TclTLS: Diff

Differences From Artifact [459c02ba4b]:

File generic/tls.c — part of check-in [6a11f12158] at 2023-07-21 23:29:58 on branch errors_and_callbacks — Removed connect or handshake errors trigger background error. Removed Tls_Error call to background error handler when a callback command isn't defined. This would occur during connect/handshake errors. Fixes bug: https://core.tcl-lang.org/tcltls/tktview/2c7b748796 (user: bohagan, size: 83745) [annotate] [blame] [check-ins using]

To Artifact [8e541b360a]:

File generic/tls.c — part of check-in [a4c50c7c74] at 2023-07-24 23:12:48 on branch errors_and_callbacks — Comment and documentation updates. Added more checks for supported protocol versions. (user: bohagan, size: 84023) [annotate] [blame] [check-ins using]

︙
91 92 93 94 95 96 97 98 99 100 101 ~~102~~ 103 104 105 106 107 108 109	91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109	+ -	static Tcl_Mutex locks = NULL; static int locksCount = 0; static Tcl_Mutex init_mx; #endif / OPENSSL_THREADS / #endif / TCL_THREADS / /******************/ / Callbacks / /******************/ / ------------------------------------------------------------------- * Eval Callback Command -- * * Eval callback command and catch any errors *
︙
154 155 156 157 158 159 160 161 162 163 164 165 166 167	154 155 156 157 158 159 160 161 162 163 164 165 166 167 168	+	* monitors SSL connection process * * Results: * None * * Side effects: * Calls callback (if defined) * ------------------------------------------------------------------- / static void InfoCallback(const SSL ssl, int where, int ret) { State statePtr = (State)SSL_get_app_data((SSL )ssl); Tcl_Interp interp = statePtr->interp; Tcl_Obj cmdPtr;
︙
197 198 199 200 201 202 203 ~~204~~ 205 206 207 208 209 210 211	198 199 200 201 202 203 204 205 206 207 208 209 210 211 212	- +	if (where & SSL_CB_READ) minor = "read"; else if (where & SSL_CB_WRITE) minor = "write"; else if (where & SSL_CB_LOOP) minor = "loop"; else if (where & SSL_CB_EXIT) minor = "exit"; else minor = "unknown"; } ~~/* Create command to eval ~~from callback~~ /~~ / Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("info", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(major, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(minor, -1));
︙
253 254 255 256 257 258 259 260 261 262 263 264 265 266	254 255 256 257 258 259 260 261 262 263 264 265 266 267 268	+	* failure alert to peer, and terminate handshake. * 1 - the certificate is deemed valid, continue with handshake. * empty string - no change to certificate validation * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * ------------------------------------------------------------------- / static int VerifyCallback(int ok, X509_STORE_CTX ctx) { Tcl_Obj cmdPtr; SSL ssl = (SSL)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
︙
275 276 277 278 279 280 281 ~~282~~ 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 ~~301~~ 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321	277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324	- + - + +	if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { return ok; } else { return 1; } } ~~/* Create command to eval ~~from callback~~ /~~ / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth)); Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj((char)X509_verify_cert_error_string(err), -1)); statePtr->flags \|= TLS_TCL_CALLBACK; /* Eval callback command / Tcl_IncrRefCount(cmdPtr); ok = EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); statePtr->flags &= ~(TLS_TCL_CALLBACK); ~~return(ok); / By default, leave verification unchanged. /~~ return(ok); / By default, leave verification unchanged. / } / ------------------------------------------------------------------- * Tls_Error -- * * Calls callback with $fd and $msg - so the callback can decide * what to do with errors. * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * ------------------------------------------------------------------- / void Tls_Error(State statePtr, char msg) { Tcl_Interp interp = statePtr->interp; Tcl_Obj cmdPtr;
︙
349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382	352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387	+ +	* * KeyLogCallback -- * * Write received key data to log file. * * Side effects: * none * ------------------------------------------------------------------- / void KeyLogCallback(const SSL ssl, const char line) { char str = getenv(SSLKEYLOGFILE); FILE fd; if (str) { fd = fopen(str, "a"); fprintf(fd, "%s\n",line); fclose(fd); } } /* ------------------------------------------------------------------- * Password Callback -- * * Called when a password is needed to unpack RSA and PEM keys. * Evals any bound password script and returns the result as * the password string. * ------------------------------------------------------------------- / static int PasswordCallback(char buf, int size, int verify, void udata) { State statePtr = (State ) udata; Tcl_Interp interp = statePtr->interp; Tcl_Obj cmdPtr;
