Overview
Comment: | Fix for bug #58. Crash/hang on protocol version negotiation failure. See bug report for analysis. Now we keep track of handshake failures through the HANDSHAKE_FAILURE flag and do not call back into SSL_accept/SSL_connect if handshake had already failed. |
---|---|
SHA1: | 9182f29754386b984173654c1c988595 |
User & Date: | apnadkarni on 2015-06-06 09:07:08 |
Context
2015-06-08
20:53 | Regenerated configure for 1.6.6. check-in: f7a76c9416 user: andreas_kupries tags: trunk | |
2015-06-06
09:07 | Fix for bug #58. Crash/hang on protocol version negotiation failure. See bug report for analysis. Now we keep track of handshake failures through the HANDSHAKE_FAILURE flag and do not call back into SSL_accept/SSL_connect if handshake had already failed. check-in: 9182f29754 user: apnadkarni tags: trunk | |
08:56 | Fix TLS version number. Remove outdated references to Tcl 8.2/8.3. check-in: 36912df18d user: apnadkarni tags: trunk | |
Changes
Modified configure.in
from [48def4e62e]
to [e8273bf602].
1 2 3 4 5 6 7 8 9 10 11 12 13 | #!/bin/bash -norc dnl This file is an input file used by the GNU "autoconf" program to dnl generate the file "configure", which is run during Tcl installation dnl to configure the system for the local environment. dnl dnl This file contains code to generate "tls" using either the dnl OpenSSL libraries or libraries from the commercial BSAFE SSL-C dnl product from RSA Security. In the United States, it is necessary dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # | | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | #!/bin/bash -norc dnl This file is an input file used by the GNU "autoconf" program to dnl generate the file "configure", which is run during Tcl installation dnl to configure the system for the local environment. dnl dnl This file contains code to generate "tls" using either the dnl OpenSSL libraries or libraries from the commercial BSAFE SSL-C dnl product from RSA Security. In the United States, it is necessary dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # # RCS: @(#) $Id: configure.in,v 1.30 2015/06/06 09:07:08 apnadkarni Exp $ #-------------------------------------------------------------------- # macro used to verify that the configure script can find the sources #-------------------------------------------------------------------- AC_INIT([tls], [1.6.6]) TEA_INIT([3.8]) AC_CONFIG_AUX_DIR(tclconfig) #-------------------------------------------------------------------- # Load the tclConfig.sh file |
︙ | ︙ |
Modified tests/tlsIO.test
from [18affbd0b0]
to [29322e679c].
1 2 3 4 5 6 7 8 9 10 11 12 | # Commands tested in this file: socket. -*- tcl -*- # # This file contains a collection of tests for one or more of the Tcl # built-in commands. Sourcing this file into Tcl runs the tests and # generates output for errors. No output means no errors were found. # # Copyright (c) 1994-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | # Commands tested in this file: socket. -*- tcl -*- # # This file contains a collection of tests for one or more of the Tcl # built-in commands. Sourcing this file into Tcl runs the tests and # generates output for errors. No output means no errors were found. # # Copyright (c) 1994-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # # RCS: @(#) $Id: tlsIO.test,v 1.24 2015/06/06 09:07:08 apnadkarni Exp $ # Running socket tests with a remote server: # ------------------------------------------ # # Some tests in socket.test depend on the existence of a remote server to # which they connect. The remote server must be an instance of tcltest and it # must run the script found in the file "remote.tcl" in this directory. You |
︙ | ︙ | |||
2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 | -certfile $clientCert -cafile $caCert -keyfile $clientKey \ [info hostname] 8831] # only the client gets tls::import set res [tls::unimport $c] list $res [catch {close $c} err] $err \ [catch {close $s} err] $err } {{} 0 {} 0 {}} # cleanup if {[string match sock* $commandSocket] == 1} { puts $commandSocket exit flush $commandSocket } catch {close $commandSocket} catch {close $remoteProcChan} ::tcltest::cleanupTests flush stdout return | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 | -certfile $clientCert -cafile $caCert -keyfile $clientKey \ [info hostname] 8831] # only the client gets tls::import set res [tls::unimport $c] list $res [catch {close $c} err] $err \ [catch {close $s} err] $err } {{} 0 {} 0 {}} test tls-bug58-1.0 {test protocol negotiation failure} {socket} { # Following code is based on what was reported in bug #58. Prior # to fix the program would crash with a segfault. 
proc Accept {sock args} { fconfigure $sock -blocking 0; fileevent $sock readable [list Handshake $sock] } proc Handshake {sock} { set ::done HAND catch {tls::handshake $sock} msg set ::done $msg } # NOTE: when doing an in-process client/server test, both sides need # to be non-blocking for the TLS handshake # Server - Only accept TLS 1 or higher set s [tls::socket \ -certfile $serverCert -cafile $caCert -keyfile $serverKey \ -request 0 -require 0 -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 \ -server Accept 8831] # Client - Only propose SSL3 set c [tls::socket -async \ -cafile $caCert \ -request 0 -require 0 -ssl2 0 -ssl3 1 -tls1 0 -tls1.1 0 -tls1.2 0 \ [info hostname] 8831] fconfigure $c -blocking 0 puts $c a ; flush $c after 5000 [list set ::done timeout] vwait ::done set ::done } {handshake failed: wrong version number} # cleanup if {[string match sock* $commandSocket] == 1} { puts $commandSocket exit flush $commandSocket } catch {close $commandSocket} catch {close $remoteProcChan} ::tcltest::cleanupTests flush stdout return |
Modified tlsIO.c
from [9278c7db29]
to [cd93e606f5].
1 2 3 4 | /* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * Copyright (C) 2000 Ajuba Solutions * | | | 1 2 3 4 5 6 7 8 9 10 11 12 | /* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * Copyright (C) 2000 Ajuba Solutions * * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.19 2015/06/06 09:07:08 apnadkarni Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B * * Addition credit is due for Andreas Kupries ([email protected]), for |
︙ | ︙ | |||
884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 | Tls_WaitForConnect( statePtr, errorCodePtr) State *statePtr; int *errorCodePtr; /* Where to store error code. */ { int err; dprintf(stderr,"\nWaitForConnect(0x%x)", (unsigned int) statePtr); for (;;) { /* Not initialized yet! */ if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_accept(statePtr->ssl); } else { err = SSL_connect(statePtr->ssl); } /*SSL_write(statePtr->ssl, (char*)&err, 0); HACK!!! */ if (err > 0) { BIO_flush(statePtr->bio); } if (err <= 0) { int rc = SSL_get_error(statePtr->ssl, err); if (rc == SSL_ERROR_SSL) { Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error())); *errorCodePtr = ECONNABORTED; return -1; } else if (BIO_should_retry(statePtr->bio)) { if (statePtr->flags & TLS_TCL_ASYNC) { dprintf(stderr,"E! "); *errorCodePtr = EAGAIN; return -1; } else { continue; } } else if (err == 0) { dprintf(stderr,"CR! "); *errorCodePtr = ECONNRESET; return -1; } if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_get_verify_result(statePtr->ssl); if (err != X509_V_OK) { Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err)); *errorCodePtr = ECONNABORTED; return -1; } } *errorCodePtr = Tcl_GetErrno(); dprintf(stderr,"ERR(%d, %d) ", rc, *errorCodePtr); return -1; | > > > > > > > > > > > > > > > > | 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 | Tls_WaitForConnect( statePtr, errorCodePtr) State *statePtr; int *errorCodePtr; /* Where to store error code. 
*/ { int err; dprintf(stderr,"\nWaitForConnect(0x%x)", (unsigned int) statePtr); if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { /* * We choose ECONNRESET over ECONNABORTED here because some server * side code, on the wiki for example, sets up a read handler that * does a read and if eof closes the channel. There is no catch/try * around the reads so exceptions will result in potentially many * dangling channels hanging around that should have been closed. * (Backgroun: ECONNABORTED maps to a Tcl exception and * ECONNRESET maps to graceful EOF). */ *errorCodePtr = ECONNRESET; return -1; } for (;;) { /* Not initialized yet! */ if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_accept(statePtr->ssl); } else { err = SSL_connect(statePtr->ssl); } /*SSL_write(statePtr->ssl, (char*)&err, 0); HACK!!! */ if (err > 0) { BIO_flush(statePtr->bio); } if (err <= 0) { int rc = SSL_get_error(statePtr->ssl, err); if (rc == SSL_ERROR_SSL) { Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error())); statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; *errorCodePtr = ECONNABORTED; return -1; } else if (BIO_should_retry(statePtr->bio)) { if (statePtr->flags & TLS_TCL_ASYNC) { dprintf(stderr,"E! "); *errorCodePtr = EAGAIN; return -1; } else { continue; } } else if (err == 0) { dprintf(stderr,"CR! "); *errorCodePtr = ECONNRESET; return -1; } if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_get_verify_result(statePtr->ssl); if (err != X509_V_OK) { Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err)); statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; *errorCodePtr = ECONNABORTED; return -1; } } *errorCodePtr = Tcl_GetErrno(); dprintf(stderr,"ERR(%d, %d) ", rc, *errorCodePtr); return -1; |
︙ | ︙ |
Modified tlsInt.h
from [810dac65b4]
to [aca790a765].
1 2 3 | /* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * | | | 1 2 3 4 5 6 7 8 9 10 11 | /* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.17 2015/06/06 09:07:08 apnadkarni Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B * * Addition credit is due for Andreas Kupries ([email protected]), for |
︙ | ︙ | |||
96 97 98 99 100 101 102 103 104 105 106 107 108 109 | */ #define TLS_TCL_ASYNC (1<<0) /* non-blocking mode */ #define TLS_TCL_SERVER (1<<1) /* Server-Side */ #define TLS_TCL_INIT (1<<2) /* Initializing connection */ #define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ #define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update * looping problem. [Bug 1652380] */ #define TLS_TCL_DELAY (5) /* * This structure describes the per-instance state * of an ssl channel. * | > > > | 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 | */ #define TLS_TCL_ASYNC (1<<0) /* non-blocking mode */ #define TLS_TCL_SERVER (1<<1) /* Server-Side */ #define TLS_TCL_INIT (1<<2) /* Initializing connection */ #define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ #define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update * looping problem. [Bug 1652380] */ #define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once * set, all further I/O will result * in ECONNABORTED errors. */ #define TLS_TCL_DELAY (5) /* * This structure describes the per-instance state * of an ssl channel. * |
︙ | ︙ |
Modified win/makefile.vc
from [e48829291b]
to [91ee39841d].
︙ | ︙ | |||
14 15 16 17 18 19 20 | # Copyright (c) 1995-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- | | | 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | # Copyright (c) 1995-1996 Sun Microsystems, Inc. # Copyright (c) 1998-2000 Ajuba Solutions. # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- # RCS: @(#)$Id: makefile.vc,v 1.14 2015/06/06 09:07:08 apnadkarni Exp $ #------------------------------------------------------------------------- # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR) # or with the MS Platform SDK (MSSDK). Visual Studio .NET 2003 and 2005 define # VCINSTALLDIR instead. The MSVC Toolkit release defines yet another. !if !defined(MSDEVDIR) && !defined(MSVCDIR) && !defined(MSSDK) && !defined(VCINSTALLDIR) && !defined(VCToolkitInstallDir) MSG = ^ |
︙ | ︙ | |||
160 161 162 163 164 165 166 | PROJECT = tls # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" | | | 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | PROJECT = tls # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" DOTVERSION = 1.6.6 VERSION = $(DOTVERSION:.=) STUBPREFIX = $(PROJECT)stub DLLOBJS = \ $(TMP_DIR)\tls.obj \ $(TMP_DIR)\tlsBIO.obj \ $(TMP_DIR)\tlsIO.obj \ |
︙ | ︙ |
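Review bot: In tests/tlsIO.test, the Handshake proc of tls-bug58-1.0 runs `set ::done $msg` unconditionally after `catch {tls::handshake $sock} msg`, so an invocation in which tls::handshake returns without error also ends the vwait, and the test then compares that return value against the expected failure message. Keep the result of catch and set ::done only when it is non-zero. The test also leaves $s and $c open and the `after 5000` timer pending when it returns; close both sockets and cancel the timer before returning the result, since the shared cleanup that follows only closes $commandSocket and $remoteProcChan.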
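Review bot: In Tls_WaitForConnect in tlsIO.c, TLS_TCL_HANDSHAKE_FAILED is set only in the SSL_ERROR_SSL branch and in the X509 verify-failure branch; the `err == 0` branch that returns ECONNRESET and the final fallthrough that returns Tcl_GetErrno() leave the flag clear, so a later call on the same channel still reaches SSL_accept/SSL_connect. If those exits are also terminal for the handshake, set the flag there as well, or add a comment saying why re-entering the handshake is safe on those paths. Minor: the new block comment has the typo "Backgroun:".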
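Review bot: In tlsInt.h, the comment on the new TLS_TCL_HANDSHAKE_FAILED define says that once the flag is set all further I/O will result in ECONNABORTED errors, but the early return added at the top of Tls_WaitForConnect in tlsIO.c sets `*errorCodePtr = ECONNRESET` and its comment explains why ECONNRESET was chosen over ECONNABORTED. Change the header comment to say ECONNRESET so that the documented behaviour matches the code; only the first failing call reports ECONNABORTED.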