Check-in [124d881bb0]
Overview
Comment:Added options to disable TLS protocols
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | TEA
Files: files | file ages | folders
SHA3-256: 124d881bb04fc507e5916f6a9fabdea160e66af9a7266313174c39ce477d47fe
User & Date: bohagan on 2023-05-07 17:48:19
Other Links: branch diff | manifest | tags
Context
2023-05-07
19:09
Fixed detect shared library in pkgIndex.tcl file check-in: 515e670c81 user: bohagan tags: TEA
17:48
Added options to disable TLS protocols check-in: 124d881bb0 user: bohagan tags: TEA
16:51
Fixed make dist check-in: a8bd1bb16d user: bohagan tags: TEA
Changes

Modified acinclude.m4 from [e14d0ef841] to [5705bd6f8e].

80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
	else
		AC_MSG_RESULT([cant])

		$5
	fi
])

AC_DEFUN([TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER], [
	dnl Determine if particular SSL version is enabled
	if test "[$]$1" = "true" -o "[$]$1" = "force"; then
		proto_check='true'
		ifelse($5,, [
			AC_CHECK_FUNC($2,, [
				proto_check='false'
			])
		], [
			AC_LANG_PUSH(C)
			AC_MSG_CHECKING([for $3 protocol support])
			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>
#include <openssl/opensslv.h>
#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
# include <openssl/conf.h>
#endif
			], [
int x = $5;
			])], [
				AC_MSG_RESULT([yes])
			], [
				AC_MSG_RESULT([no])

				proto_check='false'
			])
			AC_LANG_POP([C])
		])

		if test "$proto_check" = 'false'; then
			if test "[$]$1" = "force"; then
				AC_MSG_ERROR([Unable to enable $3])
			fi

			$1='false'
		fi
	fi

	if test "[$]$1" = "false"; then
		AC_DEFINE($4, [1], [Define this to disable $3 in OpenSSL support])
	fi

])

AC_DEFUN([TCLTLS_SSL_OPENSSL], [
	openssldir=''
	opensslpkgconfigdir=''
	AC_ARG_WITH([openssl-dir],
		AS_HELP_STRING(
			[--with-openssl-dir=<dir>],
			[path to root directory of OpenSSL or LibreSSL installation]







<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<







80
81
82
83
84
85
86












































87
88
89
90
91
92
93
	else
		AC_MSG_RESULT([cant])

		$5
	fi
])













































AC_DEFUN([TCLTLS_SSL_OPENSSL], [
	openssldir=''
	opensslpkgconfigdir=''
	AC_ARG_WITH([openssl-dir],
		AS_HELP_STRING(
			[--with-openssl-dir=<dir>],
			[path to root directory of OpenSSL or LibreSSL installation]
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
						;;
				esac
			done
			SHOBJ_DO_STATIC_LINK_LIB([OpenSSL], [$new_TCLTLS_SSL_LIBS_static], [new_TCLTLS_SSL_LIBS_static])
			TCLTLS_SSL_LIBS="${new_TCLTLS_SSL_LIBS_normal} ${new_TCLTLS_SSL_LIBS_static}"
		fi
	fi

	dnl Save compile-altering variables we are changing
	SAVE_LIBS="${LIBS}"
	SAVE_CFLAGS="${CFLAGS}"
	SAVE_CPPFLAGS="${CPPFLAGS}"

	dnl Update compile-altering variables to include the OpenSSL libraries
	LIBS="${TCLTLS_SSL_LIBS} ${SAVE_LIBS} ${TCLTLS_SSL_LIBS}"
	CFLAGS="${TCLTLS_SSL_CFLAGS} ${SAVE_CFLAGS} ${TCLTLS_SSL_CFLAGS}"
	CPPFLAGS="${TCLTLS_SSL_CPPFLAGS} ${SAVE_CPPFLAGS} ${TCLTLS_SSL_CPPFLAGS}"

	dnl Verify that basic functionality is there
	AC_LANG_PUSH(C)
	AC_MSG_CHECKING([if a basic OpenSSL program works])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>
#include <openssl/opensslv.h>
#include <openssl/conf.h>
		], [
  SSL_library_init();
  SSL_load_error_strings();
		])], [
		AC_MSG_RESULT([yes])
	], [
		AC_MSG_RESULT([no])
		AC_MSG_ERROR([Unable to compile a basic program using OpenSSL])
	])
	AC_LANG_POP([C])

	AC_CHECK_FUNCS([TLS_method])
	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2])
	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3])
	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1])
	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1])
	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2])
	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [], [tlsv1.3], [NO_TLS1_3], [SSL_OP_NO_TLSv1_3])

