ADDED .fossil-settings/crlf-glob Index: .fossil-settings/crlf-glob ================================================================== --- /dev/null +++ .fossil-settings/crlf-glob @@ -0,0 +1,1 @@ +win/*.vc Index: .fossil-settings/ignore-glob ================================================================== --- .fossil-settings/ignore-glob +++ .fossil-settings/ignore-glob @@ -15,14 +15,15 @@ config.log config.status configure manifest.uuid pkgIndex.tcl -tls.tcl.h -tls.tcl.h.new.1 -tls.tcl.h.new.2 -tlsUuid.h -win/versions.vc +*Uuid.h +win/Debug* win/Release* -win/Debug* +win/version*.vc +win/nmakehlp.exe +win/nmakehlp.obj +win/nmakehlp.out +win/_junk.pch win/nmhlp-out.txt *~ Index: ChangeLog ================================================================== --- ChangeLog +++ ChangeLog @@ -1,5 +1,12 @@ +TclTLS 1.7.22 +========== + +Release Date: Mon Oct 12 15:40:16 CDT 2020 + +https://tcltls.rkeene.org/ + 2015-05-01 Andreas Kupries * configure.in: Bump to version 1.6.5. * win/makefile.vc: * configure: regen with ac-2.59 @@ -23,21 +30,21 @@ * win/makefile.vc: * configure: regen with ac-2.59 * tls.c (MiscObjCmd): Fixed non-static string array used in call of Tcl_GetIndexFromObj(). Memory smash waiting to happen. Thanks - to Brian Griffin for alerting us all to the problem. + to Brian Griffin for alerting us all to the problem. 2012-06-01 Andreas Kupries * tls.c: Applied Jeff's patch from http://www.mail-archive.com/aolserver@listserv.aol.com/msg12356.html * configure.in: Bump to version 1.6.2. * win/makefile.vc: * configure: regen with ac-2.59 - + 2010-08-11 Jeff Hobbs *** TLS 1.6.1 TAGGED *** * configure: regen with ac-2.59 @@ -101,11 +108,11 @@ * win/makefile.vc: with MSVC8 * win/rules.vc: 2007-06-22 Jeff Hobbs - * tlsIO.c (TlsInputProc, TlsOutputProc, TlsWatchProc): + * tlsIO.c (TlsInputProc, TlsOutputProc, TlsWatchProc): * tls.c (VerifyCallback): add an state flag in the verify callback that prevents possibly recursion (on 'update'). [Bug 1652380] * tests/ciphers.test: reworked to make test output cleaner to understand missing ciphers (if any) @@ -113,11 +120,11 @@ * Makefile.in, tclconfig/tcl.m4: update to TEA 3.6 * configure, configure.in: using autoconf-2.59 2007-02-28 Pat Thoyts - * win/makefile.vc: Rebase the DLL sensibly. Additional libs for + * win/makefile.vc: Rebase the DLL sensibly. Additional libs for static link of openssl. * tls.tcl: bug #1579837 - TIP 278 bug (possibly) - fixed. 2006-03-30 Pat Thoyts @@ -135,19 +142,19 @@ build directory. 2004-12-22 Pat Thoyts * configure.in: Incremented minor version to 1.5.1 - * configure: + * configure: 2004-12-17 Pat Thoyts * win/makefile.vc: Added the MSVC build system (from the Tcl * win/rules.vc: sampleextension). * win/nmakehlp.c: * win/tls.rc Added Windows resource file. - + * tls.tcl: From patch #948155, added support for alternate socket commands. * tls.c: Quieten some MSVC warnings. Prefer ckalloc over Tcl_Alloc. (David Graveraux). @@ -180,11 +187,11 @@ * tclconfig/README.txt, tclconfig/install-sh, tclconfig/tcl.m4: 2004-03-17 Dan Razzell * tlsX509.c: Add support for long serial numbers per RFC 3280. - Format is now hexadecimal. + Format is now hexadecimal. [Request #915313] Correctly convert certificate Distinguished Names to Tcl string representation. Eliminates use of deprecated OpenSSL function. Format is now compliant with RFC 2253. [Request #915315] @@ -231,11 +238,11 @@ * tls.c (Tls_Init): added tls::misc command provided by * tlsX509.c: Wojciech Kocjan (wojciech kocjan.org) * tests/keytest1.tcl: to expose more low-level SSL commands * tests/keytest2.tcl: -2003-05-15 Dan Razzell +2003-05-15 Dan Razzell * tls.tcl: * tlsInt.h: * tls.c: add support for binding a password callback to the socket. Now each socket can have its own command and password callbacks instead @@ -370,11 +377,11 @@ loaded into. TLS will fail the test suite with Tcl 8.2-8.3.1. * tests/all.tcl: added catch around ::tcltest::normalizePath because it doesn't exist in pre-8.3 tcltest. - * tests/simpleClient.tcl: + * tests/simpleClient.tcl: * tests/simpleServer.tcl: added simple client/server test scripts that use test certs and can do simple stress tests. 2000-08-14 Jeff Hobbs @@ -473,11 +480,11 @@ 2000-06-05 Scott Stanton * Makefile.in: Fixed broken test target. - * tlsInt.h: + * tlsInt.h: * tls.c: Cleaned up declarations of Tls_Clean to avoid errors on Windows (lint). 2000-06-05 Brent Welch Index: Makefile.in ================================================================== --- Makefile.in +++ Makefile.in @@ -158,11 +158,11 @@ # compiled with. #DEFS = $(TCL_DEFS) @DEFS@ $(PKG_CFLAGS) DEFS = @DEFS@ $(PKG_CFLAGS) # Move pkgIndex.tcl to 'BINARIES' var if it is generated in the Makefile -CONFIG_CLEAN_FILES = Makefile pkgIndex.tcl generic/tls.tcl.h tlsUuid.h +CONFIG_CLEAN_FILES = Makefile pkgIndex.tcl tlsUuid.h CLEANFILES = @CLEANFILES@ CPPFLAGS = @CPPFLAGS@ LIBS = @PKG_LIBS@ @LIBS@ AR = @AR@ @@ -208,17 +208,38 @@ # Your doc target should differentiate from doc builds (by the developer) # and doc installs (see install-doc), which just install the docs on the # end user machine when building from source. #======================================================================== -doc: - @echo "If you have documentation to create, place the commands to" - @echo "build the docs in the 'doc:' target. For example:" - @echo " xml2nroff sample.xml > sample.n" - @echo " xml2html sample.xml > sample.html" +DTPLITE=$(TCLSH) @DTPLITE@ + +doc: make-docs-n make-docs-html + +make-docs-n: doc/tls.man + @echo "make nroff documentation" + @if [ -n "$(DTPLITE)" -a -x "$(DTPLITE)" ]; then \ + $(DTPLITE) -o doc/tls.n nroff doc/tls.man ; \ + fi + +make-docs-html: doc/tls.man + @echo "make HTML documentation" + @if [ -n "$(DTPLITE)" -a -x "$(DTPLITE)" ]; then \ + $(DTPLITE) -o doc/tls.html html doc/tls.man ; \ + fi + +make-docs: doc/tls.man + @echo "make documentation" + @if [ -n "$(DTPLITE)" -a -x "$(DTPLITE)" ]; then \ + $(DTPLITE) -o doc nroff doc ; \ + $(DTPLITE) -o doc html doc ; \ + fi + +#======================================================================== +# Install targets +#======================================================================== -install: all install-binaries install-libraries install-doc +install: all install-binaries install-libraries install-doc-n install-doc-html install-binaries: binaries install-lib-binaries install-bin-binaries #======================================================================== # This rule installs platform-independent files, such as header files. @@ -229,24 +250,48 @@ @$(INSTALL_DATA_DIR) "$(DESTDIR)$(includedir)" @echo "Installing header files in $(DESTDIR)$(includedir)" @list='$(PKG_HEADERS)'; for i in $$list; do \ echo "Installing $(srcdir)/$$i" ; \ $(INSTALL_DATA) $(srcdir)/$$i "$(DESTDIR)$(includedir)" ; \ - done; + done #======================================================================== # Install documentation. Unix manpages should go in the $(mandir) # directory. #======================================================================== -install-doc: doc +install-doc-html: make-docs-html + @$(INSTALL_DATA_DIR) "$(DESTDIR)$(pkglibdir)/html" + @echo "Installing HTML documentation in $(DESTDIR)$(pkglibdir)/html" + @list='doc/*.html'; for i in $$list; do \ + if test -f $$i ; then \ + echo "Installing $$i"; \ + $(INSTALL_DATA) $$i "$(DESTDIR)$(pkglibdir)/html"; \ + fi; \ + done + +install-doc-n: make-docs-n @$(INSTALL_DATA_DIR) "$(DESTDIR)$(mandir)/mann" - @echo "Installing documentation in $(DESTDIR)$(mandir)" - @list='$(srcdir)/doc/*.n'; for i in $$list; do \ - echo "Installing $$i"; \ - $(INSTALL_DATA) $$i "$(DESTDIR)$(mandir)/mann" ; \ + @echo "Installing nroff documentation in $(DESTDIR)$(mandir)/mann" + @list='doc/*.n'; for i in $$list; do \ + if test -f $$i ; then \ + if test -f "$(DESTDIR)$(mandir)/mann/Tcl.n.gz" -o \ + "$(DESTDIR)$(mandir)/mann/Tcl*.n.gz" ; then \ + gzip -k $$i ; \ + echo "Installing $$i.gz"; \ + $(INSTALL_DATA) $$i.gz "$(DESTDIR)$(mandir)/mann" ; \ + rm -f $$i.gz;\ + else \ + echo "Installing $$i"; \ + $(INSTALL_DATA) $$i "$(DESTDIR)$(mandir)/mann" ; \ + fi; \ + fi; \ done + +#======================================================================== +# Test and debug +#======================================================================== test: binaries libraries $(TCLSH) `@CYGPATH@ $(srcdir)/tests/all.tcl` $(TESTFLAGS) \ -load "package ifneeded $(PACKAGE_NAME) $(PACKAGE_VERSION) \ [list load `@CYGPATH@ $(PKG_LIB_FILE)` [string totitle $(PACKAGE_NAME)]]" @@ -290,10 +335,35 @@ $(PKG_STUB_LIB_FILE): $(PKG_STUB_OBJECTS) -rm -f $(PKG_STUB_LIB_FILE) ${MAKE_STUB_LIB} $(RANLIB_STUB) $(PKG_STUB_LIB_FILE) + +#======================================================================== +# Support files needed to compile C code +#======================================================================== + +# Create a C-source-ified version of the script resources for this +# package so that we only need a single file to enable this extension. +# I would prefer to use $< over $?, but FreeBSD's can't handle it, and +# with only one prereq, $? is sufficient. +tls.tcl.h: library/tls.tcl + sed -e '/^\\s*\#/d' -e '/^\\s*$$/d' -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/^/"/' \ + -e 's/$$/\\n\"/' '$?' > '$@' || { rm -f $@; exit 1; } + +# Create header file with fossil, git, or svn UUID for build-info command +$(srcdir)/manifest.uuid: + printf "git-" >$(srcdir)/manifest.uuid + (cd $(srcdir); git rev-parse HEAD >>$(srcdir)/manifest.uuid || \ + (printf "svn-r" >$(srcdir)/manifest.uuid ; \ + svn info --show-item last-changed-revision >>$(srcdir)/manifest.uuid) || \ + printf "unknown" >$(srcdir)/manifest.uuid) + +tlsUuid.h: $(srcdir)/manifest.uuid + echo "#define TLS_VERSION_UUID \\" >$@ + cat $(srcdir)/manifest.uuid >>$@ + echo "" >>$@ #======================================================================== # We need to enumerate the list of .c to .o lines here. # # In the following lines, $(srcdir) refers to the toplevel directory @@ -308,36 +378,15 @@ # As necessary, add $(srcdir):$(srcdir)/compat:.... #======================================================================== VPATH = $(srcdir):$(srcdir)/generic:$(srcdir)/unix:$(srcdir)/win:$(srcdir)/macosx +tls.@OBJEXT@: tlsUuid.h tls.tcl.h + .c.@OBJEXT@: $(COMPILE) -c `@CYGPATH@ $<` -o $@ -# Create a C-source-ified version of the script resources -# for TclTLS so that we only need a single file to enable -# this extension -tls.tcl.h: @srcdir@/library/tls.tcl Makefile - od -A n -v -t xC < '@srcdir@/library/tls.tcl' > tls.tcl.h.new.1 - sed 's@[^0-9A-Fa-f]@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > tls.tcl.h.new.2 - rm -f tls.tcl.h.new.1 - mv tls.tcl.h.new.2 @srcdir@/generic/tls.tcl.h - -tls.o: tlsUuid.h - -$(srcdir)/manifest.uuid: - printf "git-" >$(srcdir)/manifest.uuid - (cd $(srcdir); git rev-parse HEAD >>$(srcdir)/manifest.uuid || \ - (printf "svn-r" >$(srcdir)/manifest.uuid ; \ - svn info --show-item last-changed-revision >>$(srcdir)/manifest.uuid) || \ - printf "unknown" >$(srcdir)/manifest.uuid) - -tlsUuid.h: $(srcdir)/manifest.uuid - echo "#define TLS_VERSION_UUID \\" >$@ - cat $(srcdir)/manifest.uuid >>$@ - echo "" >>$@ - #======================================================================== # Create the pkgIndex.tcl file. # It is usually easiest to let Tcl do this for you with pkg_mkIndex, but # you may find that you need to customize the package. If so, either # modify the -hand version, or create a pkgIndex.tcl.in file and have @@ -361,13 +410,13 @@ DIST_INSTALL_DATA = CPPROG='cp -p' $(INSTALL) -m 644 DIST_INSTALL_DATA_RECUR = CPPROG='cp -p -R' $(INSTALL) DIST_INSTALL_SCRIPT = CPPROG='cp -p' $(INSTALL) -m 755 dist-clean: - rm -rf $(DIST_DIR) $(DIST_ROOT)/$(PKG_DIR).tar.* + rm -rf $(DIST_DIR) $(top_builddir)/$(PKG_DIR).tar.* -dist: dist-clean +dist: dist-clean manifest.uuid # TEA files $(INSTALL_DATA_DIR) $(DIST_DIR) $(DIST_INSTALL_DATA) $(srcdir)/Makefile.in \ $(srcdir)/acinclude.m4 $(srcdir)/aclocal.m4 \ $(srcdir)/configure.ac $(DIST_DIR)/ @@ -376,32 +425,21 @@ # Extension files $(DIST_INSTALL_DATA) $(srcdir)/ChangeLog \ $(srcdir)/license.terms $(srcdir)/manifest.uuid \ $(srcdir)/README.txt $(srcdir)/pkgIndex.tcl.in $(DIST_DIR)/ - # TEA files - $(INSTALL_DATA_DIR) $(DIST_DIR)/tclconfig - $(DIST_INSTALL_DATA) $(srcdir)/tclconfig/README.txt \ - $(srcdir)/tclconfig/tcl.m4 $(srcdir)/tclconfig/install-sh \ - $(srcdir)/tclconfig/license.terms $(DIST_DIR)/tclconfig/ - - $(INSTALL_DATA_DIR) $(DIST_DIR)/win - $(DIST_INSTALL_DATA) \ - $(srcdir)/win/README.txt $(srcdir)/win/*.vc \ - $(srcdir)/win/nmakehlp.c $(srcdir)/win/*.in $(DIST_DIR)/win/ - - list='build demos doc generic library macosx tests unix'; \ + list='build demos doc generic library tclconfig tests win'; \ for p in $$list; do \ if test -d $(srcdir)/$$p ; then \ $(INSTALL_DATA_DIR) $(DIST_DIR)/$$p; \ $(DIST_INSTALL_DATA_RECUR) $(srcdir)/$$p/* $(DIST_DIR)/$$p/; \ fi; \ done (cd $(DIST_ROOT); $(COMPRESS);) - cd $(top_builddir) mv $(DIST_ROOT)/$(PKG_DIR).tar.gz $(top_builddir) + cd $(top_builddir) #======================================================================== # End of user-definable section #======================================================================== @@ -416,11 +454,11 @@ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean: clean -rm -f *.tab.c -rm -f $(CONFIG_CLEAN_FILES) - -rm -f config.cache config.log config.status + -rm -f config.cache config.log config.status configure~ -rm -fR autom4te.cache #======================================================================== # Install binary object libraries. On Windows this includes both .dll and # .lib files. Because the .lib files are not explicitly listed anywhere, @@ -457,10 +495,13 @@ done @if test "x$(SHARED_BUILD)" = "x1"; then \ echo " Install pkgIndex.tcl $(DESTDIR)$(pkglibdir)"; \ $(INSTALL_DATA) pkgIndex.tcl "$(DESTDIR)$(pkglibdir)"; \ fi + @if test -f "$(srcdir)/tlsConfig.sh"; then \ + $(INSTALL_DATA) $(srcdir)/tlsConfig.sh $(DESTDIR)$(libdir); \ + fi #======================================================================== # Install binary executables (e.g. .exe files and dependent .dll files) # This is for files that must go in the bin directory (located next to # wish and tclsh), like dependent .dll files on Windows. Index: README.txt ================================================================== --- README.txt +++ README.txt @@ -2,25 +2,21 @@ Intro ===== This package provides an extension which implements Secure Socket Layer (SSL) -and Transport Layer Security (TLS) over Transmission Control Protocol (TCP) -network communication channels. It utilizes either the OpenSSL or LibreSSL -software library. - -Version 1.9 also provides a cryptography library providing TCL scripts access -to the crypto capabilities of the OpenSSL library. +and Transport Layer Security (TLS) encryption over Transmission Control +Protocol (TCP) network communication channels utilizing the OpenSSL library. Description =========== This extension works by creating a layered TCL Channel on top of an existing bi-directional channel created by the TLS socket command. All existing socket -functionality is supported, in addition to several new options. Both client -and server modes are supported. +functionality is supported in addition to several new options. Both client and +server modes are supported. Documentation ============= @@ -28,55 +24,74 @@ Compatibility ============= -This package requires TCL 8.5 or later. +TCL +--- + +This package requires TCL 8.5 or later. It will also work with TCL 9, but it is +not binary compatible between major TCL versions. This means if this extension +is built with TCL 8.x it will not load into TCL 9 or vice versa. It is best +to compile both separately then install them with the compatible TCL versions. + +OpenSSL +------- + +This package is compatible with OpenSSL v1.1.1 or later, though 3.2 or later is +preferred. See http://www.openssl.org/. Please note that there are a few API +incompatibilities between OpenSSL 1.1.1 and 3.x, so if this extension is built +against OpenSSL 1.1.1 it is not binary compatible with OpenSSL 3.x or vice +versa. + +TCLTLS +------ -This package is compatible with: -- OpenSSL v1.1.1 or later. See (http://www.openssl.org/ -- LibreSSL (TBD version) +There were several changes made in the callback command arguments between +versions 1.7 and 2.0. See doc/tls.html for what changed and library/tls.tcl +for example handler functions that are backwards compatible. Installation ============ -This package uses the Tcl Extension Architecture (TEA) to build and install on -any supported Unix, Mac, or MS Windows system. Either the OpenSSL or LibreSSL -software libraries must be built and available prior to building TCL TLS. +This package uses the TCL Extension Architecture (TEA) to build and install on +any supported Unix, Mac, or MS Windows system. It depends on the OpenSSL +libraries being available prior to building the TCLTLS extension. UNIX and Linux -------------- -The standard TEA config, make and install process is supported. +The standard TEA config, make, and install process is supported. $ cd tcltls $ ./configure --enable-64bit $ make $ make test $ make install -The supported configure options include all of the standard TEA configure script -options, plus: +The supported configure options include all of the standard TEA configure +script options, plus: --disable-tls1 disable TLS1 protocol --disable-tls1_1 disable TLS1.1 protocol --disable-tls1_2 disable TLS1.2 protocol --disable-tls1_3 disable TLS1.3 protocol + --enable-debug enable debugging mode and output more status --enable-ssl-fastpath enable using the underlying file descriptor for talking directly to the SSL library --enable-hardening enable hardening attempts --enable-static-ssl enable static linking to the SSL library If either TCL or OpenSSL are installed in non-standard locations, the following configure options are available. For all options, see ./configure --help. --with-tcl= path to where tclCondig.sh file resides --with-tclinclude= directory containing the public Tcl header files - --with-openssl-dir= path to root directory of OpenSSL or LibreSSL installation - --with-openssl-includedir= path to include directory of OpenSSL or LibreSSL installation - --with-openssl-libdir= path to lib directory of OpenSSL or LibreSSL installation - --with-openssl-pkgconfig= path to root directory of OpenSSL or LibreSSL pkgconfigdir + --with-openssl-dir= path to root directory of OpenSSL installation + --with-openssl-includedir= path to include directory of OpenSSL installation + --with-openssl-libdir= path to lib directory of OpenSSL installation + --with-openssl-pkgconfig= path to root directory of OpenSSL pkg-config directory MacOS ----- @@ -93,11 +108,20 @@ Windows ------- If installing with MinGW, use the TEA build process. If using MS Visual C -(MSVC), see the win/README.txt file for the installation instructions. +(MSVC), see win/README.txt for the build and installation instructions. + + +Certificate Validation +---------------------- + +If OpenSSL is not installed on the system, the Certificate Authority (CA) +provided certificates must be downloaded and installed with the software. +These are used for certificate validation. The CURL team makes them available +at https://curl.se/docs/caextract.html. Look for the cacert.pem file. Copyrights ========== @@ -104,11 +128,11 @@ Original TLS Copyright (C) 1997-2000 Matt Newman TLS 1.4.1 Copyright (C) 2000 Ajuba Solutions TLS 1.6 Copyright (C) 2008 ActiveState Software Inc. TLS 1.7 Copyright (C) 2016 Matt Newman, Ajuba Solutions, ActiveState Software Inc, Roy Keene -TLS 1.8 Copyright (C) 2023 Brian O'Hagan +TLS 1.8-2.0 Copyright (C) 2023-2024 Brian O'Hagan Acknowledgments =============== Non-exclusive credits for TLS are: Index: acinclude.m4 ================================================================== --- acinclude.m4 +++ acinclude.m4 @@ -7,57 +7,81 @@ # # Add here whatever m4 macros you want to define for your package # AC_DEFUN([TCLTLS_SSL_OPENSSL], [ + dnl Determine if pkg-config tool is available AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) + dnl Enable support for SSL 3.0 protocol + AC_ARG_ENABLE([ssl3], AS_HELP_STRING([--disable-ssl3], [disable SSL3 protocol]), [ + if test "$enableval" == "no"; then + AC_DEFINE([NO_SSL3], [1], [Disable SSL3 protocol]) + AC_MSG_CHECKING([for disable SSL3 protocol]) + AC_MSG_RESULT([yes]) + fi + ], AC_DEFINE([NO_SSL3], [1], [Disable SSL3 protocol])) + dnl Disable support for TLS 1.0 protocol AC_ARG_ENABLE([tls1], AS_HELP_STRING([--disable-tls1], [disable TLS1 protocol]), [ - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then AC_DEFINE([NO_TLS1], [1], [Disable TLS1 protocol]) AC_MSG_CHECKING([for disable TLS1 protocol]) AC_MSG_RESULT([yes]) fi ]) dnl Disable support for TLS 1.1 protocol AC_ARG_ENABLE([tls1_1], AS_HELP_STRING([--disable-tls1_1], [disable TLS1.1 protocol]), [ - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then AC_DEFINE([NO_TLS1_1], [1], [Disable TLS1.1 protocol]) AC_MSG_CHECKING([for disable TLS1.1 protocol]) AC_MSG_RESULT([yes]) fi ]) dnl Disable support for TLS 1.2 protocol AC_ARG_ENABLE([tls1_2], AS_HELP_STRING([--disable-tls1_2], [disable TLS1.2 protocol]), [ - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then AC_DEFINE([NO_TLS1_2], [1], [Disable TLS1.2 protocol]) AC_MSG_CHECKING([for disable TLS1.2 protocol]) AC_MSG_RESULT([yes]) fi ]) dnl Disable support for TLS 1.3 protocol AC_ARG_ENABLE([tls1_3], AS_HELP_STRING([--disable-tls1_3], [disable TLS1.3 protocol]), [ - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then AC_DEFINE([NO_TLS1_3], [1], [Disable TLS1.3 protocol]) AC_MSG_CHECKING([for disable TLS1.3 protocol]) AC_MSG_RESULT([yes]) fi ]) + + dnl Determine if debugging mode should be enabled + AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], + [enable debugging mode and output more status]), [ + tcltls_debug_mode="$enableval" + ], [ + tcltls_debug_mode='no' + ]) + if test "$tcltls_debug_mode" == 'yes'; then + AC_DEFINE(TCLEXT_TCLTLS_DEBUG, [1], [Enable debugging mode]) + fi + AC_MSG_CHECKING([for debug mode]) + AC_MSG_RESULT([$tcltls_debug_mode]) + dnl Determine if we have been asked to use a fast path if possible AC_ARG_ENABLE([ssl-fastpath], AS_HELP_STRING([--enable-ssl-fastpath], [enable using the underlying file descriptor for talking directly to the SSL library]), [ tcltls_ssl_fastpath="$enableval" ], [ tcltls_ssl_fastpath='no' ]) - if test "$tcltls_ssl_fastpath" = 'yes'; then + if test "$tcltls_ssl_fastpath" == 'yes'; then AC_DEFINE(TCLTLS_SSL_USE_FASTPATH, [1], [Enable SSL library direct use of the underlying file descriptor]) fi AC_MSG_CHECKING([for fast path]) AC_MSG_RESULT([$tcltls_ssl_fastpath]) @@ -66,12 +90,12 @@ AC_ARG_ENABLE([hardening], AS_HELP_STRING([--enable-hardening], [enable hardening attempts]), [ tcltls_enable_hardening="$enableval" ], [ tcltls_enable_hardening='yes' ]) - if test "$tcltls_enable_hardening" = 'yes'; then - if test "$GCC" = 'yes' -o "$CC" = 'clang'; then + if test "$tcltls_enable_hardening" == 'yes'; then + if test "$GCC" == 'yes' -o "$CC" = 'clang'; then TEA_ADD_CFLAGS([-fstack-protector-all]) TEA_ADD_CFLAGS([-fno-strict-overflow]) AC_DEFINE([_FORTIFY_SOURCE], [2], [Enable fortification]) fi fi @@ -90,11 +114,11 @@ dnl Set SSL files root path AC_ARG_WITH([openssl-dir], AS_HELP_STRING([--with-openssl-dir=], - [path to root directory of OpenSSL or LibreSSL installation] + [path to root directory of OpenSSL installation] ), [ openssldir="$withval" ], [ openssldir='' ] @@ -103,47 +127,46 @@ AC_MSG_RESULT($openssldir) dnl Set SSL include files path AC_ARG_WITH([openssl-includedir], AS_HELP_STRING([--with-openssl-includedir=], - [path to include directory of OpenSSL or LibreSSL installation] + [path to include directory of OpenSSL installation] ), [ opensslincludedir="$withval" ], [ - if test ! -z "$openssldir"; then + if test -n "$openssldir"; then opensslincludedir="${openssldir}/include" else opensslincludedir='' fi ] ) AC_MSG_CHECKING([for OpenSSL include directory]) AC_MSG_RESULT($opensslincludedir) - dnl Set SSL include vars - if test ! -z "$opensslincludedir"; then - if test -f "$opensslincludedir/openssl/ssl.h"; then + dnl Set SSL include variables + if test -n "$opensslincludedir"; then + AC_MSG_CHECKING([for ssl.h]) + if test -f "${opensslincludedir}/openssl/ssl.h"; then TCLTLS_SSL_CFLAGS="-I$opensslincludedir" TCLTLS_SSL_INCLUDES="-I$opensslincludedir" - AC_MSG_CHECKING([for ssl.h]) AC_MSG_RESULT([yes]) else - AC_MSG_CHECKING([for ssl.h]) AC_MSG_RESULT([no]) AC_MSG_ERROR([Unable to locate ssl.h]) fi fi dnl Set SSL lib files path AC_ARG_WITH([openssl-libdir], AS_HELP_STRING([--with-openssl-libdir=], - [path to lib directory of OpenSSL or LibreSSL installation] + [path to lib directory of OpenSSL installation] ), [ openssllibdir="$withval" ], [ - if test ! -z "$openssldir"; then - if test "$do64bit" == 'yes'; then + if test -n "$openssldir"; then + if test "$do64bit" == 'yes' -a -d ${openssldir}/lib64; then openssllibdir="$openssldir/lib64" else openssllibdir="$openssldir/lib" fi else @@ -152,30 +175,30 @@ ] ) AC_MSG_CHECKING([for OpenSSL lib directory]) AC_MSG_RESULT($openssllibdir) - dnl Set SSL lib vars - if test ! -z "$openssllibdir"; then - if test -f "$openssllibdir/libssl${SHLIB_SUFFIX}"; then - if test "${TCLEXT_TLS_STATIC_SSL}" == 'no'; then - TCLTLS_SSL_LIBS="-L$openssllibdir -lcrypto -lssl" - #else - # Linux and Solaris - #TCLTLS_SSL_LIBS="-Wl,-Bstatic `$PKG_CONFIG --static --libs crypto ssl` -Wl,-Bdynamic" - # HPUX - # -Wl,-a,archive ... -Wl,-a,shared_archive - fi + dnl Set SSL lib variables + SSL_LIBS_PATH='' + if test -n "$openssllibdir"; then + if test "$TCLEXT_TLS_STATIC_SSL" == 'no'; then + LIBEXT=${SHLIB_SUFFIX} + else + LIBEXT='.a' + fi + + if test -f "${openssllibdir}/libssl${LIBEXT}"; then + SSL_LIBS_PATH="-L$openssllibdir" else - AC_MSG_ERROR([Unable to locate libssl${SHLIB_SUFFIX}]) + AC_MSG_ERROR([Unable to locate libssl${LIBEXT}]) fi fi dnl Set location of pkgconfig files AC_ARG_WITH([openssl-pkgconfig], AS_HELP_STRING([--with-openssl-pkgconfig=], - [path to pkgconfigdir directory for OpenSSL or LibreSSL] + [path to pkgconfigdir directory for OpenSSL] ), [ opensslpkgconfigdir="$withval" ], [ if test -d ${libdir}/../pkgconfig; then opensslpkgconfigdir="$libdir/../pkgconfig" @@ -185,55 +208,67 @@ ] ) AC_MSG_CHECKING([for OpenSSL pkgconfig]) AC_MSG_RESULT($opensslpkgconfigdir) - - # Use Package Config tool to get config - pkgConfigExtraArgs='' - if test "${SHARED_BUILD}" == 0 -o "$TCLEXT_TLS_STATIC_SSL" = 'yes'; then - pkgConfigExtraArgs='--static' - fi - - dnl Use pkg-config to find the libraries - if test -n "${PKG_CONFIG}"; then + dnl Use pkg-config to find OpenSSL if not already found + if test -n "$PKG_CONFIG" -a -z "$openssldir" -a -z "$opensslincludedir" -a -z "$openssllibdir"; then + USE_PKG_CONFIG=`"${PKG_CONFIG}" --list-all | grep openssl` + + dnl Use pkg-config to find the library names + if test -n "$USE_PKG_CONFIG"; then dnl Temporarily update PKG_CONFIG_PATH PKG_CONFIG_PATH_SAVE="${PKG_CONFIG_PATH}" - if test -n "${opensslpkgconfigdir}"; then + if test -n "$opensslpkgconfigdir"; then if ! test -f "${opensslpkgconfigdir}/openssl.pc"; then AC_MSG_ERROR([Unable to locate ${opensslpkgconfigdir}/openssl.pc]) fi PKG_CONFIG_PATH="${opensslpkgconfigdir}:${PKG_CONFIG_PATH}" export PKG_CONFIG_PATH fi + + pkgConfigExtraArgs='' + if test "$SHARED_BUILD" == "0" -o "$TCLEXT_TLS_STATIC_SSL" == 'yes'; then + pkgConfigExtraArgs='--static' + fi + if test -z "$TCLTLS_SSL_LIBS"; then - TCLTLS_SSL_LIBS="`"${PKG_CONFIG}" openssl --libs $pkgConfigExtraArgs`" || AC_MSG_ERROR([Unable to get OpenSSL Configuration]) + TCLTLS_SSL_LIBS="$SSL_LIBS_PATH `${PKG_CONFIG} openssl --libs $pkgConfigExtraArgs`" || AC_MSG_ERROR([Unable to get OpenSSL Configuration]) + if test "${TCLEXT_TLS_STATIC_SSL}" == 'yes'; then + TCLTLS_SSL_LIBS="-Wl,-Bstatic $TCLTLS_SSL_LIBS -Wl,-Bdynamic" + fi fi if test -z "$TCLTLS_SSL_CFLAGS"; then TCLTLS_SSL_CFLAGS="`"${PKG_CONFIG}" openssl --cflags-only-other $pkgConfigExtraArgs`" || AC_MSG_ERROR([Unable to get OpenSSL Configuration]) fi if test -z "$TCLTLS_SSL_INCLUDES"; then TCLTLS_SSL_INCLUDES="`"${PKG_CONFIG}" openssl --cflags-only-I $pkgConfigExtraArgs`" || AC_MSG_ERROR([Unable to get OpenSSL Configuration]) fi PKG_CONFIG_PATH="${PKG_CONFIG_PATH_SAVE}" + fi fi - - dnl Fallback settings for OpenSSL includes and libs - if test -z "$TCLTLS_SSL_LIBS"; then - TCLTLS_SSL_LIBS="-lcrypto -lssl" - fi + dnl Use fall-back settings for OpenSSL include and library paths if test -z "$TCLTLS_SSL_CFLAGS"; then TCLTLS_SSL_CFLAGS="" fi if test -z "$TCLTLS_SSL_INCLUDES"; then if test -f /usr/include/openssl/ssl.h; then TCLTLS_SSL_INCLUDES="-I/usr/include" fi fi + if test -z "$TCLTLS_SSL_LIBS"; then + if test "$TCLEXT_TLS_STATIC_SSL" == 'no'; then + TCLTLS_SSL_LIBS="$SSL_LIBS_PATH -lssl -lcrypto" + else + # Linux and Solaris + TCLTLS_SSL_LIBS="$SSL_LIBS_PATH -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic" + # HPUX: -Wl,-a,archive ... -Wl,-a,shared_archive + fi + fi dnl Include config variables in --help list and make available to be substituted via AC_SUBST. - AC_ARG_VAR([TCLTLS_SSL_CFLAGS], [C compiler flags for OpenSSL or LibreSSL]) - AC_ARG_VAR([TCLTLS_SSL_INCLUDES], [C compiler include paths for OpenSSL or LibreSSL]) - AC_ARG_VAR([TCLTLS_SSL_LIBS], [libraries to pass to the linker for OpenSSL or LibreSSL]) + AC_ARG_VAR([TCLTLS_SSL_CFLAGS], [C compiler flags for OpenSSL]) + AC_ARG_VAR([TCLTLS_SSL_INCLUDES], [C compiler include paths for OpenSSL]) + AC_ARG_VAR([TCLTLS_SSL_LIBS], [libraries to pass to the linker for OpenSSL]) ]) DELETED build/update-wiki-docs Index: build/update-wiki-docs ================================================================== --- build/update-wiki-docs +++ /dev/null @@ -1,16 +0,0 @@ -#! /usr/bin/env bash - -version="$1" - -cd "$(dirname "$(which "$0")")/.." || exit 1 - -if [ -z "${version}" ]; then - version="$(cat configure.ac | grep AC_INIT | head -1 | sed 's@^AC_INIT([^,]*, *@@;s@,.*$@@;s@ *)$@@')" -fi - -newBody="$(cat tls.htm | sed 's@\[@[@g' | sed '/<\/body>/,$ d;0,/]/ d;// d' | sed 's/@@VERS@@/'"${version}"'/g' | grep -iv '^[@g' | sed '/<\/body>/,$ d;0,/]/ d;// d' | sed 's/@@VERS@@/'"${version}"'/g' | grep -iv '^/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST -else $as_nop - case `(set -o) 2>/dev/null` in #( +else case e in #( + e) case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; +esac ;; esac fi @@ -99,11 +99,11 @@ done IFS=$as_save_IFS ;; esac -# We did not find ourselves, most probably we were run as `sh COMMAND' +# We did not find ourselves, most probably we were run as 'sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then @@ -129,32 +129,32 @@ *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. +# out after a failed 'exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="as_nop=: -if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 + as_bourne_compatible="if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST -else \$as_nop - case \`(set -o) 2>/dev/null\` in #( +else case e in #( + e) case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; +esac ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } @@ -168,12 +168,13 @@ as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ) then : -else \$as_nop - exitcode=1; echo positional parameters were not saved. +else case e in #( + e) exitcode=1; echo positional parameters were not saved. ;; +esac fi test x\$exitcode = x0 || exit 1 blah=\$(echo \$(echo blah)) test x\"\$blah\" = xblah || exit 1 test -x / || exit 1" @@ -183,18 +184,19 @@ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null then : as_have_required=yes -else $as_nop - as_have_required=no +else case e in #( + e) as_have_required=no ;; +esac fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null then : -else $as_nop - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +else case e in #( + e) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS case $as_dir in #((( @@ -223,16 +225,17 @@ done IFS=$as_save_IFS if $as_found then : -else $as_nop - if { test -f "$SHELL" || test -f "$SHELL.exe"; } && +else case e in #( + e) if { test -f "$SHELL" || test -f "$SHELL.exe"; } && as_run=a "$SHELL" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$SHELL as_have_required=yes -fi +fi ;; +esac fi if test "x$CONFIG_SHELL" != x then : @@ -250,11 +253,11 @@ *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. +# out after a failed 'exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno @@ -269,11 +272,12 @@ $0: including any error possibly output before this $0: message. Then install a modern shell, or manually run $0: the script under such a shell if you do have one." fi exit 1 -fi +fi ;; +esac fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. @@ -308,18 +312,10 @@ { set +e as_fn_set_status $1 exit $1 } # as_fn_exit -# as_fn_nop -# --------- -# Do nothing but, unlike ":", preserve the value of $?. -as_fn_nop () -{ - return $? -} -as_nop=as_fn_nop # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () @@ -384,15 +380,16 @@ then : eval 'as_fn_append () { eval $1+=\$2 }' -else $as_nop - as_fn_append () +else case e in #( + e) as_fn_append () { eval $1=\$$1\$2 - } + } ;; +esac fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the @@ -402,25 +399,18 @@ then : eval 'as_fn_arith () { as_val=$(( $* )) }' -else $as_nop - as_fn_arith () +else case e in #( + e) as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` - } + } ;; +esac fi # as_fn_arith -# as_fn_nop -# --------- -# Do nothing but, unlike ":", preserve the value of $?. -as_fn_nop () -{ - return $? -} -as_nop=as_fn_nop # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the @@ -490,10 +480,12 @@ sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' + t clear + :clear s/[$]LINENO.*/&-/ t lineno b :lineno N @@ -538,11 +530,10 @@ # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' - rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir @@ -550,13 +541,13 @@ fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. + # 1) On MSYS, both 'ln -s file dir' and 'ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; 'ln -s' creates a wrapper executable. + # In both cases, we have to default to 'cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else @@ -577,14 +568,16 @@ as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +as_sed_cpp="y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" +as_tr_cpp="eval sed '$as_sed_cpp'" # deprecated # Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" +as_sed_sh="y%*+%pp%;s%[^_$as_cr_alnum]%_%g" +as_tr_sh="eval sed '$as_sed_sh'" # deprecated test -n "$DJDIR" || exec 7<&0 &1 @@ -657,12 +650,10 @@ PKG_STUB_LIB_FILE MAKE_STUB_LIB MAKE_STATIC_LIB MAKE_SHARED_LIB MAKE_LIB -EGREP -GREP LDFLAGS_DEFAULT CFLAGS_DEFAULT LD_LIBRARY_PATH_VAR SHLIB_CFLAGS SHLIB_LD_LIBS @@ -775,14 +766,16 @@ enable_stubs enable_64bit enable_64bit_vis enable_rpath enable_symbols +enable_ssl3 enable_tls1 enable_tls1_1 enable_tls1_2 enable_tls1_3 +enable_debug enable_ssl_fastpath enable_hardening enable_static_ssl with_openssl_dir with_openssl_includedir @@ -907,11 +900,11 @@ -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: \`$ac_useropt'" + as_fn_error $? "invalid feature name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" @@ -933,11 +926,11 @@ -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: \`$ac_useropt'" + as_fn_error $? "invalid feature name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" @@ -1146,11 +1139,11 @@ -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: \`$ac_useropt'" + as_fn_error $? "invalid package name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" @@ -1162,11 +1155,11 @@ -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: \`$ac_useropt'" + as_fn_error $? "invalid package name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" @@ -1192,20 +1185,20 @@ ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; - -*) as_fn_error $? "unrecognized option: \`$ac_option' -Try \`$0 --help' for more information" + -*) as_fn_error $? "unrecognized option: '$ac_option' +Try '$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) - as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; + as_fn_error $? "invalid variable name: '$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) @@ -1251,11 +1244,11 @@ NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done -# There might be people who depend on the old broken behavior: `$host' +# There might be people who depend on the old broken behavior: '$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias @@ -1319,11 +1312,11 @@ fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi -ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_msg="sources are in $srcdir, but 'cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then @@ -1347,11 +1340,11 @@ # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tls 1.8.0 to adapt to many kinds of systems. +'configure' configures tls 1.8.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. @@ -1361,26 +1354,26 @@ Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit - -q, --quiet, --silent do not print \`checking ...' messages + -q, --quiet, --silent do not print 'checking ...' messages --cache-file=FILE cache test results in FILE [disabled] - -C, --config-cache alias for \`--cache-file=config.cache' + -C, --config-cache alias for '--cache-file=config.cache' -n, --no-create do not create output files - --srcdir=DIR find the sources in DIR [configure dir or \`..'] + --srcdir=DIR find the sources in DIR [configure dir or '..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] -By default, \`make install' will install all the files in -\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify -an installation prefix other than \`$ac_default_prefix' using \`--prefix', -for instance \`--prefix=\$HOME'. +By default, 'make install' will install all the files in +'$ac_default_prefix/bin', '$ac_default_prefix/lib' etc. You can specify +an installation prefix other than '$ac_default_prefix' using '--prefix', +for instance '--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] @@ -1425,14 +1418,16 @@ shared builds (default: on) --enable-64bit enable 64bit support (default: off) --enable-64bit-vis enable 64bit Sparc VIS support (default: off) --disable-rpath disable rpath support (default: on) --enable-symbols build with debugging symbols (default: off) + --disable-ssl3 disable SSL3 protocol --disable-tls1 disable TLS1 protocol --disable-tls1_1 disable TLS1.1 protocol --disable-tls1_2 disable TLS1.2 protocol --disable-tls1_3 disable TLS1.3 protocol + --enable-debug enable debugging mode and output more status --enable-ssl-fastpath enable using the underlying file descriptor for talking directly to the SSL library --enable-hardening enable hardening attempts --enable-static-ssl enable static linking to the SSL library @@ -1442,21 +1437,17 @@ --with-tcl directory containing tcl configuration (tclConfig.sh) --with-tcl8 Compile for Tcl8 in Tcl9 environment --with-tclinclude directory containing the public Tcl header files --with-openssl-dir= - path to root directory of OpenSSL or LibreSSL - installation + path to root directory of OpenSSL installation --with-openssl-includedir= - path to include directory of OpenSSL or LibreSSL - installation + path to include directory of OpenSSL installation --with-openssl-libdir= - path to lib directory of OpenSSL or LibreSSL - installation + path to lib directory of OpenSSL installation --with-openssl-pkgconfig= - path to pkgconfigdir directory for OpenSSL or - LibreSSL + path to pkgconfigdir directory for OpenSSL Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a @@ -1464,17 +1455,17 @@ LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor TCLTLS_SSL_CFLAGS - C compiler flags for OpenSSL or LibreSSL + C compiler flags for OpenSSL TCLTLS_SSL_INCLUDES - C compiler include paths for OpenSSL or LibreSSL + C compiler include paths for OpenSSL TCLTLS_SSL_LIBS - libraries to pass to the linker for OpenSSL or LibreSSL + libraries to pass to the linker for OpenSSL -Use these variables to override the choices made by `configure' or to help +Use these variables to override the choices made by 'configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to the package provider. _ACEOF ac_status=$? @@ -1538,13 +1529,13 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF tls configure 1.8.0 -generated by GNU Autoconf 2.71 +generated by GNU Autoconf 2.72 -Copyright (C) 2021 Free Software Foundation, Inc. +Copyright (C) 2023 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi @@ -1579,15 +1570,16 @@ test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext then : ac_retval=0 -else $as_nop - printf "%s\n" "$as_me: failed program was:" >&5 +else case e in #( + e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_retval=1 + ac_retval=1 ;; +esac fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile @@ -1617,97 +1609,22 @@ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err } then : ac_retval=0 -else $as_nop - printf "%s\n" "$as_me: failed program was:" >&5 +else case e in #( + e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_retval=1 + ac_retval=1 ;; +esac fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp -# ac_fn_c_try_run LINENO -# ---------------------- -# Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that -# executables *can* be run. -ac_fn_c_try_run () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; } -then : - ac_retval=0 -else $as_nop - printf "%s\n" "$as_me: program exited with status $ac_status" >&5 - printf "%s\n" "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=$ac_status -fi - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_run - -# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES -# ------------------------------------------------------- -# Tests whether HEADER exists and can be compiled using the include files in -# INCLUDES, setting the cache variable VAR accordingly. -ac_fn_c_check_header_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -printf %s "checking for $2... " >&6; } -if eval test \${$3+y} -then : - printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -#include <$2> -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - eval "$3=yes" -else $as_nop - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext -fi -eval ac_res=\$$3 - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -printf "%s\n" "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_header_compile - # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { @@ -1735,15 +1652,16 @@ test "$cross_compiling" = yes || test -x conftest$ac_exeext } then : ac_retval=0 -else $as_nop - printf "%s\n" "$as_me: failed program was:" >&5 +else case e in #( + e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - ac_retval=1 + ac_retval=1 ;; +esac fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. @@ -1751,10 +1669,89 @@ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link +# ac_fn_c_try_run LINENO +# ---------------------- +# Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that +# executables *can* be run. +ac_fn_c_try_run () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +printf "%s\n" "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +printf "%s\n" "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; } +then : + ac_retval=0 +else case e in #( + e) printf "%s\n" "$as_me: program exited with status $ac_status" >&5 + printf "%s\n" "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=$ac_status ;; +esac +fi + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_run + +# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists and can be compiled using the include files in +# INCLUDES, setting the cache variable VAR accordingly. +ac_fn_c_check_header_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +printf %s "checking for $2... " >&6; } +if eval test \${$3+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + eval "$3=yes" +else case e in #( + e) eval "$3=no" ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac +fi +eval ac_res=\$$3 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +printf "%s\n" "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_header_compile + # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { @@ -1762,19 +1759,19 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $2 (); below. */ + which can conflict with char $2 (void); below. */ #include #undef $2 /* Override any GCC internal prototype to avoid an error. @@ -1781,11 +1778,11 @@ Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif -char $2 (); +char $2 (void); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me @@ -1800,15 +1797,17 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : eval "$3=yes" -else $as_nop - eval "$3=no" +else case e in #( + e) eval "$3=no" ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext + conftest$ac_exeext conftest.$ac_ext ;; +esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno @@ -1837,11 +1836,11 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by tls $as_me 1.8.0, which was -generated by GNU Autoconf 2.71. Invocation command line was +generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw _ACEOF exec 5>>config.log @@ -2083,14 +2082,14 @@ if test -f "$ac_site_file" && test -r "$ac_site_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 printf "%s\n" "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ - || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} + || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file -See \`config.log' for more details" "$LINENO" 5; } +See 'config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files @@ -2122,13 +2121,11 @@ #include struct stat; /* Most of the following tests are stolen from RCS 5.7 src/conf.sh. */ struct buf { int x; }; struct buf * (*rcsopen) (struct buf *, struct stat *, int); -static char *e (p, i) - char **p; - int i; +static char *e (char **p, int i) { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { @@ -2138,10 +2135,25 @@ s = g (p, va_arg (v,int)); va_end (v); return s; } +/* C89 style stringification. */ +#define noexpand_stringify(a) #a +const char *stringified = noexpand_stringify(arbitrary+token=sequence); + +/* C89 style token pasting. Exercises some of the corner cases that + e.g. old MSVC gets wrong, but not very hard. */ +#define noexpand_concat(a,b) a##b +#define expand_concat(a,b) noexpand_concat(a,b) +extern int vA; +extern int vbee; +#define aye A +#define bee B +int *pvA = &expand_concat(v,aye); +int *pvbee = &noexpand_concat(v,bee); + /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not \xHH hex character constants. These do not provoke an error unfortunately, instead are silently treated as an "x". The following induces an error, until -std is added to get proper ANSI mode. Curiously \x00 != x always comes out true, for an @@ -2165,20 +2177,23 @@ ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]); ' # Test code for whether the C compiler supports C99 (global declarations) ac_c_conftest_c99_globals=' -// Does the compiler advertise C99 conformance? +/* Does the compiler advertise C99 conformance? */ #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L # error "Compiler does not advertise C99 conformance" #endif + +// See if C++-style comments work. #include extern int puts (const char *); extern int printf (const char *, ...); extern int dprintf (int, const char *, ...); extern void *malloc (size_t); +extern void free (void *); // Check varargs macros. These examples are taken from C99 6.10.3.5. // dprintf is used instead of fprintf to avoid needing to declare // FILE and stderr. #define debug(...) dprintf (2, __VA_ARGS__) @@ -2224,11 +2239,10 @@ typedef const char *ccp; static inline int test_restrict (ccp restrict text) { - // See if C++-style comments work. // Iterate through items via the restricted pointer. // Also check for declarations in for loops. for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i) continue; return 0; @@ -2290,10 +2304,12 @@ struct incomplete_array *ia = malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); ia->datasize = 10; for (int i = 0; i < ia->datasize; ++i) ia->data[i] = i * 1.234; + // Work around memory leak warnings. + free (ia); // Check named initializers. struct named_init ni = { .number = 34, .name = L"Test wide string", @@ -2311,11 +2327,11 @@ || dynamic_array[ni.number - 1] != 543); ' # Test code for whether the C compiler supports C11 (global declarations) ac_c_conftest_c11_globals=' -// Does the compiler advertise C11 conformance? +/* Does the compiler advertise C11 conformance? */ #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L # error "Compiler does not advertise C11 conformance" #endif // Check _Alignas. @@ -2434,36 +2450,36 @@ eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -printf "%s\n" "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' was set to '$ac_old_val' in the previous run" >&5 +printf "%s\n" "$as_me: error: '$ac_var' was set to '$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 -printf "%s\n" "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' was not set in the previous run" >&5 +printf "%s\n" "$as_me: error: '$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 -printf "%s\n" "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' has changed since the previous run:" >&5 +printf "%s\n" "$as_me: error: '$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 -printf "%s\n" "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in '$ac_var' since the previous run:" >&5 +printf "%s\n" "$as_me: warning: ignoring whitespace changes in '$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 -printf "%s\n" "$as_me: former value: \`$ac_old_val'" >&2;} - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 -printf "%s\n" "$as_me: current value: \`$ac_new_val'" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: former value: '$ac_old_val'" >&5 +printf "%s\n" "$as_me: former value: '$ac_old_val'" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: current value: '$ac_new_val'" >&5 +printf "%s\n" "$as_me: current value: '$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in @@ -2475,15 +2491,15 @@ *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 printf "%s\n" "$as_me: error: changes in the environment can compromise the build" >&2;} - as_fn_error $? "run \`${MAKE-make} distclean' and/or \`rm $cache_file' + as_fn_error $? "run '${MAKE-make} distclean' and/or 'rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## @@ -2527,12 +2543,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CYGPATH+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CYGPATH"; then +else case e in #( + e) if test -n "$CYGPATH"; then ac_cv_prog_CYGPATH="$CYGPATH" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -2551,11 +2567,12 @@ done done IFS=$as_save_IFS test -z "$ac_cv_prog_CYGPATH" && ac_cv_prog_CYGPATH="echo" -fi +fi ;; +esac fi CYGPATH=$ac_cv_prog_CYGPATH if test -n "$CYGPATH"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CYGPATH" >&5 printf "%s\n" "$CYGPATH" >&6; } @@ -2630,12 +2647,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking system version" >&5 printf %s "checking system version... " >&6; } if test ${tcl_cv_sys_version+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) # TEA specific: if test "${TEA_PLATFORM}" = "windows" ; then tcl_cv_sys_version=windows else tcl_cv_sys_version=`uname -s`-`uname -r` @@ -2650,11 +2667,12 @@ if test "`uname -s`" = "NetBSD" -a -f /etc/debian_version ; then tcl_cv_sys_version=NetBSD-Debian fi fi fi - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_sys_version" >&5 printf "%s\n" "$tcl_cv_sys_version" >&6; } system=$tcl_cv_sys_version @@ -2706,12 +2724,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Tcl configuration" >&5 printf %s "checking for Tcl configuration... " >&6; } if test ${ac_cv_c_tclconfig+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) # First check to see if --with-tcl was specified. if test x"${with_tclconfig}" != x ; then case "${with_tclconfig}" in */tclConfig.sh ) @@ -2792,14 +2810,20 @@ `ls -d /usr/local/lib 2>/dev/null` \ `ls -d /usr/contrib/lib 2>/dev/null` \ `ls -d /usr/pkg/lib 2>/dev/null` \ `ls -d /usr/lib 2>/dev/null` \ `ls -d /usr/lib64 2>/dev/null` \ + `ls -d /usr/lib/tcl9.0 2>/dev/null` \ + `ls -d /usr/lib/tcl8.7 2>/dev/null` \ `ls -d /usr/lib/tcl8.6 2>/dev/null` \ `ls -d /usr/lib/tcl8.5 2>/dev/null` \ + `ls -d /usr/local/lib/tcl9.0 2>/dev/null` \ + `ls -d /usr/local/lib/tcl8.7 2>/dev/null` \ `ls -d /usr/local/lib/tcl8.6 2>/dev/null` \ `ls -d /usr/local/lib/tcl8.5 2>/dev/null` \ + `ls -d /usr/local/lib/tcl/tcl9.0 2>/dev/null` \ + `ls -d /usr/local/lib/tcl/tcl8.7 2>/dev/null` \ `ls -d /usr/local/lib/tcl/tcl8.6 2>/dev/null` \ `ls -d /usr/local/lib/tcl/tcl8.5 2>/dev/null` \ ; do if test -f "$i/tclConfig.sh" ; then ac_cv_c_tclconfig="`(cd $i; pwd)`" @@ -2824,11 +2848,12 @@ ac_cv_c_tclconfig="`(cd $i/unix; pwd)`" break fi done fi - + ;; +esac fi if test x"${ac_cv_c_tclconfig}" = x ; then TCL_BIN_DIR="# no Tcl configs found" @@ -2861,12 +2886,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -2884,11 +2909,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -2906,12 +2932,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then +else case e in #( + e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -2929,11 +2955,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } @@ -2964,12 +2991,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -2987,11 +3014,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -3009,12 +3037,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -3049,11 +3077,12 @@ # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@" fi fi -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -3073,12 +3102,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -3096,11 +3125,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -3122,12 +3152,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then +else case e in #( + e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -3145,11 +3175,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } @@ -3183,12 +3214,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -3206,11 +3237,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -3228,12 +3260,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then +else case e in #( + e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -3251,11 +3283,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } @@ -3280,14 +3313,14 @@ fi fi -test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} +test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5; } +See 'config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 @@ -3355,12 +3388,12 @@ (eval "$ac_link_default") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : - # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. -# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' + # Autoconf-2.13 could set the ac_cv_exeext variable to 'no'. +# So ignore a value of 'no', otherwise this would lead to 'EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do @@ -3376,11 +3409,11 @@ if test ${ac_cv_exeext+y} && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not - # safe: cross compilers may not add the suffix if given an `-o' + # safe: cross compilers may not add the suffix if given an '-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) @@ -3387,27 +3420,29 @@ break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= -else $as_nop - ac_file='' +else case e in #( + e) ac_file='' ;; +esac fi if test -z "$ac_file" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} +{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables -See \`config.log' for more details" "$LINENO" 5; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } +See 'config.log' for more details" "$LINENO" 5; } +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 printf %s "checking for C compiler default output file name... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 printf "%s\n" "$ac_file" >&6; } @@ -3427,28 +3462,29 @@ (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : - # If both `conftest.exe' and `conftest' are `present' (well, observable) -# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -# work properly (i.e., refer to `conftest.exe'), while it won't with -# `rm'. + # If both 'conftest.exe' and 'conftest' are 'present' (well, observable) +# catch 'conftest.exe'. For instance with Cygwin, 'ls conftest' will +# work properly (i.e., refer to 'conftest.exe'), while it won't with +# 'rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done -else $as_nop - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} +else case e in #( + e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details" "$LINENO" 5; } +See 'config.log' for more details" "$LINENO" 5; } ;; +esac fi rm -f conftest conftest$ac_cv_exeext { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 printf "%s\n" "$ac_cv_exeext" >&6; } @@ -3460,10 +3496,12 @@ #include int main (void) { FILE *f = fopen ("conftest.out", "w"); + if (!f) + return 1; return ferror (f) || fclose (f) != 0; ; return 0; } @@ -3499,30 +3537,31 @@ cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details" "$LINENO" 5; } +If you meant to cross compile, use '--host'. +See 'config.log' for more details" "$LINENO" 5; } fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 printf "%s\n" "$cross_compiling" >&6; } -rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +rm -f conftest.$ac_ext conftest$ac_cv_exeext \ + conftest.o conftest.obj conftest.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 printf %s "checking for suffix of object files... " >&6; } if test ${ac_cv_objext+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { @@ -3550,20 +3589,22 @@ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done -else $as_nop - printf "%s\n" "$as_me: failed program was:" >&5 +else case e in #( + e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} +{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile -See \`config.log' for more details" "$LINENO" 5; } +See 'config.log' for more details" "$LINENO" 5; } ;; +esac fi -rm -f conftest.$ac_cv_objext conftest.$ac_ext +rm -f conftest.$ac_cv_objext conftest.$ac_ext ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 printf "%s\n" "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT @@ -3570,12 +3611,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5 printf %s "checking whether the compiler supports GNU C... " >&6; } if test ${ac_cv_c_compiler_gnu+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { @@ -3588,16 +3629,18 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_compiler_gnu=yes -else $as_nop - ac_compiler_gnu=no +else case e in #( + e) ac_compiler_gnu=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_c_compiler_gnu @@ -3611,12 +3654,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 printf %s "checking whether $CC accepts -g... " >&6; } if test ${ac_cv_prog_cc_g+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_save_c_werror_flag=$ac_c_werror_flag +else case e in #( + e) ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -3630,12 +3673,12 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes -else $as_nop - CFLAGS="" +else case e in #( + e) CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) @@ -3646,12 +3689,12 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : -else $as_nop - ac_c_werror_flag=$ac_save_c_werror_flag +else case e in #( + e) ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -3664,16 +3707,19 @@ _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - ac_c_werror_flag=$ac_save_c_werror_flag + ac_c_werror_flag=$ac_save_c_werror_flag ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 printf "%s\n" "$ac_cv_prog_cc_g" >&6; } if test $ac_test_CFLAGS; then CFLAGS=$ac_save_CFLAGS @@ -3696,12 +3742,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5 printf %s "checking for $CC option to enable C11 features... " >&6; } if test ${ac_cv_prog_cc_c11+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c11=no +else case e in #( + e) ac_cv_prog_cc_c11=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c11_program _ACEOF @@ -3714,40 +3760,43 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c11" != "xno" && break done rm -f conftest.$ac_ext -CC=$ac_save_CC +CC=$ac_save_CC ;; +esac fi if test "x$ac_cv_prog_cc_c11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c11" = x +else case e in #( + e) if test "x$ac_cv_prog_cc_c11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 printf "%s\n" "$ac_cv_prog_cc_c11" >&6; } - CC="$CC $ac_cv_prog_cc_c11" + CC="$CC $ac_cv_prog_cc_c11" ;; +esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11 - ac_prog_cc_stdc=c11 + ac_prog_cc_stdc=c11 ;; +esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5 printf %s "checking for $CC option to enable C99 features... " >&6; } if test ${ac_cv_prog_cc_c99+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c99=no +else case e in #( + e) ac_cv_prog_cc_c99=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c99_program _ACEOF @@ -3760,40 +3809,43 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c99" != "xno" && break done rm -f conftest.$ac_ext -CC=$ac_save_CC +CC=$ac_save_CC ;; +esac fi if test "x$ac_cv_prog_cc_c99" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c99" = x +else case e in #( + e) if test "x$ac_cv_prog_cc_c99" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 printf "%s\n" "$ac_cv_prog_cc_c99" >&6; } - CC="$CC $ac_cv_prog_cc_c99" + CC="$CC $ac_cv_prog_cc_c99" ;; +esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 - ac_prog_cc_stdc=c99 + ac_prog_cc_stdc=c99 ;; +esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5 printf %s "checking for $CC option to enable C89 features... " >&6; } if test ${ac_cv_prog_cc_c89+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c89=no +else case e in #( + e) ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c89_program _ACEOF @@ -3806,29 +3858,32 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext -CC=$ac_save_CC +CC=$ac_save_CC ;; +esac fi if test "x$ac_cv_prog_cc_c89" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c89" = x +else case e in #( + e) if test "x$ac_cv_prog_cc_c89" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 printf "%s\n" "$ac_cv_prog_cc_c89" >&6; } - CC="$CC $ac_cv_prog_cc_c89" + CC="$CC $ac_cv_prog_cc_c89" ;; +esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 - ac_prog_cc_stdc=c89 + ac_prog_cc_stdc=c89 ;; +esac fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -3840,15 +3895,15 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for existence of ${TCL_BIN_DIR}/tclConfig.sh" >&5 printf %s "checking for existence of ${TCL_BIN_DIR}/tclConfig.sh... " >&6; } if test -f "${TCL_BIN_DIR}/tclConfig.sh" ; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: loading" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: loading" >&5 printf "%s\n" "loading" >&6; } . "${TCL_BIN_DIR}/tclConfig.sh" else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: could not find ${TCL_BIN_DIR}/tclConfig.sh" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: could not find ${TCL_BIN_DIR}/tclConfig.sh" >&5 printf "%s\n" "could not find ${TCL_BIN_DIR}/tclConfig.sh" >&6; } fi # If the TCL_BIN_DIR is the build directory (not the install directory), # then set the common variable name to the value of the build variables. @@ -3855,13 +3910,13 @@ # For example, the variable TCL_LIB_SPEC will be set to the value # of TCL_BUILD_LIB_SPEC. An extension should make use of TCL_LIB_SPEC # instead of TCL_BUILD_LIB_SPEC since it will work with both an # installed and uninstalled version of Tcl. if test -f "${TCL_BIN_DIR}/Makefile" ; then - TCL_LIB_SPEC="${TCL_BUILD_LIB_SPEC}" - TCL_STUB_LIB_SPEC="${TCL_BUILD_STUB_LIB_SPEC}" - TCL_STUB_LIB_PATH="${TCL_BUILD_STUB_LIB_PATH}" + TCL_LIB_SPEC="${TCL_BUILD_LIB_SPEC}" + TCL_STUB_LIB_SPEC="${TCL_BUILD_STUB_LIB_SPEC}" + TCL_STUB_LIB_PATH="${TCL_BUILD_STUB_LIB_PATH}" elif test "`uname -s`" = "Darwin"; then # If Tcl was built as a framework, attempt to use the libraries # from the framework at the given location so that linking works # against Tcl.framework installed in an arbitrary location. case ${TCL_DEFS} in @@ -3919,22 +3974,22 @@ # first test we've already retrieved platform (cross-compile), fallback to unix otherwise: TEA_PLATFORM="${TEA_PLATFORM-unix}" CYGPATH=echo -else $as_nop - +else case e in #( + e) TEA_PLATFORM="windows" # Extract the first word of "cygpath", so it can be a program name with args. set dummy cygpath; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CYGPATH+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CYGPATH"; then +else case e in #( + e) if test -n "$CYGPATH"; then ac_cv_prog_CYGPATH="$CYGPATH" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -3953,11 +4008,12 @@ done done IFS=$as_save_IFS test -z "$ac_cv_prog_CYGPATH" && ac_cv_prog_CYGPATH="echo" -fi +fi ;; +esac fi CYGPATH=$ac_cv_prog_CYGPATH if test -n "$CYGPATH"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CYGPATH" >&5 printf "%s\n" "$CYGPATH" >&6; } @@ -3965,11 +4021,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi - + ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext CC=$hold_cc { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TEA_PLATFORM" >&5 printf "%s\n" "$TEA_PLATFORM" >&6; } @@ -4055,12 +4112,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4078,11 +4135,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -4100,12 +4158,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then +else case e in #( + e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4123,11 +4181,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } @@ -4158,12 +4217,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4181,11 +4240,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -4203,12 +4263,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH @@ -4243,11 +4303,12 @@ # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@" fi fi -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -4267,12 +4328,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4290,11 +4351,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -4316,12 +4378,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then +else case e in #( + e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4339,11 +4401,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } @@ -4377,12 +4440,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then +else case e in #( + e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4400,11 +4463,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } @@ -4422,12 +4486,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then +else case e in #( + e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4445,11 +4509,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } @@ -4474,14 +4539,14 @@ fi fi -test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} +test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5; } +See 'config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 @@ -4509,12 +4574,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5 printf %s "checking whether the compiler supports GNU C... " >&6; } if test ${ac_cv_c_compiler_gnu+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { @@ -4527,16 +4592,18 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_compiler_gnu=yes -else $as_nop - ac_compiler_gnu=no +else case e in #( + e) ac_compiler_gnu=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_c_compiler_gnu @@ -4550,12 +4617,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 printf %s "checking whether $CC accepts -g... " >&6; } if test ${ac_cv_prog_cc_g+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_save_c_werror_flag=$ac_c_werror_flag +else case e in #( + e) ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -4569,12 +4636,12 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes -else $as_nop - CFLAGS="" +else case e in #( + e) CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) @@ -4585,12 +4652,12 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : -else $as_nop - ac_c_werror_flag=$ac_save_c_werror_flag +else case e in #( + e) ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -4603,16 +4670,19 @@ _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - ac_c_werror_flag=$ac_save_c_werror_flag + ac_c_werror_flag=$ac_save_c_werror_flag ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 printf "%s\n" "$ac_cv_prog_cc_g" >&6; } if test $ac_test_CFLAGS; then CFLAGS=$ac_save_CFLAGS @@ -4635,12 +4705,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5 printf %s "checking for $CC option to enable C11 features... " >&6; } if test ${ac_cv_prog_cc_c11+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c11=no +else case e in #( + e) ac_cv_prog_cc_c11=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c11_program _ACEOF @@ -4653,40 +4723,43 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c11" != "xno" && break done rm -f conftest.$ac_ext -CC=$ac_save_CC +CC=$ac_save_CC ;; +esac fi if test "x$ac_cv_prog_cc_c11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c11" = x +else case e in #( + e) if test "x$ac_cv_prog_cc_c11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 printf "%s\n" "$ac_cv_prog_cc_c11" >&6; } - CC="$CC $ac_cv_prog_cc_c11" + CC="$CC $ac_cv_prog_cc_c11" ;; +esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11 - ac_prog_cc_stdc=c11 + ac_prog_cc_stdc=c11 ;; +esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5 printf %s "checking for $CC option to enable C99 features... " >&6; } if test ${ac_cv_prog_cc_c99+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c99=no +else case e in #( + e) ac_cv_prog_cc_c99=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c99_program _ACEOF @@ -4699,40 +4772,43 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c99" != "xno" && break done rm -f conftest.$ac_ext -CC=$ac_save_CC +CC=$ac_save_CC ;; +esac fi if test "x$ac_cv_prog_cc_c99" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c99" = x +else case e in #( + e) if test "x$ac_cv_prog_cc_c99" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 printf "%s\n" "$ac_cv_prog_cc_c99" >&6; } - CC="$CC $ac_cv_prog_cc_c99" + CC="$CC $ac_cv_prog_cc_c99" ;; +esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 - ac_prog_cc_stdc=c99 + ac_prog_cc_stdc=c99 ;; +esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5 printf %s "checking for $CC option to enable C89 features... " >&6; } if test ${ac_cv_prog_cc_c89+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c89=no +else case e in #( + e) ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c89_program _ACEOF @@ -4745,29 +4821,32 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext -CC=$ac_save_CC +CC=$ac_save_CC ;; +esac fi if test "x$ac_cv_prog_cc_c89" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c89" = x +else case e in #( + e) if test "x$ac_cv_prog_cc_c89" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 printf "%s\n" "$ac_cv_prog_cc_c89" >&6; } - CC="$CC $ac_cv_prog_cc_c89" + CC="$CC $ac_cv_prog_cc_c89" ;; +esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 - ac_prog_cc_stdc=c89 + ac_prog_cc_stdc=c89 ;; +esac fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -4788,12 +4867,12 @@ fi if test -z "$CPP"; then if test ${ac_cv_prog_CPP+y} then : printf %s "(cached) " >&6 -else $as_nop - # Double quotes because $CC needs to be expanded +else case e in #( + e) # Double quotes because $CC needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" cpp /lib/cpp do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do @@ -4807,13 +4886,14 @@ Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO" then : -else $as_nop - # Broken: fails on valid input. -continue +else case e in #( + e) # Broken: fails on valid input. +continue ;; +esac fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. @@ -4823,28 +4903,30 @@ _ACEOF if ac_fn_c_try_cpp "$LINENO" then : # Broken: success on invalid input. continue -else $as_nop - # Passes both tests. +else case e in #( + e) # Passes both tests. ac_preproc_ok=: -break +break ;; +esac fi rm -f conftest.err conftest.i conftest.$ac_ext done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +# Because of 'break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok then : break fi done ac_cv_prog_CPP=$CPP - + ;; +esac fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi @@ -4863,13 +4945,14 @@ Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO" then : -else $as_nop - # Broken: fails on valid input. -continue +else case e in #( + e) # Broken: fails on valid input. +continue ;; +esac fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. @@ -4879,28 +4962,30 @@ _ACEOF if ac_fn_c_try_cpp "$LINENO" then : # Broken: success on invalid input. continue -else $as_nop - # Passes both tests. +else case e in #( + e) # Passes both tests. ac_preproc_ok=: -break +break ;; +esac fi rm -f conftest.err conftest.i conftest.$ac_ext done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +# Because of 'break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok then : -else $as_nop - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} +else case e in #( + e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 +printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details" "$LINENO" 5; } +See 'config.log' for more details" "$LINENO" 5; } ;; +esac fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' @@ -4917,12 +5002,12 @@ set x ${MAKE-make} ac_make=`printf "%s\n" "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval test \${ac_cv_prog_make_${ac_make}_set+y} then : printf %s "(cached) " >&6 -else $as_nop - cat >conftest.make <<\_ACEOF +else case e in #( + e) cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. @@ -4930,11 +5015,12 @@ *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac -rm -f conftest.make +rm -f conftest.make ;; +esac fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } SET_MAKE= @@ -4955,12 +5041,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_RANLIB+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$RANLIB"; then +else case e in #( + e) if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -4978,11 +5064,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 printf "%s\n" "$RANLIB" >&6; } @@ -5000,12 +5087,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_RANLIB+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_RANLIB"; then +else case e in #( + e) if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -5023,11 +5110,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 printf "%s\n" "$ac_ct_RANLIB" >&6; } @@ -5101,12 +5189,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if the compiler understands -pipe" >&5 printf %s "checking if the compiler understands -pipe... " >&6; } if test ${tcl_cv_cc_pipe+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_cflags=$CFLAGS; CFLAGS="$CFLAGS -pipe" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -5118,15 +5206,17 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_cc_pipe=yes -else $as_nop - tcl_cv_cc_pipe=no +else case e in #( + e) tcl_cv_cc_pipe=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS=$hold_cflags + CFLAGS=$hold_cflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_cc_pipe" >&5 printf "%s\n" "$tcl_cv_cc_pipe" >&6; } if test $tcl_cv_cc_pipe = yes; then CFLAGS="$CFLAGS -pipe" @@ -5146,12 +5236,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 printf %s "checking whether byte ordering is bigendian... " >&6; } if test ${ac_cv_c_bigendian+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_cv_c_bigendian=unknown +else case e in #( + e) ac_cv_c_bigendian=unknown # See if we're dealing with a universal compiler. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __APPLE_CC__ not a universal capable compiler @@ -5193,12 +5283,12 @@ #include int main (void) { -#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ - && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ +#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \\ + && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \\ && LITTLE_ENDIAN) bogus endian macros #endif ; @@ -5225,12 +5315,13 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_bigendian=yes -else $as_nop - ac_cv_c_bigendian=no +else case e in #( + e) ac_cv_c_bigendian=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi @@ -5270,12 +5361,13 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_bigendian=yes -else $as_nop - ac_cv_c_bigendian=no +else case e in #( + e) ac_cv_c_bigendian=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi @@ -5298,37 +5390,39 @@ unsigned short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; int use_ebcdic (int i) { return ebcdic_mm[i] + ebcdic_ii[i]; } - extern int foo; - -int -main (void) -{ -return use_ascii (foo) == use_ebcdic (foo); - ; - return 0; -} + int + main (int argc, char **argv) + { + /* Intimidate the compiler so that it does not + optimize the arrays away. */ + char *p = argv[0]; + ascii_mm[1] = *p++; ebcdic_mm[1] = *p++; + ascii_ii[1] = *p++; ebcdic_ii[1] = *p++; + return use_ascii (argc) == use_ebcdic (*p); + } _ACEOF -if ac_fn_c_try_compile "$LINENO" +if ac_fn_c_try_link "$LINENO" then : - if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then + if grep BIGenDianSyS conftest$ac_exeext >/dev/null; then ac_cv_c_bigendian=yes fi - if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then + if grep LiTTleEnDian conftest$ac_exeext >/dev/null ; then if test "$ac_cv_c_bigendian" = unknown; then ac_cv_c_bigendian=no else # finding both strings is unlikely to happen, but who knows? ac_cv_c_bigendian=unknown fi fi fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { @@ -5347,18 +5441,21 @@ } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_c_bigendian=no -else $as_nop - ac_cv_c_bigendian=yes +else case e in #( + e) ac_cv_c_bigendian=yes ;; +esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext + conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi - fi + fi ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 printf "%s\n" "$ac_cv_c_bigendian" >&6; } case $ac_cv_c_bigendian in #( yes) @@ -5375,11 +5472,10 @@ esac #----------------------------------------------------------------------- -# __CHANGE__ # Specify the C source files to compile in TEA_ADD_SOURCES, # public headers that need to be installed in TEA_ADD_HEADERS, # stub library C source files to compile in TEA_ADD_STUB_SOURCES, # and runtime Tcl library files in TEA_ADD_TCL_SOURCES. # This defines PKG(_STUB)_SOURCES, PKG(_STUB)_OBJECTS, PKG_HEADERS @@ -5477,11 +5573,11 @@ done - vars="library/tls.tcl" + vars="library/tls.tcl license.terms README.txt" for i in $vars; do # check for existence, be strict because it is installed if test ! -f "${srcdir}/$i" ; then as_fn_error $? "could not find tcl source file '${srcdir}/$i'" "$LINENO" 5 fi @@ -5489,29 +5585,31 @@ done #-------------------------------------------------------------------- -# # You can add more files to clean if your extension creates any extra # files by extending CLEANFILES. # Add pkgIndex.tcl if it is generated in the Makefile instead of ./configure # and change Makefile.in to move it from CONFIG_CLEAN_FILES to BINARIES var. # # A few miscellaneous platform-specific items: # TEA_ADD_* any platform specific compiler/build info here. #-------------------------------------------------------------------- -CONFIG_CLEAN_FILES="$CONFIG_CLEAN_FILES tls.tcl.h.