OPENSSL_COMPATIBLE_DEFAULTS macro
AC_ARG_ENABLE([openssl-compatible-defaults],
[AS_HELP_STRING([--disable-openssl-compatible-defaults],[Disable OpenSSL compatible defaults when enabled by other options (default: enabled)])],
[ ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=$enableval ],
[ ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=yes ]
)
AS_CASE(["$CFLAGS $CPPFLAGS $AM_CFLAGS"],[*'OPENSSL_COMPATIBLE_DEFAULTS'*],
[FOUND_OPENSSL_COMPATIBLE_DEFAULTS=yes])
if test "x$FOUND_OPENSSL_COMPATIBLE_DEFAULTS" = "xyes"
then
if test "x$ENABLED_OPENSSL_COMPATIBLE_DEFAULTS" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT"
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PRIORITIZE_PSK"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CHECK_ALERT_ON_ERR"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TICKET_HAVE_ID"
ENABLED_TRUSTED_PEER_CERT=yes
else
CFLAGS=$(printf "%s" "$CFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g')
CPPFLAGS=$(printf "%s" "$CPPFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g')
AM_CFLAGS=$(printf "%s" "$AM_CFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g')
fi
fi
# Make function 'wolfSSL_X509_EXTENSION_get_data' return different type of
# data for each type of extension, as it used to do in the past, instead of
# always returning the full OCTET STRING of the extension. Use only if you
# need to keep compatibility with older versions.
AC_ARG_ENABLE([old-extdata-fmt],
[AS_HELP_STRING([--enable-old-extdata-fmt],[Enable old format for extracting extension data (default: disabled)])],
[ ENABLED_OLD_EXTDATA_FMT=$enableval ],
[ ENABLED_OLD_EXTDATA_FMT=no ]
)
if test "x$ENABLED_OLD_EXTDATA_FMT" = "xyes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_EXTDATA_FMT"
fi
# determine if we have key validation mechanism
if test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_RSA" = "xyes"
then
if test "$ENABLED_ASN" != "no" && test "$ENABLED_ASN" != "nocrypt"
then
ENABLED_PKI="yes"
fi
fi
# When building for wolfRand, strip out all options to disable everything.
AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" = "xrand"],
[NEW_AM_CFLAGS="-DNO_AES -DNO_DH -DNO_ASN -DNO_RSA -DNO_SHA -DNO_MD5 -DNO_BIG_INT"
for v in $AM_CFLAGS
do
case $v in
-DHAVE_FFDHE_2048 | -DTFM_TIMING_RESISTANT | -DECC_TIMING_RESISTANT | \
-DWC_RSA_BLINDING | -DHAVE_AESGCM | -DWOLFSSL_SHA512 | -DWOLFSSL_SHA384 | \
-DHAVE_ECC | -DTFM_ECC256 | -DECC_SHAMIR | -DHAVE_TLS_EXTENSIONS | \
-DHAVE_SUPPORTED_CURVES | -DHAVE_EXTENDED_MASTER | -DUSE_FAST_MATH | \
-DWOLFSSL_SHA3)
AS_ECHO(["ignoring $v"])
;;
*)
NEW_AM_CFLAGS="$NEW_AM_CFLAGS $v"
;;
esac
done
AM_CFLAGS=$NEW_AM_CFLAGS])
case $host_cpu in
*arm*)
if test "$host_alias" = "thumb" || test "$ARM_TARGET" = "thumb"; then
AM_CFLAGS="$AM_CFLAGS -mthumb -march=armv6"
ENABLED_ARM_THUMB=yes
else
if test "$host_alias" = "cortex" || test "$ARM_TARGET" = "cortex"; then
AM_CFLAGS="$AM_CFLAGS -mcpu=cortex-r5"
fi
fi
;;
esac
if test "$ENABLED_LOWRESOURCE" = "yes" && test "$ENABLED_ECC" = "yes" && (test "$ENABLED_RSA" = "yes" || test "$ENABLED_DH" = "yes") && (test "$ENABLED_SP_MATH" = "yes" || test "$ENABLED_SP_MATH_ALL" = "yes")
then
AM_CFLAGS="$AM_CFLAGS -DALT_ECC_SIZE"
fi
################################################################################
# Update ENABLE_* variables #
################################################################################
if test "x$ENABLED_SYS_CA_CERTS" = "xyes"
then
if test "x$ENABLED_CERTS" = "xno"
then
ENABLED_SYS_CA_CERTS="no"
fi
case $host_os in
*darwin*)
# Headers used for MacOS default system CA certs behavior. Only MacOS SDK will have this header
AC_CHECK_HEADERS([Security/SecTrustSettings.h])
# Headers used for Apple native cert validation. All device SDKs should have these headers
AC_CHECK_HEADERS([Security/SecCertificate.h])
AC_CHECK_HEADERS([Security/SecTrust.h])
AC_CHECK_HEADERS([Security/SecPolicy.h])
# Either Security/SecTrustSettings (for MacOS cert loading), or the
# trio of Security/SecCertificate.h, Security/SecTrust.h, and
# Security/SecPolicy.h (for native trust APIs on other apple devices)
# must be present. Default to SecTrustSettings method on MacOS.
AS_IF([test "$ac_cv_header_Security_SecTrustSettings_h" = "yes" \
|| (test "$ac_cv_header_Security_SecCertificate_h" = "yes" \
&& test "$ac_cv_header_Security_SecTrust_h" = "yes" \
&& test "$ac_cv_header_Security_SecPolicy_h" = "yes")],
[
LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
AS_IF([test "$ac_cv_header_Security_SecTrustSettings_h" != "yes"],
[
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION"
])
],
[
AC_MSG_ERROR([Unable to find Apple Security.framework headers])
])
;;
mingw*)
;;
*)
# Only disable on no filesystem non Mac/Windows, as Mac and Windows
# depend on APIs which don't need filesystem support enabled in wolfSSL.
if test "x$ENABLED_FILESYSTEM" = "xno"
then
ENABLED_SYS_CA_CERTS="no"
fi
;;
esac
fi
if test "x$ENABLED_WOLFCLU" = "xyes"
then
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
fi
# Requires md5
if test "$ENABLED_MD5" = "no"
then
ENABLED_MD5="yes"
fi
# Requires aesctr
if test "x$ENABLED_AESCTR" = "xno"
then
ENABLED_AESCTR="yes"
fi
# Uses key generation
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
fi
# Uses functions guarded by opensslall
if test "$ENABLED_OPENSSLALL" = "no"
then
ENABLED_OPENSSLALL="yes"
fi
# Has option for signing with ED25519
if test "$ENABLED_ED25519" = "no"
then
ENABLED_ED25519=yes
ENABLED_FEMATH=yes
ENABLED_GEMATH=yes
ENABLED_CERTS=yes
fi
# Has sha512 hashing
if test "$ENABLED_SHA512" = "no"
then
ENABLED_SHA512="yes"
fi
# Has support for DES3 encrypt/decrypt
if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -lt 5)
then
ENABLED_DES3="yes"
fi
# Has support for PKCS7
if test "$ENABLED_PKCS7" = "no"
then
ENABLED_PKCS7=yes
fi
# Uses alt name
ENABLED_ALTNAMES="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_OID_ENCODING -DWOLFSSL_NO_ASN_STRICT"
# OCSP responder
if test "$ENABLED_OCSP" = "no"; then
ENABLED_OCSP="yes"
fi
if test "$ENABLED_OCSP_RESPONDER" = "no"; then
ENABLED_OCSP_RESPONDER="yes"
fi
fi
if test "$ENABLED_STRONGSWAN" = "yes"; then
if test "$ENABLED_CERTREQ" = "no"; then
ENABLED_CERTREQ="yes"
fi
if test "$ENABLED_OCSP" = "no"; then
ENABLED_OCSP="yes"
fi
fi
AS_IF([test "x$ENABLED_MCAPI" = "xyes"],
[AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])])
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \
test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \
test "$ENABLED_OPENSSLALL" = "yes" || \
test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" || \
test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes"
then
ENABLED_OPENSSLEXTRA="yes"
fi
if test "$ENABLED_CURVE25519" != "no" && test "$ENABLED_CURVE25519" != "asm" && test "$KERNEL_MODE_DEFAULTS" = "yes"
then
ENABLED_CURVE25519=noasm
fi
if test "$ENABLED_ED25519" != "no" && test "$ENABLED_ED25519" != "asm" && test "$KERNEL_MODE_DEFAULTS" = "yes"
then
ENABLED_ED25519=noasm
fi
if test "$ENABLED_CURVE25519" = "noasm" || test "$ENABLED_ED25519" = "noasm"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_X64"
fi
if test "$ENABLED_CURVE25519" != "no"
then
if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_CURVE25519" = "nonblock" || test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
ENABLED_CURVE25519_SMALL=yes
fi
if test "$ENABLED_CURVE25519" = "nonblock"
then
AM_CFLAGS="$AM_CFLAGS -DWC_X25519_NONBLOCK"
fi
if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
fi
if test "$ENABLED_CURVE25519" = "ed"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CURVE25519_USE_ED25519"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_CURVE25519_USE_ED25519"
fi
if test "$ENABLED_CURVE25519" = "not-ed"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CURVE25519_NOT_USE_ED25519"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_CURVE25519_NOT_USE_ED25519"
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
ENABLED_FEMATH=yes
fi
if test "$ENABLED_ED25519" != "no"
then
if test "$ENABLED_ED25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"
ENABLED_ED25519_SMALL=yes
ENABLED_CURVE25519_SMALL=yes
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"
ENABLED_FEMATH=yes
ENABLED_GEMATH=yes
ENABLED_CERTS=yes
fi
if test "$ENABLED_MD5" = "yes"
then
# turn off MD5 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_MD5=no
fi
fi
if test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_CERTS" = "xno" || \
test "x$ENABLED_ASN" = "xno"
then
ENABLED_CERTS=no
ENABLED_ASN=no
fi
################################################################################
# Check for build-type conflicts #
################################################################################
AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
test "x$ENABLED_LEANPSK" = "xyes"],
[AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])])
AS_IF([test "x$ENABLED_CRYPTONLY" = "xno" && \
test "x$ENABLED_PSK" = "xno" && \
test "x$ENABLED_ASN" = "xno"],
[AC_MSG_ERROR([please enable psk if disabling asn.])])
AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
test "x$ENABLED_ASN" = "xno"],
[AC_MSG_ERROR([please enable asn if enabling ocsp.])])
AS_IF([test "x$ENABLED_SMIME" = "xyes" && \
test "x$ENABLED_ASN" = "xno"],
[AC_MSG_ERROR([please enable asn if enabling S/MIME.])])
AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
test "x$ENABLED_RSA" = "xno" && \
test "x$ENABLED_ECC" = "xno"],
[AC_MSG_ERROR([please enable rsa or ecc if enabling ocsp.])])
# Sync Intel QA and Sync Cavium Octeon require the crypto callback
AS_IF([test "x$ENABLED_INTEL_QA_SYNC" = "xyes" || test "x$ENABLED_OCTEON_SYNC" = "xyes"],
[AS_IF([test "x$ENABLED_CRYPTOCB" = "xno"],
[AC_MSG_ERROR([please enable the crypto callback support using --enable-cryptocb])])])
# checks for pkcs7 needed enables
AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
test "x$ENABLED_RSA" = "xno" && \
test "x$ENABLED_ECC" = "xno"],
[AC_MSG_ERROR([please enable ecc or rsa if enabling pkcs7.])])
AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
test "x$ENABLED_SHA" = "xno" && \
test "x$ENABLED_SHA256" = "xno"],
[AC_MSG_ERROR([please enable sha or sha256 if enabling pkcs7.])])
AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
test "x$ENABLED_AES" = "xno" && \
test "x$ENABLED_DES3" = "xno"],
[AC_MSG_ERROR([please enable either AES or 3DES if enabling pkcs7.])])
AS_IF([test "x$ENABLED_WOLFSCEP" = "xyes" && \
test "x$ENABLED_AES" = "xno" && \
test "x$ENABLED_DES3" = "xno"],
[AC_MSG_ERROR([please enable either AES or 3DES if enabling scep.])])
AS_IF([test "x$ENABLED_LEANTLS" = "xyes" && \
test "x$ENABLED_ECC" = "xno"],
[AC_MSG_ERROR([please enable ecc if enabling leantls.])])
AS_IF([test "x$ENABLED_SNIFFER" = "xyes" && \
test "x$ENABLED_RSA" = "xno" && \
test "x$ENABLED_ECC" = "xno" && \
test "x$ENABLED_CURVE25519" = "xno"],
[AC_MSG_ERROR([please enable ecc, rsa or curve25519 if enabling sniffer.])])
# Lean TLS forces off prereqs of SCEP.
AS_IF([test "x$ENABLED_SCEP" = "xyes" && \
test "x$ENABLED_LEANTLS" = "xyes"],
[AC_MSG_ERROR([Cannot use SCEP and Lean TLS at the same time.])])
# CMAC currently requires AES.
AS_IF([test "x$ENABLED_CMAC" = "xyes" && \
test "x$ENABLED_AES" = "xno"],
[AC_MSG_ERROR([cannot use CMAC without AES.])])
# certreq requires certgen
AS_IF([test "x$ENABLED_CERT_REQ" = "xyes" && \
test "x$ENABLED_CERT_GEN" = "xno"],
[AC_MSG_ERROR([cannot use certreq without certgen.])])
# ed25519 requires sha512
AS_IF([test "$ENABLED_ED25519" != "no" && \
test "x$ENABLED_SHA512" = "xno" && \
test "x$ENABLED_32BIT" = "xno"],
[AC_MSG_ERROR([cannot enable ed25519 without enabling sha512.])])
# ed25519 stream requires ed25519
AS_IF([test "x$ENABLED_ED25519_STREAM" = "xyes" && \
test "x$ENABLED_ED25519" = "xno"],
[AC_MSG_ERROR([ED25519 verify streaming enabled but ED25519 is disabled])])
# Ensure only one size is enabled
AS_IF([test "x$ENABLED_64BIT" = "xyes" && \
test "x$ENABLED_32BIT" = "xyes"],
[AC_MSG_ERROR([cannot specify 64-bit build and 32-bit build.])])
AS_IF([test "x$ENABLED_64BIT" = "xyes" && \
test "x$ENABLED_16BIT" = "xyes"],
[AC_MSG_ERROR([cannot specify 64-bit build and 16-bit build.])])
AS_IF([test "x$ENABLED_32BIT" = "xyes" && \
test "x$ENABLED_16BIT" = "xyes"],
[AC_MSG_ERROR([cannot specify 32-bit build and 16-bit build.])])
# 16-bit build not supported with SP
AS_IF([test "x$ENABLED_16BIT" = "xyes" && \
test "x$ENABLED_SP" = "xyes"],
[AC_MSG_ERROR([16-bit build not available with SP.])])
################################################################################
# Update CFLAGS based on options #
################################################################################
AS_IF([test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no" &&
test "$ENABLED_FASTMATH" = "no" && test "$ENABLED_HEAPMATH" = "no"],
[AM_CFLAGS="$AM_CFLAGS -DNO_BIG_INT"])
AS_IF([test "x$ENABLED_CERTS" = "xno"],
[AM_CFLAGS="$AM_CFLAGS -DNO_CERTS"])
AS_IF([test "x$ENABLED_ASN" = "xno"],
[AM_CFLAGS="$AM_CFLAGS -DNO_ASN"])
AS_IF([test "x$ENABLED_SYS_CA_CERTS" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CA_CERTS"])
AS_IF([test "x$ENABLED_DUAL_ALG_CERTS" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DUAL_ALG_CERTS"])
AS_IF([test "x$ENABLED_RPK" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_RPK"])
AS_IF([test "x$ENABLED_CERT_SETUP_CB" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_SETUP_CB"])
AS_IF([test "x$ENABLED_ALTNAMES" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_NAMES"])
AS_IF([test "x$ENABLED_KEYGEN" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
AS_IF([test "x$ENABLED_ACERT" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ACERT"])
AS_IF([test "x$ENABLED_CERTREQ" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"])
AS_IF([test "x$ENABLED_CERTGEN" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"])
AS_IF([test "x$ENABLED_CERTEXT" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"])
AS_IF([test "x$ENABLED_OCSP" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"])
AS_IF([test "x$ENABLED_OCSP_RESPONDER" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP_RESPONDER"])
if test "$ENABLED_OCSP" = "yes"
then
# check openssl command tool for testing ocsp
AC_CHECK_PROG([HAVE_OPENSSL_CMD],[openssl],[yes],[no])
if test "$HAVE_OPENSSL_CMD" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_OPENSSL_CMD"
else
AC_MSG_WARN([openssl command line tool not available for testing ocsp])
fi
fi
AS_IF([test "x$ENABLED_STRONGSWAN" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LOG_PRINTF -DWOLFSSL_PUBLIC_MP -DHAVE_EX_DATA"
AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])])
AS_IF([test "x$ENABLED_OPENLDAP" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"])
AS_IF([test "x$ENABLED_MOSQUITTO" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"])
if test "$ENABLED_ED25519_STREAM" != "no" && test "$ENABLED_SE050" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED25519_STREAMING_VERIFY"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ED25519_STREAMING_VERIFY"
fi
if test "$ENABLED_ERROR_QUEUE" = "no" || test "$ENABLED_JNI" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_QUEUE"
fi
AS_IF([test "x$ENABLED_OPENSSLALL" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_CERT_NAME_ALL"])
AS_IF([test "x$ENABLED_AESSIV" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_SIV"])
AS_IF([test "x$ENABLED_AESCTR" = "xyes" && test "x$ENABLED_FORTRESS" != "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT"])
if test "$ENABLED_MD5" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
fi
AS_IF([test "x$ENABLED_AESBS" = "xyes" && test "x$ENABLED_ARMASM" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"])
if test "$ENABLED_HMAC" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_HMAC"
fi
if test "$ENABLED_OPENSSLEXTRA" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
if test "$ENABLED_OPENSSLEXTRA" = "x509small"
then
AC_MSG_NOTICE([Enabling only a subset of X509 opensslextra])
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
fi
if test "$ENABLED_WOLFSCEP" = "yes"
then
# Enable prereqs if not already enabled
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
if test "x$ENABLED_CERTEXT" = "xno"
then
ENABLED_CERTEXT="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
fi
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_WOLFSCEP"
fi
if test "x$ENABLED_PKCS7" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS7"
# Enable prereqs if not already enabled
if test "x$ENABLED_AESKEYWRAP" = "xno"
then
ENABLED_AESKEYWRAP="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP -DWOLFSSL_AES_DIRECT"
fi
if test "x$ENABLED_X963KDF" = "xno" && test "$ENABLED_ECC" != "no"
then
ENABLED_X963KDF="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF"
fi
fi
if test "x$ENABLED_DES3" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
else
# turn off DES3 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
ENABLED_DES3=no
fi
fi
if test "x$ENABLED_DES3_TLS_SUITES" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3_TLS_SUITES"
else
AS_IF([test "x$ENABLED_DES3" = "xno"],
[AC_MSG_ERROR([DES3 TLS suites require DES3])])
fi
if test "$ENABLED_AESGCM" != "no"
then
if test "$ENABLED_AESGCM" = "word"
then
ENABLED_AESGCM=yes
fi
if test "$ENABLED_AESGCM" = "word32"
then
AM_CFLAGS="$AM_CFLAGS -DGCM_WORD32"
ENABLED_AESGCM=yes
fi
if test "$ENABLED_AESGCM" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DGCM_SMALL"
ENABLED_AESGCM=yes
fi
if test "$ENABLED_AESGCM" = "table"
then
AM_CFLAGS="$AM_CFLAGS -DGCM_TABLE"
ENABLED_AESGCM=yes
fi
if test "$ENABLED_AESGCM" = "4bit"
then
AM_CFLAGS="$AM_CFLAGS -DGCM_TABLE_4BIT"
ENABLED_AESGCM=yes
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"
fi
if test "$ENABLED_AESGCM_STREAM" != "no"
then
if test "$ENABLED_AESGCM" = "no"
then
AC_MSG_ERROR([AES-GCM streaming is enabled but AES-GCM is disabled.])
elif test "$ENABLED_RISCV_ASM" = "yes"
then
AC_MSG_ERROR([RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM.])