	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
		AC_LANG_PUSH(C)
		AC_MSG_CHECKING([for SSL_set_tlsext_host_name])
		AC_LINK_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>
#include <openssl/conf.h>
			], [
  (void)SSL_set_tlsext_host_name((void *) 0, (void *) 0);
			])], [
			AC_MSG_RESULT([yes])
			tcltls_cv_func_tlsext_hostname='yes'
		], [
			AC_MSG_RESULT([no])
			tcltls_cv_func_tlsext_hostname='no'
		])
		AC_LANG_POP([C])
	])

	if test "$tcltls_cv_func_tlsext_hostname" = 'no'; then
		AC_DEFINE([OPENSSL_NO_TLSEXT], [1], [Define this if your OpenSSL does not support the TLS Extension for SNI])
	fi

	dnl Restore compile-altering variables
	LIBS="${SAVE_LIBS}"
	CFLAGS="${SAVE_CFLAGS}"
	CPPFLAGS="${SAVE_CPPFLAGS}"
])







<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
176
177
178
179
180
181
182


























183





































						;;
				esac
			done
			SHOBJ_DO_STATIC_LINK_LIB([OpenSSL], [$new_TCLTLS_SSL_LIBS_static], [new_TCLTLS_SSL_LIBS_static])
			TCLTLS_SSL_LIBS="${new_TCLTLS_SSL_LIBS_normal} ${new_TCLTLS_SSL_LIBS_static}"
		fi
	fi


























])





































Modified configure from [bffda83e56] to [60bb9afd54].

782
783
784
785
786
787
788




789
790
791
792
793
794
795
enable_stubs
enable_64bit
enable_64bit_vis
enable_rpath
enable_symbols
with_openssl_dir
with_openssl_pkgconfig




enable_deterministic
with_builtin_dh_params_size
enable_ssl_fastpath
enable_static_ssl
enable_hardening
'
      ac_precious_vars='build_alias







>
>
>
>







782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
enable_stubs
enable_64bit
enable_64bit_vis
enable_rpath
enable_symbols
with_openssl_dir
with_openssl_pkgconfig
enable_tls1
enable_tls1_1
enable_tls1_2
enable_tls1_3
enable_deterministic
with_builtin_dh_params_size
enable_ssl_fastpath
enable_static_ssl
enable_hardening
'
      ac_precious_vars='build_alias
1426
1427
1428
1429
1430
1431
1432




1433
1434
1435
1436
1437
1438
1439
  --enable-shared         build and link with shared libraries (default: on)
  --enable-stubs          build and link with stub libraries. Always true for
                          shared builds (default: on)
  --enable-64bit          enable 64bit support (default: off)
  --enable-64bit-vis      enable 64bit Sparc VIS support (default: off)
  --disable-rpath         disable rpath support (default: on)
  --enable-symbols        build with debugging symbols (default: off)




  --enable-deterministic  enable deterministic parameters
  --enable-ssl-fastpath   enable using the underlying file descriptor for
                          talking directly to the SSL library
  --enable-static-ssl     enable statically linking to the specified SSL
                          library
  --disable-hardening     disable hardening attempts








>
>
>
>







1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
  --enable-shared         build and link with shared libraries (default: on)
  --enable-stubs          build and link with stub libraries. Always true for
                          shared builds (default: on)
  --enable-64bit          enable 64bit support (default: off)
  --enable-64bit-vis      enable 64bit Sparc VIS support (default: off)
  --disable-rpath         disable rpath support (default: on)
  --enable-symbols        build with debugging symbols (default: off)
  --disable-tls1          disable TLS1 support
  --disable-tls1_1        disable TLS1.1 support
  --disable-tls1_2        disable TLS1.2 support
  --disable-tls1_3        disable TLS1.3 support
  --enable-deterministic  enable deterministic parameters
  --enable-ssl-fastpath   enable using the underlying file descriptor for
                          talking directly to the SSL library
  --enable-static-ssl     enable statically linking to the specified SSL
                          library
  --disable-hardening     disable hardening attempts

5363
5364
5365
5366
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
 case $ac_cv_c_bigendian in #(
   yes)
     printf "%s\n" "#define WORDS_BIGENDIAN 1" >>confdefs.h
;; #(
   no)
      ;; #(
   universal)

printf "%s\n" "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h

     ;; #(
   *)
     as_fn_error $? "unknown endianness
 presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
 esac









|
<
<







5371
5372
5373
5374
5375
5376
5377
5378


5379
5380
5381
5382
5383
5384
5385
 case $ac_cv_c_bigendian in #(
   yes)
     printf "%s\n" "#define WORDS_BIGENDIAN 1" >>confdefs.h
;; #(
   no)
      ;; #(
   universal)
     #