︙
390 391 392 393 394 395 396 ~~397~~ 398 399 400 401 402 403 404	395 396 397 398 399 400 401 402 403 404 405 406 407 408 409	- +	strncpy(buf, ret, (size_t) size); return (int)strlen(ret); } else { return -1; } } ~~/* Create command to eval ~~from callback~~ /~~ / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->password); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); / Eval callback and success for ok, abort for error, continue for continue */ Tcl_IncrRefCount(cmdPtr);
︙
463 464 465 466 467 468 469 ~~470~~ 471 472 473 474 475 476 477	468 469 470 471 472 473 474 475 476 477 478 479 480 481 482	- +	if (statePtr->callback == (Tcl_Obj)NULL) { return SSL_TLSEXT_ERR_OK; } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } ~~/ Create command to eval ~~from callback~~ /~~ / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); / Session id */ session_id = SSL_SESSION_get_id(session, &ulen); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen));
︙
538 539 540 541 542 543 544 ~~545~~ 546 547 548 549 550 551 552	543 544 545 546 547 548 549 550 551 552 553 554 555 556 557	- +	res = SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj)NULL) { return res; } ~~/ Create command to eval ~~from callback~~ /~~ / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(out, -1)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) {
︙
604 605 606 607 608 609 610 ~~611 612~~ 613 614 615 616 617 618 619	609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624	- - + +	#endif /* ------------------------------------------------------------------- * SNI Callback for Servers -- * * Perform server-side SNI hostname selection after receiving SNI he~~ader.~~ * Called after hello callback but before ALPN callback. * Perform server-side SNI hostname selection after receiving SNI extension * in Client Hello. Called after hello callback but before ALPN callback. * * Results: * None * * Side effects: * Calls callback (if defined) *
︙
638 639 640 641 642 643 644 645 646 ~~647~~ 648 649 650 651 652 653 ~~654~~ 655 656 657 658 659 660 661	643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667	+ - + - +	dprintf("Called"); if (ssl == NULL \|\| arg == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Only works for TLS 1.2 and earlier / servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (!servername \|\| servername[0] == '\0') { ~~return SSL_TLSEXT_ERR_NOACK;~~ return SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj)NULL) { return SSL_TLSEXT_ERR_OK; } ~~/* Create command to eval ~~from callback~~ /~~ / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("sni", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername , -1)); / Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) {
︙
714 715 716 717 718 719 720 ~~721~~ 722 723 724 725 726 727 728 ~~729~~ 730 731 732 733 734 735 ~~736~~ 737 738 739 740 741 742 ~~743~~ 744 745 746 747 748 ~~749~~ 750 751 752 753 ~~754~~ 755 756 757 758 759 760 761	720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767	- + - + - + - + - + - +	} else if (ssl == NULL \|\| arg == NULL) { return SSL_CLIENT_HELLO_ERROR; } /* Get names / if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) \|\| remaining <= 2) { alert = SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER; ~~return SSL_CLIENT_HELLO_ERROR;~~ return SSL_CLIENT_HELLO_ERROR; } /* Extract the length of the supplied list of names. / len = ((p++) << 8); len += (p++); if (len + 2 != remaining) { alert = SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER; ~~return SSL_CLIENT_HELLO_ERROR;~~ return SSL_CLIENT_HELLO_ERROR; } remaining = len; /* The list in practice only has a single element, so we only consider the first one. / if (remaining == 0 \|\| p++ != TLSEXT_NAMETYPE_host_name) { alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; ~~return SSL_CLIENT_HELLO_ERROR;~~ return SSL_CLIENT_HELLO_ERROR; } remaining--; / Now we can finally pull out the byte array with the actual hostname. / if (remaining <= 2) { alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; ~~return SSL_CLIENT_HELLO_ERROR;~~ return SSL_CLIENT_HELLO_ERROR; } len = ((p++) << 8); len += (p++); if (len + 2 > remaining) { alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; ~~return SSL_CLIENT_HELLO_ERROR;~~ return SSL_CLIENT_HELLO_ERROR; } remaining = len; servername = (const char )p; ~~/* Create command to eval ~~from callback~~ /~~ / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); / Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) {
︙
863 864 865 866 867 868 869 ~~870~~ 871 872 873 874 875 876 877	869 870 871 872 873 874 875 876 877 878 879 880 881 882 883	- +	#endif case TLS_TLS1_3: #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLS_method()); ~~SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);~~ SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); break; #endif default: break; } if (ctx == NULL) {
︙