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESGCM_STREAM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AESGCM_STREAM"
fi
fi
if test "$ENABLED_AESXTS_STREAM" != "no"
then
if test "$ENABLED_AESXTS" = "no"
then
AC_MSG_ERROR([AES-XTS streaming enabled but AES-XTS is disabled])
else
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESXTS_STREAM"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AESXTS_STREAM"
fi
fi
if test "$ENABLED_IOTSAFE" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IOTSAFE"
ENABLED_IOTSAFE=yes
fi
if test "$ENABLED_IOTSAFE_HWRNG" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_IOTSAFE_HWRNG"
ENABLED_IOTSAFE_HWRNG=yes
fi
if test "x$ENABLED_WOLFENGINE" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_ECB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_NO_PADDING"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
AM_CFLAGS="$AM_CFLAGS -DHAVE_WOLFENGINE"
fi
if test "$ENABLED_WOLFENGINE" = "yes" && test "$ENABLED_FIPS" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DSha3=wc_Sha3"
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA256_NAMES"
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_MD5_NAME"
fi
if test "$ENABLED_WOLFENGINE" = "yes" && test "$FIPS_VERSION" != "v2"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSS_LONG_SALT"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
fi
AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH -DWOLFSSL_CIPHER_TEXT_CHECK"])
AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
test "x$ENABLED_OLD_TLS" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
ENABLED_OLD_TLS=no])
AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
test "x$ENABLED_SSLV3" = "xyes"],
[AC_MSG_ERROR([Cannot use Max Strength and SSLv3 at the same time.])])
AS_IF([test "x$ENABLED_SCTP" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SCTP"])
AS_IF([test "x$ENABLED_SRTP" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SRTP"])
AS_IF([test "x$ENABLED_MCAST" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MULTICAST"])
# WOLFSSL_AFALG does not support SHA224 yet
AS_IF([(test "x$ENABLED_AFALG" = "xyes") && (test "x$ENABLED_SHA224" = "xyes")],
[AC_MSG_ERROR([--enable-sha224 with --enable-afalg not yet supported])])
# WOLFSSL_DEVCRYPTO does not support SHA224 yet
AS_IF([(test "x$ENABLED_DEVCRYPTO" = "xyes") && \
(test "x$ENABLED_CAAM" = "xno") && \
(test "x$ENABLED_SHA224" = "xyes")],
[AC_MSG_ERROR([--enable-sha224 with --enable-devcrypto not yet supported])])
# SCTP, Multicast, SRTP, and strongSwan require DTLS
AS_IF([(test "x$ENABLED_DTLS" = "xno") && \
(test "x$ENABLED_SCTP" = "xyes" || test "x$ENABLED_MCAST" = "xyes" || \
test "x$ENABLED_SRTP" = "xyes" || \
test "x$ENABLED_STRONGSWAN" = "xyes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
ENABLED_DTLS=yes])
# Multicast requires the null cipher
AS_IF([test "x$ENABLED_NULL_CIPHER" = "xno" && \
test "x$ENABLED_MCAST" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_NULL_CIPHER"
ENABLED_NULL_CIPHER=yes])
# wolfSSH and WPA Supplicant both need Public MP, only enable once.
# This will let you know if you enabled wolfSSH but have any of the prereqs
# disabled. Some of these options, disabling them adds things to the FLAGS and
# you need to check and add items in two places depending on the option.
AS_IF([test "x$ENABLED_WOLFSSH" = "xyes"],[AS_IF([test "x$ENABLED_WPAS" = "xno"],[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"])])
if test "x$ENABLED_OPENSSLCOEXIST" = "xyes"; then
if test "x$ENABLED_OPENSSLALL" = "xyes"; then
AC_MSG_ERROR([Cannot use --enable-opensslcoexist with --enable-opensslall])
fi
fi
if test "$ENABLED_WOLFSSH" = "yes" && test "$ENABLED_HMAC" = "no"
then
AC_MSG_ERROR([WOLFSSH requires HMAC.])
fi
AS_IF([test "x$ENABLED_WOLFSSH" = "xyes"],[AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_WOLFSSH"])
# only allow secure renegotiation info with TLSV12 and ASN
if test "x$ENABLED_ASN" = "xno" || \
test "x$ENABLED_TLSV12" = "xno" || \
test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"; then
ENABLED_SECURE_RENEGOTIATION_INFO="no"
fi
if test "x$ENABLED_SECURE_RENEGOTIATION_INFO" = "xyes"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SERVER_RENEGOTIATION_INFO"
fi
if test "$ENABLED_COMPKEY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_COMP_KEY"
fi
# Deprecated Algorithm Handling
if test "$ENABLED_ARC4" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_RC4"
fi
# Link with the math library iff needed.
if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then
LT_LIB_M
fi
# multiple OCSP stapling for TLS 1.3 Certificate extension
if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes"
then
if test "$ENABLED_TLS13" = "yes"
then
if test "$ENABLED_TLS_OCSP_MULTI" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"
fi
fi
fi
################################################################################
# USER SETTINGS
if test "x$ENABLED_USERSETTINGS" = "xyes"
then
# Replace all options and just use WOLFSSL_USER_SETTINGS and
# WOLFSSL_USER_SETTINGS_ASM. Re-append build-system flags that affect
# preprocessor guards in test files and must survive the reset.
AM_CFLAGS="-DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM"
AM_CCASFLAGS="-DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM"
AS_IF([test "x$ENABLED_SWDEV" = "xyes"],[
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
])
# Generate assembly-safe user_settings_asm.h (just preprocessor directives
# from user_settings.h).
$srcdir/scripts/user_settings_asm.sh "$CPPFLAGS $CFLAGS $CXXFLAGS"
if test $? -ne 0; then
AC_MSG_ERROR([$srcdir/scripts/user_settings_asm.sh failed.])
fi
fi
# OPTIMIZE FLAGS
# For distro disable custom build options that interfere with symbol generation
if test "$GCC" = "yes" && test "$ENABLED_DISTRO" = "no"
then
if test "$ENABLED_CUDA" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -Wall -Wno-unused"
fi
if test "$ax_enable_debug" = "no"
then
AS_IF([test "x$ENABLED_OPTFLAGS" = "xyes"], [
if test "$ENABLED_FASTMATH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_FAST_CFLAGS"
if test "$ENABLED_FASTHUGEMATH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS"
fi
else
if (test "$ENABLED_SP" = "yes" || test "$ENABLED_SP_MATH_ALL" = "yes") && test "$ENABLED_SP_SMALL" = "no"
then
AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_FAST_CFLAGS"
if test "$ENABLED_FASTHUGEMATH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_LARGE_COMBA"
fi
else
AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_CFLAGS"
fi
fi
])
fi
fi
# ICC command line warning for non supported warning flags
if test "$CC" = "icc"
then
AM_CFLAGS="$AM_CFLAGS -wd10006"
fi
# Expose HAVE___UINT128_T to options flags"
if test "$ac_cv_type___uint128_t" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE___UINT128_T=1"
fi
# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h
if test "$ac_cv_func_getpid" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_GETPID=1"
fi
LIB_SOCKET_NSL
AX_HARDEN_CC_COMPILER_FLAGS
if test "$ENABLED_SELFTEST" = yes || test "$ENABLED_FIPS" = yes
then
if ! test "$ENABLED_FIPS_DEV" = yes && ! test "$ENABLED_FIPS_READY" = yes
then
# rsa.c wc_hash2mgf() switches on enum wc_HashType, which is defined
# outside the FIPS boundary. Unsupported hashes are correctly handled
# by the default clause.
AC_LANG_PUSH([C])
AX_APPEND_COMPILE_FLAGS([-Wno-switch-enum],,[$ax_append_compile_cflags_extra])
AC_LANG_POP
fi
fi
# -Wdeprecated-enum-enum-conversion is on by default in C++20, but conflicts with
# our use of enum constructs to define fungible constants.
if test "$KERNEL_MODE_DEFAULTS" != "yes"
then
AX_CHECK_COMPILE_FLAG([-Werror -Wno-deprecated-enum-enum-conversion],
[AX_APPEND_FLAG([-Wno-deprecated-enum-enum-conversion], [AM_CFLAGS])])
fi
case $host_os in
mingw*)
# if mingw then link to ws2_32 for sockets, and crypt32
LDFLAGS="$LDFLAGS -lws2_32"
LIB_ADD="$LIB_ADD -lcrypt32"
if test "$enable_shared" = "yes"
then
AC_DEFINE([WOLFSSL_DLL], [1], [Use __declspec(dllexport) when building library])
if test "$enable_static" = "yes"
then
MINGW_LIB_WARNING="yes"
fi
fi ;;
*darwin*)
# Add required frameworks for static linking on macOS
if test "$enable_shared" = "no"; then
if test "x$ENABLED_SYS_CA_CERTS" = "xyes"; then
PC_LIBS_PRIVATE="$PC_LIBS_PRIVATE -framework CoreFoundation -framework Security"
fi
fi ;;
esac
if test "$enable_shared" = "no"; then
if test "$enable_static" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TEST_STATIC_BUILD"
fi
fi
if test "$ENABLED_WOLFGUARD" = "yes"; then
if test "$ENABLED_ECC" = "no" ||
test "$ENABLED_SHA256" = "no" ||
test "$ENABLED_AESGCM" = "no" ||
test "$ENABLED_HMAC" = "no" ||
test "$ENABLED_RNG" = "no"
then
AC_MSG_ERROR([--enable-wolfguard requires ECC, SHA256-HMAC, AES-GCM, and RNG.])