     ;; #(
   *)
     as_fn_error $? "unknown endianness
 presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
 esac


8912
8913
8914
8915
8916
8917
8918


8919
8920
8921
8922
8923
8924
8925
#--------------------------------------------------------------------
# If the variable OPENSSL is set, we will build with the OpenSSL
# libraries.  If it is not set, then we will use RSA BSAFE SSL-C
# libraries instead of the default OpenSSL libaries.
#--------------------------------------------------------------------

OPENSSL="1"




	openssldir=''
	opensslpkgconfigdir=''

# Check whether --with-openssl-dir was given.
if test ${with_openssl_dir+y}







>
>







8918
8919
8920
8921
8922
8923
8924
8925
8926
8927
8928
8929
8930
8931
8932
8933
#--------------------------------------------------------------------
# If the variable OPENSSL is set, we will build with the OpenSSL
# libraries.  If it is not set, then we will use RSA BSAFE SSL-C
# libraries instead of the default OpenSSL libaries.
#--------------------------------------------------------------------

OPENSSL="1"
OPENSSL="1"



	openssldir=''
	opensslpkgconfigdir=''

# Check whether --with-openssl-dir was given.
if test ${with_openssl_dir+y}
9004
9005
9006
9007
9008
9009
9010
9011
9012
9013
9014
9015
9016
9017
9018
9019
9020
9021
9022
9023
9024
9025
9026
9027
9028
9029
9030
9031
9032
9033
9034
9035
9036
9037
9038
9039
9040
9041
9042
9043
9044
9045
9046
9047
9048
9049
9050
9051
9052
9053
9054
9055
9056
9057
9058
9059
9060
9061
9062
9063
9064
9065
9066
9067
9068
9069
9070
9071
9072
9073
9074
9075
9076
9077
9078
9079
9080
9081
9082
9083
9084
9085
9086
9087
9088
9089
9090
9091
9092
9093
9094
9095
9096
9097
9098
9099
9100
9101
9102
9103
9104
9105
9106
9107
9108
9109
9110
9111
9112
9113
9114
9115
9116
9117
9118
9119
9120
9121
9122
9123
9124
9125
9126
9127
9128
9129
9130
9131
9132
9133
9134
9135
9136
9137
9138
9139
9140
9141
9142
9143
9144
9145
9146
9147
9148
9149
9150
9151
9152
9153
9154
9155
9156
9157
9158
9159
9160
9161
9162
9163
9164
9165
9166
9167
9168
9169
9170
9171
9172
9173
9174
9175
9176
9177
9178
9179
9180
9181
9182
9183
9184
9185
9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197
9198
9199
9200
9201
9202
9203
9204
9205
9206
9207
9208
9209
9210
9211
9212
9213
9214
9215
9216
9217
9218
9219
9220
9221
9222
9223
9224
9225
9226
9227
9228
9229
9230
9231
9232
9233
9234
9235
9236
9237
9238
9239
9240
9241
9242
9243
9244
9245
9246
9247
9248
9249
9250
9251
9252
9253
9254
9255
9256
9257
9258
9259
9260
9261
9262
9263
9264
9265
9266
9267
9268
9269
9270
9271
9272
9273
9274
9275
9276
9277
9278
9279
9280
9281
9282
9283
9284
9285
9286
9287
9288
9289
9290
9291
9292
9293
9294
9295
9296
9297
9298
9299
9300
9301
9302
9303

9304
9305
9306
9307
9308
9309

9310









9311

9312





9313


9314
9315


9316
9317

9318
9319



9320

9321


9322











9323
9324
9325
9326
9327
9328
9329
	PKG_CONFIG_PATH="${PKG_CONFIG_PATH_SAVE}"

	if test "$TCLEXT_BUILD" = "static"; then
				rm -f tcltls.${AREXT}.linkadd
		printf "%s\n" "$TCLTLS_SSL_LIBS" > tcltls.${AREXT}.linkadd
	fi


rm -f core conftest.err conftest.$ac_objext conftest.beam \
    conftest$ac_exeext conftest.$ac_ext
	ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu


	ac_fn_c_check_func "$LINENO" "TLS_method" "ac_cv_func_TLS_method"
if test "x$ac_cv_func_TLS_method" = xyes
then :
  printf "%s\n" "#define HAVE_TLS_METHOD 1" >>confdefs.h

fi


		if test "$tcltls_ssl_ssl2" = "true" -o "$tcltls_ssl_ssl2" = "force"; then
		proto_check='true'

			ac_fn_c_check_func "$LINENO" "SSLv2_method" "ac_cv_func_SSLv2_method"
if test "x$ac_cv_func_SSLv2_method" = xyes
then :

else $as_nop

				proto_check='false'

