Index: ChangeLog ================================================================== --- ChangeLog +++ ChangeLog @@ -1,5 +1,16 @@ +2014-12-05 Andreas Kupries + + * configure.in: Bump to version 1.6.4. + * win/makefile.vc: + * configure: regen with ac-2.59 + * tls.c: Accepted SF TLS patches #12 and #13 implementing + * tls.htm: support for SNI, and TLS 1.1 + 1.2 + * tlsInt.h: + * tlsIO.c: + * tls.tcl: + 2012-07-09 Andreas Kupries * configure.in: Bump to version 1.6.3. * win/makefile.vc: * configure: regen with ac-2.59 Index: configure ================================================================== --- configure +++ configure @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for tls 1.6.3. +# Generated by GNU Autoconf 2.59 for tls 1.6.4. # # Copyright (C) 2003 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## --------------------- ## @@ -265,12 +265,12 @@ : ${ac_max_here_lines=38} # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' -PACKAGE_VERSION='1.6.3' -PACKAGE_STRING='tls 1.6.3' +PACKAGE_VERSION='1.6.4' +PACKAGE_STRING='tls 1.6.4' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. ac_includes_default="\ #include @@ -775,11 +775,11 @@ # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tls 1.6.3 to adapt to many kinds of systems. +\`configure' configures tls 1.6.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. 
@@ -832,11 +832,11 @@ _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tls 1.6.3:";; + short | recursive ) echo "Configuration of tls 1.6.4:";; esac cat <<\_ACEOF Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) @@ -968,11 +968,11 @@ fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -tls configure 1.6.3 +tls configure 1.6.4 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. @@ -982,11 +982,11 @@ exec 5>config.log cat >&5 <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tls $as_me 1.6.3, which was +It was created by tls $as_me 1.6.4, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ _ACEOF @@ -10809,11 +10809,11 @@ ## Running $as_me. ## _ASBOX } >&5 cat >&5 <<_CSEOF -This file was extended by tls $as_me 1.6.3, which was +This file was extended by tls $as_me 1.6.4, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS @@ -10864,11 +10864,11 @@ Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -tls config.status 1.6.3 +tls config.status 1.6.4 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" Copyright (C) 2003 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation Index: configure.in ================================================================== --- configure.in +++ configure.in 
@@ -9,18 +9,18 @@ dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # -# RCS: @(#) $Id: configure.in,v 1.27 2012/07/09 23:28:02 andreas_kupries Exp $ +# RCS: @(#) $Id: configure.in,v 1.28 2014/12/08 19:09:06 andreas_kupries Exp $ #-------------------------------------------------------------------- # macro used to verify that the configure script can find the sources #-------------------------------------------------------------------- -AC_INIT([tls], [1.6.3]) +AC_INIT([tls], [1.6.4]) TEA_INIT([3.8]) AC_CONFIG_AUX_DIR(tclconfig) Index: tls.c ================================================================== --- tls.c +++ tls.c @@ -3,11 +3,11 @@ * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * - * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.c,v 1.34 2014/04/16 18:33:03 andreas_kupries Exp $ + * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.c,v 1.35 2014/12/08 19:09:06 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built (almost) from scratch based upon observation of @@ -66,13 +66,15 @@ static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, char *cert, char *CAdir, char *CAfile, char *ciphers)); static int TlsLibInit _ANSI_ARGS_ (()) ; -#define TLS_PROTO_SSL2 0x01 -#define TLS_PROTO_SSL3 0x02 -#define TLS_PROTO_TLS1 0x04 +#define TLS_PROTO_SSL2 0x01 +#define TLS_PROTO_SSL3 0x02 +#define TLS_PROTO_TLS1 0x04 +#define TLS_PROTO_TLS1_1 0x08 +#define TLS_PROTO_TLS1_2 0x10 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) /* * Static data structures */ 
@@ -506,14 +508,14 @@ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { - "ssl2", "ssl3", "tls1", NULL + "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", NULL }; enum protocol { - TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_NONE + TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_NONE }; Tcl_Obj *objPtr; SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk; @@ -552,10 +554,24 @@ Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif + case TLS_TLS1_1: +#if defined(NO_TLS1_1) + Tcl_AppendResult(interp, "protocol not supported", NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLSv1_1_method()); break; +#endif + case TLS_TLS1_2: +#if defined(NO_TLS1_2) + Tcl_AppendResult(interp, "protocol not supported", NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLSv1_2_method()); break; +#endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); @@ -714,10 +730,13 @@ char *cert = NULL; char *ciphers = NULL; char *CAfile = NULL; char *CAdir = NULL; char *model = NULL; +#ifndef OPENSSL_NO_TLSEXT + char *servername = NULL; /* hostname for Server Name Indication */ +#endif #if defined(NO_SSL2) int ssl2 = 0; #else int ssl2 = 1; #endif @@ -724,15 +743,13 @@ #if defined(NO_SSL3) int ssl3 = 0; #else int ssl3 = 1; #endif -#if defined(NO_SSL2) && defined(NO_SSL3) int tls1 = 1; -#else - int tls1 = 0; -#endif + int tls1_1 = 1; + int tls1_2 = 1; int proto = 0; int verify = 0, require = 0, request = 1; if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); 
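Review bot: The new defaults `int tls1_1 = 1;` and `int tls1_2 = 1;` in the @@ -724 hunk are not guarded by NO_TLS1_1/NO_TLS1_2 the way `ssl2`/`ssl3` just above them are by NO_SSL2/NO_SSL3, so on a library where tlsInt.h defines NO_TLS1_1 (no SSL_OP_NO_TLSv1_1) every import that does not pass `-tls1.1 0 -tls1.2 0` sets TLS_PROTO_TLS1_1 in `proto`, and CTX_Init's `#if defined(NO_TLS1_1)` check then rejects the default configuration with "protocol not supported". Default the two flags to 0 when the library lacks the protocol, mirroring the existing ssl2/ssl3 pattern. Separately, `ssl2` and `ssl3` still default to 1 wherever the library supports them, so a default import reaches CTX_Init's SSLv23 branch with SSLv2 and SSLv3 negotiable; this commit does not change that, but defaulting them to 0 would be the safer baseline and is worth a follow-up. The enclosing import command starts and ends outside the hunk.
```c
#if defined(NO_TLS1_1)
    int tls1_1 = 0;        /* library has no TLS 1.1 method; do not request it by default */
#else
    int tls1_1 = 1;
#endif
#if defined(NO_TLS1_2)
    int tls1_2 = 0;        /* library has no TLS 1.2 method; do not request it by default */
#else
    int tls1_2 = 1;
#endif
```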
@@ -765,16 +782,21 @@ OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); OPTBOOL( "-server", server); +#ifndef OPENSSL_NO_TLSEXT + OPTSTR( "-servername", servername); +#endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); + OPTBOOL( "-tls1.1", tls1_1); + OPTBOOL( "-tls1.2", tls1_2); - OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -model, -password, -require, -request, -server, -ssl2, -ssl3, or -tls1"); + OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; @@ -781,10 +803,12 @@ if (verify == 0) verify = SSL_VERIFY_NONE; proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); proto |= (tls1 ? TLS_PROTO_TLS1 : 0); + proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); + proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); /* reset to NULL if blank string provided */ if (cert && !*cert) cert = NULL; if (key && !*key) key = NULL; if (ciphers && !*ciphers) ciphers = NULL; @@ -886,10 +910,21 @@ Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } + +#ifndef OPENSSL_NO_TLSEXT + if (servername) { + if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { + Tcl_AppendResult(interp, "setting TLS host name extension failed", + (char *) NULL); + Tls_Free((char *) statePtr); + return TCL_ERROR; + } + } +#endif /* * SSL Callbacks */ 
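Review bot: The "reset to NULL if blank string provided" block in the @@ -781 hunk normalizes `cert`, `key` and `ciphers` but not the new `servername`, so `-servername ""` reaches `SSL_set_tlsext_host_name` later in the function with an empty string; OpenSSL accepts that value and would presumably emit an empty SNI host_name entry, which peers may reject — confirm against the library version in use. Add the same normalization here, under the same guard: `#ifndef OPENSSL_NO_TLSEXT` / `if (servername && !*servername) servername = NULL;` / `#endif`, so a blank value means "no SNI" like the other options. The enclosing function continues outside the hunk.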
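Review bot: In the @@ -886 hunk a failed `SSL_set_tlsext_host_name` is reported only when `require` is set; otherwise the handshake silently proceeds without the extension even though the caller asked for it, and because `-require` governs peer-certificate checking rather than SNI the coupling is surprising. Either fail unconditionally, `if (!SSL_set_tlsext_host_name(statePtr->ssl, servername)) {`, or document the choice with a comment such as `/* SNI failure is fatal only with -require; otherwise fall back to a handshake without the extension */`. A second comment is worth adding that setting the host name only influences which certificate the peer presents — as far as this diff shows nothing checks that the presented certificate actually matches `servername`, which still rests on the verify flags and callback. The enclosing function continues outside the hunk.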
@@ -1002,42 +1037,97 @@ Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; Tcl_DString ds1; int off = 0; - - /* create SSL context */ -#if !defined(NO_SSL2) && !defined(NO_SSL3) - if (ENABLED(proto, TLS_PROTO_SSL2) && - ENABLED(proto, TLS_PROTO_SSL3)) { - ctx = SSL_CTX_new(SSLv23_method()); - } else -#endif - if (ENABLED(proto, TLS_PROTO_SSL2)) { -#if defined(NO_SSL2) - Tcl_AppendResult(interp, "protocol not supported", NULL); - return (SSL_CTX *)0; -#else - ctx = SSL_CTX_new(SSLv2_method()); -#endif - } else if (ENABLED(proto, TLS_PROTO_TLS1)) { - ctx = SSL_CTX_new(TLSv1_method()); - } else if (ENABLED(proto, TLS_PROTO_SSL3)) { -#if defined(NO_SSL3) - Tcl_AppendResult(interp, "protocol not supported", NULL); - return (SSL_CTX *)0; -#else - ctx = SSL_CTX_new(SSLv3_method()); -#endif - } else { + const SSL_METHOD *method; + + if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", NULL); return (SSL_CTX *)0; } - off |= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); - off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); - off |= (ENABLED(proto, TLS_PROTO_SSL3) ? 
0 : SSL_OP_NO_SSLv3); + + /* create SSL context */ +#if defined(NO_SSL2) + if (ENABLED(proto, TLS_PROTO_SSL2)) { + Tcl_AppendResult(interp, "protocol not supported", NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_SSL3) + if (ENABLED(proto, TLS_PROTO_SSL3)) { + Tcl_AppendResult(interp, "protocol not supported", NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1) + if (ENABLED(proto, TLS_PROTO_TLS1)) { + Tcl_AppendResult(interp, "protocol not supported", NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1_1) + if (ENABLED(proto, TLS_PROTO_TLS1_1)) { + Tcl_AppendResult(interp, "protocol not supported", NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1_2) + if (ENABLED(proto, TLS_PROTO_TLS1_2)) { + Tcl_AppendResult(interp, "protocol not supported", NULL); + return (SSL_CTX *)0; + } +#endif + + switch (proto) { +#if !defined(NO_SSL2) + case TLS_PROTO_SSL2: + method = SSLv2_method (); + break; +#endif +#if !defined(NO_SSL3) + case TLS_PROTO_SSL3: + method = SSLv3_method (); + break; +#endif +#if !defined(NO_TLS1) + case TLS_PROTO_TLS1: + method = TLSv1_method (); + break; +#endif +#if !defined(NO_TLS1_1) + case TLS_PROTO_TLS1_1: + method = TLSv1_1_method (); + break; +#endif +#if !defined(NO_TLS1_2) + case TLS_PROTO_TLS1_2: + method = TLSv1_2_method (); + break; +#endif + default: + method = SSLv23_method (); +#if !defined(NO_SSL2) + off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); +#endif +#if !defined(NO_SSL3) + off |= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); +#endif +#if !defined(NO_TLS1) + off |= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); +#endif +#if !defined(NO_TLS1_1) + off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); +#endif +#if !defined(NO_TLS1_2) + off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 
0 : SSL_OP_NO_TLSv1_2); +#endif + break; + } + ctx = SSL_CTX_new (method); + SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ SSL_CTX_sess_set_cache_size( ctx, 128); Index: tls.htm ================================================================== --- tls.htm +++ tls.htm @@ -198,10 +198,15 @@ handshake. If this is set to true then -request must also be set to true. (default: false)
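Review bot: `ctx = SSL_CTX_new (method);` is followed directly by `SSL_CTX_set_app_data( ctx, (VOID*)interp)` with no NULL check, so an allocation failure or a method the runtime library refuses dereferences a null pointer; the old code had the same gap, but since this hunk rewrites context creation it is the place to close it: `if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL);` / `return (SSL_CTX *)0; }`. The `switch (proto)` also deserves a comment, because its two modes are not obvious from the code: a single protocol bit selects the version-specific method, while any combination falls to `default:`, uses `SSLv23_method()` and relies on the `SSL_OP_NO_*` bits collected in `off` to mask the protocols not requested — something like `/* one bit: pin that version; several bits: negotiate via SSLv23 and mask the rest with SSL_OP_NO_* */`. Note that `NO_TLS1` is tested here but, unlike NO_TLS1_1/NO_TLS1_2, is never defined in tlsInt.h as far as this diff shows. CTX_Init continues outside the hunk.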
-server bool
Handshake as server if true, else handshake as client.(default: false)
+
-servername host
+
Only available if the OpenSSL library the package is linked + against supports the TLS hostname extension for 'Server Name + Indication' (SNI). Use to name the logical host we are talking + to and expecting a certificate for
-ssl2 bool
Enable use of SSL v2. (default: true unless -DNO_PATENTS was specified in build)
-ssl3 bool
Enable use of SSL v3. (default: true)
Index: tls.tcl ================================================================== --- tls.tcl +++ tls.tcl @@ -1,9 +1,9 @@ # # Copyright (C) 1997-2000 Matt Newman # -# $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.tcl,v 1.12 2010/07/27 17:15:47 hobbs2 Exp $ +# $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.tcl,v 1.13 2014/12/08 19:09:06 andreas_kupries Exp $ # namespace eval tls { variable logcmd tclLog variable debug 0 @@ -69,16 +69,16 @@ set server 1 set callback [lindex $args [expr {$idx+1}]] set args [lreplace $args $idx [expr {$idx+1}]] set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" - set options "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -password, -request, -require, -ssl2, -ssl3, or -tls1" + set options "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" } else { set server 0 set usage "wrong # args: should be \"tls::socket ?options? host port\"" - set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -myport, -password, -request, -require, -ssl2, -ssl3, or -tls1" + set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" } set argc [llength $args] set sopts {} set iopts [concat [list -server $server] $defaults] ;# Import options @@ -96,13 +96,16 @@ *,-command - *,-keyfile - *,-password - *,-request - *,-require - + *,-servername - *,-ssl2 - *,-ssl3 - - *,-tls1 {lappend iopts $arg [lindex $args [incr idx]]} + *,-tls1 - + *,-tls1.1 - + *,-tls1.2 {lappend iopts $arg [lindex $args [incr idx]]} -* {return -code error "bad option \"$arg\": must be one of $options"} default {break} } } if {$server} { Index: tlsIO.c ================================================================== --- tlsIO.c +++ tlsIO.c 
@@ -1,10 +1,10 @@ /* * Copyright (C) 1997-2000 Matt Newman * Copyright (C) 2000 Ajuba Solutions * - * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.16 2007/06/22 21:20:38 hobbs2 Exp $ + * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsIO.c,v 1.17 2014/12/08 19:09:06 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B @@ -726,10 +726,23 @@ */ Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = (Tcl_TimerToken) NULL; } + + if (statePtr->flags & TLS_TCL_CALLBACK) { + return 0; + } + + if (statePtr->flags & TLS_TCL_INIT + && !SSL_is_init_finished(statePtr->ssl)) { + int errorCode; + if (Tls_WaitForConnect(statePtr, &errorCode) <= 0 + && errorCode == EAGAIN) { + return 0; + } + } return mask; } /* @@ -898,10 +911,13 @@ return -1; } else { continue; } } else if (err == 0) { + if (Tcl_Eof(statePtr->self)) { + return 0; + } dprintf(stderr,"CR! "); *errorCodePtr = ECONNRESET; return -1; } if (statePtr->flags & TLS_TCL_SERVER) { Index: tlsInt.h ================================================================== --- tlsInt.h +++ tlsInt.h @@ -1,9 +1,9 @@ /* * Copyright (C) 1997-2000 Matt Newman * - * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.15 2007/06/22 21:20:38 hobbs2 Exp $ + * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tlsInt.h,v 1.16 2014/12/08 19:09:06 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built from scratch based upon observation of OpenSSL 0.9.2B 
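Review bot: In the @@ -726 hunk `int errorCode;` is never initialized yet is read in `errorCode == EAGAIN` whenever `Tls_WaitForConnect` returns ≤ 0, and the new `Tcl_Eof` path added in the @@ -898 hunk of this file returns 0 without writing `*errorCodePtr`, so the comparison reads an indeterminate value (undefined behaviour) precisely on the peer-closed-during-handshake path. Initialize it, `int errorCode = 0;`, and have the callee store a value before that `return 0`. The condition `statePtr->flags & TLS_TCL_INIT && !SSL_is_init_finished(statePtr->ssl)` is correct under C precedence but reads ambiguously; `(statePtr->flags & TLS_TCL_INIT) && !SSL_is_init_finished(statePtr->ssl)` makes the intent explicit. The enclosing function starts and ends outside the hunk.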
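Review bot: In the @@ -898 hunk, returning 0 when `err == 0` and `Tcl_Eof(statePtr->self)` turns a transport close in the middle of the handshake into a non-error result that leaves `*errorCodePtr` untouched, so any caller inspecting it after a ≤ 0 return sees a stale value. A peer — or anything on the path — dropping the TCP connection before the handshake completes is exactly the case that should be surfaced, since no close_notify has been received and the session was never established; keep the previous `ECONNRESET` reporting, or at minimum set `*errorCodePtr = 0;` ahead of the `return 0;` and add a comment such as `/* transport closed before the handshake finished: report EOF rather than a reset (deliberate) */` so the choice is visible. The enclosing function (presumably Tls_WaitForConnect, given the caller in the @@ -726 hunk) begins and ends outside the hunk.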
@@ -51,10 +51,18 @@ #else #include #include #include #endif + +#ifndef SSL_OP_NO_TLSv1_1 +#define NO_TLS1_1 +#endif + +#ifndef SSL_OP_NO_TLSv1_2 +#define NO_TLS1_2 +#endif #ifdef TCL_STORAGE_CLASS # undef TCL_STORAGE_CLASS #endif #ifdef BUILD_tls Index: win/makefile.vc ================================================================== --- win/makefile.vc +++ win/makefile.vc @@ -16,11 +16,11 @@ # Copyright (c) 2001 ActiveState Corporation. # Copyright (c) 2001-2002 David Gravereaux. # Copyright (c) 2003-2006 Pat Thoyts # #------------------------------------------------------------------------- -# RCS: @(#)$Id: makefile.vc,v 1.10 2012/07/09 23:28:02 andreas_kupries Exp $ +# RCS: @(#)$Id: makefile.vc,v 1.11 2014/12/08 19:09:06 andreas_kupries Exp $ #------------------------------------------------------------------------- # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR) # or with the MS Platform SDK (MSSDK). Visual Studio .NET 2003 and 2005 define # VCINSTALLDIR instead. The MSVC Toolkit release defines yet another. @@ -162,11 +162,11 @@ # Uncomment the following line if this is a Tk extension. #PROJECT_REQUIRES_TK=1 !include "rules.vc" -DOTVERSION = 1.6.3 +DOTVERSION = 1.6.4 VERSION = $(DOTVERSION:.=) STUBPREFIX = $(PROJECT)stub DLLOBJS = \ $(TMP_DIR)\tls.obj \
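Review bot: NO_TLS1_1 and NO_TLS1_2 are derived from the presence of SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2, but tls.c's CTX_Init in this same diff also tests `defined(NO_TLS1)` and nothing defines it; either add the symmetric `#ifndef SSL_OP_NO_TLSv1` / `#define NO_TLS1` / `#endif` here or drop the dead guard in tls.c. A short comment above the block, `/* OpenSSL before 1.0.1 has no TLS 1.1/1.2 methods; use the matching SSL_OP_NO_* flags as the feature test */`, would explain why an option flag stands in for a method-availability check. These definitions depend on the OpenSSL headers included just above them (the include names were lost in rendering), so they must stay below that `#endif`.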