Check-in [a87c836d6c]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Merged in trunk
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | tls-1-7
Files: files | file ages | folders
SHA1:a87c836d6cf3cddb816c05b7571db462cf64dbfb
User & Date: rkeene 2016-12-14 14:42:57
Context
2016-12-14
14:43
TclTLS 1.7.10 check-in: f0d0acd4b5 user: rkeene tags: tls-1-7, tls-1-7-10
14:42
Merged in trunk check-in: a87c836d6c user: rkeene tags: tls-1-7
14:40
Updated EOF while reading from the BIO to map to soft EOF check-in: 24ce678ecd user: rkeene tags: trunk
2016-12-13
20:23
TclTLS 1.7.9 check-in: 7b0845cfb3 user: rkeene tags: tls-1-7, tls-1-7-9
Changes

Changes to Makefile.in.

1
2
3
4
5
6
7
8
9
10
11
12
13
14



15
16
17
18
19
20
21
..
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
..
50
51
52
53
54
55
56

57






58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
..
79
80
81
82
83
84
85
86
87
88
CC = @CC@
AR = @AR@
RANLIB = @RANLIB@
CFLAGS = @CFLAGS@ @SHOBJFLAGS@
CPPFLAGS = @CPPFLAGS@ -I@srcdir@ -I. @DEFS@ @TCL_DEFS@
LDFLAGS = @LDFLAGS@ @SHOBJLDFLAGS@
LIBS = @LIBS@
INSTALL = @INSTALL@
PACKAGE_VERSION = @PACKAGE_VERSION@
prefix = @prefix@
exec_prefix = @exec_prefix@
libdir = @libdir@
TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@
PACKAGE_INSTALL_DIR = $(TCL_PACKAGE_PATH)/tcltls$(PACKAGE_VERSION)



VPATH = @srcdir@

all: @EXTENSION_TARGET@

# The shared object target
tcltls.@SHOBJEXT@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o tcltls.@SHOBJEXT@ tls.o tlsBIO.o tlsIO.o tlsX509.o $(LIBS)
................................................................................
tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h Makefile
tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h Makefile
tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h Makefile

# Create a C-source-ified version of the script resources
# for TclTLS so that we only need a single file to enable
# this extension
tls.tcl.h: @srcdir@/tls.tcl
	od -A n -v -t xC < '@srcdir@/tls.tcl' > tls.tcl.h.new.1
	sed 's@  *@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > tls.tcl.h.new.2
	rm -f tls.tcl.h.new.1
	mv tls.tcl.h.new.2 tls.tcl.h

# Create default DH parameters
dh_params.h: @srcdir@/gen_dh_params Makefile
................................................................................
# tree -- the default target will not match paths
.c.o:
	$(CC) $(CPPFLAGS) $(CFLAGS) -o "$@" -c "$<"

# Install the extension
install: @EXTENSION_TARGET@ pkgIndex.tcl
	$(INSTALL) -d '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'

	$(INSTALL) -c @EXTENSION_TARGET@ pkgIndex.tcl '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'







# Test target, run the automated test suite
test: @EXTENSION_TARGET@
	@TCLSH_PROG@ @srcdir@/tests/all.tcl $(TESTFLAGS) -load "lappend auto_path $(shell pwd)"

# Clean the local build directory for rebuild against the same configuration
clean:
	rm -f tls.o tlsBIO.o tlsIO.o tlsX509.o
	rm -f tcltls.@SHOBJEXT@
	rm -f tcltls.@SHOBJEXT@.a tcltls.@SHOBJEXT@.def
	rm -f tcltls.a.new tcltls.a
	rm -f tls.tcl.h.new.1 tls.tcl.h.new.2
	@if [ '@srcdir@' != '.' ]; then echo rm -f tls.tcl.h; rm -f tls.tcl.h; fi

# Clean the local build directory back to what it was after unpacking the
# distribution tarball
distclean: clean
	rm -f config.log config.status
	rm -f dh_params.h.new dh_params.h
	rm -f Makefile pkgIndex.tcl
................................................................................