fi



		if test "$proto_check" = 'false'; then
			if test "$tcltls_ssl_ssl2" = "force"; then
				as_fn_error $? "Unable to enable sslv2" "$LINENO" 5
			fi

			tcltls_ssl_ssl2='false'
		fi
	fi

	if test "$tcltls_ssl_ssl2" = "false"; then

printf "%s\n" "#define NO_SSL2 1" >>confdefs.h

	fi



		if test "$tcltls_ssl_ssl3" = "true" -o "$tcltls_ssl_ssl3" = "force"; then
		proto_check='true'

			ac_fn_c_check_func "$LINENO" "SSLv3_method" "ac_cv_func_SSLv3_method"
if test "x$ac_cv_func_SSLv3_method" = xyes
then :

else $as_nop

				proto_check='false'

fi



		if test "$proto_check" = 'false'; then
			if test "$tcltls_ssl_ssl3" = "force"; then
				as_fn_error $? "Unable to enable sslv3" "$LINENO" 5
			fi

			tcltls_ssl_ssl3='false'
		fi
	fi

	if test "$tcltls_ssl_ssl3" = "false"; then

printf "%s\n" "#define NO_SSL3 1" >>confdefs.h

	fi



		if test "$tcltls_ssl_tls1_0" = "true" -o "$tcltls_ssl_tls1_0" = "force"; then
		proto_check='true'

			ac_fn_c_check_func "$LINENO" "TLSv1_method" "ac_cv_func_TLSv1_method"
if test "x$ac_cv_func_TLSv1_method" = xyes
then :

else $as_nop

				proto_check='false'

fi



		if test "$proto_check" = 'false'; then
			if test "$tcltls_ssl_tls1_0" = "force"; then
				as_fn_error $? "Unable to enable tlsv1.0" "$LINENO" 5
			fi

			tcltls_ssl_tls1_0='false'
		fi
	fi

	if test "$tcltls_ssl_tls1_0" = "false"; then

printf "%s\n" "#define NO_TLS1 1" >>confdefs.h

	fi



		if test "$tcltls_ssl_tls1_1" = "true" -o "$tcltls_ssl_tls1_1" = "force"; then
		proto_check='true'

			ac_fn_c_check_func "$LINENO" "TLSv1_1_method" "ac_cv_func_TLSv1_1_method"
if test "x$ac_cv_func_TLSv1_1_method" = xyes
then :

else $as_nop

				proto_check='false'

fi



		if test "$proto_check" = 'false'; then
			if test "$tcltls_ssl_tls1_1" = "force"; then
				as_fn_error $? "Unable to enable tlsv1.1" "$LINENO" 5
			fi

			tcltls_ssl_tls1_1='false'
		fi
	fi

	if test "$tcltls_ssl_tls1_1" = "false"; then

printf "%s\n" "#define NO_TLS1_1 1" >>confdefs.h

	fi



		if test "$tcltls_ssl_tls1_2" = "true" -o "$tcltls_ssl_tls1_2" = "force"; then
		proto_check='true'

			ac_fn_c_check_func "$LINENO" "TLSv1_2_method" "ac_cv_func_TLSv1_2_method"
if test "x$ac_cv_func_TLSv1_2_method" = xyes
then :

else $as_nop

				proto_check='false'

fi



		if test "$proto_check" = 'false'; then
			if test "$tcltls_ssl_tls1_2" = "force"; then
				as_fn_error $? "Unable to enable tlsv1.2" "$LINENO" 5
			fi

			tcltls_ssl_tls1_2='false'
		fi
	fi

	if test "$tcltls_ssl_tls1_2" = "false"; then

printf "%s\n" "#define NO_TLS1_2 1" >>confdefs.h

	fi



		if test "$tcltls_ssl_tls1_3" = "true" -o "$tcltls_ssl_tls1_3" = "force"; then
		proto_check='true'

			ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu

			{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for tlsv1.3 protocol support" >&5
printf %s "checking for tlsv1.3 protocol support... " >&6; }
			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

#include <openssl/ssl.h>
#include <openssl/opensslv.h>
#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
# include <openssl/conf.h>
#endif

int
main (void)
{

int x = SSL_OP_NO_TLSv1_3;

  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :

				{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }

else $as_nop

				{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }

				proto_check='false'

fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
			ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu



		if test "$proto_check" = 'false'; then
			if test "$tcltls_ssl_tls1_3" = "force"; then
				as_fn_error $? "Unable to enable tlsv1.3" "$LINENO" 5
			fi

			tcltls_ssl_tls1_3='false'
		fi
	fi

	if test "$tcltls_ssl_tls1_3" = "false"; then

printf "%s\n" "#define NO_TLS1_3 1" >>confdefs.h

	fi



	if test ${tcltls_cv_func_tlsext_hostname+y}
then :
  printf %s "(cached) " >&6
else $as_nop

		ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu

		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for SSL_set_tlsext_host_name" >&5
printf %s "checking for SSL_set_tlsext_host_name... " >&6; }
		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

#include <openssl/ssl.h>
#include <openssl/conf.h>

int
main (void)
{

  (void)SSL_set_tlsext_host_name((void *) 0, (void *) 0);

  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :

			{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
			tcltls_cv_func_tlsext_hostname='yes'

else $as_nop

			{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
			tcltls_cv_func_tlsext_hostname='no'

fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
    conftest$ac_exeext conftest.$ac_ext

		ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu












fi










	if test "$tcltls_cv_func_tlsext_hostname" = 'no'; then



printf "%s\n" "#define OPENSSL_NO_TLSEXT 1" >>confdefs.h


	fi




		LIBS="${SAVE_LIBS}"

	CFLAGS="${SAVE_CFLAGS}"


	CPPFLAGS="${SAVE_CPPFLAGS}"













#--------------------------------------------------------------------
# Shared libraries and static libraries have different names.
# Also, windows libraries and unix libraries have different names.
# For the OpenSSL version, I chose to use the same library names that
# OpenSSL uses as its default names.







|
<
<
<
<
<
<
<
|
|
<
<
<
<
|
<
|
|
<
<
|
<
<
<
|
<
|
<
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
|
<
|
|
|
<
<
|
<
<
<
|
<
|
<
|
<
|
|
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<

<

<



<
<
<
<

<
<
<
|
<
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<

<
|
<
|
<
|
|
|
<
<
|
<
<
<
|
<
|
<

<
|
|
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<






<
<
<
<
|
<
<
<
<
<
|
<
<
<
|
<
|
<
<
<
<
<
<
|
<
<
<
<
<
<
<
<
<
<
|
<
<
<
<
<
<
<

|
<
<
<
<

<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<



<
<
<



<
<








|
|
<

<
|
<
<
<




>
|





>

>
>
>
>
>
>
>
>
>
|
>

>
>
>
>
>

>
>
|

>
>
|

>


>
>
>
|
>
|
>
>
|
>
>
>
>
>
>
>
>
>
>
>







9012
9013
9014
9015
9016
9017
9018
9019







9020
9021




9022

9023
9024


9025



9026

9027

9028
















9029

9030
9031
9032


9033



9034

9035

9036

9037
9038
9039

























9040

9041

9042
9043
9044




9045



9046

9047





























9048

9049

9050

9051
9052
9053


9054



9055

9056

9057

9058
9059
9060




















9061
9062
9063
9064
9065
9066




9067





9068



9069

9070






9071










9072







9073
9074




9075

























9076
9077
9078



9079
9080
9081


9082
9083
9084
9085
9086
9087
9088
9089
9090
9091

9092

9093



9094
9095
9096
9097
9098
9099
9100
9101
9102
9103
9104
9105
9106
9107
9108
9109
9110
9111
9112
9113
9114
9115
9116
9117
9118
9119
9120
9121
9122
9123
9124
9125
9126
9127
9128
9129
9130
9131
9132
9133
9134
9135
9136
9137
9138
9139
9140
9141
9142
9143
9144
9145
9146
9147
9148
9149
9150
9151
9152
9153
9154
9155
9156
9157
9158
9159
9160
9161
9162
	PKG_CONFIG_PATH="${PKG_CONFIG_PATH_SAVE}"

	if test "$TCLEXT_BUILD" = "static"; then
				rm -f tcltls.${AREXT}.linkadd
		printf "%s\n" "$TCLTLS_SSL_LIBS" > tcltls.${AREXT}.linkadd
	fi

		if test "$TCLEXT_TLS_STATIC_SSL" = 'yes'; then







				if test "$TCLEXT_BUILD" != "static"; then
						new_TCLTLS_SSL_LIBS_normal=''




			new_TCLTLS_SSL_LIBS_static=''

			for arg in $TCLTLS_SSL_LIBS; do
				case "${arg}" in


					-L*)



						new_TCLTLS_SSL_LIBS_normal="${new_TCLTLS_SSL_LIBS_normal} ${arg}"

						new_TCLTLS_SSL_LIBS_static="${new_TCLTLS_SSL_LIBS_static} ${arg}"

						;;
















					-ldl|-lrt|-lc|-lpthread|-lm|-lcrypt|-lidn|-lresolv|-lgcc|-lgcc_s)

						new_TCLTLS_SSL_LIBS_normal="${new_TCLTLS_SSL_LIBS_normal} ${arg}"
						;;
					-l*)


						new_TCLTLS_SSL_LIBS_static="${new_TCLTLS_SSL_LIBS_static} ${arg}"



