# ===========================================================================
# SYNOPSIS
#
# AX_NAGIOS_GET_SSL
#
# DESCRIPTION
#
# This macro finds the openssl binary, the header files directory and
# the library files directory. It will also search for the gnutls
# compatibility library/headers and the nss compatibility library/headers.
#
# LICENSE
#
# Copyright (c) 2016 Nagios Core Development Team
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
# ===========================================================================
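AC_DEFUN([AX_NAGIOS_GET_SSL],
[
# -------------------------------
# SSL library and include paths
# -------------------------------
dnl Locates the OpenSSL headers and libraries and records the result in
dnl CFLAGS, LDFLAGS, LIBS and the substituted SSL_* variables.
dnl
dnl Search order:
dnl   1. pkg-config, unless --with-ssl-inc or --with-ssl-lib was given
dnl   2. compile and run with the default compiler settings, unless
dnl      --with-ssl-inc or --with-ssl-lib was given
dnl   3. probing a fixed list of directories, user supplied ones first
dnl
dnl Only the openssl type is handled here; any other SSL_TYPE value other
dnl than no aborts configure.
dnl
dnl The first macro argument is expanded after the final link check
dnl succeeds. The second one is placed after a fatal error and is
dnl therefore never reached.
dnl
dnl need_dh and arch are read but not set in this macro; they are
dnl presumably provided by the calling configure script.
SSL_TYPE=openssl
try_pkg_config=1
ssl_dir=
ssl_inc_dir=
ssl_lib_dir=
SSL_INC_PREFIX=
SSL_HDR=
SSL_LIB_DIR=
AC_SUBST(HAVE_SSL)
AC_SUBST(SSL_TYPE)
AC_SUBST(SSL_HDR)
AC_SUBST(SSL_INC_PREFIX)
AC_SUBST(SSL_LIB_DIR)
AC_SUBST(SSL_DH_HEADER)
AC_SUBST(SSL_OBJS)
dnl Makefile for generating DH parameters, pre 3.0 and post 3.0
dnl NOTE(review): make requires recipe lines to start with a TAB. The
dnl recipe lines below carry no leading whitespace in this listing, which
dnl may be an artifact of how the file was copied; confirm against the
dnl upstream file before use.
SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
\$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \@S|@@"
SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
./generate_dh_params > \@S|@@
generate_dh_params: \$(srcdir)/generate_dh_params.c
\$(CC) \$(CFLAGS) -o \@S|@@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
AC_ARG_WITH([ssl],
  AS_HELP_STRING([--with-ssl=DIR],[sets location of the SSL installation]),
  [ssl_dir=$withval])
AC_ARG_WITH([ssl-inc],
  AS_HELP_STRING([--with-ssl-inc=DIR],
    [sets location of the SSL include files]),
  [ssl_inc_dir=$withval])
AC_ARG_WITH([ssl-lib],
  AS_HELP_STRING([--with-ssl-lib=DIR],[sets location of the SSL libraries]),
  [ssl_lib_dir=$withval])
dnl The action-if-given branch runs for both the enable and the disable
dnl form of the option, so it has to look at enableval. Setting no
dnl unconditionally would make --enable-auto-dh switch the feature off.
AC_ARG_ENABLE([auto_dh],
  AS_HELP_STRING([--disable-auto-dh],[disables using builtin DH parameters (if available) and generates custom parameters]),
  [AS_IF([test "x$enableval" = xno], [auto_dh=no], [auto_dh=yes])],
  [auto_dh=yes])
dnl Explicit include or library directories override pkg-config
if test "x$ssl_inc_dir" != x || test "x$ssl_lib_dir" != x; then
  try_pkg_config=0
fi
dnl NOTE(review): kerberos_inc_dir is not reset before this option is
dnl parsed, so a value inherited from the environment would be used.
AC_ARG_WITH([kerberos-inc],
  AS_HELP_STRING([--with-kerberos-inc=DIR],
    [sets location of the Kerberos include files]),
  [kerberos_inc_dir=$withval])
if test "x$SSL_TYPE" = xyes; then
  SSL_TYPE=openssl
fi
dnl Candidate directories. The AAA and BBB placeholders are replaced with
dnl ssl and openssl below, and ssldir with the directory that held the
dnl headers. The first match wins, so an unexpected OpenSSL copy that
dnl appears earlier in the list is picked up silently; the found-in lines
dnl in the configure output show which one was chosen.
dflt_hdrs="$ssl_inc_dir $ssl_dir $ssl_inc_dir/include $ssl_dir/include \
/usr/include /usr /usr/local /usr/pkg /usr/sfw /usr/sfw/include \
/usr/local/opt/{BBB} /usr/include/{BBB} /usr/local/include/{BBB} \
/usr/local/{AAA} /usr/local/{BBB} /usr/lib/{AAA} /usr/lib/{BBB} \
/usr/{AAA} /usr/freeware/lib/{BBB} /opt/{BBB}"
dflt_libs="$ssl_lib_dir {ssldir} {ssldir}/lib {ssldir}/lib64 /usr/lib64 \
/usr/lib /usr/lib/x86_64-linux-gnu /usr/lib/i386-linux-gnu \
/usr/local/lib /usr/lib/{AAA} /usr/{AAA}/lib /usr/{BBB}/lib \
/usr/pkg/lib /usr/freeware/lib/{BBB} /usr/sfw/lib /opt/freeware/lib \
/opt/{BBB}/lib/hpux64 /opt/{BBB}/lib/pa20_64 /opt/{BBB}/lib/hpux32 \
/opt/{BBB}/lib /opt/{BBB}";
AS_CASE([$SSL_TYPE],
  [no], [SSL_TYPE=NONE],
  [yes|openssl],
    [ssl_hdr_dirs=`echo "$dflt_hdrs" | sed -e 's/{AAA}/ssl/g' | sed -e 's/{BBB}/openssl/g'`
    ssl_lib_dirs=`echo "$dflt_libs" | sed -e 's/{AAA}/ssl/g' | sed -e 's/{BBB}/openssl/g'`
    SSL_INC_PREFIX=openssl
    SSL_HDR=ssl.h
    ssl_lib=libssl],
  [*], echo >&6; AC_MSG_ERROR(['--with-ssl-type=$SSL_TYPE' is invalid])
)
dnl Check for SSL support
if test "x$SSL_TYPE" != xNONE; then
  found_ssl=no
  dnl RedHat 8.0 and 9.0 include openssl compiled with kerberos,
  dnl so we must include header file
  dnl Must come before openssl checks for Redhat EL 3
  AC_MSG_CHECKING([for Kerberos include files])
  found_kerberos=no
  for dir in $kerberos_inc_dir /usr/kerberos/include /usr/include/krb5 \
    /usr/include; do
    kerbdir="$dir"
    if test -f "$dir/krb5.h"; then
      found_kerberos=yes
      CFLAGS="$CFLAGS -I$kerbdir"
      AC_DEFINE([HAVE_KRB5_H],[1],[Have the krb5.h header file])
      break
    fi
  done
  if test "x_$found_kerberos" != x_yes; then
    AC_MSG_WARN([could not find include files])
  else
    AC_MSG_RESULT([found Kerberos include files in $kerbdir])
  fi
  dnl First, try using pkg_config
  if test "$try_pkg_config" -ne 0 ; then
    AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
  fi
  if test "x$PKG_CONFIG" != x && test "$try_pkg_config" -ne 0 ; then
    cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
    if test $? -eq 0; then
      CFLAGS="$CFLAGS $cflags"
      LDFLAGS="$LDFLAGS `$PKG_CONFIG $SSL_TYPE --libs-only-L 2>/dev/null`"
      LIBS="$LIBS `$PKG_CONFIG $SSL_TYPE --libs-only-l 2>/dev/null`"
      found_ssl=yes
    fi
  fi
  dnl Remember LIBS so it can be restored if detection fails
  ax_nagios_run_ssl_save_LIBS=$LIBS
  if test "x_$found_ssl" != "x_yes"; then
    LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
  fi
  dnl Next try just compiling with default settings (unless inc/lib were specified)
  dnl POSIX test only defines the single = operator for string equality.
  dnl The double form is rejected by shells such as dash, which made this
  dnl condition always false there.
  if test "x_$found_ssl" != "x_yes" && test "x$ssl_inc_dir" = "x" && test "x$ssl_lib_dir" = "x"; then
    _AX_NAGIOS_RUN_SSL([found_ssl=yes])
  fi
  if test "x_$found_ssl" != x_yes; then
    dnl Find the SSL Headers
    AC_MSG_CHECKING([for SSL headers])
    for dir in $ssl_hdr_dirs; do
      dnl An empty --with-ssl value expands to a bare /include entry
      if test "$dir" = "/include"; then
        continue
      fi
      ssldir="$dir"
      sslincdir="$dir"
      if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
        found_ssl=yes
        CFLAGS="$CFLAGS -I$dir"
        ssldir="$dir/.."
        break
      fi
      if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
        found_ssl=yes
        CFLAGS="$CFLAGS -I$dir/include"
        sslincdir="$dir/include"
        break
      fi
      if test -f "$dir/include/$SSL_HDR"; then
        found_ssl=yes
        if test "$SSL_HDR" != compat.h ; then
          SSL_INC_PREFIX=""
        fi
        CFLAGS="$CFLAGS -I$dir/include"
        sslincdir="$dir/include"
        break
      fi
      if test -f "$dir/$SSL_HDR"; then
        found_ssl=yes
        SSL_INC_PREFIX=""
        CFLAGS="$CFLAGS -I$dir"
        break
      fi
    done
    if test "x_$found_ssl" != x_yes; then
      AC_MSG_ERROR([Cannot find ssl headers])
    else
      AX_NORMALIZE_PATH([sslincdir])
      AC_MSG_RESULT([found in $sslincdir])
      dnl Now try and find SSL libraries
      AX_CHECK_LINK_FLAG([-Wl,-rpath,/], [RPATH=yes], [RPATH=no])
      AC_MSG_CHECKING([for SSL libraries])
      found_ssl=no
      ssl_lib_dirs=`echo "$ssl_lib_dirs" | sed -e "s|{ssldir}|$ssldir|g"`
      dnl Shared library suffixes to look for on this platform
      if test "`uname -s`" = "Darwin" ; then
        soext="dylib"
      elif test "`uname -s`" = "HP-UX" ; then
        if test "x$arch" = "xia64"; then
          soext="so"
        else
          soext="sl"
        fi
      elif test "`uname -s`" = "AIX" ; then
        soext="a"
      else
        soext="so a"
      fi
      for dir in $ssl_lib_dirs; do
        for ext in $soext; do
          if test -f "$dir/$ssl_lib.$ext"; then
            found_ssl=yes
            SSL_LIB_DIR="$dir"
            break
          fi
        done
        dnl Stop at the first directory that holds the library. With the
        dnl non-portable double equals form this break was skipped on
        dnl strict POSIX shells and a later directory could overwrite
        dnl SSL_LIB_DIR.
        if test "x_$found_ssl" = x_yes; then
          break
        fi
      done
      if test "x_$found_ssl" != x_yes; then
        AC_MSG_ERROR([Cannot find ssl libraries])
      else
        AX_NORMALIZE_PATH([SSL_LIB_DIR])
        AC_MSG_RESULT([found in $SSL_LIB_DIR])
        LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
        if test "x$RPATH" = xyes ; then
          # Do we need to add rpath?
          dnl An rpath makes the installed binaries load libssl from
          dnl SSL_LIB_DIR at run time. That directory should be writable
          dnl only by trusted accounts, otherwise a replaced library is
          dnl loaded into the daemon.
          AC_MSG_CHECKING([checking if rpath is required...])
          _AX_NAGIOS_RUN_SSL(
            [AC_MSG_RESULT([no])],
            [AC_MSG_RESULT([yes])
            LDFLAGS="$LDFLAGS -Wl,-rpath,$SSL_LIB_DIR"],
            [AC_MSG_RESULT([no])]
          )
        fi
      fi
    fi
  fi
  if test "x$found_ssl" = xyes ; then
    if test -n "$SSL_INC_PREFIX" ; then
      SSL_INC_PREFIX="${SSL_INC_PREFIX}/"
    fi
    dnl try to compile and link to see if SSL is set up properly
    dnl NOTE(review): the failure branch aborts configure with the bare
    dnl message no, so the second macro argument placed after it can
    dnl never run.
    AC_MSG_CHECKING([whether compiling and linking against SSL works])
    AC_LINK_IFELSE(
      [AC_LANG_PROGRAM([#include <${SSL_INC_PREFIX}${SSL_HDR}>], [SSL_new(NULL)])],
      [
        AC_MSG_RESULT([yes])
        SSL_OBJS="nrpe-ssl.o"
        AC_DEFINE([HAVE_SSL], [1], [Have SSL support])
        $1
      ], [
        AC_MSG_ERROR([no])
        $2
      ])
  fi
  dnl Detection finished. Reset LIBS if we did not succeed
  if test "x_$found_ssl" != "x_yes"; then
    LIBS=$ax_nagios_run_ssl_save_LIBS
  fi
  if test "x$found_ssl" = xyes && test "x$need_dh" = xyes; then
    dnl Build a program that prints the OpenSSL major and minor version
    dnl and run it. Running conftest means this step cannot work when
    dnl cross-compiling. printf needs stdio.h, so it is included
    dnl explicitly.
    AC_LINK_IFELSE([dnl
      AC_LANG_PROGRAM(
        [
#include <stdio.h>
#include <${SSL_INC_PREFIX}${SSL_HDR}>
        ],
        [
#ifdef OPENSSL_VERSION_MAJOR
          printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
#else
          printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
#endif
        ])],
      [
        nagios_ssl_version=$(./conftest$EXEEXT)
        SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
        SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
      ],
      [AC_MSG_ERROR([Failed to detect OpenSSL version!])])
    dnl The numeric comparisons below need both fields to be present
    if test -z "$SSL_MAJOR" || test -z "$SSL_MINOR"; then
      AC_MSG_ERROR([Failed to detect OpenSSL version!])
    fi
    dnl auto_dh not available before v1.1.0
    dnl Written without the -a and -o operators of test, whose grouping
    dnl is not portable. Forcing no when auto_dh is already no changes
    dnl nothing, so the version alone decides.
    if test "$SSL_MAJOR" -lt 1 || { test "$SSL_MAJOR" -eq 1 && test "$SSL_MINOR" -lt 1; }; then
      auto_dh=no
    fi
    if test "x$auto_dh" = xyes; then
      AC_DEFINE([AUTO_SSL_DH], [1], [Define to 1 to auto configure SSL DH parameters])
    fi
    dnl Do the Makefile rules here to maintain compatibility and not rely on GNU Make
    if test "x$need_dh" = xyes ; then
      if test "x$auto_dh" = xno ; then
        if test "$SSL_MAJOR" -lt 3 ; then
          dnl Find the openssl program
          dnl Only need openssl binary if we are not using auto or using version less than 3.0
          AC_PATH_PROG([sslbin],[openssl],[value-if-not-found],[${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH}])
          dnl The fallback above is a literal placeholder string, so a
          dnl missing program would otherwise go unnoticed at configure time.
          if test "x$sslbin" = "xvalue-if-not-found"; then
            AC_MSG_WARN([could not find the openssl program needed to generate DH parameters])
          fi
          AC_SUBST([SSL_DH_HEADER_MAKE], [${SSL_DH_HEADER_MAKE_OLD}])
        else
          AC_SUBST([SSL_DH_HEADER_MAKE], [${SSL_DH_HEADER_MAKE_NEW}])
        fi
        AC_SUBST([SSL_DH_HEADER],[../include/dh.h])
      fi
      AC_DEFINE([USE_SSL_DH], [1], [Define to 1 to use SSL DH])
    fi
  fi
fi
])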
# _AX_NAGIOS_RUN_SSL([action-if-true], [action-if-false], [action-if-cross-compiling])
#
# Builds and runs a small program that compares the OpenSSL version number
# reported by the linked library with OPENSSL_VERSION_NUMBER from the
# headers it was compiled against. action-if-true is expanded when the two
# match; action-if-false when the program does not build, does not run or
# reports a mismatch. The headers are looked up under SSL_INC_PREFIX when
# that variable is non-empty.
AC_DEFUN([_AX_NAGIOS_RUN_SSL], [
  AS_IF([test -n "$SSL_INC_PREFIX"],
    [tmp_prefix="${SSL_INC_PREFIX}/"],
    [tmp_prefix=""])
  AC_RUN_IFELSE(
    [AC_LANG_PROGRAM([
#include <${tmp_prefix}opensslv.h>
#include <${tmp_prefix}crypto.h>
      ],[
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        if (SSLeay() == OPENSSL_VERSION_NUMBER)
          return EXIT_SUCCESS;
#else
        if (OpenSSL_version_num() == OPENSSL_VERSION_NUMBER)
          return EXIT_SUCCESS;
#endif
        return EXIT_FAILURE;
      ])],
    [$1],
    [$2],
    [$3])
])