Check-in [a87c836d6c]
Overview
Comment:Merged in trunk
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | tls-1-7
Files: files | file ages | folders
SHA1: a87c836d6cf3cddb816c05b7571db462cf64dbfb
User & Date: rkeene on 2016-12-14 14:42:57
Other Links: branch diff | manifest | tags
Context
2016-12-14
14:43
TclTLS 1.7.10 check-in: f0d0acd4b5 user: rkeene tags: tls-1-7, tls-1-7-10
14:42
Merged in trunk check-in: a87c836d6c user: rkeene tags: tls-1-7
14:40
Updated EOF while reading from the BIO to map to soft EOF check-in: 24ce678ecd user: rkeene tags: trunk
2016-12-13
20:23
TclTLS 1.7.9 check-in: 7b0845cfb3 user: rkeene tags: tls-1-7, tls-1-7-9
Changes
1
2
3
4
5
6
7
8
9
10
11
12
13
14



15
16
17
18
19
20
21
CC = @CC@
AR = @AR@
RANLIB = @RANLIB@
CFLAGS = @CFLAGS@ @SHOBJFLAGS@
CPPFLAGS = @CPPFLAGS@ -I@srcdir@ -I. @DEFS@ @TCL_DEFS@
LDFLAGS = @LDFLAGS@ @SHOBJLDFLAGS@
LIBS = @LIBS@
INSTALL = @INSTALL@
PACKAGE_VERSION = @PACKAGE_VERSION@
prefix = @prefix@
exec_prefix = @exec_prefix@
libdir = @libdir@
TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@
PACKAGE_INSTALL_DIR = $(TCL_PACKAGE_PATH)/tcltls$(PACKAGE_VERSION)



VPATH = @srcdir@

all: @EXTENSION_TARGET@

# The shared object target
tcltls.@SHOBJEXT@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o tcltls.@SHOBJEXT@ tls.o tlsBIO.o tlsIO.o tlsX509.o $(LIBS)







<






>
>
>







1
2
3
4
5
6
7

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
CC = @CC@
AR = @AR@
RANLIB = @RANLIB@
CFLAGS = @CFLAGS@ @SHOBJFLAGS@
CPPFLAGS = @CPPFLAGS@ -I@srcdir@ -I. @DEFS@ @TCL_DEFS@
LDFLAGS = @LDFLAGS@ @SHOBJLDFLAGS@
LIBS = @LIBS@

PACKAGE_VERSION = @PACKAGE_VERSION@
prefix = @prefix@
exec_prefix = @exec_prefix@
libdir = @libdir@
TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@
PACKAGE_INSTALL_DIR = $(TCL_PACKAGE_PATH)/tcltls$(PACKAGE_VERSION)
INSTALL = @INSTALL@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_DATA = @INSTALL_DATA@
VPATH = @srcdir@

all: @EXTENSION_TARGET@

# The shared object target
tcltls.@SHOBJEXT@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o tcltls.@SHOBJEXT@ tls.o tlsBIO.o tlsIO.o tlsX509.o $(LIBS)
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

57






58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h Makefile
tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h Makefile
tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h Makefile

# Create a C-source-ified version of the script resources
# for TclTLS so that we only need a single file to enable
# this extension
tls.tcl.h: @srcdir@/tls.tcl
	od -A n -v -t xC < '@srcdir@/tls.tcl' > tls.tcl.h.new.1
	sed 's@  *@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > tls.tcl.h.new.2
	rm -f tls.tcl.h.new.1
	mv tls.tcl.h.new.2 tls.tcl.h

# Create default DH parameters
dh_params.h: @srcdir@/gen_dh_params Makefile
	@srcdir@/gen_dh_params @GEN_DH_PARAMS_ARGS@ > dh_params.h.new
	mv dh_params.h.new dh_params.h

# Generic target for building files from the "srcdir"
# tree -- the default target will not match paths
.c.o:
	$(CC) $(CPPFLAGS) $(CFLAGS) -o "$@" -c "$<"

# Install the extension
install: @EXTENSION_TARGET@ pkgIndex.tcl
	$(INSTALL) -d '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'

	$(INSTALL) -c @EXTENSION_TARGET@ pkgIndex.tcl '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'







# Test target, run the automated test suite
test: @EXTENSION_TARGET@
	@TCLSH_PROG@ @srcdir@/tests/all.tcl $(TESTFLAGS) -load "lappend auto_path $(shell pwd)"