* config.log config.status Makefile pkgIndex.tcl tcltls.a.linkadd tcltls.syms" + + CLEANFILES="$CLEANFILES pkgIndex.tcl generic/tls.tcl.h tlsUuid.h" + + if test "${TEA_PLATFORM}" = "windows" ; then - printf "%s\n" "#define BUILD_tls 1" >>confdefs.h - printf "%s\n" "#define WINDOWS 1" >>confdefs.h + CLEANFILES="$CLEANFILES *.lib *.dll *.exp *.ilk *.pdb vc*.pch" - CLEANFILES="pkgIndex.tcl *.lib *.dll *.exp *.ilk *.pdb vc*.pch" else - CLEANFILES="pkgIndex.tcl *.so" + + CLEANFILES="$CLEANFILES *.so" + fi #-------------------------------------------------------------------- # Choose which headers you need. Extension authors should try very @@ -5534,12 +5632,12 @@ if test ${ac_cv_c_tclh+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) # Use the value from --with-tclinclude, if it was given if test x"${with_tclinclude}" != x ; then if test -f "${with_tclinclude}/tcl.h" ; then ac_cv_c_tclh=${with_tclinclude} @@ -5584,11 +5682,12 @@ ac_cv_c_tclh=$i break fi done fi - + ;; +esac fi # Print a message based on how we determined the include path @@ -5621,12 +5720,13 @@ # Check whether --enable-threads was given. if test ${enable_threads+y} then : enableval=$enable_threads; tcl_ok=$enableval -else $as_nop - tcl_ok=yes +else case e in #( + e) tcl_ok=yes ;; +esac fi if test "${enable_threads+set}" = set; then enableval="$enable_threads" @@ -5660,20 +5760,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for pthread_mutex_init in -lpthread" >&5 printf %s "checking for pthread_mutex_init in -lpthread... " >&6; } if test ${ac_cv_lib_pthread_pthread_mutex_init+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lpthread $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char pthread_mutex_init (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char pthread_mutex_init (void); int main (void) { return pthread_mutex_init (); ; @@ -5681,24 +5787,27 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_pthread_pthread_mutex_init=yes -else $as_nop - ac_cv_lib_pthread_pthread_mutex_init=no +else case e in #( + e) ac_cv_lib_pthread_pthread_mutex_init=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_mutex_init" >&5 printf "%s\n" "$ac_cv_lib_pthread_pthread_mutex_init" >&6; } if test "x$ac_cv_lib_pthread_pthread_mutex_init" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = "no"; then # Check a little harder for __pthread_mutex_init in the same # library, as some systems hide it there until pthread.h is @@ -5708,20 +5817,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __pthread_mutex_init in -lpthread" >&5 printf %s "checking for __pthread_mutex_init in -lpthread... " >&6; } if test ${ac_cv_lib_pthread___pthread_mutex_init+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lpthread $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char __pthread_mutex_init (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char __pthread_mutex_init (void); int main (void) { return __pthread_mutex_init (); ; @@ -5729,24 +5844,27 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_pthread___pthread_mutex_init=yes -else $as_nop - ac_cv_lib_pthread___pthread_mutex_init=no +else case e in #( + e) ac_cv_lib_pthread___pthread_mutex_init=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_mutex_init" >&5 printf "%s\n" "$ac_cv_lib_pthread___pthread_mutex_init" >&6; } if test "x$ac_cv_lib_pthread___pthread_mutex_init" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi fi if test "$tcl_ok" = "yes"; then @@ -5756,20 +5874,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for pthread_mutex_init in -lpthreads" >&5 printf %s "checking for pthread_mutex_init in -lpthreads... " >&6; } if test ${ac_cv_lib_pthreads_pthread_mutex_init+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lpthreads $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char pthread_mutex_init (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char pthread_mutex_init (void); int main (void) { return pthread_mutex_init (); ; @@ -5777,24 +5901,27 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_pthreads_pthread_mutex_init=yes -else $as_nop - ac_cv_lib_pthreads_pthread_mutex_init=no +else case e in #( + e) ac_cv_lib_pthreads_pthread_mutex_init=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthreads_pthread_mutex_init" >&5 printf "%s\n" "$ac_cv_lib_pthreads_pthread_mutex_init" >&6; } if test "x$ac_cv_lib_pthreads_pthread_mutex_init" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = "yes"; then # The space is needed THREADS_LIBS=" -lpthreads" @@ -5802,20 +5929,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for pthread_mutex_init in -lc" >&5 printf %s "checking for pthread_mutex_init in -lc... " >&6; } if test ${ac_cv_lib_c_pthread_mutex_init+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lc $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char pthread_mutex_init (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char pthread_mutex_init (void); int main (void) { return pthread_mutex_init (); ; @@ -5823,42 +5956,51 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_c_pthread_mutex_init=yes -else $as_nop - ac_cv_lib_c_pthread_mutex_init=no +else case e in #( + e) ac_cv_lib_c_pthread_mutex_init=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_mutex_init" >&5 printf "%s\n" "$ac_cv_lib_c_pthread_mutex_init" >&6; } if test "x$ac_cv_lib_c_pthread_mutex_init" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = "no"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for pthread_mutex_init in -lc_r" >&5 printf %s "checking for pthread_mutex_init in -lc_r... " >&6; } if test ${ac_cv_lib_c_r_pthread_mutex_init+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lc_r $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char pthread_mutex_init (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char pthread_mutex_init (void); int main (void) { return pthread_mutex_init (); ; @@ -5866,24 +6008,27 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_c_r_pthread_mutex_init=yes -else $as_nop - ac_cv_lib_c_r_pthread_mutex_init=no +else case e in #( + e) ac_cv_lib_c_r_pthread_mutex_init=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_mutex_init" >&5 printf "%s\n" "$ac_cv_lib_c_r_pthread_mutex_init" >&6; } if test "x$ac_cv_lib_c_r_pthread_mutex_init" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = "yes"; then # The space is needed THREADS_LIBS=" -pthread" @@ -5939,12 +6084,13 @@ printf %s "checking how to build libraries... " >&6; } # Check whether --enable-shared was given. if test ${enable_shared+y} then : enableval=$enable_shared; shared_ok=$enableval -else $as_nop - shared_ok=yes +else case e in #( + e) shared_ok=yes ;; +esac fi if test "${enable_shared+set}" = set; then enableval="$enable_shared" @@ -5955,12 +6101,13 @@ # Check whether --enable-stubs was given. if test ${enable_stubs+y} then : enableval=$enable_stubs; stubs_ok=$enableval -else $as_nop - stubs_ok=yes +else case e in #( + e) stubs_ok=yes ;; +esac fi if test "${enable_stubs+set}" = set; then enableval="$enable_stubs" @@ -5972,23 +6119,23 @@ # Stubs are always enabled for shared builds if test "$shared_ok" = "yes" ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: shared" >&5 printf "%s\n" "shared" >&6; } SHARED_BUILD=1 - STUBS_BUILD=1 + STUBS_BUILD=1 else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: static" >&5 printf "%s\n" "static" >&6; } SHARED_BUILD=0 printf "%s\n" "#define STATIC_BUILD 1" >>confdefs.h - if test "$stubs_ok" = "yes" ; then - STUBS_BUILD=1 - else - STUBS_BUILD=0 - fi + if test "$stubs_ok" = "yes" ; then + STUBS_BUILD=1 + else + STUBS_BUILD=0 + fi fi if test "${STUBS_BUILD}" = "1" ; then printf "%s\n" "#define USE_TCL_STUBS 1" >>confdefs.h @@ -6018,12 +6165,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_RANLIB+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$RANLIB"; then +else case e in #( + e) if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -6041,11 +6188,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 printf "%s\n" "$RANLIB" >&6; } @@ -6063,12 +6211,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_RANLIB+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_RANLIB"; then +else case e in #( + e) if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -6086,11 +6234,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 printf "%s\n" "$ac_ct_RANLIB" >&6; } @@ -6123,12 +6272,13 @@ printf %s "checking if 64bit support is requested... " >&6; } # Check whether --enable-64bit was given. if test ${enable_64bit+y} then : enableval=$enable_64bit; do64bit=$enableval -else $as_nop - do64bit=no +else case e in #( + e) do64bit=no ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $do64bit" >&5 printf "%s\n" "$do64bit" >&6; } @@ -6138,12 +6288,13 @@ printf %s "checking if 64bit Sparc VIS support is requested... " >&6; } # Check whether --enable-64bit-vis was given. if test ${enable_64bit_vis+y} then : enableval=$enable_64bit_vis; do64bitVIS=$enableval -else $as_nop - do64bitVIS=no +else case e in #( + e) do64bitVIS=no ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $do64bitVIS" >&5 printf "%s\n" "$do64bitVIS" >&6; } # Force 64bit on with VIS @@ -6158,12 +6309,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler supports visibility \"hidden\"" >&5 printf %s "checking if compiler supports visibility \"hidden\"... " >&6; } if test ${tcl_cv_cc_visibility_hidden+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_cflags=$CFLAGS; CFLAGS="$CFLAGS -Werror" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ extern __attribute__((__visibility__("hidden"))) void f(void); @@ -6177,16 +6328,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_cc_visibility_hidden=yes -else $as_nop - tcl_cv_cc_visibility_hidden=no +else case e in #( + e) tcl_cv_cc_visibility_hidden=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - CFLAGS=$hold_cflags + CFLAGS=$hold_cflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_cc_visibility_hidden" >&5 printf "%s\n" "$tcl_cv_cc_visibility_hidden" >&6; } if test $tcl_cv_cc_visibility_hidden = yes then : @@ -6206,12 +6359,13 @@ printf %s "checking if rpath support is requested... " >&6; } # Check whether --enable-rpath was given. if test ${enable_rpath+y} then : enableval=$enable_rpath; doRpath=$enableval -else $as_nop - doRpath=yes +else case e in #( + e) doRpath=yes ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $doRpath" >&5 printf "%s\n" "$doRpath" >&6; } @@ -6222,12 +6376,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking system version" >&5 printf %s "checking system version... " >&6; } if test ${tcl_cv_sys_version+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) # TEA specific: if test "${TEA_PLATFORM}" = "windows" ; then tcl_cv_sys_version=windows else tcl_cv_sys_version=`uname -s`-`uname -r` @@ -6242,11 +6396,12 @@ if test "`uname -s`" = "NetBSD" -a -f /etc/debian_version ; then tcl_cv_sys_version=NetBSD-Debian fi fi fi - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_sys_version" >&5 printf "%s\n" "$tcl_cv_sys_version" >&6; } system=$tcl_cv_sys_version @@ -6276,26 +6431,27 @@ then : CFLAGS_OPTIMIZE=-O2 CFLAGS_WARNING="-Wall" -else $as_nop - +else case e in #( + e) CFLAGS_OPTIMIZE=-O CFLAGS_WARNING="" - + ;; +esac fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. set dummy ${ac_tool_prefix}ar; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_AR+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$AR"; then +else case e in #( + e) if test -n "$AR"; then ac_cv_prog_AR="$AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -6313,11 +6469,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi AR=$ac_cv_prog_AR if test -n "$AR"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 printf "%s\n" "$AR" >&6; } @@ -6335,12 +6492,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_AR+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_AR"; then +else case e in #( + e) if test -n "$ac_ct_AR"; then ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -6358,11 +6515,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 printf "%s\n" "$ac_ct_AR" >&6; } @@ -6389,12 +6547,13 @@ STLIB_LD='${AR} cr' LD_LIBRARY_PATH_VAR="LD_LIBRARY_PATH" if test "x$SHLIB_VERSION" = x then : SHLIB_VERSION="" -else $as_nop - SHLIB_VERSION=".$SHLIB_VERSION" +else case e in #( + e) SHLIB_VERSION=".$SHLIB_VERSION" ;; +esac fi case $system in # TEA specific: windows) MACHINE="X86" @@ -6411,18 +6570,18 @@ ;; esac fi if test "$GCC" != "yes" ; then - if test "${SHARED_BUILD}" = "0" ; then + if test "${SHARED_BUILD}" = "0" ; then runtime=-MT - else + else runtime=-MD - fi - case "x`echo \${VisualStudioVersion}`" in - x1[4-9]*) - lflags="${lflags} -nodefaultlib:libucrt.lib" + fi + case "x`echo \${VisualStudioVersion}`" in + x1[4-9]*) + lflags="${lflags} -nodefaultlib:libucrt.lib" vars="ucrt.lib" for i in $vars; do if test "${TEA_PLATFORM}" = "windows" -a "$GCC" = "yes" ; then # Convert foo.lib to -lfoo for GCC. No-op if not *.lib @@ -6430,16 +6589,16 @@ fi PKG_LIBS="$PKG_LIBS $i" done - ;; - *) - ;; - esac + ;; + *) + ;; + esac - if test "$do64bit" != "no" ; then + if test "$do64bit" != "no" ; then CC="cl.exe" RC="rc.exe" lflags="${lflags} -nologo -MACHINE:${MACHINE} " LINKBIN="link.exe" CFLAGS_DEBUG="-nologo -Zi -Od -W3 ${runtime}d" @@ -6474,12 +6633,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_RC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$RC"; then +else case e in #( + e) if test -n "$RC"; then ac_cv_prog_RC="$RC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -6497,11 +6656,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi RC=$ac_cv_prog_RC if test -n "$RC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $RC" >&5 printf "%s\n" "$RC" >&6; } @@ -6519,12 +6679,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_RC+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_RC"; then +else case e in #( + e) if test -n "$ac_ct_RC"; then ac_cv_prog_ac_ct_RC="$ac_ct_RC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -6542,11 +6702,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_RC=$ac_cv_prog_ac_ct_RC if test -n "$ac_ct_RC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RC" >&5 printf "%s\n" "$ac_ct_RC" >&6; } @@ -6580,12 +6741,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for cross-compile version of gcc" >&5 printf %s "checking for cross-compile version of gcc... " >&6; } if test ${ac_cv_cross+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef _WIN32 #error cross-compiler #endif @@ -6599,15 +6760,17 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_cross=yes -else $as_nop - ac_cv_cross=no +else case e in #( + e) ac_cv_cross=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cross" >&5 printf "%s\n" "$ac_cv_cross" >&6; } if test "$ac_cv_cross" = "yes"; then case "$do64bit" in @@ -6654,11 +6817,11 @@ SHLIB_SUFFIX=".dll" SHARED_LIB_SUFFIX='${TCL_TRIM_DOTS}.dll' TCL_LIB_VERSIONS_OK=nodots - ;; + ;; AIX-*) if test "$GCC" != "yes" then : # AIX requires the _r compiler when gcc isn't being used @@ -6666,11 +6829,11 @@ *_r|*_r\ *) # ok ... ;; *) # Make sure only first arg gets _r - CC=`echo "$CC" | sed -e 's/^\([^ ]*\)/\1_r/'` + CC=`echo "$CC" | sed -e 's/^\([^ ]*\)/\1_r/'` ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Using $CC for compiling with threads" >&5 printf "%s\n" "Using $CC for compiling with threads" >&6; } @@ -6689,19 +6852,20 @@ then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported with GCC on $system" >&5 printf "%s\n" "$as_me: WARNING: 64bit mode not supported with GCC on $system" >&2;} -else $as_nop - +else case e in #( + e) do64bit_ok=yes CFLAGS="$CFLAGS -q64" LDFLAGS_ARCH="-q64" RANLIB="${RANLIB} -X64" AR="${AR} -X64" SHLIB_LD_FLAGS="-b64" - + ;; +esac fi fi if test "`uname -m`" = ia64 @@ -6712,34 +6876,37 @@ if test "$GCC" = yes then : CC_SEARCH_FLAGS='"-Wl,-R,${LIB_RUNTIME_DIR}"' -else $as_nop - +else case e in #( + e) CC_SEARCH_FLAGS='"-R${LIB_RUNTIME_DIR}"' - + ;; +esac fi LD_SEARCH_FLAGS='-R "${LIB_RUNTIME_DIR}"' -else $as_nop - +else case e in #( + e) if test "$GCC" = yes then : SHLIB_LD='${CC} -shared -Wl,-bexpall' -else $as_nop - +else case e in #( + e) SHLIB_LD="/bin/ld -bhalt:4 -bM:SRE -bexpall -H512 -T512 -bnoentry" LDFLAGS="$LDFLAGS -brtl" - + ;; +esac fi SHLIB_LD="${SHLIB_LD} ${SHLIB_LD_FLAGS}" CC_SEARCH_FLAGS='"-L${LIB_RUNTIME_DIR}"' LD_SEARCH_FLAGS=${CC_SEARCH_FLAGS} - + ;; +esac fi ;; BeOS*) SHLIB_CFLAGS="-fPIC" SHLIB_LD='${CC} -nostart' @@ -6753,20 +6920,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for inet_ntoa in -lbind" >&5 printf %s "checking for inet_ntoa in -lbind... " >&6; } if test ${ac_cv_lib_bind_inet_ntoa+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lbind $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char inet_ntoa (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char inet_ntoa (void); int main (void) { return inet_ntoa (); ; @@ -6774,16 +6947,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_bind_inet_ntoa=yes -else $as_nop - ac_cv_lib_bind_inet_ntoa=no +else case e in #( + e) ac_cv_lib_bind_inet_ntoa=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bind_inet_ntoa" >&5 printf "%s\n" "$ac_cv_lib_bind_inet_ntoa" >&6; } if test "x$ac_cv_lib_bind_inet_ntoa" = xyes then : @@ -6832,20 +7007,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for inet_ntoa in -lnetwork" >&5 printf %s "checking for inet_ntoa in -lnetwork... " >&6; } if test ${ac_cv_lib_network_inet_ntoa+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-lnetwork $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char inet_ntoa (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char inet_ntoa (void); int main (void) { return inet_ntoa (); ; @@ -6853,16 +7034,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_network_inet_ntoa=yes -else $as_nop - ac_cv_lib_network_inet_ntoa=no +else case e in #( + e) ac_cv_lib_network_inet_ntoa=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_network_inet_ntoa" >&5 printf "%s\n" "$ac_cv_lib_network_inet_ntoa" >&6; } if test "x$ac_cv_lib_network_inet_ntoa" = xyes then : @@ -6882,30 +7065,37 @@ if test "`uname -m`" = ia64 then : SHLIB_SUFFIX=".so" -else $as_nop - +else case e in #( + e) SHLIB_SUFFIX=".sl" - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 printf %s "checking for shl_load in -ldld... " >&6; } if test ${ac_cv_lib_dld_shl_load+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-ldld $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char shl_load (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (void); int main (void) { return shl_load (); ; @@ -6913,24 +7103,27 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_dld_shl_load=yes -else $as_nop - ac_cv_lib_dld_shl_load=no +else case e in #( + e) ac_cv_lib_dld_shl_load=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 printf "%s\n" "$ac_cv_lib_dld_shl_load" >&6; } if test "x$ac_cv_lib_dld_shl_load" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = yes then : @@ -6946,14 +7139,15 @@ then : SHLIB_LD='${CC} -shared' LD_SEARCH_FLAGS=${CC_SEARCH_FLAGS} -else $as_nop - +else case e in #( + e) CFLAGS="$CFLAGS -z" - + ;; +esac fi # Check to enable 64-bit flags for compiler/linker if test "$do64bit" = "yes" then : @@ -6977,16 +7171,17 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported with GCC on $system" >&5 printf "%s\n" "$as_me: WARNING: 64bit mode not supported with GCC on $system" >&2;} ;; esac -else $as_nop - +else case e in #( + e) do64bit_ok=yes CFLAGS="$CFLAGS +DD64" LDFLAGS_ARCH="+DD64" - + ;; +esac fi fi ;; HP-UX-*.08.*|HP-UX-*.09.*|HP-UX-*.10.*) SHLIB_SUFFIX=".sl" @@ -6993,20 +7188,26 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 printf %s "checking for shl_load in -ldld... " >&6; } if test ${ac_cv_lib_dld_shl_load+y} then : printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS +else case e in #( + e) ac_check_lib_save_LIBS=$LIBS LIBS="-ldld $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char shl_load (); + builtin and then its argument prototype would still apply. + The 'extern "C"' is for builds by C++ compilers; + although this is not generally supported in C code supporting it here + has little cost and some practical benefit (sr 110532). */ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (void); int main (void) { return shl_load (); ; @@ -7014,24 +7215,27 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_dld_shl_load=yes -else $as_nop - ac_cv_lib_dld_shl_load=no +else case e in #( + e) ac_cv_lib_dld_shl_load=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +LIBS=$ac_check_lib_save_LIBS ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 printf "%s\n" "$ac_cv_lib_dld_shl_load" >&6; } if test "x$ac_cv_lib_dld_shl_load" = xyes then : tcl_ok=yes -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = yes then : @@ -7075,12 +7279,12 @@ then : CFLAGS="$CFLAGS -mabi=n32" LDFLAGS="$LDFLAGS -mabi=n32" -else $as_nop - +else case e in #( + e) case $system in IRIX-6.3) # Use to build 6.2 compatible binaries on 6.3. CFLAGS="$CFLAGS -n32 -D_OLD_TERMIOS" ;; @@ -7087,11 +7291,12 @@ *) CFLAGS="$CFLAGS -n32" ;; esac LDFLAGS="$LDFLAGS -n32" - + ;; +esac fi ;; IRIX64-6.*) SHLIB_CFLAGS="" SHLIB_LD="ld -n32 -shared -rdata_shared" @@ -7106,23 +7311,24 @@ # Check to enable 64-bit flags for compiler/linker if test "$do64bit" = yes then : - if test "$GCC" = yes + if test "$GCC" = yes then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported by gcc" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported by gcc" >&5 printf "%s\n" "$as_me: WARNING: 64bit mode not supported by gcc" >&2;} -else $as_nop - - do64bit_ok=yes - SHLIB_LD="ld -64 -shared -rdata_shared" - CFLAGS="$CFLAGS -64" - LDFLAGS_ARCH="-64" - +else case e in #( + e) + do64bit_ok=yes + SHLIB_LD="ld -64 -shared -rdata_shared" + CFLAGS="$CFLAGS -64" + LDFLAGS_ARCH="-64" + ;; +esac fi fi ;; Linux*|GNU*|NetBSD-Debian|DragonFly-*|FreeBSD-*) @@ -7145,11 +7351,11 @@ LIBS=`echo $LIBS | sed s/-pthread//` CFLAGS="$CFLAGS $PTHREAD_CFLAGS" LDFLAGS="$LDFLAGS $PTHREAD_LIBS" fi ;; - esac + esac if test $doRpath = yes then : CC_SEARCH_FLAGS='"-Wl,-rpath,${LIB_RUNTIME_DIR}"' @@ -7165,12 +7371,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler accepts -m64 flag" >&5 printf %s "checking if compiler accepts -m64 flag... " >&6; } if test ${tcl_cv_cc_m64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_cflags=$CFLAGS CFLAGS="$CFLAGS -m64" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -7183,16 +7389,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_cc_m64=yes -else $as_nop - tcl_cv_cc_m64=no +else case e in #( + e) tcl_cv_cc_m64=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - CFLAGS=$hold_cflags + CFLAGS=$hold_cflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_cc_m64" >&5 printf "%s\n" "$tcl_cv_cc_m64" >&6; } if test $tcl_cv_cc_m64 = yes then : @@ -7294,12 +7502,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler accepts -arch ppc64 flag" >&5 printf %s "checking if compiler accepts -arch ppc64 flag... " >&6; } if test ${tcl_cv_cc_arch_ppc64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_cflags=$CFLAGS CFLAGS="$CFLAGS -arch ppc64 -mpowerpc64 -mcpu=G5" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -7312,16 +7520,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_cc_arch_ppc64=yes -else $as_nop - tcl_cv_cc_arch_ppc64=no +else case e in #( + e) tcl_cv_cc_arch_ppc64=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - CFLAGS=$hold_cflags + CFLAGS=$hold_cflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_cc_arch_ppc64" >&5 printf "%s\n" "$tcl_cv_cc_arch_ppc64" >&6; } if test $tcl_cv_cc_arch_ppc64 = yes then : @@ -7334,12 +7544,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler accepts -arch x86_64 flag" >&5 printf %s "checking if compiler accepts -arch x86_64 flag... " >&6; } if test ${tcl_cv_cc_arch_x86_64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_cflags=$CFLAGS CFLAGS="$CFLAGS -arch x86_64" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -7352,16 +7562,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_cc_arch_x86_64=yes -else $as_nop - tcl_cv_cc_arch_x86_64=no +else case e in #( + e) tcl_cv_cc_arch_x86_64=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - CFLAGS=$hold_cflags + CFLAGS=$hold_cflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_cc_arch_x86_64" >&5 printf "%s\n" "$tcl_cv_cc_arch_x86_64" >&6; } if test $tcl_cv_cc_arch_x86_64 = yes then : @@ -7373,61 +7585,24 @@ *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Don't know how enable 64-bit on architecture \`arch\`" >&5 printf "%s\n" "$as_me: WARNING: Don't know how enable 64-bit on architecture \`arch\`" >&2;};; esac -else $as_nop - +else case e in #( + e) # Check for combined 32-bit and 64-bit fat build if echo "$CFLAGS " |grep -E -q -- '-arch (ppc64|x86_64) ' \ && echo "$CFLAGS " |grep -E -q -- '-arch (ppc|i386) ' then : fat_32_64=yes fi - + ;; +esac fi # TEA specific: use LDFLAGS_DEFAULT instead of LDFLAGS SHLIB_LD='${CC} -dynamiclib ${CFLAGS} ${LDFLAGS_DEFAULT}' - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if ld accepts -single_module flag" >&5 -printf %s "checking if ld accepts -single_module flag... " >&6; } -if test ${tcl_cv_ld_single_module+y} -then : - printf %s "(cached) " >&6 -else $as_nop - - hold_ldflags=$LDFLAGS - LDFLAGS="$LDFLAGS -dynamiclib -Wl,-single_module" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ -int i; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - tcl_cv_ld_single_module=yes -else $as_nop - tcl_cv_ld_single_module=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$hold_ldflags -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_ld_single_module" >&5 -printf "%s\n" "$tcl_cv_ld_single_module" >&6; } - if test $tcl_cv_ld_single_module = yes -then : - - SHLIB_LD="${SHLIB_LD} -Wl,-single_module" - -fi # TEA specific: link shlib with current and compatibility version flags vers=`echo ${PACKAGE_VERSION} | sed -e 's/^\([0-9]\{1,5\}\)\(\(\.[0-9]\{1,3\}\)\{0,2\}\).*$/\1\2/p' -e d` SHLIB_LD="${SHLIB_LD} -current_version ${vers:-0} -compatibility_version ${vers:-0}" SHLIB_SUFFIX=".dylib" LDFLAGS="$LDFLAGS -headerpad_max_install_names" @@ -7434,12 +7609,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if ld accepts -search_paths_first flag" >&5 printf %s "checking if ld accepts -search_paths_first flag... " >&6; } if test ${tcl_cv_ld_search_paths_first+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_ldflags=$LDFLAGS LDFLAGS="$LDFLAGS -Wl,-search_paths_first" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -7452,16 +7627,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_ld_search_paths_first=yes -else $as_nop - tcl_cv_ld_search_paths_first=no +else case e in #( + e) tcl_cv_ld_search_paths_first=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$hold_ldflags + LDFLAGS=$hold_ldflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_ld_search_paths_first" >&5 printf "%s\n" "$tcl_cv_ld_search_paths_first" >&6; } if test $tcl_cv_ld_search_paths_first = yes then : @@ -7492,12 +7669,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for 64-bit X11" >&5 printf %s "checking for 64-bit X11... " >&6; } if test ${tcl_cv_lib_x11_64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) for v in CFLAGS CPPFLAGS LDFLAGS; do eval 'hold_'$v'="$'$v'";'$v'="`echo "$'$v' "|sed -e "s/-arch ppc / /g" -e "s/-arch i386 / /g"`"' done CPPFLAGS="$CPPFLAGS -I/usr/X11R6/include" LDFLAGS="$LDFLAGS -L/usr/X11R6/lib -lX11" @@ -7513,18 +7690,20 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_lib_x11_64=yes -else $as_nop - tcl_cv_lib_x11_64=no +else case e in #( + e) tcl_cv_lib_x11_64=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext for v in CFLAGS CPPFLAGS LDFLAGS; do eval $v'="$hold_'$v'"' - done + done ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_lib_x11_64" >&5 printf "%s\n" "$tcl_cv_lib_x11_64" >&6; } fi @@ -7534,12 +7713,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for 64-bit Tk" >&5 printf %s "checking for 64-bit Tk... " >&6; } if test ${tcl_cv_lib_tk_64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) for v in CFLAGS CPPFLAGS LDFLAGS; do eval 'hold_'$v'="$'$v'";'$v'="`echo "$'$v' "|sed -e "s/-arch ppc / /g" -e "s/-arch i386 / /g"`"' done CPPFLAGS="$CPPFLAGS -DUSE_TCL_STUBS=1 -DUSE_TK_STUBS=1 ${TCL_INCLUDES} ${TK_INCLUDES}" LDFLAGS="$LDFLAGS ${TCL_STUB_LIB_SPEC} ${TK_STUB_LIB_SPEC}" @@ -7555,18 +7734,20 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_lib_tk_64=yes -else $as_nop - tcl_cv_lib_tk_64=no +else case e in #( + e) tcl_cv_lib_tk_64=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext for v in CFLAGS CPPFLAGS LDFLAGS; do eval $v'="$hold_'$v'"' - done + done ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_lib_tk_64" >&5 printf "%s\n" "$tcl_cv_lib_tk_64" >&6; } fi @@ -7594,16 +7775,17 @@ # Digital OSF/1 SHLIB_CFLAGS="" if test "$SHARED_BUILD" = 1 then : - SHLIB_LD='ld -shared -expect_unresolved "*"' + SHLIB_LD='ld -shared -expect_unresolved "*"' -else $as_nop - - SHLIB_LD='ld -non_shared -expect_unresolved "*"' - +else case e in #( + e) + SHLIB_LD='ld -non_shared -expect_unresolved "*"' + ;; +esac fi SHLIB_SUFFIX=".so" if test $doRpath = yes then : @@ -7611,13 +7793,14 @@ LD_SEARCH_FLAGS='-rpath ${LIB_RUNTIME_DIR}' fi if test "$GCC" = yes then : CFLAGS="$CFLAGS -mieee" -else $as_nop - - CFLAGS="$CFLAGS -DHAVE_TZSET -std1 -ieee" +else case e in #( + e) + CFLAGS="$CFLAGS -DHAVE_TZSET -std1 -ieee" ;; +esac fi # see pthread_intro(3) for pthread support on osf1, k.furukawa CFLAGS="$CFLAGS -DHAVE_PTHREAD_ATTR_SETSTACKSIZE" CFLAGS="$CFLAGS -DTCL_THREAD_STACK_MIN=PTHREAD_STACK_MIN*64" LIBS=`echo $LIBS | sed s/-lpthreads//` @@ -7624,15 +7807,16 @@ if test "$GCC" = yes then : LIBS="$LIBS -lpthread -lmach -lexc" -else $as_nop - +else case e in #( + e) CFLAGS="$CFLAGS -pthread" LDFLAGS="$LDFLAGS -pthread" - + ;; +esac fi ;; QNX-6*) # QNX RTP # This may work for all QNX, but it was only reported for v6. @@ -7648,15 +7832,16 @@ then : SHLIB_CFLAGS="-fPIC -melf" LDFLAGS="$LDFLAGS -melf -Wl,-Bexport" -else $as_nop - +else case e in #( + e) SHLIB_CFLAGS="-Kpic -belf" LDFLAGS="$LDFLAGS -belf -Wl,-Bexport" - + ;; +esac fi SHLIB_LD="ld -G" SHLIB_LD_LIBS="" SHLIB_SUFFIX=".so" CC_SEARCH_FLAGS="" @@ -7682,16 +7867,17 @@ SHLIB_LD='${CC} -shared' CC_SEARCH_FLAGS='"-Wl,-R,${LIB_RUNTIME_DIR}"' LD_SEARCH_FLAGS=${CC_SEARCH_FLAGS} -else $as_nop - +else case e in #( + e) SHLIB_LD="/usr/ccs/bin/ld -G -z text" CC_SEARCH_FLAGS='-R "${LIB_RUNTIME_DIR}"' LD_SEARCH_FLAGS=${CC_SEARCH_FLAGS} - + ;; +esac fi ;; SunOS-5*) # Note: If _REENTRANT isn't defined, then Solaris # won't define thread-safe library routines. @@ -7720,41 +7906,44 @@ then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported with GCC < 3.2 on $system" >&5 printf "%s\n" "$as_me: WARNING: 64bit mode not supported with GCC < 3.2 on $system" >&2;} -else $as_nop - +else case e in #( + e) do64bit_ok=yes CFLAGS="$CFLAGS -m64 -mcpu=v9" LDFLAGS="$LDFLAGS -m64 -mcpu=v9" SHLIB_CFLAGS="-fPIC" - + ;; +esac fi -else $as_nop - +else case e in #( + e) do64bit_ok=yes if test "$do64bitVIS" = yes then : CFLAGS="$CFLAGS -xarch=v9a" LDFLAGS_ARCH="-xarch=v9a" -else $as_nop - +else case e in #( + e) CFLAGS="$CFLAGS -xarch=v9" LDFLAGS_ARCH="-xarch=v9" - + ;; +esac fi # Solaris 64 uses this as well #LD_LIBRARY_PATH_VAR="LD_LIBRARY_PATH_64" - + ;; +esac fi -else $as_nop - if test "$arch" = "amd64 i386" +else case e in #( + e) if test "$arch" = "amd64 i386" then : if test "$GCC" = yes then : @@ -7766,28 +7955,31 @@ *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported with GCC on $system" >&5 printf "%s\n" "$as_me: WARNING: 64bit mode not supported with GCC on $system" >&2;};; esac -else $as_nop - +else case e in #( + e) do64bit_ok=yes case $system in SunOS-5.1[1-9]*|SunOS-5.[2-9][0-9]*) CFLAGS="$CFLAGS -m64" LDFLAGS="$LDFLAGS -m64";; *) CFLAGS="$CFLAGS -xarch=amd64" LDFLAGS="$LDFLAGS -xarch=amd64";; esac - + ;; +esac fi -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported for $arch" >&5 -printf "%s\n" "$as_me: WARNING: 64bit mode not supported for $arch" >&2;} -fi +else case e in #( + e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: 64bit mode not supported for $arch" >&5 +printf "%s\n" "$as_me: WARNING: 64bit mode not supported for $arch" >&2;} ;; +esac +fi ;; +esac fi fi SHLIB_SUFFIX=".so" @@ -7811,35 +8003,37 @@ # for finding sparcv9 libgcc, get the regular libgcc # path, remove so name and append 'sparcv9' #v9gcclibdir="`gcc -print-file-name=libgcc_s.so` | ..." #CC_SEARCH_FLAGS="${CC_SEARCH_FLAGS},-R,$v9gcclibdir" -else $as_nop - if test "$arch" = "amd64 i386" +else case e in #( + e) if test "$arch" = "amd64 i386" then : # JH: static-libgcc is necessary for core Tcl, but may # not be necessary for extensions. SHLIB_LD="$SHLIB_LD -m64 -static-libgcc" -fi +fi ;; +esac fi fi -else $as_nop - +else case e in #( + e) case $system in SunOS-5.[1-9][0-9]*) # TEA specific: use LDFLAGS_DEFAULT instead of LDFLAGS SHLIB_LD='${CC} -G -z text ${LDFLAGS_DEFAULT}';; *) SHLIB_LD='/usr/ccs/bin/ld -G -z text';; esac CC_SEARCH_FLAGS='"-Wl,-R,${LIB_RUNTIME_DIR}"' LD_SEARCH_FLAGS='-R "${LIB_RUNTIME_DIR}"' - + ;; +esac fi ;; UNIX_SV* | UnixWare-5*) SHLIB_CFLAGS="-KPIC" SHLIB_LD='${CC} -G' @@ -7850,12 +8044,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ld accepts -Bexport flag" >&5 printf %s "checking for ld accepts -Bexport flag... " >&6; } if test ${tcl_cv_ld_Bexport+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) hold_ldflags=$LDFLAGS LDFLAGS="$LDFLAGS -Wl,-Bexport" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -7868,16 +8062,18 @@ } _ACEOF if ac_fn_c_try_link "$LINENO" then : tcl_cv_ld_Bexport=yes -else $as_nop - tcl_cv_ld_Bexport=no +else case e in #( + e) tcl_cv_ld_Bexport=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$hold_ldflags + LDFLAGS=$hold_ldflags ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_ld_Bexport" >&5 printf "%s\n" "$tcl_cv_ld_Bexport" >&6; } if test $tcl_cv_ld_Bexport = yes then : @@ -7950,16 +8146,16 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for SEH support in compiler" >&5 printf %s "checking for SEH support in compiler... " >&6; } if test ${tcl_cv_seh+y} then : printf %s "(cached) " >&6 -else $as_nop - if test "$cross_compiling" = yes +else case e in #( + e) if test "$cross_compiling" = yes then : tcl_cv_seh=no -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define WIN32_LEAN_AND_MEAN #include #undef WIN32_LEAN_AND_MEAN @@ -7977,18 +8173,21 @@ _ACEOF if ac_fn_c_try_run "$LINENO" then : tcl_cv_seh=yes -else $as_nop - tcl_cv_seh=no +else case e in #( + e) tcl_cv_seh=no ;; +esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext + conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_seh" >&5 printf "%s\n" "$tcl_cv_seh" >&6; } if test "$tcl_cv_seh" = "no" ; then @@ -8005,12 +8204,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for EXCEPTION_DISPOSITION support in include files" >&5 printf %s "checking for EXCEPTION_DISPOSITION support in include files... " >&6; } if test ${tcl_cv_eh_disposition+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ # define WIN32_LEAN_AND_MEAN # include # undef WIN32_LEAN_AND_MEAN @@ -8026,15 +8225,17 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_eh_disposition=yes -else $as_nop - tcl_cv_eh_disposition=no +else case e in #( + e) tcl_cv_eh_disposition=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_eh_disposition" >&5 printf "%s\n" "$tcl_cv_eh_disposition" >&6; } if test "$tcl_cv_eh_disposition" = "no" ; then @@ -8049,12 +8250,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for winnt.h that ignores VOID define" >&5 printf %s "checking for winnt.h that ignores VOID define... " >&6; } if test ${tcl_cv_winnt_ignore_void+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define VOID void #define WIN32_LEAN_AND_MEAN #include @@ -8073,15 +8274,17 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_winnt_ignore_void=yes -else $as_nop - tcl_cv_winnt_ignore_void=no +else case e in #( + e) tcl_cv_winnt_ignore_void=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_winnt_ignore_void" >&5 printf "%s\n" "$tcl_cv_winnt_ignore_void" >&6; } if test "$tcl_cv_winnt_ignore_void" = "yes" ; then @@ -8097,12 +8300,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for cast to union support" >&5 printf %s "checking for cast to union support... " >&6; } if test ${tcl_cv_cast_to_union+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { @@ -8115,15 +8318,17 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_cast_to_union=yes -else $as_nop - tcl_cv_cast_to_union=no +else case e in #( + e) tcl_cv_cast_to_union=no ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_cast_to_union" >&5 printf "%s\n" "$tcl_cv_cast_to_union" >&6; } if test "$tcl_cv_cast_to_union" = "yes"; then @@ -8162,12 +8367,12 @@ tcl_flags="" if test ${tcl_cv_flag__isoc99_source+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { @@ -8177,12 +8382,12 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_flag__isoc99_source=no -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define _ISOC99_SOURCE 1 #include int main (void) @@ -8193,16 +8398,19 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_flag__isoc99_source=yes -else $as_nop - tcl_cv_flag__isoc99_source=no +else case e in #( + e) tcl_cv_flag__isoc99_source=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi if test "x${tcl_cv_flag__isoc99_source}" = "xyes" ; then printf "%s\n" "#define _ISOC99_SOURCE 1" >>confdefs.h @@ -8213,12 +8421,12 @@ if test "${TCL_MAJOR_VERSION}" -ne 8 ; then if test ${tcl_cv_flag__file_offset_bits+y} then : printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { @@ -8228,12 +8436,12 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_flag__file_offset_bits=no -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define _FILE_OFFSET_BITS 64 #include int main (void) @@ -8244,16 +8452,19 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_flag__file_offset_bits=yes -else $as_nop - tcl_cv_flag__file_offset_bits=no +else case e in #( + e) tcl_cv_flag__file_offset_bits=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi if test "x${tcl_cv_flag__file_offset_bits}" = "xyes" ; then printf "%s\n" "#define _FILE_OFFSET_BITS 64" >>confdefs.h @@ -8274,12 +8485,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for 64-bit integer type" >&5 printf %s "checking for 64-bit integer type... " >&6; } if test ${tcl_cv_type_64bit+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) tcl_cv_type_64bit=none # See if the compiler knows natively about __int64 cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -8292,35 +8503,37 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_type_64bit=__int64 -else $as_nop - tcl_type_64bit="long long" +else case e in #( + e) tcl_type_64bit="long long" ;; +esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext # See if we could use long anyway Note that we substitute in the # type that is our current guess for a 64-bit type inside this check # program, so it should be modified only carefully... - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { switch (0) { - case 1: case (sizeof(${tcl_type_64bit})==sizeof(long)): ; - } + case 1: case (sizeof(${tcl_type_64bit})==sizeof(long)): ; + } ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_type_64bit=${tcl_type_64bit} fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi if test "${tcl_cv_type_64bit}" = none ; then printf "%s\n" "#define TCL_WIDE_INT_IS_LONG 1" >>confdefs.h @@ -8345,12 +8558,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for 64-bit time_t" >&5 printf %s "checking for 64-bit time_t... " >&6; } if test ${tcl_cv_time_t_64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) @@ -8361,14 +8574,16 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_time_t_64=yes -else $as_nop - tcl_cv_time_t_64=no +else case e in #( + e) tcl_cv_time_t_64=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_time_t_64" >&5 printf "%s\n" "$tcl_cv_time_t_64" >&6; } if test "x${tcl_cv_time_t_64}" = "xno" ; then # Note that _TIME_BITS=64 requires _FILE_OFFSET_BITS=64 @@ -8376,12 +8591,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if _TIME_BITS=64 enables 64-bit time_t" >&5 printf %s "checking if _TIME_BITS=64 enables 64-bit time_t... " >&6; } if test ${tcl_cv__time_bits+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define _TIME_BITS 64 #include int @@ -8393,14 +8608,16 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv__time_bits=yes -else $as_nop - tcl_cv__time_bits=no +else case e in #( + e) tcl_cv__time_bits=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv__time_bits" >&5 printf "%s\n" "$tcl_cv__time_bits" >&6; } if test "x${tcl_cv__time_bits}" = "xyes" ; then @@ -8413,12 +8630,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for struct dirent64" >&5 printf %s "checking for struct dirent64... " >&6; } if test ${tcl_cv_struct_dirent64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int @@ -8430,14 +8647,16 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_struct_dirent64=yes -else $as_nop - tcl_cv_struct_dirent64=no +else case e in #( + e) tcl_cv_struct_dirent64=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_struct_dirent64" >&5 printf "%s\n" "$tcl_cv_struct_dirent64" >&6; } if test "x${tcl_cv_struct_dirent64}" = "xyes" ; then @@ -8448,32 +8667,34 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for DIR64" >&5 printf %s "checking for DIR64... " >&6; } if test ${tcl_cv_DIR64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main (void) { struct dirent64 *p; DIR64 d = opendir64("."); - p = readdir64(d); rewinddir64(d); closedir64(d); + p = readdir64(d); rewinddir64(d); closedir64(d); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_DIR64=yes -else $as_nop - tcl_cv_DIR64=no +else case e in #( + e) tcl_cv_DIR64=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_DIR64" >&5 printf "%s\n" "$tcl_cv_DIR64" >&6; } if test "x${tcl_cv_DIR64}" = "xyes" ; then @@ -8484,12 +8705,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for struct stat64" >&5 printf %s "checking for struct stat64... " >&6; } if test ${tcl_cv_struct_stat64+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) @@ -8501,14 +8722,16 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_struct_stat64=yes -else $as_nop - tcl_cv_struct_stat64=no +else case e in #( + e) tcl_cv_struct_stat64=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_struct_stat64" >&5 printf "%s\n" "$tcl_cv_struct_stat64" >&6; } if test "x${tcl_cv_struct_stat64}" = "xyes" ; then @@ -8532,12 +8755,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for off64_t" >&5 printf %s "checking for off64_t... " >&6; } if test ${tcl_cv_type_off64_t+y} then : printf %s "(cached) " >&6 -else $as_nop - +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) @@ -8549,19 +8772,21 @@ } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_type_off64_t=yes -else $as_nop - tcl_cv_type_off64_t=no +else case e in #( + e) tcl_cv_type_off64_t=no ;; +esac fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac fi if test "x${tcl_cv_type_off64_t}" = "xyes" && \ - test "x${ac_cv_func_lseek64}" = "xyes" && \ - test "x${ac_cv_func_open64}" = "xyes" ; then + test "x${ac_cv_func_lseek64}" = "xyes" && \ + test "x${ac_cv_func_open64}" = "xyes" ; then printf "%s\n" "#define HAVE_TYPE_OFF64_T 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } @@ -8583,12 +8808,13 @@ printf %s "checking for build with symbols... " >&6; } # Check whether --enable-symbols was given. if test ${enable_symbols+y} then : enableval=$enable_symbols; tcl_ok=$enableval -else $as_nop - tcl_ok=no +else case e in #( + e) tcl_ok=no ;; +esac fi if test "$tcl_ok" = "no"; then CFLAGS_DEFAULT="${CFLAGS_OPTIMIZE} -DNDEBUG" LDFLAGS_DEFAULT="${LDFLAGS_OPTIMIZE}" @@ -8641,18 +8867,18 @@ # depends on values set by the TEA_ENABLE_SHARED, TEA_ENABLE_SYMBOLS, # and TEA_LOAD_TCLCONFIG macros above. #-------------------------------------------------------------------- -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 -printf %s "checking for grep that handles long lines and -e... " >&6; } -if test ${ac_cv_path_GREP+y} +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for egrep -e" >&5 +printf %s "checking for egrep -e... " >&6; } +if test ${ac_cv_path_EGREP_TRADITIONAL+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -z "$GREP"; then - ac_path_GREP_found=false +else case e in #( + e) if test -z "$EGREP_TRADITIONAL"; then + ac_path_EGREP_TRADITIONAL_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS @@ -8662,69 +8888,59 @@ *) as_dir=$as_dir/ ;; esac for ac_prog in grep ggrep do for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_GREP="$as_dir$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_GREP" || continue -# Check for GNU ac_path_GREP and select it if it is found. - # Check for GNU $ac_path_GREP -case `"$ac_path_GREP" --version 2>&1` in + ac_path_EGREP_TRADITIONAL="$as_dir$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_EGREP_TRADITIONAL" || continue +# Check for GNU ac_path_EGREP_TRADITIONAL and select it if it is found. + # Check for GNU $ac_path_EGREP_TRADITIONAL +case `"$ac_path_EGREP_TRADITIONAL" --version 2>&1` in #( *GNU*) - ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; + ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL" ac_path_EGREP_TRADITIONAL_found=:;; +#( *) ac_count=0 printf %s 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" - printf "%s\n" 'GREP' >> "conftest.nl" - "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break + printf "%s\n" 'EGREP_TRADITIONAL' >> "conftest.nl" + "$ac_path_EGREP_TRADITIONAL" -E 'EGR(EP|AC)_TRADITIONAL$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_GREP_max-0}; then + if test $ac_count -gt ${ac_path_EGREP_TRADITIONAL_max-0}; then # Best one so far, save it but keep looking for a better one - ac_cv_path_GREP="$ac_path_GREP" - ac_path_GREP_max=$ac_count + ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL" + ac_path_EGREP_TRADITIONAL_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac - $ac_path_GREP_found && break 3 + $ac_path_EGREP_TRADITIONAL_found && break 3 done done done IFS=$as_save_IFS - if test -z "$ac_cv_path_GREP"; then - as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 - fi -else - ac_cv_path_GREP=$GREP -fi - -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 -printf "%s\n" "$ac_cv_path_GREP" >&6; } - GREP="$ac_cv_path_GREP" - - -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 -printf %s "checking for egrep... " >&6; } -if test ${ac_cv_path_EGREP+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 - then ac_cv_path_EGREP="$GREP -E" - else - if test -z "$EGREP"; then - ac_path_EGREP_found=false + if test -z "$ac_cv_path_EGREP_TRADITIONAL"; then + : + fi +else + ac_cv_path_EGREP_TRADITIONAL=$EGREP_TRADITIONAL +fi + + if test "$ac_cv_path_EGREP_TRADITIONAL" +then : + ac_cv_path_EGREP_TRADITIONAL="$ac_cv_path_EGREP_TRADITIONAL -E" +else case e in #( + e) if test -z "$EGREP_TRADITIONAL"; then + ac_path_EGREP_TRADITIONAL_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS @@ -8734,58 +8950,60 @@ *) as_dir=$as_dir/ ;; esac for ac_prog in egrep do for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_EGREP="$as_dir$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_EGREP" || continue -# Check for GNU ac_path_EGREP and select it if it is found. - # Check for GNU $ac_path_EGREP -case `"$ac_path_EGREP" --version 2>&1` in + ac_path_EGREP_TRADITIONAL="$as_dir$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_EGREP_TRADITIONAL" || continue +# Check for GNU ac_path_EGREP_TRADITIONAL and select it if it is found. + # Check for GNU $ac_path_EGREP_TRADITIONAL +case `"$ac_path_EGREP_TRADITIONAL" --version 2>&1` in #( *GNU*) - ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; + ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL" ac_path_EGREP_TRADITIONAL_found=:;; +#( *) ac_count=0 printf %s 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" - printf "%s\n" 'EGREP' >> "conftest.nl" - "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + printf "%s\n" 'EGREP_TRADITIONAL' >> "conftest.nl" + "$ac_path_EGREP_TRADITIONAL" 'EGR(EP|AC)_TRADITIONAL$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_EGREP_max-0}; then + if test $ac_count -gt ${ac_path_EGREP_TRADITIONAL_max-0}; then # Best one so far, save it but keep looking for a better one - ac_cv_path_EGREP="$ac_path_EGREP" - ac_path_EGREP_max=$ac_count + ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL" + ac_path_EGREP_TRADITIONAL_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac - $ac_path_EGREP_found && break 3 + $ac_path_EGREP_TRADITIONAL_found && break 3 done done done IFS=$as_save_IFS - if test -z "$ac_cv_path_EGREP"; then + if test -z "$ac_cv_path_EGREP_TRADITIONAL"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else - ac_cv_path_EGREP=$EGREP -fi - - fi -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 -printf "%s\n" "$ac_cv_path_EGREP" >&6; } - EGREP="$ac_cv_path_EGREP" - + ac_cv_path_EGREP_TRADITIONAL=$EGREP_TRADITIONAL +fi + ;; +esac +fi ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP_TRADITIONAL" >&5 +printf "%s\n" "$ac_cv_path_EGREP_TRADITIONAL" >&6; } + EGREP_TRADITIONAL=$ac_cv_path_EGREP_TRADITIONAL if test "${TEA_PLATFORM}" = "windows" -a "$GCC" != "yes"; then MAKE_STATIC_LIB="\${STLIB_LD} -out:\$@ \$(PKG_OBJECTS)" MAKE_SHARED_LIB="\${SHLIB_LD} \${LDFLAGS} \${LDFLAGS_DEFAULT} -out:\$@ \$(PKG_OBJECTS) \${SHLIB_LD_LIBS}" @@ -8796,11 +9014,11 @@ print("manifest needed") #endif _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "manifest needed" >/dev/null 2>&1 + $EGREP_TRADITIONAL "manifest needed" >/dev/null 2>&1 then : # Could do a CHECK_PROG for mt, but should always be with MSVC8+ VC_MANIFEST_EMBED_DLL="if test -f \$@.manifest ; then mt.exe -nologo -manifest \$@.manifest -outputresource:\$@\;2 ; fi" VC_MANIFEST_EMBED_EXE="if test -f \$@.manifest ; then mt.exe -nologo -manifest \$@.manifest -outputresource:\$@\;1 ; fi" @@ -8831,17 +9049,22 @@ # substituted. (@@@ Might not be necessary anymore) #-------------------------------------------------------------------- PACKAGE_LIB_PREFIX8="${PACKAGE_LIB_PREFIX}" PACKAGE_LIB_PREFIX9="${PACKAGE_LIB_PREFIX}tcl9" - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then PACKAGE_LIB_PREFIX="${PACKAGE_LIB_PREFIX9}" else PACKAGE_LIB_PREFIX="${PACKAGE_LIB_PREFIX8}" printf "%s\n" "#define TCL_MAJOR_VERSION 8" >>confdefs.h + fi + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tk8}" != x; then + +printf "%s\n" "#define TK_MAJOR_VERSION 8" >>confdefs.h + fi if test "${TEA_PLATFORM}" = "windows" ; then if test "${SHARED_BUILD}" = "1" ; then # We force the unresolved linking of symbols that are really in # the private libraries of Tcl and Tk. @@ -8862,11 +9085,11 @@ eval eval "PKG_LIB_FILE8=${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE9=${PACKAGE_LIB_PREFIX9}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE=${PACKAGE_LIB_PREFIX}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" fi # Some packages build their own stubs libraries - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then eval eval "PKG_STUB_LIB_FILE=${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub.a" else eval eval "PKG_STUB_LIB_FILE=${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub${UNSHARED_LIB_SUFFIX}" fi if test "$GCC" = "yes"; then @@ -8890,11 +9113,11 @@ eval eval "PKG_LIB_FILE8=lib${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE9=lib${PACKAGE_LIB_PREFIX9}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE=lib${PACKAGE_LIB_PREFIX}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" fi # Some packages build their own stubs libraries - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then eval eval "PKG_STUB_LIB_FILE=lib${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub.a" else eval eval "PKG_STUB_LIB_FILE=lib${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub${UNSHARED_LIB_SUFFIX}" fi fi @@ -8921,20 +9144,20 @@ # This marco includes the TCL TLS specific functions to set the # OpenSSL or LibreSSL config. #-------------------------------------------------------------------- - if test -n "$ac_tool_prefix"; then + if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_PKG_CONFIG+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$PKG_CONFIG"; then +else case e in #( + e) if test -n "$PKG_CONFIG"; then ac_cv_prog_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -8952,11 +9175,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi PKG_CONFIG=$ac_cv_prog_PKG_CONFIG if test -n "$PKG_CONFIG"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 printf "%s\n" "$PKG_CONFIG" >&6; } @@ -8974,12 +9198,12 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_PKG_CONFIG+y} then : printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_PKG_CONFIG"; then +else case e in #( + e) if test -n "$ac_ct_PKG_CONFIG"; then ac_cv_prog_ac_ct_PKG_CONFIG="$ac_ct_PKG_CONFIG" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do @@ -8997,11 +9221,12 @@ fi done done IFS=$as_save_IFS -fi +fi ;; +esac fi ac_ct_PKG_CONFIG=$ac_cv_prog_ac_ct_PKG_CONFIG if test -n "$ac_ct_PKG_CONFIG"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_PKG_CONFIG" >&5 printf "%s\n" "$ac_ct_PKG_CONFIG" >&6; } @@ -9023,16 +9248,38 @@ fi else PKG_CONFIG="$ac_cv_prog_PKG_CONFIG" fi + + # Check whether --enable-ssl3 was given. +if test ${enable_ssl3+y} +then : + enableval=$enable_ssl3; + if test "$enableval" == "no"; then + +printf "%s\n" "#define NO_SSL3 1" >>confdefs.h + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for disable SSL3 protocol" >&5 +printf %s "checking for disable SSL3 protocol... " >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + fi + +else case e in #( + e) +printf "%s\n" "#define NO_SSL3 1" >>confdefs.h + ;; +esac +fi + # Check whether --enable-tls1 was given. if test ${enable_tls1+y} then : enableval=$enable_tls1; - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then printf "%s\n" "#define NO_TLS1 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for disable TLS1 protocol" >&5 printf %s "checking for disable TLS1 protocol... " >&6; } @@ -9045,11 +9292,11 @@ # Check whether --enable-tls1_1 was given. if test ${enable_tls1_1+y} then : enableval=$enable_tls1_1; - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then printf "%s\n" "#define NO_TLS1_1 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for disable TLS1.1 protocol" >&5 printf %s "checking for disable TLS1.1 protocol... " >&6; } @@ -9062,11 +9309,11 @@ # Check whether --enable-tls1_2 was given. if test ${enable_tls1_2+y} then : enableval=$enable_tls1_2; - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then printf "%s\n" "#define NO_TLS1_2 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for disable TLS1.2 protocol" >&5 printf %s "checking for disable TLS1.2 protocol... " >&6; } @@ -9079,11 +9326,11 @@ # Check whether --enable-tls1_3 was given. if test ${enable_tls1_3+y} then : enableval=$enable_tls1_3; - if test "${enableval}" = "no"; then + if test "$enableval" == "no"; then printf "%s\n" "#define NO_TLS1_3 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for disable TLS1.3 protocol" >&5 printf %s "checking for disable TLS1.3 protocol... " >&6; } @@ -9092,24 +9339,49 @@ fi fi + + # Check whether --enable-debug was given. +if test ${enable_debug+y} +then : + enableval=$enable_debug; + tcltls_debug_mode="$enableval" + +else case e in #( + e) + tcltls_debug_mode='no' + ;; +esac +fi + + if test "$tcltls_debug_mode" == 'yes'; then + +printf "%s\n" "#define TCLEXT_TCLTLS_DEBUG 1" >>confdefs.h + + fi + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for debug mode" >&5 +printf %s "checking for debug mode... " >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcltls_debug_mode" >&5 +printf "%s\n" "$tcltls_debug_mode" >&6; } + # Check whether --enable-ssl-fastpath was given. if test ${enable_ssl_fastpath+y} then : enableval=$enable_ssl_fastpath; tcltls_ssl_fastpath="$enableval" -else $as_nop - +else case e in #( + e) tcltls_ssl_fastpath='no' - + ;; +esac fi - if test "$tcltls_ssl_fastpath" = 'yes'; then + if test "$tcltls_ssl_fastpath" == 'yes'; then printf "%s\n" "#define TCLTLS_SSL_USE_FASTPATH 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for fast path" >&5 @@ -9122,18 +9394,19 @@ if test ${enable_hardening+y} then : enableval=$enable_hardening; tcltls_enable_hardening="$enableval" -else $as_nop - +else case e in #( + e) tcltls_enable_hardening='yes' - + ;; +esac fi - if test "$tcltls_enable_hardening" = 'yes'; then - if test "$GCC" = 'yes' -o "$CC" = 'clang'; then + if test "$tcltls_enable_hardening" == 'yes'; then + if test "$GCC" == 'yes' -o "$CC" = 'clang'; then PKG_CFLAGS="$PKG_CFLAGS -fstack-protector-all" @@ -9155,14 +9428,15 @@ if test ${enable_static_ssl+y} then : enableval=$enable_static_ssl; TCLEXT_TLS_STATIC_SSL="$enableval" -else $as_nop - +else case e in #( + e) TCLEXT_TLS_STATIC_SSL='no' - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for static linking of openSSL libraries" >&5 printf %s "checking for static linking of openSSL libraries... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TCLEXT_TLS_STATIC_SSL" >&5 @@ -9174,15 +9448,16 @@ if test ${with_openssl_dir+y} then : withval=$with_openssl_dir; openssldir="$withval" -else $as_nop - +else case e in #( + e) openssldir='' - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL directory" >&5 printf %s "checking for OpenSSL directory... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $openssldir" >&5 @@ -9193,37 +9468,36 @@ if test ${with_openssl_includedir+y} then : withval=$with_openssl_includedir; opensslincludedir="$withval" -else $as_nop - - if test ! -z "$openssldir"; then +else case e in #( + e) + if test -n "$openssldir"; then opensslincludedir="${openssldir}/include" else opensslincludedir='' fi - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL include directory" >&5 printf %s "checking for OpenSSL include directory... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $opensslincludedir" >&5 printf "%s\n" "$opensslincludedir" >&6; } - if test ! -z "$opensslincludedir"; then - if test -f "$opensslincludedir/openssl/ssl.h"; then + if test -n "$opensslincludedir"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ssl.h" >&5 +printf %s "checking for ssl.h... " >&6; } + if test -f "${opensslincludedir}/openssl/ssl.h"; then TCLTLS_SSL_CFLAGS="-I$opensslincludedir" TCLTLS_SSL_INCLUDES="-I$opensslincludedir" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ssl.h" >&5 -printf %s "checking for ssl.h... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ssl.h" >&5 -printf %s "checking for ssl.h... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } as_fn_error $? "Unable to locate ssl.h" "$LINENO" 5 fi fi @@ -9233,42 +9507,43 @@ if test ${with_openssl_libdir+y} then : withval=$with_openssl_libdir; openssllibdir="$withval" -else $as_nop - - if test ! -z "$openssldir"; then - if test "$do64bit" == 'yes'; then +else case e in #( + e) + if test -n "$openssldir"; then + if test "$do64bit" == 'yes' -a -d ${openssldir}/lib64; then openssllibdir="$openssldir/lib64" else openssllibdir="$openssldir/lib" fi else openssllibdir='' fi - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL lib directory" >&5 printf %s "checking for OpenSSL lib directory... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $openssllibdir" >&5 printf "%s\n" "$openssllibdir" >&6; } - if test ! -z "$openssllibdir"; then - if test -f "$openssllibdir/libssl${SHLIB_SUFFIX}"; then - if test "${TCLEXT_TLS_STATIC_SSL}" == 'no'; then - TCLTLS_SSL_LIBS="-L$openssllibdir -lcrypto -lssl" - #else - # Linux and Solaris - #TCLTLS_SSL_LIBS="-Wl,-Bstatic `$PKG_CONFIG --static --libs crypto ssl` -Wl,-Bdynamic" - # HPUX - # -Wl,-a,archive ... -Wl,-a,shared_archive - fi + SSL_LIBS_PATH='' + if test -n "$openssllibdir"; then + if test "$TCLEXT_TLS_STATIC_SSL" == 'no'; then + LIBEXT=${SHLIB_SUFFIX} + else + LIBEXT='.a' + fi + + if test -f "${openssllibdir}/libssl${LIBEXT}"; then + SSL_LIBS_PATH="-L$openssllibdir" else - as_fn_error $? "Unable to locate libssl${SHLIB_SUFFIX}" "$LINENO" 5 + as_fn_error $? "Unable to locate libssl${LIBEXT}" "$LINENO" 5 fi fi # Check whether --with-openssl-pkgconfig was given. @@ -9275,66 +9550,78 @@ if test ${with_openssl_pkgconfig+y} then : withval=$with_openssl_pkgconfig; opensslpkgconfigdir="$withval" -else $as_nop - +else case e in #( + e) if test -d ${libdir}/../pkgconfig; then opensslpkgconfigdir="$libdir/../pkgconfig" else opensslpkgconfigdir='' fi - + ;; +esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL pkgconfig" >&5 printf %s "checking for OpenSSL pkgconfig... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $opensslpkgconfigdir" >&5 printf "%s\n" "$opensslpkgconfigdir" >&6; } - - # Use Package Config tool to get config - pkgConfigExtraArgs='' - if test "${SHARED_BUILD}" == 0 -o "$TCLEXT_TLS_STATIC_SSL" = 'yes'; then - pkgConfigExtraArgs='--static' - fi - - if test -n "${PKG_CONFIG}"; then + if test -n "$PKG_CONFIG" -a -z "$openssldir" -a -z "$opensslincludedir" -a -z "$openssllibdir"; then + USE_PKG_CONFIG=`"${PKG_CONFIG}" --list-all | grep openssl` + + if test -n "$USE_PKG_CONFIG"; then PKG_CONFIG_PATH_SAVE="${PKG_CONFIG_PATH}" - if test -n "${opensslpkgconfigdir}"; then + if test -n "$opensslpkgconfigdir"; then if ! test -f "${opensslpkgconfigdir}/openssl.pc"; then as_fn_error $? "Unable to locate ${opensslpkgconfigdir}/openssl.pc" "$LINENO" 5 fi PKG_CONFIG_PATH="${opensslpkgconfigdir}:${PKG_CONFIG_PATH}" export PKG_CONFIG_PATH fi + + pkgConfigExtraArgs='' + if test "$SHARED_BUILD" == "0" -o "$TCLEXT_TLS_STATIC_SSL" == 'yes'; then + pkgConfigExtraArgs='--static' + fi + if test -z "$TCLTLS_SSL_LIBS"; then - TCLTLS_SSL_LIBS="`"${PKG_CONFIG}" openssl --libs $pkgConfigExtraArgs`" || as_fn_error $? "Unable to get OpenSSL Configuration" "$LINENO" 5 + TCLTLS_SSL_LIBS="$SSL_LIBS_PATH `${PKG_CONFIG} openssl --libs $pkgConfigExtraArgs`" || as_fn_error $? "Unable to get OpenSSL Configuration" "$LINENO" 5 + if test "${TCLEXT_TLS_STATIC_SSL}" == 'yes'; then + TCLTLS_SSL_LIBS="-Wl,-Bstatic $TCLTLS_SSL_LIBS -Wl,-Bdynamic" + fi fi if test -z "$TCLTLS_SSL_CFLAGS"; then TCLTLS_SSL_CFLAGS="`"${PKG_CONFIG}" openssl --cflags-only-other $pkgConfigExtraArgs`" || as_fn_error $? "Unable to get OpenSSL Configuration" "$LINENO" 5 fi if test -z "$TCLTLS_SSL_INCLUDES"; then TCLTLS_SSL_INCLUDES="`"${PKG_CONFIG}" openssl --cflags-only-I $pkgConfigExtraArgs`" || as_fn_error $? "Unable to get OpenSSL Configuration" "$LINENO" 5 fi PKG_CONFIG_PATH="${PKG_CONFIG_PATH_SAVE}" + fi fi - - if test -z "$TCLTLS_SSL_LIBS"; then - TCLTLS_SSL_LIBS="-lcrypto -lssl" - fi - if test -z "$TCLTLS_SSL_CFLAGS"; then + if test -z "$TCLTLS_SSL_CFLAGS"; then TCLTLS_SSL_CFLAGS="" fi if test -z "$TCLTLS_SSL_INCLUDES"; then if test -f /usr/include/openssl/ssl.h; then TCLTLS_SSL_INCLUDES="-I/usr/include" fi + fi + if test -z "$TCLTLS_SSL_LIBS"; then + if test "$TCLEXT_TLS_STATIC_SSL" == 'no'; then + TCLTLS_SSL_LIBS="$SSL_LIBS_PATH -lssl -lcrypto" + else + # Linux and Solaris + TCLTLS_SSL_LIBS="$SSL_LIBS_PATH -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic" + # HPUX: -Wl,-a,archive ... -Wl,-a,shared_archive + fi fi @@ -9407,41 +9694,41 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for tclsh" >&5 printf %s "checking for tclsh... " >&6; } if test -f "${TCL_BIN_DIR}/Makefile" ; then - # tclConfig.sh is in Tcl build directory - if test "${TEA_PLATFORM}" = "windows"; then - if test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" - elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" - elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" - elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" - fi - else - TCLSH_PROG="${TCL_BIN_DIR}/tclsh" - fi - else - # tclConfig.sh is in install location - if test "${TEA_PLATFORM}" = "windows"; then - TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" - else - TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}.${TCL_MINOR_VERSION}" - fi - list="`ls -d ${TCL_BIN_DIR}/../bin 2>/dev/null` \ - `ls -d ${TCL_BIN_DIR}/.. 2>/dev/null` \ - `ls -d ${TCL_PREFIX}/bin 2>/dev/null`" - for i in $list ; do - if test -f "$i/${TCLSH_PROG}" ; then - REAL_TCL_BIN_DIR="`cd "$i"; pwd`/" - break - fi - done - TCLSH_PROG="${REAL_TCL_BIN_DIR}${TCLSH_PROG}" + # tclConfig.sh is in Tcl build directory + if test "${TEA_PLATFORM}" = "windows"; then + if test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" + elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" + elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" + elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" + fi + else + TCLSH_PROG="${TCL_BIN_DIR}/tclsh" + fi + else + # tclConfig.sh is in install location + if test "${TEA_PLATFORM}" = "windows"; then + TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" + else + TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}.${TCL_MINOR_VERSION}" + fi + list="`ls -d ${TCL_BIN_DIR}/../bin 2>/dev/null` \ + `ls -d ${TCL_BIN_DIR}/.. 2>/dev/null` \ + `ls -d ${TCL_PREFIX}/bin 2>/dev/null`" + for i in $list ; do + if test -f "$i/${TCLSH_PROG}" ; then + REAL_TCL_BIN_DIR="`cd "$i"; pwd`/" + break + fi + done + TCLSH_PROG="${REAL_TCL_BIN_DIR}${TCLSH_PROG}" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ${TCLSH_PROG}" >&5 printf "%s\n" "${TCLSH_PROG}" >&6; } @@ -9477,12 +9764,12 @@ # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # -# `ac_cv_env_foo' variables (set or unset) will be overridden when -# loading this file, other *unset* `ac_cv_foo' will be assigned the +# 'ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* 'ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, @@ -9508,18 +9795,18 @@ done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) - # `set' does not quote correctly, so add quotes: double-quote + # 'set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) - # `set' quotes correctly as required by POSIX, so do not add quotes. + # 'set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | @@ -9579,13 +9866,11 @@ t quote s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g t quote b any :quote -s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g -s/\[/\\&/g -s/\]/\\&/g +s/[][ `~#$^&*(){}\\|;'\''"<>?]/\\&/g s/\$/$$/g H :any ${ g @@ -9642,25 +9927,25 @@ ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -as_nop=: if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST -else $as_nop - case `(set -o) 2>/dev/null` in #( +else case e in #( + e) case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; +esac ;; esac fi @@ -9728,11 +10013,11 @@ done IFS=$as_save_IFS ;; esac -# We did not find ourselves, most probably we were run as `sh COMMAND' +# We did not find ourselves, most probably we were run as 'sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then @@ -9755,11 +10040,10 @@ printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error - # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. @@ -9797,15 +10081,16 @@ then : eval 'as_fn_append () { eval $1+=\$2 }' -else $as_nop - as_fn_append () +else case e in #( + e) as_fn_append () { eval $1=\$$1\$2 - } + } ;; +esac fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the @@ -9815,15 +10100,16 @@ then : eval 'as_fn_arith () { as_val=$(( $* )) }' -else $as_nop - as_fn_arith () +else case e in #( + e) as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` - } + } ;; +esac fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then @@ -9902,13 +10188,13 @@ fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. + # 1) On MSYS, both 'ln -s file dir' and 'ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; 'ln -s' creates a wrapper executable. + # In both cases, we have to default to 'cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else @@ -9985,14 +10271,16 @@ } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +as_sed_cpp="y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" +as_tr_cpp="eval sed '$as_sed_cpp'" # deprecated # Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" +as_sed_sh="y%*+%pp%;s%[^_$as_cr_alnum]%_%g" +as_tr_sh="eval sed '$as_sed_sh'" # deprecated exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## @@ -10004,11 +10292,11 @@ # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by tls $as_me 1.8.0, which was -generated by GNU Autoconf 2.71. Invocation command line was +generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS @@ -10031,11 +10319,11 @@ _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ -\`$as_me' instantiates files and other configuration actions +'$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... @@ -10059,14 +10347,14 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ tls config.status 1.8.0 -configured by $0, generated by GNU Autoconf 2.71, +configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" -Copyright (C) 2021 Free Software Foundation, Inc. +Copyright (C) 2023 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' @@ -10119,12 +10407,12 @@ -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. - -*) as_fn_error $? "unrecognized option: \`$1' -Try \`$0 --help' for more information." ;; + -*) as_fn_error $? "unrecognized option: '$1' +Try '$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac @@ -10171,11 +10459,11 @@ do case $ac_config_target in "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "pkgIndex.tcl") CONFIG_FILES="$CONFIG_FILES pkgIndex.tcl" ;; - *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; + *) as_fn_error $? "invalid argument: '$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, @@ -10189,11 +10477,11 @@ # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: -# after its creation but before its name has been assigned to `$tmp'. +# after its creation but before its name has been assigned to '$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" @@ -10213,11 +10501,11 @@ } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. -# This happens for instance with `./config.status config.h'. +# This happens for instance with './config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. @@ -10379,11 +10667,11 @@ case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; - :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; + :L* | :C*:*) as_fn_error $? "invalid tag '$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: @@ -10401,23 +10689,23 @@ do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, - # because $ac_f cannot contain `:'. + # because $ac_f cannot contain ':'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || - as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; + as_fn_error 1 "cannot find input file: '$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`printf "%s\n" "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done - # Let's still pretend it is `configure' which instantiates (i.e., don't + # Let's still pretend it is 'configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` printf "%s\n" "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' @@ -10537,11 +10825,11 @@ s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF -# Neutralize VPATH when `$srcdir' = `.'. +# Neutralize VPATH when '$srcdir' = '.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub @@ -10566,13 +10854,13 @@ test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable 'datarootdir' which seems to be undefined. Please make sure it is defined" >&5 -printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable 'datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; Index: configure.ac ================================================================== --- configure.ac +++ configure.ac @@ -1,19 +1,16 @@ #!/bin/bash -norc dnl This file is an input file used by the GNU "autoconf" program to dnl generate the file "configure", which is run during Tcl installation dnl to configure the system for the local environment. -# #----------------------------------------------------------------------- # This is the configure.ac for the TclTLS extension. The only places you # should need to modify this file are marked by the string __CHANGE__. #----------------------------------------------------------------------- #----------------------------------------------------------------------- -# Set your package name and version numbers here. -# # This initializes the environment with PACKAGE_NAME and PACKAGE_VERSION # set as provided. These will also be added as -D defs in your Makefile # so you can encode the package version directly into the source files. # This will also define a special symbol for Windows (BUILD_ # so that we create the export library with the dll. @@ -60,11 +57,10 @@ #----------------------------------------------------------------------- TEA_SETUP_COMPILER #----------------------------------------------------------------------- -# __CHANGE__ # Specify the C source files to compile in TEA_ADD_SOURCES, # public headers that need to be installed in TEA_ADD_HEADERS, # stub library C source files to compile in TEA_ADD_STUB_SOURCES, # and runtime Tcl library files in TEA_ADD_TCL_SOURCES. # This defines PKG(_STUB)_SOURCES, PKG(_STUB)_OBJECTS, PKG_HEADERS @@ -75,30 +71,28 @@ TEA_ADD_HEADERS([generic/tls.h]) TEA_ADD_INCLUDES([]) TEA_ADD_LIBS([]) TEA_ADD_CFLAGS([]) TEA_ADD_STUB_SOURCES([]) -TEA_ADD_TCL_SOURCES([library/tls.tcl]) +TEA_ADD_TCL_SOURCES([library/tls.tcl license.terms README.txt]) #-------------------------------------------------------------------- -# # You can add more files to clean if your extension creates any extra # files by extending CLEANFILES. # Add pkgIndex.tcl if it is generated in the Makefile instead of ./configure # and change Makefile.in to move it from CONFIG_CLEAN_FILES to BINARIES var. # # A few miscellaneous platform-specific items: # TEA_ADD_* any platform specific compiler/build info here. #-------------------------------------------------------------------- -CONFIG_CLEAN_FILES="$CONFIG_CLEAN_FILES tls.tcl.h.* config.log config.status Makefile pkgIndex.tcl tcltls.a.linkadd tcltls.syms" +TEA_ADD_CLEANFILES([pkgIndex.tcl generic/tls.tcl.h tlsUuid.h]) + if test "${TEA_PLATFORM}" = "windows" ; then - AC_DEFINE(BUILD_tls) - AC_DEFINE(WINDOWS) - CLEANFILES="pkgIndex.tcl *.lib *.dll *.exp *.ilk *.pdb vc*.pch" + TEA_ADD_CLEANFILES([*.lib *.dll *.exp *.ilk *.pdb vc*.pch]) else - CLEANFILES="pkgIndex.tcl *.so" + TEA_ADD_CLEANFILES([*.so]) fi AC_SUBST(CLEANFILES) #-------------------------------------------------------------------- # Choose which headers you need. Extension authors should try very DELETED doc/docs.css Index: doc/docs.css ================================================================== --- doc/docs.css +++ /dev/null @@ -1,1 +0,0 @@ -body,div,p,th,td,li,dd,ul,ol,dl,dt,blockquote{font-family:Verdana,sans-serif}pre,code{font-family:courier new,Courier,monospace}pre{background-color:#f6fcec;border-top:1px solid #6a6a6a;border-bottom:1px solid #6a6a6a;padding:1em;overflow:auto}body{background-color:#fff;font-size:12px;line-height:1.25;letter-spacing:.2px;padding-left:.5em}h1,h2,h3,h4{font-family:Georgia,serif;padding-left:1em;margin-top:1em}h1{font-size:18px;color:#11577b;border-bottom:1px dotted #11577b;margin-top:0}h2{font-size:14px;color:#11577b;background-color:#c5dce8;padding-left:1em;border:1px solid #6a6a6a}h3,h4{color:#1674a4;background-color:#e8f2f6;border-bottom:1px dotted #11577b;border-top:1px dotted #11577b}h3{font-size:12px}h4{font-size:11px}.keylist dt,.arguments dt{width:20em;float:left;padding:2px;border-top:1px solid #999}.keylist dt{font-weight:700}.keylist dd,.arguments dd{margin-left:20em;padding:2px;border-top:1px solid #999}.copy{background-color:#f6fcfc;white-space:pre;font-size:80%;border-top:1px solid #6a6a6a;margin-top:2em}.tablecell{font-size:12px;padding-left:.5em;padding-right:.5em} Index: doc/tls.html ================================================================== --- doc/tls.html +++ doc/tls.html @@ -1,825 +1,837 @@ - - - - - -TLS (SSL) TCL Commands - + + + +tls - Tcl TLS extension + - - - -

