︙ | | | ︙ | |
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
|
ret = 1;
}
dprintf("Returning TCL_OK with data \"%i\"", ret);
Tcl_SetObjResult(interp, Tcl_NewIntObj(ret));
return TCL_OK;
}
/*
*-------------------------------------------------------------------
*
* ImportObjCmd --
*
* This procedure is invoked to process the "ssl" command
*
|
|
|
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
|
ret = 1;
}
dprintf("Returning TCL_OK with data \"%i\"", ret);
Tcl_SetObjResult(interp, Tcl_NewIntObj(ret));
return TCL_OK;
}
/*
*-------------------------------------------------------------------
*
* ImportObjCmd --
*
* This procedure is invoked to process the "ssl" command
*
|
︙ | | | ︙ | |
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
|
/* new SSL state */
statePtr = (State *) ckalloc((unsigned) sizeof(State));
memset(statePtr, 0, sizeof(State));
statePtr->flags = flags;
statePtr->interp = interp;
statePtr->vflags = verify;
statePtr->err = "";
/* allocate script */
if (script) {
(void) Tcl_GetStringFromObj(script, &len);
if (len) {
|
>
|
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
|
/* new SSL state */
statePtr = (State *) ckalloc((unsigned) sizeof(State));
memset(statePtr, 0, sizeof(State));
statePtr->flags = flags;
statePtr->interp = interp;
statePtr->want = 0;
statePtr->vflags = verify;
statePtr->err = "";
/* allocate script */
if (script) {
(void) Tcl_GetStringFromObj(script, &len);
if (len) {
|
︙ | | | ︙ | |
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
|
Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding);
Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
/* Ensure the channel works in binary mode (for the encryption not to get goofed up). */
Tcl_SetChannelOption(interp, chan, "-translation", "binary");
Tcl_SetChannelOption(interp, chan, "-blocking", "true");
/* Create stacked channel */
dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr,
(TCL_READABLE | TCL_WRITABLE), chan);
dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self));
if (statePtr->self == (Tcl_Channel) NULL) {
/*
|
|
|
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
|
Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding);
Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
/* Ensure the channel works in binary mode (for the encryption not to get goofed up). */
Tcl_SetChannelOption(interp, chan, "-translation", "binary");
Tcl_SetChannelOption(interp, chan, "-blocking", "true");
/* Create stacked channel */
dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr,
(TCL_READABLE | TCL_WRITABLE), chan);
dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self));
if (statePtr->self == (Tcl_Channel) NULL) {
/*
|
︙ | | | ︙ | |
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
|
/* Enable server to send cert request after handshake (TLS 1.3 only) */
/* A write operation must take place for the Certificate Request to be
sent to the client, this can be done with SSL_do_handshake(). */
if (request && post_handshake && tls1_3) {
SSL_verify_client_post_handshake(statePtr->ssl);
}
/* set automatic curve selection */
SSL_set_ecdh_auto(statePtr->ssl, 1);
/* Set server mode */
statePtr->flags |= TLS_TCL_SERVER;
SSL_set_accept_state(statePtr->ssl);
} else {
/* Client callbacks */
#ifdef USE_NPN
if (statePtr->protos != NULL && tls1_2 == 0 && tls1_3 == 0) {
|
<
<
<
|
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
|
/* Enable server to send cert request after handshake (TLS 1.3 only) */
/* A write operation must take place for the Certificate Request to be
sent to the client, this can be done with SSL_do_handshake(). */
if (request && post_handshake && tls1_3) {
SSL_verify_client_post_handshake(statePtr->ssl);
}
/* Set server mode */
statePtr->flags |= TLS_TCL_SERVER;
SSL_set_accept_state(statePtr->ssl);
} else {
/* Client callbacks */
#ifdef USE_NPN
if (statePtr->protos != NULL && tls1_2 == 0 && tls1_3 == 0) {
|
︙ | | | ︙ | |
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
|
/* Set client mode */
SSL_set_connect_state(statePtr->ssl);
}
/* Set BIO for read and write operations on SSL object */
SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio);
BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE);
/*
* End of SSL Init
*/
dprintf("Returning %s", Tcl_GetChannelName(statePtr->self));
Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE);
|
>
|
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
|
/* Set client mode */
SSL_set_connect_state(statePtr->ssl);
}
/* Set BIO for read and write operations on SSL object */
SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio);
BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE);
BIO_set_ssl_mode(statePtr->bio, (long) !server);
/*
* End of SSL Init
*/
dprintf("Returning %s", Tcl_GetChannelName(statePtr->self));
Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE);
|
︙ | | | ︙ | |
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
|
Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
"\": not a stacked channel", (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char *) NULL);
return TCL_ERROR;
}
/* Flush any pending data */
if (Tcl_Flush(chan) != TCL_OK) {
return TCL_ERROR;
}
/* Init storage */
Tcl_DStringInit(&upperChannelTranslation);
Tcl_DStringInit(&upperChannelBlocking);
Tcl_DStringInit(&upperChannelEOFChar);
|
|
>
|
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
|
Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
"\": not a stacked channel", (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char *) NULL);
return TCL_ERROR;
}
/* Flush any pending data */
if (Tcl_OutputBuffered(chan) > 0 && Tcl_Flush(chan) != TCL_OK) {
Tcl_AppendResult(interp, "can't flush channel", (char *) NULL);
return TCL_ERROR;
}
/* Init storage */