fi
fi
if test "x$ENABLED_LINUXKM" = "xyes"; then
AX_SIMD_CC_COMPILER_FLAGS
AC_SUBST([CFLAGS_FPU_DISABLE])
AC_SUBST([CFLAGS_FPU_ENABLE])
AC_SUBST([CFLAGS_SIMD_DISABLE])
AC_SUBST([CFLAGS_SIMD_ENABLE])
AC_SUBST([CFLAGS_AUTO_VECTORIZE_DISABLE])
AC_SUBST([CFLAGS_AUTO_VECTORIZE_ENABLE])
AC_SUBST([ASFLAGS_FPU_DISABLE_SIMD_ENABLE])
AC_SUBST([ASFLAGS_FPU_ENABLE_SIMD_DISABLE])
AC_SUBST([ASFLAGS_FPUSIMD_DISABLE])
AC_SUBST([ASFLAGS_FPUSIMD_ENABLE])
if test "$ENABLED_OPENSSLEXTRA" != "no" && test "$ENABLED_LINUXKM_PIE" = "yes" && test "$ENABLED_CRYPTONLY" = "no"; then
AC_MSG_ERROR([--enable-opensslextra with --enable-linuxkm-pie and without --enable-cryptonly is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_FILESYSTEM" = "yes"; then
AC_MSG_ERROR([--enable-filesystem is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_AFALG" = "yes"; then
AC_MSG_ERROR([--enable-afalg is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_DEVCRYPTO" = "yes"; then
AC_MSG_ERROR([--enable-devcrypto is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_PKCS11" = "yes"; then
AC_MSG_ERROR([--enable-pkcs11 is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_JNI" = "yes"; then
AC_MSG_ERROR([--enable-jni is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_16BIT" = "yes"; then
AC_MSG_ERROR([--enable-16bit is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_SINGLETHREADED" = "yes"; then
AC_MSG_ERROR([--enable-singlethreaded is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_VALGRIND" = "yes"; then
AC_MSG_ERROR([--enable-valgrind is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_FASTMATH" = "yes"; then
AC_MSG_ERROR([--enable-fastmath is incompatible with --enable-linuxkm (exceeds stack limit).])
fi
if test "$ENABLED_LIBZ_RSA" = "yes"; then
AC_MSG_ERROR([--with-libz is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_IOPOOL" = "yes"; then
AC_MSG_ERROR([--enable-iopool is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_EXAMPLES" = "yes"; then
AC_MSG_ERROR([--enable-examples is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_SMALL_STACK" != "yes"; then
AC_MSG_ERROR([--enable-smallstack is required for --enable-linuxkm.])
fi
if test "$ENABLED_SP_MATH" != "yes" && test "$ENABLED_SP_MATH_ALL" = "no" && test "$ENABLED_BIGNUM" != "no"; then
AC_MSG_ERROR([--enable-sp-math or --enable-sp-math-all is required for --enable-linuxkm.])
fi
if test "$ENABLED_STACKSIZE" != "no"; then
AC_MSG_ERROR([--enable-stacksize is incompatible with --enable-linuxkm.])
fi
if test "$ENABLED_STACKLOG" = "yes"; then
AC_MSG_ERROR([--enable-stacklog is incompatible with --enable-linuxkm.])
fi
fi
AS_IF([test "$ENABLED_ASM" = "no" && (test "$ENABLED_INTELASM" != "no" || \
test "$ENABLED_AESNI" != "no" || \
test "$ENABLED_ARMASM" != "no" || \
test "$ENABLED_RISCV_ASM" != "no" || \
test "$ENABLED_SP_ASM" != "no")],
[AC_MSG_WARN([Conflicting asm settings.])])
# The following AM_CONDITIONAL statements set flags for use in the Makefiles.
# Some of these affect build targets and objects, some trigger different
# test scripts for make check.
AM_CONDITIONAL([BUILD_DISTRO],[test "x$ENABLED_DISTRO" = "xyes"])
AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xnoinstall"])
AM_CONDITIONAL([BUILD_ALL],[test "x$ENABLED_ALL" = "xyes"])
AM_CONDITIONAL([BUILD_TLS13],[test "x$ENABLED_TLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RNG],[test "x$ENABLED_RNG" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SCTP],[test "x$ENABLED_SCTP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SRTP],[test "x$ENABLED_SRTP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MCAST],[test "x$ENABLED_MCAST" = "xyes"])
AM_CONDITIONAL([BUILD_IPV6],[test "x$ENABLED_IPV6" = "xyes"])
AM_CONDITIONAL([BUILD_LEANPSK],[test "x$ENABLED_LEANPSK" = "xyes"])
AM_CONDITIONAL([BUILD_LEANTLS],[test "x$ENABLED_LEANTLS" = "xyes"])
AM_CONDITIONAL([BUILD_LOWMEM],[test "x$ENABLED_LOWRESOURCE" = "xyes"])
AM_CONDITIONAL([BUILD_PKCALLBACKS], [ test "x$ENABLED_PKCALLBACKS" = "xyes"])
AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB],[test "x$ENABLED_CRYPTOAUTHLIB" = "xyes"])
AM_CONDITIONAL([BUILD_SNIFFER], [ test "x$ENABLED_SNIFFER" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SNIFFTEST],[ test "x$ENABLED_SNIFFTEST" = "xyes"])
AM_CONDITIONAL([BUILD_AESGCM],[test "x$ENABLED_AESGCM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_AESCCM],[test "x$ENABLED_AESCCM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_AESXTS],[test "x$ENABLED_AESXTS" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ARMASM],[test "x$ENABLED_ARMASM" = "xyes"])
AM_CONDITIONAL([BUILD_ARMASM_INLINE],[test "x$ENABLED_ARMASM_INLINE" = "xyes"])
AM_CONDITIONAL([BUILD_ARMASM_CRYPTO],[test "x$ENABLED_ARMASM_CRYPTO" = "xyes"])
AM_CONDITIONAL([BUILD_ARMASM_NEON],[test "x$ENABLED_ARMASM_NEON" = "xyes"])
AM_CONDITIONAL([BUILD_ARM_THUMB],[test "$ENABLED_ARM_THUMB" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
AM_CONDITIONAL([BUILD_ARM_NONTHUMB],[test "$ENABLED_ARM_THUMB" != "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
AM_CONDITIONAL([BUILD_ARM_32],[test "$ENABLED_ARM_32" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
AM_CONDITIONAL([BUILD_ARM_64],[test "$ENABLED_ARM_64" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
AM_CONDITIONAL([BUILD_RISCV_ASM],[test "x$ENABLED_RISCV_ASM" = "xyes"])
AM_CONDITIONAL([BUILD_PPC32_ASM],[test "x$ENABLED_PPC32_ASM" = "xyes"])
AM_CONDITIONAL([BUILD_PPC32_ASM_INLINE],[test "x$ENABLED_PPC32_ASM_INLINE" = "xyes"])
AM_CONDITIONAL([BUILD_PPC32_ASM_INLINE_REG],[test "x$ENABLED_PPC32_ASM_INLINE_REG" = "xyes"])
AM_CONDITIONAL([BUILD_XILINX],[test "x$ENABLED_XILINX" = "xyes"])
AM_CONDITIONAL([BUILD_AESNI],[test "x$ENABLED_AESNI" = "xyes"])
AM_CONDITIONAL([BUILD_INTELASM],[test "x$ENABLED_INTELASM" = "xyes"])
AM_CONDITIONAL([BUILD_X86_ASM],[test "x$ENABLED_X86_ASM" = "xyes"])
AM_CONDITIONAL([BUILD_AFALG],[test "x$ENABLED_AFALG" = "xyes"])
AM_CONDITIONAL([BUILD_KCAPI],[test "x$ENABLED_KCAPI" = "xyes"])
AM_CONDITIONAL([BUILD_DEVCRYPTO],[test "x$ENABLED_DEVCRYPTO" = "xyes"])
AM_CONDITIONAL([BUILD_CAMELLIA],[test "x$ENABLED_CAMELLIA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MD2],[test "x$ENABLED_MD2" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RIPEMD],[test "x$ENABLED_RIPEMD" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_BLAKE2B],[test "x$ENABLED_BLAKE2B" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_BLAKE2S],[test "x$ENABLED_BLAKE2S" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SHA512],[test "x$ENABLED_SHA512" = "xyes" || test "x$ENABLED_SHA384" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_DSA],[test "x$ENABLED_DSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ECC],[test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ED25519],[test "$ENABLED_ED25519" != "no" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ED25519_SMALL],[test "x$ENABLED_ED25519_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_FEMATH], [test "x$ENABLED_FEMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_GEMATH], [test "x$ENABLED_GEMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CURVE25519],[test "$ENABLED_CURVE25519" != "no" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CURVE25519_INTELASM],[test "$ENABLED_CURVE25519" != "noasm" && test "$ENABLED_ED25519" != "noasm" && test "$ENABLED_INTELASM" = "yes"])
AM_CONDITIONAL([BUILD_CURVE25519_SMALL],[test "x$ENABLED_CURVE25519_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ED448],[test "x$ENABLED_ED448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ED448_SMALL],[test "x$ENABLED_ED448_SMALL" = "xyes"])