# Clean the local build directory back to only thing things that exist in
# version control system
mrproper: distclean
	rm -f @srcdir@/configure @srcdir@/config.sub @srcdir@/config.guess @srcdir@/install-sh
	rm -f @srcdir@/aclocal.m4
	rm -rf @srcdir@/autom4te.cache
	rm -f @srcdir@/tls.tcl.h

.PHONY: all install clean distclean mrproper test







<






>
>
>







 







|







 







>
|
>
>
>
>
>
>











|
<







 







<

|
1
2
3
4
5
6
7

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
..
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
..
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

79
80
81
82
83
84
85
..
87
88
89
90
91
92
93

94
95
CC = @CC@
AR = @AR@
RANLIB = @RANLIB@
CFLAGS = @CFLAGS@ @SHOBJFLAGS@
CPPFLAGS = @CPPFLAGS@ -I@srcdir@ -I. @DEFS@ @TCL_DEFS@
LDFLAGS = @LDFLAGS@ @SHOBJLDFLAGS@
LIBS = @LIBS@

PACKAGE_VERSION = @PACKAGE_VERSION@
prefix = @prefix@
exec_prefix = @exec_prefix@
libdir = @libdir@
TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@
PACKAGE_INSTALL_DIR = $(TCL_PACKAGE_PATH)/tcltls$(PACKAGE_VERSION)
INSTALL = @INSTALL@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_DATA = @INSTALL_DATA@
VPATH = @srcdir@

all: @EXTENSION_TARGET@

# The shared object target
tcltls.@SHOBJEXT@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o tcltls.@SHOBJEXT@ tls.o tlsBIO.o tlsIO.o tlsX509.o $(LIBS)
................................................................................
tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h Makefile
tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h Makefile
tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h Makefile

# Create a C-source-ified version of the script resources
# for TclTLS so that we only need a single file to enable
# this extension
tls.tcl.h: @srcdir@/tls.tcl Makefile
	od -A n -v -t xC < '@srcdir@/tls.tcl' > tls.tcl.h.new.1
	sed 's@  *@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > tls.tcl.h.new.2
	rm -f tls.tcl.h.new.1
	mv tls.tcl.h.new.2 tls.tcl.h

# Create default DH parameters
dh_params.h: @srcdir@/gen_dh_params Makefile
................................................................................
# tree -- the default target will not match paths
.c.o:
	$(CC) $(CPPFLAGS) $(CFLAGS) -o "$@" -c "$<"

# Install the extension
install: @EXTENSION_TARGET@ pkgIndex.tcl
	$(INSTALL) -d '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'
	$(INSTALL_PROGRAM) @EXTENSION_TARGET@ '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'
	$(INSTALL_DATA)    pkgIndex.tcl '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'

# A convienent helper to undo the installation just done
uninstall:
	rm -f '$(DESTDIR)$(PACKAGE_INSTALL_DIR)/@EXTENSION_TARGET@'
	rm -f '$(DESTDIR)$(PACKAGE_INSTALL_DIR)/pkgIndex.tcl'
	-rmdir '$(DESTDIR)$(PACKAGE_INSTALL_DIR)'

# Test target, run the automated test suite
test: @EXTENSION_TARGET@
	@TCLSH_PROG@ @srcdir@/tests/all.tcl $(TESTFLAGS) -load "lappend auto_path $(shell pwd)"

# Clean the local build directory for rebuild against the same configuration
clean:
	rm -f tls.o tlsBIO.o tlsIO.o tlsX509.o
	rm -f tcltls.@SHOBJEXT@
	rm -f tcltls.@SHOBJEXT@.a tcltls.@SHOBJEXT@.def
	rm -f tcltls.a.new tcltls.a
	rm -f tls.tcl.h tls.tcl.h.new.1 tls.tcl.h.new.2


# Clean the local build directory back to what it was after unpacking the
# distribution tarball
distclean: clean
	rm -f config.log config.status
	rm -f dh_params.h.new dh_params.h
	rm -f Makefile pkgIndex.tcl
................................................................................

# Clean the local build directory back to only thing things that exist in
# version control system
mrproper: distclean
	rm -f @srcdir@/configure @srcdir@/config.sub @srcdir@/config.guess @srcdir@/install-sh
	rm -f @srcdir@/aclocal.m4
	rm -rf @srcdir@/autom4te.cache


.PHONY: all install uninstall clean distclean mrproper test

Changes to README.txt.

12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Full filevent sematics should also be intact - see tests directory for
blocking and non-blocking examples.

The current release is TLS 1.6, with binaries built against OpenSSL 0.9.8g.
For best security and function, always compile from source with the latest
official release of OpenSSL (http://www.openssl.org/).

TLS requires Tcl 8.2.0+, with 8.3.2+ preferred.  The stacked channel
implementation in Tcl was originally introduced in 8.2.0 (previously the
Trf patch) and rewritten for 8.3.2+ due to inherent limitations in the
earlier implementation.  TLS should compile with any stubs-capable Tcl
interpreter, but will require 8.2+ when loaded.  There are known
limitations in the 8.2.0-8.3.1 stacked channel implementation, so it is
encouraged that people use TLS with an 8.3.2+ Tcl interpreter.  These
modifications are by Jeff Hobbs.