						;;

					*)

						new_TCLTLS_SSL_LIBS_normal="${new_TCLTLS_SSL_LIBS_normal} ${arg}"

						;;
				esac
			done








































	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for how to statically link to OpenSSL" >&5

printf %s "checking for how to statically link to OpenSSL... " >&6; }































	trylink_ADD_LDFLAGS=''

	for arg in $new_TCLTLS_SSL_LIBS_static; do

		case "${arg}" in
			-L*)
				trylink_ADD_LDFLAGS="${arg}"


				;;



		esac

	done



	SAVELIBS="$LIBS"
	staticlib=""
	found="0"




















			ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu





	for trylink in "-Wl,-a,archive $new_TCLTLS_SSL_LIBS_static -Wl,-a,shared_archive" "-Wl,-Bstatic $new_TCLTLS_SSL_LIBS_static -Wl,-Bdynamic" "$new_TCLTLS_SSL_LIBS_static"; do





		if echo " ${LDFLAGS} " | grep ' -static ' >/dev/null; then



			if test "${trylink}" != "$new_TCLTLS_SSL_LIBS_static"; then

				continue






			fi










		fi








		LIBS="${SAVELIBS} ${trylink_ADD_LDFLAGS} ${trylink}"






























		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */




int
main (void)
{



  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :

			staticlib="${trylink}"
			found="1"



			break




fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
    conftest$ac_exeext conftest.$ac_ext
	done
	ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu

	LIBS="${SAVELIBS}"

	if test "${found}" = "1"; then
		new_RESULT=''
		SAVERESULT="$new_TCLTLS_SSL_LIBS_static"
		for lib in ${SAVERESULT}; do
			addlib='1'
			for removelib in $new_TCLTLS_SSL_LIBS_static; do
				if test "${lib}" = "${removelib}"; then
					addlib='0'
					break
				fi
			done

			if test "$addlib" = '1'; then
				new_RESULT="${new_RESULT} ${lib}"
			fi
		done
		new_TCLTLS_SSL_LIBS_static="${new_RESULT} ${staticlib}"

		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ${staticlib}" >&5
printf "%s\n" "${staticlib}" >&6; }


	else
		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: cant" >&5
printf "%s\n" "cant" >&6; }


	fi

			TCLTLS_SSL_LIBS="${new_TCLTLS_SSL_LIBS_normal} ${new_TCLTLS_SSL_LIBS_static}"
		fi
	fi

#TLS_CHECK_SSL

#AC_CHECK_LIB(crypto, main, [LIBS="$LIBS -lcrypto"])
#AC_CHECK_LIB(ssl, main, [LIBS="$LIBS -lssl"])

	SSL_DIR="/usr"
	SSL_LIB_DIR=${SSL_DIR}/lib64
	SSL_INCLUDE_DIR=${SSL_DIR}/include/openssl





    SSL_INCLUDE_DIR_NATIVE=\"`${CYGPATH} ${SSL_INCLUDE_DIR}`\"
    SSL_LIB_DIR_NATIVE=\"`${CYGPATH} ${SSL_LIB_DIR}`\"



#--------------------------------------------------------------------
# Shared libraries and static libraries have different names.
# Also, windows libraries and unix libraries have different names.
# For the OpenSSL version, I chose to use the same library names that
# OpenSSL uses as its default names.
9373
9374
9375
9376
9377
9378
9379
9380
9381

9382
9383
9384
9385
9386
9387
9388
    for i in $vars; do
	if test "${TEA_PLATFORM}" = "windows" -a "$GCC" = "yes" ; then
	    # Convert foo.lib to -lfoo for GCC.  No-op if not *.lib
	    i=`echo "$i" | sed -e 's/^\([^-].*\)\.[lL][iI][bB]$/-l\1/'`
	fi
	PKG_LIBS="$PKG_LIBS $i"
    done
    fi


else
    # Subst runtime dir here, use -R and -L where necessary. [Bug 1742859]
    LIB_RUNTIME_DIR=${SSL_LIB_DIR}
    eval "LD_SEARCH_FLAGS=\"${LD_SEARCH_FLAGS}\""
    if test -n "${OPENSSL}"; then

    vars="${LD_SEARCH_FLAGS} -L${SSL_LIB_DIR} -lssl -lcrypto ${GCCPATH} ${GCCLIB}"







|

>







9206
9207
9208
9209
9210
9211
9212
9213
9214
9215
9216
9217
9218
9219
9220
9221
9222
    for i in $vars; do
	if test "${TEA_PLATFORM}" = "windows" -a "$GCC" = "yes" ; then
	    # Convert foo.lib to -lfoo for GCC.  No-op if not *.lib
	    i=`echo "$i" | sed -e 's/^\([^-].*\)\.[lL][iI][bB]$/-l\1/'`
	fi
	PKG_LIBS="$PKG_LIBS $i"
    done