# Clean the local build directory for rebuild against the same configuration
clean:
	rm -f tls.o tlsBIO.o tlsIO.o tlsX509.o
	rm -f tcltls.@SHOBJEXT@
	rm -f tcltls.@[email protected] tcltls.@[email protected]
	rm -f tcltls.a.new tcltls.a
	rm -f tls.tcl.h.new.1 tls.tcl.h.new.2
	@if [ '@srcdir@' != '.' ]; then echo rm -f tls.tcl.h; rm -f tls.tcl.h; fi

# Clean the local build directory back to what it was after unpacking the
# distribution tarball
distclean: clean
	rm -f config.log config.status
	rm -f dh_params.h.new dh_params.h
	rm -f Makefile pkgIndex.tcl
	rm -f tcltls.a.linkadd

# Clean the local build directory back to only thing things that exist in
# version control system
mrproper: distclean
	rm -f @srcdir@/configure @srcdir@/config.sub @srcdir@/config.guess @srcdir@/install-sh
	rm -f @srcdir@/aclocal.m4
	rm -rf @srcdir@/autom4te.cache
	rm -f @srcdir@/tls.tcl.h

.PHONY: all install clean distclean mrproper test







|


















>
|
>
>
>
>
>
>











|
<















<

|
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

94
95
tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h Makefile
tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h Makefile
tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h Makefile

# Create a C-source-ified version of the script resources
# for TclTLS so that we only need a single file to enable
# this extension
tls.tcl.h: @srcdir@/tls.tcl Makefile
	od -A n -v -t xC < '@srcdir@/tls.tcl' > tls.tcl.h.new.1
	sed 's@  *@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > tls.tcl.h.new.2
	rm -f tls.tcl.h.new.1
	mv tls.tcl.h.new.2 tls.tcl.h

# Create default DH parameters
dh_params.h: @srcdir@/gen_dh_params Makefile
	@srcdir@/gen_dh_params @GEN_DH_PARAMS_ARGS@ > dh_params.h.new
	mv dh_params.h.new dh_params.h

# Generic target for building files from the "srcdir"
# tree -- the default target will not match paths
.c.o:
	$(CC) $(CPPFLAGS) $(CFLAGS) -o "$@" -c "$<"

# Install the extension
install: @EXTENSION_TARGET@ pkgIndex.tcl
	$(INSTALL) -d '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'
	$(INSTALL_PROGRAM) @EXTENSION_TARGET@ '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'
	$(INSTALL_DATA)    pkgIndex.tcl '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'

# A convienent helper to undo the installation just done
uninstall:
	rm -f '$(DESTDIR)$(PACKAGE_INSTALL_DIR)/@EXTENSION_TARGET@'
	rm -f '$(DESTDIR)$(PACKAGE_INSTALL_DIR)/pkgIndex.tcl'
	-rmdir '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'

# Test target, run the automated test suite
test: @EXTENSION_TARGET@
	@TCLSH_PROG@ @srcdir@/tests/all.tcl $(TESTFLAGS) -load "lappend auto_path $(shell pwd)"

# Clean the local build directory for rebuild against the same configuration
clean:
	rm -f tls.o tlsBIO.o tlsIO.o tlsX509.o
	rm -f tcltls.@SHOBJEXT@
	rm -f tcltls.@[email protected] tcltls.@[email protected]
	rm -f tcltls.a.new tcltls.a
	rm -f tls.tcl.h tls.tcl.h.new.1 tls.tcl.h.new.2


# Clean the local build directory back to what it was after unpacking the
# distribution tarball
distclean: clean
	rm -f config.log config.status
	rm -f dh_params.h.new dh_params.h
	rm -f Makefile pkgIndex.tcl
	rm -f tcltls.a.linkadd

# Clean the local build directory back to only thing things that exist in
# version control system
mrproper: distclean
	rm -f @srcdir@/configure @srcdir@/config.sub @srcdir@/config.guess @srcdir@/install-sh
	rm -f @srcdir@/aclocal.m4
	rm -rf @srcdir@/autom4te.cache


.PHONY: all install uninstall clean distclean mrproper test
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Full filevent sematics should also be intact - see tests directory for
blocking and non-blocking examples.

The current release is TLS 1.6, with binaries built against OpenSSL 0.9.8g.
For best security and function, always compile from source with the latest
official release of OpenSSL (http://www.openssl.org/).

