TclTLS: Diff

Differences From Artifact [15a7d7809d]:

File tls.c — part of check-in [db95f55e95] at 2016-11-22 17:58:18 on branch rkeene-unthreaded — Applied patch (user: rkeene, size: 49295) [annotate] [blame] [check-ins using] [more...]

To Artifact [9a523164da]:

File tls.c — part of check-in [033849bf66] at 2016-12-07 14:38:43 on branch tls-1-7 — Added additional debugging around asyncronous sockets (user: rkeene, size: 47934) [annotate] [blame] [check-ins using]

1 2 3 4 5 6 7 ~~8 9~~ 10 11 12 13 14 15 16	/* * Copyright (C) 1997-1999 Matt Newman <[email protected]> * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * ~~* $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.c,v 1.37 2015/07/07 17:16:02 andreas_kupries Exp $ ~~ TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built (almost) from scratch based upon observation of * OpenSSL 0.9.2B * * Addition credit is due for Andreas Kupries ([email protected]), for	< <	1 2 3 4 5 6 7 8 9 10 11 12 13 14	/* * Copyright (C) 1997-1999 Matt Newman <[email protected]> * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built (almost) from scratch based upon observation of * OpenSSL 0.9.2B * * Addition credit is due for Andreas Kupries ([email protected]), for
︙			︙
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 ~~84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127~~ 128 129 130 131 132 133 134	static int UnimportObjCmd _ANSI_ARGS_ ((ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj CONST objv[])); static SSL_CTX CTX_Init _ANSI_ARGS_((State statePtr, int proto, char key, char cert, char CAdir, char CAfile, char ciphers, char DHparams)); ~~static int TlsLibInit _ANSI_ARGS_ (()) ;~~ #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08 #define TLS_PROTO_TLS1_2 0x10 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) /* * Static data structures / #ifndef OPENSSL_NO_DH ~~/ code derived from output of 'openssl dhparam -C 2048' /~~ ~~static unsigned char dh2048_p[]={~~ ~~0xEC,0xFD,0x6F,0x66,0xD8,0xBC,0xB4,0xCB,0xD7,0xE7,0xB4,0xAE,~~ ~~0xEC,0xC0,0x06,0x25,0x40,0x9F,0x3F,0xC4,0xAC,0x34,0x19,0x36,~~ ~~0x8A,0xAB,0xA9,0xF6,0x45,0x36,0x87,0x1F,0x10,0x35,0x3F,0x90,~~ ~~0x00,0xC6,0x7A,0xE8,0x51,0xF4,0x7F,0x50,0x0F,0xC2,0x82,0x91,~~ ~~0xAD,0x60,0x1B,0x49,0xB1,0x0B,0x23,0xC3,0x37,0xAE,0x0D,0x2C,~~ ~~0x49,0xC6,0xFB,0x60,0x9D,0x50,0x2F,0x8C,0x2F,0xDE,0xE6,0x5F,~~ ~~0x53,0x8B,0x5F,0xF9,0x70,0x16,0xEE,0x51,0xD1,0xAB,0x02,0x48,~~ ~~0x61,0xF1,0xA0,0xD7,0xBD,0x04,0x24,0xF0,0xE4,0xD1,0x0A,0x4C,~~ ~~0x28,0xDC,0x22,0x78,0x7C,0xED,0x2A,0xFA,0xF4,0x57,0x7C,0xAE,~~ ~~0xDF,0x52,0xC6,0xA2,0x11,0x28,0xC5,0x3B,0xB8,0x2F,0x95,0x3F,~~ ~~0x1E,0x05,0x66,0xFE,0x7D,0x1A,0x73,0xA0,0x45,0xF8,0xBB,0x8C,~~ ~~0x64,0xB9,0xA9,0x4D,0x23,0xBE,0x20,0x60,0xA2,0xF7,0xC7,0xD8,~~ ~~0xD8,0x49,0x28,0x9A,0x81,0xAC,0xF9,0x7F,0x3C,0xFC,0xBE,0x25,~~ ~~0x5B,0x1D,0xB6,0xAB,0x08,0x06,0x11,0x8D,0x94,0x69,0x3C,0x68,~~ ~~0x98,0x5A,0x90,0xF8,0xEB,0x19,0xCA,0x9F,0x1C,0x50,0x96,0x53,~~ ~~0xEF,0xEC,0x1B,0x93,0x4F,0x53,0xB7,0xD9,0x04,0x8E,0x48,0x99,~~ ~~0x6E,0x24,0xFF,0x66,0xF5,0xB0,0xDF,0x00,0xBA,0x22,0xE2,0xB6,~~ ~~0xE3,0x3A,0xC2,0x95,0xB1,0x14,0x68,0xFB,0xA5,0x37,0x22,0x78,~~ ~~0x56,0x5C,0xA4,0x23,0x31,0x02,0x97,0x7D,0xA9,0x84,0x0B,0x12,~~ ~~0x26,0x58,0x2F,0x86,0x10,0xAD,0xB0,0xAB,0xB9,0x7B,0x05,0x9A,~~ ~~0xDE,0x11,0xF1,0xE7,0x34,0xC7,0x95,0x42,0x1C,0x4F,0xA9,0xA8,~~ ~~0x92,0xDF,0x3F,0x7B,~~ }; ~~static unsigned char dh2048_g[]={~~ ~~0x02,~~ }; ~~static DH get_dh2048()~~ { ~~DH dh=NULL;~~ ~~if ((dh=DH_new()) == NULL) return(NULL);~~ ~~dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);~~ ~~dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);~~ ~~if ((dh->p == NULL) \|\| (dh->g == NULL))~~ ~~return(NULL);~~ ~~return(dh);~~ } #endif / * Defined in Tls_Init to determine what kind of channels we are using * (old-style 8.2.0-8.3.1 or new-style 8.3.2+). */ int channelTypeVersion;	\| < \| < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < <	61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89	static int UnimportObjCmd _ANSI_ARGS_ ((ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj CONST objv[])); static SSL_CTX CTX_Init _ANSI_ARGS_((State statePtr, int proto, char key, char cert, char CAdir, char CAfile, char ciphers, char DHparams)); static int TlsLibInit _ANSI_ARGS_ ((void)) ; #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08 #define TLS_PROTO_TLS1_2 0x10 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) /* * Static data structures / #ifndef OPENSSL_NO_DH #include "dh_params.h" #endif / * Defined in Tls_Init to determine what kind of channels we are using * (old-style 8.2.0-8.3.1 or new-style 8.3.2+). */ int channelTypeVersion;
︙			︙
166 167 168 169 170 171 172 ~~173~~ 174 175 176 177 178 179 180	/* * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. / static Tcl_Mutex locks[CRYPTO_NUM_LOCKS]; static Tcl_Mutex init_mx; ~~static int initialized;~~ static void CryptoThreadLockCallback (int mode, int n, const char file, int line); static unsigned long CryptoThreadIdCallback (void); static void CryptoThreadLockCallback(int mode, int n, const char *file, int line) {	<	121 122 123 124 125 126 127 128 129 130 131 132 133 134	/* * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. / static Tcl_Mutex locks[CRYPTO_NUM_LOCKS]; static Tcl_Mutex init_mx; static void CryptoThreadLockCallback (int mode, int n, const char file, int line); static unsigned long CryptoThreadIdCallback (void); static void CryptoThreadLockCallback(int mode, int n, const char *file, int line) {
︙			︙
312 313 314 315 316 317 318 ~~319~~ 320 321 322 323 324 325 326	int length; SSL ssl = (SSL)X509_STORE_CTX_get_app_data(ctx); X509 cert = X509_STORE_CTX_get_current_cert(ctx); State statePtr = (State)SSL_get_app_data(ssl); int depth = X509_STORE_CTX_get_error_depth(ctx); int err = X509_STORE_CTX_get_error(ctx); ~~dprintf(~~stderr,~~ "Verify: %d\n", ok);~~ if (!ok) { errStr = (char)X509_verify_cert_error_string(err); } else { errStr = (char *)0; }	\|	266 267 268 269 270 271 272 273 274 275 276 277 278 279 280	int length; SSL ssl = (SSL)X509_STORE_CTX_get_app_data(ctx); X509 cert = X509_STORE_CTX_get_current_cert(ctx); State statePtr = (State)SSL_get_app_data(ssl); int depth = X509_STORE_CTX_get_error_depth(ctx); int err = X509_STORE_CTX_get_error(ctx); dprintf("Verify: %d", ok); if (!ok) { errStr = (char)X509_verify_cert_error_string(err); } else { errStr = (char *)0; }
︙			︙
361 362 363 364 365 366 367 ~~368~~ 369 370 371 372 373 374 375	/* It got an error - reject the certificate. / Tcl_BackgroundError( statePtr->interp); ok = 0; } else { result = Tcl_GetObjResult(statePtr->interp); string = Tcl_GetStringFromObj(result, &length); / An empty result leaves verification unchanged. */ ~~if (length > 0) {~~ if (Tcl_GetIntFromObj(statePtr->interp, result, &ok) != TCL_OK) { Tcl_BackgroundError(statePtr->interp); ok = 0; } } } Tcl_DecrRefCount( cmdPtr);	\|	315 316 317 318 319 320 321 322 323 324 325 326 327 328 329	/* It got an error - reject the certificate. / Tcl_BackgroundError( statePtr->interp); ok = 0; } else { result = Tcl_GetObjResult(statePtr->interp); string = Tcl_GetStringFromObj(result, &length); / An empty result leaves verification unchanged. */ if (string != NULL && length > 0) { if (Tcl_GetIntFromObj(statePtr->interp, result, &ok) != TCL_OK) { Tcl_BackgroundError(statePtr->interp); ok = 0; } } } Tcl_DecrRefCount( cmdPtr);
︙			︙
683 684 685 686 687 688 689 ~~690~~ 691 692 693 694 695 696 697 698 699	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); return TCL_ERROR; } statePtr = (State )Tcl_GetChannelInstanceData(chan); if (!SSL_is_init_finished(statePtr->ssl)) { ~~int err;~~ ret = Tls_WaitForConnect(statePtr, &err); if ((statePtr->flags & TLS_TCL_ASYNC) && err == EAGAIN) { ret = 0; } if (ret < 0) { CONST char errStr = statePtr->err; Tcl_ResetResult(interp); Tcl_SetErrno(err);	\| >	637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); return TCL_ERROR; } statePtr = (State )Tcl_GetChannelInstanceData(chan); if (!SSL_is_init_finished(statePtr->ssl)) { int err = 0; ret = Tls_WaitForConnect(statePtr, &err); if ((statePtr->flags & TLS_TCL_ASYNC) && err == EAGAIN) { dprintf("Async set and err = EAGAIN"); ret = 0; } if (ret < 0) { CONST char errStr = statePtr->err; Tcl_ResetResult(interp); Tcl_SetErrno(err);