Tcl_DStringInit(&upperChannelTranslation);
Tcl_DStringInit(&upperChannelBlocking);
Tcl_DStringInit(&upperChannelEOFChar);
|
︙ | | | ︙ | |
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
|
SSL_CTX_set_options(ctx, off); /* Disable specified protocol versions */
/* Allow writes to report success when less than all records have been written */
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
/* Disable attempts to try to process the next record instead of returning after a
non-app record. Avoids hangs in blocking mode, when using SSL_read() and a
non-application record was sent and no application data was sent. */
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_sess_set_cache_size(ctx, 128);
/* Set user defined ciphers, cipher suites, and security level */
if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) {
Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
/* Set security level */
if (level > -1 && level < 6) {
/* SSL_set_security_level */
SSL_CTX_set_security_level(ctx, level);
}
|
|
|
>
>
>
|
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
|
SSL_CTX_set_options(ctx, off); /* Disable specified protocol versions */
/* Allow writes to report success when less than all records have been written */
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
/* Disable attempts to try to process the next record instead of returning after a
non-app record. Avoids hangs in blocking mode, when using SSL_read() and a
non-application record was sent without any application data. */
/*SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);*/
SSL_CTX_sess_set_cache_size(ctx, 128);
/* Set user defined ciphers, cipher suites, and security level */
if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) {
Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
/* set automatic curve selection */
SSL_CTX_set_ecdh_auto(ctx, 1);
/* Set security level */
if (level > -1 && level < 6) {
/* SSL_set_security_level */
SSL_CTX_set_security_level(ctx, level);
}
|
︙ | | | ︙ | |
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
|
/* Set directory containing CA certificates in PEM format. */
if (CApath != NULL) {
if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
abort++;
}
Tcl_DStringFree(&ds);
}
/* Set URI for to a store, which may be a single container or a catalog of containers. */
if (CAstore != NULL) {
if (!SSL_CTX_load_verify_store(ctx, F2N(CAstore, &ds))) {
abort++;
}
Tcl_DStringFree(&ds);
}
/* Set file of CA certificates in PEM format. */
if (CAfile != NULL) {
if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
abort++;
}
Tcl_DStringFree(&ds);
/* Set list of CAs to send to client when requesting a client certificate */
STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
if (certNames != NULL) {
SSL_CTX_set_client_CA_list(ctx, certNames);
}
Tcl_DStringFree(&ds);
}
#endif
}
return ctx;
}
/*
*-------------------------------------------------------------------
*
* StatusObjCmd -- return certificate for connected peer info.
|
|
|
<
|
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
|
/* Set directory containing CA certificates in PEM format. */
if (CApath != NULL) {
if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
abort++;
}
Tcl_DStringFree(&ds);
}
/* Set URI for to a store, which may be a single container or a catalog of containers. */
if (CAstore != NULL) {
if (!SSL_CTX_load_verify_store(ctx, F2N(CAstore, &ds))) {
abort++;
}
Tcl_DStringFree(&ds);
}
/* Set file of CA certificates in PEM format. */
if (CAfile != NULL) {
if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
abort++;
}
Tcl_DStringFree(&ds);
/* Set list of CAs to send to client when requesting a client certificate */
STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
if (certNames != NULL) {
SSL_CTX_set_client_CA_list(ctx, certNames);
}
Tcl_DStringFree(&ds);
}
#endif
}
return ctx;
}
/*
*-------------------------------------------------------------------
*
* StatusObjCmd -- return certificate for connected peer info.
|
︙ | | | ︙ | |
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
|
ssl = statePtr->ssl;
if (ssl != NULL) {
const unsigned char *proto;
unsigned int ulen;
/* Initialization finished */
LAPPEND_BOOL(interp, objPtr, "init_finished", SSL_is_init_finished(ssl));
/* connection state */
LAPPEND_STR(interp, objPtr, "state", SSL_state_string_long(ssl), -1);
/* Get SNI requested server name */
LAPPEND_STR(interp, objPtr, "servername", SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1);
/* Report the selected protocol as a result of the negotiation */
|
|
|
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
|
ssl = statePtr->ssl;
if (ssl != NULL) {
const unsigned char *proto;
unsigned int ulen;
/* Initialization finished */
LAPPEND_BOOL(interp, objPtr, "init_finished", SSL_is_init_finished(ssl));
/* connection state */
LAPPEND_STR(interp, objPtr, "state", SSL_state_string_long(ssl), -1);
/* Get SNI requested server name */
LAPPEND_STR(interp, objPtr, "servername", SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1);
/* Report the selected protocol as a result of the negotiation */
|
︙ | | | ︙ | |
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
|
| OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_ASYNC, NULL)) {
return TCL_ERROR;
}
/* Create BIO handlers */
BIO_new_tcl(NULL, 0);
/* Create exit handler */
Tcl_CreateExitHandler(TlsLibShutdown, NULL);
initialized = 1;
}
return TCL_OK;
}
|
|
|
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
|
| OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_ASYNC, NULL)) {
return TCL_ERROR;
}
/* Create BIO handlers */
BIO_new_tcl(NULL, 0);
/* Create exit handler */
Tcl_CreateExitHandler(TlsLibShutdown, NULL);
initialized = 1;
}
return TCL_OK;
}
|
︙ | | | ︙ | |