cjson
fuzzing
inputs
test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9
library_config
cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmake
tests
inputs
test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expected
json-patch-tests
.editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.json
unity
auto
colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.py
docs
ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txt
examples
unity_config.h
curl
.github
scripts
cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yaml
workflows
appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.yml
CMake
CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmake
docs
cmdline-opts
.gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md mptcp.md 
negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md 
trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.md
examples
.checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.cinternals
BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.md
libcurl
opts
CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md 
CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md 
CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md 
CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md 
CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md 
CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.inc
include
curl
Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.h
lib
curlx
base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.h
vauth
cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.h
vquic
curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.h
vtls
apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.h
m4
.gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4
projects
OS400
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.h
Windows
tmpl
.gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filters
vms
Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.h
scripts
.checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurl
src
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.htests
certs
.gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prm
data
.gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 
test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 
test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 
test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 
test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 
test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 
test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 
test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 
test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999http
testenv
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.pylibtest
.gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c lib537.c 
lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.hserver
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.ctunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.cunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.cexamples
.env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.luainiparser
example
iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.initest
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.hjinjac
libjinjac
src
CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.htest
.gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinjalibev
Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1luajit
doc
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.htmldynasm
wolfssl/configure.ac
# configure.ac
#
# Copyright (C) 2006-2026 wolfSSL Inc.
#
# This file is part of wolfSSL. (formerly known as CyaSSL)
#
#
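# Autoconf bootstrap: copyright notice carried into the generated configure
# script, minimum Autoconf version, and package identity.
AC_COPYRIGHT([Copyright (C) 2006-2026 wolfSSL Inc.])
AC_PREREQ([2.69])
# Arguments in order: package name, version, bug-report address, tarball
# name, project URL.
AC_INIT([wolfssl],[5.9.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
# Auxiliary build scripts are looked up in build-aux instead of the top dir.
AC_CONFIG_AUX_DIR([build-aux])

# Inhibit unwanted regeneration of autotools artifacts by Makefile.
# With the "disable" default, the maintainer rebuild rules stay off unless
# configure is run with --enable-maintainer-mode.
AM_MAINTAINER_MODE([disable])
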
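# The following sets CFLAGS to empty if unset on command line. We do not
# want the default "-g -O2" that AC_PROG_CC sets automatically.
# The "=" form assigns only when CFLAGS is unset, so a value supplied by the
# caller, including an explicitly empty one, is kept as given.
: ${CFLAGS=""}

# Capture user C_EXTRA_FLAGS from configure line.
# Use of C_EXTRA_FLAGS is deprecated because CFLAGS was fixed but someone
# might still be using it.
# C_FLAGS is appended the same way. Both values come from the caller and are
# passed on unchecked. Nothing in this block adds optimisation or hardening
# flags, so those have to come from the caller or from later checks.
CFLAGS="$CFLAGS $C_EXTRA_FLAGS $C_FLAGS"
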
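# Compiler and host detection, and the directory holding local m4 macros.
AC_PROG_CC
AM_PROG_CC_C_O
AC_CANONICAL_HOST
AC_CONFIG_MACRO_DIR([m4])

# Automake setup. The -Wall, -Werror and -Wno-portability entries here are
# Automake warning options, not compiler flags: Automake's own warnings are
# enabled and made fatal, with the portability category switched off.
AM_INIT_AUTOMAKE([1.13.4 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
# Quiet build output by default, when the installed Automake provides it.
m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])])

# Adds the --program-prefix, --program-suffix and --program-transform-name
# options to configure.
AC_ARG_PROGRAM
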
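# Optional CMake package install (enabled by default)
# ENABLED_CMAKE_INSTALL takes the value the user passed, or "yes" when the
# option is absent. The CMAKE_INSTALL conditional is true only for the exact
# value "yes".
AC_ARG_ENABLE([cmake-install],
    [AS_HELP_STRING([--disable-cmake-install],[Disable installation of CMake package files])],
    [ ENABLED_CMAKE_INSTALL=$enableval ],
    [ ENABLED_CMAKE_INSTALL=yes ])
AM_CONDITIONAL([CMAKE_INSTALL],[test "x$ENABLED_CMAKE_INSTALL" = "xyes"])
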
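# Generate config.h from the template config.in.
AC_CONFIG_HEADERS([config.h:config.in])

# Libtool: static libraries are off unless requested, and win32-dll declares
# the sources ready for building a Windows DLL.
LT_PREREQ([2.4.2])
LT_INIT([disable-static win32-dll])

# User-supplied flag variables, documented in the configure help output.
AC_ARG_VAR(EXTRA_CPPFLAGS, [Extra CPPFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
AC_ARG_VAR(EXTRA_CCASFLAGS, [Extra CCASFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])
AC_ARG_VAR(EXTRA_LDFLAGS, [Extra LDFLAGS to add to end of autoconf-computed arg list. Can also supply directly to make.])

# Record the configure arguments for substitution into generated files.
# NOTE(review): everything given on the configure command line, including
# local paths and VAR=value settings, is copied verbatim. Where these two
# substitutions are consumed is not visible here, so treat the command line
# as something that may end up in build output and keep secrets out of it.
WOLFSSL_CONFIG_ARGS=$ac_configure_args
AC_SUBST([WOLFSSL_CONFIG_ARGS])

# Store configure options and CFLAGS for debian rules generation
CONFIGURE_OPTIONS="$ac_configure_args"
AC_SUBST([CONFIGURE_OPTIONS])
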
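# shared library versioning
# The three numbers in the libwolfssl.so.*.*.* file name. Unfortunately
# NOTE(review): the sentence above is cut off in the source; its ending is
# missing, so the caveat it was about to state is unknown.

# increment if interfaces have been removed or changed
WOLFSSL_LIBRARY_VERSION_FIRST=44

# increment if interfaces have been added
# set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented
WOLFSSL_LIBRARY_VERSION_SECOND=2

# increment if source code has changed
# set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or
# WOLFSSL_LIBRARY_VERSION_SECOND is incremented
WOLFSSL_LIBRARY_VERSION_THIRD=0

# Colon-joined triple in the order FIRST:SECOND:THIRD.
WOLFSSL_LIBRARY_VERSION=${WOLFSSL_LIBRARY_VERSION_FIRST}:${WOLFSSL_LIBRARY_VERSION_SECOND}:${WOLFSSL_LIBRARY_VERSION_THIRD}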
75AC_SUBST([WOLFSSL_LIBRARY_VERSION_FIRST])
76AC_SUBST([WOLFSSL_LIBRARY_VERSION_SECOND])
77AC_SUBST([WOLFSSL_LIBRARY_VERSION_THIRD])
78AC_SUBST([WOLFSSL_LIBRARY_VERSION])
79
80gl_VISIBILITY
81AS_IF([ test -n "$CFLAG_VISIBILITY" ], [
82 AM_CFLAGS="$AM_CFLAGS $CFLAG_VISIBILITY"
83 ])
84
85WOLFSSL_BUILD_DATE=$(LC_TIME=C date +"%a, %d %b %Y %T %z")
86AC_SUBST([WOLFSSL_BUILD_DATE])
87
88
89# Moved these size of and type checks before the library checks.
90# The library checks add the library to subsequent test compiles
91# and in some rare cases, the networking check causes these sizeof
92# checks to fail.
93AC_CHECK_SIZEOF([long long])
94AC_CHECK_SIZEOF([long])
95AC_CHECK_SIZEOF([time_t])
96AC_CHECK_TYPES([__uint128_t])
97
98
# Distro build feature subset (Debian, Ubuntu, etc.)
AC_ARG_ENABLE([distro],
    [AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])],
    [ENABLED_DISTRO=$enableval],
    [ENABLED_DISTRO=no])

# A distro build forces shared and static libraries plus enable_all, sets
# enable_earlydata=no, and makes the reproducible build the default.
AS_IF([test "x$ENABLED_DISTRO" = "xyes"],
    [
        enable_shared=yes
        enable_static=yes
        enable_all=yes
        enable_earlydata=no
        REPRODUCIBLE_BUILD_DEFAULT=yes
    ],
    [
        REPRODUCIBLE_BUILD_DEFAULT=no
    ])

# Unrecognized --enable-* and --with-* switches abort configure instead of
# only drawing a warning, so a mistyped hardening or FIPS option cannot
# quietly yield a build without it.
m4_divert_once([DEFAULTS], [enable_option_checking=fatal])

# Allow experimental settings
AC_ARG_ENABLE([experimental],
    [AS_HELP_STRING([--enable-experimental],[Allow experimental settings in the configuration (default: disabled)])],
    [ENABLED_EXPERIMENTAL=$enableval],
    [ENABLED_EXPERIMENTAL=no])

if test "x$ENABLED_EXPERIMENTAL" = "xyes"
then
    # Experimental settings are refused for distro builds.
    AS_IF([test "x$ENABLED_DISTRO" = "xyes"],
        [AC_MSG_ERROR([--enable-distro and --enable-experimental are mutually exclusive.])])
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXPERIMENTAL_SETTINGS"
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_EXPERIMENTAL_SETTINGS"
fi
131
# Kernel module benchmark
AC_ARG_ENABLE([kernel-benchmarks],
    [AS_HELP_STRING([--enable-kernel-benchmarks],[Enable crypto benchmarking autorun at module load time for kernel module (default: disabled)])],
    [ENABLED_KERNEL_BENCHMARKS=$enableval],
    [ENABLED_KERNEL_BENCHMARKS="no"])
AS_IF([test "x$ENABLED_KERNEL_BENCHMARKS" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_BENCHMARKS"])
AC_SUBST([ENABLED_KERNEL_BENCHMARKS])

# Extra runtime diagnostics for kernel module builds. Both switches only add
# a preprocessor define and are off unless requested.
AC_ARG_ENABLE([kernel-verbose-debug],
    [AS_HELP_STRING([--enable-kernel-verbose-debug],[Enable supplementary runtime debugging messages for kernel module (default: disabled)])],
    [ENABLED_KERNEL_VERBOSE_DEBUG=$enableval],
    [ENABLED_KERNEL_VERBOSE_DEBUG="no"])
AS_IF([test "x$ENABLED_KERNEL_VERBOSE_DEBUG" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_VERBOSE_DEBUG"])

AC_ARG_ENABLE([kernel-stack-debug],
    [AS_HELP_STRING([--enable-kernel-stack-debug],[Enable runtime reporting of stack usage in kernel module (default: disabled)])],
    [ENABLED_KERNEL_STACK_DEBUG=$enableval],
    [ENABLED_KERNEL_STACK_DEBUG="no"])
AS_IF([test "x$ENABLED_KERNEL_STACK_DEBUG" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_STACK_DEBUG"])

# Linux Kernel Module options (more options later)
AC_ARG_ENABLE([linuxkm],
    [AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])],
    [ENABLED_LINUXKM=$enableval],
    [ENABLED_LINUXKM=no])

# Unless given explicitly, the kernel feature defaults follow --enable-linuxkm.
AC_ARG_ENABLE([linuxkm-defaults],
    [AS_HELP_STRING([--enable-linuxkm-defaults],[Enable feature defaults for Linux Kernel Module (default: disabled)])],
    [KERNEL_MODE_DEFAULTS=$enableval],
    [KERNEL_MODE_DEFAULTS=$ENABLED_LINUXKM])

# FreeBSD Kernel Module
AC_ARG_ENABLE([freebsdkm],
    [AS_HELP_STRING([--enable-freebsdkm],[Enable FreeBSD Kernel Module (default: disabled)])],
    [ENABLED_BSDKM=$enableval],
    [ENABLED_BSDKM=no])

AC_ARG_ENABLE([freebsdkm-crypto-register],
    [AS_HELP_STRING([--enable-freebsdkm-crypto-register],[Register wolfCrypt implementations with the FreeBSD kernel opencrypto framework. (default: disabled)])],
    [ENABLED_BSDKM_REGISTER=$enableval],
    [ENABLED_BSDKM_REGISTER=no])
186
AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h sys/un.h ctype.h sys/random.h])
AC_CHECK_LIB([network],[socket])
AC_C_BIGENDIAN
AC_C___ATOMIC

# Atomics header probe. A FreeBSD kernel build must not include
# <stdatomic.h>, so it looks for <machine/atomic.h> instead. Whichever header
# is found, the same WOLFSSL_HAVE_ATOMIC_H define is added.
if test "x$ENABLED_BSDKM" != "xyes"; then
    AC_CHECK_HEADER([stdatomic.h], [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H"], [])
else
    AC_CHECK_HEADER([machine/atomic.h], [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H"], [])
fi
AC_CHECK_HEADER([assert.h], [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ASSERT_H"], [])
199
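# check if functions of interest are linkable, but also check if
# they're declared by the expected headers, and if not, supersede the
# unusable positive from AC_CHECK_FUNCS().
#
# For every symbol that links but is not declared, the not-found action
# flips the cached ac_cv_func_<name> result to "no" and strips the matching
# "#define HAVE_<NAME> 1" line from confdefs.h.
#
# The confdefs.h rewrite goes through a temporary file: "sed --in-place" is a
# GNU extension, and on a sed without it the edit would fail unnoticed and
# leave the stale HAVE_ define behind. The names fed to eval come from the
# literal symbol list passed to AC_CHECK_DECLS, not from user input.
AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid getrandom])
AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii, getpid, getrandom], [], [
if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
then
    AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.])
    eval "ac_cv_func_${as_decl_name}=no"
    _mask_varname=HAVE_`eval "echo '${as_decl_name}'" | tr 'a-z' 'A-Z'`
    if sed "s~^#define ${_mask_varname} 1$~~" confdefs.h > confdefs.h.new
    then
        mv -f confdefs.h.new confdefs.h
    else
        rm -f confdefs.h.new
        AC_MSG_WARN([could not remove ${_mask_varname} from confdefs.h])
    fi
fi
], [[
#ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
#endif
#ifdef HAVE_STRING_H
 #include <string.h>
#endif
#ifdef HAVE_NETDB_H
 #include <netdb.h>
#endif
#ifdef HAVE_ARPA_INET_H
 #include <arpa/inet.h>
#endif
#ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
#endif
#ifdef HAVE_TIME_H
 #include <time.h>
#endif
#ifdef HAVE_STDLIB_H
 #include <stdlib.h>
#endif
#ifdef HAVE_UNISTD_H
 #include <unistd.h>
#endif
#ifdef HAVE_CTYPE_H
 #include <ctype.h>
#endif
#ifdef HAVE_SYS_RANDOM_H
 #include <sys/random.h>
#endif
]])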
244
245AC_PROG_INSTALL
246AC_TYPE_SIZE_T
247AC_TYPE_UINT8_T
248AC_TYPE_UINTPTR_T
249AM_PROG_AS
250
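# Baseline flag sets that later option handling picks from, plus the
# accumulators for extra libraries and pkg-config private libs.
OPTIMIZE_CFLAGS="-Os"
OPTIMIZE_FAST_CFLAGS="-O2"
OPTIMIZE_HUGE_CFLAGS="-funroll-loops -DTFM_SMALL_SET -DTFM_HUGE_SET"
DEBUG_CFLAGS="-g -DDEBUG -DDEBUG_WOLFSSL"
LIB_ADD=
LIB_STATIC_ADD=
PC_LIBS_PRIVATE=""

# Append the caller-supplied EXTRA_OPTS_CFLAGS to every flag set.
OPTIMIZE_CFLAGS="$OPTIMIZE_CFLAGS $EXTRA_OPTS_CFLAGS"
OPTIMIZE_FAST_CFLAGS="$OPTIMIZE_FAST_CFLAGS $EXTRA_OPTS_CFLAGS"
OPTIMIZE_HUGE_CFLAGS="$OPTIMIZE_HUGE_CFLAGS $EXTRA_OPTS_CFLAGS"
# The debug set used to be extended through the misspelled name DEBUG_VFLAGS,
# so EXTRA_OPTS_CFLAGS never reached DEBUG_CFLAGS.
DEBUG_CFLAGS="$DEBUG_CFLAGS $EXTRA_OPTS_CFLAGS"
# Old spelling still assigned in case something outside this part of the
# file reads it.
DEBUG_VFLAGS="$DEBUG_VFLAGS $EXTRA_OPTS_CFLAGS"

# Default the object directory to the current directory when unset or empty.
output_objdir=${output_objdir:-.}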
268
269
# Thread local storage
thread_ls_on="no"
AC_ARG_ENABLE([threadlocal],
    [AS_HELP_STRING([--enable-threadlocal],[Enable thread local support (default: enabled)])],
    [ENABLED_THREADLOCAL=$enableval],
    [ENABLED_THREADLOCAL=yes])
if test "x$ENABLED_THREADLOCAL" = "xyes"
then
    # HAVE_THREAD_LS is only defined when the AX_TLS probe succeeds.
    AX_TLS([thread_ls_on=yes],[thread_ls_on=no])
    AS_IF([test "x$thread_ls_on" = "xyes"],[AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"])
fi


# DEBUG
# Debug builds get DEBUG_CFLAGS for both C and assembler sources (prepended
# for the assembler flags); every other build gets -DNDEBUG on both.
AX_DEBUG
AS_IF([test "$ax_enable_debug" = "yes"],
    [
        AM_CFLAGS="$AM_CFLAGS $DEBUG_CFLAGS"
        AM_CCASFLAGS="$DEBUG_CFLAGS $AM_CCASFLAGS"
    ],
    [
        AM_CFLAGS="$AM_CFLAGS -DNDEBUG"
        AM_CCASFLAGS="$AM_CCASFLAGS -DNDEBUG"
    ])

AC_ARG_ENABLE([debug-code-points],
    [AS_HELP_STRING([--enable-debug-code-points],[Include source file and line number in --enable-debug messages.])],
    [ENABLED_DEBUG_CODEPOINTS=$enableval],
    [ENABLED_DEBUG_CODEPOINTS=no])

AS_IF([test "x$ENABLED_DEBUG_CODEPOINTS" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEBUG_CODEPOINTS"])

AC_ARG_ENABLE([debug-trace-errcodes],
    [AS_HELP_STRING([--enable-debug-trace-errcodes],[Print trace messages when library errors are thrown.])],
    [ENABLED_DEBUG_TRACE_ERRCODES=$enableval],
    [ENABLED_DEBUG_TRACE_ERRCODES=no])

# Any value other than "no" turns tracing on. The value "backtrace" also
# adds unwind tables and links libbacktrace.
AS_IF([test "x$ENABLED_DEBUG_TRACE_ERRCODES" != "xno"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEBUG_TRACE_ERROR_CODES"])

AS_IF([test "x$ENABLED_DEBUG_TRACE_ERRCODES" = "xbacktrace"],
    [
        AM_CFLAGS="$AM_CFLAGS -g -funwind-tables -DWOLFSSL_DEBUG_BACKTRACE_ERROR_CODES"
        AM_LDFLAGS="$AM_LDFLAGS -lbacktrace"
    ])
320
# Start without certificates enabled and enable if a certificate algorithm is
# enabled
ENABLED_CERTS="no"

# Implements requirements from RFC9325
AC_ARG_ENABLE([harden-tls],
    [AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are <yes>, <112>, or <128>. <yes> is equivalent to <112>. (default: disabled)])],
    [ENABLED_HARDEN_TLS=$enableval],
    [ENABLED_HARDEN_TLS=no])

# Translate the option value into the number handed to WOLFSSL_HARDEN_TLS
# (presumably a minimum security strength in bits - confirm against the
# library sources). Any value other than no, yes, 112 or 128 stops configure
# rather than falling back to an unhardened build.
harden_tls_level=
AS_CASE([$ENABLED_HARDEN_TLS],
    [no],[],
    [yes|112],[harden_tls_level=112],
    [128],[harden_tls_level=128],
    [
        AC_MSG_ERROR([Invalid value for --enable-harden-tls])
    ])

# Hardened builds also get the extra alert handling defines.
AS_IF([test -n "$harden_tls_level"],
    [
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=$harden_tls_level"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_ALERTS -DWOLFSSL_CHECK_ALERT_ON_ERR"
    ])
345
# Support for forcing 32-bit mode
# To force 32-bit instructions use:
# ./configure CFLAGS="-m32" LDFLAGS="-m32" && make
# The sizeof checks for long and long long run at the top of configure, so
# "-m32" has to be given directly on the ./configure command line.
AC_ARG_ENABLE([32bit],
    [AS_HELP_STRING([--enable-32bit],[Enables 32-bit support (default: disabled)])],
    [ENABLED_32BIT=$enableval],
    [ENABLED_32BIT=no])

AS_IF([test "x$ENABLED_32BIT" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWC_32BIT_CPU"])

# 16-bit compiler support
AC_ARG_ENABLE([16bit],
    [AS_HELP_STRING([--enable-16bit],[Enables 16-bit support (default: disabled)])],
    [ENABLED_16BIT=$enableval],
    [ENABLED_16BIT=no])
AS_IF([test "x$ENABLED_16BIT" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWC_16BIT_CPU"])

# The next three switches only record the choice here.
AC_ARG_ENABLE([64bit],
    [AS_HELP_STRING([--enable-64bit],[Enables 64-bit support (default: disabled)])],
    [ENABLED_64BIT=$enableval],
    [ENABLED_64BIT=no])

AC_ARG_ENABLE([kdf],
    [AS_HELP_STRING([--enable-kdf],[Enables kdf support (default: enabled)])],
    [ENABLED_KDF=$enableval],
    [ENABLED_KDF=yes])

AC_ARG_ENABLE([hmac],
    [AS_HELP_STRING([--enable-hmac],[Enables HMAC support (default: enabled)])],
    [ENABLED_HMAC=$enableval],
    [ENABLED_HMAC=yes])

AC_ARG_ENABLE([hmac-copy],
    [AS_HELP_STRING([--enable-hmac-copy],[Enables digest copying implementation for HMAC (default: disabled)])],
    [ENABLED_HMAC_COPY=$enableval],
    [ENABLED_HMAC_COPY=no])
AS_IF([test "x$ENABLED_HMAC_COPY" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HMAC_COPY_HASH"])

AC_ARG_ENABLE([do178],
    [AS_HELP_STRING([--enable-do178],[Enable DO-178, Will NOT work w/o DO178 license (default: disabled)])],
    [ENABLED_DO178=$enableval],
    [ENABLED_DO178="no"])

# Every value other than "no" selects the DO-178 build.
AS_IF([test "x$ENABLED_DO178" = "xno"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_DO178"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_DO178"])

# Support for disabling all ASM
AC_ARG_ENABLE([asm],
    [AS_HELP_STRING([--enable-asm],[Enables option for assembly (default: enabled)])],
    [ENABLED_ASM=$enableval],
    [ENABLED_ASM=yes])

AS_IF([test "x$ENABLED_ASM" = "xno"],
    [AM_CFLAGS="$AM_CFLAGS -DTFM_NO_ASM -DWOLFSSL_NO_ASM"])
AC_SUBST([ENABLED_ASM])

# Default math is SP Math all and not fast math
# FIPS v1 and v2 must use fast math
DEF_SP_MATH="yes"
DEF_FAST_MATH="no"

# FIPS 140
AC_ARG_ENABLE([fips],
    [AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2/3, Will NOT work w/o FIPS license (default: disabled)])],
    [ENABLED_FIPS=$enableval],
    [ENABLED_FIPS="no"])

# FIPS_FLAVOR records the value exactly as requested, before ENABLED_FIPS is
# rewritten further down.
FIPS_FLAVOR="$ENABLED_FIPS"
AC_SUBST([FIPS_FLAVOR])
437
# wolfProvider Options
AC_ARG_ENABLE([wolfprovider],
    [AS_HELP_STRING([--enable-wolfprovider],[Enable wolfProvider options (default: disabled)])],
    [ENABLED_WOLFPROVIDER=$enableval],
    [ENABLED_WOLFPROVIDER=no])

if test "x$ENABLED_WOLFPROVIDER" != "xno"
then
    # Fill in feature defaults only where the user gave no value.
    : "${enable_all_crypto:=yes}"
    : "${enable_opensslcoexist:=yes}"
    : "${enable_sha:=yes}"
    : "${with_eccminsz:=192}"
    : "${with_max_ecc_bits:=1024}"
    # NOTE(review): going by its name, WC_RSA_NO_PADDING exposes RSA without
    # padding to the provider layer - confirm callers apply padding themselves.
    AM_CFLAGS="$AM_CFLAGS -DHAVE_WOLFPROVIDER -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
fi
453
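# wolfEngine Options
AC_ARG_ENABLE([engine],
    [AS_HELP_STRING([--enable-engine],[Enable wolfEngine options (default: disabled)])],
    [ENABLED_WOLFENGINE=$enableval],
    [ENABLED_WOLFENGINE=no])

# Any engine build defaults the minimum ECC key size to 192 unless the user
# already chose one.
if test "x$ENABLED_WOLFENGINE" != "xno"
then
    test -z "$with_eccminsz" && with_eccminsz=192
fi

# Normalise the option to yes/no and derive the FIPS selection from it. Every
# enabling value overwrites ENABLED_FIPS, so it takes precedence over a
# separate --enable-fips. FIPS_FLAVOR was captured before this point and still
# holds the --enable-fips value.
# The error text lists every value the arms accept, so a rejected value can be
# corrected from the message alone.
AS_CASE([$ENABLED_WOLFENGINE],
    [no|disabled],[
        ENABLED_WOLFENGINE="no"
    ],
    [yes|fips-v2|cert3389],[
        ENABLED_WOLFENGINE="yes"
        ENABLED_FIPS="v2"
    ],
    [fips-v5],[
        ENABLED_WOLFENGINE="yes"
        ENABLED_FIPS="v5"
    ],
    [fips-v6],[
        ENABLED_WOLFENGINE="yes"
        ENABLED_FIPS="v6"
    ],
    [fips-ready],[
        ENABLED_WOLFENGINE="yes"
        ENABLED_FIPS="ready"
    ],
    [no-fips],[
        ENABLED_WOLFENGINE="yes"
        ENABLED_FIPS="no"
    ],
    [
        AC_MSG_ERROR([Invalid value for --enable-engine "$ENABLED_WOLFENGINE" (options: yes, fips-v2, cert3389, fips-v5, fips-v6, fips-ready, no-fips, no, disabled)])
    ])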
496
# Values accepted for --enable-fips, as handled by the case below:
# no          - FIPS build disabled, FIPS sources forbidden in build tree
# disabled    - FIPS build disabled, FIPS sources ignored in build tree
# v1          - FIPS 140-2 Cert 2425 (alias: cert2425)
# v2          - FIPS 140-2 Cert 3389 (alias: cert3389)
# rand        - wolfRand
# v5          - FIPS 140-3 Cert 4718 (alias: cert4718)
# v5.2.3      - FIPS 140-3 with support for ARM acceleration, derived from Cert 4718
# v5.2.4      - FIPS 140-3 with support for Linux kernel mode, derived from v5.2.3
# v5-RC12     - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC12 (still accepted)
# v5-ready    - own arm, reported as version 5.3
# v5-dev      - own arm, version 5.2.1, math defaults left alone
# v5-kcapi    - reported as FIPS_VERSION v5-dev with version 5.3.0
# v6          - The SRTP-KDF-full-submission (alias: v6-dev)
# v7          - version 7.0.0
# ready       - FIPS 140-3 settings with in-tree wolfcrypt sources, feature
#               locked (alias: v7-ready). Its version number should always
#               remain one ahead of the latest so as not to be confused with
#               the latest.
# dev         - FIPS 140-3 settings with in-tree wolfcrypt sources, features
#               freely adjustable (alias: v7-dev)
# lean-aesgcm, lean-aesgcm-ready, lean-aesgcm-dev
#             - FIPS_VERSION keeps the requested spelling, version 8.0.0
#
# These options have been retired, but are listed here for historical reference:
# v5-RC8  - historical FIPS 140-3 (wolfCrypt WCv5.0-RC8).
#           HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 0.
# v5-RC9  - historical FIPS 140-3 (wolfCrypt WCv5.0-RC9)
#           HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 1.
# v5-RC10 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC10
#           HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 2.
# v5-RC11 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC11
#           HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 2.
#
# Each accepted arm sets FIPS_VERSION and the version numbers it knows about
# and rewrites ENABLED_FIPS to yes or no. Arms that do not touch DEF_SP_MATH
# and DEF_FAST_MATH inherit the values set earlier in this file. Any other
# value, including a bare --enable-fips, stops configure.
AS_CASE([$ENABLED_FIPS],
    [no],[
        FIPS_VERSION="none"
    ],
    [disabled],[
        FIPS_VERSION="disabled"
        ENABLED_FIPS="no"
    ],
    [v1|cert2425],[
        FIPS_VERSION="v1"
        HAVE_FIPS_VERSION_MAJOR=1
        ENABLED_FIPS="yes"
        DEF_SP_MATH="no" DEF_FAST_MATH="yes"
    ],
    [v2|cert3389],[
        FIPS_VERSION="v2"
        HAVE_FIPS_VERSION_MAJOR=2 HAVE_FIPS_VERSION_MINOR=0
        ENABLED_FIPS="yes"
        DEF_SP_MATH="no" DEF_FAST_MATH="yes"
    ],
    [rand],[
        FIPS_VERSION="rand"
        HAVE_FIPS_VERSION_MAJOR=2 HAVE_FIPS_VERSION_MINOR=1
        ENABLED_FIPS="yes"
        DEF_SP_MATH="no" DEF_FAST_MATH="no"
    ],
    [v5|cert4718],[
        FIPS_VERSION="v5"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=1
        ENABLED_FIPS="yes"
        DEF_SP_MATH="no" DEF_FAST_MATH="yes"
    ],
    [v5.2.3],[
        FIPS_VERSION="v5"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=3
        ENABLED_FIPS="yes"
        DEF_SP_MATH="yes" DEF_FAST_MATH="no"
    ],
    [v5.2.4],[
        FIPS_VERSION="v5"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=4
        ENABLED_FIPS="yes"
        DEF_SP_MATH="yes" DEF_FAST_MATH="no"
    ],
    [v5-RC12],[
        FIPS_VERSION="v5-RC12"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
        DEF_SP_MATH="no" DEF_FAST_MATH="yes"
    ],
    [v5-ready],[
        FIPS_VERSION="v5-ready"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=3
        ENABLED_FIPS="yes"
        DEF_SP_MATH="no" DEF_FAST_MATH="yes"
    ],
    [v5-dev],[
        FIPS_VERSION="v5-dev"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=1
        ENABLED_FIPS="yes"
        # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
    ],
    [v5-kcapi],[
        FIPS_VERSION="v5-dev"
        HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=3 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
        # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
    ],
    [v6|v6-dev],[
        FIPS_VERSION="v6"
        HAVE_FIPS_VERSION=6
        HAVE_FIPS_VERSION_MAJOR=6 HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
        DEF_SP_MATH="yes" DEF_FAST_MATH="no"
    ],
    [v7],[
        FIPS_VERSION="v7"
        HAVE_FIPS_VERSION=7
        HAVE_FIPS_VERSION_MAJOR=7 HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
        DEF_SP_MATH="yes" DEF_FAST_MATH="no"
    ],
    [ready|v7-ready],[
        FIPS_VERSION="ready"
        HAVE_FIPS_VERSION=8
        HAVE_FIPS_VERSION_MAJOR=8 HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
        DEF_SP_MATH="yes" DEF_FAST_MATH="no"
    ],
    [dev|v7-dev],[
        FIPS_VERSION="dev"
        HAVE_FIPS_VERSION_MAJOR=8 HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
        # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
    ],
    [lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
        FIPS_VERSION="$ENABLED_FIPS"
        HAVE_FIPS_VERSION_MAJOR=8 HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0
        ENABLED_FIPS="yes"
    ],
    [
        AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"])
        AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, v7, ready, dev, rand, lean-aesgcm, no, disabled)])
    ])
667
# Any FIPS version component that is still unset or empty becomes 0.
: "${HAVE_FIPS_VERSION_MAJOR:=0}"
: "${HAVE_FIPS_VERSION_MINOR:=0}"
: "${HAVE_FIPS_VERSION_PATCH:=0}"
# The combined version falls back to the major number.
: "${HAVE_FIPS_VERSION:=$HAVE_FIPS_VERSION_MAJOR}"

# Every FIPS build makes the reproducible build the default.
test "x$ENABLED_FIPS" = "xno" || REPRODUCIBLE_BUILD_DEFAULT=yes
689
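# Cross-check the FIPS selection against the source tree, using a non-empty
# wolfcrypt/src/fips.c as the marker for a FIPS tree:
#   none     - the marker must be absent
#   disabled - no check
#   others   - the marker must be present
#
# $srcdir is quoted so a source path containing whitespace still tests the
# intended file. The second message reports $enable_fips, falling back to
# FIPS_VERSION when the FIPS mode came from another option. $enableval is not
# usable here because later AC_ARG_ENABLE calls have overwritten it by now.
AS_CASE([$FIPS_VERSION],
    [none],
    [
        AS_IF([test -s "$srcdir/wolfcrypt/src/fips.c"],
              [AC_MSG_ERROR([FIPS source tree is incompatible with non-FIPS build (requires --enable-fips)])])
    ],
    [disabled],
    [],
    [
        AS_IF([test ! -s "$srcdir/wolfcrypt/src/fips.c"],
              [AC_MSG_ERROR([non-FIPS source tree is incompatible with --enable-fips=${enable_fips:-$FIPS_VERSION}])])
    ]
)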
703
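# For reproducible build, gate out from the build anything that might
# introduce semantically frivolous jitter, maximizing chance of
# identical object files.
AC_ARG_ENABLE([reproducible-build],
    [AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])],
    [ENABLED_REPRODUCIBLE_BUILD=$enableval],
    [ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT])

if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes"
then
    # Test ar for the "D" option. Should be checked before the libtool macros.
    test -n "$AR" || AR=ar
    xxx_ar_flags=$(${AR} --help 2>&1)
    test -n "$RANLIB" || RANLIB=ranlib
    xxx_ranlib_flags=$(${RANLIB} --help 2>&1)

    # Deterministic archive mode is switched on only when the tool's own help
    # text advertises it.
    AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr" lt_ar_flags="Dcr"])
    AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="${RANLIB} -D"])

    AM_CFLAGS="$AM_CFLAGS -DHAVE_REPRODUCIBLE_BUILD"

    # The two probes below expand $CC unquoted on purpose: CC often carries a
    # wrapper or extra arguments, and quoting it makes the probe fail so the
    # flag is dropped without any message. Output goes to a conftest file in
    # the build directory rather than to /dev/null.

    # opportunistically use -ffile-prefix-map (added in GCC8 and LLVM10)
    if $CC -ffile-prefix-map=/tmp=. -x c - -o conftest.repro >/dev/null 2>&1 <<'EOF'
#include <stdlib.h>
int main(int argc, char **argv) {
    (void)argc; (void)argv; return 0;
}
EOF
    then
        AM_CFLAGS="$AM_CFLAGS -ffile-prefix-map=\$(abs_top_srcdir)/= -ffile-prefix-map=\$(top_srcdir)/="
    fi
    rm -f conftest.repro*

    # opportunistically force linker option --build-id=sha1 (usually the default)
    if $CC -Wl,--build-id=sha1 -x c - -o conftest.repro >/dev/null 2>&1 <<'EOF'
#include <stdlib.h>
int main(int argc, char **argv) {
    (void)argc; (void)argv; return 0;
}
EOF
    then
        AM_LDFLAGS="$AM_LDFLAGS -Wl,--build-id=sha1"
    fi
    rm -f conftest.repro*
fi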
753
754
AC_ARG_ENABLE([benchmark],
    [AS_HELP_STRING([--enable-benchmark],[Build benchmark when building crypttests (default: enabled)])],
    [ENABLED_BENCHMARK=$enableval],
    [ENABLED_BENCHMARK=yes])


# Remainder of Linux kernel module options, continued from earlier:

# The reloc-table setting starts out equal to ENABLED_FIPS. Either switch
# below overrides it, and the later one on this page wins when both are given.
ENABLED_LINUXKM_PIE=$ENABLED_FIPS

AC_ARG_ENABLE([kernel-reloc-tables],
    [AS_HELP_STRING([--enable-kernel-reloc-tables],[Enable containerized object build of wolfCrypt module in kernel build (default: disabled)])],
    [ENABLED_LINUXKM_PIE=$enableval])

AC_ARG_ENABLE([linuxkm-pie],
    [AS_HELP_STRING([--enable-linuxkm-pie],[Alias for --enable-kernel-reloc-tables])],
    [ENABLED_LINUXKM_PIE=$enableval])

AS_IF([test "x$ENABLED_LINUXKM" = "xyes" && test "x$ENABLED_LINUXKM_PIE" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWC_SYM_RELOC_TABLES"])
AC_SUBST([ENABLED_LINUXKM_PIE])

AC_ARG_ENABLE([linuxkm-benchmarks],
    [AS_HELP_STRING([--enable-linuxkm-benchmarks],[Enable crypto benchmarking autorun at module load time for Linux kernel module (default: disabled)])],
    [ENABLED_KERNEL_BENCHMARKS=$enableval])
AS_IF([test "x$ENABLED_LINUXKM" = "xyes" && test "x$ENABLED_KERNEL_BENCHMARKS" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM_BENCHMARKS"])
AC_SUBST([ENABLED_KERNEL_BENCHMARKS])

# Feature defaults for a Linux kernel module build.
# NOTE(review): going by the define names, the reloc-table build compiles out
# the OCSP issuer check and non-FIPS builds use the older prime check -
# confirm both are intended for the deployment.
if test "x$ENABLED_LINUXKM" = "xyes" && test "x$KERNEL_MODE_DEFAULTS" = "xyes"
then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWC_SHA3_NO_ASM"
    AS_IF([test "x$ENABLED_LINUXKM_PIE" = "xyes"],
        [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"])
    AS_IF([test "x$ENABLED_FIPS" = "xno"],
        [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK"])
    DEF_SP_MATH="yes"
    DEF_FAST_MATH="no"
fi
801
#
# kernel mode variables. Shared by linuxkm, freebsdkm.
KERNEL_ROOT=""
HAVE_KERNEL_MODE=no

# Kernel root source tree.
AC_ARG_WITH([kernel-source],
    [AS_HELP_STRING([--with-kernel-source=PATH],[PATH to root of kernel build tree])],
    [KERNEL_ROOT=$withval])

# For backwards compatibility. It writes the same variable, so it overrides
# --with-kernel-source when both are given.
AC_ARG_WITH([linux-source],
    [AS_HELP_STRING([--with-linux-source=PATH],[PATH to root of Linux kernel build tree])],
    [KERNEL_ROOT=$withval])

AC_ARG_WITH([linux-arch],
    [AS_HELP_STRING([--with-linux-arch=arch],[built arch (SRCARCH) of Linux kernel build tree])],
    [KERNEL_ARCH=$withval],
    [KERNEL_ARCH=""])

if test "x$ENABLED_LINUXKM" = "xyes"
then
    HAVE_KERNEL_MODE=yes

    AS_IF([test "$ax_enable_debug" = "yes"],
        [linuxkm_debug_level=-g3],
        [linuxkm_debug_level=-g1])

    # Currently DWARF 5 is the default debug format, but it results in
    # "Unsupported DW_TAG_atomic_type(0x47): type: 0x1eefc" in some
    # kernel module builds.
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4 $linuxkm_debug_level"
    # NOTE(review): the assembler flags are rebuilt from AM_CFLAGS, so whatever
    # AM_CCASFLAGS held before is replaced and the debug level appears twice -
    # confirm this is intended and not meant to extend AM_CCASFLAGS.
    AM_CCASFLAGS="$AM_CFLAGS $linuxkm_debug_level"

    ENABLED_NO_LIBRARY=yes
    ENABLED_BENCHMARK=no
    output_objdir="$(realpath "$output_objdir")/linuxkm"

    # Fall back to the autodetected kernel tree and architecture when none
    # was given on the command line.
    if test -z "$KERNEL_ROOT"; then
        AC_PATH_DEFAULT_KERNEL_SOURCE
        KERNEL_ROOT="$DEFAULT_KERNEL_ROOT"
    fi
    AC_SUBST([KERNEL_ROOT])

    if test -z "$KERNEL_ARCH"; then
        AC_DEFAULT_KERNEL_ARCH
        KERNEL_ARCH="$DEFAULT_KERNEL_ARCH"
    fi
    AC_SUBST([KERNEL_ARCH])

    if test -z "${KERNEL_ROOT}"; then
        AC_MSG_ERROR([Linux kernel source root not found -- supply with --with-linux-source=PATH.])
    fi
    if test -z "${KERNEL_ARCH}"; then
        AC_MSG_ERROR([Linux kernel target architecture for build tree ${KERNEL_ROOT} could not be determined. Is target kernel configured?])
    fi

    AM_CFLAGS="$AM_CFLAGS -DNO_DEV_RANDOM -DNO_WRITEV -DNO_STDIO_FILESYSTEM -DWOLFSSL_NO_SOCK -DWOLFSSL_USER_IO"
fi
862
#
# FreeBSD
AC_ARG_WITH([bsd-export-syms],
    [AS_HELP_STRING([--with-bsd-export-syms=LIST],[Sets FreeBSD kernel module EXPORT_SYMS. Allowed values: YES, NO, or LIST of symbols to export (default NO).])],
    [BSDKM_EXPORT_SYMS=$withval],
    [BSDKM_EXPORT_SYMS="NO"])

if test "x$ENABLED_BSDKM" = "xyes"
then
    # note: bsdkm is wolfcrypt only for now.
    HAVE_KERNEL_MODE=yes
    KERNEL_MODE_DEFAULTS=yes
    ENABLED_NO_LIBRARY=yes
    ENABLED_BENCHMARK=no

    output_objdir="$(realpath "$output_objdir")/bsdkm"

    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BSDKM -DWC_SIPHASH_NO_ASM -DNO_DEV_RANDOM -DNO_WRITEV -DNO_STDIO_FILESYSTEM -DWOLFSSL_NO_SOCK -DWOLFSSL_USER_IO -DXMALLOC_OVERRIDE -DWOLFCRYPT_ONLY -DNO_ASN_TIME"

    AS_IF([test "$ax_enable_debug" = "yes"],
        [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BSDKM_VERBOSE_DEBUG -DNO_WOLFSSL_DEBUG_CERTS"])

    # Fall back to the autodetected kernel source tree when none was given.
    if test -z "$KERNEL_ROOT"; then
        AC_PATH_DEFAULT_BSDKM_SOURCE
        KERNEL_ROOT="$DEFAULT_BSDKM_ROOT"
    fi
    AC_SUBST([KERNEL_ROOT])
    AC_SUBST([BSDKM_EXPORT_SYMS])
fi

if test "x$ENABLED_BSDKM_REGISTER" = "xyes"
then
    # NOTE(review): ENABLED_AESGCM and ENABLED_AESGCM_STREAM are not assigned
    # in the part of the file shown before this point. If they are only set
    # later, the second test sees an empty value and this never fires - verify.
    if test "x$ENABLED_AESGCM" != "xno" &&
       test "x$ENABLED_AESGCM_STREAM" = "xno" &&
       test "x$enable_aesgcm_stream" != "xno" &&
       { test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" -ge 6; }
    then
        ENABLED_AESGCM_STREAM=yes
    fi

    AM_CFLAGS="$AM_CFLAGS -DBSDKM_CRYPTO_REGISTER"
    AC_SUBST([ENABLED_BSDKM_REGISTER])
fi
# end FreeBSD configure
909
# MATH LIBRARY SELECTION

# Assure consistency of defaults: an explicit request for another math back
# end cancels the default that would conflict with it.
if test "x$DEF_FAST_MATH" = "xyes"
then
    if { test "x$enable_sp_math" != "xno" && test -n "$enable_sp_math"; } ||
       test "x$enable_heapmath" = "xyes"
    then
        DEF_FAST_MATH=no
    fi
fi

if test "x$DEF_SP_MATH" = "xyes"
then
    if test "x$enable_fastmath" = "xyes" ||
       test "x$enable_fasthugemath" = "xyes" ||
       test "x$enable_heapmath" = "xyes"
    then
        DEF_SP_MATH=no
    fi
fi

# Single Precision maths implementation
# NOTE(review): ENABLED_SP_DEFAULT is not assigned in the part of the file
# shown before this point, so the default may be empty - verify.
AC_ARG_ENABLE([sp],
    [AS_HELP_STRING([--enable-sp],[Enable Single Precision maths implementation (default: disabled)])],
    [ENABLED_SP=$enableval],
    [ENABLED_SP=$ENABLED_SP_DEFAULT])

AC_ARG_ENABLE([sp-math-all],
    [AS_HELP_STRING([--enable-sp-math-all],[Enable Single Precision math implementation for full algorithm suite (default: enabled)])],
    [ENABLED_SP_MATH_ALL=$enableval],
    [ENABLED_SP_MATH_ALL=$DEF_SP_MATH])

# Single Precision maths (acceleration for common key sizes and curves)
AS_IF([test "x$KERNEL_MODE_DEFAULTS" = "xyes" && test "x$ENABLED_SP" != "xno" && test "x$ENABLED_SP_MATH_ALL" = "xno"],
    [ENABLED_SP_MATH_DEFAULT=yes],
    [ENABLED_SP_MATH_DEFAULT=no])
AC_ARG_ENABLE([sp-math],
    [AS_HELP_STRING([--enable-sp-math],[Enable Single Precision math implementation with restricted algorithm suite (default: disabled)])],
    [ENABLED_SP_MATH=$enableval],
    [ENABLED_SP_MATH=$ENABLED_SP_MATH_DEFAULT])

# An explicit request for the restricted SP math turns SP Math ALL off when
# the user said nothing about it, and is an error when SP Math ALL was also
# requested.
if test -n "$enable_sp_math" && test "x$enable_sp_math" != "xno"
then
    if test -z "$enable_sp_math_all"
    then
        ENABLED_SP_MATH_ALL="no"
    elif test "x$enable_sp_math_all" != "xno"
    then
        AC_MSG_ERROR([--enable-sp-math and --enable-sp-math-all are incompatible. Use --enable-sp-math-all only when all key sizes need to be supported.])
    fi
fi

# SP assembly defaults to on only for the restricted SP math outside kernel
# mode defaults, on x86_64, aarch64 and amd64 hosts.
SP_ASM_DEFAULT=no
if test "x$ENABLED_SP_MATH" = "xyes" && test "x$KERNEL_MODE_DEFAULTS" = "xno"
then
    AS_CASE([$host_cpu],
        [x86_64|aarch64|amd64],[SP_ASM_DEFAULT=yes])
fi
AC_ARG_ENABLE([sp-asm],
    [AS_HELP_STRING([--enable-sp-asm],[Enable Single Precision assembly implementation (default: enabled on x86_64/aarch64/amd64)])],
    [ENABLED_SP_ASM=$enableval],
    [ENABLED_SP_ASM=$SP_ASM_DEFAULT])

# SP assembly needs SP: an explicit "no" is an error and an empty value is
# promoted to yes.
if test "x$ENABLED_SP_ASM" != "xno"
then
    AS_IF([test "x$ENABLED_SP" = "xno"],
        [AC_MSG_ERROR([--enable-sp-asm requires SP to be enabled.])])
    AS_IF([test -z "$ENABLED_SP"],
        [ENABLED_SP=yes])
fi
991
# fastmath
AC_ARG_ENABLE([fastmath],
    [AS_HELP_STRING([--enable-fastmath],[Enable legacy Tom's Fast Math back end (default: disabled)])],
    [ENABLED_FASTMATH=$enableval],
    [ENABLED_FASTMATH=$DEF_FAST_MATH])

# fast HUGE math
AC_ARG_ENABLE([fasthugemath],
    [AS_HELP_STRING([--enable-fasthugemath],[Enable legacy Tom's Fast Math + huge code (default: disabled)])],
    [ENABLED_FASTHUGEMATH=$enableval],
    [ENABLED_FASTHUGEMATH=no])

# ssl bump build
AC_ARG_ENABLE([bump],
    [AS_HELP_STRING([--enable-bump],[Enable SSL Bump build (default: disabled)])],
    [ENABLED_BUMP=$enableval],
    [ENABLED_BUMP=no])

# The bump build raises the default classic asymmetric key limit to 4096 bits
# and selects fast huge math when neither SP math variant is in use.
if test "x$ENABLED_BUMP" = "xyes"
then
    AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DWOLFSSL_CERT_GEN -DWOLFSSL_KEY_GEN -DHUGE_SESSION_CACHE -DWOLFSSL_DER_LOAD -DWOLFSSL_ALT_NAMES -DWOLFSSL_TEST_CERT"
    DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
    AS_IF([test "x$ENABLED_SP_MATH" = "xno" && test "x$ENABLED_SP_MATH_ALL" = "xno"],
        [ENABLED_FASTHUGEMATH="yes"])
fi

# Fast huge math implies fast math.
AS_IF([test "x$ENABLED_FASTHUGEMATH" = "xyes"],
    [ENABLED_FASTMATH="yes"])

# Host CPU markers. The 64-bit one is skipped when 32-bit mode was requested.
AS_CASE([$host_cpu],
    [x86_64|amd64],[
        AS_IF([test "x$ENABLED_32BIT" != "xyes"],
            [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_X86_64_BUILD"])
    ],
    [x86],[
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_X86_BUILD"
    ])


AC_ARG_ENABLE([leanpsk],
    [AS_HELP_STRING([--enable-leanpsk],[Enable Lean PSK build (default: disabled)])],
    [ENABLED_LEANPSK=$enableval],
    [ENABLED_LEANPSK=no])

# NOTE(review): besides stripping most algorithms, the lean PSK flag set
# defines HAVE_NULL_CIPHER and WOLFSSL_STATIC_PSK - confirm that profile is
# acceptable before enabling it outside constrained targets.
if test "x$ENABLED_LEANPSK" = "xyes"
then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANPSK -DWOLFSSL_STATIC_PSK -DHAVE_NULL_CIPHER -DSINGLE_THREADED -DNO_AES -DNO_FILESYSTEM -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_MD4 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_WRITEV -DNO_DEV_RANDOM -DWOLFSSL_USER_IO -DNO_SHA"
    ENABLED_SLOWMATH="no"
    ENABLED_SINGLETHREADED="yes"
    enable_lowresource=yes
fi
1052
1053
1054# ASN
1055
1056# disabling ASN implicitly disables certs, RSA, DSA, and ECC,
1057# and also disables MPI unless DH is enabled.
1058
1059# turn off ASN if leanpsk on
1060if test "$ENABLED_LEANPSK" = "yes"
1061then
1062 enable_asn=no
1063fi
1064
1065AC_ARG_ENABLE([asn],
1066 [AS_HELP_STRING([--enable-asn],[Enable ASN (default: enabled)])],
1067 [ ENABLED_ASN=$enableval ],
1068 [ ENABLED_ASN=yes ]
1069 )
1070
1071for v in `echo $ENABLED_ASN | tr "," " "`
1072do
1073 case $v in
1074 all)
1075 # Enable all ASN features
1076 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ALL"
1077 ENABLED_ASN=yes
1078 ASN_IMPL=template
1079 ;;
1080 template | yes)
1081 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_TEMPLATE"
1082 ENABLED_ASN=yes
1083 ASN_IMPL=template
1084 ;;
1085 original)
1086 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ORIGINAL"
1087 ASN_IMPL=original
1088 ;;
1089 nocrypt)
1090 AM_CFLAGS="$AM_CFLAGS -DNO_ASN_CRYPT"
1091 enable_pwdbased=no
1092 ASN_IMPL=template
1093 ;;
1094 no)
1095 AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"
1096 enable_pwdbased=no
1097 ASN_IMPL=no
1098 ;;
1099 *)
1100 AC_MSG_ERROR([Invalid asn option. Valid are: all, template/yes, original, nocrypt or no. Seen: $ENABLED_ASN.])
1101 break;;
1102esac
1103done
1104
1105
1106# if sp-math-all is not set, then enable fast math
1107if test "x$ENABLED_FASTMATH" = "xyes" && test "$enable_sp_math_all" = "" && test "$enable_sp_math" = ""
1108then
1109 # turn off fastmath if leanpsk on or asn off (w/o DH and ECC)
1110 if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_ASN" = "no"
1111 then
1112 if test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no" && test "$ENABLED_RSA" = "no"
1113 then
1114 ENABLED_FASTMATH="no"
1115 else
1116 AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH"
1117 ENABLED_HEAPMATH="no"
1118 fi
1119 else
1120 AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH"
1121 ENABLED_HEAPMATH="no"
1122 ENABLED_SP_MATH_ALL="no"
1123 fi
1124 AS_IF([test "x$host_cpu" = "xaarch64"],[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AARCH64_BUILD"])
1125
1126 if test "$ENABLED_SAKKE" = "yes" && test "$ENABLED_SAKKE_SMALL" != "yes"
1127 then
1128 AM_CFLAGS="$AM_CFLAGS -funroll-loops -DTFM_SMALL_SET"
1129 fi
1130fi
1131
1132
1133# heap based integer.c math (not timing resistant)
1134AC_ARG_ENABLE([heapmath],
1135 [AS_HELP_STRING([--enable-heapmath],[Enable heap based integer.c math ops (default: disabled)])],
1136 [ ENABLED_HEAPMATH=$enableval ],
1137 [ ENABLED_HEAPMATH=no]
1138 )
1139if test "x$ENABLED_HEAPMATH" = "xyes"
1140then
1141 AM_CFLAGS="$AM_CFLAGS -DUSE_INTEGER_HEAP_MATH"
1142 ENABLED_HEAPMATH="yes"
1143 ENABLED_SP="no"
1144 ENABLED_SP_MATH_ALL="no"
1145fi
1146
1147# wolfCrypt Only Build
1148AC_ARG_ENABLE([cryptonly],
1149 [AS_HELP_STRING([--enable-cryptonly],[Enable wolfCrypt Only build (default: disabled)])],
1150 [ENABLED_CRYPTONLY=$enableval],
1151 [ENABLED_CRYPTONLY=no])
1152
1153AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
1154
1155# TLS
1156AC_ARG_ENABLE([tls],
1157 [AS_HELP_STRING([--enable-tls],[Enable TLS support (default: enabled)])],
1158 [ ENABLED_TLS=$enableval ],
1159 [ ENABLED_TLS=yes ]
1160 )
1161
1162if test "$ENABLED_CRYPTONLY" = "yes"
1163then
1164 ENABLED_TLS=no
1165fi
1166if test "$ENABLED_TLS" = "no"
1167then
1168 AM_CFLAGS="$AM_CFLAGS -DNO_TLS"
1169 # don't set enable_tls13 or enable_tlsv12 to "no" -- even in cryptonly and
1170 # NO_TLS build, they're needed for their crypto-layer KDFs.
1171 # enable_tlsv10 defaults to "no", so we don't need to set it here either.
1172 test "$enable_dtls" = "" && enable_dtls=no
1173 test "$enable_dtls13" = "" && enable_dtls13=no
1174 test "$enable_dtls_mtu" = "" && enable_dtls_mtu=no
1175 test "$enable_dtlscid" = "" && enable_dtlscid=no
1176 test "$enable_dtls_frag_ch" = "" && enable_dtls_frag_ch=no
1177 test "$enable_mcast" = "" && enable_mcast=no
1178 test "$enable_srtp" = "" && enable_srtp=no
1179 test "$enable_ocsp" = "" && enable_ocsp=no
1180 test "$enable_tlsx" = "" && enable_tlsx=no
1181 test "$enable_sni" = "" && enable_sni=no
1182 test "$enable_crl_monitor" = "" && enable_crl_monitor=no
1183 test "$enable_alpn" = "" && enable_alpn=no
1184 test "$enable_pkcallbacks" = "" && enable_pkcallbacks=no
1185 test "$enable_quic" = "" && enable_quic=no
1186 test "$enable_ech" = "" && enable_ech=no
1187 test "$enable_ocspstapling" = "" && enable_ocspstapling=no
1188 test "$enable_earlydata" = "" && enable_earlydata=no
1189 test "$enable_renegotiation_indication" = "" && enable_renegotiation_indication=no
1190 test "$enable_secure_renegotiation_info" = "" && enable_secure_renegotiation_info=no
1191 test "$enable_secure_renegotiation" = "" && enable_secure_renegotiation=no
1192
1193 # Disable all open source compatibility enables that might get set with all
1194 test "$enable_all_osp" = "" && enable_all_osp=no
1195fi
1196
1197
1198# All features, except conflicting or experimental:
1199AC_ARG_ENABLE([all],
1200 [AS_HELP_STRING([--enable-all],[Enable all wolfSSL features, except SSLv3 (default: disabled)])],
1201 [ ENABLED_ALL=$enableval ],
1202 [ ENABLED_ALL=no ]
1203 )
1204if test "$ENABLED_ALL" = "yes"
1205then
1206 test "$enable_all_crypto" = "" && enable_all_crypto=yes
1207
1208 test "$enable_all_osp" = "" && test "$KERNEL_MODE_DEFAULTS" != "yes" && enable_all_osp=yes
1209
1210 test "$enable_dtls" = "" && enable_dtls=yes
1211 test "$enable_dtls_mtu" = "" && enable_dtls_mtu=yes
1212 test "$enable_dtlscid" = "" && enable_dtlscid=yes
1213 test "$enable_dtls_frag_ch" = "" && enable_dtls_frag_ch=yes
1214 if test "x$FIPS_VERSION" != "xv1"
1215 then
1216 test "$enable_tls13" = "" && enable_tls13=yes
1217 test "$enable_dtls13" = "" && enable_dtls13=yes
1218 fi
1219
1220 test "$enable_ocsp" = "" && enable_ocsp=yes
1221 test "$enable_ocspstapling" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling=yes
1222 test "$enable_ocspstapling2" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling2=yes
1223 test "$enable_ocsp_responder" = "" &&
1224 test "$enable_ocsp" != "no" &&
1225 test "$enable_sha" != "no" &&
1226 test "$ASN_IMPL" = "template" &&
1227 enable_ocsp_responder=yes
1228 test "$enable_savesession" = "" && enable_savesession=yes
1229 test "$enable_savecert" = "" && enable_savecert=yes
1230 test "$enable_postauth" = "" && enable_postauth=yes
1231 test "$enable_hrrcookie" = "" && enable_hrrcookie=yes
1232 test "$enable_fallback_scsv" = "" && enable_fallback_scsv=yes
1233 test "$enable_crl_monitor" = "" && enable_crl_monitor=yes
1234 test "$enable_sni" = "" && enable_sni=yes
1235 test "$enable_maxfragment" = "" && enable_maxfragment=yes
1236 test "$enable_alpn" = "" && enable_alpn=yes
1237 test "$enable_truncatedhmac" = "" && enable_truncatedhmac=yes
1238 test "$enable_trustedca" = "" && enable_trustedca=yes
1239 test "$enable_session_ticket" = "" && enable_session_ticket=yes
1240 test "$enable_earlydata" = "" && enable_earlydata=yes
1241 test "$enable_rpk" = "" && enable_rpk=yes
1242
1243 if test "$KERNEL_MODE_DEFAULTS" != "yes"
1244 then
1245 # Disable QUIC with JNI since incompatible with WOLFSSL_TLS13_MIDDLEBOX_COMPAT
1246 test "$enable_quic" = "" && test "$enable_cryptonly" != "yes" && test "$enable_jni" != "yes" && enable_quic=yes
1247 AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT"
1248 fi
1249
1250 if test "$ENABLED_SP_MATH" != "yes"
1251 then
1252 # linuxkm is incompatible with opensslextra and its dependents.
1253 if test "$KERNEL_MODE_DEFAULTS" != "yes"
1254 then
1255 test "$enable_opensslextra" = "" && enable_opensslextra=yes
1256 test "$enable_opensslall" = "" && enable_opensslall=yes
1257 test "$enable_certservice" = "" && enable_certservice=yes
1258 fi
1259 fi
1260
1261 if test "$ENABLED_FIPS" = "no"
1262 then
1263 # Disable ECH with JNI since incompatible with WOLFSSL_TLS13_MIDDLEBOX_COMPAT
1264 test "$enable_ech" = "" && test "$enable_jni" != "yes" && enable_ech=yes
1265 test "$enable_scep" = "" && enable_scep=yes
1266 test "$enable_mcast" = "" && enable_mcast=yes
1267 fi
1268
1269 if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
1270 then
1271 test "$enable_srtp" = "" && enable_srtp=yes
1272 fi
1273
1274 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT"
1275
1276 # Certificate extensions and alt. names for FPKI use
1277 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SUBJ_DIR_ATTR -DWOLFSSL_FPKI -DWOLFSSL_SUBJ_INFO_ACC"
1278
1279 # Handle as many subject/issuer name OIDs as possible
1280 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_NAME_ALL"
1281
1282 # More thorough error queue usage.
1283 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VERBOSE_ERRORS"
1284fi
1285
1286
1287# All OSP meta-features:
1288AC_ARG_ENABLE([all-osp],
1289 [AS_HELP_STRING([--enable-all-osp],[Enable all OSP meta feature sets (default: disabled)])],
1290 [ ENABLED_ALL_OSP=$enableval ],
1291 [ ENABLED_ALL_OSP=no]
1292 )
1293
1294if test "$ENABLED_ALL_OSP" = "yes"
1295then
1296 if test "$KERNEL_MODE_DEFAULTS" = "yes"
1297 then
1298 AC_MSG_ERROR([--enable-all-osp is incompatible with --enable-linuxkm-defaults])
1299 fi
1300
1301 test "$enable_tailscale" = "" && enable_tailscale=yes
1302 test "$enable_wolfguard" = "" && enable_wolfguard=yes
1303 test "$enable_webserver" = "" && enable_webserver=yes
1304
1305 if test "$ENABLED_SP_MATH" != "yes"
1306 then
1307 if test "$ENABLED_FIPS" = "no"
1308 then
1309 # S/MIME support requires PKCS7, which requires no FIPS.
1310 test "$enable_smime" = "" && enable_smime=yes
1311 if test "$ENABLED_32BIT" != "yes"
1312 then
1313 test "$enable_openssh" = "" && enable_openssh=yes
1314 fi
1315 fi
1316
1317 if test "$ENABLED_ALL_OSP" != "no"
1318 then
1319 test "$enable_lighty" = "" && enable_lighty=yes
1320 test "$enable_nginx" = "" && enable_nginx=yes
1321 test "$enable_openvpn" = "" && enable_openvpn=yes
1322 test "$enable_asio" = "" && enable_asio=yes
1323 test "$enable_libwebsockets" = "" && enable_libwebsockets=yes
1324 fi
1325 fi
1326
1327 if test "$ENABLED_FIPS" = "no"
1328 then
1329 # these use DES3:
1330 test "$enable_stunnel" = "" && enable_stunnel=yes
1331 test "$enable_curl" = "" && enable_curl=yes
1332 test "$enable_tcpdump" = "" && enable_tcpdump=yes
1333 fi
1334fi
1335
1336
1337# Auto-selected activation of all applicable asm accelerations
1338
1339# Enable asm automatically only if the compiler advertises itself as full Gnu C.
1340if "$CC" $AM_CFLAGS $CPPFLAGS $CFLAGS -x c - -o /dev/null >/dev/null 2>&1 <<' EOF'
1341 #include <stdlib.h>
1342 int main(int argc, char **argv) {
1343 (void)argc; (void)argv;
1344 #ifdef __STRICT_ANSI__
1345 #error __STRICT_ANSI__
1346 #endif
1347 #ifndef __GNUC__
1348 #error !__GNUC__
1349 #endif
1350 return 0;
1351 }
1352 EOF
1353then
1354 HAVE_GNUC=yes
1355fi
1356
1357if test "$enable_all_crypto" = "yes" &&
1358 test "$KERNEL_MODE_DEFAULTS" = "no" &&
1359 test "$ENABLED_ASM" != "no" &&
1360 test "$HAVE_GNUC" = "yes" &&
1361 test "$enable_sp_asm" != "no" &&
1362 test "$enable_intelasm" != "no" &&
1363 test "$enable_armasm" != "no" &&
1364 test "$enable_afalg" != "yes" &&
1365 test "$ENABLED_32BIT" = "no"
1366then
1367 DEFAULT_ENABLED_ALL_ASM=yes
1368else
1369 DEFAULT_ENABLED_ALL_ASM=no
1370fi
1371
1372if test "$ENABLED_FIPS" = "yes" && test "$HAVE_FIPS_VERSION" -lt 6
1373then
1374 case "$host_cpu" in
1375 *x86_64*|*amd64*) ;;
1376 *) DEFAULT_ENABLED_ALL_ASM=no
1377 ;;
1378 esac
1379fi
1380
1381AC_ARG_ENABLE([all-asm],
1382 [AS_HELP_STRING([--enable-all-asm],[Enable all applicable assembly accelerations (default: disabled)])],
1383 [ ENABLED_ALL_ASM=$enableval ],
1384 [ ENABLED_ALL_ASM=$DEFAULT_ENABLED_ALL_ASM ]
1385 )
1386
1387if test "$ENABLED_ALL_ASM" != "no"
1388then
1389 if test "$ENABLED_ASM" = "no"
1390 then
1391 AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-asm])
1392 fi
1393
1394 if test "$enable_sp_asm" = "no"
1395 then
1396 AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-sp-asm])
1397 fi
1398
1399 if test "$enable_intelasm" = "no"
1400 then
1401 AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-intelasm])
1402 fi
1403
1404 if test "$enable_armasm" = "no"
1405 then
1406 AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-armasm])
1407 fi
1408
1409 if test "$enable_ppc32_asm" = "no"
1410 then
1411 AC_MSG_ERROR([--enable-all-asm is incompatible with --disable-ppc32-asm])
1412 fi
1413
1414 case "$host_cpu" in
1415 *x86_64*|*amd64*)
1416 if test "$enable_intelasm" = ""
1417 then
1418 enable_intelasm=yes
1419 fi
1420 if test "$ENABLED_SP" != "no"
1421 then
1422 ENABLED_SP_ASM=yes
1423 if test "$ENABLED_SP" = ""
1424 then
1425 ENABLED_SP=yes
1426 fi
1427 fi
1428 ;;
1429 *aarch64*)
1430 if test "$enable_armasm" = ""
1431 then
1432 enable_armasm=yes
1433 fi
1434 if test "$ENABLED_SP" != "no"
1435 then
1436 ENABLED_SP_ASM=yes
1437 if test "$ENABLED_SP" = ""
1438 then
1439 ENABLED_SP=yes
1440 fi
1441 fi
1442 ;;
1443 *powerpc64*)
1444 ;;
1445 *powerpc*)
1446 if test "$enable_ppc32_asm" = ""
1447 then
1448 enable_ppc32_asm=yes
1449 fi
1450 ;;
1451 esac
1452fi
1453
1454# RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM. Disable
1455# implicit activation, and error on explicit activation.
1456if test "$enable_riscv_asm" = "yes"
1457then
1458 if test "$enable_aesgcm_stream" = "yes"
1459 then
1460 AC_MSG_ERROR([RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM.])
1461 fi
1462 enable_aesgcm_stream=no
1463fi
1464
1465# All wolfCrypt features:
1466AC_ARG_ENABLE([all-crypto],
1467 [AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms (default: disabled)])],
1468 [ ENABLED_ALL_CRYPT=$enableval ],
1469 [ ENABLED_ALL_CRYPT=no ]
1470 )
1471if test "$ENABLED_ALL_CRYPT" = "yes"
1472then
1473 test "$enable_atomicuser" = "" && enable_atomicuser=yes
1474 test "$enable_aesecb" = "" && enable_aesecb=yes
1475 test "$enable_aesgcm" = "" && enable_aesgcm=yes
1476 test "$enable_aesccm" = "" && enable_aesccm=yes
1477 test "$enable_aesctr" = "" && enable_aesctr=yes
1478 test "$enable_aesofb" = "" && enable_aesofb=yes
1479 test "$enable_aescfb" = "" && enable_aescfb=yes
1480 test "$enable_aescbc_length_checks" = "" && enable_aescbc_length_checks=yes
1481 test "$enable_camellia" = "" && enable_camellia=yes
1482 test "$enable_ripemd" = "" && enable_ripemd=yes
1483 test "$enable_sha224" = "" && enable_sha224=yes
1484 test "$enable_sha512" = "" && enable_sha512=yes
1485 test "$enable_sha3" = "" && enable_sha3=yes
1486 test "$enable_sessioncerts" = "" && enable_sessioncerts=yes
1487 test "$enable_keygen" = "" && enable_keygen=yes
1488 test "$enable_certgen" = "" && enable_certgen=yes
1489 test "$enable_certreq" = "" && enable_certreq=yes
1490 test "$enable_certext" = "" && enable_certext=yes
1491 test "$enable_sep" = "" && enable_sep=yes
1492 test "$enable_hkdf" = "" && enable_hkdf=yes
1493 test "$enable_eccencrypt" = "" && test "$enable_ecc" != "no" && enable_eccencrypt=yes
1494 test "$enable_fpecc" = "" && test "$enable_ecc" != "no" && enable_fpecc=yes
1495 test "$enable_psk" = "" && enable_psk=yes
1496 test "$enable_cmac" = "" && enable_cmac=yes
1497 test "$enable_cmac_kdf" = "" && enable_cmac_kdf=yes
1498 test "$enable_siphash" = "" && enable_siphash=yes
1499 test "$enable_ocsp" = "" && enable_ocsp=yes
1500 test "$enable_ocspstapling" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling=yes
1501 test "$enable_ocspstapling2" = "" && test "$enable_ocsp" != "no" && enable_ocspstapling2=yes
1502 test "$enable_crl" = "" && enable_crl=yes
1503 test "$enable_supportedcurves" = "" && enable_supportedcurves=yes
1504 test "$enable_tlsx" = "" && enable_tlsx=yes
1505 test "$enable_pwdbased" = "" && enable_pwdbased=yes
1506 test "$enable_aeskeywrap" = "" && enable_aeskeywrap=yes
1507 test "$enable_x963kdf" = "" && enable_x963kdf=yes
1508 test "$enable_indef" = "" && enable_indef=yes
1509 test "$enable_enckeys" = "" && enable_enckeys=yes
1510 test "$enable_hashflags" = "" && enable_hashflags=yes
1511 test "$enable_defaultdhparams" = "" && enable_defaultdhparams=yes
1512 test "$enable_base64encode" = "" && enable_base64encode=yes
1513 test "$enable_base16" = "" && enable_base16=yes
1514 test "$enable_arc4" = "" && enable_arc4=yes
1515 test "$enable_blake2b" = "" && enable_blake2b=yes
1516 test "$enable_blake2s" = "" && enable_blake2s=yes
1517 test "$enable_md2" = "" && enable_md2=yes
1518 test "$enable_md4" = "" && enable_md4=yes
1519 test "$enable_md5" = "" && enable_md5=yes
1520 test "$enable_anon" = "" && enable_anon=yes
1521 test "$enable_ssh" = "" && test "$enable_hmac" != "no" && enable_ssh=yes
1522 test "$enable_rng_bank" = "" && enable_rng_bank=yes
1523
1524 if test "$KERNEL_MODE_DEFAULTS" != "yes"
1525 then
1526 # Scrypt is excluded from kernel module builds (unless explicitly
1527 # enabled) because of its excessive memory requirements.
1528 test "$enable_scrypt" = "" && test "$enable_hmac" != "no" && enable_scrypt=yes
1529 fi
1530
1531 if test "x$FIPS_VERSION" != "xv1"
1532 then
1533 test "$enable_rsapss" = "" && enable_rsapss=yes
1534 fi
1535
1536 # sp-math is incompatible with opensslextra, ECC custom curves, and DSA.
1537 if test "$ENABLED_SP_MATH" != "yes"
1538 then
1539 test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes
1540 if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
1541 test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes
1542 test "$enable_ecccustcurves" != "no" && test "$enable_brainpool" = "" && enable_brainpool=yes
1543 test "$enable_ecccustcurves" != "no" && AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_CDH -DHAVE_ECC_KOBLITZ -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3"
1544 fi
1545 test "$enable_srp" = "" && enable_srp=yes
1546 fi
1547
1548 if test "$ENABLED_FIPS" = "no"
1549 then
1550 test "$enable_curve25519" = "" && enable_curve25519=yes
1551 test "$enable_curve448" = "" && enable_curve448=yes
1552 test "$enable_xchacha" = "" && test "$enable_chacha" != "no" && enable_xchacha=yes
1553 test "$enable_pkcs7" = "" && enable_pkcs7=yes
1554 test "$enable_nullcipher" = "" && enable_nullcipher=yes
1555 test "$enable_ed25519" = "" && enable_ed25519=yes
1556 test "$enable_ed25519_stream" = "" && test "$enable_ed25519" != "no" && enable_ed25519_stream=yes
1557 test "$enable_ed448" = "" && enable_ed448=yes
1558 test "$enable_ed448_stream" = "" && test "$enable_ed448" != "no" && enable_ed448_stream=yes
1559 test "$enable_aessiv" = "" && enable_aessiv=yes
1560 # AFALG lacks AES-EAX
1561 test "$enable_aeseax" = "" && test "$enable_afalg" != "yes" && enable_aeseax=yes
1562
1563 if test "$KERNEL_MODE_DEFAULTS" != "yes"
1564 then
1565 test "$enable_cryptocb" = "" && enable_cryptocb=yes
1566 test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
1567 test "$enable_eccsi" = "" && test "$enable_ecc" != "no" && enable_eccsi=yes
1568 test "$enable_sakke" = "" && test "$enable_ecc" != "no" && enable_sakke=yes
1569 fi
1570 fi
1571
1572 if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
1573 then
1574 test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" = "yes" && enable_aesgcm_stream=yes
1575 test "$enable_aesxts" = "" && enable_aesxts=yes
1576 test "$enable_aesxts_stream" = "" && test "$enable_aesxts" = "yes" && enable_aesxts_stream=yes
1577 test "$enable_shake128" = "" && enable_shake128=yes
1578 test "$enable_shake256" = "" && enable_shake256=yes
1579 test "$enable_compkey" = "" && enable_compkey=yes
1580 # AFALG lacks AES-ECB
1581 test "$enable_srtp_kdf" = "" && test "$enable_afalg" != "yes" && enable_srtp_kdf=yes
1582 fi
1583
1584 if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -lt 5; then
1585 test "$enable_des3" = "" && enable_des3=yes
1586 test "$enable_des3" != "no" && AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
1587 fi
1588
1589 AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES"
1590
1591 # Enable DH const table speedups (eliminates `-lm` math lib dependency)
1592 AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072"
1593 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
1594
1595 # Enable all parsing features for ASN */
1596 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ALL"
1597
1598 # Enable DH Extra
1599 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_EXTRA"
1600
1601 # Enable deterministic ECC signing API with variant
1602 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT"
1603
1604 # Store issuer name components when parsing certificates.
1605 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_ISSUER_NAMES"
1606
1607 # Enable onestep KDF from NIST SP 800 56c option 1.
1608 AM_CFLAGS="$AM_CFLAGS -DWC_KDF_NIST_SP_800_56C"
1609fi
1610
1611# kernel-appropriate settings, also in enable-all-crypto above:
1612if test "$KERNEL_MODE_DEFAULTS" = "yes" && test "$ENABLED_ALL_CRYPT" != "yes"
1613then
1614 # note several of these are currently on by default, including aesgcm, sha512
1615 if test "$enable_aes" != "no"
1616 then
1617 test "$enable_aesgcm" = "" && enable_aesgcm=yes
1618 test "$enable_aesccm" = "" && enable_aesccm=yes
1619 test "$enable_aesecb" = "" && enable_aesecb=yes
1620 test "$enable_aesctr" = "" && enable_aesctr=yes
1621 test "$enable_aesofb" = "" && enable_aesofb=yes
1622 test "$enable_cmac" = "" && enable_cmac=yes
1623 fi
1624 test "$enable_sha224" = "" && enable_sha224=yes
1625 test "$enable_sha512" = "" && enable_sha512=yes
1626 test "$enable_sha3" = "" && enable_sha3=yes
1627 test "$enable_keygen" = "" && enable_keygen=yes
1628 if test "$enable_ecc" != "no"
1629 then
1630 test "$enable_eccencrypt" = "" && enable_eccencrypt=yes
1631 test "$enable_fpecc" = "" && enable_fpecc=yes
1632 test "$enable_supportedcurves" = "" && enable_supportedcurves=yes
1633 fi
1634 test "$enable_rng" != "no" && test "$enable_rng_bank" = "" && enable_rng_bank=yes
1635 if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
1636 then
1637 test "$enable_aes" != "no" && test "$enable_aescfb" = "" && enable_aescfb=yes
1638 test "$enable_aesgcm_stream" = "" && test "$enable_aesgcm" = "yes" && enable_aesgcm_stream=yes
1639 test "$enable_aes" != "no" && test "$enable_aesxts" = "" && enable_aesxts=yes
1640 test "$enable_aesxts_stream" = "" && test "$enable_aesxts" = "yes" && enable_aesxts_stream=yes
1641 test "$enable_shake128" = "" && test "$enable_sha3" = "yes" && enable_shake128=yes
1642 test "$enable_shake256" = "" && test "$enable_sha3" = "yes" && enable_shake256=yes
1643 test "$enable_compkey" = "" && enable_compkey=yes
1644 fi
1645 # Enable DH const table speedups (eliminates `-lm` math lib dependency)
1646 AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072"
1647 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
1648 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_EXTRA"
1649 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT"
1650fi
1651
1652# Support for Tailscale port
1653AC_ARG_ENABLE([tailscale],
1654 [AS_HELP_STRING([--enable-tailscale],[Enable Tailscale build dependencies (default: disabled)])],
1655 [ ENABLED_TAILSCALE=$enableval ],
1656 [ ENABLED_TAILSCALE=no ]
1657 )
1658if test "$ENABLED_TAILSCALE" = "yes"
1659then
1660 enable_wolfguard=yes
1661 test "x$enable_sp" = "x" && enable_sp="yes,256"
1662 enable_opensslall=yes
1663 enable_alpn=yes
1664 enable_sni=yes
1665 enable_certgen=yes
1666 enable_certreq=yes
1667 enable_certext=yes
1668 enable_sessioncerts=yes
1669 enable_cert_setup_cb=yes
1670 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
1671 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_INIT_CTX_KEY"
1672 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
1673 AM_CFLAGS="$AM_CFLAGS -DWC_CTC_NAME_SIZE=128 -DWOLFSSL_ACME_OID"
1674fi
1675
1676# wolfGuard
1677AC_ARG_ENABLE([wolfguard],
1678 [AS_HELP_STRING([--enable-wolfguard],[Enable wolfGuard dependencies (default: disabled)])],
1679 [ ENABLED_WOLFGUARD=$enableval ],
1680 [ ENABLED_WOLFGUARD=no ]
1681 )
1682if test "$ENABLED_WOLFGUARD" = "yes"
1683then
1684 test "$enable_ecc" = "" && enable_ecc=yes
1685 test "$enable_sha256" = "" && enable_sha256=yes
1686 test "$enable_aesgcm" = "" && enable_aesgcm=yes
1687 test "$enable_base64encode" = "" && enable_base64encode=yes
1688 test "$enable_base16" = "" && enable_base16=yes
1689 test "$enable_compkey" = "" && enable_compkey=yes
1690 if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6
1691 then
1692 test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes
1693 fi
1694fi
1695
1696# liboqs
1697ENABLED_LIBOQS="no"
1698tryliboqsdir=""
1699AC_ARG_WITH([liboqs],
1700 [AS_HELP_STRING([--with-liboqs=PATH],[Path to liboqs install (default /usr/local) (requires --enable-experimental)])],
1701 [
1702 AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([LIBOQS requires --enable-experimental.]) ])
1703 AC_MSG_CHECKING([for liboqs])
1704 LIBS="$LIBS -loqs"
1705 AM_CFLAGS="$AM_CFLAGS -pthread"
1706
1707 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <oqs/common.h>]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ])
1708
1709 if test "x$liboqs_linked" = "xno" ; then
1710 if test "x$withval" != "xno" ; then
1711 tryliboqsdir=$withval
1712 fi
1713 if test "x$withval" = "xyes" ; then
1714 tryliboqsdir="/usr/local"
1715 fi
1716
1717 CPPFLAGS="$AM_CPPFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS -I$tryliboqsdir/include -pthread"
1718 LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryliboqsdir/lib"
1719
1720 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <oqs/common.h>]], [[ OQS_init(); ]])], [ liboqs_linked=yes ],[ liboqs_linked=no ])
1721
1722 if test "x$liboqs_linked" = "xno" ; then
1723 AC_MSG_ERROR([liboqs isn't found.
1724 If it's already installed, specify its path using --with-liboqs=/dir/])
1725 fi
1726 AC_MSG_RESULT([yes])
1727 AM_CPPFLAGS="$CPPFLAGS"
1728 AM_LDFLAGS="$AM_LDFLAGS -L$tryliboqsdir/lib"
1729 else
1730 AC_MSG_RESULT([yes])
1731 fi
1732
1733 if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
1734 then
1735 ENABLED_OPENSSLEXTRA="yes"
1736 AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
1737 fi
1738
1739 AM_CFLAGS="$AM_CFLAGS -DHAVE_LIBOQS -DHAVE_TLS_EXTENSIONS"
1740 ENABLED_LIBOQS="yes"
1741 ]
1742)
1743
1744# Falcon (provided via liboqs)
1745AC_ARG_ENABLE([falcon],
1746 [AS_HELP_STRING([--enable-falcon],[Enable Falcon post-quantum signatures via liboqs (default: disabled)])],
1747 [ ENABLED_FALCON=$enableval ],
1748 [ ENABLED_FALCON=no ])
1749
1750if test "$ENABLED_FALCON" = "yes" && test "$ENABLED_LIBOQS" = "no"; then
1751 AC_MSG_ERROR([--enable-falcon requires --with-liboqs.])
1752fi
1753if test "$ENABLED_LIBOQS" = "yes" && test "$ENABLED_FALCON" != "yes"; then
1754 AC_MSG_ERROR([--with-liboqs requires --enable-falcon.])
1755fi
1756
1757if test "$ENABLED_FALCON" = "yes"; then
1758 AM_CFLAGS="$AM_CFLAGS -DHAVE_FALCON"
1759fi
1760
1761
1762# MLKEM
1763# Used:
1764# - SHA3, Shake128 and Shake256
1765#
1766# Note, setup is later, after FIPS setup.
1767
1768if test "$enable_shake128" != "no" &&
1769 test "$enable_shake256" != "no" &&
1770 test "$enable_sha3" != "no" &&
1771 (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 7)
1772then
1773 ENABLED_MLKEM_DEFAULT=yes
1774else
1775 ENABLED_MLKEM_DEFAULT=no
1776fi
1777
1778AC_ARG_ENABLE([mlkem],
1779 [AS_HELP_STRING([--enable-mlkem],[Enable ML-KEM/Kyber (default: enabled)])],
1780 [ ENABLED_MLKEM=$enableval ],
1781 [ ENABLED_MLKEM=$ENABLED_MLKEM_DEFAULT ]
1782 )
1783# note, inherits default from "mlkem" clause above.
1784AC_ARG_ENABLE([kyber],
1785 [AS_HELP_STRING([--enable-kyber],[Alias for --enable-mlkem])],
1786 [ ENABLED_MLKEM=$enableval ]
1787 )
1788
1789AC_ARG_ENABLE([tls-mlkem-standalone],
1790 [AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
1791 [ ENABLED_MLKEM_STANDALONE=$enableval ],
1792 [ ENABLED_MLKEM_STANDALONE=no ]
1793 )
1794
1795AC_ARG_ENABLE([pqc-hybrids],
1796 [AS_HELP_STRING([--enable-pqc-hybrids],[Enable PQ/T hybrid combinations (default: enabled)])],
1797 [ ENABLED_PQC_HYBRIDS=$enableval ],
1798 [ ENABLED_PQC_HYBRIDS=yes ]
1799 )
1800
1801# Extra PQ/T Hybrid combinations
1802AC_ARG_ENABLE([extra-pqc-hybrids],
1803 [AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
1804 [ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
1805 [ ENABLED_EXTRA_PQC_HYBRIDS=no ]
1806 )
1807
1808
1809# Dilithium
1810# - SHA3, Shake128 and Shake256
1811AC_ARG_ENABLE([mldsa],
1812 [AS_HELP_STRING([--enable-mldsa],[Enable ML-DSA/Dilithium (default: disabled)])],
1813 [ ENABLED_DILITHIUM=$enableval ],
1814 [ ENABLED_DILITHIUM=no ]
1815 )
1816# note, inherits default from "mldsa" clause above.
1817AC_ARG_ENABLE([dilithium],
1818 [AS_HELP_STRING([--enable-dilithium],[Alias for --enable-mldsa])],
1819 [ ENABLED_DILITHIUM=$enableval ]
1820 )
1821
1822ENABLED_DILITHIUM_OPTS=$ENABLED_DILITHIUM
1823ENABLED_DILITHIUM_MAKE_KEY=no
1824ENABLED_DILITHIUM_SIGN=no
1825ENABLED_DILITHIUM_VERIFY=no
1826for v in `echo $ENABLED_DILITHIUM_OPTS | tr "," " "`
1827do
1828 case $v in
1829 yes)
1830 ENABLED_MLDSA44=yes
1831 ENABLED_MLDSA65=yes
1832 ENABLED_MLDSA87=yes
1833 ENABLED_DILITHIUM_MAKE_KEY=yes
1834 ENABLED_DILITHIUM_SIGN=yes
1835 ENABLED_DILITHIUM_VERIFY=yes
1836 ;;
1837 no)
1838 ;;
1839 all)
1840 ENABLED_DILITHIUM_MAKE_KEY=yes
1841 ENABLED_DILITHIUM_SIGN=yes
1842 ENABLED_DILITHIUM_VERIFY=yes
1843 ;;
1844 make)
1845 ENABLED_DILITHIUM_MAKE_KEY=yes
1846 ;;
1847 sign)
1848 ENABLED_DILITHIUM_SIGN=yes
1849 ;;
1850 verify)
1851 ENABLED_DILITHIUM_VERIFY=yes
1852 ;;
1853 verify-only)
1854 ENABLED_DILITHIUM_MAKE_KEY=no
1855 ENABLED_DILITHIUM_SIGN=no
1856 ENABLED_DILITHIUM_VERIFY=yes
1857 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_VERIFY_ONLY"
1858 ;;
1859 small)
1860 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_SMALL"
1861 ;;
1862 44)
1863 ENABLED_MLDSA44=yes
1864 ;;
1865 65)
1866 ENABLED_MLDSA65=yes
1867 ;;
1868 87)
1869 ENABLED_MLDSA87=yes
1870 ;;
1871 draft|fips204-draft)
1872 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_FIPS204_DRAFT"
1873 ;;
1874 no-ctx)
1875 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_CTX"
1876 ;;
1877 *)
1878 AC_MSG_ERROR([Invalid choice for DILITHIUM [all,make,sign,verify,verify-only,small,44,65,87,no-ctx]: $ENABLED_DILITHIUM.])
1879 break;;
1880 esac
1881done
1882
1883# XMSS
1884AC_ARG_ENABLE([xmss],
1885 [AS_HELP_STRING([--enable-xmss],[Enable stateful XMSS/XMSS^MT signatures (default: disabled)])],
1886 [ ENABLED_XMSS=$enableval ],
1887 [ ENABLED_XMSS=no ]
1888 )
1889
1890for v in `echo $ENABLED_XMSS | tr "," " "`
1891do
1892 case $v in
1893 yes)
1894 ;;
1895 no)
1896 ;;
1897 verify-only)
1898 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_XMSS_VERIFY_ONLY -DXMSS_VERIFY_ONLY"
1899 ;;
1900 small)
1901 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_XMSS_SMALL"
1902 ;;
1903 *)
1904 AC_MSG_ERROR([Invalid choice for XMSS []: $ENABLED_XMSS.])
1905 break;;
1906 esac
1907done
1908
1909# LMS
1910AC_ARG_ENABLE([lms],
1911 [AS_HELP_STRING([--enable-lms],[Enable stateful LMS/HSS signatures (default: disabled)])],
1912 [ ENABLED_LMS=$enableval ],
1913 [ ENABLED_LMS=no ]
1914 )
1915
1916for v in `echo $ENABLED_LMS | tr "," " "`
1917do
1918 case $v in
1919 yes)
1920 ;;
1921 no)
1922 ;;
1923 verify-only)
1924 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_VERIFY_ONLY"
1925 ;;
1926 small)
1927 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_LMS_SMALL"
1928 ;;
1929 no-sha256-256)
1930 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_LMS_SHA256_256"
1931 ;;
1932 sha256-192)
1933 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192"
1934 ;;
1935 shake256)
1936 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHAKE256"
1937 ;;
1938 *)
1939 AC_MSG_ERROR([Invalid choice for LMS []: $ENABLED_LMS.])
1940 break;;
1941 esac
1942done
1943
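# SLH-DSA
# --enable-slhdsa accepts a comma-separated list of choices. ENABLED_SLHDSA is
# always assigned by AC_ARG_ENABLE, from the command line or the "no" default,
# so it is not pre-set here; a pre-set "yes" would contradict the documented
# default without ever taking effect.
#
# "yes" selects all six SLHDSA_PARAM_* sets and "sha2" all six
# SLHDSA_PARAM_SHA2_* sets; the per-parameter words select a single set. These
# variables are only recorded in this loop.
# NOTE(review): they are presumably turned into defines further down the file;
# confirm there.
AC_ARG_ENABLE([slhdsa],
    [AS_HELP_STRING([--enable-slhdsa],[Enable SLH-DSA signatures (default: disabled)])],
    [ ENABLED_SLHDSA=$enableval ],
    [ ENABLED_SLHDSA=no ]
    )

for v in `echo $ENABLED_SLHDSA | tr "," " "`
do
    case $v in
    yes)
        SLHDSA_PARAM_128S=yes
        SLHDSA_PARAM_128F=yes
        SLHDSA_PARAM_192S=yes
        SLHDSA_PARAM_192F=yes
        SLHDSA_PARAM_256S=yes
        SLHDSA_PARAM_256F=yes
        ;;
    no)
        ;;
    verify-only)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_VERIFY_ONLY"
        ;;
    small)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA_SMALL"
        ;;
    small-mem)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA_SMALL_MEM"
        ;;
    128s)
        SLHDSA_PARAM_128S=yes
        ;;
    128f)
        SLHDSA_PARAM_128F=yes
        ;;
    192s)
        SLHDSA_PARAM_192S=yes
        ;;
    192f)
        SLHDSA_PARAM_192F=yes
        ;;
    256s)
        SLHDSA_PARAM_256S=yes
        ;;
    256f)
        SLHDSA_PARAM_256F=yes
        ;;
    no-s)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SMALL"
        ;;
    no-f)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_FAST"
        ;;
    sha2)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_128S=yes
        SLHDSA_PARAM_SHA2_128F=yes
        SLHDSA_PARAM_SHA2_192S=yes
        SLHDSA_PARAM_SHA2_192F=yes
        SLHDSA_PARAM_SHA2_256S=yes
        SLHDSA_PARAM_SHA2_256F=yes
        ;;
    sha2-128s)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_128S=yes
        ;;
    sha2-128f)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_128F=yes
        ;;
    sha2-192s)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_192S=yes
        ;;
    sha2-192f)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_192F=yes
        ;;
    sha2-256s)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_256S=yes
        ;;
    sha2-256f)
        SLHDSA_SHA2=yes
        SLHDSA_PARAM_SHA2_256F=yes
        ;;
    no-sha2-s)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_SMALL"
        ;;
    no-sha2-f)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_FAST"
        ;;
    *)
        # List the accepted words so a typo in a signature-scheme option is
        # easy to correct from the error text alone.
        AC_MSG_ERROR([Invalid choice for SLH-DSA [yes,no,verify-only,small,small-mem,128s,128f,192s,192f,256s,256f,no-s,no-f,sha2,sha2-128s,sha2-128f,sha2-192s,sha2-192f,sha2-256s,sha2-256f,no-sha2-s,no-sha2-f]: $ENABLED_SLHDSA.])
        break;;
    esac
done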
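# SINGLE THREADED
# Unless --enable-singlethreaded was given, probe for POSIX threads with
# AX_PTHREAD. When the probe fails the build is switched to single threaded,
# which adds -DSINGLE_THREADED below; that fallback is reported so that a
# missing pthread toolchain does not silently change the threading model of
# the resulting library.
AC_ARG_ENABLE([singlethreaded],
    [AS_HELP_STRING([--enable-singlethreaded],[Enable wolfSSL single threaded (default: disabled)])],
    [ ENABLED_SINGLETHREADED=$enableval ],
    [ ENABLED_SINGLETHREADED=no ])

WOLFSSL_HAVE_PTHREAD=0
AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[
    AX_PTHREAD([
        AC_DEFINE([HAVE_PTHREAD], [1], [Define if you have POSIX threads libraries and header files.])
        WOLFSSL_HAVE_PTHREAD=1
        # If AX_PTHREAD is adding -Qunused-arguments, prepend -Xcompiler so that libtool will use it.
        # Newer versions of clang do not need the -Q flag when using pthreads.
        AS_CASE([$PTHREAD_CFLAGS],[-Qunused-arguments*],[PTHREAD_CFLAGS="-Xcompiler $PTHREAD_CFLAGS"])
        AM_CFLAGS="$AM_CFLAGS $PTHREAD_CFLAGS"
        LIBS="$LIBS $PTHREAD_LIBS"
    ],[
        AC_MSG_WARN([POSIX threads not found -- falling back to a single threaded build.])
        ENABLED_SINGLETHREADED=yes
    ])
    ])

AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xyes" ],[ AM_CFLAGS="$AM_CFLAGS -DSINGLE_THREADED" ])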
2064
2065# Enable rwlock
2066AC_ARG_ENABLE([rwlock],
2067 [AS_HELP_STRING([--enable-rwlock],[Enable use of rwlock (default: disabled)])],
2068 [ENABLED_RWLOCK=$enableval],
2069 [ENABLED_RWLOCK=no])
2070
2071if test "$ENABLED_RWLOCK" = "yes"
2072then
2073 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_USE_RWLOCK"
2074fi
2075
2076# ECH
2077AC_ARG_ENABLE([ech],
2078 [AS_HELP_STRING([--enable-ech],[Enable ECH (default: disabled)])],
2079 [ ENABLED_ECH=$enableval ],
2080 [ ENABLED_ECH=no ]
2081 )
2082if test "$ENABLED_ECH" = "yes"
2083then
2084 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECH"
2085
2086 test "$enable_hpke" = "" && enable_hpke=yes
2087 test "$enable_ecc" = "" && enable_ecc=yes
2088 test "$enable_curve25519" = "" && enable_curve25519=yes
2089 test "$enable_sha256" = "" && enable_sha256=yes
2090 test "$enable_sni" = "" && enable_sni=yes
2091 test "$enable_tls13" = "" && enable_tls13=yes
2092fi
2093
2094# DTLS
2095# DTLS is a prereq for the options mcast, sctp, and jni. Enabling any of those
2096# without DTLS will also enable DTLS.
2097AC_ARG_ENABLE([dtls],
2098 [AS_HELP_STRING([--enable-dtls],[Enable wolfSSL DTLS (default: disabled)])],
2099 [ ENABLED_DTLS=$enableval ],
2100 [ ENABLED_DTLS=no ]
2101 )
2102if test "$ENABLED_DTLS" = "yes"
2103then
2104 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
2105fi
2106
2107# DTLS change MTU
2108AC_ARG_ENABLE([dtls-mtu],
2109 [AS_HELP_STRING([--enable-dtls-mtu],[Enable setting the MTU size for wolfSSL DTLS (default: disabled)])],
2110 [ ENABLED_DTLS_MTU=$enableval ],
2111 [ ENABLED_DTLS_MTU=no ]
2112 )
2113if test "$ENABLED_DTLS_MTU" = "yes"
2114then
2115 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_MTU"
2116fi
2117
# KeyLog file export
# SECURITY: per the help string this exports TLS secrets to an NSS keylog
# file. Whoever can read that file can decrypt the sessions it covers, so the
# option belongs in debugging builds only and should be checked for in release
# build configurations. Only the exact value "yes" turns it on.
AC_ARG_ENABLE([keylog-export],
    [AS_HELP_STRING([--enable-keylog-export],[Enable insecure export of TLS secrets to an NSS keylog file (default: disabled)])],
    [ ENABLED_KEYLOG_EXPORT=$enableval ],
    [ ENABLED_KEYLOG_EXPORT=no ]
    )
if test "$ENABLED_KEYLOG_EXPORT" = "yes"
then
    # Make the risk visible in the configure output.
    AC_MSG_WARN([Keylog export enabled -- Sensitive key data will be stored insecurely.])
    # NOTE(review): WOLFSSL_KEYLOG_EXPORT_WARNED presumably tells the sources
    # that the warning above was already shown; confirm where it is consumed.
    AM_CFLAGS="$AM_CFLAGS -DSHOW_SECRETS -DHAVE_SECRET_CALLBACK -DWOLFSSL_SSLKEYLOGFILE -DWOLFSSL_KEYLOG_EXPORT_WARNED"
fi
2129
2130# TLS v1.3 Draft 18 (Note: only final TLS v1.3 supported, here for backwards build compatibility)
2131AC_ARG_ENABLE([tls13-draft18],
2132 [AS_HELP_STRING([--enable-tls13-draft18],[Enable wolfSSL TLS v1.3 Draft 18 (default: disabled)])],
2133 [ ENABLED_TLS13_DRAFT18=$enableval ],
2134 [ ENABLED_TLS13_DRAFT18=no ]
2135 )
2136
2137# TLS v1.3
2138AC_ARG_ENABLE([tls13],
2139 [AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: enabled)])],
2140 [ ENABLED_TLS13=$enableval ],
2141 [ ENABLED_TLS13=yes ]
2142 )
2143if test "x$FIPS_VERSION" = "xv1" ||
2144 ( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 1 )
2145then
2146 ENABLED_TLS13="no"
2147fi
2148
2149# QUIC support
2150AC_ARG_ENABLE([quic],
2151 [AS_HELP_STRING([--enable-quic],[Enable QUIC API with wolfSSL TLS v1.3 (default: disabled)])],
2152 [ ENABLED_QUIC=$enableval ],
2153 [ ENABLED_QUIC=no ]
2154 )
2155
2156if test "$ENABLED_QUIC" = "yes"
2157then
2158 if test "x$ENABLED_TLS13" = "xno"
2159 then
2160 AC_MSG_ERROR([TLS 1.3 is disabled - necessary for QUIC])
2161 fi
2162 if test "$enable_aesgcm" = "no"
2163 then
2164 AC_MSG_ERROR([AES-GCM is disabled - necessary for QUIC])
2165 fi
2166 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QUIC"
2167 # QUIC proto handlers need app_data at WOLFSSL*
2168 AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
2169fi
2170
2171
2172# Post-handshake Authentication
2173AC_ARG_ENABLE([postauth],
2174 [AS_HELP_STRING([--enable-postauth],[Enable wolfSSL Post-handshake Authentication (default: disabled)])],
2175 [ ENABLED_TLS13_POST_AUTH=$enableval ],
2176 [ ENABLED_TLS13_POST_AUTH=no ]
2177 )
2178if test "$ENABLED_TLS13_POST_AUTH" = "yes"
2179then
2180 if test "x$ENABLED_TLS13" = "xno"
2181 then
2182 AC_MSG_NOTICE([TLS 1.3 is disabled - disabling Post-handshake Authentication])
2183 ENABLED_TLS13_POST_AUTH="no"
2184 else
2185 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_POST_HANDSHAKE_AUTH"
2186 fi
2187fi
2188
2189
2190# Hello Retry Request Cookie
2191AC_ARG_ENABLE([hrrcookie],
2192 [AS_HELP_STRING([--enable-hrrcookie],[Enable the server to send Cookie Extension in HRR with state (default: disabled)])],
2193 [ ENABLED_SEND_HRR_COOKIE=$enableval ],
2194 [ ENABLED_SEND_HRR_COOKIE=undefined ]
2195 )
2196if test "$ENABLED_SEND_HRR_COOKIE" = "yes"
2197then
2198 if test "x$ENABLED_TLS13" = "xno"
2199 then
2200 AC_MSG_NOTICE([TLS 1.3 is disabled - disabling HRR Cookie])
2201 ENABLED_SEND_HRR_COOKIE="no"
2202 else
2203 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
2204 fi
2205fi
2206
2207
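# RNG
# --disable-rng adds -DWC_NO_RNG. Other sections of this file key off
# ENABLED_RNG as well: the harden section only adds -DWC_RSA_BLINDING when
# the RNG is enabled.
AC_ARG_ENABLE([rng],
    [AS_HELP_STRING([--enable-rng],[Enable compiling and using RNG (default: enabled)])],
    [ ENABLED_RNG=$enableval ],
    [ ENABLED_RNG=yes ]
    )

if test "$ENABLED_RNG" = "no"
then
    AM_CFLAGS="$AM_CFLAGS -DWC_NO_RNG"
fi

# RNG banks. The default comes from KERNEL_MODE_DEFAULTS, which is set outside
# this part of the file.
AC_ARG_ENABLE([rng-bank],
    [AS_HELP_STRING([--enable-rng-bank],[Enable compiling and using RNG banks (default: disabled)])],
    [ ENABLED_RNG_BANK=$enableval ],
    [ ENABLED_RNG_BANK=$KERNEL_MODE_DEFAULTS ]
    )

if test "$ENABLED_RNG_BANK" = "yes"
then
    # RNG banks cannot work without the RNG itself. The action argument is
    # quoted so that m4 expands AC_MSG_ERROR inside AS_IF and not while
    # collecting its arguments.
    AS_IF([test "$ENABLED_RNG" = "no"],
          [AC_MSG_ERROR([--enable-rng-bank requires --enable-rng])])
    AM_CFLAGS="$AM_CFLAGS -DWC_RNG_BANK_SUPPORT"
fi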
2232
2233
2234# DTLS-SCTP
2235AC_ARG_ENABLE([sctp],
2236 [AS_HELP_STRING([--enable-sctp],[Enable wolfSSL DTLS-SCTP support (default: disabled)])],
2237 [ENABLED_SCTP=$enableval],
2238 [ENABLED_SCTP=no])
2239
2240AS_IF([test "x$ENABLED_SCTP" = "xyes"],
2241 [AC_MSG_CHECKING([for SCTP])
2242 AC_RUN_IFELSE(
2243 [AC_LANG_PROGRAM(
2244[[
2245#include <sys/socket.h>
2246#include <arpa/inet.h>
2247]],
2248[[int s = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP); if (s == -1) return 1;]])],
2249[AC_MSG_RESULT(yes)],
2250[AC_MSG_RESULT(no)
2251 AC_MSG_ERROR([SCTP not available, remove enable-sctp from configure])],
2252: ,
2253: ,
2254: )])
2255
2256# DTLS-SRTP
2257AC_ARG_ENABLE([srtp],
2258 [AS_HELP_STRING([--enable-srtp],[Enable wolfSSL DTLS-SRTP support (default: disabled)])],
2259 [ENABLED_SRTP=$enableval],
2260 [ENABLED_SRTP=no])
2261
2262# DTLS-MULTICAST
2263AC_ARG_ENABLE([mcast],
2264 [AS_HELP_STRING([--enable-mcast],[Enable wolfSSL DTLS multicast support (default: disabled)])],
2265 [ENABLED_MCAST=$enableval],
2266 [ENABLED_MCAST=no])
2267
2268
2269# List of open source project defines using our openssl compatibility layer:
2270# bind dns (--enable-bind) WOLFSSL_BIND
2271# libssh2 (--enable-libssh2)
2272# openssh (--enable-openssh) WOLFSSL_OPENSSH
2273# openvpn (--enable-openvpn) WOLFSSL_OPENVPN
2274# nginx (--enable-nginx) WOLFSSL_NGINX
2275# ntp (--enable-ntp)
2276# openresty (--enable-openresty)
2277# haproxy (--enable-haproxy) WOLFSSL_HAPROXY
2278# wpa_supplicant (--enable-wpas) WOLFSSL_WPAS
2279# ssl fortress (--enable-fortress) FORTRESS
2280# ssl bump (--enable-bump)
2281# signal (--enable-signal)
2282# lighty (--enable-lighty) HAVE_LIGHTY
2283# rsyslog (--enable-rsyslog)
2284# stunnel (--enable-stunnel) HAVE_STUNNEL
2285# curl (--enable-curl) HAVE_CURL
2286# libest (--enable-libest) HAVE_LIBEST
2287# asio (--enable-asio) WOLFSSL_ASIO
2288# libwebsockets (--enable-libwebsockets) WOLFSSL_LIBWEBSOCKETS
2289# qt (--enable-qt) WOLFSSL_QT
2290# qt test (--enable-qt-test) WOLFSSL_QT_TEST
2291# HAVE_POCO_LIB
2292# WOLFSSL_MYSQL_COMPATIBLE
2293# web server (--enable-webserver) HAVE_WEBSERVER
2294# net-snmp (--enable-net-snmp)
2295# krb (--enable-krb) WOLFSSL_KRB
2296# FFmpeg (--enable-ffmpeg) WOLFSSL_FFMPEG
2297# strongSwan (--enable-strongswan)
2298# OpenLDAP (--enable-openldap)
2299# hitch (--enable-hitch)
2300# memcached (--enable-memcached)
2301# Mosquitto (--enable-mosquitto) HAVE_MOSQUITTO
2302
2303# Bind DNS compatibility Build
2304AC_ARG_ENABLE([bind],
2305 [AS_HELP_STRING([--enable-bind],[Enable Bind DNS compatibility build (default: disabled)])],
2306 [ENABLED_BIND=$enableval],
2307 [ENABLED_BIND=no])
2308
2309AC_ARG_ENABLE([libssh2],
2310 [AS_HELP_STRING([--enable-libssh2],[Enable libssh2 compatibility build (default: disabled)])],
2311 [ENABLED_LIBSSH2=$enableval],
2312 [ENABLED_LIBSSH2=no])
2313
2314# OpenSSH compatibility Build
2315AC_ARG_ENABLE([openssh],
2316 [AS_HELP_STRING([--enable-openssh],[Enable OpenSSH compatibility build (default: disabled)])],
2317 [ENABLED_OPENSSH=$enableval],
2318 [ENABLED_OPENSSH=no])
2319
2320if test "$ENABLED_OPENSSH" = "yes"
2321then
2322 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH -DHAVE_EX_DATA -DWOLFSSL_BASE16"
2323 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL -DWC_RNG_SEED_CB"
2324fi
2325
2326# OpenVPN compatibility Build
2327AC_ARG_ENABLE([openvpn],
2328 [AS_HELP_STRING([--enable-openvpn],[Enable OpenVPN compatibility build (default: disabled)])],
2329 [ENABLED_OPENVPN=$enableval],
2330 [ENABLED_OPENVPN=no])
2331
2332# openresty compatibility build
2333AC_ARG_ENABLE([openresty],
2334 [AS_HELP_STRING([--enable-openresty],[Enable openresty (default: disabled)])],
2335 [ ENABLED_OPENRESTY=$enableval ],
2336 [ ENABLED_OPENRESTY=no ]
2337 )
2338
2339# nginx compatibility build
2340AC_ARG_ENABLE([nginx],
2341 [AS_HELP_STRING([--enable-nginx],[Enable nginx (default: disabled)])],
2342 [ ENABLED_NGINX=$enableval ],
2343 [ ENABLED_NGINX=no ]
2344 )
2345
2346# chrony support. Needs the compatibility layer for SNI callback functionality,
2347# but otherwise uses pure wolfCrypt.
2348AC_ARG_ENABLE([chrony],
2349 [AS_HELP_STRING([--enable-chrony],[Enable chrony support (default: disabled)])],
2350 [ ENABLED_CHRONY=$enableval ],
2351 [ ENABLED_CHRONY=no ]
2352 )
2353
2354if test "$ENABLED_CHRONY" = "yes"
2355then
2356 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
2357fi
2358
2359if test "$ENABLED_OPENRESTY" = "yes"
2360then
2361 ENABLED_NGINX="yes"
2362fi
2363
2364# OpenLDAP support
2365AC_ARG_ENABLE([openldap],
2366 [AS_HELP_STRING([--enable-openldap],[Enable OpenLDAP support (default: disabled)])],
2367 [ ENABLED_OPENLDAP=$enableval ],
2368 [ ENABLED_OPENLDAP=no ]
2369 )
2370
2371# Mosquitto support
2372AC_ARG_ENABLE([mosquitto],
2373 [AS_HELP_STRING([--enable-mosquitto],[Enable Mosquitto support (default: disabled)])],
2374 [ ENABLED_MOSQUITTO=$enableval ],
2375 [ ENABLED_MOSQUITTO=no ]
2376 )
2377
2378if test "x$ENABLED_MOSQUITTO" = "xyes"
2379then
2380 AM_CFLAGS="$AM_CFLAGS -DHAVE_MOSQUITTO"
2381fi
2382
2383# lighty Support
2384AC_ARG_ENABLE([lighty],
2385 [AS_HELP_STRING([--enable-lighty],[Enable lighttpd/lighty (default: disabled)])],
2386 [ ENABLED_LIGHTY=$enableval ],
2387 [ ENABLED_LIGHTY=no ]
2388 )
2389
2390# rsyslog Support
2391AC_ARG_ENABLE([rsyslog],
2392 [AS_HELP_STRING([--enable-rsyslog],[Enable rsyslog (default: disabled)])],
2393 [ ENABLED_RSYSLOG=$enableval ],
2394 [ ENABLED_RSYSLOG=no ]
2395 )
2396
2397# haproxy compatibility build
2398AC_ARG_ENABLE([haproxy],
2399 [AS_HELP_STRING([--enable-haproxy],[Enable haproxy (default: disabled)])],
2400 [ ENABLED_HAPROXY=$enableval ],
2401 [ ENABLED_HAPROXY=no ]
2402 )
2403
2404# wpa_supplicant support
2405AC_ARG_ENABLE([wpas],
2406 [AS_HELP_STRING([--enable-wpas],[Enable wpa_supplicant support (default: disabled)])],
2407 [ ENABLED_WPAS=$enableval ],
2408 [ ENABLED_WPAS=no ]
2409 )
2410
2411# wpa_supplicant support
2412AC_ARG_ENABLE([wpas-dpp],
2413 [AS_HELP_STRING([--enable-wpas-dpp],[Enable wpa_supplicant support with dpp (default: disabled)])],
2414 [ ENABLED_WPAS_DPP=$enableval ],
2415 [ ENABLED_WPAS_DPP=no ]
2416 )
2417
2418if test "$ENABLED_WPAS_DPP" = "yes"
2419then
2420 ENABLED_WPAS="yes"
2421fi
2422
2423# ntp support
2424AC_ARG_ENABLE([ntp],
2425 [AS_HELP_STRING([--enable-ntp],[Enable ntp support (default: disabled)])],
2426 [ ENABLED_NTP=$enableval ],
2427 [ ENABLED_NTP=no ]
2428 )
2429
2430# Fortress build
2431AC_ARG_ENABLE([fortress],
2432 [AS_HELP_STRING([--enable-fortress],[Enable SSL fortress build (default: disabled)])],
2433 [ ENABLED_FORTRESS=$enableval ],
2434 [ ENABLED_FORTRESS=no ]
2435 )
2436
2437if test "$ENABLED_OPENSSH" = "yes"
2438then
2439 ENABLED_FORTRESS="yes"
2440fi
2441
2442# libwebsockets Support
2443AC_ARG_ENABLE([libwebsockets],
2444 [AS_HELP_STRING([--enable-libwebsockets],[Enable libwebsockets (default: disabled)])],
2445 [ ENABLED_LIBWEBSOCKETS=$enableval ],
2446 [ ENABLED_LIBWEBSOCKETS=no ]
2447 )
2448if test "$ENABLED_LIBWEBSOCKETS" = "yes"
2449then
2450 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LIBWEBSOCKETS -DHAVE_EX_DATA -DOPENSSL_NO_EC"
2451fi
2452
2453# net-snmp Build
2454AC_ARG_ENABLE([net-snmp],
2455 [AS_HELP_STRING([--enable-net-snmp],[Enable net-snmp (default: disabled)])],
2456 [ ENABLED_NETSNMP=$enableval ],
2457 [ ENABLED_NETSNMP=no ]
2458 )
2459
2460# kerberos 5 Build
2461AC_ARG_ENABLE([krb],
2462 [AS_HELP_STRING([--enable-krb],[Enable kerberos 5 support (default: disabled)])],
2463 [ ENABLED_KRB=$enableval ],
2464 [ ENABLED_KRB=no ]
2465 )
2466
2467# FFmpeg Build
2468AC_ARG_ENABLE([ffmpeg],
2469 [AS_HELP_STRING([--enable-ffmpeg],[Enable FFmpeg support (default: disabled)])],
2470 [ ENABLED_FFMPEG=$enableval ],
2471 [ ENABLED_FFMPEG=no ]
2472 )
2473
2474
2475# IP alternative name Support
2476AC_ARG_ENABLE([ip-alt-name],
2477 [AS_HELP_STRING([--enable-ip-alt-name],[Enable IP subject alternative name (default: disabled)])],
2478 [ ENABLE_IP_ALT_NAME=$enableval ],
2479 [ ENABLE_IP_ALT_NAME=no ]
2480 )
2481
2482if test "$ENABLE_IP_ALT_NAME" = "yes"
2483then
2484 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IP_ALT_NAME"
2485fi
2486
2487# QT Support
2488AC_ARG_ENABLE([qt],
2489 [AS_HELP_STRING([--enable-qt],[Enable qt (default: disabled)])],
2490 [ ENABLED_QT=$enableval ],
2491 [ ENABLED_QT=no ]
2492 )
2493
2494# SNIFFER
2495AC_ARG_ENABLE([sniffer],
2496 [AS_HELP_STRING([--enable-sniffer],[Enable wolfSSL sniffer support (default: disabled)])],
2497 [ ENABLED_SNIFFER=$enableval ],
2498 [ ENABLED_SNIFFER=no ]
2499 )
2500
2501# signal compatibility build
2502AC_ARG_ENABLE([signal],
2503 [AS_HELP_STRING([--enable-signal],[Enable signal (default: disabled)])],
2504 [ ENABLED_SIGNAL=$enableval ],
2505 [ ENABLED_SIGNAL=no ]
2506 )
2507
2508# strongSwan support
2509AC_ARG_ENABLE([strongswan],
2510 [AS_HELP_STRING([--enable-strongswan],[Enable strongSwan support (default: disabled)])],
2511 [ ENABLED_STRONGSWAN=$enableval ],
2512 [ ENABLED_STRONGSWAN=no ]
2513 )
2514
2515# hitch support
2516AC_ARG_ENABLE([hitch],
2517 [AS_HELP_STRING([--enable-hitch],[Enable hitch support (default: disabled)])],
2518 [ ENABLED_HITCH=$enableval ],
2519 [ ENABLED_HITCH=no ]
2520 )
2521
2522# memcached support
2523AC_ARG_ENABLE([memcached],
2524 [AS_HELP_STRING([--enable-memcached],[Enable memcached support (default: disabled)])],
2525 [ ENABLED_MEMCACHED=$enableval ],
2526 [ ENABLED_MEMCACHED=no ]
2527 )
2528
2529# OpenSSL Coexist
2530AC_ARG_ENABLE([opensslcoexist],
2531 [AS_HELP_STRING([--enable-opensslcoexist],[Enable coexistence of wolfssl/openssl (default: disabled)])],
2532 [ ENABLED_OPENSSLCOEXIST=$enableval ],
2533 [ ENABLED_OPENSSLCOEXIST=no ]
2534 )
2535
2536if test "x$ENABLED_OPENSSLCOEXIST" = "xyes" || test "$ENABLED_WOLFENGINE" = "yes"
2537then
2538 # make sure old names are disabled (except RNG)
2539 AM_CFLAGS="$AM_CFLAGS -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES"
2540 AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME"
2541 AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COEXIST"
2542fi
2543
2544# S/MIME
2545AC_ARG_ENABLE([smime],
2546 [AS_HELP_STRING([--enable-smime],[Enable S/MIME (default: disabled)])],
2547 [ ENABLED_SMIME=$enableval ],
2548 [ ENABLED_SMIME=no ]
2549 )
2550
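# Platform Security Architecture (PSA)
# --enable-psa switches the PSA interface on. The --with-psa-* options say
# where the PSA headers and library live, and are rejected unless PSA itself
# is enabled. The paths are appended to AM_CFLAGS / AM_LDFLAGS as plain words,
# so a path containing whitespace will be split by the shell.
AC_ARG_ENABLE([psa],
    [AS_HELP_STRING([--enable-psa],[use Platform Security Architecture (PSA) interface (default: disabled)])],
    [ ENABLED_PSA=$enableval ],
    [ ENABLED_PSA=no ]
    )

AC_ARG_WITH([psa-include],
    [AS_HELP_STRING([--with-psa-include=PATH],
        [PATH to directory with PSA header files])],
    [PSA_INCLUDE=$withval],
    [PSA_INCLUDE=""])

AC_ARG_WITH([psa-lib],
    [AS_HELP_STRING([--with-psa-lib=PATH],[PATH to directory with the PSA library])],
    [PSA_LIB=$withval],
    [PSA_LIB=""])

AC_ARG_WITH([psa-lib-name],
    [AS_HELP_STRING([--with-psa-lib-name=NAME],[NAME of PSA library])],
    [PSA_LIB_NAME=$withval],
    [PSA_LIB_NAME=""])

AC_ARG_ENABLE([psa-lib-static],
    [AS_HELP_STRING([--enable-psa-lib-static],[Link PSA as static library (default: disable)])],
    [ ENABLED_PSA_STATIC=$enableval ],
    [ ENABLED_PSA_STATIC=no ]
    )

if test "x$ENABLED_PSA" = "xyes"
then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_PSA"
fi

# Location options without --enable-psa are a configuration mistake.
if test "x$ENABLED_PSA" != "xyes" && \
    (test "x$PSA_LIB" != "x" || test "x$PSA_INCLUDE" != "x" || test "x$PSA_LIB_NAME" != "x" )
then
    AC_MSG_ERROR([to use PSA you need to enable it with --enable-psa])
fi

if test -n "$PSA_LIB"
then
    AC_MSG_CHECKING([for $PSA_LIB])
    if ! test -d "$PSA_LIB"
    then
        AC_MSG_ERROR([PSA lib dir $PSA_LIB not found.])
    fi
    AC_MSG_RESULT([yes])
    AM_LDFLAGS="$AM_LDFLAGS -L$PSA_LIB"
fi

if test -n "$PSA_LIB_NAME"
then
    if test "x$ENABLED_PSA_STATIC" = "xyes"
    then
        # The static archive is referenced as directory/name. With no
        # --with-psa-lib the directory part is empty and the path starts at
        # the filesystem root, which is rarely what the builder meant, so
        # report it instead of letting it pass unnoticed.
        if test -z "$PSA_LIB"
        then
            AC_MSG_WARN([--enable-psa-lib-static without --with-psa-lib: static PSA library path is /$PSA_LIB_NAME])
        fi
        LIB_STATIC_ADD="$LIB_STATIC_ADD $PSA_LIB/$PSA_LIB_NAME"
    else
        LIB_ADD="$LIB_ADD -l$PSA_LIB_NAME"
    fi
fi

if test -n "$PSA_INCLUDE"
then
    AC_MSG_CHECKING([for $PSA_INCLUDE])
    if ! test -d "$PSA_INCLUDE"
    then
        AC_MSG_ERROR([psa include dir $PSA_INCLUDE not found.])
    fi
    AC_MSG_RESULT([yes])
    AM_CFLAGS="$AM_CFLAGS -I$PSA_INCLUDE"
fi

AC_SUBST([PSA_LIB])
AC_SUBST([PSA_LIB_NAME])
AC_SUBST([PSA_INCLUDE])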
2626
2627# OPENSSL Compatibility ALL
2628AC_ARG_ENABLE([opensslall],
2629[AS_HELP_STRING([--enable-opensslall],[Enable all OpenSSL API, size++ (default: disabled)])],
2630[ ENABLED_OPENSSLALL=$enableval ],
2631[ ENABLED_OPENSSLALL=no ]
2632)
2633if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
2634 test "$ENABLED_WPAS_DPP" = "yes" || test "$ENABLED_SMIME" = "yes" || \
2635 test "$ENABLED_HAPROXY" = "yes" || test "$ENABLED_BIND" = "yes" || \
2636 test "$ENABLED_NTP" = "yes" || test "$ENABLED_NETSNMP" = "yes" || \
2637 test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \
2638 test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \
2639 test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
2640 test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || \
2641 test "$ENABLED_HITCH" = "yes" || test "$ENABLED_NGINX" = "yes"
2642then
2643 ENABLED_OPENSSLALL="yes"
2644fi
2645
2646# OPENSSL Extra Compatibility
2647AC_ARG_ENABLE([opensslextra],
2648 [AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled). Skip compat header install using "noinstall"])],
2649 [ ENABLED_OPENSSLEXTRA=$enableval ],
2650 [ ENABLED_OPENSSLEXTRA=no ]
2651 )
2652
2653if test "$ENABLED_QUIC" = "yes"
2654then
2655 ENABLED_OPENSSLEXTRA="yes"
2656fi
2657
2658
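# One Error Queue per Thread
# The default "check" resolves to yes unless thread-local storage is off or
# the build is single threaded. thread_ls_on is set outside this part of the
# file. An explicit "yes" without thread-local storage is an error.
AC_ARG_ENABLE([error-queue-per-thread],
    [AS_HELP_STRING([--enable-error-queue-per-thread],[Enable one error queue per thread. Requires thread local storage. (default: disabled)])],
    [ ENABLED_ERRORQUEUEPERTHREAD=$enableval ],
    [ ENABLED_ERRORQUEUEPERTHREAD=check ]
    )

if test "$ENABLED_ERRORQUEUEPERTHREAD" = "check"
then
    AS_IF([test "$thread_ls_on" = "no" ||
           test "$ENABLED_SINGLETHREADED" = "yes"],
          [ENABLED_ERRORQUEUEPERTHREAD=no],
          [ENABLED_ERRORQUEUEPERTHREAD=yes])
fi

if test "$ENABLED_ERRORQUEUEPERTHREAD" = "yes"
then
    if test "$thread_ls_on" != "yes"
    then
        # The message is quoted so that m4 treats it as literal text.
        AC_MSG_ERROR([error-queue-per-thread needs thread-local storage.])
    fi
    AM_CFLAGS="$AM_CFLAGS -DERROR_QUEUE_PER_THREAD"
fi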
2682
2683# High Strength Build
2684AC_ARG_ENABLE([maxstrength],
2685 [AS_HELP_STRING([--enable-maxstrength],[Enable Max Strength build, allows TLSv1.2-AEAD-PFS ciphers only (default: disabled)])],
2686 [ENABLED_MAXSTRENGTH=$enableval],
2687 [ENABLED_MAXSTRENGTH=no])
2688
2689
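# Harden, enable Timing Resistance and Blinding by default
# With hardening on, the timing-resistance defines are always added, but
# -DWC_RSA_BLINDING is added only when the RNG is enabled. With hardening off,
# -DWC_NO_HARDEN and -DWC_NO_CACHE_RESISTANT are added instead. Both reduced
# states are reported in the configure output so that a build without these
# side-channel countermeasures is a visible decision.
AC_ARG_ENABLE([harden],
    [AS_HELP_STRING([--enable-harden],[Enable Hardened build, Enables Timing Resistance and Blinding (default: enabled)])],
    [ENABLED_HARDEN=$enableval],
    [ENABLED_HARDEN=yes])

if test "$ENABLED_HARDEN" = "yes"
then
    AM_CFLAGS="$AM_CFLAGS -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT"
    if test "$ENABLED_RNG" = "yes"
    then
        AM_CFLAGS="$AM_CFLAGS -DWC_RSA_BLINDING"
    else
        AC_MSG_NOTICE([RNG is disabled - RSA blinding not enabled])
    fi
else
    AC_MSG_WARN([Hardening disabled -- Timing Resistance and Blinding are not enabled.])
    AM_CFLAGS="$AM_CFLAGS -DWC_NO_HARDEN -DWC_NO_CACHE_RESISTANT"
fi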
2706
2707# Fault protection hardening
2708AC_ARG_ENABLE([faultharden],
2709 [AS_HELP_STRING([--enable-faultharden],[Enable Fault Hardened build (default: disabled)])],
2710 [ENABLED_FAULTHARDEN=$enableval],
2711 [ENABLED_FAULTHARDEN=no])
2712
2713if test "$ENABLED_FAULTHARDEN" = "yes"
2714then
2715 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CHECK_SIG_FAULTS -DWOLFSSL_CHECK_VER_FAULTS -DWC_SHA3_FAULT_HARDEN -DWC_MLKEM_FAULT_HARDEN -DWC_MLDSA_FAULT_HARDEN"
2716fi
2717
2718AC_ARG_ENABLE([compileharden],
2719 [AS_HELP_STRING([--enable-compileharden],[Enable extra hardening compile flags (default: disabled)])],
2720 [ENABLED_COMPILEHARDEN=$enableval],
2721 [ENABLED_COMPILEHARDEN=no])
2722
2723EXTRA_OPTS_CFLAGS=
2724if test "$ENABLED_COMPILEHARDEN" = "yes"
2725then
2726 CAN_USE_32B_BOUNDARIES_FLAG=no
2727 AX_CHECK_COMPILE_FLAG([-Wa,-mbranches-within-32B-boundaries],
2728 [CAN_USE_32B_BOUNDARIES_FLAG=yes],
2729 [CAN_USE_32B_BOUNDARIES_FLAG=no],
2730 [-Werror],[])
2731
2732 if test "$CAN_USE_32B_BOUNDARIES_FLAG" = "yes"
2733 then
2734 EXTRA_OPTS_CFLAGS="$EXTRA_OPTS_CFLAGS -Wa,-mbranches-within-32B-boundaries -falign-loops=64"
2735 else
2736 AC_MSG_ERROR([compiler does not accept -mbranches-within-32B-boundaries flag])
2737 fi
2738fi
2739
2740
2741
2742# IPv6 Test Apps
2743AC_ARG_ENABLE([ipv6],
2744 [AS_HELP_STRING([--enable-ipv6],[Enable testing of IPV6 (default: disabled)])],
2745 [ ENABLED_IPV6=$enableval ],
2746 [ ENABLED_IPV6=no ]
2747 )
2748
2749if test "$ENABLED_IPV6" = "yes"
2750then
2751 AM_CFLAGS="$AM_CFLAGS -DTEST_IPV6 -DWOLFSSL_IPV6"
2752fi
2753
2754if test "$ENABLED_WPAS" = "small"
2755then
2756 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS_SMALL"
2757fi
2758if test "$ENABLED_WPAS" = "yes"
2759then
2760 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS"
2761 AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK"
2762 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
2763fi
2764if test "$ENABLED_WPAS" != "no"
2765then
2766 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
2767 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
2768 AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
2769 AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
2770 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE"
2771 AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
2772
2773 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
2774 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD"
2775 AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
2776 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
2777 AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
2778 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
2779 AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT"
2780 AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT"
2781 AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL"
2782 AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
2783 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"
2784 AM_CFLAGS="$AM_CFLAGS -DWC_CTC_NAME_SIZE=128"
2785
2786 if test "$ENABLED_OPENSSLEXTRA" = "no"
2787 then
2788 ENABLED_OPENSSLEXTRA="yes"
2789 AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
2790 fi
2791fi
2792
2793if test "$ENABLED_FORTRESS" = "yes"
2794then
2795 AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_KEY_GEN"
2796fi
2797
2798# lean TLS build (TLS 1.2 client only (no client auth), ECC256, AES128 and SHA256 w/o Shamir)
2799AC_ARG_ENABLE([leantls],
2800 [AS_HELP_STRING([--enable-leantls],[Enable Lean TLS build (default: disabled)])],
2801 [ ENABLED_LEANTLS=$enableval ],
2802 [ ENABLED_LEANTLS=no ]
2803 )
2804
2805if test "$ENABLED_LEANTLS" = "yes"
2806then
2807 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANTLS -DNO_WRITEV -DHAVE_ECC -DTFM_ECC256 -DECC_USER_CURVES -DNO_WOLFSSL_SERVER -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_SHA -DNO_PSK -DNO_WOLFSSL_MEMORY -DNO_WOLFSSL_CM_VERIFY"
2808 enable_lowresource=yes
2809fi
2810
2811
2812# low resource options to reduce flash and memory use
2813AC_ARG_ENABLE([lowresource],
2814 [AS_HELP_STRING([--enable-lowresource],[Enable low resource options for memory/flash (default: disabled)])],
2815 [ ENABLED_LOWRESOURCE=$enableval ],
2816 [ ENABLED_LOWRESOURCE=no ]
2817 )
2818
2819if test "$ENABLED_LOWRESOURCE" = "yes"
2820then
2821 # low memory / flash flags
2822 AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE -DRSA_LOW_MEM -DCURVE25519_SMALL -DED25519_SMALL -DWOLFSSL_SMALL_CERT_VERIFY -DWOLFSSL_NO_ASYNC_IO"
2823
2824 # low flash flags
2825 AM_CFLAGS="$AM_CFLAGS -DUSE_SLOW_SHA -DUSE_SLOW_SHA256 -DUSE_SLOW_SHA512"
2826
2827 # AES small
2828 AM_CFLAGS="$AM_CFLAGS -DGCM_SMALL -DWOLFSSL_AES_NO_UNROLL -DWOLFSSL_AES_SMALL_TABLES"
2829fi
2830
2831
2832# TITAN cache
2833AC_ARG_ENABLE([titancache],
2834 [AS_HELP_STRING([--enable-titancache],[Enable titan session cache (default: disabled)])],
2835 [ ENABLED_TITANCACHE=$enableval ],
2836 [ ENABLED_TITANCACHE=no ]
2837 )
2838
2839if test "$ENABLED_TITANCACHE" = "yes"
2840then
2841 AM_CFLAGS="$AM_CFLAGS -DTITAN_SESSION_CACHE"
2842fi
2843
2844
2845# HUGE cache
2846AC_ARG_ENABLE([hugecache],
2847 [AS_HELP_STRING([--enable-hugecache],[Enable huge session cache (default: disabled)])],
2848 [ ENABLED_HUGECACHE=$enableval ],
2849 [ ENABLED_HUGECACHE=no ]
2850 )
2851
2852if test "$ENABLED_HUGECACHE" = "yes"
2853then
2854 AM_CFLAGS="$AM_CFLAGS -DHUGE_SESSION_CACHE"
2855fi
2856
2857
2858# big cache
2859AC_ARG_ENABLE([bigcache],
2860 [AS_HELP_STRING([--enable-bigcache],[Enable big session cache (default: disabled)])],
2861 [ ENABLED_BIGCACHE=$enableval ],
2862 [ ENABLED_BIGCACHE=no ]
2863 )
2864
2865if test "$ENABLED_BIGCACHE" = "yes"
2866then
2867 AM_CFLAGS="$AM_CFLAGS -DBIG_SESSION_CACHE"
2868fi
2869
2870
2871# SMALL cache
2872AC_ARG_ENABLE([smallcache],
2873 [AS_HELP_STRING([--enable-smallcache],[Enable small session cache (default: disabled)])],
2874 [ ENABLED_SMALLCACHE=$enableval ],
2875 [ ENABLED_SMALLCACHE=no ]
2876 )
2877
2878if test "$ENABLED_SMALLCACHE" = "yes"
2879then
2880 AM_CFLAGS="$AM_CFLAGS -DSMALL_SESSION_CACHE"
2881fi
2882
2883
2884# Persistent session cache
2885AC_ARG_ENABLE([savesession],
2886 [AS_HELP_STRING([--enable-savesession],[Enable persistent session cache (default: disabled)])],
2887 [ ENABLED_SAVESESSION=$enableval ],
2888 [ ENABLED_SAVESESSION=no ]
2889 )
2890
2891if test "$ENABLED_SAVESESSION" = "yes"
2892then
2893 AM_CFLAGS="$AM_CFLAGS -DPERSIST_SESSION_CACHE"
2894fi
2895
2896
2897# Persistent cert cache
2898AC_ARG_ENABLE([savecert],
2899 [AS_HELP_STRING([--enable-savecert],[Enable persistent cert cache (default: disabled)])],
2900 [ ENABLED_SAVECERT=$enableval ],
2901 [ ENABLED_SAVECERT=no ]
2902 )
2903
2904if test "$ENABLED_SAVECERT" = "yes"
2905then
2906 AM_CFLAGS="$AM_CFLAGS -DPERSIST_CERT_CACHE"
2907fi
2908
2909
2910# Write duplicate WOLFSSL object
2911AC_ARG_ENABLE([writedup],
2912 [AS_HELP_STRING([--enable-writedup],[Enable write duplication of WOLFSSL objects (default: disabled)])],
2913 [ ENABLED_WRITEDUP=$enableval ],
2914 [ ENABLED_WRITEDUP=no ]
2915 )
2916
2917if test "$ENABLED_WRITEDUP" = "yes"
2918then
2919 AM_CFLAGS="$AM_CFLAGS -DHAVE_WRITE_DUP"
2920fi
2921
2922
2923# Atomic User Record Layer
2924AC_ARG_ENABLE([atomicuser],
2925 [AS_HELP_STRING([--enable-atomicuser],[Enable Atomic User Record Layer (default: disabled)])],
2926 [ ENABLED_ATOMICUSER=$enableval ],
2927 [ ENABLED_ATOMICUSER=no ]
2928 )
2929
2930if test "$ENABLED_ATOMICUSER" = "yes"
2931then
2932 AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
2933fi
2934
2935
2936# Public Key Callbacks
2937AC_ARG_ENABLE([pkcallbacks],
2938 [AS_HELP_STRING([--enable-pkcallbacks],[Enable Public Key Callbacks (default: disabled)])],
2939 [ ENABLED_PKCALLBACKS=$enableval ],
2940 [ ENABLED_PKCALLBACKS=no ]
2941 )
2942
2943if test "$ENABLED_PKCALLBACKS" = "yes"
2944then
2945 AM_CFLAGS="$AM_CFLAGS -DHAVE_PK_CALLBACKS"
2946fi
2947
2948
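# Maxim Integrated MAXQ10XX
# --with-maxq10xx=PART accepts exactly two part numbers, MAXQ1065 and
# MAXQ108x. Each one adds the matching vendor API archive (a path relative
# to the build directory) to LIB_STATIC_ADD, defines the WOLFSSL_MAXQ* macro
# and probes librt for clock_gettime. Any other part number is fatal.
# --without-maxq10xx (value "no") leaves the feature disabled instead of
# being rejected as an invalid part number.
ENABLED_MAXQ10XX="no"
maxqpartnumber=""
AC_ARG_WITH([maxq10xx],
    [AS_HELP_STRING([--with-maxq10xx=PART],[MAXQ10XX PART Number])],
    [
        AS_IF([test "x$withval" != "xno"], [
            AC_MSG_CHECKING([for maxq10xx])

            # Read the part number
            maxqpartnumber=$withval

            if test "$maxqpartnumber" = "MAXQ1065"; then
                LIB_STATIC_ADD="$LIB_STATIC_ADD lib/libmaxq1065_api.a"
                AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAXQ1065"
                ENABLED_MAXQ10XX="yes"
                AC_CHECK_LIB([rt], [clock_gettime])
            elif test "$maxqpartnumber" = "MAXQ108x"; then
                LIB_STATIC_ADD="$LIB_STATIC_ADD lib/libmaxq108x_api.a"
                AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAXQ108X"
                ENABLED_MAXQ10XX="yes"
                AC_CHECK_LIB([rt], [clock_gettime])
            else
                AC_MSG_ERROR([need a valid MAXQ part number])
            fi

            AC_MSG_RESULT([yes])
        ])
    ]
)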
2977
# Microchip/Atmel secure elements.
# The option value is a comma-separated device list. Any value other than
# "no" defines WOLFSSL_MICROCHIP; the tokens 508, 608 and 100 each add their
# device define. Every other token, including a bare "yes", adds nothing and
# is not reported.
AC_ARG_ENABLE([microchip],
    [AS_HELP_STRING([--enable-microchip],[Enable wolfSSL support for microchip/atmel 508/608/100 (default: disabled)])],
    [ENABLED_ATMEL=$enableval],
    [ENABLED_ATMEL=no])

if test "$ENABLED_ATMEL" != "no"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MICROCHIP"

    for atmel_dev in `echo $ENABLED_ATMEL | tr "," " "`; do
        case $atmel_dev in
        508)
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC508A"
            ;;
        608)
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC608A"
            ;;
        100)
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MICROCHIP_TA100 -DMICROCHIP_DEV_TYPE=TA100"
            ;;
        esac
    done
fi
3005
3006
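# Microchip/Atmel CryptoAuthLib
# --with-cryptoauthlib[=PATH] locates CryptoAuthLib, first through
# pkg-config and then by probing PATH (or /usr and /usr/local when no PATH
# is given), and finally proves the result with a link test. It requires
# --enable-microchip and is fatal when the library cannot be found or linked.
#
# The search results are kept in cryptoauthlib_libdir/cryptoauthlib_incdir.
# They must not be stored in "libdir": that name is configure's own
# installation-directory variable, so assigning to it would silently change
# (or empty) the directory this package installs its libraries into.
ENABLED_CRYPTOAUTHLIB="no"
AC_ARG_WITH([cryptoauthlib],
    [AS_HELP_STRING([--with-cryptoauthlib=PATH],
        [PATH to CryptoAuthLib install (default: system paths)])],
    [with_cryptoauthlib=$withval],
    [with_cryptoauthlib=no])

AS_IF([test "x$with_cryptoauthlib" != "xno"], [
    AS_IF([test "x$ENABLED_ATMEL" = "xno"], [
        AC_MSG_ERROR([--with-cryptoauthlib requires --enable-microchip=<devices>.])
    ])
    AC_MSG_CHECKING([for CryptoAuthLib])

    cryptoauthlib_libdir=""
    cryptoauthlib_incdir=""
    cryptoauthlib_found="no"

    # Snapshot the toolchain flags so a failed probe can be rolled back.
    saved_LIBS="$LIBS"
    saved_LDFLAGS="$LDFLAGS"
    saved_CPPFLAGS="$CPPFLAGS"
    saved_CFLAGS="$CFLAGS"

    # Method 1: Try pkg-config first (most reliable)
    m4_ifdef([PKG_CHECK_MODULES], [
        PKG_CHECK_MODULES([CRYPTOAUTHLIB], [cryptoauthlib], [
            CPPFLAGS="$CRYPTOAUTHLIB_CFLAGS $CPPFLAGS"
            CFLAGS="$CRYPTOAUTHLIB_CFLAGS $CFLAGS"
            LIBS="$CRYPTOAUTHLIB_LIBS $LIBS"
            cryptoauthlib_found="pkg-config"
        ], [:])
    ])

    # Method 2: Manual search if pkg-config failed
    AS_IF([test "x$cryptoauthlib_found" = "xno"], [
        AS_IF([test "x$with_cryptoauthlib" = "xyes"], [
            search_dirs="/usr /usr/local"
        ], [
            search_dirs="$with_cryptoauthlib"
        ])

        for trylibatcadir in $search_dirs; do
            for try_libdir in "$trylibatcadir/lib" "$trylibatcadir/lib64"; do
                if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then
                    cryptoauthlib_libdir="$try_libdir"
                    break
                fi
            done

            # Debian multiarch layout. Run the same absolute path that was
            # just checked rather than whatever dpkg-architecture is first
            # on PATH.
            if test -z "$cryptoauthlib_libdir"; then
                if test -x /usr/bin/dpkg-architecture; then
                    DEB_HOST_MULTIARCH=`/usr/bin/dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`
                    if test -n "$DEB_HOST_MULTIARCH"; then
                        try_libdir="$trylibatcadir/lib/$DEB_HOST_MULTIARCH"
                        if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then
                            cryptoauthlib_libdir="$try_libdir"
                        fi
                    fi
                fi
            fi

            for try_incdir in "$trylibatcadir/include/cryptoauthlib" "$trylibatcadir/include"; do
                if test -f "$try_incdir/cryptoauthlib.h"; then
                    cryptoauthlib_incdir="$try_incdir"
                    break
                fi
            done

            # A prefix only counts when it supplies both library and header;
            # otherwise discard the partial match and try the next prefix.
            if test -n "$cryptoauthlib_libdir" && test -n "$cryptoauthlib_incdir"; then
                break
            fi
            cryptoauthlib_libdir=""
            cryptoauthlib_incdir=""
        done

        if test -n "$cryptoauthlib_libdir" && test -n "$cryptoauthlib_incdir"; then
            CPPFLAGS="-I$cryptoauthlib_incdir $CPPFLAGS"
            CFLAGS="-I$cryptoauthlib_incdir $CFLAGS"
            LDFLAGS="-L$cryptoauthlib_libdir $LDFLAGS"
            LIBS="-lcryptoauth $LIBS"
            cryptoauthlib_found="$cryptoauthlib_libdir"
        fi
    ])

    AS_IF([test "x$cryptoauthlib_found" != "xno"], [
        # The link test additionally gets -I for the wolfSSL source tree;
        # that include path is dropped again once the test has passed.
        wolfssl_include=""
        AS_IF([test -f "${srcdir}/wolfssl/wolfcrypt/types.h"], [
            wolfssl_include="-I${srcdir}"
        ], [test -f "${srcdir}/wolfssl.h"], [
            wolfssl_include="-I${srcdir}"
        ])

        test_CPPFLAGS="$wolfssl_include $CPPFLAGS"
        test_CFLAGS="$wolfssl_include $CFLAGS"

        saved_test_CPPFLAGS="$CPPFLAGS"
        saved_test_CFLAGS="$CFLAGS"
        CPPFLAGS="$test_CPPFLAGS"
        CFLAGS="$test_CFLAGS"

        AC_LINK_IFELSE([AC_LANG_PROGRAM(
            [[#include <cryptoauthlib.h>]],
            [[atcab_init(0); return 0;]])],
        [
            ENABLED_CRYPTOAUTHLIB="yes"
            AC_MSG_RESULT([yes ($cryptoauthlib_found)])
            AC_DEFINE([HAVE_CRYPTOAUTHLIB], [1], [CryptoAuthLib support])
            CPPFLAGS="$saved_test_CPPFLAGS"
            CFLAGS="$saved_test_CFLAGS"
        ],
        [
            LIBS="$saved_LIBS"
            LDFLAGS="$saved_LDFLAGS"
            CPPFLAGS="$saved_CPPFLAGS"
            CFLAGS="$saved_CFLAGS"
            AC_MSG_RESULT([no - compilation failed])
            AC_MSG_ERROR([CryptoAuthLib found but compilation check failed. Check config.log for details.])
        ])
    ], [
        AC_MSG_RESULT([no - library not found])
        AC_MSG_ERROR([CryptoAuthLib not found. Install it or specify path with --with-cryptoauthlib=/path])
    ])
])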
3130
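# TropicSquare TROPIC01
# Example: "./configure --with-tropic01=/home/pi/libtropic"
# PATH is a libtropic tree that already contains build/libtropic.a; a bare
# --with-tropic01 looks in the relative directory "libtropic". On success the
# libtropic and trezor_crypto archives are added to LIB_STATIC_ADD, the
# include path is added, and the build is forced to static-only.
# --without-tropic01 (value "no") leaves the feature disabled instead of
# failing the library probe.
ENABLED_TROPIC01="no"
trylibtropicdir=""
AC_ARG_WITH([tropic01],
    [AS_HELP_STRING([--with-tropic01=PATH],[PATH to libtropic tree (default: libtropic)])],
    [
        AS_IF([test "x$withval" != "xno"], [
            AC_MSG_CHECKING([for libtropic])
            if test "x$withval" = "xyes"; then
                trylibtropicdir="libtropic"
            else
                trylibtropicdir=$withval
            fi
            # Quoted so that a path containing spaces is tested as one word.
            if test -e "$trylibtropicdir/build/libtropic.a"; then
                LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a"
                LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a"
                AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include"
            else
                AC_MSG_ERROR([Could not find libtropic - TropicSquare library])
            fi
            enable_shared=no
            enable_static=yes
            ENABLED_TROPIC01="yes"
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01"
            AC_MSG_RESULT([yes])
        ])
    ]
)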
3161
3162
# STMicro STSAFE-A100 / STSAFE-A120
# Example: "./configure --enable-stsafe=a120"
# The value is validated against a closed list: "yes" is an alias for a100
# and is rewritten to it, a120 selects the other SDK, and any other value
# stops configure with an error.
ENABLED_STSAFE="no"
AC_ARG_ENABLE([stsafe],
    [AS_HELP_STRING([--enable-stsafe@<:@=a100|a120@:>@],
        [Enable STMicro STSAFE secure-element support. Variant selects the SDK:
         a100 (legacy STSAFE-A1xx SDK, default) or a120 (STSELib).])],
    [ENABLED_STSAFE=$enableval],
    [ENABLED_STSAFE=no])

AS_CASE(["$ENABLED_STSAFE"],
    [no], [],
    [yes|a100], [
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STSAFE -DWOLFSSL_STSAFEA100"
        ENABLED_STSAFE="a100"
    ],
    [a120], [
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STSAFE -DWOLFSSL_STSAFEA120"
    ],
    [AC_MSG_ERROR([Invalid --enable-stsafe value '$ENABLED_STSAFE'; use a100 or a120])])
3180
3181
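# NXP SE050
# Example: "./configure --with-se050=/home/pi/simw_top"
# The probe first tries to link against -lSSS_APIs -lex_common from the
# default search paths. Only when that fails is PATH (or /usr/local for a
# bare --with-se050) added to the include and library search paths; the
# static archives under PATH/build are preferred when present, otherwise the
# link test is repeated and a failure is fatal.
# --without-se050 (value "no") leaves the feature disabled: it no longer
# appends the SE050 libraries to LIBS or enables SE050 when they happen to be
# linkable from system paths.
# NOTE(review): the AES-direct and no-SHA512/224-256 defines are only added
# on the path where the first link test fails - confirm that a system-wide
# install is meant to build without them.
ENABLED_SE050="no"
trylibse050dir=""
AC_ARG_WITH([se050],
    [AS_HELP_STRING([--with-se050=PATH],[PATH to SE050 install (default /usr/local)])],
    [
        AS_IF([test "x$withval" != "xno"], [
            AC_MSG_CHECKING([for SE050])

            LIBS="$LIBS -lSSS_APIs -lex_common"
            AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0);]])],[ libse050_linked=yes ],[ libse050_linked=no ])

            if test "x$libse050_linked" = "xno" ; then
                if test "x$withval" = "xyes" ; then
                    trylibse050dir="/usr/local"
                else
                    trylibse050dir=$withval
                fi
                LDFLAGS="$LDFLAGS -L$trylibse050dir/lib"
                LDFLAGS="$LDFLAGS -L$trylibse050dir/build/sss"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/include/se05x"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/build"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/inc"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/ex/inc"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/port/default"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/inc"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/log"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/infra"
                CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/se05x_03_xx_xx"

                if test -e "$trylibse050dir/build/sss/libSSS_APIs.a"; then
                    SE050_STATIC=yes
                else
                    SE050_STATIC=no
                fi
                if test "x$SE050_STATIC" = "xyes"; then
                    LIB_STATIC_ADD="$trylibse050dir/build/sss/ex/src/libex_common.a \
                        $trylibse050dir/build/sss/libSSS_APIs.a \
                        $trylibse050dir/build/hostlib/hostLib/se05x/libse05x.a \
                        $trylibse050dir/build/hostlib/hostLib/liba7x_utils.a \
                        $trylibse050dir/build/hostlib/hostLib/libCommon/log/libmwlog.a \
                        $trylibse050dir/build/hostlib/hostLib/libCommon/libsmCom.a $LIB_STATIC_ADD"
                else
                    AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ])
                    if test "x$libse050_linked" = "xno" ; then
                        AC_MSG_ERROR([SE050 isn't found.
                        If it's already installed, specify its path using --with-se050=/dir/])
                    fi
                fi

                # Requires AES direct
                AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"

                # Does not support SHA2-512 224/256
                AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"

                AC_MSG_RESULT([yes])
            else
                AC_MSG_RESULT([yes])
            fi

            ENABLED_SE050="yes"
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SE050 -DSSS_USE_FTR_FILE"
        ])
    ]
)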
3248
# Sniffer support. ENABLED_SNIFFER is set outside this stanza; when it is
# "yes" the sniffer and static-ephemeral defines are added, and the sniffer
# test is enabled only if the pcap header is present.
# NOTE(review): WOLFSSL_STATIC_EPHEMERAL presumably enables static ephemeral
# keys - confirm the forward-secrecy impact before shipping such a build.
ENABLED_SNIFFTEST=no
AS_IF([test "x$ENABLED_SNIFFER" = "xyes"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SNIFFER -DWOLFSSL_STATIC_EPHEMERAL"
    AC_CHECK_HEADERS([pcap/pcap.h],
        [ENABLED_SNIFFTEST=yes],
        [AC_MSG_WARN([cannot enable sniffer test without having libpcap available.])])
])
3258
3259
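# AES-ECB
# Off unless requested: the fallback value is "no", so the help text states
# "default: disabled" to match. Any value other than "no" enables it.
# ECB encrypts equal plaintext blocks to equal ciphertext blocks, so it is
# normally wanted only as a building block for other modes.
AC_ARG_ENABLE([aesecb],
    [AS_HELP_STRING([--enable-aesecb],[Enable wolfSSL AES-ECB support (default: disabled)])],
    [ ENABLED_AESECB=$enableval ],
    [ ENABLED_AESECB=no ]
    )

if test "$ENABLED_AESECB" != "no"
then
    # The define goes to both the C and the assembler flag sets.
    AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_ECB"
    AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AES_ECB"
fi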
3272
# AES-CBC
# On by default; only an explicit "no" adds -DNO_AES_CBC, to both the C and
# the assembler flag sets.
AC_ARG_ENABLE([aescbc],
    [AS_HELP_STRING([--enable-aescbc],[Enable wolfSSL AES-CBC support (default: enabled)])],
    [ENABLED_AESCBC=$enableval],
    [ENABLED_AESCBC=yes])

AS_IF([test "$ENABLED_AESCBC" = "no"], [
    AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"
    AM_CCASFLAGS="$AM_CCASFLAGS -DNO_AES_CBC"
])
3285
# AES-CBC length checks (checks that input lengths are multiples of block size)
# Off by default, so the validation is opt-in: only the exact value "yes"
# adds -DWOLFSSL_AES_CBC_LENGTH_CHECKS.
AC_ARG_ENABLE([aescbc_length_checks],
    [AS_HELP_STRING([--enable-aescbc-length-checks],[Enable AES-CBC length validity checks (default: disabled)])],
    [ENABLED_AESCBC_LENGTH_CHECKS=$enableval],
    [ENABLED_AESCBC_LENGTH_CHECKS=no])

AS_IF([test "$ENABLED_AESCBC_LENGTH_CHECKS" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CBC_LENGTH_CHECKS"])
3297
# leanpsk and leantls don't need gcm

# AES-GCM
# ENABLED_AESGCM defaults to yes and ENABLED_AESGCM_STREAM (streaming APIs)
# to no. This stanza only settles the variables; it adds no compiler flags.
AC_ARG_ENABLE([aesgcm],
    [AS_HELP_STRING([--enable-aesgcm],[Enable wolfSSL AES-GCM support (default: enabled)])],
    [ENABLED_AESGCM=$enableval],
    [ENABLED_AESGCM=yes])
AC_ARG_ENABLE([aesgcm-stream],
    [AS_HELP_STRING([--enable-aesgcm-stream],[Enable wolfSSL AES-GCM support with streaming APIs (default: disabled)])],
    [ENABLED_AESGCM_STREAM=$enableval],
    [ENABLED_AESGCM_STREAM=no])

# GCM is forced off for FIPS_VERSION "rand", for leanpsk, and for leantls
# without TLS 1.3. This overrides an explicit --enable-aesgcm.
AS_IF([test "$FIPS_VERSION" = "rand" || test "$ENABLED_LEANPSK" = "yes" ||
       { test "$ENABLED_LEANTLS" = "yes" && test "$ENABLED_TLS13" = "no"; }],
    [ENABLED_AESGCM=no])

# A plain "yes" is rewritten to the value "4bit".
AS_IF([test "$ENABLED_AESGCM" = "yes"],
    [ENABLED_AESGCM="4bit"])
3323
3324
# AES-CCM
# Off by default. The define is added when the option is "yes" or when
# ENABLED_WOLFENGINE is "yes", to both the C and the assembler flag sets.
AC_ARG_ENABLE([aesccm],
    [AS_HELP_STRING([--enable-aesccm],[Enable wolfSSL AES-CCM support (default: disabled)])],
    [ENABLED_AESCCM=$enableval],
    [ENABLED_AESCCM=no])

AS_IF([test "$ENABLED_AESCCM" = "yes" || test "$ENABLED_WOLFENGINE" = "yes"], [
    AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"
    AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESCCM"
])
3337
# AES-EAX
# Off by default; only the exact value "yes" adds -DWOLFSSL_AES_EAX.
AC_ARG_ENABLE([aeseax],
    [AS_HELP_STRING([--enable-aeseax],[Enable wolfSSL AES-EAX support (default: disabled)])],
    [ENABLED_AESEAX=$enableval],
    [ENABLED_AESEAX=no])

AS_IF([test "$ENABLED_AESEAX" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_EAX"])
3349
# AES-SIV (RFC 5297)
# Off by default, but forced on whenever ENABLED_CHRONY is "yes", even after
# an explicit --disable-aessiv. No compiler flag is added in this stanza.
AC_ARG_ENABLE([aessiv],
    [AS_HELP_STRING([--enable-aessiv],[Enable AES-SIV (RFC 5297) (default: disabled)])],
    [ENABLED_AESSIV=$enableval],
    [ENABLED_AESSIV=no])

AS_IF([test "$ENABLED_CHRONY" = "yes"],
    [ENABLED_AESSIV=yes])
3361
# AES-CTR
# Off by default, but forced on when any feature that depends on it is
# enabled: OpenVPN, libssh2, AES-SIV, wolfEngine, AES-EAX or QUIC.
# No compiler flag is added in this stanza.
AC_ARG_ENABLE([aesctr],
    [AS_HELP_STRING([--enable-aesctr],[Enable wolfSSL AES-CTR support (default: disabled)])],
    [ENABLED_AESCTR=$enableval],
    [ENABLED_AESCTR=no])

AS_IF([test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_LIBSSH2" = "yes" ||
       test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" ||
       test "$ENABLED_AESEAX" = "yes" || test "$ENABLED_QUIC" = "yes"],
    [ENABLED_AESCTR=yes])
3377
# AES-OFB
# Off by default. Enabling it also defines WOLFSSL_AES_DIRECT.
AC_ARG_ENABLE([aesofb],
    [AS_HELP_STRING([--enable-aesofb],[Enable wolfSSL AES-OFB support (default: disabled)])],
    [ENABLED_AESOFB=$enableval],
    [ENABLED_AESOFB=no])

AS_IF([test "$ENABLED_AESOFB" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB -DWOLFSSL_AES_DIRECT"])
3389
3390
# AES-CFB
# Off by default; only the exact value "yes" adds -DWOLFSSL_AES_CFB.
AC_ARG_ENABLE([aescfb],
    [AS_HELP_STRING([--enable-aescfb],[Enable wolfSSL AES-CFB support (default: disabled)])],
    [ENABLED_AESCFB=$enableval],
    [ENABLED_AESCFB=no])

AS_IF([test "$ENABLED_AESCFB" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
3402
# Bitsliced AES implementation. Off by default; enabling it also defines
# HAVE_AES_ECB and WOLFSSL_AES_DIRECT.
AC_ARG_ENABLE([aes-bitsliced],
    [AS_HELP_STRING([--enable-aes-bitsliced],[Enable bitsliced implementation of AES (default: disabled)])],
    [ENABLED_AESBS=$enableval],
    [ENABLED_AESBS=no])

AS_IF([test "$ENABLED_AESBS" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWC_AES_BITSLICED -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"])
3413
# SM4
# Five per-mode options (ECB, CBC, CTR, GCM, CCM), all off by default and all
# handled the same way: the value "small" additionally defines
# WOLFSSL_SM4_SMALL, and any value other than "no" defines the mode macro and
# sets ENABLED_SM4. WOLFSSL_SM4 itself is defined once at the end if at least
# one mode was enabled.
ENABLED_SM4="no"

AC_ARG_ENABLE([sm4-ecb],
    [AS_HELP_STRING([--enable-sm4-ecb],[Enable wolfSSL SM4-ECB support (default: disabled)])],
    [ENABLED_SM4_ECB=$enableval],
    [ENABLED_SM4_ECB=no])

AS_IF([test "$ENABLED_SM4_ECB" = "small"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"])
AS_IF([test "$ENABLED_SM4_ECB" != "no"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_ECB"
    ENABLED_SM4="yes"
])

AC_ARG_ENABLE([sm4-cbc],
    [AS_HELP_STRING([--enable-sm4-cbc],[Enable wolfSSL SM4-CBC support (default: disabled)])],
    [ENABLED_SM4_CBC=$enableval],
    [ENABLED_SM4_CBC=no])

AS_IF([test "$ENABLED_SM4_CBC" = "small"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"])
AS_IF([test "$ENABLED_SM4_CBC" != "no"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_CBC"
    ENABLED_SM4="yes"
])

AC_ARG_ENABLE([sm4-ctr],
    [AS_HELP_STRING([--enable-sm4-ctr],[Enable wolfSSL SM4-CTR support (default: disabled)])],
    [ENABLED_SM4_CTR=$enableval],
    [ENABLED_SM4_CTR=no])

AS_IF([test "$ENABLED_SM4_CTR" = "small"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"])
AS_IF([test "$ENABLED_SM4_CTR" != "no"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_CTR"
    ENABLED_SM4="yes"
])

AC_ARG_ENABLE([sm4-gcm],
    [AS_HELP_STRING([--enable-sm4-gcm],[Enable wolfSSL SM4-GCM support (default: disabled)])],
    [ENABLED_SM4_GCM=$enableval],
    [ENABLED_SM4_GCM=no])

AS_IF([test "$ENABLED_SM4_GCM" = "small"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"])
AS_IF([test "$ENABLED_SM4_GCM" != "no"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_GCM"
    ENABLED_SM4="yes"
])

AC_ARG_ENABLE([sm4-ccm],
    [AS_HELP_STRING([--enable-sm4-ccm],[Enable wolfSSL SM4-CCM support (default: disabled)])],
    [ENABLED_SM4_CCM=$enableval],
    [ENABLED_SM4_CCM=no])

AS_IF([test "$ENABLED_SM4_CCM" = "small"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_SMALL"])
AS_IF([test "$ENABLED_SM4_CCM" != "no"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4_CCM"
    ENABLED_SM4="yes"
])

AS_IF([test "$ENABLED_SM4" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM4"])
3500
3501
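ENABLED_ARMASM_CRYPTO="unknown"
ENABLED_ARMASM_INLINE="no"
ENABLED_ARMASM_SHA256_SMALL="no"
ENABLED_ARMASM_SHA3="unknown"
ENABLED_ARMASM_CRYPTO_SM4="no"
# ARM Assembly
# Both SHA3 and SHA512 instructions available with ARMV8.2-a
#
# The option value is a comma-separated list of sub-options. Each one is
# checked against host_cpu and only records a choice in an ENABLED_ARMASM_*
# variable; the compiler flags are derived further down from host_cpu and
# host_os, unless the user already put -mcpu/-mfpu into CPPFLAGS.
# The whole stanza is skipped unless ENABLED_ASM is "yes".
# NOTE(review): ENABLED_ARMASM_PLUS, _SM3, _SM4, _BARRIER_SB, _BARRIER_DETECT,
# _AES_BLOCK_INLINE and _NEON get no initial value in this stanza, so a value
# inherited from the environment would be honoured - confirm they are
# initialised elsewhere in the file.
AC_ARG_ENABLE([armasm],
    [AS_HELP_STRING([--enable-armasm],[Enable wolfSSL ARMv8 ASM support (default: disabled). Set to sha512-crypto or sha3-crypto to use SHA512 and SHA3 instructions with Aarch64 CPU.])],
    [ ENABLED_ARMASM=$enableval ],
    [ ENABLED_ARMASM=no ]
    )
if test "$ENABLED_ARMASM" != "no" && test "$ENABLED_ASM" = "yes"
then

    for v in `echo $ENABLED_ARMASM | tr "," " "`
    do
        case $v in
        yes)
            ;;
        inline)
            ENABLED_ARMASM_INLINE=yes
            ;;
        no-crypto)
            ENABLED_ARMASM_CRYPTO=no
            ;;
        sha256-small)
            case $host_cpu in
            *arm*)
                ;;
            *)
                AC_MSG_ERROR([SHA256 small option only available on 32-bit ARM CPU.])
                break;;
            esac
            ENABLED_ARMASM_SHA256_SMALL=yes
            ;;
        sha512-crypto | sha3-crypto)
            case $host_cpu in
            *aarch64*)
                ;;
            *)
                AC_MSG_ERROR([SHA512/SHA3 instructions only available on Aarch64 CPU.])
                break;;
            esac
            ENABLED_ARMASM_SHA3=yes
            ENABLED_ARMASM_PLUS=yes
            ;;
        no-sha512-crypto | no-sha3-crypto)
            case $host_cpu in
            *aarch64*)
                ;;
            *)
                AC_MSG_ERROR([SHA512/SHA3 instructions only available on Aarch64 CPU.])
                break;;
            esac
            ENABLED_ARMASM_SHA3=no
            ;;
        sm4)
            case $host_cpu in
            *aarch64*)
                ;;
            *)
                AC_MSG_ERROR([SM4 instructions only available on Aarch64 CPU.])
                break;;
            esac
            ENABLED_ARMASM_SM4=yes
            # gcc requires -march=...+sm4 to enable SM4 instructions
            ENABLED_ARMASM_CRYPTO_SM4=yes
            ENABLED_ARMASM_PLUS=yes
            ;;
        sm3)
            case $host_cpu in
            *aarch64*)
                ;;
            *)
                AC_MSG_ERROR([SM3 instructions only available on Aarch64 CPU.])
                break;;
            esac
            ENABLED_ARMASM_SM3=yes
            # gcc requires -march=...+sm4 to enable SM3 instructions
            ENABLED_ARMASM_CRYPTO_SM4=yes
            ENABLED_ARMASM_PLUS=yes
            ;;
        barrier-sb)
            case $host_cpu in
            *aarch64*)
                ;;
            *)
                AC_MSG_ERROR([SB instructions only available on Aarch64 v8.5+ CPU.])
                break;;
            esac
            ENABLED_ARMASM_BARRIER_SB=yes
            ;;
        barrier-detect)
            case $host_cpu in
            *aarch64*)
                ;;
            *)
                AC_MSG_ERROR([SB instructions only available on Aarch64 v8.5+ CPU.])
                break;;
            esac
            ENABLED_ARMASM_BARRIER_DETECT=yes
            ;;
        aes-block-dup)
            case $host_cpu in
            *arm*)
                ;;
            *)
                AC_MSG_ERROR([AES assembly option only available on 32-bit ARM CPU.])
                break;;
            esac
            ENABLED_ARMASM_AES_BLOCK_INLINE=yes
            ;;
        *)
            # Unknown sub-option: fatal on ARM hosts. On any other host_cpu
            # the inner case matches nothing and the loop just stops, so the
            # remaining sub-options are dropped without a message.
            case $host_cpu in
            *aarch64*)
                AC_MSG_ERROR([Invalid choice of ARM asm inclusions (yes, inline, no-crypto, sha512-crypto, sha3-crypto, no-sha512-crypto, no-sha3-crypto, barrier-sb, barrier-detect): $ENABLED_ARMASM.])
                break;;
            *arm*)
                AC_MSG_ERROR([Invalid choice of ARM asm inclusions (yes, inline, no-crypto, sha256-small, aes-block-dup): $ENABLED_ARMASM.])
                break;;
            esac
            break;;
        esac
    done
    ENABLED_ARMASM="yes"

    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM"
    #Check if mcpu and mfpu values already set if not use default
    case $CPPFLAGS in
    *mcpu* | *mfpu*)
        # Do not override user set values. This case sits outside the loop
        # above, so the arm is left empty: a "break" here has no loop to
        # leave and only makes the shell print a diagnostic.
        ;;
    *)
        case $host_cpu in
        *aarch64*)
            case $host_os in
            *darwin*)
                # Turn it on unless explicitly turned off.
                if test "$ENABLED_ARMASM_SHA3" = "unknown"; then
                    ENABLED_ARMASM_SHA3="yes"
                fi
                ;;
            *)
                # +crypto needed for hardware acceleration
                if test "$ENABLED_ARMASM_PLUS" = "yes"; then
                    AM_CPPFLAGS="$AM_CPPFLAGS -march=armv8.2-a+crypto"
                    # The +sha3/+sm4 suffixes are appended without a space so
                    # that they extend the -march value just added.
                    if test "$ENABLED_ARMASM_SHA3" = "yes"; then
                        AM_CPPFLAGS="$AM_CPPFLAGS+sha3"
                    fi
                    if test "$ENABLED_ARMASM_CRYPTO_SM4" = "yes"; then
                        AM_CPPFLAGS="$AM_CPPFLAGS+sm4"
                    fi
                else
                    AM_CPPFLAGS="$AM_CPPFLAGS -mcpu=generic+crypto -DWOLFSSL_AARCH64_NO_SQRDMLSH"
                fi
                ;;
            esac
            # Include options.h
            AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
            if test "$ENABLED_ARMASM_CRYPTO" = "unknown"; then
                ENABLED_ARMASM_CRYPTO=yes
            fi
            ENABLED_ARMASM_NEON=yes
            ENABLED_ARM_64=yes

            # Check for and set -mstrict-align compiler flag
            # Used to set assumption that Aarch64 systems will not handle
            # unaligned memory references. The flag -mstrict-align is needed
            # on some compiler versions to avoid an invalid addressing mode
            # error with "m" constraint variables in the inline assembly AES
            # code. Even though unaligned load/store access is permitted on
            # normal memory with Cortex-A series boards with the exception
            # being exclusive and ordered access.
            case $CPPFLAGS in
            *mstrict-align*)
                # already set by user; no loop to break out of here either
                ;;
            *)
                AM_CPPFLAGS="$AM_CPPFLAGS -mstrict-align"
                AC_MSG_NOTICE([64bit ARMv8, setting -mstrict-align]);;
            esac
            AC_MSG_NOTICE([64bit ARMv8 found, setting mcpu to generic+crypto])
            ;;
        armv7a* | armv7l*)
            AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-a -mfpu=neon -DWOLFSSL_ARM_ARCH=7 -marm"
            # Include options.h
            AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
            ENABLED_ARMASM_CRYPTO=no
            ENABLED_ARMASM_NEON=yes
            ENABLED_ARM_32=yes
            AC_MSG_NOTICE([32bit ARMv7-a found, setting mfpu to neon])
            if test "$ENABLED_FIPS" != "no" ||
                    test "$HAVE_FIPS_VERSION_MAJOR" -ge 5;
            then
                # Use inline ASM with FIPS because of known "issue" with the
                # assembly code
                ENABLED_ARMASM_INLINE=yes
                AC_MSG_NOTICE([32bit ARMv7-a found, setting inline for FIPS])
            fi
            ;;
        armv7m*)
            # QEMU doesn't work with armv7-m
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_THUMB2"
            AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-r -DWOLFSSL_ARMASM_THUMB2 -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARM_ARCH=7"
            # Include options.h
            AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
            ENABLED_ARMASM_CRYPTO=no
            ENABLED_ARMASM_NEON=no
            ENABLED_ARM_THUMB=yes
            ENABLED_ARM_32=yes
            AC_MSG_NOTICE([32bit ARMv7-m found])
            if test "$ENABLED_FIPS" != "no" ||
                    test "$HAVE_FIPS_VERSION_MAJOR" -ge 5;
            then
                # Use inline ASM with FIPS because of known "issue" with the
                # assembly code
                ENABLED_ARMASM_INLINE=yes
                AC_MSG_NOTICE([32bit ARMv7-m found, setting inline for FIPS])
            fi
            ;;
        armv6*)
            AM_CPPFLAGS="$AM_CPPFLAGS -march=armv6 -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARM_ARCH=6"
            AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
            ENABLED_ARMASM_CRYPTO=no
            ENABLED_ARMASM_NEON=no
            ENABLED_ARM_32=yes
            AC_MSG_NOTICE([32bit ARMv6 found])
            ;;
        armv4*)
            AM_CPPFLAGS="$AM_CPPFLAGS -march=armv4 -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARM_ARCH=4"
            AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
            ENABLED_ARMASM_CRYPTO=no
            ENABLED_ARMASM_NEON=no
            ENABLED_ARM_32=yes
            AC_MSG_NOTICE([32bit ARMv4 found])
            ;;
        *)
            # Every other host_cpu is treated as 32-bit ARMv8 with crypto.
            AM_CPPFLAGS="$AM_CPPFLAGS -mfpu=crypto-neon-fp-armv8 -marm"
            # Include options.h
            AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
            ENABLED_ARMASM_CRYPTO=yes
            ENABLED_ARMASM_NEON=yes
            ENABLED_ARM_32=yes
            AC_MSG_NOTICE([32bit ARMv8 found, setting mfpu to crypto-neon-fp-armv8])
            ;;
        esac
    esac
fi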
3750
# Turn the ARM asm choices recorded above into preprocessor defines.
# Order matters for the two "unknown" defaults: SHA3 is resolved to "no"
# only after its flag test, and CRYPTO is resolved to "no" before its flag
# test, so an unresolved CRYPTO ends up defining WOLFSSL_ARMASM_NO_HW_CRYPTO.
AS_IF([test "$ENABLED_ARMASM_SHA256_SMALL" = "yes"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_SHA256_SMALL"
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM_SHA256_SMALL"
])
AS_IF([test "$ENABLED_ARMASM_SHA3" = "yes"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_CRYPTO_SHA512 -DWOLFSSL_ARMASM_CRYPTO_SHA3"
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM_CRYPTO_SHA512 -DWOLFSSL_ARMASM_CRYPTO_SHA3"
])
AS_IF([test "$ENABLED_ARMASM_SHA3" = "unknown"],
    [ENABLED_ARMASM_SHA3="no"])
AS_IF([test "$ENABLED_ARMASM_SM3" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_CRYPTO_SM3"])
AS_IF([test "$ENABLED_ARMASM_SM4" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_CRYPTO_SM4"])
AS_IF([test "$ENABLED_ARMASM_BARRIER_SB" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_BARRIER_SB"])
AS_IF([test "$ENABLED_ARMASM_BARRIER_DETECT" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_BARRIER_DETECT"])
AS_IF([test "$ENABLED_ARMASM_CRYPTO" = "unknown"],
    [ENABLED_ARMASM_CRYPTO=no])
AS_IF([test "$ENABLED_ARMASM_CRYPTO" = "no"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_NO_HW_CRYPTO"])
AS_IF([test "$ENABLED_ARMASM_NEON" = "no"], [
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_NO_NEON"
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ARMASM_NO_NEON"
])

AS_IF([test "$ENABLED_ARMASM_INLINE" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_INLINE"])
AS_IF([test "$ENABLED_ARMASM_AES_BLOCK_INLINE" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_AES_BLOCK_INLINE"])
3791
# RISC-V Assembly
# The option value is a comma-separated list of ISA extension names. Any
# value other than "no" defines WOLFSSL_RISCV_ASM, provided ENABLED_ASM is
# "yes". Each recognised extension then adds its own define; an unrecognised
# token is fatal.
# NOTE(review): the extension loop below is not guarded by ENABLED_ASM, so
# extension defines are added even when assembly is disabled - confirm that
# this is intended.
AC_ARG_ENABLE([riscv-asm],
    [AS_HELP_STRING([--enable-riscv-asm],[Enable wolfSSL RISC-V ASM support (default: disabled).])],
    [ENABLED_RISCV_ASM=$enableval],
    [ENABLED_RISCV_ASM=no])
if test "$ENABLED_RISCV_ASM" != "no" && test "$ENABLED_ASM" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_ASM"
    AC_MSG_NOTICE([64bit RISC-V assembly for AES])
fi

# Iterate over a copy, because the loop body rewrites ENABLED_RISCV_ASM.
ENABLED_RISCV_ASM_OPTS=$ENABLED_RISCV_ASM
for riscv_ext in `echo $ENABLED_RISCV_ASM_OPTS | tr "," " "`; do
    case $riscv_ext in
    yes)
        ;;
    no)
        ;;
    zbb)
        # REV8
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BASE_BIT_MANIPULATION"
        ;;
    zbc|zbkc)
        # CLMUL, CLMULH
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_CARRYLESS"
        ;;
    zbkb)
        # PACK, REV8
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BIT_MANIPULATION"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BASE_BIT_MANIPULATION"
        ;;
    zbt)
        # FSL, FSR, FSRI, CMOV, CMIX - QEMU doesn't know about these instructions
        # Unlike the other extensions this one does not set
        # ENABLED_RISCV_ASM, and it is not listed in the error text below.
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BIT_MANIPULATION_TERNARY"
        ;;
    zkn|zkned)
        # AES encrypt/decrypt, SHA-2
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_SCALAR_CRYPTO_ASM"
        ;;
    zv)
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR"
        ;;
    zvbb|zvkb)
        # VBREV8
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_BASE_BIT_MANIPULATION"
        ;;
    zvbc)
        # VCLMUL, VCLMULH
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_CARRYLESS"
        ;;
    zvkg)
        # VGMUL, VHHSH
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_GCM"
        ;;
    zvkned)
        # Vector AES, SHA-2
        ENABLED_RISCV_ASM=yes
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_VECTOR_CRYPTO_ASM"
        ;;
    *)
        AC_MSG_ERROR([Invalid RISC-V option [yes,zbkb,zbb,zbc,zbkc,zkn,zkned,zv,zvkg,zvbc,zvbb,zvkb,zvkned]: $ENABLED_RISCV_ASM.])
        break
        ;;
    esac
done
3867
3868
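# PPC32 Assembly
# The option value is a comma-separated list: yes, inline, inline-reg, small
# and spe are accepted; any other token is fatal. The stanza only takes
# effect when ENABLED_ASM is "yes".
AC_ARG_ENABLE([ppc32-asm],
    [AS_HELP_STRING([--enable-ppc32-asm],[Enable wolfSSL PowerPC 32-bit ASM support (default: disabled).])],
    [ ENABLED_PPC32_ASM=$enableval ],
    [ ENABLED_PPC32_ASM=no ]
    )


if test "$ENABLED_PPC32_ASM" != "no" && test "$ENABLED_ASM" = "yes"
then
    ENABLED_PPC32_ASM_OPTS=$ENABLED_PPC32_ASM
    for v in `echo $ENABLED_PPC32_ASM_OPTS | tr "," " "`
    do
        case $v in
        yes)
            ;;
        inline)
            ENABLED_PPC32_ASM_INLINE=yes
            ;;
        inline-reg)
            ENABLED_PPC32_ASM_INLINE_REG=yes
            ;;
        small)
            ENABLED_PPC32_ASM_SMALL=yes
            ;;
        spe)
            ENABLED_PPC32_ASM_SPE=yes
            ;;
        *)
            # The message names this option and every accepted token; it
            # previously said RISC-V and left out inline-reg and spe.
            AC_MSG_ERROR([Invalid PowerPC 32-bit ASM option (yes, inline, inline-reg, small, spe): $ENABLED_PPC32_ASM.])
            break
            ;;
        esac
    done

    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM"
    AC_MSG_NOTICE([32-bit PowerPC assembly for SHA-256])
    ENABLED_PPC32_ASM=yes
fi
# NOTE(review): this test sits outside the block above, so its else branch
# adds -DWOLFSSL_PPC32_ASM to AM_CCASFLAGS on every build that does not use
# the inline variants, including builds where PPC32 asm is disabled - confirm
# that this is intended.
if test "$ENABLED_PPC32_ASM_INLINE" = "yes" || test "$ENABLED_PPC32_ASM_INLINE_REG" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM_INLINE"
else
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_PPC32_ASM"
fi
if test "$ENABLED_PPC32_ASM_SMALL" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM_SMALL"
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_PPC32_ASM_SMALL"
fi
if test "$ENABLED_PPC32_ASM_SPE" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PPC32_ASM_SPE"
    AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_PPC32_ASM_SPE"
fi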
3921
# Xilinx hardened crypto
# Off by default; "yes" defines both WOLFSSL_XILINX and WOLFSSL_XILINX_CRYPT.
AC_ARG_ENABLE([xilinx],
    [AS_HELP_STRING([--enable-xilinx],[Enable wolfSSL support for Xilinx hardened crypto(default: disabled)])],
    [ENABLED_XILINX=$enableval],
    [ENABLED_XILINX=no])
AS_IF([test "$ENABLED_XILINX" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_XILINX -DWOLFSSL_XILINX_CRYPT"])
3932
3933
# CAAM build
# --with-seco=PATH only records the SECO install prefix in trylibsecodir
# (initial value /usr); the prefix is consumed by the "seco" entry of
# --enable-caam. Nothing is probed here and the "checking for SECO" line is
# printed without a result. A bare --with-seco stores the literal value
# "yes" as the prefix.
trylibsecodir="/usr"
AC_ARG_WITH([seco],
    [AS_HELP_STRING([--with-seco=PATH],[PATH to SECO install (default /usr/lib/)])],
    [
        AC_MSG_CHECKING([for SECO])

        AS_IF([test "x$withval" != "xno"],
            [trylibsecodir=$withval])
    ]
)
3946
# ARIA support through the MagicCrypto library.
# The include and library paths are relative (MagicCrypto/include and
# MagicCrypto/lib), so the library is taken from whatever directory of that
# name sits in the build directory; the three mcapi headers must be found
# or configure stops.
AC_ARG_ENABLE([aria],
    [AS_HELP_STRING([--enable-aria],[Enable wolfSSL support for ARIA (default: disabled)])],
    [ENABLED_ARIA=$enableval],
    [ENABLED_ARIA=no])
if test "$ENABLED_ARIA" = "yes"; then
    ARIA_DIR=MagicCrypto
    # Enable dependency
    CFLAGS="$CFLAGS -I$ARIA_DIR/include"
    AM_CFLAGS="$AM_CFLAGS -DHAVE_ARIA"
    AM_LDFLAGS="$AM_LDFLAGS -L$ARIA_DIR/lib -lMagicCrypto"
    # Captured only for the error message below.
    build_pwd="$(pwd)"
    headers="mcapi_error.h mcapi_type.h mcapi.h"
    for header in $headers; do
        AC_CHECK_HEADER([$header], [], [
            AC_MSG_ERROR([Error including $header. Please put the MagicCrypto library in $build_pwd.])
        ], [
            extern int dummy_int_to_make_compiler_happy;
        ])
    done
fi
3970
# CAAM support.
# The option value is a comma-separated platform list. Any value other than
# "no" defines WOLFSSL_CAAM; qnx, imx6q, imx6ul and seco each add their own
# settings, and every other token (including a bare "yes") adds nothing.
# The seco entry takes headers and static archives from the prefix recorded
# in trylibsecodir and links zlib.
AC_ARG_ENABLE([caam],
    [AS_HELP_STRING([--enable-caam],[Enable wolfSSL support for CAAM (default: disabled)])],
    [ENABLED_CAAM=$enableval],
    [ENABLED_CAAM=no])

if test "$ENABLED_CAAM" != "no"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CAAM"

    for caam_target in `echo $ENABLED_CAAM | tr "," " "`; do
        case $caam_target in
        qnx)
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QNX_CAAM"
            ENABLED_CAAM_QNX="yes"
            ;;

        imx6q)
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IMX6Q_CAAM"
            ;;

        imx6ul)
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IMX6UL_CAAM"
            ;;

        seco)
            SECO_DIR=$trylibsecodir
            AM_CPPFLAGS="$AM_CPPFLAGS -I$SECO_DIR/include"
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CAAM -DWOLFSSL_SECO_CAAM"

            AC_CHECK_LIB([hsm_lib],[hsm_open_session])
            AC_CHECK_LIB([seco_nvm_manager],[seco_nvm_manager])
            LIB_STATIC_ADD="$LIB_STATIC_ADD $SECO_DIR/lib/hsm_lib.a $SECO_DIR/lib/seco_nvm_manager.a"
            LIB_ADD="$LIB_ADD -lz"
            ;;

        esac
    done
fi
4011
# INTEL AES-NI
AC_ARG_ENABLE([aesni],
    [AS_HELP_STRING([--enable-aesni],[Enable wolfSSL AES-NI support (default: disabled)])],
    [ENABLED_AESNI=$enableval],
    [ENABLED_AESNI=no])

# INTEL AES-NI with AVX
AC_ARG_ENABLE([aesni-with-avx],
    [AS_HELP_STRING([--enable-aesni-with-avx],[Enable AES-NI with additional AVX acceleration for AES (default: disabled)])],
    [ENABLED_AESNI_WITH_AVX=$enableval],
    [ENABLED_AESNI_WITH_AVX=no])

# INTEL ASM
AC_ARG_ENABLE([intelasm],
    [AS_HELP_STRING([--enable-intelasm],[Enable All Intel ASM speedups (default: disabled)])],
    [ENABLED_INTELASM=$enableval],
    [ENABLED_INTELASM=no])

# None of the three options has any effect unless ENABLED_ASM is "yes".
if test "$ENABLED_ASM" = "yes"; then
    # --enable-aesni=small selects the non-unrolled GCM code and then counts
    # as a plain "yes".
    if test "$ENABLED_AESNI" = "small"; then
        AM_CFLAGS="$AM_CFLAGS -DAES_GCM_AESNI_NO_UNROLL"
        ENABLED_AESNI=yes
    fi

    # intelasm implies aesni and aesni-with-avx; aesni-with-avx alone
    # implies aesni.
    if test "$ENABLED_INTELASM" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DUSE_INTEL_SPEEDUP"
        ENABLED_AESNI=yes
        ENABLED_AESNI_WITH_AVX=yes
    elif test "$ENABLED_AESNI_WITH_AVX" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DUSE_INTEL_SPEEDUP_FOR_AES"
        ENABLED_AESNI=yes
    fi

    if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI"
        if test "$KERNEL_MODE_DEFAULTS" = "yes"; then
            AM_CFLAGS="$AM_CFLAGS -DWC_C_DYNAMIC_FALLBACK"
        fi
        # The -m instruction-set flags are skipped when CC is exactly "icc".
        if test "$CC" != "icc"; then
            case $host_os in
            mingw*)
                # Windows uses intrinsics for GCM which uses SSE4 instructions.
                # MSVC has own build files.
                AM_CFLAGS="$AM_CFLAGS -maes -msse4 -mpclmul"
                ;;
            *)
                # Intrinsics used in AES_set_decrypt_key (TODO: rework)
                AM_CFLAGS="$AM_CFLAGS -maes"
                ;;
            esac
        fi
        # Mirror the feature selection into the assembler flags.
        AS_IF([test "x$ENABLED_AESGCM" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
        AS_IF([test "x$ENABLED_SM3" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SM3"])
    fi

    # Tell the assembler sources which x86 flavour is being built.
    if test "$host_cpu" = "x86_64" || test "$host_cpu" = "amd64"; then
        AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_X86_64_BUILD"
    fi
    if test "$host_cpu" = "x86"; then
        AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_X86_BUILD"
        ENABLED_X86_ASM=yes
    fi
fi
4087AC_SUBST([ENABLED_AESNI])
4088AC_SUBST([ENABLED_AESNI_WITH_AVX])
4089
4090AC_ARG_ENABLE([aligndata],
4091 [AS_HELP_STRING([--enable-aligndata],[align data for ciphers (default: enabled)])],
4092 [ ENABLED_ALIGN_DATA=$enableval ],
4093 [ ENABLED_ALIGN_DATA=yes ]
4094 )
4095
4096if test "$ENABLED_ALIGN_DATA" = "yes"
4097then
4098 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_USE_ALIGN"
4099fi
4100
# Hardware RNG sources. Each switch in this group only adds a preprocessor
# define; how the library's RNG uses the instruction is decided in the C
# sources, not here.

# INTEL RDRAND
AC_ARG_ENABLE([intelrand],
    [AS_HELP_STRING([--enable-intelrand],[Enable Intel rdrand as preferred RNG source (default: disabled)])],
    [ ENABLED_INTELRDRAND=$enableval ],
    [ ENABLED_INTELRDRAND=no ]
    )

AS_IF([test "$ENABLED_INTELRDRAND" = "yes"],
      [AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDRAND"])

# INTEL RDSEED
AC_ARG_ENABLE([intelrdseed],
    [AS_HELP_STRING([--enable-intelrdseed],[Enable Intel rdseed as preferred RNG seeding source (default: disabled)])],
    [ ENABLED_INTELRDSEED=$enableval ],
    [ ENABLED_INTELRDSEED=no ]
    )

AS_IF([test "$ENABLED_INTELRDSEED" = "yes"],
      [AM_CFLAGS="$AM_CFLAGS -DHAVE_INTEL_RDSEED"])

# AMD RDSEED
AC_ARG_ENABLE([amdrdseed],
    [AS_HELP_STRING([--enable-amdrdseed],[Enable AMD rdseed as preferred RNG seeding source (default: disabled)])],
    [ ENABLED_AMDRDSEED=$enableval ],
    [ ENABLED_AMDRDSEED=no ]
    )

# The alias has no default branch: it changes ENABLED_AMDRDSEED only when it is
# given on the command line, and it wins over --enable-amdrdseed because it is
# evaluated second.
AC_ARG_ENABLE([amdrand],
    [AS_HELP_STRING([--enable-amdrand],[Alias for --enable-amdrdseed])],
    [ ENABLED_AMDRDSEED=$enableval ]
    )

AS_IF([test "$ENABLED_AMDRDSEED" = "yes"],
      [AM_CFLAGS="$AM_CFLAGS -DHAVE_AMD_RDSEED"])
4141
4142
# Linux af_alg
AC_ARG_ENABLE([afalg],
    [AS_HELP_STRING([--enable-afalg],[Enable Linux af_alg use for crypto (default: disabled)])],
    [ ENABLED_AFALG=$enableval ],
    [ ENABLED_AFALG=no ]
    )

# Accepted values are yes and four Xilinx selections. Each Xilinx selection is
# folded back to yes after its own defines are added, so it does not pick up
# WOLFSSL_AFALG or WOLFSSL_AFALG_HASH from the yes arm. Any other value adds
# nothing and is left unchanged.
case "$ENABLED_AFALG" in
    yes)
        AS_IF([test "$ENABLED_AESCCM" = "yes"],
              [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"])
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG -DWOLFSSL_AFALG_HASH"
        ;;
    xilinx)
        # AES, SHA-3 and RSA offload; only the 384-bit SHA-3 variant stays on.
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX -DWOLFSSL_AFALG_XILINX_AES -DWOLFSSL_AFALG_XILINX_SHA3 -DWOLFSSL_AFALG_XILINX_RSA -DWOLFSSL_NOSHA3_224 -DWOLFSSL_NOSHA3_256 -DWOLFSSL_NOSHA3_512"
        ENABLED_AFALG="yes"
        ENABLED_XILINX="yes"
        ;;
    xilinx-aes)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX -DWOLFSSL_AFALG_XILINX_AES"
        ENABLED_AFALG="yes"
        ENABLED_XILINX="yes"
        ;;
    xilinx-sha3)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX -DWOLFSSL_AFALG_XILINX_SHA3 -DWOLFSSL_NOSHA3_224 -DWOLFSSL_NOSHA3_256 -DWOLFSSL_NOSHA3_512"
        ENABLED_AFALG="yes"
        ENABLED_XILINX="yes"
        ;;
    xilinx-rsa)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_XILINX -DWOLFSSL_AFALG_XILINX_RSA"
        ENABLED_AFALG="yes"
        ENABLED_XILINX="yes"
        ;;
esac
4192
4193
4194# libkcapi
4195
4196AC_ARG_ENABLE([kcapi-hash],
4197 [AS_HELP_STRING([--enable-kcapi-hash],[Enable libkcapi use for hashing (default: disabled)])],
4198 [ ENABLED_KCAPI_HASH=$enableval ],
4199 [ ENABLED_KCAPI_HASH=no ]
4200 )
4201
4202AC_ARG_ENABLE([kcapi-hmac],
4203 [AS_HELP_STRING([--enable-kcapi-hmac],[Enable libkcapi use for HMAC (default: disabled)])],
4204 [ ENABLED_KCAPI_HMAC=$enableval ],
4205 [ ENABLED_KCAPI_HMAC=no ]
4206 )
4207
4208AC_ARG_ENABLE([kcapi-aes],
4209 [AS_HELP_STRING([--enable-kcapi-aes],[Enable libkcapi use for AES (default: disabled)])],
4210 [ ENABLED_KCAPI_AES=$enableval ],
4211 [ ENABLED_KCAPI_AES=no ]
4212 )
4213
4214AC_ARG_ENABLE([kcapi-rsa],
4215 [AS_HELP_STRING([--enable-kcapi-rsa],[Enable libkcapi use for RSA (default: disabled)])],
4216 [ ENABLED_KCAPI_RSA=$enableval ],
4217 [ ENABLED_KCAPI_RSA=no ]
4218 )
4219
4220AC_ARG_ENABLE([kcapi-dh],
4221 [AS_HELP_STRING([--enable-kcapi-dh],[Enable libkcapi use for DH (default: disabled)])],
4222 [ ENABLED_KCAPI_DH=$enableval ],
4223 [ ENABLED_KCAPI_DH=no ]
4224 )
4225
4226AC_ARG_ENABLE([kcapi-ecc],
4227 [AS_HELP_STRING([--enable-kcapi-ecc],[Enable libkcapi use for ECC (default: disabled)])],
4228 [ ENABLED_KCAPI_ECC=$enableval ],
4229 [ ENABLED_KCAPI_ECC=no ]
4230 )
4231
# Umbrella option for libkcapi.
AC_ARG_ENABLE([kcapi],
    [AS_HELP_STRING([--enable-kcapi],[Enable libkcapi use for crypto (default: disabled)])],
    [ ENABLED_KCAPI=$enableval ],
    [ ENABLED_KCAPI=no ]
    )

# The umbrella option switches on every per-algorithm option that was not
# explicitly disabled on the command line.
AS_IF([test "$ENABLED_KCAPI" = "yes"], [
    test "$enable_kcapi_hash" != "no" && ENABLED_KCAPI_HASH=yes
    test "$enable_kcapi_hmac" != "no" && ENABLED_KCAPI_HMAC=yes
    test "$enable_kcapi_aes" != "no" && ENABLED_KCAPI_AES=yes
    test "$enable_kcapi_rsa" != "no" && ENABLED_KCAPI_RSA=yes
    test "$enable_kcapi_dh" != "no" && ENABLED_KCAPI_DH=yes
    test "$enable_kcapi_ecc" != "no" && ENABLED_KCAPI_ECC=yes
])

# Link libkcapi as soon as any per-algorithm option is something other than no.
# NOTE(review): the library is added to LIBS without a probe for its presence
# in this section, so a missing libkcapi would only surface at link time.
AS_IF([test "$ENABLED_KCAPI_HASH" != "no" ||
       test "$ENABLED_KCAPI_HMAC" != "no" ||
       test "$ENABLED_KCAPI_AES" != "no" ||
       test "$ENABLED_KCAPI_RSA" != "no" ||
       test "$ENABLED_KCAPI_DH" != "no" ||
       test "$ENABLED_KCAPI_ECC" != "no"], [
    LIBS="$LIBS -lkcapi"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI"
])
4258
4259if test "$ENABLED_KCAPI_HASH" = "yes"
4260then
4261 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH -DWOLFSSL_KCAPI_HASH_KEEP"
4262 # Linux Kernel doesn't support truncated SHA512 algorithms
4263 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
4264fi
4265
4266if test "$ENABLED_KCAPI_HMAC" = "yes"
4267then
4268 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HMAC"
4269fi
4270
4271if test "$ENABLED_KCAPI_AES" = "yes"
4272then
4273 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
4274 HAVE_AESGCM_PORT=yes
4275 if test "$ENABLED_AESCCM" = "yes"
4276 then
4277 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
4278 fi
4279
4280 if test "$ENABLED_AESGCM_STREAM" = "yes"
4281 then
4282 AC_MSG_ERROR([--enable-aesgcm-stream is incompatible with --enable-kcapi.])
4283 fi
4284fi
4285
4286if test "$ENABLED_KCAPI_RSA" = "yes"
4287then
4288 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_RSA"
4289fi
4290
4291if test "$ENABLED_KCAPI_DH" = "yes"
4292then
4293 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_DH -DWOLFSSL_DH_EXTRA"
4294fi
4295
4296if test "$ENABLED_KCAPI_ECC" = "yes"
4297then
4298 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_ECC"
4299fi
4300
4301
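# Support for Linux dev/crypto calls
AC_ARG_ENABLE([devcrypto],
    [AS_HELP_STRING([--enable-devcrypto],[Enable Linux dev crypto calls: all | aes (all aes support) | hash (all hash algos) | cbc (aes-cbc only) | hmac | rsa | seco (default: disabled)])],
    [ ENABLED_DEVCRYPTO=$enableval ],
    [ ENABLED_DEVCRYPTO=no ]
    )

# Map the selection to defines. Every accepted selection is folded to yes so
# that later tests only have to tell yes from no. An unrecognised value is
# rejected: it would add no define at all, yet stay different from no and so
# still influence later tests on ENABLED_DEVCRYPTO.
case "$ENABLED_DEVCRYPTO" in
    no)
        ;;
    yes|all)
        # enable all devcrypto supported algorithms
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
        if test "$ENABLED_AESCCM" = "yes"
        then
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
        fi
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
        ENABLED_DEVCRYPTO=yes
        ;;
    aes)
        # enable all AES support, CBC included, but no hash offload
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
        if test "$ENABLED_AESCCM" = "yes"
        then
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
        fi
        ENABLED_DEVCRYPTO=yes
        ;;
    cbc)
        # enable only AES-CBC algorithm support
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
        ENABLED_DEVCRYPTO=yes
        ;;
    hash)
        # enable only hash algorithm support
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
        ENABLED_DEVCRYPTO=yes
        ;;
    hmac)
        # enable only hmac algorithm support
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HMAC"
        ENABLED_DEVCRYPTO=yes
        ;;
    rsa)
        # enable only rsa algorithm support
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_RSA"
        ENABLED_DEVCRYPTO=yes
        ;;
    seco)
        # enable support of devcrypto for algos not supported with seco
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HMAC"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_RSA"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CURVE25519"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_ECDSA"
        ENABLED_DEVCRYPTO=yes
        ;;
    *)
        AC_MSG_ERROR([Invalid --enable-devcrypto value: $ENABLED_DEVCRYPTO. Use all, aes, hash, cbc, hmac, rsa or seco.])
        ;;
esac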
4374
4375
4376# Camellia
4377AC_ARG_ENABLE([camellia],
4378 [AS_HELP_STRING([--enable-camellia],[Enable wolfSSL Camellia support (default: disabled)])],
4379 [ ENABLED_CAMELLIA=$enableval ],
4380 [ ENABLED_CAMELLIA=no ]
4381 )
4382
4383if test "$ENABLED_CAMELLIA" = "yes"
4384then
4385 AM_CFLAGS="$AM_CFLAGS -DHAVE_CAMELLIA"
4386fi
4387
4388
# MD2. Off by default; MD2 was moved to Historic status by RFC 6149, so it
# should only be enabled for interoperability with legacy data.
AC_ARG_ENABLE([md2],
    [AS_HELP_STRING([--enable-md2],[Enable wolfSSL MD2 support (default: disabled)])],
    [ ENABLED_MD2=$enableval ],
    [ ENABLED_MD2=no ]
    )

# A BUMP build turns MD2 on regardless of the option above, which means
# --disable-md2 has no effect in that configuration.
AS_IF([test "$ENABLED_BUMP" = "yes"], [ENABLED_MD2="yes"])

AS_IF([test "$ENABLED_MD2" = "yes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MD2"])
4405
4406
# NULL CIPHER. Off by default. NULL cipher suites authenticate records but do
# not encrypt them; presumably HAVE_NULL_CIPHER is what compiles those suites
# in, so a build with this option can negotiate connections without
# confidentiality.
AC_ARG_ENABLE([nullcipher],
    [AS_HELP_STRING([--enable-nullcipher],[Enable wolfSSL NULL cipher support (default: disabled)])],
    [ ENABLED_NULL_CIPHER=$enableval ],
    [ ENABLED_NULL_CIPHER=no ]
    )

AS_IF([test "$ENABLED_NULL_CIPHER" = "yes"],
      [AM_CFLAGS="$AM_CFLAGS -DHAVE_NULL_CIPHER"])
4418
4419# RIPEMD
4420AC_ARG_ENABLE([ripemd],
4421 [AS_HELP_STRING([--enable-ripemd],[Enable wolfSSL RIPEMD-160 support (default: disabled)])],
4422 [ ENABLED_RIPEMD=$enableval ],
4423 [ ENABLED_RIPEMD=no ]
4424 )
4425
4426if test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno"
4427then
4428 ENABLED_RIPEMD="yes"
4429fi
4430
4431if test "$ENABLED_RIPEMD" = "yes"
4432then
4433 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RIPEMD"
4434fi
4435
4436
4437# BLAKE2
4438AC_ARG_ENABLE([blake2b],
4439 [AS_HELP_STRING([--enable-blake2b],[Enable wolfSSL BLAKE2b support (default: disabled)])],
4440 [ ENABLED_BLAKE2B=$enableval ],
4441 [ ENABLED_BLAKE2B=no ]
4442 )
4443
4444# Backward-compat synonym for blake2b:
4445AC_ARG_ENABLE([blake2],
4446 [AS_HELP_STRING([--enable-blake2],[Enable wolfSSL BLAKE2b support (default: disabled)])],
4447 [ ENABLED_BLAKE2B=$enableval ]
4448 )
4449
4450if test "$ENABLED_BLAKE2B" = "yes"
4451then
4452 AM_CFLAGS="$AM_CFLAGS -DHAVE_BLAKE2B"
4453fi
4454
4455
4456AC_ARG_ENABLE([blake2s],
4457 [AS_HELP_STRING([--enable-blake2s],[Enable wolfSSL BLAKE2s support (default: disabled)])],
4458 [ ENABLED_BLAKE2S=$enableval ],
4459 [ ENABLED_BLAKE2S=no ]
4460 )
4461
4462if test "$ENABLED_BLAKE2S" = "yes"
4463then
4464 AM_CFLAGS="$AM_CFLAGS -DHAVE_BLAKE2S"
4465fi
4466
4467
4468# SHA256
4469AC_ARG_ENABLE([sha256],
4470 [AS_HELP_STRING([--enable-sha256],[Enable wolfSSL SHA256 support (default: enabled)])],
4471 [ ENABLED_SHA256=$enableval ],
4472 [ ENABLED_SHA256=yes ]
4473 )
4474
4475if test "$ENABLED_SHA256" = "no"
4476then
4477 AM_CFLAGS="$AM_CFLAGS -DNO_SHA256"
4478fi
4479
4480
4481# set sha224 default
4482SHA224_DEFAULT=no
4483if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
4484then
4485 if test "x$ENABLED_AFALG" = "xno" && test "x$ENABLED_DEVCRYPTO" = "xno" &&
4486 ( test "x$ENABLED_FIPS" = "xno" ||
4487 ( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" != 1 ) )
4488 then
4489 SHA224_DEFAULT=$ENABLED_SHA256
4490 fi
4491fi
4492
4493# SHA224
4494AC_ARG_ENABLE([sha224],
4495 [AS_HELP_STRING([--enable-sha224],[Enable wolfSSL SHA-224 support (default: enabled on x86_64/amd64/aarch64)])],
4496 [ ENABLED_SHA224=$enableval ],
4497 [ ENABLED_SHA224=$SHA224_DEFAULT ]
4498 )
4499
4500if test "$ENABLED_SHA224" = "yes"
4501then
4502 if test "$ENABLED_SHA256" = "no"
4503 then
4504 AC_MSG_ERROR([Enabling SHA224 requires enabling SHA256.])
4505 fi
4506 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"
4507fi
4508
4509
4510# set sha3 default
4511SHA3_DEFAULT=no
4512if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" ||
4513 test "$host_cpu" = "amd64")
4514then
4515 if test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" -ge 2
4516 then
4517 SHA3_DEFAULT=yes
4518 fi
4519fi
4520
4521# SHA3
4522AC_ARG_ENABLE([sha3],
4523 [AS_HELP_STRING([--enable-sha3],[Enable wolfSSL SHA-3 support (default: enabled on x86_64/amd64/aarch64)])],
4524 [ ENABLED_SHA3=$enableval ],
4525 [ ENABLED_SHA3=$SHA3_DEFAULT ]
4526 )
4527
4528if test "$ENABLED_SHA3" = "small"
4529then
4530 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3_SMALL"
4531fi
4532
4533if test "$ENABLED_SHA3" = "noasm"
4534then
4535 ENABLED_SHA3=yes
4536 AM_CFLAGS="$AM_CFLAGS -DWC_SHA3_NO_ASM"
4537fi
4538
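# Default for both SHAKE options: on when SHA-3 is on and the build is either
# non-FIPS or FIPS version 6 or later. The numeric FIPS test is only reached
# when ENABLED_FIPS is something other than no.
if test "$ENABLED_SHA3" != "no" &&
   (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6)
then
    SHAKE_DEFAULT=yes
else
    SHAKE_DEFAULT=no
fi

# SHAKE128
AC_ARG_ENABLE([shake128],
    [AS_HELP_STRING([--enable-shake128],[Enable wolfSSL SHAKE128 support (default: enabled with SHA-3 unless FIPS older than v6)])],
    [ ENABLED_SHAKE128=$enableval ],
    [ ENABLED_SHAKE128=$SHAKE_DEFAULT ]
    )

# MLKEM requires SHAKE128. Force-enable when MLKEM is enabled.
# Anything other than an explicit no counts as enabled here, an unset
# ENABLED_MLKEM included, and the override also applies when SHAKE128 is off
# only because of the default above.
# NOTE(review): this can turn SHAKE128 on while ENABLED_SHA3 is no; confirm
# that combination is resolved elsewhere in the file.
if test "$ENABLED_MLKEM" != "no"
then
    if test "$ENABLED_SHAKE128" = "no"
    then
        AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake128 to enable SHAKE128])
        ENABLED_SHAKE128=yes
    fi
fi

# SHAKE256
AC_ARG_ENABLE([shake256],
    [AS_HELP_STRING([--enable-shake256],[Enable wolfSSL SHAKE256 support (default: enabled with SHA-3 unless FIPS older than v6)])],
    [ ENABLED_SHAKE256=$enableval ],
    [ ENABLED_SHAKE256=$SHAKE_DEFAULT ]
    )

# MLKEM requires SHAKE256. Force-enable when MLKEM is enabled.
# Same rule as for SHAKE128 above.
if test "$ENABLED_MLKEM" != "no"
then
    if test "$ENABLED_SHAKE256" = "no"
    then
        AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-shake256 to enable SHAKE256])
        ENABLED_SHAKE256=yes
    fi
fi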
4580
4581# SHA512
4582AC_ARG_ENABLE([sha512],
4583 [AS_HELP_STRING([--enable-sha512],[Enable wolfSSL SHA-512 support (default: enabled)])],
4584 [ ENABLED_SHA512=$enableval ],
4585 [ ENABLED_SHA512=yes ]
4586 )
4587
4588# options that don't require sha512
4589if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_16BIT" = "yes"
4590then
4591 ENABLED_SHA512="no"
4592fi
4593
4594# options that require sha512
4595if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes"
4596then
4597 ENABLED_SHA512="yes"
4598 ENABLED_SHA384="yes"
4599fi
4600
4601if test "$ENABLED_SHA512" = "yes"
4602then
4603 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512"
4604fi
4605
# Hash DRBG variants (SP 800-90A). Both are sub-options of hashdrbg and both
# default to enabled.

# SHA-256 Hash DRBG
AC_ARG_ENABLE([sha256-drbg],
    [AS_HELP_STRING([--enable-sha256-drbg],[Enable SHA-256 Hash DRBG (default: enabled)])],
    [ ENABLED_SHA256_DRBG=$enableval ],
    [ ENABLED_SHA256_DRBG=yes ]
    )

# SHA-512 Hash DRBG
AC_ARG_ENABLE([sha512-drbg],
    [AS_HELP_STRING([--enable-sha512-drbg],[Enable SHA-512 Hash DRBG (default: enabled)])],
    [ ENABLED_SHA512_DRBG=$enableval ],
    [ ENABLED_SHA512_DRBG=yes ]
    )

# The SHA-512 DRBG cannot exist without SHA-512, so it is dropped whenever
# SHA-512 is not exactly yes, even if it was requested explicitly.
# NOTE(review): this section has no matching check of the SHA-256 DRBG against
# ENABLED_SHA256; confirm that case is handled elsewhere.
AS_IF([test "$ENABLED_SHA512" != "yes"], [ENABLED_SHA512_DRBG=no])
4625
4626# SHA384
4627AC_ARG_ENABLE([sha384],
4628 [AS_HELP_STRING([--enable-sha384],[Enable wolfSSL SHA-384 support (default: enabled)])],
4629 [ ENABLED_SHA384=$enableval ],
4630 [ ENABLED_SHA384=yes ]
4631 )
4632
4633# options that don't require sha384
4634if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_16BIT" = "yes"
4635then
4636 ENABLED_SHA384="no"
4637fi
4638
4639# options that require sha384
4640if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes"
4641then
4642 ENABLED_SHA384="yes"
4643fi
4644if test "$ENABLED_SHA384" = "yes"
4645then
4646 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA384"
4647fi
4648
4649
4650# SM3
4651AC_ARG_ENABLE([sm3],
4652 [AS_HELP_STRING([--enable-sm3],[Enable wolfSSL SM3 support (default: disabled)])],
4653 [ ENABLED_SM3=$enableval ],
4654 [ ENABLED_SM3=no ]
4655 )
4656
4657if test "$ENABLED_SM3" = "small"
4658then
4659 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM3_SMALL"
4660fi
4661if test "$ENABLED_SM3" != "no"
4662then
4663 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM3"
4664fi
4665
# SESSION CERTS
AC_ARG_ENABLE([sessioncerts],
    [AS_HELP_STRING([--enable-sessioncerts],[Enable session cert storing (default: disabled)])],
    [ ENABLED_SESSIONCERTS=$enableval ],
    [ ENABLED_SESSIONCERTS=no ]
    )

# The listed integrations force the option on, overriding an explicit
# --disable-sessioncerts.
AS_IF([test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" ||
       test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" ||
       test "x$ENABLED_STRONGSWAN" = "xyes" || test "x$ENABLED_HITCH" = "xyes" ||
       test "x$ENABLED_MOSQUITTO" = "xyes"],
      [ENABLED_SESSIONCERTS=yes])

# TLS 1.3 together with PSK forces it on as well.
AS_IF([test "$ENABLED_TLS13" = "yes" && test "$ENABLED_PSK" = "yes"],
      [ENABLED_SESSIONCERTS=yes])

AS_IF([test "$ENABLED_SESSIONCERTS" = "yes"],
      [AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"])
4688
4689
# KEY GENERATION
AC_ARG_ENABLE([keygen],
    [AS_HELP_STRING([--enable-keygen],[Enable key generation (only applies to RSA key generation) (default: disabled)])],
    [ ENABLED_KEYGEN=$enableval ],
    [ ENABLED_KEYGEN=no ]
    )

# The listed integrations and the SE050 port force key generation on, even
# after an explicit --disable-keygen. No define is added in this section;
# ENABLED_KEYGEN is presumably consumed further down the file.
AS_IF([test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" = "yes" ||
       test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_OPENRESTY" = "yes" ||
       test "$ENABLED_NGINX" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" ||
       test "$ENABLED_STRONGSWAN" = "yes" || test "$ENABLED_SE050" = "yes"],
      [ENABLED_KEYGEN=yes])
4704
4705# ATTRIBUTE CERTIFICATES
4706AC_ARG_ENABLE([acert],
4707 [AS_HELP_STRING([--enable-acert],[Enable attribute certificate support (default: disabled)])],
4708 [ ENABLED_ACERT=$enableval ],
4709 [ ENABLED_ACERT=no ]
4710 )
4711
4712# CERT GENERATION
4713AC_ARG_ENABLE([certgen],
4714 [AS_HELP_STRING([--enable-certgen],[Enable cert generation (default: disabled)])],
4715 [ ENABLED_CERTGEN=$enableval ],
4716 [ ENABLED_CERTGEN=no ]
4717 )
4718if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_OPENSSH" = "yes" || \
4719 test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" = "yes" || \
4720 test "$ENABLED_CHRONY" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
4721 test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
4722then
4723 ENABLED_CERTGEN=yes
4724fi
4725
4726# CERT REQUEST GENERATION
4727AC_ARG_ENABLE([certreq],
4728 [AS_HELP_STRING([--enable-certreq],[Enable cert request generation (default: disabled)])],
4729 [ ENABLED_CERTREQ=$enableval ],
4730 [ ENABLED_CERTREQ=no ]
4731 )
4732
4733if test "$ENABLED_WPAS_DPP" = "yes"
4734then
4735 ENABLED_CERTREQ="yes"
4736fi
4737
4738# CERT REQUEST EXTENSION
4739AC_ARG_ENABLE([certext],
4740 [AS_HELP_STRING([--enable-certext],[Enable cert request extensions (default: disabled)])],
4741 [ ENABLED_CERTEXT=$enableval ],
4742 [ ENABLED_CERTEXT=no ]
4743 )
4744if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_STRONGSWAN" = "yes"
4745then
4746 ENABLED_CERTEXT=yes
4747fi
4748
4749
4750# DECODED CERT CACHE
4751AC_ARG_ENABLE([certgencache],
4752 [AS_HELP_STRING([--enable-certgencache],[Enable decoded cert caching (default: disabled)])],
4753 [ ENABLED_certgencache=$enableval ],
4754 [ ENABLED_certgencache=no ]
4755 )
4756
4757if test "$ENABLED_certgencache" = "yes"
4758then
4759 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN_CACHE"
4760fi
4761
4762
4763# CERT SIGN CALLBACK
4764AC_ARG_ENABLE([certsigncb],
4765 [AS_HELP_STRING([--enable-certsigncb],[Enable cert signing callback API for TPM/HSM (default: disabled)])],
4766 [ ENABLED_CERTSIGNCB=$enableval ],
4767 [ ENABLED_CERTSIGNCB=no ]
4768 )
4769
4770if test "$ENABLED_CERTSIGNCB" = "yes"
4771then
4772 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_SIGN_CB"
4773fi
4774
4775
4776# SEP
4777AC_ARG_ENABLE([sep],
4778 [AS_HELP_STRING([--enable-sep],[Enable sep extensions (default: disabled)])],
4779 [ ENABLED_SEP=$enableval ],
4780 [ ENABLED_SEP=no ]
4781 )
4782if test "$ENABLED_SEP" = "yes"
4783then
4784 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEP -DKEEP_PEER_CERT"
4785fi
4786
4787
4788# HKDF
4789AC_ARG_ENABLE([hkdf],
4790 [AS_HELP_STRING([--enable-hkdf],[Enable HKDF (HMAC-KDF) support (default: disabled)])],
4791 [ ENABLED_HKDF=$enableval ],
4792 [ ENABLED_HKDF=no ]
4793 )
4794if test "$ENABLED_TLS13" = "yes"
4795then
4796 ENABLED_HKDF="yes"
4797fi
4798if test "$ENABLED_HKDF" = "yes"
4799then
4800 AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"
4801fi
4802
4803
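# HPKE
AC_ARG_ENABLE([hpke],
    [AS_HELP_STRING([--enable-hpke],[Enable HPKE support (default: disabled)])],
    [ ENABLED_HPKE=$enableval ],
    [ ENABLED_HPKE=no ]
    )
if test "$ENABLED_HPKE" = "yes"
then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_HPKE"

    # HPKE pulls in HKDF unless the user made an explicit choice for it. The
    # hkdf option has already been evaluated above this point, so setting
    # enable_hkdf alone no longer changes ENABLED_HKDF or adds its define;
    # apply the result here as well, once.
    if test "$enable_hkdf" = ""
    then
        enable_hkdf=yes
        if test "$ENABLED_HKDF" != "yes"
        then
            ENABLED_HKDF=yes
            AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"
        fi
    fi
fi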
4816
4817# X9.63 KDF
4818AC_ARG_ENABLE([x963kdf],
4819 [AS_HELP_STRING([--enable-x963kdf],[Enable X9.63 KDF support (default: disabled)])],
4820 [ ENABLED_X963KDF=$enableval ],
4821 [ ENABLED_X963KDF=no ]
4822 )
4823if test "$ENABLED_X963KDF" = "yes" || test "$ENABLED_WOLFENGINE" = "yes"
4824then
4825 AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF"
4826fi
4827
4828# SRTP-KDF
4829AC_ARG_ENABLE([srtp-kdf],
4830 [AS_HELP_STRING([--enable-srtp-kdf],[Enable SRTP-KDF support (default: disabled)])],
4831 [ ENABLED_SRTP_KDF=$enableval ],
4832 [ ENABLED_SRTP_KDF=no ]
4833 )
4834
# DSA
AC_ARG_ENABLE([dsa],
    [AS_HELP_STRING([--enable-dsa],[Enable DSA (default: disabled)])],
    [ ENABLED_DSA=$enableval ],
    [ ENABLED_DSA=no ]
    )

# When the user made no explicit choice for DSA and did not pass --disable-sha,
# the integrations below switch DSA on. OpenSSH only does so in a non-FIPS
# build. An explicit --disable-dsa is respected.
AS_IF([test "$enable_dsa" = "" && test "$enable_sha" != "no"], [
    if { test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno"; } ||
       test "$ENABLED_OPENVPN" = "yes" ||
       test "$ENABLED_NGINX" = "yes" ||
       test "$ENABLED_WPAS" = "yes" ||
       test "$ENABLED_QT" = "yes" ||
       test "$ENABLED_BIND" = "yes" ||
       test "$ENABLED_LIBSSH2" = "yes" ||
       test "$ENABLED_NTP" = "yes"
    then
        ENABLED_DSA="yes"
    fi
])

# Without DSA the code is compiled out; with it, certificate support is needed.
AS_IF([test "$ENABLED_DSA" = "no"],
      [AM_CFLAGS="$AM_CFLAGS -DNO_DSA"],
      [ENABLED_CERTS=yes])
4856
4857# ECC Shamir
4858AC_ARG_ENABLE([eccshamir],
4859 [AS_HELP_STRING([--enable-eccshamir],[Enable ECC Shamir (default: enabled)])],
4860 [ ENABLED_ECC_SHAMIR=$enableval ],
4861 [ ENABLED_ECC_SHAMIR=yes ]
4862 )
4863
4864
4865# ECC
4866AC_ARG_ENABLE([ecc],
4867 [AS_HELP_STRING([--enable-ecc],[Enable ECC (default: enabled)])],
4868 [ ENABLED_ECC=$enableval ],
4869 [ ENABLED_ECC=yes ]
4870 )
4871
4872# lean psk doesn't need ecc
4873if test "$ENABLED_LEANPSK" = "yes"
4874then
4875 ENABLED_ECC=no
4876fi
4877
4878if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$ENABLED_SIGNAL" = "yes"
4879then
4880 ENABLED_ECC="yes"
4881fi
4882
4883if test "$ENABLED_ECC" != "no"
4884then
4885 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC"
4886
4887 if test "$ENABLED_ECC_SHAMIR" = "yes" && test "$ENABLED_LOWRESOURCE" = "no"
4888 then
4889 AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
4890 fi
4891
4892 if test "$ENABLED_ECC" = "nonblock"
4893 then
4894 AM_CFLAGS="$AM_CFLAGS -DWC_ECC_NONBLOCK"
4895 fi
4896
4897 if test "$ENABLED_FASTMATH" = "yes"
4898 then
4899 if test "$ENABLED_LOWRESOURCE" = "yes"
4900 then
4901 AM_CFLAGS="$AM_CFLAGS -DALT_ECC_SIZE"
4902 else
4903 AM_CFLAGS="$AM_CFLAGS -DTFM_ECC256"
4904 fi
4905 fi
4906
4907 ENABLED_CERTS=yes
4908fi
4909
4910
4911# SM2
4912AC_ARG_ENABLE([sm2],
4913 [AS_HELP_STRING([--enable-sm2],[Enable wolfSSL SM2 support (default: disabled)])],
4914 [ ENABLED_SM2=$enableval ],
4915 [ ENABLED_SM2=no ]
4916 )
4917
4918if test "$ENABLED_SM2" = "yes"
4919then
4920 if test "$ENABLED_ECC" = "no"
4921 then
4922 AC_MSG_ERROR([Cannot enable SM2 without enabling ecc.])
4923 fi
4924
4925 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SM2 -DWOLFSSL_BASE16"
4926 ENABLED_CERTS=yes
4927fi
4928
4929
4930# ECC Custom Curves
4931AC_ARG_ENABLE([ecccustcurves],
4932 [AS_HELP_STRING([--enable-ecccustcurves],[Enable ECC custom curves (default: disabled)])],
4933 [ ENABLED_ECCCUSTCURVES=$enableval ],
4934 [ ENABLED_ECCCUSTCURVES=no ]
4935 )
4936
4937if test "$ENABLED_WPAS_DPP" = "yes"
4938then
4939 ENABLED_ECCCUSTCURVES="all"
4940fi
4941
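# ECC Minimum Key Size
# The default floor is 224 bits, or 192 bits when FIPS is anything other than
# no. The chosen number is passed to the compiler as ECC_MIN_KEY_SZ.
AC_ARG_WITH([eccminsz],
    [AS_HELP_STRING([--with-eccminsz=BITS],[Sets the ECC minimum key size (default: 224 bits non-FIPS / 192 bits with FIPS)])],
    [ ENABLED_ECCMINSZ=$withval ],
    [
        if test "x$ENABLED_FIPS" = "xno"
        then
            ENABLED_ECCMINSZ=224
        else
            ENABLED_ECCMINSZ=192
        fi
    ]
)

# The value is pasted into a -D flag, so accept a plain decimal number only.
# A bare --with-eccminsz or --without-eccminsz would otherwise arrive here as
# yes or no, and a leading zero would be read by the compiler as octal. The
# bracket expression is doubled because one level is consumed as quoting when
# configure is generated.
case "$ENABLED_ECCMINSZ" in
    ''|0?*|*[[!0-9]]*)
        AC_MSG_ERROR([--with-eccminsz needs a key size in bits as a decimal number; got: $ENABLED_ECCMINSZ])
        ;;
esac
AM_CFLAGS="$AM_CFLAGS -DECC_MIN_KEY_SZ=$ENABLED_ECCMINSZ"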
4956
4957# Compressed Key
4958AC_ARG_ENABLE([compkey],
4959 [AS_HELP_STRING([--enable-compkey],[Enable compressed keys support (default: disabled)])],
4960 [ ENABLED_COMPKEY=$enableval ],
4961 [ ENABLED_COMPKEY=no ]
4962 )
4963
4964if (test "$ENABLED_WPAS" = "yes" || test "$ENABLED_OPENSSLALL" = "yes")
4965then
4966 ENABLED_COMPKEY=yes
4967fi
4968
4969
4970# Brainpool (depends on _ECCCUSTCURVES)
4971if test "$ENABLED_ECCCUSTCURVES" != "no"
4972then
4973 BRAINPOOL_DEFAULT=yes
4974else
4975 BRAINPOOL_DEFAULT=no
4976fi
4977
4978AC_ARG_ENABLE([brainpool],
4979 [AS_HELP_STRING([--enable-brainpool],[Enable Brainpool ECC curves (default: enabled with ECC custom curves)])],
4980 [ ENABLED_BRAINPOOL=$enableval ],
4981 [ ENABLED_BRAINPOOL="$BRAINPOOL_DEFAULT" ]
4982 )
4983
4984if test "$ENABLED_BRAINPOOL" != "no"
4985then
4986 if test "$ENABLED_ECCCUSTCURVES" = "no"
4987 then
4988 AC_MSG_ERROR([cannot enable Brainpool without enabling ecccustcurves.])
4989 fi
4990 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_BRAINPOOL"
4991fi
4992
4993
4994# for using memory optimization setting on both curve25519 and ed25519
4995ENABLED_CURVE25519_SMALL=no
4996ENABLED_ED25519_SMALL=no
4997
4998# CURVE25519
4999AC_ARG_ENABLE([curve25519],
5000 [AS_HELP_STRING([--enable-curve25519],[Enable Curve25519 (default: disabled). Set to "nonblock" to enable non-blocking support for key gen and shared secret])],
5001 [ ENABLED_CURVE25519=$enableval ],
5002 [ ENABLED_CURVE25519=no ]
5003 )
5004
5005# Handle curve25519 nonblock option - enable asynccrypt and asynccrypt-sw early
5006if test "$ENABLED_CURVE25519" = "nonblock"
5007then
5008 test -z "$enable_asynccrypt" && enable_asynccrypt=yes
5009 test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
5010fi
5011
5012# Handle RSA/DH nonblock - the SP non-blocking dispatch wants the same
5013# WOLFSSL_ASYNC_CRYPT_SW shim that ECC/Curve25519 nonblock use so the
5014# TLS layer can manage per-SSL nb contexts and yield MP_WOULDBLOCK.
5015if test "$enable_rsa" = "nonblock" || test "$enable_dh" = "nonblock"
5016then
5017 test -z "$enable_asynccrypt" && enable_asynccrypt=yes
5018 test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
5019fi
5020
5021if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_QUIC" = "yes" && test "$ENABLED_FIPS" = "no"
5022then
5023 ENABLED_CURVE25519=yes
5024fi
5025
5026if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno"
5027then
5028 ENABLED_CURVE25519="yes"
5029fi
5030
5031
5032# ED25519
5033AC_ARG_ENABLE([ed25519],
5034 [AS_HELP_STRING([--enable-ed25519],[Enable ED25519 (default: disabled)])],
5035 [ ENABLED_ED25519=$enableval ],
5036 [ ENABLED_ED25519=no ]
5037 )
5038AC_ARG_ENABLE([ed25519-stream],
5039 [AS_HELP_STRING([--enable-ed25519-stream],[Enable wolfSSL ED25519 support with streaming verify APIs (default: disabled)])],
5040 [ ENABLED_ED25519_STREAM=$enableval ],
5041 [ ENABLED_ED25519_STREAM=no ]
5042 )
5043
5044if test "$ENABLED_ED25519" = "no" && \
5045 ( (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \
5046 test "$ENABLED_CHRONY" = "yes")
5047then
5048 ENABLED_ED25519="yes"
5049fi
5050
5051# for using memory optimization setting on both curve448 and ed448
5052ENABLED_CURVE448_SMALL=no
5053ENABLED_ED448_SMALL=no
5054
5055# CURVE448
5056AC_ARG_ENABLE([curve448],
5057 [AS_HELP_STRING([--enable-curve448],[Enable Curve448 (default: disabled)])],
5058 [ ENABLED_CURVE448=$enableval ],
5059 [ ENABLED_CURVE448=no ]
5060 )
5061
5062# ED448
5063AC_ARG_ENABLE([ed448],
5064 [AS_HELP_STRING([--enable-ed448],[Enable ED448 (default: disabled)])],
5065 [ ENABLED_ED448=$enableval ],
5066 [ ENABLED_ED448=no ]
5067 )
5068AC_ARG_ENABLE([ed448-stream],
5069 [AS_HELP_STRING([--enable-ed448-stream],[Enable wolfSSL ED448 support with streaming verify APIs (default: disabled)])],
5070 [ ENABLED_ED448_STREAM=$enableval ],
5071 [ ENABLED_ED448_STREAM=no ]
5072 )
5073
5074# FP ECC, Fixed Point cache ECC
5075AC_ARG_ENABLE([fpecc],
5076 [AS_HELP_STRING([--enable-fpecc],[Enable Fixed Point cache ECC (default: disabled)])],
5077 [ ENABLED_FPECC=$enableval ],
5078 [ ENABLED_FPECC=no ]
5079 )
5080
5081if test "$ENABLED_FPECC" = "yes"
5082then
5083 if test "$ENABLED_ECC" = "no"
5084 then
5085 AC_MSG_ERROR([cannot enable fpecc without enabling ecc.])
5086 fi
5087 AM_CFLAGS="$AM_CFLAGS -DFP_ECC"
5088fi
5089
5090
# ECC encrypt (ECIES)
# Values named in the help text: yes (SEC1), geniv, iso18033, old. Anything
# other than "no" turns the feature on; a value outside that list is not
# rejected here and simply adds no variant define.
AC_ARG_ENABLE([eccencrypt],
    [AS_HELP_STRING([--enable-eccencrypt],[Enable ECC encrypt (default: disabled). yes = SEC1 standard, geniv = Generate IV, iso18033 = ISO 18033 standard, old = original wolfSSL algorithm])],
    [ENABLED_ECC_ENCRYPT=$enableval],
    [ENABLED_ECC_ENCRYPT=no])

if test "$ENABLED_ECC_ENCRYPT" != "no"; then
    # Both prerequisites are checked before any define is added, so an
    # unsupported combination stops configure.
    AS_IF([test "$ENABLED_ECC" = "no"],
        [AC_MSG_ERROR([cannot enable eccencrypt without enabling ecc.])])
    AS_IF([test "$ENABLED_HKDF" = "no"],
        [AC_MSG_ERROR([cannot enable eccencrypt without enabling hkdf.])])

    AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_ENCRYPT"

    # Variant selection; "yes" adds no extra define.
    case "$ENABLED_ECC_ENCRYPT" in
    old)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECIES_OLD"
        ;;
    iso18033)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECIES_ISO18033"
        ;;
    geniv)
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECIES_GEN_IV"
        ;;
    esac
fi
5122
5123# Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)
5124AC_ARG_ENABLE([eccsi],
5125 [AS_HELP_STRING([--enable-eccsi],[Enable ECCSI (default: disabled)])],
5126 [ ENABLED_ECCSI=$enableval ],
5127 [ ENABLED_ECCSI=no ]
5128 )
5129
5130if test "x$ENABLED_ECCSI" = "xyes"
5131then
5132 if test "$ENABLED_ECC" = "no"
5133 then
5134 AC_MSG_ERROR([ECCSI requires ECC.])
5135 fi
5136 AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP"
5137fi
5138
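# Sakai-Kasahara Key Encryption (SAKKE) - pairing based crypto
# Accepts yes, no or small; "small" is folded into "yes" plus the
# WOLFCRYPT_SAKKE_SMALL define.
AC_ARG_ENABLE([sakke],
    [AS_HELP_STRING([--enable-sakke],[Enable SAKKE - pairing based crypto (default: disabled)])],
    [ ENABLED_SAKKE=$enableval ],
    [ ENABLED_SAKKE=no ]
    )

# Checked before "small" is normalised, so every value other than "no"
# is covered by the ECC requirement.
if test "$ENABLED_SAKKE" != "no" && test "$ENABLED_ECC" = "no"
then
    AC_MSG_ERROR([SAKKE requires ECC.])
fi

if test "x$ENABLED_SAKKE" = "xsmall"
then
    ENABLED_SAKKE="yes"
    ENABLED_SAKKE_SMALL="yes"
    AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_SAKKE_SMALL"
fi
if test "x$ENABLED_SAKKE" = "xyes"
then
    AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SAKKE"
fi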
5161
5162
5163# PSK
5164AC_ARG_ENABLE([psk],
5165 [AS_HELP_STRING([--enable-psk],[Enable PSK (default: disabled)])],
5166 [ ENABLED_PSK=$enableval ],
5167 [ ENABLED_PSK=no ]
5168 )
5169
5170if test "x$ENABLED_MOSQUITTO" = "xyes"
5171then
5172 ENABLED_PSK=yes
5173fi
5174
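# Single PSK identity
# Implies PSK: when this option is "yes" and ENABLED_PSK is "no", PSK is
# switched on as well.
AC_ARG_ENABLE([psk-one-id],
    [AS_HELP_STRING([--enable-psk-one-id],[Enable single PSK identity (default: disabled)])],
    [ ENABLED_PSK_ONE_ID=$enableval ],
    [ ENABLED_PSK_ONE_ID=no ]
    )
if test "$ENABLED_PSK_ONE_ID" = "yes"
then
    if test "$ENABLED_PSK" = "no"
    then
        ENABLED_PSK="yes"
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSK_ONE_ID"
fi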
5189
5190# Certificate Authentication with External PSK (RFC 8773bis)
5191AC_ARG_ENABLE([cert-with-extern-psk],
5192 [AS_HELP_STRING([--enable-cert-with-extern-psk],[Enable Certificate Authentication with External PSKs for TLS 1.3 (default: disabled)])],
5193 [ ENABLED_CERT_WITH_EXTERN_PSK=$enableval ],
5194 [ ENABLED_CERT_WITH_EXTERN_PSK=no ]
5195 )
5196if test "$ENABLED_CERT_WITH_EXTERN_PSK" = "yes"
5197then
5198 if test "$ENABLED_TLS13" = "no"
5199 then
5200 AC_MSG_NOTICE([TLS 1.3 is disabled - disabling cert-with-extern-psk])
5201 ENABLED_CERT_WITH_EXTERN_PSK="no"
5202 elif test "$ENABLED_PSK" = "no"
5203 then
5204 AC_MSG_NOTICE([PSK is disabled - disabling cert-with-extern-psk])
5205 ENABLED_CERT_WITH_EXTERN_PSK="no"
5206 else
5207 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_WITH_EXTERN_PSK"
5208 fi
5209fi
5210
5211# ERROR STRINGS
5212AC_ARG_ENABLE([errorstrings],
5213 [AS_HELP_STRING([--enable-errorstrings],[Enable error strings table (default: enabled)])],
5214 [ ENABLED_ERROR_STRINGS=$enableval ],
5215 [ ENABLED_ERROR_STRINGS=yes ]
5216 )
5217
5218if test "$ENABLED_ERROR_STRINGS" = "no"
5219then
5220 AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
5221else
5222 # turn off error strings if leanpsk or leantls on
5223 if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
5224 then
5225 AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
5226 ENABLED_ERROR_STRINGS=no
5227 fi
5228fi
5229
5230
5231# ERROR QUEUE
5232AC_ARG_ENABLE([errorqueue],
5233 [AS_HELP_STRING([--enable-errorqueue],[Disables adding nodes to error queue when compiled with OPENSSL_EXTRA (default: enabled)])],
5234 [ ENABLED_ERROR_QUEUE=$enableval ],
5235 [ ENABLED_ERROR_QUEUE=yes ]
5236 )
5237
5238
# SSLv3
# Off by default. SSL 3.0 is a deprecated protocol version (RFC 7568); the
# WOLFSSL_ALLOW_SSLV3 define is only added when ENABLED_SSLV3 ends up "yes".
AC_ARG_ENABLE([sslv3],
    [AS_HELP_STRING([--enable-sslv3],[Enable SSL version 3.0 (default: disabled)])],
    [ENABLED_SSLV3=$enableval],
    [ENABLED_SSLV3=no])

# A HAProxy build switches SSLv3 on unless --enable-all is in effect.
# NOTE(review): this assignment does not look at the user's own choice, so
# an explicit --disable-sslv3 appears to be overridden for HAProxy builds.
# Confirm that is intended.
AS_IF([test "x$ENABLED_HAPROXY" = "xyes" && test "x$ENABLED_ALL" = "xno"],
    [ENABLED_SSLV3="yes"])

# cryptonly is applied last and always turns SSLv3 off.
AS_IF([test "$ENABLED_CRYPTONLY" = "yes"],
    [ENABLED_SSLV3=no])

AS_IF([test "$ENABLED_SSLV3" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3"])
5259
# TLSv1.0
# Off by default; TLS 1.0 is a deprecated protocol version (RFC 8996).
# Enabling it also forces ENABLED_OLD_TLS to "yes" in the old-TLS stanza
# further down.
AC_ARG_ENABLE([tlsv10],
    [AS_HELP_STRING([--enable-tlsv10],[Enable old TLS versions 1.0 (default: disabled)])],
    [ENABLED_TLSV10=$enableval],
    [ENABLED_TLSV10=no])

AS_IF([test "$ENABLED_TLSV10" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_TLSV10"])
5271
5272
# OLD TLS (protocol versions below TLS 1.2)
AC_ARG_ENABLE([oldtls],
    [AS_HELP_STRING([--enable-oldtls],[Enable old TLS versions < 1.2 (default: disabled)])],
    [ENABLED_OLD_TLS=$enableval],
    [ENABLED_OLD_TLS=no])

# Step 1: these build modes force old TLS off, whatever the user passed.
# The ENABLED_HARDEN_TLS test matches any value other than "no".
if test "$ENABLED_CRYPTONLY" = "yes" || test "x$ENABLED_HARDEN_TLS" != "xno" ||
   test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"; then
    ENABLED_OLD_TLS=no
fi

# Step 2: if SSL v3.0 or TLS v1.0 is enabled, allow "old tls". A Qt build
# without --enable-all apparently requires it as well.
# NOTE(review): this runs after step 1, so it also undoes the harden-tls,
# cryptonly and lean overrides. Confirm that a hardened build combined with
# TLS 1.0 or SSLv3 is meant to end up with old TLS allowed.
if test "$ENABLED_TLSV10" = "yes" || test "$ENABLED_SSLV3" = "yes" ||
   { test "$ENABLED_QT" = "yes" && test "x$ENABLED_ALL" = "xno"; }; then
    ENABLED_OLD_TLS=yes
fi

# NO_OLD_TLS is the define that removes the pre-1.2 code paths.
AS_IF([test "$ENABLED_OLD_TLS" = "no"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
5298
5299
5300# TLSv1.2
5301AC_ARG_ENABLE([tlsv12],
5302 [AS_HELP_STRING([--enable-tlsv12],[Enable TLS versions 1.2 (default: enabled)])],
5303 [ ENABLED_TLSV12=$enableval ],
5304 [ ENABLED_TLSV12=yes ]
5305 )
5306
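# STACK SIZE info for testwolfcrypt and examples
# Accepts yes, no or verbose; any value other than "no" runs the checks
# below, and "verbose" additionally needs thread-local storage unless the
# build is single threaded.
AC_ARG_ENABLE([stacksize],
    [AS_HELP_STRING([--enable-stacksize],[Enable stack size info on examples (default: disabled)])],
    [ ENABLED_STACKSIZE=$enableval ],
    [ ENABLED_STACKSIZE=no ]
    )

if test "$ENABLED_STACKSIZE" != "no"
then
    # Every macro argument is m4-quoted so the message text and the nested
    # library check are passed through literally.
    AC_CHECK_FUNC([posix_memalign], [], [AC_MSG_ERROR([stacksize needs posix_memalign])])
    AC_CHECK_DECL([posix_memalign], [], [AC_MSG_ERROR([stacksize needs posix_memalign])])
    AC_CHECK_FUNC([pthread_attr_setstack], [], [AC_CHECK_LIB([pthread],[pthread_attr_setstack])])
    AC_CHECK_DECL([pthread_attr_setstack], [], [AC_MSG_ERROR([stacksize needs pthread_attr_setstack])], [[#include <pthread.h>]])
    AM_CFLAGS="$AM_CFLAGS -DHAVE_STACK_SIZE"
fi

if test "$ENABLED_STACKSIZE" = "verbose"
then
    if test "$thread_ls_on" != "yes" && test "x$ENABLED_SINGLETHREADED" = "xno"
    then
        AC_MSG_ERROR([stacksize-verbose needs thread-local storage.])
    fi
    AM_CFLAGS="$AM_CFLAGS -DHAVE_STACK_SIZE_VERBOSE"
fi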
5331
5332
5333# MEMORY
5334AC_ARG_ENABLE([memory],
5335 [AS_HELP_STRING([--enable-memory],[Enable memory callbacks (default: enabled)])],
5336 [ ENABLED_MEMORY=$enableval ],
5337 [ ENABLED_MEMORY=yes ]
5338 )
5339
5340if test "$ENABLED_MEMORY" = "no"
5341then
5342 AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_MEMORY"
5343else
5344 # turn off memory cb if leanpsk or leantls on
5345 if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
5346 then
5347 # but don't turn on NO_WOLFSSL_MEMORY because using own
5348 ENABLED_MEMORY=no
5349 fi
5350fi
5351
5352
5353# MEMORY SIZE info
5354AC_ARG_ENABLE([trackmemory],
5355 [AS_HELP_STRING([--enable-trackmemory],[Enable memory use info on wolfCrypt and wolfSSL cleanup (default: disabled)])],
5356 [ ENABLED_TRACKMEMORY=$enableval ],
5357 [ ENABLED_TRACKMEMORY=no ]
5358 )
5359
5360if test "$ENABLED_TRACKMEMORY" != "no"
5361then
5362 if test "$ENABLED_MEMORY" = "yes"
5363 then
5364 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRACK_MEMORY"
5365 else
5366 AC_MSG_ERROR([trackmemory requires using wolfSSL memory (--enable-memory).])
5367 fi
5368 if test "$ENABLED_TRACKMEMORY" = "verbose"
5369 then
5370 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRACK_MEMORY_VERBOSE"
5371 fi
5372fi
5373
5374# MEMORY usage logging
5375AC_ARG_ENABLE([memorylog],
5376 [AS_HELP_STRING([--enable-memorylog],[Enable dynamic memory logging (default: disabled)])],
5377 [ ENABLED_MEMORYLOG=$enableval ],
5378 [ ENABLED_MEMORYLOG=no ]
5379 )
5380
5381if test "$ENABLED_MEMORYLOG" = "yes"
5382then
5383 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MEMORY_LOG"
5384fi
5385
5386
5387# STACK usage logging
5388AC_ARG_ENABLE([stacklog],
5389 [AS_HELP_STRING([--enable-stacklog],[Enable stack logging (default: disabled)])],
5390 [ ENABLED_STACKLOG=$enableval ],
5391 [ ENABLED_STACKLOG=no ]
5392 )
5393
5394if test "$ENABLED_STACKLOG" = "yes"
5395then
5396 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STACK_LOG -finstrument-functions"
5397fi
5398
5399
5400ENABLED_WOLFSENTRY=no
5401
5402AC_ARG_WITH([wolfsentry],
5403 [AS_HELP_STRING([--with-wolfsentry=PATH],[PATH to directory with wolfSentry installation])],
5404 [WOLFSENTRY_INSTALLDIR=$withval],
5405 [WOLFSENTRY_INSTALLDIR=""])
5406
5407AC_ARG_WITH([wolfsentry-lib],
5408 [AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])],
5409 [WOLFSENTRY_LIB=$withval],
5410 [WOLFSENTRY_LIB=""])
5411
5412AC_ARG_WITH([wolfsentry-include],
5413 [AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])],
5414 [WOLFSENTRY_INCLUDE=$withval],
5415 [WOLFSENTRY_INCLUDE=""])
5416
5417if test -n "$WOLFSENTRY_INSTALLDIR" || test -n "$WOLFSENTRY_LIB" || test -n "$WOLFSENTRY_INCLUDE"
5418then
5419 ENABLED_WOLFSENTRY=yes
5420fi
5421
5422AC_ARG_ENABLE([wolfsentry],
5423 [AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])],
5424 [ ENABLED_WOLFSENTRY=$enableval ],
5425 [ ]
5426 )
5427
5428if test "$WOLFSENTRY_LIB" = "" && test -n "$WOLFSENTRY_INSTALLDIR"
5429then
5430 WOLFSENTRY_LIB="${WOLFSENTRY_INSTALLDIR}/lib"
5431fi
5432
5433if test "$WOLFSENTRY_INCLUDE" = "" && test -n "$WOLFSENTRY_INSTALLDIR"
5434then
5435 WOLFSENTRY_INCLUDE="${WOLFSENTRY_INSTALLDIR}/include"
5436fi
5437
5438if test -n "$WOLFSENTRY_LIB"
5439then
5440 AC_MSG_CHECKING([for $WOLFSENTRY_LIB])
5441 if ! test -d "$WOLFSENTRY_LIB"
5442 then
5443 AC_MSG_ERROR([wolfSentry lib dir $WOLFSENTRY_LIB not found.])
5444 fi
5445 AC_MSG_RESULT([yes])
5446 WOLFSENTRY_LIB="-L$WOLFSENTRY_LIB"
5447fi
5448
5449if test -n "$WOLFSENTRY_INCLUDE"
5450then
5451 AC_MSG_CHECKING([for $WOLFSENTRY_INCLUDE])
5452 if ! test -d "$WOLFSENTRY_INCLUDE"
5453 then
5454 AC_MSG_ERROR([wolfSentry include dir $WOLFSENTRY_INCLUDE not found.])
5455 fi
5456 AC_MSG_RESULT([yes])
5457 WOLFSENTRY_INCLUDE="-I$WOLFSENTRY_INCLUDE"
5458fi
5459
5460if test "$ENABLED_WOLFSENTRY" = "yes"
5461then
5462 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS"
5463 if test "$ENABLED_OPENSSLEXTRA" = "no"
5464 then
5465 ENABLED_OPENSSLEXTRA="yes"
5466 AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
5467 fi
5468 WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry"
5469fi
5470
5471AC_SUBST([WOLFSENTRY_LIB])
5472AC_SUBST([WOLFSENTRY_INCLUDE])
5473
5474
# Qt build: switches on the compatibility layer and the features Qt expects.
if test "$ENABLED_QT" = "yes"; then
    # Requires opensslextra and opensslall. Skipped when OPENSSLALL is
    # already set or OPENSSLCOEXIST is not "no".
    if test "x$ENABLED_OPENSSLALL" = "xno" &&
       test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLALL="yes"
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL -DHAVE_EX_DATA"
    fi

    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_QT -DSESSION_CERTS -DOPENSSL_NO_SSL2"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN -DHAVE_EX_DATA"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CUSTOM_CURVES -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ"

    # Don't enable old SSL/TLS for --enable-all, which is used by distro.
    # These two defines go straight into AM_CFLAGS and do not consult
    # ENABLED_SSLV3 or ENABLED_TLSV10, so a Qt build allows SSL 3.0 and
    # TLS 1.0 even when those options were left at their "no" default.
    AS_IF([test "x$ENABLED_ALL" = "xno"],
        [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3 -DWOLFSSL_ALLOW_TLSV10"])

    # Requires OCSP and PSK: switch each on if it is currently "no".
    AS_IF([test "x$ENABLED_OCSP" = "xno"], [ENABLED_OCSP="yes"])
    AS_IF([test "x$ENABLED_PSK" = "xno"], [ENABLED_PSK="yes"])

    # Requires RC4; only set when the user gave no arc4 option at all, so
    # an explicit --disable-arc4 is respected.
    if test -z "$enable_arc4"; then
        enable_arc4=yes
    fi

    if test "x$ENABLED_CERTEXT" = "xno"; then
        ENABLED_CERTEXT="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
    fi

    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi

    # requires oldnames disabled
    enable_oldnames=no
fi

AC_ARG_ENABLE([qt-test],
    [AS_HELP_STRING([--enable-qt-test],[Enable qt tests (default: disabled)])],
    [ENABLED_QT_TEST=$enableval],
    [ENABLED_QT_TEST=no])

# NOTE(review): going by their names, WOLFSSL_STATIC_RSA and
# WOLFSSL_STATIC_PSK allow static key exchange, which gives no forward
# secrecy. Keep this option to test builds.
if test "$ENABLED_QT_TEST" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL3 -DWOLFSSL_STATIC_RSA"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_PSK"
fi
5534
# RSA
# Accepts yes, no or nonblock. "nonblock" is normalised to "yes" after its
# define is added, so later stanzas only ever see yes or no.
AC_ARG_ENABLE([rsa],
    [AS_HELP_STRING([--enable-rsa],[Enable RSA (default: enabled). Set to "nonblock" to enable non-blocking RSA via TFM fp_exptmod_nb or SP small mod_exp_nb])],
    [ENABLED_RSA=$enableval],
    [ENABLED_RSA=yes])

case "$ENABLED_RSA" in
no)
    AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
    ;;
nonblock)
    AM_CFLAGS="$AM_CFLAGS -DWC_RSA_NONBLOCK"
    ENABLED_RSA=yes
    ENABLED_CERTS=yes
    # asynccrypt + asynccrypt-sw are auto-enabled earlier in this file when
    # --enable-rsa=nonblock is detected, so the TLS layer can pick up the
    # per-SSL nb context and yield MP_WOULDBLOCK. RSA_LOW_MEM is left as a
    # user choice - the SP non-block backend's compile-time check in
    # wolfssl/wolfcrypt/rsa.h enforces it for SP, while the TFM (fastmath)
    # backend supports the CRT path without it.
    ;;
*)
    # turn off RSA if leanpsk or leantls on; otherwise RSA implies certs
    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
        ENABLED_RSA=no
    else
        ENABLED_CERTS=yes
    fi
    ;;
esac
5566
5567AC_ARG_ENABLE([oaep],
5568 [AS_HELP_STRING([--enable-oaep],[Enable RSA OAEP (default: enabled)])],
5569 [ ENABLED_OAEP=$enableval ],
5570 [ ENABLED_OAEP=yes ]
5571 )
5572
5573if test "$ENABLED_OAEP" = "no"
5574then
5575 AM_CFLAGS="$AM_CFLAGS -DWC_NO_RSA_OAEP"
5576fi
5577
5578AC_ARG_ENABLE([rsapub],
5579 [AS_HELP_STRING([--enable-rsapub],[Enable RSA Public Only (default: disabled)])],
5580 [ ENABLED_RSAPUB=$enableval ],
5581 [ ENABLED_RSAPUB=no ]
5582 )
5583
5584if test "$ENABLED_RSAPUB" = "yes"
5585then
5586 if test "$ENABLED_RSA" = "no"
5587 then
5588 ENABLED_RSA="yes"
5589 fi
5590 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSA_PUBLIC_ONLY"
5591fi
5592
# RSA verify-only build: public-key operations and inline verification only.
AC_ARG_ENABLE([rsavfy],
    [AS_HELP_STRING([--enable-rsavfy],[Enable RSA Verify Inline Only (default: disabled)])],
    [ENABLED_RSAVFY=$enableval],
    [ENABLED_RSAVFY=no])

if test "$ENABLED_RSAVFY" = "yes"; then
    # NOTE(review): when RSA was "no", the RSA stanza above has already
    # appended -DNO_RSA to AM_CFLAGS; flipping ENABLED_RSA here does not
    # remove that define. Confirm the two do not conflict.
    AS_IF([test "$ENABLED_RSA" = "no"], [ENABLED_RSA="yes"])

    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSA_PUBLIC_ONLY -DWOLFSSL_RSA_VERIFY_ONLY"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSA_VERIFY_INLINE -DNO_SIG_WRAPPER"
    # NOTE(review): NO_CHECK_PRIVATE_KEY presumably drops the check that a
    # private key matches its certificate, which a build without private
    # key support cannot perform - verify against the library source.
    AM_CFLAGS="$AM_CFLAGS -DNO_CHECK_PRIVATE_KEY"
fi
5609
5610
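# RSA-PSS
# The user's choice is only a starting point: it is forced to "no" when
# RSA is "no", and forced to "yes" when RSA is enabled and ENABLED_TLS13
# is "yes".
AC_ARG_ENABLE([rsapss],
    [AS_HELP_STRING([--enable-rsapss],[Enable RSA-PSS (default: disabled)])],
    [ ENABLED_RSAPSS=$enableval ],
    [ ENABLED_RSAPSS=no ]
    )

if test "$ENABLED_RSA" = "no"
then
    ENABLED_RSAPSS="no"
elif test "$ENABLED_TLS13" = "yes"
then
    ENABLED_RSAPSS="yes"
fi
if test "$ENABLED_RSAPSS" = "yes"
then
    AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT"
fi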
5631
5632
# DH
# Values handled below: yes, no, nonblock and const.
AC_ARG_ENABLE([dh],
    [AS_HELP_STRING([--enable-dh],[Enable DH (default: enabled). Set to "nonblock" to enable non-blocking DH key agreement via SP small mod_exp_nb])],
    [ENABLED_DH=$enableval],
    [ENABLED_DH=yes])

# An OpenSSH build needs DH, so "no" is overridden.
AS_IF([test "$ENABLED_OPENSSH" = "yes" && test "$ENABLED_DH" = "no"],
    [ENABLED_DH="yes"])

case "$ENABLED_DH" in
no)
    AM_CFLAGS="$AM_CFLAGS -DNO_DH"
    ;;
nonblock)
    AM_CFLAGS="$AM_CFLAGS -DWC_DH_NONBLOCK"
    ENABLED_DH=yes
    # asynccrypt + asynccrypt-sw are auto-enabled earlier in this file.
    ;;
*)
    # turn off DH if leanpsk or leantls on
    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DNO_DH"
        ENABLED_DH=no
    fi
    ;;
esac

# "const" survives the dispatch above unless a lean build reset it to "no".
AS_IF([test "$ENABLED_DH" = "const"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST"])

# The sniffer needs the extra DH API whenever DH is built at all.
AS_IF([test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_DH" != "no"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_EXTRA"])
5671
5672
# Anonymous
# Anonymous suites agree on keys without authenticating the peer, so a
# connection that negotiates one has no protection against an active
# man-in-the-middle. Off by default.
AC_ARG_ENABLE([anon],
    [AS_HELP_STRING([--enable-anon],[Enable Anonymous (default: disabled)])],
    [ENABLED_ANON=$enableval],
    [ENABLED_ANON=no])

# wpa_supplicant, nginx, HAProxy and rsyslog builds switch the suites on.
# NOTE(review): the assignment is unconditional, so an explicit
# --disable-anon is overridden for these builds. Deployments that do not
# need anonymous suites should exclude them in the runtime cipher list.
if test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_NGINX" = "xyes" ||
   test "x$ENABLED_HAPROXY" = "xyes" || test "$ENABLED_RSYSLOG" = "yes"; then
    ENABLED_ANON=yes
fi

if test "x$ENABLED_ANON" = "xyes"; then
    AS_IF([test "$ENABLED_DH" = "no"],
        [AC_MSG_ERROR([Anonymous suite requires DH.])])
    AM_CFLAGS="$AM_CFLAGS -DHAVE_ANON"
fi
5693
5694
# RSA needs ASN unless the build is verify-only or low-resource.
if test "$ENABLED_RSA" = "yes" && test "$ENABLED_RSAVFY" = "no" &&
   test "$ENABLED_ASN" = "no" && test "$ENABLED_LOWRESOURCE" = "no"; then
    AC_MSG_ERROR([please disable rsa if disabling asn.])
fi

# DSA always needs ASN.
AS_IF([test "$ENABLED_DSA" = "yes" && test "$ENABLED_ASN" = "no"],
    [AC_MSG_ERROR([please disable dsa if disabling asn.])])

# No Big Int (ASN, DSA, RSA, DH, ECC and compatibility layer need bigint)
# Big-number support stays on unless every consumer below is disabled.
# NOTE(review): every other term tests for "no", but the last one requires
# ENABLED_OPENSSLALL to be "yes". Since the heading says the compatibility
# layer needs bigint, "no" may have been intended - confirm.
ENABLED_BIGNUM="yes"
if test "$ENABLED_ASN" = "no" && test "$ENABLED_DSA" = "no" &&
   test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no" &&
   test "$ENABLED_RSA" = "no" && test "$ENABLED_OPENSSLEXTRA" = "no" &&
   test "$ENABLED_OPENSSLALL" = "yes"; then
    ENABLED_SP_MATH_ALL="no"
    ENABLED_FASTMATH="no"
    ENABLED_HEAPMATH="no"
    ENABLED_BIGNUM="no"
fi
5719
5720case $host_os in
5721*linux* | *darwin* | *freebsd*)
5722 DEF_ASN_PRINT="yes"
5723 ;;
5724*)
5725 DEF_ASN_PRINT="no"
5726 ;;
5727esac
5728
5729AC_ARG_ENABLE([asn-print],
5730 [AS_HELP_STRING([--enable-asn-print],[Enable ASN Print API (default: enabled)])],
5731 [ ENABLED_ASN_PRINT=$enableval ],
5732 [ ENABLED_ASN_PRINT=$DEF_ASN_PRINT ]
5733 )
5734
5735if test "$ENABLED_ASN_PRINT" = "yes"
5736then
5737 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_PRINT"
5738fi
5739
5740
# AES
AC_ARG_ENABLE([aes],
    [AS_HELP_STRING([--enable-aes],[Enable AES (default: enabled)])],
    [ENABLED_AES=$enableval],
    [ENABLED_AES=yes])

if test "$ENABLED_AES" = "no"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_AES"

    # Features that cannot be built without AES stop configure here.
    AS_IF([test "$ENABLED_FORTRESS" = "yes"],
        [AC_MSG_ERROR([fortress requires aes])])
    # NOTE(review): only the value "yes" is caught. --enable-eccencrypt also
    # accepts geniv, iso18033 and old, which pass this check - confirm
    # whether those variants need AES too.
    AS_IF([test "$ENABLED_ECC_ENCRYPT" = "yes"],
        [AC_MSG_ERROR([cannot enable eccencrypt and hkdf without aes.])])
    AS_IF([test "$ENABLED_AESGCM" != "no"],
        [AC_MSG_ERROR([AESGCM requires AES.])])
    AS_IF([test "$ENABLED_AESCCM" = "yes"],
        [AC_MSG_ERROR([AESCCM requires AES.])])
    AS_IF([test "$ENABLED_AESCTR" = "yes"],
        [AC_MSG_ERROR([AESCTR requires AES.])])
elif test "$ENABLED_LEANPSK" = "yes"; then
    # turn off AES if leanpsk on
    AM_CFLAGS="$AM_CFLAGS -DNO_AES"
    ENABLED_AES=no
fi
5779
5780# DTLSv1.3
5781AC_ARG_ENABLE([dtls13],
5782 [AS_HELP_STRING([--enable-dtls13],[Enable wolfSSL DTLS v1.3 (default: disabled)])],
5783 [ ENABLED_DTLS13=$enableval ],
5784 [ ENABLED_DTLS13=no ]
5785 )
5786if test "x$ENABLED_DTLS13" = "xyes"
5787then
5788 # DTLSv1.3 implies TLS 1.3 and DTLS; auto-enable, but don't
5789 # override explicit --disable.
5790 if test "x$enable_tls13" = "xno" || test "x$ENABLED_TLS13" = "xno"
5791 then
5792 AC_MSG_ERROR([--enable-dtls13 requires TLS 1.3, but TLS 1.3 is disabled])
5793 fi
5794 if test "x$ENABLED_TLS13" != "xyes"
5795 then
5796 AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling TLS 1.3])
5797 ENABLED_TLS13=yes
5798 fi
5799 if test "x$enable_dtls" = "xno"
5800 then
5801 AC_MSG_ERROR([--enable-dtls13 requires DTLS, but --disable-dtls was given])
5802 fi
5803 if test "x$ENABLED_DTLS" != "xyes"
5804 then
5805 AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling DTLS])
5806 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
5807 ENABLED_DTLS=yes
5808 fi
5809 if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"
5810 then
5811 AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling HRR cookie])
5812 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
5813 ENABLED_SEND_HRR_COOKIE="yes"
5814 fi
5815 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER"
5816 if test "x$ENABLED_AES" = "xyes"
5817 then
5818 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
5819 fi
5820fi
5821
5822# DTLS CID support
5823AC_ARG_ENABLE([dtlscid],
5824 [AS_HELP_STRING([--enable-dtlscid],[Enable wolfSSL DTLS ConnectionID (default: disabled)])],
5825 [ ENABLED_DTLS_CID=$enableval ],
5826 [ ENABLED_DTLS_CID=no ]
5827 )
5828if test "x$ENABLED_DTLS_CID" = "xyes"
5829then
5830 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CID"
5831fi
5832
5833# DTLS 1.3 Fragment Second ClientHello
5834AC_ARG_ENABLE([dtls-frag-ch],
5835 [AS_HELP_STRING([--enable-dtls-frag-ch],[Enable wolfSSL DTLS 1.3 ClientHello fragmenting (default: disabled)])],
5836 [ ENABLED_DTLS_CH_FRAG=$enableval ],
5837 [ ENABLED_DTLS_CH_FRAG=no ]
5838 )
5839if test "x$ENABLED_DTLS_CH_FRAG" = "xyes"
5840then
5841 if test "x$ENABLED_DTLS13" != "xyes"
5842 then
5843 AC_MSG_ERROR([You need to enable DTLSv1.3 to use DTLS ClientHello fragmenting])
5844 fi
5845 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
5846fi
5847
5848# When MLKEM and DTLS 1.3 are both enabled, DTLS ClientHello fragmenting is
5849# required (PQC keys in ClientHello can exceed MTU), so enable it automatically.
5850if test "x$ENABLED_MLKEM" != "xno" && test "x$ENABLED_DTLS13" = "xyes" && test "x$ENABLED_DTLS_CH_FRAG" != "xyes"
5851then
5852 AC_MSG_NOTICE([MLKEM and DTLS 1.3 are enabled; enabling DTLS ClientHello fragmenting])
5853 ENABLED_DTLS_CH_FRAG=yes
5854 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
5855fi
5856
5857# CODING
5858AC_ARG_ENABLE([coding],
5859 [AS_HELP_STRING([--enable-coding],[Enable Coding base 16/64 (default: enabled)])],
5860 [ ENABLED_CODING=$enableval ],
5861 [ ENABLED_CODING=yes ]
5862 )
5863
5864if test "$ENABLED_CODING" = "no"
5865then
5866 AM_CFLAGS="$AM_CFLAGS -DNO_CODING"
5867else
5868 # turn off CODING if leanpsk on
5869 if test "$ENABLED_LEANPSK" = "yes"
5870 then
5871 AM_CFLAGS="$AM_CFLAGS -DNO_CODING"
5872 ENABLED_CODING=no
5873 fi
5874fi
5875
5876
5877# Base64 Encode
5878BASE64ENCODE_DEFAULT=no
5879if test "$host_cpu" = "x86_64" || test "$host_cpu" = "amd64"
5880then
5881BASE64ENCODE_DEFAULT=yes
5882fi
5883AC_ARG_ENABLE([base64encode],
5884 [AS_HELP_STRING([--enable-base64encode],[Enable Base64 encoding (default: enabled on x86_64/amd64)])],
5885 [ ENABLED_BASE64ENCODE=$enableval ],
5886 [ ENABLED_BASE64ENCODE=$BASE64ENCODE_DEFAULT ]
5887 )
5888if test "$ENABLED_BASE64ENCODE" = "yes"
5889then
5890 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BASE64_ENCODE"
5891fi
5892
5893
5894# Base16
5895AC_ARG_ENABLE([base16],
5896 [AS_HELP_STRING([--enable-base16],[Enable Base16 encoding/decoding (default: disabled)])],
5897 [ ENABLED_BASE16=$enableval ],
5898 [ ENABLED_BASE16=no ]
5899 )
5900
5901if test "$ENABLED_CAAM" = "qnx"
5902then
5903 ENABLED_BASE16=yes
5904fi
5905
5906if test "$ENABLED_BASE16" = "yes"
5907then
5908 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BASE16"
5909fi
5910
5911
5912# MD4
5913AC_ARG_ENABLE([md4],
5914 [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])],
5915 [ ENABLED_MD4=$enableval ],
5916 [ ENABLED_MD4=no ]
5917 )
5918
5919
# DES3
# Off by default; 3DES is a legacy 64-bit block cipher.
AC_ARG_ENABLE([des3],
    [AS_HELP_STRING([--enable-des3],[Enable DES3 (default: disabled)])],
    [ENABLED_DES3=$enableval],
    [ENABLED_DES3=no])

# Enable 3DES for various metafeatures, unless FIPS 140-3
# (FIPS off, or HAVE_FIPS_VERSION of 2 or lower).
# NOTE(review): the assignment is unconditional, so an explicit
# --disable-des3 is overridden by any integration listed here. The WPAS
# term matches every value other than "no", unlike the others.
if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2; then
    if test "$ENABLED_OPENSSH" = "yes" ||
       test "$ENABLED_QT" = "yes" || test "$ENABLED_OPENVPN" = "yes" ||
       test "$ENABLED_WPAS" != "no" || test "$ENABLED_NETSNMP" = "yes" ||
       test "$ENABLED_LIBSSH2" = "yes" || test "$ENABLED_KRB" = "yes" ||
       test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_STRONGSWAN" = "yes"; then
        ENABLED_DES3="yes"
    fi
fi
5937
5938# DES3 TLS suites
5939AC_ARG_ENABLE([des3-tls-suites],
5940 [AS_HELP_STRING([--enable-des3-tls-suites],[Enable DES3 TLS cipher suites (default: disabled)])],
5941 [ ENABLED_DES3_TLS_SUITES=$enableval ],
5942 [ ENABLED_DES3_TLS_SUITES=no ]
5943 )
5944
# ARC4
# OpenSSH (outside FIPS), wpa_supplicant and Kerberos builds require RC4.
# The default is injected through enable_arc4 before the option is parsed,
# and only when the user gave no arc4 option at all, so a forced
# --disable-arc4 still wins.
if { { test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno"; } ||
     test "$ENABLED_WPAS" = "yes" || test "$ENABLED_KRB" = "yes"; } &&
   test -z "$enable_arc4"; then
    enable_arc4=yes
fi

# Off by default; RC4 is a legacy stream cipher (prohibited in TLS by
# RFC 7465).
AC_ARG_ENABLE([arc4],
    [AS_HELP_STRING([--enable-arc4],[Enable ARC4 (default: disabled)])],
    [ENABLED_ARC4=$enableval],
    [ENABLED_ARC4=no])
5958
# MD5
# Off by default, but see the list below: most integration builds and the
# OpenSSL compatibility layer switch it back on.
AC_ARG_ENABLE([md5],
    [AS_HELP_STRING([--enable-md5],[Enable MD5 (default: disabled)])],
    [ENABLED_MD5=$enableval],
    [ENABLED_MD5=no])

# Options that require MD5. Any one of them being "yes" enables it, and an
# explicit --disable-md5 does not prevent that.
for wolf_md5_dependent in \
    "$ENABLED_WPAS" "$ENABLED_HAPROXY" \
    "$ENABLED_KRB" "$ENABLED_NETSNMP" \
    "$ENABLED_NGINX" "$ENABLED_OPENSSH" \
    "$ENABLED_OPENSSLEXTRA" "$ENABLED_OPENVPN" \
    "$ENABLED_TLSV10" "$ENABLED_OLD_TLS" \
    "$ENABLED_FORTRESS" "$ENABLED_LIGHTY" \
    "$ENABLED_DES3" "$ENABLED_BUMP" \
    "$ENABLED_OPENSSLALL"
do
    if test "$wolf_md5_dependent" = "yes"; then
        ENABLED_MD5=yes
    fi
done
5978
# SHA (SHA-1)
AC_ARG_ENABLE([sha],
    [AS_HELP_STRING([--enable-sha],[Enable SHA (default: enabled)])],
    [ENABLED_SHA=$enableval],
    [ENABLED_SHA=yes])

# turn off SHA if leanpsk or leantls on
if test "$ENABLED_SHA" != "no"; then
    if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"; then
        ENABLED_SHA=no
    fi
fi

# Without SHA-1 the pre-1.2 protocol versions are compiled out as well.
AS_IF([test "$ENABLED_SHA" = "no"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"])

# DSA depends on SHA-1, so the combination is rejected.
AS_IF([test "$ENABLED_SHA" = "no" && test "$ENABLED_DSA" != "no"],
    [AC_MSG_ERROR([please disable DSA if disabling SHA-1.])])
6001
6002
6003# SipHash
6004AC_ARG_ENABLE([siphash],
6005 [AS_HELP_STRING([--enable-siphash],[Enable SipHash (default: disabled)])],
6006 [ ENABLED_SIPHASH=$enableval ],
6007 [ ENABLED_SIPHASH=no ]
6008 )
6009
6010AS_IF([test "x$ENABLED_SIPHASH" = "xyes"],
6011 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIPHASH"])
6012
6013AC_ARG_ENABLE([cmac-kdf],
6014 [AS_HELP_STRING([--enable-cmac-kdf],[Enables cmac-kdf support (default: disabled)])],
6015 [ ENABLED_CMAC_KDF=$enableval ],
6016 [ ENABLED_CMAC_KDF=no ]
6017 )
6018
6019if test "$ENABLED_CMAC_KDF" = "yes"
6020then
6021 if test "$ENABLED_KDF" != "yes"
6022 then
6023 AC_MSG_ERROR([enable-cmac-kdf requires --enable-kdf])
6024 fi
6025 AM_CFLAGS="$AM_CFLAGS -DHAVE_CMAC_KDF"
6026fi
6027
6028# CMAC
6029AC_ARG_ENABLE([cmac],
6030 [AS_HELP_STRING([--enable-cmac],[Enable CMAC (default: disabled)])],
6031 [ ENABLED_CMAC=$enableval ],
6032 [ ENABLED_CMAC=no ]
6033 )
6034
6035if test "$ENABLED_WPAS" != "no" || test "$ENABLED_NTP" = "yes" || test "$ENABLED_AESSIV" = "yes" || test "$ENABLED_WOLFENGINE" = "yes" || test "$ENABLED_AESEAX" = "yes" || test "$ENABLED_CMAC_KDF" = "yes"
6036then
6037 ENABLED_CMAC=yes
6038fi
6039
6040AS_IF([test "x$ENABLED_CMAC" = "xyes"],
6041 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
6042
6043# SHE (Secure Hardware Extension) key update message generation
6044# --enable-she=standard: standard SHE support
6045# --enable-she=extended: standard + extended overrides (custom KDF/headers)
6046AC_ARG_ENABLE([she],
6047 [AS_HELP_STRING([--enable-she@<:@=standard|extended@:>@],
6048 [Enable SHE key update support (default: disabled)])],
6049 [ ENABLED_SHE=$enableval ],
6050 [ ENABLED_SHE=no ]
6051 )
6052
6053if test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended"
6054then
6055 if test "$ENABLED_AESCBC" = "no"
6056 then
6057 AC_MSG_ERROR([SHE requires AES-CBC. Cannot use --disable-aescbc with --enable-she.])
6058 fi
6059 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"
6060 ENABLED_CMAC=yes
6061 ENABLED_AESCBC=yes
6062fi
6063
6064if test "x$ENABLED_SHE" = "xextended"
6065then
6066 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE_EXTENDED"
6067fi
6068
6069# AES-XTS
6070AC_ARG_ENABLE([aesxts],
6071 [AS_HELP_STRING([--enable-aesxts],[Enable AES XTS (default: disabled)])],
6072 [ ENABLED_AESXTS=$enableval ],
6073 [ ENABLED_AESXTS=no ]
6074 )
6075
6076AS_IF([test "$ENABLED_AESXTS" = "yes" && test "$ENABLED_ARMASM" = "no"],
6077 [ ENABLED_AESXTS_STREAM_DEFAULT=yes ],
6078 [ ENABLED_AESXTS_STREAM_DEFAULT=no ]
6079 )
6080
6081AC_ARG_ENABLE([aesxts-stream],
6082 [AS_HELP_STRING([--enable-aesxts-stream],[Enable wolfSSL AES-XTS support with streaming APIs (default: disabled)])],
6083 [ ENABLED_AESXTS_STREAM=$enableval ],
6084 [ ENABLED_AESXTS_STREAM=$ENABLED_AESXTS_STREAM_DEFAULT ]
6085 )
6086
6087# legacy old option name, for compatibility:
6088AC_ARG_ENABLE([xts],
6089 [AS_HELP_STRING([--enable-xts],[Please use --enable-aesxts])],
6090 [ ENABLED_AESXTS=$enableval ]
6091 )
6092
6093# AES-CTS
6094AC_ARG_ENABLE([aescts],
6095 [AS_HELP_STRING([--enable-aescts],[Enable AES CTS (default: disabled)])],
6096 [ ENABLED_AESCTS=$enableval ],
6097 [ ENABLED_AESCTS=no ]
6098 )
6099
6100if test "$ENABLED_AESCTS" = "yes"
6101then
6102 if test "$ENABLED_AESCBC" = "no"
6103 then
6104 AC_MSG_ERROR([AES CTS requires AES CBC.])
6105 fi
6106 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CTS"
6107fi
6108
6109# Web Server Build
6110AC_ARG_ENABLE([webserver],
6111 [AS_HELP_STRING([--enable-webserver],[Enable Web Server (default: disabled)])],
6112 [ ENABLED_WEBSERVER=$enableval ],
6113 [ ENABLED_WEBSERVER=no ]
6114 )
6115
6116if test "$ENABLED_WEBSERVER" = "yes"
6117then
6118 AM_CFLAGS="$AM_CFLAGS -DHAVE_WEBSERVER"
6119fi
6120
6121# Web Client Build (HTTP Client)
6122AC_ARG_ENABLE([webclient],
6123 [AS_HELP_STRING([--enable-webclient],[Enable Web Client (HTTP) (default: disabled)])],
6124 [ ENABLED_WEBCLIENT=$enableval ],
6125 [ ENABLED_WEBCLIENT=no ]
6126 )
6127
6128if test "$ENABLED_WEBCLIENT" = "yes"
6129then
6130 AM_CFLAGS="$AM_CFLAGS -DHAVE_HTTP_CLIENT"
6131fi
6132
6133# RC2
6134AC_ARG_ENABLE([rc2],
6135 [AS_HELP_STRING([--enable-rc2],[Enable RC2 encryption (default: disabled)])],
6136 [ ENABLED_RC2=$enableval ],
6137 [ ENABLED_RC2=no ]
6138 )
6139
6140if test "$ENABLED_RC2" = "yes"
6141then
6142 AM_CFLAGS="$AM_CFLAGS -DWC_RC2"
6143fi
6144
# CUDA
# Enabling CUDA replaces whatever compiler was selected so far: CC is set to
# the bare name nvcc, so a CC value supplied by the user is discarded and the
# compiler is whichever nvcc the build environment resolves.
AC_ARG_ENABLE([cuda],
    [AS_HELP_STRING([--enable-cuda],[Enable NVidia CUDA support (default: disabled)])],
    [ ENABLED_CUDA=$enableval ],
    [ ENABLED_CUDA=no ]
    )

AS_IF([test "$ENABLED_CUDA" = "yes"],
    [CC=nvcc
     AM_CFLAGS="$AM_CFLAGS -DWC_CUDA -DHAVE_CUDA"])
6157
# Certificate Service Support (CFLAG sections later) keep above FIPS section
# Only the option value is recorded here; no compiler flags are added in this
# stanza.
AC_ARG_ENABLE([certservice],
    [AS_HELP_STRING([--enable-certservice],[Enable cert service (default: disabled)])],
    [ ENABLED_CERT_SERVICE=$enableval ],
    [ ENABLED_CERT_SERVICE=no ]
    )

# PWDBASED (CFLAG sections later) keep above FIPS section
# The FIPS setup further down reads ENABLED_PWDBASED and may force it to
# "yes", so the value must already be set when that section runs.
AC_ARG_ENABLE([pwdbased],
    [AS_HELP_STRING([--enable-pwdbased],[Enable PWDBASED (default: disabled)])],
    [ ENABLED_PWDBASED=$enableval ],
    [ ENABLED_PWDBASED=no ]
    )
6171
# MemUse Entropy
# wolfEntropy Software Jitter SP800-90B certifiable entropy source
#
# Default: on when KERNEL_MODE_DEFAULTS is "yes" and none of the AMD RDSEED,
# Intel RDRAND or Intel RDSEED options is enabled; off otherwise. The help
# text below still reads "default: disabled", so check the configure summary
# rather than the help output when the entropy source matters.
AS_IF([test "$KERNEL_MODE_DEFAULTS" = "yes" &&
       test "$ENABLED_AMDRDSEED" != "yes" &&
       test "$ENABLED_INTELRDRAND" != "yes" &&
       test "$ENABLED_INTELRDSEED" != "yes"],
    [ ENABLED_ENTROPY_MEMUSE_DEFAULT=yes ],
    [ ENABLED_ENTROPY_MEMUSE_DEFAULT=no ]
    )

# Primary spelling; falls back to the derived default when not given.
AC_ARG_ENABLE([wolfEntropy],
    [AS_HELP_STRING([--enable-wolfEntropy],[Enable memuse entropy support (default: disabled)])],
    [ ENABLED_ENTROPY_MEMUSE=$enableval ],
    [ ENABLED_ENTROPY_MEMUSE=$ENABLED_ENTROPY_MEMUSE_DEFAULT ]
    )

# Aliases. All three spellings write ENABLED_ENTROPY_MEMUSE, and they are
# evaluated in the order written here, so when several are passed the last
# one in this file wins regardless of command-line order.
AC_ARG_ENABLE([wolfentropy],
    [AS_HELP_STRING([--enable-wolfentropy],[Alias for --enable-wolfEntropy])],
    [ ENABLED_ENTROPY_MEMUSE=$enableval ]
    )
AC_ARG_ENABLE([entropy-memuse],
    [AS_HELP_STRING([--enable-entropy-memuse],[Alias for --enable-wolfEntropy])],
    [ ENABLED_ENTROPY_MEMUSE=$enableval ]
    )
6198
# AES key wrap
# Only the option value is recorded here. The FIPS setup that follows reads
# ENABLED_AESKEYWRAP and may change it, so this must stay above that section.
AC_ARG_ENABLE([aeskeywrap],
    [AS_HELP_STRING([--enable-aeskeywrap],[Enable AES key wrap support (default: disabled)])],
    [ ENABLED_AESKEYWRAP=$enableval ],
    [ ENABLED_AESKEYWRAP=no ]
    )
6205
6206# FIPS feature and macro setup
6207
6208AS_CASE([$FIPS_VERSION],
6209 [v7|ready|dev],[ # FIPS 140-3 PQ-FS
6210
6211 AS_IF([test "$FIPS_VERSION" = "dev"],
6212 ENABLED_FIPS_DEV=yes
6213 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
6214 AS_IF([test "$FIPS_VERSION" = "ready" || test "$FIPS_VERSION" = "v7"],
6215 ENABLED_FIPS_READY=yes
6216 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
6217
6218 AM_CFLAGS="$AM_CFLAGS \
6219 -DHAVE_FIPS \
6220 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
6221 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
6222 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
6223 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
6224 -DHAVE_ECC_CDH \
6225 -DWC_RSA_NO_PADDING \
6226 -DECC_USER_CURVES \
6227 -DHAVE_ECC384 \
6228 -DHAVE_ECC521 \
6229 -DWOLFSSL_VALIDATE_FFC_IMPORT \
6230 -DHAVE_FFDHE_Q \
6231 -DHAVE_FFDHE_3072 \
6232 -DHAVE_FFDHE_4096 \
6233 -DHAVE_FFDHE_6144 \
6234 -DHAVE_FFDHE_8192"
6235
6236 # KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
6237 AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
6238 [AM_CFLAGS="$AM_CFLAGS \
6239 -DWC_RNG_SEED_CB \
6240 -DWOLFSSL_ECDSA_SET_K \
6241 -DWOLFSSL_VALIDATE_ECC_IMPORT \
6242 -DWOLFSSL_VALIDATE_ECC_KEYGEN \
6243 -DHAVE_ECC192 \
6244 -DHAVE_ECC224 \
6245 -DHAVE_ECC256"])
6246
6247 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
6248# optimizations section
6249
6250# protocol section
6251 AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
6252 (test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
6253 [enable_ssh="yes"])
6254
6255 AS_IF([test "$ENABLED_HKDF" != "yes" &&
6256 (test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
6257 [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
6258
6259 AS_IF([test "x$ENABLED_PWDBASED" = "xno" &&
6260 (test "$FIPS_VERSION" != "dev" || test "$enable_pwdbased" != "no")],
6261 [ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2 -DHAVE_AESGCM"])
6262
6263 AS_IF([test "x$ENABLED_SRTP" = "xno" &&
6264 (test "$FIPS_VERSION" != "dev" || test "$enable_srtp" != "no")],
6265 [ENABLED_SRTP="yes"])
6266 AS_IF([test "x$ENABLED_SRTP_KDF" = "xno" &&
6267 (test "$FIPS_VERSION" != "dev" || test "$enable_srtp_kdf" != "no")],
6268 [ENABLED_SRTP_KDF="yes"])
6269
6270# public key section
6271 AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
6272 (test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
6273 [ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
6274
6275# AS_IF([test "$ENABLED_COMPKEY" != "yes" &&
6276# (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
6277# [ENABLED_COMPKEY="yes"])
6278
6279 AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
6280 (test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
6281 [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
6282
6283 AS_IF([test "$ENABLED_ECC" != "yes" &&
6284 (test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
6285 [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
6286 AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes"],
6287 [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
6288
6289 AS_IF([test "$ENABLED_ED25519" = "no" &&
6290 (test "$FIPS_VERSION" != "dev" || test "$enable_ed25519" != "no")],
6291 [ENABLED_ED25519="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT"])
6292
6293 AS_IF([test "$ENABLED_CURVE25519" != "no" &&
6294 (test "$FIPS_VERSION" != "dev" || test "$enable_curve25519" = "")],
6295 [ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS"])
6296
6297 AS_IF([test "x$ENABLED_ED448" != "xyes" &&
6298 (test "$FIPS_VERSION" != "dev" || test "$enable_ed448" != "no")],
6299 [ENABLED_ED448="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT"])
6300
6301 AS_IF([test "$ENABLED_CURVE448" != "no" &&
6302 (test "$FIPS_VERSION" != "dev" || test "$enable_curve448" = "")],
6303 [ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS"])
6304
6305 AS_IF([test "x$ENABLED_ED25519_STREAM" != "xyes" &&
6306 (test "$FIPS_VERSION" != "dev" || test "$enable_ed25519_stream" != "no")],
6307 [ENABLED_ED25519_STREAM="yes"])
6308 AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes" &&
6309 (test "$FIPS_VERSION" != "dev" || test "$enable_ed448_stream" != "no")],
6310 [ENABLED_ED448_STREAM="yes"])
6311
6312 AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
6313 test "$FIPS_VERSION" != "dev"],
6314 [AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
6315 ENABLED_ECCCUSTCURVES="no"])
6316
6317# Hashing section
6318 AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
6319 (test "$FIPS_VERSION" != "dev" || test "$enable_sha3" != "no")],
6320 [ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
6321
6322 AS_IF([test "$ENABLED_SHA224" != "yes" &&
6323 (test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
6324 [ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
6325
6326 AS_IF([test "$ENABLED_SHA512" = "no" &&
6327 (test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
6328 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
6329
6330 # SHA512-224 and SHA512-256 enabled for FIPS v7+ (needed for ML-DSA
6331 # HashML-DSA ACVP test vectors with SHA2-512/224 and SHA2-512/256)
6332
6333 # Shake128 because we're testing SHAKE256
6334 AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
6335 (test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "no")],
6336 [ENABLED_SHAKE128="yes"])
6337
6338 # Shake256 mandated for ED448
6339 AS_IF([test "x$ENABLED_SHAKE256" = "xno" &&
6340 (test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "no")],
6341 [ENABLED_SHAKE256="yes"])
6342
6343# Aes section
6344 AS_IF([test "$ENABLED_AESCCM" != "yes" &&
6345 (test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
6346 [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
6347
6348 AS_IF([test "$ENABLED_AESCTR" != "yes" &&
6349 (test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
6350 [ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
6351
6352 AS_IF([test "$ENABLED_CMAC" != "yes" &&
6353 (test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
6354 [ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
6355
6356 AS_IF([test "$ENABLED_AESGCM" = "no" &&
6357 (test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
6358 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
6359
6360 AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
6361 (test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "no")],
6362 [ENABLED_AESGCM_STREAM="yes"])
6363
6364 AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
6365 (test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
6366 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
6367
6368 AS_IF([test "x$ENABLED_AESCFB" = "xno" &&
6369 (test "$FIPS_VERSION" != "dev" || test "$enable_aescfb" != "no")],
6370 [ENABLED_AESCFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
6371
6372 AS_IF([test "x$ENABLED_AESXTS" = "xno" &&
6373 (test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "no")],
6374 [ENABLED_AESXTS="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS"])
6375 AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
6376 [AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
6377
6378 AS_IF([test "x$ENABLED_AESXTS_STREAM" = "xno" &&
6379 (test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
6380 [ENABLED_AESXTS_STREAM="yes"])
6381
6382 AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
6383 (test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
6384 (test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
6385 (test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
6386 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
6387
6388 AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
6389 (test "$FIPS_VERSION" != "dev" || test "$enable_aeskeywrap" != "no")],
6390 [ENABLED_AESKEYWRAP="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP"])
6391
6392# Post-Quantum section
6393 AS_IF([test "$ENABLED_MLKEM" != "yes" &&
6394 (test "$FIPS_VERSION" != "dev" || test "$enable_mlkem" != "no")],
6395 [ENABLED_MLKEM="yes"
6396 ENABLED_MLKEM512="yes"
6397 ENABLED_MLKEM768="yes"
6398 ENABLED_MLKEM1024="yes"
6399 ENABLED_MLKEM_MAKE_KEY="yes"
6400 ENABLED_MLKEM_ENCAPSULATE="yes"
6401 ENABLED_MLKEM_DECAPSULATE="yes"])
6402
6403 AS_IF([test "$ENABLED_DILITHIUM" != "yes" &&
6404 (test "$FIPS_VERSION" != "dev" || test "$enable_dilithium" != "no")],
6405 [ENABLED_DILITHIUM="yes"
6406 ENABLED_MLDSA44="yes"
6407 ENABLED_MLDSA65="yes"
6408 ENABLED_MLDSA87="yes"
6409 ENABLED_DILITHIUM_MAKE_KEY="yes"
6410 ENABLED_DILITHIUM_SIGN="yes"
6411 ENABLED_DILITHIUM_VERIFY="yes"])
6412
6413 AS_IF([test "$ENABLED_XMSS" != "yes" &&
6414 (test "$FIPS_VERSION" != "dev" || test "$enable_xmss" != "no")],
6415 [ENABLED_XMSS="yes"])
6416
6417 AS_IF([test "$ENABLED_LMS" != "yes" &&
6418 (test "$FIPS_VERSION" != "dev" || test "$enable_lms" != "no")],
6419 [ENABLED_LMS="yes"])
6420 # LMS: enable SHA-256/192 and SHAKE256 parameter sets for FIPS v7
6421 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"
6422
6423 AS_IF([test "$ENABLED_SLHDSA" != "yes" &&
6424 (test "$FIPS_VERSION" != "dev" || test "$enable_slhdsa" != "no")],
6425 [ENABLED_SLHDSA="yes"
6426 SLHDSA_PARAM_128S="yes"
6427 SLHDSA_PARAM_128F="yes"
6428 SLHDSA_PARAM_192S="yes"
6429 SLHDSA_PARAM_192F="yes"
6430 SLHDSA_PARAM_256S="yes"
6431 SLHDSA_PARAM_256F="yes"
6432 SLHDSA_SHA2="yes"
6433 SLHDSA_PARAM_SHA2_128S="yes"
6434 SLHDSA_PARAM_SHA2_128F="yes"
6435 SLHDSA_PARAM_SHA2_192S="yes"
6436 SLHDSA_PARAM_SHA2_192F="yes"
6437 SLHDSA_PARAM_SHA2_256S="yes"
6438 SLHDSA_PARAM_SHA2_256F="yes"])
6439
6440# SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
6441 AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" &&
6442 test "$FIPS_VERSION" != "dev"],
6443 [AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode. Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
6444
6445# SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
6446 AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" &&
6447 test "$FIPS_VERSION" != "dev"],
6448 [AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode. Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
6449
6450# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
6451 AS_IF([test "$ENABLED_OLD_TLS" != "no"],
6452 [AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
6453 ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
6454
6455 ],
6456
6457 [v6],[ # FIPS 140-3 SRTP-KDF (frozen)
6458
6459 AM_CFLAGS="$AM_CFLAGS \
6460 -DHAVE_FIPS \
6461 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
6462 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
6463 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
6464 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
6465 -DHAVE_ECC_CDH \
6466 -DWC_RSA_NO_PADDING \
6467 -DECC_USER_CURVES \
6468 -DHAVE_ECC384 \
6469 -DHAVE_ECC521 \
6470 -DWOLFSSL_VALIDATE_FFC_IMPORT \
6471 -DHAVE_FFDHE_Q \
6472 -DHAVE_FFDHE_3072 \
6473 -DHAVE_FFDHE_4096 \
6474 -DHAVE_FFDHE_6144 \
6475 -DHAVE_FFDHE_8192"
6476
6477 # KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
6478 AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
6479 [AM_CFLAGS="$AM_CFLAGS \
6480 -DWC_RNG_SEED_CB \
6481 -DWOLFSSL_ECDSA_SET_K \
6482 -DWOLFSSL_VALIDATE_ECC_IMPORT \
6483 -DWOLFSSL_VALIDATE_ECC_KEYGEN \
6484 -DHAVE_ECC192 \
6485 -DHAVE_ECC224 \
6486 -DHAVE_ECC256"])
6487
6488 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
6489# optimizations section
6490
6491# protocol section
6492 AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
6493 (test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
6494 [enable_ssh="yes"])
6495
6496 AS_IF([test "$ENABLED_HKDF" != "yes" &&
6497 (test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
6498 [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
6499
6500 AS_IF([test "x$ENABLED_PWDBASED" = "xno" &&
6501 (test "$FIPS_VERSION" != "dev" || test "$enable_pwdbased" != "no")],
6502 [ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2 -DHAVE_AESGCM"])
6503
6504 AS_IF([test "x$ENABLED_SRTP" = "xno" &&
6505 (test "$FIPS_VERSION" != "dev" || test "$enable_srtp" != "no")],
6506 [ENABLED_SRTP="yes"])
6507 AS_IF([test "x$ENABLED_SRTP_KDF" = "xno" &&
6508 (test "$FIPS_VERSION" != "dev" || test "$enable_srtp_kdf" != "no")],
6509 [ENABLED_SRTP_KDF="yes"])
6510
6511# public key section
6512 AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
6513 (test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
6514 [ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
6515
6516# AS_IF([test "$ENABLED_COMPKEY" != "yes" &&
6517# (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
6518# [ENABLED_COMPKEY="yes"])
6519
6520 AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
6521 (test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
6522 [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
6523
6524 AS_IF([test "$ENABLED_ECC" != "yes" &&
6525 (test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
6526 [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
6527 AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes"],
6528 [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
6529
6530 AS_IF([test "$ENABLED_ED25519" = "no" &&
6531 (test "$FIPS_VERSION" != "dev" || test "$enable_ed25519" != "no")],
6532 [ENABLED_ED25519="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT"])
6533
6534 AS_IF([test "$ENABLED_CURVE25519" != "no" &&
6535 (test "$FIPS_VERSION" != "dev" || test "$enable_curve25519" = "")],
6536 [ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS"])
6537
6538 AS_IF([test "x$ENABLED_ED448" != "xyes" &&
6539 (test "$FIPS_VERSION" != "dev" || test "$enable_ed448" != "no")],
6540 [ENABLED_ED448="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT"])
6541
6542 AS_IF([test "$ENABLED_CURVE448" != "no" &&
6543 (test "$FIPS_VERSION" != "dev" || test "$enable_curve448" = "")],
6544 [ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS"])
6545
6546 AS_IF([test "x$ENABLED_ED25519_STREAM" != "xyes" &&
6547 (test "$FIPS_VERSION" != "dev" || test "$enable_ed25519_stream" != "no")],
6548 [ENABLED_ED25519_STREAM="yes"])
6549 AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes" &&
6550 (test "$FIPS_VERSION" != "dev" || test "$enable_ed448_stream" != "no")],
6551 [ENABLED_ED448_STREAM="yes"])
6552
6553 AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
6554 test "$FIPS_VERSION" != "dev"],
6555 [AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
6556 ENABLED_ECCCUSTCURVES="no"])
6557
6558# Hashing section
6559 AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
6560 (test "$FIPS_VERSION" != "dev" || test "$enable_sha3" != "no")],
6561 [ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
6562
6563 AS_IF([test "$ENABLED_SHA224" != "yes" &&
6564 (test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
6565 [ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
6566
6567 AS_IF([test "$ENABLED_SHA512" = "no" &&
6568 (test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
6569 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
6570
6571 # SHA512-224 and SHA512-256 are not in-boundary in FIPS v6.
6572 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
6573
6574 # Shake128 because we're testing SHAKE256
6575 AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
6576 (test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "no")],
6577 [ENABLED_SHAKE128="yes"])
6578
6579 # Shake256 mandated for ED448
6580 AS_IF([test "x$ENABLED_SHAKE256" = "xno" &&
6581 (test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "no")],
6582 [ENABLED_SHAKE256="yes"])
6583
6584# Aes section
6585 AS_IF([test "$ENABLED_AESCCM" != "yes" &&
6586 (test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
6587 [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
6588
6589 AS_IF([test "$ENABLED_AESCTR" != "yes" &&
6590 (test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
6591 [ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
6592
6593 AS_IF([test "$ENABLED_CMAC" != "yes" &&
6594 (test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
6595 [ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
6596
6597 AS_IF([test "$ENABLED_AESGCM" = "no" &&
6598 (test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
6599 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
6600
6601 AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
6602 (test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "no")],
6603 [ENABLED_AESGCM_STREAM="yes"])
6604
6605 AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
6606 (test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
6607 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
6608
6609 AS_IF([test "x$ENABLED_AESCFB" = "xno" &&
6610 (test "$FIPS_VERSION" != "dev" || test "$enable_aescfb" != "no")],
6611 [ENABLED_AESCFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"])
6612
6613 AS_IF([test "x$ENABLED_AESXTS" = "xno" &&
6614 (test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "no")],
6615 [ENABLED_AESXTS="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS"])
6616 AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
6617 [AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
6618
6619 AS_IF([test "x$ENABLED_AESXTS_STREAM" = "xno" &&
6620 (test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
6621 [ENABLED_AESXTS_STREAM="yes"])
6622
6623 AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
6624 (test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
6625 (test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
6626 (test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
6627 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
6628
6629 AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
6630 (test "$FIPS_VERSION" != "dev" || test "$enable_aeskeywrap" != "no")],
6631 [ENABLED_AESKEYWRAP="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP"])
6632
6633# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
6634 AS_IF([test "$ENABLED_OLD_TLS" != "no"],
6635 [AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
6636 ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
6637
6638 ],
6639
6640 [lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
6641
6642 AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-dev"],
6643 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
6644 AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-ready"],
6645 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
6646
6647 AM_CFLAGS="$AM_CFLAGS \
6648 -DHAVE_FIPS \
6649 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
6650 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
6651 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
6652 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
6653 -DNO_BIG_INT \
6654 -DWC_RNG_SEED_CB \
6655 -DNO_PBKDF2"
6656
6657# optimizations section
6658
6659# protocol section
6660 AS_IF([test "$ENABLED_CRYPTONLY" != "yes" && test "$enable_cryptonly" != "no"],
6661 [ENABLED_CRYPTONLY="yes"; enable_cryptonly="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"])
6662
6663 AS_IF([test "$ENABLED_TLS" != "no" && test "$enable_tls" != "yes"],
6664 [ENABLED_TLS="no"; enable_tls="no"; AM_CFLAGS="$AM_CFLAGS -DNO_TLS"])
6665
6666 AS_IF([test "$ENABLED_TLSV12" != "no" && test "$enable_tlsv12" != "yes"],
6667 [ENABLED_TLSV12="no"; enable_tlsv12="no"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_TLS12"])
6668
6669 AS_IF([test "$ENABLED_ASN" != "no" && test "$enable_asn" != "yes"],
6670 [ENABLED_ASN="no"; enable_asn="no"; AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"])
6671
6672 AS_IF([test "$ENABLED_SEND_HRR_COOKIE" != "no" && test "$enable_hrrcookie" != "yes"],
6673 [ENABLED_SEND_HRR_COOKIE="no"; enable_hrrcookie="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SEND_HRR_COOKIE"])
6674
6675 AS_IF([test "$ENABLED_WOLFSSH" != "no" && test "$enable_ssh" != "yes"],
6676 [ENABLED_WOLFSSH="no"; enable_ssh="no"])
6677
6678 AS_IF([test "$ENABLED_HKDF" != "no" &&
6679 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_hkdf" != "yes")],
6680 [enable_hkdf="no"; ENABLED_HKDF="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_HKDF"])
6681
6682 AS_IF([test "$ENABLED_PWDBASED" != "no" &&
6683 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_pwdbased" != "yes")],
6684 [enable_pwdbased="no"; ENABLED_PWDBASED="no"])
6685
6686 AS_IF([test "$ENABLED_SRTP" != "no" &&
6687 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp" != "yes")],
6688 [enable_srtp="no"; ENABLED_SRTP="no"])
6689
6690 AS_IF([test "$ENABLED_SRTP_KDF" != "no" &&
6691 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp_kdf" != "yes")],
6692 [enable_srtp_kdf="no"; ENABLED_SRTP_KDF="no"])
6693
6694 AS_IF([test "$ENABLED_PKCS8" != "no" && test "$enable_pkcs8" != "yes"],
6695 [enable_pkcs8="no"; ENABLED_PKCS8="no"; AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"])
6696
6697# public key section
6698
6699 AS_IF([test "$ENABLED_SP_MATH_ALL" != "no" &&
6700 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sp_math_all" != "yes")],
6701 [enable_sp_math_all="no"; ENABLED_SP_MATH_ALL="no"])
6702
6703 AS_IF([test "$ENABLED_KEYGEN" != "no" &&
6704 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_keygen" != "yes")],
6705 [enable_keygen="no"; ENABLED_KEYGEN="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_KEY_GEN"])
6706
6707 AS_IF([test "$ENABLED_COMPKEY" != "no" &&
6708 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_compkey" != "yes")],
6709 [enable_compkey="no"; ENABLED_COMPKEY="no"])
6710
6711 AS_IF([test "$ENABLED_RSA" != "no" &&
6712 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsa" != "yes")],
6713 [enable_rsa="no"; ENABLED_RSA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_RSA"])
6714
6715 AS_IF([test "$ENABLED_RSAPSS" != "no" &&
6716 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsapss" != "yes")],
6717 [enable_rsapss="no"; ENABLED_RSAPSS="no"; AM_CFLAGS="$AM_CFLAGS -UWC_RSA_PSS"])
6718
6719 AS_IF([test "$ENABLED_DH" != "no" &&
6720 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_dh" != "yes")],
6721 [enable_dh="no"; ENABLED_DH="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
6722
6723 AS_IF([test "$ENABLED_ECC" != "no" &&
6724 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ecc" != "yes")],
6725 [enable_ecc="no"; ENABLED_ECC="no"; ENABLED_ECCMINSZ="n/a"; ENABLED_ECC_SHAMIR="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ECC -UTFM_ECC256 -UECC_MIN_KEY_SZ -UECC_SHAMIR"])
6726
6727 AS_IF([test "$ENABLED_ED25519" != "no" &&
6728 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519" != "yes")],
6729 [enable_ed25519="no"; ENABLED_ED25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED25519 -UHAVE_ED25519_KEY_IMPORT"])
6730 AS_IF([test "$ENABLED_CURVE25519" != "no" &&
6731 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve25519" != "yes")],
6732 [enable_curve25519="no"; ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE25519"])
6733
6734 AS_IF([test "$ENABLED_ED448" != "no" &&
6735 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448" != "yes")],
6736 [enable_ed448="no"; ENABLED_ED448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED448 -UHAVE_ED448_KEY_IMPORT"])
6737 AS_IF([test "$ENABLED_CURVE448" != "no" &&
6738 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve448" != "yes")],
6739 [enable_curve448="no"; ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE448"])
6740
6741 AS_IF([test "$ENABLED_ED25519_STREAM" != "no" &&
6742 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519_stream" != "yes")],
6743 [enable_ed25519_stream="no"; ENABLED_ED25519_STREAM="no"])
6744 AS_IF([test "$ENABLED_ED448_STREAM" != "no" &&
6745 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448_stream" != "yes")],
6746 [enable_ed448_stream="no"; ENABLED_ED448_STREAM="no"])
6747
6748 AS_IF([test "$ENABLED_ECCCUSTCURVES" != "no" &&
6749 test "$FIPS_VERSION" != "lean-aesgcm-dev"],
6750 [ENABLED_ECCCUSTCURVES="no"])
6751
6752# Hashing section
6753 AS_IF([test "$ENABLED_SHA" != "no" &&
6754 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha" != "yes")],
6755 [enable_sha="no"; ENABLED_SHA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_SHA"])
6756
6757 AS_IF([test "$ENABLED_SHA256" = "no" &&
6758 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha256" != "no")],
6759 [enable_sha256="yes"; ENABLED_SHA256="yes"; AM_CFLAGS="$AM_CFLAGS -UNO_SHA256"])
6760
6761 AS_IF([test "$ENABLED_SHA3" != "no" &&
6762 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha3" != "yes")],
6763 [enable_sha3="no"; ENABLED_SHA3="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA3"])
6764
6765 AS_IF([test "$ENABLED_SHAKE128" != "no" &&
6766 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake128" != "yes")],
6767 [enable_shake128="no"; ENABLED_SHAKE128="no"])
6768
6769 AS_IF([test "$ENABLED_SHAKE256" != "no" &&
6770 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake256" != "yes")],
6771 [enable_shake256="no"; ENABLED_SHAKE256="no"])
6772
6773 AS_IF([test "$ENABLED_SHA224" != "no" &&
6774 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha224" != "yes")],
6775 [enable_sha224="no"; ENABLED_SHA224="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA224"])
6776
6777 AS_IF([test "$ENABLED_SHA384" != "no" &&
6778 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha384" != "yes")],
6779 [enable_sha384="no"; ENABLED_SHA384="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA384 -UWOLFSSL_SHA384"])
6780
6781 AS_IF([test "$ENABLED_SHA512" != "no" &&
6782 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
6783 [enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
6784
6785 # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
6786 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
6787
6788 AS_IF([test "$ENABLED_SHAKE128" != "no" &&
6789 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake128" != "yes")],
6790 [enable_shake128="no"; ENABLED_SHAKE128="no"])
6791
6792 AS_IF([test "$ENABLED_SHAKE256" != "no" &&
6793 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake256" != "yes")],
6794 [enable_shake256="no"; ENABLED_SHAKE256="no"])
6795
6796 AS_IF([test "$ENABLED_MLKEM" != "no" &&
6797 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_mlkem" != "yes")],
6798 [enable_mlkem="no"; ENABLED_MLKEM="no"])
6799
6800 AS_IF([test "$ENABLED_MD5" != "no" &&
6801 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_md5" != "yes")],
6802 [enable_md5="no"; ENABLED_MD5="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5"])
6803
6804# Aes section
6805 AS_IF([test "$ENABLED_AESCBC" != "no" &&
6806 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescbc" != "yes")],
6807 [enable_aescbc="no"; ENABLED_AESCBC="no"; AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"])
6808
6809 AS_IF([test "$ENABLED_AESCCM" != "no" &&
6810 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesccm" != "yes")],
6811 [enable_aesccm="no"; ENABLED_AESCCM="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AESCCM"])
6812
6813 AS_IF([test "$ENABLED_AESCTR" != "no" &&
6814 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesctr" != "yes")],
6815 [enable_aesctr="no"; ENABLED_AESCTR="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_COUNTER"])
6816
6817 AS_IF([test "$ENABLED_CMAC" != "no" &&
6818 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_cmac" != "yes")],
6819 [enable_cmac="no"; ENABLED_CMAC="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_CMAC"])
6820
6821 AS_IF([test "$ENABLED_AESGCM" = "no" &&
6822 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm" != "no")],
6823 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
6824
6825 AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
6826 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm_stream" != "no")],
6827 [ENABLED_AESGCM_STREAM="yes"])
6828
6829 AS_IF([test "$ENABLED_AESOFB" != "no" &&
6830 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesofb" != "yes")],
6831 [enable_aesofb="no"; ENABLED_AESOFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_OFB"])
6832
6833 AS_IF([test "$ENABLED_AESCFB" != "no" &&
6834 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescfb" != "yes")],
6835 [enable_aescfb="no"; ENABLED_AESCFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_CFB"])
6836
6837 AS_IF([test "$ENABLED_AESXTS" != "no" &&
6838 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts" != "yes")],
6839 [enable_aesxts="no"; ENABLED_AESXTS="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_XTS"])
6840 AS_IF([test "$ENABLED_AESXTS" = "yes" && test "$ENABLED_AESNI" = "yes"],
6841 [AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
6842
6843 AS_IF([test "$ENABLED_AESXTS_STREAM" != "no" &&
6844 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts_stream" != "yes")],
6845 [enable_aesxts_stream="no"; ENABLED_AESXTS_STREAM="no"])
6846
6847 AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
6848 (test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
6849 (test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
6850 (test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
6851 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
6852
6853 AS_IF([test "$ENABLED_AESKEYWRAP" != "no" &&
6854 (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aeskeywrap" != "yes")],
6855 [enable_aeskeywrap="no"; ENABLED_AESKEYWRAP="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AES_KEYWRAP"])
6856
6857# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
6858 AS_IF([test "$ENABLED_OLD_TLS" != "no"],
6859 [AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
6860 ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
6861
6862 ],
6863
6864 [v5*], [ # FIPS 140-3
6865
6866 AM_CFLAGS="$AM_CFLAGS \
6867 -DHAVE_FIPS \
6868 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
6869 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
6870 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
6871 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
6872 -DHAVE_ECC_CDH \
6873 -DWC_RSA_NO_PADDING \
6874 -DECC_USER_CURVES \
6875 -DHAVE_ECC384 \
6876 -DHAVE_ECC521 \
6877 -DWOLFSSL_VALIDATE_FFC_IMPORT \
6878 -DHAVE_FFDHE_Q \
6879 -DHAVE_FFDHE_3072 \
6880 -DHAVE_FFDHE_4096 \
6881 -DHAVE_FFDHE_6144 \
6882 -DHAVE_FFDHE_8192"
6883
6884 # KCAPI API does not support custom k for sign, don't force enable ECC key sizes and do not use seed callback
6885 AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
6886 [AM_CFLAGS="$AM_CFLAGS \
6887 -DWC_RNG_SEED_CB \
6888 -DWOLFSSL_ECDSA_SET_K \
6889 -DWOLFSSL_VALIDATE_ECC_IMPORT \
6890 -DWOLFSSL_VALIDATE_ECC_KEYGEN \
6891 -DHAVE_ECC192 \
6892 -DHAVE_ECC224 \
6893 -DHAVE_ECC256"])
6894
6895 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
6896
6897 # force various features to FIPS 140-3 defaults, unless overridden with dev:
6898
6899 AS_IF([test "$ENABLED_KEYGEN" != "yes" &&
6900 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
6901 [ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
6902
6903 AS_IF([test "$ENABLED_SHA224" != "yes" &&
6904 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha224" != "no")],
6905 [ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
6906
6907 AS_IF([test "$ENABLED_SHA3" != "yes" &&
6908 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha3" != "no")],
6909 [ENABLED_SHA3="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"])
6910
6911 AS_IF([test "$ENABLED_WOLFSSH" != "yes" &&
6912 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_ssh" != "no")],
6913 [enable_ssh="yes"])
6914
6915 # Shake128 is a SHA-3 algorithm outside the v5 FIPS algorithm list
6916 AS_IF([test "$ENABLED_SHAKE128" != "no" &&
6917 ! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_shake128" = "yes")],
6918 [AC_MSG_WARN([Forcing off shake128 for FIPS ${FIPS_VERSION}.])
6919 ENABLED_SHAKE128=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"])
6920
6921 # Shake256 is a SHA-3 algorithm outside the v5 FIPS algorithm list
6922 AS_IF([test "$ENABLED_SHAKE256" != "no" &&
6923 ! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_shake256" = "yes")],
6924 [AC_MSG_WARN([Forcing off shake256 for FIPS ${FIPS_VERSION}.])
6925 ENABLED_SHAKE256=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"])
6926
6927 # SHA512-224 and SHA512-256 are SHA-2 algorithms outside the v5 FIPS algorithm list
6928 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
6929
6930 AS_IF([test "$ENABLED_AESCCM" != "yes" &&
6931 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesccm" != "no")],
6932 [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
6933
6934 AS_IF([test "$ENABLED_AESXTS" = "yes" &&
6935 ! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_aesxts" = "yes")],
6936 [AC_MSG_WARN([Forcing off aesxts for FIPS ${FIPS_VERSION}.])
6937 ENABLED_AESXTS="no"])
6938
6939 AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
6940 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_rsapss" != "no")],
6941 [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
6942
6943 AS_IF([test "$ENABLED_ECC" != "yes" &&
6944 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_ecc" != "no")],
6945 [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
6946 AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes" &&
6947 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_eccshamir" != "no")],
6948 [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
6949
6950 AS_IF([test "$ENABLED_AESCTR" != "yes" &&
6951 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesctr" != "no")],
6952 [ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
6953
6954 AS_IF([test "$ENABLED_CMAC" != "yes" &&
6955 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_cmac" != "no")],
6956 [ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
6957
6958 AS_IF([test "$ENABLED_HKDF" != "yes" &&
6959 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_hkdf" != "no")],
6960 [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
6961
6962 AS_IF([test "$ENABLED_INTELASM" = "yes"],
6963 [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
6964
6965 AS_IF([test "$ENABLED_SHA512" = "no" &&
6966 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha512" != "no")],
6967 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
6968
6969 AS_IF([test "$ENABLED_AESGCM" = "no" &&
6970 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm" != "no")],
6971 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
6972
6973 # AES-GCM streaming isn't part of the v5 FIPS suite.
6974 AS_IF([test "$ENABLED_AESGCM_STREAM" = "yes" &&
6975 ! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_aesgcm_stream" = "yes")],
6976 [AC_MSG_WARN([Forcing off aesgcm-stream for FIPS ${FIPS_VERSION}.])
6977 ENABLED_AESGCM_STREAM="no"])
6978
6979 # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
6980 AS_IF([test "$ENABLED_OLD_TLS" != "no"],
6981 [AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
6982 ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
6983
6984 AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
6985 [AS_IF([test "x$ENABLED_AESOFB" = "xno" &&
6986 (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
6987 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])
6988
6989 AS_IF([test "$ENABLED_SRTP" != "no" &&
6990 ! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_srtp" = "yes")],
6991 [AC_MSG_WARN([Forcing off srtp for FIPS ${FIPS_VERSION}.])
6992 ENABLED_SRTP="no"])
6993
6994 AS_IF([test "$ENABLED_SRTP_KDF" != "no" &&
6995 ! (test "$FIPS_VERSION" = "v5-dev" && test "$enable_srtp_kdf" = "yes")],
6996 [AC_MSG_WARN([Forcing off srtp-kdf for FIPS ${FIPS_VERSION}.])
6997 ENABLED_SRTP_KDF="no"])
6998
6999 AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
7000 (test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
7001 (test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
7002 (test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes") ||
7003 (test "$ENABLED_AESXTS" != "no" && test "$HAVE_AESXTS_PORT" != "yes")],
7004 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
7005 ],
7006
7007 [v2],[ # FIPS 140-2, Cert 3389
7008 AM_CFLAGS="$AM_CFLAGS \
7009 -DHAVE_FIPS \
7010 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
7011 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
7012 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
7013 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
7014 -DWOLFSSL_KEY_GEN \
7015 -DWOLFSSL_SHA224 \
7016 -DWOLFSSL_AES_DIRECT \
7017 -DHAVE_AES_ECB \
7018 -DHAVE_ECC_CDH \
7019 -DWC_RSA_NO_PADDING \
7020 -DWOLFSSL_VALIDATE_FFC_IMPORT \
7021 -DHAVE_FFDHE_Q \
7022 -DHAVE_PUBLIC_FFDHE"
7023
7024 ENABLED_KEYGEN="yes"
7025 ENABLED_SHA224="yes"
7026 ENABLED_DES3="yes"
7027 # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
7028 ENABLED_SHAKE256=no
7029 # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
7030 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
7031 AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
7032 [ENABLED_AESCCM="yes"
7033 AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
7034 AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
7035 [ENABLED_RSAPSS="yes"
7036 AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
7037 AS_IF([test "x$ENABLED_ECC" != "xyes"],
7038 [ENABLED_ECC="yes"
7039 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
7040 AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
7041 [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
7042 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
7043 AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
7044 [ENABLED_AESCTR="yes"
7045 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
7046 AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
7047 [ENABLED_AESCTR="yes"
7048 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_COUNTER"])
7049 AS_IF([test "x$ENABLED_CMAC" != "xyes"],
7050 [ENABLED_CMAC="yes"
7051 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
7052 AS_IF([test "x$ENABLED_HKDF" != "xyes"],
7053 [ENABLED_HKDF="yes"
7054 AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
7055 AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
7056 [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
7057 AS_IF([test "x$ENABLED_SHA512" = "xno"],
7058 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
7059 AS_IF([test "x$ENABLED_AESGCM" = "xno"],
7060 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
7061 ],
7062
7063 ["rand"],[
7064 AM_CFLAGS="$AM_CFLAGS \
7065 -DWOLFCRYPT_FIPS_RAND \
7066 -DHAVE_FIPS \
7067 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
7068 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
7069 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
7070 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH"
7071 ],
7072
7073 ["v1"],[ # FIPS 140-2, Cert 2425
7074 AM_CFLAGS="$AM_CFLAGS \
7075 -DHAVE_FIPS \
7076 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
7077 -DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
7078 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
7079 -DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH"
7080 AS_IF([test "x$ENABLED_SHA512" = "xno"],
7081 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
7082 AS_IF([test "x$ENABLED_AESGCM" = "xno"],
7083 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
7084 AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
7085 ])
7086
7087AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno" && test "$ENABLE_LINUXKM" = "no"],
7088 [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
7089
7090AS_IF([(test "$ENABLED_NULL_CIPHER" = "yes" || test "$ENABLED_LEANPSK" = "yes") && test "$ENABLED_FIPS" != "no" && test "$FIPS_VERSION" != "dev" && test "$FIPS_VERSION" != "v5-dev"],
7091 [AC_MSG_ERROR([FIPS is incompatible with nullcipher])])
7092
7093# SELFTEST
7094AC_ARG_ENABLE([selftest],
7095 [AS_HELP_STRING([--enable-selftest],[Enable selftest, Will NOT work w/o CAVP selftest license (default: disabled)])],
7096 [ ENABLED_SELFTEST=$enableval ],
7097 [ ENABLED_SELFTEST="no" ]
7098 )
7099
7100AS_CASE([$ENABLED_SELFTEST],
7101 ["v2"],[
7102 # selftest v2 (wolfCrypt 4.1.0)
7103 ENABLED_SELFTEST="yes"
7104 SELFTEST_VERSION="v2"
7105 ],
7106 ["no"],[SELFTEST_VERSION="none"],
7107 [
7108 # selftest v1 (wolfCrypt 3.14.2)
7109 ENABLED_SELFTEST="yes"
7110 SELFTEST_VERSION="v1"
7111 ])
7112
7113AS_IF([test "x$ENABLED_SELFTEST" = "xyes" && test ! -s "${srcdir}/wolfcrypt/src/selftest.c"],
7114 [AC_MSG_ERROR([selftest.c is missing, --enable-selftest requires the CAVP selftest source])])
7115
7116AS_CASE([$SELFTEST_VERSION],
7117 ["v2"],[
7118 AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST -DHAVE_SELFTEST_VERSION=2 -DHAVE_PUBLIC_FFDHE"
7119 ],
7120 ["v1"],[
7121 AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST -DHAVE_PUBLIC_FFDHE"
7122 ])
7123
7124
7125# Set ML-KEM flags
7126
7127if test "$ENABLED_MLKEM" != "no"
7128then
7129 if test "$ENABLED_SHA3" = "no"
7130 then
7131 AC_MSG_NOTICE([MLKEM enabled (not explicitly disabled); overriding --disable-sha3 to enable SHA-3])
7132 ENABLED_SHA3=yes
7133 enable_sha3=yes
7134 fi
7135
7136 if test "$ENABLED_SHAKE128" = "no"
7137 then
7138 AC_MSG_WARN([MLKEM enabled (not explicitly disabled); overriding --disable-shake128 to enable SHAKE128])
7139 ENABLED_SHAKE128=yes
7140 fi
7141
7142 if test "$ENABLED_SHAKE256" = "no"
7143 then
7144 AC_MSG_WARN([MLKEM enabled (not explicitly disabled); overriding --disable-shake256 to enable SHAKE256])
7145 ENABLED_SHAKE256=yes
7146 fi
7147fi
7148
7149ENABLED_ML_KEM=unset
7150ENABLED_MLKEM_MAKE_KEY=no
7151ENABLED_MLKEM_ENCAPSULATE=no
7152ENABLED_MLKEM_DECAPSULATE=no
7153for v in `echo $ENABLED_MLKEM | tr "," " "`
7154do
7155 case $v in
7156 yes)
7157 ENABLED_MLKEM512=yes
7158 ENABLED_MLKEM768=yes
7159 ENABLED_MLKEM1024=yes
7160 ENABLED_MLKEM_MAKE_KEY=yes
7161 ENABLED_MLKEM_ENCAPSULATE=yes
7162 ENABLED_MLKEM_DECAPSULATE=yes
7163 ;;
7164 all)
7165 ENABLED_MLKEM_MAKE_KEY=yes
7166 ENABLED_MLKEM_ENCAPSULATE=yes
7167 ENABLED_MLKEM_DECAPSULATE=yes
7168 ENABLED_ML_KEM=yes
7169 ENABLED_ORIGINAL=yes
7170 ;;
7171 no)
7172 ;;
7173 small)
7174 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_SMALL"
7175 ;;
7176 no-large-code)
7177 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_LARGE_CODE"
7178 ;;
7179 cache-a)
7180 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_CACHE_A"
7181 ;;
7182 512)
7183 ENABLED_MLKEM512=yes
7184 ;;
7185 768)
7186 ENABLED_MLKEM768=yes
7187 ;;
7188 1024)
7189 ENABLED_MLKEM1024=yes
7190 ;;
7191 make)
7192 ENABLED_MLKEM_MAKE_KEY=yes
7193 ;;
7194 encapsulate|enc)
7195 ENABLED_MLKEM_ENCAPSULATE=yes
7196 ;;
7197 decapsulate|dec)
7198 ENABLED_MLKEM_DECAPSULATE=yes
7199 ;;
7200 original|kyber)
7201 ENABLED_ORIGINAL=yes
7202 ;;
7203 ml-kem)
7204 ENABLED_ML_KEM=yes
7205 ;;
7206 noasm)
7207 AM_CFLAGS="$AM_CFLAGS -DWC_MLKEM_NO_ASM"
7208 ;;
7209 *)
7210 AC_MSG_ERROR([Invalid choice for MLKEM []: $ENABLED_MLKEM.])
7211 break;;
7212 esac
7213done
7214
7215# Selftest uses its own random.c which doesn't support SHA-512 DRBG
7216# or runtime DRBG disable/enable APIs
7217AS_IF([test "x$ENABLED_SELFTEST" = "xyes"],
7218 [ENABLED_SHA512_DRBG=no])
7219
7220AS_IF([test "x$ENABLED_AESXTS" = "xyes"],
7221 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_XTS -DWOLFSSL_AES_DIRECT"])
7222AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_INTELASM" = "xyes"],
7223 [AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
7224AS_IF([test "x$ENABLED_AESXTS" = "xyes" && test "x$ENABLED_AESNI" = "xyes"],
7225 [AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
7226
7227# ECC Custom Curves
7228if test "$ENABLED_ECCCUSTCURVES" != "no"
7229then
7230 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CUSTOM_CURVES"
7231
7232 # For distro, all or ecccustcurves=all builds, enable all curve types
7233 if test "$ENABLED_DISTRO" = "yes" || test "$ENABLED_ALL" = "yes" || test "$ENABLED_ECCCUSTCURVES" = "all"
7234 then
7235 # Enable ECC SECPR2, SECPR3, BRAINPOOL and KOBLITZ curves
7236 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ"
7237
7238 # Enable ECC Cofactor support
7239 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_CDH"
7240
7241 # If fastmath enabled and on x86 use speedups
7242 if test "x$ENABLED_FASTMATH" = "xyes" && test "$host_cpu" = "x86_64" -o "$host_cpu" = "amd64"
7243 then
7244 AM_CFLAGS="$AM_CFLAGS -DTFM_ECC192 -DTFM_ECC224 -DTFM_ECC256 -DTFM_ECC384 -DTFM_ECC521"
7245 fi
7246 fi
7247fi
7248
7249# Curve448
7250if test "$ENABLED_CURVE448" != "no"
7251then
7252 if test "$ENABLED_CURVE448" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
7253 then
7254 AM_CFLAGS="$AM_CFLAGS -DCURVE448_SMALL"
7255 ENABLED_CURVE448_SMALL=yes
7256 ENABLED_CURVE448=yes
7257 fi
7258
7259 if test "$ENABLED_CURVE448" = "no128bit" || test "$ENABLED_32BIT" = "yes"
7260 then
7261 AM_CFLAGS="$AM_CFLAGS -DNO_CURVED448_128BIT"
7262 ENABLED_CURVE448=yes
7263 fi
7264
7265 AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE448"
7266 ENABLED_FE448=yes
7267 ENABLED_CERTS=yes
7268fi
7269
7270# Ed448
7271if test "$ENABLED_ED448" != "no"
7272then
7273 if test "$ENABLED_ED448" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
7274 then
7275 AM_CFLAGS="$AM_CFLAGS -DED448_SMALL"
7276 ENABLED_ED448_SMALL=yes
7277 ENABLED_CURVE448_SMALL=yes
7278 ENABLED_ED448=yes
7279 fi
7280
7281 if test "$ENABLED_SHA512" = "no"
7282 then
7283 AC_MSG_ERROR([cannot enable ed448 without enabling sha512.])
7284 fi
7285 if test "x$HAVE_FIPS_VERSION" = "x2"
7286 then
7287 AC_MSG_ERROR([cannot enable ed448 w/ dependency shake256 in FIPSv2 mode])
7288 fi
7289 ENABLED_FE448=yes
7290 ENABLED_GE448=yes
7291 AM_CFLAGS="$AM_CFLAGS -DHAVE_ED448"
7292
7293 # EdDSA448 requires SHAKE256 which requires SHA-3
7294 if test "$ENABLED_SHA3" = "no"
7295 then
7296 ENABLED_SHA3=yes
7297 fi
7298 ENABLED_SHAKE256=yes
7299
7300 ENABLED_CERTS=yes
7301fi
7302
7303if test "$ENABLED_ED448_STREAM" != "no"
7304then
7305 if test "$ENABLED_ED448" = "no"
7306 then
7307 AC_MSG_ERROR([ED448 verify streaming enabled but ED448 is disabled])
7308 else
7309 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
7310 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
7311 fi
7312fi
7313
7314
7315# SRTP-KDF
7316if test "$ENABLED_SRTP" = "yes"
7317then
7318 ENABLED_SRTP_KDF="yes"
7319fi
7320if test "$ENABLED_SRTP_KDF" = "yes"
7321then
7322 AM_CFLAGS="$AM_CFLAGS -DWC_SRTP_KDF -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
7323fi
7324
7325# ML-KEM and Dilithium require SHA-3 and SHAKE -- force them on before flag
7326# processing so that the correct -D flags are emitted.
7327if test "$ENABLED_MLKEM" != "no"
7328then
7329 ENABLED_SHA3=yes
7330 ENABLED_SHAKE128=yes
7331 ENABLED_SHAKE256=yes
7332fi
7333if test "$ENABLED_DILITHIUM" != "no"
7334then
7335 ENABLED_SHA3=yes
7336 ENABLED_SHAKE128=yes
7337 ENABLED_SHAKE256=yes
7338fi
7339
7340# Set SHA-3 flags
7341if test "$ENABLED_SHA3" != "no"
7342then
7343 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
7344fi
7345
7346# Set SHAKE128 flags
7347# FIPS traditionally does not support SHAKE 128, v6 does
7348AS_IF([test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 6],
7349 [ENABLED_SHAKE128="no"])
7350
7351if test "$ENABLED_SHAKE128" != "no"
7352then
7353 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE128"
7354 if test "$ENABLED_SHA3" = "no"
7355 then
7356 AC_MSG_ERROR([shake128 requires SHA-3: --enable-sha3])
7357 fi
7358else
7359 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"
7360fi
7361
7362# Set SHAKE256 flags
7363# FIPS traditionally does not support SHAKE 256, v6 does
7364AS_IF([test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 6],
7365 [ENABLED_SHAKE256="no"])
7366
7367if test "$ENABLED_SHAKE256" != "no"
7368then
7369 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
7370 if test "$ENABLED_SHA3" = "no"
7371 then
7372 AC_MSG_ERROR([shake256 requires SHA-3: --enable-sha3])
7373 fi
7374else
7375 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
7376fi
7377
7378# MLKEM CFLAG processing (after FIPS section for sandwich pattern)
7379if test "$ENABLED_MLKEM" != "no"
7380then
7381 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLKEM"
7382 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_MLKEM"
7383
7384 if test "$ENABLED_ORIGINAL" = "yes"; then
7385 # FIPS 203 (ML-KEM) and Kyber use different implicit rejection.
7386 # Kyber mode must not be used in FIPS v7+ builds.
7387 AS_IF([test "$HAVE_FIPS_VERSION" -ge 7],
7388 [AC_MSG_ERROR([Kyber (--enable-mlkem=original) is not compatible with FIPS v7+. Use ML-KEM (FIPS 203) instead.])])
7389 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_KYBER"
7390 if test "$ENABLED_MLKEM512" = ""; then
7391 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512"
7392 fi
7393 if test "$ENABLED_MLKEM768" = ""; then
7394 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768"
7395 fi
7396 if test "$ENABLED_MLKEM1024" = ""; then
7397 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024"
7398 fi
7399 if test "$ENABLED_ML_KEM" = "unset"; then
7400 ENABLED_ML_KEM=no
7401 fi
7402 fi
7403 if test "$ENABLED_ML_KEM" = "unset"; then
7404 ENABLED_ML_KEM=yes
7405 fi
7406 if test "$ENABLED_ML_KEM" = "yes"; then
7407 if test "$ENABLED_MLKEM512" = ""; then
7408 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512"
7409 fi
7410 if test "$ENABLED_MLKEM768" = ""; then
7411 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768"
7412 fi
7413 if test "$ENABLED_MLKEM1024" = ""; then
7414 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024"
7415 fi
7416 else
7417 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM"
7418 fi
7419 if test "$ENABLED_MLKEM_MAKE_KEY" = "no"; then
7420 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_MAKE_KEY"
7421 fi
7422 if test "$ENABLED_MLKEM_ENCAPSULATE" = "no"; then
7423 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_ENCAPSULATE"
7424 fi
7425 if test "$ENABLED_MLKEM_DECAPSULATE" = "no"; then
7426 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLKEM_NO_DECAPSULATE"
7427 fi
7428
7429 test "$enable_sha3" = "" && enable_sha3=yes
7430 test "$enable_shake128" = "" && enable_shake128=yes
7431 test "$enable_shake256" = "" && enable_shake256=yes
7432fi
7433
7434AC_ARG_ENABLE([tls-mlkem-standalone],
7435 [AS_HELP_STRING([--enable-tls-mlkem-standalone],[Enable ML-KEM as standalone TLS key exchange (non-hybrid) (default: disabled)])],
7436 [ ENABLED_MLKEM_STANDALONE=$enableval ],
7437 [ ENABLED_MLKEM_STANDALONE=no ]
7438 )
7439
7440AS_IF([ test "$ENABLED_MLKEM_STANDALONE" = "yes" && test "$ENABLED_ML_KEM" = "no" ],[AC_MSG_ERROR([ML-KEM as standalone TLS key exchange (non-hybrid) requires ML-KEM.])])
7441if test "$ENABLED_MLKEM_STANDALONE" != "yes"
7442then
7443 # Hybrid PQ/T groups all combine ML-KEM with an ECC/Curve25519/Curve448
7444 # base. If none of those is available, hybrids contribute no usable groups
7445 # for TLS 1.3 key exchange. In that case, auto-enable standalone ML-KEM so
7446 # TLS 1.3 has a functional KEM.
7447 if test "$ENABLED_MLKEM" = "yes" && test "$ENABLED_ML_KEM" != "no" && \
7448 test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && \
7449 test "x$ENABLED_CURVE448" = "xno"
7450 then
7451 AC_MSG_NOTICE([No ECC/Curve25519/Curve448 base for ML-KEM hybrids; auto-enabling standalone ML-KEM for TLS 1.3.])
7452 ENABLED_MLKEM_STANDALONE=yes
7453 else
7454 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_NO_MLKEM_STANDALONE"
7455 fi
7456fi
7457
7458AC_ARG_ENABLE([pqc-hybrids],
7459 [AS_HELP_STRING([--enable-pqc-hybrids],[Enable PQ/T hybrid combinations (default: enabled)])],
7460 [ ENABLED_PQC_HYBRIDS=$enableval ],
7461 [ ENABLED_PQC_HYBRIDS=yes ]
7462 )
7463
7464if test "$ENABLED_PQC_HYBRIDS" = "yes"
7465then
7466 if test "$ENABLED_ML_KEM" = "no" || test "$ENABLED_MLKEM" = "no"
7467 then
7468 ENABLED_PQC_HYBRIDS=no
7469 elif test "$ENABLED_MLKEM768" = "" && test "$ENABLED_MLKEM1024" = ""; then
7470 AC_MSG_NOTICE([PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024, but both disabled.])
7471 ENABLED_PQC_HYBRIDS=no
7472 else
7473 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PQC_HYBRIDS"
7474 fi
7475fi
7476
7477if test "$ENABLED_ML_KEM" != "no" && test "$ENABLED_MLKEM" != "no"
7478then
7479 if test "$ENABLED_PQC_HYBRIDS" = "no" && test "$ENABLED_MLKEM_STANDALONE" = "no" && test "$ENABLED_CRYPTONLY" = "no"
7480 then
7481 AC_MSG_ERROR([Both hybrid PQ/T and standalone ML-KEM are disabled, so no PQC hybrid combinations will be available.])
7482 fi
7483fi
7484
7485# Extra PQ/T Hybrid combinations
7486AC_ARG_ENABLE([extra-pqc-hybrids],
7487 [AS_HELP_STRING([--enable-extra-pqc-hybrids],[Enable extra PQ/T hybrid combinations (default: disabled)])],
7488 [ ENABLED_EXTRA_PQC_HYBRIDS=$enableval ],
7489 [ ENABLED_EXTRA_PQC_HYBRIDS=no ]
7490 )
7491
7492if test "$ENABLED_EXTRA_PQC_HYBRIDS" = "yes"
7493then
7494 AS_IF([ test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires --enable-experimental.]) ])
7495 AS_IF([ test "$ENABLED_ML_KEM" = "no" ],[ AC_MSG_ERROR([extra-pqc-hybrids requires ML-KEM.]) ])
7496 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS"
7497fi
7498
7499# Dilithium CFLAG processing (after FIPS section for sandwich pattern)
7500if test "$ENABLED_DILITHIUM" != "no"
7501then
7502 AM_CFLAGS="$AM_CFLAGS -DHAVE_DILITHIUM"
7503 AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_DILITHIUM"
7504
7505 if test "$ENABLED_MLDSA44" = ""; then
7506 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44"
7507 fi
7508 if test "$ENABLED_MLDSA65" = ""; then
7509 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_65"
7510 fi
7511 if test "$ENABLED_MLDSA87" = ""; then
7512 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87"
7513 fi
7514 if test "$ENABLED_DILITHIUM_MAKE_KEY" = "no"; then
7515 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_MAKE_KEY"
7516 fi
7517 if test "$ENABLED_DILITHIUM_SIGN" = "no"; then
7518 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_SIGN"
7519 fi
7520 if test "$ENABLED_DILITHIUM_VERIFY" = "no"; then
7521 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_VERIFY"
7522 fi
7523
7524 test "$enable_sha3" = "" && enable_sha3=yes
7525 test "$enable_shake128" = "" && enable_shake128=yes
7526 test "$enable_shake256" = "" && enable_shake256=yes
7527
7528 ENABLED_CERTS=yes
7529fi
7530
7531# XMSS CFLAG processing (after FIPS section for sandwich pattern)
7532if test "$ENABLED_XMSS" != "no"
7533then
7534 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_XMSS"
7535fi
7536
7537# LMS CFLAG processing (after FIPS section for sandwich pattern)
7538if test "$ENABLED_LMS" != "no"
7539then
7540 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_LMS"
7541fi
7542
7543# SLH-DSA CFLAG processing (after FIPS section for sandwich pattern)
7544if test "$ENABLED_SLHDSA" != "no"
7545then
7546 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SLHDSA"
7547 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SLHDSA"
7548
7549 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_SLHDSA"
7550
7551 if test "$SLHDSA_PARAM_128S" = "yes"
7552 then
7553 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128S"
7554 else
7555 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128S"
7556 fi
7557 if test "$SLHDSA_PARAM_128F" = "yes"
7558 then
7559 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_128F"
7560 else
7561 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_128F"
7562 fi
7563 if test "$SLHDSA_PARAM_192S" = "yes"
7564 then
7565 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192S"
7566 else
7567 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192S"
7568 fi
7569 if test "$SLHDSA_PARAM_192F" = "yes"
7570 then
7571 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_192F"
7572 else
7573 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_192F"
7574 fi
7575 if test "$SLHDSA_PARAM_256S" = "yes"
7576 then
7577 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256S"
7578 else
7579 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256S"
7580 fi
7581 if test "$SLHDSA_PARAM_256F" = "yes"
7582 then
7583 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_256F"
7584 else
7585 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_256F"
7586 fi
7587
7588 # SHA2 parameter set support
7589 if test "$SLHDSA_SHA2" = "yes"
7590 then
7591 # Dependency checks for SHA2 SLH-DSA
7592 if test "$ENABLED_SHA256" = "no"
7593 then
7594 AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-256 (--enable-sha256)])
7595 fi
7596 if test "$ENABLED_SHA512" = "no"
7597 then
7598 AC_MSG_ERROR([SLH-DSA SHA2 requires SHA-512 (--enable-sha512)])
7599 fi
7600 if test "$ENABLED_HMAC" = "no"
7601 then
7602 AC_MSG_ERROR([SLH-DSA SHA2 requires HMAC (--enable-hmac)])
7603 fi
7604
7605 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_SHA2"
7606
7607 if test "$SLHDSA_PARAM_SHA2_128S" = "yes"
7608 then
7609 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128S"
7610 else
7611 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128S"
7612 fi
7613 if test "$SLHDSA_PARAM_SHA2_128F" = "yes"
7614 then
7615 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_128F"
7616 else
7617 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_128F"
7618 fi
7619 if test "$SLHDSA_PARAM_SHA2_192S" = "yes"
7620 then
7621 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192S"
7622 else
7623 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192S"
7624 fi
7625 if test "$SLHDSA_PARAM_SHA2_192F" = "yes"
7626 then
7627 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_192F"
7628 else
7629 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_192F"
7630 fi
7631 if test "$SLHDSA_PARAM_SHA2_256S" = "yes"
7632 then
7633 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256S"
7634 else
7635 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256S"
7636 fi
7637 if test "$SLHDSA_PARAM_SHA2_256F" = "yes"
7638 then
7639 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_SHA2_256F"
7640 else
7641 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SLHDSA_PARAM_NO_SHA2_256F"
7642 fi
7643 fi
7644
7645 # SLH-DSA requires SHAKE-256 (and SHA-3 as its dependency).
7646 # This runs after the SHAKE256 flags section, so we must set both the
7647 # ENABLED variable and emit the CFLAGS ourselves.
7648 if test "$ENABLED_SHAKE256" = "no" || test "$ENABLED_SHAKE256" = ""
7649 then
7650 ENABLED_SHAKE256=yes
7651 if test "$ENABLED_SHA3" = "no"
7652 then
7653 ENABLED_SHA3=yes
7654 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
7655 fi
7656 # Remove -DWOLFSSL_NO_SHAKE256 if it was already added and add the
7657 # positive define.
7658 AM_CFLAGS=$(echo "$AM_CFLAGS" | sed 's/-DWOLFSSL_NO_SHAKE256//g')
7659 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
7660 fi
7661fi
7662
7663# set POLY1305 default
7664POLY1305_DEFAULT=yes
7665
7666if test "x$ENABLED_FIPS" = "xyes"
7667then
7668POLY1305_DEFAULT=no
7669fi
7670
7671# POLY1305
7672AC_ARG_ENABLE([poly1305],
7673 [AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: enabled)])],
7674 [ ENABLED_POLY1305=$enableval ],
7675 [ ENABLED_POLY1305=$POLY1305_DEFAULT]
7676 )
7677
7678# leanpsk and leantls don't need poly1305
7679if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
7680then
7681 ENABLED_POLY1305=no
7682fi
7683
7684if test "$ENABLED_POLY1305" = "yes"
7685then
7686 AM_CFLAGS="$AM_CFLAGS -DHAVE_POLY1305"
7687fi
7688
7689
7690# set CHACHA default
7691CHACHA_DEFAULT=yes
7692
7693if test "x$ENABLED_FIPS" = "xyes"
7694then
7695CHACHA_DEFAULT=no
7696fi
7697
7698# CHACHA
7699AC_ARG_ENABLE([chacha],
7700 [AS_HELP_STRING([--enable-chacha],[Enable CHACHA (default: enabled). Use `=noasm` to disable asm speedups])],
7701 [ ENABLED_CHACHA=$enableval ],
7702 [ ENABLED_CHACHA=$CHACHA_DEFAULT]
7703 )
7704
7705# leanpsk and leantls don't need chacha
7706if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
7707then
7708 ENABLED_CHACHA=no
7709fi
7710
7711if test "$ENABLED_CHACHA" = "noasm" || test "$ENABLED_ASM" = "no"
7712then
7713 AM_CFLAGS="$AM_CFLAGS -DNO_CHACHA_ASM"
7714fi
7715
7716if test "$ENABLED_CHACHA" != "no"
7717then
7718 AM_CFLAGS="$AM_CFLAGS -DHAVE_CHACHA"
7719 AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CHACHA"
7720fi
7721
7722
7723# XCHACHA
7724AC_ARG_ENABLE([xchacha],
7725 [AS_HELP_STRING([--enable-xchacha],[Enable XCHACHA (default: disabled).])],
7726 [ ENABLED_XCHACHA=$enableval ],
7727 [ ENABLED_XCHACHA=no]
7728 )
7729
7730if test "$ENABLED_XCHACHA" = "yes"
7731then
7732 if test "$ENABLED_CHACHA" = "no"
7733 then
7734 AC_MSG_ERROR([XChaCha (--enable-xchacha) depends on ChaCha (--enable-chacha)])
7735 fi
7736 AM_CFLAGS="$AM_CFLAGS -DHAVE_XCHACHA"
7737fi
7738
7739# ASCON
7740AC_ARG_ENABLE([ascon],
7741 [AS_HELP_STRING([--enable-ascon],[Enable ASCON (default: disabled).])],
7742 [ ENABLED_ASCON=$enableval ],
7743 [ ENABLED_ASCON=no]
7744 )
7745
7746if test "$ENABLED_ASCON" = "yes"
7747then
7748 AM_CFLAGS="$AM_CFLAGS -DHAVE_ASCON"
7749fi
7750
7751# PUF
7752AC_ARG_ENABLE([puf],
7753 [AS_HELP_STRING([--enable-puf],[Enable SRAM PUF support (default: disabled)])],
7754 [ ENABLED_PUF=$enableval ],
7755 [ ENABLED_PUF=no ]
7756 )
7757
7758if test "$ENABLED_PUF" = "yes"
7759then
7760 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUF -DWOLFSSL_PUF_SRAM"
7761 AS_IF([test "$ENABLED_HKDF" != "yes"],
7762 [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
7763fi
7764
7765# PUF test mode
7766AC_ARG_ENABLE([puf-test],
7767 [AS_HELP_STRING([--enable-puf-test],[Enable PUF test mode with synthetic data (default: disabled)])],
7768 [ ENABLED_PUF_TEST=$enableval ],
7769 [ ENABLED_PUF_TEST=no ]
7770 )
7771
7772if test "$ENABLED_PUF_TEST" = "yes"
7773then
7774 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUF_TEST"
7775fi
7776
# Hash DRBG: master switch for every Hash DRBG variant. The per-hash
# switches ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG are set outside
# this section.
AC_ARG_ENABLE([hashdrbg],
    [AS_HELP_STRING([--enable-hashdrbg],[Enable Hash DRBG support (default: enabled)])],
    [ ENABLED_HASHDRBG=$enableval ],
    [ ENABLED_HASHDRBG=yes ]
    )

# An explicit "no" on the master switch turns both variants off.
if test "x$ENABLED_HASHDRBG" = "xno"; then
    ENABLED_SHA256_DRBG=no
    ENABLED_SHA512_DRBG=no
fi

# With neither variant enabled the master switch is treated as off too.
if test "x$ENABLED_SHA256_DRBG" != "xyes" && test "x$ENABLED_SHA512_DRBG" != "xyes"; then
    ENABLED_HASHDRBG=no
fi

# FIPS override: a FIPS build that is not the "dev" version and does not
# use KCAPI gets the SHA-256 Hash DRBG forced back on. The warning is
# printed only when the user asked for --disable-hashdrbg.
if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" &&
   test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no"; then
    if test "$enable_hashdrbg" = "no"; then
        AC_MSG_WARN([SHA256-DRBG required in FIPS build])
    fi
    ENABLED_HASHDRBG=yes
    ENABLED_SHA256_DRBG=yes
fi

# SHA-512 DRBG and runtime DRBG disable/enable APIs are v7+ only.
# NOTE(review): HAVE_FIPS_VERSION is expanded unquoted, so an empty
# value makes this test error out and evaluate false - confirm it is
# always set when ENABLED_FIPS is yes.
# NOTE(review): this downgrade runs after the "both variants off" check
# above, so a FIPS build below v7 with the SHA-256 variant disabled
# appears to keep the master switch on with no variant left - confirm.
if test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 7; then
    ENABLED_SHA512_DRBG=no
fi

# Translate the final state into compiler flags. A disabled Hash DRBG is
# signalled explicitly with WC_NO_HASHDRBG.
if test "x$ENABLED_HASHDRBG" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_HASHDRBG"
    if test "x$ENABLED_SHA256_DRBG" != "xyes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHA256_DRBG"
    fi
    if test "x$ENABLED_SHA512_DRBG" = "xyes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DRBG_SHA512"
    fi
else
    AM_CFLAGS="$AM_CFLAGS -DWC_NO_HASHDRBG"
fi
7830
7831
# MemUse Entropy (AKA wolfEntropy).
# ENABLED_ENTROPY_MEMUSE is a comma separated list; every value except
# "no" enables the source and forces SHA-3 on through enable_sha3.
if test "x$ENABLED_ENTROPY_MEMUSE" != "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_ENTROPY_MEMUSE"
    enable_sha3=yes

    # Walk the list one word at a time. Unknown words stop configure so
    # that a mistyped option is not silently dropped.
    for v in `echo $ENABLED_ENTROPY_MEMUSE | tr "," " "`; do
        case $v in
            yes)
                ;;
            thread)
                AM_CFLAGS="$AM_CFLAGS -DENTROPY_MEMUSE_THREAD"
                ;;
            nofallback)
                AM_CFLAGS="$AM_CFLAGS -DENTROPY_MEMUSE_FORCE_FAILURE"
                ;;
            *)
                AC_MSG_ERROR([Invalid MemUse Entropy option. Valid are: thread, nofallback. Seen: $ENABLED_ENTROPY_MEMUSE.])
                break;;
        esac
    done
fi

# clock_gettime may live in librt; look for it when the RNG is built
# with MemUse entropy or when the benchmark is built.
if (test "$ENABLED_RNG" = "yes" && test "$ENABLED_ENTROPY_MEMUSE" != "no") || test "$ENABLED_BENCHMARK" = "yes"; then
    AC_SEARCH_LIBS([clock_gettime],[rt])
fi
7860
7861
# Filesystem build: on by default, off by default in kernel mode.
AS_IF([test "$HAVE_KERNEL_MODE" = "yes"],
    [ENABLED_FILESYSTEM_DEFAULT=no],
    [ENABLED_FILESYSTEM_DEFAULT=yes])
AC_ARG_ENABLE([filesystem],
    [AS_HELP_STRING([--enable-filesystem],[Enable Filesystem support (default: enabled)])],
    [ ENABLED_FILESYSTEM=$enableval ],
    [ ENABLED_FILESYSTEM=$ENABLED_FILESYSTEM_DEFAULT ]
    )

# NO_FILESYSTEM is emitted either on request or because lean PSK or the
# Linux kernel module build overrides the setting.
if test "$ENABLED_FILESYSTEM" = "no"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
elif test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LINUXKM" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
    ENABLED_FILESYSTEM=no
fi
7886
7887
# C89 build. This section must stay ahead of the inline option below:
# it presets enable_inline to "no" unless the user chose a value.
AC_ARG_ENABLE([c89],
    [AS_HELP_STRING([--enable-c89],[Build with C89 toolchain (default: disabled)])],
    [ ENABLED_C89=$enableval ],
    [ ENABLED_C89=no ]
    )

if test "$ENABLED_C89" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLF_C89"
    if test "$enable_inline" = ""; then
        enable_inline=no
    fi
fi

# Inline functions: on unless disabled here or by the C89 preset.
AC_ARG_ENABLE([inline],
    [AS_HELP_STRING([--enable-inline],[Enable inline functions (default: enabled)])],
    [ ENABLED_INLINE=$enableval ],
    [ ENABLED_INLINE=yes ]
    )

AS_IF([test "$ENABLED_INLINE" = "no"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_INLINE"])
7912
7913
# OCSP. The OpenSSL-all, nginx, lighttpd and mosquitto integrations
# preset the option to "yes" when the user gave no explicit value.
if test "x$ENABLED_OPENSSLALL" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || \
   test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_MOSQUITTO" = "xyes"; then
    if test "$enable_ocsp" = ""; then
        enable_ocsp=yes
    fi
fi

AC_ARG_ENABLE([ocsp],
    [AS_HELP_STRING([--enable-ocsp],[Enable OCSP (default: disabled)])],
    [ ENABLED_OCSP=$enableval ],
    [ ENABLED_OCSP=no ]
    )
7926
7927
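# Certificate Status Request, a.k.a. OCSP stapling.
# Accepted values:
#   yes       stapling on, ENABLED_TLS_OCSP_MULTI on
#   no-multi  stapling on, ENABLED_TLS_OCSP_MULTI off
#   no        stapling off
#   disabled  same as no
AC_ARG_ENABLE([ocspstapling],
    [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (options: yes, no-multi, no, disabled; default: disabled)])],
    [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
    [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
    )
# Normalise the value. Anything outside the documented set stops
# configure: without the final branch a mistyped value would fall
# through and leave stapling silently disabled.
AS_CASE([$ENABLED_CERTIFICATE_STATUS_REQUEST],
    [no],[
        ENABLED_CERTIFICATE_STATUS_REQUEST="no"
        ENABLED_TLS_OCSP_MULTI="no"
    ],
    [disabled],[
        ENABLED_CERTIFICATE_STATUS_REQUEST="no"
        ENABLED_TLS_OCSP_MULTI="no"
    ],
    [yes],[
        ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
        ENABLED_TLS_OCSP_MULTI="yes"
    ],
    [no-multi],[
        ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
        ENABLED_TLS_OCSP_MULTI="no"
    ],
    [AC_MSG_ERROR([Invalid OCSP Stapling option. Valid are: yes, no-multi, no, disabled. Seen: $ENABLED_CERTIFICATE_STATUS_REQUEST.])])

# These integrations force stapling on regardless of the option.
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \
   test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \
   test "x$ENABLED_MOSQUITTO" = "xyes"
then
    ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
fi

if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"
then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST"

    # Stapling requires OCSP, so switch it on if it was off.
    if test "x$ENABLED_OCSP" = "xno"
    then
        ENABLED_OCSP="yes"
    fi
fi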
7969
7970
# Certificate Status Request v2, a.k.a. OCSP stapling v2.
AC_ARG_ENABLE([ocspstapling2],
    [AS_HELP_STRING([--enable-ocspstapling2],[Enable OCSP Stapling v2 (default: disabled)])],
    [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ],
    [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ]
    )

# Forced on for nginx, wpa_supplicant, haproxy and lighttpd.
# NOTE(review): the v1 section also lists mosquitto; confirm that its
# absence here is intended.
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"; then
    ENABLED_CERTIFICATE_STATUS_REQUEST_V2=yes
fi

if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2"

    # Stapling v2 requires OCSP, so switch it on if it was off.
    AS_IF([test "x$ENABLED_OCSP" = "xno"],
        [ENABLED_OCSP="yes"])
fi
7993
7994
# OCSP responder: pulls in OCSP and certificate generation.
AC_ARG_ENABLE([ocsp-responder],
    [AS_HELP_STRING([--enable-ocsp-responder],[Enable OCSP Responder (default: disabled)])],
    [ ENABLED_OCSP_RESPONDER=$enableval ],
    [ ENABLED_OCSP_RESPONDER=no ]
    )

if test "x$ENABLED_OCSP_RESPONDER" = "xyes"; then
    ENABLED_OCSP="yes"
    ENABLED_CERTGEN="yes"
fi
8006
# CRL. The value "io" additionally enables inline CRL fetching.
AC_ARG_ENABLE([crl],
    [AS_HELP_STRING([--enable-crl],[Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)])],
    [ ENABLED_CRL=$enableval ],
    [ ENABLED_CRL=no ]
    )

# Integrations that force CRL support on. The forced value is "yes", so
# an earlier "io" request is replaced by plain CRL support.
# NOTE(review): the wpa_supplicant test is "not no" while every other
# test is "equals yes", so an unset or empty ENABLED_WPAS also forces
# CRL on - confirm that is intended.
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || \
   test "x$ENABLED_OPENVPN" = "xyes" || test "x$ENABLED_WPAS" != "xno" || \
   test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \
   test "x$ENABLED_KRB" = "xyes" || test "x$ENABLED_STRONGSWAN" = "xyes" || \
   test "x$ENABLED_MOSQUITTO" = "xyes"; then
    ENABLED_CRL=yes
fi

if test "$ENABLED_CRL" != "no"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "$ENABLED_CRL" = "io"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO"
fi
8031
8032
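# CRL Monitor: only supported on linux, darwin and freebsd hosts, and
# only in a threaded build.
AC_ARG_ENABLE([crl-monitor],
    [AS_HELP_STRING([--enable-crl-monitor],[Enable CRL Monitor (default: disabled)])],
    [ ENABLED_CRL_MONITOR=$enableval ],
    [ ENABLED_CRL_MONITOR=no ]
    )

if test "$ENABLED_CRL_MONITOR" = "yes"
then
    case $host_os in
        *linux* | *darwin* | *freebsd*)
            if test "x$ENABLED_SINGLETHREADED" = "xno"; then
                AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_MONITOR"
            else
                ENABLED_CRL_MONITOR="no"
                AC_MSG_ERROR([crl monitor requires threading / pthread])
            fi
            ;;
        *)
            # Distro builds drop the monitor quietly on other hosts;
            # every other build stops here.
            if test "x$ENABLED_DISTRO" = "xyes" ; then
                ENABLED_CRL_MONITOR="no"
            else
                AC_MSG_ERROR([crl monitor only allowed on linux, OS X, or freebsd])
            fi
            # This branch ends with a plain terminator. A break here
            # would run outside of any loop, which POSIX leaves
            # unspecified and some shells report as an error.
            ;;
    esac
fi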
8060
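# Whitewood netRandom client library.
# ENABLED_WNR stays "no" unless the option is given and the library
# links. A first link attempt uses the default search paths; when that
# fails the given PATH (or /usr/local for a bare --with-wnr) is tried.
# NOTE(review): the fallback assigns CPPFLAGS from the automake flag set
# only, so caller supplied CPPFLAGS appear to be dropped - confirm.
ENABLED_WNR="no"
trywnrdir=""
AC_ARG_WITH([wnr],
    [AS_HELP_STRING([--with-wnr=PATH],[Path to Whitewood netRandom install (default /usr/local)])],
    [
    # A request to build without the library also lands in this action
    # with withval set to no. It must not add the library to LIBS, must
    # not probe with an empty prefix, and must leave the feature off.
    if test "x$withval" != "xno" ; then
        AC_MSG_CHECKING([for Whitewood netRandom])
        LIBS="$LIBS -lwnr"

        AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <wnr.h>]], [[ wnr_setup(0, 0); ]])], [ wnr_linked=yes ],[ wnr_linked=no ])

        if test "x$wnr_linked" = "xno" ; then
            trywnrdir=$withval
            if test "x$withval" = "xyes" ; then
                trywnrdir="/usr/local"
            fi

            CPPFLAGS="$AM_CPPFLAGS -DHAVE_WNR -I$trywnrdir/include"
            LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$trywnrdir/lib"

            AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <wnr.h>]], [[ wnr_setup(0, 0); ]])], [ wnr_linked=yes ],[ wnr_linked=no ])

            if test "x$wnr_linked" = "xno" ; then
                AC_MSG_ERROR([Whitewood netRandom isn't found.
 If it's already installed, specify its path using --with-wnr=/dir/])
            fi
            AC_MSG_RESULT([yes])
            AM_CPPFLAGS="$CPPFLAGS"
            AM_LDFLAGS="$AM_LDFLAGS -L$trywnrdir/lib"
        else
            AC_MSG_RESULT([yes])
        fi

        AM_CFLAGS="$AM_CFLAGS -DHAVE_WNR"
        ENABLED_WNR="yes"
    fi
    ]
)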
8100
8101
# SNI: on by default for x86_64/x86/aarch64/amd64 hosts, off by default
# everywhere else and whenever TLS itself is disabled.
SNI_DEFAULT=no
case "$host_cpu" in
    x86_64 | x86 | aarch64 | amd64)
        SNI_DEFAULT=yes
        ;;
esac

if test "$ENABLED_TLS" = "no"; then
    SNI_DEFAULT=no
fi

AC_ARG_ENABLE([sni],
    [AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])],
    [ ENABLED_SNI=$enableval ],
    [ ENABLED_SNI=$SNI_DEFAULT ]
    )
# Qt and QUIC builds force SNI on.
if test "x$ENABLED_QT" = "xyes" || test "$ENABLED_QUIC" = "yes"; then
    ENABLED_SNI="yes"
fi

AS_IF([test "x$ENABLED_SNI" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"])
8129
# Maximum Fragment Length: the option is read here, its flags are added
# at the end of this section.
AC_ARG_ENABLE([maxfragment],
    [AS_HELP_STRING([--enable-maxfragment],[Enable Maximum Fragment Length (default: disabled)])],
    [ ENABLED_MAX_FRAGMENT=$enableval ],
    [ ENABLED_MAX_FRAGMENT=no ]
    )

# ALPN
AC_ARG_ENABLE([alpn],
    [AS_HELP_STRING([--enable-alpn],[Enable ALPN (default: disabled)])],
    [ ENABLED_ALPN=$enableval ],
    [ ENABLED_ALPN=no ]
    )

# BIND and QUIC builds force ALPN on.
if test "$ENABLED_BIND" = "yes" || test "$ENABLED_QUIC" = "yes"; then
    ENABLED_ALPN=yes
fi

AS_IF([test "x$ENABLED_ALPN" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"])

# Maximum Fragment Length flags
AS_IF([test "x$ENABLED_MAX_FRAGMENT" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_MAX_FRAGMENT"])
8164
# Trusted CA Indication extension
AC_ARG_ENABLE([trustedca],
    [AS_HELP_STRING([--enable-trustedca],[Enable Trusted CA Indication (default: disabled)])],
    [ ENABLED_TRUSTED_CA=$enableval ],[ ENABLED_TRUSTED_CA=no ])

if test "x$ENABLED_TRUSTED_CA" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUSTED_CA"
fi

# Truncated HMAC extension. It shortens the record MAC, so it is worth
# enabling only where a peer actually requires it.
AC_ARG_ENABLE([truncatedhmac],
    [AS_HELP_STRING([--enable-truncatedhmac],[Enable Truncated HMAC (default: disabled)])],
    [ ENABLED_TRUNCATED_HMAC=$enableval ],
    [ ENABLED_TRUNCATED_HMAC=no ]
    )

AS_IF([test "x$ENABLED_TRUNCATED_HMAC" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC"])
8184
# Renegotiation Indication - (FAKE Secure Renegotiation).
# The client sends TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This mode cannot
# be combined with real secure renegotiation; the check further down
# rejects the combination.
AC_ARG_ENABLE([renegotiation-indication],
    [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication for client via empty cipher (default: disabled)])],
    [ ENABLED_RENEGOTIATION_INDICATION=$enableval ],
    [ ENABLED_RENEGOTIATION_INDICATION=no ]
    )

AS_IF([test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_RENEGOTIATION_INDICATION"])

# Secure Renegotiation
AC_ARG_ENABLE([secure-renegotiation],
    [AS_HELP_STRING([--enable-secure-renegotiation],[Enable Secure Renegotiation (default: disabled)])],
    [ ENABLED_SECURE_RENEGOTIATION=$enableval ],
    [ ENABLED_SECURE_RENEGOTIATION=no ]
    )

# haproxy builds force secure renegotiation on.
if test "x$ENABLED_HAPROXY" = "xyes"; then
    ENABLED_SECURE_RENEGOTIATION=yes
fi

if test "x$ENABLED_SECURE_RENEGOTIATION" = "xyes"; then
    # The two renegotiation modes are mutually exclusive.
    if test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"; then
        AC_MSG_ERROR([cannot enable renegotiation-indication and secure-renegotiation.])
    fi
    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO"
fi

# Secure Renegotiation Info extension: on by default. Only the variable
# is set in this section; no flag is added here.
AC_ARG_ENABLE([secure-renegotiation-info],
    [AS_HELP_STRING([--enable-secure-renegotiation-info],[Enable Secure Renegotiation info extension (default: enabled)])],
    [ ENABLED_SECURE_RENEGOTIATION_INFO=$enableval ],
    [ ENABLED_SECURE_RENEGOTIATION_INFO=yes ]
    )
8226
8227
# Fallback SCSV
AC_ARG_ENABLE([fallback-scsv],
    [AS_HELP_STRING([--enable-fallback-scsv],[Enable Fallback SCSV (default: disabled)])],
    [ ENABLED_FALLBACK_SCSV=$enableval ],
    [ ENABLED_FALLBACK_SCSV=no ]
    )

AS_IF([test "x$ENABLED_FALLBACK_SCSV" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_FALLBACK_SCSV"])

# Keying material exporters
AC_ARG_ENABLE([keying-material],
    [AS_HELP_STRING([--enable-keying-material],[Enable Keying Material Exporters (default: disabled)])],
    [ ENABLED_KEYING_MATERIAL=$enableval ],
    [ ENABLED_KEYING_MATERIAL=no ]
    )

# chrony and SRTP builds force the exporters on.
if test "$ENABLED_CHRONY" = "yes" || test "$ENABLED_SRTP" = "yes"; then
    ENABLED_KEYING_MATERIAL=yes
fi
if test "x$ENABLED_KEYING_MATERIAL" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL"
fi
8255
# Supported Elliptic Curves extension: on by default, but switched back
# off when ECC, Curve25519 and Curve448 are all disabled.
AC_ARG_ENABLE([supportedcurves],
    [AS_HELP_STRING([--enable-supportedcurves],[Enable Supported Elliptic Curves (default: enabled)])],
    [ENABLED_SUPPORTED_CURVES=$enableval],
    [ENABLED_SUPPORTED_CURVES=yes])

if test "x$ENABLED_SUPPORTED_CURVES" = "xyes"; then
    if test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && test "x$ENABLED_CURVE448" = "xno"; then
        ENABLED_SUPPORTED_CURVES=no
    else
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES"
    fi
fi

# Diffie-Hellman: the FFDHE 2048 group is compiled in when DH is enabled
# together with TLS 1.3 or the supported curves extension.
if test "$ENABLED_DH" != "no"; then
    AS_IF([test "$ENABLED_TLS13" = "yes" || test "$ENABLED_SUPPORTED_CURVES" = "yes"],
        [AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048"])
fi

# FFDHE parameters only: needs DH and the supported curves extension.
AC_ARG_ENABLE([ffdhe-only],
    [AS_HELP_STRING([--enable-ffdhe-only],[Enable using only FFDHE in client (default: disabled)])],
    [ ENABLED_FFDHE_ONLY=$enableval ],
    [ ENABLED_FFDHE_ONLY=no ]
    )

if test "x$ENABLED_FFDHE_ONLY" = "xyes"; then
    if test "$ENABLED_DH" = "no"; then
        AC_MSG_ERROR([FFDHE only support requires DH support])
    fi
    if test "$ENABLED_SUPPORTED_CURVES" = "no"; then
        AC_MSG_ERROR([FFDHE only support requires Supported Curves extension])
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE"
fi
8297
# TLS 1.3 needs at least one usable key establishment: PSK, ECC, RSA
# with DH, Curve25519 with Ed25519, Curve448 with Ed448, or ML-KEM.
# When none of them is available TLS 1.3 is switched off.
if test "x$ENABLED_PSK" = "xno" && test "x$ENABLED_ECC" = "xno" && \
   (test "x$ENABLED_RSA" = "xno" || test "x$ENABLED_DH" = "xno") && \
   (test "x$ENABLED_CURVE25519" = "xno" || test "x$ENABLED_ED25519" = "xno") && \
   (test "x$ENABLED_CURVE448" = "xno" || test "x$ENABLED_ED448" = "xno") && \
   test "x$ENABLED_MLKEM" = "xno"; then
    ENABLED_TLS13=no
fi
# DTLS 1.3 cannot survive that downgrade, so the combination is an
# error rather than a silent loss of DTLS 1.3.
if test "x$ENABLED_DTLS13" = "xyes" && test "x$ENABLED_TLS13" = "xno"; then
    AC_MSG_ERROR([--enable-dtls13 requires TLS 1.3, but TLS 1.3 was disabled by an earlier prerequisite check (no key-exchange or signature algorithms reachable). Enable at least one of ECC, RSA+DH, Curve25519+Ed25519, Curve448+Ed448, PSK, or ML-KEM.])
fi
# Supported curves are needed by TLS 1.3 whenever ECC, DH or ML-KEM is
# available.
if test "$ENABLED_TLS13" = "yes" && (test "x$ENABLED_ECC" = "xyes" || \
   test "$ENABLED_DH" != "no" || test "x$ENABLED_MLKEM" = "xyes"); then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"
fi
if test "$ENABLED_TLS13" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS"
fi
8322
8323
# Session Ticket extension
AC_ARG_ENABLE([session-ticket],
    [AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])],
    [ ENABLED_SESSION_TICKET=$enableval ],
    [ ENABLED_SESSION_TICKET=no ]
    )

# Forced on for nginx, wpa_supplicant, haproxy and lighttpd.
if test "x$ENABLED_NGINX" = "xyes" || test "$ENABLED_WPAS" = "yes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"; then
    ENABLED_SESSION_TICKET=yes
fi

AS_IF([test "x$ENABLED_SESSION_TICKET" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SESSION_TICKET"])

# Dynamic allocation of ticket nonces. The default is the marker value
# "no_implicit", which differs from an explicit "no"; only "yes" adds
# the flag in this section.
AC_ARG_ENABLE([ticket-nonce-malloc],
    [AS_HELP_STRING([--enable-ticket-nonce-malloc], [Enable dynamic allocation of ticket nonces (default: disabled)])],
    [ ENABLED_TICKET_NONCE_MALLOC=$enableval ],
    [ ENABLED_TICKET_NONCE_MALLOC=no_implicit ]
    )

AS_IF([test "$ENABLED_TICKET_NONCE_MALLOC" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TICKET_NONCE_MALLOC"])
8351
# Extended Master Secret extension: on by default, always off in a
# crypto-only build.
AC_ARG_ENABLE([extended-master],
    [AS_HELP_STRING([--enable-extended-master],[Enable Extended Master Secret (default: enabled)])],
    [ ENABLED_EXTENDED_MASTER=$enableval ],
    [ ENABLED_EXTENDED_MASTER=yes ]
    )

if test "$ENABLED_CRYPTONLY" = "yes"; then
    ENABLED_EXTENDED_MASTER=no
fi
AS_IF([test "x$ENABLED_EXTENDED_MASTER" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_EXTENDED_MASTER"])
8367
# TLS Extensions: one switch that turns on SNI, Maximum Fragment Length,
# Truncated HMAC, ALPN and Trusted CA, and marks Encrypt-then-MAC as
# enabled.
AC_ARG_ENABLE([tlsx],
    [AS_HELP_STRING([--enable-tlsx],[Enable all TLS Extensions (default: disabled)])],
    [ ENABLED_TLSX=$enableval ],
    [ ENABLED_TLSX=no ]
    )

# Forced on for nginx, haproxy, signal, lighttpd and chrony.
# NOTE(review): this also compiles Truncated HMAC into those builds;
# confirm that every integration listed here wants it.
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_SIGNAL" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_CHRONY" = "yes"; then
    ENABLED_TLSX=yes
fi

if test "x$ENABLED_TLSX" = "xyes"; then
    ENABLED_SNI=yes
    ENABLED_MAX_FRAGMENT=yes
    ENABLED_TRUNCATED_HMAC=yes
    ENABLED_ALPN=yes
    ENABLED_TRUSTED_CA=yes
    ENABLED_ENCRYPT_THEN_MAC=yes
    # The per-extension sections ran earlier, so the flags are appended
    # here directly.
    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
    # Supported curves are added only when an elliptic curve algorithm
    # or TLS 1.3 is available.
    if test "x$ENABLED_ECC" != "xno" || test "$ENABLED_CURVE25519" != "no" || test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_TLS13" = "xyes"; then
        ENABLED_SUPPORTED_CURVES=yes
        AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"
    fi
fi
8394
# Early Data handshake in TLS v1.3 and above.
# Early data is not protected against replay by the protocol itself, so
# an application that accepts it needs its own replay handling.
AC_ARG_ENABLE([earlydata],
    [AS_HELP_STRING([--enable-earlydata],[Enable Early Data handshake with wolfSSL TLS v1.3 (default: disabled)])],
    [ ENABLED_TLS13_EARLY_DATA=$enableval ],
    [ ENABLED_TLS13_EARLY_DATA=no ]
    )

# The value "group" means "yes" plus grouping early data with the
# ClientHello.
if test "$ENABLED_TLS13_EARLY_DATA" = "group"; then
    ENABLED_TLS13_EARLY_DATA="yes"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EARLY_DATA_GROUP"
fi
if test "$ENABLED_TLS13_EARLY_DATA" = "yes"; then
    # Early data needs TLS 1.3, unless the enable-all switch is in
    # effect, and it needs session tickets or PSK.
    if test "x$ENABLED_TLS13" = "xno" && test "x$ENABLED_ALL" = "xno"; then
        AC_MSG_ERROR([cannot enable earlydata without enabling tls13.])
    fi
    if test "x$ENABLED_SESSION_TICKET" = "xno" && test "x$ENABLED_PSK" = "xno"; then
        AC_MSG_ERROR([cannot enable earlydata without enabling session tickets and/or PSK.])
    fi
    if test "x$ENABLED_TLS13" = "xyes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EARLY_DATA"
    fi
fi

# A TLS 1.3 only build without session tickets drops the session cache.
if test "$ENABLED_TLSV12" = "no" && test "$ENABLED_TLS13" = "yes" && test "x$ENABLED_SESSION_TICKET" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE"
fi
8428
# PKCS7: only the variable is set in this section.
AC_ARG_ENABLE([pkcs7],
    [AS_HELP_STRING([--enable-pkcs7],[Enable PKCS7 (default: disabled)])],
    [ ENABLED_PKCS7=$enableval ],
    [ ENABLED_PKCS7=no ]
    )

# wpa_supplicant DPP builds force PKCS7 on.
AS_IF([test "x$ENABLED_WPAS_DPP" = "xyes"],
    [ENABLED_PKCS7=yes])

# wolfSSH options. --enable-ssh is a second spelling of
# --enable-wolfssh and feeds the same variable.
AC_ARG_ENABLE([wolfssh],
    [AS_HELP_STRING([--enable-wolfssh],[Enable wolfSSH options (default: disabled)])],
    [ ENABLED_WOLFSSH=$enableval ],
    [ ENABLED_WOLFSSH=no ]
    )

AC_ARG_ENABLE([ssh],
    [AS_HELP_STRING([--enable-ssh],[Enable wolfSSH options (default: disabled)])],
    [ ENABLED_SSH=$enableval ],
    [ ENABLED_SSH=no ]
    )

AS_IF([test "x$ENABLED_SSH" = "xyes"],
    [ENABLED_WOLFSSH="yes"])
8458
# wolfTPM options
AC_ARG_ENABLE([wolftpm],
    [AS_HELP_STRING([--enable-wolftpm],[Enable wolfTPM options (default: disabled)])],
    [ ENABLED_WOLFTPM=$enableval ],
    [ ENABLED_WOLFTPM=no ]
    )

# wolfCLU options
AC_ARG_ENABLE([wolfclu],
    [AS_HELP_STRING([--enable-wolfclu],[Enable wolfCLU options (default: disabled)])],
    [ ENABLED_WOLFCLU=$enableval ],
    [ ENABLED_WOLFCLU=no ]
    )


# wolfTPM prerequisites. Each one is switched on only when it is still
# "no", so a flag is never appended twice from here. The crypto callback
# requirement is handled in its own enable section.
if test "x$ENABLED_WOLFTPM" = "xyes"; then
    # Certificate generation, requests and extensions
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi
    if test "x$ENABLED_CERTREQ" = "xno"; then
        ENABLED_CERTREQ="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
    fi
    if test "x$ENABLED_CERTEXT" = "xno"; then
        ENABLED_CERTEXT="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
    fi

    # PKCS7: only the variable is set here
    if test "x$ENABLED_PKCS7" = "xno"; then
        ENABLED_PKCS7="yes"
    fi

    # AES-CFB
    if test "x$ENABLED_AESCFB" = "xno"; then
        ENABLED_AESCFB="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"
    fi

    # Public mp_ math API, and encoding of CA:FALSE in BasicConstraints.
    # Both flags are added unconditionally.
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_ENCODING_CA_FALSE"
fi
8513
# S/MIME: adds its flag and makes sure PKCS7 is marked enabled.
if test "x$ENABLED_SMIME" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_SMIME"
    if test "x$ENABLED_PKCS7" = "xno"; then
        ENABLED_PKCS7="yes"
    fi
fi
8523
# Simple Certificate Enrollment Protocol (SCEP): only the variable is
# set in this section.
AC_ARG_ENABLE([scep],
    [AS_HELP_STRING([--enable-scep],[Enable wolfSCEP (default: disabled)])],
    [ ENABLED_WOLFSCEP=$enableval ],
    [ ENABLED_WOLFSCEP=no ]
    )


# Secure Remote Password
AC_ARG_ENABLE([srp],
    [AS_HELP_STRING([--enable-srp],[Enable Secure Remote Password (default: disabled)])],
    [ ENABLED_SRP=$enableval ],
    [ ENABLED_SRP=no ]
    )

AS_IF([test "x$ENABLED_SRP" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP"])


# Indefinite length encoded BER message support
AC_ARG_ENABLE([indef],
    [AS_HELP_STRING([--enable-indef],[Enable parsing of indefinite length encoded msgs (default: disabled)])],
    [ ENABLED_BER_INDEF=$enableval ],
    [ ENABLED_BER_INDEF=no ]
    )

AS_IF([test "x$ENABLED_BER_INDEF" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DASN_BER_TO_DER"])
8556
# Alternate certificate chains, as opposed to full chain validation.
# This relaxes certificate validation, similar to openssl and browsers:
# only the peer certificate has to validate to a trusted certificate.
# With the option off, every certificate a peer sends must be used in
# the trust chain or the connection is rejected. Leave it off unless
# the relaxed behaviour is specifically needed.
AC_ARG_ENABLE([altcertchains],
    [AS_HELP_STRING([--enable-altcertchains],[Enable using alternative certificate chains, only require leaf certificate to validate to trust root (default: disabled)])],
    [ ENABLED_ALT_CERT_CHAINS=$enableval ],
    [ ENABLED_ALT_CERT_CHAINS=no ]
    )

AS_IF([test "x$ENABLED_ALT_CERT_CHAINS" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"])
8572
# Small Stack - cache on object. The default follows
# KERNEL_MODE_DEFAULTS, so the "default: disabled" in the help text
# holds only outside kernel mode.
AS_IF([test "$KERNEL_MODE_DEFAULTS" = "yes"],
    [ENABLED_SMALL_STACK_CACHE_DEFAULT=yes],
    [ENABLED_SMALL_STACK_CACHE_DEFAULT=no])
AC_ARG_ENABLE([smallstackcache],
    [AS_HELP_STRING([--enable-smallstackcache],[Enable Small Stack Usage Caching (default: disabled)])],
    [ ENABLED_SMALL_STACK_CACHE=$enableval ],
    [ ENABLED_SMALL_STACK_CACHE=$ENABLED_SMALL_STACK_CACHE_DEFAULT ]
    )

if test "x$ENABLED_SMALL_STACK_CACHE" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SMALL_STACK_CACHE"
fi

# Small Stack. Same kernel mode default as above; the cache option also
# forces this one on.
AS_IF([test "$KERNEL_MODE_DEFAULTS" = "yes"],
    [ENABLED_SMALL_STACK_DEFAULT=yes],
    [ENABLED_SMALL_STACK_DEFAULT=no])
AC_ARG_ENABLE([smallstack],
    [AS_HELP_STRING([--enable-smallstack],[Enable Small Stack Usage (default: disabled)])],
    [ ENABLED_SMALL_STACK=$enableval ],
    [ ENABLED_SMALL_STACK=$ENABLED_SMALL_STACK_DEFAULT ]
    )

if test "x$ENABLED_SMALL_STACK_CACHE" = "xyes"; then
    ENABLED_SMALL_STACK=yes
fi
if test "x$ENABLED_SMALL_STACK" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SMALL_STACK"
fi
8612
8613
# valgrind for the unit tests. Enabling it requires the valgrind
# program and switches the build to a static only library.
AC_ARG_ENABLE([valgrind],
    [AS_HELP_STRING([--enable-valgrind],[Enable valgrind for unit tests (default: disabled)])],
    [ ENABLED_VALGRIND=$enableval ],
    [ ENABLED_VALGRIND=no ]
    )

if test "$ENABLED_VALGRIND" = "yes"; then
    AC_CHECK_PROG([HAVE_VALGRIND],[valgrind],[yes],[no])

    if test "$HAVE_VALGRIND" = "no"; then
        AC_MSG_ERROR([Valgrind not found.])
    fi
    enable_shared=no
    enable_static=yes
    AM_CFLAGS="$AM_CFLAGS -DHAVE_VALGRIND"
fi
8633
8634
# Test certs: use internal cert functions for extra testing.
# NOTE(review): presumably a test only switch that should stay off in
# production builds - confirm.
AC_ARG_ENABLE([testcert],
    [AS_HELP_STRING([--enable-testcert],[Enable Test Cert (default: disabled)])],
    [ ENABLED_TESTCERT=$enableval ],
    [ ENABLED_TESTCERT=no ]
    )

AS_IF([test "$ENABLED_TESTCERT" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TEST_CERT"])
8646
8647
# I/O Pool: an example that shows how to override the memory handler
# and serve the input/output buffer requests from a pool. It needs
# thread local storage.
AC_ARG_ENABLE([iopool],
    [AS_HELP_STRING([--enable-iopool],[Enable I/O Pool example (default: disabled)])],
    [ ENABLED_IOPOOL=$enableval ],
    [ ENABLED_IOPOOL=no ]
    )

if test "$ENABLED_IOPOOL" = "yes"; then
    AS_IF([test "$thread_ls_on" = "no"],
        [AC_MSG_ERROR([I/O Pool example requires Thread Local Storage])])
    AM_CFLAGS="$AM_CFLAGS -DHAVE_IO_POOL -DXMALLOC_USER"
fi
8664
# Certificate Service support: needs certificate generation, ECC and
# the OpenSSL extra layer, and switches on whichever is still off.
if test "$ENABLED_CERT_SERVICE" = "yes"; then
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi
    if test "x$ENABLED_ECC" = "xno"; then
        ENABLED_ECC="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"

        if test "$ENABLED_ECC_SHAMIR" = "yes"; then
            AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
        fi
    fi
    # The OpenSSL extra layer is left alone in an OpenSSL coexist build.
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_CERT_SERVICE"
fi
8691
8692
# wolfSSL JNI: one switch that enables the JNI flag set and every
# prerequisite that is still "no".
# Among the prerequisites are alternate certificate chains, which relax
# certificate validation, and the persistent session and certificate
# caches; a JNI build gets all of them without further options.
AC_ARG_ENABLE([jni],
    [AS_HELP_STRING([--enable-jni],[Enable wolfSSL JNI (default: disabled)])],
    [ ENABLED_JNI=$enableval ],
    [ ENABLED_JNI=no ]
    )
if test "$ENABLED_JNI" = "yes"; then
    # Flags that are added unconditionally.
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_JNI -DHAVE_EX_DATA -DKEEP_PEER_CERT -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_ALWAYS_KEEP_SNI -DWOLFSSL_TLS13_MIDDLEBOX_COMPAT -DWOLFSSL_PUBLIC_MP"

    # Enable openssl compat layer AES-CTS to maintain FIPS compatibility
    AM_CFLAGS="$AM_CFLAGS -DHAVE_CTS"

    # Prerequisites, each enabled only if not already enabled.
    if test "x$ENABLED_DTLS" = "xno"; then
        ENABLED_DTLS="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
    fi

    if test "x$ENABLED_DTLS13" = "xno"; then
        ENABLED_DTLS13="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_DROP_STATS"
        # The HRR cookie is switched on only while still "undefined".
        if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"; then
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
            ENABLED_SEND_HRR_COOKIE="yes"
        fi
        # ClientHello fragmentation is added when ML-KEM is not "no".
        if test "x$ENABLED_MLKEM" != "xno" && test "x$ENABLED_DTLS_CH_FRAG" != "xyes"; then
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_CH_FRAG"
            ENABLED_DTLS_CH_FRAG="yes"
        fi
        if test "x$ENABLED_AES" = "xyes"; then
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
        fi
    fi

    # NOTE(review): unlike its neighbours this adds the flag without
    # setting ENABLED_DTLS_MTU to "yes" - confirm that is intended.
    if test "x$ENABLED_DTLS_MTU" = "xno"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS_MTU"
    fi

    if test "x$ENABLED_OPENSSLEXTRA" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi
    if test "x$ENABLED_OPENSSLALL" = "xno"; then
        ENABLED_OPENSSLALL="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL"
    fi
    if test "x$ENABLED_CRL" = "xno"; then
        ENABLED_CRL="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
    fi
    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi
    # NOTE(review): the CRL monitor is switched on here without the host
    # and threading checks of the crl-monitor option - confirm.
    if test "x$ENABLED_CRL_MONITOR" = "xno" && test "x$ENABLED_DISTRO" = "xno"; then
        ENABLED_CRL_MONITOR="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_MONITOR"
    fi
    if test "x$ENABLED_SAVESESSION" = "xno"; then
        ENABLED_SAVESESSION="yes"
        AM_CFLAGS="$AM_CFLAGS -DPERSIST_SESSION_CACHE"
    fi
    if test "x$ENABLED_SAVECERT" = "xno"; then
        ENABLED_SAVECERT="yes"
        AM_CFLAGS="$AM_CFLAGS -DPERSIST_CERT_CACHE"
    fi
    if test "x$ENABLED_ATOMICUSER" = "xno"; then
        ENABLED_ATOMICUSER="yes"
        AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
    fi
    if test "x$ENABLED_ECC" = "xno"; then
        ENABLED_ECC="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"

        if test "$ENABLED_ECC_SHAMIR" = "yes"; then
            AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
        fi
    fi
    # Do not enable PK Callbacks in FIPS mode with JNI
    if test "x$ENABLED_PKCALLBACKS" = "xno" && test "$ENABLED_FIPS" = "no"; then
        ENABLED_PKCALLBACKS="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_PK_CALLBACKS"
    fi
    if test "x$ENABLED_DH" = "xno"; then
        ENABLED_DH="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_DH"
    fi
    if test "x$ENABLED_PSK" = "xno"; then
        ENABLED_PSK="yes"
    fi
    if test "x$ENABLED_CERTEXT" = "xno"; then
        ENABLED_CERTEXT="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
    fi
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi
    # wolfCrypt JNI/JCE uses keygen, enable by default here so
    # both JCE and JSSE builds can use --enable-jni
    if test "x$ENABLED_KEYGEN" = "xno"; then
        ENABLED_KEYGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
    fi
    if test "x$ENABLED_CERTREQ" = "xno"; then
        ENABLED_CERTREQ="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
    fi
    if test "x$ENABLED_SNI" = "xno"; then
        ENABLED_SNI="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"
    fi
    if test "x$ENABLED_ALPN" = "xno"; then
        ENABLED_ALPN="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_ALPN"
    fi
    # Relaxed chain validation, see the altcertchains option.
    if test "x$ENABLED_ALT_CERT_CHAINS" = "xno"; then
        ENABLED_ALT_CERT_CHAINS="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
    fi

    if test "x$ENABLED_SESSIONCERTS" = "xno"; then
        ENABLED_SESSIONCERTS="yes"
        AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
    fi

    # cert gen requires alt names
    ENABLED_ALTNAMES="yes"
fi
8856
# lighttpd integration: everything below applies only when ENABLED_LIGHTY is "yes".
if test "$ENABLED_LIGHTY" = "yes"; then
    # Switch on the OpenSSL compatibility layer unless it is already on or an
    # OpenSSL coexistence build was requested.
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi
    AM_CFLAGS="$AM_CFLAGS -DHAVE_LIGHTY -DHAVE_WOLFSSL_SSL_H=1 -DHAVE_EX_DATA -DOPENSSL_ALL -DWOLFSSL_KEY_GEN"

    # Recommended when wolfSSL is built specifically for lighttpd; skipped
    # whenever ENABLED_ALL is anything other than "no".
    if test "x$ENABLED_ALL" = "xno"; then
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_COMP"
        # NO_OLD_TLS is reached only when SSLv3 and TLS 1.0 are both off.
        if test "x$ENABLED_SSLV3" = "xno"; then
            AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL3"
            if test "x$ENABLED_TLSV10" = "xno"; then
                AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
                ENABLED_OLD_TLS=no
            fi
        fi
        # Without the CRL monitor the build is made single-threaded.
        if test "x$ENABLED_CRL_MONITOR" = "xno"; then
            AM_CFLAGS="$AM_CFLAGS -DSINGLE_THREADED"
            ENABLED_SINGLETHREADED="yes"
        fi

        # Left disabled: for lighttpd 1.4.56, once wolfSSL exposes the
        # non-filesystem functions.
        #AM_CFLAGS="$AM_CFLAGS -DNO_BIO"
        #AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM"
        #ENABLED_FILESYSTEM=no
    fi
fi
8890
# nginx integration: adds the nginx-specific defines and the OpenSSL-style
# defaults and error codes.
if test "$ENABLED_NGINX" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NGINX -DWOLFSSL_SIGNER_DER_CERT -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_ERROR_CODE_OPENSSL"
fi
8897
# HAProxy integration: base defines plus every prerequisite feature that is
# still off at this point.
if test "$ENABLED_HAPROXY" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_SIGNER_DER_CERT -DWOLFSSL_KEEP_RNG_SEED_FD_OPEN"

    # --enable-all defines its own DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS, so the
    # 8192 default is applied only when nothing has set it yet.
    if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"; then
        DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
    fi

    # Needs opensslextra and opensslall, unless coexisting with OpenSSL.
    if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLALL="yes"
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
    fi

    # Certificate generation and certificate requests.
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi
    if test "x$ENABLED_CERTREQ" = "xno"; then
        ENABLED_CERTREQ="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
    fi

    # Session certificates.
    if test "x$ENABLED_SESSIONCERTS" = "xno"; then
        ENABLED_SESSIONCERTS="yes"
        AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
    fi

    # Key generation.
    if test "x$ENABLED_KEYGEN" = "xno"; then
        ENABLED_KEYGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
    fi
fi
8941
# net-snmp integration: ex-data support plus AES-CFB and DTLS when they are
# still disabled.
if test "$ENABLED_NETSNMP" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"

    if test "x$ENABLED_AESCFB" = "xno"; then
        ENABLED_AESCFB="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_CFB"
    fi

    if test "x$ENABLED_DTLS" = "xno"; then
        ENABLED_DTLS="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
    fi
fi
8958
# Kerberos integration.
if test "$ENABLED_KRB" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KRB -DWOLFSSL_AES_DIRECT"
    # DES in ECB mode is a legacy primitive; it is added only for non-FIPS
    # builds or FIPS versions up to 2.
    AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
          [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"

    # PKCS7 is a prerequisite. Only the flag variable is set here; no define
    # is appended in this block.
    if test "x$ENABLED_PKCS7" = "xno"; then
        ENABLED_PKCS7="yes"
    fi
fi
8972
# FFmpeg integration: feature define plus OpenSSL-compatible defaults.
if test "$ENABLED_FFMPEG" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FFMPEG -DOPENSSL_COMPATIBLE_DEFAULTS"
fi
8977
# Signal integration: AES counter/direct modes, plus the OpenSSL compatibility
# layer unless it is already on or a coexistence build was requested.
if test "$ENABLED_SIGNAL" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNAL -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT"
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi
fi
8988
# BIND integration.
# NOTE(review): WOLFSSL_DSA_768_MODULUS, judging by its name, admits 768-bit
# DSA moduli, which is far below current key-size guidance; confirm what
# requires it before shipping a build made with this option.
if test "$ENABLED_BIND" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BIND -DWOLFSSL_DSA_768_MODULUS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"
    # DES-ECB only for non-FIPS builds or FIPS versions up to 2.
    AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
          [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224 -DWOLFSSL_SHA384 -DWOLFSSL_SHA512 -DOPENSSL_COMPATIBLE_DEFAULTS"
    # The SHA-2 variants are forced on regardless of their earlier state.
    ENABLED_SHA224="yes"
    ENABLED_SHA384="yes"
    ENABLED_SHA512="yes"
fi
9001
# rsyslog integration: OpenSSL-style error codes and defaults, ex-data support.
if test "$ENABLED_RSYSLOG" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSYSLOG -DWOLFSSL_ERROR_CODE_OPENSSL -DHAVE_EX_DATA -DOPENSSL_COMPATIBLE_DEFAULTS"
fi
9007
# OpenVPN integration: supported curves, keying material export, ex-data and
# key generation.
if test "$ENABLED_OPENVPN" = "yes"; then
    ENABLED_SUPPORTED_CURVES="yes"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENVPN -DHAVE_KEYING_MATERIAL -DHAVE_EX_DATA -DWOLFSSL_KEY_GEN"
    # DES-ECB (legacy) only for non-FIPS builds or FIPS versions up to 2.
    AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
          [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
fi
9016
# Hitch integration: enable each prerequisite that is still off, then add the
# Hitch defines.
if test "$ENABLED_HITCH" = "yes"; then
    # OpenSSL compatibility layer, unless coexisting with OpenSSL.
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi

    # OCSP: only the flag variable is set in this block.
    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi

    # ALPN, which also needs the TLS extensions define.
    if test "x$ENABLED_ALPN" = "xno"; then
        ENABLED_ALPN="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
    fi

    # Key generation.
    if test "x$ENABLED_KEYGEN" = "xno"; then
        ENABLED_KEYGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
    fi

    # Session certificates.
    if test "x$ENABLED_SESSIONCERTS" = "xno"; then
        ENABLED_SESSIONCERTS="yes"
        AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
    fi

    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HITCH -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_CIPHER_INTERNALNAME"
fi
9055
# memcached integration: session-ID context and external session cache.
if test "$ENABLED_MEMCACHED" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SESSION_ID_CTX -DHAVE_EXT_CACHE -DHAVE_MEMCACHED"
fi
9061
9062
# Settings shared by the nginx, HAProxy and lighttpd builds: the verify
# callback is always invoked, SNI and both certificates are kept, and the
# external cache and ex-data are available.
if test "$ENABLED_NGINX" = "yes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_ALWAYS_KEEP_SNI -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_EXT_CACHE -DHAVE_EX_DATA"

    # Certificate generation is forced on here without looking at its
    # previous state, so the define may be appended a second time.
    ENABLED_CERTGEN="yes"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
9073
# RC4 is a broken legacy cipher. It is defaulted on here only for OpenSSH
# (non-FIPS), wpa_supplicant and Qt builds, and only when the user gave no
# explicit --enable-arc4 or --disable-arc4.
# NOTE(review): this writes the lowercase enable_arc4, while the check that
# follows reads ENABLED_ARC4; confirm the arc4 option is parsed after this
# point, otherwise the default set here has no effect.
if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \
    test "$ENABLED_WPAS" = "yes" || test "$ENABLED_QT" = "yes"; then
    if test -z "$enable_arc4"; then
        enable_arc4=yes
    fi
fi
9079
# Compile RC4 out when it is disabled, and also when a lean PSK or lean TLS
# build is requested, in which case ENABLED_ARC4 is reset to "no" as well.
if test "$ENABLED_ARC4" = "no"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
elif test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
    ENABLED_ARC4=no
fi
9091
# Asio integration (--enable-asio, off by default).
AC_ARG_ENABLE([asio],
    [AS_HELP_STRING([--enable-asio],[Enable asio (default: disabled)])],
    [ENABLED_ASIO=$enableval],
    [ENABLED_ASIO=no])
if test "$ENABLED_ASIO" = "yes"; then
    # Needs opensslextra and opensslall; MD5 is switched on in the same step.
    if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLALL="yes"
        ENABLED_OPENSSLEXTRA="yes"
        ENABLED_MD5="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASIO -DASIO_USE_WOLFSSL -DWOLFSSL_KEY_GEN -DBOOST_ASIO_USE_WOLFSSL -DHAVE_EX_DATA"
    # SSLv2 and SSLv3 are always marked unavailable; the TLS 1.0 and 1.1
    # protocol-name defines are added only if those versions are enabled.
    AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1_2 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3"
    if test "$ENABLED_TLSV10" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1"
    fi
    if test "$ENABLED_OLD_TLS" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1_1"
    fi

    # OCSP is a prerequisite; only the flag variable is set here.
    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi
fi
9127
# Apache httpd integration (--enable-apachehttpd, off by default).
AC_ARG_ENABLE([apachehttpd],
    [AS_HELP_STRING([--enable-apachehttpd],[Enable Apache httpd (default: disabled)])],
    [ENABLED_APACHE_HTTPD=$enableval],
    [ENABLED_APACHE_HTTPD=no])
if test "$ENABLED_APACHE_HTTPD" = "yes"; then
    # Needs opensslextra and opensslall, unless coexisting with OpenSSL.
    if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLALL="yes"
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL"
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_APACHE_HTTPD -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_COMP"
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI -DOPENSSL_COMPATIBLE_DEFAULTS"
    # NOTE(review): by its name this define relaxes a check on the issuer of
    # OCSP responses; confirm the exact effect and whether the deployment
    # still validates responder certificates as intended.
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"

    # OCSP: only the flag variable is set here.
    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi

    # Session certificates.
    if test "x$ENABLED_SESSIONCERTS" = "xno"; then
        ENABLED_SESSIONCERTS="yes"
        AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
    fi

    # ALPN.
    if test "x$ENABLED_ALPN" = "xno"; then
        ENABLED_ALPN="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
    fi

    # CRL.
    if test "x$ENABLED_CRL" = "xno"; then
        ENABLED_CRL="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
    fi

    # Certificate generation, requests and extensions.
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi
    if test "x$ENABLED_CERTREQ" = "xno"; then
        ENABLED_CERTREQ="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
    fi
    if test "x$ENABLED_CERTEXT" = "xno"; then
        ENABLED_CERTEXT="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
    fi

    # Secure renegotiation.
    # NOTE(review): unlike the prerequisites above, the defines are added
    # without setting ENABLED_SECURE_RENEGOTIATION to yes, so later checks of
    # that variable still see "no" - confirm this is intended.
    if test "x$ENABLED_SECURE_RENEGOTIATION" = "xno"; then
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO"
    fi
fi
9201
# Encrypt-then-MAC TLS extension (--enable-enc-then-mac, on by default).
AC_ARG_ENABLE([enc-then-mac],
    [AS_HELP_STRING([--enable-enc-then-mac],[Enable Encrypt-Then-Mac extension (default: enabled)])],
    [ENABLED_ENCRYPT_THEN_MAC=$enableval],
    [ENABLED_ENCRYPT_THEN_MAC=yes])

# Enabling the TLS extensions bundle turns Encrypt-then-MAC back on even if
# it was disabled on the command line.
if test "x$ENABLED_TLSX" = "xyes"; then
    ENABLED_ENCRYPT_THEN_MAC=yes
fi

if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
fi
9218
9219
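# stunnel integration (--enable-stunnel, off by default).
AC_ARG_ENABLE([stunnel],
    [AS_HELP_STRING([--enable-stunnel],[Enable stunnel (default: disabled)])],
    [ENABLED_STUNNEL=$enableval],
    [ENABLED_STUNNEL=no])
# A wpa_supplicant build implies the stunnel feature set.
if test "$ENABLED_WPAS" = "yes"; then
    ENABLED_STUNNEL="yes"
fi
# stunnel support requires all the features enabled within this conditional.
if test "$ENABLED_STUNNEL" = "yes"; then
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi

    if test "x$ENABLED_SESSION_TICKET" = "xno"; then
        ENABLED_SESSION_TICKET="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_SESSION_TICKET"
    fi

    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi

    if test "x$ENABLED_CODING" = "xno"; then
        ENABLED_CODING="yes"
    fi

    if test "x$ENABLED_SESSIONCERTS" = "xno"; then
        ENABLED_SESSIONCERTS="yes"
        AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
    fi

    if test "x$ENABLED_CRL" = "xno"; then
        ENABLED_CRL="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
    fi

    # 3DES is a legacy cipher; it is switched on only for non-FIPS builds or
    # FIPS versions below 5. The version is quoted to match the other
    # HAVE_FIPS_VERSION tests in this file and to avoid word splitting.
    if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -lt 5); then
        ENABLED_DES3="yes"
    fi

    if test "x$ENABLED_TLSX" = "xno"; then
        ENABLED_TLSX="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC"

        # Check the ECC supported curves prereq.
        # NOTE(review): this runs before ECC is forced on below, so with ECC
        # and Curve25519 both off the supported-curves define is not added
        # here even though ECC ends up enabled - confirm that is intended.
        AS_IF([test "x$ENABLED_ECC" != "xno" || test "$ENABLED_CURVE25519" != "no"],
              [ENABLED_SUPPORTED_CURVES=yes
               AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
    fi

    if test "x$ENABLED_ECC" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        ENABLED_ECC="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"

        if test "$ENABLED_ECC_SHAMIR" = "yes"; then
            AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"
        fi
    fi

    if test "x$ENABLED_CERTEXT" = "xno"; then
        ENABLED_CERTEXT="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
    fi

    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi

    if test "x$ENABLED_KEYGEN" = "xno"; then
        ENABLED_KEYGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
    fi

    # MD5 is enabled for compatibility; only the flag variable is set here.
    if test "x$ENABLED_MD5" = "xno"; then
        ENABLED_MD5="yes"
    fi

    AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI -DHAVE_EX_DATA"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"
    # DES-ECB only for non-FIPS builds or FIPS versions up to 2.
    AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
          [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])
    AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_TICKET_HAVE_ID"
fi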
9325
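# curl integration (--enable-curl, off by default; the value "tiny" selects a
# reduced configuration for tiny-curl).
AC_ARG_ENABLE([curl],
    [AS_HELP_STRING([--enable-curl],[Enable curl (default: disabled)])],
    [ENABLED_CURL=$enableval],
    [ENABLED_CURL=no])
# curl support requires all the features enabled within this conditional.
if test "$ENABLED_CURL" = "yes"; then
    # MD4 and 3DES are legacy algorithms enabled here for compatibility.
    if test "$ENABLED_MD4" = "no"; then
        ENABLED_MD4="yes"
    fi

    # 3DES only for non-FIPS builds or FIPS versions below 5. The version is
    # quoted to match the other HAVE_FIPS_VERSION tests in this file and to
    # avoid word splitting.
    if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -lt 5); then
        ENABLED_DES3="yes"
    fi

    if test "x$ENABLED_ALPN" = "xno"; then
        ENABLED_ALPN="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_ALPN"
    fi

    if test "x$ENABLED_EX_DATA" = "xno"; then
        ENABLED_EX_DATA="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
    fi

    if test "x$ENABLED_WOLFSSH" = "xno"; then
        ENABLED_WOLFSSH="yes"
    fi

    # Only the flag variable is set; no define is appended in this block and
    # the OpenSSL coexistence setting is not consulted.
    if test "x$ENABLED_OPENSSLEXTRA" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
    fi

    # Revocation checking: CRL, OCSP and both OCSP stapling variants.
    if test "x$ENABLED_CRL" = "xno"; then
        ENABLED_CRL="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
    fi

    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi

    if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xno"; then
        ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST"
    fi

    if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xno"; then
        ENABLED_CERTIFICATE_STATUS_REQUEST_V2="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2"
    fi

    if test "x$ENABLED_SNI" = "xno"; then
        ENABLED_SNI="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"
    fi

    if test "x$ENABLED_ALT_CERT_CHAINS" = "xno"; then
        ENABLED_ALT_CERT_CHAINS="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
    fi

    if test "x$ENABLE_IP_ALT_NAME" = "xno"; then
        ENABLE_IP_ALT_NAME="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IP_ALT_NAME"
    fi

    if test "x$ENABLED_SESSION_TICKET" = "xno"; then
        ENABLED_SESSION_TICKET="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SESSION_TICKET"
    fi

    # FTPS server requires pointer to session cache
    AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"

    # DES-ECB only for non-FIPS builds or FIPS versions up to 2.
    AS_IF([test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2],
          [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])

    # Support a longer session ticket nonce, but only when the option was
    # left at its implicit default.
    if test "$ENABLED_TICKET_NONCE_MALLOC" = "no_implicit"; then
        ENABLED_TICKET_NONCE_MALLOC="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TICKET_NONCE_MALLOC"
    fi
elif test "$ENABLED_CURL" = "tiny"; then
    # Basic config to support tiny-curl.
    # OPENSSL_EXTRA_X509_SMALL is sufficient.
    if test "x$ENABLED_OPENSSLEXTRA" = "xno"; then
        ENABLED_OPENSSLEXTRA="x509small"
    fi

    # Expose a bit more compat API without full OPENSSL_EXTRA.
    AM_CFLAGS="$AM_CFLAGS -DHAVE_CURL"

    # Session cache is necessary, but can be small or micro.
    AM_CFLAGS="$AM_CFLAGS -DSMALL_SESSION_CACHE"
fi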
9441
# PSK handling when ENABLED_PSK is "no": compile PSK out if neither lean PSK
# nor stunnel needs it, otherwise turn it back on. The two inner conditions
# cannot both hold, so at most one branch runs.
if test "$ENABLED_PSK" = "no"; then
    if test "$ENABLED_LEANPSK" = "no" && test "x$ENABLED_STUNNEL" = "xno"; then
        AM_CFLAGS="$AM_CFLAGS -DNO_PSK"
    elif test "$ENABLED_LEANPSK" = "yes" || test "x$ENABLED_STUNNEL" = "xyes"; then
        ENABLED_PSK=yes
    fi
fi
9453
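# tcpdump integration (--enable-tcpdump, off by default).
AC_ARG_ENABLE([tcpdump],
    [AS_HELP_STRING([--enable-tcpdump],[Enable tcpdump (default: disabled)])],
    [ENABLED_TCPDUMP=$enableval],
    [ENABLED_TCPDUMP=no])
# tcpdump support requires all the features enabled within this conditional.
if test "$ENABLED_TCPDUMP" = "yes"; then
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi

    # 3DES (legacy) only for non-FIPS builds or FIPS versions below 5. The
    # version is quoted to match the other HAVE_FIPS_VERSION tests in this
    # file and to avoid word splitting.
    if test "$ENABLED_DES3" = "no" && (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -lt 5); then
        ENABLED_DES3="yes"
    fi
fi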
9474
# sblim-sfcb integration (--enable-sblim-sfcb, off by default).
AC_ARG_ENABLE([sblim-sfcb],
    [AS_HELP_STRING([--enable-sblim-sfcb],[Enable sblim-sfcb support (default: disabled)])],
    [ENABLED_SBLIM_SFCB=$enableval],
    [ENABLED_SBLIM_SFCB=no])
# sblim-sfcb support requires all the features enabled within this conditional.
if test "$ENABLED_SBLIM_SFCB" = "yes"; then
    # OpenSSL compatibility layer, unless coexisting with OpenSSL.
    if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
    fi

    # Certificate generation.
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi

    AM_CFLAGS="$AM_CFLAGS -DHAVE_SBLIM_SFCB -DWOLFSSL_SIGNER_DER_CERT"
fi
9498
# libest integration (--enable-libest, off by default).
AC_ARG_ENABLE([libest],
    [AS_HELP_STRING([--enable-libest],[Enable libest (default: disabled)])],
    [ENABLED_LIBEST=$enableval],
    [ENABLED_LIBEST=no])

if test "$ENABLED_LIBEST" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DHAVE_LIBEST -DWOLFSSL_ALT_NAMES -DWOLFSSL_PSS_SALT_LEN_DISCOVER"

    # Needs opensslextra and opensslall, unless coexisting with OpenSSL.
    # NOTE(review): the either-side, RSA no-padding and RSA-PSS defines are
    # appended only inside this branch, so they are skipped when opensslall
    # was already on - confirm that is intended. WC_RSA_NO_PADDING, by its
    # name, exposes unpadded RSA and deserves a check that nothing reaches
    # it with untrusted input.
    if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"; then
        ENABLED_OPENSSLALL="yes"
        ENABLED_OPENSSLEXTRA="yes"
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT"
    fi

    # OCSP and PKCS7: only the flag variables are set here.
    if test "x$ENABLED_OCSP" = "xno"; then
        ENABLED_OCSP="yes"
    fi
    if test "x$ENABLED_PKCS7" = "xno"; then
        ENABLED_PKCS7="yes"
    fi

    # Certificate generation, requests and extensions.
    if test "x$ENABLED_CERTGEN" = "xno"; then
        ENABLED_CERTGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
    fi
    if test "x$ENABLED_CERTREQ" = "xno"; then
        ENABLED_CERTREQ="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
    fi
    if test "x$ENABLED_CERTEXT" = "xno"; then
        ENABLED_CERTEXT="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
    fi

    # CRL.
    if test "x$ENABLED_CRL" = "xno"; then
        ENABLED_CRL="yes"
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
    fi

    # SRP.
    if test "x$ENABLED_SRP" = "xno"; then
        ENABLED_SRP="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP"
    fi

    # Key generation.
    if test "x$ENABLED_KEYGEN" = "xno"; then
        ENABLED_KEYGEN="yes"
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
    fi

    # Session certificates.
    if test "x$ENABLED_SESSIONCERTS" = "xno"; then
        ENABLED_SESSIONCERTS="yes"
        AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
    fi

    # DSA is only recommended, never forced: a warning is printed instead.
    if test "x$ENABLED_DSA" = "xno"; then
        AC_MSG_WARN([Enabling DSA with --enable-dsa is recommended for libest])
    fi
fi
9582
# MD4 is a broken legacy hash. When it is off, it is turned back on for
# stunnel, wpa_supplicant and Kerberos builds, and compiled out otherwise.
# NOTE(review): the wpa_supplicant test is "not equal to no", so an unset or
# empty ENABLED_WPAS also re-enables MD4 - confirm it always holds a value by
# the time this runs.
if test "$ENABLED_MD4" = "no"; then
    if test "x$ENABLED_STUNNEL" = "xyes" || test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_KRB" = "xyes"; then
        ENABLED_MD4="yes"
    else
        AM_CFLAGS="$AM_CFLAGS -DNO_MD4"
    fi
fi
9593
9594
# PEM encrypted private key support (--enable-enckeys, off by default).
AC_ARG_ENABLE([enckeys],
    [AS_HELP_STRING([--enable-enckeys],[Enable PEM encrypted private key support (default: disabled)])],
    [ENABLED_ENCKEYS=$enableval],
    [ENABLED_ENCKEYS=no])

# Forced on by opensslextra, the web server profile, or any wpa_supplicant
# setting other than "no", overriding an explicit --disable-enckeys.
if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_WEBSERVER" = "yes" || test "$ENABLED_WPAS" != "no"; then
    ENABLED_ENCKEYS=yes
fi

if test "$ENABLED_ENCKEYS" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ENCRYPTED_KEYS"
fi
9611
9612
# PKCS#12 (--enable-pkcs12). The default is "yes" except when ASN support is
# off or the FIPS version is "rand".
if test "$ENABLED_ASN" = "no" || test "$FIPS_VERSION" = "rand"; then
    PKCS12_DEFAULT=no
else
    PKCS12_DEFAULT=yes
fi
AC_ARG_ENABLE([pkcs12],
    [AS_HELP_STRING([--enable-pkcs12],[Enable pkcs12 (default: enabled)])],
    [ENABLED_PKCS12=$enableval],
    [ENABLED_PKCS12=$PKCS12_DEFAULT])

if test "x$ENABLED_PKCS12" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_PKCS12"
fi
9630
# Password-based key derivation. This has to come after certservice, since it
# should be on without being requested explicitly: opensslextra, opensslall,
# webserver, enckeys and pkcs12 all need it. It is compiled out only when
# none of them is enabled.
if test "$ENABLED_PWDBASED" = "no"; then
    if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \
       test "$ENABLED_WEBSERVER" = "yes" || test "$ENABLED_ENCKEYS" = "yes" || \
       test "$ENABLED_PKCS12" = "yes"; then
        ENABLED_PWDBASED=yes
    else
        AM_CFLAGS="$AM_CFLAGS -DNO_PWDBASED"
    fi
fi
9644
9645
# scrypt (--enable-scrypt, off by default). Configuration stops with an error
# when scrypt is requested while pwdbased is disabled.
AC_ARG_ENABLE([scrypt],
    [AS_HELP_STRING([--enable-scrypt],[Enable SCRYPT (default: disabled)])],
    [ENABLED_SCRYPT=$enableval],
    [ENABLED_SCRYPT=no])

if test "$ENABLED_SCRYPT" = "yes"; then
    if test "$ENABLED_PWDBASED" = "no"; then
        AC_MSG_ERROR([cannot enable scrypt without enabling pwdbased.])
    fi
    AM_CFLAGS="$AM_CFLAGS -DHAVE_SCRYPT"
fi
9660
9661
# wolfCrypt-only build: rejected in combination with opensslall.
if test "$ENABLED_CRYPTONLY" = "yes"; then
    if test "$ENABLED_OPENSSLALL" = "yes"; then
        AC_MSG_ERROR([cryptonly and opensslall are mutually incompatible.])
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"
fi

# Checks that apply only when the TLS layer is part of the build.
if test "x$ENABLED_CRYPTONLY" = "xno"; then
    # With ASN disabled, PSK has to be available.
    if test "x$ENABLED_PSK" = "xno" && test "x$ENABLED_ASN" = "xno"; then
        AC_MSG_ERROR([please enable psk if disabling asn.])
    fi

    # For TLS connections the intermediate hash needs to store its buffer,
    # both with AF_ALG and with /dev/crypto.
    if test "$ENABLED_AFALG" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_HASH_KEEP"
    fi
    if test "$ENABLED_DEVCRYPTO" = "yes"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH_KEEP"
    fi
fi
9691
9692
# Example programs (--enable-examples). On by default, except for kernel-mode
# builds; always off without a filesystem or in a wolfCrypt-only build.
ENABLED_EXAMPLES_DEFAULT=yes
if test "$HAVE_KERNEL_MODE" = "yes"; then
    ENABLED_EXAMPLES_DEFAULT=no
fi
AC_ARG_ENABLE([examples],
    [AS_HELP_STRING([--enable-examples],[Enable Examples (default: enabled)])],
    [ENABLED_EXAMPLES=$enableval],
    [ENABLED_EXAMPLES=$ENABLED_EXAMPLES_DEFAULT])

AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"])
AS_IF([test "x$ENABLED_CRYPTONLY" = "xyes"], [ENABLED_EXAMPLES="no"])
9708
9709
# wolfCrypt test and benchmark programs (--enable-crypttests). On by default,
# except for kernel-mode builds.
ENABLED_CRYPT_TESTS_DEFAULT=yes
if test "$HAVE_KERNEL_MODE" = "yes"; then
    ENABLED_CRYPT_TESTS_DEFAULT=no
fi
AC_ARG_ENABLE([crypttests],
    [AS_HELP_STRING([--enable-crypttests],[Enable Crypt Bench/Test (default: enabled)])],
    [ENABLED_CRYPT_TESTS=$enableval],
    [ENABLED_CRYPT_TESTS=$ENABLED_CRYPT_TESTS_DEFAULT])
AC_SUBST([ENABLED_CRYPT_TESTS])

if test "$ENABLED_CRYPT_TESTS" = "no"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_CRYPT_TEST"
fi
9728
# Optionally build the wolfCrypt test and benchmark code as libraries:
# test.c and benchmark.c are compiled and their functions exported through
# libwolfcrypttest and libwolfcryptbench. Off by default; the API of these
# libraries should NOT be treated as stable.
AC_ARG_ENABLE([crypttests-libs],
    [AS_HELP_STRING([--enable-crypttests-libs],[Enable wolfcrypt test and benchmark libraries (default: disabled)])],
    [ENABLED_CRYPT_TESTS_LIBS=$enableval],
    [ENABLED_CRYPT_TESTS_LIBS=no])
9738
# zlib support via --with-libz, optionally pointing at an install prefix.
ENABLED_LIBZ="no"
trylibzdir=""
AC_ARG_WITH([libz],
    [ --with-libz=PATH PATH to libz install (default /usr/) ],
    [
        # NOTE(review): this action also runs for --without-libz, where
        # withval is no. In that case the first link test alone decides,
        # and on failure the search prefix stays empty - confirm intended.
        AC_MSG_CHECKING([for libz])
        CPPFLAGS="$CPPFLAGS -DHAVE_LIBZ"
        LIBS="$LIBS -lz"

        # First attempt: link against zlib with the default search paths.
        AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <zlib.h>]], [[ deflateInit(0, 8); ]])],[ libz_linked=yes ],[ libz_linked=no ])

        if test "x$libz_linked" = "xno"; then
            # Second attempt: add the given prefix, or /usr for a bare
            # --with-libz, to the search paths and link again.
            if test "x$withval" != "xno"; then
                trylibzdir=$withval
            fi
            if test "x$withval" = "xyes"; then
                trylibzdir="/usr"
            fi

            LDFLAGS="$LDFLAGS -L$trylibzdir/lib"
            CPPFLAGS="$CPPFLAGS -I$trylibzdir/include"

            AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <zlib.h>]], [[ deflateInit(0, 8); ]])],[ libz_linked=yes ],[ libz_linked=no ])

            if test "x$libz_linked" = "xno"; then
                AC_MSG_ERROR([libz isn't found.
 If it's already installed, specify its path using --with-libz=/dir/])
            fi
            AC_MSG_RESULT([yes])
        else
            AC_MSG_RESULT([yes])
        fi
        ENABLED_LIBZ="yes"
    ]
)
9775
9776
# PKCS#11 access (--enable-pkcs11, off by default). Any value other than "no"
# enables it; "static" selects the static variant and is then normalised to
# "yes", while every other value links libdl.
AC_ARG_ENABLE([pkcs11],
    [AS_HELP_STRING([--enable-pkcs11],[Enable pkcs11 access (default: disabled)])],
    [ENABLED_PKCS11=$enableval],
    [ENABLED_PKCS11=no])

if test "x$ENABLED_PKCS11" != "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11 -DHAVE_WOLF_BIGINT"
    if test "x$ENABLED_PKCS11" = "xstatic"; then
        AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11_STATIC"
        ENABLED_PKCS11="yes"
    else
        LIBS="$LIBS -ldl"
    fi
fi
9795
9796
# PKCS#8 key packages (--enable-pkcs8, on by default); compiled out on "no".
AC_ARG_ENABLE([pkcs8],
    [AS_HELP_STRING([--enable-pkcs8],[Enable PKCS #8 key packages (default: enabled)])],
    [ENABLED_PKCS8=$enableval],
    [ENABLED_PKCS8=yes])

if test "x$ENABLED_PKCS8" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"
fi
9808
9809
# Cavium accelerator support via --with-cavium=PATH. A path is mandatory and
# a successful link test switches the build to static-only.
trycaviumdir=""
AC_ARG_WITH([cavium],
    [ --with-cavium=PATH PATH to cavium/software dir ],
    [
        AC_MSG_CHECKING([for cavium])
        LIB_ADD="-lrt $LIB_ADD"

        if test "x$withval" = "xyes"; then
            AC_MSG_ERROR([need a PATH for --with-cavium])
        fi
        if test "x$withval" != "xno"; then
            trycaviumdir=$withval
        fi

        # NOTE(review): CPPFLAGS and LDFLAGS are rebuilt from the AM_
        # variables here, so values the user passed in CPPFLAGS or LDFLAGS
        # are not carried into the link test - confirm that is intended.
        CPPFLAGS="$AM_CPPFLAGS -DHAVE_CAVIUM -I$trycaviumdir/include"
        LDFLAGS="$AM_LDFLAGS $trycaviumdir/api/cavium_common.o"

        AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cavium_common.h"]], [[ CspShutdown(CAVIUM_DEV_ID); ]])],[ cavium_linked=yes ],[ cavium_linked=no ])

        if test "x$cavium_linked" = "xno"; then
            AC_MSG_ERROR([cavium isn't found.
 If it's already installed, specify its path using --with-cavium=/dir/])
        else
            # Keep the flags that made the link test pass.
            AM_CPPFLAGS="$CPPFLAGS"
            AM_LDFLAGS="$LDFLAGS"
        fi
        AC_MSG_RESULT([yes])
        enable_shared=no
        enable_static=yes
        ENABLED_CAVIUM=yes
    ],
    [ENABLED_CAVIUM=no]
)
9844
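# Cavium V (Nitrox) support via --with-cavium-v=PATH. A path is mandatory,
# the Nitrox static library must exist under it, and the build becomes
# static-only.
trycaviumdir=""
AC_ARG_WITH([cavium-v],
    [ --with-cavium-v=PATH PATH to Cavium V/software dir ],
    [
        AC_MSG_CHECKING([for cavium])
        AM_CFLAGS="$AM_CFLAGS -DHAVE_CAVIUM -DHAVE_CAVIUM_V"
        LIB_ADD="-lrt -lcrypto $LIB_ADD"

        # The message names the option the user actually passed.
        if test "x$withval" = "xyes"; then
            AC_MSG_ERROR([need a PATH for --with-cavium-v])
        fi
        if test "x$withval" != "xno"; then
            trycaviumdir=$withval
        fi

        # Quoted so that a prefix containing spaces is tested as one path.
        if test -e "$trycaviumdir/lib/libnitrox.a"; then
            AM_CPPFLAGS="-I$trycaviumdir/include $AM_CPPFLAGS"
        else
            ENABLED_CAVIUM_V=no
        fi
        LIB_STATIC_ADD="$trycaviumdir/lib/libnitrox.a $LIB_STATIC_ADD"

        if test "$ENABLED_CAVIUM_V" = "no"; then
            AC_MSG_ERROR([Could not find Nitrox library])
        fi
        # Close the "checking for cavium" line, as the cavium and octeon
        # options do.
        AC_MSG_RESULT([yes])

        enable_shared=no
        enable_static=yes
        # NOTE(review): this sets the lowercase option variable; it only
        # takes effect if the opensslextra option is parsed after this
        # point, which is not visible here.
        enable_opensslextra=yes

        ENABLED_CAVIUM=yes
        ENABLED_CAVIUM_V=yes
    ],
    [
        ENABLED_CAVIUM=no
        ENABLED_CAVIUM_V=no
    ]
)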
9885
9886
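# Cavium Octeon (sync) support via --with-octeon-sync=PATH. OCTEON_OBJ and
# OCTEON_HOST can be preset in the environment; the values below are used
# only when they are unset.
# NOTE(review): OCTEON_MODEL is expanded into a define but gets no default in
# this block - presumably it comes from the environment; verify.
OCTEON_ROOT=""
: ${OCTEON_OBJ="obj-octeon2"}
: ${OCTEON_HOST="standalone"}

AC_ARG_WITH([octeon-sync],
    [AS_HELP_STRING([--with-octeon-sync=PATH],[PATH to Cavium Octeon SDK dir (sync)])],
    [
        AC_MSG_CHECKING([for octeon])

        # The message names the option the user actually passed.
        if test "x$withval" = "xyes"; then
            AC_MSG_ERROR([need a PATH for --with-octeon-sync])
        fi
        if test "x$withval" != "xno"; then
            OCTEON_ROOT=$withval
        fi

        AM_CFLAGS="$AM_CFLAGS -DHAVE_CAVIUM_OCTEON_SYNC"
        AM_CFLAGS="$AM_CFLAGS -DOCTEON_MODEL=$OCTEON_MODEL"
        AM_CFLAGS="$AM_CFLAGS -I$OCTEON_ROOT/executive"
        AS_CASE([$OCTEON_HOST],['linux'],[AM_CFLAGS="$AM_CFLAGS -DCVMX_BUILD_FOR_LINUX_HOST"])

        #-I$OCTEON_ROOT/target/include
        AM_LDFLAGS="$AM_LDFLAGS -lrt -Xlinker -T -Xlinker $OCTEON_ROOT/executive/cvmx-shared-linux.ld"
        AM_LDFLAGS="$AM_LDFLAGS -L$OCTEON_ROOT/executive/$OCTEON_OBJ -lcvmx -lfdt"

        # The SDK is linked statically only.
        enable_shared=no
        enable_static=yes

        ENABLED_OCTEON_SYNC=yes
        AC_MSG_RESULT([yes])
    ],
    [ENABLED_OCTEON_SYNC=no]
)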
9921
9922
9923# Intel QuickAssist
9924QAT_DIR=""
9925BUILD_INTEL_QAT_VERSION=2
9926
9927AC_ARG_WITH([intelqa],
9928 [AS_HELP_STRING([--with-intelqa=PATH],[PATH to Intel QuickAssist (QAT) driver dir])],
9929 [ENABLED_INTEL_QA=yes; QAT_DIR=$withval],
9930 [ENABLED_INTEL_QA=no])
9931
9932AC_ARG_WITH([intelqa-sync],
9933 [AS_HELP_STRING([--with-intelqa-sync=PATH],[PATH to Intel QuickAssist (QAT) driver dir (sync)])],
9934 [ENABLED_INTEL_QA_SYNC=yes; QAT_DIR=$withval],
9935 [ENABLED_INTEL_QA_SYNC=no])
9936
9937AS_IF([test "x$ENABLED_INTEL_QA" = "xyes" && test "x$ENABLED_INTEL_QA_SYNC" = "xyes"],
9938 [AC_MSG_ERROR([Both Intel QA Async and Sync are selected, only select one.])])
9939
9940AS_IF([test "x$ENABLED_INTEL_QA" = "xyes" || test "x$ENABLED_INTEL_QA_SYNC" = "xyes"],
9941 [AC_MSG_CHECKING([for intelqa])
9942 AS_IF([test "x$ENABLED_INTEL_QA" = "xyes"],
9943 [AM_CPPFLAGS="$AM_CPPFLAGS -DHAVE_INTEL_QA -DDO_CRYPTO -DUSER_SPACE"; intelqa_opt=""],
9944 [AM_CPPFLAGS="$AM_CPPFLAGS -DHAVE_INTEL_QA_SYNC -DQAT_USE_POLLING_THREAD -DO_CRYPTO -DUSER_SPACE"; intelqa_opt="-sync"])
9945 OLD_LIBS="$LIBS"
9946 OLD_CPPFLAGS="$CPPFLAGS"
9947
9948 AS_IF([test "x$QAT_DIR" = "xyes"],[AC_MSG_ERROR([need a PATH for --with-intelqa$intelqa_opt])])
9949
9950 QAT_FLAGS="-I$QAT_DIR/quickassist/include -I$QAT_DIR/quickassist/include/lac -I$QAT_DIR/quickassist/utilities/osal/include \
9951 -I$QAT_DIR/quickassist/utilities/osal/src/linux/user_space/include -I$QAT_DIR/quickassist/lookaside/access_layer/include \
9952 -I$QAT_DIR/quickassist/lookaside/access_layer/src/common/include -I$srcdir/wolfssl -I$srcdir/wolfssl/wolfcrypt/port/intel \
9953 -I$QAT_DIR/quickassist/utilities/libusdm_drv -I$QAT_DIR/quickassist/include/icp"
9954 AM_CPPFLAGS="$AM_CPPFLAGS $QAT_FLAGS"
9955 CPPFLAGS="$AM_CPPFLAGS"
9956
9957 LDFLAGS="$LDFLAGS -L$QAT_DIR/build"
9958 LIBS="$LIBS -lqat_s -lusdm_drv_s"
9959
9960 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cpa_cy_common.h"]],[[Cpa16U count = 0; cpaCyGetNumInstances(&count);]])],[intelqa_linked=yes],[intelqa_linked=no])
9961
9962 AS_IF([test "x$intelqa_linked" = "xno"],
9963 [# Try old QAT driver libraries
9964 LIBS="$OLD_LIBS -licp_qa_al_s"
9965 AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "cpa_cy_common.h"]],[[Cpa16U count = 0; cpaCyGetNumInstances(&count);]])],[intelqa_linked=yes],[intelqa_linked=no])
9966 AS_IF([test "x$intelqa_linked" = "xno"],
9967 [AC_MSG_ERROR([Intel QuickAssist not found. If it's already installed, specify its path using --with-intelqa$intelqa_opt=/dir/])],
9968 [BUILD_INTEL_QAT_VERSION=1])
9969 ])
9970
9971 AC_MSG_RESULT([yes])
9972
9973 AS_IF([test "x$BUILD_INTEL_QAT_VERSION" = "x1"],
9974 [LIB_ADD="-ladf_proxy -losal -lrt $LIB_ADD"],
9975 [LIB_ADD="-losal -lrt $LIB_ADD"])
9976 CPPFLAGS="$OLD_CPPFLAGS"
9977])
9978
9979################################################################################
9980# Single Precision option handling #
9981################################################################################
9982
9983ENABLED_SP_RSA=no
9984ENABLED_SP_DH=no
9985ENABLED_SP_FF_2048=no
9986ENABLED_SP_FF_3072=no
9987ENABLED_SP_FF_4096=no
9988ENABLED_SP_ECC=no
9989ENABLED_SP_EC_256=no
9990ENABLED_SP_EC_384=no
9991ENABLED_SP_EC_521=no
9992ENABLED_SP_SM2=$ENABLED_SM2
9993ENABLED_SP_SAKKE_1024=$ENABLED_SAKKE
9994ENABLED_SP_NO_MALLOC=no
9995ENABLED_SP_NONBLOCK=no
9996ENABLED_SP_SMALL=no
9997for v in `echo $ENABLED_SP | tr "," " "`
9998do
9999 case $v in
10000 small)
10001 ENABLED_SP_SMALL=yes
10002 ENABLED_SP_RSA=yes
10003 ENABLED_SP_DH=yes
10004 ENABLED_SP_FF_2048=yes
10005 ENABLED_SP_FF_3072=yes
10006 ENABLED_SP_ECC=yes
10007 ENABLED_SP_EC_256=yes
10008 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"; then
10009 ENABLED_SP_FF_4096=yes
10010 ENABLED_SP_EC_384=yes
10011 ENABLED_SP_EC_521=yes
10012 fi
10013 ;;
10014
10015 smallfast)
10016 ENABLED_SP_SMALL=yes
10017 ENABLED_SP_RSA=yes
10018 ENABLED_SP_DH=yes
10019 ENABLED_SP_FF_2048=yes
10020 ENABLED_SP_FF_3072=yes
10021 ENABLED_SP_ECC=yes
10022 ENABLED_SP_EC_256=yes
10023 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"; then
10024 ENABLED_SP_FF_4096=yes
10025 ENABLED_SP_EC_384=yes
10026 ENABLED_SP_EC_521=yes
10027 fi
10028 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_FAST_MODEXP"
10029 ;;
10030
10031 yes)
10032 ENABLED_SP_RSA=yes
10033 ENABLED_SP_DH=yes
10034 ENABLED_SP_FF_2048=yes
10035 ENABLED_SP_FF_3072=yes
10036 ENABLED_SP_ECC=yes
10037 ENABLED_SP_EC_256=yes
10038 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"; then
10039 ENABLED_SP_FF_4096=yes
10040 ENABLED_SP_EC_384=yes
10041 ENABLED_SP_EC_521=yes
10042 fi
10043 ;;
10044
10045 no)
10046 ;;
10047
10048 smallec256 | smallp256 | small256)
10049 ENABLED_SP_SMALL=yes
10050 ENABLED_SP_ECC=yes
10051 ENABLED_SP_EC_256=yes
10052 ;;
10053 ec256 | p256 | 256)
10054 ENABLED_SP_ECC=yes
10055 ENABLED_SP_EC_256=yes
10056 ;;
10057 smallec384 | smallp384 | small384)
10058 ENABLED_SP_SMALL=yes
10059 ENABLED_SP_ECC=yes
10060 ENABLED_SP_EC_384=yes
10061 ;;
10062 ec384 | p384 | 384)
10063 ENABLED_SP_ECC=yes
10064 ENABLED_SP_EC_384=yes
10065 ;;
10066 smallec521 | smallp521 | small521)
10067 ENABLED_SP_SMALL=yes
10068 ENABLED_SP_ECC=yes
10069 ENABLED_SP_EC_521=yes
10070 ;;
10071 ec521 | p521 | 521)
10072 ENABLED_SP_ECC=yes
10073 ENABLED_SP_EC_521=yes
10074 ;;
10075 smallec1024 | smallp1024 | small1024)
10076 ENABLED_SP_ECC=yes
10077 ENABLED_SP_SMALL=yes
10078 ENABLED_SP_SAKKE_1024=yes
10079 ;;
10080 ec1024 | p1024 | 1024)
10081 ENABLED_SP_ECC=yes
10082 ENABLED_SP_SAKKE_1024=yes
10083 ;;
10084 smallsm2)
10085 ENABLED_SP_SMALL=yes
10086 ENABLED_SP_ECC=yes
10087 ENABLED_SP_SM2=yes
10088 ;;
10089 sm2)
10090 ENABLED_SP_ECC=yes
10091 ENABLED_SP_SM2=yes
10092 ;;
10093
10094 small2048)
10095 ENABLED_SP_SMALL=yes
10096 ENABLED_SP_RSA=yes
10097 ENABLED_SP_DH=yes
10098 ENABLED_SP_FF_2048=yes
10099 ;;
10100 2048)
10101 ENABLED_SP_RSA=yes
10102 ENABLED_SP_DH=yes
10103 ENABLED_SP_FF_2048=yes
10104 ;;
10105 smallrsa2048)
10106 ENABLED_SP_SMALL=yes
10107 ENABLED_SP_RSA=yes
10108 ENABLED_SP_FF_2048=yes
10109 ;;
10110 rsa2048)
10111 ENABLED_SP_RSA=yes
10112 ENABLED_SP_FF_2048=yes
10113 ;;
10114
10115 small3072)
10116 ENABLED_SP_SMALL=yes
10117 ENABLED_SP_RSA=yes
10118 ENABLED_SP_DH=yes
10119 ENABLED_SP_FF_3072=yes
10120 ;;
10121 3072)
10122 ENABLED_SP_RSA=yes
10123 ENABLED_SP_DH=yes
10124 ENABLED_SP_FF_3072=yes
10125 ;;
10126 smallrsa3072)
10127 ENABLED_SP_SMALL=yes
10128 ENABLED_SP_RSA=yes
10129 ENABLED_SP_FF_3072=yes
10130 ;;
10131 rsa3072)
10132 ENABLED_SP_RSA=yes
10133 ENABLED_SP_FF_3072=yes
10134 ;;
10135
10136 small4096)
10137 ENABLED_SP_SMALL=yes
10138 ENABLED_SP_RSA=yes
10139 ENABLED_SP_DH=yes
10140 ENABLED_SP_FF_4096=yes
10141 ;;
10142 4096 | +4096)
10143 ENABLED_SP_RSA=yes
10144 ENABLED_SP_DH=yes
10145 ENABLED_SP_FF_4096=yes
10146 ;;
10147 smallrsa4096)
10148 ENABLED_SP_SMALL=yes
10149 ENABLED_SP_RSA=yes
10150 ENABLED_SP_FF_4096=yes
10151 ;;
10152 rsa4096)
10153 ENABLED_SP_RSA=yes
10154 ENABLED_SP_FF_4096=yes
10155 ;;
10156
10157 smallstack)
10158 ENABLED_SP_SMALL_STACK=yes
10159 ;;
10160
10161 nomalloc)
10162 ENABLED_SP_NO_MALLOC=yes
10163 ;;
10164
10165 nonblock)
10166 # Requires small and no malloc
10167 ENABLED_SP_NONBLOCK=yes
10168 ENABLED_SP_NO_MALLOC=yes
10169 ENABLED_SP_SMALL=yes
10170 ;;
10171
10172 asm)
10173 ENABLED_SP_ASM=yes
10174 ;;
10175
10176 noasm)
10177 ENABLED_SP_ASM=no
10178 ;;
10179
10180 *)
10181 AC_MSG_ERROR([Invalid choice of Single Precision length in bits [256, 384, 521, 1024, 2048, 3072, 4096]: $ENABLED_SP.])
10182 break;;
10183 esac
10184done
10185
10186ENABLED_SP_LINE="$ENABLE_SP"
10187ENABLED_SP=no
10188if test "$ENABLED_RSA" = "yes" && test "$ENABLED_SP_RSA" = "yes"; then
10189 ENABLED_SP=yes
10190 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SP_RSA"
10191 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SP_RSA"
10192fi
10193if test "$ENABLED_DH" != "no" && test "$ENABLED_SP_DH" = "yes"; then
10194 ENABLED_SP=yes
10195 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SP_DH"
10196 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SP_DH"
10197fi
10198if test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes"; then
10199 if test "$ENABLED_SP_FF_2048" = "no"; then
10200 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_2048"
10201 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_2048"
10202 fi
10203 if test "$ENABLED_SP_FF_3072" = "no"; then
10204 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_3072"
10205 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_3072"
10206 fi
10207 if test "$ENABLED_SP_FF_4096" = "yes"; then
10208 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_4096"
10209 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_4096"
10210 fi
10211
10212 case $host_cpu in
10213 *x86_64* | *aarch64* | *amd64*)
10214 if test "$ENABLED_SP_SMALL" = "no"; then
10215 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_LARGE_CODE"
10216 fi
10217 ;;
10218 *)
10219 ;;
10220 esac
10221fi
10222if test "$ENABLED_ECC" != "no" && test "$ENABLED_SP_ECC" = "yes"; then
10223 ENABLED_SP=yes
10224 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_SP_ECC"
10225 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_SP_ECC"
10226 if test "$ENABLED_SP_EC_256" = "no"; then
10227 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_256"
10228 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_256"
10229 fi
10230 if test "$ENABLED_SP_EC_384" = "yes"; then
10231 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC384 -DWOLFSSL_SP_384"
10232 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_384"
10233 fi
10234 if test "$ENABLED_SP_EC_521" = "yes"; then
10235 AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC521 -DWOLFSSL_SP_521"
10236 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_521"
10237 fi
10238 if test "$ENABLED_SP_SAKKE_1024" = "yes"; then
10239 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_1024"
10240 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_1024"
10241 fi
10242 if test "$ENABLED_SP_SM2" = "yes"; then
10243 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SM2"
10244 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SM2"
10245 fi
10246fi
10247if test "$ENABLED_SP_SMALL" = "yes"; then
10248 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL"
10249 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL"
10250fi
10251if test "$ENABLED_SP_SMALL_STACK" = "yes"; then
10252 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL_STACK"
10253 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL_STACK"
10254fi
10255if test "$ENABLED_SP_NO_MALLOC" = "yes"; then
10256 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_MALLOC"
10257 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NO_MALLOC"
10258fi
10259if test "$ENABLED_SP_NONBLOCK" = "yes"; then
10260 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NONBLOCK"
10261 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NONBLOCK"
10262fi
10263
10264if test "$ENABLED_SP_MATH" = "yes"; then
10265 if test "$ENABLED_SP" = "no"; then
10266 if test "$ENABLED_RSA" != "no"; then
10267 AC_MSG_ERROR([Must have SP enabled with SP math for RSA: --enable-sp])
10268 fi
10269 if test "$ENABLED_DH" != "no"; then
10270 AC_MSG_ERROR([Must have SP enabled with SP math for DH: --enable-sp])
10271 fi
10272 if test "$ENABLED_ECC" != "no"; then
10273 AC_MSG_ERROR([Must have SP enabled with SP math for ECC: --enable-sp])
10274 fi
10275 fi
10276 if test "$ENABLED_ECCCUSTCURVES" != "no"; then
10277 AC_MSG_ERROR([Cannot use single precision math and custom curves])
10278 fi
10279 if test "$ENABLED_DSA" = "yes"; then
10280 AC_MSG_ERROR([Cannot use single precision math and DSA])
10281 fi
10282 if test "$ENABLED_SRP" = "yes"; then
10283 AC_MSG_ERROR([Cannot use single precision math and SRP])
10284 fi
10285 if test "$ENABLED_SP_RSA" = "no" && test "$ENABLED_RSA" = "yes"; then
10286 AC_MSG_ERROR([Cannot use RSA single precision only math and RSA])
10287 fi
10288 if test "$ENABLED_SP_DH" = "no" && test "$ENABLED_DH" != "no"; then
10289 AC_MSG_ERROR([Cannot use DH single precision only math and DH])
10290 fi
10291fi
10292
10293for v in `echo $ENABLED_SP_MATH_ALL | tr "," " "`
10294do
10295 case $v in
10296 yes | no)
10297 ;;
10298 small)
10299 ENABLED_SP_MATH_ALL="yes"
10300 ENABLED_SP_SMALL="yes"
10301 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL"
10302 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL"
10303 ;;
10304 huge)
10305 ENABLED_SP_MATH_ALL="yes"
10306 ENABLED_FASTHUGEMATH="yes"
10307 AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS"
10308 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_LARGE_COMBA"
10309 ;;
10310 256 | 384 | 521 | 1024 | 2048 | 3072 | 4096)
10311 if test -z "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -o "$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS" -lt "$v"
10312 then
10313 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS="$v"
10314 fi
10315 ENABLED_SP_MATH_ALL="yes"
10316 ;;
10317 nomalloc)
10318 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NO_MALLOC"
10319 ENABLED_SP_MATH_ALL="yes"
10320 ;;
10321 neg)
10322 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_NEGATIVE"
10323 ENABLED_SP_MATH_ALL="yes"
10324 ;;
10325 *)
10326 AC_MSG_ERROR([Support SP int bit sizes: 256, 384, 521, 1024, 2048, 3072, 4096. $ENABLED_SP_MATH_ALL not supported])
10327 ;;
10328 esac
10329done
10330
10331AC_ARG_WITH([arm-target],
10332 [AS_HELP_STRING([--with-arm-target=x],[x can be "thumb" or "cortex"])],
10333 [ARM_TARGET="$withval"],
10334 [ARM_TARGET=''])
10335
10336if test "$ENABLED_SP_MATH_ALL" = "yes" && test "$ENABLED_ASM" != "no"; then
10337
10338 ENABLED_FASTMATH="no"
10339 ENABLED_SLOWMATH="no"
10340
10341 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MATH_ALL"
10342
10343 case $host_cpu in
10344 *x86_64* | *amd64*)
10345 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86_64"
10346 ;;
10347 *x86*)
10348 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86"
10349 ;;
10350 *aarch64*)
10351 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM64 -DWOLFSSL_AARCH64_BUILD"
10352 ;;
10353 *arm*)
10354 if test "$host_alias" = "thumb" || test "$ARM_TARGET" = "thumb"; then
10355 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_THUMB"
10356 else
10357 if test "$host_alias" = "cortex" || test "$ARM_TARGET" = "cortex"; then
10358 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_CORTEX_M"
10359 else
10360 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32"
10361 fi
10362 fi
10363 ;;
10364 *ppc64* | *powerpc64*)
10365 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_PPC64"
10366 ;;
10367 *ppc* | *powerpc*)
10368 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_PPC"
10369 ;;
10370 *mips64*)
10371 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MIPS64"
10372 ;;
10373 *mips*)
10374 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MIPS"
10375 ;;
10376 *riscv32*)
10377 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_RISCV32"
10378 ;;
10379 *riscv64*)
10380 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_RISCV64"
10381 ;;
10382 *s390x*)
10383 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_S390X"
10384 ;;
10385 esac
10386
10387 if test "$ENABLED_FIPS" != "no" || test "$SELFTEST_VERSION" != "none"; then
10388 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_INT_NEGATIVE"
10389 fi
10390fi
10391
10392
10393if test "$ENABLED_SP_ASM" = "yes" && test "$ENABLED_SP" = "yes"; then
10394 if test "$ENABLED_SP_NONBLOCK" = "yes"; then
10395 AC_MSG_ERROR([SP non-blocking not supported with sp-asm])
10396 fi
10397 if test "$ENABLED_ASM" = "no"; then
10398 AC_MSG_ERROR([Assembly code turned off])
10399 fi
10400
10401 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ASM"
10402 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ASM"
10403 case $host_cpu in
10404 *aarch64*)
10405 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM64_ASM"
10406 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM64_ASM"
10407 ENABLED_SP_ARM64_ASM=yes
10408 ;;
10409 *armv7a* | *armv7l*)
10410 if test "$ENABLED_ARMASM" = "no"; then
10411 AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-a -mfpu=neon -DWOLFSSL_ARM_ARCH=7 -marm"
10412 fi
10413 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
10414 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
10415 ENABLED_SP_ARM32_ASM=yes
10416 ;;
10417 *cortex* | *armv7m*)
10418 if test "$ENABLED_ARMASM" = "no"; then
10419 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ARMASM_THUMB2"
10420 AM_CPPFLAGS="$AM_CPPFLAGS -march=armv7-r -DWOLFSSL_ARMASM_THUMB2 -DWOLFSSL_ARM_ARCH=7"
10421 fi
10422 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_CORTEX_M_ASM"
10423 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM_CORTEX_M_ASM"
10424 ENABLED_SP_ARM_CORTEX_ASM=yes
10425 ENABLED_ARM_THUMB=yes
10426 ;;
10427 *armv6*)
10428 if test "$ENABLED_ARMASM" = "no"; then
10429 AM_CPPFLAGS="$AM_CPPFLAGS -march=armv6 -DWOLFSSL_ARM_ARCH=6"
10430 fi
10431 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
10432 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
10433 ENABLED_SP_ARM32_ASM=yes
10434 ;;
10435 *armv4*)
10436 if test "$ENABLED_ARMASM" = "no"; then
10437 AM_CPPFLAGS="$AM_CPPFLAGS -march=armv4 -DWOLFSSL_ARM_ARCH=4"
10438 fi
10439 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
10440 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
10441 ENABLED_SP_ARM32_ASM=yes
10442 ;;
10443 *arm*)
10444 if test "$host_alias" = "thumb" || test "$ARM_TARGET" = "thumb"; then
10445 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM_THUMB_ASM"
10446 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM_THUMB_ASM"
10447 ENABLED_SP_ARM_THUMB_ASM=yes
10448 else
10449 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_ARM32_ASM"
10450 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_ARM32_ASM"
10451 ENABLED_SP_ARM32_ASM=yes
10452 fi
10453 ;;
10454 *x86_64* | *amd64*)
10455 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86_64_ASM"
10456 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_X86_64_ASM"
10457 ENABLED_SP_X86_64_ASM=yes
10458 ;;
10459 *)
10460 AC_MSG_ERROR([SP ASM not available for CPU. Supported CPUs: x86_64, aarch64, arm])
10461 ;;
10462 esac
10463
10464fi
10465
10466
10467if test "$ENABLED_SP_MATH" = "yes"; then
10468 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_MATH"
10469fi
10470
10471################################################################################
10472# End - Single Precision option handling #
10473################################################################################
10474
10475# static memory use
10476AC_ARG_ENABLE([staticmemory],
10477 [AS_HELP_STRING([--enable-staticmemory],[Enable static memory use (default: disabled)])],
10478 [ ENABLED_STATICMEMORY=$enableval ],
10479 [ ENABLED_STATICMEMORY=no ]
10480 )
10481
10482for v in `echo $ENABLED_STATICMEMORY | tr "," " "`
10483do
10484 case $v in
10485 yes)
10486 ;;
10487 no)
10488 ;;
10489 small|lean)
10490 ENABLED_STATICMEMORY=yes
10491 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY_LEAN"
10492 ;;
10493 debug)
10494 ENABLED_STATICMEMORY=yes
10495 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY_DEBUG_CALLBACK"
10496 ;;
10497 *)
10498 AC_MSG_ERROR([Invalid choice for staticmemory.])
10499 break;;
10500 esac
10501done
10502
10503if test "x$ENABLED_STATICMEMORY" = "xyes"
10504then
10505 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY"
10506
10507 if test "x$ENABLED_HEAPMATH" = "xyes"
10508 then
10509 AC_MSG_ERROR([--enable-heapmath is incompatible with --enable-staticmemory.])
10510 fi
10511 if test "$ENABLED_LOWRESOURCE" = "yes" && test "$ENABLED_RSA" = "no"
10512 then
10513 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STATIC_MEMORY_SMALL"
10514 fi
10515fi
10516
10517
10518# microchip api
10519AC_ARG_ENABLE([mcapi],
10520 [AS_HELP_STRING([--enable-mcapi],[Enable Microchip API (default: disabled)])],
10521 [ ENABLED_MCAPI=$enableval ],
10522 [ ENABLED_MCAPI=no ]
10523 )
10524
10525if test "$ENABLED_MCAPI" = "yes"
10526then
10527 AM_CFLAGS="$AM_CFLAGS -DHAVE_MCAPI"
10528 if test "x$ENABLED_AESCTR" != "xyes"
10529 then
10530 # These flags are already implied by --enable-aesctr
10531 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT"
10532 fi
10533 if test "x$ENABLED_AESGCM" != "xyes" && test "x$ENABLED_AESGCM" != "xno"
10534 then
10535 # Use the smaller object size implementation
10536 ENABLED_AESGCM=yes
10537 fi
10538
10539 ENABLED_MD5=yes
10540fi
10541
10542if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_SHA512" = "no"
10543then
10544 AC_MSG_ERROR([please enable sha512 if enabling mcapi.])
10545fi
10546
10547if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_ECC" = "no"
10548then
10549 AC_MSG_ERROR([please enable ecc if enabling mcapi.])
10550fi
10551
10552if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_LIBZ" = "no"
10553then
10554 AC_MSG_ERROR([please use --with-libz if enabling mcapi.])
10555fi
10556
10557
10558# cryptodev is old name, replaced with cryptocb
10559AC_ARG_ENABLE([cryptodev],
10560 [AS_HELP_STRING([--enable-cryptodev],[DEPRECATED, use cryptocb instead])],
10561 [ ENABLED_CRYPTOCB=$enableval ],[ ENABLED_CRYPTOCB=no ])
10562
10563# Support for crypto callbacks
10564AC_ARG_ENABLE([cryptocb],
10565 [AS_HELP_STRING([--enable-cryptocb],
10566 [Enable crypto callbacks (default: disabled). Use 'no-default-devid' to enable without a platform-specific default device ID])],
10567[
10568 case "$enableval" in
10569 no-default-devid)
10570 ENABLED_CRYPTOCB=yes
10571 AM_CPPFLAGS="$AM_CPPFLAGS -DWC_NO_DEFAULT_DEVID"
10572 ;;
10573 *)
10574 ENABLED_CRYPTOCB="$enableval"
10575 ;;
10576 esac
10577],
10578[ ENABLED_CRYPTOCB=no ])
10579
10580# Enable testing of cryptoCb using software crypto. On platforms where wolfCrypt tests
10581# are used to test a custom cryptoCb, it may be desired to disable this so wolfCrypt tests
10582# don't also test software implementations of every algorithm
10583AC_ARG_ENABLE([cryptocb-sw-test],
10584 [AS_HELP_STRING([--disable-cryptocb-sw-test],[Disable wolfCrypt crypto callback tests using software crypto (default: enabled). Only valid with --enable-cryptocb])],
10585 [ if test "x$ENABLED_CRYPTOCB" = "xno"; then
10586 AC_MSG_ERROR([--disable-cryptocb-sw-test requires --enable-cryptocb])
10587 else
10588 ENABLED_CRYPTOCB_SW_TEST=$enableval
10589 fi ],
10590 [ ENABLED_CRYPTOCB_SW_TEST=yes ]
10591 )
10592
10593if test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_WOLFTPM" = "xyes" || test "$ENABLED_CAAM" != "no"
10594then
10595 ENABLED_CRYPTOCB=yes
10596fi
10597if test "$ENABLED_CRYPTOCB" = "yes"
10598then
10599 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB"
10600fi
10601
10602if test "$ENABLED_CRYPTOCB_SW_TEST" = "no"
10603then
10604 AM_CFLAGS="$AM_CFLAGS -DWC_TEST_NO_CRYPTOCB_SW_TEST"
10605fi
10606
10607# Crypto Callbacks Utils (Copy/Free/etc)
10608AC_ARG_ENABLE([cryptocbutils],
10609 [AS_HELP_STRING([--enable-cryptocbutils@<:@=copy,free,setkey,export,...@:>@],
10610 [Enable crypto callback utilities (default: all)])],
10611 [ ENABLED_CRYPTOCB_UTILS=$enableval ],
10612 [ ENABLED_CRYPTOCB_UTILS=no ]
10613)
10614
10615if test "$ENABLED_CRYPTOCB_UTILS" != "no"; then
10616 if test "$ENABLED_CRYPTOCB" = "no"; then
10617 AC_MSG_ERROR([--enable-cryptocbutils requires --enable-cryptocb])
10618 fi
10619
10620 if test "$ENABLED_CRYPTOCB_UTILS" = "yes"; then
10621 # Enable all utilities
10622 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_COPY -DWOLF_CRYPTO_CB_FREE -DWOLF_CRYPTO_CB_SETKEY -DWOLF_CRYPTO_CB_EXPORT_KEY"
10623 else
10624 # Parse comma-separated list
10625 OIFS="$IFS"
10626 IFS=','
10627 for util in $ENABLED_CRYPTOCB_UTILS; do
10628 case "$util" in
10629 copy)
10630 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_COPY"
10631 ;;
10632 free)
10633 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_FREE"
10634 ;;
10635 setkey)
10636 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_SETKEY"
10637 ;;
10638 export)
10639 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_EXPORT_KEY"
10640 ;;
10641 *)
10642 AC_MSG_ERROR([Unknown cryptocbutils option: $util. Valid options: copy, free, setkey, export])
10643 ;;
10644 esac
10645 done
10646 IFS="$OIFS"
10647 fi
10648fi
10649
10650# Crypto callback RSA padding support
10651# When enabled, the RSA crypto callback args struct exposes the RsaPadding
10652# parameters so the callback can perform RSA padding/unpadding itself or
10653# offload it together with the modular exponentiation.
10654AC_ARG_ENABLE([cryptocb-rsa-pad],
10655 [AS_HELP_STRING([--enable-cryptocb-rsa-pad],[Enable RSA padding aware crypto callbacks (default: disabled). Requires --enable-cryptocb])],
10656 [ ENABLED_CRYPTOCB_RSA_PAD=$enableval ],
10657 [ ENABLED_CRYPTOCB_RSA_PAD=no ]
10658 )
10659
10660if test "$ENABLED_CRYPTOCB_RSA_PAD" = "yes"
10661then
10662 if test "x$ENABLED_CRYPTOCB" = "xno"; then
10663 AC_MSG_ERROR([--enable-cryptocb-rsa-pad requires --enable-cryptocb])
10664 fi
10665 AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_CB_RSA_PAD"
10666fi
10667
10668
10669# wc_swdev: software crypto-callback device for testing
10670AC_ARG_ENABLE([swdev],
10671 [AS_HELP_STRING([--enable-swdev],[Build wc_swdev software crypto-callback for tests (default: disabled). Requires --enable-cryptocb])],
10672 [ ENABLED_SWDEV=$enableval ],
10673 [ ENABLED_SWDEV=no ]
10674)
10675
10676if test "$ENABLED_SWDEV" = "yes"
10677then
10678 if test "$ENABLED_CRYPTOCB" != "yes" && test "$enable_usersettings" != "yes"; then
10679 AC_MSG_ERROR([--enable-swdev requires --enable-cryptocb (or --enable-usersettings with WOLF_CRYPTO_CB defined in user_settings.h)])
10680 fi
10681 if test "x$srcdir" != "x."; then
10682 AC_MSG_ERROR([--enable-swdev currently supports in-tree builds only])
10683 fi
10684 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
10685fi
10686
10687
10688# Asynchronous Crypto
10689AC_ARG_ENABLE([asynccrypt],
10690 [AS_HELP_STRING([--enable-asynccrypt],[Enable Asynchronous Crypto (default: disabled)])],
10691 [ ENABLED_ASYNCCRYPT=$enableval ],
10692 [ ENABLED_ASYNCCRYPT=no ]
10693 )
10694
10695# Asynchronous crypto using software (i.e. not hardware). Required for
10696# non-blocking crypto with TLS/DTLS.
10697AC_ARG_ENABLE([asynccrypt-sw],
10698 [AS_HELP_STRING([--enable-asynccrypt-sw],[Enable asynchronous software-based crypto (default: disabled)])],
10699 [ ENABLED_ASYNCCRYPT_SW=$enableval ],
10700 [ ENABLED_ASYNCCRYPT_SW=no ]
10701 )
10702if test "$ENABLED_ASYNCCRYPT_SW" = "yes"
10703then
10704 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT_SW"
10705 ENABLED_ASYNCCRYPT=yes
10706fi
10707
10708if test "$ENABLED_ASYNCCRYPT" = "yes"
10709then
10710 AC_MSG_NOTICE([Enabling asynchronous support])
10711
10712 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT -DHAVE_WOLF_EVENT -DHAVE_WOLF_BIGINT -DWOLFSSL_NO_HASH_RAW"
10713
10714 # If no async backend (hardware or software) has been explicitly enabled,
10715 # use the software backend for testing.
10716 if test "x$ENABLED_CAVIUM" != "xyes" && test "x$ENABLED_INTEL_QA" != "xyes" && test "x$ENABLED_CRYPTOCB" != "xyes" && test "x$ENABLED_PKCALLBACKS" != "xyes" && test "x$ENABLED_ASYNCCRYPT_SW" != "xyes"
10717 then
10718 AC_MSG_NOTICE([Enabling asynchronous software simulator])
10719 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT_SW"
10720 ENABLED_ASYNCCRYPT_SW=yes
10721 fi
10722fi
10723
10724# check for async if using Intel QuckAssist or Cavium
10725if test "x$ENABLED_INTEL_QA" = "xyes" || test "x$ENABLED_CAVIUM" = "xyes" ; then
10726 if test "x$ENABLED_ASYNCCRYPT" = "xno" ; then
10727 AC_MSG_ERROR([Please enable asynchronous support using --enable-asynccrypt])
10728 fi
10729fi
10730
10731# Asynchronous threading (Linux specific)
10732AC_ARG_ENABLE([asyncthreads],
10733 [AS_HELP_STRING([--enable-asyncthreads],[Enable Asynchronous Threading (default: enabled)])],
10734 [ ENABLED_ASYNCTHREADS=$enableval ],
10735 [ ENABLED_ASYNCTHREADS=yes ]
10736 )
10737
10738if test "$ENABLED_ASYNCCRYPT" = "yes" && test "$ENABLED_ASYNCTHREADS" = "yes"
10739then
10740 AX_PTHREAD([ENABLED_ASYNCTHREADS=yes],[ENABLED_ASYNCTHREADS=no])
10741else
10742 ENABLED_ASYNCTHREADS=no
10743fi
10744
10745if test "$ENABLED_ASYNCTHREADS" = "yes"
10746then
10747 LIB_ADD="-lpthread $LIB_ADD"
10748 AM_CFLAGS="$AM_CFLAGS -D_GNU_SOURCE"
10749else
10750 AM_CFLAGS="$AM_CFLAGS -DWC_NO_ASYNC_THREADING"
10751fi
10752
10753
10754# Support for autosar shim
10755AC_ARG_ENABLE([autosar],
10756 [AS_HELP_STRING([--enable-autosar],[Enable AutoSAR support (default: disabled)])],
10757 [ ENABLED_AUTOSAR=$enableval ],
10758 [ ENABLED_AUTOSAR=no ]
10759 )
10760
10761if test "$ENABLED_AUTOSAR" = "yes"
10762then
10763 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AUTOSAR"
10764fi
10765
10766
10767# Session Export
10768AC_ARG_ENABLE([sessionexport],
10769 [AS_HELP_STRING([--enable-sessionexport],[Enable export and import of sessions (default: disabled)])],
10770 [ ENABLED_SESSIONEXPORT=$enableval ],
10771 [ ENABLED_SESSIONEXPORT=no ]
10772 )
10773
10774if test "$ENABLED_SESSIONEXPORT" = "yes" ||
10775 test "$ENABLED_SESSIONEXPORT" = "nopeer"
10776then
10777 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SESSION_EXPORT"
10778
10779 if test "$ENABLED_SESSIONEXPORT" = "nopeer"
10780 then
10781 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SESSION_EXPORT_NOPEER"
10782 fi
10783fi
10784
10785
10786if test "$ENABLED_WPAS" != "no" &&
10787 ( test "$ENABLED_FIPS" = "no" || test "x$FIPS_VERSION" = "xv6" )
10788then
10789 ENABLED_AESKEYWRAP="yes"
10790fi
10791
10792if test "$ENABLED_AESKEYWRAP" = "yes"
10793then
10794 AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP -DWOLFSSL_AES_DIRECT"
10795fi
10796
10797
10798# Old name support for backwards compatibility
10799AC_ARG_ENABLE([oldnames],
10800 [AS_HELP_STRING([--enable-oldnames],[Keep backwards compat with old names (default: enabled)])],
10801 [ ENABLED_OLDNAMES=$enableval ],
10802 [ ENABLED_OLDNAMES=yes ]
10803 )
10804
10805if test "x$ENABLED_OLDNAMES" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
10806then
10807 AM_CFLAGS="$AM_CFLAGS -DNO_OLD_RNGNAME -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES"
10808 AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME"
10809fi
10810
10811
10812# Memory Tests
10813AC_ARG_ENABLE([memtest],
10814 [AS_HELP_STRING([--enable-memtest],[Memory testing option, for internal use (default: disabled)])],
10815 [ ENABLED_MEMTEST=$enableval ],
10816 [ ENABLED_MEMTEST=no ]
10817 )
10818
10819if test "x$ENABLED_MEMTEST" != "xno"
10820then
10821 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY"
10822fi
10823
10824if test "x$ENABLED_MEMTEST" = "xfail"
10825then
10826 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FORCE_MALLOC_FAIL_TEST"
10827fi
10828
10829# Enable hash flags support
10830# Hash flags are useful for runtime options such as SHA3 KECCAK256 selection
10831AC_ARG_ENABLE([hashflags],
10832 [AS_HELP_STRING([--enable-hashflags],[Enable support for hash flags (default: disabled)])],
10833 [ ENABLED_HASHFLAGS=$enableval ],
10834 [ ENABLED_HASHFLAGS=no ]
10835 )
10836
10837if test "x$ENABLED_HASHFLAGS" != "xno"
10838then
10839 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HASH_FLAGS"
10840fi
10841
10842# Support for enabling setting default DH parameters in TLS
10843AC_ARG_ENABLE([defaultdhparams],
10844 [AS_HELP_STRING([--enable-defaultdhparams],[Enables option for default dh parameters (default: disabled)])],
10845 [ ENABLED_DHDEFAULTPARAMS=$enableval ],
10846 [ ENABLED_DHDEFAULTPARAMS=$ENABLED_DH ]
10847 )
10848if test "x$ENABLED_DHDEFAULTPARAMS" = "xyes" && test "x$ENABLED_QT" != "xyes"
10849then
10850 AM_CFLAGS="$AM_CFLAGS -DHAVE_DH_DEFAULT_PARAMS"
10851fi
10852
10853
10854AC_ARG_WITH([max-rsa-bits],
10855 [AS_HELP_STRING([--with-max-rsa-bits=number],[number of bits to support for RSA, DH, and DSA keys])],
10856 [WITH_MAX_CLASSIC_ASYM_KEY_BITS=$withval],
10857 [WITH_MAX_CLASSIC_ASYM_KEY_BITS="$DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS"])
10858
10859if test -n "$WITH_MAX_CLASSIC_ASYM_KEY_BITS"; then
10860 if test "$WITH_MAX_CLASSIC_ASYM_KEY_BITS" -lt 1024 -o "$WITH_MAX_CLASSIC_ASYM_KEY_BITS" -gt 16384; then
10861 AC_MSG_ERROR([--with-max-rsa-bits argument must be between 1024 and 16384 inclusive])
10862 fi
10863 if test "$ENABLED_FIPS" = "no"
10864 then
10865 AM_CFLAGS="$AM_CFLAGS -DRSA_MAX_SIZE=$WITH_MAX_CLASSIC_ASYM_KEY_BITS"
10866 fi
10867 MPI_MAX_KEY_BITS=$WITH_MAX_CLASSIC_ASYM_KEY_BITS
10868fi
10869
10870AC_ARG_WITH([max-ecc-bits],
10871 [AS_HELP_STRING([--with-max-ecc-bits=number],[number of bits to support for ECC algorithms])],
10872 [WITH_MAX_ECC_BITS=$withval],
10873 )
10874
10875if test -n "$WITH_MAX_ECC_BITS"; then
10876 if test "$WITH_MAX_ECC_BITS" -lt 112 -o "$WITH_MAX_ECC_BITS" -gt 1024; then
10877 AC_MSG_ERROR([--with-max-ecc-bits argument must be between 112 and 1024 inclusive])
10878 fi
10879 AM_CFLAGS="$AM_CFLAGS -DMAX_ECC_BITS=$WITH_MAX_ECC_BITS"
10880fi
10881
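# Derive the multi-precision integer sizing from the larger of the RSA/DH/DSA
# limit (MPI_MAX_KEY_BITS) and the ECC limit (WITH_MAX_ECC_BITS).
#
# Every test here must name MPI_MAX_KEY_BITS. Testing a differently spelled
# variable that nothing in this section assigns makes the "both set" branch
# unreachable, so the ECC limit would overwrite a larger RSA limit and the
# math library would be sized for the smaller of the two.
if test -n "$MPI_MAX_KEY_BITS" || test -n "$WITH_MAX_ECC_BITS"; then
    if test -n "$MPI_MAX_KEY_BITS" && test -n "$WITH_MAX_ECC_BITS"; then
        # Both limits given: keep the larger one.
        if test "$MPI_MAX_KEY_BITS" -lt "$WITH_MAX_ECC_BITS"; then
            MPI_MAX_KEY_BITS="$WITH_MAX_ECC_BITS"
        fi
    elif test -n "$WITH_MAX_ECC_BITS"; then
        # Only the ECC limit given.
        MPI_MAX_KEY_BITS="$WITH_MAX_ECC_BITS"
    fi

    # Sizes of 1024 bits or less add no defines.
    if test "$MPI_MAX_KEY_BITS" -gt 1024; then
        AM_CFLAGS="$AM_CFLAGS -DFP_MAX_BITS=$((MPI_MAX_KEY_BITS * 2)) -DSP_INT_BITS=$MPI_MAX_KEY_BITS"
    fi
fi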
10894
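# Selects which wolfCrypt implementations are registered with the Linux Kernel
# Crypto API. The value is parsed below as a comma-separated list; the help
# text names every algorithm that parser accepts, including the two CCM forms.
# NOTE(review): the help text offers "none", but the parser below treats only
# "no" as disabled and has no arm for "none" -- confirm which is intended.
AC_ARG_ENABLE([linuxkm-lkcapi-register],
    [AS_HELP_STRING([--enable-linuxkm-lkcapi-register],[Register wolfCrypt implementations with the Linux Kernel Crypto API backplane.
        Possible values are "none" or a comma-separated combination of "all", "all-kconfig", "sysfs-nodes-only", "cbc(aes)", "cfb(aes)",
        "gcm(aes)", "rfc4106(gcm(aes))", "ccm(aes)", "rfc4309(ccm(aes))", "xts(aes)", "ctr(aes)", "ofb(aes)", "ecb(aes)", "all-aes",
        "sha1", "sha2", "sha3", "all-sha", "hmac(sha1)", "hmac(sha2)", "hmac(sha3)", "all-hmac", "stdrng", "stdrng-default", "ecdsa",
        "ecdh", "rsa", "dh", and negations of the foregoing algorithms by prefixing "-".
        (default: none)])],
    [ENABLED_LINUXKM_LKCAPI_REGISTER=$enableval],
    [ENABLED_LINUXKM_LKCAPI_REGISTER=no])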
10905if test "$ENABLED_LINUXKM_LKCAPI_REGISTER" != "no"
10906then
10907 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER"
10908
10909 if test "$ENABLED_AESGCM" != "no" && test "$ENABLED_AESGCM_STREAM" = "no" && test "$enable_aesgcm_stream" != "no" && (test "$ENABLED_FIPS" = "no" || test $HAVE_FIPS_VERSION -ge 6); then
10910 ENABLED_AESGCM_STREAM=yes
10911 fi
10912
10913 if test "$ENABLED_LINUXKM_LKCAPI_REGISTER" = "yes"
10914 then
10915 ENABLED_LINUXKM_LKCAPI_REGISTER=all
10916 fi
10917
10918 for lkcapi_alg in $(echo "$ENABLED_LINUXKM_LKCAPI_REGISTER" | tr ',' ' ')
10919 do
10920 case "$lkcapi_alg" in
10921 all) AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ALL -DWC_RSA_NO_PADDING -DWOLFSSL_DH_EXTRA"
10922 ;;
10923 all-kconfig) AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ALL -DLINUXKM_LKCAPI_REGISTER_ALL_KCONFIG -DWC_RSA_NO_PADDING -DWOLFSSL_DH_EXTRA"
10924 ;;
10925 sysfs-nodes-only) AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND" ;;
10926 'cbc(aes)') test "$ENABLED_AESCBC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CBC implementation not enabled.])
10927 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCBC" ;;
10928 'cfb(aes)') test "$ENABLED_AESCFB" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CFB implementation not enabled.])
10929 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCFB" ;;
10930 'gcm(aes)') test "$ENABLED_AESGCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-GCM implementation not enabled.])
10931 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESGCM" ;;
10932 'rfc4106(gcm(aes))') test "$ENABLED_AESGCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-GCM implementation not enabled.])
10933 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESGCM_RFC4106" ;;
10934 'ccm(aes)') test "$ENABLED_AESCCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CCM implementation not enabled.])
10935 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCCM" ;;
10936 'rfc4309(ccm(aes))') test "$ENABLED_AESCCM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CCM implementation not enabled.])
10937 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCCM_RFC4309" ;;
10938 'xts(aes)') test "$ENABLED_AESXTS" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-XTS implementation not enabled.])
10939 test "$ENABLED_AESXTS_STREAM" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: --enable-aesxts-stream is required for LKCAPI.])
10940 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESXTS" ;;
10941 'ctr(aes)') test "$ENABLED_AESCTR" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-CTR implementation not enabled.])
10942 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESCTR" ;;
10943 'ofb(aes)') test "$ENABLED_AESOFB" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES-OFB implementation not enabled.])
10944 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESOFB" ;;
10945 'ecb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AESECB -DHAVE_AES_ECB" ;;
10946 'all-aes') test "$ENABLED_AES" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: AES is disabled.])
10947 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_AES_ALL" ;;
10948 'sha1') test "$ENABLED_SHA" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-1 implementation not enabled.])
10949 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1" ;;
10950 'sha2') test "$ENABLED_SHA224" != "no" || test "$ENABLED_SHA256" != "no" || test "$ENABLED_SHA384" != "no" || test "$ENABLED_SHA512" != "no" || \
10951 AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: No SHA-2 implementations are enabled.])
10952 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA2" ;;
10953 'sha3') test "$ENABLED_SHA3" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 implementation not enabled.])
10954 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3" ;;
10955 'all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA_ALL" ;;
10956 'hmac(sha1)') test "$ENABLED_SHA" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-1 HMAC implementation not enabled.])
10957 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA1_HMAC" ;;
10958 'hmac(sha2)') (test "$ENABLED_SHA224" != "no" || test "$ENABLED_SHA256" != "no" || test "$ENABLED_SHA384" != "no" || test "$ENABLED_SHA512" != "no") && \
10959 test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: No SHA-2 HMAC implementations are enabled.])
10960 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA2_HMAC" ;;
10961 'hmac(sha3)') test "$ENABLED_SHA3" != "no" && test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: SHA-3 HMAC implementation not enabled.])
10962 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_SHA3_HMAC" ;;
10963 'all-hmac') test "$ENABLED_HMAC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HMAC implementation not enabled.])
10964 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HMAC_ALL" ;;
10965 'stdrng') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
10966 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG" ;;
10967 'stdrng-default') test "$ENABLED_HASHDRBG" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: HASHDRBG implementation not enabled.])
10968 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG -DLINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT" ;;
10969 'ecdsa') test "$ENABLED_ECC" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: ECDSA implementation not enabled.])
10970 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ECDSA" ;;
10971 'ecdh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_ECDH" ;;
10972 'rsa') test "$ENABLED_RSA" != "no" || AC_MSG_ERROR([linuxkm-lkcapi-register ${lkcapi_alg}: RSA implementation not enabled.])
10973 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_RSA -DWC_RSA_NO_PADDING" ;;
10974 'dh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_REGISTER_DH -DWOLFSSL_DH_EXTRA"
10975 ;;
10976 # disable options
10977 '-cbc(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCBC" ;;
10978 '-cfb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCFB" ;;
10979 '-gcm(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESGCM" ;;
10980 '-rfc4106(gcm(aes))')
10981 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESGCM_RFC4106" ;;
10982 '-ccm(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCCM" ;;
10983 '-rfc4309(ccm(aes))')
10984 AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCCM_RFC4309" ;;
10985 '-xts(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESXTS" ;;
10986 '-ctr(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESCTR" ;;
10987 '-ofb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESOFB" ;;
10988 '-ecb(aes)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AESECB" ;;
10989 '-all-aes') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_AES_ALL" ;;
10990 '-sha1') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1" ;;
10991 '-sha2') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2" ;;
10992 '-sha3') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3" ;;
10993 '-all-sha') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA_ALL" ;;
10994 '-hmac(sha1)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA1_HMAC" ;;
10995 '-hmac(sha2)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA2_HMAC" ;;
10996 '-hmac(sha3)') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_SHA3_HMAC" ;;
10997 '-all-hmac') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HMAC_ALL" ;;
10998 '-stdrng') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG" ;;
10999 '-stdrng-default') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT" ;;
11000 '-ecdsa') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_ECDSA" ;;
11001 '-ecdh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_ECDH" ;;
11002 '-rsa') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_RSA" ;;
11003 '-dh') AM_CFLAGS="$AM_CFLAGS -DLINUXKM_LKCAPI_DONT_REGISTER_DH" ;;
11004 *) AC_MSG_ERROR([Unsupported LKCAPI algorithm "$lkcapi_alg".]) ;;
11005 esac
11006 done
11007fi
11008AC_SUBST([ENABLED_LINUXKM_LKCAPI_REGISTER])
11009
11010# Library Suffix
11011LIBSUFFIX=""
11012AC_ARG_WITH([libsuffix],
11013 [AS_HELP_STRING([--with-libsuffix=SUFFIX],[Library artifact SUFFIX, ie libwolfsslSUFFIX.so])],
11014 [
11015 if test "x$withval" != "xno" ; then
11016 LIBSUFFIX=$withval
11017 fi
11018 if test "x$withval" = "xyes" ; then
11019 AC_MSG_ERROR([Invalid argument to --with-libsuffix, no suffix given])
11020 fi
11021 ]
11022)
11023AC_SUBST(LIBSUFFIX)
11024
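# Support system wide crypto-policy file:
# - Pass path to your wolfssl.config system crypto-policy file.
# - Pass no argument to use default.
#
# The path is compiled in as the string macro WOLFSSL_CRYPTO_POLICY_FILE.
# It is placed between escaped double quotes inside AM_CFLAGS, so a path that
# contains whitespace or quote characters will not survive word splitting.
# Presumably the file is opened at run time -- verify against the library
# code; if so, it should sit in a location only administrators can write.
AC_ARG_WITH([sys-crypto-policy],
    [AS_HELP_STRING([--with-sys-crypto-policy=PATH],[Support for system-wide crypto-policy file. (default: disabled)])],
    [SYS_CRYPTO_POLICY=$withval],
    [SYS_CRYPTO_POLICY=no])

if test "$SYS_CRYPTO_POLICY" != "no"; then
    case "$SYS_CRYPTO_POLICY" in
    yes)
        # Default to the wolfssl fedora crypto-policy file.
        SYS_CRYPTO_POLICY="/etc/crypto-policies/back-ends/wolfssl.config"
        ;;
    '')
        # An empty value would compile in an empty file name.
        AC_MSG_ERROR([--with-sys-crypto-policy requires a non-empty PATH])
        ;;
    /*)
        ;;
    *)
        # A relative path has no fixed meaning for a system-wide policy file.
        AC_MSG_WARN([--with-sys-crypto-policy path "$SYS_CRYPTO_POLICY" is not an absolute path])
        ;;
    esac

    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CRYPTO_POLICY"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\""
fi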
11043
11044AC_ARG_ENABLE([context-extra-user-data],
11045 [AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])],
11046 [ ENABLED_EX_DATA=$enableval ],
11047 [ ENABLED_EX_DATA=no ]
11048 )
11049case "$ENABLED_EX_DATA" in
11050no) ;;
11051yes) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
11052 ;;
11053[[1-9]]|[[1-9]][[0-9]]|[[1-9]][[0-9]][[0-9]]|[[1-9]][[0-9]][[0-9]][[0-9]])
11054 AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA"
11055 ;;
11056*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)])
11057 ;;
11058esac
11059
11060# IoT-Safe support
11061AC_ARG_ENABLE([iotsafe],
11062 [AS_HELP_STRING([--enable-iotsafe],[Enables support for IoT-Safe secure applet (default: disabled)])],
11063 [ ENABLED_IOTSAFE=$enableval ],
11064 [ ENABLED_IOTSAFE=no ]
11065 )
11066
11067AC_ARG_ENABLE([iotsafe-hwrng],
11068 [AS_HELP_STRING([--enable-iotsafe-hwrng],[Enables support for IoT-Safe RNG (default: disabled)])],
11069 [ ENABLED_IOTSAFE_HWRNG=$enableval ],
11070 [ ENABLED_IOTSAFE_HWRNG=no ]
11071 )
11072
11073# Make clean
11074AC_ARG_ENABLE([makeclean],
11075 [AS_HELP_STRING([--enable-makeclean], [Enables forced "make clean" at the
11076 end of configure (default: enabled)])],
11077 [ ENABLED_MAKECLEAN=$enableval ],
11078 [ ENABLED_MAKECLEAN=yes ]
11079 )
11080
11081# User Settings
11082AC_ARG_ENABLE([usersettings],
11083 [AS_HELP_STRING([--enable-usersettings],[Use your own user_settings.h and do not add Makefile CFLAGS (default: disabled)])],
11084 [ ENABLED_USERSETTINGS=$enableval ],
11085 [ ENABLED_USERSETTINGS=no ]
11086 )
11087
11088
11089# Default optimization CFLAGS enable
11090AC_ARG_ENABLE([optflags],
11091 [AS_HELP_STRING([--enable-optflags],[Enable default optimization CFLAGS for the compiler (default: enabled)])],
11092 [ ENABLED_OPTFLAGS=$enableval ],
11093 [ ENABLED_OPTFLAGS=yes ]
11094 )
11095
11096# Adds functionality to load CA certificates from the operating system.
11097AC_ARG_ENABLE([sys-ca-certs],
11098 [AS_HELP_STRING([--enable-sys-ca-certs],[Enable ability to load CA certs from OS (default: enabled)])],
11099 [ ENABLED_SYS_CA_CERTS=$enableval ],
11100 [ ENABLED_SYS_CA_CERTS=yes ]
11101 )
11102
11103AC_ARG_ENABLE([dual-alg-certs],
11104 [AS_HELP_STRING([--enable-dual-alg-certs],[Enable support for dual key/signature certificates in TLS 1.3 as defined in X9.146 (requires --enable-experimental) (default: disabled)])],
11105 [ ENABLED_DUAL_ALG_CERTS=$enableval ],
11106 [ ENABLED_DUAL_ALG_CERTS=no ]
11107 )
11108
11109AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([dual-alg-certs requires --enable-experimental.]) ])
11110
11111AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_CRYPTONLY" = "yes" ],[ AC_MSG_ERROR([dual-alg-certs is incompatible with --enable-cryptonly.]) ])
11112
11113# Adds functionality to support Raw Public Key (RPK) RFC7250
11114AC_ARG_ENABLE([rpk],
11115 [AS_HELP_STRING([--enable-rpk],[Enable support for Raw Public Key (RPK) RFC7250 (default: disabled)])],
11116 [ ENABLED_RPK=$enableval ],
11117 [ ENABLED_RPK=no ]
11118 )
11119
11120# Allows dynamically loading the certificate
11121AC_ARG_ENABLE([cert-setup-cb],
11122 [AS_HELP_STRING([--enable-cert-setup-cb],[Enable support for dynamically loading TLS certificates (default: disabled)])],
11123 [ ENABLED_CERT_SETUP_CB=$enableval ],
11124 [ ENABLED_CERT_SETUP_CB=no ]
11125 )
11126
11127# check if should run the trusted peer certs test
11128# (for now checking both C_FLAGS and C_EXTRA_FLAGS)
11129AS_CASE(["$CFLAGS $CPPFLAGS"],[*'WOLFSSL_TRUST_PEER_CERT'*],[ENABLED_TRUSTED_PEER_CERT=yes])
11130
# Lets the user switch off the OPENSSL_COMPATIBLE_DEFAULTS macro when another
# option has put it on the command line.
AC_ARG_ENABLE([openssl-compatible-defaults],
    [AS_HELP_STRING([--disable-openssl-compatible-defaults],[Disable OpenSSL compatible defaults when enabled by other options (default: enabled)])],
    [ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=$enableval],
    [ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=yes])

# Detection is a substring match over all three flag variables, so any flag
# whose text contains OPENSSL_COMPATIBLE_DEFAULTS counts as a hit.
case "$CFLAGS $CPPFLAGS $AM_CFLAGS" in
*'OPENSSL_COMPATIBLE_DEFAULTS'*)
    FOUND_OPENSSL_COMPATIBLE_DEFAULTS=yes
    ;;
esac

if test "x$FOUND_OPENSSL_COMPATIBLE_DEFAULTS" = "xyes"; then
    if test "x$ENABLED_OPENSSL_COMPATIBLE_DEFAULTS" != "xyes"; then
        # Disabled by the user: delete the define from every flag variable.
        # Only the exact text is removed; anything attached after it (for
        # example "=1") stays behind as a stray token.
        CFLAGS=$(printf "%s" "$CFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g')
        CPPFLAGS=$(printf "%s" "$CPPFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g')
        AM_CFLAGS=$(printf "%s" "$AM_CFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g')
    else
        # Left enabled: add the companion defines, in this order, and mark the
        # trusted peer cert feature as on. Several of these touch certificate
        # and session handling, so review them when auditing a build.
        for compat_define in \
            WOLFSSL_TRUST_PEER_CERT \
            NO_SESSION_CACHE_REF \
            WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE \
            WOLFSSL_ALT_CERT_CHAINS \
            WOLFSSL_PRIORITIZE_PSK \
            WOLFSSL_CHECK_ALERT_ON_ERR \
            WOLFSSL_TICKET_HAVE_ID
        do
            AM_CFLAGS="$AM_CFLAGS -D$compat_define"
        done
        ENABLED_TRUSTED_PEER_CERT=yes
    fi
fi
11158
11159# Make function 'wolfSSL_X509_EXTENSION_get_data' return different type of
11160# data for each type of extension, as it used to do in the past, instead of
11161# always returning the full OCTET STRING of the extension. Use only if you
11162# need to keep compatibility with older versions.
11163AC_ARG_ENABLE([old-extdata-fmt],
11164 [AS_HELP_STRING([--enable-old-extdata-fmt],[Enable old format for extracting extension data (default: disabled)])],
11165 [ ENABLED_OLD_EXTDATA_FMT=$enableval ],
11166 [ ENABLED_OLD_EXTDATA_FMT=no ]
11167 )
11168
11169if test "x$ENABLED_OLD_EXTDATA_FMT" = "xyes"; then
11170 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_EXTDATA_FMT"
11171fi
11172
11173# determine if we have key validation mechanism
11174if test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_RSA" = "xyes"
11175then
11176 if test "$ENABLED_ASN" != "no" && test "$ENABLED_ASN" != "nocrypt"
11177 then
11178 ENABLED_PKI="yes"
11179 fi
11180fi
11181
11182# When building for wolfRand, strip out all options to disable everything.
11183AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" = "xrand"],
11184[NEW_AM_CFLAGS="-DNO_AES -DNO_DH -DNO_ASN -DNO_RSA -DNO_SHA -DNO_MD5 -DNO_BIG_INT"
11185for v in $AM_CFLAGS
11186do
11187 case $v in
11188-DHAVE_FFDHE_2048 | -DTFM_TIMING_RESISTANT | -DECC_TIMING_RESISTANT | \
11189-DWC_RSA_BLINDING | -DHAVE_AESGCM | -DWOLFSSL_SHA512 | -DWOLFSSL_SHA384 | \
11190-DHAVE_ECC | -DTFM_ECC256 | -DECC_SHAMIR | -DHAVE_TLS_EXTENSIONS | \
11191-DHAVE_SUPPORTED_CURVES | -DHAVE_EXTENDED_MASTER | -DUSE_FAST_MATH | \
11192-DWOLFSSL_SHA3)
11193 AS_ECHO(["ignoring $v"])
11194 ;;
11195 *)
11196 NEW_AM_CFLAGS="$NEW_AM_CFLAGS $v"
11197 ;;
11198 esac
11199done
11200AM_CFLAGS=$NEW_AM_CFLAGS])
11201
11202case $host_cpu in
11203 *arm*)
11204 if test "$host_alias" = "thumb" || test "$ARM_TARGET" = "thumb"; then
11205 AM_CFLAGS="$AM_CFLAGS -mthumb -march=armv6"
11206 ENABLED_ARM_THUMB=yes
11207 else
11208 if test "$host_alias" = "cortex" || test "$ARM_TARGET" = "cortex"; then
11209 AM_CFLAGS="$AM_CFLAGS -mcpu=cortex-r5"
11210 fi
11211 fi
11212 ;;
11213esac
11214
11215if test "$ENABLED_LOWRESOURCE" = "yes" && test "$ENABLED_ECC" = "yes" && (test "$ENABLED_RSA" = "yes" || test "$ENABLED_DH" = "yes") && (test "$ENABLED_SP_MATH" = "yes" || test "$ENABLED_SP_MATH_ALL" = "yes")
11216then
11217 AM_CFLAGS="$AM_CFLAGS -DALT_ECC_SIZE"
11218fi
11219
11220################################################################################
11221# Update ENABLE_* variables #
11222################################################################################
11223
11224if test "x$ENABLED_SYS_CA_CERTS" = "xyes"
11225then
11226 if test "x$ENABLED_CERTS" = "xno"
11227 then
11228 ENABLED_SYS_CA_CERTS="no"
11229 fi
11230
11231 case $host_os in
11232 *darwin*)
11233 # Headers used for MacOS default system CA certs behavior. Only MacOS SDK will have this header
11234 AC_CHECK_HEADERS([Security/SecTrustSettings.h])
11235 # Headers used for Apple native cert validation. All device SDKs should have these headers
11236 AC_CHECK_HEADERS([Security/SecCertificate.h])
11237 AC_CHECK_HEADERS([Security/SecTrust.h])
11238 AC_CHECK_HEADERS([Security/SecPolicy.h])
11239 # Either Security/SecTrustSettings (for MacOS cert loading), or the
11240 # trio of Security/SecCertificate.h, Security/SecTrust.h, and
11241 # Security/SecPolicy.h (for native trust APIs on other apple devices)
11242 # must be present. Default to SecTrustSettings method on MacOS.
11243 AS_IF([test "$ac_cv_header_Security_SecTrustSettings_h" = "yes" \
11244 || (test "$ac_cv_header_Security_SecCertificate_h" = "yes" \
11245 && test "$ac_cv_header_Security_SecTrust_h" = "yes" \
11246 && test "$ac_cv_header_Security_SecPolicy_h" = "yes")],
11247 [
11248 LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
11249 AS_IF([test "$ac_cv_header_Security_SecTrustSettings_h" != "yes"],
11250 [
11251 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION"
11252 ])
11253 ],
11254 [
11255 AC_MSG_ERROR([Unable to find Apple Security.framework headers])
11256 ])
11257 ;;
11258 mingw*)
11259 ;;
11260 *)
11261 # Only disable on no filesystem non Mac/Windows, as Mac and Windows
11262 # depend on APIs which don't need filesystem support enabled in wolfSSL.
11263 if test "x$ENABLED_FILESYSTEM" = "xno"
11264 then
11265 ENABLED_SYS_CA_CERTS="no"
11266 fi
11267 ;;
11268 esac
11269fi
11270
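# wolfCLU support: turn on every feature the tool depends on.
#
# Each setting below is flipped from "no" to "yes" regardless of how it became
# "no", so a feature the user disabled on the command line is enabled again.
# For a security review note in particular that this enables MD5, enables 3DES
# (unless a FIPS build with version 5 or later), and adds
# -DWOLFSSL_NO_ASN_STRICT to the build.
if test "x$ENABLED_WOLFCLU" = "xyes"
then
    # Certificate generation, requests and extensions
    AS_IF([test "x$ENABLED_CERTGEN" = "xno"], [ENABLED_CERTGEN="yes"])
    AS_IF([test "x$ENABLED_CERTREQ" = "xno"], [ENABLED_CERTREQ="yes"])
    AS_IF([test "x$ENABLED_CERTEXT" = "xno"], [ENABLED_CERTEXT="yes"])

    # Requires md5
    AS_IF([test "$ENABLED_MD5" = "no"], [ENABLED_MD5="yes"])

    # Requires aesctr
    AS_IF([test "x$ENABLED_AESCTR" = "xno"], [ENABLED_AESCTR="yes"])

    # Uses key generation
    AS_IF([test "x$ENABLED_KEYGEN" = "xno"], [ENABLED_KEYGEN="yes"])

    # Uses functions guarded by opensslall
    AS_IF([test "$ENABLED_OPENSSLALL" = "no"], [ENABLED_OPENSSLALL="yes"])

    # Has option for signing with ED25519; that pulls in the field and group
    # math and certificate support as well.
    AS_IF([test "$ENABLED_ED25519" = "no"],
        [ENABLED_ED25519=yes
         ENABLED_FEMATH=yes
         ENABLED_GEMATH=yes
         ENABLED_CERTS=yes])

    # Has sha512 hashing
    AS_IF([test "$ENABLED_SHA512" = "no"], [ENABLED_SHA512="yes"])

    # Has support for DES3 encrypt/decrypt. HAVE_FIPS_VERSION is quoted so an
    # empty value cannot turn the comparison into a malformed test, matching
    # the quoted form used by the strongSwan check later in this file.
    AS_IF([test "$ENABLED_DES3" = "no" &&
           { test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -lt 5; }],
        [ENABLED_DES3="yes"])

    # Has support for PKCS7
    AS_IF([test "$ENABLED_PKCS7" = "no"], [ENABLED_PKCS7=yes])

    # Uses alt name
    ENABLED_ALTNAMES="yes"

    AM_CFLAGS="$AM_CFLAGS -DHAVE_OID_ENCODING -DWOLFSSL_NO_ASN_STRICT"

    # OCSP responder
    AS_IF([test "$ENABLED_OCSP" = "no"], [ENABLED_OCSP="yes"])
    AS_IF([test "$ENABLED_OCSP_RESPONDER" = "no"], [ENABLED_OCSP_RESPONDER="yes"])
fi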
11350
11351if test "$ENABLED_STRONGSWAN" = "yes"; then
11352 if test "$ENABLED_CERTREQ" = "no"; then
11353 ENABLED_CERTREQ="yes"
11354 fi
11355
11356 if test "$ENABLED_OCSP" = "no"; then
11357 ENABLED_OCSP="yes"
11358 fi
11359fi
11360
11361AS_IF([test "x$ENABLED_MCAPI" = "xyes"],
11362 [AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])])
11363
11364if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
11365 test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \
11366 test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \
11367 test "$ENABLED_OPENSSLALL" = "yes" || \
11368 test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
11369 test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
11370 test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" || \
11371 test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes"
11372then
11373 ENABLED_OPENSSLEXTRA="yes"
11374fi
11375
11376if test "$ENABLED_CURVE25519" != "no" && test "$ENABLED_CURVE25519" != "asm" && test "$KERNEL_MODE_DEFAULTS" = "yes"
11377then
11378 ENABLED_CURVE25519=noasm
11379fi
11380
11381if test "$ENABLED_ED25519" != "no" && test "$ENABLED_ED25519" != "asm" && test "$KERNEL_MODE_DEFAULTS" = "yes"
11382then
11383 ENABLED_ED25519=noasm
11384fi
11385
11386if test "$ENABLED_CURVE25519" = "noasm" || test "$ENABLED_ED25519" = "noasm"
11387then
11388 AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_X64"
11389fi
11390
11391if test "$ENABLED_CURVE25519" != "no"
11392then
11393 if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_CURVE25519" = "nonblock" || test "$ENABLED_LOWRESOURCE" = "yes"
11394 then
11395 AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
11396 ENABLED_CURVE25519_SMALL=yes
11397 fi
11398
11399 if test "$ENABLED_CURVE25519" = "nonblock"
11400 then
11401 AM_CFLAGS="$AM_CFLAGS -DWC_X25519_NONBLOCK"
11402 fi
11403
11404 if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
11405 then
11406 AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
11407 fi
11408
11409 if test "$ENABLED_CURVE25519" = "ed"
11410 then
11411 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CURVE25519_USE_ED25519"
11412 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_CURVE25519_USE_ED25519"
11413 fi
11414 if test "$ENABLED_CURVE25519" = "not-ed"
11415 then
11416 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CURVE25519_NOT_USE_ED25519"
11417 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_CURVE25519_NOT_USE_ED25519"
11418 fi
11419
11420
11421 AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
11422 AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
11423 ENABLED_FEMATH=yes
11424fi
11425
11426if test "$ENABLED_ED25519" != "no"
11427then
11428 if test "$ENABLED_ED25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
11429 then
11430 AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"
11431 ENABLED_ED25519_SMALL=yes
11432 ENABLED_CURVE25519_SMALL=yes
11433 fi
11434
11435 AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
11436 AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"
11437 ENABLED_FEMATH=yes
11438 ENABLED_GEMATH=yes
11439 ENABLED_CERTS=yes
11440fi
11441
11442if test "$ENABLED_MD5" = "yes"
11443then
11444 # turn off MD5 if leanpsk or leantls on
11445 if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
11446 then
11447 ENABLED_MD5=no
11448 fi
11449fi
11450
11451if test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_CERTS" = "xno" || \
11452 test "x$ENABLED_ASN" = "xno"
11453then
11454 ENABLED_CERTS=no
11455 ENABLED_ASN=no
11456fi
11457
11458################################################################################
11459# Check for build-type conflicts #
11460################################################################################
11461
11462AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
11463 test "x$ENABLED_LEANPSK" = "xyes"],
11464 [AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])])
11465
11466AS_IF([test "x$ENABLED_CRYPTONLY" = "xno" && \
11467 test "x$ENABLED_PSK" = "xno" && \
11468 test "x$ENABLED_ASN" = "xno"],
11469 [AC_MSG_ERROR([please enable psk if disabling asn.])])
11470
11471AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
11472 test "x$ENABLED_ASN" = "xno"],
11473 [AC_MSG_ERROR([please enable asn if enabling ocsp.])])
11474
11475AS_IF([test "x$ENABLED_SMIME" = "xyes" && \
11476 test "x$ENABLED_ASN" = "xno"],
11477 [AC_MSG_ERROR([please enable asn if enabling S/MIME.])])
11478
11479AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
11480 test "x$ENABLED_RSA" = "xno" && \
11481 test "x$ENABLED_ECC" = "xno"],
11482 [AC_MSG_ERROR([please enable rsa or ecc if enabling ocsp.])])
11483
11484# Sync Intel QA and Sync Cavium Octeon require the crypto callback
11485AS_IF([test "x$ENABLED_INTEL_QA_SYNC" = "xyes" || test "x$ENABLED_OCTEON_SYNC" = "xyes"],
11486 [AS_IF([test "x$ENABLED_CRYPTOCB" = "xno"],
11487 [AC_MSG_ERROR([please enable the crypto callback support using --enable-cryptocb])])])
11488
11489# checks for pkcs7 needed enables
11490AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
11491 test "x$ENABLED_RSA" = "xno" && \
11492 test "x$ENABLED_ECC" = "xno"],
11493 [AC_MSG_ERROR([please enable ecc or rsa if enabling pkcs7.])])
11494
11495AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
11496 test "x$ENABLED_SHA" = "xno" && \
11497 test "x$ENABLED_SHA256" = "xno"],
11498 [AC_MSG_ERROR([please enable sha or sha256 if enabling pkcs7.])])
11499
11500AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
11501 test "x$ENABLED_AES" = "xno" && \
11502 test "x$ENABLED_DES3" = "xno"],
11503 [AC_MSG_ERROR([please enable either AES or 3DES if enabling pkcs7.])])
11504
11505AS_IF([test "x$ENABLED_WOLFSCEP" = "xyes" && \
11506 test "x$ENABLED_AES" = "xno" && \
11507 test "x$ENABLED_DES3" = "xno"],
11508 [AC_MSG_ERROR([please enable either AES or 3DES if enabling scep.])])
11509
11510AS_IF([test "x$ENABLED_LEANTLS" = "xyes" && \
11511 test "x$ENABLED_ECC" = "xno"],
11512 [AC_MSG_ERROR([please enable ecc if enabling leantls.])])
11513
11514AS_IF([test "x$ENABLED_SNIFFER" = "xyes" && \
11515 test "x$ENABLED_RSA" = "xno" && \
11516 test "x$ENABLED_ECC" = "xno" && \
11517 test "x$ENABLED_CURVE25519" = "xno"],
11518 [AC_MSG_ERROR([please enable ecc, rsa or curve25519 if enabling sniffer.])])
11519
# SCEP cannot be combined with Lean TLS, because Lean TLS forces off the
# features SCEP depends on.
# NOTE(review): the AES/3DES prerequisite check for scep a few lines above
# tests ENABLED_WOLFSCEP, while this one tests ENABLED_SCEP. If nothing
# assigns ENABLED_SCEP this conflict is never reported -- confirm the name.
if test "x$ENABLED_SCEP" = "xyes" && test "x$ENABLED_LEANTLS" = "xyes"
then
    AC_MSG_ERROR([Cannot use SCEP and Lean TLS at the same time.])
fi
11524
11525# CMAC currently requires AES.
11526AS_IF([test "x$ENABLED_CMAC" = "xyes" && \
11527 test "x$ENABLED_AES" = "xno"],
11528 [AC_MSG_ERROR([cannot use CMAC without AES.])])
11529
# certreq requires certgen
# NOTE(review): the rest of this file spells these variables ENABLED_CERTREQ
# and ENABLED_CERTGEN (no underscore before REQ/GEN). If ENABLED_CERT_REQ and
# ENABLED_CERT_GEN are never assigned, this check cannot fire. Before renaming,
# confirm that options which force ENABLED_CERTREQ=yes (wolfCLU, strongSwan)
# also end up with certgen enabled, otherwise they would start failing here.
if test "x$ENABLED_CERT_REQ" = "xyes" && test "x$ENABLED_CERT_GEN" = "xno"
then
    AC_MSG_ERROR([cannot use certreq without certgen.])
fi
11534
11535# ed25519 requires sha512
11536AS_IF([test "$ENABLED_ED25519" != "no" && \
11537 test "x$ENABLED_SHA512" = "xno" && \
11538 test "x$ENABLED_32BIT" = "xno"],
11539 [AC_MSG_ERROR([cannot enable ed25519 without enabling sha512.])])
11540
11541# ed25519 stream requires ed25519
11542AS_IF([test "x$ENABLED_ED25519_STREAM" = "xyes" && \
11543 test "x$ENABLED_ED25519" = "xno"],
11544 [AC_MSG_ERROR([ED25519 verify streaming enabled but ED25519 is disabled])])
11545
11546# Ensure only one size is enabled
11547AS_IF([test "x$ENABLED_64BIT" = "xyes" && \
11548 test "x$ENABLED_32BIT" = "xyes"],
11549 [AC_MSG_ERROR([cannot specify 64-bit build and 32-bit build.])])
11550AS_IF([test "x$ENABLED_64BIT" = "xyes" && \
11551 test "x$ENABLED_16BIT" = "xyes"],
11552 [AC_MSG_ERROR([cannot specify 64-bit build and 16-bit build.])])
11553AS_IF([test "x$ENABLED_32BIT" = "xyes" && \
11554 test "x$ENABLED_16BIT" = "xyes"],
11555 [AC_MSG_ERROR([cannot specify 32-bit build and 16-bit build.])])
11556
11557# 16-bit build not supported with SP
11558AS_IF([test "x$ENABLED_16BIT" = "xyes" && \
11559 test "x$ENABLED_SP" = "xyes"],
11560 [AC_MSG_ERROR([16-bit build not available with SP.])])
11561
11562################################################################################
11563# Update CFLAGS based on options #
11564################################################################################
11565AS_IF([test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no" &&
11566 test "$ENABLED_FASTMATH" = "no" && test "$ENABLED_HEAPMATH" = "no"],
11567 [AM_CFLAGS="$AM_CFLAGS -DNO_BIG_INT"])
11568
11569AS_IF([test "x$ENABLED_CERTS" = "xno"],
11570 [AM_CFLAGS="$AM_CFLAGS -DNO_CERTS"])
11571
11572AS_IF([test "x$ENABLED_ASN" = "xno"],
11573 [AM_CFLAGS="$AM_CFLAGS -DNO_ASN"])
11574
11575AS_IF([test "x$ENABLED_SYS_CA_CERTS" = "xyes"],
11576 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CA_CERTS"])
11577
11578AS_IF([test "x$ENABLED_DUAL_ALG_CERTS" = "xyes"],
11579 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DUAL_ALG_CERTS"])
11580
11581AS_IF([test "x$ENABLED_RPK" = "xyes"],
11582 [AM_CFLAGS="$AM_CFLAGS -DHAVE_RPK"])
11583
11584AS_IF([test "x$ENABLED_CERT_SETUP_CB" = "xyes"],
11585 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_SETUP_CB"])
11586
11587AS_IF([test "x$ENABLED_ALTNAMES" = "xyes"],
11588 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_NAMES"])
11589
11590AS_IF([test "x$ENABLED_KEYGEN" = "xyes"],
11591 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
11592
11593AS_IF([test "x$ENABLED_ACERT" = "xyes"],
11594 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ACERT"])
11595
11596AS_IF([test "x$ENABLED_CERTREQ" = "xyes"],
11597 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"])
11598
11599AS_IF([test "x$ENABLED_CERTGEN" = "xyes"],
11600 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"])
11601
11602AS_IF([test "x$ENABLED_CERTEXT" = "xyes"],
11603 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"])
11604
11605AS_IF([test "x$ENABLED_OCSP" = "xyes"],
11606 [AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"])
11607
11608AS_IF([test "x$ENABLED_OCSP_RESPONDER" = "xyes"],
11609 [AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP_RESPONDER"])
11610
# With OCSP enabled, look for the openssl command line tool, which the OCSP
# tests use. The program is looked up by name on PATH, so the tests run
# whichever openssl comes first there. A missing tool only produces a warning.
AS_IF([test "$ENABLED_OCSP" = "yes"],
    [AC_CHECK_PROG([HAVE_OPENSSL_CMD],[openssl],[yes],[no])
     AS_IF([test "$HAVE_OPENSSL_CMD" = "yes"],
         [AM_CFLAGS="$AM_CFLAGS -DHAVE_OPENSSL_CMD"],
         [AC_MSG_WARN([openssl command line tool not available for testing ocsp])])])
11623
# strongSwan builds get the three defines below. DES in ECB mode is added on
# top only when FIPS is off or the FIPS version is 2 or lower; the version
# comparison is evaluated only when ENABLED_FIPS is not "no".
# NOTE(review): WOLFSSL_DES_ECB exposes a legacy primitive, presumably because
# strongSwan asks for it - keep it out of builds that do not need strongSwan.
if test "x$ENABLED_STRONGSWAN" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LOG_PRINTF -DWOLFSSL_PUBLIC_MP -DHAVE_EX_DATA"
    if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 2; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
    fi
fi

if test "x$ENABLED_OPENLDAP" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"
fi

if test "x$ENABLED_MOSQUITTO" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
fi
11632
# Streaming Ed25519 verification is defined unless it was set to "no" or
# ENABLED_SE050 is "yes"; the define goes to both the C and assembler flags.
AS_IF([test "$ENABLED_ED25519_STREAM" != "no" && test "$ENABLED_SE050" != "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED25519_STREAMING_VERIFY"
     AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ED25519_STREAMING_VERIFY"])

# The error queue is compiled out when disabled, and always for JNI builds.
AS_IF([test "$ENABLED_ERROR_QUEUE" = "no" || test "$ENABLED_JNI" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_QUEUE"])
11643
# The full OpenSSL compatibility layer pulls in a fixed set of defines.
# NOTE(review): that set includes WC_RSA_NO_PADDING, which by its name allows
# RSA without padding - callers of the compatibility API should not rely on it
# for new code.
if test "x$ENABLED_OPENSSLALL" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_CERT_NAME_ALL"
fi

if test "x$ENABLED_AESSIV" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_SIV"
fi

# AES-CTR also turns on direct AES access, except for fortress builds.
if test "x$ENABLED_AESCTR" = "xyes" && test "x$ENABLED_FORTRESS" != "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT"
fi

# Disabling MD5 also defines NO_OLD_TLS (TLS 1.0 and 1.1 use MD5 in their PRF,
# which is presumably why the two are tied together here).
AS_IF([test "$ENABLED_MD5" = "no"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])

if test "x$ENABLED_AESBS" = "xyes" && test "x$ENABLED_ARMASM" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi

AS_IF([test "$ENABLED_HMAC" = "no"],
    [AM_CFLAGS="$AM_CFLAGS -DNO_HMAC"])

# ENABLED_OPENSSLEXTRA selects either the full extra API or the X509 subset.
case "$ENABLED_OPENSSLEXTRA" in
    yes)
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
        ;;
    x509small)
        AC_MSG_NOTICE([Enabling only a subset of X509 opensslextra])
        AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
        ;;
esac
11675
# wolfSCEP needs key generation, certificate generation, certificate requests,
# certificate extensions and PKCS7. Any of these still set to "no" is switched
# to "yes" here and, except for PKCS7, its define is appended at the same time.
# PKCS7 gets its define in the block that follows, so the order of the two
# blocks matters.
AS_IF([test "$ENABLED_WOLFSCEP" = "yes"],
    [AS_IF([test "x$ENABLED_KEYGEN" = "xno"],
         [ENABLED_KEYGEN="yes"
          AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
     AS_IF([test "x$ENABLED_CERTGEN" = "xno"],
         [ENABLED_CERTGEN="yes"
          AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"])
     AS_IF([test "x$ENABLED_CERTREQ" = "xno"],
         [ENABLED_CERTREQ="yes"
          AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"])
     AS_IF([test "x$ENABLED_CERTEXT" = "xno"],
         [ENABLED_CERTEXT="yes"
          AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"])
     AS_IF([test "x$ENABLED_PKCS7" = "xno"],
         [ENABLED_PKCS7="yes"])
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_WOLFSCEP"])

# PKCS7 in turn needs AES key wrap and, unless ECC is off, the X9.63 KDF.
# Prerequisites still set to "no" are enabled together with their defines.
AS_IF([test "x$ENABLED_PKCS7" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS7"
     AS_IF([test "x$ENABLED_AESKEYWRAP" = "xno"],
         [ENABLED_AESKEYWRAP="yes"
          AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_KEYWRAP -DWOLFSSL_AES_DIRECT"])
     AS_IF([test "x$ENABLED_X963KDF" = "xno" && test "$ENABLED_ECC" != "no"],
         [ENABLED_X963KDF="yes"
          AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF"])])
11721
# 3DES is compiled out when disabled, and is forced off for leanpsk and
# leantls builds.
if test "x$ENABLED_DES3" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
elif test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
    ENABLED_DES3=no
fi

# The 3DES TLS suites are excluded on an explicit "no". Any other value needs
# 3DES itself, so it is rejected when 3DES ended up disabled above (which
# includes the lean builds).
if test "x$ENABLED_DES3_TLS_SUITES" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_DES3_TLS_SUITES"
elif test "x$ENABLED_DES3" = "xno"; then
    AC_MSG_ERROR([DES3 TLS suites require DES3])
fi
11741
# AES-GCM: ENABLED_AESGCM may name an implementation variant (word, word32,
# small, table, 4bit). Each check below that matches appends its define and
# normalises the value to "yes", so later value checks no longer match.
# The low-resource check does not depend on the value: with
# ENABLED_LOWRESOURCE=yes, GCM_SMALL is always appended, the table and 4bit
# variants are never selected, and word32 ends up with both GCM_WORD32 and
# GCM_SMALL.
# NOTE(review): confirm that the word32 plus low-resource combination is
# intended.
AS_IF([test "$ENABLED_AESGCM" != "no"],
    [AS_IF([test "$ENABLED_AESGCM" = "word"],
         [ENABLED_AESGCM=yes])

     AS_IF([test "$ENABLED_AESGCM" = "word32"],
         [AM_CFLAGS="$AM_CFLAGS -DGCM_WORD32"
          ENABLED_AESGCM=yes])

     AS_IF([test "$ENABLED_AESGCM" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"],
         [AM_CFLAGS="$AM_CFLAGS -DGCM_SMALL"
          ENABLED_AESGCM=yes])

     AS_IF([test "$ENABLED_AESGCM" = "table"],
         [AM_CFLAGS="$AM_CFLAGS -DGCM_TABLE"
          ENABLED_AESGCM=yes])

     AS_IF([test "$ENABLED_AESGCM" = "4bit"],
         [AM_CFLAGS="$AM_CFLAGS -DGCM_TABLE_4BIT"
          ENABLED_AESGCM=yes])

     AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])

# Streaming AES-GCM requires AES-GCM itself and is rejected with RISC-V asm.
# The define is passed to both the C and assembler flags.
AS_IF([test "$ENABLED_AESGCM_STREAM" != "no"],
    [AS_IF([test "$ENABLED_AESGCM" = "no"],
         [AC_MSG_ERROR([AES-GCM streaming is enabled but AES-GCM is disabled.])],
         [test "$ENABLED_RISCV_ASM" = "yes"],
         [AC_MSG_ERROR([RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM.])],
         [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESGCM_STREAM"
          AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AESGCM_STREAM"])])
11788
# Streaming AES-XTS requires AES-XTS itself; the define is passed to both the
# C and assembler flags.
AS_IF([test "$ENABLED_AESXTS_STREAM" != "no"],
    [AS_IF([test "$ENABLED_AESXTS" = "no"],
         [AC_MSG_ERROR([AES-XTS streaming enabled but AES-XTS is disabled])],
         [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESXTS_STREAM"
          AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AESXTS_STREAM"])])

# IoT-Safe and its hardware RNG: any value other than "no" enables the feature
# and is normalised to "yes".
AS_IF([test "$ENABLED_IOTSAFE" != "no"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IOTSAFE"
     ENABLED_IOTSAFE=yes])

AS_IF([test "$ENABLED_IOTSAFE_HWRNG" != "no"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_IOTSAFE_HWRNG"
     ENABLED_IOTSAFE_HWRNG=yes])
11811
# wolfEngine: a base set of defines, plus two further sets that depend on the
# FIPS state. The defines are appended in the same order as before.
# NOTE(review): the base set includes HAVE_AES_ECB and WC_RSA_NO_PADDING, which
# by their names expose ECB mode and unpadded RSA - presumably for the engine
# API; confirm they are not needed outside wolfEngine builds.
if test "x$ENABLED_WOLFENGINE" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_WOLFENGINE"

    # With any FIPS setting other than "no".
    if test "$ENABLED_FIPS" != "no"; then
        AM_CFLAGS="$AM_CFLAGS -DSha3=wc_Sha3 -DNO_OLD_SHA256_NAMES -DNO_OLD_MD5_NAME"
    fi

    # With any FIPS version other than v2.
    if test "$FIPS_VERSION" != "v2"; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
    fi
fi
11833
# Max strength: besides its own defines, it turns old TLS off when that was
# still enabled, and refuses to configure together with SSLv3.
if test "x$ENABLED_MAXSTRENGTH" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH -DWOLFSSL_CIPHER_TEXT_CHECK"

    if test "x$ENABLED_OLD_TLS" = "xyes"; then
        AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
        ENABLED_OLD_TLS=no
    fi

    if test "x$ENABLED_SSLV3" = "xyes"; then
        AC_MSG_ERROR([Cannot use Max Strength and SSLv3 at the same time.])
    fi
fi

if test "x$ENABLED_SCTP" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SCTP"
fi

if test "x$ENABLED_SRTP" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SRTP"
fi

if test "x$ENABLED_MCAST" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MULTICAST"
fi
11854
# SHA-224 is not yet supported together with AF_ALG.
if test "x$ENABLED_AFALG" = "xyes" && test "x$ENABLED_SHA224" = "xyes"; then
    AC_MSG_ERROR([--enable-sha224 with --enable-afalg not yet supported])
fi

# SHA-224 is not yet supported together with devcrypto either, unless CAAM is
# in use (the check only fires when ENABLED_CAAM is "no").
if test "x$ENABLED_DEVCRYPTO" = "xyes" &&
   test "x$ENABLED_CAAM" = "xno" &&
   test "x$ENABLED_SHA224" = "xyes"; then
    AC_MSG_ERROR([--enable-sha224 with --enable-devcrypto not yet supported])
fi

# SCTP, multicast, SRTP and strongSwan all need DTLS, so DTLS is switched on
# when any of them is requested while it is still "no".
if test "x$ENABLED_DTLS" = "xno" &&
   { test "x$ENABLED_SCTP" = "xyes" || test "x$ENABLED_MCAST" = "xyes" ||
     test "x$ENABLED_SRTP" = "xyes" ||
     test "x$ENABLED_STRONGSWAN" = "xyes"; }; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
    ENABLED_DTLS=yes
fi

# Multicast needs the null cipher, so requesting multicast turns it on even
# when it was configured as "no". NULL cipher suites carry no confidentiality,
# so a multicast build should be checked for which suites it actually offers.
if test "x$ENABLED_NULL_CIPHER" = "xno" && test "x$ENABLED_MCAST" = "xyes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_NULL_CIPHER"
    ENABLED_NULL_CIPHER=yes
fi
11878
# wolfSSH and WPA Supplicant both want the public MP API. The define is added
# here for wolfSSH only when WPA Supplicant support is "no", so that it is not
# appended twice (presumably the WPA Supplicant handling adds it elsewhere).
# When changing a wolfSSH prerequisite, remember that disabling an option can
# also add flags, so both places may need updating.
if test "x$ENABLED_WOLFSSH" = "xyes" && test "x$ENABLED_WPAS" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
fi

# The OpenSSL coexistence mode and the full compatibility layer are mutually
# exclusive.
AS_IF([test "x$ENABLED_OPENSSLCOEXIST" = "xyes" && test "x$ENABLED_OPENSSLALL" = "xyes"],
    [AC_MSG_ERROR([Cannot use --enable-opensslcoexist with --enable-opensslall])])

AS_IF([test "$ENABLED_WOLFSSH" = "yes" && test "$ENABLED_HMAC" = "no"],
    [AC_MSG_ERROR([WOLFSSH requires HMAC.])])

# Note that this define goes to the preprocessor flags, not the C flags.
if test "x$ENABLED_WOLFSSH" = "xyes"; then
    AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_WOLFSSH"
fi
11897
# Secure renegotiation info is kept only when both ASN and TLS 1.2 are
# available; it is also dropped when renegotiation indication is selected.
AS_IF([test "x$ENABLED_ASN" = "xno" ||
       test "x$ENABLED_TLSV12" = "xno" ||
       test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"],
    [ENABLED_SECURE_RENEGOTIATION_INFO="no"])

AS_IF([test "x$ENABLED_SECURE_RENEGOTIATION_INFO" = "xyes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SERVER_RENEGOTIATION_INFO"])


AS_IF([test "$ENABLED_COMPKEY" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_COMP_KEY"])


# Deprecated algorithm handling: RC4 is only allowed on explicit request.
# RC4 cipher suites are prohibited for TLS by RFC 7465, so this should stay
# off unless a legacy peer requires it.
AS_IF([test "$ENABLED_ARC4" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_RC4"])


# Link with the math library only when DH is enabled in a form other than
# "const".
if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then
    LT_LIB_M
fi

# Multiple OCSP stapling for the TLS 1.3 Certificate extension needs the
# certificate status request, TLS 1.3 and the multi option all set to "yes".
AS_IF([test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes" &&
       test "$ENABLED_TLS13" = "yes" &&
       test "$ENABLED_TLS_OCSP_MULTI" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"])
################################################################################
11940
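# USER SETTINGS
# With user settings enabled, AM_CFLAGS and AM_CCASFLAGS are replaced, not
# extended: every define appended earlier in this script is discarded and only
# WOLFSSL_USER_SETTINGS and WOLFSSL_USER_SETTINGS_ASM remain. That includes
# hardening-related defines such as NO_OLD_TLS or WOLFSSL_MAX_STRENGTH, so
# user_settings.h has to carry every option the build is meant to have.
# Build-system flags that affect preprocessor guards in test files are
# re-appended after the reset (currently the SWDEV pair).
if test "x$ENABLED_USERSETTINGS" = "xyes"
then
    AM_CFLAGS="-DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM"
    AM_CCASFLAGS="-DWOLFSSL_USER_SETTINGS -DWOLFSSL_USER_SETTINGS_ASM"
    AS_IF([test "x$ENABLED_SWDEV" = "xyes"],[
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
        AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SWDEV -DWOLF_CRYPTO_CB_FIND"
    ])

    # Generate assembly-safe user_settings_asm.h (just preprocessor directives
    # from user_settings.h). The script path is quoted so that the source
    # directory is passed as a single word and is not subject to word
    # splitting or globbing; the three flag variables are deliberately passed
    # together as one argument.
    "$srcdir/scripts/user_settings_asm.sh" "$CPPFLAGS $CFLAGS $CXXFLAGS"
    if test $? -ne 0; then
        AC_MSG_ERROR([$srcdir/scripts/user_settings_asm.sh failed.])
    fi
fi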
11961
# OPTIMIZE FLAGS
# Applied only for GCC and only outside distro builds, because custom build
# options interfere with symbol generation there.
if test "$GCC" = "yes" && test "$ENABLED_DISTRO" = "no"; then
    # Warning flags are skipped for CUDA builds.
    if test "$ENABLED_CUDA" != "yes"; then
        AM_CFLAGS="$AM_CFLAGS -Wall -Wno-unused"
    fi

    # Optimisation flags need a non-debug build with optflags enabled.
    # Fastmath, and SP (or SP math all) without the small variant, get the fast
    # flags plus the huge flags when fasthugemath is on; everything else gets
    # the default optimisation flags.
    if test "$ax_enable_debug" = "no" && test "x$ENABLED_OPTFLAGS" = "xyes"; then
        if test "$ENABLED_FASTMATH" = "yes"; then
            AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_FAST_CFLAGS"
            if test "$ENABLED_FASTHUGEMATH" = "yes"; then
                AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS"
            fi
        elif { test "$ENABLED_SP" = "yes" || test "$ENABLED_SP_MATH_ALL" = "yes"; } &&
             test "$ENABLED_SP_SMALL" = "no"; then
            AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_FAST_CFLAGS"
            if test "$ENABLED_FASTHUGEMATH" = "yes"; then
                AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS -DWOLFSSL_SP_INT_LARGE_COMBA"
            fi
        else
            AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_CFLAGS"
        fi
    fi
fi
11996
# ICC: silence the command line warning about unsupported warning flags.
# Only an exact CC value of "icc" matches.
AS_IF([test "$CC" = "icc"],
    [AM_CFLAGS="$AM_CFLAGS -wd10006"])

# Expose HAVE___UINT128_T to the options flags.
AS_IF([test "$ac_cv_type___uint128_t" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE___UINT128_T=1"])

# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h
AS_IF([test "$ac_cv_func_getpid" = "yes"],
    [AM_CFLAGS="$AM_CFLAGS -DHAVE_GETPID=1"])

# Socket library detection, then the compiler hardening flags.
LIB_SOCKET_NSL
AX_HARDEN_CC_COMPILER_FLAGS
12017
# Selftest and FIPS builds, other than FIPS dev and FIPS ready, get
# -Wno-switch-enum: rsa.c wc_hash2mgf() switches on enum wc_HashType, which is
# defined outside the FIPS boundary, and unsupported hashes are handled
# correctly by the default clause.
if test "$ENABLED_SELFTEST" = yes || test "$ENABLED_FIPS" = yes; then
    if test "$ENABLED_FIPS_DEV" != yes && test "$ENABLED_FIPS_READY" != yes; then
        AC_LANG_PUSH([C])
        AX_APPEND_COMPILE_FLAGS([-Wno-switch-enum],,[$ax_append_compile_cflags_extra])
        AC_LANG_POP
    fi
fi

# -Wdeprecated-enum-enum-conversion is on by default in C++20, but conflicts
# with the use of enum constructs to define fungible constants here. The
# suppression is added only when the compiler accepts it, and not for
# kernel-mode defaults.
if test "$KERNEL_MODE_DEFAULTS" != "yes"; then
    AX_CHECK_COMPILE_FLAG([-Werror -Wno-deprecated-enum-enum-conversion],
        [AX_APPEND_FLAG([-Wno-deprecated-enum-enum-conversion], [AM_CFLAGS])])
fi
12038
# Host-specific link settings.
case "$host_os" in
    mingw*)
        # MinGW links ws2_32 for sockets and crypt32. A shared build defines
        # WOLFSSL_DLL; building shared and static together additionally sets
        # MINGW_LIB_WARNING.
        LDFLAGS="$LDFLAGS -lws2_32"
        LIB_ADD="$LIB_ADD -lcrypt32"
        if test "$enable_shared" = "yes"; then
            AC_DEFINE([WOLFSSL_DLL], [1], [Use __declspec(dllexport) when building library])
            if test "$enable_static" = "yes"; then
                MINGW_LIB_WARNING="yes"
            fi
        fi
        ;;
    *darwin*)
        # Static linking on macOS with system CA certificates needs these
        # frameworks listed as private libraries.
        if test "$enable_shared" = "no" && test "x$ENABLED_SYS_CA_CERTS" = "xyes"; then
            PC_LIBS_PRIVATE="$PC_LIBS_PRIVATE -framework CoreFoundation -framework Security"
        fi
        ;;
esac

# A static-only build is marked for the tests.
if test "$enable_shared" = "no" && test "$enable_static" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TEST_STATIC_BUILD"
fi
12066
# wolfGuard refuses to configure when any of its cryptographic prerequisites
# (ECC, SHA-256, AES-GCM, HMAC, RNG) is set to "no".
AS_IF([test "$ENABLED_WOLFGUARD" = "yes"],
    [AS_IF([test "$ENABLED_ECC" = "no" || test "$ENABLED_SHA256" = "no" ||
            test "$ENABLED_AESGCM" = "no" || test "$ENABLED_HMAC" = "no" ||
            test "$ENABLED_RNG" = "no"],
         [AC_MSG_ERROR([--enable-wolfguard requires ECC, SHA256-HMAC, AES-GCM, and RNG.])])])
12077
# Linux kernel module build: detect the SIMD compiler flags, export the FPU,
# SIMD and auto-vectorisation flag variables, then reject every option that
# cannot be used in the kernel. Small stack and SP math are required instead.
if test "x$ENABLED_LINUXKM" = "xyes"; then
    AX_SIMD_CC_COMPILER_FLAGS
    AC_SUBST([CFLAGS_FPU_DISABLE])
    AC_SUBST([CFLAGS_FPU_ENABLE])
    AC_SUBST([CFLAGS_SIMD_DISABLE])
    AC_SUBST([CFLAGS_SIMD_ENABLE])
    AC_SUBST([CFLAGS_AUTO_VECTORIZE_DISABLE])
    AC_SUBST([CFLAGS_AUTO_VECTORIZE_ENABLE])
    AC_SUBST([ASFLAGS_FPU_DISABLE_SIMD_ENABLE])
    AC_SUBST([ASFLAGS_FPU_ENABLE_SIMD_DISABLE])
    AC_SUBST([ASFLAGS_FPUSIMD_DISABLE])
    AC_SUBST([ASFLAGS_FPUSIMD_ENABLE])

    AS_IF([test "$ENABLED_OPENSSLEXTRA" != "no" && test "$ENABLED_LINUXKM_PIE" = "yes" && test "$ENABLED_CRYPTONLY" = "no"],
        [AC_MSG_ERROR([--enable-opensslextra with --enable-linuxkm-pie and without --enable-cryptonly is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_FILESYSTEM" = "yes"],
        [AC_MSG_ERROR([--enable-filesystem is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_AFALG" = "yes"],
        [AC_MSG_ERROR([--enable-afalg is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_DEVCRYPTO" = "yes"],
        [AC_MSG_ERROR([--enable-devcrypto is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_PKCS11" = "yes"],
        [AC_MSG_ERROR([--enable-pkcs11 is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_JNI" = "yes"],
        [AC_MSG_ERROR([--enable-jni is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_16BIT" = "yes"],
        [AC_MSG_ERROR([--enable-16bit is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_SINGLETHREADED" = "yes"],
        [AC_MSG_ERROR([--enable-singlethreaded is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_VALGRIND" = "yes"],
        [AC_MSG_ERROR([--enable-valgrind is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_FASTMATH" = "yes"],
        [AC_MSG_ERROR([--enable-fastmath is incompatible with --enable-linuxkm (exceeds stack limit).])])
    AS_IF([test "$ENABLED_LIBZ_RSA" = "yes"],
        [AC_MSG_ERROR([--with-libz is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_IOPOOL" = "yes"],
        [AC_MSG_ERROR([--enable-iopool is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_EXAMPLES" = "yes"],
        [AC_MSG_ERROR([--enable-examples is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_SMALL_STACK" != "yes"],
        [AC_MSG_ERROR([--enable-smallstack is required for --enable-linuxkm.])])
    AS_IF([test "$ENABLED_SP_MATH" != "yes" && test "$ENABLED_SP_MATH_ALL" = "no" && test "$ENABLED_BIGNUM" != "no"],
        [AC_MSG_ERROR([--enable-sp-math or --enable-sp-math-all is required for --enable-linuxkm.])])
    AS_IF([test "$ENABLED_STACKSIZE" != "no"],
        [AC_MSG_ERROR([--enable-stacksize is incompatible with --enable-linuxkm.])])
    AS_IF([test "$ENABLED_STACKLOG" = "yes"],
        [AC_MSG_ERROR([--enable-stacklog is incompatible with --enable-linuxkm.])])
fi
12143
# Assembly was disabled as a whole while at least one specific asm option is
# still something other than "no": warn, but keep configuring.
if test "$ENABLED_ASM" = "no" &&
   { test "$ENABLED_INTELASM" != "no" ||
     test "$ENABLED_AESNI" != "no" ||
     test "$ENABLED_ARMASM" != "no" ||
     test "$ENABLED_RISCV_ASM" != "no" ||
     test "$ENABLED_SP_ASM" != "no"; }; then
    AC_MSG_WARN([Conflicting asm settings.])
fi
12150
12151# The following AM_CONDITIONAL statements set flags for use in the Makefiles.
12152# Some of these affect build targets and objects, some trigger different
12153# test scripts for make check.
12154AM_CONDITIONAL([BUILD_DISTRO],[test "x$ENABLED_DISTRO" = "xyes"])
12155AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xnoinstall"])
12156AM_CONDITIONAL([BUILD_ALL],[test "x$ENABLED_ALL" = "xyes"])
12157AM_CONDITIONAL([BUILD_TLS13],[test "x$ENABLED_TLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12158AM_CONDITIONAL([BUILD_RNG],[test "x$ENABLED_RNG" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12159AM_CONDITIONAL([BUILD_SCTP],[test "x$ENABLED_SCTP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12160AM_CONDITIONAL([BUILD_SRTP],[test "x$ENABLED_SRTP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12161AM_CONDITIONAL([BUILD_MCAST],[test "x$ENABLED_MCAST" = "xyes"])
12162AM_CONDITIONAL([BUILD_IPV6],[test "x$ENABLED_IPV6" = "xyes"])
12163AM_CONDITIONAL([BUILD_LEANPSK],[test "x$ENABLED_LEANPSK" = "xyes"])
12164AM_CONDITIONAL([BUILD_LEANTLS],[test "x$ENABLED_LEANTLS" = "xyes"])
12165AM_CONDITIONAL([BUILD_LOWMEM],[test "x$ENABLED_LOWRESOURCE" = "xyes"])
12166AM_CONDITIONAL([BUILD_PKCALLBACKS], [ test "x$ENABLED_PKCALLBACKS" = "xyes"])
12167AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB],[test "x$ENABLED_CRYPTOAUTHLIB" = "xyes"])
12168AM_CONDITIONAL([BUILD_SNIFFER], [ test "x$ENABLED_SNIFFER" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12169AM_CONDITIONAL([BUILD_SNIFFTEST],[ test "x$ENABLED_SNIFFTEST" = "xyes"])
12170AM_CONDITIONAL([BUILD_AESGCM],[test "x$ENABLED_AESGCM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12171AM_CONDITIONAL([BUILD_AESCCM],[test "x$ENABLED_AESCCM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12172AM_CONDITIONAL([BUILD_AESXTS],[test "x$ENABLED_AESXTS" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12173AM_CONDITIONAL([BUILD_ARMASM],[test "x$ENABLED_ARMASM" = "xyes"])
12174AM_CONDITIONAL([BUILD_ARMASM_INLINE],[test "x$ENABLED_ARMASM_INLINE" = "xyes"])
12175AM_CONDITIONAL([BUILD_ARMASM_CRYPTO],[test "x$ENABLED_ARMASM_CRYPTO" = "xyes"])
12176AM_CONDITIONAL([BUILD_ARMASM_NEON],[test "x$ENABLED_ARMASM_NEON" = "xyes"])
12177AM_CONDITIONAL([BUILD_ARM_THUMB],[test "$ENABLED_ARM_THUMB" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
12178AM_CONDITIONAL([BUILD_ARM_NONTHUMB],[test "$ENABLED_ARM_THUMB" != "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
12179AM_CONDITIONAL([BUILD_ARM_32],[test "$ENABLED_ARM_32" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
12180AM_CONDITIONAL([BUILD_ARM_64],[test "$ENABLED_ARM_64" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
12181AM_CONDITIONAL([BUILD_RISCV_ASM],[test "x$ENABLED_RISCV_ASM" = "xyes"])
12182AM_CONDITIONAL([BUILD_PPC32_ASM],[test "x$ENABLED_PPC32_ASM" = "xyes"])
12183AM_CONDITIONAL([BUILD_PPC32_ASM_INLINE],[test "x$ENABLED_PPC32_ASM_INLINE" = "xyes"])
12184AM_CONDITIONAL([BUILD_PPC32_ASM_INLINE_REG],[test "x$ENABLED_PPC32_ASM_INLINE_REG" = "xyes"])
12185AM_CONDITIONAL([BUILD_XILINX],[test "x$ENABLED_XILINX" = "xyes"])
12186AM_CONDITIONAL([BUILD_AESNI],[test "x$ENABLED_AESNI" = "xyes"])
12187AM_CONDITIONAL([BUILD_INTELASM],[test "x$ENABLED_INTELASM" = "xyes"])
12188AM_CONDITIONAL([BUILD_X86_ASM],[test "x$ENABLED_X86_ASM" = "xyes"])
12189AM_CONDITIONAL([BUILD_AFALG],[test "x$ENABLED_AFALG" = "xyes"])
12190AM_CONDITIONAL([BUILD_KCAPI],[test "x$ENABLED_KCAPI" = "xyes"])
12191AM_CONDITIONAL([BUILD_DEVCRYPTO],[test "x$ENABLED_DEVCRYPTO" = "xyes"])
12192AM_CONDITIONAL([BUILD_CAMELLIA],[test "x$ENABLED_CAMELLIA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12193AM_CONDITIONAL([BUILD_MD2],[test "x$ENABLED_MD2" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12194AM_CONDITIONAL([BUILD_RIPEMD],[test "x$ENABLED_RIPEMD" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12195AM_CONDITIONAL([BUILD_BLAKE2B],[test "x$ENABLED_BLAKE2B" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12196AM_CONDITIONAL([BUILD_BLAKE2S],[test "x$ENABLED_BLAKE2S" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12197AM_CONDITIONAL([BUILD_SHA512],[test "x$ENABLED_SHA512" = "xyes" || test "x$ENABLED_SHA384" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12198AM_CONDITIONAL([BUILD_DSA],[test "x$ENABLED_DSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12199AM_CONDITIONAL([BUILD_ECC],[test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12200AM_CONDITIONAL([BUILD_ED25519],[test "$ENABLED_ED25519" != "no" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12201AM_CONDITIONAL([BUILD_ED25519_SMALL],[test "x$ENABLED_ED25519_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12202AM_CONDITIONAL([BUILD_FEMATH], [test "x$ENABLED_FEMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12203AM_CONDITIONAL([BUILD_GEMATH], [test "x$ENABLED_GEMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12204AM_CONDITIONAL([BUILD_CURVE25519],[test "$ENABLED_CURVE25519" != "no" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12205AM_CONDITIONAL([BUILD_CURVE25519_INTELASM],[test "$ENABLED_CURVE25519" != "noasm" && test "$ENABLED_ED25519" != "noasm" && test "$ENABLED_INTELASM" = "yes"])
12206AM_CONDITIONAL([BUILD_CURVE25519_SMALL],[test "x$ENABLED_CURVE25519_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12207AM_CONDITIONAL([BUILD_ED448],[test "x$ENABLED_ED448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12208AM_CONDITIONAL([BUILD_ED448_SMALL],[test "x$ENABLED_ED448_SMALL" = "xyes"])
12209AM_CONDITIONAL([BUILD_FE448], [test "x$ENABLED_FE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12210AM_CONDITIONAL([BUILD_GE448], [test "x$ENABLED_GE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12211AM_CONDITIONAL([BUILD_CURVE448],[test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12212AM_CONDITIONAL([BUILD_CURVE448_SMALL],[test "x$ENABLED_CURVE448_SMALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12213AM_CONDITIONAL([BUILD_WC_LMS],[test "x$ENABLED_LMS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12214AM_CONDITIONAL([BUILD_WC_XMSS],[test "x$ENABLED_XMSS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12215AM_CONDITIONAL([BUILD_WC_SLHDSA],[test "x$ENABLED_SLHDSA" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12216AM_CONDITIONAL([BUILD_WC_MLKEM],[test "x$ENABLED_MLKEM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12217AM_CONDITIONAL([BUILD_DILITHIUM],[test "x$ENABLED_DILITHIUM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12218AM_CONDITIONAL([BUILD_ECCSI],[test "x$ENABLED_ECCSI" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12219AM_CONDITIONAL([BUILD_SAKKE],[test "x$ENABLED_SAKKE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12220AM_CONDITIONAL([BUILD_MEMORY],[test "x$ENABLED_MEMORY" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12221AM_CONDITIONAL([BUILD_MEMUSE],[test "x$ENABLED_ENTROPY_MEMUSE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12222AM_CONDITIONAL([BUILD_RNG_BANK],[test "$ENABLED_RNG_BANK" = "yes" || test "$ENABLED_USERSETTINGS" = "yes"])
12223AM_CONDITIONAL([BUILD_RSA],[test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12224AM_CONDITIONAL([BUILD_DH],[test "x$ENABLED_DH" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12225AM_CONDITIONAL([BUILD_ASN],[test "x$ENABLED_ASN" != "xno" || test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12226AM_CONDITIONAL([BUILD_AES],[test "x$ENABLED_AES" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12227AM_CONDITIONAL([BUILD_CODING],[test "x$ENABLED_CODING" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12228AM_CONDITIONAL([BUILD_RC4],[test "x$ENABLED_ARC4" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12229AM_CONDITIONAL([BUILD_MD5],[test "x$ENABLED_MD5" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12230AM_CONDITIONAL([BUILD_SHA],[test "x$ENABLED_SHA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
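# Makefile conditionals for the FIPS build and its module version.
# BUILD_FIPS_V2 and BUILD_FIPS_RAND both match major version 2 and are told
# apart by the minor version (0 and 1 respectively). The _PLUS conditionals
# match the named major version and anything newer.
# HAVE_FIPS_VERSION is quoted in every test, including the v6 and v7 ones that
# used to expand it bare, so that an empty value cannot change the number of
# operands that test sees.
AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"])
AC_SUBST([ENABLED_FIPS])
AM_CONDITIONAL([BUILD_FIPS_V1],[test "$HAVE_FIPS_VERSION" = 1])
AM_CONDITIONAL([BUILD_FIPS_V2],[test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 0])
AM_CONDITIONAL([BUILD_FIPS_V2_PLUS],[test "$HAVE_FIPS_VERSION" -ge 2 ])
AM_CONDITIONAL([BUILD_FIPS_RAND],[test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 1])
AM_CONDITIONAL([BUILD_FIPS_V5],[test "$HAVE_FIPS_VERSION" = 5])
AM_CONDITIONAL([BUILD_FIPS_V5_PLUS],[test "$HAVE_FIPS_VERSION" -ge 5])
AM_CONDITIONAL([BUILD_FIPS_V6],[test "$HAVE_FIPS_VERSION" = 6])
AM_CONDITIONAL([BUILD_FIPS_V6_PLUS],[test "$HAVE_FIPS_VERSION" -ge 6])
AM_CONDITIONAL([BUILD_FIPS_V7],[test "$HAVE_FIPS_VERSION" = 7])
AM_CONDITIONAL([BUILD_FIPS_V7_PLUS],[test "$HAVE_FIPS_VERSION" -ge 7])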
12243AM_CONDITIONAL([BUILD_SIPHASH],[test "x$ENABLED_SIPHASH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12244AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12245AM_CONDITIONAL([BUILD_SHE],[test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12246AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
12247AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12248AM_CONDITIONAL([BUILD_SHA3],[test "x$ENABLED_SHA3" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12249AM_CONDITIONAL([BUILD_POLY1305],[test "x$ENABLED_POLY1305" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12250AM_CONDITIONAL([BUILD_CHACHA],[test "x$ENABLED_CHACHA" = "xyes" || test "x$ENABLED_CHACHA" = "xnoasm" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12251AM_CONDITIONAL([BUILD_CHACHA_NOASM],[test "$ENABLED_CHACHA" = "noasm"])
12252AM_CONDITIONAL([BUILD_XCHACHA],[test "x$ENABLED_XCHACHA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12253AM_CONDITIONAL([BUILD_ASCON],[test "x$ENABLED_ASCON" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12254AM_CONDITIONAL([BUILD_PUF],[test "x$ENABLED_PUF" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12255AM_CONDITIONAL([BUILD_SM2],[test "x$ENABLED_SM2" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12256AM_CONDITIONAL([BUILD_SM3],[test "x$ENABLED_SM3" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12257AM_CONDITIONAL([BUILD_SM4],[test "x$ENABLED_SM4" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12258AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
12259AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12260AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
12261AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" && test "x$ENABLED_TLS13" = "xyes" && test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"])
12262AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
12263AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12264AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
12265AM_CONDITIONAL([BUILD_LIBOQS],[test "x$ENABLED_LIBOQS" = "xyes"])
12266AM_CONDITIONAL([BUILD_WNR],[test "x$ENABLED_WNR" = "xyes"])
12267AM_CONDITIONAL([BUILD_SRP],[test "x$ENABLED_SRP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12268AM_CONDITIONAL([USE_VALGRIND],[test "x$ENABLED_VALGRIND" = "xyes"])
12269AM_CONDITIONAL([BUILD_MD4],[test "x$ENABLED_MD4" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12270AM_CONDITIONAL([BUILD_PWDBASED],[test "x$ENABLED_PWDBASED" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12271AM_CONDITIONAL([BUILD_SCRYPT],[test "x$ENABLED_SCRYPT" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12272AM_CONDITIONAL([BUILD_CRYPTONLY],[test "x$ENABLED_CRYPTONLY" = "xyes"])
12273AM_CONDITIONAL([BUILD_FASTMATH],[test "x$ENABLED_FASTMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12274AM_CONDITIONAL([BUILD_HEAPMATH],[test "x$ENABLED_HEAPMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12275AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
12276AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
12277AM_CONDITIONAL([BUILD_EXAMPLE_ASN1],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_ASN_PRINT" = "xyes" && test "$ENABLED_ASN" != "no"])
12278AM_CONDITIONAL([BUILD_OCSP_RESPONDER],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_OCSP_RESPONDER" = "xyes"])
12279AM_CONDITIONAL([BUILD_TESTS],[test "x$ENABLED_EXAMPLES" = "xyes"])
12280AM_CONDITIONAL([BUILD_THREADED_EXAMPLES],[test "x$ENABLED_SINGLETHREADED" = "xno" && test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
12281AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS],[test "x$ENABLED_CRYPT_TESTS" = "xyes"])
12282AM_CONDITIONAL([BUILD_WOLFCRYPT_TESTS_LIBS],[test "x$ENABLED_CRYPT_TESTS_LIBS" = "xyes"])
12283AM_CONDITIONAL([BUILD_LIBZ],[test "x$ENABLED_LIBZ" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12284AM_CONDITIONAL([BUILD_PKCS11],[test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12285AM_CONDITIONAL([BUILD_PKCS12],[test "x$ENABLED_PKCS12" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12286AM_CONDITIONAL([BUILD_PKCS8],[test "x$ENABLED_PKCS8" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12287AM_CONDITIONAL([BUILD_CAVIUM],[test "x$ENABLED_CAVIUM" = "xyes"])
12288AM_CONDITIONAL([BUILD_CAVIUM_V],[test "x$ENABLED_CAVIUM_V" = "xyes"])
12289AM_CONDITIONAL([BUILD_OCTEON_SYNC],[test "x$ENABLED_OCTEON_SYNC" = "xyes"])
12290AM_CONDITIONAL([BUILD_INTEL_QA],[test "x$ENABLED_INTEL_QA" = "xyes"])
12291AM_CONDITIONAL([BUILD_INTEL_QA_SYNC],[test "x$ENABLED_INTEL_QA_SYNC" = "xyes"])
12292INCLUDE_SP_INT="no"
12293AM_CONDITIONAL([BUILD_SP],[test "x$ENABLED_SP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12294AM_CONDITIONAL([BUILD_SP_C32],[ ( ( (test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \
12295 || test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \
12296 || test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_64BIT" != "xyes"])
12297AM_CONDITIONAL([BUILD_SP_C64],[ ( ( (test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes" \
12298 || test "$ENABLED_SP_ECC" = "yes") && test "x$ENABLED_SP_ASM" = "xno") \
12299 || test "x$ENABLED_USERSETTINGS" = "xyes") && test "x$ENABLED_32BIT" != "xyes"])
12300AM_CONDITIONAL([BUILD_SP_ARM64],[test "x$ENABLED_SP_ARM64_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12301AM_CONDITIONAL([BUILD_SP_ARM32],[test "x$ENABLED_SP_ARM32_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12302AM_CONDITIONAL([BUILD_SP_ARM_THUMB],[test "x$ENABLED_SP_ARM_THUMB_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12303AM_CONDITIONAL([BUILD_SP_ARM_CORTEX],[test "x$ENABLED_SP_ARM_CORTEX_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12304AM_CONDITIONAL([BUILD_SP_X86_64],[test "x$ENABLED_SP_X86_64_ASM" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12305AM_CONDITIONAL([BUILD_SP_INT],[test "x$ENABLED_SP_MATH" = "xyes" || test "x$ENABLED_SP_MATH_ALL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12306AM_COND_IF([BUILD_SP], [INCLUDE_SP_INT="yes"])
12307AM_COND_IF([BUILD_SP_INT], [INCLUDE_SP_INT="yes"])
12308AC_SUBST([INCLUDE_SP_INT])
12309AM_CONDITIONAL([BUILD_MCAPI],[test "x$ENABLED_MCAPI" = "xyes"])
12310AM_CONDITIONAL([BUILD_ASYNCCRYPT],[test "x$ENABLED_ASYNCCRYPT" = "xyes"])
12311AM_CONDITIONAL([BUILD_WOLFEVENT],[test "x$ENABLED_ASYNCCRYPT" = "xyes"])
12312AM_CONDITIONAL([BUILD_CRYPTOCB],[test "x$ENABLED_CRYPTOCB" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12313AM_CONDITIONAL([BUILD_SWDEV],[test "x$ENABLED_SWDEV" = "xyes"])
12314AM_CONDITIONAL([BUILD_PSK],[test "x$ENABLED_PSK" = "xyes"])
12315AM_CONDITIONAL([BUILD_TRUST_PEER_CERT],[test "x$ENABLED_TRUSTED_PEER_CERT" = "xyes"])
12316AM_CONDITIONAL([BUILD_PKI],[test "x$ENABLED_PKI" = "xyes"])
12317AM_CONDITIONAL([BUILD_DES3],[test "x$ENABLED_DES3" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12318AM_CONDITIONAL([BUILD_PKCS7],[test "x$ENABLED_PKCS7" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12319AM_CONDITIONAL([BUILD_SMIME],[test "x$ENABLED_SMIME" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12320AM_CONDITIONAL([BUILD_HASHFLAGS],[test "x$ENABLED_HASHFLAGS" = "xyes"])
12321AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"])
12322AM_CONDITIONAL([BUILD_KERNEL_MODE_DEFAULTS],[test "$KERNEL_MODE_DEFAULTS" != "no"])
12323AM_CONDITIONAL([BUILD_BSDKM],[test "$ENABLED_BSDKM" = "yes"])
12324AM_CONDITIONAL([BUILD_KERNEL_MODULE],[test "$ENABLED_BSDKM" = "yes" || test "$ENABLED_LINUXKM" = "yes"])
12325AM_CONDITIONAL([BUILD_NO_LIBRARY],[test "$ENABLED_NO_LIBRARY" = "yes"])
12326AM_CONDITIONAL([BUILD_BENCHMARK],[test "$ENABLED_BENCHMARK" = "yes"])
12327AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"])
12328AM_CONDITIONAL([BUILD_CUDA],[test "x$ENABLED_CUDA" = "xyes"])
12329AM_CONDITIONAL([BUILD_CAAM],[test "x$ENABLED_CAAM" != "xno"])
12330AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM_QNX" = "xyes"])
12331AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
12332AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
12333AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
12334AM_CONDITIONAL([BUILD_STSAFE],[test "x$ENABLED_STSAFE" != "xno"])
12335AM_CONDITIONAL([BUILD_TROPIC01],[test "x$ENABLED_TROPIC01" = "xyes"])
12336AM_CONDITIONAL([BUILD_KDF],[test "x$ENABLED_KDF" = "xyes"])
12337AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"])
12338AM_CONDITIONAL([BUILD_ERROR_STRINGS],[test "x$ENABLED_ERROR_STRINGS" = "xyes"])
12339AM_CONDITIONAL([BUILD_DO178],[test "x$ENABLED_DO178" = "xyes"])
12340AM_CONDITIONAL([BUILD_PSA],[test "x$ENABLED_PSA" = "xyes"])
12341AM_CONDITIONAL([BUILD_DTLS13],[test "x$ENABLED_DTLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12342AM_CONDITIONAL([BUILD_QUIC],[test "x$ENABLED_QUIC" = "xyes"])
12343AM_CONDITIONAL([BUILD_DTLS_CID],[test "x$ENABLED_DTLS_CID" = "xyes"])
12344AM_CONDITIONAL([BUILD_HPKE],[test "x$ENABLED_HPKE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12345AM_CONDITIONAL([BUILD_DTLS],[test "x$ENABLED_DTLS" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
12346AM_CONDITIONAL([BUILD_MAXQ10XX],[test "x$ENABLED_MAXQ10XX" = "xyes"])
12347AM_CONDITIONAL([BUILD_ARIA],[test "x$ENABLED_ARIA" = "xyes"])
12348AM_CONDITIONAL([BUILD_XILINX],[test "x$ENABLED_XILINX" = "xyes"])
12349AM_CONDITIONAL([BUILD_AUTOSAR],[test "x$ENABLED_AUTOSAR" = "xyes"])
12350
# Build-parameter embedding is skipped entirely for reproducible builds.
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"; then
    # Introspection is enabled for debug builds, for builds that track stack
    # size, or when none of the reduced-footprint profiles is selected.
    if test "$ax_enable_debug" = "yes" ||
       test "$ENABLED_STACKSIZE" != "no" ||
       { test "$ENABLED_LEANTLS" = "no" &&
         test "$ENABLED_LEANPSK" = "no" &&
         test "$ENABLED_LOWRESOURCE" = "no"; }
    then
        AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION"
    fi

    # Force-include the generated .build_params file in every compilation.
    # That file is written after AC_OUTPUT and holds the configure arguments
    # and the global compiler flags as string macros.
    AM_CFLAGS="$AM_CFLAGS -include ${output_objdir}/.build_params"
fi
12365
# Append the EXTRA_* flag sets last, after everything configure added itself.
AM_CPPFLAGS="$AM_CPPFLAGS $EXTRA_CPPFLAGS"
AM_CFLAGS="$AM_CFLAGS $EXTRA_CFLAGS"
AM_CCASFLAGS="$AM_CCASFLAGS $EXTRA_CCASFLAGS"
AM_LDFLAGS="$AM_LDFLAGS $EXTRA_LDFLAGS"

CREATE_HEX_VERSION

# Export the final flag sets and link settings to the generated files.
AC_SUBST([AM_CPPFLAGS])
AC_SUBST([AM_CFLAGS])
AC_SUBST([AM_LDFLAGS])
AC_SUBST([AM_CCASFLAGS])
AC_SUBST([LIB_ADD])
AC_SUBST([LIB_STATIC_ADD])
AC_SUBST([LIBM])
AC_SUBST([PC_LIBS_PRIVATE])
AC_SUBST([WOLFSSL_HAVE_PTHREAD])
AC_SUBST([HAVE_PTHREAD], [$WOLFSSL_HAVE_PTHREAD])
AC_SUBST([PACKAGE_INIT], [''])

# Resolve the install prefixes to concrete values: "NONE" means the user gave
# no --prefix / --exec-prefix, so fall back to the defaults.
AS_IF([test "x$prefix" = "xNONE"],
      [WOLFSSL_PREFIX_ABS=$ac_default_prefix],
      [WOLFSSL_PREFIX_ABS=$prefix])
AS_IF([test "x$exec_prefix" = "xNONE"],
      [WOLFSSL_EXEC_PREFIX_ABS=$WOLFSSL_PREFIX_ABS],
      [WOLFSSL_EXEC_PREFIX_ABS=$exec_prefix])
prefix=$WOLFSSL_PREFIX_ABS
exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS

# libdir and includedir normally hold unexpanded references such as
# ${exec_prefix}/lib, so they are expanded with eval now that prefix and
# exec_prefix are concrete. eval runs the value as shell text: whatever was
# passed to --libdir / --includedir is evaluated with the privileges of the
# user running configure, so wrappers must not forward untrusted strings here.
eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\"
AC_SUBST([WOLFSSL_PREFIX_ABS])
AC_SUBST([WOLFSSL_LIBDIR_ABS])
AC_SUBST([WOLFSSL_INCLUDEDIR_ABS])
12400
# FINAL
# Output files produced by config.status. wolfssl/options.h is listed here and
# is also regenerated from the final preprocessor flags by the shell code that
# follows AC_OUTPUT in this file.
AC_CONFIG_FILES([stamp-h], [echo timestamp > stamp-h])
AC_CONFIG_FILES([Makefile
 wolfssl/version.h
 wolfssl/options.h
 support/wolfssl.pc
 debian/control
 debian/changelog
 rpm/spec
 wolfcrypt/test/test_paths.h
 ])
# The CMake package files are generated only when ENABLED_CMAKE_INSTALL is yes.
AS_IF([ test "x$ENABLED_CMAKE_INSTALL" = "xyes" ],[
AC_CONFIG_FILES([cmake/wolfssl-config.cmake:cmake/Config.cmake.in
 cmake/wolfssl-config-version.cmake:cmake/wolfssl-config-version.cmake.in
 cmake/wolfssl-targets.cmake:cmake/wolfssl-targets.cmake.in
 ])
])
# Generated scripts are made executable right after they are written.
AC_CONFIG_FILES([scripts/unit.test],[chmod +x scripts/unit.test])
AC_CONFIG_FILES([debian/rules],[chmod +x debian/rules])

AX_CREATE_GENERIC_CONFIG
AX_AM_JOBSERVER([yes])
12423
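# See Automake 9.4.1 Built Sources Example
#
# AX_OUT_OF_TREE_FILE(FILE)
# Registers a config.status command that creates an empty placeholder at
# $srcdir/FILE when no regular file exists there; an existing file is left
# untouched.
#
# The placeholder is created with a null command and an append redirection
# instead of "echo -n": a shell whose echo does not implement -n would write
# the literal text "-n" into the header. The path is quoted so a source
# directory containing whitespace is handled as one word.
AC_DEFUN([AX_OUT_OF_TREE_FILE],[
    AC_CONFIG_COMMANDS([$1], [test -f "$srcdir/$1" || : >> "$srcdir/$1"])
])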
12428
# Each call registers a command that creates an empty placeholder for the
# named header under $srcdir when the file is missing.
# NOTE(review): presumably these headers are not shipped in every source
# distribution -- confirm against the packaging rules.
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/async.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/fips.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/port/cavium/cavium_nitrox.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/port/intel/quickassist.h])
AX_OUT_OF_TREE_FILE([wolfssl/wolfcrypt/port/intel/quickassist_mem.h])

# Write config.status and instantiate all registered files and commands.
# Everything after this line runs after the output files exist.
AC_OUTPUT
12436
12437
# Optionally run "make clean" right after configuring.
if test "$ENABLED_MAKECLEAN" = "yes"; then
    # force make clean
    AC_MSG_NOTICE([---])
    AC_MSG_NOTICE([Running make clean...])

    # Fall back to plain "make" when MAKE is unset or empty.
    : "${MAKE:=make}"

    # $MAKE is left unquoted, as before, so a value that carries arguments is
    # split into separate words. Output is shown only in verbose mode.
    case "$verbose" in
        yes) $MAKE clean ;;
        *)   $MAKE clean >/dev/null ;;
    esac
fi
12453
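# Record how the library was configured in ${output_objdir}/.build_params,
# which is force-included into every compilation through AM_CFLAGS. The file
# defines two C string macros: the configure arguments and the global
# preprocessor/compiler flags. Reproducible builds remove the file instead,
# so this host-specific text never reaches the build.
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
then
    # Backslashes and double quotes are escaped so the text is a valid C
    # string literal. printf '%s' is used rather than echo: some shells' echo
    # interprets backslash sequences, which would undo the escaping applied
    # here or inject a line break into the #define.
    # NOTE(review): an argument containing a literal newline would still end
    # the #define early -- not handled here.
    ESCAPED_ARGS=$(printf '%s\n' "$ac_configure_args" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
    ESCAPED_GLOBAL_CFLAGS=$(printf '%s\n' "$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
    {
        printf '#define LIBWOLFSSL_CONFIGURE_ARGS "%s"\n' "$ESCAPED_ARGS" &&
        printf '#define LIBWOLFSSL_GLOBAL_CFLAGS "%s" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS\n' "$ESCAPED_GLOBAL_CFLAGS"
    } > "${output_objdir}/.build_params" ||
        AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.])
else
    rm -f "${output_objdir}/.build_params"
fi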
12464
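# generate user options header
#
# wolfssl/options.h records every -D and -U flag the library is built with,
# so an application that includes it compiles the wolfSSL headers with the
# same feature macros as the library.
#
# Caveats visible in this code:
#   - the flag variables are word-split, so a -D value containing whitespace
#     is seen as several separate words;
#   - words that do not start with -D or -U are not recorded;
#   - NDEBUG and DEBUG are deliberately left out of the header.
AC_MSG_NOTICE([---])
AC_MSG_NOTICE([Generating user options header...])

OPTION_FILE="wolfssl/options.h"
rm -f "$OPTION_FILE"

# Fixed preamble. The here-document delimiter is quoted, so the shell expands
# nothing inside it.
cat > "$OPTION_FILE" <<'EOF'
/* wolfssl options.h
 * generated from configure options
 *
 * Copyright (C) 2006-2026 wolfSSL Inc.
 *
 * This file is part of wolfSSL. (formerly known as CyaSSL)
 *
 */

#ifdef WOLFSSL_NO_OPTIONS_H
/* options.h inhibited by configuration */
#elif !defined(WOLFSSL_OPTIONS_H)
#define WOLFSSL_OPTIONS_H


#ifdef __cplusplus
extern "C" {
#endif

EOF

# The flag type is matched on the first two characters with a case pattern,
# so no external colrm/cut is needed. printf '%s' with quoted arguments is
# used instead of echo so a flag is passed on verbatim: no pathname expansion
# and no shell-dependent backslash or option handling.
for option in $AM_CPPFLAGS $CPPFLAGS $AM_CFLAGS $CFLAGS; do
    case "$option" in
    -D*)
        option=$(printf '%s\n' "$option" | tr -d '\\')
        RHS_only=$(printf '%s\n' "$option" | sed 's/^-D//')
        # Only the first "=" separates the macro name from its value; any
        # further "=" belongs to the value and is kept as is.
        noequalsign=$(printf '%s\n' "$RHS_only" | sed 's/=/ /')
        if test "$noequalsign" = "NDEBUG" || test "$noequalsign" = "DEBUG"
        then
            if test "$verbose" = "yes"; then
                AC_MSG_NOTICE([not outputting (N)DEBUG to $OPTION_FILE])
            fi
            continue
        fi

        # allow user to ignore system options
        ignoresys=$(printf '%s\n' "$noequalsign" | grep '^_.*')

        # note need to use both autotools-style [] quoting and shell-style ''
        # quoting for sed script with [] character set expression here.
        noarg=$(printf '%s\n' "$RHS_only" | sed ['s/\(([^=)]*)\)\{0,1\}=.*//'])

        {
            # Macros whose name starts with an underscore are wrapped so the
            # application can opt out of them.
            if test -n "$ignoresys"
            then
                printf '%s\n' "#ifndef WOLFSSL_OPTIONS_IGNORE_SYS"
            fi
            printf '%s\n' "#undef $noarg"
            printf '%s\n' "#define $noequalsign"
            if test -n "$ignoresys"
            then
                printf '%s\n' "#endif"
            fi
            printf '\n'
        } >> "$OPTION_FILE"
        ;;
    -U*)
        RHS_only=$(printf '%s\n' "$option" | sed 's/^-U//')
        {
            printf '%s\n' "#undef $RHS_only"
            printf '\n'
        } >> "$OPTION_FILE"
        ;;
    *)
        if test "$verbose" = "yes"; then
            AC_MSG_NOTICE([option "$option" is not a preprocessor directive -- not saving to $OPTION_FILE])
        fi
        ;;
    esac
done

# Fixed trailer closing the extern "C" block and the include guard.
cat >> "$OPTION_FILE" <<'EOF'

#ifdef __cplusplus
}
#endif


#endif /* WOLFSSL_OPTIONS_H */

EOF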
12559
# Generate the debug-trace error-code header unless the feature is explicitly
# set to "no"; an unset variable therefore also runs the generator. The script
# is invoked by a path relative to the current directory.
AS_IF([test "$ENABLED_DEBUG_TRACE_ERRCODES" != "no"], [
    support/gen-debug-trace-error-codes.sh ||
        AC_MSG_ERROR([Header generation for debug-trace-errcodes failed.])
])
12564
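# Consistency check for the OpenSSL compatibility layer: every header under
# wolfssl/openssl/ must compile when preceded by the options.h generated
# above. A failure means the configured feature set and the headers disagree,
# and configure stops here.
if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "$ENABLED_LINUXKM" = "no"
then
    SAVE_CFLAGS=$CFLAGS
    CFLAGS="$CFLAGS $DEFS -I. -I$srcdir"
    if test "$ENABLED_INTEL_QA" = "yes"
    then
        CFLAGS="$CFLAGS $QAT_FLAGS"
    fi

    # List the headers from inside a subshell so the working directory of
    # configure itself never changes, and stop with a clear message when the
    # source directory cannot be entered instead of globbing in the wrong
    # place.
    openssl_headers=$(cd "$srcdir" >/dev/null && echo wolfssl/openssl/*.h) ||
        AC_MSG_ERROR([Could not enter $srcdir to list the wolfssl/openssl headers.])

    for header in $openssl_headers
    do
        AC_CHECK_HEADER([$header], [], [
            AC_MSG_ERROR([Header file inconsistency detected -- error including ${header}.])
        ], [
            #include <${OPTION_FILE}>
            extern int dummy_int_to_make_compiler_happy;
        ])
    done
    CFLAGS=$SAVE_CFLAGS
fi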
12588
12589if test "$silent" != "yes"; then
12590
12591# output config summary
12592echo "---"
12593echo "Configuration summary for $PACKAGE_NAME version $VERSION"
12594echo ""
12595echo " * Installation prefix: $prefix"
12596echo " * System type: $host_vendor-$host_os"
12597echo " * Host CPU: $host_cpu"
12598echo " * C Compiler: $CC"
12599echo " * C Flags: $CFLAGS"
12600echo " * C++ Compiler: $CXX"
12601echo " * C++ Flags: $CXXFLAGS"
12602echo " * CPP Flags: $CPPFLAGS"
12603echo " * CCAS Flags: $CCASFLAGS"
12604echo " * LD Flags: $LDFLAGS"
12605echo " * LIB Flags: $LIB"
12606echo " * Library Suffix: $LIBSUFFIX"
12607
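# Kernel-related summary lines. Each section is printed on its own condition.
# Previously the kernel-mode lines ended in a dangling "&&", which chained the
# Linux section to them: the Linux kernel details were printed only when
# HAVE_KERNEL_MODE was also "yes".
if test "$HAVE_KERNEL_MODE" = "yes"; then
    echo " * Kernel mode: $HAVE_KERNEL_MODE"
    echo " * Kernel mode defaults: $KERNEL_MODE_DEFAULTS"
fi

if test "$ENABLED_LINUXKM" = "yes"; then
    echo " * Linux Kernel Build Root: $KERNEL_ROOT"
    echo " * Linux Kernel Build Arch: $KERNEL_ARCH"
    echo " * fpu disable C flags: $CFLAGS_FPU_DISABLE"
    echo " * fpu enable C flags: $CFLAGS_FPU_ENABLE"
    echo " * SIMD disable C flags: $CFLAGS_SIMD_DISABLE"
    echo " * SIMD enable C flags: $CFLAGS_SIMD_ENABLE"
    echo " * No-auto-vectorize C flags: $CFLAGS_AUTO_VECTORIZE_DISABLE"
    echo " * Auto-vectorize C flags: $CFLAGS_AUTO_VECTORIZE_ENABLE"
    echo " * SIMD enable as flags: $ASFLAGS_FPU_DISABLE_SIMD_ENABLE"
    echo " * FPU enable as flags: $ASFLAGS_FPU_ENABLE_SIMD_DISABLE"
    echo " * SIMD+FPU disable as flags: $ASFLAGS_FPUSIMD_DISABLE"
    echo " * SIMD+FPU enable as flags: $ASFLAGS_FPUSIMD_ENABLE"
    echo " * Linux kernel module PIE: $ENABLED_LINUXKM_PIE"
fi

if test "$ENABLED_BSDKM" = "yes"; then
    echo " * FreeBSD Kernel Build Root: $KERNEL_ROOT"
fi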
12629
12630echo " * Debug enabled: $ax_enable_debug"
12631echo " * Coverage enabled: $ax_enable_coverage"
12632echo " * Warnings as failure: $ac_cv_warnings_as_errors"
12633echo " * make -j: $enable_jobserver"
12634echo " * VCS checkout: $ac_cv_vcs_checkout"
12635echo
12636echo " Features "
# Experimental settings are reported as Allowed only for an explicit "yes".
case "$ENABLED_EXPERIMENTAL" in
    yes) echo " * Experimental settings: Allowed" ;;
    *)   echo " * Experimental settings: Forbidden" ;;
esac
# With FIPS enabled the selected FIPS version is shown instead of "yes".
case "$ENABLED_FIPS" in
    yes) echo " * FIPS: $FIPS_VERSION" ;;
    *)   echo " * FIPS: $ENABLED_FIPS" ;;
esac
12648echo " * Single threaded: $ENABLED_SINGLETHREADED"
12649echo " * Filesystem: $ENABLED_FILESYSTEM"
12650echo " * OpenSSH Build: $ENABLED_OPENSSH"
12651echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA"
12652echo " * OpenSSL Coexist: $ENABLED_OPENSSLCOEXIST"
12653echo " * Old Names: $ENABLED_OLDNAMES"
12654echo " * Max Strength Build: $ENABLED_MAXSTRENGTH"
12655echo " * Distro Build: $ENABLED_DISTRO"
12656echo " * Reproducible Build: $ENABLED_REPRODUCIBLE_BUILD"
12657echo " * Side-channel Hardening: $ENABLED_HARDEN"
12658
12659echo " * Single Precision Math: $ENABLED_SP"
# Describe the SP math selection: "all" unless SP math all is explicitly
# "no", then "restricted" when plain SP math is enabled, otherwise "no".
if test "$ENABLED_SP_MATH_ALL" != "no"; then
    ENABLED_SP_MATH_DESC="all"
elif test "$ENABLED_SP_MATH" = "yes"; then
    ENABLED_SP_MATH_DESC="restricted"
else
    ENABLED_SP_MATH_DESC="no"
fi
echo " * SP implementation: $ENABLED_SP_MATH_DESC"
12672echo " * Fast Math: $ENABLED_FASTMATH"
12673echo " * Heap Math: $ENABLED_HEAPMATH"
12674echo " * Assembly Allowed: $ENABLED_ASM"
12675echo " * sniffer: $ENABLED_SNIFFER"
12676echo " * snifftest: $ENABLED_SNIFFTEST"
12677echo " * ARC4: $ENABLED_ARC4"
12678echo " * AES: $ENABLED_AES"
12679echo " * AES-NI: $ENABLED_AESNI"
12680echo " * AVX for AES: $ENABLED_AESNI_WITH_AVX"
12681echo " * AES-CBC: $ENABLED_AESCBC"
12682echo " * AES-CBC length checks: $ENABLED_AESCBC_LENGTH_CHECKS"
12683echo " * AES-GCM: $ENABLED_AESGCM"
12684echo " * AES-GCM streaming: $ENABLED_AESGCM_STREAM"
12685echo " * AES-CCM: $ENABLED_AESCCM"
12686echo " * AES-CTR: $ENABLED_AESCTR"
12687echo " * AES-CFB: $ENABLED_AESCFB"
12688echo " * AES-OFB: $ENABLED_AESOFB"
12689echo " * AES-XTS: $ENABLED_AESXTS"
12690echo " * AES-XTS streaming: $ENABLED_AESXTS_STREAM"
12691echo " * AES-SIV: $ENABLED_AESSIV"
12692echo " * AES-EAX: $ENABLED_AESEAX"
12693echo " * AES Bitspliced: $ENABLED_AESBS"
12694echo " * AES Key Wrap: $ENABLED_AESKEYWRAP"
12695echo " * ARIA: $ENABLED_ARIA"
12696echo " * ASCON: $ENABLED_ASCON"
12697echo " * DES3: $ENABLED_DES3"
12698echo " * DES3 TLS Suites: $ENABLED_DES3_TLS_SUITES"
12699echo " * Camellia: $ENABLED_CAMELLIA"
12700echo " * CUDA: $ENABLED_CUDA"
12701echo " * SM4-ECB: $ENABLED_SM4_ECB"
12702echo " * SM4-CBC: $ENABLED_SM4_CBC"
12703echo " * SM4-CTR: $ENABLED_SM4_CTR"
12704echo " * SM4-GCM: $ENABLED_SM4_GCM"
12705echo " * SM4-CCM: $ENABLED_SM4_CCM"
12706echo " * NULL Cipher: $ENABLED_NULL_CIPHER"
12707echo " * MD2: $ENABLED_MD2"
12708echo " * MD4: $ENABLED_MD4"
12709echo " * MD5: $ENABLED_MD5"
12710echo " * RIPEMD: $ENABLED_RIPEMD"
12711echo " * SHA: $ENABLED_SHA"
12712echo " * SHA-224: $ENABLED_SHA224"
12713echo " * SHA-256: $ENABLED_SHA256"
12714echo " * SHA-384: $ENABLED_SHA384"
12715echo " * SHA-512: $ENABLED_SHA512"
12716echo " * SHA3: $ENABLED_SHA3"
12717echo " * SHAKE128: $ENABLED_SHAKE128"
12718echo " * SHAKE256: $ENABLED_SHAKE256"
12719echo " * SM3: $ENABLED_SM3"
12720echo " * BLAKE2B: $ENABLED_BLAKE2B"
12721echo " * BLAKE2S: $ENABLED_BLAKE2S"
12722echo " * SipHash: $ENABLED_SIPHASH"
12723echo " * CMAC: $ENABLED_CMAC"
12724echo " * keygen: $ENABLED_KEYGEN"
12725echo " * acert: $ENABLED_ACERT"
12726echo " * certgen: $ENABLED_CERTGEN"
12727echo " * certreq: $ENABLED_CERTREQ"
12728echo " * certext: $ENABLED_CERTEXT"
12729echo " * certgencache: $ENABLED_certgencache"
12730echo " * CHACHA: $ENABLED_CHACHA"
12731echo " * XCHACHA: $ENABLED_XCHACHA"
12732echo " * Hash DRBG: $ENABLED_HASHDRBG"
12733echo " * SHA-256 Hash DRBG: $ENABLED_SHA256_DRBG"
12734echo " * SHA-512 Hash DRBG: $ENABLED_SHA512_DRBG"
12735echo " * MmemUse Entropy:"
12736echo " * (AKA: wolfEntropy): $ENABLED_ENTROPY_MEMUSE"
12737echo " * PWDBASED: $ENABLED_PWDBASED"
12738echo " * Encrypted keys: $ENABLED_ENCKEYS"
12739echo " * scrypt: $ENABLED_SCRYPT"
12740echo " * wolfCrypt Only: $ENABLED_CRYPTONLY"
12741echo " * HKDF: $ENABLED_HKDF"
12742echo " * HPKE: $ENABLED_HPKE"
12743echo " * X9.63 KDF: $ENABLED_X963KDF"
12744echo " * SRTP-KDF: $ENABLED_SRTP_KDF"
12745echo " * PSK: $ENABLED_PSK"
12746echo " * Poly1305: $ENABLED_POLY1305"
12747echo " * LEANPSK: $ENABLED_LEANPSK"
12748echo " * LEANTLS: $ENABLED_LEANTLS"
12749echo " * RSA: $ENABLED_RSA"
12750echo " * RSA-PSS: $ENABLED_RSAPSS"
12751echo " * DSA: $ENABLED_DSA"
12752echo " * DH: $ENABLED_DH"
12753echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS"
12754echo " * ECC: $ENABLED_ECC"
12755echo " * ECC Custom Curves: $ENABLED_ECCCUSTCURVES"
12756echo " * ECC Minimum Bits: $ENABLED_ECCMINSZ"
12757echo " * FPECC: $ENABLED_FPECC"
12758echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT"
12759echo " * Brainpool: $ENABLED_BRAINPOOL"
12760echo " * SM2: $ENABLED_SM2"
12761echo " * CURVE25519: $ENABLED_CURVE25519"
12762echo " * ED25519: $ENABLED_ED25519"
12763echo " * ED25519 streaming: $ENABLED_ED25519_STREAM"
12764echo " * CURVE448: $ENABLED_CURVE448"
12765echo " * ED448: $ENABLED_ED448"
12766echo " * ED448 streaming: $ENABLED_ED448_STREAM"
12767echo " * LMS: $ENABLED_LMS"
12768echo " * XMSS: $ENABLED_XMSS"
12769echo " * SLH-DSA $ENABLED_SLHDSA"
12770echo " * MLKEM: $ENABLED_MLKEM"
12771echo " * DILITHIUM: $ENABLED_DILITHIUM"
12772echo " * ECCSI $ENABLED_ECCSI"
12773echo " * SAKKE $ENABLED_SAKKE"
12774echo " * ASN: $ENABLED_ASN"
12775echo " * Anonymous cipher: $ENABLED_ANON"
12776echo " * CODING: $ENABLED_CODING"
12777echo " * MEMORY: $ENABLED_MEMORY"
12778echo " * I/O POOL: $ENABLED_IOPOOL"
12779echo " * wolfSentry: $ENABLED_WOLFSENTRY"
12780echo " * LIGHTY: $ENABLED_LIGHTY"
12781echo " * WPA Supplicant: $ENABLED_WPAS"
12782echo " * HAPROXY: $ENABLED_HAPROXY"
12783echo " * STUNNEL: $ENABLED_STUNNEL"
12784echo " * tcpdump: $ENABLED_TCPDUMP"
12785echo " * libssh2: $ENABLED_LIBSSH2"
12786echo " * ntp: $ENABLED_NTP"
12787echo " * rsyslog: $ENABLED_RSYSLOG"
12788echo " * Apache httpd: $ENABLED_APACHE_HTTPD"
12789echo " * NGINX: $ENABLED_NGINX"
12790echo " * OpenResty: $ENABLED_OPENRESTY"
12791echo " * ASIO: $ENABLED_ASIO"
12792echo " * LIBWEBSOCKETS: $ENABLED_LIBWEBSOCKETS"
12793echo " * Qt: $ENABLED_QT"
12794echo " * Qt Unit Testing: $ENABLED_QT_TEST"
12795echo " * SIGNAL: $ENABLED_SIGNAL"
12796echo " * chrony: $ENABLED_CHRONY"
12797echo " * strongSwan: $ENABLED_STRONGSWAN"
12798echo " * OpenLDAP: $ENABLED_OPENLDAP"
12799echo " * hitch: $ENABLED_HITCH"
12800echo " * memcached: $ENABLED_MEMCACHED"
12801echo " * Mosquitto $ENABLED_MOSQUITTO"
12802echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
12803echo " * DTLS: $ENABLED_DTLS"
12804echo " * DTLS v1.3: $ENABLED_DTLS13"
12805echo " * SCTP: $ENABLED_SCTP"
12806echo " * SRTP: $ENABLED_SRTP"
12807echo " * Indefinite Length: $ENABLED_BER_INDEF"
12808echo " * Multicast: $ENABLED_MCAST"
12809echo " * SSL v3.0 (Old): $ENABLED_SSLV3"
12810echo " * TLS v1.0 (Old): $ENABLED_TLSV10"
12811echo " * TLS v1.1 (Old): $ENABLED_OLD_TLS"
12812echo " * TLS v1.2: $ENABLED_TLSV12"
12813echo " * TLS v1.3: $ENABLED_TLS13"
12814echo " * RPK: $ENABLED_RPK"
12815echo " * Post-handshake Auth: $ENABLED_TLS13_POST_AUTH"
12816echo " * Early Data: $ENABLED_TLS13_EARLY_DATA"
12817echo " * QUIC: $ENABLED_QUIC"
12818echo " * Send State in HRR Cookie: $ENABLED_SEND_HRR_COOKIE"
12819echo " * OCSP: $ENABLED_OCSP"
12820echo " * OCSP Stapling: $ENABLED_CERTIFICATE_STATUS_REQUEST"
12821echo " * OCSP Stapling v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2"
12822echo " * CRL: $ENABLED_CRL"
12823echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR"
12824echo " * Persistent session cache: $ENABLED_SAVESESSION"
12825echo " * Persistent cert cache: $ENABLED_SAVECERT"
12826echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
12827echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
12828echo " * liboqs: $ENABLED_LIBOQS"
12829echo " * Falcon (via liboqs): $ENABLED_FALCON"
12830echo " * Whitewood netRandom: $ENABLED_WNR"
12831echo " * Server Name Indication: $ENABLED_SNI"
12832echo " * ALPN: $ENABLED_ALPN"
12833echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
12834echo " * Trusted CA Indication: $ENABLED_TRUSTED_CA"
12835echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
12836echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES"
12837echo " * FFDHE only in client: $ENABLED_FFDHE_ONLY"
12838echo " * Session Ticket: $ENABLED_SESSION_TICKET"
12839echo " * Extended Master Secret: $ENABLED_EXTENDED_MASTER"
12840echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
12841echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
12842echo " * Fallback SCSV: $ENABLED_FALLBACK_SCSV"
12843echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL"
12844echo " * All TLS Extensions: $ENABLED_TLSX"
12845echo " * S/MIME: $ENABLED_SMIME"
12846echo " * PKCS#7: $ENABLED_PKCS7"
12847echo " * PKCS#8: $ENABLED_PKCS8"
12848echo " * PKCS#11: $ENABLED_PKCS11"
12849echo " * PKCS#12: $ENABLED_PKCS12"
12850echo " * wolfSSH: $ENABLED_WOLFSSH"
12851echo " * wolfEngine: $ENABLED_WOLFENGINE"
12852echo " * wolfTPM: $ENABLED_WOLFTPM"
12853echo " * wolfCLU: $ENABLED_WOLFCLU"
12854echo " * wolfSCEP: $ENABLED_WOLFSCEP"
12855echo " * Secure Remote Password: $ENABLED_SRP"
12856echo " * Small Stack: $ENABLED_SMALL_STACK"
12857echo " * Linux Kernel Module: $ENABLED_LINUXKM"
12858
12859test "$ENABLED_LINUXKM" = "yes" && \
12860echo " * Linux kernel module bench: $ENABLED_KERNEL_BENCHMARKS" && \
12861echo " * Linux kernel alg register: $ENABLED_LINUXKM_LKCAPI_REGISTER"
12862
12863echo " * valgrind unit tests: $ENABLED_VALGRIND"
12864echo " * LIBZ: $ENABLED_LIBZ"
12865echo " * Examples: $ENABLED_EXAMPLES"
12866echo " * Crypt tests: $ENABLED_CRYPT_TESTS"
12867echo " * Stack sizes in tests: $ENABLED_STACKSIZE"
12868echo " * Heap stats in tests: $ENABLED_TRACKMEMORY"
12869echo " * Asynchronous Crypto: $ENABLED_ASYNCCRYPT"
12870echo " * Asynchronous Crypto (sim): $ENABLED_ASYNCCRYPT_SW"
12871echo " * Cavium Nitrox: $ENABLED_CAVIUM"
12872echo " * Cavium Octeon (Sync): $ENABLED_OCTEON_SYNC"
12873echo " * Intel Quick Assist: $ENABLED_INTEL_QA"
# For display only: an inline-C assembly selection replaces the plain value.
case "$ENABLED_ARMASM_INLINE" in
    yes) ENABLED_ARMASM="inline C" ;;
esac
echo " * ARM ASM: $ENABLED_ARMASM"
echo " * ARM ASM SHA512/SHA3 Crypto $ENABLED_ARMASM_SHA3"
echo " * ARM ASM SM3/SM4 Crypto $ENABLED_ARMASM_CRYPTO_SM4"
echo " * RISC-V ASM $ENABLED_RISCV_ASM"
# The register variant takes precedence over plain inline C when both are set.
if test "$ENABLED_PPC32_ASM_INLINE_REG" = "yes"; then
    ENABLED_PPC32_ASM="inline C Reg"
elif test "$ENABLED_PPC32_ASM_INLINE" = "yes"; then
    ENABLED_PPC32_ASM="inline C"
fi
echo " * PPC32 ASM $ENABLED_PPC32_ASM"
12891echo " * Write duplicate: $ENABLED_WRITEDUP"
12892echo " * Xilinx Hardware Acc.: $ENABLED_XILINX"
12893echo " * C89: $ENABLED_C89"
12894echo " * Inline Code: $ENABLED_INLINE"
12895echo " * Linux AF_ALG: $ENABLED_AFALG"
12896echo " * Linux KCAPI: $ENABLED_KCAPI"
12897echo " * Linux devcrypto: $ENABLED_DEVCRYPTO"
12898echo " * PK callbacks: $ENABLED_PKCALLBACKS"
12899echo " * Crypto callbacks: $ENABLED_CRYPTOCB"
12900echo " * i.MX CAAM: $ENABLED_CAAM"
12901echo " * IoT-Safe: $ENABLED_IOTSAFE"
12902echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG"
12903echo " * NXP SE050: $ENABLED_SE050"
12904echo " * STMicro STSAFE: $ENABLED_STSAFE"
12905echo " * TROPIC01: $ENABLED_TROPIC01"
12906echo " * Maxim Integrated MAXQ10XX: $ENABLED_MAXQ10XX"
12907echo " * PSA: $ENABLED_PSA"
12908echo " * System CA certs: $ENABLED_SYS_CA_CERTS"
12909echo " * Dual alg cert support: $ENABLED_DUAL_ALG_CERTS"
12910echo " * ERR Queues per Thread: $ENABLED_ERRORQUEUEPERTHREAD"
12911echo " * rwlock: $ENABLED_RWLOCK"
12912echo " * keylog export: $ENABLED_KEYLOG_EXPORT"
12913echo " * AutoSAR : $ENABLED_AUTOSAR"
12914echo " * ML-KEM standalone: $ENABLED_MLKEM_STANDALONE"
12915echo " * PQ/T hybrids: $ENABLED_PQC_HYBRIDS"
12916echo " * Extra PQ/T hybrids: $ENABLED_EXTRA_PQC_HYBRIDS"
12917echo " * PUF: $ENABLED_PUF"
12918echo ""
12919echo "---"
12920
12921echo "./configure flags: $(./config.status --config)"
12922
12923fi # $silent != yes
12924
12925################################################################################
12926# Show warnings at bottom so they are noticed
12927################################################################################
12928
12929# MinGW static vs shared library
12930# Reference URL from libtool for MinGW is located at
12931# http://www.gnu.org/software/libtool/manual/libtool.html#Cygwin-to-MinGW-Cross
12932# this allows for not even having dllimport/dllexport on functions
12933# with recent libtools, only requiring it with global variables.
12934#
12935# The following warning is displayed here because if not using "contemporary GNU
12936# tools" there is the possibility of export/import issues.
12937# wolfSSL uses __declspec(dllexport) and "contemporary GNU tools" handle the
12938# case where both static and shared libraries are built.
12939#
12940# More can be found about the MinGW linker at
12941# https://sourceware.org/binutils/docs/ld/WIN32.html
# Printed after the summary so the warning is not scrolled out of view.
AS_IF([test "$MINGW_LIB_WARNING" = "yes"], [
    AC_MSG_WARN([Building with shared and static library at the same time on this system may cause export/import problems when using non contemporary GNU tools.])
])
12946
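# Sanity check: the maximum ECC size must not be below the configured minimum.
if test -n "$WITH_MAX_ECC_BITS"; then
    # test(1) reports an error, not "true", when an operand of -lt is not an
    # integer, so a malformed value would skip the comparison below and
    # configure would carry on. Reject it explicitly so the check fails
    # closed.
    test "$WITH_MAX_ECC_BITS" -eq "$WITH_MAX_ECC_BITS" 2>/dev/null ||
        AC_MSG_ERROR([--with-max-ecc-bits argument ($WITH_MAX_ECC_BITS) must be an integer])

    # NOTE(review): ENABLED_ECCMINSZ is assumed to be numeric whenever this
    # option is given -- confirm where it is set.
    # The message says "must not be less than" because equal values pass.
    if test "$WITH_MAX_ECC_BITS" -lt "$ENABLED_ECCMINSZ"; then
        AC_MSG_ERROR([--with-max-ecc-bits argument ($WITH_MAX_ECC_BITS) must not be less than --with-eccminsz argument ($ENABLED_ECCMINSZ)])
    fi
fi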
12952
# Closing reminder, suppressed in silent mode: the application has to see the
# generated options.h before any other wolfSSL header so that it is compiled
# with the same feature macros as the library.
if test "$silent" != "yes"; then
    printf '%s\n' \
        "---" \
        "Note: Make sure your application includes \"wolfssl/options.h\" before any other wolfSSL headers." \
        " You can define \"WOLFSSL_USE_OPTIONS_H\" in your application to include this automatically."
fi