	fi
else
    # Subst runtime dir here, use -R and -L where necessary. [Bug 1742859]
    LIB_RUNTIME_DIR=${SSL_LIB_DIR}
    eval "LD_SEARCH_FLAGS=\"${LD_SEARCH_FLAGS}\""
    if test -n "${OPENSSL}"; then

    vars="${LD_SEARCH_FLAGS} -L${SSL_LIB_DIR} -lssl -lcrypto ${GCCPATH} ${GCCLIB}"
9475
9476
9477
9478
9479
9480
9481





















































9482
9483
9484
9485
9486
9487
9488
#TEA_EXPORT_CONFIG([tls])
#AC_SUBST(SAMPLE_VAR)


#--------------------------------------------------------------------
# Custom
#--------------------------------------------------------------------






















































tcltls_deterministic='false'
# Check whether --enable-deterministic was given.
if test ${enable_deterministic+y}
then :
  enableval=$enable_deterministic;
	if test "$enableval" = "yes"; then







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







9309
9310
9311
9312
9313
9314
9315
9316
9317
9318
9319
9320
9321
9322
9323
9324
9325
9326
9327
9328
9329
9330
9331
9332
9333
9334
9335
9336
9337
9338
9339
9340
9341
9342
9343
9344
9345
9346
9347
9348
9349
9350
9351
9352
9353
9354
9355
9356
9357
9358
9359
9360
9361
9362
9363
9364
9365
9366
9367
9368
9369
9370
9371
9372
9373
9374
9375
#TEA_EXPORT_CONFIG([tls])
#AC_SUBST(SAMPLE_VAR)


#--------------------------------------------------------------------
# Custom
#--------------------------------------------------------------------

# Check whether --enable-tls1 was given.
if test ${enable_tls1+y}
then :
  enableval=$enable_tls1;
	if (test "${enableval}" = "no"); then

printf "%s\n" "#define NO_TLS1 1" >>confdefs.h

	fi

fi


# Check whether --enable-tls1_1 was given.
if test ${enable_tls1_1+y}
then :
  enableval=$enable_tls1_1;
	if (test "${enableval}" = "no"); then

printf "%s\n" "#define NO_TLS1_1 1" >>confdefs.h

	fi

fi


# Check whether --enable-tls1_2 was given.
if test ${enable_tls1_2+y}
then :
  enableval=$enable_tls1_2;
	if (test "${enableval}" = "no"); then

printf "%s\n" "#define NO_TLS1_2 1" >>confdefs.h

	fi

fi


# Check whether --enable-tls1_3 was given.
if test ${enable_tls1_3+y}
then :
  enableval=$enable_tls1_3;
	if (test "${enableval}" = "no"); then

printf "%s\n" "#define NO_TLS1_3 1" >>confdefs.h

	fi

fi



tcltls_deterministic='false'
# Check whether --enable-deterministic was given.
if test ${enable_deterministic+y}
then :
  enableval=$enable_deterministic;
	if test "$enableval" = "yes"; then
9503
9504
9505
9506
9507
9508
9509
9510
9511
9512
9513
9514
9515
9516
9517
9518
9519
9520
if test ${with_builtin_dh_params_size+y}
then :
  withval=$with_builtin_dh_params_size;
	case $withval in #(
  2048|4096|8192) :
     ;; #(
  *) :

			as_fn_error $? "Unsupported DH params size: $withval" "$LINENO" 5

	 ;;
esac
	GEN_DH_PARAMS_ARGS="${GEN_DH_PARAMS_ARGS} bits=$withval"

fi










<
|
<
<







9390
9391
9392
9393
9394
9395
9396

9397


9398
9399
9400
9401
9402
9403
9404
if test ${with_builtin_dh_params_size+y}
then :
  withval=$with_builtin_dh_params_size;
	case $withval in #(
  2048|4096|8192) :
     ;; #(
  *) :

    as_fn_error $? "Unsupported DH params size: $withval" "$LINENO" 5 ;;


esac
	GEN_DH_PARAMS_ARGS="${GEN_DH_PARAMS_ARGS} bits=$withval"

fi



9808
9809
9810
9811
9812
9813
9814
9815
9816
9817
9818
9819
9820
9821
9822
  #    will be set to the directory where LIBOBJS objects are built.
  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
done
LIBOBJS=$ac_libobjs

LTLIBOBJS=$ac_ltlibobjs



CFLAGS="${CFLAGS} ${CPPFLAGS}"; CPPFLAGS=""

: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
ac_clean_files_save=$ac_clean_files







<







9692
9693
9694
9695
9696
9697
9698

9699
9700
9701
9702
9703
9704
9705
  #    will be set to the directory where LIBOBJS objects are built.
  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
done
LIBOBJS=$ac_libobjs

LTLIBOBJS=$ac_ltlibobjs



CFLAGS="${CFLAGS} ${CPPFLAGS}"; CPPFLAGS=""

: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
ac_clean_files_save=$ac_clean_files

Modified configure.ac from [3b0f7b8ea0] to [ebda080a59].