Tcl Tls Extension Documentation

- -
-
NAME -
-
tls - binding to OpenSSL library - for socket and I/O channel communications.
-
-
-
SYNOPSIS
-
-
package require Tcl ?8.5?
-
package require tls
-
 
-
tls::init ?options?
-
tls::socket ?options? host port
-
tls::socket ?-server command? ?options? port
-
tls::handshake channel
-
tls::status ?-local? channel
-
tls::connection channel
-
tls::import channel ?options?
-
tls::unimport channel
-
 
-
tls::protocols
-
tls::version
-
-
-
COMMANDS
-
CALLBACK OPTIONS
-
HTTPS EXAMPLE
-
SPECIAL CONSIDERATIONS
-
SEE ALSO
-
- -
- -

NAME

- -

tls - binding to OpenSSL library -for socket and I/O channel communications.

- -

SYNOPSIS

- -

package require Tcl ?8.5?
-package require tls
-
-tls::init ?options?
-tls::socket ?options? host port
-tls::socket ?-server command? ?options? port
-tls::status ?-local? channel
-tls::connection channel
-tls::handshake channel
-tls::import channel ?options?
-tls::unimport channel
-
-tls::protocols
-tls::version
-

- -

DESCRIPTION

- + + + +
+

tls(n) 1.8 tls "Tcl TLS extension"

+

Name

+

tls - binding to the OpenSSL library for encrypted socket and I/O channel communications

+
+ + +

Description

This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol. It provides a generic -binding to OpenSSL, utilizing the -Tcl_StackChannel API in Tcl 8.4 and higher. +binding to OpenSSL, utilizing the +Tcl_StackChannel API in TCL 8.4 and higher. These sockets behave exactly the same as channels created using the built-in -socket command, along with additional options for controlling -the SSL session. -

- -

COMMANDS

- -

Typically one would use the tls::socket command -which provides compatibility with the native Tcl socket -command. In such cases tls::import should not be -used directly.

- -
-
tls::init ?options?
-
Optional function to set the default options used by - tls::socket. If you call tls::import - directly this routine has no effect. Any of the options - that tls::socket accepts can be set - using this command, though you should limit your options - to only TLS related ones.
-
 
-
tls::socket ?options? - host port
-
tls::socket ?-server command? ?options? port
-
This is a helper function that utilizes the underlying - commands (tls::import). It behaves - exactly the same as the native Tcl socket - command except the options can also include any of the - applicable tls:import - options with one additional option:
-
-
-
-autoservername bool
-
Automatically set the -servername argument to the host - argument (default is false).
-
-
- -
tls::import channel - ?options?
-
Add SSL/TLS encryption to a regular Tcl channel. It need - not be a socket, but must provide bi-directional flow. Also - set session parameters for SSL handshake.
- -
-
-
-alpn list
-
List of protocols to offer during Application-Layer - Protocol Negotiation (ALPN). For example: h2 and - http/1.1, but not h3 or quic.
-
-cadir dir
-
Set the CA certificates path. The default directory is platform - specific and can be set at compile time. This can be overridden - via the SSL_CERT_DIR environment variable.
-
-cafile filename
-
Set the certificate authority (CA) certificates file. The default - is the cert.pem file in the OpsnSSL directory. This can also be - overridden via the SSL_CERT_FILE environment variable.
-
-certfile filename
-
Specify the filename with the certificate to use.
-
-cert filename
-
Specify the contents of a certificate to use, as a DER - encoded binary value (X.509 DER).
-
-cipher string
-
List of ciphers to use. String is a colon (":") separated list - of ciphers. Ciphers can be combined - using the + character. Prefixes can be used to permanently - remove ("!"), delete ("-"), or move a cypher to the end of - the list ("+"). Keywords @STRENGTH (sort by algorithm - key length), @SECLEVEL=n (set security level to - n), and DEFAULT (use default cipher list, at start only) - can also be specified. See OpenSSL documentation for the full - list of valid values. (TLS 1.2 and earlier only)
-
-ciphersuites string
-
List of cipher suites to use. String is a colon (":") - separated list of cipher suite names. (TLS 1.3 only)
-
-command callback
-
Callback command to invoke at several points during the handshake. - This is used to pass errors and tracing information, and - it can allow Tcl scripts to perform their own certificate - validation in place of the default validation provided by - OpenSSL. See CALLBACK OPTIONS - for further discussion.
-
-dhparams filename
-
Specify the Diffie-Hellman parameters file.
-
-keyfile filename
-
Specify the private key file. (default is - value of -certfile)
-
-key filename
-
Specify the private key to use as a DER encoded value (PKCS#1 DER)
-
-model channel
-
Force this channel to share the same SSL_CTX - structure as the specified channel, and - therefore share callbacks etc.
-
-password callback
-
Callback command to invoke when OpenSSL needs to obtain a password. - Typically used to unlock the private key of a certificate. The - callback should return a string which represents the password - to be used. See CALLBACK OPTIONS - for further discussion.
-
-post_handshake bool
-
Allow post-handshake ticket updates.
-
-request bool
-
Request a certificate from peer during SSL handshake. - (default is true)
-
-require bool
-
Require a valid certificate from peer during SSL handshake. - If this is set to true, then -request must - also be set to true and a either a -cadir, -cafile, or platform - default must be provided in order to validate against. - (default is false)
-
-security_level integer
-
Set security level. Must be 0 to 5. The security level affects - the cipher suite encryption algorithms, supported ECC curves, - supported signature algorithms, DH parameter sizes, certificate - key sizes and signature algorithms. The default is 1. - Level 3 and higher disable support for session tickets and only - accept cipher suites that provide forward secrecy.
-
-server bool
-
Set to act as a server and respond with a server handshake when - a client connects and provides a client handshake. - (default is false)
-
-servername host
-
Specify server's hostname. Used to set the TLS 'Server Name - Indication' (SNI) extension. Set to the expected servername - in the server's certificate or one of the subjectAltName - alternates.
-
-session_id string
-
Session id to resume session.
-
-ssl2 bool
-
Enable use of SSL v2. (default is false)
-
-ssl3 bool
-
Enable use of SSL v3. (default is false)
-
-tls1 bool
-
Enable use of TLS v1. (default is true)
-
-tls1.1 bool
-
Enable use of TLS v1.1 (default is true)
-
-tls1.2 bool
-
Enable use of TLS v1.2 (default is true)
-
-tls1.3 bool
-
Enable use of TLS v1.3 (default is true)
-
-validatecommand callback
-
Callback command to invoke to verify or validate protocol config - parameters during the protocol negotiation phase. See - CALLBACK OPTIONS - for further discussion.
-
-
- -
tls::unimport channel
-
Provided for symmetry to tls::import, this - unstacks the encryption of a regular Tcl channel. An error - is thrown if TLS is not the top stacked channel type.
-
 
-
tls::handshake - channel
-
Forces handshake to take place, and returns 0 if - handshake is still in progress (non-blocking), or 1 if - the handshake was successful. If the handshake failed - this routine will throw an error.
-
 
-
tls::status - ?-local? channel
-
Returns the current status of an SSL channel. The result is a list - of key-value pairs describing the SSL, certificate, and certificate - verification status. If the SSL handshake has not yet completed, - an empty list is returned. If -local is specified, then the - local certificate is used.
-
- SSL Status -
-
alpn protocol
-
The protocol selected after Application-Layer Protocol - Negotiation (ALPN).
-
cipher cipher
-
The current cipher in use between for the channel.
-
peername name
-
The peername from the certificate.
-
protocol version
-
The protocol version used for the connection: - SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.
-
sbits n
-
The number of bits used for the session key.
-
signatureHashAlgorithm algorithm
-
The signature hash algorithm.
-
signatureType type
-
The signature type value.
-
verifyDepth n
-
Maximum depth for the certificate chain verification. - Default is -1, to check all.
-
verifyMode list
-
List of certificate verification modes.
-
verifyResult result
-
Certificate verification result.
-
ca_names list
-
List of the Certificate Authorities used to create the certificate.
-
-
-
- Certificate Status -
-
all string
-
Dump of all certificate info.
- -
version value
-
The certificate version.
-
serialNumber n
-
The serial number of the certificate as a hex string.
-
signature algorithm
-
Cipher algorithm used for certificate signature.
-
issuer dn
-
The distinguished name (DN) of the certificate issuer.
-
notBefore date
-
The begin date for the validity of the certificate.
-
notAfter date
-
The expiration date for the certificate.
-
subject dn
-
The distinguished name (DN) of the certificate subject. - Fields include: Common Name (CN), Organization (O), Locality - or City (L), State or Province (S), and Country Name (C).
-
issuerUniqueID string
-
The issuer unique id.
-
subjectUniqueID string
-
The subject unique id.
- -
num_extensions n
-
Number of certificate extensions.
-
extensions list
-
List of certificate extension names.
-
authorityKeyIdentifier string
-
(AKI) Key identifier of the Issuing CA certificate that signed - the SSL certificate as a hex string. This value matches the SKI - value of the Intermediate CA certificate.
-
subjectKeyIdentifier string
-
(SKI) Hash of the public key inside the certificate as a hex - string. Used to identify certificates that contain a particular - public key.
-
subjectAltName list
-
List of all of the alternative domain names, sub domains, - and IP addresses that are secured by the certificate.
-
ocsp list
-
List of all Online Certificate Status Protocol (OCSP) URLs.
- -
certificate cert
-
The PEM encoded certificate.
- -
signatureAlgorithm algorithm
-
Cipher algorithm used for the certificate signature.
-
signatureValue string
-
Certificate signature as a hex string.
-
signatureDigest version
-
Certificate signing digest as a hex string.
-
publicKeyAlgorithm algorithm
-
Certificate signature public key algorithm.
-
publicKey string
-
Certificate signature public key as a hex string.
-
bits n
-
Number of bits used for certificate signature key.
-
self_signed boolean
-
Whether the certificate signature is self signed.
- -
sha1_hash hash
-
The SHA1 hash of the certificate as a hex string.
-
sha256_hash hash
-
The SHA256 hash of the certificate as a hex string.
-
-
- -
tls::connection - channel
-
Returns the current connection status of an SSL channel. The - result is a list of key-value pairs describing the connection.
-
- SSL Status -
-
state state
-
State of the connection.
-
servername name
-
The name of the connected to server.
-
protocol version
-
The protocol version used for the connection: - SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.
-
renegotiation_allowed boolean
-
Whether protocol renegotiation is supported or not.
-
security_level level
-
The security level used for selection of ciphers, key size, etc.
-
session_reused boolean
-
Whether the session has been reused or not.
-
is_server boolean
-
Whether the connection is configured as a server (1) or client (0).
-
compression mode
-
Compression method.
-
expansion mode
-
Expansion method.
-
caList list
-
List of Certificate Authorities (CA) for X.509 certificate.
-
-
-
- Cipher Info -
-
cipher cipher
-
The current cipher in use for the connection.
-
standard_name name
-
The standard RFC name of cipher.
-
algorithm_bits n
-
The number of processed bits used for cipher.
-
secret_bits n
-
The number of secret bits used for cipher.
-
min_version version
-
The minimum protocol version for cipher.
-
cipher_is_aead boolean
-
Whether the cipher is Authenticated Encryption with - Associated Data (AEAD).
-
cipher_id id
-
The OpenSSL cipher id.
-
description string
-
A text description of the cipher.
-
handshake_digest boolean
-
Digest used during handshake.
-
-
-
- Session Info -
-
alpn protocol
-
The protocol selected after Application-Layer Protocol - Negotiation (ALPN).
-
resumable boolean
-
Whether the session can be resumed or not.
-
start_time seconds
-
Time since session started in seconds since epoch.
-
timeout seconds
-
Max duration of session in seconds before time-out.
-
lifetime seconds
-
Session ticket lifetime hint in seconds.
-
session_id binary_string
-
Unique session id for use in resuming the session.
-
session_ticket binary_string
-
Unique session ticket for use in resuming the session.
-
ticket_app_data binary_string
-
Unique session ticket application data.
-
master_key binary_string
-
Unique session master key.
-
session_cache_mode mode
-
Server cache mode (client, server, or both).
-
-
- -
tls::protocols
-
Returns a list of the supported protocols. Valid values are: - ssl2, ssl3, tls1, tls1.1, tls1.2, - and tls1.3. Exact list depends on OpenSSL version and - compile time flags.
- -
tls::version
-
Returns the OpenSSL version string.
-
- -

CALLBACK OPTIONS

- -

-As indicated above, individual channels can be given their own callbacks +socket command, along with additional options for controlling +the SSL/TLS session.

+
+

Commands

+

Typically one would use the tls::socket command to create a new encrypted +TCP socket. It is compatible with the native TCL ::socket command. +Alternatively for an existing TCP socket, the tls::import command can be +used to start TLS on the connection.

+
+
tls::init ?-option? ?value? ?-option value ...?
+

Optional function to set the default options used by tls::socket. If you +call tls::import directly, this command has no effect. This command +supports all of the same options as the tls::socket command, though you +should limit your options to only TLS related ones.

+
tls::socket ?-option? ?value? ?-option value ...? host port
+

This is a helper function that utilizes the underlying commands socket +and tls::import to create the connection. It behaves the same as the +native TCL socket command, but also supports the tls:import +command options with one additional option. It returns the channel handle id +for the new socket.

+
+
-autoservername bool
+

If true, automatically set the -servername argument to the +host argument. Default is false.

+
+
tls::socket -server command ?-option? ?value? ?-option value ...? port
+

Same as previous, but instead creates a server socket for clients to connect to +just like the Tcl socket -server command. It returns the channel +handle id for the new socket.

+
tls::import channel ?-option? ?value? ?-option value ...?
+

Start TLS encryption on TCL channel channel via a stacked channel. It +need not be a socket, but must provide bi-directional flow. Also sets session +parameters for SSL handshake. Valid options are:

+
+
-alpn list
+

List of protocols to offer during Application-Layer Protocol Negotiation +(ALPN). For example: h2 and http/1.1, but not h3 or +quic.

+
-cadir directory
+

Specifies the directory where the Certificate Authority (CA) certificates are +stored. The default is platform specific and can be set at compile time. The +default location can be overridden by the SSL_CERT_DIR environment +variable. See Certificate Validation for more details.

+
-cafile filename
+

Specifies the file with the Certificate Authority (CA) certificates to use. +The default is "cert.pem", in the OpenSSL directory. The default file can +be overridden by the SSL_CERT_FILE environment variable. See +Certificate Validation for more details.

+
-castore URI
+

Specifies the Uniform Resource Identifier (URI) for the Certificate Authority +(CA) store, which may be a single container or a catalog of containers. +Starting with OpenSSL 3.2 on Windows, set to "org.openssl.winstore://" +to use the built-in Windows Certificate Store. This store only supports root +certificate stores. See Certificate Validation for more details.

+
-certfile filename
+

Specifies the name of the file with the certificate in PEM format to use +as the local (client or server) certificate. It also contains the public key.

+
-cert string
+

Specifies the certificate to use as a DER encoded string (X.509 DER).

+
-cipher string
+

Specifies the list of ciphers to use for TLS 1.2 and earlier connections. +String is a colon ":" separated list of ciphers. +Ciphers can be combined using the "+" character. +Prefixes can be used to permanently remove "!", delete "-", or +move to the end "+" a specified cipher. +Keywords @STRENGTH (sort by algorithm key length), +@SECLEVEL=n (set security level to n), and +DEFAULT (use default cipher list, at start only) can also be specified. +See the OpenSSL +documentation for the full list of valid values.

+
-ciphersuites string
+

Specifies the list of cipher suites to use for TLS 1.3 as a colon +":" separated list of cipher suite names. See the +OpenSSL +documentation for the full list of valid values.

+
-command callback
+

Specifies the callback command to be invoked at several points during the +handshake to pass errors, tracing information, and protocol messages. +See Callback Options for more info.

+
-dhparams filename
+

Specifies the Diffie-Hellman (DH) parameters file.

+
-keyfile filename
+

Specifies the private key file. The default value is to use the file +specified by the -certfile option.

+
-key string
+

Specifies the private key to use as a DER encoded string (PKCS#1 DER).

+
-model channel
+

Force this channel to share the same SSL_CTX structure as the +specified channel, and therefore share config, callbacks, etc.

+
-password callback
+

Specifies the callback command to invoke when OpenSSL needs to obtain a +password. This is typically used to unlock the private key of a certificate. +The callback should return a password string. See Callback Options +for more info.

+
-post_handshake bool
+

Allow post-handshake session ticket updates.

+
-request bool
+

Request a certificate from peer during the SSL handshake. This is needed to do +Certificate Validation. Default is true. +See Certificate Validation for more details.

+
-require bool
+

Require a valid certificate from peer during the SSL handshake. If this is set to +true, then -request must also be set to true and a either -cadir, +-cafile, -castore, or a platform default must be provided in order to +validate against. The default is false since not all platforms have +certificates to validate against in a form compatible with OpenSSL. +See Certificate Validation for more details.

+
-security_level integer
+

Specifies the security level (value from 0 to 5). The security level affects +the allowed cipher suite encryption algorithms, supported ECC curves, +supported signature algorithms, DH parameter sizes, certificate key sizes +and signature algorithms. The default is 1 prior to OpenSSL 3.2 and 2 +thereafter. Level 3 and higher disable support for session tickets and +only accept cipher suites that provide forward secrecy.

+
-server bool
+

Specifies whether to act as a server and respond with a server handshake when a +client connects and provides a client handshake. The default is false.

+
-servername hostname
+

Specify the peer's hostname. This is used to set the TLS Server Name +Indication (SNI) extension. Set this to the expected servername in the +server's certificate or one of the Subject Alternate Names (SAN).

+
-session_id binary_string
+

Specifies the session id to resume a session. Not supported yet.

+
-ssl2 bool
+

Enable use of SSL v2. The default is false. Note: Recent versions of +OpenSSL no longer support SSLv2, so this may not have any effect. See the +tls::protocols command for supported protocols.

+
-ssl3 bool
+

Enable use of SSL v3. The default is false. Note: Recent versions +of OpenSSL may have this disabled at compile time, so this may not have any +effect. See the tls::protocols command for supported protocols.

+
-tls1 bool
+

Enable use of TLS v1. The default is true. Note: TLS 1.0 needs +SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. +See the -security_level option.

+
-tls1.1 bool
+

Enable use of TLS v1.1. The default is true. Note: TLS 1.1 needs +SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. +See the -security_level option.

+
-tls1.2 bool
+

Enable use of TLS v1.2. The default is true.

+
-tls1.3 bool
+

Enable use of TLS v1.3. The default is true.

+
-validatecommand callback
+

Specifies the callback command to invoke to validate the peer certificates +and other config info during the protocol negotiation phase. This can be used +by TCL scripts to perform their own Certificate Validation to supplement the +default validation provided by OpenSSL. The script must return a boolean true +to continue the negotiation. See Callback Options for more info.

+
+
tls::unimport channel
+

Compliment to tls::import. Used to remove the top level stacked channel +from channel. This unstacks the encryption of a regular TCL channel. An +error is thrown if TLS is not the top stacked channel type.

+
tls::handshake channel
+

Forces the TLS negotiation handshake to take place immediately, and returns 0 +if handshake is still in progress (non-blocking), or 1 if the handshake was +successful. If the handshake failed, an error will be returned.

+
tls::status ?-local? channel
+

Returns the current status of an SSL channel. The result is a list of key-value +pairs describing the SSL, certificate, and certificate verification status. If +the SSL handshake has not yet completed, an empty list is returned. If the +-local option is specified, then the local certificate is used. Returned +values include:

+

SSL Status

+
+
alpn protocol
+

The protocol selected after Application-Layer Protocol Negotiation (ALPN).

+
cipher cipher
+

The current cipher in use for the session.

+
peername name
+

The peername from the certificate.

+
protocol version
+

The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.

+
sbits n
+

The number of bits used for the session key.

+
signatureHashAlgorithm algorithm
+

The signature hash algorithm.

+
signatureType type
+

The signature type value.

+
verifyDepth n
+

Maximum depth for the certificate chain verification. Default is -1, to check all.

+
verifyMode list
+

List of certificate verification modes.

+
verifyResult result
+

Certificate verification result.

+
ca_names list
+

List of the Certificate Authorities used to create the certificate.

+
+

Certificate Status

+
+
all string
+

Dump of all certificate info.

+
version value
+

The certificate version.

+
serialNumber string
+

The serial number of the certificate as a hex string.

+
signature algorithm
+

Cipher algorithm used for certificate signature.

+
issuer string
+

The distinguished name (DN) of the certificate issuer.

+
notBefore date
+

The beginning date of the certificate validity.

+
notAfter date
+

The expiration date of the certificate validity.

+
subject string
+

The distinguished name (DN) of the certificate subject. Fields include: Common +Name (CN), Organization (O), Locality or City (L), State or Province (S), and +Country Name (C).

+
issuerUniqueID string
+

The issuer unique id.

+
subjectUniqueID string
+

The subject unique id.

+
num_extensions n
+

Number of certificate extensions.

+
extensions list
+

List of certificate extension names.

+
authorityKeyIdentifier string
+

Authority Key Identifier (AKI) of the Issuing CA certificate that signed the +SSL certificate as a hex string. This value matches the SKI value of the +Intermediate CA certificate.

+
subjectKeyIdentifier string
+

Subject Key Identifier (SKI) hash of the public key inside the certificate as a +hex string. Used to identify certificates that contain a particular public key.

+
subjectAltName list
+

List of all of the Subject Alternative Names (SAN) including domain names, sub +domains, and IP addresses that are secured by the certificate.

+
ocsp list
+

List of all Online Certificate Status Protocol (OCSP) URLs that can be used to +check the validity of this certificate.

+
certificate cert
+

The PEM encoded certificate.

+
signatureAlgorithm algorithm
+

Cipher algorithm used for the certificate signature.

+
signatureValue string
+

Certificate signature as a hex string.

+
signatureDigest version
+

Certificate signing digest as a hex string.

+
publicKeyAlgorithm algorithm
+

Certificate signature public key algorithm.

+
publicKey string
+

Certificate signature public key as a hex string.

+
bits n
+

Number of bits used for certificate signature key.

+
self_signed boolean
+

Whether the certificate signature is self signed.

+
sha1_hash hash
+

The SHA1 hash of the certificate as a hex string.

+
sha256_hash hash
+

The SHA256 hash of the certificate as a hex string.

+
+
tls::connection channel
+

Returns the current connection status of an SSL channel. The result is a list +of key-value pairs describing the connection. Returned values include:

+

SSL Status

+
+
state state
+

State of the connection.

+
servername name
+

The name of the connected to server.

+
protocol version
+

The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.

+
renegotiation_allowed boolean
+

Whether protocol renegotiation is supported or not.

+
security_level level
+

The security level used for selection of ciphers, key size, etc.

+
session_reused boolean
+

Whether the session has been reused or not.

+
is_server boolean
+

Whether the connection is configured as a server (1) or client (0).

+
compression mode
+

Compression method.

+
expansion mode
+

Expansion method.

+
caList list
+

List of Certificate Authorities (CA) for X.509 certificate.

+
+

Cipher Info

+
+
cipher cipher
+

The current cipher in use for the connection.

+
standard_name name
+

The standard RFC name of cipher.

+
algorithm_bits n
+

The number of processed bits used for cipher.

+
secret_bits n
+

The number of secret bits used for cipher.

+
min_version version
+

The minimum protocol version for cipher.

+
cipher_is_aead boolean
+

Whether the cipher is Authenticated Encryption with Associated Data (AEAD).

+
cipher_id id
+

The OpenSSL cipher id.

+
description string
+

A text description of the cipher.

+
handshake_digest boolean
+

Digest used during handshake.

+
+

Session Info

+
+
alpn protocol
+

The protocol selected after Application-Layer Protocol Negotiation (ALPN).

+
resumable boolean
+

Whether the session can be resumed or not.

+
start_time seconds
+

Time since session started in seconds since epoch.

+
timeout seconds
+

Max duration of session in seconds before time-out.

+
lifetime seconds
+

Session ticket lifetime hint in seconds.

+
session_id binary_string
+

Unique session id for use in resuming the session.

+
session_ticket binary_string
+

Unique session ticket for use in resuming the session.

+
ticket_app_data binary_string
+

Unique session ticket application data.

+
master_key binary_string
+

Unique session master key.

+
session_cache_mode mode
+

Server cache mode (client, server, or both).

+
+
tls::ciphers ?protocol? ?verbose? ?supported?
+

Without any args, returns a list of all symmetric ciphers for use with the +-cipher option. With protocol, only the ciphers supported for that +protocol are returned. See the tls::protocols command for the supported +protocols. If verbose is specified as true then a verbose, human readable +list is returned with additional information on the cipher. If supported +is specified as true, then only the ciphers supported for protocol will be listed.

+
tls::protocols
+

Returns a list of the supported SSL/TLS protocols. Valid values are: +ssl2, ssl3, tls1, tls1.1, tls1.2, and +tls1.3. Exact list depends on OpenSSL version and compile time flags.

+
tls::version
+

Returns the OpenSSL version string.

+
+
+

Certificate Validation

+

Summary of command line options

+

The following options are used for peer Certificate Validation:

+
+
-cadir directory
+

Specifies the directory where the Certificate Authority (CA) certificates are +stored. The default is platform specific, but is usually "/etc/ssl/certs" on +Linux/Unix systems. The default location can be overridden by the +SSL_CERT_DIR environment variable.

+
-cafile filename
+

Specifies the file with the Certificate Authority (CA) certificates to use in +PEM file format. The default is "cert.pem", in the OpenSSL directory. On +Linux/Unix systems, this is usually "/etc/ssl/ca-bundle.pem". The default file +can be overridden by the SSL_CERT_FILE environment variable.

+
-castore URI
+

Specifies the Uniform Resource Identifier (URI) for the Certificate Authority +(CA) store, which may be a single container or a catalog of containers. +Starting with OpenSSL 3.2 on Windows, set to "org.openssl.winstore://" +to use the built-in Windows Certificate Store. This store only supports root +certificate stores.

+
-request bool
+

Request a certificate from peer during the SSL handshake. This is needed to do +Certificate Validation. Default is true. In addition, the +client can manually inspect and accept or reject each certificate using the +-validatecommand option.

+
-require bool
+

Require a valid certificate from peer during the SSL handshake. If this is set +to true, then -request must also be set to true and either +-cadir, -cafile, -castore, or a platform default must be +provided in order to validate against. The default is false since not +all platforms have certificates to validate against in a form compatible with +OpenSSL. See Certificate Validation for more details.

+
+
+

When are command line options needed?

+

By default, a client TLS connection does NOT validate the server certificate +chain. This limitation is due to the lack of a common cross platform +database of Certificate Authority (CA) provided certificates to validate +against. Many Linux systems natively support OpenSSL and thus have these +certificates installed as part of the OS, but MacOS and Windows do not. In +order to use the -require option, one of the following must be true:

+
    +

  • On Linux and Unix systems with OpenSSL already installed, if the CA +certificates are stored in the standard locations, or if the SSL_CERT_DIR +or SSL_CERT_FILE environment variables are set, then -cadir, +-cadir, and -castore aren't needed.

    • +

  • If OpenSSL is not installed in the default location, or when using Mac OS +or Windows and OpenSSL is installed, the SSL_CERT_DIR and/or +SSL_CERT_FILE environment variables or the one of the -cadir, +-cadir, or -castore options must be defined.

    • +

  • On Windows, starting in OpenSSL 3.2, it is now possible to access the +built-in Windows Certificate Store from OpenSSL. This can be achieved by +setting the -castore option to "org.openssl.winstore://".

    • +

  • If OpenSSL is not installed, the CA certificates must be downloaded and +installed with the user software. The CURL team makes them available at +CA certificates extracted +from Mozilla in the "cacert.pem" file. You must then either set the +SSL_CERT_DIR and/or SSL_CERT_FILE environment variables or the +-cadir or -cafile options to the CA cert file's install +location. It is your responsibility to keep this file up to date.

    • +
+
+
+

Callback Options

+

As previously described, each channel can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the --command, -password, and --validate_command options passed to either of -tls::socket or tls::import. -If the callback generates an error, the bgerror command will be -invoked with the error information. -

- -
-
- -
-command callback
-
- Invokes the specified callback script at several points - during the OpenSSL handshake and use. See below for the possible - arguments passed to the callback script. Values returned from the - callback are ignored. - -
-
- -
- -
- error channelId message -
-
- This form of callback is invoked whenever an error occurs during the - initial connection, handshake, or I/O operations. The message - argument can be from the Tcl_ErrnoMsg, OpenSSL function - ERR_reason_error_string(), or a custom message. -
- -
- -
- info channelId major minor message type -
-
- This form of callback is invoked by the OpenSSL function - SSL_set_info_callback() during the initial connection - and handshake operations. The type argument is new for - TLS 1.8. The arguments are: -
-
    -
  • Possible values for major are: - handshake, alert, connect, accept.
    • -
  • Possible values for minor are: - start, done, read, write, loop, exit.
    • -
  • The message argument is a descriptive string which may - be generated either by SSL_state_string_long() or by - SSL_alert_desc_string_long(), depending on the context.
    • -
  • For alerts, the possible values for type are: - warning, fatal, and unknown. For others, - info is used.
    • -
-
- -
- message channelId direction version content_type message -
-
- This form of callback is invoked by the OpenSSL function - SSL_set_msg_callback() whenever a message is sent or - received during the initial connection, handshake, or I/O operations. - It is only available when OpenSSL is complied with the - enable-ssl-trace option. Arguments are: direction - is Sent or Received, version is the protocol - version, content_type is the message content type, and - message is more info from the SSL_trace API. - This callback is new for TLS 1.8. -
-
- -
- session channelId session_id ticket lifetime -
-
- This form of callback is invoked by the OpenSSL function - SSL_CTX_sess_set_new_cb() whenever a new session id is - sent by the server during the initial connection and handshake, but - can also be received later if the -post_handshake option is - used. Arguments are: session_id is the current - session identifier, ticket is the session ticket info, and - lifetime is the the ticket lifetime in seconds. - This callback is new for TLS 1.8. -
-
-
-
- -
- -
-password callback
-
- Invokes the specified callback script when OpenSSL needs to - obtain a password. See below for the possible arguments passed to - the callback script. See below for valid return values. - -
-
- -
- -
- password rwflag size -
-
- Invoked when loading or storing a PEM certificate with encryption. - Where rwflag is 0 for reading/decryption or 1 for - writing/encryption (can prompt user to confirm) and - size is the max password length in bytes. - The callback should return the password as a string. - Both arguments are new for TLS 1.8. -
-
- -
- - -
-validatecommand callback
-
- Invokes the specified callback script during handshake in - order to validate the provided value(s). See below for the possible - arguments passed to the callback script. If not specified, OpenSSL - will accept valid certificates and extensions. - To reject the value and abort the connection, the callback should return 0. - To accept the value and continue the connection, it should return 1. - To reject the value, but continue the connection, it should return 2. - -
-
- -
- -
- alpn channelId protocol match -
-
- For servers, this form of callback is invoked when the client ALPN - extension is received. If match is true, protocol - is the first -alpn option specified protocol common to both - the client and server. If not, the first client specified protocol is - used. It is called after the hello and ALPN callbacks. - This callback is new for TLS 1.8. -
- -
- -
- hello channelId servername -
-
- For servers, this form of callback is invoked during client hello - message processing. The purpose is so the server can select the - appropriate certificate to present to the client, and to make other - configuration adjustments relevant to that server name and its - configuration. It is called before the SNI and ALPN callbacks. - This callback is new for TLS 1.8. -
- -
- -
- sni channelId servername -
-
- For servers, this form of callback is invoked when the Server Name - Indication (SNI) extension is received. The servername - argument is the client provided server name in the -servername - option. The purpose is so when a server supports multiple names, the - right certificate can be used. It is called after the hello callback - but before the ALPN callback. - This callback is new for TLS 1.8. -
- -
- -
- verify channelId depth cert status error -
-
- This form of callback is invoked by OpenSSL when a new certificate - is received from the peer. It allows the client to check the - certificate verification results and choose whether to continue - or not. It is called for each certificate in the certificate chain. -
    -
  • The depth argument is the integer depth of the - certificate in the certificate chain, where 0 is the peer certificate - and higher values going up to the Certificate Authority (CA).
    • -
  • The cert argument is a list of key-value pairs similar - to those returned by - tls::status.
    • -
  • The status argument is the boolean validity of the - current certificate where 0 is invalid and 1 is valid.
    • -
  • The error argument is the error message, if any, generated - by X509_STORE_CTX_get_error().
    • -
-
-
-
-
-
-
- -

-Reference implementations of these callbacks are provided in the -distribution as tls::callback, tls::password, -and tls::validate_command respectively. Note that these are -sample implementations only. In a more realistic deployment -you would specify your own callback scripts on each TLS channel using the --command, -password, and -validate_command options. -

- -

-The default behavior when the -command and -validate_command -options are not specified is for TLS to process the associated library callbacks -internally. The default behavior when the -password option is not -specified is for TLS to process the associated library callbacks by attempting -to call tls::password. -The difference between these two behaviors is a consequence of maintaining -compatibility with earlier implementations. -

- -

- -The use of the reference callbacks tls::callback, -tls::password, and tls::validate_command -is not recommended. They may be removed from future releases. - -

- -

DEBUG

- -TLS key logging can be enabled by setting the environment variable -SSLKEYLOGFILE to the name of the file to log to. Then whenever TLS -key material is generated or received it will be logged to the file. This -is useful for logging key data for network logging tools to use to -decrypt the data. - -

-The tls::debug variable provides some additional -control over these reference callbacks. Its value is zero by default. -Higher values produce more diagnostic output, and will also force the -verify method in tls::callback to accept the -certificate, even when it is invalid if the tls::validate_command -callback is used for the -validatecommand option. -

- -

- -The use of the variable tls::debug is not recommended. -It may be removed from future releases. - -

- -

Debug Examples

- +-command, -password, and -validate_command options +passed to either of tls::socket or tls::import. +Unlike previous versions of TclTLS, only if the callback generates an error, +will the bgerror command be invoked with the error information.

+

Values for Command Callback

+

The callback for the -command option is invoked at several points during the +OpenSSL handshake and during routine operations. See below for the possible +arguments passed to the callback script. Values returned from the callback are +ignored.

+
+
error channelId message
+

This form of callback is invoked whenever an error occurs during the initial +connection, handshake, or I/O operations. The message argument can be +from the Tcl_ErrnoMsg, OpenSSL function ERR_reason_error_string(), +or a custom message. This callback is new for TclTLS 1.8.

+
info channelId major minor message type
+

This form of callback is invoked by the OpenSSL function +SSL_set_info_callback() during the initial connection and handshake +operations. The arguments are:

+
+
major
+

Major category for error. Valid enums are: handshake, alert, +connect, accept.

+
minor
+

Minor category for error. Valid enums are: start, done, read, +write, loop, exit.

+
message
+

Descriptive message string which may be generated either by +SSL_state_string_long() or SSL_alert_desc_string_long(), +depending on the context.

+
type
+

For alerts, the possible values are: warning, +fatal, and unknown. For others, info is used. +This argument is new for TclTLS 1.8.

+
+
message channelId direction version content_type message
+

This form of callback is invoked by the OpenSSL function +SSL_set_msg_callback() whenever a message is sent or received during the +initial connection, handshake, or I/O operations. It is only available when +OpenSSL is complied with the enable-ssl-trace option. This callback is +new for TclTLS 1.8. The arguments are:

+
+
direction
+

Direction is either Sent or Received.

+
version
+

Version is the protocol version.

+
content_type
+

Content type is the message content type.

+
message
+

Message is more info from the SSL_trace API. +This argument is new for TclTLS 1.8.

+
+
session channelId session_id session_ticket lifetime
+

This form of callback is invoked by the OpenSSL function +SSL_CTX_sess_set_new_cb() whenever a new session id is sent by the +server during the initial connection and handshake and also during the session +if the -post_handshake option is set to true. This callback is new for +TclTLS 1.8. The arguments are:

+
+
session_id
+

Session Id is the current session identifier

+
session_ticket
+

Ticket is the session ticket info

+
lifetime
+

Lifetime is the ticket lifetime in seconds.

+
+
verify channelId depth cert status error
+

This callback was moved to the -verify_callback in TclTLS 1.8.

+
+
+

Values for Password Callback

+

The callback for the -password option is invoked by TclTLS whenever OpenSSL needs +to obtain a password. See below for the possible arguments passed to the +callback script. The user provided password is expected to be returned by the +callback.

+
+
password rwflag size
+

Invoked when loading or storing an encrypted PEM certificate. The arguments are:

+
+
rwflag
+

The read/write flag is 0 for reading/decryption or 1 for writing/encryption. +The latter can be used to determine when to prompt the user to confirm. +This argument is new for TclTLS 1.8.

+
size
+

The size is the maximum length of the password in bytes. +This argument is new for TclTLS 1.8.

+
+
+
+

Values for Validate Command Callback

+

The callback for the -validatecommand option is invoked during the handshake +process in order for the application to validate the provided value(s). See +below for the possible arguments passed to the callback script. If not +specified, OpenSSL will accept all valid certificates and extensions. To reject +the value and abort the connection, the callback should return 0. To accept the +value and continue the connection, it should return 1. To reject the value, but +continue the connection, it should return 2. This callback is new for TclTLS 1.8.

+
+
alpn channelId protocol match
+

For servers, this form of callback is invoked when the client ALPN extension is +received. If match is true, then protocol is the first +-alpn protocol option in common to both the client and server. +If not, the first client specified protocol is used. This callback is called +after the Hello and ALPN callbacks.

+
hello channelId servername
+

For servers, this form of callback is invoked during client hello message +processing. The purpose is so the server can select the appropriate certificate +to present to the client, and to make other configuration adjustments relevant +to that server name and its configuration. It is called before the SNI and ALPN +callbacks.

+
sni channelId servername
+

For servers, this form of callback is invoked when the Server Name Indication +(SNI) extension is received. The servername argument is the client +provided server name specified in the -servername</b> option. The +purpose is so when a server supports multiple names, the right certificate +can be used. It is called after the hello callback but before the ALPN +callback.

+
verify channelId depth cert status error
+

This form of callback is invoked by OpenSSL when a new certificate is received +from the peer. It allows the client to check the certificate verification +results and choose whether to continue or not. It is called for each +certificate in the certificate chain. This callback was moved from +-command in TclTLS 1.8. The arguments are:

+
+
depth
+

The depth is the integer depth of the certificate in the certificate chain, +where 0 is the peer certificate and higher values going up to the Certificate +Authority (CA).

+
cert
+

The cert argument is a list of key-value pairs similar to those returned by +tls::status.

+
status
+

The status argument is the boolean validity of the current certificate where 0 +is invalid and 1 is valid.

+
error
+

The error argument is the error message, if any, generated by +X509_STORE_CTX_get_error().

+
+
+

Reference implementations of these callbacks are provided in "tls.tcl" +as tls::callback, tls::password, and tls::validate_command +respectively. Note that these are only sample implementations. In a more +realistic deployment you would specify your own callback scripts on each TLS +channel using the -command, -password, and +-validate_command options.

+

The default behavior when the -command and -validate_command +options are not specified, is for TclTLS to process the associated library +callbacks internally. The default behavior when the -password option +is not specified is for TclTLS to process the associated library callbacks by +attempting to call tls::password. The difference between these two +behaviors is a consequence of maintaining compatibility with earlier +implementations.

+

The use of the reference callbacks tls::callback, tls::password, +and tls::validate_command is not recommended. They may be removed from future releases.

+
+
+

Debug

+

For most debugging needs, the -callback option can be used to provide +sufficient insight and information on the TLS handshake and progress. If +further troubleshooting insight is needed, the compile time option +--enable-debug can be used to get detailed execution flow status.

+

TLS key logging can be enabled by setting the environment variable +SSLKEYLOGFILE to the name of the file to log to. Then whenever TLS key +material is generated or received it will be logged to the file. This is useful +for logging key data for network logging tools to use to decrypt the data.

+

The tls::debug variable provides some additional control over these +reference callbacks. Its value is zero by default. Higher values produce more +diagnostic output, and will also force the verify method in tls::callback +to accept the certificate, even when it is invalid if the +-validatecommand option is set to tls::validate_command.

+

The use of the variable tls::debug is not recommended. +It may be removed from future releases.

+
+

Debug Examples

These examples use the default Unix platform SSL certificates. For standard installations, -cadir and -cafile should not be needed. If your certificates are in non-standard locations, update -cadir or use -cafile as needed.

-
-Example #1: Use HTTP package - - -

+
Example #1: Use HTTP package

+
 package require http
 package require tls
-set url "https://www.tcl.tk/"
-
-http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs \
-    -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command]
-
+set url "https://www.tcl.tk/"
+http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs  -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command]
 # Check for error
 set token [http::geturl $url]
-if {[http::status $token] ne "ok"} {
-    puts [format "Error %s" [http::status $token]]
+if {[http::status $token] ne "ok"} {
+    puts [format "Error %s" [http::status $token]]
 }
-
 # Get web page
 set data [http::data $token]
 puts [string length $data]
-
 # Cleanup
 ::http::cleanup $token
-

-
-Example #2: Use raw socket
-

+

+
Example #2: Use raw socket

+
 package require tls
-
-set url "www.tcl-lang.org"
+set url "www.tcl-lang.org"
 set port 443
-
-set ch [tls::socket -autoservername 1 -servername $url -request 1 -require 1 \
-    -alpn {http/1.1} -cadir /etc/ssl/certs -command ::tls::callback \
-    -password ::tls::password -validatecommand ::tls::validate_command $url $port]
+set ch [tls::socket -autoservername 1 -servername $url -request 1 -require 1  -alpn {http/1.1} -cadir /etc/ssl/certs -command ::tls::callback  -password ::tls::password -validatecommand ::tls::validate_command $url $port]
 chan configure $ch -buffersize 65536
 tls::handshake $ch
-
-puts $ch "GET / HTTP/1.1"
+puts $ch "GET / HTTP/1.1"
 flush $ch
 after 500
 set data [read $ch]
-
 array set status [tls::status $ch]
 array set conn [tls::connection $ch]
 array set chan [chan configure $ch]
 close $ch
 parray status
 parray conn
 parray chan
-

-
-
-
HTTPS EXAMPLE

-
+
+
+

HTTP Package Examples

These examples use the default Unix platform SSL certificates. For standard installations, -cadir and -cafile should not be needed. If your certificates -are in non-standard locations, update -cadir or use -cafile as needed.

- -Example #1: Get web page - -

+are in non-standard locations, set -cadir or use -cafile as needed.

+
Example #3: Get web page

+
 package require http
 package require tls
-set url "https://www.tcl.tk/"
-
+set url "https://www.tcl.tk/"
 http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs]
-
 # Check for error
 set token [http::geturl $url]
-if {[http::status $token] ne "ok"} {
-    puts [format "Error %s" [http::status $token]]
+if {[http::status $token] ne "ok"} {
+    puts [format "Error %s" [http::status $token]]
 }
-
 # Get web page
 set data [http::data $token]
 puts $data
-
 # Cleanup
 ::http::cleanup $token
-

-
-Example #2: Download file
-
-

+

+
Example #4: Download file

+
 package require http
 package require tls
-
-set url "https://wiki.tcl-lang.org/sitemap.xml"
+set url "https://wiki.tcl-lang.org/sitemap.xml"
 set filename [file tail $url]
-
 http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs]
-
 # Get file
 set ch [open $filename wb]
 set token [::http::geturl $url -blocksize 65536 -channel $ch]
-
 # Cleanup
 close $ch
 ::http::cleanup $token
-

-
-
SPECIAL CONSIDERATIONS

-
+
+
+

Special Considerations

The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. -Use the tls::protocols commands to obtain the supported +Use the tls::protocols commands to obtain the supported protocol versions.