AM_CONDITIONAL([BUILD_FE448], [test "x$ENABLED_FE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_GE448], [test "x$ENABLED_GE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CURVE448],[test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CURVE448_SMALL],[test "x$ENABLED_CURVE448_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_WC_LMS],[test "x$ENABLED_LMS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_WC_XMSS],[test "x$ENABLED_XMSS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_WC_SLHDSA],[test "x$ENABLED_SLHDSA" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_WC_MLKEM],[test "x$ENABLED_MLKEM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MLDSA],[test "x$ENABLED_MLDSA" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ECCSI],[test "x$ENABLED_ECCSI" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SAKKE],[test "x$ENABLED_SAKKE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MEMORY],[test "x$ENABLED_MEMORY" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MEMUSE],[test "x$ENABLED_ENTROPY_MEMUSE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RNG_BANK],[test "$ENABLED_RNG_BANK" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
AM_CONDITIONAL([BUILD_RSA],[test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_DH],[test "x$ENABLED_DH" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ASN],[test "x$ENABLED_ASN" != "xno" || test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_AES],[test "x$ENABLED_AES" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CODING],[test "x$ENABLED_CODING" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RC4],[test "x$ENABLED_ARC4" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MD5],[test "x$ENABLED_MD5" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SHA],[test "x$ENABLED_SHA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"])
AC_SUBST([ENABLED_FIPS])
AM_CONDITIONAL([BUILD_FIPS_V1],[test "$HAVE_FIPS_VERSION" = 1])
AM_CONDITIONAL([BUILD_FIPS_V2],[test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 0])
AM_CONDITIONAL([BUILD_FIPS_V2_PLUS],[test "$HAVE_FIPS_VERSION" -ge 2 ])
AM_CONDITIONAL([BUILD_FIPS_RAND],[test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 1])
AM_CONDITIONAL([BUILD_FIPS_V5],[test "$HAVE_FIPS_VERSION" = 5])
AM_CONDITIONAL([BUILD_FIPS_V5_PLUS],[test "$HAVE_FIPS_VERSION" -ge 5])
AM_CONDITIONAL([BUILD_FIPS_V6],[test $HAVE_FIPS_VERSION = 6])
AM_CONDITIONAL([BUILD_FIPS_V6_PLUS],[test $HAVE_FIPS_VERSION -ge 6])
AM_CONDITIONAL([BUILD_FIPS_V7],[test $HAVE_FIPS_VERSION = 7])
AM_CONDITIONAL([BUILD_FIPS_V7_PLUS],[test $HAVE_FIPS_VERSION -ge 7])
AM_CONDITIONAL([BUILD_SIPHASH],[test "x$ENABLED_SIPHASH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SHE],[test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SHA3],[test "x$ENABLED_SHA3" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_POLY1305],[test "x$ENABLED_POLY1305" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CHACHA],[test "x$ENABLED_CHACHA" = "xyes" || test "x$ENABLED_CHACHA" = "xnoasm" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CHACHA_NOASM],[test "$ENABLED_CHACHA" = "noasm"])
AM_CONDITIONAL([BUILD_XCHACHA],[test "x$ENABLED_XCHACHA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ASCON],[test "x$ENABLED_ASCON" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PUF],[test "x$ENABLED_PUF" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SM2],[test "x$ENABLED_SM2" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SM3],[test "x$ENABLED_SM3" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SM4],[test "x$ENABLED_SM4" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" && test "x$ENABLED_TLS13" = "xyes" && test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
AM_CONDITIONAL([BUILD_LIBOQS],[test "x$ENABLED_LIBOQS" = "xyes"])
AM_CONDITIONAL([BUILD_WNR],[test "x$ENABLED_WNR" = "xyes"])
AM_CONDITIONAL([BUILD_SRP],[test "x$ENABLED_SRP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([USE_VALGRIND],[test "x$ENABLED_VALGRIND" = "xyes"])
AM_CONDITIONAL([BUILD_MD4],[test "x$ENABLED_MD4" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PWDBASED],[test "x$ENABLED_PWDBASED" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SCRYPT],[test "x$ENABLED_SCRYPT" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CRYPTONLY],[test "x$ENABLED_CRYPTONLY" = "xyes"])
AM_CONDITIONAL([BUILD_FASTMATH],[test "x$ENABLED_FASTMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_HEAPMATH],[test "x$ENABLED_HEAPMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
AM_CONDITIONAL([BUILD_EXAMPLE_ASN1],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_ASN_PRINT" = "xyes" && test "$ENABLED_ASN" != "no"])
AM_CONDITIONAL([BUILD_OCSP_RESPONDER],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_OCSP_RESPONDER" = "xyes"])
AM_CONDITIONAL([BUILD_TESTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
AM_CONDITIONAL([BUILD_THREADED_EXAMPLES],[test "x$ENABLED_SINGLETHREADED" = "xno" && test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS],[test "x$ENABLED_CRYPT_TESTS" = "xyes"])
AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS_LIBS],[test "x$ENABLED_CRYPT_TESTS_LIBS" = "xyes"])
AM_CONDITIONAL([BUILD_LIBZ],[test "x$ENABLED_LIBZ" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS11],[test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS12],[test "x$ENABLED_PKCS12" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS8],[test "x$ENABLED_PKCS8" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CAVIUM],[test "x$ENABLED_CAVIUM" = "xyes"])
AM_CONDITIONAL([BUILD_CAVIUM_V],[test "x$ENABLED_CAVIUM_V" = "xyes"])
AM_CONDITIONAL([BUILD_OCTEON_SYNC],[test "x$ENABLED_OCTEON_SYNC" = "xyes"])
AM_CONDITIONAL([BUILD_INTEL_QA],[test "x$ENABLED_INTEL_QA" = "xyes"])
AM_CONDITIONAL([BUILD_INTEL_QA_SYNC],[test "x$ENABLED_INTEL_QA_SYNC" = "xyes"])
INCLUDE_SP_INT="no"
AM_CONDITIONAL([BUILD_SP],[test "x$ENABLED_SP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_C32],[ ( ( (test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \
|| test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \
|| test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_64BIT" != "xyes"])
AM_CONDITIONAL([BUILD_SP_C64],[ ( ( (test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \
|| test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \
|| test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_32BIT" != "xyes"])
AM_CONDITIONAL([BUILD_SP_ARM64],[test "x$ENABLED_SP_ARM64_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_ARM32],[test "x$ENABLED_SP_ARM32_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_ARM_THUMB],[test "x$ENABLED_SP_ARM_THUMB_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_ARM_CORTEX],[test "x$ENABLED_SP_ARM_CORTEX_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_X86_64],[test "x$ENABLED_SP_X86_64_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SP_INT],[test "x$ENABLED_SP_MATH" = "xyes" || test "x$ENABLED_SP_MATH_ALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_COND_IF([BUILD_SP], [INCLUDE_SP_INT="yes"])
AM_COND_IF([BUILD_SP_INT], [INCLUDE_SP_INT="yes"])
AC_SUBST([INCLUDE_SP_INT])
AM_CONDITIONAL([BUILD_MCAPI],[test "x$ENABLED_MCAPI" = "xyes"])
AM_CONDITIONAL([BUILD_ASYNCCRYPT],[test "x$ENABLED_ASYNCCRYPT" = "xyes"])
AM_CONDITIONAL([BUILD_WOLFEVENT],[test "x$ENABLED_ASYNCCRYPT" = "xyes"])
AM_CONDITIONAL([BUILD_CRYPTOCB],[test "x$ENABLED_CRYPTOCB" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SWDEV],[test "x$ENABLED_SWDEV" = "xyes"])
AM_CONDITIONAL([BUILD_PSK],[test "x$ENABLED_PSK" = "xyes"])
AM_CONDITIONAL([BUILD_TRUST_PEER_CERT],[test "x$ENABLED_TRUSTED_PEER_CERT" = "xyes"])
AM_CONDITIONAL([BUILD_PKI],[test "x$ENABLED_PKI" = "xyes"])
AM_CONDITIONAL([BUILD_DES3],[test "x$ENABLED_DES3" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_PKCS7],[test "x$ENABLED_PKCS7" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SMIME],[test "x$ENABLED_SMIME" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_HASHFLAGS],[test "x$ENABLED_HASHFLAGS" = "xyes"])
AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"])
AM_CONDITIONAL([BUILD_KERNEL_MODE_DEFAULTS],[test "$KERNEL_MODE_DEFAULTS" != "no"])
AM_CONDITIONAL([BUILD_BSDKM],[test "$ENABLED_BSDKM" = "yes"])
AM_CONDITIONAL([BUILD_KERNEL_MODULE],[test "$ENABLED_BSDKM" = "yes" || test "$ENABLED_LINUXKM" = "yes"])
AM_CONDITIONAL([BUILD_NO_LIBRARY],[test "$ENABLED_NO_LIBRARY" = "yes"])
AM_CONDITIONAL([BUILD_BENCHMARK],[test "$ENABLED_BENCHMARK" = "yes"])
AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"])
AM_CONDITIONAL([BUILD_CUDA],[test "x$ENABLED_CUDA" = "xyes"])
AM_CONDITIONAL([BUILD_CAAM],[test "x$ENABLED_CAAM" != "xno"])
AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM_QNX" = "xyes"])
AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
AM_CONDITIONAL([BUILD_STSAFE],[test "x$ENABLED_STSAFE" != "xno"])
AM_CONDITIONAL([BUILD_TROPIC01],[test "x$ENABLED_TROPIC01" = "xyes"])
AM_CONDITIONAL([BUILD_KDF],[test "x$ENABLED_KDF" = "xyes"])
AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"])
AM_CONDITIONAL([BUILD_ERROR_STRINGS],[test "x$ENABLED_ERROR_STRINGS" = "xyes"])
AM_CONDITIONAL([BUILD_DO178],[test "x$ENABLED_DO178" = "xyes"])
AM_CONDITIONAL([BUILD_PSA],[test "x$ENABLED_PSA" = "xyes"])
AM_CONDITIONAL([BUILD_DTLS13],[test "x$ENABLED_DTLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_QUIC],[test "x$ENABLED_QUIC" = "xyes"])
AM_CONDITIONAL([BUILD_DTLS_CID],[test "x$ENABLED_DTLS_CID" = "xyes"])
AM_CONDITIONAL([BUILD_HPKE],[test "x$ENABLED_HPKE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_DTLS],[test "x$ENABLED_DTLS" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_MAXQ10XX],[test "x$ENABLED_MAXQ10XX" = "xyes"])
AM_CONDITIONAL([BUILD_ARIA],[test "x$ENABLED_ARIA" = "xyes"])
AM_CONDITIONAL([BUILD_XILINX],[test "x$ENABLED_XILINX" = "xyes"])
AM_CONDITIONAL([BUILD_AUTOSAR],[test "x$ENABLED_AUTOSAR" = "xyes"])
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" &&
(test "$ax_enable_debug" = "yes" ||
test "$ENABLED_STACKSIZE" != "no" ||
(test "$ENABLED_LEANTLS" = "no" &&
test "$ENABLED_LEANPSK" = "no" &&
test "$ENABLED_LOWRESOURCE" = "no"))
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION"
fi
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -include ${output_objdir}/.build_params"
fi
AM_CPPFLAGS="$AM_CPPFLAGS $EXTRA_CPPFLAGS"
AM_CFLAGS="$AM_CFLAGS $EXTRA_CFLAGS"
AM_CCASFLAGS="$AM_CCASFLAGS $EXTRA_CCASFLAGS"
AM_LDFLAGS="$AM_LDFLAGS $EXTRA_LDFLAGS"
CREATE_HEX_VERSION
AC_SUBST([AM_CPPFLAGS])
AC_SUBST([AM_CFLAGS])
AC_SUBST([AM_LDFLAGS])
AC_SUBST([AM_CCASFLAGS])
AC_SUBST([LIB_ADD])
AC_SUBST([LIB_STATIC_ADD])
AC_SUBST([LIBM])
AC_SUBST([PC_LIBS_PRIVATE])
AC_SUBST([WOLFSSL_HAVE_PTHREAD])
HAVE_PTHREAD=$WOLFSSL_HAVE_PTHREAD
AC_SUBST([HAVE_PTHREAD])
PACKAGE_INIT=''
AC_SUBST([PACKAGE_INIT])
WOLFSSL_PREFIX_ABS=$prefix
if test "x$WOLFSSL_PREFIX_ABS" = "xNONE"; then
WOLFSSL_PREFIX_ABS=$ac_default_prefix
fi
WOLFSSL_EXEC_PREFIX_ABS=$exec_prefix
if test "x$WOLFSSL_EXEC_PREFIX_ABS" = "xNONE"; then
WOLFSSL_EXEC_PREFIX_ABS=$WOLFSSL_PREFIX_ABS
fi
prefix=$WOLFSSL_PREFIX_ABS
exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS
eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\"
AC_SUBST([WOLFSSL_PREFIX_ABS])
AC_SUBST([WOLFSSL_LIBDIR_ABS])
AC_SUBST([WOLFSSL_INCLUDEDIR_ABS])
# FINAL
AC_CONFIG_FILES([stamp-h], [echo timestamp > stamp-h])
AC_CONFIG_FILES([Makefile
wolfssl/version.h
wolfssl/options.h
support/wolfssl.pc
debian/control
debian/changelog
rpm/spec
wolfcrypt/test/test_paths.h
])
AS_IF([ test "x$ENABLED_CMAKE_INSTALL" = "xyes" ],[
AC_CONFIG_FILES([cmake/wolfssl-config.cmake:cmake/Config.cmake.in
cmake/wolfssl-config-version.cmake:cmake/wolfssl-config-version.cmake.in
cmake/wolfssl-targets.cmake:cmake/wolfssl-targets.cmake.in
])
])
AC_CONFIG_FILES([scripts/unit.test],[chmod +x scripts/unit.test])
AC_CONFIG_FILES([debian/rules],[chmod +x debian/rules])
AX_CREATE_GENERIC_CONFIG
AX_AM_JOBSERVER([yes])
# See Automake 9.4.1 Built Sources Example
AC_DEFUN([AX_OUT_OF_TREE_FILE],[
AC_CONFIG_COMMANDS([$1], [test ! -f $srcdir/$1 && echo -n >> $srcdir/$1])
])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/async.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/fips.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/port/cavium/cavium_nitrox.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/port/intel/quickassist.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/port/intel/quickassist_mem.h])
AC_OUTPUT
if test "$ENABLED_MAKECLEAN" = "yes"
then
# force make clean
AC_MSG_NOTICE([---])
AC_MSG_NOTICE([Running make clean...])
if test -z "$MAKE"; then
MAKE="make"
fi
if test "$verbose" = "yes"; then
$MAKE clean
else
$MAKE clean >/dev/null
fi
fi
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
then
ESCAPED_ARGS=$(echo "$ac_configure_args" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
ESCAPED_GLOBAL_CFLAGS=$(echo "$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ESCAPED_ARGS\"" > "${output_objdir}/.build_params" &&
echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" ||
AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.])
else
rm -f "${output_objdir}/.build_params"
fi
# generate user options header
AC_MSG_NOTICE([---])
AC_MSG_NOTICE([Generating user options header...])
OPTION_FILE="wolfssl/options.h"
rm -f $OPTION_FILE
echo "/* wolfssl options.h" > $OPTION_FILE
echo " * generated from configure options" >> $OPTION_FILE
echo " *" >> $OPTION_FILE
echo " * Copyright (C) 2006-2026 wolfSSL Inc." >> $OPTION_FILE
echo " *" >> $OPTION_FILE
echo " * This file is part of wolfSSL. (formerly known as CyaSSL)" >> $OPTION_FILE
echo " *" >> $OPTION_FILE
echo " */" >> $OPTION_FILE
echo "" >> $OPTION_FILE
echo "#ifdef WOLFSSL_NO_OPTIONS_H" >> $OPTION_FILE
echo "/* options.h inhibited by configuration */" >> $OPTION_FILE
echo "#elif !defined(WOLFSSL_OPTIONS_H)" >> $OPTION_FILE
echo "#define WOLFSSL_OPTIONS_H" >> $OPTION_FILE
echo "" >> $OPTION_FILE
echo "" >> $OPTION_FILE
echo "#ifdef __cplusplus" >> $OPTION_FILE
echo "extern \"C\" {" >> $OPTION_FILE
echo "#endif" >> $OPTION_FILE
echo "" >> $OPTION_FILE
# Check for supported command to trim option with.
# note: cut requires an argument to exit with success.
if colrm >/dev/null 2>&1 </dev/null; then
TRIM="colrm 3"
elif echo "" | cut -c1 >/dev/null 2>&1 </dev/null; then
TRIM="cut -c1-2"
else
AC_MSG_ERROR([Could not find colrm or cut to make options file])
fi
for option in $AM_CPPFLAGS $CPPFLAGS $AM_CFLAGS $CFLAGS; do
opt_type=$(echo $option | $TRIM )
case "$opt_type" in
-D)
option=$(echo "$option" | tr -d '\\')
RHS_only=$(echo "$option" | sed 's/^-D//')
noequalsign=$(echo "$RHS_only" | tr '=' ' ')
if test "$noequalsign" = "NDEBUG" || test "$noequalsign" = "DEBUG"
then
if test "$verbose" = "yes"; then
AC_MSG_NOTICE([not outputting (N)DEBUG to $OPTION_FILE])
fi
continue
fi
# allow user to ignore system options
ignoresys=$(echo "$noequalsign" | grep '^_.*')
if test -n "$ignoresys"
then
echo "#ifndef WOLFSSL_OPTIONS_IGNORE_SYS" >> $OPTION_FILE
fi
# note need to use both autotools-style [] quoting and shell-style ''
# quoting for sed script with [] character set expression here.
noarg=$(echo "$RHS_only" | sed ['s/\(([^=)]*)\)\{0,1\}=.*//'])
echo "#undef $noarg" >> $OPTION_FILE
echo "#define $noequalsign" >> $OPTION_FILE
if test -n "$ignoresys"
then
echo "#endif" >> $OPTION_FILE
fi
echo "" >> $OPTION_FILE
;;
-U)
RHS_only=$(echo $option | sed 's/^-U//')
echo "#undef $RHS_only" >> $OPTION_FILE
echo "" >> $OPTION_FILE
;;
*)
if test "$verbose" = "yes"; then
AC_MSG_NOTICE([option "$option" is not a preprocessor directive -- not saving to $OPTION_FILE])
fi
;;
esac
done
echo "" >> $OPTION_FILE
echo "#ifdef __cplusplus" >> $OPTION_FILE
echo "}" >> $OPTION_FILE
echo "#endif" >> $OPTION_FILE
echo "" >> $OPTION_FILE
echo "" >> $OPTION_FILE
echo "#endif /* WOLFSSL_OPTIONS_H */" >> $OPTION_FILE
echo "" >> $OPTION_FILE
if test "$ENABLED_DEBUG_TRACE_ERRCODES" != "no"
then
support/gen-debug-trace-error-codes.sh || AC_MSG_ERROR([Header generation for debug-trace-errcodes failed.])
fi
if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "$ENABLED_LINUXKM" = "no"
then
SAVE_CFLAGS=$CFLAGS
CFLAGS="$CFLAGS $DEFS -I. -I$srcdir"
if test "$ENABLED_INTEL_QA" = "yes"
then
CFLAGS="$CFLAGS $QAT_FLAGS"
fi
build_pwd="$(pwd)"
cd "$srcdir"
openssl_headers=$(echo wolfssl/openssl/*.h)
cd "$build_pwd"
for header in $openssl_headers
do
AC_CHECK_HEADER([$header], [], [
AC_MSG_ERROR([Header file inconsistency detected -- error including ${header}.])