︙			︙
760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776	int ssl2 = 1; #endif #if defined(NO_SSL3) int ssl3 = 0; #else int ssl3 = 1; #endif int tls1 = 1; int tls1_1 = 1; int tls1_2 = 1; int proto = 0; int verify = 0, require = 0, request = 1; if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; }	> > > > > > > > > > > >	715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743	int ssl2 = 1; #endif #if defined(NO_SSL3) int ssl3 = 0; #else int ssl3 = 1; #endif #if defined(NO_TLS1) int tls1 = 0; #else int tls1 = 1; #endif #if defined(NO_TLS1_1) int tls1_1 = 0; #else int tls1_1 = 1; #endif #if defined(NO_TLS1_2) int tls1_2 = 0; #else int tls1_2 = 1; #endif int proto = 0; int verify = 0, require = 0, request = 1; if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; }
︙			︙
1521 1522 1523 1524 1525 1526 1527 ~~1528 1529 1530 1531 1532 1533 1534~~ 1535 1536 1537 1538 1539 1540 1541	ASN1_INTEGER_set(X509_get_serialNumber(cert),serial); X509_gmtime_adj(X509_get_notBefore(cert),0); X509_gmtime_adj(X509_get_notAfter(cert),(long)606024*days); X509_set_pubkey(cert,pkey); name=X509_get_subject_name(cert); X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, k_C, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, k_ST, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, k_L, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, k_O, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, k_OU, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, k_CN, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, k_Email, -1, -1, 0); X509_set_subject_name(cert,name); if (!X509_sign(cert,pkey,EVP_md5())) { X509_free(cert); EVP_PKEY_free(pkey); Tcl_SetResult(interp,"Error signing certificate",NULL);	\| \| \| \| \| \| \|	1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508	ASN1_INTEGER_set(X509_get_serialNumber(cert),serial); X509_gmtime_adj(X509_get_notBefore(cert),0); X509_gmtime_adj(X509_get_notAfter(cert),(long)606024days); X509_set_pubkey(cert,pkey); name=X509_get_subject_name(cert); X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (unsigned char ) k_C, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, (unsigned char ) k_ST, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, (unsigned char ) k_L, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (unsigned char ) k_O, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (unsigned char ) k_OU, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (unsigned char ) k_CN, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, (unsigned char ) k_Email, -1, -1, 0); X509_set_subject_name(cert,name); if (!X509_sign(cert,pkey,EVP_md5())) { X509_free(cert); EVP_PKEY_free(pkey); Tcl_SetResult(interp,"Error signing certificate",NULL);
︙			︙
1615 1616 1617 1618 1619 1620 1621 ~~1622~~ 1623 1624 1625 1626 ~~1627~~ 1628 1629 1630 1631 1632 1633 1634	if (statePtr->timer != (Tcl_TimerToken) NULL) { Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = NULL; } if (statePtr->bio) { /* This will call SSL_shutdown. Bug 1414045 */ ~~dprintf(~~stderr,~~ "BIO_free_all(%p)\n", statePtr->bio);~~ BIO_free_all(statePtr->bio); statePtr->bio = NULL; } if (statePtr->ssl) { ~~dprintf(~~stderr,~~ "SSL_free(%p)\n", statePtr->ssl);~~ SSL_free(statePtr->ssl); statePtr->ssl = NULL; } if (statePtr->ctx) { SSL_CTX_free(statePtr->ctx); statePtr->ctx = NULL; }	\| \|	1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601	if (statePtr->timer != (Tcl_TimerToken) NULL) { Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = NULL; } if (statePtr->bio) { /* This will call SSL_shutdown. Bug 1414045 */ dprintf("BIO_free_all(%p)", statePtr->bio); BIO_free_all(statePtr->bio); statePtr->bio = NULL; } if (statePtr->ssl) { dprintf("SSL_free(%p)", statePtr->ssl); SSL_free(statePtr->ssl); statePtr->ssl = NULL; } if (statePtr->ctx) { SSL_CTX_free(statePtr->ctx); statePtr->ctx = NULL; }