- -

SEE ALSO

- -

socket, fileevent, http, -OpenSSL

- -
- -
-Copyright © 1999 Matt Newman.
-Copyright © 2004 Starfish Systems.
-Copyright © 2023 Brian O'Hagan.
-
- - +
+

See Also

+

OpenSSL, http, socket

+
+

Keywords

+

I/O, IP Address, OpenSSL, SSL, TCP, TLS, TclTLS, asynchronous I/O, bind, certificate, channel, connection, domain name, host, https, network, network address, socket, tls

+
+

Category

+

tls

+
+ +
ADDED doc/tls.man Index: doc/tls.man ================================================================== --- /dev/null +++ doc/tls.man @@ -0,0 +1,949 @@ +[comment {-*- tcl -*- doctools manpage}] +[comment {To convert this to another documentation format use the dtplite + script from tcllib: dtplite -o tls.n nroff tls.man + dtplite -o tls.html html tls.man +}] +[manpage_begin tls n 1.8] +[category tls] +[copyright {1999 Matt Newman}] +[copyright {2004 Starfish Systems}] +[copyright {2024 Brian O'Hagan}] +[keywords tls I/O "IP Address" OpenSSL SSL TCP TLS "asynchronous I/O" bind certificate channel connection "domain name" host "https" "network address" network socket TclTLS] +[moddesc {Tcl TLS extension}] +[see_also http socket [uri https://www.openssl.org/ OpenSSL]] +[titledesc {binding to the OpenSSL library for encrypted socket and I/O channel communications}] +[require Tcl 8.5-] +[require tls 1.8] +[description] + +This extension provides TCL script access to secure socket communications +using the Transport Layer Security (TLS) protocol. It provides a generic +binding to [uri "https://www.openssl.org/" OpenSSL], utilizing the +[syscmd Tcl_StackChannel] API in TCL 8.4 and higher. +These sockets behave exactly the same as channels created using the built-in +[syscmd socket] command, along with additional options for controlling +the SSL/TLS session. + +[section Commands] + +Typically one would use the [cmd tls::socket] command to create a new encrypted +TCP socket. It is compatible with the native TCL [syscmd ::socket] command. +Alternatively for an existing TCP socket, the [cmd tls::import] command can be +used to start TLS on the connection. + +[list_begin definitions] + +[call [cmd tls::init] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]]] + +Optional function to set the default options used by [cmd tls::socket]. If you +call [cmd tls::import] directly, this command has no effect. This command +supports all of the same options as the [cmd tls::socket] command, though you +should limit your options to only TLS related ones. + +[call [cmd tls::socket] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg host] [arg port]] + +This is a helper function that utilizes the underlying commands [syscmd socket] +and [cmd tls::import] to create the connection. It behaves the same as the +native TCL [syscmd socket] command, but also supports the [cmd tls:import] +command options with one additional option. It returns the channel handle id +for the new socket. + +[list_begin options] + +[opt_def -autoservername [arg bool]] +If [const true], automatically set the [option -servername] argument to the +[emph host] argument. Default is [const false]. + +[list_end] + +[call [cmd tls::socket] [option -server] [arg command] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg port]] + +Same as previous, but instead creates a server socket for clients to connect to +just like the Tcl [syscmd "socket -server"] command. It returns the channel +handle id for the new socket. + +[call [cmd tls::import] [arg channel] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]]] + +Start TLS encryption on TCL channel [arg channel] via a stacked channel. It +need not be a socket, but must provide bi-directional flow. Also sets session +parameters for SSL handshake. Valid options are: + +[list_begin options] + +[opt_def -alpn [arg list]] +List of protocols to offer during Application-Layer Protocol Negotiation +(ALPN). For example: [const h2] and [const http/1.1], but not [const h3] or +[const quic]. + +[opt_def -cadir [arg directory]] +Specifies the directory where the Certificate Authority (CA) certificates are +stored. The default is platform specific and can be set at compile time. The +default location can be overridden by the [var SSL_CERT_DIR] environment +variable. See [sectref "Certificate Validation"] for more details. + +[opt_def -cafile [arg filename]] +Specifies the file with the Certificate Authority (CA) certificates to use. +The default is [file cert.pem], in the OpenSSL directory. The default file can +be overridden by the [var SSL_CERT_FILE] environment variable. See +[sectref "Certificate Validation"] for more details. + +[opt_def -castore [arg URI]] +Specifies the Uniform Resource Identifier (URI) for the Certificate Authority +(CA) store, which may be a single container or a catalog of containers. +Starting with OpenSSL 3.2 on Windows, set to "[const "org.openssl.winstore://"]" +to use the built-in Windows Certificate Store. This store only supports root +certificate stores. See [sectref "Certificate Validation"] for more details. + +[opt_def -certfile [arg filename]] +Specifies the name of the file with the certificate in PEM format to use +as the local (client or server) certificate. It also contains the public key. + +[opt_def -cert [arg string]] +Specifies the certificate to use as a DER encoded string (X.509 DER). + +[opt_def -cipher [arg string]] +Specifies the list of ciphers to use for TLS 1.2 and earlier connections. +String is a colon "[const :]" separated list of ciphers. +Ciphers can be combined using the "[const +]" character. +Prefixes can be used to permanently remove "[const !]", delete "[const -]", or +move to the end "[const +]" a specified cipher. +Keywords [const @STRENGTH] (sort by algorithm key length), +[const @SECLEVEL=][emph n] (set security level to n), and +[const DEFAULT] (use default cipher list, at start only) can also be specified. +See the [uri "https://docs.openssl.org/master/man1/openssl-ciphers/#options" OpenSSL] +documentation for the full list of valid values. + +[opt_def -ciphersuites [arg string]] +Specifies the list of cipher suites to use for TLS 1.3 as a colon +"[const :]" separated list of cipher suite names. See the +[uri "https://docs.openssl.org/master/man1/openssl-ciphers/#options" OpenSSL] +documentation for the full list of valid values. + +[opt_def -command [arg callback]] +Specifies the callback command to be invoked at several points during the +handshake to pass errors, tracing information, and protocol messages. +See [sectref "Callback Options"] for more info. + +[opt_def -dhparams [arg filename]] +Specifies the Diffie-Hellman (DH) parameters file. + +[opt_def -keyfile [arg filename]] +Specifies the private key file. The default value is to use the file +specified by the [arg -certfile] option. + +[opt_def -key [arg string]] +Specifies the private key to use as a DER encoded string (PKCS#1 DER). + +[opt_def -model [arg channel]] +Force this channel to share the same [term SSL_CTX] structure as the +specified [arg channel], and therefore share config, callbacks, etc. + +[opt_def -password [arg callback]] +Specifies the callback command to invoke when OpenSSL needs to obtain a +password. This is typically used to unlock the private key of a certificate. +The callback should return a password string. See [sectref "Callback Options"] +for more info. + +[opt_def -post_handshake [arg bool]] +Allow post-handshake session ticket updates. + +[opt_def -request [arg bool]] +Request a certificate from peer during the SSL handshake. This is needed to do +Certificate Validation. Default is [const true]. +See [sectref "Certificate Validation"] for more details. + +[opt_def -require [arg bool]] +Require a valid certificate from peer during the SSL handshake. If this is set to +true, then [option -request] must also be set to true and a either [option -cadir], +[option -cafile], [option -castore], or a platform default must be provided in order to +validate against. The default is [const false] since not all platforms have +certificates to validate against in a form compatible with OpenSSL. +See [sectref "Certificate Validation"] for more details. + +[opt_def -security_level [arg integer]] +Specifies the security level (value from 0 to 5). The security level affects +the allowed cipher suite encryption algorithms, supported ECC curves, +supported signature algorithms, DH parameter sizes, certificate key sizes +and signature algorithms. The default is 1 prior to OpenSSL 3.2 and 2 +thereafter. Level 3 and higher disable support for session tickets and +only accept cipher suites that provide forward secrecy. + +[opt_def -server [arg bool]] +Specifies whether to act as a server and respond with a server handshake when a +client connects and provides a client handshake. The default is [const false]. + +[opt_def -servername [arg hostname]] +Specify the peer's hostname. This is used to set the TLS Server Name +Indication (SNI) extension. Set this to the expected servername in the +server's certificate or one of the Subject Alternate Names (SAN). + +[opt_def -session_id [arg binary_string]] +Specifies the session id to resume a session. Not supported yet. + +[opt_def -ssl2 [arg bool]] +Enable use of SSL v2. The default is [const false]. Note: Recent versions of +OpenSSL no longer support SSLv2, so this may not have any effect. See the +[cmd tls::protocols] command for supported protocols. + +[opt_def -ssl3 [arg bool]] +Enable use of SSL v3. The default is [const false]. Note: Recent versions +of OpenSSL may have this disabled at compile time, so this may not have any +effect. See the [cmd tls::protocols] command for supported protocols. + +[opt_def -tls1 [arg bool]] +Enable use of TLS v1. The default is [const true]. Note: TLS 1.0 needs +SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. +See the [arg -security_level] option. + +[opt_def -tls1.1 [arg bool]] +Enable use of TLS v1.1. The default is [const true]. Note: TLS 1.1 needs +SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. +See the [arg -security_level] option. + +[opt_def -tls1.2 [arg bool]] +Enable use of TLS v1.2. The default is [const true]. + +[opt_def -tls1.3 [arg bool]] +Enable use of TLS v1.3. The default is [const true]. + +[opt_def -validatecommand [arg callback]] +Specifies the callback command to invoke to validate the peer certificates +and other config info during the protocol negotiation phase. This can be used +by TCL scripts to perform their own Certificate Validation to supplement the +default validation provided by OpenSSL. The script must return a boolean true +to continue the negotiation. See [sectref "Callback Options"] for more info. + +[list_end] + +[call [cmd tls::unimport] [arg channel]] + +Compliment to [cmd tls::import]. Used to remove the top level stacked channel +from [arg channel]. This unstacks the encryption of a regular TCL channel. An +error is thrown if TLS is not the top stacked channel type. + +[call [cmd tls::handshake] [arg channel]] + +Forces the TLS negotiation handshake to take place immediately, and returns 0 +if handshake is still in progress (non-blocking), or 1 if the handshake was +successful. If the handshake failed, an error will be returned. + +[call [cmd tls::status] [opt [option -local]] [arg channel]] + +Returns the current status of an SSL channel. The result is a list of key-value +pairs describing the SSL, certificate, and certificate verification status. If +the SSL handshake has not yet completed, an empty list is returned. If the +[option -local] option is specified, then the local certificate is used. Returned +values include: + +[para] + +SSL Status + +[list_begin definitions] + +[def "[var alpn] [arg protocol]"] +The protocol selected after Application-Layer Protocol Negotiation (ALPN). + +[def "[var cipher] [arg cipher]"] +The current cipher in use for the session. + +[def "[var peername] [arg name]"] +The peername from the certificate. + +[def "[var protocol] [arg version]"] +The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown. + +[def "[var sbits] [arg n]"] +The number of bits used for the session key. + +[def "[var signatureHashAlgorithm] [arg algorithm]"] +The signature hash algorithm. + +[def "[var signatureType] [arg type]"] +The signature type value. + +[def "[var verifyDepth] [arg n]"] +Maximum depth for the certificate chain verification. Default is -1, to check all. + +[def "[var verifyMode] [arg list]"] +List of certificate verification modes. + +[def "[var verifyResult] [arg result]"] +Certificate verification result. + +[def "[var ca_names] [arg list]"] +List of the Certificate Authorities used to create the certificate. + +[list_end] + +Certificate Status + +[list_begin definitions] + +[def "[var all] [arg string]"] +Dump of all certificate info. + +[def "[var version] [arg value]"] +The certificate version. + +[def "[var serialNumber] [arg string]"] +The serial number of the certificate as a hex string. + +[def "[var signature] [arg algorithm]"] +Cipher algorithm used for certificate signature. + +[def "[var issuer] [arg string]"] +The distinguished name (DN) of the certificate issuer. + +[def "[var notBefore] [arg date]"] +The beginning date of the certificate validity. + +[def "[var notAfter] [arg date]"] +The expiration date of the certificate validity. + +[def "[var subject] [arg string]"] +The distinguished name (DN) of the certificate subject. Fields include: Common +Name (CN), Organization (O), Locality or City (L), State or Province (S), and +Country Name (C). + +[def "[var issuerUniqueID] [arg string]"] +The issuer unique id. + +[def "[var subjectUniqueID] [arg string]"] +The subject unique id. + +[def "[var num_extensions] [arg n]"] +Number of certificate extensions. + +[def "[var extensions] [arg list]"] +List of certificate extension names. + +[def "[var authorityKeyIdentifier] [arg string]"] +Authority Key Identifier (AKI) of the Issuing CA certificate that signed the +SSL certificate as a hex string. This value matches the SKI value of the +Intermediate CA certificate. + +[def "[var subjectKeyIdentifier] [arg string]"] +Subject Key Identifier (SKI) hash of the public key inside the certificate as a +hex string. Used to identify certificates that contain a particular public key. + +[def "[var subjectAltName] [arg list]"] +List of all of the Subject Alternative Names (SAN) including domain names, sub +domains, and IP addresses that are secured by the certificate. + +[def "[var ocsp] [arg list]"] +List of all Online Certificate Status Protocol (OCSP) URLs that can be used to +check the validity of this certificate. + +[def "[var certificate] [arg cert]"] +The PEM encoded certificate. + +[def "[var signatureAlgorithm] [arg algorithm]"] +Cipher algorithm used for the certificate signature. + +[def "[var signatureValue] [arg string]"] +Certificate signature as a hex string. + +[def "[var signatureDigest] [arg version]"] +Certificate signing digest as a hex string. + +[def "[var publicKeyAlgorithm] [arg algorithm]"] +Certificate signature public key algorithm. + +[def "[var publicKey] [arg string]"] +Certificate signature public key as a hex string. + +[def "[var bits] [arg n]"] +Number of bits used for certificate signature key. + +[def "[var self_signed] [arg boolean]"] +Whether the certificate signature is self signed. + +[def "[var sha1_hash] [arg hash]"] +The SHA1 hash of the certificate as a hex string. + +[def "[var sha256_hash] [arg hash]"] +The SHA256 hash of the certificate as a hex string. + +[list_end] + +[call [cmd tls::connection] [arg channel]] + +Returns the current connection status of an SSL channel. The result is a list +of key-value pairs describing the connection. Returned values include: + +[para] + +SSL Status + +[list_begin definitions] + +[def "[var state] [arg state]"] +State of the connection. + +[def "[var servername] [arg name]"] +The name of the connected to server. + +[def "[var protocol] [arg version]"] +The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown. + +[def "[var renegotiation_allowed] [arg boolean]"] +Whether protocol renegotiation is supported or not. + +[def "[var security_level] [arg level]"] +The security level used for selection of ciphers, key size, etc. + +[def "[var session_reused] [arg boolean]"] +Whether the session has been reused or not. + +[def "[var is_server] [arg boolean]"] +Whether the connection is configured as a server (1) or client (0). + +[def "[var compression] [arg mode]"] +Compression method. + +[def "[var expansion] [arg mode]"] +Expansion method. + +[def "[var caList] [arg list]"] +List of Certificate Authorities (CA) for X.509 certificate. + +[list_end] + +Cipher Info + +[list_begin definitions] + +[def "[var cipher] [arg cipher]"] +The current cipher in use for the connection. + +[def "[var standard_name] [arg name]"] +The standard RFC name of cipher. + +[def "[var algorithm_bits] [arg n]"] +The number of processed bits used for cipher. + +[def "[var secret_bits] [arg n]"] +The number of secret bits used for cipher. + +[def "[var min_version] [arg version]"] +The minimum protocol version for cipher. + +[def "[var cipher_is_aead] [arg boolean]"] +Whether the cipher is Authenticated Encryption with Associated Data (AEAD). + +[def "[var cipher_id] [arg id]"] +The OpenSSL cipher id. + +[def "[var description] [arg string]"] +A text description of the cipher. + +[def "[var handshake_digest] [arg boolean]"] +Digest used during handshake. + +[list_end] + +Session Info + +[list_begin definitions] + +[def "[var alpn] [arg protocol]"] +The protocol selected after Application-Layer Protocol Negotiation (ALPN). + +[def "[var resumable] [arg boolean]"] +Whether the session can be resumed or not. + +[def "[var start_time] [arg seconds]"] +Time since session started in seconds since epoch. + +[def "[var timeout] [arg seconds]"] +Max duration of session in seconds before time-out. + +[def "[var lifetime] [arg seconds]"] +Session ticket lifetime hint in seconds. + +[def "[var session_id] [arg binary_string]"] +Unique session id for use in resuming the session. + +[def "[var session_ticket] [arg binary_string]"] +Unique session ticket for use in resuming the session. + +[def "[var ticket_app_data] [arg binary_string]"] +Unique session ticket application data. + +[def "[var master_key] [arg binary_string]"] +Unique session master key. + +[def "[var session_cache_mode] [arg mode]"] +Server cache mode (client, server, or both). + +[list_end] + +[call [cmd tls::ciphers] [opt [arg protocol]] [opt [arg verbose]] [opt [arg supported]]] + +Without any args, returns a list of all symmetric ciphers for use with the +[arg -cipher] option. With [arg protocol], only the ciphers supported for that +protocol are returned. See the [cmd tls::protocols] command for the supported +protocols. If [arg verbose] is specified as true then a verbose, human readable +list is returned with additional information on the cipher. If [arg supported] +is specified as true, then only the ciphers supported for protocol will be listed. + +[call [cmd tls::protocols]] + +Returns a list of the supported SSL/TLS protocols. Valid values are: +[const ssl2], [const ssl3], [const tls1], [const tls1.1], [const tls1.2], and +[const tls1.3]. Exact list depends on OpenSSL version and compile time flags. + +[call [cmd tls::version]] + +Returns the OpenSSL version string. + +[list_end] + + +[section "Certificate Validation"] + +[subsection "Summary of command line options"] + +The following options are used for peer Certificate Validation: + +[list_begin options] + +[opt_def -cadir [arg directory]] +Specifies the directory where the Certificate Authority (CA) certificates are +stored. The default is platform specific, but is usually [file "/etc/ssl/certs"] on +Linux/Unix systems. The default location can be overridden by the +[var SSL_CERT_DIR] environment variable. + +[opt_def -cafile [arg filename]] +Specifies the file with the Certificate Authority (CA) certificates to use in +[const PEM] file format. The default is [file cert.pem], in the OpenSSL directory. On +Linux/Unix systems, this is usually [file /etc/ssl/ca-bundle.pem]. The default file +can be overridden by the [var SSL_CERT_FILE] environment variable. + +[opt_def -castore [arg URI]] +Specifies the Uniform Resource Identifier (URI) for the Certificate Authority +(CA) store, which may be a single container or a catalog of containers. +Starting with OpenSSL 3.2 on Windows, set to "[const "org.openssl.winstore://"]" +to use the built-in Windows Certificate Store. This store only supports root +certificate stores. + +[opt_def -request [arg bool]] +Request a certificate from peer during the SSL handshake. This is needed to do +Certificate Validation. Default is [const true]. In addition, the +client can manually inspect and accept or reject each certificate using the +[arg -validatecommand] option. + +[opt_def -require [arg bool]] +Require a valid certificate from peer during the SSL handshake. If this is set +to [const true], then [arg -request] must also be set to [const true] and either +[arg -cadir], [arg -cafile], [arg -castore], or a platform default must be +provided in order to validate against. The default is [const false] since not +all platforms have certificates to validate against in a form compatible with +OpenSSL. See [sectref "Certificate Validation"] for more details. + +[list_end] + +[subsection "When are command line options needed?"] + +By default, a client TLS connection does [emph NOT] validate the server certificate +chain. This limitation is due to the lack of a common cross platform +database of Certificate Authority (CA) provided certificates to validate +against. Many Linux systems natively support OpenSSL and thus have these +certificates installed as part of the OS, but MacOS and Windows do not. In +order to use the [option -require] option, one of the following must be true: + +[list_begin itemized] + +[item] +On Linux and Unix systems with OpenSSL already installed, if the CA +certificates are stored in the standard locations, or if the [var SSL_CERT_DIR] +or [var SSL_CERT_FILE] environment variables are set, then [option -cadir], +[option -cadir], and [option -castore] aren't needed. + +[item] +If OpenSSL is not installed in the default location, or when using Mac OS +or Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or +[var SSL_CERT_FILE] environment variables or the one of the [option -cadir], +[option -cadir], or [option -castore] options must be defined. + +[item] +On Windows, starting in OpenSSL 3.2, it is now possible to access the +built-in Windows Certificate Store from OpenSSL. This can be achieved by +setting the [option -castore] option to "[const org.openssl.winstore://]". + +[item] +If OpenSSL is not installed, the CA certificates must be downloaded and +installed with the user software. The CURL team makes them available at +[uri "https://curl.se/docs/caextract.html" "CA certificates extracted +from Mozilla"] in the [file cacert.pem] file. You must then either set the +[var SSL_CERT_DIR] and/or [var SSL_CERT_FILE] environment variables or the +[option -cadir] or [option -cafile] options to the CA cert file's install +location. It is your responsibility to keep this file up to date. + +[list_end] + +[section "Callback Options"] + +As previously described, each channel can be given their own callbacks +to handle intermediate processing by the OpenSSL library, using the +[option -command], [option -password], and [option -validate_command] options +passed to either of [cmd tls::socket] or [cmd tls::import]. +Unlike previous versions of TclTLS, only if the callback generates an error, +will the [syscmd bgerror] command be invoked with the error information. + +[subsection "Values for Command Callback"] + +The callback for the [option -command] option is invoked at several points during the +OpenSSL handshake and during routine operations. See below for the possible +arguments passed to the callback script. Values returned from the callback are +ignored. + +[list_begin options] + +[opt_def error [arg "channelId message"]] +This form of callback is invoked whenever an error occurs during the initial +connection, handshake, or I/O operations. The [arg message] argument can be +from the Tcl_ErrnoMsg, OpenSSL function [fun ERR_reason_error_string()], +or a custom message. This callback is new for TclTLS 1.8. + +[opt_def info [arg "channelId major minor message type"]] +This form of callback is invoked by the OpenSSL function +[fun SSL_set_info_callback()] during the initial connection and handshake +operations. The arguments are: + +[list_begin definitions] + +[def [arg major]] +Major category for error. Valid enums are: [const handshake], [const alert], +[const connect], [const accept]. + +[def [arg minor]] +Minor category for error. Valid enums are: [const start], [const done], [const read], +[const write], [const loop], [const exit]. + +[def [arg message]] +Descriptive message string which may be generated either by +[fun SSL_state_string_long()] or [fun SSL_alert_desc_string_long()], +depending on the context. + +[def [arg type]] +For alerts, the possible values are: [const warning], +[const fatal], and [const unknown]. For others, [const info] is used. +This argument is new for TclTLS 1.8. + +[list_end] + +[opt_def message [arg "channelId direction version content_type message"]] +This form of callback is invoked by the OpenSSL function +[fun SSL_set_msg_callback()] whenever a message is sent or received during the +initial connection, handshake, or I/O operations. It is only available when +OpenSSL is complied with the [const enable-ssl-trace] option. This callback is +new for TclTLS 1.8. The arguments are: + +[list_begin definitions] + +[def [arg direction]] +Direction is either [const Sent] or [const Received]. + +[def [arg version]] +Version is the protocol version. + +[def [arg content_type]] +Content type is the message content type. + +[def [arg message]] +Message is more info from the [const SSL_trace] API. +This argument is new for TclTLS 1.8. + +[list_end] + +[opt_def session [arg "channelId session_id session_ticket lifetime"]] +This form of callback is invoked by the OpenSSL function +[fun SSL_CTX_sess_set_new_cb()] whenever a new session id is sent by the +server during the initial connection and handshake and also during the session +if the [option -post_handshake] option is set to true. This callback is new for +TclTLS 1.8. The arguments are: + +[list_begin definitions] + +[def [arg session_id]] +Session Id is the current session identifier + +[def [arg session_ticket]] +Ticket is the session ticket info + +[def [arg lifetime]] +Lifetime is the ticket lifetime in seconds. + +[list_end] + +[opt_def verify [arg "channelId depth cert status error"]] +This callback was moved to the [option -verify_callback] in TclTLS 1.8. + +[list_end] + +[subsection "Values for Password Callback"] + +The callback for the [option -password] option is invoked by TclTLS whenever OpenSSL needs +to obtain a password. See below for the possible arguments passed to the +callback script. The user provided password is expected to be returned by the +callback. + +[list_begin options] + +[opt_def password [arg "rwflag size"]] +Invoked when loading or storing an encrypted PEM certificate. The arguments are: + +[list_begin definitions] + +[def [arg rwflag]] +The read/write flag is 0 for reading/decryption or 1 for writing/encryption. +The latter can be used to determine when to prompt the user to confirm. +This argument is new for TclTLS 1.8. + +[def [arg size]] +The size is the maximum length of the password in bytes. +This argument is new for TclTLS 1.8. + +[list_end] + +[list_end] + +[subsection "Values for Validate Command Callback"] + +The callback for the [option -validatecommand] option is invoked during the handshake +process in order for the application to validate the provided value(s). See +below for the possible arguments passed to the callback script. If not +specified, OpenSSL will accept all valid certificates and extensions. To reject +the value and abort the connection, the callback should return 0. To accept the +value and continue the connection, it should return 1. To reject the value, but +continue the connection, it should return 2. This callback is new for TclTLS 1.8. + +[list_begin options] + +[opt_def alpn [arg "channelId protocol match"]] +For servers, this form of callback is invoked when the client ALPN extension is +received. If [arg match] is true, then [arg protocol] is the first +[option -alpn] protocol option in common to both the client and server. +If not, the first client specified protocol is used. This callback is called +after the Hello and ALPN callbacks. + +[opt_def hello [arg "channelId servername"]] +For servers, this form of callback is invoked during client hello message +processing. The purpose is so the server can select the appropriate certificate +to present to the client, and to make other configuration adjustments relevant +to that server name and its configuration. It is called before the SNI and ALPN +callbacks. + +[opt_def sni [arg "channelId servername"]] +For servers, this form of callback is invoked when the Server Name Indication +(SNI) extension is received. The [arg servername] argument is the client +provided server name specified in the [option -servername] option. The +purpose is so when a server supports multiple names, the right certificate +can be used. It is called after the hello callback but before the ALPN +callback. + +[opt_def verify [arg "channelId depth cert status error"]] +This form of callback is invoked by OpenSSL when a new certificate is received +from the peer. It allows the client to check the certificate verification +results and choose whether to continue or not. It is called for each +certificate in the certificate chain. This callback was moved from +[option -command] in TclTLS 1.8. The arguments are: + +[list_begin definitions] + +[def [arg depth]] +The depth is the integer depth of the certificate in the certificate chain, +where 0 is the peer certificate and higher values going up to the Certificate +Authority (CA). + +[def [arg cert]] +The cert argument is a list of key-value pairs similar to those returned by +[cmd tls::status]. + +[def [arg status]] +The status argument is the boolean validity of the current certificate where 0 +is invalid and 1 is valid. + +[def [arg error]] +The error argument is the error message, if any, generated by +[fun X509_STORE_CTX_get_error()]. + +[list_end] + +[list_end] + +Reference implementations of these callbacks are provided in [file tls.tcl] +as [cmd tls::callback], [cmd tls::password], and [cmd tls::validate_command] +respectively. Note that these are only [emph sample] implementations. In a more +realistic deployment you would specify your own callback scripts on each TLS +channel using the [option -command], [option -password], and +[option -validate_command] options. + +[para] + +The default behavior when the [option -command] and [option -validate_command] +options are not specified, is for TclTLS to process the associated library +callbacks internally. The default behavior when the [option -password] option +is not specified is for TclTLS to process the associated library callbacks by +attempting to call [cmd tls::password]. The difference between these two +behaviors is a consequence of maintaining compatibility with earlier +implementations. + +[para] + +[emph "The use of the reference callbacks [cmd tls::callback], [cmd tls::password], +and [cmd tls::validate_command] is not recommended. They may be removed from future releases."] + +[section Debug] + +For most debugging needs, the [option -callback] option can be used to provide +sufficient insight and information on the TLS handshake and progress. If +further troubleshooting insight is needed, the compile time option +[option --enable-debug] can be used to get detailed execution flow status. + +[para] + +TLS key logging can be enabled by setting the environment variable +[var SSLKEYLOGFILE] to the name of the file to log to. Then whenever TLS key +material is generated or received it will be logged to the file. This is useful +for logging key data for network logging tools to use to decrypt the data. + +[para] + +The [var tls::debug] variable provides some additional control over these +reference callbacks. Its value is zero by default. Higher values produce more +diagnostic output, and will also force the verify method in [cmd tls::callback] +to accept the certificate, even when it is invalid if the +[option -validatecommand] option is set to [cmd tls::validate_command]. + +[para] + +[emph "The use of the variable [var tls::debug] is not recommended. +It may be removed from future releases."] + +[section "Debug Examples"] + +These examples use the default Unix platform SSL certificates. For standard +installations, -cadir and -cafile should not be needed. If your certificates +are in non-standard locations, update -cadir or use -cafile as needed. + +[para] + +Example #1: Use HTTP package + +[example { + +package require http +package require tls +set url "https://www.tcl.tk/" + +http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs \ + -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command] + +# Check for error +set token [http::geturl $url] +if {[http::status $token] ne "ok"} { + puts [format "Error %s" [http::status $token]] +} + +# Get web page +set data [http::data $token] +puts [string length $data] + +# Cleanup +::http::cleanup $token +}] + +Example #2: Use raw socket + +[example { + +package require tls + +set url "www.tcl-lang.org" +set port 443 + +set ch [tls::socket -autoservername 1 -servername $url -request 1 -require 1 \ + -alpn {http/1.1} -cadir /etc/ssl/certs -command ::tls::callback \ + -password ::tls::password -validatecommand ::tls::validate_command $url $port] +chan configure $ch -buffersize 65536 +tls::handshake $ch + +puts $ch "GET / HTTP/1.1" +flush $ch +after 500 +set data [read $ch] + +array set status [tls::status $ch] +array set conn [tls::connection $ch] +array set chan [chan configure $ch] +close $ch +parray status +parray conn +parray chan +}] + +[section "HTTP Package Examples"] + +These examples use the default Unix platform SSL certificates. For standard +installations, -cadir and -cafile should not be needed. If your certificates +are in non-standard locations, set -cadir or use -cafile as needed. + +[para] + +Example #3: Get web page + +[example { + +package require http +package require tls +set url "https://www.tcl.tk/" + +http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] + +# Check for error +set token [http::geturl $url] +if {[http::status $token] ne "ok"} { + puts [format "Error %s" [http::status $token]] +} + +# Get web page +set data [http::data $token] +puts $data + +# Cleanup +::http::cleanup $token +}] + +Example #4: Download file + +[example { + +package require http +package require tls + +set url "https://wiki.tcl-lang.org/sitemap.xml" +set filename [file tail $url] + +http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] + +# Get file +set ch [open $filename wb] +set token [::http::geturl $url -blocksize 65536 -channel $ch] + +# Cleanup +close $ch +::http::cleanup $token +}] + +[section "Special Considerations"] + +The capabilities of this package can vary enormously based upon how the +linked to OpenSSL library was configured and built. New versions may obsolete +older protocol versions, add or remove ciphers, change default values, etc. +Use the [cmd tls::protocols] commands to obtain the supported +protocol versions. + +[manpage_end] ADDED doc/tls.n Index: doc/tls.n ================================================================== --- /dev/null +++ doc/tls.n @@ -0,0 +1,1151 @@ +'\" +'\" Generated from file 'tls\&.man' by tcllib/doctools with format 'nroff' +'\" Copyright (c) 1999 Matt Newman +'\" Copyright (c) 2004 Starfish Systems +'\" Copyright (c) 2024 Brian O'Hagan +'\" +.TH "tls" n 1\&.8 tls "Tcl TLS extension" +.\" The -*- nroff -*- definitions below are for supplemental macros used +.\" in Tcl/Tk manual entries. +.\" +.\" .AP type name in/out ?indent? +.\" Start paragraph describing an argument to a library procedure. +.\" type is type of argument (int, etc.), in/out is either "in", "out", +.\" or "in/out" to describe whether procedure reads or modifies arg, +.\" and indent is equivalent to second arg of .IP (shouldn't ever be +.\" needed; use .AS below instead) +.\" +.\" .AS ?type? ?name? +.\" Give maximum sizes of arguments for setting tab stops. Type and +.\" name are examples of largest possible arguments that will be passed +.\" to .AP later. If args are omitted, default tab stops are used. +.\" +.\" .BS +.\" Start box enclosure. From here until next .BE, everything will be +.\" enclosed in one large box. +.\" +.\" .BE +.\" End of box enclosure. +.\" +.\" .CS +.\" Begin code excerpt. +.\" +.\" .CE +.\" End code excerpt. +.\" +.\" .VS ?version? ?br? +.\" Begin vertical sidebar, for use in marking newly-changed parts +.\" of man pages. The first argument is ignored and used for recording +.\" the version when the .VS was added, so that the sidebars can be +.\" found and removed when they reach a certain age. If another argument +.\" is present, then a line break is forced before starting the sidebar. +.\" +.\" .VE +.\" End of vertical sidebar. +.\" +.\" .DS +.\" Begin an indented unfilled display. +.\" +.\" .DE +.\" End of indented unfilled display. +.\" +.\" .SO ?manpage? +.\" Start of list of standard options for a Tk widget. The manpage +.\" argument defines where to look up the standard options; if +.\" omitted, defaults to "options". The options follow on successive +.\" lines, in three columns separated by tabs. +.\" +.\" .SE +.\" End of list of standard options for a Tk widget. +.\" +.\" .OP cmdName dbName dbClass +.\" Start of description of a specific option. cmdName gives the +.\" option's name as specified in the class command, dbName gives +.\" the option's name in the option database, and dbClass gives +.\" the option's class in the option database. +.\" +.\" .UL arg1 arg2 +.\" Print arg1 underlined, then print arg2 normally. +.\" +.\" .QW arg1 ?arg2? +.\" Print arg1 in quotes, then arg2 normally (for trailing punctuation). +.\" +.\" .PQ arg1 ?arg2? +.\" Print an open parenthesis, arg1 in quotes, then arg2 normally +.\" (for trailing punctuation) and then a closing parenthesis. +.\" +.\" # Set up traps and other miscellaneous stuff for Tcl/Tk man pages. +.if t .wh -1.3i ^B +.nr ^l \n(.l +.ad b +.\" # Start an argument description +.de AP +.ie !"\\$4"" .TP \\$4 +.el \{\ +. ie !"\\$2"" .TP \\n()Cu +. el .TP 15 +.\} +.ta \\n()Au \\n()Bu +.ie !"\\$3"" \{\ +\&\\$1 \\fI\\$2\\fP (\\$3) +.\".b +.\} +.el \{\ +.br +.ie !"\\$2"" \{\ +\&\\$1 \\fI\\$2\\fP +.\} +.el \{\ +\&\\fI\\$1\\fP +.\} +.\} +.. +.\" # define tabbing values for .AP +.de AS +.nr )A 10n +.if !"\\$1"" .nr )A \\w'\\$1'u+3n +.nr )B \\n()Au+15n +.\" +.if !"\\$2"" .nr )B \\w'\\$2'u+\\n()Au+3n +.nr )C \\n()Bu+\\w'(in/out)'u+2n +.. +.AS Tcl_Interp Tcl_CreateInterp in/out +.\" # BS - start boxed text +.\" # ^y = starting y location +.\" # ^b = 1 +.de BS +.br +.mk ^y +.nr ^b 1u +.if n .nf +.if n .ti 0 +.if n \l'\\n(.lu\(ul' +.if n .fi +.. +.\" # BE - end boxed text (draw box now) +.de BE +.nf +.ti 0 +.mk ^t +.ie n \l'\\n(^lu\(ul' +.el \{\ +.\" Draw four-sided box normally, but don't draw top of +.\" box if the box started on an earlier page. +.ie !\\n(^b-1 \{\ +\h'-1.5n'\L'|\\n(^yu-1v'\l'\\n(^lu+3n\(ul'\L'\\n(^tu+1v-\\n(^yu'\l'|0u-1.5n\(ul' +.\} +.el \}\ +\h'-1.5n'\L'|\\n(^yu-1v'\h'\\n(^lu+3n'\L'\\n(^tu+1v-\\n(^yu'\l'|0u-1.5n\(ul' +.\} +.\} +.fi +.br +.nr ^b 0 +.. +.\" # VS - start vertical sidebar +.\" # ^Y = starting y location +.\" # ^v = 1 (for troff; for nroff this doesn't matter) +.de VS +.if !"\\$2"" .br +.mk ^Y +.ie n 'mc \s12\(br\s0 +.el .nr ^v 1u +.. +.\" # VE - end of vertical sidebar +.de VE +.ie n 'mc +.el \{\ +.ev 2 +.nf +.ti 0 +.mk ^t +\h'|\\n(^lu+3n'\L'|\\n(^Yu-1v\(bv'\v'\\n(^tu+1v-\\n(^Yu'\h'-|\\n(^lu+3n' +.sp -1 +.fi +.ev +.\} +.nr ^v 0 +.. +.\" # Special macro to handle page bottom: finish off current +.\" # box/sidebar if in box/sidebar mode, then invoked standard +.\" # page bottom macro. +.de ^B +.ev 2 +'ti 0 +'nf +.mk ^t +.if \\n(^b \{\ +.\" Draw three-sided box if this is the box's first page, +.\" draw two sides but no top otherwise. +.ie !\\n(^b-1 \h'-1.5n'\L'|\\n(^yu-1v'\l'\\n(^lu+3n\(ul'\L'\\n(^tu+1v-\\n(^yu'\h'|0u'\c +.el \h'-1.5n'\L'|\\n(^yu-1v'\h'\\n(^lu+3n'\L'\\n(^tu+1v-\\n(^yu'\h'|0u'\c +.\} +.if \\n(^v \{\ +.nr ^x \\n(^tu+1v-\\n(^Yu +\kx\h'-\\nxu'\h'|\\n(^lu+3n'\ky\L'-\\n(^xu'\v'\\n(^xu'\h'|0u'\c +.\} +.bp +'fi +.ev +.if \\n(^b \{\ +.mk ^y +.nr ^b 2 +.\} +.if \\n(^v \{\ +.mk ^Y +.\} +.. +.\" # DS - begin display +.de DS +.RS +.nf +.sp +.. +.\" # DE - end display +.de DE +.fi +.RE +.sp +.. +.\" # SO - start of list of standard options +.de SO +'ie '\\$1'' .ds So \\fBoptions\\fR +'el .ds So \\fB\\$1\\fR +.SH "STANDARD OPTIONS" +.LP +.nf +.ta 5.5c 11c +.ft B +.. +.\" # SE - end of list of standard options +.de SE +.fi +.ft R +.LP +See the \\*(So manual entry for details on the standard options. +.. +.\" # OP - start of full description for a single option +.de OP +.LP +.nf +.ta 4c +Command-Line Name: \\fB\\$1\\fR +Database Name: \\fB\\$2\\fR +Database Class: \\fB\\$3\\fR +.fi +.IP +.. +.\" # CS - begin code excerpt +.de CS +.RS +.nf +.ta .25i .5i .75i 1i +.. +.\" # CE - end code excerpt +.de CE +.fi +.RE +.. +.\" # UL - underline word +.de UL +\\$1\l'|0\(ul'\\$2 +.. +.\" # QW - apply quotation marks to word +.de QW +.ie '\\*(lq'"' ``\\$1''\\$2 +.\"" fix emacs highlighting +.el \\*(lq\\$1\\*(rq\\$2 +.. +.\" # PQ - apply parens and quotation marks to word +.de PQ +.ie '\\*(lq'"' (``\\$1''\\$2)\\$3 +.\"" fix emacs highlighting +.el (\\*(lq\\$1\\*(rq\\$2)\\$3 +.. +.\" # QR - quoted range +.de QR +.ie '\\*(lq'"' ``\\$1''\\-``\\$2''\\$3 +.\"" fix emacs highlighting +.el \\*(lq\\$1\\*(rq\\-\\*(lq\\$2\\*(rq\\$3 +.. +.\" # MT - "empty" string +.de MT +.QW "" +.. +.BS +.SH NAME +tls \- binding to the OpenSSL library for encrypted socket and I/O channel communications +.SH SYNOPSIS +package require \fBTcl 8\&.5-\fR +.sp +package require \fBtls 1\&.8\fR +.sp +\fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? +.sp +\fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR +.sp +\fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR +.sp +\fBtls::import\fR \fIchannel\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? +.sp +\fBtls::unimport\fR \fIchannel\fR +.sp +\fBtls::handshake\fR \fIchannel\fR +.sp +\fBtls::status\fR ?\fB-local\fR? \fIchannel\fR +.sp +\fBtls::connection\fR \fIchannel\fR +.sp +\fBtls::ciphers\fR ?\fIprotocol\fR? ?\fIverbose\fR? ?\fIsupported\fR? +.sp +\fBtls::protocols\fR +.sp +\fBtls::version\fR +.sp +.BE +.SH DESCRIPTION +This extension provides TCL script access to secure socket communications +using the Transport Layer Security (TLS) protocol\&. It provides a generic +binding to \fIOpenSSL\fR [https://www\&.openssl\&.org/], utilizing the +\fBTcl_StackChannel\fR API in TCL 8\&.4 and higher\&. +These sockets behave exactly the same as channels created using the built-in +\fBsocket\fR command, along with additional options for controlling +the SSL/TLS session\&. +.SH COMMANDS +Typically one would use the \fBtls::socket\fR command to create a new encrypted +TCP socket\&. It is compatible with the native TCL \fB::socket\fR command\&. +Alternatively for an existing TCP socket, the \fBtls::import\fR command can be +used to start TLS on the connection\&. +.TP +\fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? +Optional function to set the default options used by \fBtls::socket\fR\&. If you +call \fBtls::import\fR directly, this command has no effect\&. This command +supports all of the same options as the \fBtls::socket\fR command, though you +should limit your options to only TLS related ones\&. +.TP +\fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR +This is a helper function that utilizes the underlying commands \fBsocket\fR +and \fBtls::import\fR to create the connection\&. It behaves the same as the +native TCL \fBsocket\fR command, but also supports the \fBtls:import\fR +command options with one additional option\&. It returns the channel handle id +for the new socket\&. +.RS +.TP +\fB-autoservername\fR \fIbool\fR +If \fBtrue\fR, automatically set the \fB-servername\fR argument to the +\fIhost\fR argument\&. Default is \fBfalse\fR\&. +.RE +.TP +\fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR +Same as previous, but instead creates a server socket for clients to connect to +just like the Tcl \fBsocket -server\fR command\&. It returns the channel +handle id for the new socket\&. +.TP +\fBtls::import\fR \fIchannel\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? +Start TLS encryption on TCL channel \fIchannel\fR via a stacked channel\&. It +need not be a socket, but must provide bi-directional flow\&. Also sets session +parameters for SSL handshake\&. Valid options are: +.RS +.TP +\fB-alpn\fR \fIlist\fR +List of protocols to offer during Application-Layer Protocol Negotiation +(ALPN)\&. For example: \fBh2\fR and \fBhttp/1\&.1\fR, but not \fBh3\fR or +\fBquic\fR\&. +.TP +\fB-cadir\fR \fIdirectory\fR +Specifies the directory where the Certificate Authority (CA) certificates are +stored\&. The default is platform specific and can be set at compile time\&. The +default location can be overridden by the \fBSSL_CERT_DIR\fR environment +variable\&. See \fBCertificate Validation\fR for more details\&. +.TP +\fB-cafile\fR \fIfilename\fR +Specifies the file with the Certificate Authority (CA) certificates to use\&. +The default is "\fIcert\&.pem\fR", in the OpenSSL directory\&. The default file can +be overridden by the \fBSSL_CERT_FILE\fR environment variable\&. See +\fBCertificate Validation\fR for more details\&. +.TP +\fB-castore\fR \fIURI\fR +Specifies the Uniform Resource Identifier (URI) for the Certificate Authority +(CA) store, which may be a single container or a catalog of containers\&. +Starting with OpenSSL 3\&.2 on Windows, set to "\fBorg\&.openssl\&.winstore://\fR" +to use the built-in Windows Certificate Store\&. This store only supports root +certificate stores\&. See \fBCertificate Validation\fR for more details\&. +.TP +\fB-certfile\fR \fIfilename\fR +Specifies the name of the file with the certificate in PEM format to use +as the local (client or server) certificate\&. It also contains the public key\&. +.TP +\fB-cert\fR \fIstring\fR +Specifies the certificate to use as a DER encoded string (X\&.509 DER)\&. +.TP +\fB-cipher\fR \fIstring\fR +Specifies the list of ciphers to use for TLS 1\&.2 and earlier connections\&. +String is a colon "\fB:\fR" separated list of ciphers\&. +Ciphers can be combined using the "\fB+\fR" character\&. +Prefixes can be used to permanently remove "\fB!\fR", delete "\fB-\fR", or +move to the end "\fB+\fR" a specified cipher\&. +Keywords \fB@STRENGTH\fR (sort by algorithm key length), +\fB@SECLEVEL=\fR\fIn\fR (set security level to n), and +\fBDEFAULT\fR (use default cipher list, at start only) can also be specified\&. +See the \fIOpenSSL\fR [https://docs\&.openssl\&.org/master/man1/openssl-ciphers/#options] +documentation for the full list of valid values\&. +.TP +\fB-ciphersuites\fR \fIstring\fR +Specifies the list of cipher suites to use for TLS 1\&.3 as a colon +"\fB:\fR" separated list of cipher suite names\&. See the +\fIOpenSSL\fR [https://docs\&.openssl\&.org/master/man1/openssl-ciphers/#options] +documentation for the full list of valid values\&. +.TP +\fB-command\fR \fIcallback\fR +Specifies the callback command to be invoked at several points during the +handshake to pass errors, tracing information, and protocol messages\&. +See \fBCallback Options\fR for more info\&. +.TP +\fB-dhparams\fR \fIfilename\fR +Specifies the Diffie-Hellman (DH) parameters file\&. +.TP +\fB-keyfile\fR \fIfilename\fR +Specifies the private key file\&. The default value is to use the file +specified by the \fI-certfile\fR option\&. +.TP +\fB-key\fR \fIstring\fR +Specifies the private key to use as a DER encoded string (PKCS#1 DER)\&. +.TP +\fB-model\fR \fIchannel\fR +Force this channel to share the same \fISSL_CTX\fR structure as the +specified \fIchannel\fR, and therefore share config, callbacks, etc\&. +.TP +\fB-password\fR \fIcallback\fR +Specifies the callback command to invoke when OpenSSL needs to obtain a +password\&. This is typically used to unlock the private key of a certificate\&. +The callback should return a password string\&. See \fBCallback Options\fR +for more info\&. +.TP +\fB-post_handshake\fR \fIbool\fR +Allow post-handshake session ticket updates\&. +.TP +\fB-request\fR \fIbool\fR +Request a certificate from peer during the SSL handshake\&. This is needed to do +Certificate Validation\&. Default is \fBtrue\fR\&. +See \fBCertificate Validation\fR for more details\&. +.TP +\fB-require\fR \fIbool\fR +Require a valid certificate from peer during the SSL handshake\&. If this is set to +true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR, +\fB-cafile\fR, \fB-castore\fR, or a platform default must be provided in order to +validate against\&. The default is \fBfalse\fR since not all platforms have +certificates to validate against in a form compatible with OpenSSL\&. +See \fBCertificate Validation\fR for more details\&. +.TP +\fB-security_level\fR \fIinteger\fR +Specifies the security level (value from 0 to 5)\&. The security level affects +the allowed cipher suite encryption algorithms, supported ECC curves, +supported signature algorithms, DH parameter sizes, certificate key sizes +and signature algorithms\&. The default is 1 prior to OpenSSL 3\&.2 and 2 +thereafter\&. Level 3 and higher disable support for session tickets and +only accept cipher suites that provide forward secrecy\&. +.TP +\fB-server\fR \fIbool\fR +Specifies whether to act as a server and respond with a server handshake when a +client connects and provides a client handshake\&. The default is \fBfalse\fR\&. +.TP +\fB-servername\fR \fIhostname\fR +Specify the peer's hostname\&. This is used to set the TLS Server Name +Indication (SNI) extension\&. Set this to the expected servername in the +server's certificate or one of the Subject Alternate Names (SAN)\&. +.TP +\fB-session_id\fR \fIbinary_string\fR +Specifies the session id to resume a session\&. Not supported yet\&. +.TP +\fB-ssl2\fR \fIbool\fR +Enable use of SSL v2\&. The default is \fBfalse\fR\&. Note: Recent versions of +OpenSSL no longer support SSLv2, so this may not have any effect\&. See the +\fBtls::protocols\fR command for supported protocols\&. +.TP +\fB-ssl3\fR \fIbool\fR +Enable use of SSL v3\&. The default is \fBfalse\fR\&. Note: Recent versions +of OpenSSL may have this disabled at compile time, so this may not have any +effect\&. See the \fBtls::protocols\fR command for supported protocols\&. +.TP +\fB-tls1\fR \fIbool\fR +Enable use of TLS v1\&. The default is \fBtrue\fR\&. Note: TLS 1\&.0 needs +SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. +See the \fI-security_level\fR option\&. +.TP +\fB-tls1\&.1\fR \fIbool\fR +Enable use of TLS v1\&.1\&. The default is \fBtrue\fR\&. Note: TLS 1\&.1 needs +SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. +See the \fI-security_level\fR option\&. +.TP +\fB-tls1\&.2\fR \fIbool\fR +Enable use of TLS v1\&.2\&. The default is \fBtrue\fR\&. +.TP +\fB-tls1\&.3\fR \fIbool\fR +Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&. +.TP +\fB-validatecommand\fR \fIcallback\fR +Specifies the callback command to invoke to validate the peer certificates +and other config info during the protocol negotiation phase\&. This can be used +by TCL scripts to perform their own Certificate Validation to supplement the +default validation provided by OpenSSL\&. The script must return a boolean true +to continue the negotiation\&. See \fBCallback Options\fR for more info\&. +.RE +.TP +\fBtls::unimport\fR \fIchannel\fR +Compliment to \fBtls::import\fR\&. Used to remove the top level stacked channel +from \fIchannel\fR\&. This unstacks the encryption of a regular TCL channel\&. An +error is thrown if TLS is not the top stacked channel type\&. +.TP +\fBtls::handshake\fR \fIchannel\fR +Forces the TLS negotiation handshake to take place immediately, and returns 0 +if handshake is still in progress (non-blocking), or 1 if the handshake was +successful\&. If the handshake failed, an error will be returned\&. +.TP +\fBtls::status\fR ?\fB-local\fR? \fIchannel\fR +Returns the current status of an SSL channel\&. The result is a list of key-value +pairs describing the SSL, certificate, and certificate verification status\&. If +the SSL handshake has not yet completed, an empty list is returned\&. If the +\fB-local\fR option is specified, then the local certificate is used\&. Returned +values include: +.sp +SSL Status +.RS +.TP +\fBalpn\fR \fIprotocol\fR +The protocol selected after Application-Layer Protocol Negotiation (ALPN)\&. +.TP +\fBcipher\fR \fIcipher\fR +The current cipher in use for the session\&. +.TP +\fBpeername\fR \fIname\fR +The peername from the certificate\&. +.TP +\fBprotocol\fR \fIversion\fR +The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1\&.1, TLS1\&.2, TLS1\&.3, or unknown\&. +.TP +\fBsbits\fR \fIn\fR +The number of bits used for the session key\&. +.TP +\fBsignatureHashAlgorithm\fR \fIalgorithm\fR +The signature hash algorithm\&. +.TP +\fBsignatureType\fR \fItype\fR +The signature type value\&. +.TP +\fBverifyDepth\fR \fIn\fR +Maximum depth for the certificate chain verification\&. Default is -1, to check all\&. +.TP +\fBverifyMode\fR \fIlist\fR +List of certificate verification modes\&. +.TP +\fBverifyResult\fR \fIresult\fR +Certificate verification result\&. +.TP +\fBca_names\fR \fIlist\fR +List of the Certificate Authorities used to create the certificate\&. +.RE +.IP +Certificate Status +.RS +.TP +\fBall\fR \fIstring\fR +Dump of all certificate info\&. +.TP +\fBversion\fR \fIvalue\fR +The certificate version\&. +.TP +\fBserialNumber\fR \fIstring\fR +The serial number of the certificate as a hex string\&. +.TP +\fBsignature\fR \fIalgorithm\fR +Cipher algorithm used for certificate signature\&. +.TP +\fBissuer\fR \fIstring\fR +The distinguished name (DN) of the certificate issuer\&. +.TP +\fBnotBefore\fR \fIdate\fR +The beginning date of the certificate validity\&. +.TP +\fBnotAfter\fR \fIdate\fR +The expiration date of the certificate validity\&. +.TP +\fBsubject\fR \fIstring\fR +The distinguished name (DN) of the certificate subject\&. Fields include: Common +Name (CN), Organization (O), Locality or City (L), State or Province (S), and +Country Name (C)\&. +.TP +\fBissuerUniqueID\fR \fIstring\fR +The issuer unique id\&. +.TP +\fBsubjectUniqueID\fR \fIstring\fR +The subject unique id\&. +.TP +\fBnum_extensions\fR \fIn\fR +Number of certificate extensions\&. +.TP +\fBextensions\fR \fIlist\fR +List of certificate extension names\&. +.TP +\fBauthorityKeyIdentifier\fR \fIstring\fR +Authority Key Identifier (AKI) of the Issuing CA certificate that signed the +SSL certificate as a hex string\&. This value matches the SKI value of the +Intermediate CA certificate\&. +.TP +\fBsubjectKeyIdentifier\fR \fIstring\fR +Subject Key Identifier (SKI) hash of the public key inside the certificate as a +hex string\&. Used to identify certificates that contain a particular public key\&. +.TP +\fBsubjectAltName\fR \fIlist\fR +List of all of the Subject Alternative Names (SAN) including domain names, sub +domains, and IP addresses that are secured by the certificate\&. +.TP +\fBocsp\fR \fIlist\fR +List of all Online Certificate Status Protocol (OCSP) URLs that can be used to +check the validity of this certificate\&. +.TP +\fBcertificate\fR \fIcert\fR +The PEM encoded certificate\&. +.TP +\fBsignatureAlgorithm\fR \fIalgorithm\fR +Cipher algorithm used for the certificate signature\&. +.TP +\fBsignatureValue\fR \fIstring\fR +Certificate signature as a hex string\&. +.TP +\fBsignatureDigest\fR \fIversion\fR +Certificate signing digest as a hex string\&. +.TP +\fBpublicKeyAlgorithm\fR \fIalgorithm\fR +Certificate signature public key algorithm\&. +.TP +\fBpublicKey\fR \fIstring\fR +Certificate signature public key as a hex string\&. +.TP +\fBbits\fR \fIn\fR +Number of bits used for certificate signature key\&. +.TP +\fBself_signed\fR \fIboolean\fR +Whether the certificate signature is self signed\&. +.TP +\fBsha1_hash\fR \fIhash\fR +The SHA1 hash of the certificate as a hex string\&. +.TP +\fBsha256_hash\fR \fIhash\fR +The SHA256 hash of the certificate as a hex string\&. +.RE +.TP +\fBtls::connection\fR \fIchannel\fR +Returns the current connection status of an SSL channel\&. The result is a list +of key-value pairs describing the connection\&. Returned values include: +.sp +SSL Status +.RS +.TP +\fBstate\fR \fIstate\fR +State of the connection\&. +.TP +\fBservername\fR \fIname\fR +The name of the connected to server\&. +.TP +\fBprotocol\fR \fIversion\fR +The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1\&.1, TLS1\&.2, TLS1\&.3, or unknown\&. +.TP +\fBrenegotiation_allowed\fR \fIboolean\fR +Whether protocol renegotiation is supported or not\&. +.TP +\fBsecurity_level\fR \fIlevel\fR +The security level used for selection of ciphers, key size, etc\&. +.TP +\fBsession_reused\fR \fIboolean\fR +Whether the session has been reused or not\&. +.TP +\fBis_server\fR \fIboolean\fR +Whether the connection is configured as a server (1) or client (0)\&. +.TP +\fBcompression\fR \fImode\fR +Compression method\&. +.TP +\fBexpansion\fR \fImode\fR +Expansion method\&. +.TP +\fBcaList\fR \fIlist\fR +List of Certificate Authorities (CA) for X\&.509 certificate\&. +.RE +.IP +Cipher Info +.RS +.TP +\fBcipher\fR \fIcipher\fR +The current cipher in use for the connection\&. +.TP +\fBstandard_name\fR \fIname\fR +The standard RFC name of cipher\&. +.TP +\fBalgorithm_bits\fR \fIn\fR +The number of processed bits used for cipher\&. +.TP +\fBsecret_bits\fR \fIn\fR +The number of secret bits used for cipher\&. +.TP +\fBmin_version\fR \fIversion\fR +The minimum protocol version for cipher\&. +.TP +\fBcipher_is_aead\fR \fIboolean\fR +Whether the cipher is Authenticated Encryption with Associated Data (AEAD)\&. +.TP +\fBcipher_id\fR \fIid\fR +The OpenSSL cipher id\&. +.TP +\fBdescription\fR \fIstring\fR +A text description of the cipher\&. +.TP +\fBhandshake_digest\fR \fIboolean\fR +Digest used during handshake\&. +.RE +.IP +Session Info +.RS +.TP +\fBalpn\fR \fIprotocol\fR +The protocol selected after Application-Layer Protocol Negotiation (ALPN)\&. +.TP +\fBresumable\fR \fIboolean\fR +Whether the session can be resumed or not\&. +.TP +\fBstart_time\fR \fIseconds\fR +Time since session started in seconds since epoch\&. +.TP +\fBtimeout\fR \fIseconds\fR +Max duration of session in seconds before time-out\&. +.TP +\fBlifetime\fR \fIseconds\fR +Session ticket lifetime hint in seconds\&. +.TP +\fBsession_id\fR \fIbinary_string\fR +Unique session id for use in resuming the session\&. +.TP +\fBsession_ticket\fR \fIbinary_string\fR +Unique session ticket for use in resuming the session\&. +.TP +\fBticket_app_data\fR \fIbinary_string\fR +Unique session ticket application data\&. +.TP +\fBmaster_key\fR \fIbinary_string\fR +Unique session master key\&. +.TP +\fBsession_cache_mode\fR \fImode\fR +Server cache mode (client, server, or both)\&. +.RE +.TP +\fBtls::ciphers\fR ?\fIprotocol\fR? ?\fIverbose\fR? ?