], [
#include <${OPTION_FILE}>
extern int dummy_int_to_make_compiler_happy;
])
done
CFLAGS=$SAVE_CFLAGS
fi
if test "$silent" != "yes"; then
# output config summary
echo "---"
echo "Configuration summary for $PACKAGE_NAME version $VERSION"
echo ""
echo " * Installation prefix: $prefix"
echo " * System type: $host_vendor-$host_os"
echo " * Host CPU: $host_cpu"
echo " * C Compiler: $CC"
echo " * C Flags: $CFLAGS"
echo " * C++ Compiler: $CXX"
echo " * C++ Flags: $CXXFLAGS"
echo " * CPP Flags: $CPPFLAGS"
echo " * CCAS Flags: $CCASFLAGS"
echo " * LD Flags: $LDFLAGS"
echo " * LIB Flags: $LIB"
echo " * Library Suffix: $LIBSUFFIX"
test "$HAVE_KERNEL_MODE" = "yes" && \
echo " * Kernel mode: $HAVE_KERNEL_MODE" && \
echo " * Kernel mode defaults: $KERNEL_MODE_DEFAULTS" && \
test "$ENABLED_LINUXKM" = "yes" && \
echo " * Linux Kernel Build Root: $KERNEL_ROOT" && \
echo " * Linux Kernel Build Arch: $KERNEL_ARCH" && \
echo " * fpu disable C flags: $CFLAGS_FPU_DISABLE" && \
echo " * fpu enable C flags: $CFLAGS_FPU_ENABLE" && \
echo " * SIMD disable C flags: $CFLAGS_SIMD_DISABLE" && \
echo " * SIMD enable C flags: $CFLAGS_SIMD_ENABLE" && \
echo " * No-auto-vectorize C flags: $CFLAGS_AUTO_VECTORIZE_DISABLE" && \
echo " * Auto-vectorize C flags: $CFLAGS_AUTO_VECTORIZE_ENABLE" && \
echo " * SIMD enable as flags: $ASFLAGS_FPU_DISABLE_SIMD_ENABLE" && \
echo " * FPU enable as flags: $ASFLAGS_FPU_ENABLE_SIMD_DISABLE" && \
echo " * SIMD+FPU disable as flags: $ASFLAGS_FPUSIMD_DISABLE" && \
echo " * SIMD+FPU enable as flags: $ASFLAGS_FPUSIMD_ENABLE" && \
echo " * Linux kernel module PIE: $ENABLED_LINUXKM_PIE"
test "$ENABLED_BSDKM" = "yes" && \
echo " * FreeBSD Kernel Build Root: $KERNEL_ROOT"
echo " * Debug enabled: $ax_enable_debug"
echo " * Coverage enabled: $ax_enable_coverage"
echo " * Warnings as failure: $ac_cv_warnings_as_errors"
echo " * make -j: $enable_jobserver"
echo " * VCS checkout: $ac_cv_vcs_checkout"
echo
echo " Features "
if test "$ENABLED_EXPERIMENTAL" = "yes"
then
echo " * Experimental settings: Allowed"
else
echo " * Experimental settings: Forbidden"
fi
if test "$ENABLED_FIPS" = "yes"; then
echo " * FIPS: $FIPS_VERSION"
else
echo " * FIPS: $ENABLED_FIPS"
fi
echo " * Single threaded: $ENABLED_SINGLETHREADED"
echo " * Filesystem: $ENABLED_FILESYSTEM"
echo " * OpenSSH Build: $ENABLED_OPENSSH"
echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA"
echo " * OpenSSL Coexist: $ENABLED_OPENSSLCOEXIST"
echo " * Old Names: $ENABLED_OLDNAMES"
echo " * Max Strength Build: $ENABLED_MAXSTRENGTH"
echo " * Distro Build: $ENABLED_DISTRO"
echo " * Reproducible Build: $ENABLED_REPRODUCIBLE_BUILD"
echo " * Side-channel Hardening: $ENABLED_HARDEN"
echo " * Single Precision Math: $ENABLED_SP"
if test "$ENABLED_SP_MATH_ALL" != "no"
then
ENABLED_SP_MATH_DESC="all"
else
if test "$ENABLED_SP_MATH" = "yes"
then
ENABLED_SP_MATH_DESC="restricted"
else
ENABLED_SP_MATH_DESC="no"
fi
fi
echo " * SP implementation: $ENABLED_SP_MATH_DESC"
echo " * Fast Math: $ENABLED_FASTMATH"
echo " * Heap Math: $ENABLED_HEAPMATH"
echo " * Assembly Allowed: $ENABLED_ASM"
echo " * sniffer: $ENABLED_SNIFFER"
echo " * snifftest: $ENABLED_SNIFFTEST"
echo " * ARC4: $ENABLED_ARC4"
echo " * AES: $ENABLED_AES"
echo " * AES-NI: $ENABLED_AESNI"
echo " * AVX for AES: $ENABLED_AESNI_WITH_AVX"
echo " * AES-CBC: $ENABLED_AESCBC"
echo " * AES-CBC length checks: $ENABLED_AESCBC_LENGTH_CHECKS"
echo " * AES-GCM: $ENABLED_AESGCM"
echo " * AES-GCM streaming: $ENABLED_AESGCM_STREAM"
echo " * AES-CCM: $ENABLED_AESCCM"
echo " * AES-CTR: $ENABLED_AESCTR"
echo " * AES-CFB: $ENABLED_AESCFB"
echo " * AES-OFB: $ENABLED_AESOFB"
echo " * AES-XTS: $ENABLED_AESXTS"
echo " * AES-XTS streaming: $ENABLED_AESXTS_STREAM"
echo " * AES-SIV: $ENABLED_AESSIV"
echo " * AES-EAX: $ENABLED_AESEAX"
echo " * AES Bitspliced: $ENABLED_AESBS"
echo " * AES Key Wrap: $ENABLED_AESKEYWRAP"
echo " * ARIA: $ENABLED_ARIA"
echo " * ASCON: $ENABLED_ASCON"
echo " * DES3: $ENABLED_DES3"
echo " * DES3 TLS Suites: $ENABLED_DES3_TLS_SUITES"
echo " * Camellia: $ENABLED_CAMELLIA"
echo " * CUDA: $ENABLED_CUDA"
echo " * SM4-ECB: $ENABLED_SM4_ECB"
echo " * SM4-CBC: $ENABLED_SM4_CBC"
echo " * SM4-CTR: $ENABLED_SM4_CTR"
echo " * SM4-GCM: $ENABLED_SM4_GCM"
echo " * SM4-CCM: $ENABLED_SM4_CCM"
echo " * NULL Cipher: $ENABLED_NULL_CIPHER"
echo " * MD2: $ENABLED_MD2"
echo " * MD4: $ENABLED_MD4"
echo " * MD5: $ENABLED_MD5"
echo " * RIPEMD: $ENABLED_RIPEMD"
echo " * SHA: $ENABLED_SHA"
echo " * SHA-224: $ENABLED_SHA224"
echo " * SHA-256: $ENABLED_SHA256"
echo " * SHA-384: $ENABLED_SHA384"
echo " * SHA-512: $ENABLED_SHA512"
echo " * SHA3: $ENABLED_SHA3"
echo " * SHAKE128: $ENABLED_SHAKE128"
echo " * SHAKE256: $ENABLED_SHAKE256"
echo " * SM3: $ENABLED_SM3"
echo " * BLAKE2B: $ENABLED_BLAKE2B"
echo " * BLAKE2S: $ENABLED_BLAKE2S"
echo " * SipHash: $ENABLED_SIPHASH"
echo " * CMAC: $ENABLED_CMAC"
echo " * keygen: $ENABLED_KEYGEN"
echo " * acert: $ENABLED_ACERT"
echo " * certgen: $ENABLED_CERTGEN"
echo " * certreq: $ENABLED_CERTREQ"
echo " * certext: $ENABLED_CERTEXT"
echo " * certgencache: $ENABLED_certgencache"
echo " * CHACHA: $ENABLED_CHACHA"
echo " * XCHACHA: $ENABLED_XCHACHA"
echo " * Hash DRBG: $ENABLED_HASHDRBG"
echo " * SHA-256 Hash DRBG: $ENABLED_SHA256_DRBG"
echo " * SHA-512 Hash DRBG: $ENABLED_SHA512_DRBG"
echo " * MmemUse Entropy:"
echo " * (AKA: wolfEntropy): $ENABLED_ENTROPY_MEMUSE"
echo " * PWDBASED: $ENABLED_PWDBASED"
echo " * Encrypted keys: $ENABLED_ENCKEYS"
echo " * scrypt: $ENABLED_SCRYPT"
echo " * wolfCrypt Only: $ENABLED_CRYPTONLY"
echo " * HKDF: $ENABLED_HKDF"
echo " * HPKE: $ENABLED_HPKE"
echo " * X9.63 KDF: $ENABLED_X963KDF"
echo " * SRTP-KDF: $ENABLED_SRTP_KDF"
echo " * PSK: $ENABLED_PSK"
echo " * Poly1305: $ENABLED_POLY1305"
echo " * LEANPSK: $ENABLED_LEANPSK"
echo " * LEANTLS: $ENABLED_LEANTLS"
echo " * RSA: $ENABLED_RSA"
echo " * RSA-PSS: $ENABLED_RSAPSS"
echo " * DSA: $ENABLED_DSA"
echo " * DH: $ENABLED_DH"
echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS"
echo " * ECC: $ENABLED_ECC"
echo " * ECC Custom Curves: $ENABLED_ECCCUSTCURVES"
echo " * ECC Minimum Bits: $ENABLED_ECCMINSZ"
echo " * FPECC: $ENABLED_FPECC"
echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT"
echo " * Brainpool: $ENABLED_BRAINPOOL"
echo " * SM2: $ENABLED_SM2"
echo " * CURVE25519: $ENABLED_CURVE25519"
echo " * ED25519: $ENABLED_ED25519"
echo " * ED25519 streaming: $ENABLED_ED25519_STREAM"
echo " * CURVE448: $ENABLED_CURVE448"
echo " * ED448: $ENABLED_ED448"
echo " * ED448 streaming: $ENABLED_ED448_STREAM"
echo " * LMS: $ENABLED_LMS"
echo " * XMSS: $ENABLED_XMSS"
echo " * SLH-DSA $ENABLED_SLHDSA"
echo " * MLKEM: $ENABLED_MLKEM"
echo " * ML-DSA: $ENABLED_MLDSA"
echo " * ECCSI $ENABLED_ECCSI"
echo " * SAKKE $ENABLED_SAKKE"
echo " * ASN: $ENABLED_ASN"
echo " * Anonymous cipher: $ENABLED_ANON"
echo " * CODING: $ENABLED_CODING"
echo " * MEMORY: $ENABLED_MEMORY"
echo " * I/O POOL: $ENABLED_IOPOOL"
echo " * wolfSentry: $ENABLED_WOLFSENTRY"
echo " * LIGHTY: $ENABLED_LIGHTY"
echo " * WPA Supplicant: $ENABLED_WPAS"
echo " * HAPROXY: $ENABLED_HAPROXY"