TLS requires Tcl 8.2.0+, with 8.3.2+ preferred.  The stacked channel
implementation in Tcl was originally introduced in 8.2.0 (previously the
Trf patch) and rewritten for 8.3.2+ due to inherent limitations in the
earlier implementation.  TLS should compile with any stubs-capable Tcl
interpreter, but will require 8.2+ when loaded.  There are known
limitations in the 8.2.0-8.3.1 stacked channel implementation, so it is
encouraged that people use TLS with an 8.3.2+ Tcl interpreter.  These
modifications are by Jeff Hobbs.

Non-exclusive credits for TLS are:
   Original work: Matt Newman @ Novadigm
   Updates: Jeff Hobbs @ ActiveState
   Tcl Channel mechanism: Andreas Kupries
   Impetus/Related work: tclSSL (Colin McCormack, Shared Technology)
                         SSLtcl (Peter Antman)







|
<
<
<
<
<
<
|







12
13
14
15
16
17
18
19






20
21
22
23
24
25
26
27
Full filevent sematics should also be intact - see tests directory for
blocking and non-blocking examples.

The current release is TLS 1.6, with binaries built against OpenSSL 0.9.8g.
For best security and function, always compile from source with the latest
official release of OpenSSL (http://www.openssl.org/).

TLS 1.7 and newer require Tcl 8.4.0+, older versions may be used if older






versions of Tcl need to be used.

Non-exclusive credits for TLS are:
   Original work: Matt Newman @ Novadigm
   Updates: Jeff Hobbs @ ActiveState
   Tcl Channel mechanism: Andreas Kupries
   Impetus/Related work: tclSSL (Colin McCormack, Shared Technology)
                         SSLtcl (Peter Antman)
Modified tls.htm from [98bc92e98c] to [4c4e8f1d42].
201
202
203
204
205
206
207
208
209
210
211
212
213




214
215
216
217
218
219
220
            client.(<strong>default</strong>: <em>false</em>)</dd>
        <dt><strong>-servername</strong> <em>host</em></dt>
        <dd>Only available if the OpenSSL library the package is linked
	    against supports the TLS hostname extension for 'Server Name
	    Indication' (SNI). Use to name the logical host we are talking
	    to and expecting a certificate for</dd>
        <dt><strong>-ssl2</strong> <em>bool</em></dt>
        <dd>Enable use of SSL v2. (<strong>default</strong>: <em>true</em>
            unless -DNO_PATENTS was specified in build)</dd>
        <dt><strong>-ssl3 </strong><em>bool</em></dt>
        <dd>Enable use of SSL v3. (<strong>default</strong>: <em>true</em>)</dd>
        <dt>-<strong>tls1</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1. (<strong>default</strong>: <em>false</em>)</dd>




    </dl>
</blockquote>

<dl>
    <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt>
    <dd>Provided for symmetry to <strong>tls::import</strong>, this
      unstacks the SSL-enabling of a regular Tcl channel.  An error







|
<

|

|
>
>
>
>







201
202
203
204
205
206
207
208

209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
            client.(<strong>default</strong>: <em>false</em>)</dd>
        <dt><strong>-servername</strong> <em>host</em></dt>
        <dd>Only available if the OpenSSL library the package is linked
	    against supports the TLS hostname extension for 'Server Name
	    Indication' (SNI). Use to name the logical host we are talking
	    to and expecting a certificate for</dd>
        <dt><strong>-ssl2</strong> <em>bool</em></dt>
        <dd>Enable use of SSL v2. (<strong>default</strong>: <em>false</em>)</dd>

        <dt><strong>-ssl3 </strong><em>bool</em></dt>
        <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd>
        <dt>-<strong>tls1</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd>
        <dt>-<strong>tls1.1</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd>
        <dt>-<strong>tls1.2</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd>
    </dl>
</blockquote>

<dl>
    <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt>
    <dd>Provided for symmetry to <strong>tls::import</strong>, this
      unstacks the SSL-enabling of a regular Tcl channel.  An error
Modified tlsBIO.c from [561dcc523d] to [c3e8b987ad].
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());

	BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got %i from Tcl_WriteRaw, and EOF is set; ret = -1", ret);
		Tcl_SetErrno(ECONNRESET);
		ret = -1;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");








|

|







125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());

	BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
		Tcl_SetErrno(ECONNRESET);
		ret = 0;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");

178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno);

	BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got %i from Tcl_Read or Tcl_ReadRaw, and EOF is set; ret = -1", ret);
		Tcl_SetErrno(ECONNRESET);
		ret = -1;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");








|

|







178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno);

	BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
		Tcl_SetErrno(ECONNRESET);
		ret = 0;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");