\fIsupported\fR? +Without any args, returns a list of all symmetric ciphers for use with the +\fI-cipher\fR option\&. With \fIprotocol\fR, only the ciphers supported for that +protocol are returned\&. See the \fBtls::protocols\fR command for the supported +protocols\&. If \fIverbose\fR is specified as true then a verbose, human readable +list is returned with additional information on the cipher\&. If \fIsupported\fR +is specified as true, then only the ciphers supported for protocol will be listed\&. +.TP +\fBtls::protocols\fR +Returns a list of the supported SSL/TLS protocols\&. Valid values are: +\fBssl2\fR, \fBssl3\fR, \fBtls1\fR, \fBtls1\&.1\fR, \fBtls1\&.2\fR, and +\fBtls1\&.3\fR\&. Exact list depends on OpenSSL version and compile time flags\&. +.TP +\fBtls::version\fR +Returns the OpenSSL version string\&. +.PP +.SH "CERTIFICATE VALIDATION" +.SS "SUMMARY OF COMMAND LINE OPTIONS" +The following options are used for peer Certificate Validation: +.TP +\fB-cadir\fR \fIdirectory\fR +Specifies the directory where the Certificate Authority (CA) certificates are +stored\&. The default is platform specific, but is usually "\fI/etc/ssl/certs\fR" on +Linux/Unix systems\&. The default location can be overridden by the +\fBSSL_CERT_DIR\fR environment variable\&. +.TP +\fB-cafile\fR \fIfilename\fR +Specifies the file with the Certificate Authority (CA) certificates to use in +\fBPEM\fR file format\&. The default is "\fIcert\&.pem\fR", in the OpenSSL directory\&. On +Linux/Unix systems, this is usually "\fI/etc/ssl/ca-bundle\&.pem\fR"\&. The default file +can be overridden by the \fBSSL_CERT_FILE\fR environment variable\&. +.TP +\fB-castore\fR \fIURI\fR +Specifies the Uniform Resource Identifier (URI) for the Certificate Authority +(CA) store, which may be a single container or a catalog of containers\&. +Starting with OpenSSL 3\&.2 on Windows, set to "\fBorg\&.openssl\&.winstore://\fR" +to use the built-in Windows Certificate Store\&. This store only supports root +certificate stores\&. +.TP +\fB-request\fR \fIbool\fR +Request a certificate from peer during the SSL handshake\&. This is needed to do +Certificate Validation\&. Default is \fBtrue\fR\&. In addition, the +client can manually inspect and accept or reject each certificate using the +\fI-validatecommand\fR option\&. +.TP +\fB-require\fR \fIbool\fR +Require a valid certificate from peer during the SSL handshake\&. If this is set +to \fBtrue\fR, then \fI-request\fR must also be set to \fBtrue\fR and either +\fI-cadir\fR, \fI-cafile\fR, \fI-castore\fR, or a platform default must be +provided in order to validate against\&. The default is \fBfalse\fR since not +all platforms have certificates to validate against in a form compatible with +OpenSSL\&. See \fBCertificate Validation\fR for more details\&. +.PP +.SS "WHEN ARE COMMAND LINE OPTIONS NEEDED?" +By default, a client TLS connection does \fINOT\fR validate the server certificate +chain\&. This limitation is due to the lack of a common cross platform +database of Certificate Authority (CA) provided certificates to validate +against\&. Many Linux systems natively support OpenSSL and thus have these +certificates installed as part of the OS, but MacOS and Windows do not\&. In +order to use the \fB-require\fR option, one of the following must be true: +.IP \(bu +On Linux and Unix systems with OpenSSL already installed, if the CA +certificates are stored in the standard locations, or if the \fBSSL_CERT_DIR\fR +or \fBSSL_CERT_FILE\fR environment variables are set, then \fB-cadir\fR, +\fB-cadir\fR, and \fB-castore\fR aren't needed\&. +.IP \(bu +If OpenSSL is not installed in the default location, or when using Mac OS +or Windows and OpenSSL is installed, the \fBSSL_CERT_DIR\fR and/or +\fBSSL_CERT_FILE\fR environment variables or the one of the \fB-cadir\fR, +\fB-cadir\fR, or \fB-castore\fR options must be defined\&. +.IP \(bu +On Windows, starting in OpenSSL 3\&.2, it is now possible to access the +built-in Windows Certificate Store from OpenSSL\&. This can be achieved by +setting the \fB-castore\fR option to "\fBorg\&.openssl\&.winstore://\fR"\&. +.IP \(bu +If OpenSSL is not installed, the CA certificates must be downloaded and +installed with the user software\&. The CURL team makes them available at +\fICA certificates extracted +from Mozilla\fR [https://curl\&.se/docs/caextract\&.html] in the "\fIcacert\&.pem\fR" file\&. You must then either set the +\fBSSL_CERT_DIR\fR and/or \fBSSL_CERT_FILE\fR environment variables or the +\fB-cadir\fR or \fB-cafile\fR options to the CA cert file's install +location\&. It is your responsibility to keep this file up to date\&. +.PP +.SH "CALLBACK OPTIONS" +As previously described, each channel can be given their own callbacks +to handle intermediate processing by the OpenSSL library, using the +\fB-command\fR, \fB-password\fR, and \fB-validate_command\fR options +passed to either of \fBtls::socket\fR or \fBtls::import\fR\&. +Unlike previous versions of TclTLS, only if the callback generates an error, +will the \fBbgerror\fR command be invoked with the error information\&. +.SS "VALUES FOR COMMAND CALLBACK" +The callback for the \fB-command\fR option is invoked at several points during the +OpenSSL handshake and during routine operations\&. See below for the possible +arguments passed to the callback script\&. Values returned from the callback are +ignored\&. +.TP +\fBerror\fR \fIchannelId message\fR +This form of callback is invoked whenever an error occurs during the initial +connection, handshake, or I/O operations\&. The \fImessage\fR argument can be +from the Tcl_ErrnoMsg, OpenSSL function \fBERR_reason_error_string()\fR, +or a custom message\&. This callback is new for TclTLS 1\&.8\&. +.TP +\fBinfo\fR \fIchannelId major minor message type\fR +This form of callback is invoked by the OpenSSL function +\fBSSL_set_info_callback()\fR during the initial connection and handshake +operations\&. The arguments are: +.RS +.TP +\fImajor\fR +Major category for error\&. Valid enums are: \fBhandshake\fR, \fBalert\fR, +\fBconnect\fR, \fBaccept\fR\&. +.TP +\fIminor\fR +Minor category for error\&. Valid enums are: \fBstart\fR, \fBdone\fR, \fBread\fR, +\fBwrite\fR, \fBloop\fR, \fBexit\fR\&. +.TP +\fImessage\fR +Descriptive message string which may be generated either by +\fBSSL_state_string_long()\fR or \fBSSL_alert_desc_string_long()\fR, +depending on the context\&. +.TP +\fItype\fR +For alerts, the possible values are: \fBwarning\fR, +\fBfatal\fR, and \fBunknown\fR\&. For others, \fBinfo\fR is used\&. +This argument is new for TclTLS 1\&.8\&. +.RE +.TP +\fBmessage\fR \fIchannelId direction version content_type message\fR +This form of callback is invoked by the OpenSSL function +\fBSSL_set_msg_callback()\fR whenever a message is sent or received during the +initial connection, handshake, or I/O operations\&. It is only available when +OpenSSL is complied with the \fBenable-ssl-trace\fR option\&. This callback is +new for TclTLS 1\&.8\&. The arguments are: +.RS +.TP +\fIdirection\fR +Direction is either \fBSent\fR or \fBReceived\fR\&. +.TP +\fIversion\fR +Version is the protocol version\&. +.TP +\fIcontent_type\fR +Content type is the message content type\&. +.TP +\fImessage\fR +Message is more info from the \fBSSL_trace\fR API\&. +This argument is new for TclTLS 1\&.8\&. +.RE +.TP +\fBsession\fR \fIchannelId session_id session_ticket lifetime\fR +This form of callback is invoked by the OpenSSL function +\fBSSL_CTX_sess_set_new_cb()\fR whenever a new session id is sent by the +server during the initial connection and handshake and also during the session +if the \fB-post_handshake\fR option is set to true\&. This callback is new for +TclTLS 1\&.8\&. The arguments are: +.RS +.TP +\fIsession_id\fR +Session Id is the current session identifier +.TP +\fIsession_ticket\fR +Ticket is the session ticket info +.TP +\fIlifetime\fR +Lifetime is the ticket lifetime in seconds\&. +.RE +.TP +\fBverify\fR \fIchannelId depth cert status error\fR +This callback was moved to the \fB-verify_callback\fR in TclTLS 1\&.8\&. +.PP +.SS "VALUES FOR PASSWORD CALLBACK" +The callback for the \fB-password\fR option is invoked by TclTLS whenever OpenSSL needs +to obtain a password\&. See below for the possible arguments passed to the +callback script\&. The user provided password is expected to be returned by the +callback\&. +.TP +\fBpassword\fR \fIrwflag size\fR +Invoked when loading or storing an encrypted PEM certificate\&. The arguments are: +.RS +.TP +\fIrwflag\fR +The read/write flag is 0 for reading/decryption or 1 for writing/encryption\&. +The latter can be used to determine when to prompt the user to confirm\&. +This argument is new for TclTLS 1\&.8\&. +.TP +\fIsize\fR +The size is the maximum length of the password in bytes\&. +This argument is new for TclTLS 1\&.8\&. +.RE +.PP +.SS "VALUES FOR VALIDATE COMMAND CALLBACK" +The callback for the \fB-validatecommand\fR option is invoked during the handshake +process in order for the application to validate the provided value(s)\&. See +below for the possible arguments passed to the callback script\&. If not +specified, OpenSSL will accept all valid certificates and extensions\&. To reject +the value and abort the connection, the callback should return 0\&. To accept the +value and continue the connection, it should return 1\&. To reject the value, but +continue the connection, it should return 2\&. This callback is new for TclTLS 1\&.8\&. +.TP +\fBalpn\fR \fIchannelId protocol match\fR +For servers, this form of callback is invoked when the client ALPN extension is +received\&. If \fImatch\fR is true, then \fIprotocol\fR is the first +\fB-alpn\fR protocol option in common to both the client and server\&. +If not, the first client specified protocol is used\&. This callback is called +after the Hello and ALPN callbacks\&. +.TP +\fBhello\fR \fIchannelId servername\fR +For servers, this form of callback is invoked during client hello message +processing\&. The purpose is so the server can select the appropriate certificate +to present to the client, and to make other configuration adjustments relevant +to that server name and its configuration\&. It is called before the SNI and ALPN +callbacks\&. +.TP +\fBsni\fR \fIchannelId servername\fR +For servers, this form of callback is invoked when the Server Name Indication +(SNI) extension is received\&. The \fIservername\fR argument is the client +provided server name specified in the \fB-servername\fR option\&. The +purpose is so when a server supports multiple names, the right certificate +can be used\&. It is called after the hello callback but before the ALPN +callback\&. +.TP +\fBverify\fR \fIchannelId depth cert status error\fR +This form of callback is invoked by OpenSSL when a new certificate is received +from the peer\&. It allows the client to check the certificate verification +results and choose whether to continue or not\&. It is called for each +certificate in the certificate chain\&. This callback was moved from +\fB-command\fR in TclTLS 1\&.8\&. The arguments are: +.RS +.TP +\fIdepth\fR +The depth is the integer depth of the certificate in the certificate chain, +where 0 is the peer certificate and higher values going up to the Certificate +Authority (CA)\&. +.TP +\fIcert\fR +The cert argument is a list of key-value pairs similar to those returned by +\fBtls::status\fR\&. +.TP +\fIstatus\fR +The status argument is the boolean validity of the current certificate where 0 +is invalid and 1 is valid\&. +.TP +\fIerror\fR +The error argument is the error message, if any, generated by +\fBX509_STORE_CTX_get_error()\fR\&. +.RE +.PP +Reference implementations of these callbacks are provided in "\fItls\&.tcl\fR" +as \fBtls::callback\fR, \fBtls::password\fR, and \fBtls::validate_command\fR +respectively\&. Note that these are only \fIsample\fR implementations\&. In a more +realistic deployment you would specify your own callback scripts on each TLS +channel using the \fB-command\fR, \fB-password\fR, and +\fB-validate_command\fR options\&. +.PP +The default behavior when the \fB-command\fR and \fB-validate_command\fR +options are not specified, is for TclTLS to process the associated library +callbacks internally\&. The default behavior when the \fB-password\fR option +is not specified is for TclTLS to process the associated library callbacks by +attempting to call \fBtls::password\fR\&. The difference between these two +behaviors is a consequence of maintaining compatibility with earlier +implementations\&. +.PP +\fIThe use of the reference callbacks \fBtls::callback\fR, \fBtls::password\fR, +and \fBtls::validate_command\fR is not recommended\&. They may be removed from future releases\&.\fR +.SH DEBUG +For most debugging needs, the \fB-callback\fR option can be used to provide +sufficient insight and information on the TLS handshake and progress\&. If +further troubleshooting insight is needed, the compile time option +\fB--enable-debug\fR can be used to get detailed execution flow status\&. +.PP +TLS key logging can be enabled by setting the environment variable +\fBSSLKEYLOGFILE\fR to the name of the file to log to\&. Then whenever TLS key +material is generated or received it will be logged to the file\&. This is useful +for logging key data for network logging tools to use to decrypt the data\&. +.PP +The \fBtls::debug\fR variable provides some additional control over these +reference callbacks\&. Its value is zero by default\&. Higher values produce more +diagnostic output, and will also force the verify method in \fBtls::callback\fR +to accept the certificate, even when it is invalid if the +\fB-validatecommand\fR option is set to \fBtls::validate_command\fR\&. +.PP +\fIThe use of the variable \fBtls::debug\fR is not recommended\&. +It may be removed from future releases\&.\fR +.SH "DEBUG EXAMPLES" +These examples use the default Unix platform SSL certificates\&. For standard +installations, -cadir and -cafile should not be needed\&. If your certificates +are in non-standard locations, update -cadir or use -cafile as needed\&. +.PP +Example #1: Use HTTP package +.CS + + + +package require http +package require tls +set url "https://www\&.tcl\&.tk/" + +http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command] + +# Check for error +set token [http::geturl $url] +if {[http::status $token] ne "ok"} { + puts [format "Error %s" [http::status $token]] +} + +# Get web page +set data [http::data $token] +puts [string length $data] + +# Cleanup +::http::cleanup $token + +.CE +Example #2: Use raw socket +.CS + + + +package require tls + +set url "www\&.tcl-lang\&.org" +set port 443 + +set ch [tls::socket -autoservername 1 -servername $url -request 1 -require 1 -alpn {http/1\&.1} -cadir /etc/ssl/certs -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command $url $port] +chan configure $ch -buffersize 65536 +tls::handshake $ch + +puts $ch "GET / HTTP/1\&.1" +flush $ch +after 500 +set data [read $ch] + +array set status [tls::status $ch] +array set conn [tls::connection $ch] +array set chan [chan configure $ch] +close $ch +parray status +parray conn +parray chan + +.CE +.SH "HTTP PACKAGE EXAMPLES" +These examples use the default Unix platform SSL certificates\&. For standard +installations, -cadir and -cafile should not be needed\&. If your certificates +are in non-standard locations, set -cadir or use -cafile as needed\&. +.PP +Example #3: Get web page +.CS + + + +package require http +package require tls +set url "https://www\&.tcl\&.tk/" + +http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] + +# Check for error +set token [http::geturl $url] +if {[http::status $token] ne "ok"} { + puts [format "Error %s" [http::status $token]] +} + +# Get web page +set data [http::data $token] +puts $data + +# Cleanup +::http::cleanup $token + +.CE +Example #4: Download file +.CS + + + +package require http +package require tls + +set url "https://wiki\&.tcl-lang\&.org/sitemap\&.xml" +set filename [file tail $url] + +http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] + +# Get file +set ch [open $filename wb] +set token [::http::geturl $url -blocksize 65536 -channel $ch] + +# Cleanup +close $ch +::http::cleanup $token + +.CE +.SH "SPECIAL CONSIDERATIONS" +The capabilities of this package can vary enormously based upon how the +linked to OpenSSL library was configured and built\&. New versions may obsolete +older protocol versions, add or remove ciphers, change default values, etc\&. +Use the \fBtls::protocols\fR commands to obtain the supported +protocol versions\&. +.SH "SEE ALSO" +\fIOpenSSL\fR [https://www\&.openssl\&.org/], http, socket +.SH KEYWORDS +I/O, IP Address, OpenSSL, SSL, TCP, TLS, TclTLS, asynchronous I/O, bind, certificate, channel, connection, domain name, host, https, network, network address, socket, tls +.SH CATEGORY +tls +.SH COPYRIGHT +.nf +Copyright (c) 1999 Matt Newman +Copyright (c) 2004 Starfish Systems +Copyright (c) 2024 Brian O'Hagan + +.fi Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -1,20 +1,21 @@ /* + * TLS Channel - This extension provides a encrypted communication channel + * using the TLS or SSL protocols. It can be layered on top of any + * bi-directional Tcl_Channel. + * + * This was initially built (almost) from scratch based upon observation of + * OpenSSL 0.9.2B. + * * Copyright (C) 1997-1999 Matt Newman * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * Copyright (C) 2023 Brian O'Hagan * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built (almost) from scratch based upon observation of - * OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * Additional credit is due for Andreas Kupries (a.kupries@westend.com), for * providing the Tcl_ReplaceChannel mechanism and working closely with me * to enhance it to support full fileevent semantics. * * Also work done by the follow people provided the impetus to do this "right": * tclSSL (Colin McCormack, Shared Technology) @@ -25,10 +26,13 @@ #include "tlsInt.h" #include "tclOpts.h" #include "tlsUuid.h" #include #include +#include +#include +#include #include #include /* Min OpenSSL version */ #if OPENSSL_VERSION_NUMBER < 0x10101000L @@ -39,19 +43,17 @@ /* * Forward declarations */ #define F2N(key, dsp) \ - (((key) == NULL) ? (char *) NULL : \ + (((key) == NULL) ? (char *)NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, - int key_asn1_len, int cert_asn1_len, char *CApath, char *CAfile, - char *ciphers, char *ciphersuites, int level, char *DHparams); - -static int TlsLibInit(int uninitialize); + Tcl_Size key_asn1_len, Tcl_Size cert_asn1_len, char *CApath, char *CAstore, + char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams); #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08 @@ -59,33 +61,10 @@ #define TLS_PROTO_TLS1_3 0x20 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) #define SSLKEYLOGFILE "SSLKEYLOGFILE" -/* - * Thread-Safe TLS Code - */ - -#ifdef TCL_THREADS -#define OPENSSL_THREAD_DEFINES -#include - -#ifdef OPENSSL_THREADS -#include -#include - -/* - * Threaded operation requires locking callbacks - * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. - */ - -static Tcl_Mutex *locks = NULL; -static int locksCount = 0; -static Tcl_Mutex init_mx; -#endif /* OPENSSL_THREADS */ -#endif /* TCL_THREADS */ - /********************/ /* Callbacks */ /********************/ @@ -104,17 +83,21 @@ * Evaluates callback command * *------------------------------------------------------------------- */ static int -EvalCallback(Tcl_Interp *interp, State *statePtr, Tcl_Obj *cmdPtr) { +EvalCallback( + Tcl_Interp *interp, /* Tcl interpreter */ + State *statePtr, /* Client state for TLS socket */ + Tcl_Obj *cmdPtr) /* Command to eval as a Tcl object */ +{ int code, ok = 0; dprintf("Called"); - Tcl_Preserve((ClientData) interp); - Tcl_Preserve((ClientData) statePtr); + Tcl_Preserve((void *) interp); + Tcl_Preserve((void *) statePtr); /* Eval callback with success for ok or return value 1, fail for error or return value 0 */ Tcl_ResetResult(interp); code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL); dprintf("EvalCallback: %d", code); @@ -133,12 +116,12 @@ #else Tcl_BackgroundException(interp, code); #endif } - Tcl_Release((ClientData) statePtr); - Tcl_Release((ClientData) interp); + Tcl_Release((void *) statePtr); + Tcl_Release((void *) interp); return ok; } /* *------------------------------------------------------------------- @@ -154,20 +137,25 @@ * Calls callback (if defined) * *------------------------------------------------------------------- */ static void -InfoCallback(const SSL *ssl, int where, int ret) { +InfoCallback( + const SSL *ssl, /* SSL context */ + int where, /* Source of info */ + int ret) /* message enum */ +{ State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; - char *major; char *minor; + const char *major, *minor; dprintf("Called"); - if (statePtr->callback == (Tcl_Obj*)NULL) + if (statePtr->callback == (Tcl_Obj*)NULL) { return; + } if (where & SSL_CB_HANDSHAKE_START) { major = "handshake"; minor = "start"; } else if (where & SSL_CB_HANDSHAKE_DONE) { @@ -226,11 +214,19 @@ * *------------------------------------------------------------------- */ #ifndef OPENSSL_NO_SSL_TRACE static void -MessageCallback(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) { +MessageCallback( + int write_p, /* Message 0=received, 1=sent */ + int version, /* TLS version */ + int content_type, /* Protocol content type */ + const void *buf, /* Protocol message */ + size_t len, /* Protocol message length */ + SSL *ssl, /* SSL context */ + void *arg) /* Client state for TLS socket */ +{ State *statePtr = (State*)arg; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; char *ver, *type; BIO *bio; @@ -237,12 +233,13 @@ char buffer[15000]; buffer[0] = 0; dprintf("Called"); - if (statePtr->callback == (Tcl_Obj*)NULL) + if (statePtr->callback == (Tcl_Obj*)NULL) { return; + } switch(version) { #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) case SSL2_VERSION: ver = "SSLv2"; @@ -310,10 +307,12 @@ buffer[n] = 0; (void)BIO_flush(bio); BIO_free(bio); } + dprintf("Message direction=%d, ver=%s, type=%s, message=%s", write_p, ver, type, &buffer[0]); + /* Create command to eval with fn, chan, direction, version, type, and message args */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("message", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); @@ -363,11 +362,14 @@ * to a string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ static int -VerifyCallback(int ok, X509_STORE_CTX *ctx) { +VerifyCallback( + int ok, /* Verify result */ + X509_STORE_CTX *ctx) /* CTX context */ +{ Tcl_Obj *cmdPtr; SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); X509 *cert = X509_STORE_CTX_get_current_cert(ctx); State *statePtr = (State*)SSL_get_app_data(ssl); Tcl_Interp *interp = statePtr->interp; @@ -386,25 +388,27 @@ } } else if (cert == NULL || ssl == NULL) { return 0; } - dprintf("VerifyCallback: eval callback"); + dprintf("VerifyCallback: create callback command"); /* Create command to eval with fn, chan, depth, cert info list, status, and error args */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth)); - Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert)); + Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert, 0)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj((char*)X509_verify_cert_error_string(err), -1)); /* Prevent I/O while callback is in progress */ /* statePtr->flags |= TLS_TCL_CALLBACK; */ + + dprintf("VerifyCallback: eval callback"); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); ok = EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); @@ -421,26 +425,32 @@ * Tls_Error -- * * Calls callback with error message. * * Side effects: - * The err field of the currently operative State is set - * to a string describing the SSL negotiation failure reason + * The err field of the currently operative State is set to a + * string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ void -Tls_Error(State *statePtr, char *msg) { +Tls_Error( + State *statePtr, /* Client state for TLS socket */ + const char *msg) /* Error message */ +{ Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr, *listPtr; unsigned long err; statePtr->err = msg; - dprintf("Called"); + dprintf("Called with message %s", msg); - if (statePtr->callback == (Tcl_Obj*)NULL) + if (statePtr->callback == (Tcl_Obj*)NULL) { return; + } + + dprintf("Tls_Error: create callback command"); /* Create command to eval with fn, chan, and message args */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, @@ -457,10 +467,12 @@ Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1)); } Tcl_ListObjAppendElement(interp, cmdPtr, listPtr); } + dprintf("Tls_Error: eval callback"); + /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); } @@ -475,11 +487,14 @@ * Side effects: * none * *------------------------------------------------------------------- */ -void KeyLogCallback(const SSL *ssl, const char *line) { +void KeyLogCallback( + const SSL *ssl, /* Client state for TLS socket */ + const char *line) /* Key data to be logged */ +{ char *str = getenv(SSLKEYLOGFILE); FILE *fd; dprintf("Called"); @@ -509,11 +524,16 @@ * Password size in bytes or -1 for an error. * *------------------------------------------------------------------- */ static int -PasswordCallback(char *buf, int size, int rwflag, void *udata) { +PasswordCallback( + char *buf, /* Pointer to buffer to store password in */ + int size, /* Buffer length in bytes */ + int rwflag, /* Whether password is needed for read or write */ + void *udata) /* Client state for TLS socket */ +{ State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; Tcl_Size len; @@ -520,31 +540,25 @@ dprintf("Called"); /* If no callback, use default callback */ if (statePtr->password == NULL) { - if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) { - char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); - if (len > (Tcl_Size) size-1) { - len = (Tcl_Size) size-1; - } - strncpy(buf, ret, (size_t) len); - buf[len] = '\0'; - return (int) len; - } else { - return -1; - } + cmdPtr = Tcl_NewListObj(0, NULL); + Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("tls::password", -1)); + } else { + cmdPtr = Tcl_DuplicateObj(statePtr->password); } /* Create command to eval with fn, rwflag, and size args */ - cmdPtr = Tcl_DuplicateObj(statePtr->password); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("password", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(rwflag)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(size)); - Tcl_Preserve((ClientData) interp); - Tcl_Preserve((ClientData) statePtr); + dprintf("PasswordCallback: eval callback"); + + Tcl_Preserve((void *) interp); + Tcl_Preserve((void *) statePtr); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL); if (code != TCL_OK) { @@ -554,24 +568,24 @@ Tcl_BackgroundException(interp, code); #endif } Tcl_DecrRefCount(cmdPtr); - Tcl_Release((ClientData) statePtr); + Tcl_Release((void *) statePtr); /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; - Tcl_Release((ClientData) interp); + Tcl_Release((void *) interp); return (int) len; } - Tcl_Release((ClientData) interp); + Tcl_Release((void *) interp); return -1; } /* *------------------------------------------------------------------- @@ -594,11 +608,14 @@ * 1 = success where app retains session in session cache, and must call SSL_SESSION_free() when done. * *------------------------------------------------------------------- */ static int -SessionCallback(SSL *ssl, SSL_SESSION *session) { +SessionCallback( + SSL *ssl, /* SSL context */ + SSL_SESSION *session) /* Session context */ +{ State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; const unsigned char *ticket; const unsigned char *session_id; @@ -663,12 +680,18 @@ * protocols are configured for this connection. The connection continues. * *------------------------------------------------------------------- */ static int -ALPNCallback(SSL *ssl, const unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, void *arg) { +ALPNCallback( + SSL *ssl, /* SSL context */ + const unsigned char **out, /* Return buffer to store selected protocol */ + unsigned char *outlen, /* Return buffer size */ + const unsigned char *in, /* Peer provided protocols */ + unsigned int inlen, /* Peer buffer size */ + void *arg) /* Client state for TLS socket */ +{ State *statePtr = (State*)arg; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code, res; @@ -732,11 +755,16 @@ * *------------------------------------------------------------------- */ #ifdef USE_NPN static int -NPNCallback(const SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg) { +NPNCallback( + const SSL *ssl, /* SSL context */ + const unsigned char **out, /* Return buffer to store selected protocol */ + unsigned int *outlen, /* Return buffer size */ + void *arg) /* Client state for TLS socket */ +{ State *statePtr = (State*)arg; dprintf("Called"); if (ssl == NULL || arg == NULL) { @@ -780,11 +808,15 @@ * e.g. if SNI has not been configured. The connection continues. * *------------------------------------------------------------------- */ static int -SNICallback(const SSL *ssl, int *alert, void *arg) { +SNICallback( + const SSL *ssl, /* SSL context */ + int *alert, /* Returned alert message */ + void *arg) /* Client state for TLS socket */ +{ State *statePtr = (State*)arg; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code, res; const char *servername = NULL; @@ -852,11 +884,15 @@ * SSL_CLIENT_HELLO_SUCCESS: success * *------------------------------------------------------------------- */ static int -HelloCallback(SSL *ssl, int *alert, void *arg) { +HelloCallback( + SSL *ssl, /* SSL context */ + int *alert, /* Returned alert message */ + void *arg) /* Client state for TLS socket */ +{ State *statePtr = (State*)arg; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code, res; const char *servername; @@ -865,11 +901,11 @@ dprintf("Called"); if (statePtr->vcmd == (Tcl_Obj*)NULL) { return SSL_CLIENT_HELLO_SUCCESS; - } else if (ssl == (const SSL *)NULL || arg == (void *)NULL) { + } else if (ssl == (const SSL *)NULL || arg == NULL) { return SSL_CLIENT_HELLO_ERROR; } /* Get names */ if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) { @@ -948,26 +984,30 @@ * constructs and destroys SSL context (CTX) * *------------------------------------------------------------------- */ static const char *protocols[] = { - "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL + "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL }; enum protocol { TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE }; static int -CiphersObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +CiphersObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ Tcl_Obj *objPtr = NULL; SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk; char buf[BUFSIZ]; int index, verbose = 0, use_supported = 0; const SSL_METHOD *method; - (void) clientData; dprintf("Called"); if ((objc < 2) || (objc > 4)) { Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose? ?supported?"); @@ -986,46 +1026,46 @@ ERR_clear_error(); switch ((enum protocol)index) { case TLS_SSL2: #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(NO_SSL2) || defined(OPENSSL_NO_SSL2) - Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *)NULL); return TCL_ERROR; #else method = SSLv2_method(); break; #endif case TLS_SSL3: #if defined(NO_SSL3) || defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD) - Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *)NULL); return TCL_ERROR; #else method = SSLv3_method(); break; #endif case TLS_TLS1: #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD) - Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *)NULL); return TCL_ERROR; #else method = TLSv1_method(); break; #endif case TLS_TLS1_1: #if defined(NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD) - Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *)NULL); return TCL_ERROR; #else method = TLSv1_1_method(); break; #endif case TLS_TLS1_2: #if defined(NO_TLS1_2) || defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_2_METHOD) - Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *)NULL); return TCL_ERROR; #else method = TLSv1_2_method(); break; #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) || defined(OPENSSL_NO_TLS1_3) - Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, protocols[index], ": protocol not supported", (char *)NULL); return TCL_ERROR; #else method = TLS_method(); SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); @@ -1036,17 +1076,17 @@ break; } ctx = SSL_CTX_new(method); if (ctx == NULL) { - Tcl_AppendResult(interp, GET_ERR_REASON(), (char *) NULL); + Tcl_AppendResult(interp, GET_ERR_REASON(), (char *)NULL); return TCL_ERROR; } ssl = SSL_new(ctx); if (ssl == NULL) { - Tcl_AppendResult(interp, GET_ERR_REASON(), (char *) NULL); + Tcl_AppendResult(interp, GET_ERR_REASON(), (char *)NULL); SSL_CTX_free(ctx); return TCL_ERROR; } /* Use list and order as would be sent in a ClientHello or all available ciphers */ @@ -1065,11 +1105,11 @@ if (c == NULL) continue; /* cipher name or (NONE) */ cp = SSL_CIPHER_get_name(c); if (cp == NULL) break; - Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *) cp, -1)); + Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(cp, -1)); } } else { objPtr = Tcl_NewStringObj("",0); for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) { @@ -1109,14 +1149,19 @@ * Side effects: * none * *------------------------------------------------------------------- */ + static int -ProtocolsObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +ProtocolsObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ Tcl_Obj *objPtr; - (void) clientData; dprintf("Called"); if (objc != 1) { Tcl_WrongNumArgs(interp, 1, objv, ""); @@ -1164,17 +1209,22 @@ * Side effects: * May force SSL negotiation to take place. * *------------------------------------------------------------------- */ -static int HandshakeObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { - Tcl_Channel chan; /* The channel to set a mode on. */ - State *statePtr; /* client state for ssl socket */ + +static int HandshakeObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ + Tcl_Channel chan; /* The channel to set a mode on. */ + State *statePtr; /* Client state for TLS socket */ const char *errStr = NULL; int ret = 1; int err = 0; - (void) clientData; dprintf("Called"); if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); @@ -1190,12 +1240,12 @@ /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "CHANNEL", "INVALID", (char *) NULL); + "\": not a TLS channel", (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "CHANNEL", "INVALID", (char *)NULL); return TCL_ERROR; } statePtr = (State *)Tcl_GetChannelInstanceData(chan); dprintf("Calling Tls_WaitForConnect"); @@ -1213,15 +1263,15 @@ if (!errStr || (*errStr == 0)) { errStr = Tcl_PosixError(interp); } - Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL); + Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *)NULL); if ((result = SSL_get_verify_result(statePtr->ssl)) != X509_V_OK) { - Tcl_AppendResult(interp, " due to \"", X509_verify_cert_error_string(result), "\"", (char *) NULL); + Tcl_AppendResult(interp, " due to \"", X509_verify_cert_error_string(result), "\"", (char *)NULL); } - Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *) NULL); + Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *)NULL); dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); return TCL_ERROR; } else { if (err != 0) { dprintf("Got an error with a completed handshake: err = %i", err); @@ -1231,11 +1281,11 @@ dprintf("Returning TCL_OK with data \"%i\"", ret); Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); return TCL_OK; } - + /* *------------------------------------------------------------------- * * ImportObjCmd -- * @@ -1249,14 +1299,20 @@ * Side effects: * May modify the behavior of an IO channel. * *------------------------------------------------------------------- */ + static int -ImportObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +ImportObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ Tcl_Channel chan; /* The channel to set a mode on. */ - State *statePtr; /* client state for ssl socket */ + State *statePtr; /* Client state for TLS socket */ SSL_CTX *ctx = NULL; Tcl_Obj *script = NULL; Tcl_Obj *password = NULL; Tcl_Obj *vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; @@ -1272,20 +1328,20 @@ Tcl_Size cert_len = 0; char *ciphers = NULL; char *ciphersuites = NULL; char *CAfile = NULL; char *CApath = NULL; + char *CAstore = NULL; char *DHparams = NULL; char *model = NULL; char *servername = NULL; /* hostname for Server Name Indication */ char *session_id = NULL; Tcl_Obj *alpn = NULL; int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 0, request = 1, post_handshake = 0; - (void) clientData; dprintf("Called"); #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1) tls1 = 0; @@ -1322,10 +1378,11 @@ break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CApath); OPTSTR("-cafile", CAfile); + OPTSTR("-castore", CAstore); OPTBYTE("-cert", cert, cert_len); OPTSTR("-certfile", certfile); OPTSTR("-cipher", ciphers); OPTSTR("-ciphers", ciphers); OPTSTR("-ciphersuites", ciphersuites); @@ -1349,11 +1406,11 @@ OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); - OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); + OPTBAD("option", "-alpn, -cadir, -cafile, -castore, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; @@ -1374,18 +1431,20 @@ if (keyfile && !*keyfile) keyfile = NULL; if (ciphers && !*ciphers) ciphers = NULL; if (ciphersuites && !*ciphersuites) ciphersuites = NULL; if (CAfile && !*CAfile) CAfile = NULL; if (CApath && !*CApath) CApath = NULL; + if (CAstore && !*CAstore) CAstore = NULL; if (DHparams && !*DHparams) DHparams = NULL; /* new SSL state */ statePtr = (State *) ckalloc((unsigned) sizeof(State)); memset(statePtr, 0, sizeof(State)); statePtr->flags = flags; statePtr->interp = interp; + statePtr->want = 0; statePtr->vflags = verify; statePtr->err = ""; /* allocate script */ if (script) { @@ -1427,54 +1486,57 @@ * Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char *) NULL); + "\": not a TLS channel", (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char *)NULL); Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { - if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, (int) key_len, - (int) cert_len, CApath, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) { + if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, key_len, + cert_len, CApath, CAstore, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) { Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx; - /* - * We need to make sure that the channel works in binary (for the - * encryption not to get goofed up). - * We only want to adjust the buffering in pre-v2 channels, where - * each channel in the stack maintained its own buffers. - */ + /* Preserve channel config */ Tcl_DStringInit(&upperChannelTranslation); Tcl_DStringInit(&upperChannelBlocking); Tcl_DStringInit(&upperChannelEOFChar); Tcl_DStringInit(&upperChannelEncoding); Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar); Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding); Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation); Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking); + + /* Ensure the channel works in binary mode (for the encryption not to get goofed up). */ Tcl_SetChannelOption(interp, chan, "-translation", "binary"); Tcl_SetChannelOption(interp, chan, "-blocking", "true"); + + /* Create stacked channel */ dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan)); - statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr, - (TCL_READABLE | TCL_WRITABLE), chan); + statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), statePtr, (TCL_READABLE | TCL_WRITABLE), chan); dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self)); if (statePtr->self == (Tcl_Channel) NULL) { /* * No use of Tcl_EventuallyFree because no possible Tcl_Preserve. */ Tls_Free((tls_free_type *) statePtr); + Tcl_DStringFree(&upperChannelTranslation); + Tcl_DStringFree(&upperChannelEncoding); + Tcl_DStringFree(&upperChannelEOFChar); + Tcl_DStringFree(&upperChannelBlocking); return TCL_ERROR; } + /* Restore channel config */ Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation)); Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding)); Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar)); Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking)); Tcl_DStringFree(&upperChannelTranslation); @@ -1486,32 +1548,32 @@ * SSL Initialization */ statePtr->ssl = SSL_new(statePtr->ctx); if (!statePtr->ssl) { /* SSL library error */ - Tcl_AppendResult(interp, "couldn't construct ssl session: ", GET_ERR_REASON(), (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "INIT", "FAILED", (char *) NULL); + Tcl_AppendResult(interp, "couldn't construct ssl session: ", GET_ERR_REASON(), (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "INIT", "FAILED", (char *)NULL); Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } /* Set host server name */ if (servername) { /* Sets the server name indication (SNI) in ClientHello extension */ /* Per RFC 6066, hostname is a ASCII encoded string, though RFC 4366 says UTF-8. */ if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { - Tcl_AppendResult(interp, "Set SNI extension failed: ", GET_ERR_REASON(), (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SNI", "FAILED", (char *) NULL); + Tcl_AppendResult(interp, "Set SNI extension failed: ", GET_ERR_REASON(), (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SNI", "FAILED", (char *)NULL); Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } /* Set hostname for peer certificate hostname verification in clients. Don't use SSL_set1_host since it has limitations. */ if (!SSL_add1_host(statePtr->ssl, servername)) { - Tcl_AppendResult(interp, "Set DNS hostname failed: ", GET_ERR_REASON(), (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "HOSTNAME", "FAILED", (char *) NULL); + Tcl_AppendResult(interp, "Set DNS hostname failed: ", GET_ERR_REASON(), (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "HOSTNAME", "FAILED", (char *)NULL); Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } } @@ -1518,12 +1580,12 @@ /* Resume session id */ if (session_id && strlen(session_id) <= SSL_MAX_SID_CTX_LENGTH) { /* SSL_set_session() */ if (!SSL_SESSION_set1_id_context(SSL_get_session(statePtr->ssl), (const unsigned char *) session_id, (unsigned int) strlen(session_id))) { - Tcl_AppendResult(interp, "Resume session failed: ", GET_ERR_REASON(), (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SESSION", "FAILED", (char *) NULL); + Tcl_AppendResult(interp, "Resume session failed: ", GET_ERR_REASON(), (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SESSION", "FAILED", (char *)NULL); Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } } @@ -1544,12 +1606,12 @@ /* Determine the memory required for the protocol-list */ for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { - Tcl_AppendResult(interp, "ALPN protocol names too long", (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL); + Tcl_AppendResult(interp, "ALPN protocol names too long", (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *)NULL); Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } protos_len += 1 + (int) len; } @@ -1565,12 +1627,12 @@ } /* SSL_set_alpn_protos makes a copy of the protocol-list */ /* Note: This function reverses the return value convention */ if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { - Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL); + Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *)NULL); Tls_Free((tls_free_type *) statePtr); ckfree(protos); return TCL_ERROR; } @@ -1585,10 +1647,11 @@ /* * SSL Callbacks */ SSL_set_app_data(statePtr->ssl, (void *)statePtr); /* point back to us */ SSL_set_verify(statePtr->ssl, verify, VerifyCallback); + /*SSL_set_verify_depth(SSL_set_verify_depth, 0);*/ SSL_set_info_callback(statePtr->ssl, InfoCallback); /* Callback for observing protocol messages */ #ifndef OPENSSL_NO_SSL_TRACE /* void SSL_CTX_set_msg_callback_arg(statePtr->ctx, (void *)statePtr); @@ -1620,13 +1683,10 @@ sent to the client, this can be done with SSL_do_handshake(). */ if (request && post_handshake && tls1_3) { SSL_verify_client_post_handshake(statePtr->ssl); } - /* set automatic curve selection */ - SSL_set_ecdh_auto(statePtr->ssl, 1); - /* Set server mode */ statePtr->flags |= TLS_TCL_SERVER; SSL_set_accept_state(statePtr->ssl); } else { /* Client callbacks */ @@ -1646,18 +1706,21 @@ } /* Set client mode */ SSL_set_connect_state(statePtr->ssl); } + + /* Set BIO for read and write operations on SSL object */ SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); + BIO_set_ssl_mode(statePtr->bio, (long) !server); /* * End of SSL Init */ dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); - Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE); + Tcl_SetResult(interp, (char *)Tcl_GetChannelName(statePtr->self), TCL_VOLATILE); return TCL_OK; } /* @@ -1673,42 +1736,198 @@ * Side effects: * May modify the behavior of an IO channel. * *------------------------------------------------------------------- */ + static int -UnimportObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { - Tcl_Channel chan; /* The channel to set a mode on. */ - (void) clientData; +UnimportObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ + Tcl_Channel chan, parent; /* The stacked and underlying channels */ + Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; + int res = TCL_OK; dprintf("Called"); if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return TCL_ERROR; } + /* Validate channel name */ chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); + parent = Tcl_GetStackedChannel(chan); - if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { + /* Verify is a stacked channel */ + if (parent == NULL) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char *) NULL); + "\": not a stacked channel", (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char *)NULL); return TCL_ERROR; } - if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) { + /* Flush any pending data */ + if (Tcl_OutputBuffered(chan) > 0 && Tcl_Flush(chan) != TCL_OK) { + Tcl_AppendResult(interp, "can't flush channel", (char *)NULL); return TCL_ERROR; } - return TCL_OK; + /* Init storage */ + Tcl_DStringInit(&upperChannelTranslation); + Tcl_DStringInit(&upperChannelBlocking); + Tcl_DStringInit(&upperChannelEOFChar); + Tcl_DStringInit(&upperChannelEncoding); + + /* Preserve current channel config */ + Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking); + Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding); + Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar); + Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation); + + /* Unstack the channel */ + if (Tcl_UnstackChannel(interp, chan) != TCL_OK) { + res = TCL_ERROR; + } + + /* Restore channel config */ + Tcl_SetChannelOption(interp, parent, "-encoding", Tcl_DStringValue(&upperChannelEncoding)); + Tcl_SetChannelOption(interp, parent, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar)); + Tcl_SetChannelOption(interp, parent, "-translation", Tcl_DStringValue(&upperChannelTranslation)); + Tcl_SetChannelOption(interp, parent, "-blocking", Tcl_DStringValue(&upperChannelBlocking)); + + /* Clean-up */ + Tcl_DStringFree(&upperChannelTranslation); + Tcl_DStringFree(&upperChannelEncoding); + Tcl_DStringFree(&upperChannelEOFChar); + Tcl_DStringFree(&upperChannelBlocking); + return res; +} + +/* + *------------------------------------------------------------------- + * + * TlsLoadClientCAFileFromMemory -- Load certificates from a client + * CA file from VFS into memory. + * + * Results: + * Number of certificates loaded or 0 for none. + * + * Side effects: + * Loads CA certificates + * + *------------------------------------------------------------------- + */ +static int +TlsLoadClientCAFileFromMemory( + Tcl_Interp *interp, /* Tcl interpreter */ + SSL_CTX *ctx, /* CTX context */ + Tcl_Obj *file) /* CA certificates filename */ +{ + BIO *bio = NULL; + X509 *cert = NULL; + X509_STORE *store = NULL; + Tcl_Obj *buf = NULL; + const void *data = NULL; + X509_NAME *name = NULL; + STACK_OF(X509_NAME) *certNames = NULL; + int ret = 0; + Tcl_Size len = 0; + + /* Read file into memory */ + Tcl_Channel in = Tcl_FSOpenFileChannel(interp, file, "r", 0); + if (in == NULL) { + goto cleanup; + } + Tcl_SetChannelOption(interp, in, "-encoding", "binary"); + buf = Tcl_NewObj(); + Tcl_IncrRefCount(buf); + + if (Tcl_ReadChars(in, buf, -1, 0) < 0) { + Tcl_Close(interp, in); + goto cleanup; + } + Tcl_Close(interp, in); + + data = (const void *) Tcl_GetByteArrayFromObj(buf, &len); + bio = BIO_new_mem_buf(data, len); + if (bio == NULL) { + goto cleanup; + } + + /* Where the certs go */ + store = SSL_CTX_get_cert_store(ctx); + if (store == NULL) { + store = X509_STORE_new(); + if (store == NULL) { + goto cleanup; + } + } + + /* Where the CA names go */ + certNames = sk_X509_NAME_new_null(); + if (!certNames) { + goto cleanup; + } + + /* Attempt to load all certs from the PEM file */ + while ((cert = PEM_read_bio_X509(bio, NULL, 0, NULL)) != NULL) { + if (X509_STORE_add_cert(store, cert) == 0) { + X509_free(cert); + ret = 0; + goto cleanup; + } + /* Copy name to stack before certificate gets freed */ + name = X509_get_subject_name(cert); + if (name) { + X509_NAME *name_copy = X509_NAME_dup(name); + if (!name_copy || !sk_X509_NAME_push(certNames, name_copy)) { + X509_free(cert); + ret = 0; + goto cleanup; + } + } + X509_free(cert); + ret ++; + } + + /* At least one cert was added so retain the store and CA list */ + if (ret) { + if (SSL_CTX_get_cert_store(ctx) == NULL) { + SSL_CTX_set_cert_store(ctx, store); + } + SSL_CTX_set_client_CA_list(ctx, certNames); + } + + cleanup: + + if (! ret) { + /* New store is not required */ + if (store != SSL_CTX_get_cert_store(ctx)) { + X509_STORE_free(store); + } + /* Cert names will not be used */ + if (certNames) { + sk_X509_NAME_pop_free(certNames, X509_NAME_free); + } + } + + BIO_free(bio); + + if (buf) + Tcl_DecrRefCount(buf); + + return ret; } /* *------------------------------------------------------------------- * @@ -1720,14 +1939,30 @@ * Side effects: * constructs SSL context (CTX) * *------------------------------------------------------------------- */ + static SSL_CTX * -CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile, - unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CApath, - char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams) { +CTX_Init( + State *statePtr, /* Client state for TLS socket */ + int isServer, /* Is server or client */ + int proto, /* TLS protocol versions mask */ + char *keyfile, /* Private key filename in pEM format */ + char *certfile, /* Certificate filename in PEM format */ + unsigned char *key, /* Private key in PEM format */ + unsigned char *cert, /* Certificate in PEM format */ + Tcl_Size key_len, /* Private key length in bytes */ + Tcl_Size cert_len, /* Certificate length in bytes */ + char *CApath, /* CA directory path */ + char *CAstore, /* CA Store URI path */ + char *CAfile, /* CA filename */ + char *ciphers, /* List of ciphers */ + char *ciphersuites, /* List of cipher suites */ + int level, /* Security level */ + char *DHparams) /* DH parameters */ +{ Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; int off = 0, abort = 0; int load_private_key; @@ -1734,48 +1969,48 @@ const SSL_METHOD *method; dprintf("Called"); if (!proto) { - Tcl_AppendResult(interp, "no valid protocol selected", (char *) NULL); + Tcl_AppendResult(interp, "no valid protocol selected", (char *)NULL); return NULL; } /* create SSL context */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(NO_SSL2) || defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { - Tcl_AppendResult(interp, "SSL2 protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, "SSL2 protocol not supported", (char *)NULL); return NULL; } #endif #if defined(NO_SSL3) || defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { - Tcl_AppendResult(interp, "SSL3 protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, "SSL3 protocol not supported", (char *)NULL); return NULL; } #endif #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { - Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", (char *)NULL); return NULL; } #endif #if defined(NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { - Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", (char *)NULL); return NULL; } #endif #if defined(NO_TLS1_2) || defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { - Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", (char *)NULL); return NULL; } #endif #if defined(NO_TLS1_3) || defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { - Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", (char *) NULL); + Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", (char *)NULL); return NULL; } #endif if (proto == 0) { /* Use full range */ @@ -1865,29 +2100,38 @@ #if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_all_algorithms(); /* Load ciphers and digests */ #endif SSL_CTX_set_app_data(ctx, (void*)interp); /* remember the interpreter */ - SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */ - SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); /* disable compression even if supported */ - SSL_CTX_set_options(ctx, off); /* disable protocol versions */ -#if OPENSSL_VERSION_NUMBER < 0x10101000L - SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background. On by default in OpenSSL 1.1.1. */ -#endif + SSL_CTX_set_options(ctx, SSL_OP_ALL); /* Enable all SSL bug workarounds */ + SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); /* Disable compression even if supported */ + SSL_CTX_set_options(ctx, off); /* Disable specified protocol versions */ + + /* Allow writes to report success when less than all records have been written */ + SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + + /* Disable attempts to try to process the next record instead of returning after a + non-app record. Avoids hangs in blocking mode, when using SSL_read() and a + non-application record was sent without any application data. */ + /*SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);*/ + SSL_CTX_sess_set_cache_size(ctx, 128); /* Set user defined ciphers, cipher suites, and security level */ if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { - Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *) NULL); + Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *)NULL); SSL_CTX_free(ctx); return NULL; } if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { - Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char *) NULL); + Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char *)NULL); SSL_CTX_free(ctx); return NULL; } + + /* set automatic curve selection */ + SSL_CTX_set_ecdh_auto(ctx, 1); /* Set security level */ if (level > -1 && level < 6) { /* SSL_set_security_level */ SSL_CTX_set_security_level(ctx, level); @@ -1899,11 +2143,11 @@ /* read a Diffie-Hellman parameters file, or use the built-in one */ Tcl_DStringInit(&ds); #ifdef OPENSSL_NO_DH if (DHparams != NULL) { - Tcl_AppendResult(interp, "DH parameter support not available", (char *) NULL); + Tcl_AppendResult(interp, "DH parameter support not available", (char *)NULL); SSL_CTX_free(ctx); return NULL; } #else { @@ -1912,30 +2156,31 @@ BIO *bio; bio = BIO_new_file(F2N(DHparams, &ds), "r"); if (!bio) { Tcl_DStringFree(&ds); - Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL); + Tcl_AppendResult(interp, "Could not find DH parameters file", (char *)NULL); SSL_CTX_free(ctx); return NULL; } dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); Tcl_DStringFree(&ds); if (!dh) { - Tcl_AppendResult(interp, "Could not read DH parameters from file", (char *) NULL); + Tcl_AppendResult(interp, "Could not read DH parameters from file", (char *)NULL); SSL_CTX_free(ctx); return NULL; } SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); } else { /* Use well known DH parameters that have built-in support in OpenSSL */ if (!SSL_CTX_set_dh_auto(ctx, 1)) { - Tcl_AppendResult(interp, "Could not enable set DH auto: ", GET_ERR_REASON(), (char *) NULL); + Tcl_AppendResult(interp, "Could not enable set DH auto: ", GET_ERR_REASON(), + (char *)NULL); SSL_CTX_free(ctx); return NULL; } } } @@ -1947,31 +2192,31 @@ load_private_key = 1; if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ", - GET_ERR_REASON(), (char *) NULL); + GET_ERR_REASON(), (char *)NULL); SSL_CTX_free(ctx); return NULL; } Tcl_DStringFree(&ds); } else if (cert != NULL) { load_private_key = 1; - if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) { + if (SSL_CTX_use_certificate_ASN1(ctx, (int) cert_len, cert) <= 0) { Tcl_AppendResult(interp, "unable to set certificate: ", - GET_ERR_REASON(), (char *) NULL); + GET_ERR_REASON(), (char *)NULL); SSL_CTX_free(ctx); return NULL; } } else { certfile = (char*)X509_get_default_cert_file(); if (SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM) <= 0) { #if 0 Tcl_AppendResult(interp, "unable to use default certificate file ", certfile, ": ", - GET_ERR_REASON(), (char *) NULL); + GET_ERR_REASON(), (char *)NULL); SSL_CTX_free(ctx); return NULL; #endif } } @@ -1991,38 +2236,41 @@ if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) { Tcl_DStringFree(&ds); /* flush the passphrase which might be left in the result */ Tcl_SetResult(interp, NULL, TCL_STATIC); Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ", - GET_ERR_REASON(), (char *) NULL); + GET_ERR_REASON(), (char *)NULL); SSL_CTX_free(ctx); return NULL; } Tcl_DStringFree(&ds); } else if (key != NULL) { - if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) { + if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key, (int) key_len) <= 0) { /* flush the passphrase which might be left in the result */ Tcl_SetResult(interp, NULL, TCL_STATIC); - Tcl_AppendResult(interp, "unable to set public key: ", GET_ERR_REASON(), (char *) NULL); + Tcl_AppendResult(interp, "unable to set public key: ", GET_ERR_REASON(), (char *)NULL); SSL_CTX_free(ctx); return NULL; } } /* Now we know that a key and cert have been set against * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) { Tcl_AppendResult(interp, "private key does not match the certificate public key", - (char *) NULL); + (char *)NULL); SSL_CTX_free(ctx); return NULL; } } - /* Set to use default location and file for Certificate Authority (CA) certificates. The - * verify path and store can be overridden by the SSL_CERT_DIR env var. The verify file can - * be overridden by the SSL_CERT_FILE env var. */ + /* Set to use the default location and file for Certificate Authority (CA) certificates. + * The default CA certificates directory is called certs in the default OpenSSL + * directory. It contains the CA certificates in PEM format, with one certificate per + * file. The verify path and store can be overridden by the SSL_CERT_DIR env var. The + * default CA certificates file is called cert.pem in the default OpenSSL directory. + * The verify file can be overridden by the SSL_CERT_FILE env var. */ if (!SSL_CTX_set_default_verify_paths(ctx)) { abort++; } /* Overrides for the CA verify path and file */ @@ -2032,10 +2280,11 @@ Tcl_DString ds1; Tcl_DStringInit(&ds1); if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) { abort++; + return NULL; } Tcl_DStringFree(&ds); Tcl_DStringFree(&ds1); /* Set list of CAs to send to client when requesting a client certificate */ @@ -2047,39 +2296,77 @@ } Tcl_DStringFree(&ds); } #else + /* Set directory containing CA certificates in PEM format. */ if (CApath != NULL) { if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) { abort++; } Tcl_DStringFree(&ds); } - if (CAfile != NULL) { - if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { + + /* Set URI for to a store, which may be a single container or a catalog of containers. */ + if (CAstore != NULL) { + if (!SSL_CTX_load_verify_store(ctx, F2N(CAstore, &ds))) { abort++; } Tcl_DStringFree(&ds); + } - /* Set list of CAs to send to client when requesting a client certificate */ - STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); - if (certNames != NULL) { - SSL_CTX_set_client_CA_list(ctx, certNames); + /* Set file of CA certificates in PEM format. */ + if (CAfile != NULL) { + Tcl_Obj *cafileobj = Tcl_NewStringObj(CAfile, -1); + Tcl_IncrRefCount(cafileobj); + + Tcl_Obj *fsinfo = Tcl_FSFileSystemInfo(cafileobj); + if (fsinfo) { + Tcl_IncrRefCount(fsinfo); + + Tcl_Obj *fstype = NULL; + Tcl_ListObjIndex(interp, fsinfo, 0, &fstype); + + if (Tcl_StringMatch("native", Tcl_GetString(fstype))) { + if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { + abort++; + } + Tcl_DStringFree(&ds); + + /* Set list of CAs to send to client when requesting a client certificate */ + STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); + if (certNames != NULL) { + SSL_CTX_set_client_CA_list(ctx, certNames); + } + Tcl_DStringFree(&ds); + + } else { + /* Load certificate into memory */ + if (!TlsLoadClientCAFileFromMemory(interp, ctx, cafileobj)) { + abort++; + } + } + Tcl_DecrRefCount(fsinfo); + + } else { + abort++; /* Path is not recognized */ } - Tcl_DStringFree(&ds); + Tcl_DecrRefCount(cafileobj); } #endif } + if (abort > 0) { + /* return error */ + } return ctx; } /* *------------------------------------------------------------------- * - * StatusObjCmd -- return certificate for connected peer. + * StatusObjCmd -- return certificate for connected peer info. * * Results: * A standard Tcl result. * * Side effects: @@ -2086,21 +2373,25 @@ * None. * *------------------------------------------------------------------- */ static int -StatusObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +StatusObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ State *statePtr; X509 *peer; Tcl_Obj *objPtr; Tcl_Channel chan; char *channelName, *ciphers; int mode; const unsigned char *proto; unsigned int len; int nid, res; - (void) clientData; dprintf("Called"); if (objc < 2 || objc > 3 || (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); @@ -2116,12 +2407,12 @@ /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "STATUS", "CHANNEL", "INVALID", (char *) NULL); + "\": not a TLS channel", (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "STATUS", "CHANNEL", "INVALID", (char *)NULL); return TCL_ERROR; } statePtr = (State *) Tcl_GetChannelInstanceData(chan); /* Get certificate for peer or self */ @@ -2130,11 +2421,11 @@ } else { peer = SSL_get_certificate(statePtr->ssl); } /* Get X509 certificate info */ if (peer) { - objPtr = Tls_NewX509Obj(interp, peer); + objPtr = Tls_NewX509Obj(interp, peer, 1); if (objc == 2) { X509_free(peer); peer = NULL; } } else { @@ -2152,24 +2443,24 @@ LAPPEND_STR(interp, objPtr, "verifyResult", X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)), -1); /* Verify mode */ mode = SSL_get_verify_mode(statePtr->ssl); - if (mode && SSL_VERIFY_NONE) { + if (mode & SSL_VERIFY_NONE) { LAPPEND_STR(interp, objPtr, "verifyMode", "none", -1); } else { Tcl_Obj *listObjPtr = Tcl_NewListObj(0, NULL); - if (mode && SSL_VERIFY_PEER) { + if (mode & SSL_VERIFY_PEER) { Tcl_ListObjAppendElement(interp, listObjPtr, Tcl_NewStringObj("peer", -1)); } - if (mode && SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { + if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { Tcl_ListObjAppendElement(interp, listObjPtr, Tcl_NewStringObj("fail if no peer cert", -1)); } - if (mode && SSL_VERIFY_CLIENT_ONCE) { + if (mode & SSL_VERIFY_CLIENT_ONCE) { Tcl_ListObjAppendElement(interp, listObjPtr, Tcl_NewStringObj("client once", -1)); } - if (mode && SSL_VERIFY_POST_HANDSHAKE) { + if (mode & SSL_VERIFY_POST_HANDSHAKE) { Tcl_ListObjAppendElement(interp, listObjPtr, Tcl_NewStringObj("post handshake", -1)); } LAPPEND_OBJ(interp, objPtr, "verifyMode", listObjPtr) } @@ -2188,17 +2479,20 @@ res = SSL_get_signature_nid(statePtr->ssl, &nid); } if (!res) {nid = 0;} LAPPEND_STR(interp, objPtr, "signatureHashAlgorithm", OBJ_nid2ln(nid), -1); + /* Added in OpenSSL 1.1.1a */ +#if OPENSSL_VERSION_NUMBER > 0x10101000L if (objc == 2) { res = SSL_get_peer_signature_type_nid(statePtr->ssl, &nid); } else { res = SSL_get_signature_type_nid(statePtr->ssl, &nid); } if (!res) {nid = 0;} LAPPEND_STR(interp, objPtr, "signatureType", OBJ_nid2ln(nid), -1); +#endif Tcl_SetObjResult(interp, objPtr); return TCL_OK; } @@ -2211,19 +2505,25 @@ * A list of connection info * *------------------------------------------------------------------- */ -static int ConnectionInfoObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +static int ConnectionInfoObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ Tcl_Channel chan; /* The channel to set a mode on */ - State *statePtr; /* client state for ssl socket */ + State *statePtr; /* Client state for TLS socket */ Tcl_Obj *objPtr, *listPtr; const SSL *ssl; const SSL_CIPHER *cipher; const SSL_SESSION *session; const EVP_MD *md; - (void) clientData; + + dprintf("Called"); if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return TCL_ERROR; } @@ -2235,27 +2535,37 @@ /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *) NULL); - Tcl_SetErrorCode(interp, "TLS", "CONNECTION", "CHANNEL", "INVALID", (char *) NULL); + "\": not a TLS channel", (char *)NULL); + Tcl_SetErrorCode(interp, "TLS", "CONNECTION", "CHANNEL", "INVALID", (char *)NULL); return TCL_ERROR; } objPtr = Tcl_NewListObj(0, NULL); /* Connection info */ statePtr = (State *)Tcl_GetChannelInstanceData(chan); ssl = statePtr->ssl; if (ssl != NULL) { + const unsigned char *proto; + unsigned int ulen; + + /* Initialization finished */ + LAPPEND_BOOL(interp, objPtr, "init_finished", SSL_is_init_finished(ssl)); + /* connection state */ LAPPEND_STR(interp, objPtr, "state", SSL_state_string_long(ssl), -1); /* Get SNI requested server name */ LAPPEND_STR(interp, objPtr, "servername", SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1); + /* Report the selected protocol as a result of the negotiation */ + SSL_get0_alpn_selected(statePtr->ssl, &proto, &ulen); + LAPPEND_STR(interp, objPtr, "alpn", (char *)proto, (Tcl_Size) ulen); + /* Get protocol */ LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(ssl), -1); /* Renegotiation allowed */ LAPPEND_BOOL(interp, objPtr, "renegotiation_allowed", SSL_get_secure_renegotiation_support((SSL *) ssl)); @@ -2269,10 +2579,30 @@ /* Is server info */ LAPPEND_BOOL(interp, objPtr, "is_server", SSL_is_server(ssl)); /* Is DTLS */ LAPPEND_BOOL(interp, objPtr, "is_dtls", SSL_is_dtls(ssl)); + +#if OPENSSL_VERSION_NUMBER >= 0x30200000L + /* Is QUIC */ + LAPPEND_BOOL(interp, objPtr, "is_quic", SSL_is_quic(ssl)); + + /* Is TLS */ + LAPPEND_BOOL(interp, objPtr, "is_tls", SSL_is_tls(ssl)); +#endif + + /* DANE TLS authentication */ + LAPPEND_BOOL(interp, objPtr, "dane_auth", SSL_get0_dane((SSL *)ssl) != NULL); + + /* Waiting for async */ + LAPPEND_BOOL(interp, objPtr, "waiting_for_async", SSL_waiting_for_async((SSL *)ssl)); + + /* Time-out */ + LAPPEND_LONG(interp, objPtr, "time-out", SSL_get_default_timeout(ssl)); + + /* Is Certificate Transparency validation enabled */ + LAPPEND_BOOL(interp, objPtr, "ct_enabled", SSL_ct_is_enabled(ssl)); } /* Cipher info */ cipher = SSL_get_current_cipher(ssl); if (cipher != NULL) { @@ -2449,21 +2779,23 @@ * None. * *------------------------------------------------------------------- */ static int -VersionObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +VersionObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + TCL_UNUSED(int), /* objc - Arg count */ + TCL_UNUSED(Tcl_Obj *const *)) /* objv - Arguments as Tcl objects */ +{ Tcl_Obj *objPtr; - (void) clientData; - (void) objc; - (void) objv; dprintf("Called"); objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1); - Tcl_SetObjResult(interp, objPtr); + Tcl_SetObjResult(interp, objPtr); return TCL_OK; } /* *------------------------------------------------------------------- @@ -2477,17 +2809,20 @@ * None. * *------------------------------------------------------------------- */ static int -MiscObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { +MiscObjCmd( + TCL_UNUSED(ClientData), /* Client data */ + Tcl_Interp *interp, /* Tcl interpreter */ + int objc, /* Arg count */ + Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ +{ static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; - Tcl_Size cmd; - int isStr; + int cmd, isStr; char buffer[16384]; - (void) clientData; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); @@ -2505,16 +2840,15 @@ case C_STRREQ: { EVP_PKEY *pkey=NULL; X509 *cert=NULL; X509_NAME *name=NULL; Tcl_Obj **listv; - Tcl_Size listc; - int i; + Tcl_Size listc, i; BIO *out=NULL; - char *k_C="",*k_ST="",*k_L="",*k_O="",*k_OU="",*k_CN="",*k_Email=""; + const char *k_C="",*k_ST="",*k_L="",*k_O="",*k_OU="",*k_CN="",*k_Email=""; char *keyout,*pemout,*str; int keysize,serial=0,days=365; #if OPENSSL_VERSION_NUMBER < 0x30000000L BIGNUM *bne = NULL; @@ -2699,11 +3033,13 @@ * Frees all the state * *------------------------------------------------------------------- */ void -Tls_Free(tls_free_type *blockPtr) { +Tls_Free( + tls_free_type *blockPtr) /* Client state for TLS socket */ +{ State *statePtr = (State *)blockPtr; dprintf("Called"); Tls_Clean(statePtr); @@ -2726,11 +3062,13 @@ * Side effects: * Frees all the state * *------------------------------------------------------------------- */ -void Tls_Clean(State *statePtr) { +void Tls_Clean( + State *statePtr) /* Client state for TLS socket */ +{ dprintf("Called"); /* * we're assuming here that we're single-threaded */ @@ -2737,29 +3075,11 @@ if (statePtr->timer != (Tcl_TimerToken) NULL) { Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = NULL; } - if (statePtr->protos) { - ckfree(statePtr->protos); - statePtr->protos = NULL; - } - if (statePtr->bio) { - /* This will call SSL_shutdown. Bug 1414045 */ - dprintf("BIO_free_all(%p)", statePtr->bio); - BIO_free_all(statePtr->bio); - statePtr->bio = NULL; - } - if (statePtr->ssl) { - dprintf("SSL_free(%p)", statePtr->ssl); - SSL_free(statePtr->ssl); - statePtr->ssl = NULL; - } - if (statePtr->ctx) { - SSL_CTX_free(statePtr->ctx); - statePtr->ctx = NULL; - } + /* Remove callbacks */ if (statePtr->callback) { Tcl_DecrRefCount(statePtr->callback); statePtr->callback = NULL; } if (statePtr->password) { @@ -2768,10 +3088,33 @@ } if (statePtr->vcmd) { Tcl_DecrRefCount(statePtr->vcmd); statePtr->vcmd = NULL; } + + if (statePtr->protos) { + ckfree(statePtr->protos); + statePtr->protos = NULL; + } + + if (statePtr->bio) { + /* This will call SSL_shutdown. Bug 1414045 */ + dprintf("BIO_free_all(%p)", statePtr->bio); + BIO_free_all(statePtr->bio); + statePtr->bio = NULL; + } + + if (statePtr->ssl) { + dprintf("SSL_free(%p)", statePtr->ssl); + SSL_free(statePtr->ssl); + statePtr->ssl = NULL; + } + + if (statePtr->ctx) { + SSL_CTX_free(statePtr->ctx); + statePtr->ctx = NULL; + } dprintf("Returning"); } /* @@ -2794,11 +3137,13 @@ # define STRINGIFY(x) STRINGIFY1(x) # define STRINGIFY1(x) #x #endif int -BuildInfoCommand(Tcl_Interp* interp) { +BuildInfoCommand( + Tcl_Interp* interp) /* Tcl interpreter */ +{ Tcl_CmdInfo info; if (Tcl_GetCommandInfo(interp, "::tcl::build-info", &info)) { Tcl_CreateObjCommand(interp, "::tls::build-info", info.objProc, (void *)( PACKAGE_VERSION "+" STRINGIFY(TLS_VERSION_UUID) @@ -2855,22 +3200,89 @@ ), NULL); } return TCL_OK; } +/* + *------------------------------------------------------* + * + * TlsLibShutdown -- + * + * Shutdown SSL library once per application + * + * Results: + * A standard TCL result + * + * Side effects: + * Shutdown SSL library + * + *------------------------------------------------------* + */ +void TlsLibShutdown( + ClientData clientData) /* Not used */ +{ + dprintf("Called"); + + BIO_cleanup(); +} + +/* + *------------------------------------------------------* + * + * TlsLibInit -- + * + * Initializes SSL library once per application + * + * Results: + * A standard Tcl result + * + * Side effects: + * Initializes SSL library + * + *------------------------------------------------------* + */ +static int TlsLibInit() { + static int initialized = 0; + + dprintf("Called"); + + if (!initialized) { + /* Initialize BOTH libcrypto and libssl. */ + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS + | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS + | OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_ASYNC, NULL)) { + return TCL_ERROR; + } + + /* Create BIO handlers */ + BIO_new_tcl(NULL, 0); + + /* Create exit handler */ + Tcl_CreateExitHandler(TlsLibShutdown, NULL); + initialized = 1; + } + return TCL_OK; +} + +/* Init script */ +static const char tlsTclInitScript[] = { +#include "tls.tcl.h" +}; + /* *------------------------------------------------------------------- * * Tls_Init -- * * This is a package initialization procedure, which is called - * by Tcl when this package is to be added to an interpreter. + * by TCL when this package is to be added to an interpreter. * - * Results: Ssl configured and loaded + * Results: + * Initializes structures and creates commands. * * Side effects: - * create the ssl command, initialize ssl context + * Create the commands * *------------------------------------------------------------------- */ #if TCL_MAJOR_VERSION > 8 @@ -2877,38 +3289,37 @@ #define MIN_VERSION "9.0" #else #define MIN_VERSION "8.5" #endif -static const char tlsTclInitScript[] = { -#include "tls.tcl.h" - 0x00 - }; - -DLLEXPORT int Tls_Init(Tcl_Interp *interp) { +DLLEXPORT int Tls_Init( + Tcl_Interp *interp) /* Tcl interpreter */ +{ dprintf("Called"); #ifdef USE_TCL_STUBS if (Tcl_InitStubs(interp, MIN_VERSION, 0) == NULL) { return TCL_ERROR; } -#endif - if (Tcl_PkgRequire(interp, "Tcl", MIN_VERSION, 0) == NULL) { +#else + if (Tcl_PkgRequireEx(interp, "Tcl", MIN_VERSION, 0, NULL) == NULL) { return TCL_ERROR; } +#endif - if (TlsLibInit(0) != TCL_OK) { - Tcl_AppendResult(interp, "could not initialize SSL library", (char *) NULL); + if (TlsLibInit() != TCL_OK) { + Tcl_AppendResult(interp, "could not initialize SSL library", (char *)NULL); return TCL_ERROR; } Tcl_CreateObjCommand(interp, "::tls::ciphers", CiphersObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::connection", ConnectionInfoObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::handshake", HandshakeObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::import", ImportObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::unimport", UnimportObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "::tls::unstack", UnimportObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::status", StatusObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::version", VersionObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::misc", MiscObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); Tcl_CreateObjCommand(interp, "::tls::protocols", ProtocolsObjCmd, (ClientData) NULL, (Tcl_CmdDeleteProc *) NULL); @@ -2920,134 +3331,25 @@ return Tcl_PkgProvide(interp, PACKAGE_NAME, PACKAGE_VERSION); } /* - *------------------------------------------------------* - * - * Tls_SafeInit -- - * - * ------------------------------------------------* - * Standard procedure required by 'load'. - * Initializes this extension for a safe interpreter. - * ------------------------------------------------* - * - * Side effects: - * As of 'Tls_Init' - * - * Result: - * A standard Tcl error code. - * - *------------------------------------------------------* - */ -DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp) { + *------------------------------------------------------------------- + * + * Tls_SafeInit -- + * + * This is a package initialization procedure for safe interps. + * + * Results: + * Same as of 'Tls_Init' + * + * Side effects: + * Same as of 'Tls_Init' + * + *------------------------------------------------------------------- + */ +DLLEXPORT int Tls_SafeInit( + Tcl_Interp *interp) /* Tcl interpreter */ +{ dprintf("Called"); return Tls_Init(interp); } - -/* - *------------------------------------------------------* - * - * TlsLibInit -- - * - * ------------------------------------------------* - * Initializes SSL library once per application - * ------------------------------------------------* - * - * Side effects: - * initializes SSL library - * - * Result: - * none - * - *------------------------------------------------------* - */ -static int TlsLibInit(int uninitialize) { - static int initialized = 0; - int status = TCL_OK; -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - size_t num_locks; -#endif - - if (uninitialize) { - if (!initialized) { - dprintf("Asked to uninitialize, but we are not initialized"); - - return TCL_OK; - } - - dprintf("Asked to uninitialize"); - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexLock(&init_mx); - - if (locks) { - free(locks); - locks = NULL; - locksCount = 0; - } -#endif - initialized = 0; - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexUnlock(&init_mx); -#endif - - return TCL_OK; - } - - if (initialized) { - dprintf("Called, but using cached value"); - return status; - } - - dprintf("Called"); - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexLock(&init_mx); -#endif - initialized = 1; - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - num_locks = 1; - locksCount = (int) num_locks; - locks = malloc(sizeof(*locks) * num_locks); - memset(locks, 0, sizeof(*locks) * num_locks); -#endif - - /* Initialize BOTH libcrypto and libssl. */ - OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS - | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); - - BIO_new_tcl(NULL, 0); - -#if 0 - /* - * XXX:TODO: Remove this code and replace it with a check - * for enough entropy and do not try to create our own - * terrible entropy - */ - /* - * Seed the random number generator in the SSL library, - * using the do/while construct because of the bug note in the - * OpenSSL FAQ at http://www.openssl.org/support/faq.html#USER1 - * - * The crux of the problem is that Solaris 7 does not have a - * /dev/random or /dev/urandom device so it cannot gather enough - * entropy from the RAND_seed() when TLS initializes and refuses - * to go further. Earlier versions of OpenSSL carried on regardless. - */ - srand((unsigned int) time((time_t *) NULL)); - do { - for (i = 0; i < 16; i++) { - rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0)); - } - RAND_seed(rnd_seed, sizeof(rnd_seed)); - } while (RAND_status() != 1); -#endif - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexUnlock(&init_mx); -#endif - - return status; -} Index: generic/tls.h ================================================================== --- generic/tls.h +++ generic/tls.h @@ -1,12 +1,11 @@ /* - * Copyright (C) 1997-2000 Matt Newman - * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) + * TLS Channel - This extension provides a encrypted communication channel + * using the TLS or SSL protocols. It can be layered on top of any + * bi-directional Tcl_Channel. * - * This was built from scratch based upon observation of OpenSSL 0.9.2B + * Copyright (C) 1997-2000 Matt Newman * * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for * providing the Tcl_ReplaceChannel mechanism and working closely with me * to enhance it to support full fileevent semantics. * @@ -13,11 +12,11 @@ * Also work done by the follow people provided the impetus to do this "right":- * tclSSL (Colin McCormack, Shared Technology) * SSLtcl (Peter Antman) * */ - + #ifndef _TLS_H #define _TLS_H #include Index: generic/tlsBIO.c ================================================================== --- generic/tlsBIO.c +++ generic/tlsBIO.c @@ -1,276 +1,504 @@ /* - * Copyright (C) 1997-2000 Matt Newman - * - * Provides BIO layer to interface OpenSSL to TCL. - */ - -#include "tlsInt.h" - -/* Called by SSL_write() */ -static int BioWrite(BIO *bio, const char *buf, int bufLen) { - Tcl_Channel chan; - Tcl_Size ret; - int tclEofChan, tclErrno; - - chan = Tls_GetParent((State *) BIO_get_data(bio), 0); - - dprintf("[chan=%p] BioWrite(%p, , %d)", (void *)chan, (void *) bio, bufLen); - - ret = Tcl_WriteRaw(chan, buf, (Tcl_Size) bufLen); - - tclEofChan = Tcl_Eof(chan); - tclErrno = Tcl_GetErrno(); - - dprintf("[chan=%p] BioWrite(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]", - (void *) chan, bufLen, ret, tclEofChan, tclErrno); - - BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY); - - if (tclEofChan && ret <= 0) { - dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); - Tcl_SetErrno(ECONNRESET); - ret = 0; - - } else if (ret == 0) { - dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0"); - dprintf("Setting retry read flag"); - BIO_set_retry_read(bio); - - } else if (ret < 0) { - dprintf("We got some kind of I/O error"); - - if (tclErrno == EAGAIN) { - dprintf("It's EAGAIN"); - } else { - dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); - } - - } else { - dprintf("Successfully wrote %" TCL_SIZE_MODIFIER "d bytes of data", ret); - } - - if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) { - if (BIO_should_read(bio)) { - dprintf("Setting should retry read flag"); - - BIO_set_retry_read(bio); - } - } - return (int) ret; -} - -/* Called by SSL_read()*/ -static int BioRead(BIO *bio, char *buf, int bufLen) { - Tcl_Channel chan; - Tcl_Size ret = 0; - int tclEofChan, tclErrno; - - chan = Tls_GetParent((State *) BIO_get_data(bio), 0); - - dprintf("[chan=%p] BioRead(%p, , %d)", (void *) chan, (void *) bio, bufLen); - - if (buf == NULL) { + * Provides Custom BIO layer to interface OpenSSL with TCL. These functions + * directly interface between the TCL IO channel and BIO buffers. + * + * Copyright (C) 1997-2000 Matt Newman + * Copyright (C) 2024 Brian O'Hagan + * + */ + +/* + tlsBIO.c tlsIO.c + +------+ +-----+ +------+ + | |Tcl_WriteRaw <-- BioWrite| SSL |BIO_write <-- TlsOutputProc <-- Write| | + |socket| | BIO | | App | + | |Tcl_ReadRaw --> BioRead| |BIO_Read --> TlsInputProc --> Read| | + +------+ +-----+ +------+ +*/ + +#include "tlsInt.h" +#include + +/* Define BIO methods structure */ +static BIO_METHOD *BioMethods = NULL; + + + +/* + *----------------------------------------------------------------------------- + * + * BIOShouldRetry -- + * + * Determine if should retry operation based on error code. Same + * conditions as BIO_sock_should_retry function. + * + * Results: + * 1 = retry, 0 = no retry + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- + */ + +static int BIOShouldRetry(int code) { + int res = 0; + dprintf("BIOShouldRetry %d=%s", code, Tcl_ErrnoMsg(code)); + + if (code == EAGAIN || code == EWOULDBLOCK || code == ENOTCONN || code == EPROTO || +#ifdef _WIN32 + code == WSAEWOULDBLOCK || +#endif + code == EINTR || code == EINPROGRESS || code == EALREADY) { + res = 1; + } + + dprintf("BIOShouldRetry %d=%s, res=%d", code, Tcl_ErrnoMsg(code), res); + + return res; +} + +/* + *----------------------------------------------------------------------------- + * + * BioWrite -- + * + * This function is used to read encrypted data from the BIO and write it + * into the socket. This function will be called in response to the + * application calling the BIO_write_ex() or BIO_write() functions. + * + * Results: + * Returns the number of bytes written to channel, 0 for EOF, or -1 for + * error. + * + * Side effects: + * Writes BIO data to channel. + * + *----------------------------------------------------------------------------- + */ + +static int BioWrite(BIO *bio, const char *buf, int bufLen) { + Tcl_Size ret; + int is_eof, tclErrno; + State *statePtr = (State *) BIO_get_data(bio); + Tcl_Channel chan = Tls_GetParent(statePtr, 0); + + dprintf("[chan=%p] BioWrite(bio=%p, buf=%p, len=%d)", (void *)chan, (void *) bio, buf, bufLen); + + BIO_clear_retry_flags(bio); + Tcl_SetErrno(0); + + /* Write data to underlying channel */ + ret = Tcl_WriteRaw(chan, buf, (Tcl_Size) bufLen); + is_eof = Tcl_Eof(chan); + tclErrno = Tcl_GetErrno(); + + dprintf("[chan=%p] BioWrite(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d: %s]", + (void *) chan, bufLen, ret, is_eof, tclErrno, Tcl_ErrnoMsg(tclErrno)); + + if (ret > 0) { + dprintf("Successfully wrote %" TCL_SIZE_MODIFIER "d bytes of data", ret); + + } else if (ret == 0) { + if (is_eof) { + dprintf("Got EOF while writing, returning a Connection Reset error which maps to Soft EOF"); + Tcl_SetErrno(ECONNRESET); + BIO_set_flags(bio, BIO_FLAGS_IN_EOF); + + } else { + dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0"); + BIO_set_retry_write(bio); + + dprintf("Setting retry read flag"); + BIO_set_retry_read(bio); + } + + } else { + dprintf("We got some kind of I/O error"); + + if (BIOShouldRetry(tclErrno)) { + dprintf("Try again for: %i=%s", tclErrno, Tcl_ErrnoMsg(tclErrno)); + BIO_set_retry_write(bio); + + } else { + dprintf("Unexpected error: %i=%s", tclErrno, Tcl_ErrnoMsg(tclErrno)); + } + } + + dprintf("BioWrite returning %" TCL_SIZE_MODIFIER "d", ret); + return (int) ret; +} + +/* + *----------------------------------------------------------------------------- + * + * BioRead -- + * + * This function is used to read encrypted data from the socket and + * write it into the BIO. This function will be called in response to the + * application calling the BIO_read_ex() or BIO_read() functions. + * + * Results: + * Returns the number of bytes read from channel, 0 for EOF, or -1 for + * error. + * + * Side effects: + * Reads channel data into BIO. + * + * Data is received in whole blocks known as records from the peer. A whole + * record is processed (e.g. decrypted) in one go and is buffered by OpenSSL + * until it is read by the application via a call to SSL_read. SSL_pending() + * returns the number of bytes which have been processed, buffered, and are + * available inside ssl for immediate read. SSL_has_pending() returns 1 if + * data is buffered (whether processed or unprocessed) and 0 otherwise. + * + *----------------------------------------------------------------------------- + */ + +static int BioRead(BIO *bio, char *buf, int bufLen) { + Tcl_Size ret = 0; + int is_eof, tclErrno, is_blocked; + State *statePtr = (State *) BIO_get_data(bio); + Tcl_Channel chan = Tls_GetParent(statePtr, 0); + + dprintf("[chan=%p] BioRead(bio=%p, buf=%p, len=%d)", (void *) chan, (void *) bio, buf, bufLen); + + if (buf == NULL || bufLen <= 0) { return 0; } - ret = Tcl_ReadRaw(chan, buf, (Tcl_Size) bufLen); - - tclEofChan = Tcl_Eof(chan); - tclErrno = Tcl_GetErrno(); - - dprintf("[chan=%p] BioRead(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]", - (void *) chan, bufLen, ret, tclEofChan, tclErrno); - - BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); - - if (tclEofChan && ret <= 0) { - dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); - Tcl_SetErrno(ECONNRESET); - ret = 0; - - } else if (ret == 0) { - dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0"); - dprintf("Setting retry read flag"); - BIO_set_retry_read(bio); - - } else if (ret < 0) { - dprintf("We got some kind of I/O error"); - - if (tclErrno == EAGAIN) { - dprintf("It's EAGAIN"); - } else { - dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); - } - - } else { - dprintf("Successfully read %" TCL_SIZE_MODIFIER "d bytes of data", ret); - } - - if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) { - if (BIO_should_write(bio)) { - dprintf("Setting should retry write flag"); - - BIO_set_retry_write(bio); - } - } - - dprintf("BioRead(%p, , %d) [%p] returning %" TCL_SIZE_MODIFIER "d", (void *) bio, - bufLen, (void *) chan, ret); - - return (int) ret; -} - -static int BioPuts(BIO *bio, const char *str) { - dprintf("BioPuts(%p, ) called", bio, str); + BIO_clear_retry_flags(bio); + Tcl_SetErrno(0); + + /* Read data from underlying channel */ + ret = Tcl_ReadRaw(chan, buf, (Tcl_Size) bufLen); + + is_eof = Tcl_Eof(chan); + tclErrno = Tcl_GetErrno(); + is_blocked = Tcl_InputBlocked(chan); + + dprintf("[chan=%p] BioRead(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; blocked=%d; tclErrno=%d: %s]", + (void *) chan, bufLen, ret, is_eof, is_blocked, tclErrno, Tcl_ErrnoMsg(tclErrno)); + + if (ret > 0) { + dprintf("Successfully read %" TCL_SIZE_MODIFIER "d bytes of data", ret); + + } else if (ret == 0) { + if (is_eof) { + dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); + Tcl_SetErrno(ECONNRESET); + BIO_set_flags(bio, BIO_FLAGS_IN_EOF); + + } else if (is_blocked) { + dprintf("Got input blocked from Tcl_ReadRaw. Setting retry read flag"); + BIO_set_retry_read(bio); + } + + } else { + dprintf("We got some kind of I/O error"); + + if (BIOShouldRetry(tclErrno)) { + dprintf("Try again for: %i=%s", tclErrno, Tcl_ErrnoMsg(tclErrno)); + BIO_set_retry_read(bio); + + } else { + dprintf("Unexpected error: %i=%s", tclErrno, Tcl_ErrnoMsg(tclErrno)); + } + } + + dprintf("BioRead returning %" TCL_SIZE_MODIFIER "d", ret); + return (int) ret; +} + +/* + *----------------------------------------------------------------------------- + * + * BioPuts -- + * + * This function is used to read a NULL terminated string from the BIO and + * write it to the channel. This function will be called in response to + * the application calling the BIO_puts() function. + * + * Results: + * Returns the number of bytes written to channel or 0 for error. + * + * Side effects: + * Writes data to channel. + * + *----------------------------------------------------------------------------- + */ + +static int BioPuts(BIO *bio, const char *str) { + dprintf("BioPuts(%p) \"%s\"", bio, str); return BioWrite(bio, str, (int) strlen(str)); } +/* + *----------------------------------------------------------------------------- + * + * BioCtrl -- + * + * This function is used to process control messages in the BIO. This + * function will be called in response to the application calling the + * BIO_ctrl() function. + * + * Results: + * Function dependent + * + * Side effects: + * Function dependent + * + *----------------------------------------------------------------------------- + */ + static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) { - Tcl_Channel chan; long ret = 1; - - chan = Tls_GetParent((State *) BIO_get_data(bio), 0); + State *statePtr = (State *) BIO_get_data(bio); + Tcl_Channel chan = Tls_GetParent(statePtr, 0); dprintf("BioCtrl(%p, 0x%x, 0x%lx, %p)", (void *) bio, cmd, num, ptr); switch (cmd) { case BIO_CTRL_RESET: + /* opt - Resets BIO to initial state. Implements BIO_reset. */ dprintf("Got BIO_CTRL_RESET"); + /* Return 1 for success (0 for file BIOs) and -1 for failure */ ret = 0; break; - case BIO_C_FILE_SEEK: - dprintf("Got BIO_C_FILE_SEEK"); - ret = 0; - break; - case BIO_C_FILE_TELL: - dprintf("Got BIO_C_FILE_TELL"); - ret = 0; + case BIO_CTRL_EOF: + /* opt - Returns whether EOF has been reached. Implements BIO_eof. */ + dprintf("Got BIO_CTRL_EOF"); + /* Returns 1 if EOF has been reached, 0 if not, or <0 for failure */ + ret = ((chan) ? (Tcl_Eof(chan) || BIO_test_flags(bio, BIO_FLAGS_IN_EOF)) : 1); break; case BIO_CTRL_INFO: + /* opt - extra info on BIO. Implements BIO_get_mem_data */ dprintf("Got BIO_CTRL_INFO"); - ret = 1; - break; - case BIO_C_SET_FD: - dprintf("Unsupported call: BIO_C_SET_FD"); - ret = -1; - break; - case BIO_C_GET_FD: - dprintf("Unsupported call: BIO_C_GET_FD"); - ret = -1; - break; - case BIO_CTRL_GET_CLOSE: - dprintf("Got BIO_CTRL_CLOSE"); - ret = BIO_get_shutdown(bio); - break; - case BIO_CTRL_SET_CLOSE: - dprintf("Got BIO_SET_CLOSE"); - BIO_set_shutdown(bio, num); - break; - case BIO_CTRL_EOF: - dprintf("Got BIO_CTRL_EOF"); - ret = ((chan) ? Tcl_Eof(chan) : 1); - break; - case BIO_CTRL_PENDING: - dprintf("Got BIO_CTRL_PENDING"); - ret = ((chan) ? ((Tcl_InputBuffered(chan) ? 1 : 0)) : 0); - dprintf("BIO_CTRL_PENDING(%d)", (int) ret); - break; - case BIO_CTRL_WPENDING: - dprintf("Got BIO_CTRL_WPENDING"); + ret = 0; + break; + case BIO_CTRL_SET: + /* man - set the 'IO' parameter */ + dprintf("Got BIO_CTRL_SET"); ret = 0; break; - case BIO_CTRL_DUP: - dprintf("Got BIO_CTRL_DUP"); - break; - case BIO_CTRL_FLUSH: - dprintf("Got BIO_CTRL_FLUSH"); - ret = ((chan) && (Tcl_WriteRaw(chan, "", 0) >= 0) ? 1 : -1); - dprintf("BIO_CTRL_FLUSH returning value %li", ret); + case BIO_CTRL_GET: + /* man - get the 'IO' parameter */ + dprintf("Got BIO_CTRL_GET "); + ret = 0; break; case BIO_CTRL_PUSH: + /* opt - internal, used to signify change. Implements BIO_push */ dprintf("Got BIO_CTRL_PUSH"); ret = 0; break; case BIO_CTRL_POP: + /* opt - internal, used to signify change. Implements BIO_pop */ dprintf("Got BIO_CTRL_POP"); ret = 0; break; - case BIO_CTRL_SET: - dprintf("Got BIO_CTRL_SET"); + case BIO_CTRL_GET_CLOSE: + /* man - Get the close on BIO_free() flag set by BIO_CTRL_SET_CLOSE. Implements BIO_get_close */ + dprintf("Got BIO_CTRL_CLOSE"); + /* Returns BIO_CLOSE, BIO_NOCLOSE, or <0 for failure */ + ret = BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: + /* man - Set the close on BIO_free() flag. Implements BIO_set_close */ + dprintf("Got BIO_SET_CLOSE"); + BIO_set_shutdown(bio, num); + /* Returns 1 on success or <=0 for failure */ + ret = 1; + break; + case BIO_CTRL_PENDING: + /* opt - Return number of bytes in BIO waiting to be read. Implements BIO_pending. */ + dprintf("Got BIO_CTRL_PENDING"); + /* Return the amount of pending data or 0 for error */ + ret = ((chan) ? Tcl_InputBuffered(chan) : 0); + break; + case BIO_CTRL_FLUSH: + /* opt - Flush any buffered output. Implements BIO_flush. */ + dprintf("Got BIO_CTRL_FLUSH"); + /* Use Tcl_WriteRaw instead of Tcl_Flush to operate on right chan in stack */ + /* Returns 1 for success, <=0 for error/retry. */ + ret = ((chan) && (Tcl_WriteRaw(chan, "", 0) >= 0) ? 1 : -1); + /*ret = BioWrite(bio, NULL, 0);*/ + break; + case BIO_CTRL_DUP: + /* man - extra stuff for 'duped' BIO. Implements BIO_dup_state */ + dprintf("Got BIO_CTRL_DUP"); + ret = 1; + break; + case BIO_CTRL_WPENDING: + /* opt - Return number of bytes in BIO still to be written. Implements BIO_wpending. */ + dprintf("Got BIO_CTRL_WPENDING"); + /* Return the amount of pending data or 0 for error */ + ret = ((chan) ? Tcl_OutputBuffered(chan) : 0); + break; + case BIO_CTRL_SET_CALLBACK: + /* opt - Sets an informational callback. Implements BIO_set_info_callback */ ret = 0; break; - case BIO_CTRL_GET : - dprintf("Got BIO_CTRL_GET "); + case BIO_CTRL_GET_CALLBACK: + /* opt - Get and return the info callback. Implements BIO_get_info_callback */ ret = 0; break; -#ifdef BIO_CTRL_GET_KTLS_SEND + + case BIO_C_FILE_SEEK: + /* Not used for sockets. Tcl_Seek only works on top chan. Implements BIO_seek() */ + dprintf("Got BIO_C_FILE_SEEK"); + ret = 0; /* Return 0 success and -1 for failure */ + break; + case BIO_C_FILE_TELL: + /* Not used for sockets. Tcl_Tell only works on top chan. Implements BIO_tell() */ + dprintf("Got BIO_C_FILE_TELL"); + ret = 0; /* Return 0 success and -1 for failure */ + break; + case BIO_C_SET_FD: + /* Implements BIO_set_fd */ + dprintf("Unsupported call: BIO_C_SET_FD"); + ret = -1; + break; + case BIO_C_GET_FD: + /* Implements BIO_get_fd() */ + dprintf("Unsupported call: BIO_C_GET_FD"); + ret = -1; + break; + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && defined(BIO_CTRL_GET_KTLS_SEND) case BIO_CTRL_GET_KTLS_SEND: + /* Implements BIO_get_ktls_send */ dprintf("Got BIO_CTRL_GET_KTLS_SEND"); + /* Returns 1 if the BIO is using the Kernel TLS data-path for sending, 0 if not */ ret = 0; break; #endif -#ifdef BIO_CTRL_GET_KTLS_RECV +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && defined(BIO_CTRL_GET_KTLS_RECV) case BIO_CTRL_GET_KTLS_RECV: + /* Implements BIO_get_ktls_recv */ dprintf("Got BIO_CTRL_GET_KTLS_RECV"); + /* Returns 1 if the BIO is using the Kernel TLS data-path for receiving, 0 if not */ ret = 0; break; #endif default: dprintf("Got unknown control command (%i)", cmd); ret = 0; break; } + dprintf("BioCtrl return value %li", ret); return ret; } +/* + *----------------------------------------------------------------------------- + * + * BioNew -- + * + * This function is used to create a new instance of the BIO. This + * function will be called in response to the application calling the + * BIO_new() function. + * + * Results: + * Returns boolean success result (1=success, 0=failure) + * + * Side effects: + * Initializes BIO structure. + * + *----------------------------------------------------------------------------- + */ + static int BioNew(BIO *bio) { dprintf("BioNew(%p) called", bio); - BIO_set_init(bio, 0); + if (bio == NULL) { + return 0; + } + BIO_set_data(bio, NULL); + BIO_set_init(bio, 0); BIO_clear_flags(bio, -1); return 1; } +/* + *----------------------------------------------------------------------------- + * + * BioFree -- + * + * This function is used to destroy an instance of a BIO. This function + * will be called in response to the application calling the BIO_free() + * function. + * + * Results: + * Returns boolean success result + * + * Side effects: + * Initializes BIO structure. + * + *----------------------------------------------------------------------------- + */ + static int BioFree(BIO *bio) { + dprintf("BioFree(%p) called", bio); + if (bio == NULL) { return 0; } - dprintf("BioFree(%p) called", bio); - + /* Clear flags if set to BIO_CLOSE (close I/O stream when the BIO is freed) */ if (BIO_get_shutdown(bio)) { - if (BIO_get_init(bio)) { - /*shutdown(bio->num, 2) */ - /*closesocket(bio->num) */ - } - + BIO_set_data(bio, NULL); BIO_set_init(bio, 0); BIO_clear_flags(bio, -1); } return 1; } +/* + *----------------------------------------------------------------------------- + * + * BIO_new_tcl -- + * + * This function is used to initialize the BIO method handlers. + * + * Results: + * Returns pointer to BIO or NULL for failure + * + * Side effects: + * Initializes BIO Methods. + * + *----------------------------------------------------------------------------- + */ + BIO *BIO_new_tcl(State *statePtr, int flags) { BIO *bio; - static BIO_METHOD *BioMethods = NULL; #ifdef TCLTLS_SSL_USE_FASTPATH Tcl_Channel parentChannel; const Tcl_ChannelType *parentChannelType; - void *parentChannelFdIn_p, *parentChannelFdOut_p; + int parentChannelFdIn, parentChannelFdOut, parentChannelFd; int validParentChannelFd; - int tclGetChannelHandleRet; #endif dprintf("BIO_new_tcl() called"); + /* Create custom BIO method */ if (BioMethods == NULL) { - BioMethods = BIO_meth_new(BIO_TYPE_TCL, "tcl"); + /* BIO_TYPE_BIO = (19|BIO_TYPE_SOURCE_SINK) -- half a BIO pair */ + /* BIO_TYPE_CONNECT = (12|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) */ + /* BIO_TYPE_ACCEPT = (13|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) */ + BioMethods = BIO_meth_new(BIO_TYPE_BIO, "tcl"); + if (BioMethods == NULL) { + dprintf("Memory allocation error"); + + return NULL; + } + /* Not used BIO_meth_set_write_ex */ BIO_meth_set_write(BioMethods, BioWrite); + /* Not used BIO_meth_set_read_ex */ BIO_meth_set_read(BioMethods, BioRead); BIO_meth_set_puts(BioMethods, BioPuts); BIO_meth_set_ctrl(BioMethods, BioCtrl); BIO_meth_set_create(BioMethods, BioNew); BIO_meth_set_destroy(BioMethods, BioFree); @@ -290,13 +518,16 @@ parentChannel = Tls_GetParent(statePtr, 0); parentChannelType = Tcl_GetChannelType(parentChannel); validParentChannelFd = 0; if (strcmp(parentChannelType->typeName, "tcp") == 0) { - tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_READABLE, (ClientData) &parentChannelFdIn_p); + void *parentChannelFdIn_p, *parentChannelFdOut_p; + int tclGetChannelHandleRet; + + tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_READABLE, &parentChannelFdIn_p); if (tclGetChannelHandleRet == TCL_OK) { - tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_WRITABLE, (ClientData) &parentChannelFdOut_p); + tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_WRITABLE, &parentChannelFdOut_p); if (tclGetChannelHandleRet == TCL_OK) { parentChannelFdIn = PTR2INT(parentChannelFdIn_p); parentChannelFdOut = PTR2INT(parentChannelFdOut_p); if (parentChannelFdIn == parentChannelFdOut) { parentChannelFd = parentChannelFdIn; @@ -308,17 +539,47 @@ if (validParentChannelFd) { dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn); bio = BIO_new_socket(parentChannelFd, flags); statePtr->flags |= TLS_TCL_FASTPATH; + BIO_set_data(bio, statePtr); + BIO_set_shutdown(bio, flags); + BIO_set_init(bio, 1); return bio; } +#endif dprintf("Falling back to Tcl I/O for this channel"); -#endif bio = BIO_new(BioMethods); BIO_set_data(bio, statePtr); BIO_set_shutdown(bio, flags); - BIO_set_init(bio, 1); + BIO_set_init(bio, 1); /* Enable read & write */ return bio; } + +/* + *----------------------------------------------------------------------------- + * + * BIO_cleanup -- + * + * This function is used to destroy a BIO_METHOD structure and free up any + * memory associated with it. + * + * Results: + * Standard TCL result + * + * Side effects: + * Destroys BIO Methods. + * + *----------------------------------------------------------------------------- + */ + +int BIO_cleanup () { + dprintf("BIO_cleanup() called"); + + if (BioMethods != NULL) { + BIO_meth_free(BioMethods); + BioMethods = NULL; + } + return TCL_OK; +} Index: generic/tlsIO.c ================================================================== --- generic/tlsIO.c +++ generic/tlsIO.c @@ -1,47 +1,51 @@ /* + * Provides IO functions to interface between the BIO buffers and TCL + * applications when using stacked channels. + * * Copyright (C) 1997-2000 Matt Newman * Copyright (C) 2000 Ajuba Solutions + * Copyright (C) 2024 Brian O'Hagan * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built from scratch based upon observation of OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * Additional credit is due for Andreas Kupries (a.kupries@westend.com), for * providing the Tcl_ReplaceChannel mechanism and working closely with me * to enhance it to support full fileevent semantics. * * Also work done by the follow people provided the impetus to do this "right": - * tclSSL (Colin McCormack, Shared Technology) - * SSLtcl (Peter Antman) + * tclSSL (Colin McCormack, Shared Technology) + * SSLtcl (Peter Antman) * */ + +/* + tlsBIO.c tlsIO.c + +------+ +-----+ +------+ + | |Tcl_WriteRaw <-- BioWrite| SSL |BIO_write <-- TlsOutputProc <-- Write| | + |socket| | BIO | | App | + | |Tcl_ReadRaw --> BioRead| |BIO_Read --> TlsInputProc --> Read| | + +------+ +-----+ +------+ +*/ #include "tlsInt.h" #include /* - * Forward declarations - */ -static void TlsChannelHandlerTimer(ClientData clientData); - -/* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- * * TlsBlockModeProc -- * - * This procedure is invoked by the generic IO level - * to set blocking and nonblocking modes + * This procedure is invoked by the generic IO level to set channel to + * blocking or nonblocking mode. Called by the generic I/O layer whenever + * the Tcl_SetChannelOption() function is used with option -blocking. * * Results: - * 0 if successful or POSIX error code if failed. + * 0 if successful or POSIX error code if failed. * * Side effects: - * Sets the device into blocking or nonblocking mode. + * Sets the device into blocking or nonblocking mode. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static int TlsBlockModeProc(ClientData instanceData, int mode) { State *statePtr = (State *) instanceData; if (mode == TCL_MODE_NONBLOCKING) { @@ -51,38 +55,55 @@ } return 0; } /* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- * * TlsCloseProc -- * - * This procedure is invoked by the generic IO level to perform - * channel-type-specific cleanup when a SSL socket based channel - * is closed. - * - * Note: we leave the underlying socket alone, is this right? + * This procedure is invoked by the generic IO level to perform channel + * type specific cleanup when a SSL socket based channel is closed. + * Called by the generic I/O layer whenever the Tcl_Close() function is + * used. * * Results: - * 0 if successful or POSIX error code if failed. + * 0 if successful or POSIX error code if failed. * * Side effects: - * Closes the socket of the channel. + * Closes the socket of the channel. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static int TlsCloseProc(ClientData instanceData, Tcl_Interp *interp) { State *statePtr = (State *) instanceData; dprintf("TlsCloseProc(%p)", (void *) statePtr); - Tls_Clean(statePtr); + /* Send shutdown notification. Will return 0 while in process, then 1 when complete. */ + /* Closes the write direction of the connection; the read direction is closed by the peer. */ + /* Does not affect socket state. Don't call after fatal error. */ + if (statePtr->ssl != NULL && !(statePtr->flags & TLS_TCL_HANDSHAKE_FAILED)) { + BIO_flush(statePtr->bio); + SSL_shutdown(statePtr->ssl); + } + + /* Tls_Free calls Tls_Clean */ Tcl_EventuallyFree((ClientData)statePtr, Tls_Free); return 0; } +/* + *----------------------------------------------------------------------------- + * + * TlsClose2Proc -- + * + * Similar to TlsCloseProc, but allows for separate close read and write + * side of channel. + * + *----------------------------------------------------------------------------- + */ static int TlsClose2Proc(ClientData instanceData, /* The socket state. */ Tcl_Interp *interp, /* For errors - can be NULL. */ int flags) /* Flags to close read and/or write side of channel */ { State *statePtr = (State *) instanceData; @@ -94,34 +115,38 @@ } return EINVAL; } /* - *------------------------------------------------------* + *----------------------------------------------------------------------------- * * Tls_WaitForConnect -- * + * Perform connect (client) or accept (server) function. Also performs + * equivalent of handshake function. + * * Result: - * 0 if successful, -1 if failed. + * 1 if successful, 0 if wait for connect, and -1 if failed. * * Side effects: - * Issues SSL_accept or SSL_connect + * Issues SSL_accept or SSL_connect * - *------------------------------------------------------* + *----------------------------------------------------------------------------- */ int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent) { unsigned long backingError; - int err, rc; + int err, rc = 0; int bioShouldRetry; *errorCodePtr = 0; dprintf("WaitForConnect(%p)", (void *) statePtr); dprintFlags(statePtr); + /* Can also check SSL_is_init_finished(ssl) */ if (!(statePtr->flags & TLS_TCL_INIT)) { dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success"); - return 0; + return 1; } if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { /* * Different types of operations have different requirements @@ -132,27 +157,28 @@ *errorCodePtr = ECONNABORTED; } else { dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error"); *errorCodePtr = ECONNRESET; } - Tls_Error(statePtr, "Wait for failed handshake"); return -1; } for (;;) { ERR_clear_error(); + BIO_clear_retry_flags(statePtr->bio); - /* Not initialized yet! Also calls SSL_do_handshake. */ + /* Not initialized yet! Also calls SSL_do_handshake(). */ if (statePtr->flags & TLS_TCL_SERVER) { dprintf("Calling SSL_accept()"); err = SSL_accept(statePtr->ssl); } else { dprintf("Calling SSL_connect()"); err = SSL_connect(statePtr->ssl); } + /* 1=successful, 0=not successful and shut down, <0=fatal error */ if (err > 0) { dprintf("Accept or connect was successful"); err = BIO_flush(statePtr->bio); if (err <= 0) { @@ -160,40 +186,45 @@ } } else { dprintf("Accept or connect failed"); } + /* Same as SSL_want, but also checks the error queue */ rc = SSL_get_error(statePtr->ssl, err); backingError = ERR_get_error(); if (rc != SSL_ERROR_NONE) { dprintf("Got error: %i (rc = %i)", err, rc); dprintf("Got error: %s", ERR_reason_error_string(backingError)); } - bioShouldRetry = 0; + /* The retry flag is set by the BIO_set_retry_* functions */ + bioShouldRetry = BIO_should_retry(statePtr->bio); + dprintf("bioShouldRetry = %d", bioShouldRetry); + if (err <= 0) { - if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) { + if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT) { + bioShouldRetry = 1; + } else if (rc == SSL_ERROR_WANT_READ) { + bioShouldRetry = 1; + statePtr->want |= TCL_READABLE; + } else if (rc == SSL_ERROR_WANT_WRITE) { bioShouldRetry = 1; + statePtr->want |= TCL_WRITABLE; } else if (BIO_should_retry(statePtr->bio)) { bioShouldRetry = 1; } else if (rc == SSL_ERROR_SYSCALL && Tcl_GetErrno() == EAGAIN) { bioShouldRetry = 1; } - } else { - if (!SSL_is_init_finished(statePtr->ssl)) { - bioShouldRetry = 1; - } } if (bioShouldRetry) { dprintf("The I/O did not complete -- but we should try it again"); if (statePtr->flags & TLS_TCL_ASYNC) { dprintf("Returning EAGAIN so that it can be retried later"); *errorCodePtr = EAGAIN; - Tls_Error(statePtr, "Handshake not complete, will retry later"); - return -1; + return 0; } else { dprintf("Doing so now"); continue; } } @@ -202,20 +233,27 @@ break; } switch (rc) { case SSL_ERROR_NONE: - /* The TLS/SSL I/O operation completed */ + /* The TLS/SSL I/O operation completed successfully */ dprintf("The connection is good"); *errorCodePtr = 0; break; - case SSL_ERROR_ZERO_RETURN: - /* The TLS/SSL peer has closed the connection for writing by sending the close_notify alert */ - dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value..."); - *errorCodePtr = EINVAL; - Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); + case SSL_ERROR_SSL: + /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ + /* This includes certificate validation errors */ + dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately"); + if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { + Tls_Error(statePtr, X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); + } + if (backingError != 0) { + Tls_Error(statePtr, ERR_reason_error_string(backingError)); + } + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; + *errorCodePtr = ECONNABORTED; return -1; case SSL_ERROR_SYSCALL: /* Some non-recoverable, fatal I/O error occurred */ dprintf("SSL_ERROR_SYSCALL"); @@ -229,110 +267,160 @@ dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); if (*errorCodePtr == ECONNRESET) { *errorCodePtr = ECONNABORTED; } - Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr)); + Tls_Error(statePtr, Tcl_ErrnoMsg(*errorCodePtr)); } else { dprintf("I/O error occurred (backingError = %lu)", backingError); *errorCodePtr = Tcl_GetErrno(); if (*errorCodePtr == ECONNRESET) { *errorCodePtr = ECONNABORTED; } - Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); - } - - statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; - return -1; - - case SSL_ERROR_SSL: - /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ - dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately"); - if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { - Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); - } - if (backingError != 0) { - Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); - } - statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; - *errorCodePtr = ECONNABORTED; - return -1; - - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - case SSL_ERROR_WANT_X509_LOOKUP: - case SSL_ERROR_WANT_CONNECT: - case SSL_ERROR_WANT_ACCEPT: - case SSL_ERROR_WANT_ASYNC: - case SSL_ERROR_WANT_ASYNC_JOB: - case SSL_ERROR_WANT_CLIENT_HELLO_CB: - default: - /* The operation did not complete and should be retried later. */ - dprintf("Operation did not complete, call function again later: %i", rc); - *errorCodePtr = EAGAIN; - dprintf("ERR(%d, %d) ", rc, *errorCodePtr); - Tls_Error(statePtr, "Operation did not complete, call function again later"); - return -1; - } - - dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake"); - statePtr->flags &= ~TLS_TCL_INIT; - - dprintf("Returning in success"); - *errorCodePtr = 0; - return 0; -} - -/* - *------------------------------------------------------------------- - * - * TlsInputProc -- - * - * This procedure is invoked by the generic IO level - * to read input from a SSL socket based channel. - * - * Results: - * Returns the number of bytes read or -1 on error. Sets errorCodePtr - * to a POSIX error code if an error occurred, or 0 if none. - * - * Side effects: - * Reads input from the input device of the channel. - * - *------------------------------------------------------------------- - */ -static int TlsInputProc(ClientData instanceData, char *buf, int bufSize, int *errorCodePtr) { - unsigned long backingError; - State *statePtr = (State *) instanceData; - int bytesRead; - int tlsConnect; - int err; - - *errorCodePtr = 0; - - dprintf("BIO_read(%d)", bufSize); - - if (statePtr->flags & TLS_TCL_CALLBACK) { - /* don't process any bytes while verify callback is running */ - dprintf("Callback is running, reading 0 bytes"); - return 0; - } - - dprintf("Calling Tls_WaitForConnect"); - tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0); - if (tlsConnect < 0) { - dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); - Tls_Error(statePtr, strerror(*errorCodePtr)); - - bytesRead = -1; - if (*errorCodePtr == ECONNRESET) { - dprintf("Got connection reset"); - /* Soft EOF */ - *errorCodePtr = 0; - bytesRead = 0; - } - return bytesRead; + Tls_Error(statePtr, ERR_reason_error_string(backingError)); + } + + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; + return -1; + + case SSL_ERROR_ZERO_RETURN: + /* Peer has closed the connection by sending the close_notify alert. Can't read, but can write. */ + /* Need to return an EOF, so channel is closed which will send an SSL_shutdown(). */ + dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value..."); + *errorCodePtr = ECONNRESET; + Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); + return -1; + + case SSL_ERROR_WANT_READ: + /* More data must be read from the underlying BIO layer in order to complete the actual SSL_*() operation. */ + dprintf("SSL_ERROR_WANT_READ"); + BIO_set_retry_read(statePtr->bio); + *errorCodePtr = EAGAIN; + dprintf("ERR(SSL_ERROR_ZERO_RETURN, EAGAIN) "); + statePtr->want |= TCL_READABLE; + return 0; + + case SSL_ERROR_WANT_WRITE: + /* There is data in the SSL buffer that must be written to the underlying BIO in order to complete the SSL_*() operation. */ + dprintf("SSL_ERROR_WANT_WRITE"); + BIO_set_retry_write(statePtr->bio); + *errorCodePtr = EAGAIN; + dprintf("ERR(SSL_ERROR_WANT_WRITE, EAGAIN) "); + statePtr->want |= TCL_WRITABLE; + return 0; + + case SSL_ERROR_WANT_CONNECT: + /* Connect would have blocked. */ + dprintf("SSL_ERROR_WANT_CONNECT"); + BIO_set_retry_special(statePtr->bio); + BIO_set_retry_reason(statePtr->bio, BIO_RR_CONNECT); + *errorCodePtr = EAGAIN; + dprintf("ERR(SSL_ERROR_WANT_CONNECT, EAGAIN) "); + return 0; + + case SSL_ERROR_WANT_ACCEPT: + /* Accept would have blocked */ + dprintf("SSL_ERROR_WANT_ACCEPT"); + BIO_set_retry_special(statePtr->bio); + BIO_set_retry_reason(statePtr->bio, BIO_RR_ACCEPT); + *errorCodePtr = EAGAIN; + dprintf("ERR(SSL_ERROR_WANT_ACCEPT, EAGAIN) "); + return 0; + + case SSL_ERROR_WANT_X509_LOOKUP: + /* App callback set by SSL_CTX_set_client_cert_cb has asked to be called again */ + /* The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again. */ + dprintf("SSL_ERROR_WANT_X509_LOOKUP"); + BIO_set_retry_special(statePtr->bio); + BIO_set_retry_reason(statePtr->bio, BIO_RR_SSL_X509_LOOKUP); + *errorCodePtr = EAGAIN; + dprintf("ERR(SSL_ERROR_WANT_X509_LOOKUP, EAGAIN) "); + return 0; + + case SSL_ERROR_WANT_ASYNC: + /* Used with flag SSL_MODE_ASYNC, op didn't complete because an async engine is still processing data */ + case SSL_ERROR_WANT_ASYNC_JOB: + /* The asynchronous job could not be started because there were no async jobs available in the pool. */ + case SSL_ERROR_WANT_CLIENT_HELLO_CB: + /* The operation did not complete because an application callback set by SSL_CTX_set_client_hello_cb() has asked to be called again. */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + case SSL_ERROR_WANT_RETRY_VERIFY: + /* The operation did not complete because a certificate verification callback has asked to be called again via SSL_set_retry_verify(3). */ +#endif + default: + /* The operation did not complete and should be retried later. */ + dprintf("Operation did not complete, call function again later"); + *errorCodePtr = EAGAIN; + dprintf("ERR(Other, EAGAIN) "); + return 0; + } + + dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake"); + statePtr->flags &= ~TLS_TCL_INIT; + + dprintf("Returning success"); + *errorCodePtr = 0; + return 1; +} + +/* + *----------------------------------------------------------------------------- + * + * TlsInputProc -- + * + * This procedure is invoked by the generic I/O layer to read data from + * the BIO whenever the Tcl_Read(), Tcl_ReadChars, Tcl_Gets, and + * Tcl_GetsObj functions are used. Equivalent to SSL_read_ex and SSL_read. + * + * Results: + * Returns the number of bytes read or -1 on error. Sets errorCodePtr to + * a POSIX error code if an error occurred, or 0 if none. + * + * Side effects: + * Reads input from the input device of the channel. + * + * Data is received in whole blocks known as records from the peer. A whole + * record is processed (e.g. decrypted) in one go and is buffered by OpenSSL + * until it is read by the application via a call to SSL_read. + * + *----------------------------------------------------------------------------- + */ +static int TlsInputProc(ClientData instanceData, char *buf, int bufSize, int *errorCodePtr) { + unsigned long backingError; + State *statePtr = (State *) instanceData; + int bytesRead, err; + *errorCodePtr = 0; + + dprintf("Read(%d)", bufSize); + + /* Skip if user verify callback is still running */ + if (statePtr->flags & TLS_TCL_CALLBACK) { + dprintf("Callback is running, reading 0 bytes"); + return 0; + } + + /* If not initialized, do connect */ + /* Can also check SSL_is_init_finished(ssl) */ + if (statePtr->flags & TLS_TCL_INIT) { + int tlsConnect; + + dprintf("Calling Tls_WaitForConnect"); + + tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0); + if (tlsConnect < 0) { + dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); + + bytesRead = -1; + if (*errorCodePtr == ECONNRESET) { + dprintf("Got connection reset"); + /* Soft EOF */ + *errorCodePtr = 0; + bytesRead = 0; + } + return bytesRead; + } } /* * We need to clear the SSL error stack now because we sometimes reach * this function with leftover errors in the stack. If BIO_read @@ -343,37 +431,59 @@ * BIO_read specially (as advised in the RSA docs). TLS's lower level BIO * functions play with the retry flags though, and this seems to work * correctly. Similar fix in TlsOutputProc. - hobbs */ ERR_clear_error(); + BIO_clear_retry_flags(statePtr->bio); bytesRead = BIO_read(statePtr->bio, buf, bufSize); dprintf("BIO_read -> %d", bytesRead); + /* Same as SSL_want, but also checks the error queue */ err = SSL_get_error(statePtr->ssl, bytesRead); backingError = ERR_get_error(); -#if 0 if (bytesRead <= 0) { + /* The retry flag is set by the BIO_set_retry_* functions */ if (BIO_should_retry(statePtr->bio)) { - dprintf("I/O failed, will retry based on EAGAIN"); - *errorCodePtr = EAGAIN; + dprintf("Read failed with code=%d, bytes read=%d: should retry", err, bytesRead); + /* Some docs imply we should redo the BIO_read now */ + } else { + dprintf("Read failed with code=%d, bytes read=%d: error condition", err, bytesRead); + } + + dprintf("BIO is EOF %d", BIO_eof(statePtr->bio)); + + /* These are the same as BIO_retry_type */ + if (BIO_should_read(statePtr->bio)) { + dprintf("BIO has insufficient data to read and return"); + statePtr->want |= TCL_READABLE; + } + if (BIO_should_write(statePtr->bio)) { + dprintf("BIO has pending data to write"); + statePtr->want |= TCL_WRITABLE; + } + if (BIO_should_io_special(statePtr->bio)) { + int reason = BIO_get_retry_reason(statePtr->bio); + dprintf("BIO has some special condition other than read or write: code=%d", reason); } + dprintf("BIO has pending data to write"); } -#endif switch (err) { case SSL_ERROR_NONE: + /* I/O operation completed */ + dprintf("SSL_ERROR_NONE"); dprintBuffer(buf, bytesRead); break; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ dprintf("SSL error, indicating that the connection has been aborted"); if (backingError != 0) { - Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); + Tls_Error(statePtr, ERR_reason_error_string(backingError)); } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { - Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); + Tls_Error(statePtr, X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); } else { Tls_Error(statePtr, "Unknown SSL error"); } *errorCodePtr = ECONNABORTED; bytesRead = -1; @@ -383,16 +493,42 @@ if (ERR_GET_REASON(backingError) == SSL_R_UNEXPECTED_EOF_WHILE_READING) { dprintf("(Unexpected) EOF reached") *errorCodePtr = 0; bytesRead = 0; Tls_Error(statePtr, "EOF reached"); - } + } #endif break; + + case SSL_ERROR_WANT_READ: + /* Op did not complete due to not enough data was available. Retry later. */ + dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN"); + *errorCodePtr = EAGAIN; + bytesRead = -1; + statePtr->want |= TCL_READABLE; + BIO_set_retry_read(statePtr->bio); + break; + + case SSL_ERROR_WANT_WRITE: + /* Op did not complete due to unable to send all data to the BIO. Retry later. */ + dprintf("Got SSL_ERROR_WANT_WRITE, mapping this to EAGAIN"); + *errorCodePtr = EAGAIN; + bytesRead = -1; + statePtr->want |= TCL_WRITABLE; + BIO_set_retry_write(statePtr->bio); + break; + + case SSL_ERROR_WANT_X509_LOOKUP: + /* Op didn't complete since callback set by SSL_CTX_set_client_cert_cb() asked to be called again */ + dprintf("Got SSL_ERROR_WANT_X509_LOOKUP, mapping it to EAGAIN"); + *errorCodePtr = EAGAIN; + bytesRead = -1; + break; case SSL_ERROR_SYSCALL: /* Some non-recoverable, fatal I/O error occurred */ + dprintf("SSL_ERROR_SYSCALL"); if (backingError == 0 && bytesRead == 0) { /* Unexpected EOF from the peer for OpenSSL 1.1 */ dprintf("(Unexpected) EOF reached") *errorCodePtr = 0; @@ -401,32 +537,34 @@ } else if (backingError == 0 && bytesRead == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); bytesRead = -1; - Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr)); + Tls_Error(statePtr, Tcl_ErrnoMsg(*errorCodePtr)); } else { dprintf("I/O error occurred (backingError = %lu)", backingError); *errorCodePtr = Tcl_GetErrno(); bytesRead = -1; - Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); + Tls_Error(statePtr, ERR_reason_error_string(backingError)); } break; case SSL_ERROR_ZERO_RETURN: + /* Peer has closed the connection by sending the close_notify alert. Can't read, but can write. */ + /* Need to return an EOF, so channel is closed which will send an SSL_shutdown(). */ dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached"); bytesRead = 0; *errorCodePtr = 0; Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); break; - case SSL_ERROR_WANT_READ: - dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN"); - bytesRead = -1; + case SSL_ERROR_WANT_ASYNC: + /* Used with flag SSL_MODE_ASYNC, op didn't complete because an async engine is still processing data */ + dprintf("Got SSL_ERROR_WANT_ASYNC, mapping this to EAGAIN"); *errorCodePtr = EAGAIN; - Tls_Error(statePtr, "SSL_ERROR_WANT_READ"); + bytesRead = -1; break; default: dprintf("Unknown error (err = %i), mapping to EOF", err); *errorCodePtr = 0; @@ -438,58 +576,64 @@ dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr); return bytesRead; } /* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- * * TlsOutputProc -- * - * This procedure is invoked by the generic IO level - * to write output to a SSL socket based channel. + * This procedure is invoked by the generic I/O layer to write data to the + * BIO whenever the the Tcl_Write(), Tcl_WriteChars, and Tcl_WriteObj + * functions are used. Equivalent to SSL_write_ex and SSL_write. * * Results: - * Returns the number of bytes written or -1 on error. Sets errorCodePtr - * to a POSIX error code if an error occurred, or 0 if none. + * Returns the number of bytes written or -1 on error. Sets errorCodePtr + * to a POSIX error code if an error occurred, or 0 if none. * * Side effects: - * Writes output on the output device of the channel. + * Writes output on the output device of the channel. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static int TlsOutputProc(ClientData instanceData, const char *buf, int toWrite, int *errorCodePtr) { unsigned long backingError; State *statePtr = (State *) instanceData; int written, err; - int tlsConnect; - *errorCodePtr = 0; - dprintf("BIO_write(%p, %d)", (void *) statePtr, toWrite); + dprintf("Write(%p, %d)", (void *) statePtr, toWrite); dprintBuffer(buf, toWrite); + /* Skip if user verify callback is still running */ if (statePtr->flags & TLS_TCL_CALLBACK) { dprintf("Don't process output while callbacks are running"); written = -1; *errorCodePtr = EAGAIN; return -1; } - dprintf("Calling Tls_WaitForConnect"); - tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1); - if (tlsConnect < 0) { - dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); - Tls_Error(statePtr, strerror(*errorCodePtr)); - - written = -1; - if (*errorCodePtr == ECONNRESET) { - dprintf("Got connection reset"); - /* Soft EOF */ - *errorCodePtr = 0; - written = 0; - } - return written; + /* If not initialized, do connect */ + /* Can also check SSL_is_init_finished(ssl) */ + if (statePtr->flags & TLS_TCL_INIT) { + int tlsConnect; + + dprintf("Calling Tls_WaitForConnect"); + + tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1); + if (tlsConnect < 0) { + dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); + + written = -1; + if (*errorCodePtr == ECONNRESET) { + dprintf("Got connection reset"); + /* Soft EOF */ + *errorCodePtr = 0; + written = 0; + } + return written; + } } if (toWrite == 0) { dprintf("zero-write"); err = BIO_flush(statePtr->bio); @@ -518,49 +662,94 @@ * BIO_write specially (as advised in the RSA docs). TLS's lower level * BIO functions play with the retry flags though, and this seems to * work correctly. Similar fix in TlsInputProc. - hobbs */ ERR_clear_error(); + BIO_clear_retry_flags(statePtr->bio); written = BIO_write(statePtr->bio, buf, toWrite); dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written); + /* Same as SSL_want, but also checks the error queue */ err = SSL_get_error(statePtr->ssl, written); backingError = ERR_get_error(); + + if (written <= 0) { + /* The retry flag is set by the BIO_set_retry_* functions */ + if (BIO_should_retry(statePtr->bio)) { + dprintf("Write failed with code %d, bytes written=%d: should retry", err, written); + } else { + dprintf("Write failed with code %d, bytes written=%d: error condition", err, written); + } + + /* These are the same as BIO_retry_type */ + if (BIO_should_read(statePtr->bio)) { + dprintf("BIO has insufficient data to read and return"); + } + if (BIO_should_write(statePtr->bio)) { + dprintf("BIO has pending data to write"); + } + if (BIO_should_io_special(statePtr->bio)) { + int reason = BIO_get_retry_reason(statePtr->bio); + dprintf("BIO has some special condition other than read or write: code=%d", reason); + } + dprintf("BIO has pending data to write"); + + } else { + BIO_flush(statePtr->bio); + } switch (err) { case SSL_ERROR_NONE: + /* I/O operation completed */ + dprintf("SSL_ERROR_NONE"); if (written < 0) { written = 0; } break; - case SSL_ERROR_WANT_WRITE: - dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN"); - *errorCodePtr = EAGAIN; + case SSL_ERROR_SSL: + /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ + dprintf("SSL error, indicating that the connection has been aborted"); + if (backingError != 0) { + Tls_Error(statePtr, ERR_reason_error_string(backingError)); + } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { + Tls_Error(statePtr, X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); + } else { + Tls_Error(statePtr, "Unknown SSL error"); + } + *errorCodePtr = ECONNABORTED; written = -1; - Tls_Error(statePtr, "SSL_ERROR_WANT_WRITE"); break; case SSL_ERROR_WANT_READ: - dprintf(" write R BLOCK"); - Tls_Error(statePtr, "SSL_ERROR_WANT_READ"); + /* Op did not complete due to not enough data was available. Retry later. */ + dprintf("Got SSL_ERROR_WANT_READ, mapping it to EAGAIN"); + *errorCodePtr = EAGAIN; + written = -1; + statePtr->want |= TCL_READABLE; + BIO_set_retry_read(statePtr->bio); + break; + + case SSL_ERROR_WANT_WRITE: + /* Op did not complete due to unable to send all data to the BIO. Retry later. */ + dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN"); + *errorCodePtr = EAGAIN; + written = -1; + statePtr->want |= TCL_WRITABLE; + BIO_set_retry_write(statePtr->bio); break; case SSL_ERROR_WANT_X509_LOOKUP: - dprintf(" write X BLOCK"); - Tls_Error(statePtr, "SSL_ERROR_WANT_X509_LOOKUP"); - break; - - case SSL_ERROR_ZERO_RETURN: - dprintf(" closed"); - written = 0; - *errorCodePtr = 0; - Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); + /* Op didn't complete since callback set by SSL_CTX_set_client_cert_cb() asked to be called again */ + dprintf("Got SSL_ERROR_WANT_X509_LOOKUP, mapping it to EAGAIN"); + *errorCodePtr = EAGAIN; + written = -1; break; case SSL_ERROR_SYSCALL: /* Some non-recoverable, fatal I/O error occurred */ + dprintf("SSL_ERROR_SYSCALL"); if (backingError == 0 && written == 0) { dprintf("EOF reached") *errorCodePtr = 0; written = 0; @@ -568,31 +757,33 @@ } else if (backingError == 0 && written == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); written = -1; - Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr)); + Tls_Error(statePtr, Tcl_ErrnoMsg(*errorCodePtr)); } else { dprintf("I/O error occurred (backingError = %lu)", backingError); *errorCodePtr = Tcl_GetErrno(); written = -1; - Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); + Tls_Error(statePtr, ERR_reason_error_string(backingError)); } break; - case SSL_ERROR_SSL: - /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ - dprintf("SSL error, indicating that the connection has been aborted"); - if (backingError != 0) { - Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); - } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { - Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); - } else { - Tls_Error(statePtr, "Unknown SSL error"); - } - *errorCodePtr = ECONNABORTED; + case SSL_ERROR_ZERO_RETURN: + /* Peer has closed the connection by sending the close_notify alert. Can't read, but can write. */ + /* Need to return an EOF, so channel is closed which will send an SSL_shutdown(). */ + dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached"); + *errorCodePtr = 0; + written = 0; + Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); + break; + + case SSL_ERROR_WANT_ASYNC: + /* Used with flag SSL_MODE_ASYNC, op didn't complete because an async engine is still processing data */ + dprintf("Got SSL_ERROR_WANT_ASYNC, mapping this to EAGAIN"); + *errorCodePtr = EAGAIN; written = -1; break; default: dprintf("unknown error: %d", err); @@ -603,45 +794,64 @@ dprintf("Output(%d) -> %d", toWrite, written); return written; } /* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- + * + * Tls_GetParent -- + * + * Get parent channel for a stacked channel. + * + * Results: + * Tcl_Channel or NULL if none. + * + *----------------------------------------------------------------------------- + */ +Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) { + dprintf("Requested to get parent of channel %p", statePtr->self); + + if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) { + dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL"); + return NULL; + } + return Tcl_GetStackedChannel(statePtr->self); +} + +/* + *----------------------------------------------------------------------------- * * TlsSetOptionProc -- * - * Sets an option value for a SSL socket based channel, or a - * list of all options and their values. + * Sets an option to value for a SSL socket based channel. Called by the + * generic I/O layer whenever the Tcl_SetChannelOption() function is used. * * Results: - * TCL_OK if successful or TCL_ERROR if failed. + * TCL_OK if successful or TCL_ERROR if failed. * * Side effects: - * Updates channel option to new value. + * Updates channel option to new value. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static int TlsSetOptionProc(ClientData instanceData, /* Socket state. */ Tcl_Interp *interp, /* For errors - can be NULL. */ const char *optionName, /* Name of the option to set the value for, or * NULL to get all options and their values. */ const char *optionValue) /* Value for option. */ { State *statePtr = (State *) instanceData; - - Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); + Tcl_Channel parent = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); Tcl_DriverSetOptionProc *setOptionProc; - setOptionProc = Tcl_ChannelSetOptionProc(Tcl_GetChannelType(downChan)); + dprintf("Called"); + + /* Pass to parent */ + setOptionProc = Tcl_ChannelSetOptionProc(Tcl_GetChannelType(parent)); if (setOptionProc != NULL) { - return (*setOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, optionValue); - } else if (optionName == (char*) NULL) { - /* - * Request is query for all options, this is ok. - */ - return TCL_OK; + return (*setOptionProc)(Tcl_GetChannelInstanceData(parent), interp, optionName, optionValue); } /* * Request for a specific option has to fail, we don't have any. */ return Tcl_BadChannelOption(interp, optionName, ""); @@ -650,20 +860,21 @@ /* *------------------------------------------------------------------- * * TlsGetOptionProc -- * - * Gets an option value for a SSL socket based channel, or a - * list of all options and their values. + * Get a option's value for a SSL socket based channel, or a list of all + * options and their values. Called by the generic I/O layer whenever the + * Tcl_GetChannelOption() function is used. + * * * Results: - * A standard Tcl result. The value of the specified option or a - * list of all options and their values is returned in the - * supplied DString. + * A standard Tcl result. The value of the specified option or a list of + * all options and their values is returned in the supplied DString. * * Side effects: - * None. + * None. * *------------------------------------------------------------------- */ static int TlsGetOptionProc(ClientData instanceData, /* Socket state. */ @@ -671,17 +882,19 @@ const char *optionName, /* Name of the option to retrieve the value for, or * NULL to get all options and their values. */ Tcl_DString *optionValue) /* Where to store the computed value initialized by caller. */ { State *statePtr = (State *) instanceData; - - Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); + Tcl_Channel parent = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); Tcl_DriverGetOptionProc *getOptionProc; - getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan)); + dprintf("Called"); + + /* Pass to parent */ + getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(parent)); if (getOptionProc != NULL) { - return (*getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, optionValue); + return (*getOptionProc)(Tcl_GetChannelInstanceData(parent), interp, optionName, optionValue); } else if (optionName == (char*) NULL) { /* * Request is query for all options, this is ok. */ return TCL_OK; @@ -691,53 +904,105 @@ */ return Tcl_BadChannelOption(interp, optionName, ""); } /* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- + * + * TlsChannelHandlerTimer -- + * + * Called by the notifier via a timer, to flush out data waiting in + * channel buffers. called by the generic I/O layer whenever the + * Tcl_GetChannelHandle() function is used. + * + * Results: + * None. + * + * Side effects: + * Creates notification event. + * + *----------------------------------------------------------------------------- + */ +static void TlsChannelHandlerTimer(ClientData clientData) { + State *statePtr = (State *) clientData; + int mask = statePtr->want; /* Init to SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE */ + + dprintf("Called"); + + statePtr->timer = (Tcl_TimerToken) NULL; + + /* Check for amount of data pending in BIO write buffer */ + if (BIO_wpending(statePtr->bio)) { + dprintf("[chan=%p] BIO writable", statePtr->self); + + mask |= TCL_WRITABLE; + } + + /* Check for amount of data pending in BIO read buffer */ + if (BIO_pending(statePtr->bio)) { + dprintf("[chan=%p] BIO readable", statePtr->self); + + mask |= TCL_READABLE; + } + + /* Notify the generic IO layer that the mask events have occurred on the channel */ + dprintf("Notifying ourselves"); + Tcl_NotifyChannel(statePtr->self, mask); + statePtr->want = 0; + + dprintf("Returning"); + + return; +} + +/* + *----------------------------------------------------------------------------- * * TlsWatchProc -- * - * Initialize the notifier to watch Tcl_Files from this channel. + * Set up the event notifier to watch for events of interest from this + * channel. Called by the generic I/O layer whenever the user (or the + * system) announces its (dis)interest in events on the channel. This is + * called repeatedly. * * Results: - * None. + * None. * * Side effects: - * Sets up the notifier so that a future event on the channel - * will be seen by Tcl. + * Sets up the time-based notifier so that future events on the channel + * will be seen by TCL. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static void TlsWatchProc(ClientData instanceData, /* The socket state. */ int mask) /* Events of interest; an OR-ed combination of * TCL_READABLE, TCL_WRITABLE and TCL_EXCEPTION. */ { - Tcl_Channel downChan; + Tcl_Channel parent; State *statePtr = (State *) instanceData; Tcl_DriverWatchProc *watchProc; + int pending = 0; dprintf("TlsWatchProc(0x%x)", mask); + dprintFlags(statePtr); /* Pretend to be dead as long as the verify callback is running. * Otherwise that callback could be invoked recursively. */ if (statePtr->flags & TLS_TCL_CALLBACK) { dprintf("Callback is on-going, doing nothing"); return; } - dprintFlags(statePtr); - - downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); + parent = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here"); dprintf("Unregistering interest in the lower channel"); - watchProc = Tcl_ChannelWatchProc(Tcl_GetChannelType(downChan)); - watchProc(Tcl_GetChannelInstanceData(downChan), 0); + watchProc = Tcl_ChannelWatchProc(Tcl_GetChannelType(parent)); + watchProc(Tcl_GetChannelInstanceData(parent), 0); statePtr->watchMask = 0; return; } statePtr->watchMask = mask; @@ -747,50 +1012,55 @@ * 'TransformNotifyProc'. But we have to pass the interest down now. * We are allowed to add additional 'interest' to the mask if we want * to. But this transformation has no such interest. It just passes * the request down, unchanged. */ - dprintf("Registering our interest in the lower channel (chan=%p)", (void *) downChan); - watchProc = Tcl_ChannelWatchProc(Tcl_GetChannelType(downChan)); - watchProc(Tcl_GetChannelInstanceData(downChan), mask); - - - /* - * Management of the internal timer. - */ - if (statePtr->timer != (Tcl_TimerToken) NULL) { - dprintf("A timer was found, deleting it"); - Tcl_DeleteTimerHandler(statePtr->timer); - statePtr->timer = (Tcl_TimerToken) NULL; - } - - if ((mask & TCL_READABLE) && - ((Tcl_InputBuffered(statePtr->self) > 0) || (BIO_ctrl_pending(statePtr->bio) > 0))) { - /* - * There is interest in readable events and we actually have - * data waiting, so generate a timer to flush that. - */ - dprintf("Creating a new timer since data appears to be waiting"); - statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, (ClientData) statePtr); - } -} - -/* - *------------------------------------------------------------------- - * - * TlsGetHandleProc -- - * - * Called from Tcl_GetChannelFile to retrieve o/s file handler - * from the SSL socket based channel. - * - * Results: - * The appropriate Tcl_File handle or NULL if none. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- + dprintf("Registering our interest in the lower channel (chan=%p)", (void *) parent); + watchProc = Tcl_ChannelWatchProc(Tcl_GetChannelType(parent)); + watchProc(Tcl_GetChannelInstanceData(parent), mask); + + /* Do we have any pending events */ + pending = (statePtr->want || \ + ((mask & TCL_READABLE) && ((Tcl_InputBuffered(statePtr->self) > 0) || (BIO_ctrl_pending(statePtr->bio) > 0))) || + ((mask & TCL_WRITABLE) && ((Tcl_OutputBuffered(statePtr->self) > 0) || (BIO_ctrl_wpending(statePtr->bio) > 0)))); + + dprintf("IO Want=%d, input buffer=%d, output buffer=%d, BIO pending=%zd, BIO wpending=%zd", \ + statePtr->want, Tcl_InputBuffered(statePtr->self), Tcl_OutputBuffered(statePtr->self), \ + BIO_ctrl_pending(statePtr->bio), BIO_ctrl_wpending(statePtr->bio)); + + if (!(mask & TCL_READABLE) || pending == 0) { + /* Remove timer, if any */ + if (statePtr->timer != (Tcl_TimerToken) NULL) { + dprintf("A timer was found, deleting it"); + Tcl_DeleteTimerHandler(statePtr->timer); + statePtr->timer = (Tcl_TimerToken) NULL; + } + + } else { + /* Add timer, if none */ + if (statePtr->timer == (Tcl_TimerToken) NULL) { + dprintf("Creating a new timer since data appears to be waiting"); + statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, (ClientData) statePtr); + } + } +} + +/* + *----------------------------------------------------------------------------- + * + * TlsGetHandleProc -- + * + * This procedure is invoked by the generic IO level to retrieve an OS + * specific handle associated with the channel. Not used for transforms. + * + * Results: + * The appropriate Tcl_File handle or NULL if none. + * + * Side effects: + * None. + * + *----------------------------------------------------------------------------- */ static int TlsGetHandleProc(ClientData instanceData, /* Socket state. */ int direction, /* TCL_READABLE or TCL_WRITABLE */ ClientData *handlePtr) /* Handle associated with the channel */ { @@ -798,142 +1068,97 @@ return Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr); } /* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- * * TlsNotifyProc -- * - * Handler called by Tcl to inform us of activity - * on the underlying channel. + * This procedure is invoked by the generic IO level to notify the channel + * that an event has occurred on the underlying channel. It is used by stacked channel drivers that + * wish to be notified of events that occur on the underlying (stacked) + * channel. * * Results: - * Type of event or 0 if failed + * Type of event or 0 if failed * * Side effects: - * May process the incoming event by itself. + * May process the incoming event by itself. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static int TlsNotifyProc(ClientData instanceData, /* Socket state. */ int mask) /* type of event that occurred: * OR-ed combination of TCL_READABLE or TCL_WRITABLE */ { State *statePtr = (State *) instanceData; - int errorCode; + int errorCode = 0; + + dprintf("Called"); + + /* + * Delete an existing timer. It was not fired, yet we are + * here, so the channel below generated such an event and we + * don't have to. The renewal of the interest after the + * execution of channel handlers will eventually cause us to + * recreate the timer (in WatchProc). + */ + if (statePtr->timer != (Tcl_TimerToken) NULL) { + Tcl_DeleteTimerHandler(statePtr->timer); + statePtr->timer = (Tcl_TimerToken) NULL; + } + + /* Skip if user verify callback is still running */ + if (statePtr->flags & TLS_TCL_CALLBACK) { + dprintf("Callback is on-going, returning failed"); + return 0; + } + + /* If not initialized, do connect */ + if (statePtr->flags & TLS_TCL_INIT) { + int tlsConnect; + + dprintf("Calling Tls_WaitForConnect"); + + tlsConnect = Tls_WaitForConnect(statePtr, &errorCode, 1); + if (tlsConnect < 1) { + dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, errorCode); + if (errorCode == EAGAIN) { + dprintf("Async flag could be set (didn't check) and errorCode == EAGAIN: Returning failed"); + + return 0; + } + + dprintf("Tls_WaitForConnect returned an error"); + } + } + + dprintf("Returning %i", mask); /* * An event occurred in the underlying channel. This * transformation doesn't process such events thus returns the * incoming mask unchanged. */ - if (statePtr->timer != (Tcl_TimerToken) NULL) { - /* - * Delete an existing timer. It was not fired, yet we are - * here, so the channel below generated such an event and we - * don't have to. The renewal of the interest after the - * execution of channel handlers will eventually cause us to - * recreate the timer (in WatchProc). - */ - Tcl_DeleteTimerHandler(statePtr->timer); - statePtr->timer = (Tcl_TimerToken) NULL; - } - - if (statePtr->flags & TLS_TCL_CALLBACK) { - dprintf("Returning 0 due to callback"); - return 0; - } - - dprintf("Calling Tls_WaitForConnect"); - errorCode = 0; - if (Tls_WaitForConnect(statePtr, &errorCode, 1) < 0) { - Tls_Error(statePtr, strerror(errorCode)); - if (errorCode == EAGAIN) { - dprintf("Async flag could be set (didn't check) and errorCode == EAGAIN: Returning 0"); - - return 0; - } - - dprintf("Tls_WaitForConnect returned an error"); - } - - dprintf("Returning %i", mask); - return mask; } /* - *------------------------------------------------------* - * - * TlsChannelHandlerTimer -- - * - * ------------------------------------------------* - * Called by the notifier (-> timer) to flush out - * information waiting in channel buffers. - * ------------------------------------------------* - * - * Side effects: - * As of 'TlsChannelHandler'. - * - * Result: - * None. - * - *------------------------------------------------------* - */ -static void TlsChannelHandlerTimer(ClientData clientData) { - State *statePtr = (State *) clientData; - int mask = 0; - - dprintf("Called"); - - statePtr->timer = (Tcl_TimerToken) NULL; - - if (BIO_wpending(statePtr->bio)) { - dprintf("[chan=%p] BIO writable", statePtr->self); - - mask |= TCL_WRITABLE; - } - - if (BIO_pending(statePtr->bio)) { - dprintf("[chan=%p] BIO readable", statePtr->self); - - mask |= TCL_READABLE; - } - - dprintf("Notifying ourselves"); - Tcl_NotifyChannel(statePtr->self, mask); - - dprintf("Returning"); - - return; -} - -Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) { - dprintf("Requested to get parent of channel %p", statePtr->self); - - if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) { - dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL"); - return NULL; - } - return Tcl_GetStackedChannel(statePtr->self); -} - -/* - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- * * Tls_ChannelType -- * - * Return the correct TLS channel driver info + * Defines the correct TLS channel driver handlers for this channel type. * * Results: - * The correct channel driver for the current version of Tcl. + * Tcl_ChannelType structure. * * Side effects: - * None. + * None. * - *------------------------------------------------------------------- + *----------------------------------------------------------------------------- */ static const Tcl_ChannelType tlsChannelType = { "tls", /* Type name */ TCL_CHANNEL_VERSION_5, /* v5 channel */ TlsCloseProc, /* Close proc */ Index: generic/tlsInt.h ================================================================== --- generic/tlsInt.h +++ generic/tlsInt.h @@ -1,14 +1,11 @@ /* + * Macro and structure definitions for TLS extension + * * Copyright (C) 1997-2000 Matt Newman * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built from scratch based upon observation of OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * Additional credit is due for Andreas Kupries (a.kupries@westend.com), for * providing the Tcl_ReplaceChannel mechanism and working closely with me * to enhance it to support full fileevent semantics. * * Also work done by the follow people provided the impetus to do this "right":- * tclSSL (Colin McCormack, Shared Technology) @@ -15,21 +12,34 @@ * SSLtcl (Peter Antman) * */ #ifndef _TLSINT_H #define _TLSINT_H + +/* Platform unique definitions */ +#if ((defined(_WIN32)) || (defined(__MINGW32__)) || (defined(__MINGW64__))) +#ifndef WIN32_LEAN_AND_MEAN +#define WIN32_LEAN_AND_MEAN +#endif +#include +#include /* OpenSSL needs this on Windows */ +#endif #include "tls.h" #include #include #include +#include +#include +#include +#include -#ifdef _WIN32 -#define WIN32_LEAN_AND_MEAN -#include -#include /* OpenSSL needs this on Windows */ -#endif +/* Windows needs to know which symbols to export. */ +#ifdef BUILD_tls +#undef TCL_STORAGE_CLASS +#define TCL_STORAGE_CLASS DLLEXPORT +#endif /* BUILD_udp */ /* Handle TCL 8.6 CONST changes */ #ifndef CONST86 # if TCL_MAJOR_VERSION > 8 # define CONST86 const @@ -40,29 +50,50 @@ /* * Backwards compatibility for size type change */ #if TCL_MAJOR_VERSION < 9 && TCL_MINOR_VERSION < 7 - #ifndef Tcl_Size - typedef int Tcl_Size; - #endif +#include +#ifndef TCL_SIZE_MAX +#define TCL_SIZE_MAX INT_MAX +#endif + +#ifndef Tcl_Size + typedef int Tcl_Size; +#endif + +#define TCL_SIZE_MODIFIER "" +#define Tcl_GetSizeIntFromObj Tcl_GetIntFromObj +#define Tcl_NewSizeIntObj Tcl_NewIntObj +#define Tcl_NewSizeIntFromObj Tcl_NewWideIntObj +#endif + +#ifndef JOIN +# define JOIN(a,b) JOIN1(a,b) +# define JOIN1(a,b) a##b +#endif - #define TCL_SIZE_MODIFIER "" +#ifndef TCL_UNUSED +# if defined(__cplusplus) +# define TCL_UNUSED(T) T +# elif defined(__GNUC__) && (__GNUC__ > 2) +# define TCL_UNUSED(T) T JOIN(dummy, __LINE__) __attribute__((unused)) +# else +# define TCL_UNUSED(T) T JOIN(dummy, __LINE__) +# endif #endif -#include -#include -#include -#include +/* Define missing POSIX error codes */ #ifndef ECONNABORTED #define ECONNABORTED 130 /* Software caused connection abort */ #endif #ifndef ECONNRESET #define ECONNRESET 131 /* Connection reset by peer */ #endif +/* Debug and error macros */ #ifdef TCLEXT_TCLTLS_DEBUG #include #define dprintf(...) { \ char dprintfBuffer[8192], *dprintfBuffer_p; \ dprintfBuffer_p = &dprintfBuffer[0]; \ @@ -124,20 +155,15 @@ } #define LAPPEND_BOOL(interp, obj, text, value) {\ if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ Tcl_ListObjAppendElement(interp, obj, Tcl_NewBooleanObj(value)); \ } -#define LAPPEND_OBJ(interp, obj, text, listObj) {\ +#define LAPPEND_OBJ(interp, obj, text, tclObj) {\ if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ - Tcl_ListObjAppendElement(interp, obj, listObj); \ + Tcl_ListObjAppendElement(interp, obj, (tclObj != NULL) ? tclObj : Tcl_NewStringObj("", 0)); \ } -/* - * OpenSSL BIO Routines - */ -#define BIO_TYPE_TCL (19|0x0400) - /* * Defines for State.flags */ #define TLS_TCL_ASYNC (1<<0) /* non-blocking mode */ #define TLS_TCL_SERVER (1<<1) /* Server-Side */ @@ -144,11 +170,11 @@ #define TLS_TCL_INIT (1<<2) /* Initializing connection */ #define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ #define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update * looping problem. [Bug 1652380] */ #define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once set, all - * further I/O will result in ECONNABORTED errors. */ + * further I/O will result in ECONNABORTED errors. */ #define TLS_TCL_FASTPATH (1<<6) /* The parent channel is being used directly by the SSL library */ #define TLS_TCL_DELAY (5) /* * This structure describes the per-instance state of an SSL channel. @@ -159,10 +185,11 @@ Tcl_Channel self; /* this socket channel */ Tcl_TimerToken timer; int flags; /* see State.flags above */ int watchMask; /* current WatchProc mask */ + int want; /* pending wants from OpenSSL */ int mode; /* current mode of parent channel */ Tcl_Interp *interp; /* interpreter in which this resides */ Tcl_Obj *callback; /* script called for tracing, info, and errors */ Tcl_Obj *password; /* script called for certificate password */ @@ -172,14 +199,14 @@ SSL *ssl; /* Struct for SSL processing */ SSL_CTX *ctx; /* SSL Context */ BIO *bio; /* Struct for SSL processing */ BIO *p_bio; /* Parent BIO (that is layered on Tcl_Channel) */ - unsigned char *protos; /* List of supported protocols in protocol format */ unsigned int protos_len; /* Length of protos */ + unsigned char *protos; /* List of supported protocols in protocol format */ - char *err; + const char *err; } State; #ifdef USE_TCL_STUBS #ifndef Tcl_StackChannel #error "Unable to compile on this version of Tcl" @@ -194,19 +221,20 @@ /* * Forward declarations */ const Tcl_ChannelType *Tls_ChannelType(void); -Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags); +Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags); -Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert); +Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert, int all); Tcl_Obj *Tls_NewCAObj(Tcl_Interp *interp, const SSL *ssl, int peer); -void Tls_Error(State *statePtr, char *msg); -void Tls_Free(tls_free_type *blockPtr); -void Tls_Clean(State *statePtr); -int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent); +void Tls_Error(State *statePtr, const char *msg); +void Tls_Free(tls_free_type *blockPtr); +void Tls_Clean(State *statePtr); +int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent); -BIO *BIO_new_tcl(State* statePtr, int flags); +BIO *BIO_new_tcl(State* statePtr, int flags); +int BIO_cleanup(); #define PTR2INT(x) ((int) ((intptr_t) (x))) #endif /* _TLSINT_H */ Index: generic/tlsX509.c ================================================================== --- generic/tlsX509.c +++ generic/tlsX509.c @@ -1,6 +1,8 @@ /* + * Parse X.509 certificates and return contents as a TCL key-value list. + * * Copyright (C) 1997-2000 Sensus Consulting Ltd. * Matt Newman * Copyright (C) 2023 Brian O'Hagan */ #include @@ -12,133 +14,206 @@ #include #include #include "tlsInt.h" /* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. */ -#define CERT_STR_SIZE 32768 - - -/* - * Binary string to hex string - */ -int String_to_Hex(unsigned char* input, int ilen, unsigned char *output, int olen) { - int count = 0; - unsigned char *iptr = input; - unsigned char *optr = &output[0]; - const char *hex = "0123456789abcdef"; - - for (int i = 0; i < ilen && count < olen - 1; i++, count += 2) { - *optr++ = hex[(*iptr>>4)&0xF]; - *optr++ = hex[(*iptr++)&0xF]; - } - *optr = 0; - return count; -} - -/* - * BIO to Buffer - */ -int BIO_to_Buffer(int result, BIO *bio, void *buffer, int size) { - int len = 0; - int pending = BIO_pending(bio); - - if (result) { - len = BIO_read(bio, buffer, (pending < size) ? pending : size); +#define CERT_STR_SIZE 24576 + + +/* + *----------------------------------------------------------------------------- + * + * String_to_Hex -- + * + * Format contents of a binary string as a hex string + * + * Results: + * TCL byte array object with x509 identifier as a hex string + * + * Side Effects: + * None + * + *----------------------------------------------------------------------------- + */ +Tcl_Obj *String_to_Hex(unsigned char* input, int ilen) { + unsigned char *iptr = input; + Tcl_Obj *resultObj = Tcl_NewByteArrayObj(NULL, 0); + unsigned char *data = Tcl_SetByteArrayLength(resultObj, (Tcl_Size)ilen*2); + unsigned char *dptr = &data[0]; + const char *hex = "0123456789abcdef"; + + if (resultObj == NULL) { + return NULL; + } + + for (int i = 0; i < ilen; i++) { + *dptr++ = hex[(*iptr>>4)&0xF]; + *dptr++ = hex[(*iptr++)&0xF]; + } + return resultObj; +} + +/* + *----------------------------------------------------------------------------- + * + * BIO_to_Buffer -- + * + * Output contents of a BIO to a buffer + * + * Results: + * Returns length of string in buffer + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- + */ +Tcl_Size BIO_to_Buffer(int result, BIO *bio, void *output, int olen) { + Tcl_Size len = 0; + int pending = BIO_pending(bio); + + if (result) { + len = (Tcl_Size) BIO_read(bio, output, (pending < olen) ? pending : olen); (void)BIO_flush(bio); if (len < 0) { len = 0; } } return len; } /* - * Get X509 Certificate Extensions + *----------------------------------------------------------------------------- + * + * Tls_x509Extensions -- + * + * Get list of X.509 Certificate Extensions + * + * Results: + * TCL list of extensions and boolean critical status + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509Extensions(Tcl_Interp *interp, X509 *cert) { const STACK_OF(X509_EXTENSION) *exts; - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } if ((exts = X509_get0_extensions(cert)) != NULL) { for (int i=0; i < X509_get_ext_count(cert); i++) { X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i); ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex); /* ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(ex); */ int critical = X509_EXTENSION_get_critical(ex); - LAPPEND_BOOL(interp, listPtr, OBJ_nid2ln(OBJ_obj2nid(obj)), critical); + LAPPEND_BOOL(interp, resultObj, OBJ_nid2ln(OBJ_obj2nid(obj)), critical); } } - return listPtr; + return resultObj; } /* - * Get Authority and Subject Key Identifiers + *----------------------------------------------------------------------------- + * + * Tls_x509Identifier -- + * + * Get X.509 certificate Authority or Subject Key Identifiers + * + * Results: + * TCL byte array object with x509 identifier as a hex string + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509Identifier(const ASN1_OCTET_STRING *astring) { - Tcl_Obj *resultPtr = NULL; - int len = 0; - unsigned char buffer[1024]; + Tcl_Obj *resultObj = NULL; if (astring != NULL) { - len = String_to_Hex((unsigned char *)ASN1_STRING_get0_data(astring), - ASN1_STRING_length(astring), buffer, 1024); + resultObj = String_to_Hex((unsigned char *)ASN1_STRING_get0_data(astring), + ASN1_STRING_length(astring)); } - resultPtr = Tcl_NewStringObj((char *) &buffer[0], (Tcl_Size) len); - return resultPtr; + return resultObj; } /* - * Get Key Usage + *----------------------------------------------------------------------------- + * + * Tls_x509KeyUsage -- + * + * Get X.509 certificate key usage types + * + * Results: + * Tcl list of types + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509KeyUsage(Tcl_Interp *interp, X509 *cert, uint32_t xflags) { uint32_t usage = X509_get_key_usage(cert); - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } if ((xflags & EXFLAG_KUSAGE) && usage < UINT32_MAX) { if (usage & KU_DIGITAL_SIGNATURE) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Digital Signature", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Digital Signature", -1)); } if (usage & KU_NON_REPUDIATION) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Non-Repudiation", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Non-Repudiation", -1)); } if (usage & KU_KEY_ENCIPHERMENT) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Key Encipherment", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Key Encipherment", -1)); } if (usage & KU_DATA_ENCIPHERMENT) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Data Encipherment", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Data Encipherment", -1)); } if (usage & KU_KEY_AGREEMENT) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Key Agreement", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Key Agreement", -1)); } if (usage & KU_KEY_CERT_SIGN) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Certificate Signing", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Certificate Signing", -1)); } if (usage & KU_CRL_SIGN) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("CRL Signing", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("CRL Signing", -1)); } if (usage & KU_ENCIPHER_ONLY) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Encipher Only", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Encipher Only", -1)); } if (usage & KU_DECIPHER_ONLY) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Decipher Only", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Decipher Only", -1)); } } else { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("unrestricted", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("unrestricted", -1)); } - return listPtr; + return resultObj; } /* - * Get Certificate Purpose + *----------------------------------------------------------------------------- + * + * Tls_x509Purpose -- + * + * Get X.509 certificate purpose + * + * Results: + * Purpose string + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ char *Tls_x509Purpose(X509 *cert) { char *purpose = NULL; if (X509_check_purpose(cert, X509_PURPOSE_SSL_CLIENT, 0) > 0) { @@ -164,17 +239,29 @@ } return purpose; } /* - * For each purpose, get certificate applicability + *----------------------------------------------------------------------------- + * + * Tls_x509Purposes -- + * + * Get X.509 certificate purpose types + * + * Results: + * Tcl list of each purpose and whether it is CA or non-CA + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509Purposes(Tcl_Interp *interp, X509 *cert) { - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); X509_PURPOSE *ptmp; - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } for (int i = 0; i < X509_PURPOSE_get_count(); i++) { ptmp = X509_PURPOSE_get0(i); @@ -183,95 +270,131 @@ for (int j = 0; j < 2; j++) { int idret = X509_check_purpose(cert, X509_PURPOSE_get_id(ptmp), j); Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj(j ? "CA" : "nonCA", -1)); Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj(idret == 1 ? "Yes" : "No", -1)); } - LAPPEND_OBJ(interp, listPtr, X509_PURPOSE_get0_name(ptmp), tmpPtr); + LAPPEND_OBJ(interp, resultObj, X509_PURPOSE_get0_name(ptmp), tmpPtr); } - return listPtr; + return resultObj; } /* - * Get Subject Alternate Names (SAN) and Issuer Alternate Names + *----------------------------------------------------------------------------- + * + * Tls_x509Names -- + * + * Get a list of Subject Alternate Names (SAN) or Issuer Alternate Names + * + * Results: + * Tcl list of alternate names + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509Names(Tcl_Interp *interp, X509 *cert, int nid, BIO *bio) { STACK_OF(GENERAL_NAME) *names; - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); - int len; + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); + Tcl_Size len; char buffer[1024]; - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } if ((names = X509_get_ext_d2i(cert, nid, NULL, NULL)) != NULL) { for (int i=0; i < sk_GENERAL_NAME_num(names); i++) { const GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i); len = BIO_to_Buffer(name && GENERAL_NAME_print(bio, (GENERAL_NAME *) name), bio, buffer, 1024); - LAPPEND_STR(interp, listPtr, NULL, buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, NULL, buffer, len); } sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } - return listPtr; + return resultObj; } /* - * Get EXtended Key Usage + *----------------------------------------------------------------------------- + * + * Tls_x509ExtKeyUsage -- + * + * Get a list of Extended Key Usages + * + * Returns: + * Tcl list of usages + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509ExtKeyUsage(Tcl_Interp *interp, X509 *cert, uint32_t xflags) { uint32_t usage = X509_get_key_usage(cert); - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } if ((xflags & EXFLAG_XKUSAGE) && usage < UINT32_MAX) { usage = X509_get_extended_key_usage(cert); if (usage & XKU_SSL_SERVER) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("TLS Web Server Authentication", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("TLS Web Server Authentication", -1)); } if (usage & XKU_SSL_CLIENT) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("TLS Web Client Authentication", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("TLS Web Client Authentication", -1)); } if (usage & XKU_SMIME) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("E-mail Protection", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("E-mail Protection", -1)); } if (usage & XKU_CODE_SIGN) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Code Signing", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Code Signing", -1)); } if (usage & XKU_SGC) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("SGC", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("SGC", -1)); } if (usage & XKU_OCSP_SIGN) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("OCSP Signing", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("OCSP Signing", -1)); } if (usage & XKU_TIMESTAMP) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Time Stamping", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Time Stamping", -1)); } if (usage & XKU_DVCS ) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("DVCS", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("DVCS", -1)); } if (usage & XKU_ANYEKU) { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Any Extended Key Usage", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("Any Extended Key Usage", -1)); } } else { - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("unrestricted", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("unrestricted", -1)); } - return listPtr; + return resultObj; } /* - * Get CRL Distribution Points + *----------------------------------------------------------------------------- + * + * Tls_x509CrlDp -- + * + * Get list of CRL Distribution Points + * + * Returns: + * Tcl list of URIs and relative-names + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509CrlDp(Tcl_Interp *interp, X509 *cert) { STACK_OF(DIST_POINT) *crl; - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } if ((crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) != NULL) { for (int i=0; i < sk_DIST_POINT_num(crl); i++) { @@ -283,108 +406,136 @@ for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j); int type; ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { - LAPPEND_STR(interp, listPtr, (char *) NULL, (char *) ASN1_STRING_get0_data(uri), (Tcl_Size) ASN1_STRING_length(uri)); + LAPPEND_STR(interp, resultObj, (char *) NULL, (char *) ASN1_STRING_get0_data(uri), (Tcl_Size) ASN1_STRING_length(uri)); } } } else if (distpoint->type == 1) { /* relative-name X509NAME */ STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename; for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) { X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j); ASN1_STRING *d = X509_NAME_ENTRY_get_data(e); - LAPPEND_STR(interp, listPtr, (char *) NULL, (char *) ASN1_STRING_data(d), (Tcl_Size) ASN1_STRING_length(d)); + LAPPEND_STR(interp, resultObj, (char *) NULL, (char *) ASN1_STRING_data(d), (Tcl_Size) ASN1_STRING_length(d)); } } } CRL_DIST_POINTS_free(crl); } - return listPtr; + return resultObj; } /* - * Get On-line Certificate Status Protocol (OSCP) URL + *----------------------------------------------------------------------------- + * + * Tls_x509Oscp + * + * Get list of On-line Certificate Status Protocol (OSCP) URIs + * + * Results: + * Tcl list of URIs + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509Oscp(Tcl_Interp *interp, X509 *cert) { STACK_OF(OPENSSL_STRING) *ocsp; - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); - if (listPtr == NULL) { + if (resultObj == NULL) { return NULL; } if ((ocsp = X509_get1_ocsp(cert)) != NULL) { for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) { - LAPPEND_STR(interp, listPtr, NULL, sk_OPENSSL_STRING_value(ocsp, i), -1); + LAPPEND_STR(interp, resultObj, NULL, sk_OPENSSL_STRING_value(ocsp, i), -1); } X509_email_free(ocsp); } - return listPtr; + return resultObj; } /* - * Get Certificate Authority (CA) Issuers URL + *----------------------------------------------------------------------------- + * + * Tls_x509CaIssuers -- + * + * Get list of Certificate Authority (CA) Issuer URIs + * + * Results: + * Tcl list of CA issuer URIs + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- */ Tcl_Obj *Tls_x509CaIssuers(Tcl_Interp *interp, X509 *cert) { STACK_OF(ACCESS_DESCRIPTION) *ads; ACCESS_DESCRIPTION *ad; - Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); unsigned char *buf; - int len; + + if (resultObj == NULL) { + return NULL; + } if ((ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) != NULL) { for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) { ad = sk_ACCESS_DESCRIPTION_value(ads, i); if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) { if (ad->location->type == GEN_URI) { - len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier); - Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj((char *) buf, (Tcl_Size) len)); + Tcl_Size len = (Tcl_Size) ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj((char *) buf, len)); OPENSSL_free(buf); break; } } } /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */ AUTHORITY_INFO_ACCESS_free(ads); } - return listPtr; + return resultObj; } /* - *------------------------------------------------------* - * - * Tls_NewX509Obj -- - * - * ------------------------------------------------* - * Converts a X509 certificate into a Tcl_Obj - * ------------------------------------------------* - * - * Side effects: - * None - * - * Result: - * A Tcl List Object representing the provided - * X509 certificate. - * - *------------------------------------------------------* - */ - -Tcl_Obj* -Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert) { - Tcl_Obj *certPtr = Tcl_NewListObj(0, NULL); - BIO *bio = BIO_new(BIO_s_mem()); - int mdnid, pknid, bits, len; + *----------------------------------------------------------------------------- + * + * Tls_NewX509Obj -- + * + * Parses a X509 certificate and returns contents as a key-value Tcl list. + * + * Result: + * A Tcl List with the X509 certificate info as a key-value list + * + * Side effects: + * None + * + *----------------------------------------------------------------------------- + */ +Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert, int all) { + Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL); + BIO *bio = BIO_new(BIO_s_mem()); + int mdnid, pknid, bits; + Tcl_Size len; unsigned int ulen; uint32_t xflags; - char buffer[BUFSIZ]; - unsigned char md[EVP_MAX_MD_SIZE]; unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT; flags &= ~ASN1_STRFLGS_ESC_MSB; - if (interp == NULL || cert == NULL || bio == NULL || certPtr == NULL) { + char *buffer = ckalloc(BUFSIZ > EVP_MAX_MD_SIZE ? BUFSIZ : EVP_MAX_MD_SIZE); + + dprintf("Called"); + + if (interp == NULL || cert == NULL || bio == NULL || resultObj == NULL || buffer == NULL) { + Tcl_DecrRefCount(resultObj); + BIO_free(bio); + if (buffer != NULL) ckfree(buffer); return NULL; } /* Signature algorithm and value - RFC 5280 section 4.1.1.2 and 4.1.1.3 */ /* signatureAlgorithm is the id of the cryptographic algorithm used by the @@ -396,138 +547,138 @@ int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) */ sig_nid = OBJ_obj2nid(sig_alg->algorithm); - LAPPEND_STR(interp, certPtr, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1); - len = (sig_nid != NID_undef) ? String_to_Hex(sig->data, sig->length, (unsigned char *) buffer, BUFSIZ) : 0; - LAPPEND_STR(interp, certPtr, "signatureValue", buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1); + if (sig_nid != NID_undef) { + LAPPEND_OBJ(interp, resultObj, "signatureValue", String_to_Hex(sig->data, sig->length)); + } else { + LAPPEND_STR(interp, resultObj, "signatureValue", "", 0); + } } /* Version of the encoded certificate - RFC 5280 section 4.1.2.1 */ - LAPPEND_LONG(interp, certPtr, "version", X509_get_version(cert)+1); + LAPPEND_LONG(interp, resultObj, "version", X509_get_version(cert)+1); /* Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 */ len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "serialNumber", buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, "serialNumber", buffer, len); /* Signature algorithm used by the CA to sign the certificate. Must match signatureAlgorithm. RFC 5280 section 4.1.2.3 */ - LAPPEND_STR(interp, certPtr, "signature", OBJ_nid2ln(X509_get_signature_nid(cert)), -1); + LAPPEND_STR(interp, resultObj, "signature", OBJ_nid2ln(X509_get_signature_nid(cert)), -1); /* Issuer identifies the entity that signed and issued the cert. RFC 5280 section 4.1.2.4 */ len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags), bio, buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "issuer", buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, "issuer", buffer, len); /* Certificate validity period is the interval the CA warrants that it will maintain info on the status of the certificate. RFC 5280 section 4.1.2.5 */ /* Get Validity - Not Before */ len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notBefore(cert)), bio, buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "notBefore", buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, "notBefore", buffer, len); /* Get Validity - Not After */ len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notAfter(cert)), bio, buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "notAfter", buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, "notAfter", buffer, len); /* Subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 */ len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "subject", buffer, (Tcl_Size) len); + LAPPEND_STR(interp, resultObj, "subject", buffer, len); /* SHA1 Digest (Fingerprint) of cert - DER representation */ - if (X509_digest(cert, EVP_sha1(), md, &ulen)) { - len = String_to_Hex(md, len, (unsigned char *) buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, (Tcl_Size) ulen); + if (X509_digest(cert, EVP_sha1(), (unsigned char *)buffer, &ulen)) { + LAPPEND_OBJ(interp, resultObj, "sha1_hash", String_to_Hex((unsigned char *)buffer, (int) ulen)); } /* SHA256 Digest (Fingerprint) of cert - DER representation */ - if (X509_digest(cert, EVP_sha256(), md, &ulen)) { - len = String_to_Hex(md, len, (unsigned char *) buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, (Tcl_Size) ulen); + if (X509_digest(cert, EVP_sha256(), (unsigned char *)buffer, &ulen)) { + LAPPEND_OBJ(interp, resultObj, "sha256_hash", String_to_Hex((unsigned char *)buffer, (int) ulen)); } /* Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 */ if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) { ASN1_BIT_STRING *key; unsigned int n; - LAPPEND_STR(interp, certPtr, "signingDigest", OBJ_nid2ln(mdnid), -1); - LAPPEND_STR(interp, certPtr, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1); - LAPPEND_INT(interp, certPtr, "bits", bits); /* Effective security bits */ + LAPPEND_STR(interp, resultObj, "signingDigest", OBJ_nid2ln(mdnid), -1); + LAPPEND_STR(interp, resultObj, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1); + LAPPEND_INT(interp, resultObj, "bits", bits); /* Effective security bits */ key = X509_get0_pubkey_bitstr(cert); - len = String_to_Hex(key->data, key->length, (unsigned char *) buffer, BUFSIZ); - LAPPEND_STR(interp, certPtr, "publicKey", buffer, (Tcl_Size) len); - - len = 0; - if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) { - len = String_to_Hex(md, (int) n, (unsigned char *) buffer, BUFSIZ); - } - LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, (Tcl_Size) len); + LAPPEND_OBJ(interp, resultObj, "publicKey", String_to_Hex(key->data, key->length)); + + if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), (unsigned char *)buffer, &n)) { + LAPPEND_OBJ(interp, resultObj, "publicKeyHash", String_to_Hex((unsigned char *)buffer, (int) n)); + } else { + LAPPEND_STR(interp, resultObj, "publicKeyHash", "", 0); + } /* digest of the DER representation of the certificate */ - len = 0; - if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { - len = String_to_Hex(md, (int) n, (unsigned char *) buffer, BUFSIZ); + if (X509_digest(cert, EVP_get_digestbynid(mdnid), (unsigned char *)buffer, &n)) { + LAPPEND_OBJ(interp, resultObj, "signatureHash", String_to_Hex((unsigned char *)buffer, (int) n)); + } else { + LAPPEND_STR(interp, resultObj, "signatureHash", "", 0); } - LAPPEND_STR(interp, certPtr, "signatureHash", buffer, (Tcl_Size) len); } /* Certificate Purpose. Call before checking for extensions. */ - LAPPEND_STR(interp, certPtr, "purpose", Tls_x509Purpose(cert), -1); - LAPPEND_OBJ(interp, certPtr, "certificatePurpose", Tls_x509Purposes(interp, cert)); + LAPPEND_STR(interp, resultObj, "purpose", Tls_x509Purpose(cert), -1); + LAPPEND_OBJ(interp, resultObj, "certificatePurpose", Tls_x509Purposes(interp, cert)); /* Get extensions flags */ xflags = X509_get_extension_flags(cert); - LAPPEND_INT(interp, certPtr, "extFlags", xflags); + LAPPEND_INT(interp, resultObj, "extFlags", xflags); /* Check if cert was issued by CA cert issuer or self signed */ - LAPPEND_BOOL(interp, certPtr, "selfIssued", xflags & EXFLAG_SI); - LAPPEND_BOOL(interp, certPtr, "selfSigned", xflags & EXFLAG_SS); - LAPPEND_BOOL(interp, certPtr, "isProxyCert", xflags & EXFLAG_PROXY); - LAPPEND_BOOL(interp, certPtr, "extInvalid", xflags & EXFLAG_INVALID); - LAPPEND_BOOL(interp, certPtr, "isCACert", X509_check_ca(cert)); + LAPPEND_BOOL(interp, resultObj, "selfIssued", xflags & EXFLAG_SI); + LAPPEND_BOOL(interp, resultObj, "selfSigned", xflags & EXFLAG_SS); + LAPPEND_BOOL(interp, resultObj, "isProxyCert", xflags & EXFLAG_PROXY); + LAPPEND_BOOL(interp, resultObj, "extInvalid", xflags & EXFLAG_INVALID); + LAPPEND_BOOL(interp, resultObj, "isCACert", X509_check_ca(cert)); /* The Unique Ids are used to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 */ { const ASN1_BIT_STRING *iuid, *suid; - X509_get0_uids(cert, &iuid, &suid); + X509_get0_uids(cert, &iuid, &suid); - Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerUniqueId", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("issuerUniqueId", -1)); if (iuid != NULL) { - Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((const unsigned char *)iuid->data, (Tcl_Size) iuid->length)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewByteArrayObj((const unsigned char *)iuid->data, (Tcl_Size) iuid->length)); } else { - Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("", -1)); } - Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectUniqueId", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("subjectUniqueId", -1)); if (suid != NULL) { - Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((const unsigned char *)suid->data, (Tcl_Size) suid->length)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewByteArrayObj((const unsigned char *)suid->data, (Tcl_Size) suid->length)); } else { - Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); + Tcl_ListObjAppendElement(interp, resultObj, Tcl_NewStringObj("", -1)); } } /* X509 v3 Extensions - RFC 5280 section 4.1.2.9 */ - LAPPEND_INT(interp, certPtr, "extCount", X509_get_ext_count(cert)); - LAPPEND_OBJ(interp, certPtr, "extensions", Tls_x509Extensions(interp, cert)); + LAPPEND_INT(interp, resultObj, "extCount", X509_get_ext_count(cert)); + LAPPEND_OBJ(interp, resultObj, "extensions", Tls_x509Extensions(interp, cert)); /* Authority Key Identifier (AKI) is the Subject Key Identifier (SKI) of its signer (the CA). RFC 5280 section 4.2.1.1, NID_authority_key_identifier */ - LAPPEND_OBJ(interp, certPtr, "authorityKeyIdentifier", + LAPPEND_OBJ(interp, resultObj, "authorityKeyIdentifier", Tls_x509Identifier(X509_get0_authority_key_id(cert))); /* Subject Key Identifier (SKI) is used to identify certificates that contain a particular public key. RFC 5280 section 4.2.1.2, NID_subject_key_identifier */ - LAPPEND_OBJ(interp, certPtr, "subjectKeyIdentifier", + LAPPEND_OBJ(interp, resultObj, "subjectKeyIdentifier", Tls_x509Identifier(X509_get0_subject_key_id(cert))); /* Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key in the certificate. RFC 5280 section 4.2.1.3, NID_key_usage */ - LAPPEND_OBJ(interp, certPtr, "keyUsage", Tls_x509KeyUsage(interp, cert, xflags)); + LAPPEND_OBJ(interp, resultObj, "keyUsage", Tls_x509KeyUsage(interp, cert, xflags)); /* Certificate Policies - indicates the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. RFC 5280 section 4.2.1.4, NID_certificate_policies */ if (xflags & EXFLAG_INVALID_POLICY) { /* Reject cert */ @@ -535,27 +686,27 @@ /* Policy Mappings - RFC 5280 section 4.2.1.5, NID_policy_mappings */ /* Subject Alternative Name (SAN) contains additional URLs, DNS names, or IP addresses bound to certificate. RFC 5280 section 4.2.1.6, NID_subject_alt_name */ - LAPPEND_OBJ(interp, certPtr, "subjectAltName", Tls_x509Names(interp, cert, NID_subject_alt_name, bio)); + LAPPEND_OBJ(interp, resultObj, "subjectAltName", Tls_x509Names(interp, cert, NID_subject_alt_name, bio)); /* Issuer Alternative Name is used to associate Internet style identities with the certificate issuer. RFC 5280 section 4.2.1.7, NID_issuer_alt_name */ - LAPPEND_OBJ(interp, certPtr, "issuerAltName", Tls_x509Names(interp, cert, NID_issuer_alt_name, bio)); + LAPPEND_OBJ(interp, resultObj, "issuerAltName", Tls_x509Names(interp, cert, NID_issuer_alt_name, bio)); /* Subject Directory Attributes provides identification attributes (e.g., nationality) of the subject. RFC 5280 section 4.2.1.8 (subjectDirectoryAttributes) */ /* Basic Constraints identifies whether the subject of the cert is a CA and the max depth of valid cert paths for this cert. RFC 5280 section 4.2.1.9, NID_basic_constraints */ if (!(xflags & EXFLAG_PROXY)) { - LAPPEND_LONG(interp, certPtr, "pathLen", X509_get_pathlen(cert)); + LAPPEND_LONG(interp, resultObj, "pathLen", X509_get_pathlen(cert)); } else { - LAPPEND_LONG(interp, certPtr, "pathLen", X509_get_proxy_pathlen(cert)); + LAPPEND_LONG(interp, resultObj, "pathLen", X509_get_proxy_pathlen(cert)); } - LAPPEND_BOOL(interp, certPtr, "basicConstraintsCA", xflags & EXFLAG_CA); + LAPPEND_BOOL(interp, resultObj, "basicConstraintsCA", xflags & EXFLAG_CA); /* Name Constraints is only used in CA certs to indicate the name space for all subject names in subsequent certificates in a certification path MUST be located. RFC 5280 section 4.2.1.10, NID_name_constraints */ @@ -562,52 +713,66 @@ /* Policy Constraints is only used in CA certs to limit the length of a cert chain for that CA. RFC 5280 section 4.2.1.11, NID_policy_constraints */ /* Extended Key Usage indicates the purposes the certified public key may be used, beyond the basic purposes. RFC 5280 section 4.2.1.12, NID_ext_key_usage */ - LAPPEND_OBJ(interp, certPtr, "extendedKeyUsage", Tls_x509ExtKeyUsage(interp, cert, xflags)); + LAPPEND_OBJ(interp, resultObj, "extendedKeyUsage", Tls_x509ExtKeyUsage(interp, cert, xflags)); /* CRL Distribution Points identifies where CRL information can be obtained. RFC 5280 section 4.2.1.13*/ - LAPPEND_OBJ(interp, certPtr, "crlDistributionPoints", Tls_x509CrlDp(interp, cert)); + LAPPEND_OBJ(interp, resultObj, "crlDistributionPoints", Tls_x509CrlDp(interp, cert)); /* Freshest CRL extension */ if (xflags & EXFLAG_FRESHEST) { } /* Authority Information Access indicates how to access info and services for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access */ - /* Get On-line Certificate Status Protocol (OSCP) Responders URL */ - LAPPEND_OBJ(interp, certPtr, "ocspResponders", Tls_x509Oscp(interp, cert)); + /* On-line Certificate Status Protocol (OSCP) Responders URL */ + LAPPEND_OBJ(interp, resultObj, "ocspResponders", Tls_x509Oscp(interp, cert)); - /* Get Certificate Authority (CA) Issuers URL */ - LAPPEND_OBJ(interp, certPtr, "caIssuers", Tls_x509CaIssuers(interp, cert)); + /* Certificate Authority (CA) Issuers URL */ + LAPPEND_OBJ(interp, resultObj, "caIssuers", Tls_x509CaIssuers(interp, cert)); /* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access */ /* Certificate Alias. If uses a PKCS#12 structure, alias will reflect the friendlyName attribute (RFC 2985). */ { - len = 0; - unsigned char *string = X509_alias_get0(cert, &len); - LAPPEND_STR(interp, certPtr, "alias", (char *) string, (Tcl_Size) len); - string = X509_keyid_get0(cert, &len); - LAPPEND_STR(interp, certPtr, "keyId", (char *) string, (Tcl_Size) len); + int ilen = 0; + unsigned char *string = X509_alias_get0(cert, &ilen); + LAPPEND_STR(interp, resultObj, "alias", (char *) string, (Tcl_Size) ilen); + string = X509_keyid_get0(cert, &ilen); + LAPPEND_STR(interp, resultObj, "keyId", (char *) string, (Tcl_Size) ilen); } /* Certificate and dump all data */ - { - char certStr[CERT_STR_SIZE]; + if (all) { + Tcl_Obj *allObj = Tcl_NewByteArrayObj(NULL, 0); + Tcl_Obj *certObj = Tcl_NewByteArrayObj(NULL, 0); + unsigned char *allStr, *certStr; + + if (allObj == NULL || certObj == NULL) { + Tcl_DecrRefCount(allObj); + BIO_free(bio); + ckfree(buffer); + return resultObj; + } /* Get certificate */ + certStr = Tcl_SetByteArrayLength(certObj, CERT_STR_SIZE); len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE); - LAPPEND_STR(interp, certPtr, "certificate", certStr, (Tcl_Size) len); + Tcl_SetByteArrayLength(certObj, len); + LAPPEND_OBJ(interp, resultObj, "certificate", certObj) - /* Get all cert info */ - len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, certStr, CERT_STR_SIZE); - LAPPEND_STR(interp, certPtr, "all", certStr, (Tcl_Size) len); + /* Get all info on certificate */ + allStr = Tcl_SetByteArrayLength(allObj, CERT_STR_SIZE * 2); + len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, allStr, CERT_STR_SIZE * 2); + Tcl_SetByteArrayLength(allObj, len); + LAPPEND_OBJ(interp, resultObj, "all", allObj) } BIO_free(bio); - return certPtr; + ckfree(buffer); + return resultObj; } Index: library/tls.tcl ================================================================== --- library/tls.tcl +++ library/tls.tcl @@ -1,5 +1,7 @@ +# +# Support functions for the TLS extension # # Copyright (C) 1997-2000 Matt Newman # namespace eval tls { variable logcmd tclLog @@ -13,11 +15,11 @@ variable srvuid 0 # Over-ride this if you are using a different socket command variable socketCmd if {![info exists socketCmd]} { - set socketCmd [info command ::socket] + set socketCmd [info command ::socket] } # This is the possible arguments to tls::socket and tls::init # The format of this is a list of lists ## Each inner list contains the following elements @@ -26,42 +28,43 @@ ### Variable to add the option to: #### sopts: [socket] option #### iopts: [tls::import] option ### How many arguments the following the option to consume variable socketOptionRules { - {0 -async sopts 0} - {* -myaddr sopts 1} - {0 -myport sopts 1} - {* -type sopts 1} - {* -alpn iopts 1} - {* -cadir iopts 1} - {* -cafile iopts 1} - {* -cert iopts 1} - {* -certfile iopts 1} - {* -cipher iopts 1} - {* -ciphersuites iopts 1} - {* -command iopts 1} - {* -dhparams iopts 1} - {* -key iopts 1} - {* -keyfile iopts 1} - {* -password iopts 1} - {* -post_handshake iopts 1} - {* -request iopts 1} - {* -require iopts 1} - {* -securitylevel iopts 1} - {* -autoservername discardOpts 1} - {* -server iopts 1} - {* -servername iopts 1} - {* -session_id iopts 1} - {* -ssl2 iopts 1} - {* -ssl3 iopts 1} - {* -tls1 iopts 1} - {* -tls1.1 iopts 1} - {* -tls1.2 iopts 1} - {* -tls1.3 iopts 1} - {* -validatecommand iopts 1} - {* -vcmd iopts 1} + {0 -async sopts 0} + {* -myaddr sopts 1} + {0 -myport sopts 1} + {* -type sopts 1} + {* -alpn iopts 1} + {* -cadir iopts 1} + {* -cafile iopts 1} + {* -castore iopts 1} + {* -cert iopts 1} + {* -certfile iopts 1} + {* -cipher iopts 1} + {* -ciphersuites iopts 1} + {* -command iopts 1} + {* -dhparams iopts 1} + {* -key iopts 1} + {* -keyfile iopts 1} + {* -password iopts 1} + {* -post_handshake iopts 1} + {* -request iopts 1} + {* -require iopts 1} + {* -securitylevel iopts 1} + {* -autoservername discardOpts 1} + {* -server iopts 1} + {* -servername iopts 1} + {* -session_id iopts 1} + {* -ssl2 iopts 1} + {* -ssl3 iopts 1} + {* -tls1 iopts 1} + {* -tls1.1 iopts 1} + {* -tls1.2 iopts 1} + {* -tls1.3 iopts 1} + {* -validatecommand iopts 1} + {* -vcmd iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer @@ -76,11 +79,11 @@ variable socketOptionsServer variable socketOptionsSwitchBody # Do not re-run if we have already been initialized if {[info exists socketOptionsSwitchBody]} { - return + return } # Create several structures from our list of options ## 1. options: a text representation of the valid options for the current ## server type @@ -87,47 +90,47 @@ ## 2. argSwitchBody: Switch body for processing arguments set options(0) [list] set options(1) [list] set argSwitchBody [list] foreach optionRule $socketOptionRules { - set ruleServer [lindex $optionRule 0] - set ruleOption [lindex $optionRule 1] - set ruleVarToUpdate [lindex $optionRule 2] - set ruleVarArgsToConsume [lindex $optionRule 3] - - foreach server [list 0 1] { - if {![string match $ruleServer $server]} { - continue - } - - lappend options($server) $ruleOption - } - - switch -- $ruleVarArgsToConsume { - 0 { - set argToExecute { - lappend @VAR@ $arg - set argsArray($arg) true - } - } - 1 { - set argToExecute { - incr idx - if {$idx >= [llength $args]} { - return -code error "\"$arg\" option must be followed by value" - } - set argValue [lindex $args $idx] - lappend @VAR@ $arg $argValue - set argsArray($arg) $argValue - } - } - default { - return -code error "Internal argument construction error" - } - } - - lappend argSwitchBody $ruleServer,$ruleOption [string map [list @VAR@ $ruleVarToUpdate] $argToExecute] + set ruleServer [lindex $optionRule 0] + set ruleOption [lindex $optionRule 1] + set ruleVarToUpdate [lindex $optionRule 2] + set ruleVarArgsToConsume [lindex $optionRule 3] + + foreach server [list 0 1] { + if {![string match $ruleServer $server]} { + continue + } + + lappend options($server) $ruleOption + } + + switch -- $ruleVarArgsToConsume { + 0 { + set argToExecute { + lappend @VAR@ $arg + set argsArray($arg) true + } + } + 1 { + set argToExecute { + incr idx + if {$idx >= [llength $args]} { + return -code error "\"$arg\" option must be followed by value" + } + set argValue [lindex $args $idx] + lappend @VAR@ $arg $argValue + set argsArray($arg) $argValue + } + } + default { + return -code error "Internal argument construction error" + } + } + + lappend argSwitchBody $ruleServer,$ruleOption [string map [list @VAR@ $ruleVarToUpdate] $argToExecute] } # Add in the final options lappend argSwitchBody {*,-*} {return -code error "bad option \"$arg\": must be one of $options"} lappend argSwitchBody default break @@ -213,16 +216,16 @@ set server 1 set callback [lindex $args [expr {$idx+1}]] set args [lreplace $args $idx [expr {$idx+1}]] set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" - set options $socketOptionsServer + set options $socketOptionsServer } else { set server 0 set usage "wrong # args: should be \"tls::socket ?options? host port\"" - set options $socketOptionsNoServer + set options $socketOptionsNoServer } # Combine defaults with current options set args [concat $defaults $args] @@ -253,17 +256,17 @@ } set host [lindex $args [expr {$argc-2}]] set port [lindex $args [expr {$argc-1}]] - # If an "-autoservername" option is found, honor it - if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} { - if {![info exists argsArray(-servername)]} { - set argsArray(-servername) $host - lappend iopts -servername $host - } - } + # If an "-autoservername" option is found, honor it + if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} { + if {![info exists argsArray(-servername)]} { + set argsArray(-servername) $host + lappend iopts -servername $host + } + } lappend sopts $host $port } # # Create TCP/IP socket @@ -313,89 +316,83 @@ log 2 "tls::_accept - called \"$callback\" succeeded" } } # -# Sample callback for hooking: - -# -# error -# verify -# info -# -proc tls::callback {option args} { - variable debug - - #log 2 [concat $option $args] +# Sample callback for status data from OpenSSL +# +proc tls::callback {option chan args} { + variable debug switch -- $option { "error" { - foreach {chan msg} $args break + lassign $args msg log 0 "TLS/$chan: error: $msg" } "info" { - # poor man's lassign - foreach {chan major minor msg type} $args break + set type "" + lassign $args major minor msg type - if {$msg != ""} { + if {$msg ne ""} { append state ": $msg" } # For tracing upvar #0 tls::$chan cb set cb($major) $minor log 2 "TLS/$chan: $major/$minor: $state" } "message" { - # poor man's lassign - foreach {chan direction version content_type msg} $args break - - log 0 "TLS/$chan: info: $direction $msg" - } - "session" { - foreach {chan session_id ticket lifetime} $args break - - log 0 "TLS/$chan: session: lifetime $lifetime" - } - default { - return -code error "bad option \"$option\":\ - must be one of error, info, or session" - } - } -} - -# -# Sample callback when return value is needed -# -proc tls::validate_command {option args} { - variable debug - - #log 2 [concat $option $args] - - switch -- $option { - "alpn" { - foreach {chan protocol match} $args break - - log 0 "TLS/$chan: alpn: $protocol $match" - } - "hello" { - foreach {chan servername} $args break - - log 0 "TLS/$chan: hello: $servername" - } - "sni" { - foreach {chan servername} $args break - - log 0 "TLS/$chan: sni: $servername" - } - "verify" { - # poor man's lassign - foreach {chan depth cert rc err} $args break - - array set c $cert - - if {$rc != "1"} { + lassign $args direction version content_type msg + + log 0 "TLS/$chan: info: $direction $msg" + } + "session" { + lassign $args session_id ticket lifetime + + log 0 "TLS/$chan: session: lifetime $lifetime" + } + "verify" { + # Backwards compatible for v1.7 + return [tls::validate_command $option $chan {*}$args] + } + default { + return -code error "bad option \"$option\":\ + must be one of error, info, message, or session" + } + } +} + +# +# Sample callback when return value is needed. New for TLS 1.8+. +# +proc tls::validate_command {option chan args} { + variable debug + + switch -- $option { + "alpn" { + lassign $args protocol match + + log 0 "TLS/$chan: alpn: $protocol $match" + } + "hello" { + lassign $args servername + + log 0 "TLS/$chan: hello: $servername" + } + "sni" { + lassign $args servername + + log 0 "TLS/$chan: sni: $servername" + } + "verify" { + lassign $args depth cert rc err + + array set c $cert + + if {$rc ne "1"} { log 1 "TLS/$chan: verify/$depth: Bad Cert: $err (rc = $rc)" } else { log 2 "TLS/$chan: verify/$depth: $c(subject)" } if {$debug > 0} { @@ -404,21 +401,21 @@ return $rc } } default { return -code error "bad option \"$option\":\ - must be one of alpn, info, or verify" + must be one of alpn, hello, sni, or verify" } } return 1 } proc tls::xhandshake {chan} { upvar #0 tls::$chan cb if {[info exists cb(handshake)] && \ - $cb(handshake) == "done"} { + $cb(handshake) eq "done"} { return 1 } while {1} { vwait tls::${chan}(handshake) if {![info exists cb(handshake)]} { @@ -428,23 +425,26 @@ return 1 } } } -proc tls::password {rwflag size} { +# +# Sample callback to get password when needed. Args are new for TLS 1.8+. +# +proc tls::password {{option password} {rwflag 0} {size 0}} { log 0 "TLS/Password: did you forget to set your passwd!" # Return the worlds best kept secret password. return "secret" } proc tls::log {level msg} { variable debug variable logcmd - if {$level > $debug || $logcmd == ""} { + if {$level > $debug || $logcmd eq ""} { return } set cmd $logcmd lappend cmd $msg uplevel #0 $cmd } Index: license.terms ================================================================== --- license.terms +++ license.terms @@ -25,14 +25,14 @@ NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. GOVERNMENT USE: If you are acquiring this software on behalf of the U.S. government, the Government shall have only "Restricted Rights" -in the software and related documentation as defined in the Federal +in the software and related documentation as defined in the Federal Acquisition Regulations (FARs) in Clause 52.227.19 (c) (2). If you are acquiring the software on behalf of the Department of Defense, the software shall be classified as "Commercial Computer Software" and the Government shall have only "Restricted Rights" as defined in Clause 252.227-7013 (c) (1) of DFARs. Notwithstanding the foregoing, the authors grant the U.S. Government and others acting in its behalf permission to use and distribute the software in accordance with the -terms specified in this license. +terms specified in this license. Index: pkgIndex.tcl.in ================================================================== --- pkgIndex.tcl.in +++ pkgIndex.tcl.in @@ -1,25 +1,32 @@ # -*- tcl -*- # Tcl package index file, version 1.1 # if {[package vsatisfies [package provide Tcl] 9.0-]} { - package ifneeded @PACKAGE_NAME@ @PACKAGE_VERSION@ \ - [list load [file join $dir @PKG_LIB_FILE9@] [string totitle @PACKAGE_NAME@]] - set initScript [file join $dir @PACKAGE_NAME@.tcl] - if {[file exists $initScript]} { - source -encoding utf-8 $initScript - } + package ifneeded @PACKAGE_NAME@ @PACKAGE_VERSION@ [list apply {{dir} { + # Load library + load [file join $dir @PKG_LIB_FILE9@] [string totitle @PACKAGE_NAME@] + + # Source init file + set initScript [file join $dir @PACKAGE_NAME@.tcl] + if {[file exists $initScript]} { + source -encoding utf-8 $initScript + } + }} $dir] } else { if {![package vsatisfies [package provide Tcl] 8.5]} {return} package ifneeded @PACKAGE_NAME@ @PACKAGE_VERSION@ [list apply {{dir} { + # Load library if {[string tolower [file extension @PKG_LIB_FILE8@]] in [list .dll .dylib .so]} { # Load dynamic library load [file join $dir @PKG_LIB_FILE8@] [string totitle @PACKAGE_NAME@] } else { # Static library load {} [string totitle @PACKAGE_NAME@] } + + # Source init file set initScript [file join $dir @PACKAGE_NAME@.tcl] if {[file exists $initScript]} { source -encoding utf-8 $initScript } }} $dir] Index: tclconfig/tcl.m4 ================================================================== --- tclconfig/tcl.m4 +++ tclconfig/tcl.m4 @@ -140,14 +140,20 @@ `ls -d /usr/local/lib 2>/dev/null` \ `ls -d /usr/contrib/lib 2>/dev/null` \ `ls -d /usr/pkg/lib 2>/dev/null` \ `ls -d /usr/lib 2>/dev/null` \ `ls -d /usr/lib64 2>/dev/null` \ + `ls -d /usr/lib/tcl9.0 2>/dev/null` \ + `ls -d /usr/lib/tcl8.7 2>/dev/null` \ `ls -d /usr/lib/tcl8.6 2>/dev/null` \ `ls -d /usr/lib/tcl8.5 2>/dev/null` \ + `ls -d /usr/local/lib/tcl9.0 2>/dev/null` \ + `ls -d /usr/local/lib/tcl8.7 2>/dev/null` \ `ls -d /usr/local/lib/tcl8.6 2>/dev/null` \ `ls -d /usr/local/lib/tcl8.5 2>/dev/null` \ + `ls -d /usr/local/lib/tcl/tcl9.0 2>/dev/null` \ + `ls -d /usr/local/lib/tcl/tcl8.7 2>/dev/null` \ `ls -d /usr/local/lib/tcl/tcl8.6 2>/dev/null` \ `ls -d /usr/local/lib/tcl/tcl8.5 2>/dev/null` \ ; do if test -f "$i/tclConfig.sh" ; then ac_cv_c_tclconfig="`(cd $i; pwd)`" @@ -217,10 +223,14 @@ no_tk=true AC_ARG_WITH(tk, AS_HELP_STRING([--with-tk], [directory containing tk configuration (tkConfig.sh)]), [with_tkconfig="${withval}"]) + AC_ARG_WITH(tk8, + AS_HELP_STRING([--with-tk8], + [Compile for Tk8 in Tk9 environment]), + [with_tk8="${withval}"]) AC_MSG_CHECKING([for Tk configuration]) AC_CACHE_VAL(ac_cv_c_tkconfig,[ # First check to see if --with-tkconfig was specified. if test x"${with_tkconfig}" != x ; then @@ -284,16 +294,22 @@ `ls -d ${exec_prefix}/lib 2>/dev/null` \ `ls -d ${prefix}/lib 2>/dev/null` \ `ls -d /usr/local/lib 2>/dev/null` \ `ls -d /usr/contrib/lib 2>/dev/null` \ `ls -d /usr/pkg/lib 2>/dev/null` \ + `ls -d /usr/lib/tk9.0 2>/dev/null` \ + `ls -d /usr/lib/tk8.7 2>/dev/null` \ `ls -d /usr/lib/tk8.6 2>/dev/null` \ `ls -d /usr/lib/tk8.5 2>/dev/null` \ `ls -d /usr/lib 2>/dev/null` \ `ls -d /usr/lib64 2>/dev/null` \ + `ls -d /usr/local/lib/tk9.0 2>/dev/null` \ + `ls -d /usr/local/lib/tk8.7 2>/dev/null` \ `ls -d /usr/local/lib/tk8.6 2>/dev/null` \ `ls -d /usr/local/lib/tk8.5 2>/dev/null` \ + `ls -d /usr/local/lib/tcl/tk9.0 2>/dev/null` \ + `ls -d /usr/local/lib/tcl/tk8.7 2>/dev/null` \ `ls -d /usr/local/lib/tcl/tk8.6 2>/dev/null` \ `ls -d /usr/local/lib/tcl/tk8.5 2>/dev/null` \ ; do if test -f "$i/tkConfig.sh" ; then ac_cv_c_tkconfig="`(cd $i; pwd)`" @@ -368,26 +384,26 @@ AC_DEFUN([TEA_LOAD_TCLCONFIG], [ AC_MSG_CHECKING([for existence of ${TCL_BIN_DIR}/tclConfig.sh]) if test -f "${TCL_BIN_DIR}/tclConfig.sh" ; then - AC_MSG_RESULT([loading]) + AC_MSG_RESULT([loading]) . "${TCL_BIN_DIR}/tclConfig.sh" else - AC_MSG_RESULT([could not find ${TCL_BIN_DIR}/tclConfig.sh]) + AC_MSG_RESULT([could not find ${TCL_BIN_DIR}/tclConfig.sh]) fi # If the TCL_BIN_DIR is the build directory (not the install directory), # then set the common variable name to the value of the build variables. # For example, the variable TCL_LIB_SPEC will be set to the value # of TCL_BUILD_LIB_SPEC. An extension should make use of TCL_LIB_SPEC # instead of TCL_BUILD_LIB_SPEC since it will work with both an # installed and uninstalled version of Tcl. if test -f "${TCL_BIN_DIR}/Makefile" ; then - TCL_LIB_SPEC="${TCL_BUILD_LIB_SPEC}" - TCL_STUB_LIB_SPEC="${TCL_BUILD_STUB_LIB_SPEC}" - TCL_STUB_LIB_PATH="${TCL_BUILD_STUB_LIB_PATH}" + TCL_LIB_SPEC="${TCL_BUILD_LIB_SPEC}" + TCL_STUB_LIB_SPEC="${TCL_BUILD_STUB_LIB_SPEC}" + TCL_STUB_LIB_PATH="${TCL_BUILD_STUB_LIB_PATH}" elif test "`uname -s`" = "Darwin"; then # If Tcl was built as a framework, attempt to use the libraries # from the framework at the given location so that linking works # against Tcl.framework installed in an arbitrary location. case ${TCL_DEFS} in @@ -476,26 +492,26 @@ AC_DEFUN([TEA_LOAD_TKCONFIG], [ AC_MSG_CHECKING([for existence of ${TK_BIN_DIR}/tkConfig.sh]) if test -f "${TK_BIN_DIR}/tkConfig.sh" ; then - AC_MSG_RESULT([loading]) + AC_MSG_RESULT([loading]) . "${TK_BIN_DIR}/tkConfig.sh" else - AC_MSG_RESULT([could not find ${TK_BIN_DIR}/tkConfig.sh]) + AC_MSG_RESULT([could not find ${TK_BIN_DIR}/tkConfig.sh]) fi # If the TK_BIN_DIR is the build directory (not the install directory), # then set the common variable name to the value of the build variables. # For example, the variable TK_LIB_SPEC will be set to the value # of TK_BUILD_LIB_SPEC. An extension should make use of TK_LIB_SPEC # instead of TK_BUILD_LIB_SPEC since it will work with both an # installed and uninstalled version of Tcl. if test -f "${TK_BIN_DIR}/Makefile" ; then - TK_LIB_SPEC="${TK_BUILD_LIB_SPEC}" - TK_STUB_LIB_SPEC="${TK_BUILD_STUB_LIB_SPEC}" - TK_STUB_LIB_PATH="${TK_BUILD_STUB_LIB_PATH}" + TK_LIB_SPEC="${TK_BUILD_LIB_SPEC}" + TK_STUB_LIB_SPEC="${TK_BUILD_STUB_LIB_SPEC}" + TK_STUB_LIB_PATH="${TK_BUILD_STUB_LIB_PATH}" elif test "`uname -s`" = "Darwin"; then # If Tk was built as a framework, attempt to use the libraries # from the framework at the given location so that linking works # against Tk.framework installed in an arbitrary location. case ${TK_DEFS} in @@ -569,41 +585,41 @@ #------------------------------------------------------------------------ AC_DEFUN([TEA_PROG_TCLSH], [ AC_MSG_CHECKING([for tclsh]) if test -f "${TCL_BIN_DIR}/Makefile" ; then - # tclConfig.sh is in Tcl build directory - if test "${TEA_PLATFORM}" = "windows"; then - if test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" - elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" - elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" - elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" ; then - TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" - fi - else - TCLSH_PROG="${TCL_BIN_DIR}/tclsh" - fi - else - # tclConfig.sh is in install location - if test "${TEA_PLATFORM}" = "windows"; then - TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" - else - TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}.${TCL_MINOR_VERSION}" - fi - list="`ls -d ${TCL_BIN_DIR}/../bin 2>/dev/null` \ - `ls -d ${TCL_BIN_DIR}/.. 2>/dev/null` \ - `ls -d ${TCL_PREFIX}/bin 2>/dev/null`" - for i in $list ; do - if test -f "$i/${TCLSH_PROG}" ; then - REAL_TCL_BIN_DIR="`cd "$i"; pwd`/" - break - fi - done - TCLSH_PROG="${REAL_TCL_BIN_DIR}${TCLSH_PROG}" + # tclConfig.sh is in Tcl build directory + if test "${TEA_PLATFORM}" = "windows"; then + if test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" + elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}s${EXEEXT}" + elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}t${EXEEXT}" + elif test -f "${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" ; then + TCLSH_PROG="${TCL_BIN_DIR}/tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}st${EXEEXT}" + fi + else + TCLSH_PROG="${TCL_BIN_DIR}/tclsh" + fi + else + # tclConfig.sh is in install location + if test "${TEA_PLATFORM}" = "windows"; then + TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}${TCL_MINOR_VERSION}${EXEEXT}" + else + TCLSH_PROG="tclsh${TCL_MAJOR_VERSION}.