Index: configure.in ================================================================== --- configure.in +++ configure.in @@ -9,18 +9,18 @@ dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # -# RCS: @(#) $Id: configure.in,v 1.29 2015/05/01 18:44:34 andreas_kupries Exp $ +# RCS: @(#) $Id: configure.in,v 1.30 2015/06/06 09:07:08 apnadkarni Exp $ #-------------------------------------------------------------------- # macro used to verify that the configure script can find the sources #-------------------------------------------------------------------- -AC_INIT([tls], [1.6.5]) +AC_INIT([tls], [1.6.6]) TEA_INIT([3.8]) AC_CONFIG_AUX_DIR(tclconfig) Index: tests/tlsIO.test ================================================================== --- tests/tlsIO.test +++ tests/tlsIO.test @@ -8,11 +8,11 @@ # Copyright (c) 1998-2000 Ajuba Solutions. # # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # -# RCS: @(#) $Id: tlsIO.test,v 1.23 2008/03/19 22:06:13 hobbs2 Exp $ +# RCS: @(#) $Id: tlsIO.test,v 1.24 2015/06/06 09:07:08 apnadkarni Exp $ # Running socket tests with a remote server: # ------------------------------------------ # # Some tests in socket.test depend on the existence of a remote server to 
@@ -2025,10 +2025,42 @@ # only the client gets tls::import set res [tls::unimport $c] list $res [catch {close $c} err] $err \ [catch {close $s} err] $err } {{} 0 {} 0 {}} + +test tls-bug58-1.0 {test protocol negotiation failure} {socket} { + # Following code is based on what was reported in bug #58. Prior + # to fix the program would crash with a segfault. + proc Accept {sock args} { + fconfigure $sock -blocking 0; + fileevent $sock readable [list Handshake $sock] + } + proc Handshake {sock} { + set ::done HAND + catch {tls::handshake $sock} msg + set ::done $msg + } + # NOTE: when doing an in-process client/server test, both sides need + # to be non-blocking for the TLS handshake + + # Server - Only accept TLS 1 or higher + set s [tls::socket \ + -certfile $serverCert -cafile $caCert -keyfile $serverKey \ + -request 0 -require 0 -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 \ + -server Accept 8831] + # Client - Only propose SSL3 + set c [tls::socket -async \ + -cafile $caCert \ + -request 0 -require 0 -ssl2 0 -ssl3 1 -tls1 0 -tls1.1 0 -tls1.2 0 \ + [info hostname] 8831] + fconfigure $c -blocking 0 + puts $c a ; flush $c + after 5000 [list set ::done timeout] + vwait ::done + set ::done +} {handshake failed: wrong version number} # cleanup if {[string match sock* $commandSocket] == 1} { puts $commandSocket exit flush $commandSocket Index: tlsIO.c ================================================================== --- tlsIO.c +++ tlsIO.c @@ -1,10 +1,10 @@ /* * Copyright (C) 1997-2000 Matt Newman * Copyright (C) 2000 Ajuba Solutions * - * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.18 2015/05/01 18:44:34 andreas_kupries Exp $ + * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.19 2015/06/06 09:07:08 apnadkarni Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B 
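Review bot: The new test tls-bug58-1.0 never closes the listening socket `$s` or the client `$c`, never cancels its 5-second `after` timer, and binds the fixed port 8831, so a stale listener or a late `set ::done timeout` can disturb later tests in this file. Keep the timer id with `set t [after 5000 [list set ::done timeout]]` and, once `vwait ::done` returns, run `after cancel $t; close $c; close $s` before yielding the result. The expected value `handshake failed: wrong version number` looks like the SSL library's own reason text, so the test may fail against a build that words this error differently. A glob match on `handshake failed: *` would still prove the regression (no segfault, handshake rejected) without pinning that wording.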
@@ -886,10 +886,24 @@ int *errorCodePtr; /* Where to store error code. */ { int err; dprintf(stderr,"\nWaitForConnect(0x%x)", (unsigned int) statePtr); + + if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { + /* + * We choose ECONNRESET over ECONNABORTED here because some server + * side code, on the wiki for example, sets up a read handler that + * does a read and if eof closes the channel. There is no catch/try + * around the reads so exceptions will result in potentially many + * dangling channels hanging around that should have been closed. + * (Backgroun: ECONNABORTED maps to a Tcl exception and + * ECONNRESET maps to graceful EOF). + */ + *errorCodePtr = ECONNRESET; + return -1; + } for (;;) { /* Not initialized yet! */ if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_accept(statePtr->ssl); @@ -905,10 +919,11 @@ int rc = SSL_get_error(statePtr->ssl, err); if (rc == SSL_ERROR_SSL) { Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error())); + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; *errorCodePtr = ECONNABORTED; return -1; } else if (BIO_should_retry(statePtr->bio)) { if (statePtr->flags & TLS_TCL_ASYNC) { dprintf(stderr,"E! "); @@ -925,10 +940,11 @@ if (statePtr->flags & TLS_TCL_SERVER) { err = SSL_get_verify_result(statePtr->ssl); if (err != X509_V_OK) { Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err)); + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; *errorCodePtr = ECONNABORTED; return -1; } } *errorCodePtr = Tcl_GetErrno(); Index: tlsInt.h ================================================================== --- tlsInt.h +++ tlsInt.h 
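Review bot: Once TLS_TCL_HANDSHAKE_FAILED is set, the early return added at the top of WaitForConnect reports ECONNRESET, which the new comment says Tcl treats as a graceful EOF. Only the first caller therefore sees ECONNABORTED, and a script that swallows that first error will afterwards read a failed protocol negotiation or certificate check as an ordinary close. The comment should state that trade-off, e.g. `* Callers must treat the first ECONNABORTED as the authoritative failure; later I/O only reports EOF.`, and `Backgroun:` should read `Background:`. The flag is set in the hunks at -905 (SSL_ERROR_SSL) and -925 (verify result other than X509_V_OK). The function body extends outside these hunks, so it is worth confirming that no other failure exit of the loop needs the flag as well.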
@@ -1,9 +1,9 @@ /* * Copyright (C) 1997-2000 Matt Newman * - * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.16 2014/12/08 19:09:06 andreas_kupries Exp $ + * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.17 2015/06/06 09:07:08 apnadkarni Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B @@ -98,10 +98,13 @@ #define TLS_TCL_SERVER (1<<1) /* Server-Side */ #define TLS_TCL_INIT (1<<2) /* Initializing connection */ #define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ #define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update * looping problem. [Bug 1652380] */ +#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once + * set, all further I/O will result + * in ECONNABORTED errors. */ #define TLS_TCL_DELAY (5) /* * This structure describes the per-instance state Index: win/makefile.vc ================================================================== --- win/makefile.vc +++ win/makefile.vc @@ -16,11 +16,11 @@ # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- -# RCS: @(#)$Id: makefile.vc,v 1.13 2015/06/06 07:03:32 apnadkarni Exp $ +# RCS: @(#)$Id: makefile.vc,v 1.14 2015/06/06 09:07:08 apnadkarni Exp $ #------------------------------------------------------------------------- # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR) # or with the MS Platform SDK (MSSDK). Visual Studio .NET 2003 and 2005 define # VCINSTALLDIR instead. The MSVC Toolkit release defines yet another. 
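Review bot: The comment on the new TLS_TCL_HANDSHAKE_FAILED define says further I/O results in ECONNABORTED, but the check added to WaitForConnect in tlsIO.c deliberately sets `*errorCodePtr = ECONNRESET`. A reader relying on the header would expect a Tcl error on every later read, whereas the implementation's own comment says later reads surface as EOF. Reword it to `/* Set on handshake failures; once set, all further I/O fails with ECONNRESET (graceful EOF in Tcl). */` so the header matches the behaviour.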
@@ -162,11 +162,11 @@ # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" -DOTVERSION = 1.6.5 +DOTVERSION = 1.6.6 VERSION = $(DOTVERSION:.=) STUBPREFIX = $(PROJECT)stub DLLOBJS = \ $(TMP_DIR)\tls.obj \