TclTLS: Diff

Differences From Artifact [2cf7b99093]:

File generic/tls.c — part of check-in [1505883e4a] at 2024-07-01 01:08:10 on branch tls-1.8 — Changed to send SSL_shutdown as part of BIO close channel handler rather than Tls_Clean. (user: bohagan, size: 96220) [annotate] [blame] [check-ins using]

To Artifact [99e542a0c2]:

File generic/tls.c — part of check-in [e3d4330c95] at 2024-07-06 04:17:38 on branch tls-1.8 — Made updates to enhance event processing, I/O operations, etc. to address reports of stalled connections, etc. (user: bohagan, size: 96386) [annotate] [blame] [check-ins using]

︙			︙
1222 1223 1224 1225 1226 1227 1228 ~~1229~~ 1230 1231 1232 1233 1234 1235 1236	ret = 1; } dprintf("Returning TCL_OK with data \"%i\"", ret); Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); return TCL_OK; } /* ------------------------------------------------------------------- * ImportObjCmd -- * * This procedure is invoked to process the "ssl" command *	\|	1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236	ret = 1; } dprintf("Returning TCL_OK with data \"%i\"", ret); Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); return TCL_OK; } /* ------------------------------------------------------------------- * ImportObjCmd -- * * This procedure is invoked to process the "ssl" command *
︙			︙
1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389	/* new SSL state / statePtr = (State ) ckalloc((unsigned) sizeof(State)); memset(statePtr, 0, sizeof(State)); statePtr->flags = flags; statePtr->interp = interp; statePtr->vflags = verify; statePtr->err = ""; /* allocate script */ if (script) { (void) Tcl_GetStringFromObj(script, &len); if (len) {	>	1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390	/* new SSL state / statePtr = (State ) ckalloc((unsigned) sizeof(State)); memset(statePtr, 0, sizeof(State)); statePtr->flags = flags; statePtr->interp = interp; statePtr->want = 0; statePtr->vflags = verify; statePtr->err = ""; /* allocate script */ if (script) { (void) Tcl_GetStringFromObj(script, &len); if (len) {
︙			︙
1450 1451 1452 1453 1454 1455 1456 ~~1457~~ 1458 1459 1460 1461 1462 1463 1464	Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding); Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation); Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking); /* Ensure the channel works in binary mode (for the encryption not to get goofed up). / Tcl_SetChannelOption(interp, chan, "-translation", "binary"); Tcl_SetChannelOption(interp, chan, "-blocking", "true"); / Create stacked channel / dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan)); statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr, (TCL_READABLE \| TCL_WRITABLE), chan); dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self)); if (statePtr->self == (Tcl_Channel) NULL) { /	\|	1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465	Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding); Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation); Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking); /* Ensure the channel works in binary mode (for the encryption not to get goofed up). / Tcl_SetChannelOption(interp, chan, "-translation", "binary"); Tcl_SetChannelOption(interp, chan, "-blocking", "true"); / Create stacked channel / dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan)); statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr, (TCL_READABLE \| TCL_WRITABLE), chan); dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self)); if (statePtr->self == (Tcl_Channel) NULL) { /
︙			︙
1619 1620 1621 1622 1623 1624 1625 ~~1626 1627 1628~~ 1629 1630 1631 1632 1633 1634 1635	/* Enable server to send cert request after handshake (TLS 1.3 only) / / A write operation must take place for the Certificate Request to be sent to the client, this can be done with SSL_do_handshake(). / if (request && post_handshake && tls1_3) { SSL_verify_client_post_handshake(statePtr->ssl); } ~~/ set automatic curve selection /~~ ~~SSL_set_ecdh_auto(statePtr->ssl, 1);~~ / Set server mode / statePtr->flags \|= TLS_TCL_SERVER; SSL_set_accept_state(statePtr->ssl); } else { / Client callbacks */ #ifdef USE_NPN if (statePtr->protos != NULL && tls1_2 == 0 && tls1_3 == 0) {	< < <	1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633	/* Enable server to send cert request after handshake (TLS 1.3 only) / / A write operation must take place for the Certificate Request to be sent to the client, this can be done with SSL_do_handshake(). / if (request && post_handshake && tls1_3) { SSL_verify_client_post_handshake(statePtr->ssl); } / Set server mode / statePtr->flags \|= TLS_TCL_SERVER; SSL_set_accept_state(statePtr->ssl); } else { / Client callbacks */ #ifdef USE_NPN if (statePtr->protos != NULL && tls1_2 == 0 && tls1_3 == 0) {
︙			︙
1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662	/* Set client mode / SSL_set_connect_state(statePtr->ssl); } / Set BIO for read and write operations on SSL object / SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); / * End of SSL Init / dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); Tcl_SetResult(interp, (char ) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE);	>	1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661	/* Set client mode / SSL_set_connect_state(statePtr->ssl); } / Set BIO for read and write operations on SSL object / SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); BIO_set_ssl_mode(statePtr->bio, (long) !server); / * End of SSL Init / dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); Tcl_SetResult(interp, (char ) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE);
︙			︙
1707 1708 1709 1710 1711 1712 1713 ~~1714~~ 1715 1716 1717 1718 1719 1720 1721	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a stacked channel", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char ) NULL); return TCL_ERROR; } /* Flush any pending data / ~~if (Tcl_Flush(chan) != TCL_OK) {~~ return TCL_ERROR; } / Init storage */ Tcl_DStringInit(&upperChannelTranslation); Tcl_DStringInit(&upperChannelBlocking); Tcl_DStringInit(&upperChannelEOFChar);	\| >	1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a stacked channel", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char ) NULL); return TCL_ERROR; } /* Flush any pending data / if (Tcl_OutputBuffered(chan) > 0 && Tcl_Flush(chan) != TCL_OK) { Tcl_AppendResult(interp, "can't flush channel", (char ) NULL); return TCL_ERROR; } /* Init storage */ Tcl_DStringInit(&upperChannelTranslation); Tcl_DStringInit(&upperChannelBlocking); Tcl_DStringInit(&upperChannelEOFChar);