960 961 962 963 964 965 966 ~~967~~ 968 969 ~~970~~ 971 972 ~~973~~ 974 975 ~~976~~ 977 978 979 980 981 982 983	966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989	- + - + - + - +	} objPtr = Tcl_NewListObj(0, NULL); #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL2], -1)); #endif ~~#if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3)~~ #if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL3], -1)); #endif ~~#if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1)~~ #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1], -1)); #endif ~~#if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1)~~ #if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_1], -1)); #endif ~~#if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2)~~ #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_2], -1)); #endif #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_3], -1)); #endif Tcl_SetObjResult(interp, objPtr);
︙
1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 ~~1165~~ 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 ~~1179 1180~~ 1181 ~~1182~~ 1183 1184 1185 ~~1186 1187 1188 1189~~ 1190 1191 1192 1193 1194 1195 1196	1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202	+ + - + - - - + - - - - + + + +	if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile); OPTBYTE("-cert", cert, cert_len); OPTSTR("-certfile", certfile); OPTSTR("-cipher", ciphers); OPTSTR("-ciphers", ciphers); OPTSTR("-ciphersuites", ciphersuites); OPTOBJ("-command", script); OPTSTR("-dhparams", DHparams); OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); ~~OPTBOOL("-require", require);~~ OPTBOOL("-request", request); OPTBOOL("-require", require); OPTINT("-securitylevel", level); OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); ~~OPTBYTE("-cert", cert, cert_len);~~ ~~OPTBYTE("-key", key, key_len);~~ OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -~~requir~~e, -request, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify \|= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE; if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify \|= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE; proto \|= (ssl2 ? TLS_PROTO_SSL2 : 0); proto \|= (ssl3 ? TLS_PROTO_SSL3 : 0); proto \|= (tls1 ? TLS_PROTO_TLS1 : 0); proto \|= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); proto \|= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); proto \|= (tls1_3 ? TLS_PROTO_TLS1_3 : 0);
︙
1314 1315 1316 1317 1318 1319 1320 1321 1322 ~~1323 1324 1325~~ 1326 1327 1328 1329 1330 ~~1331 1332~~ 1333 1334 1335 1336 1337 1338 1339	1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346	+ - - - + + + - - + +	Tls_Free((char ) statePtr); return TCL_ERROR; } / Set host server name / if (servername) { / Sets the server name indication (SNI) in ClientHello extension / / Per RFC 6066, hostname is a ASCII encoded string. / if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char ) NULL); ~~Tls_Free((char ) statePtr); return TCL_ERROR; }~~ Tls_Free((char ) statePtr); return TCL_ERROR; } /* Configure server host name checks in the SSL client. Set DNS hostname to name for peer certificate checks. SSL_set1_host has limitations. / if (!SSL_add1_host(statePtr->ssl, servername)) { Tcl_AppendResult(interp, "setting DNS host name failed", (char ) NULL); ~~Tls_Free((char ) statePtr); return TCL_ERROR;~~ Tls_Free((char ) statePtr); return TCL_ERROR; } } /* Resume session id / if (session_id && strlen(session_id) <= SSL_MAX_SID_CTX_LENGTH) { / SSL_set_session() */ if (!SSL_SESSION_set1_id_context(SSL_get_session(statePtr->ssl), session_id, (unsigned int) strlen(session_id))) {
︙
1408 1409 1410 1411 1412 1413 1414 ~~1415~~ 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 ~~1428~~ 1429 1430 1431 ~~1432~~ 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448	1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462	+ - + + + + + - + + - + +	/* Server callbacks / SSL_CTX_set_tlsext_servername_arg(statePtr->ctx, (void )statePtr); SSL_CTX_set_tlsext_servername_callback(statePtr->ctx, SNICallback); SSL_CTX_set_client_hello_cb(statePtr->ctx, HelloCallback, (void )statePtr); if (statePtr->protos != NULL) { SSL_CTX_set_alpn_select_cb(statePtr->ctx, ALPNCallback, (void )statePtr); #ifdef USE_NPN if (tls1_2 == 0 && tls1_3 == 0) { ~~SSL_CTX_set_next_protos_advertised_cb(statePtr->ctx, NPNCallback, (void )statePtr);~~ SSL_CTX_set_next_protos_advertised_cb(statePtr->ctx, NPNCallback, (void )statePtr); } #endif } /* Enable server to send cert request after handshake (TLS 1.3 only) / / A write operation must take place for the Certificate Request to be sent to the client, this can be done with SSL_do_handshake(). / if (request && post_handshake) { SSL_verify_client_post_handshake(statePtr->ssl); } / Set server mode / statePtr->flags \|= TLS_TCL_SERVER; SSL_set_accept_state(statePtr->ssl); } else { / Client callbacks / ~~if (statePtr->protos != NULL) {~~ #ifdef USE_NPN if (statePtr->protos != NULL && tls1_2 == 0 && tls1_3 == 0) { SSL_CTX_set_next_proto_select_cb(statePtr->ctx, ALPNCallback, (void )statePtr); } #endif } /* Session caching / SSL_CTX_set_session_cache_mode(statePtr->ctx, SSL_SESS_CACHE_CLIENT \| SSL_SESS_CACHE_NO_INTERNAL_STORE); SSL_CTX_sess_set_new_cb(statePtr->ctx, SessionCallback); / Enable post handshake Authentication extension. TLS 1.3 only, not http/2. / if (request && post_handshake) { SSL_set_post_handshake_auth(statePtr->ssl, 1); } / Set client mode / SSL_set_connect_state(statePtr->ssl); } SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); / * End of SSL Init