243
244
245
246
247
248
249




























250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
#TEA_EXPORT_CONFIG([tls])
#AC_SUBST(SAMPLE_VAR)


#--------------------------------------------------------------------
# Custom
#--------------------------------------------------------------------





























dnl Enable support for building the same library every time
tcltls_deterministic='false'
AC_ARG_ENABLE([deterministic], AS_HELP_STRING([--enable-deterministic], [enable deterministic parameters]), [
	if test "$enableval" = "yes"; then
		tcltls_deterministic='true'
	fi
])
if test "$tcltls_deterministic" = 'true'; then
	GEN_DH_PARAMS_ARGS='fallback'
else
	GEN_DH_PARAMS_ARGS=''
fi


dnl Enable support for specifying pre-computed DH params size
AC_ARG_WITH([builtin-dh-params-size], AS_HELP_STRING([--with-builtin-dh-params-size=<bits>], [specify the size of the built-in, precomputed, DH params]), [
	AS_CASE([$withval],
		[2048|4096|8192],,
		[
			AC_MSG_ERROR([Unsupported DH params size: $withval])
		]
	)
	GEN_DH_PARAMS_ARGS="${GEN_DH_PARAMS_ARGS} bits=$withval"
])
AC_SUBST(GEN_DH_PARAMS_ARGS)


dnl Determine if we have been asked to use a fast path if possible
tcltls_ssl_fastpath='no'







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

















<
<
<
|
<
<







243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294



295


296
297
298
299
300
301
302
#TEA_EXPORT_CONFIG([tls])
#AC_SUBST(SAMPLE_VAR)


#--------------------------------------------------------------------
# Custom
#--------------------------------------------------------------------

dnl Disable support for TLS 1.0
AC_ARG_ENABLE([tls1], AS_HELP_STRING([--disable-tls1], [disable TLS1 support]), [
	if test "${enableval}" = "no"; then
		AC_DEFINE([NO_TLS1], [1], [Disable TLS1 support])
	fi
])

dnl Disable support for TLS 1.1
AC_ARG_ENABLE([tls1_1], AS_HELP_STRING([--disable-tls1_1], [disable TLS1.1 support]), [
	if test "${enableval}" = "no"; then
		AC_DEFINE([NO_TLS1_1], [1], [Disable TLS1.1 support])
	fi
])

dnl Disable support for TLS 1.2
AC_ARG_ENABLE([tls1_2], AS_HELP_STRING([--disable-tls1_2], [disable TLS1.2 support]), [
	if test "${enableval}" = "no"; then
		AC_DEFINE([NO_TLS1_2], [1], [Disable TLS1.2 support])
	fi
])

dnl Disable support for TLS 1.3
AC_ARG_ENABLE([tls1_3], AS_HELP_STRING([--disable-tls1_3], [disable TLS1.3 support]), [
	if test "${enableval}" = "no"; then
		AC_DEFINE([NO_TLS1_3], [1], [Disable TLS1.3 support])
	fi
])

dnl Enable support for building the same library every time
tcltls_deterministic='false'
AC_ARG_ENABLE([deterministic], AS_HELP_STRING([--enable-deterministic], [enable deterministic parameters]), [
	if test "$enableval" = "yes"; then
		tcltls_deterministic='true'
	fi
])
if test "$tcltls_deterministic" = 'true'; then
	GEN_DH_PARAMS_ARGS='fallback'
else
	GEN_DH_PARAMS_ARGS=''
fi


dnl Enable support for specifying pre-computed DH params size
AC_ARG_WITH([builtin-dh-params-size], AS_HELP_STRING([--with-builtin-dh-params-size=<bits>], [specify the size of the built-in, precomputed, DH params]), [



	AS_CASE([$withval],[2048|4096|8192],,[AC_MSG_ERROR([Unsupported DH params size: $withval])])


	GEN_DH_PARAMS_ARGS="${GEN_DH_PARAMS_ARGS} bits=$withval"
])
AC_SUBST(GEN_DH_PARAMS_ARGS)


dnl Determine if we have been asked to use a fast path if possible
tcltls_ssl_fastpath='no'