︙			︙
1909 1910 1911 1912 1913 1914 1915 ~~1916 1917~~ 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938	SSL_CTX_set_options(ctx, off); /* Disable specified protocol versions / / Allow writes to report success when less than all records have been written / SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); / Disable attempts to try to process the next record instead of returning after a non-app record. Avoids hangs in blocking mode, when using SSL_read() and a ~~non-application record was sent an~~d no~~ application data ~~was sent~~. / SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);~~ SSL_CTX_sess_set_cache_size(ctx, 128); / Set user defined ciphers, cipher suites, and security level / if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL; } if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL; } / Set security level / if (level > -1 && level < 6) { / SSL_set_security_level */ SSL_CTX_set_security_level(ctx, level); }	\| \| > > >	1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941	SSL_CTX_set_options(ctx, off); /* Disable specified protocol versions / / Allow writes to report success when less than all records have been written / SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); / Disable attempts to try to process the next record instead of returning after a non-app record. Avoids hangs in blocking mode, when using SSL_read() and a non-application record was sent without any application data. / /SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);/ SSL_CTX_sess_set_cache_size(ctx, 128); / Set user defined ciphers, cipher suites, and security level / if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL; } if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL; } / set automatic curve selection / SSL_CTX_set_ecdh_auto(ctx, 1); / Set security level / if (level > -1 && level < 6) { / SSL_set_security_level */ SSL_CTX_set_security_level(ctx, level); }
︙			︙
2099 2100 2101 2102 2103 2104 2105 ~~2106~~ 2107 2108 2109 2110 2111 2112 2113 ~~2114~~ 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 ~~2131~~ 2132 2133 2134 2135 2136 2137 2138	/* Set directory containing CA certificates in PEM format. / if (CApath != NULL) { if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) { abort++; } Tcl_DStringFree(&ds); } / Set URI for to a store, which may be a single container or a catalog of containers. / if (CAstore != NULL) { if (!SSL_CTX_load_verify_store(ctx, F2N(CAstore, &ds))) { abort++; } Tcl_DStringFree(&ds); } / Set file of CA certificates in PEM format. / if (CAfile != NULL) { if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { abort++; } Tcl_DStringFree(&ds); / Set list of CAs to send to client when requesting a client certificate / STACK_OF(X509_NAME) certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); } #endif } return ctx; } /* ------------------------------------------------------------------- * StatusObjCmd -- return certificate for connected peer info.	\| \| <	2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140	/* Set directory containing CA certificates in PEM format. / if (CApath != NULL) { if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) { abort++; } Tcl_DStringFree(&ds); } / Set URI for to a store, which may be a single container or a catalog of containers. / if (CAstore != NULL) { if (!SSL_CTX_load_verify_store(ctx, F2N(CAstore, &ds))) { abort++; } Tcl_DStringFree(&ds); } / Set file of CA certificates in PEM format. / if (CAfile != NULL) { if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { abort++; } Tcl_DStringFree(&ds); / Set list of CAs to send to client when requesting a client certificate / STACK_OF(X509_NAME) certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); } #endif } return ctx; } /* ------------------------------------------------------------------- * StatusObjCmd -- return certificate for connected peer info.
︙			︙
2312 2313 2314 2315 2316 2317 2318 ~~2319~~ 2320 2321 2322 2323 2324 2325 2326	ssl = statePtr->ssl; if (ssl != NULL) { const unsigned char proto; unsigned int ulen; / Initialization finished / LAPPEND_BOOL(interp, objPtr, "init_finished", SSL_is_init_finished(ssl)); / connection state / LAPPEND_STR(interp, objPtr, "state", SSL_state_string_long(ssl), -1); / Get SNI requested server name / LAPPEND_STR(interp, objPtr, "servername", SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1); / Report the selected protocol as a result of the negotiation */	\|	2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328	ssl = statePtr->ssl; if (ssl != NULL) { const unsigned char proto; unsigned int ulen; / Initialization finished / LAPPEND_BOOL(interp, objPtr, "init_finished", SSL_is_init_finished(ssl)); / connection state / LAPPEND_STR(interp, objPtr, "state", SSL_state_string_long(ssl), -1); / Get SNI requested server name / LAPPEND_STR(interp, objPtr, "servername", SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1); / Report the selected protocol as a result of the negotiation */
︙			︙
3002 3003 3004 3005 3006 3007 3008 ~~3009~~ 3010 3011 3012 3013 3014 3015 3016	\| OPENSSL_INIT_ADD_ALL_CIPHERS \| OPENSSL_INIT_ADD_ALL_DIGESTS \| OPENSSL_INIT_LOAD_CONFIG \| OPENSSL_INIT_ASYNC, NULL)) { return TCL_ERROR; } /* Create BIO handlers / BIO_new_tcl(NULL, 0); / Create exit handler */ Tcl_CreateExitHandler(TlsLibShutdown, NULL); initialized = 1; } return TCL_OK; }	\|	3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018	\| OPENSSL_INIT_ADD_ALL_CIPHERS \| OPENSSL_INIT_ADD_ALL_DIGESTS \| OPENSSL_INIT_LOAD_CONFIG \| OPENSSL_INIT_ASYNC, NULL)) { return TCL_ERROR; } /* Create BIO handlers / BIO_new_tcl(NULL, 0); / Create exit handler */ Tcl_CreateExitHandler(TlsLibShutdown, NULL); initialized = 1; } return TCL_OK; }
︙			︙