︙
1625 1626 1627 1628 1629 1630 1631 ~~1632~~ 1633 1634 1635 1636 1637 1638 1639 1640	1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654	- +	#if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) off \|= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); #endif break; } ERR_clear_error(); ~~ctx = SSL_CTX_new(method);~~ ctx = SSL_CTX_new(method); if (!ctx) { return(NULL); } if (getenv(SSLKEYLOGFILE)) { SSL_CTX_set_keylog_callback(ctx, KeyLogCallback); }
︙
1657 1658 1659 1660 1661 1662 1663 ~~1664 1665 1666~~ 1667 1668 ~~1669 1670 1671~~ 1672 1673 1674 1675 1676 1677 1678	1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692	- - - + + + - - - + + +	#if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background. On by default in OpenSSL 1.1.1. / #endif SSL_CTX_sess_set_cache_size(ctx, 128); / Set user defined ciphers, cipher suites, and security level / if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { ~~Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL;~~ Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL; } if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { ~~Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL;~~ Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char ) NULL); SSL_CTX_free(ctx); return NULL; } / Set security level / if (level > -1 && level < 6) { / SSL_set_security_level */ SSL_CTX_set_security_level(ctx, level); }
︙
1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894	1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910	+ +	chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); return TCL_ERROR; } statePtr = (State ) Tcl_GetChannelInstanceData(chan); / Get certificate for peer or self */ if (objc == 2) { peer = SSL_get_peer_certificate(statePtr->ssl); } else { peer = SSL_get_certificate(statePtr->ssl); } if (peer) { objPtr = Tls_NewX509Obj(interp, peer);
︙
2034 2035 2036 2037 2038 2039 2040 ~~2041~~ 2042 2043 2044 2045 2046 2047 2048	2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064	- +	bits = SSL_CIPHER_get_bits(cipher, &alg_bits); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("bits", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(bits)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("secret_bits", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(alg_bits)); /* alg_bits is actual key secret bits. If use bits and secret (algorithm) bits differ, ~~the rest of the bits are fixed, i.e. for limited export ciphers (bits < 56) /~~ the rest of the bits are fixed, i.e. for limited export ciphers (bits < 56) / Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("min_version", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_CIPHER_get_version(cipher), -1)); /* Get OpenSSL-specific ID, not IANA ID */ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("id", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj((int) SSL_CIPHER_get_id(cipher)));
︙
2586 2587 2588 2589 2590 2591 2592 ~~2593 2594~~ 2595 ~~2596 2597~~ 2598 ~~2599~~ 2600 2601 ~~2602~~ 2603 ~~2604 2605 2606 2607 2608~~ 2609 ~~2610~~ 2611 2612 ~~2613~~ 2614 2615 ~~2616~~ 2617 2618 2619 ~~2620 2621~~ 2622 2623 2624 2625 2626 2627 2628	2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644	- - + + - - + + - + - + - - - - - + + + + + - + - + - + - - + +	static int initialized = 0; int status = TCL_OK; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) size_t num_locks; #endif if (uninitialize) { ~~if (!initialized) { dprintf("Asked to uninitialize, but we are not initialized");~~ if (!initialized) { dprintf("Asked to uninitialize, but we are not initialized"); ~~return(TCL_OK); }~~ return(TCL_OK); } ~~dprintf("Asked to uninitialize");~~ dprintf("Asked to uninitialize"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) ~~Tcl_MutexLock(&init_mx);~~ Tcl_MutexLock(&init_mx); ~~if (locks) { free(locks); locks = NULL; locksCount = 0; }~~ if (locks) { free(locks); locks = NULL; locksCount = 0; } #endif ~~initialized = 0;~~ initialized = 0; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) ~~Tcl_MutexUnlock(&init_mx);~~ Tcl_MutexUnlock(&init_mx); #endif ~~return(TCL_OK);~~ return(TCL_OK); } if (initialized) { ~~dprintf("Called, but using cached value"); return(status);~~ dprintf("Called, but using cached value"); return(status); } dprintf("Called"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); #endif
︙