${TCL_MINOR_VERSION}" + fi + list="`ls -d ${TCL_BIN_DIR}/../bin 2>/dev/null` \ + `ls -d ${TCL_BIN_DIR}/.. 2>/dev/null` \ + `ls -d ${TCL_PREFIX}/bin 2>/dev/null`" + for i in $list ; do + if test -f "$i/${TCLSH_PROG}" ; then + REAL_TCL_BIN_DIR="`cd "$i"; pwd`/" + break + fi + done + TCLSH_PROG="${REAL_TCL_BIN_DIR}${TCLSH_PROG}" fi AC_MSG_RESULT([${TCLSH_PROG}]) AC_SUBST(TCLSH_PROG) ]) @@ -627,41 +643,41 @@ #------------------------------------------------------------------------ AC_DEFUN([TEA_PROG_WISH], [ AC_MSG_CHECKING([for wish]) if test -f "${TK_BIN_DIR}/Makefile" ; then - # tkConfig.sh is in Tk build directory - if test "${TEA_PLATFORM}" = "windows"; then - if test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}${EXEEXT}" ; then - WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}${EXEEXT}" - elif test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}s${EXEEXT}" ; then - WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}$s{EXEEXT}" - elif test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}t${EXEEXT}" ; then - WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}t${EXEEXT}" - elif test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}st${EXEEXT}" ; then - WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}st${EXEEXT}" - fi - else - WISH_PROG="${TK_BIN_DIR}/wish" - fi - else - # tkConfig.sh is in install location - if test "${TEA_PLATFORM}" = "windows"; then - WISH_PROG="wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}${EXEEXT}" - else - WISH_PROG="wish${TK_MAJOR_VERSION}.${TK_MINOR_VERSION}" - fi - list="`ls -d ${TK_BIN_DIR}/../bin 2>/dev/null` \ - `ls -d ${TK_BIN_DIR}/.. 2>/dev/null` \ - `ls -d ${TK_PREFIX}/bin 2>/dev/null`" - for i in $list ; do - if test -f "$i/${WISH_PROG}" ; then - REAL_TK_BIN_DIR="`cd "$i"; pwd`/" - break - fi - done - WISH_PROG="${REAL_TK_BIN_DIR}${WISH_PROG}" + # tkConfig.sh is in Tk build directory + if test "${TEA_PLATFORM}" = "windows"; then + if test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}${EXEEXT}" ; then + WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}${EXEEXT}" + elif test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}s${EXEEXT}" ; then + WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}$s{EXEEXT}" + elif test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}t${EXEEXT}" ; then + WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}t${EXEEXT}" + elif test -f "${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}st${EXEEXT}" ; then + WISH_PROG="${TK_BIN_DIR}/wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}st${EXEEXT}" + fi + else + WISH_PROG="${TK_BIN_DIR}/wish" + fi + else + # tkConfig.sh is in install location + if test "${TEA_PLATFORM}" = "windows"; then + WISH_PROG="wish${TK_MAJOR_VERSION}${TK_MINOR_VERSION}${EXEEXT}" + else + WISH_PROG="wish${TK_MAJOR_VERSION}.${TK_MINOR_VERSION}" + fi + list="`ls -d ${TK_BIN_DIR}/../bin 2>/dev/null` \ + `ls -d ${TK_BIN_DIR}/.. 2>/dev/null` \ + `ls -d ${TK_PREFIX}/bin 2>/dev/null`" + for i in $list ; do + if test -f "$i/${WISH_PROG}" ; then + REAL_TK_BIN_DIR="`cd "$i"; pwd`/" + break + fi + done + WISH_PROG="${REAL_TK_BIN_DIR}${WISH_PROG}" fi AC_MSG_RESULT([${WISH_PROG}]) AC_SUBST(WISH_PROG) ]) @@ -719,26 +735,26 @@ # Stubs are always enabled for shared builds if test "$shared_ok" = "yes" ; then AC_MSG_RESULT([shared]) SHARED_BUILD=1 - STUBS_BUILD=1 + STUBS_BUILD=1 else AC_MSG_RESULT([static]) SHARED_BUILD=0 AC_DEFINE(STATIC_BUILD, 1, [This a static build]) - if test "$stubs_ok" = "yes" ; then - STUBS_BUILD=1 - else - STUBS_BUILD=0 - fi + if test "$stubs_ok" = "yes" ; then + STUBS_BUILD=1 + else + STUBS_BUILD=0 + fi fi if test "${STUBS_BUILD}" = "1" ; then AC_DEFINE(USE_TCL_STUBS, 1, [Use Tcl stubs]) AC_DEFINE(USE_TCLOO_STUBS, 1, [Use TclOO stubs]) if test "${TEA_WINDOWINGSYSTEM}" != ""; then - AC_DEFINE(USE_TK_STUBS, 1, [Use Tk stubs]) + AC_DEFINE(USE_TK_STUBS, 1, [Use Tk stubs]) fi fi AC_SUBST(SHARED_BUILD) AC_SUBST(STUBS_BUILD) @@ -1179,25 +1195,25 @@ ;; esac fi if test "$GCC" != "yes" ; then - if test "${SHARED_BUILD}" = "0" ; then + if test "${SHARED_BUILD}" = "0" ; then runtime=-MT - else + else runtime=-MD - fi - case "x`echo \${VisualStudioVersion}`" in - x1[[4-9]]*) - lflags="${lflags} -nodefaultlib:libucrt.lib" - TEA_ADD_LIBS([ucrt.lib]) - ;; - *) - ;; - esac - - if test "$do64bit" != "no" ; then + fi + case "x`echo \${VisualStudioVersion}`" in + x1[[4-9]]*) + lflags="${lflags} -nodefaultlib:libucrt.lib" + TEA_ADD_LIBS([ucrt.lib]) + ;; + *) + ;; + esac + + if test "$do64bit" != "no" ; then CC="cl.exe" RC="rc.exe" lflags="${lflags} -nologo -MACHINE:${MACHINE} " LINKBIN="link.exe" CFLAGS_DEBUG="-nologo -Zi -Od -W3 ${runtime}d" @@ -1279,21 +1295,21 @@ SHLIB_SUFFIX=".dll" SHARED_LIB_SUFFIX='${TCL_TRIM_DOTS}.dll' TCL_LIB_VERSIONS_OK=nodots - ;; + ;; AIX-*) AS_IF([test "$GCC" != "yes"], [ # AIX requires the _r compiler when gcc isn't being used case "${CC}" in *_r|*_r\ *) # ok ... ;; *) # Make sure only first arg gets _r - CC=`echo "$CC" | sed -e 's/^\([[^ ]]*\)/\1_r/'` + CC=`echo "$CC" | sed -e 's/^\([[^ ]]*\)/\1_r/'` ;; esac AC_MSG_RESULT([Using $CC for compiling with threads]) ]) LIBS="$LIBS -lc" @@ -1492,18 +1508,18 @@ LD_SEARCH_FLAGS='-rpath "${LIB_RUNTIME_DIR}"']) # Check to enable 64-bit flags for compiler/linker AS_IF([test "$do64bit" = yes], [ - AS_IF([test "$GCC" = yes], [ - AC_MSG_WARN([64bit mode not supported by gcc]) - ], [ - do64bit_ok=yes - SHLIB_LD="ld -64 -shared -rdata_shared" - CFLAGS="$CFLAGS -64" - LDFLAGS_ARCH="-64" - ]) + AS_IF([test "$GCC" = yes], [ + AC_MSG_WARN([64bit mode not supported by gcc]) + ], [ + do64bit_ok=yes + SHLIB_LD="ld -64 -shared -rdata_shared" + CFLAGS="$CFLAGS -64" + LDFLAGS_ARCH="-64" + ]) ]) ;; Linux*|GNU*|NetBSD-Debian|DragonFly-*|FreeBSD-*) SHLIB_CFLAGS="-fPIC" SHLIB_SUFFIX=".so" @@ -1521,11 +1537,11 @@ # The -pthread needs to go in the LDFLAGS, not LIBS LIBS=`echo $LIBS | sed s/-pthread//` CFLAGS="$CFLAGS $PTHREAD_CFLAGS" LDFLAGS="$LDFLAGS $PTHREAD_LIBS"]) ;; - esac + esac AS_IF([test $doRpath = yes], [ CC_SEARCH_FLAGS='"-Wl,-rpath,${LIB_RUNTIME_DIR}"']) LD_SEARCH_FLAGS=${CC_SEARCH_FLAGS} AS_IF([test "`uname -m`" = "alpha"], [CFLAGS="$CFLAGS -mieee"]) @@ -1647,19 +1663,10 @@ && echo "$CFLAGS " |grep -E -q -- '-arch (ppc|i386) '], [ fat_32_64=yes]) ]) # TEA specific: use LDFLAGS_DEFAULT instead of LDFLAGS SHLIB_LD='${CC} -dynamiclib ${CFLAGS} ${LDFLAGS_DEFAULT}' - AC_CACHE_CHECK([if ld accepts -single_module flag], tcl_cv_ld_single_module, [ - hold_ldflags=$LDFLAGS - LDFLAGS="$LDFLAGS -dynamiclib -Wl,-single_module" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[int i;]])], - [tcl_cv_ld_single_module=yes],[tcl_cv_ld_single_module=no]) - LDFLAGS=$hold_ldflags]) - AS_IF([test $tcl_cv_ld_single_module = yes], [ - SHLIB_LD="${SHLIB_LD} -Wl,-single_module" - ]) # TEA specific: link shlib with current and compatibility version flags vers=`echo ${PACKAGE_VERSION} | sed -e 's/^\([[0-9]]\{1,5\}\)\(\(\.[[0-9]]\{1,3\}\)\{0,2\}\).*$/\1\2/p' -e d` SHLIB_LD="${SHLIB_LD} -current_version ${vers:-0} -compatibility_version ${vers:-0}" SHLIB_SUFFIX=".dylib" LDFLAGS="$LDFLAGS -headerpad_max_install_names" @@ -1726,13 +1733,13 @@ ;; OSF1-V*) # Digital OSF/1 SHLIB_CFLAGS="" AS_IF([test "$SHARED_BUILD" = 1], [ - SHLIB_LD='ld -shared -expect_unresolved "*"' + SHLIB_LD='ld -shared -expect_unresolved "*"' ], [ - SHLIB_LD='ld -non_shared -expect_unresolved "*"' + SHLIB_LD='ld -non_shared -expect_unresolved "*"' ]) SHLIB_SUFFIX=".so" AS_IF([test $doRpath = yes], [ CC_SEARCH_FLAGS='"-Wl,-rpath,${LIB_RUNTIME_DIR}"' LD_SEARCH_FLAGS='-rpath ${LIB_RUNTIME_DIR}']) @@ -1898,11 +1905,11 @@ AC_CACHE_CHECK([for ld accepts -Bexport flag], tcl_cv_ld_Bexport, [ hold_ldflags=$LDFLAGS LDFLAGS="$LDFLAGS -Wl,-Bexport" AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[int i;]])], [tcl_cv_ld_Bexport=yes],[tcl_cv_ld_Bexport=no]) - LDFLAGS=$hold_ldflags]) + LDFLAGS=$hold_ldflags]) AS_IF([test $tcl_cv_ld_Bexport = yes], [ LDFLAGS="$LDFLAGS -Wl,-Bexport" ]) CC_SEARCH_FLAGS="" LD_SEARCH_FLAGS="" @@ -2017,12 +2024,12 @@ ]], [[ CHAR c; SHORT s; LONG l; ]])], - [tcl_cv_winnt_ignore_void=yes], - [tcl_cv_winnt_ignore_void=no]) + [tcl_cv_winnt_ignore_void=yes], + [tcl_cv_winnt_ignore_void=no]) ) if test "$tcl_cv_winnt_ignore_void" = "yes" ; then AC_DEFINE(HAVE_WINNT_IGNORE_VOID, 1, [Defined when cygwin/mingw ignores VOID define in winnt.h]) fi @@ -2594,13 +2601,13 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[__int64 value = (__int64) 0;]])], [tcl_type_64bit=__int64],[tcl_type_64bit="long long"]) # See if we could use long anyway Note that we substitute in the # type that is our current guess for a 64-bit type inside this check # program, so it should be modified only carefully... - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[switch (0) { - case 1: case (sizeof(${tcl_type_64bit})==sizeof(long)): ; - }]])],[tcl_cv_type_64bit=${tcl_type_64bit}],[])]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[switch (0) { + case 1: case (sizeof(${tcl_type_64bit})==sizeof(long)): ; + }]])],[tcl_cv_type_64bit=${tcl_type_64bit}],[])]) if test "${tcl_cv_type_64bit}" = none ; then AC_DEFINE(TCL_WIDE_INT_IS_LONG, 1, [Do 'long' and 'long long' have the same size (64-bit)?]) AC_MSG_RESULT([yes]) elif test "${tcl_cv_type_64bit}" = "__int64" \ -a "${TEA_PLATFORM}" = "windows" ; then @@ -2641,11 +2648,11 @@ fi AC_CACHE_CHECK([for DIR64], tcl_cv_DIR64,[ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include #include ]], [[struct dirent64 *p; DIR64 d = opendir64("."); - p = readdir64(d); rewinddir64(d); closedir64(d);]])], + p = readdir64(d); rewinddir64(d); closedir64(d);]])], [tcl_cv_DIR64=yes], [tcl_cv_DIR64=no])]) if test "x${tcl_cv_DIR64}" = "xyes" ; then AC_DEFINE(HAVE_DIR64, 1, [Is 'DIR64' in ?]) fi @@ -2664,12 +2671,12 @@ ]])], [tcl_cv_type_off64_t=yes], [tcl_cv_type_off64_t=no])]) dnl Define HAVE_TYPE_OFF64_T only when the off64_t type and the dnl functions lseek64 and open64 are defined. if test "x${tcl_cv_type_off64_t}" = "xyes" && \ - test "x${ac_cv_func_lseek64}" = "xyes" && \ - test "x${ac_cv_func_open64}" = "xyes" ; then + test "x${ac_cv_func_lseek64}" = "xyes" && \ + test "x${ac_cv_func_open64}" = "xyes" ; then AC_DEFINE(HAVE_TYPE_OFF64_T, 1, [Is off64_t in ?]) AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) fi @@ -3197,15 +3204,18 @@ # substituted. (@@@ Might not be necessary anymore) #-------------------------------------------------------------------- PACKAGE_LIB_PREFIX8="${PACKAGE_LIB_PREFIX}" PACKAGE_LIB_PREFIX9="${PACKAGE_LIB_PREFIX}tcl9" - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then PACKAGE_LIB_PREFIX="${PACKAGE_LIB_PREFIX9}" else PACKAGE_LIB_PREFIX="${PACKAGE_LIB_PREFIX8}" AC_DEFINE(TCL_MAJOR_VERSION, 8, [Compile for Tcl8?]) + fi + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tk8}" != x; then + AC_DEFINE(TK_MAJOR_VERSION, 8, [Compile for Tk8?]) fi if test "${TEA_PLATFORM}" = "windows" ; then if test "${SHARED_BUILD}" = "1" ; then # We force the unresolved linking of symbols that are really in # the private libraries of Tcl and Tk. @@ -3226,11 +3236,11 @@ eval eval "PKG_LIB_FILE8=${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE9=${PACKAGE_LIB_PREFIX9}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE=${PACKAGE_LIB_PREFIX}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" fi # Some packages build their own stubs libraries - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then eval eval "PKG_STUB_LIB_FILE=${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub.a" else eval eval "PKG_STUB_LIB_FILE=${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub${UNSHARED_LIB_SUFFIX}" fi if test "$GCC" = "yes"; then @@ -3254,11 +3264,11 @@ eval eval "PKG_LIB_FILE8=lib${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE9=lib${PACKAGE_LIB_PREFIX9}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" eval eval "PKG_LIB_FILE=lib${PACKAGE_LIB_PREFIX}${PACKAGE_NAME}${UNSHARED_LIB_SUFFIX}" fi # Some packages build their own stubs libraries - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then eval eval "PKG_STUB_LIB_FILE=lib${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub.a" else eval eval "PKG_STUB_LIB_FILE=lib${PACKAGE_LIB_PREFIX8}${PACKAGE_NAME}stub${UNSHARED_LIB_SUFFIX}" fi fi @@ -3400,21 +3410,21 @@ # public and private headers in the same set. # We want to ensure these are substituted so as not to require # any *_NATIVE vars be defined in the Makefile TCL_INCLUDES="-I${TCL_GENERIC_DIR_NATIVE} -I${TCL_PLATFORM_DIR_NATIVE}" if test "`uname -s`" = "Darwin"; then - # If Tcl was built as a framework, attempt to use - # the framework's Headers and PrivateHeaders directories - case ${TCL_DEFS} in - *TCL_FRAMEWORK*) + # If Tcl was built as a framework, attempt to use + # the framework's Headers and PrivateHeaders directories + case ${TCL_DEFS} in + *TCL_FRAMEWORK*) if test -d "${TCL_BIN_DIR}/Headers" -a \ -d "${TCL_BIN_DIR}/PrivateHeaders"; then TCL_INCLUDES="-I\"${TCL_BIN_DIR}/Headers\" -I\"${TCL_BIN_DIR}/PrivateHeaders\" ${TCL_INCLUDES}" else TCL_INCLUDES="${TCL_INCLUDES} ${TCL_INCLUDE_SPEC} `echo "${TCL_INCLUDE_SPEC}" | sed -e 's/Headers/PrivateHeaders/'`" fi - ;; + ;; esac result="Using ${TCL_INCLUDES}" else if test ! -f "${TCL_SRC_DIR}/generic/tclInt.h" ; then AC_MSG_ERROR([Cannot find private header tclInt.h in ${TCL_SRC_DIR}]) @@ -3851,14 +3861,14 @@ AC_DEFUN([TEA_LOAD_CONFIG], [ AC_MSG_CHECKING([for existence of ${$1_BIN_DIR}/$1Config.sh]) if test -f "${$1_BIN_DIR}/$1Config.sh" ; then - AC_MSG_RESULT([loading]) + AC_MSG_RESULT([loading]) . "${$1_BIN_DIR}/$1Config.sh" else - AC_MSG_RESULT([file not found]) + AC_MSG_RESULT([file not found]) fi # # If the $1_BIN_DIR is the build directory (not the install directory), # then set the common variable name to the value of the build variables. @@ -3868,15 +3878,15 @@ # installed and uninstalled version of Tcl. # if test -f "${$1_BIN_DIR}/Makefile" ; then AC_MSG_WARN([Found Makefile - using build library specs for $1]) - $1_LIB_SPEC=${$1_BUILD_LIB_SPEC} - $1_STUB_LIB_SPEC=${$1_BUILD_STUB_LIB_SPEC} - $1_STUB_LIB_PATH=${$1_BUILD_STUB_LIB_PATH} - $1_INCLUDE_SPEC=${$1_BUILD_INCLUDE_SPEC} - $1_LIBRARY_PATH=${$1_LIBRARY_PATH} + $1_LIB_SPEC=${$1_BUILD_LIB_SPEC} + $1_STUB_LIB_SPEC=${$1_BUILD_STUB_LIB_SPEC} + $1_STUB_LIB_PATH=${$1_BUILD_STUB_LIB_PATH} + $1_INCLUDE_SPEC=${$1_BUILD_INCLUDE_SPEC} + $1_LIBRARY_PATH=${$1_LIBRARY_PATH} fi AC_SUBST($1_VERSION) AC_SUBST($1_BIN_DIR) AC_SUBST($1_SRC_DIR) @@ -3953,11 +3963,11 @@ eval $1_STUB_LIB_FLAG="-l$1stub${PACKAGE_VERSION}" else eval $1_LIB_FLAG="-l$1`echo ${PACKAGE_VERSION} | tr -d .`" eval $1_STUB_LIB_FLAG="-l$1stub`echo ${PACKAGE_VERSION} | tr -d .`" fi - if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" == x; then + if test "${TCL_MAJOR_VERSION}" -gt 8 -a x"${with_tcl8}" = x; then eval $1_STUB_LIB_FLAG="-l$1stub" fi $1_BUILD_LIB_SPEC="-L`$CYGPATH $(pwd)` ${$1_LIB_FLAG}" $1_LIB_SPEC="-L`$CYGPATH ${pkglibdir}` ${$1_LIB_FLAG}" @@ -4046,56 +4056,56 @@ AC_MSG_CHECKING([for macher]) AC_CACHE_VAL(ac_cv_path_macher, [ search_path=`echo ${PATH} | sed -e 's/:/ /g'` for dir in $search_path ; do - for j in `ls -r $dir/macher 2> /dev/null` \ - `ls -r $dir/macher 2> /dev/null` ; do - if test x"$ac_cv_path_macher" = x ; then - if test -f "$j" ; then - ac_cv_path_macher=$j - break - fi - fi - done + for j in `ls -r $dir/macher 2> /dev/null` \ + `ls -r $dir/macher 2> /dev/null` ; do + if test x"$ac_cv_path_macher" = x ; then + if test -f "$j" ; then + ac_cv_path_macher=$j + break + fi + fi + done done ]) if test -f "$ac_cv_path_macher" ; then - MACHER_PROG="$ac_cv_path_macher" - AC_MSG_RESULT([$MACHER_PROG]) - AC_MSG_RESULT([Found macher in environment]) + MACHER_PROG="$ac_cv_path_macher" + AC_MSG_RESULT([$MACHER_PROG]) + AC_MSG_RESULT([Found macher in environment]) fi AC_MSG_CHECKING([for zip]) AC_CACHE_VAL(ac_cv_path_zip, [ search_path=`echo ${PATH} | sed -e 's/:/ /g'` for dir in $search_path ; do - for j in `ls -r $dir/zip 2> /dev/null` \ - `ls -r $dir/zip 2> /dev/null` ; do - if test x"$ac_cv_path_zip" = x ; then - if test -f "$j" ; then - ac_cv_path_zip=$j - break - fi - fi - done + for j in `ls -r $dir/zip 2> /dev/null` \ + `ls -r $dir/zip 2> /dev/null` ; do + if test x"$ac_cv_path_zip" = x ; then + if test -f "$j" ; then + ac_cv_path_zip=$j + break + fi + fi + done done ]) if test -f "$ac_cv_path_zip" ; then - ZIP_PROG="$ac_cv_path_zip" - AC_MSG_RESULT([$ZIP_PROG]) - ZIP_PROG_OPTIONS="-rq" - ZIP_PROG_VFSSEARCH="*" - AC_MSG_RESULT([Found INFO Zip in environment]) - # Use standard arguments for zip + ZIP_PROG="$ac_cv_path_zip" + AC_MSG_RESULT([$ZIP_PROG]) + ZIP_PROG_OPTIONS="-rq" + ZIP_PROG_VFSSEARCH="*" + AC_MSG_RESULT([Found INFO Zip in environment]) + # Use standard arguments for zip else - # It is not an error if an installed version of Zip can't be located. - # We can use the locally distributed minizip instead - ZIP_PROG="./minizip${EXEEXT_FOR_BUILD}" - ZIP_PROG_OPTIONS="-o -r" - ZIP_PROG_VFSSEARCH="*" - ZIP_INSTALL_OBJS="minizip${EXEEXT_FOR_BUILD}" - AC_MSG_RESULT([No zip found on PATH. Building minizip]) + # It is not an error if an installed version of Zip can't be located. + # We can use the locally distributed minizip instead + ZIP_PROG="./minizip${EXEEXT_FOR_BUILD}" + ZIP_PROG_OPTIONS="-o -r" + ZIP_PROG_VFSSEARCH="*" + ZIP_INSTALL_OBJS="minizip${EXEEXT_FOR_BUILD}" + AC_MSG_RESULT([No zip found on PATH. Building minizip]) fi AC_SUBST(MACHER_PROG) AC_SUBST(ZIP_PROG) AC_SUBST(ZIP_PROG_OPTIONS) AC_SUBST(ZIP_PROG_VFSSEARCH) Index: tests/all.tcl ================================================================== --- tests/all.tcl +++ tests/all.tcl @@ -5,11 +5,10 @@ # in this directory. # # Copyright (c) 1998-2000 by Ajuba Solutions. # All rights reserved. # -# RCS: @(#) $Id: all.tcl,v 1.5 2000/08/15 18:45:01 hobbs Exp $ set path [file normalize [file dirname [file join [pwd] [info script]]]] #set auto_path [linsert $auto_path 0 [file normalize [file join [file dirname [info script]] ..]]] set auto_path [linsert $auto_path 0 [file dirname $path] [file normalize [pwd]]] Index: tests/badssl.csv ================================================================== --- tests/badssl.csv +++ tests/badssl.csv @@ -38,11 +38,11 @@ BadSSL,invalid-expected-sct,,,badssl invalid-expected-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,long-extended-subdomain-name-containing-many-letters-and-dashes,,,badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com,,,,,, BadSSL,longextendedsubdomainnamewithoutdashesinordertotestwordwrapping,,,badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com,,,,,, BadSSL,mitm-software,,,badssl mitm-software.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,no-common-name,,,badssl no-common-name.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 -BadSSL,no-sct,,,badssl no-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 +BadSSL,no-sct,,,badssl no-sct.badssl.com,,,,,, BadSSL,no-subject,,,badssl no-subject.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,null,,,badssl null.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 BadSSL,pinning-test,,,badssl pinning-test.badssl.com,,,,,, BadSSL,preact-cli,,,badssl preact-cli.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,preloaded-hsts,,,badssl preloaded-hsts.badssl.com,,,,,, @@ -49,11 +49,11 @@ BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 BadSSL,rc4,,,badssl rc4.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 BadSSL,revoked,,,badssl revoked.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,rsa2048,,,badssl rsa2048.badssl.com,,,,,, BadSSL,rsa4096,,,badssl rsa4096.badssl.com,,,,,, -BadSSL,rsa8192,,,badssl rsa8192.badssl.com,,,,,, +BadSSL,rsa8192,,,badssl rsa8192.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,self-signed,old_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate""",,,1 BadSSL,self-signed,new_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self-signed certificate""",,,1 BadSSL,sha1-2016,,,badssl sha1-2016.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,sha1-2017,old_api,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,sha1-2017,new_api,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""CA signature digest algorithm too weak""",,,1 Index: tests/badssl.test ================================================================== --- tests/badssl.test +++ tests/badssl.test @@ -147,11 +147,11 @@ badssl no-common-name.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.33 {no-sct} -body { badssl no-sct.badssl.com - } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} + } test BadSSL-1.34 {no-subject} -body { badssl no-subject.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} @@ -179,11 +179,11 @@ badssl rc4.badssl.com } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1} test BadSSL-1.41 {revoked} -body { badssl revoked.badssl.com - } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} + } test BadSSL-1.42 {rsa2048} -body { badssl rsa2048.badssl.com } @@ -191,11 +191,11 @@ badssl rsa4096.badssl.com } test BadSSL-1.44 {rsa8192} -body { badssl rsa8192.badssl.com - } + } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.45 {self-signed} -constraints {old_api} -body { badssl self-signed.badssl.com } -result {handshake failed: certificate verify failed due to "self signed certificate"} -returnCodes {1} Index: tests/certs/README.txt ================================================================== --- tests/certs/README.txt +++ tests/certs/README.txt Index: tests/ciphers.csv ================================================================== --- tests/ciphers.csv +++ tests/ciphers.csv @@ -1,10 +1,10 @@ # Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes command,package require tls,,,,,,,,, command,,,,,,,,,, command,# Make sure path includes location of OpenSSL executable,,,,,,,,, -command,"if {[info exists ::env(OPENSSL)]} {set ::env(path) [string cat [file join $::env(OPENSSL) bin] "";"" $::env(path)}",,,,,,,,, +command,"if {[info exists ::env(OPENSSL)]} {set ::env(path) [string cat [file join $::env(OPENSSL) bin "";""] $::env(path)]}",,,,,,,,, command,,,,,,,,,, command,# Constraints,,,,,,,,, command,set protocols [list ssl2 ssl3 tls1 tls1.1 tls1.2 tls1.3],,,,,,,,, command,foreach protocol $protocols {::tcltest::testConstraint $protocol 0},,,,,,,,, command,foreach protocol [::tls::protocols] {::tcltest::testConstraint $protocol 1},,,,,,,,, Index: tests/ciphers.test ================================================================== --- tests/ciphers.test +++ tests/ciphers.test @@ -9,20 +9,35 @@ set auto_path [concat [list [file dirname [file dirname [info script]]]] $auto_path] package require tls # Make sure path includes location of OpenSSL executable -if {[info exists ::env(OPENSSL)]} {set ::env(path) [string cat [file join $::env(OPENSSL) bin] ";" $::env(path)} +if {[info exists ::env(OPENSSL)]} {set ::env(path) [string cat [file join $::env(OPENSSL) bin ";"] $::env(path)]} # Constraints set protocols [list ssl2 ssl3 tls1 tls1.1 tls1.2 tls1.3] foreach protocol $protocols {::tcltest::testConstraint $protocol 0} foreach protocol [::tls::protocols] {::tcltest::testConstraint $protocol 1} ::tcltest::testConstraint OpenSSL [string match "OpenSSL*" [::tls::version]] # Helper functions -proc lcompare {list1 list2} {set m "";set u "";foreach i $list1 {if {$i ni $list2} {lappend m $i}};foreach i $list2 {if {$i ni $list1} {lappend u $i}};return [list "missing" $m "unexpected" $u]} +proc lcompare {list1 list2} { + set m "" + set u "" + foreach i $list1 { + if {$i ni $list2} { + lappend m $i + } + } + foreach i $list2 { + if {$i ni $list1} { + lappend u $i + } + } + return [list "missing" $m "unexpected" $u] +} + proc exec_get {delim args} {return [split [exec openssl {*}$args] $delim]} # Test protocols @@ -31,85 +46,85 @@ } -result {missing {ssl2 ssl3} unexpected {}} # Test ciphers -test CiphersAll-2.1 {SSL2} -constraints {ssl2} -body { +test Ciphers_By_Protocol-2.1 {SSL2} -constraints {ssl2} -body { lcompare [exec_get ":" ciphers -ssl2] [::tls::ciphers ssl2] } -result {missing {} unexpected {}} -test CiphersAll-2.2 {SSL3} -constraints {ssl3} -body { +test Ciphers_By_Protocol-2.2 {SSL3} -constraints {ssl3} -body { lcompare [exec_get ":" ciphers -ssl3] [::tls::ciphers ssl3] } -result {missing {} unexpected {}} -test CiphersAll-2.3 {TLS1} -constraints {tls1} -body { +test Ciphers_By_Protocol-2.3 {TLS1.0} -constraints {tls1} -body { lcompare [exec_get ":" ciphers -tls1] [::tls::ciphers tls1] } -result {missing {} unexpected {}} -test CiphersAll-2.4 {TLS1.1} -constraints {tls1.1} -body { +test Ciphers_By_Protocol-2.4 {TLS1.1} -constraints {tls1.1} -body { lcompare [exec_get ":" ciphers -tls1_1] [::tls::ciphers tls1.1] } -result {missing {} unexpected {}} -test CiphersAll-2.5 {TLS1.2} -constraints {tls1.2} -body { +test Ciphers_By_Protocol-2.5 {TLS1.2} -constraints {tls1.2} -body { lcompare [exec_get ":" ciphers -tls1_2] [::tls::ciphers tls1.2] } -result {missing {} unexpected {}} -test CiphersAll-2.6 {TLS1.3} -constraints {tls1.3} -body { +test Ciphers_By_Protocol-2.6 {TLS1.3} -constraints {tls1.3} -body { lcompare [exec_get ":" ciphers -tls1_3] [::tls::ciphers tls1.3] } -result {missing {} unexpected {}} # Test cipher descriptions -test CiphersDesc-3.1 {SSL2} -constraints {ssl2} -body { +test Ciphers_With_Descriptions-3.1 {SSL2} -constraints {ssl2} -body { lcompare [exec_get "\r\n" ciphers -ssl2 -v] [split [string trim [::tls::ciphers ssl2 1]] \n] } -result {missing {} unexpected {}} -test CiphersDesc-3.2 {SSL3} -constraints {ssl3} -body { +test Ciphers_With_Descriptions-3.2 {SSL3} -constraints {ssl3} -body { lcompare [exec_get "\r\n" ciphers -ssl3 -v] [split [string trim [::tls::ciphers ssl3 1]] \n] } -result {missing {} unexpected {}} -test CiphersDesc-3.3 {TLS1} -constraints {tls1} -body { +test Ciphers_With_Descriptions-3.3 {TLS1.0} -constraints {tls1} -body { lcompare [exec_get "\r\n" ciphers -tls1 -v] [split [string trim [::tls::ciphers tls1 1]] \n] } -result {missing {} unexpected {}} -test CiphersDesc-3.4 {TLS1.1} -constraints {tls1.1} -body { +test Ciphers_With_Descriptions-3.4 {TLS1.1} -constraints {tls1.1} -body { lcompare [exec_get "\r\n" ciphers -tls1_1 -v] [split [string trim [::tls::ciphers tls1.1 1]] \n] } -result {missing {} unexpected {}} -test CiphersDesc-3.5 {TLS1.2} -constraints {tls1.2} -body { +test Ciphers_With_Descriptions-3.5 {TLS1.2} -constraints {tls1.2} -body { lcompare [exec_get "\r\n" ciphers -tls1_2 -v] [split [string trim [::tls::ciphers tls1.2 1]] \n] } -result {missing {} unexpected {}} -test CiphersDesc-3.6 {TLS1.3} -constraints {tls1.3} -body { +test Ciphers_With_Descriptions-3.6 {TLS1.3} -constraints {tls1.3} -body { lcompare [exec_get "\r\n" ciphers -tls1_3 -v] [split [string trim [::tls::ciphers tls1.3 1]] \n] } -result {missing {} unexpected {}} # Test protocol specific ciphers -test CiphersSpecific-4.1 {SSL2} -constraints {ssl2} -body { +test Ciphers_Protocol_Specific-4.1 {SSL2} -constraints {ssl2} -body { lcompare [exec_get ":" ciphers -ssl2 -s] [::tls::ciphers ssl2 0 1] } -result {missing {} unexpected {}} -test CiphersSpecific-4.2 {SSL3} -constraints {ssl3} -body { +test Ciphers_Protocol_Specific-4.2 {SSL3} -constraints {ssl3} -body { lcompare [exec_get ":" ciphers -ssl3 -s] [::tls::ciphers ssl3 0 1] } -result {missing {} unexpected {}} -test CiphersSpecific-4.3 {TLS1} -constraints {tls1} -body { +test Ciphers_Protocol_Specific-4.3 {TLS1.0} -constraints {tls1} -body { lcompare [exec_get ":" ciphers -tls1 -s] [::tls::ciphers tls1 0 1] } -result {missing {} unexpected {}} -test CiphersSpecific-4.4 {TLS1.1} -constraints {tls1.1} -body { +test Ciphers_Protocol_Specific-4.4 {TLS1.1} -constraints {tls1.1} -body { lcompare [exec_get ":" ciphers -tls1_1 -s] [::tls::ciphers tls1.1 0 1] } -result {missing {} unexpected {}} -test CiphersSpecific-4.5 {TLS1.2} -constraints {tls1.2} -body { +test Ciphers_Protocol_Specific-4.5 {TLS1.2} -constraints {tls1.2} -body { lcompare [exec_get ":" ciphers -tls1_2 -s] [::tls::ciphers tls1.2 0 1] } -result {missing {} unexpected {}} -test CiphersSpecific-4.6 {TLS1.3} -constraints {tls1.3} -body { +test Ciphers_Protocol_Specific-4.6 {TLS1.3} -constraints {tls1.3} -body { lcompare [exec_get ":" ciphers -tls1_3 -s] [::tls::ciphers tls1.3 0 1] } -result {missing {} unexpected {}} # Test version Index: tests/common.tcl ================================================================== --- tests/common.tcl +++ tests/common.tcl @@ -1,5 +1,6 @@ +#!/usr/bin/env tclsh # Common Constraints package require tls # Supported protocols Index: tests/keytest2.tcl ================================================================== --- tests/keytest2.tcl +++ tests/keytest2.tcl @@ -1,6 +1,6 @@ -#! /usr/bin/env tclsh +#!/usr/bin/env tclsh set auto_path [linsert $auto_path 0 [file normalize [file join [file dirname [info script]] ..]]] package require tls set s [tls::socket 127.0.0.1 12300] Index: tests/make_test_files.tcl ================================================================== --- tests/make_test_files.tcl +++ tests/make_test_files.tcl @@ -72,10 +72,11 @@ set in [open $filename r] array set cases [list] # Open output test file set out [open [format %s.test [file rootname $filename]] w] + fconfigure $out -encoding utf-8 -translation {auto lf} array set cases [list] # Add setup commands to test file puts $out [format "# Auto generated test cases for %s" [file tail $filename]] #puts $out [format "# Auto generated test cases for %s created on %s" [file tail $filename] [clock format [clock seconds]]] Index: tests/oldTests/client.pem ================================================================== --- tests/oldTests/client.pem +++ tests/oldTests/client.pem Index: tests/oldTests/server.pem ================================================================== --- tests/oldTests/server.pem +++ tests/oldTests/server.pem @@ -269,11 +269,11 @@ cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA -TfdbFZtAAD2Hx9jUtY3tfdrJOb8= +TfdbFZtAAD2Hx9jUtY3tfdrJOb8= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5 Index: tests/oldTests/tls.tcl ================================================================== --- tests/oldTests/tls.tcl +++ tests/oldTests/tls.tcl @@ -1,11 +1,11 @@ # # Copyright (C) 1997-2000 Matt Newman # set dir [file dirname [info script]] regsub {\.} [info tclversion] {} vshort -if {$tcl_platform(platform) == "windows"} { +if {$tcl_platform(platform) eq "windows"} { if {[info exists tcl_platform(debug)]} { load $dir/../win/Debug$vshort/tls.dll } else { load $dir/../win/Release$vshort/tls.dll } Index: tests/oldTests/tlsAuto.tcl ================================================================== --- tests/oldTests/tlsAuto.tcl +++ tests/oldTests/tlsAuto.tcl @@ -15,11 +15,11 @@ } if {[eof $chan]} { close $chan set ::/Exit 1 } - if {$data != ""} { + if {$data ne ""} { puts -nonewline stderr "$data" } } proc doit {chan count {delay 1000}} { if {$count == 0} { Index: tests/oldTests/tlsBlocking.tcl ================================================================== --- tests/oldTests/tlsBlocking.tcl +++ tests/oldTests/tlsBlocking.tcl Index: tests/oldTests/tlsCiphers.tcl ================================================================== --- tests/oldTests/tlsCiphers.tcl +++ tests/oldTests/tlsCiphers.tcl Index: tests/oldTests/tlsHttp.tcl ================================================================== --- tests/oldTests/tlsHttp.tcl +++ tests/oldTests/tlsHttp.tcl @@ -10,11 +10,11 @@ # # Initialize context # #tls::init -certfile client.pem -cafile server.pem -ssl2 1 -ssl3 1 -tls1 0 ;#-cipher RC4-MD5 -tls::init -cafile server.pem +tls::init -cafile server.pem # # Register with http module # http::register https 443 [list ::tls::socket -require 1] Index: tests/oldTests/tlsSrv.tcl ================================================================== --- tests/oldTests/tlsSrv.tcl +++ tests/oldTests/tlsSrv.tcl @@ -17,12 +17,12 @@ if {[catch {read $chan 1024} data]} { puts stderr "EOF ($data)" catch {close $chan} return } - - if {$verbose && $data != ""} { + + if {$verbose && $data ne ""} { puts -nonewline stderr $data } if {[eof $chan]} { ;# client gone or finished puts stderr "EOF" close $chan ;# release the servers client channel @@ -42,13 +42,13 @@ puts [tls::status $chan] fconfigure $chan -buffering none -blocking 0 fileevent $chan readable [list reflectCB $chan 1] } -#tls::init -cafile server.pem -certfile server.pem +#tls::init -cafile server.pem -certfile server.pem tls::init -cafile server.pem -#tls::init +#tls::init set chan [tls::socket -server acceptCB \ -request 1 -require 0 1234] # -require 1 -command tls::callback 1234] Index: tests/oldTests/tlsSrv2.tcl ================================================================== --- tests/oldTests/tlsSrv2.tcl +++ tests/oldTests/tlsSrv2.tcl @@ -16,12 +16,12 @@ if {[catch {read $chan 1024} data]} { puts stderr "EOF ($data)" catch {close $chan} return } - - if {$verbose && $data != ""} { + + if {$verbose && $data ne ""} { puts -nonewline stderr $data } if {[eof $chan]} { ;# client gone or finished puts stderr "EOF" close $chan ;# release the servers client channel Index: tests/oldTests/tlsUpload.tcl ================================================================== --- tests/oldTests/tlsUpload.tcl +++ tests/oldTests/tlsUpload.tcl @@ -15,11 +15,11 @@ } if {[eof $chan]} { close $chan set ::/Exit 1 } - if {$data != ""} { + if {$data ne ""} { puts -nonewline stderr "$data" } } proc doit {chan count {delay 1000}} { if {$count == 0} { Index: tests/remote.tcl ================================================================== --- tests/remote.tcl +++ tests/remote.tcl @@ -1,5 +1,7 @@ +#!/usr/bin/env tclsh +# # This file contains Tcl code to implement a remote server that can be # used during testing of Tcl socket code. This server is used by some # of the tests in socket.test. # # Source this file in the remote server you are using to test Tcl against. @@ -7,11 +9,10 @@ # Copyright (c) 1995-1996 Sun Microsystems, Inc. # # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # -# RCS: @(#) $Id: remote.tcl,v 1.6 2004/02/11 22:41:25 razzell Exp $ # load tls package package require tls # Initialize message delimitor @@ -58,18 +59,18 @@ proc __readAndExecute__ {s} { global command VERBOSE set l [gets $s] - if {[string compare $l "--Marker--Marker--Marker--"] == 0} { + if {$l eq "--Marker--Marker--Marker--"} { if {[info exists command($s)]} { puts $s [list error incomplete_command] } puts $s "--Marker--Marker--Marker--" return } - if {[string compare $l ""] == 0} { + if {$l eq ""} { if {[eof $s]} { if {$VERBOSE} { puts "Server closing $s, eof from client" } close $s @@ -101,11 +102,11 @@ fconfigure $s -buffering line -translation crlf } set serverIsSilent 0 for {set i 0} {$i < $argc} {incr i} { - if {[string compare -serverIsSilent [lindex $argv $i]] == 0} { + if {[lindex $argv $i] eq "-serverIsSilent"} { set serverIsSilent 1 break } } if {![info exists serverPort]} { @@ -113,11 +114,11 @@ set serverPort $env(serverPort) } } if {![info exists serverPort]} { for {set i 0} {$i < $argc} {incr i} { - if {[string compare -port [lindex $argv $i]] == 0} { + if {[lindex $argv $i] eq "-port"} { if {$i < [expr $argc - 1]} { set serverPort [lindex $argv [expr $i + 1]] } break } @@ -132,11 +133,11 @@ set serverAddress $env(serverAddress) } } if {![info exists serverAddress]} { for {set i 0} {$i < $argc} {incr i} { - if {[string compare -address [lindex $argv $i]] == 0} { + if {[lindex $argv $i] eq "-address"} { if {$i < [expr $argc - 1]} { set serverAddress [lindex $argv [expr $i + 1]] } break } Index: tests/simpleClient.tcl ================================================================== --- tests/simpleClient.tcl +++ tests/simpleClient.tcl @@ -61,11 +61,11 @@ #dputs "EOF $chan ([shortstr $data])" incr OPTS(openports) -1 catch {close $chan} return } - #if {$data != ""} { dputs "got $chan ([shortstr $data])" } + #if {$data ne ""} { dputs "got $chan ([shortstr $data])" } if {[string match *CLOSE\n $data]} { dputs "CLOSE $chan" incr OPTS(openports) -1 close $chan return Index: tests/simpleServer.tcl ================================================================== --- tests/simpleServer.tcl +++ tests/simpleServer.tcl @@ -40,11 +40,11 @@ if {[catch {read $chan} data]} { #dputs "EOF $chan ([shortstr $data)" catch {close $chan} return } - #if {$data != ""} { dputs "got $chan ([shortstr $data])" } + #if {$data ne ""} { dputs "got $chan ([shortstr $data])" } if {[eof $chan]} { # client gone or finished dputs "EOF $chan" close $chan ;# release the port return Index: tests/tlsIO.test ================================================================== --- tests/tlsIO.test +++ tests/tlsIO.test @@ -3,59 +3,58 @@ # This file contains a collection of tests for one or more of the Tcl # built-in commands. Sourcing this file into Tcl runs the tests and # generates output for errors. No output means no errors were found. # # Copyright (c) 1994-1996 Sun Microsystems, Inc. -# Copyright (c) 1998-2000 Ajuba Solutions. +# Copyright (c) 1998-2000 Ajuba Solutions. # # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # -# RCS: @(#) $Id: tlsIO.test,v 1.24 2015/06/06 09:07:08 apnadkarni Exp $ # Running socket tests with a remote server: # ------------------------------------------ -# +# # Some tests in socket.test depend on the existence of a remote server to # which they connect. The remote server must be an instance of tcltest and it # must run the script found in the file "remote.tcl" in this directory. You # can start the remote server on any machine reachable from the machine on # which you want to run the socket tests, by issuing: -# +# # tcltest remote.tcl -port 8048 # Or choose another port number. -# +# # If the machine you are running the remote server on has several IP # interfaces, you can choose which interface the server listens on for # connections by specifying the -address command line flag, so: -# +# # tcltest remote.tcl -address your.machine.com -# +# # These options can also be set by environment variables. On Unix, you can # type these commands to the shell from which the remote server is started: -# +# # shell% setenv serverPort 8048 # shell% setenv serverAddress your.machine.com -# +# # and subsequently you can start the remote server with: -# +# # tcltest remote.tcl -# +# # to have it listen on port 8048 on the interface your.machine.com. -# +# # When the server starts, it prints out a detailed message containing its # configuration information, and it will block until killed with a Ctrl-C. # Once the remote server exists, you can run the tests in socket.test with # the server by setting two Tcl variables: -# +# # % set remoteServerIP # % set remoteServerPort 8048 -# +# # These variables are also settable from the environment. On Unix, you can: -# +# # shell% setenv remoteServerIP machine.where.server.runs # shell% setenv remoteServerPort 8048 -# +# # The preamble of the socket.test file checks to see if the variables are set # either in Tcl or in the environment; if they are, it attempts to connect to # the server. If the connection is successful, the tests using the remote # server will be performed; otherwise, it will attempt to start the remote # server (via exec) on platforms that support this, on the local host, @@ -85,12 +84,12 @@ set clientKey [file join $certsDir client.key] # Some tests require the testthread and exec commands set ::tcltest::testConstraints(testthread) \ - [expr {[info commands testthread] != {}}] -set ::tcltest::testConstraints(exec) [expr {[info commands exec] != {}}] + [expr {[info commands testthread] ne {}}] +set ::tcltest::testConstraints(exec) [expr {[info commands exec] ne {}}] # # If remoteServerIP or remoteServerPort are not set, check in the # environment variables for externally set values. # @@ -119,11 +118,11 @@ # Some errors are normal. dputs "handshake: $result" } elseif {$result == 1} { # Handshake complete if {[llength $args]} { eval [list fconfigure $s] $args } - if {$cmd == ""} { + if {$cmd eq ""} { fileevent $s $type "" } else { fileevent $s $type "$cmd [list $s]" } dputs "handshake: complete" @@ -136,11 +135,11 @@ # # Check if we're supposed to do tests against the remote server # set doTestsWithRemoteServer 1 -if {![info exists remoteServerIP] && ($tcl_platform(platform) != "macintosh")} { +if {![info exists remoteServerIP] && ($tcl_platform(platform) ne "macintosh")} { set remoteServerIP 127.0.0.1 } if {($doTestsWithRemoteServer == 1) && (![info exists remoteServerPort])} { set remoteServerPort $tlsServerPort } @@ -157,11 +156,11 @@ if {$doTestsWithRemoteServer} { catch {close $commandSocket} if {[catch {set commandSocket [tls::socket \ -certfile $clientCert -cafile $caCert -keyfile $clientKey \ $remoteServerIP $remoteServerPort]}] != 0} { - if {[info commands exec] == ""} { + if {[info commands exec] eq ""} { set noRemoteTestReason "can't exec" set doTestsWithRemoteServer 0 } else { set remoteServerIP 127.0.0.1 set remoteFile [file join [pwd] remote.tcl] @@ -222,12 +221,12 @@ while {1} { set line [gets $commandSocket] if {[eof $commandSocket]} { error "remote server disappeared" } - if {[string compare $line "--Marker--Marker--Marker--"] == 0} { - if {[string compare [lindex $resp 0] error] == 0} { + if {$line eq "--Marker--Marker--Marker--"} { + if {[lindex $resp 0] eq "error"} { error [lindex $resp 1] } else { return [lindex $resp 1] } } else { @@ -566,11 +565,11 @@ set l [gets $s] if {[eof $s]} { global x close $s set x done - } else { + } else { incr i puts $s $l } } set i 0 @@ -1143,15 +1142,18 @@ localhost 8831] # This differs from socket-9.1 in that both sides need to be # non-blocking because of TLS' required handshake fconfigure $c -blocking 0 puts -nonewline $c 01234567890123456789012345678901234567890123456789 - close $c + flush $c + set timer2 [after 2000 [list close $c]] set timer [after 10000 "set done timed_out"] vwait done after cancel $timer - close $s + after cancel $timer2 + catch {close $c} + catch {close $s} list $spurious $len } {0 50} test tlsIO-9.2 {testing async write, fileevents, flush on close} {socket} { set firstblock [string repeat a 31] @@ -1229,11 +1231,11 @@ proc timerproc {} { global done count c set done true set count {timer went off, eof is not sticky} close $c - } + } set count 0 set done false proc write_then_close {s} { puts $s bye close $s @@ -1388,21 +1390,21 @@ -certfile $clientCert -cafile $caCert -keyfile $clientKey \ $remoteServerIP 8836] fconfigure $f -translation crlf -buffering line for {set cnt 0} {$cnt < 50} {incr cnt} { puts $f "hello, $cnt" - if {[string compare [gets $f] "hello, $cnt"] != 0} { + if {[gets $f] ne "hello, $cnt"} { break } } close $f sendCommand {close $socket10_7_test_server} set cnt } 50 # Macintosh sockets can have more than one server per port -if {$tcl_platform(platform) == "macintosh"} { +if {$tcl_platform(platform) eq "macintosh"} { set conflictResult {0 8836} } else { set conflictResult {1 {couldn't open socket: address already in use}} } @@ -1464,11 +1466,11 @@ close $s1 close $s2 close $s3 sendCommand {close $socket10_9_test_server} set i -} 100 +} 100 test tlsIO-11.8 {client with several servers} {socket doTestsWithRemoteServer} { sendCertValues sendCommand { tls::init -certfile $serverCert -cafile $caCert -keyfile $serverKey @@ -1722,11 +1724,11 @@ global failed set status [catch {read $file} data] if {$status != 0} { set x "read failed, error was $data" catch { close $file } - } elseif {[string compare {} $data]} { + } elseif {$data ne {}} { } elseif {[fblocked $file]} { } elseif {[eof $file]} { if {$failed} { set x "$type socket was inherited" } else { @@ -1941,11 +1943,11 @@ set l [gets $s] if {[eof $s]} { global x close $s set x done - } else { + } else { incr i puts $s $l } } set i 0 @@ -1953,15 +1955,15 @@ close $f # thread cleans itself up. testthread exit } script - + # create a thread set serverthread [testthread create { source script } ] update - + after 1000 set s [tls::socket 127.0.0.1 8828] fconfigure $s -buffering line catch { @@ -1971,11 +1973,11 @@ close $s update after 2000 lappend result [threadReap] - + set result } {hello 1} test tlsIO-14.1 {test tls::unimport} {socket} { @@ -1988,11 +1990,11 @@ list [catch {tls::unimport bogus} msg] $msg } {1 {can not find channel named "bogus"}} test tlsIO-14.4 {test tls::unimport} {socket} { # stdin can take different names as the "top" channel list [catch {tls::unimport stdin} msg] \ - [string match {bad channel "*": not a TLS channel} $msg] + [string match {bad channel "*": not a stacked channel} $msg] } {1 1} test tlsIO-14.5 {test tls::unimport} {socket} { set len 0 set spurious 0 set done 0 @@ -2029,27 +2031,27 @@ # Following code is based on what was reported in bug #58. Prior # to fix the program would crash with a segfault. proc Accept {sock args} { fconfigure $sock -blocking 0; fileevent $sock readable [list Handshake $sock] - } + } proc Handshake {sock} { set ::done HAND catch {tls::handshake $sock} msg set ::done $msg - } + } # NOTE: when doing an in-process client/server test, both sides need # to be non-blocking for the TLS handshake - # Server - Only accept TLS 1.2 + # Server - Only accept TLS 1.3 set s [tls::socket \ -certfile $serverCert -cafile $caCert -keyfile $serverKey -request 0 \ - -require 0 -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0 -tls1.2 1 -tls1.3 0 \ + -require 0 -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0 -tls1.2 0 -tls1.3 1 \ -server Accept 8831] - # Client - Only propose TLS1.0 + # Client - Only propose TLS1.2 set c [tls::socket -async -cafile $caCert -request 0 -require 0 \ - -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 0 -tls1.2 0 -tls1.3 0 localhost 8831] + -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0 -tls1.2 1 -tls1.3 0 localhost 8831] fconfigure $c -blocking 0 puts $c a ; flush $c after 5000 [list set ::done timeout] vwait ::done switch -exact -- $::done { @@ -2056,10 +2058,12 @@ "handshake failed: wrong ssl version" - "handshake failed: unsupported protocol" { set ::done "handshake failed: wrong version number" } } + catch {close $c} + catch {close $s} set ::done } {handshake failed: wrong version number} # cleanup if {[string match sock* $commandSocket] == 1} { Index: win/README.txt ================================================================== --- win/README.txt +++ win/README.txt @@ -67,18 +67,11 @@ set INSTALLDIR=%TCLINSTALL%\lib set SSLINSTALL=\path\to\openssl\dir 2a) Unzip distribution to %BUILDDIR% -2b) Start BASH shell (MinGW62 Git shell) - - cd %BUILDDIR% - od -A n -v -t xC < 'library/tls.tcl' > tls.tcl.h.new.1 - sed 's@[^0-9A-Fa-f]@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > generic/tls.tcl.h - rm -f tls.tcl.h.new.1 - -2c) Start Visual Studio shell +2b) Start Visual Studio shell At Visual Studio x64 native prompt: cd %BUILDDIR%\win Index: win/makefile.vc ================================================================== --- win/makefile.vc +++ win/makefile.vc @@ -1,22 +1,26 @@ #------------------------------------------------------------- -*- makefile -*- # -# Makefile for TclTLS extensions. +# Makefile for TCL TLS extension # # Basic build, test and install -# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl -# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl test -# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl install +# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl TCLDIR=c:\path\to\tcl\sources +# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl TCLDIR=c:\path\to\tcl\sources test +# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl TCLDIR=c:\path\to\tcl\sources install # # For other build options (debug, static etc.), # See TIP 477 (https://core.tcl-lang.org/tips/doc/main/tip/477.md) for # detailed documentation. # # See the file "license.terms" for information on usage and redistribution # of this file, and for a DISCLAIMER OF ALL WARRANTIES. # #------------------------------------------------------------------------------ + +#------------------------------------------------------------------------- +# Project specific information +#------------------------------------------------------------------------- # The name of the package PROJECT=tls !include "rules-ext.vc" @@ -30,14 +34,15 @@ $(TMP_DIR)\tlsIO.obj \ $(TMP_DIR)\tlsX509.obj # Define any additional project include flags # SSL_INSTALL_FOLDER = with the OpenSSL installation folder following. -PRJ_INCLUDES = -I"$(SSL_INSTALL_FOLDER)\include" -I"$(OPENSSL_INSTALL_DIR)\include" +PRJ_INCLUDES = -I"$(SSL_INSTALL_FOLDER)\include" -I"$(OPENSSL_INSTALL_DIR)\include" -I"$(TMP_DIR)" # Define any additional compiler flags that might be required for the project -PRJ_DEFINES = -D NO_SSL2 -D NO_SSL3 -D _CRT_SECURE_NO_WARNINGS +PRJ_DEFINES = -D NO_SSL2 -D NO_SSL3 /D_CRT_SECURE_NO_WARNINGS /D_CRT_NONSTDC_NO_DEPRECATE /D__STDC_WANT_SECURE_LIB__=1 +# /DTCLEXT_TCLTLS_DEBUG # # SSL Libs: # 1. ${LIBCRYPTO}.dll # 2. ${LIBSSL}.dll @@ -47,50 +52,101 @@ # On *nix libcrypto.so.* and libssl.so.* (where suffix is a version indicator). # PRJ_LIBS = \ "$(SSL_INSTALL_FOLDER)\lib\libssl.lib" \ "$(SSL_INSTALL_FOLDER)\lib\libcrypto.lib" \ - WS2_32.LIB GDI32.LIB ADVAPI32.LIB CRYPT32.LIB USER32.LIB + User32.Lib WS2_32.Lib Gdi32.Lib AdvAPI32.Lib Crypt32.Lib -# Define the standard targets +# Define the standard targets which calls rules.vc !include "targets.vc" +.SUFFIXES: .c .obj .res .man + +#--------------------------------------------------------------------- # Project specific targets +#--------------------------------------------------------------------- + +# Implicit rule to generate html from man files +# NOTE: this requires doctools from tcllib hence it is not intended +# to be run during install. Rather, use it to generate a new version +# of HTML docs to be stored in the repository. +TCLSH = "$(_INSTALLDIR)\..\bin\tclsh.exe" +DTPLITE = "$(_INSTALLDIR)\..\bin\dtplite.tcl" + +make-docs-html: +!IF EXIST($(DTPLITE)) + "$(TCLSH)" "$(DTPLITE)" -o "$(ROOT)\doc\$(PROJECT).html" html "$(ROOT)\doc\$(PROJECT).man" +!ENDIF + +make-docs-n: +!IF EXIST($(DTPLITE)) + "$(TCLSH)" "$(DTPLITE)" -o "$(ROOT)\doc\$(PROJECT).n" nroff "$(ROOT)\doc\$(PROJECT).man" +!ENDIF + +make-docs: +!IF EXIST($(DTPLITE)) + "$(TCLSH)" "$(DTPLITE)" -o "$DOCDIR" html "$(ROOT)\doc" + "$(TCLSH)" "$(DTPLITE)" -o "$DOCDIR" nroff "$(ROOT)\doc" +!ENDIF + +docs: make-docs-n make-docs-html -all: default-target +all: setup default-target clean: default-clean - @if exist $(WIN_DIR)\tlsUuid.h del $(WIN_DIR)\tlsUuid.h realclean: default-hose - @if exist $(WIN_DIR)\tlsUuid.h del $(WIN_DIR)\tlsUuid.h + +# Explicit dependency rules +$(PRJ_OBJS): $(TMP_DIR)\tls.tcl.h $(TMP_DIR)\tlsUuid.h # We must define a pkgindex target that will create a pkgIndex.tcl # file in the $(OUT_DIR) directory. We can just redirect to the # default-pkgindex target for our sample extension. pkgindex: default-pkgindex-tea -$(ROOT)\manifest.uuid: - copy $(WIN_DIR)\gitmanifest.in $(ROOT)\manifest.uuid - git rev-parse HEAD >>$(ROOT)\manifest.uuid +# Create a C source file version of the script resources for inclusion in the +# build so that only the compiled library file is needed for this extension to +# load and operate. +$(TMP_DIR)\tls.tcl.h: $(LIBDIR)\tls.tcl + "$(TCLSH)" << $(LIBDIR)\tls.tcl >$(TMP_DIR)\tls.tcl.h + set in [open [lindex $$argv 0] r] + while {[gets $$in line] != -1} { + switch -regexp -- $$line "^$$" - {^\s*#} continue + regsub -all {\\} $$line {\\\\} line + regsub -all {"} $$line {\"} line + puts "\"$$line\\n\"" + } +<< + +# Use manifest file which defines fossil/git commit id for build-info command +$(TMP_DIR)\manifest.uuid: +!IF EXIST($(ROOT)\manifest.uuid) + @copy "$(ROOT)\manifest.uuid" "$(TMP_DIR)\manifest.uuid" +!ELSE +!IF EXIST($(ROOT)\.git) + @copy "$(WIN_DIR)\gitmanifest.in" "$(TMP_DIR)\manifest.uuid" + @git rev-parse HEAD >>$(TMP_DIR)\manifest.uuid || echo unknown >>$(TMP_DIR)\manifest.uuid +!ELSE + @echo unknown >$(TMP_DIR)\manifest.uuid +!ENDIF +!ENDIF -$(WIN_DIR)\tlsUuid.h: $(ROOT)\manifest.uuid - copy $(WIN_DIR)\tlsUuid.h.in+$(ROOT)\manifest.uuid $(WIN_DIR)\tlsUuid.h - +$(TMP_DIR)\tlsUuid.h: $(TMP_DIR)\manifest.uuid + @copy $(WIN_DIR)\tlsUuid.h.in+$(TMP_DIR)\manifest.uuid $(TMP_DIR)\tlsUuid.h + @echo: >>$(TMP_DIR)\tlsUuid.h # The default install target only installs binaries and scripts so add # an additional target for our documentation. Note this *adds* a target # since no commands are listed after it. The original targets for # install (from targets.vc) will remain. -install: default-pkgindex-tea default-install default-install-docs-html - if exist "$(SSL_INSTALL_FOLDER)\bin\libcrypto-*-x64.dll" ( - xcopy /c /y "$(SSL_INSTALL_FOLDER)\bin\libcrypto-*-x64.dll" "$(PRJ_INSTALL_DIR)" - ) - if exist "$(SSL_INSTALL_FOLDER)\bin\libssl-*-x64.dll" ( - xcopy /c /y "$(SSL_INSTALL_FOLDER)\bin\libssl-*-x64.dll" "$(PRJ_INSTALL_DIR)" - ) - -# Explicit dependency rules -$(GENERICDIR)\tls.c: $(WIN_DIR)\tlsUuid.h +install: pkgindex default-install default-install-docs-html +!IF EXIST($(SSL_INSTALL_FOLDER)\bin\libcrypto-*-x64.dll) + @xcopy /c /y "$(SSL_INSTALL_FOLDER)\bin\libcrypto-*-x64.dll" "$(PRJ_INSTALL_DIR)" +!ENDIF +!IF EXIST($(SSL_INSTALL_FOLDER)\bin\libssl-*-x64.dll) + @xcopy /c /y "$(SSL_INSTALL_FOLDER)\bin\libssl-*-x64.dll" "$(PRJ_INSTALL_DIR)" +!ENDIF # Test package test: default-test + Index: win/nmakehlp.c ================================================================== --- win/nmakehlp.c +++ win/nmakehlp.c @@ -88,11 +88,11 @@ if (argc > 1 && *argv[1] == '-') { switch (*(argv[1]+1)) { case 'c': if (argc != 3) { chars = snprintf(msg, sizeof(msg) - 1, - "usage: %s -c \n" + "usage: %s -c \n" "Tests for whether cl.exe supports an option\n" "exitcodes: 0 == no, 1 == yes, 2 == error\n", argv[0]); WriteFile(GetStdHandle(STD_ERROR_HANDLE), msg, chars, &dwWritten, NULL); return 2; @@ -99,11 +99,11 @@ } return CheckForCompilerFeature(argv[2]); case 'l': if (argc < 3) { chars = snprintf(msg, sizeof(msg) - 1, - "usage: %s -l ? ...?\n" + "usage: %s -l ? ...?\n" "Tests for whether link.exe supports an option\n" "exitcodes: 0 == no, 1 == yes, 2 == error\n", argv[0]); WriteFile(GetStdHandle(STD_ERROR_HANDLE), msg, chars, &dwWritten, NULL); return 2; @@ -269,11 +269,11 @@ &pi); /* Pointer to PROCESS_INFORMATION structure. */ if (!ok) { DWORD err = GetLastError(); int chars = snprintf(msg, sizeof(msg) - 1, - "Tried to launch: \"%s\", but got error [%lu]: ", cmdline, err); + "Tried to launch: \"%s\", but got error [%u]: ", cmdline, err); FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_IGNORE_INSERTS| FORMAT_MESSAGE_MAX_WIDTH_MASK, 0L, err, 0, (LPSTR)&msg[chars], (300-chars), 0); WriteFile(GetStdHandle(STD_ERROR_HANDLE), msg, lstrlen(msg), &err,NULL); @@ -316,15 +316,15 @@ * Look for the commandline warning code in both streams. * - in MSVC 6 & 7 we get D4002, in MSVC 8 we get D9002. */ return !(strstr(Out.buffer, "D4002") != NULL - || strstr(Err.buffer, "D4002") != NULL - || strstr(Out.buffer, "D9002") != NULL - || strstr(Err.buffer, "D9002") != NULL - || strstr(Out.buffer, "D2021") != NULL - || strstr(Err.buffer, "D2021") != NULL); + || strstr(Err.buffer, "D4002") != NULL + || strstr(Out.buffer, "D9002") != NULL + || strstr(Err.buffer, "D9002") != NULL + || strstr(Out.buffer, "D2021") != NULL + || strstr(Err.buffer, "D2021") != NULL); } static int CheckForLinkerFeature( char **options, @@ -403,11 +403,11 @@ &pi); /* Pointer to PROCESS_INFORMATION structure. */ if (!ok) { DWORD err = GetLastError(); int chars = snprintf(msg, sizeof(msg) - 1, - "Tried to launch: \"%s\", but got error [%lu]: ", cmdline, err); + "Tried to launch: \"%s\", but got error [%u]: ", cmdline, err); FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_IGNORE_INSERTS| FORMAT_MESSAGE_MAX_WIDTH_MASK, 0L, err, 0, (LPSTR)&msg[chars], (300-chars), 0); WriteFile(GetStdHandle(STD_ERROR_HANDLE), msg, lstrlen(msg), &err,NULL); @@ -491,13 +491,13 @@ return (strstr(string, substring) != NULL); } /* * GetVersionFromFile -- - * Looks for a match string in a file and then returns the version - * following the match where a version is anything acceptable to - * package provide or package ifneeded. + * Looks for a match string in a file and then returns the version + * following the match where a version is anything acceptable to + * package provide or package ifneeded. */ static const char * GetVersionFromFile( const char *filename, @@ -598,13 +598,13 @@ * consist of lines matching the regular expression: * \s*\S+\s+\S*$ * * Usage is something like: * nmakehlp -S << $** > $@ - * @PACKAGE_NAME@ $(PACKAGE_NAME) - * @PACKAGE_VERSION@ $(PACKAGE_VERSION) - * << + * @PACKAGE_NAME@ $(PACKAGE_NAME) + * @PACKAGE_VERSION@ $(PACKAGE_VERSION) + * << */ static int SubstituteFile( const char *substitutions, @@ -745,26 +745,29 @@ */ hSearch = FindFirstFileEx(path, 0, &finfo, 1, NULL, 0); #else hSearch = FindFirstFile(path, &finfo); #endif - if (hSearch == INVALID_HANDLE_VALUE) + if (hSearch == INVALID_HANDLE_VALUE) { return 1; /* Not found */ + } /* Loop through all subdirs checking if the keypath is under there */ ret = 1; /* Assume not found */ do { int sublen; /* * We need to check it is a directory despite the * FindExSearchLimitToDirectories in the above call. See SDK docs */ - if ((finfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == 0) + if ((finfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == 0) { continue; + } sublen = strlen(finfo.cFileName); - if ((dirlen+1+sublen+1+keylen+1) > sizeof(path)) + if ((dirlen+1+sublen+1+keylen+1) > sizeof(path)) { continue; /* Path does not fit, assume not matched */ + } strncpy(path+dirlen+1, finfo.cFileName, sublen); path[dirlen+1+sublen] = '\\'; strncpy(path+dirlen+1+sublen+1, keypath, keylen+1); if (FileExists(path)) { /* Found a match, print to stdout */ @@ -780,17 +783,17 @@ /* * LocateDependency -- * * Locates a dependency for a package. - * keypath - a relative path within the package directory - * that is used to confirm it is the correct directory. + * keypath - a relative path within the package directory + * that is used to confirm it is the correct directory. * The search path for the package directory is currently only - * the parent and grandparent of the current working directory. - * If found, the command prints - * name_DIRPATH= - * and returns 0. If not found, does not print anything and returns 1. + * the parent and grandparent of the current working directory. + * If found, the command prints + * name_DIRPATH= + * and returns 0. If not found, does not print anything and returns 1. */ static int LocateDependency(const char *keypath) { size_t i; int ret; Index: win/rules.vc ================================================================== --- win/rules.vc +++ win/rules.vc @@ -22,11 +22,11 @@ # The following macros define the version of the rules.vc nmake build system # For modifications that are not backward-compatible, you *must* change # the major version. RULES_VERSION_MAJOR = 1 -RULES_VERSION_MINOR = 11 +RULES_VERSION_MINOR = 13 # The PROJECT macro must be defined by parent makefile. !if "$(PROJECT)" == "" !error *** Error: Macro PROJECT not defined! Please define it before including rules.vc !endif @@ -762,13 +762,13 @@ # If parent makefile has not defined DOTVERSION, try to get it from TEA # first from a configure.in file, and then from configure.ac !ifndef DOTVERSION !if [echo DOTVERSION = \> versions.vc] \ - || [nmakehlp -V $(ROOT)\configure.in AC_INIT >> versions.vc] + || [nmakehlp -V $(ROOT)\configure.in ^[$(PROJECT)^] >> versions.vc] !if [echo DOTVERSION = \> versions.vc] \ - || [nmakehlp -V $(ROOT)\configure.ac AC_INIT >> versions.vc] + || [nmakehlp -V $(ROOT)\configure.ac ^[$(PROJECT)^] >> versions.vc] !error *** Could not figure out extension version. Please define DOTVERSION in parent makefile before including rules.vc. !endif !endif !include versions.vc !endif # DOTVERSION @@ -878,10 +878,14 @@ !endif !if [nmakehlp -f $(OPTS) "tcl8"] !message *** Build for Tcl8 TCL_BUILD_FOR = 8 +!endif +!if [nmakehlp -f $(OPTS) "tk8"] +!message *** Build for Tk8 +TK_BUILD_FOR = 8 !endif !if $(TCL_MAJOR_VERSION) == 8 !if [nmakehlp -f $(OPTS) "time64bit"] !message *** Force 64-bit time_t @@ -1133,20 +1137,20 @@ # # Set up paths to various Tcl executables and libraries needed by extensions # # TIP 430. Unused for 8.6 but no harm defining it to allow a common rules.vc -TCLSCRIPTZIPNAME = libtcl$(TCL_MAJOR_VERSION).$(TCL_MINOR_VERSION)$(TCL_PATCH_LETTER)$(TCL_RELEASE_SERIAL).zip -TKSCRIPTZIPNAME = libtk$(TK_MAJOR_VERSION).$(TK_MINOR_VERSION)$(TK_PATCH_LETTER)$(TK_RELEASE_SERIAL).zip +TCL_ZIP_FILE = libtcl$(TCL_MAJOR_VERSION).$(TCL_MINOR_VERSION)$(TCL_PATCH_LETTER)$(TCL_RELEASE_SERIAL).zip +TK_ZIP_FILE = libtk$(TK_MAJOR_VERSION).$(TK_MINOR_VERSION)$(TK_PATCH_LETTER)$(TK_RELEASE_SERIAL).zip !if $(DOING_TCL) TCLSHNAME = $(PROJECT)sh$(VERSION)$(SUFX).exe TCLSH = $(OUT_DIR)\$(TCLSHNAME) TCLIMPLIB = $(OUT_DIR)\$(PROJECT)$(VERSION)$(SUFX).lib TCLLIBNAME = $(PROJECT)$(VERSION)$(SUFX).$(EXT) TCLLIB = $(OUT_DIR)\$(TCLLIBNAME) -TCLSCRIPTZIP = $(OUT_DIR)\$(TCLSCRIPTZIPNAME) +TCLSCRIPTZIP = $(OUT_DIR)\$(TCL_ZIP_FILE) !if $(TCL_MAJOR_VERSION) == 8 TCLSTUBLIBNAME = $(STUBPREFIX)$(VERSION).lib !else TCLSTUBLIBNAME = $(STUBPREFIX).lib @@ -1178,11 +1182,11 @@ TCLIMPLIB = $(_TCLDIR)\lib\tcl$(TCL_VERSION)t$(SUFX:t=).lib !endif TCL_LIBRARY = $(_TCLDIR)\lib TCLREGLIB = $(_TCLDIR)\lib\tclreg13$(SUFX:t=).lib TCLDDELIB = $(_TCLDIR)\lib\tcldde14$(SUFX:t=).lib -TCLSCRIPTZIP = $(_TCLDIR)\lib\$(TCLSCRIPTZIPNAME) +TCLSCRIPTZIP = $(_TCLDIR)\lib\$(TCL_ZIP_FILE) TCLTOOLSDIR = \must\have\tcl\sources\to\build\this\target TCL_INCLUDES = -I"$(_TCLDIR)\include" !else # Building against Tcl sources @@ -1202,11 +1206,11 @@ TCLIMPLIB = $(_TCLDIR)\win\$(BUILDDIRTOP)\tcl$(TCL_VERSION)t$(SUFX:t=).lib !endif TCL_LIBRARY = $(_TCLDIR)\library TCLREGLIB = $(_TCLDIR)\win\$(BUILDDIRTOP)\tclreg13$(SUFX:t=).lib TCLDDELIB = $(_TCLDIR)\win\$(BUILDDIRTOP)\tcldde14$(SUFX:t=).lib -TCLSCRIPTZIP = $(_TCLDIR)\win\$(BUILDDIRTOP)\$(TCLSCRIPTZIPNAME) +TCLSCRIPTZIP = $(_TCLDIR)\win\$(BUILDDIRTOP)\$(TCL_ZIP_FILE) TCLTOOLSDIR = $(_TCLDIR)\tools TCL_INCLUDES = -I"$(_TCLDIR)\generic" -I"$(_TCLDIR)\win" !endif # TCLINSTALL @@ -1246,16 +1250,16 @@ !else TKSTUBLIBNAME = tkstub.lib !endif !if $(DOING_TK) -WISH = $(OUT_DIR)\$(WISHNAME) +WISH = $(OUT_DIR)\$(WISHNAME) TKSTUBLIB = $(OUT_DIR)\$(TKSTUBLIBNAME) TKIMPLIB = $(OUT_DIR)\$(TKIMPLIBNAME) TKLIB = $(OUT_DIR)\$(TKLIBNAME) TK_INCLUDES = -I"$(WIN_DIR)" -I"$(GENERICDIR)" -TKSCRIPTZIP = $(OUT_DIR)\$(TKSCRIPTZIPNAME) +TKSCRIPTZIP = $(OUT_DIR)\$(TK_ZIP_FILE) !else # effectively NEED_TK !if $(TKINSTALL) # Building against installed Tk WISH = $(_TKDIR)\bin\$(WISHNAME) @@ -1266,11 +1270,11 @@ !if !exist("$(TKIMPLIB)") TKIMPLIBNAME = tk$(TK_VERSION)$(SUFX:t=).lib TKIMPLIB = $(_TKDIR)\lib\$(TKIMPLIBNAME) !endif TK_INCLUDES = -I"$(_TKDIR)\include" -TKSCRIPTZIP = $(_TKDIR)\lib\$(TKSCRIPTZIPNAME) +TKSCRIPTZIP = $(_TKDIR)\lib\$(TK_ZIP_FILE) !else # Building against Tk sources WISH = $(_TKDIR)\win\$(BUILDDIRTOP)\$(WISHNAME) TKSTUBLIB = $(_TKDIR)\win\$(BUILDDIRTOP)\$(TKSTUBLIBNAME) @@ -1280,11 +1284,11 @@ !if !exist("$(TKIMPLIB)") TKIMPLIBNAME = tk$(TK_VERSION)$(SUFX:t=).lib TKIMPLIB = $(_TKDIR)\win\$(BUILDDIRTOP)\$(TKIMPLIBNAME) !endif TK_INCLUDES = -I"$(_TKDIR)\generic" -I"$(_TKDIR)\win" -I"$(_TKDIR)\xlib" -TKSCRIPTZIP = $(_TKDIR)\win\$(BUILDDIRTOP)\$(TKSCRIPTZIPNAME) +TKSCRIPTZIP = $(_TKDIR)\win\$(BUILDDIRTOP)\$(TK_ZIP_FILE) !endif # TKINSTALL tklibs = "$(TKSTUBLIB)" "$(TKIMPLIB)" @@ -1292,11 +1296,12 @@ !endif # $(DOING_TK) || $(NEED_TK) # Various output paths PRJIMPLIB = $(OUT_DIR)\$(PROJECT)$(VERSION)$(SUFX).lib PRJLIBNAME8 = $(PROJECT)$(VERSION)$(SUFX).$(EXT) -PRJLIBNAME9 = tcl9$(PROJECT)$(VERSION)$(SUFX).$(EXT) +# Even when building against Tcl 8, PRJLIBNAME9 must not have "t" +PRJLIBNAME9 = tcl9$(PROJECT)$(VERSION)$(SUFX:t=).$(EXT) !if $(TCL_MAJOR_VERSION) == 8 || "$(TCL_BUILD_FOR)" == "8" PRJLIBNAME = $(PRJLIBNAME8) !else PRJLIBNAME = $(PRJLIBNAME9) !endif @@ -1444,26 +1449,26 @@ !if $(TCL_MAJOR_VERSION) == 8 !if "$(_USE_64BIT_TIME_T)" == "1" OPTDEFINES = $(OPTDEFINES) /D_USE_64BIT_TIME_T=1 !endif - -# _ATL_XP_TARGETING - Newer SDK's need this to build for XP -COMPILERFLAGS = /D_ATL_XP_TARGETING !endif !if "$(TCL_BUILD_FOR)" == "8" OPTDEFINES = $(OPTDEFINES) /DTCL_MAJOR_VERSION=8 !endif +!if "$(TK_BUILD_FOR)" == "8" +OPTDEFINES = $(OPTDEFINES) /DTK_MAJOR_VERSION=8 +!endif # Like the TEA system only set this non empty for non-Tk extensions # Note: some extensions use PACKAGE_NAME and others use PACKAGE_TCLNAME # so we pass both !if !$(DOING_TCL) && !$(DOING_TK) PKGNAMEFLAGS = /DPACKAGE_NAME="\"$(PRJ_PACKAGE_TCLNAME)\"" \ - /DPACKAGE_TCLNAME="\"$(PRJ_PACKAGE_TCLNAME)\"" \ - /DPACKAGE_VERSION="\"$(DOTVERSION)\"" \ - /DMODULE_SCOPE=extern + /DPACKAGE_TCLNAME="\"$(PRJ_PACKAGE_TCLNAME)\"" \ + /DPACKAGE_VERSION="\"$(DOTVERSION)\"" \ + /DMODULE_SCOPE=extern !endif # crt picks the C run time based on selected OPTS !if $(MSVCRT) !if $(DEBUG) && !$(UNCHECKED) @@ -1796,22 +1801,22 @@ FILETYPE VFT_DLL FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" BEGIN - BLOCK "040904b0" - BEGIN - VALUE "FileDescription", "Tcl extension " PROJECT - VALUE "OriginalFilename", PRJLIBNAME - VALUE "FileVersion", DOTVERSION - VALUE "ProductName", "Package " PROJECT " for Tcl" - VALUE "ProductVersion", DOTVERSION - END + BLOCK "040904b0" + BEGIN + VALUE "FileDescription", "Tcl extension " PROJECT + VALUE "OriginalFilename", PRJLIBNAME + VALUE "FileVersion", DOTVERSION + VALUE "ProductName", "Package " PROJECT " for Tcl" + VALUE "ProductVersion", DOTVERSION + END END BLOCK "VarFileInfo" BEGIN - VALUE "Translation", 0x409, 1200 + VALUE "Translation", 0x409, 1200 END END <<