Non-exclusive credits for TLS are:
   Original work: Matt Newman @ Novadigm
   Updates: Jeff Hobbs @ ActiveState
   Tcl Channel mechanism: Andreas Kupries
   Impetus/Related work: tclSSL (Colin McCormack, Shared Technology)
                         SSLtcl (Peter Antman)

This code is licensed under the same terms as the Tcl Core.







|
|
<
<
<
<
<
<









12
13
14
15
16
17
18
19
20






21
22
23
24
25
26
27
28
29
Full filevent sematics should also be intact - see tests directory for
blocking and non-blocking examples.

The current release is TLS 1.6, with binaries built against OpenSSL 0.9.8g.
For best security and function, always compile from source with the latest
official release of OpenSSL (http://www.openssl.org/).

TLS 1.7 and newer require Tcl 8.4.0+, older versions may be used if older
versions of Tcl need to be used.







Non-exclusive credits for TLS are:
   Original work: Matt Newman @ Novadigm
   Updates: Jeff Hobbs @ ActiveState
   Tcl Channel mechanism: Andreas Kupries
   Impetus/Related work: tclSSL (Colin McCormack, Shared Technology)
                         SSLtcl (Peter Antman)

This code is licensed under the same terms as the Tcl Core.

Changes to tls.htm.

201
202
203
204
205
206
207
208
209
210
211
212
213




214
215
216
217
218
219
220
            client.(<strong>default</strong>: <em>false</em>)</dd>
        <dt><strong>-servername</strong> <em>host</em></dt>
        <dd>Only available if the OpenSSL library the package is linked
	    against supports the TLS hostname extension for 'Server Name
	    Indication' (SNI). Use to name the logical host we are talking
	    to and expecting a certificate for</dd>
        <dt><strong>-ssl2</strong> <em>bool</em></dt>
        <dd>Enable use of SSL v2. (<strong>default</strong>: <em>true</em>
            unless -DNO_PATENTS was specified in build)</dd>
        <dt><strong>-ssl3 </strong><em>bool</em></dt>
        <dd>Enable use of SSL v3. (<strong>default</strong>: <em>true</em>)</dd>
        <dt>-<strong>tls1</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1. (<strong>default</strong>: <em>false</em>)</dd>




    </dl>
</blockquote>

<dl>
    <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt>
    <dd>Provided for symmetry to <strong>tls::import</strong>, this
      unstacks the SSL-enabling of a regular Tcl channel.  An error







|
<

|

|
>
>
>
>







201
202
203
204
205
206
207
208

209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
            client.(<strong>default</strong>: <em>false</em>)</dd>
        <dt><strong>-servername</strong> <em>host</em></dt>
        <dd>Only available if the OpenSSL library the package is linked
	    against supports the TLS hostname extension for 'Server Name
	    Indication' (SNI). Use to name the logical host we are talking
	    to and expecting a certificate for</dd>
        <dt><strong>-ssl2</strong> <em>bool</em></dt>
        <dd>Enable use of SSL v2. (<strong>default</strong>: <em>false</em>)</dd>

        <dt><strong>-ssl3 </strong><em>bool</em></dt>
        <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd>
        <dt>-<strong>tls1</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd>
        <dt>-<strong>tls1.1</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd>
        <dt>-<strong>tls1.2</strong> <em>bool</em></dt>
        <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd>
    </dl>
</blockquote>

<dl>
    <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt>
    <dd>Provided for symmetry to <strong>tls::import</strong>, this
      unstacks the SSL-enabling of a regular Tcl channel.  An error

Changes to tlsBIO.c.

125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
...
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());

	BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got %i from Tcl_WriteRaw, and EOF is set; ret = -1", ret);
		Tcl_SetErrno(ECONNRESET);
		ret = -1;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");

................................................................................
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno);

	BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got %i from Tcl_Read or Tcl_ReadRaw, and EOF is set; ret = -1", ret);
		Tcl_SetErrno(ECONNRESET);
		ret = -1;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");








|

|







 







|

|







125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
...
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());

	BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
		Tcl_SetErrno(ECONNRESET);
		ret = 0;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");

................................................................................
	tclErrno = Tcl_GetErrno();

	dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno);

	BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);

	if (tclEofChan && ret <= 0) {
		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
		Tcl_SetErrno(ECONNRESET);
		ret = 0;
	} else if (ret == 0) {
		dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0");
		dprintf("Setting retry read flag");
		BIO_set_retry_read(bio);
	} else if (ret < 0) {
		dprintf("We got some kind of I/O error");