New upstream version 1.6.7+dfsg
Muammar El Khatib authored 8 years ago
Sergei Golovan committed 6 years ago
0 | 2015-05-01 Andreas Kupries <andreask@activestate.com> | |
1 | ||
2 | * configure.in: Bump to version 1.6.5. | |
3 | * win/makefile.vc: | |
4 | * configure: regen with ac-2.59 | |
5 | * tls.c: Accepted SF TLS [bug/patch #57](https://sourceforge.net/p/tls/bugs/57/). | |
6 | * tlsIO.c: Accepted core Tcl patch in [ticket](http://core.tcl.tk/tcl/tktview/0f94f855cafed92d0e174b7d835453a02831b4dd). | |
7 | ||
0 | 8 | 2014-12-05 Andreas Kupries <andreask@activestate.com> |
1 | 9 | |
2 | 10 | * configure.in: Bump to version 1.6.4. |
0 | 0 | #! /bin/sh |
1 | 1 | # Guess values for system-dependent variables and create Makefiles. |
2 | # Generated by GNU Autoconf 2.59 for tls 1.6.4. | |
2 | # Generated by GNU Autoconf 2.59 for tls 1.6.7. | |
3 | 3 | # |
4 | 4 | # Copyright (C) 2003 Free Software Foundation, Inc. |
5 | 5 | # This configure script is free software; the Free Software Foundation |
266 | 266 | # Identity of this package. |
267 | 267 | PACKAGE_NAME='tls' |
268 | 268 | PACKAGE_TARNAME='tls' |
269 | PACKAGE_VERSION='1.6.4' | |
270 | PACKAGE_STRING='tls 1.6.4' | |
269 | PACKAGE_VERSION='1.6.7' | |
270 | PACKAGE_STRING='tls 1.6.7' | |
271 | 271 | PACKAGE_BUGREPORT='' |
272 | 272 | |
273 | 273 | # Factoring default headers for most tests. |
776 | 776 | # Omit some internal or obsolete options to make the list less imposing. |
777 | 777 | # This message is too long to be a string in the A/UX 3.1 sh. |
778 | 778 | cat <<_ACEOF |
779 | \`configure' configures tls 1.6.4 to adapt to many kinds of systems. | |
779 | \`configure' configures tls 1.6.7 to adapt to many kinds of systems. | |
780 | 780 | |
781 | 781 | Usage: $0 [OPTION]... [VAR=VALUE]... |
782 | 782 | |
833 | 833 | |
834 | 834 | if test -n "$ac_init_help"; then |
835 | 835 | case $ac_init_help in |
836 | short | recursive ) echo "Configuration of tls 1.6.4:";; | |
836 | short | recursive ) echo "Configuration of tls 1.6.7:";; | |
837 | 837 | esac |
838 | 838 | cat <<\_ACEOF |
839 | 839 | |
969 | 969 | test -n "$ac_init_help" && exit 0 |
970 | 970 | if $ac_init_version; then |
971 | 971 | cat <<\_ACEOF |
972 | tls configure 1.6.4 | |
972 | tls configure 1.6.7 | |
973 | 973 | generated by GNU Autoconf 2.59 |
974 | 974 | |
975 | 975 | Copyright (C) 2003 Free Software Foundation, Inc. |
983 | 983 | This file contains any messages produced by compilers while |
984 | 984 | running configure, to aid debugging if configure makes a mistake. |
985 | 985 | |
986 | It was created by tls $as_me 1.6.4, which was | |
986 | It was created by tls $as_me 1.6.7, which was | |
987 | 987 | generated by GNU Autoconf 2.59. Invocation command line was |
988 | 988 | |
989 | 989 | $ $0 $@ |
10810 | 10810 | } >&5 |
10811 | 10811 | cat >&5 <<_CSEOF |
10812 | 10812 | |
10813 | This file was extended by tls $as_me 1.6.4, which was | |
10813 | This file was extended by tls $as_me 1.6.7, which was | |
10814 | 10814 | generated by GNU Autoconf 2.59. Invocation command line was |
10815 | 10815 | |
10816 | 10816 | CONFIG_FILES = $CONFIG_FILES |
10865 | 10865 | |
10866 | 10866 | cat >>$CONFIG_STATUS <<_ACEOF |
10867 | 10867 | ac_cs_version="\\ |
10868 | tls config.status 1.6.4 | |
10868 | tls config.status 1.6.7 | |
10869 | 10869 | configured by $0, generated by GNU Autoconf 2.59, |
10870 | 10870 | with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" |
10871 | 10871 |
10 | 10 | dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. |
11 | 11 | dnl Their home page on the web is "www.rsasecurity.com". |
12 | 12 | # |
13 | # RCS: @(#) $Id: configure.in,v 1.28 2014/12/08 19:09:06 andreas_kupries Exp $ | |
13 | # RCS: @(#) $Id: configure.in,v 1.31 2015/07/07 17:16:02 andreas_kupries Exp $ | |
14 | 14 | |
15 | 15 | |
16 | 16 | #-------------------------------------------------------------------- |
17 | 17 | # macro used to verify that the configure script can find the sources |
18 | 18 | #-------------------------------------------------------------------- |
19 | 19 | |
20 | AC_INIT([tls], [1.6.4]) | |
20 | AC_INIT([tls], [1.6.7]) | |
21 | 21 | |
22 | 22 | TEA_INIT([3.8]) |
23 | 23 |
9 | 9 | # See the file "license.terms" for information on usage and redistribution |
10 | 10 | # of this file, and for a DISCLAIMER OF ALL WARRANTIES. |
11 | 11 | # |
12 | # RCS: @(#) $Id: tlsIO.test,v 1.23 2008/03/19 22:06:13 hobbs2 Exp $ | |
12 | # RCS: @(#) $Id: tlsIO.test,v 1.24 2015/06/06 09:07:08 apnadkarni Exp $ | |
13 | 13 | |
14 | 14 | # Running socket tests with a remote server: |
15 | 15 | # ------------------------------------------ |
2027 | 2027 | [catch {close $s} err] $err |
2028 | 2028 | } {{} 0 {} 0 {}} |
2029 | 2029 | |
2030 | test tls-bug58-1.0 {test protocol negotiation failure} {socket} { | |
2031 | # Following code is based on what was reported in bug #58. Prior | |
2032 | # to fix the program would crash with a segfault. | |
2033 | proc Accept {sock args} { | |
2034 | fconfigure $sock -blocking 0; | |
2035 | fileevent $sock readable [list Handshake $sock] | |
2036 | } | |
2037 | proc Handshake {sock} { | |
2038 | set ::done HAND | |
2039 | catch {tls::handshake $sock} msg | |
2040 | set ::done $msg | |
2041 | } | |
2042 | # NOTE: when doing an in-process client/server test, both sides need | |
2043 | # to be non-blocking for the TLS handshake | |
2044 | ||
2045 | # Server - Only accept TLS 1 or higher | |
2046 | set s [tls::socket \ | |
2047 | -certfile $serverCert -cafile $caCert -keyfile $serverKey \ | |
2048 | -request 0 -require 0 -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 \ | |
2049 | -server Accept 8831] | |
2050 | # Client - Only propose SSL3 | |
2051 | set c [tls::socket -async \ | |
2052 | -cafile $caCert \ | |
2053 | -request 0 -require 0 -ssl2 0 -ssl3 1 -tls1 0 -tls1.1 0 -tls1.2 0 \ | |
2054 | [info hostname] 8831] | |
2055 | fconfigure $c -blocking 0 | |
2056 | puts $c a ; flush $c | |
2057 | after 5000 [list set ::done timeout] | |
2058 | vwait ::done | |
2059 | set ::done | |
2060 | } {handshake failed: wrong version number} | |
2061 | ||
2030 | 2062 | # cleanup |
2031 | 2063 | if {[string match sock* $commandSocket] == 1} { |
2032 | 2064 | puts $commandSocket exit |
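Review bot: The new tls-bug58-1.0 test never closes `$s` or `$c` and never cancels the 5-second `after` timer, so the listening socket on port 8831 outlives the test and a stale `set ::done timeout` can fire while a later test is waiting on `::done`. Because the body ends with `set ::done`, the closes and the cancel have to go before that line (or into a cleanup script if the harness supports one). Whether any later test in this file reuses 8831 or `::done` is not visible here, but the leak itself is.
```tcl
# … unchanged: Accept/Handshake procs, server and client setup …
set timer [after 5000 [list set ::done timeout]]
vwait ::done
after cancel $timer
catch {close $c}
catch {close $s}
set ::done
```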
4 | 4 | * Copyright (C) 2002 ActiveState Corporation |
5 | 5 | * Copyright (C) 2004 Starfish Systems |
6 | 6 | * |
7 | * $Header: /cvsroot/tls/tls/tls.c,v 1.35 2014/12/08 19:09:06 andreas_kupries Exp $ | |
7 | * $Header: /cvsroot/tls/tls/tls.c,v 1.37 2015/07/07 17:16:02 andreas_kupries Exp $ | |
8 | 8 | * |
9 | 9 | * TLS (aka SSL) Channel - can be layered on any bi-directional |
10 | 10 | * Tcl_Channel (Note: Requires Trf Core Patch) |
63 | 63 | Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[])); |
64 | 64 | |
65 | 65 | static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, |
66 | char *cert, char *CAdir, char *CAfile, char *ciphers)); | |
66 | char *cert, char *CAdir, char *CAfile, char *ciphers, | |
67 | char *DHparams)); | |
67 | 68 | |
68 | 69 | static int TlsLibInit _ANSI_ARGS_ (()) ; |
69 | 70 | |
78 | 79 | * Static data structures |
79 | 80 | */ |
80 | 81 | |
81 | #ifndef NO_DH | |
82 | /* from openssl/apps/s_server.c */ | |
83 | ||
84 | static unsigned char dh512_p[]={ | |
85 | 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, | |
86 | 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, | |
87 | 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, | |
88 | 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, | |
89 | 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, | |
90 | 0x47,0x74,0xE8,0x33, | |
82 | #ifndef OPENSSL_NO_DH | |
83 | /* code derived from output of 'openssl dhparam -C 2048' */ | |
84 | ||
85 | static unsigned char dh2048_p[]={ | |
86 | 0xEC,0xFD,0x6F,0x66,0xD8,0xBC,0xB4,0xCB,0xD7,0xE7,0xB4,0xAE, | |
87 | 0xEC,0xC0,0x06,0x25,0x40,0x9F,0x3F,0xC4,0xAC,0x34,0x19,0x36, | |
88 | 0x8A,0xAB,0xA9,0xF6,0x45,0x36,0x87,0x1F,0x10,0x35,0x3F,0x90, | |
89 | 0x00,0xC6,0x7A,0xE8,0x51,0xF4,0x7F,0x50,0x0F,0xC2,0x82,0x91, | |
90 | 0xAD,0x60,0x1B,0x49,0xB1,0x0B,0x23,0xC3,0x37,0xAE,0x0D,0x2C, | |
91 | 0x49,0xC6,0xFB,0x60,0x9D,0x50,0x2F,0x8C,0x2F,0xDE,0xE6,0x5F, | |
92 | 0x53,0x8B,0x5F,0xF9,0x70,0x16,0xEE,0x51,0xD1,0xAB,0x02,0x48, | |
93 | 0x61,0xF1,0xA0,0xD7,0xBD,0x04,0x24,0xF0,0xE4,0xD1,0x0A,0x4C, | |
94 | 0x28,0xDC,0x22,0x78,0x7C,0xED,0x2A,0xFA,0xF4,0x57,0x7C,0xAE, | |
95 | 0xDF,0x52,0xC6,0xA2,0x11,0x28,0xC5,0x3B,0xB8,0x2F,0x95,0x3F, | |
96 | 0x1E,0x05,0x66,0xFE,0x7D,0x1A,0x73,0xA0,0x45,0xF8,0xBB,0x8C, | |
97 | 0x64,0xB9,0xA9,0x4D,0x23,0xBE,0x20,0x60,0xA2,0xF7,0xC7,0xD8, | |
98 | 0xD8,0x49,0x28,0x9A,0x81,0xAC,0xF9,0x7F,0x3C,0xFC,0xBE,0x25, | |
99 | 0x5B,0x1D,0xB6,0xAB,0x08,0x06,0x11,0x8D,0x94,0x69,0x3C,0x68, | |
100 | 0x98,0x5A,0x90,0xF8,0xEB,0x19,0xCA,0x9F,0x1C,0x50,0x96,0x53, | |
101 | 0xEF,0xEC,0x1B,0x93,0x4F,0x53,0xB7,0xD9,0x04,0x8E,0x48,0x99, | |
102 | 0x6E,0x24,0xFF,0x66,0xF5,0xB0,0xDF,0x00,0xBA,0x22,0xE2,0xB6, | |
103 | 0xE3,0x3A,0xC2,0x95,0xB1,0x14,0x68,0xFB,0xA5,0x37,0x22,0x78, | |
104 | 0x56,0x5C,0xA4,0x23,0x31,0x02,0x97,0x7D,0xA9,0x84,0x0B,0x12, | |
105 | 0x26,0x58,0x2F,0x86,0x10,0xAD,0xB0,0xAB,0xB9,0x7B,0x05,0x9A, | |
106 | 0xDE,0x11,0xF1,0xE7,0x34,0xC7,0x95,0x42,0x1C,0x4F,0xA9,0xA8, | |
107 | 0x92,0xDF,0x3F,0x7B, | |
91 | 108 | }; |
92 | static unsigned char dh512_g[]={ | |
109 | static unsigned char dh2048_g[]={ | |
93 | 110 | 0x02, |
94 | 111 | }; |
95 | 112 | |
96 | static DH *get_dh512() | |
113 | ||
114 | static DH *get_dh2048() | |
97 | 115 | { |
98 | 116 | DH *dh=NULL; |
99 | 117 | |
100 | 118 | if ((dh=DH_new()) == NULL) return(NULL); |
101 | 119 | |
102 | dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); | |
103 | dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); | |
120 | dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); | |
121 | dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); | |
104 | 122 | |
105 | 123 | if ((dh->p == NULL) || (dh->g == NULL)) |
106 | 124 | return(NULL); |
730 | 748 | char *ciphers = NULL; |
731 | 749 | char *CAfile = NULL; |
732 | 750 | char *CAdir = NULL; |
751 | char *DHparams = NULL; | |
733 | 752 | char *model = NULL; |
734 | 753 | #ifndef OPENSSL_NO_TLSEXT |
735 | 754 | char *servername = NULL; /* hostname for Server Name Indication */ |
777 | 796 | OPTSTR( "-certfile", cert); |
778 | 797 | OPTSTR( "-cipher", ciphers); |
779 | 798 | OPTOBJ( "-command", script); |
799 | OPTSTR( "-dhparams", DHparams); | |
780 | 800 | OPTSTR( "-keyfile", key); |
781 | 801 | OPTSTR( "-model", model); |
782 | 802 | OPTOBJ( "-password", password); |
793 | 813 | OPTBOOL( "-tls1.1", tls1_1); |
794 | 814 | OPTBOOL( "-tls1.2", tls1_2); |
795 | 815 | |
796 | OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); | |
816 | OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); | |
797 | 817 | |
798 | 818 | return TCL_ERROR; |
799 | 819 | } |
808 | 828 | proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); |
809 | 829 | |
810 | 830 | /* reset to NULL if blank string provided */ |
811 | if (cert && !*cert) cert = NULL; | |
812 | if (key && !*key) key = NULL; | |
813 | if (ciphers && !*ciphers) ciphers = NULL; | |
814 | if (CAfile && !*CAfile) CAfile = NULL; | |
815 | if (CAdir && !*CAdir) CAdir = NULL; | |
831 | if (cert && !*cert) cert = NULL; | |
832 | if (key && !*key) key = NULL; | |
833 | if (ciphers && !*ciphers) ciphers = NULL; | |
834 | if (CAfile && !*CAfile) CAfile = NULL; | |
835 | if (CAdir && !*CAdir) CAdir = NULL; | |
836 | if (DHparams && !*DHparams) DHparams = NULL; | |
816 | 837 | |
817 | 838 | /* new SSL state */ |
818 | 839 | statePtr = (State *) ckalloc((unsigned) sizeof(State)); |
863 | 884 | } |
864 | 885 | ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; |
865 | 886 | } else { |
866 | if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers)) | |
867 | == (SSL_CTX*)0) { | |
887 | if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, | |
888 | DHparams)) == (SSL_CTX*)0) { | |
868 | 889 | Tls_Free((char *) statePtr); |
869 | 890 | return TCL_ERROR; |
870 | 891 | } |
1024 | 1045 | */ |
1025 | 1046 | |
1026 | 1047 | static SSL_CTX * |
1027 | CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers) | |
1048 | CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams) | |
1028 | 1049 | State *statePtr; |
1029 | 1050 | int proto; |
1030 | 1051 | char *key; |
1032 | 1053 | char *CAdir; |
1033 | 1054 | char *CAfile; |
1034 | 1055 | char *ciphers; |
1056 | char *DHparams; | |
1035 | 1057 | { |
1036 | 1058 | Tcl_Interp *interp = statePtr->interp; |
1037 | 1059 | SSL_CTX *ctx = NULL; |
1122 | 1144 | #endif |
1123 | 1145 | break; |
1124 | 1146 | } |
1125 | ||
1147 | ||
1126 | 1148 | ctx = SSL_CTX_new (method); |
1127 | 1149 | |
1128 | 1150 | SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ |
1140 | 1162 | SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr); |
1141 | 1163 | #endif |
1142 | 1164 | |
1143 | #ifndef NO_DH | |
1165 | /* read a Diffie-Hellman parameters file, or use the built-in one */ | |
1166 | #ifdef OPENSSL_NO_DH | |
1167 | if (DHparams != NULL) { | |
1168 | Tcl_AppendResult(interp, | |
1169 | "DH parameter support not available", (char *) NULL); | |
1170 | SSL_CTX_free(ctx); | |
1171 | return (SSL_CTX *)0; | |
1172 | } | |
1173 | #else | |
1144 | 1174 | { |
1145 | DH* dh = get_dh512(); | |
1175 | DH* dh; | |
1176 | if (DHparams != NULL) { | |
1177 | BIO *bio; | |
1178 | Tcl_DStringInit(&ds); | |
1179 | bio = BIO_new_file(F2N(DHparams, &ds), "r"); | |
1180 | if (!bio) { | |
1181 | Tcl_DStringFree(&ds); | |
1182 | Tcl_AppendResult(interp, | |
1183 | "Could not find DH parameters file", (char *) NULL); | |
1184 | SSL_CTX_free(ctx); | |
1185 | return (SSL_CTX *)0; | |
1186 | } | |
1187 | ||
1188 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); | |
1189 | BIO_free(bio); | |
1190 | Tcl_DStringFree(&ds); | |
1191 | if (!dh) { | |
1192 | Tcl_AppendResult(interp, | |
1193 | "Could not read DH parameters from file", (char *) NULL); | |
1194 | SSL_CTX_free(ctx); | |
1195 | return (SSL_CTX *)0; | |
1196 | } | |
1197 | } else { | |
1198 | dh = get_dh2048(); | |
1199 | } | |
1146 | 1200 | SSL_CTX_set_tmp_dh(ctx, dh); |
1147 | 1201 | DH_free(dh); |
1148 | 1202 | } |
1216 | 1270 | return (SSL_CTX *)0; |
1217 | 1271 | #endif |
1218 | 1272 | } |
1219 | SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( F2N(CAfile, &ds) )); | |
1273 | ||
1274 | /* https://sourceforge.net/p/tls/bugs/57/ */ | |
1275 | if ( CAfile != NULL ) { | |
1276 | STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) ); | |
1277 | if ( certNames != NULL ) { | |
1278 | SSL_CTX_set_client_CA_list(ctx, certNames ); | |
1279 | } | |
1280 | } | |
1220 | 1281 | |
1221 | 1282 | Tcl_DStringFree(&ds); |
1222 | 1283 | Tcl_DStringFree(&ds1); |
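Review bot: In the DH block of CTX_Init, `dh` from `get_dh2048()` can be NULL (it returns NULL when `DH_new` or either `BN_bin2bn` fails) and the return value of `SSL_CTX_set_tmp_dh` is ignored, so a context can end up with no ephemeral DH group at all and nothing is reported; the same applies when a `-dhparams` file parses but is rejected by OpenSSL. Both cases should fail the way the surrounding file-open and PEM-read errors already do. Separately, nothing checks the strength of a user-supplied file — a 512-bit group is accepted as readily as the new 2048-bit built-in — so at minimum a comment that callers are trusted to supply strong parameters is warranted, with a `DH_check`/minimum-size check as the stronger option if every OpenSSL version this builds against provides it.
```c
		} else {
			dh = get_dh2048();
		}
		if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) {
			if (dh != NULL) DH_free(dh);
			Tcl_AppendResult(interp,
				"Could not set DH parameters", (char *) NULL);
			SSL_CTX_free(ctx);
			return (SSL_CTX *)0;
		}
		DH_free(dh);
```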
18 | 18 | </dd> |
19 | 19 | <dd><a href="#SYNOPSIS">SYNOPSIS</a> </dd> |
20 | 20 | <dd><dl> |
21 | <dd><b>package require Tcl </b><em>?8.2?</em></dd> | |
22 | <dd><b>package require tls </b><em>?1.5?</em></dd> | |
21 | <dd><b>package require Tcl </b><em>?8.4?</em></dd> | |
22 | <dd><b>package require tls </b><em>?1.6?</em></dd> | |
23 | 23 | <dt> </dt> |
24 | 24 | <dd><b>tls::init </b><i>?options?</i> </dd> |
25 | 25 | <dd><b>tls::socket </b><em>?options? host port</em></dd> |
49 | 49 | |
50 | 50 | <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> |
51 | 51 | |
52 | <p><b>package require Tcl 8.2</b><br> | |
52 | <p><b>package require Tcl 8.4</b><br> | |
53 | 53 | <b>package require tls 1.6</b><br> |
54 | 54 | <br> |
55 | 55 | <a href="#tls::init"><b>tls::init </b><i>?options?</i><br> |
74 | 74 | API for Tcl 8.2 and higher. The sockets behave exactly the same |
75 | 75 | as channels created using Tcl's built-in <strong>socket</strong> |
76 | 76 | command with additional options for controlling the SSL session. |
77 | To use TLS with an earlier version of Tcl than 8.2, please obtain | |
78 | TLS 1.3. Please note that there are known limitations with the | |
79 | stacked channel implementation prior to 8.3.2, so it is recommended | |
80 | that TLS is used with an 8.3.2+ interpreter. The current version | |
81 | of TLS will work with Tcl 8.2+, it is just more stable with 8.3.2+. | |
77 | To use TLS with an earlier version of Tcl than 8.4, please obtain | |
78 | TLS 1.3. | |
82 | 79 | </p> |
83 | 80 | |
84 | 81 | <h3><a name="COMMANDS">COMMANDS</a></h3> |
173 | 170 | <br> |
174 | 171 | See <a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a> for |
175 | 172 | further discussion.</dd> |
173 | <dt><strong>-dhparams </strong><em>filename</em></dt> | |
174 | <dd>Provide a Diffie-Hellman parameters file.</dd> | |
176 | 175 | <dt><strong>-keyfile</strong> <em>filename</em></dt> |
177 | 176 | <dd>Provide the private key file. (<strong>default</strong>: |
178 | 177 | value of -certfile)</dd> |
390 | 389 | |
391 | 390 | <h3><a name="HTTPS EXAMPLE">HTTPS EXAMPLE</a></h3> |
392 | 391 | |
393 | <p>This example requires a patch to the <strong>http</strong> | |
394 | module that ships with Tcl - this patch has been submitted for | |
395 | inclusion in Tcl 8.2.1, but is also provided in the tls directory | |
396 | if needed. A sample server.pem is provided with the TLS release, | |
392 | <p>This example uses a sample server.pem provided with the TLS release, | |
397 | 393 | courtesy of the <strong>OpenSSL</strong> project.</p> |
398 | 394 | |
399 | 395 | <pre><code> |
0 | 0 | # |
1 | 1 | # Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> |
2 | 2 | # |
3 | # $Header: /cvsroot/tls/tls/tls.tcl,v 1.13 2014/12/08 19:09:06 andreas_kupries Exp $ | |
3 | # $Header: /cvsroot/tls/tls/tls.tcl,v 1.14 2015/07/07 17:16:03 andreas_kupries Exp $ | |
4 | 4 | # |
5 | 5 | namespace eval tls { |
6 | 6 | variable logcmd tclLog |
70 | 70 | set args [lreplace $args $idx [expr {$idx+1}]] |
71 | 71 | |
72 | 72 | set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" |
73 | set options "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" | |
73 | set options "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" | |
74 | 74 | } else { |
75 | 75 | set server 0 |
76 | 76 | |
77 | 77 | set usage "wrong # args: should be \"tls::socket ?options? host port\"" |
78 | set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" | |
78 | set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" | |
79 | 79 | } |
80 | 80 | set argc [llength $args] |
81 | 81 | set sopts {} |
93 | 93 | *,-certfile - |
94 | 94 | *,-cipher - |
95 | 95 | *,-command - |
96 | *,-dhparams - | |
96 | 97 | *,-keyfile - |
97 | 98 | *,-password - |
98 | 99 | *,-request - |
1 | 1 | * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> |
2 | 2 | * Copyright (C) 2000 Ajuba Solutions |
3 | 3 | * |
4 | * $Header: /cvsroot/tls/tls/tlsIO.c,v 1.17 2014/12/08 19:09:06 andreas_kupries Exp $ | |
4 | * $Header: /cvsroot/tls/tls/tlsIO.c,v 1.19 2015/06/06 09:07:08 apnadkarni Exp $ | |
5 | 5 | * |
6 | 6 | * TLS (aka SSL) Channel - can be layered on any bi-directional |
7 | 7 | * Tcl_Channel (Note: Requires Trf Core Patch) |
344 | 344 | if (!SSL_is_init_finished(statePtr->ssl)) { |
345 | 345 | bytesRead = Tls_WaitForConnect(statePtr, errorCodePtr); |
346 | 346 | if (bytesRead <= 0) { |
347 | if (*errorCodePtr == ECONNRESET) { | |
348 | /* Soft EOF */ | |
349 | *errorCodePtr = 0; | |
350 | bytesRead = 0; | |
351 | } | |
347 | 352 | goto input; |
348 | 353 | } |
349 | 354 | } |
883 | 888 | |
884 | 889 | dprintf(stderr,"\nWaitForConnect(0x%x)", (unsigned int) statePtr); |
885 | 890 | |
891 | if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { | |
892 | /* | |
893 | * We choose ECONNRESET over ECONNABORTED here because some server | |
894 | * side code, on the wiki for example, sets up a read handler that | |
895 | * does a read and if eof closes the channel. There is no catch/try | |
896 | * around the reads so exceptions will result in potentially many | |
897 | * dangling channels hanging around that should have been closed. | |
898 | * (Backgroun: ECONNABORTED maps to a Tcl exception and | |
899 | * ECONNRESET maps to graceful EOF). | |
900 | */ | |
901 | *errorCodePtr = ECONNRESET; | |
902 | return -1; | |
903 | } | |
904 | ||
886 | 905 | for (;;) { |
887 | 906 | /* Not initialized yet! */ |
888 | 907 | if (statePtr->flags & TLS_TCL_SERVER) { |
901 | 920 | if (rc == SSL_ERROR_SSL) { |
902 | 921 | Tls_Error(statePtr, |
903 | 922 | (char *)ERR_reason_error_string(ERR_get_error())); |
923 | statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; | |
904 | 924 | *errorCodePtr = ECONNABORTED; |
905 | 925 | return -1; |
906 | 926 | } else if (BIO_should_retry(statePtr->bio)) { |
912 | 932 | continue; |
913 | 933 | } |
914 | 934 | } else if (err == 0) { |
915 | if (Tcl_Eof(statePtr->self)) { | |
916 | return 0; | |
917 | } | |
918 | 935 | dprintf(stderr,"CR! "); |
919 | 936 | *errorCodePtr = ECONNRESET; |
920 | 937 | return -1; |
924 | 941 | if (err != X509_V_OK) { |
925 | 942 | Tls_Error(statePtr, |
926 | 943 | (char *)X509_verify_cert_error_string(err)); |
944 | statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; | |
927 | 945 | *errorCodePtr = ECONNABORTED; |
928 | 946 | return -1; |
929 | 947 | } |
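Review bot: The new TLS_TCL_HANDSHAKE_FAILED branch in Tls_WaitForConnect returns ECONNRESET, and the read-side hunk earlier in this file now turns ECONNRESET into a soft EOF with `*errorCodePtr = 0`, so after the first ECONNABORTED every later read on a channel whose certificate verification failed (the `err != X509_V_OK` branch) looks like a clean close. A script that drives the channel from a readable fileevent and only tests `eof` will never see the verification failure unless it inspected that first error or calls `tls::handshake` itself; the comment explains the trade-off, but it belongs in the user-facing documentation as well, and `Backgroun:` should read `Background:`. The removed `Tcl_Eof` check also means the `err == 0` case now always returns -1 rather than 0; any caller of Tls_WaitForConnect outside this hunk that distinguished those two results should be re-checked.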
0 | 0 | /* |
1 | 1 | * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com> |
2 | 2 | * |
3 | * $Header: /cvsroot/tls/tls/tlsInt.h,v 1.16 2014/12/08 19:09:06 andreas_kupries Exp $ | |
3 | * $Header: /cvsroot/tls/tls/tlsInt.h,v 1.17 2015/06/06 09:07:08 apnadkarni Exp $ | |
4 | 4 | * |
5 | 5 | * TLS (aka SSL) Channel - can be layered on any bi-directional |
6 | 6 | * Tcl_Channel (Note: Requires Trf Core Patch) |
99 | 99 | #define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ |
100 | 100 | #define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update |
101 | 101 | * looping problem. [Bug 1652380] */ |
102 | #define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once | |
103 | * set, all further I/O will result | |
104 | * in ECONNABORTED errors. */ | |
102 | 105 | |
103 | 106 | #define TLS_TCL_DELAY (5) |
104 | 107 |
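Review bot: The comment on TLS_TCL_HANDSHAKE_FAILED says further I/O yields ECONNABORTED, but the tlsIO.c change in this same commit returns ECONNRESET when the flag is set (and explains why it chose that), so the header documents the opposite of what the code does. Suggest `/* Set on handshake failures; once set, further I/O returns ECONNRESET, which the read path treats as a soft EOF. */`.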
17 | 17 | # Copyright (c) 2003-2006 Pat Thoyts |
18 | 18 | # |
19 | 19 | #------------------------------------------------------------------------- |
20 | # RCS: @(#)$Id: makefile.vc,v 1.11 2014/12/08 19:09:06 andreas_kupries Exp $ | |
20 | # RCS: @(#)$Id: makefile.vc,v 1.14 2015/06/06 09:07:08 apnadkarni Exp $ | |
21 | 21 | #------------------------------------------------------------------------- |
22 | 22 | |
23 | 23 | # Check to see we are configured to build with MSVC (MSDEVDIR or MSVCDIR) |
163 | 163 | #PROJECT_REQUIRES_TK=1 |
164 | 164 | !include "rules.vc" |
165 | 165 | |
166 | DOTVERSION = 1.6.4 | |
166 | DOTVERSION = 1.6.6 | |
167 | 167 | VERSION = $(DOTVERSION:.=) |
168 | 168 | STUBPREFIX = $(PROJECT)stub |
169 | 169 | |
191 | 191 | SSL_LIB_DIR = $(OPENSSL)\lib |
192 | 192 | !endif |
193 | 193 | |
194 | SSL_LIBS =-libpath:"$(SSL_LIB_DIR)" ssleay32s.lib libeay32s.lib | |
194 | SSL_LIBS =-libpath:"$(SSL_LIB_DIR)" ssleay32.lib libeay32.lib | |
195 | 195 | |
196 | 196 | SSL_CFLAGS =-DNO_IDEA=1 -DNO_RC5=1 |
197 | 197 | |
198 | !if !exist("$(SSL_LIB_DIR)\ssleay32s.lib") | |
198 | !if !exist("$(SSL_LIB_DIR)\ssleay32.lib") | |
199 | 199 | MSG = ^ |
200 | Failed to locate "$(SSL_LIB_DIR)\ssleay32s.lib" | |
200 | Failed to locate "$(SSL_LIB_DIR)\ssleay32.lib" | |
201 | 201 | You must provide the path to your OpenSSL library.... |
202 | 202 | !error $(MSG) |
203 | 203 | !endif |
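Review bot: `DOTVERSION = 1.6.6` disagrees with the 1.6.7 set in configure.in, configure and the ChangeLog in this same commit, so a Windows build registers a package version that `package require tls 1.6.7` cannot satisfy; it should be `DOTVERSION = 1.6.7`. The switch from `ssleay32s.lib`/`libeay32s.lib` to `ssleay32.lib`/`libeay32.lib` also moves the build from static to import-library linking, meaning the resulting DLL needs the OpenSSL DLLs at runtime — worth a line in the build notes if that is intended, since the intent is not visible here.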