echo " * STUNNEL: $ENABLED_STUNNEL"
echo " * tcpdump: $ENABLED_TCPDUMP"
echo " * libssh2: $ENABLED_LIBSSH2"
echo " * ntp: $ENABLED_NTP"
echo " * rsyslog: $ENABLED_RSYSLOG"
echo " * Apache httpd: $ENABLED_APACHE_HTTPD"
echo " * NGINX: $ENABLED_NGINX"
echo " * OpenResty: $ENABLED_OPENRESTY"
echo " * ASIO: $ENABLED_ASIO"
echo " * LIBWEBSOCKETS: $ENABLED_LIBWEBSOCKETS"
echo " * Qt: $ENABLED_QT"
echo " * Qt Unit Testing: $ENABLED_QT_TEST"
echo " * SIGNAL: $ENABLED_SIGNAL"
echo " * chrony: $ENABLED_CHRONY"
echo " * strongSwan: $ENABLED_STRONGSWAN"
echo " * OpenLDAP: $ENABLED_OPENLDAP"
echo " * hitch: $ENABLED_HITCH"
echo " * memcached: $ENABLED_MEMCACHED"
echo " * Mosquitto $ENABLED_MOSQUITTO"
echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
echo " * DTLS: $ENABLED_DTLS"
echo " * DTLS v1.3: $ENABLED_DTLS13"
echo " * SCTP: $ENABLED_SCTP"
echo " * SRTP: $ENABLED_SRTP"
echo " * Indefinite Length: $ENABLED_BER_INDEF"
echo " * Multicast: $ENABLED_MCAST"
echo " * SSL v3.0 (Old): $ENABLED_SSLV3"
echo " * TLS v1.0 (Old): $ENABLED_TLSV10"
echo " * TLS v1.1 (Old): $ENABLED_OLD_TLS"
echo " * TLS v1.2: $ENABLED_TLSV12"
echo " * TLS v1.3: $ENABLED_TLS13"
echo " * RPK: $ENABLED_RPK"
echo " * Post-handshake Auth: $ENABLED_TLS13_POST_AUTH"
echo " * Early Data: $ENABLED_TLS13_EARLY_DATA"
echo " * QUIC: $ENABLED_QUIC"
echo " * Send State in HRR Cookie: $ENABLED_SEND_HRR_COOKIE"
echo " * OCSP: $ENABLED_OCSP"
echo " * OCSP Stapling: $ENABLED_CERTIFICATE_STATUS_REQUEST"
echo " * OCSP Stapling v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2"
echo " * CRL: $ENABLED_CRL"
echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR"
echo " * Persistent session cache: $ENABLED_SAVESESSION"
echo " * Persistent cert cache: $ENABLED_SAVECERT"
echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
echo " * liboqs: $ENABLED_LIBOQS"
echo " * Falcon (via liboqs): $ENABLED_FALCON"
echo " * Whitewood netRandom: $ENABLED_WNR"
echo " * Server Name Indication: $ENABLED_SNI"
echo " * ALPN: $ENABLED_ALPN"
echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
echo " * Trusted CA Indication: $ENABLED_TRUSTED_CA"
echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES"
echo " * FFDHE only in client: $ENABLED_FFDHE_ONLY"
echo " * Session Ticket: $ENABLED_SESSION_TICKET"
echo " * Extended Master Secret: $ENABLED_EXTENDED_MASTER"
echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
echo " * Fallback SCSV: $ENABLED_FALLBACK_SCSV"
echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL"
echo " * All TLS Extensions: $ENABLED_TLSX"
echo " * S/MIME: $ENABLED_SMIME"
echo " * PKCS#7: $ENABLED_PKCS7"
echo " * PKCS#8: $ENABLED_PKCS8"
echo " * PKCS#11: $ENABLED_PKCS11"
echo " * PKCS#12: $ENABLED_PKCS12"
echo " * wolfSSH: $ENABLED_WOLFSSH"
echo " * wolfEngine: $ENABLED_WOLFENGINE"
echo " * wolfTPM: $ENABLED_WOLFTPM"
echo " * wolfCLU: $ENABLED_WOLFCLU"
echo " * wolfSCEP: $ENABLED_WOLFSCEP"
echo " * Secure Remote Password: $ENABLED_SRP"
echo " * Small Stack: $ENABLED_SMALL_STACK"
echo " * Linux Kernel Module: $ENABLED_LINUXKM"
test "$ENABLED_LINUXKM" = "yes" && \
echo " * Linux kernel module bench: $ENABLED_KERNEL_BENCHMARKS" && \
echo " * Linux kernel alg register: $ENABLED_LINUXKM_LKCAPI_REGISTER"
echo " * valgrind unit tests: $ENABLED_VALGRIND"
echo " * LIBZ: $ENABLED_LIBZ"
echo " * Examples: $ENABLED_EXAMPLES"
echo " * Crypt tests: $ENABLED_CRYPT_TESTS"
echo " * Stack sizes in tests: $ENABLED_STACKSIZE"
echo " * Heap stats in tests: $ENABLED_TRACKMEMORY"
echo " * Asynchronous Crypto: $ENABLED_ASYNCCRYPT"
echo " * Asynchronous Crypto (sim): $ENABLED_ASYNCCRYPT_SW"
echo " * Cavium Nitrox: $ENABLED_CAVIUM"
echo " * Cavium Octeon (Sync): $ENABLED_OCTEON_SYNC"
echo " * Intel Quick Assist: $ENABLED_INTEL_QA"
if test "$ENABLED_ARMASM_INLINE" = "yes"
then
ENABLED_ARMASM="inline C"
fi
echo " * ARM ASM: $ENABLED_ARMASM"
echo " * ARM ASM SHA512/SHA3 Crypto $ENABLED_ARMASM_SHA3"
echo " * ARM ASM SM3/SM4 Crypto $ENABLED_ARMASM_CRYPTO_SM4"
echo " * RISC-V ASM $ENABLED_RISCV_ASM"
if test "$ENABLED_PPC32_ASM_INLINE" = "yes"
then
ENABLED_PPC32_ASM="inline C"
fi
if test "$ENABLED_PPC32_ASM_INLINE_REG" = "yes"
then
ENABLED_PPC32_ASM="inline C Reg"
fi
echo " * PPC32 ASM $ENABLED_PPC32_ASM"
echo " * Write duplicate: $ENABLED_WRITEDUP"
echo " * Xilinx Hardware Acc.: $ENABLED_XILINX"
echo " * C89: $ENABLED_C89"
echo " * Inline Code: $ENABLED_INLINE"
echo " * Linux AF_ALG: $ENABLED_AFALG"
echo " * Linux KCAPI: $ENABLED_KCAPI"
echo " * Linux devcrypto: $ENABLED_DEVCRYPTO"
echo " * PK callbacks: $ENABLED_PKCALLBACKS"
echo " * Crypto callbacks: $ENABLED_CRYPTOCB"
echo " * i.MX CAAM: $ENABLED_CAAM"
echo " * IoT-Safe: $ENABLED_IOTSAFE"
echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG"
echo " * NXP SE050: $ENABLED_SE050"
echo " * STMicro STSAFE: $ENABLED_STSAFE"
echo " * TROPIC01: $ENABLED_TROPIC01"
echo " * Maxim Integrated MAXQ10XX: $ENABLED_MAXQ10XX"
echo " * PSA: $ENABLED_PSA"
echo " * System CA certs: $ENABLED_SYS_CA_CERTS"
echo " * Dual alg cert support: $ENABLED_DUAL_ALG_CERTS"
echo " * ERR Queues per Thread: $ENABLED_ERRORQUEUEPERTHREAD"
echo " * rwlock: $ENABLED_RWLOCK"
echo " * keylog export: $ENABLED_KEYLOG_EXPORT"
echo " * AutoSAR : $ENABLED_AUTOSAR"
echo " * ML-KEM standalone: $ENABLED_MLKEM_STANDALONE"
echo " * PQ/T hybrids: $ENABLED_PQC_HYBRIDS"
echo " * Extra PQ/T hybrids: $ENABLED_EXTRA_PQC_HYBRIDS"
echo " * PUF: $ENABLED_PUF"
echo ""
echo "---"
echo "./configure flags: $(./config.status --config)"
fi # $silent != yes
################################################################################
# Show warnings at bottom so they are noticed
################################################################################
# MinGW static vs shared library
# Reference URL from libtool for MinGW is located at
# http://www.gnu.org/software/libtool/manual/libtool.html#Cygwin-to-MinGW-Cross
# this allows for not even having dllimport/dllexport on functions
# with recent libtools, only requiring it with global variables.
#
# The following warning is displayed here because if not using "contemporary GNU
# tools" there is the possibility of export/import issues.
# wolfSSL uses __declspec(dllexport) and "contemporary GNU tools" handle the
# case where both static and shared libraries are built.
#
# More can be found about the MinGW linker at
# https://sourceware.org/binutils/docs/ld/WIN32.html
if test "$MINGW_LIB_WARNING" = "yes"
then
AC_MSG_WARN([Building with shared and static library at the same time on this system may cause export/import problems when using non contemporary GNU tools.])
fi
if test -n "$WITH_MAX_ECC_BITS"; then
if test "$WITH_MAX_ECC_BITS" -lt "$ENABLED_ECCMINSZ"; then
AC_MSG_ERROR([--with-max-ecc-bits argument ($WITH_MAX_ECC_BITS) must be greater than --with-eccminsz argument ($ENABLED_ECCMINSZ)])
fi
fi
if test "$silent" != "yes"; then
echo "---"
echo "Note: Make sure your application includes \"wolfssl/options.h\" before any other wolfSSL headers."
echo " You can define \"WOLFSSL_USE_OPTIONS_H\" in your application to include this automatically."
fi