︙			︙
1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671	------------------------------------------------------------------- / int Tls_Init(Tcl_Interp interp) / Interpreter in which the package is * to be made available. / { int major, minor, patchlevel, release; / * The original 8.2.0 stacked channel implementation (and the patch * that preceded it) had problems with scalability and robustness. * These were address in 8.3.2 / 8.4a2, so we now require that as a * minimum for TLS 1.4+. We only support 8.2+ now (8.3.2+ preferred).	> > > >	1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642	------------------------------------------------------------------- / int Tls_Init(Tcl_Interp interp) / Interpreter in which the package is * to be made available. / { const char tlsTclInitScript[] = { #include "tls.tcl.h" }; int major, minor, patchlevel, release; / * The original 8.2.0 stacked channel implementation (and the patch * that preceded it) had problems with scalability and robustness. * These were address in 8.3.2 / 8.4a2, so we now require that as a * minimum for TLS 1.4+. We only support 8.2+ now (8.3.2+ preferred).
︙			︙
1717 1718 1719 1720 1721 1722 1723 ~~1724~~ 1725 1726 1727 1728 1729 1730 1731	Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); ~~return Tcl_PkgProvide(interp, ~~PACKAGE_NAME~~, PACKAGE_VERSION);~~ } /* ------------------------------------------------------ * * Tls_SafeInit -- *	> > > > \|	1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706	Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); if (interp) { Tcl_Eval(interp, tlsTclInitScript); } return Tcl_PkgProvide(interp, "tls", PACKAGE_VERSION); } /* ------------------------------------------------------ * * Tls_SafeInit -- *
︙			︙
1763 1764 1765 1766 1767 1768 1769 ~~1770 1771 1772~~ 1773 1774 1775 1776 1777 1778 ~~1779 1780 1781 1782~~ 1783 1784 1785 1786 1787 1788 1789	* initilizes SSL library * * Result: * none * ------------------------------------------------------ / ~~static int Tls~~LibI~~nit () {~~ int i; char rnd_seed[16] = "GrzSlplKqUdnnzP!"; / 16 bytes / int status=TCL_OK; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) size_t num_locks; ~~if (!initialized) {~~ Tcl_MutexLock(&init_mx); ~~if (!initialized) {~~ ~~initialized = 1;~~ #endif if (CRYPTO_set_mem_functions((void ()(size_t))Tcl_Alloc, (void ()(void , size_t))Tcl_Realloc, (void()(void ))Tcl_Free) == 0) { /* Not using Tcl's mem functions ... not critical */ }	\| \| < > > > > > > < \| < <	1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766	* initilizes SSL library * * Result: * none * ------------------------------------------------------ / static int TlsLibInit (void) { static int initialized = 0; int i; char rnd_seed[16] = "GrzSlplKqUdnnzP!"; / 16 bytes / int status=TCL_OK; if (initialized) { return status; } initialized = 1; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) size_t num_locks; Tcl_MutexLock(&init_mx); #endif if (CRYPTO_set_mem_functions((void ()(size_t))Tcl_Alloc, (void ()(void , size_t))Tcl_Realloc, (void()(void ))Tcl_Free) == 0) { /* Not using Tcl's mem functions ... not critical */ }
︙			︙
1820 1821 1822 1823 1824 1825 1826 ~~1827 1828~~ 1829 1830 1831 1832 ~~1833~~ 1834 1835	srand((unsigned int) time((time_t ) NULL)); do { for (i = 0; i < 16; i++) { rnd_seed[i] = 1 + (char) (255.0 rand()/(RAND_MAX+1.0)); } RAND_seed(rnd_seed, sizeof(rnd_seed)); } while (RAND_status() != 1); ~~} done:~~ #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexUnlock(&init_mx); #endif } return status; }	< \| <	1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810	srand((unsigned int) time((time_t ) NULL)); do { for (i = 0; i < 16; i++) { rnd_seed[i] = 1 + (char) (255.0 rand()/(RAND_MAX+1.0)); } RAND_seed(rnd_seed, sizeof(rnd_seed)); } while (RAND_status() != 1); done: #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexUnlock(&init_mx); #endif return status; }